[LayoutNG] Fix Heap-use-after-free in GetDocument

The fix is not to allow paint fragment traversal if layout is
dirty. The traversal was triggered by:

NGPaintFragment::SetShouldDoFullPaintInvalidationForFirstLine

There were other methods doing unsafe paint fragment traversals,
and this will prevent all of them from traversing a dirty
layout tree.

Bug: 962141
Change-Id: I2b44a2cdb250f26f654e108787477f2190a35658
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1612219Reviewed-by: Koji Ishii <kojii@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Commit-Queue: Aleks Totic <atotic@chromium.org>
Cr-Commit-Position: refs/heads/master@{#659675}

third_party/blink/renderer/core/layout/ng/layout_ng_mixin.h

@@ -52,7 +52,13 @@ class LayoutNGMixin : public Base {
 
   PositionWithAffinity PositionForPoint(const LayoutPoint&) const final;
 
-  NGPaintFragment* PaintFragment() const final { return paint_fragment_.get(); }
+  NGPaintFragment* PaintFragment() const final {
+    // TODO(layout-dev) crbug.com/963103
+    // Safer option here is to return nullptr only if
+    // Lifecycle > DocumentLifecycle::kAfterPerformLayout, but this breaks
+    // some layout tests.
+    return Base::NeedsLayout() ? nullptr : paint_fragment_.get();
+  }
   void SetPaintFragment(const NGBlockBreakToken*,
                         scoped_refptr<const NGPhysicalFragment>) final;