Protect documents from deletion when their onload removes them

LayoutTests/loader/iframe-src-change-onload-crash.html

Index: LayoutTests/loader/iframe-src-change-onload-crash.html
diff --git a/LayoutTests/loader/iframe-src-change-onload-crash.html b/LayoutTests/loader/iframe-src-change-onload-crash.html
new file mode 100644
index 0000000000000000000000000000000000000000..057100a93f6271f723e0eeb1d1be73c965dd69c6
--- /dev/null
+++ b/LayoutTests/loader/iframe-src-change-onload-crash.html
@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <script>
+      function start() {
+        if (window.testRunner) {
+          testRunner.dumpAsText();
+          testRunner.waitUntilDone();
+        }
+        iframeElmt = document.createElement('iframe');
+        iframeElmt.src = 'resources/empty.xml';
+        window.setTimeout('window.top.do_test()', 0);
+      }
+
+      function do_test() {
+        window.top.cb_onload_count = 0;
+        window.top.conce = function() {
+          window.top.cb_onload_count++;
+          var f = eval('window.top.cb_onload_' + window.top.cb_onload_count);
+          if (f) return f(arguments, this);
+        };
+
+        iframeElmt.onload = window.top.conce;
+
+        document.body.appendChild(iframeElmt);
+      }
+
+      function cb_onload_1() {
+        iframeElmt = arguments[1];
+        iframeElmt.src = 'javascript:window.top.cb_scriptsrc();';
+      }
+
+      function cb_scriptsrc() {
+        return 'X';
+      }
+      
+      function cb_onload_2() {
+        gc();
+        if (window.testRunner) {
+          testRunner.notifyDone();
+        }
+      }
+    </script>
+  </head>
+  <body onload="start()">
+    <p>Test PASSES if it does not crash in ASAN builds.</p>
+  </body>
+</html>