Make NGAbstractInlineText::GetOrCreate() to take only NGPaintFragment

This patch changes to |NGAbstractInlineText::GetOrCreate()| to take only
|NGPaintFragment| to avoid to create |NGAbstractInlineText| having
|NGPaintFragment| not to associated to |line_layout_item_| member variable.

These invalid |NGAbstractInlineText| causes crash by referring destructed
|LayoutObject| in |NGAbstractInlineText::Detach()|.

This crash can be happend in following scenario:

1. Create |NGAbstractInlineText| by |LayoutText::FirstAbstractInlineText()|
with layout object L1 and fragment F1_1 then get A1(L1, F1)
2. Create |NGAbstractInlineText::NextOnLine()| with L1 and F2 then get
A2(L1, F2) where F2 is associated to L2.
3. Destroy L1 then call Detach() for A1(L1, F1) => no problem
4. Destroy L2 then call Detach() for A2(L1, F2) => crash since L1 is destroyed

Bug: 928925
Change-Id: Ic0a55b4e15723e1988d0727aba45723aed4d3a4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1525257
Auto-Submit: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Koji Ishii <kojii@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#641109}

third_party/blink/renderer/core/layout/layout_text.cc

@@ -2453,8 +2453,7 @@ scoped_refptr<AbstractInlineTextBox> LayoutText::FirstAbstractInlineTextBox() {
     if (!fragments.IsEmpty() &&
         fragments.IsInLayoutNGInlineFormattingContext()) {
       has_abstract_inline_text_box_ = true;
-      return NGAbstractInlineTextBox::GetOrCreate(LineLayoutText(this),
-                                                  **fragments.begin());
+      return NGAbstractInlineTextBox::GetOrCreate(fragments.front());
     }
   }
   return LegacyAbstractInlineTextBox::GetOrCreate(LineLayoutText(this),

third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.cc

@@ -19,7 +19,6 @@ NGAbstractInlineTextBox::FragmentToNGAbstractInlineTextBoxHashMap*
     NGAbstractInlineTextBox::g_abstract_inline_text_box_map_ = nullptr;
 
 scoped_refptr<AbstractInlineTextBox> NGAbstractInlineTextBox::GetOrCreate(
-    LineLayoutText line_layout_item,
     const NGPaintFragment& fragment) {
   DCHECK(fragment.GetLayoutObject()->IsText()) << fragment.GetLayoutObject();
   if (!g_abstract_inline_text_box_map_) {
@@ -30,7 +29,8 @@ scoped_refptr<AbstractInlineTextBox> NGAbstractInlineTextBox::GetOrCreate(
   if (it != g_abstract_inline_text_box_map_->end())
     return it->value;
   scoped_refptr<AbstractInlineTextBox> obj =
-      base::AdoptRef(new NGAbstractInlineTextBox(line_layout_item, fragment));
+      base::AdoptRef(new NGAbstractInlineTextBox(
+          LineLayoutText(ToLayoutText(fragment.GetLayoutObject())), fragment));
   g_abstract_inline_text_box_map_->Set(&fragment, obj);
   return obj;
 }
@@ -110,7 +110,7 @@ NGAbstractInlineTextBox::NextInlineTextBox() const {
   const NGPaintFragment* next_fragment = NextTextFragmentForSameLayoutObject();
   if (!next_fragment)
     return nullptr;
-  return GetOrCreate(GetLineLayoutItem(), *next_fragment);
+  return GetOrCreate(*next_fragment);
 }
 
 LayoutRect NGAbstractInlineTextBox::LocalBounds() const {
@@ -214,7 +214,7 @@ scoped_refptr<AbstractInlineTextBox> NGAbstractInlineTextBox::NextOnLine()
   NGPaintFragmentTraversal cursor(*fragment_->ContainerLineBox(), *fragment_);
   for (cursor.MoveToNext(); !cursor.IsAtEnd(); cursor.MoveToNext()) {
     if (cursor->GetLayoutObject()->IsText())
-      return GetOrCreate(GetLineLayoutItem(), *cursor);
+      return GetOrCreate(*cursor);
   }
   return nullptr;
 }
@@ -228,7 +228,7 @@ scoped_refptr<AbstractInlineTextBox> NGAbstractInlineTextBox::PreviousOnLine()
   NGPaintFragmentTraversal cursor(*fragment_->ContainerLineBox(), *fragment_);
   for (cursor.MoveToPrevious(); !cursor.IsAtEnd(); cursor.MoveToPrevious()) {
     if (cursor->GetLayoutObject()->IsText())
-      return GetOrCreate(GetLineLayoutItem(), *cursor);
+      return GetOrCreate(*cursor);
   }
   return nullptr;
 }

third_party/blink/renderer/core/layout/ng/inline/ng_abstract_inline_text_box.h

@@ -17,11 +17,8 @@ class NGPhysicalTextFragment;
 class CORE_EXPORT NGAbstractInlineTextBox final : public AbstractInlineTextBox {
  private:
   // Returns existing or newly created |NGAbstractInlineTextBox|.
-  // * |line_layout_item| is |LayoutText| associated to |fragment|. For first
-  // letter part, it is remaining part of |LayoutTextFragment|.
   // * |fragment| should be attached to |NGPhysicalTextFragment|.
   static scoped_refptr<AbstractInlineTextBox> GetOrCreate(
-      LineLayoutText line_layout_item,
       const NGPaintFragment& fragment);
   static void WillDestroy(NGPaintFragment*);