Use after free in WebCore::dispatchEditableContentChangedEvents

LayoutTests/editing/undo/undo-after-event-edited.html

Index: LayoutTests/editing/undo/undo-after-event-edited.html
diff --git a/LayoutTests/editing/undo/undo-after-event-edited.html b/LayoutTests/editing/undo/undo-after-event-edited.html
new file mode 100644
index 0000000000000000000000000000000000000000..08005b39d09873d88886d54e335ea51f78dbf848
--- /dev/null
+++ b/LayoutTests/editing/undo/undo-after-event-edited.html
@@ -0,0 +1,57 @@
+<head>

[inferno, 2013/05/14 18:00:00]

Please add <!DOCTYPE html> and <html> opening, closing tag.

[Will Harris, 2013/05/14 22:25:54]

Done.

+<style>
+* {display:run-in;}

[inferno, 2013/05/14 18:00:00]

spaces around { }

[Will Harris, 2013/05/14 22:25:54]

Done.

+.collapse {visibility:collapse;}
+</style>
+<script>
+// BUG=237429

[inferno, 2013/05/14 18:00:00]

No need of bug number here.

[Will Harris, 2013/05/14 22:25:54]

Done.

+
+if (window.testRunner) {
+  window.testRunner.dumpAsText();
+  window.testRunner.waitUntilDone();
+}
+
+document.designMode = "on";
+var aoScriptElements = document.getElementsByTagName("script");

[inferno, 2013/05/14 18:00:00]

s/aoScriptElements/scriptElements

[Will Harris, 2013/05/14 22:25:54]

Done.

+aoScriptElements[0].parentNode.removeChild(aoScriptElements[0]);
+var event_handler_webkitEditableContentChanged_active = false;

[inferno, 2013/05/14 18:00:00]

s/event_handler_webkitEditableContentChanged_active/eventHandleEnabled

[Will Harris, 2013/05/14 22:25:54]

Done.

+
+function event_handler_webkitEditableContentChanged() {
+  if (event_handler_webkitEditableContentChanged_active) return ;

[inferno, 2013/05/14 18:00:00]

return on new line and indented.

[Will Harris, 2013/05/14 22:25:54]

Done.

+  event_handler_webkitEditableContentChanged_active = true;
+  var oElement = event.srcElement;

[inferno, 2013/05/14 18:00:00]

s/oElement/srcElement

[Will Harris, 2013/05/14 22:25:54]

Done.

+  document.execCommand('InsertText',false,'FAIL1');
+  try{oElement.textContent = "PASS"}

[inferno, 2013/05/14 18:00:00]

is try, catch required. if yes, please indent and put on like
try {
  statement;
} catch(e) {
}

[inferno, 2013/05/14 18:00:00]

s/PASS/Pass. Test didn't crash.

[Will Harris, 2013/05/14 22:25:54]

removed exception handler, it never gets used in the test

+  catch(e){}
+  event_handler_webkitEditableContentChanged_active = false;
+  if (window.testRunner)
+    window.testRunner.notifyDone();
+}
+document.addEventListener("webkitEditableContentChanged", event_handler_webkitEditableContentChanged, true);
+function event_handler_DOMCharacterDataModified() {

[inferno, 2013/05/14 18:00:00]

new lines before and after function declaration.

[Will Harris, 2013/05/14 22:25:54]

Done.

+  document.execCommand('InsertParagraph',false,false);
+}
+document.addEventListener("DOMCharacterDataModified", event_handler_DOMCharacterDataModified, false);
+setTimeout(function(){

[inferno, 2013/05/14 18:00:00]

space before {

[Will Harris, 2013/05/14 22:25:54]

Done.

+  var oSelection=window.getSelection();

[inferno, 2013/05/14 18:00:00]

s/oSelection/selection

[Will Harris, 2013/05/14 22:25:54]

Done.

+  if (!oSelection.rangeCount) {

[inferno, 2013/05/14 18:00:00]

no need of braces for single line statmenents.

[Will Harris, 2013/05/14 22:25:54]

Done.

+  document.execCommand("SelectAll", false)
+  }
+  var oRange = oSelection.rangeCount ? oSelection.getRangeAt(2 % oSelection.rangeCount) : null;

[inferno, 2013/05/14 18:00:00]

s/2 % oSelection.rangeCount/ can you hardcode this value, you can do an alert to
see what needs to com ehere.

[Will Harris, 2013/05/14 22:25:54]

Done.

+  if (oRange) {
+    try{var oDocumentFragment = oRange.extractContents()}

[inferno, 2013/05/14 18:00:00]

is try, catch required here.

[Will Harris, 2013/05/14 22:25:54]

removed exception handler, it never gets used in the test

+  catch(e){}
+  }
+  document.execCommand('Undo',false);
+}, 1);
+

[inferno, 2013/05/14 18:00:00]

no need of new line.

[Will Harris, 2013/05/14 22:25:54]

Done.

+</script>
+</head>
+<body>
+<table class="collapse">
+<caption>
+FAIL0

[inferno, 2013/05/14 18:00:00]

FAIL0, FAIL1 make no sense here. Since this a crasher test, we can just have
regular string like ABCD, etc.

[Will Harris, 2013/05/14 22:25:54]

Done.

+</caption>
+</table>
+</body>
+