Bug 1133389 - Fix FrameIter::matchCallee to consider all inner functions and not only lambdas. r=shu

js/src/jit-test/tests/ion/recover-lambdas-bug1133389.js

@@ -0,0 +1,17 @@
+var o = {}
+Object.defineProperty(o, "p", {
+    get: function() {
+        return arguments.callee.caller.caller;
+    }
+});
+
+function f() {
+    function g() {
+        return o.p;
+    }
+    return g();
+}
+
+for (var k = 0; k < 2; k++) {
+    assertEq(f(), f);
+}

js/src/vm/Stack.cpp

@@ -1108,12 +1108,6 @@ FrameIter::matchCallee(JSContext *cx, HandleFunction fun) const
         return false;
     }
 
-    // Only some lambdas are optimized in a way which cannot be recovered without
-    // invalidating the frame. Thus, if one of the function is not a lambda we can just
-    // compare it against the calleeTemplate.
-    if (!fun->isLambda() || !currentCallee->isLambda())
-        return currentCallee == fun;
-
     // Use the same condition as |js::CloneFunctionObject|, to know if we should
     // expect both functions to have the same JSScript. If so, and if they are
     // different, then they cannot be equal.