GitLab

If we don't clear slot's assigned nodes when detaching a slot, if the slot assignment
recalc flag is dirty (the actual condition is more complex, see the code),
*cycle* would happen in detaching (after attaching a slot again) because a series of DOM mutations
can create a tree of trees as such:

- one of the slot's formerly assigned node, call it |A|, is a shadow-including ancestor of
  the slot.
- |A| is already attached.

In this case, detaching the slot will try to lazy-reattach |A|, and lazy-reattaching |A| doesn't
return early (because |A| doesn't need Attach). As a result, detaching the slot *cycles* and causes
an infinite loop (... -> |A| -> .. -> host -> shadow root -> .. -> slot -> |A| -> ...).

See the test (or bug 849599) for a concrete example.

Bug: 849599
Change-Id: I1c1ddb06ca9777af0052260aa721c2438da3c62b
Reviewed-on: https://chromium-review.googlesource.com/1090420Reviewed-by: Takayoshi Kochi <kochi@chromium.org>
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Hayato Ito <hayato@chromium.org>
Cr-Commit-Position: refs/heads/master@{#565323}