diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp
index 34d5a138ccd..703e4917fc7 100644
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -2234,6 +2234,10 @@ mjit::Compiler::jsop_getelem_pic(FrameEntry *obj, FrameEntry *id, RegisterID obj
                                  inlineAtomOffsetLabel, ImmPtr(BOGUS_ATOM));
     DBGLABEL(dbgInlineAtomJump);
 
+    /*
+     * The state between these two exits is identical, so this safe. The
+     * GETELEM PIC repatches both jumps to the slowPathStart on reset.
+     */
     stubcc.linkExit(idGuard, Uses(2));
     pic.slowPathStart = stubcc.linkExit(jmpShapeGuard, Uses(2));
 
diff --git a/js/src/methodjit/PolyIC.cpp b/js/src/methodjit/PolyIC.cpp
index a85230ef690..e604cbcbfe3 100644
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@@ -1130,6 +1130,8 @@ class GetElemCompiler : public PICStubCompiler
                           int32(JSObjectMap::INVALID_SHAPE));
         repatcher.relink(pic.fastPathStart.jumpAtOffset(pic.shapeGuard + inlineShapeJump(pic)),
                          pic.slowPathStart);
+        repatcher.relink(pic.fastPathStart.jumpAtOffset(pic.shapeGuard + inlineAtomJump(pic)),
+                         pic.slowPathStart);
 
         RepatchBuffer repatcher2(pic.slowPathStart.executableAddress(), INLINE_PATH_LENGTH);
         ReturnAddressPtr retPtr(pic.slowPathStart.callAtOffset(pic.callReturn).executableAddress());