JS_{Save,Restore}FrameChain allow a single JSContext to switch in the middle of executing one JS callstack to start executing a second callstack. This is currently achieved by simply saving the original cx->fp and restoring it later. This subtle reuse of JSContext can lead to unlikely and subtle bugs where data stored in JSContext is associated with a single callstack. For example, 'throwing' and 'exception' are associated with a single callstack and need to be handled specially to avoid leaking between frame chains. It also seems possible for 'resolvingTable' and 'busyArrayTable' to leak with visible side effects. With bug 535656, there is a JSCallStack data structure associated with a single segment of a callstack that may be a more approriate place for this and future data. This bug proposes moving callstack-related data from JSContext to JSCallStack. Other candidates for moving include: 'regExpStatics', 'sharpObjectMap', 'lastMessage', and 'display'.

How about just removing JSContext altogether (bug 650351).

Er, bug 650361.