Bug 1730156 Comment 18 Edit History


The root cause of the crash in comment 4's testcase_click.html is that location.reload() happens before the file picker finishes.

The crash flow is:
1. Click "browse"; the file picker pops up.
2. main() is triggered, then location.reload() is called.
3. location.reload() causes the HTMLInputElement's scriptGlobalObject to be freed. The HTMLInputElement is still alive but invalid, since the file picker holds a strong reference (RefPtr<HTMLInputElement>). And the file picker is still there.
4. Select a file and click "open"; DispatchChangeEventRunnable is created with the invalid HTMLInputElement.
5. DispatchChangeEventRunnable::Run() is called, but it tries to access the freed scriptGlobalObject through HTMLInputElement::GetOwnerGlobal(), which crashes the tab.

I am not sure if it is easy to make the file picker detect that the page reload happens and close itself.
But a simple solution is not to create the DispatchChangeEventRunnable if the HTMLInputElement has no scriptGlobalObject anymore.

The root cause of the crash in comment 4's testcase_click.html is that location.reload() happens before the file picker finishes.

The crash flow is:
1. Click "browse"; the file picker pops up.
2. main() is triggered, then location.reload() is called.
3. location.reload() causes the HTMLInputElement's scriptGlobalObject to be freed. The HTMLInputElement is still alive but invalid, since the file picker holds a strong reference (RefPtr<HTMLInputElement>). And the file picker is still there.
4. Select a file and click "open"; DispatchChangeEventCallback is created with the invalid HTMLInputElement.
5. DispatchChangeEventCallback::Callback() is called, but it tries to access the freed scriptGlobalObject through HTMLInputElement::GetOwnerGlobal(), which crashes the tab.

I am not sure if it is easy to make the file picker detect that the page reload happens and close itself.
But a simple solution is not to create the DispatchChangeEventCallback if the HTMLInputElement has no scriptGlobalObject anymore.
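An added illustration of the lifecycle described in the comment and of the proposed guard, written in plain C++ for this page and not taken from Gecko: ScriptGlobalObject, HTMLInputElement, DispatchChangeEventCallback, OnFilePickerDone and RunScenario are simplified stand-ins that model the strong picker reference and the freeable owner global with std::shared_ptr and std::weak_ptr.

```cpp
#include <memory>
#include <string>
#include <vector>

// The document's global; freed by location.reload().
struct ScriptGlobalObject {
  std::vector<std::string> events;  // change events dispatched so far
};

struct HTMLInputElement {
  // Weak on purpose: the element can outlive its document's global when
  // something else (here, the file picker) holds a strong reference to it.
  std::weak_ptr<ScriptGlobalObject> mOwnerGlobal;
  std::shared_ptr<ScriptGlobalObject> GetOwnerGlobal() const {
    return mOwnerGlobal.lock();
  }
};

// Stand-in for DispatchChangeEventCallback: fires after the picker closes.
struct DispatchChangeEventCallback {
  std::shared_ptr<HTMLInputElement> mInput;  // strong, like the RefPtr
  void Callback() {
    // The unguarded path dereferenced an already freed global here.
    mInput->GetOwnerGlobal()->events.push_back("change");
  }
};

// Picker completion with the proposed guard: do not create the callback when
// the element no longer has an owner global. Returns whether a change event
// was dispatched.
bool OnFilePickerDone(const std::shared_ptr<HTMLInputElement>& input) {
  if (!input->GetOwnerGlobal()) {
    return false;  // page reloaded while the picker was open
  }
  DispatchChangeEventCallback cb{input};
  cb.Callback();
  return true;
}

// Drives the scenario from the comment; reloadBeforePick=true models
// location.reload() running while the picker is still open.
bool RunScenario(bool reloadBeforePick) {
  auto global = std::make_shared<ScriptGlobalObject>();
  auto input = std::make_shared<HTMLInputElement>();
  input->mOwnerGlobal = global;
  std::shared_ptr<HTMLInputElement> pickerRef = input;  // picker's RefPtr
  if (reloadBeforePick) {
    global.reset();  // global freed; input stays alive via pickerRef
  }
  return OnFilePickerDone(pickerRef);
}
```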
