See bug for the crash details and fix proposed: https://bugs.webkit.org/show_bug.cgi?id=34490 The crash happens if ImageLoader (owned by HTMLImageElement) is destroyed after it has been added to ImageEventSender::m_dispatchSoonList but before the pending load events are dispatched (by timer, HTMLParser::finished etc). The fix is always remove the image loader from pending event queue whenever the loader is destroyed. The crash could not be easily repro because of all the timing issues: it depends on the time the ImageLoader timer fires, the time HTMLImageElement is destroyed and collected by GC, the image loading time and the time a new empty image src is sets to existing loader etc. Because of all the timing issues, not sure there is a way to create a reliable test for it. Create this bug so I could commit the patch to fix crash first and figure out test case later.