Postpone mutation event dispatch in Selection.deleteFromDocument

Postpone mutation event dispatch in Selection.deleteFromDocument.

A crash bug which an attached test case causes is following: 
1. Selection.deleteFromDocument calls Range.deleteContents which removes a node through Node.removeChild. 
2. Node.removeChild calls a DOMNodeRemoved event which removes the node. 
3. Then Node.removeChild asserts a DOM exception NOT_FOUND_ERR. 
4. Range.deleteContents picks the exception and it causes crash because Selection.deleteFromDocument calls Range.deleteContents with ASSERT_NO_EXCEPTION. 

This cl changes Selection.deleteFromDocument to delay the mutation event dispatching when it calls Range.deleteContents.
Especially, DOMNodeRemoved will be not kicked.

BUG=339186
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=174944

[Yuta Kitamura, 2014-03-19 06:57:51]

+Yoshi for second opinion

https://codereview.chromium.org/199383004/diff/1/Source/core/page/DOMSelectio...
File Source/core/page/DOMSelection.cpp (right):

https://codereview.chromium.org/199383004/diff/1/Source/core/page/DOMSelectio...
Source/core/page/DOMSelection.cpp:461: EventQueueScope eventQueueScope;
I think this should be done within Range::deleteContents().

[yosin_UTC9, 2014-03-19 07:33:35]

https://codereview.chromium.org/199383004/diff/1/LayoutTests/editing/selectio...
File
LayoutTests/editing/selection/resources/deleteFromDocument-scoped-dispatch-event-crash-iframe.html
(right):

https://codereview.chromium.org/199383004/diff/1/LayoutTests/editing/selectio...
LayoutTests/editing/selection/resources/deleteFromDocument-scoped-dispatch-event-crash-iframe.html:5:
document.addEventListener("DOMNodeRemoved", function () {
nit: Please use single quote in JavaScript.
https://google-styleguide.googlecode.com/svn/trunk/javascriptguide.xml?showon...

https://codereview.chromium.org/199383004/diff/1/Source/core/page/DOMSelectio...
File Source/core/page/DOMSelection.cpp (right):

https://codereview.chromium.org/199383004/diff/1/Source/core/page/DOMSelectio...
Source/core/page/DOMSelection.cpp:461: EventQueueScope eventQueueScope;
On 2014/03/19 06:57:52, Yuta Kitamura wrote:
> I think this should be done within Range::deleteContents().
I agree with yutak@. |Range::deleteContents()| is also fragile against DOM
mutation event attack. I hope changing |Range::deleteContents()| doesn't make
failure on layout tests. Although, if some tests are failed, please update
tests.

[yoichio, 2014-03-20 05:35:24]

> > I think this should be done within Range::deleteContents().
Done.

[Yuta Kitamura, 2014-03-20 06:03:32]

lgtm

[yoichio, 2014-03-20 06:42:12]

The CQ bit was checked by yoichio@chromium.org

[commit-bot: I haz the power, 2014-03-20 06:42:21]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/yoichio@chromium.org/199383004/20001

[commit-bot: I haz the power, 2014-03-20 07:14:21]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-03-20 07:14:22]

Try jobs failed on following builders:
  tryserver.blink on mac_blink_rel

[yoichio, 2014-03-20 23:35:56]

The CQ bit was checked by yoichio@chromium.org

[commit-bot: I haz the power, 2014-03-20 23:36:04]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/yoichio@chromium.org/199383004/20001

[commit-bot: I haz the power, 2014-03-21 00:08:24]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-03-21 00:08:25]

Try jobs failed on following builders:
  tryserver.blink on linux_blink_rel
  tryserver.blink on mac_blink_rel

[yoichio, 2014-05-28 07:24:57]

The CQ bit was checked by yoichio@chromium.org

[commit-bot: I haz the power, 2014-05-28 07:25:15]

CQ is trying da patch. Follow status at
 https://chromium-status.appspot.com/cq/yoichio@chromium.org/199383004/20001

[commit-bot: I haz the power, 2014-05-28 08:10:59]

Change committed as 174944