The MediaControlTimelineElement constructor calls setAttribute(precisionAttr, "float"). When used in a page that registers for mutation events, this causes a synchronous event to be fired immediately. The event destructor derefs the event target, the MediaControlTimelineElement, which means the element gets destroyed before the constructor returns. Badness ensues. Stack trace attached
Created attachment 30030 [details] crash log
Firing a mutation event for something in the shadow tree seems wrong.
rdar://6862908
(In reply to comment #2) > Firing a mutation event for something in the shadow tree seems wrong. There are three separate ways to fix this I can think of: 1) Fix it so mutation events don't fire for elements in shadow trees. This is a problem regardless. If JavaScript code in the main page can get a pointer to a node in the shadow tree, we've got trouble. 2) Setting the initial value of the precision attribute needn't be done inside the constructor and probably shouldn't. It can just be done by RenderMedia::createTimeline instead. Generally we should do as little as possible in derived classes and just use HTML classes in any case we can. Moving the setAttribute call is probably the quickest fix to the problem. 3) To set initial attributes in a way more like the way the parser does, you could create a NamedNodeMap and call setAttributeMap instead. I am pretty sure this code path won't fire any DOM mutation events.
(In reply to comment #2) > Firing a mutation event for something in the shadow tree seems wrong. It turns out that firing the mutation event isn't necessary to cause the bug. The bug happens because the object gets ref/deref'd during its constructor and event dispatch is not the only code that does this.
Created attachment 30124 [details] patch
Created attachment 30125 [details] patch
http://trac.webkit.org/changeset/43381