Only copy parsed properties over when mutating a rule.

Currently when we copy over a StyleRule we parse all proeprties
greedily. This should only be the already parsed properties. The greedy
method may result in a dangerous state.

This is a speculative fix for the ClusterFuzz issue.

Bug: 774061
Change-Id: I0b7f09018c7cf2d8ca75ea5d705016fbcce6f0ae
Reviewed-on: https://chromium-review.googlesource.com/722579Reviewed-by: Darren Shen <shend@chromium.org>
Commit-Queue: nainar <nainar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509352}

third_party/WebKit/LayoutTests/fast/css/lazy-parsing-delete-rule-crash.html

+<!DOCTYPE html>
+<link type="text/css" rel="stylesheet" href="resources/lazy-pasing-delete-rule-crash.css"/>
+<script src='../../resources/testharness.js'></script>
+<script src='../../resources/testharnessreport.js'></script>
+<div id="success"></div>
+<script>
+test(function() {
+	document.styleSheets[0].deleteRule(0);
+}, "Test that deleting a rule with lazy parsing turned on doesn't cause a crash");
+</script>
\ No newline at end of file

third_party/WebKit/LayoutTests/fast/css/resources/lazy-pasing-delete-rule-crash.css

+#success:before { content:'SUCCESS' }
\ No newline at end of file

third_party/WebKit/Source/core/css/StyleRule.cpp

@@ -234,7 +234,8 @@ StyleRule::StyleRule(const StyleRule& o)
     : StyleRuleBase(o),
       should_consider_for_matching_rules_(kConsiderIfNonEmpty),
       selector_list_(o.selector_list_.Copy()),
-      properties_(o.Properties().MutableCopy()) {}
+      properties_(o.ParsedProperties() ? o.ParsedProperties()->MutableCopy()
+                                       : nullptr) {}
 
 StyleRule::~StyleRule() {}