Created attachment 132710 [details] patch w/ layout test Ryosuke, Thanks for the bug report!

I checked other pointer dereference codes, and I think they are mostly looks ok. How about the following when textBox is a not-null-InlineTextBox? textBox->textRenderer()->text()->characters() I think it is fine since InlineTextBox must have a text renderer. And it should have text()->characters() although it could be null. There is similar usage in https://cs.corp.google.com/#chrome/src/third_party/WebKit/Source/WebCore/rendering/InlineTextBox.cpp&q=textRenderer()%20package:%5Echrome$%20file:%5Esrc/third_party/WebKit/.*.cpp&type=cs&l=346

Comment on attachment 132710 [details] patch w/ layout test View in context: https://bugs.webkit.org/attachment.cgi?id=132710&action=review > LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html:1 > +<head> No DOCTYPE?

Comment on attachment 132710 [details] patch w/ layout test View in context: https://bugs.webkit.org/attachment.cgi?id=132710&action=review >> LayoutTests/editing/selection/move-by-word-visually-crash-test-css-generated-content.html:1 >> +<head> > > No DOCTYPE? I will update all the tests in another patch.

Comment on attachment 132710 [details] patch w/ layout test Clearing flags on attachment: 132710 Committed r111469: <http://trac.webkit.org/changeset/111469>

All reviewed patches have been landed. Closing bug.