Now I can reproduce it without an iframe (second example in `test.html`). However I believe browser didn't crash outside of iframe when I initially posted this issue.

Thanks for filing the issue! Able to reproduce the issue with provided html.Please find the stack trace for the crash id.

Stack Trace:
------------
Thread 0 (id: 0x11441) CRASHED [SIGSEGV @ 0x00000010 ] MAGIC SIGNATURE THREAD
Stack Quality100%Show frame trust levels
0x000055c2cb932b67	(chrome -node.h:906 )	blink::Node::UpdateDistributionInternal()
0x000055c2cb9dbfbb	(chrome -node.h:506 )	blink::ComparePositions(blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&, blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&)
0x000055c2cb9e3717	(chrome -selection_adjuster.cc:51 )	blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > blink::(anonymous namespace)::ComputeAdjustedSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >, blink::EphemeralRangeTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&)
0x000055c2cb9e2f92	(chrome -selection_adjuster.cc:588 )	blink::SelectionAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&)
0x000055c2cb9ff33b	(chrome -visible_selection.cc:255 )	blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::CreateWithGranularity(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&, blink::TextGranularity)
0x000055c2cb9ff6bf	(chrome -visible_selection.cc:61 )	blink::CreateVisibleSelection(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&)
0x000055c2cb9de79e	(chrome -selection_controller.cc:780 )	blink::SelectionController::SetNonDirectionalSelectionIfNeeded(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&, blink::SetSelectionOptions const&, blink::SelectionController::EndPointsAdjustmentMode)
0x000055c2cb9de708	(chrome -selection_controller.cc:534 )	blink::SelectionController::UpdateSelectionForMouseDrag(blink::HitTestResult const&, blink::LayoutPoint const&, blink::LayoutPoint const&)
0x000055c2cb9df8a0	(chrome -selection_controller.cc:1002 )	blink::SelectionController::HandleMouseDraggedEvent(blink::EventWithHitTestResults<blink::WebMouseEvent> const&, blink::IntPoint const&, blink::LayoutPoint const&, blink::LayoutPoint const&)
0x000055c2cbcf00fa	(chrome -mouse_event_manager.cc:847 )	blink::MouseEventManager::HandleMouseDraggedEvent(blink::EventWithHitTestResults<blink::WebMouseEvent> const&)
0x000055c2cbce5fe8	(chrome -event_handler.cc:986 )	blink::EventHandler::HandleMouseMoveOrLeaveEvent(blink::WebMouseEvent const&, WTF::Vector<blink::WebMouseEvent, 0ul, WTF::PartitionAllocator> const&, blink::HitTestResult*, bool, bool)
0x000055c2cbce5ee1	(chrome -event_handler.cc:2180 )	blink::EventHandler::HandleMouseMoveOrLeaveEvent(blink::WebMouseEvent const&, WTF::Vector<blink::WebMouseEvent, 0ul, WTF::PartitionAllocator> const&, blink::HitTestResult*, bool, bool)
0x000055c2cbce5873	(chrome -event_handler.cc:795 )	blink::EventHandler::HandleMouseMoveEvent(blink::WebMouseEvent const&, WTF::Vector<blink::WebMouseEvent, 0ul, WTF::PartitionAllocator> const&)
0x000055c2cbfb6fbd	(chrome -page_widget_delegate.cc:259 )	blink::PageWidgetDelegate::HandleInputEvent(blink::PageWidgetEventHandler&, blink::WebCoalescedInputEvent const&, blink::LocalFrame*)
0x000055c2cba462d3	(chrome -web_view_impl.cc:2019 )	blink::WebViewImpl::HandleInputEvent(blink::WebCoalescedInputEvent const&)
0x000055c2ccc6d172	(chrome -render_widget_input_handler.cc:371 )	content::RenderWidgetInputHandler::HandleInputEvent(blink::WebCoalescedInputEvent const&, ui::LatencyInfo const&, base::OnceCallback<void (content::InputEventAckState, ui::LatencyInfo const&, std::__1::unique_ptr<ui::DidOverscrollParams, std::__1::default_delete<ui::DidOverscrollParams> >, base::Optional<cc::TouchAction>)>)
0x000055c2ccc5ed3b	(chrome -render_widget.cc:867 )	<name omitted>
0x000055c2ccc5766e	(chrome -render_view_impl.cc:2453 )	content::RenderViewImpl::HandleInputEvent(blink::WebCoalescedInputEvent const&, ui::LatencyInfo const&, base::OnceCallback<void (content::InputEventAckState, ui::LatencyInfo const&, std::__1::unique_ptr<ui::DidOverscrollParams, std::__1::default_delete<ui::DidOverscrollParams> >, base::Optional<cc::TouchAction>)>)
0x000055c2cc731c34	(chrome -main_thread_event_queue.cc:502 )	content::QueuedWebInputEvent::Dispatch(content::MainThreadEventQueue*)
0x000055c2cc7314da	(chrome -main_thread_event_queue.cc:431 )	content::MainThreadEventQueue::DispatchRafAlignedInput(base::TimeTicks)
0x000055c2ccc5fb07	(chrome -render_widget.cc:936 )	non-virtual thunk to content::RenderWidget::BeginMainFrame(base::TimeTicks)
0x000055c2c9bec288	(chrome -proxy_main.cc:208 )	cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >)
0x000055c2c9bf257c	(chrome -bind_internal.h:507 )	base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunOnce(base::internal::BindStateBase*)
0x000055c2c8d52182	(chrome -callback.h:99 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000055c2c88de6ea	(chrome -thread_controller_impl.cc:166 )	base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType)
0x000055c2c8d52182	(chrome -callback.h:99 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x000055c2c8d6ac5d	(chrome -message_loop.cc:319 )	base::MessageLoop::RunTask(base::PendingTask*)
0x000055c2c8d6b667	(chrome -message_loop.cc:329 )	base::MessageLoop::DoWork()
0x000055c2c8d6e484	(chrome -message_pump_default.cc:37 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate*)
0x000055c2c8d8cba3	(chrome -run_loop.cc:102 )	<name omitted>
0x000055c2ccc8ef88	(chrome -renderer_main.cc:218 )	content::RendererMain(content::MainFunctionParams const&)
0x000055c2c8a50540	(chrome -content_main_runner_impl.cc:561 )	content::RunZygote(content::ContentMainDelegate*)
0x000055c2c8a51983	(chrome -content_main_runner_impl.cc:643 )	content::ContentMainRunnerImpl::Run()
0x000055c2c8a5a7c6	(chrome -main.cc:459 )	service_manager::Main(service_manager::MainParams const&)
0x000055c2c8a4f9d3	(chrome -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const&)
0x000055c2c6e07142	(chrome -chrome_main.cc:101 )	ChromeMain
0x00007f041e5602b0	(libc-2.24.so + 0x000202b0 )	
0x000055c2c6d7da67	(chrome + 0x01919a67 )	clock_gettime.cfi_jt

Observed different behaviour on previous builds:
M60 - Unable to reproduce the issue.
M61 to M65 - Unable to select the inside text.
M65 to M69 - able to reproduce the issue.

Based on above results unable to provide the bisect results.Unable to provide the suspect also.

Making the status to Untriaged so that the issue would get addressed.Adding related component for further triage.
Note: Able to reproduce the issue on Windows 10, Linux Debian Rodete.

Thank You!

ctzsm: Does crrev.com/c/1102157 fix it? Or is it an independent issue?

Hmm, this can't be fixed by DOM only fix, it is still crashed on flat tree selection. I think we have to apply the fix for flat tree when shadow DOM is not involved in selection.

Assign this to me now, we need to figure out the scope we want to apply the fix.

Tried on recent Chrome Dev (70.0.3510.0), doesn't see crash anymore, should be fixed by crrev.com/c/1102157.