This test demonstrates a problem with our handling of the beforeunload event.
If a script manages to try and navigate the frame from beforeunload - when a navigation is already pending - we end up blowing out the stack by recursively consulting the policy delegate then running onbeforeunload repeatedly.
After this happens, the FrameLoader is in a bogus state where it thinks it is in the middle of a provisional load, but it doesn't have a provisional document loader.
In this state, the frame is very difficult to navigate anywhere else, and attempts to load new things within the frame can result in a crash.
This was reproducibly identified on sears.com following a bizarre Safari specific code path.
Click here to run the beforeunload test and blow out the stack
Click here to append an iframe and crash