<html xmlns="http://www.w3.org/1999/xhtml" xlink="http://www.w3.org/1999/xlink">
<body>
<!-- Fixture for the script below: an SVG font whose font-face child (id
     "fontWillBeRemoved") declares the family "embeded", a text element that
     requests that family, and an empty use element the text is later moved
     into. The family name is spelled the same way everywhere it appears;
     keep it consistent if this file is edited. -->
<svg version="1.1" xlink="http://www.w3.org/1999/xlink" width="100%" xmlns="http://www.w3.org/2000/svg">
<g>
<defs>
<font horiz-adv-x="224" id="embeded">
<font-face font-family="embeded" id="fontWillBeRemoved"></font-face>
<glyph horiz-adv-x="1500" unicode="1"></glyph>
<glyph horiz-adv-x="1500" unicode="2"></glyph>
<glyph horiz-adv-x="1500" unicode="3"></glyph>
<glyph horiz-adv-x="1500" unicode="4"></glyph>
<glyph horiz-adv-x="1500" unicode="fi"></glyph>
</font>
</defs>
<g>
<use id="use"></use>
<text font-family="embeded" id="text">fi1234</text>
</g>
</g>
</svg>
</body>
<script>
// crbug.com/352178: Heap-use-after-free in WebCore::SVGFontFaceElement::associatedFontElement.
// PASS if no crash occurs.
//
// Regression test. The sequence is: detach the <font-face> element from its
// parent <font>, drop the script reference to it, request a garbage
// collection, then re-parent the <text> element that still names the font
// family. The statement order is the reproduction; do not reorder it.
//
// NOTE(review): "no crash" is a weak oracle for a memory-safety bug. A
// use-after-free does not always crash on a regular build, so this test is
// most meaningful on a build with a memory-error detector such as
// AddressSanitizer. Confirm it runs in such a configuration.
if (window.testRunner)
window.testRunner.dumpAsText();
// Runs while the script is parsed, before DOMContentLoaded fires.
// Presumably part of the original reproduction; its purpose is not stated here.
document.execCommand("SelectAll");
function runTest() {
// NOTE(review): the work is deferred to a timer, and this script never calls
// testRunner.waitUntilDone() / testRunner.notifyDone(). Confirm the harness
// does not finish the test before the callback has run; otherwise the test
// can pass without exercising the code path.
setTimeout(function() {
var fontWillBeRemoved = document.getElementById("fontWillBeRemoved");
var use = document.getElementById("use");
var text = document.getElementById("text");
// Detach the <font-face> from its parent <font>.
fontWillBeRemoved.parentNode.removeChild(fontWillBeRemoved);
// `delete` does not remove a `var` binding in non-strict code; the null
// assignment on the next line is what drops the script's reference.
delete fontWillBeRemoved;
fontWillBeRemoved = null;
// gc() is not a standard web API; it has to be exposed by the test
// environment (for example V8's --expose-gc). NOTE(review): if it is
// undefined this line throws a ReferenceError and appendChild() below never
// runs, so the regression check is skipped without any visible failure.
gc();
// Move the <text> that uses font-family "embeded" under the <use> element.
// Per the bug title, this is where the stale font lookup was reached.
use.appendChild(text);
}, 0);
}
document.addEventListener("DOMContentLoaded", runTest, false);
</script>
</html>