Chromium: http://code.google.com/p/chromium/issues/detail?id=112429
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=17437362
Fuzzer: Bj_doc_fuzzer
Crash Type: UNKNOWN
Crash Address: 0x000000000024
Crash State:
- crash stack -
WebCore::CompositeEditCommand::splitTreeToNode
WebCore::InsertParagraphSeparatorCommand::doApply
WebCore::CompositeEditCommand::applyCommandToComposite
Regressed: https://cluster-fuzz.appspot.com/revisions?range=114944:114952
Minimized Testcase (1.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv975pgjac1kPy_yBFunVYtgDLHRLi2HG814EDcvAiPB-_3pZvb606d4Fd1HfymuDNVoNq4kVPdEzIaKBlXR0-R0rj-7FvspNTORr5aNxH4T1W5wio3A6IV3bJ9o3n_sSJxnB3ikGdOayNWBV6izygUhvQExFSw
I can no longer reproduce a null pointer crash. We fall into an infinite loop because mutation events trigger more editing commands to execute, but that's expected behavior in accordance with the script.