new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/recover-lambdas-bug1133389.js
@@ -0,0 +1,17 @@
+var o = {}
+Object.defineProperty(o, "p", {
+    get: function() {
+        return arguments.callee.caller.caller;
+    }
+});
+
+function f() {
+    function g() {
+        return o.p;
+    }
+    return g();
+}
+
+for (var k = 0; k < 2; k++) {
+    assertEq(f(), f);
+}

--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@@ -1103,22 +1103,16 @@ FrameIter::matchCallee(JSContext *cx, Ha
     // template from which it would be cloned, we compare properties which are
     // stable across the cloning of JSFunctions.
     if (((currentCallee->flags() ^ fun->flags()) & JSFunction::STABLE_ACROSS_CLONES) != 0 ||
         currentCallee->nargs() != fun->nargs())
     {
         return false;
     }
 
-    // Only some lambdas are optimized in a way which cannot be recovered without
-    // invalidating the frame. Thus, if one of the function is not a lambda we can just
-    // compare it against the calleeTemplate.
-    if (!fun->isLambda() || !currentCallee->isLambda())
-        return currentCallee == fun;
-
     // Use the same condition as |js::CloneFunctionObject|, to know if we should
     // expect both functions to have the same JSScript. If so, and if they are
     // different, then they cannot be equal.
     bool useSameScript = CloneFunctionObjectUseSameScript(fun->compartment(), currentCallee);
     if (useSameScript &&
         (currentCallee->hasScript() != fun->hasScript() ||
          currentCallee->nonLazyScript() != fun->nonLazyScript()))
     {