Commit 4d444691, authored by wangxianzhu@chromium.org
    .: Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects.
    https://bugs.webkit.org/show_bug.cgi?id=108695
    
    Add a manual test. Unable to write a normal layout test because
    1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone();
    2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame.
    
    Reviewed by Abhishek Arya.
    
    * ManualTests/scrolling-coordinator-viewport-constrained-crash.html: Added.
    
    Source/WebCore: Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects
    https://bugs.webkit.org/show_bug.cgi?id=108695
    
    See comments of RenderLayerModelObject::willBeDestroyed() below for details.
    
    Reviewed by Abhishek Arya.
    
    Test: ManualTests/scrolling-coordinator-viewport-constrained-crash.html
    Unable to write a normal layout test because
    1) must waitUntilDone() to reproduce the crash but the redirected URL can't notifyDone();
    2) Can't use a frame to contain the test because ScrollingCoordinator handles only the main frame.
    
    * rendering/RenderBoxModelObject.cpp:
    (WebCore::RenderBoxModelObject::willBeDestroyed): Moved removeViewportConstrainedObject() call into RenderLayerModelObject::willBeDestroyed() because only RenderLayerModelObjects can be added as viewportConstrainedObjects.
    * rendering/RenderLayerModelObject.cpp:
    (WebCore::RenderLayerModelObject::willBeDestroyed): Changed this->view() (then view->frameView()) to this->frame() (then frame->view()) because, when willBeDestroyed() is called, the document has already set its renderView to 0, so this->view() returns 0; removeViewportConstrainedObject() is then never called and a deleted RenderLayerModelObject is left in FrameView's viewportConstrainedObjects.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142760 268f45cc-cd09-0410-ab3c-d52691b4dbfc
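The mechanism the commit message describes, modelled as an added, self-contained C++ example (not WebKit code; the Frame, FrameView, RenderView, Document and RenderObject types below are hypothetical stand-ins for the WebCore classes). The document clears its render view root before individual renderers are destroyed, so a destructor that unregisters itself via document->renderView() sees null, skips the removal, and leaves a freed pointer in FrameView's non-owning registry; unregistering via frame()->view() still works at that point. The example runs both variants through the same teardown order and counts the stale entries left behind.

```cpp
// Added illustrative model of the teardown-ordering bug in the commit message.
// All names here (Frame, FrameView, RenderView, Document, RenderObject) are
// hypothetical stand-ins for the WebCore classes, not WebKit source.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>

struct FrameView {
    // Non-owning registry of raw pointers, like FrameView::viewportConstrainedObjects.
    std::set<const void*> viewportConstrainedObjects;
    void addViewportConstrainedObject(const void* o) { viewportConstrainedObjects.insert(o); }
    void removeViewportConstrainedObject(const void* o) { viewportConstrainedObjects.erase(o); }
};

struct Frame { FrameView* view = nullptr; };           // Frame::view() stays valid during teardown
struct RenderView { FrameView* frameView = nullptr; }; // RenderView::frameView()

struct Document {
    Frame* frame = nullptr;
    RenderView* renderView = nullptr;  // cleared by the document before renderers are destroyed
};

enum class Lookup { ViaDocumentRenderView, ViaFrame };

struct RenderObject {
    Document* document;
    Lookup lookup;

    RenderObject(Document* d, Lookup l) : document(d), lookup(l) {
        document->frame->view->addViewportConstrainedObject(this);
    }
    ~RenderObject() { willBeDestroyed(); }

    RenderView* view() const { return document->renderView; }   // this->view()
    Frame* frame() const { return document->frame; }            // this->frame()

    // Mirrors the two variants of RenderLayerModelObject::willBeDestroyed().
    void willBeDestroyed() {
        FrameView* fv = nullptr;
        if (lookup == Lookup::ViaDocumentRenderView) {
            if (RenderView* rv = view()) fv = rv->frameView;    // pre-fix: view() is 0 here
        } else {
            if (Frame* f = frame()) fv = f->view;               // fix: frame() still valid
        }
        if (fv) fv->removeViewportConstrainedObject(this);
        // If fv is null nothing is removed and the registry keeps a dangling pointer.
    }
};

// Simulate document teardown in the order the commit describes: the document
// drops its renderView first, then the renderer is destroyed. Returns how many
// stale (freed) entries remain registered in the FrameView afterwards.
std::size_t staleEntriesAfterTeardown(Lookup lookup) {
    FrameView frameView;
    Frame frame; frame.view = &frameView;
    RenderView renderView; renderView.frameView = &frameView;
    Document doc; doc.frame = &frame; doc.renderView = &renderView;

    auto renderer = std::make_unique<RenderObject>(&doc, lookup);
    doc.renderView = nullptr;   // document has set its renderView to 0
    renderer.reset();           // ~RenderObject -> willBeDestroyed()
    // Any entry left now points at freed memory; a later scan of the registry
    // (the hasVisibleSlowRepaintViewportConstrainedObjects() walk in the bug
    // title) would dereference it.
    return frameView.viewportConstrainedObjects.size();
}

int main() {
    std::printf("pre-fix stale entries: %zu\n", staleEntriesAfterTeardown(Lookup::ViaDocumentRenderView)); // 1
    std::printf("fixed   stale entries: %zu\n", staleEntriesAfterTeardown(Lookup::ViaFrame));             // 0
    return 0;
}
```

The general lesson is the one the commit applies: an object that registers itself in a non-owning container must unregister through a path that is guaranteed to be live at destruction time, and any lookup that can legitimately return null during teardown is the wrong path for that job.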