<!DOCTYPE HTML>
<html>
<head>
<script type="application/javascript">
// Regression crashtest: crashes if 'target' doesn't get properly unlinked in
// FragmentOrElement::Unlink. Invoked once from the <body onload> handler.
// Takes no arguments and returns nothing; the test passes if the page loads
// without the browser crashing.
// Keep the statements exactly as written: the test depends on the object graph
// they build, so do not restyle or reorder them.
function crash() {
// Detached element: it is created here and never inserted into the document.
var target = document.createElement('div');
// By setting a custom prop (an expando) we create a cycle between JS and C++
// that requires the CC (cycle collector) to break.
target.foo = 'bar';
// Observer with a no-op callback and an empty options object.
var io = new IntersectionObserver(function () { }, { });
// Start observing the detached element. 'target' and 'io' are locals, so once
// crash() returns no script variable refers to either object.
// NOTE(review): presumably both are then garbage and the unlink path named
// above runs during collection; confirm against the bug this test was filed for.
io.observe(target);
}
</script>
</head>
<body onload="crash()">
</body>
</html>