diff --git a/js/src/vm/TypedArrayObject.cpp b/js/src/vm/TypedArrayObject.cpp index 2b02ff89fddb..286aae5f0d69 100644 --- a/js/src/vm/TypedArrayObject.cpp +++ b/js/src/vm/TypedArrayObject.cpp @@ -231,8 +231,10 @@ JS_FOR_EACH_TYPED_ARRAY(OBJECT_MOVED_TYPED_ARRAY) // Set a forwarding pointer for the element buffers in case they were // preserved on the stack by Ion. - nursery.maybeSetForwardingPointer(trc, oldObj->elements(), newObj->elements(), - /* direct = */nbytes >= sizeof(uintptr_t)); + if (nbytes > 0) { + nursery.maybeSetForwardingPointer(trc, oldObj->elements(), newObj->elements(), + /* direct = */nbytes >= sizeof(uintptr_t)); + } return newObj->hasInlineElements() ? 0 : nbytes; }