Bug 735943 - Don't crash if nsSMILAnimationController::FlushResampleRequests destroyed the pres shell. r=bz

content/smil/nsSMILAnimationController.cpp

@@ -399,8 +399,14 @@ nsSMILAnimationController::DoSample(bool aSkipUnchangedContainers)
   // Set running sample flag -- do this before flushing styles so that when we
   // flush styles we don't end up requesting extra samples
   mRunningSample = true;
+  nsCOMPtr<nsIDocument> kungFuDeathGrip(mDocument);  // keeps 'this' alive too
   mDocument->FlushPendingNotifications(Flush_Style);
 
+  // WARNING: 
+  // WARNING: the above flush may have destroyed the pres shell and/or
+  // WARNING: frames and other layout related objects.
+  // WARNING:
+  
   // STEP 1: Bring model up to date
   // (i)  Rewind elements where necessary
   // (ii) Run milestone samples

content/smil/nsSMILAnimationController.h

@@ -95,6 +95,7 @@ public:
   // Methods for resampling all animations
   // (A resample performs the same operations as a sample but doesn't advance
   // the current time and doesn't check if the container is paused)
+  // This will flush pending style changes for the document.
   void Resample() { DoSample(false); }
 
   void SetResampleNeeded()
@@ -106,6 +107,8 @@ public:
       mResampleNeeded = true;
     }
   }
+
+  // This will flush pending style changes for the document.
   void FlushResampleRequests()
   {
     if (!mResampleNeeded)

layout/base/crashtests/735943.html

@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+<script>
+
+var asvg = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><script xlink:href="data:text/javascript," /><rect width="100" height="100" fill="green"><set attributeName="fill" attributeType="CSS" to="red" begin="0s" end="2s" dur="2s" fill="remove" /></rect></svg>';
+
+function boom()
+{
+  var f = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe"); f.src = "data:text/html,1"; document.body.appendChild(f);
+  var w;
+
+  setTimeout(function() {
+    w = window.open("data:text/html,<body onload=window.close()>", "_blank", "width=200,height=200");
+    // Note that most of the code below will execute before the window appears, and in fact before "w" becomes non-null.
+  }, 0);
+
+  setTimeout(function() {
+    setTimeout(function() { }, 0);
+    f.contentWindow.location = "data:image/svg+xml," + encodeURIComponent(asvg);
+
+    setTimeout(function() {
+      setTimeout(function() {
+        setTimeout(function() {
+          document.body.style.MozColumnCount = "2";
+          document.documentElement.className = "";
+        }, 20);
+      }, 0);
+    }, 0);
+  }, 20);
+}
+
+    window.addEventListener("MozReftestInvalidate", boom, false);
+</script>
+</head>
+
+<body></body>
+</html>

layout/base/crashtests/crashtests.list

@@ -352,5 +352,6 @@ load 707098.html
 load 722137.html
 load 725535.html
 load 727601.html
-load 736389-1.xhtml
+asserts(0-2) pref(dom.disable_open_during_load,false) load 735943.html # the assertion is bug 735966
+asserts(0-2) load 736389-1.xhtml # sometimes the above assertions are delayed and is reported on this test instead
 load 736924-1.html

layout/base/nsPresShell.cpp

@@ -3965,9 +3965,12 @@ PresShell::FlushPendingNotifications(mozFlushType aType)
         mDocument->GetAnimationController()->FlushResampleRequests();
       }
 
-      nsAutoScriptBlocker scriptBlocker;
-      mFrameConstructor->CreateNeededFrames();
-      mFrameConstructor->ProcessPendingRestyles();
+      // The FlushResampleRequests() above flushed style changes.
+      if (!mIsDestroying) {
+        nsAutoScriptBlocker scriptBlocker;
+        mFrameConstructor->CreateNeededFrames();
+        mFrameConstructor->ProcessPendingRestyles();
+      }
     }
 
     // Dispatch any 'animationstart' events those (or earlier) restyles