[webkit-changes] [WebKit/WebKit] 5e0182: Cherry-pick 1cc30ed20c25. rdar://problem/107756651

youennf noreply at github.com
Wed Jul 26 19:03:47 PDT 2023


  Branch: refs/heads/safari-7615-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: 5e018210a5ca21e19bb738ef20bf2ff4fef293c3
      https://github.com/WebKit/WebKit/commit/5e018210a5ca21e19bb738ef20bf2ff4fef293c3
  Author: Brent Fulgham <bfulgham at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    A LayoutTests/dom/html/navigator-plugins-expected.txt
    A LayoutTests/dom/html/navigator-plugins.html
    M Source/WebCore/page/Navigator.cpp

  Log Message:
  -----------
  Cherry-pick 1cc30ed20c25. rdar://problem/107756651

    Correct PDF Plugin descriptions returned by navigator.plugins[x].description
    https://bugs.webkit.org/show_bug.cgi?id=255155
    <rdar://problem/107756651>

    Reviewed by Geoffrey Garen.

    In Bug 254189 we corrected a bug where the name of the WebKit Built-in PDF plugin was localized
    for the user's settings, which confused some anti-fraud software because the specification requires
    the name to be in plain English text.

    While that issue was fixed, the specification also requires a consistent English label, "Portable
    Document Format" be returned by the 'description' property of the plugin. This is currently localized
    in Safari, leading to some anti-fraud software failing.

    This patch modifies only the return value from Navigator.plugins[].description, so that other
    elements of the Browser UI can correctly localize the description.

    * Source/WebCore/page/Navigator.cpp:
    (WebCore::Navigator::initializePluginAndMimeTypeArrays):

    Canonical link: https://commits.webkit.org/262779@main

Identifier: 259548.661 at safari-7615-branch


  Commit: 8d29e8d0af691428160545544d857a0c1570092c
      https://github.com/WebKit/WebKit/commit/8d29e8d0af691428160545544d857a0c1570092c
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    A LayoutTests/svg/masking/masking-with-event-region-expected.html
    A LayoutTests/svg/masking/masking-with-event-region.html
    M Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp
    M Source/WebCore/rendering/svg/RenderSVGResourceClipper.h

  Log Message:
  -----------
  Cherry-pick e4d2a7474950. rdar://problem/107885344

    SVG clip-path is sometimes broken on stevejobsarchive.com
    https://bugs.webkit.org/show_bug.cgi?id=255577
    rdar://107885344

    Reviewed by Said Abou-Hallawa.

    http://book.stevejobsarchive.com/ uses CSS clip-path with a reference to an SVG <clipPath> element
    which contains text.

    In this configuration, RenderSVGResourceClipper::applyClippingToContext() falls back to a code path
    that uses an ImageBuffer as a mask, and it caches the ImageBuffer between calls. This caused a
    problem when DOM Rendering in the GPU Process was enabled; this code is first hit for a "fake" paint
    with a NullGraphicsContext which is updating EventRegions, called out of
    `RenderLayerBacking::updateEventRegion()`. The NullGraphicsContext will make a local ImageBuffer.

    If we then hit this same code for actual painting with a painting GraphicsContext, we'll use that
    cached ImageBuffer, rather than creating a new one with appropriate GPU Process backing.

    Fix this by adding `isPaintingDisabled` to the criteria used to decide if the cached buffer can be
    re-used.

    * LayoutTests/svg/masking/masking-with-event-region-expected.html: Added.
    * LayoutTests/svg/masking/masking-with-event-region.html: Added.
    * Source/WebCore/rendering/svg/RenderSVGResourceClipper.cpp:
    (WebCore::RenderSVGResourceClipper::computeInputs):
    (WebCore::RenderSVGResourceClipper::applyClippingToContext):
    * Source/WebCore/rendering/svg/RenderSVGResourceClipper.h:
    (WebCore::ClipperData::Inputs::operator== const):

    Canonical link: https://commits.webkit.org/263087@main

Identifier: 259548.662 at safari-7615-branch


  Commit: 54bbd87350b3e4a4aa261e4f7cc91a7700a9299e
      https://github.com/WebKit/WebKit/commit/54bbd87350b3e4a4aa261e4f7cc91a7700a9299e
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    A LayoutTests/fast/events/message-event-data-isolated-world-expected.txt
    A LayoutTests/fast/events/message-event-data-isolated-world.html
    M Source/WebCore/dom/MessageEvent.cpp

  Log Message:
  -----------
  Cherry-pick ca6ca7d1895d. rdar://problem/107538083

    REGRESSION (Safari 16.4): PostMessage with transfer object is broken between contexts
    https://bugs.webkit.org/show_bug.cgi?id=254777
    rdar://107538083

    Reviewed by Geoffrey Garen.

    Before 256896 at main, we would construct MessageEvents and give them a
    SerializedScriptValue to store internally. Then, the deserialization of this
    SerializedScriptValue would happen lazily when the JS accesses
    MessageEvent.data. We would then cache the result of the deserialization
    inside MessageEvent::m_cachedData to avoid repeated deserializations.
    Also note that we would make sure that the cachedData's world matches the
    current world before using it. We would deserialize again if the worlds
    don't match.

    After 256896 at main, we now deserialize the SerializedScriptValue eagerly, so
    that we know whether to fire a `message` event or a `messageerror` one.
    This deserialization would happen in the main JS world and we would pass
    the resulting JSValue to the MessageEvent to store instead of the
    SerializedScriptValue. This would work fine for main worlds and regressed
    isolated worlds since JSMessageEvent::data() would not have a
    SerializedScriptValue to re-deserialize for isolated worlds.

    To address the issue, we now construct MessageEvents with a
    SerializedScriptValue, like we did before 256896 at main. For performance reasons
    we also store the deserialized JSValue in MessageEvent::cachedData so that
    later calls to JSMessageEvent::data() don't end up deserializing the
    SerializedScriptValue again if called from the main world. However, if the
    call for JSMessageEvent::data() comes from an isolated world, the
    implementation will properly deserialize the SerializedScriptValue again,
    like it did before 256896 at main.

    This was tested manually on strava.com.

    Test: fast/events/message-event-data-isolated-world.html

    * Source/WebCore/dom/MessageEvent.cpp:
    (WebCore::MessageEvent::create):

    Canonical link: https://commits.webkit.org/263155@main

Identifier: 259548.663 at safari-7615-branch


  Commit: 250c4928b0b6beec9ece71877ec99c71bd40b798
      https://github.com/WebKit/WebKit/commit/250c4928b0b6beec9ece71877ec99c71bd40b798
  Author: Matthieu Dubet <m_dubet at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/cssom-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/cssom.html
    M Source/WebCore/css/CSSStyleRule.cpp
    M Source/WebCore/css/StyleRule.h

  Log Message:
  -----------
  Cherry-pick 262961 at main (fdf42acd549d). rdar://108041191

    Fix setSelectorText() to overwrite both selector and original selector
    https://bugs.webkit.org/show_bug.cgi?id=255446
    rdar://108041191

    Reviewed by Antti Koivisto.

    Before this patch, only the StyleRule selector was overwritten:
    selector matching was correct but CSSOM cssText() displayed the wrong selector.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/cssom-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/cssom.html:
    * Source/WebCore/css/CSSStyleRule.cpp:
    (WebCore::CSSStyleRule::setSelectorText):
    * Source/WebCore/css/StyleRule.h:
    (WebCore::StyleRuleWithNesting::wrapperAdoptOriginalSelectorList):

    Canonical link: https://commits.webkit.org/262961@main
Canonical link: https://commits.webkit.org/259548.664@safari-7615-branch


  Commit: f001b0bc6b6a9712bfa630614d67459b2495302d
      https://github.com/WebKit/WebKit/commit/f001b0bc6b6a9712bfa630614d67459b2495302d
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    A LayoutTests/css3/scroll-snap/scroll-snap-discrete-wheel-event-in-mainframe-expected.txt
    A LayoutTests/css3/scroll-snap/scroll-snap-discrete-wheel-event-in-mainframe.html
    M LayoutTests/css3/scroll-snap/scroll-snap-wheel-event.html
    M LayoutTests/platform/glib/TestExpectations
    M LayoutTests/platform/ios-wk2/TestExpectations
    M LayoutTests/platform/mac-wk1/TestExpectations
    M Source/WebCore/platform/ScrollingEffectsController.h
    M Source/WebCore/platform/mac/ScrollingEffectsController.mm

  Log Message:
  -----------
  Cherry-pick 939e8d49f5a5. rdar://problem/107885426

    [macOS] Scrolling with a physical mouse wheel should not always animate to the closest snap point
    https://bugs.webkit.org/show_bug.cgi?id=255493
    rdar://107885426

    Reviewed by Simon Fraser.

    When scrolling using a physical mouse wheel in a scroll snap container, WebKit's current scroll snap
    implementation handles each wheel event in a stateless manner, kicking off a scroll snap animation
    to the closest snap point if no other wheel event is observed after 750 ms. This can lead to some
    unintuitive behaviors when distances between scroll snap points are large, since the user may scroll
    for a single wheel tick expecting to advance to the next page, only for the scroll position to
    animate back to where they started.

    This patch improves this by treating a stream of discrete wheel events similarly to trackpad-based
    momentum scrolling, and animates to the appropriate snap point in the direction of scrolling; this
    also aligns our implementation more closely with both Gecko and Blink.

    See below for more details.

    Test: css3/scroll-snap/scroll-snap-discrete-wheel-event-in-mainframe.html

    * LayoutTests/css3/scroll-snap/scroll-snap-discrete-wheel-event-in-mainframe-expected.txt: Added.
    * LayoutTests/css3/scroll-snap/scroll-snap-discrete-wheel-event-in-mainframe.html: Added.

    Add a new layout test to exercise the change, in a mainframe (root) scroll snapping context.

    * LayoutTests/css3/scroll-snap/scroll-snap-wheel-event.html:

    Adjust an existing stateless scroll snapping test to exercise the change by lowering the scrolling
    tick count from 3 to 1. Without this change, this adjustment would've bumped us back to the original
    scroll position; after this change, we'll now animate to the next snap point.

    * LayoutTests/platform/glib/TestExpectations:
    * LayoutTests/platform/ios-wk2/TestExpectations:
    * LayoutTests/platform/mac-wk1/TestExpectations:

    Discrete wheel events on the root don't seem to trigger scroll snapping at all in WebKit1, both
    before and after this patch. I filed webkit.org/b/255498, to track that issue separately.

    * Source/WebCore/platform/ScrollingEffectsController.h:

    Maintain a LIFO queue of up to three discrete wheel event deltas, which we use to determine the
    user's intended scrolling direction after finishing a stream of discrete wheel events.

    * Source/WebCore/platform/mac/ScrollingEffectsController.mm:
    (WebCore::ScrollingEffectsController::stopAllTimers):
    (WebCore::toWheelEventStatus):
    (WebCore::operator<<):
    (WebCore::ScrollingEffectsController::scheduleDiscreteScrollSnap):
    (WebCore::ScrollingEffectsController::discreteSnapTransitionTimerFired):

    Rename "stateless" -> "discrete", to reflect the fact that the new implementation is now stateful
    by way of maintaining a queue of recent discrete wheel event deltas. Additionally, use
    `transitionToGlideAnimationState()` to kick off scroll snapping if the average wheel event delta is
    nonzero.

    (WebCore::ScrollingEffectsController::processWheelEventForScrollSnap):
    (WebCore::ScrollingEffectsController::scheduleStatelessScrollSnap): Deleted.

    Dramatically reduce the delay before firing the scroll snap timer for discrete wheel events, now
    that the purpose is no longer to wait for the user to manually scroll to the next page before
    snapping, but rather observe enough events to estimate the user's intended scrolling direction.

    (WebCore::ScrollingEffectsController::statelessSnapTransitionTimerFired): Deleted.

    Canonical link: https://commits.webkit.org/263071@main

Identifier: 259548.665 at safari-7615-branch


  Commit: 502cd653a7f7071660b42a3f916dab2c40f6ae66
      https://github.com/WebKit/WebKit/commit/502cd653a7f7071660b42a3f916dab2c40f6ae66
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    A LayoutTests/css3/scroll-snap/resnap-after-layout-expected.txt
    A LayoutTests/css3/scroll-snap/resnap-after-layout.html
    M LayoutTests/platform/gtk/TestExpectations
    M LayoutTests/platform/ios-wk2/TestExpectations
    M LayoutTests/platform/wpe/TestExpectations
    M Source/WebCore/platform/ScrollSnapAnimatorState.cpp
    M Source/WebCore/platform/ScrollSnapAnimatorState.h
    M Source/WebCore/platform/ScrollableArea.cpp

  Log Message:
  -----------
  Cherry-pick ee03689988d7. rdar://problem/107885376

    Scroll snap sometimes jumps back to the wrong place on stevejobsarchive.com
    https://bugs.webkit.org/show_bug.cgi?id=255492
    rdar://107885376

    Reviewed by Wenson Hsieh.

    259696 at main added some logic that attempts to re-snap after layout when multiple boxes were snapped,
    adding a `m_currentlySnappedBoxes` member to `ScrollSnapAnimatorState`.

    However, `m_currentlySnappedBoxes` was only updated in the `resnapAfterLayout` code path, not when
    scrolling moved you to a new snap point. That resulted in `resnapAfterLayout` sometimes returning
    you to a stale location if you'd scrolled to a new snap point since the last time
    `resnapAfterLayout` was run, especially when hitting the "multiple boxes were snapped" clause.

    It's troublesome to have both `m_currentlySnappedBoxes` and a `snapTargetID` in each SnapOffset (a
    future patch will clean this up). But for now, ensure that `m_currentlySnappedBoxes` is updated on
    each scroll-related snap as well as resnapping after layout.

    * LayoutTests/css3/scroll-snap/resnap-after-layout-expected.txt: Added.
    * LayoutTests/css3/scroll-snap/resnap-after-layout.html: Added.
    * LayoutTests/platform/gtk/TestExpectations:
    * LayoutTests/platform/ios-wk2/TestExpectations:
    * LayoutTests/platform/wpe/TestExpectations:
    * Source/WebCore/platform/ScrollSnapAnimatorState.cpp:
    (WebCore::ScrollSnapAnimatorState::setActiveSnapIndexForAxis):
    (WebCore::ScrollSnapAnimatorState::updateCurrentlySnappedBoxes):
    (WebCore::chooseBoxToResnapTo):
    (WebCore::ScrollSnapAnimatorState::resnapAfterLayout):
    (WebCore::ScrollSnapAnimatorState::setNearestScrollSnapIndexForAxisAndOffsetInternal):
    (WebCore::ScrollSnapAnimatorState::setNearestScrollSnapIndexForOffset):
    (WebCore::ScrollSnapAnimatorState::chooseBoxToResnapTo const): Deleted.
    (WebCore::ScrollSnapAnimatorState::setNearestScrollSnapIndexForAxisAndOffset): Deleted.
    * Source/WebCore/platform/ScrollSnapAnimatorState.h: Some functions can be private.
    (WebCore::ScrollSnapAnimatorState::setActiveSnapIndexForAxisInternal): The "internal" implies that it doesn't update m_currentlySnappedBoxes.
    (WebCore::ScrollSnapAnimatorState::setActiveSnapIndexForAxis): Deleted.
    * Source/WebCore/platform/ScrollableArea.cpp:
    (WebCore::ScrollableArea::resnapAfterLayout): Improved logging.
    (WebCore::ScrollableArea::doPostThumbMoveSnapping): Improved logging.

    Canonical link: https://commits.webkit.org/263097@main

Identifier: 259548.666 at safari-7615-branch


  Commit: 4aa8750579fb41180e551ec753a1f79e1ea06798
      https://github.com/WebKit/WebKit/commit/4aa8750579fb41180e551ec753a1f79e1ea06798
  Author: Dan Glastonbury <djg at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/ProgramMtl.mm

  Log Message:
  -----------
  [ANGLE] UBO convert only whole block
rdar://106964250

Reviewed by Dean Jackson.

OpenGL doesn't guarantee that the buffer backing uniform blocks needs to be a
multiple of the block size. When converting OpenGL layout blocks to Metal
layout, ConvertUniformBufferData is rounding up the size of the backing buffer
to a multiple of the block size which leads to reading out of bounds.

To ensure we don't read outside the source buffer, this change replaces calls to
`memcpy` with `memcpy_guarded` which accepts a pointer to the limit of available
data and copies as much data as is available, writing zeroes for any unavailable
amount.

Conversion of bools didn't use memcpy, so the raw pointer is checked against
maxSrcPtr and only dereferenced if valid, otherwise zero is used.

This has been tested with ASan and UBSan enabled against the OpenGL dEQP tests
for Uniform Buffer Objects in ANGLE.

* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/ProgramMtl.mm:

Canonical link: https://commits.webkit.org/259548.667@safari-7615-branch


  Commit: 361116a68ae66e4f50d7e4e84faee59577cc8031
      https://github.com/WebKit/WebKit/commit/361116a68ae66e4f50d7e4e84faee59577cc8031
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    A LayoutTests/css3/scroll-snap/scroll-snap-discrete-wheel-events-with-layout-expected.txt
    A LayoutTests/css3/scroll-snap/scroll-snap-discrete-wheel-events-with-layout.html
    M LayoutTests/platform/glib/TestExpectations
    M LayoutTests/platform/ios-wk2/TestExpectations
    M Source/WebCore/page/scrolling/ScrollingTree.cpp
    M Source/WebCore/page/scrolling/ScrollingTree.h
    M Source/WebCore/platform/mac/ScrollingEffectsController.mm
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.h
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.cpp
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.h
    M Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.h
    M Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.mm

  Log Message:
  -----------
  Cherry-pick 025262762049. rdar://problem/108231619

    [macOS] Performing layout when scroll snapping with a physical mouse wheel snaps to the last snap position
    https://bugs.webkit.org/show_bug.cgi?id=255603

    Reviewed by Tim Horton.

    Currently, when `resnapAfterLayout()` is called after a layout pass while scrolling with a physical
    mouse wheel in a scroll snapping container, we end up erroneously re-snapping to the last active
    snap position. This doesn't happen when using a trackpad to scroll because we bail here:

    ```
    void ScrollableArea::resnapAfterLayout()
    {
    …
        if (!scrollAnimator || isScrollSnapInProgress() || isUserScrollInProgress())
            return;
    ```

    …due to the fact that `isUserScrollInProgress()` is `true`, since this flag is set over the course
    of both user-driven and momentum scrolling phases. Importantly, note that `isScrollSnapInProgress()`
    is only `true` in this case where UI-side compositing is *disabled* — this is because nothing
    currently calls `{add|remove}NodeWithActiveScrollSnap` on `RemoteScrollingUIState`, which means that
    we never end up propagating `m_nodesWithActiveScrollSnap` to the web process when UI-side
    compositing is enabled, so from the web-process' perspective, `isScrollSnapInProgress()` is always
    `false`.

    As such, in order to make physical mouse wheel scrolling work well when there are interleaved layout
    passes, the fix is two-fold:

    1.  Consider `isScrollSnapInProgress()` to be true if the discrete wheel event timer is scheduled.
    2.  Add plumbing to deliver `isScrollSnapInProgress()` state from the UI process to the web process
        through the scrolling state tree, to ensure that this bug fix is also effective when UI-side
        compositing is enabled.

    Test: css3/scroll-snap/scroll-snap-discrete-wheel-events-with-layout.html

    * LayoutTests/css3/scroll-snap/scroll-snap-discrete-wheel-events-with-layout-expected.txt: Added.
    * LayoutTests/css3/scroll-snap/scroll-snap-discrete-wheel-events-with-layout.html: Added.

    Add a new test case to exercise the bug fix.

    * LayoutTests/platform/glib/TestExpectations:
    * LayoutTests/platform/ios-wk2/TestExpectations:
    * Source/WebCore/page/scrolling/ScrollingTree.cpp:
    (WebCore::ScrollingTree::setNodeScrollSnapInProgress):
    * Source/WebCore/page/scrolling/ScrollingTree.h:
    (WebCore::ScrollingTree::scrollingTreeNodeDidBeginScrollSnapping):
    (WebCore::ScrollingTree::scrollingTreeNodeDidEndScrollSnapping):

    Add new override hooks to allow the client layer to know when scrolling tree nodes change "scroll
    snap in progress" state. See WebKit2 changes below for more information.

    * Source/WebCore/platform/mac/ScrollingEffectsController.mm:
    (WebCore::ScrollingEffectsController::stopAllTimers):
    (WebCore::ScrollingEffectsController::isScrollSnapInProgress const):

    Consider scroll snap in progress if we've scheduled a scroll snap while handling discrete wheel
    events.

    (WebCore::ScrollingEffectsController::discreteSnapTransitionTimerFired):

    Add a couple of call sites to `m_client.didStopScrollSnapAnimation()` in the case where the timer
    is either stopped early or without triggering a scroll snap animation, such that we don't end up
    with a node being stuck indefinitely in `nodesWithActiveScrollSnap`.

    * Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingCoordinatorProxy.h:
    (WebKit::RemoteScrollingCoordinatorProxy::scrollingTreeNodeDidBeginScrollSnapping):
    (WebKit::RemoteScrollingCoordinatorProxy::scrollingTreeNodeDidEndScrollSnapping):
    * Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.cpp:
    (WebKit::RemoteScrollingTree::scrollingTreeNodeDidBeginScrollSnapping):
    (WebKit::RemoteScrollingTree::scrollingTreeNodeDidEndScrollSnapping):

    Add plumbing from `RemoteScrollingTree` -> `RemoteScrollingCoordinatorProxy` ->
    `RemoteScrollingUIState` whenever a scrolling node begins or ends scroll snapping progress.

    * Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.h:
    * Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.h:
    * Source/WebKit/UIProcess/RemoteLayerTree/mac/RemoteScrollingCoordinatorProxyMac.mm:
    (WebKit::RemoteScrollingCoordinatorProxyMac::scrollingTreeNodeDidBeginScrollSnapping):
    (WebKit::RemoteScrollingCoordinatorProxyMac::scrollingTreeNodeDidEndScrollSnapping):

    Canonical link: https://commits.webkit.org/263108@main

Identifier: 259548.667 at safari-7615-branch


  Commit: 005d93b39e87b494bcbe4516b1d8d29e14808725
      https://github.com/WebKit/WebKit/commit/005d93b39e87b494bcbe4516b1d8d29e14808725
  Author: Wenson Hsieh <wenson_hsieh at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-scroll-deceleration-with-obscured-inset-expected.txt
    A LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-scroll-deceleration-with-obscured-inset.html
    M LayoutTests/platform/ios-wk2/TestExpectations
    M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm
    M Tools/WebKitTestRunner/TestOptions.cpp
    M Tools/WebKitTestRunner/TestOptions.h
    M Tools/WebKitTestRunner/ios/TestControllerIOS.mm

  Log Message:
  -----------
  Cherry-pick dc3e66efee5b. rdar://problem/108008480

    [iOS] Scrolling snaps to previous snap point when tapping during a scroll snap in mainframe
    https://bugs.webkit.org/show_bug.cgi?id=255670
    rdar://108008480

    Reviewed by Tim Horton.

    When interrupting scroll view deceleration with a tap gesture, we re-run logic to retarget the snap
    offset given the current scroll offset and the projected (original) scroll offset where we would've
    ended up scrolling. In an overflow region where this bug does *not* reproduce, the current offset is
    equal to the projected offset, so we simply retarget to the closest snap point.

    However, in a mainframe scroll snapping context where the bug reproduces, the projected snap offset
    is off by an amount equal to the top obscured inset, which means that instead of defaulting to the
    closest snap position, we'll instead always retarget the previous snap point. To fix this, we simply
    apply this same adjustment to this projected offset.

    Test: css3/scroll-snap/ios/scroll-snap-mainframe-scroll-deceleration-with-obscured-inset.html

    * LayoutTests/TestExpectations:
    * LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-scroll-deceleration-with-obscured-inset-expected.txt: Added.
    * LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-scroll-deceleration-with-obscured-inset.html: Added.

    Add a layout test to exercise this change, by scrolling via a swipe gesture, tapping, and verifying
    that we don't snap back to the start.

    * LayoutTests/platform/ios-wk2/TestExpectations:
    * Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm:
    (WebKit::RemoteScrollingCoordinatorProxyIOS::adjustTargetContentOffsetForSnapping):

    Offset the projected offset by the top obscured inset, for consistency with the current offset.

    * Tools/WebKitTestRunner/TestOptions.cpp:
    (WTR::TestOptions::defaults):
    (WTR::TestOptions::keyTypeMapping):
    * Tools/WebKitTestRunner/TestOptions.h:
    (WTR::TestOptions::obscuredInsetTop const):
    * Tools/WebKitTestRunner/ios/TestControllerIOS.mm:
    (WTR::TestController::platformResetStateToConsistentValues):

    Add a new test option to specify a top obscured inset value on the web view.

    Canonical link: https://commits.webkit.org/263158@main

Identifier: 259548.669 at safari-7615-branch


  Commit: a1c1e04148d7b4606a1322e889c6a12c36753f5d
      https://github.com/WebKit/WebKit/commit/a1c1e04148d7b4606a1322e889c6a12c36753f5d
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2023-04-20 (Thu, 20 Apr 2023)

  Changed paths:
    M LayoutTests/media/media-source/media-webm-opus-partial-abort-expected.txt
    M LayoutTests/media/media-source/media-webm-opus-partial-abort.html
    M LayoutTests/media/media-source/media-webm-opus-partial-expected.txt
    M LayoutTests/media/media-source/media-webm-opus-partial.html
    M LayoutTests/media/video-test.js
    M Source/WebCore/platform/MediaSample.h
    M Source/WebCore/platform/graphics/cocoa/CMUtilities.mm
    M Source/WebCore/platform/graphics/cocoa/SourceBufferParserWebM.cpp
    M Source/WebCore/platform/graphics/cocoa/SourceBufferParserWebM.h

  Log Message:
  -----------
  Cherry-pick 262837 at main (7f1bcb55362b). rdar://106976225

    [Cocoa] "Pop" of bad audio heard at the start of certain YouTube videos
    https://bugs.webkit.org/show_bug.cgi?id=255212
    rdar://106976225

    Reviewed by Eric Carlson.

    Tracking addition of a test via https://bugs.webkit.org/show_bug.cgi?id=255227.

    Two interrelated problems cause discontinuties in the audio output at the
    start of certain Opus-encoded WebM files.

    1) A bug in the ffmpeg muxer causes the initial block in a cluster to be 1ms
    too long, which causes an audible discontinuity to be generated from
    AVSampleBufferAudioRenderer.

    2) Some Opus-encoded WebM files include a CodecDelay value, which requires
    players to decode, but not render, the initial audio frames in a stream.

    For 2), map the CodecDelay value to a kCMSampleBufferAttachmentKey_TrimDurationAtStart
    attachment in the resulting CMSampleBuffer. This causes the output duration of the
    sample to be reduced by the trim duration, and the output presentation time to be
    increased by the trim duration, so also shift the input presentation time by the same
    amount. This aligns the first audible frame with the start time of the track.

    For 1), if a discontinuity is encountered, and the discontinuity is less than 15ms
    simply advance the presentation time of the subsequent sample by the discontinuity
    duration. Track this discontinuity cumulatively, so that if multiple discontinuities
    are encountered that total greater than 15ms, a real audible discontinuity is generated
     and the track is brought back in sync with the master timeline.

    * Source/WebCore/platform/MediaSample.h:
    * Source/WebCore/platform/graphics/cocoa/CMUtilities.mm:
        (WebCore::toCMSampleBuffer):
    * Source/WebCore/platform/graphics/cocoa/SourceBufferParserWebM.cpp:
        (WebCore::WebMParser::VideoTrackData::consumeFrameData):
        (WebCore::WebMParser::AudioTrackData::AudioTrackData):
        (WebCore::WebMParser::AudioTrackData::consumeFrameData):
    * Source/WebCore/platform/graphics/cocoa/SourceBufferParserWebM.h:
        (WebCore::WebMParser::AudioTrackData::AudioTrackData): Deleted.

    Canonical link: https://commits.webkit.org/262837@main
Canonical link: https://commits.webkit.org/259548.670@safari-7615-branch


  Commit: a04c374a68356d926ec8e7d4b6fc1d31f6452e35
      https://github.com/WebKit/WebKit/commit/a04c374a68356d926ec8e7d4b6fc1d31f6452e35
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/commit.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/commit_unittest.py

  Log Message:
  -----------
  Cherry-pick 263027 at main (3338c3aac8ff). rdar://108143386

    [git-webkit] Do not include indented trailers
    https://bugs.webkit.org/show_bug.cgi?id=255528
    rdar://108143386

    Reviewed by Ryan Haddad.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/commit.py:
    (Commit): Trailers cannot start with whitespace.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/commit_unittest.py:

    Canonical link: https://commits.webkit.org/263027@main

Canonical link: https://commits.webkit.org/259548.671@safari-7615-branch


  Commit: 696c971de90d829e654ee0f92c3935364eeae658
      https://github.com/WebKit/WebKit/commit/696c971de90d829e654ee0f92c3935364eeae658
  Author: Carlos Alberto Lopez Perez <clopez at igalia.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
    M Tools/Scripts/webkitpy/autoinstalled/twisted.py

  Log Message:
  -----------
  Cherry-pick 263081 at main (2a0a1467f4d8). https://bugs.webkit.org/show_bug.cgi?id=255519

    [WPE][GTK] Autoinstall version conflicts for cryptography and cffi libraries when running the run-benchmark script
    https://bugs.webkit.org/show_bug.cgi?id=255519

    Reviewed by Jonathan Bedard.

    Autoinstall cffi and cryptography libraries for all platforms
    on webkitcorepy since now are required for twisted and use
    the version that was defined on twisted.

    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py:
    * Tools/Scripts/webkitpy/autoinstalled/twisted.py:

    Canonical link: https://commits.webkit.org/263081@main

Canonical link: https://commits.webkit.org/259548.672@safari-7615-branch


  Commit: 8c86863d21e5738aec4cbeb97806913f5d25eb51
      https://github.com/WebKit/WebKit/commit/8c86863d21e5738aec4cbeb97806913f5d25eb51
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py

  Log Message:
  -----------
  Cherry-pick 263099 at main (feea593221f2). rdar://107615755

    [git-webkit] Provide mechanism to exempt bugs from redaction (Follow-up)
    https://bugs.webkit.org/show_bug.cgi?id=254993
    rdar://107615755

    Reviewed by Dewei Zhu.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
    (PullRequest.create_pull_request): If the issue exempt from redaction is the second issue,
    we should print the fact that the first redacted issue is being made public.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py:

    Canonical link: https://commits.webkit.org/263099@main

Canonical link: https://commits.webkit.org/259548.673@safari-7615-branch


  Commit: 2bedb0e080ed17d6d9b5096f2dc422c235ffe411
      https://github.com/WebKit/WebKit/commit/2bedb0e080ed17d6d9b5096f2dc422c235ffe411
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py

  Log Message:
  -----------
  Cherry-pick 263101 at main (9384f300d865). rdar://107343169

    [git-webkit] Prevent publication of commits for redacted PRs
    https://bugs.webkit.org/show_bug.cgi?id=254627
    rdar://107343169

    Reviewed by Dewei Zhu.

    Since we have a way of marking issues as exempt from redaction, local tooling
    should not aid the user in uploading commits for redacted issues.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
    (PullRequest.create_pull_request): Exit program if user declines (or cannot) upload
    a redacted change.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py:

    Canonical link: https://commits.webkit.org/263101@main

Canonical link: https://commits.webkit.org/259548.674@safari-7615-branch


  Commit: 9ba6158e50770841848839e617e09da0466bba00
      https://github.com/WebKit/WebKit/commit/9ba6158e50770841848839e617e09da0466bba00
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    M Tools/Scripts/webkitpy/tool/commands/commandtest.py
    M Tools/Scripts/webkitpy/tool/commands/upload.py
    M Tools/Scripts/webkitpy/tool/commands/upload_unittest.py
    M Tools/Scripts/webkitpy/tool/steps/__init__.py
    A Tools/Scripts/webkitpy/tool/steps/checkforredactedissue.py

  Log Message:
  -----------
  Cherry-pick 263104 at main (dc5b85ccaaa7). rdar://108169167

    [webkit-patch] Check issue redaction before upload
    https://bugs.webkit.org/show_bug.cgi?id=255565
    rdar://108169167

    Rubber-stamped by Alan Baradlay.

    webkit-patch should check if a patch references a redacted issue, just like git-webkit.

    * Tools/Scripts/webkitpy/tool/commands/commandtest.py:
    (CommandsTest.assert_execute_outputs): Check command output, even when exceptions are raised.
    * Tools/Scripts/webkitpy/tool/commands/upload.py:
    (AbstractPatchUploadingCommand._issues): List all issues associated with patch being uploaded.
    (AbstractPatchUploadingCommand._prepare_state): Cache issues associated with patch.
    (Post): Check that associated issues are not redacted.
    (LandSafely): Ditto.
    (Upload): Ditto.
    (Upload._prepare_state): Cache issues associated with patch.
    * Tools/Scripts/webkitpy/tool/commands/upload_unittest.py:
    (MockIssue):
    (MockRedaction):
    (UploadCommandsTest.test_upload_blocked):
    (UploadCommandsTest.test_upload_exempt):
    * Tools/Scripts/webkitpy/tool/steps/__init__.py: Export CheckForRedactedIssue.
    * Tools/Scripts/webkitpy/tool/steps/checkforredactedissue.py: Added.
    (CheckForRedactedIssue): Abandon upload if associated issues are redacted.

    Canonical link: https://commits.webkit.org/263104@main

Canonical link: https://commits.webkit.org/259548.675@safari-7615-branch


  Commit: 39b0087a0443ead18c79b840fbdd898a2ec2e201
      https://github.com/WebKit/WebKit/commit/39b0087a0443ead18c79b840fbdd898a2ec2e201
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/local/git.py

  Log Message:
  -----------
  Cherry-pick 263190 at main (610c7d596fb7). rdar://108328653

    [git-webkit] Avoid listing all branches for old commits
    https://bugs.webkit.org/show_bug.cgi?id=255737
    rdar://108328653

    Reviewed by Dewei Zhu.

    For very old commits, listing all branches those commits are members of
    can be very expensive. It's also a fairly wasteful operation, most commits
    are on `main`, so we should quickly check that case first before attempting
    the more general case.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/local/git.py:
    (Git._is_on_default_branch): Directly check if a commit is on the default branch.
    (Git.commit): Attempt to directly check if a commit is on the default branch before
    listing all branches for a commit.

    Canonical link: https://commits.webkit.org/263190@main

Canonical link: https://commits.webkit.org/259548.676@safari-7615-branch


  Commit: be22708f4dbd06657377fd22b92926faee34e01b
      https://github.com/WebKit/WebKit/commit/be22708f4dbd06657377fd22b92926faee34e01b
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    M Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.cpp

  Log Message:
  -----------
  Unreviewed build fix. rdar://107885426

Source/WebKit/UIProcess/RemoteLayerTree/RemoteScrollingTree.cpp:76:9: error: value of type 'WebKit::RemoteScrollingCoordinatorProxy' is not contextually convertible to 'bool'

Canonical link: https://commits.webkit.org/259548.677@safari-7615-branch


  Commit: 7c662f5b36e37d3496bcfc361c9545a13f28ef24
      https://github.com/WebKit/WebKit/commit/7c662f5b36e37d3496bcfc361c9545a13f28ef24
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt
    A LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html
    M Source/WebCore/rendering/RenderInline.cpp

  Log Message:
  -----------
  Renderinline::offsetForInFlowPositionedInline causes a null-deref of a laybox on repaint.
https://bugs.webkit.org/show_bug.cgi?id=255552.
rdar://107952390.

Reviewed by Alan Baradlay.

Line layout codepath invalidation is triggered by JS which issues a repaint on the newly inserted renderer. The newly inserted renderer is used for geometry computations and which calls offsetForInFlowPositionedInline in case of inline boxes. This tries to access the lineBoxes assocaited with the renderers but they invalidated by previous repaints. This leads to null deref of the lineboxes.

* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint-expected.txt: Added.
* LayoutTests/fast/inline/layoutBox-null-deref-crash-on-repaint.html: Added.
* Source/WebCore/rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::isLineLayoutPresent const):
* Source/WebCore/rendering/RenderBlockFlow.h:
* Source/WebCore/rendering/RenderInline.cpp:
(WebCore::RenderInline::offsetForInFlowPositionedInline const):

Canonical link: https://commits.webkit.org/259548.678@safari-7615-branch


  Commit: 5334ed87186f273a6409bf0d5d38c36faf30060f
      https://github.com/WebKit/WebKit/commit/5334ed87186f273a6409bf0d5d38c36faf30060f
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    M Source/WebKit/UIProcess/ios/WKWebGeolocationPolicyDeciderIOS.mm

  Log Message:
  -----------
  Cherry-pick 14f467660549. rdar://problem/107352115

    Regression(259658 at main) Geolocation permission prompt is no longer showing in modal view
    https://bugs.webkit.org/show_bug.cgi?id=255133
    rdar://107352115

    Reviewed by Wenson Hsieh and Tim Horton.

    Use the same view controller to present the prompt as the UIWebView code used to.
    I have verified locally that this fixes the issue.

    * Source/WebKit/UIProcess/ios/WKWebGeolocationPolicyDeciderIOS.mm:
    (-[WKWebGeolocationPolicyDecider _executeNextChallenge]):

    Canonical link: https://commits.webkit.org/262697@main

Identifier: 259548.679 at safari-7615-branch


  Commit: 07d73d8cb1379586ef0e812a3e65291a2f9b92ef
      https://github.com/WebKit/WebKit/commit/07d73d8cb1379586ef0e812a3e65291a2f9b92ef
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    M Source/WebKit/Shared/Cocoa/SandboxExtensionCocoa.mm
    M Source/WebKit/UIProcess/WebProcessPool.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm

  Log Message:
  -----------
  Cherry-pick 2dbbdbf493db. rdar://problem/107723629

    REGRESSION (iOS 16.4): Chrome crashes in WebBackForwardCache::takeSuspendedPage
    https://bugs.webkit.org/show_bug.cgi?id=255102
    rdar://107723629

    Reviewed by Geoffrey Garen.

    We recently added an AddAllowedFirstPartyForCookies async IPC call inside
    WebProcessPool::processForNavigation(), right after we decide which process to
    use. Because the IPC is async, this means that the selected process may crash
    while we're waiting for a response. If this happens, we now call
    processForNavigation() again to select a new process instead of trying to
    proceed with the navigation with the terminated process.

    Similarly, also make sure that the destination suspendedPage is still valid
    after receiving the async IPC, in case the back/forward cache got cleared
    during the IPC (e.g. due to memory pressure).

    * Source/WebKit/UIProcess/WebProcessPool.cpp:
    (WebKit::WebProcessPool::processForNavigation):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:

    Canonical link: https://commits.webkit.org/262709@main

Identifier: 259548.680 at safari-7615-branch


  Commit: 1e04ec38d7f9319fbd8ed2fb4a1d7071fe315002
      https://github.com/WebKit/WebKit/commit/1e04ec38d7f9319fbd8ed2fb4a1d7071fe315002
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_render_utils.h

  Log Message:
  -----------
  ANGLE mtl_render_utils.h various classes have uninitialised std::array<> members
https://bugs.webkit.org/show_bug.cgi?id=255865
rdar://90537480

Reviewed by Dean Jackson.

Initialize all needed std::array<>s via value initialization.
The default initialization does not initialize the array, leading to
uninitialized reads.

The std::array<>s in RenderUtils are value-initialized in the constructor.

* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/mtl_render_utils.h:
(rx::mtl::RenderUtils::angle::EnumSize<PixelType>):

Canonical link: https://commits.webkit.org/259548.681@safari-7615-branch


  Commit: faf6a474e931160a68aa2abb5db341a5e946fc8a
      https://github.com/WebKit/WebKit/commit/faf6a474e931160a68aa2abb5db341a5e946fc8a
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    A LayoutTests/fast/dom/object-load-pdf-data-url-expected.txt
    A LayoutTests/fast/dom/object-load-pdf-data-url.html
    M Source/WebCore/html/HTMLImageLoader.cpp
    M Source/WebKit/WebProcess/Plugins/PDF/PDFPlugin.mm

  Log Message:
  -----------
  Cherry-pick 2c5a97645ec0. rdar://problem/107795151

    Regression(255052 at main) Some streaming sites fail with an Embedded Video Sandbox Browser Error
    https://bugs.webkit.org/show_bug.cgi?id=255900
    <rdar://107795151>

    Reviewed by Tim Horton and Darin Adler.

    Some streaming sites fail with an Embedded Video Sandbox Browser Error since
    255052 at main. 255052 at main seems correct per the specification but exposing the
    "Chrome PDF Viewer" caused those sites to use a different code path for
    validating iframe sandboxing.

    They now try to load a data URL with a pdf MIME type inside an <object> element
    and this was firing an error event on iOS, which was causing the site's logic
    to display the sandbox error.

    There is logic inside WebFrameLoaderClient::objectContentType() that is iOS
    specific and causes us  to try to load PDF as an image when inside an <object>.
    This is because we don't support loadings such PDFs as plugins on iOS.

    However, WebKit, in general, doesn't fire load/error events on <object> elements
    that are loaded as plugins. It only does so when loading the <object> as an image.
    I propose that we stop firing the load/error events for <object> loads of PDFs on
    iOS, to make it look like they were loaded as plugins and avoid firing events that
    could confuse sites such as the ones in the radar.

    * LayoutTests/fast/dom/object-load-pdf-data-url-expected.txt: Added.
    * LayoutTests/fast/dom/object-load-pdf-data-url.html: Added.
    * Source/WebCore/html/HTMLImageLoader.cpp:
    (WebCore::HTMLImageLoader::dispatchLoadEvent():

    Canonical link: https://commits.webkit.org/263377@main

Identifier: 259548.682 at safari-7615-branch


  Commit: 4cd2a95afafccf579cd05455d3bc9566351ad979
      https://github.com/WebKit/WebKit/commit/4cd2a95afafccf579cd05455d3bc9566351ad979
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-values/hypot-pow-sqrt-computed-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-values/hypot-pow-sqrt-computed.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-values/round-mod-rem-computed-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-values/round-mod-rem-computed.html
    M Source/WebCore/css/calc/CSSCalcOperationNode.cpp
    M Source/WebCore/css/calc/CSSCalcOperationNode.h

  Log Message:
  -----------
  Cherry-pick 1643a89b579b. rdar://problem/107168358

    css/css-values/hypot-pow-sqrt-computed.html WPT crashes
    https://bugs.webkit.org/show_bug.cgi?id=254392

    Reviewed by Tim Nguyen.

    When simplifying hypot CSSCalcOperationNodes we may have only one child and
    it may not be a CSSCalcPrimitiveValueNode, in that case do not simplify.

    Add a similar check and tests for round, mod and rem.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-values/hypot-pow-sqrt-computed-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-values/hypot-pow-sqrt-computed.html:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-values/round-mod-rem-computed-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-values/round-mod-rem-computed.html:
    * Source/WebCore/css/calc/CSSCalcOperationNode.cpp:
    (WebCore::CSSCalcOperationNode::combineChildren):
    * Source/WebCore/css/calc/CSSCalcOperationNode.h:

    Canonical link: https://commits.webkit.org/263345@main

Identifier: 259548.683 at safari-7615-branch


  Commit: 11680b16159b14480308a96e7700b7f290649909
      https://github.com/WebKit/WebKit/commit/11680b16159b14480308a96e7700b7f290649909
  Author: Tim Nguyen <ntim at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-values/hypot-pow-sqrt-computed-expected.txt
    M Source/WebCore/platform/calc/CalcExpressionOperation.cpp

  Log Message:
  -----------
  Cherry-pick a9211716efb3. rdar://problem/108487071

    CSS hypot() function sometimes returns the result squared
    https://bugs.webkit.org/show_bug.cgi?id=255905
    rdar://108487071

    Reviewed by Tim Horton.

    In cases where the result is computed by CalcExpressionOperation.cpp, the result ends up being squared, because we're missing a sqrt() operation.
    The result is correct for cases computed by CSSCalcOperationNode.cpp however, ideally code should be shared to prevent these types of bugs.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-values/hypot-pow-sqrt-computed-expected.txt:
    * Source/WebCore/platform/calc/CalcExpressionOperation.cpp:
    (WebCore::CalcExpressionOperation::evaluate const):

    Canonical link: https://commits.webkit.org/263351@main

Identifier: 259548.684 at safari-7615-branch


  Commit: 84d7397487c0f6320eb59d34772195a8b81ee72a
      https://github.com/WebKit/WebKit/commit/84d7397487c0f6320eb59d34772195a8b81ee72a
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    A LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-pinch-out-expected.txt
    A LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-pinch-out.html
    M LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-scroll-deceleration-with-obscured-inset.html
    M LayoutTests/resources/ui-helper.js
    M Source/WebCore/page/ChromeClient.h
    M Source/WebCore/page/FrameView.cpp
    A Source/WebCore/page/LocalFrameView.h
    M Source/WebCore/platform/ScrollableArea.cpp
    M Source/WebCore/platform/ScrollableArea.h
    M Source/WebKit/Platform/spi/ios/UIKitSPI.h
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
    M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm
    M Source/WebKit/UIProcess/ios/WKScrollView.mm
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.h
    M Source/WebKit/WebProcess/WebPage/WebPage.h

  Log Message:
  -----------
  Apply patch. rdar://problem/108008629

Identifier: 259548.685 at safari-7615-branch


  Commit: 1d51b2fcc819ac2982f20cbd5e41d89292773e2f
      https://github.com/WebKit/WebKit/commit/1d51b2fcc819ac2982f20cbd5e41d89292773e2f
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    R LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-pinch-out-expected.txt
    R LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-pinch-out.html
    M LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-scroll-deceleration-with-obscured-inset.html
    M LayoutTests/resources/ui-helper.js
    M Source/WebCore/page/ChromeClient.h
    M Source/WebCore/page/FrameView.cpp
    R Source/WebCore/page/LocalFrameView.h
    M Source/WebCore/platform/ScrollableArea.cpp
    M Source/WebCore/platform/ScrollableArea.h
    M Source/WebKit/Platform/spi/ios/UIKitSPI.h
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
    M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm
    M Source/WebKit/UIProcess/ios/WKScrollView.mm
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.h
    M Source/WebKit/WebProcess/WebPage/WebPage.h

  Log Message:
  -----------
  Revert "Apply patch. rdar://problem/108008629"

This reverts commit 84d7397487c0f6320eb59d34772195a8b81ee72a.

Identifier: 259548.686 at safari-7615-branch


  Commit: 2c37e8ef640dc83e01580c92fdce006610bc2e35
      https://github.com/WebKit/WebKit/commit/2c37e8ef640dc83e01580c92fdce006610bc2e35
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    A LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-pinch-out-expected.txt
    A LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-pinch-out.html
    M LayoutTests/css3/scroll-snap/ios/scroll-snap-mainframe-scroll-deceleration-with-obscured-inset.html
    M LayoutTests/resources/ui-helper.js
    M Source/WebCore/page/ChromeClient.h
    M Source/WebCore/page/FrameView.cpp
    M Source/WebCore/page/FrameView.h
    M Source/WebCore/platform/ScrollableArea.cpp
    M Source/WebCore/platform/ScrollableArea.h
    M Source/WebKit/Platform/spi/ios/UIKitSPI.h
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
    M Source/WebKit/UIProcess/RemoteLayerTree/ios/RemoteScrollingCoordinatorProxyIOS.mm
    M Source/WebKit/UIProcess/ios/WKScrollView.mm
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.h
    M Source/WebKit/WebProcess/WebPage/WebPage.h

  Log Message:
  -----------
  Apply patch. rdar://problem/108008629

Identifier: 259548.687 at safari-7615-branch


  Commit: 0500e7adcfa56961c08d67e8032c7dba6a1d39f2
      https://github.com/WebKit/WebKit/commit/0500e7adcfa56961c08d67e8032c7dba6a1d39f2
  Author: Aakash Jain <aakash_jain at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    A Tools/Scripts/upload-file-to-url

  Log Message:
  -----------
  Cherry-pick 262888 at main (ab2b21fb6389). https://bugs.webkit.org/show_bug.cgi?id=255340

    [ews] Add a script to upload a file to given url
    https://bugs.webkit.org/show_bug.cgi?id=255340

    Reviewed by Ryan Haddad.

    * Tools/Scripts/upload-file-to-url: Added.

    Canonical link: https://commits.webkit.org/262888@main

Canonical link: https://commits.webkit.org/259548.688@safari-7615-branch


  Commit: a75d564e8c5f4448c1f629a342831c6cc53db761
      https://github.com/WebKit/WebKit/commit/a75d564e8c5f4448c1f629a342831c6cc53db761
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    A JSTests/stress/regress-255806.js
    M Source/JavaScriptCore/runtime/StringPrototype.cpp

  Log Message:
  -----------
  jsc_fuzz: ASSERTION FAILED: !is8Bit() || isEmpty() in stringProtoFuncToWellFormed()
https://bugs.webkit.org/show_bug.cgi?id=255806
<rdar://108256807>

Reviewed by Yusuke Suzuki.

It's necessary to resolve a rope to determine if a string is 8-bit: JSRopeString's is8BitInPointer merely
implies it can be represented as 8-bit, but after the rope is resolved, it can become a 16-bit string.

* JSTests/stress/regress-255806.js: Added.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/259548.689@safari-7615-branch


  Commit: b05050e0cc0031ca2bf2f2d26d002639629dee18
      https://github.com/WebKit/WebKit/commit/b05050e0cc0031ca2bf2f2d26d002639629dee18
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-04-25 (Tue, 25 Apr 2023)

  Changed paths:
    A JSTests/stress/marked-buffer-fill-should-be-gc-aware.js
    M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
    M Source/JavaScriptCore/runtime/ArgList.h

  Log Message:
  -----------
  [JSC] MarkedVector::fill should register itself as a root
https://bugs.webkit.org/show_bug.cgi?id=255951
rdar://108261913

Reviewed by Alexey Shvayka and Justin Michaud.

1. MarkedVector::fill is not registering itself as a strong root of GC. This patch fixes it with m_markSet->add.
2. Initialize buffer with empty value in MarkedVector::fill. This buffer can be scanned via GC when GC is invoked from
   a passed lambda.

* JSTests/stress/marked-buffer-fill-should-be-gc-aware.js: Added.
(foo):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::handleVarargsCheckpoint):
* Source/JavaScriptCore/runtime/ArgList.h:
(JSC::MarkedVector::fill):

Canonical link: https://commits.webkit.org/259548.690@safari-7615-branch


  Commit: 2feb3068b0538f424b0eee65e9df802d313446a2
      https://github.com/WebKit/WebKit/commit/2feb3068b0538f424b0eee65e9df802d313446a2
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-04-26 (Wed, 26 Apr 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/land_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/squash_unittest.py

  Log Message:
  -----------
  Cherry-pick 263251 at main (556bf5c84d3e). rdar://97741202

    [git-webkit] Update fork via API instead of local push
    https://bugs.webkit.org/show_bug.cgi?id=243283
    rdar://97741202

    Reviewed by Aakash Jain.

    For GitHub forks, update the fork via GitHub's API before pushing anything
    to avoid re-pushing commits GitHub already has.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/git_hub.py:
    (GitHub.request): Mock 'merge-upstream' path.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
    (PullRequest.create_pull_request): Update fork's base branch before pushing PR branch,
    and use GitHub's API to update the fork if available.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/land_unittest.py:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/squash_unittest.py:

    Canonical link: https://commits.webkit.org/263251@main

Canonical link: https://commits.webkit.org/259548.691@safari-7615-branch


  Commit: a22a1db149f87c88a03b001d569b0c5d02bcce42
      https://github.com/WebKit/WebKit/commit/a22a1db149f87c88a03b001d569b0c5d02bcce42
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-04-26 (Wed, 26 Apr 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/svn.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/svn_unittest.py

  Log Message:
  -----------
  Cherry-pick 263389 at main (0756acde4447). rdar://108510545

    [git-webkit] Allow alternative publication account
    https://bugs.webkit.org/show_bug.cgi?id=255934
    rdar://108510545

    Reviewed by Elliott Williams.

    Support a --user option in `git-webkit publish` to allow an alternative account
    from a user's regular development account to perform the push.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py:
    (Publish.parser): Add --user option.
    (Publish.main): Prompt user for password if --user specified, pass that password via
    environment variable to `git push` commands.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/setup.py:
    (Setup.git): Add credential helper, event if the checkout is not a HTTPs checkout.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py:
    (BitBucket.checkout_url): Return ssh and http checkout URL.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py:
    (GitHub.checkout_url): Return ssh and http checkout URL.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py:
    (Scm.checkout_url): Added.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/svn.py:
    (Svn.checkout_url): Return http checkout URL.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py:
    (TestGitHub.test_checkout_url):
    (TestBitBucket.test_checkout_url):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/svn_unittest.py:
    (TestRemoteSvn.test_checkout_url):

    Canonical link: https://commits.webkit.org/263389@main

Canonical link: https://commits.webkit.org/259548.692@safari-7615-branch


  Commit: 5e67e613d41ad26e5c9a7a0aedb0d98521ab9aff
      https://github.com/WebKit/WebKit/commit/5e67e613d41ad26e5c9a7a0aedb0d98521ab9aff
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-04-26 (Wed, 26 Apr 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py

  Log Message:
  -----------
  Cherry-pick 263431 at main (2a1e05db9254). rdar://108565576

    [git-webkit] Fallback to git push if API call fails
    https://bugs.webkit.org/show_bug.cgi?id=255999
    rdar://108565576

    Reviewed by Aakash Jain.

    This is a follow-up fix for 263251 at main.

    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
    (PullRequest.create_pull_request): Push target branch to fork if the branch doesn't exist.

    Canonical link: https://commits.webkit.org/263431@main

Canonical link: https://commits.webkit.org/259548.693@safari-7615-branch


  Commit: f1d2dd13dd491f766d8dbde1b6a5eed5d3801373
      https://github.com/WebKit/WebKit/commit/f1d2dd13dd491f766d8dbde1b6a5eed5d3801373
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-04-26 (Wed, 26 Apr 2023)

  Changed paths:
    M metadata/trackers.json

  Log Message:
  -----------
  Cherry-pick 263440 at main (9c5f7b8588c3). rdar://107615755

    [git-webkit] Provide mechanism to exempt bugs from redaction (Follow-up)
    https://bugs.webkit.org/show_bug.cgi?id=254993
    rdar://107615755

    Reviewed by Ryan Haddad.

    * metadata/trackers.json: Rename keyword.

    Canonical link: https://commits.webkit.org/263440@main

Canonical link: https://commits.webkit.org/259548.694@safari-7615-branch


  Commit: a61e3766b183d6a0c872ca9dbce651391d7b0853
      https://github.com/WebKit/WebKit/commit/a61e3766b183d6a0c872ca9dbce651391d7b0853
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2023-04-27 (Thu, 27 Apr 2023)

  Changed paths:
    M Source/WebKit/WebProcess/GPU/media/cocoa/VideoLayerRemoteCocoa.mm

  Log Message:
  -----------
  Cherry-pick 8a95a469c00c. rdar://problem/108109357

    [Cocoa] Extra transform left on video layer when UI-side compositing is disabled
    https://bugs.webkit.org/show_bug.cgi?id=256027
    rdar://108109357

    Reviewed by Eric Carlson.

    In -resolveBounds, we bail out early if the WKVideoLayerRemote has the correct bounds and has
    a identity affineTransform. But in -layoutSublayers we apply the transform directly to the
    videoLayer, rather than the WKVideoLayerRemote itself, so this check will always succeed.

    Leaving the transformation in place _should_ have no perceivable side effects. However power
    testing has revealed that in some circumstances, this layer change may result in excess power
    use when displaying video in fullscreen mode.

    * Source/WebKit/WebProcess/GPU/media/cocoa/VideoLayerRemoteCocoa.mm:
    (-[WKVideoLayerRemote resolveBounds]):

    Canonical link: https://commits.webkit.org/263456@main

Canonical link: https://commits.webkit.org/259548.695@safari-7615-branch


  Commit: cd940689dbca5046675dcfb3965d40f15342581c
      https://github.com/WebKit/WebKit/commit/cd940689dbca5046675dcfb3965d40f15342581c
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-04-27 (Thu, 27 Apr 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.1

Identifier: 259548.696 at safari-7615-branch


  Commit: bc76e765c3350557cd6400263e7206270f24dc1a
      https://github.com/WebKit/WebKit/commit/bc76e765c3350557cd6400263e7206270f24dc1a
  Author: Dawn Flores <dawn_flores at apple.com>
  Date:   2023-04-27 (Thu, 27 Apr 2023)

  Changed paths:
    M LayoutTests/platform/mac-ventura/TestExpectations

  Log Message:
  -----------
  [ Gardening ]([ EWS arm64 ] 3x imported/w3c/web-platform-tests/css/css-color/parsing/color* (layout-tests) are constant failures)
rdar://108624999

Unreviewed test gardening.

* LayoutTests/platform/mac-ventura/TestExpectations:

Canonical link: https://commits.webkit.org/259548.697@safari-7615-branch


  Commit: bdb16982bf8259f58dd11d9e3c03a03ba45ca248
      https://github.com/WebKit/WebKit/commit/bdb16982bf8259f58dd11d9e3c03a03ba45ca248
  Author: Dawn Flores <dawn_flores at apple.com>
  Date:   2023-04-27 (Thu, 27 Apr 2023)

  Changed paths:
    M LayoutTests/platform/mac-monterey/TestExpectations

  Log Message:
  -----------
  [Gardening] (Mass Expectations for failing tests on branch)
rdar://107906590

Unreviewed test gardening.

* LayoutTests/platform/mac-monterey/TestExpectations:

Canonical link: https://commits.webkit.org/259548.698@safari-7615-branch


  Commit: c80d8c789c3e0545dee40d60b2908321a720fae8
      https://github.com/WebKit/WebKit/commit/c80d8c789c3e0545dee40d60b2908321a720fae8
  Author: Dawn Flores <dawn_flores at apple.com>
  Date:   2023-04-27 (Thu, 27 Apr 2023)

  Changed paths:
    M LayoutTests/platform/mac-ventura/TestExpectations

  Log Message:
  -----------
  [ Gardening ]fast/images/avif-image-docu ment.html is a flaky crash (251099))
rdar://104615689
https://bugs.webkit.org/show_bug.cgi?id=251099

Unreviewed test gardening.

Resolving a typo.

* LayoutTests/platform/mac-ventura/TestExpectations:

Canonical link: https://commits.webkit.org/259548.699@safari-7615-branch


  Commit: f68117865bcfdad098e513d31a3a1545fce9e762
      https://github.com/WebKit/WebKit/commit/f68117865bcfdad098e513d31a3a1545fce9e762
  Author: Tyler Wilcock <tyler_w at apple.com>
  Date:   2023-04-27 (Thu, 27 Apr 2023)

  Changed paths:
    M Source/WTF/wtf/PlatformEnableCocoa.h
    M Source/WebCore/accessibility/mac/AXObjectCacheMac.mm

  Log Message:
  -----------
  Cherry-pick e6a6b562387c. rdar://problem/107946915

    AX: ITM should only be available for Ventura and later
    https://bugs.webkit.org/show_bug.cgi?id=255501
    rdar://107946915

    Reviewed by Chris Fleizach.

    ENABLE(ACCESSIBILITY_ISOLATED_TREE) should require macOS >= 13.0 -- this
    patch fixes that.

    * Source/WTF/wtf/PlatformEnableCocoa.h:
    * Source/WebCore/accessibility/mac/AXObjectCacheMac.mm:

    Canonical link: https://commits.webkit.org/263330@main

Identifier: 259548.700 at safari-7615-branch


  Commit: 242b34db872adec699b7f804f89aa74d8f51f599
      https://github.com/WebKit/WebKit/commit/242b34db872adec699b7f804f89aa74d8f51f599
  Author: Brady Eidson <beidson at apple.com>
  Date:   2023-04-27 (Thu, 27 Apr 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/notifications/idlharness.https.any-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/notifications/idlharness.https.any.serviceworker-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/notifications/idlharness.https.any.worker-expected.txt
    M Source/WebCore/Modules/notifications/Notification.cpp
    M Source/WebCore/Modules/notifications/Notification.h
    M Source/WebCore/Modules/notifications/Notification.idl
    M Source/WebCore/Modules/notifications/NotificationData.cpp
    M Source/WebCore/Modules/notifications/NotificationData.h
    M Source/WebCore/Modules/notifications/NotificationDataCocoa.mm
    M Source/WebCore/Modules/notifications/NotificationOptions.idl
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
    M Source/WebKit/UIProcess/API/Cocoa/_WKNotificationData.h
    M Source/WebKit/UIProcess/API/Cocoa/_WKNotificationData.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/PushAPI.mm

  Log Message:
  -----------
  Cherry-pick c33fee9a5907. rdar://problem/108624855

    WebKit needs to pass along NotificationOptions.silent to API clients
    https://bugs.webkit.org/show_bug.cgi?id=254562
    rdar://107424158

    Reviewed by Megan Gardner.

    WebKit doesn't display notifications itself. API clients do that.
    WebKit simply passes along all of the information about the proposed notification to the client.

    If a client wants to support notifications having sound, it also needs to know when a particular
    notification should be silent.

    JavaScript can specify in its NotificationOptions dictionary whether or not it prefers a
    notification be silent.

    This patch pays attention to the silent flag and passes along to the API client whether it:
    - Was set to true
    - Was set to false
    - Was not set at all

    * Source/WebCore/Modules/notifications/Notification.cpp:
    (WebCore::Notification::create):
    (WebCore::Notification::Notification):
    (WebCore::Notification::data const):
    * Source/WebCore/Modules/notifications/Notification.h:
    * Source/WebCore/Modules/notifications/Notification.idl:

    * Source/WebCore/Modules/notifications/NotificationData.cpp:
    (WebCore::NotificationData::isolatedCopy const):
    (WebCore::NotificationData::isolatedCopy):
    * Source/WebCore/Modules/notifications/NotificationData.h:

    * Source/WebCore/Modules/notifications/NotificationDataCocoa.mm:
    (WebCore::nsValueToOptionalBool):
    (WebCore::NotificationData::fromDictionary):
    (WebCore::NotificationData::dictionaryRepresentation const):

    * Source/WebCore/Modules/notifications/NotificationOptions.idl:

    * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

    * Source/WebKit/UIProcess/API/Cocoa/_WKNotificationData.h:
    * Source/WebKit/UIProcess/API/Cocoa/_WKNotificationData.mm:
    (-[_WKNotificationData initWithCoreData:dataStore:]):

    * Tools/TestWebKitAPI/Tests/WebKitCocoa/PushAPI.mm:

    Canonical link: https://commits.webkit.org/263184@main

Identifier: 259548.701 at safari-7615-branch


  Commit: d7114d64c3205f9c9a4d05c538f69821eddaba8f
      https://github.com/WebKit/WebKit/commit/d7114d64c3205f9c9a4d05c538f69821eddaba8f
  Author: Aditya Keerthi <akeerthi at apple.com>
  Date:   2023-04-27 (Thu, 27 Apr 2023)

  Changed paths:
    A LayoutTests/fast/forms/datalist/datalist-dropdown-transformed-element-crash-expected.txt
    A LayoutTests/fast/forms/datalist/datalist-dropdown-transformed-element-crash.html
    M Source/WebKit/UIProcess/mac/WebDataListSuggestionsDropdownMac.mm

  Log Message:
  -----------
  [macOS] Crash when presenting a datalist dropdown for a transformed element
https://bugs.webkit.org/show_bug.cgi?id=256029
rdar://105190475

Reviewed by Wenson Hsieh.

AppKit throws an exception when an `NSWindow` is constructed with an
invalid frame. The `<datalist>` dropdown is an `NSWindow` with a frame derived
from the rect of its associated element. When this element is off-screen or
abnormally large, the frame used for the window may be invalid.

Fix by ensuring the frame can never be outside the screen.

* LayoutTests/fast/forms/datalist/datalist-dropdown-transformed-element-crash-expected.txt: Added.
* LayoutTests/fast/forms/datalist/datalist-dropdown-transformed-element-crash.html: Added.
* Source/WebKit/UIProcess/mac/WebDataListSuggestionsDropdownMac.mm:
(-[WKDataListSuggestionsController dropdownRectForElementRect:]):

1. Use the presenting window's screen, rather than the main screen for correctness.
2. Take the intersection of the screen's visible frame and the element's visible frame to avoid using an invalid rect.
3. Ensure the minimum origin of the window is (0, 0).

Canonical link: https://commits.webkit.org/259548.702@safari-7615-branch


  Commit: 0ffc79d64999230b42051334ef806821fa2fda04
      https://github.com/WebKit/WebKit/commit/0ffc79d64999230b42051334ef806821fa2fda04
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-04-27 (Thu, 27 Apr 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/fullscreen/exit-full-screen-video-crash-expected.txt
    A LayoutTests/fullscreen/exit-full-screen-video-crash.html
    M Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm

  Log Message:
  -----------
  Fix crash when HTMLMediaElement::exitFullscreen is called on a video
element which is not currently full screen
https://bugs.webkit.org/show_bug.cgi?id=255970
rdar://108489504

Reviewed by Jer Noble.

This change fixes an issue where exitFullScreen is called on video, but
the current full screen element is div, due to which we end up
scheduling the webkitendfullscreenEvent event for video, which trips
over an assertion.

* LayoutTests/fullscreen/exit-full-screen-video-crash-expected.txt: Added.
* LayoutTests/fullscreen/exit-full-screen-video-crash.html: Added.
* Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm:
(WebKit::VideoFullscreenManager::exitVideoFullscreenForVideoElement):
(WebKit::VideoFullscreenManager::exitVideoFullscreenToModeWithoutAnimation):

Canonical link: https://commits.webkit.org/259548.703@safari-7615-branch


  Commit: 6daf218b50fbf8921a5271ca8b9106d1772da05a
      https://github.com/WebKit/WebKit/commit/6daf218b50fbf8921a5271ca8b9106d1772da05a
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-04-28 (Fri, 28 Apr 2023)

  Changed paths:
    M Tools/TestWebKitAPI/Tests/WTF/bmalloc/IsoHeap.cpp

  Log Message:
  -----------
  Cherry-pick b6951b41f339. rdar://problem/108470299

    Unreviewed, suppress warning
    https://bugs.webkit.org/show_bug.cgi?id=255887
    rdar://108470299

    * Tools/TestWebKitAPI/Tests/WTF/bmalloc/IsoHeap.cpp:
    (TEST):

    Canonical link: https://commits.webkit.org/263332@main

Canonical link: https://commits.webkit.org/259548.704@safari-7615-branch


  Commit: 2c77ea0857a3136736ab8948ceb2a529e293acbe
      https://github.com/WebKit/WebKit/commit/2c77ea0857a3136736ab8948ceb2a529e293acbe
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-04-28 (Fri, 28 Apr 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    M Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp
    M Source/WebCore/rendering/CounterNode.cpp
    M Source/WebCore/rendering/LegacyLineLayout.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderCounter.cpp
    M Source/WebCore/rendering/RenderCounter.h
    M Source/WebCore/rendering/RenderView.cpp
    M Source/WebCore/rendering/RenderView.h
    M Source/WebCore/rendering/line/BreakingContext.h
    M Source/WebCore/rendering/updating/RenderTreeBuilder.cpp
    M Source/WebCore/rendering/updating/RenderTreeUpdater.cpp
    M Source/WebCore/rendering/updating/RenderTreeUpdaterGeneratedContent.cpp
    M Source/WebCore/rendering/updating/RenderTreeUpdaterGeneratedContent.h

  Log Message:
  -----------
  Cherry-pick 263127 at main (21790649ca10). rdar://problem/108611630

    Update counters at the end of render tree update
    https://bugs.webkit.org/show_bug.cgi?id=255589
    rdar://108189324

    Reviewed by Alan Baradlay.

    Simplify counter updating by doing it in a single place at the end of render tree update.

    * Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp:
    (WebCore::LayoutIntegration::BoxTree::createLayoutBox):

    Remove layout-time update code from here and elsewhere.

    * Source/WebCore/rendering/CounterNode.cpp:
    (WebCore::CounterNode::resetRenderers):

    Invalidate by adding the counter to a weak map.

    * Source/WebCore/rendering/LegacyLineLayout.cpp:
    (WebCore::dirtyLineBoxesForRenderer):
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::layoutModernLines):
    * Source/WebCore/rendering/RenderCounter.cpp:
    (WebCore::RenderCounter::RenderCounter):
    (WebCore::RenderCounter::willBeDestroyed):
    (WebCore::RenderCounter::originalText const):

    Just generate the text here.

    (WebCore::RenderCounter::updateCounter):

    Use setText instead of setRenderedText so we get correct layout invalidation for free.

    (WebCore::RenderCounter::computePreferredLogicalWidths): Deleted.

    Updating counters is no longer tied to preferred width updates.

    * Source/WebCore/rendering/RenderCounter.h:
    * Source/WebCore/rendering/RenderCounter.cpp:
    (WebCore::RenderCounter::rendererRemovedFromTree): Deleted.
    (WebCore::updateCounters): Deleted.
    (WebCore::RenderCounter::rendererSubtreeAttached): Deleted.

    No need for these tree-traversing move paths anymore. Counters get recomputed using the normal update paths.

    * Source/WebCore/rendering/RenderView.cpp:
    (WebCore::RenderView::addCounterNeedingUpdate):
    (WebCore::RenderView::takeCountersNeedingUpdate):

    Track counters that need updating. This replaces the use preferred logical width bit.

    * Source/WebCore/rendering/RenderView.h:
    * Source/WebCore/rendering/line/BreakingContext.h:
    (WebCore::BreakingContext::handleText):
    (WebCore::updateCounterIfNeeded): Deleted.
    * Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:
    (WebCore::RenderTreeUpdater::commit):
    * Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:
    (WebCore::RenderTreeBuilder::attachToRenderElementInternal):
    (WebCore::RenderTreeBuilder::detachFromRenderElement):
    * Source/WebCore/rendering/updating/RenderTreeUpdaterGeneratedContent.cpp:
    (WebCore::RenderTreeUpdater::GeneratedContent::updateCounters):

    Do The actual updating.

    * Source/WebCore/rendering/updating/RenderTreeUpdaterGeneratedContent.h:

    Canonical link: https://commits.webkit.org/263127@main

Canonical link: https://commits.webkit.org/259548.705@safari-7615-branch


  Commit: 3312a9738245adde0c331414b4f9540984891aff
      https://github.com/WebKit/WebKit/commit/3312a9738245adde0c331414b4f9540984891aff
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2023-04-28 (Fri, 28 Apr 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBox.h

  Log Message:
  -----------
  Cherry-pick e44bd7f346a1. rdar://problem/106454992

    [margin-trim][block layout] Trimmed block-end margins should be reflected in computed style in a horizontal writing-mode BFC.
    https://bugs.webkit.org/show_bug.cgi?id=253610
    rdar://106454992

    Reviewed by Alan Baradlay.

    We currently perform margin trimming by doing some backtracking after a
    block container with block-end margin trim has completed layout (261750 at main).
    In order to make sure that these margins are properly shown in their
    computed style value, we need a way for ComputedStyleExtractor to know
    that the block-end margin for the renderer has been trimmed. This can be
    done by setting the margin-trim rare data bit for that renderer.

    Whenever we trim a margin in RenderBlockFlow::trimBlockEndChildrenMargins,
    we can replace the calls to setMarginAfterForChild with setTrimmedMarginForChild
    which will both trim the margin and set the rare data bit for the renderer.

    Later on when ComputedStyleExtractor tries to determine the value of
    a bottom margin for a renderer it can first use hasTrimmedMargin on the
    renderer in order to determine if that specific margin is trimmed.

    While creating this patch and testing the logic, I found that certain
    margins are not being trimmed correctly. It seems like particularly that
    self collapsing children that has other nested self collapsing content
    do not have the nested content trimmed properly. Whenever we have a
    self collapsing child, we need to also go inside and trim the margins
    of any other children (and perhaps perform this logic for any other
    children that are nested inside that). For example

    <container>
        <item style="margin-bottom: 10px"></item>
        <item style="margin-bottom: 10px; height: 0px;">
            <item style="margin-bottom: 10px; height: 0px;">
                <item style="margin-bottom: 10px; height: 0px;">
                    <item style="margin-bottom: 10px; height: 0px;"></item>
                    <item style="margin-bottom: 10px; height: 0px;"></item>
                </item>
            </item>
        </item>
    </container>

    In this scenario the content itself looks fine as if margin-trimming
    occurred correctly, however when looking at the computed margin-bottom
    values of the nested self collapsing children we can see that their
    margins were not trimmed. Currently we fail the tests in these scenarios
    that are introduced in this patch because of this. I plan on addressing
    this in a separate patch following this one.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end.html: Added.
    * Source/WebCore/css/ComputedStyleExtractor.cpp:
    (WebCore::rendererCanHaveTrimmedMargin):
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::trimBlockEndChildrenMargins):
    * Source/WebCore/rendering/RenderBox.cpp:
    (WebCore::RenderBox::physicalToFlowRelativeDirectionMapping const):
    (WebCore::RenderBox::hasTrimmedMargin const):
    (WebCore::RenderBox::hasTrimmedMargin const):
    * Source/WebCore/rendering/RenderBox.h:
    (WebCore::RenderBox::isBlockLevelBox const):

    Canonical link: https://commits.webkit.org/263398@main

Identifier: 259548.706 at safari-7615-branch


  Commit: 8f853d51e77467ec36628720b243fd347cfd9b02
      https://github.com/WebKit/WebKit/commit/8f853d51e77467ec36628720b243fd347cfd9b02
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2023-04-28 (Fri, 28 Apr 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderLayoutState.cpp
    M Source/WebCore/rendering/RenderLayoutState.h

  Log Message:
  -----------
  Cherry-pick 99e30b0ca8f6. rdar://problem/106452955

    [margin-trim][block-layout] Content at block-start edge should have trimmed margins reflected in computed style
    https://bugs.webkit.org/show_bug.cgi?id=253606
    rdar://106452955

    Reviewed by Alan Baradlay.

    When we trim margins at the block-start edge, we can indicate that the
    renderer has a trimmed margin by replacing the calls to setMarginBefore/After
    with setTrimmedMarginForChild. This will perform the same behavior of
    trimming the renderer's margins by updating its m_marginBox and also
    setting the margin-trim rare data bit to indicate that the margin has
    been trimmed.

    In order to apply this behavior for nested block content that is at the
    block-start edge of the outer block container we need to keep track of
    some additional state. If a block container has block-start margin-trim
    set then it will push some new state onto m_blockStartTrimming to indicate
    that block-start trimming should occur and propagate this information to
    its children in order to determine whether they should trim. This
    new structure acts as a stack that will help nested block containers
    determine if they should trim the margins at their block-start edge
    based upon its containing block's trimming state and its own MarginInfo
    state.

    A block container will push new state onto this stack in the following
    scenarios:

    - If a block-container has block-start margin trim set, then it will push
    some new state onto the stack (true) indicating trimming should occur
    - A nested block container will check to see if its containing block has trimming
    state set by checking the value at the top of the stack along with whether or
    not its margins can collapse through to its containing block
        - If the containing block has trimming state and the nested child's
          margins can collapse through to the top, then the nested child will
          push its own state onto the stack to use later on as it lays out
          its children. The state will be the same as its containing block's
          so that the nested block container will only trim if it is at the
          block-start edge of the containing block that has margin-trim set.

        - If the containing block has trimming state and the nested child's
          margins *cannot* collapse through to the top, then it will push
          state onto the stack (false) to indicate that it should not
          perform any sort of trimming. This will also indicate to nested
          block containers that they should also not trim.

    <div id="container" style="margin-trim: block">
        <div id="outer" style="margin-block-start: 10px; border: 1px solid black; width: 50px; height: 50px; background-color: green;">
            <div id="inner" style="margin-block-start: 10px; border: 1px solid black; width: 50px; height: 50px; background-color: blue;"></div>
        </div>
    </div>

    Here "container," will push some state onto the margin trimming stack
    to indicate that it should trim margins at the block-start edge. When
    "outer," goes through layout, it will see that its containing block had
    set some trimming state so it will do the same. Since it has a border that
    means its children's margins cannot collapse through, so it should not
    trim those margins and set the state appropriately. "Inner," will see
    that its containing block had set some margin-trim state and will need
    to do the same. Since its children's margins could collapse through, it
    will use the same state as its containing block. However, since the
    containing block did not perform trimming, it will also not trim when
    it attempts to use this information.

    In ComputedStyleExtractor, we will check to see if the renderer has its
    top margin trimmed by checking to see if the rare data bit was set during
    layout by using RenderBox::hasTrimmedMargin.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start.html: Added.
    * Source/WebCore/css/ComputedStyleExtractor.cpp:
    (WebCore::rendererCanHaveTrimmedMargin):
    (WebCore::isLayoutDependent):
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::layoutBlockChildren):
    (WebCore::RenderBlockFlow::layoutBlockChild):
    (WebCore::RenderBlockFlow::collapseMarginsWithChildInfo):
    * Source/WebCore/rendering/RenderBox.cpp:
    (WebCore::RenderBox::physicalToFlowRelativeDirectionMapping const):
    (WebCore::RenderBox::hasTrimmedMargin const):
    * Source/WebCore/rendering/RenderBox.h:
    (WebCore::RenderBox::isBlockLevelBox const):
    * Source/WebCore/rendering/RenderLayoutState.cpp:
    (WebCore::RenderLayoutState::RenderLayoutState):
    * Source/WebCore/rendering/RenderLayoutState.h:
    (WebCore::RenderLayoutState::RenderLayoutState):
    (WebCore::RenderLayoutState::pushBlockStartTrimming):
    (WebCore::RenderLayoutState::peekBlockStartTrimming):
    (WebCore::RenderLayoutState::popBlockStartTrimming):

    Canonical link: https://commits.webkit.org/263412@main

Identifier: 259548.707 at safari-7615-branch


  Commit: 433df92ef6c0a2eaf02f62e5bb3a49ff5fcae774
      https://github.com/WebKit/WebKit/commit/433df92ef6c0a2eaf02f62e5bb3a49ff5fcae774
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2023-04-28 (Fri, 28 Apr 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Cherry-pick 809b95bb1a78. rdar://problem/108327029

    [margin-trim][block layout] Nested self-collapsing children at block-end should also be trimmed.
    https://bugs.webkit.org/show_bug.cgi?id=255736
    rdar://108327029

    Reviewed by Alan Baradlay.

    When walking back up the block container for the purposes of block-end
    margin trimming we may run into a self collapsing child that needs to
    have both of its margins trimmed and its position adjusted. However, it
    is also possible that these self-collapsing children may also have other
    self-collapsing children nested arbitrarily within. If that is the case,
    we need to also trim the margins of all of its descendants.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt:
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::trimBlockEndChildrenMargins):

    Canonical link: https://commits.webkit.org/263439@main

Identifier: 259548.708 at safari-7615-branch


  Commit: 6efa0b2526878ed6fa65fbcd7bf95eaa59e47a1d
      https://github.com/WebKit/WebKit/commit/6efa0b2526878ed6fa65fbcd7bf95eaa59e47a1d
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-04-29 (Sat, 29 Apr 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Revert "Cherry-pick 809b95bb1a78. rdar://problem/108327029"

This reverts commit 433df92ef6c0a2eaf02f62e5bb3a49ff5fcae774.

Identifier: 259548.709 at safari-7615-branch


  Commit: 20004ef38ba22c2f3870a8a56bad4f47355c1a22
      https://github.com/WebKit/WebKit/commit/20004ef38ba22c2f3870a8a56bad4f47355c1a22
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-04-29 (Sat, 29 Apr 2023)

  Changed paths:
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderLayoutState.cpp
    M Source/WebCore/rendering/RenderLayoutState.h

  Log Message:
  -----------
  Revert "Cherry-pick 99e30b0ca8f6. rdar://problem/106452955"

This reverts commit 8f853d51e77467ec36628720b243fd347cfd9b02.

Identifier: 259548.710 at safari-7615-branch


  Commit: 52f806e6cbf85e3b97b69164fe1d95ba956cc6fb
      https://github.com/WebKit/WebKit/commit/52f806e6cbf85e3b97b69164fe1d95ba956cc6fb
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-04-29 (Sat, 29 Apr 2023)

  Changed paths:
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBox.h

  Log Message:
  -----------
  Revert "Cherry-pick e44bd7f346a1. rdar://problem/106454992"

This reverts commit 3312a9738245adde0c331414b4f9540984891aff.

Identifier: 259548.711 at safari-7615-branch


  Commit: a7149084a1f528e39c7f2ce10f0e26cee3f93377
      https://github.com/WebKit/WebKit/commit/a7149084a1f528e39c7f2ce10f0e26cee3f93377
  Author: Tim Nguyen <ntim at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-expected.xht
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-parent-expected.xht
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-parent.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/currentcolor-border-repaint-parent-expected.xht
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/currentcolor-border-repaint-parent.html
    M Source/WebCore/animation/CSSPropertyAnimation.cpp
    M Source/WebCore/css/StyleColor.cpp
    M Source/WebCore/css/StyleColor.h
    M Source/WebCore/css/color/CSSUnresolvedColor.cpp
    M Source/WebCore/css/color/CSSUnresolvedColor.h
    M Source/WebCore/editing/EditingStyle.cpp
    M Source/WebCore/rendering/style/BorderData.cpp
    M Source/WebCore/rendering/style/RenderStyle.cpp
    M Source/WebCore/rendering/style/RenderStyle.h
    M Source/WebCore/rendering/style/SVGRenderStyle.cpp
    M Source/WebCore/rendering/style/StyleGradientImage.cpp
    M Source/WebCore/style/ElementRuleCollector.cpp
    M Source/WebCore/svg/properties/SVGAnimationAdditiveValueFunctionImpl.cpp

  Log Message:
  -----------
  Cherry-pick 63a655702b01. rdar://problem/104872702

    Repaint issues with currentColor & color-mix()
    https://bugs.webkit.org/show_bug.cgi?id=256118
    rdar://104872702

    Reviewed by Antti Koivisto.

    There are 2 different issues:
    1. Raw `currentColor` (even without `color-mix()`) will not repaint if the color was changed on the ancestors
    2. Using `currentColor` inside `color-mix()` will not repaint if the color was changed (either on the element itself or the ancestors)

    1. is fixed by taking in account currentColor changes in `RenderStyle::changeRequiresRepaint()`
    2. is fixed by introducing a `containsCurrentColor()` helper taking in account nested currentColor inside `color-mix()`, and replacing appropriate `isCurrentColor()` checks.

    Also remove `RenderStyle::isCurrentColor()` since it does not add much value.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-expected.xht: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-parent-expected.xht: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-parent.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/currentcolor-border-repaint-parent-expected.xht: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/currentcolor-border-repaint-parent.html: Added.
    * Source/WebCore/animation/CSSPropertyAnimation.cpp:
    (WebCore::blendSyntaxValues):
    * Source/WebCore/css/StyleColor.cpp:
    (WebCore::StyleColor::containsCurrentColor):
    (WebCore::StyleColor::containsCurrentColor const):
    * Source/WebCore/css/StyleColor.h:
    * Source/WebCore/css/color/CSSUnresolvedColor.cpp:
    (WebCore::CSSUnresolvedColor::containsCurrentColor const):
    * Source/WebCore/css/color/CSSUnresolvedColor.h:
    * Source/WebCore/editing/EditingStyle.cpp:
    (WebCore::EditingStyle::removeTextFillAndStrokeColorsIfNeeded):
    * Source/WebCore/rendering/style/BorderData.cpp:
    (WebCore::BorderData::isEquivalentForPainting const):
    * Source/WebCore/rendering/style/RenderStyle.cpp:
    (WebCore::RenderStyle::changeRequiresRepaint const):
    (WebCore::RenderStyle::colorResolvingCurrentColor const):
    * Source/WebCore/rendering/style/RenderStyle.h:
    (WebCore::RenderStyle::currentColor):
    (WebCore::RenderStyle::isCurrentColor): Deleted.
    * Source/WebCore/rendering/style/SVGRenderStyle.cpp:
    (WebCore::colorChangeRequiresRepaint):
    * Source/WebCore/rendering/style/StyleGradientImage.cpp:
    (WebCore::stopsAreCacheable):
    * Source/WebCore/style/ElementRuleCollector.cpp:
    (WebCore::Style::ElementRuleCollector::addMatchedProperties):
    * Source/WebCore/svg/properties/SVGAnimationAdditiveValueFunctionImpl.cpp:
    (WebCore::SVGAnimationColorFunction::calculateDistance const):

    Canonical link: https://commits.webkit.org/263531@main

Identifier: 259548.712 at safari-7615-branch


  Commit: 9bf39d96592d02c3988efa649a43ca46f966c5f1
      https://github.com/WebKit/WebKit/commit/9bf39d96592d02c3988efa649a43ca46f966c5f1
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    M Source/WebCore/css/ComputedStyleExtractor.cpp

  Log Message:
  -----------
  Apply patch. rdar://problem/108664653

Identifier: 259548.713 at safari-7615-branch


  Commit: 5e0c1ca6b0e7be181bd76ce983b9236c4759b5fa
      https://github.com/WebKit/WebKit/commit/5e0c1ca6b0e7be181bd76ce983b9236c4759b5fa
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBox.h

  Log Message:
  -----------
  Cherry-pick e44bd7f346a1. rdar://problem/106454992

    [margin-trim][block layout] Trimmed block-end margins should be reflected in computed style in a horizontal writing-mode BFC.
    https://bugs.webkit.org/show_bug.cgi?id=253610
    rdar://106454992

    Reviewed by Alan Baradlay.

    We currently perform margin trimming by doing some backtracking after a
    block container with block-end margin trim has completed layout (261750 at main).
    In order to make sure that these margins are properly shown in their
    computed style value, we need a way for ComputedStyleExtractor to know
    that the block-end margin for the renderer has been trimmed. This can be
    done by setting the margin-trim rare data bit for that renderer.

    Whenever we trim a margin in RenderBlockFlow::trimBlockEndChildrenMargins,
    we can replace the calls to setMarginAfterForChild with setTrimmedMarginForChild
    which will both trim the margin and set the rare data bit for the renderer.

    Later on when ComputedStyleExtractor tries to determine the value of
    a bottom margin for a renderer it can first use hasTrimmedMargin on the
    renderer in order to determine if that specific margin is trimmed.

    While creating this patch and testing the logic, I found that certain
    margins are not being trimmed correctly. It seems like particularly that
    self collapsing children that has other nested self collapsing content
    do not have the nested content trimmed properly. Whenever we have a
    self collapsing child, we need to also go inside and trim the margins
    of any other children (and perhaps perform this logic for any other
    children that are nested inside that). For example

    <container>
        <item style="margin-bottom: 10px"></item>
        <item style="margin-bottom: 10px; height: 0px;">
            <item style="margin-bottom: 10px; height: 0px;">
                <item style="margin-bottom: 10px; height: 0px;">
                    <item style="margin-bottom: 10px; height: 0px;"></item>
                    <item style="margin-bottom: 10px; height: 0px;"></item>
                </item>
            </item>
        </item>
    </container>

    In this scenario the content itself looks fine as if margin-trimming
    occurred correctly, however when looking at the computed margin-bottom
    values of the nested self collapsing children we can see that their
    margins were not trimmed. Currently we fail the tests in these scenarios
    that are introduced in this patch because of this. I plan on addressing
    this in a separate patch following this one.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end.html: Added.
    * Source/WebCore/css/ComputedStyleExtractor.cpp:
    (WebCore::rendererCanHaveTrimmedMargin):
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::trimBlockEndChildrenMargins):
    * Source/WebCore/rendering/RenderBox.cpp:
    (WebCore::RenderBox::physicalToFlowRelativeDirectionMapping const):
    (WebCore::RenderBox::hasTrimmedMargin const):
    (WebCore::RenderBox::hasTrimmedMargin const):
    * Source/WebCore/rendering/RenderBox.h:
    (WebCore::RenderBox::isBlockLevelBox const):

    Canonical link: https://commits.webkit.org/263398@main

Identifier: 259548.714 at safari-7615-branch


  Commit: b149bce837304901b1677cc8fe93f1e9297f9cd9
      https://github.com/WebKit/WebKit/commit/b149bce837304901b1677cc8fe93f1e9297f9cd9
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderLayoutState.cpp
    M Source/WebCore/rendering/RenderLayoutState.h

  Log Message:
  -----------
  Cherry-pick 99e30b0ca8f6. rdar://problem/106452955

    [margin-trim][block-layout] Content at block-start edge should have trimmed margins reflected in computed style
    https://bugs.webkit.org/show_bug.cgi?id=253606
    rdar://106452955

    Reviewed by Alan Baradlay.

    When we trim margins at the block-start edge, we can indicate that the
    renderer has a trimmed margin by replacing the calls to setMarginBefore/After
    with setTrimmedMarginForChild. This will perform the same behavior of
    trimming the renderer's margins by updating its m_marginBox and also
    setting the margin-trim rare data bit to indicate that the margin has
    been trimmed.

    In order to apply this behavior for nested block content that is at the
    block-start edge of the outer block container we need to keep track of
    some additional state. If a block container has block-start margin-trim
    set then it will push some new state onto m_blockStartTrimming to indicate
    that block-start trimming should occur and propagate this information to
    its children in order to determine whether they should trim. This
    new structure acts as a stack that will help nested block containers
    determine if they should trim the margins at their block-start edge
    based upon its containing block's trimming state and its own MarginInfo
    state.

    A block container will push new state onto this stack in the following
    scenarios:

    - If a block-container has block-start margin trim set, then it will push
    some new state onto the stack (true) indicating trimming should occur
    - A nested block container will check to see if its containing block has trimming
    state set by checking the value at the top of the stack along with whether or
    not its margins can collapse through to its containing block
        - If the containing block has trimming state and the nested child's
          margins can collapse through to the top, then the nested child will
          push its own state onto the stack to use later on as it lays out
          its children. The state will be the same as its containing block's
          so that the nested block container will only trim if it is at the
          block-start edge of the containing block that has margin-trim set.

        - If the containing block has trimming state and the nested child's
          margins *cannot* collapse through to the top, then it will push
          state onto the stack (false) to indicate that it should not
          perform any sort of trimming. This will also indicate to nested
          block containers that they should also not trim.

    <div id="container" style="margin-trim: block">
        <div id="outer" style="margin-block-start: 10px; border: 1px solid black; width: 50px; height: 50px; background-color: green;">
            <div id="inner" style="margin-block-start: 10px; border: 1px solid black; width: 50px; height: 50px; background-color: blue;"></div>
        </div>
    </div>

    Here "container," will push some state onto the margin trimming stack
    to indicate that it should trim margins at the block-start edge. When
    "outer," goes through layout, it will see that its containing block had
    set some trimming state so it will do the same. Since it has a border that
    means its children's margins cannot collapse through, so it should not
    trim those margins and set the state appropriately. "Inner," will see
    that its containing block had set some margin-trim state and will need
    to do the same. Since its children's margins could collapse through, it
    will use the same state as its containing block. However, since the
    containing block did not perform trimming, it will also not trim when
    it attempts to use this information.

    In ComputedStyleExtractor, we will check to see if the renderer has its
    top margin trimmed by checking to see if the rare data bit was set during
    layout by using RenderBox::hasTrimmedMargin.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start.html: Added.
    * Source/WebCore/css/ComputedStyleExtractor.cpp:
    (WebCore::rendererCanHaveTrimmedMargin):
    (WebCore::isLayoutDependent):
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::layoutBlockChildren):
    (WebCore::RenderBlockFlow::layoutBlockChild):
    (WebCore::RenderBlockFlow::collapseMarginsWithChildInfo):
    * Source/WebCore/rendering/RenderBox.cpp:
    (WebCore::RenderBox::physicalToFlowRelativeDirectionMapping const):
    (WebCore::RenderBox::hasTrimmedMargin const):
    * Source/WebCore/rendering/RenderBox.h:
    (WebCore::RenderBox::isBlockLevelBox const):
    * Source/WebCore/rendering/RenderLayoutState.cpp:
    (WebCore::RenderLayoutState::RenderLayoutState):
    * Source/WebCore/rendering/RenderLayoutState.h:
    (WebCore::RenderLayoutState::RenderLayoutState):
    (WebCore::RenderLayoutState::pushBlockStartTrimming):
    (WebCore::RenderLayoutState::peekBlockStartTrimming):
    (WebCore::RenderLayoutState::popBlockStartTrimming):

    Canonical link: https://commits.webkit.org/263412@main

Identifier: 259548.715 at safari-7615-branch


  Commit: fe8bf739074db33f746ed08620176e34fccaaeba
      https://github.com/WebKit/WebKit/commit/fe8bf739074db33f746ed08620176e34fccaaeba
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Cherry-pick 809b95bb1a78. rdar://problem/108327029

    [margin-trim][block layout] Nested self-collapsing children at block-end should also be trimmed.
    https://bugs.webkit.org/show_bug.cgi?id=255736
    rdar://108327029

    Reviewed by Alan Baradlay.

    When walking back up the block container for the purposes of block-end
    margin trimming we may run into a self collapsing child that needs to
    have both of its margins trimmed and its position adjusted. However, it
    is also possible that these self-collapsing children may also have other
    self-collapsing children nested arbitrarily within. If that is the case,
    we need to also trim the margins of all of its descendants.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt:
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::trimBlockEndChildrenMargins):

    Canonical link: https://commits.webkit.org/263439@main

Identifier: 259548.716 at safari-7615-branch


  Commit: 1c4897d1134aa0eb5e5463830541d7f5597bcb52
      https://github.com/WebKit/WebKit/commit/1c4897d1134aa0eb5e5463830541d7f5597bcb52
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    R LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-expected.xht
    R LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-parent-expected.xht
    R LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-parent.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/currentcolor-border-repaint-parent-expected.xht
    R LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/currentcolor-border-repaint-parent.html
    M Source/WebCore/animation/CSSPropertyAnimation.cpp
    M Source/WebCore/css/StyleColor.cpp
    M Source/WebCore/css/StyleColor.h
    M Source/WebCore/css/color/CSSUnresolvedColor.cpp
    M Source/WebCore/css/color/CSSUnresolvedColor.h
    M Source/WebCore/editing/EditingStyle.cpp
    M Source/WebCore/rendering/style/BorderData.cpp
    M Source/WebCore/rendering/style/RenderStyle.cpp
    M Source/WebCore/rendering/style/RenderStyle.h
    M Source/WebCore/rendering/style/SVGRenderStyle.cpp
    M Source/WebCore/rendering/style/StyleGradientImage.cpp
    M Source/WebCore/style/ElementRuleCollector.cpp
    M Source/WebCore/svg/properties/SVGAnimationAdditiveValueFunctionImpl.cpp

  Log Message:
  -----------
  Revert "Cherry-pick 63a655702b01. rdar://problem/104872702"

This reverts commit a7149084a1f528e39c7f2ce10f0e26cee3f93377.

Identifier: 259548.717 at safari-7615-branch


  Commit: 4b11fc9c5e1dad1f8b47e872be2fb0d224ac49e5
      https://github.com/WebKit/WebKit/commit/4b11fc9c5e1dad1f8b47e872be2fb0d224ac49e5
  Author: Brady Eidson <beidson at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    M Source/WebKit/UIProcess/API/C/WKNotification.cpp
    M Source/WebKit/UIProcess/API/C/WKNotification.h

  Log Message:
  -----------
  Cherry-pick eaa067b4e145. rdar://problem/108747682

    Expose C-based API for WKNotificationGetAlert
    https://bugs.webkit.org/show_bug.cgi?id=255759
    rdar://108348296

    Reviewed by Megan Gardner.

    * Source/WebKit/UIProcess/API/C/WKNotification.cpp:
    (WKNotificationGetAlert):
    * Source/WebKit/UIProcess/API/C/WKNotification.h:

    Canonical link: https://commits.webkit.org/263212@main

Identifier: 259548.718 at safari-7615-branch


  Commit: 4c34d7bba54c12b26992fcef9c382502a7a045c4
      https://github.com/WebKit/WebKit/commit/4c34d7bba54c12b26992fcef9c382502a7a045c4
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Revert "Cherry-pick 809b95bb1a78. rdar://problem/108327029"

This reverts commit fe8bf739074db33f746ed08620176e34fccaaeba.

Identifier: 259548.719 at safari-7615-branch


  Commit: e8815d6a5e76a7726882a12b9a3596bc802e09ec
      https://github.com/WebKit/WebKit/commit/e8815d6a5e76a7726882a12b9a3596bc802e09ec
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderLayoutState.cpp
    M Source/WebCore/rendering/RenderLayoutState.h

  Log Message:
  -----------
  Revert "Cherry-pick 99e30b0ca8f6. rdar://problem/106452955"

This reverts commit b149bce837304901b1677cc8fe93f1e9297f9cd9.

Identifier: 259548.720 at safari-7615-branch


  Commit: bd32211f61933392f00129ffd87ee0ede4aa5e98
      https://github.com/WebKit/WebKit/commit/bd32211f61933392f00129ffd87ee0ede4aa5e98
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children.html
    R LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBox.h

  Log Message:
  -----------
  Revert "Cherry-pick e44bd7f346a1. rdar://problem/106454992"

This reverts commit 5e0c1ca6b0e7be181bd76ce983b9236c4759b5fa.

Identifier: 259548.721 at safari-7615-branch


  Commit: 56d6eb673565b77196fc6c9682d1be720f781c0d
      https://github.com/WebKit/WebKit/commit/56d6eb673565b77196fc6c9682d1be720f781c0d
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-expected.xht
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-parent-expected.xht
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint-parent.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/color-mix-currentcolor-border-repaint.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/currentcolor-border-repaint-parent-expected.xht
    A LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/currentcolor-border-repaint-parent.html
    M Source/WebCore/animation/CSSPropertyAnimation.cpp
    M Source/WebCore/css/StyleColor.cpp
    M Source/WebCore/css/StyleColor.h
    M Source/WebCore/css/color/CSSUnresolvedColor.cpp
    M Source/WebCore/css/color/CSSUnresolvedColor.h
    M Source/WebCore/editing/EditingStyle.cpp
    M Source/WebCore/rendering/style/BorderData.cpp
    M Source/WebCore/rendering/style/RenderStyle.cpp
    M Source/WebCore/rendering/style/SVGRenderStyle.cpp
    M Source/WebCore/rendering/style/StyleGradientImage.cpp
    M Source/WebCore/style/ElementRuleCollector.cpp
    M Source/WebCore/svg/properties/SVGAnimationAdditiveValueFunctionImpl.cpp

  Log Message:
  -----------
  Apply patch. rdar://problem/104872702

Identifier: 259548.722 at safari-7615-branch


  Commit: 9e8e582627a83ed3706ec32caee92283a5f6db88
      https://github.com/WebKit/WebKit/commit/9e8e582627a83ed3706ec32caee92283a5f6db88
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-05-02 (Tue, 02 May 2023)

  Changed paths:
    M Source/WebCore/animation/KeyframeEffect.cpp
    M Source/WebCore/platform/graphics/transforms/IdentityTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/Matrix3DTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/MatrixTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/PerspectiveTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp
    M Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.cpp
    M Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/SkewTransformOperation.cpp
    M Source/WebCore/platform/graphics/transforms/SkewTransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TransformOperation.h
    M Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp
    M Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h
    M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in

  Log Message:
  -----------
  TransformOperation subclasses should verify deserialized type
https://bugs.webkit.org/show_bug.cgi?id=255629
rdar://108161092

Reviewed by David Kilzer.

The type needs to line up with the same types used by the is, downcast, and dynamicDowncast functions.

* Source/WebCore/animation/KeyframeEffect.cpp:
(WebCore::KeyframeEffect::computedNeedsForcedLayout):
* Source/WebCore/platform/graphics/transforms/IdentityTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/Matrix3DTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/MatrixTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/PerspectiveTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/RotateTransformOperation.cpp:
(WebCore::RotateTransformOperation::RotateTransformOperation):
* Source/WebCore/platform/graphics/transforms/RotateTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.cpp:
(WebCore::ScaleTransformOperation::ScaleTransformOperation):
* Source/WebCore/platform/graphics/transforms/ScaleTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/SkewTransformOperation.cpp:
(WebCore::SkewTransformOperation::SkewTransformOperation):
* Source/WebCore/platform/graphics/transforms/SkewTransformOperation.h:
* Source/WebCore/platform/graphics/transforms/TransformOperation.h:
(WebCore::TransformOperation::isRotateTransformOperationType):
(WebCore::TransformOperation::isScaleTransformOperationType):
(WebCore::TransformOperation::isSkewTransformOperationType):
(WebCore::TransformOperation::isTranslateTransformOperationType):
(WebCore::TransformOperation::isRotateTransformOperationType const): Deleted.
(WebCore::TransformOperation::isScaleTransformOperationType const): Deleted.
(WebCore::TransformOperation::isSkewTransformOperationType const): Deleted.
(WebCore::TransformOperation::isTranslateTransformOperationType const): Deleted.
* Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.cpp:
(WebCore::TranslateTransformOperation::TranslateTransformOperation):
* Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h:
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:

Canonical link: https://commits.webkit.org/259548.723@safari-7615-branch


  Commit: ed91d31068648f5bb03ff99d5b2d60a5aa9cc0d9
      https://github.com/WebKit/WebKit/commit/ed91d31068648f5bb03ff99d5b2d60a5aa9cc0d9
  Author: Ryan Haddad <ryanhaddad at apple.com>
  Date:   2023-05-02 (Tue, 02 May 2023)

  Changed paths:
    R LayoutTests/platform/ios-simulator/imported/w3c/web-platform-tests/svg/import/metadata-example-01-t-manual-expected.txt
    R LayoutTests/platform/ios-wk2/fast/block/basic/011-expected.txt
    R LayoutTests/platform/ios-wk2/fast/block/basic/minheight-expected.txt
    R LayoutTests/platform/ios-wk2/fast/block/margin-collapse/103-expected.txt
    R LayoutTests/platform/ios-wk2/fast/css/002-expected.txt
    R LayoutTests/platform/ios-wk2/fast/invalid/008-expected.txt
    R LayoutTests/platform/ios-wk2/fast/overflow/003-expected.txt
    R LayoutTests/platform/ios-wk2/fast/overflow/infiniteRecursion-expected.txt
    R LayoutTests/platform/ios-wk2/fast/text/international/bidi-explicit-embedding-expected.txt
    M LayoutTests/platform/ios/TestExpectations
    M LayoutTests/platform/ios/css1/box_properties/acid_test-expected.txt
    M LayoutTests/platform/ios/css2.1/t09-c5526c-display-00-e-expected.txt
    M LayoutTests/platform/ios/fast/block/basic/011-expected.txt
    M LayoutTests/platform/ios/fast/block/margin-collapse/103-expected.txt
    M LayoutTests/platform/ios/fast/forms/search-styled-expected.txt
    M LayoutTests/platform/ios/fast/overflow/003-expected.txt
    M LayoutTests/platform/ios/fast/table/rowindex-expected.txt
    A LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/css-writing-modes/forms/meter-appearance-native-computed-style.optional-expected.txt
    A LayoutTests/platform/ios/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any-expected.txt
    A LayoutTests/platform/ios/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any.worker-expected.txt
    A LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/dom/idlharness.https_exclude=(Document_Window_HTML._)-expected.txt
    A LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/disabled-elements/disabled-event-dispatch.tentative-expected.txt
    A LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/popovers/popover-light-dismiss-expected.txt
    M LayoutTests/platform/ios/imported/w3c/web-platform-tests/screen-orientation/nested-documents-expected.txt
    M LayoutTests/platform/ios/imported/w3c/web-platform-tests/screen-orientation/unlock-expected.txt
    A LayoutTests/platform/ios/imported/w3c/web-platform-tests/svg/import/metadata-example-01-t-manual-expected.txt
    M LayoutTests/platform/ios/scrollbars/overflow-scrollbar-combinations-expected.txt
    M LayoutTests/platform/ios/svg/W3C-SVG-1.1/metadata-example-01-b-expected.txt
    M LayoutTests/platform/ios/svg/custom/svg-fonts-in-html-expected.txt
    M LayoutTests/platform/ios/svg/custom/use-on-symbol-inside-pattern-expected.txt
    M LayoutTests/platform/ios/tables/mozilla/bugs/bug2479-2-expected.txt

  Log Message:
  -----------
  Cherry-pick 262717 at main (5981ddb013be). rdar://107742631

    [iOS] Rebaseline tests for iOS 16.4
    https://bugs.webkit.org/show_bug.cgi?id=255140
    rdar://107742631

    Unreviewed test gardening

    * LayoutTests/platform/ios/TestExpectations:
    * LayoutTests/platform/ios/css1/box_properties/acid_test-expected.txt:
    * LayoutTests/platform/ios/css2.1/t09-c5526c-display-00-e-expected.txt:
    * LayoutTests/platform/ios/fast/block/basic/011-expected.txt:
    * LayoutTests/platform/ios/fast/block/margin-collapse/103-expected.txt:
    * LayoutTests/platform/ios/fast/forms/search-styled-expected.txt:
    * LayoutTests/platform/ios/fast/overflow/003-expected.txt:
    * LayoutTests/platform/ios/fast/table/rowindex-expected.txt:
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/css/css-writing-modes/forms/meter-appearance-native-computed-style.optional-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/dom/idlharness.https_exclude=(Document_Window_HTML._)-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/disabled-elements/disabled-event-dispatch.tentative-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/html/semantics/popovers/popover-light-dismiss-expected.txt: Added.
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/screen-orientation/nested-documents-expected.txt:
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/screen-orientation/unlock-expected.txt:
    * LayoutTests/platform/ios/imported/w3c/web-platform-tests/svg/import/metadata-example-01-t-manual-expected.txt: Added.
    * LayoutTests/platform/ios/scrollbars/overflow-scrollbar-combinations-expected.txt:
    * LayoutTests/platform/ios/svg/W3C-SVG-1.1/metadata-example-01-b-expected.txt:
    * LayoutTests/platform/ios/svg/custom/svg-fonts-in-html-expected.txt:
    * LayoutTests/platform/ios/svg/custom/use-on-symbol-inside-pattern-expected.txt:
    * LayoutTests/platform/ios/tables/mozilla/bugs/bug2479-2-expected.txt:
    * LayoutTests/platform/ios-simulator/imported/w3c/web-platform-tests/svg/import/metadata-example-01-t-manual-expected.txt: Removed.
    * LayoutTests/platform/ios-wk2/fast/block/basic/011-expected.txt: Removed.
    * LayoutTests/platform/ios-wk2/fast/block/basic/minheight-expected.txt: Removed.
    * LayoutTests/platform/ios-wk2/fast/block/margin-collapse/103-expected.txt: Removed.
    * LayoutTests/platform/ios-wk2/fast/css/002-expected.txt: Removed.
    * LayoutTests/platform/ios-wk2/fast/invalid/008-expected.txt: Removed.
    * LayoutTests/platform/ios-wk2/fast/overflow/003-expected.txt: Removed.
    * LayoutTests/platform/ios-wk2/fast/overflow/infiniteRecursion-expected.txt: Removed.
    * LayoutTests/platform/ios-wk2/fast/text/international/bidi-explicit-embedding-expected.txt: Removed.
    * LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/html/semantics/popovers/popover-light-dismiss-expected.txt: Removed.

    Canonical link: https://commits.webkit.org/262717@main

Canonical link: https://commits.webkit.org/259548.724@safari-7615-branch


  Commit: d03416657a40b995244ef0b1319d3d4bfa4074c4
      https://github.com/WebKit/WebKit/commit/d03416657a40b995244ef0b1319d3d4bfa4074c4
  Author: Robert Jenner <jenner at apple.com>
  Date:   2023-05-02 (Tue, 02 May 2023)

  Changed paths:
    M LayoutTests/fast/gradients/linear-two-hints-angle.html

  Log Message:
  -----------
  Cherry-pick 262858 at main (01307ba22bed). rdar://107774707

    [ iOS ] fast/gradients/linear-two-hints-angle.html is a constant ImageOnlyFailure
    https://bugs.webkit.org/show_bug.cgi?id=255181
    rdar://107774707

    Unreviewed test gardening.

    * LayoutTests/fast/gradients/linear-two-hints-angle.html:
    * LayoutTests/platform/ios/TestExpectations:

    Canonical link: https://commits.webkit.org/262858@main

Canonical link: https://commits.webkit.org/259548.725@safari-7615-branch


  Commit: 46cc2aa9eacb1978cd76e55ff4fa0086d893ff69
      https://github.com/WebKit/WebKit/commit/46cc2aa9eacb1978cd76e55ff4fa0086d893ff69
  Author: Robert Jenner <jenner at apple.com>
  Date:   2023-05-02 (Tue, 02 May 2023)

  Changed paths:
    M LayoutTests/platform/ios/TestExpectations

  Log Message:
  -----------
  Cherry-pick 262734 at main (b3ab7042bc2a). rdar://problem/107772432

    [GARDNEING] Batch mark expectations for newly failing tests introduced with iOS 16.4 update
    https://bugs.webkit.org/show_bug.cgi?id=255177
    rdar://problem/107772432

    Unreviewed test gardening.

    * LayoutTests/platform/ios/TestExpectations:

    Canonical link: https://commits.webkit.org/262734@main

Canonical link: https://commits.webkit.org/259548.726@safari-7615-branch


  Commit: 2aad4d480bf30e7db859e1f30ba7d90adb2c3dc5
      https://github.com/WebKit/WebKit/commit/2aad4d480bf30e7db859e1f30ba7d90adb2c3dc5
  Author: Tim Nguyen <ntim at apple.com>
  Date:   2023-05-03 (Wed, 03 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-color/color-mix-currentcolor-003-expected.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-color/color-mix-currentcolor-003-ref.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-color/color-mix-currentcolor-003.html
    M Source/WebCore/style/StyleBuilderCustom.h

  Log Message:
  -----------
  Cherry-pick 0d0b8844e76c. rdar://problem/108698737

    REGRESSION(259145 at main): Crash when using 'currentcolor' with color-mix() in color property
    https://bugs.webkit.org/show_bug.cgi?id=256171
    rdar://108698737

    Reviewed by Darin Adler.

    We were previously not handling `color-mix()` in the logic to resolve colors for `BuilderCustom::applyValueColor`.
    Use StyleColor::resolveColor() which properly takes care of all cases.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-color/color-mix-currentcolor-003-expected.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-color/color-mix-currentcolor-003-ref.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-color/color-mix-currentcolor-003.html: Added.
    * Source/WebCore/style/StyleBuilderCustom.h:
    (WebCore::Style::BuilderCustom::applyValueColor):

    Canonical link: https://commits.webkit.org/263556@main

Identifier: 259548.727 at safari-7615-branch


  Commit: 4206d483814cad487ba2a0b8b6b58cf7a60a0477
      https://github.com/WebKit/WebKit/commit/4206d483814cad487ba2a0b8b6b58cf7a60a0477
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-05-03 (Wed, 03 May 2023)

  Changed paths:
    A LayoutTests/fast/media/media-player-uaf-expected.txt
    A LayoutTests/fast/media/media-player-uaf.html
    M Source/WebCore/html/HTMLMediaElement.cpp
    M Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.mm

  Log Message:
  -----------
  Fix UAF in MediaPlayerPrivateMediaStreamAVFObjC::processNewVideoFrame
https://bugs.webkit.org/show_bug.cgi?id=256173
rdar://108504399

Reviewed by Jer Noble and Youenn Fablet.

This change fixes the heap UAF on MediaPlayer element by protecting the
MediaPlayer object when executing callbacks/deferred tasks on the mainThread,
so that MediaPlayerPrivateMediaStreamAVFObjC remains valid.

* Source/WebCore/html/HTMLMediaElement.cpp:
* Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaStreamAVFObjC.mm:
(WebCore::MediaPlayerPrivateMediaStreamAVFObjC::processNewVideoFrame):
(WebCore::MediaPlayerPrivateMediaStreamAVFObjC::scheduleDeferredTask):
* LayoutTests/fast/media/media-player-uaf-expected.txt: Added.
* LayoutTests/fast/media/media-player-uaf.html: Added.

Canonical link: https://commits.webkit.org/259548.728@safari-7615-branch


  Commit: 5cc2ead4986a1602ac43a1ff2c32c51f2dfc7393
      https://github.com/WebKit/WebKit/commit/5cc2ead4986a1602ac43a1ff2c32c51f2dfc7393
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M Source/WebCore/page/DOMWindow.h

  Log Message:
  -----------
  Handle potential overflow of gamepadEventListenerCount.
https://bugs.webkit.org/show_bug.cgi?id=256205.
rdar://80838189.

Reviewed by Ryosuke Niwa.

m_gamepadEventListenerCount can overflow if addEventListener() is called UINT_MAX+1 times.
Once the window is freed, we will be left with a dangling pointer in the GamepadManager.
This change adds a flag to check for overflow and keep the behavior same in the event of overflow..

* Source/WebCore/page/DOMWindow.cpp:
(WebCore::DOMWindow::~DOMWindow):
(WebCore::DOMWindow::incrementGamepadEventListenerCount):
(WebCore::DOMWindow::decrementGamepadEventListenerCount):
* Source/WebCore/page/DOMWindow.h:

Canonical link: https://commits.webkit.org/259548.729@safari-7615-branch


  Commit: c123784dc828d5581cf184d082bd86f1f84bd0d8
      https://github.com/WebKit/WebKit/commit/c123784dc828d5581cf184d082bd86f1f84bd0d8
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt
    A LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html
    M Source/WebCore/style/StyleBuilderCustom.h

  Log Message:
  -----------
  Fix type confusion in BuilderConverter::applyValueContent.
https://bugs.webkit.org/show_bug.cgi?id=255955.
rdar://108499561.

Reviewed by Antti Koivisto.

This change fixes applyValueContent so that it can deal with single
values instead of expecting a list of values towards the end.

* LayoutTests/fast/css/style-builder-apply-value-content-type-confusion-expected.txt: Added.
* LayoutTests/fast/css/style-builder-apply-value-content-type-confusion.html: Added.
* Source/WebCore/style/StyleBuilderCustom.h:
  (WebCore::Style::BuilderCustom::applyValueContent):

Canonical link: https://commits.webkit.org/259548.730@safari-7615-branch


  Commit: 22f78ddff34169bd63ebd1dd269a6c4241d3a0e0
      https://github.com/WebKit/WebKit/commit/22f78ddff34169bd63ebd1dd269a6c4241d3a0e0
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M Tools/Scripts/hooks/prepare-commit-msg
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/branch.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/cherry_pick.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/command.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py

  Log Message:
  -----------
  Cherry-pick 263641 at main (2425de1c879b). rdar://107629444

    [git-webkit] Cache filed bug
    https://bugs.webkit.org/show_bug.cgi?id=255007
    rdar://107629444

    Reviewed by Elliott Williams.

    git-webkit branch will file a bug. However, that bug is only picked up
    in a commit message through environment variables, which means that
    bugs filed by `git-webkit branch` aren't very useful except when happening
    through `git-webkit pr`'s invocation of `git-webkit branch`. We have a
    similar problem when crafting cherry-picks or reverting changes.

    * Tools/Scripts/hooks/prepare-commit-msg: Pull title, bug and cherry-pick message from
    `git config` if they aren't available in the environment.
    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py: Add ability to get
    and set `git config` values.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/branch.py:
    (Branch.main): Save filed bug into `git config` environment.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/cherry_pick.py:
    (CherryPick.main): Save cherry-pick pattern and bug details into `git config`, use
    COMMIT_MESSAGE_BUG instead of GIT_WEBKIT_BUG.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/command.py:
    (Command.write_branch_variables): Write variable to `git config`'s branch specific namespace.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/revert.py:
    (Revert.revert_commit): Save filed bug into `git config` environment.

    Canonical link: https://commits.webkit.org/263641@main

Canonical link: https://commits.webkit.org/259548.731@safari-7615-branch


  Commit: 12ee50ff164387ed50e1c037e926821ef6c4c8ee
      https://github.com/WebKit/WebKit/commit/12ee50ff164387ed50e1c037e926821ef6c4c8ee
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M Tools/Scripts/hooks/pre-push

  Log Message:
  -----------
  Cherry-pick 263677 at main (f4a0a73081dd). rdar://108588596

    [pre-push] Check publish pushes for references to redacted commits
    https://bugs.webkit.org/show_bug.cgi?id=256025
    rdar://108588596

    Reviewed by Elliott Williams.

    When operating in "publish" mode, our pre-push hook should check commits
    for redacted commits, even if the commit in question originates from a
    different remote.

    * Tools/Scripts/hooks/pre-push:

    Canonical link: https://commits.webkit.org/263677@main

Canonical link: https://commits.webkit.org/259548.732@safari-7615-branch


  Commit: 8214657dcf4ecbc50f3b2c545db8d84767598c3b
      https://github.com/WebKit/WebKit/commit/8214657dcf4ecbc50f3b2c545db8d84767598c3b
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/trace.py

  Log Message:
  -----------
  Cherry-pick 263681 at main (4a2df13be225). rdar://108892742

    [git-webkit] Exclude trailing . in commit regex for cherry-picks
    https://bugs.webkit.org/show_bug.cgi?id=256305
    rdar://108892742

    Reviewed by Elliott Williams.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/trace.py:
    (Relationship.parse): Use regex definition to exclude trailing period.

    Canonical link: https://commits.webkit.org/263681@main

Canonical link: https://commits.webkit.org/259548.733@safari-7615-branch


  Commit: f24c4ce75d9daaeb410aec7392228284b499fe42
      https://github.com/WebKit/WebKit/commit/f24c4ce75d9daaeb410aec7392228284b499fe42
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/trace.py

  Log Message:
  -----------
  Cherry-pick 263685 at main (c0ccf9b3fce9). rdar://108816711

    [git-webkit] Use shared commit issue parsing in 'trace'
    https://bugs.webkit.org/show_bug.cgi?id=256236
    rdar://108816711

    Reviewed by Aakash Jain.

    Prefer the shared commits.issues implementation instead of re-implementing
    similar code within CommitsStory.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/trace.py:
    (CommitsStory.add): Use commits.issues.
    (Trace.relationships): Ditto.
    (CommitsStory.issues_for): Deleted.

    Canonical link: https://commits.webkit.org/263685@main

Canonical link: https://commits.webkit.org/259548.734@safari-7615-branch


  Commit: 96fbff2cffb2e2b383efe99d9a1c861ed9ff7bbd
      https://github.com/WebKit/WebKit/commit/96fbff2cffb2e2b383efe99d9a1c861ed9ff7bbd
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py

  Log Message:
  -----------
  Cherry-pick 263686 at main (3d23652e74b3). rdar://108817593

    [git-webkit] Correct --format in branch list
    https://bugs.webkit.org/show_bug.cgi?id=256237
    rdar://108817593

    Reviewed by Elliott Williams.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py:
    (Publish.branches_on): Pass --format before --merged. Seperate format into a different argument.

    Canonical link: https://commits.webkit.org/263686@main

Canonical link: https://commits.webkit.org/259548.735@safari-7615-branch


  Commit: 3597549574e5466289324cf11b90cc10d2a2d6fa
      https://github.com/WebKit/WebKit/commit/3597549574e5466289324cf11b90cc10d2a2d6fa
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M Tools/Scripts/hooks/prepare-commit-msg

  Log Message:
  -----------
  Cherry-pick 263687 at main (c8b247965127). rdar://107629444

    [git-webkit] Cache filed bug (Follow-up fix)
    https://bugs.webkit.org/show_bug.cgi?id=255007
    rdar://107629444

    Unreviewed follow-up fix.

    * Tools/Scripts/hooks/prepare-commit-msg: Handle undefined bug case.

    Canonical link: https://commits.webkit.org/263687@main

Canonical link: https://commits.webkit.org/259548.736@safari-7615-branch


  Commit: 067edf186e1b00e5b6e88bf38f70f8ee646a2403
      https://github.com/WebKit/WebKit/commit/067edf186e1b00e5b6e88bf38f70f8ee646a2403
  Author: Antti Koivisto <antti at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/container-units-content-box-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/container-units-content-box.html
    M Source/WebCore/css/CSSPrimitiveValue.cpp

  Log Message:
  -----------
  Cherry-pick e31e2eb9806e. rdar://problem/108754549

    Container query length units use border box instead of a content box
    https://bugs.webkit.org/show_bug.cgi?id=256178
    rdar://problem/108754549

    Reviewed by Alan Baradlay.

    https://www.w3.org/TR/css-contain-3/#container-query-length:

    > For each element, container query length units are evaluated as container size queries on the relevant axis (or axes) described by the unit.

    https://www.w3.org/TR/css-contain-3/#container-size-query:

    > The width container feature queries the width of the query container’s content box.
    > The height container feature queries the height of the query container’s content box.
    > The inline-size container feature queries the size of the query container’s content box in the query container’s inline axis.
    > The block-size container feature queries the size of the query container’s content box in the query container’s block axis.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/container-units-content-box-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-contain/container-queries/container-units-content-box.html: Added.
    * Source/WebCore/css/CSSPrimitiveValue.cpp:
    (WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble):

    Resolve the container units against the correct box.

    Canonical link: https://commits.webkit.org/263595@main


  Commit: 8674bce44c7c93e9bf75d91b2d1f8f7336975c31
      https://github.com/WebKit/WebKit/commit/8674bce44c7c93e9bf75d91b2d1f8f7336975c31
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBox.h

  Log Message:
  -----------
  Apply patch. rdar://problem/106454992


  Commit: edd5bbb184f467ecc0acc606af4f51780df81fbe
      https://github.com/WebKit/WebKit/commit/edd5bbb184f467ecc0acc606af4f51780df81fbe
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-child-with-border.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start-self-collapsing-nested.html
    A LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-start.html
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBlockFlow.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderLayoutState.cpp
    M Source/WebCore/rendering/RenderLayoutState.h

  Log Message:
  -----------
  Apply patch. rdar://problem/106452955


  Commit: d49b216c268bbaa679221b12a658e7c0499d902e
      https://github.com/WebKit/WebKit/commit/d49b216c268bbaa679221b12a658e7c0499d902e
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt
    M Source/WebCore/rendering/RenderBlockFlow.cpp

  Log Message:
  -----------
  Cherry-pick 809b95bb1a78. rdar://problem/108327029

    [margin-trim][block layout] Nested self-collapsing children at block-end should also be trimmed.
    https://bugs.webkit.org/show_bug.cgi?id=255736
    rdar://108327029

    Reviewed by Alan Baradlay.

    When walking back up the block container for the purposes of block-end
    margin trimming we may run into a self collapsing child that needs to
    have both of its margins trimmed and its position adjusted. However, it
    is also possible that these self-collapsing children may also have other
    self-collapsing children nested arbitrarily within. If that is the case,
    we need to also trim the margins of all of its descendants.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-nested-child-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-box/margin-trim/computed-margin-values/block-container-block-end-with-self-collapsing-children-expected.txt:
    * Source/WebCore/rendering/RenderBlockFlow.cpp:
    (WebCore::RenderBlockFlow::trimBlockEndChildrenMargins):

    Canonical link: https://commits.webkit.org/263439@main


  Commit: 6bf69a0fd3864e0a062d10173a9761b160c7cbde
      https://github.com/WebKit/WebKit/commit/6bf69a0fd3864e0a062d10173a9761b160c7cbde
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

Identifier: 259548.741 at safari-7615-branch


  Commit: 5e468393c4a2a3b59cb3cad4908402bd2cdfac9e
      https://github.com/WebKit/WebKit/commit/5e468393c4a2a3b59cb3cad4908402bd2cdfac9e
  Author: Ryan Haddad <ryanhaddad at apple.com>
  Date:   2023-05-04 (Thu, 04 May 2023)

  Changed paths:
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/CookiePrivateBrowsing.mm

  Log Message:
  -----------
  [ Gardening ]Cherry-pick 261522 at main (b8b59f71961f). rdar://106235771

    New test: [iOS] TestWebKitAPI.WebKit.CookieAccessFromPDFInAboutBlank is consistently timing out
    https://bugs.webkit.org/show_bug.cgi?id=253387
    rdar://106235771

    Unreviewed test gardening.

    * Tools/TestWebKitAPI/Tests/WebKitCocoa/CookiePrivateBrowsing.mm:
    (TEST): Disable the test for iOS.

    Canonical link: https://commits.webkit.org/261522@main

Canonical link: https://commits.webkit.org/259548.742@safari-7615-branch


  Commit: 13bba6c4a2041cfd9318f18880b9a58428a10363
      https://github.com/WebKit/WebKit/commit/13bba6c4a2041cfd9318f18880b9a58428a10363
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-05-05 (Fri, 05 May 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.3

Canonical link: https://commits.webkit.org/259548.743@safari-7615-branch


  Commit: c01bb59106d88f798da0ebcab8f5655b223a5980
      https://github.com/WebKit/WebKit/commit/c01bb59106d88f798da0ebcab8f5655b223a5980
  Author: Antti Koivisto <antti at apple.com>
  Date:   2023-05-08 (Mon, 08 May 2023)

  Changed paths:
    M Source/WebCore/css/CSSGroupingRule.cpp
    M Source/WebCore/css/CSSStyleSheet.cpp
    M Source/WebCore/css/StyleSheetContents.cpp
    M Source/WebCore/css/StyleSheetContents.h
    M Source/WebCore/css/parser/CSSParserImpl.cpp

  Log Message:
  -----------
  Cherry-pick 1ffbfef4c616. rdar://problem/108758349

    Disallow caching of StyleSheetContents that uses nesting
    https://bugs.webkit.org/show_bug.cgi?id=256449
    rdar://108758349

    Reviewed by Alan Baradlay.

    Mutations to cached document may affect other stylesheets.

    * Source/WebCore/css/CSSGroupingRule.cpp:
    (WebCore::CSSGroupingRule::prepareChildStyleRuleForNesting):
    * Source/WebCore/css/CSSStyleSheet.cpp:
    (WebCore::CSSStyleSheet::prepareChildStyleRuleForNesting):
    * Source/WebCore/css/StyleSheetContents.cpp:
    (WebCore::StyleSheetContents::isCacheable const):
    * Source/WebCore/css/StyleSheetContents.h:
    * Source/WebCore/css/parser/CSSParserImpl.cpp:
    (WebCore::CSSParserImpl::consumeRegularRuleList):
    (WebCore::CSSParserImpl::consumeStyleRule):

    Canonical link: https://commits.webkit.org/263799@main

Identifier: 259548.744 at safari-7615-branch


  Commit: 4b27e08fbe8e13cfa87b12effdfd7cd6f199955e
      https://github.com/WebKit/WebKit/commit/4b27e08fbe8e13cfa87b12effdfd7cd6f199955e
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-05-08 (Mon, 08 May 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.4

Identifier: 259548.745 at safari-7615-branch


  Commit: 1b98f8905ce2a781c7b4b044d2498b396223aa81
      https://github.com/WebKit/WebKit/commit/1b98f8905ce2a781c7b4b044d2498b396223aa81
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-05-09 (Tue, 09 May 2023)

  Changed paths:
    A LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion-expected.txt
    A LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion.html
    M Source/WebCore/style/StyleBuilderConverter.h

  Log Message:
  -----------
  Fix type confusion in StyleBuilder::ConvertGridTrackSizeList.
https://bugs.webkit.org/show_bug.cgi?id=256055.
rdar://108501981.

Reviewed by Antti Koivisto.

This change fixes convertGridTrackSizeList so that it can deal with single
values instead of expecting a list of values towards the end.

* LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion-expected.txt: Added.
* LayoutTests/fast/css/style-builder-convert-grid-track-size-list-type-confusion.html: Added.
* Source/WebCore/style/StyleBuilderConverter.h:
(WebCore::Style::BuilderConverter::convertGridTrackSizeList):

Canonical link: https://commits.webkit.org/259548.746@safari-7615-branch


  Commit: b273da8975a7c18d151972db27c4056bf96f4299
      https://github.com/WebKit/WebKit/commit/b273da8975a7c18d151972db27c4056bf96f4299
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-05-09 (Tue, 09 May 2023)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector.cc

  Log Message:
  -----------
  [WebRTC] oob in RTCStatsCollector::ProduceTransportStats_n
https://bugs.webkit.org/show_bug.cgi?id=256516
rdar://109084778

Reviewed by Eric Carlson.

Cherry-pick libwebrtc 124d7c3fe5bdc79a355c9df02d07f25331631a68, which makes sure to check that the iterator is valid before using it.

* Source/ThirdParty/libwebrtc/Source/webrtc/pc/rtc_stats_collector.cc:

Canonical link: https://commits.webkit.org/259548.747@safari-7615-branch


  Commit: 207e5a27f06d07d01287d0c5cc8171ab8725ca57
      https://github.com/WebKit/WebKit/commit/207e5a27f06d07d01287d0c5cc8171ab8725ca57
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-05-09 (Tue, 09 May 2023)

  Changed paths:
    M Source/WebCore/html/CanvasBase.cpp
    M Source/WebCore/rendering/style/StyleCanvasImage.cpp
    M Source/WebCore/rendering/style/StyleCrossfadeImage.cpp
    M Source/WebCore/rendering/style/StyleFilterImage.cpp
    M Source/WebCore/rendering/style/StyleGeneratedImage.cpp
    M Source/WebCore/rendering/style/StyleGeneratedImage.h
    M Source/WebCore/rendering/style/StyleGradientImage.cpp

  Log Message:
  -----------
  Move HashCountedSet to WeakHashCountedSet in StyleGeneratedImage
https://bugs.webkit.org/show_bug.cgi?id=256532
rdar://109106473

Reviewed by Antti Koivisto.

Generated images should use a Weak container to keep track of
RenderElements so that we don't trigger UAF issues.

* Source/WebCore/html/CanvasBase.cpp:
(WebCore:: const):
* Source/WebCore/rendering/style/StyleCanvasImage.cpp:
(WebCore::StyleCanvasImage::image const):
(WebCore::StyleCanvasImage::canvasChanged):
(WebCore::StyleCanvasImage::canvasResized):
* Source/WebCore/rendering/style/StyleCrossfadeImage.cpp:
(WebCore::StyleCrossfadeImage::imageChanged):
* Source/WebCore/rendering/style/StyleFilterImage.cpp:
(WebCore::StyleFilterImage::imageChanged):
* Source/WebCore/rendering/style/StyleGeneratedImage.cpp:
(WebCore::StyleGeneratedImage::addClient):
(WebCore::StyleGeneratedImage::removeClient):
(WebCore::StyleGeneratedImage::hasClient const):
* Source/WebCore/rendering/style/StyleGeneratedImage.h:
(WebCore::StyleGeneratedImage::clients const):
(WebCore::StyleGeneratedImage:: const): Deleted.
* Source/WebCore/rendering/style/StyleGradientImage.cpp:
(WebCore::StyleGradientImage::image const):

Canonical link: https://commits.webkit.org/259548.748@safari-7615-branch


  Commit: 81e6dc7d31740e12d72a21e2cc59bf906dfeceb8
      https://github.com/WebKit/WebKit/commit/81e6dc7d31740e12d72a21e2cc59bf906dfeceb8
  Author: Myles C. Maxfield <mmaxfield at apple.com>
  Date:   2023-05-09 (Tue, 09 May 2023)

  Changed paths:
    M Source/WebCore/page/Navigator.cpp

  Log Message:
  -----------
  [WebGPU] Disable getContext("webgpu") when WebGPU is disabled
https://bugs.webkit.org/show_bug.cgi?id=256571
<rdar://problem/109134077>

Reviewed by Alex Christensen.

navigator.gpu is disabled, but getContext("webgpu") isn't.

* Source/WebCore/page/Navigator.cpp:
(WebCore::Navigator::gpu):

Canonical link: https://commits.webkit.org/259548.749@safari-7615-branch


  Commit: 47c1f159af10b513ea37beb7a30014a5d3e07c43
      https://github.com/WebKit/WebKit/commit/47c1f159af10b513ea37beb7a30014a5d3e07c43
  Author: Aakash Jain <aakash_jain at apple.com>
  Date:   2023-05-10 (Wed, 10 May 2023)

  Changed paths:
    M Tools/Scripts/webkitpy/layout_tests/controllers/single_test_runner.py

  Log Message:
  -----------
  Cherry-pick 263649 at main (2e9ec190c7f6). https://bugs.webkit.org/show_bug.cgi?id=255873

    REGRESSION: iOS layout tests intermittently failing with TypeError: 'NoneType' object is not subscriptable in _test_passes_fuzzy_matching
    https://bugs.webkit.org/show_bug.cgi?id=255873

    Reviewed by Simon Fraser.

    Check if fuzzy_result is None before accessing it.

    * Tools/Scripts/webkitpy/layout_tests/controllers/single_test_runner.py:
    (SingleTestRunner._test_passes_fuzzy_matching):

    Canonical link: https://commits.webkit.org/263649@main

Canonical link: https://commits.webkit.org/259548.750@safari-7615-branch


  Commit: 9fc652968e3cc0be5adab10fc01c177966ced327
      https://github.com/WebKit/WebKit/commit/9fc652968e3cc0be5adab10fc01c177966ced327
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-05-10 (Wed, 10 May 2023)

  Changed paths:
    M Source/WebKit/Platform/IPC/Connection.cpp
    M Source/WebKit/Scripts/webkit/model.py
    M Source/WebKit/Scripts/webkit/tests/MessageNames.cpp
    M Source/WebKit/Scripts/webkit/tests/MessageNames.h
    M Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp

  Log Message:
  -----------
  Drop MessageName::Terminate IPC message
https://bugs.webkit.org/show_bug.cgi?id=256373
rdar://108899132

Reviewed by Sihui Liu.

Drop MessageName::Terminate IPC message as it could easily be abused by a
compromised WebProcess to kill the UIProcess.

It was temporarily introduced in 243810 at main to investigate NetworkProcess
hangs we were seeing and should no longer be needed. This reverts 243810 at main.

* Source/WebKit/Platform/IPC/Connection.cpp:
(IPC::Connection::processIncomingMessage):
(IPC::terminateDueToIPCTerminateMessage): Deleted.
* Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:
(WebKit::NetworkProcessProxy::didBecomeUnresponsive):
(WebKit::shouldTerminateNetworkProcessBySendingMessage): Deleted.

Canonical link: https://commits.webkit.org/259548.751@safari-7615-branch


  Commit: a0fa94d1a572050f592fc57d2fca6f2b75bd5b0e
      https://github.com/WebKit/WebKit/commit/a0fa94d1a572050f592fc57d2fca6f2b75bd5b0e
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-05-10 (Wed, 10 May 2023)

  Changed paths:
    M LayoutTests/fast/files/null-origin-string-expected.txt
    M LayoutTests/fast/files/null-origin-string.html
    A LayoutTests/http/tests/security/block-top-level-navigation-to-different-scheme-by-third-party-iframes-expected.txt
    A LayoutTests/http/tests/security/block-top-level-navigation-to-different-scheme-by-third-party-iframes.html
    A LayoutTests/http/tests/security/block-top-level-navigation-via-redirect-by-third-party-iframes-expected.txt
    A LayoutTests/http/tests/security/block-top-level-navigation-via-redirect-by-third-party-iframes.html
    A LayoutTests/http/tests/security/resources/navigate-top-level-frame-to-failure-page-different-scheme.html
    A LayoutTests/http/tests/security/resources/navigate-top-level-frame-to-failure-page-via-redirect.html
    M Source/WebCore/dom/Document.cpp
    M Source/WebCore/dom/Document.h
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/NavigationRequester.cpp
    M Source/WebCore/loader/NavigationRequester.h

  Log Message:
  -----------
  Restrict further top-frame navigations by a third-party iframe
https://bugs.webkit.org/show_bug.cgi?id=256549
rdar://108794051

Reviewed by Geoffrey Garen.

Restrict further top-frame navigations by a third-party iframe:
- Block navigations to a different scheme
- Block navigations that start off same-site but redirect to a different site

* Source/WebCore/dom/Document.cpp:
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
* Source/WebCore/dom/Document.h:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* Source/WebCore/loader/NavigationRequester.cpp:
(WebCore::NavigationRequester::from):
* Source/WebCore/loader/NavigationRequester.h:
(WebCore::NavigationRequester::encode const):
(WebCore::NavigationRequester::decode):

Canonical link: https://commits.webkit.org/259548.752@safari-7615-branch


  Commit: 08cf44bc2869fde1d699f3bbb6e08eb4260cf528
      https://github.com/WebKit/WebKit/commit/08cf44bc2869fde1d699f3bbb6e08eb4260cf528
  Author: Matthieu Dubet <m_dubet at apple.com>
  Date:   2023-05-10 (Wed, 10 May 2023)

  Changed paths:
    M Source/WebCore/css/CSSSelector.cpp

  Log Message:
  -----------
  Cherry-pick 263859 at main (28bb70d0289c). rdar://109152809

    [CSS] Fix memory leak in CSSSelector copy ctor
    https://bugs.webkit.org/show_bug.cgi?id=256412
    rdar://108836283

    Reviewed by Antti Koivisto.

    After leakRef(), the counter is already at 1, calling ref() is wrong.

    * Source/WebCore/css/CSSSelector.cpp:
    (WebCore::CSSSelector::CSSSelector):

    Canonical link: https://commits.webkit.org/263859@main

Canonical link: https://commits.webkit.org/259548.753@safari-7615-branch


  Commit: 20a5467260edc8b5501ffb5ee4fb7e345d07d8c8
      https://github.com/WebKit/WebKit/commit/20a5467260edc8b5501ffb5ee4fb7e345d07d8c8
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-05-11 (Thu, 11 May 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.5

Identifier: 259548.754 at safari-7615-branch


  Commit: e7bdd0a46019e5ced4db2e1f0162906961b1e9ea
      https://github.com/WebKit/WebKit/commit/e7bdd0a46019e5ced4db2e1f0162906961b1e9ea
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-12 (Fri, 12 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pickable.py

  Log Message:
  -----------
  Cherry-pick 263898 at main (0f420eb4d89c). rdar://108967330

    [git-webkit] Treat tags like branches in pickable
    https://bugs.webkit.org/show_bug.cgi?id=256398
    rdar://108967330

    Reviewed by Elliott Williams.

    `git-webkit pickable` can either check if a single commit is pickable, or if
    a sequence of commits is pickable. Hashes and hash-replacements (ie, identifiers)
    should ask if a single commit as pickable, branches and tags should ask if a
    sequence of commits is pickable.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pickable.py:
    (Pickable.main): Check if specified ref is a tag or a branch.

    Canonical link: https://commits.webkit.org/263898@main

Canonical link: https://commits.webkit.org/259548.755@safari-7615-branch


  Commit: f8d50fa162abf19ff4958e863f26b1542fa07cb2
      https://github.com/WebKit/WebKit/commit/f8d50fa162abf19ff4958e863f26b1542fa07cb2
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-12 (Fri, 12 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/commit.py

  Log Message:
  -----------
  Cherry-pick 263906 at main (6aa59a41298e). rdar://109155059

    [git-webkit] Don't redact bug title in commit message
    https://bugs.webkit.org/show_bug.cgi?id=256588
    rdar://109155059

    Reviewed by Chris Dumez.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/commit.py:
    (Commit.main): Stop scrubbing commit titles of redacted bugs.

    Canonical link: https://commits.webkit.org/263906@main

Canonical link: https://commits.webkit.org/259548.756@safari-7615-branch


  Commit: 34ceb54ad41dd3188f644e35a78e70e3ca2fec0d
      https://github.com/WebKit/WebKit/commit/34ceb54ad41dd3188f644e35a78e70e3ca2fec0d
  Author: Aakash Jain <aakash_jain at apple.com>
  Date:   2023-05-12 (Fri, 12 May 2023)

  Changed paths:
    R Tools/Scripts/webkitpy/common/checksvnconfigfile.py
    M Tools/Scripts/webkitpy/style/checkers/png.py
    M Tools/Scripts/webkitpy/style/checkers/png_unittest.py
    M Tools/Scripts/webkitpy/tool/commands/download.py
    M Tools/Scripts/webkitpy/tool/steps/__init__.py
    R Tools/Scripts/webkitpy/tool/steps/addsvnmimetypeforpng.py
    R Tools/Scripts/webkitpy/tool/steps/addsvnmimetypeforpng_unittest.py

  Log Message:
  -----------
  Cherry-pick 261272 at main (ccc5e22b7254). https://bugs.webkit.org/show_bug.cgi?id=253386

    check-webkit-style should not complaint about svn related errors while checking png files
    https://bugs.webkit.org/show_bug.cgi?id=253386

    Reviewed by Jonathan Bedard.

    Removed SVN related code from style checker for png files. We moved away from
    SVN a while back.

    * Tools/Scripts/webkitpy/common/checksvnconfigfile.py: Removed.
    * Tools/Scripts/webkitpy/tool/steps/addsvnmimetypeforpng.py: Removed.
    * Tools/Scripts/webkitpy/tool/steps/addsvnmimetypeforpng_unittest.py: Removed.

    Canonical link: https://commits.webkit.org/261272@main

Canonical link: https://commits.webkit.org/259548.757@safari-7615-branch


  Commit: 4df3b5ab1ba21e6d66bfb522806734f59d6e3017
      https://github.com/WebKit/WebKit/commit/4df3b5ab1ba21e6d66bfb522806734f59d6e3017
  Author: Anne van Kesteren <annevk at annevk.nl>
  Date:   2023-05-12 (Fri, 12 May 2023)

  Changed paths:
    M Tools/Scripts/webkitpy/style/checker.py

  Log Message:
  -----------
  Cherry-pick 263710 at main (ec437900002d). rdar://108892673

    check-webkit-style: enforce whitespace/end_of_line
    https://bugs.webkit.org/show_bug.cgi?id=256304
    rdar://108892673

    Reviewed by Jonathan Bedard and Ryosuke Niwa.

    This ensures that changed lines will get a style error if they end in whitespace (as defined at https://docs.python.org/3/library/stdtypes.html#str.isspace).

    This appears to have agreement per the thread at https://lists.webkit.org/pipermail/webkit-dev/2023-April/thread.html#32525.

    * Tools/Scripts/webkitpy/style/checker.py:

    Canonical link: https://commits.webkit.org/263710@main

Canonical link: https://commits.webkit.org/259548.758@safari-7615-branch


  Commit: 49892baf8b1c1079a386768866485e165c46da75
      https://github.com/WebKit/WebKit/commit/49892baf8b1c1079a386768866485e165c46da75
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-12 (Fri, 12 May 2023)

  Changed paths:
    M Tools/Scripts/webkitpy/tool/steps/preparechangelogforrevert.py

  Log Message:
  -----------
  Cherry-pick 263910 at main (076489aa12ca). rdar://109157004

    [webkit-patch] Only prefix reverts with r when revision used
    https://bugs.webkit.org/show_bug.cgi?id=256592
    rdar://109157004

    Reviewed by Ryan Haddad.

    * Tools/Scripts/webkitpy/tool/steps/preparechangelogforrevert.py:
    (PrepareChangeLogForRevert._message_for_revert): Only prefix r when the revision is an integer.

    Canonical link: https://commits.webkit.org/263910@main

Canonical link: https://commits.webkit.org/259548.759@safari-7615-branch


  Commit: ce9226fc4698f4b295e1cf14dad37dce6c2497bb
      https://github.com/WebKit/WebKit/commit/ce9226fc4698f4b295e1cf14dad37dce6c2497bb
  Author: Elliott Williams <emw at apple.com>
  Date:   2023-05-12 (Fri, 12 May 2023)

  Changed paths:
    M Tools/Scripts/hooks/prepare-commit-msg

  Log Message:
  -----------
  Cherry-pick 263965 at main (b614d2729f54). rdar://109107387

    git-webkit prints "error: invalid key:" during prepare-commit-msg
    https://bugs.webkit.org/show_bug.cgi?id=256534
    rdar://109107387

    Reviewed by Jonathan Bedard.

    git-config(1) exits "1" when a key is missing, which is an expected
    case for the hook. AFAICT, there's not a good way to silence the error,
    so capture stderr when making the call and only print it out if
    git-config fails with a *different* exit code.

    * Tools/Scripts/hooks/prepare-commit-msg:

    Canonical link: https://commits.webkit.org/263965@main

Canonical link: https://commits.webkit.org/259548.760@safari-7615-branch


  Commit: 776066945bf4070a7c68da6c2d07e9e97fba0557
      https://github.com/WebKit/WebKit/commit/776066945bf4070a7c68da6c2d07e9e97fba0557
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-05-16 (Tue, 16 May 2023)

  Changed paths:
    A JSTests/stress/regress-109134454.js
    M Source/JavaScriptCore/b3/B3ReduceStrength.cpp

  Log Message:
  -----------
  [JSC] Fix IntRange speculation for zExt32
https://bugs.webkit.org/show_bug.cgi?id=256573
rdar://109134454

Reviewed by Yusuke Suzuki.

Previously, the IntRange speculation in B3ReduceStrength for node
zExt32 is wrong. This patch fixes this issue.

* JSTests/stress/regress-109134454.js: Added.
* Source/JavaScriptCore/b3/B3ReduceStrength.cpp:

Canonical link: https://commits.webkit.org/259548.761@safari-7615-branch


  Commit: 7fb3ced7874a5e387d557092de32f86a086f19cc
      https://github.com/WebKit/WebKit/commit/7fb3ced7874a5e387d557092de32f86a086f19cc
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-05-16 (Tue, 16 May 2023)

  Changed paths:
    A JSTests/wasm/stress/throw-multiple-values.js
    A JSTests/wasm/stress/throw-with-live-value-on-stack.js
    M Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp

  Log Message:
  -----------
  Parameters to throw alias with stack elements in WASM LLInt
https://bugs.webkit.org/show_bug.cgi?id=256818
rdar://108036137

Reviewed by Yusuke Suzuki.

Correctly computes stack offsets when materializing the operands of
a wasm_throw instruction in the WasmLLIntGenerator by counting relative
to the stack height before the operands were popped as opposed to after.

* JSTests/wasm/stress/throw-multiple-values.js: Added.
(async test):
* JSTests/wasm/stress/throw-with-live-value-on-stack.js: Added.
(async test):
* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::addThrow):

Canonical link: https://commits.webkit.org/259548.762@safari-7615-branch


  Commit: 62d974e461701e33e79b5e0912b38b4eceb4081a
      https://github.com/WebKit/WebKit/commit/62d974e461701e33e79b5e0912b38b4eceb4081a
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-05-16 (Tue, 16 May 2023)

  Changed paths:
    A JSTests/stress/regress-109102631.js
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  [JSC] GetTypedArrayByteOffset should do speculation check for all bits in DFG
https://bugs.webkit.org/show_bug.cgi?id=256865
rdar://109428505

Reviewed by Yusuke Suzuki.

DFG abstract interpreter speculates that GetTypedArrayByteOffset node
should have int32 result. However, when compiling GetTypedArrayByteOffset
we only do speculation check on lower bits of the result, which is wrong.
This patch fixes this problem.

* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:

Canonical link: https://commits.webkit.org/259548.763@safari-7615-branch


  Commit: 51673956823d9ece6a1427790744d4c370c07a3a
      https://github.com/WebKit/WebKit/commit/51673956823d9ece6a1427790744d4c370c07a3a
  Author: Michael Saboff <msaboff at apple.com>
  Date:   2023-05-17 (Wed, 17 May 2023)

  Changed paths:
    M JSTests/stress/unscopables.js
    M LayoutTests/inspector/model/remote-object-get-properties-expected.txt
    M LayoutTests/js/Object-getOwnPropertyNames-expected.txt
    M LayoutTests/js/array-unscopables-properties-expected.txt
    M LayoutTests/js/script-tests/Object-getOwnPropertyNames.js
    M LayoutTests/js/script-tests/array-unscopables-properties.js
    M Source/JavaScriptCore/runtime/OptionsList.h
    M Source/WebInspectorUI/UserInterface/Models/NativeFunctionParameters.js

  Log Message:
  -----------
  Cherry-pick 0ad3c9cd654b. rdar://problem/109156668

    [JSC] Disable Array#group and Array#groupToMap
    https://bugs.webkit.org/show_bug.cgi?id=256591
    rdar://109156668

    Reviewed by Yusuke Suzuki and Devin Rousso.

    Disable stage 3 proposed APIs Array#group and Array#groupToMap as they have run into web compatibility issues.
    The name for at least Array#group will likely change.

    * JSTests/stress/unscopables.js:
    * LayoutTests/inspector/model/remote-object-get-properties-expected.txt:
    * LayoutTests/js/Object-getOwnPropertyNames-expected.txt:
    * LayoutTests/js/array-unscopables-properties-expected.txt:
    * LayoutTests/js/script-tests/Object-getOwnPropertyNames.js:
    * LayoutTests/js/script-tests/array-unscopables-properties.js:
    * Source/JavaScriptCore/runtime/OptionsList.h:
    * Source/WebInspectorUI/UserInterface/Models/NativeFunctionParameters.js:

    Canonical link: https://commits.webkit.org/263922@main

Identifier: 259548.764 at safari-7615-branch


  Commit: 568981718c59f02253680b0bc87c6079bdfc6eb1
      https://github.com/WebKit/WebKit/commit/568981718c59f02253680b0bc87c6079bdfc6eb1
  Author: Kimmo Kinnunen <kkinnunen at apple.com>
  Date:   2023-05-17 (Wed, 17 May 2023)

  Changed paths:
    A LayoutTests/fast/canvas/canvas-put-image-data-after-draw-expected.html
    A LayoutTests/fast/canvas/canvas-put-image-data-after-draw.html
    M Source/WebKit/WebProcess/GPU/graphics/RemoteImageBufferProxy.cpp

  Log Message:
  -----------
  Cherry-pick a658f97638bf. rdar://problem/108741153

    Cherry-pick 263978 at main (a658f97638bf). rdar://108741153

        REGRESSION(261130 at main): Canvas putImageData draws onto wrong canvas
        https://bugs.webkit.org/show_bug.cgi?id=256151
        rdar://108741153

        Reviewed by Said Abou-Hallawa.

        Pending reads are of form CGImage that points to the IOSurface.
        Thus the IOSurface cannot be modified without synchronizing with the
        GPUP.
        Fix by simulating a write and synchronizing with the GPUP. After
        this completes, there are no readers to the IOSurface and the
        operation may proceed.

        * LayoutTests/fast/canvas/canvas-put-image-data-after-draw-expected.html: Added.
        * LayoutTests/fast/canvas/canvas-put-image-data-after-draw.html: Added.
        * Source/WebKit/WebProcess/GPU/graphics/RemoteImageBufferProxy.cpp:
        (WebKit::RemoteImageBufferProxy::putPixelBuffer):

        Canonical link: https://commits.webkit.org/263978@main

Identifier: 259548.765 at safari-7615-branch


  Commit: f244685eaca5a3c4971c03262df2cfadca246856
      https://github.com/WebKit/WebKit/commit/f244685eaca5a3c4971c03262df2cfadca246856
  Author: Brandon Stewart <brandonstewart at apple.com>
  Date:   2023-05-18 (Thu, 18 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/compression/compression-large-flush-output.any-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/compression/compression-large-flush-output.any.html
    A LayoutTests/imported/w3c/web-platform-tests/compression/compression-large-flush-output.any.js
    M Source/WebCore/Modules/compression/CompressionStreamEncoder.cpp
    M Source/WebCore/Modules/compression/CompressionStreamEncoder.h
    M Source/WebCore/Modules/compression/DecompressionStreamDecoder.cpp
    M Source/WebCore/Modules/compression/DecompressionStreamDecoder.h

  Log Message:
  -----------
  Cherry-pick a30d9284f5b9. rdar://problem/107133345

    Compression Streams not handling large outputs during the flush stage
    https://bugs.webkit.org/show_bug.cgi?id=254021

    Reviewed by Chris Dumez and Brent Fulgham.

    We missed an edge case where during the flush step we may have data longer than
    the allocated output. Since the avail_in will be set to 0 we would just exit.
    We need to verify that the stream has ended before exiting.

    * LayoutTests/imported/w3c/web-platform-tests/compression/compression-large-flush-output.any-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/compression/compression-large-flush-output.any.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/compression/compression-large-flush-output.any.js: Added.
    (async compressData):
    (promise_test.async t):
    * Source/WebCore/Modules/compression/CompressionStreamEncoder.cpp:
    (WebCore::CompressionStreamEncoder::flush):
    (WebCore::CompressionStreamEncoder::didDeflateFinish const):
    (WebCore::didDeflateFail):
    (WebCore::CompressionStreamEncoder::compress):
    * Source/WebCore/Modules/compression/CompressionStreamEncoder.h:
    (WebCore::CompressionStreamEncoder::CompressionStreamEncoder):
    * Source/WebCore/Modules/compression/DecompressionStreamDecoder.cpp:
    (WebCore::DecompressionStreamDecoder::flush):
    (WebCore::DecompressionStreamDecoder::didInflateFinish const):
    (WebCore::didInflateFail):
    (WebCore::DecompressionStreamDecoder::didInflateContainExtraBytes const):
    (WebCore::DecompressionStreamDecoder::decompressZlib):
    (WebCore::DecompressionStreamDecoder::decompressAppleCompressionFramework):
    * Source/WebCore/Modules/compression/DecompressionStreamDecoder.h:
    (WebCore::DecompressionStreamDecoder::DecompressionStreamDecoder):

    Canonical link: https://commits.webkit.org/263997@main

Identifier: 259548.766 at safari-7615-branch


  Commit: 168b349a71f00c0d7295aaa5ddcb88b5e2f58a50
      https://github.com/WebKit/WebKit/commit/168b349a71f00c0d7295aaa5ddcb88b5e2f58a50
  Author: Matthieu Dubet <m_dubet at apple.com>
  Date:   2023-05-18 (Thu, 18 May 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/parsing-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/parsing.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/serialize-group-rules-with-decls.tentative-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/serialize-group-rules-with-decls.tentative.html
    M Source/WebCore/css/CSSGroupingRule.cpp
    M Source/WebCore/css/CSSStyleRule.cpp

  Log Message:
  -----------
  Cherry-pick 264003 at main (e07871e21ea8). rdar://109208359

    [CSS Nesting] Don't serialize first implicit style rule inside group rule
    https://bugs.webkit.org/show_bug.cgi?id=256647
    rdar://109208359

    Reviewed by Antti Koivisto.

    Orphaned properties in group rule are implicitly added
    to a style rule with '&' as selector ;
    this implicit style rule should not be serialized.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/parsing-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/parsing.html:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/serialize-group-rules-with-decls.tentative-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/serialize-group-rules-with-decls.tentative.html:

     Import from WPT

    * Source/WebCore/css/CSSGroupingRule.cpp:
    (WebCore::CSSGroupingRule::appendCSSTextForItems const):
    (WebCore::CSSGroupingRule::cssTextForDeclsAndRules const):
    * Source/WebCore/css/CSSStyleRule.cpp:
    (WebCore::CSSStyleRule::cssTextForDeclsAndRules const):

    This behavior only concerns group rule, not style rule (where a property can't be orphaned)

    Canonical link: https://commits.webkit.org/264003@main

Canonical link: https://commits.webkit.org/259548.767@safari-7615-branch


  Commit: 80440fb1fa52e95d3d11b822053641f0df66a9b6
      https://github.com/WebKit/WebKit/commit/80440fb1fa52e95d3d11b822053641f0df66a9b6
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/publish_unittest.py

  Log Message:
  -----------
  Cherry-pick 264124 at main (cafa1460dd1b). rdar://108962363

    [git-webkit] Allow publish to exclude branches or tags
    https://bugs.webkit.org/show_bug.cgi?id=256388
    rdar://108962363

    Reviewed by Elliott Williams.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py:
    (Publish.parser): Add --exclude option.
    (Publish.branches_on): Exclude specified branches.
    (Publish.tags_on): Exclude specified tags.
    (Publish.main): Exclude specified branches and tags from publication.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/publish_unittest.py:
    (TestPublish.test_git_exclude):

    Canonical link: https://commits.webkit.org/264124@main

Canonical link: https://commits.webkit.org/259548.768@safari-7615-branch


  Commit: bedbee4cf2dca82297c470f86bfa6e8c3abdc53f
      https://github.com/WebKit/WebKit/commit/bedbee4cf2dca82297c470f86bfa6e8c3abdc53f
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitcorepy/setup.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/file_lock.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/tests/file_lock_unittest.py

  Log Message:
  -----------
  Cherry-pick 264321 at main (1c10cac85558). rdar://109487762

    [webkitcorepy] Fix race condition in FileLock
    https://bugs.webkit.org/show_bug.cgi?id=256931
    rdar://109487762

    Reviewed by Alexey Proskuryakov.

    * Tools/Scripts/libraries/webkitcorepy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/file_lock.py:
    (FileLock.is_process_running): Check if a specific PID is running.
    (FileLock.acquire): Create and acquire lock in a single operation on Unix systems.
    Save the current PID to the file, which allows future processes to ignore this lock
    if the PID saved in it is dead. For systems which support it, use O_EXLOCK and interrupts
    instead of a spinlock. Raise exceptions when we fail to acquire the lock.
    (FileLock.release): Delete the lockfile before releasing it on Unix systems. Systems using
    O_EXLOCK simply need to close their file handle.
    (FileLock.__exit__): Don't raise a 2nd exception if __enter__ has raised one.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/tests/file_lock_unittest.py:
    (action):
    (FileLockTestCase.test_locked):
    (FileLockTestCase.test_locked_timeout):
    (FileLockTestCase.test_double):
    (FileLockTestCase.test_race):

    Canonical link: https://commits.webkit.org/264321@main

Canonical link: https://commits.webkit.org/259548.769@safari-7615-branch


  Commit: aa5e9d582edd21ec6ef9578b2f635f6cdf0a265c
      https://github.com/WebKit/WebKit/commit/aa5e9d582edd21ec6ef9578b2f635f6cdf0a265c
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitcorepy/setup.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/file_lock.py

  Log Message:
  -----------
  Cherry-pick 264322 at main (caf109704d37). rdar://109488201

    [webkitcorepy] Support multiple autoinstallers running in parallel
    https://bugs.webkit.org/show_bug.cgi?id=256933
    rdar://109488201

    Reviewed by Alexey Proskuryakov.

    Lay down a lockfile so that only one autoinstaller process can modify an autoinstall
    location at a time.

    * Tools/Scripts/libraries/webkitcorepy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py:
    (Package.install): While installing a package, acquire the lock to prevent
    other processes from installing packages while this one is.
    (AutoInstall): Define manifest.json and lockfile as class members.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/file_lock.py:
    (FileLock.acquire): Disable patch in Timeout to avoid infinite recursion.

    Canonical link: https://commits.webkit.org/264322@main

Canonical link: https://commits.webkit.org/259548.770@safari-7615-branch


  Commit: 2ece37d3ee5b1163e995b68d860acce97402c622
      https://github.com/WebKit/WebKit/commit/2ece37d3ee5b1163e995b68d860acce97402c622
  Author: Dawn Flores <dawn_flores at apple.com>
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
    M LayoutTests/platform/ios/TestExpectations
    M LayoutTests/platform/mac/TestExpectations

  Log Message:
  -----------
  [ Gardening ]([ EWS ] 5x imported/w3c/web-platform-tests/css/ (Layout-tests) are constant failures)
rdar://108628398

Unreviewed test gardening.

* LayoutTests/platform/ios/TestExpectations:
* LayoutTests/platform/mac/TestExpectations:

Canonical link: https://commits.webkit.org/259548.771@safari-7615-branch


  Commit: 64e3d5c74385b79609db6ff9bd54d1a6aa8a4970
      https://github.com/WebKit/WebKit/commit/64e3d5c74385b79609db6ff9bd54d1a6aa8a4970
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2023-05-22 (Mon, 22 May 2023)

  Changed paths:
    A LayoutTests/compositing/overflow/overflow-change-abspos-descendant-expected.txt
    A LayoutTests/compositing/overflow/overflow-change-abspos-descendant.html
    M Source/WebCore/rendering/RenderLayer.cpp

  Log Message:
  -----------
  Cherry-pick 263286 at main (eb40daa6cd50). rdar://109683319

    Crash in collectStationaryLayerRelatedOverflowNodes()
    https://bugs.webkit.org/show_bug.cgi?id=255830
    <rdar://107526702>

    Reviewed by Alan Baradlay.

    Some unusual content configurations can hit the ASSERT(overflowLayer.isComposited())
    in collectStationaryLayerRelatedOverflowNodes(), which ends up in a null dereference in release builds.

    The issue occurs when a RenderLayer which was using composited scrolling becomes non-scrollable,
    but hasCompositedScrollableOverflow() continues to return true, leading to errors in compositing code
    which relies on canUseCompositedScrolling(). RenderLayerScrollableArea caches m_hasCompositedScrollableOverflow,
    and failed to recompute it in this case.

    Fix by having RenderLayer::styleChanged() force hasCompositedScrollableOverflow() to be recomputed
    when style scrollability changes.

    The testcase is derived from rdar://88329753.

    * LayoutTests/compositing/overflow/overflow-change-abspos-descendant-expected.txt: Added.
    * LayoutTests/compositing/overflow/overflow-change-abspos-descendant.html: Added.
    * Source/WebCore/rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::calculateClipRects const):

    Canonical link: https://commits.webkit.org/263286@main

Canonical link: https://commits.webkit.org/259548.772@safari-7615-branch


  Commit: 3d72c3255b5fb2cbfdce5474e90a9765802b70f9
      https://github.com/WebKit/WebKit/commit/3d72c3255b5fb2cbfdce5474e90a9765802b70f9
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-05-23 (Tue, 23 May 2023)

  Changed paths:
    M Source/WebCore/loader/DocumentLoader.cpp

  Log Message:
  -----------
  Follow-up to 259548.752 at safari-7615-branch to cancel navigations instead of blocking them
https://bugs.webkit.org/show_bug.cgi?id=257161
rdar://108794051

Reviewed by Alex Christensen.

259548.752 at safari-7615-branch added further restrictions to prevent top-frame navigations
by third-party iframes, in particular using redirects. I had decided to block the redirect
with a blockedError(). However, it turns out that Safari shows an error page when doing
so, which results in a bad user experience since the top frame is still being navigated
(to an error page).

To address the issue, I am now cancelling the redirect instead and returning a
cancelledError(). I have verified that Safari doesn't show an error page in this case and
that the top frame is not getting navigated.

* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):

Canonical link: https://commits.webkit.org/259548.773@safari-7615-branch


  Commit: 23e9761b5751f9a6d81c689ceb26784dd1ea51b0
      https://github.com/WebKit/WebKit/commit/23e9761b5751f9a6d81c689ceb26784dd1ea51b0
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-05-23 (Tue, 23 May 2023)

  Changed paths:
    A JSTests/stress/define-property-on-receiver-jsfunction-prototype-no-crash.js
    M JSTests/stress/ordinary-set-exceptions.js
    M Source/JavaScriptCore/runtime/JSObject.cpp

  Log Message:
  -----------
  [JSC] putByValWithThis shouldn't bypass definePropertyOnReceiverSlow
https://bugs.webkit.org/show_bug.cgi?id=257164
<rdar://108759737>

Reviewed by Yusuke Suzuki.

The OrdinarySet revamp in https://webkit.org/b/217916 assumed that there are only 2 cases to take the slow path
for altered receivers: overriden [[Set]] in prototype chain and Reflect.set(). I thought that it's unobservable
to take the fast path otherwise since overriden methods were already called.

However, the third case was missed: put_by_val_with_this bytecode op, which is emitted for setting a property
on `super` base, and with https://webkit.org/b/252602, for ProxyObjectStore IC when the trap is missing.

Among other minor web compatibility bugs, missing that case caused properties to be put right on ProxyObject's
structure, where they are unaccessible, skipping calls to "set" and "defineProperty" traps.

This change relaxes the condition for taking the definePropertyOnReceiverSlow() while ensuring all common
[[Set]] targets like JSArray or `class X extends Y {}` are just as fast.

* JSTests/stress/define-property-on-receiver-jsfunction-prototype-no-crash.js: Added.
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::canDefinePropertyOnReceiverFast):
(JSC::JSObject::definePropertyOnReceiver):

Canonical link: https://commits.webkit.org/259548.774@safari-7615-branch


  Commit: ffe32d106cb2438f39378707a109d7c2bb27e193
      https://github.com/WebKit/WebKit/commit/ffe32d106cb2438f39378707a109d7c2bb27e193
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-05-23 (Tue, 23 May 2023)

  Changed paths:
    A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt
    A LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
    M Source/JavaScriptCore/runtime/ClassInfo.h
    M Source/JavaScriptCore/runtime/PropertySlot.h
    M Source/JavaScriptCore/runtime/Structure.cpp
    M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

  Log Message:
  -----------
  [JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take non-reified static properties into account
https://bugs.webkit.org/show_bug.cgi?id=255952
<rdar://108334411>

Reviewed by Yusuke Suzuki.

Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not checking the
structure's non-reified static properties against the condition. This can lead to incorrect analysis
of side effects: AbsenceOfSetEffect condition with a non-reified static setter is considered pure
even though a setter with arbitrary code can be invoked.

This patch fixes AbsenceOfSetEffect validity check for structures with non-reified static properties
while takes extra care to make the fix as precise as possible to avoid unnecessary slowdowns.

* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt: Added.
* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html: Added.
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
* Source/JavaScriptCore/runtime/ClassInfo.h:
* Source/JavaScriptCore/runtime/PropertySlot.h:
* Source/JavaScriptCore/runtime/Structure.cpp:
(JSC::ClassInfo::hasStaticReadOnlyOrGetterSetterProperty const):
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:

Canonical link: https://commits.webkit.org/259548.775@safari-7615-branch


  Commit: 7849e30e34aa0e4204fd060b8484d14177a7faf1
      https://github.com/WebKit/WebKit/commit/7849e30e34aa0e4204fd060b8484d14177a7faf1
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-05-23 (Tue, 23 May 2023)

  Changed paths:
    M JSTests/stress/regress-109102631.js

  Log Message:
  -----------
  [JSC] Skip memory limited systems for test case allocating large size array
https://bugs.webkit.org/show_bug.cgi?id=257215
rdar://109729172

Reviewed by Yusuke Suzuki.

* JSTests/stress/regress-109102631.js:

Canonical link: https://commits.webkit.org/259548.776@safari-7615-branch


  Commit: e74d4b07ad3898db3e7d1c819fcaf46bf03ccca3
      https://github.com/WebKit/WebKit/commit/e74d4b07ad3898db3e7d1c819fcaf46bf03ccca3
  Author: Patrick Angle <pangle at apple.com>
  Date:   2023-05-24 (Wed, 24 May 2023)

  Changed paths:
    M Source/JavaScriptCore/inspector/ScriptCallStack.cpp
    M Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp

  Log Message:
  -----------
  Web Inspector: Deeply nested console logging can cause ConsoleMessage to be destroyed while we are still trying to log it
https://bugs.webkit.org/show_bug.cgi?id=256932
rdar://108063640

Reviewed by Mark Lam.

InspectorConsoleAgent has been incorrectly managing the lifetime of each ConsoleMessage by moving messages into a vector
of messages before we have passed those messages on to the frontend. This means that a console message that causes
another console message to be logged may eventually cause our original message to be dropped from the vector if this
occurs deeply enough. At that point, when we unwind back to the original message, it has been destroyed while we are
trying to send it to the frontend, which results in a bad time because we are still inside a function on the
ConsoleMessage that tries to access its own member variables like m_arguments, and fails because the message object
itself has been destroyed, taking its members with it.

This also fixes a subtle message inversion in the backlog of messages and what is logged to the console when Web
Inspector is open, since the message is sent to the frontend after all other processing, but we were previously adding
the message to the vector of past messages before that processing (which may in turn cause more logging before the
actual logging we called in to perform) to occur.

A second minor issue is that ScriptCallStack is incorrectly asserting in its constructor, which preventing investigation
of this issue initially. The call stack should be less than __or equal to__ the max call stack, not just less than.

* Source/JavaScriptCore/inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::addToFrontend):
* Source/JavaScriptCore/inspector/InjectedScript.cpp:
(Inspector::InjectedScript::wrapObject const):
(Inspector::InjectedScript::wrapTable const):
* Source/JavaScriptCore/inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::ScriptCallStack):
* Source/JavaScriptCore/inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::addConsoleMessage):
* Source/WebCore/page/PageConsoleClient.cpp:
(WebCore::PageConsoleClient::messageWithTypeAndLevel):

Canonical link: https://commits.webkit.org/259548.777@safari-7615-branch


  Commit: 4fefffcb57d1b00a3a78acfa0766122b013bb840
      https://github.com/WebKit/WebKit/commit/4fefffcb57d1b00a3a78acfa0766122b013bb840
  Author: Brent Fulgham <bfulgham at webkit.org>
  Date:   2023-05-25 (Thu, 25 May 2023)

  Changed paths:
    M Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm

  Log Message:
  -----------
  Cherry-pick 7b389848394a. rdar://problem/109853007

    REGRESSION(255664 at main): [Lockdown Mode] Switch back to `CaptivePortal` key to avoid shipping apps that use that key
    https://bugs.webkit.org/show_bug.cgi?id=252190
    <rdar://102422729>

    Reviewed by Wenson Hsieh and Chris Dumez.

    The Lockdown Mode renaming update done in 255664 at main changed the string used to store
    the app-specific user decision about Lockdown Mode use. We did not realize this string
    was effectively an API used by other applications.

    To avoid breaking behavior, we should revert to use the original key until a proper API
    is created.

    * Source/WebKit/UIProcess/API/ios/WKWebViewIOS.mm:
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/UIDelegate.mm:

    Canonical link: https://commits.webkit.org/260233@main

Canonical link: https://commits.webkit.org/259548.778@safari-7615-branch


  Commit: a71893c9f77d267ea583f5c6a33b0f13497d0ce2
      https://github.com/WebKit/WebKit/commit/a71893c9f77d267ea583f5c6a33b0f13497d0ce2
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-05-25 (Thu, 25 May 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.6

Identifier: 259548.779 at safari-7615-branch


  Commit: 27b3c41a193420a8c0ab4deaf2693b95cbb035fd
      https://github.com/WebKit/WebKit/commit/27b3c41a193420a8c0ab4deaf2693b95cbb035fd
  Author: Dawn Flores <dawn_flores at apple.com>
  Date:   2023-05-25 (Thu, 25 May 2023)

  Changed paths:
    M LayoutTests/platform/mac-wk1/TestExpectations

  Log Message:
  -----------
  Cherry-pick 264542 at main (fca03ab2097e). rdar://106235771

    ([ WK1 ] 2 http/tests/resourceLoadStatistics/* (layout-tests) are constant failures)
    rdar://105804155

    Unreviewed test gardening.

    These tests need to be skipped on WK1.

    * LayoutTests/platform/mac-wk1/TestExpectations:

    Canonical link: https://commits.webkit.org/264542@main

Canonical link: https://commits.webkit.org/259548.780@safari-7615-branch


  Commit: dbb0655c9d5d901d9e2d0728f98a253a5b821776
      https://github.com/WebKit/WebKit/commit/dbb0655c9d5d901d9e2d0728f98a253a5b821776
  Author: Kenji Shukuwa <kenji.shukuwa at open-tec.co.jp>
  Date:   2023-05-25 (Thu, 25 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/file_lock.py

  Log Message:
  -----------
  Cherry-pick 264522 at main (86fec1312374). https://bugs.webkit.org/show_bug.cgi?id=257310

    [webkitcorepy][Win] Fix NameError error in FileLock after 264321 at main
    https://bugs.webkit.org/show_bug.cgi?id=257310

    Reviewed by Jonathan Bedard.

    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/file_lock.py:
    (FileLock.acquire):

    Canonical link: https://commits.webkit.org/264522@main

Canonical link: https://commits.webkit.org/259548.781@safari-7615-branch


  Commit: 9d8c69db76df770982eb4a2e3b09787fa1f3f32e
      https://github.com/WebKit/WebKit/commit/9d8c69db76df770982eb4a2e3b09787fa1f3f32e
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-25 (Thu, 25 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/git-repo.json
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/branch.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/branch_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/land_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/squash_unittest.py
    M Tools/Scripts/webkitpy/common/checkout/scm/git.py

  Log Message:
  -----------
  Cherry-pick 264536 at main (295115e98b2e). rdar://109419012

    [git-webkit] Speed up Branch.branch_point
    https://bugs.webkit.org/show_bug.cgi?id=256855
    rdar://109419012

    Reviewed by Elliott Williams.

    Calculating the merge-base of a commit and all production branches is actually faster than checking
    which branches that commit is a member of. Re-implement branch-point using this techinque.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/git-repo.json: Add identifiers to all commits.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py:
    (Git.__init__): Pass all arguments to merge-base
    (Git.merge_base): Support multiple branch arguments.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/branch.py:
    (Branch.branch_point): Calculate the merge-base between the current commit and all potential production branches.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
    (PullRequest.pull_request_branch_point): Early-exit function if branch-point is undefined.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/branch_unittest.py:
    (TestBranch.test_branch_point):
    (TestBranch.test_branch_point_main):
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/land_unittest.py:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/pull_request_unittest.py:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/revert_unittest.py:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/squash_unittest.py:

    Canonical link: https://commits.webkit.org/264536@main

Canonical link: https://commits.webkit.org/259548.782@safari-7615-branch


  Commit: 3e4a5e1d52fc9868c5b429e016c06120390f5c53
      https://github.com/WebKit/WebKit/commit/3e4a5e1d52fc9868c5b429e016c06120390f5c53
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-26 (Fri, 26 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pickable.py

  Log Message:
  -----------
  Cherry-pick 264543 at main (5bb3efd51ace). rdar://109840268

    [git-webkit] Make more follow-up fixes pickable
    https://bugs.webkit.org/show_bug.cgi?id=257335
    rdar://109840268

    Reviewed by Dewei Zhu.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pickable.py:
    (Pickable.pickable): Seperate reverts from follow-up fixes, and be more inclusive of follow-up fixes.

    Canonical link: https://commits.webkit.org/264543@main

Canonical link: https://commits.webkit.org/259548.783@safari-7615-branch


  Commit: e1ebb63c008085ebe070df66b02dd90148bfc798
      https://github.com/WebKit/WebKit/commit/e1ebb63c008085ebe070df66b02dd90148bfc798
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-05-26 (Fri, 26 May 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py

  Log Message:
  -----------
  Cherry-pick 264544 at main (bb0606c86b4a). rdar://109860518

    [git-webkit] Only reset local main when it contains local commits
    https://bugs.webkit.org/enter_bug.cgi?product=WebKit
    rdar://109860518

    Reviewed by Dewei Zhu.

    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py: Mock --is-ancestor.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
    (PullRequest.pull_request_branch_point): Only reset local branch ref if the local branch ref
    is not tracking the remote branch.

    Canonical link: https://commits.webkit.org/264544@main

Canonical link: https://commits.webkit.org/259548.784@safari-7615-branch


  Commit: f2a2820d312c873be47fbdd12d6be557fae857af
      https://github.com/WebKit/WebKit/commit/f2a2820d312c873be47fbdd12d6be557fae857af
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-05-26 (Fri, 26 May 2023)

  Changed paths:
    A JSTests/stress/resizable-array-buffer-copy-within-length-update.js
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

  Log Message:
  -----------
  [JSC] Recompute length properly when resize happens during TypedArray#copyWithin
https://bugs.webkit.org/show_bug.cgi?id=257387
rdar://109851495

Reviewed by Mark Lam.

copyWithin's side effectful operation can resize resizable ArrayBuffer. We have a code catching this and recompute the appropriate copy count
again, but it can overflow if `to` or `from` are larger than the newly updated `length`. This patch handles this case correctly: returning
since there is no copying content in this case.

* JSTests/stress/resizable-array-buffer-copy-within-length-update.js: Added.
(call_back):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncCopyWithin):

Canonical link: https://commits.webkit.org/259548.785@safari-7615-branch


  Commit: c9d2edfda9b00ec2825471d86488c7bd6776364b
      https://github.com/WebKit/WebKit/commit/c9d2edfda9b00ec2825471d86488c7bd6776364b
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    A LayoutTests/http/tests/mime/resources/.htaccess
    A LayoutTests/http/tests/mime/resources/svg-with-html.svg
    A LayoutTests/http/tests/mime/resources/xml-with-html.xml
    A LayoutTests/http/tests/mime/svg-with-html-expected.txt
    A LayoutTests/http/tests/mime/svg-with-html.html
    A LayoutTests/http/tests/mime/xml-with-html-expected.txt
    A LayoutTests/http/tests/mime/xml-with-html.html
    M Source/WebCore/platform/network/ios/WebCoreURLResponseIOS.mm

  Log Message:
  -----------
  [ios] Prioritize text/plain MIME type over file extension for XML file types
https://bugs.webkit.org/show_bug.cgi?id=257299
rdar://107379119

Reviewed by David Kilzer.

When we receive a file with a text/plain resource, we try harder to find a
better match for the file content, but this can potentially lead to an issue
with some file types like XML. Therefore, if the server says that a file should
be treated as text/plain, and we decide that it is actually XML or SVG, we
prefer using text/plain.

* LayoutTests/http/tests/mime/resources/.htaccess: Added.
* LayoutTests/http/tests/mime/resources/svg-with-html.svg: Added.
* LayoutTests/http/tests/mime/resources/xml-with-html.xml: Added.
* LayoutTests/http/tests/mime/svg-with-html-expected.txt: Added.
* LayoutTests/http/tests/mime/svg-with-html.html: Added.
* LayoutTests/http/tests/mime/xml-with-html-expected.txt: Added.
* LayoutTests/http/tests/mime/xml-with-html.html: Added.
* Source/WebCore/platform/network/ios/WebCoreURLResponseIOS.mm:
(WebCore::shouldPreferTextPlainMIMEType):
(WebCore::adjustMIMETypeIfNecessary):

Canonical link: https://commits.webkit.org/259548.786@safari-7615-branch


  Commit: 88ed3825fa4ee17f927da5a03871205bdd4fa461
      https://github.com/WebKit/WebKit/commit/88ed3825fa4ee17f927da5a03871205bdd4fa461
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    M Source/WebCore/html/CanvasBase.h
    M Source/WebCore/html/HTMLCanvasElement.h
    M Source/WebCore/html/OffscreenCanvas.cpp
    M Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp
    M Source/WebCore/rendering/style/StyleCanvasImage.cpp

  Log Message:
  -----------
  Ensure CanvasBase remains alive while in use
https://bugs.webkit.org/show_bug.cgi?id=257234
rdar://109540621

Reviewed by Chris Dumez.

A HTMLCanvasElement could be destroyed when it calls CanvasBase::setImageBuffer
because that call could trigger a GC. We've seen crashes originating from
HTMLCanvasElement::setImageBufferAndMarkDirty, but this patch adds protection
around other setImageBuffer call sites, as well.

* Source/WebCore/html/CanvasBase.h:
(WebCore::CanvasBase::ref):
(WebCore::CanvasBase::deref):
* Source/WebCore/html/HTMLCanvasElement.h:
* Source/WebCore/html/OffscreenCanvas.cpp:
(WebCore::OffscreenCanvas::create):
(WebCore::OffscreenCanvas::setPlaceholderCanvas):
(WebCore::OffscreenCanvas::pushBufferToPlaceholder):
* Source/WebCore/html/canvas/CanvasRenderingContext2DBase.cpp:
(WebCore::CanvasRenderingContext2DBase::drawImage):
* Source/WebCore/rendering/style/StyleCanvasImage.cpp:
(WebCore::StyleCanvasImage::image const):

Canonical link: https://commits.webkit.org/259548.787@safari-7615-branch


  Commit: 0292d5609d11d00b0fd932159e3b44e5944f3d8d
      https://github.com/WebKit/WebKit/commit/0292d5609d11d00b0fd932159e3b44e5944f3d8d
  Author: Dawn Flores <dawn_flores at apple.com>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    A LayoutTests/platform/mac-ventura/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any-expected.txt
    A LayoutTests/platform/mac-ventura/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any.worker-expected.txt

  Log Message:
  -----------
  [ Gardening ] [ Rebasline ] 2X imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate* (layout-tests) are constant failures
rdar://110026683

Unreviewed test gardening.

* LayoutTests/platform/mac-ventura/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any-expected.txt: Added.
* LayoutTests/platform/mac-ventura/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any.worker-expected.txt: Added.

Canonical link: https://commits.webkit.org/259548.788@safari-7615-branch


  Commit: 20c4a3242226ba1141c4848ac2846da15a45fe5d
      https://github.com/WebKit/WebKit/commit/20c4a3242226ba1141c4848ac2846da15a45fe5d
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    M Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp

  Log Message:
  -----------
  Cherry-pick 7a4f94728cde. rdar://problem/108884055

    Webkit PWA in Bad State After Opening in-PWA Webkit Tab
    https://bugs.webkit.org/show_bug.cgi?id=256280
    rdar://108884055

    Reviewed by Chris Dumez.

    Network process is registerng a process with pages as service worker clients to a given service worker process.
    This allows UIProcess to suspend/resume the service worker process based on all its registered processes.
    Our logic to register page processes is working fine.
    Our logic to unregister page processes is not working fine if the same process has clients with different origins but the same registrable domain,
    for instance a process with a page 'a.example.org' and another page 'b.example.org'.
    In that case, when the 'b.example.org' page is gone, we would unregister the process while 'a.example.org' is still running.

    We update WebSWServerConnection::unregisterServiceWorkerClient to check for registrable domains of all pages.

    Manually tested, we cannot yet write tests with different registrable domains that make use of service workers.

    * Source/WebKit/NetworkProcess/ServiceWorker/WebSWServerConnection.cpp:
    (WebKit::WebSWServerConnection::unregisterServiceWorkerClient):

    Canonical link: https://commits.webkit.org/263901@main

Identifier: 259548.789 at safari-7615-branch


  Commit: 1e61659a29abac92535b88260139c70709ca9c26
      https://github.com/WebKit/WebKit/commit/1e61659a29abac92535b88260139c70709ca9c26
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window.html
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window.js
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window.js.headers
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window.html
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window.js
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/resources/middle-frame.html
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/resources/w3c-import.log
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub.html
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub.html
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub.html
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub.html
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/w3c-import.log
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/w3c-import.log
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub-expected.txt
    A LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub-expected.txt

  Log Message:
  -----------
  Cherry-pick 2f019929ef93. rdar://problem/109676140

    [mixed-content] Resync WPT
    https://bugs.webkit.org/show_bug.cgi?id=257150
    rdar://109676140

    Reviewed by Tim Nguyen.

    Resync mixed-content tests as of upstream commit
    a4d663e6e09213bf599fb3a9dc66a52f2549c7fe

    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window.js: Added.
    (promise_test):
    (promise_test.async t):
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window.js.headers: Added.
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window.js: Added.
    (onmessage):
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/resources/middle-frame.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/resources/w3c-import.log:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub.html:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub.html:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub-expected.txt: Added.
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub.html: Added.
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub-expected.txt:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub.html:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/w3c-import.log:
    * LayoutTests/imported/w3c/web-platform-tests/mixed-content/w3c-import.log:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/audio-upgrade.https.sub-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/image-upgrade.https.sub-expected.txt:
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/mixed-content-cors.https.sub-expected.txt: Added.
    * LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/tentative/autoupgrades/video-upgrade.https.sub-expected.txt:

    Canonical link: https://commits.webkit.org/264495@main

Identifier: 259548.790 at safari-7615-branch


  Commit: 9316f6e4691e6eff83fc879e1ee96c62936b5b01
      https://github.com/WebKit/WebKit/commit/9316f6e4691e6eff83fc879e1ee96c62936b5b01
  Author: Matt Woodrow <mattwoodrow at apple.com>
  Date:   2023-05-30 (Tue, 30 May 2023)

  Changed paths:
    A LayoutTests/transforms/3d/hit-testing/hit-preserves-3d-2-expected.txt
    A LayoutTests/transforms/3d/hit-testing/hit-preserves-3d-2.html
    M Source/WebCore/rendering/RenderLayer.cpp

  Log Message:
  -----------
  Cherry-pick 048b254e9fd9. rdar://problem/110032480

    transform-style:preserve-3d has incorrect hit-testing of negative z-index ::after.
    https://bugs.webkit.org/show_bug.cgi?id=255028

    Reviewed by Simon Fraser.

    We call hitTestList with the intention of storing the result in the temporary object 'hitLayer',
    and only mutate the final result 'candidateLayer' if the depth test passes.
    Unfortunately the 'result' variable is also part of the final output, and this gets mutated
    on hitTestList calls that don't pass the depth test.

    This creates a temporary 'tempResult' (like we do for the other sections of this function),
    and only copies back to 'result' if the depth test passes.

    * LayoutTests/transforms/3d/hit-testing/hit-preserves-3d-2-expected.txt: Added.
    * LayoutTests/transforms/3d/hit-testing/hit-preserves-3d-2.html: Added.
    * Source/WebCore/rendering/RenderLayer.cpp:
    (WebCore::RenderLayer::hitTestLayer):

    Canonical link: https://commits.webkit.org/262728@main

Identifier: 259548.791 at safari-7615-branch


  Commit: f52bc7e18a7ce5930630c0744e92678bed95791d
      https://github.com/WebKit/WebKit/commit/f52bc7e18a7ce5930630c0744e92678bed95791d
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2023-05-31 (Wed, 31 May 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebProcessPool.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm

  Log Message:
  -----------
  Process Isolation Bypass via navigating to about:* context
https://bugs.webkit.org/show_bug.cgi?id=257348
rdar://109853048

Reviewed by Chris Dumez and J Pascoe.

This patch fixes an issue where we will never swap processes when navigating from an
about:* page. A compromised WebContent process could leverage this behavior to avoid
swapping processes when navigating to a cross-origin domain.

This is fixed by checking the following when navigating from an about:* page.
- The page has not committed a provisional load to a URL that isn't about:*.
- The source process last loaded a domain from the same origin as the domain we are navigating to.

If neither of these two conditions are met, we won’t reuse the process.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didExplicitOpenForFrame):
(WebKit::WebPageProxy::didCommitLoadForFrame):
* Source/WebKit/UIProcess/WebProcessPool.cpp:
(WebKit::WebProcessPool::processForNavigationInternal):
* Source/WebKit/UIProcess/WebProcessProxy.h:
(WebKit::WebProcessProxy::didCommitMeaningfulProvisionalLoad):
(WebKit::WebProcessProxy::hasCommittedAnyMeaningfulProvisionalLoads const):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:

Canonical link: https://commits.webkit.org/259548.792@safari-7615-branch


  Commit: 758218a8a84ab7fbd074b47544a9013865212907
      https://github.com/WebKit/WebKit/commit/758218a8a84ab7fbd074b47544a9013865212907
  Author: Matthieu Dubet <m_dubet at apple.com>
  Date:   2023-06-01 (Thu, 01 Jun 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/implicit-nesting-expected.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/implicit-nesting-ref.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/implicit-nesting.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/parsing.html
    M Source/WebCore/css/CSSSelector.cpp
    M Source/WebCore/css/parser/CSSParserImpl.cpp
    M Source/WebCore/css/parser/CSSSelectorParser.cpp

  Log Message:
  -----------
  Cherry-pick 22a69c73dd84. rdar://problem/109141615

    Cherry-pick 263902 at main (22a69c73dd84). rdar://109141615

        [CSS Nesting] Don't serialize the implicit parent selector in relative selector
        https://bugs.webkit.org/show_bug.cgi?id=256578
        rdar://109141615

        Reviewed by Antti Koivisto.

        Instead of inserting the implicit parent selector at parse time
        (which makes it appears in the serialization),
        we insert the resolved parent later (during rule set building).

        * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/implicit-nesting-expected.html:
        * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/implicit-nesting-ref.html:
        * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/implicit-nesting.html:
        * LayoutTests/imported/w3c/web-platform-tests/css/css-nesting/parsing.html:
        * Source/WebCore/css/CSSSelector.cpp:
        (WebCore::CSSSelector::selectorText const):
        * Source/WebCore/css/parser/CSSParserImpl.cpp:
        (WebCore::CSSParserImpl::consumeStyleRule):
        (WebCore::CSSParserImpl::consumeDeclarationListOrStyleBlockHelper):
        * Source/WebCore/css/parser/CSSSelectorParser.cpp:
        (WebCore::parseCSSSelector):
        (WebCore::CSSSelectorParser::consumeRelativeNestedSelector):
        (WebCore::CSSSelectorParser::resolveNestingParent):

        Canonical link: https://commits.webkit.org/263902@main

Identifier: 259548.793 at safari-7615-branch


  Commit: 92a6548afec05882a4abbcd0704b018546c62f16
      https://github.com/WebKit/WebKit/commit/92a6548afec05882a4abbcd0704b018546c62f16
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-06-01 (Thu, 01 Jun 2023)

  Changed paths:
    A LayoutTests/fast/mediastream/getUserMedia-echoCancellation-expected.txt
    A LayoutTests/fast/mediastream/getUserMedia-echoCancellation.html
    M Source/WebCore/Modules/mediastream/MediaDevices.cpp
    M Source/WebCore/platform/mediastream/MediaConstraints.cpp
    M Source/WebCore/platform/mediastream/MediaConstraints.h

  Log Message:
  -----------
  Cherry-pick 3fb10034184d. rdar://problem/110010294

    Set echoCancellation to true if not explicitly set within a getUserMedia call
    https://bugs.webkit.org/show_bug.cgi?id=257495
    rdar://110010294

    Reviewed by Eric Carlson.

    Before the patch, if the web page does not provide a echoCancellation setting, we would use whatever setting was used by the previous web application using the microphone.
    This might break some applications that want echoCancellation but do not set it explicitly.
    This change aligns with Chrome's behavior.

    * Source/WebCore/Modules/mediastream/MediaDevices.cpp:
    (WebCore::MediaDevices::getUserMedia):
    * Source/WebCore/platform/mediastream/MediaConstraints.cpp:
    (WebCore::MediaConstraints::setDefaultAudioConstraints):
    * Source/WebCore/platform/mediastream/MediaConstraints.h:
    * LayoutTests/fast/mediastream/getUserMedia-echoCancellation-expected.txt: Added.
    * LayoutTests/fast/mediastream/getUserMedia-echoCancellation.html: Added.

    Canonical link: https://commits.webkit.org/264721@main

Identifier: 259548.794 at safari-7615-branch


  Commit: 32725f4957d96c47da6de775a81ba2b8f6b60f01
      https://github.com/WebKit/WebKit/commit/32725f4957d96c47da6de775a81ba2b8f6b60f01
  Author: Matthieu Dubet <m_dubet at apple.com>
  Date:   2023-06-01 (Thu, 01 Jun 2023)

  Changed paths:
    A LayoutTests/fast/css/color-mix-various-expected.html
    A LayoutTests/fast/css/color-mix-various.html
    M Source/WebCore/style/ColorFromPrimitiveValue.cpp

  Log Message:
  -----------
  Cherry-pick 80e4d733b917. rdar://problem/108683501

    [CSS] Resolve "currentcolor" with style if possible
    https://bugs.webkit.org/show_bug.cgi?id=257255
    rdar://108683501

    Reviewed by Tim Nguyen.

    Ideally, we should never try to resolve "currentcolor" during
    style building.
    However, for the rare cases where we do it (gradient, drop-shadow)
    it's better to use the incomplete style than assuming an absolute color.

    * LayoutTests/fast/css/color-mix-various-expected.html: Added.
    * LayoutTests/fast/css/color-mix-various.html: Added.
    * Source/WebCore/style/ColorFromPrimitiveValue.cpp:
    (WebCore::Style::colorFromPrimitiveValueWithResolvedCurrentColor):
    * Source/WebCore/style/ElementRuleCollector.cpp:
    (WebCore::Style::ElementRuleCollector::addMatchedProperties):

    Canonical link: https://commits.webkit.org/264737@main

Identifier: 259548.795 at safari-7615-branch


  Commit: 2f8e790f962f42b346c1d9ed08a135e49cc19072
      https://github.com/WebKit/WebKit/commit/2f8e790f962f42b346c1d9ed08a135e49cc19072
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-06-01 (Thu, 01 Jun 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/streams/idlharness.any-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/streams/idlharness.any.serviceworker-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/streams/idlharness.any.sharedworker-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/streams/idlharness.any.worker-expected.txt
    M Source/WebCore/CMakeLists.txt
    M Source/WebCore/DerivedSources-input.xcfilelist
    M Source/WebCore/DerivedSources.make
    M Source/WebCore/Modules/compression/CompressionStream.js
    M Source/WebCore/Modules/compression/DecompressionStream.js
    A Source/WebCore/Modules/streams/TransformStream.cpp
    A Source/WebCore/Modules/streams/TransformStream.h
    M Source/WebCore/Modules/streams/TransformStream.idl
    R Source/WebCore/Modules/streams/TransformStream.js
    M Source/WebCore/Modules/streams/TransformStreamInternals.js
    M Source/WebCore/Sources.txt
    M Source/WebCore/WebCore.xcodeproj/project.pbxproj
    M Source/WebCore/dom/TextDecoderStream.js
    M Source/WebCore/dom/TextEncoderStream.js

  Log Message:
  -----------
  Apply patch. rdar://problem/109409251

Identifier: 259548.796 at safari-7615-branch


  Commit: 169a4b7e3f4805d55010f7783b52457fa476cd50
      https://github.com/WebKit/WebKit/commit/169a4b7e3f4805d55010f7783b52457fa476cd50
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-06-02 (Fri, 02 Jun 2023)

  Changed paths:
    A JSTests/stress/regress-108468977.js
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
    M Source/JavaScriptCore/runtime/JSObject.cpp
    M Source/JavaScriptCore/runtime/JSObject.h

  Log Message:
  -----------
  [JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take all put() overrides into account
https://bugs.webkit.org/show_bug.cgi?id=257271
<rdar://108468977>

Reviewed by Yusuke Suzuki.

Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not taking into account
all existing put() overrides when analyzing side effects of AbsenceOfSetEffect condition, which leads
to incorrect results for e.g. StringObject's "length", which is no-op in sloppy mode yet we rely on
structure being transitioned.

This patch fixes AbsenceOfSetEffect validity check to be more pessimistic when there is overriden put(),
unless it's a common assigment target like JSArray or JSFunction to avoid performance regressions,
all while the helper that checks for special properties with JSObject::definePropertyOnReceiver().

* JSTests/stress/regress-108468977.js: Added.
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
(JSC::nonStructurePropertyMayBecomeReadOnlyWithoutTransition): Deleted.
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::JSObject::mightBeSpecialProperty):
(JSC::JSObject::definePropertyOnReceiver):
(JSC::canDefinePropertyOnReceiverFast): Deleted.
* Source/JavaScriptCore/runtime/JSObject.h:

Canonical link: https://commits.webkit.org/259548.797@safari-7615-branch


  Commit: b7e3ebd9c3726e3e84e3b80bc77a6841a0697cf0
      https://github.com/WebKit/WebKit/commit/b7e3ebd9c3726e3e84e3b80bc77a6841a0697cf0
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2023-06-02 (Fri, 02 Jun 2023)

  Changed paths:
    A JSTests/stress/get-concurrently-should-take-cell-lock.js
    M Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
    M Source/JavaScriptCore/bytecode/PropertyCondition.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/runtime/JSArray.cpp
    M Source/JavaScriptCore/runtime/JSCell.h
    M Source/JavaScriptCore/runtime/JSObject.h

  Log Message:
  -----------
  JSObject::getDirectConcurrently should take the cell lock.
https://bugs.webkit.org/show_bug.cgi?id=257285
rdar://108166258

Reviewed by Yusuke Suzuki.

`JSArray::unshiftCountWithArrayStorage` takes the cell lock and then the
structure lock to prevent the compiler thread from accessing the butterfly
before it is fully initialized.

`JSObject::getDirectConcurrently` only takes the structure lock. This means
that the compiler can take the structure lock, the cell can transition
to a new structure, then unshift can mess up the butterfly, and finally
the compiler thread proceeds to see garbage.

The attached POC only reproduces if waits are introduced to extend the race window.

It seems that the comment above cellLock is outdated, as our current concurrency
protocol to prevent deadlocks is to take the cell lock then the structure lock.
I could not find anywhere that uses the reverse, but if I missed something,
a deadlock will be pretty easy to debug.

* Source/JavaScriptCore/runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountWithArrayStorage):
* Source/JavaScriptCore/runtime/JSCell.h:
(JSC::JSCell::cellLock const):
(JSC::JSCell::cellLock): Deleted.
* Source/JavaScriptCore/runtime/JSObject.h:
(JSC::JSObject::getDirectConcurrently const):

Canonical link: https://commits.webkit.org/259548.798@safari-7615-branch


  Commit: 29daeb40cf6a11b1e644365412e43434e346996a
      https://github.com/WebKit/WebKit/commit/29daeb40cf6a11b1e644365412e43434e346996a
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-06-05 (Mon, 05 Jun 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.7

Identifier: 259548.799 at safari-7615-branch


  Commit: 1f4eda3d2cabdd6c7ffe9b0d9b48fff49667c72e
      https://github.com/WebKit/WebKit/commit/1f4eda3d2cabdd6c7ffe9b0d9b48fff49667c72e
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2023-06-05 (Mon, 05 Jun 2023)

  Changed paths:
    M Source/WebCore/layout/formattingContexts/inline/InlineFormattingGeometry.cpp

  Log Message:
  -----------
  Cherry-pick 264579 at main (9d3c89bfe30c). <rdar://108742128>

    [IFC][Float] Incorrectly placed float boxes may generate series of empty lines
    https://bugs.webkit.org/show_bug.cgi?id=257261
    <rdar://108742128>

    Reviewed by Antti Koivisto.

    When intrusive floats prevent us from placing any content at the current vertical position,
    the candidate position for the next line is computed by looking at such intrusive floats.
    e.g.

      Two float boxes with the inline content of "foobar".

      _______    _______
     |       |  |       |
     | left  |  | right |
     |_______|  |       |
                |_______|

     1. "foobar" does not fit at y: 0 (overlaps "left").
     2. we find 2 intrusive floats at y: 0
     3. vertical position for next line is at the bottom of "left1"

    This is rather simple, but if float placement bugs produce some vertical gaps between floats
    e.g.

      _______    _______
     |       |  |       |
     | left1 |  | right |
     |_______|  |       |
                |_______|

      _______
     |       |
     | left2 |
     |_______|

     (note that left2 is supposed to be vertically adjacent to left1)

     Now if we run line layout:

     1. "foobar" does not fit at y: 0 -> vertical position for next line is at the bottom of "left1"
     2. "foobar" still does not fit (assume it overlaps "right") -> position for next line is at the bottom of "right"
     3. now assume that "foobar" is tall and it does not fit between the bottom of the "right" and the top of this incorrectly placed "left2"

      _______    _______
     |       |  |       |
     | left1 |  | right |
     |_______|  |       |
                |_______|
        ____
       |
       |___
      _|_____
     | |     |
     | |     |
     |_______|

     running "let's find the position for next line by avoiding intrusive floats" logic in InlineFormattingGeometry::logicalTopForNextLine()
     finds no intrusive float at the bottom of the "right" float (that's what #2 computed as candidate position).
     This is an unexpected state (we assert) and in order not to get stuck on the same vertical position we advance by 1px for the next line hoping we would be able to place "foobar" there.
     While it helps to avoid forever looping, if the gap between the bottom of the "right" and the top of the "left2" is
     wide we may end up producing thousands of empty lines until we reach the top of the "left2" float box and finally get out of this unexpected state.

    In this patch, instead of advancing by 1px, we jump right to the bottom of the "left2" float box (bottom of all the floats in this floating context) and continue from there.

    * Source/WebCore/layout/formattingContexts/inline/InlineFormattingGeometry.cpp:
    (WebCore::Layout::InlineFormattingGeometry::logicalTopForNextLine const): move float handling to a helper (intrusiveFloatBottom) and return
    the max of floatingContext.bottom() and lineLogicalRect.bottom().

    Canonical link: https://commits.webkit.org/264579@main

Canonical link: https://commits.webkit.org/259548.800@safari-7615-branch


  Commit: 61b244e285212769e72e5e571ff3d121938f9413
      https://github.com/WebKit/WebKit/commit/61b244e285212769e72e5e571ff3d121938f9413
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-06-06 (Tue, 06 Jun 2023)

  Changed paths:
    A LayoutTests/http/wpt/service-workers/service-worker-pending-job-cancel-expected.txt
    A LayoutTests/http/wpt/service-workers/service-worker-pending-job-cancel-worker.js
    A LayoutTests/http/wpt/service-workers/service-worker-pending-job-cancel.html
    M Source/WebCore/workers/service/ServiceWorkerJob.cpp

  Log Message:
  -----------
  jsc_fuz/wktr: *very flaky* null ptr deref in WebCore::WorkerScriptLoader::cancel() + 20 (WorkerScriptLoader.cpp:351)
https://bugs.webkit.org/show_bug.cgi?id=257568
rdar://109658530

Reviewed by David Kilzer.

Make sure to use the local variable loader instead of m_scriptLoader which is nullified just before.
Switch to std::exchange since it is more semantically correct.

* LayoutTests/http/wpt/service-workers/service-worker-pending-job-cancel-expected.txt: Added.
* LayoutTests/http/wpt/service-workers/service-worker-pending-job-cancel-worker.js: Added.
* LayoutTests/http/wpt/service-workers/service-worker-pending-job-cancel.html: Added.
* Source/WebCore/workers/service/ServiceWorkerJob.cpp:
(WebCore::ServiceWorkerJob::notifyFinished):
(WebCore::ServiceWorkerJob::cancelPendingLoad):

Canonical link: https://commits.webkit.org/259548.801@safari-7615-branch


  Commit: bc09b6fca3255742370fdd150cf9627b53794c1e
      https://github.com/WebKit/WebKit/commit/bc09b6fca3255742370fdd150cf9627b53794c1e
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-06-06 (Tue, 06 Jun 2023)

  Changed paths:
    M LayoutTests/http/tests/referrer-policy-iframe/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/no-referrer/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/same-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/strict-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy-iframe/unsafe-url/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/no-referrer-when-downgrade/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/no-referrer/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/same-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/strict-origin-when-cross-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/strict-origin/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/referrer-policy/unsafe-url/cross-origin-http.https-expected.txt
    M LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt
    M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
    M LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-iframe.html
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-expected.txt
    A LayoutTests/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe.html
    M LayoutTests/http/tests/security/mixedContent/insecure-script-in-data-iframe-in-main-frame-blocked-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-header-and-meta-tag-emptyString.html
    M LayoutTests/http/tests/security/referrer-policy-header-and-meta-tag.html
    M LayoutTests/http/tests/security/referrer-policy-header-multipart.html
    M LayoutTests/http/tests/security/referrer-policy-header-test.js
    M LayoutTests/http/tests/security/referrer-policy-header.html
    M LayoutTests/http/tests/security/referrer-policy-https-always-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-always.html
    M LayoutTests/http/tests/security/referrer-policy-https-default-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-default.html
    M LayoutTests/http/tests/security/referrer-policy-https-never-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-never.html
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-when-downgrade-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer-when-downgrade.html
    M LayoutTests/http/tests/security/referrer-policy-https-no-referrer.html
    M LayoutTests/http/tests/security/referrer-policy-https-origin-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-origin.html
    M LayoutTests/http/tests/security/referrer-policy-https-unsafe-url-expected.txt
    M LayoutTests/http/tests/security/referrer-policy-https-unsafe-url.html
    M LayoutTests/http/tests/security/resources/postReferrer.py
    M LayoutTests/http/tests/security/resources/referrer-policy-log.py
    M LayoutTests/http/tests/security/resources/sandboxed-iframe-geolocation-getCurrentPosition.html
    M LayoutTests/http/tests/security/resources/sandboxed-iframe-geolocation-watchPosition.html
    M LayoutTests/http/tests/security/resources/serve-referrer-policy-and-meta-tag.py
    M LayoutTests/http/tests/security/resources/serve-referrer-policy-and-test.py
    R LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http-expected.txt
    R LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http.html
    M LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-https-with-embedded-http-with-embedded-https.https-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-original-url-on-mixed-content-frame.https.sub-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window-expected.txt
    A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt
    A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/screen-orientation/nested-documents-expected.txt
    A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/screen-orientation/unlock-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-iframe-in-sandboxed-iframe-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
    A LayoutTests/platform/mac-wk1/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
    M LayoutTests/platform/win/TestExpectations
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt
    R LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-iframe-in-iframe-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-iframe-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/insecure-image-in-iframe-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/redirect-http-to-https-iframe-in-main-frame-expected.txt
    M LayoutTests/platform/wk2/http/tests/security/mixedContent/redirect-https-to-http-iframe-in-main-frame-expected.txt
    M Source/WebCore/Modules/websockets/WebSocket.cpp
    M Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp
    M Source/WebCore/html/HTMLFormElement.cpp
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/DocumentThreadableLoader.cpp
    M Source/WebCore/loader/MixedContentChecker.cpp
    M Source/WebCore/loader/MixedContentChecker.h
    M Source/WebCore/loader/SubframeLoader.cpp
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp

  Log Message:
  -----------
  Framed pages have ability to bypass Mixed Content restrictions
https://bugs.webkit.org/show_bug.cgi?id=257331
rdar://109100886

Reviewed by Brent Fulgham.

It is possible to bypass mixed content restrictions in pages which are
framed. There are actually two issues here: secure frames embedded in
insecure frames can bypass and frames which are sandboxed can bypass.

In the former case we are only checking the for mixed content in the
frame making the request as well as the top frame. So if an insecure frame
embeds a secure frame, that secure frame could then embed an insecure frame and
make mixed content requests without being blocked since the middle frame
is not checked against the URL for mixed content.

For the latter case we check whether or not the security origin
of the requestor has an "https" protocol. The problem is sandboxed iframes
are given an opaque origin which does not have the "https" protocol (or
any protocol for that matter) and so we were skipping the mixed content check.

This patch cleans up the MixedContentChecker implementation and fixes
these two methods of bypass. This is accomplished by 1) checking the entire
ancestor frame path from the requestor up to the top frame and 2) considering
what the protocol of the security origin for the frame making the
request would have been if it were not opaque. We special case a main resource
load in the DocumentLoader by checking for mixed content starting from the parent frame.
Otherwise we would block an insecure main frame from navigating a secure
iframe to an insecure URL which is allowed by other browser engines.

LayoutTests/http/tests/security:
    Rewrote some tests to no longer use HTTP iframes in HTTPS frames
    which is now blocked. These changes also include new console output
    for mixed content blocking messages.

* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http-expected.txt: Removed.
* LayoutTests/http/tests/websocket/tests/hybi/non-document-mixed-content-blocked-http-with-embedded-https-with-embedded-http.html: Removed.
    This test is no longer needed. We now block loading a HTTP iframe
    in a middle HTTPS frame so the innermost frame would never have a
    chance to load a worker anyway.

* LayoutTests/imported/w3c/web-platform-tests/fs/FileSystemFileHandle-create-sync-access-handle.https.tentative.window-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/csp.https.window-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/nested-iframes.window-expected.txt:

LayoutTests/platform:
    Updated platform-specific expectations.

* Source/WebCore/Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* Source/WebCore/Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
(WebCore::WorkerThreadableWebSocketChannel::Bridge::connect):
* Source/WebCore/html/HTMLFormElement.cpp:
(WebCore::HTMLFormElement::parseAttribute):
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* Source/WebCore/loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::loadRequest):

Source/WebCore/loader/MixedContentChecker:
    Refactor the MixedContentChecker to expose a more clear API.
    isMixedContent was never called by client code and canDisplay and
    canShow functions should be more clear that they will be checking
    the entire frame ancestor hierarchy so clients don't try to do that
    themselves. Move helpers to be static functions in the .cpp file.

* Source/WebCore/loader/MixedContentChecker.cpp:
(WebCore::isMixedContent):
(WebCore::foundMixedContentInFrameTree):
(WebCore::MixedContentChecker::frameAndAncestorsCanDisplayInsecureContent):
(WebCore::MixedContentChecker::frameAndAncestorsCanRunInsecureContent):
(WebCore::MixedContentChecker::checkFormForMixedContent):
(WebCore::MixedContentChecker::checkForMixedContentInFrameTree): Deleted.
(WebCore::MixedContentChecker::isMixedContent): Deleted.
(WebCore::MixedContentChecker::canDisplayInsecureContent): Deleted.
(WebCore::MixedContentChecker::canRunInsecureContent): Deleted.
* Source/WebCore/loader/MixedContentChecker.h:

* Source/WebCore/loader/SubframeLoader.cpp:
(WebCore::FrameLoader::SubframeLoader::pluginIsLoadable):
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent const):

Canonical link: https://commits.webkit.org/259548.802@safari-7615-branch


  Commit: ed34e0fc30a6c1ab6fa6fc53b71b3de931723889
      https://github.com/WebKit/WebKit/commit/ed34e0fc30a6c1ab6fa6fc53b71b3de931723889
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-06-07 (Wed, 07 Jun 2023)

  Changed paths:
    A LayoutTests/fast/media/print-video-crash-expected.txt
    A LayoutTests/fast/media/print-video-crash.html
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/WebPageProxy.h
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.h
    M Source/WebKit/WebProcess/WebPage/WebPage.messages.in
    M Tools/WebKitTestRunner/TestController.cpp

  Log Message:
  -----------
  Cherry-pick 263022.8 at webkit-2023.4-embargoed (221c50b850f8). rdar://89084798

    Make sure end printing is handled before PrintFrame
    https://bugs.webkit.org/show_bug.cgi?id=237291
    rdar://89084798

    Reviewed by Chris Dumez.

    To ensure end printing is handled (and layer tree is unfrozen)
    introduce a completion handler on EndPrinting and tie its completion
    to the completion handler in WebPageProxy::printFrame.

    Also do not call endPrinting from TestController.cpp since
    WebPageProxy::printFrame takes care of that.

    * LayoutTests/fast/media/print-video-crash-expected.txt: Added.
    * LayoutTests/fast/media/print-video-crash.html: Added.
    * Source/WebKit/UIProcess/WebPageProxy.cpp:
    (WebKit::WebPageProxy::printFrame):
    (WebKit::WebPageProxy::endPrinting):
    * Source/WebKit/UIProcess/WebPageProxy.h:
    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::WebPage::endPrinting):
    * Source/WebKit/WebProcess/WebPage/WebPage.h:
    (WebKit::WebPage::endPrinting):
    (WebKit::WebPage::endPrintingDuringDOMPrintOperation):
    * Source/WebKit/WebProcess/WebPage/WebPage.messages.in:
    * Tools/WebKitTestRunner/TestController.cpp:
    (WTR::printFrame):

    Canonical link: https://commits.webkit.org/263022.8@webkit-2023.4-embargoed

Canonical link: https://commits.webkit.org/259548.803@safari-7615-branch


  Commit: a4de140c086157bfbc0c003c91bb4d8edf7c5dda
      https://github.com/WebKit/WebKit/commit/a4de140c086157bfbc0c003c91bb4d8edf7c5dda
  Author: Rob Buis <rbuis at igalia.com>
  Date:   2023-06-07 (Wed, 07 Jun 2023)

  Changed paths:
    A LayoutTests/fast/canvas/canvas-print-crash-expected.txt
    A LayoutTests/fast/canvas/canvas-print-crash.html

  Log Message:
  -----------
  Cherry-pick 263022.9 at webkit-2023.4-embargoed (a0645306d06d). rdar://102860360

    Add test case for bug 251370
    https://bugs.webkit.org/show_bug.cgi?id=251370
    rdar://102860360

    Reviewed by Chris Dumez.

    Already fixed by https://commits.webkit.org/263022.8@webkit-2023.4-embargoed, but
    add this test for completeness.

    * LayoutTests/fast/canvas/canvas-print-crash-expected.txt: Added.
    * LayoutTests/fast/canvas/canvas-print-crash.html: Added.

    Canonical link: https://commits.webkit.org/263022.9@webkit-2023.4-embargoed

Canonical link: https://commits.webkit.org/259548.804@safari-7615-branch


  Commit: 3550ea5e0324e103a800de8fdf71de03d97238b1
      https://github.com/WebKit/WebKit/commit/3550ea5e0324e103a800de8fdf71de03d97238b1
  Author: Sammy Gill <sammy.gill at apple.com>
  Date:   2023-06-07 (Wed, 07 Jun 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/css/css-logical/parsing/margin-block-inline-computed-expected.txt
    M LayoutTests/platform/mac-wk1/TestExpectations
    M LayoutTests/platform/mac/TestExpectations
    M Source/WebCore/css/ComputedStyleExtractor.cpp
    M Source/WebCore/rendering/RenderBox.cpp
    M Source/WebCore/rendering/RenderBox.h

  Log Message:
  -----------
  getComputedStyle isLayoutDependent should return true for logical margin properties.
rdar://110266135

Reviewed by Alan Baradlay.

When we try to get the value of a margin using its equivalent logical property,
we will run into a debug ASSERT(!needsLayout()!) that gets triggered because
the logical properties do not return true for isLayoutDependent when they should.
Now, we will force a layout to occur for these properties before trying to
determine their value.

* LayoutTests/imported/w3c/web-platform-tests/css/css-logical/parsing/margin-block-inline-computed-expected.txt:
* LayoutTests/platform/mac-wk1/TestExpectations:
* LayoutTests/platform/mac/TestExpectations:
* Source/WebCore/css/ComputedStyleExtractor.cpp:
(WebCore::formattingContextRootStyle):
(WebCore::physicalToFlowRelativeDirection):
(WebCore::flowRelativeToPhysicalDirection):
(WebCore::toMarginTrimType):
(WebCore::toMarginPropertyID):
(WebCore::isLayoutDependent):
(WebCore::ComputedStyleExtractor::valueForPropertyInStyle):
* Source/WebCore/rendering/RenderBox.cpp:
(WebCore::RenderBox::physicalToFlowRelativeDirectionMapping const): Deleted.
(WebCore::flowRelativeDirectionToMarginTrimType): Deleted.
* Source/WebCore/rendering/RenderBox.h:

Canonical link: https://commits.webkit.org/259548.805@safari-7615-branch


  Commit: 8c5fe8ed43271874e1db75f8e6d4265dcaed2699
      https://github.com/WebKit/WebKit/commit/8c5fe8ed43271874e1db75f8e6d4265dcaed2699
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    A LayoutTests/media/media-session/actionHandler-no-document-leak-expected.txt
    A LayoutTests/media/media-session/actionHandler-no-document-leak.html
    A LayoutTests/media/media-session/resources/media-session-action-handler-document-leak-frame.html
    M Source/WebCore/Modules/mediasession/MediaSessionActionHandler.h
    M Source/WebCore/Modules/mediasession/MediaSessionActionHandler.idl

  Log Message:
  -----------
  Cherry-pick 56280cdcbd8a. rdar://problem/105112595

    The Document object is leaked on some pages using media (like YouTube.com)
    https://bugs.webkit.org/show_bug.cgi?id=251835
    rdar://105112595

    Reviewed by Chris Dumez.

    By default a callback holds a Strong<> reference to the JS Function
    object. This has the effect of making the callback a GC root. Another
    option is to annotate the callback with the IsWeakCallback extended
    attribute which will hold the callback object as a Weak reference and
    keep it alive via the visitJSFunction mechanism instead of making it a
    root.

    In the case of MediaSessionActionHandler the strong reference will
    prevent an HTMLDocument from being garbage collected even after
    navigating away and clearing the caches (after a low memory warning, for
    example). This change adds the IsWeakCallback attribute and the
    necessary virtual function to the MediaSessionActionHandler base class.

    LayoutTests:
        Add a test to check that action handlers installed by the page are
        not leaked. Use an iframe to install and exercise the action
        handlers before the iframe is navigated away and a garbage
        collection is triggered (repeatedly). If after 500 attempts at GC
        the document containing the action handlers still exists we consider
        the document leaked.

    * LayoutTests/media/media-session/actionHandler-no-document-leak-expected.txt: Added.
    * LayoutTests/media/media-session/actionHandler-no-document-leak.html: Added.
    * LayoutTests/media/media-session/resources/media-session-action-handler-document-leak-frame.html: Added.

    * Source/WebCore/Modules/mediasession/MediaSessionActionHandler.h:
    * Source/WebCore/Modules/mediasession/MediaSessionActionHandler.idl:

    Canonical link: https://commits.webkit.org/263660@main

Identifier: 259548.806 at safari-7615-branch


  Commit: 3b73de9261bd625062401d54c8b6e7e6e9b25ea9
      https://github.com/WebKit/WebKit/commit/3b73de9261bd625062401d54c8b6e7e6e9b25ea9
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    A LayoutTests/fast/canvas/canvas-gradient-can-outlive-context-expected.txt
    A LayoutTests/fast/canvas/canvas-gradient-can-outlive-context.html
    A LayoutTests/fast/canvas/canvas-state-stack-gradient-expected.txt
    A LayoutTests/fast/canvas/canvas-state-stack-gradient.html
    A LayoutTests/http/tests/canvas/ctx.2d-canvas-style-no-document-leak-expected.txt
    A LayoutTests/http/tests/canvas/ctx.2d-canvas-style-no-document-leak.html
    A LayoutTests/http/tests/canvas/resources/background.png
    A LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-color.html
    A LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-gradient.html
    A LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-pattern.html
    M Source/WebCore/html/canvas/CanvasGradient.cpp
    M Source/WebCore/html/canvas/CanvasGradient.h
    M Source/WebCore/html/canvas/CanvasStyle.cpp
    M Source/WebCore/html/canvas/CanvasStyle.h

  Log Message:
  -----------
  Cherry-pick ade36a336115. rdar://problem/108845985

    HTMLCanvasElement is orphaned causing a HTMLDocument leak on YouTube video pages
    https://bugs.webkit.org/show_bug.cgi?id=256262
    rdar://108845985

    Reviewed by Darin Adler.

    CanvasRenderingContext2DBase has a State stack for setting up drawing
    state. Two of the fields - strokeStyle and fillStyle - each hold CanvasStyle
    objects. These objects may be set with colors or images or gradients. In
    the case of a CanvasGradient, the gradient has a strong reference
    to the context which creates a reference cycle.

    CanvasRenderingContext2DBase -> State -> CanvasStyle -> CanvasGradient -> CanvasRenderingContext(2DBase)

    What makes this cycle dangerous is the CanvasRenderingContext will
    increase the ref count of an HTMLCanvasElement which, being a Node, will
    increment the referencingNodeCount of a Document object. So if a
    gradient is set on the context's fillStyle or strokeStyle we can cause a
    Document leak if the state is never cleared like on YouTube video pages.

    This patch changes the CanvasGradient object to hold a weak reference to
    the CanvasRenderingContext instead of a strong reference which breaks the cycle.

    * LayoutTests/fast/canvas
        Add tests to verify the now-decoupled lifetimes of gradient and
        context do not cause crashes.
    * LayoutTests/fast/canvas/canvas-gradient-can-outlive-context-expected.txt: Added.
    * LayoutTests/fast/canvas/canvas-gradient-can-outlive-context.html: Added.
    * LayoutTests/fast/canvas/canvas-state-stack-gradient-expected.txt: Added.
    * LayoutTests/fast/canvas/canvas-state-stack-gradient.html: Added.

    * LayoutTests/http/tests/canvas
        Add a test to verify that setting the style of a 2D canvas context
        does not leak Documents.
    * LayoutTests/http/tests/canvas/ctx.2d-canvas-style-no-document-leak-expected.txt: Added.
    * LayoutTests/http/tests/canvas/ctx.2d-canvas-style-no-document-leak.html: Added.
    * LayoutTests/http/tests/canvas/resources/background.png: Added.
    * LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-color.html: Added.
    * LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-gradient.html: Added.
    * LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-pattern.html: Added.

    * Source/WebCore/html/canvas/CanvasGradient.cpp:
    (WebCore::CanvasGradient::addColorStop):
    * Source/WebCore/html/canvas/CanvasGradient.h:
    * Source/WebCore/html/canvas/CanvasStyle.cpp:
    (WebCore::parseColor):
        Since the gradient can outlive the context that created it, we need
        to be able to parse colors without having a CSSParserContext
        reference. This overload calls CSSParser::parseColorWithoutContext
        in that case.
    * Source/WebCore/html/canvas/CanvasStyle.h:
    (WebCore::CanvasStyle::canvasGradient const):

    Canonical link: https://commits.webkit.org/263774@main

Identifier: 259548.807 at safari-7615-branch


  Commit: 068e12f25f61d2d6cf02ea29bc248ade66155150
      https://github.com/WebKit/WebKit/commit/068e12f25f61d2d6cf02ea29bc248ade66155150
  Author: Matt Woodrow <mattwoodrow at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    M Source/WebCore/rendering/RenderLayerBacking.cpp

  Log Message:
  -----------
  Cherry-pick 282f60810467. rdar://problem/108866016

    Canvas will intermittently come up blurry and remain so.
    https://bugs.webkit.org/show_bug.cgi?id=256260

    Reviewed by Simon Fraser.

    The unscaled bitmap optimization uses backing stores that don't have device scaling applied, when the result would be identical.
    We need to make sure it gets re-evaluated if the size of the canvas backing store changes, this patch makes sure we schedule a compositing layer update for that to happen.

    I haven't found a way to test this yet, capturing the layer tree as text (as other tests of this feature do) implicitly forces a compositing layer update, hiding the bug.

    * Source/WebCore/rendering/RenderLayerBacking.cpp:
    (WebCore::RenderLayerBacking::contentChanged):

    Canonical link: https://commits.webkit.org/264699@main

Identifier: 259548.808 at safari-7615-branch


  Commit: 0a592f3136fa459665929997bec6630f702ba524
      https://github.com/WebKit/WebKit/commit/0a592f3136fa459665929997bec6630f702ba524
  Author: Tim Nguyen <ntim at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    A LayoutTests/fullscreen/event-listener-prefixed-unprefixed-document-expected.html
    A LayoutTests/fullscreen/event-listener-prefixed-unprefixed-document.html
    M Source/WebCore/dom/FullscreenManager.cpp

  Log Message:
  -----------
  Cherry-pick fced3c933266. rdar://problem/109373298

    REGRESSION(257658 at main): Unable to exit fullscreen from video controls on bleacherreport.com
    https://bugs.webkit.org/show_bug.cgi?id=257616
    rdar://109373298

    Reviewed by Jer Noble.

    The website was using an event listener for both prefixed & unprefixed APIs on the document object, causing the
    library's event listener to fire twice and wrongly track the fullscreen state.

    To fix this, extend the check from 260651 at main to cover document event listners as well.

    * LayoutTests/fullscreen/event-listener-prefixed-unprefixed-document-expected.html: Added.
    * LayoutTests/fullscreen/event-listener-prefixed-unprefixed-document.html: Added.
    * Source/WebCore/dom/FullscreenManager.cpp:
    (WebCore::FullscreenManager::dispatchEventForNode):

    Canonical link: https://commits.webkit.org/264814@main

Identifier: 259548.809 at safari-7615-branch


  Commit: 84e53d91960d61e72da415bb67cc1f842c7e3e93
      https://github.com/WebKit/WebKit/commit/84e53d91960d61e72da415bb67cc1f842c7e3e93
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    A LayoutTests/media/media-session/actionHandler-lifetime-expected.txt
    A LayoutTests/media/media-session/actionHandler-lifetime.html
    M Source/WebCore/Modules/mediasession/MediaSession.cpp
    M Source/WebCore/Modules/mediasession/MediaSession.h
    M Source/WebCore/Modules/mediasession/MediaSession.idl
    M Source/WebCore/Modules/mediasession/MediaSessionActionHandler.h
    M Source/WebCore/Sources.txt
    M Source/WebCore/WebCore.xcodeproj/project.pbxproj
    A Source/WebCore/bindings/js/JSMediaSessionCustom.cpp

  Log Message:
  -----------
  Cherry-pick e938617efad6. rdar://problem/105112595

    Cherry-pick 263868 at main (e938617efad6). rdar://105112595

        The Document object is leaked on some pages using media (like YouTube.com)
        https://bugs.webkit.org/show_bug.cgi?id=251835
        rdar://105112595

        Reviewed by Chris Dumez.

        Re-land of 263660 at main (and 263715 at main) fixing crashes due to
        prematurely garbage collected MediaSessionActionHandler JS wrappers.

        By default a callback holds a Strong<> reference to the JS Function
        object. This has the effect of making the callback a GC root. Another
        option is to annotate the callback with the IsWeakCallback extended
        attribute which will hold the callback object as a Weak reference and
        keep it alive via the visitJSFunction mechanism instead of making it a
        root.

        In the case of MediaSessionActionHandler the strong reference will
        prevent an HTMLDocument from being garbage collected even after
        navigating away and clearing the caches (after a low memory warning, for
        example). This change adds the IsWeakCallback attribute and the
        necessary virtual function to the MediaSessionActionHandler base class
        and makes changes to allow the MediaSession to mark any action handlers
        that have been added to it.

        LayoutTests:

            Add a test to check that action handlers installed by the page are
            not leaked. Use an iframe to install and exercise the action
            handlers before the iframe is navigated away and a garbage
            collection is triggered (repeatedly). If after 500 attempts at GC
            the document containing the action handlers still exists we consider
            the document leaked.

            Also add a test to check that action handlers survive garbage
            collection and can be called when appropriate.

        * LayoutTests/media/media-session/actionHandler-lifetime-expected.txt: Added.
        * LayoutTests/media/media-session/actionHandler-lifetime.html: Added.
        * LayoutTests/media/media-session/actionHandler-no-document-leak-expected.txt: Added.
        * LayoutTests/media/media-session/actionHandler-no-document-leak.html: Added.
        * LayoutTests/media/media-session/resources/media-session-action-handler-document-leak-frame.html: Added.

        * Source/WebCore/Modules/mediasession/MediaSession.cpp:
        (WebCore::MediaSession::virtualHasPendingActivity const):
        (WebCore::MediaSession::setActionHandler):
        (WebCore::MediaSession::callActionHandler):
        * Source/WebCore/Modules/mediasession/MediaSession.h:
        (WebCore::MediaSession::hasActiveActionHandlers const):
        (WebCore::MediaSession::visitActionHandlers const):
        * Source/WebCore/Modules/mediasession/MediaSession.idl:
        * Source/WebCore/Modules/mediasession/MediaSessionActionHandler.h:
        * Source/WebCore/Modules/mediasession/MediaSessionActionHandler.idl:
        * Source/WebCore/Sources.txt:
        * Source/WebCore/WebCore.xcodeproj/project.pbxproj:
        * Source/WebCore/bindings/js/JSMediaSessionCustom.cpp: Added.
        (WebCore::JSMediaSession::visitAdditionalChildren):

        Canonical link: https://commits.webkit.org/263868@main

Identifier: 259548.810 at safari-7615-branch


  Commit: b401793c232bc65be6f29979d1d1c90820a054d3
      https://github.com/WebKit/WebKit/commit/b401793c232bc65be6f29979d1d1c90820a054d3
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    R LayoutTests/fast/canvas/canvas-gradient-can-outlive-context-expected.txt
    R LayoutTests/fast/canvas/canvas-gradient-can-outlive-context.html
    R LayoutTests/fast/canvas/canvas-state-stack-gradient-expected.txt
    R LayoutTests/fast/canvas/canvas-state-stack-gradient.html
    R LayoutTests/http/tests/canvas/ctx.2d-canvas-style-no-document-leak-expected.txt
    R LayoutTests/http/tests/canvas/ctx.2d-canvas-style-no-document-leak.html
    R LayoutTests/http/tests/canvas/resources/background.png
    R LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-color.html
    R LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-gradient.html
    R LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-pattern.html
    M Source/WebCore/html/canvas/CanvasGradient.cpp
    M Source/WebCore/html/canvas/CanvasGradient.h
    M Source/WebCore/html/canvas/CanvasStyle.cpp
    M Source/WebCore/html/canvas/CanvasStyle.h

  Log Message:
  -----------
  Revert ade36a33611 rdar://108845985

* LayoutTests/fast/canvas/canvas-gradient-can-outlive-context-expected.txt: Removed.
* LayoutTests/fast/canvas/canvas-gradient-can-outlive-context.html: Removed.
* LayoutTests/fast/canvas/canvas-state-stack-gradient-expected.txt: Removed.
* LayoutTests/fast/canvas/canvas-state-stack-gradient.html: Removed.
* LayoutTests/http/tests/canvas/ctx.2d-canvas-style-no-document-leak-expected.txt: Removed.
* LayoutTests/http/tests/canvas/ctx.2d-canvas-style-no-document-leak.html: Removed.
* LayoutTests/http/tests/canvas/resources/background.png: Removed.
* LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-color.html: Removed.
* LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-gradient.html: Removed.
* LayoutTests/http/tests/canvas/resources/ctx.2d-fillStyle-pattern.html: Removed.
* Source/WebCore/html/canvas/CanvasGradient.cpp:
(WebCore::CanvasGradient::addColorStop):
* Source/WebCore/html/canvas/CanvasGradient.h:
* Source/WebCore/html/canvas/CanvasStyle.cpp:
* Source/WebCore/html/canvas/CanvasStyle.h:

Identifier: 259548.811 at safari-7615-branch


  Commit: 5e250c9fb3d77d69f886a3d512197601f4b4f4a5
      https://github.com/WebKit/WebKit/commit/5e250c9fb3d77d69f886a3d512197601f4b4f4a5
  Author: Charlie Wolfe <charliew at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    M Source/WebKit/UIProcess/API/C/WKPage.cpp
    M Source/WebKit/UIProcess/API/C/WKPage.h
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Tools/WebKitTestRunner/TestController.cpp

  Log Message:
  -----------
  REGRESSION(259548.792 at safari-7615-branch) http/tests/contentextensions/block-everything-unless-domain-redirect.py & http/tests/loading/preload-append-scan.py are failing
https://bugs.webkit.org/show_bug.cgi?id=257833
rdar://110350341

Reviewed by Alex Christensen.

259548.792 at safari-7615-branch made a change where we will swap processes when navigating from about:blank when
the current process has made a provisional load to a URL that was not about:*. This state was not reset between
tests, and since about:blank is loaded between each test, we would process swap in cases where we previously
hadn’t when running tests. Let’s fix this by clearing this state on `WebProcessProxy` between each test run.

* Source/WebKit/UIProcess/API/C/WKPage.cpp:
(WKPageResetProcessState):
* Source/WebKit/UIProcess/API/C/WKPage.h:
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::resetState):
* Source/WebKit/UIProcess/WebProcessProxy.h:
* Tools/WebKitTestRunner/TestController.cpp:
(WTR::TestController::resetStateToConsistentValues):

Canonical link: https://commits.webkit.org/259548.812@safari-7615-branch


  Commit: 47ed6aa2ea8881708815815e4749fd6cc5c6d90d
      https://github.com/WebKit/WebKit/commit/47ed6aa2ea8881708815815e4749fd6cc5c6d90d
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt
    A LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/NavigationRequester.cpp
    M Source/WebCore/loader/NavigationRequester.h

  Log Message:
  -----------
  Block sandboxed frames from navigating to javascript URLs without allow-scripts sandbox flag.
https://bugs.webkit.org/show_bug.cgi?id=257824
rdar://108462161

Reviewed by Alex Christensen.

Sandboxed iframes could execute script in a target frame by navigating
the frame to a javascript: URL. For example, the top frame when the
iframe has the sandbox flag "allow-top-navigation". This change checks to see if
the "allow-scripts" flag is set before executing the URL in the target frame.

* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-self-navigation.html: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation-expected.txt: Added.
* LayoutTests/http/tests/security/sandboxed-iframe-javascript-top-navigation.html: Added.
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::executeJavaScriptURL):
* Source/WebCore/loader/NavigationRequester.cpp:
(WebCore::NavigationRequester::from):
* Source/WebCore/loader/NavigationRequester.h:
(WebCore::NavigationRequester::encode const):
(WebCore::NavigationRequester::decode):

Canonical link: https://commits.webkit.org/259548.813@safari-7615-branch


  Commit: 7751cb1beada0f0a1833161c446b5e29eb872911
      https://github.com/WebKit/WebKit/commit/7751cb1beada0f0a1833161c446b5e29eb872911
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    M Source/WebCore/html/canvas/CanvasRenderingContext.h

  Log Message:
  -----------
  Cherry-pick ade36a336 and Apply patch. rdar://problem/108845985

Identifier: 259548.814 at safari-7615-branch


  Commit: 7b6d48342b8277129dd365d80e234413bfa964da
      https://github.com/WebKit/WebKit/commit/7b6d48342b8277129dd365d80e234413bfa964da
  Author: Andy Estes <aestes at apple.com>
  Date:   2023-06-08 (Thu, 08 Jun 2023)

  Changed paths:
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h
    M Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.messages.in
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp
    M Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h

  Log Message:
  -----------
  WebContent process can create files at arbitrary locations by calling RemoteMediaPlayerManagerProxy::OriginsInMediaCache
https://bugs.webkit.org/show_bug.cgi?id=257875
rdar://107931180

Reviewed by Eric Carlson.

MediaPlayerPrivateAVFoundationObjC implements cache management by creating an AVAssetCache at a
specified path, and AVAssetCache creates an empty directory at this path if one doesn't exist. When
MediaPlayer's installedMediaEngines() are accessed from the WebContent process and the GPU process
is in use, RemoteMediaPlayerManager creates media player factories that proxy cache management calls
to the GPU process via RemoteMediaPlayerManagerProxy IPC messages, passing the media cache directory
specified by the website data store as an argument. If a compromised WebContent process were to send
these messages with a path of its choosing, it could convince the GPU process to create a directory
at an arbitrary location within the GPU process sandbox.

Fixed this by removing the cache management IPC messages (OriginsInMediaCache, ClearMediaCache, and
ClearMediaCacheForOrigins) from RemoteMediaPlayerManagerProxy and calling ASSERT_NOT_REACHED() if
the WebContent process attempts to perform MediaPlayer cache management while the GPU process is in
use. This is OK because the cache management subset of MediaPlayerFactory's interface is exclusively
called from WebsiteDataStore in the UI process where media engines are accessed directly rather than
via RemoteMediaPlayerManagerProxy.

* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.cpp:
(WebKit::RemoteMediaPlayerManagerProxy::originsInMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManagerProxy::clearMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManagerProxy::clearMediaCacheForOrigins): Deleted.
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.h:
* Source/WebKit/GPUProcess/media/RemoteMediaPlayerManagerProxy.messages.in:
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.cpp:
(WebKit::RemoteMediaPlayerManager::originsInMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManager::clearMediaCache): Deleted.
(WebKit::RemoteMediaPlayerManager::clearMediaCacheForOrigins): Deleted.
* Source/WebKit/WebProcess/GPU/media/RemoteMediaPlayerManager.h:

Canonical link: https://commits.webkit.org/259548.815@safari-7615-branch


  Commit: 8437c2302b67ecd10705fb0cde46524895de5139
      https://github.com/WebKit/WebKit/commit/8437c2302b67ecd10705fb0cde46524895de5139
  Author: Marcos Caceres <marcosc at apple.com>
  Date:   2023-06-09 (Fri, 09 Jun 2023)

  Changed paths:
    M LayoutTests/TestExpectations
    A LayoutTests/http/wpt/content-security-policy/manifest.json
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub-expected.txt
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html.headers
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-expected.txt
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html
    A LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html.headers
    M LayoutTests/platform/ios-wk2/TestExpectations
    M LayoutTests/platform/mac-wk2/TestExpectations
    M Source/WebCore/loader/ApplicationManifestLoader.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ApplicationManifest.mm

  Log Message:
  -----------
  Incorrect CORS mode for ApplicationManifest
https://bugs.webkit.org/show_bug.cgi?id=256686
rdar://109154572

Reviewed by Brent Fulgham.

* LayoutTests/TestExpectations:
* LayoutTests/http/wpt/content-security-policy/manifest.json: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub-expected.txt: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-cross-origin.sub.html.headers: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked-expected.txt: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html: Added.
* LayoutTests/http/wpt/content-security-policy/sandbox-manifest-blocked.html.headers: Added.
* LayoutTests/platform/ios-wk2/TestExpectations:
* LayoutTests/platform/mac-wk2/TestExpectations:
* Source/WebCore/loader/ApplicationManifestLoader.cpp:
(WebCore::ApplicationManifestLoader::startLoading):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/ApplicationManifest.mm:
(TestWebKitAPI::TEST):

Canonical link: https://commits.webkit.org/259548.816@safari-7615-branch


  Commit: 9abef45e45a6243ebbc4c6d3a3975f74fe3bf028
      https://github.com/WebKit/WebKit/commit/9abef45e45a6243ebbc4c6d3a3975f74fe3bf028
  Author: Simon Fraser <simon.fraser at apple.com>
  Date:   2023-06-09 (Fri, 09 Jun 2023)

  Changed paths:
    M Source/WebCore/page/mac/ServicesOverlayController.mm
    M Source/WebCore/platform/mac/DataDetectorHighlight.h
    M Source/WebCore/platform/mac/DataDetectorHighlight.mm

  Log Message:
  -----------
  Crash in GraphicsLayerCA::computeVisibleAndCoverageRect() caused by data detector highlights
https://bugs.webkit.org/show_bug.cgi?id=257684
rdar://105900355

Reviewed by Aditya Keerthi.

It was possible for ServicesOverlayController to delete a DataDetectorHighlight, but leave its GraphicsLayer
parented in the page overlay, so the GraphicsLayer client() was deleted.

Fix by having the DataDetectorHighlight's destructor call invalidate(), which unparents the layer. The
ServicesOverlayController destructor no longer needs to explicitly call invalidate().

I attempted for several hours to make an API test for this, but was unable.

* Source/WebCore/page/mac/ServicesOverlayController.mm:
(WebCore::ServicesOverlayController::~ServicesOverlayController): Deleted.
* Source/WebCore/platform/mac/DataDetectorHighlight.h:
* Source/WebCore/platform/mac/DataDetectorHighlight.mm:
(WebCore::DataDetectorHighlight::~DataDetectorHighlight):

Canonical link: https://commits.webkit.org/259548.817@safari-7615-branch


  Commit: 9fe8826eb6a364856a3ed6149e48201edb141c34
      https://github.com/WebKit/WebKit/commit/9fe8826eb6a364856a3ed6149e48201edb141c34
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-06-09 (Fri, 09 Jun 2023)

  Changed paths:
    A LayoutTests/fast/editing/document-leak-altered-text-field-expected.txt
    A LayoutTests/fast/editing/document-leak-altered-text-field.html
    A LayoutTests/fast/editing/resources/document-leak-altered-text-field-popup.html
    A LayoutTests/fast/editing/resources/simple.html
    M Source/WebCore/editing/Editor.cpp
    M Source/WebCore/editing/Editor.h
    M Source/WebCore/page/EditorClient.h
    M Source/WebCore/page/Page.cpp
    M Source/WebCore/page/Page.h
    M Source/WebKitLegacy/mac/WebCoreSupport/WebEditorClient.h
    M Source/WebKitLegacy/mac/WebCoreSupport/WebEditorClient.mm

  Log Message:
  -----------
  Cherry-pick b9a32bf41135. rdar://problem/110483637

    Document leak on pages with text input forms such as google.com
    https://bugs.webkit.org/show_bug.cgi?id=256404
    rdar://108975202

    Reviewed by Wenson Hsieh and Ryosuke Niwa.

    When typing test in a text input field and then navigating away, the
    text field's document would leak. It would be kept alive via a
    WebUndoStep stored in the WebPage::m_undoStepMap map.

    FrameLoader::closeURL() was calling Editor::clearUndoRedoOperations()
    to clear those WebUndoSteps on the WebPage. However, it ended up being
    a no-op because Editor::client() would return null because the document
    was already detached from the frame and the EditorClient is stored on
    the Page. This happens in particular when the previous page was put in
    the back/forward cache.

    To address the issue, I updated Editor to store a WeakPtr to the
    EditorClient object so that it is always able to tell the client to
    clear operations if the Page/EditorClient are still alive.

    * Source/WebCore/editing/Editor.cpp:
    (WebCore::Editor::client const):
    (WebCore::Editor::Editor):
    * Source/WebCore/editing/Editor.h:

    Canonical link: https://commits.webkit.org/264022@main

Canonical link: https://commits.webkit.org/259548.818@safari-7615-branch


  Commit: 91ae9f7be76aee4ed415bd8fc3ecafc0da9b54fa
      https://github.com/WebKit/WebKit/commit/91ae9f7be76aee4ed415bd8fc3ecafc0da9b54fa
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-06-09 (Fri, 09 Jun 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.8

Identifier: 259548.819 at safari-7615-branch


  Commit: 89399f0f461425ce4c5f47e035edc04c3ba9e81f
      https://github.com/WebKit/WebKit/commit/89399f0f461425ce4c5f47e035edc04c3ba9e81f
  Author: Said Abou-Hallawa <said at apple.com>
  Date:   2023-06-09 (Fri, 09 Jun 2023)

  Changed paths:
    A LayoutTests/css3/filters/filter-visited-links-expected.html
    A LayoutTests/css3/filters/filter-visited-links.html
    M Source/WebCore/rendering/PaintPhase.h
    M Source/WebCore/rendering/RenderLayer.cpp
    M Source/WebCore/rendering/StyledMarkedText.cpp
    M Source/WebCore/rendering/TextDecorationPainter.cpp
    M Source/WebCore/rendering/TextDecorationPainter.h
    M Source/WebCore/rendering/TextPaintStyle.cpp
    M Source/WebCore/rendering/style/RenderStyle.cpp
    M Source/WebCore/rendering/style/RenderStyle.h

  Log Message:
  -----------
  Prevent SVG filters from leaking visited hyperlinks
https://bugs.webkit.org/show_bug.cgi?id=257822
rdar://109749006

Reviewed by Simon Fraser.

We should prevent websites from learning which sites have been visited via SVG
filters on hyperlinks, per the attack described in https://arxiv.org/abs/2305.12784.

This can be acheived by ignoring the visited links color when a filter is applied
to the anchor element.

* LayoutTests/css3/filters/filter-visited-links-expected.html: Added.
* LayoutTests/css3/filters/filter-visited-links.html: Added.
* Source/WebCore/rendering/PaintPhase.h:
* Source/WebCore/rendering/RenderLayer.cpp:
(WebCore::RenderLayer::paintLayerContents):
(WebCore::RenderLayer::paintForegroundForFragments):
(WebCore::RenderLayer::calculateClipRects const):
* Source/WebCore/rendering/StyledMarkedText.cpp:
(WebCore::resolveStyleForMarkedText):
(WebCore::StyledMarkedText::computeStyleForUnmarkedMarkedText):
* Source/WebCore/rendering/TextDecorationPainter.cpp:
(WebCore::collectStylesForRenderer):
(WebCore::TextDecorationPainter::decorationColor):
(WebCore::TextDecorationPainter::stylesForRenderer):
* Source/WebCore/rendering/TextDecorationPainter.h:
(WebCore::TextDecorationPainter::decorationColor):
(WebCore::TextDecorationPainter::stylesForRenderer):
* Source/WebCore/rendering/TextPaintStyle.cpp:
(WebCore::computeTextPaintStyle):
* Source/WebCore/rendering/style/RenderStyle.cpp:
(WebCore::RenderStyle::visitedDependentColor const):
(WebCore::RenderStyle::visitedDependentColorWithColorFilter const):
* Source/WebCore/rendering/style/RenderStyle.h:
(WebCore::RenderStyle::visitedDependentColor):
(WebCore::RenderStyle::visitedDependentColorWithColorFilter):

Canonical link: https://commits.webkit.org/259548.820@safari-7615-branch


  Commit: 8a8217bf0a7b4fc83261acf51ec4b7b41198f50e
      https://github.com/WebKit/WebKit/commit/8a8217bf0a7b4fc83261acf51ec4b7b41198f50e
  Author: Matthieu Dubet <m_dubet at apple.com>
  Date:   2023-06-09 (Fri, 09 Jun 2023)

  Changed paths:
    A LayoutTests/fast/css/rule-selector-nesting-overflow-expected.txt
    A LayoutTests/fast/css/rule-selector-nesting-overflow.html
    M Source/WebCore/css/CSSGroupingRule.cpp
    M Source/WebCore/css/CSSStyleRule.cpp
    M Source/WebCore/css/StyleRule.h
    M Source/WebCore/css/StyleSheetContents.cpp
    M Source/WebCore/css/parser/CSSParserImpl.cpp
    M Source/WebCore/style/RuleFeature.h
    M Source/WebCore/style/RuleSetBuilder.cpp
    M Source/WebCore/style/RuleSetBuilder.h
    M Source/WebCore/style/StyleInvalidator.cpp
    M Source/WebCore/style/StyleScopeRuleSets.cpp

  Log Message:
  -----------
  Cherry-pick f347660f0196. rdar://problem/109254000

    [CSS] StyleRuleWithNesting is a StyleRule (through inheritance)
    https://bugs.webkit.org/show_bug.cgi?id=256693
    rdar://109254000

    Reviewed by Antti Koivisto.

    StyleRuleWithNesting should be treated like a StyleRule
    in the codebase.

    * LayoutTests/fast/css/rule-selector-nesting-overflow-expected.txt: Added.
    * LayoutTests/fast/css/rule-selector-nesting-overflow.html: Added.
    * Source/WebCore/css/CSSGroupingRule.cpp:
    (WebCore::CSSGroupingRule::insertRule):
    * Source/WebCore/css/CSSStyleRule.cpp:
    (WebCore::CSSStyleRule::insertRule):
    * Source/WebCore/css/StyleRule.h:
    (WebCore::StyleRuleBase::isStyleRule const):
    (isType):
    * Source/WebCore/css/StyleSheetContents.cpp:
    (WebCore::StyleSheetContents::parserAppendRule):
    (WebCore::traverseRulesInVector):
    * Source/WebCore/css/parser/CSSParserImpl.cpp:
    (WebCore::CSSParserImpl::consumeDeclarationListOrStyleBlockHelper):
    * Source/WebCore/style/RuleFeature.h:
    * Source/WebCore/style/RuleSetBuilder.cpp:
    (WebCore::Style::RuleSetBuilder::RuleSetBuilder):
    (WebCore::Style::m_shouldResolveNesting):

    Invalidation selectors assume that the RuleSet doesn't mutate.
    We need to be careful not to resolve the nesting selector more than once.

    (WebCore::Style::RuleSetBuilder::addStyleRule):
    * Source/WebCore/style/RuleSetBuilder.h:
    * Source/WebCore/style/StyleInvalidator.cpp:
    (WebCore::Style::shouldDirtyAllStyle):
    * Source/WebCore/style/StyleScope.cpp:
    (WebCore::Style::Scope::updateActiveStyleSheets):
    * Source/WebCore/style/StyleScopeRuleSets.cpp:
    (WebCore::Style::ScopeRuleSets::appendAuthorStyleSheets):

    Canonical link: https://commits.webkit.org/265028@main

Identifier: 259548.821 at safari-7615-branch


  Commit: 3282e8c968c765c7a892212162651ea3b834e11a
      https://github.com/WebKit/WebKit/commit/3282e8c968c765c7a892212162651ea3b834e11a
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-06-09 (Fri, 09 Jun 2023)

  Changed paths:
    A LayoutTests/fast/mediastream/mediarecorder-close-expected.txt
    A LayoutTests/fast/mediastream/mediarecorder-close.html
    M Source/WebCore/platform/mediarecorder/MediaRecorderPrivateAVFImpl.cpp
    M Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterCocoa.h
    M Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterCocoa.mm
    M Source/WebKit/GPUProcess/webrtc/RemoteMediaRecorder.cpp

  Log Message:
  -----------
  jsc_fuz/wktr: *flaky* RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!retainedPointer || !m_controlBlock->objectHasBeenDeleted()); in MediaRecorderPrivateWriter::compressedVideoOutputBufferCallback MediaRecorderPrivateWriterCocoa.mm:107
https://bugs.webkit.org/show_bug.cgi?id=257780
rdar://109659987

Reviewed by Eric Carlson.

After the introduction of ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr,
we are now lazily creating our weak pointer on various threads, and this can happen while destroying the object in main thread.
To make sure we do not end up in that situation, we are now closing MediaRecorderPrivateWriter before destroying it.
In closing, we destroy the compressors which are the ones calling the callbacks that can create the weak pointers.

* LayoutTests/fast/mediastream/mediarecorder-close-expected.txt: Added.
* LayoutTests/fast/mediastream/mediarecorder-close.html: Added.
* Source/WebCore/platform/mediarecorder/MediaRecorderPrivateAVFImpl.cpp:
(WebCore::MediaRecorderPrivateAVFImpl::MediaRecorderPrivateAVFImpl):
* Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterCocoa.h:
* Source/WebCore/platform/mediarecorder/cocoa/MediaRecorderPrivateWriterCocoa.mm:
(WebCore::MediaRecorderPrivateWriter::~MediaRecorderPrivateWriter):
(WebCore::MediaRecorderPrivateWriter::close):
* Source/WebKit/GPUProcess/webrtc/RemoteMediaRecorder.cpp:
(WebKit::RemoteMediaRecorder::~RemoteMediaRecorder):

Canonical link: https://commits.webkit.org/259548.822@safari-7615-branch


  Commit: 18a05c43972c866180a74be0a748b65a1307227e
      https://github.com/WebKit/WebKit/commit/18a05c43972c866180a74be0a748b65a1307227e
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-06-09 (Fri, 09 Jun 2023)

  Changed paths:
    A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt
    A LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html
    A LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py
    M Source/WebCore/dom/Document.cpp

  Log Message:
  -----------
  Third Party IFrame Navigation Block Bypass via Content Security Policy Sandbox
https://bugs.webkit.org/show_bug.cgi?id=257903
rdar://109059471

Reviewed by Brent Fulgham.

If a third-party iframe is unsandboxed we will prevent top navigation
without user interaction with the frame. However, this is bypassable if
the iframe gives itself a sandbox which allows top navigation via CSP.

This change checks to see if the iframe element was unsandboxed and
proceeds with the more strict third-party checks if so.

* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp-expected.txt: Added.
* LayoutTests/http/tests/security/block-top-level-navigations-by-third-party-iframe-sandboxed-by-own-csp.html: Added.
* LayoutTests/http/tests/security/resources/attempt-top-level-navigation-with-csp.py: Added.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):

Canonical link: https://commits.webkit.org/259548.823@safari-7615-branch


  Commit: cff01e3a9ba54dcf614dc9ea59007ae44a07d415
      https://github.com/WebKit/WebKit/commit/cff01e3a9ba54dcf614dc9ea59007ae44a07d415
  Author: J Pascoe <j_pascoe at apple.com>
  Date:   2023-06-12 (Mon, 12 Jun 2023)

  Changed paths:
    M Source/WebCore/page/DOMWindow.cpp
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  https://bugs.webkit.org/show_bug.cgi?id=257352
rdar://106974958

Reviewed by John Wilander and Brent Fulgham.

This quirk is no longer nessesary to get favorites and recents to show up
in the radio player, which is why it was added in the first place. Therefore
it can be removed.

* Source/WebCore/page/DOMWindow.cpp:
(WebCore::DOMWindow::open):
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::triggerOptionalStorageAccessQuirk const):
(WebCore::Quirks::BBCRadioPlayerURLString): Deleted.
(WebCore::Quirks::staticRadioPlayerURLString): Deleted.
(WebCore::isBBCDomain): Deleted.
(WebCore::isBBCPopUpPlayerElement): Deleted.
* Source/WebCore/page/Quirks.h:
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::createNewPage):

Canonical link: https://commits.webkit.org/259548.824@safari-7615-branch


  Commit: 9b3d228ec2cb2900c3b21f070720b439c8b40cab
      https://github.com/WebKit/WebKit/commit/9b3d228ec2cb2900c3b21f070720b439c8b40cab
  Author: Sihui Liu <sihui_liu at apple.com>
  Date:   2023-06-13 (Tue, 13 Jun 2023)

  Changed paths:
    A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-expected.txt
    A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private-expected.txt
    A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private.html
    A LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event.html
    A LayoutTests/storage/indexeddb/modern/resources/request-dispatch-untrusted-event.js
    M Source/WebCore/Modules/indexeddb/IDBRequest.cpp

  Log Message:
  -----------
  jsc_fuz/wktr: null ptr deref in WebCore::IDBRequest::dispatchEvent(WebCore::Event&)
rdar://110459666

Reviewed by Brady Eidson.

Make sure untrusted event does not change the internal state of IDBRequest. Also, move the assert that request must have
pending activity when event is being dispatched to a later point, because IDBRequest::dispatchEvent might be invoked
from JavaScript code (i.e. request does not actually have pending activity).

Test: storage/indexeddb/modern/request-dispatch-untrusted-event.html
      storage/indexeddb/modern/request-dispatch-untrusted-event-private.html

* LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-expected.txt: Added.
* LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private-expected.txt: Added.
* LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event-private.html: Added.
* LayoutTests/storage/indexeddb/modern/request-dispatch-untrusted-event.html: Added.
* LayoutTests/storage/indexeddb/modern/resources/request-dispatch-untrusted-event.js: Added.
(loadImage):
(openDatabase):
* Source/WebCore/Modules/indexeddb/IDBRequest.cpp:
(WebCore::IDBRequest::dispatchEvent):

Canonical link: https://commits.webkit.org/259548.825@safari-7615-branch


  Commit: cad37dce2389b518c1e60eea5f71f19c38fbab08
      https://github.com/WebKit/WebKit/commit/cad37dce2389b518c1e60eea5f71f19c38fbab08
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-06-13 (Tue, 13 Jun 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.9

Identifier: 259548.826 at safari-7615-branch


  Commit: 43a9f4f9ac1c7589ec86e4fc7f2c59192aa46cba
      https://github.com/WebKit/WebKit/commit/43a9f4f9ac1c7589ec86e4fc7f2c59192aa46cba
  Author: Chirag M Shah <chirag_m_shah at apple.com>
  Date:   2023-06-13 (Tue, 13 Jun 2023)

  Changed paths:
    M LayoutTests/fast/css/calc-parsing-expected.txt
    M LayoutTests/fast/css/calc-parsing.html
    A LayoutTests/fast/css/calc-with-round-crash-expected.txt
    A LayoutTests/fast/css/calc-with-round-crash.html
    M Source/WebCore/css/calc/CSSCalcValue.cpp

  Log Message:
  -----------
  Cherry-pick 569bdcf08cfa. rdar://problem/109503971

    Ensure we don't crash with calc(round())
    https://bugs.webkit.org/show_bug.cgi?id=257157
    rdar://109503971

    Reviewed by Darin Adler.

    This change fixes the crash which happens due to us discarding the
    children in case of a round to nearest operation.

    * LayoutTests/fast/css/calc-parsing-expected.txt:
    * LayoutTests/fast/css/calc-parsing.html:
    * LayoutTests/fast/css/calc-with-round-crash-expected.txt: Added.
    * LayoutTests/fast/css/calc-with-round-crash.html: Added.
    * Source/WebCore/css/calc/CSSCalcValue.cpp:
    (WebCore::createCSS):

    Canonical link: https://commits.webkit.org/264863@main

Identifier: 259548.827 at safari-7615-branch


  Commit: 01e86f13952b6a477dceb66bcebb123834f8e1b2
      https://github.com/WebKit/WebKit/commit/01e86f13952b6a477dceb66bcebb123834f8e1b2
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-06-14 (Wed, 14 Jun 2023)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
    M Source/JavaScriptCore/dfg/DFGHeapLocation.h

  Log Message:
  -----------
  Backport fix for erroneous CSE of EnumeratorNextUpdateIndexAndMode and HasIndexedProperty
rdar://110785576

Reviewed by Michael Saboff, Justin Michaud and Yusuke Suzuki.

Backports part of https://commits.webkit.org/263909@main, which
prevents erroneous elimination of an EnumeratorNextUpdateIndexAndMode
and HasIndexedProperty node pair if they have the same operands.
The full commit in 263909 at main depends on the existence of DFG tuples,
which haven't yet been brought into the security branch, so those
parts are omitted from this patch.

* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:

Canonical link: https://commits.webkit.org/259548.828@safari-7615-branch


  Commit: fb695673fd232b563af185a11652d8feb7871e2c
      https://github.com/WebKit/WebKit/commit/fb695673fd232b563af185a11652d8feb7871e2c
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-06-14 (Wed, 14 Jun 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.8.1

Identifier: 259548.829 at safari-7615-branch


  Commit: 9cd44913c84ee5fbab1ea6db6ae62bf36005e7ba
      https://github.com/WebKit/WebKit/commit/9cd44913c84ee5fbab1ea6db6ae62bf36005e7ba
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-06-14 (Wed, 14 Jun 2023)

  Changed paths:
    M Source/WebCore/editing/markup.cpp

  Log Message:
  -----------
  Disable link preload when sanitizing web content
https://bugs.webkit.org/show_bug.cgi?id=258100
rdar://109675198

Reviewed by Chris Dumez.

Otherwise we get a request in the network process with an invalid pageID,
and it MESSAGE_CHECKs and terminates the process.

* Source/WebCore/editing/markup.cpp:
(WebCore::createPageForSanitizingWebContent):

Canonical link: https://commits.webkit.org/259548.830@safari-7615-branch


  Commit: d263e8a08a93795b187308bff49c8961daaa01df
      https://github.com/WebKit/WebKit/commit/d263e8a08a93795b187308bff49c8961daaa01df
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-06-15 (Thu, 15 Jun 2023)

  Changed paths:
    A LayoutTests/http/wpt/webcodecs/videoFrame-negative-timestamp-expected.txt
    A LayoutTests/http/wpt/webcodecs/videoFrame-negative-timestamp.html
    M Source/WebKit/WebProcess/GPU/media/RemoteVideoCodecFactory.cpp

  Log Message:
  -----------
  RemoteVideoEncoderCallbacks and RemoteVideoDecoderCallbacks HashMaps could be corrupted by JS
https://bugs.webkit.org/show_bug.cgi?id=258123
rdar://110777506

Reviewed by Eric Carlson.

JS can provide signed timestamps, which are used as keys in RemoteVideoDecoderCallbacks and RemoteVideoEncoderCallbacks maps.
Move to StdUnorderedMap to support all keys.

* LayoutTests/http/wpt/webcodecs/videoFrame-negative-timestamp-expected.txt: Added.
* LayoutTests/http/wpt/webcodecs/videoFrame-negative-timestamp.html: Added.
* Source/WebKit/WebProcess/GPU/media/RemoteVideoCodecFactory.cpp:
(WebKit::RemoteVideoDecoderCallbacks::addDuration):
(WebKit::RemoteVideoEncoderCallbacks::addDuration):
(WebKit::RemoteVideoDecoderCallbacks::notifyDecodingResult):
(WebKit::RemoteVideoEncoderCallbacks::notifyEncodedChunk):

Canonical link: https://commits.webkit.org/259548.831@safari-7615-branch


  Commit: aecf4d579f39edebcb784b0fefa5b2978ea5226e
      https://github.com/WebKit/WebKit/commit/aecf4d579f39edebcb784b0fefa5b2978ea5226e
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2023-06-15 (Thu, 15 Jun 2023)

  Changed paths:
    M Source/WTF/wtf/URLHelpers.cpp
    M Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm

  Log Message:
  -----------
  Expand list of URL spoofing characters
https://bugs.webkit.org/show_bug.cgi?id=256813
rdar://109105078, rdar://109056841, and rdar://109056217

Reviewed by Tim Horton.

U+1E9C and U+1E9D are Medievalist characters, which means they haven't been used much
in the last several centuries.  They look kind of like 'f' and other browsers punycode
encode them when seen in URL hosts, so let's do the same.  Same with U+1EFE and U+1EFF.

Deseret has been used much more recently, but still not much since the late 1800's.
There is a sign in a restaurant in the Salt Lake City airport that uses it, but it
seems to be a historical reference.  Classify Deseret like we do the International
Phonetic Alphabet and punycode encode it if seen in URL hosts.

* Source/WTF/wtf/URLHelpers.cpp:
(WTF::URLHelpers::isLookalikeCharacter):
* Tools/TestWebKitAPI/Tests/WTF/cocoa/URLExtras.mm:
(TestWebKitAPI::TEST):

Canonical link: https://commits.webkit.org/259548.832@safari-7615-branch


  Commit: c60c40574fc54fcf65b867b297ad9da3da015bed
      https://github.com/WebKit/WebKit/commit/c60c40574fc54fcf65b867b297ad9da3da015bed
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-06-15 (Thu, 15 Jun 2023)

  Changed paths:
    A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt
    A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html
    A LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html
    M Source/WebCore/workers/WorkerAnimationController.cpp

  Log Message:
  -----------
  Crash under WebCore::JSRequestAnimationFrameCallback::~JSRequestAnimationFrameCallback()
https://bugs.webkit.org/show_bug.cgi?id=258058
rdar://110530772

Reviewed by Ryosuke Niwa.

JSRequestAnimationFrameCallback were outliving the VM and thus using the VM
after-free in their destructor. JS Wrapper should never outlive the VM.

JSRequestAnimationFrameCallback are subclasses of RequestAnimationFrameCallback,
which were being kept alive by the WorkerAnimationController via its
m_animationCallbacks vector.

To address the issue, WorkerAnimationController now clears m_animationCallbacks
in stop(), which gets called when the global scope (and thus the VM) are about
to go away.

* LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt: Added.
* LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html: Added.
* LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html: Added.
* Source/WebCore/workers/WorkerAnimationController.cpp:
(WebCore::WorkerAnimationController::stop):

Canonical link: https://commits.webkit.org/259548.833@safari-7615-branch


  Commit: 5989e11996a71dec09cae9f0dc863a94e726ca66
      https://github.com/WebKit/WebKit/commit/5989e11996a71dec09cae9f0dc863a94e726ca66
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-06-15 (Thu, 15 Jun 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.9

Identifier: 259548.834 at safari-7615-branch


  Commit: b63d456498913cbc8bc70757cca2a74a2c854b8d
      https://github.com/WebKit/WebKit/commit/b63d456498913cbc8bc70757cca2a74a2c854b8d
  Author: Brandon Stewart <brandonstewart at apple.com>
  Date:   2023-06-15 (Thu, 15 Jun 2023)

  Changed paths:
    A LayoutTests/fast/css-grid-layout/baseline-masonry-crash-expected.html
    A LayoutTests/fast/css-grid-layout/baseline-masonry-crash.html
    M Source/WebCore/rendering/RenderGrid.cpp

  Log Message:
  -----------
  Crash in GridBaselineAlignment::baselineGroupForChild
https://bugs.webkit.org/show_bug.cgi?id=257509
rdar://110027455

Reviewed by Alan Baradlay.

Certain baseline properties are not properly handled in CSS Masonry.
We will just disable these calculations for now and then remove this in the future.

* LayoutTests/fast/css-grid-layout/baseline-masonry-crash-expected.html: Added.
* LayoutTests/fast/css-grid-layout/baseline-masonry-crash.html: Added.
* Source/WebCore/rendering/RenderGrid.cpp:
(WebCore::RenderGrid::columnAxisBaselineOffsetForChild const):
(WebCore::RenderGrid::rowAxisBaselineOffsetForChild const):

Canonical link: https://commits.webkit.org/259548.835@safari-7615-branch


  Commit: 8b5bb60ce55dd5afc4909c4030f8fdcd73033951
      https://github.com/WebKit/WebKit/commit/8b5bb60ce55dd5afc4909c4030f8fdcd73033951
  Author: Matthieu Dubet <m_dubet at apple.com>
  Date:   2023-06-16 (Fri, 16 Jun 2023)

  Changed paths:
    A LayoutTests/fast/css/cssom-mutation-stylerule-expected.html
    A LayoutTests/fast/css/cssom-mutation-stylerule.html
    M Source/WebCore/css/CSSStyleRule.cpp

  Log Message:
  -----------
  Cherry-pick 36514195098d. rdar://problem/110629287

    [CSSOM] Fix insertion of rule into orphaned style rule
    https://bugs.webkit.org/show_bug.cgi?id=258017
    rdar://110629287

    Reviewed by Antti Koivisto.

    When a StyleRule is orphaned, we don't need any specific mechanism (such as RuleMutationScope)
    and convert it directly to a StyleRuleWithNesting.

    * LayoutTests/fast/css/cssom-mutation-stylerule-expected.html: Added.
    * LayoutTests/fast/css/cssom-mutation-stylerule.html: Added.
    * Source/WebCore/css/CSSStyleRule.cpp:
    (WebCore::CSSStyleRule::insertRule):

    Canonical link: https://commits.webkit.org/265154@main
Identifier: 259548.836 at safari-7615-branch


  Commit: 85ad52c2d1fedc6a0a5de32aacbb2f520035baca
      https://github.com/WebKit/WebKit/commit/85ad52c2d1fedc6a0a5de32aacbb2f520035baca
  Author: Dan Robson <dan_robson at apple.com>
  Date:   2023-06-20 (Tue, 20 Jun 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.10

Identifier: 259548.837 at safari-7615-branch


  Commit: 4d21adaefda64eac79e8008588e7ee1dd55f6543
      https://github.com/WebKit/WebKit/commit/4d21adaefda64eac79e8008588e7ee1dd55f6543
  Author: Brady Eidson <beidson at apple.com>
  Date:   2023-06-20 (Tue, 20 Jun 2023)

  Changed paths:
    M Source/WebCore/Modules/notifications/NotificationDataCocoa.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/PushAPI.mm

  Log Message:
  -----------
  Cherry-pick b2b22d7e5d2c. rdar://problem/111052083

    Make the NotificationData NSDictionary representation property list serializable
    https://bugs.webkit.org/show_bug.cgi?id=257339
    rdar://109734742

    Reviewed by Tim Horton.

    Only put the silent value in the dictionary if it exists.

    * Source/WebCore/Modules/notifications/NotificationDataCocoa.mm:
    (WebCore::NotificationData::dictionaryRepresentation const):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/PushAPI.mm:

    Canonical link: https://commits.webkit.org/264548@main

Identifier: 259548.838 at safari-7615-branch


  Commit: 103894675a8bab09d55d64f51c196e4eec0af2c2
      https://github.com/WebKit/WebKit/commit/103894675a8bab09d55d64f51c196e4eec0af2c2
  Author: Dawn Flores <dawn_flores at apple.com>
  Date:   2023-06-20 (Tue, 20 Jun 2023)

  Changed paths:
    M LayoutTests/platform/mac-ventura/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any-expected.txt
    M LayoutTests/platform/mac-ventura/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any.worker-expected.txt

  Log Message:
  -----------
  [ Gardening ]([ Branch ] [ Rebasline ] 2X imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate* (layout-tests) are constant failures)
rdar://110026683

Unreviewed test gardening.

Rebaline of tests.

* LayoutTests/platform/mac-ventura/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any-expected.txt:
* LayoutTests/platform/mac-ventura/imported/w3c/web-platform-tests/fetch/content-length/api-and-duplicate-headers.any.worker-expected.txt:

Canonical link: https://commits.webkit.org/259548.839@safari-7615-branch


  Commit: 259842c7afc200bb914c85d2dc4719dcce5d4dec
      https://github.com/WebKit/WebKit/commit/259842c7afc200bb914c85d2dc4719dcce5d4dec
  Author: Brady Eidson <beidson at apple.com>
  Date:   2023-06-21 (Wed, 21 Jun 2023)

  Changed paths:
    M Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h
    M Source/WebCore/bindings/js/ScriptController.cpp
    M Source/WebCore/dom/UserGestureIndicator.cpp
    M Source/WebCore/dom/UserGestureIndicator.h
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/AsyncFunction.mm

  Log Message:
  -----------
  Cherry-pick 265168 at main (8e5ddea16577). rdar://110919134

    evaluateJavaScript: and callAsyncJavaScript: should not leave behind transient activation
    https://bugs.webkit.org/show_bug.cgi?id=258037
    rdar://107102031

    Reviewed by Ben Nham.

    JavaScript evaluated by the client app is executed as if from a user gesture, which is fine for now.
    But before this change, such JS left behind transient user activation for (currently) 5 seconds, which is not fine.

    Let's remove that sticky side effect.

    * Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.cpp:
    (WTF::computeSDKAlignedBehaviors):
    * Source/WTF/wtf/cocoa/RuntimeApplicationChecksCocoa.h:

    * Source/WebCore/bindings/js/ScriptController.cpp:
    (WebCore::ScriptController::executeScriptInWorld):
    (WebCore::ScriptController::executeAsynchronousUserAgentScriptInWorld):

    * Source/WebCore/dom/UserGestureIndicator.cpp:
    (WebCore::UserGestureToken::forEachImpactedDocument):
    * Source/WebCore/dom/UserGestureIndicator.h:

    * Tools/TestWebKitAPI/Tests/WebKitCocoa/AsyncFunction.mm:
    (TestWebKitAPI::TEST):

    Canonical link: https://commits.webkit.org/265168@main

Canonical link: https://commits.webkit.org/259548.840@safari-7615-branch


  Commit: 74f32c21189a2f98be012bf9a3c731a4cf1dbd10
      https://github.com/WebKit/WebKit/commit/74f32c21189a2f98be012bf9a3c731a4cf1dbd10
  Author: Ryan Reno <rreno at apple.com>
  Date:   2023-06-21 (Wed, 21 Jun 2023)

  Changed paths:
    M Source/WebCore/loader/MixedContentChecker.cpp

  Log Message:
  -----------
  Remove unnecessary release assertion from mixed content checker.
https://bugs.webkit.org/show_bug.cgi?id=258303
<rdar://110766912>

Reviewed by Brent Fulgham.

We now check the entire frame tree for mixed content checks for all
resources loads. An assertion that a document has a frame is no
longer valid in general. This assertion was originally added in
215749 at main in an attempt to cover an untestable case. This replaces
the assert with a null check.

* Source/WebCore/loader/MixedContentChecker.cpp:
(WebCore::foundMixedContentInFrameTree):

Canonical link: https://commits.webkit.org/259548.841@safari-7615-branch


  Commit: e6347f30ecf114598c9057a18bbeb5b8e633d412
      https://github.com/WebKit/WebKit/commit/e6347f30ecf114598c9057a18bbeb5b8e633d412
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-06-21 (Wed, 21 Jun 2023)

  Changed paths:
    M Source/WebKit/UIProcess/WebPageProxy.cpp

  Log Message:
  -----------
  [IPC][Hardening] Validate URLs sent by the WebProcess via the WebPageProxy::DidFailProvisionalLoad IPC
https://bugs.webkit.org/show_bug.cgi?id=258322
rdar://111059792

Reviewed by Brent Fulgham.

Validate URLs sent by the WebProcess via the WebPageProxy::DidFailProvisionalLoad IPC.

* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didFailProvisionalLoadForFrameShared):

Canonical link: https://commits.webkit.org/259548.842@safari-7615-branch


  Commit: de1eae9dc949ff8967e2e10f1d96357104403e82
      https://github.com/WebKit/WebKit/commit/de1eae9dc949ff8967e2e10f1d96357104403e82
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-06-21 (Wed, 21 Jun 2023)

  Changed paths:
    A JSTests/wasm/stress/simd-select.js
    M Source/JavaScriptCore/b3/B3LowerToAir.cpp

  Log Message:
  -----------
  Cherry-pick c4e675b3afdd. rdar://problem/111066972

    B3 Select instruction truncates vector operands
    https://bugs.webkit.org/show_bug.cgi?id=257842
    rdar://108643371

    Reviewed by Mark Lam, Justin Michaud and Yusuke Suzuki.

    Fixes a bug where we would generate a double-precision conditional
    move when lowering the Select B3 instruction on vector operands.
    Since vector-sized conditional move isn't widely supported, we
    transform the Select into a branch and moves during Air lowering
    when the operands are vectors.

    * JSTests/wasm/stress/simd-select.js: Added.
    * Source/JavaScriptCore/b3/B3LowerToAir.cpp:

    Canonical link: https://commits.webkit.org/264996@main

Identifier: 259548.843 at safari-7615-branch


  Commit: 2e29306082aebd4d74cfffa82e953b2d3bfde691
      https://github.com/WebKit/WebKit/commit/2e29306082aebd4d74cfffa82e953b2d3bfde691
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-06-22 (Thu, 22 Jun 2023)

  Changed paths:
    A JSTests/wasm/stress/phi-live-across-rethrow.js
    A JSTests/wasm/stress/phi-live-across-throw.js
    M Source/JavaScriptCore/b3/B3DuplicateTails.cpp
    M Source/JavaScriptCore/b3/B3Kind.cpp
    M Source/JavaScriptCore/b3/B3Kind.h
    M Source/JavaScriptCore/b3/B3PatchpointValue.cpp
    M Source/JavaScriptCore/b3/B3PatchpointValue.h
    M Source/JavaScriptCore/b3/B3ValueInlines.h
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

  Log Message:
  -----------
  Prevent duplication of WASM throw and rethrow patchpoints in B3
https://bugs.webkit.org/show_bug.cgi?id=258408
rdar://110634913

Reviewed by Yusuke Suzuki.

Adds a cloningForbidden property to B3Kind, used to prevent a B3 value
from being cloned during optimizations, and applies it to the patchpoints
generated for the WASM throw and rethrow opcodes in WasmB3IRGenerator.
This prevents a problem where these patchpoints could be duplicated, still
share a stackmap/callsite index, but have conflicting live value
locations.

* JSTests/wasm/stress/phi-live-across-rethrow.js: Added.
(async test):
* JSTests/wasm/stress/phi-live-across-throw.js: Added.
(async test):
* Source/JavaScriptCore/b3/B3DuplicateTails.cpp:
* Source/JavaScriptCore/b3/B3Kind.cpp:
(JSC::B3::Kind::dump const):
* Source/JavaScriptCore/b3/B3Kind.h:
(JSC::B3::Kind::hasCloningForbidden):
(JSC::B3::Kind::hasCloningForbidden const):
(JSC::B3::Kind::isCloningForbidden const):
(JSC::B3::Kind::setIsCloningForbidden):
(JSC::B3::Kind::operator== const):
(JSC::B3::Kind::hash const):
(JSC::B3::cloningForbidden):
* Source/JavaScriptCore/b3/B3PatchpointValue.cpp:
(JSC::B3::PatchpointValue::PatchpointValue):
* Source/JavaScriptCore/b3/B3PatchpointValue.h:
* Source/JavaScriptCore/b3/B3ValueInlines.h:
(JSC::B3::Value::cloneImpl const):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addThrow):
(JSC::Wasm::B3IRGenerator::addRethrow):

Canonical link: https://commits.webkit.org/259548.844@safari-7615-branch


  Commit: ecc32372e8709f68bd1616e1944ae3bde044d5d5
      https://github.com/WebKit/WebKit/commit/ecc32372e8709f68bd1616e1944ae3bde044d5d5
  Author: Brent Fulgham <bfulgham at apple.com>
  Date:   2023-06-23 (Fri, 23 Jun 2023)

  Changed paths:
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm

  Log Message:
  -----------
  Cherry-pick a09166e3759c. rdar://problem/111223197

    Revert 257885 at main: Broke too many sites in Lockdown Mode
    https://bugs.webkit.org/show_bug.cgi?id=256665
    <rdar://109177509>

    Unreviewed revert of 257886 at main.

    We have determined that disabling Service Workers in Lockdown Mode is not
    viable with acceptable levels of Website Compatibility.

    * Source/WebKit/WebProcess/WebPage/WebPage.cpp:
    (WebKit::adjustSettingsForLockdownMode):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm:

    Canonical link: https://commits.webkit.org/263986@main
Identifier: 259548.845 at safari-7615-branch


  Commit: 9151fc84ffddd20b3ba31b93470506e6dc69386e
      https://github.com/WebKit/WebKit/commit/9151fc84ffddd20b3ba31b93470506e6dc69386e
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-06-23 (Fri, 23 Jun 2023)

  Changed paths:
    M Source/WebKit/UIProcess/API/APIPageConfiguration.cpp
    M Source/WebKit/UIProcess/API/APIPageConfiguration.h
    M Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfiguration.mm
    M Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h
    M Source/WebKit/UIProcess/Cocoa/WebPageProxyCocoa.mm
    M Source/WebKit/UIProcess/PageClient.h
    M Source/WebKit/UIProcess/WebPageProxy.cpp
    M Source/WebKit/UIProcess/ios/WebPageProxyIOS.mm
    M Source/WebKit/UIProcess/mac/PageClientImplMac.h

  Log Message:
  -----------
  Cherry-pick 985a124eb978c. rdar://problem/107383904

Identifier: 259548.846 at safari-7615-branch


  Commit: b8259d818b89e428d3395a81ce2364e343198992
      https://github.com/WebKit/WebKit/commit/b8259d818b89e428d3395a81ce2364e343198992
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-06-26 (Mon, 26 Jun 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7615.3.11

Canonical link: https://commits.webkit.org/259548.847@safari-7615-branch


  Commit: 77eb72570a8bf4f6954b9c2ec7e0eeaf25324d65
      https://github.com/WebKit/WebKit/commit/77eb72570a8bf4f6954b9c2ec7e0eeaf25324d65
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-06-26 (Mon, 26 Jun 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitcorepy/setup.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py

  Log Message:
  -----------
  Cherry-pick 264590 at main (92f9f829efb5). rdar://109891019

    [webkitcorepy] Make packaging a prerequisite of the autoinstaller
    https://bugs.webkit.org/show_bug.cgi?id=257382
    rdar://109891019

    Reviewed by Alexey Proskuryakov.

    * Tools/Scripts/libraries/webkitcorepy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py:
    (Package.install): Add packaging as prerequisite.

    Canonical link: https://commits.webkit.org/264590@main

Canonical link: https://commits.webkit.org/259548.848@safari-7615-branch


  Commit: 08c11ebeed8a09d46be35b35fda8fe280b42a9d1
      https://github.com/WebKit/WebKit/commit/08c11ebeed8a09d46be35b35fda8fe280b42a9d1
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-06-26 (Mon, 26 Jun 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitbugspy/setup.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/bugzilla.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/github.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/issue.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/user.py
    M Tools/Scripts/libraries/webkitcorepy/setup.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/call_by_need.py
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/commit.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/commit_classifier.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/local/git.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/local/scm.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/svn.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/svn.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/install_git_lfs.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pickable.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/svn.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/scm_base.py

  Log Message:
  -----------
  Cherry-pick 265377 at main (5f9e420cedb1). rdar://111120365

    [webkitpy] Avoid autoinstalling libraries in init
    https://bugs.webkit.org/show_bug.cgi?id=258366
    rdar://111120365

    Reviewed by Elliott Williams.

    Re-organize webkitscmpy and webkitbugspy to avoid invoking the autoinstaller
    in webkitpy's __init__.py.

    * Tools/Scripts/libraries/webkitbugspy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/bugzilla.py:
    Lazy-evaluate requests import.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/github.py: Ditto.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/issue.py: Ditto.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/user.py:
    Use webkitcorepy instead of six.
    * Tools/Scripts/libraries/webkitcorepy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/call_by_need.py:
    (CallByNeed.__getattribute__): Attempt to use underlying object's attributes
    when no type is defined.
    (CallByNeed.__call__): If the value is callable, call it.
    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/commit.py:
    Use webkitcorepy instead of six.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/commit_classifier.py:
    (CommitClassifier.LineFilter.fuzzy): Move rapidfuzz import into function call.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/local/git.py:
    Use webkitcorepy instead of six.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/local/scm.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py:
    Move mock import into function call.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/svn.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/remote/svn.py:
    Move xmldict import into function call.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/install_git_lfs.py:
    Lazy import requests.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pickable.py:
    (Pickable.Filters.fuzzy): Move rapidfuzz import into function call.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/setup.py:
    Lazy import requests.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/pull_request.py:
    Use webkitcorepy instead of six.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/bitbucket.py:
    Use webkitcorepy instead of six, lazy import requests.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/git_hub.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/scm.py:
    Use webkitcorepy instead of six.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/remote/svn.py:
    Lazy import requests and xmltodict.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/scm_base.py:
    Use webkitcorepy instead of six.

    Canonical link: https://commits.webkit.org/265377@main

Canonical link: https://commits.webkit.org/259548.849@safari-7615-branch


  Commit: 53b81354246a375d894dc4830ac9372140e9469e
      https://github.com/WebKit/WebKit/commit/53b81354246a375d894dc4830ac9372140e9469e
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-06-26 (Mon, 26 Jun 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitbugspy/setup.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/__init__.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/data.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/radar.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py
    M Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/radar_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/__init__.py
    A Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/clone.py
    A Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/clone_unittest.py

  Log Message:
  -----------
  Cherry-pick 265475 at main (1463644b7ce9). rdar://107320897

    [git-webkit] Add clone command
    https://bugs.webkit.org/show_bug.cgi?id=254599
    rdar://107320897

    Reviewed by Dewei Zhu.

    Add a command to quickly clone a radar from a commit or Bugzilla.

    * Tools/Scripts/libraries/webkitbugspy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/__init__.py: Import mock milestones.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/data.py: Add mock milestones.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/mocks/radar.py:
    (AppleDirectoryQuery.member_dsid_list_for_group_name): Add.
    (RadarModel.Milestone): Add mock Milestone object.
    (RadarModel.Category): Add mock Category object.
    (RadarModel.Event): Add mock Event object.
    (RadarModel.Tentpole): Add mock Tentpole object.
    (RadarModel.MilestoneAssociations): Add mock MilestoneAssociations object.
    (RadarModel.commit_changes): Commit milestone, category, event and tentpole.
    (RadarModel.milestone_associations): List MilestoneAssociations object from Milestone object.
    (RadarClient.milestones_for_component): List all mock milestones.
    (RadarClient.clone_radar): Mock implementation of Radarclient's clone_radar.
    (Radar.__init__):
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/radar.py:
    (Tracker.create): Handle empty project.
    (Tracker.clone): Clone radar with specified reason.
    * Tools/Scripts/libraries/webkitbugspy/webkitbugspy/tests/radar_unittest.py:
    * Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/__init__.py:
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/clone.py: Added.
    (Clone.parser): User must specify problem, reason and optionally milestone
    to clone radar into.
    (Clone.main): Resolve the provided argument to a radar and then clone the
    specified radar. Attempt to copy as much of the original radar as possible
    after moving the cloned radar into the specified milestone.
    * Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/clone_unittest.py: Added.
    (TestClone):

    Canonical link: https://commits.webkit.org/265475@main

Canonical link: https://commits.webkit.org/259548.850@safari-7615-branch


  Commit: 6992bf7efc47426ddebd245cd4283fc789feac52
      https://github.com/WebKit/WebKit/commit/6992bf7efc47426ddebd245cd4283fc789feac52
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-06-26 (Mon, 26 Jun 2023)

  Changed paths:
    A Tools/Scripts/libraries/webkitcorepy/run-tests
    M Tools/Scripts/libraries/webkitcorepy/setup.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/terminal.py
    R Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing.py
    A Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing/__init__.py
    A Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing/path_test_case.py
    A Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing/python_test_runner.py
    A Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing/test_runner.py

  Log Message:
  -----------
  Cherry-pick 265519 at main (41ea5f4983d4). rdar://111220802

    [webkitcorepy] Add generic test runner
    https://bugs.webkit.org/show_bug.cgi?id=258464
    rdar://111220802

    Reviewed by Aakash Jain.

    * Tools/Scripts/libraries/webkitcorepy/run-tests: Added.
    * Tools/Scripts/libraries/webkitcorepy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/terminal.py:
    (Terminal.size): Compute size of current terminal.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing/__init__.py: Added.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing/path_test_case.py:
    Renamed from Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing.py.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing/python_test_runner.py: Added.
    (PythonTestRunner.recurse): List all tests in a suite.
    (PythonTestRunner.__init__): Discover all tests in provided modules.
    (PythonTestRunner.tests): List all tests to be run, given a set of arguments.
    (PythonTestRunner.run_test): Attempt to run a test with a name.
    (PythonTestRunner.id): Convert a test to a name.
    (PythonTestRunner.run): Trigger autoinstall before running tests.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/testing/test_runner.py: Added.
    (TestRunner.combine): Combine two test result objects.
    (TestRunner.__init__):
    (TestRunner.tests): Subclass to implement.
    (TestRunner.run_test): Ditto.
    (TestRunner.id): Pass-through unless subclass implements.
    (TestRunner.run): Run all tests.
    (TestRunner.main): Parse arguments and run tests.

    Canonical link: https://commits.webkit.org/265519@main

Canonical link: https://commits.webkit.org/259548.851@safari-7615-branch


  Commit: dd5e1fd6fd44e1deb99ff9b21942090382252b75
      https://github.com/WebKit/WebKit/commit/dd5e1fd6fd44e1deb99ff9b21942090382252b75
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-06-26 (Mon, 26 Jun 2023)

  Changed paths:
    M Tools/Scripts/libraries/webkitcorepy/setup.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py
    M Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py

  Log Message:
  -----------
  Cherry-pick 265530 at main (96c42fec959c). rdar://111347997

    [webkitcorepy] Stop using deprecated urlopen API
    https://bugs.webkit.org/show_bug.cgi?id=258530
    rdar://111347997

    Reviewed by Aakash Jain.

    * Tools/Scripts/libraries/webkitcorepy/setup.py: Bump version.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/__init__.py: Ditto.
    * Tools/Scripts/libraries/webkitcorepy/webkitcorepy/autoinstall.py:
    (AutoInstall._request): Use an SSL context to define the cafile.

    Canonical link: https://commits.webkit.org/265530@main

Canonical link: https://commits.webkit.org/259548.852@safari-7615-branch


  Commit: bb70e32b88ed08a2cf98dd6cd7ead6d690ad3100
      https://github.com/WebKit/WebKit/commit/bb70e32b88ed08a2cf98dd6cd7ead6d690ad3100
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-06-26 (Mon, 26 Jun 2023)

  Changed paths:
    M Source/WebCore/platform/mac/PlatformPasteboardMac.mm

  Log Message:
  -----------
  [IPC][Hardening] Update isFilePasteboardType() to also check for kUTTypeFileURL
https://bugs.webkit.org/show_bug.cgi?id=258519
rdar://111187390

Reviewed by Wenson Hsieh.

* Source/WebCore/platform/mac/PlatformPasteboardMac.mm:
(WebCore::isFilePasteboardType):

Canonical link: https://commits.webkit.org/259548.853@safari-7615-branch


  Commit: 465b681115e692be58dd12ec6744c77d6d51a67a
      https://github.com/WebKit/WebKit/commit/465b681115e692be58dd12ec6744c77d6d51a67a
  Author: Brady Eidson <beidson at apple.com>
  Date:   2023-06-26 (Mon, 26 Jun 2023)

  Changed paths:
    M Source/WebCore/bindings/js/RunJavaScriptParameters.h
    M Source/WebCore/bindings/js/ScriptController.cpp
    M Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.h
    M Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.mm
    M Source/WebKit/UIProcess/API/C/WKPage.cpp
    M Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm
    M Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp
    M Source/WebKit/UIProcess/Inspector/socket/RemoteInspectorProtocolHandler.cpp

  Log Message:
  -----------
  User agent JavaScript from full web browsers should clear transient activation.
rdar://104748908
https://bugs.webkit.org/show_bug.cgi?id=251276

Reviewed by Brent Fulgham.

Take the solution from https://commits.webkit.org/265168@main and extend it to full web browsers now.

* Source/WebCore/bindings/js/RunJavaScriptParameters.h:
(WebCore::RunJavaScriptParameters::RunJavaScriptParameters):
(WebCore::RunJavaScriptParameters::encode const):
(WebCore::RunJavaScriptParameters::decode):

* Source/WebCore/bindings/js/ScriptController.cpp:
(WebCore::ScriptController::executeScriptInWorldIgnoringException):
(WebCore::ScriptController::executeScriptInWorld):
(WebCore::ScriptController::executeUserAgentScriptInWorld):

* Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.h:
* Source/WebKit/Shared/Cocoa/DefaultWebBrowserChecks.mm:
(WebKit::shouldEvaluateJavaScriptWithoutTransientActivation):

* Source/WebKit/UIProcess/API/C/WKPage.cpp:
(WKPageRunJavaScriptInMainFrame):

* Source/WebKit/UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _evaluateJavaScript:asAsyncFunction:withSourceURL:withArguments:forceUserGesture:inFrame:inWorld:completionHandler:]):

Canonical link: https://commits.webkit.org/259548.854@safari-7615-branch


  Commit: 7f4ad44e742144641699be6b98b578add94fc71a
      https://github.com/WebKit/WebKit/commit/7f4ad44e742144641699be6b98b578add94fc71a
  Author: Myah Cobbs <mcobbs at apple.com>
  Date:   2023-06-28 (Wed, 28 Jun 2023)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

Identifier: 259548.855 at safari-7615-branch


  Commit: c3d2e3627b45699577876022441428a6130547b4
      https://github.com/WebKit/WebKit/commit/c3d2e3627b45699577876022441428a6130547b4
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2023-06-28 (Wed, 28 Jun 2023)

  Changed paths:
    A JSTests/stress/putstacksinking-callvarargs.js
    A JSTests/stress/putstacksinking-tailcallvarargs.js
    M Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h

  Log Message:
  -----------
  CallVarargs should identify that it can read inline call frame arguments.
rdar://111361499

Reviewed by Yusuke Suzuki.

Call already does this, but CallVarargs has a special case that forgot.

We should not be allowed to push PutStacks below a call of any kind, since
it might access our call frame's arguments via foo.arguments, unless
we are strict.

The only exception is TailCall (but not TailCallForwardVarargsInlinedCaller),
because it will destroy the entire frame.

We do not un-pessimize TailCall yet to reduce risk, but it could be made
to match TailCallForwardVarargs in the future.

* JSTests/stress/putstacksinking-callvarargs.js: Added.
(main.opt.x):
(main.opt.y):
(main.opt.z):
(main.opt):
(main):
* JSTests/stress/putstacksinking-tailcallvarargs.js: Added.
(main.opt.x):
(main.opt.y):
(main.opt.z):
(main.opt):
(main):
* Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

Canonical link: https://commits.webkit.org/259548.856@safari-7615-branch


  Commit: 115fef229108c074ebbfd0d6ac7ac5ae0b920874
      https://github.com/WebKit/WebKit/commit/115fef229108c074ebbfd0d6ac7ac5ae0b920874
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-06-28 (Wed, 28 Jun 2023)

  Changed paths:
    M Source/WebCore/platform/mediastream/ios/AVAudioSessionCaptureDeviceManager.mm

  Log Message:
  -----------
  Cherry-pick 53bd19405878. rdar://problem/107871881

    [iOS 16.x] WebRTC call not switching when connect with EarPods with Lightning Connector
    https://bugs.webkit.org/show_bug.cgi?id=254978
    rdar://107871881

    Reviewed by Eric Carlson.

    We are using the default route to select the default microphone on iOS.
    When headphones are plugged in, the route is the builtin route, but the subtype is different to differentiate
    iPhone speakers from headset.

    To take this into account on microphones, we keep the same logic to know the default route.
    But we do a first iteration to check whether there is a head set microphone available.
    If so, we consider this should be the default microphone if the default route is the builtin route.

    Manually tested.

    * Source/WebCore/platform/mediastream/ios/AVAudioSessionCaptureDeviceManager.mm:
    (SOFT_LINK_CONSTANT):
    (WebCore::AVAudioSessionCaptureDeviceManager::retrieveAudioSessionCaptureDevices const):

    Canonical link: https://commits.webkit.org/264070@main
Identifier: 259548.857 at safari-7615-branch


  Commit: 9ec0db86a3230696b3ee4ee09b0f2971d9553df7
      https://github.com/WebKit/WebKit/commit/9ec0db86a3230696b3ee4ee09b0f2971d9553df7
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-06-28 (Wed, 28 Jun 2023)

  Changed paths:
    M Source/ThirdParty/libwebrtc/Source/webrtc/sdk/objc/components/video_frame_buffer/RTCCVPixelBuffer.mm
    M Source/ThirdParty/libwebrtc/Source/webrtc/sdk/objc/native/src/objc_frame_buffer.mm

  Log Message:
  -----------
  Cherry-pick ebb91ef51ed3. rdar://problem/108377764

    Add a bounds check in [RTCCVPixelBuffer toI420]
    https://bugs.webkit.org/show_bug.cgi?id=257479
    rdar://108377764

    Reviewed by Jean-Yves Avenard.

    Add a width/height check to toI420 for extra safety.
    Update ObjCFrameBuffer::wrapped_frame_buffer to always use a mutex.

    * Source/ThirdParty/libwebrtc/Source/webrtc/sdk/objc/components/video_frame_buffer/RTCCVPixelBuffer.mm:
    (-[RTCCVPixelBuffer toI420]):
    * Source/ThirdParty/libwebrtc/Source/webrtc/sdk/objc/native/src/objc_frame_buffer.mm:
    (webrtc::ObjCFrameBuffer::wrapped_frame_buffer const):

    Canonical link: https://commits.webkit.org/264670@main
Identifier: 259548.858 at safari-7615-branch


  Commit: bb38f117eeef60f90918313b37e9ed7751a2d9b6
      https://github.com/WebKit/WebKit/commit/bb38f117eeef60f90918313b37e9ed7751a2d9b6
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2023-06-28 (Wed, 28 Jun 2023)

  Changed paths:
    M Source/WebKit/UIProcess/Cocoa/AuxiliaryProcessProxyCocoa.mm
    M Source/WebKit/UIProcess/Cocoa/XPCConnectionTerminationWatchdog.h
    M Source/WebKit/UIProcess/Cocoa/XPCConnectionTerminationWatchdog.mm

  Log Message:
  -----------
  Cherry-pick 256bf3a7dde7. rdar://problem/108805025

    Use the XPCConnectionTerminationWatchdog on macOS too
    https://bugs.webkit.org/show_bug.cgi?id=256096

    Reviewed by Ben Nham.

    Use the XPCConnectionTerminationWatchdog on macOS too now that process
    suspension is no longer specific to iOS.

    * Source/WebKit/UIProcess/Cocoa/AuxiliaryProcessProxyCocoa.mm:
    (WebKit::AuxiliaryProcessProxy::platformStartConnectionTerminationWatchdog):
    * Source/WebKit/UIProcess/Cocoa/XPCConnectionTerminationWatchdog.h:
    * Source/WebKit/UIProcess/Cocoa/XPCConnectionTerminationWatchdog.mm:
    (WebKit::XPCConnectionTerminationWatchdog::XPCConnectionTerminationWatchdog):

    Canonical link: https://commits.webkit.org/263514@main
Identifier: 259548.859 at safari-7615-branch


  Commit: 383d4ade9f18a53d6af95218ab9949569a45fbc4
      https://github.com/WebKit/WebKit/commit/383d4ade9f18a53d6af95218ab9949569a45fbc4
  Author: Jean-Yves Avenard <jya at apple.com>
  Date:   2023-06-28 (Wed, 28 Jun 2023)

  Changed paths:
    M Source/WebCore/dom/FullscreenManager.cpp
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h

  Log Message:
  -----------
  Cherry-pick ba3971672860. rdar://problem/108304377

    bbc.co.uk: Video goes black with only audio playing when exiting PiP mode
    https://bugs.webkit.org/show_bug.cgi?id=257711
    rdar://108304377

    Reviewed by Jer Noble.

    Only fire the fullscreen change event once we did enter fullscreen.
    This gives time for the UI process to complete exiting PiP in the UI process.

    The process for exiting PiP and go back into fullscreen is a complicated
    (and unnecessary) dance between the content and the UI process.
    didStopPictureInPicture (UI) -> requestRestoreFullScreen (CP) -> EnterFullScreen (UI)
     -> WillEnterFullscreen (CP) -> beganEnterFullScreen (UI) -> didEnterFullScreen (UI)
     -> didEnterFullScreen (CP)

    Previously, the events `fullscreenchange` was fired in WillEnterFullscreen.
    if a JS event listener was set, and attempted to exit PiP then (as BBC website is doing)
    it would have left VideoFullscreenInterfaceAVKit in a broken state
    once it received `beganEnterFullScreen` as it's not an handled chained of event.

    By letting the UI process complete the exit of PiP back to fullscreen,
    we can avoid the problem from occurring alltogether, and this is simply
    done by firing the events and resolving the promise in didEnterFullScreen.

    We limit this behaviour to BBC.com

    This entire code is in serious need of a rewrite.

    Manually tested under all possible interface scenarios:
    - Entering PiP, Exiting PiP using BBC main player control.
    - Entering PiP, Exiting PiP using PiP controller button.
    - Entering fullscreen via BBC control, entering PiP using PiP button, exiting PiP using BBC main player control
    - As above but using PiP controller button as last step.
    - Going into Auto-Pip by swiping home and exiting PiP.
    - Entering PiP, quitting PiP (X button)

    * Source/WebCore/dom/FullscreenManager.cpp:
    (WebCore::FullscreenManager::willEnterFullscreen):
    (WebCore::FullscreenManager::didEnterFullscreen):
    * Source/WebCore/page/Quirks.cpp:
    (WebCore::Quirks::shouldDelayFullscreenEventWhenExitingPictureInPictureQuirk const):
    * Source/WebCore/page/Quirks.h:

    Canonical link: https://commits.webkit.org/264974@main
Identifier: 259548.860 at safari-7615-branch


  Commit: 3f5f0f1ba3d7aec5f3f4ba57d55b1f4b0524d8d1
      https://github.com/WebKit/WebKit/commit/3f5f0f1ba3d7aec5f3f4ba57d55b1f4b0524d8d1
  Author: Darin Adler <darin at apple.com>
  Date:   2023-06-28 (Wed, 28 Jun 2023)

  Changed paths:
    M LayoutTests/fast/css/background-position-serialize-expected.txt
    M LayoutTests/fast/css/background-position-serialize.html
    M LayoutTests/fast/masking/parsing-webkit-mask-expected.txt
    M LayoutTests/fast/masking/parsing-webkit-mask.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/parsing/background-position-valid-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/parsing/background-position-valid.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/parsing/background-valid.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-masking/parsing/mask-position-valid-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/css/css-masking/parsing/mask-position-valid.html
    M LayoutTests/imported/w3c/web-platform-tests/css/css-masking/parsing/mask-valid.sub.html
    M Source/WebCore/css/ShorthandSerializer.cpp

  Log Message:
  -----------
  Cherry-pick 82228ed93559. rdar://problem/109380755

    REGRESSION (Safari 16.4, 258767 at main): Carcassonne game on boardgamearena.com unplayable (serialization bug affecting background-position)
    https://bugs.webkit.org/show_bug.cgi?id=256814
    rdar://109380755

    Reviewed by Tim Nguyen.

    The code to serialize background-position and mask-position did not correctly handle the case
    where the Y value was 0%. Rearranged the code slightly to resolve this.

    * LayoutTests/fast/css/background-position-serialize-expected.txt: Added test cases.
    * LayoutTests/fast/css/background-position-serialize.html: Ditto.
    * LayoutTests/fast/masking/parsing-webkit-mask-expected.txt: Ditto.
    * LayoutTests/fast/masking/parsing-webkit-mask.html: Ditto.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/parsing/background-position-valid-expected.txt: Ditto.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/parsing/background-position-valid.html: Ditto.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-backgrounds/parsing/background-valid.html:
    Updated expectations since initial value of background-position is "0% 0%", not "0% center".

    * LayoutTests/imported/w3c/web-platform-tests/css/css-masking/parsing/mask-position-valid-expected.txt: Added test cases.
    * LayoutTests/imported/w3c/web-platform-tests/css/css-masking/parsing/mask-position-valid.html: Ditto.

    * LayoutTests/imported/w3c/web-platform-tests/css/css-masking/parsing/mask-valid.sub.html:
    Updated expectations since initial value of mask-position is "0% 0%", not "0% center".

    * Source/WebCore/css/ShorthandSerializer.cpp:
    (WebCore::ShorthandSerializer::serializeLayered const): Rearrange the code to correctly serialize
    background-position-y and mask-position-y as part of a shorthand.

    Canonical link: https://commits.webkit.org/265056@main
Identifier: 259548.861 at safari-7615-branch


  Commit: fa3d4fa011859597f09586418714bc12c10f647c
      https://github.com/WebKit/WebKit/commit/fa3d4fa011859597f09586418714bc12c10f647c
  Author: Eric Carlson <eric.carlson at apple.com>
  Date:   2023-06-28 (Wed, 28 Jun 2023)

  Changed paths:
    M Source/WebCore/platform/mac/WebPlaybackControlsManager.mm

  Log Message:
  -----------
  Cherry-pick ca484addbacd. rdar://problem/111456370

    [Cocoa] Playback is paused after scrubbing with touch bar
    https://bugs.webkit.org/show_bug.cgi?id=257177
    rdar://109523926

    Reviewed by Jer Noble.

    * Source/WebCore/platform/mac/WebPlaybackControlsManager.mm:
    (-[WebPlaybackControlsManager setPlaying:]): Don't send a remote playback command to the
    model if is already in the correct state.

    Canonical link: https://commits.webkit.org/264400@main
Identifier: 259548.862 at safari-7615-branch


  Commit: 08761da690e52511272f7f745ce8d92f20c97e04
      https://github.com/WebKit/WebKit/commit/08761da690e52511272f7f745ce8d92f20c97e04
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-06-28 (Wed, 28 Jun 2023)

  Changed paths:
    M Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm

  Log Message:
  -----------
  Cherry-pick d3783956a151. rdar://problem/111456704

    ServiceWorkerGlobalScope::notifyServiceWorkerPageOfCreationIfNecessary should limit itself to normalWorld
    https://bugs.webkit.org/show_bug.cgi?id=258339
    rdar://105387315

    Reviewed by Chris Dumez.

    Page::serviceWorkerGlobalObject is only supporting normal worlds and is checking this with a RELEASE_ASSERT.
    ServiceWorkerGlobalScope::notifyServiceWorkerPageOfCreationIfNecessary calls LocalFrameLoaderClient::dispatchServiceWorkerGlobalObjectAvailable on all worlds.
    This puts the burden on implementors of LocalFrameLoaderClient::dispatchServiceWorkerGlobalObjectAvailable to check that the world is a normal world.
    Instead of hitting the RELEASE_ASSERT, we are limiting LocalFrameLoaderClient::dispatchServiceWorkerGlobalObjectAvailable call to normal worlds.

    Updated test is adding a world in a test that is using service worker.
    It hits the RELEASE_ASSERT without the change in ServiceWorkerGlobalScope::notifyServiceWorkerPageOfCreationIfNecessary.

    * Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp:
    (WebCore::ServiceWorkerGlobalScope::notifyServiceWorkerPageOfCreationIfNecessary):
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/ServiceWorkerBasic.mm:

    Canonical link: https://commits.webkit.org/265358@main
Identifier: 259548.863 at safari-7615-branch


Compare: https://github.com/WebKit/WebKit/compare/f0589f652bac...08761da690e5


More information about the webkit-changes mailing list