Code inspection of functions like NodeIteratorImpl::findNextNode make it clear that the NodeIterator does not do correct memory management of the nodes. As it iterates through nodes, the function holds a node pointer across a call to arbitrary JavaScript without calling ref() on that node. Clearly that can lead to a crash.
Bug 3492 now has a patch that addresses this.
Committed revision 30089.
Mass moving XML DOM bugs to the "DOM" Component.