Copy m_namespaceRules when copying StyleSheetContents to avoid crashing.

third_party/WebKit/Source/core/css/StyleSheetContents.cpp

Index: third_party/WebKit/Source/core/css/StyleSheetContents.cpp
diff --git a/third_party/WebKit/Source/core/css/StyleSheetContents.cpp b/third_party/WebKit/Source/core/css/StyleSheetContents.cpp
index 6740a6bb11b80df48d1284216d91c6f00fef7b11..5db9e9930013f2c3ee526bf165268c7f357f183e 100644
--- a/third_party/WebKit/Source/core/css/StyleSheetContents.cpp
+++ b/third_party/WebKit/Source/core/css/StyleSheetContents.cpp
@@ -92,6 +92,11 @@ StyleSheetContents::StyleSheetContents(const StyleSheetContents& o)
   // FIXME: Copy import rules.
   ASSERT(o.m_importRules.isEmpty());
 
+  for (unsigned i = 0; i < m_namespaceRules.size(); ++i) {
+    m_namespaceRules[i] =
+        static_cast<StyleRuleNamespace*>(o.m_namespaceRules[i]->copy());
+  }
+
   for (unsigned i = 0; i < m_childRules.size(); ++i)
     m_childRules[i] = o.m_childRules[i]->copy();
 }
@@ -274,6 +279,8 @@ bool StyleSheetContents::wrapperDeleteRule(unsigned index) {
   ASSERT(m_isMutable);
   ASSERT_WITH_SECURITY_IMPLICATION(index < ruleCount());
 
+  StyleRuleNamespace* test;
+  test = m_namespaceRules[0].get();

[rune, 2016/10/28 07:41:16]

What's this for?

[meade_UTC10, 2016/10/31 01:32:53]

Oops, removed.

   if (index < m_importRules.size()) {
     m_importRules[index]->clearParentStyleSheet();
     if (m_importRules[index]->isFontFaceRule())