From 644ee82385ce14be501bd10db2c4ec075bf0f4e8 Mon Sep 17 00:00:00 2001
From: Steve Fink <sfink@mozilla.com>
Date: Wed, 26 Sep 2012 14:24:37 -0700
Subject: [PATCH] Bug 794494 - Clear the right buffer link when pruning and
 reversing the list of ArrayBufferViews. r=billm

---
 js/src/jstypedarray.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/js/src/jstypedarray.cpp b/js/src/jstypedarray.cpp
index f73fa72f372..91b067ee4dd 100644
--- a/js/src/jstypedarray.cpp
+++ b/js/src/jstypedarray.cpp
@@ -551,7 +551,6 @@ ArrayBufferObject::sweepAll(JSRuntime *rt)
         JSObject **views = GetViewList(&buffer->asArrayBuffer());
         JS_ASSERT(*views);
         JSObject *nextBuffer = BufferLink(*views);
-        SetBufferLink(*views, UNSET_BUFFER_LINK);
 
         // Rebuild the list of views of the ArrayBuffer, discarding dead views
         JSObject *prevLiveView = NULL;
@@ -566,6 +565,8 @@ ArrayBufferObject::sweepAll(JSRuntime *rt)
             view = nextView;
         }
         *views = prevLiveView;
+        if (*views)
+            SetBufferLink(*views, UNSET_BUFFER_LINK);
 
         buffer = nextBuffer;
     }