From 5b67f3fb7b591db5f4868d55f6ad0408066b959c Mon Sep 17 00:00:00 2001 
From: "commit-queue@webkit.org" Date: Wed, 22 Feb 2012 21:56:33 +0000 Subject: [PATCH] Crash from empty anonymous block preceding :before content https://bugs.webkit.org/show_bug.cgi?id=78250 Patch by Ken Buchanan on 2012-02-22 Reviewed by David Hyatt. Source/WebCore: RenderListMarkers getting removed from the tree in updateMarkerLocation() can leave parent anonymous blocks behind with no children. This was confusing updateBeforeAfterContent() because it does not expect an empty block to precede :before content renderers. Fix is to remove the anonymous block if it will lose all of its children. * rendering/RenderListItem.cpp: (WebCore::RenderListItem::updateMarkerLocation): LayoutTests: Test exercises a crashing condition from extra :before content being created after a RenderListMarker in an anonymous block has been moved. Also rebasing some tests that had extraneous anonymous blocks in their render tree dumps. * fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash-expected.txt: Added * fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash.html: Added * platform/chromium-win/editing/execCommand/create-list-with-hr-expected.txt: * platform/gtk/editing/execCommand/create-list-with-hr-expected.txt: * platform/mac/editing/execCommand/create-list-with-hr-expected.txt: * platform/qt/editing/execCommand/create-list-with-hr-expected.txt: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@108548 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- LayoutTests/ChangeLog | 20 +++++++++++ ...th-list-marker-in-anon-block-crash-expected.txt | 2 ++ ...ntent-with-list-marker-in-anon-block-crash.html | 41 ++++++++++++++++++++++ .../execCommand/create-list-with-hr-expected.txt | 1 - .../execCommand/create-list-with-hr-expected.txt | 1 - .../execCommand/create-list-with-hr-expected.txt | 1 - .../execCommand/create-list-with-hr-expected.txt | 1 - Source/WebCore/ChangeLog | 17 +++++++++ Source/WebCore/rendering/RenderListItem.cpp | 3 ++ 9 
files changed, 83 insertions(+), 4 deletions(-) create mode 100644 LayoutTests/fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash-expected.txt create mode 100644 LayoutTests/fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash.html diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index 1de78bb..28a0150 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,23 @@ +2012-02-22 Ken Buchanan + + Crash from empty anonymous block preceding :before content + https://bugs.webkit.org/show_bug.cgi?id=78250 + + Reviewed by David Hyatt. + + Test exercises a crashing condition from extra :before content being + created after a RenderListMarker in an anonymous block has been moved. + + Also rebasing some tests that had extraneous anonymous blocks in their + render tree dumps. + + * fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash-expected.txt: Added + * fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash.html: Added + * platform/chromium-win/editing/execCommand/create-list-with-hr-expected.txt: + * platform/gtk/editing/execCommand/create-list-with-hr-expected.txt: + * platform/mac/editing/execCommand/create-list-with-hr-expected.txt: + * platform/qt/editing/execCommand/create-list-with-hr-expected.txt: + 2012-02-22 Abhishek Arya Crash due to accessing removed parent lineboxes when clearing view selection. diff --git a/LayoutTests/fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash-expected.txt b/LayoutTests/fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash-expected.txt new file mode 100644 index 0000000..2efeb0d --- /dev/null +++ b/LayoutTests/fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash-expected.txt @@ -0,0 +1,2 @@ +PASS if no assert or crash on debug + 
diff --git a/LayoutTests/fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash.html b/LayoutTests/fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash.html new file mode 100644 index 0000000..09992a1 --- /dev/null +++ b/LayoutTests/fast/css-generated-content/before-content-with-list-marker-in-anon-block-crash.html @@ -0,0 +1,41 @@ + + +PASS if no assert or crash on debug diff --git a/LayoutTests/platform/chromium-win/editing/execCommand/create-list-with-hr-expected.txt b/LayoutTests/platform/chromium-win/editing/execCommand/create-list-with-hr-expected.txt index 7c3486b..fcb4f33 100644 --- a/LayoutTests/platform/chromium-win/editing/execCommand/create-list-with-hr-expected.txt +++ b/LayoutTests/platform/chromium-win/editing/execCommand/create-list-with-hr-expected.txt @@ -21,7 +21,6 @@ layer at (0,0) size 800x600 RenderBlock {DIV} at (0,56) size 784x30 RenderBlock {UL} at (0,0) size 784x30 RenderListItem {LI} at (40,0) size 744x30 - RenderBlock (anonymous) at (0,0) size 744x0 RenderBlock {HR} at (0,0) size 744x2 [border: (1px inset #000000)] RenderBlock (anonymous) at (0,10) size 744x20 RenderListMarker at (-18,0) size 7x19: bullet diff --git a/LayoutTests/platform/gtk/editing/execCommand/create-list-with-hr-expected.txt b/LayoutTests/platform/gtk/editing/execCommand/create-list-with-hr-expected.txt index 41d5339..d5d78bb 100644 --- a/LayoutTests/platform/gtk/editing/execCommand/create-list-with-hr-expected.txt +++ b/LayoutTests/platform/gtk/editing/execCommand/create-list-with-hr-expected.txt @@ -21,7 +21,6 @@ layer at (0,0) size 800x600 RenderBlock {DIV} at (0,52) size 784x28 RenderBlock {UL} at (0,0) size 784x28 RenderListItem {LI} at (40,0) size 744x28 - RenderBlock (anonymous) at (0,0) size 744x0 RenderBlock {HR} at (0,0) size 744x2 [border: (1px inset #000000)] RenderBlock (anonymous) at (0,10) size 744x18 RenderListMarker at (-17,0) size 7x17: bullet 
diff --git a/LayoutTests/platform/mac/editing/execCommand/create-list-with-hr-expected.txt b/LayoutTests/platform/mac/editing/execCommand/create-list-with-hr-expected.txt index 18b6332..3ed0b22 100644 --- a/LayoutTests/platform/mac/editing/execCommand/create-list-with-hr-expected.txt +++ b/LayoutTests/platform/mac/editing/execCommand/create-list-with-hr-expected.txt @@ -21,7 +21,6 @@ layer at (0,0) size 800x600 RenderBlock {DIV} at (0,52) size 784x28 RenderBlock {UL} at (0,0) size 784x28 RenderListItem {LI} at (40,0) size 744x28 - RenderBlock (anonymous) at (0,0) size 744x0 RenderBlock {HR} at (0,0) size 744x2 [border: (1px inset #000000)] RenderBlock (anonymous) at (0,10) size 744x18 RenderListMarker at (-17,0) size 7x18: bullet diff --git a/LayoutTests/platform/qt/editing/execCommand/create-list-with-hr-expected.txt b/LayoutTests/platform/qt/editing/execCommand/create-list-with-hr-expected.txt index 7fa7eb6..b6c8285 100644 --- a/LayoutTests/platform/qt/editing/execCommand/create-list-with-hr-expected.txt +++ b/LayoutTests/platform/qt/editing/execCommand/create-list-with-hr-expected.txt @@ -21,7 +21,6 @@ layer at (0,0) size 800x600 RenderBlock {DIV} at (0,58) size 784x31 RenderBlock {UL} at (0,0) size 784x31 RenderListItem {LI} at (40,0) size 744x31 - RenderBlock (anonymous) at (0,0) size 744x0 RenderBlock {HR} at (0,0) size 744x2 [border: (1px inset #000000)] RenderBlock (anonymous) at (0,10) size 744x21 RenderListMarker at (-18,0) size 7x21: bullet diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index c275cac..da6de8d 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog 
@@ -1,3 +1,20 @@ +2012-02-22 Ken Buchanan + + Crash from empty anonymous block preceding :before content + https://bugs.webkit.org/show_bug.cgi?id=78250 + + Reviewed by David Hyatt. + + RenderListMarkers getting removed from the tree in updateMarkerLocation() + can leave parent anonymous blocks behind with no children. This was + confusing updateBeforeAfterContent() because it does not expect + an empty block to precede :before content renderers. + + Fix is to remove the anonymous block if it will lose all of its children. + + * rendering/RenderListItem.cpp: + (WebCore::RenderListItem::updateMarkerLocation): + 2012-02-22 Abhishek Arya Crash due to accessing removed parent lineboxes when clearing view selection. diff --git a/Source/WebCore/rendering/RenderListItem.cpp b/Source/WebCore/rendering/RenderListItem.cpp index a5b5b94..883218d 100644 --- a/Source/WebCore/rendering/RenderListItem.cpp +++ b/Source/WebCore/rendering/RenderListItem.cpp @@ -247,6 +247,9 @@ void RenderListItem::updateMarkerLocation() LayoutStateDisabler layoutStateDisabler(view()); updateFirstLetter(); m_marker->remove(); + // If markerPar is an anonymous block that will lose all its children, destroy it + if (markerPar && (markerPar != lineBoxParent) && markerPar->isAnonymousBlock() && !(toRenderBlock(markerPar)->firstChild())) + markerPar->destroy(); if (!lineBoxParent) lineBoxParent = this; lineBoxParent->addChild(m_marker, firstNonMarkerChild(lineBoxParent)); -- 2.7.4
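Review bot: After `markerPar->destroy();` in RenderListItem::updateMarkerLocation() the local `markerPar` still holds the address of the freed renderer, and nothing in the hunk clears it or says it must not be used again. The function starts and ends outside this hunk, so whether a later statement reads it cannot be confirmed from here; wrapping the call in braces and adding `markerPar = 0;` after it would turn any later use into a null check failure rather than a read of freed memory. The new condition only proves the block has no children, so if an anonymous block at this point can still be referenced from elsewhere in the render tree (a continuation chain, for instance, which this patch does not show), that should be ruled out in the condition or stated as an assumption. Because the check runs after `m_marker->remove()`, the comment would be more accurate as `// m_marker was markerPar's only child; destroy the now-empty anonymous block so it cannot precede :before content.`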