Mercurial > integration > autoland / changeset / b91c18d5cf083108a3c66d028a2c36456cba991b
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1851441: Speculative fix for image map/html area element crash r=Jamie
authorMorgan Rae Reschenberg <mreschenberg@mozilla.com>
Wed, 15 Nov 2023 22:37:29 +0000 (20 months ago)
changeset 685453 b91c18d5cf083108a3c66d028a2c36456cba991b
parent 685452 eb78feb610e5d895bd63b81693cde56dd08d82df
child 685454 a3dd112b0ed075be924f114a490abaeb9d7c3cd6
push id195081
push usermreschenberg@mozilla.com
push dateWed, 15 Nov 2023 23:09:13 +0000 (20 months ago)
treeherderautoland@b91c18d5cf08 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersJamie
bugs1851441
milestone121.0a1
first release with
nightly linux32
5c80609922c5 / 121.0a1 / 20231116214608 / files
nightly linux64
5c80609922c5 / 121.0a1 / 20231116214608 / files
nightly mac
5c80609922c5 / 121.0a1 / 20231116214608 / files
nightly win32
5c80609922c5 / 121.0a1 / 20231116214608 / files
nightly win64
5c80609922c5 / 121.0a1 / 20231116214608 / files
last release without
nightly linux32
6f3be95d6511 / 121.0a1 / 20231115214519 / files
nightly linux64
6f3be95d6511 / 121.0a1 / 20231115214519 / files
nightly mac
6f3be95d6511 / 121.0a1 / 20231115214519 / files
nightly win32
6f3be95d6511 / 121.0a1 / 20231115214519 / files
nightly win64
6f3be95d6511 / 121.0a1 / 20231115214519 / files
Bug 1851441: Speculative fix for image map/html area element crash r=Jamie I think this crash may occur when the image map is being removed or when the area element is being moved. In any case, I'm reasonably confident that the reason for this crash was a null boundingFrame passed to TransformRect, which should only happen when the image map doesn't exist / has no frame. Also, we really shouldn't be transforming anyway, so I’ve removed the transform call. Differential Revision: https://phabricator.services.mozilla.com/D193460
accessible/html/HTMLImageMapAccessible.cpp file | annotate | diff | comparison | revisions 
--- a/accessible/html/HTMLImageMapAccessible.cpp
+++ b/accessible/html/HTMLImageMapAccessible.cpp
@@ -179,26 +179,22 @@ nsRect HTMLAreaAccessible::RelativeBound
   *aBoundingFrame = frame;
   bounds.SizeTo(bounds.Width() - bounds.X(), bounds.Height() - bounds.Y());
   return bounds;
 }
 
 nsRect HTMLAreaAccessible::ParentRelativeBounds() {
   nsIFrame* boundingFrame = nullptr;
   nsRect relativeBoundsRect = RelativeBounds(&boundingFrame);
-
-  nsIFrame* parentBoundingFrame = nullptr;
-  if (mParent) {
-    parentBoundingFrame = mParent->GetFrame();
+  if (MOZ_UNLIKELY(!boundingFrame)) {
+    // Area is not attached to an image map?
+    return nsRect();
   }
 
-  if (!parentBoundingFrame) {
-    // if we can't get the bounding frame, use the pres shell root for the
-    // bounding frame RelativeBounds returned
-    parentBoundingFrame =
-        nsLayoutUtils::GetContainingBlockForClientRect(boundingFrame);
-  }
-
-  nsLayoutUtils::TransformRect(boundingFrame, parentBoundingFrame,
-                               relativeBoundsRect);
-
+  // The relative bounds returned above are relative to this area's
+  // image map, which is technically already "parent relative".
+  // Because area elements are `display:none` to layout, they can't
+  // have transforms or other styling applied directly, and so we
+  // don't apply any additional transforms here. Any transform
+  // at the image map layer will be taken care of when computing bounds
+  // in the parent process.
   return relativeBoundsRect;
 }
autoland
Deployed from 0549d7aefb93 at 2025-06-12T15:23:35Z.