[chromium-blink-merge.git] / third_party / WebKit / LayoutTests / accessibility / container-node-delete-causes-crash.html
1 <!DOCTYPE HTML>
2 <html>
3 <body>
4 <script src="../resources/js-test.js"></script>
6 <div id="console"></div>
<!-- Fixture: the "use" element references the "text" element with id "a"; the script below clears that reference. -->
8 <svg xmlns:xlink="http://www.w3.org/1999/xlink">
9 <text id="a">Text</text>
10 <use xlink:href="#a"></use>
11 </svg>
13 <script>
// Crash regression test for a heap-use-after-free: there are no explicit
// assertions in this file, so the only failure signal is the renderer crashing.
// NOTE(review): a use-after-free does not reliably crash an uninstrumented
// build; this test is most meaningful under a memory-error detector such as
// AddressSanitizer. Confirm the bots that run it are configured that way.
// NOTE(review): the description text is presumably recorded in an
// expected-output baseline, so the "occuring" typo should only be fixed
// together with that baseline. Confirm before editing.
14 description("Checks to make sure a heap-use-after-free crash doesn't occur when a container node with an associated accessibility object is deleted from the tree. The heap-use-after free was occuring when the AccessibilityObject corresponding to the child of the text node walked up its parent chain in AccessibilityObject::supportsARIALiveRegion but its parent was already deleted.");
16 // This creates an accessibility object for every node in the tree.
// The call is skipped when window.accessibilityController is not defined. In
// that case the script builds no accessibility objects itself, so the
// use-after-free path described above is not exercised and the test passes
// without checking anything.
// NOTE(review): no element with id "foo" is visible in this file; presumably
// the lookup exists only to force the accessibility tree to be built. Confirm.
17 if (window.accessibilityController)
18 accessibilityController.accessibleElementById("foo");
20 // An SVG "use" element is like a clone, so the "use" element contains a
21 // clone of the "text" element. This statement clears the reference, which
22 // causes the cloned "text" element to be destroyed.
// Per the description above, the crash occurred after this kind of deletion:
// an accessibility object for a child walked up its parent chain while its
// parent had already been deleted. This must run after the accessibility
// objects have been created, so the statement order in this script matters.
23 document.getElementsByTagName('use')[0].setAttribute('xlink:href', '');
24 </script>
26 </body>
27 </html>