29 lines
1.1 KiB
HTML
29 lines
1.1 KiB
HTML
<!DOCTYPE HTML>
|
|
<html>
|
|
<body>
|
|
<script src="../resources/js-test-pre.js"></script>
|
|
|
|
<div id="console"></div>
|
|
|
|
<svg xmlns:xlink="http://www.w3.org/1999/xlink">
|
|
<text id="a">Text</text>
|
|
<use xlink:href="#a"></use>
|
|
</svg>
|
|
|
|
<script>
|
|
description("Checks to make sure a heap-use-after-free crash doesn't occur when a container node with an associated accessibility object is deleted from the tree. The heap-use-after free was occuring when the AccessibilityObject corresponding to the child of the text node walked up its parent chain in AccessibilityObject::supportsARIALiveRegion but its parent was already deleted.");
|
|
|
|
// This creates an accessibility object for every node in the tree.
|
|
if (window.accessibilityController)
|
|
accessibilityController.accessibleElementById("foo");
|
|
|
|
// An SVG "use" element is like a clone, so the "use" element contains a
|
|
// clone of the "text" element. This statement clears the reference, which
|
|
// causes the cloned "text" element to be destroyed.
|
|
document.getElementsByTagName('use')[0].setAttribute('xlink:href', '');
|
|
</script>
|
|
|
|
<script src="../resources/js-test-post.js"></script>
|
|
</body>
|
|
</html>
|