Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/editing/text-iterator/rtl-first-letter-text-iterator-crash.html 

<style>
  #el0 {
    visibility: collapse;
  }
  #el1::first-letter {
    height: 1;
</style>
<script>
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

function crash(){
    el0=document.createElement('div')
    document.body.appendChild(el0)
    el0.setAttribute('id','el0')
    el1=document.createElement('div')
    document.body.appendChild(el1)
    el1.setAttribute('id','el1')
    el0.appendChild(document.createTextNode(unescape(Array(40).join('A')+'%ufed5')));
    el1.appendChild(document.createTextNode(unescape('A%u074b')));
    document.body.offsetTop;
    setTimeout(function () {
        document.body.innerHTML = "PASS. WebKit didn't crash.";
        testRunner.notifyDone();
    }, 0);
}
window.scrollTop;
window.onload=crash
</script>