diff --git a/js/src/nanojit/NativePPC.cpp b/js/src/nanojit/NativePPC.cpp
index d557adf7378f..5b44722569ec 100644
--- a/js/src/nanojit/NativePPC.cpp
+++ b/js/src/nanojit/NativePPC.cpp
@@ -87,6 +87,7 @@ namespace nanojit
      * sp+12    sp+24   reserved
      */
 
+    const int min_param_area_size = 8*sizeof(void*); // r3-r10
     const int linkage_size = 6*sizeof(void*);
     const int lr_offset = 2*sizeof(void*); // linkage.lr
     const int cr_offset = 1*sizeof(void*); // linkage.cr
@@ -96,8 +97,13 @@ namespace nanojit
         // stw r0, lr_offset(sp)
         // stwu sp, -framesize(sp)
 
+        // param_area must be at least large enough for r3-r10 to be saved,
+        // regardless of whether we think the callee needs less: e.g., the callee
+        // might tail-call to a function that uses varargs, which could flush
+        // r3-r10 to the parameter area.
+        uint32_t param_area = (max_param_size > min_param_area_size) ? max_param_size : min_param_area_size;
         // activation frame is 4 bytes per entry even on 64bit machines
-        uint32_t stackNeeded = max_param_size + linkage_size + _activation.stackSlotsNeeded() * 4;
+        uint32_t stackNeeded = param_area + linkage_size + _activation.stackSlotsNeeded() * 4;
         uint32_t aligned = alignUp(stackNeeded, NJ_ALIGN_STACK);
 
         UNLESS_PEDANTIC( if (isS16(aligned)) {