It is not possible for newParent to be null in Frame::transferChildFrameToNewDocument() based on the the call order of HTMLFrameElementBase::setRemainsAliveOnRemovalFromTree() and Frame::transferChildFrameToNewDocument(): Frame::transferChildFrameToNewDocument() is only called if HTMLFrameElementBase::m_remainsAliveOnRemovalFromTree is true by line 177 <http://trac.webkit.org/browser/trunk/WebCore/html/HTMLFrameElementBase.cpp?rev=71219#L177> and line 169 <http://trac.webkit.org/browser/trunk/WebCore/html/HTMLFrameElementBase.cpp?rev=71219#L169> of r71219 of HTMLFrameElementBase.cpp. Without loss of generality, HTMLFrameElementBase::m_remainsAliveOnRemovalFromTree is set to true if the document that is adopting the <iframe> is attached() by line 880 of r71767 of Document.cpp <http://trac.webkit.org/browser/trunk/WebCore/dom/Document.cpp?rev=71767#L880> and line 264 of r71219 of HTMLFrameElementBase.cpp <http://trac.webkit.org/browser/trunk/WebCore/html/HTMLFrameElementBase.cpp?rev=71219#L264>. Moreover, Document::adoptNode() (line 880 of r71767 of Document.cpp) is the only caller of HTMLFrameElementBase::setRemainsAliveOnRemovalFromTree(). Notice, a Document D is said to be attached if Frame::setDocument() is called on it AND by the ASSERT in Frame::setDocument() <http://trac.webkit.org/browser/trunk/WebCore/page/Frame.cpp?rev=71493#L279> D must have a non-null pointer to a Frame object. So, Frame::transferChildFrameToNewDocument() is only called if the document the <iframe> is being transferred to has a frame (i.e. m_ownerElement->document()->frame() != NULL); => newParent cannot be NULL.