As seen on bugtraq, the attached HTML file (mostly JS) can crash Safari. Bugtraq submitter reported it on 10.3.9 and Safari 1.3 (132); I've also seen it on 10.4.2 w/WebKit.App (ToT from 8 Aug 05).
Created attachment 3302: Javascript that crashes WebKit
Confirmed with ToT WebKit. Bumping to P1 as it's a reproducible crash.
Simple problem in document logic; unnecessary code to destroy the tokenizer twice.
Created attachment 3806: patch to fix this by removing some unneeded code from document.close
It's hard to see the actual code change, given all the formatting changes.
OK, r=me if the layout tests all still pass. Make sure to add the test case as a layout test.
Had to change the test quite a bit to land it as a layout test, but I came up with something.