fix: several memory leaks in the new String API (#11263)

hargoniX · web-flow · commit 827a96ade31c · 2025-11-19T18:23:35.000Z
This PR fixes several memory leaks in the new `String` API.

These leaks are mostly situations where we forgot to put borrowing
annotations. The single
exception is the new `String` constructor `ofByteArray`. It cannot take
the `ByteArray` as
a borrowed argument anymore and must thus free it on its own.
diff --git a/src/Init/Data/String/Basic.lean b/src/Init/Data/String/Basic.lean
@@ -80,7 +80,7 @@ where
   termination_by structural fuel
 
 @[expose, extern "lean_string_validate_utf8"]
-def ByteArray.validateUTF8 (b : ByteArray) : Bool :=
+def ByteArray.validateUTF8 (b : @& ByteArray) : Bool :=
   go (b.size + 1) 0 (by simp) (by simp)
 where
   go (fuel : Nat) (i : Nat) (hi : i ≤ b.size) (hf : b.size - i < fuel) : Bool :=
@@ -1601,11 +1601,11 @@ def Slice.pos! (s : Slice) (off : String.Pos.Raw) : s.Pos :=
 /-- Advances a valid position on a string to the next valid position, given a proof that the
 position is not the past-the-end position, which guarantees that such a position exists. -/
 @[expose, extern "lean_string_utf8_next_fast"]
-def ValidPos.next {s : String} (pos : s.ValidPos) (h : pos ≠ s.endValidPos) : s.ValidPos :=
+def ValidPos.next {s : @& String} (pos : @& s.ValidPos) (h : pos ≠ s.endValidPos) : s.ValidPos :=
   ((inline (Slice.Pos.next pos.toSlice (ne_of_apply_ne Slice.Pos.ofSlice (by simpa)))).ofSlice)
 
 @[expose, extern "lean_string_utf8_next_fast"]
-def Pos.next {s : String} (pos : s.ValidPos) (h : pos ≠ s.endValidPos) : s.ValidPos :=
+def Pos.next {s : @& String} (pos : @& s.ValidPos) (h : pos ≠ s.endValidPos) : s.ValidPos :=
   ((inline (Slice.Pos.next pos.toSlice (ne_of_apply_ne Slice.Pos.ofSlice (by simpa)))).ofSlice)
 
 /-- Advances a valid position on a string to the next valid position, or returns `none` if the
diff --git a/src/runtime/object.cpp b/src/runtime/object.cpp
@@ -1952,8 +1952,10 @@ extern "C" LEAN_EXPORT obj_res lean_decode_lossy_utf8(b_obj_arg a) {
     return lean_mk_string_from_bytes(reinterpret_cast<char *>(lean_sarray_cptr(a)), lean_sarray_size(a));
 }
 
-extern "C" LEAN_EXPORT obj_res lean_string_from_utf8_unchecked(b_obj_arg a) {
-    return lean_mk_string_from_bytes_unchecked(reinterpret_cast<char *>(lean_sarray_cptr(a)), lean_sarray_size(a));
+extern "C" LEAN_EXPORT obj_res lean_string_from_utf8_unchecked(obj_arg a) {
+    obj_res ret = lean_mk_string_from_bytes_unchecked(reinterpret_cast<char *>(lean_sarray_cptr(a)), lean_sarray_size(a));
+    lean_dec(a);
+    return ret;
 }
 
 extern "C" LEAN_EXPORT uint8 lean_string_validate_utf8(b_obj_arg a) {

Original file line number	Diff line number	Diff line change
`@@ -1952,8 +1952,10 @@ extern "C" LEAN_EXPORT obj_res lean_decode_lossy_utf8(b_obj_arg a) {`
`1952`	`1952`	`return lean_mk_string_from_bytes(reinterpret_cast<char *>(lean_sarray_cptr(a)), lean_sarray_size(a));`
`1953`	`1953`	`}`
`1954`	`1954`
`1955`		`-extern "C" LEAN_EXPORT obj_res lean_string_from_utf8_unchecked(b_obj_arg a) {`
`1956`		`- return lean_mk_string_from_bytes_unchecked(reinterpret_cast<char *>(lean_sarray_cptr(a)), lean_sarray_size(a));`
	`1955`	`+extern "C" LEAN_EXPORT obj_res lean_string_from_utf8_unchecked(obj_arg a) {`
	`1956`	`+ obj_res ret = lean_mk_string_from_bytes_unchecked(reinterpret_cast<char *>(lean_sarray_cptr(a)), lean_sarray_size(a));`
	`1957`	`+ lean_dec(a);`
	`1958`	`+ return ret;`
`1957`	`1959`	`}`
`1958`	`1960`
`1959`	`1961`	`extern "C" LEAN_EXPORT uint8 lean_string_validate_utf8(b_obj_arg a) {`