[Webkit-unassigned] [Bug 212492] New: GridPositionsResolver.cpp stores pointers to HashMap value slots

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 28 14:42:34 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=212492

            Bug ID: 212492
           Summary: GridPositionsResolver.cpp stores pointers to HashMap
                    value slots
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: obrufau at igalia.com
                CC: darin at apple.com, jfernandez at igalia.com,
                    rego at igalia.com

NamedLineCollection::NamedLineCollection in GridPositionsResolver.cpp does things like

    const NamedGridLinesMap& gridLineNames = isRowAxis ? gridContainerStyle.namedGridColumnLines() : gridContainerStyle.namedGridRowLines();
    auto linesIterator = gridLineNames.find(namedLine);
    m_namedLinesIndexes = linesIterator == gridLineNames.end() ? nullptr : &linesIterator->value;

where NamedGridLinesMap is a HashMap<String, Vector<unsigned>>

According to Darin Adler from bug 209572 comment #2,
> It’s really risky to store a pointer to a value slot in a HashMap. If any
> change is made to the map, adding or removing anything, rehashing means the
> pointer can end up invalid. Worse, it’s basically unpredictable how often
> this will happen so you could do a lot of testing and never observe it.

So a different approach should be used.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200528/af6e151c/attachment.htm>

More information about the webkit-unassigned mailing list