Fix CSS Typed OM crash for pending substitutions.

Shorthand properties containing var() references are represented as CSSPendingSubstitutionValues. The style value factory had casts ignoring this fact which caused crashes. Bug: 1007866 Change-Id: I8d83ba03ce6e4d3a8ce7d2ced949a4bd5ab1072e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1827016Reviewed-by: Xida Chen <xidachen@chromium.org> Commit-Queue: Rune Lillesveen <futhark@chromium.org> Cr-Commit-Position: refs/heads/master@{#700702}

Fix CSS Typed OM crash for pending substitutions.
Shorthand properties containing var() references are represented as CSSPendingSubstitutionValues. The style value factory had casts ignoring this fact which caused crashes. Bug: 1007866 Change-Id: I8d83ba03ce6e4d3a8ce7d2ced949a4bd5ab1072e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1827016Reviewed-by: Xida Chen <xidachen@chromium.org> Commit-Queue: Rune Lillesveen <futhark@chromium.org> Cr-Commit-Position: refs/heads/master@{#700702}
482293e3 · Rune Lillesveen · Commit Bot · 9a235650 · 482293e3 · 482293e3
Commit 482293e3 authored Sep 27, 2019 by Rune Lillesveen Committed by Commit Bot Sep 27, 2019
5 changed files
--- a/third_party/blink/renderer/build/scripts/core/css/templates/style_property_shorthand.h.tmpl
+++ b/third_party/blink/renderer/build/scripts/core/css/templates/style_property_shorthand.h.tmpl
@@ -64,7 +64,7 @@ const StylePropertyShorthand& animationShorthandForParsing();
 const StylePropertyShorthand& transitionShorthandForParsing();
 // Returns an empty list if the property is not a shorthand.
-const StylePropertyShorthand& shorthandForProperty(CSSPropertyID);
+CORE_EXPORT const StylePropertyShorthand& shorthandForProperty(CSSPropertyID);
 // Return the list of shorthands for a given longhand.
 // The client must pass in an empty result vector.

--- a/third_party/blink/renderer/core/css/BUILD.gn
+++ b/third_party/blink/renderer/core/css/BUILD.gn
@@ -616,6 +616,7 @@ blink_core_tests("unit_tests") {
    "cssom/css_unit_value_test.cc",
    "cssom/css_unparsed_value_test.cc",
    "cssom/css_unsupported_color_value_test.cc",
+    "cssom/inline_style_property_map_test.cc",
    "cssom/paint_worklet_style_property_map_test.cc",
    "cssom/prepopulated_computed_style_property_map_test.cc",
    "drag_update_test.cc",

--- a/third_party/blink/renderer/core/css/cssom/css_position_value.cc
+++ b/third_party/blink/renderer/core/css/cssom/css_position_value.cc
@@ -95,10 +95,11 @@ CSSPositionValue* CSSPositionValue::Create(CSSNumericValue* x,
 }
 CSSPositionValue* CSSPositionValue::FromCSSValue(const CSSValue& value) {
-  const auto& pair = To<CSSValuePair>(value);
+  const auto* pair = DynamicTo<CSSValuePair>(&value);
+  if (!pair)
-  CSSNumericValue* x = FromSingleValue(pair.First());
+    return nullptr;
-  CSSNumericValue* y = FromSingleValue(pair.Second());
+  CSSNumericValue* x = FromSingleValue(pair->First());
+  CSSNumericValue* y = FromSingleValue(pair->Second());
  DCHECK(x);
  DCHECK(y);

--- a/third_party/blink/renderer/core/css/cssom/inline_style_property_map_test.cc
+++ b/third_party/blink/renderer/core/css/cssom/inline_style_property_map_test.cc
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "third_party/blink/renderer/core/css/cssom/inline_style_property_map.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/blink/renderer/core/css/properties/css_property.h"
+#include "third_party/blink/renderer/core/dom/document.h"
+#include "third_party/blink/renderer/core/dom/element.h"
+#include "third_party/blink/renderer/core/style_property_shorthand.h"
+namespace blink {
+TEST(InlineStylePropertyMapTest, PendingSubstitutionValueCrash) {
+  // Test that trying to reify any longhands with a CSSPendingSubstitutionValue
+  // does not cause a crash.
+  Document* document = MakeGarbageCollected<Document>();
+  Element* div = document->CreateRawElement(html_names::kDivTag);
+  InlineStylePropertyMap map(div);
+  // For each shorthand, create a declaration with a var() reference and try
+  // reifying all longhands.
+  for (CSSPropertyID property_id : CSSPropertyIDList()) {
+    const CSSProperty& shorthand = CSSProperty::Get(property_id);
+    if (!shorthand.IsShorthand())
+      continue;
+    div->SetInlineStyleProperty(property_id, "var(--dummy)");
+    const StylePropertyShorthand& longhands = shorthandForProperty(property_id);
+    for (unsigned i = 0; i < longhands.length(); i++) {
+      map.get(document,
+              longhands.properties()[i]->GetCSSPropertyName().ToAtomicString(),
+              ASSERT_NO_EXCEPTION);
+    }
+  }
+}
+}  // namespace blink
--- a/third_party/blink/renderer/core/css/cssom/style_value_factory.cc
+++ b/third_party/blink/renderer/core/css/cssom/style_value_factory.cc
@@ -131,10 +131,11 @@ CSSStyleValue* CreateStyleValueWithPropertyInternal(CSSPropertyID property_id,
      return CreateStyleValue(value);
    }
    case CSSPropertyID::kGridAutoFlow: {
-      const auto& value_list = To<CSSValueList>(value);
+      if (const auto* value_list = DynamicTo<CSSValueList>(value)) {
-      // Only single keywords are supported in level 1.
+        // Only single keywords are supported in level 1.
-      if (value_list.length() == 1U)
+        if (value_list->length() == 1U)
-        return CreateStyleValue(value_list.Item(0));
+          return CreateStyleValue(value_list->Item(0));
+      }
      return nullptr;
    }
    case CSSPropertyID::kTransform:
@@ -150,10 +151,11 @@ CSSStyleValue* CreateStyleValueWithPropertyInternal(CSSPropertyID property_id,
    case CSSPropertyID::kTransformOrigin:
      return CSSPositionValue::FromCSSValue(value);
    case CSSPropertyID::kOffsetRotate: {
-      const auto& value_list = To<CSSValueList>(value);
+      if (const auto* value_list = DynamicTo<CSSValueList>(&value)) {
-      // Only single keywords are supported in level 1.
+        // Only single keywords are supported in level 1.
-      if (value_list.length() == 1U)
+        if (value_list->length() == 1U)
-        return CreateStyleValue(value_list.Item(0));
+          return CreateStyleValue(value_list->Item(0));
+      }
      return nullptr;
    }
    case CSSPropertyID::kAlignItems: {
@@ -171,10 +173,11 @@ CSSStyleValue* CreateStyleValueWithPropertyInternal(CSSPropertyID property_id,
      if (value.IsIdentifierValue())
        return CreateStyleValue(value);
-      const auto& value_list = To<CSSValueList>(value);
+      if (const auto* value_list = DynamicTo<CSSValueList>(&value)) {
-      // Only single keywords are supported in level 1.
+        // Only single keywords are supported in level 1.
-      if (value_list.length() == 1U)
+        if (value_list->length() == 1U)
-        return CreateStyleValue(value_list.Item(0));
+          return CreateStyleValue(value_list->Item(0));
+      }
      return nullptr;
    }
    case CSSPropertyID::kTextIndent: {
@@ -189,10 +192,11 @@ CSSStyleValue* CreateStyleValueWithPropertyInternal(CSSPropertyID property_id,
    }
    case CSSPropertyID::kTransitionProperty:
    case CSSPropertyID::kTouchAction: {
-      const auto& value_list = To<CSSValueList>(value);
+      if (const auto* value_list = DynamicTo<CSSValueList>(value)) {
-      // Only single values are supported in level 1.
+        // Only single values are supported in level 1.
-      if (value_list.length() == 1U)
+        if (value_list->length() == 1U)
-        return CreateStyleValue(value_list.Item(0));
+          return CreateStyleValue(value_list->Item(0));
+      }
      return nullptr;
    }
    case CSSPropertyID::kWillChange: {