[LayoutNG] Change GetOffsetMapping to return nullptr if dirty

This patch changes GetOffsetMapping to return nullptr if
|NeedsLayout()| is set.

Before this change, we had DCHECK, which we changed to CHECK
to avoid reading unexpected memory, but the number of crashes
seem high enough to consider failing gracefully, similar to
what we do for |PrimaryFont()|.

This may need to add to some callers to handle |nullptr|, but
at worst this change turns CHECK to null-deref at each caller.

Bug: 946004, 967984, 955678
Change-Id: I0989963711c1db1f9f61c07383bf771bd6a778fb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1634590Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Reviewed-by: Morten Stenshorne <mstensho@chromium.org>
Commit-Queue: Emil A Eklund <eae@chromium.org>
Cr-Commit-Position: refs/heads/master@{#664287}

third_party/blink/renderer/core/layout/ng/inline/ng_inline_node.cc

@@ -442,9 +442,13 @@ const NGOffsetMapping* NGInlineNode::GetOffsetMapping(
     LayoutBlockFlow* layout_block_flow) {
   DCHECK(!layout_block_flow->GetDocument().NeedsLayoutTreeUpdate());
 
-  // TODO(crbug.com/962129): Fix the root cause of the missing layout, and turn
-  // this into a DCHECK.
-  CHECK(!layout_block_flow->NeedsLayout()) << layout_block_flow;
+  if (UNLIKELY(layout_block_flow->NeedsLayout())) {
+    // TODO(kojii): This shouldn't happen, but is not easy to fix all cases.
+    // Return nullptr so that callers can chose to fail gracefully, or
+    // null-deref. crbug.com/946004
+    NOTREACHED();
+    return nullptr;
+  }
 
   // If |layout_block_flow| is LayoutNG, compute from |NGInlineNode|.
   if (layout_block_flow->IsLayoutNGMixin()) {