This is a followup for bug 43812. The patch provided for fixing 43812 did not address the real problem in that bug, which is described in the summary of this one: sometimes renderers that can potentially have counters attached are put in the renderer tree by using RenderObjectChildren::insert/appendChild, bypassing RenderObject::addChild. In this case the current code does not update those counters' position in the counter forrest appropriately resulting in a corrupt counter forrest. This corrupt forrest leads to wrong counter values, crashes, etc.
Created attachment 76903 [details] Proposed Patch
Comment on attachment 76903 [details] Proposed Patch Clearing flags on attachment: 76903 Committed r74292: <http://trac.webkit.org/changeset/74292>
All reviewed patches have been landed. Closing bug.
My previous fix was reverted as it exposed other counter related problems such as the fact that sometimes renderers are moved around in the tree during removal of a renderer, causing a previously deleted counter to be recreated during the remove process. Thus I am reopening this bug in order to provide a more comprehensive fix.
Created attachment 78042 [details] Proposed Patch This patch restores changes in my previous patch and takes care of the additional case when Renderers are moved in the Render tree from one place to another, especially when this happens inside the RenderObject::remove() call.
Created attachment 78164 [details] Proposed patch. Fixed contributor name/e-mail in ChangeLog Fixed contributor name/e-mail in ChangeLog
Created attachment 79230 [details] Proposed Patch - Updated to reflect recent WebCore code restructuring.
Comment on attachment 79230 [details] Proposed Patch - Updated to reflect recent WebCore code restructuring. r=me
Comment on attachment 79230 [details] Proposed Patch - Updated to reflect recent WebCore code restructuring. Clearing flags on attachment: 79230 Committed r76859: <http://trac.webkit.org/changeset/76859>