Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb
https://github.com/WebKit/WebKit/commit/c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb
Author: Mark Lam <mark....@apple.com>
Date: 2023-04-17 (Mon, 17 Apr 2023)

Changed paths:
  M Source/JavaScriptCore/heap/Heap.cpp
  M Source/JavaScriptCore/heap/Heap.h
  M Source/JavaScriptCore/heap/HeapInlines.h
  M Source/JavaScriptCore/runtime/ArgList.cpp
  M Source/JavaScriptCore/runtime/ArgList.h
  M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
  M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
  M Source/WebCore/bindings/js/SerializedScriptValue.cpp

Log Message:
-----------
CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.
https://bugs.webkit.org/show_bug.cgi?id=254797
rdar://107459160

Reviewed by Justin Michaud.

Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects in a few Vectors. This is problematic because the GC is not aware of Vectors, and cannot scan them.

In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector template class that offers 2 enhancements:

1. It can be configured to store specific types of cell pointers. This avoids us having to constantly cast JSValues into these pointers.

2. It allows us to specify the type of OverflowHandler we want to use. In this case, we want to use CrashOnOverflow. The previous MarkedArgumentBuffer always assumes RecordOnOverflow. This allows us to avoid having to manually check for overflows, or having to use appendWithCrashOnOverflow.

For our current needs, MarkedVector can be used as a drop-in replacement for Vector. And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors with MarkedVector instead.

* Source/JavaScriptCore/heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* Source/JavaScriptCore/heap/Heap.h:
* Source/JavaScriptCore/heap/HeapInlines.h:
* Source/JavaScriptCore/runtime/ArgList.cpp:
(JSC::MarkedVectorBase::addMarkSet):
(JSC::MarkedVectorBase::markLists):
(JSC::MarkedVectorBase::slowEnsureCapacity):
(JSC::MarkedVectorBase::expandCapacity):
(JSC::MarkedVectorBase::slowAppend):
(JSC::MarkedArgumentBufferBase::addMarkSet): Deleted.
(JSC::MarkedArgumentBufferBase::markLists): Deleted.
(JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted.
(JSC::MarkedArgumentBufferBase::expandCapacity): Deleted.
(JSC::MarkedArgumentBufferBase::slowAppend): Deleted.
* Source/JavaScriptCore/runtime/ArgList.h:
(JSC::MarkedVectorWithSize::MarkedVectorWithSize):
(JSC::MarkedVectorWithSize::at const):
(JSC::MarkedVectorWithSize::clear):
(JSC::MarkedVectorWithSize::append):
(JSC::MarkedVectorWithSize::appendWithCrashOnOverflow):
(JSC::MarkedVectorWithSize::last const):
(JSC::MarkedVectorWithSize::takeLast):
(JSC::MarkedVectorWithSize::ensureCapacity):
(JSC::MarkedVectorWithSize::hasOverflowed):
(JSC::MarkedVectorWithSize::fill):
(JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted.
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::AudioWorkletProcessor::buildJSArguments):
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserialize):

Originally-landed-as: 259548.530@safari-7615-branch (2c49ff7b0481). rdar://108145916
Canonical link: https://commits.webkit.org/263041@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
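The GC-visibility problem the commit describes, as an added toy model that is not WebKit's code: a heap that only marks cells reachable from registered mark sets (the role addMarkSet plays in JSC), a plain vector of cell pointers that the collector cannot see, and a MarkedVector that registers its storage as a mark set for its lifetime. Names (Heap, Cell, MarkedVector, liveAfterGc*) are assumptions of this model; the overflow-handler part of the commit is not modelled.

```cpp
#include <algorithm>
#include <memory>
#include <unordered_set>
#include <vector>
// Toy tracing collector (not JSC's): a Cell survives a collection only if a registered mark set points at it.
struct Cell { bool marked = false; };
class Heap {
public:
    Cell* allocate() { cells_.push_back(std::make_unique<Cell>()); return cells_.back().get(); }
    // Register / unregister an external list of cell pointers as a root set (addMarkSet's role in the commit).
    void addMarkSet(const std::vector<Cell*>* set) { markSets_.insert(set); }
    void removeMarkSet(const std::vector<Cell*>* set) { markSets_.erase(set); }
    void collect() {  // mark from every registered set, then sweep everything unmarked
        for (const auto* set : markSets_)
            for (Cell* c : *set) c->marked = true;
        cells_.erase(std::remove_if(cells_.begin(), cells_.end(), [](const auto& c) { return !c->marked; }), cells_.end());
        for (auto& c : cells_) c->marked = false;
    }
    size_t liveCount() const { return cells_.size(); }
private:
    std::vector<std::unique_ptr<Cell>> cells_;
    std::unordered_set<const std::vector<Cell*>*> markSets_;
};
// A vector of cell pointers the collector can see: its storage is registered as a mark set for its whole lifetime.
class MarkedVector {
public:
    explicit MarkedVector(Heap& heap) : heap_(heap) { heap_.addMarkSet(&cells_); }
    ~MarkedVector() { heap_.removeMarkSet(&cells_); }
    void append(Cell* c) { cells_.push_back(c); }
private:
    Heap& heap_;
    std::vector<Cell*> cells_;
};
// Cells referenced only from a plain vector are invisible to the GC: a collection frees them
// and leaves the vector holding dangling pointers (the bug class the commit fixes).
size_t liveAfterGcWithPlainVector(size_t n) {
    Heap heap;
    std::vector<Cell*> plain;
    for (size_t i = 0; i < n; ++i) plain.push_back(heap.allocate());
    heap.collect();
    return heap.liveCount();  // 0: nothing rooted them
}
// The same allocations held in a MarkedVector survive the collection.
size_t liveAfterGcWithMarkedVector(size_t n) {
    Heap heap;
    MarkedVector marked(heap);  // destroyed before heap, so it deregisters while heap is alive
    for (size_t i = 0; i < n; ++i) marked.append(heap.allocate());
    heap.collect();
    return heap.liveCount();  // n
}
```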