OLD | NEW |
1 <html> | 1 <html> |
2 <link rel="import" href="../resources/dump-as-text.sky" /> | 2 <import src="../resources/dump-as-text.sky" /> |
3 <link rel="import" href="resources/document-register-fuzz.sky" as="fuzzer" /> | 3 <import src="resources/document-register-fuzz.sky" as="fuzzer" /> |
4 <body> | 4 <body> |
5 <div id="container"></div> | 5 <div id="container"></div> |
6 Fuzzing document.registerElement() through getters. PASS uless crash. | 6 Fuzzing document.registerElement() through getters. PASS uless crash. |
7 <script> | 7 <script> |
8 var badPrototype = Image.prototype; | 8 var badPrototype = Image.prototype; |
9 var badConstructor = Image.prototype.constructor; | 9 var badConstructor = Image.prototype.constructor; |
10 | 10 |
11 fuzzer.setupObjectHooks({ | 11 fuzzer.setupObjectHooks({ |
12 prototypeGet: function() { return badPrototype; }, | 12 prototypeGet: function() { return badPrototype; }, |
13 prototypeSet: function(value) { }, | 13 prototypeSet: function(value) { }, |
14 constructorGet: function() { return badConstructor; }, | 14 constructorGet: function() { return badConstructor; }, |
15 constructorSet: function(value) { } | 15 constructorSet: function(value) { } |
16 }); | 16 }); |
17 | 17 |
18 fuzzer.exerciseDocumentRegister(); | 18 fuzzer.exerciseDocumentRegister(); |
19 </script> | 19 </script> |
20 </body> | 20 </body> |
21 </html> | 21 </html> |
OLD | NEW |