Bug 20169

Summary: Memory allocated with fastMalloc is freed with delete
Product: WebKit
Reporter: Istvan Siket <siket>
Component: JavaScriptCore
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED
Severity: Minor
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Linux
Attachments:
proposed fix (Flags: sam: review+)

Description Istvan Siket 2008-07-25 03:59:03 PDT
We analyzed WebKit (r35249, qt-linux) with Valgrind and found that memory allocated with fastMalloc is freed with delete.

The file WebKit\JavaScriptCore\wtf\Vector.h contains the allocation, in the following function:

template<typename T, size_t inlineCapacity>
inline T* Vector<T, inlineCapacity>::releaseBuffer()
{
    T* buffer = m_buffer.releaseBuffer();
    if (inlineCapacity && !buffer && m_size) {
        // If the vector had some data, but no buffer to release,
        // that means it was using the inline buffer. In that case,
        // we create a brand new buffer so the caller always gets one.
        size_t bytes = m_size * sizeof(T);
        buffer = static_cast<T*>(fastMalloc(bytes));
        memcpy(buffer, data(), bytes);
    }
    ASSERT(buffer);
    m_size = 0;
    return buffer;
}

The memory is freed in the file WebKit\JavaScriptCore\VM\JSPropertyNameIterator.cpp, in the following function:

void JSPropertyNameIterator::invalidate()
{
    delete m_propertyNames;
    m_object = 0;
    m_propertyNames = 0;
}
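The allocator mismatch in the report can be reproduced and caught without Valgrind by tracking which blocks fastMalloc handed out. The following is an added example written for this page, not WebKit code and not the fix that landed in r35439: the `tracked` namespace is a stand-in for WTF's fastMalloc/fastFree with a live-block registry, the global `operator new`/`operator delete` are replaced so that a `delete` on a fastMalloc block is counted as a mismatch, `releaseCopy` models the inline-buffer branch of `Vector::releaseBuffer()` quoted above, and `FastMallocArray` is one hypothetical owner type that releases such a buffer the right way. The names `tracked`, `releaseCopy`, `FastMallocArray`, `mismatchCount` and the `demo*` functions are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <new>

// Registry of live blocks handed out by fastMalloc. A fixed array (not std::set)
// is used so the registry never allocates; that keeps the replaced global
// operator new/delete below free of re-entrancy. Added example, not WTF code.
namespace tracked {

static const std::size_t kMaxLive = 256;
static void* g_live[kMaxLive];
static std::size_t g_liveCount = 0;
static int g_mismatches = 0;   // fastMalloc block released through delete, or vice versa
static int g_fastFrees = 0;    // fastMalloc block correctly released through fastFree

static bool unregisterBlock(void* p) {
    for (std::size_t i = 0; i < g_liveCount; ++i) {
        if (g_live[i] == p) {
            g_live[i] = g_live[--g_liveCount];
            return true;
        }
    }
    return false;
}

// Stand-in for WTF::fastMalloc / WTF::fastFree: malloc-backed, with bookkeeping.
void* fastMalloc(std::size_t n) {
    if (g_liveCount == kMaxLive) throw std::bad_alloc();
    void* p = std::malloc(n ? n : 1);
    if (!p) throw std::bad_alloc();
    g_live[g_liveCount++] = p;
    return p;
}

void fastFree(void* p) {
    if (!p) return;
    if (unregisterBlock(p)) ++g_fastFrees;
    else ++g_mismatches;  // reverse mismatch: block did not come from fastMalloc
    std::free(p);
}

int mismatchCount() { return g_mismatches; }
int fastFreeCount() { return g_fastFrees; }
std::size_t liveCount() { return g_liveCount; }

}  // namespace tracked

// Replace the global allocation functions so that `delete` on a fastMalloc block
// is recorded as a mismatch instead of silently passing through to free().
void* operator new(std::size_t n) {
    void* p = std::malloc(n ? n : 1);
    if (!p) throw std::bad_alloc();
    return p;
}
void operator delete(void* p) noexcept {
    if (p && tracked::unregisterBlock(p)) ++tracked::g_mismatches;
    std::free(p);
}
void operator delete(void* p, std::size_t) noexcept { operator delete(p); }

// Models the inline-buffer branch of Vector::releaseBuffer(): the caller gets
// storage that came from fastMalloc, never from operator new.
template<typename T>
T* releaseCopy(const T* data, std::size_t size) {
    std::size_t bytes = size * sizeof(T);
    T* buffer = static_cast<T*>(tracked::fastMalloc(bytes));
    std::memcpy(buffer, data, bytes);
    return buffer;
}

// Hypothetical owner for such a buffer: runs the element destructors, then
// returns the storage with fastFree, the only deallocator that pairs with it.
template<typename T>
class FastMallocArray {
public:
    FastMallocArray(T* buffer, std::size_t size) : m_buffer(buffer), m_size(size) {}
    ~FastMallocArray() {
        for (std::size_t i = 0; i < m_size; ++i) m_buffer[i].~T();
        tracked::fastFree(m_buffer);
    }
    FastMallocArray(const FastMallocArray&) = delete;
    FastMallocArray& operator=(const FastMallocArray&) = delete;
    T& operator[](std::size_t i) { return m_buffer[i]; }
    std::size_t size() const { return m_size; }
private:
    T* m_buffer;
    std::size_t m_size;
};

// The reported defect: storage from fastMalloc handed to delete.
// Returns how many mismatches the tracking allocator recorded (1).
int demoDeleteOnFastMallocBuffer() {
    const int src[3] = {1, 2, 3};           // constructed sample data
    int* buffer = releaseCopy(src, 3);
    int before = tracked::mismatchCount();
    delete buffer;   // the pairing JSPropertyNameIterator::invalidate() used
    return tracked::mismatchCount() - before;
}

// Matched pairing: the same kind of buffer released through fastFree (0).
int demoFastFreeOnFastMallocBuffer() {
    const int src[3] = {1, 2, 3};           // constructed sample data
    int before = tracked::mismatchCount();
    {
        FastMallocArray<int> owner(releaseCopy(src, 3), 3);
        (void)owner[0];
    }
    return tracked::mismatchCount() - before;
}
```

The registry is deliberately a fixed array: a `std::set` would allocate through the very `operator new` being replaced, and its node frees would re-enter `operator delete` mid-erase. Replacing the global operators this way is what debug allocators do in practice; in a real tree the same check belongs in a debug build of fastFree and in a Valgrind run, as the reporter did.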
Comment 1 Alexey Proskuryakov 2008-07-25 06:53:52 PDT
Created attachment 22473 [details]
proposed fix

Now, here's some seriously ugly code... I blame whoever implemented PropertyNameArray::releaseIdentifiers() :)
Comment 2 Sam Weinig 2008-07-29 10:00:01 PDT
Comment on attachment 22473 [details]
proposed fix

typo in the ChangeLog, you mean "Delete the array by calling *invalidata()*"
Comment 3 Alexey Proskuryakov 2008-07-29 22:53:21 PDT
Committed revision 35439.