diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index cf7f23bf785b..6043e0117029 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -1312,8 +1312,6 @@ static JSBool
 array_toString_sub(JSContext *cx, JSObject *obj, JSBool locale,
                    JSString *sepstr, Value *rval)
 {
-    JS_CHECK_RECURSION(cx, return false);
-
     static const jschar comma = ',';
     const jschar *sep;
     size_t seplen;
@@ -1395,6 +1393,8 @@ array_toString_sub(JSContext *cx, JSObject *obj, JSBool locale,
 static JSBool
 array_toString(JSContext *cx, uintN argc, Value *vp)
 {
+    JS_CHECK_RECURSION(cx, return false);
+
     JSObject *obj = ToObject(cx, &vp[1]);
     if (!obj)
         return false;
@@ -1429,6 +1429,8 @@ array_toString(JSContext *cx, uintN argc, Value *vp)
 static JSBool
 array_toLocaleString(JSContext *cx, uintN argc, Value *vp)
 {
+    JS_CHECK_RECURSION(cx, return false);
+
     JSObject *obj = ToObject(cx, &vp[1]);
     if (!obj)
         return false;
@@ -1526,6 +1528,8 @@ InitArrayObject(JSContext *cx, JSObject *obj, jsuint length, const Value *vector
 static JSBool
 array_join(JSContext *cx, uintN argc, Value *vp)
 {
+    JS_CHECK_RECURSION(cx, return false);
+
     JSString *str;
     if (argc == 0 || vp[2].isUndefined()) {
         str = NULL;
diff --git a/js/src/tests/ecma_5/extensions/array-toString-recursion.js b/js/src/tests/ecma_5/extensions/array-toString-recursion.js
new file mode 100644
index 000000000000..aa5d856c3bf4
--- /dev/null
+++ b/js/src/tests/ecma_5/extensions/array-toString-recursion.js
@@ -0,0 +1,46 @@
+/*
+ * Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/licenses/publicdomain/
+ */
+
+//-----------------------------------------------------------------------------
+var BUGNUMBER = 635389;
+var summary = 'Infinite recursion via [].{toString,toLocaleString,join}';
+
+print(BUGNUMBER + ": " + summary);
+
+/**************
+ * BEGIN TEST *
+ **************/
+
+try
+{
+  var x = [];
+  x.join = Array.prototype.toString;
+  "" + x;
+  throw new Error("should have thrown");
+}
+catch (e)
+{
+  assertEq(e instanceof InternalError, true,
+           "should have thrown for over-recursion");
+}
+
+try
+{
+  var x = { toString: Array.prototype.toString, join: Array.prototype.toString };
+  "" + x;
+  throw new Error("should have thrown");
+}
+catch (e)
+{
+  assertEq(e instanceof InternalError, true,
+           "should have thrown for over-recursion");
+}
+
+/******************************************************************************/
+
+if (typeof reportCompare === "function")
+  reportCompare(true, true);
+
+print("All tests passed!");
diff --git a/js/src/tests/ecma_5/extensions/jstests.list b/js/src/tests/ecma_5/extensions/jstests.list
index b269bfa739eb..bcd7fa0185b4 100644
--- a/js/src/tests/ecma_5/extensions/jstests.list
+++ b/js/src/tests/ecma_5/extensions/jstests.list
@@ -9,6 +9,7 @@ script bug352085.js
 script bug472534.js
 script bug496985.js
 script bug566661.js
+script array-toString-recursion.js
 skip-if(!xulRuntime.shell) script cross-global-eval-is-indirect.js # needs newGlobal()
 script eval-native-callback-is-indirect.js
 script extension-methods-reject-null-undefined-this.js