diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp
index eb74f0cb472..9643f7035af 100644
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -2499,7 +2499,7 @@ mjit::Compiler::jsop_setprop(JSAtom *atom)
 Address slot(objReg, 1 << 24);
 if (vr.isConstant) {
- dbgInlineStoreType = masm.storeValue(Valueify(vr.u.v), slot);
+ dbgInlineStoreType = masm.storeValueForIC(Valueify(vr.u.v), slot);
 DBGLABEL_ASSIGN(dbgInlineStoreData);
 } else {
 if (vr.u.s.isTypeKnown) {
diff --git a/js/src/methodjit/NunboxAssembler.h b/js/src/methodjit/NunboxAssembler.h
index ae13039f61e..5301112a471 100644
--- a/js/src/methodjit/NunboxAssembler.h
+++ b/js/src/methodjit/NunboxAssembler.h
@@ -153,25 +153,35 @@ class Assembler : public BaseAssembler
 * Stores type first, then payload.
 * Returns label after type store. Useful for offset verification.
 */
- Label storeValue(const Value &v, Address address) {
+ void storeValue(const Value &v, Address address) {
 jsval_layout jv;
 jv.asBits = JSVAL_BITS(Jsvalify(v));
 store32(ImmTag(jv.s.tag), tagOf(address));
- Label l = label();
 if (!v.isUndefined())
 store32(Imm32(jv.s.payload.u32), payloadOf(address));
- return l;
 }
- Label storeValue(const Value &v, BaseIndex address) {
+ void storeValue(const Value &v, BaseIndex address) {
+ jsval_layout jv;
+ jv.asBits = JSVAL_BITS(Jsvalify(v));
+
+ store32(ImmTag(jv.s.tag), tagOf(address));
+ if (!v.isUndefined())
+ store32(Imm32(jv.s.payload.u32), payloadOf(address));
+ }
+
+ /*
+ * Performs type store before payload store, even for Undefined.
+ * Returns label after type store.
+ */
+ Label storeValueForIC(const Value &v, Address address) {
 jsval_layout jv;
 jv.asBits = JSVAL_BITS(Jsvalify(v));
 store32(ImmTag(jv.s.tag), tagOf(address));
 Label l = label();
- if (!v.isUndefined())
- store32(Imm32(jv.s.payload.u32), payloadOf(address));
+ store32(Imm32(jv.s.payload.u32), payloadOf(address));
 return l;
 }
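Review bot: Switching the constant branch to `storeValueForIC` encodes a contract with the IC that nothing at the call site states: the setprop repatcher now writes both the type and the payload immediates, so the inline path must emit both stores even when the constant is `undefined`, and a later reader could "optimize" this back to `storeValue` without noticing. I'd add `// storeValueForIC always emits the payload store too: the setprop PIC repatches both immediates unconditionally.` above the call. `jsop_setprop` begins before the hunk and the `else` branch continues past it, so I cannot see whether the non-constant path emits a payload store at the same offset; the unconditional repatch presumably relies on that as well.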
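Review bot: The new `storeValueForIC` comment says what the overload does but not why it exists, which is the one thing a maintainer needs here: `storeValue` skipping the payload for `undefined` is fine only as long as no IC later patches that payload slot. I'd extend the comment to `* Unlike storeValue(), always emits the payload store so an IC can later repatch both the tag and payload immediates; repatching a store that was never emitted would overwrite unrelated instruction bytes.` As a style point, the `BaseIndex` overload of `storeValue` is now a verbatim copy of the `Address` overload and could share one implementation. The enclosing class starts before the hunk.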
diff --git a/js/src/methodjit/PolyIC.cpp b/js/src/methodjit/PolyIC.cpp
index 22517475f33..c2d9b8d3706 100644
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@@ -251,14 +251,9 @@ class SetPropCompiler : public PICStubCompiler
 }
 uint32 shapeOffs = pic.shapeGuard + SETPROP_INLINE_SHAPE_OFFSET;
- repatcher.repatch(pic.fastPathStart.dataLabel32AtOffset(shapeOffs),
- obj->shape());
- repatcher.repatch(pic.storeBack.dataLabel32AtOffset(inlineTypeOffset()),
- offset + 4);
- if (!pic.u.vr.isConstant || !Valueify(pic.u.vr.u.v).isUndefined()) {
- repatcher.repatch(pic.storeBack.dataLabel32AtOffset(inlineDataOffset()),
- offset);
- }
+ repatcher.repatch(pic.fastPathStart.dataLabel32AtOffset(shapeOffs), obj->shape());
+ repatcher.repatch(pic.storeBack.dataLabel32AtOffset(inlineTypeOffset()), offset + 4);
+ repatcher.repatch(pic.storeBack.dataLabel32AtOffset(inlineDataOffset()), offset);
 pic.inlinePathPatched = true;
diff --git a/js/src/methodjit/PunboxAssembler.h b/js/src/methodjit/PunboxAssembler.h
index f2293b8ad75..64a0794e66b 100644
--- a/js/src/methodjit/PunboxAssembler.h
+++ b/js/src/methodjit/PunboxAssembler.h
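Review bot: The third `repatch` now writes the payload immediate unconditionally, so every inline path that reaches this code must have emitted a payload store at `inlineDataOffset()`; the hunk itself carries no evidence of that invariant, and if it ever fails the patch lands on whatever instruction bytes happen to sit there. I'd record it in place: `// The inline path always emits both stores (storeValueForIC for constants), so both immediates are patched.` The Compiler side assigns a `dbgInlineStoreData` label; if a debug build already compares it with `inlineDataOffset()` that covers this, otherwise such a check would turn the comment into an assertion, and I can't see from here which is the case. `offset + 4` for the type word is a nunbox layout assumption that deserves a named constant or a comment. The enclosing function starts before the hunk.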
@@ -205,23 +205,29 @@ class Assembler : public BaseAssembler
 storePtr(imm, valueOf(address));
 }
- /*
- * Only does one store. Returns label after store.
- * This is useless, but matches NunboxAssembler's interface.
- */
- Label storeValue(const Value &v, Address address) {
+ void storeValue(const Value &v, Address address) {
 jsval_layout jv;
 jv.asBits = JSVAL_BITS(Jsvalify(v));
 storePtr(Imm64(jv.asBits), valueOf(address));
- return label();
 }
- Label storeValue(const Value &v, BaseIndex address) {
+ void storeValue(const Value &v, BaseIndex address) {
 jsval_layout jv;
 jv.asBits = JSVAL_BITS(Jsvalify(v));
 storePtr(Imm64(jv.asBits), valueOf(address));
+ }
+
+ /*
+ * Only does one store. Returns label after store.
+ * This is useless, but matches NunboxAssembler's interface.
+ */
+ Label storeValueForIC(const Value &v, Address address) {
+ jsval_layout jv;
+ jv.asBits = JSVAL_BITS(Jsvalify(v));
+
+ storePtr(Imm64(jv.asBits), valueOf(address));
 return label();
 }
diff --git a/js/src/trace-test/tests/jaeger/bug583672.js b/js/src/trace-test/tests/jaeger/bug583672.js
new file mode 100644
index 00000000000..79335ece3b4
--- /dev/null
+++ b/js/src/trace-test/tests/jaeger/bug583672.js
@@ -0,0 +1,30 @@
+(function () {
+ function f()
+ {
+ this.y = w
+ this.y = (void 0)
+ Object
+ }
+ for (a in [0, 0, 0, 0])
+ {
+ new f
+ }
+ let w = {}
+})()
+
+/* Make sure that MICs don't have the same bug. */
+x = Object();
+(function () {
+ function f()
+ {
+ x = w
+ x = (void 0)
+ Object
+ }
+ for (a in [0, 0, 0, 0])
+ {
+ new f
+ }
+ let w = {}
+})()
+/* Don't assert. */
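Review bot: The comment carried over onto `storeValueForIC`, `This is useless, but matches NunboxAssembler's interface`, now misdescribes a return value that the Compiler hunk actually consumes (`dbgInlineStoreType = masm.storeValueForIC(...)`), and it was the only documentation the two `storeValue` overloads had, which are now undocumented. I'd reword it to `* Punbox writes the whole value in one 64-bit store, so there is no separate type store to label; the returned label is the position after that single store, kept for interface parity with NunboxAssembler::storeValueForIC.` and give `storeValue` a one-liner such as `/* Stores the full 64-bit encoding of v in one store; no label is returned. */`. The enclosing class starts before the hunk.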
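Review bot: The new test file has no header saying what it reproduces; `/* Don't assert. */` at the bottom is the only hint, and a reader of `bug583672.js` has to infer from the code that the point is a constant `undefined` store (`this.y = (void 0)`) following a non-constant store to the same property (`this.y = w`) inside a loop that presumably warms up the setprop IC. A leading comment would make the intent durable: `// Bug 583672: a constant undefined store after a non-constant store to the same property must not leave the setprop IC repatching a payload store that was never emitted.` The second half, per its own comment, repeats the pattern for the global-name case. `a` in `for (a in ...)` and `x` are implicit globals; `x` looks intentional for the MIC case, `a` presumably is not, though it is harmless for a crash test.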