diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index 685791a3b18..868d17a0317 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -1001,6 +1001,16 @@ Class js_SlowArrayClass = {
     js_TryValueOf
 };
 
+static bool
+AddLengthProperty(JSContext *cx, JSObject *obj)
+{
+    const jsid lengthId = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom);
+    JS_ASSERT(!obj->nativeLookup(lengthId));
+
+    return obj->addProperty(cx, lengthId, array_length_getter, array_length_setter,
+                            SHAPE_INVALID_SLOT, JSPROP_PERMANENT | JSPROP_SHARED, 0, 0);
+}
+
 /*
  * Convert an array object from fast-and-dense to slow-and-flexible.
  */
@@ -1027,9 +1037,7 @@ JSObject::makeDenseArraySlow(JSContext *cx)
      * Begin with the length property to share more of the property tree.
      * The getter/setter here will directly access the object's private value.
      */
-    if (!addProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.lengthAtom),
-                     array_length_getter, array_length_setter,
-                     SHAPE_INVALID_SLOT, JSPROP_PERMANENT | JSPROP_SHARED, 0, 0)) {
+    if (!AddLengthProperty(cx, this)) {
         setMap(oldMap);
         return false;
     }
@@ -3088,7 +3096,7 @@ JSObject *
 NewSlowEmptyArray(JSContext *cx)
 {
     JSObject *obj = NewNonFunction<WithProto::Class>(cx, &js_SlowArrayClass, NULL, NULL);
-    if (!obj)
+    if (!obj || !AddLengthProperty(cx, obj))
         return NULL;
 
     obj->setArrayLength(0);