Created attachment 354806 [details] Patch

Comment on attachment 354806 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=354806&action=review > Source/WebCore/ChangeLog:8 > + Copy the set of observers in a vector before iterating over it. Nit: s/in a vector/to a vector/

Created attachment 354815 [details] Patch for landing

Comment on attachment 354806 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=354806&action=review > Source/WebCore/platform/mediastream/MediaStreamPrivate.cpp:99 > + if (!m_observers.contains(observer)) > + continue; This technique is not guaranteed to work. Code could delete an Observer, then allocate a new Observer and the two might coincidentally use the same memory and have the same address. So checking "contains" on a set of weak pointers doesn’t give a guaranteed accurate answer.

Comment on attachment 354815 [details] Patch for landing Clearing flags on attachment: 354815 Committed r238181: <https://trac.webkit.org/changeset/238181>

All reviewed patches have been landed. Closing bug.

<rdar://problem/46065771>

(In reply to Darin Adler from comment #4) > Comment on attachment 354806 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=354806&action=review > > > Source/WebCore/platform/mediastream/MediaStreamPrivate.cpp:99 > > + if (!m_observers.contains(observer)) > > + continue; > > This technique is not guaranteed to work. Code could delete an Observer, > then allocate a new Observer and the two might coincidentally use the same > memory and have the same address. So checking "contains" on a set of weak > pointers doesn’t give a guaranteed accurate answer. True, this adds some potential uncertainty when such collision happens. I guess we could have a HashSet<WeakPtr<Observer>> to fix this issue. That would add some additional count churning but maybe this is ok since we are creating a Vector already whenever iterating over observers. I am unsure whether we should fix this uncertainty.