diff --git a/js/src/jit-test/tests/basic/bug1295031.js b/js/src/jit-test/tests/basic/bug1295031.js
new file mode 100644
index 000000000000..386ffc93abb9
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1295031.js
@@ -0,0 +1,20 @@
+try {
+    while (true) {
+        a = inIon() ? 0 : 300;
+        try {
+            buf = new Uint8ClampedArray(a);
+            assertEq(buf.length, 300);
+        } catch (e) {
+            assertEqa;
+        }
+    }
+} catch(exc1) {}
+loadFile()
+function loadFile() {
+    try {
+        switch (lfRunTypeId) {
+          case 1:
+            eval();
+        }
+    } catch (lfVare) {}
+}
diff --git a/js/src/vm/TypedArrayObject.cpp b/js/src/vm/TypedArrayObject.cpp
index 4800953feebf..5931dca6080b 100644
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -228,7 +228,8 @@ JS_FOR_EACH_TYPED_ARRAY(OBJECT_MOVED_TYPED_ARRAY)
 
     // Set a forwarding pointer for the element buffers in case they were
     // preserved on the stack by Ion.
-    nursery.maybeSetForwardingPointer(trc, oldObj->elements(), newObj->elements(), true);
+    nursery.maybeSetForwardingPointer(trc, oldObj->elements(), newObj->elements(),
+                                      /* direct = */nbytes >= sizeof(uintptr_t));
 
     return newObj->hasInlineElements() ? 0 : nbytes;
 }