diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 38c326b32af0dd4bf40a1ed4d097b4250dd30d3d..55b9cb01c84074b9b5a02b7afe80852b12d6acd9 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2008-05-04  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        - test for https://bugs.webkit.org/show_bug.cgi?id=18879
+          <rdar://problem/5909481> Reproducible crash when removing a gradient
+
+        * fast/gradients/crash-on-remove-expected.txt: Added.
+        * fast/gradients/crash-on-remove.html: Added.
+
 2008-05-04  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Maciej Stachowiak.
diff --git a/LayoutTests/fast/gradients/crash-on-remove-expected.txt b/LayoutTests/fast/gradients/crash-on-remove-expected.txt
new file mode 100644
index 0000000000000000000000000000000000000000..c5e8fda4cb25de3a2c83b5246c0e09a87ea74860
--- /dev/null
+++ b/LayoutTests/fast/gradients/crash-on-remove-expected.txt
@@ -0,0 +1,5 @@
+Test for https://bugs.webkit.org/show_bug.cgi?id=18879 Reproducible crash when removing a gradient.
+
+The test should not crash and there should be a green square below.
+
+
diff --git a/LayoutTests/fast/gradients/crash-on-remove.html b/LayoutTests/fast/gradients/crash-on-remove.html
new file mode 100644
index 0000000000000000000000000000000000000000..839c24c6e8596dfe7adbfd97a44b55865ce63081
--- /dev/null
+++ b/LayoutTests/fast/gradients/crash-on-remove.html
@@ -0,0 +1,16 @@
+<p>
+    Test for <i><a href="https://bugs.webkit.org/show_bug.cgi?id=18879">https://bugs.webkit.org/show_bug.cgi?id=18879</a>
+    Reproducible crash when removing a gradient</i>.
+</p>
+<p>
+    The test should not crash and there should be a green square below.
+</p>
+<div id="target" style="width: 100px; height: 100px; background-color: green; background-image: -webkit-gradient(linear, left top, left bottom, from(red), to(transparent))">
+</div>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    document.body.offsetTop;
+    document.getElementById("target").style.removeProperty("background-image");
+</script>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 99f2872e1bce91d751596f1e8fe1766b62ff8cc8..7eb37d75a42f8c744cb075ed0abe96a7351cb836 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2008-05-04  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        - fix https://bugs.webkit.org/show_bug.cgi?id=18879
+          <rdar://problem/5909481> Reproducible crash when removing a gradient
+
+        Test: fast/gradients/crash-on-remove.html
+
+        * css/CSSImageGeneratorValue.cpp:
+        (WebCore::CSSImageGeneratorValue::CSSImageGeneratorValue):
+        (WebCore::CSSImageGeneratorValue::addClient): Added a call to ref() the
+        value.
+        (WebCore::CSSImageGeneratorValue::removeClient): Added code to deref()
+        the value.
+
 2008-05-03  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Mark Rowe.
diff --git a/WebCore/css/CSSImageGeneratorValue.cpp b/WebCore/css/CSSImageGeneratorValue.cpp
index ad65ebe45cf69ea84c7f512798bca90860685dab..eeeb5d30cbbf73d893bbaad667e7b78bb222c25e 100644
--- a/WebCore/css/CSSImageGeneratorValue.cpp
+++ b/WebCore/css/CSSImageGeneratorValue.cpp
@@ -37,7 +37,6 @@ namespace WebCore {
 CSSImageGeneratorValue::CSSImageGeneratorValue()
 : m_accessedImage(false)
 {
-
 }
 
 CSSImageGeneratorValue::~CSSImageGeneratorValue()
@@ -47,6 +46,7 @@ CSSImageGeneratorValue::~CSSImageGeneratorValue()
 
 void CSSImageGeneratorValue::addClient(RenderObject* renderer, const IntSize& size)
 {
+    ref();
     if (!size.isEmpty())
         m_sizes.add(size);
     m_clients.add(renderer, size);
@@ -61,6 +61,7 @@ void CSSImageGeneratorValue::removeClient(RenderObject* renderer)
             delete m_images.take(size);
     }
     m_clients.remove(renderer);
+    deref();
 }
 
 Image* CSSImageGeneratorValue::getImage(RenderObject* renderer, const IntSize& size)