WebKit GIT trees - WebKit-https.git/commit

REGRESSION (r168046): Crash in WebCore::InlineBox::renderer / WebCore::RenderFlowThread::checkLinesConsistency
https://bugs.webkit.org/show_bug.cgi?id=133462

Reviewed by David Hyatt.

RenderFlowThread::m_lineToRegionMap stores pointers to the root inlineboxes in the block flow.
Normally root inlineboxes remove themselves from this map in their dtors. However when collapsing an anonymous block,
we detach the inline tree first and destroy them after. The detached root boxes can't access
the flowthread containing block and we end up with dangling pointers in this map.
Call removeFlowChildInfo() before detaching the subtree to ensure proper pointer removal.

Source/WebCore:

Test: fast/multicol/newmulticol/crash-when-switching-to-floating.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::collapseAnonymousBoxChild):

LayoutTests:

* fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt: Added.
* fast/multicol/newmulticol/crash-when-switching-to-floating.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@179877 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 10 Feb 2015 20:27:40 +0000 (20:27 +0000)
committer	zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Tue, 10 Feb 2015 20:27:40 +0000 (20:27 +0000)
commit	70a976ee566c5b38274089fa11bdb42c86b94c22
tree	4fdcb6e29b349176668730bcbf5ea2c21fc7da95	tree \| snapshot
parent	485bffad95e2414c0a2ec5ca159916b35e91268a	commit \| diff

LayoutTests/ChangeLog		diff \| blob \| history
LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating-expected.txt	[new file with mode: 0644]	blob
LayoutTests/fast/multicol/newmulticol/crash-when-switching-to-floating.html	[new file with mode: 0644]	blob
Source/WebCore/ChangeLog		diff \| blob \| history
Source/WebCore/rendering/RenderBlock.cpp		diff \| blob \| history