From 1039f0c3235ffd9a6584657adb34db10c562e4af Mon Sep 17 00:00:00 2001

From: Mark Lam <mark.lam@apple.com>

Date: Fri, 31 Mar 2023 10:49:49 -0700

Subject: [PATCH] Cherry-pick 2c49ff7b0481. rdar://problem/107369977

    CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.

    https://bugs.webkit.org/show_bug.cgi?id=254797

    rdar://107369977

    Reviewed by Justin Michaud.

    Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects

    in a few Vectors.  This is problematic because the GC is not aware of Vectors, and cannot

    scan them.  In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector

    template class that offer 2 enhancements:

    1. It can be configured to store specific types of cell pointer types.  This avoids us

       having to constantly cast JSValues into these pointers.

    2. It allows us to specify the type of OverflowHandler we want to use.  In this case,

       we want to use CrashOnOverflow.  The previous MarkedArgumentBuffer always assumes

       RecordOnOverflow.  This allows us to avoid having to manually check for overflows,

       or have to use appendWithCrashOnOverflow.  For our current needs, MarkedVector can be

       used as a drop in replacement for Vector.

    And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors

    with MarkedVector instead.

    * Source/JavaScriptCore/heap/Heap.cpp:

    (JSC::Heap::addCoreConstraints):

    * Source/JavaScriptCore/heap/Heap.h:

    * Source/JavaScriptCore/heap/HeapInlines.h:

    * Source/JavaScriptCore/runtime/ArgList.cpp:

    (JSC::MarkedVectorBase::addMarkSet):

    (JSC::MarkedVectorBase::markLists):

    (JSC::MarkedVectorBase::slowEnsureCapacity):

    (JSC::MarkedVectorBase::expandCapacity):

    (JSC::MarkedVectorBase::slowAppend):

    (JSC::MarkedArgumentBufferBase::addMarkSet): Deleted.

    (JSC::MarkedArgumentBufferBase::markLists): Deleted.

    (JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted.

    (JSC::MarkedArgumentBufferBase::expandCapacity): Deleted.

    (JSC::MarkedArgumentBufferBase::slowAppend): Deleted.

    * Source/JavaScriptCore/runtime/ArgList.h:

    (JSC::MarkedVectorWithSize::MarkedVectorWithSize):

    (JSC::MarkedVectorWithSize::at const):

    (JSC::MarkedVectorWithSize::clear):

    (JSC::MarkedVectorWithSize::append):

    (JSC::MarkedVectorWithSize::appendWithCrashOnOverflow):

    (JSC::MarkedVectorWithSize::last const):

    (JSC::MarkedVectorWithSize::takeLast):

    (JSC::MarkedVectorWithSize::ensureCapacity):

    (JSC::MarkedVectorWithSize::hasOverflowed):

    (JSC::MarkedVectorWithSize::fill):

    (JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted.

    * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:

    (WebCore::AudioWorkletProcessor::buildJSArguments):

    * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h:

    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:

    (WebCore::CloneDeserializer::deserialize):

    Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch

Identifier: 259548.395@safari-7615.1.26.11-branch

---

 Source/JavaScriptCore/heap/Heap.cpp           |   4 +-

 Source/JavaScriptCore/heap/Heap.h             |   8 +-

 Source/JavaScriptCore/heap/HeapInlines.h      |   2 +-

 Source/JavaScriptCore/runtime/ArgList.cpp     |  46 ++--

 Source/JavaScriptCore/runtime/ArgList.h       | 206 ++++++++++--------

 .../webaudio/AudioWorkletProcessor.cpp        |   4 +-

 .../Modules/webaudio/AudioWorkletProcessor.h  |   7 +-

 .../bindings/js/SerializedScriptValue.cpp     |  11 +-

 8 files changed, 158 insertions(+), 130 deletions(-)

diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp

index d773eb9e79d6..37bf0e94b266 100644

--- a/Source/JavaScriptCore/heap/Heap.cpp

+++ b/Source/JavaScriptCore/heap/Heap.cpp

@@ -1,5 +1,5 @@

 /*

- *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.

+ *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.

  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>

  *

  *  This library is free software; you can redistribute it and/or

@@ -2854,7 +2854,7 @@ void Heap::addCoreConstraints()

             if (!m_markListSet.isEmpty()) {

                 SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan);

-                MarkedArgumentBufferBase::markLists(visitor, m_markListSet);

+                MarkedVectorBase::markLists(visitor, m_markListSet);

             }

             {

diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h

index d6cb99c4e4b5..315d62e50b1d 100644

--- a/Source/JavaScriptCore/heap/Heap.h

+++ b/Source/JavaScriptCore/heap/Heap.h

@@ -1,7 +1,7 @@

 /*

  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)

  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)

- *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.

+ *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.

  *

  *  This library is free software; you can redistribute it and/or

  *  modify it under the terms of the GNU Lesser General Public

@@ -85,7 +85,7 @@ class MarkStackArray;

 class MarkStackMergingConstraint;

 class MarkedJSValueRefArray;

 class BlockDirectory;

-class MarkedArgumentBufferBase;

+class MarkedVectorBase;

 class MarkingConstraint;

 class MarkingConstraintSet;

 class MutatorScheduler;

@@ -413,7 +413,7 @@ class Heap {

     JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> protectedObjectTypeCounts();

     JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> objectTypeCounts();

-    HashSet<MarkedArgumentBufferBase*>& markListSet();

+    HashSet<MarkedVectorBase*>& markListSet();

     void addMarkedJSValueRefArray(MarkedJSValueRefArray*);

     template<typename Functor> void forEachProtectedCell(const Functor&);

@@ -782,7 +782,7 @@ class Heap {

     size_t m_deprecatedExtraMemorySize { 0 };

     ProtectCountSet m_protectedValues;

-    HashSet<MarkedArgumentBufferBase*> m_markListSet;

+    HashSet<MarkedVectorBase*> m_markListSet;

     SentinelLinkedList<MarkedJSValueRefArray, BasicRawSentinelNode<MarkedJSValueRefArray>> m_markedJSValueRefArrays;

     std::unique_ptr<MachineThreads> m_machineThreads;

diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h

index f91546bb62c4..8e33eaae4a4f 100644

--- a/Source/JavaScriptCore/heap/HeapInlines.h

+++ b/Source/JavaScriptCore/heap/HeapInlines.h

@@ -205,7 +205,7 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded()

     }

 }

-inline HashSet<MarkedArgumentBufferBase*>& Heap::markListSet()

+inline HashSet<MarkedVectorBase*>& Heap::markListSet()

 {

     return m_markListSet;

 }

diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp

index f2815b80c8c7..a72dea74a56f 100644

--- a/Source/JavaScriptCore/runtime/ArgList.cpp

+++ b/Source/JavaScriptCore/runtime/ArgList.cpp

@@ -1,5 +1,5 @@

 /*

- *  Copyright (C) 2003-2021 Apple Inc. All rights reserved.

+ *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.

  *

  *  This library is free software; you can redistribute it and/or

  *  modify it under the terms of the GNU Library General Public

@@ -27,7 +27,7 @@ using std::min;

 namespace JSC {

-void MarkedArgumentBufferBase::addMarkSet(JSValue v)

+void MarkedVectorBase::addMarkSet(JSValue v)

 {

     if (m_markSet)

         return;

@@ -52,47 +52,47 @@ void ArgList::getSlice(int startIndex, ArgList& result) const

 }

 template<typename Visitor>

-void MarkedArgumentBufferBase::markLists(Visitor& visitor, ListSet& markSet)

+void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet)

 {

     ListSet::iterator end = markSet.end();

     for (ListSet::iterator it = markSet.begin(); it != end; ++it) {

-        MarkedArgumentBufferBase* list = *it;

+        MarkedVectorBase* list = *it;

         for (int i = 0; i < list->m_size; ++i)

             visitor.appendUnbarriered(JSValue::decode(list->slotFor(i)));

     }

 }

-template void MarkedArgumentBufferBase::markLists(AbstractSlotVisitor&, ListSet&);

-template void MarkedArgumentBufferBase::markLists(SlotVisitor&, ListSet&);

+template void MarkedVectorBase::markLists(AbstractSlotVisitor&, ListSet&);

+template void MarkedVectorBase::markLists(SlotVisitor&, ListSet&);

-void MarkedArgumentBufferBase::slowEnsureCapacity(size_t requestedCapacity)

+auto MarkedVectorBase::slowEnsureCapacity(size_t requestedCapacity) -> Status

 {

     setNeedsOverflowCheck();

     auto checkedNewCapacity = CheckedInt32(requestedCapacity);

     if (UNLIKELY(checkedNewCapacity.hasOverflowed()))

-        return this->overflowed();

-    expandCapacity(checkedNewCapacity);

+        return Status::Overflowed;

+    return expandCapacity(checkedNewCapacity);

 }

-void MarkedArgumentBufferBase::expandCapacity()

+auto MarkedVectorBase::expandCapacity() -> Status

 {

     setNeedsOverflowCheck();

     auto checkedNewCapacity = CheckedInt32(m_capacity) * 2;

     if (UNLIKELY(checkedNewCapacity.hasOverflowed()))

-        return this->overflowed();

-    expandCapacity(checkedNewCapacity);

+        return Status::Overflowed;

+    return expandCapacity(checkedNewCapacity);

 }

-void MarkedArgumentBufferBase::expandCapacity(int newCapacity)

+auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status

 {

     setNeedsOverflowCheck();

     ASSERT(m_capacity < newCapacity);

     auto checkedSize = CheckedSize(newCapacity) * sizeof(EncodedJSValue);

     if (UNLIKELY(checkedSize.hasOverflowed()))

-        return this->overflowed();

+        return Status::Overflowed;

     EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize));

     if (!newBuffer)

-        return this->overflowed();

+        return Status::Overflowed;

     for (int i = 0; i < m_size; ++i) {

         newBuffer[i] = m_buffer[i];

         addMarkSet(JSValue::decode(m_buffer[i]));

@@ -103,21 +103,23 @@ void MarkedArgumentBufferBase::expandCapacity(int newCapacity)

     m_buffer = newBuffer;

     m_capacity = newCapacity;

+    return Status::Success;

 }

-void MarkedArgumentBufferBase::slowAppend(JSValue v)

+auto MarkedVectorBase::slowAppend(JSValue v) -> Status

 {

     ASSERT(m_size <= m_capacity);

-    if (m_size == m_capacity)

-        expandCapacity();

-    if (UNLIKELY(Base::hasOverflowed())) {

-        ASSERT(m_needsOverflowCheck);

-        return;

+    if (m_size == m_capacity) {

+        auto status = expandCapacity();

+        if (status == Status::Overflowed) {

+            ASSERT(m_needsOverflowCheck);

+            return status;

+        }

     }

-

     slotFor(m_size) = JSValue::encode(v);

     ++m_size;

     addMarkSet(v);

+    return Status::Success;

 }

 } // namespace JSC

diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h

index 8ea9b0e308b8..07632263266b 100644

--- a/Source/JavaScriptCore/runtime/ArgList.h

+++ b/Source/JavaScriptCore/runtime/ArgList.h

@@ -28,20 +28,20 @@

 namespace JSC {

-class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordOverflow {

-    WTF_MAKE_NONCOPYABLE(MarkedArgumentBufferBase);

-    WTF_MAKE_NONMOVABLE(MarkedArgumentBufferBase);

+class alignas(alignof(EncodedJSValue)) MarkedVectorBase {

+    WTF_MAKE_NONCOPYABLE(MarkedVectorBase);

+    WTF_MAKE_NONMOVABLE(MarkedVectorBase);

     WTF_FORBID_HEAP_ALLOCATION;

     friend class VM;

     friend class ArgList;

+protected:

+    enum class Status { Success, Overflowed };

 public:

-    using Base = RecordOverflow;

-    typedef HashSet<MarkedArgumentBufferBase*> ListSet;

+    typedef HashSet<MarkedVectorBase*> ListSet;

-    ~MarkedArgumentBufferBase()

+    ~MarkedVectorBase()

     {

-        ASSERT(!m_needsOverflowCheck);

         if (m_markSet)

             m_markSet->remove(this);

@@ -52,92 +52,20 @@ class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordO

     size_t size() const { return m_size; }

     bool isEmpty() const { return !m_size; }

-    JSValue at(int i) const

-    {

-        if (i >= m_size)

-            return jsUndefined();

-

-        return JSValue::decode(slotFor(i));

-    }

-

-    void clear()

-    {

-        ASSERT(!m_needsOverflowCheck);

-        clearOverflow();

-        m_size = 0;

-    }

-

-    enum OverflowCheckAction {

-        CrashOnOverflow,

-        WillCheckLater

-    };

-    template<OverflowCheckAction action>

-    void appendWithAction(JSValue v)

-    {

-        ASSERT(m_size <= m_capacity);

-        if (m_size == m_capacity || mallocBase()) {

-            slowAppend(v);

-            if (action == CrashOnOverflow)

-                RELEASE_ASSERT(!hasOverflowed());

-            return;

-        }

-

-        slotFor(m_size) = JSValue::encode(v);

-        ++m_size;

-    }

-    void append(JSValue v) { appendWithAction<WillCheckLater>(v); }

-    void appendWithCrashOnOverflow(JSValue v) { appendWithAction<CrashOnOverflow>(v); }

-

     void removeLast()

     { 

         ASSERT(m_size);

         m_size--;

     }

-    JSValue last() 

-    {

-        ASSERT(m_size);

-        return JSValue::decode(slotFor(m_size - 1));

-    }

-

-    JSValue takeLast()

-    {

-        JSValue result = last();

-        removeLast();

-        return result;

-    }

-        

     template<typename Visitor> static void markLists(Visitor&, ListSet&);

-    void ensureCapacity(size_t requestedCapacity)

-    {

-        if (requestedCapacity > static_cast<size_t>(m_capacity))

-            slowEnsureCapacity(requestedCapacity);

-    }

-

-    bool hasOverflowed()

-    {

-        clearNeedsOverflowCheck();

-        return Base::hasOverflowed();

-    }

-

     void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); }

-    template<typename Functor>

-    void fill(size_t count, const Functor& func)

-    {

-        ASSERT(!m_size);

-        ensureCapacity(count);

-        if (Base::hasOverflowed())

-            return;

-        m_size = count;

-        func(reinterpret_cast<JSValue*>(&slotFor(0)));

-    }

-

 protected:

     // Constructor for a read-write list, to which you may append values.

     // FIXME: Remove all clients of this API, then remove this API.

-    MarkedArgumentBufferBase(size_t capacity)

+    MarkedVectorBase(size_t capacity)

         : m_size(0)

         , m_capacity(capacity)

         , m_buffer(inlineBuffer())

@@ -147,17 +75,16 @@ class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordO

     EncodedJSValue* inlineBuffer()

     {

-        return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedArgumentBufferBase));

+        return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedVectorBase));

     }

-private:

-    void expandCapacity();

-    void expandCapacity(int newCapacity);

-    void slowEnsureCapacity(size_t requestedCapacity);

+    Status expandCapacity();

+    Status expandCapacity(int newCapacity);

+    Status slowEnsureCapacity(size_t requestedCapacity);

     void addMarkSet(JSValue);

-    JS_EXPORT_PRIVATE void slowAppend(JSValue);

+    JS_EXPORT_PRIVATE Status slowAppend(JSValue);

     EncodedJSValue& slotFor(int item) const

     {

@@ -172,11 +99,14 @@ class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordO

     }

 #if ASSERT_ENABLED

-    void setNeedsOverflowCheck() { m_needsOverflowCheck = true; }

+    void disableNeedsOverflowCheck() { m_overflowCheckEnabled = false; }

+    void setNeedsOverflowCheck() { m_needsOverflowCheck = m_overflowCheckEnabled; }

     void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; }

     bool m_needsOverflowCheck { false };

+    bool m_overflowCheckEnabled { true };

 #else

+    void disableNeedsOverflowCheck() { }

     void setNeedsOverflowCheck() { }

     void clearNeedsOverflowCheck() { }

 #endif // ASSERT_ENABLED

@@ -186,22 +116,114 @@ class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordO

     ListSet* m_markSet;

 };

-template<size_t passedInlineCapacity = 8>

-class MarkedArgumentBufferWithSize : public MarkedArgumentBufferBase {

+template<typename T, size_t passedInlineCapacity = 8, class OverflowHandler = CrashOnOverflow>

+class MarkedVector : public OverflowHandler, public MarkedVectorBase  {

 public:

     static constexpr size_t inlineCapacity = passedInlineCapacity;

-    MarkedArgumentBufferWithSize()

-        : MarkedArgumentBufferBase(inlineCapacity)

+    MarkedVector()

+        : MarkedVectorBase(inlineCapacity)

     {

         ASSERT(inlineBuffer() == m_inlineBuffer);

+        if constexpr (std::is_same_v<OverflowHandler, CrashOnOverflow>) {

+            // CrashOnOverflow handles overflows immediately. So, we do not

+            // need to check for it after.

+            disableNeedsOverflowCheck();

+        }

+    }

+

+    auto at(int i) const -> decltype(auto)

+    {

+        if constexpr (std::is_same_v<T, JSValue>) {

+            if (i >= m_size)

+                return jsUndefined();

+            return JSValue::decode(slotFor(i));

+        } else {

+            if (i >= m_size)

+                return static_cast<T>(nullptr);

+            return jsCast<T>(JSValue::decode(slotFor(i)).asCell());

+        }

+    }

+

+    void clear()

+    {

+        ASSERT(!m_needsOverflowCheck);

+        OverflowHandler::clearOverflow();

+        m_size = 0;

+    }

+

+    void append(T v)

+    {

+        ASSERT(m_size <= m_capacity);

+        if (m_size == m_capacity || mallocBase()) {

+            if (slowAppend(v) == Status::Overflowed)

+                this->overflowed();

+            return;

+        }

+

+        slotFor(m_size) = JSValue::encode(v);

+        ++m_size;

+    }

+

+    void appendWithCrashOnOverflow(T v)

+    {

+        append(v);

+        if constexpr (!std::is_same<OverflowHandler, CrashOnOverflow>::value)

+            RELEASE_ASSERT(!this->hasOverflowed());

+    }

+

+    auto last() const -> decltype(auto)

+    {

+        if constexpr (std::is_same_v<T, JSValue>) {

+            ASSERT(m_size);

+            return JSValue::decode(slotFor(m_size - 1));

+        } else {

+            ASSERT(m_size);

+            return jsCast<T>(JSValue::decode(slotFor(m_size - 1)).asCell());

+        }

+    }

+

+    JSValue takeLast()

+    {

+        JSValue result = last();

+        removeLast();

+        return result;

+    }

+

+    void ensureCapacity(size_t requestedCapacity)

+    {

+        if (requestedCapacity > static_cast<size_t>(m_capacity)) {

+            if (slowEnsureCapacity(requestedCapacity) == Status::Overflowed)

+                this->overflowed();

+        }

+    }

+

+    bool hasOverflowed()

+    {

+        clearNeedsOverflowCheck();

+        return OverflowHandler::hasOverflowed();

+    }

+

+    template<typename Functor>

+    void fill(size_t count, const Functor& func)

+    {

+        ASSERT(!m_size);

+        ensureCapacity(count);

+        if (OverflowHandler::hasOverflowed())

+            return;

+        m_size = count;

+        func(reinterpret_cast<JSValue*>(&slotFor(0)));

     }

 private:

     EncodedJSValue m_inlineBuffer[inlineCapacity] { };

 };

-using MarkedArgumentBuffer = MarkedArgumentBufferWithSize<>;

+template<size_t passedInlineCapacity>

+class MarkedArgumentBufferWithSize : public MarkedVector<JSValue, passedInlineCapacity, RecordOverflow> {

+};

+

+using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;

 class ArgList {

     WTF_MAKE_FAST_ALLOCATED;

diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp

index e41a46dd57de..2ab3abb48117 100644

--- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp

+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp

@@ -1,5 +1,5 @@

 /*

- * Copyright (C) 2020 Apple Inc. All rights reserved.

+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -220,7 +220,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop

     ASSERT(!isMainThread());

 }

-void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)

+void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)

 {

     // For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes.

     if (!copyDataFromBusesToJSArray(globalObject, inputs, toJSArray(m_jsInputs)))

diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h

index 746059067f87..40751a2e501b 100644

--- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h

+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h

@@ -1,5 +1,5 @@

 /*

- * Copyright (C) 2020 Apple Inc. All rights reserved.

+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved.

  *

  * Redistribution and use in source and binary forms, with or without

  * modification, are permitted provided that the following conditions

@@ -41,7 +41,8 @@

 namespace JSC {

 class JSArray;

-class MarkedArgumentBufferBase;

+template<typename T, size_t, class> class MarkedVector;

+using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;

 }

 namespace WebCore {

@@ -71,7 +72,7 @@ class AudioWorkletProcessor : public ScriptWrappable, public ThreadSafeRefCounte

 private:

     explicit AudioWorkletProcessor(AudioWorkletGlobalScope&, const AudioWorkletProcessorConstructionData&);

-    void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);

+    void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);

     AudioWorkletGlobalScope& m_globalScope;

     String m_name;

diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp

index ad135b5da8f8..a465d5a57a73 100644

--- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp

+++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -573,6 +573,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000;

 using DeserializationResult = std::pair<JSC::JSValue, SerializationReturnCode>;

 class CloneBase {

+    WTF_FORBID_HEAP_ALLOCATION;

 protected:

     CloneBase(JSGlobalObject* lexicalGlobalObject)

         : m_lexicalGlobalObject(lexicalGlobalObject)

@@ -650,6 +651,7 @@ template <> bool writeLittleEndian<uint8_t>(Vector<uint8_t>& buffer, const uint8

 }

 class CloneSerializer : CloneBase {

+    WTF_FORBID_HEAP_ALLOCATION;

 public:

     static SerializationReturnCode serialize(JSGlobalObject* lexicalGlobalObject, JSValue value, Vector<RefPtr<MessagePort>>& messagePorts, Vector<RefPtr<JSC::ArrayBuffer>>& arrayBuffers, const Vector<RefPtr<ImageBitmap>>& imageBitmaps,

 #if ENABLE(OFFSCREEN_CANVAS_IN_WORKERS)

@@ -2318,6 +2320,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in)

 }

 class CloneDeserializer : CloneBase {

+    WTF_FORBID_HEAP_ALLOCATION;

 public:

     static String deserializeString(const Vector<uint8_t>& buffer)

     {

@@ -4285,10 +4288,10 @@ DeserializationResult CloneDeserializer::deserialize()

     Vector<uint32_t, 16> indexStack;

     Vector<Identifier, 16> propertyNameStack;

-    Vector<JSObject*, 32> outputObjectStack;

-    Vector<JSValue, 4> mapKeyStack;

-    Vector<JSMap*, 4> mapStack;

-    Vector<JSSet*, 4> setStack;

+    MarkedVector<JSObject*, 32> outputObjectStack;

+    MarkedVector<JSValue, 4> mapKeyStack;

+    MarkedVector<JSMap*, 4> mapStack;

+    MarkedVector<JSSet*, 4> setStack;

     Vector<WalkerState, 16> stateStack;

     WalkerState lexicalGlobalObject = StateUnknown;

     JSValue outValue;