Bug 1650159 - Fix crash when editor is used mixed with shadow DOM. r=layout-reviewers,TYLin

See bug 1574544 and co for previous items in this saga. The editor code
can't go soon enough.

Using FlattenedChildIterator with anonymous children (the
IsRootOfNativeAnonymousSubtree() check) is just not supposed to happen,
as NAC are not flat tree children of their parent.

That is, the common case is hitting the
!IsRootOfNativeAnonymousSubtree() case, regardless of shadow dom.

It's only when editor does something awful like reframing NAC directly
that we hit this.

Differential Revision: https://phabricator.services.mozilla.com/D204892

layout/base/nsCSSFrameConstructor.cpp

@@ -6012,7 +6012,7 @@ nsIFrame* nsCSSFrameConstructor::GetInsertionPrevSibling(
 
   // Find the frame that precedes the insertion point.
   FlattenedChildIterator iter(aInsertion->mContainer);
-  if (iter.ShadowDOMInvolved() || !aChild->IsRootOfNativeAnonymousSubtree()) {
+  if (!aChild->IsRootOfNativeAnonymousSubtree()) {
     // The check for IsRootOfNativeAnonymousSubtree() is because editor is
     // severely broken and calls us directly for native anonymous
     // nodes that it creates.
@@ -8390,7 +8390,7 @@ void nsCSSFrameConstructor::RecreateFramesForContent(
   }
 
   // TODO(emilio): We technically can find the right insertion point nowadays
-  // using StyleChildrenIterator rather than FlattenedTreeIterator. But we'd
+  // using StyleChildrenIterator rather than FlattenedChildIterator. But we'd
   // need to tweak the setup to insert into replaced elements to filter which
   // anonymous roots can be allowed, and which can't.
   //