[LayoutNG] LayoutNGInsideListMarker inline splitting

Fuzzer caught a NULL deref crash. Running with DCHECK,
found a problem before the deref, we were cloning
LayoutNGInsideListMarker inside LayoutInline::SplitInlines.
This was triggering a DCHECK in LayoutInline::Clone.

I am not very familiar with how LayoutInline line splitting
works. I have a patch created with my shallow understanding
that fixes the crash, but I am not sure if this is the
right thing to do.

Bug: 962242
Change-Id: I11e4cf3307c257e7c396b4112888bad0cd76ac5a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1610522
Commit-Queue: Aleks Totic <atotic@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/heads/master@{#659286}

third_party/blink/renderer/core/layout/layout_inline.cc

@@ -614,6 +614,8 @@ void LayoutInline::SplitInlines(LayoutBlockFlow* from_block,
   Vector<LayoutInline*> inlines_to_clone;
   LayoutInline* top_most_inline = this;
   for (LayoutObject* o = this; o != from_block; o = o->Parent()) {
+    if (o->IsAnonymous())
+      continue;
     top_most_inline = ToLayoutInline(o);
     if (inlines_to_clone.size() < kCMaxSplitDepth)
       inlines_to_clone.push_back(top_most_inline);

third_party/blink/web_tests/external/wpt/css/css-inline/inline-crash-chrome-001.html

+<!DOCTYPE html>
+<title>CSS Inline: Chrome crash with split inlines</title>
+<link rel="author" href="mailto:atotic@google.com">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=962242">
+<meta name="assert" content="Chrome crashes on split inlines">
+<style>
+.first-line::first-line {
+  font-size: larger;
+}
+</style>
+<div class="first-line">
+  <ol style="list-style-position: inside">
+    <li>
+      <tag>
+        <div></div>
+<script>
+test(() => {
+}, 'did not crash');
+</script>