CSSRegions: Crash when using style in region for removed element.
author: mihnea@adobe.com <mihnea@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 12 Aug 2012 15:57:25 +0000 (15:57 +0000)
committer: mihnea@adobe.com <mihnea@adobe.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 12 Aug 2012 15:57:25 +0000 (15:57 +0000)
commit 85f2f005c129841df9023ff974ce178446b6b7ab
tree cf0bd859f7711a29c5b7f50b09501634a95086aa
parent cf77b8df5093edfe1d6054bd8f48bf36e5f56749
CSSRegions: Crash when using style in region for removed element.
https://bugs.webkit.org/show_bug.cgi?id=93276

Reviewed by Abhishek Arya.

Source/WebCore:

When a RenderInline object from within a render flow thread is split, the cloned
hierarchy built during the split process does not have the inRenderFlowThread bit
set properly. If the cloned hierarchy is flowed into a region with region style rules,
we compute the style in region also for objects that do not have the inRenderFlowThread bit
set and we store the computed style in region for caching purposes. But we only remove
an object's style in region information if that object has the inRenderFlowThread bit set.
Under these circumstances, it is possible to remove an object with cached style in region
and without the inRenderFlowThread bit set from the render tree and leave the associated cached
information un-removed. Such information will be accessed during the next paint phase of
the region, thus resulting in a crash.

The fix is to modify the RenderBlock::clone() and RenderInline::clone() functions to also copy the inRenderFlowThread bit
from the source into the clone, so that the cloned hierarchies will have the inRenderFlowThread
bit set properly.

Test: fast/regions/removed-element-style-in-region-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::clone):
* rendering/RenderInline.cpp:
(WebCore::RenderInline::clone): Replace former static RenderInline::cloneInline with member RenderInline::clone.
(WebCore::RenderInline::splitInlines):
* rendering/RenderInline.h:
(RenderInline):
* rendering/RenderRegion.cpp:
(WebCore::RenderRegion::setObjectStyleInRegion):
Added an assert to make sure that when we are computing style in region, we are doing it for objects
with the inRenderFlowThread bit set. Also, bail out early in this case to prevent further crashes.

LayoutTests:

Added test reproducing the problem.

* fast/regions/removed-element-style-in-region-crash-expected.txt: Added.
* fast/regions/removed-element-style-in-region-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@125376 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/regions/removed-element-style-in-region-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/regions/removed-element-style-in-region-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp
Source/WebCore/rendering/RenderInline.cpp
Source/WebCore/rendering/RenderInline.h
Source/WebCore/rendering/RenderRegion.cpp
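The cache asymmetry described in the commit message, reduced to a small stand-alone model as an added example (this is not WebKit code; RenderObj, Region, cloneBuggy, cloneFixed and staleEntriesAfterRemoval are hypothetical names): a clone that drops the flow-thread flag still gets a cached style entry, but removal is conditioned on the flag, so the entry outlives the object. The same model also shows the early bail-out the commit adds to the setter.

```cpp
// Added example, not WebKit code: minimal model of the style-in-region cache
// and the clone/removal asymmetry behind the crash. All names are hypothetical.
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>

struct RenderObj {
    bool inRenderFlowThread = false;
    // Buggy clone: the flag is not propagated (the behaviour the commit fixes).
    std::unique_ptr<RenderObj> cloneBuggy() const { return std::make_unique<RenderObj>(); }
    // Fixed clone: the flag is copied from the source into the clone.
    std::unique_ptr<RenderObj> cloneFixed() const {
        auto c = std::make_unique<RenderObj>();
        c->inRenderFlowThread = inRenderFlowThread;
        return c;
    }
};

// A region caches computed per-object style keyed by object address.
struct Region {
    std::unordered_map<const RenderObj*, std::string> styleInRegion;
    bool bailOutForNonFlowThreadObjects = false;  // models the early return added in RenderRegion

    void setObjectStyleInRegion(const RenderObj* o, std::string style) {
        if (bailOutForNonFlowThreadObjects && !o->inRenderFlowThread)
            return;  // hardened: never cache for an object that cleanup would skip
        styleInRegion[o] = std::move(style);
    }
    // Cleanup keeps the original asymmetry: only flow-thread objects are erased.
    void removeObjectStyleInRegion(const RenderObj* o) {
        if (o->inRenderFlowThread)
            styleInRegion.erase(o);
    }
};

// Simulates split -> style in region -> removal from the tree -> destruction.
// Returns the number of cache entries still keyed by the destroyed object's
// address; 0 is the safe result, 1 means a dangling entry the next paint would use.
std::size_t staleEntriesAfterRemoval(bool copyFlagOnClone, bool hardenedSetter) {
    RenderObj original;
    original.inRenderFlowThread = true;
    Region region;
    region.bailOutForNonFlowThreadObjects = hardenedSetter;
    auto clone = copyFlagOnClone ? original.cloneFixed() : original.cloneBuggy();
    region.setObjectStyleInRegion(clone.get(), "color: red");
    region.removeObjectStyleInRegion(clone.get());
    const RenderObj* dangling = clone.get();
    clone.reset();  // object is gone; any entry left for it now dangles
    return region.styleInRegion.count(dangling);
}
```

Only the combination of the buggy clone and the unhardened setter leaves a stale entry; either half of the commit's change (copying the bit, or bailing out in the setter) closes the gap.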