Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
author inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Jan 2013 00:22:41 +0000 (00:22 +0000)
committer inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Jan 2013 00:22:41 +0000 (00:22 +0000)
commit f0768ebd901de8e9cb85c8cdcfcdd778fcd96128
tree 31e5d80248a0e45b944ea91b9dec5027fb065b3e
parent 8e1be6e57b634393616800e13e663ff7fce63742
Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine
https://bugs.webkit.org/show_bug.cgi?id=90802

Reviewed by Julien Chaffraix.

Source/WebCore:

Test: fast/multicol/float-not-removed-crash.html

* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::moveChildrenTo):
1. When fullRemoveInsert is True, make sure to clear the
floating objects from our list (similar to positioned objects).
Our children are getting moved to another block and we won't
get notified when they are going away.
2. Remove the redundant hasPositionedObjects check since it
is already done inside removePositionedObjects.

LayoutTests:

* fast/multicol/float-not-removed-crash-expected.txt: Added.
* fast/multicol/float-not-removed-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@140069 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/multicol/float-not-removed-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/multicol/float-not-removed-crash.html [new file with mode: 0755]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderBoxModelObject.cpp
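The ownership problem the commit message describes, as an added C++ model written for this page (not WebCore code): a block keeps a non-owning side list of its floating children, moves the children to another block with fullRemoveInsert, and is never told when the new owner deletes them. The names Block, Box, moveChildrenTo and staleFloatEntriesAfterMove are assumed stand-ins for the WebKit types.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Toy model of the situation the commit describes. Names echo WebKit's
// (moveChildrenTo, fullRemoveInsert, floating objects), but this is a
// simplified stand-in, not WebCore code.
struct Box { bool isFloating; };

struct Block {
    std::vector<std::unique_ptr<Box>> children;  // owning list
    std::vector<Box*> floatingObjects;           // non-owning side list
    std::vector<Box*> positionedObjects;         // non-owning side list
    Box* addChild(bool floating) {
        children.push_back(std::make_unique<Box>(Box{floating}));
        Box* b = children.back().get();
        if (floating)
            floatingObjects.push_back(b);
        return b;
    }
    void removePositionedObjects() { positionedObjects.clear(); }
    void removeFloatingObjects() { floatingObjects.clear(); }

    // With fullRemoveInsert the children leave this block for good; nothing
    // tells us when the new owner deletes them, so any side-list pointer we
    // keep becomes dangling. `fixed` selects the post-commit behaviour.
    void moveChildrenTo(Block& to, bool fullRemoveInsert, bool fixed) {
        if (fullRemoveInsert) {
            removePositionedObjects();
            if (fixed)
                removeFloatingObjects();  // the fix: drop float pointers too
        }
        for (auto& c : children)
            to.children.push_back(std::move(c));
        children.clear();
    }
};

// Reproduce the sequence: a float is moved to another block, then the new
// owner destroys it. Returns how many float-list entries the old block still
// holds afterwards; a non-zero count is a dangling pointer (counted, never
// dereferenced).
size_t staleFloatEntriesAfterMove(bool fixed) {
    Block from, to;
    from.addChild(true);   // one floating child
    from.addChild(false);  // one in-flow child
    from.moveChildrenTo(to, /*fullRemoveInsert=*/true, fixed);
    to.children.clear();   // new owner frees the boxes; `from` is not told
    return from.floatingObjects.size();
}
```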