gdb backtrace for this crash:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56403ca in WebCore::TimerBase::setNextFireTime (this=0x64d570, newTime=0) at ../../../../Source/WebCore/platform/Timer.cpp:317
317         ASSERT(m_thread == currentThread());
(gdb) bt
#0  0x00007ffff56403ca in WebCore::TimerBase::setNextFireTime (this=0x64d570, newTime=0) at ../../../../Source/WebCore/platform/Timer.cpp:317
#1  0x00007ffff563f0fd in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x5177b0) at ../../../../Source/WebCore/platform/ThreadTimers.cpp:112
#2  0x00007ffff563f04b in WebCore::ThreadTimers::sharedTimerFired () at ../../../../Source/WebCore/platform/ThreadTimers.cpp:93
#3  0x00007ffff58b8a5e in WebCore::SharedTimerQt::timerEvent (this=0x508940, ev=0x7fffffffde00) at ../../../../Source/WebCore/platform/qt/SharedTimerQt.cpp:113
#4  0x00007ffff2abace9 in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtCore.so.4
#5  0x00007ffff30150dc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtGui.so.4
#6  0x00007ffff301a9dd in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtGui.so.4
#7  0x00007ffff2aa88bc in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtCore.so.4
#8  0x00007ffff2adcc7e in ?? () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtCore.so.4
#9  0x00007ffff2ad9bcd in ?? () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtCore.so.4
#10 0x00007ffff08ac6f2 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#11 0x00007ffff08b0568 in ?? () from /lib/libglib-2.0.so.0
#12 0x00007ffff08b071c in g_main_context_iteration () from /lib/libglib-2.0.so.0
#13 0x00007ffff2ad98b3 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtCore.so.4
#14 0x00007ffff30c186e in ?? () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtGui.so.4
#15 0x00007ffff2aa7472 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtCore.so.4
#16 0x00007ffff2aa78e4 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtCore.so.4
#17 0x00007ffff2aad4e9 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt-4.8.0-rc1/lib/libQtCore.so.4
#18 0x00000000004360b4 in main (argc=2, argv=0x7fffffffe428) at /home/oszi/WebKit/Tools/DumpRenderTree/qt/main.cpp:252

It is P1/critical bug, because it is an assertion.

Are you sure about the backtrace? It's strange. Result on the x86_64 debug bot: http://build.webkit.sed.hu/results/x86-64%20Linux%20Qt%20Debug/r100442%20(18888)/http/tests/misc/onload-remove-iframe-crash-2-crash-log.txt

pure virtual method called
terminate called without an active exception

Yes, I'm sure. I created it manually.

(In reply to comment #4)
> Yes, I'm sure. I created it manually.

Yuck, that crash looks to me like a Timer isn't properly getting cancelled. I didn't think any timers were changed in my patch, though.

Let me know how I can help.

Passes successfully for me with trunk. Can you retest it on the bots?

It runs on the bots without any crash long time ago.