Bug 116217 - [CSS Regions] Assertion when cleaning-up RenderBoxRegionInfo objects after using negative margin-top to push the box into a previous region
Summary: [CSS Regions] Assertion when cleaning-up RenderBoxRegionInfo objects after us...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: AdobeTracked
Depends on:
Blocks: 57312
  Show dependency treegraph
 
Reported: 2013-05-16 04:18 PDT by Radu Stavila
Modified: 2013-06-13 10:56 PDT (History)
1 user (show)

See Also:

Attachments
File that reproduces the problem (2.28 KB, text/html)
2013-05-16 04:18 PDT, Radu Stavila 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Radu Stavila 2013-05-16 04:18:19 PDT 
Created attachment 201941 [details]
File that reproduces the problem

When content is flowed into multiple regions, taking a box which would normally flow in the 3rd region and using a negative margin-top on it to push it back to the first would cause an assertion when cleaning-up (and a memory leak on release build). 

The problem seems to be that a RenderBoxRegionInfo object is generated for this box in the first region but, when calling RenderFlowThread::removeRenderBoxRegionInfo (RenderBox* box), it only destroys RenderBoxRegionInfo objects for the regions returned by the RenderFlowThread::getRegionRangeForBox method, which only returns regions 2 and 3, not taking into account that the negative margin-top pushed the box into a different region.

Attached test that reproduces the problem. Remove the following line to see what the page looks like without it crashing:

document.getElementById("divMain").style.display = "none";
Comment 1 Michelangelo De Simone 2013-06-13 10:56:39 PDT 
Still repros on today's nightly (r151543)