Fix layout test crash: fast/replaced/frame-removed-during-resize.html

Fix b/2780565

Change-Id: I4956206dfbfaebd44414adaea7ab80e2c2fd4d1b

1 files changed, 15 insertions, 0 deletions

diff --git a/WebCore/rendering/RenderBlockLineLayout.cpp b/WebCore/rendering/RenderBlockLineLayout.cpp
index 2cf3865..a78da2b 100644
--- a/WebCore/rendering/RenderBlockLineLayout.cpp
+++ b/WebCore/rendering/RenderBlockLineLayout.cpp
@@ -622,7 +622,22 @@ void RenderBlock::layoutInlineChildren(bool relayoutChildren, int& repaintTop, i
                     else if (fullLayout || o->needsLayout()) // Replaced elements
                         toRenderBox(o)->dirtyLineBoxes(fullLayout);
 
+#if defined(ANDROID_FLATTEN_IFRAME) || defined(ANDROID_FLATTEN_FRAMESET)
+                    // Android frame flattening during layout() may cause the
+                    // renderer to be destroyed, if for example a frames onresize handler
+                    // deletes the frame - see http://trac.webkit.org/changeset/61070 for example.
+                    // We may be able to remove this protector when we switch to the upstream
+                    // frame flattening code.
+                    RefPtr<Node> protector(o->node());
+#endif
                     o->layoutIfNeeded();
+#if defined(ANDROID_FLATTEN_IFRAME) || defined(ANDROID_FLATTEN_FRAMESET)
+                    // Ensure that the renderer still exists. If it's gone away we will crash pretty
+                    // fast by continuing to use the now invalid o pointer. If the renderer has gone,
+                    // then there's no point in continuing to try to layout it's children so we break.
+                    if (!protector->renderer())
+                        break;
+#endif
                 }
             } else if (o->isText() || (o->isRenderInline() && !endOfInline)) {
                 hasInlineChild = true;