Created attachment 77505 [details] Repro http://code.google.com/p/chromium/issues/detail?id=68091 Repro: (somewhat large - can probably be reduced a lot more) <script> function go() { document.designMode="on"; document.execCommand("SelectAll", false); document.execCommand("insertunorderedlist") document.execCommand("bold"); document.execCommand("Indent", false); document.execCommand("insertparagraph") document.execCommand("inserthorizontalrule"); document.execCommand("Indent",false); document.execCommand("outdent"); document.execCommand("insertorderedlist", false) document.execCommand("insertimage", false); document.execCommand("insertunorderedlist",false); document.execCommand("SelectAll", false) document.execCommand("JustifyFull") document.execCommand("insertorderedlist",false) document.execCommand("insertimage",false); document.execCommand("InsertUnorderedList",false) document.execCommand("Indent"); document.execCommand("delete") document.execCommand("InsertUnorderedList") document.execCommand("insertunorderedlist", false) document.execCommand("Indent") document.execCommand("Indent",false) document.execCommand("outdent") document.execCommand("InsertUnorderedList") document.execCommand("insertorderedlist"); document.execCommand("insertimage", false); document.execCommand("insertparagraph"); document.execCommand("insertimage", false) document.execCommand("InsertHorizontalRule") document.execCommand("delete"); document.execCommand("insertorderedlist"); document.execCommand("delete", false); document.execCommand("selectall"); document.execCommand("Indent") document.execCommand("justifyright"); document.execCommand("insertorderedlist", false); document.execCommand("insertunorderedlist", false) document.execCommand("InsertUnorderedList", false); document.execCommand("Outdent", false); document.execCommand("Bold"); document.execCommand("outdent", false); document.execCommand("Outdent"); document.execCommand("inserthorizontalrule", false); document.execCommand("Outdent") document.execCommand("InsertUnorderedList"); document.execCommand("Outdent"); document.execCommand("InsertImage", false) document.execCommand("insertparagraph"); document.execCommand("Outdent"); document.execCommand("insertunorderedlist"); document.execCommand("insertunorderedlist", false); document.execCommand("insertorderedlist", false); document.execCommand("insertunorderedlist"); document.execCommand("insertunorderedlist", false); document.execCommand("Outdent", false) document.execCommand("selectall"); document.execCommand("indent") document.execCommand("insertimage", false); document.execCommand("insertunorderedlist", false); document.execCommand("insertorderedlist", false); document.execCommand("SelectAll", false); document.execCommand("insertorderedlist"); location.reload(); } </script> <body onload="go()"> id: chrome.dll!WebCore::Node::isBlockFlow ReadAV@NULL (8740b2b92337948c3b9246f2bb3a58f0) description: Attempt to read from unallocated NULL pointer+0x20 in chrome.dll!WebCore::Node::isBlockFlow application: Chromium 10.0.623.0 stack: chrome.dll!WebCore::Node::isBlockFlow chrome.dll!WebCore::InsertListCommand::doApplyForSingleParagraph chrome.dll!WebCore::InsertListCommand::doApply chrome.dll!WebCore::EditCommand::apply chrome.dll!WebCore::applyCommand chrome.dll!WebCore::executeInsertOrderedList chrome.dll!WebCore::Editor::Command::execute chrome.dll!WebCore::Document::execCommand chrome.dll!WebCore::DocumentInternal::execCommandCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...