[Webkit-unassigned] [Bug 20169] New: Memory allocated with fastMalloc is freed with delete

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=20169

           Summary: Memory allocated with fastMalloc is freed with delete
           Product: WebKit
           Version: 526+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Minor
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: siket at inf.u-szeged.hu


We analyzed WebKit (r35249, qt-linux) with Valgrind and found that memory
allocated with fastMalloc is freed with delete.

WebKit\JavaScriptCore\wtf\Vector.h file contains the allocation in the
following function:

inline T* Vector<T, inlineCapacity>::releaseBuffer()
{
    T* buffer = m_buffer.releaseBuffer();
    if (inlineCapacity && !buffer && m_size) {
        // If the vector had some data, but no buffer to release,
        // that means it was using the inline buffer. In that case,
        // we create a brand new buffer so the caller always gets one.
        size_t bytes = m_size * sizeof(T);
        buffer = static_cast<T*>(fastMalloc(bytes));
        memcpy(buffer, data(), bytes);
    }
    ASSERT(buffer);
    m_size = 0;
    return buffer;
}

And the memory is freed in WebKit\JavaScriptCore\VM\JSPropertyNameIterator.cpp
file, in the following function:

void JSPropertyNameIterator::invalidate()
{
    delete m_propertyNames;
    m_object = 0;
    m_propertyNames = 0;
}


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.