Make Element#innerText to use CHECK at StringView construction

This patch converts use-after-tree to CHECK() by changing Element#innerText
to cause CEHCK() instead of DCHECK in StringView constructor to avoid
use-after-tree.

Note: We are not sure of root causes both use-after-free tree and wrong
StringView constructor call.

Bug: 964464
Change-Id: If4d289c8f6fe4072c1869553cd952d0c153a3369
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1619510Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Commit-Queue: Koji Ishii <kojii@chromium.org>
Auto-Submit: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#661314}

third_party/blink/renderer/core/editing/element_inner_text.cc

@@ -255,6 +255,10 @@ void ElementInnerTextCollector::ProcessLayoutText(const LayoutText& layout_text,
   const NGOffsetMapping* const mapping = GetOffsetMapping(layout_text);
   const NGMappingUnitRange range = mapping->GetMappingUnitsForNode(text_node);
   for (const NGOffsetMappingUnit& unit : range) {
+    // TODO(yosin): Once |NGOffsetMapping| holds valid entries, we should remove
+    // following |CHECK|s. See http://crbug.com/964871
+    CHECK_LE(unit.TextContentStart(), mapping->GetText().length());
+    CHECK_LE(unit.TextContentEnd(), mapping->GetText().length());
     result_.EmitText(
         StringView(mapping->GetText(), unit.TextContentStart(),
                    unit.TextContentEnd() - unit.TextContentStart()));