OLD | NEW |
1 <!DOCTYPE HTML> | 1 <!DOCTYPE HTML> |
2 <html> | 2 <html> |
3 <body> | 3 <body> |
4 <script src="../fast/js/resources/js-test-pre.js"></script> | 4 <script src="../fast/js/resources/js-test-pre.js"></script> |
5 | 5 |
6 <div id="console"></div> | 6 <div id="console"></div> |
7 | 7 |
8 <svg xmlns:xlink="http://www.w3.org/1999/xlink"> | 8 <svg xmlns:xlink="http://www.w3.org/1999/xlink"> |
9 <text id="a">Text</text> | 9 <text id="a">Text</text> |
10 <use xlink:href="#a"></use> | 10 <use xlink:href="#a"></use> |
11 </svg> | 11 </svg> |
12 | 12 |
13 <script> | 13 <script> |
14 description("Checks to make sure a heap-use-after-free crash doesn't occur when
a container node with an associated accessibility object is deleted from the tre
e. The heap-use-after free was occuring when the AccessibilityObject correspondi
ng to the child of the text node walked up its parent chain in AccessibilityObje
ct::supportsARIALiveRegion but its parent was already deleted."); | 14 description("Checks to make sure a heap-use-after-free crash doesn't occur when
a container node with an associated accessibility object is deleted from the tre
e. The heap-use-after free was occuring when the AccessibilityObject correspondi
ng to the child of the text node walked up its parent chain in AccessibilityObje
ct::supportsARIALiveRegion but its parent was already deleted."); |
15 | 15 |
16 // This creates an accessibility object for every node in the tree. | 16 // This creates an accessibility object for every node in the tree. |
17 if (window.accessibilityController) | 17 if (window.accessibilityController) |
18 accessibilityController.accessibleElementById("foo"); | 18 accessibilityController.accessibleElementById("foo"); |
19 | 19 |
20 // An SVG "use" element is like a clone, so the "use" element contains a | 20 // An SVG "use" element is like a clone, so the "use" element contains a |
21 // clone of the "text" element. This statement clears the reference, which | 21 // clone of the "text" element. This statement clears the reference, which |
22 // causes the cloned "text" element to be destroyed. | 22 // causes the cloned "text" element to be destroyed. |
23 document.getElementsByTagName('use')[0].setAttribute('xlink:href', ''); | 23 document.getElementsByTagName('use')[0].setAttribute('xlink:href', ''); |
24 </script> | 24 </script> |
25 | 25 |
26 <script src="../fast/js/resources/js-test-post.js"></script> | 26 <script src="../fast/js/resources/js-test-post.js"></script> |
27 </body> | 27 </body> |
28 </html> | 28 </html> |
OLD | NEW |