<html>
    <head>
      <base href="https://bugs.webkit.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization"
   href="https://bugs.webkit.org/show_bug.cgi?id=199224">199224</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>CSS
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned@lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mcatanzaro@igalia.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=372932" name="attach_372932" title="Full backtrace">attachment 372932</a> <a href="attachment.cgi?id=372932&action=edit" title="Full backtrace">[details]</a></span>
Full backtrace

The crash looks like a null pointer dereference in this loop in StyledMarkupAccumulator::traverseNodesForSerialization (frame #2 in the backtrace below):

    Node* lastNode = nullptr;
    Node* next = nullptr;
    for (auto* n = startNode; n != pastEnd; lastNode = n, n = next) {

        Vector<Node*, 8> exitedAncestors;
        next = nullptr;
        if (auto* child = firstChild(*n)) // <-- n dereferenced when nullptr
            next = child;

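I don't have a reproducer, only the backtrace. In frame #2, n and next are both 0x0 while pastEnd is non-null; the loop condition only compares n against pastEnd, so a null n is not caught before firstChild(*n) is called: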

#0  WebCore::Node::firstChild (this=0x0) at ../Source/WebCore/dom/Node.h:595
No locals.
#1  WebCore::StyledMarkupAccumulator::firstChild (this=0x7ffcf45d82e0, node=...)
    at ../Source/WebCore/editing/markup.cpp:265
No locals.
#2  WebCore::StyledMarkupAccumulator::traverseNodesForSerialization (this=0x7ffcf45d82e0, startNode=<optimized out>, 
    pastEnd=0x7fedf4002838, traversalMode=WebCore::StyledMarkupAccumulator::NodeTraversalMode::DoNotEmitString)
    at ../Source/WebCore/editing/markup.cpp:629
        child = <optimized out>
        exitedAncestors = {<WTF::VectorBuffer<WebCore::Node*, 8>> = {<WTF::VectorBufferBase<WebCore::Node*>> = {
              m_buffer = 0x7ffcf45d8090, m_capacity = 8, m_size = 0}, m_inlineBuffer = {{
                __data = "H9\240\n\356\177\000", __align = {<No data fields>}}, {__data = "\360\267*?\357\177\000", 
                __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", 
                __align = {<No data fields>}}, {__data = "\000\215s\256\212\060\215\022", 
                __align = {<No data fields>}}, {__data = "\000\000\000\000\000\000\000", 
                __align = {<No data fields>}}, {__data = "\016\000\000\000\370\177\000", 
                __align = {<No data fields>}}, {__data = "\001\000\000\000\000\000\000", 
                __align = {<No data fields>}}, {__data = "\000\215s\256\212\060\215\022", 
                __align = {<No data fields>}}}}, <No data fields>}
        n = 0x0
        shouldEmit = false
        depth = 0
        enterNode = {__this = 0x7ffcf45d82e0, __shouldEmit = <synthetic pointer><error reading variable>, 
          __depth = <synthetic pointer><error reading variable>}
        lastClosed = 0x7fee0aa03948
        exitNode = {__depth = <synthetic pointer><error reading variable>, 
          __shouldEmit = <synthetic pointer><error reading variable>, __this = 0x7ffcf45d82e0, 
          __lastClosed = <synthetic pointer><error reading variable>}
        lastNode = 0x0
        next = 0x0
#3  0x00007fef3f2b94fd in WebCore::StyledMarkupAccumulator::serializeNodes (this=this@entry=0x7ffcf45d82e0, 
    start=..., end=...) at DerivedSources/ForwardingHeaders/wtf/DumbPtrTraits.h:43
        lastClosed = <optimized out>
        startNode = {
          static isRefPtr = <error reading variable: Missing ELF symbol "WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >::isRefPtr".>, m_ptr = 0x7fedf3e01008}
        pastEnd = 0x7fedf4002838

See attachment for the remaining frames. Note: crash occurs with WebKitGTK 2.25.2 (<a href="https://trac.webkit.org/r246495">r246495</a>).</pre>
        </div>
      </p>


    </body>
</html>