RESOLVED WONTFIX 116217
[CSS Regions] Assertion when cleaning-up RenderBoxRegionInfo objects after using negative margin-top to push the box into a previous region 
https://bugs.webkit.org/show_bug.cgi?id=116217
Summary [CSS Regions] Assertion when cleaning-up RenderBoxRegionInfo objects after us...
Radu Stavila
Reported 2013-05-16 04:18:19 PDT
Created attachment 201941 [details] File that reproduces the problem When content is flowed into multiple regions, taking a box which would normally flow in the 3rd region and using a negative margin-top on it to push it back to the first would cause an assertion when cleaning-up (and a memory leak on release build). The problem seems to be that a RenderBoxRegionInfo object is generated for this box in the first region but, when calling RenderFlowThread::removeRenderBoxRegionInfo (RenderBox* box), it only destroys RenderBoxRegionInfo objects for the regions returned by the RenderFlowThread::getRegionRangeForBox method, which only returns regions 2 and 3, not taking into account that the negative margin-top pushed the box into a different region. Attached test that reproduces the problem. Remove the following line to see what the page looks like without it crashing: document.getElementById("divMain").style.display = "none";
Attachments
File that reproduces the problem (2.28 KB, text/html)
2013-05-16 04:18 PDT, Radu Stavila 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Michelangelo De Simone
Comment 1 2013-06-13 10:56:39 PDT
Still repros on today's nightly (r151543)
Brent Fulgham
Comment 2 2022-07-12 17:17:23 PDT
CSS Regions were removed in Bug 174978.
Note You need to log in before you can comment on or make changes to this bug.