Fix a nullptr deref in sorting keyframes rules

Bug: 1145406
Change-Id: I2bcc50fe3c6799586643750e7c655be0cac979dc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2519860
Auto-Submit: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org>
Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org>
Cr-Commit-Position: refs/heads/master@{#824324}

third_party/blink/renderer/core/css/resolver/scoped_style_resolver.cc

@@ -162,6 +162,8 @@ ScopedStyleResolver::KeyframeStylesForAnimationFromActiveSheets(
   StyleRuleKeyframes* vendor_prefixed_result = nullptr;
   for (auto sheet = sheets.rbegin(); sheet != sheets.rend(); ++sheet) {
     RuleSet* rule_set = sheet->second;
+    if (!rule_set)
+      continue;
     if (StyleRuleKeyframes* rule = rule_set->KeyframeStylesForAnimation(name)) {
       if (!rule->IsVendorPrefixed())
         return rule;

third_party/blink/renderer/core/css/resolver/style_resolver_test.cc

@@ -1094,4 +1094,18 @@ TEST_F(StyleResolverTest, InheritStyleImagesFromDisplayContents) {
       << "-webkit-mask-image is fetched";
 }
 
+// https://crbug.com/1145406
+TEST_F(StyleResolverTest, StyleSheetWithNullRuleSet) {
+  ScopedCSSKeyframesMemoryReductionForTest enabled_scope(true);
+
+  GetDocument().documentElement()->setInnerHTML(R"HTML(
+    <style>.c6 { animation-name: anim; }</style>
+    <style media=print></style>
+    <div class=c6></div>
+  )HTML");
+
+  // Should not crash inside
+  UpdateAllLifecyclePhasesForTest();
+}
+
 }  // namespace blink