Crash in WebCore::RenderListItem::updateMarkerLocation
author inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 6 Aug 2012 17:46:32 +0000 (17:46 +0000)
committer inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 6 Aug 2012 17:46:32 +0000 (17:46 +0000)
commit ffa10e3f1484c6c637900599a726efa78c63c571
tree 64f5082d52f869704206d7c9e1df9edc862d9ae4
parent f09f68fefbe7b0df36be5edbd0a0be7e31ba72a0
Crash in WebCore::RenderListItem::updateMarkerLocation
https://bugs.webkit.org/show_bug.cgi?id=90476

Patch by Douglas Stockwell <dstockwell@chromium.org> on 2012-08-06
Reviewed by Abhishek Arya.

Source/WebCore:

In some cases an anonymous block is destroyed when its last child is
removed. RenderListItem did not expect this and has its own logic for
cleaning up such blocks when the list marker is removed. Detect this
case in RenderBlock::removeChild to defer to the logic in RenderListItem::updateListMarker.

Test: fast/lists/list-marker-remove-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeChild):

LayoutTests:

* fast/lists/list-marker-remove-crash-expected.txt: Added.
* fast/lists/list-marker-remove-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@124783 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/lists/list-marker-remove-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/lists/list-marker-remove-crash.html [new file with mode: 0644]
LayoutTests/platform/chromium/TestExpectations
LayoutTests/platform/efl/TestExpectations
LayoutTests/platform/gtk/TestExpectations
LayoutTests/platform/mac/TestExpectations
LayoutTests/platform/qt/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBlock.cpp
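
The lifetime problem the commit message describes, as an added toy model (not WebKit code and not part of this commit): the `Node` type, the `deferForMarker` flag and `runScenario` are assumptions made for illustration, and the stale pointer is reported through a return value instead of being dereferenced.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Toy render tree, constructed for illustration; not WebKit's classes.
struct Node {
    bool anonymous = false, isListMarker = false;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;
    Node* add(bool anon, bool marker) {
        children.push_back(std::unique_ptr<Node>(new Node()));
        Node* n = children.back().get();
        n->anonymous = anon; n->isListMarker = marker; n->parent = this;
        return n;
    }
};

// Unlink `child` from its parent and free it together with its subtree.
static void destroy(Node* child) {
    auto& v = child->parent->children;
    v.erase(std::find_if(v.begin(), v.end(),
        [child](const std::unique_ptr<Node>& p) { return p.get() == child; }));
}

// Generic removal: an anonymous block left empty is destroyed as well.
// deferForMarker models the fix: an emptied block is left in place when the
// removed child is a list marker. Returns true if the block was destroyed.
static bool removeChild(Node* child, bool deferForMarker) {
    Node* block = child->parent;
    bool wasMarker = child->isListMarker;
    destroy(child);
    bool collapse = block->anonymous && block->children.empty() && block->parent;
    if (collapse && !(deferForMarker && wasMarker)) { destroy(block); return true; }
    return false;
}

// List item cleanup: holds a pointer to the marker's parent across the
// removal. Returns false where that pointer would be dangling.
static bool updateMarkerLocation(Node* marker, bool deferForMarker) {
    Node* markerParent = marker->parent;
    if (removeChild(marker, deferForMarker)) return false; // markerParent freed
    if (markerParent->anonymous && markerParent->children.empty()) destroy(markerParent);
    return true;
}

// Builds listItem > anonymous block > marker, then removes the marker.
// Result: 0 = stale pointer reached, 1 = block cleaned up exactly once.
int runScenario(bool deferForMarker) {
    Node listItem;
    Node* marker = listItem.add(true, false)->add(false, true);
    return updateMarkerLocation(marker, deferForMarker) && listItem.children.empty() ? 1 : 0;
}
```

With `deferForMarker` false, two code paths both believe they own the cleanup of the anonymous block, which is the condition behind the crash; with it true, only the list item's path frees the block.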