Bug 19757

Summary: Crash when an ondragstart handler hides the element
Product: WebKit
Reporter: Michael Rondinelli <mjr>
Component: WebCore Misc.
Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED
Severity: Critical
Priority: P1
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
URL: http://www.eyesee360.com/mjr/wkdragcrash.html
Attachments:
	Sample HTML file that will invoke the crash on a drag event. (flags: none)
	Null check the renderer (flags: mitz: review+)

Description Michael Rondinelli 2008-06-24 15:51:05 PDT
Using the ondragstart event handler, a crash can be invoked by simply setting this.style.display = 'none'. 

The referenced page shows a simple example. Drag the indicated box to cause WebKit to crash. This has been verified to work on shipping Safari 3.1 on Leopard and the latest nightly build (r34753).
Comment 1 Michael Rondinelli 2008-06-24 15:51:43 PDT
Created attachment 21917 [details]
Sample HTML file that will invoke the crash on a drag event.
Comment 2 Alexey Proskuryakov 2008-06-25 02:44:02 PDT
On a debug build, I'm seeing an assertion failure:

ASSERTION FAILED: Uncaught exception - Can't cache image
0
(/Users/ap/Safari/OpenSource/WebCore/platform/mac/BlockExceptions.mm:36 void ReportBlockedObjCException(NSException*))

Comment 3 Oliver Hunt 2008-07-20 00:51:00 PDT
Created attachment 22385 [details]
Null check the renderer
Comment 4 mitz 2008-07-20 14:24:00 PDT
Comment on attachment 22385 [details]
Null check the renderer

r=me
Comment 5 Oliver Hunt 2008-07-20 14:33:29 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ...
	M	WebCore/ChangeLog
	M	WebCore/page/EventHandler.cpp
Committed r35256
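The bug class behind this report and its fix ("null check the renderer") generalises beyond drag events: dispatching a DOM event runs arbitrary page script, and that script can detach the element from the render tree (here via display: 'none') before the C++ caller gets back control. The model below is an added example written for this page; it is not WebKit's EventHandler code, and the names Element, Renderer, startDrag and cachedRendererStillValid are assumptions of the example. It shows the unsafe shape (caching the renderer pointer across dispatch) next to the safe shape (re-fetch after dispatch and abort on null).

```cpp
// Added example, not WebKit's code: models a renderer that page script can
// destroy during event dispatch, and the "re-fetch and null check" fix.
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Constructed stand-in for a render-tree object; only carries a width here.
struct Renderer {
    std::string elementId;
    int width = 100;  // constructed drag-image width
};

// Constructed stand-in for a DOM element with an optional renderer and an
// ondragstart handler (assumed names, not WebKit's).
struct Element {
    std::string id;
    std::unique_ptr<Renderer> renderer;
    std::function<void(Element&)> onDragStart;

    explicit Element(std::string id_) : id(std::move(id_)) {
        renderer = std::make_unique<Renderer>(Renderer{id});
    }

    // style.display = 'none' removes the element from the render tree,
    // so its renderer is destroyed.
    void setDisplayNone() { renderer.reset(); }

    // Dispatching the event runs page script, which may mutate style or DOM.
    void dispatchDragStart() {
        if (onDragStart)
            onDragStart(*this);
    }
};

// Unsafe shape: caches the renderer pointer before dispatch. Instead of
// dereferencing the (possibly dangling) pointer, this returns whether the
// cached pointer still names the live renderer after script ran.
bool cachedRendererStillValid(Element& target) {
    Renderer* cached = target.renderer.get();  // captured before script runs
    target.dispatchDragStart();                // handler may hide the element
    return cached != nullptr && cached == target.renderer.get();
}

// Safe shape: re-read the renderer after dispatch and bail out if it is gone.
// Returns the drag-image width, or -1 when the drag must be aborted.
int startDrag(Element& target) {
    target.dispatchDragStart();
    Renderer* renderer = target.renderer.get();  // re-fetch after script ran
    if (!renderer)
        return -1;  // element hidden by its own handler: abort instead of crashing
    return renderer->width;
}
```

An element whose handler calls setDisplayNone makes cachedRendererStillValid return false and startDrag return -1, while an element with no handler drags normally; the general rule is that any pointer into the render tree obtained before script runs must be treated as invalid afterwards.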