When Loader::Host::didReceiveResponse sees a 304 redirect, it magically removes the load from the list of pending loads, since the load is effectively complete (the cached version is good enough). This means the Host doesn't have a reference to the load that was a 304, but that load is still active. Under CFNet, didFinishLoading is called immediately after the didReceiveResponse without going back to the message loop. At this time, the Host object (which is the client of the subresource load) is still active and it works OK. Other platforms' network stacks (and this might not even be guaranteed by CFNet) have different timing. On Chromium, our network stack sends the finished loading after you go back to the message loop. This gives a chance for the Host cleaner-upper to run, which happens on a timer. This can lead to the Host getting deleted before the finished callback is run. The Host should just clear out the callback when it gets a 304 so there isn't this inconsistent state.
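The ordering problem described in the report is easier to see in a miniature model than in the real loader. The following is an added example, not WebKit or Chromium code: `MessageLoop`, `Load`, `Host`, `deliverFinish` and `simulate` are hypothetical stand-ins, and the `g_liveHosts` registry is instrumentation that lets the model count a completion callback aimed at a destroyed Host instead of dereferencing freed memory. `deferFinish=false` models the CFNet timing (didFinishLoading straight after didReceiveResponse), `deferFinish=true` the Chromium timing (finish arrives on a later loop turn, after the cleanup timer), and `applyFix` toggles the recommended fix of clearing the load's client on a 304.

```cpp
// Added example, not WebKit or Chromium code: a model of the Host / load lifetime.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <functional>
#include <set>
#include <string>
#include <vector>

// Single-threaded message loop: posted tasks run only when the loop is pumped.
struct MessageLoop {
    std::deque<std::function<void()>> tasks;
    void post(std::function<void()> t) { tasks.push_back(std::move(t)); }
    void runUntilIdle() {
        while (!tasks.empty()) {
            auto t = std::move(tasks.front());
            tasks.pop_front();
            t();
        }
    }
};

struct Host;

// A subresource load holding a raw, non-owning pointer to its client (the Host).
struct Load {
    Host* client = nullptr;
    std::string url;
};

// Instrumentation only: addresses of live Hosts, so a callback to a destroyed
// Host is counted rather than dereferenced.
static std::set<std::uintptr_t> g_liveHosts;
static int g_callbacksToDeadHost = 0;

struct Host {
    std::vector<Load*> pendingLoads;
    bool clearClientOn304;  // true = apply the fix the report recommends

    explicit Host(bool fix) : clearClientOn304(fix) {
        g_liveHosts.insert(reinterpret_cast<std::uintptr_t>(this));
    }
    ~Host() { g_liveHosts.erase(reinterpret_cast<std::uintptr_t>(this)); }

    void didReceiveResponse(Load* load, int status) {
        if (status != 304) return;
        // Cached copy is good enough: drop the load from the pending list.
        pendingLoads.erase(std::remove(pendingLoads.begin(), pendingLoads.end(), load),
                           pendingLoads.end());
        // The fix: stop being this load's client so a later didFinishLoading
        // has nowhere to go once the Host is gone.
        if (clearClientOn304) load->client = nullptr;
    }

    void didFinishLoading(Load*) { /* nothing left to do for a 304 */ }
};

// Stands in for the network stack invoking the client's completion callback.
static void deliverFinish(Load* load) {
    if (!load->client) return;  // callback cleared; nothing to do
    if (!g_liveHosts.count(reinterpret_cast<std::uintptr_t>(load->client))) {
        ++g_callbacksToDeadHost;  // the real code would now touch freed memory
        return;
    }
    load->client->didFinishLoading(load);
}

// Runs one 304 through the model and returns how many completion callbacks
// were aimed at an already-deleted Host.
static int simulate(bool applyFix, bool deferFinish) {
    g_callbacksToDeadHost = 0;
    MessageLoop loop;
    Load load{nullptr, "https://example.invalid/cached.js"};  // constructed sample
    Host* host = new Host(applyFix);
    load.client = host;
    host->pendingLoads.push_back(&load);

    host->didReceiveResponse(&load, 304);
    if (!deferFinish) deliverFinish(&load);  // CFNet-style: synchronous, Host alive
    // Host cleanup timer: a Host with no pending loads is deleted on the next turn.
    loop.post([&] { if (host->pendingLoads.empty()) { delete host; host = nullptr; } });
    if (deferFinish) loop.post([&] { deliverFinish(&load); });  // Chromium-style: after the timer
    loop.runUntilIdle();
    if (host) delete host;
    return g_callbacksToDeadHost;
}

int main() {
    std::printf("CFNet timing, no fix:    %d dead-host callbacks\n", simulate(false, false));
    std::printf("Chromium timing, no fix: %d dead-host callbacks\n", simulate(false, true));
    std::printf("Chromium timing, fixed:  %d dead-host callbacks\n", simulate(true, true));
    return 0;
}
```

The model reproduces the report's point: with synchronous completion the dangling client pointer is never observed, with deferred completion the cleanup timer deletes the Host first and the callback lands on a freed object, and nulling the client on the 304 removes the window regardless of which network stack's timing is in play. When reviewing the real fix, the check worth making is the same one the model performs: after a 304, no object the Host no longer tracks may still hold a pointer back to it.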
Created attachment 25268: Patch
Patch as we discussed on IRC.
r=me
Fixed in r38601