RESOLVED WORKSFORME
74924
editing: NULL ptr in line-break handling when text node is removed from document
https://bugs.webkit.org/show_bug.cgi?id=74924
Reported by Berend-Jan Wever, 2011-12-20 05:24:00 PST
Created attachment 120012
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=108163

<style>
  /* These values are needed to cause line breaks, but are otherwise not involved in the crash AFAIK */
  * { padding-left: 100px; }
  body { width: 100px; }
</style><script>
  window.onload = function () {
    document.execCommand('SelectAll');
    var oA1 = document.getElementById("1");
    oA1.removeChild(oA1.firstChild);
    var oSelection = window.getSelection();
    oSelection.modify("move","backward","paragraph");
  };
</script>
<body contenteditable="true">
  <a id="1">
    Some text is needed here
    <a id="2">There can be no white-space before this text
    </a>
  </a>
</body>

Not sure what is going on here - I'm not familiar with the "leafChild" code and how line-breaks are handled. However, it is a clean NULL ptr because the "firstLeafChild" of the document is NULL and gets used regardless.

id:          webkit.dll!WebCore::InlineBox::isHorizontal ReadAV@NULL (5446f106152a0ccff998d095bc4ad267)
description: Attempt to read from unallocated NULL pointer+0x21 in webkit.dll!WebCore::InlineBox::isHorizontal
application: Chrome 18.0.976.0
stack:       webkit.dll!WebCore::InlineBox::isHorizontal
             webkit.dll!WebCore::InlineBox::logicalLeft
             webkit.dll!WebCore::RootInlineBox::closestLeafChildForLogicalLeftPosition
             webkit.dll!WebCore::RootInlineBox::closestLeafChildForPoint
             webkit.dll!WebCore::previousLinePosition
             webkit.dll!WebCore::previousParagraphPosition
             webkit.dll!WebCore::FrameSelection::modifyMovingBackward
             webkit.dll!WebCore::FrameSelection::modify
             webkit.dll!WebCore::DOMSelection::modify
             webkit.dll!WebCore::DOMSelectionInternal::modifyCallback
             ...

Not affected: 16.0.877.0-
Affected: 16.0.912.63+
Attachments
Repro (605 bytes, text/html), 2011-12-20 05:24 PST, Berend-Jan Wever, no flags
Comment 1, Ryosuke Niwa, 2012-04-30 15:32:48 PDT
No longer reproduces.
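
The failure pattern in the reporter's description (a line whose first leaf box is NULL but gets dereferenced anyway), shown as an added example that is not part of the bug report and is not WebKit source. The classes and function names below are simplified, hypothetical stand-ins for the names in the stack trace, and the guarded variant is one possible defensive shape, not the change that made the bug stop reproducing.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical stand-ins for the classes named in the stack trace; not WebKit source.
struct InlineBox {
    float x = 0, y = 0;
    bool horizontal = true;
    bool isHorizontal() const { return horizontal; }
    float logicalLeft() const { return isHorizontal() ? x : y; }
};

struct RootInlineBox {
    std::vector<InlineBox*> leaves; // assumed empty once the line's only text node is removed
    InlineBox* firstLeafChild() const { return leaves.empty() ? nullptr : leaves.front(); }

    // Unguarded shape: assumes every line has at least one leaf box. On an
    // empty line this reads through a null pointer, as in the reported crash.
    InlineBox* closestLeafUnguarded(float left) const {
        InlineBox* first = firstLeafChild();
        if (left <= first->logicalLeft())
            return first;
        return closestFrom(left);
    }

    // Guarded shape: an empty line yields "no leaf"; the caller must handle nullptr.
    InlineBox* closestLeafGuarded(float left) const {
        InlineBox* first = firstLeafChild();
        if (!first)
            return nullptr;
        if (left <= first->logicalLeft())
            return first;
        return closestFrom(left);
    }

private:
    // Last box starting at or before `left`; leaves are assumed sorted by position.
    InlineBox* closestFrom(float left) const {
        InlineBox* best = leaves.front();
        for (InlineBox* box : leaves)
            if (box->logicalLeft() <= left)
                best = box;
        return best;
    }
};

int main() {
    RootInlineBox emptyLine; // constructed input: a line with no leaf boxes
    std::printf("guarded lookup on empty line: %p\n", (void*)emptyLine.closestLeafGuarded(50.0f));
    return 0;
}
```

Every caller of the guarded variant has to treat a null result as "no position on this line", otherwise the null dereference only moves one frame up the stack.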