chromium/third_party/blink/web_tests/dom/mutation-event-tests/fast/events/event-fire-disconnected-shadow-dom-crash.html

<!DOCTYPE html>
<script src="../../../../resources/js-test.js"></script>
<!-- Initial document content that execCommand("SelectAll") in the script
     below will select. Presumably these nodes are only here to give the
     selection something to span; the "selectstart" handler replaces the
     source element's innerHTML wholesale, so neither id is referenced by
     the script. Confirm against the original clusterfuzz case before
     changing them, since the repro depends on the exact DOM. -->

<div id="root">
<span id="div1"></span>
</div>

<!-- This is a minified version of the clusterfuzz test case at https://code.google.com/p/chromium/issues/detail?id=507413 -->
<script>

description("Generated by cluster-fuzz. This test passes if it doesn't crash.");

// Regression test for the crash described in the tracker issue linked in the
// HTML comment above: a DOMNodeInserted mutation event is dispatched for a
// text node whose parent has already been destroyed, and the event-path
// calculation dereferences nullptr. The only pass criterion is that the
// script runs to completion without crashing (see the description above),
// so the exact sequence of DOM mutations below must be preserved as-is.
//
// Here's an explanation of what happens (before the fix is in):
// - execCommand("SelectAll") does 2 things:
//   1. triggers the "selectstart" event handler.
//   2. until that handler finishes, the following events are queued:
//     - DOMNodeInserted for #text "A"
//     - DOMNodeInserted for #text "C"
//     - DOMNodeInserted for <option> (outer one)
// - Once the "selectstart" handler finishes, the following occurs:
//     - at entry, event.srcElement is <body>
//     - DOMNodeInserted for #text "A" is dispatched.
//     - "A"'s innerHTML ("<a><option>C</option></a>") is replaced with "ABC".
//     - <a> element is destructed.
//     - <option> (inner one) is destructed. <option>'s shadow root is detached at this point.
//     - DOMNodeInserted for #text "C" is dispatched.
//     - event.path calculation touches the #text's parent and gets a nullptr dereference.
//
// Both handlers below declare no event parameter and read the legacy global
// `event` (window.event); `srcElement` is the legacy alias of `target`.

// Step 1: on "selectstart", replace the source element's content with nested
// <option> elements. Per the walkthrough above, each inserted node queues a
// DOMNodeInserted mutation event until this handler returns.
document.addEventListener("selectstart", function() {
  var oElement = event.srcElement;
  oElement.innerHTML = "<option>A<a><option>C</option></a></option>";
}
);

// Step 2: on each queued DOMNodeInserted, replace the source element's
// content with plain text. Per the walkthrough above, handling the event for
// "A" destroys the <a> and inner <option> subtree while the event for "C" is
// still pending, which is the condition that triggered the crash.
document.addEventListener("DOMNodeInserted", function() {
  var oElement = event.srcElement;
  oElement.innerHTML = "ABC";
});

// Kick off the sequence. No assertion is needed: the test passes if this
// call returns without crashing.
document.execCommand("SelectAll")
</script>