Heap-use-after-free in WebCore::MutableStylePropertySet::setProperty

This patch fixes heap-use-after-free error (regression caused by r171246)
in the 'MutableStylePropertySet::setProperty' method. This error turned
up as the 'setProperty' method argument contained a pointer from the vector
buffer which had been previously freed (as we started to use 'Vector::swap'
instead of assignment operator).

BUG=362310

Review URL: https://codereview.chromium.org/234823004

git-svn-id: svn://svn.chromium.org/blink/trunk@171466 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/Source/core/css/StylePropertySet.cpp

@@ -457,7 +457,7 @@ bool MutableStylePropertySet::removePropertiesInSet(const CSSPropertyID* set, un
     if (m_propertyVector.isEmpty())
         return false;
 
-    WillBeHeapVector<CSSProperty, 4> newProperties;
+    WillBeHeapVector<CSSProperty> newProperties;
     newProperties.reserveInitialCapacity(m_propertyVector.size());
 
     unsigned initialSize = m_propertyVector.size();
@@ -470,7 +470,7 @@ bool MutableStylePropertySet::removePropertiesInSet(const CSSPropertyID* set, un
         newProperties.append(property);
     }
 
-    m_propertyVector.swap(newProperties);
+    m_propertyVector = newProperties;
     return initialSize != m_propertyVector.size();
 }