Created attachment 103903 [details] Repro (unzip and load repro.html) WebCore::Document::documentElement() can return NULL. There are a few places in the code where this is not taken into account. http://codesearch.google.com/codesearch#search/&q=documentElement%5C(%5C)%5C-%5C%3ErenderStyle&exact_package=chromium&type=cs Repro.html: <iframe src="repro.svg" onload="go(this)"></iframe> <script> function go(oIframe) { setTimeout(function() { document.adoptNode(oIframe.contentDocument.documentElement); }, 1); } </script> Repro.svg: <?xml version="1.0" standalone="no"?> <?xml-stylesheet href="repro.css" ?> Repro.css: @media (width:1) { @page {} } (I bet there is a simpler way to trigger this). id: webkit.dll!WebCore::Node::renderStyle ReadAV@NULL (c335e7a3c5b21e67401e64aac7846349) description: Attempt to read from unallocated NULL pointer+0x28 in webkit.dll!WebCore::Node::renderStyle application: Chromium 14.0.828.0 stack: webkit.dll!WebCore::Node::renderStyle webkit.dll!WebCore::widthMediaFeatureEval webkit.dll!WebCore::min_widthMediaFeatureEval webkit.dll!WebCore::MediaQueryEvaluator::eval webkit.dll!WebCore::CSSStyleSelector::affectedByViewportChange webkit.dll!WebCore::FrameView::layout webkit.dll!WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive webkit.dll!WebKit::WebFrameImpl::layout webkit.dll!WebKit::WebViewImpl::layout chrome.dll!RenderWidget::DoDeferredUpdate chrome.dll!RenderWidget::DoDeferredUpdateAndSendInputAck chrome.dll!RenderWidget::InvalidationCallback ... @hyatt: in r45919 you added code to handle "rem" css units, which I think introduced this particular instance of this issue. The w3c docs do not specify how to handle "rem" units when there is no document element, so I don't know how to fix this. If you have a fix, could you see if the other places in the CSS code where the same problem seems to exist might be fixed in the same way?