diff --git a/js/src/ion/BaselineIC.cpp b/js/src/ion/BaselineIC.cpp
index acfe16543184..dd4a31784a08 100644
--- a/js/src/ion/BaselineIC.cpp
+++ b/js/src/ion/BaselineIC.cpp
@@ -2351,7 +2351,7 @@ DoToNumberFallback(JSContext *cx, ICToNumber_Fallback *stub, HandleValue arg, Mu
 {
     FallbackICSpew(cx, stub, "ToNumber");
     ret.set(arg);
-    return ToNumber(cx, ret.address());
+    return ToNumber(cx, ret);
 }
 
 typedef bool (*DoToNumberFallbackFn)(JSContext *, ICToNumber_Fallback *, HandleValue, MutableHandleValue);
diff --git a/js/src/jsnum.cpp b/js/src/jsnum.cpp
index a62e33d6c22f..bc1b33aea308 100644
--- a/js/src/jsnum.cpp
+++ b/js/src/jsnum.cpp
@@ -423,24 +423,26 @@ Class NumberObject::class_ = {
 static JSBool
 Number(JSContext *cx, unsigned argc, Value *vp)
 {
-    /* Sample JS_CALLEE before clobbering. */
-    bool isConstructing = IsConstructing(vp);
+    CallArgs args = CallArgsFromVp(argc, vp);
 
-    if (argc > 0) {
-        if (!ToNumber(cx, &vp[2]))
+    /* Sample JS_CALLEE before clobbering. */
+    bool isConstructing = IsConstructing(args);
+
+    if (args.length() > 0) {
+        if (!ToNumber(cx, args.handleAt(0)))
             return false;
-        vp[0] = vp[2];
+        args.rval().set(args[0]);
     } else {
-        vp[0].setInt32(0);
+        args.rval().setInt32(0);
     }
 
     if (!isConstructing)
         return true;
 
-    JSObject *obj = NumberObject::create(cx, vp[0].toNumber());
+    JSObject *obj = NumberObject::create(cx, args.rval().toNumber());
     if (!obj)
         return false;
-    vp->setObject(*obj);
+    args.rval().setObject(*obj);
     return true;
 }
 
diff --git a/js/src/jsnum.h b/js/src/jsnum.h
index 8efecf928542..a28787cb6617 100644
--- a/js/src/jsnum.h
+++ b/js/src/jsnum.h
@@ -133,23 +133,20 @@ GetPrefixInteger(JSContext *cx, const jschar *start, const jschar *end, int base
 
 /* ES5 9.3 ToNumber, overwriting *vp with the appropriate number value. */
 JS_ALWAYS_INLINE bool
-ToNumber(JSContext *cx, Value *vp)
+ToNumber(JSContext *cx, JS::MutableHandleValue vp)
 {
 #ifdef DEBUG
-    {
-        SkipRoot skip(cx, vp);
-        MaybeCheckStackRoots(cx);
-    }
+    MaybeCheckStackRoots(cx);
 #endif
 
-    if (vp->isNumber())
+    if (vp.isNumber())
         return true;
     double d;
-    extern bool ToNumberSlow(JSContext *cx, js::Value v, double *dp);
-    if (!ToNumberSlow(cx, *vp, &d))
+    extern bool ToNumberSlow(JSContext *cx, Value v, double *dp);
+    if (!ToNumberSlow(cx, vp, &d))
         return false;
 
-    vp->setNumber(d);
+    vp.setNumber(d);
     return true;
 }
 
diff --git a/js/src/vm/Interpreter.cpp b/js/src/vm/Interpreter.cpp
index a8447cf776cf..43dd100c9d26 100644
--- a/js/src/vm/Interpreter.cpp
+++ b/js/src/vm/Interpreter.cpp
@@ -2019,7 +2019,7 @@ BEGIN_CASE(JSOP_NEG)
 END_CASE(JSOP_NEG)
 
 BEGIN_CASE(JSOP_POS)
-    if (!ToNumber(cx, &regs.sp[-1]))
+    if (!ToNumber(cx, MutableHandleValue::fromMarkedLocation(&regs.sp[-1])))
         goto error;
     if (!regs.sp[-1].isInt32())
         TypeScript::MonitorOverflow(cx, script, regs.pc);