<!doctype html>
<script src="../../resources/js-test.js"></script>
<!-- Minimal DOM the fuzzer case was reduced to. The listeners below act on
     event.srcElement (the <body> at entry), not on these two elements. -->
<div id="root">
  <span id="div1"></span>
</div>
<!-- This is a minimized version of the ClusterFuzz test case at https://code.google.com/p/chromium/issues/detail?id=507413 -->
<script>
description("Generated by cluster-fuzz. This test passes if it doesn't crash.");

// Sequence that led to the renderer crash before the fix:
//
// execCommand("SelectAll") first fires the "selectstart" handler and, while
// that handler runs, queues DOMNodeInserted for #text "A", #text "C" and the
// outer <option>.  Once the handler returns the queued events are dispatched,
// with event.srcElement being <body> at entry:
//   * DOMNodeInserted for "A": its innerHTML ("<a><option>C</option></a>") is
//     replaced with "ABC", so the <a> and the inner <option> are destructed
//     and the inner <option>'s shadow root is detached.
//   * DOMNodeInserted for "C": computing event.path touches the #text's
//     (now gone) parent and dereferences nullptr.
//
// The markup and the order of the two listeners below must stay exactly as
// they are for the repro to exercise that path.

function onSelectStart(e) {
  // Nest an <option> inside <a> inside <option>; inserting this queues the
  // three DOMNodeInserted notifications described above.
  e.srcElement.innerHTML = "<option>A<a><option>C</option></a></option>";
}

function onNodeInserted(e) {
  // Replace the parent's content while later insertion events are still
  // queued, destroying the nodes those events refer to.
  e.srcElement.innerHTML = "ABC";
}

document.addEventListener("selectstart", onSelectStart);
document.addEventListener("DOMNodeInserted", onNodeInserted);
document.execCommand("SelectAll");
</script>