Bug 45713 - Regression: crash in nightlies and Chrome 7.0.517 on object.removeAttribute("type")
Summary: Regression: crash in nightlies and Chrome 7.0.517 on object.removeAttribute("...
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC All
: P2 Normal
Assignee: Nobody
URL: http://aryeh.name/tests/reflection.html
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-13 15:31 PDT by Aryeh Gregor
Modified: 2011-02-24 23:09 PST (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Aryeh Gregor 2010-09-13 15:31:34 PDT 
http://aryeh.name/tests/reflection.html

Visit the page, and after a few seconds you get a sad tab in Chrome/crash in Safari.  This didn't happen before my last Chrome update (to 7.0.517), and happens for Chrome on both Windows and Linux.  It also happens in the r66933 and r67357 nightly builds for Windows, at least.  I don't think I can test in earlier nightly builds because of bug 44968.  It doesn't happen in Safari 5.

I might change the tests before you see this, so you can get a frozen version of the test page from git if the version at the URL right now isn't showing the problem:

http://aryeh.name/gitweb.cgi?p=tests;a=blob;f=reflection.html;hb=d18713d86

If I can provide any additional info, please advise.
Comment 1 Aryeh Gregor 2010-09-17 10:15:42 PDT 
Minimal test case:

data:text/html,<!doctype html>
<script>
var el = document.createElement("object");
el.type = "";
el.removeAttribute("type");
</script>

This causes a sad tab for me in Chrome dev, and a crash in the latest WebKit nightly (r67637).
Comment 2 Tab Atkins 2011-02-24 09:38:15 PST 
No longer appears to cause a sad tab or crash for me.  Aryeh, wanna double-check and invalidate this if necessary?
Comment 3 Aryeh Gregor 2011-02-24 16:48:23 PST 
Nope, can't reproduce anymore.