Make previousLinePosition() not to use dangling RootInlineBox

Make previousLinePosition() not to use dangling RootInlineBox

This patch makes |previousLinePosition()| not to use dangling |RootInlineBox|
pointer to avoid use-after-free.

Before this patch, |isEditablePosition()| is called with |DoUpdateStyle|
parameter to update layout tree if needed. Usually, layout tree isn't updated
by this |isEditablePosition()| call since |previousLinePosition()| updates
layout tree at entry. However, if there are pending style sheet, e.g. @import
directive, and HTML import, e.g link rel=import, layout tree is updated since
document isn't rendering ready, |haveImportLoaded()| &&
|haveRenderBlockingStyleSheetsLoaded()|.

BUG=618237
TEST=LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html

Committed: https://crrev.com/fb81c66590538c2487a34b8623066a22d0b27dff
Review-Url: https://codereview.chromium.org/2082893005
Cr-Original-Commit-Position: refs/heads/master@{#401231}
Cr-Commit-Position: refs/heads/master@{#401581}
(cherry picked from commit e9c943f368d15bbfe414aedf5e001792257f3eeb)

Committed: https://chromium.googlesource.com/chromium/src/+/16d4aaf9a5794ff0e10c57bf7b7bbfadee3ba26a

[yosin_UTC9, 2016-07-15 01:35:55]

Description was changed from

==========
Make previousLinePosition() not to use dangling RootInlineBox

This patch makes |previousLinePosition()| not to use dangling |RootInlineBox|
pointer to avoid use-after-free.

Before this patch, |isEditablePosition()| is called with |DoUpdateStyle|
parameter to update layout tree if needed. Usually, layout tree isn't updated
by this |isEditablePosition()| call since |previousLinePosition()| updates
layout tree at entry. However, if there are pending style sheet, e.g. @import
directive, and HTML import, e.g link rel=import, layout tree is updated since
document isn't rendering ready, |haveImportLoaded()| &&
|haveRenderBlockingStyleSheetsLoaded()|.

BUG=618237
TEST=LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html

Committed: https://crrev.com/fb81c66590538c2487a34b8623066a22d0b27dff
Review-Url: https://codereview.chromium.org/2082893005
Cr-Original-Commit-Position: refs/heads/master@{#401231}
Cr-Commit-Position: refs/heads/master@{#401581}
(cherry picked from commit e9c943f368d15bbfe414aedf5e001792257f3eeb)
==========

to

==========
Make previousLinePosition() not to use dangling RootInlineBox

This patch makes |previousLinePosition()| not to use dangling |RootInlineBox|
pointer to avoid use-after-free.

Before this patch, |isEditablePosition()| is called with |DoUpdateStyle|
parameter to update layout tree if needed. Usually, layout tree isn't updated
by this |isEditablePosition()| call since |previousLinePosition()| updates
layout tree at entry. However, if there are pending style sheet, e.g. @import
directive, and HTML import, e.g link rel=import, layout tree is updated since
document isn't rendering ready, |haveImportLoaded()| &&
|haveRenderBlockingStyleSheetsLoaded()|.

BUG=618237
TEST=LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html

Committed: https://crrev.com/fb81c66590538c2487a34b8623066a22d0b27dff
Review-Url: https://codereview.chromium.org/2082893005
Cr-Original-Commit-Position: refs/heads/master@{#401231}
Cr-Commit-Position: refs/heads/master@{#401581}
(cherry picked from commit e9c943f368d15bbfe414aedf5e001792257f3eeb)

Committed:
https://chromium.googlesource.com/chromium/src/+/16d4aaf9a5794ff0e10c57bf7b7b...
==========

[yosin_UTC9, 2016-07-15 01:35:58]

Committed patchset #1 (id:1) manually as
16d4aaf9a5794ff0e10c57bf7b7bbfadee3ba26a.