The XMLTokenizer.cpp has a constructor that takes a document fragment and parses XML into this fragment (which is used at least for handling innerHtml, maybe other places as well). While parsing this fragment, the parser calls lots of methods on the document, amongst others finishedParsing(), which can lead to memory corruption when innerHtml is used form within the onload handler.
*** This bug has been marked as a duplicate of 15456 ***