Created attachment 75120 [details] Repro Repro: <style> * { -webkit-column-count:3; -webkit-column-span: all; } </style> <h><table> id: chrome.dll!WebCore::RenderObject::RenderObject ReadAV@NULL (65bf4b7466d7b2a21ddbeba4b5e01f4e) description: Attempt to read from unallocated NULL pointer+0x14 in chrome.dll!WebCore::RenderObject::RenderObject application: Chromium 9.0.596.0 stack: chrome.dll!WebCore::RenderObject::RenderObject chrome.dll!WebCore::RenderBoxModelObject::RenderBoxModelObject chrome.dll!WebCore::RenderBox::RenderBox chrome.dll!WebCore::RenderBlock::clone chrome.dll!WebCore::RenderBlock::splitBlocks chrome.dll!WebCore::RenderBlock::splitFlow chrome.dll!WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks chrome.dll!WebCore::RenderBlock::addChildIgnoringContinuation chrome.dll!WebCore::RenderBlock::addChild chrome.dll!WebCore::RenderInline::splitFlow chrome.dll!WebCore::RenderInline::addChildIgnoringContinuation chrome.dll!WebCore::Node::createRendererIfNeeded chrome.dll!WebCore::Element::attach chrome.dll!WebCore::HTMLConstructionSite::attach<...> chrome.dll!WebCore::HTMLConstructionSite::insertHTMLElement chrome.dll!WebCore::HTMLTreeBuilder::processStartTagForInBody chrome.dll!WebCore::HTMLTreeBuilder::processStartTag chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromAtomicToken chrome.dll!WebCore::HTMLTreeBuilder::constructTreeFromToken chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer chrome.dll!WebCore::HTMLDocumentParser::append chrome.dll!WebCore::DecodedDataDocumentParser::appendBytes chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource chrome.dll!WebCore::FrameLoader::finishedLoading chrome.dll!WebCore::MainResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading ...