LayoutTests/fast/events/event-fire-disconnected-shadow-dom-crash.html - Issue 1265573003: Fix crash on null ptr dereference in EventPath propagation

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: LayoutTests/fast/events/event-fire-disconnected-shadow-dom-crash.html

Issue 1265573003: Fix crash on null ptr dereference in EventPath propagation (Closed) Base URL: svn://svn.chromium.org/blink/trunk

Patch Set: update the comment (not necessarily async events) Created 5 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 <!DOCTYPE html>

	2 <script src="../../resources/js-test.js"></script>

	3

	4 <div id="root">

	5 <span id="div1"></span>

	6 </div>

	7

	8 <!-- This is a minified version of the clusterfuzz test case at https://code.goo gle.com/p/chromium/issues/detail?id=507413 -->

	9 <script>

	10

	11 description("Generated by cluster-fuzz. This test passes if it doesn't crash.");

	12

	13 // Here's explanation of what happens (before fix is in).

	14 // - execCommand("SelectAll") does 2 things

	15 // 1. triggers "selectstart" event handler.

	16 // 2. until the event handler finishes, the following events are queued.

	17 // - DOMNodeInserted for #text "A"

	18 // - DOMNodeInserted for #text "C"

	19 // - DOMNodeInserted for <option> (outer one)

	20 // - Once "selectstart" handler finishes, the following occurs.

	21 // - at entry, event.srcElement is <body>

	22 // - DOMNodeInserted for #text "A" is dispatched.

	23 // - "A"'s innerHTML ("<a><option>C</option></a>") is replaced with "ABC".

	24 // - <a> element is destructed.

	25 // - <option> (inner one) is destructed. <option>'s shadow root is detached at this point.

	26 // - DOMNodeInserted for #text "C" is dispatched.

	27 // - event.path calculation touches the #text's parent and get nullptr deref erence.

	28

	29 document.addEventListener("selectstart", function() {

	30 var oElement = event.srcElement;

	31 oElement.innerHTML = "<option>A<a><option>C</option></a></option>";

	32 }

	33 );

	34

	35 document.addEventListener("DOMNodeInserted", function() {

	36 var oElement = event.srcElement;

	37 oElement.innerHTML = "ABC";

	38 });

	39

	40 document.execCommand("SelectAll")

	41 </script>

OLD	NEW

« no previous file with comments | « no previous file | LayoutTests/fast/events/event-fire-disconnected-shadow-dom-crash-expected.txt » ('j') | no next file with comments »