Fixing a crash in InsertListCommand.

Source/core/dom/Range.cpp

Index: Source/core/dom/Range.cpp
diff --git a/Source/core/dom/Range.cpp b/Source/core/dom/Range.cpp
index 85906a831541882178e89be7e9c85b864e07bc3a..315ef3bda3229e3f98788ea089f5ed519b606a3a 100644
--- a/Source/core/dom/Range.cpp
+++ b/Source/core/dom/Range.cpp
@@ -901,6 +901,11 @@ PassRefPtr<Node> Range::processAncestorsAndTheirSiblings(ActionType action, Node
             Node* child = it->get();
             switch (action) {
             case DELETE_CONTENTS:
+                // ancestor->removeChild(<child before this child>) might cause the tree change
+                // because removeChild might call dispatchSubtreeModifiedEvent.
+                // Then we should validate again.

[Yuta Kitamura, 2014/02/26 10:41:16]

nit: The first sentence sounds a little bit strange
(what's "child before this child"?).

Also, in the last sentence "validate" sounds a little
bit vague under this context.

With that in mind I'd suggest something like:

    // Prior call of ancestor->removeChild() may cause a tree change due to
DOMSubtreeModified event.
    // Therefore, we need to make sure |ancestor| is still |child|'s parent.

[yoichio, 2014/02/27 04:00:03]

Done.

+                if (ancestor != child->parentNode())

[Yuta Kitamura, 2014/02/26 10:41:16]

Ideally, we could have bulk-removal functionality
to avoid this kind of mistake, but your change seems
acceptable at this moment.

You can make the code cleaner by replacing the lines
907-909 with:

    if (ancestor == child->parentNode())
        ancestor->removeChild(child, exceptionState);

[yoichio, 2014/02/27 04:00:03]

Done.

+                    break;
                 ancestor->removeChild(child, exceptionState);
                 break;
             case EXTRACT_CONTENTS: // will remove child from ancestor