See the attached repro. Even when a reference to a document persists via someElement.ownerDocument, JavaScript GC causes the document to be emptied. This does not look like use-after-free – the element’s guard ref keeps the HTMLDocument alive, just in its neutered state. Here’s the callstack resetting documentElement from Chrome: Old value = ('WebCore::Element' *) 0x131a5440 New value = ('WebCore::Element' *) 0x0 WTF::RefPtr<WebCore::Element>::operator= (this=0x6aa70004, optr=0x0) at RefPtr.h:12 6 126 derefIfNotNull(ptr); (gdb) where #0 WTF::RefPtr<WebCore::Element>::operator= (this=0x6aa70004, optr=0x0) at RefPtr. h:126 #1 0x058eef0e in WebCore::Document::removedLastRef (this=0x6aa6fc00) at ../../thir d_party/WebKit/Source/WebCore/dom/Document.cpp:657 #2 0x058ef04c in non-virtual thunk to WebCore::Document::removedLastRef() () at .. /../third_party/WebKit/Source/WebCore/dom/Document.cpp:692 #3 0x02220538 in WebCore::TreeShared<WebCore::ContainerNode>::deref (this=0x6aa6fc 08) at TreeShared.h:79 #4 0x00b287aa in WebCore::DOMDataStore::weakNodeCallback (value={<v8::Handle<v8::V alue>> = {val_ = 0x6ba83d80}, <No data fields>}, domObject=0x6aa6fc00) at ../../thi rd_party/WebKit/Source/WebCore/bindings/v8/DOMDataStore.cpp:150 #5 0x072d16ec in v8::internal::GlobalHandles::Node::PostGarbageCollectionProcessin g (this=0x6ba83d80, isolate=0x6ba23e00, global_handles=0x6c0700b0) at ../../v8/src/ global-handles.cc:233