<!DOCTYPE HTML>
<html>
<body>
<script src="../resources/js-test.js"></script>
<div id="console"></div>
<svg xmlns:xlink="http://www.w3.org/1999/xlink">
<text id="a">Text</text>
<use xlink:href="#a"></use>
</svg>
<script>
description("Checks to make sure a heap-use-after-free crash doesn't occur when a container node with an associated accessibility object is deleted from the tree. The heap-use-after free was occuring when the AccessibilityObject corresponding to the child of the text node walked up its parent chain in AccessibilityObject::supportsARIALiveRegion but its parent was already deleted.");
// This creates an accessibility object for every node in the tree.
if (window.accessibilityController)
accessibilityController.accessibleElementById("foo");
// An SVG "use" element is like a clone, so the "use" element contains a
// clone of the "text" element. This statement clears the reference, which
// causes the cloned "text" element to be destroyed.
document.getElementsByTagName('use')[0].setAttribute('xlink:href', '');
</script>
</body>
</html>
Codebase Browser
chromium