Check VisualPosition.isNull() after the DOM mutation in ReplaceSelectionCommand

The crash is on L1125, calling insertNodeAt with the Null VisualPosition, startOfInsertedContent.
It inserts a <br> element to the selected position but the replacing might change visual position so we should check.

BUG=348283

Review URL: https://codereview.chromium.org/183893018

git-svn-id: svn://svn.chromium.org/blink/trunk@168502 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/editing/execCommand/insert-image-changing-visibility-crash-expected.txt

+Should not crash if we load a test case from crbug.com/348283.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS event.data is "FINISH"
+PASS Did not crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

third_party/WebKit/LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html

+<!DOCTYPE html>
+<html>
+<head>
+<title>Issue 348283</title>
+<script src="../../resources/js-test.js"></script>
+</head>
+<body>
+<script>
+description('Should not crash if we load a test case from crbug.com/348283.');
+
+window.jsTestIsAsync = true;
+
+window.addEventListener('message', didReceiveMessage, false);
+
+var iframe = document.createElement('iframe');
+iframe.src = 'resources/insert-image-changing-visibility-crash-iframe.html';
+document.body.appendChild(iframe);
+
+function didReceiveMessage(event)
+{
+    shouldBeEqualToString('event.data', 'FINISH');
+    document.body.removeChild(iframe);
+    testPassed('Did not crash.');
+    window.finishJSTest();
+}
+</script>
+</body>
+</html>

third_party/WebKit/LayoutTests/editing/execCommand/resources/insert-image-changing-visibility-crash-iframe.html

+<!DOCTYPE html>
+<html>
+<head>
+<title>Issue 348283 crash test case</title>
+<style>
+table {
+    visibility: collapse;
+}
+
+*:only-child {
+    visibility: visible;
+}
+</style>
+</head>
+<!-- This is a minified version of the clusterfuzz test case at https://code.google.com/p/chromium/issues/detail?id=348283 -->
+<body contenteditable="true">
+<script>
+window.onload = function () {
+    var table = document.getElementById('table');
+    table.insertAdjacentHTML('afterbegin', '<svg></svg><div><div id=\'div\'>text</div>');
+
+    var div = document.getElementById('div');
+    var selection = window.getSelection();
+    selection.collapse(div.firstChild, 0);
+    document.execCommand('InsertImage', false, 'about:blank');
+    window.parent.postMessage('FINISH', '*');
+};
+</script>
+
+<table id="table" ></table>
+<div></div>
+</body>
+</html>

third_party/WebKit/Source/core/editing/ReplaceSelectionCommand.cpp

@@ -1121,7 +1121,7 @@ void ReplaceSelectionCommand::doApply()
 
     // We inserted before the insertionBlock to prevent nesting, and the content before the insertionBlock wasn't in its own block and
     // didn't have a br after it, so the inserted content ended up in the same paragraph.
-    if (insertionBlock && insertionPos.deprecatedNode() == insertionBlock->parentNode() && (unsigned)insertionPos.deprecatedEditingOffset() < insertionBlock->nodeIndex() && !isStartOfParagraph(startOfInsertedContent))
+    if (!startOfInsertedContent.isNull() && insertionBlock && insertionPos.deprecatedNode() == insertionBlock->parentNode() && (unsigned)insertionPos.deprecatedEditingOffset() < insertionBlock->nodeIndex() && !isStartOfParagraph(startOfInsertedContent))
         insertNodeAt(createBreakElement(document()).get(), startOfInsertedContent.deepEquivalent());
 
     if (endBR && (plainTextFragment || (shouldRemoveEndBR(endBR, originalVisPosBeforeEndBR) && !(fragment.hasInterchangeNewlineAtEnd() && selectionIsPlainText)))) {