Add failing displaylocking+shadowdom crash tests
These crashing tests were uncovered by clusterfuzz after I landed a
patch to use content-visibility in <details>. It turned out that all of
them could also reproduce the crash without the use of <details>, so
here they are.
Bug: 1236774
Change-Id: Ib44f6f8167929c90d4b78c6e153ad645767e1b58
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3072277
Reviewed-by: vmpstr <vmpstr@chromium.org>
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#911804}
diff --git a/css/css-contain/content-visibility/slot-content-visibility-1-crash.html b/css/css-contain/content-visibility/slot-content-visibility-1-crash.html
new file mode 100644
index 0000000..7fd4ba7
--- /dev/null
+++ b/css/css-contain/content-visibility/slot-content-visibility-1-crash.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<link rel=author href="mailto:jarhar@chromium.org">
+<link rel=help href="https://bugs.chromium.org/p/chromium/issues/detail?id=1221036">
+
+>
+<div>
+ <template shadowroot=open>
+ <slot style="content-visibility: hidden; display: block"></slot>
+ </template>
+ a
+<script type="text/javascript">
+document.execCommand("selectall");
+</script>
diff --git a/css/css-contain/content-visibility/slot-content-visibility-2-crash.html b/css/css-contain/content-visibility/slot-content-visibility-2-crash.html
new file mode 100644
index 0000000..47b7962
--- /dev/null
+++ b/css/css-contain/content-visibility/slot-content-visibility-2-crash.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<link rel=author href="mailto:jarhar@chromium.org">
+<link rel=help href="https://bugs.chromium.org/p/chromium/issues/detail?id=1221821">
+
+<div>
+ <template shadowroot=open>
+ <slot style="content-visibility: hidden; display: block"></slot>
+ </template>
+<link rel=stylesheet href="/fonts/ahem.css">
+<span style="columns: 1 46px">
+<style>
+* {}
+</style>
diff --git a/css/css-contain/content-visibility/slot-content-visibility-3-crash.html b/css/css-contain/content-visibility/slot-content-visibility-3-crash.html
new file mode 100644
index 0000000..a849239
--- /dev/null
+++ b/css/css-contain/content-visibility/slot-content-visibility-3-crash.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<link rel=author href="mailto:jarhar@chromium.org">
+<link rel=help href="https://bugs.chromium.org/p/chromium/issues/detail?id=1221821">
+
+<div>
+ <template shadowroot=open>
+ <slot style="content-visibility: hidden; display: block"></slot>
+ </template>
+<span autofocus>
+<link rel=stylesheet href="/fonts/ahem.css">
+<body hidden>
+<span style="columns: 4294967236 46px; ">
+<style>
+* {}
+</style>
diff --git a/css/css-contain/content-visibility/slot-content-visibility-4-crash.html b/css/css-contain/content-visibility/slot-content-visibility-4-crash.html
new file mode 100644
index 0000000..83e85a1
--- /dev/null
+++ b/css/css-contain/content-visibility/slot-content-visibility-4-crash.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<link rel=author href="mailto:jarhar@chromium.org">
+<link rel=help href="https://bugs.chromium.org/p/chromium/issues/detail?id=1221767">
+
+<div>
+ <template shadowroot=open>
+ <slot style="content-visibility: hidden; display: block"></slot>
+ </template>
+a
+<meter>a
+<script>
+document.execCommand("selectall");
+</script>
diff --git a/css/css-contain/content-visibility/slot-content-visibility-5-crash.html b/css/css-contain/content-visibility/slot-content-visibility-5-crash.html
new file mode 100644
index 0000000..01f0633
--- /dev/null
+++ b/css/css-contain/content-visibility/slot-content-visibility-5-crash.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<link rel=author href="mailto:jarhar@chromium.org">
+<link rel=help href="https://bugs.chromium.org/p/chromium/issues/detail?id=1221121">
+
+<style>
+</style>
+<style>
+</style>
+<style>
+</style>
+<div>
+ <template shadowroot=open>
+ <slot style="content-visibility: hidden; display: block"></slot>
+ </template>
+<embed id="I7" class= accesskey="h">
+<meter class="C8">a
+<script>
+ document.head.appendChild(document.createElement("style"));
+ const styleSheet = document.styleSheets[document.styleSheets.length - 1];
+ styleSheet.insertRule(":root{}");
+ const styleSheet0 = document.styleSheets[0];
+ const test2 = document.getElementById("I7");
+ test2.className += "fuzzClass5";
+ styleSheet0.insertRule('.C8 {}');
+ try {
+ test2.style.setProperty();
+ } catch(e) {}
+ document.styleSheets[3].disabled = true;
+ test2.style['border-right-color-value'] = '';
+ styleSheet0.insertRule('.foo { color: blue }', styleSheet0.cssRules.length);
+ document.execCommand("false");
+ document.designMode = "on";
+</script>
diff --git a/css/css-contain/content-visibility/slot-content-visibility-6-crash.html b/css/css-contain/content-visibility/slot-content-visibility-6-crash.html
new file mode 100644
index 0000000..3055b04
--- /dev/null
+++ b/css/css-contain/content-visibility/slot-content-visibility-6-crash.html
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<link rel=author href="mailto:jarhar@chromium.org">
+<link rel=help href="https://bugs.chromium.org/p/chromium/issues/detail?id=1221890">
+
+<a autofocus="autofocus">
+<div>
+ <template shadowroot=open>
+ <slot style="content-visibility: hidden; display: block"></slot>
+ </template>
+</a>
+<svg>
+<clipPath id="svgvar00002">
+</div>
+<svg clip-path="url(#svgvar00002)">
diff --git a/css/css-contain/content-visibility/slot-content-visibility-7-crash.html b/css/css-contain/content-visibility/slot-content-visibility-7-crash.html
new file mode 100644
index 0000000..896ebf7
--- /dev/null
+++ b/css/css-contain/content-visibility/slot-content-visibility-7-crash.html
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<link rel=author href="mailto:jarhar@chromium.org">
+<link rel=help href="https://bugs.chromium.org/p/chromium/issues/detail?id=1221508">
+
+<script>
+function showmodal() {
+ dialog.showModal();
+}
+</script>
+
+<body onload=showmodal()>
+ <div>
+ <template shadowroot=open>
+ <slot style="content-visibility: hidden; display:block"></slot>
+ </template>
+ <dialog id=dialog></dialog>
+ </div>
+</body>
diff --git a/css/css-contain/content-visibility/slot-content-visibility-8-crash.html b/css/css-contain/content-visibility/slot-content-visibility-8-crash.html
new file mode 100644
index 0000000..208e2c7
--- /dev/null
+++ b/css/css-contain/content-visibility/slot-content-visibility-8-crash.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<link rel=author href="mailto:jarhar@chromium.org">
+<link rel=help href="https://bugs.chromium.org/p/chromium/issues/detail?id=1222408">
+
+<div id=details>
+ <template shadowroot=open>
+ <slot style="content-visibility: hidden; display: block"></slot>
+ </template>
+</div>
+
+<div id="clear-left">
+<div>X</div>
+<script>
+document.head.appendChild(document.createElement("style"));
+var styleSheet = document.styleSheets[document.styleSheets.length-1];
+styleSheet.insertRule(":root{}"); styleSheet.disabled=false;
+var styleSheet0 = document.styleSheets[0];
+var test0=document.getElementById("clear-left");
+var test5=test0.appendChild(details);
+var test6=test5.appendChild(document.createElement("figure"));
+var test7=test5.appendChild(document.createElement("cite"));
+requestAnimationFrame(function() {
+ styleSheet0.insertRule('p:checked, #clear-left:before {-ms-transform:perspective(45in) rotateX(90deg); -ms-flex-wrap:wrap; }',styleSheet0.cssRules.length);
+ document.execCommand(null);
+ styleSheet0.insertRule('hgroup:link, #clear-left:link {-webkit-animation-name:test; padding-bottom:$grid-padding; }',styleSheet0.cssRules.length);
+ test6.style.setProperty('font-Weight','bold');
+});
+window.scrollTo();
+test7.style.transform = 'scale(1)';
+</script>
