With this test case:

<!DOCTYPE html>
ABCDE ABCDE ABCDE ABCDE ABCDE ABCDE ABCDE ABCDE ABCDE ABCDE ABCDE ABCDE ABCDE
&#x202E;&#x202C;
<bdo dir="auto"></bdo>
ABCDE

and a window width that ensures the last "ABCDE" ends up on a second line, I get the following assertion:

/WebKit/Source/WebCore/platform/text/BidiResolver.h(899) : void WebCore::BidiResolverBase<Iterator, Run, DerivedClass>::createBidiRunsForLine(const Iterator&, WebCore::VisualDirectionOverride, bool) [with Iterator = WebCore::InlineIterator; Run = WebCore::BidiRun; DerivedClass = WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>]
1   0x7f01cd0e46cb /WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x9) [0x7f01cd0e46cb]
2   0x7f01dc785cb7 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::BidiResolverBase<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun> >::createBidiRunsForLine(WebCore::InlineIterator const&, WebCore::VisualDirectionOverride, bool)+0x118f) [0x7f01dc785cb7]
3   0x7f01dc73f282 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xadf9282) [0x7f01dc73f282]
4   0x7f01dc7406de /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int)+0x708) [0x7f01dc7406de]
5   0x7f01dc73ff69 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool)+0x4a7) [0x7f01dc73ff69]
6   0x7f01dc7425e7 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x7f7) [0x7f01dc7425e7]
7   0x7f01dc6f9b5b /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0xb7) [0x7f01dc6f9b5b]
8   0x7f01dc6f8efe /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x380) [0x7f01dc6f8efe]
9   0x7f01dc6e816f /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlock::layout()+0x6d) [0x7f01dc6e816f]
10  0x7f01dc6f9f03 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x3a5) [0x7f01dc6f9f03]
11  0x7f01dc6f9a67 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x21d) [0x7f01dc6f9a67]
12  0x7f01dc6f8f22 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x3a4) [0x7f01dc6f8f22]
13  0x7f01dc6e816f /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlock::layout()+0x6d) [0x7f01dc6e816f]
14  0x7f01dc6f9f03 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x3a5) [0x7f01dc6f9f03]
15  0x7f01dc6f9a67 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x21d) [0x7f01dc6f9a67]
16  0x7f01dc6f8f22 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x3a4) [0x7f01dc6f8f22]
17  0x7f01dc6e816f /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderBlock::layout()+0x6d) [0x7f01dc6e816f]
18  0x7f01dc945ede /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::RenderView::layout()+0x3d6) [0x7f01dc945ede]
19  0x7f01dc269644 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::FrameViewLayoutContext::layout()+0x7ba) [0x7f01dc269644]
20  0x7f01dc2650c1 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive()+0x155) [0x7f01dc2650c1]
21  0x7f01da3aaf00 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebKit::WebPage::layoutIfNeeded()+0x5e) [0x7f01da3aaf00]
22  0x7f01da810e04 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebKit::AcceleratedDrawingArea::updateBackingStoreState(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&)+0xfe) [0x7f01da810e04]
23  0x7f01da8128a3 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebKit::DrawingAreaImpl::updateBackingStoreState(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&)+0x137) [0x7f01da8128a3]
24  0x7f01da53f3d1 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(void IPC::callMemberFunctionImpl<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&), std::tuple<unsigned long, bool, float, WebCore::IntSize, WebCore::IntSize>, 0ul, 1ul, 2ul, 3ul, 4ul>(WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&), std::tuple<unsigned long, bool, float, WebCore::IntSize, WebCore::IntSize>&&, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul>)+0xfd) [0x7f01da53f3d1]
25  0x7f01da53f1a3 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(void IPC::callMemberFunction<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&), std::tuple<unsigned long, bool, float, WebCore::IntSize, WebCore::IntSize>, std::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul> >(std::tuple<unsigned long, bool, float, WebCore::IntSize, WebCore::IntSize>&&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&))+0x50) [0x7f01da53f1a3]
26  0x7f01da53eff7 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(void IPC::handleMessage<Messages::DrawingArea::UpdateBackingStoreState, WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&)>(IPC::Decoder&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long, bool, float, WebCore::IntSize const&, WebCore::IntSize const&))+0xaa) [0x7f01da53eff7]
27  0x7f01da53ec9f /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebKit::DrawingArea::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x85) [0x7f01da53ec9f]
28  0x7f01d9d52c2b /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x135) [0x7f01d9d52c2b]
29  0x7f01da17916e /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x46) [0x7f01da17916e]
30  0x7f01d9d38165 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(IPC::Connection::dispatchMessage(IPC::Decoder&)+0x71) [0x7f01d9d38165]
31  0x7f01d9d382d7 /WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)+0x16f) [0x7f01d9d382d7]

The value of m_status.eor is 10, which seems to be U_OTHER_NEUTRAL.

This is on GTK, but the code doesn't seem platform-dependent.