bug 475133 - Crash [@ nsStyleContext::GetRuleNode] with <xul:progressmeter>, DOMAttrModified event

r=enn, sr=roc
Don't forget to block scripts when manually calling nsProgressMeterFrame::AttributeChanged in progressmeter initialization to prevent evil mutation event listeners from crashing us.

layout/xul/base/src/crashtests/475133.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type="text/javascript">
+function x()
+{
+  document.removeEventListener("DOMAttrModified", x, false);
+  document.removeChild(document.documentElement);
+}
+
+function boom()
+{
+  var p = document.createElementNS("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul", "progressmeter");
+  document.addEventListener("DOMAttrModified", x, false);
+  document.documentElement.appendChild(p);
+}
+</script>
+</head>
+<body onload="boom();"></body>
+</html>

layout/xul/base/src/crashtests/crashtests.list

@@ -41,3 +41,4 @@ load 434458-1.xul
 load 467481-1.xul
 load 470063-1.html
 load 472189.xul
+load 475133.html

layout/xul/base/src/nsProgressMeterFrame.cpp

@@ -82,6 +82,7 @@ public:
     PRBool shouldFlush = PR_FALSE;
     nsIFrame* frame = mWeakFrame.GetFrame();
     if (frame) {
+      nsAutoScriptBlocker scriptBlocker;
       frame->AttributeChanged(kNameSpaceID_None, nsGkAtoms::value, 0);
       shouldFlush = PR_TRUE;
     }
@@ -115,6 +116,8 @@ nsProgressMeterFrame::AttributeChanged(PRInt32 aNameSpaceID,
                                        nsIAtom* aAttribute,
                                        PRInt32 aModType)
 {
+  NS_ASSERTION(!nsContentUtils::IsSafeToRunScript(),
+      "Scripts not blocked in nsProgressMeterFrame::AttributeChanged!");
   nsresult rv = nsBoxFrame::AttributeChanged(aNameSpaceID, aAttribute,
                                              aModType);
   if (NS_OK != rv) {