Created attachment 44671 [details] Repro Id: WebCore::ReplaceSelectionCommand::doApply ReadAV@NULL (15d09a1a5a07b619154c5a2a36579bfd) Description: Attempt to read from NULL pointer (+0x25) in WebCore::ReplaceSelectionCommand::doApply Stack: WebCore::ReplaceSelectionCommand::doApply WebCore::EditCommand::apply WebCore::applyCommand WebCore::executeInsertFragment WebCore::executeInsertHTML WebCore::Editor::Command::execute WebCore::Document::execCommand WebCore::DocumentInternal::execCommandCallback v8::internal::Builtin_HandleApiCall v8::internal::Invoke v8::internal::Execution::Call v8::Script::Run WebCore::V8Proxy::runScript WebCore::V8Proxy::evaluate WebCore::ScriptController::evaluate WebCore::ScriptController::executeScript WebCore::ScriptController::executeScript WebCore::ScriptController::executeIfJavaScriptURL WebCore::FrameLoader::changeLocation WebCore::RedirectScheduler::timerFired WebCore::Timer<...>::fired WebCore::ThreadTimers::sharedTimerFiredInternal MessageLoop::RunTask MessageLoop::DoWork base::MessagePumpDefault::Run MessageLoop::RunInternal MessageLoop::Run RendererMain ChromeMain Repro: <BODY onload=go()></BODY> <SCRIPT> function go() { document.execCommand("selectall",false,6); document.designMode="on"; document.execCommand("Cut",false,2); document.execCommand("inserthorizontalrule",""); document.execCommand("Delete",false, ""); document.designMode=""; document.execCommand("Undo",""); document.designMode="on"; document.execCommand("InsertHTML",false,""); } </SCRIPT>