commit 2dc0dd8efa5813724e624450dee99b061b3c3c5f
parent 00b1614076666951a187b68c388092c79392ffb5
Author: Anders Hartvoll Ruud <andruud@chromium.org>
Date: Fri, 31 Oct 2025 08:52:33 +0000
Bug 1996559 [wpt PR 55674] - [@scope] Avoid infinite recursion when extracting bucketing values, a=testonly
Automatic update from web-platform-tests
[@scope] Avoid infinite recursion when extracting bucketing values
When extracting bucketing values, we treat :scope similarly
to '&' for nesting, i.e. we look at the <scope-start> selector
of the @scope rule (if present), and bucket against that selector.
However, in the inner call to ExtractBucketingValues, we pass our
own `style_scope` rather than the parent scope, leading to an
infinite recursion for e.g. @scope (:scope) { :scope {} }.
Note: we have a similar treatment of :scope in the SelectorFilter
(CollectDescendantSelectorIdentifierHashes). That code is already
recursing with style_scope->Parent(), so we do not have
the same bug there.
Fixed: 454830626
Change-Id: I568ccb93dadc21fd72a13318e51cb31e3ab11298
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7079582
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1535864}
--
wpt-commits: 86246912eb046e7987dd69a7c63e3f28cab39af5
wpt-pr: 55674
Diffstat:
1 file changed, 13 insertions(+), 0 deletions(-)
diff --git a/testing/web-platform/tests/css/css-cascade/scope-inner-pseudo-scope-crash.html b/testing/web-platform/tests/css/css-cascade/scope-inner-pseudo-scope-crash.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<title>Crash with :scope in both subject and prelude</title>
+<link rel="help" href="https://issues.chromium.org/issues/454830626">
+<style>
+@scope (.a) {
+ @scope(:scope) {
+ :scope {
+ background: green;
+ }
+ }
+}
+</style>
+<div class=a>PASS if no crash</div>
