diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index 13a741da699d..53c008b18552 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -3713,11 +3713,15 @@ JSObject::traceChildren(JSTracer* trc)
             GetObjectSlotNameFunctor func(nobj);
             JS::AutoTracingDetails ctx(trc, func);
             JS::AutoTracingIndex index(trc);
-            for (uint32_t i = 0; i < nobj->slotSpan(); ++i) {
+            // Tracing can mutate the target but cannot change the slot count,
+            // but the compiler has no way of knowing this.
+            const uint32_t nslots = nobj->slotSpan();
+            for (uint32_t i = 0; i < nslots; ++i) {
                 TraceManuallyBarrieredEdge(trc, nobj->getSlotRef(i).unsafeUnbarrieredForTracing(),
                                            "object slot");
                 ++index;
             }
+            MOZ_ASSERT(nslots == nobj->slotSpan());
         }
 
         do {