Fix crash when removing contents from a document having multiple bodies

Fix crash when removing contents from a document having multiple bodies

Removed the early return under condition 'isBody()' from
LayoutObjectChildList::invalidatePaintOnRemoval() to ensure the
painting layer and body object are invalidated.

BTW fixed issues of DisplayItemClient aliveness checking which made
it not actually work for subsequences. (If we didn't have the issues,
we should have caught this bug through aliveness-checking.)

Still not sure if we could have more reduced test. For the test, removing
anything from the test would make the test not reproducing the bug. A
normal removal of <body> couldn't reproduce the bug because we will
invalidate the painting layer in other paths (e.g. layout triggered
invalidation, etc.).

BUG=626182
Committed: https://crrev.com/a0ccb0df60af245b02a405fef95822b658f10381
Cr-Commit-Position: refs/heads/master@{#404552}

[Xianzhu, 2016-07-08 16:56:28]

Description was changed from

==========
Fix crash when removing contents from a document having multiple bodies

Removed the early return under condition 'isBody()' from
LayoutObjectChildList::invalidatePaintOnRemoval() to ensure the
painting layer and body object are invalidated.

BTW fixed issues of DisplayItemClient aliveness checking which made
it not actually work for subsequences.

BUG=626182
==========

to

==========
Fix crash when removing contents from a document having multiple bodies

Removed the early return under condition 'isBody()' from
LayoutObjectChildList::invalidatePaintOnRemoval() to ensure the
painting layer and body object are invalidated.

BTW fixed issues of DisplayItemClient aliveness checking which made
it not actually work for subsequences. (If we didn't have the issues,
we should have caught this bug through aliveness-checking.)

Still not sure if we could have more reduced test. For the test, removing
anything from the test would make the test not reproducing the bug. A
normal removal of <body> couldn't reproduce the bug because we will
invalidate the painting layer in other paths (e.g. layout triggered
invalidation, etc.).

BUG=626182
==========

[Xianzhu, 2016-07-08 16:56:39]

wangxianzhu@chromium.org changed reviewers:
+ chrishtr@chromium.org

[Xianzhu, 2016-07-08 16:56:40]

https://codereview.chromium.org/2133603002/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/frame/FrameView.cpp (left):

https://codereview.chromium.org/2133603002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/frame/FrameView.cpp:2627: #endif
This cleared the aliveness information after each painting, but broke aliveness
keeping in subsequences. Should have been removed when I added
aliveness-checking for subsequences.

https://codereview.chromium.org/2133603002/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/platform/graphics/paint/DisplayItemClient.cpp
(right):

https://codereview.chromium.org/2133603002/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/platform/graphics/paint/DisplayItemClient.cpp:64: for
(auto& item : *displayItemClientsShouldKeepAlive)
This error was hidden by the clearShouldKeepAliveAllClients() call in
FrameView.cpp.

[chrishtr, 2016-07-08 17:43:21]

The CQ bit was checked by chrishtr@chromium.org

[chrishtr, 2016-07-08 17:43:22]

lgtm

[commit-bot: I haz the power, 2016-07-08 17:43:49]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-08 19:38:07]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-08 19:38:08]

Try jobs failed on following builders:
  linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[Xianzhu, 2016-07-08 20:24:47]

The CQ bit was checked by wangxianzhu@chromium.org

[Xianzhu, 2016-07-08 20:24:48]

The patchset sent to the CQ was uploaded after l-g-t-m from
chrishtr@chromium.org
Link to the patchset: https://codereview.chromium.org/2133603002/#ps40001
(title: "Handle LayoutScrollbarPart aliveness")

[commit-bot: I haz the power, 2016-07-08 20:25:18]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-09 00:47:55]

Description was changed from

==========
Fix crash when removing contents from a document having multiple bodies

Removed the early return under condition 'isBody()' from
LayoutObjectChildList::invalidatePaintOnRemoval() to ensure the
painting layer and body object are invalidated.

BTW fixed issues of DisplayItemClient aliveness checking which made
it not actually work for subsequences. (If we didn't have the issues,
we should have caught this bug through aliveness-checking.)

Still not sure if we could have more reduced test. For the test, removing
anything from the test would make the test not reproducing the bug. A
normal removal of <body> couldn't reproduce the bug because we will
invalidate the painting layer in other paths (e.g. layout triggered
invalidation, etc.).

BUG=626182
==========

to

==========
Fix crash when removing contents from a document having multiple bodies

Removed the early return under condition 'isBody()' from
LayoutObjectChildList::invalidatePaintOnRemoval() to ensure the
painting layer and body object are invalidated.

BTW fixed issues of DisplayItemClient aliveness checking which made
it not actually work for subsequences. (If we didn't have the issues,
we should have caught this bug through aliveness-checking.)

Still not sure if we could have more reduced test. For the test, removing
anything from the test would make the test not reproducing the bug. A
normal removal of <body> couldn't reproduce the bug because we will
invalidate the painting layer in other paths (e.g. layout triggered
invalidation, etc.).

BUG=626182
==========

[commit-bot: I haz the power, 2016-07-09 00:47:56]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2016-07-09 00:49:11]

Description was changed from

==========
Fix crash when removing contents from a document having multiple bodies

Removed the early return under condition 'isBody()' from
LayoutObjectChildList::invalidatePaintOnRemoval() to ensure the
painting layer and body object are invalidated.

BTW fixed issues of DisplayItemClient aliveness checking which made
it not actually work for subsequences. (If we didn't have the issues,
we should have caught this bug through aliveness-checking.)

Still not sure if we could have more reduced test. For the test, removing
anything from the test would make the test not reproducing the bug. A
normal removal of <body> couldn't reproduce the bug because we will
invalidate the painting layer in other paths (e.g. layout triggered
invalidation, etc.).

BUG=626182
==========

to

==========
Fix crash when removing contents from a document having multiple bodies

Removed the early return under condition 'isBody()' from
LayoutObjectChildList::invalidatePaintOnRemoval() to ensure the
painting layer and body object are invalidated.

BTW fixed issues of DisplayItemClient aliveness checking which made
it not actually work for subsequences. (If we didn't have the issues,
we should have caught this bug through aliveness-checking.)

Still not sure if we could have more reduced test. For the test, removing
anything from the test would make the test not reproducing the bug. A
normal removal of <body> couldn't reproduce the bug because we will
invalidate the painting layer in other paths (e.g. layout triggered
invalidation, etc.).

BUG=626182

Committed: https://crrev.com/a0ccb0df60af245b02a405fef95822b658f10381
Cr-Commit-Position: refs/heads/master@{#404552}
==========

[commit-bot: I haz the power, 2016-07-09 00:49:12]

Patchset 3 (id:??) landed as
https://crrev.com/a0ccb0df60af245b02a405fef95822b658f10381
Cr-Commit-Position: refs/heads/master@{#404552}