Created attachment 44675
Repro

Id: WebCore::executeToggleStyleInList ReadAV@NULL (08a7de8db480c4e2b2ae552176cb3df1)

Description: Attempt to read from NULL pointer in WebCore::executeToggleStyleInList

Stack:
  WebCore::executeToggleStyleInList
  WebCore::executeStrikethrough
  WebCore::Editor::Command::execute
  WebCore::Document::execCommand
  WebCore::DocumentInternal::execCommandCallback
  v8::internal::Builtin_HandleApiCall
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  WebCore::V8Proxy::runScript
  WebCore::V8Proxy::evaluate
  WebCore::ScriptController::evaluate
  WebCore::ScriptController::executeScript
  WebCore::ScriptController::executeScript
  WebCore::ScriptController::executeIfJavaScriptURL
  WebCore::FrameLoader::changeLocation
  WebCore::RedirectScheduler::timerFired
  WebCore::Timer<...>::fired
  WebCore::ThreadTimers::sharedTimerFiredInternal
  MessageLoop::RunTask
  MessageLoop::DoWork
  base::MessagePumpDefault::Run
  MessageLoop::RunInternal
  MessageLoop::Run
  RendererMain
  ChromeMain

Repro:
  <BODY></BODY>
  <SCRIPT>
    document.execCommand("selectall",false,2);
    document.designMode="on";
    document.execCommand("InsertHorizontalRule",false,"");
    document.execCommand("Delete",false,"");
    document.designMode="";
    document.execCommand("undo",false,"");
    document.designMode ="on";
    document.execCommand("strikethrough",false,false);
  </SCRIPT>
Online repro
I cannot reproduce this with Safari for Mac.
Mike Moretti claims there is a problem with "Undo" after "designmode off".
https://bugs.webkit.org/show_bug.cgi?id=32822
I am assuming this is a variation of that problem.

*** This bug has been marked as a duplicate of bug 32823 ***