See HTMLInputElement::updateType(). If both of the current type and the new type return false for canChangeFromAnotherType(), an infinite recursion occurs. updateType() -> setAttribute(typeAttr, current-type) -> parseMappedAttribute() -> updateType() -> setAttribute(typeAttr, current-type) -> ... http://code.google.com/p/chromium/issues/detail?id=77751
Should be extremely easy to fix.
Kent, would you be willing to make a test case and make a patch with the failing test (and expected results from a success)? I could then focus on the fix.
(In reply to comment #2) > Kent, would you be willing to make a test case and make a patch with the failing test (and expected results from a success)? I could then focus on the fix. It's easy to fix it. So I'll post a patch :-)
Created attachment 87464 [details] Patch
Created attachment 87517 [details] Patch 2 Simplify the code
Comment on attachment 87517 [details] Patch 2 Clearing flags on attachment: 87517 Committed r82534: <http://trac.webkit.org/changeset/82534>
All reviewed patches have been landed. Closing bug.
http://trac.webkit.org/changeset/82534 might have broken GTK Linux 32-bit Debug