RESOLVED INVALID 11737
Windows cookie code uses a reference to a destroyed temporary 
https://bugs.webkit.org/show_bug.cgi?id=11737
Summary Windows cookie code uses a reference to a destroyed temporary
Brett Wilson (Google)
Reported 2006-12-01 15:41:17 PST
In CookieJarWin cookies() there is this great code: String& result = String(buffer, count-1); // Ignore the null terminator. delete buffer; return result; The fix is just: String result(buffer, count-1); // Ignore the null terminator. delete buffer; return result;
Attachments
Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2006-12-01 20:59:03 PST
This temporary should not be destroyed too early, according to C++ standard 12.2.5: "The temporary to which the reference is bound <...> persists for the lifetime of the reference except as specified below <exceptions don't seem to apply to this case>." Does MSVC destroy it too early? However, there is another problem in this snippet - a temporary object cannot be bound to a non-const reference, so it should be: const String& result = String(buffer, count-1); // Ignore the null terminator. delete[] buffer; return result;
Brett Wilson (Google)
Comment 2 2006-12-06 11:17:21 PST
Maybe you're right. I saw a memory corruption problem in this code (if I go to nytimes.com with no cookies), changed this, and the problem went away. In the code produced in debug mode it seems to do the right thing, but the maybe it's an optimizer problem. I think that this is potentially confusing even if it is correct and even if all compilers handle this case properly. The code I suggested produces exactly the same result in terms of objects and work and is super obvious.
Brett Wilson (Google)
Comment 3 2007-01-21 11:30:38 PST
Alexey is right. The crash I saw in this code was bug 12081.
Note You need to log in before you can comment on or make changes to this bug.