bug 580128 - Fix evalInSandbox returning objects in the wrong compartment. r=jst

js/src/jsinterp.cpp

@@ -4698,7 +4698,7 @@ BEGIN_CASE(JSOP_APPLY)
         JS_ASSERT(vp[1].isObjectOrNull() || PrimitiveThisTest(newfun, vp[1]));
 
         Probes::enterJSFun(cx, newfun);
-        JSBool ok = newfun->u.n.native(cx, argc, vp);
+        JSBool ok = CallJSNative(cx, newfun->u.n.native, argc, vp);
         Probes::exitJSFun(cx, newfun);
         regs.sp = vp + 1;
         if (!ok)

js/src/xpconnect/src/xpccomponents.cpp

@@ -3669,8 +3669,10 @@ xpc_EvalInSandbox(JSContext *cx, JSObject *sandbox, const nsAString& source,
         JSString *str = nsnull;
 
         if (!ac.enter(sandcx->GetJSContext(), sandbox)) {
-            // XXX HELP!
-            NS_ABORT();
+            if (stack) {
+                stack->Pop(nsnull);
+            }
+            return NS_ERROR_FAILURE;
         }
 
         JSBool ok =
@@ -3729,11 +3731,12 @@ xpc_EvalInSandbox(JSContext *cx, JSObject *sandbox, const nsAString& source,
         } else {
             // Convert the result into something safe for our caller.
             JSAutoRequest req(cx);
+            JSAutoEnterCompartment ac;
             if (str) {
                 v = STRING_TO_JSVAL(str);
             }
 
-            if (!JS_WrapValue(cx, &v)) {
+            if (!ac.enter(cx, callingScope) || !JS_WrapValue(cx, &v)) {
                 rv = NS_ERROR_FAILURE;
             }