void Page::goBackOrForward(int distance) { if (distance == 0) return; HistoryItem* item = backForward()->itemAtIndex(distance); if (!item) { if (distance > 0) { if (int forwardCount = backForward()->forwardCount()) item = backForward()->itemAtIndex(forwardCount); } else { if (int backCount = backForward()->backCount()) item = backForward()->itemAtIndex(-backCount); } } ASSERT(item); if (!item) return; goToItem(item, FrameLoadTypeIndexedBackForward); } It is not clear that the assertion is valid, since it seems possible that you couldn't go back or forward. This seems separate from the crash with a similar backtrace seen on Lion Intel Debug Tests (http://build.webkit.org/results/Lion%20Intel%20Debug%20%28Tests%29/r110714%20%284462%29/compositing/iframes/page-cache-layer-tree-crash-log.txt) Unfortunately, I do not know when it started. Here is a sample: http://build.webkit.org/results/Lion%20Intel%20Debug%20(WebKit2%20Tests)/r110743%20(4915)/fast/frames/layout-after-destruction-crash-log.txt Process: WebProcess [24853] Path: /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess Identifier: com.apple.WebProcess Version: 536+ (536.3+) Code Type: X86-64 (Native) Parent Process: WebKitTestRunner [24842] Date/Time: 2012-03-14 14:22:29.730 -0700 OS Version: Mac OS X 10.7.2 (11C74) Report Version: 9 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef VM Regions Near 0xbbadbeef: --> __TEXT 000000010e447000-000000010e448000 [ 4K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess Application Specific Information: objc[24853]: garbage collection is OFF Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000001112a1b23 WebCore::Page::goBackOrForward(int) + 291 (Page.cpp:327) 1 com.apple.WebCore 0x000000011020b3de WebCore::BackForwardController::goBackOrForward(int) + 30 (BackForwardController.cpp:60) 2 com.apple.WebCore 0x0000000111243b42 WebCore::ScheduledHistoryNavigation::fire(WebCore::Frame*) + 338 (NavigationScheduler.cpp:206) 3 com.apple.WebCore 0x000000011124181f WebCore::NavigationScheduler::timerFired(WebCore::Timer<WebCore::NavigationScheduler>*) + 175 (NavigationScheduler.cpp:419) 4 com.apple.WebCore 0x0000000111243893 WebCore::Timer<WebCore::NavigationScheduler>::fired() + 115 (Timer.h:100) 5 com.apple.WebCore 0x00000001118d0fa7 WebCore::ThreadTimers::sharedTimerFiredInternal() + 311 (ThreadTimers.cpp:118) 6 com.apple.WebCore 0x00000001118d0ce9 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:94) 7 com.apple.WebCore 0x00000001116abcf3 _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 67 (SharedTimerMac.mm:167) 8 com.apple.CoreFoundation 0x00007fff84dcaf84 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 9 com.apple.CoreFoundation 0x00007fff84dcaad6 __CFRunLoopDoTimer + 534 10 com.apple.CoreFoundation 0x00007fff84dab471 __CFRunLoopRun + 1617 11 com.apple.CoreFoundation 0x00007fff84daaae6 CFRunLoopRunSpecific + 230 12 com.apple.HIToolbox 0x00007fff897253d3 RunCurrentEventLoopInMode + 277 13 com.apple.HIToolbox 0x00007fff8972c63d ReceiveNextEventCommon + 355 14 com.apple.HIToolbox 0x00007fff8972c4ca BlockUntilNextEventMatchingListInMode + 62 15 com.apple.AppKit 0x00007fff8cb3e3f1 _DPSNextEvent + 659 16 com.apple.AppKit 0x00007fff8cb3dcf5 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 135 17 com.apple.AppKit 0x00007fff8cb3a62d -[NSApplication run] + 470 18 com.apple.WebCore 0x00000001115fab4c WebCore::RunLoop::run() + 92 (RunLoopMac.mm:101) 19 com.apple.WebKit2 0x000000010e912ee4 WebKit::WebProcessMain(WebKit::CommandLine const&) + 3556 (WebProcessMainMac.mm:176) 20 com.apple.WebKit2 0x000000010e81e76f _ZL10WebKitMainRKN6WebKit11CommandLineE + 239 (WebKitMain.cpp:50) 21 com.apple.WebKit2 0x000000010e81e652 WebKitMain + 178 (WebKitMain.cpp:74) 22 com.apple.WebProcess 0x000000010e447d82 main + 290 23 com.apple.WebProcess 0x000000010e447c54 start + 52