ASAN_TRAP | WebCore::RenderObject::~RenderObject; WebCore::RenderInli…

…ne::~RenderInline.

https://bugs.webkit.org/show_bug.cgi?id=269667
rdar://122491721

Reviewed by Ryosuke Niwa and Chris Dumez.

Reduce the scope of CheckedPtr renderer in `SplitTextNodeContainingElementCommand::doApply`,
as following `splitElement` could destruct renderer.

* LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change-expected.txt: Added.
* LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change.html: Added.
* Source/WebCore/editing/SplitTextNodeContainingElementCommand.cpp:
(WebCore::SplitTextNodeContainingElementCommand::doApply):

Originally-landed-as: 272448.580@safari-7618-branch (3dc4ac4). rdar://128215842
Canonical link: https://commits.webkit.org/278897@main

LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change-expected.txt

@@ -0,0 +1,3 @@
+
+This test passes if it does not crash.
+

LayoutTests/fast/text/splitText-crash-during-tear-down-renderers-after-slot-change.html

@@ -0,0 +1,42 @@
+<style>
+    .class1,
+    .class0:dir(rtl),
+    span {
+        scroll;
+        -webkit-animation: keyframes2, keyframes4
+    }
+
+    @keyframes keyframes4 {}
+</style>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+    function f0() {
+        try { x44.outerHTML = "This test passes if it does not crash."; } catch { }
+        try { x47.select(); } catch { }
+        try { window.onanimationstart = f4; } catch { }
+    }
+    function f4() {
+        try { x19.addEventListener("DOMSubtreeModified", f0); } catch { }
+        try { v12 = window.document; } catch { }
+        try { window.find("a"); } catch { }
+        try { x19.type = "a"; } catch { }
+        try { v55 = window.top; } catch { }
+        try { document.designMode = "on"; } catch { }
+        try { v55.find("This test passes if it does not crash"); } catch { }
+        try { v12.execCommand("subscript", false, null); } catch { }
+        try { x47.selectionEnd = 4; } catch { }
+    }
+</script>
+<textarea id="x47" onfocus="f0()" autofocus="" class="class3">
+</textarea>
+<embed class="class1" part="part1">
+</object>
+<details open="" tabindex="-1">
+    <summary id="x44" itemgroup="AA">
+    </summary>
+    <dd dir="rtl" class="class0" onclick="f0()">
+        <li id="x19" accesskey="A">
+        </li>
+    </dd>
+</details>

Source/WebCore/editing/SplitTextNodeContainingElementCommand.cpp

@@ -52,15 +52,17 @@ void SplitTextNodeContainingElementCommand::doApply()
     if (!parent || !parent->parentElement() || !parent->parentElement()->hasEditableStyle())
         return;
 
+    bool parentRendererIsNoneOrNotInline = false;
     {
         CheckedPtr parentRenderer = parent->renderer();
-        if (!parentRenderer || !parentRenderer->isInline()) {
-            wrapContentsInDummySpan(*parent);
-            RefPtr firstChild = dynamicDowncast<Element>(parent->firstChild());
-            if (!firstChild)
-                return;
-            parent = WTFMove(firstChild);
-        }
+        parentRendererIsNoneOrNotInline = !parentRenderer || !parentRenderer->isInline();
+    }
+    if (parentRendererIsNoneOrNotInline) {
+        wrapContentsInDummySpan(*parent);
+        RefPtr firstChild = parent->firstChild();
+        if (!is<Element>(firstChild))
+            return;
+        parent = downcast<Element>(WTFMove(firstChild));
     }
 
     splitElement(*parent, m_text);