Make "insertHTML" execCommand not to crash on TEXTAREA

This patch changes "insertHTML" execCommand on TEXTAREA not to crash when
inserted HTML containing text.

The root cause of issue 504886 is calling |plainText()| with null |Range| object
in |ReplacementFragment| constructor. This null |Range| object is comes from
|VisibleSelection::selectionFromContentsOfNode()| with HTML fragment without
text content, e.g. "<b></b>", "<span>", and so on, which returns empty
seleciton.


BUG=504886
TEST=LayoutTests/editing/inserting/insert-html-to-textarea-crash.html

Review URL: https://codereview.chromium.org/1219723004

git-svn-id: svn://svn.chromium.org/blink/trunk@198037 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/editing/inserting/insert-html-to-textarea-crash-expected.txt

+PASS if Blink doesn't crash.

third_party/WebKit/LayoutTests/editing/inserting/insert-html-to-textarea-crash.html

+<!DOCTYPE html>
+<textarea></textarea>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.querySelector('textarea').setSelectionRange(0, 0);
+document.execCommand("InsertHTML", false, "<b></b>");
+document.body.textContent = 'PASS if Blink doesn\'t crash.';
+</script>

third_party/WebKit/Source/core/editing/ReplaceSelectionCommand.cpp

@@ -182,7 +182,7 @@ ReplacementFragment::ReplacementFragment(Document* document, DocumentFragment* f
     }
 
     RefPtrWillBeRawPtr<Range> range = VisibleSelection::selectionFromContentsOfNode(holder.get()).toNormalizedRange();
-    String text = plainText(range.get(), static_cast<TextIteratorBehavior>(TextIteratorEmitsOriginalText | TextIteratorIgnoresStyleVisibility));
+    String text = range ? plainText(range.get(), static_cast<TextIteratorBehavior>(TextIteratorEmitsOriginalText | TextIteratorIgnoresStyleVisibility)) : emptyString();
 
     removeInterchangeNodes(holder.get());
     removeUnrenderedNodes(holder.get());