diff --git a/js/src/methodjit/FrameState.cpp b/js/src/methodjit/FrameState.cpp
index 5c965648f9d..cad7ae4caf1 100644
--- a/js/src/methodjit/FrameState.cpp
+++ b/js/src/methodjit/FrameState.cpp
@@ -1244,7 +1244,7 @@ FrameState::shimmy(uint32 n)
 {
 JS_ASSERT(sp - n >= spBase);
 int32 depth = 0 - int32(n);
- storeTop(&sp[depth - 1], true);
+ storeTop(peek(depth - 1), true);
 popn(n);
 }
 
@@ -1253,7 +1253,7 @@ FrameState::shift(int32 n)
 {
 JS_ASSERT(n < 0);
 JS_ASSERT(sp + n - 1 >= spBase);
- storeTop(&sp[n - 1], true);
+ storeTop(peek(n - 1), true);
 pop();
 }
 
diff --git a/js/src/trace-test/tests/jaeger/bug600139.js b/js/src/trace-test/tests/jaeger/bug600139.js
new file mode 100644
index 00000000000..d8e26193067
--- /dev/null
+++ b/js/src/trace-test/tests/jaeger/bug600139.js
@@ -0,0 +1,11 @@
+// |trace-test| error: ReferenceError
+// vim: set ts=4 sw=4 tw=99 et:
+function f(a, b, c) {
+ if (!a.__SSi) {
+ throw Components.returnCode = Cr.NS_ERROR_INVALID_ARG;
+ }
+ this.restoreWindow(a, b, c);
+ eval();
+}
+dis(f);
+f(1, 2, 3);
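Review bot: The assertion in shimmy() does not cover the slot the new line touches: it checks `sp - n >= spBase`, while the store goes through `peek(depth - 1)`, i.e. the entry at `sp - n - 1`. shift() in the next hunk asserts the exact index it uses (`sp + n - 1 >= spBase`), so shimmy() should match it with `JS_ASSERT(sp - n - 1 >= spBase);`. JS_ASSERT is presumably compiled out of release builds, so this stays a debug-time guard, but an off-by-one below spBase in the JIT's frame tracker is worth trapping as early as possible. The function's return type line sits above the hunk.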
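Review bot: Nothing at this call site records why `peek()` has to replace direct indexing of `sp`, so a later cleanup could put `&sp[n - 1]` back here, or `&sp[depth - 1]` back in shimmy(). peek() is not visible in this diff; presumably it does bookkeeping on the entry that raw indexing skips, and the exact reason should be confirmed against its definition. A short comment above the store in both functions would capture it, for example `// Obtain the target entry via peek(), never raw &sp[...]: storeTop() needs an entry FrameState has accounted for.`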
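Review bot: The `dis(f);` call can make this test pass without ever running the code path it is meant to cover. The directive on the first line accepts any ReferenceError, and if `dis` is not defined in the shell under test (I believe it is only present in debug builds), that call throws a ReferenceError before `f(1, 2, 3)` is reached. Dropping `dis(f);`, or guarding it with `if (typeof dis === "function") dis(f);`, keeps the expected error tied to the `throw Components.returnCode = ...` line inside `f`. A one-line comment stating that the ReferenceError is expected from the undefined `Components` would also make the intent clear.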