diff --git a/js/src/jit-test/tests/ion/bug1352510.js b/js/src/jit-test/tests/ion/bug1352510.js
new file mode 100644
index 000000000000..5c5e0e20afc7
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1352510.js
@@ -0,0 +1,8 @@
+function maybeSetLength(arr, b) {
+ if (b) arr.length = 0x7fffffff;
+}
+var arr = [];
+for (var i = 0; i < 2000; i++) {
+ maybeSetLength(arr, i > 1500);
+ var res = arr.push((0.017453));
+}
diff --git a/js/src/jit/VMFunctions.cpp b/js/src/jit/VMFunctions.cpp
index d0c03fdf9cf2..6f9c5b53bfae 100644
--- a/js/src/jit/VMFunctions.cpp
+++ b/js/src/jit/VMFunctions.cpp
@@ -356,8 +356,17 @@ ArrayPushDense(JSContext* cx, HandleObject obj, HandleValue v, uint32_t* length)
 return result == DenseElementResult::Success;
 }
 
+ // AutoDetectInvalidation uses GetTopJitJSScript(cx)->ionScript(), but it's
+ // possible the SetOrExtendAnyBoxedOrUnboxedDenseElements call already
+ // invalidated the IonScript. JitFrameIterator::ionScript works when the
+ // script is invalidated so we use that instead.
+ JitFrameIterator it(cx);
+ MOZ_ASSERT(it.type() == JitFrame_Exit);
+ ++it;
+ IonScript* ionScript = it.ionScript();
+
 JS::AutoValueArray<3> argv(cx);
- AutoDetectInvalidation adi(cx, argv[0]);
+ AutoDetectInvalidation adi(cx, argv[0], ionScript);
 argv[0].setUndefined();
 argv[1].setObject(*obj);
 argv[2].set(v);
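Review bot: After `++it` the code calls `it.ionScript()` on whatever frame follows the exit frame without checking that it is an Ion JS frame; only the exit-frame type is asserted. If this VM function is ever reached from a non-Ion caller the lookup would operate on the wrong frame kind, so the precondition should be stated where it is relied on: `MOZ_ASSERT(it.isIonJS());` immediately after `++it;`. The comment above the iterator already explains why `GetTopJitJSScript(cx)->ionScript()` cannot be used here, so a one-clause addition such as "the caller frame must be Ion-compiled" is enough to document the frame-shape assumption. ArrayPushDense begins before this hunk, so the early-return path that skips this block is not visible here.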