Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(533)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: LayoutTests/accessibility/container-node-delete-causes-crash.html

Issue 11196044: Merge 130266 - AX: Heap-use-after-free when deleting a ContainerNode with an AX object (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/1271/
Patch Set: Created 8 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | LayoutTests/accessibility/container-node-delete-causes-crash-expected.txt » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 <!DOCTYPE HTML> 1 <!DOCTYPE HTML>
2 <html> 2 <html>
3 <body> 3 <body>
4 <script src="../fast/js/resources/js-test-pre.js"></script> 4 <script src="../fast/js/resources/js-test-pre.js"></script>
5 5
6 <div id="console"></div> 6 <div id="console"></div>
7 7
8 <svg xmlns:xlink="http://www.w3.org/1999/xlink"> 8 <svg xmlns:xlink="http://www.w3.org/1999/xlink">
9 <text id="a">Text</text> 9 <text id="a">Text</text>
10 <use xlink:href="#a"></use> 10 <use xlink:href="#a"></use>
11 </svg> 11 </svg>
12 12
13 <script> 13 <script>
14 description("Checks to make sure a heap-use-after-free crash doesn't occur when a container node with an associated accessibility object is deleted from the tre e. The heap-use-after free was occuring when the AccessibilityObject correspondi ng to the child of the text node walked up its parent chain in AccessibilityObje ct::supportsARIALiveRegion but its parent was already deleted."); 14 description("Checks to make sure a heap-use-after-free crash doesn't occur when a container node with an associated accessibility object is deleted from the tre e. The heap-use-after free was occuring when the AccessibilityObject correspondi ng to the child of the text node walked up its parent chain in AccessibilityObje ct::supportsARIALiveRegion but its parent was already deleted.");
15 15
16 // This creates an accessibility object for every node in the tree. 16 // This creates an accessibility object for every node in the tree.
17 if (window.accessibilityController) 17 if (window.accessibilityController)
18 accessibilityController.accessibleElementById("foo"); 18 accessibilityController.accessibleElementById("foo");
19 19
20 // An SVG "use" element is like a clone, so the "use" element contains a 20 // An SVG "use" element is like a clone, so the "use" element contains a
21 // clone of the "text" element. This statement clears the reference, which 21 // clone of the "text" element. This statement clears the reference, which
22 // causes the cloned "text" element to be destroyed. 22 // causes the cloned "text" element to be destroyed.
23 document.getElementsByTagName('use')[0].setAttribute('xlink:href', ''); 23 document.getElementsByTagName('use')[0].setAttribute('xlink:href', '');
24 </script> 24 </script>
25 25
26 <script src="../fast/js/resources/js-test-post.js"></script> 26 <script src="../fast/js/resources/js-test-post.js"></script>
27 </body> 27 </body>
28 </html> 28 </html>
OLDNEW
« no previous file with comments | « no previous file | LayoutTests/accessibility/container-node-delete-causes-crash-expected.txt » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698