CSSRegions: Crash when attaching a region to the removed named flow
authormihnea@adobe.com <mihnea@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 Aug 2012 19:13:22 +0000 (19:13 +0000)
committermihnea@adobe.com <mihnea@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 9 Aug 2012 19:13:22 +0000 (19:13 +0000)
commit526149c92765cd114a512471e676df6405199af6
treeaad3e4c557079c0bdc94c101e40cfcadd0374fa4
parentae13b018ece268a5103ed92612e32004af7013a0
CSSRegions: Crash when attaching a region to the removed named flow
https://bugs.webkit.org/show_bug.cgi?id=93204

Reviewed by Abhishek Arya.

Source/WebCore:

The crash happens because the flow thread reference is passed to the RenderRegion object
when the RenderRegion object is created. However, it is only in RenderRegion::attachRegion method
when the region is taken into account and stored in flow thread regions list. Under these circumstances,
it is possible that the flow thread passed to the region at the moment of region creation be destroyed
before the region gets the chance to be attached to the flow thread and a crash will occur.

This patch moves the moment when the RenderRegion object stores its 'weak' reference to the flow thread
from RenderRegion constructor to attachRegion method, preventing the situation in which the region is attached
to a wrong flow thread object.

Test: fast/regions/region-attached-wrong-flow-crash.html

* rendering/RenderObject.cpp:
(WebCore::RenderObject::createObject): Pass 0 instead of a reference to the flow thread.
* rendering/RenderRegion.cpp:
(WebCore::RenderRegion::checkRegionStyle): Added this function to check whether the region has region style rules attached.
(WebCore):
(WebCore::RenderRegion::styleDidChange): Use checkRegionStyle.
(WebCore::RenderRegion::attachRegion): Store the reference to the flow thread. If the flow thread does not exist, it will be created.
Also, check whether the region has region style rules attached, since at this moment the region has a flow thread. Checking whether
the region has region style rules is not enough in styleDidChange, because styleDidChange is sometimes triggered before attachRegion.
* rendering/RenderRegion.h:
(RenderRegion):

LayoutTests:

Add test reproducing the crash.

* fast/regions/region-attached-wrong-flow-crash-expected.txt: Added.
* fast/regions/region-attached-wrong-flow-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@125192 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/regions/region-attached-wrong-flow-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/regions/region-attached-wrong-flow-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderObject.cpp
Source/WebCore/rendering/RenderRegion.cpp
Source/WebCore/rendering/RenderRegion.h