19757 2008-06-24 15:51:05 -0700 Crash when an ondragstart handler hides the element 2008-07-20 14:33:29 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED http://www.eyesee360.com/mjr/wkdragcrash.html P1 Critical --- 1 mjr oliver oldest_to_newest 84319 0 mjr 2008-06-24 15:51:05 -0700 Using the ondragstart event handler, a crash can be invoked by simply setting this.style.display = 'none'. The referenced page shows a simple example. Drag the indicated box to cause WebKit to crash. This has been verified to work on shipping Safari 3.1 on Leopard and the latest nightly build (r34753). 84320 1 21917 mjr 2008-06-24 15:51:43 -0700 Created attachment 21917 Sample HTML file that will invoke the crash on a drag event. 84367 2 ap 2008-06-25 02:44:02 -0700 On a debug build, I'm seeing an assertion failure: ASSERTION FAILED: Uncaught exception - Can't cache image 0 (/Users/ap/Safari/OpenSource/WebCore/platform/mac/BlockExceptions.mm:36 void ReportBlockedObjCException(NSException*)) 86443 3 22385 oliver 2008-07-20 00:51:00 -0700 Created attachment 22385 Null check the renderer 86503 4 22385 mitz 2008-07-20 14:24:00 -0700 Comment on attachment 22385 Null check the renderer r=me 86507 5 oliver 2008-07-20 14:33:29 -0700 Committing to http://svn.webkit.org/repository/webkit/trunk ... M WebCore/ChangeLog M WebCore/page/EventHandler.cpp Committed r35256 21917 2008-06-24 15:51:43 -0700 2008-06-24 15:51:43 -0700 Sample HTML file that will invoke the crash on a drag event. wkdragcrash.html text/html 452 mjr PGh0bWw+CjxoZWFkPgogICAgPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC10eXBlIiBjb250ZW50 PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPgogICAgPHRpdGxlPlRodW1iIFRlc3Q8L3RpdGxl PgogICAgPHN0eWxlIHR5cGU9InRleHQvY3NzIiBtZWRpYT0ic2NyZWVuIj4KCiNkcmFnZ2VyIHsK ICAgIHdpZHRoOiAyMDBweDsKICAgIGhlaWdodDogMTAwcHg7CiAgICBiYWNrZ3JvdW5kLWNvbG9y OiB0ZWFsOwogICAgLWtodG1sLXVzZXItZHJhZzogZWxlbWVudDsKfQoKICAgIDwvc3R5bGU+Cjwv aGVhZD4KPGJvZHk+CiAgICA8aDE+V2ViS2l0IERyYWcgQ3Jhc2ggVGVzdDwvaDE+CiAgICA8ZGl2 IGlkPSJkcmFnZ2VyIiBvbmRyYWdzdGFydD0idGhpcy5zdHlsZS5kaXNwbGF5ID0gJ25vbmUnOyI+ CiAgICAgICAgRHJhZyBNZSB0byBDcmFzaCEKICAgIDwvZGl2Pgo8L2JvZHk+CjwvaHRtbD4= 22385 2008-07-20 00:51:00 -0700 2008-07-20 14:24:00 -0700 Null check the renderer drag-crash-fix.patch text/plain 2397 oliver ZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXgg YWFkNzU4NC4uMjY0MWExMyAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2Vi Q29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNyBAQAorMjAwOC0wNy0yMCAgT2xpdmVyIEh1bnQg IDxvbGl2ZXJAYXBwbGUuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEp LgorCisgICAgICAgIEJ1ZyAxOTc1NzogQ3Jhc2ggd2hlbiBhbiBvbmRyYWdzdGFydCBoYW5kbGVy IGhpZGVzIHRoZSBlbGVtZW50CisgICAgICAgIDxodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93 X2J1Zy5jZ2k/aWQ9MTk3NTc+CisKKyAgICAgICAgVGhlIHNvbHV0aW9uIHRvIHRoaXMgaXMgcHJv YmxlbSBpcyBqdXN0IHRvIG51bGwgY2hlY2sgdGhlIHJlbmRlcmVyCisgICAgICAgIGltbWVkaWF0 ZWx5IGJlZm9yZSBsYXVuY2hpbmcgdGhlIHN5c3RlbSBkcmFnLCBhbmQgdGVybWluYXRlIHRoZQor ICAgICAgICBkcmFnIGlmIHRoZSByZW5kZXJlciBpcyBnb25lLgorCisgICAgICAgICogcGFnZS9F dmVudEhhbmRsZXIuY3BwOgorICAgICAgICAoV2ViQ29yZTo6RXZlbnRIYW5kbGVyOjpoYW5kbGVE cmFnKToKKwogMjAwOC0wNy0xOSAgT2xpdmVyIEh1bnQgIDxvbGl2ZXJAYXBwbGUuY29tPgogCiAg ICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoQnVpbGQgZml4KS4KZGlmZiAtLWdpdCBhL1dlYkNv cmUvcGFnZS9FdmVudEhhbmRsZXIuY3BwIGIvV2ViQ29yZS9wYWdlL0V2ZW50SGFuZGxlci5jcHAK aW5kZXggNDU5ZmRhNi4uNWU4YzRhNiAxMDA2NDQKLS0tIGEvV2ViQ29yZS9wYWdlL0V2ZW50SGFu ZGxlci5jcHAKKysrIGIvV2ViQ29yZS9wYWdlL0V2ZW50SGFuZGxlci5jcHAKQEAgLTE4NjAsOSAr MTg2MCwxNiBAQCBib29sIEV2ZW50SGFuZGxlcjo6aGFuZGxlRHJhZyhjb25zdCBNb3VzZUV2ZW50 V2l0aEhpdFRlc3RSZXN1bHRzJiBldmVudCkKICAgICAgICAgLy8gaW1hZ2UgYW5kIG9mZnNldAog ICAgICAgICBpZiAoZHJhZ1N0YXRlKCkubV9kcmFnU3JjSXNESFRNTCkgewogICAgICAgICAgICAg aW50IHNyY1gsIHNyY1k7Ci0gICAgICAgICAgICBkcmFnU3RhdGUoKS5tX2RyYWdTcmMtPnJlbmRl cmVyKCktPmFic29sdXRlUG9zaXRpb24oc3JjWCwgc3JjWSk7Ci0gICAgICAgICAgICBJbnRTaXpl IGRlbHRhID0gbV9tb3VzZURvd25Qb3MgLSBJbnRQb2ludChzcmNYLCBzcmNZKTsKLSAgICAgICAg ICAgIGRyYWdTdGF0ZSgpLm1fZHJhZ0NsaXBib2FyZC0+c2V0RHJhZ0ltYWdlRWxlbWVudChkcmFn U3RhdGUoKS5tX2RyYWdTcmMuZ2V0KCksIEludFBvaW50KCkgKyBkZWx0YSk7CisgICAgICAgICAg ICBpZiAoUmVuZGVyT2JqZWN0KiByZW5kZXJlciA9IGRyYWdTdGF0ZSgpLm1fZHJhZ1NyYy0+cmVu ZGVyZXIoKSkgeworICAgICAgICAgICAgICAgIHJlbmRlcmVyLT5hYnNvbHV0ZVBvc2l0aW9uKHNy Y1gsIHNyY1kpOworICAgICAgICAgICAgICAgIEludFNpemUgZGVsdGEgPSBtX21vdXNlRG93blBv cyAtIEludFBvaW50KHNyY1gsIHNyY1kpOworICAgICAgICAgICAgICAgIGRyYWdTdGF0ZSgpLm1f ZHJhZ0NsaXBib2FyZC0+c2V0RHJhZ0ltYWdlRWxlbWVudChkcmFnU3RhdGUoKS5tX2RyYWdTcmMu Z2V0KCksIEludFBvaW50KCkgKyBkZWx0YSk7CisgICAgICAgICAgICB9IGVsc2UgeworICAgICAg ICAgICAgICAgIC8vIFRoZSByZW5kZXJlciBoYXMgZGlzYXBwZWFyZWQsIHRoaXMgY2FuIGhhcHBl biBpZiB0aGUgb25TdGFydERyYWcgaGFuZGxlciBoYXMgaGlkZGVuCisgICAgICAgICAgICAgICAg Ly8gdGhlIGVsZW1lbnQgaW4gc29tZSB3YXkuICBJbiB0aGlzIGNhc2Ugd2UganVzdCBraWxsIHRo ZSBkcmFnLgorICAgICAgICAgICAgICAgIG1fbW91c2VEb3duTWF5U3RhcnREcmFnID0gZmFsc2U7 CisgICAgICAgICAgICAgICAgZ290byBjbGVhbnVwRHJhZzsKKyAgICAgICAgICAgIH0KICAgICAg ICAgfSAKICAgICAgICAgCiAgICAgICAgIG1fbW91c2VEb3duTWF5U3RhcnREcmFnID0gZGlzcGF0 Y2hEcmFnU3JjRXZlbnQoZHJhZ3N0YXJ0RXZlbnQsIG1fbW91c2VEb3duKQpAQCAtMTg5Miw3ICsx ODk5LDggQEAgYm9vbCBFdmVudEhhbmRsZXI6OmhhbmRsZURyYWcoY29uc3QgTW91c2VFdmVudFdp dGhIaXRUZXN0UmVzdWx0cyYgZXZlbnQpCiAgICAgICAgICAgICBtX21vdXNlRG93bk1heVN0YXJ0 RHJhZyA9IGZhbHNlOwogICAgICAgICB9CiAgICAgfSAKLSAgICAKKworY2xlYW51cERyYWc6CiAg ICAgaWYgKCFtX21vdXNlRG93bk1heVN0YXJ0RHJhZykgewogICAgICAgICAvLyBzb21ldGhpbmcg ZmFpbGVkIHRvIHN0YXJ0IHRoZSBkcmFnLCBjbGVhbnVwCiAgICAgICAgIGZyZWVDbGlwYm9hcmQo KTsK