Crash in RenderScrollbarPart::imageChanged.

https://bugs.webkit.org/show_bug.cgi?id=68009

Reviewed by Simon Fraser.

Source/WebCore: 

When a custom scrollbar is removed from its FrameView, its destruction
can be delayed because of RefPtr maintained in EventHandler class
(m_lastScrollbarUnderMouse). Upon removal, we delete all the scrollbar
parts so that they don't link back to scrollbar. However, because of the
delay, we can have a call to updateScrollbarPart which recreates it.
When scrollbar is getting destroyed, we just check to see if there are
remaining scrollbar parts and if yes, we destroy them.

Test: scrollbars/scrollbar-part-created-with-no-parent-crash.html

* rendering/RenderScrollbar.cpp:
(WebCore::RenderScrollbar::~RenderScrollbar):

LayoutTests: 

* scrollbars/scrollbar-part-created-with-no-parent-crash-expected.txt: Added.
* scrollbars/scrollbar-part-created-with-no-parent-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95074 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

+2011-09-13  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in RenderScrollbarPart::imageChanged.
+        https://bugs.webkit.org/show_bug.cgi?id=68009
+
+        Reviewed by Simon Fraser.
+
+        * scrollbars/scrollbar-part-created-with-no-parent-crash-expected.txt: Added.
+        * scrollbars/scrollbar-part-created-with-no-parent-crash.html: Added.
+
 2011-09-13  Fumitoshi Ukai  <ukai@chromium.org>
 
         Unreviewed, update chromium test expectations.

LayoutTests/scrollbars/scrollbar-part-created-with-no-parent-crash-expected.txt

+Test passes if it does not crash.
+PASS

LayoutTests/scrollbars/scrollbar-part-created-with-no-parent-crash.html

+<html>
+Test passes if it does not crash.
+<style>
+body
+{
+    margin: 0;
+}
+::-webkit-scrollbar {
+    -webkit-logical-height: 65536;
+    -webkit-border-image: url(does_not_exist) 0 2 0 2;
+}
+
+.inner:not(table) {
+    padding: 400px;
+}
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function showScroller()
+{
+    var scroller = document.createElement('div');
+    scroller.className = 'scroller';
+
+    var contents = document.createElement('div')
+    contents.className = 'inner';
+    scroller.appendChild(contents);
+
+    document.getElementById('container').appendChild(scroller);
+}
+  
+function hideScroller()
+{
+    var scroller = document.getElementById('container').querySelectorAll('.scroller')[0];
+    scroller.parentNode.removeChild(scroller);
+}
+  
+function doTest()
+{
+    if (window.eventSender) {
+        eventSender.mouseMoveTo(50, 40);
+        eventSender.mouseMoveTo(50, 55);
+        eventSender.mouseMoveTo(50, 0);
+    }
+}
+
+window.addEventListener('load', doTest, false);
+</script>
+<div id="container" onmouseover="showScroller()" onmouseout="hideScroller()">
+<p>PASS</p>
+</div>
+</html>
\ No newline at end of file

Source/WebCore/ChangeLog

+2011-09-13  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in RenderScrollbarPart::imageChanged.
+        https://bugs.webkit.org/show_bug.cgi?id=68009
+
+        Reviewed by Simon Fraser.
+
+        When a custom scrollbar is removed from its FrameView, its destruction
+        can be delayed because of RefPtr maintained in EventHandler class
+        (m_lastScrollbarUnderMouse). Upon removal, we delete all the scrollbar
+        parts so that they don't link back to scrollbar. However, because of the
+        delay, we can have a call to updateScrollbarPart which recreates it.
+        When scrollbar is getting destroyed, we just check to see if there are
+        remaining scrollbar parts and if yes, we destroy them.
+
+        Test: scrollbars/scrollbar-part-created-with-no-parent-crash.html
+
+        * rendering/RenderScrollbar.cpp:
+        (WebCore::RenderScrollbar::~RenderScrollbar):
+
 2011-09-13  Adam Klein  <adamk@chromium.org>
 
         Fix cssText property of counter-valued CSSPrimitiveValue and avoid uninitialized read

Source/WebCore/rendering/RenderScrollbar.cpp

@@ -64,7 +64,15 @@ RenderScrollbar::RenderScrollbar(ScrollableArea* scrollableArea, ScrollbarOrient
 
 RenderScrollbar::~RenderScrollbar()
 {
-    ASSERT(m_parts.isEmpty());
+    if (!m_parts.isEmpty()) {
+        // When a scrollbar is detached from its parent (causing all parts removal) and 
+        // ready to be destroyed, its destruction can be delayed because of RefPtr
+        // maintained in other classes such as EventHandler (m_lastScrollbarUnderMouse).
+        // Meanwhile, we can have a call to updateScrollbarPart which recreates the 
+        // scrollbar part. So, we need to destroy these parts since we don't want them
+        // to call on a destroyed scrollbar. See webkit bug 68009.
+        updateScrollbarParts(true);
+    }
 }
 
 RenderBox* RenderScrollbar::owningRenderer() const