From a4c83904d055b7be409e847bab75f454430db8e8 Mon Sep 17 00:00:00 2001 From: Hannes Verschore Date: Thu, 5 Jan 2017 19:33:09 +0100 Subject: [PATCH] Bug 1312480, r=jandem --- js/src/vm/TypedArrayObject.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/js/src/vm/TypedArrayObject.cpp b/js/src/vm/TypedArrayObject.cpp index 2b02ff89fddb..286aae5f0d69 100644 --- a/js/src/vm/TypedArrayObject.cpp +++ b/js/src/vm/TypedArrayObject.cpp @@ -231,8 +231,10 @@ JS_FOR_EACH_TYPED_ARRAY(OBJECT_MOVED_TYPED_ARRAY) // Set a forwarding pointer for the element buffers in case they were // preserved on the stack by Ion. - nursery.maybeSetForwardingPointer(trc, oldObj->elements(), newObj->elements(), - /* direct = */nbytes >= sizeof(uintptr_t)); + if (nbytes > 0) { + nursery.maybeSetForwardingPointer(trc, oldObj->elements(), newObj->elements(), + /* direct = */nbytes >= sizeof(uintptr_t)); + } return newObj->hasInlineElements() ? 0 : nbytes; }