From 40a14b72b132468f4bbdfc6ff2dca30407cf866e Mon Sep 17 00:00:00 2001
From: Vitaliy Slobodin <vitaliy.slobodin@gmail.com>
Date: Wed, 14 Nov 2012 14:20:06 +0400
Subject: [PATCH] Restore dirty line logic in RenderInline::destroy.

WebKit upstream fix: http://trac.webkit.org/changeset/86060
WebKit upsteam bug: https://bugs.webkit.org/show_bug.cgi?id=60448

Related issues:
http://code.google.com/p/phantomjs/issues/detail?id=704
http://code.google.com/p/phantomjs/issues/detail?id=703
http://code.google.com/p/phantomjs/issues/detail?id=675
http://code.google.com/p/phantomjs/issues/detail?id=689
http://code.google.com/p/phantomjs/issues/detail?id=532
http://code.google.com/p/phantomjs/issues/detail?id=851
---
 .../Source/WebCore/rendering/RenderInline.cpp     |  3 ++-
 test/webkit-spec.js                               |  6 ++++++
 .../inline-destroy-dirty-lines-crash.html         | 15 +++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 test/webkit-spec/inline-destroy-dirty-lines-crash.html

diff --git a/src/qt/src/3rdparty/webkit/Source/WebCore/rendering/RenderInline.cpp b/src/qt/src/3rdparty/webkit/Source/WebCore/rendering/RenderInline.cpp
index 5bd726db..49f02246 100644
--- a/src/qt/src/3rdparty/webkit/Source/WebCore/rendering/RenderInline.cpp
+++ b/src/qt/src/3rdparty/webkit/Source/WebCore/rendering/RenderInline.cpp
@@ -99,7 +99,8 @@ void RenderInline::destroy()
                 for (InlineFlowBox* box = firstLineBox(); box; box = box->nextLineBox())
                     box->remove();
             }
-        }
+        } else if (parent())
+            parent()->dirtyLinesFromChangedChild(this);
     }
 
     m_lineBoxes.deleteLineBoxes(renderArena());
diff --git a/test/webkit-spec.js b/test/webkit-spec.js
index bb094099..a7c4f557 100644
--- a/test/webkit-spec.js
+++ b/test/webkit-spec.js
@@ -8,4 +8,10 @@ describe("WebKit", function() {
     var date = Date.parse("2012-01-01");
     expect(date).toEqual(1325376000000);
   });
+  
+  it("should not crash when failing to dirty lines while removing a inline.", function () {
+    var p = require("webpage").create();
+    p.open('../test/webkit-spec/inline-destroy-dirty-lines-crash.html');
+    waits(50);
+  });
 });
\ No newline at end of file
diff --git a/test/webkit-spec/inline-destroy-dirty-lines-crash.html b/test/webkit-spec/inline-destroy-dirty-lines-crash.html
new file mode 100644
index 00000000..1de358b3
--- /dev/null
+++ b/test/webkit-spec/inline-destroy-dirty-lines-crash.html
@@ -0,0 +1,15 @@
+<html>
+<body onload="runTest()">
+Test passes if it does not crash.
+<script>
+    function runTest()
+    {
+        document.body.offsetTop;
+        child = document.getElementById('test');
+        child.parentNode.removeChild(child);
+    }
+</script>
+<br>
+<span id="test"></span>
+</body>
+</html>
\ No newline at end of file