Skip to content

Commit 202905a

Browse files
committed
CSS selector fuzz: Update moved selector-fix references
1 parent 9d1129c commit 202905a

2 files changed

Lines changed: 6 additions & 6 deletions

File tree

tools/css-selector-fuzz/FINDINGS.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
11
# CSS Selector Fuzzer — Findings
22

3-
Run: branch `html-css-fuzz` @ `46334f170b`, PHP 8.4.21. 5000 deterministic
3+
Run: branch `html-css-fuzz` @ `5da3afedd0`, PHP 8.4.21. 5000 deterministic
44
seeds, 0 crashes/timeouts. Three distinct, reproduced WordPress-core correctness
55
bugs in the new HTML-API CSS selector support. Every selector below is valid,
66
supported CSS that the API mis-handles **without** reporting lack of support.
77

88
**Status: all three bugs are fixed on this branch** (commit prefix
9-
`CSS selector:` — Bug 1 `7419a9fef6`, Bug 2 `0cefeb2fc8`, Bug 3 `16d03e2c5f`),
9+
`CSS selector:` — Bug 1 `aed6cfb4aa`, Bug 2 `989e18da8a`, Bug 3 `0a87b20178`),
1010
each with PHPUnit regression tests that fail pre-fix. A post-fix 5000-seed run
1111
is clean (0 failures, 0 crashes). The repros below no longer trigger; they
1212
remain as regression anchors and Trac-ready minimal test cases.
@@ -61,7 +61,7 @@ non-hex identity-escape branch is wrong. Depending on what wrong codepoint is
6161
produced this also causes spurious parse failures (a valid selector returns
6262
`null`).
6363

64-
**Fix (landed in `7419a9fef6`):** read the next codepoint from the byte
64+
**Fix (landed in `aed6cfb4aa`):** read the next codepoint from the byte
6565
offset: `mb_substr( substr( $input, $offset ), 0, 1, 'UTF-8' )`.
6666

6767
---
@@ -88,7 +88,7 @@ Reproduction against `<i x="">…</i><b x="abc">…</b><u>…</u>`:
8888
| `[x$=""]` | `I` | none |
8989
| `[x~=""]` | none ✅ | none |
9090

91-
**Fix (landed in `0cefeb2fc8`):** in `matches()`, return `false` for `^= $= *=`
91+
**Fix (landed in `989e18da8a`):** in `matches()`, return `false` for `^= $= *=`
9292
when `'' === $this->value`, before the `substr_compare`/`strpos` calls. `~=`
9393
needs no guard — a whitespace-delimited list never yields an empty item — and
9494
a test pins that. (No `substr_compare` length edge exists here: `-strlen('')`
@@ -123,7 +123,7 @@ character of the selector string.
123123
| `[a^=b]` | parsed ✅ (2-char operator) |
124124
| `[a=b].c` | parsed ✅ (trailing content) |
125125

126-
**Fix (landed in `16d03e2c5f`):** change `>=` to `>` (need
126+
**Fix (landed in `0a87b20178`):** change `>=` to `>` (need
127127
`strlen - $updated_offset >= 3`).
128128

129129
---

tools/css-selector-fuzz/NEXT-STEPS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
> which still reproduce. The notes below are retained as the design rationale.
1212
>
1313
> **Core fixes landed:** the three FINDINGS.md bugs are fixed on this branch
14-
> (`CSS selector:` commits `7419a9fef6` / `0cefeb2fc8` / `16d03e2c5f`), each
14+
> (`CSS selector:` commits `aed6cfb4aa` / `989e18da8a` / `0a87b20178`), each
1515
> with PHPUnit regression tests. A post-fix 5000-seed run is clean.
1616
>
1717
> **Fuzzer-side follow-up hardening implemented (2026-06-12):**

0 commit comments

Comments
 (0)