diff --git a/js/src/ion/RangeAnalysis.cpp b/js/src/ion/RangeAnalysis.cpp
index 434461144cf..91c4ddc5464 100644
--- a/js/src/ion/RangeAnalysis.cpp
+++ b/js/src/ion/RangeAnalysis.cpp
@@ -940,6 +940,10 @@ MMul::computeRange()
     if (canBeNegativeZero())
         canBeNegativeZero_ = Range::negativeZeroMul(&left, &right);
     setRange(Range::mul(&left, &right));
+
+    // Truncated multiplications could overflow in both directions
+    if (isTruncated() && !range()->isInt32())
+        setRange(new Range(INT32_MIN, INT32_MAX));
 }
 
 void
diff --git a/js/src/jit-test/tests/asm.js/testBug892291.js b/js/src/jit-test/tests/asm.js/testBug892291.js
new file mode 100644
index 00000000000..9e0ae976108
--- /dev/null
+++ b/js/src/jit-test/tests/asm.js/testBug892291.js
@@ -0,0 +1,10 @@
+function a(stdlib) {
+  "use asm";
+  var imul = stdlib.Math.imul;
+  function f() {
+    return ((imul(-800, 0xf8ba1243)|0) % -1)|0;
+  }
+  return f;
+}
+var f = a(this);
+assertEq(f(), 0);