Bug 1156581 - Add null check to nsSVGEffects::InvalidateRenderingObservers to prevent crashes r=dholbert

layout/svg/crashtests/1156581-1.svg

@@ -0,0 +1,12 @@
+<svg xmlns="http://www.w3.org/2000/svg" style="filter: url(#a); clip: rect(0px, 4rem, 2px, 2px);">
+    <script>
+        function boom()
+        {
+            document.getElementById("a").style.overflow = "hidden";
+            document.documentElement.style.fontSize = "10px";
+        }
+        window.addEventListener("load", boom, false);
+    </script>
+
+    <set id="a"/>
+</svg>

layout/svg/crashtests/crashtests.list

@@ -192,6 +192,7 @@ load 1016145.svg
 load 1028512.svg
 load 1140080-1.svg
 load 1149542-1.svg
+load 1156581-1.svg
 load 1182496-1.html
 load 1209525-1.svg
 load 1223281-1.svg

layout/svg/nsSVGEffects.cpp

@@ -770,14 +770,15 @@ nsSVGEffects::InvalidateRenderingObservers(nsIFrame *aFrame)
 {
   NS_ASSERTION(!aFrame->GetPrevContinuation(), "aFrame must be first continuation");
 
-  if (!aFrame->GetContent()->IsElement())
+  nsIContent* content = aFrame->GetContent();
+  if (!content || !content->IsElement())
     return;
 
   // If the rendering has changed, the bounds may well have changed too:
   aFrame->Properties().Delete(nsSVGUtils::ObjectBoundingBoxProperty());
 
   nsSVGRenderingObserverList *observerList =
-    GetObserverList(aFrame->GetContent()->AsElement());
+    GetObserverList(content->AsElement());
   if (observerList) {
     observerList->InvalidateAll();
     return;
@@ -821,7 +822,8 @@ nsSVGEffects::InvalidateDirectRenderingObservers(Element *aElement, uint32_t aFl
 void
 nsSVGEffects::InvalidateDirectRenderingObservers(nsIFrame *aFrame, uint32_t aFlags /* = 0 */)
 {
-  if (aFrame->GetContent() && aFrame->GetContent()->IsElement()) {
-    InvalidateDirectRenderingObservers(aFrame->GetContent()->AsElement(), aFlags);
+  nsIContent* content = aFrame->GetContent();
+  if (content && content->IsElement()) {
+    InvalidateDirectRenderingObservers(content->AsElement(), aFlags);
   }
 }