Fix a crash caused by touching outdated assigned_nodes

This is a tentative fix for several crashes cluster fuzzer reported.
It looks HTMLSlotElement::DetachLayoutTree is touching dirty
assigned_nodes.

It's still hard to have a minimized test case, so I'll work on that later
to investigate further. I've added TODO comment there.

Bug: 776656,843069,843261
Change-Id: I9093e170e3c851b89612f40e764bfdbdc1532d4f
Reviewed-on: https://chromium-review.googlesource.com/1061274
Commit-Queue: Hayato Ito <hayato@chromium.org>
Reviewed-by: Takayoshi Kochi <kochi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559096}

third_party/blink/renderer/core/html/html_slot_element.cc

@@ -364,9 +364,14 @@ HTMLSlotElement::ChildrenInFlatTreeIfAssignmentIsSupported() {
 
 void HTMLSlotElement::DetachLayoutTree(const AttachContext& context) {
   if (SupportsAssignment()) {
+    // TODO(hayato): It is suspicious that AssignedNodes() is required here,
+    // in terms of node tree lifecycle. Find a better way.
     const HeapVector<Member<Node>>& flat_tree_children =
-        RuntimeEnabledFeatures::SlotInFlatTreeEnabled() ? assigned_nodes_
-                                                        : distributed_nodes_;
+        RuntimeEnabledFeatures::SlotInFlatTreeEnabled()
+            ? (RuntimeEnabledFeatures::IncrementalShadowDOMEnabled()
+                   ? AssignedNodes()
+                   : assigned_nodes_)
+            : distributed_nodes_;
     for (auto& node : flat_tree_children)
       node->LazyReattachIfAttached();
   }