It looks like the right way to allocate memory that will end up held in an ArrayBuffer is js_pod_arena_malloc<char>(js::ArrayBufferContentsArena, size), which is bleeding internal details all over. It would be better to provide JS::MallocForArrayBuffer(size) or perhaps JS::MallocForArrayBuffer(cx, size) to encapsulate this, and encourage callers of JS::NewArrayBufferWithContents to allocate the memory that way. (Even better would be to be able to assert when freeing ArrayBuffer data that it is in the correct arena.)
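The arena check the comment wishes for, as an added stand-alone illustration that is not SpiderMonkey code: a tiny tagged allocator where every block records the arena it came from, a free path that refuses a block from the wrong arena, and a hypothetical malloc_for_array_buffer / new_array_buffer_with_contents pair modelled on the proposed JS::MallocForArrayBuffer and the existing JS::NewArrayBufferWithContents. The Arena enum, the header layout and all function names are assumptions for the example; the real engine's arenas and API differ.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Hypothetical arena tags standing in for SpiderMonkey's internal arena ids
// (such as js::ArrayBufferContentsArena); these are not the real values.
enum class Arena : uint32_t { Default = 0, ArrayBufferContents = 1, Unknown = 0xFFFFFFFFu };

// Header stored in front of every payload so the matching free can verify
// which arena the block belongs to.
struct alignas(alignof(std::max_align_t)) ArenaHeader {
    uint32_t magic;        // marks blocks produced by arena_malloc
    uint32_t arena;        // Arena the block was tagged with
    uint64_t payloadSize;  // requested size, kept for diagnostics
};
static constexpr uint32_t kArenaMagic = 0x41524E41u;  // "ARNA"

// Allocate `size` bytes tagged with `arena`. Returns nullptr on failure.
void* arena_malloc(Arena arena, size_t size) {
    void* raw = std::malloc(sizeof(ArenaHeader) + size);
    if (!raw) return nullptr;
    auto* hdr = static_cast<ArenaHeader*>(raw);
    hdr->magic = kArenaMagic;
    hdr->arena = static_cast<uint32_t>(arena);
    hdr->payloadSize = size;
    return hdr + 1;  // payload follows the header
}

// Recover the arena a payload pointer was tagged with. `p` must be null or a
// live pointer from arena_malloc; Unknown is returned when the magic is wrong.
Arena arena_of(const void* p) {
    if (!p) return Arena::Unknown;
    const auto* hdr = static_cast<const ArenaHeader*>(p) - 1;
    if (hdr->magic != kArenaMagic) return Arena::Unknown;
    return static_cast<Arena>(hdr->arena);
}

// Free a block only if it carries the expected arena tag. On a mismatch the
// block is left untouched and false is returned; a real engine would assert.
bool arena_free(void* p, Arena expected) {
    if (!p) return true;  // freeing null is a no-op, as with free()
    if (arena_of(p) != expected) return false;
    auto* hdr = static_cast<ArenaHeader*>(p) - 1;
    hdr->magic = 0;  // clear the tag before handing the block back
    std::free(hdr);
    return true;
}

// The encapsulating helper the comment proposes (hypothetical name and
// signature, modelled on the suggested JS::MallocForArrayBuffer(size)).
void* malloc_for_array_buffer(size_t size) {
    return arena_malloc(Arena::ArrayBufferContents, size);
}

// Counterpart that releases ArrayBuffer contents with the arena check.
bool free_array_buffer_contents(void* contents) {
    return arena_free(contents, Arena::ArrayBufferContents);
}

// Minimal stand-in for an ArrayBuffer that takes ownership of `contents`.
struct FakeArrayBuffer {
    void* data = nullptr;
    size_t length = 0;
};

// Stand-in for JS::NewArrayBufferWithContents: adopts `contents` only when it
// was allocated through malloc_for_array_buffer, so the later free cannot hit
// an allocator/arena mismatch.
bool new_array_buffer_with_contents(size_t length, void* contents, FakeArrayBuffer* out) {
    if (arena_of(contents) != Arena::ArrayBufferContents) return false;
    out->data = contents;
    out->length = length;
    return true;
}

int main() {
    FakeArrayBuffer buf;
    void* good = malloc_for_array_buffer(64);
    std::printf("adopt arena-tagged block:  %s\n",
                new_array_buffer_with_contents(64, good, &buf) ? "ok" : "rejected");
    void* wrong = arena_malloc(Arena::Default, 64);
    std::printf("adopt default-arena block: %s\n",
                new_array_buffer_with_contents(64, wrong, &buf) ? "ok" : "rejected");
    arena_free(wrong, Arena::Default);
    free_array_buffer_contents(buf.data);
    return 0;
}
```

The point of the header is that the free side can check provenance without trusting the caller: a block from the default arena is rejected both at adoption and at release, which is the kind of mismatch that otherwise surfaces only as a crash or heap corruption.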