antti@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=76191

Source/WebCore:

Reviewed by Andreas Kling.

Setting the user style sheet frees the existing user style sheet data structures. The code in Document::updatePageGroupUserSheets then relies on styleSelectorChanged to clear the style selector so it is not left with stale pointers. However under certain conditions involving pending stylesheets it may bail out quickly without clearing.

Document::styleSelectorChanged has to take care that it never leaves the style selector stale even when bailing out early.

Test: fast/css/user-stylesheet-crash.html

* dom/Document.cpp:
(WebCore::Document::styleSelectorChanged):

LayoutTests:

Reviewed by Andreas Kling.

* fast/css/user-stylesheet-crash-expected.txt: Added.
* fast/css/user-stylesheet-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104845 268f45cc-cd09-0410-ab3c-d52691b4dbfc
03962279
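The failure mode the commit message describes, as an added model that is neither WebKit code nor the actual patch: a cache that outlives the data it was built from because the refresh function returns early. All names (`Doc`, `Selector`, `clearOnBailOut`, `staleAfterSheetSwap`) are hypothetical, and integer sheet ids stand in for the raw pointers so staleness can be checked safely.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Simplified model; every name is hypothetical, none of this is WebKit code.
// Sheet ids stand in for raw pointers so staleness is checkable without UB.
struct Sheet { unsigned id; };
struct Selector { std::vector<unsigned> cachedSheetIds; };

struct Doc {
    explicit Doc(bool clear) : clearOnBailOut(clear) {}
    bool clearOnBailOut;          // true = hardened behaviour
    bool pendingSheets = false;   // a stylesheet load is in flight
    unsigned nextId = 1;
    std::vector<std::unique_ptr<Sheet>> sheets;
    std::unique_ptr<Selector> selector;
    // Frees the existing user sheets, then relies on styleSelectorChanged().
    void setUserSheets(int count) {
        sheets.clear();
        while (count-- > 0) sheets.push_back(std::make_unique<Sheet>(Sheet{nextId++}));
        styleSelectorChanged();
    }
    void styleSelectorChanged() {
        if (pendingSheets) {                        // early bail-out path
            if (clearOnBailOut) selector.reset();   // never leave it stale
            return;
        }
        selector = std::make_unique<Selector>();    // rebuild from live sheets
        for (const auto& s : sheets) selector->cachedSheetIds.push_back(s->id);
    }
    // True if the selector still refers to a sheet that has been freed.
    bool selectorIsStale() const {
        if (!selector) return false;
        for (unsigned id : selector->cachedSheetIds)
            if (std::none_of(sheets.begin(), sheets.end(),
                             [id](const auto& s) { return s->id == id; }))
                return true;
        return false;
    }
};

// Replays the sequence from the commit message and reports staleness.
bool staleAfterSheetSwap(bool clearOnBailOut) {
    Doc d(clearOnBailOut);
    d.setUserSheets(2);       // selector built over sheets 1 and 2
    d.pendingSheets = true;
    d.setUserSheets(1);       // old sheets freed; refresh bails out early
    return d.selectorIsStale();
}
```

`staleAfterSheetSwap(false)` reports a stale selector, while `staleAfterSheetSwap(true)` does not, because the bail-out path drops the cache before returning.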