I was able to reproduce the issue on N10, but what crashes is the QtWebProcess executable, not webapp-container. So the crash file attached to this bug report is useless. I’ve retraced the crash I’m seeing here, and here’s the backtrace I’m getting:

#0  HB_ThaiAssignAttributes (string=<optimized out>, len=3, attributes=0x12cfac1)
    at ../3rdparty/harfbuzz/src/harfbuzz-thai.c:420
#1  0xb571a2c6 in HB_GetTailoredCharAttributes (string=0xa7a53534, stringLength=<optimized out>, 
    items=<optimized out>, numItems=2, attributes=0x12cfac0) at ../3rdparty/harfbuzz/src/harfbuzz-shaper.cpp:496
#2  0xb56e4b30 in QUnicodeTools::initCharAttributes (string=0xa7a53534, length=5, items=0xbed62280, numItems=3, 
    attributes=0x12cfac0, options=...) at tools/qunicodetools.cpp:634
#3  0xb51c3702 in QTextEngine::attributes (this=0x12cf9c0) at text/qtextengine.cpp:1231
#4  0xb51c784c in QTextEngine::attributes (this=<optimized out>) at text/qtextengine.cpp:1236
#5  0xb51d04be in QTextLine::layout_helper (this=this@entry=0xbed62c48, maxGlyphs=maxGlyphs@entry=2147483647)
    at text/qtextlayout.cpp:1773
#6  0xb51d1592 in QTextLine::setLineWidth (this=this@entry=0xbed62c48, width=<optimized out>, width@entry=8388607)
    at text/qtextlayout.cpp:1572
#7  0xb620ebe4 in WebCore::setupLayout (layout=layout@entry=0xbed62c3c, style=...)
    at platform/graphics/qt/FontQt.cpp:68
#8  0xb620f864 in WebCore::Font::floatWidthForComplexText (this=this@entry=0xa7a5e970, run=...)
    at platform/graphics/qt/FontQt.cpp:210
#9  0xb61fcc56 in WebCore::Font::width (this=<optimized out>, run=..., fallbackFonts=fallbackFonts@entry=0x0, 
    glyphOverflow=<optimized out>, glyphOverflow@entry=0x0) at platform/graphics/Font.cpp:209
#10 0xb68cc88e in WebCore::RenderMenuList::updateOptionsWidth (this=0xa7d04154) at rendering/RenderMenuList.cpp:183
#11 0xb68f085c in WebCore::RenderMenuList::updateFromElement (this=0xa7d04154) at rendering/RenderMenuList.cpp:198
#12 0xb68185b0 in WebCore::HTMLFormControlElement::attach (this=0x11e2278) at html/HTMLFormControlElement.cpp:217
#13 0xb695bed4 in attachChildren (this=<optimized out>) at dom/ContainerNode.h:209
#14 attach (this=<optimized out>) at dom/ContainerNode.cpp:774
#15 WebCore::Element::attach (this=0x11e1a30) at dom/Element.cpp:1172
#16 0xb695bed4 in attachChildren (this=<optimized out>) at dom/ContainerNode.h:209
#17 attach (this=<optimized out>) at dom/ContainerNode.cpp:774
#18 WebCore::Element::attach (this=0x11e16c0) at dom/Element.cpp:1172
#19 0xb6964454 in reattach (this=0x11e16c0) at dom/Node.h:878
#20 WebCore::Element::recalcStyle (this=this@entry=0x11e16c0, change=change@entry=WebCore::Node::NoChange)
    at dom/Element.cpp:1281
#21 0xb696427c in WebCore::Element::recalcStyle (this=this@entry=0x11e14a0, 
    change=change@entry=WebCore::Node::NoChange) at dom/Element.cpp:1344
#22 0xb696427c in WebCore::Element::recalcStyle (this=this@entry=0x11e1428, 
    change=change@entry=WebCore::Node::NoChange) at dom/Element.cpp:1344
#23 0xb696427c in WebCore::Element::recalcStyle (this=this@entry=0x11d8340, 
    change=change@entry=WebCore::Node::NoChange) at dom/Element.cpp:1344
#24 0xb696427c in WebCore::Element::recalcStyle (this=this@entry=0x11d8118, 
    change=change@entry=WebCore::Node::NoChange) at dom/Element.cpp:1344
#25 0xb696427c in WebCore::Element::recalcStyle (this=0x11d78d8, change=WebCore::Node::NoChange)
    at dom/Element.cpp:1344
#26 0xb696705e in WebCore::Document::recalcStyle (this=0xa97ba000, change=<optimized out>) at dom/Document.cpp:1847
#27 0xb69671f2 in WebCore::Document::updateStyleIfNeeded (this=0xa97ba000) at dom/Document.cpp:1891
#28 0xb6967480 in WebCore::Document::updateLayout (this=this@entry=0xa97ba000) at dom/Document.cpp:1914
#29 0xb696889e in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0xa97ba000) at dom/Document.cpp:1952
#30 0xb6968f6a in WebCore::Element::clientWidth (this=0x1207fc0) at dom/Element.cpp:481
#31 0xb640cb46 in WebCore::jsElementClientWidth (exec=<optimized out>, slotBase=...) at generated/JSElement.cpp:367
#32 0xb6a71268 in JSC::PropertySlot::getValue (this=0xbed63050, exec=0xaab00218, propertyName=...)
    at runtime/PropertySlot.h:76
#33 0xb6a719ee in JSC::JSValue::get (this=<optimized out>, exec=0xaab00218, propertyName=..., slot=...)
    at runtime/JSObject.h:1461
#34 0xb6afa09c in get (propertyName=..., exec=0xbed630b0, this=0xbed63048) at runtime/JSObject.h:1452
#35 JSC::LLInt::getByVal (exec=exec@entry=0xaab00218, baseValue=..., subscript=...) at llint/LLIntSlowPaths.cpp:1079
#36 0xb6af5f40 in JSC::LLInt::llint_slow_path_get_by_val (exec=0xaab00218, pc=0xa7d8a654)
    at llint/LLIntSlowPaths.cpp:1085
#37 0xb6afc6a6 in llint_op_get_by_val () from /usr/lib/arm-linux-gnueabihf/libQt5WebKit.so.5
Backtrace stopped: previous frame identical to this frame (corrupt stack?)