Chromium Code Reviews

Unified Diff: LayoutTests/fast/events/event-fire-disconnected-shadow-dom-crash.html

Issue 1265573003: Fix crash on null ptr dereference in EventPath propagation (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: update the comment (not necessarily async events) Created 5 years, 4 months ago
Index: LayoutTests/fast/events/event-fire-disconnected-shadow-dom-crash.html
diff --git a/LayoutTests/fast/events/event-fire-disconnected-shadow-dom-crash.html b/LayoutTests/fast/events/event-fire-disconnected-shadow-dom-crash.html
new file mode 100644
index 0000000000000000000000000000000000000000..1b7069bf2d2b45dee1752df40332bc85d0dd5615
--- /dev/null
+++ b/LayoutTests/fast/events/event-fire-disconnected-shadow-dom-crash.html
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<script src="../../resources/js-test.js"></script>
+
+<div id="root">
+<span id="div1"></span>
+</div>
+
+<!-- This is a minified version of the clusterfuzz test case at https://code.google.com/p/chromium/issues/detail?id=507413 -->
+<script>
+
+description("Generated by cluster-fuzz. This test passes if it doesn't crash.");
+
+// Here's explanation of what happens (before fix is in).
+// - execCommand("SelectAll") does 2 things
+// 1. triggers "selectstart" event handler.
+// 2. until the event handler finishes, the following events are queued.
+// - DOMNodeInserted for #text "A"
+// - DOMNodeInserted for #text "C"
+// - DOMNodeInserted for <option> (outer one)
+// - Once "selectstart" handler finishes, the following occurs.
+// - at entry, event.srcElement is <body>
+// - DOMNodeInserted for #text "A" is dispatched.
+// - "A"'s innerHTML ("<a><option>C</option></a>") is replaced with "ABC".
+// - <a> element is destructed.
+// - <option> (inner one) is destructed. <option>'s shadow root is detached at this point.
+// - DOMNodeInserted for #text "C" is dispatched.
+// - event.path calculation touches the #text's parent and get nullptr dereference.
+
+document.addEventListener("selectstart", function() {
+ var oElement = event.srcElement;
+ oElement.innerHTML = "<option>A<a><option>C</option></a></option>";
+}
+);
+
+document.addEventListener("DOMNodeInserted", function() {
+ var oElement = event.srcElement;
+ oElement.innerHTML = "ABC";
+});
+
+document.execCommand("SelectAll")
+</script>
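Review bot: Both listeners (the `selectstart` one and the `DOMNodeInserted` one) read the implicit global `event` and the legacy `srcElement` instead of taking the event as a parameter, so the test depends on `window.event` being set during dispatch; unless the fuzzer repro needs that, declare the handler as `function(event) {` and read `event.target`. The explanatory comment describes only the pre-fix sequence; one more line stating what is expected after the fix (no crash when `event.path` is computed for a node whose parent is gone) would help whoever next touches this test. Minor: the first listener closes with `}` and `);` on separate lines while the second uses `});`, and `document.execCommand("SelectAll")` lacks a trailing semicolon.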