--- a/xpcom/glue/nsTArray-inl.h
+++ b/xpcom/glue/nsTArray-inl.h
@@ -288,17 +288,17 @@ template<class Alloc>
 nsTArray_base<Alloc>::IsAutoArrayRestorer::~IsAutoArrayRestorer() {
   // Careful: We don't want to set mIsAutoArray = 1 on sEmptyHdr.
   if (mIsAuto && mArray.mHdr == mArray.EmptyHdr()) {
     // Call GetAutoArrayBufferUnsafe() because GetAutoArrayBuffer() asserts
     // that mHdr->mIsAutoArray is true, which surely isn't the case here.
     mArray.mHdr = mArray.GetAutoArrayBufferUnsafe(mElemAlign);
     mArray.mHdr->mLength = 0;
   }
-  else {
+  else if (mArray.mHdr != mArray.EmptyHdr()) {
     mArray.mHdr->mIsAutoArray = mIsAuto;
   }
 }
 
 template<class Alloc>
 template<class Allocator>
 bool
 nsTArray_base<Alloc>::SwapArrayElements(nsTArray_base<Allocator>& other,

--- a/xpcom/glue/nsTArray.h
+++ b/xpcom/glue/nsTArray.h
@@ -322,18 +322,24 @@ protected:
   void ShiftData(index_type start, size_type oldLen, size_type newLen,
                  size_type elemSize, size_t elemAlign);
 
   // This method increments the length member of the array's header.
   // Note that mHdr may actually be sEmptyHdr in the case where a
   // zero-length array is inserted into our array. But then n should
   // always be 0.
   void IncrementLength(uint32_t n) {
-    MOZ_ASSERT(mHdr != EmptyHdr() || n == 0, "bad data pointer");
-    mHdr->mLength += n;
+    if (mHdr == EmptyHdr()) {
+      if (MOZ_UNLIKELY(n != 0)) {
+        // Writing a non-zero length to the empty header would be extremely bad.
+        MOZ_CRASH();
+      }
+    } else {
+      mHdr->mLength += n;
+    }
   }
 
   // This method inserts blank slots into the array.
   // @param index the place to insert the new elements. This must be no
   //              greater than the current length of the array.
   // @param count the number of slots to insert
   // @param elementSize the size of an array element.
   // @param elemAlign the alignment in bytes of an array element.