Check if documentElement needs re-attachment

A fuzzer case caused a crash in
LayoutBoxModelObject::BackgroundTransfersToView because the body style
was null, but the body still had a layout object since
ViewportDefiningElementChanged is called after style recalc but before
layout tree re-attachment. We had a guard for NeedsReattachLayoutTree on
body for this, but not for the root element.

I am not sure how the body can get a null ComputedStyle during recalc
without the NeedsReattachLayoutTree being set, but checking the root
element as well does fix the fuzzer crash.

Bug: 1150916
Change-Id: Icd1368717a9bd97dbd5ef541733eeab4187ccf93
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2550549Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#829625}

third_party/blink/renderer/core/css/style_engine.cc

@@ -2112,6 +2112,10 @@ void StyleEngine::UpdateStyleAndLayoutTree() {
 }
 
 void StyleEngine::ViewportDefiningElementDidChange() {
+  // Guarded by if-test in UpdateStyleAndLayoutTree().
+  DCHECK(GetDocument().documentElement());
+  if (GetDocument().documentElement()->NeedsReattachLayoutTree())
+    return;
   HTMLBodyElement* body = GetDocument().FirstBodyElement();
   if (!body || body->NeedsReattachLayoutTree())
     return;