STEPS TO REPRODUCE:
Created attachment 19128 [details]
Created attachment 27346 [details]
Fix (without layout test)
Here's the obvious fix. I'll turn Geoff's example into a layout test and post it for review.
Created attachment 27347 [details]
Comment on attachment 27347 [details]
This doesn't leak the HTMLTokenizer entirely, but it only gets deleted from Document::removeLastRef(). I'll remove the review flag and look for a better solution.
Seems to have been fixed.