I have reduced the crash to this piece of HTML:
<form><input type="text" id="search" /></form>
If you call WebCore::findPlainText(...) specifying any text as parameter, you'll get an ASSERT here:
static void pushFullyClippedState(BitStack& stack, Node* node)
ASSERT(stack.size() == depthCrossingShadowBoundaries(node));
... snip ...
Stepping through this, I see that stack.size() returns 5 but depthCrossingShadowBoundaries returns 6, because it goes through this hierarchy of parent nodes:
HTMLInputElement (shadow parent)
Darin, if you have something simple you'd like me to try, feel free to suggest changes and I can try it out, formulate a patch and submit it to WebKit.
And I should mention this bug fix is what seems to have triggered this:
*** This bug has been marked as a duplicate of 26528 ***