Various crashers in RenderLayer due to missing a ScrollableArea

When splitting ScrollableArea out of RenderLayer, the scrollbar
teardown wasn't taken into account and thus we would try de-allocate
or not have a ScrollableArea when it was required to hang the
scrollbar on.

RenderLayerScrollableArea and Scrollbars have fairly entangled
bring-up and tear-down code which makes it hard to fix correctly in
the current situation. However the scrollbars should be moved to
RenderLayerScrollableArea soon which will solve this problem in a
better way.

BUG=264213,264287,264171,263923
TESTS=fast/layers/crash-no-scrollable-area-scrollbars.html
      fast/layers/crash-remove-scrollbar-no-scrollable-area.html
      fast/layers/crash-shadowdom-scrollbar-no-scrollable-area.html

R=vollick@chromium.org

Review URL: https://codereview.chromium.org/20422002

Patch from Julien Chaffraix <jchaffraix@chromium.org>.

git-svn-id: svn://svn.chromium.org/blink/trunk@154938 bbb929c8-8fbe-4397-9dbb-9b2b20218538

7 files changed, 96 insertions, 1 deletions

diff --git a/third_party/WebKit/LayoutTests/fast/layers/crash-no-scrollable-area-scrollbars-expected.txt b/third_party/WebKit/LayoutTests/fast/layers/crash-no-scrollable-area-scrollbars-expected.txt
new file mode 100644
index 0000000..3fb158c
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/layers/crash-no-scrollable-area-scrollbars-expected.txt
@@ -0,0 +1,3 @@
+This test checks that RenderLayer doesn't crash because it is missing a ScrollableArea.
+This test has passed if it doesn't crash.
+
diff --git a/third_party/WebKit/LayoutTests/fast/layers/crash-no-scrollable-area-scrollbars.html b/third_party/WebKit/LayoutTests/fast/layers/crash-no-scrollable-area-scrollbars.html
new file mode 100644
index 0000000..53d823b
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/layers/crash-no-scrollable-area-scrollbars.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<style>
+.c11:nth-child(2n) { opacity: 0.1; }
+.c11:nth-last-child(odd) { overflow: scroll; }
+</style>
+<div>This test checks that RenderLayer doesn't crash because it is missing a ScrollableArea.</div>
+<div>This test has passed if it doesn't crash.</div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function boom() {
+    var preDiv = document.createElement('div');
+    document.documentElement.appendChild(preDiv);
+    var selectDiv = document.createElement('div');
+    selectDiv.setAttribute('multiple', 'multiple');
+    selectDiv.setAttribute('class', 'c11');
+    document.documentElement.appendChild(selectDiv);
+    var div = document.createElement('div');
+    document.documentElement.appendChild(div);
+    var div3 = document.createElement('div');
+    document.documentElement.appendChild(div3);
+    document.body.offsetTop;
+    var div2 = document.createElement('div');
+    div2.appendChild(div);
+}
+window.onload = boom;
+</script>
diff --git a/third_party/WebKit/LayoutTests/fast/layers/crash-remove-scrollbar-no-scrollable-area-expected.txt b/third_party/WebKit/LayoutTests/fast/layers/crash-remove-scrollbar-no-scrollable-area-expected.txt
new file mode 100644
index 0000000..5cec8a7
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/layers/crash-remove-scrollbar-no-scrollable-area-expected.txt
@@ -0,0 +1,3 @@
+This test checks that RenderLayer doesn't crash because it is missing a ScrollableArea.
+This test has PASSED if it didn't CRASH.
+
diff --git a/third_party/WebKit/LayoutTests/fast/layers/crash-remove-scrollbar-no-scrollable-area.html b/third_party/WebKit/LayoutTests/fast/layers/crash-remove-scrollbar-no-scrollable-area.html
new file mode 100644
index 0000000..054764c
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/layers/crash-remove-scrollbar-no-scrollable-area.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<style>
+.c2 { overflow: scroll; background: aqua; }
+.c6 { -webkit-column-count: 2;}
+</style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function boom() {
+    var select = document.createElement('select');
+    select.setAttribute('size', '65536');
+    select.setAttribute('class', 'c2');
+    document.documentElement.appendChild(select);
+    document.body.offsetTop;
+    select.setAttribute('class', 'c6');
+    document.body.offsetTop;
+}
+window.onload = boom;
+</script>
+<div>This test checks that RenderLayer doesn't crash because it is missing a ScrollableArea.</div>
+<div>This test has PASSED if it didn't CRASH.</div>
diff --git a/third_party/WebKit/LayoutTests/fast/layers/crash-shadowdom-scrollbar-no-scrollable-area-expected.txt b/third_party/WebKit/LayoutTests/fast/layers/crash-shadowdom-scrollbar-no-scrollable-area-expected.txt
new file mode 100644
index 0000000..5cec8a7
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/layers/crash-shadowdom-scrollbar-no-scrollable-area-expected.txt
@@ -0,0 +1,3 @@
+This test checks that RenderLayer doesn't crash because it is missing a ScrollableArea.
+This test has PASSED if it didn't CRASH.
+
diff --git a/third_party/WebKit/LayoutTests/fast/layers/crash-shadowdom-scrollbar-no-scrollable-area.html b/third_party/WebKit/LayoutTests/fast/layers/crash-shadowdom-scrollbar-no-scrollable-area.html
new file mode 100644
index 0000000..13cb426
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/fast/layers/crash-shadowdom-scrollbar-no-scrollable-area.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<div>This test checks that RenderLayer doesn't crash because it is missing a ScrollableArea.</div>
+<div>This test has PASSED if it didn't CRASH.</div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function boom() {
+    var ruby = document.createElement('ruby');
+    var ins = document.createElement('ins');
+    var map = document.createElement('map');
+    var tfoot = document.createElement('tfoot');
+    var blockquote = document.createElement('blockquote');
+    var style = document.createElement('style');
+    style.innerHTML = '.c19 { -webkit-backface-visibility: hidden; } .c19:nth-child(even) { overflow: scroll; -webkit-transform: scale(0.5, 0.5); }';
+    var em = document.createElement('em');
+    var header = document.createElement('header');
+    header.setAttribute('class', 'c19');
+    document.documentElement.appendChild(ruby);
+    document.documentElement.appendChild(ins);
+    document.documentElement.appendChild(map);
+    document.documentElement.appendChild(tfoot);
+    document.documentElement.appendChild(blockquote);
+    document.documentElement.appendChild(style);
+    document.documentElement.appendChild(em);
+    document.documentElement.appendChild(header);
+
+    document.body.offsetTop;
+    var shadow = document.createElement('div').webkitCreateShadowRoot();
+    shadow.appendChild(tfoot);
+}
+window.onload = boom;
+</script>
diff --git a/third_party/WebKit/Source/core/rendering/RenderLayer.h b/third_party/WebKit/Source/core/rendering/RenderLayer.h
index 528b4ce..cbc0114 100644
--- a/third_party/WebKit/Source/core/rendering/RenderLayer.h
+++ b/third_party/WebKit/Source/core/rendering/RenderLayer.h
@@ -816,7 +816,10 @@ private:
     bool requiresScrollableArea() const
     {
         // We don't use hasOverflowClip as it is not set on a lot of cases (e.g. non-block and root).
-        return renderer()->style()->overflowX() != OVISIBLE || canResize() || usesCompositedScrolling();
+        // FIXME: It's wrong to check for scrollbars here but the scrollbar / scrollablearea code is
+        // entangled and racy at the moment so we need to hold onto the ScrollableArea as long as we
+        // have scrollbars. This check will go away once the scrollbars have been moved to RenderLayerScrollableArea.
+        return renderer()->style()->overflowX() != OVISIBLE || canResize() || usesCompositedScrolling() || m_hBar || m_vBar;
     }
 
     enum CollectLayersBehavior {