Bug 123957 - Fix Range.insertNode when the inserted node is in the same container as the Range
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: BlinkMergeCandidate
Depends on:
Blocks:
 
Reported: 2013-11-06 22:50 PST by Ryosuke Niwa
Modified: 2013-11-21 05:49 PST

See Also:


Attachments
Fixes the bug (9.99 KB, patch)
2013-11-06 22:58 PST, Ryosuke Niwa
Description Ryosuke Niwa 2013-11-06 22:50:31 PST
Fix the bug fixed in https://chromium.googlesource.com/chromium/blink/+/fb6ca1f488703e8d4f20ce6449cc8ea210be6edb

When Range.insertNode is called on a collapsed Range, with a node
that is in the same container as the Range, the Range offsets are
incorrectly updated. This results in Debug assertions and incorrect
Release behavior (and maybe more serious problems).

The fix correctly accounts for situations in which the inserted
node immediately precedes the Range in the container. The test
verifies this and other cases.


Unfortunately, neither the code change nor the test meets my standard, so I'll write a new fix.
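
An added example, not part of the bug report or of the WebKit patch: a small JavaScript model of the DOM Standard's live-range bookkeeping for insertNode, covering the case described above where the inserted node already sits in the Range's container. The array-of-names container and the `removeChild`, `insertBefore`, `modelInsertNode` and `selectsOnly` helpers are constructs of this example; both boundary points are assumed to be in that one container and node names are assumed unique.

```javascript
// Model only: `children` is the container's child list (node names) and
// `range` holds two child-index offsets into that same container.

// Live-range rule when a child is removed: offsets past it shift down by one.
function removeChild(children, range, index) {
  children.splice(index, 1);
  if (range.start > index) range.start -= 1;
  if (range.end > index) range.end -= 1;
}

// Live-range rule when a child is inserted: offsets strictly past the
// insertion index shift up by one.
function insertBefore(children, range, node, index) {
  children.splice(index, 0, node);
  if (range.start > index) range.start += 1;
  if (range.end > index) range.end += 1;
}

// insertNode steps of the DOM Standard, restricted to this model.
function modelInsertNode(children, range, node) {
  // The reference node is the child at the start offset (null at the end).
  let reference = range.start < children.length ? children[range.start] : null;
  const oldIndex = children.indexOf(node);
  // Inserting the reference node itself: use its next sibling instead.
  if (node === reference) {
    reference = oldIndex + 1 < children.length ? children[oldIndex + 1] : null;
  }
  // A node already in the container is removed first, which moves the range.
  if (oldIndex !== -1) removeChild(children, range, oldIndex);
  // Resolve the reference to an index only after the removal has happened.
  const at = reference === null ? children.length : children.indexOf(reference);
  insertBefore(children, range, node, at);
  // A range that is still collapsed is extended over the inserted node.
  if (range.start === range.end) range.end = at + 1;
  return range;
}

// Invariant for a collapsed range: afterwards it selects exactly `node`.
function selectsOnly(children, range, node) {
  return range.end === range.start + 1 && children[range.start] === node;
}

// Constructed cases: range collapsed at offset 1 of [a, b, c].
for (const node of ['a', 'b', 'c', 'x']) {
  const children = ['a', 'b', 'c'];
  const range = modelInsertNode(children, { start: 1, end: 1 }, node);
  console.log(node, children.join(''), range.start, range.end,
              selectsOnly(children, range, node));
}
```

The `'a'` case is the one the description calls out: the node immediately precedes the collapsed Range, so removing it shifts both offsets before the reinsertion offset is computed.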
Comment 1 Ryosuke Niwa 2013-11-06 22:58:27 PST
Created attachment 216262
Fixes the bug
Comment 2 Ryosuke Niwa 2013-11-06 23:03:06 PST
https://code.google.com/p/chromium/issues/detail?id=299993 is a security bug so I might be fixing a security bug here...
Comment 3 WebKit Commit Bot 2013-11-21 05:49:44 PST
Comment on attachment 216262
Fixes the bug

Clearing flags on attachment: 216262

Committed r159620: <http://trac.webkit.org/changeset/159620>
Comment 4 WebKit Commit Bot 2013-11-21 05:49:47 PST
All reviewed patches have been landed.  Closing bug.