Don't leave stale pointers into m_grid

Sometimes grid children are wrapped into an anonymous blocks to become grid
items. Those anonymous blocks could be eventually removed by
RenderBlock::removeLeftoverAnonymousBlock() (called for example when adding
a new child to the grid). That method does not notify the hierarchy about
the removal since those anonymous blocks are not part of the
DOM. This means that further accesses to the m_grid contents will trigger
invalid accesses to the already deleted RenderObjects (the anonymous blocks).

To fix it we invalidate the contents of m_grid by setting the dirty flag in
the grid.

Based on the previous work in r161127 by <jchaffraix@chromium.org>

BUG=313293

Review URL: https://codereview.chromium.org/302083005

git-svn-id: svn://svn.chromium.org/blink/trunk@175912 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/fast/css-grid-layout/stale-grid-layout-2-expected.txt

+XThe test checks that we don't leave stale pointers into the internal grid representation.
+
+This test has PASSED if it didn't crash under ASAN.

third_party/WebKit/LayoutTests/fast/css-grid-layout/stale-grid-layout-2.html

+<!DOCTYPE html>
+<span style="display: grid" contenteditable=plaintext-only>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function crash() {
+    if (!window.eventSender)
+        return;
+    eventSender.keyDown("\t");
+    eventSender.keyDown("X");
+    document.designMode = 'on';
+    document.execCommand("InsertHTML", false, "<div>");
+}
+document.addEventListener("DOMContentLoaded", crash, false);
+</script>The test checks that we don't leave stale pointers into the internal grid representation.<br> This test has PASSED if it didn't crash under ASAN.

third_party/WebKit/LayoutTests/fast/css-grid-layout/stale-grid-layout-expected.txt

+
+The test checks that we don't add non-children of the grid into the grid representation
+This test has passed if it didn't crash under ASAN. 

third_party/WebKit/LayoutTests/fast/css-grid-layout/stale-grid-layout.html

+<!DOCTYPE html>
+<keygen>
+<div style="display: grid;">The test checks that we don't add non-children of the grid into the grid representation<br>This test has passed if it didn't crash under ASAN.
+    <embed type=something-not-js>
+</div>
+<style>
+embed { position: absolute; }
+.c1 { animation-delay: 45762s; }
+</style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function crash() {
+    var highlight = document.createElementNS("http://www.w3.org/1999/xhtml", "highlight");
+    highlight.setAttribute("class", "c1");
+    document.body.appendChild(highlight);
+
+    for (i=0; i != 8; i++)
+        eventSender.keyDown("\t");
+    eventSender.keyDown("X");
+}
+
+if (!window.eventSender)
+    alert("This test needs to be run under DumpRenderTree.");
+else
+    document.addEventListener("DOMContentLoaded", crash, false);
+</script>

third_party/WebKit/Source/core/rendering/RenderBlock.cpp

@@ -49,6 +49,7 @@
 #include "core/rendering/RenderDeprecatedFlexibleBox.h"
 #include "core/rendering/RenderFlexibleBox.h"
 #include "core/rendering/RenderFlowThread.h"
+#include "core/rendering/RenderGrid.h"
 #include "core/rendering/RenderInline.h"
 #include "core/rendering/RenderLayer.h"
 #include "core/rendering/RenderMarquee.h"
@@ -1057,6 +1058,10 @@ void RenderBlock::removeLeftoverAnonymousBlock(RenderBlock* child)
     // Remove all the information in the flow thread associated with the leftover anonymous block.
     child->removeFromRenderFlowThread();
 
+    // RenderGrid keeps track of its children, we must notify it about changes in the tree.
+    if (child->parent()->isRenderGrid())
+        toRenderGrid(child->parent())->dirtyGrid();
+
     child->setParent(0);
     child->setPreviousSibling(0);
     child->setNextSibling(0);