TransitionEnd event can include nodes that have been GCed

[jdm]

https://github.com/servo/servo/commits/5d3847dddc9bb7907abfa5d38a7927d6c656fbc1/components/layout/animation.rs sends an asynchronous message to the script thread that contains an UnsafeNode value. When the script thread processes the message, it casts the unsafe node to a DOM node and tries to use it. If the node has been GCed since the layout event that caused the message to be sent, this is a crash.

I propose fixing this in the same way that #14962 deals with asynchronous operations involving DOM nodes - collect them during layout and have the script thread retrieve them immediately to prevent risk of them being GCed.

I hit this in a debugger while running the TodoMVC benchmark: https://lhorie.github.io/todomvc-perf-comparison/todomvc-benchmark/

[KiChjang]

This looks like it's something that I ought to have fixed but didn't because I assumed that a layout node always have a valid reference to its underlying DOM node. Could you expand on how the "collection during layout" and "retrieving in script thread" works?

[jdm]

The easiest way I've found is to create a layout RPC mechanism to retrieve a list of nodes, and invoke that right after reflow completes in script. Meanwhile layout populates the list via a member of the various context objects that are passed around. Of course, this only works if the reflow is initiated from script. If something's else is driving the animations in layout, we need a different solution.

[jdm]

I can often hit this on the benchmark linked above if I disable the Ractive, Likely, and Mithril suites.

[jdm]

I'm hitting this repeatedly when creating a blank document on docs.google.com with #15082 applied (and other related document.open/document.write hacks to allow page loading to progress).

[jdm]

Blocks #13942.