Setting innerHTML in a template element in an inactive document should not crash.

Bug: 1100176
Test: html/semantics/scripting-1/the-template-element/template-element/template-set-inner-html-in-inactive-document-crash.html
Change-Id: I1d2ad61aead0d8f14952ae9b8e49d855d773e86f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2273798
Auto-Submit: Nate Chapin <japhet@chromium.org>
Reviewed-by: Mason Freed <masonfreed@chromium.org>
Commit-Queue: Nate Chapin <japhet@chromium.org>
Cr-Commit-Position: refs/heads/master@{#783693}

third_party/blink/renderer/core/editing/serializers/serialization.cc

@@ -610,6 +610,11 @@ DocumentFragment* CreateFragmentForInnerOuterHTML(
     const char* method,
     ExceptionState& exception_state) {
   DCHECK(context_element);
+  if (IsA<HTMLTemplateElement>(*context_element) &&
+      !context_element->GetExecutionContext()) {
+    return nullptr;
+  }
+
   Document& document =
       IsA<HTMLTemplateElement>(*context_element)
           ? context_element->GetDocument().EnsureTemplateDocument()

third_party/blink/web_tests/external/wpt/html/semantics/scripting-1/the-template-element/template-element/template-set-inner-html-in-inactive-document-crash.html

+<iframe id="i"></iframe>
+<script>
+  var doc = i.contentDocument;
+  i.remove();
+  doc.createElement("template").innerHTML = "";
+</script>