<!DOCTYPE html>
<script src="../../resources/js-test.js"></script>

<div id="root">
<span id="div1"></span>
</div>

<!-- This is a minified version of the clusterfuzz test case at https://code.google.com/p/chromium/issues/detail?id=507413 -->
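<script>

description("Generated by cluster-fuzz. This test passes if it doesn't crash.");

// Regression test for a fuzzer-found crash: both handlers below mutate the
// DOM re-entrantly from inside event dispatch. NOTE(review): keep the markup
// string and the event order exactly as they are; the repro depends on them.
//
// Here's an explanation of what happens (before the fix is in).
// - execCommand("SelectAll") does 2 things:
//   1. triggers the "selectstart" event handler.
//   2. until the event handler finishes, the following events are queued:
//      - DOMNodeInserted for #text "A"
//      - DOMNodeInserted for #text "C"
//      - DOMNodeInserted for <option> (outer one)
// - Once the "selectstart" handler finishes, the following occurs:
//   - at entry, event.srcElement is <body>
//   - DOMNodeInserted for #text "A" is dispatched.
//   - "A"'s innerHTML ("<a><option>C</option></a>") is replaced with "ABC".
//   - <a> element is destructed.
//   - <option> (inner one) is destructed. <option>'s shadow root is detached at this point.
//   - DOMNodeInserted for #text "C" is dispatched.
//   - event.path calculation touches the #text's parent and gets a nullptr dereference.

// The event is read from the handler argument instead of the implicit global
// `window.event` (the same object during dispatch here, but non-standard
// elsewhere). Event.srcElement is the legacy alias of Event.target; it is kept
// so the repro matches the original fuzzer-generated case.
document.addEventListener("selectstart", function(e) {
  var target = e.srcElement;
  target.innerHTML = "<option>A<a><option>C</option></a></option>";
});

// DOMNodeInserted is a legacy DOM Mutation Event. Here it is dispatched for
// the nodes inserted by the innerHTML assignment above (queued until the
// selectstart handler returns, as described above), and this handler mutates
// the tree again from inside that dispatch.
document.addEventListener("DOMNodeInserted", function(e) {
  var target = e.srcElement;
  target.innerHTML = "ABC";
});

document.execCommand("SelectAll");
</script>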