diff --git a/mozilla/js/src/jsapi.c b/mozilla/js/src/jsapi.c
index 7e5d911cbdb..3e1a626a404 100644
--- a/mozilla/js/src/jsapi.c
+++ b/mozilla/js/src/jsapi.c
@@ -2707,6 +2707,16 @@ JS_CheckAccess(JSContext *cx, JSObject *obj, jsid id, JSAccessMode mode,
 return OBJ_CHECK_ACCESS(cx, obj, id, mode, vp, attrsp);
 }
+JS_PUBLIC_API(JSCheckAccessOp)
+JS_SetCheckObjectAccessCallback(JSRuntime *rt, JSCheckAccessOp acb)
+{
+ JSCheckAccessOp oldacb;
+
+ oldacb = rt->checkObjectAccess;
+ rt->checkObjectAccess = acb;
+ return oldacb;
+}
+
 JS_PUBLIC_API(JSBool)
 JS_GetReservedSlot(JSContext *cx, JSObject *obj, uint32 index, jsval *vp)
 {
diff --git a/mozilla/js/src/jsapi.h b/mozilla/js/src/jsapi.h
index 441338bf2f7..842dadfd3b4 100644
--- a/mozilla/js/src/jsapi.h
+++ b/mozilla/js/src/jsapi.h
@@ -1041,6 +1041,9 @@ extern JS_PUBLIC_API(JSBool)
 JS_CheckAccess(JSContext *cx, JSObject *obj, jsid id, JSAccessMode mode,
 jsval *vp, uintN *attrsp);
+extern JS_PUBLIC_API(JSCheckAccessOp)
+JS_SetCheckObjectAccessCallback(JSRuntime *rt, JSCheckAccessOp acb);
+
 extern JS_PUBLIC_API(JSBool)
 JS_GetReservedSlot(JSContext *cx, JSObject *obj, uint32 index, jsval *vp);
diff --git a/mozilla/js/src/jscntxt.h b/mozilla/js/src/jscntxt.h
index 92bb4ef340b..bf79ff5ae77 100644
--- a/mozilla/js/src/jscntxt.h
+++ b/mozilla/js/src/jscntxt.h
@@ -184,6 +184,12 @@ struct JSRuntime {
 #define NO_SCOPE_SHARING_TODO ((JSScope *) 0xfeedbeef)
 #endif
+ /*
+ * Check property accessibility for objects of arbitrary class. Used at
+ * present to check f.caller accessibility for any function object f.
+ */
+ JSCheckAccessOp checkObjectAccess;
+
 /* Security principals serialization support. */
 JSPrincipalsTranscoder principalsTranscoder;
diff --git a/mozilla/js/src/jsfun.c b/mozilla/js/src/jsfun.c
index fe5c137c4c5..384ad28d805 100644
--- a/mozilla/js/src/jsfun.c
+++ b/mozilla/js/src/jsfun.c
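Review bot: `JS_SetCheckObjectAccessCallback` in jsapi.c, and its prototype in the jsapi.h hunk, carry no comment stating the callback contract, which matters because this hook gates a security decision. The visible caller in jsfun.c returns `JS_FALSE` as soon as the callback returns false and reports nothing itself, so the callback presumably has to report an error or set a pending exception before denying. I would add a header comment along the lines of `/* Install a runtime-wide access check and return the previous one; NULL removes the check. The callback must report an error before returning JS_FALSE. */`. The store to `rt->checkObjectAccess` is also unsynchronized, so if a runtime can be shared between threads the comment should say the callback has to be installed before any script runs.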
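Review bot: The comment on `checkObjectAccess` in `struct JSRuntime` (jscntxt.h) does not say what a NULL value means, and the jsfun.c caller skips the check entirely when the field is NULL. That makes the default fail-open: an embedding that never installs a callback exposes `f.caller` unchecked. I would extend the comment with `* NULL (the default) means no check is made.` and confirm that runtime creation zeroes the structure, since the initialization is not visible in this diff.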
@@ -67,8 +67,7 @@ enum {
 ARGS_CALLEE = -4, /* reference from arguments to active funobj */
 FUN_ARITY = -5, /* number of formal parameters; desired argc */
 FUN_NAME = -6, /* function name, "" if anonymous */
- FUN_CALL = -7, /* function's top Call object in this context */
- FUN_CALLER = -8 /* Function.prototype.caller, backward compat */
+ FUN_CALLER = -7 /* Function.prototype.caller, backward compat */
 };
 #if JSFRAME_OVERRIDE_BITS < 8
@@ -626,7 +625,6 @@ Call(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 static JSPropertySpec call_props[] = {
 {js_arguments_str, CALL_ARGUMENTS, JSPROP_PERMANENT,0,0},
 {"__callee__", CALL_CALLEE, 0,0,0},
- {"__call__", FUN_CALL, 0,0,0},
 {0,0,0,0,0}
 };
@@ -659,11 +657,6 @@ call_getProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
 *vp = fp->argv ? fp->argv[-2] : OBJECT_TO_JSVAL(fp->fun->object);
 break;
- case FUN_CALL:
- if (!TEST_OVERRIDE_BIT(fp, slot))
- *vp = OBJECT_TO_JSVAL(obj);
- break;
-
 default:
 if ((uintN)slot < JS_MAX(fp->argc, fp->fun->nargs))
 *vp = fp->argv[slot];
@@ -689,7 +682,6 @@ call_setProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
 switch (slot) {
 case CALL_ARGUMENTS:
 case CALL_CALLEE:
- case FUN_CALL:
 SET_OVERRIDE_BIT(fp, slot);
 break;
@@ -870,7 +862,6 @@ static JSPropertySpec function_props[] = {
 {js_arity_str, FUN_ARITY, FUNCTION_PROP_ATTRS,0,0},
 {js_length_str, ARGS_LENGTH, FUNCTION_PROP_ATTRS,0,0},
 {js_name_str, FUN_NAME, FUNCTION_PROP_ATTRS,0,0},
- {"__call__", FUN_CALL, FUNCTION_PROP_ATTRS,0,0},
 {js_caller_str, FUN_CALLER, FUNCTION_PROP_ATTRS,0,0},
 {0,0,0,0,0}
 };
@@ -939,22 +930,16 @@ fun_getProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
 : STRING_TO_JSVAL(cx->runtime->emptyString);
 break;
- case FUN_CALL:
- if (fp && fp->fun) {
- JSObject *callobj = js_GetCallObject(cx, fp, NULL);
- if (!callobj)
- return JS_FALSE;
- *vp = OBJECT_TO_JSVAL(callobj);
- } else {
- *vp = JSVAL_NULL;
- }
- break;
-
 case FUN_CALLER:
 if (fp && fp->down && fp->down->fun)
 *vp = fp->down->argv[-2];
 else
 *vp = JSVAL_NULL;
+ if (cx->runtime->checkObjectAccess) {
+ id = ATOM_KEY(cx->runtime->atomState.callerAtom);
+ if (!cx->runtime->checkObjectAccess(cx, obj, id, JSACC_READ, vp))
+ return JS_FALSE;
+ }
 break;
 default:
diff --git a/mozilla/js/src/jspubtd.h b/mozilla/js/src/jspubtd.h
index 959f8e4f871..647324e7082 100644
--- a/mozilla/js/src/jspubtd.h
+++ b/mozilla/js/src/jspubtd.h
@@ -78,10 +78,12 @@ typedef enum JSType {
 /* JSObjectOps.checkAccess mode enumeration. */
 typedef enum JSAccessMode {
- JSACC_PROTO,
- JSACC_PARENT,
- JSACC_IMPORT,
- JSACC_WATCH,
+ JSACC_PROTO, /* XXXbe redundant w.r.t. id */
+ JSACC_PARENT, /* XXXbe redundant w.r.t. id */
+ JSACC_IMPORT, /* import foo.bar */
+ JSACC_WATCH, /* a watchpoint on object foo for id 'bar' */
+ JSACC_READ, /* a "get" of foo.bar */
+ JSACC_WRITE, /* a "set" of foo.bar = baz */
 JSACC_LIMIT
 } JSAccessMode;
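Review bot: In the `FUN_CALLER` case of `fun_getProperty`, `*vp` already holds the caller's function object when the access callback runs, and it still holds it on the denial path that returns `JS_FALSE`. The callback needs the value in order to judge it, so the ordering is understandable, but a denied lookup should not leave the reference in the out-parameter in case some caller reads `*vp` after a failed get; I would brace the denial branch and make it `*vp = JSVAL_NULL;` followed by `return JS_FALSE;`. The new code also overwrites the `id` parameter with the `caller` atom key, where a local variable would avoid surprising any later use of `id`. The function body continues outside the hunk, so I cannot see whether `id` is read again.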
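Review bot: The `JSAccessMode` comment in jspubtd.h does not say which hooks receive the new `JSACC_READ` and `JSACC_WRITE` modes, and nothing visible in this diff passes `JSACC_WRITE`. `JSCheckAccessOp` is presumably also the type of existing access hooks, so an implementation written for the four older modes may now be called with a mode it does not recognise. I would add a line to the enum's comment, for example `/* Hooks must deny access for any mode they do not handle. */`, so that unknown modes fail closed.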