If a WebBackForwardList is restored with a certain bogus session state as input (current index pointing past the end of the entry list), the page involved is likely to crash later down the line when that wrong entry is accessed. In radar as <rdar://problem/8960434>
Created attachment 81549 [details] Patch v1
Landed in r77861