Bug 537157: Explicitly prevent SMIL animations inside of XBL bindings from running. Also, make nsSMILCSSProperty directly create a computed style object, instead of using nsPIDOMWindow helper method. r=smaug sr=roc

content/base/src/nsDocument.cpp

@@ -5354,7 +5354,7 @@ nsDocument::GetAnimationController()
     return mAnimationController;
   // Refuse to create an Animation Controller if SMIL is disabled, and also
   // for data documents.
-  if (!NS_SMILEnabled() || mLoadedAsData)
+  if (!NS_SMILEnabled() || mLoadedAsData || mLoadedAsInteractiveData)
     return nsnull;
 
   mAnimationController = NS_NewSMILAnimationController(this);

content/base/src/nsDocument.h

@@ -1195,6 +1195,11 @@ protected:
 
   PRPackedBool mInXBLUpdate:1;
 
+  // This flag is only set in nsXMLDocument, for e.g. documents used in XBL. We
+  // don't want animations to play in such documents, so we need to store the
+  // flag here so that we can check it in nsDocument::GetAnimationController.
+  PRPackedBool mLoadedAsInteractiveData:1;
+
   PRUint8 mXMLDeclarationBits;
 
   PRUint8 mDefaultElementType;

content/smil/crashtests/537157-1.svg

@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg" style="-moz-binding:url(#xbl)">
+<bindings xmlns="http://www.mozilla.org/xbl">
+<binding id="xbl" inheritstyle="false">
+<content>
+<svg xmlns="http://www.w3.org/2000/svg">
+<animate attributeName="font-size"/>
+</svg>
+</content>
+</binding>
+</bindings>
+</svg>

content/smil/crashtests/crashtests.list

@@ -3,3 +3,4 @@ load 525099-1.svg
 load 526875-1.svg
 load 526875-2.svg
 load 529387-1.xhtml
+load 537157-1.svg

content/smil/nsSMILCSSProperty.cpp

@@ -44,7 +44,7 @@
 #include "nsComputedDOMStyle.h"
 #include "nsStyleAnimation.h"
 #include "nsIContent.h"
-#include "nsPIDOMWindow.h"
+#include "nsIDOMElement.h"
 
 static PRBool
 GetCSSComputedValue(nsIContent* aElem,
@@ -62,11 +62,18 @@ GetCSSComputedValue(nsIContent* aElem,
     return PR_FALSE;
   }
 
-  nsPIDOMWindow* win = doc->GetWindow();
-  NS_ABORT_IF_FALSE(win, "actively animated document w/ no window");
-  nsRefPtr<nsComputedDOMStyle>
-    computedStyle(win->LookupComputedStyleFor(aElem));
-  if (computedStyle) {
+  nsIPresShell* shell = doc->GetPrimaryShell();
+  if (!shell) {
+    NS_WARNING("Unable to look up computed style -- no pres shell");
+    return PR_FALSE;
+  }
+
+  nsRefPtr<nsComputedDOMStyle> computedStyle;
+  nsCOMPtr<nsIDOMElement> domElement(do_QueryInterface(aElem));
+  nsresult rv = NS_NewComputedDOMStyle(domElement, EmptyString(), shell,
+                                       getter_AddRefs(computedStyle));
+
+  if (NS_SUCCEEDED(rv) && computedStyle) {
     // NOTE: This will produce an empty string for shorthand values
     computedStyle->GetPropertyValue(aPropID, aResult);
     return PR_TRUE;

content/xml/document/src/nsXMLDocument.h

@@ -83,7 +83,6 @@ protected:
   // mChannel is also cancelled.  Note that if this member is true, mChannel
   // cannot be null.
   PRPackedBool mChannelIsPending;
-  PRPackedBool mLoadedAsInteractiveData;
   PRPackedBool mAsync;
   PRPackedBool mLoopingForSyncLoad;
 };

dom/base/nsGlobalWindow.cpp

@@ -100,7 +100,6 @@
 #include "nsIDOMHTMLDocument.h"
 #include "nsIDOMHTMLElement.h"
 #include "nsIDOMCrypto.h"
-#include "nsIDOMCSSStyleDeclaration.h"
 #include "nsIDOMDocument.h"
 #include "nsIDOMNSDocument.h"
 #include "nsIDOMDocumentView.h"
@@ -1419,16 +1418,6 @@ nsGlobalWindow::WouldReuseInnerWindow(nsIDocument *aNewDocument)
   return PR_FALSE;
 }
 
-already_AddRefed<nsComputedDOMStyle>
-nsGlobalWindow::LookupComputedStyleFor(nsIContent* aElem)
-{
-  nsCOMPtr<nsIDOMElement> domElement(do_QueryInterface(aElem));
-  nsRefPtr<nsComputedDOMStyle> computedDOMStyle;
-  GetComputedStyle(domElement, EmptyString(),
-                   getter_AddRefs(computedDOMStyle));
-  return computedDOMStyle.forget();
-}
-
 void
 nsGlobalWindow::SetOpenerScriptPrincipal(nsIPrincipal* aPrincipal)
 {
@@ -7043,12 +7032,14 @@ nsGlobalWindow::UpdateCanvasFocus(PRBool aFocusChanged, nsIContent* aNewContent)
 // nsGlobalWindow::nsIDOMViewCSS
 //*****************************************************************************
 
-// Helper method for below
-nsresult
+NS_IMETHODIMP
 nsGlobalWindow::GetComputedStyle(nsIDOMElement* aElt,
                                  const nsAString& aPseudoElt,
-                                 nsComputedDOMStyle** aReturn)
+                                 nsIDOMCSSStyleDeclaration** aReturn)
 {
+  FORWARD_TO_OUTER(GetComputedStyle, (aElt, aPseudoElt, aReturn),
+                   NS_ERROR_NOT_INITIALIZED);
+
   NS_ENSURE_ARG_POINTER(aReturn);
   *aReturn = nsnull;
 
@@ -7067,18 +7058,9 @@ nsGlobalWindow::GetComputedStyle(nsIDOMElement* aElt,
     return NS_OK;
   }
 
-  return NS_NewComputedDOMStyle(aElt, aPseudoElt, presShell,
-                                aReturn);
-}
-NS_IMETHODIMP
-nsGlobalWindow::GetComputedStyle(nsIDOMElement* aElt,
-                                 const nsAString& aPseudoElt,
-                                 nsIDOMCSSStyleDeclaration** aReturn)
-{
-  FORWARD_TO_OUTER(GetComputedStyle, (aElt, aPseudoElt, aReturn),
-                   NS_ERROR_NOT_INITIALIZED);
   nsRefPtr<nsComputedDOMStyle> compStyle;
-  nsresult rv = GetComputedStyle(aElt, aPseudoElt, getter_AddRefs(compStyle));
+  nsresult rv = NS_NewComputedDOMStyle(aElt, aPseudoElt, presShell,
+                                       getter_AddRefs(compStyle));
   NS_ENSURE_SUCCESS(rv, rv);
 
   *aReturn = compStyle.forget().get();
@@ -8479,6 +8461,7 @@ nsGlobalWindow::TimerCallback(nsITimer *aTimer, void *aClosure)
 //*****************************************************************************
 // nsGlobalWindow: Helper Functions
 //*****************************************************************************
+
 nsresult
 nsGlobalWindow::GetTreeOwner(nsIDocShellTreeOwner **aTreeOwner)
 {

dom/base/nsGlobalWindow.h

@@ -290,9 +290,6 @@ public:
   virtual NS_HIDDEN_(void) SetChromeEventHandler(nsPIDOMEventTarget* aChromeEventHandler);
   virtual NS_HIDDEN_(nsIFocusController*) GetRootFocusController();
 
-  virtual NS_HIDDEN_(already_AddRefed<nsComputedDOMStyle>)
-    LookupComputedStyleFor(nsIContent* aElem);
-
   virtual NS_HIDDEN_(void) SetOpenerScriptPrincipal(nsIPrincipal* aPrincipal);
   virtual NS_HIDDEN_(nsIPrincipal*) GetOpenerScriptPrincipal();
 
@@ -643,11 +640,6 @@ protected:
     return aList != &mTimeouts;
   }
 
-  // Helper method for looking up computed style
-  nsresult GetComputedStyle(nsIDOMElement* aElt,
-                            const nsAString& aPseudoElt,
-                            nsComputedDOMStyle** aReturn);
-
   // Convenience functions for the many methods that need to scale
   // from device to CSS pixels or vice versa.  Note: if a presentation
   // context is not available, they will assume a 1:1 ratio.

dom/base/nsPIDOMWindow.h

@@ -53,8 +53,6 @@
 #define DOM_WINDOW_DESTROYED_TOPIC "dom-window-destroyed"
 
 class nsIPrincipal;
-class nsICSSDeclaration;
-class nsComputedDOMStyle;
 
 // Popup control state enum. The values in this enum must go from most
 // permissive to least permissive so that it's safe to push state in
@@ -80,8 +78,8 @@ class nsXBLPrototypeHandler;
 class nsIArray;
 
 #define NS_PIDOMWINDOW_IID \
-{ 0x70c9f57f, 0xf7b3, 0x4a37, \
-  { 0xbe, 0x36, 0xbb, 0xb2, 0xd7, 0xe9, 0x40, 0x13 } }
+{ 0xeee92d9a, 0xae9f, 0x41e5, \
+  { 0x95, 0x5f, 0xaf, 0x1c, 0xe7, 0x66, 0x42, 0xe6 } }
 
 class nsPIDOMWindow : public nsIDOMWindowInternal
 {
@@ -251,10 +249,6 @@ public:
     return win->mIsHandlingResizeEvent;
   }
 
-  // Convenience method for getting an element's computed style
-  virtual already_AddRefed<nsComputedDOMStyle>
-    LookupComputedStyleFor(nsIContent* aElem) = 0;
-
   // Tell this window who opened it.  This only has an effect if there is
   // either no document currently in the window or if the document is the
   // original document this window came with (an about:blank document either