Diffstat (limited to 'js/src/jit/TrampolineNatives.cpp')
-rw-r--r--js/src/jit/TrampolineNatives.cpp6
1 files changed, 6 insertions, 0 deletions
diff --git a/js/src/jit/TrampolineNatives.cpp b/js/src/jit/TrampolineNatives.cpp
index 0bde6d9985..e22023f8dd 100644
--- a/js/src/jit/TrampolineNatives.cpp
+++ b/js/src/jit/TrampolineNatives.cpp
@@ -86,6 +86,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm) {
-int32_t(FrameSize) + ArraySortData::offsetOfComparatorReturnValue();
constexpr int32_t DescriptorOffset =
-int32_t(FrameSize) + ArraySortData::offsetOfDescriptor();
+ constexpr int32_t ComparatorThisOffset =
+ -int32_t(FrameSize) + ArraySortData::offsetOfComparatorThis();
#ifdef JS_USE_LINK_REGISTER
masm.pushReturnAddress();
@@ -146,6 +148,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm) {
Label callDone, jitCallFast, jitCallSlow;
masm.bind(&jitCallFast);
{
+ masm.storeValue(UndefinedValue(),
+ Address(FramePointer, ComparatorThisOffset));
masm.storePtr(ImmWord(jitCallDescriptor),
Address(FramePointer, DescriptorOffset));
masm.loadPtr(Address(FramePointer, ComparatorOffset), temp0);
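Review bot: The new `masm.storeValue(UndefinedValue(), Address(FramePointer, ComparatorThisOffset));` at the top of the `jitCallFast` block has no comment saying why the comparator's `this` slot must be rewritten before every JIT call, and the same uncommented store is repeated in the `jitCallSlow` block of the next hunk. Presumably the slot is consumed as the callee's `this` and the callee may overwrite it, so a stale or uninitialized Value would otherwise be visible to the next comparator call and to anything that walks this frame; that should be confirmed and stated, for example `// Reset |this| to undefined before each comparator call; the callee may have clobbered the slot.` If both paths always need the store, emitting it once before the fast/slow branch would stop a later edit from updating only one path, provided no code between that point and the call touches the slot. The body of generateArraySortTrampoline starts and ends outside these hunks, so whether other call paths in the trampoline need the same initialization cannot be checked from this diff.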
@@ -155,6 +159,8 @@ uint32_t JitRuntime::generateArraySortTrampoline(MacroAssembler& masm) {
}
masm.bind(&jitCallSlow);
{
+ masm.storeValue(UndefinedValue(),
+ Address(FramePointer, ComparatorThisOffset));
masm.storePtr(ImmWord(jitCallDescriptor),
Address(FramePointer, DescriptorOffset));
masm.loadPtr(Address(FramePointer, ComparatorOffset), temp0);