    [CSS Regions] Destroying a render named flow thread without unregistering... · 9e41565f
    commit-queue@webkit.org authored
    [CSS Regions] Destroying a render named flow thread without unregistering left-over content nodes triggered an assertion.
    https://bugs.webkit.org/show_bug.cgi?id=95645
    
    Patch by Andrei Bucur <abucur@adobe.com> on 2012-09-04
    Reviewed by Abhishek Arya.
    
    Source/WebCore:
    
    This patch cleans up the render named flow thread before destruction by unregistering left-over content nodes.
    
    Tests: fast/regions/moved-content-node-crash.html
    
    * rendering/RenderNamedFlowThread.cpp:
    (WebCore::RenderNamedFlowThread::~RenderNamedFlowThread):
    
    LayoutTests:
    
    Simple test case that triggers an ASSERT in debug mode and causes a crash in release.
    The ASSERT appears in RenderFlowThreadController::unregisterNamedFlowContentNode:
    ASSERT(it != m_mapNamedFlowContentNodes.end());
    
    It happens because when a content node is added to an iframe document and then moved back, the iframe's RenderNamedFlowThread is destroyed
    without calling unregisterNamedFlowContentNode on the node. This triggers the aforementioned assertion after a lazyAttach and a detach
    in the parent document.
    
    * fast/regions/moved-content-node-crash-expected.txt: Added.
    * fast/regions/moved-content-node-crash.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127472 268f45cc-cd09-0410-ab3c-d52691b4dbfc
ChangeLog 5.15 MB
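A simplified C++ model of the failure the commit message describes, added here as an illustration and not taken from WebKit or the patch. All type and function names are hypothetical, and the per-node `inNamedFlow` flag and the separate parent/iframe registries are assumptions about the mechanism; `unregisterNode` returns false where the real code would hit the assertion.

```cpp
// Simplified model of the lifetime bug; hypothetical names, not WebKit code.
#include <map>
#include <set>

struct FlowThread;
struct Node { bool inNamedFlow = false; };  // assumed "registered" flag on the node

struct Controller {                         // per-document: content node -> thread
    std::map<Node*, FlowThread*> nodes;
    void registerNode(Node* n, FlowThread* t);
    bool unregisterNode(Node* n);           // false where the real code ASSERTs
};

struct FlowThread {
    Controller& owner;
    std::set<Node*> content;
    bool cleanupOnDestroy;                  // false models the pre-patch destructor
    FlowThread(Controller& c, bool cleanup) : owner(c), cleanupOnDestroy(cleanup) {}
    ~FlowThread() {                         // patched: unregister left-over nodes
        while (cleanupOnDestroy && !content.empty())
            owner.unregisterNode(*content.begin());
    }
};

void Controller::registerNode(Node* n, FlowThread* t) {
    nodes[n] = t;
    t->content.insert(n);
    n->inNamedFlow = true;
}

bool Controller::unregisterNode(Node* n) {
    auto it = nodes.find(n);
    if (it == nodes.end()) return false;    // the ASSERT from the commit message
    it->second->content.erase(n);
    nodes.erase(it);
    n->inNamedFlow = false;
    return true;
}

// Node enters the iframe's flow, the iframe's thread is destroyed, then the node
// is detached in the parent document. Returns true if that detach is clean.
bool detachAfterIframeTeardown(bool cleanupOnDestroy) {
    Controller parent, iframe;
    Node node;
    {
        FlowThread thread(iframe, cleanupOnDestroy);
        iframe.registerNode(&node, &thread);
    }                                       // iframe's thread destroyed here
    return !node.inNamedFlow || parent.unregisterNode(&node);
}
```

With `cleanupOnDestroy` false the node keeps its stale flag after the thread is gone, so the later detach looks it up in a registry that never held it; with the destructor cleanup the flag is cleared and the detach has nothing to unregister.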