    WebCore: REGRESSION (r59385) crash destroying inline renderers · 69fdfe2e
    enrica@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=39143
    <rdar://problem/8003662>
            
    Reviewed by Dave Hyatt.
    
    The goal of r59385 was to make sure that the layout of a block after all its children had been removed produced the identical result
    as the one of a newly created empty block. In order to do so, we had to make sure that the m_inlineChildren flag was reset to true when
    the block had no children (as it is upon creation).
    I discovered that doing that for anonymous blocks leads removeChild to conclude that the anonymous children can be removed,
    without considering that the anonymous block could be part of a continuation chain. For this reason, when RenderInline::destroy()
    tries to remove the continuations, we are effectively deleting a renderer that had been deleted already.
            
    Test: fast/inline-block/anonymous-block-crash.html
    
    * rendering/RenderBlock.cpp:
    (WebCore::RenderBlock::layoutBlock): reset the flag m_inlineChildren only for non-anonymous blocks; otherwise we incur
    a double deletion of the renderer that causes the crash.
    
    LayoutTests: REGRESSION (r59385) crash destroying inline renderers
    https://bugs.webkit.org/show_bug.cgi?id=39143
    <rdar://problem/8003662>
    
    Reviewed by Dave Hyatt.
    
    * fast/inline-block/anonymous-block-crash-expected.txt: Added.
    * fast/inline-block/anonymous-block-crash.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59786 268f45cc-cd09-0410-ab3c-d52691b4dbfc