Bug 1375596 - Use valueToAdd in AddAccumulateOrValue, not valueToAddWrapper; r=hiro
Brian Birtles <birtles@gmail.com>
Tue, 18 Jul 2017 16:24:28 +0900
bugs 1375596, 1358966

Bug 1375596 - Use valueToAdd in AddAccumulateOrValue, not valueToAddWrapper; r=hiro

AddOrAccumulate in nsSMILCSSValueType.cpp initializes |valueToAdd| to either &valueToAddWrapper->mGeckoValue or nullptr. It then asks FinalizeStyleAnimationValues to fill it in. FinalizeStyleAnimationValues will return false if it could not fill it in, in which case AddOrAccumulate returns early.

As a result, after the early return we can be assured that |valueToAdd| is not null. However, valueToAddWrapper may still be null.

Changeset 4d87f2bf4b10369af0dd83a2ef962a23299ee8d9 from bug 1358966 changed this code such that we pass a member of valueToAddWrapper to StyleAnimationValue::Add where we used to pass a member of valueToAdd. As a result, we can end up passing 0x20 (since valueToAddWrapper is nullptr) to Add() and then trying to read from it.

This patch makes us pass, instead, |valueToAdd| since we know that is guaranteed to be non-null here.

MozReview-Commit-ID: 1YwT1lBHnUe
+<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600">
+<animate by="2" min="5:45" calcMode="discrete" attributeName="height" />
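Review bot: the testcase as shown ends at the `<animate>` element with no closing `</svg>`. If the file is checked in that way rather than this being a rendering artifact, close the root element so the document parses as SVG and the crashtest actually reaches the animation code instead of the XML error path. A one-line comment in the file saying that a `by` animation with no value to add to is what leads to the null wrapper would also help anyone reducing or extending the test later.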
@@ -47,8 +47,9 @@ load 678938-1.svg
 load 690994-1.svg
 load 691337-1.svg
 load 691337-2.svg
 load 697640-1.svg
 load 699325-1.svg
 load 709907-1.svg
 load 720103-1.svg
 load 1010681-1.svg
+load 1375596-1.svg
@@ -407,17 +407,17 @@ AddOrAccumulate(nsSMILValue& aDest, cons
   // For Gecko, we currently call Add for either composite mode.
   // This is not ideal, but it doesn't make any difference for the set of
   // properties we currently allow adding in SMIL and this code path will
   // hopefully become obsolete before we expand that set.
   return StyleAnimationValue::Add(property,
-                                  valueToAddWrapper->mGeckoValue, aCount);
+                                  *valueToAdd, aCount);
 nsSMILCSSValueType::SandwichAdd(nsSMILValue& aDest,
                                 const nsSMILValue& aValueToAdd) const
   return AddOrAccumulate(aDest, aValueToAdd, CompositeOperation::Add, 1)
          ? NS_OK
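Review bot: the `*valueToAdd` dereference in the `StyleAnimationValue::Add` call is only safe because of the early return after FinalizeStyleAnimationValues fails, and nothing at the call site says so. Consider a `MOZ_ASSERT(valueToAdd)` just ahead of the `return`, with a short comment that `valueToAddWrapper` may be null at this point while `valueToAdd` may not, so a later refactor does not reintroduce the wrapper dereference that bug 1358966 did. The existing comment above the call only covers the composite mode, not the pointer invariant.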