Bug 112832

Summary: Objective-C API: Fix over-releasing in allocateConstructorAndPrototypeWithSuperClassInfo:
Product: WebKit
Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCore
Assignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (3.52 KB, patch), 2013-03-20 13:49 PDT, Mark Hahnenberg, flags: ggaren: review+

Mark Hahnenberg
Reported 2013-03-20 13:25:51 PDT
If either the m_constructor or m_prototype (but not both) is collected, we will call allocateConstructorAndPrototypeWithSuperClassInfo, which will create a new object to replace the one that was collected, but at the end of the method we call release on both of them. This is incorrect since we autorelease the JSValue in the case that the object doesn't need to be reallocated. Thus we'll end up overreleasing later during the drain of the autorelease pool.
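The ownership mismatch described above is easy to lose in real code, so here is a small C++ model of manual retain/release with an autorelease pool that reproduces it. This is an added illustration, not WebKit's code: the names `Wrapper`, `Runtime`, `wrapBuggy`, `wrapFixed` and `simulate` are invented for the example, and `Wrapper` stands in for the JSValue object whose refcount is at stake. The "collected" flag models the JS object behind a slot having been garbage collected, so a fresh object has to be created and wrapped.

```cpp
// Toy model of Cocoa manual retain/release plus an autorelease pool.
// Added example, not WebKit code; all identifiers are illustrative.
#include <cstdio>
#include <memory>
#include <vector>

// One refcounted wrapper (stands in for a JSValue under manual retain/release).
struct Wrapper {
    int rc = 1;          // alloc hands the caller a +1 reference
    bool freed = false;
};

struct Runtime {
    std::vector<std::unique_ptr<Wrapper>> heap;  // keeps storage valid so the model never touches freed memory
    std::vector<Wrapper*> pool;                  // pending autoreleases
    int overReleases = 0;

    Wrapper* alloc() { heap.push_back(std::make_unique<Wrapper>()); return heap.back().get(); }
    void release(Wrapper* w) {
        if (w->freed) { ++overReleases; return; }  // real runtime: message to a freed object, typically a crash
        if (--w->rc == 0) w->freed = true;
    }
    Wrapper* autorelease(Wrapper* w) { pool.push_back(w); return w; }
    void drain() { for (Wrapper* w : pool) release(w); pool.clear(); }
    int leaks() const { int n = 0; for (auto& w : heap) if (!w->freed) ++n; return n; }
};

struct Result { int overReleases; int leaks; };

// Buggy shape from the report: the surviving-object path hands back +0
// (autoreleased), the recreate path hands back +1 (fresh alloc), and the
// caller then releases both unconditionally.
static Wrapper* wrapBuggy(Runtime& rt, bool collected) {
    if (!collected) return rt.autorelease(rt.alloc());  // like a +0 convenience constructor
    return rt.alloc();                                    // like alloc/init, +1
}

// Fixed shape: both paths return +0, so the caller owns nothing and releases nothing.
static Wrapper* wrapFixed(Runtime& rt, bool /*collected*/) {
    return rt.autorelease(rt.alloc());
}

enum class Variant { Buggy, DropReleasesOnly, Fixed };

// Runs one allocateConstructorAndPrototype-style call followed by a pool drain
// and reports how many releases hit an already-freed object and how many
// wrappers were never freed.
static Result simulate(Variant v, bool ctorCollected, bool protoCollected) {
    Runtime rt;
    auto wrap = (v == Variant::Fixed) ? wrapFixed : wrapBuggy;
    Wrapper* c = wrap(rt, ctorCollected);
    Wrapper* p = wrap(rt, protoCollected);
    // ... wiring of constructor.prototype / prototype.constructor would go here ...
    if (v == Variant::Buggy) { rt.release(c); rt.release(p); }  // the unconditional releases
    rt.drain();                                                  // end of the enclosing autorelease pool
    return { rt.overReleases, rt.leaks() };
}

int main() {
    const char* names[] = { "buggy", "drop releases only", "fixed" };
    for (int v = 0; v < 3; ++v)
        for (int cc = 0; cc < 2; ++cc)
            for (int pc = 0; pc < 2; ++pc) {
                Result r = simulate(static_cast<Variant>(v), cc, pc);
                std::printf("%-18s ctorCollected=%d protoCollected=%d -> overReleases=%d leaks=%d\n",
                            names[v], cc, pc, r.overReleases, r.leaks);
            }
    return 0;
}
```

Only the mixed cases (exactly one of the two slots recreated) over-release in the buggy variant, which matches the report's "either m_constructor or m_prototype (but not both)". The `DropReleasesOnly` variant shows why simply deleting the two releases would not have been a fix: the +1 alloc path would then leak. Making both paths return +0, as the patch does by switching to the `valueWithValue` class method, is what balances the accounting.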
Mark Hahnenberg
Comment 1 2013-03-20 13:49:24 PDT
Mark Hahnenberg
Comment 2 2013-03-20 13:53:12 PDT
Geoffrey Garen
Comment 3 2013-03-20 13:57:53 PDT
Comment on attachment 194111 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=194111&action=review

r=me

> Source/JavaScriptCore/ChangeLog:15
> +        (createObjectWithCustomBrand): We no longer alloc here. We instead call the JSValue valueWithValue class method.

"create" is a term of art for returning a +1 retained object. Since you're changing this function to return an autoreleased object, you should rename it to "objectWithCustomBrand".
Mark Hahnenberg
Comment 4 2013-03-20 14:44:17 PDT