Commit 8821f127 authored by Koji Ishii, committed by Commit Bot

[LayoutNG] Prevent crashes in ShapingLineBreaker

This patch will prevent crashes in |HarfBuzzShaper::ShapeSegment|
probably caused by |ShapingLineBreaker| or |ShapeResult|, but I
could not come up with a good explanation of how this happens.

A case I looked at was LTR Arabic, trying to break a
|ShapeResult| for range 0-28. When we found a break opportunity
at 20, |last_safe| becomes 25. Shaping a range 25-20 causes OOM
in |HarfBuzzShaper::ShapeSegment| because start > end.

Checked for any possibilities of accidentally moving |last_safe|,
and possibilities where |ShapeResult::CachedPreviousSafeToBreakOffset|
can return a larger value than the given argument, but could
not find how it computes such a value.

This is a speculative fix.

Bug: 1000560, 1002061
Change-Id: Ieb9c2c988b5a116a49d5de407d1c269106c52dd7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1787026
Reviewed-by: Emil A Eklund <eae@chromium.org>
Reviewed-by: Dominik Röttsches <drott@chromium.org>
Commit-Queue: Emil A Eklund <eae@chromium.org>
Commit-Queue: Koji Ishii <kojii@chromium.org>
Auto-Submit: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#694779}
parent 5ba0070d
......@@ -309,10 +309,14 @@ scoped_refptr<const ShapeResultView> ShapingLineBreaker::ShapeLine(
DCHECK_LE(start, break_opportunity.offset);
last_safe =
result_->CachedPreviousSafeToBreakOffset(break_opportunity.offset);
DCHECK_LE(last_safe, break_opportunity.offset);
// No need to reshape the line end because this opportunity is safe.
if (last_safe == break_opportunity.offset)
break;
if (UNLIKELY(last_safe > break_opportunity.offset)) {
// TODO(crbug.com/1787026): This should not happen, but we see crashes.
NOTREACHED();
break;
}
// Moved the opportunity back enough to require reshaping the whole line.
if (UNLIKELY(last_safe < first_safe)) {
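Review bot: the TODO in the new guard, `// TODO(crbug.com/1787026): This should not happen, but we see crashes.`, cites 1787026, which is this change's Reviewed-on number on chromium-review, not a crbug id; the bugs this change tracks are 1000560 and 1002061 (from the Bug: line), so the TODO should point at one of those, e.g. `// TODO(crbug.com/1000560)`. Also, NOTREACHED() is a debug-only check, so in release builds the `break;` is the path users actually hit, and it leaves `last_safe` holding the offset that is larger than `break_opportunity.offset`; since the description says the crash comes from shaping an inverted range (25-20, start > end), consider clamping `last_safe = break_opportunity.offset;` before the `break;` so code after the loop cannot still be handed that inverted range.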