Using the ondragstart event handler, a crash can be invoked by simply setting this.style.display = 'none'. The referenced page shows a simple example. Drag the indicated box to cause WebKit to crash. This has been verified to work on shipping Safari 3.1 on Leopard and the latest nightly build (r34753).
Created attachment 21917: Sample HTML file that will invoke the crash on a drag event.
On a debug build, I'm seeing an assertion failure: ASSERTION FAILED: Uncaught exception - Can't cache image 0 (/Users/ap/Safari/OpenSource/WebCore/platform/mac/BlockExceptions.mm:36 void ReportBlockedObjCException(NSException*))
Created attachment 22385: Null check the renderer
Comment on attachment 22385 (Null check the renderer): r=me
Committing to http://svn.webkit.org/repository/webkit/trunk ...
	M	WebCore/ChangeLog
	M	WebCore/page/EventHandler.cpp
Committed r35256
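
The pattern behind the "Null check the renderer" fix in this thread, as an added example that is not WebKit's code or the attached patch: a simplified C++ model in which a dragstart handler hides the element and the drag code re-checks the renderer after the handler returns. All names (Element, Renderer, startDrag) are hypothetical, and the assumption that the handler's style change destroys the renderer before the drag code uses it is inferred from the report and the patch title.

```cpp
// Simplified model, not WebKit source: every type and function name is hypothetical.
#include <functional>
#include <memory>

struct Rect { int x, y, w, h; };

struct Renderer { Rect bounds; };

struct Element {
    std::unique_ptr<Renderer> renderer;          // null while display is 'none'
    std::function<void(Element&)> ondragstart;   // script-supplied handler

    void setDisplayNone() { renderer.reset(); }  // style change tears down the renderer
};

// Runs the script handler, then reads the rectangle used for the drag image.
// Returns false (leaving `out` untouched) when the drag has to be cancelled.
bool startDrag(Element& source, Rect& out) {
    if (!source.renderer)
        return false;                            // nothing rendered, nothing to drag

    if (source.ondragstart)
        source.ondragstart(source);              // arbitrary script runs here

    // Re-read the renderer after the handler returns. A pointer fetched before
    // dispatch could dangle, and skipping this check dereferences null.
    Renderer* r = source.renderer.get();
    if (!r)
        return false;                            // handler hid the element: cancel

    out = r->bounds;
    return true;
}

// Constructed scenarios: one handler hides the element, one element has no handler.
bool demo() {
    Element hidden{std::make_unique<Renderer>(Renderer{{0, 0, 100, 50}}),
                   [](Element& e) { e.setDisplayNone(); }};
    Element normal{std::make_unique<Renderer>(Renderer{{10, 20, 100, 50}}), nullptr};
    Rect out{0, 0, 0, 0};
    bool cancelled = !startDrag(hidden, out) && out.w == 0;
    bool dragged = startDrag(normal, out) && out.w == 100;
    return cancelled && dragged;
}

int main() { return demo() ? 0 : 1; }
```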