<html>
<head>
<script src="../../resources/js-test.js"></script>
</head>
<body>
<script>
var jsTestIsAsync = true;
description('This is a regression test for crbug.com/400476. It should not crash and then brag about it.')
var root = document.documentElement;
var iframe = root.ownerDocument.createElement('iframe');
iframe.onload = function() {
var defaultView = iframe.contentDocument.defaultView;
defaultView.onpageshow = onPageShow;
window.setTimeout(tryToCrash, 0);
};
root.appendChild(iframe);
function onPageShow() {
eventObj = arguments[0];
}
function tryToCrash() {
// Access of eventObj.composedPath() caused the crash.
// The test is somewhat flaky, in that the test may pass as correct
// despite the bug being the code. The exact conditions
// are unclear, but 1, asan helps detect the crash and 2, the
// preceding gc()s increase the likelihood of it occurring.
gc();
gc();
gc();
gc();
gc();
var path = eventObj.composedPath();
debug(path);
testPassed('totally did not crash.');
finishJSTest();
}
</script>
</body>
</html>
Codebase Browser
chromium