11737 2006-12-01 15:41:17 -0800 Windows cookie code uses a reference to a destroyed temporary 2007-01-21 11:30:38 -0800 1 1 1 Unclassified WebKit New Bugs 420+ PC Windows XP RESOLVED INVALID P2 Normal --- 1 brettw webkit-unassigned ap oldest_to_newest 43635 0 brettw 2006-12-01 15:41:17 -0800 In CookieJarWin cookies() there is this great code: String& result = String(buffer, count-1); // Ignore the null terminator. delete buffer; return result; The fix is just: String result(buffer, count-1); // Ignore the null terminator. delete buffer; return result; 43551 1 ap 2006-12-01 20:59:03 -0800 This temporary should not be destroyed too early, according to C++ standard 12.2.5: "The temporary to which the reference is bound <...> persists for the lifetime of the reference except as specified below <exceptions don't seem to apply to this case>." Does MSVC destroy it too early? However, there is another problem in this snippet - a temporary object cannot be bound to a non-const reference, so it should be: const String& result = String(buffer, count-1); // Ignore the null terminator. delete[] buffer; return result; 43082 2 brettw 2006-12-06 11:17:21 -0800 Maybe you're right. I saw a memory corruption problem in this code (if I go to nytimes.com with no cookies), changed this, and the problem went away. In the code produced in debug mode it seems to do the right thing, but the maybe it's an optimizer problem. I think that this is potentially confusing even if it is correct and even if all compilers handle this case properly. The code I suggested produces exactly the same result in terms of objects and work and is super obvious. 33924 3 brettw 2007-01-21 11:30:38 -0800 Alexey is right. The crash I saw in this code was bug 12081.