Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/2839062f84fb

# HG changeset patch
# User Jan de Mooij <jdemooij@mozilla.com>
# Date 1455119320 -3600
# Node ID 2839062f84fb6cba2781ea8d59150f13d4813ddc
# Parent  185b233ea03f3811404e3979b65ec86b29d13555
Bug 1242279 - r=bhackett1024 a=sylvestre

diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3961,16 +3961,22 @@ JSScript::maybeSweepTypes(AutoClearTypeI
 
     unsigned num = TypeScript::NumTypeSets(this);
     StackTypeSet* typeArray = types_->typeArray();
 
     // Remove constraints and references to dead objects from stack type sets.
     for (unsigned i = 0; i < num; i++)
         typeArray[i].sweep(zone(), *oom);
 
+    if (oom->hadOOM()) {
+        // It's possible we OOM'd while copying freeze constraints, so they
+        // need to be regenerated.
+        hasFreezeConstraints_ = false;
+    }
+
     // Update the recompile indexes in any IonScripts still on the script.
     if (hasIonScript())
         ionScript()->recompileInfoRef().shouldSweep(types);
 }
 
 void
 TypeScript::destroy()
 {
diff --git a/js/src/vm/TypeInference.h b/js/src/vm/TypeInference.h
--- a/js/src/vm/TypeInference.h
+++ b/js/src/vm/TypeInference.h
@@ -566,16 +566,19 @@ class AutoClearTypeInferenceStateOnOOM
       : zone(zone), oom(false)
     {}
 
     ~AutoClearTypeInferenceStateOnOOM();
 
     void setOOM() {
         oom = true;
     }
+    bool hadOOM() const {
+        return oom;
+    }
 };
 
 /* Superclass common to stack and heap type sets. */
 class ConstraintTypeSet : public TypeSet
 {
   public:
     /* Chain of constraints which propagate changes out from this type set. */
     TypeConstraint* constraintList;