`WebLocalFrameLoaderClient::dispatchDidChangeProvisionalURL()` unconditionally dereferences the return value of `provisionalDocumentLoader()` via `Ref documentLoader { *m_localFrame->loader().provisionalDocumentLoader() }`. When `provisionalDocumentLoader()` returns nullptr during redirect processing, the `Ref` constructor reads the reference count at offset 0x18, crashing with `EXC_BAD_ACCESS (SIGSEGV)`. The caller `DocumentLoader::setRequest()` already checks for and logs this nullptr condition (added in Bug 203837, 217227@main) but proceeds to call `dispatchDidChangeProvisionalURL()` unconditionally. The adjacent function `dispatchDidReceiveServerRedirectForProvisionalLoad()` correctly handles this case using `RefPtr` with a null check and early return (added in Bug 199123, 213141@main). Crash stack: ``` 0 WebKit: WTF::RefCountedBase::ref() const 1 WebKit: WebCore::DocumentLoader::ref() const 2 WebKit: WTF::Ref<WebCore::DocumentLoader>::Ref(WebCore::DocumentLoader&) 3 WebKit: WebKit::WebLocalFrameLoaderClient::dispatchDidChangeProvisionalURL() 4 WebCore: WebCore::DocumentLoader::setRequest(WebCore::ResourceRequest&&) 5 WebCore: WebCore::DocumentLoader::willSendRequest(WebCore::ResourceRequest&&, ...) 6 WebCore: WebCore::DocumentLoader::redirectReceived(...) 7 WebCore: WebCore::CachedRawResource::redirectReceived(...) 8 WebCore: WebCore::SubresourceLoader::willSendRequestInternal(...) 9 WebKit: WebKit::WebResourceLoader::willSendRequest(...) [...] ``` <rdar://112727550>