Crash in WebCore::RenderElement::containingBlockForObjectInFlow
author zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Mar 2016 00:45:25 +0000 (00:45 +0000)
committer zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Mar 2016 00:45:25 +0000 (00:45 +0000)
commit fe431dce218dbe23cf1d551877f47feb53b41d0e
tree 02a8548f16bcf06582b897b2aca8e76efcf9cfb7
parent 8d3a852f6019b02b1bda2fc8525f4ac949a7d947
Crash in WebCore::RenderElement::containingBlockForObjectInFlow
https://bugs.webkit.org/show_bug.cgi?id=155109

Reviewed by Simon Fraser.

It's unsafe to call containingBlock() on RenderView.

Unable to reproduce.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::styleWillChange):
(WebCore::RenderBlock::isSelfCollapsingBlock):
(WebCore::RenderBlock::selectionGaps):
* rendering/RenderBox.cpp:
(WebCore::RenderBox::borderBoxRectInRegion):
(WebCore::RenderBox::computePercentageLogicalHeight):
(WebCore::RenderBox::computeReplacedLogicalHeightUsing):
(WebCore::logicalWidthIsResolvable):
(WebCore::RenderBox::percentageLogicalHeightIsResolvableFromBlock):
* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::hasAutoHeightOrContainingBlockWithAutoHeight):
* rendering/RenderFlowThread.cpp:
(WebCore::RenderFlowThread::adjustedPositionRelativeToOffsetParent):
(WebCore::RenderFlowThread::offsetFromLogicalTopOfFirstRegion):
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::hasCompositedLayerInEnclosingPaginationChain):
(WebCore::RenderLayer::updatePagination):
(WebCore::inContainingBlockChain):
* rendering/RenderMultiColumnFlowThread.cpp:
(WebCore::isValidColumnSpanner):
* rendering/RenderNamedFlowThread.cpp:
(WebCore::RenderNamedFlowThread::decorationsClipRectForBoxInNamedFlowFragment):
* rendering/RenderObject.cpp:
(WebCore::hasFixedPosInNamedFlowContainingBlock):
* rendering/RenderReplaced.cpp:
(WebCore::firstContainingBlockWithLogicalWidth):
* rendering/RenderView.cpp:
(WebCore::RenderView::subtreeSelectionBounds):
(WebCore::RenderView::repaintSubtreeSelection):
(WebCore::RenderView::clearSubtreeSelection):
(WebCore::RenderView::applySubtreeSelection):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197716 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp
Source/WebCore/rendering/RenderBox.cpp
Source/WebCore/rendering/RenderBoxModelObject.cpp
Source/WebCore/rendering/RenderFlowThread.cpp
Source/WebCore/rendering/RenderLayer.cpp
Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp
Source/WebCore/rendering/RenderNamedFlowThread.cpp
Source/WebCore/rendering/RenderObject.cpp
Source/WebCore/rendering/RenderReplaced.cpp
Source/WebCore/rendering/RenderView.cpp