Adapted from clusterfuzz case filed in
This bug was a combination of 2 things:
- calling appendChild with an iframe's body as the child moves the body out
  of the iframe's document, so the iframe's document.body becomes null
- changing a body's margin height in an event handler reacting to a change
  in the same body's margin width causes a method call on the body without
  checking whether it is null. The height change does not complete
  immediately: part of it is applied to the node _after_ the handler
  completes, by which point the node (the body) has become null.
<iframe id=html_iframe></iframe>
<div id=html_div></div>
setup({ allow_uncaught_exception: true });
function reactToWidthChange() {
  // null the body: moving it into the outer document leaves
  // window[0].document.body null (the call the description refers to)
  html_div.appendChild(window[0].document.body);
  // change the height while the body is null
  html_iframe.marginHeight = "0";
}
test(() => {
  window[0].addEventListener("DOMSubtreeModified", reactToWidthChange);
  html_iframe.marginWidth = "0";
}, 'try-trigger-crash');
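The following is an added example, not part of the original test and not Blink's code: a plain-JavaScript model (runnable outside a browser) of the re-entrancy hazard the test above targets. A margin setter records the attribute, dispatches a synchronous mutation event that can run arbitrary script, and only then propagates the value to the content document's body. `FrameOwner`, `Body`, `setMarginUnchecked`, `setMarginChecked`, `detachBody` and `runScenario` are invented names; `detachBody` stands in for `html_div.appendChild(window[0].document.body)`. The unchecked setter dereferences the body after the callout without re-checking it, which is the crash shape the test tries to trigger; the checked setter re-fetches the body after the dispatch and bails out if it is gone.

```javascript
// Constructed model of the bug pattern; not the browser's real implementation.
class Body {
  constructor() { this.style = {}; }
}

class FrameOwner {
  constructor() {
    this.attrs = {};          // the <iframe>'s own attributes
    this.body = new Body();   // stands in for window[0].document.body
    this.listeners = [];      // DOMSubtreeModified listeners on the frame's window
  }

  addEventListener(fn) { this.listeners.push(fn); }

  // Mutation events are dispatched synchronously, so listener script runs
  // in the middle of the setter that triggered them.
  dispatch(name) { for (const fn of this.listeners) fn(this, name); }

  // Stands in for appendChild(window[0].document.body): the body is moved
  // out of the frame's document, which then has no body.
  detachBody() { const b = this.body; this.body = null; return b; }

  // Vulnerable shape: the change is applied in two halves around the
  // dispatch, and the second half uses the body without a null check.
  setMarginUnchecked(prop, value) {
    this.attrs[prop] = value;               // first half of the change
    this.dispatch("DOMSubtreeModified");    // arbitrary script runs here
    this.body.style[prop] = value;          // TypeError once body is null
  }

  // Hardened shape: re-fetch and null-check the body after any callout
  // that can run script, and stop if it is gone.
  setMarginChecked(prop, value) {
    this.attrs[prop] = value;
    this.dispatch("DOMSubtreeModified");
    const body = this.body;                 // re-fetch, do not reuse a snapshot
    if (body === null) return false;        // body was detached by a listener
    body.style[prop] = value;
    return true;
  }
}

// Replays the test's handler: when the width changes, move the body out of
// the frame and then change the height from inside the handler.
function runScenario(setterName) {
  const frame = new FrameOwner();
  let innerResult;
  frame.addEventListener((f) => {
    if (f.body === null) return;            // react only to the first event
    f.detachBody();
    innerResult = f[setterName]("marginHeight", "0");
  });
  try {
    const outerResult = frame[setterName]("marginWidth", "0");
    return { crashed: false, error: null, innerResult, outerResult };
  } catch (e) {
    return { crashed: true, error: e.constructor.name, innerResult, outerResult: undefined };
  }
}

// Baseline with no listener: both setters simply propagate the value.
function runBaseline(setterName) {
  const frame = new FrameOwner();
  frame[setterName]("marginWidth", "0");
  return frame.body.style.marginWidth;
}
```

`runScenario("setMarginUnchecked")` ends in a TypeError thrown from the inner height change, the analogue of the null-dereference crash; `runScenario("setMarginChecked")` completes, with both the inner and outer calls reporting that the body was gone. The general rule this illustrates: after any call that can dispatch events or otherwise run script, treat every previously fetched DOM pointer as stale and re-validate it before use.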