Fix crash in style invalidation when element has no parent during removal

https://bugs.webkit.org/show_bug.cgi?id=301879
rdar://163025404

Reviewed by Antti Koivisto.

This is a fuzzer found bug that results in a crash.
When hidePopoverInternal() is called during element removal (due to outerText being set),
style invalidation runs even when parentNode is null. This is
incorrect. We shouldn't be entering style invalidation in this case at all.
While the rest of the cleanup in hidePopoverInternal() is necessary, style
invalidation is not here.

As a result, this fix adds a null check to only perform style invalidation
when elements are NOT being removed (aka its parent still exists). Since we
add this check, the existing null check further down in invalidateStyleWithMatchElement()
is redundant and no longer necessary.

There were 2 previous attempted fixes for this: 286644@main and 293967@main.
286644@main had an incorrect Style::InvalidationScope::Descendants. 293967@main didn't
add null checks to the other relevant cases in invalidateStyleWithMatchElement().
This PR correctly implements the full fix.

Test: fast/dom/Element/nth-child-of-popover-open-crash.html

* LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash-expected.txt: Added.
* LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash.html: Added.
* Source/WebCore/html/HTMLElement.cpp:
(WebCore::HTMLElement::hidePopoverInternal):
* Source/WebCore/style/StyleInvalidator.cpp:
(WebCore::Style::Invalidator::invalidateStyleWithMatchElement):

Canonical link: https://commits.webkit.org/303507@main

Author: ruthvikkonda

LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash-expected.txt

@@ -0,0 +1,3 @@
+This test passes if WebKit does not crash.
+
+X

LayoutTests/fast/dom/Element/nth-child-of-popover-open-crash.html

@@ -0,0 +1,16 @@
+<p>This test passes if WebKit does not crash.</p>
+<style></style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+document.styleSheets[0].insertRule(`@scope (:nth-last-child(1 of :popover-open)) { i { } }`);
+
+let element = document.createElement('div');
+document.body.append(element);
+
+element.popover = 'auto';
+element.showPopover();
+element.scrollIntoView();
+element.outerText = 'X';
+</script>

Source/WebCore/html/HTMLElement.cpp

@@ -1243,7 +1243,9 @@ ExceptionOr<void> HTMLElement::hidePopoverInternal(FocusPreviousElement focusPre
     if (isInTopLayer())
         removeFromTopLayer();
 
-    Style::PseudoClassChangeInvalidation styleInvalidation(*this, CSSSelector::PseudoClass::PopoverOpen, false);
+    std::optional<Style::PseudoClassChangeInvalidation> styleInvalidation;
+    if (parentNode())
+        styleInvalidation.emplace(*this, CSSSelector::PseudoClass::PopoverOpen, false);
     popoverData()->setVisibilityState(PopoverVisibilityState::Hidden);
 
     if (fireEvents == FireEvents::Yes)

Source/WebCore/style/StyleInvalidator.cpp

@@ -303,10 +303,8 @@ void Invalidator::invalidateStyleWithMatchElement(Element& element, MatchElement
         break;
     case MatchElement::AnySibling:
         // :nth-last-child(even of .changed)
-        if (CheckedPtr parentNode = element.parentNode()) {
-            for (auto& parentChild : childrenOfType<Element>(*element.parentNode()))
-                invalidateIfNeeded(parentChild, nullptr);
-        }
+        for (auto& parentChild : childrenOfType<Element>(*element.parentNode()))
+            invalidateIfNeeded(parentChild, nullptr);
         break;
     case MatchElement::ParentSibling:
         // .changed ~ .a > .subject