Chrome Version: 62
OS: Linux (not OS specific)

What steps will reproduce the problem?
(1) https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/password
(2) In the password field, type or paste "😁".

What is the expected result?
It is rendered as "·".

What happens instead?
It is rendered as "··". The two dots behave as a single character (moving the cursor over it skips both bullets together).

Details:
The character "😁" or U+1F601 is represented in UTF-16 as the surrogate pair D83D,DE01. The font renderer is clearly assuming that 1 UTF-16 code unit = 1 character, which is not always the case. While I don't think it's a security issue to show the wrong number of dots in a password field, it does incorrectly count the number of characters in a string.

Note that Chrome's RenderText class (which renders non-web text fields) does count each code point as a dot (and has a bunch of code for translating UTF-16 code unit indices to code point indices on password fields).