diff --git a/js/src/builtin/TypedObject.js b/js/src/builtin/TypedObject.js
index 3a80d6873ea4..d80ebe08630c 100644
--- a/js/src/builtin/TypedObject.js
+++ b/js/src/builtin/TypedObject.js
@@ -114,7 +114,7 @@ TypedObjectPointer.prototype.moveTo = function(propName) {
     // the type *object*; this is because some type objects represent
     // unsized arrays and hence do not have a length.
     var index = TO_INT32(propName);
-    if (index === propName && index < REPR_LENGTH(this.typeRepr))
+    if (index === propName && index >= 0 && index < REPR_LENGTH(this.typeRepr))
       return this.moveToElem(index);
     break;
 
@@ -133,7 +133,9 @@ TypedObjectPointer.prototype.moveTo = function(propName) {
 TypedObjectPointer.prototype.moveToElem = function(index) {
   assert(this.kind() == JS_TYPEREPR_ARRAY_KIND,
          "moveToElem invoked on non-array");
-  assert(index < REPR_LENGTH(this.typeRepr),
+  assert(TO_INT32(index) === index,
+         "moveToElem invoked with non-integer index");
+  assert(index >= 0 && index < REPR_LENGTH(this.typeRepr),
          "moveToElem invoked with out-of-bounds index");
 
   var elementTypeObj = this.typeObj.elementType;
diff --git a/js/src/tests/ecma_6/TypedObject/handle_move.js b/js/src/tests/ecma_6/TypedObject/handle_move.js
index 8722d061d75f..d3224cbbeb32 100644
--- a/js/src/tests/ecma_6/TypedObject/handle_move.js
+++ b/js/src/tests/ecma_6/TypedObject/handle_move.js
@@ -145,6 +145,11 @@ function runTests() {
       var h = Point.handle();
       T.Handle.move(h, lines, 22, "to");
     }, TypeError, "No such property: 22");
+
+    assertThrowsInstanceOf(function() {
+      var h = Point.handle();
+      T.Handle.move(h, lines, -100, "to");
+    }, TypeError, "No such property: -100");
   }
   testHandleMoveToIllegalProperty();