Table post-child-removal invalidations all go through RenderTable::removeChild. This is a blunt hammer as we have different types of children and not all have the same invalidation. Since we introduced willBeRemovedFromTree, we can remove the function and do only the needed invalidation in the children's function. This will show that some of our code is now unneeded, which I intend to remove in follow-up patches.
Created attachment 160234
Proposed change: Added the proper willBeRemovedFromTree and moved the removeChild code there.

Comment on attachment 160234
Proposed change: Added the proper willBeRemovedFromTree and moved the removeChild code there.

Clearing flags on attachment: 160234

Committed r126495: <http://trac.webkit.org/changeset/126495>
All reviewed patches have been landed. Closing bug.
ASSERTION FAILED: index != notFound
third_party/WebKit/Source/WebCore/rendering/RenderTable.cpp(203) : void WebCore::RenderTable::removeCaption(const WebCore::RenderTableCaption *)

https://cluster-fuzz.appspot.com/testcase?key=98951173

Testcase:
<style>.caption { display: table-caption </style>
>><div id=tCF86>><rp>><theader id=tCF98></theader><div class=caption>><setvar id=tCF108>><script>
var docElement = document.body ? document.body : document.documentElement;
docElement.contentEditable = "true";
function initCF() {
    setTimeout("CFcrash()", 408);
}
document.addEventListener("DOMContentLoaded", initCF, false);
function selectRangeBetween(r, sNode, eNode) {
    window.getSelection().removeAllRanges();
    r.setEnd(eNode, eNode.childNodes.length);
    window.getSelection().addRange(r);
}
function editFuzz() {
    try { r = document.createRange(); selectRangeBetween(r, tCF86, tCF108); } catch(e) {}
    try { document.execCommand("InsertText", false, "the mesage ") } catch(e) {}
}
function CFcrash() {
    try { tCF98.style.display = "table-caption" } catch(e) {}
    setTimeout("editFuzz()", 1922);
}
</script>>