Why don't they store the housekeeping data preceding the allocation then, making sure the returned pointer is aligned? Operator delete could find the housekeeping information based on the pointer passed to it, via the magic of subtraction.
Seems a no-brainer to me... (maybe the implementation was implemented before alignment became a major issue though, and it is retained for backwards compatibility).
This is how I always thought it worked. AFAIK, the housekeeping data is just the length of the array, so delete knows how many objects to call the destructor on. I just ran a test in GCC and this is indeed how it works (count stored at ReturnedAddress - 4)
I tried placement new as well, and the pointer returned is the same as the pointer passed in, and I can't find the count stored in memory anywhere shortly before or after the data. Also, calling delete on it crashes. I'm pretty sure destructors have to be manually called on placement new'd things, since there's nothing marking that the delete shouldn't also release the memory either.