Make previousLinePosition() not to use dangling RootInlineBox

This patch makes |previousLinePosition()| not to use dangling |RootInlineBox|
pointer to avoid use-after-free.

Before this patch, |isEditablePosition()| is called with |DoUpdateStyle|
parameter to update layout tree if needed. Usually, layout tree isn't updated
by this |isEditablePosition()| call since |previousLinePosition()| updates
layout tree at entry. However, if there are pending style sheet, e.g. @import
directive, and HTML import, e.g link rel=import, layout tree is updated since
document isn't rendering ready, |haveImportLoaded()| &&
|haveRenderBlockingStyleSheetsLoaded()|.

BUG=618237
TEST=LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html

Review-Url: https://codereview.chromium.org/2082893005
Cr-Commit-Position: refs/heads/master@{#401231}
diff --git a/third_party/WebKit/LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html b/third_party/WebKit/LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html
new file mode 100644
index 0000000..b1ccd24
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/editing/selection/modify_move/move_backward_line_import_crash.html
@@ -0,0 +1,28 @@
+<!doctype html>
+<script src="../../../resources/testharness.js"></script>
+<script src="../../../resources/testharnessreport.js"></script>
+<div id="sample"></div>
+<div id="log"></div>
+<script>
+test(() => {
+    var sample = document.getElementById('sample');
+    sample.innerHTML = '<select><option>1</option></select><style>@import url(-)</style>';
+    // Mark tree dirty
+    document.body.appendChild(sample);
+    // Force layout
+    sample.offsetHeight;
+
+    var importElement = document.createElement('link');
+    importElement.setAttribute('rel', 'import');
+    sample.appendChild(importElement);
+
+    var selection = window.getSelection();
+    selection.collapse(sample, 1);
+    selection.modify('move', 'backward', 'line');
+
+    assert_equals(selection.anchorNode, sample, 'anchorNode');
+    assert_equals(selection.anchorOffset, 0, 'anchorOffset');
+    assert_equals(selection.focusNode, sample, 'focusNode');
+    assert_equals(selection.focusOffset, 0, 'focusOffset');
+}, 'move backward line should not crash with link/import');
+</script>
diff --git a/third_party/WebKit/Source/core/editing/VisibleUnits.cpp b/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
index dfcbf04..2be4514 100644
--- a/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
+++ b/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
@@ -1326,7 +1326,7 @@
     if (root) {
         // FIXME: Can be wrong for multi-column layout and with transforms.
         LayoutPoint pointInLine = absoluteLineDirectionPointToLocalPointInBlock(root, lineDirectionPoint);
-        LineLayoutItem lineLayoutItem = root->closestLeafChildForPoint(pointInLine, isEditablePosition(p))->getLineLayoutItem();
+        LineLayoutItem lineLayoutItem = root->closestLeafChildForPoint(pointInLine, isEditablePosition(p, ContentIsEditable, DoNotUpdateStyle))->getLineLayoutItem();
         Node* node = lineLayoutItem.node();
         if (node && editingIgnoresContent(node))
             return VisiblePosition::inParentBeforeNode(*node);