https://bugs.webkit.org/show_bug.cgi?id=86162

Patch by Takashi Sakamoto <tasak@google.com> on 2012-05-14
Reviewed by Abhishek Arya.

Source/WebCore:

As RenderScrollbarPart has no parent renderer, we crash in
WebCore::RenderBoxModelObject::paddingLeft when paddingLeft has
percent value, e.g. 5%. However if we set the scrollbar's parent
renderer to a renderer owning the scrollbar by using setParent method,
RenderScrollbarPart::styleWillChange will invoke parent renderer's
repaint. This causes crash in WebCore::RenderObject::repaint if the
owning renderer is already destroyed.
To fix the first crash without the second crash, modify
RenderObject::containingBlock() to check isRenderScrollbarPart or not,
if parent() is 0.
If so, use scrollbar's owningRenderer from RenderScrollbarPart.

Test: scrollbars/scrollbar-percent-padding-crash.html
      scrollbars/scrollbar-scrollbarparts-repaint-crash.html

* rendering/RenderObject.cpp:
(WebCore::RenderObject::containingBlock):
Modifying containingBlock. If parent() is 0 and isRenderScrollbarPart()
is true, use RenderScrollbarPart's m_scrollbar->owningRenderer()
instead of parent().
* rendering/RenderObject.h:
(WebCore::RenderObject::isRenderScrollbarPart):
(RenderObject):
Adding a new method, isRenderScrollbarPart.
* rendering/RenderScrollbarPart.cpp:
(WebCore::RenderScrollbarPart::rendererOwningScrollbar):
(WebCore):
Adding a new method, scrollbarOwningRenderer to obtain m_scrollar's
owningRenderer.
* rendering/RenderScrollbarPart.h:
(RenderScrollbarPart):
Removing "friend class RenderScrollbar".
(WebCore::RenderScrollbarPart::isRenderScrollbarPart):
(WebCore::toRenderScrollbarPart):
(WebCore):
Implementing isRenderScrollbarPart and toRenderScrollbarPart.

LayoutTests:

* scrollbars/scrollbar-scrollbarparts-repaint-crash-expected.txt: Added.
* scrollbars/scrollbar-scrollbarparts-repaint-crash.html: Added.
* scrollbars/scrollbar-percent-padding-crash-expected.txt: Added.
* scrollbars/scrollbar-percent-padding-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@117007 268f45cc-cd09-0410-ab3c-d52691b4dbfc

http://trac.webkit.org/changeset/116527
https://bugs.webkit.org/show_bug.cgi?id=86199

Causing crashes on ClusterFuzz (Requested by inferno-sec on
#webkit).

Patch by Sheriff Bot <webkit.review.bot@gmail.com> on 2012-05-11

Source/WebCore:

* rendering/RenderScrollbar.cpp:
(WebCore::RenderScrollbar::updateScrollbarPart):
* rendering/RenderScrollbarPart.h:

LayoutTests:

* scrollbars/scrollbar-percent-padding-crash-expected.txt: Removed.
* scrollbars/scrollbar-percent-padding-crash.html: Removed.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@116754 268f45cc-cd09-0410-ab3c-d52691b4dbfc

https://bugs.webkit.org/show_bug.cgi?id=83889

Patch by Takashi Sakamoto <tasak@google.com> on 2012-05-09
Reviewed by Abhishek Arya.

Source/WebCore:

RenderScrollbar creates RenderScrollbarPart without any parent
renderers. However, if the scrollbar has percent padding styles,
non-null parent renderer is required. So after creating/destroying
RenderScrollbarPart instances, set owningRenderer(creating)/0
(destroying) as its parent renderer.

Test: scrollbars/scrollbar-percent-padding-crash.html
      scrollbars/scrollbar-percent-padding-crash-expected.txt

* rendering/RenderScrollbar.cpp:
(WebCore::RenderScrollbar::updateScrollbarPart):
Added setParent after creating/destroying RenderScrollbarPart.
* rendering/RenderScrollbarPart.cpp:
Made RenderScollbar friend, because setParent is protected and
RenderScrollbar is not inherited from class RenderObject.

LayoutTests:

As just invoking layoutTestController.display() invokes scrollbar's
WebCore::RenderScrollbarPart::paintIntoRect(), adding display() after
invoking layoutTestController.dumpAsText().

* scrollbars/scrollbar-percent-padding-crash.html: Added.
* scrollbars/scrollbar-percent-padding-crash-expected.txt: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@116527 268f45cc-cd09-0410-ab3c-d52691b4dbfc