Sunny He 534890f423 Fix crash when Node::normalize() triggers mutation event that modifies child order ... https://bugs.webkit.org/show_bug.cgi?id=207875 <rdar://58976682> Patch by Sunny He <sunny_he@apple.com> on 2020-02-19 Reviewed by Ryosuke Niwa. When Node::normalize() merges two text nodes, it calls appendData before textNodesMerged. If there is a mutator event registered, it will fire on the call to appendData, potentially changing the child order and causing a nullptr crash due to incorrect sibling pointers. Reverse the order of these calls to ensure order gets correctly updated. Source/WebCore: Test: fast/dom/Node/normalize-mutation-event.html * dom/Node.cpp: (WebCore::Node::normalize): LayoutTests: * fast/dom/Node/normalize-mutation-event-expected.txt: Added. * fast/dom/Node/normalize-mutation-event.html: Added. Canonical link: https://commits.webkit.org/220951@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@257036 268f45cc-cd09-0410-ab3c-d52691b4dbfc		2020-02-20 03:36:53 +00:00
..
DOMNodeRemovedEvent-expected.txt	WebCore:	2008-06-08 19:41:25 +00:00
DOMNodeRemovedEvent.html	…
appendChild-no-op-mutationobserver-expected.txt	…
appendChild-no-op-mutationobserver.html	…
contains-method-expected.txt	…
contains-method.html	…
default-namespace-empty-argument-expected.txt	…
default-namespace-empty-argument.html	…
fragment-mutation-expected.txt	…
fragment-mutation.html	…
initial-values-expected.txt	…
initial-values.html	…
insertBefore-no-op-mutationobserver-expected.txt	…
insertBefore-no-op-mutationobserver.html	…
isEqualNode-expected.txt	…
isEqualNode.html	…
mutation-blur-expected.txt	…
mutation-blur.html	…
normalize-expected.txt	…
normalize-mutation-event-expected.txt	…
normalize-mutation-event.html	…
normalize-with-cdata-expected.txt	…
normalize-with-cdata.html	…
normalize.html	…
nullable-parameters-expected.txt	…
nullable-parameters.html	…
replaceChild-notFoundError-expected.txt	…
replaceChild-notFoundError.html	…
textContent-mutationEvents-expected.txt	…
textContent-mutationEvents.html	…