Bug 1459688: Properly traverse the stylesheet list of the shadow root. r=smaug

This is sound because the unlink implementation of the stylesheet drops the
preserved wrapper, and there are no strong references back to any node from the
stylesheet or any of the non-unlinked members.

This almost is the same setup that works for document sheets. We need to account
for a double reference in case the sheet is applicable because Servo keeps
another reference to it in that case, instead of in the StyleSet / PresShell.

Added the testcase as a crashtest, in the hopes that if it regresses leak
reporting on automation will catch it.

MozReview-Commit-ID: Kcc5oaOvP9A

dom/base/ShadowRoot.cpp

@@ -23,8 +23,15 @@ using namespace mozilla::dom;
 
 NS_IMPL_CYCLE_COLLECTION_CLASS(ShadowRoot)
 
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(ShadowRoot,
-                                                  DocumentFragment)
+NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(ShadowRoot, DocumentFragment)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mStyleSheets)
+  for (StyleSheet* sheet : tmp->mStyleSheets) {
+    // mServoStyles keeps another reference to it if applicable.
+    if (sheet->IsApplicable()) {
+      NS_CYCLE_COLLECTION_NOTE_EDGE_NAME(cb, "mServoStyles->sheets[i]");
+      cb.NoteXPCOMChild(sheet);
+    }
+  }
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mDOMStyleSheets)
   for (auto iter = tmp->mIdentifierMap.ConstIter(); !iter.Done();
        iter.Next()) {

dom/base/crashtests/1459688.html

@@ -0,0 +1,6 @@
+<!doctype html>
+<div id="host"></div>
+<script>
+  host.attachShadow({ mode: "open" }).innerHTML = `<style></style>`;
+  host.shadowRoot.styleSheets[0].foobie = host.shadowRoot;
+</script>

dom/base/crashtests/crashtests.list

@@ -243,3 +243,4 @@ pref(dom.webcomponents.shadowdom.enabled,true) load 1428053.html
 load 1449601.html
 load 1445670.html
 load 1458016.html
+pref(dom.webcomponents.shadowdom.enabled,true) load 1459688.html