diff --git a/dom/html/crashtests/1440523.html b/dom/html/crashtests/1440523.html
new file mode 100644
index 000000000000..11ce69978197
--- /dev/null
+++ b/dom/html/crashtests/1440523.html
@@ -0,0 +1,13 @@
+<html>
+  <head>
+    <script>
+      try { frame = document.createElement('frame') } catch(e) { }
+      try { document.documentElement.appendChild(frame) } catch(e) { }
+      try { contentDocument = frame.contentDocument } catch(e) { }
+      try { contentDocument.writeln("<p contenteditable='true'>") } catch(e) { }
+      try { anotherDocument = document.implementation.createHTMLDocument(); } catch(e) { }
+      try { rootOfAnotherDocument = anotherDocument.documentElement; } catch(e) { }
+      try { document.replaceChild(rootOfAnotherDocument, document.documentElement); } catch(e) { }
+   </script>
+  </head>
+</html>
diff --git a/dom/html/crashtests/crashtests.list b/dom/html/crashtests/crashtests.list
index 8ac17a52828b..f2b509d741ac 100644
--- a/dom/html/crashtests/crashtests.list
+++ b/dom/html/crashtests/crashtests.list
@@ -87,3 +87,4 @@ load 1350972.html
 load 1386905.html
 asserts(0-4) load 1401726.html
 load 1412173.html
+load 1440523.html
diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp
index 443cd11e252e..35e1fc3b92c4 100644
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -2363,6 +2363,13 @@ nsHTMLDocument::EditingStateChanged()
   if (!docshell)
     return NS_ERROR_FAILURE;
 
+  // FlushPendingNotifications might destroy our docshell.
+  bool isBeingDestroyed = false;
+  docshell->IsBeingDestroyed(&isBeingDestroyed);
+  if (isBeingDestroyed) {
+    return NS_ERROR_FAILURE;
+  }
+
   nsCOMPtr<nsIEditingSession> editSession;
   nsresult rv = docshell->GetEditingSession(getter_AddRefs(editSession));
   NS_ENSURE_SUCCESS(rv, rv);