Created attachment 72796 [details] Repro Repro: <html><head><script> function go() { document.designMode = "on"; document.execCommand("insertparagraph"); document.execCommand("SelectAll"); document.execCommand("strikethrough"); document.execCommand("inserthorizontalrule"); document.execCommand("InsertImage"); document.execCommand("insertparagraph"); document.execCommand("SelectAll"); document.execCommand("insertimage"); document.execCommand("selectall"); document.execCommand("Underline"); } </script></head><body onload="go();"> <pre>z</pre> </body></html> id: chrome.dll!WebCore::ApplyStyleCommand::addInlineStyleIfNeeded ReadAV@NULL (4e6d0391ed8cca23b3528b81de8bd31c) description: Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::ApplyStyleCommand::addInlineStyleIfNeeded application: Chromium 9.0.571.0 stack: chrome.dll!WebCore::ApplyStyleCommand::addInlineStyleIfNeeded chrome.dll!WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange chrome.dll!WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle chrome.dll!WebCore::ApplyStyleCommand::applyInlineStyle chrome.dll!WebCore::ApplyStyleCommand::doApply chrome.dll!WebCore::EditCommand::apply chrome.dll!WebCore::applyCommand chrome.dll!WebCore::Editor::applyStyle chrome.dll!WebCore::executeToggleStyleInList chrome.dll!WebCore::executeUnderline chrome.dll!WebCore::Editor::Command::execute chrome.dll!WebCore::Document::execCommand chrome.dll!WebCore::DocumentInternal::execCommandCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...