    Fix a bug in Range::didSplitTextNode() that may yield an invalid Range object. · 0bd91d51
    yutak@chromium.org authored
    Range::didSplitTextNode() fails to update RangeBoundaryPoint's
    m_childBeforeBoundary correctly, if either boundary point is located
    immediately after the split text node. This change fixes this bug and adds
    a couple of unit tests that make sure text splits are handled correctly.
    
    This is a bug I found while I was investigating a ClusterFuzz crash. The bug
    above was the root cause of the crash. The crash happens in the following way:
      1. Range::surroundContents() removes some nodes during its operation,
         which causes DOMNodeRemoved event to fire *before* surroundContents()
         completes.
      2. A user-supplied event handler does something causing text to split.
      3. Due to the bug above, Range's boundary points may get into an inconsistent
         state; i.e. m_start may be located *after* m_end.
      4. If certain conditions are met, an invalid Range object created during
         Range::surroundContents() causes a crash within checkDeleteExtract().
      5. Sad face.
    
    This change adds a new layout test that reproduces this crash.
    
    BUG=343798
    
    Review URL: https://codereview.chromium.org/178543013
    
    git-svn-id: svn://svn.chromium.org/blink/trunk@168521 bbb929c8-8fbe-4397-9dbb-9b2b20218538
surroundContents-crash.html 2.46 KB