Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(106)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: LayoutTests/fast/flexbox/order-iterator-crash.html

Issue 19558006: Heap-use-after-free in WebCore::RenderFlexibleBox::firstLineBoxBaseline (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Updated change after the review's comments Created 7 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | LayoutTests/fast/flexbox/order-iterator-crash-expected.txt » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: LayoutTests/fast/flexbox/order-iterator-crash.html
diff --git a/LayoutTests/fast/flexbox/order-iterator-crash.html b/LayoutTests/fast/flexbox/order-iterator-crash.html
new file mode 100644
index 0000000000000000000000000000000000000000..2b519664c713755e8095fec850ad1bfa52ecdf58
--- /dev/null
+++ b/LayoutTests/fast/flexbox/order-iterator-crash.html
@@ -0,0 +1,12 @@
+<div>This test has passed if it doesn't crash under ASAN.</div>
+<style>
+* { display: flex; }
+</style>
+<table><td id="crashy"></td></table>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+crashy.offsetLeft;
+crashy.parentNode.removeChild(crashy);
+</script>
« no previous file with comments | « no previous file | LayoutTests/fast/flexbox/order-iterator-crash-expected.txt » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698