Range.insertNode should verify parent before setting end to it

Source/core/dom/Range.cpp

Index: Source/core/dom/Range.cpp
diff --git a/Source/core/dom/Range.cpp b/Source/core/dom/Range.cpp
index 0020d59410cc9e7d97e78678df1c14b96fb39b8b..eb1ef036103a84722028992973a2850e404e933e 100644
--- a/Source/core/dom/Range.cpp
+++ b/Source/core/dom/Range.cpp
@@ -894,8 +894,13 @@ void Range::insertNode(PassRefPtrWillBeRawPtr<Node> prpNewNode, ExceptionState&
         if (exceptionState.hadException())
             return;
 
-        if (collapsed)
+        if (collapsed) {
+            if (!newText->parentNode()) {

[Yuta Kitamura, 2014/08/07 09:30:41]

I wonder how newText->parentNode() becomes null.

Let me confirm my understanding to this code:
* At line 888: |container| is a text node, and it is split
  into two text nodes: |container| and |newText|.
* At line 893: |container->parentNode()| (called "P"
  hereafter) exists and is non-null. With the step above
  in mind, |container| and |newText| share the same parent
  node P.
* At line 898: newText->parentNode() should be equal to P,
  which is non-null as far as I understand.

Am I wrong? Is there any place where my assumption does not
hold? I guess insertBefore() may cause some side effect but
I'm not sure how it affects the existence of
newText->parentNode().

[kangil_, 2014/08/07 09:59:50]

insertBefore() will trigger Container::insertBefore and fire event. So in some
cases, e.g. test case of this CL, Range.surroundsContent will be called while
calling same.

[Yuta Kitamura, 2014/08/08 04:27:55]

That's weird. We are within a scope of EventQueueScope, which
means such events are queued and will be fired later. What events
are fired?

[kangil_, 2014/08/08 04:52:25]

load event is fired.

When range.surroundContents(testFrame) is called;
Range::insertNode -> ContainerNode::insertBefore ->
ContainerNode::updateTreeAfterInsertion -> ContainerNode::notifyNodeInserted ->
.... -> EventDispatcher::dispatch

[Yuta Kitamura, 2014/08/08 05:25:07]

I'm lost somewhere between ContainerNode::notifyNodeInserted and
EventDispatcher::dispatch. Could you elaborate more?

+                exceptionState.throwDOMException(HierarchyRequestError, "This operation would set range's end to parent with new offset, but there's no parent into which to continue.");
+                return;
+            }
             m_end.setToBeforeChild(*newText);
+        }
     } else {
         RefPtrWillBeRawPtr<Node> lastChild = (newNodeType == Node::DOCUMENT_FRAGMENT_NODE) ? toDocumentFragment(newNode)->lastChild() : newNode.get();
         if (lastChild && lastChild == m_start.childBefore()) {