[LayoutNG] Don't hit test LayoutInline with missed layout

We currently have some cases where certain LayoutObjects remain dirty
after layout update, which causes security bugs if we continue to visit
its subtree or fragment tree.

This patch adds a CHECK to make it crash safely when hit testing such
a LayoutInline. We should fix the root cause later.

Bug: 965976
Change-Id: I1de8faf6d76caa43bddf93ddabc20653c1f2803d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1626349
Auto-Submit: Xiaocheng Hu <xiaochengh@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#662450}

third_party/blink/renderer/core/layout/layout_inline.cc

@@ -1033,6 +1033,10 @@ bool LayoutInline::NodeAtPoint(HitTestResult& result,
                                const LayoutPoint& accumulated_offset,
                                HitTestAction hit_test_action) {
   if (ContainingNGBlockFlow()) {
+    // TODO(crbug.com/965976): We should fix the root cause of the missed
+    // layout, and then turn this into a DCHECK.
+    CHECK(!NeedsLayout()) << this;
+
     // In LayoutNG, we reach here only when called from
     // PaintLayer::HitTestContents() without going through any ancestor, in
     // which case the element must have self painting layer.