Hey dcheng@, FYI I hit this UAF when using a flat_map and I was wondering if it's worth updating the doc (at the top of flat_map.h) to add that references returned by operator[] are also invalidated across mutations? Or is the "Assume that every operation invalidates iterators and references" comment around line 188 sufficient?

I wouldn't be too surprised if there was more issues like this one in the codebase, it look like a really simple to make (it's trivial to fix it once you know it's there).

Having a linter to prevent this would be cool.

I forgot to mention it here but I'll fix this by using a temporary variable to hold the return value of |existing_tabs_[old_contents]|

I'm not sure: on one hand, I feel like it's kind of implied since the underlying collection is backed by a vector, but on the other, I can understand it's kind of surprising.

I'd probably just update the class usage notes to mention that this applies to references returned from operator[] as well: there's already a bullet point that says "Iterators are invalidated across mutations".

My suggestion would be to just update the comment you're referring to to: "Iterators and references returned by operator[] are  invalidated across mutations".

+etienneb@ said that it'd be trivial to write a linter for this pattern, it's quite easy to make this mistake (e.g. you replace a map class member by a flat_map but you fail to notice that there's a foo[a] = foo[b] in the code), so I wouldn't be too surprised if there was more occurrences of this.