Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop...
author: jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 May 2015 17:15:16 +0000 (17:15 +0000)
committer: jer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 May 2015 17:15:16 +0000 (17:15 +0000)
commit: 0f7288ae4d05a98eecc3c1fcd143b92f30e59414
tree: 9f559939384bbccddab85e44804ce240295abcc6
parent: 8dd6def3abce9cfe25afb0ee6f737e0302030077
Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count
https://bugs.webkit.org/show_bug.cgi?id=145042

Reviewed by David Hyatt.

RenderFlowThread previously used a ListHashSet to store its stack of active objects. This
is problematic because, if the same object is pushed twice, only a single entry of that
object is added to the stack. After this occurs, a matching number of pushes will pop too
many items off the stack, causing a crash when popping a stack with zero items. This
specifically happens in FrameView::layout(), which will push its root renderer on the stack
of active items, and then ask the root to layout(), which will attempt to push itself on the
stack of active items.

Instead of a ListHashSet, use a Vector, which has similar memory characteristics and no
uniqueness requirements.

* rendering/RenderFlowThread.cpp:
(WebCore::RenderFlowThread::pushFlowThreadLayoutState):
(WebCore::RenderFlowThread::popFlowThreadLayoutState):
* rendering/RenderFlowThread.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@184394 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderFlowThread.cpp
Source/WebCore/rendering/RenderFlowThread.h
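An added illustration of the bug the message describes, not code from this commit or from WebKit: a minimal model of the active-object stack that can behave either like the old ListHashSet (a second push of an already-present object adds no entry) or like the Vector used by the fix, replaying the FrameView::layout() sequence where the root renderer is pushed twice and popped twice. The names LayoutStateStack, RenderObject and replayNestedRootLayout are stand-ins chosen for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Stand-in for a renderer; only its identity matters for the stack.
struct RenderObject { int id; };

// Minimal model of the active-object stack. With uniqueEntries == true it
// behaves like the old ListHashSet (a second push of the same object adds
// nothing); with false it behaves like the Vector used by the fix.
class LayoutStateStack {
public:
    explicit LayoutStateStack(bool uniqueEntries) : m_unique(uniqueEntries) {}

    void push(RenderObject* object) {
        if (m_unique && std::find(m_items.begin(), m_items.end(), object) != m_items.end())
            return;   // ListHashSet semantics: already present, no new entry
        m_items.push_back(object);
    }

    // Reports underflow instead of crashing so the mismatch can be observed.
    bool pop() {
        if (m_items.empty())
            return false;
        m_items.pop_back();
        return true;
    }

    size_t size() const { return m_items.size(); }

private:
    bool m_unique;
    std::vector<RenderObject*> m_items;
};

// Replays the sequence from the commit message: FrameView::layout() pushes
// the root renderer, the root's own layout() pushes itself again, and each
// caller pops on the way out. Returns true only if every pop found an item.
bool replayNestedRootLayout(bool uniqueEntries) {
    RenderObject root { 1 };
    LayoutStateStack stack(uniqueEntries);
    stack.push(&root);               // FrameView::layout()
    stack.push(&root);               // root->layout() pushes itself
    bool innerPop = stack.pop();     // root->layout() returns
    bool outerPop = stack.pop();     // FrameView::layout() returns
    return innerPop && outerPop;     // set-backed: false; vector-backed: true
}
```

With uniqueEntries set to true the second pop underflows, which is the condition that crashed in popFlowThreadLayoutState(); with false the pushes and pops balance.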