The crash happens due to a lack of FrameLoaderClient updates for children of the Frame that was transferred from one page to another. This leaves the children of the transferred Frame using the clients associated with the old Page, and once that one goes away and some GC'ing happens, the operations requiring a FrameLoaderClient can cause a crash. The code avoids unnecessary updates by accumulating a 'didTransfer' bool. The change http://trac.webkit.org/changeset/71962 introduced code that overrides the boolean rather than accumulates the result. Patch is coming shortly. I can't figure out a simple test for this, but I'm still working on it. I want to put the fix through before I can do the test, since the crash blocks other developers at the moment.
Created attachment 75098 [details] Patch.
OK, but I'm expecting a test soon!
Landed: http://trac.webkit.org/changeset/72863
Still working on a test so keeping bug open.
Comment on attachment 75098 [details] Patch. Any updates? Obsoleting this patch since it was landed.
Comment on attachment 75098 [details] Patch. Cleared David Levin's review+ from obsolete attachment 75098 [details] so that this bug does not appear in http://webkit.org/pending-commit.