From 549947fd25e32292dd1258b04a11a62e91da0462 Mon Sep 17 00:00:00 2001
From: Jon Coppeard
Date: Mon, 26 Jun 2017 20:15:41 -0400
Subject: [PATCH] Bug 1369994 - Ensure template objects for typed arrays are initialized properly before exposing them to GC. r=sfink
---
 js/src/vm/TypedArrayObject.cpp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/js/src/vm/TypedArrayObject.cpp b/js/src/vm/TypedArrayObject.cpp
index 64c6116f37e0..acd2ff242fe4 100644
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -578,11 +578,6 @@ class TypedArrayObjectTemplate : public TypedArrayObject
         RootedObject tmp(cx, NewBuiltinClassInstance(cx, clasp, allocKind, newKind));
         if (!tmp)
             return nullptr;
-        if (script && !ObjectGroup::setAllocationSiteObjectGroup(cx, script, pc, tmp,
-                                                                newKind == SingletonObject))
-        {
-            return nullptr;
-        }
 
         TypedArrayObject* tarray = &tmp->as();
         initTypedArraySlots(cx, tarray, len);
@@ -592,6 +587,12 @@ class TypedArrayObjectTemplate : public TypedArrayObject
         // nullptr and avoid allocating memory that will never be used.
         tarray->initPrivate(nullptr);
 
+        if (script && !ObjectGroup::setAllocationSiteObjectGroup(cx, script, pc, tmp,
+                                                                newKind == SingletonObject))
+        {
+            return nullptr;
+        }
+
         return tarray;
     }
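Review bot: `return tarray;` at the end of the second hunk hands back a raw `TypedArrayObject*` that was derived from `tmp` before the relocated `setAllocationSiteObjectGroup` call, and since the reason for moving that call after initialization is that it can trigger a GC, a moving collection there would leave the raw pointer stale while only the rooted `tmp` is updated. Re-deriving the result from the root after the call, `return &tmp->as<TypedArrayObject>();`, avoids holding an unrooted pointer across the GC-capable call whether or not template objects end up tenured, which this hunk does not let me confirm. A short comment above the moved block would also preserve the reason for the ordering, e.g. `// Set the allocation-site group last: it can GC, so the object must be fully initialized first.` The enclosing method's signature lies above the first hunk and is not visible here, and the template argument on the `&tmp->as()` context line appears to have been stripped in this rendering rather than in the source.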