Null deref crash in DocumentLoader::finishedLoadingIcon Specifically, deref'ing a null frame. 0 com.apple.WebCore 0x000000010faa91fd WebCore::DocumentLoader::finishedLoadingIcon(WebCore::IconLoader&, WebCore::SharedBuffer*) + 29 1 com.apple.WebCore 0x000000010f8dc3fd WebCore::CachedResource::didAddClient(WebCore::CachedResourceClient&) + 205 2 com.apple.WebCore 0x000000010f8d9ad6 WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&) + 758 3 com.apple.WebCore 0x000000010f60f870 WebCore::ThreadTimers::sharedTimerFiredInternal() + 176 4 com.apple.WebCore 0x000000010f60f7af WebCore::timerFired(__CFRunLoopTimer*, void*) + 31 I have not been able to reproduce. I've been able to figure out a sequence of events to reproduce this: 0 - Be using an embedding app that uses the icon loading delegate API. 1 - Visit a website that references a site icon. 2 - The embedding app says "yes, load it". 3 - The icon is loaded as a sub resource, and that includes putting it in the memory cache. 4 - Navigate to another page within the same website that will load the same icon. 5 - Embedding app says "yes, load it" 6 - DocumentLoader - still attached to a frame - creates an IconLoader for the icon 7 - The IconLoader goes through the memory cache to get at a CachedResource for the icon, and finds it. 8 - The IconLoader attaches itself to the CachedResource as a CachedResourceClient. CachedResource schedules a timer to deliver callbacks to the IconLoader asynchronously 9 - Before that timer fires, the Frame navigates, so the DocumentLoader detaches itself from the frame. 10 - The timer fires, giving the data to the IconLoader and telling it that it finished. 11 - The IconLoader tells the DocumentLoader it finished, which then tries to call out to the FrameLoader client, but the m_frame is gone. I'm 97% sure this is how this is happening, but cannot reproduce. The timing around steps 8-10 is REALLY tight, and I have not found a way to reproduce - it's just a few tight spins of the runloop. I'm going to spend a little while longer trying to reproduce before I give up and fix this speculatively.