Bug 122777

Summary:

Assertion failure in Range::processContentsBetweenOffsets

Product:

WebKit

Reporter:

Ryosuke Niwa <rniwa>

Component:

DOM

Assignee:

Ryosuke Niwa <rniwa>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

andersca, ap, commit-queue, darin, esprehn+autocc, kangil.han, webkit-bug-importer

Priority:

Keywords:

BlinkMergeCandidate, InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Fixes the bug	none
Updated for ToT	darin: review+

Ryosuke Niwa

Reported 2013-10-14 14:26:55 PDT

Merge https://chromium.googlesource.com/chromium/blink/+/c15de182774c7859c20d97126eb844ae97b792a4 https://code.google.com/p/chromium/issues/detail?id=240594 Make Range::processContentsBetweenOffsets() to handle node modification by mutation event handler This patch changes ASSERT statements for checking |endOffset| inbound in Range::processContentsBetweenOffsets() to limit |endOffset|. This situation can be happened when DOMNodeRemovedFromDocument event handler splits text nodes, Range::insertNode() on text node, in the range calling Range::deleteContents(). This is the last part of fixing issue 240594.

Attachments
Fixes the bug (4.94 KB, patch) 2013-10-14 14:40 PDT, Ryosuke Niwa	no flags	Details Formatted Diff Diff
Updated for ToT (4.90 KB, patch) 2013-10-14 14:50 PDT, Ryosuke Niwa	darin: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2013-10-14 14:40:29 PDT

Created attachment 214189 [details] Fixes the bug

Ryosuke Niwa

Comment 2 2013-10-14 14:41:54 PDT

Comment on attachment 214189 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=214189&action=review > Source/WebCore/dom/Range.cpp:792 > + startOffset = std::min(startOffset, endOffset); The Blink patch didn't adjust startOffset so I'm doing that here. > Source/WebCore/dom/Range.cpp:807 > + startOffset = std::min(startOffset, endOffset); Ditto. > LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash-expected.txt:1 > +This tests inserting a text node while calling deleteContents. WebKit should not hit an assertion. I added this description. > LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash.html:11 > +var sample = document.getElementById('sample'); And got rid of obnoxious $ function.

Ryosuke Niwa

Comment 3 2013-10-14 14:50:19 PDT

Created attachment 214191 [details] Updated for ToT

Ryosuke Niwa

Comment 4 2013-10-14 16:57:17 PDT

Committed r157431: <http://trac.webkit.org/changeset/157431>

Radar WebKit Bug Importer

Comment 5 2013-10-14 23:19:52 PDT

<rdar://problem/15228667>

Note You need to log in before you can comment on or make changes to this bug.