NULL+4*N 9c5.305 @ microsoftedgecp.exe!edgehtml.dll!Tree::TreeReader::GetNextPreorderNode

Fixed Issue #7206617


Apr 14, 2016
This issue is public.
Reported by 1 person

Steps to reproduce

<body onload=x.offsetTop;><ol><li style="column-width:4" id=x>
Different repro with same crash stack:
<svg display="list-item" xmlns="" onload="setTimeout('document.execCommand(‘BackColor’)')">
Attachements will be added later as adding them appears to cause issues on the server which prevents me from submitting this bug.


Comments and activity

  • Interestingly, I cannot upload the BugId report because I get a server error message every time. If you’d like to address that issue, please give me another way to send you a copy of the report for testing.

  • Microsoft Edge Team

    Changed Assigned To to “Travis L.”

  • The problem was that the server does not accept files with a “#” in their name. Please fix the server.

  • Microsoft Edge Team

    Changed Assigned To from “Travis L.” to “Brad E.”

  • Hello,

    Thank you for the feedback on Edge. Our team has been testing this in our latest builds and are not able to repro the crash you reported. Could you provide more input on what is needed in order to complete the repro?

  • For future reference: the AVR.NUL… file contains debugging information, including the version of Edge I tested this with.

    I just reproduced it in 20.10240.16384, which is the current stable version on Windows 10. Were you unable to test it in anything but the latest build?

  • Microsoft Edge Team

    Changed Status to “Fixed”

  • Thanks for the supplemental information. I see that now. 

    The current stable release is 10586 - shown here (green box on the right):

    This was the version I tested with and determined this to be not repro. My apologies for not including that in my first message. I am able to repro in 10240 with a Virtual Machine I just now created - but it does not repro in 10586.  

    As a result of these findings I will close this item out as fixed since it repros in 10240, but is fixed in 10586 (current stable release shown in the URL above).

    We do appreciate you filing the feedback for us and hope that you continue to provide us with more in the future!

    Best regards,
    The MS Edge Team

  • That is odd. I just checked for updates on my VM and there were none. How can there be none if my Edge version is outdated? Should I not get an update to 10586?

  • This still reproduces with the following repro in edgehtml.dll 11.0.10586.306


  • Ugh… it’s discarding the repro html again :(

    Here’s something that you can probably turn into the repro:

    {body onload=open(“?","","width=1”)}{svg height=4% display=list-item}

