diff --git a/js/src/jit-test/tests/baseline/bug936403.js b/js/src/jit-test/tests/baseline/bug936403.js
new file mode 100644
index 000000000000..81946d88ed40
--- /dev/null
+++ b/js/src/jit-test/tests/baseline/bug936403.js
@@ -0,0 +1,21 @@
+
+s = newGlobal()
+function f(code) {
+ evalcx(code, s)
+}
+f("\
+ c = [];\
+ var x;\
+ for each(z in[\
+ x,,[],,new Number,,,,new Number,,,,new Number,new Number,[],\
+ ,,,[],,new Number,,new Number,,[],new Number,[],,,,,,[],\
+ new Number,,new Number,[],,[],,,,[],,[],,,,,,,,,[],[],,[],\
+ [],[],,new Number,[],[],,[],,new Number,new Number,new Number,\
+ new Number,new Number,,,new Number,new Number,,[],[],[],,,[],\
+ [],[],new Number,,new Number,,,,,[],new Number,new Number,[],\
+ [],[],[],,x,[]]\
+ ) {\
+ c = z\
+ };\
+");
+f("c");
diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
index 3dd8bb375bd8..f9d7c54ed9a8 100644
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -1365,6 +1365,11 @@ ICUpdatedStub::addUpdateStubForValue(JSContext *cx, HandleScript script, HandleO
 types::EnsureTrackPropertyTypes(cx, obj, id);
+ // Make sure that undefined values are explicitly included in the property
+ // types for an object if generating a stub to write an undefined value.
+ if (val.isUndefined() && types::CanHaveEmptyPropertyTypesForOwnProperty(obj))
+ types::AddTypePropertyId(cx, obj, id, val);
+
 if (val.isPrimitive()) {
 JSValueType type = val.isDouble() ? JSVAL_TYPE_DOUBLE : val.extractNonDoubleType();
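Review bot: The comment added above the `val.isUndefined()` check in `addUpdateStubForValue` says what is recorded but not why. The soundness of the type update stub depends on that invariant, so it belongs in the source. Judging by the helper's name, objects for which `CanHaveEmptyPropertyTypesForOwnProperty(obj)` holds can have an own property whose type set is empty although the property may already hold undefined. The stub would then accept a value the set does not list, and anything that later trusts the set would be working from incomplete type information. I would extend the comment with a sentence such as `// An empty own-property type set implicitly admits undefined; record it explicitly so the set stays a superset of every value this stub lets through.`, adjusted once someone who knows the inference code confirms the wording. The function starts and continues outside this hunk, so whether the `val.isPrimitive()` branch below relies on the same assumption cannot be checked from here.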