Bug 122777

Summary: Assertion failure in Range::processContentsBetweenOffsets
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: DOM
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: andersca, ap, commit-queue, darin, esprehn+autocc, kangil.han, webkit-bug-importer
Priority: P2
Keywords: BlinkMergeCandidate, InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Attachments:
Description | Flags
Fixes the bug | none
Updated for ToT | darin: review+

Description Ryosuke Niwa 2013-10-14 14:26:55 PDT
Merge https://chromium.googlesource.com/chromium/blink/+/c15de182774c7859c20d97126eb844ae97b792a4

https://code.google.com/p/chromium/issues/detail?id=240594

Make Range::processContentsBetweenOffsets() handle node modification by a mutation event handler

This patch changes the ASSERT statements that check that |endOffset| is in bounds in Range::processContentsBetweenOffsets() to instead limit |endOffset|. This situation can happen when a DOMNodeRemovedFromDocument event handler splits text nodes (Range::insertNode() on a text node in the range) during a call to Range::deleteContents().

This is the last part of fixing issue 240594.
Comment 1 Ryosuke Niwa 2013-10-14 14:40:29 PDT
Created attachment 214189 [details]
Fixes the bug
Comment 2 Ryosuke Niwa 2013-10-14 14:41:54 PDT
Comment on attachment 214189 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=214189&action=review

> Source/WebCore/dom/Range.cpp:792
> +        startOffset = std::min(startOffset, endOffset);

The Blink patch didn't adjust startOffset so I'm doing that here.

> Source/WebCore/dom/Range.cpp:807
> +        startOffset = std::min(startOffset, endOffset);

Ditto.

> LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash-expected.txt:1
> +This tests inserting a text node while calling deleteContents. WebKit should not hit an assertion.

I added this description.

> LayoutTests/fast/dom/Range/range-delete-contents-mutation-event-crash.html:11
> +var sample = document.getElementById('sample');

And got rid of the obnoxious $ function.
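The description above explains the failure mode (a mutation event handler shrinks a text node after the range offsets were computed but before they are used), and comment 2 explains why the WebKit merge also clamps startOffset. The following is an added example that is not part of the bug, the Blink patch or WebKit's Range.cpp: it models that ordering with a toy TextNode and an arbitrary callback standing in for the mutation event handler, and contrasts the pre-fix behaviour (treating out-of-bounds cached offsets as an assertion) with the post-fix behaviour (limiting endOffset and then startOffset). All names here (TextNode, MutationHook, deleteTextBetweenOffsets, runScenario) are assumptions for the example.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <string>

// Toy model (added example, not WebKit code): a text "node" whose contents can be
// changed by an arbitrary callback that runs while the range is being processed,
// the way a DOMNodeRemovedFromDocument handler can run inside Range::deleteContents().
struct TextNode {
    std::string data;
    size_t length() const { return data.size(); }
};

// Stand-in for the mutation event handler; it may mutate the node it is given.
using MutationHook = std::function<void(TextNode&)>;

// Deletes data in [startOffset, endOffset) from |node|. The hook runs after the
// offsets were computed but before they are used, mirroring the order in the bug.
// With clamp == false the function returns false where the unpatched code would
// have hit its ASSERT; with clamp == true it limits the offsets like the fix does.
bool deleteTextBetweenOffsets(TextNode& node, size_t startOffset, size_t endOffset,
                              const MutationHook& hook, bool clamp)
{
    hook(node); // arbitrary script may shrink or split the node here

    if (clamp) {
        // The fix: limit endOffset to the node's current length ...
        endOffset = std::min(endOffset, node.length());
        // ... and (the WebKit addition from comment 2) keep startOffset <= endOffset,
        // otherwise endOffset - startOffset below would underflow.
        startOffset = std::min(startOffset, endOffset);
    } else if (endOffset > node.length() || startOffset > endOffset) {
        return false; // unpatched code asserted on this condition
    }

    node.data.erase(startOffset, endOffset - startOffset);
    return true;
}

struct ScenarioResult {
    bool unpatchedOk;       // did the assert-style check pass?
    bool patchedOk;         // did the clamped version complete?
    std::string patchedData; // node contents after the clamped deletion
};

// Runs the same deletion twice on constructed input "Hello, World": the hook keeps
// only the first |keep| characters (a crude stand-in for splitting the text node),
// so the cached offsets now point past the end of the node.
ScenarioResult runScenario(size_t startOffset, size_t endOffset, size_t keep)
{
    MutationHook shrink = [keep](TextNode& n) { n.data = n.data.substr(0, keep); };

    TextNode unpatched{"Hello, World"};
    bool unpatchedOk = deleteTextBetweenOffsets(unpatched, startOffset, endOffset, shrink, false);

    TextNode patched{"Hello, World"};
    bool patchedOk = deleteTextBetweenOffsets(patched, startOffset, endOffset, shrink, true);

    return {unpatchedOk, patchedOk, patched.data};
}

int main()
{
    // Case 1: endOffset past the new end; only the endOffset clamp is needed.
    ScenarioResult r1 = runScenario(3, 8, 4);
    std::printf("case 1: unpatched=%d patched=%d data=\"%s\"\n",
                r1.unpatchedOk, r1.patchedOk, r1.patchedData.c_str());
    // Case 2: both offsets past the new end; without the startOffset clamp the
    // erase length would underflow.
    ScenarioResult r2 = runScenario(6, 8, 4);
    std::printf("case 2: unpatched=%d patched=%d data=\"%s\"\n",
                r2.unpatchedOk, r2.patchedOk, r2.patchedData.c_str());
    return 0;
}
```

Case 1 (offsets 3..8, node shrunk to "Hell") is the situation the Blink patch covered: endOffset is limited to 4 and the deletion removes one character. Case 2 (offsets 6..8, same shrink) is the reason for the extra startOffset line in the WebKit merge: after endOffset is limited to 4, startOffset must also be limited to 4, so the deletion becomes a no-op instead of an underflowing length.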
Comment 3 Ryosuke Niwa 2013-10-14 14:50:19 PDT
Created attachment 214191 [details]
Updated for ToT
Comment 4 Ryosuke Niwa 2013-10-14 16:57:17 PDT
Committed r157431: <http://trac.webkit.org/changeset/157431>
Comment 5 Radar WebKit Bug Importer 2013-10-14 23:19:52 PDT
<rdar://problem/15228667>