Merge 123062 - Crash in RenderTableSection::addCell.

Merge 123062 - Crash in RenderTableSection::addCell.
http://webkit.org/b/89496

Reviewed by Abhishek Arya.

Source/WebCore:

The issue comes from RenderBox::splitAnonymousBoxesAroundChild that would move sections
across tables but didn't force the table to do a synchronous section recalc. This opened
the way for race conditions where we would query the table column structure while it's dirty
(this is not uncommon but as usually the table's column representation is always bigger or
more split than a section's, it's usually harmless).

The fix is to force a synchronous section recalc.

Test: fast/table/split-table-no-section-update-crash.html

* rendering/RenderBox.cpp:
(WebCore::markBoxForRelayoutAfterSplit):
Changed to call forceSectionsRecalc ie force a section recalc.

* rendering/RenderTable.cpp:
(WebCore::RenderTable::recalcSections):
Added missing ASSERT for unneeded calls.

* rendering/RenderTable.h:
(WebCore::RenderTable::forceSectionsRecalc):
Added this helper function.

LayoutTests:

The test is still pretty complex as it involves lots of generated content. It should
be possible to get a smaller test case based on the conditions for the crash. However
this test is a pretty good stress test so I decided against creating a more simple test
case.

* fast/table/split-table-no-section-update-crash-expected.txt: Added.
* fast/table/split-table-no-section-update-crash.html: Added.


TBR=jchaffraix@webkit.org
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=123513