Bug 12704

Summary: REGRESSION: Assert and crash after dragging image into window with onunload handlers
Product: WebKit Reporter: Tom Brown <tom>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: mitz
Priority: P1 Keywords: HasReduction, InRadar, Regression
Version: 420+   
Hardware: All   
OS: OS X 10.4   
Attachments:
Description Flags
A backtrace of the crash
none
Test case reduction none

Description Tom Brown 2007-02-08 15:29:56 PST 
This crash is partially reproducible and *feels* like a race condition. Sometimes the test-case reduction crashes the browser, but other times it doesn't. The test-case reduction does the following:

1) Main window script opens new window.
2) Drag image from new window into main window.
3) Main window document onUnload event fires as image is loaded.
4) Main window onUnload handler closes new window.
5) Main window and new window send notification of closure to server.
6) The dragged image appears briefly as the document in the main window.
7) *Crash*
Comment 1 Tom Brown 2007-02-08 15:31:03 PST 
Created attachment 13069 [details]
A backtrace of the crash
Comment 2 Tom Brown 2007-02-08 15:32:46 PST 
Created attachment 13070 [details]
Test case reduction

1) Open "main.html" in the browser.
2) Click the button.
3) Drag the image from the new window to the main window.
4) *Crash*
Comment 3 Matt Lilek 2007-02-08 16:31:42 PST 
r19510 debug build gives me the following assert: 

ASSERTION FAILED: page
(/Users/matt/Code/WebKit/WebKit/WebView/WebHTMLView.mm:2951 -[WebHTMLView draggedImage:endedAt:operation:])
Comment 4 Maciej Stachowiak 2007-02-10 19:14:17 PST 
<rdar://problem/4990047>
Comment 5 mitz 2007-02-14 13:34:47 PST 
Fixed in <http://trac.webkit.org/projects/webkit/changeset/19614>.