Fix a crash PaintWorkletImageProvider::GetPaintRecordResult

The root cause of this crash is:
At DiscardableImageMap::GatherDiscardableImages, we got early
exist when the PaintOp::ComputePaintRect. The early out makes
sense because there is nothing to paint if the paint rect is
empty.
Due to the above early out, the |paint_worklet_records_| in the
PictureLayerImpl is empty. But later on at
DrawImageRectOp::RasterWithFlags, we do not have the same
check using PaintOp::ComputePaintRect, so it will try to look
for the RasterContent in the |paint_worklet_records_|.

The solution is that at DrawImageRectOp::RasterWithFlags, if
the PaintOp::ComputePaintRect is empty, we should just early
return because there is nothing to paint, so no paint record
at all.

Bug: 1095163, 1156955
Change-Id: Ic46636cfe7c256f58261430e07c9ff3a9efa6c80
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2570548
Commit-Queue: Xida Chen <xidachen@chromium.org>
Reviewed-by: Khushal <khushalsagar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#835369}

cc/paint/paint_op_buffer.cc

@@ -4,6 +4,10 @@
 
 #include "cc/paint/paint_op_buffer.h"
 
+#include <memory>
+#include <utility>
+#include <vector>
+
 #include "build/build_config.h"
 #include "cc/paint/decoded_draw_image.h"
 #include "cc/paint/display_item_list.h"
@@ -1525,6 +1529,13 @@ void DrawImageRectOp::RasterWithFlags(const DrawImageRectOp* op,
     // we should draw nothing.
     if (!params.image_provider)
       return;
+    // TODO(crbug.com/1157152): We shouldn't need this check, QuickRejectDraw
+    // should have done the job.
+    const SkRect& clip_rect = SkRect::Make(canvas->getDeviceClipBounds());
+    const SkMatrix& ctm = canvas->getTotalMatrix();
+    gfx::Rect local_op_rect = PaintOp::ComputePaintRect(op, clip_rect, ctm);
+    if (local_op_rect.IsEmpty())
+      return;
     ImageProvider::ScopedResult result =
         params.image_provider->GetRasterContent(DrawImage(op->image));
 

third_party/blink/web_tests/FlagExpectations/composite-after-paint

@@ -64,3 +64,6 @@ crbug.com/1124979 compositing/video/video-controls-layer-creation.html [ Pass Fa
 
 crbug.com/1150468 virtual/composite-bgcolor-animation/external/wpt/css/css-backgrounds/* [ Skip ]
 crbug.com/1150468 virtual/composite-bgcolor-animation-hidpi/external/wpt/css/css-backgrounds/hidpi/* [ Skip ]
+
+crbug.com/1157199 external/wpt/css/css-paint-api/column-count-crash.https.html [ Crash ]
+crbug.com/1157199 virtual/off-main-thread-css-paint/external/wpt/css/css-paint-api/column-count-crash.https.html [ Crash ]

third_party/blink/web_tests/external/wpt/css/css-paint-api/column-count-crash.https.html

+<!DOCTYPE html>
+<html class="test-wait">
+<link rel="help" href="https://drafts.css-houdini.org/css-paint-api/">
+<style>
+#output {
+  width: 100px;
+  height: 100px;
+}
+body {
+  -webkit-mask-box-image-source: url(resources/dot.png);
+  column-count: 3;
+}
+.test-wait {
+  column-count: 600;
+}
+</style>
+<body>
+<div id="output"></div>
+
+<script id="code" type="text/worklet">
+registerPaint('green', class {
+    paint(ctx, geom) {}
+});
+</script>
+
+<script>
+// Regression test for crbug.com/1095163, the test passes as long as it doesn't
+// crash.
+var el = document.getElementById('output');
+el.style.backgroundImage = 'paint(green)';
+
+var blob = new Blob([document.getElementById('code').textContent],
+                    {type: 'text/javascript'});
+CSS.paintWorklet.addModule(URL.createObjectURL(blob)).then(function() {
+  document.documentElement.classList.remove("test-wait");
+});
+</script>
+</body>
+</html>