From 5a1933485a6ed31c88b9708482254b37c0865608 Mon Sep 17 00:00:00 2001
From: "inferno@chromium.org"
 <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue, 24 Jan 2012 18:33:05 +0000
Subject: [PATCH] Crash when accessing removed parent in InlineTextBox.
 https://bugs.webkit.org/show_bug.cgi?id=72982

Reviewed by James Robinson.

Source/WebCore:

The crash happens because:
1. We add heading element(h1) before the span element(span1),
   causing splitflow on the anonymous block containing BeforeText,
   span1(and SpanText) and AfterText.
2. span1 moves to the cloneBlock (continuation).
3. Our anonymous block and cloneBlock are both marked for layout,
   however we still have a copy of our lineboxes with its childs
   as the textboxes belonging to SpanText.
4. Our anonymous block only child BeforeText is getting removed,
   so we dont have any children anymore and we delete our lineboxes,
   leaving behind the children textboxes belonging to SpanText.
5. SpanText is getting destroyed, so it tries to inform removed
   parent lineboxes causing the crash.

Test: fast/block/block-remove-child-delete-line-box-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeChild):

LayoutTests:

Tests passes if it does not crash on ASSERT(!m_hasBadParent)
in InlineBox::parent().

* fast/block/block-remove-child-delete-line-box-crash-expected.txt: Added.
* fast/block/block-remove-child-delete-line-box-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105750 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog                              | 13 +++++++++++
 ...remove-child-delete-line-box-crash-expected.txt |  5 +++++
 .../block-remove-child-delete-line-box-crash.html  | 23 +++++++++++++++++++
 Source/WebCore/ChangeLog                           | 26 ++++++++++++++++++++++
 Source/WebCore/rendering/RenderBlock.cpp           |  2 +-
 5 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 LayoutTests/fast/block/block-remove-child-delete-line-box-crash-expected.txt
 create mode 100644 LayoutTests/fast/block/block-remove-child-delete-line-box-crash.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index cb3fafd..88f565e 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2012-01-24  Abhishek Arya  <inferno@chromium.org>
+
+        Crash when accessing removed parent in InlineTextBox.
+        https://bugs.webkit.org/show_bug.cgi?id=72982
+
+        Reviewed by James Robinson.
+
+        Tests passes if it does not crash on ASSERT(!m_hasBadParent)
+        in InlineBox::parent().
+
+        * fast/block/block-remove-child-delete-line-box-crash-expected.txt: Added.
+        * fast/block/block-remove-child-delete-line-box-crash.html: Added.
+
 2012-01-24  Levi Weintraub  <leviw@chromium.org>
 
         Update Snow Leopard image test expectations
diff --git a/LayoutTests/fast/block/block-remove-child-delete-line-box-crash-expected.txt b/LayoutTests/fast/block/block-remove-child-delete-line-box-crash-expected.txt
new file mode 100644
index 0000000..5aefa63
--- /dev/null
+++ b/LayoutTests/fast/block/block-remove-child-delete-line-box-crash-expected.txt
@@ -0,0 +1,5 @@
+BeforeText
+heading
+
+SpanTextAfterText
+ParaText
diff --git a/LayoutTests/fast/block/block-remove-child-delete-line-box-crash.html b/LayoutTests/fast/block/block-remove-child-delete-line-box-crash.html
new file mode 100644
index 0000000..0832ac4
--- /dev/null
+++ b/LayoutTests/fast/block/block-remove-child-delete-line-box-crash.html
@@ -0,0 +1,23 @@
+<html>
+<style>
+div { -webkit-column-count:2; }
+h1 { -webkit-column-span: all; }
+</style>
+<body>
+<summary>
+<div id="div1">
+BeforeText<span id="span1">SpanText</span>AfterText
+<p>ParaText</p>
+</div>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+document.body.offsetTop;
+var h1 = document.createElement('h1');
+h1.appendChild(document.createTextNode('heading'));
+div1.insertBefore(h1, span1);
+</script>
+</summary>
+</body>
+</html>
\ No newline at end of file
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 53b314c..d7607fa 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,29 @@
+2012-01-24  Abhishek Arya  <inferno@chromium.org>
+
+        Crash when accessing removed parent in InlineTextBox.
+        https://bugs.webkit.org/show_bug.cgi?id=72982
+
+        Reviewed by James Robinson.
+
+        The crash happens because:
+        1. We add heading element(h1) before the span element(span1),
+           causing splitflow on the anonymous block containing BeforeText,
+           span1(and SpanText) and AfterText.
+        2. span1 moves to the cloneBlock (continuation).
+        3. Our anonymous block and cloneBlock are both marked for layout,
+           however we still have a copy of our lineboxes with its childs
+           as the textboxes belonging to SpanText.
+        4. Our anonymous block only child BeforeText is getting removed,
+           so we dont have any children anymore and we delete our lineboxes,
+           leaving behind the children textboxes belonging to SpanText.
+        5. SpanText is getting destroyed, so it tries to inform removed
+           parent lineboxes causing the crash.
+
+        Test: fast/block/block-remove-child-delete-line-box-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeChild):
+
 2012-01-24  Mario Sanchez Prada  <msanchez@igalia.com>
 
         [GTK] Refactor GTK's accessibilitity code to be more modular
diff --git a/Source/WebCore/rendering/RenderBlock.cpp b/Source/WebCore/rendering/RenderBlock.cpp
index d70b9f5..57babde 100755
--- a/Source/WebCore/rendering/RenderBlock.cpp
+++ b/Source/WebCore/rendering/RenderBlock.cpp
@@ -1091,7 +1091,7 @@ void RenderBlock::removeChild(RenderObject* oldChild)
     if (!firstChild() && !documentBeingDestroyed()) {
         // If this was our last child be sure to clear out our line boxes.
         if (childrenInline())
-            lineBoxes()->deleteLineBoxes(renderArena());
+            deleteLineBoxTree();
     }
 }
 
-- 
2.7.4