authorBen Murdoch <benm@google.com>2010-06-22 16:44:09 +0100
committerBen Murdoch <benm@google.com>2010-06-22 18:33:42 +0100
commitd4ba65d8a1e77ab591518e878fd081b73cfaaa98 (patch)
treedcba2ee94f0132d81a622ec7fbff3322fc1d0426
parente3cd469169e32d71c0bd8cfca4d52854de003cbe (diff)
Fix for b/2786464
Some render objects are "anonymous", i.e. they have the document node associated with them, and in this case the node() function returns null. We were then using the null RefPtr, hence the crash. RenderListMarker is an example of such an anonymous render object, which is why websites that use lists exposed the crash. Change-Id: I1a5527c42d99bbe8418b0e7bce4f3c245276e058
-rw-r--r--WebCore/rendering/RenderBlockLineLayout.cpp5
1 files changed, 3 insertions, 2 deletions
diff --git a/WebCore/rendering/RenderBlockLineLayout.cpp b/WebCore/rendering/RenderBlockLineLayout.cpp
index a78da2b..be7c76b 100644
--- a/WebCore/rendering/RenderBlockLineLayout.cpp
+++ b/WebCore/rendering/RenderBlockLineLayout.cpp
@@ -627,8 +627,9 @@ void RenderBlock::layoutInlineChildren(bool relayoutChildren, int& repaintTop, i
// renderer to be destroyed, if for example a frames onresize handler
// deletes the frame - see http://trac.webkit.org/changeset/61070 for example.
// We may be able to remove this protector when we switch to the upstream
- // frame flattening code.
- RefPtr<Node> protector(o->node());
+ // frame flattening code. In the case of an anonymous render object like RenderListMarker
+ // the document is the DOM node associated with this RenderObject.
+ RefPtr<Node> protector(o->isAnonymous() ? o->document() : o->node());
#endif
o->layoutIfNeeded();
#if defined(ANDROID_FLATTEN_IFRAME) || defined(ANDROID_FLATTEN_FRAMESET)
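Review bot: The new protector line `RefPtr<Node> protector(o->isAnonymous() ? o->document() : o->node());` keeps a DOM node (or the document) alive, but the hazard named in the comment above it is destruction of the renderer `o` during `o->layoutIfNeeded()`, and nothing in the hunk shows that holding a reference to the document keeps `o` alive across that call; that link is worth confirming against the frame-teardown path before relying on it. If the intent is that the protector can no longer be null after this change, make that explicit with `ASSERT(protector);` right after the line, so a regression to the original null-pointer crash is caught in debug builds instead of surfacing as a use of a null pointer. The enclosing function `RenderBlock::layoutInlineChildren` starts before the hunk and continues after it, so the later uses of `o` that the protector is meant to cover are not visible here.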