Created attachment 97772 [details] Repro Chromium: https://code.google.com/p/chromium/issues/detail?id=86760 Repro: <body></body> <script> document.designMode="on"; document.execCommand("selectall",false); document.execCommand("justifyright",false); document.execCommand("indent"); document.execCommand("InsertParagraph",false); document.execCommand("underline",false); document.execCommand("Outdent",false); document.execCommand("InsertOrderedList"); document.execCommand("inserthorizontalrule",false); document.execCommand("InsertImage",false); document.execCommand("JustifyLeft"); document.execCommand("inserthorizontalrule",false); document.execCommand("SelectAll",false); document.execCommand("underline",false); document.execCommand("insertorderedlist",false); document.execCommand("JustifyFull",false); document.execCommand("outdent",false); // ASSERTS document.execCommand("InsertText",false); // NULL ptr </script> id: chrome.dll!WebCore::Node::nodeIndex ReadAV@NULL (a4624887a870380698318e1d339ead43) description: Attempt to read from unallocated NULL pointer+0x18 in chrome.dll!WebCore::Node::nodeIndex application: Chromium 14.0.797.0 stack: chrome.dll!WebCore::Node::nodeIndex chrome.dll!WebCore::positionInParentBeforeNode chrome.dll!WebCore::InsertTextCommand::input chrome.dll!WebCore::TypingCommand::insertTextRunWithoutNewlines chrome.dll!WebCore::TypingCommand::insertText chrome.dll!WebCore::TypingCommand::doApply chrome.dll!WebCore::EditCommand::apply chrome.dll!WebCore::applyCommand chrome.dll!WebCore::TypingCommand::insertText chrome.dll!WebCore::TypingCommand::insertText chrome.dll!WebCore::executeInsertText chrome.dll!WebCore::Editor::Command::execute chrome.dll!WebCore::Document::execCommand chrome.dll!WebCore::DocumentInternal::execCommandCallback chrome.dll!v8::internal::HandleApiCallHelper<...> chrome.dll!v8::internal::Builtin_HandleApiCall chrome.dll!v8::internal::Invoke chrome.dll!v8::internal::Execution::Call chrome.dll!v8::Script::Run chrome.dll!WebCore::V8Proxy::runScript chrome.dll!WebCore::V8Proxy::evaluate chrome.dll!WebCore::ScriptController::evaluate chrome.dll!WebCore::ScriptElement::executeScript chrome.dll!WebCore::ScriptElement::prepareScript chrome.dll!WebCore::HTMLScriptRunner::runScript chrome.dll!WebCore::HTMLScriptRunner::execute chrome.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder chrome.dll!WebCore::HTMLDocumentParser::canTakeNextToken chrome.dll!WebCore::HTMLDocumentParser::pumpTokenizer chrome.dll!WebCore::HTMLDocumentParser::append chrome.dll!WebCore::DecodedDataDocumentParser::flush chrome.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource chrome.dll!WebCore::FrameLoader::finishedLoading chrome.dll!WebCore::MainResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceLoader::didFinishLoading chrome.dll!WebCore::ResourceHandleInternal::didFinishLoading chrome.dll!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest chrome.dll!ResourceDispatcher::OnRequestComplete chrome.dll!IPC::MessageWithTuple<...>::Dispatch<ResourceDispatcher,ResourceDispatcher,void chrome.dll!ResourceDispatcher::DispatchMessageW chrome.dll!ResourceDispatcher::OnMessageReceived ...