diff --git a/js/src/jit-test/tests/gc/bug-906236.js b/js/src/jit-test/tests/gc/bug-906236.js
new file mode 100644
index 00000000000..7566bda428d
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-906236.js
@@ -0,0 +1,9 @@
+// |jit-test| error: too much recursion
+(function() {
+ (function f(x) {
+ return x * f(x - 1);
+ with({})
+ var r = ""
+ })()
+})()
+
diff --git a/js/src/vm/ScopeObject.cpp b/js/src/vm/ScopeObject.cpp
index bfcc5160d9a..df9e494262b 100644
--- a/js/src/vm/ScopeObject.cpp
+++ b/js/src/vm/ScopeObject.cpp
@@ -333,6 +333,8 @@ Class DeclEnvObject::class_ = {
 DeclEnvObject *
 DeclEnvObject::createTemplateObject(JSContext *cx, HandleFunction fun, gc::InitialHeap heap)
 {
+ JS_ASSERT(IsNurseryAllocable(FINALIZE_KIND));
+
 RootedTypeObject type(cx, cx->getNewType(&class_, NULL));
 if (!type)
 return NULL;
diff --git a/js/src/vm/ScopeObject.h b/js/src/vm/ScopeObject.h
index 14f859c81d0..d3468ea75dc 100644
--- a/js/src/vm/ScopeObject.h
+++ b/js/src/vm/ScopeObject.h
@@ -256,7 +256,7 @@ class DeclEnvObject : public ScopeObject
 public:
 static const uint32_t RESERVED_SLOTS = 2;
- static const gc::AllocKind FINALIZE_KIND = gc::FINALIZE_OBJECT2;
+ static const gc::AllocKind FINALIZE_KIND = gc::FINALIZE_OBJECT2_BACKGROUND;
 static Class class_;
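Review bot: The new test bug-906236.js has no comment saying what it guards, and the `with({})` and `var r = ""` after the `return` in `f` are unreachable, so they read as dead code that a later cleanup could delete. If those statements are what forces the scope setup this regression depends on (my inference, nothing in the test states it), a line such as `// The unreachable with/var below are intentional; do not remove.` above `with({})` would keep the test meaningful. The directive line already pins the expected outcome to "too much recursion", which is good.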
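Review bot: The added `JS_ASSERT(IsNurseryAllocable(FINALIZE_KIND));` at the top of DeclEnvObject::createTemplateObject in ScopeObject.cpp has no comment explaining why the kind must be nursery-allocable, and as a JS_ASSERT it presumably fires only in debug builds. Release builds therefore rely entirely on the constant in ScopeObject.h staying a nursery-allocable kind. I would add a comment above the assertion, for example `// |heap| may select the nursery, so FINALIZE_KIND must be a kind the nursery accepts.`, hedged on my reading of the `gc::InitialHeap heap` parameter because the rest of the body is outside the hunk. A matching comment next to `FINALIZE_KIND` in the header would help too, so that nobody changes it back to a non-background kind without seeing the constraint. Since FINALIZE_KIND is a compile-time constant, it is also worth checking whether the check can be made a static assertion, so a wrong kind fails the build rather than only a debug run.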