Bug 116509

Summary: Fix an assertion failure in Range::textNodeSplit by Text::splitText
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: DOM
Assignee: Kent Tamura <tkent>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, commit-queue, darin, esprehn+autocc, tkent
Priority: P2
Keywords: BlinkMergeCandidate
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Attachments (description, flags):
Patch, flags: none
Patch for landing, flags: none

Description Ryosuke Niwa 2013-05-20 19:45:01 PDT
Merge https://chromium.googlesource.com/chromium/blink/+/a0f5a1c5a050249d3f1be10249a91d88cd18c684

Range::textNodeSplit is called in Text::splitText, and it assumes the next sibling
node is still a Text node. A DOM mutation event handler can break this assumption.

We had better postpone DOM mutation events dispatched in Node::insertBefore
until exiting splitText to avoid inconsistent Range state.
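
The failure mode and the postponement described above, as an added example that is not part of the original report and is not WebKit code. It is a simplified JavaScript model; `Parent`, `rangeUpdateAfterSplit`, `splitText` and `runScenario` are hypothetical names, and the sample nodes are constructed.

```javascript
// Simplified model constructed for illustration; not WebKit code.
class Parent {
  constructor() {
    this.children = [];
    this.listeners = [];
    this.queue = null; // non-null while mutation events are postponed
  }
  insertAfter(ref, node) {
    this.children.splice(this.children.indexOf(ref) + 1, 0, node);
    const fire = () => this.listeners.forEach((fn) => fn(node, this));
    if (this.queue) this.queue.push(fire); // postponed until the caller finishes
    else fire(); // dispatched synchronously, in the middle of the caller
  }
  nextSibling(node) {
    return this.children[this.children.indexOf(node) + 1] || null;
  }
}

// Stand-in for the Range update: it relies on the next sibling being a Text node.
function rangeUpdateAfterSplit(parent, oldText) {
  const next = parent.nextSibling(oldText);
  return next !== null && next.type === 'text';
}

function splitText(parent, text, offset, deferEvents) {
  const tail = { type: 'text', data: text.data.slice(offset) };
  text.data = text.data.slice(0, offset);
  if (deferEvents) parent.queue = [];
  parent.insertAfter(text, tail);
  const rangeConsistent = rangeUpdateAfterSplit(parent, text);
  if (deferEvents) {
    const pending = parent.queue;
    parent.queue = null;
    pending.forEach((fire) => fire()); // handlers run only after the split is complete
  }
  return rangeConsistent;
}

// Constructed scenario: a listener swaps the freshly inserted Text node for an element.
function runScenario(deferEvents) {
  const parent = new Parent();
  const text = { type: 'text', data: 'hello world' };
  parent.children.push(text);
  parent.listeners.push((node, p) => {
    p.children[p.children.indexOf(node)] = { type: 'element', tag: 'span' };
  });
  return splitText(parent, text, 5, deferEvents);
}
```

With synchronous dispatch the Range update sees a non-Text sibling; with postponed dispatch the listener still runs, but only after the Range state has been updated.
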
Comment 1 Kent Tamura 2013-06-03 23:50:32 PDT
Created attachment 203655
Patch
Comment 2 Kent Tamura 2013-06-04 00:12:04 PDT
Created attachment 203659
Patch for landing

ChangeLog nits
Comment 3 WebKit Commit Bot 2013-06-04 01:10:11 PDT
Comment on attachment 203659
Patch for landing

Clearing flags on attachment: 203659

Committed r151160: <http://trac.webkit.org/changeset/151160>
Comment 4 WebKit Commit Bot 2013-06-04 01:10:13 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Ahmad Saleem 2024-01-19 05:56:33 PST
*** Bug 116073 has been marked as a duplicate of this bug. ***