Bug 19757

Summary: Crash when an ondragstart handler hides the element
Product: WebKit
Reporter: Michael Rondinelli <mjr>
Component: WebCore Misc.
Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED
Severity: Critical
Priority: P1
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
URL: http://www.eyesee360.com/mjr/wkdragcrash.html

Michael Rondinelli
Reported 2008-06-24 15:51:05 PDT
Using the ondragstart event handler, a crash can be invoked by simply setting this.style.display = 'none'. The referenced page shows a simple example. Drag the indicated box to cause WebKit to crash. This has been verified to work on shipping Safari 3.1 on Leopard and the latest nightly build (r34753).
Attachments
Sample HTML file that will invoke the crash on a drag event. (452 bytes, text/html), 2008-06-24 15:51 PDT, Michael Rondinelli, no flags
Null check the renderer (2.34 KB, patch), 2008-07-20 00:51 PDT, Oliver Hunt, mitz: review+
Michael Rondinelli
Comment 1 2008-06-24 15:51:43 PDT
Created attachment 21917 [details] Sample HTML file that will invoke the crash on a drag event.
Alexey Proskuryakov
Comment 2 2008-06-25 02:44:02 PDT
On a debug build, I'm seeing an assertion failure: ASSERTION FAILED: Uncaught exception - Can't cache image 0 (/Users/ap/Safari/OpenSource/WebCore/platform/mac/BlockExceptions.mm:36 void ReportBlockedObjCException(NSException*))
Oliver Hunt
Comment 3 2008-07-20 00:51:00 PDT
Created attachment 22385 [details] Null check the renderer
mitz
Comment 4 2008-07-20 14:24:00 PDT
Comment on attachment 22385 [details] Null check the renderer r=me
Oliver Hunt
Comment 5 2008-07-20 14:33:29 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M WebCore/ChangeLog
M WebCore/page/EventHandler.cpp
Committed r35256
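The bug class behind this report and its "Null check the renderer" fix, as an added C++ model that is not WebCore's code: script run from an event handler (here, ondragstart setting display:none) can destroy the element's renderer while native code still assumes one exists, so the renderer must be fetched after dispatch and null-checked before use. The Element, RenderBox and dispatch helpers below are constructed stand-ins, not WebKit's classes.

```cpp
#include <functional>
#include <memory>

// Constructed model (not WebCore code) of bug 19757: a JS ondragstart handler
// sets display:none on the dragged element, which destroys its renderer while
// the native drag code still expects one.
struct RenderBox {
    int width;
    int height;
};

struct Element {
    std::unique_ptr<RenderBox> renderer;          // null once the element is display:none
    std::function<void(Element&)> ondragstart;     // script handler; may mutate the DOM

    // Hiding the element tears down its render tree object.
    void hide() { renderer.reset(); }
    RenderBox* rendererPtr() const { return renderer.get(); }
};

// Dispatch the dragstart event to script. Anything can happen in here.
static void dispatchDragStart(Element& e) {
    if (e.ondragstart)
        e.ondragstart(e);
}

// Pre-fix shape of the logic: a renderer is assumed to exist after the event.
// Returns true when the dereference that would follow hits a null renderer,
// i.e. the condition the original crash hit (the deref itself is not performed).
bool dragWouldCrashWithoutCheck(Element& e) {
    dispatchDragStart(e);
    return e.rendererPtr() == nullptr;
}

// Fixed shape: fetch the renderer only after dispatch and abort the drag if it
// is gone, instead of dereferencing it.
bool startDragWithNullCheck(Element& e, int& dragImageWidth) {
    dispatchDragStart(e);
    RenderBox* r = e.rendererPtr();
    if (!r)
        return false;                            // hidden by the handler: no drag image
    dragImageWidth = r->width;
    return true;
}

// Builds the report's test case: a box whose handler hides it on dragstart.
Element makeSelfHidingBox() {
    Element e;
    e.renderer.reset(new RenderBox{100, 50});
    e.ondragstart = [](Element& self) { self.hide(); };
    return e;
}
```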