Fix the bug fixed in https://chromium.googlesource.com/chromium/blink/+/fb6ca1f488703e8d4f20ce6449cc8ea210be6edb When Range.insertNode is called on a collapsed Range, with a node that is in the same container as the Range, the Range offsets are incorrectly updated. This results in Debug asertions and incorect Release behavior (and maybe more serious problems). The fix correctly accounts for situations in which the inserted node immediately precedes the Range in the container. The test verifies this and other cases. Unfortunately, neither code change nor the test meet my standard so I'll write a new fix.
Created attachment 216262 [details] Fixes the bug
https://code.google.com/p/chromium/issues/detail?id=299993 is a security bug so I might be fixing a security bug here...
Comment on attachment 216262 [details] Fixes the bug Clearing flags on attachment: 216262 Committed r159620: <http://trac.webkit.org/changeset/159620>
All reviewed patches have been landed. Closing bug.