Fix crash if a nonexistent CSS function is referenced. This caused crashes both with the CSSFunctions feature being off and on. Importantly, with it off (which is the situation in prod), it would cause CSSPendingSubstitutionValues to be sent to various ApplyValue() functions, causing cast CHECKs to trigger. (cherry picked from commit 307d0f9cb938115af1fa261531a6eece0245ad1c) Bug: 327472847 Fixed: 327782777, 327712014, 327472847, 325819913 Change-Id: I7fa125e371c8be047ac6527cb52815a6835540be Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5339608 Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org> Commit-Queue: Steinar H Gunderson <sesse@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1267841} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5361855 Reviewed-by: Steinar H Gunderson <sesse@chromium.org> Commit-Queue: Rune Lillesveen <futhark@chromium.org> Cr-Commit-Position: refs/branch-heads/6312@{#519} Cr-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506}

commit: 40d29afe1719eff47f79a97ec0755259eb93aa4c [log] [tgz]
author: Steinar H. Gunderson <sesse@chromium.org> Mon Mar 11 19:29:33 2024
committer: Chromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com> Mon Mar 11 19:29:33 2024
tree: 2cc01875e9f6997a9d3664a7cacf9d377641f20a
parent: 0174f243f416809658837c98e69ac2369596e694 [diff]
diff --git a/third_party/blink/renderer/core/css/parser/css_variable_parser.cc b/third_party/blink/renderer/core/css/parser/css_variable_parser.cc
index 1fcc361..cf65b04 100644
--- a/third_party/blink/renderer/core/css/parser/css_variable_parser.cc
+++ b/third_party/blink/renderer/core/css/parser/css_variable_parser.cc

@@ -73,7 +73,8 @@
         case CSSValueID::kInvalid:
           // Not a built-in function, but it might be a user-defined
           // CSS function (e.g. --foo()).
-          if (token.GetType() == kFunctionToken &&
+          if (RuntimeEnabledFeatures::CSSFunctionsEnabled() &&
+              token.GetType() == kFunctionToken &&
               CSSVariableParser::IsValidVariableName(token.Value())) {
             has_references = true;
           }

diff --git a/third_party/blink/renderer/core/css/resolver/style_builder_converter.cc b/third_party/blink/renderer/core/css/resolver/style_builder_converter.cc
index 2dd4b81a..8b10ec5 100644
--- a/third_party/blink/renderer/core/css/resolver/style_builder_converter.cc
+++ b/third_party/blink/renderer/core/css/resolver/style_builder_converter.cc

@@ -2384,19 +2384,14 @@
                             color_mix_value->HueInterpolationMethod(), c1, c2,
                             mix_amount, alpha_multiplier));
   }
-  if (auto* light_dark_pair = DynamicTo<CSSLightDarkValuePair>(value)) {
-    const CSSValue& color_value =
-        used_color_scheme == mojom::blink::ColorScheme::kLight
-            ? light_dark_pair->First()
-            : light_dark_pair->Second();
-    return ResolveColorValue(color_value, text_link_colors, used_color_scheme,
-                             color_provider, for_visited_link);
-  }
-#if DCHECK_IS_ON()
-  // https://crbug.com/325819913
-  DCHECK(false) << "Unexpected CSSValue: " << value.ClassTypeToString();
-#endif  // DCHECK_IS_ON()
-  return StyleColor(Color::kBlack);
+
+  auto& light_dark_pair = To<CSSLightDarkValuePair>(value);
+  const CSSValue& color_value =
+      used_color_scheme == mojom::blink::ColorScheme::kLight
+          ? light_dark_pair.First()
+          : light_dark_pair.Second();
+  return ResolveColorValue(color_value, text_link_colors, used_color_scheme,
+                           color_provider, for_visited_link);
 }
 
 StyleColor StyleBuilderConverter::ConvertStyleColor(StyleResolverState& state,

diff --git a/third_party/blink/renderer/core/css/resolver/style_cascade.cc b/third_party/blink/renderer/core/css/resolver/style_cascade.cc
index 1551d3d..498fafb 100644
--- a/third_party/blink/renderer/core/css/resolver/style_cascade.cc
+++ b/third_party/blink/renderer/core/css/resolver/style_cascade.cc

@@ -1317,8 +1317,11 @@
                                        const FunctionContext& function_context,
                                        TokenSequence& out) {
   // TODO(sesse): Deal with tree-scoped references.
-  StyleRuleFunction* function =
-      GetDocument().GetScopedStyleResolver()->FunctionForName(function_name);
+  StyleRuleFunction* function = nullptr;
+  if (GetDocument().GetScopedStyleResolver()) {
+    function =
+        GetDocument().GetScopedStyleResolver()->FunctionForName(function_name);
+  }
   if (!function) {
     return false;
   }

diff --git a/third_party/blink/renderer/core/css/resolver/style_cascade_test.cc b/third_party/blink/renderer/core/css/resolver/style_cascade_test.cc
index ba572bbc..7dab77d 100644
--- a/third_party/blink/renderer/core/css/resolver/style_cascade_test.cc
+++ b/third_party/blink/renderer/core/css/resolver/style_cascade_test.cc

@@ -4109,4 +4109,16 @@
   EXPECT_EQ("18", cascade.ComputedValue("--result"));
 }
 
+TEST_F(StyleCascadeTest, CSSFunctionDoesNotExistInShorthand) {
+  for (bool enabled : {false, true}) {
+    ScopedCSSFunctionsForTest scoped_feature(enabled);
+    TestCascade cascade(GetDocument());
+
+    cascade.Add("background", "--nonexistent()");
+    cascade.Apply();
+
+    EXPECT_EQ("rgba(0, 0, 0, 0)", cascade.ComputedValue("background-color"));
+  }
+}
+
 }  // namespace blink
commit	40d29afe1719eff47f79a97ec0755259eb93aa4c	[log] [tgz]
author	Steinar H. Gunderson <sesse@chromium.org>	Mon Mar 11 19:29:33 2024
committer	Chromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>	Mon Mar 11 19:29:33 2024
tree	2cc01875e9f6997a9d3664a7cacf9d377641f20a
parent	0174f243f416809658837c98e69ac2369596e694 [diff]