Fix crash when accessing Event::path().

LayoutTests/http/tests/dom/crash-on-querying-event-path.html

Index: LayoutTests/http/tests/dom/crash-on-querying-event-path.html
diff --git a/LayoutTests/http/tests/dom/crash-on-querying-event-path.html b/LayoutTests/http/tests/dom/crash-on-querying-event-path.html
new file mode 100644
index 0000000000000000000000000000000000000000..51211becf8f13b4ee48d9b52255165012229a08a
--- /dev/null
+++ b/LayoutTests/http/tests/dom/crash-on-querying-event-path.html
@@ -0,0 +1,45 @@
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+</head>
+<body>
+<script>
+var jsTestIsAsync = true;
+description('This is a regression test for crbug.com/400476. It should not crash and then brag about it.')
+
+var root = document.documentElement;
+var iframe = root.ownerDocument.createElement('iframe');
+iframe.onload = iframeOnload;
+root.appendChild(iframe);
+
+function iframeOnload() {
+    var defaultView = iframe.contentDocument.defaultView;
+    defaultView.onpageshow = onPageShow;
+    iframe.src = null;
+    window.setTimeout(nextIframeLoaded, 100);
+}
+
+function onPageShow() {
+    eventObj = arguments[0];
+}
+
+function nextIframeLoaded() {
+    // Access of eventObj.path caused the crash.
+    // The test is somewhat flaky, in that the test may pass as correct
+    // despite the bug being the code. The exact conditions
+    // are unclear, but 1, asan helps detect the crash and 2, the
+    // preceeding gc()s increase the likelihood of it occurring.
+    gc();
+    gc();
+    gc();
+    gc();
+    gc();
+    var path = eventObj.path;
+    debug(path);
+
+    testPassed('totally did not crash.');
+    finishJSTest();
+}
+</script>
+</body>
+</html>