Changeset 34617 in webkit

Timestamp:
Jun 16, 2008 11:22:46 PM (16 years ago)
Author:
cwzwarich@webkit.org
Message:

2008-06-16 Cameron Zwarich <cwzwarich@uwaterloo.ca>

Reviewed by Maciej.

Bug 19596: LEAK: Gmail leaks SegmentedVector<RegisterID>
<https://bugs.webkit.org/show_bug.cgi?id=19596>

When growing SegmentedVector, we start adding segments at the position
of the last segment, overwriting it. The destructor frees allocated
segments starting at the segment of index 1, because the segment of
index 0 is assumed to be the initial inline segment. This causes a leak
of the segment that is referenced by index 0. Modifying grow() so that
it starts adding segments at the position after the last segment fixes
the leak.

Since the initial segment is a special case in the lookup code, this
bug never manifested itself via incorrect results.

  • VM/SegmentedVector.h: (KJS::SegmentedVector::grow):
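The grow() off-by-one described in the message above, as an added example that is not WebKit's code: a reduced model of a segmented vector whose slot 0 is an inline segment and whose destructor frees slots from index 1, with the pre-fix loop start (oldSize - 1) and the fixed one (oldSize) selectable at construction. A global counter of live heap segments stands in for a leak checker. The class name, the `buggy` flag, the counter and the segment size of 4 are assumptions made for illustration.

```cpp
// Added example (not WebKit's code): a reduced model of SegmentedVector that
// reproduces the grow() off-by-one from bug 19596 and the r34617 fix.
#include <cassert>
#include <cstddef>
#include <vector>

// Counts heap-allocated segments currently alive, so the leak is visible
// without running a leak checker. (Assumed helper, not in the original.)
static int g_liveHeapSegments = 0;

template <typename T, size_t SegmentSize>
class ModelSegmentedVector {
public:
    typedef std::vector<T> Segment;

    // `buggy` selects the pre-fix loop start (oldSize - 1) instead of oldSize.
    explicit ModelSegmentedVector(bool buggy)
        : m_size(0), m_buggy(buggy)
    {
        m_segments.push_back(&m_inlineSegment); // slot 0 is the inline segment
    }

    ~ModelSegmentedVector()
    {
        // As in the original destructor: slot 0 is assumed to be the inline
        // segment, so only slots 1.. are freed.
        for (size_t i = 1; i < m_segments.size(); ++i) {
            delete m_segments[i];
            --g_liveHeapSegments;
        }
    }

    size_t size() const { return m_size; }

    T& at(size_t index)
    {
        // Lookup special-cases the first segment, so a stale pointer left
        // in m_segments[0] by the bug is never dereferenced here.
        if (index < SegmentSize)
            return m_inlineSegment[index];
        return (*m_segments[index / SegmentSize])[index % SegmentSize];
    }

    void grow(size_t size)
    {
        assert(size > m_size);
        m_size = size;

        size_t numSegments = m_size / SegmentSize;
        size_t extra = m_size % SegmentSize;
        if (extra)
            numSegments++;
        size_t oldSize = m_segments.size();

        if (numSegments == oldSize) {
            m_segments.back()->resize(extra ? extra : SegmentSize);
            return;
        }

        m_segments.back()->resize(SegmentSize);
        m_segments.resize(numSegments); // new slots are null

        assert(oldSize < m_segments.size());
        // Bug: starting at oldSize - 1 overwrites the last live segment,
        // whose pointer is then never freed. Fix: start at oldSize, the
        // first empty slot.
        size_t first = m_buggy ? oldSize - 1 : oldSize;
        for (size_t i = first; i < numSegments - 1; i++) {
            Segment* segment = newSegment();
            segment->resize(SegmentSize);
            m_segments[i] = segment;
        }
        Segment* segment = newSegment();
        segment->resize(extra ? extra : SegmentSize);
        m_segments[numSegments - 1] = segment;
    }

private:
    Segment* newSegment()
    {
        ++g_liveHeapSegments;
        return new Segment;
    }

    size_t m_size;
    bool m_buggy;
    Segment m_inlineSegment;
    std::vector<Segment*> m_segments;
};

// Grows a vector from the inline segment across two heap segments, lets it
// die, and returns how many heap segments were never freed.
int leakedSegmentsAfterGrowth(bool buggy)
{
    g_liveHeapSegments = 0;
    {
        ModelSegmentedVector<int, 4> v(buggy);
        v.grow(3);   // still fits in the inline segment
        v.grow(10);  // needs 3 segments: inline + 2 heap
        v.at(9) = 42;
        assert(v.at(9) == 42); // results are right either way
    }
    return g_liveHeapSegments;
}
```

With the pre-fix loop start the first growth past the inline segment writes a fresh heap segment into slot 0; lookups still go through the inline member, so nothing misbehaves, but the destructor skips slot 0 and that segment is leaked (`leakedSegmentsAfterGrowth(true)` returns 1). With the fixed start the same growth leaks nothing.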
Location:
trunk/JavaScriptCore
Files:
2 edited

  • trunk/JavaScriptCore/ChangeLog

    r34615 r34617  
     12008-06-16  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
     2
     3        Reviewed by Maciej.
     4
     5        Bug 19596: LEAK: Gmail leaks SegmentedVector<RegisterID>
     6        <https://bugs.webkit.org/show_bug.cgi?id=19596>
     7
     8        When growing SegmentedVector, we start adding segments at the position
     9        of the last segment, overwriting it. The destructor frees allocated
     10        segments starting at the segment of index 1, because the segment of
     11        index 0 is assumed to be the initial inline segment. This causes a leak
     12        of the segment that is referenced by index 0. Modifying grow() so that
     13        it starts adding segments at the position after the last segment fixes
     14        the leak.
     15
     16        Since the initial segment is a special case in the lookup code, this
     17        bug never manifested itself via incorrect results.
     18
     19        * VM/SegmentedVector.h:
     20        (KJS::SegmentedVector::grow):
     21
    1222008-06-16  Maciej Stachowiak  <mjs@apple.com>
    223
  • trunk/JavaScriptCore/VM/SegmentedVector.h

    r34372 r34617  
    145145
    146146            ASSERT(oldSize < m_segments.size());
    147             for (size_t i = oldSize - 1; i < (numSegments - 1); i++) {
     147            for (size_t i = oldSize; i < (numSegments - 1); i++) {
    148148                Segment* segment = new Segment;
    149149                segment->resize(SegmentSize);
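Review bot: the new lower bound `oldSize` is the first empty slot after the resize that `ASSERT(oldSize < m_segments.size())` guards, but nothing at the loop states the invariant that made `oldSize - 1` wrong: slots `[0, oldSize)` are already live, and slot 0 is the inline segment that the destructor never frees. Suggest a one-line comment above the `for` saying so and, if `Vector::resize` leaves the new pointer slots null, an `ASSERT(!m_segments[i])` before each store so that any future overwrite of a live segment trips in debug builds instead of leaking silently. The parentheses around `numSegments - 1` in the loop condition are also unnecessary.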