diff --git a/js/src/jsstr.cpp b/js/src/jsstr.cpp
index c59efa86d02..6f0b74e9729 100644
--- a/js/src/jsstr.cpp
+++ b/js/src/jsstr.cpp
@@ -2734,7 +2734,7 @@ js_NewString(JSContext *cx, jschar *chars, size_t length)
         if (JS_ON_TRACE(cx)) {
             /*
              * If we can't leave the trace, signal OOM condition, otherwise
-             * exit from trace and proceed with GC.
+             * exit from trace before throwing.
              */
             if (!js_CanLeaveTrace(cx))
                 return NULL;
diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
index 4eae000a922..f1b93765842 100644
--- a/js/src/jstracer.cpp
+++ b/js/src/jstracer.cpp
@@ -5539,6 +5539,7 @@ ExecuteTree(JSContext* cx, Fragment* f, uintN& inlineCallCount,
 
     cx->interpState = state->prev;
 
+    JS_ASSERT(!cx->bailExit);
     JS_ASSERT(lr->exitType != LOOP_EXIT || !lr->calldepth);
     tm->tracecx = NULL;
     LeaveTree(*state, lr);
@@ -9090,8 +9091,10 @@ TraceRecorder::emitNativePropertyOp(JSScope* scope, JSScopeProperty* sprop, LIns
     LIns* args[] = { vp_ins, INS_CONSTWORD(SPROP_USERID(sprop)), obj_ins, cx_ins };
     LIns* ok_ins = lir->insCall(ci, args);
 
-    // Unroot the vp.
-    lir->insStorei(INS_CONSTPTR(NULL), cx_ins, offsetof(JSContext, nativeVp));
+    // Cleanup.
+    LIns* null_ins = INS_CONSTPTR(NULL);
+    lir->insStorei(null_ins, cx_ins, offsetof(JSContext, nativeVp));
+    lir->insStorei(null_ins, cx_ins, offsetof(JSContext, bailExit));
 
     // Guard that the call succeeded and builtinStatus is still 0.
     // If the native op succeeds but we deep-bail here, the result value is
diff --git a/js/src/trace-test.js b/js/src/trace-test.js
index 93a17d2325c..de0e03e8333 100644
--- a/js/src/trace-test.js
+++ b/js/src/trace-test.js
@@ -5600,6 +5600,21 @@ testNativeSetter.jitstats = {
 };
 test(testNativeSetter);
 
+function testBug507425() {
+    var r = /x/;
+    for (var i = 0; i < 3; i++)
+        r.lastIndex = 0;          // call a setter
+    var s = ';';
+    try {
+        for (i = 0; i < 80; i++)
+            s += s;                   // call js_CanLeaveTrace
+    } catch (exc) {
+        return "ok";
+    }
+}
+testBug507425.expected = "ok";
+test(testBug507425);
+
 /*****************************************************************************
  *                                                                           *
  *  _____ _   _  _____ ______ _____ _______                                  *