Created attachment 79921 [details] Repro Chromium: http://code.google.com/p/chromium/issues/detail?id=70605 Repro: <body onload=" document.execCommand('SelectAll'); document.designMode='on'; document.execCommand('underline'); document.execCommand('Bold'); "><svg><text>x This code hits ApplyStyleCommand::applyInlineStyle twice. The second time it does so, splitEnd is true in: bool splitEnd = isValidCaretPositionInTextNode(end); if (splitEnd) { if (shouldSplitTextElement(end.node()->parentElement(), style)) splitTextElementAtEnd(start, end); else splitTextAtEnd(start, end); start = startPosition(); end = endPosition(); endDummySpanAncestor = dummySpanAncestorForNode(end.node()); } After this code runs, start.isNull() is true. This causes a NULL pointer in an inline function later on. Adding the below check after the above code fixes this issue: if (start.isNull()) return; However, I don't understand the code well enough to determine if this is a proper fix for this issue, or if the problems is more fundamental.