Crash in WebCore::RenderBlock::removeChild
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 22 Aug 2012 15:34:57 +0000 (15:34 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 22 Aug 2012 15:34:57 +0000 (15:34 +0000)
commita030d2e3e5b14602991294c1024a2c62f6c70311
treed43b922e5611fc5c447c326d773bac28fc92ea93
parentb478b38c5a47851fde5ff0e0ded9d5470272c778
Crash in WebCore::RenderBlock::removeChild
https://bugs.webkit.org/show_bug.cgi?id=93879

Patch by Raul Hudea <rhudea@adobe.com> on 2012-08-22
Reviewed by Abhishek Arya.

Source/WebCore:

By adding the lifetime state to the RenderNamedFlowThread (r122556), it become possible for the a RenderRegion object to delete its sibling,
the RenderNamedFlowThread. This is unexpected in the rendering world and cause problems in RenderBlock::removeChild where we retain previous
and next sibling pointers.
So, all the RenderNamedFlowThread are created under a RenderFlowThreadContainer object insted of the RenderView. The new object is created only
when the first named flow is created.

Test: fast/regions/remove-flow-thread-crash.html

* CMakeLists.txt:
* GNUmakefile.list.am:
* Target.pri:
* WebCore.gypi:
* WebCore.vcproj/WebCore.vcproj:
* WebCore.xcodeproj/project.pbxproj:
* rendering/FlowThreadController.cpp:
(WebCore::FlowThreadController::FlowThreadController): Added initialization for the new RenderFlowThreadContainer member
(WebCore::FlowThreadController::ensureRenderFlowThreadWithName): Added the creation of the RenderFlowThreadContainer object and use it as a parent for all RenderNamedFlowThreads
(WebCore::FlowThreadController::styleDidChange): Inform all the RenderNamedFlowThreads that the style changed in regions (initially this code was in RenderView, but now all RenderNamedFlowThreads are children of RenderFlowThreadContainer)
(WebCore):
* rendering/FlowThreadController.h:
(WebCore):
(FlowThreadController):
* rendering/RenderFlowThreadContainer.cpp: Added.
(WebCore):
(WebCore::RenderFlowThreadContainer::RenderFlowThreadContainer):
(WebCore::RenderFlowThreadContainer::layout):
* rendering/RenderFlowThreadContainer.h: Added.
* rendering/RenderObject.cpp:
(WebCore::RenderObject::markContainingBlocksForLayout): Skip to RenderView if the current object is an RenderFlowThreadContainer.
* rendering/RenderObject.h:
(WebCore::RenderObject::isRenderFlowThreadContainer):
* rendering/RenderView.cpp:
(WebCore::RenderView::styleDidChange): Moved the code associated to RenderNamedFlowThreads to FlowThreadController:styleDidChange and call it instead.

LayoutTests:

Test the region-flow_thread sibling case

* fast/regions/remove-flow-thread-crash-expected.txt: Added.
* fast/regions/remove-flow-thread-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@126304 268f45cc-cd09-0410-ab3c-d52691b4dbfc
17 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/regions/remove-flow-thread-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/regions/remove-flow-thread-crash.html [new file with mode: 0644]
Source/WebCore/CMakeLists.txt
Source/WebCore/ChangeLog
Source/WebCore/GNUmakefile.list.am
Source/WebCore/Target.pri
Source/WebCore/WebCore.gypi
Source/WebCore/WebCore.vcproj/WebCore.vcproj
Source/WebCore/WebCore.xcodeproj/project.pbxproj
Source/WebCore/rendering/FlowThreadController.cpp
Source/WebCore/rendering/FlowThreadController.h
Source/WebCore/rendering/RenderFlowThreadContainer.cpp [new file with mode: 0644]
Source/WebCore/rendering/RenderFlowThreadContainer.h [new file with mode: 0644]
Source/WebCore/rendering/RenderObject.cpp
Source/WebCore/rendering/RenderObject.h
Source/WebCore/rendering/RenderView.cpp