STEPS TO REPRODUCE: 1. Load javascript-url-crash-tokenizer.html, attached --> crash
Created attachment 19128: reduction
<rdar://problem/5744401>
Created attachment 27346: Fix (without layout test)
Here's the obvious fix. I'll turn Geoff's example into a layout test and post it for review.
Created attachment 27347: Proposed patch
Comment on attachment 27347: Proposed patch
This doesn't leak the HTMLTokenizer entirely, but it only gets deleted from Document::removeLastRef(). I'll remove the review flag and look for a better solution.
Seems to have been fixed.