diff --git a/js/src/builtin/RegExp.cpp b/js/src/builtin/RegExp.cpp
index 17edc55206c..5134fd7fecf 100644
--- a/js/src/builtin/RegExp.cpp
+++ b/js/src/builtin/RegExp.cpp
@@ -559,8 +559,6 @@ js::ExecuteRegExp(JSContext *cx, HandleObject regexp, HandleString string, Match
 
     /* Step 4. */
     Value lastIndex = reobj->getLastIndex();
-
-    const jschar *chars = input->chars();
     size_t length = input->length();
 
     /* Step 5. */
@@ -593,6 +591,7 @@ js::ExecuteRegExp(JSContext *cx, HandleObject regexp, HandleString string, Match
     }
 
     /* Steps 8-21. */
+    const jschar *chars = input->chars();
     size_t lastIndexInt(i);
     RegExpRunStatus status =
         ExecuteRegExpImpl(cx, res, *re, input, chars, length, &lastIndexInt, matches);
diff --git a/js/src/vm/RegExpObject.cpp b/js/src/vm/RegExpObject.cpp
index 3505a683dd0..e5dc014b5ba 100644
--- a/js/src/vm/RegExpObject.cpp
+++ b/js/src/vm/RegExpObject.cpp
@@ -570,6 +570,9 @@ RegExpRunStatus
 RegExpShared::executeMatchOnly(JSContext *cx, const jschar *chars, size_t length,
                                size_t *lastIndex, MatchPair &match)
 {
+    /* These chars may be inline in a string. See bug 846011. */
+    SkipRoot skipChars(cx, &chars);
+
     /* Compile the code at point-of-use. */
     if (!compileMatchOnlyIfNecessary(cx))
         return RegExpRunStatus_Error;