RESOLVED WORKSFORME 45713
Regression: crash in nightlies and Chrome 7.0.517 on object.removeAttribute("type") 
https://bugs.webkit.org/show_bug.cgi?id=45713
Summary Regression: crash in nightlies and Chrome 7.0.517 on object.removeAttribute("...
Aryeh Gregor
Reported 2010-09-13 15:31:34 PDT
http://aryeh.name/tests/reflection.html Visit the page, and after a few seconds you get a sad tab in Chrome/crash in Safari. This didn't happen before my last Chrome update (to 7.0.517), and happens for Chrome on both Windows and Linux. It also happens in the r66933 and r67357 nightly builds for Windows, at least. I don't think I can test in earlier nightly builds because of bug 44968. It doesn't happen in Safari 5. I might change the tests before you see this, so you can get a frozen version of the test page from git if the version at the URL right now isn't showing the problem: http://aryeh.name/gitweb.cgi?p=tests;a=blob;f=reflection.html;hb=d18713d86 If I can provide any additional info, please advise.
Attachments
Add attachment proposed patch, testcase, etc.
Aryeh Gregor
Comment 1 2010-09-17 10:15:42 PDT
Minimal test case: data:text/html,<!doctype html> <script> var el = document.createElement("object"); el.type = ""; el.removeAttribute("type"); </script> This causes a sad tab for me in Chrome dev, and a crash in the latest WebKit nightly (r67637).
Tab Atkins
Comment 2 2011-02-24 09:38:15 PST
No longer appears to cause a sad tab or crash for me. Aryeh, wanna double-check and invalidate this if necessary?
Aryeh Gregor
Comment 3 2011-02-24 16:48:23 PST
Nope, can't reproduce anymore.
Note You need to log in before you can comment on or make changes to this bug.