Bug 212492 - GridPositionsResolver.cpp stores pointers to HashMap value slots
Summary: GridPositionsResolver.cpp stores pointers to HashMap value slots
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-28 14:42 PDT by Oriol Brufau
Modified: 2020-05-28 14:42 PDT

See Also:


Attachments

Description Oriol Brufau 2020-05-28 14:42:34 PDT
NamedLineCollection::NamedLineCollection in GridPositionsResolver.cpp does things like

    const NamedGridLinesMap& gridLineNames = isRowAxis ? gridContainerStyle.namedGridColumnLines() : gridContainerStyle.namedGridRowLines();
    auto linesIterator = gridLineNames.find(namedLine);
    m_namedLinesIndexes = linesIterator == gridLineNames.end() ? nullptr : &linesIterator->value;

where NamedGridLinesMap is a HashMap<String, Vector<unsigned>>

According to Darin Adler from bug 209572 comment #2,
> It’s really risky to store a pointer to a value slot in a HashMap. If any
> change is made to the map, adding or removing anything, rehashing means the
> pointer can end up invalid. Worse, it’s basically unpredictable how often
> this will happen so you could do a lot of testing and never observe it.

So a different approach should be used.
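Added example, not code from WebKit or from the reporter: a toy open-addressing hash map in C++ that reallocates its slot buffer on rehash, which is the property of WTF::HashMap the comment above relies on (std::unordered_map is node-based and keeps element pointers stable across rehash, so it cannot show this). cachedSlotPointerMoves() caches a pointer to a value slot the way the quoted NamedLineCollection code does, inserts until a rehash happens, and reports that the cached address no longer matches the live slot (it compares addresses only and never dereferences the stale pointer). copiedValueSurvivesRehash() shows one alternative, copying the Vector out of the map; this is illustrative and is not the fix WebKit adopted. OpenAddressingMap, NamedLinesByValue and the two check functions are hypothetical names.

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Toy stand-in for HashMap<String, Vector<unsigned>>: open addressing with
// linear probing, load factor kept at or below 1/2, rehash doubles the table.
class OpenAddressingMap {
public:
    struct Slot {
        bool occupied = false;
        std::string key;
        std::vector<unsigned> value;
    };

    OpenAddressingMap() : m_table(8) {}

    // Returns a pointer into the slot buffer, like WTF's iterator->value.
    // It is valid only until the next insertion that triggers a rehash.
    std::vector<unsigned>* find(const std::string& key) {
        size_t mask = m_table.size() - 1;
        for (size_t i = std::hash<std::string>{}(key) & mask;; i = (i + 1) & mask) {
            Slot& s = m_table[i];
            if (!s.occupied) return nullptr;
            if (s.key == key) return &s.value;
        }
    }

    void set(const std::string& key, std::vector<unsigned> value) {
        if ((m_size + 1) * 2 > m_table.size()) // keep load factor <= 1/2
            rehash(m_table.size() * 2);
        size_t mask = m_table.size() - 1;
        for (size_t i = std::hash<std::string>{}(key) & mask;; i = (i + 1) & mask) {
            Slot& s = m_table[i];
            if (!s.occupied) { s.occupied = true; s.key = key; s.value = std::move(value); ++m_size; return; }
            if (s.key == key) { s.value = std::move(value); return; }
        }
    }

    size_t capacity() const { return m_table.size(); }

private:
    // Allocates a fresh buffer and moves every entry into it, so every
    // pointer into the old buffer is now dangling.
    void rehash(size_t newCapacity) {
        std::vector<Slot> old = std::move(m_table);
        m_table.assign(newCapacity, Slot{});
        m_size = 0;
        for (Slot& s : old)
            if (s.occupied) set(s.key, std::move(s.value));
    }

    std::vector<Slot> m_table;
    size_t m_size = 0;
};

// The risky pattern from the report: cache &iterator->value, then let the map
// change. Returns true when the cached address no longer matches the live
// slot for the same key. Addresses are compared as integers; the stale pointer
// is never dereferenced, because doing so would be undefined behaviour.
bool cachedSlotPointerMoves() {
    OpenAddressingMap map;
    map.set("a", {1, 2});
    std::uintptr_t cached = reinterpret_cast<std::uintptr_t>(map.find("a"));
    size_t before = map.capacity();
    for (unsigned i = 0; i < 16; ++i) // enough insertions to force a rehash
        map.set("line" + std::to_string(i), {i});
    std::uintptr_t live = reinterpret_cast<std::uintptr_t>(map.find("a"));
    return map.capacity() > before && cached != live;
}

// One alternative (illustrative, not WebKit's fix): copy the value out of the
// map at construction time instead of keeping a pointer into the map.
struct NamedLinesByValue {
    std::optional<std::vector<unsigned>> indexes;
    NamedLinesByValue(OpenAddressingMap& map, const std::string& namedLine) {
        if (auto* v = map.find(namedLine))
            indexes = *v; // copies the slot's Vector; no pointer into the table survives
    }
};

bool copiedValueSurvivesRehash() {
    OpenAddressingMap map;
    map.set("a", {1, 2});
    NamedLinesByValue lines(map, "a");
    for (unsigned i = 0; i < 16; ++i)
        map.set("line" + std::to_string(i), {i});
    return lines.indexes.has_value() && *lines.indexes == std::vector<unsigned>{1, 2};
}
```

Another option with the same safety property is to store the key and the map reference and look the Vector up on each use; which one fits depends on how often the indexes are read versus how large the Vector is. Either way the invariant to keep is that no pointer into the table's storage outlives the next mutation of the table.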