RESOLVED FIXED 111248
constructTreeFromCompactHTMLToken should call clearExternalCharacters
https://bugs.webkit.org/show_bug.cgi?id=111248
Eric Seidel (no email)
Reported 2013-03-02 02:22:43 PST
constructTreeFromCompactHTMLToken should call clearExternalCharacters
Attachments
Patch (1.65 KB, patch)
2013-03-02 02:23 PST, Eric Seidel (no email)
no flags
Eric Seidel (no email)
Comment 1 2013-03-02 02:23:25 PST
Eric Seidel (no email)
Comment 2 2013-03-02 02:25:21 PST
I don't believe this causes any behavior change, but it's possible this is why we were passing that inspector view-source test better with the threaded parser. In order to have this be a problem, we would have to push a token onto the TreeBuilder's item-stack, and then end the chunk, and then somehow cause item()->token()->characters() to be accessed while parsing the next chunk.
Eric Seidel (no email)
Comment 3 2013-03-02 02:27:18 PST
This whole design is wrong for HTMLCompactToken. We shouldn't need a heap allocated AtomicHTMLToken anyway. We should replace it with a stack-allocated object which knows how to hang onto the necessary data when copied into an HTMLStackItem.
Adam Barth
Comment 4 2013-03-02 10:00:57 PST
Comment on attachment 191102 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=191102&action=review

> Source/WebCore/ChangeLog:10
> + I don't know how to write a test for this. It's possible characters()
> + is never accessed from HTMLStackItem::token(), but it's better to be
> + safe than sorry here.

Yeah, there isn't any behavior change from this patch, but it's worth doing anyway.

> Source/WebCore/html/parser/HTMLDocumentParser.cpp:573
> + token->clearExternalCharacters(); // The compact token could be destroyed any time after this method returns.

Yeah, we do the same thing in HTMLDocumentParser::constructTreeFromHTMLToken
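A simplified model of the lifetime issue discussed in the comments above, added here as an illustration and not WebKit's own code: the class and function names are stand-ins that echo the WebKit types mentioned on this page (CompactHTMLToken, AtomicHTMLToken, HTMLStackItem), and the body of clearExternalCharacters() is an assumption rather than a copy of WebKit's.

```cpp
#include <memory>
#include <string>

// Hypothetical, simplified model (added example, not WebKit code) of the
// lifetime problem in this bug. A CompactHTMLToken owns its text and lives
// only while its chunk is being parsed.
struct CompactHTMLToken {
    std::string data;
};

// Stand-in for AtomicHTMLToken: it may point at the compact token's text
// ("external characters") instead of owning a copy.
class AtomicHTMLToken {
public:
    explicit AtomicHTMLToken(const CompactHTMLToken& compact)
        : m_externalCharacters(&compact.data) {}
    bool hasExternalCharacters() const { return m_externalCharacters != nullptr; }
    // Before clearExternalCharacters() this dereferences the compact token's
    // buffer; after it there is nothing left to return but an empty string.
    const std::string& characters() const {
        static const std::string empty;
        return m_externalCharacters ? *m_externalCharacters : empty;
    }
    // Models the call the patch adds (assumed body): drop the pointer while
    // the compact token is still alive so nothing can dereference it later.
    void clearExternalCharacters() { m_externalCharacters = nullptr; }
private:
    const std::string* m_externalCharacters;
};

// Stand-in for HTMLStackItem: the tree builder's item stack keeps the token
// alive across chunks, i.e. longer than the compact token lives.
struct HTMLStackItem {
    std::shared_ptr<AtomicHTMLToken> token;
};

// Parses one chunk and returns the item pushed onto the stack. The compact
// token is destroyed when this function returns; with clearExternal == false
// the retained AtomicHTMLToken still points into it (the case in Comment 2).
HTMLStackItem constructTreeFromCompactHTMLToken(const std::string& chunkText,
                                                 bool clearExternal) {
    CompactHTMLToken compact{chunkText};   // dies at the end of this chunk
    auto token = std::make_shared<AtomicHTMLToken>(compact);
    HTMLStackItem item{token};             // tree builder retains the token
    if (clearExternal)
        token->clearExternalCharacters();  // the fix this patch adds
    return item;
}
```

The unfixed path leaves the stack item holding a pointer into freed memory; checking hasExternalCharacters() on the returned item shows the dangling reference without dereferencing it.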
WebKit Review Bot
Comment 5 2013-03-02 10:11:53 PST
Comment on attachment 191102 [details] Patch
Clearing flags on attachment: 191102
Committed r144543: <http://trac.webkit.org/changeset/144543>
WebKit Review Bot
Comment 6 2013-03-02 10:11:56 PST
All reviewed patches have been landed. Closing bug.