[css-typed-om] Don't crash when setting CSSVariableReferenceValue.

When creating a CSSVariableReferenceValue with a reference to a variable
which actually exists, we crash because CSSVariableReferenceValue objects
created through Typed OM don't have a CSSParserContext. This was missed
by our existing test suite, because we only covered a similar case where
the referenced variable *didn't* exist, avoiding the broken code path.

For now, fixed by using StrictCSSParserContext.

Bug: 986710, 985028
Change-Id: If51e34a77e5433849e0602f297909027fc743798
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1713627
Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org>
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#680390}

third_party/blink/renderer/core/css/resolver/css_variable_resolver.cc

@@ -268,6 +268,15 @@ void CSSVariableResolver::SetInvalidVariable(
     SetVariableValue(name, *registration, nullptr);
 }
 
+const CSSParserContext* CSSVariableResolver::GetParserContext(
+    const CSSVariableReferenceValue& value) const {
+  // TODO(crbug.com/985028): CSSVariableReferenceValue should always have
+  // a CSSParserContext.
+  if (value.ParserContext())
+    return value.ParserContext();
+  return StrictCSSParserContext(state_.GetDocument().GetSecureContextMode());
+}
+
 bool CSSVariableResolver::ResolveVariableReference(CSSParserTokenRange range,
                                                    const Options& options,
                                                    bool is_env_variable,
@@ -403,7 +412,7 @@ const CSSValue* CSSVariableResolver::ResolveVariableReferences(
     return cssvalue::CSSUnsetValue::Create();
   }
   const CSSValue* resolved_value = CSSPropertyParser::ParseSingleValue(
-      id, result.tokens, value.ParserContext());
+      id, result.tokens, GetParserContext(value));
   if (!resolved_value)
     return cssvalue::CSSUnsetValue::Create();
   return resolved_value;

third_party/blink/renderer/core/css/resolver/css_variable_resolver.h

@@ -17,6 +17,7 @@ class CSSCustomPropertyDeclaration;
 class CSSParserTokenRange;
 class CSSVariableData;
 class CSSVariableReferenceValue;
+class CSSParserContext;
 class PropertyRegistration;
 class PropertyRegistry;
 class StyleInheritedVariables;
@@ -214,6 +215,10 @@ class CORE_EXPORT CSSVariableResolver {
                         const CSSValue*);
   void SetInvalidVariable(const AtomicString& name,
                           const PropertyRegistration*);
+
+  const CSSParserContext* GetParserContext(
+      const CSSVariableReferenceValue&) const;
+
   const StyleResolverState& state_;
   StyleInheritedVariables* inherited_variables_;
   StyleNonInheritedVariables* non_inherited_variables_;

third_party/blink/web_tests/external/wpt/css/css-typed-om/set-var-reference-crash.html

+<!DOCTYPE html>
+<title>Don't crash when setting a CSSVariableReferenceValue</title>
+<link rel="help" href="https://drafts.css-houdini.org/css-typed-om-1/#cssvariablereferencevalue">
+<link rel="help" href="https://crbug.com/986710<">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<style>
+  :root { --x: green; }
+</style>
+<div id="target"></div>
+<script>
+  test(function(){
+    let ref = new CSSVariableReferenceValue('--x')
+    let unparsed = new CSSUnparsedValue([' ', ref]);
+    target.attributeStyleMap.set('color', unparsed);
+    assert_equals('rgb(0, 128, 0)', target.computedStyleMap().get('color').toString());
+  }, 'Do not crash when referencing a variable with CSSVariableReferenceValue');
+</script>