Fix crash due to null context document in GetStringFromScriptHelper()

Bug: 1052723
Test: fast/dom/HTMLScriptElement/script-append-child-in-detached-document.html
Change-Id: Id1f0ad773644cbc3d5c0b5f556070c2d257a331b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2070957
Commit-Queue: Kentaro Hara <haraken@chromium.org>
Auto-Submit: Nate Chapin <japhet@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#744146}

third_party/blink/renderer/core/trustedtypes/trusted_types_util.cc

@@ -164,6 +164,8 @@ String GetStringFromScriptHelper(
     const char* attribute_name_for_exception,
     TrustedTypeViolationKind violation_kind,
     TrustedTypeViolationKind violation_kind_when_default_policy_failed) {
+  if (!doc)
+    return script;
   bool require_trusted_type =
       RequireTrustedTypesCheck(doc->ToExecutionContext());
   if (!require_trusted_type)

third_party/blink/web_tests/fast/dom/HTMLScriptElement/script-append-child-in-detached-document-expected.txt

+PASS unless crash

third_party/blink/web_tests/fast/dom/HTMLScriptElement/script-append-child-in-detached-document.html

+<!DOCTYPE html>
+<body>
+<iframe id="i" src="about:blank"></iframe>
+<script>
+if (window.testRunner)
+  testRunner.dumpAsText();
+var i_doc = i.contentDocument;
+i.remove();
+var script = i_doc.createElement("script");
+script.appendChild(i_doc.createTextNode("foo"));
+i_doc.body.appendChild(script);
+</script>
+<p>PASS unless crash</p>
+</body>