Bug 1295031 - Pass direct = true only if we have enough space for the forwarding pointer. r=jandem

--HG--
extra : rebase_source : 6940838a5f490c6b128e3cfe333c0b4eb05480e6

js/src/jit-test/tests/basic/bug1295031.js

@@ -0,0 +1,20 @@
+try {
+    while (true) {
+        a = inIon() ? 0 : 300;
+        try {
+            buf = new Uint8ClampedArray(a);
+            assertEq(buf.length, 300);
+        } catch (e) {
+            assertEqa;
+        }
+    }
+} catch(exc1) {}
+loadFile()
+function loadFile() {
+    try {
+        switch (lfRunTypeId) {
+          case 1:
+            eval();
+        }
+    } catch (lfVare) {}
+}

js/src/vm/TypedArrayObject.cpp

@@ -228,7 +228,8 @@ JS_FOR_EACH_TYPED_ARRAY(OBJECT_MOVED_TYPED_ARRAY)
 
     // Set a forwarding pointer for the element buffers in case they were
     // preserved on the stack by Ion.
-    nursery.maybeSetForwardingPointer(trc, oldObj->elements(), newObj->elements(), true);
+    nursery.maybeSetForwardingPointer(trc, oldObj->elements(), newObj->elements(),
+                                      /* direct = */nbytes >= sizeof(uintptr_t));
 
     return newObj->hasInlineElements() ? 0 : nbytes;
 }