authorananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-11-20 00:35:14 +0000
committerananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-11-20 00:35:14 +0000
commitd826a97b28c5fbd15fd4bef3b7fc440aa71e5308 (patch)
treebcf7e9517d98d90daa2c5cd2a407b809639a8b66
parent68b36ac191cc796c86278a5366874c7ed65fffcb (diff)
downloadchromium_src-d826a97b28c5fbd15fd4bef3b7fc440aa71e5308.zip
chromium_src-d826a97b28c5fbd15fd4bef3b7fc440aa71e5308.tar.gz
chromium_src-d826a97b28c5fbd15fd4bef3b7fc440aa71e5308.tar.bz2
Fix a crash in the PriorityQueue class which occurs while trying to assign an uninitialized iterator member to
a valid iterator instance. This occurs if we have a valid Pointer instance with a valid iterator being assigned to an empty Pointer instance. The ListIterator member in this case is uninitialized as per STL conventions and behaves like an uninitialized pointer leading to crashes when this iterator is assigned to another. Fix is to have a dummy List class and initialize this iterator to its end. BUG=none R=jar@chromium.org, jar Review URL: https://codereview.chromium.org/75473003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@236076 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/priority_queue.h13
1 files changed, 12 insertions, 1 deletions
diff --git a/net/base/priority_queue.h b/net/base/priority_queue.h
index 7b7d97c..9b17d61 100644
--- a/net/base/priority_queue.h
+++ b/net/base/priority_queue.h
@@ -50,9 +50,16 @@ class PriorityQueue : public base::NonThreadSafe {
#if !defined(NDEBUG)
id_ = static_cast<unsigned>(-1);
#endif
+ // TODO(syzm)
+ // An uninitialized iterator behaves like an uninitialized pointer as per
+ // the STL docs. The fix below is ugly and should possibly be replaced
+ // with a better approach.
+ iterator_ = dummy_empty_list_.end();
}
- Pointer(const Pointer& p) : priority_(p.priority_), iterator_(p.iterator_) {
+ Pointer(const Pointer& p)
+ : priority_(p.priority_),
+ iterator_(p.iterator_) {
#if !defined(NDEBUG)
id_ = p.id_;
#endif
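Review bot: The copy constructor's `iterator_(p.iterator_)` copies a null Pointer's iterator as-is, so the new object refers to `p.dummy_empty_list_` (the per-object member added in the second hunk) rather than to its own list, and that iterator dangles once `p` is destroyed. Using it afterwards, for example in a comparison or under a checked-iterator build, is likely to be undefined in much the same way as the uninitialized iterator this commit removes, only harder to reproduce. Re-point the copy in the constructor body, e.g. `if (p.is_null()) iterator_ = dummy_empty_list_.end();` (assuming the class's null test is usable here; it is not visible in the hunk), and do the same in the assignment operator if it copies `iterator_` too. This belongs in the body rather than the initializer list because `dummy_empty_list_` is declared after `iterator_` and is not yet constructed when `iterator_` is initialized. The copy constructor's body continues past the end of this hunk.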
@@ -109,6 +116,10 @@ class PriorityQueue : public base::NonThreadSafe {
Priority priority_;
ListIterator iterator_;
+ // The STL iterators when uninitialized are like uninitialized pointers
+ // which cause crashes when assigned to other iterators. We need to
+ // initialize a NULL iterator to the end of a valid list.
+ List dummy_empty_list_;
#if !defined(NDEBUG)
// Used by the queue to check if a Pointer is valid.