GNOME Bugzilla – Bug 780159
NULL deref crash in xmlParseExternalEntityPrivate()
Last modified: 2017-07-05 18:09:45 UTC
In xmlParseExternalEntityPrivate(), the following code tries to dereference 'oldctxt':

    /*
     * And record the last error if any
     */
    if (ctxt->lastError.code != XML_ERR_OK)
        xmlCopyError(&ctxt->lastError, &oldctxt->lastError);

However, that function parameter is NULL at some call sites, such as this one in parser.c:

    int
    xmlParseExternalEntity(xmlDocPtr doc, xmlSAXHandlerPtr sax, void *user_data,
                           int depth, const xmlChar *URL, const xmlChar *ID,
                           xmlNodePtr *lst) {
        return(xmlParseExternalEntityPrivate(doc, NULL, sax, user_data, depth,
                                             URL, ID, lst));
    }

I can reproduce this easily with Apple's internal libxml2 repository by compiling with ASan enabled and running testapi like this:

    $ ASAN_OPTIONS=redzone=128 ./testapi

However, I'm unable to reproduce the crash the same way using the upstream libxml2 repository. (I've tried bisecting the internal repository, but haven't been successful in finding the revision that makes this reproduce. A few changes are too old to bisect this way, but I'm continuing to work on getting approval to upstream them.)

Note that to reproduce this crash, one must also fix the issues found in Bug 767154 first.
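The pattern behind this report, as an added example that is not part of the bug report or of libxml2's own code: a sub-parse records its last error into an optional parent context, and the copy must be guarded because some callers pass NULL for the parent. The types, function names and error code below are constructed stand-ins (assumption: they model, but do not reproduce, libxml2's xmlParserCtxt and xmlCopyError, and the guard shown is the natural fix rather than a copy of the actual patch).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a parser's error record and context. */
enum { ERR_OK = 0, ERR_UNDECLARED_ENTITY = 26 };

typedef struct {
    int  code;
    char message[64];
} ErrorRecord;

typedef struct {
    ErrorRecord lastError;
} ParserCtxt;

/* Copy an error record (stand-in for xmlCopyError). */
static void copy_error(const ErrorRecord *from, ErrorRecord *to) {
    to->code = from->code;
    strncpy(to->message, from->message, sizeof(to->message) - 1);
    to->message[sizeof(to->message) - 1] = '\0';
}

/* Vulnerable pattern: 'oldctxt' is dereferenced whenever an error is
 * pending, so a NULL parent context crashes here. */
static void record_last_error_unchecked(ParserCtxt *ctxt, ParserCtxt *oldctxt) {
    if (ctxt->lastError.code != ERR_OK)
        copy_error(&ctxt->lastError, &oldctxt->lastError);
}

/* Hardened pattern: the parent context is optional, so the NULL check
 * comes before the dereference. Returns 1 if the error was propagated. */
static int record_last_error_checked(ParserCtxt *ctxt, ParserCtxt *oldctxt) {
    if ((oldctxt != NULL) && (ctxt->lastError.code != ERR_OK)) {
        copy_error(&ctxt->lastError, &oldctxt->lastError);
        return 1;
    }
    return 0;
}

/* Simulates parsing an external entity in a fresh context and handing
 * the result back to an optional parent, as xmlParseExternalEntity does
 * with its NULL second argument. 'fail' forces a parse error. */
static int parse_external_entity(ParserCtxt *oldctxt, int fail) {
    ParserCtxt ctxt;
    memset(&ctxt, 0, sizeof(ctxt));
    if (fail) {
        ctxt.lastError.code = ERR_UNDECLARED_ENTITY;
        strcpy(ctxt.lastError.message, "Entity 'foo' not defined");
    }
    return record_last_error_checked(&ctxt, oldctxt);
}

/* Helpers returning values, so each scenario can be checked by a caller. */
static int demo_null_parent_with_error(void) {
    /* Before the guard this call path would dereference NULL. */
    return parse_external_entity(NULL, 1);
}

static int demo_parent_receives_error_code(void) {
    ParserCtxt parent;
    memset(&parent, 0, sizeof(parent));
    parse_external_entity(&parent, 1);
    return parent.lastError.code;
}

static int demo_parent_without_error(void) {
    ParserCtxt parent;
    memset(&parent, 0, sizeof(parent));
    return parse_external_entity(&parent, 0);
}

int main(void) {
    ParserCtxt parent;
    memset(&parent, 0, sizeof(parent));
    parent.lastError.code = ERR_OK;

    /* The unchecked version is fine only while a parent exists. */
    ParserCtxt child;
    memset(&child, 0, sizeof(child));
    child.lastError.code = ERR_UNDECLARED_ENTITY;
    record_last_error_unchecked(&child, &parent);
    printf("unchecked, with parent: code=%d\n", parent.lastError.code);

    printf("checked, NULL parent: propagated=%d\n", demo_null_parent_with_error());
    printf("checked, parent error code: %d\n", demo_parent_receives_error_code());
    printf("checked, no error: propagated=%d\n", demo_parent_without_error());
    return 0;
}
```

Running the program under AddressSanitizer (or any build) completes without a fault because the only NULL-parent call goes through the checked function; swapping record_last_error_checked for record_last_error_unchecked in parse_external_entity reproduces the class of crash the report describes.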
Created attachment 348111: Patch v1
Fixed here: https://git.gnome.org/browse/libxml2/commit/?id=3eef3f39a646f279e88cdb2fc45b6b17211fcd74
(In reply to Nick Wellnhofer from comment #2)
> Fixed here:
>
> https://git.gnome.org/browse/libxml2/commit/?id=3eef3f39a646f279e88cdb2fc45b6b17211fcd74

Thanks!