blob: 706e3092e68fdc7a7080575b0276238154ce1ce6 [file] [log] [blame]
<!DOCTYPE html>
<script src="../../resources/testharness.js"></script>
<script src="../../resources/testharnessreport.js"></script>
Adapted from clusterfuzz case filed in
This bug was a combination of 2 things:
- calling appendChild with an iframe's body as the child causes the
iframe body to become null
- changing a body's margin height in an event handler reacting a
change in the same body's margin width causes a method call on the
body without checking if it's null. The change in height does not
complete immediately, some of the change is applied to the Node
_after_ the handler completes by which point the node (body) has
become null.
<iframe id=html_iframe></iframe>
<div id=html_div></div>
setup({ allow_uncaught_exception: true });
function reactToWidthChange() {
// null the body
// change the height
html_iframe.marginHeight = "0";
test(() => {
window[0].addEventListener("DOMSubtreeModified", reactToWidthChange);
html_iframe.marginWidth = "0";
}, 'try-trigger-crash');