We analyzed WebKit (r35249, qt-linux) with Valgrind and found that memory allocated with fastMalloc is freed with delete.

The file WebKit\JavaScriptCore\wtf\Vector.h contains the allocation in the following function:

    inline T* Vector<T, inlineCapacity>::releaseBuffer()
    {
        T* buffer = m_buffer.releaseBuffer();
        if (inlineCapacity && !buffer && m_size) {
            // If the vector had some data, but no buffer to release,
            // that means it was using the inline buffer. In that case,
            // we create a brand new buffer so the caller always gets one.
            size_t bytes = m_size * sizeof(T);
            buffer = static_cast<T*>(fastMalloc(bytes));
            memcpy(buffer, data(), bytes);
        }
        ASSERT(buffer);
        m_size = 0;
        return buffer;
    }

And the memory is freed in the file WebKit\JavaScriptCore\VM\JSPropertyNameIterator.cpp, in the following function:

    void JSPropertyNameIterator::invalidate()
    {
        delete m_propertyNames;
        m_object = 0;
        m_propertyNames = 0;
    }
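The allocator mismatch in the report, modelled as an added example that is not WebKit's code: fastMalloc/fastFree and checkedDelete here are constructed stand-ins that track ownership of each pointer (standing in for what Valgrind observes), and the Vector is a cut-down model of the inline-buffer branch of releaseBuffer() above.

```cpp
#include <cassert>
#include <cstdlib>
#include <cstring>
#include <set>
// Constructed stand-ins for WTF's fastMalloc/fastFree: every pointer handed
// out is recorded, so a release through the wrong path is caught at runtime.
static std::set<void*> g_fastAllocations;
void* fastMalloc(size_t bytes) {
    void* p = std::malloc(bytes); g_fastAllocations.insert(p); return p;
}
bool fastFree(void* p) {  // false and no-op if fastMalloc never handed out p
    if (g_fastAllocations.erase(p) == 0) return false;
    std::free(p);
    return true;
}
// Stand-in for 'delete' on a raw buffer: refuses memory owned by fastMalloc,
// which is the mismatch Valgrind reported in this bug.
bool checkedDelete(int* p) {
    if (g_fastAllocations.count(p)) return false;
    delete[] p;
    return true;
}
// Model of Vector<T, inlineCapacity>::releaseBuffer() for the inline-buffer
// case: the caller gets a fresh fastMalloc'd copy and must free it to match.
template <typename T, size_t inlineCapacity>
struct Vector {
    T m_inline[inlineCapacity];
    size_t m_size = 0;
    void append(const T& v) { assert(m_size < inlineCapacity); m_inline[m_size++] = v; }
    T* releaseBuffer() {
        T* buffer = static_cast<T*>(fastMalloc(m_size * sizeof(T)));
        std::memcpy(buffer, m_inline, m_size * sizeof(T));
        m_size = 0;
        return buffer;
    }
};
// The reported bug: the released buffer is handed to delete. The tracking
// allocator refuses it; the buffer is then released through fastFree.
bool mismatchIsDetected() {
    Vector<int, 4> v; v.append(1); v.append(2);
    int* buffer = v.releaseBuffer();
    bool deleted = checkedDelete(buffer);  // false: wrong deallocator refused
    return !deleted && fastFree(buffer);   // true: caught, then freed correctly
}
// The fix: release through the allocator the buffer came from.
bool matchingFreeSucceeds() {
    Vector<int, 4> v; v.append(7);
    int* buffer = v.releaseBuffer();
    return buffer[0] == 7 && fastFree(buffer);  // true: copy intact, freed correctly
}
```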
Created attachment 22473: proposed fix

Now, here's some seriously ugly code... I blame whoever implemented PropertyNameArray::releaseIdentifiers() :)
Comment on attachment 22473 (proposed fix):

Typo in the ChangeLog, you mean "Delete the array by calling *invalidate()*".
Committed revision 35439.