WebKit on Mac OS X 10.4.5 using the 31 March 2006 nightly.
Dragging and dropping text repeatedly within a text input field modifies the page contents.
Steps to reproduce:
Type a query into the search field (say, "Safari WebKit")
Select a portion of the text field contents (say, "Saf"), then move it elsewhere within the text field.
Without deselecting the text that has been moved, move it once more to a different location.
Same problem with normal contenteditable divs.
ASSERTION FAILED: editableRoot (/Users/ap/WebKit/WebCore/editing/ReplaceSelectionCommand.cpp:124 WebCore::ReplacementFragment::ReplacementFragment(WebCore::Document*, WebCore::DocumentFragment*, bool))
Ah, when a ReplaceSelectionCommand is a sub-command (which is what happens during a drag), frame->selection() may be different than the endingSelection. The ReplacementFragment will need to either be given the endingSelection or a pointer back to the ReplaceSelectionCommand so it can get the endingSelection.
We should get rid of the endingSelection, it's confusing. An operation should just set its selection on the frame, but through a special setter that doesn't send selection change notifications (those should only be sent for user-level selection changes).
These are all text field regressions so they should all be P1.
This happens in any empty contenteditable div at the end of the document, it looks like a regression from r13628 (setting mergeStart to true for empty editable regions to fix Undo).