Bug 117502 - ASSERTION FAILED: m_frame->document()->securityOrigin()->isUnique() in WebCore::ScriptController::canExecuteScripts
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2013-06-11 01:50 PDT by Renata Hodovan
Modified: 2014-09-08 05:06 PDT

Description Renata Hodovan 2013-06-11 01:50:14 PDT
The following test fails on the above assertion:

<html>
<body onload="frames[0].location = 'javascript:&quot;FAIL<script>document.body.firstChild.data=location</script>&quot;'">
	<iframe viewsource="1"></iframe>
</html>


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff574cc01 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff574cc01 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1  0x00007ffff3f974e3 in WebCore::ScriptController::canExecuteScripts (this=0x8ae290, reason=WebCore::NotAboutToExecuteScript)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/ScriptControllerBase.cpp:50
#2  0x00007ffff46295e2 in WebCore::FrameLoader::dispatchDidClearWindowObjectsInAllWorlds (this=0x8adca8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:3223
#3  0x00007ffff461de14 in WebCore::FrameLoader::didBeginDocument (this=0x8adca8, dispatch=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:659
#4  0x00007ffff4615c33 in WebCore::DocumentWriter::begin (this=0x8b8b90, urlReference=..., dispatch=true, ownerDocument=0x8ba780)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:154
#5  0x00007ffff46155a1 in WebCore::DocumentWriter::replaceDocument (this=0x8b8b90, source=..., ownerDocument=0x8ba780)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:71
#6  0x00007ffff3f97a12 in WebCore::ScriptController::executeIfJavaScriptURL (this=0x8ae290, url=..., 
    shouldReplaceDocumentIfJavaScriptURL=WebCore::ReplaceDocumentIfJavaScriptURL)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/bindings/ScriptControllerBase.cpp:117
#7  0x00007ffff461c4a4 in WebCore::FrameLoader::urlSelected (this=0x8adca8, passedRequest=..., triggeringEvent=..., lockHistory=true, 
    lockBackForwardList=true, shouldSendReferrer=WebCore::MaybeSendReferrer, shouldReplaceDocumentIfJavaScriptURL=WebCore::ReplaceDocumentIfJavaScriptURL)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:307
#8  0x00007ffff461c25a in WebCore::FrameLoader::changeLocation (this=0x8adca8, securityOrigin=0x750bc0, url=..., referrer=..., lockHistory=true, 
    lockBackForwardList=true, refresh=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:289
#9  0x00007ffff4644768 in WebCore::ScheduledURLNavigation::fire (this=0x8e9ef0, frame=0x8adc20)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/NavigationScheduler.cpp:111
#10 0x00007ffff4645fc5 in WebCore::NavigationScheduler::timerFired (this=0x8ade60)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/NavigationScheduler.cpp:426
#11 0x00007ffff4646e17 in WebCore::Timer<WebCore::NavigationScheduler>::fired (this=0x8ade68)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/Timer.h:113
#12 0x00007ffff4819c6e in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x6d6ae0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ThreadTimers.cpp:129
#13 0x00007ffff4819b5b in WebCore::ThreadTimers::sharedTimerFired () at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ThreadTimers.cpp:105
#14 0x00007ffff4b0a838 in WebCore::SharedTimerQt::timerEvent (this=0x6d6b10, ev=0x7fffffffd660)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/qt/SharedTimerQt.cpp:113
#15 0x00007ffff227a66c in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#16 0x00007ffff30c0dbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#17 0x00007ffff30c4075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#18 0x00007ffff2254dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#19 0x00007ffff229b75c in QTimerInfoList::activateTimers() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#20 0x00007ffff229c094 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#21 0x00007fffee3eaf05 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3054
#22 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3630
#23 0x00007fffee3eb248 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3701
#24 0x00007fffee3eb304 in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3762
#25 0x00007ffff229c4bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#26 0x00007ffff2253d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#27 0x00007ffff2257120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#28 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#29 0x0000000000423680 in main (argc=2, argv=0x7fffffffdba8) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Comment 1 Renata Hodovan 2014-09-08 05:06:16 PDT
The issue isn't reproducible anymore.