Bug 83276

Summary: WebKit2 crashes when calling event.dataTransfer.setDragImage with a 0x0 HTML element
Product: WebKit
Reporter: Matthew Caruana Galizia <matt.cg>
Component: WebKit2
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: andersca, apstukalin, ap, dtrebbien, thorton, wenson_hsieh
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: All

Matthew Caruana Galizia
Reported 2012-04-05 07:15:28 PDT
Created attachment 135818 [details]
Crash log

Steps to reproduce:
1) In the dragstart callback for a draggable element, call event.dataTransfer.setDragImage(document.createElement('div'), 0, 0).

What should happen:
In browsers that support passing an HTML element to setDragImage, the element should be painted below the cursor while dragging. WebKit does not seem to support this behaviour, so I would expect the default drag image to be used instead.

What happens instead:
The page reloads immediately and a crash log is saved to ~/Library/Logs/DiagnosticReports on Mac OS.

The Drag and Drop section of the HTML5 spec says[1]:

If the element argument is an img element, then set the drag data store bitmap to the element's image (at its intrinsic size); otherwise, set the drag data store bitmap to an image generated from the given element (the exact mechanism for doing so is not currently specified).

[1] http://www.w3.org/TR/2011/WD-html5-20110405/dnd.html#dom-datatransfer-setdragimage
Attachments
Crash log (33.92 KB, text/plain)
2012-04-05 07:15 PDT, Matthew Caruana Galizia
no flags
test case (161 bytes, text/html)
2012-04-05 11:06 PDT, Alexey Proskuryakov
no flags
Alexey Proskuryakov
Comment 1 2012-04-05 11:06:16 PDT
Asserts in debug builds:

    PassRefPtr<SharedMemory> SharedMemory::create(size_t size)
    {
        ASSERT(size);

Not immediately sure which level is right for a null check.
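A page-side guard for the condition described in the report and in comment 1 (an element with no rendered box reaching setDragImage, which ends in SharedMemory::create(0)). This is an added example, not the attached test case or WebKit code; hasRenderedSize and applyDragImage are hypothetical helper names, and the DOM objects are constructed stand-ins so it runs outside a browser.

```javascript
// Returns true only if the element has a non-empty rendered box.
// A freshly created, unattached element (the report's
// document.createElement('div')) reports 0x0 here.
function hasRenderedSize(el) {
  const rect = typeof el.getBoundingClientRect === 'function'
    ? el.getBoundingClientRect()
    : { width: el.offsetWidth, height: el.offsetHeight };
  return rect.width > 0 && rect.height > 0;
}

// Call from a dragstart handler instead of calling setDragImage directly:
// a custom drag image is set only when the element has a real size;
// otherwise the browser's default drag image is left in place.
// Returns 'custom' or 'default' so the decision can be checked.
function applyDragImage(event, el, x = 0, y = 0) {
  const dt = event.dataTransfer;
  if (!dt || typeof dt.setDragImage !== 'function') return 'default';
  if (!hasRenderedSize(el)) return 'default';
  dt.setDragImage(el, x, y);
  return 'custom';
}

// Constructed stand-in for a DragEvent: records setDragImage calls.
function fakeDragEvent() {
  const calls = [];
  return {
    dataTransfer: { setDragImage: (el, x, y) => calls.push([el, x, y]) },
    calls,
  };
}

// In a browser the handler would be wired up as:
//   draggable.addEventListener('dragstart',
//     (e) => applyDragImage(e, document.createElement('div'), 0, 0));
// which now falls back to the default image instead of handing a 0x0
// element to the engine.
```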
Alexey Proskuryakov
Comment 2 2012-04-05 11:06:39 PDT
Created attachment 135859 [details] test case
Alexey Proskuryakov
Comment 3 2012-04-05 11:09:40 PDT
Daniel Trebbien
Comment 4 2013-07-23 16:46:03 PDT
I can reproduce the problem using Alexey's test case in Safari 6.0.5, but not in the latest nightly, r153061 built on 23 July 2013.
Alexey Proskuryakov
Comment 5 2013-07-23 16:55:58 PDT
Looks like dragging may not work at all on the test case any more, masking the crash. I'm not sure if the crash has been addressed.
Daniel Trebbien
Comment 6 2013-07-23 17:00:56 PDT
Wenson Hsieh
Comment 8 2019-10-16 09:55:24 PDT
Does not reproduce for me on macOS Catalina. Maybe a dupe of https://bugs.webkit.org/show_bug.cgi?id=191817?