third_party/WebKit/LayoutTests/fast/events/event-fire-disconnected-shadow-dom-crash.html

   1 <!DOCTYPE html>
   2 <script src="../../resources/js-test.js"></script>
   3
   4 <div id="root">
   5 <span id="div1"></span>
   6 </div>
   7
   8 <!-- This is a minified version of the clusterfuzz test case at https://code.google.com/p/chromium/issues/detail?id=507413 -->
   9 <script>
  10
  11 description("Generated by cluster-fuzz. This test passes if it doesn't crash.");
  12
  13 // Here's explanation of what happens (before fix is in).
  14 // - execCommand("SelectAll") does 2 things
  15 //   1. triggers "selectstart" event handler.
  16 //   2. until the event handler finishes, the following events are queued.
  17 //     - DOMNodeInserted for #text "A"
  18 //     - DOMNodeInserted for #text "C"
  19 //     - DOMNodeInserted for <option> (outer one)
  20 // - Once "selectstart" handler finishes, the following occurs.
  21 //     - at entry, event.srcElement is <body>
  22 //     - DOMNodeInserted for #text "A" is dispatched.
  23 //     - "A"'s innerHTML ("<a><option>C</option></a>") is replaced with "ABC".
  24 //     - <a> element is destructed.
  25 //     - <option> (inner one) is destructed. <option>'s shadow root is detached at this point.
  26 //     - DOMNodeInserted for #text "C" is dispatched.
  27 //     - event.path calculation touches the #text's parent and get nullptr dereference.
  28
  29 document.addEventListener("selectstart", function() {
  30   var oElement = event.srcElement;
  31   oElement.innerHTML = "<option>A<a><option>C</option></a></option>";
  32 }
  33 );
  34
  35 document.addEventListener("DOMNodeInserted", function() {
  36   var oElement = event.srcElement;
  37   oElement.innerHTML = "ABC";
  38 });
  39
  40 document.execCommand("SelectAll")
  41 </script>