Bug 20169

Summary: Memory allocated with fastMalloc is freed with delete
Product: WebKit Reporter: Istvan Siket <siket>
Component: JavaScriptCoreAssignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED    
Severity: Minor    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
proposed fix sam: review+

Istvan Siket
Reported 2008-07-25 03:59:03 PDT
We analyzed WebKit (r35249, qt-linux) with Valgrind and found that memory allocated with fastMalloc is freed with delete. WebKit\JavaScriptCore\wtf\Vector.h file contains the allocation in the following function: inline T* Vector<T, inlineCapacity>::releaseBuffer() { T* buffer = m_buffer.releaseBuffer(); if (inlineCapacity && !buffer && m_size) { // If the vector had some data, but no buffer to release, // that means it was using the inline buffer. In that case, // we create a brand new buffer so the caller always gets one. size_t bytes = m_size * sizeof(T); buffer = static_cast<T*>(fastMalloc(bytes)); memcpy(buffer, data(), bytes); } ASSERT(buffer); m_size = 0; return buffer; } And the memory is freed in WebKit\JavaScriptCore\VM\JSPropertyNameIterator.cpp file, in the following function: void JSPropertyNameIterator::invalidate() { delete m_propertyNames; m_object = 0; m_propertyNames = 0; }
Attachments
proposed fix (1.52 KB, patch)
2008-07-25 06:53 PDT, Alexey Proskuryakov 		sam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2008-07-25 06:53:52 PDT
Created attachment 22473 [details] proposed fix Now, here's some seriously ugly code... I blame whoever implemented PropertyNameArray::releaseIdentifiers() :)
Sam Weinig
Comment 2 2008-07-29 10:00:01 PDT
Comment on attachment 22473 [details] proposed fix typo in the ChangeLog, you mean "Delete the array by calling *invalidata()*"
Alexey Proskuryakov
Comment 3 2008-07-29 22:53:21 PDT
Committed revision 35439.
Note You need to log in before you can comment on or make changes to this bug.