Clear offset mapping cache in LayoutSVGText::UpdateLayout()

This patch makes |LayoutSVGText::UpdateLayout()| to clear offset mapping cache
if needed rather than in |LayoutBlockFlow::UpdateBlockLayout()|[1] to fix
heap-use-after-free in |NGOffsetMapping|.

Unlike other derived classes of |LayoutBlockFlow|,
|LayoutSVGBlock::UpdateLayout()| doesn't call |UpdateBlockLayout()|, then
|LayoutSVGBlock| holds stale offset mapping cache.

[1] Make LayoutBlockFlowRareData to hold
NGOffsetMapping for legacy layout

Bug: 951218
Change-Id: Iacaa72a426cfcf9cd71495cf2c1ed6a0c6511ed9
Commit-Queue: Yoshifumi Inoue <>
Commit-Queue: Koji Ishii <>
Auto-Submit: Yoshifumi Inoue <>
Reviewed-by: Koji Ishii <>
Cr-Commit-Position: refs/heads/master@{#652503}
3 files changed