Created attachment 132710 [details]
patch w/ layout test

Ryosuke, Thanks for the bug report!

I checked other pointer dereference codes, and I think they are mostly looks ok.

How about the following when textBox is a not-null-InlineTextBox?
textBox->textRenderer()->text()->characters()

I think it is fine since InlineTextBox must have a text renderer. And it should have text()->characters() although it could be null. There is similar usage in 
https://cs.corp.google.com/#chrome/src/third_party/WebKit/Source/WebCore/rendering/InlineTextBox.cpp&q=textRenderer()%20package:%5Echrome$%20file:%5Esrc/third_party/WebKit/.*.cpp&type=cs&l=346

Comment on attachment 132710 [details]
patch w/ layout test

View in context: https://bugs.webkit.org/attachment.cgi?id=132710&action=review

> LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html:1
> +<head>

No DOCTYPE?

Comment on attachment 132710 [details]
patch w/ layout test

View in context: https://bugs.webkit.org/attachment.cgi?id=132710&action=review

>> LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html:1
>> +<head>
> 
> No DOCTYPE?

I will update all the tests in another patch.

Comment on attachment 132710 [details]
patch w/ layout test

Clearing flags on attachment: 132710

Committed r111469: <http://trac.webkit.org/changeset/111469>

All reviewed patches have been landed.  Closing bug.