A ByteArray created with ByteArray::create is allocated with new unsigned char[]. There is then a placement new to initialize the ByteArray object on top of this memory. ByteArray is RefCounted, so it is eventually destroyed with delete. In theory to do it properly, the destructor for ByteArray should be manually called, and then the memory should be freed with delete[]. My reading of the C++ standard allows new/delete and new[]/delete[] to use completely separate and incompatible allocators, which means it's important that a buffer allocated with new[] is freed with delete[].
One option that might be generally useful is to make RefCounted take a traits, in which Traits::destroy(Type*) is responsible for destroying the object. The trait would default to something like DefaultRefCountedTrait, which would implement the destroy(Type*) as a delete T; ByteArray could then supply it's own to do the proper ByteArray::~ByteArray() destructor, and then delete[]. I can try to make this patch, but I imagine any modifications to RefCounted as controversial, so I'll wait for some feedback. Thanks
It's important that new/delete and new[]/delete[] match, but I don't see how an array could be a RefCounted. Let me take a look.
OK, I see now. I don't think we should add traits to RefCounted just so it can be used by ByteArray, though. It doesn't need to inherit from RefCounted. I think it should just inherit from RefCountedBase and implement its own deref function.
See also Bug 23123.
Created attachment 26717 [details] Patch attempt.
Comment on attachment 26717 [details] Patch attempt. r=me
Comment on attachment 26717 [details] Patch attempt. r=me, do you have commit rights? (i lose track)
I don't, so feel free to commit it for me. Thanks.
Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/runtime/ByteArray.h Committed r39897