Fix an assertion failure in Range::textNodeSplit by Text::splitText
authortkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 4 Jun 2013 08:10:12 +0000 (08:10 +0000)
committertkent@chromium.org <tkent@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 4 Jun 2013 08:10:12 +0000 (08:10 +0000)
commit9f80e8b1ff8c3826ff112a2f71cbe0e41b8229cb
tree43597cde6f43f5da50e4b5efdb97d9c045f4f8e1
parent3c1f01f621d3e777e6e75fc314bba2daf67a92e3
Fix an assertion failure in Range::textNodeSplit by Text::splitText
https://bugs.webkit.org/show_bug.cgi?id=116509

Reviewed by Ryosuke Niwa.

Source/WebCore:

Range::textNodeSplit is called in Text::splitText, and it assumes the
next sibling node is still a Text node. A DOM mutation event handler can
break this assumption.

We had better postpone DOM mutation events dispatched in Node::insertBefore
until exiting splitText to avoid inconsistent Range state.

This imports http://src.chromium.org/viewvc/blink?view=revision&revision=150493 .

Test: fast/dom/Range/split-text-in-range.html

* dom/Text.cpp:
(WebCore::Text::splitText): Add EventQueueScope.

LayoutTests:

* fast/dom/Range/split-text-in-range-expected.txt: Added.
* fast/dom/Range/split-text-in-range.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@151160 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/dom/Range/split-text-in-range-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/Range/split-text-in-range.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Text.cpp