credit:kuzzcc Treebuilder issue, null ptr crash, first goes through couple of asserts <nobr> <audio> <p> <button autofocus="1"/> <button autofocus="1"/> <iframe> </iframe> </p> </audio> </nobr> Stacktrace:: hits this assert first ASSERT(!widgetHierarchyUpdateSuspendCount); > chrome.dll!WebCore::RenderWidget::setWidgetGeometry(const WebCore::IntRect & frame=((40,15),(300,150))) Line 162 + 0x25 bytes C++ chrome.dll!WebCore::RenderWidget::updateWidgetPosition() Line 346 + 0x35 bytes C++ chrome.dll!WebCore::RenderView::updateWidgetPositions() Line 588 + 0x13 bytes C++ chrome.dll!WebCore::FrameView::performPostLayoutTasks() Line 1611 C++ chrome.dll!WebCore::FrameView::layout(bool allowSubtree=true) Line 833 C++ chrome.dll!WebCore::Document::updateLayout() Line 1524 C++ chrome.dll!WebCore::Document::updateLayoutIgnorePendingStylesheets() Line 1556 C++ chrome.dll!WebCore::Element::focus(bool restorePreviousSelection=true) Line 1301 C++ chrome.dll!WebCore::HTMLFormControlElement::attach() Line 144 + 0x14 bytes C++ chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 906 + 0x12 bytes C++ chrome.dll!WebCore::HTMLFormControlElement::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 234 C++ chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 969 + 0x16 bytes C++ chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 969 + 0x16 bytes C++ chrome.dll!WebCore::Element::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 969 + 0x16 bytes C++ chrome.dll!WebCore::Document::recalcStyle(WebCore::Node::StyleChange change=NoChange) Line 1448 + 0x16 bytes C++ chrome.dll!WebCore::Document::updateStyleIfNeeded() Line 1492 + 0x14 bytes C++ chrome.dll!WebCore::Document::setFocusedNode(WTF::PassRefPtr<WebCore::Node> newFocusedNode={m_document=0x07e1b000 m_previous=0x0814cd00 m_next=0x07bff240 ...}) Line 3099 + 0x12 bytes C++ chrome.dll!WebCore::FocusController::setFocusedNode(WebCore::Node * node=0x07bf5d20, WTF::PassRefPtr<WebCore::Frame> newFocusedFrame=NULL) Line 629 C++ chrome.dll!WebCore::Element::focus(bool restorePreviousSelection=true) Line 1316 C++ chrome.dll!WebCore::HTMLFormControlElement::attach() Line 144 + 0x14 bytes C++ chrome.dll!WebCore::ContainerNode::attach() Line 690 + 0x12 bytes C++ chrome.dll!WebCore::Element::attach() Line 817 C++ chrome.dll!WebCore::Node::lazyAttach() Line 783 + 0x12 bytes C++ chrome.dll!WebCore::HTMLTreeBuilder::callTheAdoptionAgency(WebCore::AtomicHTMLToken & token={...}) Line 1844 C++ chrome.dll!WebCore::HTMLTreeBuilder::processEndTagForInBody(WebCore::AtomicHTMLToken & token={...}) Line 2164 C++ chrome.dll!WebCore::HTMLTreeBuilder::processEndTag(WebCore::AtomicHTMLToken & token={...}) Line 2298 C++ chrome.dll!WebCore::HTMLTreeBuilder::processToken(WebCore::AtomicHTMLToken & token={...}) Line 628 C++ chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken(WebCore::HTMLToken & rawToken={...}) Line 611 C++ chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield) Line 214 C++ chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode mode=AllowYield) Line 162 C++ chrome.dll!WebCore::HTMLDocumentParser::append(const WebCore::SegmentedString & source={...}) Line 321 C++ chrome.dll!WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter * writer=0x07c9398c, const char * data=0x00000000, int length=0, bool shouldFlush=true) Line 55 + 0x1f bytes C++ chrome.dll!WebCore::DocumentWriter::addData(const char * str=0x00000000, int len=0, bool flush=true) Line 200 + 0x20 bytes C++ chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource() Line 221 C++ chrome.dll!WebCore::DocumentWriter::end() Line 207 C++ chrome.dll!WebCore::DocumentLoader::finishedLoading() Line 271 C++ chrome.dll!WebCore::FrameLoader::finishedLoading() Line 2160 C++ chrome.dll!WebCore::MainResourceLoader::didFinishLoading() Line 442 C++ chrome.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x07bfe740) Line 443 + 0xf bytes C++ chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading(WebKit::WebURLLoader * __formal=0x04f4ae58) Line 191 + 0x25 bytes C++ chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(const URLRequestStatus & status={...}, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & security_info="") l!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate=0x04f3fda8, base::MessagePumpWin::Dispatcher * dispatcher=0x00000000) Line 51 + 0xf bytes C++ chrome.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate=0x04f3fda8) Line 80 + 0x1c bytes C++ chrome.dll!MessageLoop::RunInternal() Line 256 + 0x2a bytes C++ chrome.dll!MessageLoop::RunHandler() Line 229 C++ chrome.dll!MessageLoop::Run() Line 207 C++ chrome.dll!base::Thread::Run(MessageLoop * message_loop=0x04f3fda8) Line 141 C++ chrome.dll!base::Thread::ThreadMain() Line 164 + 0x16 bytes C++ chrome.dll!`anonymous namespace'::ThreadFunc(void * closure=0x010f6a80) Line 26 + 0xf bytes C++ kernel32.dll!@BaseThreadInitThunk@12() + 0xe bytes ntdll.dll!___RtlUserThreadStart@8() + 0x23 bytes ntdll.dll!__RtlUserThreadStart@8() + 0x1b bytes