LayoutTests:

        Reviewed by Hyatt, thumbs up by Darin.

        - test for http://bugs.webkit.org/show_bug.cgi?id=12782
          Reproducible crash in BidiContext::deref

        * fast/dynamic/anonymous-block-orphaned-lines-expected.checksum: Added.
        * fast/dynamic/anonymous-block-orphaned-lines-expected.png: Added.
        * fast/dynamic/anonymous-block-orphaned-lines-expected.txt: Added.
        * fast/dynamic/anonymous-block-orphaned-lines.html: Added.

WebCore:

        Reviewed by Hyatt, thumbs up by Darin.

        - fix http://bugs.webkit.org/show_bug.cgi?id=12782
          Reproducible crash in BidiContext::deref

        Test: fast/dynamic/anonymous-block-orphaned-lines.html

        * rendering/InlineBox.cpp:
        (WebCore::InlineBox::root): Added an assertion that we return a root inline box.
        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::removeChild): Added code to adopt the line boxes of
        anonymous blocks being destroyed instead of leaving them orphaned, which
        is what caused this crash. The boxes will be deleted on the next layout, but
        this ensures consistency in the mean time.



Canonical link: https://commits.webkit.org/16984@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@20188 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

@@ -1,3 +1,15 @@
+2007-03-14  Mitz Pettel  <mitz@webkit.org>
+
+        Reviewed by Hyatt, thumbs up by Darin.
+
+        - test for http://bugs.webkit.org/show_bug.cgi?id=12782
+          Reproducible crash in BidiContext::deref
+
+        * fast/dynamic/anonymous-block-orphaned-lines-expected.checksum: Added.
+        * fast/dynamic/anonymous-block-orphaned-lines-expected.png: Added.
+        * fast/dynamic/anonymous-block-orphaned-lines-expected.txt: Added.
+        * fast/dynamic/anonymous-block-orphaned-lines.html: Added.
+
 2007-03-14  Antti Koivisto  <antti@apple.com>
 
         Reviewed by Mitz.

LayoutTests/fast/dynamic/anonymous-block-orphaned-lines-expected.checksum

@@ -0,0 +1 @@
+7438c617be4c166db3cc9aa3dc9d69d9

LayoutTests/fast/dynamic/anonymous-block-orphaned-lines-expected.txt

@@ -0,0 +1,25 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x600
+  RenderBlock {HTML} at (0,0) size 800x600
+    RenderBody {BODY} at (8,8) size 784x584
+      RenderBlock {P} at (0,0) size 784x18
+        RenderText {#text} at (0,0) size 53x18
+          text run at (0,0) width 53: "Test for "
+        RenderInline {I} at (0,0) size 566x18
+          RenderInline {A} at (0,0) size 301x18 [color=#0000EE]
+            RenderText {#text} at (53,0) size 301x18
+              text run at (53,0) width 301: "http://bugs.webkit.org/show_bug.cgi?id=12782"
+          RenderText {#text} at (354,0) size 265x18
+            text run at (354,0) width 4: " "
+            text run at (358,0) width 261: "Reproducible crash in BidiContext::deref"
+        RenderText {#text} at (619,0) size 4x18
+          text run at (619,0) width 4: "."
+      RenderBlock {P} at (0,34) size 784x18
+        RenderText {#text} at (0,0) size 246x18
+          text run at (0,0) width 246: "No assertion failure means SUCCESS."
+      RenderBlock {DIV} at (0,68) size 784x18
+        RenderInline {SPAN} at (0,0) size 21x18
+          RenderText {#text} at (0,0) size 21x18
+            text run at (0,0) width 21: "foo"
+      RenderBlock {DIV} at (0,86) size 784x0

LayoutTests/fast/dynamic/anonymous-block-orphaned-lines.html

@@ -0,0 +1,28 @@
+<html>
+<head>
+    <title></title>
+</head>
+<body>
+    <p>
+        Test for <i><a href="http://bugs.webkit.org/show_bug.cgi?id=12782">http://bugs.webkit.org/show_bug.cgi?id=12782</a>
+        Reproducible crash in BidiContext::deref</i>.
+    </p>
+    <p>
+        No assertion failure means SUCCESS.
+    </p>
+    <div id="target1"><span>foo</span><div></div><span>bar</span></div>
+    <div id="target2"><div></div><span>baz</span></div>
+    <script>
+        document.body.offsetTop;
+
+        var target1 = document.getElementById("target1");
+        target1.removeChild(target1.childNodes[1]);
+        target1.removeChild(target1.childNodes[1]);
+
+        var target2 = document.getElementById("target2");
+        target2.removeChild(target2.firstChild);
+        target2.removeChild(target2.firstChild);
+
+    </script>
+</body>
+</html>

WebCore/ChangeLog

@@ -1,3 +1,20 @@
+2007-03-14  Mitz Pettel  <mitz@webkit.org>
+
+        Reviewed by Hyatt, thumbs up by Darin.
+
+        - fix http://bugs.webkit.org/show_bug.cgi?id=12782
+          Reproducible crash in BidiContext::deref
+
+        Test: fast/dynamic/anonymous-block-orphaned-lines.html
+
+        * rendering/InlineBox.cpp:
+        (WebCore::InlineBox::root): Added an assertion that we return a root inline box.
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeChild): Added code to adopt the line boxes of
+        anonymous blocks being destroyed instead of leaving them orphaned, which
+        is what caused this crash. The boxes will be deleted on the next layout, but
+        this ensures consistency in the mean time.
+
 2007-03-14  Lars Knoll <lars@trolltech.com>
 
         Reviewed by Antti.

WebCore/rendering/InlineBox.cpp

@@ -173,6 +173,7 @@ RootInlineBox* InlineBox::root()
 { 
     if (m_parent)
         return m_parent->root(); 
+    ASSERT(isRootInlineBox());
     return static_cast<RootInlineBox*>(this);
 }
 

WebCore/rendering/RenderBlock.cpp

@@ -343,6 +343,26 @@ void RenderBlock::removeChild(RenderObject *oldChild)
             prev->appendChildNode(next->removeChildNode(no));
             no->setNeedsLayoutAndMinMaxRecalc();
         }
+
+        // Do the same with line boxes.
+        RenderBlock* prevBlock = static_cast<RenderBlock*>(prev);
+        RenderBlock* nextBlock = static_cast<RenderBlock*>(next);
+        if (RootInlineBox* box = nextBlock->firstRootBox()) {
+            if (prevBlock->lastRootBox()) {
+                prevBlock->lastRootBox()->setNextLineBox(box);
+                box->setPreviousLineBox(prevBlock->lastRootBox());
+            } else
+                prevBlock->m_firstLineBox = box;
+
+            while (box) {
+                prevBlock->m_lastLineBox = box;
+                box->m_object = prevBlock;
+                box = box->nextRootBox();
+            }
+            nextBlock->m_firstLineBox = 0;
+            nextBlock->m_lastLineBox = 0;
+        }
+
         // Nuke the now-empty block.
         next->destroy();
     }
@@ -355,7 +375,7 @@ void RenderBlock::removeChild(RenderObject *oldChild)
         // box.  We can go ahead and pull the content right back up into our
         // box.
         setNeedsLayoutAndMinMaxRecalc();
-        RenderObject* anonBlock = removeChildNode(child);
+        RenderBlock* anonBlock = static_cast<RenderBlock*>(removeChildNode(child));
         m_childrenInline = true;
         RenderObject* o = anonBlock->firstChild();
         while (o) {
@@ -365,6 +385,17 @@ void RenderBlock::removeChild(RenderObject *oldChild)
             no->setNeedsLayoutAndMinMaxRecalc();
         }
 
+        // Take over the anonymous child's line boxes.
+        RootInlineBox* box = anonBlock->firstRootBox();
+        m_firstLineBox = box;
+        while (box) {
+            m_lastLineBox = box;
+            box->m_object = this;
+            box = box->nextRootBox();
+        }
+        anonBlock->m_firstLineBox = 0;
+        anonBlock->m_lastLineBox = 0;
+
         // Nuke the now-empty block.
         anonBlock->destroy();
     }