Bug 1375596 - Use valueToAdd in AddAccumulateOrValue, not valueToAddWrapper; r=hiro
author: Brian Birtles <birtles@gmail.com>
date: Tue, 18 Jul 2017 16:24:28 +0900
changeset 418240: 86878427cd44e6e0627cb30fe738e29092c915cf
parent 418239: f68747fe8a15bc355f6380b760d747d52a9f4d26
child 418241: 6d0e2b939bad8ce83f3960a40e10ff1400b257a0
push id: 7566
push user: mtabara@mozilla.com
push date: Wed, 02 Aug 2017 08:25:16 +0000
treeherder: mozilla-beta@86913f512c3c
reviewers: hiro
bugs: 1375596, 1358966
milestone: 56.0a1
Bug 1375596 - Use valueToAdd in AddAccumulateOrValue, not valueToAddWrapper; r=hiro

AddOrAccumulate in nsSMILCSSValueType.cpp initializes |valueToAdd| to either &valueToAddWrapper->mGeckoValue or nullptr. It then asks FinalizeStyleAnimationValues to fill it in. FinalizeStyleAnimationValues will return false if it could not fill it in, in which case AddOrAccumulate returns early. As a result, after the early return we can be assured that |valueToAdd| is not null. However, valueToAddWrapper may still be null.

Changeset 4d87f2bf4b10369af0dd83a2ef962a23299ee8d9 from bug 1358966 changed this code such that we pass a member of valueToAddWrapper to StyleAnimationValue::Add where we used to pass a member of valueToAdd. As a result, we can end up passing 0x20 (since valueToAddWrapper is nullptr) to Add() and then trying to read from it.

This patch makes us pass, instead, |valueToAdd| since we know that is guaranteed to be non-null here.

MozReview-Commit-ID: 1YwT1lBHnUe
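The bug class the commit message describes, as an added C++ model that is not Gecko code: a wrapper pointer may legitimately be null, a helper substitutes a default for the missing operand, and the code then reaches back through the wrapper instead of through the validated pointer. The struct layout, the `FinalizeStyleAnimationValues` model, the `aHasZeroValue` knob and the function names are all constructed for illustration; the layout is chosen so that `mGeckoValue` lands at offset 0x20, the address the commit message quotes, and no claim is made about the real `ValueWrapper` layout.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>

// Stand-in for StyleAnimationValue (assumption: one double is enough to
// model what Add() does with the operand).
struct GeckoValue {
  double mValue;
};

// Stand-in for the ValueWrapper an nsSMILValue points at. Field order and
// sizes are constructed so that mGeckoValue sits at offset 0x20; Gecko's
// real layout is not claimed here.
struct ValueWrapper {
  int32_t    mPropID;
  uint32_t   mPad;
  void*      mServoValues[3];
  GeckoValue mGeckoValue;
};
static_assert(offsetof(ValueWrapper, mGeckoValue) == 0x20,
              "constructed layout must place mGeckoValue at 0x20");

// Model of FinalizeStyleAnimationValues: a null operand means "no explicit
// value", so substitute the property's zero value when one exists and
// return false when it does not (aHasZeroValue is a constructed knob).
static const GeckoValue sZeroValue{0.0};

static bool FinalizeStyleAnimationValues(const GeckoValue*& aValueToAdd,
                                         bool aHasZeroValue) {
  if (aValueToAdd) return true;
  if (!aHasZeroValue) return false;
  aValueToAdd = &sZeroValue;
  return true;
}

// The operand address the pre-fix code formed: &valueToAddWrapper->mGeckoValue.
// Computed with offsetof instead of the member access so the null-wrapper
// case is observable rather than undefined behaviour; a null wrapper yields
// 0x20, which Add() would then try to read from.
uintptr_t BuggyOperandAddress(const ValueWrapper* aValueToAddWrapper) {
  return reinterpret_cast<uintptr_t>(aValueToAddWrapper) +
         offsetof(ValueWrapper, mGeckoValue);
}

// Post-fix shape of AddOrAccumulate: the operand handed to Add() is
// *valueToAdd, the pointer FinalizeStyleAnimationValues validated, never a
// member of the possibly-null wrapper. Returns the new destination value,
// or nullopt on the early-return path.
std::optional<double> AddOrAccumulateFixed(ValueWrapper& aDest,
                                           const ValueWrapper* aValueToAddWrapper,
                                           uint32_t aCount,
                                           bool aHasZeroValue) {
  const GeckoValue* valueToAdd =
      aValueToAddWrapper ? &aValueToAddWrapper->mGeckoValue : nullptr;
  if (!FinalizeStyleAnimationValues(valueToAdd, aHasZeroValue)) {
    return std::nullopt;
  }
  // Invariant from here on: valueToAdd != nullptr, but aValueToAddWrapper
  // may still be null, so it must not be dereferenced again.
  aDest.mGeckoValue.mValue += aCount * valueToAdd->mValue;  // models Add()
  return aDest.mGeckoValue.mValue;
}

int main() {
  ValueWrapper dest{};
  dest.mGeckoValue.mValue = 10.0;
  std::printf("buggy operand address for a null wrapper: %#zx\n",
              static_cast<size_t>(BuggyOperandAddress(nullptr)));
  auto r = AddOrAccumulateFixed(dest, nullptr, 3, true);
  std::printf("fixed path with a null wrapper: %s\n",
              r ? "ok" : "early return");
  return 0;
}
```

The general lesson is the one the patch applies: once a helper has produced a validated pointer (or reference) for an operand, every later use must go through that pointer, not through the object it may or may not have been derived from. A small non-null address such as 0x20 in a crash report is the classic signature of `&null->member` being computed and then read.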
dom/smil/crashtests/1375596-1.svg
dom/smil/crashtests/crashtests.list
dom/smil/nsSMILCSSValueType.cpp
new file mode 100644
--- /dev/null
+++ b/dom/smil/crashtests/1375596-1.svg
@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600">
+<animate by="2" min="5:45" calcMode="discrete" attributeName="height" />
+</svg>
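Review bot: the crashtest carries no comment saying what it exercises, so a reader has to recover from the bug number that the `by="2"` (additive) animation is what drives the SandwichAdd/AddOrAccumulate path changed in nsSMILCSSValueType.cpp; an XML comment at the top of the file, e.g. `<!-- Bug 1375596: by-animation with no explicit from/to value must not crash in AddOrAccumulate -->`, would make that explicit and is the convention for tying a crashtest to the code path it guards.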
--- a/dom/smil/crashtests/crashtests.list
+++ b/dom/smil/crashtests/crashtests.list
@@ -47,8 +47,9 @@ load 678938-1.svg
 load 690994-1.svg
 load 691337-1.svg
 load 691337-2.svg
 load 697640-1.svg
 load 699325-1.svg
 load 709907-1.svg
 load 720103-1.svg
 load 1010681-1.svg
+load 1375596-1.svg
--- a/dom/smil/nsSMILCSSValueType.cpp
+++ b/dom/smil/nsSMILCSSValueType.cpp
@@ -407,17 +407,17 @@ AddOrAccumulate(nsSMILValue& aDest, cons
 
   // For Gecko, we currently call Add for either composite mode.
   //
   // This is not ideal, but it doesn't make any difference for the set of
   // properties we currently allow adding in SMIL and this code path will
   // hopefully become obsolete before we expand that set.
   return StyleAnimationValue::Add(property,
                                   destWrapper->mGeckoValue,
-                                  valueToAddWrapper->mGeckoValue, aCount);
+                                  *valueToAdd, aCount);
 }
 
 nsresult
 nsSMILCSSValueType::SandwichAdd(nsSMILValue& aDest,
                                 const nsSMILValue& aValueToAdd) const
 {
   return AddOrAccumulate(aDest, aValueToAdd, CompositeOperation::Add, 1)
          ? NS_OK
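Review bot: `*valueToAdd` is only safe because of the early return after `FinalizeStyleAnimationValues`, which lies outside this hunk's context, so the invariant the fix relies on is invisible at the point of use; add `MOZ_ASSERT(valueToAdd)` (or a one-line comment) immediately before the `StyleAnimationValue::Add(property,` call so that a future edit cannot silently reintroduce a dereference of `valueToAddWrapper` here. Also worth checking whether `valueToAddWrapper` has any remaining use in AddOrAccumulate after this change; if its only job is now the initialization of `valueToAdd`, narrowing its scope to that expression would make the same mistake harder to repeat.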