Steps to repro: 1. Visit <data:text/html,<input placeholder="placeholder" oninput="this.selectionStart">> 2. Tap field. 3. Press ‘h’ on the keyboard.
Assert is always incorrect because of FIXME in HTMLTextFormControlElement::indexForPosition(). Well, FIXME is correct: [[ index = std::min(index, length); // FIXME: We shouldn't have to call innerTextValue() just to ignore the last LF. See finishText. ]] <https://trac.webkit.org/browser/trunk/Source/WebCore/html/HTMLTextFormControlElement.cpp?rev=256197#L652> but doesn't explain why. innerTextValue() is wrong because it represents the AFTER insertion value of the field. But the passed position is BEFORE insertion. So, guaranteed mismatch if indexForPosition() is called when the text input event is dispatched.
I am just going to get rid of the assert because I would need to study the code to actually fix it up. The code has had the original FIXME since it was written in 2014!
Created attachment 390692 [details] Patch
Comment on attachment 390692 [details] Patch R=me.
<rdar://problem/59435896>