1 files changed, 13 insertions, 7 deletions

diff --git a/WebCore/bindings/js/JSEventListener.cpp b/WebCore/bindings/js/JSEventListener.cpp
index 4f273fe..1a999a8 100644
--- a/WebCore/bindings/js/JSEventListener.cpp
+++ b/WebCore/bindings/js/JSEventListener.cpp
@@ -31,10 +31,11 @@ using namespace JSC;
 
 namespace WebCore {
 
-JSEventListener::JSEventListener(JSObject* function, bool isAttribute)
+JSEventListener::JSEventListener(JSObject* function, bool isAttribute, DOMWrapperWorld* isolatedWorld)
     : EventListener(JSEventListenerType)
     , m_jsFunction(function)
     , m_isAttribute(isAttribute)
+    , m_isolatedWorld(isolatedWorld)
 {
 }
 
@@ -65,7 +66,7 @@ void JSEventListener::handleEvent(ScriptExecutionContext* scriptExecutionContext
     if (!jsFunction)
         return;
 
-    JSDOMGlobalObject* globalObject = toJSDOMGlobalObject(scriptExecutionContext);
+    JSDOMGlobalObject* globalObject = toJSDOMGlobalObject(scriptExecutionContext, m_isolatedWorld.get());
     if (!globalObject)
         return;
 
@@ -86,7 +87,12 @@ void JSEventListener::handleEvent(ScriptExecutionContext* scriptExecutionContext
 
     ExecState* exec = globalObject->globalExec();
 
-    JSValue handleEventFunction = jsFunction->get(exec, Identifier(exec, "handleEvent"));
+    JSValue handleEventFunction;
+    {
+        // Switch worlds, just in case handleEvent is a getter and causes JS execution!
+        EnterDOMWrapperWorld worldEntry(exec, m_isolatedWorld.get());
+        handleEventFunction = jsFunction->get(exec, Identifier(exec, "handleEvent"));
+    }
     CallData callData;
     CallType callType = handleEventFunction.getCallData(callData);
     if (callType == CallTypeNone) {
@@ -108,8 +114,8 @@ void JSEventListener::handleEvent(ScriptExecutionContext* scriptExecutionContext
 
         globalData->timeoutChecker.start();
         JSValue retval = handleEventFunction
-            ? call(exec, handleEventFunction, callType, callData, jsFunction, args)
-            : call(exec, jsFunction, callType, callData, toJS(exec, globalObject, event->currentTarget()), args);
+            ? callInWorld(exec, handleEventFunction, callType, callData, jsFunction, args, m_isolatedWorld.get())
+            : callInWorld(exec, jsFunction, callType, callData, toJS(exec, globalObject, event->currentTarget()), args, m_isolatedWorld.get());
         globalData->timeoutChecker.stop();
 
         globalObject->setCurrentEvent(savedEvent);
@@ -140,7 +146,7 @@ bool JSEventListener::reportError(ScriptExecutionContext* context, const String&
     if (!jsFunction)
         return false;
 
-    JSDOMGlobalObject* globalObject = toJSDOMGlobalObject(context);
+    JSDOMGlobalObject* globalObject = toJSDOMGlobalObject(context, m_isolatedWorld.get());
     ExecState* exec = globalObject->globalExec();
 
     CallData callData;
@@ -160,7 +166,7 @@ bool JSEventListener::reportError(ScriptExecutionContext* context, const String&
     JSValue thisValue = globalObject->toThisObject(exec);
 
     globalData->timeoutChecker.start();
-    JSValue returnValue = call(exec, jsFunction, callType, callData, thisValue, args);
+    JSValue returnValue = callInWorld(exec, jsFunction, callType, callData, thisValue, args, m_isolatedWorld.get());
     globalData->timeoutChecker.stop();
 
     // If an error occurs while handling the script error, it should be bubbled up.