Go to any site, then paste the following in the location bar to evaluate an XPath.

javascript:document.evaluate("//a[@id='']",document)

You will crash with the following trace:

#0 0x01ab497a in WebCore::XPath::StringExpression::StringExpression at Shared.h:31
#1 0x01ab9d1b in xpathyyparse at XPathGrammar.y:291
#2 0x01ab291e in WebCore::XPath::Parser::parseStatement at XPathParser.cpp:438
#3 0x01ab7c2d in WebCore::XPathExpression::createExpression at XPathExpression.cpp:51
#4 0x01ab7a5d in WebCore::XPathEvaluator::createExpression at XPathEvaluator.cpp:47
#5 0x01ab7b39 in WebCore::XPathEvaluator::evaluate at XPathEvaluator.cpp:67
#6 0x018ff13f in WebCore::Document::evaluate at Document.cpp:3129
#7 0x01a6ee14 in WebCore::JSDocumentProtoFunc::callAsFunction at JSDocument.cpp:463
#8 0x010324be in KJS::JSObject::call at object.cpp:96
#9 0x01025a6b in KJS::FunctionCallDotNode::evaluate at nodes.cpp:758
#10 0x01029ad1 in KJS::ExprStatementNode::execute at nodes.cpp:1712
#11 0x0102c612 in KJS::SourceElementsNode::execute at nodes.cpp:2452
#12 0x010299f3 in KJS::BlockNode::execute at nodes.cpp:1688
#13 0x0101ad05 in KJS::InterpreterImp::evaluate at internal.cpp:514
#14 0x0101e620 in KJS::Interpreter::evaluate at interpreter.cpp:120
#15 0x01a99fbb in WebCore::KJSProxy::evaluate at kjs_proxy.cpp:68
#16 0x018e4c3d in WebCore::Frame::executeScript at Frame.cpp:383
#17 0x01914880 in -[WebCoreFrameBridge stringByEvaluatingJavaScriptFromString:forceUserGesture:] at WebCoreFrameBridge.mm:1229
#18 0x0190ed8e in -[WebCoreFrameBridge stringByEvaluatingJavaScriptFromString:] at WebCoreFrameBridge.mm:1223
Created attachment 8183: Fix bug
Comment on attachment 8183: Fix bug

r=me
Mass moving XML DOM bugs to the "DOM" Component.