When a frame containing a WebGL context is detached, the WebGL context receives a call to stopActiveDOMObjects, which results in the WebGLRenderingContext::stop() method being called.

This causes the underlying OpenGL context to be destroyed.

If this destruction takes place as part of the replacement of a node with new HTML, this "in-destruction" node can be asked to adjust its style as part of layout. This causes RenderLayerBacking::updateGraphicsLayerConfiguration() to attempt to use the underlying OpenGL context, causing a crash.

The simplest resolution would be the following change:

Index: html/canvas/WebGLRenderingContext.cpp
===================================================================
--- html/canvas/WebGLRenderingContext.cpp	(revision 161907)
+++ html/canvas/WebGLRenderingContext.cpp	(working copy)
@@ -4733,7 +4733,7 @@
 #if USE(ACCELERATED_COMPOSITING)
 PlatformLayer* WebGLRenderingContext::platformLayer() const
 {
-    return m_context->platformLayer();
+    return (m_context) ? m_context->platformLayer() : 0;
 }
 #endif

However, this additional null check for every "platformLayer()" access might be too expensive.