Bug 600193 - trace-test/tests/jaeger/bug588363-1.js asserts with CompartmentChecker enabled. r=gal.

This makes eval(s) an indirect eval if the eval-function being called is in a
different compartment from the caller's scope chain.

This caused the eval in trace-test/tests/jaeger/bug588363-2.js to become
indirect, which caused the test to fail with a ReferenceError. So I changed the
test to delete the sandbox's eval, revealing the global eval underneath.

js/src/jsobj.cpp

@@ -1016,6 +1016,13 @@ obj_eval(JSContext *cx, uintN argc, Value *vp)
     jsbytecode *callerPC = caller->pc(cx);
     bool indirectCall = (callerPC && *callerPC != JSOP_EVAL);
 
+    /*
+     * If the callee was originally a cross-compartment wrapper, this should
+     * be an indirect call.
+     */
+    if (caller->scopeChain().compartment() != vp[0].toObject().compartment())
+        indirectCall = true;
+
     /*
      * Ban indirect uses of eval (nonglobal.eval = eval; nonglobal.eval(....))
      * that attempt to use a non-global object as the scope object.
@@ -1250,6 +1257,8 @@ obj_eval(JSContext *cx, uintN argc, Value *vp)
             return JS_FALSE;
     }
 
+    assertSameCompartment(cx, scopeobj, script);
+
     /*
      * Belt-and-braces: check that the lesser of eval's principals and the
      * caller's principals has access to scopeobj.
@@ -3114,6 +3123,8 @@ js_NewWithObject(JSContext *cx, JSObject *proto, JSObject *parent, jsint depth)
     if (!thisp)
         return NULL;
 
+    assertSameCompartment(cx, obj, thisp);
+
     obj->setWithThis(thisp);
     return obj;
 }

js/src/trace-test/tests/jaeger/bug588363-2.js

@@ -1,5 +1,6 @@
 with(evalcx('')) {
-    eval("x", this.__defineGetter__("x", Function))
+    delete eval;
+    eval("x", this.__defineGetter__("x", Function));
 }
 
 /* Don't assert or crash. */