diff --git a/js/src/jscntxtinlines.h b/js/src/jscntxtinlines.h
index c8cc8054103..05302767c6c 100644
--- a/js/src/jscntxtinlines.h
+++ b/js/src/jscntxtinlines.h
@@ -143,7 +143,7 @@ StackSpace::ensureSpace(JSContext *maybecx, Value *start, Value *from,
 * over-recursing. */
 ptrdiff_t nvals = VALUES_PER_STACK_FRAME + nslots;
- if (commitEnd < limit && from + nvals < limit) {
+ if (commitEnd <= limit && from + nvals < (start + MAX_STACK_USAGE)) {
 if (!ensureSpace(maybecx, from, nvals))
 return false;
diff --git a/js/src/methodjit/MethodJIT.cpp b/js/src/methodjit/MethodJIT.cpp
index f51d61755a4..da477c0bcd8 100644
--- a/js/src/methodjit/MethodJIT.cpp
+++ b/js/src/methodjit/MethodJIT.cpp
@@ -733,7 +733,7 @@ mjit::ProfileStubCall(VMFrame &f)
 bool VMFrame::slowEnsureSpace(uint32 nslots) {
- return cx->stack().ensureSpace(cx, reinterpret_cast(fp), regs.sp,
+ return cx->stack().ensureSpace(cx, reinterpret_cast(entryFp), regs.sp,
 stackLimit, nslots);
 }
diff --git a/js/src/methodjit/MethodJIT.h b/js/src/methodjit/MethodJIT.h
index dc3bc592cf6..7d35fabf6ac 100644
--- a/js/src/methodjit/MethodJIT.h
+++ b/js/src/methodjit/MethodJIT.h
@@ -138,7 +138,7 @@ struct VMFrame
 inline bool ensureSpace(uint32 nmissing, uint32 nslots) {
 /* Fast check - if it's below the limit, it's safe to just get a frame. */
- if (JS_LIKELY(regs.sp + nmissing + nslots < stackLimit))
+ if (JS_LIKELY(regs.sp + VALUES_PER_STACK_FRAME + nmissing + nslots < stackLimit))
 return true;
 /* Slower check that might have to commit memory or throw an error. */
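Review bot: The new bound `from + nvals < (start + MAX_STACK_USAGE)` in `StackSpace::ensureSpace` is evaluated as pointer arithmetic, so a large `nslots` can carry `from + nvals` past the end of the reserved stack (or wrap on a 32-bit address space), and the comparison then proves nothing. Unless `nslots` is bounded before this point, comparing slot counts is safer, something like `if (commitEnd <= limit && from >= start && nvals < MAX_STACK_USAGE - (from - start)) {`, with the types adjusted to whatever `MAX_STACK_USAGE` is declared as. The fast check in the MethodJIT.h hunk (`regs.sp + VALUES_PER_STACK_FRAME + nmissing + nslots < stackLimit`) has the same shape. The branch also no longer tests the request against `limit`, so it relies on the three-argument `ensureSpace` it calls to refuse anything beyond the reserved region; that callee is not visible here. The function body starts and ends outside the hunk.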
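Review bot: `VMFrame::slowEnsureSpace` does not say why the base passed as `start` is `entryFp`, and the jscntxtinlines.h hunk now measures the quota from that argument (`start + MAX_STACK_USAGE`), so the choice of base decides how much stack one activation may consume. A short comment would keep this from being reverted by accident, for example `/* Measure MAX_STACK_USAGE from the entry frame; passing fp would restart the budget at every call. */`. The check also presumes `entryFp` is set and lies at or below `regs.sp` in the same stack segment; if the callers do not guarantee that, a debug assertion here would document it.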
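Review bot: The fast check in `VMFrame::ensureSpace` now budgets `VALUES_PER_STACK_FRAME + nmissing + nslots`, but the slow path shown in this commit does not account for `nmissing`: `slowEnsureSpace(uint32 nslots)` receives only `nslots`, and `StackSpace::ensureSpace` computes `nvals = VALUES_PER_STACK_FRAME + nslots`. If the call below the hunk passes just `nslots`, a request that fails the fast check can pass the slow one with `nmissing` values left unreserved; that call is not visible here, so it needs confirming. Passing the sum, e.g. `return slowEnsureSpace(nmissing + nslots);`, or adding an `nmissing` parameter would make both paths check the same amount. `ensureSpace` ends outside the hunk.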