Fix Shadow DOM v0 crash in style resolution.

StyleResolverState::DistributedToV0InsertionPoint() doesn't mean that it is a V0 host child. There is no use in trying to make sense of that now as Shadow DOM v0 is going away, but the fact that it can actually be a shadow root child means parentElement() might be null. Bug: 1058605 Change-Id: Ia791f2caa1a4c7c19935135611a1fbdcfb07dc47 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2089753Reviewed-by: Mason Freed <masonfreed@chromium.org> Commit-Queue: Rune Lillesveen <futhark@chromium.org> Cr-Commit-Position: refs/heads/master@{#747416}

Fix Shadow DOM v0 crash in style resolution.
StyleResolverState::DistributedToV0InsertionPoint() doesn't mean that it is a V0 host child. There is no use in trying to make sense of that now as Shadow DOM v0 is going away, but the fact that it can actually be a shadow root child means parentElement() might be null. Bug: 1058605 Change-Id: Ia791f2caa1a4c7c19935135611a1fbdcfb07dc47 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2089753Reviewed-by: Mason Freed <masonfreed@chromium.org> Commit-Queue: Rune Lillesveen <futhark@chromium.org> Cr-Commit-Position: refs/heads/master@{#747416}
5a3894e0 · Rune Lillesveen · Commit Bot · 944e08f0 · 5a3894e0 · 5a3894e0
Commit 5a3894e0 authored Mar 05, 2020 by Rune Lillesveen Committed by Commit Bot Mar 05, 2020
2 changed files
--- a/third_party/blink/renderer/core/css/resolver/style_resolver.cc
+++ b/third_party/blink/renderer/core/css/resolver/style_resolver.cc
@@ -849,10 +849,10 @@ void StyleResolver::InitStyleAndApplyInheritance(Element& element,
    // contenteditable attribute (implemented by -webkit-user-modify) should
    // be propagated from shadow host to distributed node.
    if (state.DistributedToV0InsertionPoint() || element.AssignedSlot()) {
-      Element* parent = element.parentElement();
+      if (Element* parent = element.parentElement()) {
-      DCHECK(parent);
+        if (const ComputedStyle* shadow_host_style = parent->GetComputedStyle())
-      if (const ComputedStyle* shadow_host_style = parent->GetComputedStyle())
+          state.Style()->SetUserModify(shadow_host_style->UserModify());
-        state.Style()->SetUserModify(shadow_host_style->UserModify());
+      }
    }
  } else {
    state.SetStyle(InitialStyleForElement(GetDocument()));

--- a/third_party/blink/renderer/core/css/resolver/style_resolver_test.cc
+++ b/third_party/blink/renderer/core/css/resolver/style_resolver_test.cc
@@ -9,6 +9,7 @@
 #include "third_party/blink/renderer/core/css/style_engine.h"
 #include "third_party/blink/renderer/core/dom/document.h"
 #include "third_party/blink/renderer/core/dom/node_computed_style.h"
+#include "third_party/blink/renderer/core/dom/shadow_root.h"
 #include "third_party/blink/renderer/core/dom/text.h"
 #include "third_party/blink/renderer/core/testing/page_test_base.h"
@@ -67,4 +68,23 @@ TEST_F(StyleResolverTest, AnimationBaseComputedStyle) {
  EXPECT_EQ(20, resolver->StyleForElement(div)->FontSize());
 }
+TEST_F(StyleResolverTest, ShadowDOMV0Crash) {
+  GetDocument().documentElement()->SetInnerHTMLFromString(R"HTML(
+    <style>
+      span { display: contents; }
+    </style>
+    <summary><span id="outer"><span id="inner"></b></b></summary>
+  )HTML");
+  Element* outer = GetDocument().getElementById("outer");
+  Element* inner = GetDocument().getElementById("inner");
+  ShadowRoot& outer_root = outer->CreateV0ShadowRootForTesting();
+  ShadowRoot& inner_root = inner->CreateV0ShadowRootForTesting();
+  outer_root.SetInnerHTMLFromString("<content>");
+  inner_root.SetInnerHTMLFromString("<span>");
+  // Test passes if it doesn't crash.
+  UpdateAllLifecyclePhasesForTest();
+}
 }  // namespace blink