Bug 1375596 - Use valueToAdd in AddAccumulateOrValue, not valueToAddWrapper; r=hiro

AddOrAccumulate in nsSMILCSSValueType.cpp sets initializes |valueToAdd| to
either &valueToAddWrapper->mGeckoValue or nullptr. It then asks
FinalizeStyleAnimationValues to fill it in. FinalizeStyleAnimationValues will
return false if it could not fill it in, in which case AddOrAccumulate returns
early. As a result, after the early return we can be assured that |valueToAdd|
is not null. However, valueToAddWrapper may still be null.

Changeset 4d87f2bf4b10369af0dd83a2ef962a23299ee8d9 from bug 1358966 changed this
code such that we pass a member of valueToAddWrapper to StyleAnimationValue::Add
where we used to pass a member of valueToAdd. As a result, we can end up passing
0x20 (since valueToAddWrapper is nullptr) to Add() and then trying to read from
it.

This patch makes us pass, instead, |valueToAdd| since we know that is guaranteed
to be non-null here.

MozReview-Commit-ID: 1YwT1lBHnUe

--HG--
extra : rebase_source : abec6995af68de13eacaccf7eca7b2d121eaedf3

dom/smil/crashtests/1375596-1.svg

@@ -0,0 +1,3 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600">
+<animate by="2" min="5:45" calcMode="discrete" attributeName="height" />
+</svg>

dom/smil/crashtests/crashtests.list

@@ -52,3 +52,4 @@ load 699325-1.svg
 load 709907-1.svg
 load 720103-1.svg
 load 1010681-1.svg
+load 1375596-1.svg

dom/smil/nsSMILCSSValueType.cpp

@@ -412,7 +412,7 @@ AddOrAccumulate(nsSMILValue& aDest, const nsSMILValue& aValueToAdd,
   // hopefully become obsolete before we expand that set.
   return StyleAnimationValue::Add(property,
                                   destWrapper->mGeckoValue,
-                                  valueToAddWrapper->mGeckoValue, aCount);
+                                  *valueToAdd, aCount);
 }
 
 nsresult