Bug 123957

Summary: Fix Range.insertNode when the inserted node is in the same container as the Range
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: DOM
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: andersca, ap, commit-queue, darin, ddkilzer, esprehn+autocc, kangil.han, kling, mjs, oliver, sam
Priority: P2
Keywords: BlinkMergeCandidate
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fixes the bug none

Ryosuke Niwa
Reported 2013-11-06 22:50:31 PST
Fix the bug fixed in https://chromium.googlesource.com/chromium/blink/+/fb6ca1f488703e8d4f20ce6449cc8ea210be6edb

When Range.insertNode is called on a collapsed Range, with a node that is in the same container as the Range, the Range offsets are incorrectly updated. This results in Debug assertions and incorrect Release behavior (and maybe more serious problems). The fix correctly accounts for situations in which the inserted node immediately precedes the Range in the container. The test verifies this and other cases.

Unfortunately, neither the code change nor the test meets my standard, so I'll write a new fix.
Attachments
Fixes the bug (9.99 KB, patch)
2013-11-06 22:58 PST, Ryosuke Niwa
no flags
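An added example, not code from the WebKit or Blink patch: a small JavaScript model of the DOM Standard's live-range rules for the case the report describes, where a collapsed Range and the inserted node share one container. The object shape (`children`, `start`, `end`) and the function names are assumptions made for this example, and the input names are constructed.

```javascript
// Model: `children` is the shared container's child list; the range's start
// and end are offsets into it (both boundaries live in that one container).
function removeChild(range, node) {
  const index = range.children.indexOf(node);
  if (index === -1) return;
  range.children.splice(index, 1);
  // DOM "remove": offsets greater than the removed index move down by one.
  if (range.start > index) range.start--;
  if (range.end > index) range.end--;
}

function insertBefore(range, node, reference) {
  const index = reference === null ? range.children.length
                                   : range.children.indexOf(reference);
  range.children.splice(index, 0, node);
  // DOM "insert": offsets greater than the insertion index move up by one.
  if (range.start > index) range.start++;
  if (range.end > index) range.end++;
  return index;
}

// Range "insert" steps for an element container and a non-fragment node.
function insertNode(range, node) {
  let reference = range.children[range.start] ?? null;
  // If the node is itself the reference, use its next sibling instead.
  if (reference === node) reference = range.children[range.start + 1] ?? null;
  removeChild(range, node); // the node leaves its old position first
  // The insertion index is computed only after the removal shifted offsets.
  const index = insertBefore(range, node, reference);
  if (range.start === range.end) range.end = index + 1;
  return range;
}

// Try every collapsed position against every existing child (constructed input).
function checkAllCases(names) {
  const failures = [];
  for (let offset = 0; offset <= names.length; offset++) {
    for (const node of names) {
      const r = insertNode({ children: [...names], start: offset, end: offset }, node);
      const ok = r.start >= 0 && r.end <= r.children.length &&
                 r.end === r.start + 1 && r.children[r.start] === node &&
                 r.children.length === names.length;
      if (!ok) failures.push({ offset, node, ...r });
    }
  }
  return failures;
}
```

The invariant checked is that both boundaries stay inside the container and the range ends up selecting exactly the inserted node, including when that node immediately preceded the collapsed range.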
Ryosuke Niwa
Comment 1 2013-11-06 22:58:27 PST
Created attachment 216262
Fixes the bug
Ryosuke Niwa
Comment 2 2013-11-06 23:03:06 PST
https://code.google.com/p/chromium/issues/detail?id=299993 is a security bug so I might be fixing a security bug here...
WebKit Commit Bot
Comment 3 2013-11-21 05:49:44 PST
Comment on attachment 216262
Fixes the bug

Clearing flags on attachment: 216262

Committed r159620: <http://trac.webkit.org/changeset/159620>
WebKit Commit Bot
Comment 4 2013-11-21 05:49:47 PST
All reviewed patches have been landed. Closing bug.