Created attachment 93662 [details] Repro Chromium: https://code.google.com/p/chromium/issues/detail?id=82793 Repro: <script> function f() { document.designMode="on"; document.execCommand("selectall"); document.execCommand("insertimage",false); document.execCommand("insertunorderedlist",false); document.execCommand("insertparagraph",false); document.execCommand("InsertUnorderedList",false); document.execCommand("justifyleft"); document.execCommand("insertorderedlist",false); document.execCommand("outdent"); document.execCommand("Undo"); document.execCommand("justifyfull"); document.execCommand("insertorderedlist"); document.execCommand("ForwardDelete",false); document.execCommand("InsertLineBreak",false); document.execCommand("InsertImage",false); document.execCommand("InsertImage",false); location.reload(); } </script> <body onload="f()"><pre style="word-wrap: break-word; white-space: pre-wrap;">;</pre></body> Maybe a long lost cousin of bug 32823 ? id: chrome.dll!WebCore::positionInParentBeforeNode ReadAV@NULL (2bff1e44471dc03603b0d1576c1b0601) description: Attempt to read from unallocated NULL pointer+0x24 in chrome.dll!WebCore::positionInParentBeforeNode application: Chromium 13.0.764.0 stack: chrome.dll!WebCore::positionInParentBeforeNode chrome.dll!WebCore::ReplaceSelectionCommand::positionAtStartOfInsertedContent chrome.dll!WebCore::ReplaceSelectionCommand::doApply chrome.dll!WebCore::EditCommand::apply chrome.dll!WebCore::applyCommand chrome.dll!WebCore::executeInsertFragment chrome.dll!WebCore::executeInsertNode chrome.dll!WebCore::executeInsertImage chrome.dll!WebCore::Editor::Command::execute chrome.dll!WebCore::Document::execCommand chrome.dll!WebCore::DocumentInternal::execCommandCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call chrome.dll!v8::Function::Call chrome.dll!WebCore::V8Proxy::callFunction chrome.dll!WebCore::V8LazyEventListener::callListenerFunction chrome.dll!WebCore::V8AbstractEventListener::invokeEventHandler chrome.dll!WebCore::V8AbstractEventListener::handleEvent chrome.dll!WebCore::EventTarget::fireEventListeners chrome.dll!WebCore::EventTarget::fireEventListeners chrome.dll!WebCore::DOMWindow::dispatchEvent chrome.dll!WebCore::DOMWindow::dispatchTimedEvent chrome.dll!WebCore::DOMWindow::dispatchLoadEvent chrome.dll!WebCore::Document::implicitClose chrome.dll!WebCore::FrameLoader::checkCompleted chrome.dll!WebCore::FrameLoader::finishedParsing chrome.dll!WebCore::Document::finishedParsing chrome.dll!WebCore::HTMLDocumentParser::prepareToStopParsing chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource chrome.dll!WebCore::FrameLoader::finishedLoading chrome.dll!WebCore::MainResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest chrome.dll!ResourceDispatcher::OnRequestComplete chrome.dll!IPC::MessageWithTuple<...>::Dispatch<ResourceDispatcher,ResourceDispatcher,void chrome.dll!ResourceDispatcher::DispatchMessageW chrome.dll!ResourceDispatcher::OnMessageReceived chrome.dll!ChildThread::OnMessageReceived chrome.dll!RunnableMethod<sync_notifier::NonBlockingInvalidationNotifier::Core,void chrome.dll!`anonymous namespace'::TaskClosureAdapter::Run ...