Protect documents from deletion when their onload removes them

Source/core/dom/Document.cpp

Index: Source/core/dom/Document.cpp
diff --git a/Source/core/dom/Document.cpp b/Source/core/dom/Document.cpp
index 7b3cad2457145569d99998134c088e7d094c029f..5eb23cb0321c5429cb7a822f45e48207cf7055a6 100644
--- a/Source/core/dom/Document.cpp
+++ b/Source/core/dom/Document.cpp
@@ -4062,6 +4062,11 @@ void Document::finishedParsing()
     if (!m_documentTiming.domContentLoadedEventEnd)
         m_documentTiming.domContentLoadedEventEnd = monotonicallyIncreasingTime();
 
+    // The loader's finishedParsing() method may invoke script that causes this object to
+    // be dereferenced (when this document is in an iframe and the onload causes the iframe's src to change).
+    // Keep it alive until we are done.
+    RefPtr<Document> protect(this);

[abarth-chromium, 2013/07/22 18:06:24]

Why doesn't this issue occur with HTML documents?  Presumably the
HTMLDocumentParser holds a reference to the Document.  Perhaps the
XMLDocumentParser should do the same?  Is the XMLDocumentParser prepared for its
|document| to be garbage after calling this function?

+
     if (RefPtr<Frame> f = frame()) {
         // FrameLoader::finishedParsing() might end up calling Document::implicitClose() if all
         // resource loads are complete. HTMLObjectElements can start loading their resources from