I haven't been able to pin down 100% reproducible, step by step instructions for reproducing this, but you can trigger it fairly easily within a couple minutes if you play around a bit. First, set a personal style sheet and navigate to <http://www.alternet.org/> (my sheet consisted of one rule: div { background: purple; }). Inspect a few elements and, thanks to bug 17602, scroll on down to the "inline" personal sheet you set and start editing the CSS. You may need to jump around to a few different elements before you can get it to crash, and I always had to edit the property twice before it crashed (crashing while applying the 2nd edit).

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000065746175
Crashed Thread: 0

Thread 0 Crashed:
0 com.apple.WebCore 0x01b6ead5 WebCore::StyleBase::parent() const + 9 (StyleBase.h:45)
1 com.apple.WebCore 0x01b6fd92 WebCore::CSSMutableStyleDeclaration::setChanged(WebCore::StyleChangeType) + 146 (CSSMutableStyleDeclaration.cpp:469)
2 com.apple.WebCore 0x01b71cc9 WebCore::CSSMutableStyleDeclaration::removeProperty(int, bool, bool, int&) + 445 (CSSMutableStyleDeclaration.cpp:441)
3 com.apple.WebCore 0x01b72435 WebCore::CSSMutableStyleDeclaration::removeProperty(int, int&) + 57 (CSSMutableStyleDeclaration.cpp:512)
4 com.apple.WebCore 0x01b9044a WebCore::CSSStyleDeclaration::removeProperty(WebCore::String const&, int&) + 80 (CSSStyleDeclaration.cpp:114)
5 com.apple.WebCore 0x01db6a6c WebCore::jsCSSStyleDeclarationPrototypeFunctionRemoveProperty(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 202 (JSCSSStyleDeclaration.cpp:273)
Cannot be replicated on WebKit 534.9. Maybe fixed in an earlier build?
The steps to reproduce cannot be followed, as bug 17602 has been fixed. There have been many fixes in CSSOM since 2008, and chances are that the underlying issue is also fixed.