chromium/third_party/blink/web_tests/fast/dom/remove-svg-font-face-element-crash.xhtml

<html xmlns="http://www.w3.org/1999/xhtml" xlink="http://www.w3.org/1999/xlink">
<body>
<svg version="1.1" xlink="http://www.w3.org/1999/xlink" width="100%" xmlns="http://www.w3.org/2000/svg">
    <g>
        <defs>
            <font horiz-adv-x="224" id="embedded">
                <font-face font-family="embedded" id="fontWillBeRemoved"></font-face>
                <glyph horiz-adv-x="1500" unicode="1"></glyph>
                <glyph horiz-adv-x="1500" unicode="2"></glyph>
                <glyph horiz-adv-x="1500" unicode="3"></glyph>
                <glyph horiz-adv-x="1500" unicode="4"></glyph>
                <glyph horiz-adv-x="1500" unicode="fi"></glyph>
            </font>
        </defs>
        <g>
            <use id="use"></use>
            <text font-family="embedded" id="text">fi1234</text>
        </g>
    </g>
</svg>
</body>
<script>
// crbug.com/352178: Heap-use-after-free in WebCore::SVGFontFaceElement::associatedFontElement.
// PASS if no crash occurs.
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

document.execCommand("SelectAll");

function runTest() {
    setTimeout(function() {
        var fontWillBeRemoved = document.getElementById("fontWillBeRemoved");
        var use = document.getElementById("use");
        var text = document.getElementById("text");

        fontWillBeRemoved.parentNode.removeChild(fontWillBeRemoved);
        delete fontWillBeRemoved; 
        fontWillBeRemoved = null;
	gc();
        use.appendChild(text);
        testRunner.notifyDone();
    }, 0);
}

document.addEventListener("DOMContentLoaded", runTest, false);
</script>
</html>