Bug 20169 - Memory allocated with fastMalloc is freed with delete
Summary: Memory allocated with fastMalloc is freed with delete
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Minor
Assignee: Alexey Proskuryakov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-07-25 03:59 PDT by Istvan Siket
Modified: 2008-07-29 22:53 PDT (History)
CC List: 0 users
See Also:
Attachments
proposed fix (1.52 KB, patch)
2008-07-25 06:53 PDT, Alexey Proskuryakov
sam: review+

Description Istvan Siket 2008-07-25 03:59:03 PDT
We analyzed WebKit (r35249, qt-linux) with Valgrind and found that memory allocated with fastMalloc is freed with delete.

WebKit\JavaScriptCore\wtf\Vector.h file contains the allocation in the following function:

template<typename T, size_t inlineCapacity>
inline T* Vector<T, inlineCapacity>::releaseBuffer()
{
    T* buffer = m_buffer.releaseBuffer();
    if (inlineCapacity && !buffer && m_size) {
        // If the vector had some data, but no buffer to release,
        // that means it was using the inline buffer. In that case,
        // we create a brand new buffer so the caller always gets one.
        size_t bytes = m_size * sizeof(T);
        buffer = static_cast<T*>(fastMalloc(bytes));
        memcpy(buffer, data(), bytes);
    }
    ASSERT(buffer);
    m_size = 0;
    return buffer;
}

And the memory is freed in WebKit\JavaScriptCore\VM\JSPropertyNameIterator.cpp file, in the following function:

void JSPropertyNameIterator::invalidate()
{
    delete m_propertyNames;
    m_object = 0;
    m_propertyNames = 0;
}
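The report above is a classic allocator mismatch: a buffer obtained from fastMalloc is handed across an API boundary (releaseBuffer()) as a raw pointer, and the receiver disposes of it with delete. The following is an added example, not WebKit code, showing two things a practitioner wants from this bug: how a heap checker recognises such a mismatch (the mechanism behind Valgrind's "Mismatched free() / delete / delete []" report), and a structural fix that makes the mistake impossible by attaching the correct deallocator to the ownership handle. The names fast_malloc, fast_free, registry, FastFreeDeleter and release_buffer are assumptions chosen for the example; they stand in for WTF's fastMalloc/fastFree and Vector::releaseBuffer().

```cpp
// Added example (not WebKit code). A small allocation registry tags every
// block with the allocator that produced it, so a free through the wrong
// path is counted instead of silently corrupting the heap. fast_malloc and
// fast_free are stand-ins for WTF's fastMalloc/fastFree (assumed names).
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <memory>
#include <new>

enum class Alloc { None, Fast, New };

namespace registry {
    constexpr std::size_t kMax = 1024;
    struct Entry { void* ptr; Alloc kind; };
    Entry entries[kMax];           // zero-initialised: every slot is Alloc::None
    std::size_t mismatches = 0;    // deallocations that used the wrong path

    void record(void* p, Alloc kind) {
        for (auto& e : entries)
            if (e.kind == Alloc::None) { e = Entry{p, kind}; return; }
        // Registry full: pass through silently rather than break the program.
    }
    // Forgets p and returns the allocator that produced it (None if unknown).
    Alloc release(void* p) {
        for (auto& e : entries)
            if (e.kind != Alloc::None && e.ptr == p) {
                Alloc k = e.kind;
                e = Entry{nullptr, Alloc::None};
                return k;
            }
        return Alloc::None;
    }
    // Called on every free path: a mismatch is an allocation whose recorded
    // allocator differs from the one now being used to release it.
    void check(void* p, Alloc expected) {
        Alloc actual = release(p);
        if (actual != Alloc::None && actual != expected) ++mismatches;
    }
}

void* fast_malloc(std::size_t n) {
    void* p = std::malloc(n);
    registry::record(p, Alloc::Fast);
    return p;
}
void fast_free(void* p) {
    if (!p) return;
    registry::check(p, Alloc::Fast);
    std::free(p);
}

// Replace global new/delete so a delete of fast_malloc'd memory is visible.
// Both paths bottom out in malloc/free here, so the mismatch is detected and
// counted without the heap corruption a real mixed-allocator free causes.
void* operator new(std::size_t n) {
    void* p = std::malloc(n ? n : 1);
    if (!p) throw std::bad_alloc();
    registry::record(p, Alloc::New);
    return p;
}
void operator delete(void* p) noexcept {
    if (!p) return;
    registry::check(p, Alloc::New);
    std::free(p);
}

// The pattern from the report: a fast_malloc'd buffer released with delete.
// Returns the number of mismatches this call added to the registry (1).
std::size_t mismatched_release() {
    std::size_t before = registry::mismatches;
    int* buffer = static_cast<int*>(fast_malloc(4 * sizeof(int)));
    delete buffer;                       // wrong deallocator: flagged
    return registry::mismatches - before;
}

// Structural fix: the ownership handle carries the matching deallocator, so a
// caller receiving the released buffer cannot choose the wrong one.
struct FastFreeDeleter { void operator()(void* p) const { fast_free(p); } };
using FastBuffer = std::unique_ptr<int, FastFreeDeleter>;

FastBuffer release_buffer(const int* src, std::size_t count) {
    int* buffer = static_cast<int*>(fast_malloc(count * sizeof(int)));
    std::memcpy(buffer, src, count * sizeof(int));
    return FastBuffer(buffer);
}

// Same hand-off through the typed handle: no mismatch is recorded (0).
std::size_t correct_release() {
    std::size_t before = registry::mismatches;
    const int sample[] = {1, 2, 3, 4};   // constructed input
    FastBuffer b = release_buffer(sample, 4);
    return registry::mismatches - before; // b freed via fast_free on scope exit
}

int main() {
    std::printf("raw pointer + delete : %zu mismatch(es)\n", mismatched_release());
    std::printf("unique_ptr + deleter : %zu mismatch(es)\n", correct_release());
    return 0;
}
```

The registry deliberately frees through the same underlying allocator on both paths, so the example is safe to run; in real code the mismatch is undefined behaviour and only a tool such as Valgrind or ASan makes it visible. The unique_ptr variant is the general form of the fix: whenever a buffer's ownership leaves the component that allocated it, the deallocator should travel with it in the type rather than in documentation.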
Comment 1 Alexey Proskuryakov 2008-07-25 06:53:52 PDT
Created attachment 22473
proposed fix

Now, here's some seriously ugly code... I blame whoever implemented PropertyNameArray::releaseIdentifiers() :)
Comment 2 Sam Weinig 2008-07-29 10:00:01 PDT
Comment on attachment 22473
proposed fix

typo in the ChangeLog, you mean "Delete the array by calling *invalidata()*"
Comment 3 Alexey Proskuryakov 2008-07-29 22:53:21 PDT
Committed revision 35439.