Fix a bug in Range::didSplitTextNode() that may yield an invalid Range object.

Source/core/dom/Range.cpp

Index: Source/core/dom/Range.cpp
diff --git a/Source/core/dom/Range.cpp b/Source/core/dom/Range.cpp
index 53a081d175f13e58a51dee60b31a953d1ef101cc..690e034061c641f35c78bfa457fbb2579cfcbda6 100644
--- a/Source/core/dom/Range.cpp
+++ b/Source/core/dom/Range.cpp
@@ -1457,6 +1457,8 @@ void Range::checkDeleteExtract(ExceptionState& exceptionState)
         return;
     }
 
+    ASSERT(boundaryPointsValid());
+
     if (!commonAncestorContainer(exceptionState) || exceptionState.hadException())
         return;
 
@@ -1765,12 +1767,12 @@ void Range::didMergeTextNodes(NodeWithIndex& oldNode, unsigned offset)
 
 static inline void boundaryTextNodeSplit(RangeBoundaryPoint& boundary, Text* oldNode)
 {
-    if (boundary.container() != oldNode)
-        return;
+    Node* boundaryContainer = boundary.container();
     unsigned boundaryOffset = boundary.offset();
-    if (boundaryOffset <= oldNode->length())
-        return;
-    boundary.set(oldNode->nextSibling(), boundaryOffset - oldNode->length(), 0);
+    if (boundary.childBefore() == oldNode)
+        boundary.set(boundaryContainer, boundaryOffset + 1, oldNode->nextSibling());
+    else if (boundary.container() == oldNode && boundaryOffset > oldNode->length())
+        boundary.set(oldNode->nextSibling(), boundaryOffset - oldNode->length(), 0);
 }
 
 void Range::didSplitTextNode(Text* oldNode)
@@ -1783,6 +1785,7 @@ void Range::didSplitTextNode(Text* oldNode)
     ASSERT(oldNode->nextSibling()->isTextNode());
     boundaryTextNodeSplit(m_start, oldNode);
     boundaryTextNodeSplit(m_end, oldNode);
+    ASSERT(boundaryPointsValid());
 }
 
 void Range::expand(const String& unit, ExceptionState& exceptionState)