[webkit-changes] [WebKit/WebKit] c9880d: CloneDeserializer::deserialize() should store cell...
Commit Queue
noreply at github.com
Mon Apr 17 15:28:48 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb
https://github.com/WebKit/WebKit/commit/c9880de4a28b9a64a5e1d0513dc245d61a2e6ddb
Author: Mark Lam <mark.lam at apple.com>
Date: 2023-04-17 (Mon, 17 Apr 2023)
Changed paths:
M Source/JavaScriptCore/heap/Heap.cpp
M Source/JavaScriptCore/heap/Heap.h
M Source/JavaScriptCore/heap/HeapInlines.h
M Source/JavaScriptCore/runtime/ArgList.cpp
M Source/JavaScriptCore/runtime/ArgList.h
M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
M Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
M Source/WebCore/bindings/js/SerializedScriptValue.cpp
Log Message:
-----------
CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.
https://bugs.webkit.org/show_bug.cgi?id=254797
rdar://107459160
Reviewed by Justin Michaud.
Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects
in a few Vectors. This is problematic because the GC is not aware of Vectors, and cannot
scan them. In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector
template class that offer 2 enhancements:
1. It can be configured to store specific types of cell pointer types. This avoids us
having to constantly cast JSValues into these pointers.
2. It allows us to specify the type of OverflowHandler we want to use. In this case,
we want to use CrashOnOverflow. The previous MarkedArgumentBuffer always assumes
RecordOnOverflow. This allows us to avoid having to manually check for overflows,
or have to use appendWithCrashOnOverflow. For our current needs, MarkedVector can be
used as a drop-in replacement for Vector.
And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors
with MarkedVector instead.
* Source/JavaScriptCore/heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* Source/JavaScriptCore/heap/Heap.h:
* Source/JavaScriptCore/heap/HeapInlines.h:
* Source/JavaScriptCore/runtime/ArgList.cpp:
(JSC::MarkedVectorBase::addMarkSet):
(JSC::MarkedVectorBase::markLists):
(JSC::MarkedVectorBase::slowEnsureCapacity):
(JSC::MarkedVectorBase::expandCapacity):
(JSC::MarkedVectorBase::slowAppend):
(JSC::MarkedArgumentBufferBase::addMarkSet): Deleted.
(JSC::MarkedArgumentBufferBase::markLists): Deleted.
(JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted.
(JSC::MarkedArgumentBufferBase::expandCapacity): Deleted.
(JSC::MarkedArgumentBufferBase::slowAppend): Deleted.
* Source/JavaScriptCore/runtime/ArgList.h:
(JSC::MarkedVectorWithSize::MarkedVectorWithSize):
(JSC::MarkedVectorWithSize::at const):
(JSC::MarkedVectorWithSize::clear):
(JSC::MarkedVectorWithSize::append):
(JSC::MarkedVectorWithSize::appendWithCrashOnOverflow):
(JSC::MarkedVectorWithSize::last const):
(JSC::MarkedVectorWithSize::takeLast):
(JSC::MarkedVectorWithSize::ensureCapacity):
(JSC::MarkedVectorWithSize::hasOverflowed):
(JSC::MarkedVectorWithSize::fill):
(JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted.
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::AudioWorkletProcessor::buildJSArguments):
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserialize):
Originally-landed-as: 259548.530 at safari-7615-branch (2c49ff7b0481). rdar://108145916
Canonical link: https://commits.webkit.org/263041@main
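The commit message above gives the reason for the change in one sentence: a plain Vector of cell pointers is invisible to the garbage collector, so the cells it holds can be freed while the deserializer is still using them. The following is an added example, not WebKit or JavaScriptCore code, that models the mechanism with a toy mark-sweep heap: `Heap`, `Cell`, `MarkSetBase`, `MarkedVector`, `RecordOverflow` and `CrashOnOverflow` are stand-ins whose names are borrowed from the commit's changed functions (`Heap::addCoreConstraints`, `MarkedVectorBase::addMarkSet`, `markLists`) but whose bodies are assumptions written for this page. It shows both enhancements the message describes: the container registers itself as a root so the collector scans it, and the overflow policy is a template parameter.

```cpp
// Toy mark-sweep heap: added example, not WebKit/JSC code. All names and
// behaviour below are assumptions modelled loosely on the classes named in the
// commit message (real JSC registers a MarkedArgumentBuffer only once its
// storage leaves the stack, and scans the stack conservatively before that).
#include <algorithm>
#include <cstddef>
#include <cstdlib>
#include <memory>
#include <set>
#include <vector>

struct Cell {
    bool marked = false;
    Cell* child = nullptr;   // one outgoing edge, so marking is transitive
};

// Anything the collector must treat as a root implements this interface.
class MarkSetBase {
public:
    virtual ~MarkSetBase() = default;
    virtual void markRoots(std::vector<Cell*>& worklist) const = 0;
};

class Heap {
public:
    Cell* allocate() {
        auto cell = std::make_unique<Cell>();
        Cell* raw = cell.get();
        cells_.push_back(std::move(cell));
        return raw;
    }
    // Stand-ins for MarkedVectorBase::addMarkSet / the markLists constraint.
    void addMarkSet(MarkSetBase* set) { markSets_.insert(set); }
    void removeMarkSet(MarkSetBase* set) { markSets_.erase(set); }

    void collect() {
        std::vector<Cell*> worklist;
        for (MarkSetBase* set : markSets_) set->markRoots(worklist);  // only registered roots
        while (!worklist.empty()) {
            Cell* c = worklist.back(); worklist.pop_back();
            if (c->marked) continue;
            c->marked = true;
            if (c->child) worklist.push_back(c->child);
        }
        // Sweep: everything unmarked is freed, whoever else still points at it.
        cells_.erase(std::remove_if(cells_.begin(), cells_.end(),
            [](const std::unique_ptr<Cell>& c) { return !c->marked; }), cells_.end());
        for (auto& c : cells_) c->marked = false;
    }
    // Pointer-value lookup only; never dereferences its argument.
    bool isLive(const Cell* c) const {
        for (auto& owned : cells_) if (owned.get() == c) return true;
        return false;
    }
    std::size_t liveCount() const { return cells_.size(); }
private:
    std::vector<std::unique_ptr<Cell>> cells_;
    std::set<MarkSetBase*> markSets_;
};

// Overflow policies selected at compile time, as the commit message describes.
struct RecordOverflow {
    bool overflowed = false;
    void overflow() { overflowed = true; }
    bool hasOverflowed() const { return overflowed; }
};
struct CrashOnOverflow {
    void overflow() { std::abort(); }
    bool hasOverflowed() const { return false; }
};

// GC-aware vector: registers itself as a root for its whole lifetime.
template<std::size_t MaxCapacity, typename OverflowHandler = CrashOnOverflow>
class MarkedVector : public MarkSetBase, private OverflowHandler {
public:
    explicit MarkedVector(Heap& heap) : heap_(heap) { heap_.addMarkSet(this); }
    ~MarkedVector() override { heap_.removeMarkSet(this); }
    void append(Cell* c) {
        if (cells_.size() >= MaxCapacity) { this->overflow(); return; }
        cells_.push_back(c);
    }
    Cell* at(std::size_t i) const { return cells_[i]; }
    std::size_t size() const { return cells_.size(); }
    bool hasOverflowed() const { return OverflowHandler::hasOverflowed(); }
    void markRoots(std::vector<Cell*>& worklist) const override {
        for (Cell* c : cells_) worklist.push_back(c);
    }
private:
    Heap& heap_;
    std::vector<Cell*> cells_;
};

// The bug pattern: cells parked in a plain std::vector are swept by the next
// collection and every pointer in the vector dangles afterwards.
std::size_t survivorsInPlainVector() {
    Heap heap;
    std::vector<Cell*> pending;
    for (int i = 0; i < 3; ++i) pending.push_back(heap.allocate());
    heap.collect();
    std::size_t live = 0;
    for (Cell* c : pending) if (heap.isLive(c)) ++live;
    return live;   // 0
}

// The fix: the same cells held in a MarkedVector survive, and so does anything
// reachable from them; unreferenced garbage is still collected.
std::size_t survivorsInMarkedVector() {
    Heap heap;
    MarkedVector<8> pending(heap);
    for (int i = 0; i < 3; ++i) pending.append(heap.allocate());
    pending.at(0)->child = heap.allocate();   // reachable only through the root
    heap.allocate();                          // garbage: no path from any root
    heap.collect();
    return heap.liveCount();   // 4
}

// RecordOverflow keeps running and sets a flag; CrashOnOverflow would abort.
bool recordOverflowFlagged() {
    Heap heap;
    MarkedVector<2, RecordOverflow> small(heap);
    small.append(heap.allocate());
    small.append(heap.allocate());
    small.append(heap.allocate());   // exceeds capacity: flagged, not stored
    return small.hasOverflowed() && small.size() == 2;
}
```

The plain-vector case is the shape of the bug the commit fixes: nothing crashes at the time the pointers go stale, which is why such bugs surface only when a collection happens to run between the allocation and the later use. A container that registers with the collector (RAII here, lazily on heap growth in the real JSC class) closes that window; choosing CrashOnOverflow additionally turns a silently dropped append into a deterministic crash rather than a missing element.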