diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp
index 81df2b5b1b2..228690cd5e1 100644
--- a/js/src/jscompartment.cpp
+++ b/js/src/jscompartment.cpp
@@ -20,6 +20,7 @@
 #include "assembler/wtf/Platform.h"
 #include "gc/Marking.h"
+#include "gc/Root.h"
 #include "js/MemoryMetrics.h"
 #include "methodjit/MethodJIT.h"
 #include "methodjit/PolyIC.h"
@@ -243,6 +244,9 @@ bool
 JSCompartment::putWrapper(const CrossCompartmentKey &wrapped, const js::Value &wrapper)
 {
 JS_ASSERT(wrapped.wrapped);
+ JS_ASSERT(!IsPoisonedPtr(wrapped.wrapped));
+ JS_ASSERT(!IsPoisonedPtr(wrapped.debugger));
+ JS_ASSERT(!IsPoisonedPtr(wrapper.toGCThing()));
 JS_ASSERT_IF(wrapped.kind == CrossCompartmentKey::StringWrapper, wrapper.isString());
 JS_ASSERT_IF(wrapped.kind != CrossCompartmentKey::StringWrapper, wrapper.isObject());
 // todo: uncomment when bug 815999 is fixed:
@@ -251,8 +255,9 @@ JSCompartment::putWrapper(const CrossCompartmentKey &wrapped, const js::Value &w
 }
 bool
-JSCompartment::wrap(JSContext *cx, Value *vp, JSObject *existing)
+JSCompartment::wrap(JSContext *cx, Value *vp, JSObject *existingArg)
 {
+ RootedObject existing(cx, existingArg);
 JS_ASSERT(cx->compartment == this);
 JS_ASSERT_IF(existing, existing->compartment() == cx->compartment);
 JS_ASSERT_IF(existing, vp->isObject());
diff --git a/js/src/jswrapper.cpp b/js/src/jswrapper.cpp
index 87ff862b8b5..767ec66bfe0 100644
--- a/js/src/jswrapper.cpp
+++ b/js/src/jswrapper.cpp
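Review bot: In the putWrapper hunk of jscompartment.cpp, the new `JS_ASSERT(!IsPoisonedPtr(wrapper.toGCThing()));` runs before the two `JS_ASSERT_IF` lines that check `wrapper.isString()` / `wrapper.isObject()`, so a wrapper value that is not a GC thing at all would be caught by whatever check `toGCThing()` performs internally (presumably its own assertion) rather than by the descriptive kind check. Moving that third poison assertion below the two `JS_ASSERT_IF` lines keeps the type contract first. All three checks are `JS_ASSERT`s and so presumably vanish in non-debug builds; a short comment such as `// Debug-only sanity checks: reject poisoned key/value pointers.` would make that scope explicit. The function body continues outside the hunk.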
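Review bot: In the JSCompartment::wrap hunk, `existingArg` stays in scope as a raw `JSObject *` after `RootedObject existing(cx, existingArg);`, so nothing stops later code from reading the unrooted copy after a call that can GC; the same pattern appears with `wobjArg`/`newTargetArg` in RemapWrapper and `oldTargetArg`/`newTargetArg` in RemapAllWrappersForObject in jswrapper.cpp. A one-line comment at each site, e.g. `// Do not use existingArg below; only the rooted |existing| is GC-safe.`, would document the convention, and a `HandleObject` parameter would let the type system enforce it if the callers can be updated. `vp` is still a raw `Value *`, so the caller is presumably expected to pass rooted storage, but the hunk does not show that contract stated anywhere. The function body continues outside the hunk.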
@@ -1049,8 +1049,10 @@ js::NukeCrossCompartmentWrappers(JSContext* cx,
 // |newTarget|. This recomputes the wrapper with JS_WrapValue, and thus can be
 // useful even if wrapper already points to newTarget.
 bool
-js::RemapWrapper(JSContext *cx, JSObject *wobj, JSObject *newTarget)
+js::RemapWrapper(JSContext *cx, JSObject *wobjArg, JSObject *newTargetArg)
 {
+ RootedObject wobj(cx, wobjArg);
+ RootedObject newTarget(cx, newTargetArg);
 JS_ASSERT(IsCrossCompartmentWrapper(wobj));
 JS_ASSERT(!IsCrossCompartmentWrapper(newTarget));
 JSObject *origTarget = Wrapper::wrappedObject(wobj);
@@ -1077,9 +1079,9 @@ js::RemapWrapper(JSContext *cx, JSObject *wobj, JSObject *newTarget)
 // First, we wrap it in the new compartment. We try to use the existing
 // wrapper, |wobj|, since it's been nuked anyway. The wrap() function has
 // the choice to reuse |wobj| or not.
- JSObject *tobj = newTarget;
+ RootedObject tobj(cx, newTarget);
 AutoCompartment ac(cx, wobj);
- if (!wcompartment->wrap(cx, &tobj, wobj))
+ if (!wcompartment->wrap(cx, tobj.address(), wobj))
 MOZ_CRASH();
 // If wrap() reused |wobj|, it will have overwritten it and returned with
@@ -1107,10 +1109,11 @@ js::RemapWrapper(JSContext *cx, JSObject *wobj, JSObject *newTarget)
 // Remap all cross-compartment wrappers pointing to |oldTarget| to point to
 // |newTarget|. All wrappers are recomputed.
 JS_FRIEND_API(bool)
-js::RemapAllWrappersForObject(JSContext *cx, JSObject *oldTarget,
- JSObject *newTarget)
+js::RemapAllWrappersForObject(JSContext *cx, JSObject *oldTargetArg,
+ JSObject *newTargetArg)
 {
- Value origv = ObjectValue(*oldTarget);
+ RootedValue origv(cx, ObjectValue(*oldTargetArg));
+ RootedObject newTarget(cx, newTargetArg);
 AutoWrapperVector toTransplant(cx);
 if (!toTransplant.reserve(cx->runtime->compartments.length()))
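Review bot: In the first RemapWrapper hunk, `JSObject *origTarget = Wrapper::wrappedObject(wobj);` is still a raw pointer directly below the newly rooted `wobj` and `newTarget`. If `origTarget` is read after any call that can trigger a GC (the next hunk shows `wcompartment->wrap(...)` in the same function), it carries the same stale-pointer hazard this commit appears to be removing for the parameters; `RootedObject origTarget(cx, Wrapper::wrappedObject(wobj));` would close it. The uses of `origTarget` lie outside the hunk, so this needs checking against the full body.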
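Review bot: In the RemapAllWrappersForObject hunk, `RootedValue origv(cx, ObjectValue(*oldTargetArg));` dereferences a caller-supplied pointer with no visible precondition check, and this is a `JS_FRIEND_API` entry point. RemapWrapper opens with assertions on its arguments; a matching `JS_ASSERT(oldTargetArg);` ahead of the two Rooted declarations would state the non-null contract, at least in debug builds. Also, `oldTargetArg` is never rooted as an object here, only through `origv`, so the rest of the body, which is outside the hunk, should refer to `origv` rather than the raw pointer.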