Reviewed by Adele Peterson.

        Test case for <rdar://problem/7085453>.

        * editing/selection/blockquote-crash-expected.txt: Added.
        * editing/selection/blockquote-crash.html: Added.
2009-09-29  Enrica Casucci  <enrica@apple.com>

        Reviewed by Adele Peterson.

        Reproducible crash pressing return inside quoted content
        at WebCore::BreakBlockquoteCommand::doApply.
        <rdar://problem/7085453>
        In some case, like the one provided in the test case, m_downStreamEnd
        refers to a node that gets deleted when executing the DeleteSelectionCommand.
        We shouldn't use m_downStreamEnd to recalculate the new m_endPosition when
        pruning is needed, because it may be point to a node that has been deleted, but
        rather rely on removeNode in CompositeEditCommand to update m_endPosition correctly.

        Test: editing/selection/blockquote-crash.html

        * editing/BreakBlockquoteCommand.cpp:
        (WebCore::BreakBlockquoteCommand::doApply): Added check for invalid position
        to avoid dereferencing a null node pointer.
        * editing/DeleteSelectionCommand.cpp:
        (WebCore::DeleteSelectionCommand::mergeParagraphs): Don't reset m_endPosition
        using the value in m_downStreamEnd when it is necessary to prune the start block.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48910 268f45cc-cd09-0410-ab3c-d52691b4dbfc