[webkit-changes] [WebKit/WebKit] 7b5a7a: Branch WebKitGTK+ for 2.16

Carlos Garcia Campos noreply at github.com
Tue Nov 29 13:50:15 PST 2022


  Branch: refs/heads/webkitgtk/2.16
  Home:   https://github.com/WebKit/WebKit
  Commit: 7b5a7ac55b74bf38640a9660a03bd4791bc3f714
      https://github.com/WebKit/WebKit/commit/7b5a7ac55b74bf38640a9660a03bd4791bc3f714
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-02-20 (Mon, 20 Feb 2017)

  Changed paths:

  Log Message:
  -----------
  Branch WebKitGTK+ for 2.16


  Commit: 71c2559dbfd8538b2403dc3c75f770b6cac634f3
      https://github.com/WebKit/WebKit/commit/71c2559dbfd8538b2403dc3c75f770b6cac634f3
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-02-20 (Mon, 20 Feb 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.15.90 release.

.:

* Source/cmake/OptionsGTK.cmake: Bump version numbers.

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.15.90.


  Commit: b980cda08a35b72149e81119990d0ca48782c7ac
      https://github.com/WebKit/WebKit/commit/b980cda08a35b72149e81119990d0ca48782c7ac
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/TextureMapper.cmake
    R Source/WebCore/platform/graphics/opengl/GLPlatformSurface.cpp
    R Source/WebCore/platform/graphics/surfaces/GLTransportSurface.cpp
    R Source/WebCore/platform/graphics/surfaces/GLTransportSurface.h
    R Source/WebCore/platform/graphics/surfaces/GraphicsSurface.cpp
    R Source/WebCore/platform/graphics/surfaces/GraphicsSurface.h
    R Source/WebCore/platform/graphics/surfaces/GraphicsSurfaceToken.h
    R Source/WebCore/platform/graphics/surfaces/egl/EGLConfigSelector.cpp
    R Source/WebCore/platform/graphics/surfaces/egl/EGLConfigSelector.h
    R Source/WebCore/platform/graphics/surfaces/egl/EGLContext.cpp
    R Source/WebCore/platform/graphics/surfaces/egl/EGLContext.h
    R Source/WebCore/platform/graphics/surfaces/egl/EGLHelper.cpp
    R Source/WebCore/platform/graphics/surfaces/egl/EGLHelper.h
    R Source/WebCore/platform/graphics/surfaces/egl/EGLSurface.cpp
    R Source/WebCore/platform/graphics/surfaces/egl/EGLSurface.h
    R Source/WebCore/platform/graphics/surfaces/egl/EGLXSurface.cpp
    R Source/WebCore/platform/graphics/surfaces/egl/EGLXSurface.h
    R Source/WebCore/platform/graphics/surfaces/glx/GLXConfigSelector.h
    R Source/WebCore/platform/graphics/surfaces/glx/GLXContext.cpp
    R Source/WebCore/platform/graphics/surfaces/glx/GLXContext.h
    R Source/WebCore/platform/graphics/surfaces/glx/GLXSurface.cpp
    R Source/WebCore/platform/graphics/surfaces/glx/GLXSurface.h
    R Source/WebCore/platform/graphics/surfaces/glx/X11Helper.cpp
    R Source/WebCore/platform/graphics/surfaces/glx/X11Helper.h
    M Source/WebCore/platform/graphics/texmap/TextureMapperBackingStore.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapperBackingStore.h
    M Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayer.h
    R Source/WebCore/platform/graphics/texmap/TextureMapperSurfaceBackingStore.cpp
    R Source/WebCore/platform/graphics/texmap/TextureMapperSurfaceBackingStore.h
    M Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp
    M Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h
    M Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsState.h
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Shared/CoordinatedGraphics/CoordinatedGraphicsArgumentCoders.cpp
    M Source/WebKit2/Shared/CoordinatedGraphics/CoordinatedGraphicsArgumentCoders.h
    M Source/WebKit2/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp
    M Source/WebKit2/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.h
    M Source/WebKit2/Shared/CoordinatedGraphics/WebCoordinatedSurface.cpp
    M Source/WebKit2/Shared/CoordinatedGraphics/WebCoordinatedSurface.h

  Log Message:
  -----------
  Merge r212638 - Remove code under USE(GRAPHICS_SURFACE)
https://bugs.webkit.org/show_bug.cgi?id=168592

Patch by Carlos Garcia Campos <cgarcia at igalia.com> on 2017-02-20
Reviewed by Michael Catanzaro.

This was only used by EFL port.

Source/WebCore:

* platform/TextureMapper.cmake:
* platform/graphics/opengl/GLPlatformSurface.cpp: Removed.
* platform/graphics/surfaces/GLTransportSurface.cpp: Removed.
* platform/graphics/surfaces/GLTransportSurface.h: Removed.
* platform/graphics/surfaces/GraphicsSurface.cpp: Removed.
* platform/graphics/surfaces/GraphicsSurface.h: Removed.
* platform/graphics/surfaces/GraphicsSurfaceToken.h: Removed.
* platform/graphics/surfaces/egl/EGLConfigSelector.cpp: Removed.
* platform/graphics/surfaces/egl/EGLConfigSelector.h: Removed.
* platform/graphics/surfaces/egl/EGLContext.cpp: Removed.
* platform/graphics/surfaces/egl/EGLContext.h: Removed.
* platform/graphics/surfaces/egl/EGLHelper.cpp: Removed.
* platform/graphics/surfaces/egl/EGLHelper.h: Removed.
* platform/graphics/surfaces/egl/EGLSurface.cpp: Removed.
* platform/graphics/surfaces/egl/EGLSurface.h: Removed.
* platform/graphics/surfaces/egl/EGLXSurface.cpp: Removed.
* platform/graphics/surfaces/egl/EGLXSurface.h: Removed.
* platform/graphics/surfaces/glx/GLXConfigSelector.h: Removed.
* platform/graphics/surfaces/glx/GLXContext.cpp: Removed.
* platform/graphics/surfaces/glx/GLXContext.h: Removed.
* platform/graphics/surfaces/glx/GLXSurface.cpp: Removed.
* platform/graphics/surfaces/glx/GLXSurface.h: Removed.
* platform/graphics/surfaces/glx/X11Helper.cpp: Removed.
* platform/graphics/surfaces/glx/X11Helper.h: Removed.
* platform/graphics/texmap/TextureMapperBackingStore.cpp:
* platform/graphics/texmap/TextureMapperBackingStore.h:
* platform/graphics/texmap/TextureMapperPlatformLayer.h:
(WebCore::TextureMapperPlatformLayer::setClient):
* platform/graphics/texmap/TextureMapperSurfaceBackingStore.cpp: Removed.
* platform/graphics/texmap/TextureMapperSurfaceBackingStore.h: Removed.
* platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:
(WebCore::CoordinatedGraphicsLayer::CoordinatedGraphicsLayer):
(WebCore::CoordinatedGraphicsLayer::setContentsNeedsDisplay):
(WebCore::CoordinatedGraphicsLayer::setContentsToPlatformLayer):
(WebCore::CoordinatedGraphicsLayer::syncPlatformLayer):
* platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h:
* platform/graphics/texmap/coordinated/CoordinatedGraphicsState.h:
(WebCore::CoordinatedGraphicsLayerState::CoordinatedGraphicsLayerState):

Source/WebKit2:

* Shared/CoordinatedGraphics/CoordinatedGraphicsArgumentCoders.cpp:
(IPC::ArgumentCoder<CoordinatedGraphicsLayerState>::encode):
(IPC::ArgumentCoder<CoordinatedGraphicsLayerState>::decode):
* Shared/CoordinatedGraphics/CoordinatedGraphicsArgumentCoders.h:
* Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:
(WebKit::CoordinatedGraphicsScene::syncPlatformLayerIfNeeded):
(WebKit::CoordinatedGraphicsScene::deleteLayer):
(WebKit::CoordinatedGraphicsScene::assignImageBackingToLayer):
(WebKit::CoordinatedGraphicsScene::purgeGLResources):
* Shared/CoordinatedGraphics/CoordinatedGraphicsScene.h:
* Shared/CoordinatedGraphics/WebCoordinatedSurface.cpp:
(WebKit::WebCoordinatedSurface::Handle::encode):
(WebKit::WebCoordinatedSurface::Handle::decode):
(WebKit::WebCoordinatedSurface::create):
(WebKit::WebCoordinatedSurface::createGraphicsContext):
(WebKit::WebCoordinatedSurface::createHandle):
(WebKit::WebCoordinatedSurface::copyToTexture):
* Shared/CoordinatedGraphics/WebCoordinatedSurface.h:


  Commit: e6bb890ae18ee9ac3ae1022030983a446a67fe9b
      https://github.com/WebKit/WebKit/commit/e6bb890ae18ee9ac3ae1022030983a446a67fe9b
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

  Log Message:
  -----------
  Merge r212640 - BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump.
https://bugs.webkit.org/show_bug.cgi?id=168585

Reviewed by Yusuke Suzuki.

This is because m_controlFlowScopeStack is a SegmentedVector, and entries for
consecutive indices in the vector are not guaranteed to be consecutive in memory
layout.  We should be using indexing instead.

This issue was detected by the marathon.js test from
https://bugs.webkit.org/show_bug.cgi?id=168580.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitJumpViaFinallyIfNeeded):
(JSC::BytecodeGenerator::emitReturnViaFinallyIfNeeded):

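An added illustration of the pitfall this commit message describes, not code from WebKit or from the change itself: a minimal segmented container standing in for WTF::SegmentedVector, a check showing that consecutive indices stop being adjacent in memory at a segment boundary, and the index-based walk the fix uses in place of a pointer bump. ControlFlowScope, makeSampleScopes and countFinallyScopesAbove are hypothetical names for this example; the spare slot per segment is there only so the demonstration does not depend on allocator placement.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <memory>
#include <vector>

// Example-only stand-in for WTF::SegmentedVector (not WebKit's code).
// Elements live in fixed-size segments: addresses are contiguous inside a
// segment but not across a segment boundary, and growth never moves elements.
// Each segment carries one spare slot so the adjacency check below does not
// depend on how the allocator happens to place consecutive segments.
template <typename T, size_t SegmentSize>
class SegmentedVector {
public:
    void append(const T& value)
    {
        if (m_size % SegmentSize == 0)
            m_segments.push_back(std::make_unique<T[]>(SegmentSize + 1));
        m_segments[m_size / SegmentSize][m_size % SegmentSize] = value;
        ++m_size;
    }
    size_t size() const { return m_size; }
    const T& operator[](size_t i) const { return m_segments[i / SegmentSize][i % SegmentSize]; }

private:
    std::vector<std::unique_ptr<T[]>> m_segments;
    size_t m_size { 0 };
};

// Hypothetical scope record standing in for the generator's control-flow scopes.
struct ControlFlowScope {
    bool isFinallyBlock;
    int label;
};

// True when `&v[i] + 1` would actually land on v[i + 1]. Inside a segment it
// does; across a segment boundary it does not, so a pointer-bump walk reads
// unrelated memory. That is the assumption the commit removes.
template <typename T, size_t SegmentSize>
bool consecutiveElementsAreAdjacent(const SegmentedVector<T, SegmentSize>& v, size_t i)
{
    auto lhs = reinterpret_cast<uintptr_t>(&v[i]);
    auto rhs = reinterpret_cast<uintptr_t>(&v[i + 1]);
    return rhs - lhs == sizeof(T);
}

// Index-based walk from the innermost scope down to (excluding) targetDepth,
// the pattern the fix adopts instead of decrementing a raw element pointer.
int countFinallyScopesAbove(const SegmentedVector<ControlFlowScope, 4>& scopes, size_t targetDepth)
{
    int count = 0;
    for (size_t i = scopes.size(); i > targetDepth; --i) {
        if (scopes[i - 1].isFinallyBlock)
            ++count;
    }
    return count;
}

// Constructed sample: ten scopes, every third one a finally block (0, 3, 6, 9).
SegmentedVector<ControlFlowScope, 4> makeSampleScopes()
{
    SegmentedVector<ControlFlowScope, 4> scopes;
    for (int i = 0; i < 10; ++i)
        scopes.append({ i % 3 == 0, i });
    return scopes;
}

int main()
{
    auto scopes = makeSampleScopes();
    std::cout << "v[2],v[3] adjacent: " << consecutiveElementsAreAdjacent(scopes, 2)
              << "\nv[3],v[4] adjacent: " << consecutiveElementsAreAdjacent(scopes, 3)
              << "\nfinally scopes above depth 2: " << countFinallyScopesAbove(scopes, 2) << "\n";
    return 0;
}
```

With a segment size of 4, elements 2 and 3 share a segment and are adjacent, while elements 3 and 4 are not; a loop that stepped a pointer from the innermost scope downward would leave the segment after four steps and keep reading whatever follows it.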

  Commit: cff9e3591de4e717a152a380367cbe414faef99b
      https://github.com/WebKit/WebKit/commit/cff9e3591de4e717a152a380367cbe414faef99b
  Author: Commit Queue <commit-queue at webkit.org>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/interpreter/CachedCall.h
    M Source/JavaScriptCore/interpreter/CallFrame.h
    M Source/JavaScriptCore/interpreter/Interpreter.cpp
    M Source/JavaScriptCore/interpreter/Interpreter.h
    M Source/JavaScriptCore/interpreter/ProtoCallFrame.h
    M Source/JavaScriptCore/runtime/ArgList.cpp
    M Source/JavaScriptCore/runtime/ArgList.h
    M Source/JavaScriptCore/runtime/StringPrototype.cpp
    M Source/JavaScriptCore/runtime/VM.cpp
    M Source/JavaScriptCore/runtime/VM.h
    M Source/WTF/ChangeLog
    M Source/WTF/WTF.xcodeproj/project.pbxproj
    R Source/WTF/wtf/ForbidHeapAllocation.h

  Log Message:
  -----------
  Merge r212665 - Unreviewed, rolling out r212618.
https://bugs.webkit.org/show_bug.cgi?id=168609

"Appears to cause PLT regression" (Requested by mlam on

Reverted changeset:

"CachedCall should let GC know to keep its arguments alive."
https://bugs.webkit.org/show_bug.cgi?id=168567
http://trac.webkit.org/changeset/212618


  Commit: 20c5cbdd08a4a6fcb6e1bd313a9ca637f3574ae0
      https://github.com/WebKit/WebKit/commit/20c5cbdd08a4a6fcb6e1bd313a9ca637f3574ae0
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/interpreter/CachedCall.h
    M Source/JavaScriptCore/interpreter/CallFrame.h
    M Source/JavaScriptCore/interpreter/Interpreter.cpp
    M Source/JavaScriptCore/interpreter/Interpreter.h
    M Source/JavaScriptCore/interpreter/ProtoCallFrame.h
    M Source/JavaScriptCore/runtime/ArgList.cpp
    M Source/JavaScriptCore/runtime/ArgList.h
    M Source/JavaScriptCore/runtime/StringPrototype.cpp
    M Source/JavaScriptCore/runtime/VM.cpp
    M Source/JavaScriptCore/runtime/VM.h
    M Source/WTF/ChangeLog
    M Source/WTF/WTF.xcodeproj/project.pbxproj
    A Source/WTF/wtf/ForbidHeapAllocation.h

  Log Message:
  -----------
  Merge r212692 - [Re-landing] CachedCall should let GC know to keep its arguments alive.
https://bugs.webkit.org/show_bug.cgi?id=168567
<rdar://problem/30475767>

Reviewed by Saam Barati.

Source/JavaScriptCore:

We fix this by having CachedCall use a MarkedArgumentBuffer to store its
arguments instead of a Vector.

Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
correctness.

Update: the original patch has a bug in MarkedArgumentBuffer::expandCapacity()
where it was copying and calling addMarkSet() on values in m_buffer beyond m_size
(up to m_capacity).  As a result, depending on the pre-existing values in
m_inlineBuffer, this may result in a computed Heap pointer that is wrong, and
subsequently, manifest as a crash.  This is likely to be the cause of the PLT
regression.

I don't have a new test for this fix because the issue relies on sufficiently bad
values randomly showing up in m_inlineBuffer when we do an ensureCapacity() which
calls expandCapacity().

* interpreter/CachedCall.h:
(JSC::CachedCall::CachedCall):
(JSC::CachedCall::call):
(JSC::CachedCall::clearArguments):
(JSC::CachedCall::appendArgument):
(JSC::CachedCall::setArgument): Deleted.
* interpreter/CallFrame.h:
(JSC::ExecState::emptyList):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::prepareForRepeatCall):
* interpreter/Interpreter.h:
* interpreter/ProtoCallFrame.h:
* runtime/ArgList.cpp:
(JSC::MarkedArgumentBuffer::slowEnsureCapacity):
(JSC::MarkedArgumentBuffer::expandCapacity):
(JSC::MarkedArgumentBuffer::slowAppend):
* runtime/ArgList.h:
(JSC::MarkedArgumentBuffer::append):
(JSC::MarkedArgumentBuffer::ensureCapacity):
* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:

Source/WTF:

Added a WTF_FORBID_HEAP_ALLOCATION that will cause a compilation failure if
a class declared with it is malloced.

While this doesn't prevent that class declared WTF_FORBID_HEAP_ALLOCATION from
being embedded in another class that is heap allocated, it does at minimum
document the intent and gives the users of this class a chance to do the
right thing.

* WTF.xcodeproj/project.pbxproj:
* wtf/ForbidHeapAllocation.h: Added.

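An added example of the two ideas in this commit message, written for this page rather than taken from WebKit: a FORBID_HEAP_ALLOCATION-style macro that makes `new` on the class a compile error, and an expandCapacity() that copies and re-reports only the m_size live slots, so stale bytes in the inline buffer are never treated as cell pointers. FakeHeap, isCell, the odd/even cell encoding, the 0xDEADBEEF filler and reportedCellsAfterGrowth are constructed for the example and are not JSC's representation.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>

// Example-only stand-in for WTF_FORBID_HEAP_ALLOCATION (not WebKit's macro).
// Deleting the class's allocation functions turns `new MarkedArgumentBuffer`
// into a compile error. As the commit message says, it cannot stop the type
// from being embedded in some other heap-allocated object; it documents the
// stack-only intent and catches the direct case.
#define EXAMPLE_FORBID_HEAP_ALLOCATION                   \
    void* operator new(std::size_t) = delete;            \
    void* operator new[](std::size_t) = delete;          \
    void* operator new(std::size_t, void*) = delete;     \
    void* operator new[](std::size_t, void*) = delete

// Hypothetical heap: records which cells a buffer asked it to keep alive.
// (In JSC, addMarkSet() derives the owning Heap from the cell pointer itself,
// which is why a garbage slot could yield a wrong Heap pointer and crash.)
struct FakeHeap {
    std::set<uint64_t> reportedCells;
};

// Constructed encoding: odd = pointer to a GC cell, even = immediate value.
static bool isCell(uint64_t v) { return v & 1; }

class MarkedArgumentBuffer {
    EXAMPLE_FORBID_HEAP_ALLOCATION;
public:
    static constexpr size_t inlineCapacity = 4;

    explicit MarkedArgumentBuffer(FakeHeap& heap) : m_heap(heap)
    {
        // Simulates stale stack contents in the inline storage: odd values
        // that look exactly like cell pointers but are not live arguments.
        for (size_t i = 0; i < inlineCapacity; ++i)
            m_inlineBuffer[i] = 0xDEADBEEF;
    }
    ~MarkedArgumentBuffer()
    {
        if (m_buffer != m_inlineBuffer)
            delete[] m_buffer;
    }

    size_t size() const { return m_size; }
    size_t capacity() const { return m_capacity; }

    void append(uint64_t v)
    {
        ensureCapacity(m_size + 1);
        m_buffer[m_size++] = v;
        addMarkSet(v);
    }

    void ensureCapacity(size_t requested)
    {
        if (requested > m_capacity)
            expandCapacity(requested * 2);
    }

private:
    void addMarkSet(uint64_t v)
    {
        if (isCell(v))
            m_heap.reportedCells.insert(v);
    }

    // Fixed form: only the m_size live slots are copied and re-reported. The
    // rolled-out r212618 ran this loop up to m_capacity, handing the stale
    // m_inlineBuffer slots above m_size to addMarkSet().
    void expandCapacity(size_t newCapacity)
    {
        uint64_t* newBuffer = new uint64_t[newCapacity];
        for (size_t i = 0; i < m_size; ++i) {
            newBuffer[i] = m_buffer[i];
            addMarkSet(newBuffer[i]);
        }
        if (m_buffer != m_inlineBuffer)
            delete[] m_buffer;
        m_buffer = newBuffer;
        m_capacity = newCapacity;
    }

    FakeHeap& m_heap;
    uint64_t m_inlineBuffer[inlineCapacity];
    uint64_t* m_buffer { m_inlineBuffer };
    size_t m_size { 0 };
    size_t m_capacity { inlineCapacity };
};

// Constructed scenario: two cells and one immediate, then a growth that leaves
// the inline storage. Returns how many distinct cells the heap was told about;
// with the fix that is 2, and the 0xDEADBEEF filler is never reported.
size_t reportedCellsAfterGrowth()
{
    FakeHeap heap;
    MarkedArgumentBuffer args(heap); // stack allocated, as the macro demands
    args.append(0x1001);
    args.append(42);
    args.append(0x2003);
    args.ensureCapacity(64);
    // auto* leaked = new MarkedArgumentBuffer(heap); // rejected at compile time
    return heap.reportedCells.size();
}

int main()
{
    std::cout << "cells reported after growth: " << reportedCellsAfterGrowth() << "\n";
    return 0;
}
```

The deleted placement forms matter as much as the plain ones: without them `new (storage) MarkedArgumentBuffer(heap)` would still compile and defeat the intent.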

  Commit: 84a4f92fd86911ab877416453d15f4500fc8707e
      https://github.com/WebKit/WebKit/commit/84a4f92fd86911ab877416453d15f4500fc8707e
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/DocumentLoader.cpp

  Log Message:
  -----------
  Merge r212667 - Nullptr dereferences when stopping a load
https://bugs.webkit.org/show_bug.cgi?id=168608
<rdar://problem/29852056>

Reviewed by Ryosuke Niwa.

Don't attempt to notify a detached frame's load client that the load is
stopped.

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::stopLoading): Check for null frame loader and
bypass dereferencing it.


  Commit: f4dbc6ae296c69165584b3b70b9c6873b83866fd
      https://github.com/WebKit/WebKit/commit/f4dbc6ae296c69165584b3b70b9c6873b83866fd
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M ChangeLog
    M Source/cmake/OptionsCommon.cmake

  Log Message:
  -----------
  Merge r212882 - [GTK] Compilation fails if using ninja together with icecream and cmake > 3.5
https://bugs.webkit.org/show_bug.cgi?id=168770

Reviewed by Carlos Garcia Campos.

If using cmake >= 3.6 together with ninja generator and icecream, the
build will fail as icecream does not correctly handle the response
files and it's not passing compiler flags from there to the compiler
itself (in our case it's not passing -fPIC which leads to the
failure while linking). Don't enable the ninja's response files
support if we fulfill the preconditions.

* Source/cmake/OptionsCommon.cmake:


  Commit: a28f22dc0e5d3558acfe32960c5b99bce6b31985
      https://github.com/WebKit/WebKit/commit/a28f22dc0e5d3558acfe32960c5b99bce6b31985
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/Range/simple-line-layout-getclientrects-expected.html
    A LayoutTests/fast/dom/Range/simple-line-layout-getclientrects.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderText.cpp
    M Source/WebCore/rendering/SimpleLineLayoutFunctions.cpp
    M Source/WebCore/rendering/SimpleLineLayoutFunctions.h
    M Source/WebCore/rendering/SimpleLineLayoutResolver.cpp
    M Source/WebCore/rendering/SimpleLineLayoutResolver.h

  Log Message:
  -----------
  Merge r212693 - Simple line layout: Implement absoluteQuadsForRange.
https://bugs.webkit.org/show_bug.cgi?id=168613
<rdar://problem/30614618>

Reviewed by Simon Fraser.

Source/WebCore:

This patch ensures that the commonly used Range::getClientRects calls do not
throw us off of the simple line layout path.

Test: fast/dom/Range/simple-line-layout-getclientrects.html

* rendering/RenderText.cpp:
(WebCore::RenderText::absoluteQuadsForRange):
* rendering/SimpleLineLayoutFunctions.cpp:
(WebCore::SimpleLineLayout::collectAbsoluteQuadsForRange): Special case empty ranges with multiple empty runs.
* rendering/SimpleLineLayoutFunctions.h:
* rendering/SimpleLineLayoutResolver.cpp:
(WebCore::SimpleLineLayout::RunResolver::rangeForRendererWithOffsets):
* rendering/SimpleLineLayoutResolver.h:

LayoutTests:

* fast/dom/Range/simple-line-layout-getclientrects-expected.html: Added.
* fast/dom/Range/simple-line-layout-getclientrects.html: Added.


  Commit: fa61eff79de9c7f0856211bccb777d72e894b417
      https://github.com/WebKit/WebKit/commit/fa61eff79de9c7f0856211bccb777d72e894b417
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Platform/IPC/Connection.cpp
    M Source/WebKit2/Platform/IPC/Connection.h
    M Source/WebKit2/Platform/IPC/glib/GSocketMonitor.cpp
    M Source/WebKit2/Platform/IPC/glib/GSocketMonitor.h
    M Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp
    A Source/WebKit2/Platform/IPC/unix/UnixMessage.h
    M Source/WebKit2/PlatformGTK.cmake

  Log Message:
  -----------
  Merge r213030 - [GTK] Hangs when showing Google search results
https://bugs.webkit.org/show_bug.cgi?id=168699

Reviewed by Žan Doberšek.

Connection::sendOutgoingMessage() can poll forever if sendmsg fails with EAGAIN or EWOULDBLOCK. For example if
socket read buffers are full, poll will be blocked until we read the pending data, but we can't read because
the thread is blocked in the poll. In case of EAGAIN/EWOULDBLOCK we should poll using the run loop, to allow
reads to happen in thread while we wait for the socket to be writable again. In the GTK+ port we use
GSocketMonitor to poll socket file descriptor without blocking, using the run loop. This patch renames the
socket monitor as readSocketMonitor and adds another one for polling output. When sendmsg fails with
EAGAIN/EWOULDBLOCK, the pending message is saved and the write monitor starts polling. Once the socket is
writable again we send the pending message. Helper class MessageInfo and a new one UnixMessage have been moved
to its own header file to be able to use std::unique_ptr member to save the pending message.

* Platform/IPC/Connection.cpp: Include UnixMessage.h as required by std::unique_ptr.
* Platform/IPC/Connection.h: Add write socket monitor and also keep the GSocket as a member to reuse it.
* Platform/IPC/glib/GSocketMonitor.cpp: Use Function instead of std::function.
(IPC::GSocketMonitor::start):
* Platform/IPC/glib/GSocketMonitor.h:
* Platform/IPC/unix/ConnectionUnix.cpp:
(IPC::Connection::platformInitialize): Initialize the GSocket here since we rely on it to take the ownership of
the descriptor. We were leaking it if the connection was invalidated without being opened.
(IPC::Connection::platformInvalidate): Destroy the GSocket even when not connected. Also stop the write monitor.
(IPC::Connection::processMessage):
(IPC::Connection::open):
(IPC::Connection::platformCanSendOutgoingMessages): Return false if we have a pending message to ensure
Connection doesn't try to send more messages until the pending message is dispatched. We don't need to check
m_isConnected because the caller already checks that.
(IPC::Connection::sendOutgoingMessage): Split it in two. This creates and prepares a UnixMessage and then calls
sendOutputMessage() to do the rest.
(IPC::Connection::sendOutputMessage): Send the message, or save it if sendmsg fails with EAGAIN or EWOULDBLOCK
to be sent later when the socket is writable.
* Platform/IPC/unix/UnixMessage.h: Added.
(IPC::MessageInfo::MessageInfo):
(IPC::MessageInfo::setMessageBodyIsOutOfLine):
(IPC::MessageInfo::isMessageBodyIsOutOfLine):
(IPC::MessageInfo::bodySize):
(IPC::MessageInfo::attachmentCount):
(IPC::UnixMessage::UnixMessage):
(IPC::UnixMessage::~UnixMessage):
(IPC::UnixMessage::attachments):
(IPC::UnixMessage::messageInfo):
(IPC::UnixMessage::body):
(IPC::UnixMessage::bodySize):
(IPC::UnixMessage::appendAttachment):
* PlatformGTK.cmake:

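An added example of the scheme this commit message describes, not WebKit's ConnectionUnix.cpp: a non-blocking sender that parks the message on EAGAIN/EWOULDBLOCK instead of polling on the sending thread, refuses further sends while one is parked (the platformCanSendOutgoingMessages() behaviour), and retries from a writability callback that a run loop would invoke. OutgoingQueue, runBackpressureScenario and the socketpair setup are constructed for this page; attachments (fd passing via control messages) are left out, and the scenario assumes a Linux AF_UNIX datagram socketpair where a full peer yields EAGAIN.

```cpp
#include <cerrno>
#include <cstring>
#include <fcntl.h>
#include <iostream>
#include <memory>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
#include <vector>

// Example-only model of the fix (not WebKit's code). On EAGAIN/EWOULDBLOCK the
// message is parked in m_pendingMessage rather than poll()ed for on this
// thread, canSendOutgoingMessages() turns false so nothing overtakes it, and a
// run loop watching the fd for writability calls onSocketWritable() to retry.
class OutgoingQueue {
public:
    explicit OutgoingQueue(int fd) : m_fd(fd) { }

    bool canSendOutgoingMessages() const { return !m_pendingMessage; }
    bool hasPendingMessage() const { return m_pendingMessage != nullptr; }

    // Returns false only on a hard socket error; back-pressure is not an error.
    bool sendOutgoingMessage(std::vector<char> body)
    {
        if (!canSendOutgoingMessages())
            return false;
        return sendOutputMessage(std::make_unique<std::vector<char>>(std::move(body)));
    }

    // Called by the run loop once the socket polls writable again.
    bool onSocketWritable()
    {
        if (!m_pendingMessage)
            return true;
        return sendOutputMessage(std::move(m_pendingMessage));
    }

private:
    bool sendOutputMessage(std::unique_ptr<std::vector<char>> message)
    {
        struct iovec iov;
        iov.iov_base = message->data();
        iov.iov_len = message->size();
        struct msghdr msg;
        std::memset(&msg, 0, sizeof(msg));
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;
        ssize_t sent;
        do {
            sent = sendmsg(m_fd, &msg, MSG_NOSIGNAL);
        } while (sent == -1 && errno == EINTR);
        if (sent == -1 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
            m_pendingMessage = std::move(message); // retried from onSocketWritable()
            return true;
        }
        return sent != -1;
    }

    int m_fd;
    std::unique_ptr<std::vector<char>> m_pendingMessage;
};

struct ScenarioResult {
    int sentBeforeBackpressure = 0;
    bool parkedOnEagain = false;
    bool flushedAfterDrain = false;
};

// Constructed scenario on a local socketpair: fill the peer until the kernel
// reports EAGAIN, confirm the message was parked instead of blocking, then
// drain the peer (the reader thread's job in the real system) and retry.
ScenarioResult runBackpressureScenario()
{
    ScenarioResult result;
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) == -1)
        return result;
    for (int fd : fds)
        fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    int sndbuf = 16384; // small send buffer so back-pressure arrives quickly
    setsockopt(fds[0], SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf));

    OutgoingQueue queue(fds[0]);
    std::vector<char> payload(1024, 'x');
    for (int i = 0; i < 100000 && queue.canSendOutgoingMessages(); ++i) {
        if (!queue.sendOutgoingMessage(payload))
            break;
        if (!queue.hasPendingMessage())
            ++result.sentBeforeBackpressure;
    }
    result.parkedOnEagain = queue.hasPendingMessage();

    char buffer[4096];
    while (recv(fds[1], buffer, sizeof(buffer), 0) > 0) { }

    result.flushedAfterDrain = queue.onSocketWritable() && !queue.hasPendingMessage();
    close(fds[0]);
    close(fds[1]);
    return result;
}

int main()
{
    ScenarioResult r = runBackpressureScenario();
    std::cout << "sent " << r.sentBeforeBackpressure << " before EAGAIN, parked=" << r.parkedOnEagain
              << ", flushed after drain=" << r.flushedAfterDrain << "\n";
    return 0;
}
```

The hang in the bug report comes from doing the wait synchronously: if the thread that would read the peer is the same one blocked in poll() waiting to write, neither side can make progress. Parking the message and returning control to the run loop is what lets the read side drain the socket in the meantime.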

  Commit: 2a7303fd51d2c7f9feeaf8a47333e4c8bc8f149b
      https://github.com/WebKit/WebKit/commit/2a7303fd51d2c7f9feeaf8a47333e4c8bc8f149b
  Author: Joseph Pecoraro <pecoraro at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/TestExpectations
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/DOMWindow.cpp
    M Source/WebCore/workers/WorkerGlobalScope.cpp
    M Source/WebCore/workers/WorkerGlobalScope.h

  Log Message:
  -----------
  Merge r212698 - ASSERTION FAILED: m_normalWorld->hasOneRef() under WorkerThread::stop
https://bugs.webkit.org/show_bug.cgi?id=168356
<rdar://problem/30592486>

Patch by Joseph Pecoraro <pecoraro at apple.com> on 2017-02-20
Reviewed by Ryosuke Niwa.

Source/WebCore:

* page/DOMWindow.cpp:
(WebCore::DOMWindow::removeAllEventListeners):
Remove Performance object EventListeners.

* workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::~WorkerGlobalScope):
(WebCore::WorkerGlobalScope::removeAllEventListeners):
(WebCore::WorkerGlobalScope::performance):
* workers/WorkerGlobalScope.h:
Remove Performance object EventListeners.
Also clear Performance early in destruction since its ContextDestructionObserver
destruction makes checks about the WorkerThread.

LayoutTests:

* TestExpectations:
Unskip tests now that they no longer trigger assertions.


  Commit: 3d28f0381026b66d973ca1a0f09f1ab1ed445ab1
      https://github.com/WebKit/WebKit/commit/3d28f0381026b66d973ca1a0f09f1ab1ed445ab1
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/modules/module-namespace-is-frozen.js
    A JSTests/modules/module-namespace-is-sealed.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/ObjectConstructor.cpp

  Log Message:
  -----------
  Merge r212710 - ASSERTION FAILED: "!scope.exception()" with Object.isSealed/isFrozen and uninitialized module bindings
https://bugs.webkit.org/show_bug.cgi?id=168605

Reviewed by Saam Barati.

JSTests:

* modules/module-namespace-is-frozen.js: Added.
(from.string_appeared_here.shouldThrow):
(export.b):
* modules/module-namespace-is-sealed.js: Added.
(from.string_appeared_here.shouldThrow):
(export.b):

Source/JavaScriptCore:

We should check exception state after calling getOwnPropertyDescriptor() since it can throw errors.

* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorIsSealed):
(JSC::objectConstructorIsFrozen):


  Commit: 7e29284eb04d4ba486c8112740a7c96abfe38327
      https://github.com/WebKit/WebKit/commit/7e29284eb04d4ba486c8112740a7c96abfe38327
  Author: Maureen Daum <mdaum at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/Storage/LocalStorageDatabaseTracker.cpp

  Log Message:
  -----------
  Merge r212726 - Check what LocalStorage data exists in deleteDatabasesModifiedSince() before attempting deletion.
https://bugs.webkit.org/show_bug.cgi?id=168659
rdar://problem/22781730

Patch by Maureen Daum <mdaum at apple.com> on 2017-02-21
Reviewed by Brady Eidson.

Check what LocalStorage data exists in deleteDatabasesModifiedSince() before attempting deletion.
It is possible that another process has caused information to be added to LocalStorage
after we created this LocalStorageDatabaseTracker instance, so we should update our
internal state by checking the contents of StorageTracker.db and the other local
storage files so we know what databases actually exist. By calling importOriginIdentifiers()
at the start of deleteDatabasesModifiedSince(), m_origins will now have the up-to-date
list of origins LocalStorage contains data for.

* UIProcess/Storage/LocalStorageDatabaseTracker.cpp:
(WebKit::LocalStorageDatabaseTracker::deleteDatabasesModifiedSince):


  Commit: f385c44ed93c75986254a3a07310a8e77db27d3b
      https://github.com/WebKit/WebKit/commit/f385c44ed93c75986254a3a07310a8e77db27d3b
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/splay-flash-access-1ms.js
    A JSTests/stress/splay-flash-access.js
    M Source/JavaScriptCore/CMakeLists.txt
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/dfg/DFGWorklist.cpp
    M Source/JavaScriptCore/dfg/DFGWorklist.h
    A Source/JavaScriptCore/heap/CollectingScope.h
    A Source/JavaScriptCore/heap/CollectorPhase.cpp
    A Source/JavaScriptCore/heap/CollectorPhase.h
    M Source/JavaScriptCore/heap/EdenGCActivityCallback.cpp
    M Source/JavaScriptCore/heap/FullGCActivityCallback.cpp
    A Source/JavaScriptCore/heap/GCConductor.cpp
    A Source/JavaScriptCore/heap/GCConductor.h
    M Source/JavaScriptCore/heap/Heap.cpp
    M Source/JavaScriptCore/heap/Heap.h
    M Source/JavaScriptCore/heap/HeapInlines.h
    R Source/JavaScriptCore/heap/HeapStatistics.cpp
    R Source/JavaScriptCore/heap/HeapStatistics.h
    R Source/JavaScriptCore/heap/HelpingGCScope.h
    M Source/JavaScriptCore/heap/IncrementalSweeper.cpp
    M Source/JavaScriptCore/heap/IncrementalSweeper.h
    M Source/JavaScriptCore/heap/MachineStackMarker.cpp
    M Source/JavaScriptCore/heap/MachineStackMarker.h
    M Source/JavaScriptCore/heap/MarkedAllocator.cpp
    M Source/JavaScriptCore/heap/MarkedBlock.cpp
    M Source/JavaScriptCore/heap/MarkedSpace.cpp
    M Source/JavaScriptCore/heap/MutatorState.cpp
    M Source/JavaScriptCore/heap/MutatorState.h
    A Source/JavaScriptCore/heap/RegisterState.h
    A Source/JavaScriptCore/heap/RunningScope.h
    M Source/JavaScriptCore/heap/SlotVisitor.cpp
    M Source/JavaScriptCore/heap/SlotVisitor.h
    M Source/JavaScriptCore/heap/StochasticSpaceTimeMutatorScheduler.cpp
    A Source/JavaScriptCore/heap/SweepingScope.h
    M Source/JavaScriptCore/jit/JITWorklist.cpp
    M Source/JavaScriptCore/jsc.cpp
    M Source/JavaScriptCore/runtime/InitializeThreading.cpp
    M Source/JavaScriptCore/runtime/JSCellInlines.h
    M Source/JavaScriptCore/runtime/Options.cpp
    M Source/JavaScriptCore/runtime/Options.h
    M Source/JavaScriptCore/runtime/TestRunnerUtils.cpp
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/AutomaticThread.cpp
    M Source/WTF/wtf/AutomaticThread.h
    M Source/WTF/wtf/NumberOfCores.cpp
    M Source/WTF/wtf/ParallelHelperPool.cpp
    M Source/WTF/wtf/ParallelHelperPool.h
    M Source/WebCore/ChangeLog
    A Source/WebCore/ForwardingHeaders/heap/GCFinalizationCallback.h
    A Source/WebCore/ForwardingHeaders/heap/IncrementalSweeper.h
    A Source/WebCore/ForwardingHeaders/heap/MachineStackMarker.h
    A Source/WebCore/ForwardingHeaders/heap/RunningScope.h
    M Source/WebCore/bindings/js/CommonVM.cpp
    M Tools/ChangeLog
    M Tools/Scripts/run-jsc-stress-tests

  Log Message:
  -----------
  The collector thread should only start when the mutator doesn't have heap access
https://bugs.webkit.org/show_bug.cgi?id=167737

Reviewed by Keith Miller.

JSTests:

Add versions of splay that flash heap access, to simulate what might happen if a third-party app
was running concurrent GC. In this case, we might actually start the collector thread.

* stress/splay-flash-access-1ms.js: Added.
(performance.now):
(this.Setup.setup.setup):
(this.TearDown.tearDown.tearDown):
(Benchmark):
(BenchmarkResult):
(BenchmarkResult.prototype.valueOf):
(BenchmarkSuite):
(alert):
(Math.random):
(BenchmarkSuite.ResetRNG):
(RunStep):
(BenchmarkSuite.RunSuites):
(BenchmarkSuite.CountBenchmarks):
(BenchmarkSuite.GeometricMean):
(BenchmarkSuite.GeometricMeanTime):
(BenchmarkSuite.AverageAbovePercentile):
(BenchmarkSuite.GeometricMeanLatency):
(BenchmarkSuite.FormatScore):
(BenchmarkSuite.prototype.NotifyStep):
(BenchmarkSuite.prototype.NotifyResult):
(BenchmarkSuite.prototype.NotifyError):
(BenchmarkSuite.prototype.RunSingleBenchmark):
(RunNextSetup):
(RunNextBenchmark):
(RunNextTearDown):
(BenchmarkSuite.prototype.RunStep):
(GeneratePayloadTree):
(GenerateKey):
(SplayUpdateStats):
(InsertNewNode):
(SplaySetup):
(SplayTearDown):
(SplayRun):
(SplayTree):
(SplayTree.prototype.isEmpty):
(SplayTree.prototype.insert):
(SplayTree.prototype.remove):
(SplayTree.prototype.find):
(SplayTree.prototype.findMax):
(SplayTree.prototype.findGreatestLessThan):
(SplayTree.prototype.exportKeys):
(SplayTree.prototype.splay_):
(SplayTree.Node):
(SplayTree.Node.prototype.traverse_):
(jscSetUp):
(jscTearDown):
(jscRun):
(averageAbovePercentile):
(printPercentile):
* stress/splay-flash-access.js: Added.
(performance.now):
(this.Setup.setup.setup):
(this.TearDown.tearDown.tearDown):
(Benchmark):
(BenchmarkResult):
(BenchmarkResult.prototype.valueOf):
(BenchmarkSuite):
(alert):
(Math.random):
(BenchmarkSuite.ResetRNG):
(RunStep):
(BenchmarkSuite.RunSuites):
(BenchmarkSuite.CountBenchmarks):
(BenchmarkSuite.GeometricMean):
(BenchmarkSuite.GeometricMeanTime):
(BenchmarkSuite.AverageAbovePercentile):
(BenchmarkSuite.GeometricMeanLatency):
(BenchmarkSuite.FormatScore):
(BenchmarkSuite.prototype.NotifyStep):
(BenchmarkSuite.prototype.NotifyResult):
(BenchmarkSuite.prototype.NotifyError):
(BenchmarkSuite.prototype.RunSingleBenchmark):
(RunNextSetup):
(RunNextBenchmark):
(RunNextTearDown):
(BenchmarkSuite.prototype.RunStep):
(GeneratePayloadTree):
(GenerateKey):
(SplayUpdateStats):
(InsertNewNode):
(SplaySetup):
(SplayTearDown):
(SplayRun):
(SplayTree):
(SplayTree.prototype.isEmpty):
(SplayTree.prototype.insert):
(SplayTree.prototype.remove):
(SplayTree.prototype.find):
(SplayTree.prototype.findMax):
(SplayTree.prototype.findGreatestLessThan):
(SplayTree.prototype.exportKeys):
(SplayTree.prototype.splay_):
(SplayTree.Node):
(SplayTree.Node.prototype.traverse_):
(jscSetUp):
(jscTearDown):
(jscRun):
(averageAbovePercentile):
(printPercentile):

Source/JavaScriptCore:

This turns the collector thread's workflow into a state machine, so that the mutator thread can
run it directly. This reduces the amount of synchronization we do with the collector thread, and
means that most apps will never start the collector thread. The collector thread will still start
when we need to finish collecting and we don't have heap access.

In this new world, "stopping the world" means relinquishing control of collection to the mutator.
This means tracking who is conducting collection. I use the GCConductor enum to say who is
conducting. It's either GCConductor::Mutator or GCConductor::Collector. I use the term "conn" to
refer to the concept of conducting (having the conn, relinquishing the conn, taking the conn).
So, stopping the world means giving the mutator the conn. Releasing heap access means giving the
collector the conn.

This meant bringing back the conservative scan of the calling thread. It turns out that this
scan was too slow to be called on each GC increment because apparently setjmp() now does system
calls. So, I wrote our own callee save register saving for the GC. Then I had doubts about
whether or not it was correct, so I also made it so that the GC only rarely asks for the register
state. I think we still want to use my register saving code instead of setjmp because setjmp
seems to save things we don't need, and that could make us overly conservative.

It turns out that this new scheduling discipline makes the old space-time scheduler perform
better than the new stochastic space-time scheduler on systems with fewer than 4 cores. This is
because the mutator having the conn enables us to time the mutator<->collector context switches
by polling. The OS is never involved. So, we can use super precise timing. This allows the old
space-time scheduler to shine like it hadn't before.

The splay results imply that this is all a good thing. On 2-core systems, this reduces pause
times by 40% and it increases throughput about 5%. On 1-core systems, this reduces pause times by
half and reduces throughput by 8%. On 4-or-more-core systems, this doesn't seem to have much
effect.

* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitChildren):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::ThreadBody::ThreadBody):
(JSC::DFG::Worklist::dump):
(JSC::DFG::numberOfWorklists):
(JSC::DFG::ensureWorklistForIndex):
(JSC::DFG::existingWorklistForIndexOrNull):
(JSC::DFG::existingWorklistForIndex):
* dfg/DFGWorklist.h:
(JSC::DFG::numberOfWorklists): Deleted.
(JSC::DFG::ensureWorklistForIndex): Deleted.
(JSC::DFG::existingWorklistForIndexOrNull): Deleted.
(JSC::DFG::existingWorklistForIndex): Deleted.
* heap/CollectingScope.h: Added.
(JSC::CollectingScope::CollectingScope):
(JSC::CollectingScope::~CollectingScope):
* heap/CollectorPhase.cpp: Added.
(JSC::worldShouldBeSuspended):
(WTF::printInternal):
* heap/CollectorPhase.h: Added.
* heap/EdenGCActivityCallback.cpp:
(JSC::EdenGCActivityCallback::lastGCLength):
* heap/FullGCActivityCallback.cpp:
(JSC::FullGCActivityCallback::doCollection):
(JSC::FullGCActivityCallback::lastGCLength):
* heap/GCConductor.cpp: Added.
(JSC::gcConductorShortName):
(WTF::printInternal):
* heap/GCConductor.h: Added.
* heap/GCFinalizationCallback.cpp: Added.
(JSC::GCFinalizationCallback::GCFinalizationCallback):
(JSC::GCFinalizationCallback::~GCFinalizationCallback):
* heap/GCFinalizationCallback.h: Added.
(JSC::GCFinalizationCallbackFuncAdaptor::GCFinalizationCallbackFuncAdaptor):
(JSC::createGCFinalizationCallback):
* heap/Heap.cpp:
(JSC::Heap::Thread::Thread):
(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):
(JSC::Heap::gatherStackRoots):
(JSC::Heap::updateObjectCounts):
(JSC::Heap::sweepSynchronously):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collectAsync):
(JSC::Heap::collectSync):
(JSC::Heap::shouldCollectInCollectorThread):
(JSC::Heap::collectInCollectorThread):
(JSC::Heap::checkConn):
(JSC::Heap::runNotRunningPhase):
(JSC::Heap::runBeginPhase):
(JSC::Heap::runFixpointPhase):
(JSC::Heap::runConcurrentPhase):
(JSC::Heap::runReloopPhase):
(JSC::Heap::runEndPhase):
(JSC::Heap::changePhase):
(JSC::Heap::finishChangingPhase):
(JSC::Heap::stopThePeriphery):
(JSC::Heap::resumeThePeriphery):
(JSC::Heap::stopTheMutator):
(JSC::Heap::resumeTheMutator):
(JSC::Heap::stopIfNecessarySlow):
(JSC::Heap::collectInMutatorThread):
(JSC::Heap::waitForCollector):
(JSC::Heap::acquireAccessSlow):
(JSC::Heap::releaseAccessSlow):
(JSC::Heap::relinquishConn):
(JSC::Heap::finishRelinquishingConn):
(JSC::Heap::handleNeedFinalize):
(JSC::Heap::notifyThreadStopping):
(JSC::Heap::finalize):
(JSC::Heap::addFinalizationCallback):
(JSC::Heap::requestCollection):
(JSC::Heap::waitForCollection):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didFinishCollection):
(JSC::Heap::collectIfNecessaryOrDefer):
(JSC::Heap::notifyIsSafeToCollect):
(JSC::Heap::preventCollection):
(JSC::Heap::performIncrement):
(JSC::Heap::markToFixpoint): Deleted.
(JSC::Heap::shouldCollectInThread): Deleted.
(JSC::Heap::collectInThread): Deleted.
(JSC::Heap::stopTheWorld): Deleted.
(JSC::Heap::resumeTheWorld): Deleted.
* heap/Heap.h:
(JSC::Heap::machineThreads):
(JSC::Heap::lastFullGCLength):
(JSC::Heap::lastEdenGCLength):
(JSC::Heap::increaseLastFullGCLength):
* heap/HeapInlines.h:
(JSC::Heap::mutatorIsStopped): Deleted.
* heap/HeapStatistics.cpp: Removed.
* heap/HeapStatistics.h: Removed.
* heap/HelpingGCScope.h: Removed.
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::stopSweeping):
(JSC::IncrementalSweeper::willFinishSweeping): Deleted.
* heap/IncrementalSweeper.h:
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::gatherFromCurrentThread):
(JSC::MachineThreads::gatherConservativeRoots):
(JSC::callWithCurrentThreadState):
* heap/MachineStackMarker.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::allocateSlowCaseImpl):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::sweep):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::sweep):
* heap/MutatorState.cpp:
(WTF::printInternal):
* heap/MutatorState.h:
* heap/RegisterState.h: Added.
* heap/RunningScope.h: Added.
(JSC::RunningScope::RunningScope):
(JSC::RunningScope::~RunningScope):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::SlotVisitor):
(JSC::SlotVisitor::drain):
(JSC::SlotVisitor::drainFromShared):
(JSC::SlotVisitor::drainInParallelPassively):
(JSC::SlotVisitor::donateAll):
(JSC::SlotVisitor::donate):
* heap/SlotVisitor.h:
(JSC::SlotVisitor::codeName):
* heap/StochasticSpaceTimeMutatorScheduler.cpp:
(JSC::StochasticSpaceTimeMutatorScheduler::beginCollection):
(JSC::StochasticSpaceTimeMutatorScheduler::synchronousDrainingDidStall):
(JSC::StochasticSpaceTimeMutatorScheduler::timeToStop):
* heap/SweepingScope.h: Added.
(JSC::SweepingScope::SweepingScope):
(JSC::SweepingScope::~SweepingScope):
* jit/JITWorklist.cpp:
(JSC::JITWorklist::Thread::Thread):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionFlashHeapAccess):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/JSCellInlines.h:
(JSC::JSCell::classInfo):
* runtime/Options.cpp:
(JSC::overrideDefaults):
* runtime/Options.h:
* runtime/TestRunnerUtils.cpp:
(JSC::finalizeStatsAtEndOfTesting):

Source/WebCore:


Added new tests in JSTests.

The WebCore changes involve:

- Refactoring around new header discipline.

- Adding crazy GC APIs to window.internals to enable us to test the GC's runloop discipline.

* ForwardingHeaders/heap/GCFinalizationCallback.h: Added.
* ForwardingHeaders/heap/IncrementalSweeper.h: Added.
* ForwardingHeaders/heap/MachineStackMarker.h: Added.
* ForwardingHeaders/heap/RunningScope.h: Added.
* bindings/js/CommonVM.cpp:
* testing/Internals.cpp:
(WebCore::Internals::parserMetaData):
(WebCore::Internals::isReadableStreamDisturbed):
(WebCore::Internals::isGCRunning):
(WebCore::Internals::addGCFinalizationCallback):
(WebCore::Internals::stopSweeping):
(WebCore::Internals::startSweeping):
* testing/Internals.h:
* testing/Internals.idl:

Source/WTF:


Extend the use of AbstractLocker so that we can use more locking idioms.

* wtf/AutomaticThread.cpp:
(WTF::AutomaticThreadCondition::notifyOne):
(WTF::AutomaticThreadCondition::notifyAll):
(WTF::AutomaticThreadCondition::add):
(WTF::AutomaticThreadCondition::remove):
(WTF::AutomaticThreadCondition::contains):
(WTF::AutomaticThread::AutomaticThread):
(WTF::AutomaticThread::tryStop):
(WTF::AutomaticThread::isWaiting):
(WTF::AutomaticThread::notify):
(WTF::AutomaticThread::start):
(WTF::AutomaticThread::threadIsStopping):
* wtf/AutomaticThread.h:
* wtf/NumberOfCores.cpp:
(WTF::numberOfProcessorCores):
* wtf/ParallelHelperPool.cpp:
(WTF::ParallelHelperClient::finish):
(WTF::ParallelHelperClient::claimTask):
(WTF::ParallelHelperPool::Thread::Thread):
(WTF::ParallelHelperPool::didMakeWorkAvailable):
(WTF::ParallelHelperPool::hasClientWithTask):
(WTF::ParallelHelperPool::getClientWithTask):
* wtf/ParallelHelperPool.h:

Tools:


Make more tests collect continuously.

* Scripts/run-jsc-stress-tests:


  Commit: a9b50687db29470d1d5e67395575c412dd645ab1
      https://github.com/WebKit/WebKit/commit/a9b50687db29470d1d5e67395575c412dd645ab1
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/JSCJSValueInlines.h
    M Source/JavaScriptCore/runtime/JSObject.cpp

  Log Message:
  -----------
  Merge r212779 - Add missing exception checks detected by running marathon.js.
https://bugs.webkit.org/show_bug.cgi?id=168687

Reviewed by Saam Barati.

When running the marathon.js test from https://bugs.webkit.org/show_bug.cgi?id=168580,
we get some crashes due to missing exception checks.  This patch adds those
missing exception checks.

* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toPropertyKey):
* runtime/JSObject.cpp:
(JSC::JSObject::getPrimitiveNumber):


  Commit: 241b3990dba0c8dbcfe3977c00d169332a864fc5
      https://github.com/WebKit/WebKit/commit/241b3990dba0c8dbcfe3977c00d169332a864fc5
  Author: Filip Pizlo <fpizlo at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/heap/Heap.cpp
    M Source/JavaScriptCore/runtime/JSLock.cpp

  Log Message:
  -----------
  Merge r212780 - Unreviewed, fix cloop. I managed to have my local patch for relanding be the one without the cloop
fix. I keep forgetting about cloop!

* heap/Heap.cpp:
(JSC::Heap::stopThePeriphery):
* runtime/JSLock.cpp:


  Commit: d25075f53419bf7c20f9b1d1096569043edb3d6c
      https://github.com/WebKit/WebKit/commit/d25075f53419bf7c20f9b1d1096569043edb3d6c
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/context/context-lost-expected.txt
    A LayoutTests/http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/context/context-lost.html
    A LayoutTests/http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/more/conformance/argGenerators-S_V.js
    A LayoutTests/http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/more/conformance/quickCheckAPI-S_V-expected.txt
    A LayoutTests/http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/more/conformance/quickCheckAPI-S_V.html
    A LayoutTests/http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/more/conformance/quickCheckAPI.js
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
    M Source/WebCore/html/canvas/WebGLRenderingContextBase.h

  Log Message:
  -----------
  Merge r212784 - REGRESSION (r207720): /more/conformance/conformance/quickCheckAPI-S_V.html test fails
https://bugs.webkit.org/show_bug.cgi?id=168632
<rdar://problem/30620129>

Reviewed by Darin Adler.

Source/WebCore:

After r207720, the following WebGL conformance tests started failing:
- /more/conformance/conformance/quickCheckAPI-S_V.html
- /context/context-lost.html

We started throwing security errors in cases where we did not before.
Chrome and Firefox are both passing these tests so our new behavior was not interoperable.

This patch reverts part of r207720 to restore our previous behavior.

* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::texSubImage2D):
(WebCore::WebGLRenderingContextBase::texImage2D):
(WebCore::WebGLRenderingContextBase::validateHTMLImageElement):
(WebCore::WebGLRenderingContextBase::validateHTMLCanvasElement):
(WebCore::WebGLRenderingContextBase::validateHTMLVideoElement):
* html/canvas/WebGLRenderingContextBase.h:

LayoutTests:

Import layout test coverage.

* http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/context/context-lost-expected.txt: Added.
* http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/context/context-lost.html: Added.
* http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/more/conformance/argGenerators-S_V.js: Added.
* http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/more/conformance/quickCheckAPI-S_V-expected.txt: Added.
* http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/more/conformance/quickCheckAPI-S_V.html: Added.
* http/tests/webgl/1.0.2/resources/webgl_test_files/conformance/more/conformance/quickCheckAPI.js: Added.


  Commit: 1d498ef130329b50e2edb4884c8e8e5a2a2d27b1
      https://github.com/WebKit/WebKit/commit/1d498ef130329b50e2edb4884c8e8e5a2a2d27b1
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/StringPrototype.cpp

  Log Message:
  -----------
  Merge r212791 - Add more missing exception checks detected by running marathon.js.
https://bugs.webkit.org/show_bug.cgi?id=168697

Reviewed by Saam Barati.

* runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):


  Commit: 27184ad1ab48cd580725bb174bcce2dcd065815c
      https://github.com/WebKit/WebKit/commit/27184ad1ab48cd580725bb174bcce2dcd065815c
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/platform/gtk/TestExpectations
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/glib/MainThreadGLib.cpp

  Log Message:
  -----------
  Merge r212814 - [GTK] Test fast/events/message-port-postMessage-recursive.html times out
https://bugs.webkit.org/show_bug.cgi?id=168570

Reviewed by Michael Catanzaro.

Source/WTF:

This has recently been added and the patch is good. It's just revealing a problem with our timers. The test is
posting a message recursively, and also starts a timeout timer to finish the test. The timeout timer is never
fired for us, because WebCore timers have lower priority than the one used by postMessage. ScriptExecutionContext
uses Document::postTask, that uses scheduleOnMainThread, that uses RunLoop::dispatch(). We are not setting any
priority for the timer used by RunLoop::dispatch, so it's using the default.
Use a RunLoop::Timer to schedule tasks to the main thread instead of using RunLoop::dispatch(). This allows us
to use a different priority, that is now set to G_PRIORITY_HIGH_IDLE + 20 to match WebCore timers. But it also
avoids the double queue we had with RunLoop::dispatch(), because scheduleOnMainThread() also queues the tasks.

* wtf/glib/MainThreadGLib.cpp:
(WTF::MainThreadDispatcher::MainThreadDispatcher):
(WTF::MainThreadDispatcher::schedule):
(WTF::MainThreadDispatcher::fired):
(WTF::scheduleDispatchFunctionsOnMainThread):

LayoutTests:

* platform/gtk/TestExpectations:


  Commit: 30ff0d9f11bfcf8b45612c8746c2b5bbc1a95aa3
      https://github.com/WebKit/WebKit/commit/30ff0d9f11bfcf8b45612c8746c2b5bbc1a95aa3
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp

  Log Message:
  -----------
  Merge r212815 - [GStreamer] Crash in MediaPlayerPrivateGStreamerMSE::buffered() when MEDIA_STREAM is disabled
https://bugs.webkit.org/show_bug.cgi?id=168662

Reviewed by Michael Catanzaro.

When MEDIA_STREAM is disabled, if MediaPlayer::loadWithNextMediaEngine is called with a current engine and
there's no type specified, the next media engine that is used is the MSE one. Since there's actually no media
stream, the engine is created but never loaded. When buffered is called it tries to use its media source that is
nullptr. It doesn't happen when MEDIA_STREAM is enabled, because the next media engine returned is Owr that
doesn't implement buffered and always returns an empty PlatformTimeRanges.

* platform/graphics/gstreamer/mse/MediaPlayerPrivateGStreamerMSE.cpp:
(WebCore::MediaPlayerPrivateGStreamerMSE::buffered): Return an empty PlatformTimeRanges if m_mediaSource is nullptr.


  Commit: 588a60fde4958af82c262896aecd0c265aecae06
      https://github.com/WebKit/WebKit/commit/588a60fde4958af82c262896aecd0c265aecae06
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp

  Log Message:
  -----------
  Merge r212816 - NetworkProcess: Stop disabling buffering when NETWORK_CACHE is disabled in build
https://bugs.webkit.org/show_bug.cgi?id=168637

Reviewed by Alex Christensen.

It was added in r193752 as part of bug #137692 to fix an infinite loop in the network process that happened in EFL
because they didn't enable the network cache at that time. I think that was actually a workaround, and it was
added without any comment so it has stayed there even when EFL enabled disk cache, and now that is gone. Looking
at current code I see no reason why buffering can't work with the disk cache disabled, so I think it's time to
remove that workaround.

* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::maximumBufferingTime):


  Commit: fa4d2831235c0ad79633fe68b4bd295b97b6d286
      https://github.com/WebKit/WebKit/commit/fa4d2831235c0ad79633fe68b4bd295b97b6d286
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/modules/module-assert-access-binding.js
    A JSTests/modules/module-assert-access-namespace.js
    A JSTests/modules/namespace-empty.js
    A JSTests/stress/module-namespace-access-change.js
    A JSTests/stress/module-namespace-access-non-constant.js
    A JSTests/stress/module-namespace-access-poly.js
    A JSTests/stress/module-namespace-access-transitive-exports.js
    A JSTests/stress/module-namespace-access.js
    A JSTests/stress/resources/module-namespace-access-transitive-exports-2.js
    A JSTests/stress/resources/module-namespace-access-transitive-exports.js
    A JSTests/stress/resources/module-namespace-access.js
    M Source/JavaScriptCore/CMakeLists.txt
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/bytecode/AccessCase.cpp
    M Source/JavaScriptCore/bytecode/AccessCase.h
    M Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
    M Source/JavaScriptCore/bytecode/GetByIdStatus.h
    A Source/JavaScriptCore/bytecode/ModuleNamespaceAccessCase.cpp
    A Source/JavaScriptCore/bytecode/ModuleNamespaceAccessCase.h
    M Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/jit/AssemblyHelpers.h
    M Source/JavaScriptCore/jit/Repatch.cpp
    M Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp
    M Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
    M Source/JavaScriptCore/runtime/JSModuleNamespaceObject.h
    M Source/JavaScriptCore/runtime/JSModuleRecord.h
    M Source/JavaScriptCore/runtime/PropertySlot.h

  Log Message:
  -----------
  Merge r212818 - JSModuleNamespace object should have IC
https://bugs.webkit.org/show_bug.cgi?id=160590

Reviewed by Saam Barati.

JSTests:

* modules/module-assert-access-binding.js: Added.
* modules/module-assert-access-namespace.js: Added.
* modules/namespace-empty.js: Added.
(from.string_appeared_here.access):
(i.shouldThrow):
* stress/module-namespace-access-change.js: Added.
(shouldBe):
(access):
(import.string_appeared_here.then):
* stress/module-namespace-access-non-constant.js: Added.
(shouldBe):
(import.string_appeared_here.then):
* stress/module-namespace-access-poly.js: Added.
(shouldBe):
(access):
(import.string_appeared_here.then):
* stress/module-namespace-access-transitive-exports.js: Added.
(shouldBe):
(import.string_appeared_here.then):
* stress/module-namespace-access.js: Added.
(shouldBe):
(import.string_appeared_here.then):
* stress/resources/module-namespace-access-transitive-exports-2.js: Added.
(export.cocoa):
(export.change):
* stress/resources/module-namespace-access-transitive-exports.js: Added.
* stress/resources/module-namespace-access.js: Added.
(export.cocoa):
(export.change):

Source/JavaScriptCore:

This patch optimizes accesses to module namespace objects.

1. Cache the resolutions for module namespace objects.

    When constructing the module namespace object, we already resolve all the exports.
    The module namespace object caches this result and leverages it in later accesses in
    getOwnPropertySlot. This avoids resolving bindings through resolveExport.

2. Introduce ModuleNamespaceLoad IC.

    This patch adds a new IC for module namespace objects. The mechanism is simple: getOwnPropertySlot
    tells us about module namespace object resolution. The IC first checks whether the given object
    is an expected module namespace object. If this check succeeds, we load the value from the module
    environment.

3. Introduce DFG/FTL optimization.

    After exploiting module namespace object accesses in (2), DFG can recognize this in ByteCodeParser.
    DFG will convert it to CheckCell with the namespace object and GetClosureVar from the cached environment.
    At that time, we have a chance to fold it to the constant.

This optimization improves the performance of accessing module namespace objects.

Before
    $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-namespace.js
    ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.43s user 0.03s system 101% cpu 0.451 total
    $ time ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m module-assert-access-binding.js
    ../../WebKitBuild/module-ic-tot/Release/bin/jsc -m   0.08s user 0.02s system 103% cpu 0.104 total

After
    $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-namespace.js
    ../../WebKitBuild/module-ic/Release/bin/jsc -m   0.11s user 0.01s system 106% cpu 0.109 total
    $ time ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.js
    ../../WebKitBuild/module-ic/Release/bin/jsc -m module-assert-access-binding.j  0.08s user 0.02s system 102% cpu 0.105 total

* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/AccessCase.cpp:
(JSC::AccessCase::create):
(JSC::AccessCase::guardedByStructureCheck):
(JSC::AccessCase::canReplace):
(JSC::AccessCase::visitWeak):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
* bytecode/AccessCase.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::GetByIdStatus):
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::GetByIdStatus::makesCalls):
(JSC::GetByIdStatus::dump):
* bytecode/GetByIdStatus.h:
(JSC::GetByIdStatus::isModuleNamespace):
(JSC::GetByIdStatus::takesSlowPath):
(JSC::GetByIdStatus::moduleNamespaceObject):
(JSC::GetByIdStatus::moduleEnvironment):
(JSC::GetByIdStatus::scopeOffset):
* bytecode/ModuleNamespaceAccessCase.cpp: Added.
(JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
(JSC::ModuleNamespaceAccessCase::create):
(JSC::ModuleNamespaceAccessCase::~ModuleNamespaceAccessCase):
(JSC::ModuleNamespaceAccessCase::clone):
(JSC::ModuleNamespaceAccessCase::emit):
* bytecode/ModuleNamespaceAccessCase.h: Added.
(JSC::ModuleNamespaceAccessCase::moduleNamespaceObject):
(JSC::ModuleNamespaceAccessCase::moduleEnvironment):
(JSC::ModuleNamespaceAccessCase::scopeOffset):
* bytecode/PolymorphicAccess.cpp:
(WTF::printInternal):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
(JSC::DFG::ByteCodeParser::handleGetById):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::loadValue):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::getModuleNamespace):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::finishCreation):
(JSC::JSModuleNamespaceObject::visitChildren):
(JSC::getValue):
(JSC::JSModuleNamespaceObject::getOwnPropertySlot):
(JSC::JSModuleNamespaceObject::getOwnPropertyNames):
* runtime/JSModuleNamespaceObject.h:
(JSC::isJSModuleNamespaceObject):
(JSC::JSModuleNamespaceObject::create): Deleted.
(JSC::JSModuleNamespaceObject::createStructure): Deleted.
(JSC::JSModuleNamespaceObject::moduleRecord): Deleted.
* runtime/JSModuleRecord.h:
(JSC::JSModuleRecord::moduleEnvironment): Deleted.
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
(JSC::PropertySlot::domJIT):
(JSC::PropertySlot::moduleNamespaceSlot):
(JSC::PropertySlot::setValueModuleNamespace):
(JSC::PropertySlot::setCacheableCustom):


  Commit: 79ef3b7f140225a4825c16cd1e706585b6f9f560
      https://github.com/WebKit/WebKit/commit/79ef3b7f140225a4825c16cd1e706585b6f9f560
  Author: Sergio Villar Senin <svillar at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebCore/CMakeLists.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/WebCore.xcodeproj/project.pbxproj
    A Source/WebCore/rendering/GridTrackSizingAlgorithm.cpp
    A Source/WebCore/rendering/GridTrackSizingAlgorithm.h
    M Source/WebCore/rendering/RenderGrid.cpp
    M Source/WebCore/rendering/RenderGrid.h

  Log Message:
  -----------
  Merge r212823 - [css-grid] Move the track sizing algorithm to its own class
https://bugs.webkit.org/show_bug.cgi?id=167988

Reviewed by Manuel Rego Casasnovas.

This is about moving the track sizing algorithm code out of RenderGrid to a new class
GridTrackSizingAlgorithm, making RenderGrid more compact and easy to maintain. A nice side
effect of this patch is the removal of the GridSizingData structure as it is no longer
needed. All the data structures in that class were transferred to GridTrackSizingAlgorithm
as private attribute members. The GridTrack class was also moved to the new file.

The algorithm execution starts with the call to run(). It's mandatory to call setup() before
any call to run() in order to properly configure the behaviour of the algorithm. You can
call setup() & run() multiple times for a single layout operation (normally twice, one for
columns and another one for rows). The algorithm uses a state machine to verify that the
client issues the calls in the proper order (i.e. first columns and then rows). After
finishing the layout, the client should call reset() to allow the algorithm to perform
cleanups and to prepare itself for another round of calls.

In order to implement the different behaviours of the algorithm depending on whether the
available size is definite or not, a strategy pattern was implemented in the
GridTrackSizingAlgorithmStrategy class. It has two subclasses, one for definite sizes and
another one for indefinite ones.

We took advantage of this change to perform some renames of the track sizing algorithm
methods that were still using the names from the first versions of the specs. Not only that,
the original track sizing algorithm method (computeUsedBreadthOfGridTracks) was split into 4
different parts representing the 4 steps of the algorithm.

No new tests as this is about moving code and refactoring.

* CMakeLists.txt:
* WebCore.xcodeproj/project.pbxproj:
* rendering/GridTrackSizingAlgorithm.cpp: Added.
(WebCore::GridTrack::baseSize):
(WebCore::GridTrack::growthLimit):
(WebCore::GridTrack::setBaseSize):
(WebCore::GridTrack::setGrowthLimit):
(WebCore::GridTrack::growthLimitIfNotInfinite):
(WebCore::GridTrack::setTempSize):
(WebCore::GridTrack::growTempSize):
(WebCore::GridTrack::setGrowthLimitCap):
(WebCore::GridTrack::ensureGrowthLimitIsBiggerThanBaseSize):
(WebCore::shouldClearOverrideContainingBlockContentSizeForChild):
(WebCore::hasOverrideContainingBlockContentSizeForChild):
(WebCore::setOverrideContainingBlockContentSizeForChild):
(WebCore::flowAwareDirectionForChild):
(WebCore::overrideContainingBlockContentSizeForChild):
(WebCore::computeMarginLogicalSizeForChild):
(WebCore::marginIntrinsicLogicalWidthForChild):
(WebCore::GridTrackSizingAlgorithm::setFreeSpace):
(WebCore::GridTrackSizingAlgorithm::rawGridTrackSize):
(WebCore::GridTrackSizingAlgorithm::computeTrackBasedSize):
(WebCore::GridTrackSizingAlgorithm::initialBaseSize):
(WebCore::GridTrackSizingAlgorithm::initialGrowthLimit):
(WebCore::GridTrackSizingAlgorithm::sizeTrackToFitNonSpanningItem):
(WebCore::GridTrackSizingAlgorithm::spanningItemCrossesFlexibleSizedTracks):
(WebCore::GridItemWithSpan::GridItemWithSpan):
(WebCore::GridItemWithSpan::gridItem):
(WebCore::GridItemWithSpan::span):
(WebCore::GridItemWithSpan::operator<):
(WebCore::GridTrackSizingAlgorithm::itemSizeForTrackSizeComputationPhase):
(WebCore::shouldProcessTrackForTrackSizeComputationPhase):
(WebCore::trackSizeForTrackSizeComputationPhase):
(WebCore::updateTrackSizeForTrackSizeComputationPhase):
(WebCore::trackShouldGrowBeyondGrowthLimitsForTrackSizeComputationPhase):
(WebCore::markAsInfinitelyGrowableForTrackSizeComputationPhase):
(WebCore::GridTrackSizingAlgorithm::increaseSizesToAccommodateSpanningItems):
(WebCore::sortByGridTrackGrowthPotential):
(WebCore::clampGrowthShareIfNeeded):
(WebCore::GridTrackSizingAlgorithm::distributeSpaceToTracks):
(WebCore::GridTrackSizingAlgorithm::assumedRowsSizeForOrthogonalChild):
(WebCore::GridTrackSizingAlgorithm::gridAreaBreadthForChild):
(WebCore::GridTrackSizingAlgorithm::gridTrackSize):
(WebCore::GridTrackSizingAlgorithm::computeFlexFactorUnitSize):
(WebCore::GridTrackSizingAlgorithm::computeFlexSizedTracksGrowth):
(WebCore::GridTrackSizingAlgorithm::findFrUnitSize):
(WebCore::GridTrackSizingAlgorithm::computeGridContainerIntrinsicSizes):
(WebCore::GridTrackSizingAlgorithmStrategy::logicalHeightForChild):
(WebCore::GridTrackSizingAlgorithmStrategy::minContentForChild):
(WebCore::GridTrackSizingAlgorithmStrategy::maxContentForChild):
(WebCore::GridTrackSizingAlgorithmStrategy::minSizeForChild):
(WebCore::GridTrackSizingAlgorithmStrategy::updateOverrideContainingBlockContentSizeForChild):
(WebCore::IndefiniteSizeStrategy::minLogicalWidthForChild):
(WebCore::IndefiniteSizeStrategy::layoutGridItemForMinSizeComputation):
(WebCore::IndefiniteSizeStrategy::maximizeTracks):
(WebCore::normalizedFlexFraction):
(WebCore::IndefiniteSizeStrategy::findUsedFlexFraction):
(WebCore::IndefiniteSizeStrategy::recomputeUsedFlexFractionIfNeeded):
(WebCore::DefiniteSizeStrategy::minLogicalWidthForChild):
(WebCore::DefiniteSizeStrategy::maximizeTracks):
(WebCore::DefiniteSizeStrategy::layoutGridItemForMinSizeComputation):
(WebCore::DefiniteSizeStrategy::findUsedFlexFraction):
(WebCore::DefiniteSizeStrategy::recomputeUsedFlexFractionIfNeeded):
(WebCore::GridTrackSizingAlgorithm::initializeTrackSizes):
(WebCore::GridTrackSizingAlgorithm::resolveIntrinsicTrackSizes):
(WebCore::GridTrackSizingAlgorithm::stretchFlexibleTracks):
(WebCore::GridTrackSizingAlgorithm::advanceNextState):
(WebCore::GridTrackSizingAlgorithm::isValidTransition):
(WebCore::GridTrackSizingAlgorithm::setup):
(WebCore::GridTrackSizingAlgorithm::run):
(WebCore::GridTrackSizingAlgorithm::reset):
(WebCore::GridTrackSizingAlgorithm::tracksAreWiderThanMinTrackBreadth):
(WebCore::GridTrackSizingAlgorithm::StateMachine::StateMachine):
(WebCore::GridTrackSizingAlgorithm::StateMachine::~StateMachine):
* rendering/GridTrackSizingAlgorithm.h: Added.
(WebCore::GridTrack::GridTrack):
(WebCore::GridTrack::infiniteGrowthPotential):
(WebCore::GridTrack::plannedSize):
(WebCore::GridTrack::setPlannedSize):
(WebCore::GridTrack::tempSize):
(WebCore::GridTrack::infinitelyGrowable):
(WebCore::GridTrack::setInfinitelyGrowable):
(WebCore::GridTrack::growthLimitCap):
(WebCore::GridTrack::growthLimitIsInfinite):
(WebCore::GridTrack::isGrowthLimitBiggerThanBaseSize):
(WebCore::GridTrackSizingAlgorithmStrategy::GridTrackSizingAlgorithmStrategy):
(WebCore::GridTrackSizingAlgorithmStrategy::computeTrackBasedSize):
(WebCore::GridTrackSizingAlgorithmStrategy::direction):
(WebCore::GridTrackSizingAlgorithmStrategy::findFrUnitSize):
(WebCore::GridTrackSizingAlgorithmStrategy::distributeSpaceToTracks):
(WebCore::GridTrackSizingAlgorithmStrategy::renderGrid):
* rendering/RenderGrid.cpp:
(WebCore::RenderGrid::RenderGrid):
(WebCore::RenderGrid::computeTrackBasedLogicalHeight):
(WebCore::RenderGrid::computeTrackSizesForDefiniteSize):
(WebCore::RenderGrid::repeatTracksSizingIfNeeded):
(WebCore::RenderGrid::layoutBlock):
(WebCore::RenderGrid::computeIntrinsicLogicalWidths):
(WebCore::RenderGrid::computeTrackSizesForIndefiniteSize):
(WebCore::RenderGrid::placeSpecifiedMajorAxisItemsOnGrid):
(WebCore::RenderGrid::applyStretchAlignmentToTracksIfNeeded):
(WebCore::RenderGrid::layoutGridItems):
(WebCore::RenderGrid::gridAreaBreadthForChildIncludingAlignmentOffsets):
(WebCore::RenderGrid::populateGridPositionsForDirection):
(WebCore::RenderGrid::columnAxisOffsetForChild):
(WebCore::RenderGrid::rowAxisOffsetForChild):
(WebCore::RenderGrid::findChildLogicalPosition):
(WebCore::GridTrack::GridTrack): Deleted.
(WebCore::GridTrack::baseSize): Deleted.
(WebCore::GridTrack::growthLimit): Deleted.
(WebCore::GridTrack::setBaseSize): Deleted.
(WebCore::GridTrack::setGrowthLimit): Deleted.
(WebCore::GridTrack::infiniteGrowthPotential): Deleted.
(WebCore::GridTrack::growthLimitIfNotInfinite): Deleted.
(WebCore::GridTrack::plannedSize): Deleted.
(WebCore::GridTrack::setPlannedSize): Deleted.
(WebCore::GridTrack::tempSize): Deleted.
(WebCore::GridTrack::setTempSize): Deleted.
(WebCore::GridTrack::growTempSize): Deleted.
(WebCore::GridTrack::infinitelyGrowable): Deleted.
(WebCore::GridTrack::setInfinitelyGrowable): Deleted.
(WebCore::GridTrack::setGrowthLimitCap): Deleted.
(WebCore::GridTrack::growthLimitCap): Deleted.
(WebCore::GridTrack::growthLimitIsInfinite): Deleted.
(WebCore::GridTrack::isGrowthLimitBiggerThanBaseSize): Deleted.
(WebCore::GridTrack::ensureGrowthLimitIsBiggerThanBaseSize): Deleted.
(WebCore::RenderGrid::GridSizingData::GridSizingData): Deleted.
(WebCore::RenderGrid::GridSizingData::freeSpace): Deleted.
(WebCore::RenderGrid::GridSizingData::availableSpace): Deleted.
(WebCore::RenderGrid::GridSizingData::setAvailableSpace): Deleted.
(WebCore::RenderGrid::GridSizingData::advanceNextState): Deleted.
(WebCore::RenderGrid::GridSizingData::isValidTransition): Deleted.
(WebCore::RenderGrid::GridSizingData::grid): Deleted.
(WebCore::RenderGrid::GridSizingData::setFreeSpace): Deleted.
(WebCore::RenderGrid::computeTrackSizesForDirection): Deleted.
(WebCore::RenderGrid::computeIntrinsicLogicalHeight): Deleted.
(WebCore::normalizedFlexFraction): Deleted.
(WebCore::RenderGrid::computeUsedBreadthOfGridTracks): Deleted.
(WebCore::RenderGrid::computeFlexSizedTracksGrowth): Deleted.
(WebCore::RenderGrid::computeUsedBreadthOfMinLength): Deleted.
(WebCore::RenderGrid::computeUsedBreadthOfMaxLength): Deleted.
(WebCore::RenderGrid::computeFlexFactorUnitSize): Deleted.
(WebCore::RenderGrid::findFlexFactorUnitSize): Deleted.
(WebCore::hasOverrideContainingBlockContentSizeForChild): Deleted.
(WebCore::setOverrideContainingBlockContentSizeForChild): Deleted.
(WebCore::shouldClearOverrideContainingBlockContentSizeForChild): Deleted.
(WebCore::RenderGrid::rawGridTrackSize): Deleted.
(WebCore::RenderGrid::gridTrackSize): Deleted.
(WebCore::RenderGrid::logicalHeightForChild): Deleted.
(WebCore::RenderGrid::minSizeForChild): Deleted.
(WebCore::RenderGrid::updateOverrideContainingBlockContentSizeForChild): Deleted.
(WebCore::RenderGrid::minContentForChild): Deleted.
(WebCore::RenderGrid::maxContentForChild): Deleted.
(WebCore::GridItemWithSpan::GridItemWithSpan): Deleted.
(WebCore::GridItemWithSpan::gridItem): Deleted.
(WebCore::GridItemWithSpan::span): Deleted.
(WebCore::GridItemWithSpan::operator<): Deleted.
(WebCore::RenderGrid::spanningItemCrossesFlexibleSizedTracks): Deleted.
(WebCore::RenderGrid::resolveContentBasedTrackSizingFunctions): Deleted.
(WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForNonSpanningItems): Deleted.
(WebCore::trackSizeForTrackSizeComputationPhase): Deleted.
(WebCore::RenderGrid::shouldProcessTrackForTrackSizeComputationPhase): Deleted.
(WebCore::RenderGrid::trackShouldGrowBeyondGrowthLimitsForTrackSizeComputationPhase): Deleted.
(WebCore::RenderGrid::markAsInfinitelyGrowableForTrackSizeComputationPhase): Deleted.
(WebCore::RenderGrid::updateTrackSizeForTrackSizeComputationPhase): Deleted.
(WebCore::RenderGrid::currentItemSizeForTrackSizeComputationPhase): Deleted.
(WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForItems): Deleted.
(WebCore::sortByGridTrackGrowthPotential): Deleted.
(WebCore::clampGrowthShareIfNeeded): Deleted.
(WebCore::RenderGrid::distributeSpaceToTracks): Deleted.
(WebCore::RenderGrid::tracksAreWiderThanMinTrackBreadth): Deleted.
(WebCore::RenderGrid::assumedRowsSizeForOrthogonalChild): Deleted.
(WebCore::RenderGrid::gridAreaBreadthForChild): Deleted.
* rendering/RenderGrid.h:


  Commit: 5ef527a04f9f76dcfdfa7a1760affc2e897d3c91
      https://github.com/WebKit/WebKit/commit/5ef527a04f9f76dcfdfa7a1760affc2e897d3c91
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/css/selector-text-mutation-crash-expected.txt
    A LayoutTests/fast/css/selector-text-mutation-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/style/StyleScope.cpp
    M Source/WebCore/style/StyleScope.h

  Log Message:
  -----------
  Merge r212828 - REGRESSION(r207669): Crash after mutating selector text
https://bugs.webkit.org/show_bug.cgi?id=168655
<rdar://problem/30632111>

Reviewed by Andreas Kling.

Source/WebCore:

Test: fast/css/selector-text-mutation-crash.html

* style/StyleScope.cpp:
(WebCore::Style::Scope::resolver):
(WebCore::Style::Scope::updateStyleResolver):

Protect against entering scheduleUpdate and wiping style resolver while updating it.
Extension stylesheets can trigger this.

(WebCore::Style::Scope::scheduleUpdate):

Clear the style resolver immediately if style sheet content changes. The resolver may
have data structures that point to the old sheet contents.

The resolver would get wiped anyway when the scheduled update actually occurs.

* style/StyleScope.h:

LayoutTests:

* fast/css/selector-text-mutation-crash-expected.txt: Added.
* fast/css/selector-text-mutation-crash.html: Added.


  Commit: 52fc01adf6c5cf7dc1f0315ee27fed191c65d577
      https://github.com/WebKit/WebKit/commit/52fc01adf6c5cf7dc1f0315ee27fed191c65d577
  Author: Alberto Garcia <berto at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M ChangeLog
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Merge r212829 - [GTK] [2.15.90] Disable RESOURCE_USAGE on non-Linux systems
https://bugs.webkit.org/show_bug.cgi?id=168714

Reviewed by Carlos Garcia Campos.

* Source/cmake/OptionsGTK.cmake:


  Commit: fa5ece867e7828dd16cc6f49522115beab2f8f23
      https://github.com/WebKit/WebKit/commit/fa5ece867e7828dd16cc6f49522115beab2f8f23
  Author: Xabier Rodriguez-Calvar <calvaris at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp

  Log Message:
  -----------
  Merge r212830 - [GStreamer][EME] Fix issue with allowed systems extraction
https://bugs.webkit.org/show_bug.cgi?id=168717

Reviewed by Carlos Garcia Campos.

The allowed systems were not being extracted from the need-context
message because the loop was not stopping on the right condition.

* platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:
(WebCore::extractEventsAndSystemsFromMessage): Fix wrong
condition.
(WebCore::MediaPlayerPrivateGStreamerBase::handleProtectionEvent):
Add better debug category.


  Commit: c520b7f2e0aadc6e973438b9b209017158699a13
      https://github.com/WebKit/WebKit/commit/c520b7f2e0aadc6e973438b9b209017158699a13
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Tools/ChangeLog
    M Tools/WebKitTestRunner/gtk/EventSenderProxyGtk.cpp

  Log Message:
  -----------
  Merge r212839 - [GTK] Do not use g_return_if_fail in EventSenderProxy::continuousMouseScrollBy
https://bugs.webkit.org/show_bug.cgi?id=168721

Patch by Carlos Garcia Campos <cgarcia at igalia.com> on 2017-02-22
Reviewed by Michael Catanzaro.

Use WTFLogAlways instead. It's still shown in stderr, but it won't crash if we ever run tests with fatal
criticals.

* WebKitTestRunner/gtk/EventSenderProxyGtk.cpp:
(WTR::EventSenderProxy::continuousMouseScrollBy):


  Commit: 6903809071896a8e49498cddd2cb1170be3d0c9f
      https://github.com/WebKit/WebKit/commit/6903809071896a8e49498cddd2cb1170be3d0c9f
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderView.cpp
    M Source/WebCore/rendering/RenderView.h
    M Source/WebCore/rendering/SimpleLineLayout.cpp
    M Source/WebCore/rendering/SimpleLineLayout.h
    M Source/WebCore/rendering/SimpleLineLayoutFunctions.h
    M Source/WebCore/rendering/SimpleLineLayoutResolver.h

  Log Message:
  -----------
  Merge r212843 - Simple line layout: ensureLineBoxes for paginated content.
https://bugs.webkit.org/show_bug.cgi?id=168729
<rdar://problem/30654400>

Reviewed by Antti Koivisto.

This patch sets the layout state bits for paginated subtree layout, when we are switching
over from simple line runs to inline tree.

Not enabled yet.

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::ensureLineBoxes):
* rendering/RenderView.cpp:
(WebCore::RenderView::pushLayoutStateForPagination): LayoutUnit(1) is not the real height, it's just
an indicator that we've got paginated content.
* rendering/RenderView.h:
* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::create):
(WebCore::SimpleLineLayout::Layout::create):
(WebCore::SimpleLineLayout::Layout::Layout):
* rendering/SimpleLineLayout.h:
(WebCore::SimpleLineLayout::Layout::isPaginated):
(WebCore::SimpleLineLayout::Layout::hasPaginationStruts):
* rendering/SimpleLineLayoutFunctions.h:
(WebCore::SimpleLineLayout::computeFlowHeight):
* rendering/SimpleLineLayoutResolver.h:
(WebCore::SimpleLineLayout::RunResolver::Run::computeBaselinePosition):


  Commit: a35ebc8049ecee2340324865f65e78a78d68fb10
      https://github.com/WebKit/WebKit/commit/a35ebc8049ecee2340324865f65e78a78d68fb10
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/SimpleLineLayout.cpp
    M Source/WebCore/rendering/SimpleLineLayout.h
    M Source/WebCore/rendering/SimpleLineLayoutFunctions.h
    M Source/WebCore/rendering/SimpleLineLayoutResolver.h

  Log Message:
  -----------
  Merge r212854 - Simple line layout: Set the pagination strut on the flow when the first line does not fit the page.
https://bugs.webkit.org/show_bug.cgi?id=168738
<rdar://problem/30659469>

Reviewed by Antti Koivisto.

The pagination strut for the first line is tracked by the parent RenderBlockFlow and not by
the line itself (see RenderBlockFlow::adjustLinePositionForPagination()). Also renamed *PaginationStrut* to
*LineStrut* to make sure we don't confuse it with the block level strut.

Not enabled yet.

* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::computeLineTopAndBottomWithOverflow):
(WebCore::SimpleLineLayout::computeLineBreakIndex):
(WebCore::SimpleLineLayout::setPageBreakForLine):
(WebCore::SimpleLineLayout::adjustLinePositionsForPagination):
(WebCore::SimpleLineLayout::create):
(WebCore::SimpleLineLayout::Layout::create):
(WebCore::SimpleLineLayout::Layout::Layout):
* rendering/SimpleLineLayout.h:
(WebCore::SimpleLineLayout::Layout::hasLineStruts):
(WebCore::SimpleLineLayout::Layout::struts):
(WebCore::SimpleLineLayout::Layout::hasPaginationStruts): Deleted.
* rendering/SimpleLineLayoutFunctions.cpp:
(WebCore::SimpleLineLayout::paintFlow):
* rendering/SimpleLineLayoutFunctions.h:
(WebCore::SimpleLineLayout::computeFlowHeight):
* rendering/SimpleLineLayoutResolver.h:
(WebCore::SimpleLineLayout::RunResolver::Run::computeBaselinePosition):


  Commit: abc85d82a67267a45f454f04055332695fb2db37
      https://github.com/WebKit/WebKit/commit/abc85d82a67267a45f454f04055332695fb2db37
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/SimpleLineLayoutResolver.cpp
    M Source/WebCore/rendering/SimpleLineLayoutResolver.h

  Log Message:
  -----------
  Merge r212860 - Replace SimpleLineLayout::Range by WTF::IteratorRange
https://bugs.webkit.org/show_bug.cgi?id=168742

Reviewed by Zalan Bujtas.

Kill a redundant custom type.

* rendering/SimpleLineLayoutResolver.cpp:
(WebCore::SimpleLineLayout::RunResolver::rangeForRect):
(WebCore::SimpleLineLayout::RunResolver::rangeForRenderer):
(WebCore::SimpleLineLayout::RunResolver::rangeForRendererWithOffsets):
* rendering/SimpleLineLayoutResolver.h:
(WebCore::SimpleLineLayout::LineResolver::rangeForRect):
(WebCore::SimpleLineLayout::Range::Range): Deleted.
(WebCore::SimpleLineLayout::Range::begin): Deleted.
(WebCore::SimpleLineLayout::Range::end): Deleted.


  Commit: d1dd0c6954ff4220bbb0b06426701648204cbc9d
      https://github.com/WebKit/WebKit/commit/d1dd0c6954ff4220bbb0b06426701648204cbc9d
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/WebPage/gtk/AcceleratedSurfaceX11.cpp
    M Source/WebKit2/WebProcess/WebPage/gtk/AcceleratedSurfaceX11.h

  Log Message:
  -----------
  Merge r213061 - [GTK] Rendering artifacts when resizing the window in X11 with AC mode enabled
https://bugs.webkit.org/show_bug.cgi?id=168728

Reviewed by Žan Doberšek.

This happens because the pixmap we create from the redirected window is uninitialized until the threaded
compositor renders into it. We should always initialize the pixmap right after it's created.

* WebProcess/WebPage/gtk/AcceleratedSurfaceX11.cpp:
(WebKit::defaultVisual): Helper static method to get the default GdkVisual.
(WebKit::AcceleratedSurfaceX11::AcceleratedSurfaceX11): Use createPixmap().
(WebKit::AcceleratedSurfaceX11::createPixmap): Create and initialize the pixmap.
(WebKit::AcceleratedSurfaceX11::resize): Use createPixmap().
* WebProcess/WebPage/gtk/AcceleratedSurfaceX11.h:


  Commit: 80be555ba350994ead38b2a90612d3cd666e579e
      https://github.com/WebKit/WebKit/commit/80be555ba350994ead38b2a90612d3cd666e579e
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-27 (Mon, 27 Feb 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.h
    M Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedLayerTreeHost.cpp

  Log Message:
  -----------
  Merge r213060 - [GTK] Flickering when leaving accelerated compositing mode
https://bugs.webkit.org/show_bug.cgi?id=168911

Reviewed by Žan Doberšek.

It doesn't always happen, and it's too fast, more noticeable in websites with a dark background, because we are
drawing a single white frame. This happens when we leave AC mode during the layer flush that schedules an update
on the compositor, which at that point only clears the area and renders nothing. However,
CoordinatedGraphicsScene::paintToCurrentGLContext() always renders a white background when no web view color has
been set. And that's the white frame we get. We could prevent that last update from happening by checking if we
still have a graphics root layer after syncDisplayState() in the layer flush, the same way we check the layer
tree host is still valid.

* WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.h:
* WebProcess/WebPage/CoordinatedGraphics/CoordinatedLayerTreeHost.cpp:
(WebKit::CoordinatedLayerTreeHost::layerFlushTimerFired):


  Commit: f9587f10f501b66fed0d77b7cb7a1f40b5b3c6ae
      https://github.com/WebKit/WebKit/commit/f9587f10f501b66fed0d77b7cb7a1f40b5b3c6ae
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/CMakeLists.txt
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
    M Source/JavaScriptCore/jit/ExecutableAllocator.h
    R Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
    M Source/JavaScriptCore/jit/JITStubRoutine.h
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/Platform.h

  Log Message:
  -----------
  Merge r212867 - Remove the demand executable allocator
https://bugs.webkit.org/show_bug.cgi?id=168754

Reviewed by Saam Barati.

Source/JavaScriptCore:

We currently only use the demand executable allocator for non-iOS 32-bit platforms.
Benchmark results on a MBP indicate there is no appreciable performance difference
between the fixed and demand allocators. In a future patch I will go back through
this code and remove more of the abstractions.

* JavaScriptCore.xcodeproj/project.pbxproj:
* jit/ExecutableAllocator.cpp:
(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
(JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
(JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
(JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion):
(JSC::ExecutableAllocator::initializeAllocator):
(JSC::ExecutableAllocator::ExecutableAllocator):
(JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
(JSC::ExecutableAllocator::isValid):
(JSC::ExecutableAllocator::underMemoryPressure):
(JSC::ExecutableAllocator::memoryPressureMultiplier):
(JSC::ExecutableAllocator::allocate):
(JSC::ExecutableAllocator::isValidExecutableMemory):
(JSC::ExecutableAllocator::getLock):
(JSC::ExecutableAllocator::committedByteCount):
(JSC::ExecutableAllocator::dumpProfile):
(JSC::DemandExecutableAllocator::DemandExecutableAllocator): Deleted.
(JSC::DemandExecutableAllocator::~DemandExecutableAllocator): Deleted.
(JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators): Deleted.
(JSC::DemandExecutableAllocator::bytesCommittedByAllocactors): Deleted.
(JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators): Deleted.
(JSC::DemandExecutableAllocator::allocateNewSpace): Deleted.
(JSC::DemandExecutableAllocator::notifyNeedPage): Deleted.
(JSC::DemandExecutableAllocator::notifyPageIsFree): Deleted.
(JSC::DemandExecutableAllocator::allocators): Deleted.
(JSC::DemandExecutableAllocator::allocatorsMutex): Deleted.
* jit/ExecutableAllocator.h:
* jit/ExecutableAllocatorFixedVMPool.cpp: Removed.
* jit/JITStubRoutine.h:
(JSC::JITStubRoutine::canPerformRangeFilter):
(JSC::JITStubRoutine::filteringStartAddress):
(JSC::JITStubRoutine::filteringExtentSize):

Source/WTF:

* wtf/Platform.h:


  Commit: 883733220b2851199059f92d9b0b658da07d3896
      https://github.com/WebKit/WebKit/commit/883733220b2851199059f92d9b0b658da07d3896
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/InitializeThreading.cpp
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/MainThread.cpp
    M Source/WTF/wtf/RunLoop.cpp
    M Source/WTF/wtf/glib/MainThreadGLib.cpp
    M Source/WTF/wtf/mac/MainThreadMac.mm
    M Source/WebKit/win/ChangeLog
    M Source/WebKit/win/WebView.cpp
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Shared/WebKit2Initialize.cpp
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/ComplexTextController.cpp
    M Tools/TestWebKitAPI/Tests/WebCore/ContentExtensions.cpp
    M Tools/WebKitTestRunner/TestController.cpp

  Log Message:
  -----------
  Merge r212878 - Better handle Thread and RunLoop initialization
https://bugs.webkit.org/show_bug.cgi?id=167828

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

* runtime/InitializeThreading.cpp:
(JSC::initializeThreading): Do not initialize double_conversion, that is already initialized by WTF, and GC
threads that will be initialized by WTF main thread when needed.

Source/WebKit/win:

Remove unnecessary call to WTF::initializeMainThread().

* WebView.cpp:
(WebView::WebView):

Source/WebKit2:

Remove unnecessary call to WTF::initializeMainThread().

* Shared/WebKit2Initialize.cpp:
(WebKit::InitializeWebKit2):

Source/WTF:

Make initialization functions more independent so that they can run in different
order. WTF::initializeMainThread initializes WTF threading, so that neither WTF nor JSC threading need to be
initialized before. RunLoop::initializeMainRunLoop() requires main thread to be initialized in some
ports, so it initializes main thread too. WebKit1 always calls WTF::initializeMainThreadToProcessMainThread()
before RunLoop::initializeMainRunLoop() so there's no problem there. GC threads are initialized always by the
main thread. The rules should be simpler now:

  - JSC::initializeThreading: should always be called when JSC is used.
  - WTF::initializeThreading: only needs to be explicitly called when JSC is not used and process doesn't
    initialize a main thread or main run loop.
  - WTF::initializeMainThread: only needs to be explicitly called if process initializes a main thread but not a
    main run loop.
  - WTF::initializeMainThreadToProcessMainThread(): should always be called in WebKit1 before
    RunLoop::initializeMainRunLoop().
  - RunLoop::initializeMainRunLoop(): to initialize the main run loop. The only requirement is JSC::initializeThreading()
    to be called before if JSC is used.

* wtf/MainThread.cpp:
(WTF::initializeMainThreadOnce): Use pthread_once to initialize the main thread also in GTK+ port.
(WTF::initializeMainThreadToProcessMainThreadOnce): Call initializeThreading() before the platform
initialization and initializeGCThreads() after it.
(WTF::initializeMainThread): Ditto.
* wtf/RunLoop.cpp:
(WTF::RunLoop::initializeMainRunLoop): Call initializeMainThread().
* wtf/glib/MainThreadGLib.cpp:
(WTF::initializeMainThreadPlatform):
(WTF::isMainThread):
* wtf/mac/MainThreadMac.mm:
(WTF::initializeMainThreadPlatform): Remove call to initializeGCThreads().
(WTF::initializeMainThreadToProcessMainThreadPlatform): Ditto.

Tools:

Remove unnecessary calls to WTF::initializeMainThread().

* TestWebKitAPI/Tests/WebCore/ComplexTextController.cpp:
(TestWebKitAPI::ComplexTextControllerTest::SetUp):
* TestWebKitAPI/Tests/WebCore/ContentExtensions.cpp:
(TestWebKitAPI::ContentExtensionTest::SetUp):
* WebKitTestRunner/TestController.cpp:
(WTR::TestController::initialize):


  Commit: 1b39941eac085fb669a994d8811140e478c28517
      https://github.com/WebKit/WebKit/commit/1b39941eac085fb669a994d8811140e478c28517
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/editing/pasteboard/drag-drop-copy-content-expected.txt
    A LayoutTests/editing/pasteboard/drag-drop-copy-content.html
    M LayoutTests/platform/gtk-wayland/TestExpectations
    M LayoutTests/platform/gtk/TestExpectations
    M LayoutTests/platform/mac-wk2/TestExpectations
    M LayoutTests/platform/mac/TestExpectations
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/gtk/DragControllerGtk.cpp
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/gtk/DragAndDropHandler.cpp

  Log Message:
  -----------
  Merge r212881 - [GTK] Drag and drop is always moving the content even if copy is requested
https://bugs.webkit.org/show_bug.cgi?id=168424

Reviewed by Carlos Garcia Campos.

Source/WebCore:

Drag and drop is always moving the content around even if the copy is
requested (i.e. by pressing the Control key).

Test: editing/pasteboard/drag-drop-copy-content.html

* page/gtk/DragControllerGtk.cpp:
(WebCore::DragController::isCopyKeyDown):

Source/WebKit2:

Drag and drop is always moving the content around even if the copy is
requested (i.e. by pressing the Control key).

* UIProcess/gtk/DragAndDropHandler.cpp:
(WebKit::DragAndDropHandler::drop):

LayoutTests:

Mark the editing/pasteboard/drag-drop-copy-content.html as failing
as WTR doesn't know how to perform drag and drop in WK2. Also the
test does not pass on the mac WK1, created a bug for it.

* platform/efl/TestExpectations:
* platform/gtk-wayland/TestExpectations:
* platform/gtk/TestExpectations:
* platform/mac-wk2/TestExpectations:
* platform/mac/TestExpectations:


  Commit: d4ccdfc769f47655084b9ac7985093869d187fb6
      https://github.com/WebKit/WebKit/commit/d4ccdfc769f47655084b9ac7985093869d187fb6
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h

  Log Message:
  -----------
  Merge r212889 - [GStreamer] Several layout tests trigger GStreamer-CRITICAL **: gst_bin_get_by_name: assertion 'GST_IS_BIN (bin)' failed
https://bugs.webkit.org/show_bug.cgi?id=167016

Reviewed by Xabier Rodriguez-Calvar.

This is because we create AudioSourceProviderGStreamer objects that are never loaded. In the destructor the
AudioSourceProviderGStreamer calls gst_bin_get_by_name() on its m_audioSinkBin that is nullptr. We could simply
check m_audioSinkBin in the destructor, but I think it's better to simply not create
AudioSourceProviderGStreamer for nothing. MediaPlayerPrivateGStreamer should create the AudioSourceProvider on demand.

* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::MediaPlayerPrivateGStreamer): Do not create the AudioSourceProvider.
(WebCore::MediaPlayerPrivateGStreamer::createAudioSink): Call ensureAudioSourceProvider() before using m_audioSourceProvider.
(WebCore::MediaPlayerPrivateGStreamer::ensureAudioSourceProvider): Create the AudioSourceProvider if needed.
(WebCore::MediaPlayerPrivateGStreamer::audioSourceProvider): Ensure and return the m_audioSourceProvider.
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:


  Commit: bc66121e4e734936e117cd060411f7e404c97640
      https://github.com/WebKit/WebKit/commit/bc66121e4e734936e117cd060411f7e404c97640
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/Plugins/unix/PluginInfoStoreUnix.cpp
    M Source/WebKit2/UIProcess/Plugins/unix/PluginProcessProxyUnix.cpp
    M Source/WebKit2/UIProcess/gtk/WebPageProxyGtk.cpp
    M Source/WebKit2/WebProcess/Plugins/PluginView.cpp

  Log Message:
  -----------
  Merge r212891 - [GTK] Crash attempting to load Flash plugin in Wayland
https://bugs.webkit.org/show_bug.cgi?id=163159

Reviewed by Michael Catanzaro.

The problem is that we check if the current display is X11 or Wayland also in the plugin process, but with GTK2
plugins the display is always X11. We should early reject plugins requiring GTK2 in the UI process when the
current display is Wayland.

* UIProcess/Plugins/unix/PluginInfoStoreUnix.cpp:
(WebKit::PluginInfoStore::getPluginInfo):
* UIProcess/Plugins/unix/PluginProcessProxyUnix.cpp:
(WebKit::PluginProcessProxy::scanPlugin):
* UIProcess/gtk/WebPageProxyGtk.cpp:
(WebKit::WebPageProxy::createPluginContainer): Add an assert to ensure this message is never received on a
non-X11 display.
* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::createPluginContainer): Never send CreatePluginContainer message to the UI process if the
display is not X11.


  Commit: 1f49cb7a65afb4359ac51975f31661cce67287b9
      https://github.com/WebKit/WebKit/commit/1f49cb7a65afb4359ac51975f31661cce67287b9
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/jit/ExecutableAllocator.cpp

  Log Message:
  -----------
  Merge r212900 - Unreviewed, fix the cloop build. Needed a #if.

* jit/ExecutableAllocator.cpp:


  Commit: edce280119551b288597a15db3685580de5c9d1e
      https://github.com/WebKit/WebKit/commit/edce280119551b288597a15db3685580de5c9d1e
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/assembler/LinkBuffer.cpp

  Log Message:
  -----------
  Merge r212908 - Ensure that the end of the last invalidation point does not extend beyond the end of the buffer.
https://bugs.webkit.org/show_bug.cgi?id=168786

Reviewed by Filip Pizlo.

In practice, we will always have multiple instructions after invalidation points,
and have enough room in the JIT buffer for the invalidation point to work with.
However, as a precaution, we can guarantee that there's enough room by always
emitting a label just before we link the buffer.  The label will emit nop padding
if needed.

* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode):


  Commit: 349a45d51a207e8c4e49f1a63ef350e9f90ed0a0
      https://github.com/WebKit/WebKit/commit/349a45d51a207e8c4e49f1a63ef350e9f90ed0a0
  Author: Filip Pizlo <fpizlo at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  Merge r212909 - SpeculativeJIT::compilePutByValForIntTypedArray should only do the constant-folding optimization when the constant passes the type check
https://bugs.webkit.org/show_bug.cgi?id=168787

Reviewed by Michael Saboff and Mark Lam.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):


  Commit: 3d6498d34bfa6e9dfb770dcb2aca9c8791c93cd8
      https://github.com/WebKit/WebKit/commit/3d6498d34bfa6e9dfb770dcb2aca9c8791c93cd8
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/SimpleLineLayoutResolver.cpp
    M Source/WebCore/rendering/SimpleLineLayoutResolver.h

  Log Message:
  -----------
  Merge r212912 - Simple line layout: Adjust RunResolver::lineIndexForHeight with line struts.
https://bugs.webkit.org/show_bug.cgi?id=168783
<rdar://problem/30676449>

Reviewed by Antti Koivisto.

When there's a pagination gap between lines the simple lineIndex = y / lineHeight formula does not work anymore.
This patch takes the line gaps into account by offsetting the y position accordingly.

Not enabled yet.

* rendering/SimpleLineLayoutResolver.cpp:
(WebCore::SimpleLineLayout::RunResolver::lineIndexForHeight):


  Commit: ceb2ce3d252c04040d607ce7cffd6c53482bd678
      https://github.com/WebKit/WebKit/commit/ceb2ce3d252c04040d607ce7cffd6c53482bd678
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/url/file-expected.txt
    M LayoutTests/fast/url/file-http-base-expected.txt
    M LayoutTests/fast/url/relative-win-expected.txt
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-xhtml-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/url-constructor-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/URLParser.cpp
    M Source/WebCore/platform/URLParser.h

  Log Message:
  -----------
  Merge r212953 - .. should not remove windows drive letters in paths of file URLs
https://bugs.webkit.org/show_bug.cgi?id=168824

Reviewed by Youenn Fablet.

LayoutTests/imported/w3c:

* web-platform-tests/url/a-element-expected.txt:
* web-platform-tests/url/a-element-xhtml-expected.txt:
* web-platform-tests/url/url-constructor-expected.txt:

Source/WebCore:

It's specified in https://url.spec.whatwg.org/#shorten-a-urls-path and helps behavior for browsers on Windows.
It can't hurt to pass a few more web platform tests, though.

* platform/URLParser.cpp:
(WebCore::URLParser::copyURLPartsUntil):
(WebCore::URLParser::shouldPopPath):
(WebCore::URLParser::popPath):
(WebCore::URLParser::parse):
* platform/URLParser.h:

LayoutTests:

* fast/url/file-expected.txt:
* fast/url/file-http-base-expected.txt:
* fast/url/relative-win-expected.txt:


  Commit: bc01e77d6444211b3a93f4a2c43b324657b2e035
      https://github.com/WebKit/WebKit/commit/bc01e77d6444211b3a93f4a2c43b324657b2e035
  Author: Miguel Gomez <magomez at igalia.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/glx/GLContextGLX.cpp

  Log Message:
  -----------
  Merge r212968 - [GTK] WebkitWebProcess crashes on exit on nvidia if threaded compositing is enabled
https://bugs.webkit.org/show_bug.cgi?id=165522

Reviewed by Carlos Garcia Campos.

Before destroying a GLContextGLX we need to set the default framebuffer to avoid a bug
in some nvidia drivers. Ensure that we set the context as current before performing
that operation, and set the appropriate current context after doing so.

No new tests.

* platform/graphics/glx/GLContextGLX.cpp:
(WebCore::GLContextGLX::~GLContextGLX):


  Commit: 156444ca3e9e09c94fe50d26e5bf01cedc3859bb
      https://github.com/WebKit/WebKit/commit/156444ca3e9e09c94fe50d26e5bf01cedc3859bb
  Author: Alexey Proskuryakov <ap at webkit.org>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Range.cpp

  Log Message:
  -----------
  Merge r212976 - Build fix for newer clang
https://bugs.webkit.org/show_bug.cgi?id=168849
rdar://problem/30638741

Reviewed by Ryosuke Niwa.

* dom/Range.cpp: (WebCore::Range::toString): std::max(0, <unsigned>) is not meaningful,
and now triggers a warning.


  Commit: 4c68bbd8be6384b43d9564c0d52c055733769610
      https://github.com/WebKit/WebKit/commit/4c68bbd8be6384b43d9564c0d52c055733769610
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-xhtml-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/url-constructor-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/URLParser.cpp

  Log Message:
  -----------
  Merge r212977 - Non-special relative URLs should not ignore extra slashes
https://bugs.webkit.org/show_bug.cgi?id=168834

Reviewed by Sam Weinig.

LayoutTests/imported/w3c:

* web-platform-tests/url/a-element-expected.txt:
* web-platform-tests/url/a-element-xhtml-expected.txt:
* web-platform-tests/url/url-constructor-expected.txt:

Source/WebCore:

Special authority ignore slashes state should, as its name implies,
only be reached by special URLs.  See https://url.spec.whatwg.org/#relative-slash-state

Covered by newly passing web platform tests.

* platform/URLParser.cpp:
(WebCore::URLParser::parse):


  Commit: 0bec48a7032014f4c7ffc294c07a39b1897d822e
      https://github.com/WebKit/WebKit/commit/0bec48a7032014f4c7ffc294c07a39b1897d822e
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebCore/CMakeLists.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/WebCore.xcodeproj/project.pbxproj
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderingAllInOne.cpp
    M Source/WebCore/rendering/SimpleLineLayout.cpp
    M Source/WebCore/rendering/SimpleLineLayout.h
    A Source/WebCore/rendering/SimpleLineLayoutPagination.cpp
    A Source/WebCore/rendering/SimpleLineLayoutPagination.h

  Log Message:
  -----------
  Merge r212986 - Simple line layout: Re-adjust paginated lines when block height changes.
https://bugs.webkit.org/show_bug.cgi?id=168838
<rdar://problem/30701233>

Reviewed by Antti Koivisto.

When the estimated block height is wrong, we issue an additional layout on the inline children
so that we get the pagination right (this layout is setChildNeedsLayout(MarkOnlyThis) only).
Since the height change only affects the struts and page breaks (and again, the relayoutChildren flag is false)
we don't need to re-layout the content, but instead we just need to re-adjust the pagination for the simple lines.
This patch also moves the pagination logic to SimpleLineLayoutPagination.cpp.

Not enabled yet.

* CMakeLists.txt:
* WebCore.xcodeproj/project.pbxproj:
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::layoutSimpleLines):
* rendering/RenderingAllInOne.cpp:
* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::canUseForWithReason):
(WebCore::SimpleLineLayout::create):
(WebCore::SimpleLineLayout::Layout::create):
(WebCore::SimpleLineLayout::Layout::Layout):
(WebCore::SimpleLineLayout::computeLineTopAndBottomWithOverflow): Deleted.
(WebCore::SimpleLineLayout::computeLineBreakIndex): Deleted.
(WebCore::SimpleLineLayout::computeOffsetAfterLineBreak): Deleted.
(WebCore::SimpleLineLayout::setPageBreakForLine): Deleted.
(WebCore::SimpleLineLayout::updateMinimumPageHeight): Deleted.
(WebCore::SimpleLineLayout::adjustLinePositionsForPagination): Deleted.
* rendering/SimpleLineLayout.h:
(WebCore::SimpleLineLayout::Layout::setIsPaginated):
(WebCore::SimpleLineLayout::Layout::setLineStruts):
* rendering/SimpleLineLayoutPagination.cpp: Added.
(WebCore::SimpleLineLayout::computeLineTopAndBottomWithOverflow):
(WebCore::SimpleLineLayout::computeLineBreakIndex):
(WebCore::SimpleLineLayout::computeOffsetAfterLineBreak):
(WebCore::SimpleLineLayout::setPageBreakForLine):
(WebCore::SimpleLineLayout::updateMinimumPageHeight):
(WebCore::SimpleLineLayout::adjustLinePositionsForPagination):
* rendering/SimpleLineLayoutPagination.h: Added.


  Commit: 8001c416200e124b9929f57d486024b121947650
      https://github.com/WebKit/WebKit/commit/8001c416200e124b9929f57d486024b121947650
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/API/gtk/WebKitWebsiteDataManager.cpp

  Log Message:
  -----------
  Merge r213005 - [GTK] Unreviewed, document deficiency in webkit_website_data_manager_clear() API

Document that this function cannot currently delete cookie data for a particular period of
time.

* UIProcess/API/gtk/WebKitWebsiteDataManager.cpp:


  Commit: 018da393e9cab4b59028a5a84c8e38e37679224e
      https://github.com/WebKit/WebKit/commit/018da393e9cab4b59028a5a84c8e38e37679224e
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/text/fast-run-width-vs-slow-run-width-expected.html
    A LayoutTests/fast/text/fast-run-width-vs-slow-run-width.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/FontCascade.cpp

  Log Message:
  -----------
  Merge r213008 - Text might wrap when its preferred logical width is used for sizing the containing block.
https://bugs.webkit.org/show_bug.cgi?id=168864
<rdar://problem/30690734>

Reviewed by Antti Koivisto.

Source/WebCore:

In certain cases we end up measuring a text run in 2 different ways.
1. preferred width computation -> slow path FontCascade::width()
2. line breaking logic -> fast path FontCascade::widthForSimpleText()

FontCascade::width() and ::widthForSimpleText() might return different results for the same run even when
the individual glyph widths are measured to be the same. It's because they run a different set of
arithmetics on the float values, and for certain values these arithmetics produce different results due to the floating point
precision.
Since RenderText::computePreferredLogicalWidths() currently forces us to use the slow path
(to retrieve fontfallback and glyph overflow information) the only alternative solution is to turn off the fast path
for all runs that have been already measured using the slow path (which would be just wasteful).

Test: fast/text/fast-run-width-vs-slow-run-width.html

* platform/graphics/FontCascade.cpp:
(WebCore::FontCascade::widthForSimpleText): Mimics WidthIterator::applyFontTransforms. Use the same set of arithmetics here.

LayoutTests:

* fast/text/fast-run-width-vs-slow-run-width-expected.html: Added.
* fast/text/fast-run-width-vs-slow-run-width.html: Added.


  Commit: 5e1760cd1e97a034ed3083f3ce4cc32a7663bc0b
      https://github.com/WebKit/WebKit/commit/5e1760cd1e97a034ed3083f3ce4cc32a7663bc0b
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebCore/CMakeLists.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/WebCore.xcodeproj/project.pbxproj
    M Source/WebCore/rendering/RenderingAllInOne.cpp
    M Source/WebCore/rendering/SimpleLineLayout.cpp
    M Source/WebCore/rendering/SimpleLineLayout.h
    A Source/WebCore/rendering/SimpleLineLayoutCoverage.cpp
    A Source/WebCore/rendering/SimpleLineLayoutCoverage.h

  Log Message:
  -----------
  Merge r213009 - Simple line layout: Move coverage functions out of SimpleLineLayout.cpp
https://bugs.webkit.org/show_bug.cgi?id=168872

Reviewed by Simon Fraser.

SimpleLineLayout.cpp is for core functions only.

No change in functionality.

* CMakeLists.txt:
* WebCore.xcodeproj/project.pbxproj:
* rendering/RenderingAllInOne.cpp:
* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::canUseForWithReason):
(WebCore::SimpleLineLayout::printReason): Deleted.
(WebCore::SimpleLineLayout::printReasons): Deleted.
(WebCore::SimpleLineLayout::printTextForSubtree): Deleted.
(WebCore::SimpleLineLayout::textLengthForSubtree): Deleted.
(WebCore::SimpleLineLayout::collectNonEmptyLeafRenderBlockFlows): Deleted.
(WebCore::SimpleLineLayout::collectNonEmptyLeafRenderBlockFlowsForCurrentPage): Deleted.
(WebCore::SimpleLineLayout::toggleSimpleLineLayout): Deleted.
(WebCore::SimpleLineLayout::printSimpleLineLayoutBlockList): Deleted.
(WebCore::SimpleLineLayout::printSimpleLineLayoutCoverage): Deleted.
* rendering/SimpleLineLayout.h:
* rendering/SimpleLineLayoutCoverage.cpp: Added.
(WebCore::SimpleLineLayout::printReason):
(WebCore::SimpleLineLayout::printReasons):
(WebCore::SimpleLineLayout::printTextForSubtree):
(WebCore::SimpleLineLayout::textLengthForSubtree):
(WebCore::SimpleLineLayout::collectNonEmptyLeafRenderBlockFlows):
(WebCore::SimpleLineLayout::collectNonEmptyLeafRenderBlockFlowsForCurrentPage):
(WebCore::SimpleLineLayout::toggleSimpleLineLayout):
(WebCore::SimpleLineLayout::printSimpleLineLayoutBlockList):
(WebCore::SimpleLineLayout::printSimpleLineLayoutCoverage):
* rendering/SimpleLineLayoutCoverage.h: Added.


  Commit: 7569b7815d913f04415eb5e67ec78b49f5465c76
      https://github.com/WebKit/WebKit/commit/7569b7815d913f04415eb5e67ec78b49f5465c76
  Author: Žan Doberšek <zdobersek at igalia.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/texmap/TextureMapper.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapper.h
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp
    M Source/WebKit2/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.h

  Log Message:
  -----------
  Merge r213035 - [CoordinatedGraphics] Remove CoordinatedGraphicsScene::paintToGraphicsContext()
https://bugs.webkit.org/show_bug.cgi?id=168903

Reviewed by Carlos Garcia Campos.

Source/WebCore:

Remove the GraphicsContext pointer member from the TextureMapper class
since the getter and setter methods are not used anywhere.

* platform/graphics/texmap/TextureMapper.cpp:
(WebCore::TextureMapper::TextureMapper):
* platform/graphics/texmap/TextureMapper.h:
(WebCore::TextureMapper::setGraphicsContext): Deleted.
(WebCore::TextureMapper::graphicsContext): Deleted.

Source/WebKit2:

Remove the CoordinatedGraphicsScene::paintToGraphicsContext() method as it
is not used anywhere. Also enables removing the GraphicsContext pointer
member from the TextureMapper class.

* Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:
(WebKit::CoordinatedGraphicsScene::paintToGraphicsContext): Deleted.
* Shared/CoordinatedGraphics/CoordinatedGraphicsScene.h:


  Commit: c38e383a473be7208bb04be5fd6c84b247b8e06e
      https://github.com/WebKit/WebKit/commit/c38e383a473be7208bb04be5fd6c84b247b8e06e
  Author: Žan Doberšek <zdobersek at igalia.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/texmap/BitmapTexture.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapper.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapper.h

  Log Message:
  -----------
  Merge r213043 - [TextureMapper] Remove InterpolationQuality, TextDrawingModeFlags member variables
https://bugs.webkit.org/show_bug.cgi?id=168906

Reviewed by Carlos Garcia Campos.

Remove the InterpolationQuality and TextDrawingModeFlags member variables from the
TextureMapper class. These weren't modified anywhere in the code.

BitmapTexture::updateContents() still sets the image interpolation quality and
drawing mode on the ImageBuffer's GraphicsContext, but now uses the default
InterpolationDefault and TextModeFill values.

* platform/graphics/texmap/BitmapTexture.cpp:
(WebCore::BitmapTexture::updateContents):
* platform/graphics/texmap/TextureMapper.cpp:
(WebCore::TextureMapper::TextureMapper): Deleted.
(WebCore::TextureMapper::~TextureMapper): Deleted.
* platform/graphics/texmap/TextureMapper.h:
(WebCore::TextureMapper::setImageInterpolationQuality): Deleted.
(WebCore::TextureMapper::setTextDrawingMode): Deleted.
(WebCore::TextureMapper::imageInterpolationQuality): Deleted.
(WebCore::TextureMapper::textDrawingMode): Deleted.


  Commit: a3984204b52a81f73a0bb41c2f5edd7b47e97fda
      https://github.com/WebKit/WebKit/commit/a3984204b52a81f73a0bb41c2f5edd7b47e97fda
  Author: Žan Doberšek <zdobersek at igalia.com>
  Date:   2017-02-28 (Tue, 28 Feb 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
    M Source/WebCore/platform/graphics/texmap/BitmapTextureGL.cpp
    M Source/WebCore/platform/graphics/texmap/BitmapTextureGL.h
    M Source/WebCore/platform/graphics/texmap/BitmapTexturePool.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapperGL.cpp

  Log Message:
  -----------
  Merge r213044 - [TextureMapper] Clean up BitmapTextureGL construction
https://bugs.webkit.org/show_bug.cgi?id=168909

Reviewed by Carlos Garcia Campos.

Have the BitmapTextureGL constructor accept an rvalue reference pointer
to the GraphicsContext3D object. A static create() method is also added
to help with constructing these objects. Construction sites are updated
appropriately.

The BitmapTextureGL constructor is further cleaned up by moving default
member initializations together with the member declarations.

* platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:
(WebCore::MediaPlayerPrivateGStreamerBase::pushTextureToCompositor):
* platform/graphics/texmap/BitmapTextureGL.cpp:
(WebCore::BitmapTextureGL::BitmapTextureGL):
* platform/graphics/texmap/BitmapTextureGL.h:
* platform/graphics/texmap/BitmapTexturePool.cpp:
(WebCore::BitmapTexturePool::createTexture):
* platform/graphics/texmap/TextureMapperGL.cpp:
(WebCore::TextureMapperGL::createTexture):


  Commit: e4c39c1369ac34c6245bd199a341fff1e90ab944
      https://github.com/WebKit/WebKit/commit/e4c39c1369ac34c6245bd199a341fff1e90ab944
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-03-01 (Wed, 01 Mar 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/NetworkProcess/cache/NetworkCacheSpeculativeLoad.cpp

  Log Message:
  -----------
  Merge r213206 - NetworkProcess aborts in WebKit::NetworkLoad::didCompleteWithError at Source/WebKit2/NetworkProcess/NetworkLoad.cpp:423
https://bugs.webkit.org/show_bug.cgi?id=168963

Reviewed by Antti Koivisto.

This is trying to call SpeculativeLoad::didFailLoading() after SpeculativeLoad has already been
completed. SpeculativeLoad::didComplete() calls its completion handler that removes the load from
m_pendingPreloads. When the completion handler returns the SpeculativeLoad is deleted. So, we should always
ensure that SpeculativeLoad is not used after didComplete() call. In SpeculativeLoad::willSendRedirectedRequest(),
the call to NetworkLoad::continueWillSendRequest() causes SpeculativeLoad::didFailLoading() to be called. We
don't really need to call continueWillSendRequest() though, since the network load is going to be deleted anyway
by didComplete(), and the willSendRequest completion handler does nothing when the request is null.

* NetworkProcess/cache/NetworkCacheSpeculativeLoad.cpp:
(WebKit::NetworkCache::SpeculativeLoad::willSendRedirectedRequest):


  Commit: 692442e1e0e41e93a3468bf30ce1607590cca3dc
      https://github.com/WebKit/WebKit/commit/692442e1e0e41e93a3468bf30ce1607590cca3dc
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-03-01 (Wed, 01 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/compositing/transitions/transform-on-large-layer-expected.html
    M LayoutTests/fast/css/sticky/sticky-left-percentage-expected.html
    M LayoutTests/fast/events/currentTarget-gc-crash.html
    M LayoutTests/fast/multicol/column-span-parent-continuation-crash.html
    M LayoutTests/platform/gtk/TestExpectations

  Log Message:
  -----------
  Merge r212678, r212825, r212890, r212934, r213073, r213085 - Gardening

LayoutTest fast/multicol/column-span-parent-continuation-crash.html is a flaky timeout
https://bugs.webkit.org/show_bug.cgi?id=168341

Reviewed by Daniel Bates.

* fast/multicol/column-span-parent-continuation-crash.html: Make sure that the
document is fully parsed before the test runs. I'm not sure if the zero delay
is still needed, but it doesn't hurt.

Unreviewed GTK+ gardening. Mark http/tests/media/video-redirect.html as timing out.

* platform/gtk/TestExpectations:

[GTK] Gardening of some flaky tests

Unreviewed.

* platform/gtk/TestExpectations: Update some expectations or add new cases of flaky tests.

[GTK] Layout test imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/track-api-texttracks.html is flaky
https://bugs.webkit.org/show_bug.cgi?id=168799

Unreviewed test gardening.

* platform/gtk/TestExpectations:

compositing/transitions/transform-on-large-layer.html : ImageDiff produced stderr output
https://bugs.webkit.org/show_bug.cgi?id=168217

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-02-27
Reviewed by Simon Fraser.

ImageDiff reports an error for image size mismatch of expected and
actual images. But, Nwtr ignores the errors for ref tests at the moment
(Bug 168033). They should have same window size before fixing the
bug.

* compositing/transitions/transform-on-large-layer-expected.html:
Do not resize the window to match the actual.
* fast/css/sticky/sticky-left-percentage-expected.html: Resize the
window to match the actual.

LayoutTest fast/events/currentTarget-gc-crash.html is a flaky failure
https://bugs.webkit.org/show_bug.cgi?id=168917

Reviewed by Alex Christensen.

Make sure we never call finishJSTest() more than once.

* fast/events/currentTarget-gc-crash.html:


  Commit: ccaa29d959097f6b8a75d20d1b43da267ad4058c
      https://github.com/WebKit/WebKit/commit/ccaa29d959097f6b8a75d20d1b43da267ad4058c
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-03-01 (Wed, 01 Mar 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.15.91 release.

.:

* Source/cmake/OptionsGTK.cmake: Bump version numbers.

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.15.91.


  Commit: cfe5d64d90f95a48f40b6c14fdb70427db50168b
      https://github.com/WebKit/WebKit/commit/cfe5d64d90f95a48f40b6c14fdb70427db50168b
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M JSTests/ChangeLog
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/SetupVarargsFrame.cpp
    M Source/JavaScriptCore/jit/SetupVarargsFrame.h

  Log Message:
  -----------
  Merge r213631 - [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
https://bugs.webkit.org/show_bug.cgi?id=160124

Reviewed by Mark Lam.

JSTests:

* stress/spread-forward-call-varargs-stack-overflow.js:

Source/JavaScriptCore:

When performing CallVarargs, we will copy values to the stack.
Before actually copying values, we need to adjust the stackPointerRegister
to ensure copied values are in the allocated stack area.
If we do not do that, the OS can break the values that are stored beyond the stack
pointer. For example, a signal stack can be constructed on this area, and
break the values.

This patch fixes the crash in stress/spread-forward-call-varargs-stack-overflow.js
in the Linux port. Since Linux ports use signals to suspend and resume threads,
the signal handler is frequently called when enabling the sampling profiler. Thus this
crash occurs.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
* jit/SetupVarargsFrame.cpp:
(JSC::emitSetupVarargsFrameFastCase):
* jit/SetupVarargsFrame.h:


  Commit: 535f7d78e346e601ccb8864b4e52c02a9e82c031
      https://github.com/WebKit/WebKit/commit/535f7d78e346e601ccb8864b4e52c02a9e82c031
  Author: Aleksandr Skachkov <gskachkov at gmail.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/microbenchmarks/arrowfunciton-direct-arguments.js
    A JSTests/microbenchmarks/arrowfunciton-reference-arguments.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/runtime/JSScope.cpp

  Log Message:
  -----------
  Merge r213165 - Use of arguments in arrow function is slow
https://bugs.webkit.org/show_bug.cgi?id=168829

Reviewed by Saam Barati.

JSTests:

* microbenchmarks/arrowfunciton-direct-arguments.js: Added.
(fn):
* microbenchmarks/arrowfunciton-reference-arguments.js: Added.
(fn):

Source/JavaScriptCore:

The current patch improves performance of access to arguments within an arrow function
by preventing creation of the arguments variable within the arrow function, and also allows caching
the arguments variable. Before, the arguments variable always had the Dynamic resolve type; after the
patch it can be ClosureVar, which increases performance of access to the arguments variable
by 9 times inside of the arrow function.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* runtime/JSScope.cpp:
(JSC::abstractAccess):


  Commit: 7b352b0e0e5f0580308f692c1099e563c20e0170
      https://github.com/WebKit/WebKit/commit/7b352b0e0e5f0580308f692c1099e563c20e0170
  Author: Saam Barati <sbarati at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/disassembler/ARM64/A64DOpcode.cpp

  Log Message:
  -----------
  Merge r213171 - Arm64 disassembler prints "ars" instead of "asr"
https://bugs.webkit.org/show_bug.cgi?id=168923

Rubber stamped by Michael Saboff.

* disassembler/ARM64/A64DOpcode.cpp:
(JSC::ARM64Disassembler::A64DOpcodeBitfield::format):


  Commit: ffe96e775d4db36b68ff30ed180a0e9fda0d63f9
      https://github.com/WebKit/WebKit/commit/ffe96e775d4db36b68ff30ed180a0e9fda0d63f9
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/WebPage/gtk/WebPrintOperationGtk.cpp

  Log Message:
  -----------
  Merge r213217 - [GTK] Fix problems found by Coverity scan in WebPrintOperationGtk.cpp
https://bugs.webkit.org/show_bug.cgi?id=169027

Reviewed by Carlos Garcia Campos.

Initialize the lastPagePosition variable and remove an unused one
- totalToPrint.

* WebProcess/WebPage/gtk/WebPrintOperationGtk.cpp:
(WebKit::PrintPagesData::PrintPagesData):


  Commit: 1f8d7b0ebe7f8c5c35bc0f97ae4e2fb92037ce62
      https://github.com/WebKit/WebKit/commit/1f8d7b0ebe7f8c5c35bc0f97ae4e2fb92037ce62
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/gtk/PlatformKeyboardEventGtk.cpp
    M Source/WebCore/platform/gtk/PlatformMouseEventGtk.cpp

  Log Message:
  -----------
  Merge r213218 - [GTK] Fix problems found by Coverity scan in platform's keyboard and mouse events
https://bugs.webkit.org/show_bug.cgi?id=169028

Reviewed by Carlos Garcia Campos.

* platform/gtk/PlatformKeyboardEventGtk.cpp:
(WebCore::PlatformKeyboardEvent::PlatformKeyboardEvent): Initialize
the m_handledByInputMethod member.
* platform/gtk/PlatformMouseEventGtk.cpp:
(WebCore::PlatformMouseEvent::PlatformMouseEvent): Initialize the
m_modifierFlags member.


  Commit: 9c6a76835551724d17b0660bd01568f863985069
      https://github.com/WebKit/WebKit/commit/9c6a76835551724d17b0660bd01568f863985069
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp

  Log Message:
  -----------
  Merge r213219 - [Cairo] Incorrectly determining height in GraphicsContext::roundToDevicePixels()
https://bugs.webkit.org/show_bug.cgi?id=169031

Reviewed by Carlos Garcia Campos.

We should compare if height is between -1 and 0 and not mixing height
and width together.

* platform/graphics/cairo/GraphicsContextCairo.cpp:
(WebCore::GraphicsContext::roundToDevicePixels):


  Commit: 8e7333291d7b38bf90657043f79c0e7ee25edc78
      https://github.com/WebKit/WebKit/commit/8e7333291d7b38bf90657043f79c0e7ee25edc78
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/StringPrintStream.cpp

  Log Message:
  -----------
  Merge r213223 - [WTF] va_list is not ended in StringPrintStream
https://bugs.webkit.org/show_bug.cgi?id=169035

Reviewed by Michael Saboff.

Also fix whitespace errors while touching this file.

* wtf/StringPrintStream.cpp:
(WTF::StringPrintStream::vprintf):
(WTF::StringPrintStream::increaseSize):


  Commit: d86bd069e4114eff21470aaf308ec9956fd167b1
      https://github.com/WebKit/WebKit/commit/d86bd069e4114eff21470aaf308ec9956fd167b1
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
    M Source/WebCore/platform/graphics/gstreamer/VideoSinkGStreamer.cpp

  Log Message:
  -----------
  Merge r213224 - [GTK] fast/canvas/canvas-createPattern-video-loading.html makes its subsequent test timeout
https://bugs.webkit.org/show_bug.cgi?id=169019

Reviewed by Xabier Rodriguez-Calvar.

Source/WebCore:

The timeout happens normally when the media player is deleted and the pipeline state is set to NULL. The call to
gst_element_set_state() never returns because of different deadlocks with the video sink. Sometimes the deadlock
happens with the sample mutex used by VideoRenderRequestScheduler. VideoRenderRequestScheduler::requestRender()
calls webkitVideoSinkRepaintRequested() with the lock held, that ends up calling
MediaPlayerPrivateGStreamerBase::triggerRepaint(). When rendering can't be accelerated the draw timer is
scheduled and triggerRepaint blocks until the timer is fired. If the media player is destroyed before the timer
is fired, when setting the pipeline state to NULL, other VideoRenderRequestScheduler methods can be called, like
stop() that tries to get the sample mutex that is still held by requestRender(). So, first we need to make
sure that requestRender() releases the lock before calling webkitVideoSinkRepaintRequested(). But that's not
enough, we also need to ensure that the pipeline is set to NULL state after everything has been properly
stopped. This is currently done in ~MediaPlayerPrivateGStreamer that happens before
~MediaPlayerPrivateGStreamerBase, so gst_element_set_state() is hanging before allowing the
MediaPlayerPrivateGStreamerBase to be cleaned up. We should move the call to the end of
~MediaPlayerPrivateGStreamerBase and ensure the draw timer and mutex are properly cleaned up before.

Fixes: fast/canvas/canvas-createPattern-video-loading.html

* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::~MediaPlayerPrivateGStreamer): Do not reset pipeline here.
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:
(WebCore::MediaPlayerPrivateGStreamerBase::~MediaPlayerPrivateGStreamerBase): Stop the draw mutex and notify the
lock to ensure we unblock. Do the pipeline reset at the end.
* platform/graphics/gstreamer/VideoSinkGStreamer.cpp:
(VideoRenderRequestScheduler::requestRender): Release the mutex lock before calling webkitVideoSinkRepaintRequested().

LayoutTests:

Unskip tests previously skipped because of this timeout.

* platform/gtk/TestExpectations:


  Commit: 6c6aebe546089f98c9c61882672da0c40ed7bcdc
      https://github.com/WebKit/WebKit/commit/6c6aebe546089f98c9c61882672da0c40ed7bcdc
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp

  Log Message:
  -----------
  Merge r213275 - Incorrect RELEASE_ASSERT in JSGlobalObject::addStaticGlobals()
https://bugs.webkit.org/show_bug.cgi?id=169034

Reviewed by Mark Lam.

It should not assign to offset, but compare to offset.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::addStaticGlobals):


  Commit: d4ba48fbcb8f9883e3641bcb0cfbabae9281a031
      https://github.com/WebKit/WebKit/commit/d4ba48fbcb8f9883e3641bcb0cfbabae9281a031
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp

  Log Message:
  -----------
  Merge r213276 - [GTK] Crash in WebCore::CoordinatedGraphicsLayer::notifyFlushRequired
https://bugs.webkit.org/show_bug.cgi?id=166420

Reviewed by Žan Doberšek.

This is happening when closing a page that is being inspected. When CoordinatedGraphicsLayer::removeFromParent()
is called, the coordinator has already been invalidated, so all its layers were set to a nullptr coordinator. I
think it's safe to simply handle m_coordinator being nullptr in notifyFlushRequired().

* platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:
(WebCore::CoordinatedGraphicsLayer::notifyFlushRequired): Return early if the coordinator is nullptr.


  Commit: 925393bdd901d5002703f7b58530c414e2d66e10
      https://github.com/WebKit/WebKit/commit/925393bdd901d5002703f7b58530c414e2d66e10
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/events/context-activated-by-key-event-expected.txt
    A LayoutTests/fast/events/context-activated-by-key-event.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/EventHandler.cpp
    M Source/WebCore/page/EventHandler.h
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/API/gtk/WebKitWebView.cpp
    M Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp
    M Source/WebKit2/UIProcess/WebPageProxy.cpp
    M Source/WebKit2/UIProcess/WebPageProxy.h
    M Source/WebKit2/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit2/WebProcess/WebPage/WebPage.h
    M Source/WebKit2/WebProcess/WebPage/WebPage.messages.in
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestContextMenu.cpp
    M Tools/TestWebKitAPI/gtk/WebKit2Gtk/WebViewTest.cpp
    M Tools/TestWebKitAPI/gtk/WebKit2Gtk/WebViewTest.h

  Log Message:
  -----------
  Merge r213278 - [WK2] Keyboard menu key should show context menu
https://bugs.webkit.org/show_bug.cgi?id=72099

Source/WebCore:

Reviewed by Carlos Garcia Campos.

Show the context menu when the GtkWidget::popup-menu signal is
emitted. This signal is triggered by pressing a key (usually
the Menu key or the Shift + F10 shortcut) or it could be emitted on
WebKitWebView.

Test: fast/events/context-activated-by-key-event.html

Also could be tested by:

ManualTests/keyboard-menukey-event.html
ManualTests/win/contextmenu-key.html
ManualTests/win/contextmenu-key2.html

* page/EventHandler.cpp:
(WebCore::EventHandler::sendContextMenuEventForKey):
Correctly send the mouse event that is used for showing the context menu.
Previously the event was immediately dispatched as it is, but this was
only the right way if some element was focused on the page. If there
was no focused element or non-empty text range then the event lacked
the right node, where it was supposed to be shown. The correct node
is determined and added to the event in the sendContextMenuEvent() so
we have to use this function to send the event.

Also use absoluteBoundingBoxRect() instead of
pixelSnappedAbsoluteClippedOverflowRect() when determining
a coordinate where to show the context menu for the currently focused
element. The latter does not return the right box (it is bigger), which
could lead to the situation that no menu will be displayed at all,
because the HitTest won't contain the right element as the
determined coordinates could be outside of the element.
* page/EventHandler.h:

Source/WebKit2:

Reviewed by Carlos Garcia Campos.

Show the context menu when the GtkWidget::popup-menu signal is
emitted. This signal is triggered by pressing a key (usually
the Menu key or the Shift + F10 shortcut) or it could be emitted on
WebKitWebView.

* UIProcess/API/gtk/WebKitWebView.cpp:
(webkit_web_view_class_init):
(webkit_web_view_class_init): Update the documentation for the
context-menu signal
* UIProcess/API/gtk/WebKitWebViewBase.cpp:
(webkitWebViewBasePopupMenu): Connect to the popup-menu signal and
save the event that was used to trigger the signal. If there is no
such event create a new GdkEvent with GDK_NOTHING type.
(webkitWebViewBasePopupMenu):
(webkit_web_view_base_class_init):
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::handleContextMenuKeyEvent):
* UIProcess/WebPageProxy.h:
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::contextMenuForKeyEvent):
* WebProcess/WebPage/WebPage.h:
* WebProcess/WebPage/WebPage.messages.in:

Tools:

Show the context menu when the GtkWidget::popup-menu signal is
emitted. This signal is triggered by pressing a key (usually
the Menu key or the Shift + F10 shortcut) or it could be emitted on
WebKitWebView.

Reviewed by Carlos Garcia Campos.

* TestWebKitAPI/Tests/WebKit2Gtk/TestContextMenu.cpp:
(testContextMenuDefaultMenu):
* TestWebKitAPI/gtk/WebKit2Gtk/WebViewTest.cpp:
(WebViewTest::emitPopupMenuSignal):
* TestWebKitAPI/gtk/WebKit2Gtk/WebViewTest.h:

LayoutTests:

Reviewed by Carlos Garcia Campos.

Skip the fast/events/context-activated-by-key-event.html on Mac as it
does not have a key to activate the context menu and on iOS as well.

* platform/ios-simulator-wk2/TestExpectations:
* platform/mac-wk2/TestExpectations:
* platform/mac/TestExpectations:


  Commit: 9ea19ac26056a80b5c14209ee87254fe580c005b
      https://github.com/WebKit/WebKit/commit/9ea19ac26056a80b5c14209ee87254fe580c005b
  Author: Piotr Drąg <piotrdrag at gmail.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/platform/gtk/po/ChangeLog
    M Source/WebCore/platform/gtk/po/pl.po

  Log Message:
  -----------
  Merge r213279 - [l10n] Updated Polish translation of WebKitGTK+ for 2.16
https://bugs.webkit.org/show_bug.cgi?id=169072

Patch by Piotr Drąg <piotrdrag at gmail.com> on 2017-03-02
Rubber-stamped by Michael Catanzaro.

* pl.po:


  Commit: 9c84e44ba1981f811c5d50835db33b5239a70ed6
      https://github.com/WebKit/WebKit/commit/9c84e44ba1981f811c5d50835db33b5239a70ed6
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/platform/gtk/po/ChangeLog
    M Source/WebCore/platform/gtk/po/pl.po

  Log Message:
  -----------
  Merge r213288 - Unreviewed, restore inadvertently-removed non-breaking spaces in Polish translation

* pl.po:


  Commit: f2c98c219d57094cf0172e00a361e83906479b23
      https://github.com/WebKit/WebKit/commit/f2c98c219d57094cf0172e00a361e83906479b23
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/frames/insert-frame-unload-handler-expected.txt
    A LayoutTests/fast/frames/insert-frame-unload-handler.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/ContainerNodeAlgorithms.cpp
    M Source/WebCore/html/HTMLFrameOwnerElement.h
    M Source/WebCore/loader/FrameLoader.cpp

  Log Message:
  -----------
  Merge r213311 - We should prevent load of subframes inserted during FrameTree deconstruction
https://bugs.webkit.org/show_bug.cgi?id=169095

Reviewed by Brent Fulgham.

Source/WebCore:

When deconstructing the FrameTree, we fire the unload event in each subframe.
Such an unload event handler may insert a new frame; we would previously load
such a new frame, which was unsafe as we would end up with an attached subframe
on a detached tree. To address the issue, we prevent new subframes from loading
while deconstructing the FrameTree and firing the unload events. This new
behavior is consistent with Chrome and should therefore be safe from a
compatibility standpoint.

Test: fast/frames/insert-frame-unload-handler.html

* dom/ContainerNodeAlgorithms.cpp:
(WebCore::disconnectSubframes):
Update SubframeLoadingDisabler call site now that the constructor takes in
a pointer instead of a reference.

* html/HTMLFrameOwnerElement.h:
(WebCore::SubframeLoadingDisabler::SubframeLoadingDisabler):
(WebCore::SubframeLoadingDisabler::~SubframeLoadingDisabler):
Update SubframeLoadingDisabler constructor to take in a pointer instead
of a reference, for convenience.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::detachChildren):
Prevent loads in subframes while detaching the subframes. It would be unsafe
as we copy the list of frames before iterating to fire the unload events.
Therefore, newly inserted frames would not get unloaded.

LayoutTests:

Add layout test coverage. Our behavior on this test is consistent with Chrome.

* fast/frames/insert-frame-unload-handler-expected.txt: Added.
* fast/frames/insert-frame-unload-handler.html: Added.


  Commit: ec49e15d2c6dbeed08b1e30a3d95ab14d0d12242
      https://github.com/WebKit/WebKit/commit/ec49e15d2c6dbeed08b1e30a3d95ab14d0d12242
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/TestExpectations
    M LayoutTests/fast/loader/url-parse-1-expected.txt
    M LayoutTests/fast/url/file-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/URLParser.cpp
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp

  Log Message:
  -----------
  Merge r213384 - [URLParser] Fix file: as a relative file URL
https://bugs.webkit.org/show_bug.cgi?id=169122

Reviewed by Tim Horton.

Source/WebCore:

This is clearly defined in https://url.spec.whatwg.org/#file-state with the EOF code point.
I got it wrong and didn't test it.  It's been added to the web platform tests since we last updated.

* platform/URLParser.cpp:
(WebCore::URLParser::parse):

Tools:

* TestWebKitAPI/Tests/WebCore/URLParser.cpp:
(TestWebKitAPI::TEST_F):

LayoutTests:

* TestExpectations:
We don't need to skip url-setters.html any more.  It used to assert before the new URLParser was enabled.
* fast/loader/url-parse-1-expected.txt:
* fast/url/file-expected.txt:
We used to add a strange and unnecessary :/// at the end of the URL.


  Commit: 5e4f5c55eca960f38c98f2cb7d252dd7e45dc91b
      https://github.com/WebKit/WebKit/commit/5e4f5c55eca960f38c98f2cb7d252dd7e45dc91b
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderImage.cpp
    M Source/WebCore/rendering/RenderImageResource.cpp
    M Source/WebCore/rendering/RenderImageResource.h
    M Source/WebCore/rendering/RenderImageResourceStyleImage.cpp
    M Source/WebCore/rendering/RenderImageResourceStyleImage.h

  Log Message:
  -----------
  Merge r213404 - Clean up RenderImage and a RenderImageResource function
https://bugs.webkit.org/show_bug.cgi?id=169153

Reviewed by Zalan Bujtas.

Change all calls to imageResource().cachedImage() in RenderImage to use the inline
cachedImage() function.

In RenderImage::paintReplaced(), early return after the broken image block (and no need
to test imageResource().hasImage() again in the second condition). Convert height/width to size,
which also forces us to be explicit about using flooredIntSize() when fetching the image
(perhaps this should be a roundedIntSize, but I didn't want to change behavior).

Change RenderImageResource::image() to take an IntSize, rather than int height and width.

No behavior change.

* rendering/RenderImage.cpp:
(WebCore::RenderImage::styleDidChange):
(WebCore::RenderImage::imageChanged):
(WebCore::RenderImage::notifyFinished):
(WebCore::RenderImage::paintReplaced):
(WebCore::RenderImage::paintIntoRect):
(WebCore::RenderImage::foregroundIsKnownToBeOpaqueInRect):
(WebCore::RenderImage::embeddedContentBox):
* rendering/RenderImageResource.cpp:
(WebCore::RenderImageResource::image):
* rendering/RenderImageResource.h:
(WebCore::RenderImageResource::image):
* rendering/RenderImageResourceStyleImage.cpp:
(WebCore::RenderImageResourceStyleImage::image):
* rendering/RenderImageResourceStyleImage.h:


  Commit: a14472cc55b5eeab85e5b8c4196b62cbe736ba37
      https://github.com/WebKit/WebKit/commit/a14472cc55b5eeab85e5b8c4196b62cbe736ba37
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderLayerBacking.cpp
    M Source/WebCore/rendering/RenderLayerBacking.h

  Log Message:
  -----------
  Merge r213405 - Clean up some RenderLayerBacking code
https://bugs.webkit.org/show_bug.cgi?id=169160

Reviewed by Dean Jackson.

Modern loops in descendantLayerPaintsIntoAncestor().

Rename RenderLayerBacking::paintsChildren() to RenderLayerBacking::paintsChildRenderers() to clarify that
it refers to renderers, not RenderLayers.

Rename RenderLayerBacking::paintsNonDirectCompositedBoxDecoration() to RenderLayerBacking::paintsBoxDecorations().
"Paints" already implies non-composited.

No behavior change.

* rendering/RenderLayerBacking.cpp:
(WebCore::RenderLayerBacking::updateDrawsContent):
(WebCore::RenderLayerBacking::paintsBoxDecorations):
(WebCore::RenderLayerBacking::paintsChildRenderers):
(WebCore::RenderLayerBacking::isSimpleContainerCompositingLayer):
(WebCore::descendantLayerPaintsIntoAncestor):
(WebCore::RenderLayerBacking::paintsNonDirectCompositedBoxDecoration): Deleted.
(WebCore::RenderLayerBacking::paintsChildren): Deleted.
* rendering/RenderLayerBacking.h:


  Commit: faf38bfcb891272ee4e00e44303612ea2ec30db4
      https://github.com/WebKit/WebKit/commit/faf38bfcb891272ee4e00e44303612ea2ec30db4
  Author: Joseph Pecoraro <pecoraro at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Platform/Logging.cpp

  Log Message:
  -----------
  Merge r213420 - Remove duplicate initialization guard in WebKit2 logging initialization
https://bugs.webkit.org/show_bug.cgi?id=169164

Patch by Joseph Pecoraro <pecoraro at apple.com> on 2017-03-04
Reviewed by Dan Bernstein.

* Platform/Logging.cpp:
(WebKit::initializeLogChannelsIfNecessary):


  Commit: a3547b25e7adf4f0960ef95df2c8212372def046
      https://github.com/WebKit/WebKit/commit/a3547b25e7adf4f0960ef95df2c8212372def046
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderLayerBacking.cpp
    M Source/WebCore/rendering/RenderLayerBacking.h

  Log Message:
  -----------
  Merge r213429 - Clarify some terminology in RenderLayerBacking
https://bugs.webkit.org/show_bug.cgi?id=169174

Reviewed by Zalan Bujtas.

Rename some functions related to directly-composited background images and
box decorations for clarity.

The only behavior change is for canDirectlyCompositeBackgroundBackgroundImage() to check
GraphicsLayer::supportsContentsTiling(), which means that RenderLayerBacking::contentChanged()
will no longer trigger an updateGeometry() when it gets BackgroundImageChanged on non-
CoordinatedGraphics platforms.

* rendering/RenderLayerBacking.cpp:
(WebCore::RenderLayerBacking::updateConfiguration):
(WebCore::RenderLayerBacking::updateAfterDescendants):
(WebCore::RenderLayerBacking::updateDirectlyCompositedBoxDecorations):
(WebCore::canDirectlyCompositeBackgroundBackgroundImage):
(WebCore::hasPaintedBoxDecorationsOrBackgroundImage):
(WebCore::supportsDirectlyCompositedBoxDecorations):
(WebCore::RenderLayerBacking::paintsBoxDecorations):
(WebCore::RenderLayerBacking::isSimpleContainerCompositingLayer):
(WebCore::RenderLayerBacking::contentChanged):
(WebCore::RenderLayerBacking::updateDirectlyCompositedContents): Deleted.
(WebCore::canCreateTiledImage): Deleted.
(WebCore::hasVisibleBoxDecorationsOrBackgroundImage): Deleted.
(WebCore::supportsDirectBoxDecorationsComposition): Deleted.
* rendering/RenderLayerBacking.h:


  Commit: b1d359f4138a821ede43089e7699960e0e102f5c
      https://github.com/WebKit/WebKit/commit/b1d359f4138a821ede43089e7699960e0e102f5c
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderLayerBacking.cpp
    M Source/WebCore/rendering/RenderLayerBacking.h

  Log Message:
  -----------
  Merge r213435 - Make some RenderLayer tree traversal in RenderLayerBacking more generic
https://bugs.webkit.org/show_bug.cgi?id=169177

Reviewed by Zalan Bujtas.

The real goal of this patch is to reduce the number of callers of
RenderLayerBacking::isPaintDestinationForDescendantLayers() to one. To achieve that,
have the setContentsVisible() logic (which is really just about the CSS 'visibility' property)
do its own tree traversal which just consults layer.hasVisibleContent(). So
make descendantLayerPaintsIntoAncestor() a generic traversal function which walks
descendant layers which may paint into the target layer. The "Visible" in the name
reflects the fact that it can bypass a subtree for a layer with !hasVisibleDescendant().

* rendering/RenderLayerBacking.cpp:
(WebCore::RenderLayerBacking::updateAfterDescendants):
(WebCore::traverseVisibleNonCompositedDescendantLayers):
(WebCore::RenderLayerBacking::isPaintDestinationForDescendantLayers):
(WebCore::RenderLayerBacking::hasVisibleNonCompositedDescendants):
(WebCore::descendantLayerPaintsIntoAncestor): Deleted.
* rendering/RenderLayerBacking.h:


  Commit: 81d2807ccc0134a122d54f61492a7a5fd9c91861
      https://github.com/WebKit/WebKit/commit/81d2807ccc0134a122d54f61492a7a5fd9c91861
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/parser/form-after-template-expected.html
    A LayoutTests/fast/parser/form-after-template.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/parser/HTMLConstructionSite.cpp

  Log Message:
  -----------
  Merge r213438 - Using <form> in <template> causes following <form> to get swallowed
https://bugs.webkit.org/show_bug.cgi?id=163552

Reviewed by Sam Weinig.

Source/WebCore:

As per the HTML specification [1], when finding a "form" tag in the "in body"
insertion mode, we should insert an HTML element for the token, and, if there
is no template element on the stack of open elements, set the form element
pointer to point to the element created.

We were missing the "if there is no template element on the stack of open
elements" check and setting the form element pointer unconditionally.
This patch fixes the issue.

[1] https://html.spec.whatwg.org/multipage/syntax.html#parsing-main-inbody:form-element-pointer-2

Test: fast/parser/form-after-template.html

* html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::insertHTMLFormElement):

LayoutTests:

Add layout test coverage.

* fast/parser/form-after-template-expected.html: Added.
* fast/parser/form-after-template.html: Added.


  Commit: 4a0e258237c683acb2c6b50c798137ca8e64c56e
      https://github.com/WebKit/WebKit/commit/4a0e258237c683acb2c6b50c798137ca8e64c56e
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/compositing/backing/inline-block-no-backing-expected.txt
    M LayoutTests/compositing/backing/inline-block-no-backing.html
    M LayoutTests/compositing/iframes/page-cache-layer-tree-expected.txt
    M LayoutTests/css3/blending/blend-mode-clip-accelerated-blending-canvas-expected.txt
    M LayoutTests/platform/ios-simulator-wk2/compositing/backing/inline-block-no-backing-expected.txt
    M LayoutTests/platform/ios-simulator-wk2/compositing/iframes/page-cache-layer-tree-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderLayer.cpp

  Log Message:
  -----------
  Merge r213440 - Avoid backing store for layers with empty text nodes in a few more cases
https://bugs.webkit.org/show_bug.cgi?id=169185

Reviewed by Dan Bernstein.

Source/WebCore:

In hasPaintingNonLayerDescendants() we can check whether the RenderText's linesBoundingBox()
is empty to avoid backing store in a few more cases. Also use containsOnlyWhitespace() rather
than isAllCollapsibleWhitespace(), because there's no need for backing store for non-selectable
whitespace text.

Covered by existing tests.

* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::calculateClipRects):

LayoutTests:

inline-block-no-backing.html enhanced to have a layer with non-collapsible whitespace (an &nbsp;).

Rebaselined other tests.

* compositing/backing/inline-block-no-backing-expected.txt:
* compositing/backing/inline-block-no-backing.html:
* compositing/iframes/page-cache-layer-tree-expected.txt:
* css3/blending/blend-mode-clip-accelerated-blending-canvas-expected.txt:
* platform/ios-simulator-wk2/compositing/backing/inline-block-no-backing-expected.txt:
* platform/ios-simulator-wk2/compositing/iframes/page-cache-layer-tree-expected.txt:


  Commit: 914d0a844ee774ad5fd0e36394329186f54c0987
      https://github.com/WebKit/WebKit/commit/914d0a844ee774ad5fd0e36394329186f54c0987
  Author: Vanessa Chipirrás Navalón <vchipirras at igalia.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/audio/gstreamer/AudioDestinationGStreamer.cpp
    M Source/WebCore/platform/audio/gstreamer/AudioFileReaderGStreamer.cpp
    M Source/WebCore/platform/audio/gstreamer/AudioSourceProviderGStreamer.cpp
    M Source/WebCore/platform/audio/gstreamer/WebKitWebAudioSourceGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/AudioTrackPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/GStreamerUtilities.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerOwr.cpp
    M Source/WebCore/platform/graphics/gstreamer/TextCombinerGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/TextSinkGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/TrackPrivateBaseGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/VideoSinkGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/VideoTrackPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/mse/WebKitMediaSourceGStreamer.cpp

  Log Message:
  -----------
  Merge r213445 - [GStreamer] Adopt nullptr
https://bugs.webkit.org/show_bug.cgi?id=123438

Patch by Vanessa Chipirrás Navalón <vchipirras at igalia.com> on 2017-03-06
Reviewed by Xabier Rodriguez-Calvar.

To adapt the code to the C++11 standard, all NULL or 0 pointers have been changed to nullptr.

* platform/audio/gstreamer/AudioDestinationGStreamer.cpp:
(WebCore::AudioDestinationGStreamer::AudioDestinationGStreamer):
* platform/audio/gstreamer/AudioFileReaderGStreamer.cpp:
(WebCore::AudioFileReader::handleNewDeinterleavePad):
(WebCore::AudioFileReader::plugDeinterleave):
(WebCore::AudioFileReader::decodeAudioForBusCreation):
* platform/audio/gstreamer/AudioSourceProviderGStreamer.cpp:
(WebCore::AudioSourceProviderGStreamer::AudioSourceProviderGStreamer):
(WebCore::AudioSourceProviderGStreamer::configureAudioBin):
(WebCore::AudioSourceProviderGStreamer::setClient):
(WebCore::AudioSourceProviderGStreamer::handleNewDeinterleavePad):
* platform/audio/gstreamer/WebKitWebAudioSourceGStreamer.cpp:
(webkit_web_audio_src_init):
(webKitWebAudioSrcLoop):
(webKitWebAudioSrcChangeState):
* platform/graphics/gstreamer/AudioTrackPrivateGStreamer.cpp:
(WebCore::AudioTrackPrivateGStreamer::setEnabled):
* platform/graphics/gstreamer/GStreamerUtilities.cpp:
(WebCore::initializeGStreamer):
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::setAudioStreamProperties):
(WebCore::MediaPlayerPrivateGStreamer::registerMediaEngine):
(WebCore::initializeGStreamerAndRegisterWebKitElements):
(WebCore::MediaPlayerPrivateGStreamer::MediaPlayerPrivateGStreamer):
(WebCore::MediaPlayerPrivateGStreamer::~MediaPlayerPrivateGStreamer):
(WebCore::MediaPlayerPrivateGStreamer::newTextSample):
(WebCore::MediaPlayerPrivateGStreamer::handleMessage):
(WebCore::MediaPlayerPrivateGStreamer::processTableOfContents):
Removed the unused second argument on processTableOfContentsEntry function.
(WebCore::MediaPlayerPrivateGStreamer::processTableOfContentsEntry):
Removed the unused second argument on this function.
(WebCore::MediaPlayerPrivateGStreamer::fillTimerFired):
(WebCore::MediaPlayerPrivateGStreamer::loadNextLocation):
(WebCore::MediaPlayerPrivateGStreamer::createAudioSink):
(WebCore::MediaPlayerPrivateGStreamer::createGSTPlayBin):
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:
Removed the unused second argument on processTableOfContentsEntry function.
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:
(WebCore::MediaPlayerPrivateGStreamerBase::MediaPlayerPrivateGStreamerBase):
(WebCore::MediaPlayerPrivateGStreamerBase::setMuted):
(WebCore::MediaPlayerPrivateGStreamerBase::muted):
(WebCore::MediaPlayerPrivateGStreamerBase::notifyPlayerOfMute):
(WebCore::MediaPlayerPrivateGStreamerBase::setStreamVolumeElement):
(WebCore::MediaPlayerPrivateGStreamerBase::decodedFrameCount):
(WebCore::MediaPlayerPrivateGStreamerBase::droppedFrameCount):
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamerOwr.cpp:
(WebCore::MediaPlayerPrivateGStreamerOwr::registerMediaEngine):
* platform/graphics/gstreamer/TextCombinerGStreamer.cpp:
(webkit_text_combiner_init):
(webkitTextCombinerPadEvent):
(webkitTextCombinerRequestNewPad):
(webkitTextCombinerNew):
* platform/graphics/gstreamer/TextSinkGStreamer.cpp:
(webkitTextSinkNew):
* platform/graphics/gstreamer/TrackPrivateBaseGStreamer.cpp:
(WebCore::TrackPrivateBaseGStreamer::tagsChanged):
(WebCore::TrackPrivateBaseGStreamer::notifyTrackOfActiveChanged):
* platform/graphics/gstreamer/VideoSinkGStreamer.cpp:
(webkit_video_sink_init):
(webkitVideoSinkProposeAllocation):
(webkitVideoSinkNew):
* platform/graphics/gstreamer/VideoTrackPrivateGStreamer.cpp:
(WebCore::VideoTrackPrivateGStreamer::setSelected):
* platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
(webkit_web_src_init):
(webKitWebSrcDispose):
(webKitWebSrcSetProperty):
(webKitWebSrcStop):
(webKitWebSrcChangeState):
(webKitWebSrcQueryWithParent):
(webKitWebSrcGetProtocols):
(StreamingClient::handleResponseReceived):
(StreamingClient::handleDataReceived):
(ResourceHandleStreamingClient::didFail):
(ResourceHandleStreamingClient::wasBlocked):
(ResourceHandleStreamingClient::cannotShowURL):
* platform/graphics/gstreamer/mse/WebKitMediaSourceGStreamer.cpp:
(webKitMediaSrcGetProtocols):


  Commit: 59e0ce252b49cba1d93280ed45361edcd11af1b5
      https://github.com/WebKit/WebKit/commit/59e0ce252b49cba1d93280ed45361edcd11af1b5
  Author: Daniel Ehrenberg <littledan at igalia.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/IntlNumberFormat.cpp

  Log Message:
  -----------
  Merge r213447 - Currency digits calculation in Intl.NumberFormat should call out to ICU
https://bugs.webkit.org/show_bug.cgi?id=169182

Patch by Daniel Ehrenberg <littledan at igalia.com> on 2017-03-06
Reviewed by Yusuke Suzuki.

* runtime/IntlNumberFormat.cpp:
(JSC::computeCurrencyDigits):
(JSC::computeCurrencySortKey): Deleted.
(JSC::extractCurrencySortKey): Deleted.


  Commit: 1ffcf3b745c94a5e228dd07d48394373dacf9023
      https://github.com/WebKit/WebKit/commit/1ffcf3b745c94a5e228dd07d48394373dacf9023
  Author: Miguel Gomez <magomez at igalia.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/image-decoders/gif/GIFImageDecoder.cpp

  Log Message:
  -----------
  Merge r213448 - [GTK] WebProcess from WebKitGtk+ 2.15.x SIGSEVs in GIFLZWContext::doLZW(unsigned char const*, unsigned long) at Source/WebCore/platform/image-decoders/gif/GIFImageReader.cpp:303
https://bugs.webkit.org/show_bug.cgi?id=167304

Reviewed by Carlos Garcia Campos.

Add a lock to ensure that the GIFImageReader that we are using for decoding is not deleted while
the decoding thread is using it.

No new tests.

* platform/image-decoders/gif/GIFImageDecoder.cpp:
(WebCore::GIFImageDecoder::clearFrameBufferCache):


  Commit: f466900f5db2624abba596c9dd54357fad3016bd
      https://github.com/WebKit/WebKit/commit/f466900f5db2624abba596c9dd54357fad3016bd
  Author: Manuel Rego Casasnovas <rego at igalia.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/css-grid-layout/grid-container-percentage-columns.html
    M LayoutTests/fast/css-grid-layout/min-width-height-auto-and-margins.html
    M LayoutTests/fast/css-grid-layout/min-width-height-auto.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBox.cpp

  Log Message:
  -----------
  Merge r213449 - [css-grid] Stretch should grow and shrink items to fit its grid area
https://bugs.webkit.org/show_bug.cgi?id=163200

Reviewed by Darin Adler.

Source/WebCore:

After some discussions the CSS WG agreed that stretch should not only
grow items, but also shrink them to fit its grid area.
That way the "min-width|height: auto" is somehow ignored for grid items.
More info at: https://github.com/w3c/csswg-drafts/issues/283

The good part is that this allows us to remove some ugly code we have
in RenderBox that was only used by Grid Layout.

For images, we'll be stretching on both axes right now, so the aspect
ratio won't be preserved. The default behavior might change in those
cases, but that should be implemented in a different patch.

* rendering/RenderBox.cpp:
(WebCore::RenderBox::computeLogicalWidthInRegion):
(WebCore::RenderBox::computeLogicalHeight):

LayoutTests:

The tests have been updated according to the new expected behavior.

* fast/css-grid-layout/grid-container-percentage-columns.html:
* fast/css-grid-layout/min-width-height-auto-and-margins.html:
* fast/css-grid-layout/min-width-height-auto.html:


  Commit: ea2b9ac2c661020adbcc1bc6f6245c2db687baba
      https://github.com/WebKit/WebKit/commit/ea2b9ac2c661020adbcc1bc6f6245c2db687baba
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/re-execute-error-module.js
    A JSTests/stress/resources/error-module.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js
    M Source/JavaScriptCore/runtime/JSModuleRecord.cpp

  Log Message:
  -----------
  Merge r213452 - Null pointer crash when loading module with unresolved import also as a script file
https://bugs.webkit.org/show_bug.cgi?id=168971

Reviewed by Saam Barati.

JSTests:

* stress/re-execute-error-module.js: Added.
(shouldBe):
(async):
* stress/resources/error-module.js: Added.

Source/JavaScriptCore:

If linking throws an error, this error should be re-thrown
when requesting the same module.

* builtins/ModuleLoaderPrototype.js:
(globalPrivate.newRegistryEntry):
* runtime/JSModuleRecord.cpp:
(JSC::JSModuleRecord::link):


  Commit: b71b410c2bb4d4fcea06c34da260555f49ab4744
      https://github.com/WebKit/WebKit/commit/b71b410c2bb4d4fcea06c34da260555f49ab4744
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/url/relative-win-expected.txt
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-xhtml-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/url-constructor-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/URLParser.cpp
    M Source/WebCore/platform/URLParser.h
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp

  Log Message:
  -----------
  Merge r213469 - Fix URLs relative to file URLs with paths beginning with Windows drive letters
https://bugs.webkit.org/show_bug.cgi?id=169178

Reviewed by Tim Horton.

LayoutTests/imported/w3c:

* web-platform-tests/url/a-element-expected.txt:
* web-platform-tests/url/a-element-xhtml-expected.txt:
* web-platform-tests/url/url-constructor-expected.txt:

Source/WebCore:

Windows drives in file URLs can begin with Windows drive letters, such as file:///C:/
which should not be removed when making other URLs relative to them.
See https://url.spec.whatwg.org/#file-slash-state

Covered by new API tests and newly passing web-platform-tests.

* platform/URLParser.cpp:
(WebCore::URLParser::copyBaseWindowsDriveLetter):
(WebCore::URLParser::copyASCIIStringUntil):
(WebCore::URLParser::parse):
* platform/URLParser.h:

Tools:

* TestWebKitAPI/Tests/WebCore/URLParser.cpp:
(TestWebKitAPI::TEST_F):

LayoutTests:

* fast/url/relative-win-expected.txt:
Some tests pass now.  localhost should indeed be removed according to the latest spec.
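The file URL rules that r213384 (the `file:` followed by EOF case) and r213469 (the Windows drive letter and localhost cases) describe, exercised as an added example that is not WebKit code: it uses Node's built-in WHATWG URL class on the assumption that it implements the same spec states (file state, file slash state) as WebKit's URLParser, with a constructed case table rather than WebKit's own test data.

```javascript
// Added example, not WebKit code: the WHATWG URL "file state" and "file slash
// state" rules that the two URLParser commits above (r213384 and r213469)
// implement, exercised through Node's built-in WHATWG URL class. Assumption:
// Node's URL class follows the same spec states as WebKit's URLParser.

// Resolve `input` against an optional `base` and return the serialized URL,
// or null when the parser rejects the input, so failures are data rather
// than exceptions (useful when validating many URLs in a loop).
function resolveURL(input, base) {
  try {
    return base === undefined ? new URL(input).href : new URL(input, base).href;
  } catch (err) {
    return null;
  }
}

// Constructed table (not taken from WebKit's test files): [input, base, expected].
const FILE_URL_CASES = [
  // r213384: "file:" followed by EOF takes the base's host, path and query,
  // rather than serializing as "file:///" with a stray ":///" appended.
  ["file:", "file:///tmp/mock/path", "file:///tmp/mock/path"],
  // r213469: a base path that starts with a Windows drive letter keeps it,
  // because path shortening never removes a lone normalized drive letter.
  ["..", "file:///C:/foo/bar", "file:///C:/"],
  // r213469: an absolute-path reference without its own drive letter gets
  // the base's drive letter copied in front of it (file slash state).
  ["/x", "file:///C:/foo", "file:///C:/x"],
  // A reference that carries its own drive letter does not inherit the base's.
  ["/D:/y", "file:///C:/foo", "file:///D:/y"],
  // r213469: "localhost" as a file host is replaced by the empty host.
  ["file://localhost/etc/hosts", undefined, "file:///etc/hosts"],
];

// Run every row and return those where the parser disagrees with the expected
// serialization; an empty array means full agreement on this table.
function findSpecMismatches(cases = FILE_URL_CASES) {
  const mismatches = [];
  for (const [input, base, expected] of cases) {
    const actual = resolveURL(input, base);
    if (actual !== expected) {
      mismatches.push({ input, base, expected, actual });
    }
  }
  return mismatches;
}

for (const [input, base] of FILE_URL_CASES) {
  console.log(JSON.stringify(input), "against", JSON.stringify(base), "->", resolveURL(input, base));
}
console.log("mismatches:", findSpecMismatches());
```

Running the table against a URL parser other than Node's (or an older Node) is a quick way to spot the same two deviations the commits fixed.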


  Commit: ea49241aec466012d2017f4405e1848fe8f30d55
      https://github.com/WebKit/WebKit/commit/ea49241aec466012d2017f4405e1848fe8f30d55
  Author: Carlos Alberto Lopez Perez <clopez at igalia.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Tools/ChangeLog
    M Tools/Scripts/run-gtk-tests

  Log Message:
  -----------
  Merge r213485 - [GTK] Mark WTF_Lock.ContendedLongSection and WTF_WordLock.ContendedLongSection as slow.

Unreviewed test gardening.

The ContendedShortSection version of these tests was already marked as slow,
and the ContendedLongSection version takes more or less the same time to run.
They cause timeouts on the bot sometimes.

* Scripts/run-gtk-tests:
(TestRunner):


  Commit: 692611df9984ef317066350fa8697fa5be79ec79
      https://github.com/WebKit/WebKit/commit/692611df9984ef317066350fa8697fa5be79ec79
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/cairo/ImageBufferCairo.cpp

  Log Message:
  -----------
  Merge r213491 - [cairo] error C2065: 'quality': undeclared identifier since r213412
https://bugs.webkit.org/show_bug.cgi?id=169240

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-03-06
Reviewed by Ryosuke Niwa.

* platform/graphics/cairo/ImageBufferCairo.cpp:
(WebCore::ImageBuffer::toDataURL): Name the unnamed second argument 'quality'.


  Commit: 83edea723494f4ede13cae98732faf3bf841a5d3
      https://github.com/WebKit/WebKit/commit/83edea723494f4ede13cae98732faf3bf841a5d3
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/CMakeLists.txt
    M Source/WebCore/ChangeLog

  Log Message:
  -----------
  Merge r213493 - [CMake] SN-DBS fails to build: Cannot open include file: 'WebCoreTestSupportPrefix.h'
https://bugs.webkit.org/show_bug.cgi?id=169244

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-03-06
Reviewed by Alex Christensen.

The distributed build system SN-DBS cannot find
WebCoreTestSupportPrefix.h without an include path to it.

* CMakeLists.txt: Add 'WebCore/testing/js' to include paths.


  Commit: 78d9142d6169a51c49f7a29abb800a2ba9a5f5d9
      https://github.com/WebKit/WebKit/commit/78d9142d6169a51c49f7a29abb800a2ba9a5f5d9
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/parser/scriptexec-during-parserInsertBefore-expected.txt
    A LayoutTests/fast/parser/scriptexec-during-parserInsertBefore.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/parser/HTMLConstructionSite.cpp

  Log Message:
  -----------
  Merge r213501 - Validate DOM after potentially destructive actions during parser insert operations
https://bugs.webkit.org/show_bug.cgi?id=169222
<rdar://problem/30689729>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Do not perform an insert operation if the next child's parent is no longer
part of the tree. This can happen if JavaScript runs during node removal
events and modifies the contents of the document.

This patch was inspired by a similar Blink change by Marius Mlynski:
<https://src.chromium.org/viewvc/blink?view=revision&revision=200690>

Tests: fast/parser/scriptexec-during-parserInsertBefore.html

* html/parser/HTMLConstructionSite.cpp:
(WebCore::executeReparentTask):
(WebCore::executeInsertAlreadyParsedChildTask):

LayoutTests:

This change merges a Blink test case from:
<https://src.chromium.org/viewvc/blink?view=revision&revision=200690>

* fast/parser/scriptexec-during-parserInsertBefore-expected.txt: Added.
* fast/parser/scriptexec-during-parserInsertBefore.html: Added.


  Commit: 94f87e389e219cc52ad24c89e1a32938fbe3aa52
      https://github.com/WebKit/WebKit/commit/94f87e389e219cc52ad24c89e1a32938fbe3aa52
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/events/init-events-expected.txt
    M LayoutTests/fast/events/script-tests/init-events.js
    M LayoutTests/fast/eventsource/eventsource-attribute-listeners.html
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/dom/events/CustomEvent-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/dom/events/CustomEvent.html
    M LayoutTests/imported/w3c/web-platform-tests/dom/events/Event-initEvent-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/dom/events/Event-initEvent.html
    M LayoutTests/imported/w3c/web-platform-tests/dom/interfaces-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/dom/interfaces.html
    M LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces.html
    A LayoutTests/imported/w3c/web-platform-tests/html/dom/resources/interfaces.idl
    A LayoutTests/imported/w3c/web-platform-tests/html/dom/resources/untested-interfaces.idl
    R LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/events/messageevent-constructor-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/events/messageevent-constructor.html
    M LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/events/messageevent-constructor.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/events/messageevent-constructor.https.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/bindings/js/JSMessageEventCustom.cpp
    M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
    M Source/WebCore/dom/CustomEvent.idl
    M Source/WebCore/dom/MessageEvent.idl

  Log Message:
  -----------
  Merge r213517 - Align initEvent / initCustomEvent / initMessageEvent with the latest specification
https://bugs.webkit.org/show_bug.cgi?id=169176

Reviewed by Alex Christensen.

LayoutTests/imported/w3c:

Re-sync web-platform tests from upstream after:
- https://github.com/w3c/web-platform-tests/pull/5043
- https://github.com/w3c/web-platform-tests/pull/5044

* web-platform-tests/dom/events/CustomEvent-expected.txt:
* web-platform-tests/dom/events/CustomEvent.html:
* web-platform-tests/dom/events/Event-initEvent-expected.txt:
* web-platform-tests/dom/events/Event-initEvent.html:
* web-platform-tests/dom/interfaces-expected.txt:
* web-platform-tests/dom/interfaces.html:
* web-platform-tests/html/dom/interfaces-expected.txt:
* web-platform-tests/html/dom/interfaces.html:
* web-platform-tests/html/dom/resources/interfaces.idl: Copied from LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces.html.
* web-platform-tests/html/dom/resources/untested-interfaces.idl: Added.
* web-platform-tests/html/webappapis/scripting/events/messageevent-constructor-expected.txt: Removed.
* web-platform-tests/html/webappapis/scripting/events/messageevent-constructor.html: Removed.
* web-platform-tests/html/webappapis/scripting/events/messageevent-constructor.https-expected.txt:
* web-platform-tests/html/webappapis/scripting/events/messageevent-constructor.https.html:

Source/WebCore:

Align initEvent / initCustomEvent / initMessageEvent with the latest specification
after:
- https://github.com/whatwg/dom/pull/417
- https://github.com/whatwg/html/pull/2410

In particular, the following changes were made:
- initEvent: The length property now properly returns 1 instead of 3 as only the
  first parameter is mandatory. We were already behaving correctly, but the length
  property value was wrong because we forgot to drop a hack from the bindings
  generator.
- initCustomEvent: Make all parameters except the first optional. Previously, all
  parameters were mandatory so this is safe.
- initMessageEvent: Drop the custom code and mark the first parameter as mandatory.
  A side effect of dropping the custom code is that null is no longer considered as
  valid input for the last parameter. The parameter is of type sequence<> and the
  new behavior is consistent with the specification and Firefox. If it turns out to
  break existing content, I'll make the parameter nullable in a follow-up.

No new tests, updated existing tests.

* bindings/js/JSMessageEventCustom.cpp:
* bindings/scripts/CodeGeneratorJS.pm:
(GeneratePropertiesHashTable):
* dom/CustomEvent.idl:
* dom/MessageEvent.idl:

LayoutTests:

Updated existing tests to reflect behavior change.

* fast/events/init-events-expected.txt:
* fast/events/script-tests/init-events.js:
* fast/eventsource/eventsource-attribute-listeners.html:


  Commit: 870a442743c08866b3e2e42f9080ce0a6dd43e86
      https://github.com/WebKit/WebKit/commit/870a442743c08866b3e2e42f9080ce0a6dd43e86
  Author: David Hyatt <hyatt at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBox.cpp

  Log Message:
  -----------
  Merge r213523 - Animated GIFs fail to play in multi-column layout
https://bugs.webkit.org/show_bug.cgi?id=167901
<rdar://problem/30382262>

Reviewed by Zalan Bujtas.

* rendering/RenderBox.cpp:
(WebCore::RenderBox::computeRectForRepaint):
Make sure to handle the case where we pass in a null repaintContainer and need
to cross a multicolumn flow thread -> region boundary as a result.


  Commit: e4b4e6f5210eaa69057ac98174e697363e9b5397
      https://github.com/WebKit/WebKit/commit/e4b4e6f5210eaa69057ac98174e697363e9b5397
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/ShadowBlur.cpp
    M Source/WebCore/platform/graphics/ShadowBlur.h

  Log Message:
  -----------
  Merge r213522 - ShadowBlur::calculateLayerBoundingRect doesn't need to return the enclosingIntRect of layerRect
https://bugs.webkit.org/show_bug.cgi?id=168650

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-03-07
Reviewed by Simon Fraser.

No new tests, no behavior change.

* platform/graphics/ShadowBlur.h: Change the type of return value
from IntRect to IntSize.
* platform/graphics/ShadowBlur.cpp:
(WebCore::ShadowBlur::calculateLayerBoundingRect): Ditto.
(WebCore::ShadowBlur::drawRectShadow): Rename a variable layerRect to layerSize.
(WebCore::ShadowBlur::drawInsetShadow): Ditto.
(WebCore::ShadowBlur::drawRectShadowWithoutTiling): Ditto.
(WebCore::ShadowBlur::drawInsetShadowWithoutTiling): Ditto.
(WebCore::ShadowBlur::beginShadowLayer): Ditto.


  Commit: b1c3b459cdb10874c7ace6d3ff774c1c5e86e209
      https://github.com/WebKit/WebKit/commit/b1c3b459cdb10874c7ace6d3ff774c1c5e86e209
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/text/simple-line-layout-line-is-all-whitespace-expected.txt
    A LayoutTests/fast/text/simple-line-layout-line-is-all-whitespace.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/SimpleLineLayout.cpp

  Log Message:
  -----------
  Merge r213534 - Simple line layout: Do not use invalid m_lastNonWhitespaceFragment while removing trailing whitespace.
https://bugs.webkit.org/show_bug.cgi?id=169288
rdar://problem/30576976

Reviewed by Antti Koivisto.

Source/WebCore:

When the current line has nothing but whitespace, m_lastNonWhitespaceFragment is invalid so
we should not use the start/end values to decide how many characters we need to revert.
This patch makes m_lastNonWhitespaceFragment optional. When it's invalid we just remove
all the runs from the current line since they are all considered whitespace runs.

Test: fast/text/simple-line-layout-line-is-all-whitespace.html

* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::revertAllRunsOnCurrentLine):
(WebCore::SimpleLineLayout::LineState::removeTrailingWhitespace):

LayoutTests:

* fast/text/simple-line-layout-line-is-all-whitespace-expected.txt: Added.
* fast/text/simple-line-layout-line-is-all-whitespace.html: Added.


  Commit: 0f3cbfdb14be98d21d5a0c35bd27d887ec253652
      https://github.com/WebKit/WebKit/commit/0f3cbfdb14be98d21d5a0c35bd27d887ec253652
  Author: Alex Christensen <achristensen at webkit.org>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-xhtml-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/url-constructor-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/URLParser.cpp
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp

  Log Message:
  -----------
  Merge r213546 - [URLParser] Fix file URLs that are just file:// and a Windows drive letter
https://bugs.webkit.org/show_bug.cgi?id=169242

Patch by Alex Christensen <achristensen at webkit.org> on 2017-03-07
Reviewed by Tim Horton.

LayoutTests/imported/w3c:

* web-platform-tests/url/a-element-expected.txt:
* web-platform-tests/url/a-element-xhtml-expected.txt:
* web-platform-tests/url/url-constructor-expected.txt:

Source/WebCore:

This is specified in https://url.spec.whatwg.org/#file-host-state and tested by a newly-passing
web platform test.  I added the check for the windows drive quirk in the FileHost state of the
parser but I forgot it when FileHost is the terminal state.

* platform/URLParser.cpp:
(WebCore::URLParser::parse):

Tools:

* TestWebKitAPI/Tests/WebCore/URLParser.cpp:
(TestWebKitAPI::TEST_F):
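
The two URLParser commits above (Windows drive letters surviving relative resolution, and "file://" followed only by a drive letter) both implement rules from the WHATWG URL Standard's file states. The following is an added example, not WebKit code or any of these tests: it exercises those rules through the runtime's own WHATWG-conformant URL constructor (Node.js or a browser) using a constructed case table, so a practitioner can see exactly what a conformant parser must produce and detect a divergent implementation. The helper names and the case table are constructed for this illustration.

```javascript
// Added example (not WebKit code): checks the WHATWG URL file-scheme rules
// that the URLParser commits above implement, using the runtime's built-in
// URL constructor. Helper names and the case table are constructed here.

// Resolve `input` against an optional `base`. Returns the serialized URL, or
// null when the parser rejects the input (a failure the caller must handle
// rather than fall back to string concatenation).
function resolveURL(input, base) {
  try {
    return new URL(input, base).href;
  } catch (e) {
    return null;
  }
}

// Returns the normalized Windows drive letter ("C:") when `href` is a file URL
// whose first path segment is one, otherwise null.
function fileURLDrive(href) {
  const m = /^file:\/\/\/([A-Za-z]:)(?:\/|$)/.exec(href);
  return m ? m[1] : null;
}

// Constructed cases; `expected` is the serialization the URL Standard requires.
const DRIVE_LETTER_CASES = [
  // "file://" followed only by a drive letter: "C:" is a path segment, not a
  // host (the terminal FileHost case fixed in r213546).
  { input: "file://C:", base: undefined, expected: "file:///C:" },
  // A root-relative reference keeps the base's drive letter...
  { input: "/foo", base: "file:///C:/bar", expected: "file:///C:/foo" },
  // ...unless the reference supplies its own drive letter.
  { input: "/D:/foo", base: "file:///C:/bar", expected: "file:///D:/foo" },
  // ".." never pops the drive letter off the path: traversal stops at the drive.
  { input: "../../x", base: "file:///C:/a/b", expected: "file:///C:/x" },
  // "localhost" is dropped from file URL hosts, as the first commit notes.
  { input: "file://localhost/etc/hosts", base: undefined, expected: "file:///etc/hosts" },
  // Non-file schemes have no drive letter quirk at all.
  { input: "/foo", base: "http://example.com/C:/bar", expected: "http://example.com/foo" },
];

// Runs every case and returns the mismatches (empty when the parser conforms).
function checkDriveLetterCases(cases = DRIVE_LETTER_CASES) {
  const failures = [];
  for (const { input, base, expected } of cases) {
    const actual = resolveURL(input, base);
    if (actual !== expected) {
      failures.push({ input, base, expected, actual });
    }
  }
  return failures;
}

// Stand-alone usage: report any divergence from the specification.
for (const failure of checkDriveLetterCases()) {
  console.log(`MISMATCH ${JSON.stringify(failure)}`);
}
```

The table doubles as a conformance probe: running it against two different URL parsers (a browser engine and a server-side library, say) and diffing the failures is a quick way to find the host/path disagreements that file URL handling is prone to.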


  Commit: 6e01028f2067005a5fbe8c82fb1ec2bc8c422bee
      https://github.com/WebKit/WebKit/commit/6e01028f2067005a5fbe8c82fb1ec2bc8c422bee
  Author: Said Abou-Hallawa <sabouhallawa at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/cache/CachedImage.h
    M Source/WebCore/platform/graphics/BitmapImage.cpp
    M Source/WebCore/platform/graphics/BitmapImage.h
    M Source/WebCore/platform/graphics/ImageFrame.cpp
    M Source/WebCore/platform/graphics/ImageFrame.h
    M Source/WebCore/platform/graphics/ImageFrameCache.cpp
    M Source/WebCore/platform/graphics/ImageFrameCache.h
    M Source/WebCore/platform/graphics/ImageObserver.h
    M Source/WebCore/platform/graphics/ImageSource.cpp
    M Source/WebCore/platform/graphics/ImageSource.h
    M Source/WebCore/platform/graphics/cg/ImageDecoderCG.cpp
    M Source/WebCore/platform/graphics/cg/ImageDecoderCG.h
    M Source/WebCore/platform/graphics/win/ImageDecoderDirect2D.cpp
    M Source/WebCore/platform/graphics/win/ImageDecoderDirect2D.h
    M Source/WebCore/platform/image-decoders/ImageDecoder.cpp
    M Source/WebCore/platform/image-decoders/ImageDecoder.h

  Log Message:
  -----------
  Merge r213563 - Asynchronous image decoding should consider the drawing size if it is smaller than the size of the image
https://bugs.webkit.org/show_bug.cgi?id=168814

Patch by Said Abou-Hallawa <sabouhallawa at apple.com> on 2017-03-07
Reviewed by Simon Fraser.

If the image destinationRect.size() is smaller than the imageSourceSize
(e.g. 3000x3000 pixels), CGImageSourceCreateThumbnailAtIndex() is slower
than CGImageSourceCreateImageAtIndex() in decoding this image. To overcome
this problem, the entry (kCGImageSourceThumbnailMaxPixelSize,
max(destinationRect.width, destinationRect.height)) is added to the options
dictionary when calling CGImageSourceCreateThumbnailAtIndex(). This will
avoid copying a large block of memory for the unscaled bitmap image.

An argument named 'sizeForDrawing' of type std::optional<IntSize> will be passed
all the way from BitmapImage to ImageDecoder. If bool(sizeForDrawing) equals
true that means we want async image decoding. Otherwise the image will be decoded
synchronously.

The subsamplingLevel argument will be passed as std::optional<SubsamplingLevel>.
to ImageFrame query functions. When combined with sizeForDrawing, the meaning of
these two arguments will be the following:
-- !bool(subsamplingLevel): No caching is required. return what is stored in ImageFrameCache.
-- bool(subsamplingLevel) && !bool(sizeForDrawing): Match subsamplingLevel only. Recache if it's different.
-- bool(subsamplingLevel) && bool(sizeForDrawing): Match both. Recache if one of them is different.

We are going to allow decoding the same ImageFrame for different sizeForDrawings.
The rule is a new decoding is allowed only if the maxPixelSize(sizeForDrawing) of
the last requested image decoding is less than the new request sizeForDrawing.

* loader/cache/CachedImage.h: Add a helper function which returns the URL of a CachedImage.

* platform/graphics/BitmapImage.cpp:
(WebCore::BitmapImage::frameImageAtIndex): Add a new argument for sizeForDrawing.
(WebCore::BitmapImage::nativeImage): Pass an empty sizeForDrawing to frameImageAtIndex(). We want an image with the native size.
(WebCore::BitmapImage::nativeImageForCurrentFrame): Ditto.
(WebCore::BitmapImage::nativeImageOfSize): Ditto.
(WebCore::BitmapImage::draw): Pass the destRect.size() to internalStartAnimation().
(WebCore::BitmapImage::isAsyncDecodingRequired): A helper function to answer the question
whether the async image decoding is required. It takes into account the animated images, the
large image, and the image size.
(WebCore::BitmapImage::internalStartAnimation):  If async image decoding is requested for this frame m_sizeForDraw
will be set. If internalStartAnimation() is called from startAnimation(), sizeForDraw will be empty. In this
case no async image decoding will be requested. This happens only when startAnimation() is called from outside
BitmapImage::draw().
(WebCore::BitmapImage::advanceAnimation): Change the log message.
(WebCore::BitmapImage::newFrameNativeImageAvailableAtIndex): Ditto.
* platform/graphics/BitmapImage.h:

* platform/graphics/ImageFrame.cpp:
(WebCore::ImageFrame::operator=):  Include m_sizeForDraw in the properties of ImageFrame.
(WebCore::maxPixelSize): Returns the maximum of the width() and the height of an IntSize.
(WebCore::ImageFrame::isBeingDecoded): Returns true if the ImageFrame is currently being decoded for a specific sizeForDrawing.
(WebCore::ImageFrame::hasValidNativeImage): Ditto.
* platform/graphics/ImageFrame.h:
(WebCore::ImageFrame::enqueueSizeForDecoding): Adds a new sizeForDrawing; this sets the ImageFrame is being decoded for this sizeForDrawing.
(WebCore::ImageFrame::dequeueSizeForDecoding): Removes the first sizeForDrawing that was enqueued; this marks that this ImageFrame has finished decoding for this sizeForDrawing.
(WebCore::ImageFrame::clearSizeForDecoding): Clears the sizeForDecoding queue. Marks the ImageFrame for not being decoded.
(WebCore::ImageFrame::isEmpty): Replace Decoding::Empty by Decoding::None.
(WebCore::ImageFrame::sizeForDrawing): Returns the ImageFrame sizeForDraw.
(WebCore::ImageFrame::hasDecodedNativeImage): Returns true if the ImageFrame doesn't need decoding before drawing.
(WebCore::ImageFrame::hasValidNativeImage): Deleted. Moved to the source file.

* platform/graphics/ImageFrameCache.cpp:
(WebCore::ImageFrameCache::setFrameNativeImageAtIndex): Take a new argument for sizeForDraw.
(WebCore::ImageFrameCache::setFrameMetadataAtIndex):  When sizeForDraw is set, use the decoder to get the image
frame size. Otherwise, get the size of the nativeImage.
(WebCore::ImageFrameCache::replaceFrameNativeImageAtIndex): Take a new argument for sizeForDraw.
(WebCore::ImageFrameCache::cacheFrameNativeImageAtIndex): Ditto.
(WebCore::ImageFrameCache::startAsyncDecodingQueue): Pass the sizeForDraw as a new property of the ImageFrame.
(WebCore::ImageFrameCache::requestFrameAsyncDecodingAtIndex): Store sizeForDraw in ImageFrameRequest. Delete unneeded check.
This function always receives a valid subsamplingLevel.
(WebCore::ImageFrameCache::stopAsyncDecodingQueue): Marks all the queued ImageFrames for not being decoded.
(WebCore::ImageFrameCache::frameAtIndexCacheIfNeeded): Take a new argument for sizeForDraw. If this function fixes the
properties of ImageFrame, keep the old sizeForDraw and/or subsamplingLevel. If a new frame is
decoded, no async image decoding will be done in this code path. So pass an empty std::optional<IntSize> to
ImageDecoder::createFrameImageAtIndex() and store std::optional<IntSize> in ImageFrame.
(WebCore::ImageFrameCache::frameMetadataAtIndex): A new helper function which takes a variable number of arguments which
will be passed to the (ImageFrame::*functor).
(WebCore::ImageFrameCache::frameMetadataAtIndexCacheIfNeeded): Make this function take a variable number of arguments which
will be passed to the frameAtIndexCacheIfNeeded().
(WebCore::ImageFrameCache::size): Pass a Metadata, valid SubsamplingLevel and empty sizeForDraw to frameMetadataAtIndexCacheIfNeeded().
(WebCore::ImageFrameCache::sizeRespectingOrientation): Ditto.
(WebCore::ImageFrameCache::singlePixelSolidColor): Pass MetadataAndImage, empty SubsamplingLevel and empty sizeForDraw to
frameMetadataAtIndexCacheIfNeeded(); we can use the current frame image regardless of its size.
(WebCore::ImageFrameCache::frameIsBeingDecodedAtIndex): Pass the ImageFrame method as a function argument instead of
passing it as a template argument.
(WebCore::ImageFrameCache::frameIsCompleteAtIndex): Ditto.
(WebCore::ImageFrameCache::frameHasAlphaAtIndex): Ditto.
(WebCore::ImageFrameCache::frameHasImageAtIndex): Ditto.
(WebCore::ImageFrameCache::frameHasValidNativeImageAtIndex): Pass subsamplingLevel and sizeForDrawing to frameMetadataAtIndex().
(WebCore::ImageFrameCache::frameHasDecodedNativeImage): New helper function to answer the question whether an ImageFrame will need
decoding when drawing or not.
(WebCore::ImageFrameCache::frameSubsamplingLevelAtIndex):  Pass the ImageFrame method as a function argument instead of
passing it as a template argument.
(WebCore::ImageFrameCache::frameSizeAtIndex): Ditto.
(WebCore::ImageFrameCache::frameBytesAtIndex): Ditto.
(WebCore::ImageFrameCache::frameDurationAtIndex): Ditto.
(WebCore::ImageFrameCache::frameOrientationAtIndex):
(WebCore::ImageFrameCache::frameImageAtIndex): Ditto.
(WebCore::ImageFrameCache::frameAtIndex): Deleted. Renamed to frameAtIndexCacheIfNeeded().
* platform/graphics/ImageFrameCache.h:
(WebCore::ImageFrameCache::frameAtIndexCacheIfNeeded):

* platform/graphics/ImageObserver.h: Define a virtual function for image sourceUrl().

* platform/graphics/ImageSource.cpp:
(WebCore::ImageSource::frameImageAtIndex): Take a new argument for sizeForDrawing.
* platform/graphics/ImageSource.h:
(WebCore::ImageSource::requestFrameAsyncDecodingAtIndex): Take a new argument for sizeForDrawing.
(WebCore::ImageSource::frameHasValidNativeImageAtIndex): Ditto.
(WebCore::ImageSource::frameHasDecodedNativeImage): New helper function.
(WebCore::ImageSource::frameImageAtIndex): Ditto.

* platform/graphics/cg/ImageDecoderCG.cpp:
(WebCore::createImageSourceOptions): Create a dictionary with the basic image decoding options.
(WebCore::createImageSourceAsyncOptions): Create a dictionary with the basic asynchronous image decoding options.
(WebCore::appendImageSourceOption): Append the SubsamplingLevel or the MaxPixelSize option to a CGImageSource options dictionary.
(WebCore::appendImageSourceOptions): Append the SubsamplingLevel and the MaxPixelSize option to a CGImageSource options dictionary.
(WebCore::imageSourceOptions): Creates a dictionary for the synchronous image decoding options.
(WebCore::imageSourceAsyncOptions): Creates a dictionary for the asynchronous image decoding options.
(WebCore::ImageDecoder::createFrameImageAtIndex): Replace the DecodingMode argument by an std::optional<IntSize>.
* platform/graphics/cg/ImageDecoderCG.h: Change a prototype.

* platform/graphics/win/ImageDecoderDirect2D.cpp:
(WebCore::ImageDecoder::createFrameImageAtIndex): Replace the DecodingMode argument by an std::optional<IntSize>.
* platform/graphics/win/ImageDecoderDirect2D.h: Change a prototype.

* platform/image-decoders/ImageDecoder.cpp:
(WebCore::ImageDecoder::createFrameImageAtIndex): Replace the DecodingMode argument by an std::optional<IntSize>.
* platform/image-decoders/ImageDecoder.h: Change a prototype.


  Commit: 5fe99b3d3a7bad43eb598137aa74b0ff2b2f450c
      https://github.com/WebKit/WebKit/commit/5fe99b3d3a7bad43eb598137aa74b0ff2b2f450c
  Author: David Hyatt <hyatt at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/multicol/newmulticol/adjacent-spanners-expected.html
    M LayoutTests/fast/multicol/newmulticol/adjacent-spanners.html
    M LayoutTests/fast/multicol/newmulticol/clipping-expected.html
    M LayoutTests/fast/multicol/newmulticol/clipping.html
    M LayoutTests/fast/multicol/newmulticol/spanner-inline-block-expected.html
    M LayoutTests/fast/multicol/newmulticol/spanner-inline-block.html
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-block-clip-001-expected.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-block-clip-001.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-block-clip-002-expected.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-block-clip-002.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-count-computed-003-expected.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-count-computed-003.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-count-computed-005-expected.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-count-computed-005.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-height-block-child-001-expected.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-height-block-child-001.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-span-none-001-expected.xht
    R LayoutTests/imported/w3c/css/css-multicol-1/multicol-span-none-001.xht
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderMultiColumnSet.cpp

  Log Message:
  -----------
  Merge r213593 - CSS Multicolumn should not clip columns horizontally
https://bugs.webkit.org/show_bug.cgi?id=169363

Reviewed by Sam Weinig.

Source/WebCore:

Revised multiple tests in fast/multicol.

* rendering/RenderMultiColumnSet.cpp:
(WebCore::RenderMultiColumnSet::flowThreadPortionOverflowRect):
Stop clipping horizontally. Section 8.1 of the spec changed from "clip" to "don't clip",
so we're changing to match the latest draft. Keep iBooks-based pagination clipping though.

LayoutTests:

* fast/multicol/newmulticol/adjacent-spanners-expected.html:
* fast/multicol/newmulticol/adjacent-spanners.html:
* fast/multicol/newmulticol/clipping-expected.html:
* fast/multicol/newmulticol/clipping.html:
* fast/multicol/newmulticol/spanner-inline-block-expected.html:
* fast/multicol/newmulticol/spanner-inline-block.html:


  Commit: 4f1ba4688fa7b09bf67b93043a886c2f49bcd524
      https://github.com/WebKit/WebKit/commit/4f1ba4688fa7b09bf67b93043a886c2f49bcd524
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/forms/ValidityState-customError-expected.txt
    M LayoutTests/fast/forms/ValidityState-customError.html
    A LayoutTests/fast/forms/setCustomValidity-null-parameter-expected.txt
    A LayoutTests/fast/forms/setCustomValidity-null-parameter.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/HTMLButtonElement.idl
    M Source/WebCore/html/HTMLFieldSetElement.idl
    M Source/WebCore/html/HTMLInputElement.idl
    M Source/WebCore/html/HTMLKeygenElement.idl
    M Source/WebCore/html/HTMLObjectElement.idl
    M Source/WebCore/html/HTMLOutputElement.idl
    M Source/WebCore/html/HTMLSelectElement.idl
    M Source/WebCore/html/HTMLTextAreaElement.idl

  Log Message:
  -----------
  Merge r213606 - Parameter to input.setCustomValidity() should not be nullable
https://bugs.webkit.org/show_bug.cgi?id=169332

Reviewed by Sam Weinig.

Source/WebCore:

Parameter to input.setCustomValidity() should not be nullable:
- https://html.spec.whatwg.org/#htmlinputelement

Firefox and Chrome agree with the specification so the change
should be safe.

Test: fast/forms/setCustomValidity-null-parameter.html

* html/HTMLButtonElement.idl:
* html/HTMLFieldSetElement.idl:
* html/HTMLInputElement.idl:
* html/HTMLKeygenElement.idl:
* html/HTMLObjectElement.idl:
* html/HTMLOutputElement.idl:
* html/HTMLSelectElement.idl:
* html/HTMLTextAreaElement.idl:

LayoutTests:

* fast/forms/ValidityState-customError-expected.txt:
* fast/forms/ValidityState-customError.html:
Rebaseline now that behavior has changed when passing null or undefined
to setCustomValidity().

* fast/forms/setCustomValidity-null-parameter-expected.txt: Added.
* fast/forms/setCustomValidity-null-parameter.html: Added.
Add layout test coverage.


  Commit: 2ddc6b82c72f70be13705e571b1b275d27a90fdb
      https://github.com/WebKit/WebKit/commit/2ddc6b82c72f70be13705e571b1b275d27a90fdb
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/gtk/DragAndDropHandler.cpp

  Log Message:
  -----------
  Merge r213638 - Correctly process the return value of gdk_drag_context_get_selected_action()

Reviewed by Carlos Garcia Campos.

It returns the action itself and not the bitmask.

* UIProcess/gtk/DragAndDropHandler.cpp:
(WebKit::DragAndDropHandler::drop):


  Commit: 66955b3813e998069ec5d458773dbee8f21b2d50
      https://github.com/WebKit/WebKit/commit/66955b3813e998069ec5d458773dbee8f21b2d50
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/elementFromPoint-parameters-expected.txt
    A LayoutTests/fast/dom/elementFromPoint-parameters.html
    M LayoutTests/fast/dom/non-numeric-values-numeric-parameters-expected.txt
    M LayoutTests/fast/dom/script-tests/non-numeric-values-numeric-parameters.js
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/DocumentOrShadowRoot.idl
    M Source/WebCore/dom/TreeScope.cpp
    M Source/WebCore/dom/TreeScope.h

  Log Message:
  -----------
  Merge r213646 - Align Document.elementFromPoint() with the CSSOM specification
https://bugs.webkit.org/show_bug.cgi?id=169403

Reviewed by Sam Weinig.

Source/WebCore:

Align Document.elementFromPoint() with the CSSOM specification:
- https://drafts.csswg.org/cssom-view/#extensions-to-the-document-interface

In particular, the parameters should be mandatory and of type double.

The parameters are mandatory in both Firefox and Chrome already. Parameters
are finite floating point in Firefox and integers in Chrome.

Test: fast/dom/elementFromPoint-parameters.html

* dom/DocumentOrShadowRoot.idl:
* dom/TreeScope.cpp:
(WebCore::TreeScope::elementFromPoint):
* dom/TreeScope.h:

LayoutTests:

Add layout test coverage.

* fast/dom/elementFromPoint-parameters-expected.txt: Added.
* fast/dom/elementFromPoint-parameters.html: Added.
* fast/dom/non-numeric-values-numeric-parameters-expected.txt:
* fast/dom/script-tests/non-numeric-values-numeric-parameters.js:


  Commit: 83c332c0181c28ac8242f4e9092652e56be54673
      https://github.com/WebKit/WebKit/commit/83c332c0181c28ac8242f4e9092652e56be54673
  Author: Filip Pizlo <fpizlo at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/JSObject.h

  Log Message:
  -----------
  Merge r213648 - WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed
https://bugs.webkit.org/show_bug.cgi?id=169215

Reviewed by Mark Lam.

This doesn't have a test because it would be a very complicated test.

* runtime/JSObject.h:
(JSC::JSObject::ensureLength): If ensureLengthSlow returns false, we need to return false.


  Commit: 28ec675dbd3b65744420fab187013922d560bd2d
      https://github.com/WebKit/WebKit/commit/28ec675dbd3b65744420fab187013922d560bd2d
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/parser/SizesAttributeParser.cpp

  Log Message:
  -----------
  Merge r213711 - imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute.html is unreliable
https://bugs.webkit.org/show_bug.cgi?id=169465

Reviewed by Zalan Bujtas.

LayoutTests/imported/w3c:

* web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute-expected.txt:

Source/WebCore:

It shows all subtests passing but that is a bug. We don't even support all the unit types.
The test occasionally fails when reloading; those failing results are actually the correct ones.

* css/parser/SizesAttributeParser.cpp:
(WebCore::SizesAttributeParser::SizesAttributeParser):

    Ensure we have the correct size for the iframe before parsing 'sizes' attribute values. The interpretation of
    these may depend on the iframe dimensions.


  Commit: 7dbeef947f3c75822c98df50aa8c73fc1bb6af7d
      https://github.com/WebKit/WebKit/commit/7dbeef947f3c75822c98df50aa8c73fc1bb6af7d
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/regress-168546.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

  Log Message:
  -----------
  Merge r213742 - JSC: BindingNode::bindValue doesn't increase the scope's reference count.
https://bugs.webkit.org/show_bug.cgi?id=168546
<rdar://problem/30589551>

Reviewed by Saam Barati.

JSTests:

* stress/regress-168546.js: Added.

Source/JavaScriptCore:

We should protect the scope RegisterID with a RefPtr while it is still needed.

* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitLoopHeader):
(JSC::ForOfNode::emitBytecode):
(JSC::BindingNode::bindValue):


  Commit: 53033d751cb4a21ec3acb95572b741758ecb05ac
      https://github.com/WebKit/WebKit/commit/53033d751cb4a21ec3acb95572b741758ecb05ac
  Author: Filip Pizlo <fpizlo at apple.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/heap/HeapCell.cpp
    M Source/JavaScriptCore/heap/HeapCell.h
    M Source/JavaScriptCore/runtime/Structure.cpp

  Log Message:
  -----------
  Merge r213773 - Structure::willStoreValueSlow needs to keep the property table alive until the end
https://bugs.webkit.org/show_bug.cgi?id=169520

Reviewed by Michael Saboff.

We use pointers logically interior to `propertyTable` after doing a GC. We need to prevent the
compiler from optimizing away pointers to `propertyTable`.

* heap/HeapCell.cpp:
(JSC::HeapCell::use):
* heap/HeapCell.h:
(JSC::HeapCell::use): Introduce API for keeping a pointer alive until some point in execution.
* runtime/Structure.cpp:
(JSC::Structure::willStoreValueSlow): Use HeapCell::use() to keep the pointer alive.


  Commit: c43faf46ef64a13c3838f0cb2abd42aaa7a028b9
      https://github.com/WebKit/WebKit/commit/c43faf46ef64a13c3838f0cb2abd42aaa7a028b9
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Tools/ChangeLog
    M Tools/MiniBrowser/gtk/BrowserWindow.c

  Log Message:
  -----------
  Merge r213789 - MiniBrowser: a tab closed from javascript always closes the window
https://bugs.webkit.org/show_bug.cgi?id=169415

Reviewed by Michael Catanzaro.

When I implemented tabs support in MiniBrowser I forgot about web view close. We connect to the signal (only for
the active tab) and close the window. That worked when we didn't have tabs, but now we should close the tab, or
the window if it's the last tab.

* MiniBrowser/gtk/BrowserWindow.c:
(webViewClose): Destroy the window if there's only one tab, otherwise search for the tab corresponding to the web
view and destroy it.
(browserWindowSwitchTab): Re-connect to close signal, we want to handle close on all tabs.


  Commit: 2b41d1569793f2a6180a02145f4995d1660b575a
      https://github.com/WebKit/WebKit/commit/2b41d1569793f2a6180a02145f4995d1660b575a
  Author: Miguel Gomez <magomez at igalia.com>
  Date:   2017-03-13 (Mon, 13 Mar 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/ImageFrameCache.cpp
    M Source/WebCore/platform/graphics/ImageFrameCache.h
    M Source/WebCore/platform/graphics/ImageSource.h
    M Source/WebCore/platform/graphics/cg/ImageDecoderCG.h
    M Source/WebCore/platform/graphics/win/ImageDecoderDirect2D.h
    M Source/WebCore/platform/image-decoders/ImageDecoder.cpp
    M Source/WebCore/platform/image-decoders/ImageDecoder.h

  Log Message:
  -----------
  Merge r213833 - ImageDecoder can be deleted while the async decoder thread is still using it
https://bugs.webkit.org/show_bug.cgi?id=169199

Reviewed by Carlos Garcia Campos.

Make the image decoder used by ImageSource and ImageFrameCache into a RefPtr instead of
a unique_ptr, and pass a reference to the decoder thread. This ensures that the decoder
will stay alive as long as the decoding thread is processing frames. Also, stop the async
decoding queue if a new decoder is set to ImageFrameCache.

No new tests.

* platform/graphics/ImageFrameCache.cpp:
(WebCore::ImageFrameCache::setDecoder):
(WebCore::ImageFrameCache::decoder):
(WebCore::ImageFrameCache::startAsyncDecodingQueue):
(WebCore::ImageFrameCache::metadata):
* platform/graphics/ImageFrameCache.h:
(WebCore::ImageFrameCache::setDecoder): Deleted.
Moved to source file so we can keep the ImageDecoder forward declaration.
(WebCore::ImageFrameCache::decoder): Deleted.
Moved to source file so we can keep the ImageDecoder forward declaration.
* platform/graphics/ImageSource.h:
* platform/graphics/cg/ImageDecoderCG.h:
(WebCore::ImageDecoder::create):
* platform/graphics/win/ImageDecoderDirect2D.h:
(WebCore::ImageDecoder::create):
* platform/image-decoders/ImageDecoder.cpp:
(WebCore::ImageDecoder::create):
* platform/image-decoders/ImageDecoder.h:


  Commit: 800c170448fd0ee0eeb5c1494dd9628d8400fb30
      https://github.com/WebKit/WebKit/commit/800c170448fd0ee0eeb5c1494dd9628d8400fb30
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-03-14 (Tue, 14 Mar 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/API/gtk/WebKitWebView.cpp

  Log Message:
  -----------
  Merge r213888 - Unreviewed. Fix syntax error in GTK+ API docs.

* UIProcess/API/gtk/WebKitWebView.cpp:
(webkit_web_view_class_init):


  Commit: d266ee6a9ba611e246d9da3ae97e0f2ae9f5352e
      https://github.com/WebKit/WebKit/commit/d266ee6a9ba611e246d9da3ae97e0f2ae9f5352e
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-03-14 (Tue, 14 Mar 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.15.92 release.

.:

* Source/cmake/OptionsGTK.cmake: Bump version numbers.

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.15.92.


  Commit: d1d05dbf3543f2f163a223bbfef8fea060ae7f05
      https://github.com/WebKit/WebKit/commit/d1d05dbf3543f2f163a223bbfef8fea060ae7f05
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-03-20 (Mon, 20 Mar 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/API/gtk/WebKitAutocleanups.h

  Log Message:
  -----------
  Merge r214163 - Unreviewed. Add missing types to WebKitAutocleanups.

* UIProcess/API/gtk/WebKitAutocleanups.h:


  Commit: c8719a32056791fa7797ccb5671e839caf13eb70
      https://github.com/WebKit/WebKit/commit/c8719a32056791fa7797ccb5671e839caf13eb70
  Author: Josef Andersson <l10nl18nsweja at gmail.com>
  Date:   2017-03-20 (Mon, 20 Mar 2017)

  Changed paths:
    M Source/WebCore/platform/gtk/po/ChangeLog
    M Source/WebCore/platform/gtk/po/sv.po

  Log Message:
  -----------
  Merge r213855 - Updated Swedish translation
https://bugs.webkit.org/show_bug.cgi?id=169549

Patch by Josef Andersson <l10nl18nsweja at gmail.com> on 2017-03-13
Rubber-stamped by Michael Catanzaro.

* sv.po:


  Commit: 67df93f2b54df6a1759ea63b21129da6d7d56adf
      https://github.com/WebKit/WebKit/commit/67df93f2b54df6a1759ea63b21129da6d7d56adf
  Author: Yuri Chornoivan <yurchor at ukr.net>
  Date:   2017-03-20 (Mon, 20 Mar 2017)

  Changed paths:
    M Source/WebCore/platform/gtk/po/ChangeLog
    M Source/WebCore/platform/gtk/po/uk.po

  Log Message:
  -----------
  Update Ukrainian translation
https://bugs.webkit.org/show_bug.cgi?id=169812

Patch by Yuri Chornoivan <yurchor at ukr.net> on 2017-03-18
Rubber-stamped by Michael Catanzaro.

* uk.po:


  Commit: c48b8862198b68214b47885b1e32f037fe2d5e5e
      https://github.com/WebKit/WebKit/commit/c48b8862198b68214b47885b1e32f037fe2d5e5e
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-03-20 (Mon, 20 Mar 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.0 release.

.:

* Source/cmake/OptionsGTK.cmake: Bump version numbers.

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.16.0.


  Commit: 1006d9eca761af1b1aef97b05ed76dcc99c8d477
      https://github.com/WebKit/WebKit/commit/1006d9eca761af1b1aef97b05ed76dcc99c8d477
  Author: Caio Araujo Neponoceno de Lima <ticaiolima at gmail.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChakraCore/test/LetConst/DeclOutofBlock.baseline-jsc
    M JSTests/ChangeLog
    M LayoutTests/ChangeLog
    M LayoutTests/js/let-syntax-expected.txt
    M LayoutTests/js/script-tests/let-syntax.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/parser/Parser.cpp

  Log Message:
  -----------
  Merge r213850 - [JSC] It should be possible to create a label named let when parsing Statement in non-strict mode
https://bugs.webkit.org/show_bug.cgi?id=168684

Patch by Caio Lima <ticaiolima at gmail.com> on 2017-03-13
Reviewed by Saam Barati.

JSTests:

* ChakraCore/test/LetConst/DeclOutofBlock.baseline-jsc:

Source/JavaScriptCore:

This patch fixes a Parser bug to allow defining a label named
`let` in sloppy mode when parsing a Statement.

* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseStatement):

LayoutTests:

* js/let-syntax-expected.txt:
* js/script-tests/let-syntax.js:
(shouldNotHaveSyntaxErrorSloopyOnly):


  Commit: 526d7065e880c66648ba4757df94dbb54a14ce43
      https://github.com/WebKit/WebKit/commit/526d7065e880c66648ba4757df94dbb54a14ce43
  Author: Filip Pizlo <fpizlo at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h

  Log Message:
  -----------
  Merge r213876 - FTL should not flush strict arguments unless it really needs to
https://bugs.webkit.org/show_bug.cgi?id=169519

Reviewed by Mark Lam.

This is a refinement that we should have done ages ago. This kills some pointless PutStacks
in DFG SSA IR. It can sometimes unlock other optimizations.

Relanding after I fixed the special cases for CreateArguments-style nodes.

* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):


  Commit: 702a98e4467ac5dcf169ebb02bb7dd202f6889c7
      https://github.com/WebKit/WebKit/commit/702a98e4467ac5dcf169ebb02bb7dd202f6889c7
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/TestExpectations
    A LayoutTests/editing/execCommand/resources/self-closing-modal-dialog.html
    A LayoutTests/editing/execCommand/show-modal-dialog-during-execCommand-expected.txt
    A LayoutTests/editing/execCommand/show-modal-dialog-during-execCommand.html
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/ChangeLog
    M Source/WebCore/editing/EditorCommand.cpp
    M Source/WebCore/rendering/RenderView.cpp
    M Source/WebCore/rendering/RenderView.h

  Log Message:
  -----------
  Merge r213897 - Make RepaintRegionAccumulator hold a WeakPtr to its root RenderView
https://bugs.webkit.org/show_bug.cgi?id=168480
<rdar://problem/30566976>

Reviewed by Antti Koivisto.

Source/WebCore:

Implements two mitigations to prevent the symptoms of the bug from occurring (see the bugzilla for more details).

Test: editing/execCommand/show-modal-dialog-during-execCommand.html

* editing/EditorCommand.cpp:
(WebCore::Editor::Command::execute):

Do not allow edit commands to execute if the frame's document before and after layout differ (that is, edit commands
triggered by a certain document should not run on a different document).

* rendering/RenderView.cpp:
(WebCore::RenderView::RenderView):
(WebCore::RenderView::RepaintRegionAccumulator::RepaintRegionAccumulator):

Turns RepaintRegionAccumulator's reference to its root RenderView into a WeakPtr to gracefully handle the case
where its RenderView is destroyed before RepaintRegionAccumulator's destructor gets a chance to flush the
RenderView's repaint regions.

* rendering/RenderView.h:

LayoutTests:

Introduces a new layout test. See WebCore ChangeLog for more details.

* TestExpectations:
* editing/execCommand/show-modal-dialog-during-execCommand-expected.txt: Added.
* editing/execCommand/show-modal-dialog-during-execCommand.html: Added.
* editing/execCommand/resources/self-closing-modal-dialog.html: Added.
* platform/mac-wk1/TestExpectations:


  Commit: 1e4d5da30628a14e8bb28031a47661e615382bba
      https://github.com/WebKit/WebKit/commit/1e4d5da30628a14e8bb28031a47661e615382bba
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBlock.cpp

  Log Message:
  -----------
  Merge r213923 - Remove redundant check for "firstLine" in RenderBlock::lineHeight()
https://bugs.webkit.org/show_bug.cgi?id=169610

Patch by Adrian Perez de Castro <aperez at igalia.com> on 2017-03-14
Reviewed by Michael Catanzaro.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::lineHeight): Remove test of "firstLine" that
was already checked in the condition for the enclosing if-clause.


  Commit: e140c8def1b4cbd4f24eb88ed74d35d038bd50a0
      https://github.com/WebKit/WebKit/commit/e140c8def1b4cbd4f24eb88ed74d35d038bd50a0
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/text/simple-line-layout-hyphenation-constrains-expected.html
    A LayoutTests/fast/text/simple-line-layout-hyphenation-constrains.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/SimpleLineLayout.cpp
    M Source/WebCore/rendering/line/BreakingContext.h

  Log Message:
  -----------
  Merge r213944 - Simple line layout: Adjust hyphenation constrains based on the normal line layout line-breaking logic.
https://bugs.webkit.org/show_bug.cgi?id=169617

Source/WebCore:

Reviewed by Antti Koivisto.

This patch ensures that simple line layout ends up with the same hyphenation context as normal line layout.

Test: fast/text/simple-line-layout-hyphenation-constrains.html

* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::hyphenPositionForFragment): see webkit.org/b/169613
(WebCore::SimpleLineLayout::splitFragmentToFitLine):
* rendering/line/BreakingContext.h: Integral -> fractional.
(WebCore::tryHyphenating):

LayoutTests:

Reviewed by Antti Koivisto.

* fast/text/simple-line-layout-hyphenation-constrains-expected.html: Added.
* fast/text/simple-line-layout-hyphenation-constrains.html: Added.


  Commit: 3b3134a10ecf035926b372df9cb5539b764e463e
      https://github.com/WebKit/WebKit/commit/3b3134a10ecf035926b372df9cb5539b764e463e
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

  Log Message:
  -----------
  Merge r213966 - BytecodeGenerator should use the same function to determine if it needs to store the DerivedConstructor in an ArrowFunction lexical environment.
https://bugs.webkit.org/show_bug.cgi?id=169647
<rdar://problem/31051832>

Reviewed by Michael Saboff.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::usesDerivedConstructorInArrowFunctionLexicalEnvironment):
(JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
(JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
* bytecompiler/BytecodeGenerator.h:


  Commit: ea6f340cce96a774dfeed047084509946148bebe
      https://github.com/WebKit/WebKit/commit/ea6f340cce96a774dfeed047084509946148bebe
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/media/video-element-in-details-collapse-expected.txt
    A LayoutTests/fast/media/video-element-in-details-collapse.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderElement.cpp

  Log Message:
  -----------
  Merge r213967 - RenderElements should unregister for viewport visibility callbacks when they are destroyed
https://bugs.webkit.org/show_bug.cgi?id=169521
<rdar://problem/30959545>

Reviewed by Simon Fraser.

Source/WebCore:

When registering a RenderElement for viewport visibility callbacks, we always need to make sure that it is unregistered
before it is destroyed. While we account for this in the destructor of RenderElement, we only unregister in the destructor
if we are already registered for visibility callbacks. In the call to RenderObject::willBeDestroyed(), we clear out rare
data, which holds RenderElement's viewport callback registration state, so upon entering the destructor of RenderElement,
we skip unregistration because RenderElement thinks that it is not registered.

We can mitigate this by unregistering the RenderElement earlier, in RenderElement::willBeDestroyed, prior to clearing out
the rare data. However, we'd ideally want to move the cleanup logic out of the destructor altogether and into willBeDestroyed
(see https://bugs.webkit.org/show_bug.cgi?id=169650).

Test: fast/media/video-element-in-details-collapse.html

* rendering/RenderElement.cpp:
(WebCore::RenderElement::willBeDestroyed):

LayoutTests:

Adds a new layout test covering this regression. See WebCore ChangeLog for more details.

* fast/media/video-element-in-details-collapse-expected.txt: Added.
* fast/media/video-element-in-details-collapse.html: Added.

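As an added illustration of the ordering problem this commit describes (a simplified stand-in, not WebKit's RenderElement or RenderObject code): the registration flag lives in lazily allocated rare data, so clearing that rare data before the destructor runs makes the destructor believe nothing is registered and leaves a dangling pointer in the registry. The registry, rare-data struct and the `applyFix` switch are constructed for the example.

```cpp
// Simplified model of the viewport-visibility registration bug from r213967.
// Not WebKit code; the registry and element types are constructed here.
#include <memory>
#include <set>

struct Element;

// Holds raw pointers to elements that asked for visibility callbacks, so a
// missed unregistration leaves a dangling pointer behind.
struct VisibilityRegistry {
    std::set<Element*> registered;
    void add(Element* e) { registered.insert(e); }
    void remove(Element* e) { registered.erase(e); }
    bool contains(Element* e) const { return registered.count(e) != 0; }
};

// Stand-in for the rare data that stores the registration state.
struct RareData {
    bool registeredForVisibility = false;
};

struct Element {
    VisibilityRegistry& registry;
    std::unique_ptr<RareData> rareData;  // cleared by the base-class teardown
    bool applyFix;                       // constructed switch: apply the r213967 ordering

    Element(VisibilityRegistry& r, bool fix) : registry(r), applyFix(fix) {}

    void registerForVisibilityCallbacks() {
        if (!rareData)
            rareData = std::make_unique<RareData>();
        rareData->registeredForVisibility = true;
        registry.add(this);
    }

    // Only unregisters when the element believes it is registered, which is
    // exactly what goes wrong once the rare data has been dropped.
    void unregisterForVisibilityCallbacks() {
        if (rareData && rareData->registeredForVisibility) {
            registry.remove(this);
            rareData->registeredForVisibility = false;
        }
    }

    // Models willBeDestroyed(): the fix unregisters here, while the
    // registration state is still intact, before the rare data is cleared.
    void willBeDestroyed() {
        if (applyFix)
            unregisterForVisibilityCallbacks();
        rareData.reset();  // base-class teardown clears the rare data
    }

    // The pre-fix destructor logic: skipped silently when rareData is gone.
    ~Element() { unregisterForVisibilityCallbacks(); }
};

// Destroys an element the way the teardown sequence does and reports whether
// the registry still holds its (now dangling) address. true means the bug
// reproduced; the fixed ordering yields false.
bool leavesDanglingRegistration(bool applyFix) {
    VisibilityRegistry registry;
    Element* stale = nullptr;
    {
        auto element = std::make_unique<Element>(registry, applyFix);
        element->registerForVisibilityCallbacks();
        stale = element.get();
        element->willBeDestroyed();
        // element is destroyed here; the destructor runs after the rare data is gone
    }
    return registry.contains(stale);
}
```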

  Commit: 82e01c081b2d641a075f728089079698d52f5778
      https://github.com/WebKit/WebKit/commit/82e01c081b2d641a075f728089079698d52f5778
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/offlineasm/risc.rb

  Log Message:
  -----------
  Merge r213973 - Wrong condition in offlineasm/risc.rb
https://bugs.webkit.org/show_bug.cgi?id=169597

Reviewed by Mark Lam.

It's missing the 'and' operator between the conditions.

* offlineasm/risc.rb:


  Commit: 281321d3e5fd9c3ec28c85c63a3dad2bfaae1abd
      https://github.com/WebKit/WebKit/commit/281321d3e5fd9c3ec28c85c63a3dad2bfaae1abd
  Author: Žan Doberšek <zdobersek at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/texmap/BitmapTexturePool.h
    M Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h
    M Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsState.h
    M Source/WebCore/platform/graphics/texmap/coordinated/SurfaceUpdateInfo.h

  Log Message:
  -----------
  Merge r213989 - [TexMap] Add missing class member initializations
https://bugs.webkit.org/show_bug.cgi?id=169665

Reviewed by Michael Catanzaro.

Zero-initialize the members in various TextureMapper classes
that are missing the proper initialization, as reported by
the Coverity tool.

* platform/graphics/texmap/BitmapTexturePool.h:
* platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h:
* platform/graphics/texmap/coordinated/CoordinatedGraphicsState.h:
(WebCore::CoordinatedGraphicsLayerState::CoordinatedGraphicsLayerState):
* platform/graphics/texmap/coordinated/SurfaceUpdateInfo.h:


  Commit: 2510076c42dbfa99a9b56ac307c6a62a2c37d705
      https://github.com/WebKit/WebKit/commit/2510076c42dbfa99a9b56ac307c6a62a2c37d705
  Author: Žan Doberšek <zdobersek at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/gtk/PlatformMouseEventGtk.cpp

  Log Message:
  -----------
  Merge r213990 - [GTK] Initialize m_button, m_clickCount members in PlatformMouseEvent constructors
https://bugs.webkit.org/show_bug.cgi?id=169666

Reviewed by Michael Catanzaro.

Initialize the m_button and m_clickCount class members in the GTK+-specific
implementation of PlatformMouseEvent constructors to NoButton and 0,
respectively. The constructors expect to operate on passed-in GTK+ events
that will be able to initialize those two members to some valid values, but
this is not guaranteed.

* platform/gtk/PlatformMouseEventGtk.cpp:
(WebCore::PlatformMouseEvent::PlatformMouseEvent):


  Commit: f0bec6b52d82c3489a2aa6311a6e3f26f33235b0
      https://github.com/WebKit/WebKit/commit/f0bec6b52d82c3489a2aa6311a6e3f26f33235b0
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/interpreter/Interpreter.cpp

  Log Message:
  -----------
  Merge r214005 - Fix missing exception checks in Interpreter.cpp.
https://bugs.webkit.org/show_bug.cgi?id=164964

Reviewed by Saam Barati.

* interpreter/Interpreter.cpp:
(JSC::eval):
(JSC::sizeOfVarargs):
(JSC::sizeFrameForVarargs):
(JSC::Interpreter::executeProgram):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall):
(JSC::Interpreter::execute):


  Commit: baec2d9176ece0614b2d6b67e421804b952e03d6
      https://github.com/WebKit/WebKit/commit/baec2d9176ece0614b2d6b67e421804b952e03d6
  Author: David Hyatt <hyatt at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/svg/in-html/rect-positioned-expected.html
    A LayoutTests/svg/in-html/rect-positioned.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBox.h
    M Source/WebCore/rendering/RenderReplaced.cpp
    M Source/WebCore/rendering/RenderReplaced.h
    M Source/WebCore/rendering/RenderVideo.cpp
    M Source/WebCore/rendering/RenderVideo.h
    M Source/WebCore/rendering/svg/RenderSVGRoot.cpp
    M Source/WebCore/rendering/svg/RenderSVGRoot.h

  Log Message:
  -----------
  Merge r214010 - Positioned SVG not sized correctly
https://bugs.webkit.org/show_bug.cgi?id=169693
<rdar://problem/30996893>

Reviewed by Zalan Bujtas.

Source/WebCore:

Test: svg/in-html/rect-positioned.html

Change computeReplacedLogicalHeight to take an estimatedUsedWidth. This
value is used instead of the available logical width to resolve replaced
elements without intrinsic sizes but with aspect ratios set.

* rendering/RenderBox.cpp:
(WebCore::RenderBox::computeReplacedLogicalHeight):
* rendering/RenderBox.h:
* rendering/RenderReplaced.cpp:
(WebCore::RenderReplaced::computeConstrainedLogicalWidth):
(WebCore::RenderReplaced::computeReplacedLogicalWidth):
(WebCore::RenderReplaced::computeReplacedLogicalHeight):
* rendering/RenderReplaced.h:
* rendering/RenderVideo.cpp:
(WebCore::RenderVideo::computeReplacedLogicalHeight): Deleted.
* rendering/RenderVideo.h:
* rendering/svg/RenderSVGRoot.cpp:
(WebCore::RenderSVGRoot::computeReplacedLogicalWidth):
(WebCore::RenderSVGRoot::computeReplacedLogicalHeight):
* rendering/svg/RenderSVGRoot.h:

LayoutTests:

* svg/in-html/rect-positioned-expected.html: Added.
* svg/in-html/rect-positioned.html: Added.


  Commit: a2a916db1e81ae97a3cf20f853759bb8bc333c2f
      https://github.com/WebKit/WebKit/commit/a2a916db1e81ae97a3cf20f853759bb8bc333c2f
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/history/CachedFrame.cpp
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/FrameLoader.h
    M Source/WebCore/page/FrameTree.cpp
    M Source/WebCore/page/FrameTree.h

  Log Message:
  -----------
  Merge r214014 - Iteratively dispatch DOM events after restoring a cached page
https://bugs.webkit.org/show_bug.cgi?id=169703
<rdar://problem/31075903>

Reviewed by Brady Eidson.

Make dispatching of DOM events when restoring a page from the page cache symmetric with
dispatching of events when saving a page to the page cache.

* history/CachedFrame.cpp:
(WebCore::CachedFrameBase::restore): Move code to dispatch events from here to FrameLoader::didRestoreFromCachedPage().
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad): Ensure that no DOM events are dispatched during
restoration of a cached page. Call didRestoreFromCachedPage() after restoring the page to
dispatch DOM events on the restored frames.
(WebCore::FrameLoader::willRestoreFromCachedPage): Renamed; formerly named prepareForCachedPageRestore().
(WebCore::FrameLoader::didRestoreFromCachedPage): Added.
(WebCore::FrameLoader::prepareForCachedPageRestore): Renamed to willRestoreFromCachedPage().
* loader/FrameLoader.h:
* page/FrameTree.cpp:
(WebCore::FrameTree::traverseNextInPostOrderWithWrap): Returns the next Frame* in a post-order
traversal of the frame tree optionally wrapping around to the deepest first child in the tree.
(WebCore::FrameTree::deepFirstChild): Added.
* page/FrameTree.h:


  Commit: b8190d7d1fd06aa91b3e070cb911d72aabfaab7c
      https://github.com/WebKit/WebKit/commit/b8190d7d1fd06aa91b3e070cb911d72aabfaab7c
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Document.h
    M Source/WebCore/history/CachedPage.cpp
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/FrameLoader.h

  Log Message:
  -----------
  Merge r214392 - media/restore-from-page-cache.html causes NoEventDispatchAssertion::isEventAllowedInMainThread() assertion failure
https://bugs.webkit.org/show_bug.cgi?id=170087
<rdar://problem/31254822>

Reviewed by Simon Fraser.

Reduce the scope of code that should never dispatch DOM events so as to allow updating contents size
after restoring a page from the page cache.

In r214014 we instantiate a NoEventDispatchAssertion in FrameLoader::commitProvisionalLoad()
around the call to CachedPage::restore() to assert when a DOM event is dispatched during
page restoration as such events can cause re-entrancy into the page cache. As it turns out
it is sufficient to ensure that no DOM events are dispatched after restoring all cached frames
as opposed to after CachedPage::restore() returns.

Also rename Document::enqueue{Pageshow, Popstate}Event() to dispatch{Pageshow, Popstate}Event(),
respectively, since they synchronously dispatch events :(. We hope in the future to make them
asynchronously dispatch events.

* dom/Document.cpp:
(WebCore::Document::implicitClose): Update for renaming.
(WebCore::Document::statePopped): Ditto.
(WebCore::Document::dispatchPageshowEvent): Renamed; formerly named enqueuePageshowEvent().
(WebCore::Document::dispatchPopstateEvent): Renamed; formerly named enqueuePopstateEvent().
(WebCore::Document::enqueuePageshowEvent): Deleted.
(WebCore::Document::enqueuePopstateEvent): Deleted.
* dom/Document.h:
* history/CachedPage.cpp:
(WebCore::firePageShowAndPopStateEvents): Moved logic from FrameLoader::didRestoreFromCachedPage() to here.
(WebCore::CachedPage::restore): Modified to call firePageShowAndPopStateEvents().
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad): Removed use of NoEventDispatchAssertion RAII object. We
will instantiate it in CachedPage::restore() with a smaller scope.
(WebCore::FrameLoader::didRestoreFromCachedPage): Deleted; moved logic from here to WebCore::firePageShowAndPopStateEvents().
* loader/FrameLoader.h:


  Commit: 1d46c74e6feaf2d22cb86846c816a0a109d74100
      https://github.com/WebKit/WebKit/commit/1d46c74e6feaf2d22cb86846c816a0a109d74100
  Author: Tim Horton <timothy_horton at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/WebPageProxy.cpp
    M Tools/ChangeLog
    A Tools/TestWebKitAPI/Tests/WebKit2Cocoa/DoAfterNextPresentationUpdateAfterCrash.mm

  Log Message:
  -----------
  Merge r214019 - Null deref under callAfterNextPresentationUpdate
https://bugs.webkit.org/show_bug.cgi?id=169710
<rdar://problem/30987863>

Patch by Tim Horton <timothy_horton at apple.com> on 2017-03-15
Reviewed by Simon Fraser.

Source/WebKit2:

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::callAfterNextPresentationUpdate):
Call the callback with an error if we don't have a web process or drawing area.

Tools:

* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* TestWebKitAPI/Tests/WebKit2Cocoa/DoAfterNextPresentationUpdateAfterCrash.mm: Added.
(TEST):


  Commit: aea90a77ac87d4388c9222097c3a4ba43b7a7b4a
      https://github.com/WebKit/WebKit/commit/aea90a77ac87d4388c9222097c3a4ba43b7a7b4a
  Author: Daniel Ehrenberg <littledan at chromium.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/IntlNumberFormat.cpp

  Log Message:
  -----------
  Merge r214020 - Switch back to ISO 4217 for Intl CurrencyDigits data
https://bugs.webkit.org/show_bug.cgi?id=169182

Previously, a patch switched Intl.NumberFormat to use CLDR data through
ICU to get the default number of decimal digits for a currency.
However, that change actually violated the ECMA 402 specification,
which references ISO 4217 as the data source. This patch reverts to
an in-line implementation of that data.

Patch by Daniel Ehrenberg <littledan at chromium.org> on 2017-03-15
Reviewed by Saam Barati.

* runtime/IntlNumberFormat.cpp:
(JSC::computeCurrencySortKey):
(JSC::extractCurrencySortKey):
(JSC::computeCurrencyDigits):


  Commit: 620a47e0175610f31c3aaacb39763db2a30a4487
      https://github.com/WebKit/WebKit/commit/620a47e0175610f31c3aaacb39763db2a30a4487
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/block/float/inline-becomes-float-and-moves-around-expected.txt
    A LayoutTests/fast/block/float/inline-becomes-float-and-moves-around.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderElement.cpp
    M Source/WebCore/rendering/RenderElement.h

  Log Message:
  -----------
  Merge r214023 - Do not reparent floating object until after intruding/overhanging dependency is cleared.
https://bugs.webkit.org/show_bug.cgi?id=169711
<rdar://problem/30959743>

Reviewed by Simon Fraser.

Source/WebCore:

This patch ensures that we cleanup the m_floatingObjects for siblings before reparenting the fresh float.

Test: fast/block/float/inline-becomes-float-and-moves-around.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::styleDidChange):
* rendering/RenderElement.cpp:
(WebCore::RenderElement::styleDidChange):
* rendering/RenderElement.h:
(WebCore::RenderElement::noLongerAffectsParentBlock):

LayoutTests:

* fast/block/float/inline-becomes-float-and-moves-around-expected.txt: Added.
* fast/block/float/inline-becomes-float-and-moves-around.html: Added.


  Commit: cf7922d0786d5696ea400871a8b8259e56cfb0d0
      https://github.com/WebKit/WebKit/commit/cf7922d0786d5696ea400871a8b8259e56cfb0d0
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/microbenchmarks/template-string-array.js
    A JSTests/stress/to-string-non-cell-use.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Merge r214028 - [DFG] ToString operation should have fixup for primitives to say this node does not have side effects
https://bugs.webkit.org/show_bug.cgi?id=169544

Reviewed by Saam Barati.

JSTests:

* microbenchmarks/template-string-array.js: Added.
(test):
* stress/to-string-non-cell-use.js: Added.
(shouldBe):
(shouldThrow):

Source/JavaScriptCore:

Our DFG ToString only handles String operands well. While ToString(non-cell operand) does not have
any side effect, it is not modeled well in DFG.

This patch introduces a fixup for ToString with NonCellUse edge. If this edge is set, ToString does not
clobber things (like ToLowerCase, producing String). And ToString(NonCellUse) allows us to perform CSE!

Our microbenchmark shows 32.9% improvement due to dropped GetButterfly and CSE for ToString().

                                    baseline                  patched

    template-string-array       12.6284+-0.2766     ^      9.4998+-0.2295        ^ definitely 1.3293x faster

And SixSpeed template_string.es6 shows 16.68x performance improvement due to LICM onto this non-side-effectful ToString().

                                  baseline                  patched

    template_string.es6     3229.7343+-40.5705    ^    193.6077+-36.3349       ^ definitely 16.6818x faster

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
(JSC::DFG::SpeculativeJIT::speculateNotCell):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
(JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
(JSC::FTL::DFG::LowerDFGToB3::speculateNotCell):


  Commit: dc3dd6ec14ea80fd32f0c54ee53293fb0b00d04b
      https://github.com/WebKit/WebKit/commit/dc3dd6ec14ea80fd32f0c54ee53293fb0b00d04b
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/function-with-defaults-inlining.js
    A JSTests/stress/function-with-defaults-non-inlining.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp
    M Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
    M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/parser/ASTBuilder.h
    M Source/JavaScriptCore/parser/Nodes.cpp
    M Source/JavaScriptCore/parser/Nodes.h
    M Source/JavaScriptCore/parser/Parser.cpp
    M Source/JavaScriptCore/parser/Parser.h
    M Source/JavaScriptCore/parser/SyntaxChecker.h
    M Source/JavaScriptCore/runtime/FunctionExecutable.h
    M Source/JavaScriptCore/runtime/JSFunction.cpp

  Log Message:
  -----------
  Merge r214029 - [JSC] Default parameter part should be retrieved by op_get_argument opcode instead of changing arity
https://bugs.webkit.org/show_bug.cgi?id=164582

Reviewed by Saam Barati.

JSTests:

* stress/function-with-defaults-inlining.js: Added.
(shouldBe):
(ok):
(a):
* stress/function-with-defaults-non-inlining.js: Added.
(shouldBe):
(ok):
(a):

Source/JavaScriptCore:

Previously we implemented default parameters as follows.

    1. We count the default parameters as the usual parameters.
    2. We just get the argument register.
    3. Check it with op_is_undefined.
    4. And fill the binding with either the argument register or default value.

The above is simple. However, it has the side effect that it always increases the arity of the function.
While `function.length` does not increase, internally, the number of parameters of the CodeBlock increases.
This effectively prevents our DFG / FTL from performing inlining: currently we only allow DFG to inline
a function whose arity is less than or equal to the number of passed arguments. That is OK. But when using
default parameters, we frequently do not pass the argument for the parameter with the default value.
Thus, in our current implementation, we frequently need to fix up the arity. And we frequently fail
to inline the function.

This patch fixes the above problem by not increasing the arity of the function. When we encounter the
parameter with the default value, we use `op_argument` to get the argument instead of using the argument
registers.

This improves six-speed defaults.es6 performance by 4.45x.

    defaults.es6        968.4126+-101.2350   ^    217.6602+-14.8831       ^ definitely 4.4492x faster

* bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
* bytecode/UnlinkedFunctionExecutable.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
(JSC::BytecodeGenerator::initializeNextParameter):
(JSC::BytecodeGenerator::initializeParameters):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionNode::emitBytecode):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::inliningCost):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createFunctionMetadata):
* parser/Nodes.cpp:
(JSC::FunctionMetadataNode::FunctionMetadataNode):
* parser/Nodes.h:
(JSC::FunctionParameters::size):
(JSC::FunctionParameters::at):
(JSC::FunctionParameters::append):
(JSC::FunctionParameters::isSimpleParameterList):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::isArrowFunctionParameters):
(JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
(JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
(JSC::Parser<LexerType>::parseFormalParameters):
(JSC::Parser<LexerType>::parseFunctionBody):
(JSC::Parser<LexerType>::parseFunctionParameters):
(JSC::Parser<LexerType>::parseFunctionInfo):
* parser/Parser.h:
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createFunctionMetadata):
* runtime/FunctionExecutable.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::createBuiltinFunction):
(JSC::JSFunction::reifyLength):


  Commit: 8d2cb9c452196404fbc8193966f9c1a340b6398f
      https://github.com/WebKit/WebKit/commit/8d2cb9c452196404fbc8193966f9c1a340b6398f
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecode/CodeBlock.h
    M Source/JavaScriptCore/ftl/FTLOperations.cpp

  Log Message:
  -----------
  Merge r214040 - Unreviewed, fix numParameter() - 1 OSRExit materialization
https://bugs.webkit.org/show_bug.cgi?id=164582

When materializing rest parameters, we rely on numParameter() - 1 being equal to
the numberOfArgumentsToSkip. But this assumption is broken in r214029.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::numberOfArgumentsToSkip):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):


  Commit: e098cbfb942123758ea4ef9775310c2127308679
      https://github.com/WebKit/WebKit/commit/e098cbfb942123758ea4ef9775310c2127308679
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/PlatformGTK.cmake
    R Source/WTF/wtf/text/gtk/TextBreakIteratorInternalICUGtk.cpp
    R Source/WTF/wtf/text/jsconly/TextBreakIteratorInternalICUJSCOnly.cpp
    A Source/WTF/wtf/text/unix/TextBreakIteratorInternalICUUnix.cpp

  Log Message:
  -----------
  Merge r214036 - [UNIX] Implement currentSearchLocaleID() and currentTextBreakLocaleID()
https://bugs.webkit.org/show_bug.cgi?id=169745

Reviewed by Yusuke Suzuki.

Add a common implementation for Unix based ports using setlocale.

* wtf/PlatformGTK.cmake:
* wtf/PlatformJSCOnly.cmake:
* wtf/text/gtk/TextBreakIteratorInternalICUGtk.cpp: Removed.
* wtf/text/unix/TextBreakIteratorInternalICUUnix.cpp: Renamed from Source/WTF/wtf/text/jsconly/TextBreakIteratorInternalICUJSCOnly.cpp.
(WTF::currentSearchLocaleID):
(WTF::currentTextBreakLocaleID):


  Commit: 49c405abe145da3c7c20539433b26cf574d48111
      https://github.com/WebKit/WebKit/commit/49c405abe145da3c7c20539433b26cf574d48111
  Author: Manuel Rego Casasnovas <rego at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/css-grid-layout/grid-crash-remove-positioned-item-expected.txt
    A LayoutTests/fast/css-grid-layout/grid-crash-remove-positioned-item.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderGrid.cpp

  Log Message:
  -----------
  Merge r214039 - [css-grid] Crash on debug removing a positioned child
https://bugs.webkit.org/show_bug.cgi?id=169739

Reviewed by Sergio Villar Senin.

Source/WebCore:

When we add or remove a positioned item we don't need to mark
the grid as dirty, because positioned items do not affect the layout
of the grid at all.

This was causing a crash when a positioned item was removed
after a layout: after the positioned item was removed,
the method RenderGrid::layoutBlock() was not called,
so when the grid was repainted we got a crash.

Test: fast/css-grid-layout/grid-crash-remove-positioned-item.html

* rendering/RenderGrid.cpp:
(WebCore::RenderGrid::addChild): Add early return to avoid marking
the grid as dirty for positioned grid items.
(WebCore::RenderGrid::removeChild): Ditto.

LayoutTests:

Add new test that checks that adding and removing a positioned grid item
doesn't cause any crashes.

* fast/css-grid-layout/grid-crash-remove-positioned-item-expected.txt: Added.
* fast/css-grid-layout/grid-crash-remove-positioned-item.html: Added.


  Commit: 10d5f0fb77aee0bdc457acc27652613f744ba6df
      https://github.com/WebKit/WebKit/commit/10d5f0fb77aee0bdc457acc27652613f744ba6df
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp

  Log Message:
  -----------
  Merge r214041 - Unreviewed, copy m_numberOfArgumentsToSkip
https://bugs.webkit.org/show_bug.cgi?id=164582

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):


  Commit: 61455444c0c0cc0277c5eaa9a110ae37d5122b29
      https://github.com/WebKit/WebKit/commit/61455444c0c0cc0277c5eaa9a110ae37d5122b29
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/inline/continuation-crash-with-anon-ancestors-expected.txt
    A LayoutTests/fast/inline/continuation-crash-with-anon-ancestors.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  -----------
  Merge r214059 - Stay inside the continuation while searching for a candidate ancestor for insertion.
https://bugs.webkit.org/show_bug.cgi?id=169768
<rdar://problem/30959936>

Reviewed by David Hyatt.

Source/WebCore:

Test: fast/inline/continuation-crash-with-anon-ancestors.html

* rendering/RenderInline.cpp:
(WebCore::RenderInline::addChildToContinuation):

LayoutTests:

* fast/inline/continuation-crash-with-anon-ancestors-expected.txt: Added.
* fast/inline/continuation-crash-with-anon-ancestors.html: Added.


  Commit: 630bb1f3f8cf941610f597034a641ef9d7b3f8b5
      https://github.com/WebKit/WebKit/commit/630bb1f3f8cf941610f597034a641ef9d7b3f8b5
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/ftl/FTLOperations.cpp
    M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
    M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp

  Log Message:
  -----------
  Merge r214071 - The new array with spread operation needs to check for length overflows.
https://bugs.webkit.org/show_bug.cgi?id=169780
<rdar://problem/31072182>

Reviewed by Filip Pizlo.

* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* llint/LLIntSlowPaths.cpp:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSGlobalObject.cpp:


  Commit: f859057e512807a6940c36861e47b6a994cb63ba
      https://github.com/WebKit/WebKit/commit/f859057e512807a6940c36861e47b6a994cb63ba
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/ArrayPrototype.cpp

  Log Message:
  -----------
  Merge r214079 - Array concat operation should check for length overflows.
https://bugs.webkit.org/show_bug.cgi?id=169796
<rdar://problem/31095276>

Reviewed by Keith Miller.

* runtime/ArrayPrototype.cpp:
(JSC::concatAppendOne):
(JSC::arrayProtoPrivateFuncConcatMemcpy):
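
Both r214071 (new array with spread) and r214079 (Array concat) above are the same class of bug: the combined length of the pieces being copied into a fresh array was not checked against the maximum array length before the copy. The example below is an added illustration, not JavaScriptCore's code; kMaxArrayLength, the function names and the vector-based "pieces" are assumptions for the sake of a self-contained demonstration of where the check has to sit (before any allocation or memcpy), with the wrapping 32-bit sum shown beside it.

```cpp
#include <cstdint>
#include <vector>

// Added example (not JavaScriptCore's code). ECMAScript requires an Array
// length to fit in 2^32 - 1; JSC's own dense-array bound is different and not
// reproduced here, so kMaxArrayLength is an assumption for illustration.
constexpr uint64_t kMaxArrayLength = 0xFFFFFFFFull;

// Sum the lengths of the pieces that a spread ([...a, ...b, x]) or a concat
// (a.concat(b, c)) would copy into a fresh array. Returns false when the total
// would exceed the maximum, which the caller must turn into a RangeError
// before allocating or copying anything. Accumulating in a 64-bit integer and
// bailing out as soon as the bound is crossed keeps the check itself from
// wrapping: `total` is at most 2^32 - 1 at the top of each iteration and each
// `len` is below 2^32, so the sum stays far below 2^64.
inline bool checkedTotalLength(const std::vector<uint32_t>& pieceLengths, uint32_t& outLength)
{
    uint64_t total = 0;
    for (uint32_t len : pieceLengths) {
        total += len;
        if (total > kMaxArrayLength)
            return false;             // fail early, before any allocation
    }
    outLength = static_cast<uint32_t>(total);
    return true;
}

// The unchecked version a reviewer should reject: the 32-bit sum silently
// wraps, so two large arrays "fit" into a tiny buffer and the later copy
// writes past its end.
inline uint32_t uncheckedTotalLength(const std::vector<uint32_t>& pieceLengths)
{
    uint32_t total = 0;
    for (uint32_t len : pieceLengths)
        total += len;
    return total;
}

// Worked concat: validate the combined length first, then copy. Returns false
// (and leaves `out` untouched) instead of throwing, standing in for RangeError.
inline bool concatChecked(const std::vector<std::vector<int32_t>>& pieces, std::vector<int32_t>& out)
{
    std::vector<uint32_t> lengths;
    for (const auto& piece : pieces)
        lengths.push_back(static_cast<uint32_t>(piece.size()));

    uint32_t total = 0;
    if (!checkedTotalLength(lengths, total))
        return false;                 // RangeError: Array length exceeds maximum

    std::vector<int32_t> result;
    result.reserve(total);            // allocation happens only after the check
    for (const auto& piece : pieces)
        result.insert(result.end(), piece.begin(), piece.end());
    out.swap(result);
    return true;
}
```

The two arrays of length 0x80000000 in the test are exactly the case that a wrapped 32-bit sum reports as length 0.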


  Commit: 1c8a19cd76461efd0ded84dcdd4329c7d8594eec
      https://github.com/WebKit/WebKit/commit/1c8a19cd76461efd0ded84dcdd4329c7d8594eec
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/FrameView.cpp
    M Source/WebCore/page/scrolling/ScrollingCoordinator.cpp
    M Source/WebCore/rendering/CounterNode.cpp
    M Source/WebCore/rendering/ImageQualityController.cpp
    M Source/WebCore/rendering/RenderBlock.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBoxModelObject.cpp
    M Source/WebCore/rendering/RenderElement.cpp
    M Source/WebCore/rendering/RenderImage.cpp
    M Source/WebCore/rendering/RenderInline.cpp
    M Source/WebCore/rendering/RenderLayer.cpp
    M Source/WebCore/rendering/RenderLayerBacking.cpp
    M Source/WebCore/rendering/RenderLayerCompositor.cpp
    M Source/WebCore/rendering/RenderLineBreak.cpp
    M Source/WebCore/rendering/RenderNamedFlowFragment.cpp
    M Source/WebCore/rendering/RenderObject.cpp
    M Source/WebCore/rendering/RenderObject.h
    M Source/WebCore/rendering/RenderQuote.cpp
    M Source/WebCore/rendering/RenderRegion.cpp
    M Source/WebCore/rendering/RenderReplaced.cpp
    M Source/WebCore/rendering/RenderRubyRun.cpp
    M Source/WebCore/rendering/RenderTable.h
    M Source/WebCore/rendering/RenderText.cpp
    M Source/WebCore/rendering/RenderVideo.cpp
    M Source/WebCore/rendering/svg/RenderSVGResource.cpp
    M Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp
    M Source/WebCore/rendering/svg/RenderSVGText.cpp

  Log Message:
  -----------
  Merge r214082 - RenderView::documentBeingDestroyed() needs a new name.
https://bugs.webkit.org/show_bug.cgi?id=166727

Reviewed by Andreas Kling.

Now that we destroy the render tree for documents going into the page cache, RenderView::documentBeingDestroyed()
is misleadingly named. Rename it to renderTreeBeingDestroyed() and fix all callers.

* page/FrameView.cpp:
(WebCore::FrameView::scheduleRelayoutOfSubtree):
* page/scrolling/ScrollingCoordinator.cpp:
(WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame):
* rendering/CounterNode.cpp:
(WebCore::CounterNode::resetRenderers):
* rendering/ImageQualityController.cpp:
(WebCore::ImageQualityController::highQualityRepaintTimerFired):
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::willBeDestroyed):
(WebCore::canMergeContiguousAnonymousBlocks):
(WebCore::RenderBlock::removeChild):
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::willBeDestroyed):
(WebCore::RenderBlockFlow::removeChild):
* rendering/RenderBox.cpp:
(WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists):
(WebCore::RenderBox::deleteLineBoxWrapper):
* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::willBeDestroyed):
* rendering/RenderElement.cpp:
(WebCore::RenderElement::insertChildInternal):
(WebCore::RenderElement::removeChildInternal):
(WebCore::RenderElement::clearLayoutRootIfNeeded):
(WebCore::RenderElement::willBeDestroyed):
* rendering/RenderImage.cpp:
(WebCore::RenderImage::imageChanged):
(WebCore::RenderImage::notifyFinished):
* rendering/RenderInline.cpp:
(WebCore::RenderInline::willBeDestroyed):
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::removeChild):
(WebCore::RenderLayer::calculateClipRects):
* rendering/RenderLayerBacking.cpp:
(WebCore::RenderLayerBacking::notifyFlushRequired):
* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::layerWillBeRemoved):
(WebCore::RenderLayerCompositor::fixedRootBackgroundLayerChanged):
* rendering/RenderLineBreak.cpp:
(WebCore::RenderLineBreak::deleteInlineBoxWrapper):
* rendering/RenderNamedFlowFragment.cpp:
(WebCore::RenderNamedFlowFragment::attachRegion):
* rendering/RenderObject.cpp:
(WebCore::RenderObject::resetFlowThreadStateOnRemoval):
(WebCore::RenderObject::willBeDestroyed):
(WebCore::RenderObject::destroyAndCleanupAnonymousWrappers):
* rendering/RenderObject.h:
(WebCore::RenderObject::renderTreeBeingDestroyed):
(WebCore::RenderObject::documentBeingDestroyed): Deleted.
* rendering/RenderQuote.cpp:
(WebCore::RenderQuote::detachQuote):
* rendering/RenderRegion.cpp:
(WebCore::RenderRegion::attachRegion):
* rendering/RenderReplaced.cpp:
(WebCore::RenderReplaced::willBeDestroyed):
* rendering/RenderRubyRun.cpp:
(WebCore::RenderRubyRun::removeChild):
* rendering/RenderTable.h:
(WebCore::RenderTable::setNeedsSectionRecalc):
* rendering/RenderText.cpp:
(WebCore::RenderText::removeAndDestroyTextBoxes):
* rendering/RenderVideo.cpp:
(WebCore::RenderVideo::updatePlayer):
* rendering/svg/RenderSVGResource.cpp:
(WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidation):
* rendering/svg/RenderSVGResourceContainer.cpp:
(WebCore::RenderSVGResourceContainer::markClientForInvalidation):
* rendering/svg/RenderSVGText.cpp:
(WebCore::RenderSVGText::subtreeChildWasAdded):
(WebCore::RenderSVGText::subtreeChildWillBeRemoved):
(WebCore::RenderSVGText::subtreeChildWasRemoved):
(WebCore::RenderSVGText::subtreeStyleDidChange):


  Commit: e8f484583f252d0aaae31ef24a267a7f5f8c94da
      https://github.com/WebKit/WebKit/commit/e8f484583f252d0aaae31ef24a267a7f5f8c94da
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/GenericArgumentsInlines.h

  Log Message:
  -----------
  Merge r214085 - Fix exception scope verification failures in GenericArgumentsInlines.h.
https://bugs.webkit.org/show_bug.cgi?id=165012

Reviewed by Saam Barati.

* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::defineOwnProperty):


  Commit: 3a66f407b31b9faf69b753941b86e740d9ed76f8
      https://github.com/WebKit/WebKit/commit/3a66f407b31b9faf69b753941b86e740d9ed76f8
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/cairo/CairoUtilities.cpp
    M Source/WebCore/platform/graphics/cairo/CairoUtilities.h
    M Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp

  Log Message:
  -----------
  Merge r214100 - [Cairo] Handle the blend mode in GraphicsContext::drawPattern
https://bugs.webkit.org/show_bug.cgi?id=169746

Reviewed by Žan Doberšek.

We are not taking into account the blend mode when passing the cairo operator to drawPatternToCairoContext().
This is based on a patch by Žan Doberšek, just adding the toCairoOperator changes to make it easier to handle
it. Instead of checking everywhere if blend mode is Normal to decide whether to use toCairoOperator with
CompositeOperator or BlendMode, there's now a single toCairoOperator that receives both parameters, but BlendMode
is optional and defaults to Normal.

* platform/graphics/cairo/CairoUtilities.cpp:
(WebCore::toCairoCompositeOperator):
(WebCore::toCairoOperator):
* platform/graphics/cairo/CairoUtilities.h:
* platform/graphics/cairo/GraphicsContextCairo.cpp:
(WebCore::GraphicsContext::setPlatformCompositeOperation):
(WebCore::GraphicsContext::drawPattern):


  Commit: 055fa90f2d0620de7bc87d85c3f734dd88c1f12a
      https://github.com/WebKit/WebKit/commit/055fa90f2d0620de7bc87d85c3f734dd88c1f12a
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/multicol/fix-inherit-when-container-is-replaced-expected.txt
    A LayoutTests/fast/multicol/fix-inherit-when-container-is-replaced.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderObject.cpp

  Log Message:
  -----------
  Merge r214119 - Fix the flow thread state on the descendants of out of flow positioned replaced elements.
https://bugs.webkit.org/show_bug.cgi?id=169821
<rdar://problem/30964017>

Reviewed by Simon Fraser.

Source/WebCore:

Descendants of a replaced out of flow element should inherit the flowthread state
from the replaced element and not from the replaced element's parent.

Test: fast/multicol/fix-inherit-when-container-is-replaced.html

* rendering/RenderObject.cpp:
(WebCore::RenderObject::computedFlowThreadState):

LayoutTests:

* fast/multicol/fix-inherit-when-container-is-replaced-expected.txt: Added.
* fast/multicol/fix-inherit-when-container-is-replaced.html: Added.


  Commit: 36c03dd374a77886bfce0240bd72ce9b43574b4a
      https://github.com/WebKit/WebKit/commit/36c03dd374a77886bfce0240bd72ce9b43574b4a
  Author: Said Abou-Hallawa <sabouhallawa at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/MathExtras.h
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/filters/FEColorMatrix.cpp
    M Source/WebCore/platform/graphics/filters/FEConvolveMatrix.cpp
    M Source/WebCore/platform/graphics/filters/FEConvolveMatrix.h
    M Source/WebCore/platform/graphics/filters/FilterEffect.h

  Log Message:
  -----------
  Merge r214125 - Time channel attack on SVG Filters
https://bugs.webkit.org/show_bug.cgi?id=118689

Reviewed by Simon Fraser.

Source/WebCore:

The time channel attack can happen if the attacker applies FEColorMatrix
or FEConvolveMatrix and provides a matrix which is filled with subnormal
floating point values. Performing floating-point operations on subnormals
is very expensive unless the pixel in the source graphics is black (or
zero). By measuring the time a filter takes to be applied, the attacker
can know whether the pixel he wants to steal from an iframe is black or
white. By repeating the same process on all the pixels in the iframe, the
attacker can reconstruct the whole page of the iframe.

To fix this issue, the values in the matrices of these filters will be clamped
to FLT_MIN. We do not want to consume too much time calculating filtered
pixels because of such tiny values. The difference between applying FLT_MIN
and applying a subnormal should not even be noticeable. Normalizing the
floating-point matrices should happen only at the beginning of the filter
platformApplySoftware().

* platform/graphics/filters/FEColorMatrix.cpp:
(WebCore::FEColorMatrix::platformApplySoftware):
* platform/graphics/filters/FEConvolveMatrix.cpp:
(WebCore::FEConvolveMatrix::fastSetInteriorPixels):
(WebCore::FEConvolveMatrix::fastSetOuterPixels):
(WebCore::FEConvolveMatrix::platformApplySoftware):
* platform/graphics/filters/FEConvolveMatrix.h:
* platform/graphics/filters/FilterEffect.h:
(WebCore::FilterEffect::normalizedFloats):

Source/WTF:

Performing arithmetic operations on subnormal floating-point numbers is
very expensive. Normalizing the floating-point number to the minimum normal
value should accelerate the calculations and there won't be a noticeable
difference in the result since all the subnormal values and the minimum
normal value are all very close to zero.

* wtf/MathExtras.h:
(normalizedFloat):
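
As an added example of the mitigation described in r214125 (this is not WebKit's normalizedFloat, whose exact handling of zero, sign and infinities is not reproduced here): the attacker-controlled kernel is rewritten once, before the per-pixel loop, so that no entry is subnormal. The design choices below are assumptions of this example: exact zero is left alone, the sign of a subnormal is kept, infinities are clamped to ±FLT_MAX and NaN becomes zero. The timing leak itself comes from the FPU taking a slow path for subnormal operands except when the other operand is zero, which is why black pixels were distinguishable from white ones.

```cpp
#include <cfloat>
#include <cmath>
#include <cstddef>
#include <vector>

// Added example (not WebKit's code): clamp subnormal matrix entries so that
// filter arithmetic never runs on denormals. Operations with a subnormal
// operand are slow on common FPUs unless the other operand is zero, which is
// the pixel-dependent timing the commit above describes.
//
// Assumptions of this example (may differ from WTF::normalizedFloat): exact
// zero is left alone (0 * x is fast), the sign of a subnormal is preserved,
// infinities are clamped to +/-FLT_MAX so later products cannot produce NaN
// via inf * 0, and NaN is mapped to zero.
inline float normalizeFloatForFilter(float value)
{
    if (std::isnan(value))
        return 0.0f;                              // NaN contributes nothing
    if (std::isinf(value))
        return std::copysign(FLT_MAX, value);     // keep sign, drop infinity
    if (value != 0.0f && std::fabs(value) < FLT_MIN)
        return std::copysign(FLT_MIN, value);     // subnormal -> smallest normal
    return value;
}

// Normalize a whole kernel/matrix in place; returns how many entries changed.
// Meant to run once per filter application, before the pixel loop.
inline std::size_t normalizeMatrix(std::vector<float>& matrix)
{
    std::size_t changed = 0;
    for (float& v : matrix) {
        float n = normalizeFloatForFilter(v);
        if (n != v) {                             // also true when v is NaN
            v = n;
            ++changed;
        }
    }
    return changed;
}

// True if any entry would still hit the slow subnormal path.
inline bool containsSubnormal(const std::vector<float>& matrix)
{
    for (float v : matrix) {
        if (std::fpclassify(v) == FP_SUBNORMAL)
            return true;
    }
    return false;
}
```

The matrix in the test mixes a zero, a normal value and two subnormals of different magnitude; after normalization every entry is either zero or a normal float, so the per-pixel cost no longer depends on the source pixel.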


  Commit: 70769750a2118b87aecf1ffb4ae4dec6b3d4c833
      https://github.com/WebKit/WebKit/commit/70769750a2118b87aecf1ffb4ae4dec6b3d4c833
  Author: David Hyatt <hyatt at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/multicol/float-adjacent-to-overflow-block-expected.html
    A LayoutTests/fast/multicol/float-adjacent-to-overflow-block.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp

  Log Message:
  -----------
  Merge r214126 - Disable per-region boxes for multicolumn
https://bugs.webkit.org/show_bug.cgi?id=169830

Reviewed by Zalan Bujtas.

Source/WebCore:

Test: fast/multicol/float-adjacent-to-overflow-block.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::determineLogicalLeftPositionForChild):
* rendering/RenderBox.cpp:
(WebCore::RenderBox::borderBoxRectInRegion):
(WebCore::RenderBox::renderBoxRegionInfo):
Limit all of the per-region box code to RenderNamedFlowThreads.
This code should never be used by multicolumn layout.

LayoutTests:

* fast/multicol/float-adjacent-to-overflow-block-expected.html: Added.
* fast/multicol/float-adjacent-to-overflow-block.html: Added.


  Commit: ac6c8c97d3b489396339df7149b1f8f3f48af347
      https://github.com/WebKit/WebKit/commit/ac6c8c97d3b489396339df7149b1f8f3f48af347
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/import-reject-with-exception.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

  Log Message:
  -----------
  Merge r214143 - import(arg) crashes when ToString(arg) throws
https://bugs.webkit.org/show_bug.cgi?id=169778

Reviewed by Saam Barati.

JSTests:

* stress/import-reject-with-exception.js: Added.
(shouldBe):
(let.x.get toString):

Source/JavaScriptCore:

JSPromiseDeferred should not be rejected with Exception*.

* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncImportModule):


  Commit: 91ad17b891e3e7bd0eb324c49528fd6fcd0fda89
      https://github.com/WebKit/WebKit/commit/91ad17b891e3e7bd0eb324c49528fd6fcd0fda89
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChakraCore.yaml
    M JSTests/ChakraCore/test/es6/letconst_global_shadow_builtins_nonconfigurable.baseline-jsc
    M JSTests/ChangeLog
    M JSTests/stress/global-lexical-redeclare-variable.js
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/window-const-variable-shadowing-expected.txt
    A LayoutTests/fast/dom/window-const-variable-shadowing.html
    A LayoutTests/fast/workers/const-location-variable-expected.txt
    A LayoutTests/fast/workers/const-location-variable.html
    A LayoutTests/fast/workers/resources/worker-const-location.js
    M LayoutTests/js/dom/const-expected.txt
    M LayoutTests/js/dom/const.html
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/ProgramExecutable.cpp

  Log Message:
  -----------
  Merge r214145 - `const location = "foo"` throws in a worker
https://bugs.webkit.org/show_bug.cgi?id=169839

Reviewed by Mark Lam.

JSTests:

* ChakraCore/test/es6/letconst_global_shadow_builtins_nonconfigurable.baseline-jsc:
Update expected jsc result now that we throw a SyntaxError when trying to shadow undefined
with a let variable. We used not to throw because the value is undefined but this was not
as per EcmaScript. Both Firefox and Chrome throw in this case.

* stress/global-lexical-redeclare-variable.js:
(catch):
Update test that defines a non-configurable 'zoo' property on the global object and then
expected shadowing it with a 'let zoo' variable to work because its value was undefined.
This was not as per EcmaScript spec and both Firefox and Chrome throw in this case.

Source/JavaScriptCore:

Our HasRestrictedGlobalProperty check in JSC was slightly wrong, causing us
to sometimes throw a Syntax exception when we shouldn't when declaring a
const/let variable and sometimes not throw an exception when we should have.

This aligns our behavior with ES6, Firefox and Chrome.

* runtime/ProgramExecutable.cpp:
(JSC::hasRestrictedGlobalProperty):
(JSC::ProgramExecutable::initializeGlobalProperties):
Rewrite hasRestrictedGlobalProperty logic as per the EcmaScript spec:
- http://www.ecma-international.org/ecma-262/6.0/index.html#sec-hasproperty
In particular, there were 2 issues:
- We should throw a SyntaxError if hasProperty() returned true but getOwnProperty()
  would fail to return a descriptor. This would happen for properties that are
  not OWN properties, but defined somewhere in the prototype chain. The spec does
  not say to use hasProperty(), only getOwnProperty() and says we should return
  false if getOwnProperty() does not return a descriptor. This is what we do now.
- We would fail to throw when declaring a let/const variable that shadows an own
  property whose value is undefined. This is because the previous code was
  explicitly checking for this case. I believe this was a misinterpretation of
  ES6 which says:
  """
  Let desc be O.[[GetOwnProperty]](P).
  If desc is undefined, return false.
  """
  We should check that desc is undefined, not desc.value. This is now fixed.

LayoutTests:

* fast/dom/window-const-variable-shadowing-expected.txt: Added.
* fast/dom/window-const-variable-shadowing.html: Added.
* fast/workers/const-location-variable-expected.txt: Added.
* fast/workers/const-location-variable.html: Added.
* fast/workers/resources/worker-const-location.js: Added.
Add layout test coverage for behavior changes. Those tests pass in Firefox and Chrome.

* js/dom/const-expected.txt:
* js/dom/const.html:
Update test which wrongly expected a let variable not to be able to shadow a
window named property. This test was failing in Chrome and Firefox. The reason
this does not throw is because window named properties are not on the window
object, they are on the WindowProperties object in the Window prototype chain.
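
To make the two spec steps in r214145 concrete, here is an added toy model (not JSC's ProgramExecutable code) of a global object with an own-property table and one prototype link. The struct and function names are invented for the example; the "buggy" variant is a reconstruction of the two behaviours the commit describes, not the pre-patch source. The test places a named property on the prototype (as the commit says WindowProperties does), keeps `undefined` and the test's `zoo` as non-configurable own properties, and models the worker's `location` as a configurable own property (an assumption about where that binding lives; the point is only that a configurable own property does not block the declaration).

```cpp
#include <map>
#include <string>

// Added example, not JSC's code. A property descriptor reduced to the two
// facts the algorithm cares about.
struct PropertyDescriptor {
    bool valueIsUndefined;   // whether the stored value is `undefined`
    bool configurable;
};

// Toy global object: own properties plus a single prototype link, enough to
// model the [[GetOwnProperty]] / [[HasProperty]] distinction.
struct ToyGlobalObject {
    std::map<std::string, PropertyDescriptor> ownProperties;
    const ToyGlobalObject* prototype = nullptr;

    // [[GetOwnProperty]]: own table only, never walks the chain.
    const PropertyDescriptor* getOwnProperty(const std::string& name) const
    {
        auto it = ownProperties.find(name);
        return it == ownProperties.end() ? nullptr : &it->second;
    }

    // [[HasProperty]]: walks the prototype chain.
    bool hasProperty(const std::string& name) const
    {
        for (const ToyGlobalObject* o = this; o; o = o->prototype) {
            if (o->getOwnProperty(name))
                return true;
        }
        return false;
    }
};

// ES2015 HasRestrictedGlobalProperty(N): only an OWN, non-configurable
// property blocks a top-level let/const of the same name. Whether the stored
// value happens to be `undefined` is irrelevant.
inline bool hasRestrictedGlobalProperty(const ToyGlobalObject& global, const std::string& name)
{
    const PropertyDescriptor* desc = global.getOwnProperty(name);
    if (!desc)
        return false;                 // "If desc is undefined, return false."
    return !desc->configurable;
}

// Reconstruction of the two mistakes being fixed, kept side by side:
// (1) consulting [[HasProperty]] makes inherited properties look restricted;
// (2) exempting undefined-valued properties lets `let undefined` through.
inline bool hasRestrictedGlobalPropertyBuggy(const ToyGlobalObject& global, const std::string& name)
{
    if (!global.hasProperty(name))
        return false;
    const PropertyDescriptor* desc = global.getOwnProperty(name);
    if (!desc)
        return true;                  // (1) inherited property: wrongly throws
    if (desc->valueIsUndefined)
        return false;                 // (2) own non-configurable `undefined`: wrongly allowed
    return !desc->configurable;
}
```

Reading the test: `myFrame` lives on the prototype, so the corrected check lets a top-level `let myFrame` shadow it while the old logic threw; `undefined` and `zoo` are own and non-configurable, so the corrected check throws for both even though their value is `undefined`.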


  Commit: c2fbbeafe24a7c908d99492924aa72db20a27167
      https://github.com/WebKit/WebKit/commit/c2fbbeafe24a7c908d99492924aa72db20a27167
  Author: Emanuele Aina <emanuele.aina at collabora.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/GraphicsContext3D.h
    M Source/WebCore/platform/graphics/cairo/GraphicsContext3DCairo.cpp

  Log Message:
  -----------
  Merge r214162 - [Cairo] Ensure depth and stencil renderbuffers are created on GLESv2
https://bugs.webkit.org/show_bug.cgi?id=166643

Patch by Emanuele Aina <emanuele.aina at collabora.com> on 2017-03-20
Reviewed by Darin Adler.

If the gfx device doesn't support GL_OES_packed_depth_stencil, the
separate depth and stencil buffers are not generated.

Copy what GraphicsContext3DEfl used to do and apply it in
GraphicsContext3DCairo.

The Intel gfx driver seems to tolerate unbound renderbuffers, but
enabling debugging in Mesa yields an error:

$ MESA_DEBUG=1 \
  MESA_EXTENSION_OVERRIDE=-GL_OES_packed_depth_stencil
  ./bin/MiniBrowser http://webglsamples.org/aquarium/aquarium.html
Mesa: User error: GL_INVALID_OPERATION in glRenderbufferStorage(no renderbuffer bound)

* platform/graphics/GraphicsContext3D.h:
* platform/graphics/cairo/GraphicsContext3DCairo.cpp:
(WebCore::GraphicsContext3D::GraphicsContext3D):
Ensure separate depth and stencil renderbuffers are created.
(WebCore::GraphicsContext3D::~GraphicsContext3D):
Ensure separate depth and stencil renderbuffers are released.


  Commit: 1935c55a2eabb92b7b91e2c9e46761de5d13bd52
      https://github.com/WebKit/WebKit/commit/1935c55a2eabb92b7b91e2c9e46761de5d13bd52
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBlock.cpp
    M Source/WebCore/rendering/RenderBlock.h
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBox.h
    M Source/WebCore/rendering/RenderBoxModelObject.cpp
    M Source/WebCore/rendering/RenderCounter.cpp
    M Source/WebCore/rendering/RenderCounter.h
    M Source/WebCore/rendering/RenderElement.cpp
    M Source/WebCore/rendering/RenderEmbeddedObject.cpp
    M Source/WebCore/rendering/RenderEmbeddedObject.h
    M Source/WebCore/rendering/RenderImage.cpp
    M Source/WebCore/rendering/RenderImage.h
    M Source/WebCore/rendering/RenderLayerModelObject.cpp
    M Source/WebCore/rendering/RenderLayerModelObject.h
    M Source/WebCore/rendering/RenderListBox.cpp
    M Source/WebCore/rendering/RenderListBox.h
    M Source/WebCore/rendering/RenderListItem.cpp
    M Source/WebCore/rendering/RenderListItem.h
    M Source/WebCore/rendering/RenderListMarker.cpp
    M Source/WebCore/rendering/RenderListMarker.h
    M Source/WebCore/rendering/RenderMenuList.cpp
    M Source/WebCore/rendering/RenderMenuList.h
    M Source/WebCore/rendering/RenderNamedFlowThread.cpp
    M Source/WebCore/rendering/RenderNamedFlowThread.h
    M Source/WebCore/rendering/RenderObject.cpp
    M Source/WebCore/rendering/RenderQuote.cpp
    M Source/WebCore/rendering/RenderQuote.h
    M Source/WebCore/rendering/RenderSearchField.cpp
    M Source/WebCore/rendering/RenderSearchField.h
    M Source/WebCore/rendering/RenderSnapshottedPlugIn.cpp
    M Source/WebCore/rendering/RenderSnapshottedPlugIn.h
    M Source/WebCore/rendering/RenderText.cpp
    M Source/WebCore/rendering/RenderTextControlMultiLine.cpp
    M Source/WebCore/rendering/RenderTextControlMultiLine.h
    M Source/WebCore/rendering/RenderVideo.cpp
    M Source/WebCore/rendering/RenderVideo.h
    M Source/WebCore/rendering/RenderWidget.h
    M Source/WebCore/rendering/svg/RenderSVGImage.cpp
    M Source/WebCore/rendering/svg/RenderSVGImage.h
    M Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp

  Log Message:
  -----------
  Merge r214173 - Move code out of renderer destructors into willBeDestroyed()
https://bugs.webkit.org/show_bug.cgi?id=169650

Reviewed by Antti Koivisto.

This is done for four reasons. First, code in willBeDestroyed() is able to call
virtual functions on derived classes. Second, this code will run before we've destroyed
the renderer's rareData, so can safely access it. Third, RenderWidget is special, and can have
its lifetime extended via manual ref-counting, and we want all cleanup to complete
before it goes into this weird zombie state. Fourth, in a shiny future where we have
ref-counted RenderObjects, we want cleanup code to be run explicitly and not tied
to object lifetime, and this is a step in that direction.

For all classes that derive from RenderObject, move code from the destructor into
willBeDestroyed(). New willBeDestroyed() implementations must call the base class.

RenderBlock and RenderBlockFlow are special; RenderBlockFlow::willBeDestroyed()
skips over RenderBlock::willBeDestroyed(), but they both need to run some code, which
I moved into RenderBlock::blockWillBeDestroyed().

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::~RenderBlock):
(WebCore::RenderBlock::willBeDestroyed):
(WebCore::RenderBlock::blockWillBeDestroyed):
* rendering/RenderBlock.h:
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::~RenderBlockFlow):
(WebCore::RenderBlockFlow::willBeDestroyed):
* rendering/RenderBox.cpp:
(WebCore::RenderBox::~RenderBox):
(WebCore::RenderBox::willBeDestroyed):
* rendering/RenderBox.h:
* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::~RenderBoxModelObject):
* rendering/RenderCounter.cpp:
(WebCore::RenderCounter::~RenderCounter):
(WebCore::RenderCounter::willBeDestroyed):
* rendering/RenderCounter.h:
* rendering/RenderElement.cpp:
(WebCore::RenderElement::~RenderElement):
(WebCore::RenderElement::willBeDestroyed):
* rendering/RenderEmbeddedObject.cpp:
(WebCore::RenderEmbeddedObject::~RenderEmbeddedObject):
(WebCore::RenderEmbeddedObject::willBeDestroyed):
* rendering/RenderEmbeddedObject.h:
* rendering/RenderImage.cpp:
(WebCore::RenderImage::~RenderImage):
(WebCore::RenderImage::willBeDestroyed):
* rendering/RenderImage.h:
* rendering/RenderLayerModelObject.cpp:
(WebCore::RenderLayerModelObject::~RenderLayerModelObject):
(WebCore::RenderLayerModelObject::willBeDestroyed):
* rendering/RenderLayerModelObject.h:
* rendering/RenderLineBreak.cpp:
(WebCore::RenderLineBreak::~RenderLineBreak):
(WebCore::RenderLineBreak::willBeDestroyed):
* rendering/RenderLineBreak.h:
* rendering/RenderListBox.cpp:
(WebCore::RenderListBox::~RenderListBox):
(WebCore::RenderListBox::willBeDestroyed):
* rendering/RenderListBox.h:
* rendering/RenderListItem.cpp:
(WebCore::RenderListItem::~RenderListItem):
(WebCore::RenderListItem::willBeDestroyed):
* rendering/RenderListItem.h:
* rendering/RenderListMarker.cpp:
(WebCore::RenderListMarker::~RenderListMarker):
(WebCore::RenderListMarker::willBeDestroyed):
* rendering/RenderListMarker.h:
* rendering/RenderMenuList.cpp:
(WebCore::RenderMenuList::~RenderMenuList):
(WebCore::RenderMenuList::willBeDestroyed):
* rendering/RenderMenuList.h:
* rendering/RenderNamedFlowThread.cpp:
(WebCore::RenderNamedFlowThread::~RenderNamedFlowThread):
(WebCore::RenderNamedFlowThread::willBeDestroyed):
* rendering/RenderNamedFlowThread.h:
* rendering/RenderObject.cpp:
(WebCore::RenderObject::willBeDestroyed):
* rendering/RenderQuote.cpp:
(WebCore::RenderQuote::~RenderQuote):
(WebCore::RenderQuote::willBeDestroyed):
* rendering/RenderQuote.h:
* rendering/RenderSearchField.cpp:
(WebCore::RenderSearchField::~RenderSearchField):
(WebCore::RenderSearchField::willBeDestroyed):
* rendering/RenderSearchField.h:
* rendering/RenderSnapshottedPlugIn.cpp:
(WebCore::RenderSnapshottedPlugIn::~RenderSnapshottedPlugIn):
(WebCore::RenderSnapshottedPlugIn::willBeDestroyed):
* rendering/RenderSnapshottedPlugIn.h:
* rendering/RenderText.cpp:
(WebCore::RenderText::~RenderText):
(WebCore::RenderText::willBeDestroyed):
* rendering/RenderTextControlMultiLine.cpp:
(WebCore::RenderTextControlMultiLine::~RenderTextControlMultiLine):
(WebCore::RenderTextControlMultiLine::willBeDestroyed):
* rendering/RenderTextControlMultiLine.h:
* rendering/RenderVideo.cpp:
(WebCore::RenderVideo::~RenderVideo):
(WebCore::RenderVideo::willBeDestroyed):
* rendering/RenderVideo.h:
* rendering/RenderWidget.h:
* rendering/svg/RenderSVGImage.cpp:
(WebCore::RenderSVGImage::~RenderSVGImage):
(WebCore::RenderSVGImage::willBeDestroyed):
* rendering/svg/RenderSVGImage.h:
* rendering/svg/RenderSVGResourceContainer.cpp:
(WebCore::RenderSVGResourceContainer::~RenderSVGResourceContainer):
(WebCore::RenderSVGResourceContainer::willBeDestroyed):


  Commit: ed0a28b1a5e5f9a72a71b34a05d6fa2d387f7574
      https://github.com/WebKit/WebKit/commit/ed0a28b1a5e5f9a72a71b34a05d6fa2d387f7574
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/events/before-unload-forbidden-navigation.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/FrameLoader.h

  Log Message:
  -----------
  Merge r214194 - Prevent new navigations from onbeforeunload handler
https://bugs.webkit.org/show_bug.cgi?id=169891
<rdar://problem/31155736>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Ensure that all navigations initiated from an onbeforeunload handler are disallowed
regardless of how they were scheduled. Such navigations go against the expectation
of a user.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::isNavigationAllowed): Added.
(WebCore::FrameLoader::loadURL): Modified code to call FrameLoader::isNavigationAllowed().
(WebCore::FrameLoader::loadWithDocumentLoader): Ditto.
(WebCore::FrameLoader::stopAllLoaders): Ditto.
* loader/FrameLoader.h:

LayoutTests:

Update test to ensure that we disallow navigation initiated via a DOM click event from
an onbeforeunload handler.

* fast/events/before-unload-forbidden-navigation.html:


  Commit: 179a73962b9846bf72fe04f6683dd7b06abd9bdc
      https://github.com/WebKit/WebKit/commit/179a73962b9846bf72fe04f6683dd7b06abd9bdc
  Author: Saam Barati <sbarati at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/parse-int-intrinsic.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/JITOperations.h
    M Source/JavaScriptCore/parser/Lexer.cpp
    M Source/JavaScriptCore/runtime/ErrorInstance.cpp
    M Source/JavaScriptCore/runtime/Intrinsic.h
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h
    A Source/JavaScriptCore/runtime/ParseInt.h
    M Source/JavaScriptCore/runtime/StringPrototype.cpp

  Log Message:
  -----------
  Merge r212939 - Intrinsicify parseInt
https://bugs.webkit.org/show_bug.cgi?id=168627

Reviewed by Filip Pizlo.

JSTests:

* stress/parse-int-intrinsic.js: Added.
(assert):
(testIntrinsic.let.s):
(testIntrinsic):
(testIntrinsic2.baz):
(testIntrinsic2):
(testIntrinsic3.foo):
(testIntrinsic3):
(testIntrinsic4.foo):
(testIntrinsic4):
(testIntrinsic5.foo):
(testIntrinsic5):
(testIntrinsic6.foo):
(testIntrinsic6):
(testIntrinsic7.foo):
(testIntrinsic7):

Source/JavaScriptCore:

This patch makes parseInt an intrinsic in the DFG and FTL.
We do our best to eliminate this node. If we speculate that
the first operand to the operation is an int32, and that there
isn't a second operand, we convert to the identity of the first
operand. That's because parseInt(someInt) === someInt.

If the first operand is proven to be an integer, and the second
operand is the integer 0 or the integer 10, we can eliminate the
node by making it an identity over its first operand. That's
because parseInt(someInt, 0) === someInt and parseInt(someInt, 10) === someInt.

If we are not able to constant fold the node away, we try to remove
checks. The most common use case of parseInt is that its first operand
is a proven string. The DFG might be able to remove type checks in this
case. We also set up CSE rules for parseInt(someString, someIntRadix)
because it's a "pure" operation (modulo resolving a rope).

This looks to be a 4% Octane/Box2D progression.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::parseIntResult):
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileParseInt):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
(JSC::DFG::SpeculativeJIT::appendCallSetResult):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
* jit/JITOperations.h:
* parser/Lexer.cpp:
* runtime/ErrorInstance.cpp:
* runtime/Intrinsic.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::toStringView): Deleted.
(JSC::isStrWhiteSpace): Deleted.
(JSC::parseDigit): Deleted.
(JSC::parseIntOverflow): Deleted.
(JSC::parseInt): Deleted.
* runtime/JSGlobalObjectFunctions.h:
* runtime/ParseInt.h: Added.
(JSC::parseDigit):
(JSC::parseIntOverflow):
(JSC::isStrWhiteSpace):
(JSC::parseInt):
(JSC::toStringView):
* runtime/StringPrototype.cpp:

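The folding rules described above (parseInt(someInt) === someInt, and likewise for radix 0 and 10) are only sound because the DFG first proves the operand is an int32. The following is an added example, not part of the WebKit patch or its tests: it checks the identity over int32 samples and lists Number values outside int32 for which the identity does not hold, which is exactly the set the speculation must exclude. The helper names are my own.

```javascript
// Added example (not WebKit code): verify the identity the DFG relies on,
// parseInt(x) === x for int32 x with radix absent, 0 or 10, and show
// Number values outside int32 for which the identity does NOT hold.

const INT32_MIN = -(2 ** 31);
const INT32_MAX = 2 ** 31 - 1;

// -0 is a double in JSC, not an int32, so it is excluded here on purpose.
function isInt32(x) {
  return Number.isInteger(x) && x >= INT32_MIN && x <= INT32_MAX && !Object.is(x, -0);
}

// True when parseInt(x, radix) returns exactly x. Object.is is used so that
// -0 and +0 are distinguished (=== would treat them as equal).
function parseIntIsIdentity(x, radix) {
  const r = radix === undefined ? parseInt(x) : parseInt(x, radix);
  return Object.is(r, x);
}

// The identity holds for every int32 sample with each of the three radices
// the patch folds (undefined, 0, 10).
function checkInt32Samples() {
  const samples = [INT32_MIN, -1, 0, 1, 7, 1234567890, INT32_MAX];
  return samples.every(x =>
    isInt32(x) && [undefined, 0, 10].every(rx => parseIntIsIdentity(x, rx)));
}

// Number values that are not int32: each goes through ToString and comes
// back changed, so folding them to an identity would be a miscompile.
//   -0       -> "0"        -> 0
//   0.5      -> "0.5"      -> 0
//   1e21     -> "1e+21"    -> 1
//   Infinity -> "Infinity" -> NaN
//   1e-7     -> "1e-7"     -> 1
function nonInt32Counterexamples() {
  const values = [-0, 0.5, 1e21, Infinity, 1e-7];
  return values.filter(x => !parseIntIsIdentity(x));
}

// A radix other than 0 or 10 breaks the identity even for an int32 operand,
// which is why the patch only folds those two radix constants.
function radixBreaksIdentity(x, radix) {
  return isInt32(x) && !parseIntIsIdentity(x, radix);
}
```

Running the functions shows why the patch is conservative about both the operand type and the radix: the identity survives every int32 value, but a double such as 1e21 or a radix of 16 changes the result.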

  Commit: 773058b529511e5d2f25f74cbb2698794c562310
      https://github.com/WebKit/WebKit/commit/773058b529511e5d2f25f74cbb2698794c562310
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/number-to-string-abstract-operation.js
    A JSTests/stress/number-to-string-radix.js
    A JSTests/stress/number-to-string.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/CCallHelpers.h
    M Source/JavaScriptCore/jit/JITOperations.h
    M Source/JavaScriptCore/runtime/Intrinsic.h
    M Source/JavaScriptCore/runtime/NumberPrototype.cpp
    M Source/JavaScriptCore/runtime/NumberPrototype.h
    M Source/JavaScriptCore/runtime/StringPrototype.cpp

  Log Message:
  -----------
  Merge r214219 - [JSC] Optimize Number.prototype.toString on Int32 / Int52 / Double
https://bugs.webkit.org/show_bug.cgi?id=167454

Reviewed by Saam Barati.

JSTests:

* stress/number-to-string-abstract-operation.js: Added.
(shouldBe):
(int32ToString):
(shouldBe.int32ToString.new.Number.int52ToString):
(shouldBe.int32ToString.new.Number):
(shouldBe.doubleToString):
* stress/number-to-string-radix.js: Added.
(shouldBe):
(int32ToString):
(shouldBe.int32ToString.new.Number.int52ToString):
(shouldBe.int32ToString.new.Number):
(shouldBe.doubleToString):
* stress/number-to-string.js: Added.
(shouldBe):
(int32ToString):
(shouldBe.int32ToString.new.Number.int52ToString):
(shouldBe.int32ToString.new.Number):
(shouldBe.doubleToString):

Source/JavaScriptCore:

This patch improves Number.toString(radix) performance
by introducing a NumberToStringWithRadix DFG node. It directly
calls the operation and always returns String.

                                               baseline                  patched

    stanford-crypto-sha256-iterative        45.130+-0.928             44.032+-1.184           might be 1.0250x faster


  Commit: 5ef02abd27cab35d80eaa57e345596446c42b14b
      https://github.com/WebKit/WebKit/commit/5ef02abd27cab35d80eaa57e345596446c42b14b
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/shadow-dom/slot-with-continuation-descendants-expected.txt
    A LayoutTests/fast/shadow-dom/slot-with-continuation-descendants.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/style/RenderTreeUpdater.cpp

  Log Message:
  -----------
Merge r214232 - 2017-03-21  Zalan Bujtas  <zalan at apple.com>

Tear down descendant renderers when <slot>'s display value is set to no "contents".
https://bugs.webkit.org/show_bug.cgi?id=169921
<rdar://problem/30336417>

Reviewed by Antti Koivisto.

Since "display: contents" does not generate a renderer, when an element's display value is
changed to something other than "contents", we not only create a renderer but also reparent its descendant
subtree (e.g. from the slot's parent to the newly constructed slot renderer). During this reparenting, we
need to tear down the descendant subtree and build it up again to reflect the new rendering context.

Test: fast/shadow-dom/slot-with-continuation-descendants.html

* style/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::updateElementRenderer):


  Commit: 830ed9333642dda68ff10fad1af0200d3e450931
      https://github.com/WebKit/WebKit/commit/830ed9333642dda68ff10fad1af0200d3e450931
  Author: Brady Eidson <beidson at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/storage/websql/test-authorizer-expected.txt
    M LayoutTests/storage/websql/test-authorizer.js
    M Source/WebCore/ChangeLog
    M Source/WebCore/Modules/webdatabase/DatabaseAuthorizer.cpp

  Log Message:
  -----------
  Merge r214237 - Disable all virtual tables.
<rdar://problem/31081972> and https://bugs.webkit.org/show_bug.cgi?id=169928

Source/WebCore:

Reviewed by Jer Noble.

No new tests (Covered by changes to existing test).

* Modules/webdatabase/DatabaseAuthorizer.cpp:
(WebCore::DatabaseAuthorizer::createVTable):
(WebCore::DatabaseAuthorizer::dropVTable):

LayoutTests:

Reviewed by Jer Noble.

* storage/websql/test-authorizer-expected.txt:
* storage/websql/test-authorizer.js:
(createStatementsCallback):


  Commit: 361145c580b2638a202e84401aa399672635edf7
      https://github.com/WebKit/WebKit/commit/361145c580b2638a202e84401aa399672635edf7
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp

  Log Message:
  -----------
  Merge r214240 - The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
https://bugs.webkit.org/show_bug.cgi?id=169933
<rdar://problem/31105125>

Reviewed by Filip Pizlo and Geoffrey Garen.

Also fixed the bit-rotted RangeKey::dump() function.

* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):


  Commit: ec376c83a2dae3a1e570f82105fa05c7bb315684
      https://github.com/WebKit/WebKit/commit/ec376c83a2dae3a1e570f82105fa05c7bb315684
  Author: Sergio Villar Senin <svillar at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt
    A LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp

  Log Message:
  -----------
  Merge r214246 - [Soup] "Only from websites I visit" cookie policy is broken
https://bugs.webkit.org/show_bug.cgi?id=168912

Reviewed by Carlos Garcia Campos.

Source/WebCore:

Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since r143931).

The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.

Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html

* platform/network/soup/ResourceHandleSoup.cpp:
(WebCore::doRedirect):

Source/WebKit2:

Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since r143931).

The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.

* NetworkProcess/soup/NetworkDataTaskSoup.cpp:
(WebKit::NetworkDataTaskSoup::continueHTTPRedirection):

LayoutTests:

* http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added.
* http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added.

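The policy failure described in the Soup change above is easiest to see as a redirect chain. The following is an added example, not WebKit code: a small model of the "only from websites I visit" (no third-party cookies) decision, run once with the pre-fix behaviour of resetting the first-party URL on every redirect and once with the fixed behaviour of keeping the first party of the top-level document. The site() helper approximates the registrable domain by taking the last two host labels; real browsers consult the Public Suffix List, so that shortcut, the URLs, and all function names are assumptions made for the example.

```javascript
// Added example (not WebKit code): model of the "no third-party cookies"
// policy across a subresource redirect chain.

// Simplified registrable-domain check: last two labels of the hostname.
// Real browsers use the Public Suffix List; this is an assumption for the
// example and is wrong for suffixes like co.uk.
function site(url) {
  const host = new URL(url).hostname;
  return host.split('.').slice(-2).join('.');
}

// A request is first-party when it targets the same site as the top-level
// document it was issued from.
function isFirstParty(firstPartyUrl, requestUrl) {
  return site(firstPartyUrl) === site(requestUrl);
}

// One redirect hop. `resetFirstParty` models the behaviour the patch removes
// (introduced in r143931): the redirect target became the new first party.
function followRedirect(state, location, resetFirstParty) {
  return {
    firstParty: resetFirstParty ? location : state.firstParty,
    url: location,
  };
}

// Walks a redirect chain for a subresource and returns, for the initial
// request and each hop, whether cookies would be attached under the policy.
function cookieDecisions(firstPartyUrl, initialUrl, redirects, resetFirstParty) {
  let state = { firstParty: firstPartyUrl, url: initialUrl };
  const decisions = [isFirstParty(state.firstParty, state.url)];
  for (const location of redirects) {
    state = followRedirect(state, location, resetFirstParty);
    decisions.push(isFirstParty(state.firstParty, state.url));
  }
  return decisions;
}

// Constructed scenario: a page on www.example.com embeds a pixel from
// tracker.example, which redirects within its own site to set a cookie.
const PAGE = 'https://www.example.com/';
const PIXEL = 'https://tracker.example/pixel';
const HOPS = [
  'https://tracker.example/pixel?set=1',
  'https://cdn.tracker.example/p.gif',
];

// Pre-fix: after the first redirect the tracker is "first party" to itself,
// so every subsequent hop gets cookies despite the policy.
function buggyDecisions() {
  return cookieDecisions(PAGE, PIXEL, HOPS, true);
}

// Fixed: the first party stays www.example.com for the whole chain, so the
// tracker never receives cookies.
function fixedDecisions() {
  return cookieDecisions(PAGE, PIXEL, HOPS, false);
}
```

With the reset in place the decisions come out as [false, true, true]: the very first request is correctly blocked, but a single self-redirect is enough to turn the tracker into a first party and bypass the policy for the rest of the chain. Without the reset every hop is blocked.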

  Commit: 3f3975dfa29ff2bb3a89075963ffc6e2a0e126d9
      https://github.com/WebKit/WebKit/commit/3f3975dfa29ff2bb3a89075963ffc6e2a0e126d9
  Author: Youenn Fablet <youenn at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-worker-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight.js
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/CrossOriginAccessControl.cpp

  Log Message:
  -----------
  Merge r214254 - Safari sends empty "Access-Control-Request-Headers" in preflight request
https://bugs.webkit.org/show_bug.cgi?id=169851

Patch by Youenn Fablet <youenn at apple.com> on 2017-03-22
Reviewed by Chris Dumez.

LayoutTests/imported/w3c:

* web-platform-tests/fetch/api/cors/cors-preflight-expected.txt:
* web-platform-tests/fetch/api/cors/cors-preflight.js:

Source/WebCore:

Covered by updated test.

* loader/CrossOriginAccessControl.cpp:
(WebCore::createAccessControlPreflightRequest): Not adding "Access-Control-Request-Headers" to
request header if value is empty.

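To make the fix above concrete, here is an added example (not WebKit code, not the project's createAccessControlPreflightRequest) that assembles the header set for a CORS preflight in the way the patch describes: the request's non-safelisted header names are collected and Access-Control-Request-Headers is only emitted when that list is non-empty. The safelist follows the Fetch specification's CORS-safelisted request headers in simplified form (no value-length or byte checks); the function names and the sample requests are my own.

```javascript
// Added example (not WebKit code): build preflight headers and omit
// Access-Control-Request-Headers when there is nothing to list.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Simplified CORS-safelisted request header check (Fetch spec). The real
// check also bounds value length and rejects certain bytes; omitted here.
function isSafelistedHeader(name, value) {
  switch (name.toLowerCase()) {
    case 'accept':
    case 'accept-language':
    case 'content-language':
      return true;
    case 'content-type': {
      const mime = value.split(';')[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(mime);
    }
    default:
      return false;
  }
}

// Lower-cased, sorted names of the headers that must be listed in the
// preflight, i.e. everything that is not CORS-safelisted.
function unsafeHeaderNames(requestHeaders) {
  return Object.entries(requestHeaders)
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name.toLowerCase())
    .sort();
}

// A preflight is needed for a non-safelisted method or any unsafe header.
function needsPreflight(method, requestHeaders) {
  return !SAFELISTED_METHODS.has(method.toUpperCase()) ||
    unsafeHeaderNames(requestHeaders).length > 0;
}

// Headers for the OPTIONS preflight. Access-Control-Request-Headers is
// omitted when empty: a server that compares the value verbatim against its
// allow list would otherwise see "" and may reject the preflight.
function preflightHeaders(origin, method, requestHeaders) {
  const out = {
    'Origin': origin,
    'Access-Control-Request-Method': method.toUpperCase(),
  };
  const names = unsafeHeaderNames(requestHeaders);
  if (names.length > 0) {
    out['Access-Control-Request-Headers'] = names.join(',');
  }
  return out;
}

// Constructed sample requests.
const PUT_TEXT = { method: 'PUT', headers: { 'Content-Type': 'text/plain' } };
const POST_JSON = {
  method: 'POST',
  headers: { 'X-Token': 'abc', 'Content-Type': 'application/json' },
};
```

For PUT_TEXT the preflight is triggered by the method alone, so the result carries only Origin and Access-Control-Request-Method; for POST_JSON it lists content-type,x-token.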

  Commit: 9774a95370bba10d3aa54a010b73e32c10e2a84e
      https://github.com/WebKit/WebKit/commit/9774a95370bba10d3aa54a010b73e32c10e2a84e
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/DocumentRuleSets.cpp
    M Source/WebCore/css/DocumentRuleSets.h
    M Source/WebCore/css/ElementRuleCollector.cpp
    M Source/WebCore/css/RuleFeature.cpp
    M Source/WebCore/css/RuleFeature.h
    M Source/WebCore/css/RuleSet.cpp
    M Source/WebCore/css/RuleSet.h
    M Source/WebCore/css/StyleResolver.h
    M Source/WebCore/style/AttributeChangeInvalidation.cpp
    M Source/WebCore/style/IdChangeInvalidation.cpp
    M Source/WebCore/style/StyleSharingResolver.cpp

  Log Message:
  -----------
  Merge r214255 - Use AtomicString in RuleSet and RuleFeature
https://bugs.webkit.org/show_bug.cgi?id=119310
<rdar://problem/28214658>

Reviewed by Andreas Kling.

...instead of the plain AtomicStringImpl*. This introduces some ref churn but not too much.

* css/DocumentRuleSets.cpp:
(WebCore::DocumentRuleSets::ancestorClassRules):
(WebCore::DocumentRuleSets::ancestorAttributeRulesForHTML):
* css/DocumentRuleSets.h:
* css/ElementRuleCollector.cpp:
(WebCore::ElementRuleCollector::collectMatchingRules):
(WebCore::ElementRuleCollector::collectMatchingShadowPseudoElementRules):
* css/RuleFeature.cpp:
(WebCore::RuleFeatureSet::recursivelyCollectFeaturesFromSelector):
(WebCore::makeAttributeSelectorKey):
(WebCore::RuleFeatureSet::collectFeatures):
* css/RuleFeature.h:
* css/RuleSet.cpp:
(WebCore::RuleSet::addToRuleSet):
(WebCore::rulesCountForName):
(WebCore::RuleSet::addRule):
* css/RuleSet.h:
(WebCore::RuleSet::idRules):
(WebCore::RuleSet::classRules):
(WebCore::RuleSet::shadowPseudoElementRules):
(WebCore::RuleSet::tagRules):
* css/StyleResolver.h:
(WebCore::StyleResolver::hasSelectorForAttribute):
(WebCore::StyleResolver::hasSelectorForClass):
(WebCore::StyleResolver::hasSelectorForId):
* style/AttributeChangeInvalidation.cpp:
(WebCore::Style::mayBeAffectedByAttributeChange):
(WebCore::Style::AttributeChangeInvalidation::invalidateStyle):
* style/IdChangeInvalidation.cpp:
(WebCore::Style::mayBeAffectedByHostRules):
(WebCore::Style::mayBeAffectedBySlottedRules):
(WebCore::Style::IdChangeInvalidation::invalidateStyle):
* style/StyleSharingResolver.cpp:
(WebCore::Style::SharingResolver::resolve):
(WebCore::Style::SharingResolver::canShareStyleWithElement):
(WebCore::Style::SharingResolver::classNamesAffectedByRules):


  Commit: f9ffd2fa89d30c575f24ebff04ddca762b3607f9
      https://github.com/WebKit/WebKit/commit/f9ffd2fa89d30c575f24ebff04ddca762b3607f9
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/to-string-int32.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/NumberPrototype.cpp

  Log Message:
  -----------
  Merge r214272 - [JSC] Use jsNontrivialString for Number toString operations
https://bugs.webkit.org/show_bug.cgi?id=169965

Reviewed by Mark Lam.

JSTests:

* stress/to-string-int32.js: Added.
(shouldBe):
(toString10):
(expected):

Source/JavaScriptCore:

After the single-character check, the produced string is always longer than 1 character.
Thus, we can use jsNontrivialString.

* runtime/NumberPrototype.cpp:
(JSC::int32ToStringInternal):


  Commit: e0bbd2b8a083bbafa986754249d0dad07e1cc962
      https://github.com/WebKit/WebKit/commit/e0bbd2b8a083bbafa986754249d0dad07e1cc962
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/icon/IconLoader.cpp

  Log Message:
  -----------
  Merge r214276 - ASan violation in IconLoader::stopLoading
https://bugs.webkit.org/show_bug.cgi?id=169960
<rdar://problem/30577691>

Reviewed by David Kilzer.

DocumentLoader::finishLoadingIcon handles the life cycle of the IconLoader. Once this method is called,
we should return immediately rather than attempt to make further modifications to the IconLoader.

No new tests due to lack of test features (see https://bugs.webkit.org/show_bug.cgi?id=164895). Easily
tested in MiniBrowser under ASan visiting websites with icons.

* loader/icon/IconLoader.cpp:
(WebCore::IconLoader::notifyFinished):


  Commit: 2d21b0e6e7b3fff25cbc7e10180b29e208bdc134
      https://github.com/WebKit/WebKit/commit/2d21b0e6e7b3fff25cbc7e10180b29e208bdc134
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/events/before-unload-return-string-conversion-expected.txt
    M LayoutTests/fast/events/before-unload-returnValue-expected.txt
    A LayoutTests/fast/events/beforeunload-alert-no-user-interaction-expected.txt
    A LayoutTests/fast/events/beforeunload-alert-no-user-interaction.html
    A LayoutTests/fast/events/beforeunload-alert-user-interaction-expected.txt
    A LayoutTests/fast/events/beforeunload-alert-user-interaction.html
    A LayoutTests/fast/events/beforeunload-alert-user-interaction2-expected.txt
    A LayoutTests/fast/events/beforeunload-alert-user-interaction2.html
    M LayoutTests/fast/loader/form-submission-after-beforeunload-cancel.html
    M LayoutTests/fast/loader/show-only-one-beforeunload-dialog.html
    M LayoutTests/http/tests/misc/iframe-beforeunload-dialog-matching-ancestor-securityorigin.html
    M LayoutTests/http/tests/misc/iframe-beforeunload-dialog-not-matching-ancestor-securityorigin.html
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/html/browsers/browsing-the-web/unloading-documents/beforeunload-canceling-expected.txt
    M LayoutTests/platform/ios-simulator/TestExpectations
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/FrameLoader.cpp

  Log Message:
  -----------
  Merge r214277 - WebKit should disallow beforeunload alerts from web pages users have never interacted with
https://bugs.webkit.org/show_bug.cgi?id=169936
<rdar://problem/23798897>

Reviewed by Brent Fulgham.

LayoutTests/imported/w3c:

* web-platform-tests/html/browsers/browsing-the-web/unloading-documents/beforeunload-canceling-expected.txt:
* web-platform-tests/html/webappapis/scripting/events/compile-event-handler-settings-objects-expected.txt:
Rebaseline now that the CONFIRM MESSAGE lines are no longer shown. This is because there is no user interaction
with the page.

Source/WebCore:

WebKit should disallow beforeunload alerts from web pages users have never interacted with.
This reduces the risk of annoyance to the user and is allowed by the specification:
- https://html.spec.whatwg.org/multipage/browsers.html#prompt-to-unload-a-document (Step 8):
which says:
"""
The user agent is encouraged to avoid asking the user for confirmation if it judges that doing
so would be annoying, deceptive, or pointless. A simple heuristic might be that if the user
has not interacted with the document, the user agent would not ask for confirmation before
unloading it.
"""

Firefox already implements this, Chrome does not.

Tests: fast/events/beforeunload-alert-no-user-interaction.html
       fast/events/beforeunload-alert-user-interaction.html
       fast/events/beforeunload-alert-user-interaction2.html

* loader/FrameLoader.cpp:
(WebCore::shouldAskForNavigationConfirmation):
(WebCore::FrameLoader::dispatchBeforeUnloadEvent):

LayoutTests:

* fast/events/before-unload-return-string-conversion-expected.txt:
* fast/events/before-unload-returnValue-expected.txt:
Rebaseline now that the CONFIRM MESSAGE is no longer shown. This is because there is
no user interaction with the page.

* fast/events/beforeunload-alert-no-user-interaction-expected.txt: Added.
* fast/events/beforeunload-alert-no-user-interaction.html: Added.
* fast/events/beforeunload-alert-user-interaction-expected.txt: Added.
* fast/events/beforeunload-alert-user-interaction.html: Added.
* fast/events/beforeunload-alert-user-interaction2-expected.txt: Added.
* fast/events/beforeunload-alert-user-interaction2.html: Added.
Add layout test coverage.

* fast/loader/form-submission-after-beforeunload-cancel.html:
* fast/loader/show-only-one-beforeunload-dialog.html:
* http/tests/misc/iframe-beforeunload-dialog-matching-ancestor-securityorigin.html:
* http/tests/misc/iframe-beforeunload-dialog-not-matching-ancestor-securityorigin.html:
Simulate user interaction with the page so that the CONFIRM MESSAGE log lines are still
shown.


  Commit: b6a21764ded963329a433efb43dfb607462e9dfb
      https://github.com/WebKit/WebKit/commit/b6a21764ded963329a433efb43dfb607462e9dfb
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestUIClient.cpp

  Log Message:
  -----------
  Merge r214347 - Unreviewed. Fix GTK+ test /webkit2/WebKitWebView/javascript-dialogs after r214277.

Since r214277 beforeunload events are not fired unless there's some user interaction, so we need to simulate it
in our unit tests for them to work.

* TestWebKitAPI/Tests/WebKit2Gtk/TestUIClient.cpp:
(testWebViewJavaScriptDialogs):


  Commit: 2edc63c0d710832b4eba5fc9a633980ac5602daa
      https://github.com/WebKit/WebKit/commit/2edc63c0d710832b4eba5fc9a633980ac5602daa
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/PlatformGTK.cmake
    M Source/WebCore/platform/graphics/cairo/CairoUtilities.cpp
    M Source/WebCore/platform/graphics/cairo/CairoUtilities.h
    M Source/WebCore/platform/graphics/freetype/FontCacheFreeType.cpp
    M Source/WebCore/platform/graphics/freetype/FontPlatformDataFreeType.cpp
    M Source/WebCore/platform/graphics/gtk/GdkCairoUtilities.cpp
    M Source/WebCore/platform/graphics/gtk/GdkCairoUtilities.h

  Log Message:
  -----------
  Merge r214283 - [GTK] Honor GTK+ font settings
https://bugs.webkit.org/show_bug.cgi?id=82889

Reviewed by Carlos Garcia Campos.

After much discussion with Behdad and Martin (who is still not completely convinced I think
:) I want to merge cairo font options into the Fontconfig pattern used for rendering using
cairo_ft_font_options_substitute(). This is how the API was designed to be used anyway.
Fontconfig will still have final say over whether to actually respect the desktop settings
or not, so it can still choose to ignore the desktop's settings, but I don't think it makes
sense to have desktop-wide font settings and not tell Fontconfig about them, especially when
the whole point of WebKitGTK+ is desktop integration. This should also reduce complaints
that we're not following desktop settings and that we're drawing fonts differently than
Firefox.

* PlatformGTK.cmake:
* platform/graphics/cairo/CairoUtilities.cpp:
(WebCore::getDefaultCairoFontOptions):
* platform/graphics/cairo/CairoUtilities.h:
* platform/graphics/freetype/FontCacheFreeType.cpp:
(WebCore::createFontConfigPatternForCharacters):
(WebCore::strongAliasesForFamily):
(WebCore::FontCache::createFontPlatformData):
* platform/graphics/freetype/FontPlatformDataFreeType.cpp:
(WebCore::getDefaultFontconfigOptions):
(WebCore::getDefaultCairoFontOptions): Deleted.
* platform/graphics/gtk/GdkCairoUtilities.cpp:
(getDefaultCairoFontOptions):


  Commit: 602e661fef18bbbd91942d699ec1ac493b0c20e0
      https://github.com/WebKit/WebKit/commit/602e661fef18bbbd91942d699ec1ac493b0c20e0
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/css/empty-display-none-invalidation-expected.html
    A LayoutTests/fast/css/empty-display-none-invalidation.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/dom/Element.h
    M Source/WebCore/dom/ElementRareData.h
    M Source/WebCore/style/StyleTreeResolver.cpp

  Log Message:
  -----------
  Merge r214290 - Dynamically applied :empty pseudo class with display:none does not get unapplied
https://bugs.webkit.org/show_bug.cgi?id=169907

Reviewed by Ryosuke Niwa.

Source/WebCore:

We improperly reset the styleAffectedByEmpty bit when removing the renderer when :empty starts
applying. We then fail to invalidate the style when the element becomes non-empty again.

Fix by resetting the style relation bits only when computing the style.

Test: fast/css/empty-display-none-invalidation.html

* dom/Element.cpp:
(WebCore::Element::resetStyleRelations):

    Expose this separately.

(WebCore::Element::clearStyleDerivedDataBeforeDetachingRenderer):

    Don't reset style relation bits when removing renderers.

* dom/Element.h:
* dom/ElementRareData.h:
(WebCore::ElementRareData::resetComputedStyle):
(WebCore::ElementRareData::resetStyleRelations):

    Reset all these bits in one function.

(WebCore::ElementRareData::resetDynamicRestyleObservations): Deleted.
* style/StyleTreeResolver.cpp:
(WebCore::Style::resetStyleForNonRenderedDescendants):
(WebCore::Style::TreeResolver::resolveComposedTree):

    Call the explicit style relation reset function when recomputing style.

LayoutTests:

* fast/css/empty-display-none-invalidation-expected.html: Added.
* fast/css/empty-display-none-invalidation.html: Added.


  Commit: fe0a8f46d9e134b411a29e1f3764d752c76a290b
      https://github.com/WebKit/WebKit/commit/fe0a8f46d9e134b411a29e1f3764d752c76a290b
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/any-int-as-double-add.js
    A JSTests/stress/to-this-numbers.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGGraph.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Merge r214296 - [JSC][DFG] Propagate AnyIntAsDouble information carefully to utilize it in fixup
https://bugs.webkit.org/show_bug.cgi?id=169914

Reviewed by Saam Barati.

JSTests:

* stress/any-int-as-double-add.js: Added.
(shouldBe):
(test):
* stress/to-this-numbers.js: Added.
(shouldBe):
(Number.prototype.toThis):

Source/JavaScriptCore:

In DFG prediction propagation phase, we pollute the prediction of GetByVal for Array::Double
as SpecDoubleReal even if the heap prediction says the proper prediction is SpecAnyIntAsDouble.
Thus, the following nodes just see the result of GetByVal(Array::Double) as double value,
and select suboptimal edge filters in fixup phase. For example, if the result of GetByVal is
SpecAnyIntAsDouble, we can see the node like ArithAdd(SpecAnyIntAsDouble, Int52) and we should
have a chance to make it ArithAdd(Check:Int52, Int52) instead of ArithAdd(Double, Double).

This patch propagates SpecAnyIntAsDouble in GetByVal(Array::Double) properly. And ValueAdd,
ArithAdd and ArithSub select AnyInt edge filters for SpecAnyIntAsDouble values. It finally
produces an Int52 specialized DFG node. And subsequent nodes using the produced one also
become Int52 specialized.

One considerable problem is that the heap prediction misses the non any int doubles. In that case,
if an Int52 edge filter is used, a BadType exit will occur. It updates the prediction of the value profile
of GetByVal. So, in the next time, GetByVal(Array::Double) produces more conservative predictions
and avoids exit-and-recompile loop correctly.

This change is very sensitive to the correct AI and appropriate predictions. Thus, this patch finds
and fixes some related issues. One is incorrect prediction of ToThis and another is incorrect
AI logic for Int52Rep.

This change dramatically improves kraken benchmarks' crypto-pbkdf2 and crypto-sha256-iterative
by 42.0% and 30.7%, respectively.

                                             baseline                  patched
Kraken:
ai-astar                                  158.851+-4.132      ?     159.433+-5.176         ?
audio-beat-detection                       53.193+-1.621      ?      53.391+-2.072         ?
audio-dft                                 103.589+-2.277      ?     104.902+-1.924         ? might be 1.0127x slower
audio-fft                                  40.491+-1.102             39.854+-0.755           might be 1.0160x faster
audio-oscillator                           68.504+-1.721      ?      68.957+-1.725         ?
imaging-darkroom                          118.367+-2.171      ?     119.581+-2.310         ? might be 1.0103x slower
imaging-desaturate                         71.443+-1.461      ?      72.398+-1.918         ? might be 1.0134x slower
imaging-gaussian-blur                     110.648+-4.035            109.184+-3.373           might be 1.0134x faster
json-parse-financial                       60.363+-1.628      ?      61.936+-1.585         ? might be 1.0261x slower
json-stringify-tinderbox                   37.903+-0.869      ?      39.559+-1.607         ? might be 1.0437x slower
stanford-crypto-aes                        56.313+-1.512      ?      56.675+-1.715         ?
stanford-crypto-ccm                        51.564+-1.900      ?      53.456+-2.548         ? might be 1.0367x slower
stanford-crypto-pbkdf2                    129.546+-2.738      ^      91.214+-2.027         ^ definitely 1.4202x faster
stanford-crypto-sha256-iterative           43.515+-0.730      ^      33.292+-0.653         ^ definitely 1.3071x faster

<arithmetic>                               78.878+-0.528      ^      75.988+-0.621         ^ definitely 1.0380x faster

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addShouldSpeculateAnyInt):
* dfg/DFGPredictionPropagationPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):


  Commit: 2a5e8f94cb5753da8f8c7bdab16f3b6dd4a9661b
      https://github.com/WebKit/WebKit/commit/2a5e8f94cb5753da8f8c7bdab16f3b6dd4a9661b
  Author: Dean Jackson <dino at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/CSSDefaultStyleSheets.cpp

  Log Message:
  -----------
  Merge r214305 - NeverDestroyed<MediaQueryEvaluator> must explicitly construct with a String
https://bugs.webkit.org/show_bug.cgi?id=169987
<rdar://problem/31211087>

Reviewed by Alex Christensen.

CSSDefaultStyleSheets creates a static MediaQueryEvaluator, but thanks
to the template magic of NeverDestroyed, it was converting the char*
argument into a bool, and calling the wrong constructor.

Unfortunately this is difficult to test because it only affects
the default UA style sheets, and they currently don't have
any @media rules (which would always evaluate to true given
the bug). I don't want to put in a useless rule just to check
if the bug is fixed. When one is added for bug 168447, this change
will be exercised.

* css/CSSDefaultStyleSheets.cpp: Explicitly construct with a String
rather than a char*.
(WebCore::screenEval):
(WebCore::printEval):


  Commit: 89635e4f0b36f53a3bb204a7fb1c737c9690032a
      https://github.com/WebKit/WebKit/commit/89635e4f0b36f53a3bb204a7fb1c737c9690032a
  Author: Brady Eidson <beidson at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/storage/websql/private-browsing-open-disabled-expected.txt
    A LayoutTests/storage/websql/private-browsing-open-disabled.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/Modules/webdatabase/DatabaseManager.cpp
    M Source/WebCore/Modules/webdatabase/DatabaseManager.h

  Log Message:
  -----------
  Merge r214309 - WebSQL databases should not be openable in private browsing.
<rdar://problem/30383335> and https://bugs.webkit.org/show_bug.cgi?id=170013

Reviewed by Alex Christensen.

Source/WebCore:

Test: storage/websql/private-browsing-open-disabled.html

* Modules/webdatabase/DatabaseManager.cpp:
(WebCore::DatabaseManager::openDatabaseBackend):
(WebCore::DatabaseManager::tryToOpenDatabaseBackend): Throw an exception if in private browsing.
* Modules/webdatabase/DatabaseManager.h:

LayoutTests:

* storage/websql/private-browsing-open-disabled-expected.txt: Added.
* storage/websql/private-browsing-open-disabled.html: Added.


  Commit: 0904c8aebfce4604f281fc00e5d73f54263c28bc
      https://github.com/WebKit/WebKit/commit/0904c8aebfce4604f281fc00e5d73f54263c28bc
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/regress-169783.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/ftl/FTLOperations.cpp
    M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
    M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
    M Source/JavaScriptCore/runtime/JSArray.cpp
    M Source/JavaScriptCore/runtime/JSArray.h
    M Source/JavaScriptCore/runtime/RegExpMatchesArray.cpp
    M Source/JavaScriptCore/runtime/RegExpMatchesArray.h

  Log Message:
  -----------
  Merge r214313 - Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks.
https://bugs.webkit.org/show_bug.cgi?id=169783

Reviewed by Saam Barati.

JSTests:

* stress/regress-169783.js: Added.

Source/JavaScriptCore:

Fixed clients of tryCreateForInitializationPrivate() to do a null check and throw
an OutOfMemoryError if allocation fails, or RELEASE_ASSERT that the allocation
succeeds.

* dfg/DFGOperations.cpp:
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateForInitializationPrivate):
(JSC::JSArray::fastSlice):
* runtime/JSArray.h:
(JSC::constructArray):
(JSC::constructArrayNegativeIndexed):
* runtime/RegExpMatchesArray.cpp:
(JSC::createEmptyRegExpMatchesArray):
* runtime/RegExpMatchesArray.h:
(JSC::createRegExpMatchesArray):


  Commit: 871659ca0703dc3cd64763507f5c6dcb58e26b82
      https://github.com/WebKit/WebKit/commit/871659ca0703dc3cd64763507f5c6dcb58e26b82
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/NetworkProcess/cache/NetworkCacheStorage.cpp

  Log Message:
  -----------
  Merge r214786 - Mutex may be freed too late in NetworkCache::Storage::traverse
https://bugs.webkit.org/show_bug.cgi?id=170400
<rdar://problem/30515865>

Reviewed by Carlos Garcia Campos and Andreas Kling.

Fix a race.

* NetworkProcess/cache/NetworkCacheStorage.cpp:
(WebKit::NetworkCache::Storage::traverse):

    Ensure the mutex is not accessed after we dispatch to the main thread.
    The main thread call deletes the owning TraverseOperation.


  Commit: 11d5ac7c19d824fe4b14974dfd3d32b91f10ed4f
      https://github.com/WebKit/WebKit/commit/11d5ac7c19d824fe4b14974dfd3d32b91f10ed4f
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/microbenchmarks/int52-back-and-forth.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGGraph.h

  Log Message:
  -----------
  Merge r214323 - [JSC][DFG] Make addShouldSpeculateAnyInt more conservative to avoid regression caused by Double <-> Int52 conversions
https://bugs.webkit.org/show_bug.cgi?id=169998

Reviewed by Saam Barati.

JSTests:

* microbenchmarks/int52-back-and-forth.js: Added.
(shouldBe):
(num):

Source/JavaScriptCore:

Double <-> Int52 and JSValue <-> Int52 conversions are not so cheap. Thus, Int52Rep is super carefully emitted.
We make addShouldSpeculateAnyInt more conservative to avoid regressions caused by the above conversions.
We select ArithAdd(Int52, Int52) only when this calculation is beneficial compared to added Int52Rep conversions.

This patch tightens the conditions of addShouldSpeculateAnyInt.

1. Honor DoubleConstant.

When executing imaging-darkroom, we have a thing like this:

    132:< 2:loc36> DoubleConstant(Double|UseAsOther, AnyIntAsDouble, Double: 4607182418800017408, 1.000000, bc#114)
    1320:< 1:loc38>        Int52Rep(Check:Int32:@82, Int52|PureInt, Int32, Exits, bc#114)
    1321:< 1:loc39>        Int52Constant(Int52|PureInt, Boolint32Nonboolint32Int52, Double: 4607182418800017408, 1.000000, bc#114)
    133:<!3:loc39> ArithSub(Int52Rep:@1320<Int52>, Int52Rep:@1321<Int52>, Int52|MustGen, Int52, CheckOverflow, Exits, bc#114)

The LHS of ArithSub says predicting Boolint32, and the RHS says AnyIntAsDouble. Thus we select ArithSub(Int52, Int52) instead
of ArithSub(Double, Double). However, it soon causes OSR exits. In imaging-darkroom, LHS's Int32 prediction will be broken.
While speculating Int32 in the above situation is a reasonable approach since the given LHS says predicting Int32, this causes
severe performance regression.

Previously, we always selected ArithSub(Double, Double). So accidentally, we did not encounter this misprediction issue.

One thing can be found that we have DoubleConstant in the RHS. It means that we have `1.0` instead of `1` in the code.
We can see the code like `lhs - 1.0` instead of `lhs - 1` in imaging-darkroom. It offers good information that lhs and
the resulting value would be double. Handling the above ArithSub in double seems more appropriate rather than handling
it in Int52.

So, in this patch, we honor DoubleConstant. If we find DoubleConstant on one operand, we give up selecting
Arith[Sub,Add](Int52, Int52). This change removes OSR exits occurring in imaging-darkroom right now.

2. Two Int52Rep(Double) conversions are not desirable.

We allow AnyInt ArithAdd only when one operand of the binary operation should be speculated AnyInt. It is a bit conservative
decision. This is because Double to Int52 conversion is not so cheap. Frequent back-and-forth conversions between Double and Int52
rather hurt the performance. If one operand of the operation is already Int52, the cost for constructing ArithAdd becomes
cheap since only one Double to Int52 conversion could be required.
This recovers some regression in assorted tests while keeping kraken crypto improvements.

3. Avoid frequent Int52 to JSValue conversions.

Int52 to JSValue conversion is not so cheap. Thus, we would like to avoid such situations. So, in this patch, we allow
Arith(Int52, Int52) with AnyIntAsDouble operand only when the node is used as number. By doing so, we avoid the case like,
converting Int52, performing ArithAdd, and soon converting back to JSValue.

The above 3 changes recover the regression measured in microbenchmarks/int52-back-and-forth.js and assorted benchmarks.
And still it keeps kraken crypto improvements.

                                           baseline                  patched

imaging-darkroom                       201.112+-3.192      ^     189.532+-2.883         ^ definitely 1.0611x faster
stanford-crypto-pbkdf2                 103.953+-2.325            100.926+-2.396           might be 1.0300x faster
stanford-crypto-sha256-iterative        35.103+-1.071      ?      36.049+-1.143         ? might be 1.0270x slower

* dfg/DFGGraph.h:
(JSC::DFG::Graph::addShouldSpeculateAnyInt):


  Commit: aef25df847ff2906f18553797118f91f886b74c8
      https://github.com/WebKit/WebKit/commit/aef25df847ff2906f18553797118f91f886b74c8
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/ArrayPrototype.cpp

  Log Message:
  -----------
  Merge r214334 - Array.prototype.splice behaves incorrectly when the VM is "having a bad time".
https://bugs.webkit.org/show_bug.cgi?id=170025
<rdar://problem/31228679>

Reviewed by Saam Barati.

* runtime/ArrayPrototype.cpp:
(JSC::copySplicedArrayElements):
(JSC::arrayProtoFuncSplice):


  Commit: 0993b3edd3f8f8e1cef843cde1c1613c8ff792ef
      https://github.com/WebKit/WebKit/commit/0993b3edd3f8f8e1cef843cde1c1613c8ff792ef
  Author: Per Arne Vollan <pvollan at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/media/track/track-css-stroke-cues-expected.txt
    M LayoutTests/media/track/track-css-stroke-cues.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/track/TextTrackCueGeneric.cpp
    M Source/WebCore/html/track/VTTCue.cpp

  Log Message:
  -----------
  Merge r214340 - Text stroke is sometimes clipped on video captions.
https://bugs.webkit.org/show_bug.cgi?id=170006

Reviewed by Eric Carlson.

Source/WebCore:

Set 'overflow' property to 'visible' on cue element to avoid clipping of text stroke.

Updated test media/track/track-css-stroke-cues.html.

* html/track/TextTrackCueGeneric.cpp:
(WebCore::TextTrackCueGenericBoxElement::applyCSSProperties):
* html/track/VTTCue.cpp:
(WebCore::VTTCueBox::applyCSSProperties):

LayoutTests:

* media/track/track-css-stroke-cues-expected.txt:
* media/track/track-css-stroke-cues.html:


  Commit: 0a414fad042c2ecc022222d4904cde42e6499206
      https://github.com/WebKit/WebKit/commit/0a414fad042c2ecc022222d4904cde42e6499206
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/to-string-int52.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/NumberPrototype.cpp

  Log Message:
  -----------
  Merge r214345 - [JSC] Use jsNontrivialString aggressively for ToString(Int52)
https://bugs.webkit.org/show_bug.cgi?id=170002

Reviewed by Sam Weinig.

JSTests:

* stress/to-string-int52.js: Added.
(shouldBe):
(toString10):
(expected):

Source/JavaScriptCore:

We use the same logic used for Int32 to use jsNontrivialString.
After the single-character check, the produced string is always longer than 1.
Thus, we can use jsNontrivialString.

* runtime/NumberPrototype.cpp:
(JSC::int52ToString):


  Commit: 17adb635ed2c6e754e487aa0f69ecc5059ac5b0a
      https://github.com/WebKit/WebKit/commit/17adb635ed2c6e754e487aa0f69ecc5059ac5b0a
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail-expected.txt
    A LayoutTests/fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/NavigationScheduler.cpp
    M Source/WebCore/loader/NavigationScheduler.h

  Log Message:
  -----------
  Merge r214365 - Prevent new navigations during document unload
https://bugs.webkit.org/show_bug.cgi?id=169934
<rdar://problem/31247584>

Reviewed by Chris Dumez.

Source/WebCore:

Similar to our policy of preventing new navigations from onbeforeunload handlers
we should prevent new navigations that are initiated during the document unload
process.

The significant part of this change is the instantiation of the RAII object NavigationDisabler
in Document::prepareForDestruction(). The rest of this change just renames class
NavigationDisablerForBeforeUnload to NavigationDisabler now that this RAII class is
used to prevent navigation from both onbeforeunload event handlers and when unloading
a document.

Test: fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html

* dom/Document.cpp:
(WebCore::Document::prepareForDestruction): Disable new navigations when disconnecting
subframes. Also assert that the document is not in the page cache before we fall off
the end of the function.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::isNavigationAllowed): Update for renaming below.
(WebCore::FrameLoader::shouldClose): Ditto.
* loader/NavigationScheduler.cpp:
(WebCore::NavigationScheduler::shouldScheduleNavigation): Ditto.
* loader/NavigationScheduler.h:
(WebCore::NavigationDisabler::NavigationDisabler): Renamed class; formerly named NavigationDisablerForBeforeUnload.
(WebCore::NavigationDisabler::~NavigationDisabler): Ditto.
(WebCore::NavigationDisabler::isNavigationAllowed): Ditto.
(WebCore::NavigationDisablerForBeforeUnload::NavigationDisablerForBeforeUnload): Deleted.
(WebCore::NavigationDisablerForBeforeUnload::~NavigationDisablerForBeforeUnload): Deleted.
(WebCore::NavigationDisablerForBeforeUnload::isNavigationAllowed): Deleted.

LayoutTests:

Add a test to ensure that we do not cause an assertion fail when calling setTimeout
after starting a navigation from an onunload event handler.

* fast/frames/frame-unload-navigate-and-setTimeout-assert-fail-expected.txt: Added.
* fast/frames/frame-unload-navigate-and-setTimeout-assert-fail.html: Added.
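
As an added illustration of the RAII guard pattern this change describes (example code, not WebKit's; the Document, NavigationScheduler and NavigationDisabler names are borrowed from the ChangeLog entries above, but their bodies, the process-wide counter and the scenario functions are a hypothetical simplification):

```cpp
// Added example, not WebKit code: a model of disabling navigation for the
// duration of document unload with an RAII guard.
#include <cassert>
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

namespace model {

// Process-wide count of live guards; navigation is allowed only while it is zero.
// (Assumption for the example: the real class keeps an equivalent static counter.)
static unsigned g_navigationDisableCount = 0;

class NavigationDisabler {
public:
    NavigationDisabler() { ++g_navigationDisableCount; }
    ~NavigationDisabler() { --g_navigationDisableCount; }
    NavigationDisabler(const NavigationDisabler&) = delete;
    NavigationDisabler& operator=(const NavigationDisabler&) = delete;
    static bool isNavigationAllowed() { return g_navigationDisableCount == 0; }
};

struct NavigationScheduler {
    std::vector<std::string> scheduled; // URLs accepted for navigation
    std::vector<std::string> rejected;  // URLs dropped because navigation was disabled

    bool shouldScheduleNavigation() const { return NavigationDisabler::isNavigationAllowed(); }

    void scheduleLocationChange(const std::string& url) {
        if (!shouldScheduleNavigation()) {
            rejected.push_back(url);
            return;
        }
        scheduled.push_back(url);
    }
};

class Document {
public:
    explicit Document(NavigationScheduler& s) : m_scheduler(s) {}
    void setUnloadHandler(std::function<void(Document&)> h) { m_unloadHandler = std::move(h); }
    NavigationScheduler& scheduler() { return m_scheduler; }

    // Models prepareForDestruction(): the guard lives for the whole unload
    // sequence, so script run from the unload handler cannot start a navigation.
    void prepareForDestruction() {
        NavigationDisabler disabler;
        if (m_unloadHandler)
            m_unloadHandler(*this); // fires "unload"
        // subframe disconnection etc. would follow here, still under the guard
    }

private:
    NavigationScheduler& m_scheduler;
    std::function<void(Document&)> m_unloadHandler;
};

struct Outcome {
    std::size_t scheduled;
    std::size_t rejected;
    bool allowedAfterUnload;
};

// Scenario: an unload handler tries to start a new navigation while the
// document is being torn down. The earlier, pre-unload navigation is accepted.
Outcome runUnloadScenario() {
    NavigationScheduler scheduler;
    Document doc(scheduler);
    doc.setUnloadHandler([](Document& d) {
        d.scheduler().scheduleLocationChange("https://example.invalid/from-unload");
    });
    scheduler.scheduleLocationChange("https://example.invalid/before-unload");
    doc.prepareForDestruction();
    return { scheduler.scheduled.size(), scheduler.rejected.size(),
             NavigationDisabler::isNavigationAllowed() };
}

// Nested guards (e.g. beforeunload dispatch around the unload of a subframe)
// must keep navigation disabled until the outermost guard goes away.
bool nestedDisablersRestoreState() {
    bool allowedBefore = NavigationDisabler::isNavigationAllowed();
    bool blockedInner = false;
    {
        NavigationDisabler outer;
        {
            NavigationDisabler inner;
            blockedInner = !NavigationDisabler::isNavigationAllowed();
        }
        if (NavigationDisabler::isNavigationAllowed())
            return false; // outer guard is still alive
    }
    return allowedBefore && blockedInner && NavigationDisabler::isNavigationAllowed();
}

} // namespace model
```

The point of the scoping is that the guard is released by the destructor on every exit path, including exceptions, so a navigation request made from arbitrary script during unload is dropped rather than racing the teardown.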


  Commit: c0b7e5560bfd3aef2f0120dd54e9ccd61af3e0e1
      https://github.com/WebKit/WebKit/commit/c0b7e5560bfd3aef2f0120dd54e9ccd61af3e0e1
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
    M Source/JavaScriptCore/runtime/JSArray.cpp

  Log Message:
  -----------
  Merge r214374 - Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it.
https://bugs.webkit.org/show_bug.cgi?id=170064
<rdar://problem/31246098>

Reviewed by Geoffrey Garen.

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoPrivateFuncConcatMemcpy):
* runtime/JSArray.cpp:
(JSC::JSArray::fastSlice):


  Commit: 6b0d08da7c75643c870c2fa02dd1fcb8d3e66c22
      https://github.com/WebKit/WebKit/commit/6b0d08da7c75643c870c2fa02dd1fcb8d3e66c22
  Author: Brady Eidson <beidson at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/storage/indexeddb/modern/resources/single-entry-index-invalid-key-crash.js
    A LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-expected.txt
    A LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-private-expected.txt
    A LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-private.html
    A LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/Modules/indexeddb/IDBKeyPath.cpp
    M Source/WebCore/Modules/indexeddb/IDBKeyPath.h
    M Source/WebCore/Modules/indexeddb/IDBObjectStore.cpp
    M Source/WebCore/Modules/indexeddb/shared/IDBIndexInfo.cpp
    M Source/WebCore/bindings/js/IDBBindingUtilities.cpp

  Log Message:
  -----------
  Merge r214375 - A null compound index value crashes the Databases process.
<rdar://problem/30499831> and https://bugs.webkit.org/show_bug.cgi?id=170000

Reviewed by Alex Christensen.

Source/WebCore:

Test: storage/indexeddb/modern/single-entry-index-invalid-key-crash.html

* bindings/js/IDBBindingUtilities.cpp:
(WebCore::createKeyPathArray): Fix the bug by rejecting arrays with any invalid keys in them.

Add some logging:
* Modules/indexeddb/IDBKeyPath.cpp:
(WebCore::loggingString):
* Modules/indexeddb/IDBKeyPath.h:
* Modules/indexeddb/IDBObjectStore.cpp:
(WebCore::IDBObjectStore::createIndex):
* Modules/indexeddb/shared/IDBIndexInfo.cpp:
(WebCore::IDBIndexInfo::loggingString):

LayoutTests:

* storage/indexeddb/modern/resources/single-entry-index-invalid-key-crash.js: Added.
* storage/indexeddb/modern/single-entry-index-invalid-key-crash-expected.txt: Added.
* storage/indexeddb/modern/single-entry-index-invalid-key-crash-private-expected.txt: Added.
* storage/indexeddb/modern/single-entry-index-invalid-key-crash-private.html: Added.
* storage/indexeddb/modern/single-entry-index-invalid-key-crash.html: Added.
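
An added example (not WebKit's code) of the rule this change describes for createKeyPathArray, rejecting a compound key when any component is invalid; the IDBKey type, the record map, the sample values and the unchecked variant shown for contrast are hypothetical simplifications constructed for the example:

```cpp
// Added example, not WebKit code: validate every component of a compound
// (array) key before building it, instead of producing an array with a hole.
#include <cstddef>
#include <map>
#include <optional>
#include <string>
#include <vector>

namespace model {

struct IDBKey;
using KeyArray = std::vector<IDBKey>;

// Hypothetical key type: invalid (value at the key path was missing or not a
// valid key), a number, a string, or an array of keys.
struct IDBKey {
    enum class Type { Invalid, Number, String, Array };
    Type type = Type::Invalid;
    double number = 0;
    std::string string;
    KeyArray array;

    static IDBKey invalid() { return {}; }
    static IDBKey fromNumber(double n) { IDBKey k; k.type = Type::Number; k.number = n; return k; }
    static IDBKey fromString(std::string s) { IDBKey k; k.type = Type::String; k.string = std::move(s); return k; }
    bool isValid() const { return type != Type::Invalid; }
};

using Record = std::map<std::string, IDBKey>; // key path -> key evaluated at that path

// Hardened form: returns no key at all if ANY component is missing or invalid.
std::optional<IDBKey> createKeyPathArray(const std::vector<std::string>& keyPaths, const Record& record) {
    KeyArray components;
    components.reserve(keyPaths.size());
    for (const auto& path : keyPaths) {
        auto it = record.find(path);
        if (it == record.end() || !it->second.isValid())
            return std::nullopt; // reject the whole compound key
        components.push_back(it->second);
    }
    IDBKey key;
    key.type = IDBKey::Type::Array;
    key.array = std::move(components);
    return key;
}

// Contrast: build the array regardless, leaving an invalid entry for a missing
// component. Downstream code that assumes every component is valid then sees a
// null entry, which is the condition the commit message says crashed the process.
IDBKey createKeyPathArrayUnchecked(const std::vector<std::string>& keyPaths, const Record& record) {
    IDBKey key;
    key.type = IDBKey::Type::Array;
    for (const auto& path : keyPaths) {
        auto it = record.find(path);
        key.array.push_back(it == record.end() ? IDBKey::invalid() : it->second);
    }
    return key;
}

// Constructed sample record for the example.
static Record sampleRecord(bool includeSecondComponent) {
    Record record;
    record["id"] = IDBKey::fromNumber(42);
    if (includeSecondComponent)
        record["name"] = IDBKey::fromString("alice");
    return record;
}

// Both components present and valid: an Array key with two entries.
std::size_t compoundKeySizeForCompleteRecord() {
    auto key = createKeyPathArray({"id", "name"}, sampleRecord(true));
    return key ? key->array.size() : 0;
}

// Second component absent: the whole key is rejected.
bool compoundKeyRejectedForIncompleteRecord() {
    return !createKeyPathArray({"id", "name"}, sampleRecord(false)).has_value();
}

// A component that evaluates to an explicitly invalid key is rejected the same way.
bool compoundKeyRejectedForInvalidComponent() {
    Record record = sampleRecord(true);
    record["name"] = IDBKey::invalid();
    return !createKeyPathArray({"id", "name"}, record).has_value();
}

// The unchecked variant hands one invalid component to whoever consumes the key.
std::size_t invalidComponentsInUncheckedKey() {
    IDBKey key = createKeyPathArrayUnchecked({"id", "name"}, sampleRecord(false));
    std::size_t invalid = 0;
    for (const auto& component : key.array)
        if (!component.isValid())
            ++invalid;
    return invalid;
}

} // namespace model
```

Rejecting at the boundary where the key is assembled keeps the invariant "every array component is a valid key" local to one function, so the storage side never has to defend against partially formed keys.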


  Commit: 02524f835d035a244e6a7626311f6cc4ff28b2c5
      https://github.com/WebKit/WebKit/commit/02524f835d035a244e6a7626311f6cc4ff28b2c5
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog

  Log Message:
  -----------
  Merge r214392 - media/restore-from-page-cache.html causes NoEventDispatchAssertion::isEventAllowedInMainThread() assertion failure
https://bugs.webkit.org/show_bug.cgi?id=170087
<rdar://problem/31254822>

Reviewed by Simon Fraser.

Reduce the scope of code that should never dispatch DOM events so as to allow updating contents size
after restoring a page from the page cache.

In r214014 we instantiate a NoEventDispatchAssertion in FrameLoader::commitProvisionalLoad()
around the call to CachedPage::restore() to assert when a DOM event is dispatched during
page restoration as such events can cause re-entrancy into the page cache. As it turns out
it is sufficient to ensure that no DOM events are dispatched after restoring all cached frames
as opposed to after CachedPage::restore() returns.

Also rename Document::enqueue{Pageshow, Popstate}Event() to dispatch{Pageshow, Popstate}Event(),
respectively, since they synchronously dispatch events :(. We hope in the future to make them
asynchronously dispatch events.

* dom/Document.cpp:
(WebCore::Document::implicitClose): Update for renaming.
(WebCore::Document::statePopped): Ditto.
(WebCore::Document::dispatchPageshowEvent): Renamed; formerly named enqueuePageshowEvent().
(WebCore::Document::dispatchPopstateEvent): Renamed; formerly named enqueuePopstateEvent().
(WebCore::Document::enqueuePageshowEvent): Deleted.
(WebCore::Document::enqueuePopstateEvent): Deleted.
* dom/Document.h:
* history/CachedPage.cpp:
(WebCore::firePageShowAndPopStateEvents): Moved logic from FrameLoader::didRestoreFromCachedPage() to here.
(WebCore::CachedPage::restore): Modified to call firePageShowAndPopStateEvents().
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad): Removed use of NoEventDispatchAssertion RAII object. We
will instantiate it in CachedPage::restore() with a smaller scope.
(WebCore::FrameLoader::didRestoreFromCachedPage): Deleted; moved logic from here to WebCore::firePageShowAndPopStateEvents().
* loader/FrameLoader.h:


  Commit: e6e950a3fad975cabaf663a67e94c25be37e716c
      https://github.com/WebKit/WebKit/commit/e6e950a3fad975cabaf663a67e94c25be37e716c
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    R LayoutTests/platform/gtk/http/tests/loading/server-redirect-for-provisional-load-caching-expected.txt

  Log Message:
  -----------
  Merge r214248 - Unreviewed GTK+ gardening. Remove platform expectation after r214246.

* platform/gtk/http/tests/loading/server-redirect-for-provisional-load-caching-expected.txt: Removed.


  Commit: 80732e07ab2da244a24774550830427d77406349
      https://github.com/WebKit/WebKit/commit/80732e07ab2da244a24774550830427d77406349
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestPrinting.cpp

  Log Message:
  -----------
  Merge r214398 - [GTK] No value returned from PrintCustomWidgetTest::createWebKitPrintOperation() in TestPrinting.cpp
https://bugs.webkit.org/show_bug.cgi?id=170059

Patch by Adrian Perez de Castro <aperez at igalia.com> on 2017-03-25
Reviewed by Carlos Garcia Campos.

* TestWebKitAPI/Tests/WebKit2Gtk/TestPrinting.cpp: Use "void" as return type in the declaration,
the only use of the method in this same file ignores the returned value anyway.


  Commit: 05ed2efc4ab19718dc65c3fc7c7686ff33a2583c
      https://github.com/WebKit/WebKit/commit/05ed2efc4ab19718dc65c3fc7c7686ff33a2583c
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/shadow-dom/slot-renderer-teardown-expected.txt
    A LayoutTests/fast/shadow-dom/slot-renderer-teardown.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/style/RenderTreeUpdater.cpp

  Log Message:
  -----------
  Merge r214501 - Missing render tree position invalidation when tearing down renderers for display:contents subtree
https://bugs.webkit.org/show_bug.cgi?id=170199
<rdar://problem/31260856>

Reviewed by Zalan Bujtas.

Source/WebCore:

Test: fast/shadow-dom/slot-renderer-teardown.html

* style/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::updateElementRenderer):

    Invalidate the render tree position in case we do a teardown for an element without renderer.

LayoutTests:

* fast/shadow-dom/slot-renderer-teardown-expected.txt: Added.
* fast/shadow-dom/slot-renderer-teardown.html: Added.


  Commit: 6d99a91b2b6c61b73e40c07c5c548dd1064b14d3
      https://github.com/WebKit/WebKit/commit/6d99a91b2b6c61b73e40c07c5c548dd1064b14d3
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/heap/Heap.cpp

  Log Message:
  -----------
  Merge r214509 - The Mutator should not be able to steal the conn if the Collector hasn't reached the NotRunning phase yet.
https://bugs.webkit.org/show_bug.cgi?id=170213
<rdar://problem/30755345>

Reviewed by Filip Pizlo.

The current condition for stealing the conn isn't tight enough.  Restricting the
stealing to when m_currentPhase == NotRunning ensures that the Collector is
really done running.

No test because this issue only manifests with a race condition that is difficult
to reproduce on demand.

* heap/Heap.cpp:
(JSC::Heap::requestCollection):


  Commit: 4488f826e1f7127a41db7f982241755625c8e2f2
      https://github.com/WebKit/WebKit/commit/4488f826e1f7127a41db7f982241755625c8e2f2
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt
    M LayoutTests/fast/dom/Attr/make-unique-element-data-while-replacing-attr.html
    A LayoutTests/fast/dom/Attr/only-attach-attr-once-expected.txt
    A LayoutTests/fast/dom/Attr/only-attach-attr-once.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/dom/Element.h

  Log Message:
  -----------
  Merge r214510 - Only attach Attributes to a given element one time
https://bugs.webkit.org/show_bug.cgi?id=170125
<rdar://problem/31279676>

Reviewed by Chris Dumez.

Source/WebCore:

Attach the attribute node to the Element before calling 'setAttributeInternal', since that method may cause
arbitrary JavaScript events to fire.

Test: fast/dom/Attr/only-attach-attr-once.html

* dom/Element.cpp:
(WebCore::Element::attachAttributeNodeIfNeeded): Added.
(WebCore::Element::setAttributeNode): Use new method. Revise to attach attribute before calling 'setAttributeInternal'.
(WebCore::Element::setAttributeNodeNS): Ditto.
* dom/Element.h:

LayoutTests:

* fast/dom/Attr/make-unique-element-data-while-replacing-attr-expected.txt: Rebaselined.
* fast/dom/Attr/make-unique-element-data-while-replacing-attr.html: Add check before setting new value.
* fast/dom/Attr/only-attach-attr-once-expected.txt: Added.
* fast/dom/Attr/only-attach-attr-once.html: Added.


  Commit: 3d6c6821c60e353edb7c2e358a0655710abd0d12
      https://github.com/WebKit/WebKit/commit/3d6c6821c60e353edb7c2e358a0655710abd0d12
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/block/float/placing-multiple-floats-crash-expected.txt
    A LayoutTests/fast/block/float/placing-multiple-floats-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Merge r214588 - RenderBlockFlow::addFloatsToNewParent should check if float is already added to the object list.
https://bugs.webkit.org/show_bug.cgi?id=170259
<rdar://problem/31300584>

Reviewed by Simon Fraser.

Source/WebCore:

r210145 assumed that m_floatingObjects would simply ignore the floating box if it was already in the list.

Test: fast/block/float/placing-multiple-floats-crash.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::addFloatsToNewParent):

LayoutTests:

* fast/block/float/placing-multiple-floats-crash-expected.txt: Added.
* fast/block/float/placing-multiple-floats-crash.html: Added.


  Commit: 4680cd6de6dd15e670871b7cd6faa0ec957d3a1b
      https://github.com/WebKit/WebKit/commit/4680cd6de6dd15e670871b7cd6faa0ec957d3a1b
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/removing-focused-object-element-expected.txt
    A LayoutTests/fast/dom/removing-focused-object-element.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Merge r214599 - Disconnecting a HTMLObjectElement does not always unload its content document
https://bugs.webkit.org/show_bug.cgi?id=169606

Reviewed by Andy Estes.

Source/WebCore:

When removing a node, we first disconnect all subframes then update the focused element as we remove each child.
However, when the removed element is a focused object element with a content document, removeFocusedNodeOfSubtree
can update the style tree synchronously inside Document::setFocusedElement, and reload the document.

Avoid this by instantiating a SubframeLoadingDisabler on the parent of the focused element.

Test: fast/dom/removing-focused-object-element.html

* dom/Document.cpp:
(WebCore::Document::removeFocusedNodeOfSubtree):

LayoutTests:

Add a regression test.

* fast/dom/removing-focused-object-element-expected.txt: Added.
* fast/dom/removing-focused-object-element.html: Added.


  Commit: 687d7c5389d6a1c2cd5e0c13c8b0a2a70dc7e339
      https://github.com/WebKit/WebKit/commit/687d7c5389d6a1c2cd5e0c13c8b0a2a70dc7e339
  Author: Eric Carlson <eric.carlson at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/webaudio/audiobuffer-crash-expected.txt
    A LayoutTests/webaudio/audiobuffer-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/Modules/webaudio/AudioBuffer.cpp
    M Source/WebCore/Modules/webaudio/AudioBuffer.h

  Log Message:
  -----------
  Merge r214618 - [Crash] WebCore::AudioBuffer::AudioBuffer doesn't check illegal value
https://bugs.webkit.org/show_bug.cgi?id=169956

Reviewed by Youenn Fablet.

Source/WebCore:

Test: webaudio/audiobuffer-crash.html

* Modules/webaudio/AudioBuffer.cpp:
(WebCore::AudioBuffer::AudioBuffer): Invalidate the object and return early if the channel
array allocation fails.
(WebCore::AudioBuffer::AudioBuffer): Ditto.
(WebCore::AudioBuffer::invalidate): Invalidate the object.
* Modules/webaudio/AudioBuffer.h:

LayoutTests:

* webaudio/audiobuffer-crash-expected.txt: Added.
* webaudio/audiobuffer-crash.html: Added.


  Commit: b2c9066b331bdc527edafefb2e8edbfeff3aa810
      https://github.com/WebKit/WebKit/commit/b2c9066b331bdc527edafefb2e8edbfeff3aa810
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/IntlObject.cpp

  Log Message:
  -----------
  Merge r214637 - IntlObject should not be using JSArray::initializeIndex().
https://bugs.webkit.org/show_bug.cgi?id=170302
<rdar://problem/31356918>

Reviewed by Saam Barati.

JSArray::initializeIndex() is only meant to be used with arrays created using
JSArray::tryCreateForInitializationPrivate() under very constrained conditions.

* runtime/IntlObject.cpp:
(JSC::canonicalizeLocaleList):
(JSC::intlObjectFuncGetCanonicalLocales):


  Commit: 3bb4f809cb0221d05e13a403c187f060dab6ece3
      https://github.com/WebKit/WebKit/commit/3bb4f809cb0221d05e13a403c187f060dab6ece3
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Shared/WebPreferencesDefinitions.h

  Log Message:
  -----------
  Merge r214666 - Modern media controls should never be enabled in non cocoa ports
https://bugs.webkit.org/show_bug.cgi?id=170338

Reviewed by Michael Catanzaro.

It's currently enabled, because it uses the default value for all other runtime features, but modern media
controls are not a cross-platform feature. I think this is why media/video-click-dblckick-standalone.html
started to fail in GTK+ port after r214426. I can't reproduce the failure locally, so I can't confirm it,
though.

* Shared/WebPreferencesDefinitions.h:


  Commit: d9555aa278b8f19b0447f6e561d8e1741524ddb8
      https://github.com/WebKit/WebKit/commit/d9555aa278b8f19b0447f6e561d8e1741524ddb8
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/ArrayPrototype.cpp

  Log Message:
  -----------
  Merge r214684 - Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate().
https://bugs.webkit.org/show_bug.cgi?id=170303
<rdar://problem/31358281>

Reviewed by Filip Pizlo.

This is because it needs to call getProperty() later to get the values for
initializing the array.  getProperty() can execute arbitrary code and potentially
trigger the GC.  This is not allowed for clients of JSArray::tryCreateForInitializationPrivate().

* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
(JSC::copySplicedArrayElements): Deleted.


  Commit: f9235feffaa7746060d5e27728318c0866aedc7c
      https://github.com/WebKit/WebKit/commit/f9235feffaa7746060d5e27728318c0866aedc7c
  Author: Aleksandr Skachkov <gskachkov at gmail.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/object-number-properties.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/JSObject.cpp

  Log Message:
  -----------
  Merge r214714 - Object with numerical keys with gaps gets filled by NaN values
https://bugs.webkit.org/show_bug.cgi?id=164412

Reviewed by Mark Lam.

This patch fixes an issue when an object has two properties
whose names are numbers. The issue appears when, during invocation of
convertDoubleToArrayStorage, the array is filled with pNaN and
the method converts it to a real NaN. This happens because a
pNaN in a Double array is a hole, and Double arrays cannot
have NaN values. To fix the issue we need to check the value and
clear it if it is pNaN.

Source/JavaScriptCore:
* runtime/JSObject.cpp:
(JSC::JSObject::convertDoubleToArrayStorage):

JSTests:
* stress/object-number-properties.js: Added.


  Commit: 43ec659b55dbbdec1a3510a81eb033d01b78f520
      https://github.com/WebKit/WebKit/commit/43ec659b55dbbdec1a3510a81eb033d01b78f520
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/line/BreakingContext.h

  Log Message:
  -----------
  Merge r214726 - Long Arabic text in ContentEditable with css white-space=pre hangs Safari
https://bugs.webkit.org/show_bug.cgi?id=170245

Reviewed by Myles C. Maxfield.

While searching for a mid-word break, we measure the text by codepoints in a loop until the accumulated width > available width.
When we see that the accumulated width for the individual codepoints overflows, we join the codepoints and re-measure them.
These 2 widths could be considerably different for a number of reasons (ligatures is a prime example). When we figure that
the run still fits, we go back to the main loop (since we are not supposed to wrap the line here) and take the next codepoint.
However this time we start the measurement from the last whitespace, so we end up remeasuring a potentially long chunk of text
until we hit the wrapping point. This is way too expensive.
This patch changes the logic so that we just go back to measuring individual codepoints until we hit the constraint again.

Covered by existing tests.

* rendering/line/BreakingContext.h:
(WebCore::BreakingContext::handleText): canUseSimpleFontCodePath() is just to mitigate the potential risk of regression and
complex text is more likely to fall into this category.


  Commit: 6b3fb151d948e4ccacc38b72c3b2f244cf4f9ef6
      https://github.com/WebKit/WebKit/commit/6b3fb151d948e4ccacc38b72c3b2f244cf4f9ef6
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/heap/HeapTimer.cpp
    M Source/JavaScriptCore/heap/HeapTimer.h

  Log Message:
  -----------
  Merge r214732 - Share implementation of JSRunLoopTimer::timerDidFire
https://bugs.webkit.org/show_bug.cgi?id=170392

Reviewed by Michael Catanzaro.

The code is cross-platform but it's duplicated in CF and GLib implementations, it could be shared instead.

* runtime/JSRunLoopTimer.cpp:
(JSC::JSRunLoopTimer::timerDidFire): Move common implementation here.
(JSC::JSRunLoopTimer::setRunLoop): Use timerDidFireCallback.
(JSC::JSRunLoopTimer::timerDidFireCallback): Call JSRunLoopTimer::timerDidFire().
* runtime/JSRunLoopTimer.h:


  Commit: 9f204ea421478c78061954c6186e2527da266f9d
      https://github.com/WebKit/WebKit/commit/9f204ea421478c78061954c6186e2527da266f9d
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-04-03 (Mon, 03 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/http/tests/navigation/redirect-preserves-fragment-expected.txt
    A LayoutTests/http/tests/navigation/redirect-preserves-fragment.html
    A LayoutTests/http/tests/navigation/redirect-to-fragment-expected.txt
    A LayoutTests/http/tests/navigation/redirect-to-fragment.html
    A LayoutTests/http/tests/navigation/redirect-to-fragment2-expected.txt
    A LayoutTests/http/tests/navigation/redirect-to-fragment2.html
    A LayoutTests/http/tests/navigation/resources/redirect-preserves-fragment.php
    A LayoutTests/http/tests/navigation/resources/redirect-to-fragment.php
    A LayoutTests/http/tests/navigation/resources/redirect-to-fragment2.php
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp
    M Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.h

  Log Message:
  -----------
  Merge r214807 - [SOUP] URI Fragment is lost after redirect
https://bugs.webkit.org/show_bug.cgi?id=170058

Reviewed by Michael Catanzaro.

Source/WebKit2:

In case of redirection check if the current request has a fragment identifier and apply it to the redirection
only when it doesn't have a fragment identifier yet.

* NetworkProcess/soup/NetworkDataTaskSoup.cpp:
(WebKit::NetworkDataTaskSoup::NetworkDataTaskSoup):
(WebKit::NetworkDataTaskSoup::createRequest):
(WebKit::NetworkDataTaskSoup::continueHTTPRedirection):
* NetworkProcess/soup/NetworkDataTaskSoup.h:

LayoutTests:

Add tests to check we correctly handle fragment identifiers on server redirections.

* http/tests/navigation/redirect-preserves-fragment-expected.txt: Added.
* http/tests/navigation/redirect-preserves-fragment.html: Added.
* http/tests/navigation/redirect-to-fragment-expected.txt: Added.
* http/tests/navigation/redirect-to-fragment.html: Added.
* http/tests/navigation/redirect-to-fragment2-expected.txt: Added.
* http/tests/navigation/redirect-to-fragment2.html: Added.
* http/tests/navigation/resources/redirect-preserves-fragment.php: Added.
* http/tests/navigation/resources/redirect-to-fragment.php: Added.
* http/tests/navigation/resources/redirect-to-fragment2.php: Added.
* platform/ios/TestExpectations:
* platform/mac/TestExpectations:

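The fragment-carrying rule described in this commit message, as an added illustration that is not WebKit's NetworkDataTaskSoup code: the original request's fragment identifier is applied to the redirect target only when the Location URL carries none of its own, and the rule composes across a chain of redirects. URL handling here is deliberately simplified to searching for '#' (an assumption of the example; a real port uses its URL parser).

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Returns true when the URL carries a fragment component, including an empty one ("...#").
static bool hasFragment(std::string_view url)
{
    return url.find('#') != std::string_view::npos;
}

// Returns the fragment text after '#', or an empty string when there is none.
static std::string fragmentOf(std::string_view url)
{
    auto hash = url.find('#');
    return hash == std::string_view::npos ? std::string() : std::string(url.substr(hash + 1));
}

// Compute the URL the next request should use after a server redirect:
// keep the Location URL as-is when it already has a fragment, otherwise
// carry over the fragment of the request being redirected (if it has one).
std::string applyFragmentOnRedirect(std::string_view currentRequestUrl, std::string_view redirectLocation)
{
    std::string result(redirectLocation);
    if (hasFragment(redirectLocation))
        return result; // The redirect target chose its own fragment; do not override it.
    if (!hasFragment(currentRequestUrl))
        return result; // Nothing to carry over.
    result += '#';
    result += fragmentOf(currentRequestUrl);
    return result;
}

// Walk a chain of Location headers (constructed input), applying the rule at each hop.
std::string followRedirectChain(std::string initialUrl, const std::vector<std::string>& locations)
{
    std::string current = std::move(initialUrl);
    for (const auto& location : locations)
        current = applyFragmentOnRedirect(current, location);
    return current;
}

int main()
{
    // Constructed sample chain: the fragment survives a plain redirect, is replaced
    // by a redirect that names its own fragment, and that one survives a later hop.
    std::vector<std::string> chain = {
        "http://example.test/b",
        "http://example.test/c#own",
        "http://example.test/d",
    };
    std::cout << followRedirectChain("http://example.test/a#sec", chain) << '\n';
    return 0;
}
```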

  Commit: 422bec1b4668057bb1ad60c8bc7f0e06c81486cd
      https://github.com/WebKit/WebKit/commit/422bec1b4668057bb1ad60c8bc7f0e06c81486cd
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-04-04 (Tue, 04 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/css/document-stylesheets-dynamic-expected.html
    A LayoutTests/fast/css/document-stylesheets-dynamic.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/style/StyleScope.cpp
    M Source/WebCore/style/StyleScope.h

  Log Message:
  -----------
  Merge r214830 - REGRESSION (r207669): FileMaker Pro Help pages do not render correctly
https://bugs.webkit.org/show_bug.cgi?id=170402
<rdar://problem/31004344>

Reviewed by Simon Fraser.

Source/WebCore:

If a new stylesheet load is started from the load event the document.styleSheets does not
always reflect the already loaded stylesheets.

Test: fast/css/document-stylesheets-dynamic.html

* style/StyleScope.cpp:
(WebCore::Style::Scope::updateActiveStyleSheets):

    Remove an old optimization where we would not update active stylesheets if there were pending
    (head) stylesheet loads and they had not been updated already.
    This is probably not a valuable optimization anymore with the new lazy stylesheet update strategy.

* style/StyleScope.h:

LayoutTests:

* fast/css/document-stylesheets-dynamic-expected.html: Added.
* fast/css/document-stylesheets-dynamic.html: Added.


  Commit: f2704b859651945718f7d8382231fc2e88410c68
      https://github.com/WebKit/WebKit/commit/f2704b859651945718f7d8382231fc2e88410c68
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-04-04 (Tue, 04 Apr 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/images/background-image-relative-url-changes-document-expected.html
    A LayoutTests/fast/images/background-image-relative-url-changes-document.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/CSSImageValue.cpp

  Log Message:
  -----------
  Merge r214842 - REGRESSION (r206744): CSS background-image in style attribute ignored when using createHTMLDocument method of DOM parsing
https://bugs.webkit.org/show_bug.cgi?id=170285
<rdar://problem/31378543>

Reviewed by Andy Estes.

Source/WebCore:

r206744 caused us to stop trying to resolve relative URLs when trying to load an image
referred to by CSS. We already try to resolve the relative URL when parsing the CSS
property so this will usually work fine. However, in the case when the CSS property
is parsed in a detached document and then moved to another document, we will not have
the complete URL.

Test: fast/images/background-image-relative-url-changes-document.html

* css/CSSImageValue.cpp:
(WebCore::CSSImageValue::loadImage):

LayoutTests:

Add layout test coverage.

* fast/images/background-image-relative-url-changes-document-expected.html: Added.
* fast/images/background-image-relative-url-changes-document.html: Added.


  Commit: e99a3f7dff009e1988fc2cf76062168a5488b344
      https://github.com/WebKit/WebKit/commit/e99a3f7dff009e1988fc2cf76062168a5488b344
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-04-04 (Tue, 04 Apr 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/regress-170412.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/heap/Heap.cpp
    M Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp

  Log Message:
  -----------
  Merge r214857 - Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add().
https://bugs.webkit.org/show_bug.cgi?id=170412
<rdar://problem/29697336>

Reviewed by Filip Pizlo.

JSTests:

* stress/regress-170412.js: Added.

Source/JavaScriptCore:

Here's an example of code that will trigger underflow in the "deprecatedExtraMemory"
reported by SparseArrayValueMap::add() that is added to Heap::m_deprecatedExtraMemorySize:

    arr = new Array;
    Object.defineProperty(arr, 18, ({writable: true, configurable: true}));
    for (var i = 0; i < 3; ++i) {
        Array.prototype.push.apply(arr, ["", () => {}, {}]);
        Array.prototype.sort.apply(arr, [() => {}, []]);
    }

However, Heap::m_deprecatedExtraMemorySize is only 1 of 3 values that are added
up to form the result of Heap::extraMemorySize().  Heap::m_extraMemorySize and
Heap::m_arrayBuffers.size() are the other 2.

While Heap::m_arrayBuffers.size() is bounded by actual allocated memory, both
Heap::m_deprecatedExtraMemorySize and Heap::m_extraMemorySize are added to
without any bounds checks, and they are only reset to 0 at the start of a full
GC.  As a result, if we have a long sequence of eden GCs with a lot of additions
to Heap::m_extraMemorySize and/or Heap::m_deprecatedExtraMemorySize, then these
values could theoretically overflow.  Coupling this with the underflow from
SparseArrayValueMap::add(), the result for Heap::extraMemorySize() can easily
overflow.  Note: Heap::extraMemorySize() is used to compute the value
currentHeapSize.

If multiple conditions line up just right, the above overflows can result in this
debug assertion failure during an eden GC:

    ASSERT(currentHeapSize >= m_sizeAfterLastCollect);

Otherwise, the effects of the overflows will only result in the computed
currentHeapSize not being representative of actual memory usage, and therefore,
a full GC may be triggered earlier or later than is ideal.

This patch ensures that SparseArrayValueMap::add() cannot underflow
Heap::m_deprecatedExtraMemorySize.  It also adds overflows checks in the
calculations of Heap::m_deprecatedExtraMemorySize, Heap::m_extraMemorySize, and
Heap::extraMemorySize() so that their values are saturated appropriately to
ensure that GC collections are triggered based on representative memory usage.

* heap/Heap.cpp:
(JSC::Heap::deprecatedReportExtraMemorySlowCase):
(JSC::Heap::extraMemorySize):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::reportExtraMemoryVisited):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::add):

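The two accounting defects described in this commit message, as an added illustration that is not JavaScriptCore's Heap or SparseArrayValueMap code: a capacity delta computed as (new - old) on unsigned values wraps when the capacity shrinks, and an accumulator that is only reset at a full GC can overflow after many eden cycles. The hardened versions report only growth and saturate the running totals; the struct and function names are the example's own.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>
#include <limits>

namespace {
constexpr size_t kMax = std::numeric_limits<size_t>::max();
}

// a + b, clamped to SIZE_MAX instead of wrapping around.
size_t saturatingAdd(size_t a, size_t b)
{
    return b > kMax - a ? kMax : a + b;
}

// Buggy form for comparison: wraps to a huge value when newCapacity < oldCapacity.
size_t naiveCapacityDeltaInBytes(size_t oldCapacity, size_t newCapacity, size_t entrySize)
{
    return (newCapacity - oldCapacity) * entrySize;
}

// Hardened form: only growth is reported, and the multiplication is overflow-checked.
size_t capacityDeltaInBytes(size_t oldCapacity, size_t newCapacity, size_t entrySize)
{
    if (entrySize == 0 || newCapacity <= oldCapacity)
        return 0;
    size_t growth = newCapacity - oldCapacity;
    if (growth > kMax / entrySize)
        return kMax;
    return growth * entrySize;
}

// Three contributors to the "extra memory" figure, as in the message: two
// accumulators that are reset only at a full collection, plus array-buffer bytes.
struct ExtraMemoryAccounting {
    size_t deprecatedExtraMemorySize = 0;
    size_t extraMemorySize = 0;
    size_t arrayBufferBytes = 0;

    void deprecatedReportExtraMemory(size_t bytes)
    {
        deprecatedExtraMemorySize = saturatingAdd(deprecatedExtraMemorySize, bytes);
    }

    void reportExtraMemory(size_t bytes)
    {
        extraMemorySize = saturatingAdd(extraMemorySize, bytes);
    }

    // Saturated sum, so a long run of eden cycles cannot make this wrap to a small number.
    size_t total() const
    {
        return saturatingAdd(saturatingAdd(extraMemorySize, deprecatedExtraMemorySize), arrayBufferBytes);
    }

    void resetForFullCollection()
    {
        extraMemorySize = 0;
        deprecatedExtraMemorySize = 0;
    }
};

// Simulates repeated reports between full collections and returns the resulting total.
size_t accumulatedExtraMemory(size_t initial, size_t perReport, unsigned reports)
{
    ExtraMemoryAccounting accounting;
    accounting.extraMemorySize = initial;
    for (unsigned i = 0; i < reports; ++i)
        accounting.reportExtraMemory(perReport);
    return accounting.total();
}

int main()
{
    // Constructed values: a map whose capacity shrank from 16 to 8 entries of 24 bytes.
    std::cout << "naive delta: " << naiveCapacityDeltaInBytes(16, 8, 24) << '\n';
    std::cout << "hardened delta: " << capacityDeltaInBytes(16, 8, 24) << '\n';
    std::cout << "saturated total: " << accumulatedExtraMemory(kMax - 10, 100, 3) << '\n';
    return 0;
}
```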

  Commit: cc6f4fbedc45ed07c7043a81b3b4040cabcf6fd2
      https://github.com/WebKit/WebKit/commit/cc6f4fbedc45ed07c7043a81b3b4040cabcf6fd2
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-04-04 (Tue, 04 Apr 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.1 release.

.:

* Source/cmake/OptionsGTK.cmake: Bump version numbers.

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.16.1.


  Commit: 69cb3b983c7f4c14bf152a57bb232e54c1634bba
      https://github.com/WebKit/WebKit/commit/69cb3b983c7f4c14bf152a57bb232e54c1634bba
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-04-04 (Tue, 04 Apr 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/heap/MachineStackMarker.cpp
    M Source/JavaScriptCore/heap/MachineStackMarker.h
    M Source/JavaScriptCore/runtime/SamplingProfiler.cpp

  Log Message:
  -----------
  Merge r214319 - [JSC] MachineThreads does not consider situation that one thread has multiple VMs
https://bugs.webkit.org/show_bug.cgi?id=169819

Reviewed by Mark Lam.

The Linux port of PlatformThread suspend/resume mechanism relies on having a thread
specific singleton thread data, and was relying on MachineThreads::Thread to be this
thread specific singleton. But because MachineThreads::Thread is not a thread specific
singleton, we can get a deadlock in the GTK port's DatabaseProcess.

This patch fixes this issue by moving per thread data from MachineThreads::Thread to
MachineThreads::ThreadData, where there will only be one instance of
MachineThreads::ThreadData per thread. Each MachineThreads::Thread will now point to
the same MachineThreads::ThreadData for any given thread.

* heap/MachineStackMarker.cpp:
(pthreadSignalHandlerSuspendResume):
(JSC::threadData):
(JSC::MachineThreads::Thread::Thread):
(JSC::MachineThreads::Thread::createForCurrentThread):
(JSC::MachineThreads::Thread::operator==):
(JSC::MachineThreads::ThreadData::ThreadData):
(JSC::MachineThreads::ThreadData::~ThreadData):
(JSC::MachineThreads::ThreadData::suspend):
(JSC::MachineThreads::ThreadData::resume):
(JSC::MachineThreads::ThreadData::getRegisters):
(JSC::MachineThreads::ThreadData::Registers::stackPointer):
(JSC::MachineThreads::ThreadData::Registers::framePointer):
(JSC::MachineThreads::ThreadData::Registers::instructionPointer):
(JSC::MachineThreads::ThreadData::Registers::llintPC):
(JSC::MachineThreads::ThreadData::freeRegisters):
(JSC::MachineThreads::ThreadData::captureStack):
(JSC::MachineThreads::tryCopyOtherThreadStacks):
(JSC::MachineThreads::Thread::~Thread): Deleted.
(JSC::MachineThreads::Thread::suspend): Deleted.
(JSC::MachineThreads::Thread::resume): Deleted.
(JSC::MachineThreads::Thread::getRegisters): Deleted.
(JSC::MachineThreads::Thread::Registers::stackPointer): Deleted.
(JSC::MachineThreads::Thread::Registers::framePointer): Deleted.
(JSC::MachineThreads::Thread::Registers::instructionPointer): Deleted.
(JSC::MachineThreads::Thread::Registers::llintPC): Deleted.
(JSC::MachineThreads::Thread::freeRegisters): Deleted.
(JSC::MachineThreads::Thread::captureStack): Deleted.
* heap/MachineStackMarker.h:
(JSC::MachineThreads::Thread::operator!=):
(JSC::MachineThreads::Thread::suspend):
(JSC::MachineThreads::Thread::resume):
(JSC::MachineThreads::Thread::getRegisters):
(JSC::MachineThreads::Thread::freeRegisters):
(JSC::MachineThreads::Thread::captureStack):
(JSC::MachineThreads::Thread::platformThread):
(JSC::MachineThreads::Thread::stackBase):
(JSC::MachineThreads::Thread::stackEnd):
* runtime/SamplingProfiler.cpp:
(JSC::FrameWalker::isValidFramePointer):
* runtime/VMTraps.cpp:
(JSC::findActiveVMAndStackBounds):


  Commit: 44efe0edd58e17621a650ccdd1bb1942846b344e
      https://github.com/WebKit/WebKit/commit/44efe0edd58e17621a650ccdd1bb1942846b344e
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-05-04 (Thu, 04 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt
    A LayoutTests/fast/dom/no-assert-for-malformed-js-url-attribute.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/CharacterData.cpp

  Log Message:
  -----------
  Merge r214915 - Do not assert when CharacterData representing an Attr fires events
https://bugs.webkit.org/show_bug.cgi?id=170454
<rdar://problem/30979320>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Make the NoEventDispatchAssertion in CharacterData::notifyParentAfterChange conditional
since Attr elements should be allowed to fire events.

Tests: fast/dom/no-assert-for-malformed-js-url-attribute.html

* dom/CharacterData.cpp:
(WebCore::CharacterData::notifyParentAfterChange):

LayoutTests:

* fast/dom/no-assert-for-malformed-js-url-attribute-expected.txt: Added.
* fast/dom/no-assert-for-malformed-js-url-attribute.html: Added.


  Commit: f1406a238f1690738dbff04c6d566248290e33c7
      https://github.com/WebKit/WebKit/commit/f1406a238f1690738dbff04c6d566248290e33c7
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-04 (Thu, 04 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Shared/ChildProcess.cpp

  Log Message:
  -----------
  Merge r214947 - Show a log message when an invalid message is received in non cocoa ports
https://bugs.webkit.org/show_bug.cgi?id=170506

Patch by Carlos Garcia Campos <cgarcia at igalia.com> on 2017-04-05
Reviewed by Michael Catanzaro.

We just crash, but without knowing the details about the message it's impossible to debug.

* Shared/ChildProcess.cpp:
(WebKit::ChildProcess::didReceiveInvalidMessage):


  Commit: 65fd65ccaba0b53633e46806383e98d0eab30dd8
      https://github.com/WebKit/WebKit/commit/65fd65ccaba0b53633e46806383e98d0eab30dd8
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/InjectedBundle/API/gtk/DOM/WebKitDOMDeprecated.cpp

  Log Message:
  -----------
  Merge r215009 - [GTK] Fix build with MEDIA_CAPTURE enabled
https://bugs.webkit.org/show_bug.cgi?id=170539

Patch by Adrian Perez de Castro <aperez at igalia.com> on 2017-04-06
Reviewed by Carlos Garcia Campos.

* WebProcess/InjectedBundle/API/gtk/DOM/WebKitDOMDeprecated.cpp:
(webkit_dom_html_input_element_get_capture): Add missing namespace in usage of WebCore::MediaCaptureTypeNone.


  Commit: 0d54a4358892a93c9de13e76e95fbdf3fe570446
      https://github.com/WebKit/WebKit/commit/0d54a4358892a93c9de13e76e95fbdf3fe570446
  Author: Nael Ouedraogo <nael.ouedp at gmail.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M ChangeLog
    M Source/cmake/OptionsCommon.cmake

  Log Message:
  -----------
  Merge r215001 - [GTK] Build fails when using icecream, ccache and cmake 3.6
https://bugs.webkit.org/show_bug.cgi?id=170498

Reviewed by Michael Catanzaro.

Disable ninja response file when using icecream, ccache and cmake > 3.5.

* Source/cmake/OptionsCommon.cmake:


  Commit: 118e4e985f47e60e381db894f7598cec9a931194
      https://github.com/WebKit/WebKit/commit/118e4e985f47e60e381db894f7598cec9a931194
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/Document/CaretRangeFromPoint/simple-line-layout-hittest-with-caret-range-from-point-expected.html
    A LayoutTests/fast/dom/Document/CaretRangeFromPoint/simple-line-layout-hittest-with-caret-range-from-point.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderText.cpp
    M Source/WebCore/rendering/SimpleLineLayoutFlowContents.h
    M Source/WebCore/rendering/SimpleLineLayoutFunctions.cpp
    M Source/WebCore/rendering/SimpleLineLayoutResolver.cpp
    M Source/WebCore/rendering/SimpleLineLayoutResolver.h

  Log Message:
  -----------
  Merge r215054 - Simple line layout: Hittest always returns the first renderer in the block.
https://bugs.webkit.org/show_bug.cgi?id=170520
<rdar://problem/30979175>

Reviewed by Antti Koivisto.

Source/WebCore:

This is incorrect now with <br> support (multiple renderers within the same block flow).

Test: fast/dom/Document/CaretRangeFromPoint/simple-line-layout-hittest-with-caret-range-from-point.html

* rendering/RenderText.cpp:
(WebCore::RenderText::positionForPoint): Related fix. We don't yet support positionForPoint with multiple renderers.
* rendering/SimpleLineLayoutFlowContents.h:
(WebCore::SimpleLineLayout::FlowContents::segmentForRun): Empty runs are all valid.
* rendering/SimpleLineLayoutFunctions.cpp:
(WebCore::SimpleLineLayout::hitTestFlow):
(WebCore::SimpleLineLayout::collectFlowOverflow):
* rendering/SimpleLineLayoutResolver.cpp:
(WebCore::SimpleLineLayout::LineResolver::Iterator::operator*): This should eventually return a list of renderers.
* rendering/SimpleLineLayoutResolver.h:
(WebCore::SimpleLineLayout::RunResolver::flowContents):

LayoutTests:

* fast/dom/Document/CaretRangeFromPoint/simple-line-layout-hittest-with-caret-range-from-point-expected.html: Added.
* fast/dom/Document/CaretRangeFromPoint/simple-line-layout-hittest-with-caret-range-from-point.html: Added.


  Commit: 66327147d94c1107f7356b6fba9ab0ee7cfb6cba
      https://github.com/WebKit/WebKit/commit/66327147d94c1107f7356b6fba9ab0ee7cfb6cba
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/accessibility/AccessibilityRenderObject.cpp

  Log Message:
  -----------
  Merge r215089 - AX: Don't crash if no renderer is available for AccessibilityRenderObject
https://bugs.webkit.org/show_bug.cgi?id=170448

Reviewed by Chris Fleizach.

Don't crash or assert if no renderer is available, but early return
gracefully (as in other places in the AccessibilityRenderObject.cpp).
Spotted by running some tests through dogtail.

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::isOffScreen):
(WebCore::AccessibilityRenderObject::isUnvisited):
(WebCore::AccessibilityRenderObject::isVisited):


  Commit: d9c844e2b0a806aa3728c8df1ec99c793935cd1b
      https://github.com/WebKit/WebKit/commit/d9c844e2b0a806aa3728c8df1ec99c793935cd1b
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt
    M LayoutTests/fast/frames/xss-auditor-handles-file-urls-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/base-href-control-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/base-href-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/base-href-null-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/form-action-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/formaction-on-button-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/formaction-on-input-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/frameset-injection-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/iframe-injection-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/link-onclick-entities-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/link-onclick-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/svg-animate-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt
    M LayoutTests/http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/URLParser.cpp
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/URLParser.cpp

  Log Message:
  -----------
  Merge r215096 - WebKit should percent encode single quotes in query strings
https://bugs.webkit.org/show_bug.cgi?id=170561
<rdar://problem/7415154>

Reviewed by Alex Christensen.

Source/WebCore:

Modify the characterClassTable to instruct the URLParser to convert
the single-quote character ' to %27 in URL query strings.

Tests: URLParserTest in TestWebKitAPI.
    fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html
    fast/frames/xss-auditor-handles-file-urls.html
    http/tests/security/xssAuditor

* platform/URLParser.cpp:

Tools:

Add a test case for single-quote in the URL query string.

* TestWebKitAPI/Tests/WebCore/URLParser.cpp:

LayoutTests:

Rebaseline tests after change.

* fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt:
* fast/frames/xss-auditor-handles-file-urls-expected.txt:
* http/tests/security/xssAuditor/base-href-control-char-expected.txt:
* http/tests/security/xssAuditor/base-href-expected.txt:
* http/tests/security/xssAuditor/base-href-null-char-expected.txt:
* http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
* http/tests/security/xssAuditor/embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/embed-tag-expected.txt:
* http/tests/security/xssAuditor/embed-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/form-action-expected.txt:
* http/tests/security/xssAuditor/formaction-on-button-expected.txt:
* http/tests/security/xssAuditor/formaction-on-input-expected.txt:
* http/tests/security/xssAuditor/frameset-injection-expected.txt:
* http/tests/security/xssAuditor/full-block-base-href-expected.txt:
* http/tests/security/xssAuditor/full-block-link-onclick-expected.txt:
* http/tests/security/xssAuditor/full-block-object-tag-expected.txt:
* http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/iframe-injection-expected.txt:
* http/tests/security/xssAuditor/iframe-javascript-url-more-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected.txt:
* http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt:
* http/tests/security/xssAuditor/link-onclick-ampersand-expected.txt:
* http/tests/security/xssAuditor/link-onclick-control-char-expected.txt:
* http/tests/security/xssAuditor/link-onclick-entities-expected.txt:
* http/tests/security/xssAuditor/link-onclick-expected.txt:
* http/tests/security/xssAuditor/link-onclick-null-char-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-expected.txt:
* http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt:
* http/tests/security/xssAuditor/object-tag-expected.txt:
* http/tests/security/xssAuditor/object-tag-javascript-url-expected.txt:
* http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-comma-01-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-entities-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt:
* http/tests/security/xssAuditor/svg-animate-expected.txt:
* http/tests/security/xssAuditor/svg-script-tag-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-big5-expected.txt:
* http/tests/security/xssAuditor/xss-filter-bypass-sjis-expected.txt:
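
As an added example (not WebKit's URLParser or its characterClassTable, neither of which is shown here), the C++ below builds a 256-entry character-class table in the spirit of that change and percent-encodes a query string with it. The encode set is the WHATWG special-query percent-encode set, which includes the single quote; the namespace and function names are assumptions.

```cpp
// Added example, not WebKit's URLParser code: a character-class table that
// drives percent-encoding of a URL query string, with the single quote in the
// set of bytes that must be written as %27.
#include <array>
#include <cstdint>
#include <string>

namespace urlquery {   // assumed name

// Bit flags stored in the table. Only the query set matters for this example.
enum : uint8_t { QueryPercentEncode = 1 << 0 };

// Build the table once. The set is the WHATWG special-query percent-encode
// set used for http/https: C0 controls, everything above 0x7E, space, ", #,
// <, >, and the single quote.
static std::array<uint8_t, 256> makeCharacterClassTable()
{
    std::array<uint8_t, 256> table{};
    for (int c = 0; c < 256; ++c) {
        bool encode = c < 0x20 || c > 0x7E
            || c == ' ' || c == '"' || c == '#' || c == '<' || c == '>'
            || c == '\'';   // the byte the change under discussion adds
        if (encode)
            table[c] |= QueryPercentEncode;
    }
    return table;
}

static const std::array<uint8_t, 256> characterClassTable = makeCharacterClassTable();

inline bool shouldPercentEncodeQueryByte(unsigned char c)
{
    return characterClassTable[c] & QueryPercentEncode;
}

// Percent-encode the query portion of a URL (the text after '?').
// Input is treated as raw bytes. '%' is not in the set, so sequences that are
// already encoded pass through unchanged, as they do in a URL parser.
std::string percentEncodeQuery(const std::string& query)
{
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    out.reserve(query.size());
    for (unsigned char c : query) {
        if (shouldPercentEncodeQueryByte(c)) {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        } else
            out += static_cast<char>(c);
    }
    return out;
}

} // namespace urlquery
```

The rebaselined xssAuditor expectations above change precisely because a reflected query string no longer carries a literal quote back into the page.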


  Commit: af408e31d33195789ae433be774df5076a7875f9
      https://github.com/WebKit/WebKit/commit/af408e31d33195789ae433be774df5076a7875f9
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt
    M LayoutTests/http/tests/security/no-popup-from-sandbox-top-expected.txt
    M LayoutTests/http/tests/xmlhttprequest/origin-exact-matching-expected.txt
    M LayoutTests/imported/w3c/ChangeLog

  Log Message:
  -----------
  Merge r215098 - Rebaseline additional tests after r215096.
https://bugs.webkit.org/show_bug.cgi?id=170561
<rdar://problem/7415154>

LayoutTests/imported/w3c:

* web-platform-tests/cors/allow-headers-expected.txt:
* web-platform-tests/cors/origin-expected.txt:

LayoutTests:

* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-cross-self-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-same-self-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-cross-self-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-same-in-same-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-none-block-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-self-block-expected.txt:
* http/tests/security/no-popup-from-sandbox-top-expected.txt:
* http/tests/xmlhttprequest/origin-exact-matching-expected.txt:


  Commit: d25bbde27b29060a2be45ee9aebf8ed16c26c62d
      https://github.com/WebKit/WebKit/commit/d25bbde27b29060a2be45ee9aebf8ed16c26c62d
  Author: Ryan Haddad <ryanhaddad at apple.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/url/url-setters-expected.txt

  Log Message:
  -----------
  Merge r215110 - Rebaseline another test after r215096.
https://bugs.webkit.org/show_bug.cgi?id=170561
<rdar://problem/7415154>

Unreviewed test gardening.

* web-platform-tests/url/url-setters-expected.txt:


  Commit: 3be76da977c0df1d14a2a9687045f87cb6bbbf8b
      https://github.com/WebKit/WebKit/commit/3be76da977c0df1d14a2a9687045f87cb6bbbf8b
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp
    M Source/WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp

  Log Message:
  -----------
  Merge r215102 - REGRESSION(r204512): WebSocket errors with "Failed to send WebSocket frame." if too much data is sent
https://bugs.webkit.org/show_bug.cgi?id=170463

Reviewed by Michael Catanzaro.

This only reproduces when using WebSockets to communicate with an external server.
When communicating with a local server, CFWriteStreamWrite succeeds too reliably, so
CFWriteStreamCanAcceptBytes returns true, whereas it sometimes doesn't when communicating
across the real internet.

* platform/network/cf/SocketStreamHandleImplCFNet.cpp:
(WebCore::SocketStreamHandleImpl::platformSendInternal):
* platform/network/soup/SocketStreamHandleImplSoup.cpp:
(WebCore::SocketStreamHandleImpl::platformSendInternal):
Returning std::nullopt means there was an error, which is not true when the socket stream
is in a state where it cannot be written to because it is actively communicating.
Returning 0 means 0 new bytes were sent, so we will try again later.
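
An added example, not WebKit's SocketStreamHandleImpl code, showing the two return conventions side by side against a constructed stand-in for the CF write stream. FakeWriteStream, sendInternalBuggy, sendInternalFixed and sendFrame are assumed names; the stand-in only models "can accept bytes" and "write failed".

```cpp
// Added example (not WebKit's SocketStreamHandleImpl): a send routine that
// distinguishes "the stream cannot accept bytes right now" (return 0, retry
// later) from a genuine write error (return std::nullopt).
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for the platform write stream. acceptNow is toggled by
// the caller to model a remote peer whose socket buffer is currently full.
struct FakeWriteStream {
    bool acceptNow = true;   // mirrors CFWriteStreamCanAcceptBytes
    bool broken = false;     // a genuine error (peer gone, stream closed)
    std::string written;

    bool canAcceptBytes() const { return acceptNow; }
    // Mirrors CFWriteStreamWrite: bytes written, or -1 on error.
    long write(const char* data, size_t length)
    {
        if (broken)
            return -1;
        written.append(data, length);
        return static_cast<long>(length);
    }
};

// Pre-r215102 behaviour: a stream that is momentarily busy is reported as an
// error, so the caller fails the whole WebSocket with
// "Failed to send WebSocket frame."
std::optional<size_t> sendInternalBuggy(FakeWriteStream& stream, const char* data, size_t length)
{
    if (!stream.canAcceptBytes())
        return std::nullopt;   // wrong: busy is not an error
    long n = stream.write(data, length);
    if (n < 0)
        return std::nullopt;
    return static_cast<size_t>(n);
}

// Post-r215102 behaviour: busy means 0 bytes sent; the caller keeps the data
// queued and tries again when the stream can accept bytes.
std::optional<size_t> sendInternalFixed(FakeWriteStream& stream, const char* data, size_t length)
{
    if (!stream.canAcceptBytes())
        return 0;              // nothing sent yet, retry later
    long n = stream.write(data, length);
    if (n < 0)
        return std::nullopt;   // real error
    return static_cast<size_t>(n);
}

// Caller loop shared by both variants: tries to drain one frame across several
// attempts, each attempt using the next entry of a constructed
// "can the stream accept bytes" schedule. Returns false if the send function
// reported an error or the frame never completed.
template <typename SendFn>
bool sendFrame(FakeWriteStream& stream, const std::string& frame,
               const std::vector<bool>& acceptSchedule, SendFn send)
{
    size_t offset = 0;
    for (bool accept : acceptSchedule) {
        stream.acceptNow = accept;
        auto sent = send(stream, frame.data() + offset, frame.size() - offset);
        if (!sent)
            return false;      // error: the socket is torn down
        offset += *sent;
        if (offset == frame.size())
            return true;
    }
    return offset == frame.size();
}
```

With a schedule of {busy, writable} the buggy variant tears the socket down on the first attempt, while the fixed variant completes the frame on the second.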


  Commit: db7fd163fe2749c8d7051add86b916cb294b1d94
      https://github.com/WebKit/WebKit/commit/db7fd163fe2749c8d7051add86b916cb294b1d94
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/PluginProcess/unix/PluginControllerProxyUnix.cpp
    M Source/WebKit2/UIProcess/API/gtk/WebKitWebsiteData.cpp
    M Source/WebKit2/UIProcess/API/gtk/WebKitWebsiteDataManager.cpp
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Merge r215106 - [GTK] Various build errors when plugin support is disabled
https://bugs.webkit.org/show_bug.cgi?id=170015

Reviewed by Carlos Garcia Campos.

.:

Allow building with ENABLE_NETSCAPE_PLUGIN_API=ON and ENABLE_X11_TARGET=OFF. This should be
possible as Carlos worked to ensure windowless plugins work properly outside X11. The GTK2
plugin process still depends on ENABLE_X11_TARGET because a plugin that uses GTK+ surely
wants to display a window, and is not going to work outside X11. (If the plugin links to
GTK+ but does not display a window, it's dumb and deserves to be broken.)

Also, make ENABLE_PLUGIN_PROCESS conditional on ENABLE_NETSCAPE_PLUGIN_API, not
ENABLE_X11_TARGET.

* Source/cmake/OptionsGTK.cmake:

Source/WebKit2:

* PluginProcess/unix/PluginControllerProxyUnix.cpp:
* UIProcess/API/gtk/WebKitWebsiteData.cpp:
(recordContainsSupportedDataTypes):
(toWebKitWebsiteDataTypes):
* UIProcess/API/gtk/WebKitWebsiteDataManager.cpp:
(toWebsiteDataTypes):


  Commit: 3f013389e2b2c982bcbe74486547c484e571acfd
      https://github.com/WebKit/WebKit/commit/3f013389e2b2c982bcbe74486547c484e571acfd
  Author: Ting-Wei Lan <lantw44 at gmail.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/NumberOfCores.cpp

  Log Message:
  -----------
  Merge r215107 - Include cstdio before using sscanf and stderr
https://bugs.webkit.org/show_bug.cgi?id=170098

Patch by Ting-Wei Lan <lantw44 at gmail.com> on 2017-04-07
Reviewed by Michael Catanzaro.

* wtf/NumberOfCores.cpp:


  Commit: 1efa04b79ae742b0f817fac22f1da5febf9a2d83
      https://github.com/WebKit/WebKit/commit/1efa04b79ae742b0f817fac22f1da5febf9a2d83
  Author: Myles C. Maxfield <mmaxfield at apple.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/ComplexTextController.cpp
    M Source/WebCore/rendering/InlineBox.h
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/ComplexTextController.cpp

  Log Message:
  -----------
  Merge r215117 - REGRESSION(r211382): Complex text with justification erroneously overflows containers
https://bugs.webkit.org/show_bug.cgi?id=170399
<rdar://problem/31442008>

Reviewed by Simon Fraser.

Source/WebCore:

When we perform justification, we adjust glyphs' advances to add extra space between words.
ComplexTextController maintains an invariant where m_totalWidth is equal to the sum of these
advances. However, in RTL text, inserting extra justification space to the left of a glyph
would break that invariant, and would increase the advances of two glyphs instead of just
one. Then, when we go to draw the text, the sum of the advances is wider than m_totalWidth,
which means the glyphs would be drawn outside of their container.

This regressed in r211382 simply because of an oversight and because there were no tests for
this codepath.

Test: ComplexTextControllerTest.TotalWidthWithJustification

* platform/graphics/ComplexTextController.cpp:
(WebCore::ComplexTextController::adjustGlyphsAndAdvances):
* rendering/InlineBox.h:
(WebCore::InlineBox::InlineBox):

Tools:

Check for the invariant that the sum of the advances is equal to m_totalWidth.

* TestWebKitAPI/Tests/WebCore/ComplexTextController.cpp:
(TestWebKitAPI::TEST_F):


  Commit: 73210ce262e0ccc55ef9c3fdaa3dc6f63437df6d
      https://github.com/WebKit/WebKit/commit/73210ce262e0ccc55ef9c3fdaa3dc6f63437df6d
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/text/simple-line-layout-hover-over-subsequent-linebreaks-expected.txt
    A LayoutTests/fast/text/simple-line-layout-hover-over-subsequent-linebreaks.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/SimpleLineLayoutFlowContents.cpp
    M Source/WebCore/rendering/SimpleLineLayoutFunctions.cpp

  Log Message:
  -----------
  Merge r215124 - Simple line layout: FlowContents::segmentIndexForRunSlow skips empty runs.
https://bugs.webkit.org/show_bug.cgi?id=170552

Reviewed by Antti Koivisto.

Source/WebCore:

The compare function passed to std::lower_bound completely misses empty runs.

Test: fast/text/simple-line-layout-hover-over-subsequent-linebreaks.html

* rendering/SimpleLineLayoutFlowContents.cpp:
(WebCore::SimpleLineLayout::FlowContents::segmentIndexForRunSlow):

LayoutTests:

* fast/text/simple-line-layout-hover-over-subsequent-linebreaks-expected.txt: Added.
* fast/text/simple-line-layout-hover-over-subsequent-linebreaks.html: Added.


  Commit: 44a0cd14ec904f84fe50a8abfa1a7b8f295adf64
      https://github.com/WebKit/WebKit/commit/44a0cd14ec904f84fe50a8abfa1a7b8f295adf64
  Author: Ting-Wei Lan <lantw44 at gmail.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M ChangeLog
    M Source/cmake/OptionsCommon.cmake

  Log Message:
  -----------
  Merge r215156 - Elftoolchain ar doesn't support response files
https://bugs.webkit.org/show_bug.cgi?id=170105

Patch by Ting-Wei Lan <lantw44 at gmail.com> on 2017-04-08
Reviewed by Michael Catanzaro.

WebKit enables the use of response files when cmake and ninja are used.
However, the default implementation of the ar command used in FreeBSD, which
is part of the elftoolchain project, doesn't support reading arguments from
response files. To avoid causing undefined reference errors on FreeBSD,
we disable the use of response files when elftoolchain ar is detected.

* Source/cmake/OptionsCommon.cmake:


  Commit: 89f4bf87cd6acad1b5e7bed006a219619b2eb131
      https://github.com/WebKit/WebKit/commit/89f4bf87cd6acad1b5e7bed006a219619b2eb131
  Author: Miguel Gomez <magomez at igalia.com>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/platform/gtk/TestExpectations
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/Color.cpp
    M Source/WebCore/platform/graphics/Color.h
    M Source/WebCore/platform/graphics/ImageBackingStore.h

  Log Message:
  -----------
  Merge r215172 - REGRESSION(r205841): [GTK] Test fast/images/animated-png.html is failing since r205841
https://bugs.webkit.org/show_bug.cgi?id=168425

Reviewed by Said Abou-Hallawa.

Source/WebCore:

There is a problem with animations that are blending their frames into the previous frame. Due to a change
in how pixel components are premultiplied (the result is now rounded up), the parameters to the blending
operation may vary by one unit, causing the result of the blending to be different from the expected result.
In order to fix this, a new parameter is added to indicate whether we want to use rounding up when
premultiplying or not, and ImageBackingStore uses that parameter to disable rounding up.

Adjusted the expectation for fast/images/animated-png.html, as it must pass now.

* platform/graphics/Color.cpp:
(WebCore::premultipliedChannel):
(WebCore::makePremultipliedRGBA):
* platform/graphics/Color.h:
* platform/graphics/ImageBackingStore.h:
(WebCore::ImageBackingStore::blendPixel):
(WebCore::ImageBackingStore::pixelValue):

LayoutTests:

Adjusted expectation for fast/images/animated-png.html. It must pass now.

* platform/gtk/TestExpectations:


  Commit: 2e7fafe35063c5f996e5b6180a3a7d464cd472ba
      https://github.com/WebKit/WebKit/commit/2e7fafe35063c5f996e5b6180a3a7d464cd472ba
  Author: Thorsten Glaser <tg at mirbsd.de>
  Date:   2017-05-06 (Sat, 06 May 2017)

  Changed paths:
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/Platform.h

  Log Message:
  -----------
  Merge r215180 - [GTK] Fix x32 build
https://bugs.webkit.org/show_bug.cgi?id=170673

Patch by Thorsten Glaser <tg at mirbsd.de> on 2017-04-10
Reviewed by Carlos Alberto Lopez Perez.

* wtf/Platform.h:


  Commit: 990a8cb3cafe0b89983b96a931be5250571a967c
      https://github.com/WebKit/WebKit/commit/990a8cb3cafe0b89983b96a931be5250571a967c
  Author: Brady Eidson <beidson at apple.com>
  Date:   2017-05-07 (Sun, 07 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/WebCore.xcodeproj/project.pbxproj
    M Source/WebCore/inspector/InspectorDOMStorageAgent.cpp
    M Source/WebCore/inspector/InspectorInstrumentation.h
    M Source/WebCore/loader/EmptyClients.cpp
    M Source/WebCore/storage/Storage.cpp
    M Source/WebCore/storage/StorageArea.h
    M Source/WebCore/storage/StorageEventDispatcher.cpp
    A Source/WebCore/storage/StorageType.h
    M Source/WebKit/ChangeLog
    M Source/WebKit/Storage/StorageAreaImpl.cpp
    M Source/WebKit/Storage/StorageNamespaceImpl.cpp
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/Storage/StorageAreaMap.cpp
    M Source/WebKit2/WebProcess/Storage/StorageNamespaceImpl.cpp

  Log Message:
  -----------
  Merge r214680 - Clean up the "StorageType" enum.
https://bugs.webkit.org/show_bug.cgi?id=170349

Reviewed by Tim Horton.

Source/WebCore:

- Make this `enum` into an `enum class`
- Add a new type specific for "transient local storage"

No new tests (No behavior change).

* WebCore.xcodeproj/project.pbxproj:

* inspector/InspectorDOMStorageAgent.cpp:
(WebCore::InspectorDOMStorageAgent::didDispatchDOMStorageEvent):

* inspector/InspectorInstrumentation.h:

* loader/EmptyClients.cpp:

* storage/Storage.cpp:
(WebCore::Storage::isDisabledByPrivateBrowsing):

* storage/StorageArea.h:
(): Deleted.

* storage/StorageEventDispatcher.cpp:
(WebCore::StorageEventDispatcher::dispatchSessionStorageEventsToFrames):
(WebCore::StorageEventDispatcher::dispatchLocalStorageEventsToFrames):

* storage/StorageType.h:
(WebCore::isLocalStorage):

Source/WebKit:

* Storage/StorageAreaImpl.cpp:
(WebKit::StorageAreaImpl::dispatchStorageEvent):

* Storage/StorageNamespaceImpl.cpp:
(WebKit::StorageNamespaceImpl::createSessionStorageNamespace):
(WebKit::StorageNamespaceImpl::getOrCreateLocalStorageNamespace):
(WebKit::StorageNamespaceImpl::StorageNamespaceImpl):
(WebKit::StorageNamespaceImpl::~StorageNamespaceImpl):
(WebKit::StorageNamespaceImpl::copy):
(WebKit::StorageNamespaceImpl::close):

Source/WebKit2:

* WebProcess/Storage/StorageAreaMap.cpp:
(WebKit::StorageAreaMap::StorageAreaMap):
(WebKit::StorageAreaMap::dispatchStorageEvent):
(WebKit::StorageAreaMap::dispatchSessionStorageEvent):
(WebKit::StorageAreaMap::dispatchLocalStorageEvent):

* WebProcess/Storage/StorageNamespaceImpl.cpp:
(WebKit::StorageNamespaceImpl::createSessionStorageNamespace):
(WebKit::StorageNamespaceImpl::createLocalStorageNamespace):
(WebKit::StorageNamespaceImpl::createTransientLocalStorageNamespace):


  Commit: 7088d00cc84181002ad152ade08531a83ec39ed3
      https://github.com/WebKit/WebKit/commit/7088d00cc84181002ad152ade08531a83ec39ed3
  Author: Brady Eidson <beidson at apple.com>
  Date:   2017-05-07 (Sun, 07 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/platform/mac-wk2/TestExpectations
    M LayoutTests/storage/domstorage/localstorage/private-browsing-affects-storage-expected.txt
    M LayoutTests/storage/domstorage/localstorage/private-browsing-affects-storage.html
    A LayoutTests/storage/domstorage/localstorage/resources/private-browsing-1.html
    A LayoutTests/storage/domstorage/localstorage/resources/private-browsing-2.html
    A LayoutTests/storage/domstorage/localstorage/resources/private-browsing-3.html
    A LayoutTests/storage/domstorage/localstorage/resources/private-browsing-storage-2.html
    R LayoutTests/storage/domstorage/sessionstorage/private-browsing-affects-storage-expected.txt
    R LayoutTests/storage/domstorage/sessionstorage/private-browsing-affects-storage.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/EmptyClients.cpp
    M Source/WebCore/page/Chrome.cpp
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebCore/page/SecurityOriginData.h
    M Source/WebCore/storage/Storage.cpp
    M Source/WebCore/storage/StorageMap.h
    M Source/WebCore/storage/StorageNamespaceProvider.cpp
    M Source/WebCore/storage/StorageNamespaceProvider.h
    M Source/WebCore/storage/StorageType.h
    M Source/WebKit/ChangeLog
    M Source/WebKit/Storage/StorageNamespaceImpl.cpp
    M Source/WebKit/Storage/StorageNamespaceImpl.h
    M Source/WebKit/Storage/WebStorageNamespaceProvider.cpp
    M Source/WebKit/Storage/WebStorageNamespaceProvider.h
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/Storage/StorageAreaMap.cpp
    M Source/WebKit2/WebProcess/Storage/StorageNamespaceImpl.cpp
    M Source/WebKit2/WebProcess/Storage/StorageNamespaceImpl.h
    M Source/WebKit2/WebProcess/Storage/WebStorageNamespaceProvider.cpp
    M Source/WebKit2/WebProcess/Storage/WebStorageNamespaceProvider.h

  Log Message:
  -----------
  Merge r215315 - QuotaExceededError when saving to localStorage in private mode.
https://bugs.webkit.org/show_bug.cgi?id=157010

Reviewed by Alex Christensen.

Source/WebCore:

No new tests (Covered by changes to existing test).

LocalStorage in private browsing is now effectively SessionStorage.
It's ephemeral, per-tab, and copied over to tabs window.open()'ed from the current one.

* loader/EmptyClients.cpp:
(WebCore::EmptyStorageNamespaceProvider::createEphemeralLocalStorageNamespace):

* page/Chrome.cpp:
(WebCore::Chrome::createWindow):

* page/Page.cpp:
(WebCore::Page::ephemeralLocalStorage):
(WebCore::Page::setEphemeralLocalStorage):
* page/Page.h:

* page/SecurityOriginData.h:

* storage/Storage.cpp:
(WebCore::Storage::length):
(WebCore::Storage::key):
(WebCore::Storage::getItem):
(WebCore::Storage::setItem):
(WebCore::Storage::removeItem):
(WebCore::Storage::clear):
(WebCore::Storage::contains):
(WebCore::Storage::isDisabledByPrivateBrowsing): Deleted.

* storage/StorageMap.h:

* storage/StorageNamespaceProvider.cpp:
(WebCore::StorageNamespaceProvider::localStorageArea):
* storage/StorageNamespaceProvider.h:

* storage/StorageType.h:
(WebCore::isLocalStorage):
(WebCore::isPersistentLocalStorage):

Source/WebKit:

* Storage/StorageNamespaceImpl.cpp:
(WebKit::StorageNamespaceImpl::createEphemeralLocalStorageNamespace):
(WebKit::StorageNamespaceImpl::StorageNamespaceImpl):
(WebKit::StorageNamespaceImpl::~StorageNamespaceImpl):
(WebKit::StorageNamespaceImpl::copy):
(WebKit::StorageNamespaceImpl::close):
* Storage/StorageNamespaceImpl.h:

* Storage/WebStorageNamespaceProvider.cpp:
(WebKit::WebStorageNamespaceProvider::createEphemeralLocalStorageNamespace):
* Storage/WebStorageNamespaceProvider.h:

Source/WebKit2:

* WebProcess/Storage/StorageAreaMap.cpp:
(WebKit::StorageAreaMap::StorageAreaMap):
(WebKit::StorageAreaMap::~StorageAreaMap):

* WebProcess/Storage/StorageNamespaceImpl.cpp:
(WebKit::StorageNamespaceImpl::createEphemeralLocalStorageNamespace):
(WebKit::StorageNamespaceImpl::storageArea):
(WebKit::StorageNamespaceImpl::ephemeralLocalStorageArea):
(WebKit::StorageNamespaceImpl::copy):
* WebProcess/Storage/StorageNamespaceImpl.h:

* WebProcess/Storage/WebStorageNamespaceProvider.cpp:
(WebKit::WebStorageNamespaceProvider::createEphemeralLocalStorageNamespace):
* WebProcess/Storage/WebStorageNamespaceProvider.h:

LayoutTests:

* platform/mac-wk2/TestExpectations:
* storage/domstorage/localstorage/private-browsing-affects-storage-expected.txt:
* storage/domstorage/localstorage/private-browsing-affects-storage.html:
* storage/domstorage/localstorage/resources/private-browsing-1.html: Added.
* storage/domstorage/localstorage/resources/private-browsing-2.html: Added.
* storage/domstorage/localstorage/resources/private-browsing-3.html: Added.
* storage/domstorage/localstorage/resources/private-browsing-storage-2.html: Added.
* storage/domstorage/sessionstorage/private-browsing-affects-storage-expected.txt: Removed.
* storage/domstorage/sessionstorage/private-browsing-affects-storage.html: Removed.


  Commit: 02fb144f551762288e29bb34b223d8f7cab798b2
      https://github.com/WebKit/WebKit/commit/02fb144f551762288e29bb34b223d8f7cab798b2
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-05-07 (Sun, 07 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/compositing/updates/animation-non-composited-expected.txt
    A LayoutTests/compositing/updates/animation-non-composited.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderElement.h
    M Source/WebCore/rendering/RenderLayerCompositor.cpp
    M Source/WebCore/rendering/RenderLayerCompositor.h

  Log Message:
  -----------
  Merge r215347 - Don't invalidate composition for style changes in non-composited layers
https://bugs.webkit.org/show_bug.cgi?id=170805
<rdar://problem/31606185>

Reviewed by Simon Fraser.

Source/WebCore:

Test: compositing/updates/animation-non-composited.html

In most cases they can't affect composition. Composition updates are expensive, so this can
save a lot of work (tumblr.com animations hit this at the moment).

* rendering/RenderElement.h:
(WebCore::RenderElement::createsGroup):
(WebCore::RenderElement::createsGroupForStyle):

    Factor to a static function so we can test style directly.

* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::layerStyleChanged):
(WebCore::RenderLayerCompositor::styleChangeMayAffectIndirectCompositingReasons):

    Test if style change might cause compositing change that can't be determined without compositing update.

* rendering/RenderLayerCompositor.h:

LayoutTests:

* compositing/updates/animation-non-composited-expected.txt: Added.
* compositing/updates/animation-non-composited.html: Added.


  Commit: 7d55dbbfd109fa15a41d6c4cb59ccc213860ed12
      https://github.com/WebKit/WebKit/commit/7d55dbbfd109fa15a41d6c4cb59ccc213860ed12
  Author: Dean Jackson <dino at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/animations/large-negative-delay-expected.txt
    A LayoutTests/animations/large-negative-delay.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/animation/AnimationBase.cpp
    M Source/WebCore/page/animation/AnimationBase.h

  Log Message:
  -----------
  Merge r215352 - Large negative animation-delays may not work depending on machine uptime
https://bugs.webkit.org/show_bug.cgi?id=166962
<rdar://problem/30091526>

Reviewed by Tim Horton.

Source/WebCore:

If you set a really negative animation delay, it would cause
AnimationBase::m_startTime to become negative, because the delay
value was "bigger" than monotonicallyIncreasingTime.

However, the state machine was using -1 to mean that the start time
hadn't yet been set. Classic cmarrin!

Replace all the special values with std::optional, and use nullopt
to mean the value doesn't exist yet.

Test: animations/large-negative-delay.html

* page/animation/AnimationBase.cpp:
(WebCore::AnimationBase::updateStateMachine):
(WebCore::AnimationBase::fireAnimationEventsIfNeeded):
(WebCore::AnimationBase::getTimeToNextEvent):
(WebCore::AnimationBase::freezeAtTime):
(WebCore::AnimationBase::getElapsedTime):
* page/animation/AnimationBase.h: Use std::optional.
(WebCore::AnimationBase::paused):

LayoutTests:

* animations/large-negative-delay-expected.txt: Added.
* animations/large-negative-delay.html: Added.


  Commit: fe126d3c4a055a5903873b5e2462628c8133393c
      https://github.com/WebKit/WebKit/commit/fe126d3c4a055a5903873b5e2462628c8133393c
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/table/center-th-when-parent-has-initial-text-align-expected.html
    A LayoutTests/fast/table/center-th-when-parent-has-initial-text-align.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/CSSProperties.json
    M Source/WebCore/css/StyleBuilderCustom.h
    M Source/WebCore/css/StyleResolver.cpp
    M Source/WebCore/rendering/style/RenderStyle.h

  Log Message:
  -----------
  Merge r215375 - text-align start / end failure in table cells
https://bugs.webkit.org/show_bug.cgi?id=141417
<rdar://problem/31051672>

Reviewed by Antti Koivisto.

Source/WebCore:

Apply "text-align: center" on th elements when parent's computed value for the 'text-align' property
is its initial value, unless it is explicitly set.

Test: fast/table/center-th-when-parent-has-initial-text-align.html

* css/CSSProperties.json:
* css/StyleBuilderCustom.h:
(WebCore::StyleBuilderCustom::applyInitialTextAlign):
(WebCore::StyleBuilderCustom::applyValueTextAlign):
* css/StyleResolver.cpp:
(WebCore::StyleResolver::adjustRenderStyle):
(WebCore::StyleResolver::applyProperty):
* rendering/style/RenderStyle.h:
(WebCore::RenderStyle::hasExplicitlySetTextAlign):
(WebCore::RenderStyle::setHasExplicitlySetTextAlign):
(WebCore::RenderStyle::NonInheritedFlags::hasExplicitlySetTextAlign):
(WebCore::RenderStyle::NonInheritedFlags::setHasExplicitlySetTextAlign):

LayoutTests:

* fast/table/center-th-when-parent-has-initial-text-align-expected.html: Added.
* fast/table/center-th-when-parent-has-initial-text-align.html: Added.


  Commit: 2be7cead54b9f2255051d3346a19cdb535a11dc9
      https://github.com/WebKit/WebKit/commit/2be7cead54b9f2255051d3346a19cdb535a11dc9
  Author: Miguel Gomez <magomez at igalia.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/image-decoders/png/PNGImageDecoder.cpp
    M Source/WebCore/platform/image-decoders/png/PNGImageDecoder.h

  Log Message:
  -----------
  Merge r214939 - [GTK+] PNG animations that should run once are not played at all
https://bugs.webkit.org/show_bug.cgi?id=170499

Reviewed by Carlos Garcia Campos.

The repetition count reported by the PNGImageDecoder is wrong. It's returning m_playCount - 1, which
means 0 for the animations that need to be played once. Change it to return an appropriate value.

Covered by existing tests.

* platform/image-decoders/png/PNGImageDecoder.cpp:
(WebCore::PNGImageDecoder::repetitionCount):
* platform/image-decoders/png/PNGImageDecoder.h:


  Commit: 788e7880176561f7cb106ffacd368e1d991cb6ad
      https://github.com/WebKit/WebKit/commit/788e7880176561f7cb106ffacd368e1d991cb6ad
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/events/beforeunload-alert-handled-keydown-expected.txt
    A LayoutTests/fast/events/beforeunload-alert-handled-keydown.html
    A LayoutTests/fast/events/beforeunload-alert-unhandled-keydown-expected.txt
    A LayoutTests/fast/events/beforeunload-alert-unhandled-keydown.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Document.h
    M Source/WebCore/dom/UserGestureIndicator.cpp
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/page/EventHandler.cpp
    M Source/WebCore/page/EventHandler.h

  Log Message:
  -----------
  Merge r215404 - CMD+R / CMD+Q is considered as user interaction and beforeunload alert is shown
https://bugs.webkit.org/show_bug.cgi?id=169995
<rdar://problem/23798897>

Reviewed by Sam Weinig.

Source/WebCore:

Any key event was considered as user interaction with the page, which meant that they
would allow beforeunload alerts to be shown even when they do not represent actual
user interaction (e.g. CMD+R / CMD+Q / CMD+T keyboard shortcuts).

To address the issue, we now only treat as user interaction with the page key events
that are actually handled by the page (i.e. handled by JS, typed into a field, ...).

Tests: fast/events/beforeunload-alert-handled-keydown.html
       fast/events/beforeunload-alert-unhandled-keydown.html

* dom/Document.h:
(WebCore::Document::setUserDidInteractWithPage):
(WebCore::Document::userDidInteractWithPage):
* dom/UserGestureIndicator.cpp:
(WebCore::UserGestureIndicator::UserGestureIndicator):
* loader/FrameLoader.cpp:
(WebCore::shouldAskForNavigationConfirmation):
* page/EventHandler.cpp:
(WebCore::EventHandler::keyEvent):
(WebCore::EventHandler::internalKeyEvent):
* page/EventHandler.h:

LayoutTests:

Add layout test coverage.

* fast/events/beforeunload-alert-handled-keydown-expected.txt: Added.
* fast/events/beforeunload-alert-handled-keydown.html: Added.
* fast/events/beforeunload-alert-unhandled-keydown-expected.txt: Added.
* fast/events/beforeunload-alert-unhandled-keydown.html: Added.


  Commit: 14e6690a03a79e080b0f75a3ece98e1c1c666b1d
      https://github.com/WebKit/WebKit/commit/14e6690a03a79e080b0f75a3ece98e1c1c666b1d
  Author: Andreas Kling <akling at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Merge r215465 - Break Document::m_associatedFormControls reference cycle.
<https://webkit.org/b/170946>

Reviewed by Antti Koivisto.

There was a race between didAssociateFormControls() and didAssociateFormControlsTimerFired()
where detaching Document from its frame between the two would lead to an unbreakable reference
cycle between Document and its form elements.

Solve this by clearing the set of associated form elements in removedLastRef(), where we clear
all the other strong smart pointers to elements.

* dom/Document.cpp:
(WebCore::Document::removedLastRef):


  Commit: dfaed100a76853dbc93fa57b3b44d40632c98bab
      https://github.com/WebKit/WebKit/commit/dfaed100a76853dbc93fa57b3b44d40632c98bab
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/microbenchmarks/double-to-int32.js
    A JSTests/stress/to-int32-sensible2.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/runtime/MathCommon.cpp
    M Source/JavaScriptCore/runtime/MathCommon.h

  Log Message:
  -----------
  Merge r215482 - r211670 broke double to int conversion.
https://bugs.webkit.org/show_bug.cgi?id=170961
<rdar://problem/31687696>

Reviewed by Yusuke Suzuki.

JSTests:

* microbenchmarks/double-to-int32.js: Added.
* stress/to-int32-sensible2.js: Added.

Source/JavaScriptCore:

This is because operationToInt32SensibleSlow() assumes that left shifts of greater
than 31 bits on a 31-bit value will produce a 0.  However, the spec says that
"if the value of the right operand is negative or is greater or equal to the
number of bits in the promoted left operand, the behavior is undefined."
See http://en.cppreference.com/w/cpp/language/operator_arithmetic#Bitwise_shift_operators.

This patch fixes this by restoring the check to prevent a shift of greater than
31 bits.  It also consolidates the optimization in operationToInt32SensibleSlow()
back into toInt32() so that we don't have 2 copies of the same code with only a
slight variation.

JSC benchmarks shows that performance is neutral with this patch.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
* runtime/MathCommon.cpp:
(JSC::operationToInt32SensibleSlow): Deleted.
* runtime/MathCommon.h:
(JSC::toInt32):


  Commit: fa7a7c1f8cb31daeba26a8a5ec313e3433360ffd
      https://github.com/WebKit/WebKit/commit/fa7a7c1f8cb31daeba26a8a5ec313e3433360ffd
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/runtime/MathCommon.cpp
    M Source/JavaScriptCore/runtime/MathCommon.h

  Log Message:
  -----------
  Merge r215516 - r211670 broke double to int conversion.
https://bugs.webkit.org/show_bug.cgi?id=170961

Reviewed by Mark Lam.

In this patch, we take a template parameter approach.
While it reduces duplicate code, it effectively produces
optimized code for operationToInt32SensibleSlow,
and fixes kraken pbkdf2 regression on Linux.

And this patch also fixes undefined behavior by changing
int32_t to uint32_t. If exp is 31, missingOne is 1 << 31,
INT32_MIN. Thus missingOne - 1 will cause int32_t overflow,
and it is undefined behavior.

* runtime/MathCommon.cpp:
(JSC::operationToInt32SensibleSlow):
* runtime/MathCommon.h:
(JSC::toInt32Internal):
(JSC::toInt32):
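
The two merges above (r215482 and r215516) are both about the exponent boundaries of ToInt32: a shift count that reaches the operand width, and `1 << 31` followed by `missingOne - 1` overflowing an int32_t. What follows is an added example and not JavaScriptCore code: an ECMAScript ToInt32 that, like JSC's toInt32(), extracts the result straight from the IEEE-754 encoding, but written so that every shift is on a uint64_t with a count below 64 and every negation happens in unsigned arithmetic. toInt32Reference() is the spec algorithm done in floating point, and bitwiseMatchesReference() compares the two on exactly the boundary inputs (2^31, -2^31, 2^32, 2^53, non-finite, sub-1). All function names are mine.

```cpp
// Added example, not JavaScriptCore code: ECMAScript ToInt32 computed from the
// IEEE-754 bit pattern, written so that no shift count reaches the width of
// its operand and no signed integer can overflow at exponent 31.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

int32_t toInt32Bitwise(double number) {
    uint64_t bits;
    std::memcpy(&bits, &number, sizeof bits);

    // Unbiased exponent. exponent < 0: |x| < 1 (also +/-0 and denormals) -> 0.
    // exponent > 83: all 53 mantissa bits sit above bit 31, so x is a multiple
    // of 2^32 and ToInt32 is 0; NaN and Inf (exponent == 1024) land here too.
    const int exponent = static_cast<int>((bits >> 52) & 0x7ff) - 0x3ff;
    if (exponent < 0 || exponent > 83)
        return 0;

    // Reinsert the implicit leading 1 above the 52 stored fraction bits, so no
    // "missingOne = 1 << exponent" fix-up (the overflowing step) is needed.
    const uint64_t mantissa = (bits & ((uint64_t{1} << 52) - 1)) | (uint64_t{1} << 52);

    // |x| = mantissa * 2^(exponent - 52). Align the integer part on bit 0 and
    // keep its low 32 bits. Shift counts are 1..31 (left) or 0..52 (right),
    // always below 64 and on an unsigned operand, so nothing here is undefined.
    const uint32_t magnitude = (exponent > 52)
        ? static_cast<uint32_t>(mantissa << (exponent - 52))
        : static_cast<uint32_t>(mantissa >> (52 - exponent));

    // ToInt32(-x) == (2^32 - ToInt32(x)) mod 2^32. Negate in uint32_t so that
    // magnitude == 0x80000000 (x == -2^31) cannot overflow.
    const bool negative = (bits >> 63) != 0;
    const uint32_t low32 = negative ? (0u - magnitude) : magnitude;

    // Two's-complement reinterpretation spelled out rather than relying on the
    // implementation-defined unsigned -> signed narrowing.
    if (low32 >= 0x80000000u)
        return static_cast<int32_t>(static_cast<int64_t>(low32) - 0x100000000LL);
    return static_cast<int32_t>(low32);
}

// Spec algorithm in floating point: trunc, reduce modulo 2^32 into [0, 2^32),
// map the top half down. trunc() and fmod() are exact on doubles.
int32_t toInt32Reference(double number) {
    if (!std::isfinite(number))
        return 0;
    double m = std::fmod(std::trunc(number), 4294967296.0); // |m| < 2^32, sign of number
    if (m < 0)
        m += 4294967296.0;
    const uint64_t u = static_cast<uint64_t>(m);
    if (u >= 0x80000000ull)
        return static_cast<int32_t>(static_cast<int64_t>(u) - 0x100000000LL);
    return static_cast<int32_t>(u);
}

// Constructed inputs sitting on the exponent boundaries the fix is about.
bool bitwiseMatchesReference() {
    const double inf = std::numeric_limits<double>::infinity();
    const double samples[] = {
        0.0, -0.0, 0.5, -1.5, 1.0, 2147483647.0, 2147483648.0, -2147483648.0,
        4294967295.5, 4294967296.0, 4294967301.0, 9007199254740994.0, 1e20,
        -1e20, 1.8e308, 5e-324, inf, -inf, std::numeric_limits<double>::quiet_NaN(),
    };
    for (double x : samples)
        if (toInt32Bitwise(x) != toInt32Reference(x))
            return false;
    return true;
}

int main() {
    std::printf("ToInt32(1e20) = %d, ToInt32(2^31) = %d\n",
                toInt32Bitwise(1e20), toInt32Bitwise(2147483648.0));
    std::printf("bitwise agrees with reference: %s\n", bitwiseMatchesReference() ? "yes" : "NO");
    return bitwiseMatchesReference() ? 0 : 1;
}
```

The reference is the safety net: when changing a bit-twiddling fast path such as this one, a handful of boundary inputs compared against the slow but obviously correct fmod() form catches both the shift-width and the overflow mistakes before a benchmark does.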


  Commit: e199f48424bb4d14a1a4aff3b1d23b11eff2025b
      https://github.com/WebKit/WebKit/commit/e199f48424bb4d14a1a4aff3b1d23b11eff2025b
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/event-attrs-isolated-world-expected.txt
    A LayoutTests/fast/dom/event-attrs-isolated-world.html
    A LayoutTests/http/tests/security/isolatedWorld/onclick-attribute-expected.txt
    A LayoutTests/http/tests/security/isolatedWorld/onclick-attribute.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/bindings/js/JSEventListener.cpp
    M Source/WebCore/bindings/js/JSEventListener.h
    M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
    M Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Document.h
    M Source/WebCore/dom/Element.cpp
    M Source/WebCore/dom/EventTarget.cpp
    M Source/WebCore/dom/EventTarget.h
    M Source/WebCore/editing/ReplaceSelectionCommand.cpp
    M Source/WebCore/html/HTMLBodyElement.cpp
    M Source/WebCore/html/HTMLFrameSetElement.cpp
    M Source/WebCore/svg/SVGSVGElement.cpp

  Log Message:
  -----------
  Merge r215486 - Correct handling of isolatedWorld in event handling
https://bugs.webkit.org/show_bug.cgi?id=65589
<rdar://problem/24097804>

Reviewed by Geoffrey Garen.

Source/WebCore:

This patch was inspired by Adam's original patch as well as the
following Blink change:
https://src.chromium.org/viewvc/blink?revision=152377&view=revision

Thread isolatedWorld state through event handling logic.

Tests: fast/dom/event-attrs-isolated-world.html
       http/tests/security/isolatedWorld/onclick-attribute.html

* bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::initializeJSFunction):
(WebCore::JSEventListener::world):
(WebCore::eventHandlerAttribute):
(WebCore::setEventHandlerAttribute):
(WebCore::windowEventHandlerAttribute):
(WebCore::setWindowEventHandlerAttribute):
(WebCore::documentEventHandlerAttribute):
(WebCore::setDocumentEventHandlerAttribute):
* bindings/js/JSEventListener.h:
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* dom/Document.cpp:
(WebCore::Document::setWindowAttributeEventListener):
(WebCore::Document::getWindowAttributeEventListener):
* dom/Document.h:
* dom/Element.cpp:
(WebCore::Element::setAttributeEventListener):
* dom/EventTarget.cpp:
(WebCore::EventTarget::setAttributeEventListener):
(WebCore::EventTarget::attributeEventListener):
* dom/EventTarget.h:
* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplacementFragment::ReplacementFragment):
* html/HTMLBodyElement.cpp:
(WebCore::HTMLBodyElement::parseAttribute):
* html/HTMLFrameSetElement.cpp:
(WebCore::HTMLFrameSetElement::parseAttribute):
* svg/SVGSVGElement.cpp:
(WebCore::SVGSVGElement::parseAttribute):

LayoutTests:

The following test cases are from the following Blink change:
https://src.chromium.org/viewvc/blink?revision=152377&view=revision

* fast/dom/event-attrs-isolated-world-expected.txt: Added.
* fast/dom/event-attrs-isolated-world.html: Added.
* http/tests/security/isolatedWorld/onclick-attribute-expected.txt: Added.
* http/tests/security/isolatedWorld/onclick-attribute.html: Added.


  Commit: c529f24ed4665ace3b626562e85d4604f8e08daa
      https://github.com/WebKit/WebKit/commit/c529f24ed4665ace3b626562e85d4604f8e08daa
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/bindings/js/JSEventListener.cpp
    M Source/WebCore/bindings/js/JSEventListener.h

  Log Message:
  -----------
  Merge r215487 - JSEventListener::m_isolatedWorld should be a Ref
https://bugs.webkit.org/show_bug.cgi?id=170910
<rdar://problem/30470332>

Reviewed by Alex Christensen.

Since m_isolatedWorld should never be nullptr, change the implementation of m_isolatedWorld
from a RefPtr to a Ref, and adjust the various call sites to support this change.

This should help us catch any changes that permit the isolatedWorld to be set to nullptr.

No new tests since there should be no change in behavior.

* bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::JSEventListener):
(WebCore::JSEventListener::initializeJSFunction):
(WebCore::JSEventListener::handleEvent):
* bindings/js/JSEventListener.h:
(WebCore::JSEventListener::cast):
(WebCore::JSEventListener::isolatedWorld):
(WebCore::JSEventListener::jsFunction):


  Commit: 7e678d86e8af6b97f26f2bfaea999c07ac25ceab
      https://github.com/WebKit/WebKit/commit/7e678d86e8af6b97f26f2bfaea999c07ac25ceab
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/repaint/mutate-non-visible-expected.txt
    A LayoutTests/fast/repaint/mutate-non-visible.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/style/RenderStyle.cpp

  Log Message:
  -----------
  Merge r215507 - Avoid repaints for invisible animations on tumblr.com/search/aww
https://bugs.webkit.org/show_bug.cgi?id=170986
<rdar://problem/28644580>

Reviewed by Andreas Kling.

Source/WebCore:

Test: fast/repaint/mutate-non-visible.html

* rendering/style/RenderStyle.cpp:
(WebCore::requiresPainting):
(WebCore::RenderStyle::changeRequiresRepaint):

    If an element is invisible it does not require repaint even if something else changes.

LayoutTests:

* fast/repaint/mutate-non-visible-expected.txt: Added.
* fast/repaint/mutate-non-visible.html: Added.


  Commit: 0c7c7a89dc17e368eace761939d8034cede843f9
      https://github.com/WebKit/WebKit/commit/0c7c7a89dc17e368eace761939d8034cede843f9
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/API/gtk/WebKitAutocleanups.h

  Log Message:
  -----------
  Merge r215508 - [GTK] WebKitAutocleanups.h regression in v2.16.1 release
https://bugs.webkit.org/show_bug.cgi?id=170987

Patch by Adrian Perez de Castro <aperez at igalia.com> on 2017-04-19
Reviewed by Carlos Garcia Campos.

* UIProcess/API/gtk/WebKitAutocleanups.h: Remove stray semicolon.


  Commit: 43c40f42b72900aeeb86ef038df98f456b9704b8
      https://github.com/WebKit/WebKit/commit/43c40f42b72900aeeb86ef038df98f456b9704b8
  Author: David Hyatt <hyatt at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/parser/CSSSelectorParser.cpp

  Log Message:
  -----------
  Merge r215513 - Remove bogus assert for :not.
https://bugs.webkit.org/show_bug.cgi?id=170995
<rdar://problem/29693115>

Reviewed by Zalan Bujtas.

* css/parser/CSSSelectorParser.cpp:


  Commit: ec7c86636deb2fe01ad269bba0808cafc464b774
      https://github.com/WebKit/WebKit/commit/ec7c86636deb2fe01ad269bba0808cafc464b774
  Author: Joseph Pecoraro <pecoraro at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/workers/WorkerMessagingProxy.cpp
    M Source/WebCore/workers/WorkerMessagingProxy.h

  Log Message:
  -----------
  Merge r215528 - ASAN Crash running LayoutTests/inspector/worker tests
https://bugs.webkit.org/show_bug.cgi?id=170967
<rdar://problem/31256437>

Patch by Joseph Pecoraro <pecoraro at apple.com> on 2017-04-19
Reviewed by Alex Christensen.

* workers/WorkerMessagingProxy.h:
* workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::WorkerMessagingProxy):
(WebCore::WorkerMessagingProxy::workerGlobalScopeDestroyedInternal):
Make the MessagingProxy thread safe ref counted. Since it used to
delete itself, turn this into a ref (implicit on construction)
and deref (replacing delete this).

(WebCore::WorkerMessagingProxy::postMessageToPageInspector):
When dispatching have the lambda implicitly ref/deref with the
lambda to keep the proxy alive while a lambda is queued.


  Commit: 1e8f61887770f5f0937734cd7eafeede9a7403b6
      https://github.com/WebKit/WebKit/commit/1e8f61887770f5f0937734cd7eafeede9a7403b6
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/xml-large-expected.txt
    A LayoutTests/fast/dom/xml-large.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  Merge r215535 - Parsing large XML strings fails
https://bugs.webkit.org/show_bug.cgi?id=170999
<rdar://problem/17336267>

Reviewed by Brady Eidson.

Source/WebCore:

Test: fast/dom/xml-large.html

* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLParserContext::createStringParser):
(WebCore::XMLParserContext::createMemoryParser):
Allow huge XML strings. They work fine in Chrome and Firefox.

LayoutTests:

* fast/dom/xml-large-expected.txt: Added.
* fast/dom/xml-large.html: Added.


  Commit: a5543ed13510a17497fa900211a218ddc9afa522
      https://github.com/WebKit/WebKit/commit/a5543ed13510a17497fa900211a218ddc9afa522
  Author: Alex Christensen <achristensen at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/WebProcessPool.cpp

  Log Message:
  -----------
  Merge r215567 - Fix assertions in webProcessProxyFromConnection
https://bugs.webkit.org/show_bug.cgi?id=171025
<rdar://problem/31184073>

Patch by Alex Christensen <achristensen at webkit.org> on 2017-04-20
Reviewed by Brady Eidson.

* UIProcess/WebProcessPool.cpp:
(WebKit::webProcessProxyFromConnection):
If we have a Connection, then we have a valid process attached to that connection,
unless it's a Connection to a different type of child process.
If we call ChildProcessProxy::connection on other web processes that are in State::Launching,
we get an assertion.  Luckily, ChildProcessProxy::hasConnection was introduced in r210861
for this reason.


  Commit: c1762ce8e77157463944e0f310a417586c5d15c0
      https://github.com/WebKit/WebKit/commit/c1762ce8e77157463944e0f310a417586c5d15c0
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/events/drag-and-drop-link-containing-block-expected.txt
    A LayoutTests/fast/events/drag-and-drop-link-containing-block.html
    M LayoutTests/platform/gtk/TestExpectations
    M LayoutTests/platform/mac-wk2/TestExpectations
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/DragController.cpp

  Log Message:
  -----------
  Merge r215581 - Inline anchor elements cannot be dragged when starting the drag from a block descendant
https://bugs.webkit.org/show_bug.cgi?id=171062
<rdar://problem/31697835>

Reviewed by Tim Horton.

Source/WebCore:

Tweaks DragController::draggableElement to traverse the DOM instead of the render tree when finding a draggable
element. This prevents us from skipping elements that are in the DOM ancestor chain, but appear as siblings to
the hit-tested node's renderer in the render tree.

There was also previously a check to ensure that we skip anonymous RenderObjects while traversing up the chain,
but this is no longer necessary after this change, since all the elements we traverse in the DOM should have
renderers that are not anonymous.

Test: fast/events/drag-and-drop-link-containing-block.html

* page/DragController.cpp:
(WebCore::DragController::draggableElement):

LayoutTests:

Adds a new test on WK1 Mac to verify that link dragging succeeds when the link's anchor element is inline and
the drag is started from a block element under the link.

* fast/events/drag-and-drop-link-containing-block-expected.txt: Added.
* fast/events/drag-and-drop-link-containing-block.html: Added.
* platform/ios/TestExpectations:
* platform/mac-wk2/TestExpectations:

Skip the test on iOS and Mac WK2.


  Commit: 69078a291606044d7651290848097e6fc802ee99
      https://github.com/WebKit/WebKit/commit/69078a291606044d7651290848097e6fc802ee99
  Author: Gwang Yoon Hwang <yoon at igalia.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/GeometryUtilities.cpp
    M Source/WebCore/platform/graphics/GeometryUtilities.h
    M Source/WebCore/platform/graphics/RoundedRect.cpp
    M Source/WebCore/platform/graphics/RoundedRect.h
    M Source/WebCore/rendering/RenderBoxModelObject.cpp

  Log Message:
  -----------
  Merge r215613 - Do not paint the border of the box if the dirty region does not intersect with border area
https://bugs.webkit.org/show_bug.cgi?id=170988

Reviewed by Simon Fraser.

No new tests, since there is no change in behavior.

* platform/graphics/GeometryUtilities.cpp:
(WebCore::ellipseContainsPoint):
Checks if a point is within an ellipse.

* platform/graphics/GeometryUtilities.h:
Replace header-guards with #pragma once.

* platform/graphics/RoundedRect.cpp:
(WebCore::RoundedRect::contains):
Implemented to know whether the dirty rectangle intersects with the rounded rectangle or not.
* platform/graphics/RoundedRect.h:
* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::paintBorder):
When typing in a decorated text box, the dirty rect is generated only for the
inside of the text box, not for the decorations.  So we can avoid the
calculations to draw borders if the inner border totally covers the
target surface. It will optimize the rendering process since we don't
have to render border decorations whenever we type something inside
the text input element.


  Commit: 505c21805282f1ab9aa96990bc895fe19e5545da
      https://github.com/WebKit/WebKit/commit/505c21805282f1ab9aa96990bc895fe19e5545da
  Author: Per Arne Vollan <pvollan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/canvas/canvas-crash-expected.txt
    A LayoutTests/fast/canvas/canvas-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/canvas/CanvasRenderingContext2D.cpp

  Log Message:
  -----------
  Merge r215632 - Validate vImage arguments
https://bugs.webkit.org/show_bug.cgi?id=171109
Source/WebCore:

rdar://problem/30236606

Patch by Per Arne Vollan <pvollan at apple.com> on 2017-04-21
Reviewed by Brent Fulgham.

When writing data to a canvas context, clip the source rectangle to the data rectangle
to make sure we will not attempt to read data outside of the buffer.

Test: fast/canvas/canvas-crash.html

* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::putImageData):

LayoutTests:

Patch by Per Arne Vollan <pvollan at apple.com> on 2017-04-21
Reviewed by Brent Fulgham.

* fast/canvas/canvas-crash-expected.txt: Added.
* fast/canvas/canvas-crash.html: Added.
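
The fix above is a bounds-clipping step: the script-supplied dirty rectangle is intersected with the source data rectangle before any pixel is read. The following is an added example and not WebCore code, showing what that clip has to cover for a putImageData()-style copy: the spec's negative-width/height normalisation, the source buffer, and the destination canvas, all computed in 64-bit so a hostile rectangle near INT_MAX cannot overflow on the way in. IntRect and Pixels are minimal stand-ins of my own for the WebCore types; the copy loop indexes through vector::at() so that a wrong clip would throw rather than read out of bounds.

```cpp
// Added example, not WebCore code: clipping a putImageData()-style copy so a
// script-chosen dirty rectangle can never select bytes outside the source
// ImageData or the canvas. IntRect/Pixels are my own minimal stand-ins.
#include <algorithm>
#include <climits>
#include <cstddef>
#include <cstdint>
#include <vector>

struct IntRect {
    int x, y, width, height;
    IntRect(int x_, int y_, int w, int h) : x(x_), y(y_), width(w), height(h) {}
    bool isEmpty() const { return width <= 0 || height <= 0; }
};

struct Pixels {                      // RGBA, 4 bytes per pixel, row-major
    int width, height;
    std::vector<uint8_t> bytes;
    Pixels(int w, int h, uint8_t fill) : width(w), height(h), bytes(size_t(w) * size_t(h) * 4, fill) {}
};

// Returns the part of `dirty` (source-buffer coordinates) that will actually be
// read; anything outside the source, or landing outside the destination once
// offset by (dx, dy), is dropped. An empty rect means nothing to copy.
IntRect clipPutImageData(const Pixels& source, const Pixels& dest, int dx, int dy, const IntRect& dirty) {
    // 64-bit edges: dirty comes from script and may sit anywhere in int range.
    int64_t left = dirty.x, right = int64_t(dirty.x) + dirty.width;
    int64_t top = dirty.y, bottom = int64_t(dirty.y) + dirty.height;
    // Canvas spec: a negative dirtyWidth/dirtyHeight extends the rect to the
    // left/up of (dirtyX, dirtyY); normalise so left <= right, top <= bottom.
    if (right < left) std::swap(left, right);
    if (bottom < top) std::swap(top, bottom);
    // 1. Never read outside the source buffer.
    left = std::max<int64_t>(left, 0);
    top = std::max<int64_t>(top, 0);
    right = std::min<int64_t>(right, source.width);
    bottom = std::min<int64_t>(bottom, source.height);
    // 2. Never write outside the destination, which in source coordinates
    //    spans [-dx, dest.width - dx) x [-dy, dest.height - dy).
    left = std::max<int64_t>(left, -int64_t(dx));
    top = std::max<int64_t>(top, -int64_t(dy));
    right = std::min<int64_t>(right, int64_t(dest.width) - dx);
    bottom = std::min<int64_t>(bottom, int64_t(dest.height) - dy);
    if (right <= left || bottom <= top)
        return IntRect(0, 0, 0, 0);
    return IntRect(int(left), int(top), int(right - left), int(bottom - top));
}

// Copies the clipped region. Every index goes through vector::at(), so a wrong
// clip would throw instead of silently reading or writing out of bounds.
// Returns the number of pixels copied.
size_t putImageData(const Pixels& source, Pixels& dest, int dx, int dy, const IntRect& dirty) {
    IntRect src = clipPutImageData(source, dest, dx, dy, dirty);
    size_t copied = 0;
    for (int row = src.y; row < src.y + src.height; ++row) {
        for (int col = src.x; col < src.x + src.width; ++col) {
            size_t from = (size_t(row) * source.width + col) * 4;
            size_t to = (size_t(row + dy) * dest.width + (col + dx)) * 4;
            for (int c = 0; c < 4; ++c)
                dest.bytes.at(to + c) = source.bytes.at(from + c);
            ++copied;
        }
    }
    return copied;
}

uint8_t pixelAt(const Pixels& p, int x, int y) { return p.bytes.at((size_t(y) * p.width + x) * 4); }

// Convenience for trying clip results without building buffers by hand.
IntRect clipFor(int srcW, int srcH, int dstW, int dstH, int dx, int dy, int x, int y, int w, int h) {
    Pixels source(srcW, srcH, 0), dest(dstW, dstH, 0);
    return clipPutImageData(source, dest, dx, dy, IntRect(x, y, w, h));
}

// Constructed scenario: a 4x4 source placed at (2,2) on an 8x8 canvas with a
// dirty rect far larger than either buffer. True if exactly the 16 source
// pixels landed on (2,2)..(5,5) and neighbouring canvas pixels were untouched.
bool oversizedDirtyRectIsClipped() {
    Pixels source(4, 4, 0xAB), dest(8, 8, 0x00);
    if (putImageData(source, dest, 2, 2, IntRect(-1000, -1000, 5000, 5000)) != 16)
        return false;
    return pixelAt(dest, 2, 2) == 0xAB && pixelAt(dest, 5, 5) == 0xAB
        && pixelAt(dest, 1, 1) == 0x00 && pixelAt(dest, 6, 6) == 0x00;
}
```

Clipping to the source alone is what the merged change adds; clipping to the destination as well is the other half of the same invariant, and doing both in one place means the copy loop never has to reason about edges.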


  Commit: 3940e45bd7041c20a5443d834ae1e80c14cdf524
      https://github.com/WebKit/WebKit/commit/3940e45bd7041c20a5443d834ae1e80c14cdf524
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/XMLSerializer-serializeToString-entities-expected.txt
    A LayoutTests/fast/dom/XMLSerializer-serializeToString-entities.html
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/DOMParser-parseFromString-html.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/DOMParser-parseFromString-xml-doctype.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/DOMParser-parseFromString-xml.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/XMLSerializer-serializeToString.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/createContextualFragment.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/innerhtml-01.xhtml
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/innerhtml-03.xhtml
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/innerhtml-04.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/innerhtml-05.xhtml
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/innerhtml-06.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/innerhtml-07.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/insert-adjacent.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/insert_adjacent_html-xhtml.xhtml
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/insert_adjacent_html.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/outerhtml-01.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/outerhtml-02.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/style_attribute_html.html
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/w3c-import.log
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/xml-serialization.xhtml
    M Source/WebCore/ChangeLog
    M Source/WebCore/editing/MarkupAccumulator.cpp
    M Source/WebCore/editing/MarkupAccumulator.h

  Log Message:
  -----------
  Merge r215648 - Regression(r206240): XMLSerializer.serializeToString() does not properly escape '<' / '>' in attribute values
https://bugs.webkit.org/show_bug.cgi?id=171132
<rdar://problem/31426752>

Reviewed by Ryosuke Niwa.

LayoutTests/imported/w3c:

Re-sync web-platform-tests/domparsing from upstream.

* web-platform-tests/domparsing/DOMParser-parseFromString-html.html:
* web-platform-tests/domparsing/DOMParser-parseFromString-xml-doctype.html:
* web-platform-tests/domparsing/DOMParser-parseFromString-xml.html:
* web-platform-tests/domparsing/XMLSerializer-serializeToString.html:
* web-platform-tests/domparsing/createContextualFragment.html:
* web-platform-tests/domparsing/innerhtml-01.xhtml:
* web-platform-tests/domparsing/innerhtml-03.xhtml:
* web-platform-tests/domparsing/innerhtml-04.html:
* web-platform-tests/domparsing/innerhtml-05.xhtml:
* web-platform-tests/domparsing/innerhtml-06.html:
* web-platform-tests/domparsing/innerhtml-07.html:
* web-platform-tests/domparsing/insert-adjacent.html:
* web-platform-tests/domparsing/insert_adjacent_html-xhtml.xhtml:
* web-platform-tests/domparsing/insert_adjacent_html.html:
* web-platform-tests/domparsing/outerhtml-01.html:
* web-platform-tests/domparsing/outerhtml-02.html:
* web-platform-tests/domparsing/style_attribute_html.html:
* web-platform-tests/domparsing/w3c-import.log:
* web-platform-tests/domparsing/xml-serialization.xhtml:

Source/WebCore:

Use XMLSerialization [1] in MarkupAccumulator::appendAttribute() when inXMLFragmentSerialization()
returns true, even if the node's associated document is an HTML document. When XMLSerializer.serializeToString()
is called on a Node, we want XML serialization, even if the node comes from an HTML document.

[1] https://w3c.github.io/DOM-Parsing/#dfn-xml-serialization

Test: fast/dom/XMLSerializer-serializeToString-entities.html

* editing/MarkupAccumulator.cpp:
(WebCore::MarkupAccumulator::appendAttributeValue):
(WebCore::MarkupAccumulator::appendAttribute):
* editing/MarkupAccumulator.h:

LayoutTests:

Add layout test coverage. This test is passing in both Firefox and Chrome.

* fast/dom/XMLSerializer-serializeToString-entities-expected.txt: Added.
* fast/dom/XMLSerializer-serializeToString-entities.html: Added.
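
The regression above comes down to which escaping table an attribute value goes through. The following is an added example and not WebCore code: the HTML-serialization attribute escaping (only '&', U+00A0 and '"') beside the XML attribute value serialization ('&', '"', '<', '>' plus the whitespace controls an XML parser would otherwise normalise away), a serializeAttribute() that picks one by a flag standing in for inXMLFragmentSerialization(), and a checker for the property that broke, namely that XMLSerializer output is a well-formed XML attribute literal. Function names are my own.

```cpp
// Added example, not WebCore code: HTML vs XML attribute-value escaping, and a
// check that the XML form is a well-formed XML 1.0 AttValue.
#include <cctype>
#include <string>

// HTML serialization, attribute mode: only '&', U+00A0 and '"' are escaped.
// A raw '<' or '>' is legal inside a quoted HTML attribute value.
std::string escapeAttributeHtml(const std::string& value) {
    std::string out;
    for (size_t i = 0; i < value.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(value[i]);
        if (c == '&')
            out += "&amp;";
        else if (c == '"')
            out += "&quot;";
        else if (c == 0xC2 && i + 1 < value.size() && static_cast<unsigned char>(value[i + 1]) == 0xA0) {
            out += "&nbsp;"; // U+00A0 encoded as UTF-8
            ++i;
        } else
            out += value[i];
    }
    return out;
}

// XML attribute value serialization: the four characters that can terminate
// the literal or start markup, plus tab/LF/CR, which an XML parser would
// otherwise turn into spaces on re-parse (attribute-value normalisation).
std::string escapeAttributeXml(const std::string& value) {
    std::string out;
    for (char c : value) {
        switch (c) {
        case '&': out += "&amp;"; break;
        case '"': out += "&quot;"; break;
        case '<': out += "&lt;"; break;
        case '>': out += "&gt;"; break;
        case '\t': out += "&#9;"; break;
        case '\n': out += "&#10;"; break;
        case '\r': out += "&#13;"; break;
        default: out += c;
        }
    }
    return out;
}

// xmlSerialization must be true whenever the caller is XMLSerializer, whatever
// kind of document the node lives in; choosing it by document type was the bug.
std::string serializeAttribute(const std::string& name, const std::string& value, bool xmlSerialization) {
    return " " + name + "=\"" + (xmlSerialization ? escapeAttributeXml(value) : escapeAttributeHtml(value)) + "\"";
}

// XML 1.0 AttValue for a double-quoted literal: no raw '<' or '"', and every
// '&' must begin a reference (&name; or &#...;).
bool isWellFormedXmlAttributeLiteral(const std::string& serialized) {
    size_t open = serialized.find('"');
    size_t close = serialized.rfind('"');
    if (open == std::string::npos || close == open)
        return false;
    for (size_t i = open + 1; i < close; ++i) {
        char c = serialized[i];
        if (c == '<' || c == '"')
            return false;
        if (c == '&') {
            size_t semi = serialized.find(';', i);
            if (semi == std::string::npos || semi >= close || semi == i + 1)
                return false;
            for (size_t j = i + 1; j < semi; ++j)
                if (!std::isalnum(static_cast<unsigned char>(serialized[j])) && serialized[j] != '#')
                    return false;
            i = semi;
        }
    }
    return true;
}
```

The checker is the kind of assertion worth keeping next to any serializer whose output is handed to a stricter parser: HTML escaping happens to be enough for HTML consumers, but the same bytes are not guaranteed to re-parse as XML, which is the contract XMLSerializer.serializeToString() promises.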


  Commit: 091ea18ea8ca6639f18bf0dd17707df773dbd863
      https://github.com/WebKit/WebKit/commit/091ea18ea8ca6639f18bf0dd17707df773dbd863
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/platform/gtk/TestExpectations

  Log Message:
  -----------
  Unreviewed. Fix expectations of fast/events/drag-and-drop-link-containing-block.html.

* platform/gtk/TestExpectations:


  Commit: 9be0ded18c118178c15129351300dc7ebe13a386
      https://github.com/WebKit/WebKit/commit/9be0ded18c118178c15129351300dc7ebe13a386
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/replaced/ul-li-word-break-break-word-expected.html
    A LayoutTests/fast/replaced/ul-li-word-break-break-word.html
    A LayoutTests/fast/replaced/zero-width-image-force-linebreak-expected.html
    A LayoutTests/fast/replaced/zero-width-image-force-linebreak.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/line/BreakingContext.h
    M Source/WebCore/rendering/line/LineWidth.cpp
    M Source/WebCore/rendering/line/LineWidth.h

  Log Message:
  -----------
  Merge r215660 - REGRESSION(r205374): <li> content inside <ul> should mid-word wrap when word-break: break-word is present.
https://bugs.webkit.org/show_bug.cgi?id=171108
<rdar://problem/30271747>

Reviewed by Dan Bernstein.

Source/WebCore:

This patch ensures that we search for mid-word breaks when a zero sized element has been committed on the line
unless it's an image or some other replaced element with special properties (e.g. list-style: inside).

Tests: fast/replaced/ul-li-word-break-break-word.html
       fast/replaced/zero-width-image-force-linebreak.html

* rendering/line/BreakingContext.h:
(WebCore::BreakingContext::handleReplaced):
(WebCore::BreakingContext::handleText): This matches pre-r205374 behaviour, but it's explicit about whether a
replaced width has already been committed on the current line.
* rendering/line/LineWidth.cpp:
(WebCore::LineWidth::commit):
* rendering/line/LineWidth.h:
(WebCore::LineWidth::hasCommittedReplaced):
(WebCore::LineWidth::addUncommittedReplacedWidth): These 2 last functions were removed with r205374 (and now I am adding them back).

LayoutTests:

* fast/replaced/ul-li-word-break-break-word-expected.html: Added.
* fast/replaced/ul-li-word-break-break-word.html: Added.
* fast/replaced/zero-width-image-force-linebreak-expected.html: Added.
* fast/replaced/zero-width-image-force-linebreak.html: Added.


  Commit: c20ef69f874420ece7c8acc879abb34e1788bde1
      https://github.com/WebKit/WebKit/commit/c20ef69f874420ece7c8acc879abb34e1788bde1
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/http/tests/download/anchor-download-attribute-content-disposition-expected.txt
    A LayoutTests/http/tests/download/anchor-download-attribute-content-disposition.html
    A LayoutTests/http/tests/download/resources/content-disposition-pass.php
    M LayoutTests/http/tests/security/anchor-download-allow-sameorigin.html
    M LayoutTests/platform/mac-wk1/TestExpectations
    M LayoutTests/platform/win/TestExpectations
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/network/ResourceResponseBase.cpp
    M Source/WebCore/platform/network/ResourceResponseBase.h
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/NetworkProcess/NetworkProcess.cpp
    M Source/WebKit2/UIProcess/Downloads/DownloadProxy.cpp

  Log Message:
  -----------
  Merge r215736 - Content-Disposition header filename is ignored when 'download' attribute is specified in HTML
https://bugs.webkit.org/show_bug.cgi?id=171239
<rdar://problem/31789855>

Reviewed by Alex Christensen.

Source/WebCore:

Add isAttachmentWithFilename() utility method to ResourceResponse to implement:
- https://html.spec.whatwg.org/#as-a-download (Step 2)

Test: http/tests/download/anchor-download-attribute-content-disposition.html

* platform/network/ResourceResponseBase.cpp:
(WebCore::ResourceResponseBase::isAttachmentWithFilename):
* platform/network/ResourceResponseBase.h:

Source/WebKit2:

Content-Disposition header filename is ignored when 'download' attribute is specified in HTML.
This is not as per HTML specification:
- https://html.spec.whatwg.org/#as-a-download (Step 2)

Content-Disposition header filename is supposed to override the value of the download attribute.

Firefox and Chrome follow the specification.

* NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::findPendingDownloadLocation):
* UIProcess/Downloads/DownloadProxy.cpp:
(WebKit::DownloadProxy::didReceiveResponse):

LayoutTests:

* http/tests/security/anchor-download-allow-sameorigin.html:
Stop using attachment.php as resource for this download attribute test because attachment.php
returns a Content-Disposition header with a filename. Given the behavior change in this patch,
this resource is no longer suitable for testing the download attribute.

* http/tests/download/anchor-download-attribute-content-disposition-expected.txt: Added.
* http/tests/download/anchor-download-attribute-content-disposition.html: Added.
* http/tests/download/resources/content-disposition-pass.php: Added.
Add layout test coverage.

* platform/ios-wk2/TestExpectations:
* platform/mac-wk1/TestExpectations:
* platform/win/TestExpectations:
Skip new test on platforms where the download attribute is not supported.
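
The filename-selection part of the "as a download" algorithm this merge aligns WebKit with, as an added example in JavaScript (not WebKit's code, and not part of the commit above). It follows my reading of https://html.spec.whatwg.org/#as-a-download: a Content-Disposition attachment filename wins outright (step 2), a Content-Disposition filename of any disposition type or the download attribute are honoured only when the resource is same-origin with the initiating document (steps 5-7), and everything after that is simplified here to the URL's last path segment. The Content-Disposition parser, the sanitize policy (last path segment only, no control characters, no leading dots) and the function names are assumptions of this example; the HTML spec leaves sanitization to the user agent.

```javascript
// Added example, not WebKit code: filename selection for a download per the
// HTML "as a download" steps, with a small Content-Disposition parser.
// Header params containing ';' inside quotes are not handled (simplification).
function parseContentDisposition(header) {
  if (!header) return null;
  const [typePart, ...paramParts] = header.split(';');
  let extended; // filename*= (RFC 5987/6266), preferred over filename=
  let plain;    // filename=
  for (const part of paramParts) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (key === 'filename*') {
      // Form: charset'language'percent-encoded-value; only UTF-8 is accepted here.
      const m = /^utf-8'[^']*'(.*)$/i.exec(value);
      if (m) {
        try { extended = decodeURIComponent(m[1]); } catch (e) { /* malformed escape: ignore */ }
      }
    } else if (key === 'filename') {
      if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
        value = value.slice(1, -1).replace(/\\(.)/g, '$1'); // unquote, drop backslash escapes
      }
      plain = value;
    }
  }
  return {
    type: typePart.trim().toLowerCase(),
    filename: extended !== undefined ? extended : plain,
  };
}

// "Sanitize" is user-agent defined in the spec. This policy is an assumption of
// the example: keep only the last path segment (defeats "../../etc/passwd"),
// strip control characters and leading dots, fall back to a generic name.
function sanitize(name) {
  const last = String(name).split(/[\\/]/).pop();
  const cleaned = last.replace(/[\x00-\x1f\x7f]/g, '').replace(/^\.+/, '').trim();
  return cleaned === '' ? 'download' : cleaned;
}

// interfaceOrigin: origin of the document that initiated the download
// (undefined when there is none, e.g. a URL typed by the user).
function chooseDownloadFilename({ resourceUrl, contentDisposition, downloadAttribute, interfaceOrigin }) {
  const cd = parseContentDisposition(contentDisposition);

  // Step 2: an attachment disposition with filename information wins, whatever
  // the download attribute says. This is the behaviour the commit restores.
  if (cd && cd.type === 'attachment' && cd.filename) return sanitize(cd.filename);

  // Steps 3-5: the operation is trusted only when resource and interface are
  // same-origin; a data: URL inherits the interface origin.
  const url = new URL(resourceUrl);
  const resourceOrigin = url.protocol === 'data:' ? interfaceOrigin : url.origin;
  const trusted = interfaceOrigin === undefined || resourceOrigin === interfaceOrigin;

  // Step 6: for trusted operations any Content-Disposition filename is used.
  if (trusted && cd && cd.filename) return sanitize(cd.filename);

  // Step 7: the download attribute is honoured only for trusted operations, so a
  // cross-origin page cannot pick the filename of another site's resource.
  if (trusted && downloadAttribute !== undefined && downloadAttribute !== null) {
    return sanitize(downloadAttribute);
  }

  // Later steps, simplified: fall back to the URL's last path segment.
  return sanitize(decodeURIComponent(url.pathname.split('/').pop() || ''));
}

// Constructed scenario: same-origin page, server names the file, page names it differently.
const SAME_ORIGIN_CASE = {
  resourceUrl: 'https://example.test/files/report?id=7',
  contentDisposition: 'attachment; filename="server-name.pdf"',
  downloadAttribute: 'page-name.pdf',
  interfaceOrigin: 'https://example.test',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(chooseDownloadFilename(SAME_ORIGIN_CASE)); // server-name.pdf
}
```

Run it with node to see the same-origin case resolve to the server's filename; swap the interface origin for a different host and the download attribute stops being honoured, which is what the rewritten anchor-download-allow-sameorigin.html test above is probing.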


  Commit: 228ac8e0a3928461b635676189b3d5565320abb5
      https://github.com/WebKit/WebKit/commit/228ac8e0a3928461b635676189b3d5565320abb5
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/platform/text/StringWithDirection.h
    M Source/WebKit/mac/ChangeLog
    M Source/WebKit/mac/WebCoreSupport/WebFrameLoaderClient.mm
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
    M Tools/ChangeLog
    A Tools/TestWebKitAPI/Tests/WebKit2/LimitTitleSize.cpp
    A Tools/TestWebKitAPI/Tests/WebKit2/set-long-title.html
    A Tools/TestWebKitAPI/Tests/mac/LimitTitleSize.mm

  Log Message:
  -----------
  Merge r215784 - Limit allowed size of document.title to avoid locking WebKit clients
https://bugs.webkit.org/show_bug.cgi?id=165113
<rdar://problem/28324389>

Reviewed by Darin Adler.

Source/WebKit/mac:

When a web application attempts to set an extremely long title, truncate the
title to a more reasonable size.

We do this at the presentation layer, rather than in the DOM, so that we do
not affect script function. Instead, we merely limit display to a level that is
reasonable for normal GUI widgets. Anything else needs to be truncated in the UI
layer, so it is a waste of effort to send across IPC.

* WebCoreSupport/WebFrameLoaderClient.h:
* WebCoreSupport/WebFrameLoaderClient.mm:
(WebFrameLoaderClient::dispatchDidReceiveTitle):

Source/WebKit2:

When a web application attempts to set an extremely long title, truncate the
title to a more reasonable size.

We do this at the presentation layer, rather than in the DOM, so that we do
not affect script function. Instead, we merely limit display to a level that is
reasonable for normal GUI widgets. Anything else needs to be truncated in the UI
layer, so it is a waste of effort to send across IPC.

* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchDidReceiveTitle):
* WebProcess/WebCoreSupport/WebFrameLoaderClient.h:

Tools:

* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj: Add new files.
* TestWebKitAPI/Tests/WebKit2/LimitTitleSize.cpp: Added.
* TestWebKitAPI/Tests/WebKit2/set-long-title.html: Added.
* TestWebKitAPI/Tests/mac/LimitTitleSize.mm: Added.


  Commit: 4abe1717459143590500995460ff134d322f3da5
      https://github.com/WebKit/WebKit/commit/4abe1717459143590500995460ff134d322f3da5
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/HTMLLinkElement/event-while-removing-attribute-expected.txt
    A LayoutTests/fast/dom/HTMLLinkElement/event-while-removing-attribute.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Attr.cpp
    M Source/WebCore/dom/ContainerNode.cpp
    M Source/WebCore/dom/NoEventDispatchAssertion.h

  Log Message:
  -----------
  Merge r215787 - Relax the event firing ASSERT for Attr changes
https://bugs.webkit.org/show_bug.cgi?id=171236
<rdar://problem/30516349>

Reviewed by Dean Jackson.

Source/WebCore:

The assertions added in Bug 167318 were overly strict, and trigger for valid behavior.
Relax the assertion preventing event dispatch for the case of Attr elements at the
end of childrenChanged.

Test: fast/dom/HTMLLinkElement/event-while-removing-attribute.html

* dom/Attr.cpp:
(WebCore::Attr::childrenChanged):

LayoutTests:

* fast/dom/HTMLLinkElement/event-while-removing-attribute-expected.txt: Added.
* fast/dom/HTMLLinkElement/event-while-removing-attribute.html: Added.


  Commit: 50edf99bad75b29c1d057ff0c7d6da3683ec3520
      https://github.com/WebKit/WebKit/commit/50edf99bad75b29c1d057ff0c7d6da3683ec3520
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Shared/WebEventConversion.cpp
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/PlatformWebView.h
    A Tools/TestWebKitAPI/Tests/WebKit2/EventModifiers.cpp
    M Tools/TestWebKitAPI/gtk/PlatformWebViewGtk.cpp
    M Tools/TestWebKitAPI/mac/PlatformWebViewMac.mm

  Log Message:
  -----------
  Merge r215790 - REGRESSION(206450): WebKit2PlatformMouseEvent m_modifierFlags not set
https://bugs.webkit.org/show_bug.cgi?id=171297
<rdar://problem/31530719>

Reviewed by Geoffrey Garen.

Source/WebKit2:

* Shared/WebEventConversion.cpp:
(WebKit::WebKit2PlatformMouseEvent::WebKit2PlatformMouseEvent):

Tools:

* TestWebKitAPI/PlatformWebView.h:
* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* TestWebKitAPI/Tests/WebKit2/EventModifiers.cpp: Added.
(TestWebKitAPI::didFinishLoadForFrame):
(TestWebKitAPI::mouseDidMoveOverElement):
(TestWebKitAPI::setClients):
(TestWebKitAPI::TEST):
* TestWebKitAPI/mac/PlatformWebViewMac.mm:
(TestWebKitAPI::PlatformWebView::simulateRightClick):
(TestWebKitAPI::PlatformWebView::simulateMouseMove):


  Commit: 74972ea60e45a5f2ad8e6c14866bbfbcdd5ef038
      https://github.com/WebKit/WebKit/commit/74972ea60e45a5f2ad8e6c14866bbfbcdd5ef038
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/multicol/infinite-loop-when-forced-break-expected.txt
    A LayoutTests/fast/multicol/infinite-loop-when-forced-break.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderMultiColumnSet.cpp

  Log Message:
  -----------
  Merge r215805 - Forced page break on :after triggers infinite loop in column balancing
https://bugs.webkit.org/show_bug.cgi?id=171309
rdar://problem/26285884

Reviewed by David Hyatt.

Source/WebCore:

Stop trying to balance the columns when the forced page breaks >= the number of
columns even when this number is 1. Content will always overflow to the next page.
See https://chromium.googlesource.com/chromium/src/+/fbbebf38cefb2712c912581eccb046ef363ec84e%5E%21/#F2

Test: fast/multicol/infinite-loop-when-forced-break.html

* rendering/RenderMultiColumnSet.cpp:
(WebCore::RenderMultiColumnSet::calculateBalancedHeight):

LayoutTests:

* fast/multicol/infinite-loop-when-forced-break-expected.txt: Added.
* fast/multicol/infinite-loop-when-forced-break.html: Added.


  Commit: 5cb288726de9311fc21ef613957c4109fdaa4a26
      https://github.com/WebKit/WebKit/commit/5cb288726de9311fc21ef613957c4109fdaa4a26
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/multicol/simple-line-layout-widows-when-switching-over-to-normal-line-layout-expected.html
    A LayoutTests/fast/multicol/simple-line-layout-widows-when-switching-over-to-normal-line-layout.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Merge r215861 - Text gets cut off when bailing out of simple line layout with widows.
https://bugs.webkit.org/show_bug.cgi?id=171370
<rdar://problem/31563414>

Reviewed by Antti Koivisto.

Source/WebCore:

Normal line layout requires an extra layout to handle widows. See RenderBlockFlow::relayoutToAvoidWidows.

Test: fast/multicol/simple-line-layout-widows-when-switching-over-to-normal-line-layout.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::ensureLineBoxes):

LayoutTests:

* fast/multicol/simple-line-layout-widows-when-switching-over-to-normal-line-layout-expected.html: Added.
* fast/multicol/simple-line-layout-widows-when-switching-over-to-normal-line-layout.html: Added.


  Commit: 82b11157d1901dca9815035e69180851e154bbc3
      https://github.com/WebKit/WebKit/commit/82b11157d1901dca9815035e69180851e154bbc3
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebInspectorUI/ChangeLog
    M Source/WebInspectorUI/UserInterface/Images/gtk/NavigationItemTypes.svg
    M Source/WebInspectorUI/UserInterface/Images/gtk/UpDownArrows.svg

  Log Message:
  -----------
  Merge r215867 - [GTK] Web Inspector: some SVG images are specified 'currentColor' incorrectly
https://bugs.webkit.org/show_bug.cgi?id=170977

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-04-27
Reviewed by Michael Catanzaro.

The keyword 'currentColor' is specified manually in Bug 150602.
But, some SVG images are specified incorrectly.

* UserInterface/Images/gtk/NavigationItemTypes.svg: Do not stroke
with currentColor, but fill.
* UserInterface/Images/gtk/UpDownArrows.svg: Ditto.


  Commit: 33abafd627c0a9d60c5216a6703150884ad84ace
      https://github.com/WebKit/WebKit/commit/33abafd627c0a9d60c5216a6703150884ad84ace
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebInspectorUI/ChangeLog
    M Source/WebInspectorUI/UserInterface/Images/gtk/NavigationItemCurleyBraces.svg

  Log Message:
  -----------
  Merge r215868 - [GTK] Web Inspector: gtk/NavigationItemCurleyBraces.svg is licensed under NonCommercial CC
https://bugs.webkit.org/show_bug.cgi?id=170902

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-04-27
Reviewed by Michael Catanzaro.

* UserInterface/Images/gtk/NavigationItemCurleyBraces.svg:
Replaced with a new one created by me.


  Commit: db15f43d5eeb0264d6b7103e7f30a454ecb2d096
      https://github.com/WebKit/WebKit/commit/db15f43d5eeb0264d6b7103e7f30a454ecb2d096
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebInspectorUI/ChangeLog
    R Source/WebInspectorUI/UserInterface/Images/gtk/Colors.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/Colors at 2x.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/ColorsLarge.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/ColorsLarge at 2x.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/Frames.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/Frames at 2x.png
    A Source/WebInspectorUI/UserInterface/Images/gtk/HeapAllocationsInstrument.svg
    A Source/WebInspectorUI/UserInterface/Images/gtk/LayoutInstrument.svg
    A Source/WebInspectorUI/UserInterface/Images/gtk/MemoryInstrument.svg
    R Source/WebInspectorUI/UserInterface/Images/gtk/Network.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/Network at 2x.png
    A Source/WebInspectorUI/UserInterface/Images/gtk/NetworkInstrument.svg
    R Source/WebInspectorUI/UserInterface/Images/gtk/NetworkLarge.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/NetworkLarge at 2x.png
    A Source/WebInspectorUI/UserInterface/Images/gtk/RenderingFramesInstrument.svg
    R Source/WebInspectorUI/UserInterface/Images/gtk/Script.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/Script at 2x.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/ScriptLarge.png
    R Source/WebInspectorUI/UserInterface/Images/gtk/ScriptLarge at 2x.png
    A Source/WebInspectorUI/UserInterface/Images/gtk/ScriptsInstrument.svg
    M Source/WebInspectorUI/UserInterface/Views/TimelineIcons.css

  Log Message:
  -----------
  Merge r215869 - [GTK] Web Inspector: Add new GTK+ icons for instrument icons
https://bugs.webkit.org/show_bug.cgi?id=153892
<rdar://problem/24510460>

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-04-27
Reviewed by Joseph Pecoraro.

Add more free icons from art-libre symbolic and remove some
unused ones for the Web Inspector in GTK+.

* UserInterface/Images/gtk/Colors.png: Removed.
* UserInterface/Images/gtk/Colors at 2x.png: Removed.
* UserInterface/Images/gtk/ColorsLarge.png: Removed.
* UserInterface/Images/gtk/ColorsLarge at 2x.png: Removed.
* UserInterface/Images/gtk/Frames.png: Removed.
* UserInterface/Images/gtk/Frames at 2x.png: Removed.
* UserInterface/Images/gtk/HeapAllocationsInstrument.svg: Added.
* UserInterface/Images/gtk/LayoutInstrument.svg: Added.
* UserInterface/Images/gtk/MemoryInstrument.svg: Added.
* UserInterface/Images/gtk/Network.png: Removed.
* UserInterface/Images/gtk/Network at 2x.png: Removed.
* UserInterface/Images/gtk/NetworkInstrument.svg: Added.
* UserInterface/Images/gtk/NetworkLarge.png: Removed.
* UserInterface/Images/gtk/NetworkLarge at 2x.png: Removed.
* UserInterface/Images/gtk/RenderingFramesInstrument.svg: Added.
* UserInterface/Images/gtk/Script.png: Removed.
* UserInterface/Images/gtk/Script at 2x.png: Removed.
* UserInterface/Images/gtk/ScriptLarge.png: Removed.
* UserInterface/Images/gtk/ScriptLarge at 2x.png: Removed.
* UserInterface/Images/gtk/ScriptsInstrument.svg: Added.
* UserInterface/Views/TimelineIcons.css:
(body:not(.mac-platform, .windows-platform) .network-icon .icon): Deleted.
(body:not(.mac-platform, .windows-platform) .network-icon.large .icon): Deleted.
(body:not(.mac-platform, .windows-platform) .layout-icon .icon): Deleted.
(body:not(.mac-platform, .windows-platform) .layout-icon.large .icon): Deleted.
(body:not(.mac-platform, .windows-platform) .script-icon .icon): Deleted.
(body:not(.mac-platform, .windows-platform) .script-icon.large .icon): Deleted.
(body:not(.mac-platform, .windows-platform) .rendering-frame-icon .icon): Deleted.
(body:not(.mac-platform, .windows-platform) .memory-icon .icon): Deleted.
(body:not(.mac-platform, .windows-platform) .heap-allocations-icon .icon): Deleted.


  Commit: f1cd5d5a551ffc93c51e1026c167667aabbefb67
      https://github.com/WebKit/WebKit/commit/f1cd5d5a551ffc93c51e1026c167667aabbefb67
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebInspectorUI/ChangeLog
    R Source/WebInspectorUI/UserInterface/Images/gtk/BreakpointActionAdd.svg
    R Source/WebInspectorUI/UserInterface/Images/gtk/BreakpointActionRemove.svg

  Log Message:
  -----------
  Merge r216063 - [GTK] Web Inspector: Remove GTK+ icons AnimationPlayStatePaused.svg and AnimationPlayStateRunning.svg
https://bugs.webkit.org/show_bug.cgi?id=171540

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-05-02
Reviewed by Carlos Garcia Campos.

These images haven't been used since r204152 (Bug 160566). Instead,
Plus13.svg and Minus.svg are used.

* UserInterface/Images/gtk/BreakpointActionAdd.svg: Removed.
* UserInterface/Images/gtk/BreakpointActionRemove.svg: Removed.


  Commit: 2b47e59ac8a21dbc53f63c918664c010cd3f2f4e
      https://github.com/WebKit/WebKit/commit/2b47e59ac8a21dbc53f63c918664c010cd3f2f4e
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebInspectorUI/ChangeLog
    R Source/WebInspectorUI/UserInterface/Images/gtk/FontVariantSmallCaps.svg

  Log Message:
  -----------
  Merge r216064 - [GTK] Web Inspector: Remove GTK+ icon FontVariantSmallCaps.svg
https://bugs.webkit.org/show_bug.cgi?id=171542

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-05-02
Reviewed by Carlos Garcia Campos.

This image is not used and Apple's one was removed in Bug 148720.

* UserInterface/Images/gtk/FontVariantSmallCaps.svg: Removed.


  Commit: a1e90df8cacc3c8de470afd53b34ae0ab6f3c0d0
      https://github.com/WebKit/WebKit/commit/a1e90df8cacc3c8de470afd53b34ae0ab6f3c0d0
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebInspectorUI/ChangeLog
    R Source/WebInspectorUI/UserInterface/Images/gtk/Stopwatch.png
    A Source/WebInspectorUI/UserInterface/Images/gtk/Stopwatch.svg
    R Source/WebInspectorUI/UserInterface/Images/gtk/Stopwatch at 2x.png
    M Source/WebInspectorUI/UserInterface/Views/TimelineIcons.css

  Log Message:
  -----------
  Merge r216356 - [GTK] Web Inspector: Add new GTK+ icon for timeline recording stopwatch
https://bugs.webkit.org/show_bug.cgi?id=154088

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-05-08
Reviewed by Carlos Garcia Campos.

Add a free icon and remove some unused ones for the Web Inspector
in GTK+.

* UserInterface/Images/gtk/Stopwatch.png: Removed.
* UserInterface/Images/gtk/Stopwatch.svg: Added.
* UserInterface/Images/gtk/Stopwatch at 2x.png: Removed.
* UserInterface/Views/TimelineIcons.css:
(body:not(.mac-platform, .windows-platform) .stopwatch-icon .icon): Deleted.


  Commit: d8484212ce1a20f942a15dc52c1a94f2d11ed602
      https://github.com/WebKit/WebKit/commit/d8484212ce1a20f942a15dc52c1a94f2d11ed602
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/css3/viewport-percentage-lengths/vh-auto-size-expected.html
    A LayoutTests/css3/viewport-percentage-lengths/vh-auto-size.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/FrameView.cpp

  Log Message:
  -----------
  Merge r215874 - Repeated layouts in Mail due to viewport units being used with auto-sizing
https://bugs.webkit.org/show_bug.cgi?id=171371
<rdar://problem/28780084>

Reviewed by Zalan Bujtas.

Source/WebCore:

Test: css3/viewport-percentage-lengths/vh-auto-size.html

Auto-sizing code would adjust the size of the view in the beginning of layout(). This would
end up invalidating style for elements that use vh units and we would perform main layout
with unclean style. This would result in endless layout loops and hit assert on debug.

* page/FrameView.cpp:
(WebCore::FrameView::availableContentSizeChanged):

    Ensure we have clean style after resize if we are in pre-layout.

LayoutTests:

* css3/viewport-percentage-lengths/vh-auto-size-expected.html: Added.
* css3/viewport-percentage-lengths/vh-auto-size.html: Added.


  Commit: 804e5fbd8a818839441511f4b6a72d743a9d1305
      https://github.com/WebKit/WebKit/commit/804e5fbd8a818839441511f4b6a72d743a9d1305
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/bmalloc/ChangeLog
    M Source/bmalloc/bmalloc/Heap.cpp
    M Source/bmalloc/bmalloc/Heap.h
    M Source/bmalloc/bmalloc/VMHeap.h
    M Source/bmalloc/bmalloc/bmalloc.h

  Log Message:
  -----------
  Merge r215909 - bmalloc scavenger should know what page classes are allocating
https://bugs.webkit.org/show_bug.cgi?id=171384

Reviewed by Geoffrey Garen.

This change replaces m_isAllocatingPages with a per page class flag to track which page
classes are currently allocating.  When scavenging, we skip page classes that are actively
allocating and come back to them on a subsequent pass.  This reduces the amount of time it
takes for scavenger to free up pages as well as the total time it takes to handle all
page classes.

* bmalloc/Heap.cpp:
(bmalloc::Heap::Heap):
(bmalloc::Heap::concurrentScavenge):
(bmalloc::Heap::scavenge):
(bmalloc::Heap::scavengeSmallPages):
(bmalloc::Heap::scavengeLargeObjects):
(bmalloc::Heap::allocateSmallPage):
(bmalloc::Heap::splitAndAllocate):
(bmalloc::Heap::deallocateLarge):
* bmalloc/Heap.h:
(bmalloc::Heap::takeRequestedScavengerThreadQOSClass): Deleted.
* bmalloc/VMHeap.h:
(bmalloc::VMHeap::deallocateSmallPage):
* bmalloc/bmalloc.h:
(bmalloc::api::scavenge):


  Commit: 59c3ee66435c434fe983f44d16e047b0ac118845
      https://github.com/WebKit/WebKit/commit/59c3ee66435c434fe983f44d16e047b0ac118845
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/url/urlsearchparams-constructor-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/urlsearchparams-constructor.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/URLParser.cpp

  Log Message:
  -----------
  Merge r215940 - URLSearchParams should be reflective
https://bugs.webkit.org/show_bug.cgi?id=171345

Reviewed by Alex Christensen.

LayoutTests/imported/w3c:

Merge https://github.com/w3c/web-platform-tests/pull/5736 to gain test
coverage.

* web-platform-tests/url/urlsearchparams-constructor-expected.txt:
* web-platform-tests/url/urlsearchparams-constructor.html:

Source/WebCore:

There was a bug in our implementation of [1] where we would replace
'+' with 0x20 *after* URL-decoding the string, instead of *before*.
This was causing us to replace URL-encoded '+' characters with 0x20.

[1] https://url.spec.whatwg.org/#concept-urlencoded-parser

No new tests, updated existing test.

* platform/URLParser.cpp:
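
The application/x-www-form-urlencoded parser from https://url.spec.whatwg.org/#concept-urlencoded-parser, as an added JavaScript example (not WebKit's URLParser code and not part of the commit above), written in the spec order and in the pre-fix order described in the commit message so the difference is visible: replacing '+' with a space must happen before percent-decoding, otherwise an encoded plus ("%2B") decodes to '+' and is then wrongly turned into a space. The serializer is included so the "reflective" property (parse, then serialize, gives the same query string back) can be checked. Function names and the sample query string are constructed for this example.

```javascript
// Added example, not WebKit code: urlencoded parser/serializer per the URL
// Standard, next to the buggy ordering the commit fixed.
const isHex = (b) =>
  (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x46) || (b >= 0x61 && b <= 0x66);

// Percent-decoding works on bytes: "%XX" becomes one byte, anything else is copied
// through unchanged (including a stray '%' that is not followed by two hex digits).
function percentDecodeToBytes(str) {
  const input = new TextEncoder().encode(str);
  const out = [];
  for (let i = 0; i < input.length; i++) {
    const b = input[i];
    if (b === 0x25 && i + 2 < input.length && isHex(input[i + 1]) && isHex(input[i + 2])) {
      out.push(parseInt(String.fromCharCode(input[i + 1], input[i + 2]), 16));
      i += 2;
    } else {
      out.push(b);
    }
  }
  return Uint8Array.from(out);
}

// "UTF-8 decode without BOM": a leading byte order mark is kept, not stripped.
const utf8Decode = (bytes) => new TextDecoder('utf-8', { ignoreBOM: true }).decode(bytes);

// Split "n1=v1&n2=v2" into raw [name, value] string pairs; empty sequences are skipped.
function splitSequences(input) {
  const pairs = [];
  for (const seq of input.split('&')) {
    if (seq === '') continue;
    const eq = seq.indexOf('=');
    pairs.push(eq === -1 ? [seq, ''] : [seq.slice(0, eq), seq.slice(eq + 1)]);
  }
  return pairs;
}

// Spec order: '+' -> 0x20 first, THEN percent-decode. "%2B" survives as a literal '+'.
function parseUrlencoded(input) {
  return splitSequences(input).map(([n, v]) => [
    utf8Decode(percentDecodeToBytes(n.replace(/\+/g, ' '))),
    utf8Decode(percentDecodeToBytes(v.replace(/\+/g, ' '))),
  ]);
}

// Pre-fix order (the bug described above): percent-decode first, then replace '+'.
function parseUrlencodedBuggy(input) {
  return splitSequences(input).map(([n, v]) => [
    utf8Decode(percentDecodeToBytes(n)).replace(/\+/g, ' '),
    utf8Decode(percentDecodeToBytes(v)).replace(/\+/g, ' '),
  ]);
}

// urlencoded byte serializer: space -> '+', [A-Za-z0-9*-._] copied, all else %XX.
function serializeUrlencoded(pairs) {
  const encodePart = (str) => {
    let out = '';
    for (const b of new TextEncoder().encode(str)) {
      if (b === 0x20) out += '+';
      else if (b === 0x2a || b === 0x2d || b === 0x2e || b === 0x5f ||
               (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) || (b >= 0x61 && b <= 0x7a)) {
        out += String.fromCharCode(b);
      } else {
        out += '%' + b.toString(16).toUpperCase().padStart(2, '0');
      }
    }
    return out;
  };
  return pairs.map(([n, v]) => `${encodePart(n)}=${encodePart(v)}`).join('&');
}

// "Reflective": parse then serialize should give the input back. With the buggy
// order the encoded plus is lost and the query string changes.
function roundTrip(input, parse = parseUrlencoded) {
  return serializeUrlencoded(parse(input));
}

// Constructed sample: encoded plus, literal plus, UTF-8, empty value, empty name, bare name.
const SAMPLE = 'q=1%2B1&s=x+y&n=%C3%A9&e=&=v&lone';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseUrlencoded(SAMPLE));
  console.log('spec :', roundTrip(SAMPLE));                      // q=1%2B1&s=x+y&n=%C3%A9&e=&=v&lone=
  console.log('buggy:', roundTrip(SAMPLE, parseUrlencodedBuggy)); // q=1+1&s=x+y&n=%C3%A9&e=&=v&lone=
}
```

The only difference between the two parsers is where the `replace(/\+/g, ' ')` sits relative to `percentDecodeToBytes`; the buggy order collapses "1%2B1" and "1+1" into the same value, so a consumer can no longer tell an encoded plus from a space.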


  Commit: dcafef5199c199e2c7ab3186affecd16644bdcc2
      https://github.com/WebKit/WebKit/commit/dcafef5199c199e2c7ab3186affecd16644bdcc2
  Author: Dean Jackson <dino at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/css3/filters/blur-various-radii-expected.html
    A LayoutTests/css3/filters/blur-various-radii.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/filters/FEGaussianBlur.cpp

  Log Message:
  -----------
  Merge r215957 - App crashing: Dispatch queue: com.apple.root.user-interactive-qos / vBoxConvolve / WebCore::FEGaussianBlur::platformApplySoftware()
https://bugs.webkit.org/show_bug.cgi?id=171461
<rdar://problem/30534722>

Reviewed by Eric Carlson.

Source/WebCore:

We're getting reports of crashes in this function, caused by null or empty data being
passed to vImage. Guard against this, in a way that will ASSERT in debug builds if
anyone comes across it.

Test: css3/filters/blur-various-radii.html

* platform/graphics/filters/FEGaussianBlur.cpp:
(WebCore::accelerateBoxBlur): Return early if things don't look good.

LayoutTests:

Test a bunch of blurs a frame at a time.

* css3/filters/blur-various-radii-expected.html: Added.
* css3/filters/blur-various-radii.html: Added.


  Commit: 221abac8ea5925aaa9b09345673f988c3cc0db30
      https://github.com/WebKit/WebKit/commit/221abac8ea5925aaa9b09345673f988c3cc0db30
  Author: Per Arne Vollan <pvollan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/accessibility/accessibility-crash-setattribute-expected.txt
    A LayoutTests/accessibility/accessibility-crash-setattribute.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/accessibility/AccessibilityRenderObject.cpp

  Log Message:
  -----------
  Merge r215971 - Crash under WebCore::AccessibilityRenderObject::handleAriaExpandedChanged().
https://bugs.webkit.org/show_bug.cgi?id=171427
Source/WebCore:

rdar://problem/31863417

Reviewed by Brent Fulgham.

The AccessibilityRenderObject object might delete itself in handleAriaExpandedChanged() under the call
to the parentObject() method. This will cause a crash when accessing the object later in this method.
Protect the current object while executing arbitrary event code.

Test: accessibility/accessibility-crash-setattribute.html

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::handleAriaExpandedChanged):

LayoutTests:

Reviewed by Brent Fulgham.

* accessibility/accessibility-crash-setattribute-expected.txt: Added.
* accessibility/accessibility-crash-setattribute.html: Added.


  Commit: 414358cc50617210ead9534456aa372f3fb2cee7
      https://github.com/WebKit/WebKit/commit/414358cc50617210ead9534456aa372f3fb2cee7
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/text/simple-line-layout-glyph-overflows-line-expected.html
    A LayoutTests/fast/text/simple-line-layout-glyph-overflows-line.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/SimpleLineLayout.cpp

  Log Message:
  -----------
  Merge r215976 - iBooks text can overlap, sometimes columns are shifted splitting words.
https://bugs.webkit.org/show_bug.cgi?id=171472
<rdar://problem/31096037>

Reviewed by Antti Koivisto.

Source/WebCore:

Instead of just checking if the glyph is taller than the line, we need to ensure that both the
ascent and the descent have enough space (this is for -webkit-line-box-contain: glyph).

Test: fast/text/simple-line-layout-glyph-overflows-line.html

* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::canUseForText): compute the available space for the ascent/descent
and check them against the ceil-ed (see FontCascade::floatWidthForSimpleText) glyph min/max y.

LayoutTests:

* fast/text/simple-line-layout-glyph-overflows-line-expected.html: Added.
* fast/text/simple-line-layout-glyph-overflows-line.html: Added.


  Commit: 91bc40ccf662277a720165d525df79302b9080eb
      https://github.com/WebKit/WebKit/commit/91bc40ccf662277a720165d525df79302b9080eb
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/domparser-parsefromstring-svg-load-event-expected.txt
    A LayoutTests/fast/dom/domparser-parsefromstring-svg-load-event.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Merge r216023 - Do not dispatch SVG load event in frameless documents
https://bugs.webkit.org/show_bug.cgi?id=171505
<rdar://problem/31799776>

Reviewed by Andreas Kling.

Source/WebCore:

We should not dispatch SVG load events in frameless documents. <https://trac.webkit.org/changeset/173028/webkit>
took care of most load events but forgot the SVG load event.

Test: fast/dom/domparser-parsefromstring-svg-load-event.html

* dom/Document.cpp:
(WebCore::Document::implicitClose):

LayoutTests:

Add layout test coverage. I have verified that this test passes on both Firefox and Chrome.

* fast/dom/domparser-parsefromstring-svg-load-event-expected.txt: Added.
* fast/dom/domparser-parsefromstring-svg-load-event.html: Added.


  Commit: 71f2a31999266ed6b27470ae995f95f9b689dd54
      https://github.com/WebKit/WebKit/commit/71f2a31999266ed6b27470ae995f95f9b689dd54
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/domparser-parsefromstring-origin-expected.txt
    A LayoutTests/fast/dom/domparser-parsefromstring-origin.html
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/DOMParser-parseFromString-html-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/domparsing/DOMParser-parseFromString-xml-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/xml/DOMParser.cpp

  Log Message:
  -----------
  Merge r216046 - Documents created using DOMParser.parseFromString should inherit their context document's origin / URL
https://bugs.webkit.org/show_bug.cgi?id=171499

Reviewed by Sam Weinig.

LayoutTests/imported/w3c:

Rebaseline web-platform-tests now that more checks are passing.

* web-platform-tests/domparsing/DOMParser-parseFromString-html-expected.txt:
* web-platform-tests/domparsing/DOMParser-parseFromString-xml-expected.txt:

Source/WebCore:

Documents created using DOMParser.parseFromString should inherit their context document's
origin / URL:
- https://w3c.github.io/DOM-Parsing/#dom-domparser-parsefromstring

Test: fast/dom/domparser-parsefromstring-origin.html

* xml/DOMParser.cpp:
(WebCore::DOMParser::parseFromString):

LayoutTests:

Add layout test coverage. I have verified that this test passes in both Firefox and Chrome.

* fast/dom/domparser-parsefromstring-origin-expected.txt: Added.
* fast/dom/domparser-parsefromstring-origin.html: Added.


  Commit: 0d4b9b1ef7b0252e202ebc899daf7b92dbc70dc2
      https://github.com/WebKit/WebKit/commit/0d4b9b1ef7b0252e202ebc899daf7b92dbc70dc2
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp

  Log Message:
  -----------
  Merge r216065 - [GTK] Crash at WebCore::ResourceHandle::clearClient() when streaming live video from dailymotion
https://bugs.webkit.org/show_bug.cgi?id=169725

Reviewed by Michael Catanzaro.

Make ResourceHandleStreamingClient refcounted and add an invalidate method to do the cleanup in the networking
thread while keeping a reference.

* platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
(webKitWebSrcStop): Call invalidate before resetting client pointer.
(webKitWebSrcStart): Ditto.
(ResourceHandleStreamingClient::ResourceHandleStreamingClient): Remove all cleanup code after the run loop run call.
(ResourceHandleStreamingClient::~ResourceHandleStreamingClient): Just detach the thread.
(ResourceHandleStreamingClient::invalidate): Schedule a task on the networking thread to clean up and finish the
run loop, protecting this.
(ResourceHandleStreamingClient::setDefersLoading): Protect this.
(ResourceHandleStreamingClient::didReceiveResponse): Do nothing if client was invalidated.
(ResourceHandleStreamingClient::didReceiveBuffer): Ditto.
(ResourceHandleStreamingClient::didFinishLoading): Ditto.


  Commit: a5a62f3c090aaa54d7e7560f1db5cd5441c73f7a
      https://github.com/WebKit/WebKit/commit/a5a62f3c090aaa54d7e7560f1db5cd5441c73f7a
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp

  Log Message:
  -----------
  Merge r216067 - [GStreamer] Dailymotion live stream videos don't play
https://bugs.webkit.org/show_bug.cgi?id=170767

Reviewed by Sergio Villar Senin.

The video shows a message saying that an error occurred and nothing is played. There are actually several
problems with dailymotion. The main issue is that URLs are redirected by the server, and GStreamer needs to
know the redirected URL. Once GStreamer knows the redirected URL the error message no longer appears, the video
starts but it always stops after a few seconds. This is because the source receives an early EOS while still
downloading the fragments. The reason for the early EOS is that dailymotion sends a wrong Content-Length header,
something that is expected to happen and we correctly handle that case when receiving the data, by updating the
size accordingly if the bytes received are longer than the expected content length. This particular case
doesn't work well with GStreamer automatic EOS handling, which is the default. At some point, GStreamer detects
that the bytes received are at least the expected ones and emits a GST_EVENT_EOS that the GstUriDownloader
handles finishing the download early. We should always disable automatic EOS, since we know when EOS actually
happens and we already call gst_app_src_end_of_stream(). This patch also emits a GST_EVENT_CUSTOM_DOWNSTREAM_STICKY
event to let GStreamer know about the HTTP headers sent and received.

* platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
(webkit_web_src_init): Disable automatic EOS.
(webKitWebSrcGetProperty): Return the redirected URL in case of redirection.
(webKitWebSrcStart): Pass the ResourceRequest to the stream clients.
(webKitWebSrcQueryWithParent): Set the redirected URL in the query in case of redirection.
(webKitWebSrcSetUri): Clear also the redirected URL when setting a new URI.
(StreamingClient::StreamingClient): Use GRefPtr for the source and initialize the request too.
(StreamingClient::~StreamingClient): Remove explicit unref.
(StreamingClient::createReadBuffer):
(StreamingClient::handleResponseReceived): Initialize the redirected URL in case of redirection. Create and push
the HTTP headers event.
(StreamingClient::handleDataReceived):
(StreamingClient::handleNotifyFinished):
(CachedResourceStreamingClient::CachedResourceStreamingClient):
(CachedResourceStreamingClient::responseReceived):
(CachedResourceStreamingClient::accessControlCheckFailed):
(CachedResourceStreamingClient::loadFailed):
(ResourceHandleStreamingClient::ResourceHandleStreamingClient):
(ResourceHandleStreamingClient::didFail):
(ResourceHandleStreamingClient::wasBlocked):
(ResourceHandleStreamingClient::cannotShowURL):


  Commit: ea2835172d1ed5220bd23255b53615af6c06fb75
      https://github.com/WebKit/WebKit/commit/ea2835172d1ed5220bd23255b53615af6c06fb75
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt
    A LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/FrameLoader.cpp

  Log Message:
  -----------
  Merge r216120 - Abandon the current load once the provisional loader detaches from the frame
https://bugs.webkit.org/show_bug.cgi?id=171577
<rdar://problem/31581227>

Source/WebCore:

Reviewed by Brent Fulgham and Brady Eidson.

We detach all child frames as part of setting our document loader to the provisional
document loader when committing a load for a frame. Detaching child frames invokes
the unload event handler on the child frames that can run arbitrary JavaScript script.
Among other things, such script can initiate a new load in the frame whose current
load is being committed. We should stop processing the current load as soon as we
detect that updating our document loader has started a new provisional load.

Test: fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::transitionToCommitted):

LayoutTests:

Reviewed by Brent Fulgham.

* fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt: Added.
* fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html: Added.


  Commit: 25581ccf7808b4b4a33dd59b83cc647b0df9eeca
      https://github.com/WebKit/WebKit/commit/25581ccf7808b4b4a33dd59b83cc647b0df9eeca
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/TestExpectations
    M LayoutTests/fast/history/page-cache-after-window-open-expected.txt
    M LayoutTests/fast/history/page-cache-after-window-open.html
    M LayoutTests/fast/history/page-cache-with-opener-expected.txt
    M LayoutTests/fast/history/page-cache-with-opener.html
    M LayoutTests/fast/history/resources/page-cache-window-with-opener.html
    A LayoutTests/http/tests/security/xss-DENIED-click-and-form-submission-from-inactive-domwindow-expected.txt
    A LayoutTests/http/tests/security/xss-DENIED-click-and-form-submission-from-inactive-domwindow.html
    A LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window-expected.txt
    A LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window.html
    A LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window2-expected.txt
    A LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window2.html
    A LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window3-expected.txt
    A LayoutTests/http/tests/security/xss-DENIED-script-inject-into-inactive-window3.html

  Log Message:
  -----------
  Merge r216126 - Detach frame from document when entering page cache
https://bugs.webkit.org/show_bug.cgi?id=166774
<rdar://problem/29904368>

Reviewed by Chris Dumez.

* TestExpectations: Unskip tests.
* fast/history/page-cache-after-window-open-expected.txt: Update expected result.
* fast/history/page-cache-after-window-open.html: Ditto.
* fast/history/page-cache-with-opener-expected.txt: Ditto.
* fast/history/page-cache-with-opener.html: Update test given its new expected behavior.
* fast/history/resources/page-cache-window-with-opener.html: Ditto.
* http/tests/security/xss-DENIED-click-and-form-submission-from-inactive-domwindow-expected.txt: Added.
* http/tests/security/xss-DENIED-click-and-form-submission-from-inactive-domwindow.html: Added.
* http/tests/security/xss-DENIED-script-inject-into-inactive-window-expected.txt: Added.
* http/tests/security/xss-DENIED-script-inject-into-inactive-window.html: Added.
* http/tests/security/xss-DENIED-script-inject-into-inactive-window2-expected.txt: Added.
* http/tests/security/xss-DENIED-script-inject-into-inactive-window2.html: Added.
* http/tests/security/xss-DENIED-script-inject-into-inactive-window3-expected.txt: Added.
* http/tests/security/xss-DENIED-script-inject-into-inactive-window3.html: Added.


  Commit: b31216c8abd621260b33e447fad9eb38d5c9defd
      https://github.com/WebKit/WebKit/commit/b31216c8abd621260b33e447fad9eb38d5c9defd
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderObject.h
    M Source/WebCore/rendering/RenderSearchField.h

  Log Message:
  -----------
  Merge r216131 - RenderSearchField should not use isTextField() in SPECIALIZE_TYPE_TRAITS_RENDER_OBJECT
https://bugs.webkit.org/show_bug.cgi?id=171608

Reviewed by Simon Fraser.

isTextField() is true for any generic single line text control.

* rendering/RenderObject.h:
(WebCore::RenderObject::isSearchField):
* rendering/RenderSearchField.h:


  Commit: 4e67b162f4e7739f7874b99c440dda27fad1a479
      https://github.com/WebKit/WebKit/commit/4e67b162f4e7739f7874b99c440dda27fad1a479
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/UserAgentQuirks.cpp
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/UserAgentQuirks.cpp

  Log Message:
  -----------
  Merge r216139 - YouTube user agent quirk breaks new YouTube
https://bugs.webkit.org/show_bug.cgi?id=171603

Reviewed by Carlos Garcia Campos.

Source/WebCore:

Our user agent quirk to make YouTube 360 work breaks the new YouTube UI, causing it to
attempt to use the obsolete custom elements v0 API. WebKit only supports the v1 API. We
have to remove this quirk.

Note this does not affect Safari as Apple ports don't use our user agent quirks.

* platform/UserAgentQuirks.cpp:
(WebCore::urlRequiresChromeBrowser):

Tools:

Remove the YouTube quirk test.

* TestWebKitAPI/Tests/WebCore/UserAgentQuirks.cpp:
(TestWebKitAPI::TEST):


  Commit: 3e86097dcd2afd4d23cf2268bbf8e98191be1b60
      https://github.com/WebKit/WebKit/commit/3e86097dcd2afd4d23cf2268bbf8e98191be1b60
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/UserAgentQuirks.cpp

  Log Message:
  -----------
  Merge r216343 - [GTK] Cannot sign in with new Google sign-in page
https://bugs.webkit.org/show_bug.cgi?id=171770

Reviewed by Carlos Garcia Campos.

Google's new authentication page does not work with the Firefox user
agent that's required to make various Google websites work. Special-case
accounts.google.com so that it receives our standard user agent.

* platform/UserAgentQuirks.cpp:
(WebCore::isGoogle):
(WebCore::urlRequiresFirefoxBrowser):


  Commit: 6d4b55883cb4f12f3717601fa792772f018e9d62
      https://github.com/WebKit/WebKit/commit/6d4b55883cb4f12f3717601fa792772f018e9d62
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/UserAgentQuirks.cpp

  Log Message:
  -----------
  Merge r216350 - [GTK] Cannot sign in with new Google sign-in page
https://bugs.webkit.org/show_bug.cgi?id=171770

Unreviewed. This just adds a test.

* TestWebKitAPI/Tests/WebCore/UserAgentQuirks.cpp:
(TestWebKitAPI::TEST):


  Commit: 37f983b15f481611a55dfb757babe5f675228e47
      https://github.com/WebKit/WebKit/commit/37f983b15f481611a55dfb757babe5f675228e47
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/forms/change-input-type-and-submit-form-crash-expected.txt
    A LayoutTests/fast/forms/change-input-type-and-submit-form-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/SearchInputType.cpp

  Log Message:
  -----------
  Merge r216159 - SearchInputType could end up with a mismatched renderer.
https://bugs.webkit.org/show_bug.cgi?id=171547
<rdar://problem/31935047>

Reviewed by Antti Koivisto.

Source/WebCore:

Normally we've got the correct renderer by the time we call into SearchInputType.
However, since HTMLInputElement::updateType() eagerly updates the type while the associated renderers are done lazily
(so we don't get them updated until after the next tree update), we could actually end up
with a mismatched renderer (e.g. through form submission).

Test: fast/forms/change-input-type-and-submit-form-crash.html

* html/SearchInputType.cpp:
(WebCore::SearchInputType::addSearchResult):
(WebCore::SearchInputType::didSetValueByUserEdit):

LayoutTests:

* fast/forms/change-input-type-and-submit-form-crash-expected.txt: Added.
* fast/forms/change-input-type-and-submit-form-crash.html: Added.


  Commit: e3988e3dc4dcb89e905944a0dabb17fe82f71258
      https://github.com/WebKit/WebKit/commit/e3988e3dc4dcb89e905944a0dabb17fe82f71258
  Author: Konstantin Tokarev <annulen at yandex.ru>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/JavaScriptCore/API/JSStringRef.cpp
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/DateConversion.cpp
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Shared/API/c/WKString.cpp
    M Tools/ChangeLog
    M Tools/TestRunnerShared/UIScriptContext/UIScriptContext.cpp

  Log Message:
  -----------
  Merge r216187 - Fix compilation with ICU 59.1
https://bugs.webkit.org/show_bug.cgi?id=171612

Reviewed by Mark Lam.

ICU 59.1 has broken source compatibility. Now it defines UChar as
char16_t, which does not allow automatic type conversion from unsigned
short in C++ code.

Source/JavaScriptCore:

* API/JSStringRef.cpp:
(JSStringCreateWithCharacters):
(JSStringCreateWithCharactersNoCopy):
(JSStringGetCharactersPtr):
* runtime/DateConversion.cpp:
(JSC::formatDateTime):

Source/WebKit2:

* Shared/API/c/WKString.cpp:
(WKStringGetCharacters):

Tools:

* TestRunnerShared/UIScriptContext/UIScriptContext.cpp:
(UIScriptContext::tryToCompleteUIScriptForCurrentParentCallback):


  Commit: c552c9874b99af22f41ccffe9182aa8b581ae4a2
      https://github.com/WebKit/WebKit/commit/c552c9874b99af22f41ccffe9182aa8b581ae4a2
  Author: David Hyatt <hyatt at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/css/variables/calc-float-to-int-expected.html
    A LayoutTests/fast/css/variables/calc-float-to-int.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/CSSCalculationValue.cpp

  Log Message:
  -----------
  Merge r216188 - REGRESSION(STP): rgb() with calc() containing variables doesn't work
https://bugs.webkit.org/show_bug.cgi?id=169939

Reviewed by Zalan Bujtas.

Source/WebCore:

Added new test in fast/css/variables.

* css/CSSCalculationValue.cpp:
(WebCore::CSSCalcExpressionNodeParser::parseValue):
Treat floats in calcs as integers when we can.

LayoutTests:

* fast/css/variables/calc-float-to-int-expected.html: Added.
* fast/css/variables/calc-float-to-int.html: Added.


  Commit: 1f94651ec8233238efd83490be43040301c18559
      https://github.com/WebKit/WebKit/commit/1f94651ec8233238efd83490be43040301c18559
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/FrameView.cpp

  Log Message:
  -----------
  Merge r216196 - Should never hit layout while updating the render tree.
https://bugs.webkit.org/show_bug.cgi?id=171643

Reviewed by Antti Koivisto.

Laying out a half-baked render tree is not a great idea. Especially considering
that layout (sadly) can mutate the render tree.

* page/FrameView.cpp:
(WebCore::FrameView::layout):


  Commit: 4cb53dbdacf809fe362300b73bf19b7562a87c54
      https://github.com/WebKit/WebKit/commit/4cb53dbdacf809fe362300b73bf19b7562a87c54
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/transitions/transition-unknown-property-ignore-expected.txt
    A LayoutTests/transitions/transition-unknown-property-ignore.html
    M LayoutTests/transitions/transitions-parsing-expected.txt
    M LayoutTests/transitions/transitions-parsing.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/CSSComputedStyleDeclaration.cpp
    M Source/WebCore/css/CSSToStyleMap.cpp
    M Source/WebCore/page/animation/CompositeAnimation.cpp
    M Source/WebCore/platform/animation/Animation.h

  Log Message:
  -----------
  Merge r216204 - REGRESSION (Safari 10.1): When 'transition' contains -ms-transform, transform-origin is also transitioned
https://bugs.webkit.org/show_bug.cgi?id=171250
<rdar://problem/31827243>

Reviewed by Geoffrey Garen.

Source/WebCore:

We were mapping unknown properties to 'all' animation. With this patch we ignore them instead.
The patch also implements roundtripping of unknown properties via CSSOM, matching Blink and Gecko.

Test: transitions/transition-unknown-property-ignore.html

* css/CSSComputedStyleDeclaration.cpp:
(WebCore::createTransitionPropertyValue):

    Return the correct name for unknown properties.

* css/CSSToStyleMap.cpp:
(WebCore::CSSToStyleMap::mapAnimationProperty):

    Map any unknown property to AnimateUnknownProperty mode instead of falling back to the default of AnimateAll.
    Save the unknown property name so we can roundtrip it properly.

* page/animation/CompositeAnimation.cpp:
(WebCore::CompositeAnimation::updateTransitions):

    Ignore AnimateUnknownProperty like AnimateNone.

* platform/animation/Animation.h:
(WebCore::Animation::unknownProperty):
(WebCore::Animation::setUnknownProperty):

LayoutTests:

* transitions/transition-unknown-property-ignore-expected.txt: Added.
* transitions/transition-unknown-property-ignore.html: Added.
* transitions/transitions-parsing-expected.txt:
* transitions/transitions-parsing.html:

    Update the roundtrip expectations for unknown properties. The new results match Blink and Gecko.


  Commit: 4c9c567b461d5d612afbf8bfac847d5892524d40
      https://github.com/WebKit/WebKit/commit/4c9c567b461d5d612afbf8bfac847d5892524d40
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp

  Log Message:
  -----------
  Merge r216239 - [GStreamer] Fix handling of gst errors in MediaPlayerPrivateGStreamer::handleMessage
https://bugs.webkit.org/show_bug.cgi?id=171721

Reviewed by Xabier Rodriguez-Calvar.

We are checking the GError only comparing the code, and ignoring the domain in some cases. Use g_error_matches()
in those cases instead of only checking the code.

* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::handleMessage):


  Commit: 4953c9df58b953723091e7de508c149327f4c67a
      https://github.com/WebKit/WebKit/commit/4953c9df58b953723091e7de508c149327f4c67a
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp

  Log Message:
  -----------
  Merge r216240 - [GStreamer] Do not report more errors after the first one
https://bugs.webkit.org/show_bug.cgi?id=171722

Reviewed by Xabier Rodriguez-Calvar.

We can receive several error messages for the same error from different elements. That's not expected by the
media source selection algorithm implementation. I don't know if it didn't happen with previous versions of GST,
but since the upgrade to 1.10.4 several tests are failing because of this.

Fixes: media/video-error-does-not-exist.html
       media/video-load-networkState.html
       media/video-source-error.html
       media/video-source-none-supported.html
       media/video-source-moved.html

* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::handleMessage): Return early also when an error already occurred.


  Commit: cb5a369f3da01943e507014a4438ddfd7ce98aff
      https://github.com/WebKit/WebKit/commit/cb5a369f3da01943e507014a4438ddfd7ce98aff
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Tools/ChangeLog
    M Tools/WebKitTestRunner/gtk/TestControllerGtk.cpp

  Log Message:
  -----------
  Merge r216241 - [GTK] TestController timeout source callback should return G_SOURCE_REMOVE
https://bugs.webkit.org/show_bug.cgi?id=171724

Reviewed by Michael Catanzaro.

It's currently returning CONTINUE which causes it to be called again even if the run loop has been stopped.

* WebKitTestRunner/gtk/TestControllerGtk.cpp:
(WTR::timeoutSource):


  Commit: f4a1e80eccb4ebc671fe76a40988a1fa4e79780b
      https://github.com/WebKit/WebKit/commit/f4a1e80eccb4ebc671fe76a40988a1fa4e79780b
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/Modules/indexeddb/IDBRequest.cpp
    M Tools/ChangeLog
    M Tools/DumpRenderTree/TestRunner.cpp

  Log Message:
  -----------
  Merge r216246 - DRT's setAudioResultCallback() and IDBRequest::setResult() need to acquire the JSLock.
https://bugs.webkit.org/show_bug.cgi?id=171716
<rdar://problem/30878027>

Reviewed by Saam Barati.

Source/WebCore:

No new tests.  This issue was caught by existing tests.

IDBRequest::setResult() needs to acquire the JSLock before calling toJS() (which
does JS conversion and therefore, potentially JS allocations).

* Modules/indexeddb/IDBRequest.cpp:
(WebCore::IDBRequest::setResult):
(WebCore::IDBRequest::setResultToStructuredClone):

Tools:

setAudioResultCallback() needs to acquire the JSLock before calling toJS() (which
does JS conversion and therefore, potentially JS allocations) and accessing
methods of internal JS data structures (which may do JS invocation, etc).

* DumpRenderTree/TestRunner.cpp:
(setAudioResultCallback):


  Commit: 375271aa300c62714c4d04a1863fdc77023f97a6
      https://github.com/WebKit/WebKit/commit/375271aa300c62714c4d04a1863fdc77023f97a6
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/FrameLoader.cpp

  Log Message:
  -----------
  Merge r216253 - ASSERTION FAILED: !frame().document()->inRenderTreeUpdate() in WebCore::FrameView::layout(bool)
https://bugs.webkit.org/show_bug.cgi?id=171717

Reviewed by Brent Fulgham.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::checkCompleted):

    Don't allow frame load to complete in the middle of a render tree update. Instead delay the check.


  Commit: d6a48df183d152c02305852ea8e679afcf07a83b
      https://github.com/WebKit/WebKit/commit/d6a48df183d152c02305852ea8e679afcf07a83b
  Author: Dean Jackson <dino at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/http/tests/css/filters-on-iframes-expected.html
    A LayoutTests/http/tests/css/filters-on-iframes.html
    A LayoutTests/http/tests/css/resources/blank.html
    A LayoutTests/http/tests/css/resources/references-external.html
    A LayoutTests/http/tests/css/resources/solid-red.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/FrameView.cpp
    M Source/WebCore/page/FrameView.h
    M Source/WebCore/platform/ScrollView.cpp
    M Source/WebCore/platform/ScrollView.h
    M Source/WebCore/platform/Scrollbar.cpp
    M Source/WebCore/platform/Scrollbar.h
    M Source/WebCore/platform/Widget.h
    M Source/WebCore/platform/graphics/filters/FilterOperation.h
    M Source/WebCore/platform/graphics/filters/FilterOperations.cpp
    M Source/WebCore/platform/graphics/filters/FilterOperations.h
    M Source/WebCore/platform/gtk/WidgetGtk.cpp
    M Source/WebCore/platform/mac/WidgetMac.mm
    M Source/WebCore/platform/win/WidgetWin.cpp
    M Source/WebCore/rendering/FilterEffectRenderer.cpp
    M Source/WebCore/rendering/FilterEffectRenderer.h
    M Source/WebCore/rendering/PaintInfo.h
    M Source/WebCore/rendering/RenderLayer.cpp
    M Source/WebCore/rendering/RenderLayer.h
    M Source/WebCore/rendering/RenderScrollbar.cpp
    M Source/WebCore/rendering/RenderScrollbar.h
    M Source/WebCore/rendering/RenderWidget.cpp
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/Plugins/PluginView.cpp
    M Source/WebKit2/WebProcess/Plugins/PluginView.h

  Log Message:
  -----------
  Merge r216294 - Restrict SVG filters to accessible security origins
https://bugs.webkit.org/show_bug.cgi?id=118689
<rdar://problem/27362159>

Reviewed by Brent Fulgham.

Source/WebCore:

Certain SVG filters should only be allowed to operate
on content that it has SecurityOrigin access to. Implement
this by including a flag in PaintInfo and LayerPaintingInfo,
and have RenderWidget make sure the documents have acceptable
SecurityOrigins as it goes to paint.

This could be used as the first step in a "safe painting"
strategy, allowing some content to be rendered into a
canvas or via the element() CSS function... but it is only
a small first step.

Test: http/tests/css/filters-on-iframes.html

* page/FrameView.cpp:
(WebCore::FrameView::paintContents):
* page/FrameView.h:
* platform/ScrollView.cpp:
(WebCore::ScrollView::paint):
* platform/ScrollView.h:
* platform/Scrollbar.cpp:
(WebCore::Scrollbar::paint):
* platform/Scrollbar.h:
* platform/Widget.h:
* platform/graphics/filters/FilterOperation.h:
(WebCore::FilterOperation::shouldBeRestrictedBySecurityOrigin):
* platform/graphics/filters/FilterOperations.cpp:
(WebCore::FilterOperations::hasFilterThatShouldBeRestrictedBySecurityOrigin):
* platform/graphics/filters/FilterOperations.h:
* platform/mac/WidgetMac.mm:
(WebCore::Widget::paint):
* rendering/FilterEffectRenderer.cpp:
(WebCore::FilterEffectRenderer::build):
* rendering/FilterEffectRenderer.h:
* rendering/PaintInfo.h:
(WebCore::PaintInfo::PaintInfo):
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::paint):
(WebCore::RenderLayer::setupFilters):
(WebCore::RenderLayer::paintForegroundForFragmentsWithPhase):
* rendering/RenderLayer.h:
* rendering/RenderScrollbar.cpp:
(WebCore::RenderScrollbar::paint):
* rendering/RenderScrollbar.h:
* rendering/RenderWidget.cpp:
(WebCore::RenderWidget::paintContents):

Source/WebKit2:

Update parameter lists.

* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::paint):
* WebProcess/Plugins/PluginView.h:

LayoutTests:

Add a test that shows safe frames, unsafe frames, and
then a safe frame that itself has an unsafe frame, to
show that the security requirements are being forwarded
down the tree.

* http/tests/css/filters-on-iframes-expected.html: Added.
* http/tests/css/filters-on-iframes.html: Added.
* http/tests/css/resources/blank.html: Added.
* http/tests/css/resources/references-external.html: Added.
* http/tests/css/resources/solid-red.html: Added.


  Commit: 8e7c70e0476a91db5dcfb8d034b85c9f1943112a
      https://github.com/WebKit/WebKit/commit/8e7c70e0476a91db5dcfb8d034b85c9f1943112a
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/accessibility/crash-when-renderers-are-added-back-to-deferred-list-expected.txt
    A LayoutTests/accessibility/crash-when-renderers-are-added-back-to-deferred-list.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/accessibility/AXObjectCache.cpp

  Log Message:
  -----------
  Merge r216307 - Renderers being destroyed should not be added to AX's deferred list.
https://bugs.webkit.org/show_bug.cgi?id=171768
<rdar://problem/31955660>

Reviewed by Simon Fraser.

Source/WebCore:

In certain cases, when custom scrollbars are present, while destroying the scrollbars' block parent, we
  - first remove the block from the AX's deferred list (AXObjectCache::remove)
  - destroy the render layer that owns the custom scrollbars (RenderLayer::destroyLayer)
  - detach the scrollbars from the parent (block) (RenderObject::removeFromParent)
    - clean up the block's lines (RenderBlock::deleteLines)
      - push the block back to the AX's deferred list (AXObjectCache::recomputeDeferredIsIgnored)
At this point no one will remove the current block from AX's deferred list.

Test: accessibility/crash-when-renderers-are-added-back-to-deferred-list.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::recomputeDeferredIsIgnored):
(WebCore::AXObjectCache::deferTextChanged):

LayoutTests:

* accessibility/crash-when-renderers-are-added-back-to-deferred-list-expected.txt: Added.
* accessibility/crash-when-renderers-are-added-back-to-deferred-list.html: Added.


  Commit: 78abcbe11a979b3bca8468e80b0b42d000948c18
      https://github.com/WebKit/WebKit/commit/78abcbe11a979b3bca8468e80b0b42d000948c18
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/platform/gtk/TestExpectations

  Log Message:
  -----------
  Unreviewed. Skip hls tests crashing with GST 1.8.

* platform/gtk/TestExpectations:


  Commit: 997944af28b507fe50b3f0597af5562b5bb1caa4
      https://github.com/WebKit/WebKit/commit/997944af28b507fe50b3f0597af5562b5bb1caa4
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/platform/gtk/fast/repaint/mutate-non-visible-expected.txt

  Log Message:
  -----------
  Unreviewed GTK+ gardening. Rebaseline fast/repaint/mutate-non-visible.html.

* platform/gtk/fast/repaint/mutate-non-visible-expected.txt: Added.


  Commit: 96dd6e9f72ccabf1abc4bfd550e0a20182ae82b0
      https://github.com/WebKit/WebKit/commit/96dd6e9f72ccabf1abc4bfd550e0a20182ae82b0
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestUIClient.cpp

  Log Message:
  -----------
  Merge r216423 - Unreviewed. Fix GTK+ test /webkit2/WebKitWebView/javascript-dialogs after r215404.

Sending down+up keys is no longer enough to simulate a real user interaction after r215404, the key events now
should be handled by the web process to be considered a user interaction. So, add an input to the HTML and send
characters to the input. Also fix typo in the function name.

* TestWebKitAPI/Tests/WebKit2Gtk/TestUIClient.cpp:
(testWebViewJavaScriptDialogs):


  Commit: 96d755842530267f863cb2f5ad00d6b34dd8c237
      https://github.com/WebKit/WebKit/commit/96d755842530267f863cb2f5ad00d6b34dd8c237
  Author: Guilherme Iscaro <iscaro at profusion.mobi>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/offlineasm/arm.rb

  Log Message:
  -----------
  Merge r214969 - Do not use BLX for immediates (ARM-32)

https://bugs.webkit.org/show_bug.cgi?id=170351

Patch by Guilherme Iscaro <iscaro at profusion.mobi> on 2017-04-05
Reviewed by Mark Lam.

Currently the offline asm generator for 32-bit ARM code translates the
'call' meta-instruction (which may be found in LowLevelInterpreter.asm
and friends) to the ARM's BLX instruction. The BLX instruction may be
used for labels (immediates) and registers and one side effect of BLX
is that it may switch the processor's instruction set.
A 'BLX register' instruction will change/remain the processor state to
ARM if the register_bit[0] is set to 0 or change/remain to Thumb if
register_bit[0] is set to 1. However, a 'BLX label' instruction will
always switch the processor state. It switches ARM to thumb and vice-versa.
This behaviour is unwanted, since the C++ code and the offlineasm generated code
are both compiled using the same instruction set, thus an instruction
set change will likely produce a crash. In order to fix the problem the
BL instruction can be used for labels. It will branch just like BLX,
but it won't change the instruction set. It's important to note that
Darwin is not affected by this problem, thus to minimize the impact of
this change the BL instruction will only be used on non-darwin targets.

BLX reference: http://infocenter.arm.com/help/topic/com.arm.doc.dui0489i/CIHBJCDC.html?resultof=%22%62%6c%78%22%20

* offlineasm/arm.rb:


  Commit: 871cbd8387027b094530a470e411a31d020ef311
      https://github.com/WebKit/WebKit/commit/871cbd8387027b094530a470e411a31d020ef311
  Author: Konstantin Tokarev <annulen at yandex.ru>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M ChangeLog
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/CMakeLists.txt
    M Source/WebCore/ChangeLog
    M Source/cmake/WebKitMacros.cmake

  Log Message:
  -----------
  Merge r215614 - [cmake] WTF target should not have wtf and subdirectories in public interface
https://bugs.webkit.org/show_bug.cgi?id=171115

Reviewed by Michael Catanzaro.

In r209665 the WEBCORE_FRAMEWORK macro started to export INCLUDE_DIRECTORIES of
targets as their public interface, so that linked targets can use them
implicitly without copying directory lists around. This matches existing
practice for all targets except WTF, headers from which are always included
with full path starting from "<wtf/...".

Since r209665 it became possible to include headers from wtf or its
subdirectories in CMake builds without using "<wtf/..." path. It should
not be allowed.

.:

* Source/cmake/WebKitMacros.cmake: Support xxx_PRIVATE_HEADERS
CMake variables.

Source/WebCore:

* platform/graphics/texmap/coordinated/TiledBackingStore.cpp: Fix
incorrect include of WTF header.

Source/WTF:

* wtf/CMakeLists.txt: WTF/wtf and its subdirectories should not be in
public include paths of WTF target.


  Commit: 81a7aaf7ae19b7a169d507887092f7fc9f5d39fa
      https://github.com/WebKit/WebKit/commit/81a7aaf7ae19b7a169d507887092f7fc9f5d39fa
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-05-08 (Mon, 08 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/html/details-flow-thread-expected.txt
    A LayoutTests/fast/html/details-flow-thread.html
    M LayoutTests/fast/shadow-dom/composed-tree-slots-expected.txt
    M LayoutTests/fast/shadow-dom/composed-tree-slots.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/ComposedTreeIterator.cpp

  Log Message:
  -----------
  Merge r216431 - ComposedTreeIterator does not traverse all slotted children if the traversal root is a slot element.
https://bugs.webkit.org/show_bug.cgi?id=171375
<rdar://problem/31863184>

Reviewed by Zalan Bujtas.

Source/WebCore:

We were hitting an assert when using details element with a flow thread. The root cause for this turned
out to be that we only traversed the first slotted child if the traversal root was a slot element.

Test: fast/html/details-flow-thread.html

* dom/ComposedTreeIterator.cpp:
(WebCore::ComposedTreeIterator::traverseNextLeavingContext):

    Try to traverse to the next slotted child before testing if we are at the end of the current context.

LayoutTests:

* fast/html/details-flow-thread-expected.txt: Added.
* fast/html/details-flow-thread.html: Added.
* fast/shadow-dom/composed-tree-slots-expected.txt:
* fast/shadow-dom/composed-tree-slots.html:

    Expand the test so it also prints out slot subtrees using slots as traversal roots.


  Commit: 60dfa9246976a7cd7e35a843b2cae3f22c36f365
      https://github.com/WebKit/WebKit/commit/60dfa9246976a7cd7e35a843b2cae3f22c36f365
  Author: Jiewen Tan <jiewen_tan at apple.com>
  Date:   2017-05-09 (Tue, 09 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/forms/search/search-incremental-crash-expected.txt
    A LayoutTests/fast/forms/search/search-incremental-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/SearchInputType.cpp

  Log Message:
  -----------
  Merge r216443 - Search events should not fire synchronously for search type input elements with incremental attribute set
https://bugs.webkit.org/show_bug.cgi?id=171376
<rdar://problem/31863296>

Reviewed by Chris Dumez.

Source/WebCore:

For some reason, we fire search events immediately for search type input elements with incremental
attribute set only when the length of the input equals zero. This behaviour should be prevented,
as event listeners in the middle might perform unexpectedly.

Test: fast/forms/search/search-incremental-crash.html

* html/SearchInputType.cpp:
(WebCore::SearchInputType::startSearchEventTimer):

LayoutTests:

* fast/forms/search/search-incremental-crash-expected.txt: Added.
* fast/forms/search/search-incremental-crash.html: Added.


  Commit: 1ccdafb2ffe70dce7160cf0efbdc28f26a83ba69
      https://github.com/WebKit/WebKit/commit/1ccdafb2ffe70dce7160cf0efbdc28f26a83ba69
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-09 (Tue, 09 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/texmap/TextureMapperGC3DPlatformLayer.cpp
    M Source/WebCore/platform/graphics/texmap/TextureMapperGC3DPlatformLayer.h
    M Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerBuffer.h
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/gtk/HardwareAccelerationManager.cpp

  Log Message:
  -----------
  Merge r216483 - [GTK] Building Webkit2Gtk without OpenGL fails.
https://bugs.webkit.org/show_bug.cgi?id=170959

Reviewed by Žan Doberšek.

Source/WebCore:

* platform/graphics/texmap/TextureMapperGC3DPlatformLayer.cpp:
* platform/graphics/texmap/TextureMapperGC3DPlatformLayer.h:
* platform/graphics/texmap/TextureMapperPlatformLayerBuffer.h:

Source/WebKit2:

* UIProcess/gtk/HardwareAccelerationManager.cpp:
(WebKit::HardwareAccelerationManager::HardwareAccelerationManager):


  Commit: f2ebb99ce72a1cbfffb1fa8bad38089ceead60a9
      https://github.com/WebKit/WebKit/commit/f2ebb99ce72a1cbfffb1fa8bad38089ceead60a9
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-05-09 (Tue, 09 May 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.2 release.

.:

* Source/cmake/OptionsGTK.cmake: Bump version numbers.

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.16.2.


  Commit: 7ec971987ff3b1ad0f10b9fc97eac18ef340c5d9
      https://github.com/WebKit/WebKit/commit/7ec971987ff3b1ad0f10b9fc97eac18ef340c5d9
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/SimpleLineLayout.cpp

  Log Message:
  -----------
  Merge r216438 - Bail out of simple line layout when hyphen needs a fallback font.
https://bugs.webkit.org/show_bug.cgi?id=171811

Reviewed by Antti Koivisto.

When hyphen: auto is set, we don't know if the hyphen string is going to be used until
after we have started laying out the content and figured out that the text overflows the line.
However, it's too late to bail out of simple line layout at this point, so let's just
pre-check if the hyphen string needs a fallback font.

* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::canUseForStyle):


  Commit: 79b5d64ce8a069c112354342656503694887ddf3
      https://github.com/WebKit/WebKit/commit/79b5d64ce8a069c112354342656503694887ddf3
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/text/simple-line-layout-fallback-space-glyph-expected.html
    A LayoutTests/fast/text/simple-line-layout-fallback-space-glyph.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/SimpleLineLayout.cpp
    M Source/WebCore/rendering/SimpleLineLayoutTextFragmentIterator.cpp
    M Source/WebCore/rendering/SimpleLineLayoutTextFragmentIterator.h

  Log Message:
  -----------
  Merge r216440 - Text overlaps on http://www.duden.de/rechtschreibung/Acre
https://bugs.webkit.org/show_bug.cgi?id=171796
<rdar://problem/31036028>

Reviewed by Simon Fraser.

Source/WebCore:

Simple line layout pre-measures space using the primary font,
even if the space glyph requires a fallback font (and even if the string does not have a space in it at all).
When this width gets cached (see WidthCache) we might end up using it later during normal line layout and
it could produce incorrect layout.
This patch removes the space width caching from Simple line layout, since Font already caches it.

Test: fast/text/simple-line-layout-fallback-space-glyph.html

* rendering/SimpleLineLayout.cpp:
(WebCore::SimpleLineLayout::createLineRuns):
* rendering/SimpleLineLayoutTextFragmentIterator.cpp:
(WebCore::SimpleLineLayout::TextFragmentIterator::Style::Style):
(WebCore::SimpleLineLayout::TextFragmentIterator::skipToNextPosition):
(WebCore::SimpleLineLayout::TextFragmentIterator::textWidth):
* rendering/SimpleLineLayoutTextFragmentIterator.h:

LayoutTests:

* fast/text/simple-line-layout-fallback-space-glyph-expected.html: Added.
* fast/text/simple-line-layout-fallback-space-glyph.html: Added.


  Commit: 01f6144ce088ee589f563e573aa720696b49d898
      https://github.com/WebKit/WebKit/commit/01f6144ce088ee589f563e573aa720696b49d898
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/UserAgentQuirks.cpp

  Log Message:
  -----------
  Merge r216531 - Update Chrome and Firefox versions in user agent quirks
https://bugs.webkit.org/show_bug.cgi?id=171823

Reviewed by Carlos Alberto Lopez Perez.

* platform/UserAgentQuirks.cpp:
(WebCore::UserAgentQuirks::stringForQuirk):
(WebCore::UserAgentQuirks::firefoxRevisionString):


  Commit: a1c95f8500835369acf58049a28d28382768c39d
      https://github.com/WebKit/WebKit/commit/a1c95f8500835369acf58049a28d28382768c39d
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/UserAgentQuirks.cpp
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/UserAgentQuirks.cpp

  Log Message:
  -----------
  Merge r216585 - Remove user agent quirk for Slack
https://bugs.webkit.org/show_bug.cgi?id=171869

Reviewed by Carlos Garcia Campos.

Source/WebCore:

The user agent quirk for Slack does not seem to be necessary anymore. I am able to use Slack
without difficulty using our default user agent.

* platform/UserAgentQuirks.cpp:
(WebCore::urlRequiresChromeBrowser):

Tools:

Remove the corresponding test.

* TestWebKitAPI/Tests/WebCore/UserAgentQuirks.cpp:
(TestWebKitAPI::TEST):


  Commit: af54ba932043679a8ac98f9ed3476b49ba6509ea
      https://github.com/WebKit/WebKit/commit/af54ba932043679a8ac98f9ed3476b49ba6509ea
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/UserAgentQuirks.cpp
    M Source/WebCore/platform/UserAgentQuirks.h
    M Source/WebCore/platform/gtk/UserAgentGtk.cpp
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebCore/UserAgentQuirks.cpp

  Log Message:
  -----------
  Merge r217203 - [GTK] Remove Firefox user agent quirk for Google domains
https://bugs.webkit.org/show_bug.cgi?id=171941

Reviewed by Carlos Garcia Campos.

Source/WebCore:

* platform/UserAgentQuirks.cpp:
(WebCore::UserAgentQuirks::quirksForURL):
(WebCore::UserAgentQuirks::stringForQuirk):
(WebCore::urlRequiresFirefoxBrowser): Deleted.
(WebCore::UserAgentQuirks::firefoxRevisionString): Deleted.
* platform/UserAgentQuirks.h:
* platform/gtk/UserAgentGtk.cpp:
(WebCore::buildUserAgentString):

Tools:

* TestWebKitAPI/Tests/WebCore/UserAgentQuirks.cpp:
(TestWebKitAPI::TEST):
(TestWebKitAPI::assertUserAgentForURLHasFirefoxBrowserQuirk): Deleted.


  Commit: e676657f05e2e7ae1daa820824c81edf15926dcb
      https://github.com/WebKit/WebKit/commit/e676657f05e2e7ae1daa820824c81edf15926dcb
  Author: Filip Pizlo <fpizlo at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/heap/HeapInlines.h

  Log Message:
  -----------
  Merge r216547 - Heap::heap() should behave gracefully for null pointers
https://bugs.webkit.org/show_bug.cgi?id=171888
<rdar://problem/32005315>

Reviewed by Mark Lam.

Some callers of Heap::heap() can pass a null cell and they will behave gracefully if we
return a null Heap. So, let's do that.

This fixes a crash and it does not hurt performance. I'm seeing a possible 0.5% regression
with 74% probability. That's a neutral result by our usual 95% standard.

* heap/HeapInlines.h:
(JSC::Heap::heap):


  Commit: 56cefb6feea4b75fbe72f366f3f4476e96966c49
      https://github.com/WebKit/WebKit/commit/56cefb6feea4b75fbe72f366f3f4476e96966c49
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebInspectorUI/ChangeLog
    M Source/WebInspectorUI/UserInterface/Base/Main.js

  Log Message:
  -----------
  Merge r216562 - [GTK][Win] Web Inspector: Can't open "Quick Open" dialog by pressing Ctrl+Shift+O
https://bugs.webkit.org/show_bug.cgi?id=171798

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-05-09
Reviewed by Michael Catanzaro.

A PC can't input the shortcut keys Command+Shift+O and Command+P.

* UserInterface/Base/Main.js:
(WebInspector.contentLoaded): Use CommandOrControl instead of Command.


  Commit: 5b43f3b3f1a60773d7df8a24b79ce5f6e5b80c63
      https://github.com/WebKit/WebKit/commit/5b43f3b3f1a60773d7df8a24b79ce5f6e5b80c63
  Author: Claudio Saavedra <csaavedra at igalia.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/API/gtk/WebKitAuthenticationDialog.cpp

  Log Message:
  -----------
  Merge r216584 - [GTK] HTTP authentication dialog should focus on first input field
https://bugs.webkit.org/show_bug.cgi?id=151349

Reviewed by Michael Catanzaro.

Setting focus on a widget before it's mapped does nothing. Move
the call to the right place.

* UIProcess/API/gtk/WebKitAuthenticationDialog.cpp:
(webkitAuthenticationDialogInitialize):
(webkitAuthenticationDialogMap):


  Commit: 3dcc30ed807f042587c40d5579803950eaccb666
      https://github.com/WebKit/WebKit/commit/3dcc30ed807f042587c40d5579803950eaccb666
  Author: Filip Pizlo <fpizlo at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/for-in-postfix-ignored-index.js
    A JSTests/stress/for-in-postfix-index.js
    A JSTests/stress/for-in-prefix-index.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

  Log Message:
  -----------
  Merge r216593 - Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under slow_path_get_direct_pname
https://bugs.webkit.org/show_bug.cgi?id=171801

Reviewed by Michael Saboff.

JSTests:

These tests used to crash. The prefix and postfix tests cover different paths, except
postfix-ignored goes down the same path as prefix due to an optimization.

* stress/for-in-postfix-ignored-index.js: Added.
(foo):
* stress/for-in-postfix-index.js: Added.
(foo):
* stress/for-in-prefix-index.js: Added.
(foo):

Source/JavaScriptCore:

This was a goofy oversight. The for-in optimization relies on the bytecode generator
to detect when the loop's index variable gets mutated. We forgot to have the hooks for
detecting this in prefix and postfix operations (++i and i++).

* bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):


  Commit: 64e040a933abd68ca537e0529d269da3ce07bbe3
      https://github.com/WebKit/WebKit/commit/64e040a933abd68ca537e0529d269da3ce07bbe3
  Author: Andy Estes <aestes at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/http/tests/navigation/keyboard-events-during-provisional-navigation-expected.txt
    M LayoutTests/http/tests/navigation/keyboard-events-during-provisional-navigation.html
    A LayoutTests/http/tests/navigation/keyboard-events-during-provisional-subframe-navigation-expected.txt
    A LayoutTests/http/tests/navigation/keyboard-events-during-provisional-subframe-navigation.html
    M LayoutTests/http/tests/navigation/resources/keyboard-events-after-navigation.html
    M LayoutTests/http/tests/navigation/resources/keyboard-events-test.js
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/EventDispatcher.cpp
    M Source/WebCore/editing/Editor.cpp

  Log Message:
  -----------
  Merge r216599 - Keyboard input suppression should extend to subframes
https://bugs.webkit.org/show_bug.cgi?id=171880
<rdar://problem/31201793>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: http/tests/navigation/keyboard-events-during-provisional-subframe-navigation.html

* dom/EventDispatcher.cpp:
(WebCore::shouldSuppressEventDispatchInDOM): Changed to call shouldSuppressKeyboardInput()
on the main frame's loader.
* editing/Editor.cpp:
(WebCore::Editor::shouldInsertText): Ditto.

LayoutTests:

* http/tests/navigation/keyboard-events-during-provisional-navigation-expected.txt:
* http/tests/navigation/keyboard-events-during-provisional-navigation.html:
* http/tests/navigation/keyboard-events-during-provisional-subframe-navigation-expected.txt: Copied from LayoutTests/http/tests/navigation/keyboard-events-during-provisional-navigation-expected.txt.
* http/tests/navigation/keyboard-events-during-provisional-subframe-navigation.html: Copied from LayoutTests/http/tests/navigation/keyboard-events-during-provisional-navigation.html.
* http/tests/navigation/resources/keyboard-events-after-navigation.html:
* http/tests/navigation/resources/keyboard-events-test.js:
(runTest):
(waitForProvisionalNavigation.xhr.onreadystatechange):
(waitForProvisionalNavigation):


  Commit: 5819f017d992986237f6e9600ba4c00574ca478e
      https://github.com/WebKit/WebKit/commit/5819f017d992986237f6e9600ba4c00574ca478e
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/DOMSelection.cpp

  Log Message:
  -----------
  Merge r216607 - REGRESSION (r206960): Possible null pointer dereference under DOMSelection::getRangeAt()
https://bugs.webkit.org/show_bug.cgi?id=171925
<rdar://problem/29931223>

Reviewed by Wenson Hsieh.

We have evidence that selection().firstRange() can return null in DOMSelection::getRangeAt().
When this happens, we now throw an INDEX_SIZE_ERR instead of dereferencing it.

I believe this can happen if the VisibleSelection is orphaned but not none, because
rangeCount() only checks for isNone() but VisibleSelection::firstRange() can return null
if isNoneOrOrphaned().

No new tests, I do not know how to reproduce.

* page/DOMSelection.cpp:
(WebCore::DOMSelection::getRangeAt):


  Commit: 6828906f7f005696bc959a6bef059f84f002e87f
      https://github.com/WebKit/WebKit/commit/6828906f7f005696bc959a6bef059f84f002e87f
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/heap/MachineStackMarker.cpp

  Log Message:
  -----------
  Merge r216608 - Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer).
https://bugs.webkit.org/show_bug.cgi?id=160337
<rdar://problem/27611733>

Reviewed by Filip Pizlo and Geoffrey Garen.

This is a workaround for <rdar://problem/27607384>. During thread initialization,
for some target platforms, thread state is momentarily set to 0 before being
filled in with the target thread's real register values. As a result, there's
a race condition that may result in us getting a null stackPointer during a GC scan.
This issue may manifest with workqueue threads where the OS may choose to recycle
a thread for an expired task.

The workaround is simply to indicate that there's nothing to copy and return.
This is correct because we will only ever observe a null pointer during thread
initialization. Hence, by definition, there's nothing there that we need to scan
yet, and therefore, nothing that needs to be copied.

* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::tryCopyOtherThreadStack):


  Commit: 4894dc49375d55dc1d9e19144a06e3ef9aa9f9a9
      https://github.com/WebKit/WebKit/commit/4894dc49375d55dc1d9e19144a06e3ef9aa9f9a9
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/animations/animation-initial-inheritance-expected.html
    A LayoutTests/animations/animation-initial-inheritance.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderElement.cpp
    M Source/WebCore/rendering/RenderElement.h
    M Source/WebCore/style/RenderTreeUpdater.cpp
    M Source/WebCore/style/StyleTreeResolver.cpp

  Log Message:
  -----------
  Merge r216631 - REGRESSION (r207372) Visibility property is not inherited when used in an animation
https://bugs.webkit.org/show_bug.cgi?id=171883
<rdar://problem/32086550>

Reviewed by Simon Fraser.

Source/WebCore:

The problem here is that our animation code is tied to renderers. We don't have renderers during
the initial style resolution so animations are not applied yet. When constructing renderers we set
their style to the initial animated style but this step can't implement inheritance.

Normally this is invisible as the first animation frame will immediately inherit the style correctly.
However in this case the animation is discrete and the first frame is the same as the initial state.
With r207372 we optimize the descendant style change away.

This patch fixes the problem by tracking that the renderer has initial animated style and inheriting
it to descendants during next style resolution even if it doesn't change.

Test: animations/animation-initial-inheritance.html

* rendering/RenderElement.cpp:
(WebCore::RenderElement::RenderElement):
* rendering/RenderElement.h:
(WebCore::RenderElement::hasInitialAnimatedStyle):
(WebCore::RenderElement::setHasInitialAnimatedStyle):
* style/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::createRenderer):

    Set a bit on renderer indicating it has initial animated style.

* style/StyleTreeResolver.cpp:
(WebCore::Style::TreeResolver::createAnimatedElementUpdate):

    Return at least 'Inherit' for style change when updating renderer with initial animated style.

LayoutTests:

* animations/animation-initial-inheritance-expected.html: Added.
* animations/animation-initial-inheritance.html: Added.


  Commit: 3b74fce0d3e5fa48489d9512e529e2474273a5cb
      https://github.com/WebKit/WebKit/commit/3b74fce0d3e5fa48489d9512e529e2474273a5cb
  Author: Andy Estes <aestes at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/http/tests/navigation/keyboard-events-during-provisional-navigation-expected.txt
    M LayoutTests/http/tests/navigation/keyboard-events-during-provisional-subframe-navigation-expected.txt
    M LayoutTests/http/tests/navigation/resources/keyboard-events-test.js
    M LayoutTests/platform/wk2/TestExpectations
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderLayerCompositor.cpp

  Log Message:
  -----------
  Merge r216643 - REGRESSION (r167845): ASSERT(!m_renderView.needsLayout()) in svg/custom/bug79798.html
https://bugs.webkit.org/show_bug.cgi?id=132297

Reviewed by Simon Fraser.

Source/WebCore:

We don't know why m_renderView needs layout in this case, but we know that we don't need to
assert if the client hasn't set the ScrollableInnerFrameTrigger compositing trigger.

* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::requiresCompositingForScrollableFrame):

LayoutTests:

* http/tests/navigation/keyboard-events-during-provisional-navigation-expected.txt:
* http/tests/navigation/keyboard-events-during-provisional-subframe-navigation-expected.txt:
* http/tests/navigation/resources/keyboard-events-test.js:
(runTest):
* platform/ios-wk2/TestExpectations:
* platform/wk2/TestExpectations:


  Commit: b146f4ff2c56c7a68597cedaeb8531039e547fc6
      https://github.com/WebKit/WebKit/commit/b146f4ff2c56c7a68597cedaeb8531039e547fc6
  Author: Claudio Saavedra <csaavedra at igalia.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/API/gtk/WebKitWebView.cpp

  Log Message:
  -----------
  Merge r216670 - [GTK] JavaScript prompt uses title of page to be loaded rather than title of current page
https://bugs.webkit.org/show_bug.cgi?id=152690

Reviewed by Michael Catanzaro.

webkit_web_view_get_uri() returns the page to be loaded, so use the
internal API for this.

* UIProcess/API/gtk/WebKitWebView.cpp:
(webkitWebViewCreateJavaScriptDialog):


  Commit: 45d496e8e73ee0de5d807e986fc811f2b1068a89
      https://github.com/WebKit/WebKit/commit/45d496e8e73ee0de5d807e986fc811f2b1068a89
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/http/tests/images/gif-progressive-load-expected.html
    A LayoutTests/http/tests/images/gif-progressive-load.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/ImageFrameCache.cpp

  Log Message:
  -----------
  Merge r216758 - [GTK] GIF images are not properly loaded the first time
https://bugs.webkit.org/show_bug.cgi?id=170432

Reviewed by Carlos Alberto Lopez Perez.

Source/WebCore:

When the GIF image is loaded for the first time, it's always read from the network, and the decoder is usually
fetched with chunks of data. Then the data is cached on disk by the network process, so that when loaded from
the cache, the whole encoded data is available to fetch the encoder. The problem is that we are failing to
decode the image when giving chunks of data, that's why it only happens the first time it is loaded. If the first
chunk of data provided is enough to get some metadata, including the size, but not frame contents, the load fails
in CachedImage::addIncrementalDataBuffer() because the EncodedDataStatus reported is SizeAvailable but
Image::isNull() returns true. An Image is considered to be Null when its size is empty, and the size is
always calculated using the first frame in ImageFrameCache. Since we still don't have frames, the image is
always Null in this case. It is not expected that EncodedDataStatus returns SizeAvailable and the image is Null,
that's why it's considered an error and the load finishes with a decode error. However, the non CG ImageDecoder
has a m_size member to handle this particular case, and it's when m_size is set that EncodedDataStatus changes
to SizeAvailable. We should return the ImageEncoder size as the ImageSize when we have a decoder but
not frames yet.

Test: http/tests/images/gif-progressive-load.html

* platform/graphics/ImageFrameCache.cpp:
(WebCore::ImageFrameCache::size): Return ImageDecoder::size() without caching it, if frame list is empty.

LayoutTests:

* http/tests/images/gif-progressive-load-expected.html: Added.
* http/tests/images/gif-progressive-load.html: Added.


  Commit: b0bcfdece40b115ef0197b69527c109c6481f07c
      https://github.com/WebKit/WebKit/commit/b0bcfdece40b115ef0197b69527c109c6481f07c
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp

  Log Message:
  -----------
  Merge r216759 - [GTK] ASSERTION FAILED: !m_flushingLayers
https://bugs.webkit.org/show_bug.cgi?id=172025

Reviewed by Žan Doberšek.

Source/WebCore:

The problem is that syncImageBacking() is calling didChangeLayerState(). All sync methods are called by
flushCompositingStateForThisLayerOnly() while flushing layers, so none of them should call a didChange method that
will schedule a new flush while flushing.

* platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:
(WebCore::CoordinatedGraphicsLayer::syncImageBacking):

LayoutTests:

* platform/gtk/TestExpectations:


  Commit: 2a017b80d1e6c9dfea185d3b8118bb7da3a059fa
      https://github.com/WebKit/WebKit/commit/2a017b80d1e6c9dfea185d3b8118bb7da3a059fa
  Author: Jiewen Tan <jiewen_tan at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/plugins/navigator-plugin-crash-expected.txt
    A LayoutTests/plugins/navigator-plugin-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/plugins/DOMPlugin.cpp

  Log Message:
  -----------
  Merge r216789 - Check existence of a page before accessing its plugins
https://bugs.webkit.org/show_bug.cgi?id=171712
<rdar://problem/32007806>

Reviewed by Brent Fulgham.

Source/WebCore:

Test: plugins/navigator-plugin-crash.html

* plugins/DOMPlugin.cpp:
(WebCore::DOMPlugin::item):
(WebCore::DOMPlugin::namedItem):

LayoutTests:

* plugins/navigator-plugin-crash-expected.txt: Added.
* plugins/navigator-plugin-crash.html: Added.


  Commit: a36eb01e5f8eab8a3422f46f4c1e5d164afa287b
      https://github.com/WebKit/WebKit/commit/a36eb01e5f8eab8a3422f46f4c1e5d164afa287b
  Author: Andreas Kling <akling at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/WebPage/WebPage.cpp

  Log Message:
  -----------
  Merge r216847 - Always reset the assisted node when the main frame commits a new load.
https://bugs.webkit.org/show_bug.cgi?id=172088

Reviewed by Antti Koivisto.

WebPage::m_assistedNode could extend the lifetime of the document it pointed into
if the main frame was navigated while the assisted node was in one of its subframes.
The life-supported document wouldn't be reachable from JavaScript but nevertheless
would consume memory and other resources.

This patch fixes the issue by always clearing WebPage::m_assistedNode when the main
frame commits a new load.

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::resetAssistedNodeForFrame):


  Commit: 91406a65526f75fcf4fe4c4a6660be3900815a0e
      https://github.com/WebKit/WebKit/commit/91406a65526f75fcf4fe4c4a6660be3900815a0e
  Author: Gwang Yoon Hwang <yoon at igalia.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/hidpi/hidpi-long-page-with-inset-element-expected.html
    A LayoutTests/fast/hidpi/hidpi-long-page-with-inset-element.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/cairo/PlatformContextCairo.cpp

  Log Message:
  -----------
  Merge r216859 - [CAIRO] Painting an image mask with a matrix above Pixman's limit breaks internal states of Cairo
https://bugs.webkit.org/show_bug.cgi?id=169094

Reviewed by Žan Doberšek.

Source/WebCore:

It is the same problem that was addressed in r212431.
In a HiDPI situation, it happens easily due to the size of the coordinates.
Also, if this bug happens, it will break the rendering continuously,
since we are reusing graphics contexts to render webpages in the same
webview.

Test: fast/hidpi/hidpi-long-page-with-inset-element.html

* platform/graphics/cairo/PlatformContextCairo.cpp:
(WebCore::PlatformContextCairo::pushImageMask):
We can avoid the limit of the Pixman by reducing the source surface's
size, and it will create a minimal pattern matrix.

LayoutTests:

* fast/hidpi/hidpi-long-page-with-inset-element-expected.html: Added.
* fast/hidpi/hidpi-long-page-with-inset-element.html: Added.


  Commit: fd547b7d42f650f8c758a42abf5fc2f0bf65a34f
      https://github.com/WebKit/WebKit/commit/fd547b7d42f650f8c758a42abf5fc2f0bf65a34f
  Author: David Kilzer <ddkilzer at webkit.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/xml/XSLStyleSheet.h
    M Source/WebCore/xml/XSLStyleSheetLibxslt.cpp

  Log Message:
  -----------
  Merge r216889 - Crash in libxml2.2.dylib: xmlDictReference
<https://webkit.org/b/172086>
<rdar://problem/23643436>

Reviewed by Daniel Bates.

Speculative fix and code clean-up based on source code
inspection.  The fix for the crash is in two parts that change
XSLStyleSheet::parseString():
1. Always set m_stylesheetDoc to nullptr after freeing it via
   XSLStyleSheet::clearXSLStylesheetDocument().
2. Add nullptr check before using m_stylesheetDoc from parent.

Broadly speaking, the changes are:
- Extract code to reset m_stylesheetDoc into new private
  XSLStyleSheet::clearXSLStylesheetDocument() method.  There is
  a special contract between m_stylesheetDoc and
  m_stylesheetDocTaken that wasn't being followed every time.
  See comment in XSLStyleSheet::compileStyleSheet().
- XSLStyleSheet::clearDocuments() now calls new
  clearXSLStylesheetDocument() method.  Previously, it was not
  checking or resetting m_stylesheetDocTaken, and it might have
  leaked an xmlDocPtr if m_stylesheetDoc was set and
  m_stylesheetDocTaken was false.
- XSLStyleSheet::parseString() now calls new
  clearXSLStylesheetDocument() method.  Previously, it did not
  clear m_stylesheetDoc after freeing it, and it could return
  early due to a failure in xmlCreateMemoryParserCtxt().
- In XSLStyleSheet::parseString() use checked arithmetic when
  calculating 'size' for xmlCreateMemoryParserCtxt() and
  xmlCtxtReadMemory().  This code used to do an implicit
  unsigned -> signed integer conversion that could overflow.
- Always iterate m_children using an 'auto& import' variable.

* xml/XSLStyleSheet.h:
(WebCore::XSLStyleSheet::clearXSLStylesheetDocument): Add declaration.
(WebCore::XSLStyleSheet::m_disabled): Add default initializer.
(WebCore::XSLStyleSheet::m_stylesheetDoc): Ditto.
(WebCore::XSLStyleSheet::m_stylesheetDocTaken): Ditto.
(WebCore::XSLStyleSheet::m_parentStyleSheet): Ditto.

* xml/XSLStyleSheetLibxslt.cpp:
(WebCore::XSLStyleSheet::XSLStyleSheet): Get rid of redundant
initializers.  Set m_parentStyleSheet if needed.
(WebCore::XSLStyleSheet::~XSLStyleSheet): Call
clearXSLStylesheetDocument() instead of custom code.  Switch
m_children fast iteration to use 'auto& import' variable.
(WebCore::XSLStyleSheet::isLoading): Switch m_children fast
iteration to use 'auto& import' variable.
(WebCore::XSLStyleSheet::clearDocuments): Call
clearXSLStylesheetDocument() instead of setting m_stylesheetDoc
to nullptr.  This might fix an occasional xmlDocPtr leak.
(WebCore::XSLStyleSheet::clearXSLStylesheetDocument): Add.  This
method always sets m_stylesheetDoc to nullptr (after freeing it
if necessary) and sets m_stylesheetDocTaken to false.
(WebCore::XSLStyleSheet::parseString): Call
clearXSLStylesheetDocument().  Prior to this, m_stylesheetDoc
might be left pointing to a freed value, and this method could
return early if xmlCreateMemoryParserCtxt() failed.  Switch to
using Checked<> to compute required buffer size to parse XSL
stylesheet, and return early on overflow.  Clean up existing
return statements to use boolean expressions.  Add nullptr check
for m_parentStyleSheet->m_stylesheetDoc before using it.
(WebCore::XSLStyleSheet::loadChildSheet): Get rid of local
variable by calling loadSheet() from last array element.
(WebCore::XSLStyleSheet::compileStyleSheet): Add debug assert
that m_stylesheetDoc is not nullptr.

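The checked size computation this commit describes, as an added example that is not WebKit's code: the size_t to int conversion the message calls out, beside a hand-rolled checked version that refuses oversized input instead of truncating it (the UChar alias, the BOM constant and the function names are assumptions, and WTF's Checked<> template is not used here).

```cpp
// Added example (not WebKit's XSLStyleSheetLibxslt.cpp): libxml2 entry points such as
// xmlCreateMemoryParserCtxt() take the buffer size as an int, while string lengths are
// size_t. Computing "BOM + length * sizeof(UChar)" and letting the result convert to int
// silently truncates large values; the checked variant bails out instead.
#include <climits>
#include <cstddef>
#include <cstdint>
#include <optional>

namespace example {

// UTF-16 code unit, standing in for WebKit's UChar (assumption for this example).
using UChar = char16_t;
constexpr UChar kBOM = 0xFEFF;

// The pattern the commit message describes as the bug: arithmetic is done in size_t,
// then the result is handed to an int parameter. For a long enough string the
// conversion wraps, so libxml2 sees a bogus (possibly zero or negative) size.
inline int uncheckedBufferSize(size_t codeUnitCount)
{
    size_t size = sizeof(kBOM) + codeUnitCount * sizeof(UChar);
    return static_cast<int>(size); // truncation / sign change for large inputs
}

// Checked variant: every step is verified, and std::nullopt plays the role of the
// "return early on overflow" path in the commit message.
inline std::optional<int> checkedBufferSize(size_t codeUnitCount)
{
    // length * sizeof(UChar) must not wrap in size_t
    if (codeUnitCount > SIZE_MAX / sizeof(UChar))
        return std::nullopt;
    size_t bytes = codeUnitCount * sizeof(UChar);
    // adding the BOM must not wrap in size_t either
    if (bytes > SIZE_MAX - sizeof(kBOM))
        return std::nullopt;
    bytes += sizeof(kBOM);
    // and the total has to fit the int that libxml2 takes
    if (bytes > static_cast<size_t>(INT_MAX))
        return std::nullopt;
    return static_cast<int>(bytes);
}

// Mirrors "clean up existing return statements to use boolean expressions": the caller
// only proceeds to the parser when a size was actually produced.
inline bool parseWouldProceed(size_t codeUnitCount)
{
    return checkedBufferSize(codeUnitCount).has_value();
}

} // namespace example
```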

  Commit: 78491a9a2acf43510d09e9836e381a818bc13463
      https://github.com/WebKit/WebKit/commit/78491a9a2acf43510d09e9836e381a818bc13463
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp
    M Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp

  Log Message:
  -----------
  Merge r216915 - [SOUP] Remove LATEST_RECORD_VERSION from GnuTLS priority string
https://bugs.webkit.org/show_bug.cgi?id=172153

Based on discussion with Nikos in https://bugzilla.gnome.org/show_bug.cgi?id=782218, we
should remove LATEST_RECORD_VERSION from our GnuTLS priority string. This causes GnuTLS to
use the latest TLS record version (the record format is separate from the TLS protocol
version), which we needed a couple years ago (after dropping SSLv3) for maximum
compatibility with broken web servers. But it's not needed anymore, and is causing new
compatibility problems with other broken web servers, so let's get rid of it.

Reviewed by Carlos Garcia Campos.

* NetworkProcess/EntryPoint/unix/NetworkProcessMain.cpp:
(main):
* WebProcess/EntryPoint/unix/WebProcessMain.cpp:
(main):


  Commit: 70f6f5fb84289775b1447dfad3f04d0661ee3a29
      https://github.com/WebKit/WebKit/commit/70f6f5fb84289775b1447dfad3f04d0661ee3a29
  Author: David Kilzer <ddkilzer at webkit.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/TransformSource.h
    M Source/WebCore/dom/TransformSourceLibxslt.cpp
    M Source/WebCore/xml/XSLStyleSheetLibxslt.cpp
    M Source/WebCore/xml/XSLTProcessorLibxslt.cpp
    M Source/WebCore/xml/parser/XMLDocumentParser.h
    M Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp

  Log Message:
  -----------
  Merge r216968 - Remove C-style casts by using xmlDocPtr instead of void*
<https://webkit.org/b/172189>

Reviewed by Alex Christensen.

* dom/TransformSource.h: Fix whitespace indentation.
(typedef PlatformTransformSource): Use xmlDocPtr not void*.
* dom/TransformSourceLibxslt.cpp:
(WebCore::TransformSource::~TransformSource): Remove cast.
* xml/XSLStyleSheetLibxslt.cpp:
(WebCore::XSLStyleSheet::document): Remove cast.
* xml/XSLTProcessorLibxslt.cpp:
(WebCore::xmlDocPtrFromNode): Remove casts.
* xml/parser/XMLDocumentParser.h:
(WebCore::xmlDocPtrForString): Update declaration to return
xmlDocPtr not void*.
* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::doEnd): Change type of local
variable from void* to xmlDocPtr.
(WebCore::xmlDocPtrForString): Update to return xmlDocPtr
not void*.


  Commit: 83e6465e5318af319b8d99525e275d4804afef3e
      https://github.com/WebKit/WebKit/commit/83e6465e5318af319b8d99525e275d4804afef3e
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/html/link-element-removal-during-beforeload-expected.txt
    A LayoutTests/fast/html/link-element-removal-during-beforeload.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/HTMLLinkElement.cpp
    M Source/WebCore/html/HTMLLinkElement.h

  Log Message:
  -----------
  Merge r216978 - getElementById can return a wrong element when a matching element is removed during beforeload event
https://bugs.webkit.org/show_bug.cgi?id=171374

Patch by Ryosuke Niwa <rniwa at webkit.org> on 2017-05-17
Reviewed by Brent Fulgham.

Source/WebCore:

The bug was caused by HTMLLinkElement firing the beforeload event inside insertedInto before the tree state is updated.
Delay the event dispatch to the post insertion callback.

Test: fast/html/link-element-removal-during-beforeload.html

* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::insertedInto):
(WebCore::HTMLLinkElement::finishedInsertingSubtree):
* html/HTMLLinkElement.h:

LayoutTests:

Added a regression test for calling getElementById after removing a matching element
during beforeload event of a link element.

* fast/html/link-element-removal-during-beforeload-expected.txt: Added.
* fast/html/link-element-removal-during-beforeload.html: Added.


  Commit: cfd457a6f467388c62f41d75f622877ad9b47ecd
      https://github.com/WebKit/WebKit/commit/cfd457a6f467388c62f41d75f622877ad9b47ecd
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/http/tests/plugins/resources/plugin-document-alert-and-notify-done.pl
    A LayoutTests/http/tests/security/contentSecurityPolicy/cross-origin-plugin-document-allowed-in-child-window-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/cross-origin-plugin-document-allowed-in-child-window.html
    A LayoutTests/http/tests/security/contentSecurityPolicy/plugin-blocked-in-about-blank-window-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/plugin-blocked-in-about-blank-window.html
    A LayoutTests/http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window-expected.txt
    A LayoutTests/http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Document.h
    M Tools/ChangeLog
    M Tools/DumpRenderTree/TestNetscapePlugIn/main.cpp

  Log Message:
  -----------
  Merge r217054 - REGRESSION (r209608): Cross-origin plugin document opened in child window blocked by parent
window CSP when object-src 'none' is set
https://bugs.webkit.org/show_bug.cgi?id=172038
<rdar://problem/32258262>

Reviewed by Andy Estes.

Source/WebCore:

Fixes an issue where a cross-origin plugin document opened in a child window would inherit
the Content Security Policy (CSP) of its opener. In particular, a cross-origin plugin
document opened in a child window would be blocked when the CSP of its opener disallows
plugins (e.g. object-source 'none').

Prior to r209608 a document opened in a child window never inherited the CSP from its opener
and a plugin document loaded in a subframe would unconditionally inherit the CSP from its
parent frame. So, a plugin document opened in a child window would be allowed to load
regardless of whether its opener had a CSP that prevented plugins. Following r209608 a
document opened in a child window would inherit its CSP from its opener if and only if it
would inherit the security origin from its opener (e.g. about:blank) or was a plugin
document. The latter condition makes plugin documents opened in a child window unconditionally
inherit the CSP from their opener and is the cause of this bug. It seems reasonable to exempt
cross-origin plugin documents opened in a child window from the CSP inheritance rule because
such documents cannot compromise the origin of their opener. Same-origin plugin documents
opened in a child window will continue to inherit the CSP from their opener because such
documents can compromise the origin of their opener.

Tests: http/tests/security/contentSecurityPolicy/cross-origin-plugin-document-allowed-in-child-window.html
       http/tests/security/contentSecurityPolicy/plugin-blocked-in-about-blank-window.html
       http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window.html

* dom/Document.cpp:
(WebCore::Document::shouldInheritContentSecurityPolicyFromOwner): Added.
(WebCore::Document::initContentSecurityPolicy):
* dom/Document.h:

Tools:

Teach the test Netscape plugin to look for a URL that contains plugin-document-alert-and-notify-done.pl.
When it sees this URL it will show a JavaScript alert and call testRunner.notifyDone().

* DumpRenderTree/TestNetscapePlugIn/main.cpp:
(NPP_New):

LayoutTests:

Adds tests to ensure that same-origin and cross-origin plugin documents opened in a child
window inherit and do not inherit the CSP of their opener, respectively. Also adds a test to
ensure that an about:blank window inherits the CSP plugin policy of its opener.

* http/tests/plugins/resources/plugin-document-alert-and-notify-done.pl: Added.
* http/tests/security/contentSecurityPolicy/cross-origin-plugin-document-allowed-in-child-window-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/cross-origin-plugin-document-allowed-in-child-window.html: Added.
* http/tests/security/contentSecurityPolicy/plugin-blocked-in-about-blank-window-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/plugin-blocked-in-about-blank-window.html: Added.
* http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/same-origin-plugin-document-blocked-in-child-window.html: Added.
* platform/ios/TestExpectations: Skip added tests as iOS does not support plugins.


  Commit: 6337f0774742039b459623ff4d931a6fd7c63473
      https://github.com/WebKit/WebKit/commit/6337f0774742039b459623ff4d931a6fd7c63473
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/http/tests/xmlhttprequest/origin-exact-matching-expected.txt
    M LayoutTests/http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/CrossOriginAccessControl.cpp

  Log Message:
  -----------
  Merge r217069 - Improve error message for Access-Control-Allow-Origin violation due to misconfigured server
https://bugs.webkit.org/show_bug.cgi?id=162819
<rdar://problem/28575938>

Reviewed by Joseph Pecoraro.

LayoutTests/imported/w3c:

Update expected result.

* web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt:
* web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt:

Source/WebCore:

Inspired by Blink change:
<https://src.chromium.org/viewvc/blink?view=revision&revision=163406>

At most one Access-Control-Allow-Origin header may be in an HTTP response. Improve the
error message emitted on a CORS failure when Access-Control-Allow-Origin contains more
than one origin, indicated by the presence of a ',', as a way to help web developers/server
administrators differentiate between a misconfigured Access-Control-Allow-Origin header
and a misconfigured server.

* loader/CrossOriginAccessControl.cpp:
(WebCore::passesAccessControlCheck): Defined a local variable to hold the value of securityOrigin.toString()
and referenced this variable throughout the code to avoid computing the stringified security
origin more than once. Switched to using makeString() to concatenate error message when the
origin of the page does not match the value of the Access-Control-Allow-Origin header.

LayoutTests:

Add more tests when Access-Control-Allow-Origin has more than one value and group
with existing tests. Update expected results.

* http/tests/xmlhttprequest/origin-exact-matching-expected.txt:
* http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html: Also extracted
the origin string for the page into a local variable called pageOrigin, making use of document.origin,
and referenced this variable instead of duplicating its value. Fixed various style nits.

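The header check this commit describes, as an added example rather than WebKit's CrossOriginAccessControl.cpp: an exact-match Access-Control-Allow-Origin check whose failure message differs when the header value contains a ',' (the function signature, the error strings and the sample origins are constructed for this example).

```cpp
// Added example (not WebKit's passesAccessControlCheck): a standalone
// Access-Control-Allow-Origin check that separates the "header holds more than one
// origin" server misconfiguration from an ordinary origin mismatch. Error strings
// are constructed here and are not WebKit's.
#include <optional>
#include <string>

namespace example {

struct AccessControlResult {
    bool passed;
    std::string errorDescription; // empty when passed
};

// pageOrigin: serialized origin of the requesting page, e.g. "https://app.example".
// allowOrigin: the Access-Control-Allow-Origin response header value, if present.
// includeCredentials: request carried credentials, in which case "*" is not acceptable.
inline AccessControlResult passesAccessControlCheck(const std::string& pageOrigin,
                                                    const std::optional<std::string>& allowOrigin,
                                                    bool includeCredentials)
{
    if (!allowOrigin)
        return { false, "No 'Access-Control-Allow-Origin' header is present on the requested resource." };

    const std::string& value = *allowOrigin;

    // The wildcard is only acceptable for requests made without credentials.
    if (value == "*") {
        if (!includeCredentials)
            return { true, "" };
        return { false, "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true." };
    }

    // Otherwise an exact, case-sensitive match of the serialized origin is required.
    if (value == pageOrigin)
        return { true, "" };

    // At most one origin may appear in the header. A ',' is the tell-tale sign that the
    // server emitted the header more than once (or joined several origins), so point the
    // developer at the server configuration rather than at the origin value itself.
    if (value.find(',') != std::string::npos)
        return { false, "Access-Control-Allow-Origin header contains multiple values '" + value
                        + "', but only one is allowed. Check your server configuration." };

    return { false, "Origin " + pageOrigin + " is not allowed by Access-Control-Allow-Origin." };
}

} // namespace example
```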

  Commit: 5c9f406400a6e217c4d0ff622a0e149d63be7d13
      https://github.com/WebKit/WebKit/commit/5c9f406400a6e217c4d0ff622a0e149d63be7d13
  Author: Dean Jackson <dino at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/animations/needs-layout-expected.html
    A LayoutTests/animations/needs-layout.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/animation/CSSAnimationController.cpp
    M Source/WebCore/page/animation/CSSAnimationControllerPrivate.h
    M Source/WebCore/page/animation/CompositeAnimation.cpp
    M Source/WebCore/page/animation/CompositeAnimation.h
    M Source/WebCore/page/animation/KeyframeAnimation.cpp
    M Source/WebCore/page/animation/KeyframeAnimation.h

  Log Message:
  -----------
  Merge r217075 - Transform misplaces element 50% of the time
https://bugs.webkit.org/show_bug.cgi?id=172300

Source/WebCore:

Reviewed by Simon Fraser.

A hardware-accelerated animation of the transform property
requires layout to happen if it contains a translate operation
using percentages, otherwise it may create an incorrect
animation. The "50% of the time" comes into play because
the layout timer may sometimes fire before the animation
timer. The test case contains an example that is much more
likely to fail without this fix.

Test: animations/needs-layout.html

* page/animation/CSSAnimationController.cpp:
(WebCore::CSSAnimationControllerPrivate::animationTimerFired): If
we've been told that we need a layout, and we have one pending, then
force it before doing the rest of the animation logic.
(WebCore::CSSAnimationController::updateAnimations): Check if the
CompositeAnimation depends on layout, and tell the private controller
that it should check for the necessity of a layout as the animation
timer fires.

* page/animation/CompositeAnimation.cpp:
(WebCore::CompositeAnimation::animate): Ask the keyframes if this
animation depends on layout.

* page/animation/CompositeAnimation.h:
(WebCore::CompositeAnimation::hasAnimationThatDependsOnLayout):
* page/animation/KeyframeAnimation.cpp:
(WebCore::KeyframeAnimation::KeyframeAnimation):
(WebCore::KeyframeAnimation::computeLayoutDependency): Look at all
the keyframe properties for something that is a translation using
percentages.

* page/animation/KeyframeAnimation.h:

LayoutTests:

<rdar://problem/29835668>

Reviewed by Simon Fraser.

A test case which has an animation that relies on
translation percentages. If all goes well, the
animating element will be completely obscured.

* animations/needs-layout-expected.html: Added.
* animations/needs-layout.html: Added.


  Commit: 6f429c6c496143d12568e4b0a5b412315875b280
      https://github.com/WebKit/WebKit/commit/6f429c6c496143d12568e4b0a5b412315875b280
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/inline/redundant-ellipsis-triggers-assert-incorrectly-expected.txt
    A LayoutTests/fast/inline/redundant-ellipsis-triggers-assert-incorrectly.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/EllipsisBox.cpp
    M Source/WebCore/rendering/InlineBox.cpp
    M Source/WebCore/rendering/InlineBox.h
    M Source/WebCore/rendering/RootInlineBox.cpp

  Log Message:
  -----------
  Merge r217079 - Redundant ellipsis box triggers ASSERT_WITH_SECURITY_IMPLICATION in InlineBox::parent().
https://bugs.webkit.org/show_bug.cgi?id=172309
<rdar://problem/32262357>

Reviewed by Simon Fraser.

Source/WebCore:

This patch stops the redundant ellipsis box from triggering ASSERT_WITH_SECURITY_IMPLICATION.

In RootInlineBox::placeEllipsis we construct an ellipsis box and append it to a static HashMap which
keeps track of the ellipsis boxes on each line. However, when the line already has an ellipsis, we
re-use the existing one, and this newly constructed (but redundant) box gets destroyed as we return from this function.
In InlineBox's d'tor, we let the parent know that it now has a dangling child, and we assert on it
later while accessing the children list. However, this redundant ellipsis box was never added to the line,
so the assertion hits incorrectly.

Test: fast/inline/redundant-ellipsis-triggers-assert-incorrectly.html

* rendering/EllipsisBox.cpp:
(WebCore::EllipsisBox::EllipsisBox):
* rendering/InlineBox.cpp:
(WebCore::InlineBox::invalidateParentChildList):
* rendering/InlineBox.h:
* rendering/RootInlineBox.cpp:
(WebCore::RootInlineBox::placeEllipsis): Use the newly created ellipsis box instead.

LayoutTests:

* fast/inline/redundant-ellipsis-triggers-assert-incorrectly-expected.txt: Added.
* fast/inline/redundant-ellipsis-triggers-assert-incorrectly.html: Added.


  Commit: 6d2515b1875aeeb638cf34d2d879881fc6ada838
      https://github.com/WebKit/WebKit/commit/6d2515b1875aeeb638cf34d2d879881fc6ada838
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/InlineBox.cpp

  Log Message:
  -----------
  Merge r217164 - Redundant ellipsis box triggers ASSERT_WITH_SECURITY_IMPLICATION in InlineBox::parent().
https://bugs.webkit.org/show_bug.cgi?id=172309
<rdar://problem/32262357>

Reviewed by Simon Fraser.

Source/WebCore:

This patch stops the redundant ellipsis box from triggering ASSERT_WITH_SECURITY_IMPLICATION.

In RootInlineBox::placeEllipsis we construct an ellipsis box and append it to a static HashMap which
keeps track of the ellipsis boxes on each line. However, when the line already has an ellipsis, we
re-use the existing one, and this newly constructed (but redundant) box gets destroyed as we return from this function.
In InlineBox's d'tor, we let the parent know that it now has a dangling child, and we assert on it
later while accessing the children list. However, this redundant ellipsis box was never added to the line,
so the assertion hits incorrectly.

Test: fast/inline/redundant-ellipsis-triggers-assert-incorrectly.html

* rendering/EllipsisBox.cpp:
(WebCore::EllipsisBox::EllipsisBox):
* rendering/InlineBox.cpp: This needs 32bits padding.
(WebCore::InlineBox::invalidateParentChildList):
* rendering/InlineBox.h:
* rendering/RootInlineBox.cpp:
(WebCore::RootInlineBox::placeEllipsis):

LayoutTests:

* fast/inline/redundant-ellipsis-triggers-assert-incorrectly-expected.txt: Added.
* fast/inline/redundant-ellipsis-triggers-assert-incorrectly.html: Added.


  Commit: 4be1d2d440a7e6c0b1e6edc4782cfe69e521b6cb
      https://github.com/WebKit/WebKit/commit/4be1d2d440a7e6c0b1e6edc4782cfe69e521b6cb
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp

  Log Message:
  -----------
  Merge r217126 - Add more input validation in Connection::processMessage()
https://bugs.webkit.org/show_bug.cgi?id=171682

Reviewed by Michael Catanzaro.

Check limits of attachments and message size. Credit to Nathan Crandall for reporting this issue and submitting
an equivalent fix.

* Platform/IPC/unix/ConnectionUnix.cpp:
(IPC::Connection::processMessage):


  Commit: 0b11b362c4e916519bfadd62415486d1f53ece67
      https://github.com/WebKit/WebKit/commit/0b11b362c4e916519bfadd62415486d1f53ece67
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp

  Log Message:
  -----------
  Merge r217206 - Add more input validation in Connection::readBytesFromSocket()
https://bugs.webkit.org/show_bug.cgi?id=171871

Reviewed by Michael Catanzaro.

Check the control message length is in the limits. Credit to Nathan Crandall for reporting this issue and
submitting an equivalent fix.

* Platform/IPC/unix/ConnectionUnix.cpp:
(IPC::readBytesFromSocket):


  Commit: 7c676852765a8f226982760aa893c20aeb2576b9
      https://github.com/WebKit/WebKit/commit/7c676852765a8f226982760aa893c20aeb2576b9
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Platform/IPC/unix/ConnectionUnix.cpp

  Log Message:
  -----------
  Merge r217219 - Add even more input validation in Connection::processMessage()
https://bugs.webkit.org/show_bug.cgi?id=171682

Reviewed by Carlos Garcia Campos.

Verify that the size of the out-of-line message body matches the size of the AttachmentInfo
that contains it.

* Platform/IPC/unix/ConnectionUnix.cpp:
(IPC::Connection::processMessage):


  Commit: 0bd28df47924520469e0a0886df2504d3edd9f03
      https://github.com/WebKit/WebKit/commit/0bd28df47924520469e0a0886df2504d3edd9f03
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/svg/load-event-detached-expected.txt
    A LayoutTests/svg/load-event-detached.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/svg/SVGElement.cpp

  Log Message:
  -----------
  Merge r217172 - Do not fire load event for SVGElements that are detached or in frameless documents
https://bugs.webkit.org/show_bug.cgi?id=172289
<rdar://problem/32275689>

Reviewed by Ryosuke Niwa.

Source/WebCore:

We should not fire the load event for SVGElements that are detached or in frameless
documents.

Test: svg/load-event-detached.html

* svg/SVGElement.cpp:
(WebCore::SVGElement::sendSVGLoadEventIfPossible):

LayoutTests:

Add layout test coverage.

* svg/load-event-detached-expected.txt: Added.
* svg/load-event-detached.html: Added.


  Commit: fcbb79085e1c688980d17bcaf963612e396cd9bd
      https://github.com/WebKit/WebKit/commit/fcbb79085e1c688980d17bcaf963612e396cd9bd
  Author: Ting-Wei Lan <lantw44 at gmail.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Tools/ChangeLog
    M Tools/gtk/gtkdoc.py

  Log Message:
  -----------
  Merge r217190 - [GTK] gtkdoc-fixxref needs --module argument to work
https://bugs.webkit.org/show_bug.cgi?id=172415

Patch by Ting-Wei Lan <lantw44 at gmail.com> on 2017-05-20
Reviewed by Michael Catanzaro.

* gtk/gtkdoc.py:
(GTKDoc._run_gtkdoc_fixxref):


  Commit: 1b13281475415e95d55a85e9a811e00167e5dc68
      https://github.com/WebKit/WebKit/commit/1b13281475415e95d55a85e9a811e00167e5dc68
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/animations/keyframes-rule-expected.txt
    M LayoutTests/animations/keyframes-rule.html
    M LayoutTests/animations/unprefixed-keyframes-rule-expected.txt
    M LayoutTests/animations/unprefixed-keyframes-rule.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/CSSKeyframesRule.cpp

  Log Message:
  -----------
  Merge r217227 - Crash in WebCore::StyleRuleKeyframes::findKeyframeIndex
https://bugs.webkit.org/show_bug.cgi?id=170756
<rdar://problem/31573157>

Reviewed by Andreas Kling.

Source/WebCore:

Using a malformed key with CSSKeyframesRule.findRule crashes because
CSSParser::parseKeyframeKeyList returns null which is then dereferenced.

* css/CSSKeyframesRule.cpp:
(WebCore::StyleRuleKeyframes::findKeyframeIndex): Null test.

LayoutTests:

Expand the tests to cover the malformed key case.

* animations/keyframes-rule.html:
* animations/unprefixed-keyframes-rule.html:


  Commit: de31967462ab8ea4a07755356e83386bc4ac55e3
      https://github.com/WebKit/WebKit/commit/de31967462ab8ea4a07755356e83386bc4ac55e3
  Author: Daniel Bates <dbates at webkit.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/FrameLoader.h

  Log Message:
  -----------
  Merge r214014 - Iteratively dispatch DOM events after restoring a cached page
https://bugs.webkit.org/show_bug.cgi?id=169703
<rdar://problem/31075903>

Reviewed by Brady Eidson.

Make dispatching of DOM events when restoring a page from the page cache symmetric with
dispatching of events when saving a page to the page cache.

* history/CachedFrame.cpp:
(WebCore::CachedFrameBase::restore): Move code to dispatch events from here to FrameLoader::didRestoreFromCachedPage().
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad): Ensure that no DOM events are dispatched during
restoration of a cached page. Call didRestoreFromCachedPage() after restoring the page to
dispatch DOM events on the restored frames.
(WebCore::FrameLoader::willRestoreFromCachedPage): Renamed; formerly named prepareForCachedPageRestore().
(WebCore::FrameLoader::didRestoreFromCachedPage): Added.
(WebCore::FrameLoader::prepareForCachedPageRestore): Renamed to willRestoreFromCachedPage().
* loader/FrameLoader.h:
* page/FrameTree.cpp:
(WebCore::FrameTree::traverseNextInPostOrderWithWrap): Returns the next Frame* in a post-order
traversal of the frame tree optionally wrapping around to the deepest first child in the tree.
(WebCore::FrameTree::deepFirstChild): Added.
* page/FrameTree.h:


  Commit: 0b51f078cbe38d785a249c132703b24287a9b9f4
      https://github.com/WebKit/WebKit/commit/0b51f078cbe38d785a249c132703b24287a9b9f4
  Author: Dean Jackson <dino at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds-uint-index-expected.txt
    A LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds-uint-index.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/canvas/WebGL2RenderingContext.cpp
    M Source/WebCore/html/canvas/WebGLBuffer.cpp
    M Source/WebCore/html/canvas/WebGLBuffer.h
    M Source/WebCore/html/canvas/WebGLRenderingContext.cpp
    M Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp

  Log Message:
  -----------
  Merge r214086 - WebGL: Improve index validation when using uint index values
https://bugs.webkit.org/show_bug.cgi?id=169798

Reviewed by Simon Fraser.

Source/WebCore:

Make sure that we test index validation with the correct type.
Also stop using -1 in WebGLBuffer to indicate non-existent values.

Test: fast/canvas/webgl/draw-elements-out-of-bounds-uint-index.html

* html/canvas/WebGL2RenderingContext.cpp:
(WebCore::WebGL2RenderingContext::validateIndexArrayConservative): Use optional<> and
unsigned values.
* html/canvas/WebGLBuffer.cpp: Use unsigned for maxIndex (they can't be negative)
and optional<> to indicate unknown value.
(WebCore::WebGLBuffer::getCachedMaxIndex):
(WebCore::WebGLBuffer::setCachedMaxIndex):
* html/canvas/WebGLBuffer.h:
* html/canvas/WebGLRenderingContext.cpp:
(WebCore::WebGLRenderingContext::validateIndexArrayConservative): Use optional<> and
unsigned values.
* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::validateVertexAttributes): No need to check if
an unsigned value is less than zero.

LayoutTests:

* fast/canvas/webgl/draw-elements-out-of-bounds-uint-index-expected.txt: Added.
* fast/canvas/webgl/draw-elements-out-of-bounds-uint-index.html: Added.


  Commit: 4ad652eb160997cfd698e517a54a8ac5cd38ffbe
      https://github.com/WebKit/WebKit/commit/4ad652eb160997cfd698e517a54a8ac5cd38ffbe
  Author: Jiewen Tan <jiewen_tan at apple.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/TestExpectations
    A LayoutTests/fast/forms/range/range-remove-on-drag-expected.txt
    A LayoutTests/fast/forms/range/range-remove-on-drag.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/shadow/SliderThumbElement.cpp

  Log Message:
  -----------
  Merge r214291 - ASSERT_WITH_SECURITY_IMPLICATION hit when removing an <input type="range"> while dragging on iOS
https://bugs.webkit.org/show_bug.cgi?id=165535
<rdar://problem/29559749>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Ultimately we should prevent SliderThumbElement::unregisterForTouchEvents() being called while
updating render tree. A quick fix for this is to move dispatchFormControlChangeEvent for input
from stopDragging up to the callers which really need to dispatch this event, i.e., finishing
dragging the slider. It is clear that not every caller of stopDragging wants to
dispatchFormControlChangeEvent.

Test: fast/forms/range/range-remove-on-drag.html

* html/shadow/SliderThumbElement.cpp:
(WebCore::SliderThumbElement::stopDragging):
(WebCore::SliderThumbElement::defaultEventHandler):
(WebCore::SliderThumbElement::handleTouchEndAndCancel):

LayoutTests:

This test case is only enabled in iOS simulator WK2.

* TestExpectations:
* fast/forms/range/range-remove-on-drag-expected.txt: Added.
* fast/forms/range/range-remove-on-drag.html: Added.
* platform/ios-simulator-wk2/TestExpectations:


  Commit: 47e986d081a888adff284658a6d58fe37bb1a82d
      https://github.com/WebKit/WebKit/commit/47e986d081a888adff284658a6d58fe37bb1a82d
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/bindings/scripts/generate-bindings-all.pl

  Log Message:
  -----------
  Merge r215166 - generate-bindings-all.pl shouldn't use Perl threads
https://bugs.webkit.org/show_bug.cgi?id=170106

Patch by Fujii Hironori <Hironori.Fujii at sony.com> on 2017-04-09
Reviewed by Yusuke Suzuki.

The use of interpreter-based threads in Perl is officially
discouraged and not all Linux distributions and BSD compile Perl
with threads support. Use fork instead of threads to run
generate-bindings.pl in parallel.

* bindings/scripts/generate-bindings-all.pl:
(spawnGenerateBindingsIfNeeded): Added.
(executeCommand): Removed the workaround for Cygwin Perl threads.
(spawnCommand): Added.
(worker): Deleted.


  Commit: aa09ca61dcf9c33ec35969fe932bb0464df87d0f
      https://github.com/WebKit/WebKit/commit/aa09ca61dcf9c33ec35969fe932bb0464df87d0f
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-05-24 (Wed, 24 May 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.3 release.

.:

* Source/cmake/OptionsGTK.cmake: Bump version numbers.

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.16.3.


  Commit: d2b2852669dada641d018a79d03a82e5de58f632
      https://github.com/WebKit/WebKit/commit/d2b2852669dada641d018a79d03a82e5de58f632
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2017-05-26 (Fri, 26 May 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/beforeload/image-removed-during-before-load-expected.txt
    A LayoutTests/fast/dom/beforeload/image-removed-during-before-load.html
    A LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt
    A LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load.html
    A LayoutTests/fast/dom/beforeload/recursive-link-before-load-expected.txt
    A LayoutTests/fast/dom/beforeload/recursive-link-before-load.html
    A LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt
    A LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load.html
    A LayoutTests/fast/dom/beforeload/resources/content.xhtml
    A LayoutTests/fast/dom/beforeload/resources/pass.css
    A LayoutTests/fast/dom/beforeload/resources/test.xsl
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/ProcessingInstruction.cpp
    M Source/WebCore/dom/ProcessingInstruction.h
    M Source/WebCore/html/HTMLLinkElement.cpp
    M Source/WebCore/html/HTMLLinkElement.h
    M Source/WebCore/loader/ImageLoader.cpp

  Log Message:
  -----------
  Merge r214378 - Handle recursive calls to ProcessingInstruction::checkStyleSheet
https://bugs.webkit.org/show_bug.cgi?id=169982
<rdar://problem/31083051>

Reviewed by Antti Koivisto.

Source/WebCore:

       See if we triggered a recursive load of the stylesheet during the 'beforeload'
       event handler. If so, reset to a valid state before completing the load.

       We should also check after 'beforeload' that we were not disconnected from (or
       moved to a new) document.

       I also looked for other cases of this pattern and fixed them, too.

       Tests: fast/dom/beforeload/image-removed-during-before-load.html
       fast/dom/beforeload/recursive-css-pi-before-load.html
       fast/dom/beforeload/recursive-link-before-load.html
       fast/dom/beforeload/recursive-xsl-pi-before-load.html

* dom/ProcessingInstruction.cpp:
(WebCore::ProcessingInstruction::clearExistingCachedSheet): Added.
(WebCore::ProcessingInstruction::checkStyleSheet): Prevent recursive calls into
this function during 'beforeload' handling. Also, safely handle the case where
the element was disconnected in the 'beforeload' handler (similar to what
we do in HTMLLinkElement).
(WebCore::ProcessingInstruction::setCSSStyleSheet): Drive-by Fix: Protect the
current document to match what we do in setXSLStyleSheet.
* dom/ProcessingInstruction.h:
* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::process): Prevent recursive calls into
this function during 'beforeload' handling.
* html/HTMLLinkElement.h:
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::dispatchPendingBeforeLoadEvent): safely handle the case where
the element was disconnected in the 'beforeload' handler (similar to what
we do in HTMLLinkElement).
* style/StyleScope.cpp:
(WebCore::Style::Scope::hasPendingSheet): Added.
* style/StyleScope.h:

LayoutTests:

* fast/dom/beforeload/image-removed-during-before-load-expected.txt: Copied from LayoutTests/fast/dom/beforeload/image-removed-during-before-load-expected.txt.
* fast/dom/beforeload/image-removed-during-before-load.html: Copied from LayoutTests/fast/dom/beforeload/image-removed-during-before-load.html.
* fast/dom/beforeload/recursive-css-pi-before-load-expected.txt: Copied from LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt.
* fast/dom/beforeload/recursive-css-pi-before-load.html: Copied from LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load.html.
* fast/dom/beforeload/recursive-link-before-load-expected.txt: Copied from LayoutTests/fast/dom/beforeload/recursive-link-before-load-expected.txt.
* fast/dom/beforeload/recursive-link-before-load.html: Copied from LayoutTests/fast/dom/beforeload/recursive-link-before-load.html.
* fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt: Copied from LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt.
* fast/dom/beforeload/recursive-xsl-pi-before-load.html: Copied from LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load.html.
* fast/dom/beforeload/resources/content.xhtml: Copied from LayoutTests/fast/dom/beforeload/resources/content.xhtml.
* fast/dom/beforeload/resources/pass.css: Copied from LayoutTests/fast/dom/beforeload/resources/pass.css.
* fast/dom/beforeload/resources/test.xsl: Copied from LayoutTests/fast/dom/beforeload/resources/test.xsl.


  Commit: e5a631b418e13d4ebf38d986acc6ecfc9f37c32c
      https://github.com/WebKit/WebKit/commit/e5a631b418e13d4ebf38d986acc6ecfc9f37c32c
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/FrameView.cpp

  Log Message:
  -----------
  Merge r217286 - ASSERTION FAILED: !renderer().view().needsLayout() while running media/video-main-content-autoplay.html
https://bugs.webkit.org/show_bug.cgi?id=172476

Reviewed by Simon Fraser.

This patch decouples the layout call logic from the post layout task timer setup.
Just because we are switching over to asynchronous performPostLayoutTasks() it should not stop us from
running layout on a dirty tree (we could encounter a forced layout (which sets m_postLayoutTasksTimer active)
and a subsequent tree mutation during performPostLayoutTasks()).

There are a few different ways to end up here:
root layout is done -> call performPostLayoutTasks() synchronously ->
1. tree stays clean -> no action needed.
2. tree gets dirty -> setup performPostLayoutTasks timer -> run nested layout -> since m_postLayoutTasksTimer is active()
we don't try to run performPostLayoutTasks() while in the nested layout and we return with a clean tree.

* page/FrameView.cpp:
(WebCore::FrameView::layout):


  Commit: fc568dec09772b02c25df83a2405633f403486e7
      https://github.com/WebKit/WebKit/commit/fc568dec09772b02c25df83a2405633f403486e7
  Author: Jiewen Tan <jiewen_tan at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/editing/selection/resources/select-iframe-focusin-document-crash-frame.html
    A LayoutTests/editing/selection/select-iframe-focusin-document-crash-expected.txt
    A LayoutTests/editing/selection/select-iframe-focusin-document-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/editing/FrameSelection.cpp

  Log Message:
  -----------
  Merge r217439 - Crash on WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance + 1195
https://bugs.webkit.org/show_bug.cgi?id=172555
<rdar://problem/32004724>

Reviewed by Ryosuke Niwa.

Source/WebCore:

setSelectionWithoutUpdatingAppearance could dispatch a synchronous focusin event,
which could invoke an event handler that deletes the frame. Therefore, add a
protector before the call.

Test: editing/selection/select-iframe-focusin-document-crash.html

* editing/FrameSelection.cpp:
(WebCore::FrameSelection::setSelection):

LayoutTests:

* editing/selection/resources/select-iframe-focusin-document-crash-frame.html: Added.
* editing/selection/select-iframe-focusin-document-crash-expected.txt: Added.
* editing/selection/select-iframe-focusin-document-crash.html: Added.
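The hazard in this commit and in the r214378 'beforeload' change above is the same one: a synchronous event dispatched from the middle of a member function hands control to script, which can re-enter that function, detach the element, or drop the last reference to the object whose method is still on the stack. The following is an added example, not WebKit code, that models the pattern with a hypothetical LinkElement using std::shared_ptr in place of WebKit's Ref/RefPtr protector; the Document, the onBeforeLoad hook and the three scenario functions are constructed for illustration only.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for the document an element loads resources into.
struct Document {
    std::vector<std::string> loadedSheets;   // hrefs whose load completed
};

// Ref-counted (shared_ptr) stand-in for a <link> / <?xml-stylesheet?> element.
class LinkElement : public std::enable_shared_from_this<LinkElement> {
public:
    LinkElement(Document* document, std::string href)
        : m_document(document), m_href(std::move(href)) {}

    // Hypothetical hook standing in for a script 'beforeload' listener.
    std::function<void(LinkElement&)> onBeforeLoad;

    bool isConnected() const { return m_document != nullptr; }
    void remove() { m_document = nullptr; }          // detach from the document
    int loadsStarted() const { return m_loadsStarted; }

    // Shape of the fix: reject re-entry, keep |this| alive across the handler,
    // and re-check connectedness before touching the document.
    bool process() {
        if (m_isHandlingBeforeLoad)                  // recursive call from the handler: bail out
            return false;
        m_isHandlingBeforeLoad = true;
        // Without this protector, a handler that releases the owning reference
        // would free |this| and the writes below would hit freed memory.
        auto protectedThis = shared_from_this();
        if (onBeforeLoad)
            onBeforeLoad(*this);                     // may call process() again, remove() us, or release us
        m_isHandlingBeforeLoad = false;
        if (!isConnected())                          // handler removed us: nothing to load into
            return false;
        ++m_loadsStarted;
        m_document->loadedSheets.push_back(m_href);
        return true;
    }

private:
    Document* m_document;
    std::string m_href;
    bool m_isHandlingBeforeLoad = false;
    int m_loadsStarted = 0;
};

// Scenario 1: the handler re-enters process(); the inner call is rejected,
// so the sheet is loaded exactly once.
int loadsWhenHandlerReenters() {
    Document doc;
    auto link = std::make_shared<LinkElement>(&doc, "a.css");
    link->onBeforeLoad = [](LinkElement& el) { el.process(); };
    link->process();
    return link->loadsStarted();
}

// Scenario 2: the handler removes the element; nothing is loaded into the document.
bool loadedWhenHandlerRemovesElement() {
    Document doc;
    auto link = std::make_shared<LinkElement>(&doc, "b.css");
    link->onBeforeLoad = [](LinkElement& el) { el.remove(); };
    bool loaded = link->process();
    return loaded || !doc.loadedSheets.empty();
}

// Scenario 3: the handler drops the only owning reference. The protector keeps
// the element alive until process() returns; it is destroyed safely afterwards.
size_t sheetsWhenHandlerDropsOwner() {
    Document doc;
    auto owner = std::make_shared<LinkElement>(&doc, "c.css");
    LinkElement* raw = owner.get();
    raw->onBeforeLoad = [&owner](LinkElement&) { owner.reset(); };
    raw->process();
    return doc.loadedSheets.size();
}
```

The re-entrancy flag and the protector address different failures and are both needed: the flag stops the nested load from corrupting the pending-sheet bookkeeping, while the protector only guarantees the object outlives the call. The isConnected() check after the handler is what the r214378 change adds for the "moved to a new document" case.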


  Commit: 3dba7a87c5a43b7be0de60df5e64c7490f3903ca
      https://github.com/WebKit/WebKit/commit/3dba7a87c5a43b7be0de60df5e64c7490f3903ca
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/FocusController.cpp

  Log Message:
  -----------
  Merge r217441 - ASSERTION FAILED: !needsStyleRecalc() || !document().childNeedsStyleRecalc()
https://bugs.webkit.org/show_bug.cgi?id=172576
<rdar://problem/32181979>

Reviewed by Brent Fulgham.

Ensure that we clean the subframe's document before we start searching for a focusable element.

Covered by existing test.

* page/FocusController.cpp:
(WebCore::FocusController::findFocusableElementDescendingDownIntoFrameDocument):


  Commit: ef3459a889ae05af2cef99f625fac3be3fd8a5b3
      https://github.com/WebKit/WebKit/commit/ef3459a889ae05af2cef99f625fac3be3fd8a5b3
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash-expected.txt
    A LayoutTests/http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/DocumentThreadableLoader.cpp
    M Source/WebCore/loader/DocumentThreadableLoader.h

  Log Message:
  -----------
  Merge r217445 - DocumentThreadableLoader::redirectReceived() should not rely on the resource's loader
https://bugs.webkit.org/show_bug.cgi?id=172578
<rdar://problem/30754582>

Reviewed by Youenn Fablet.

Source/WebCore:

DocumentThreadableLoader::redirectReceived() should not rely on the resource's loader. The rest of the methods do not.
It is unsafe for it to rely on the resource's loader because it gets cleared when the load completes. A CachedRawResource
may be reused from the memory cache once its load has completed.

This would cause crashes in CachedRawResource::didAddClient() when replaying the redirects because it would call
DocumentThreadableLoader::redirectReceived() and potentially not have a loader anymore. To hit this exact code path,
you would need to make repeated XHR to a cacheable simple cross-origin resource that has cacheable redirect.

Test: http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash.html

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived):
* loader/DocumentThreadableLoader.h:

LayoutTests:

Add layout test coverage.

* http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash-expected.txt: Added.
* http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash.html: Added.


  Commit: 1969a2ad373391b2d4e1260dd7a97c80f018fc95
      https://github.com/WebKit/WebKit/commit/1969a2ad373391b2d4e1260dd7a97c80f018fc95
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/compositing/resources/visibility.html
    A LayoutTests/compositing/visibility/frameset-visibility-hidden-expected.html
    A LayoutTests/compositing/visibility/frameset-visibility-hidden.html
    A LayoutTests/compositing/visibility/iframe-visibility-hidden-expected.html
    A LayoutTests/compositing/visibility/iframe-visibility-hidden.html
    A LayoutTests/compositing/visibility/object-visibility-hidden-expected.html
    A LayoutTests/compositing/visibility/object-visibility-hidden.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderLayerCompositor.cpp

  Log Message:
  -----------
  Merge r217472 - Frame's composited content is visible when the frame has visibility: hidden.
https://bugs.webkit.org/show_bug.cgi?id=125565
<rdar://problem/32196849>

Reviewed by Simon Fraser.

Source/WebCore:

Do not construct composited layers for hidden RenderWidgets (frameset, iframe, object).
Note that we still construct layers for the associated renderers as usual.

Tests: compositing/visibility/frameset-visibility-hidden.html
       compositing/visibility/iframe-visibility-hidden.html
       compositing/visibility/object-visibility-hidden.html

* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::requiresCompositingForPlugin):
(WebCore::RenderLayerCompositor::requiresCompositingForFrame):

LayoutTests:

* compositing/resources/visibility.html: Added.
* compositing/visibility/frameset-visibility-hidden-expected.html: Added.
* compositing/visibility/frameset-visibility-hidden.html: Added.
* compositing/visibility/iframe-visibility-hidden-expected.html: Added.
* compositing/visibility/iframe-visibility-hidden.html: Added.
* compositing/visibility/object-visibility-hidden-expected.html: Added.
* compositing/visibility/object-visibility-hidden.html: Added.


  Commit: ea0f777ada85b121c3172d9460fa1a74b8896527
      https://github.com/WebKit/WebKit/commit/ea0f777ada85b121c3172d9460fa1a74b8896527
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/HTMLFormElement/form-removed-during-parsing-crash-expected.txt
    A LayoutTests/fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/FormAssociatedElement.cpp

  Log Message:
  -----------
  Merge r217473 - imported/w3c/web-platform-tests/html/semantics/forms/form-control-infrastructure/form_owner_and_table_2.html is crashing
https://bugs.webkit.org/show_bug.cgi?id=172628
<rdar://problem/32418707>

Reviewed by Sam Weinig.

Source/WebCore:

In the event where a form is removed synchronously by a script during parsing,
FormAssociatedElement::m_formSetByParser may end up referring to a form that
is no longer in the document. As a result, we should make sure m_formSetByParser
is still connected in FormAssociatedElement::insertedInto() before we call
FormAssociatedElement::setForm(m_formSetByParser).

Test: fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html

* html/FormAssociatedElement.cpp:
(WebCore::FormAssociatedElement::insertedInto):

LayoutTests:

Add reduced test case.

* TestExpectations:
Unskip test that is no longer crashing in debug builds.

* fast/dom/HTMLFormElement/form-removed-during-parsing-crash-expected.txt: Added.
* fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html: Added.


  Commit: 028b3d852023d7660d482cf5784a3f691267af18
      https://github.com/WebKit/WebKit/commit/028b3d852023d7660d482cf5784a3f691267af18
  Author: Youenn Fablet <youenn at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/loader/DocumentThreadableLoader.cpp
    M Source/WebCore/loader/DocumentThreadableLoader.h
    M Source/WebCore/loader/SubresourceLoader.cpp

  Log Message:
  -----------
  Merge r217494 - Minor clean-up related to DocumentThreadableLoader redirections
https://bugs.webkit.org/show_bug.cgi?id=172647

Patch by Youenn Fablet <youenn at apple.com> on 2017-05-26
Reviewed by Chris Dumez.

No change of behavior.

Decrementing m_options redirect count directly instead of using an
additional counter.

To compare whether two URLs are same-origin, use scheme+host+port check
as per the spec.
This is fine as only the initial origin may have specific rules and we
are using the scheme+host+port checks when already being gone to
another origin.

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived):
* loader/DocumentThreadableLoader.h:
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):


  Commit: c1f6364d585d0e86419973bf57c46221a41c56c4
      https://github.com/WebKit/WebKit/commit/c1f6364d585d0e86419973bf57c46221a41c56c4
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/FloatRect.cpp
    M Tools/ChangeLog

  Log Message:
  -----------
  Merge r217521 - enclosingIntRect returns a rect with -1 width/height when the input FloatRect overflows integer.
https://bugs.webkit.org/show_bug.cgi?id=172676

Reviewed by Simon Fraser.

Source/WebCore:

Clamp integer values soon after the enclosing rectangle is resolved.

* platform/graphics/FloatRect.cpp:
(WebCore::enclosingIntRect):

Tools:

* TestWebKitAPI/Tests/WebCore/FloatRect.cpp:
(TestWebKitAPI::TEST):
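An added example, not WebKit's FloatRect code: an enclosingIntRect() that resolves the edges in double, clamps each edge to the int range, and only then derives width and height with saturating subtraction, so an input that overflows int yields a clamped rect with a non-negative size instead of -1. The FloatRect and IntRect structs, the NaN handling and the constructed inputs in the test are assumptions of this illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

struct FloatRect { float x, y, width, height; };
struct IntRect   { int x, y, width, height; };

// Saturate a double into [INT_MIN, INT_MAX]. NaN maps to 0 (an assumption of this example).
static int clampToInt(double v) {
    const double lo = static_cast<double>(std::numeric_limits<int>::min());
    const double hi = static_cast<double>(std::numeric_limits<int>::max());
    if (std::isnan(v)) return 0;
    if (v <= lo) return std::numeric_limits<int>::min();
    if (v >= hi) return std::numeric_limits<int>::max();
    return static_cast<int>(v);
}

// hi - lo can exceed INT_MAX once both edges are clamped, so subtract in 64 bits and saturate.
static int saturatingDiff(int hi, int lo) {
    int64_t d = static_cast<int64_t>(hi) - static_cast<int64_t>(lo);
    if (d > std::numeric_limits<int>::max()) return std::numeric_limits<int>::max();
    if (d < std::numeric_limits<int>::min()) return std::numeric_limits<int>::min();
    return static_cast<int>(d);
}

IntRect enclosingIntRect(const FloatRect& r) {
    // Resolve the edges in double so the additions themselves cannot lose range.
    double left   = std::floor(static_cast<double>(r.x));
    double top    = std::floor(static_cast<double>(r.y));
    double right  = std::ceil(static_cast<double>(r.x) + static_cast<double>(r.width));
    double bottom = std::ceil(static_cast<double>(r.y) + static_cast<double>(r.height));

    // Clamp each edge as soon as it is resolved, then derive the size from the clamped edges.
    int l = clampToInt(left);
    int t = clampToInt(top);
    int rgt = clampToInt(right);
    int b = clampToInt(bottom);
    return IntRect{ l, t, saturatingDiff(rgt, l), saturatingDiff(b, t) };
}

// Convenience for callers that only care whether the result is a usable rect.
bool hasNonNegativeSize(const IntRect& r) {
    return r.width >= 0 && r.height >= 0;
}
```

The ordering is the whole point: converting an out-of-range double to int is undefined behaviour in C++, and computing width from unclamped edges is what produced the -1 the bug title describes, so the clamp has to happen before both the conversion and the subtraction.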


  Commit: f8ab115d5388dd1e3c60b0471452458cec17a818
      https://github.com/WebKit/WebKit/commit/f8ab115d5388dd1e3c60b0471452458cec17a818
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/gtk/WebPopupMenuProxyGtk.cpp

  Log Message:
  -----------
  Merge r215188 - [GTK] Opening a popup menu does not pre-select the active item
https://bugs.webkit.org/show_bug.cgi?id=170680

Patch by Adrian Perez de Castro <aperez at igalia.com> on 2017-04-10
Reviewed by Michael Catanzaro.

* UIProcess/gtk/WebPopupMenuProxyGtk.cpp:
(WebKit::WebPopupMenuProxyGtk::showPopupMenu): Use gtk_menu_shell_select_item() to
ensure that the active item appears selected right after popping up the menu.


  Commit: 40ddbe3f2809a52a8c050d7ae1bf373583446525
      https://github.com/WebKit/WebKit/commit/40ddbe3f2809a52a8c050d7ae1bf373583446525
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/platform/gtk/fast/forms/menulist-typeahead-find.html

  Log Message:
  -----------
  Merge r217554 - [GTK] Test cases for typehead in form menu lists should start from known state
https://bugs.webkit.org/show_bug.cgi?id=171792

Reviewed by Carlos Garcia Campos.

Since r215188 opening a popup menu in a form pre-selects the active
element to mimic GtkComboBox behavior, but the layout test implicitly
assumed that type ahead search always started at the beginning of the
list, which is no longer true now that GTK+ is informed of which one
is the active element.

* platform/gtk/fast/forms/menulist-typeahead-find.html: Reset menu
list to the initial state (no element selected, unfocused) at the
beginning of testTypeAheadFunction().


  Commit: 82451a32a382b1cb1f50f1bc5bfdb6e4f4763c06
      https://github.com/WebKit/WebKit/commit/82451a32a382b1cb1f50f1bc5bfdb6e4f4763c06
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/gtk/WebContextMenuProxyGtk.cpp
    M Source/WebKit2/UIProcess/gtk/WebPopupMenuProxyGtk.cpp
    M Tools/ChangeLog
    M Tools/MiniBrowser/gtk/BrowserSearchBar.c

  Log Message:
  -----------
  Merge r215190 - [GTK] Misplaced right click menu on web page due to deprecated gtk_menu_popup()
https://bugs.webkit.org/show_bug.cgi?id=170553

Patch by Adrian Perez de Castro <aperez at igalia.com> on 2017-04-10
Reviewed by Michael Catanzaro.

Source/WebKit2:

Use gtk_menu_popup_at_pointer() and gtk_menu_popup_at_rect() when building with GTK+ 3.22 or
newer. This allows the Wayland GTK+ backend to properly position popup menus, and also avoids
using functions which were deprecated starting at that GTK+ release.

* UIProcess/gtk/WebContextMenuProxyGtk.cpp:
(WebKit::WebContextMenuProxyGtk::show): Use gtk_menu_popup_at_pointer() as there is always a
pointer event that can be passed to it.
* UIProcess/gtk/WebPopupMenuProxyGtk.cpp:
(WebKit::WebPopupMenuProxyGtk::showPopupMenu): Use gtk_menu_popup_at_rect(), using the coordinates
of the control passed as reference rectangle. Some conditional code is needed because with newer
GTK+ versions a relative offset instead of an absolute position is needed.

Tools:

Use gtk_menu_popup_at_pointer() and gtk_menu_popup_at_rect() when
building with GTK+ 3.22 or newer. This allows the Wayland GTK+ backend
to properly position popup menus, and also avoids using functions
which were deprecated starting at that GTK+ release.

* MiniBrowser/gtk/BrowserSearchBar.c:
(searchEntryMenuIconPressedCallback):
Update MiniBrowser to use gtk_menu_popup_at_pointer().


  Commit: 39bf878566e6a7bfc2b98d917d4040c54b4363be
      https://github.com/WebKit/WebKit/commit/39bf878566e6a7bfc2b98d917d4040c54b4363be
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/gtk/WebPopupMenuProxyGtk.cpp

  Log Message:
  -----------
  Merge r215225 - [GTK] Attach popup menu to web view widget
https://bugs.webkit.org/show_bug.cgi?id=145866

Use gtk_menu_attach_to_widget() to let GTK+ know that popup menus belong to a certain web view.
This improves the positioning choices that the toolkit can do, and solves a long-standing issue
that caused long popup menus to hang outside of the available display area under Wayland.

Based on a patch by Jonas Ådahl <jadahl at gmail.com>.

Patch by Adrian Perez de Castro <aperez at igalia.com> on 2017-04-11
Reviewed by Carlos Garcia Campos.

* UIProcess/gtk/WebPopupMenuProxyGtk.cpp:
(WebKit::WebPopupMenuProxyGtk::showPopupMenu):


  Commit: af483010b06a2514672874a2f5cbd1a52f8813ce
      https://github.com/WebKit/WebKit/commit/af483010b06a2514672874a2f5cbd1a52f8813ce
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/editing/selection/5354455-1.html
    M LayoutTests/fast/events/context-activated-by-key-event.html
    M LayoutTests/fast/events/script-tests/mouse-click-events.js
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/WebPage/WebPage.cpp
    M Tools/ChangeLog
    M Tools/WebKitTestRunner/InjectedBundle/EventSendingController.cpp
    M Tools/WebKitTestRunner/gtk/EventSenderProxyGtk.cpp

  Log Message:
  -----------
  Merge r218106 - [GTK] Stop dismissing menus attached to the web view for every injected event
https://bugs.webkit.org/show_bug.cgi?id=172708

Reviewed by Alex Christensen.

Source/WebKit2:

To actually simulate a right-click event we should also send the button release after the press, and let the page
handle the events in addition to sending the event to the context menu controller, like we do with normal
events. So, this is mostly the same as a real right-click event but without actually showing the menu.

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::contextMenuAtPointInWindow):

Tools:

It's a workaround we added in r184015 that has worked so far for the context menu, but doesn't really work now
that we also attach popup menus to the web view. We really need to be able to show a popup menu, and then send
events while the menu is open.

* WebKitTestRunner/InjectedBundle/EventSendingController.cpp:
(WTR::EventSendingController::contextClick): Use WKBundlePageCopyContextMenuAtPointInWindow() also in GTK+ port.
* WebKitTestRunner/gtk/EventSenderProxyGtk.cpp:
(WTR::EventSenderProxy::dispatchEvent): Stop calling PlatformWebView::dismissAllPopupMenus().

LayoutTests:

* editing/selection/5354455-1.html: No need to click on editable area to focus it, contextClick already focuses
it, we even have another test to ensure it. Those fast clicks were causing a double click in GTK+ port which
selected the whole line. We don't need to dismiss the context menu either, because contextClick() doesn't really
show the menu.
* fast/events/context-activated-by-key-event.html: Dismiss the context menu every time we show it.
* fast/events/mouse-click-events.html: Dismiss the context menu when testing right click events.


  Commit: 9931a5ff467b6b2fc6a27eb77ce7897f76655f54
      https://github.com/WebKit/WebKit/commit/9931a5ff467b6b2fc6a27eb77ce7897f76655f54
  Author: Jeremy Jones <jeremyj at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/HTMLMediaElement.cpp

  Log Message:
  -----------
  Merge r217581 - m_resourceSelectionTaskQueue tasks should be cleared when player is destroyed to prevent invalid state.
https://bugs.webkit.org/show_bug.cgi?id=172726
rdar://problem/30867764

Patch by Jeremy Jones <jeremyj at apple.com> on 2017-05-30
Reviewed by Eric Carlson.

I haven't found a reproducible way to make a test case for this race condition.

If m_player is cleared while there is an outstanding task in m_resourceSelectionTaskQueue,
that task may assume m_player is not null and crash. It is better to cancel that task than
to perform it part way with null checks.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::~HTMLMediaElement):
(WebCore::HTMLMediaElement::clearMediaPlayer):


  Commit: 52d229b7c4223c15272e4447415007ce23032859
      https://github.com/WebKit/WebKit/commit/52d229b7c4223c15272e4447415007ce23032859
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/FrameView.cpp

  Log Message:
  -----------
  Merge r217588 - ASSERTION FAILED: m_layoutPhase == InPostLayerPositionsUpdatedAfterLayout || m_layoutPhase == OutsideLayout
https://bugs.webkit.org/show_bug.cgi?id=171501
<rdar://problem/31977453>

Reviewed by Simon Fraser.

We should be able to paint as long as the tree is clean and we are in paintable state.

* page/FrameView.cpp:
(WebCore::FrameView::paintContents):


  Commit: 0d2636fd99da2a5613e2d2f1b4b699e2e3816574
      https://github.com/WebKit/WebKit/commit/0d2636fd99da2a5613e2d2f1b4b699e2e3816574
  Author: Dan Bernstein <mitz at webkit.org>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/page/FrameView.h

  Log Message:
  -----------
  Merge r217589 - Fixed the build after r217588.

* page/FrameView.h: Stopped exporting a function defined inline.


  Commit: 110367654b4a7dbc267f828c4522f23ecef625a0
      https://github.com/WebKit/WebKit/commit/110367654b4a7dbc267f828c4522f23ecef625a0
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/URL.cpp

  Log Message:
  -----------
  Merge r217682 - Make WebCore::defaultPortForProtocol() thread-safe
https://bugs.webkit.org/show_bug.cgi?id=172797

Reviewed by Brent Fulgham.

Make WebCore::defaultPortForProtocol() thread-safe since it is called from the SecurityOrigin
constructor and SecurityOrigin objects are constructed from various threads.

This should not regress the non-testing code paths since we only pay locking costs if
a default port override has been set by the tests.

* platform/URL.cpp:
(WebCore::defaultPortForProtocolMapLock):
(WebCore::defaultPortForProtocolMapForTesting):
(WebCore::ensureDefaultPortForProtocolMapForTesting):
(WebCore::registerDefaultPortForProtocolForTesting):
(WebCore::clearDefaultPortForProtocolMapForTesting):
(WebCore::defaultPortForProtocol):
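An added example, not WebKit code, that puts together this commit and the r217494 DocumentThreadableLoader clean-up above: a defaultPortForProtocol() whose test-only override table is guarded by a mutex and is not even consulted (no lock taken) until a test registers an override, and a same-origin check that compares scheme, host and effective port. The parseOrigin() helper, the Origin struct and the built-in default-port table are assumptions made for this illustration; the parser accepts only ASCII "scheme://host[:port][/path]" URLs without userinfo or IPv6 literals.

```cpp
#include <atomic>
#include <cctype>
#include <map>
#include <mutex>
#include <optional>
#include <string>

using Port = std::optional<unsigned short>;

// Built-in defaults are immutable after startup, so reading them needs no lock.
static Port builtinDefaultPort(const std::string& scheme) {
    if (scheme == "http" || scheme == "ws") return 80;
    if (scheme == "https" || scheme == "wss") return 443;
    if (scheme == "ftp") return 21;
    return std::nullopt;
}

// Test-only overrides are mutable and reachable from any thread that builds an
// origin, so every access goes through one lock. The atomic flag lets the
// non-testing path skip the lock entirely.
static std::mutex& overrideMapLock() { static std::mutex lock; return lock; }
static std::map<std::string, unsigned short>& overrideMap() {
    static std::map<std::string, unsigned short> map; return map;
}
static std::atomic<bool> s_hasOverrides{false};

void registerDefaultPortForProtocolForTesting(const std::string& scheme, unsigned short port) {
    std::lock_guard<std::mutex> guard(overrideMapLock());
    overrideMap()[scheme] = port;
    s_hasOverrides.store(true, std::memory_order_release);
}

void clearDefaultPortForProtocolMapForTesting() {
    std::lock_guard<std::mutex> guard(overrideMapLock());
    overrideMap().clear();
    s_hasOverrides.store(false, std::memory_order_release);
}

Port defaultPortForProtocol(const std::string& scheme) {
    if (s_hasOverrides.load(std::memory_order_acquire)) {
        std::lock_guard<std::mutex> guard(overrideMapLock());
        auto it = overrideMap().find(scheme);
        if (it != overrideMap().end()) return it->second;
    }
    return builtinDefaultPort(scheme);
}

// Minimal origin: scheme, host and the explicit port if the URL carried one.
struct Origin { std::string scheme; std::string host; Port port; };

static std::string toLower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Hypothetical parser for "scheme://host[:port][/path]"; rejects malformed ports.
std::optional<Origin> parseOrigin(const std::string& url) {
    size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos || schemeEnd == 0) return std::nullopt;
    size_t hostStart = schemeEnd + 3;
    size_t authorityEnd = url.find('/', hostStart);
    std::string authority = url.substr(hostStart,
        authorityEnd == std::string::npos ? std::string::npos : authorityEnd - hostStart);
    Origin origin;
    origin.scheme = toLower(url.substr(0, schemeEnd));
    size_t colon = authority.rfind(':');
    if (colon != std::string::npos) {
        std::string digits = authority.substr(colon + 1);
        if (digits.empty() || digits.size() > 5
            || digits.find_first_not_of("0123456789") != std::string::npos) return std::nullopt;
        unsigned long port = std::stoul(digits);
        if (port > 65535) return std::nullopt;
        origin.port = static_cast<unsigned short>(port);
        authority.erase(colon);
    }
    if (authority.empty()) return std::nullopt;
    origin.host = toLower(authority);
    return origin;
}

// Effective port: the explicit one, else the scheme's default (override-aware).
static Port effectivePort(const Origin& o) { return o.port ? o.port : defaultPortForProtocol(o.scheme); }

// Same-origin as the r217494 change describes it: scheme, host and port must all match.
bool isSameOrigin(const Origin& a, const Origin& b) {
    return a.scheme == b.scheme && a.host == b.host && effectivePort(a) == effectivePort(b);
}

bool sameOriginUrls(const std::string& a, const std::string& b) {
    auto oa = parseOrigin(a);
    auto ob = parseOrigin(b);
    return oa && ob && isSameOrigin(*oa, *ob);
}
```

Comparing effective rather than literal ports is what makes "https://example.com" and "https://example.com:443" the same origin, and it is also why the default-port lookup sits on the origin-construction path and therefore has to be safe to call from any thread, as the commit says.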


  Commit: 8fd72f198823cc543e55f86eedde898e0bddc159
      https://github.com/WebKit/WebKit/commit/8fd72f198823cc543e55f86eedde898e0bddc159
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp

  Log Message:
  -----------
  Merge r217695 - REGRESSION (r206386): Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255
https://bugs.webkit.org/show_bug.cgi?id=172846
<rdar://problem/31093005>

Reviewed by Andreas Kling.

In NPJSObject::invoke(), return early if there was an exception when calling JSC::call().
Using the value returned by JSC::call() when an exception occurred is unsafe.

* WebProcess/Plugins/Netscape/NPJSObject.cpp:
(WebKit::NPJSObject::invoke):


  Commit: 52819836b971fd7a1ab4c1a42f318471c95aa52c
      https://github.com/WebKit/WebKit/commit/52819836b971fd7a1ab4c1a42f318471c95aa52c
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp

  Log Message:
  -----------
  Merge r217729 - REGRESSION (r206386): Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255
https://bugs.webkit.org/show_bug.cgi?id=172846
<rdar://problem/31093005>

Reviewed by Mark Lam.

Follow-up to r217695 to deal with exceptions potentially thrown by
NPRuntimeObjectMap::convertJSValueToNPVariant() as well.

* WebProcess/Plugins/Netscape/NPJSObject.cpp:
(WebKit::NPJSObject::invoke):


  Commit: deba90285757228dfae44c1bcf4590ec5f84df64
      https://github.com/WebKit/WebKit/commit/deba90285757228dfae44c1bcf4590ec5f84df64
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/PlatformGTK.cmake
    M Source/WebCore/platform/gtk/RenderThemeGadget.cpp
    M Source/WebCore/platform/gtk/RenderThemeGadget.h
    A Source/WebCore/platform/gtk/RenderThemeWidget.cpp
    A Source/WebCore/platform/gtk/RenderThemeWidget.h
    M Source/WebCore/platform/gtk/ScrollbarThemeGtk.cpp
    M Source/WebCore/rendering/RenderThemeGtk.cpp

  Log Message:
  -----------
  Merge r217702 - [GTK] Cache RenderThemeGadget hierarchies for rendering themed elements with GTK+ 3.20+
https://bugs.webkit.org/show_bug.cgi?id=162673

Reviewed by Michael Catanzaro.

Because of the way the new theming system works in GTK+ >= 3.20 we are currently creating a gadget hierarchy
every time we need to render a styled element or get layout information about it. That's happening on every
repaint, and it's specially problematic for overlay scrollbar indicators that fade in/out when shown/hidden. We
need to cache the gadgets and simply apply the state before every paint or layout query. When using GtkWidgetPath,
calling gtk_style_context_save() breaks the gadget hierarchy, and style classes need to be set when building the
GtkWidgetPath. That means we can't cache RenderThemeGadgets, call save, apply style classes and state, and then
call restore. We need to cache gadget hierarchies with fixed style classes. Fortunately, setting the state does
work, so we don't need to also cache a different hierarchy for every possible state. For example, for the
particular case of scrollbars we would cache VerticalScrollbarRight, VerticalScrollbarLeft, HorizontalScrollbar,
VerticalScrollIndicatorRight, VerticalScrollIndicatorLeft and HorizontalScrollIndicator. In practice, we will
only have 4 of those at the same time in the cache.
This patch adds RenderThemeWidget to represent a hierarchy of gadgets with fixed style classes that can be
cached and reused to render or query style of those "widgets". It also simplifies the RenderThemeGtk and
ScrollbarThemeGtk code by removing a lot of duplicated code to build the gadget hierarchies.

* PlatformGTK.cmake:
* platform/gtk/RenderThemeGadget.cpp:
(WebCore::createStyleContext):
(WebCore::appendElementToPath):
(WebCore::RenderThemeGadget::state):
(WebCore::RenderThemeGadget::setState):
* platform/gtk/RenderThemeGadget.h:
* platform/gtk/RenderThemeWidget.cpp: Added.
(WebCore::widgetMap):
(WebCore::RenderThemeWidget::getOrCreate):
(WebCore::RenderThemeWidget::clearCache):
(WebCore::RenderThemeWidget::~RenderThemeWidget):
(WebCore::RenderThemeScrollbar::RenderThemeScrollbar):
(WebCore::RenderThemeScrollbar::stepper):
(WebCore::RenderThemeToggleButton::RenderThemeToggleButton):
(WebCore::RenderThemeButton::RenderThemeButton):
(WebCore::RenderThemeComboBox::RenderThemeComboBox):
(WebCore::RenderThemeEntry::RenderThemeEntry):
(WebCore::RenderThemeSearchEntry::RenderThemeSearchEntry):
(WebCore::RenderThemeSpinButton::RenderThemeSpinButton):
(WebCore::RenderThemeSlider::RenderThemeSlider):
(WebCore::RenderThemeProgressBar::RenderThemeProgressBar):
(WebCore::RenderThemeListView::RenderThemeListView):
(WebCore::RenderThemeIcon::RenderThemeIcon):
* platform/gtk/RenderThemeWidget.h: Added.
(WebCore::RenderThemeEntry::entry):
(WebCore::RenderThemeEntry::selection):
* platform/gtk/ScrollbarThemeGtk.cpp:
(WebCore::ScrollbarThemeGtk::themeChanged):
(WebCore::ScrollbarThemeGtk::updateThemeProperties):
(WebCore::widgetTypeForScrollbar):
(WebCore::contentsRectangle):
(WebCore::ScrollbarThemeGtk::trackRect):
(WebCore::ScrollbarThemeGtk::backButtonRect):
(WebCore::ScrollbarThemeGtk::forwardButtonRect):
(WebCore::ScrollbarThemeGtk::paint):
(WebCore::ScrollbarThemeGtk::scrollbarThickness):
(WebCore::ScrollbarThemeGtk::minimumThumbLength):
* rendering/RenderThemeGtk.cpp:
(WebCore::createStyleContext):
(WebCore::setToggleSize):
(WebCore::paintToggle):
(WebCore::RenderThemeGtk::paintButton):
(WebCore::menuListColor):
(WebCore::RenderThemeGtk::popupInternalPaddingBox):
(WebCore::RenderThemeGtk::paintMenuList):
(WebCore::RenderThemeGtk::adjustTextFieldStyle):
(WebCore::RenderThemeGtk::paintTextField):
(WebCore::adjustSearchFieldIconStyle):
(WebCore::paintSearchFieldIcon):
(WebCore::RenderThemeGtk::paintSliderTrack):
(WebCore::RenderThemeGtk::adjustSliderThumbSize):
(WebCore::RenderThemeGtk::paintSliderThumb):
(WebCore::RenderThemeGtk::progressBarRectForBounds):
(WebCore::RenderThemeGtk::paintProgressBar):
(WebCore::RenderThemeGtk::adjustInnerSpinButtonStyle):
(WebCore::RenderThemeGtk::paintInnerSpinButton):
(WebCore::styleColor):
(WebCore::RenderThemeGtk::platformActiveSelectionBackgroundColor):
(WebCore::RenderThemeGtk::platformInactiveSelectionBackgroundColor):
(WebCore::RenderThemeGtk::platformActiveSelectionForegroundColor):
(WebCore::RenderThemeGtk::platformInactiveSelectionForegroundColor):
(WebCore::RenderThemeGtk::paintMediaButton):


  Commit: af175f85f0a8edcc098b0ee7887cca9e90a57142
      https://github.com/WebKit/WebKit/commit/af175f85f0a8edcc098b0ee7887cca9e90a57142
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h
    M Source/WebCore/platform/graphics/gstreamer/VideoSinkGStreamer.cpp

  Log Message:
  -----------
  Merge r217786 - [GStreamer] Deadlock in MediaPlayerPrivateGStreamer::changePipelineState, web process often locks up on seeking in a youtube video that has already fully buffered
https://bugs.webkit.org/show_bug.cgi?id=170003

Reviewed by Michael Catanzaro.

When the video sink is requested to render a frame, the GstBaseSink preroll mutex is taken. Then the WebKit media player
schedules a repaint in the main thread, taking the draw mutex and waiting on the draw condition. It can happen that
before the repaint is done in the main thread, a pause is requested in the main thread, causing a state change
from PLAYING to PAUSE. When the state change reaches the video sink, gst_base_sink_change_state() tries to get
the preroll mutex. This causes a deadlock because the main thread is waiting to get the preroll mutex, but the
other thread is waiting for the main thread to do the repaint. GStreamer handles this case by calling unlock()
on the video sink before trying to get the preroll mutex, but the media player doesn't cancel the pending
repaint when using coordinated graphics. This patch adds a new signal to WebKitVideoSink, "repaint-cancelled", to
notify the media player to cancel the pending repaint.

* platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:
(WebCore::MediaPlayerPrivateGStreamerBase::cancelRepaint): Release the draw mutex and notify the condition.
(WebCore::MediaPlayerPrivateGStreamerBase::repaintCancelledCallback): Call cancelRepaint().
(WebCore::MediaPlayerPrivateGStreamerBase::createVideoSink): Connect to WebKitVideoSink::repaint-cancelled.
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h:
* platform/graphics/gstreamer/VideoSinkGStreamer.cpp:
(webkitVideoSinkRepaintCancelled): Emit WebKitVideoSink::repaint-cancelled.
(webkitVideoSinkUnlock): Call webkitVideoSinkRepaintCancelled().
(webkitVideoSinkStop): Ditto.
(webkit_video_sink_class_init): Add WebKitVideoSink::repaint-cancelled signal.


  Commit: af737adaee4dde987c9e1603453e2cb89a6c884a
      https://github.com/WebKit/WebKit/commit/af737adaee4dde987c9e1603453e2cb89a6c884a
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/ContainerNode.cpp
    M Source/WebCore/dom/Node.cpp
    M Source/WebCore/dom/Text.cpp

  Log Message:
  -----------
  Merge r217794 - Destroy the associated renderer subtree when display: contents node is deleted.
https://bugs.webkit.org/show_bug.cgi?id=172920
<rdar://problem/32446045>

Reviewed by Antti Koivisto.

Since display: contents node does not create a renderer, we need to explicitly check
and distinguish it from the display: none case.

Covered by existing tests.

* dom/ContainerNode.cpp:
(WebCore::destroyRenderTreeIfNeeded):
* dom/Node.cpp:
(WebCore::Node::~Node): Promote ASSERT(!renderer()) to ASSERT_WITH_SECURITY_IMPLICATION.
* dom/Text.cpp:
(WebCore::Text::~Text): Redundant assert. Text is a Node.


  Commit: a6f2f5f416076ce28e01446f8e5393115e08c28e
      https://github.com/WebKit/WebKit/commit/a6f2f5f416076ce28e01446f8e5393115e08c28e
  Author: Tomáš Popela <tpopela at redhat.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecode/PutByIdFlags.h

  Log Message:
  -----------
  Merge r217650 - RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
https://bugs.webkit.org/show_bug.cgi?id=170945

Patch by Tomas Popela <tpopela at redhat.com>, Mark Lam <mark.lam at apple.com> on 2017-06-01
Reviewed by Mark Lam.

Re-define PutByIdFlags as an int32_t enum explicitly because it is
stored as an int32_t value in UnlinkedInstruction.  This prevents
a bug on 64-bit big-endian architectures where the word order is
inverted (when we convert the UnlinkedInstruction into a CodeBlock
Instruction), resulting in the PutByIdFlags value not being stored in
the 32-bit word that the rest of the code expects it to be in.

* bytecode/PutByIdFlags.h:


  Commit: dec46249cc39e7e0a9afe4d4a8365c30b642972b
      https://github.com/WebKit/WebKit/commit/dec46249cc39e7e0a9afe4d4a8365c30b642972b
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/storage/domstorage/sessionstorage/set-item-synchronous-keydown-expected.txt
    A LayoutTests/storage/domstorage/sessionstorage/set-item-synchronous-keydown.html
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/Platform/IPC/Connection.cpp

  Log Message:
  -----------
  Merge r217810 - ASSERTION FAILED: RunLoop::isMain() in com.apple.WebKit: IPC::Connection::sendSyncMessage + 128
https://bugs.webkit.org/show_bug.cgi?id=172943
<rdar://problem/31288058>

Reviewed by Alexey Proskuryakov.

Source/WebKit2:

In Connection::sendMessage(), make sure we only ever transform asynchronous messages into synchronous
ones if sendMessage() is called on the main thread. This is necessary because we no longer support
sending synchronous messages from a background thread since r205125.

* Platform/IPC/Connection.cpp:
(IPC::Connection::sendMessage):
(IPC::Connection::sendSyncMessage):

LayoutTests:

Add better test coverage.

* storage/domstorage/sessionstorage/set-item-synchronous-keydown-expected.txt: Added.
* storage/domstorage/sessionstorage/set-item-synchronous-keydown.html: Added.


  Commit: e4b24e61eac6b25201dc0402843bf05c0bb0d7e5
      https://github.com/WebKit/WebKit/commit/e4b24e61eac6b25201dc0402843bf05c0bb0d7e5
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/storage/domstorage/sessionstorage/set-item-synchronous-keydown.html

  Log Message:
  -----------
  Merge r217813 - ASSERTION FAILED: RunLoop::isMain() in com.apple.WebKit: IPC::Connection::sendSyncMessage + 128
https://bugs.webkit.org/show_bug.cgi?id=172943
<rdar://problem/31288058>

Reviewed by Alexey Proskuryakov.

Make test clean a little bit more robust.

* storage/domstorage/sessionstorage/set-item-synchronous-keydown.html:


  Commit: 7403b9552d311313bf22d33810a8c8218e8d9041
      https://github.com/WebKit/WebKit/commit/7403b9552d311313bf22d33810a8c8218e8d9041
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/table/floating-table-sibling-is-invisible-expected.html
    A LayoutTests/fast/table/floating-table-sibling-is-invisible.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Merge r217848 - Safari doesn't load newest The Order of the Stick comic.
https://bugs.webkit.org/show_bug.cgi?id=172949
<rdar://problem/32389730>

Reviewed by Antti Koivisto.

Source/WebCore:

As part of the table layout, RenderTableSection::layoutRows calls the RenderTableCell's layout() directly
(skipping the RenderTableRow parent). If during this call the RenderTableCell (or any of its descendant) marks the ancestor
chain dirty, this dirty flag on the RenderTableRows will never be cleared and we'll end up early returning from RenderTableSection::paint.
For certain type of float objects, we need to invalidate the line layout path during layout (and we mark the ancestors dirty).
This patch takes a conservative approach and marks the ancestors dirty only when the renderer is not dirty yet, but
as part of webkit.org/b/172947 we should revisit and validate whether the setNeedsLayout() is required at all.

Test: fast/table/floating-table-sibling-is-invisible.html

* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::invalidateLineLayoutPath):

LayoutTests:

* fast/table/floating-table-sibling-is-invisible-expected.html: Added.
* fast/table/floating-table-sibling-is-invisible.html: Added.


  Commit: fe4969eee9c4f0a7e91e7ec0e732026a945e0386
      https://github.com/WebKit/WebKit/commit/fe4969eee9c4f0a7e91e7ec0e732026a945e0386
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/Plugins/PluginView.cpp

  Log Message:
  -----------
  Merge r217914 - Crash inside WebKit::PluginView::getAuthenticationInfo
https://bugs.webkit.org/show_bug.cgi?id=173083

Reviewed by Chris Dumez.

Added a null pointer check. The content document may have gone away by the time we get there from IPC.

* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::getAuthenticationInfo):


  Commit: 0c86a588a6a24e8ac838639950e44605a651a5fb
      https://github.com/WebKit/WebKit/commit/0c86a588a6a24e8ac838639950e44605a651a5fb
  Author: Xabier Rodriguez-Calvar <calvaris at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/media/media-source/media-source-overlapping-append-expected.txt
    M LayoutTests/media/media-source/media-source-overlapping-decodetime-expected.txt
    M LayoutTests/media/media-source/media-source-seek-back-expected.txt
    M LayoutTests/media/media-source/media-source-sequence-timestamps-expected.txt
    M LayoutTests/media/media-source/media-source-timeoffset-expected.txt
    M Source/WTF/ChangeLog
    M Source/WTF/wtf/MediaTime.cpp

  Log Message:
  -----------
  Merge r217928 - MediaTime class has rounding issues in different platforms
https://bugs.webkit.org/show_bug.cgi?id=172640

Reviewed by Jer Noble.

Source/WTF:

The way a timescale is set when creating a MediaTime from a double
can create rounding issues on different platforms because some of
them round and others truncate. This way we ensure a common
behavior.

Dumping MediaTimes is also confusing: from the output you don't
know whether it contains a double or a fraction. Now, if it
contains a double, it only prints the double, because printing the
fraction is misleading (it currently prints the double read as an
integer), and if it contains a fraction it shows the fraction and
its double representation separated by an = instead of a ,.

* wtf/MediaTime.cpp:
(WTF::MediaTime::createWithDouble): When creating MediaTime from
double, we round instead of leaving it to the cast operation.
(WTF::MediaTime::dump):

LayoutTests:

Update expectations because the MediaTime printing changed, but
results are the same.

* media/media-source/media-source-overlapping-append-expected.txt:
* media/media-source/media-source-overlapping-decodetime-expected.txt:
* media/media-source/media-source-seek-back-expected.txt:
* media/media-source/media-source-sequence-timestamps-expected.txt:
* media/media-source/media-source-timeoffset-expected.txt:


  Commit: 61ca3de4a25a1506ba21faffd2b0494391df9544
      https://github.com/WebKit/WebKit/commit/61ca3de4a25a1506ba21faffd2b0494391df9544
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/editing/inserting/insert-horizontal-rule-in-empty-document-crash-expected.txt
    A LayoutTests/editing/inserting/insert-horizontal-rule-in-empty-document-crash.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp

  Log Message:
  -----------
  Merge r217958 - Crash inside InsertNodeBeforeCommand via InsertParagraphSeparatorCommand
https://bugs.webkit.org/show_bug.cgi?id=173085
Source/WebCore:

<rdar://problem/32575059>

Reviewed by Wenson Hsieh.

The crash was caused by the condition to check for special cases failing when visiblePos is null.
Exit early in these extreme cases.

Also replaced the use of deprecatedNode and deprecatedEditingOffset to modern idioms.

Test: editing/inserting/insert-horizontal-rule-in-empty-document-crash.html

* editing/InsertParagraphSeparatorCommand.cpp:
(WebCore::InsertParagraphSeparatorCommand::doApply):

LayoutTests:

Reviewed by Wenson Hsieh.

Added a regression test.

* editing/inserting/insert-horizontal-rule-in-empty-document-crash-expected.txt: Added.
* editing/inserting/insert-horizontal-rule-in-empty-document-crash.html: Added.


  Commit: 695e0de26279a1d53e11e0b01272aa02a2048cd5
      https://github.com/WebKit/WebKit/commit/695e0de26279a1d53e11e0b01272aa02a2048cd5
  Author: Brady Eidson <beidson at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/storage/indexeddb/modern/resources/worker-getall.js
    A LayoutTests/storage/indexeddb/modern/worker-getall-expected.txt
    A LayoutTests/storage/indexeddb/modern/worker-getall.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/Modules/indexeddb/IDBGetAllResult.cpp
    M Source/WebCore/Modules/indexeddb/IDBGetAllResult.h
    M Source/WebCore/Modules/indexeddb/shared/IDBResultData.cpp

  Log Message:
  -----------
  Merge r218041 - Crash when IndexedDB's getAll is used inside a Web Worker.
https://bugs.webkit.org/show_bug.cgi?id=172434

Reviewed by Andy Estes.

Source/WebCore:

Test: storage/indexeddb/modern/worker-getall.html

* Modules/indexeddb/IDBGetAllResult.cpp:
(WebCore::IDBGetAllResult::IDBGetAllResult): Add an isolated-copying constructor.
(WebCore::IDBGetAllResult::isolatedCopy):
* Modules/indexeddb/IDBGetAllResult.h:

* Modules/indexeddb/shared/IDBResultData.cpp:
(WebCore::IDBResultData::isolatedCopy): Actually copy the IDBGetAllResult.

LayoutTests:

* storage/indexeddb/modern/resources/worker-getall.js: Added.
* storage/indexeddb/modern/worker-getall-expected.txt: Added.
* storage/indexeddb/modern/worker-getall.html: Added.


  Commit: 3df6196de8c81b883df395ec657958749c7dd364
      https://github.com/WebKit/WebKit/commit/3df6196de8c81b883df395ec657958749c7dd364
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/WebProcess/Plugins/PluginView.cpp

  Log Message:
  -----------
  Merge r218046 - Crash inside WebKit::PluginView::getAuthenticationInfo
https://bugs.webkit.org/show_bug.cgi?id=173083
<rdar://problem/32513144>

Address Darin's review comment.

* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::getAuthenticationInfo):


  Commit: d11f57a7964e4afd878eff08311e73c4dd3db6f1
      https://github.com/WebKit/WebKit/commit/d11f57a7964e4afd878eff08311e73c4dd3db6f1
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp
    M Source/WebKit2/UIProcess/API/gtk/WebKitDownload.cpp
    M Source/WebKit2/UIProcess/API/gtk/WebKitDownloadClient.cpp
    M Source/WebKit2/UIProcess/API/gtk/WebKitDownloadPrivate.h
    M Tools/ChangeLog
    M Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestDownloads.cpp

  Log Message:
  -----------
  Merge r218185 - [GTK] Blob download doesn't work
https://bugs.webkit.org/show_bug.cgi?id=172442

Reviewed by Carlos Alberto Lopez Perez.

Source/WebKit2:

GTK+ API uses URIs for download destination paths, and passes those URIs to the WebKit internals. But WebKit
expects the download destination location to be a local path. This is not a problem for normal downloads, because
the soup backend handles the cases of the download destination being a URI or a path. For blob downloads
NetworkDataTaskBlob is used, and it always expects the download destination to be a local path, failing in
FileSystem::openFile() when a URI is passed. We need to keep using local files internally and convert to URIs
only when exposing those paths to the API.

* NetworkProcess/soup/NetworkDataTaskSoup.cpp:
(WebKit::NetworkDataTaskSoup::download): Stop handling URIs here, we should always expect local files.
* UIProcess/API/gtk/WebKitDownload.cpp:
(webkitDownloadDecideDestinationWithSuggestedFilename): Convert destination URI to filename before passing it to DownloadClient.
(webkitDownloadDestinationCreated): Convert the destination path to a URI before passing it to WebKitDownload::created-destination signal.
* UIProcess/API/gtk/WebKitDownloadClient.cpp:
* UIProcess/API/gtk/WebKitDownloadPrivate.h:

Tools:

Add a unit test to check blob downloads.

* TestWebKitAPI/Tests/WebKit2Gtk/TestDownloads.cpp:
(testBlobDownload):
(beforeAll):


  Commit: 9baba1d47ef64aec35c32b36bb097663aeefb695
      https://github.com/WebKit/WebKit/commit/9baba1d47ef64aec35c32b36bb097663aeefb695
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/HTMLMediaElement.cpp

  Log Message:
  -----------
  Merge r218190 - Protect lifetime of media element during HTMLMediaElement::notifyAboutPlaying()
https://bugs.webkit.org/show_bug.cgi?id=173320
<rdar://problem/32590276>

Reviewed by Brent Fulgham.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::notifyAboutPlaying):


  Commit: 3005ce710802f633f5546e49ff11ecc59f3cc726
      https://github.com/WebKit/WebKit/commit/3005ce710802f633f5546e49ff11ecc59f3cc726
  Author: Miguel Gomez <magomez at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/ImageBackingStore.h
    M Source/WebCore/platform/image-decoders/cairo/ImageBackingStoreCairo.cpp

  Log Message:
  -----------
  Merge r218253 - REGRESSION(r216901): ImageDecoders: rendering of large images is broken since r216901
https://bugs.webkit.org/show_bug.cgi?id=172502

Reviewed by Carlos Garcia Campos.

When using GTK and WPE image decoders, the decoded frames are stored inside a Vector of
ImageFrames inside the decoders. These ImageFrames have an ImageBackingStore with the
pixels. When a NativeImagePtr is requested, a cairo surface is created from the data
in those ImageBackingStores, but the data keeps being owned by the backing stores. Due
to this, if the decoder that created the image gets destroyed, the backing stores for
the decoded frames get destroyed as well, causing the cairo surfaces that were using
that data to contain garbage (and potentially cause a crash).

To fix this, we change ImageBackingStore so the pixels are stored in a SharedBuffer. The
buffer will be reffed every time a cairo surface is created with it, and the cairo surfaces
will unref the buffer when they are destroyed. This way, the pixel data won't be freed
while there are cairo surfaces using it.

No new tests, no behaviour change.

* platform/graphics/ImageBackingStore.h:
(WebCore::ImageBackingStore::setSize):
(WebCore::ImageBackingStore::ImageBackingStore):
* platform/image-decoders/cairo/ImageBackingStoreCairo.cpp:
(WebCore::ImageBackingStore::image):


  Commit: 0e9ac9758b5a00cbda106741e1e7d721ae54e896
      https://github.com/WebKit/WebKit/commit/0e9ac9758b5a00cbda106741e1e7d721ae54e896
  Author: Konstantin Tokarev <annulen at yandex.ru>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/ConsoleClient.cpp

  Log Message:
  -----------
  Merge r218392 - REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
https://bugs.webkit.org/show_bug.cgi?id=173470

Reviewed by Joseph Pecoraro.

ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
const char* overload of StringBuilder::append() that assumes Latin1
encoding, not UTF8.

* runtime/ConsoleClient.cpp:
(JSC::ConsoleClient::printConsoleMessageWithArguments):


  Commit: 92f1b3b3159b0ef50bd4d42a5876b878b1fcef29
      https://github.com/WebKit/WebKit/commit/92f1b3b3159b0ef50bd4d42a5876b878b1fcef29
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/accessibility/mac/alt-for-css-content-expected.txt
    M LayoutTests/accessibility/mac/webkit-alt-for-css-content-expected.txt
    M LayoutTests/editing/pasteboard/cjk-line-height-expected.txt
    M LayoutTests/fast/css/alt-inherit-initial-expected.txt
    M LayoutTests/fast/css/alt-inherit-initial.html
    M LayoutTests/fast/css/content-language-comma-separated-list-expected.txt
    M LayoutTests/fast/css/content-language-empty-expected.txt
    M LayoutTests/fast/css/content-language-only-whitespace-expected.txt
    M LayoutTests/fast/css/content-language-with-whitespace-expected.txt
    M LayoutTests/fast/css/counters/counter-cssText-expected.txt
    M LayoutTests/fast/css/counters/counter-cssText.html
    M LayoutTests/fast/css/font-family-trailing-bracket-gunk-expected.txt
    M LayoutTests/fast/css/font-family-trailing-bracket-gunk.html
    M LayoutTests/fast/css/getComputedStyle/computed-style-font-family-expected.txt
    M LayoutTests/fast/css/getComputedStyle/computed-style-properties-expected.txt
    M LayoutTests/fast/css/getComputedStyle/computed-style-properties.html
    M LayoutTests/fast/css/getComputedStyle/font-family-fallback-reset-expected.txt
    M LayoutTests/fast/css/getComputedStyle/script-tests/font-family-fallback-reset.js
    M LayoutTests/fast/css/lang-mapped-to-webkit-locale-expected.txt
    M LayoutTests/fast/css/lang-mapped-to-webkit-locale.xhtml
    A LayoutTests/fast/css/serialization-with-double-quotes-expected.txt
    A LayoutTests/fast/css/serialization-with-double-quotes.html
    M LayoutTests/fast/css/uri-token-parsing-expected.txt
    M LayoutTests/fast/css/uri-token-parsing.html
    M LayoutTests/fast/inspector-support/cssURLQuotes-expected.txt
    M LayoutTests/fast/inspector-support/style-expected.txt
    M LayoutTests/imported/w3c/ChangeLog
    M LayoutTests/media/controls/track-menu.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/css/CSSMarkup.cpp
    M Source/WebCore/css/CSSMarkup.h
    M Source/WebCore/css/CSSSelector.cpp
    M Source/WebCore/editing/EditingStyle.cpp

  Log Message:
  -----------
  Merge r218446 - REGRESSION(r209495): materiauxlaverdure.com fails to load
https://bugs.webkit.org/show_bug.cgi?id=173301
<rdar://problem/32624850>

Reviewed by Antti Koivisto.

LayoutTests/imported/w3c:

Rebaselined the tests that are now passing.

* web-platform-tests/cssom/CSSNamespaceRule-expected.txt:
* web-platform-tests/cssom/serialize-values-expected.txt:

Source/WebCore:

The bug was caused by WebKit wrapping CSS string values with single quotation marks instead of
double quotation marks as spec'ed in https://drafts.csswg.org/cssom/#serialize-a-string and
implemented in Firefox and Chrome.

The website eval's the computed value of the `content` CSS property with the value `'{name: "flat"}'`
after stripping single quotation marks from both ends. Prior to r209495, WebKit serialized this CSS value
in single quotations without escaping double quotations. After r209495, double quotations are escaped
with backslashes as `'{name: \"flat\"}'`. As a result, `eval` is invoked with `{name: \"flat\"}`
after stripping single quotations from both ends, which resulted in an exception.

Chrome and Firefox don't encounter this exception, despite the fact that they escape double quotations
as well, because they serialize with double quotations as `"{name: \"flat\"}"`. Because there is no code
to strip double quotations, eval is invoked with the same string, resulting in the entire value
being parsed as a string, instead of an object with a single key "name" with the value "flat" as
was the case in WebKit prior to r209495. While this behavior was most certainly not the intent of
the website author, Chrome and Firefox don't encounter an exception and the website continues to work.

This patch aligns WebKit's behavior to that of the CSS OM specification, Firefox, and Chrome by
serializing CSS string values using double quotation marks instead of single quotation marks.

Note: inline change log comments are added below for every call site of serializeString for clarity.

Test: fast/css/getPropertyValue-serialization-with-double-quotes.html

* css/CSSBasicShapes.cpp:
(WebCore::buildPathString): Use double quotation marks in path(~) of shapes.
* css/CSSMarkup.cpp:
(WebCore::serializeString):
(WebCore::serializeURL): Use double quotation marks to serialize URLs.
(WebCore::serializeAsStringOrCustomIdent): Use double quotation marks to serialize strings. We still avoid
wrapping the value with double quotations when the value can be an identifier. See r209495.
(WebCore::serializeFontFamily): Ditto for font-family names such as "San Francisco".
* css/CSSMarkup.h:
* css/CSSNamespaceRule.cpp:
(WebCore::CSSNamespaceRule::cssText): Use double quotation marks to serialize namespace URIs.
* css/CSSPrimitiveValue.cpp:
(WebCore::CSSPrimitiveValue::formatNumberForCustomCSSText): Use double quotation marks to serialize
the separators; e.g. counter(sectionNumber, ".") to produce "1.".
* css/CSSSelector.cpp:
(WebCore::CSSSelector::selectorText): Use double quotation marks to serialize attribute values.
* css/parser/CSSParserToken.cpp:
(WebCore::CSSParserToken::serialize): Use double quotation marks to serialize strings in @support.
* editing/EditingStyle.cpp:
(WebCore::StyleChange::extractTextStyles): Updated to strip double quotation marks in font family names to
maintain the compatibility with old versions of Microsoft Outlook.
* html/HTMLElement.cpp:
(WebCore::HTMLElement::mapLanguageAttributeToLocale): Use double quotations marks to serialize the value
of the lang content attribute. It doesn't matter which one is used here because it's only a temporary value
only fed into the CSS parser to set the equivalent CSS value from the content attribute.

LayoutTests:

Rebaselined the existing tests and added a new regression test for serializing CSS properties and values.

* accessibility/mac/alt-for-css-content-expected.txt:
* accessibility/mac/webkit-alt-for-css-content-expected.txt:
* editing/pasteboard/cjk-line-height-expected.txt:
* fast/css/alt-inherit-initial-expected.txt:
* fast/css/alt-inherit-initial.html:
* fast/css/content-language-comma-separated-list-expected.txt:
* fast/css/content-language-empty-expected.txt:
* fast/css/content-language-only-whitespace-expected.txt:
* fast/css/content-language-with-whitespace-expected.txt:
* fast/css/counters/counter-cssText-expected.txt:
* fast/css/counters/counter-cssText.html:
* fast/css/font-family-trailing-bracket-gunk-expected.txt:
* fast/css/font-family-trailing-bracket-gunk.html:
* fast/css/getComputedStyle/computed-style-font-family-expected.txt:
* fast/css/getComputedStyle/computed-style-properties-expected.txt:
* fast/css/getComputedStyle/computed-style-properties.html:
* fast/css/getComputedStyle/font-family-fallback-reset-expected.txt:
* fast/css/getComputedStyle/font-family-fallback-reset.html:
* fast/css/lang-mapped-to-webkit-locale-expected.txt:
* fast/css/lang-mapped-to-webkit-locale.xhtml:
* fast/css/serialization-with-double-quotes-expected.txt: Added.
* fast/css/serialization-with-double-quotes.html: Added.
* fast/css/uri-token-parsing-expected.txt:
* fast/css/uri-token-parsing.html:
* fast/inspector-support/cssURLQuotes-expected.txt:
* fast/inspector-support/style-expected.txt:
* fast/text/font-stretch-parse-expected.txt:
* fast/text/font-stretch-parse.html:
* fast/text/font-style-parse-expected.txt:
* fast/text/font-style-parse.html:
* fast/text/font-weight-parse-expected.txt:
* fast/text/font-weight-parse.html:
* media/controls/track-menu.html:
* platform/mac-elcapitan/fast/css/getComputedStyle/computed-style-font-family-expected.txt:
* platform/mac-elcapitan/fast/text/font-stretch-parse-expected.txt:
* platform/mac-elcapitan/fast/text/font-style-parse-expected.txt:
* platform/mac-elcapitan/fast/text/font-weight-parse-expected.txt:


  Commit: bc8bd3c97d135c40f0cbf09e29bdb042336990f7
      https://github.com/WebKit/WebKit/commit/bc8bd3c97d135c40f0cbf09e29bdb042336990f7
  Author: Antti Koivisto <koivisto at iki.fi>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/editing/selection/updateAppearanceAfterLayout-recursion-expected.txt
    A LayoutTests/editing/selection/updateAppearanceAfterLayout-recursion.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/editing/FrameSelection.cpp
    M Source/WebCore/editing/FrameSelection.h

  Log Message:
  -----------
  Merge r218451 - Crash due to infinite recursion via FrameSelection::updateAppearanceAfterLayout
https://bugs.webkit.org/show_bug.cgi?id=173468

Reviewed by Ryosuke Niwa.

Source/WebCore:

Test: editing/selection/updateAppearanceAfterLayout-recursion.html

Calling FrameSelection::updateAppearanceAfterLayout() from Document::resolveStyle is unsafe
because it may cause another call to resolveStyle. We have some cases where the style
is still unclean when updateAppearanceAfterLayout() is called. This can lead to infinite
recursion.

The test case is not the common stack seen in CrashTracer (couldn't quite replicate it) but
the updateAppearanceAfterLayout/resolveStyle recursion is the same.

* dom/Document.cpp:
(WebCore::Document::resolveStyle):

    Normally selection appearance update is done in post-layout but not all style resolutions schedule a layout.
    Invoke it asynchronously in that case instead of the previous synchronous call.

* editing/FrameSelection.cpp:
(WebCore::FrameSelection::FrameSelection):
(WebCore::FrameSelection::updateAppearanceAfterLayout):
(WebCore::FrameSelection::scheduleAppearanceUpdateAfterStyleChange):
(WebCore::FrameSelection::appearanceUpdateTimerFired):
(WebCore::FrameSelection::updateAppearanceAfterLayoutOrStyleChange):
* editing/FrameSelection.h:

LayoutTests:

* editing/selection/updateAppearanceAfterLayout-recursion-expected.txt: Added.
* editing/selection/updateAppearanceAfterLayout-recursion.html: Added.


  Commit: eb8a09c8facb56db110bd207b1373b5090187ad1
      https://github.com/WebKit/WebKit/commit/eb8a09c8facb56db110bd207b1373b5090187ad1
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/API/gtk/WebKitEditorState.h
    M Source/WebKit2/UIProcess/API/gtk/WebKitPrintCustomWidget.h

  Log Message:
  -----------
  Merge r218386 - Unreviewed. Remove wrong headers check from some GTK+ API files.

Remove the __WEBKIT_WEB_EXTENSION_H_INSIDE__ check since these are not actually shared.

* UIProcess/API/gtk/WebKitEditorState.h:
* UIProcess/API/gtk/WebKitOptionMenu.h:
* UIProcess/API/gtk/WebKitPrintCustomWidget.h:


  Commit: 2bf0f8e2282668e6f37a1b731d51eabbe42fe055
      https://github.com/WebKit/WebKit/commit/2bf0f8e2282668e6f37a1b731d51eabbe42fe055
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/API/gtk/WebKitError.h

  Log Message:
  -----------
  Merge r218326 - Unreviewed. Fix copy-paste error in GTK+ WEBKIT_JAVASCRIPT_ERROR definition.

The print one was copied there.

* UIProcess/API/gtk/WebKitError.h:


  Commit: 3efacb1ac68f4a35baa775375ad6429af46ae0b7
      https://github.com/WebKit/WebKit/commit/3efacb1ac68f4a35baa775375ad6429af46ae0b7
  Author: Carlos Garcia Campos <cgarcia at igalia.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/platform/graphics/gstreamer/InbandTextTrackPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/MainThreadNotifier.h
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp
    M Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h
    M Source/WebCore/platform/graphics/gstreamer/TrackPrivateBaseGStreamer.cpp
    M Source/WebCore/platform/graphics/gstreamer/TrackPrivateBaseGStreamer.h
    M Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp

  Log Message:
  -----------
  Merge r218471 - [GStreamer] MainThreadNotifier ASSERTION FAILED: m_boundThread == currentThread() in _WebKitWebSrcPrivate::~_WebKitWebSrcPrivate
https://bugs.webkit.org/show_bug.cgi?id=152043

Reviewed by Xabier Rodriguez-Calvar.

Stop using a WeakPtr in MainThreadNotifier, because it's not thread safe, which causes a crash in debug builds when
the notifier is destroyed in a different thread. Make MainThreadNotifier thread safe refcounted instead, and add
an invalidate() method to mark it as invalid.

* platform/graphics/gstreamer/InbandTextTrackPrivateGStreamer.cpp:
(WebCore::InbandTextTrackPrivateGStreamer::handleSample):
(WebCore::InbandTextTrackPrivateGStreamer::streamChanged):
* platform/graphics/gstreamer/MainThreadNotifier.h:
(WebCore::MainThreadNotifier::MainThreadNotifier): Deleted.
(WebCore::MainThreadNotifier::notify): Deleted.
(WebCore::MainThreadNotifier::cancelPendingNotifications): Deleted.
(WebCore::MainThreadNotifier::addPendingNotification): Deleted.
(WebCore::MainThreadNotifier::removePendingNotification): Deleted.
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::videoChangedCallback):
(WebCore::MediaPlayerPrivateGStreamer::videoSinkCapsChangedCallback):
(WebCore::MediaPlayerPrivateGStreamer::audioChangedCallback):
(WebCore::MediaPlayerPrivateGStreamer::textChangedCallback):
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:
(WebCore::MediaPlayerPrivateGStreamerBase::MediaPlayerPrivateGStreamerBase):
(WebCore::MediaPlayerPrivateGStreamerBase::~MediaPlayerPrivateGStreamerBase):
(WebCore::MediaPlayerPrivateGStreamerBase::volumeChangedCallback):
(WebCore::MediaPlayerPrivateGStreamerBase::muteChangedCallback):
(WebCore::MediaPlayerPrivateGStreamerBase::triggerRepaint):
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h:
* platform/graphics/gstreamer/TrackPrivateBaseGStreamer.cpp:
(WebCore::TrackPrivateBaseGStreamer::TrackPrivateBaseGStreamer):
(WebCore::TrackPrivateBaseGStreamer::~TrackPrivateBaseGStreamer):
(WebCore::TrackPrivateBaseGStreamer::disconnect):
(WebCore::TrackPrivateBaseGStreamer::activeChangedCallback):
(WebCore::TrackPrivateBaseGStreamer::tagsChanged):
* platform/graphics/gstreamer/TrackPrivateBaseGStreamer.h:
* platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
(webkit_web_src_init):
(webKitWebSrcDispose):
(webKitWebSrcStop):
(webKitWebSrcStart):
(webKitWebSrcNeedData):
(webKitWebSrcEnoughData):
(webKitWebSrcSeek):


  Commit: 872b11e4f2b85589664bd2fdf068640e482f419d
      https://github.com/WebKit/WebKit/commit/872b11e4f2b85589664bd2fdf068640e482f419d
  Author: Brady Eidson <beidson at apple.com>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp
    M Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.h

  Log Message:
  -----------
  Merge r218516 - Various IndexedDB crashes as an after effect of previous test.
<rdar://problem/31418761> and https://bugs.webkit.org/show_bug.cgi?id=170436

Reviewed by Chris Dumez.

No new test (No consistent test possible, in practice covered by all existing IDB tests)

This is timing related, where a UniqueIDBDatabase can be destroyed on the main thread while
it still has one task left to try to execute on the IDBServer thread.

The background thread tasks don't Ref<> the UniqueIDBDatabase, so even though task execution
took a Ref<> protector, there was still a small window for a race.

Should be closed up by making the background thread tasks themselves protect this.

* Modules/indexeddb/server/UniqueIDBDatabase.cpp:
(WebCore::IDBServer::UniqueIDBDatabase::postDatabaseTask):
(WebCore::IDBServer::UniqueIDBDatabase::postDatabaseTaskReply):
(WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTask):
(WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply):
* Modules/indexeddb/server/UniqueIDBDatabase.h:


  Commit: 33d0b7513444277321a3aacc19aa44f524c1febf
      https://github.com/WebKit/WebKit/commit/33d0b7513444277321a3aacc19aa44f524c1febf
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-06-20 (Tue, 20 Jun 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.4 release.

.:

* Source/cmake/OptionsGTK.cmake:

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.16.4.


  Commit: 8e2b0c84ac4e22f95f57c26813f2f02e1a04d6aa
      https://github.com/WebKit/WebKit/commit/8e2b0c84ac4e22f95f57c26813f2f02e1a04d6aa
  Author: Saam Barati <sbarati at apple.com>
  Date:   2017-06-26 (Mon, 26 Jun 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/parse-int-intrinsic-dfg-backend-flush.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  Merge r215387 - ParseInt intrinsic in DFG backend doesn't properly flush its operands
https://bugs.webkit.org/show_bug.cgi?id=170865

Reviewed by Mark Lam and Geoffrey Garen.

JSTests:

* stress/parse-int-intrinsic-dfg-backend-flush.js: Added.
(assert):
(foo):

Source/JavaScriptCore:

The DFG backend code needed to first call .gpr()/.jsValueRegs()
before calling flushRegisters(), or the input JSValueOperand would
not be flushed.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileParseInt):


  Commit: b58118f288fed4f87819ffd09c67e3c5bbf95e8d
      https://github.com/WebKit/WebKit/commit/b58118f288fed4f87819ffd09c67e3c5bbf95e8d
  Author: Michael Catanzaro <mcatanzaro at gnome.org>
  Date:   2017-06-27 (Tue, 27 Jun 2017)

  Changed paths:
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/UIProcess/gtk/WebContextMenuProxyGtk.cpp
    M Source/WebKit2/UIProcess/gtk/WebPopupMenuProxyGtk.cpp
    M Tools/ChangeLog
    M Tools/MiniBrowser/gtk/BrowserSearchBar.c

  Log Message:
  -----------
  Merge r218798 - Unreviewed, rolling out r215190.

Broke product select element on GNOME Bugzilla

Reverted changeset:

"[GTK] Misplaced right click menu on web page due to
deprecated gtk_menu_popup()"
https://bugs.webkit.org/show_bug.cgi?id=170553
http://trac.webkit.org/changeset/215190


  Commit: 4f1e2b9a131f2d15c6d776898501c59dc2ef4913
      https://github.com/WebKit/WebKit/commit/4f1e2b9a131f2d15c6d776898501c59dc2ef4913
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-06-27 (Tue, 27 Jun 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.5 release.

.:

* Source/cmake/OptionsGTK.cmake:

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.16.5.


  Commit: b6c35e32dbbd872ceb58a95b3574391f86f28462
      https://github.com/WebKit/WebKit/commit/b6c35e32dbbd872ceb58a95b3574391f86f28462
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/accessibility/crash-while-adding-text-child-with-transform-expected.txt
    A LayoutTests/accessibility/crash-while-adding-text-child-with-transform.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/accessibility/AXObjectCache.cpp
    M Source/WebCore/accessibility/AXObjectCache.h
    M Source/WebCore/page/FrameView.cpp
    M Source/WebCore/rendering/RenderText.cpp

  Log Message:
  -----------
  Merge r216096 - Defer AX cache update when text content changes until after layout is finished.
https://bugs.webkit.org/show_bug.cgi?id=171429
<rdar://problem/31885984>

Reviewed by Simon Fraser.

Source/WebCore:

When the content of the RenderText changes (even as the result of a text-transform change)
instead of updating the AX cache eagerly (and trigger layout on a half-backed render tree)
we should just defer it until after the subsequent layout is done.

Test: accessibility/crash-while-adding-text-child-with-transform.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):
(WebCore::AXObjectCache::performDeferredCacheUpdate):
(WebCore::AXObjectCache::recomputeDeferredIsIgnored):
(WebCore::AXObjectCache::deferTextChanged):
(WebCore::AXObjectCache::performDeferredIsIgnoredChange): Deleted.
* accessibility/AXObjectCache.h:
(WebCore::AXObjectCache::deferTextChanged):
(WebCore::AXObjectCache::performDeferredCacheUpdate):
(WebCore::AXObjectCache::performDeferredIsIgnoredChange): Deleted.
* page/FrameView.cpp:
(WebCore::FrameView::performPostLayoutTasks):
* rendering/RenderText.cpp:
(WebCore::RenderText::setText):

LayoutTests:

* accessibility/crash-while-adding-text-child-with-transform-expected.txt: Added.
* accessibility/crash-while-adding-text-child-with-transform.html: Added.


  Commit: 8801d6c64347e6adce3e11edee10327c1ab3994a
      https://github.com/WebKit/WebKit/commit/8801d6c64347e6adce3e11edee10327c1ab3994a
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/accessibility/crash-when-render-tree-is-not-clean-expected.txt
    A LayoutTests/accessibility/crash-when-render-tree-is-not-clean.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/accessibility/AXObjectCache.cpp
    M Source/WebCore/accessibility/AXObjectCache.h
    M Source/WebCore/rendering/RenderBlock.cpp
    M Source/WebCore/rendering/RenderBlockLineLayout.cpp
    M Source/WebCore/rendering/RenderText.cpp

  Log Message:
  -----------
  Merge r216726 - AX: Defer text changes until after the tree is clean if needed.
https://bugs.webkit.org/show_bug.cgi?id=171546
<rdar://problem/31934942>

Reviewed by Simon Fraser.

Source/WebCore:

While updating an accessibility object state, we might
trigger unintentional style updates. This style update could
end up destroying renderers that are still referenced by functions
on the callstack.
To avoid that, defer such changes and let AXObjectCache operate on a clean tree.

Test: accessibility/crash-when-render-tree-is-not-clean.html

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):
(WebCore::AXObjectCache::handleAttributeChanged):
(WebCore::AXObjectCache::labelChanged):
(WebCore::AXObjectCache::performDeferredCacheUpdate):
(WebCore::AXObjectCache::deferRecomputeIsIgnored):
(WebCore::AXObjectCache::deferTextChangedIfNeeded):
(WebCore::AXObjectCache::recomputeDeferredIsIgnored): Deleted.
(WebCore::AXObjectCache::deferTextChanged): Deleted.
* accessibility/AXObjectCache.h: Decouple different type of changes.
(WebCore::AXObjectCache::deferRecomputeIsIgnored):
(WebCore::AXObjectCache::deferTextChangedIfNeeded):
(WebCore::AXObjectCache::recomputeDeferredIsIgnored): Deleted.
(WebCore::AXObjectCache::deferTextChanged): Deleted.
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::deleteLines):
* rendering/RenderBlockLineLayout.cpp:
(WebCore::RenderBlockFlow::createAndAppendRootInlineBox):
* rendering/RenderText.cpp:
(WebCore::RenderText::setText):

LayoutTests:

* accessibility/crash-when-render-tree-is-not-clean-expected.txt: Added.
* accessibility/crash-when-render-tree-is-not-clean.html: Added.


  Commit: 4a64087fa4c6479448cd9e6b33a4b070513ddb41
      https://github.com/WebKit/WebKit/commit/4a64087fa4c6479448cd9e6b33a4b070513ddb41
  Author: Alan Bujtas <zalan at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/accessibility/AccessibilityRenderObject.cpp

  Log Message:
  -----------
  Merge r216825 - AccessibilityRenderObject::textUnderElement needs to assert on unclean tree.
https://bugs.webkit.org/show_bug.cgi?id=172065

Reviewed by Simon Fraser.

r192103 changed the assert logic incorrectly. If the tree is dirty, regardless of the renderer's type,
TextIterator will end up forcing style update/layout on the render tree.
The original assert would have hit with bug 171546 prior to r216726.

* accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::textUnderElement):


  Commit: 02ff6a9a567190cdc9b19dd0daea1c916f7b519e
      https://github.com/WebKit/WebKit/commit/02ff6a9a567190cdc9b19dd0daea1c916f7b519e
  Author: Saam Barati <sbarati at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/for-in-invalidation-for-any-write.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecode/BytecodeList.json
    M Source/JavaScriptCore/bytecode/BytecodeUseDef.h
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGCapabilities.cpp
    M Source/JavaScriptCore/jit/JIT.cpp
    M Source/JavaScriptCore/jit/JIT.h
    M Source/JavaScriptCore/jit/JITOpcodes.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter.asm

  Log Message:
  -----------
  Merge r217438 - Our for-in optimization in the bytecode generator does its static analysis incorrectly
https://bugs.webkit.org/show_bug.cgi?id=172532
<rdar://problem/32369452>

Reviewed by Mark Lam.

JSTests:

* stress/for-in-invalidation-for-any-write.js: Added.
(assert):
(test):
(test.i):

Source/JavaScriptCore:

Our static analysis for when a for-in induction variable
is written to tried to do its analysis as we generate
bytecode. This has issues, since it does not account for
the dynamic execution path of the program. Let's consider
a program where our old analysis worked:

```
for (let p in o) {
    o[p]; // We can transform this into a fast get_direct_pname
    p = 20;
    o[p]; // We cannot transform this since p has been changed.
}
```

However, our static analysis did not account for loops, which exist
in JavaScript. e.g, it would incorrectly compile this program as:
```
for (let p in o) {
    for (let i = 0; i < 20; ++i) {
        o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
        p = 20;
        o[p]; // We correctly do not transform this.
    }
}
```

Because of this flaw, I've made the optimization more conservative.
We now optimistically emit code for the optimized access. However,
if a for-in context is *ever* invalidated, before we pop it off
the stack, we rewrite the program's optimized accesses to no longer
be optimized. To do this, each context keeps track of its optimized
accesses.

This patch also adds a new bytecode, op_nop, which is just a no-op.
It was helpful to add this because reverting get_direct_pname to get_by_val
will leave us with an extra instruction word because get_direct_pname
has a length of 7 where get_by_val has a length of 6. This leaves us with
an extra slot that we fill with an op_nop.

* bytecode/BytecodeDumper.cpp:
(JSC::BytecodeDumper<Block>::dumpBytecode):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::popIndexedForInScope):
(JSC::BytecodeGenerator::popStructureForInScope):
(JSC::BytecodeGenerator::invalidateForInContextForLocal):
(JSC::StructureForInContext::pop):
(JSC::IndexedForInContext::pop):
* bytecompiler/BytecodeGenerator.h:
(JSC::StructureForInContext::addGetInst):
(JSC::IndexedForInContext::addGetInst):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_nop):
* llint/LowLevelInterpreter.asm:


  Commit: ddb86ecef9293a7d73c00cd88befef723905fe48
      https://github.com/WebKit/WebKit/commit/ddb86ecef9293a7d73c00cd88befef723905fe48
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/regress-170896.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/JSArray.cpp

  Log Message:
  -----------
  Merge r215451 - JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
https://bugs.webkit.org/show_bug.cgi?id=170896
<rdar://problem/31651319>

Reviewed by JF Bastien and Keith Miller.

JSTests:

* stress/regress-170896.js: Added.

Source/JavaScriptCore:

* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):


  Commit: 3d7a68c8b1d2033e851b92eff02f7a9b1109977e
      https://github.com/WebKit/WebKit/commit/3d7a68c8b1d2033e851b92eff02f7a9b1109977e
  Author: Filip Pizlo <fpizlo at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/arguments-elimination-varargs-too-many-args-arg-count.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp

  Log Message:
  -----------
  Merge r217016 - JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform
https://bugs.webkit.org/show_bug.cgi?id=172208

Reviewed by Saam Barati.

JSTests:

* stress/arguments-elimination-varargs-too-many-args-arg-count.js: Added.
(foo):
(bar):
(baz):

Source/JavaScriptCore:

* dfg/DFGArgumentsEliminationPhase.cpp:


  Commit: 8882b0e1e4e605ce7a9923ef4114f9b7fd8865f5
      https://github.com/WebKit/WebKit/commit/8882b0e1e4e605ce7a9923ef4114f9b7fd8865f5
  Author: Filip Pizlo <fpizlo at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M JSTests/ChangeLog
    M JSTests/stress/arguments-elimination-varargs-too-many-args-arg-count.js

  Log Message:
  -----------
  Merge r217018 - Unreviewed, address mlam's review feedback.

* stress/arguments-elimination-varargs-too-many-args-arg-count.js:


  Commit: 72889c5d98db7183fc80dcf5051f04a30ceed1fa
      https://github.com/WebKit/WebKit/commit/72889c5d98db7183fc80dcf5051f04a30ceed1fa
  Author: Jiewen Tan <jiewen_tan at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    M LayoutTests/crypto/webkitSubtle/argument-conversion-expected.txt
    A LayoutTests/crypto/webkitSubtle/import-export-raw-key-leak-expected.txt
    A LayoutTests/crypto/webkitSubtle/import-export-raw-key-leak.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/bindings/js/JSWebKitSubtleCryptoCustom.cpp
    M Source/WebCore/crypto/WebKitSubtleCrypto.idl

  Log Message:
  -----------
  Merge r216992 - Replace CryptoOperationData with BufferSource for WebKitSubtleCrypto
https://bugs.webkit.org/show_bug.cgi?id=172146
<rdar://problem/32122256>

Reviewed by Brent Fulgham.

Source/WebCore:

In this patch, we replace CryptoOperationData with BufferSource for WebKitSubtleCrypto in
the custom binding codes.

Test: crypto/webkitSubtle/import-export-raw-key-leak.html

* bindings/js/JSWebKitSubtleCryptoCustom.cpp:
(WebCore::JSWebKitSubtleCrypto::encrypt):
(WebCore::JSWebKitSubtleCrypto::decrypt):
(WebCore::JSWebKitSubtleCrypto::sign):
(WebCore::JSWebKitSubtleCrypto::verify):
(WebCore::JSWebKitSubtleCrypto::digest):
(WebCore::JSWebKitSubtleCrypto::importKey):
(WebCore::JSWebKitSubtleCrypto::unwrapKey):
* crypto/WebKitSubtleCrypto.idl:

LayoutTests:

* crypto/webkitSubtle/argument-conversion-expected.txt:
* crypto/webkitSubtle/import-export-raw-key-leak-expected.txt: Added.
* crypto/webkitSubtle/import-export-raw-key-leak.html: Added.


  Commit: 7721b71f7b2f1e32eb4eb3c0f77eed0b782c06c5
      https://github.com/WebKit/WebKit/commit/7721b71f7b2f1e32eb4eb3c0f77eed0b782c06c5
  Author: Saam Barati <sbarati at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M JSTests/ChangeLog
    M JSTests/stress/array-prototype-splice-making-typed-array.js
    M JSTests/stress/array-species-config-array-constructor.js
    A JSTests/stress/put-direct-index-broken-2.js
    A JSTests/stress/put-direct-index-broken.js
    A JSTests/stress/put-indexed-getter-setter.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecode/ByValInfo.h
    M Source/JavaScriptCore/dfg/DFGArrayMode.cpp
    M Source/JavaScriptCore/jit/JITOperations.cpp
    M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
    M Source/JavaScriptCore/runtime/ClonedArguments.cpp
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
    M Source/JavaScriptCore/runtime/JSObject.cpp
    M Source/JavaScriptCore/runtime/JSObject.h
    M Source/JavaScriptCore/runtime/JSType.h

  Log Message:
  -----------
  Merge r216279 - putDirectIndex does not properly do defineOwnProperty
https://bugs.webkit.org/show_bug.cgi?id=171591
<rdar://problem/31735695>

Reviewed by Geoffrey Garen.

JSTests:

* stress/array-prototype-splice-making-typed-array.js:
(test):
* stress/array-species-config-array-constructor.js:
(shouldThrow):
(test):
* stress/put-direct-index-broken-2.js: Added.
(assert):
(test):
(makeLengthWritable):
(set get restoreOldDesc):
* stress/put-direct-index-broken.js: Added.
(whatToTest):
(tryRunning):
(tryItOut):
* stress/put-indexed-getter-setter.js: Added.
(foo.X.prototype.set 7):
(foo.X.prototype.get 7):
(foo.X):
(foo):

Source/JavaScriptCore:

This patch fixes putDirectIndex and its JIT implementations to be
compatible with the ES6 spec. I think our code became out of date
when we implemented ArraySpeciesCreate since ArraySpeciesCreate may
return arbitrary objects. We perform putDirectIndex on that arbitrary
object. The behavior we want is as if we performed defineProperty({configurable:true, enumerable:true, writable:true}).
However, we weren't doing this. putDirectIndex assumed it could just splat
data into any descendant of JSObject's butterfly. For example, this means
we'd just splat into the butterfly of a typed array, even though a typed
array doesn't use its butterfly to store its indexed properties in the usual
way. Also, typed array properties are non-configurable, so this operation
should throw. This also means if we saw a ProxyObject, we'd just splat
into its butterfly, but this is obviously wrong because ProxyObject should
intercept the defineProperty operation.

This patch fixes this issue by adding a whitelist of cell types that can
go down putDirectIndex's fast path. Anything not in that whitelist will
simply call into defineOwnProperty.

* bytecode/ByValInfo.h:
(JSC::jitArrayModePermitsPutDirect):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* jit/JITOperations.cpp:
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createStructure):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
* runtime/JSObject.cpp:
(JSC::canDoFastPutDirectIndex):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLength): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::putDirectIndex):
(JSC::JSObject::canSetIndexQuicklyForPutDirect): Deleted.
* runtime/JSType.h:
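
The putDirectIndex change above is about what the engine must do when the object handed back by ArraySpeciesCreate is not an ordinary array. The following is an added JavaScript example, not JSC's own code or tests, that makes the required behaviour observable from script: Array.prototype.splice has to route each removed element through CreateDataPropertyOrThrow, so a Proxy returned by a species constructor sees a defineProperty trap carrying a configurable/enumerable/writable descriptor, and an object that refuses the define makes splice throw a TypeError instead of having data written into it. The `arrayWithSpecies` helper, the `SpeciesCtor` function and the recorded log layout are this example's own constructions.

```javascript
// Added example, not JSC's code: observe what Array.prototype.splice does with
// the object ArraySpeciesCreate returns. Each removed element must go through
// CreateDataPropertyOrThrow, i.e. [[DefineOwnProperty]] with
// {configurable: true, enumerable: true, writable: true}.

// Array subclass whose species constructor is whatever `factory` builds.
function arrayWithSpecies(factory, ...elements) {
  class Species extends Array {
    static get [Symbol.species]() { return factory; }
  }
  return new Species(...elements);
}

// Species constructor returning a Proxy that records every internal-method
// call splice makes on the result object.
function spliceThroughProxy() {
  const log = [];
  const factory = function SpeciesCtor(length) {
    // Returning an object from a constructor makes `new SpeciesCtor(n)` yield the Proxy.
    return new Proxy({}, {
      defineProperty(target, key, desc) {
        log.push(['defineProperty', String(key), desc.value,
          desc.configurable, desc.enumerable, desc.writable]);
        return Reflect.defineProperty(target, key, desc);
      },
      set(target, key, value) {
        log.push(['set', String(key), value]);
        // No receiver argument, so the write lands on the target without re-entering the trap.
        return Reflect.set(target, key, value);
      },
    });
  };
  const arr = arrayWithSpecies(factory, 10, 20, 30);
  const removed = arr.splice(0, 2);
  return {
    log,                               // defineProperty for "0" and "1", then set of "length"
    removedLength: removed.length,     // 2
    first: removed[0],                 // 10
    remaining: Array.from(arr),        // [30]
  };
}

// Species constructor returning an object that rejects new properties: the
// define fails, so splice must throw rather than storing into the object.
function spliceIntoNonExtensibleSpecies() {
  const factory = function SpeciesCtor() { return Object.preventExtensions({}); };
  const arr = arrayWithSpecies(factory, 1, 2, 3);
  try {
    arr.splice(0, 1);
    return 'no error';
  } catch (e) {
    return e.constructor.name; // 'TypeError'
  }
}
```

The non-extensible object stands in for the "define must fail" case; the change log's typed-array case behaved the same way in 2017, but later ECMAScript editions changed the attributes of typed-array elements, so the outcome of that variant now depends on the engine version and it is not used for the assertion here.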


  Commit: 73830af9490eb775ee1dfcdeab033bdf8c78203f
      https://github.com/WebKit/WebKit/commit/73830af9490eb775ee1dfcdeab033bdf8c78203f
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

  Log Message:
  -----------
  Unreviewed. Fix merge r217438.

See bug #174781.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::StructureForInContext::finalize): Use operand instead of unsignedValue.


  Commit: c00e66c3baea669d70aeebfb5990e92a4ca96773
      https://github.com/WebKit/WebKit/commit/c00e66c3baea669d70aeebfb5990e92a4ca96773
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/runtime/JSCJSValue.cpp
    M Source/JavaScriptCore/runtime/JSObject.cpp
    M Source/JavaScriptCore/runtime/JSObjectInlines.h

  Log Message:
  -----------
  Merge r216309 - Put does not properly consult the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=171754

Reviewed by Saam Barati.

We should do a follow up that cleans up the rest of put. See:
https://bugs.webkit.org/show_bug.cgi?id=171759

* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInline):


  Commit: 9f1029496109935d4477dab9e45ed2ab2d91dadd
      https://github.com/WebKit/WebKit/commit/9f1029496109935d4477dab9e45ed2ab2d91dadd
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/regress-171079.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/jit/ThunkGenerators.cpp

  Log Message:
  -----------
  Merge r215596 - virtualThunkFor() needs to materialize its tagMaskRegister for tail calls.
https://bugs.webkit.org/show_bug.cgi?id=171079
<rdar://problem/31684756>

Reviewed by Saam Barati.

JSTests:

* stress/regress-171079.js: Added.

Source/JavaScriptCore:

This is needed because tail calls would restore callee saved registers (and
therefore, potentially clobber the tag registers) before jumping to the thunk.

* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):


  Commit: 3761d12e0234468446a9c247319a76e8063fe216
      https://github.com/WebKit/WebKit/commit/3761d12e0234468446a9c247319a76e8063fe216
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/regress-170661.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

  Log Message:
  -----------
  Merge r215351 - Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
https://bugs.webkit.org/show_bug.cgi?id=170661
<rdar://problem/31579046>

Reviewed by Filip Pizlo.

JSTests:

* stress/regress-170661.js: Added.

Source/JavaScriptCore:

Previously, we were using flush() to flush the outermost frame's scopeRegister.
This is incorrect because flush() expects the VirtualRegister value passed to
it to be that of the top most inlined frame.  In the event that we reach a
terminal condition while inside an inlined frame, flush() will end up flushing
the wrong register.  The fix is simply to use flushDirect() instead.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flush):


  Commit: e973d4b6ef5a17766a59090e4ed717d21396f74e
      https://github.com/WebKit/WebKit/commit/e973d4b6ef5a17766a59090e4ed717d21396f74e
  Author: Jiewen Tan <jiewen_tan at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M LayoutTests/ChangeLog
    A LayoutTests/fast/dom/HTMLTemplateElement/insert-fostering-child-expected.txt
    A LayoutTests/fast/dom/HTMLTemplateElement/insert-fostering-child.html
    M Source/WebCore/ChangeLog
    M Source/WebCore/html/parser/HTMLConstructionSite.cpp

  Log Message:
  -----------
  Merge r216813 - Elements should be inserted into a template element as its content's last child
https://bugs.webkit.org/show_bug.cgi?id=171373
<rdar://problem/31862949>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Before this change, our HTML parser obeys the following premises:
1) A fostering child whose parent is a table should be inserted before its parent and under its grandparent.
2) When inserting into a template element, an element should be inserted into its content.

Let's walk through the example:
a) Before event handler takes place
template
table
    svg <- parser
b) After event handler takes place
template
    table
        svg <- parser
c) after parsing svg
template
    content
        svg
        (table)
    table

Finally, in the example, the svg element will be inserted into the content of the template element while
having its next sibling point to the table element. However, the table element is actually under the
template element not its content.

This messy tree is constructed because the second premise is incomplete. It should be: When inserting into
a template element, an element should be inserted into its content as its last child.
Quoted from Step 3 of https://html.spec.whatwg.org/multipage/syntax.html#appropriate-place-for-inserting-a-node
A correct tree will then look like:
template
    content
        svg
    table

Tests: fast/dom/HTMLTemplateElement/insert-fostering-child-crash.html
       fast/dom/HTMLTemplateElement/insert-fostering-child.html

* html/parser/HTMLConstructionSite.cpp:
(WebCore::insert):
By nullifying task.nextChild, it will force the parser to append the element as task.parent's last child.

LayoutTests:

* fast/dom/HTMLTemplateElement/insert-fostering-child-expected.txt: Added.
* fast/dom/HTMLTemplateElement/insert-fostering-child.html: Added.
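
The walkthrough above describes an insertion task whose `task.parent` and `task.nextChild` disagree once the parent is redirected from a template element to its content. The following is an added toy model of that step, written for this page and not WebKit's HTMLConstructionSite code: nodes are plain objects with a `children` array, a template carries a separate `content` fragment, and `attach` refuses a task whose `nextChild` is not actually a child of the node being inserted into, which is the inconsistent state the old logic produced. Both the pre-fix and post-fix variants of the template redirection are run on the change log's template/table/svg scenario.

```javascript
// Added toy model of the HTML parser's insertion step, not WebKit's code.
function makeElement(name) {
  const el = { name, children: [] };
  if (name === 'template')
    el.content = { name: '#content', children: [] }; // the template's separate content fragment
  return el;
}

// Insert `child` under `parent` before `nextChild` (append when nextChild is null).
// An inconsistent task, where nextChild does not live under parent, is rejected.
function attach(parent, child, nextChild) {
  if (nextChild === null) {
    parent.children.push(child);
    return;
  }
  const index = parent.children.indexOf(nextChild);
  if (index < 0)
    throw new Error(`nextChild <${nextChild.name}> is not a child of <${parent.name}>`);
  parent.children.splice(index, 0, child);
}

// Premise 1 (foster parenting): an element that would land inside a <table>
// is inserted before the table, under the table's parent.
function fosterParentTask(table, tableParent, child) {
  return { parent: tableParent, child, nextChild: table };
}

// Premise 2 as it was before r216813: redirect into template.content but keep
// nextChild, which points at a node under the template itself, not its content.
function insertKeepingNextChild(task) {
  const { child, nextChild } = task;
  let parent = task.parent;
  if (parent.name === 'template')
    parent = parent.content;
  attach(parent, child, nextChild);
}

// Premise 2 after r216813: redirect into template.content and append as its
// last child (nullifying nextChild, as the change log describes).
function insertAsLastChild(task) {
  const { child } = task;
  let { parent, nextChild } = task;
  if (parent.name === 'template') {
    parent = parent.content;
    nextChild = null;
  }
  attach(parent, child, nextChild);
}

// Scenario from the change log: a <table> that ended up as a direct child of
// <template>, then an <svg> that is foster-parented out of the table.
function runScenario(insert) {
  const template = makeElement('template');
  const table = makeElement('table');
  template.children.push(table);
  const svg = makeElement('svg');
  try {
    insert(fosterParentTask(table, template, svg));
  } catch (e) {
    return { error: e.message };
  }
  return {
    content: template.content.children.map((n) => n.name),   // ['svg'] after the fix
    template: template.children.map((n) => n.name),          // ['table'] after the fix
  };
}
```

Running `runScenario(insertKeepingNextChild)` reports the inconsistent task, while `runScenario(insertAsLastChild)` yields the corrected tree from the change log, with svg as the last child of the content fragment and the table still under the template element.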


  Commit: 4dd77a5b6fdde84d6884ee943601c22d6f59569c
      https://github.com/WebKit/WebKit/commit/4dd77a5b6fdde84d6884ee943601c22d6f59569c
  Author: Saam Barati <sbarati at apple.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M JSTests/ChangeLog
    A JSTests/stress/dont-reserve-huge-capacity-lexer.js
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/parser/Lexer.cpp

  Log Message:
  -----------
  Merge r218819 - Crash in JSC::Lexer<unsigned char>::setCode
https://bugs.webkit.org/show_bug.cgi?id=172754

Reviewed by Mark Lam.

JSTests:

* stress/dont-reserve-huge-capacity-lexer.js: Added.
(catch):

Source/JavaScriptCore:

The lexer was asking one of its buffers to reserve initial space that
was O(text size in bytes). For large sources, this would end up causing
the vector to overflow and crash. This patch changes this code to be like
the Lexer's other buffers and to only reserve a small starting buffer.

* parser/Lexer.cpp:
(JSC::Lexer<T>::setCode):


  Commit: d18c690b07ea06bb83ddf4ebee04c9a7736c53ce
      https://github.com/WebKit/WebKit/commit/d18c690b07ea06bb83ddf4ebee04c9a7736c53ce
  Author: Carlos Alberto Lopez Perez <clopez at igalia.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M Source/WebCore/ChangeLog
    M Source/WebCore/rendering/RenderTheme.cpp
    M Source/WebCore/rendering/RenderThemeGtk.cpp

  Log Message:
  -----------
  Merge r219332, r219447 - [GTK] Spin buttons on input type number appear over the value itself for small widths
https://bugs.webkit.org/show_bug.cgi?id=173572

Reviewed by Carlos Garcia Campos.

Source/WebCore:

When drawing the spin buttons, override the width of the input
element to increment it with the width of the spin button.
This ensures that we don't end up covering the input values with
the spin buttons.

Do this also for user controlled styles, because most web authors
won't test how their site renders on WebKitGTK+, and they will
assume spin buttons in the order of 13 pixels wide (that is what
most browsers use), but the GTK+ spin button is much wider (66 pixels).

* rendering/RenderTheme.cpp:
(WebCore::RenderTheme::adjustStyle):
* rendering/RenderThemeGtk.cpp:
(WebCore::RenderThemeGtk::adjustTextFieldStyle): Call the theme's adjustTextFieldStyle() also for user controlled styles.
(WebCore::RenderThemeGtk::adjustInnerSpinButtonStyle):

REGRESSION(r219332): [GTK] 9 new failures on fast/forms spinbutton related tests
https://bugs.webkit.org/show_bug.cgi?id=174395

Reviewed by Carlos Garcia Campos.

Source/WebCore:

Before r219332 the height of the spin button widget was
calculated as the maximum value between the individual button
(the [+] or [-]) width (33 pixels) and height (16 pixels).
And r219332 caused the height of the widget to be calculated as
the height of the button (16 pixels), which was incorrect as
each button should be first expanded vertically to fit the
preferred size of the widget.

Fix this by moving the calculations about the spin button widget
into a new function spinButtonSize() that takes this into account,
and use these values both for adjusting the style of the input
field and the spin button widget itself.

* rendering/RenderThemeGtk.cpp:
(WebCore::spinButtonSize):
(WebCore::RenderThemeGtk::adjustTextFieldStyle):
(WebCore::RenderThemeGtk::adjustInnerSpinButtonStyle):


  Commit: c0d7323f3f1ae9a672f0bf46ed6975c76ad29e1e
      https://github.com/WebKit/WebKit/commit/c0d7323f3f1ae9a672f0bf46ed6975c76ad29e1e
  Author: Adrian Perez de Castro <aperez at igalia.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M Source/ThirdParty/ANGLE/ChangeLog
    M Source/ThirdParty/ANGLE/changes.diff
    M Source/ThirdParty/ANGLE/include/EGL/eglplatform.h

  Log Message:
  -----------
  Merge r219446 - eglplatform.h does not support Wayland
https://bugs.webkit.org/show_bug.cgi?id=163482

This makes it possible to build WebKitGTK+ when the target system has only Wayland support,
but no X11 (and therefore the X11 headers are not present).

Reviewed by Alex Christensen.

* include/EGL/eglplatform.h: Add Wayland typedefs when WL_EGL_PLATFORM is defined (for example
by including wayland-egl.h before including EGL/egl.h). Also, include the X11 headers only
when ANGLE_USE_X11 is defined and, for consistency with Mesa's version of the header, when
MESA_EGL_NO_X11_HEADERS is not defined.


  Commit: ad1db14259201e4362e016c2776ec4950643f0d6
      https://github.com/WebKit/WebKit/commit/ad1db14259201e4362e016c2776ec4950643f0d6
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M Source/JavaScriptCore/ChangeLog
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

  Log Message:
  -----------
  Unreviewed. Fix the build with GCC 4.9 after merge r217438.

* bytecompiler/BytecodeGenerator.h:
(JSC::StructureForInContext::addGetInst):


  Commit: 0ce22e97cc1b5f87f09b32c2029082d278ba64d4
      https://github.com/WebKit/WebKit/commit/0ce22e97cc1b5f87f09b32c2029082d278ba64d4
  Author: Carlos Garcia Campos <carlosgc at webkit.org>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M ChangeLog
    M Source/WebKit2/ChangeLog
    M Source/WebKit2/gtk/NEWS
    M Source/cmake/OptionsGTK.cmake

  Log Message:
  -----------
  Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.6 release.

.:

* Source/cmake/OptionsGTK.cmake:

Source/WebKit2:

* gtk/NEWS: Add release notes for 2.16.6.


Compare: https://github.com/WebKit/WebKit/compare/7b5a7ac55b74%5E...0ce22e97cc1b