Bug 162695

Summary: StringView should not delete the StringImpl it is viewing.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: Web Template FrameworkAssignee: Mark Lam <mark.lam>
Status: RESOLVED INVALID    
Severity: Normal CC: darin, ddkilzer
Priority: P2    
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   

Mark Lam
Reported 2016-09-28 11:27:37 PDT
Currently, StringView uses a UnderlyingString that starts with a refCount of 1 independent of how many references to the underlying StringImpl exists. In the StringView destructor, it then decrements its UnderlyingString refCount, and if that refCount is now 0, it proceeds to delete the referenced StringImpl even if the StringImpl's refCount is non-zero. As a result, this prematurely frees the StringImpl that other code is still expecting to be alive.
Attachments
Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2016-09-28 11:32:56 PDT
To clarify, this issue only manifests when CHECK_STRINGVIEW_LIFETIME is enabled.
Mark Lam
Comment 2 2016-09-28 11:36:54 PDT
Hmmm ... I'm wrong. Deleting the UnderlyingString should not delete the underlying StringImpl. I'll dig a little further.
Mark Lam
Comment 3 2016-09-28 11:54:42 PDT
I misread the code. This is not the issue I'm seeing.
Note You need to log in before you can comment on or make changes to this bug.