diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index f5c332ad6d3..7dc4a9051f7 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -2470,9 +2470,9 @@ void TranslateToFuzzReader::mutateJSBoundary() {
 options.push_back(newHeapType);
 // We cannot look at a bottom type's supers (there can be many, and the
 // getSuperType() API doesn't return them), but can use
- // interestingHeapSubTypes on the top.
+ // interestingHeapSubTypes: any subtype of old is valid.
 if (newHeapType.isBottom()) {
- for (auto type : interestingHeapSubTypes[newHeapType.getTop()]) {
+ for (auto type : interestingHeapSubTypes[oldHeapType]) {
 options.push_back(type);
 }
 break;
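Review bot: The lookup `interestingHeapSubTypes[oldHeapType]` in the bottom-type branch is now keyed on an arbitrary heap type rather than a top type, so a missing entry becomes more plausible. The container's declaration is outside the hunk, but if it is a map, `operator[]` default-inserts an empty list on a miss, which silently adds no options and mutates the table while fuzzing. Consider a non-inserting lookup such as `if (auto it = interestingHeapSubTypes.find(oldHeapType); it != interestingHeapSubTypes.end())`, or state in the comment that every heap type is guaranteed an entry. The new comment would also read more clearly with the variable named: `// interestingHeapSubTypes[oldHeapType]: any subtype of the old type is valid.` The enclosing loop and the definitions of `oldHeapType` and `options` start outside the hunk, so whether the list can repeat `newHeapType` (already pushed above) cannot be checked from here.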