Created attachment 76983 [details]
Repro

http://code.google.com/p/chromium/issues/detail?id=67536

Repro:

<body onload="
  document.designMode='on';
  document.execCommand('SelectAll');
  document.execCommand('justifyright');
  document.execCommand('underline');
  document.execCommand('InsertLineBreak');
  document.execCommand('insertorderedlist');
  document.execCommand('insertimage');
  document.execCommand('InsertOrderedList');
  document.execCommand('insertimage');
  document.execCommand('InsertOrderedList');
  document.execCommand('InsertUnorderedList');
  document.execCommand('Outdent');
  document.execCommand('insertorderedlist');
  document.execCommand('SelectAll');
  document.execCommand('outdent');
  document.execCommand('insertorderedlist');
">

id:          chrome.dll!WebCore::CompositeEditCommand::cloneParagraphUnderNewElement ReadAV@NULL (f84a03432e24e16d27d29d94f72b0b0f)
description: Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::CompositeEditCommand::cloneParagraphUnderNewElement
application: Chromium 10.0.617.0
stack:       chrome.dll!WebCore::CompositeEditCommand::cloneParagraphUnderNewElement
             chrome.dll!WebCore::CompositeEditCommand::moveParagraphWithClones
             chrome.dll!WebCore::InsertListCommand::doApplyForSingleParagraph
             chrome.dll!WebCore::InsertListCommand::doApply
             chrome.dll!WebCore::EditCommand::apply
             chrome.dll!WebCore::applyCommand
             chrome.dll!WebCore::executeInsertOrderedList
             chrome.dll!WebCore::Editor::Command::execute
             chrome.dll!WebCore::Document::execCommand
             chrome.dll!WebCore::DocumentInternal::execCommandCallback
             chrome.dll!v8::internal::HandleApiCallHelper<...>
             chrome.dll!v8::internal::Builtin_HandleApiCall
             chrome.dll!v8::internal::Invoke
             chrome.dll!v8::internal::Execution::Call
             ...
Created attachment 76984 [details]
Variation

Variation with different crash stack:

<body onload="
  document.designMode='on';
  document.execCommand('SelectAll');
  document.execCommand('justifyright');
  document.execCommand('underline', false);
  document.execCommand('InsertLineBreak', false);
  document.execCommand('insertorderedlist', false);
  document.execCommand('JustifyFull');
  document.execCommand('insertimage', false);
  document.execCommand('InsertOrderedList', false);
  document.execCommand('Indent');
  document.execCommand('insertimage', false);
  document.execCommand('InsertOrderedList');
  document.execCommand('fontsize', false);
  document.execCommand('InsertUnorderedList', false);
  document.execCommand('Outdent', false);
  document.execCommand('insertunorderedlist');
  document.execCommand('SelectAll');
  document.execCommand('outdent');
  document.execCommand('insertorderedlist', false);
">

id:          chrome.dll!WebCore::Node::lastChild ReadAV@NULL (8ba40a58b893ad95e3d64afed231eb8f)
description: Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::Node::lastChild
application: Chromium 10.0.617.0
stack:       chrome.dll!WebCore::Node::lastChild
             chrome.dll!WebCore::CompositeEditCommand::cloneParagraphUnderNewElement
             chrome.dll!WebCore::CompositeEditCommand::moveParagraphWithClones
             chrome.dll!WebCore::InsertListCommand::doApplyForSingleParagraph
             chrome.dll!WebCore::InsertListCommand::doApply
             chrome.dll!WebCore::EditCommand::apply
             chrome.dll!WebCore::applyCommand
             chrome.dll!WebCore::executeInsertOrderedList
             chrome.dll!WebCore::Editor::Command::execute
             chrome.dll!WebCore::Document::execCommand
             chrome.dll!WebCore::DocumentInternal::execCommandCallback
             chrome.dll!v8::internal::HandleApiCallHelper<...>
             chrome.dll!v8::internal::Builtin_HandleApiCall
             chrome.dll!v8::internal::Invoke
             chrome.dll!v8::internal::Execution::Call
             ...
Created attachment 77498 [details]
Repro for variation

Another variation triggers a different NULL ptr, but it is very likely to be the same issue.

id:          chrome.dll!WebCore::CompositeEditCommand::insertNodeAfter ReadAV@NULL (29eebb7d18b96e3ebd13753da9421a51)
description: Attempt to read from unallocated NULL pointer+0x2C in chrome.dll!WebCore::CompositeEditCommand::insertNodeAfter
application: Chromium 10.0.623.0
stack:       chrome.dll!WebCore::CompositeEditCommand::insertNodeAfter
             chrome.dll!WebCore::CompositeEditCommand::cloneParagraphUnderNewElement
             chrome.dll!WebCore::CompositeEditCommand::moveParagraphWithClones
             chrome.dll!WebCore::InsertListCommand::doApplyForSingleParagraph
             chrome.dll!WebCore::InsertListCommand::doApply
             chrome.dll!WebCore::EditCommand::apply
             chrome.dll!WebCore::applyCommand
             chrome.dll!WebCore::executeInsertOrderedList
             chrome.dll!WebCore::Editor::Command::execute
             chrome.dll!WebCore::Document::execCommand
             chrome.dll!WebCore::DocumentInternal::execCommandCallback
             chrome.dll!v8::internal::HandleApiCallHelper<...>
             chrome.dll!v8::internal::Builtin_HandleApiCall
             chrome.dll!v8::internal::Invoke
             chrome.dll!v8::internal::Execution::Call
             ...
Created attachment 77499 [details]
Repro for yet another variation

Another variation triggers a different NULL ptr, but it is very likely to be the same issue.

id:          chrome.dll!WebCore::Node::lastChild ReadAV@NULL (8ba40a58b893ad95e3d64afed231eb8f)
description: Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::Node::lastChild
application: Chromium 10.0.623.0
stack:       chrome.dll!WebCore::Node::lastChild
             chrome.dll!WebCore::CompositeEditCommand::cloneParagraphUnderNewElement
             chrome.dll!WebCore::CompositeEditCommand::moveParagraphWithClones
             chrome.dll!WebCore::InsertListCommand::doApplyForSingleParagraph
             chrome.dll!WebCore::InsertListCommand::doApply
             chrome.dll!WebCore::EditCommand::apply
             chrome.dll!WebCore::applyCommand
             chrome.dll!WebCore::executeInsertOrderedList
             chrome.dll!WebCore::Editor::Command::execute
             chrome.dll!WebCore::Document::execCommand
             chrome.dll!WebCore::DocumentInternal::execCommandCallback
             chrome.dll!v8::internal::HandleApiCallHelper<...>
             chrome.dll!v8::internal::Builtin_HandleApiCall
             chrome.dll!v8::internal::Invoke
             chrome.dll!v8::internal::Execution::Call
             ...
> Repro for yet another variation

Sorry, please ignore the last one: this is the same as variation #2 - there are only three (not four) variations that I found so far.