Created attachment 86162 [details] Repro Chromium: http://code.google.com/p/chromium/issues/detail?id=76675 Repro: <body onload="go()"></body> <script> function go() { document.open(); document.designMode="on"; var oSelection = window.getSelection(); oSelection.setPosition(document,6); document.write("x"); document.execCommand("InsertImage"); } </script> id: chrome.dll!WebCore::positionAvoidingPrecedingNodes ReadAV@NULL (586c6d571697e9318ad053888f701434) description: Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::positionAvoidingPrecedingNodes stack: chrome.dll!WebCore::positionAvoidingPrecedingNodes chrome.dll!WebCore::ReplaceSelectionCommand::doApply chrome.dll!WebCore::EditCommand::apply chrome.dll!WebCore::applyCommand chrome.dll!WebCore::executeInsertFragment chrome.dll!WebCore::executeInsertNode chrome.dll!WebCore::executeInsertImage chrome.dll!WebCore::Editor::Command::execute chrome.dll!WebCore::Document::execCommand chrome.dll!WebCore::DocumentInternal::execCommandCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call ...