Revert "Remove redundant SelectionState reassignment."

This reverts commit 895571d6.

Reason for revert: This causes HUA.

Original change's description:
> Remove redundant SelectionState reassignment.
> 
> Xor invalidation was shipped:
> https://chromium-review.googlesource.com/c/chromium/src/+/720817
> 
> Then there is no inconsistency SelectionState in layout tree thus
> we can just DCHECK its start/end state.
> 
> Bug: 739062
> Change-Id: I6bb791568a76d47f7088c692d2960eddc34f570a
> Reviewed-on: https://chromium-review.googlesource.com/798995
> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
> Commit-Queue: Yoichi Osato <yoichio@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#520869}

TBR=yosin@chromium.org,yoichio@chromium.org,xiaochengh@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 791484, 791293
Change-Id: Ie9679e069bbecc633a5c3818b8c8256598acb433
Reviewed-on: https://chromium-review.googlesource.com/807489Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521625}

third_party/WebKit/Source/core/editing/LayoutSelection.cpp

@@ -687,15 +687,43 @@ void LayoutSelection::Commit() {
   paint_range_ = new_range.PaintRange();
   if (paint_range_.IsNull())
     return;
-  if (paint_range_.StartLayoutObject() == paint_range_.EndLayoutObject()) {
-    DCHECK_EQ(paint_range_.StartLayoutObject()->GetSelectionState(),
-              SelectionState::kStartAndEnd);
-    return;
+  // TODO(yoichio): Remove this if state.
+  // This SelectionState reassignment is ad-hoc patch for
+  // prohibiting use-after-free(crbug.com/752715).
+  // LayoutText::setSelectionState(state) propergates |state| to ancestor
+  // LayoutObjects, which can accidentally change start/end LayoutObject state
+  // then LayoutObject::IsSelectionBorder() returns false although we should
+  // clear selection at LayoutObject::WillBeRemoved().
+  // We should make LayoutObject::setSelectionState() trivial and remove
+  // such propagation or at least do it in LayoutSelection.
+  if ((paint_range_.StartLayoutObject()->GetSelectionState() !=
+           SelectionState::kStart &&
+       paint_range_.StartLayoutObject()->GetSelectionState() !=
+           SelectionState::kStartAndEnd) ||
+      (paint_range_.EndLayoutObject()->GetSelectionState() !=
+           SelectionState::kEnd &&
+       paint_range_.EndLayoutObject()->GetSelectionState() !=
+           SelectionState::kStartAndEnd)) {
+    if (paint_range_.StartLayoutObject() == paint_range_.EndLayoutObject()) {
+      paint_range_.StartLayoutObject()->LayoutObject::SetSelectionState(
+          SelectionState::kStartAndEnd);
+    } else {
+      paint_range_.StartLayoutObject()->LayoutObject::SetSelectionState(
+          SelectionState::kStart);
+      paint_range_.EndLayoutObject()->LayoutObject::SetSelectionState(
+          SelectionState::kEnd);
+    }
   }
-  DCHECK_EQ(paint_range_.StartLayoutObject()->GetSelectionState(),
-            SelectionState::kStart);
-  DCHECK_EQ(paint_range_.EndLayoutObject()->GetSelectionState(),
-            SelectionState::kEnd);
+  // TODO(yoichio): If start == end, they should be kStartAndEnd.
+  // If not, start.SelectionState == kStart and vice versa.
+  DCHECK(paint_range_.StartLayoutObject()->GetSelectionState() ==
+             SelectionState::kStart ||
+         paint_range_.StartLayoutObject()->GetSelectionState() ==
+             SelectionState::kStartAndEnd);
+  DCHECK(paint_range_.EndLayoutObject()->GetSelectionState() ==
+             SelectionState::kEnd ||
+         paint_range_.EndLayoutObject()->GetSelectionState() ==
+             SelectionState::kStartAndEnd);
 }
 
 void LayoutSelection::OnDocumentShutdown() {