Bug 42844 - RESOLVED DUPLICATE of bug 44153
WebCore::Range::checkDeleteExtract ReadAV@NULL (6b8e49858d67765d88bae6e8abff48dd)
https://bugs.webkit.org/show_bug.cgi?id=42844
Berend-Jan Wever
Reported 2010-07-22 13:21:51 PDT
Created attachment 62330 [details]
Patch to fix the issue

Repro and details:

    <html>
    <head>
    <script>
    function go() {
      prompt('Time to set breakpoint in renderer at:', 'bm chrome_*!WebCore::DOMSelection::deleteFromDocument');
      selection = window.getSelection();
      range = document.createRange();
      selection.addRange(range);
      document.designMode = "on";
      document.execCommand("InsertText", false, 'x');
      document.open();
      document.execCommand("Undo");
      selection.deleteFromDocument();
      // "selectedRange" is NULL in WebKit\WebCore\page\DOMSelection.cpp:
      // void DOMSelection::deleteFromDocument()
      // {
      //     if (!m_frame)
      //         return;
      //
      //     SelectionController* selection = m_frame->selection();
      //
      //     if (selection->isNone())
      //         return;
      //
      //     if (isCollapsed())
      //         selection->modify(SelectionController::AlterationExtend, SelectionController::DirectionBackward, CharacterGranularity);
      //
      //     RefPtr<Range> selectedRange = selection->selection().toNormalizedRange();
      //         PassRefPtr<Range> VisibleSelection::toNormalizedRange() const
      //         {
      //             if (isNone())
      //                 return 0;
      //
      //     ExceptionCode ec = 0;
      //     selectedRange->deleteContents(ec); // selectedRange == 0 --> KaB00m!!!
    }
    </script>
    </head>
    <body onload="go()">
    </body>
    </html>

Suggested fix: add the check below.

    if (selectedRange == 0)
        return;

The above has been tested to resolve the issue; I've attached a .patch file that applies it. I'll create a test shortly.
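The control-flow problem the report describes, as an added example that is not WebKit code and not the reporter's patch: a hypothetical, heavily simplified miniature of Range, VisibleSelection and SelectionController, just large enough to walk the same path as DOMSelection::deleteFromDocument(). The first isNone() check happens before modify() runs, and modify() can change the selection, so by the time toNormalizedRange() is called the earlier check no longer says anything about whether the returned pointer is null. The model assumes (the report does not say why the range ends up null, only that it does) that extending a collapsed selection backward with nothing before the caret turns it into None; all names, the Document/Range/DeleteResult types and the helper functions are invented for the illustration.

```cpp
#include <cstddef>
#include <memory>
#include <string>

// Added example, not WebKit code: a hypothetical miniature of the classes the
// report names. Only the shape of the control flow is meant to match.

struct Document {
    std::string text;
};

// Stand-in for WebCore::Range: a [start, end) character span over one document.
struct Range {
    Document* doc;
    size_t start;
    size_t end;
    void deleteContents() { doc->text.erase(start, end - start); }
};

// Stand-in for VisibleSelection. Like the original, toNormalizedRange() hands
// back a null pointer when the selection is None.
struct VisibleSelection {
    Document* doc = nullptr;   // null means the selection is None
    size_t base = 0;
    size_t extent = 0;

    bool isNone() const { return doc == nullptr; }
    bool isCollapsed() const { return !isNone() && base == extent; }

    std::shared_ptr<Range> toNormalizedRange() const {
        if (isNone())
            return nullptr;                 // the "return 0" the report points at
        size_t lo = base < extent ? base : extent;
        size_t hi = base < extent ? extent : base;
        return std::make_shared<Range>(Range{doc, lo, hi});
    }
};

// Stand-in for SelectionController. Assumption that makes the model reproduce
// the report: extending backward with nothing before the caret yields None.
struct SelectionController {
    VisibleSelection sel;

    bool isNone() const { return sel.isNone(); }
    const VisibleSelection& selection() const { return sel; }

    // Models modify(AlterationExtend, DirectionBackward, CharacterGranularity).
    void modifyExtendBackwardByCharacter() {
        if (sel.isNone())
            return;
        if (sel.base == 0) {                // nothing to extend into
            sel.doc = nullptr;              // selection becomes None
            return;
        }
        sel.extent = sel.base - 1;
    }
};

enum class DeleteResult { NoSelection, NullRange, Deleted };

// deleteFromDocument() with the reporter's suggested null check applied.
DeleteResult deleteFromDocumentChecked(SelectionController& controller) {
    if (controller.isNone())
        return DeleteResult::NoSelection;
    if (controller.selection().isCollapsed())
        controller.modifyExtendBackwardByCharacter();   // may invalidate the check above

    std::shared_ptr<Range> selectedRange = controller.selection().toNormalizedRange();
    if (selectedRange == nullptr)           // the added check from the report
        return DeleteResult::NullRange;
    selectedRange->deleteContents();
    return DeleteResult::Deleted;
}

// Replays the pre-fix sequence on a copy and reports whether it would reach the
// deleteContents() call holding a null range, i.e. the crash the report describes.
bool preFixCodeWouldDereferenceNull(SelectionController controller) {
    if (controller.isNone())
        return false;                       // early return, call never reached
    if (controller.selection().isCollapsed())
        controller.modifyExtendBackwardByCharacter();
    return controller.selection().toNormalizedRange() == nullptr;
}

// Constructed input mirroring the repro: an empty (collapsed) range at offset 0
// added to the selection.
SelectionController collapsedSelectionAtStart(Document& doc) {
    SelectionController c;
    c.sel.doc = &doc;
    c.sel.base = 0;
    c.sel.extent = 0;
    return c;
}
```

The check alone is what the report proposes and what the model applies; a caller cannot rely on an isNone() result taken before a call that is allowed to mutate the selection, so any pointer obtained after that call has to be tested on its own.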
Attachments
Patch to fix the issue (405 bytes, application/octet-stream) - 2010-07-22 13:21 PDT, Berend-Jan Wever
Repro with inline analysis (1.46 KB, text/html) - 2010-07-22 13:33 PDT, Berend-Jan Wever
Berend-Jan Wever
Comment 1 2010-07-22 13:33:26 PDT
Created attachment 62332 [details]
Repro with inline analysis
Emil A Eklund
Comment 2 2011-04-20 11:35:41 PDT
This appears to have been fixed by r65587, https://bugs.webkit.org/show_bug.cgi?id=44153
Ryosuke Niwa
Comment 3 2012-04-26 12:32:54 PDT
*** This bug has been marked as a duplicate of bug 44153 ***