http://code.google.com/p/chromium/issues/detail?id=113182
Could you please post full bug details here? Making everyone click through to a 3rd party system just wastes time, and is unhelpful.
Sorry, Alexey. Chromium's fuzzer system found a repro case.

<style>
.c4[class$="c4"] {
  display: table-column-group;
  -webkit-transform: rotate3d(0, 1, 1, 45deg);
}
</style>
<script>
var nodes = Array();
function boom() {
  // Outer iframe attached directly to the document element.
  try { nodes[32] = document.createElement('iframe'); } catch(e) {}
  try { document.documentElement.appendChild(nodes[32]); } catch(e) {}
  // A <content> element placed inside the outer iframe.
  try { nodes[59] = document.createElement('content'); } catch(e) {}
  try { nodes[32].appendChild(nodes[59]); } catch(e) {}
  // Inner iframe with the .c4 style (table-column-group + 3D transform), appended under <content>.
  try { nodes[69] = document.createElement('iframe'); } catch(e) {}
  try { nodes[69].setAttribute('class', 'c4'); } catch(e) {}
  try { nodes[59].appendChild(nodes[69]); } catch(e) {}
}
window.onload = boom;
</script>
This bug is already fixed.
http://trac.webkit.org/changeset/108758