Selection in Shadow DOM is really broken now. This is a umbrella bug to fix Selection in Shadow DOM.
I've extracted all code where Position::containerNode() is used. https://docs.google.com/a/chromium.org/spreadsheet/ccc?key=0Aty2DXLelNGhdFhuaWliQWFnNEY0blNtX2lLUTRDZHc&pli=1#gid=0 Maybe we should create explicit tests for them to prove this patch does not introduce vulnerability...
To prove our code are sanity, it's good to have a fuzzer. If no bugs are found by the fuzzer, our code quality seems OK.