Here's a snippet from the crash report: Identifier: com.apple.WebKit.WebContent.Development ... Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef Exception Note: EXC_CORPSE_NOTIFY ... Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 JavaScriptCore 0x000000010a898564 WTFCrash + 36 (Assertions.cpp:323) 1 com.apple.WebCore 0x000000010cef5a90 WebCore::FrameTree::traverseNext(WebCore::Frame const*) const + 128 (FrameTree.cpp:348) 2 com.apple.WebCore 0x000000010ceff2d0 WebCore::FrameView::updateCanBlitOnScrollRecursively() + 160 (FrameView.cpp:1645) 3 com.apple.WebCore 0x000000010cefd7bb WebCore::FrameView::layout(bool) + 4859 (FrameView.cpp:1508) 4 com.apple.WebCore 0x000000010cafa77c WebCore::Document::updateLayout() + 332 (Document.cpp:2001) 5 com.apple.WebCore 0x000000010cafa70f WebCore::Document::updateLayout() + 223 (Document.cpp:1995) 6 com.apple.WebCore 0x000000010caffac7 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 199 (Document.cpp:2035) 7 com.apple.WebKit 0x000000010267124f WebKit::inlineVideoFrame(WebCore::HTMLVideoElement&) + 31 (WebVideoFullscreenManager.mm:59) 8 com.apple.WebKit 0x0000000102671d2e WebKit::WebVideoFullscreenManager::exitVideoFullscreenForVideoElement(WebCore::HTMLVideoElement&) + 238 (WebVideoFullscreenManager.mm:312) 9 com.apple.WebKit 0x0000000102200389 WebKit::WebChromeClient::exitVideoFullscreenForVideoElement(WebCore::HTMLVideoElement&) + 41 (WebChromeClient.cpp:885) 10 com.apple.WebCore 0x000000010d0ae0a0 WebCore::HTMLMediaElement::exitFullscreen() + 560 (HTMLMediaElement.cpp:5477) 11 com.apple.WebCore 0x000000010d0c48ca WebCore::HTMLMediaElement::stopWithoutDestroyingMediaPlayer() + 74 (HTMLMediaElement.cpp:5090) 12 com.apple.WebCore 0x000000010d0c4b36 WebCore::HTMLMediaElement::stop() + 70 (HTMLMediaElement.cpp:5132) 13 com.apple.WebCore 0x000000010e2ac45e WebCore::ScriptExecutionContext::stopActiveDOMObjects() + 286 (ScriptExecutionContext.cpp:298) 14 com.apple.WebCore 0x000000010cb02c95 WebCore::Document::stopActiveDOMObjects() + 37 (Document.cpp:2491) 15 com.apple.WebCore 0x000000010caf5f4e WebCore::Document::prepareForDestruction() + 334 (Document.cpp:2380) 16 com.apple.WebCore 0x000000010ceac929 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView>&&) + 185 (Frame.cpp:251) 17 com.apple.WebCore 0x000000010cecf28b WebCore::FrameLoader::closeAndRemoveChild(WebCore::Frame*) + 75 (FrameLoader.cpp:2443) 18 com.apple.WebCore 0x000000010cecf177 WebCore::FrameLoader::detachFromParent() + 423 (FrameLoader.cpp:2529) 19 com.apple.WebCore 0x000000010cec6f05 WebCore::FrameLoader::detachChildren() + 309 (FrameLoader.cpp:2435) 20 com.apple.WebCore 0x000000010cec055b WebCore::FrameLoader::setDocumentLoader(WebCore::DocumentLoader*) + 251 (FrameLoader.cpp:1694) 21 com.apple.WebCore 0x000000010cecc98d WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) + 509 (FrameLoader.cpp:1923) 22 com.apple.WebCore 0x000000010cecbc15 WebCore::FrameLoader::commitProvisionalLoad() + 2437 (FrameLoader.cpp:1799) 23 com.apple.WebCore 0x000000010cb6fb3c WebCore::DocumentLoader::commitIfReady() + 60 (DocumentLoader.cpp:361) 24 com.apple.WebCore 0x000000010cb734bc WebCore::DocumentLoader::commitLoad(char const*, int) + 76 (DocumentLoader.cpp:836) 25 com.apple.WebCore 0x000000010cb73da9 WebCore::DocumentLoader::dataReceived(WebCore::CachedResource*, char const*, int) + 585 (DocumentLoader.cpp:956) 26 com.apple.WebCore 0x000000010c699e58 WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) + 152 (CachedRawResource.cpp:118) 27 com.apple.WebCore 0x000000010c699ce2 WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&) + 194 (CachedRawResource.cpp:70) 28 com.apple.WebCore 0x000000010e51e0c7 WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer>&&, long long, WebCore::DataPayloadType) + 471 (SubresourceLoader.cpp:337) 29 com.apple.WebCore 0x000000010e51ded2 WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) + 98 (SubresourceLoader.cpp:313) 30 com.apple.WebKit 0x00000001025e36b4 WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) + 612 (WebResourceLoader.cpp:144) 31 com.apple.WebKit 0x00000001025e7f4c void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 188 (HandleMessage.h:17) 32 com.apple.WebKit 0x00000001025e7d28 void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<IPC::DataReference, long long>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) + 88 (HandleMessage.h:23) 33 com.apple.WebKit 0x00000001025e7343 void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) + 291 (HandleMessage.h:93) 34 com.apple.WebKit 0x00000001025e6b86 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 502 (WebResourceLoaderMessageReceiver.cpp:59) 35 com.apple.WebKit 0x000000010200e08d WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) + 157 (NetworkProcessConnection.cpp:60) 36 com.apple.WebKit 0x0000000101e20b03 IPC::Connection::dispatchMessage(IPC::MessageDecoder&) + 51 (Connection.cpp:897) 37 com.apple.WebKit 0x0000000101e165a6 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 710 (Connection.cpp:929) 38 com.apple.WebKit 0x0000000101e210f0 IPC::Connection::dispatchOneMessage() + 1504 (Connection.cpp:958) 39 com.apple.WebKit 0x0000000101e354bd IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() + 29 (Connection.cpp:891) 40 com.apple.WebKit 0x0000000101e35419 WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>::call() + 25 (Function.h:101) 41 JavaScriptCore 0x000000010a8c131e WTF::Function<void ()>::operator()() const + 94 (Function.h:50) 42 JavaScriptCore 0x000000010a8dd3c3 WTF::RunLoop::performWork() + 211 (RunLoop.cpp:106) 43 JavaScriptCore 0x000000010a8ddaf4 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38) 44 com.apple.CoreFoundation 0x0000000104cc8191 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 45 com.apple.CoreFoundation 0x0000000104cad41c __CFRunLoopDoSources0 + 556 46 com.apple.CoreFoundation 0x0000000104cac906 __CFRunLoopRun + 918 47 com.apple.CoreFoundation 0x0000000104cac314 CFRunLoopRunSpecific + 420 48 com.apple.Foundation 0x00000001018541a0 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 274 49 com.apple.Foundation 0x000000010185407b -[NSRunLoop(NSRunLoop) run] + 76 50 libxpc.dylib 0x00000001064aa7c9 _xpc_objc_main + 400 51 libxpc.dylib 0x00000001064acaf9 xpc_main + 189 52 com.apple.WebKit.WebContent.Development 0x00000001017bad3c main + 892 (XPCServiceMain.mm:120) 53 libdyld.dylib 0x00000001061d968d start + 1

(In reply to comment #0) > Using a debug build of WebKit perform the following: > > 1. Open Simulator.app and simulate an iPad device (say, iPad Air 2). > 2. Visit data:text/html,<iframe height='500' width='500' srcdoc='<video > src="http://www.quirksmode.org/html5/videos/big_buck_bunny.mp4" > controls>'></iframe> 2.5. Tap the picture-in-picture button on the video. > 3. Press the reload button. > > Then the WebContent process crashes because the ASSERT(!stayWithin || > child->tree().isDescendantOf(stayWithin)) fails in FrameTree::traverseNext().

Created attachment 285057 [details] Layout Test This patch depends on attachment #285055 [details] (bug #160433). Note this test must be run in an iPad simulator. You can have run-webkit-tests use an iPad simulator device by passing --device-type X where X is an iPad simulator device identifier. You can see a list of available simulator device identifiers by running "xcrun -sdk iphonesimulator simctl list".