Chromium Code Reviews
Description
blink: fix use-after-scope issues in CSSInterpolationType.
The problem was in the following line:
const AtomicString& propertyName = getProperty().customPropertyName();
<consequent use of propertyName>
getProperty() returns PropertyHandle value that is allocated on
the stack as a temporary variable with the scope of one statement.
Then customPropertyName() returns a reference to this temp variable.
Once the statement is over, PropertyHandle value goes out of scope
and is destroyed. By the time propertyName is used, it already points
to a potentially reused stack address. And even if it's not yet
reused, the object is destroyed, so the value is invalid anyway.
The fix is to save PropertyHandle value in a local variable with
a large enough scope to cover all propertyName uses.
The bug was found by AddressSanitizer with use-after-free check
enabled. It's currently being rolled out into Chrome, and this CL
is a part of a larger cleanup of existing failures.
BUG=649897, 683459, 683493
Review-Url: https://codereview.chromium.org/2649903005
Cr-Commit-Position: refs/heads/master@{#445559}
(cherry picked from commit a6de90795ea5ee5c080e3266dceedd98f66b045e)
Review-Url: https://codereview.chromium.org/2655663005 .
Cr-Commit-Position: refs/branch-heads/2987@{#79}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}
Committed: https://chromium.googlesource.com/chromium/src/+/269942eb79516fad019284211999bc92d382c138
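The lifetime problem the commit message describes, reduced to a stand-alone example. This is added illustration, not Chromium code: the `PropertyHandle` class, `getProperty()` and the property name `"--theme-color"` are hypothetical stand-ins that mirror the names in the description, and a live-object counter is added so the fixed version can show the handle is still alive while the reference is used.

```cpp
#include <cassert>
#include <string>
#include <utility>

// Hypothetical stand-in for the PropertyHandle described in the commit message.
// The counter tracks how many handles are alive so the test can check the
// reference is only used while its owner exists.
class PropertyHandle {
public:
    explicit PropertyHandle(std::string name) : m_name(std::move(name)) { ++s_live; }
    PropertyHandle(const PropertyHandle& other) : m_name(other.m_name) { ++s_live; }
    ~PropertyHandle() { --s_live; }

    // Returns a reference INTO this object: valid only while the handle is alive.
    const std::string& customPropertyName() const { return m_name; }

    static int liveCount() { return s_live; }

private:
    std::string m_name;
    static int s_live;
};
int PropertyHandle::s_live = 0;

// Stand-in for getProperty(): returns the handle BY VALUE, so when called
// inside a larger expression the result is a temporary that is destroyed
// at the end of that full expression.
PropertyHandle getProperty() { return PropertyHandle("--theme-color"); }

// The buggy shape from the commit message, kept as a comment because it is
// undefined behaviour (this is exactly what ASan's use-after-scope check reports):
//
//   const std::string& propertyName = getProperty().customPropertyName();
//   // the temporary PropertyHandle is destroyed here; propertyName now dangles
//   use(propertyName);

// The fix: keep the handle in a local whose scope covers every use of the
// reference obtained from it.
std::string readPropertyNameFixed() {
    const PropertyHandle property = getProperty();              // local owns the name
    const std::string& propertyName = property.customPropertyName();
    assert(PropertyHandle::liveCount() == 1);                   // owner still alive here
    return "custom property: " + propertyName;                  // safe use
}

int main() {
    return readPropertyNameFixed() == "custom property: --theme-color" ? 0 : 1;
}
```

The same rule applies to any accessor that returns a reference into an object obtained by value: either bind the owning object to a named local first, as the commit does, or have the accessor return by value so there is nothing to dangle.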
Patch Set 1
Messages
Total messages: 2 (1 generated)