Bug 212492
| Summary: | GridPositionsResolver.cpp stores pointers to HashMap value slots | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Oriol Brufau <obrufau> |
| Component: | CSS | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | darin, jfernandez, rego |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Oriol Brufau
NamedLineCollection::NamedLineCollection in GridPositionsResolver.cpp does things like

```cpp
const NamedGridLinesMap& gridLineNames = isRowAxis ? gridContainerStyle.namedGridColumnLines() : gridContainerStyle.namedGridRowLines();
auto linesIterator = gridLineNames.find(namedLine);
m_namedLinesIndexes = linesIterator == gridLineNames.end() ? nullptr : &linesIterator->value;
```

where NamedGridLinesMap is a HashMap<String, Vector<unsigned>>.
According to Darin Adler from bug 209572 comment #2,
> It’s really risky to store a pointer to a value slot in a HashMap. If any
> change is made to the map, adding or removing anything, rehashing means the
> pointer can end up invalid. Worse, it’s basically unpredictable how often
> this will happen so you could do a lot of testing and never observe it.
So a different approach should be used.
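An added illustration of the hazard and of one safer shape, in C++ (this is constructed example code, not WebKit's and not the reporter's): a small open-addressing map stands in for WTF::HashMap, since values in such a table live inline in the slot array and a rehash moves them (std::unordered_map would not show this, as it keeps each element in its own node). The cached-slot-pointer function mirrors the pattern quoted above; the key-based lookup keeps the key and resolves the slot on each use instead.

```cpp
#include <cstdint>
#include <functional>
#include <optional>
#include <string>
#include <utility>
#include <vector>
// Tiny linear-probing map standing in for WTF::HashMap (constructed, not WebKit code): values sit inline in the slot array, so a rehash moves them.
class FlatMap {
    using Slot = std::optional<std::pair<std::string, std::vector<unsigned>>>;
    std::vector<Slot> m_slots = std::vector<Slot>(8);
    size_t m_size = 0;
    size_t probe(const std::string& key) const {  // slot holding key, or the empty slot ending its probe run
        size_t i = std::hash<std::string>{}(key) % m_slots.size();
        while (m_slots[i] && m_slots[i]->first != key) i = (i + 1) % m_slots.size();
        return i;
    }
    void grow() {  // rehash into a fresh, larger slot array: every value gets a new address
        std::vector<Slot> old = std::move(m_slots);
        m_slots = std::vector<Slot>(old.size() * 2);
        for (Slot& s : old) if (s) m_slots[probe(s->first)] = std::move(s);
    }
public:
    const std::vector<unsigned>* find(const std::string& key) const {  // valid only until the next mutation
        const Slot& s = m_slots[probe(key)]; return s ? &s->second : nullptr;
    }
    void set(const std::string& key, std::vector<unsigned> v) {
        if ((m_size + 1) * 2 > m_slots.size()) grow();  // keep load factor <= 1/2
        Slot& s = m_slots[probe(key)];
        if (s) s->second = std::move(v); else { s.emplace(key, std::move(v)); ++m_size; }
    }
};
static void addEntries(FlatMap& m, unsigned n) { for (unsigned i = 0; i < n; ++i) m.set("k" + std::to_string(i), {i}); }
// The reported pattern: cache &value, then keep using it while the map changes. Returns whether the cached address still names the live value (it does not).
bool cachedSlotPointerSurvivesGrowth() {
    FlatMap map; map.set("a", {1, 2});
    auto cached = reinterpret_cast<std::uintptr_t>(map.find("a"));
    addEntries(map, 4);  // with 8 initial slots, the fourth extra insert triggers the first rehash
    return cached == reinterpret_cast<std::uintptr_t>(map.find("a"));
}
// One safer shape: keep the key and resolve the slot at each use, so rehashing cannot leave a stale pointer behind.
bool namedLineContains(const FlatMap& map, const std::string& name, unsigned line) {
    const std::vector<unsigned>* v = map.find(name);  // resolved now, never cached across mutations
    if (v) for (unsigned l : *v) if (l == line) return true;
    return false;
}
bool lookupByKeySurvivesGrowth() {
    FlatMap map; map.set("a", {1, 2});
    addEntries(map, 16);  // several rehashes
    return namedLineContains(map, "a", 2) && !namedLineContains(map, "a", 3);
}
```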