Fix layout object lifecycle in HTMLElement.offset*

third_party/WebKit/LayoutTests/shadow-dom/offsetParent-layoutObject-lifecycle.html

Index: third_party/WebKit/LayoutTests/shadow-dom/offsetParent-layoutObject-lifecycle.html
diff --git a/third_party/WebKit/LayoutTests/shadow-dom/offsetParent-layoutObject-lifecycle.html b/third_party/WebKit/LayoutTests/shadow-dom/offsetParent-layoutObject-lifecycle.html
new file mode 100644
index 0000000000000000000000000000000000000000..8d403cfd7e08c701ccf1ebf3124c89df7799388a
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/shadow-dom/offsetParent-layoutObject-lifecycle.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>

[hayato, 2016/07/07 03:27:19]

Could you move this file to shadow-dom/crashes/ ?
I would like to use shadow-dom/ directory for a spec compliant test.

[kochi, 2016/07/07 03:39:07]

Done.

+<script src='../resources/testharness.js'></script>
+<script src='../resources/testharnessreport.js'></script>
+<script>
+// This case is created from reproduction case by cloudfuzzer.
+function f() {
+  test(() => {
+    var link = document.createElement('link');
+    link.setAttribute('rel','import');
+    document.head.appendChild(link);
+
+    var style = document.createElement('style');
+    style.textContent = '@import url(x)';
+    document.head.appendChild(style);
+
+    var frame = document.createElement('frame');
+    document.body.appendChild(frame);
+
+    // This could cause crash.
+    frame.offsetHeight;
+    assert_true(true, 'This test must run without crash.');
+  }, "HTMLElement.offsetHeight should not cause crash.");
+}
+</script>
+<body onload="f()"></body>

[hayato, 2016/07/07 03:27:19]

Use window.addEventListener, instead of <body onload="">.

[kochi, 2016/07/07 03:39:07]

Done.