Bug 1409931: nsImageControlFrame can also be using a <map> element. r?xidorn
This goes with a crashtest, as soon as I get a usable build.
MozReview-Commit-ID: LqmPWoJZ7AJ
--- a/layout/base/ServoRestyleManager.cpp
+++ b/layout/base/ServoRestyleManager.cpp
@@ -14,16 +14,17 @@
#include "mozilla/ServoStyleContext.h"
#include "mozilla/ServoStyleContextInlines.h"
#include "mozilla/Unused.h"
#include "mozilla/ViewportFrame.h"
#include "mozilla/dom/ChildIterator.h"
#include "mozilla/dom/ElementInlines.h"
#include "nsBlockFrame.h"
#include "nsBulletFrame.h"
+#include "nsImageFrame.h"
#include "nsPlaceholderFrame.h"
#include "nsContentUtils.h"
#include "nsCSSFrameConstructor.h"
#include "nsPrintfCString.h"
#include "nsRefreshDriver.h"
#include "nsStyleChangeList.h"
using namespace mozilla::dom;
@@ -779,17 +780,17 @@ ServoRestyleManager::ProcessPostTraversa
// Grab the change hint from Servo.
bool wasRestyled;
nsChangeHint changeHint =
static_cast<nsChangeHint>(Servo_TakeChangeHint(aElement, &wasRestyled));
// We should really fix the weird primary frame mapping for image maps
// (bug 135040)...
if (styleFrame && styleFrame->GetContent() != aElement) {
- MOZ_ASSERT(styleFrame->IsImageFrame());
+ MOZ_ASSERT(static_cast<nsImageFrame*>(do_QueryFrame(styleFrame)));
styleFrame = nullptr;
}
// Handle lazy frame construction by posting a reconstruct for any lazily-
// constructed roots.
if (aElement->HasFlag(NODE_NEEDS_FRAME)) {
changeHint |= nsChangeHint_ReconstructFrame;
MOZ_ASSERT(!styleFrame);
new file mode 100644
--- /dev/null
+++ b/layout/style/crashtests/1409931.html
@@ -0,0 +1,14 @@
+<!doctype html>
+<map id="htmlvar00005">
+<area></area>
+<input
+ id="htmlvar00019"
+ type="image"
+ usemap="#htmlvar00005"
+ src="data:image/gif;base64,R0lGODlhIAAgAPIBAGbMzP///wAAADOZZpn/zAAAAAAAAAAAACH5BAAAAAAALAAAAAAgACAAAAOLGLrc/k7ISau9S5DNu/8fICgaYJ5oqqbDGJRrLAMtScw468J5Xr+3nm8XFM5+PGMMWYwxcMyZ40iULQaDhSzqDGBNisGyuhUDrmNb72pWcaXhtpsM/27pVi8UX96rcQpDf3V+QD12d4NKK2+Lc4qOKI2RJ5OUNHyXSDRYnZ6foKAuLxelphMQqaoPCQA7">
+<script>
+onload = () => {
+ document.body.offsetTop;
+ document.querySelector('area').style.color = "red";
+}
+</script>
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -246,8 +246,9 @@ load 1404180-1.html
load 1404316.html
load 1406222-1.html
load 1406222-2.html
load 1404324-1.html
load 1404324-2.html
load 1404324-3.html
load 1404057.html
load 1409502.html
+load 1409931.html
