Fix crash in CompositeEditCommand::cloneParagraphUnderNewElement()
<http://webkit.org/b/129751>
<rdar://problem/
16237965>
Reviewed by Jon Honeycutt.
Merged from Blink (patch by Yuta Kitamura):
https://src.chromium.org/viewvc/blink?revision=168160&view=revision
http://crbug.com/345005
The root cause is CompositeEditCommand::moveParagraphWithClones() passing
two positions |start| and |end| which do not follow the document order,
i.e. in some situations |start| is located after |end| because of
the difference in affinity.
This patch fixes this crash by normalizing |end| to |start| in such situations.
It also adds an ASSERT that checks the relationship between |start| and |end|.
Source/WebCore:
Test: editing/execCommand/format-block-crash.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
(WebCore::CompositeEditCommand::moveParagraphWithClones):
* editing/CompositeEditCommand.h:
LayoutTests:
* editing/execCommand/format-block-crash-expected.txt: Added.
* editing/execCommand/format-block-crash.html: Added.
* editing/execCommand/resources/format-block-crash-iframe.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@165138
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
git://git.webkit.org / WebKit-https.git / commit