Bug 28295

Created attachment 34810 [details] Testcase The attached testcase asserts. It changes the image background from using two images to one image. The assertion is: ASSERTION FAILED: m_clients.contains(client) (/Volumes/WebKit/WebKit.git/WebCore/loader/CachedResource.cpp:201 void WebCore::CachedResource::removeClient(WebCore::CachedResourceClient*)) from #0 0x0000000100da0fe4 in WebCore::CachedResource::removeClient (this=0x11adb5ca0, client=0x11adb6058) at /Volumes/WebKit/WebKit.git/WebCore/loader/CachedResource.cpp:201 #1 0x000000010158b031 in WebCore::StyleCachedImage::removeClient (this=0x118b02440, renderer=0x11adb6058) at /Volumes/WebKit/WebKit.git/WebCore/rendering/style/StyleCachedImage.cpp:84 #2 0x00000001014a691f in WebCore::RenderObject::arenaDelete (this=0x11adb6058, arena=0x118b1e660, base=0x11adb6058) at /Volumes/WebKit/WebKit.git/WebCore/rendering/RenderObject.cpp:1864 #3 0x00000001014a6bb3 in WebCore::RenderObject::destroy (this=0x11adb6058) at /Volumes/WebKit/WebKit.git/WebCore/rendering/RenderObject.cpp:1856 #4 0x0000000101457f3d in WebCore::RenderBoxModelObject::destroy (this=0x11adb6058) at /Volumes/WebKit/WebKit.git/WebCore/rendering/RenderBoxModelObject.cpp:75 #5 0x000000010144ef1e in WebCore::RenderBox::destroy (this=0x11adb6058) at /Volumes/WebKit/WebKit.git/WebCore/rendering/RenderBox.cpp:95 #6 0x000000010141de57 in WebCore::RenderBlock::destroy (this=0x11adb6058) at /Volumes/WebKit/WebKit.git/WebCore/rendering/RenderBlock.cpp:204 #7 0x00000001013b6ed7 in WebCore::Node::detach (this=0x11adad7e0) at /Volumes/WebKit/WebKit.git/WebCore/dom/Node.cpp:1165 ...