CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.

https://bugs.webkit.org/show_bug.cgi?id=254797
rdar://107459160

Reviewed by Justin Michaud.

Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects
in a few Vectors.  This is problematic because the GC is not aware of Vectors, and cannot
scan them.  In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector
template class that offer 2 enhancements:

1. It can be configured to store specific types of cell pointer types.  This avoids us
   having to constantly cast JSValues into these pointers.

2. It allows us to specify the type of OverflowHandler we want to use.  In this case,
   we want to use CrashOnOverflow.  The previous MarkedArgumentBuffer always assumes
   RecordOnOverflow.  This allows us to avoid having to manually check for overflows,
   or have to use appendWithCrashOnOverflow.  For our current needs, MarkedVector can be
   used as a drop in replacement for Vector.

And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors
with MarkedVector instead.

* Source/JavaScriptCore/heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* Source/JavaScriptCore/heap/Heap.h:
* Source/JavaScriptCore/heap/HeapInlines.h:
* Source/JavaScriptCore/runtime/ArgList.cpp:
(JSC::MarkedVectorBase::addMarkSet):
(JSC::MarkedVectorBase::markLists):
(JSC::MarkedVectorBase::slowEnsureCapacity):
(JSC::MarkedVectorBase::expandCapacity):
(JSC::MarkedVectorBase::slowAppend):
(JSC::MarkedArgumentBufferBase::addMarkSet): Deleted.
(JSC::MarkedArgumentBufferBase::markLists): Deleted.
(JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted.
(JSC::MarkedArgumentBufferBase::expandCapacity): Deleted.
(JSC::MarkedArgumentBufferBase::slowAppend): Deleted.
* Source/JavaScriptCore/runtime/ArgList.h:
(JSC::MarkedVectorWithSize::MarkedVectorWithSize):
(JSC::MarkedVectorWithSize::at const):
(JSC::MarkedVectorWithSize::clear):
(JSC::MarkedVectorWithSize::append):
(JSC::MarkedVectorWithSize::appendWithCrashOnOverflow):
(JSC::MarkedVectorWithSize::last const):
(JSC::MarkedVectorWithSize::takeLast):
(JSC::MarkedVectorWithSize::ensureCapacity):
(JSC::MarkedVectorWithSize::hasOverflowed):
(JSC::MarkedVectorWithSize::fill):
(JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted.
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::AudioWorkletProcessor::buildJSArguments):
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserialize):

Originally-landed-as: 259548.530@safari-7615-branch (2c49ff7). rdar://108145916
Canonical link: https://commits.webkit.org/263041@main

Author: Mark Lam

Source/JavaScriptCore/heap/Heap.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
  *
  *  This library is free software; you can redistribute it and/or
@@ -2864,7 +2864,7 @@ void Heap::addCoreConstraints()
 
             if (!m_markListSet.isEmpty()) {
                 SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan);
-                MarkedArgumentBufferBase::markLists(visitor, m_markListSet);
+                MarkedVectorBase::markLists(visitor, m_markListSet);
             }
 
             {

Source/JavaScriptCore/heap/Heap.h

@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -85,7 +85,7 @@ class MarkStackArray;
 class MarkStackMergingConstraint;
 class MarkedJSValueRefArray;
 class BlockDirectory;
-class MarkedArgumentBufferBase;
+class MarkedVectorBase;
 class MarkingConstraint;
 class MarkingConstraintSet;
 class MutatorScheduler;
@@ -413,7 +413,7 @@ class Heap {
     JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> protectedObjectTypeCounts();
     JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> objectTypeCounts();
 
-    HashSet<MarkedArgumentBufferBase*>& markListSet();
+    HashSet<MarkedVectorBase*>& markListSet();
     void addMarkedJSValueRefArray(MarkedJSValueRefArray*);
 
     template<typename Functor> void forEachProtectedCell(const Functor&);
@@ -782,7 +782,7 @@ class Heap {
     size_t m_deprecatedExtraMemorySize { 0 };
 
     ProtectCountSet m_protectedValues;
-    HashSet<MarkedArgumentBufferBase*> m_markListSet;
+    HashSet<MarkedVectorBase*> m_markListSet;
     SentinelLinkedList<MarkedJSValueRefArray, BasicRawSentinelNode<MarkedJSValueRefArray>> m_markedJSValueRefArrays;
 
     std::unique_ptr<MachineThreads> m_machineThreads;

Source/JavaScriptCore/heap/HeapInlines.h

@@ -205,7 +205,7 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded()
     }
 }
 
-inline HashSet<MarkedArgumentBufferBase*>& Heap::markListSet()
+inline HashSet<MarkedVectorBase*>& Heap::markListSet()
 {
     return m_markListSet;
 }

Source/JavaScriptCore/runtime/ArgList.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2003-2021 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Library General Public
@@ -27,7 +27,7 @@ using std::min;
 
 namespace JSC {
 
-void MarkedArgumentBufferBase::addMarkSet(JSValue v)
+void MarkedVectorBase::addMarkSet(JSValue v)
 {
     if (m_markSet)
         return;
@@ -52,47 +52,47 @@ void ArgList::getSlice(int startIndex, ArgList& result) const
 }
 
 template<typename Visitor>
-void MarkedArgumentBufferBase::markLists(Visitor& visitor, ListSet& markSet)
+void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet)
 {
     ListSet::iterator end = markSet.end();
     for (ListSet::iterator it = markSet.begin(); it != end; ++it) {
-        MarkedArgumentBufferBase* list = *it;
+        MarkedVectorBase* list = *it;
         for (int i = 0; i < list->m_size; ++i)
             visitor.appendUnbarriered(JSValue::decode(list->slotFor(i)));
     }
 }
 
-template void MarkedArgumentBufferBase::markLists(AbstractSlotVisitor&, ListSet&);
-template void MarkedArgumentBufferBase::markLists(SlotVisitor&, ListSet&);
+template void MarkedVectorBase::markLists(AbstractSlotVisitor&, ListSet&);
+template void MarkedVectorBase::markLists(SlotVisitor&, ListSet&);
 
-void MarkedArgumentBufferBase::slowEnsureCapacity(size_t requestedCapacity)
+auto MarkedVectorBase::slowEnsureCapacity(size_t requestedCapacity) -> Status
 {
     setNeedsOverflowCheck();
     auto checkedNewCapacity = CheckedInt32(requestedCapacity);
     if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
-        return this->overflowed();
-    expandCapacity(checkedNewCapacity);
+        return Status::Overflowed;
+    return expandCapacity(checkedNewCapacity);
 }
 
-void MarkedArgumentBufferBase::expandCapacity()
+auto MarkedVectorBase::expandCapacity() -> Status
 {
     setNeedsOverflowCheck();
     auto checkedNewCapacity = CheckedInt32(m_capacity) * 2;
     if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
-        return this->overflowed();
-    expandCapacity(checkedNewCapacity);
+        return Status::Overflowed;
+    return expandCapacity(checkedNewCapacity);
 }
 
-void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
+auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status
 {
     setNeedsOverflowCheck();
     ASSERT(m_capacity < newCapacity);
     auto checkedSize = CheckedSize(newCapacity) * sizeof(EncodedJSValue);
     if (UNLIKELY(checkedSize.hasOverflowed()))
-        return this->overflowed();
+        return Status::Overflowed;
     EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize));
     if (!newBuffer)
-        return this->overflowed();
+        return Status::Overflowed;
     for (int i = 0; i < m_size; ++i) {
         newBuffer[i] = m_buffer[i];
         addMarkSet(JSValue::decode(m_buffer[i]));
@@ -103,21 +103,23 @@ void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
 
     m_buffer = newBuffer;
     m_capacity = newCapacity;
+    return Status::Success;
 }
 
-void MarkedArgumentBufferBase::slowAppend(JSValue v)
+auto MarkedVectorBase::slowAppend(JSValue v) -> Status
 {
     ASSERT(m_size <= m_capacity);
-    if (m_size == m_capacity)
-        expandCapacity();
-    if (UNLIKELY(Base::hasOverflowed())) {
-        ASSERT(m_needsOverflowCheck);
-        return;
+    if (m_size == m_capacity) {
+        auto status = expandCapacity();
+        if (status == Status::Overflowed) {
+            ASSERT(m_needsOverflowCheck);
+            return status;
+        }
     }
-
     slotFor(m_size) = JSValue::encode(v);
     ++m_size;
     addMarkSet(v);
+    return Status::Success;
 }
 
 } // namespace JSC