[CSSRegions]Crash when moving anonymous block children inside a named flow
author commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 23 Aug 2012 18:45:47 +0000 (18:45 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 23 Aug 2012 18:45:47 +0000 (18:45 +0000)
commit 2ebdc48fef46eef3b7be83ebe25af6865635f14f
tree f93ba001ca3def81ccb9eb067ba09c19fbd9ba19
parent 222f79a90b4eaea35bacfef89c48b4a9313cbfe8
[CSSRegions]Crash when moving anonymous block children inside a named flow
https://bugs.webkit.org/show_bug.cgi?id=90865

Patch by Andrei Onea <onea@adobe.com> on 2012-08-23
Reviewed by Abhishek Arya.

Source/WebCore:

When an anonymous block's children are detached in RenderBlock::collapseAnonymousBoxChild, the reference
to their enclosingRenderFlowThread is lost and causes a crash in RenderObject::willBeRemovedFromTree.
Because of this, we now maintain the enclosingRenderFlowThread during the whole lifetime of the
RenderBlock::collapseAnonymousBoxChild function, using a CurrentRenderFlowThreadMaintainer local.

Test: fast/regions/move-anonymous-block-inside-named-flow-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::collapseAnonymousBoxChild):
* rendering/RenderFlowThread.cpp:
(WebCore::CurrentRenderFlowThreadMaintainer::CurrentRenderFlowThreadMaintainer):
(WebCore):
(WebCore::CurrentRenderFlowThreadMaintainer::~CurrentRenderFlowThreadMaintainer):
Moved CurrentRenderFlowThreadMaintainer declaration from .cpp to .h, so that we can access it from
RenderBlock::collapseAnonymousBoxChild.
* rendering/RenderFlowThread.h:
(CurrentRenderFlowThreadMaintainer):
(WebCore):
* rendering/RenderObject.cpp:
(WebCore::RenderObject::willBeRemovedFromTree):

LayoutTests:

Added test for crash which happens when the children of an anonymous block
inside a flow thread are moved.

* fast/regions/move-anonymous-block-inside-named-flow-crash-expected.txt:
* fast/regions/move-anonymous-block-inside-named-flow-crash.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@126459 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/regions/move-anonymous-block-inside-named-flow-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/regions/move-anonymous-block-inside-named-flow-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp
Source/WebCore/rendering/RenderFlowThread.cpp
Source/WebCore/rendering/RenderFlowThread.h
Source/WebCore/rendering/RenderObject.cpp
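
The scoped-maintainer pattern the commit message describes, as an added example that is not WebKit's code: a simplified model in which a node's enclosing flow thread is found by walking ancestors, so detaching the node loses it unless an RAII guard pins it for the whole function. All names (`FlowThread`, `Controller`, `FlowThreadScope`, `Node`, `notifyRemoved`, `collapse`) and the ancestor-walk lookup are assumptions made for illustration.

```cpp
#include <cstdio>

// Simplified stand-ins, not WebKit's classes (all names here are hypothetical).
struct FlowThread { int removedCount = 0; };
struct Controller { FlowThread* current = nullptr; }; // "current flow thread" slot

// RAII guard: pins a flow thread for one scope, restores the previous value on exit.
class FlowThreadScope {
public:
    FlowThreadScope(Controller& c, FlowThread* ft) : m_c(c), m_prev(c.current) { if (ft) m_c.current = ft; }
    ~FlowThreadScope() { m_c.current = m_prev; }
    FlowThreadScope(const FlowThreadScope&) = delete;
    FlowThreadScope& operator=(const FlowThreadScope&) = delete;
private:
    Controller& m_c;
    FlowThread* m_prev;
};

struct Node {
    Node* parent = nullptr;
    FlowThread* ownFlowThread = nullptr; // set only on the flow thread's root
    // Assumed lookup: use the pinned value if any, else walk the ancestors.
    FlowThread* enclosingFlowThread(const Controller& c) const {
        if (c.current) return c.current;
        for (const Node* n = this; n; n = n->parent)
            if (n->ownFlowThread) return n->ownFlowThread;
        return nullptr;
    }
};

// Removal notification; returns false where unguarded code would dereference null.
bool notifyRemoved(Node& n, const Controller& c) {
    FlowThread* ft = n.enclosingFlowThread(c);
    if (!ft) return false;
    ++ft->removedCount;
    return true;
}

// Detach first, then notify. With pin=true the guard spans both steps.
bool collapse(Node& child, Controller& c, bool pin) {
    FlowThreadScope scope(c, pin ? child.enclosingFlowThread(c) : nullptr);
    child.parent = nullptr;
    return notifyRemoved(child, c);
}

int main() {
    FlowThread ft; Controller c; Node root, anon, a, b;
    root.ownFlowThread = &ft; anon.parent = &root; a.parent = b.parent = &anon;
    std::printf("unpinned=%d pinned=%d\n", collapse(a, c, false), collapse(b, c, true));
}
```

Because the guard restores the previous value in its destructor, every exit path from `collapse` leaves the controller's slot as it found it.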