diff --git a/js/src/jit-test/tests/ion/bug1155807.js b/js/src/jit-test/tests/ion/bug1155807.js
new file mode 100644
index 00000000000..7dd3a6de5d7
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1155807.js
@@ -0,0 +1,15 @@
+
+for (var i = 0; i < 2; i++) {
+    setJitCompilerOption("ion.warmup.trigger", 8)
+    function f(state) {
+        this.s = state
+    }
+    f.prototype.g = function(v, y) {
+        this.t
+    }
+    x = ['', '']
+    j = new f(false)
+    x.filter(j.g, j)
+    x.filter(j.g, new f(false))
+    j.__proto__ = {}
+}
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index e473c5c09c4..2f09e29f073 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -9468,6 +9468,10 @@ IonBuilder::getDefiniteSlot(TemporaryTypeSet* types, PropertyName* name, uint32_
                 if (!convertUnboxedGroups.append(key->group()))
                     CrashAtUnhandlableOOM("IonBuilder::getDefiniteSlot");
                 key = TypeSet::ObjectKey::get(nativeGroup);
+                if (key->unknownProperties()) {
+                    trackOptimizationOutcome(TrackedOutcome::UnknownProperties);
+                    return UINT32_MAX;
+                }
             }
         }