Bug 23315

Summary: Mismatched new[] / delete in ByteArray
Product: WebKit Reporter: Dean McNamee <deanm>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: oliver
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Patch attempt. darin: review+

Dean McNamee
Reported 2009-01-14 05:43:54 PST
A ByteArray created with ByteArray::create is allocated with new unsigned char[]. There is then a placement new to initialize the ByteArray object on top of this memory. ByteArray is RefCounted, so it is eventually destroyed with delete. In theory to do it properly, the destructor for ByteArray should be manually called, and then the memory should be freed with delete[]. My reading of the C++ standard allows new/delete and new[]/delete[] to use completely separate and incompatible allocators, which means it's important that a buffer allocated with new[] is freed with delete[].
Attachments
Patch attempt. (1.66 KB, patch)
2009-01-14 10:39 PST, Dean McNamee 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Dean McNamee
Comment 1 2009-01-14 05:56:49 PST
One option that might be generally useful is to make RefCounted take a traits, in which Traits::destroy(Type*) is responsible for destroying the object. The trait would default to something like DefaultRefCountedTrait, which would implement the destroy(Type*) as a delete T; ByteArray could then supply it's own to do the proper ByteArray::~ByteArray() destructor, and then delete[]. I can try to make this patch, but I imagine any modifications to RefCounted as controversial, so I'll wait for some feedback. Thanks
Darin Adler
Comment 2 2009-01-14 10:03:31 PST
It's important that new/delete and new[]/delete[] match, but I don't see how an array could be a RefCounted. Let me take a look.
Darin Adler
Comment 3 2009-01-14 10:07:05 PST
OK, I see now. I don't think we should add traits to RefCounted just so it can be used by ByteArray, though. It doesn't need to inherit from RefCounted. I think it should just inherit from RefCountedBase and implement its own deref function.
David Kilzer (:ddkilzer)
Comment 4 2009-01-14 10:39:14 PST
See also Bug 23123.
Dean McNamee
Comment 5 2009-01-14 10:39:29 PST
Created attachment 26717 [details] Patch attempt.
Darin Adler
Comment 6 2009-01-14 10:43:00 PST
Comment on attachment 26717 [details] Patch attempt. r=me
Oliver Hunt
Comment 7 2009-01-14 10:43:21 PST
Comment on attachment 26717 [details] Patch attempt. r=me, do you have commit rights? (i lose track)
Dean McNamee
Comment 8 2009-01-14 10:54:11 PST
I don't, so feel free to commit it for me. Thanks.
Oliver Hunt
Comment 9 2009-01-14 11:08:05 PST
Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/runtime/ByteArray.h Committed r39897
Note You need to log in before you can comment on or make changes to this bug.