Created attachment 65027 [details] Testcase This DOM triggers an ASSERT: FAIL<iframe onload="document.write('PASS')"> ASSERTION FAILED: m_type == Uninitialized || m_type == Character (/work/WebKit/WebCore/html/HTMLToken.h:117 void WebCore::HTMLToken::ensureIsCharacterToken()) I suspect this is closely related to the fix from bug 43055. Adding a document.open() before the document.write() avoids the ASSERT. I haven't debugged, but it looks like Document::open() bails out if parser->isExecutingScript(). I'll be on vacation next week, so I probably won't be able to get to this in a timely manner.
*** This bug has been marked as a duplicate of bug 44209 ***