| <html> |
| <head> |
| <script> |
| function openIframe() |
| { |
| if (document.createElement && (iframe = document.createElement('iframe'))) { |
| document.body.appendChild(iframe); |
| return iframe; |
| } |
| } |
| |
| function runTestReplaceWholeText() |
| { |
| t1 = openIframe(); |
| var a = t1.contentWindow.frames; |
| var b = t1.contentDocument.defaultView.localStorage; |
| t1.outerText = ""; |
| t1.src = undefined; |
| first_attr = t1.attributes.item(undefined, undefined, undefined, undefined); |
| first_attr_value_replaced = first_attr.firstChild.replaceWholeText(undefined, undefined, undefined, undefined); |
| first_attr_value_replaced.DOCUMENT_FRAGMENT_NODE = a; |
| try { |
| first_attr.firstChild.DOCUMENT_FRAGMENT_NODE.localStorage.fuzz3_visited="test"; |
| } catch (e) { |
| console.log("Expected exception caught."); |
| } |
| } |
| |
| function runTestOuterText() { |
| t1 = openIframe(); |
| var a = t1.contentWindow.frames; |
| var b = t1.contentDocument.defaultView.localStorage; |
| var a_localStorage = a.localStorage; // The constructor won't be reachable as window object property after detaching the frame. |
| |
| t1.outerText = ""; |
| try { |
| a_localStorage.fuzz3_visited="test"; |
| } catch (e) { |
| console.log("Expected exception caught."); |
| } |
| } |
| |
| function runTests() { |
| runTestReplaceWholeText(); |
| runTestOuterText(); |
| document.getElementById("result").innerHTML = "passed"; |
| } |
| |
| if (window.testRunner) |
| testRunner.dumpAsText(); |
| |
| </script> |
| </head> |
| <body onload="runTests()"> |
| <p>Bug: https://bugs.webkit.org/show_bug.cgi?id=57140 |
| <p>Description: Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem() |
| <p>Expect: passed |
| <p>Result: <span id="result">failed</span> |
| </body> |
| </html> |
