diff --git a/js/src/jscntxt.h b/js/src/jscntxt.h
index 7f6e08b2f9aa..0fb97842aa37 100644
--- a/js/src/jscntxt.h
+++ b/js/src/jscntxt.h
@@ -1656,6 +1656,13 @@ struct JSRuntime {
 return JS_LIKELY(!!p) ? p : onOutOfMemory(reinterpret_cast(1), bytes, cx);
 }
 
+ void* realloc(void* p, size_t oldBytes, size_t newBytes, JSContext *cx = NULL) {
+ JS_ASSERT(oldBytes < newBytes);
+ updateMallocCounter(newBytes - oldBytes);
+ void *p2 = ::js_realloc(p, newBytes);
+ return JS_LIKELY(!!p2) ? p2 : onOutOfMemory(p, newBytes, cx);
+ }
+
 void* realloc(void* p, size_t bytes, JSContext *cx = NULL) {
 /*
 * For compatibility we do not account for realloc that increases
@@ -2295,6 +2302,10 @@ struct JSContext
 return runtime->realloc(p, bytes, this);
 }
 
+ inline void* realloc(void* p, size_t oldBytes, size_t newBytes) {
+ return runtime->realloc(p, oldBytes, newBytes, this);
+ }
+
 inline void free(void* p) {
 #ifdef JS_THREADSAFE
 if (gcBackgroundFree) {
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index 6c33ad8ef529..87fe8cff3e77 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -3939,7 +3939,7 @@ JSObject::growSlots(JSContext *cx, size_t newcap)
 if (!hasSlotsArray())
 return allocSlots(cx, actualCapacity);
 
- Value *tmpslots = (Value*) cx->realloc(slots, actualCapacity * sizeof(Value));
+ Value *tmpslots = (Value*) cx->realloc(slots, oldcap * sizeof(Value), actualCapacity * sizeof(Value));
 if (!tmpslots)
 return false; /* Leave dslots as its old size. */
 slots = tmpslots;
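Review bot: The only guard on `newBytes - oldBytes` in the new `JSRuntime::realloc` overload is `JS_ASSERT(oldBytes < newBytes)`, which is presumably compiled out of release builds, so a caller passing an equal or smaller new size makes the unsigned subtraction wrap and hands a near-maximal `size_t` to `updateMallocCounter`. That looks like a malloc-accounting and GC-scheduling problem rather than memory corruption, but it is cheap to rule out with `if (newBytes > oldBytes) updateMallocCounter(newBytes - oldBytes);`. The overload also has no comment saying that it is for strict growth only and that the original `p`, not a sentinel, is what gets passed to `onOutOfMemory` on failure. The same contract applies to the `JSContext::realloc(p, oldBytes, newBytes)` wrapper added in the second jscntxt.h hunk, which is the entry point callers will actually see.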
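Review bot: Both byte counts passed to `cx->realloc` are unchecked products, `oldcap * sizeof(Value)` and `actualCapacity * sizeof(Value)`, and the new overload additionally requires the first to be strictly smaller than the second. `oldcap` and any clamp on `actualCapacity` are established earlier in `growSlots`, outside this hunk, so neither the no-wrap property nor the strict-growth property can be confirmed from the visible lines. If the function already guarantees them, stating that at the call site with `JS_ASSERT(oldcap < actualCapacity);` and a short comment naming the capacity limit would keep a later change to the rounding logic from silently producing an undersized slots buffer.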