Diff [217367:219817] for releases/WebKitGTK/webkit-2.16 – WebKit

TabularUnified releases/WebKitGTK/webkit-2.16/ChangeLog ¶

-              r217367
+              r219817
+-07-24  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.6 release.
+        * Source/cmake/OptionsGTK.cmake:
+-06-26  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.5 release.
+        * Source/cmake/OptionsGTK.cmake:
+-06-20  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.4 release.
+        * Source/cmake/OptionsGTK.cmake:
 -05-24  Carlos Garcia Campos  <cgarcia@igalia.com>

TabularUnified releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog ¶

-              r217367
+              r219817
+-06-26  Saam Barati  <sbarati@apple.com>
+        Crash in JSC::Lexer<unsigned char>::setCode
+        https://bugs.webkit.org/show_bug.cgi?id=172754
+        Reviewed by Mark Lam.
+        * stress/dont-reserve-huge-capacity-lexer.js: Added.
+        (catch):
+-04-13  Mark Lam  <mark.lam@apple.com>
+        Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
+        https://bugs.webkit.org/show_bug.cgi?id=170661
+        <rdar://problem/31579046>
+        Reviewed by Filip Pizlo.
+        * stress/regress-170661.js: Added.
+-04-20  Mark Lam  <mark.lam@apple.com>
+        virtualThunkFor() needs to materialize its of tagMaskRegister for tail calls.
+        https://bugs.webkit.org/show_bug.cgi?id=171079
+        <rdar://problem/31684756>
+        Reviewed by Saam Barati.
+        * stress/regress-171079.js: Added.
+-05-05  Saam Barati  <sbarati@apple.com>
+        putDirectIndex does not properly do defineOwnProperty
+        https://bugs.webkit.org/show_bug.cgi?id=171591
+        <rdar://problem/31735695>
+        Reviewed by Geoffrey Garen.
+        * stress/array-prototype-splice-making-typed-array.js:
+        (test):
+        * stress/array-species-config-array-constructor.js:
+        (shouldThrow):
+        (test):
+        * stress/put-direct-index-broken-2.js: Added.
+        (assert):
+        (test):
+        (makeLengthWritable):
+        (set get restoreOldDesc):
+        * stress/put-direct-index-broken.js: Added.
+        (whatToTest):
+        (tryRunning):
+        (tryItOut):
+        * stress/put-indexed-getter-setter.js: Added.
+        (foo.X.prototype.set 7):
+        (foo.X.prototype.get 7):
+        (foo.X):
+        (foo):
+-05-17  Filip Pizlo  <fpizlo@apple.com>
+        Unreviewed, address mlam's review feedback.
+        * stress/arguments-elimination-varargs-too-many-args-arg-count.js:
+-05-17  Filip Pizlo  <fpizlo@apple.com>
+        JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform
+        https://bugs.webkit.org/show_bug.cgi?id=172208
+        Reviewed by Saam Barati.
+        * stress/arguments-elimination-varargs-too-many-args-arg-count.js: Added.
+        (foo):
+        (bar):
+        (baz):
+-04-17  Mark Lam  <mark.lam@apple.com>
+        JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
+        https://bugs.webkit.org/show_bug.cgi?id=170896
+        <rdar://problem/31651319>
+        Reviewed by JF Bastien and Keith Miller.
+        * stress/regress-170896.js: Added.
+-05-25  Saam Barati  <sbarati@apple.com>
+        Our for-in optimization in the bytecode generator does its static analysis incorrectly
+        https://bugs.webkit.org/show_bug.cgi?id=172532
+        <rdar://problem/32369452>
+        Reviewed by Mark Lam.
+        * stress/for-in-invalidation-for-any-write.js: Added.
+        (assert):
+        (test):
+        (test.i):
+-04-14  Saam Barati  <sbarati@apple.com>
+        ParseInt intrinsic in DFG backend doesn't properly flush its operands
+        https://bugs.webkit.org/show_bug.cgi?id=170865
+        Reviewed by Mark Lam and Geoffrey Garen.
+        * stress/parse-int-intrinsic-dfg-backend-flush.js: Added.
+        (assert):
+        (foo):
 -05-10  Filip Pizlo  <fpizlo@apple.com>

TabularUnified releases/WebKitGTK/webkit-2.16/JSTests/stress/array-prototype-splice-making-typed-array.js ¶

-              r217367
+              r219817
 test(function() {
     // This should not crash.
-    // FIXME: this might need to be updated as we make our splice implementation
-    // more ES6 compliant: https://bugs.webkit.org/show_bug.cgi?id=159645
     let x = [1,2,3,4,5];
     x.constructor = Uint8Array;
     delete x[2];
     assert(!(2 in x));
+    let removed = x.splice(1,3);
+    assert(removed instanceof Uint8Array);
+    assert(removed.length === 3);
+    assert(removed[0] === 2);
+    assert(removed[1] === 0);
+    assert(removed[2] === 4);
+    let err = null;
+    try {
+        let removed = x.splice(1,3);
+        assert(removed instanceof Uint8Array);
+        assert(removed.length === 3);
+        assert(removed[0] === 2);
+        assert(removed[1] === 0);
+        assert(removed[2] === 4);
+    } catch(e) {
+        err = e;
+    }
+    assert(err.toString() === "TypeError: Attempting to configure non-configurable property on a typed array at index: 0");
     assert(x instanceof Array);
     assert(x.length === 2);
+    assert(x.length === 5);
     assert(x[0] === 1);
+    assert(x[1] === 5);
+    assert(x[1] === 2);
+    assert(x[2] === undefined);
+    assert(x[3] === 4);
+    assert(x[4] === 5);
 });

TabularUnified releases/WebKitGTK/webkit-2.16/JSTests/stress/array-species-config-array-constructor.js ¶

-              r217367
+              r219817
 Object.defineProperty(Int32Array.prototype, "length", { value: 0, writable: true });
+result = foo.concat([1]);
+if (!(result instanceof Int32Array))
+    throw "concat failed";
+function shouldThrow(f, m) {
+    let err;
+    try {
+        f();
+    } catch(e) {
+        err = e;
+    }
+    if (err.toString() !== m)
+        throw new Error("Wrong error: " + err);
+}
+result = foo.splice();
+if (!(result instanceof Int32Array))
+    throw "splice failed";
+result = foo.slice();
+if (!(result instanceof Int32Array))
+    throw "slice failed";
+function test() {
+    const message = "TypeError: Attempting to configure non-configurable property on a typed array at index: 0";
+    shouldThrow(() => foo.concat([1]), message);
+    foo = [1,2,3,4];
+    shouldThrow(() => foo.slice(0), message);
+    foo = [1,2,3,4];
+    let r = foo.splice();
+    if (!(r instanceof Int32Array))
+        throw "Bad";
+    if (r.length !== 0)
+        throw "Bad";
+    foo = [1,2,3,4];
+    shouldThrow(() => foo.splice(0), message);
+}
+noInline(test);
+for (let i = 0; i < 3000; ++i)
+    test();

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog ¶

-              r217367
+              r219817
+-05-12  Jiewen Tan  <jiewen_tan@apple.com>
+        Elements should be inserted into a template element as its content's last child
+        https://bugs.webkit.org/show_bug.cgi?id=171373
+        <rdar://problem/31862949>
+        Reviewed by Ryosuke Niwa.
+        * fast/dom/HTMLTemplateElement/insert-fostering-child-expected.txt: Added.
+        * fast/dom/HTMLTemplateElement/insert-fostering-child.html: Added.
+-05-15  Jiewen Tan  <jiewen_tan@apple.com>
+        Replace CryptoOperationData with BufferSource for WebKitSubtleCrypto
+        https://bugs.webkit.org/show_bug.cgi?id=172146
+        <rdar://problem/32122256>
+        Reviewed by Brent Fulgham.
+        * crypto/webkitSubtle/argument-conversion-expected.txt:
+        * crypto/webkitSubtle/import-export-raw-key-leak-expected.txt: Added.
+        * crypto/webkitSubtle/import-export-raw-key-leak.html: Added.
+-05-11  Zalan Bujtas  <zalan@apple.com>
+        AX: Defer text changes until after the tree is clean if needed.
+        https://bugs.webkit.org/show_bug.cgi?id=171546
+        <rdar://problem/31934942>
+        Reviewed by Simon Fraser.
+        * accessibility/crash-when-render-tree-is-not-clean-expected.txt: Added.
+        * accessibility/crash-when-render-tree-is-not-clean.html: Added.
+-05-02  Zalan Bujtas  <zalan@apple.com>
+        Defer AX cache update when text content changes until after layout is finished.
+        https://bugs.webkit.org/show_bug.cgi?id=171429
+        <rdar://problem/31885984>
+        Reviewed by Simon Fraser.
+        * accessibility/crash-while-adding-text-child-with-transform-expected.txt: Added.
+        * accessibility/crash-while-adding-text-child-with-transform.html: Added.
+-06-17  Antti Koivisto  <antti@apple.com>
+        Crash due to infinite recursion via FrameSelection::updateAppearanceAfterLayout
+        https://bugs.webkit.org/show_bug.cgi?id=173468
+        Reviewed by Ryosuke Niwa.
+        * editing/selection/updateAppearanceAfterLayout-recursion-expected.txt: Added.
+        * editing/selection/updateAppearanceAfterLayout-recursion.html: Added.
+-06-17  Ryosuke Niwa  <rniwa@webkit.org>
+        REGRESSION(r209495): materiauxlaverdure.com fails to load
+        https://bugs.webkit.org/show_bug.cgi?id=173301
+        <rdar://problem/32624850>
+        Reviewed by Antti Koivisto.
+        Rebaselined the existing tests and added a new regression test for serializing CSS properties and values.
+        * accessibility/mac/alt-for-css-content-expected.txt:
+        * accessibility/mac/webkit-alt-for-css-content-expected.txt:
+        * editing/pasteboard/cjk-line-height-expected.txt:
+        * fast/css/alt-inherit-initial-expected.txt:
+        * fast/css/alt-inherit-initial.html:
+        * fast/css/content-language-comma-separated-list-expected.txt:
+        * fast/css/content-language-empty-expected.txt:
+        * fast/css/content-language-only-whitespace-expected.txt:
+        * fast/css/content-language-with-whitespace-expected.txt:
+        * fast/css/counters/counter-cssText-expected.txt:
+        * fast/css/counters/counter-cssText.html:
+        * fast/css/font-family-trailing-bracket-gunk-expected.txt:
+        * fast/css/font-family-trailing-bracket-gunk.html:
+        * fast/css/getComputedStyle/computed-style-font-family-expected.txt:
+        * fast/css/getComputedStyle/computed-style-properties-expected.txt:
+        * fast/css/getComputedStyle/computed-style-properties.html:
+        * fast/css/getComputedStyle/font-family-fallback-reset-expected.txt:
+        * fast/css/getComputedStyle/font-family-fallback-reset.html:
+        * fast/css/lang-mapped-to-webkit-locale-expected.txt:
+        * fast/css/lang-mapped-to-webkit-locale.xhtml:
+        * fast/css/serialization-with-double-quotes-expected.txt: Added.
+        * fast/css/serialization-with-double-quotes.html: Added.
+        * fast/css/uri-token-parsing-expected.txt:
+        * fast/css/uri-token-parsing.html:
+        * fast/inspector-support/cssURLQuotes-expected.txt:
+        * fast/inspector-support/style-expected.txt:
+        * fast/text/font-stretch-parse-expected.txt:
+        * fast/text/font-stretch-parse.html:
+        * fast/text/font-style-parse-expected.txt:
+        * fast/text/font-style-parse.html:
+        * fast/text/font-weight-parse-expected.txt:
+        * fast/text/font-weight-parse.html:
+        * media/controls/track-menu.html:
+        * platform/mac-elcapitan/fast/css/getComputedStyle/computed-style-font-family-expected.txt:
+        * platform/mac-elcapitan/fast/text/font-stretch-parse-expected.txt:
+        * platform/mac-elcapitan/fast/text/font-style-parse-expected.txt:
+        * platform/mac-elcapitan/fast/text/font-weight-parse-expected.txt:
+-06-09  Brady Eidson  <beidson@apple.com>
+        Crash when IndexedDB's getAll is used inside a Web Worker.
+        https://bugs.webkit.org/show_bug.cgi?id=172434
+        Reviewed by Andy Estes.
+        * storage/indexeddb/modern/resources/worker-getall.js: Added.
+        * storage/indexeddb/modern/worker-getall-expected.txt: Added.
+        * storage/indexeddb/modern/worker-getall.html: Added.
+-06-08  Ryosuke Niwa  <rniwa@webkit.org>
+        Crash inside InsertNodeBeforeCommand via InsertParagraphSeparatorCommand
+        https://bugs.webkit.org/show_bug.cgi?id=173085
+        Reviewed by Wenson Hsieh.
+        Added a regresion test.
+        * editing/inserting/insert-horizontal-rule-in-empty-document-crash-expected.txt: Added.
+        * editing/inserting/insert-horizontal-rule-in-empty-document-crash.html: Added.
+-06-08  Xabier Rodriguez Calvar  <calvaris@igalia.com>
+        MediaTime class has rounding issues in different platforms
+        https://bugs.webkit.org/show_bug.cgi?id=172640
+        Reviewed by Jer Noble.
+        Update expectations because the MediaTime printing changed, but
+        results are the same.
+        * media/media-source/media-source-overlapping-append-expected.txt:
+        * media/media-source/media-source-overlapping-decodetime-expected.txt:
+        * media/media-source/media-source-seek-back-expected.txt:
+        * media/media-source/media-source-sequence-timestamps-expected.txt:
+        * media/media-source/media-source-timeoffset-expected.txt:
+-06-06  Zalan Bujtas  <zalan@apple.com>
+        Safari doesn't load newest The Order of the Stick comic.
+        https://bugs.webkit.org/show_bug.cgi?id=172949
+        <rdar://problem/32389730>
+        Reviewed by Antti Koivisto.
+        * fast/table/floating-table-sibling-is-invisible-expected.html: Added.
+        * fast/table/floating-table-sibling-is-invisible.html: Added.
+-06-05  Chris Dumez  <cdumez@apple.com>
+        ASSERTION FAILED: RunLoop::isMain() in com.apple.WebKit: IPC::Connection::sendSyncMessage + 128
+        https://bugs.webkit.org/show_bug.cgi?id=172943
+        <rdar://problem/31288058>
+        Reviewed by Alexey Proskuryakov.
+        Make test clean a little bit more robust.
+        * storage/domstorage/sessionstorage/set-item-synchronous-keydown.html:
+-06-05  Chris Dumez  <cdumez@apple.com>
+        ASSERTION FAILED: RunLoop::isMain() in com.apple.WebKit: IPC::Connection::sendSyncMessage + 128
+        https://bugs.webkit.org/show_bug.cgi?id=172943
+        <rdar://problem/31288058>
+        Reviewed by Alexey Proskuryakov.
+        Add better test coverage.
+        * storage/domstorage/sessionstorage/set-item-synchronous-keydown-expected.txt: Added.
+        * storage/domstorage/sessionstorage/set-item-synchronous-keydown.html: Added.
+-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
+        [GTK] Stop dismissing menus attached to the web view for every injected event
+        https://bugs.webkit.org/show_bug.cgi?id=172708
+        Reviewed by Alex Christensen.
+        * editing/selection/5354455-1.html: No need to click on editable area to focus it, contextClick already focuses
+        it, we even have another test to ensure it. Those fast clicks were causing a double click in GTK+ port which
+        selected the whole line. We don't need to dismiss the context menu either, because contextClick() doesn't really
+        show the menu.
+        * fast/events/context-activated-by-key-event.html: Dismiss the context menu every time we show it.
+        * fast/events/mouse-click-events.html: Dimiss the context menu when testing right click events.
+-05-30  Adrian Perez de Castro  <aperez@igalia.com>
+        [GTK] Test cases for typehead in form menu lists should start from known state
+        https://bugs.webkit.org/show_bug.cgi?id=171792
+        Reviewed by Carlos Garcia Campos.
+        Since r215188 opening a popup menu in a form pre-selects the active
+        element to mimic GtkComboxBox behavior, but the layout test implicitly
+        assumed that type ahead search always started the beginning of the
+        list, which is no longer true now that GTK+ is informed of which one
+        is the active element.
+        * platform/gtk/fast/forms/menulist-typeahead-find.html: Reset menu
+        list to the initial state (no element selected, unfocused) at the
+        beginning of testTypeAheadFunction().
+-05-25  Chris Dumez  <cdumez@apple.com>
+        imported/w3c/web-platform-tests/html/semantics/forms/form-control-infrastructure/form_owner_and_table_2.html is crashing
+        https://bugs.webkit.org/show_bug.cgi?id=172628
+        <rdar://problem/32418707>
+        Reviewed by Sam Weinig.
+        Add reduced test case.
+        * TestExpectations:
+        Unskip test that is no longer crashing in debug builds.
+        * fast/dom/HTMLFormElement/form-removed-during-parsing-crash-expected.txt: Added.
+        * fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html: Added.
+-05-25  Zalan Bujtas  <zalan@apple.com>
+        Frame's composited content is visible when the frame has visibility: hidden.
+        https://bugs.webkit.org/show_bug.cgi?id=125565
+        <rdar://problem/32196849>
+        Reviewed by Simon Fraser.
+        * compositing/resources/visibility.html: Added.
+        * compositing/visibility/frameset-visibility-hidden-expected.html: Added.
+        * compositing/visibility/frameset-visibility-hidden.html: Added.
+        * compositing/visibility/iframe-visibility-hidden-expected.html: Added.
+        * compositing/visibility/iframe-visibility-hidden.html: Added.
+        * compositing/visibility/object-visibility-hidden-expected.html: Added.
+        * compositing/visibility/object-visibility-hidden.html: Added.
+-05-25  Chris Dumez  <cdumez@apple.com>
+        DocumentThreadableLoader::redirectReceived() should not rely on the resource's loader
+        https://bugs.webkit.org/show_bug.cgi?id=172578
+        <rdar://problem/30754582>
+        Reviewed by Youenn Fablet.
+        Add layout test coverage.
+        * http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash-expected.txt: Added.
+        * http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash.html: Added.
+-05-24  Jiewen Tan  <jiewen_tan@apple.com>
+        Crash on WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance + 1195
+        https://bugs.webkit.org/show_bug.cgi?id=172555
+        <rdar://problem/32004724>
+        Reviewed by Ryosuke Niwa.
+        * editing/selection/resources/select-iframe-focusin-document-crash-frame.html: Added.
+        * editing/selection/select-iframe-focusin-document-crash-expected.txt: Added.
+        * editing/selection/select-iframe-focusin-document-crash.html: Added.
+-03-24  Brent Fulgham  <bfulgham@apple.com>
+        Handle recursive calls to ProcessingInstruction::checkStyleSheet
+        https://bugs.webkit.org/show_bug.cgi?id=169982
+        <rdar://problem/31083051>
+        Reviewed by Antti Koivisto.
+        * fast/dom/beforeload/image-removed-during-before-load-expected.txt: Copied from LayoutTests/fast/dom/beforeload/image-removed-during-before-load-expected.txt.
+        * fast/dom/beforeload/image-removed-during-before-load.html: Copied from LayoutTests/fast/dom/beforeload/image-removed-during-before-load.html.
+        * fast/dom/beforeload/recursive-css-pi-before-load-expected.txt: Copied from LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load-expected.txt.
+        * fast/dom/beforeload/recursive-css-pi-before-load.html: Copied from LayoutTests/fast/dom/beforeload/recursive-css-pi-before-load.html.
+        * fast/dom/beforeload/recursive-link-before-load-expected.txt: Copied from LayoutTests/fast/dom/beforeload/recursive-link-before-load-expected.txt.
+        * fast/dom/beforeload/recursive-link-before-load.html: Copied from LayoutTests/fast/dom/beforeload/recursive-link-before-load.html.
+        * fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt: Copied from LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load-expected.txt.
+        * fast/dom/beforeload/recursive-xsl-pi-before-load.html: Copied from LayoutTests/fast/dom/beforeload/recursive-xsl-pi-before-load.html.
+        * fast/dom/beforeload/resources/content.xhtml: Copied from LayoutTests/fast/dom/beforeload/resources/content.xhtml.
+        * fast/dom/beforeload/resources/pass.css: Copied from LayoutTests/fast/dom/beforeload/resources/pass.css.
+        * fast/dom/beforeload/resources/test.xsl: Copied from LayoutTests/fast/dom/beforeload/resources/test.xsl.
 -03-22  Jiewen Tan  <jiewen_tan@apple.com>

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/mac/alt-for-css-content-expected.txt ¶

r217367	r219817
40	40	AXValue: ALTERNATIVE CONTENT TEST6
41	41
42		alt accessed through Javascript: ~~'ALTERNATIVE CONTENT TEST2'~~
	42	alt accessed through Javascript: "ALTERNATIVE CONTENT TEST2"
43	43	Test7 - alt does not apply to DOM nodes.
44	44	AXRole: AXImage

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/mac/webkit-alt-for-css-content-expected.txt ¶

r217367	r219817
40	40	AXValue: ALTERNATIVE CONTENT TEST6
41	41
42		WebKitAlt accessed through Javascript: ~~'ALTERNATIVE CONTENT TEST2'~~
	42	WebKitAlt accessed through Javascript: "ALTERNATIVE CONTENT TEST2"
43	43	Test7 - webkit-alt does not apply to DOM nodes.
44	44	AXRole: AXImage

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/crypto/webkitSubtle/argument-conversion-expected.txt ¶

-              r217367
+              r219817
 Passing invalid data to digest()
 PASS crypto.webkitSubtle.digest({name: 'sha-1'}) threw exception TypeError: Not enough arguments.
 PASS crypto.webkitSubtle.digest({name: 'sha-1'}, null) threw exception TypeError: Only ArrayBuffer and ArrayBufferView objects can be passed as CryptoOperationData.
 PASS crypto.webkitSubtle.digest({name: 'sha-1'}, 10) threw exception TypeError: Only ArrayBuffer and ArrayBufferView objects can be passed as CryptoOperationData.
 PASS crypto.webkitSubtle.digest({name: 'sha-1'}, [10]) threw exception TypeError: Only ArrayBuffer and ArrayBufferView objects can be passed as CryptoOperationData.
 PASS crypto.webkitSubtle.digest({name: 'sha-1'}, [new Uint8Array([0])]) threw exception TypeError: Only ArrayBuffer and ArrayBufferView objects can be passed as CryptoOperationData.
+PASS crypto.webkitSubtle.digest({name: 'sha-1'}, null) threw exception TypeError: Type error.
+PASS crypto.webkitSubtle.digest({name: 'sha-1'}, 10) threw exception TypeError: Type error.
+PASS crypto.webkitSubtle.digest({name: 'sha-1'}, [10]) threw exception TypeError: Type error.
+PASS crypto.webkitSubtle.digest({name: 'sha-1'}, [new Uint8Array([0])]) threw exception TypeError: Type error.
 Passing invalid algorithmIdentifiers to digest()

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/editing/pasteboard/cjk-line-height-expected.txt ¶

r217367	r219817
2	2	To manually test, copy and paste the selected content below. WebKit should not generate line-height property in the pasted content.
3	3	\| <span>
4		\| style="font-family: ~~'Hiragino Kaku Gothic ProN'~~;"
	4	\| style="font-family: "Hiragino Kaku Gothic ProN";"
5	5	\| "hello<#selection-caret>"
6	6	\| <br>

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/editing/selection/5354455-1.html ¶

-              r217367
+              r219817
     y = paragraph.offsetParent.offsetTop + paragraph.offsetTop + paragraph.offsetHeight / 2;
     eventSender.mouseMoveTo(x, y);
-    // Give the editable region focus.
-    eventSender.mouseDown();
-    eventSender.mouseUp();
     // Right click on the paragraph break to select it.
     eventSender.contextClick();
+    // esc key to kill the context menu.
+    eventSender.keyDown(String.fromCharCode(0x001B), null);
     document.getElementById(result).innerHTML = window.getSelection().type;
+}

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/alt-inherit-initial-expected.txt ¶

r217367	r219817
12	12	testDiv.style['alt'] = 'initial'
13	13	PASS testDiv.style['alt'] is "initial"
14		PASS window.getComputedStyle(testDiv).getPropertyValue('alt') is "''"
	14	PASS window.getComputedStyle(testDiv).getPropertyValue('alt') is "\"\""
15	15	PASS successfullyParsed is true
16	16

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/alt-inherit-initial.html ¶

r217367	r219817
31	31	evalAndLog("testDiv.style['alt'] = 'initial'");
32	32	shouldBeEqualToString("testDiv.style['alt']", "initial");
33		shouldBeEqualToString("window.getComputedStyle(testDiv).getPropertyValue('alt')", ~~"''"~~);
	33	shouldBeEqualToString("window.getComputedStyle(testDiv).getPropertyValue('alt')", `""`);
34	34
35	35	</script>

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/content-language-comma-separated-list-expected.txt ¶

r217367	r219817
1	1	Test for bug 76701: map HTTP-EQUIV content-language to -webkit-locale. This particular test tests that a comma-separated list of languages is ignored. This expectation may change, see bug. The HTML5 spec says that content-language should not have multiple languages, and decrees that a content-language containing a comma be ignored; this position has been upheld following significant debate. Firefox accepts a comma-separated list and a CSS :lang selector for any language in the list is matched. It's unclear what IE does.
2	2
3		FAIL languageOfNode('x') should be auto. Was ~~'ja, zh_CN'~~.
	3	FAIL languageOfNode('x') should be auto. Was "ja, zh_CN".
4	4	PASS languageOfNode('y') is "ar"
5	5	PASS successfullyParsed is true

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/content-language-empty-expected.txt ¶

r217367	r219817
1	1	Test for bug 76701: map HTTP-EQUIV content-language to -webkit-locale. This particular test tests that a content-language of empty string is ignored. This expectation may change, see bug. HTML5 decrees that the meta element be ignored in case of the empty string. It's unclear what other browsers do.
2	2
3		FAIL languageOfNode('x') should be auto. Was ''.
	3	FAIL languageOfNode('x') should be auto. Was "".
4	4	PASS languageOfNode('y') is "ar"
5	5	PASS successfullyParsed is true

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/content-language-only-whitespace-expected.txt ¶

r217367	r219817
1	1	Test for bug 76701: map HTTP-EQUIV content-language to -webkit-locale. This particular test tests that a content-language with whitespace-only content is ignored. This expectation may change, see bug. HTML5 decrees that the meta element be ignored in case of whitespace only content. It's unclear what other browsers do.
2	2
3		FAIL languageOfNode('x') should be auto. Was ~~' \9 \a '~~.
	3	FAIL languageOfNode('x') should be auto. Was " \9 \a ".
4	4	PASS languageOfNode('y') is "ar"
5	5	PASS successfullyParsed is true

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/content-language-with-whitespace-expected.txt ¶

r217367	r219817
1	1	Test for bug 76701: map HTTP-EQUIV content-language to -webkit-locale. This particular test tests that the the pragma-set default language is set to the first sequence of non-whitespace characters of the content-language content. This expectation may change, see bug. This expectation is as per the HTML 5 spec. It appears that Firefox does not exactly do this, but trims the leading and trailing whitespace. It's unclear what IE does.
2	2
3		FAIL languageOfNode('x') should be ja_JP. Was ~~' \a \9 \9 ja-JP \9 zh_CN \9 \a \a \9 \9 '~~.
	3	FAIL languageOfNode('x') should be ja_JP. Was " \a \9 \9 ja-JP \9 zh_CN \9 \a \a \9 \9 ".
4	4	PASS languageOfNode('y') is "ar"
5	5	PASS successfullyParsed is true

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/counters/counter-cssText-expected.txt ¶

-              r217367
+              r219817
 PASS rules[2].style.cssText is "content: counter(section, decimal);"
 PASS rules[3].style.cssText is "content: counters(section, ':', decimal);"
+PASS rules[3].style.cssText is "content: counters(section, \":\", decimal);"
 PASS rules[4].style.cssText is "content: counter(section, lower-roman);"
 PASS rules[5].style.cssText is "content: counters(section, ',', upper-roman);"
+PASS rules[5].style.cssText is "content: counters(section, \",\", upper-roman);"
 PASS rules[6].style.cssText is "content: counter(section, none);"
 PASS successfullyParsed is true

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/counters/counter-cssText.html ¶

-              r217367
+              r219817
 description("Test the cssText output of counter-valued CSSPrimitiveValues");
 var rules = document.styleSheets[0].cssRules;
 shouldBeEqualToString("rules[2].style.cssText", "content: counter(section, decimal);");
 shouldBeEqualToString("rules[3].style.cssText", "content: counters(section, ':', decimal);");
 shouldBeEqualToString("rules[4].style.cssText", "content: counter(section, lower-roman);");
 shouldBeEqualToString("rules[5].style.cssText", "content: counters(section, ',', upper-roman);");
 shouldBeEqualToString("rules[6].style.cssText", "content: counter(section, none);");
+shouldBeEqualToString("rules[2].style.cssText", `content: counter(section, decimal);`);
+shouldBeEqualToString("rules[3].style.cssText", `content: counters(section, ":", decimal);`);
+shouldBeEqualToString("rules[4].style.cssText", `content: counter(section, lower-roman);`);
+shouldBeEqualToString("rules[5].style.cssText", `content: counters(section, ",", upper-roman);`);
+shouldBeEqualToString("rules[6].style.cssText", `content: counter(section, none);`);
 </script>
 <script src="../../../resources/js-test-post.js"></script>

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/font-family-trailing-bracket-gunk-expected.txt ¶

-              r217367
+              r219817
 PASS spanElement.innerHTML is 'foo'
 PASS computedStyle.getPropertyValue('font-family') is "'Arial [ding dong]', 'Helvetica [Xft]', Courier"
+PASS spanElement.innerHTML is "foo"
+PASS computedStyle.getPropertyValue('font-family') is "\"Arial [ding dong]\", \"Helvetica [Xft]\", Courier"
 PASS successfullyParsed is true

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/font-family-trailing-bracket-gunk.html ¶

-              r217367
+              r219817
 var computedStyle = window.getComputedStyle(spanElement);
 shouldBe("spanElement.innerHTML", "'foo'");
 shouldBe("computedStyle.getPropertyValue('font-family')", "\"'Arial [ding dong]', 'Helvetica [Xft]', Courier\"");
+shouldBeEqualToString("spanElement.innerHTML", "foo");
+shouldBeEqualToString("computedStyle.getPropertyValue('font-family')", `"Arial [ding dong]", "Helvetica [Xft]", Courier`);
 document.body.removeChild(spanElement);

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/computed-style-font-family-expected.txt ¶

r217367	r219817
1	1	Font attributes. The font-family should list three families:
2	2
3		font-family: monospace, ~~'Lucida Grande'~~, sans-serif;
	3	font-family: monospace, "Lucida Grande", sans-serif;
4	4	font-size: 16px;
5	5	font-style: normal;

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/computed-style-properties-expected.txt ¶

-              r217367
+              r219817
 PASS computedStyleFor('outline', null, 'outline-offset') is '5px'
 PASS computedStyleFor('content', 'before', 'content') is 'text'
 PASS computedStyleFor('content', 'after', 'content') is "'test ' url(data:image/gif;base64,R0lGODlhAQABAJAAAP8AAAAAACwAAAAAAQABAAACAgQBADs=)"
 PASS computedStyleFor('counter', null, 'counter-reset') is 'section 0'
+PASS computedStyleFor('content', 'before', 'content') is "text"
+PASS computedStyleFor('content', 'after', 'content') is "\"test \" url(data:image/gif;base64,R0lGODlhAQABAJAAAP8AAAAAACwAAAAAAQABAAACAgQBADs=)"
+PASS computedStyleFor('counter', null, 'counter-reset') is "section 0"
 PASS str.indexOf('subsection 0') != -1 is true
 PASS str.indexOf('anothercounter 5') != -1 is true
 PASS computedStyleFor('counter1', 'before', 'counter-increment') is 'section 1'
 PASS computedStyleFor('subcounter2', 'before', 'counter-increment') is 'subsection 1'
 PASS computedStyleFor('subcounter2', 'before', 'content') is "counter(section) '.' counter(subsection) '. '"
+PASS computedStyleFor('counter1', 'before', 'counter-increment') is "section 1"
+PASS computedStyleFor('subcounter2', 'before', 'counter-increment') is "subsection 1"
+PASS computedStyleFor('subcounter2', 'before', 'content') is "counter(section) \".\" counter(subsection) \". \""
 PASS successfullyParsed is true

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/computed-style-properties.html ¶

-              r217367
+              r219817
 shouldBe("computedStyleFor('outline', null, 'outline-offset')", "'5px'");
 shouldBe("computedStyleFor('content', 'before', 'content')", "'text'");
 shouldBe("computedStyleFor('content', 'after', 'content')", '"\'test \' url(data:image/gif;base64,R0lGODlhAQABAJAAAP8AAAAAACwAAAAAAQABAAACAgQBADs=)"');
 shouldBe("computedStyleFor('counter', null, 'counter-reset')", "'section 0'");
+shouldBeEqualToString("computedStyleFor('content', 'before', 'content')", "text");
+shouldBeEqualToString("computedStyleFor('content', 'after', 'content')", `"test " url(data:image/gif;base64,R0lGODlhAQABAJAAAP8AAAAAACwAAAAAAQABAAACAgQBADs=)`);
+shouldBeEqualToString("computedStyleFor('counter', null, 'counter-reset')", "section 0");
 var str = computedStyleFor('subcounter', null, 'counter-reset');
 shouldBe("str.indexOf('subsection 0') != -1", "true");
 shouldBe("str.indexOf('anothercounter 5') != -1", "true");
 shouldBe("computedStyleFor('counter1', 'before', 'counter-increment')", "'section 1'");
 shouldBe("computedStyleFor('subcounter2', 'before', 'counter-increment')", "'subsection 1'");
 shouldBe("computedStyleFor('subcounter2', 'before', 'content')", '"counter(section) \'.\' counter(subsection) \'. \'"');
+shouldBeEqualToString("computedStyleFor('counter1', 'before', 'counter-increment')", "section 1");
+shouldBeEqualToString("computedStyleFor('subcounter2', 'before', 'counter-increment')", "subsection 1");
+shouldBeEqualToString("computedStyleFor('subcounter2', 'before', 'content')", `counter(section) "." counter(subsection) ". "`);
 </script>
 <script src="../../../resources/js-test-post.js"></script>

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/font-family-fallback-reset-expected.txt ¶

r217367	r219817
4	4
5	5
6		PASS window.getComputedStyle(outerDiv, null).fontFamily is "~~'courier new'~~, cursive"
	6	PASS window.getComputedStyle(outerDiv, null).fontFamily is "\"courier new\", cursive"
7	7	PASS window.getComputedStyle(timesDiv, null).fontFamily is "foo"
8	8	PASS window.getComputedStyle(cursiveDiv, null).fontFamily is "cursive"

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/script-tests/font-family-fallback-reset.js ¶

r217367	r219817
11	11	'</div>';
12	12
13		shouldBeEqualToString("window.getComputedStyle(outerDiv, null).fontFamily", ~~"'courier new', cursive"~~);
	13	shouldBeEqualToString("window.getComputedStyle(outerDiv, null).fontFamily", `"courier new", cursive`);
14	14	shouldBeEqualToString("window.getComputedStyle(timesDiv, null).fontFamily", "foo");
15	15	shouldBeEqualToString("window.getComputedStyle(cursiveDiv, null).fontFamily", "cursive");

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/lang-mapped-to-webkit-locale-expected.txt ¶

-              r217367
+              r219817
 PASS languageOfNode('q4') is "ar"
 PASS languageOfNode('q5') is "auto"
 PASS languageOfNode('q6') is "'  '"
+PASS languageOfNode('q6') is "\"  \""
 PASS languageOfNode('q7') is "auto"
 PASS languageOfNode('q8') is "xyzzy"
 PASS languageOfNode('q9') is "'][;][['"
+PASS languageOfNode('q9') is "\"][;][[\""
 PASS successfullyParsed is true

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/lang-mapped-to-webkit-locale.xhtml ¶

-              r217367
+              r219817
 shouldBeEqualToString("languageOfNode('q4')", "ar");
 shouldBeEqualToString("languageOfNode('q5')", "auto");
 shouldBeEqualToString("languageOfNode('q6')", "'  '");
+shouldBeEqualToString("languageOfNode('q6')", `"  "`);
 shouldBeEqualToString("languageOfNode('q7')", "auto");
 shouldBeEqualToString("languageOfNode('q8')", "xyzzy");
 shouldBeEqualToString("languageOfNode('q9')", "'][;][['");
+shouldBeEqualToString("languageOfNode('q9')", `"][;][["`);
 var successfullyParsed = true;

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/uri-token-parsing-expected.txt ¶

-              r217367
+              r219817
 #h { content: url(e); }
 #i { content: url(f); }
 #j { content: url('url(g)'); }
+#j { content: url("url(g)"); }
 #l { content: url(c); }
 #m { content: url(d); }
 #n { content: url(e); }
 #o { content: url(f); }
 #p { content: url('url(g)'); }
 #q { cursor: url('url(q)'), default; }
 #r { list-style-image: url('url(r)'); }
 #s { background-image: url('url(s)'); }
 #t { -webkit-mask-image: url('url(t)'); }
 #u { -webkit-border-image: url('url(u)') 1 2 3 4 fill stretch round; }
 #v { -webkit-mask-box-image: url('url(v)') 1 2 3 4 fill stretch round; }
+#p { content: url("url(g)"); }
+#q { cursor: url("url(q)"), default; }
+#r { list-style-image: url("url(r)"); }
+#s { background-image: url("url(s)"); }
+#t { -webkit-mask-image: url("url(t)"); }
+#u { -webkit-border-image: url("url(u)") 1 2 3 4 fill stretch round; }
+#v { -webkit-mask-box-image: url("url(v)") 1 2 3 4 fill stretch round; }
 #w { content: url(ww); }
 #x { content: url(x%20xx); }
 …
 #h { content: url(e); }
 #i { content: url(f); }
 #j { content: url('url(g)'); }
+#j { content: url("url(g)"); }
 #l { content: url(c); }
 #m { content: url(d); }
 #n { content: url(e); }
 #o { content: url(f); }
 #p { content: url('url(g)'); }
 #q { cursor: url('url(q)'), default; }
 #r { list-style-image: url('url(r)'); }
 #s { background-image: url('url(s)'); }
 #t { -webkit-mask-image: url('url(t)'); }
 #u { -webkit-border-image: url('url(u)') 1 2 3 4 fill stretch round; }
 #v { -webkit-mask-box-image: url('url(v)') 1 2 3 4 fill stretch round; }
+#p { content: url("url(g)"); }
+#q { cursor: url("url(q)"), default; }
+#r { list-style-image: url("url(r)"); }
+#s { background-image: url("url(s)"); }
+#t { -webkit-mask-image: url("url(t)"); }
+#u { -webkit-border-image: url("url(u)") 1 2 3 4 fill stretch round; }
+#v { -webkit-mask-box-image: url("url(v)") 1 2 3 4 fill stretch round; }
 #w { content: url(ww); }
 #x { content: url(x%20xx); }

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/uri-token-parsing.html ¶

-              r217367
+              r219817
 #h { content: url(e); }
 #i { content: url(f); }
 #j { content: url('url(g)'); }
+#j { content: url("url(g)"); }
 #l { content: url(c); }
 #m { content: url(d); }
 #n { content: url(e); }
 #o { content: url(f); }
 #p { content: url('url(g)'); }
 #q { cursor: url('url(q)'), default; }
 #r { list-style-image: url('url(r)'); }
 #s { background-image: url('url(s)'); }
 #t { -webkit-mask-image: url('url(t)'); }
 #u { -webkit-border-image: url('url(u)') 1 2 3 4 fill stretch round; }
 #v { -webkit-mask-box-image: url('url(v)') 1 2 3 4 fill stretch round; }
+#p { content: url("url(g)"); }
+#q { cursor: url("url(q)"), default; }
+#r { list-style-image: url("url(r)"); }
+#s { background-image: url("url(s)"); }
+#t { -webkit-mask-image: url("url(t)"); }
+#u { -webkit-border-image: url("url(u)") 1 2 3 4 fill stretch round; }
+#v { -webkit-mask-box-image: url("url(v)") 1 2 3 4 fill stretch round; }
 #w { content: url(ww); }
 #x { content: url(x%20xx); }

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/events/context-activated-by-key-event.html ¶

-              r217367
+              r219817
   document.getElementById('result').appendChild(document.createTextNode(text));
   document.getElementById('result').appendChild(document.createElement("br"));
+}
+function dismissContextMenu() {
+  if (window.eventSender) {
+    // esc key to kill the context menu.
+    eventSender.keyDown(String.fromCharCode(0x001B), null);
+  }
+}
 …
 if (window.testRunner) {
   eventSender.keyDown('menu');
+  dismissContextMenu();
   var rect = document.getElementById('contenteditable').getBoundingClientRect();
 …
   eventSender.mouseUp();
   eventSender.keyDown('menu');
+  dismissContextMenu();
   document.getElementById('link').focus();
   eventSender.keyDown('menu');
+  dismissContextMenu();
   window.getSelection().selectAllChildren(document.getElementById('contenteditable'));
   eventSender.keyDown('menu');
+  dismissContextMenu();
   testRunner.dumpAsText();

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/events/script-tests/mouse-click-events.js ¶

-              r217367
+              r219817
+}
+function dismissContextMenu() {
+    if (window.eventSender) {
+        // esc key to kill the context menu.
+        eventSender.keyDown(String.fromCharCode(0x001B), null);
+    }
+}
 div.addEventListener("click", appendEventLog, false);
 div.addEventListener("dblclick", appendEventLog, false);
 …
+    }
     eventSender.mouseDown(button);
+    if (button == 2)
+        dismissContextMenu();
     eventSender.mouseUp(button);
     eventSender.mouseDown(button);
+    if (button == 2)
+        dismissContextMenu();
     eventSender.mouseUp(button);
     // could test dragging here too

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/inspector-support/cssURLQuotes-expected.txt ¶

r217367	r219817
1	1	ALERT: url(file:///unquoted) (URL should not be quoted)
2	2	ALERT: url(file:///noQuotesNeeded) (URL should not be quoted)
3		ALERT: url(~~'file:///should(Quote)'~~) (URL should be quoted)
	3	ALERT: url("file:///should(Quote)") (URL should be quoted)
4	4

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/inspector-support/style-expected.txt ¶

r217367	r219817
21	21	font-size: 24px (original property was font)
22	22	line-height: normal (original property was font and property was implicitly set.)
23		font-family: ~~'Lucida Grande'~~ (original property was font)
	23	font-family: "Lucida Grande" (original property was font)
24	24

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/imported/w3c/ChangeLog ¶

-              r217367
+              r219817
+-06-17  Ryosuke Niwa  <rniwa@webkit.org>
+        REGRESSION(r209495): materiauxlaverdure.com fails to load
+        https://bugs.webkit.org/show_bug.cgi?id=173301
+        <rdar://problem/32624850>
+        Reviewed by Antti Koivisto.
+        Rebaselined the tests that are now passing.
+        * web-platform-tests/cssom/CSSNamespaceRule-expected.txt:
+        * web-platform-tests/cssom/serialize-values-expected.txt:
 -05-18  Daniel Bates  <dabates@apple.com>

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/controls/track-menu.html ¶

r217367	r219817
78	78	tester.test("First menu item checkmark image is visible")
79	79	.value(getComputedStyle(checkImage).content)
80		.contains(~~"url('data:image/svg+xml,<svg xmlns="~~);
	80	.contains('url("data:image/svg+xml,<svg xmlns=');
81	81
82	82	var menuItem = menuList.children[1];

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-overlapping-append-expected.txt ¶

-              r217367
+              r219817
 EVENT(updateend)
 EXPECTED (bufferedSamples.length == '6') OK
 {PTS({0/1000, 0.000000}), DTS({0/1000, 0.000000}), duration({1000/1000, 1.000000}), flags(1), generation(0)}
 {PTS({1000/1000, 1.000000}), DTS({1000/1000, 1.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({2000/1000, 2.000000}), DTS({2000/1000, 2.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({3000/1000, 3.000000}), DTS({3000/1000, 3.000000}), duration({1000/1000, 1.000000}), flags(1), generation(0)}
 {PTS({4000/1000, 4.000000}), DTS({4000/1000, 4.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({5000/1000, 5.000000}), DTS({5000/1000, 5.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
+{PTS({0/1000 = 0.000000}), DTS({0/1000 = 0.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(0)}
+{PTS({1000/1000 = 1.000000}), DTS({1000/1000 = 1.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({2000/1000 = 2.000000}), DTS({2000/1000 = 2.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({3000/1000 = 3.000000}), DTS({3000/1000 = 3.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(0)}
+{PTS({4000/1000 = 4.000000}), DTS({4000/1000 = 4.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({5000/1000 = 5.000000}), DTS({5000/1000 = 5.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
 RUN(sourceBuffer.appendBuffer(samples))
 EVENT(updateend)
 EXPECTED (bufferedSamples.length == '6') OK
 {PTS({0/1000, 0.000000}), DTS({0/1000, 0.000000}), duration({1000/1000, 1.000000}), flags(1), generation(1)}
 {PTS({1000/1000, 1.000000}), DTS({1000/1000, 1.000000}), duration({1000/1000, 1.000000}), flags(0), generation(1)}
 {PTS({2000/1000, 2.000000}), DTS({2000/1000, 2.000000}), duration({1000/1000, 1.000000}), flags(0), generation(1)}
 {PTS({3000/1000, 3.000000}), DTS({3000/1000, 3.000000}), duration({1000/1000, 1.000000}), flags(1), generation(1)}
 {PTS({4000/1000, 4.000000}), DTS({4000/1000, 4.000000}), duration({1000/1000, 1.000000}), flags(0), generation(1)}
 {PTS({5000/1000, 5.000000}), DTS({5000/1000, 5.000000}), duration({1000/1000, 1.000000}), flags(0), generation(1)}
+{PTS({0/1000 = 0.000000}), DTS({0/1000 = 0.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(1)}
+{PTS({1000/1000 = 1.000000}), DTS({1000/1000 = 1.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(1)}
+{PTS({2000/1000 = 2.000000}), DTS({2000/1000 = 2.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(1)}
+{PTS({3000/1000 = 3.000000}), DTS({3000/1000 = 3.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(1)}
+{PTS({4000/1000 = 4.000000}), DTS({4000/1000 = 4.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(1)}
+{PTS({5000/1000 = 5.000000}), DTS({5000/1000 = 5.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(1)}
 RUN(sourceBuffer.appendBuffer(samples))
 EVENT(updateend)
 EXPECTED (bufferedSamples.length == '6') OK
 {PTS({0/1000, 0.000000}), DTS({0/1000, 0.000000}), duration({1000/1000, 1.000000}), flags(1), generation(2)}
 {PTS({2000/1000, 2.000000}), DTS({1000/1000, 1.000000}), duration({1000/1000, 1.000000}), flags(0), generation(2)}
 {PTS({1000/1000, 1.000000}), DTS({2000/1000, 2.000000}), duration({1000/1000, 1.000000}), flags(0), generation(2)}
 {PTS({3000/1000, 3.000000}), DTS({3000/1000, 3.000000}), duration({1000/1000, 1.000000}), flags(1), generation(2)}
 {PTS({5000/1000, 5.000000}), DTS({4000/1000, 4.000000}), duration({1000/1000, 1.000000}), flags(0), generation(2)}
 {PTS({4000/1000, 4.000000}), DTS({5000/1000, 5.000000}), duration({1000/1000, 1.000000}), flags(0), generation(2)}
+{PTS({0/1000 = 0.000000}), DTS({0/1000 = 0.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(2)}
+{PTS({2000/1000 = 2.000000}), DTS({1000/1000 = 1.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(2)}
+{PTS({1000/1000 = 1.000000}), DTS({2000/1000 = 2.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(2)}
+{PTS({3000/1000 = 3.000000}), DTS({3000/1000 = 3.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(2)}
+{PTS({5000/1000 = 5.000000}), DTS({4000/1000 = 4.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(2)}
+{PTS({4000/1000 = 4.000000}), DTS({5000/1000 = 5.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(2)}
 END OF TEST

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-overlapping-decodetime-expected.txt ¶

-              r217367
+              r219817
 EVENT(updateend)
 EXPECTED (bufferedSamples.length == '7') OK
 {PTS({0/1000, 0.000000}), DTS({0/1000, 0.000000}), duration({1000/1000, 1.000000}), flags(1), generation(0)}
 {PTS({1000/1000, 1.000000}), DTS({1000/1000, 1.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({2000/1000, 2.000000}), DTS({2000/1000, 2.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({3000/1000, 3.000000}), DTS({3000/1000, 3.000000}), duration({1000/1000, 1.000000}), flags(1), generation(0)}
 {PTS({4000/1000, 4.000000}), DTS({3000/1000, 3.000000}), duration({1000/1000, 1.000000}), flags(1), generation(1)}
 {PTS({5000/1000, 5.000000}), DTS({4000/1000, 4.000000}), duration({1000/1000, 1.000000}), flags(0), generation(1)}
 {PTS({6000/1000, 6.000000}), DTS({5000/1000, 5.000000}), duration({1000/1000, 1.000000}), flags(0), generation(1)}
+{PTS({0/1000 = 0.000000}), DTS({0/1000 = 0.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(0)}
+{PTS({1000/1000 = 1.000000}), DTS({1000/1000 = 1.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({2000/1000 = 2.000000}), DTS({2000/1000 = 2.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({3000/1000 = 3.000000}), DTS({3000/1000 = 3.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(0)}
+{PTS({4000/1000 = 4.000000}), DTS({3000/1000 = 3.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(1)}
+{PTS({5000/1000 = 5.000000}), DTS({4000/1000 = 4.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(1)}
+{PTS({6000/1000 = 6.000000}), DTS({5000/1000 = 5.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(1)}
 END OF TEST

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-seek-back-expected.txt ¶

r217367	r219817
13	13	EVENT(seeked)
14	14	EXPECTED (enqueuedSamples.length == '1') OK
15		{PTS({0/1000~~, 0.000000}), DTS({0/1000, 0.000000}), duration({1000/1000,~~ 1.000000}), flags(1), generation(0)}
	15	{PTS({0/1000 = 0.000000}), DTS({0/1000 = 0.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(0)}
16	16	END OF TEST
17	17

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-sequence-timestamps-expected.txt ¶

-              r217367
+              r219817
 EVENT(updateend)
 EXPECTED (bufferedSamples.length == '6') OK
 {PTS({0/1, 0.000000}), DTS({0/1, 0.000000}), duration({1000/1000, 1.000000}), flags(1), generation(0)}
 {PTS({1000/1000, 1.000000}), DTS({1000/1000, 1.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({2000/1000, 2.000000}), DTS({2000/1000, 2.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({3000/1000, 3.000000}), DTS({3000/1000, 3.000000}), duration({1000/1000, 1.000000}), flags(1), generation(0)}
 {PTS({4000/1000, 4.000000}), DTS({4000/1000, 4.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({5000/1000, 5.000000}), DTS({5000/1000, 5.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
+{PTS({0/1 = 0.000000}), DTS({0/1 = 0.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(0)}
+{PTS({1000/1000 = 1.000000}), DTS({1000/1000 = 1.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({2000/1000 = 2.000000}), DTS({2000/1000 = 2.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({3000/1000 = 3.000000}), DTS({3000/1000 = 3.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(0)}
+{PTS({4000/1000 = 4.000000}), DTS({4000/1000 = 4.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({5000/1000 = 5.000000}), DTS({5000/1000 = 5.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
 END OF TEST

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-timeoffset-expected.txt ¶

-              r217367
+              r219817
 EVENT(updateend)
 EXPECTED (bufferedSamples.length == '6') OK
 {PTS({100000000/10000000, 10.000000}), DTS({100000000/10000000, 10.000000}), duration({1000/1000, 1.000000}), flags(1), generation(0)}
 {PTS({110000000/10000000, 11.000000}), DTS({110000000/10000000, 11.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({120000000/10000000, 12.000000}), DTS({120000000/10000000, 12.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({130000000/10000000, 13.000000}), DTS({130000000/10000000, 13.000000}), duration({1000/1000, 1.000000}), flags(1), generation(0)}
 {PTS({140000000/10000000, 14.000000}), DTS({140000000/10000000, 14.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
 {PTS({150000000/10000000, 15.000000}), DTS({150000000/10000000, 15.000000}), duration({1000/1000, 1.000000}), flags(0), generation(0)}
+{PTS({100000000/10000000 = 10.000000}), DTS({100000000/10000000 = 10.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(0)}
+{PTS({110000000/10000000 = 11.000000}), DTS({110000000/10000000 = 11.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({120000000/10000000 = 12.000000}), DTS({120000000/10000000 = 12.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({130000000/10000000 = 13.000000}), DTS({130000000/10000000 = 13.000000}), duration({1000/1000 = 1.000000}), flags(1), generation(0)}
+{PTS({140000000/10000000 = 14.000000}), DTS({140000000/10000000 = 14.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
+{PTS({150000000/10000000 = 15.000000}), DTS({150000000/10000000 = 15.000000}), duration({1000/1000 = 1.000000}), flags(0), generation(0)}
 END OF TEST

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/platform/gtk/fast/forms/menulist-typeahead-find.html ¶

-              r217367
+              r219817
     if (!window.eventSender)
         return;
+    // Reset menu list to initial state.
+    menulist.selectedIndex = 0;
+    menulist.blur();
     eventSender.mouseMoveTo(menulist.offsetLeft + (menulist.offsetWidth / 2), menulist.offsetTop + (menulist.offsetHeight / 2));

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog ¶

-              r217367
+              r219817
+-07-24  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Fix the build with GCC 4.9 after merge r217438.
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::StructureForInContext::addGetInst):
+-06-26  Saam Barati  <sbarati@apple.com>
+        Crash in JSC::Lexer<unsigned char>::setCode
+        https://bugs.webkit.org/show_bug.cgi?id=172754
+        Reviewed by Mark Lam.
+        The lexer was asking one of its buffers to reserve initial space that
+        was O(text size in bytes). For large sources, this would end up causing
+        the vector to overflow and crash. This patch changes this code be like
+        the Lexer's other buffers and to only reserve a small starting buffer.
+        * parser/Lexer.cpp:
+        (JSC::Lexer<T>::setCode):
+-04-13  Mark Lam  <mark.lam@apple.com>
+        Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
+        https://bugs.webkit.org/show_bug.cgi?id=170661
+        <rdar://problem/31579046>
+        Reviewed by Filip Pizlo.
+        Previously, we were using flush() to flush the outermost frame's scopeRegister.
+        This is incorrect because flush() expects the VirtualRegister value passed to
+        it to be that of the top most inlined frame.  In the event that we reach a
+        terminal condition while inside an inlined frame, flush() will end up flushing
+        the wrong register.  The fix is simply to use flushDirect() instead.
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::flush):
+-04-20  Mark Lam  <mark.lam@apple.com>
+        virtualThunkFor() needs to materialize its of tagMaskRegister for tail calls.
+        https://bugs.webkit.org/show_bug.cgi?id=171079
+        <rdar://problem/31684756>
+        Reviewed by Saam Barati.
+        This is needed because tail calls would restore callee saved registers (and
+        therefore, potentially clobber the tag registers) before jumping to the thunk.
+        * jit/ThunkGenerators.cpp:
+        (JSC::virtualThunkFor):
+-05-05  Keith Miller  <keith_miller@apple.com>
+        Put does not properly consult the prototype chain
+        https://bugs.webkit.org/show_bug.cgi?id=171754
+        Reviewed by Saam Barati.
+        We should do a follow up that cleans up the rest of put. See:
+        https://bugs.webkit.org/show_bug.cgi?id=171759
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::putToPrimitive):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putInlineSlow):
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::canPerformFastPutInline):
+-07-24  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Fix merge r217438.
+        See bug #174781.
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::StructureForInContext::finalize): Use operand instead of unsignedValue.
+-05-05  Saam Barati  <sbarati@apple.com>
+        putDirectIndex does not properly do defineOwnProperty
+        https://bugs.webkit.org/show_bug.cgi?id=171591
+        <rdar://problem/31735695>
+        Reviewed by Geoffrey Garen.
+        This patch fixes putDirectIndex and its JIT implementations to be
+        compatible with the ES6 spec. I think our code became out of date
+        when we implemented ArraySpeciesCreate since ArraySpeciesCreate may
+        return arbitrary objects. We perform putDirectIndex on that arbitrary
+        object. The behavior we want is as if we performed defineProperty({configurable:true, enumerable:true, writable:true}).
+        However, we weren't doing this. putDirectIndex assumed it could just splat
+        data into any descendent of JSObject's butterfly. For example, this means
+        we'd just splat into the butterfly of a typed array, even though a typed
+        array doesn't use its butterfly to store its indexed properties in the usual
+        way. Also, typed array properties are non-configurable, so this operation
+        should throw. This also means if we saw a ProxyObject, we'd just splat
+        into its butterfly, but this is obviously wrong because ProxyObject should
+        intercept the defineProperty operation.
+        This patch fixes this issue by adding a whitelist of cell types that can
+        go down putDirectIndex's fast path. Anything not in that whitelist will
+        simply call into defineOwnProperty.
+        * bytecode/ByValInfo.h:
+        (JSC::jitArrayModePermitsPutDirect):
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::ArrayMode::refine):
+        * jit/JITOperations.cpp:
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncSplice):
+        * runtime/ClonedArguments.cpp:
+        (JSC::ClonedArguments::createStructure):
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
+        * runtime/JSObject.cpp:
+        (JSC::canDoFastPutDirectIndex):
+        (JSC::JSObject::defineOwnIndexedProperty):
+        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+        (JSC::JSObject::putDirectIndexBeyondVectorLength): Deleted.
+        * runtime/JSObject.h:
+        (JSC::JSObject::putDirectIndex):
+        (JSC::JSObject::canSetIndexQuicklyForPutDirect): Deleted.
+        * runtime/JSType.h:
+-05-17  Filip Pizlo  <fpizlo@apple.com>
+        JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform
+        https://bugs.webkit.org/show_bug.cgi?id=172208
+        Reviewed by Saam Barati.
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+-04-17  Mark Lam  <mark.lam@apple.com>
+        JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
+        https://bugs.webkit.org/show_bug.cgi?id=170896
+        <rdar://problem/31651319>
+        Reviewed by JF Bastien and Keith Miller.
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::appendMemcpy):
+-05-25  Saam Barati  <sbarati@apple.com>
+        Our for-in optimization in the bytecode generator does its static analysis incorrectly
+        https://bugs.webkit.org/show_bug.cgi?id=172532
+        <rdar://problem/32369452>
+        Reviewed by Mark Lam.
+        Our static analysis for when a for-in induction variable
+        is written to tried to its analysis as we generate
+        bytecode. This has issues, since it does not account for
+        the dynamic execution path of the program. Let's consider
+        a program where our old analysis worked:
+        ```
+        for (let p in o) {
+            o[p]; // We can transform this into a fast get_direct_pname
+            p = 20;
+            o[p]; // We cannot transform this since p has been changed.
+        }
+        ```
+        However, our static analysis did not account for loops, which exist
+        in JavaScript. e.g, it would incorrectly compile this program as:
+        ```
+        for (let p in o) {
+            for (let i = 0; i < 20; ++i) {
+                o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
+                p = 20;
+                o[p]; // We correctly do not transform this.
+            }
+        }
+        ```
+        Because of this flaw, I've made the optimization more conservative.
+        We now optimistically emit code for the optimized access. However,
+        if a for-in context is *ever* invalidated, before we pop it off
+        the stack, we rewrite the program's optimized accesses to no longer
+        be optimized. To do this, each context keeps track of its optimized
+        accesses.
+        This patch also adds a new bytecode, op_nop, which is just a no-op.
+        It was helpful to add this because reverting get_direct_pname to get_by_val
+        will leave us with an extra instruction word because get_direct_pname is
+        has a length of 7 where get_by_val has a length of 6. This leaves us with
+        an extra slot that we fill with an op_nop.
+        * bytecode/BytecodeDumper.cpp:
+        (JSC::BytecodeDumper<Block>::dumpBytecode):
+        * bytecode/BytecodeList.json:
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitGetByVal):
+        (JSC::BytecodeGenerator::popIndexedForInScope):
+        (JSC::BytecodeGenerator::popStructureForInScope):
+        (JSC::BytecodeGenerator::invalidateForInContextForLocal):
+        (JSC::StructureForInContext::pop):
+        (JSC::IndexedForInContext::pop):
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::StructureForInContext::addGetInst):
+        (JSC::IndexedForInContext::addGetInst):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_nop):
+        * llint/LowLevelInterpreter.asm:
+-04-14  Saam Barati  <sbarati@apple.com>
+        ParseInt intrinsic in DFG backend doesn't properly flush its operands
+        https://bugs.webkit.org/show_bug.cgi?id=170865
+        Reviewed by Mark Lam and Geoffrey Garen.
+        The DFG backend code needed to first call .gpr()/.jsValueRegs()
+        before calling flushRegisters(), or the input JSValueOperand would
+        not be flushed.
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileParseInt):
+-06-16  Konstantin Tokarev  <annulen@yandex.ru>
+        REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
+        https://bugs.webkit.org/show_bug.cgi?id=173470
+        Reviewed by Joseph Pecoraro.
+        ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
+        const char* overload of StringBuilder::append() that assummes Latin1
+        encoding, not UTF8.
+        * runtime/ConsoleClient.cpp:
+        (JSC::ConsoleClient::printConsoleMessageWithArguments):
+-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>
+        RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
+        https://bugs.webkit.org/show_bug.cgi?id=170945
+        Reviewed by Mark Lam.
+        Re-define PutByIdFlags as a int32_t enum explicitly because it is
+        stored as an int32_t value in UnlinkedInstruction.  This prevents
+        a bug on 64-bit big endian architectures where the word order is
+        inverted (when we convert the UnlinkedInstruction into a CodeBlock
+        Instruction), resulting in the PutByIdFlags value not being stored in
+        the 32-bit word that the rest of the code expects it to be in.
+        * bytecode/PutByIdFlags.h:
 -05-10  Mark Lam  <mark.lam@apple.com>

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/ByValInfo.h ¶

-              r217367
+              r219817
+}
+inline bool jitArrayModePermitsPutDirect(JITArrayMode mode)
+{
+    // We don't allow typed array putDirect here since putDirect has
+    // defineOwnProperty({configurable: true, writable:true, enumerable:true})
+    // semantics. Typed array indexed properties are non-configurable by
+    // default, so we can't simply store to a typed array for putDirect.
+    //
+    // We could model putDirect on ScopedArguments and DirectArguments, but we
+    // haven't found any performance incentive to do it yet.
+    switch (mode) {
+    case JITInt32:
+    case JITDouble:
+    case JITContiguous:
+    case JITArrayStorage:
+        return true;
+    default:
+        return false;
+    }
+}
 inline TypedArrayType typedArrayTypeForJITArrayMode(JITArrayMode mode)
+{

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/BytecodeList.json ¶

-              r217367
+              r219817
             { "name" : "op_watchdog", "length" : 1 },
             { "name" : "op_log_shadow_chicken_prologue", "length" : 2},
+            { "name" : "op_log_shadow_chicken_tail", "length" : 3}
+            { "name" : "op_log_shadow_chicken_tail", "length" : 3},
+            { "name" : "op_nop", "length" : 1 }
+        ]
     },

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/BytecodeUseDef.h ¶

-              r217367
+              r219817
     case op_watchdog:
     case op_get_argument:
+    case op_nop:
         return;
     case op_assert:
 …
     case op_log_shadow_chicken_tail:
     case op_yield:
+    case op_nop:
 #define LLINT_HELPER_OPCODES(opcode, length) case opcode:
         FOR_EACH_LLINT_OPCODE_EXTENSION(LLINT_HELPER_OPCODES);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/CodeBlock.cpp ¶

-              r217367
+              r219817
         case op_watchdog: {
             printLocationAndOp(out, exec, location, it, "watchdog");
+            break;
+        }
+        case op_nop: {
+            printLocationAndOp(out, exec, location, it, "nop");
             break;
+        }

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/PutByIdFlags.h ¶

r217367	r219817
30	30	namespace JSC {
31	31
32		enum PutByIdFlags : int~~ptr~~_t {
	32	enum PutByIdFlags : int32_t {
33	33	PutByIdNone = 0,
34	34

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp ¶

-              r217367
+              r219817
 RegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)
+{
     for (size_t i = m_forInContextStack.size(); i > 0; i--) {
         ForInContext& context = m_forInContextStack[i - 1].get();
+    for (size_t i = m_forInContextStack.size(); i--; ) {
+        ForInContext& context = m_forInContextStack[i].get();
         if (context.local() != property)
             continue;
+        if (!context.isValid())
+            break;
+        unsigned instIndex = instructions().size();
         if (context.type() == ForInContext::IndexedForInContextType) {
+            static_cast<IndexedForInContext&>(context).addGetInst(instIndex, property->index());
             property = static_cast<IndexedForInContext&>(context).index();
             break;
 …
         instructions().append(structureContext.enumerator()->index());
         instructions().append(profile);
+        structureContext.addGetInst(instIndex, property->index(), profile);
         return dst;
+    }
 …
     if (!localRegister)
         return;
+    ASSERT(m_forInContextStack.last()->type() == ForInContext::IndexedForInContextType);
+    static_cast<IndexedForInContext&>(m_forInContextStack.last().get()).finalize(*this);
     m_forInContextStack.removeLast();
+}
 …
     if (!localRegister)
         return;
+    ASSERT(m_forInContextStack.last()->type() == ForInContext::StructureForInContextType);
+    static_cast<StructureForInContext&>(m_forInContextStack.last().get()).finalize(*this);
     m_forInContextStack.removeLast();
+}
 …
     // reassigned, or we'd have to resort to runtime checks to see if the variable had been
     // reassigned from its original value.
     for (size_t i = m_forInContextStack.size(); i > 0; i--) {
         ForInContext& context = m_forInContextStack[i - 1].get();
+    for (size_t i = m_forInContextStack.size(); i--; ) {
+        ForInContext& context = m_forInContextStack[i].get();
         if (context.local() != localRegister)
             continue;
 …
+}
+void StructureForInContext::finalize(BytecodeGenerator& generator)
+{
+    if (isValid())
+        return;
+    for (const auto& instTuple : m_getInsts) {
+        unsigned instIndex = std::get<0>(instTuple);
+        int propertyRegIndex = std::get<1>(instTuple);
+        UnlinkedValueProfile valueProfile = std::get<2>(instTuple);
+        OpcodeID op = generator.instructions()[instIndex].u.opcode;
+        RELEASE_ASSERT(op == op_get_direct_pname);
+        ASSERT(opcodeLength(op_get_direct_pname) == 7);
+        ASSERT(opcodeLength(op_get_by_val) == 6);
+        // 0. Change the opcode to get_by_val.
+        generator.instructions()[instIndex].u.opcode = op_get_by_val;
+        // 1. dst stays the same.
+        // 2. base stays the same.
+        // 3. property gets switched to the original property.
+        generator.instructions()[instIndex + 3].u.operand = propertyRegIndex;
+        // 4. add an array profile.
+        generator.instructions()[instIndex + 4].u.operand = generator.newArrayProfile();
+        // 5. set the result value profile.
+        generator.instructions()[instIndex + 5].u.operand = valueProfile;
+        // 6. nop out the last instruction word.
+        generator.instructions()[instIndex + 6].u.opcode = op_nop;
+    }
+}
+void IndexedForInContext::finalize(BytecodeGenerator& generator)
+{
+    if (isValid())
+        return;
+    for (const auto& instPair : m_getInsts) {
+        unsigned instIndex = instPair.first;
+        int propertyRegIndex = instPair.second;
+        OpcodeID op = generator.instructions()[instIndex].u.opcode;
+        RELEASE_ASSERT(op == op_get_by_val);
+        // We just need to perform the get_by_val with the original property here,
+        // not the indexed one.
+        generator.instructions()[instIndex + 3].u.operand = propertyRegIndex;
+    }
+}
 } // namespace JSC

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h ¶

-              r217367
+              r219817
         RegisterID* enumerator() const { return m_enumeratorRegister.get(); }
+        void addGetInst(unsigned instIndex, int propertyRegIndex, UnlinkedValueProfile valueProfile)
+        {
+            m_getInsts.append(std::tuple<unsigned, int, UnlinkedValueProfile>(instIndex, propertyRegIndex, valueProfile));
+        }
+        void finalize(BytecodeGenerator&);
     private:
         RefPtr<RegisterID> m_indexRegister;
         RefPtr<RegisterID> m_propertyRegister;
         RefPtr<RegisterID> m_enumeratorRegister;
+        Vector<std::tuple<unsigned, int, UnlinkedValueProfile>> m_getInsts;
     };
 …
         RegisterID* index() const { return m_indexRegister.get(); }
+        void finalize(BytecodeGenerator&);
+        void addGetInst(unsigned instIndex, int propertyIndex) { m_getInsts.append({ instIndex, propertyIndex }); }
     private:
         RefPtr<RegisterID> m_indexRegister;
+        Vector<std::pair<unsigned, int>> m_getInsts;
     };
 …
         void prepareLexicalScopeForNextForLoopIteration(VariableEnvironmentNode*, RegisterID* loopSymbolTable);
         int labelScopeDepth() const;
+        UnlinkedArrayProfile newArrayProfile();
     private:
 …
         UnlinkedArrayAllocationProfile newArrayAllocationProfile();
         UnlinkedObjectAllocationProfile newObjectAllocationProfile();
-        UnlinkedArrayProfile newArrayProfile();
         UnlinkedValueProfile emitProfiledOpcode(OpcodeID);
         int kill(RegisterID* dst)

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp ¶

r217367	r219817
846	846	storeValue(undefined, storeIndex);
847	847	}
	848
	849	node->remove();
	850	node->origin.exitOK = canExit;
	851	break;
848	852	}
849
850		~~node->remove();~~
851		~~node->origin.exitOK = canExit;~~
852		~~break;~~
853	853	}
854	854	} else {

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGArrayMode.cpp ¶

-              r217367
+              r219817
     // to value profiling, but the array profile tells us something else, then we
     // should just trust the array profile.
+    auto typedArrayResult = [&] (ArrayMode result) -> ArrayMode {
+        if (node->op() == PutByValDirect) {
+            // This is semantically identical to defineOwnProperty({configurable: true, writable:true, enumerable:true}),
+            // which we can't model as a simple store to the typed array since typed array indexed properties
+            // are non-configurable.
+            return ArrayMode(Array::Generic);
+        }
+        return result;
+    };
     switch (type()) {
 …
     case Array::Float32Array:
     case Array::Float64Array:
+        switch (node->op()) {
+        case PutByVal:
+        if (node->op() == PutByVal) {
             if (graph.hasExitSite(node->origin.semantic, OutOfBounds) || !isInBounds())
+                return withSpeculation(Array::OutOfBounds);
+            return withSpeculation(Array::InBounds);
+        default:
+            return withSpeculation(Array::InBounds);
+        }
+        return *this;
+                return typedArrayResult(withSpeculation(Array::OutOfBounds));
+        }
+        return typedArrayResult(withSpeculation(Array::InBounds));
     case Array::Unprofiled:
     case Array::SelectUsingPredictions: {
 …
             break;
+        }
         if (isInt8ArraySpeculation(base))
             return result.withType(Array::Int8Array);
+            return typedArrayResult(result.withType(Array::Int8Array));
         if (isInt16ArraySpeculation(base))
             return result.withType(Array::Int16Array);
+            return typedArrayResult(result.withType(Array::Int16Array));
         if (isInt32ArraySpeculation(base))
             return result.withType(Array::Int32Array);
+            return typedArrayResult(result.withType(Array::Int32Array));
         if (isUint8ArraySpeculation(base))
             return result.withType(Array::Uint8Array);
+            return typedArrayResult(result.withType(Array::Uint8Array));
         if (isUint8ClampedArraySpeculation(base))
             return result.withType(Array::Uint8ClampedArray);
+            return typedArrayResult(result.withType(Array::Uint8ClampedArray));
         if (isUint16ArraySpeculation(base))
             return result.withType(Array::Uint16Array);
+            return typedArrayResult(result.withType(Array::Uint16Array));
         if (isUint32ArraySpeculation(base))
             return result.withType(Array::Uint32Array);
+            return typedArrayResult(result.withType(Array::Uint32Array));
         if (isFloat32ArraySpeculation(base))
             return result.withType(Array::Float32Array);
+            return typedArrayResult(result.withType(Array::Float32Array));
         if (isFloat64ArraySpeculation(base))
             return result.withType(Array::Float64Array);
+            return typedArrayResult(result.withType(Array::Float64Array));
         if (type() == Array::Unprofiled)

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp ¶

-              r217367
+              r219817
             flushDirect(virtualRegisterForArgument(0));
         if (m_graph.needsScopeRegister())
             flush(m_codeBlock->scopeRegister());
+            flushDirect(m_codeBlock->scopeRegister());
+    }
 …
             NEXT_OPCODE(op_watchdog);
+        }
+        case op_nop: {
+            addToGraph(Check); // We add a nop here so that basic block linking doesn't break.
+            NEXT_OPCODE(op_nop);
+        }
         case op_create_lexical_environment: {

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGCapabilities.cpp ¶

r217367	r219817
189	189	case op_loop_hint:
190	190	case op_watchdog:
	191	case op_nop:
191	192	case op_ret:
192	193	case op_end:

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp ¶

-              r217367
+              r219817
         if (node->child1().useKind() == UntypedUse) {
             JSValueOperand value(this, node->child1());
+#if USE(JSVALUE64)
+            auto result = resultRegs.gpr();
+            auto valueReg = value.gpr();
+#else
+            auto result = resultRegs;
+            auto valueReg = value.jsValueRegs();
+#endif
             flushRegisters();
+#if USE(JSVALUE64)
+            callOperation(operationParseIntGeneric, resultRegs.gpr(), value.gpr(), radixGPR);
+#else
+            callOperation(operationParseIntGeneric, resultRegs, value.jsValueRegs(), radixGPR);
+#endif
+            callOperation(operationParseIntGeneric, result, valueReg, radixGPR);
             m_jit.exceptionCheck();
         } else {
 …
             speculateString(node->child1(), valueGPR);
+#if USE(JSVALUE64)
+            auto result = resultRegs.gpr();
+#else
+            auto result = resultRegs;
+#endif
             flushRegisters();
+#if USE(JSVALUE64)
+            callOperation(operationParseIntString, resultRegs.gpr(), valueGPR, radixGPR);
+#else
+            callOperation(operationParseIntString, resultRegs, valueGPR, radixGPR);
+#endif
+            callOperation(operationParseIntString, result, valueGPR, radixGPR);
             m_jit.exceptionCheck();
+        }
 …
         if (node->child1().useKind() == UntypedUse) {
             JSValueOperand value(this, node->child1());
+#if USE(JSVALUE64)
+            auto result = resultRegs.gpr();
+#else
+            auto result = resultRegs;
+#endif
+            JSValueRegs valueRegs = value.jsValueRegs();
             flushRegisters();
+#if USE(JSVALUE64)
+            callOperation(operationParseIntNoRadixGeneric, resultRegs.gpr(), value.jsValueRegs());
+#else
+            callOperation(operationParseIntNoRadixGeneric, resultRegs, value.jsValueRegs());
+#endif
+            callOperation(operationParseIntNoRadixGeneric, result, valueRegs);
             m_jit.exceptionCheck();
         } else {

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/JIT.cpp ¶

r217367	r219817
330	330	DEFINE_OP(op_loop_hint)
331	331	DEFINE_OP(op_watchdog)
	332	DEFINE_OP(op_nop)
332	333	DEFINE_OP(op_lshift)
333	334	DEFINE_OP(op_mod)

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/JIT.h ¶

r217367	r219817
532	532	void emit_op_loop_hint(Instruction*);
533	533	void emit_op_watchdog(Instruction*);
	534	void emit_op_nop(Instruction*);
534	535	void emit_op_lshift(Instruction*);
535	536	void emit_op_mod(Instruction*);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/JITOpcodes.cpp ¶

r217367	r219817
957	957	}
958	958
	959	void JIT::emit_op_nop(Instruction*)
	960	{
	961	}
	962
959	963	void JIT::emit_op_new_regexp(Instruction* currentInstruction)
960	964	{

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/JITOperations.cpp ¶

-              r217367
+              r219817
         uint32_t index = subscript.asUInt32();
         ASSERT(isIndex(index));
+        if (baseObject->canSetIndexQuicklyForPutDirect(index)) {
+            baseObject->setIndexQuickly(callFrame->vm(), index, value);
+            return;
+        }
+        // FIXME: This will make us think that in-bounds typed array accesses are actually
+        // out-of-bounds.
+        // https://bugs.webkit.org/show_bug.cgi?id=149886
+        byValInfo->arrayProfile->setOutOfBounds();
+        switch (baseObject->indexingType()) {
+        case ALL_INT32_INDEXING_TYPES:
+        case ALL_DOUBLE_INDEXING_TYPES:
+        case ALL_CONTIGUOUS_INDEXING_TYPES:
+        case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+            if (index < baseObject->butterfly()->vectorLength())
+                break;
+            FALLTHROUGH;
+        default:
+            byValInfo->arrayProfile->setOutOfBounds();
+            break;
+        }
         baseObject->putDirectIndex(callFrame, index, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
         return;
 …
             // Attempt to optimize.
             JITArrayMode arrayMode = jitArrayModeForStructure(structure);
             if (jitArrayModePermitsPut(arrayMode) && arrayMode != byValInfo->arrayMode) {
+            if (jitArrayModePermitsPutDirect(arrayMode) && arrayMode != byValInfo->arrayMode) {
                 CodeBlock* codeBlock = exec->codeBlock();
                 ConcurrentJSLocker locker(codeBlock->m_lock);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/ThunkGenerators.cpp ¶

-              r217367
+              r219817
 #if USE(JSVALUE64)
+    GPRReg tagMaskRegister = GPRInfo::tagMaskRegister;
+    if (callLinkInfo.isTailCall()) {
+        // Tail calls could have clobbered the GPRInfo::tagMaskRegister because they
+        // restore callee saved registers before getthing here. So, let's materialize
+        // the TagMask in a temp register and use the temp instead.
+        tagMaskRegister = GPRInfo::regT4;
+        jit.move(CCallHelpers::TrustedImm64(TagMask), tagMaskRegister);
+    }
     slowCase.append(
+        jit.branchTest64(
+            CCallHelpers::NonZero, GPRInfo::regT0, GPRInfo::tagMaskRegister));
+        jit.branchTest64(CCallHelpers::NonZero, GPRInfo::regT0, tagMaskRegister));
 #else
     slowCase.append(

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/llint/LowLevelInterpreter.asm ¶

-              r217367
+              r219817
+_llint_op_nop:
+    dispatch(1)
 _llint_op_switch_string:
     traceExecution()

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/parser/Lexer.cpp ¶

r217367	r219817
565	565
566	566	m_buffer8.reserveInitialCapacity(initialReadBufferCapacity);
567		m_buffer16.reserveInitialCapacity(~~(m_codeEnd - m_code) / 2~~);
	567	m_buffer16.reserveInitialCapacity(initialReadBufferCapacity);
568	568	m_bufferForRawTemplateString16.reserveInitialCapacity(initialReadBufferCapacity);
569	569

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/ArrayPrototype.cpp ¶

-              r217367
+              r219817
     if (!result) {
         if (speciesResult.first == SpeciesConstructResult::CreatedObject) {
+        if (speciesResult.first == SpeciesConstructResult::CreatedObject)
             result = speciesResult.second;
+            for (unsigned k = 0; k < actualDeleteCount; ++k) {
+                JSValue v = getProperty(exec, thisObj, k + actualStart);
+                RETURN_IF_EXCEPTION(scope, encodedJSValue());
+                if (UNLIKELY(!v))
+                    continue;
+                result->putByIndexInline(exec, k, v, true);
+                RETURN_IF_EXCEPTION(scope, encodedJSValue());
+            }
+        } else {
+        else {
             result = JSArray::tryCreate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount);
             if (UNLIKELY(!result)) {
 …
                 return encodedJSValue();
+            }
+            for (unsigned k = 0; k < actualDeleteCount; ++k) {
+                JSValue v = getProperty(exec, thisObj, k + actualStart);
+                RETURN_IF_EXCEPTION(scope, encodedJSValue());
+                if (UNLIKELY(!v))
+                    continue;
+                result->putDirectIndex(exec, k, v);
+                RETURN_IF_EXCEPTION(scope, encodedJSValue());
+            }
+        }
+        for (unsigned k = 0; k < actualDeleteCount; ++k) {
+            JSValue v = getProperty(exec, thisObj, k + actualStart);
+            RETURN_IF_EXCEPTION(scope, encodedJSValue());
+            if (UNLIKELY(!v))
+                continue;
+            result->putDirectIndex(exec, k, v, 0, PutDirectIndexShouldThrow);
+            RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        }
+    }

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/ClonedArguments.cpp ¶

r217367	r219817
154	154	Structure* ClonedArguments::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, IndexingType indexingType)
155	155	{
156		Structure* structure = Structure::create(vm, globalObject, prototype, TypeInfo(~~Object~~Type, StructureFlags), info(), indexingType);
	156	Structure* structure = Structure::create(vm, globalObject, prototype, TypeInfo(ClonedArgumentsType, StructureFlags), info(), indexingType);
157	157	PropertyOffset offset;
158	158	structure = structure->addPropertyTransition(vm, structure, vm.propertyNames->length, DontEnum, offset);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/ConsoleClient.cpp ¶

r217367	r219817
166	166	String argAsString = arguments->argumentAt(i).toString(arguments->globalState());
167	167	builder.append(' ');
168		builder.append(argAsString~~.utf8().data()~~);
	168	builder.append(argAsString);
169	169	}
170	170

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSArray.cpp ¶

-              r217367
+              r219817
     IndexingType type = indexingType();
+    IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());
+    IndexingType otherType = otherArray->indexingType();
+    IndexingType copyType = mergeIndexingTypeForCopying(otherType);
     if (type == ArrayWithUndecided && copyType != NonArray) {
         if (copyType == ArrayWithInt32)
 …
     ASSERT(copyType == indexingType());
+    if (type == ArrayWithDouble)
+    if (UNLIKELY(otherType == ArrayWithUndecided)) {
+        auto* butterfly = this->butterfly();
+        if (type == ArrayWithDouble) {
+            for (unsigned i = startIndex; i < newLength; ++i)
+                butterfly->contiguousDouble()[i] = PNaN;
+        } else {
+            for (unsigned i = startIndex; i < newLength; ++i)
+                butterfly->contiguousInt32()[i].setWithoutWriteBarrier(JSValue());
+        }
+    } else if (type == ArrayWithDouble)
         memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
     else

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSCJSValue.cpp ¶

-              r217367
+              r219817
     if (propertyName != vm.propertyNames->underscoreProto) {
         for (; !obj->structure()->hasReadOnlyOrGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
+            prototype = obj->getPrototypeDirect();
+            prototype = obj->getPrototype(vm, exec);
+            RETURN_IF_EXCEPTION(scope, false);
             if (prototype.isNull())
                 return typeError(exec, scope, slot.isStrictMode(), ASCIILiteral(ReadonlyPropertyWriteError));

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h ¶

-              r217367
+              r219817
     JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(object);
+    if (parseIndex(propertyName)) {
+    if (std::optional<uint32_t> index = parseIndex(propertyName)) {
+        auto throwTypeErrorIfNeeded = [&] (const char* errorMessage) -> bool {
+            if (shouldThrow)
+                throwTypeError(exec, scope, makeString(errorMessage, String::number(*index)));
+            return false;
+        };
         if (descriptor.isAccessorDescriptor())
             return typeError(exec, scope, shouldThrow, ASCIILiteral("Attempting to store accessor indexed property on a typed array."));
+            return throwTypeErrorIfNeeded("Attempting to store accessor property on a typed array at index: ");
         if (descriptor.configurable())
             return typeError(exec, scope, shouldThrow, ASCIILiteral("Attempting to configure non-configurable property."));
+            return throwTypeErrorIfNeeded("Attempting to configure non-configurable property on a typed array at index: ");
         if (!descriptor.enumerable() || !descriptor.writable())
             return typeError(exec, scope, shouldThrow, ASCIILiteral("Attempting to store non-enumerable or non-writable indexed property on a typed array."));
+            return throwTypeErrorIfNeeded("Attempting to store non-enumerable or non-writable property on a typed array at index: ");
         if (descriptor.value()) {

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObject.cpp ¶

-              r217367
+              r219817
             return proxy->ProxyObject::put(proxy, exec, propertyName, value, slot);
+        }
+        JSValue prototype = obj->getPrototypeDirect();
+        JSValue prototype = obj->getPrototype(vm, exec);
+        RETURN_IF_EXCEPTION(scope, false);
         if (prototype.isNull())
             break;
 …
+    }
-    ASSERT(!structure(vm)->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this);
     if (!putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot))
         return typeError(exec, scope, slot.isStrictMode(), ASCIILiteral(ReadonlyPropertyWriteError));
 …
+}
+ALWAYS_INLINE static bool canDoFastPutDirectIndex(JSObject* object)
+{
+    return isJSArray(object)
+        || isJSFinalObject(object)
+        || object->type() == DirectArgumentsType
+        || object->type() == ScopedArgumentsType
+        || object->type() == ClonedArgumentsType;
+}
 // Defined in ES5.1 8.12.9
 bool JSObject::defineOwnIndexedProperty(ExecState* exec, unsigned index, const PropertyDescriptor& descriptor, bool throwException)
 …
         // however if the property currently exists missing attributes will override from their current 'true'
         // state (i.e. defineOwnProperty could be used to set a value without needing to entering 'SparseMode').
         if (!descriptor.attributes() && descriptor.value()) {
+        if (!descriptor.attributes() && descriptor.value() && canDoFastPutDirectIndex(this)) {
             ASSERT(!descriptor.isAccessorDescriptor());
             return putDirectIndex(exec, index, descriptor.value(), 0, throwException ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
 …
+}
 bool JSObject::putDirectIndexBeyondVectorLength(ExecState* exec, unsigned i, JSValue value, unsigned attributes, PutDirectIndexMode mode)
+bool JSObject::putDirectIndexSlowOrBeyondVectorLength(ExecState* exec, unsigned i, JSValue value, unsigned attributes, PutDirectIndexMode mode)
+{
     VM& vm = exec->vm();
+    if (!canDoFastPutDirectIndex(this)) {
+        PropertyDescriptor descriptor;
+        descriptor.setDescriptor(value, attributes);
+        return methodTable(vm)->defineOwnProperty(this, exec, Identifier::from(exec, i), descriptor, mode == PutDirectIndexShouldThrow);
+    }
     // i should be a valid array index that is outside of the current vector.
 …
         if (!value.isInt32()) {
             convertInt32ForValue(vm, value);
             return putDirectIndexBeyondVectorLength(exec, i, value, attributes, mode);
+            return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
+        }
         putByIndexBeyondVectorLengthWithoutAttributes<Int32Shape>(exec, i, value);
 …
         if (!value.isNumber()) {
             convertDoubleToContiguous(vm);
             return putDirectIndexBeyondVectorLength(exec, i, value, attributes, mode);
+            return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
+        }
         double valueAsDouble = value.asNumber();
         if (valueAsDouble != valueAsDouble) {
             convertDoubleToContiguous(vm);
             return putDirectIndexBeyondVectorLength(exec, i, value, attributes, mode);
+            return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
+        }
         putByIndexBeyondVectorLengthWithoutAttributes<DoubleShape>(exec, i, value);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObject.h ¶

-              r217367
+              r219817
     JS_EXPORT_PRIVATE static bool putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
+    // This performs the ECMAScript Set() operation.
     ALWAYS_INLINE bool putByIndexInline(ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
+    {
 …
     //  - accessors are not called.
     //  - it will ignore extensibility and read-only properties if PutDirectIndexLikePutDirect is passed as the mode (the default).
+    // This method creates a property with attributes writable, enumerable and configurable all set to true.
+    // This method creates a property with attributes writable, enumerable and configurable all set to true if attributes is zero,
+    // otherwise, it creates a property with the provided attributes. Semantically, this is performing defineOwnProperty.
     bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value, unsigned attributes, PutDirectIndexMode mode)
+    {
+        if (!attributes && canSetIndexQuicklyForPutDirect(propertyName)) {
+        auto canSetIndexQuicklyForPutDirect = [&] () -> bool {
+            switch (indexingType()) {
+            case ALL_BLANK_INDEXING_TYPES:
+            case ALL_UNDECIDED_INDEXING_TYPES:
+                return false;
+            case ALL_INT32_INDEXING_TYPES:
+            case ALL_DOUBLE_INDEXING_TYPES:
+            case ALL_CONTIGUOUS_INDEXING_TYPES:
+            case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+                return propertyName < m_butterfly.get()->vectorLength();
+            default:
+                RELEASE_ASSERT_NOT_REACHED();
+                return false;
+            }
+        };
+        if (!attributes && canSetIndexQuicklyForPutDirect()) {
             setIndexQuickly(exec->vm(), propertyName, value);
             return true;
+        }
+        return putDirectIndexBeyondVectorLength(exec, propertyName, value, attributes, mode);
+    }
+        return putDirectIndexSlowOrBeyondVectorLength(exec, propertyName, value, attributes, mode);
+    }
+    // This is semantically equivalent to performing defineOwnProperty(propertyName, {configurable:true, writable:true, enumerable:true, value:value}).
     bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value)
+    {
 …
+    }
+    // A non-throwing version of putDirect and putDirectIndex.
+    // A generally non-throwing version of putDirect and putDirectIndex.
+    // However, it's only guaranteed to not throw based on what the receiver is.
+    // For example, if the receiver is a ProxyObject, this is not guaranteed, since
+    // it may call into arbitrary JS code. It's the responsibility of the user of
+    // this API to ensure that the receiver object is a well known type if they
+    // want to ensure that this won't throw an exception.
     JS_EXPORT_PRIVATE bool putDirectMayBeIndex(ExecState*, PropertyName, JSValue);
 …
             return i < butterfly->arrayStorage()->vectorLength()
                 && !!butterfly->arrayStorage()->m_vector[i];
-        default:
-            RELEASE_ASSERT_NOT_REACHED();
-            return false;
+        }
+    }
-    bool canSetIndexQuicklyForPutDirect(unsigned i)
+    {
-        switch (indexingType()) {
-        case ALL_BLANK_INDEXING_TYPES:
-        case ALL_UNDECIDED_INDEXING_TYPES:
-            return false;
-        case ALL_INT32_INDEXING_TYPES:
-        case ALL_DOUBLE_INDEXING_TYPES:
-        case ALL_CONTIGUOUS_INDEXING_TYPES:
-        case ALL_ARRAY_STORAGE_INDEXING_TYPES:
-            return i < m_butterfly.get()->vectorLength();
         default:
             RELEASE_ASSERT_NOT_REACHED();
 …
     bool putByIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
     bool putDirectIndexBeyondVectorLengthWithArrayStorage(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode, ArrayStorage*);
     JS_EXPORT_PRIVATE bool putDirectIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode);
+    JS_EXPORT_PRIVATE bool putDirectIndexSlowOrBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, unsigned attributes, PutDirectIndexMode);
     unsigned getNewVectorLength(unsigned indexBias, unsigned currentVectorLength, unsigned currentLength, unsigned desiredLength);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObjectInlines.h ¶

-              r217367
+              r219817
     JSObject* obj = this;
     while (true) {
+        if (obj->structure(vm)->hasReadOnlyOrGetterSetterPropertiesExcludingProto() || obj->type() == ProxyObjectType)
+        MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
+        if (obj->structure(vm)->hasReadOnlyOrGetterSetterPropertiesExcludingProto() || obj->methodTable(vm)->getPrototype != defaultGetPrototype)
             return false;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSType.h ¶

-              r217367
+              r219817
     WebAssemblyFunctionType,
+    LastJSCObjectType = JSSetType,
+    ClonedArgumentsType,
+    LastJSCObjectType = ClonedArgumentsType,
     MaxJSType = 0b11111111,
 };

TabularUnified releases/WebKitGTK/webkit-2.16/Source/ThirdParty/ANGLE/ChangeLog ¶

-              r217367
+              r219817
+-07-13  Adrian Perez de Castro  <aperez@igalia.com>
+        eglplatform.h does not support Wayland
+        https://bugs.webkit.org/show_bug.cgi?id=163482
+        This makes it possible to build WebKitGTK+ when the target system has only Wayland support,
+        but no X11 (and therefore the X11 headers are not present).
+        Reviewed by Alex Christensen.
+        * include/EGL/eglplatform.h: Add Wayland typedefs when WL_EGL_PLATFORM is defined (for example
+        by including wayland-egl.h before including EGL/egl.h). Also, include the X11 headers only
+        when ANGLE_USE_X11 is defined and, for consistency with Mesa's version of the header, when
+        MESA_EGL_NO_X11_HEADERS is not defined.
 -12-20  Tim Horton  <timothy_horton@apple.com>

TabularUnified releases/WebKitGTK/webkit-2.16/Source/ThirdParty/ANGLE/changes.diff ¶

-              r217367
+              r219817
                                            framebufferFormatInfo.format)) != conversionSet.end())
+     {
+diff --git a/include/EGL/eglplatform.h b/include/EGL/eglplatform.h
+index 9bb75910ac0..ccaf7e6f343 100644
+--- a/include/EGL/eglplatform.h
++++ b/include/EGL/eglplatform.h
+@@ -89,6 +89,12 @@ typedef int   EGLNativeDisplayType;
+ typedef void *EGLNativeWindowType;
+ typedef void *EGLNativePixmapType;
++#elif defined(WL_EGL_PLATFORM)
++
++typedef struct wl_display    *EGLNativeDisplayType;
++typedef struct wl_egl_pixmap *EGLNativePixmapType;
++typedef struct wl_egl_window *EGLNativeWindowType;
++
+ #elif defined(__ANDROID__) || defined(ANDROID)
+ #include <android/native_window.h>
+@@ -107,6 +113,8 @@ typedef intptr_t EGLNativePixmapType;
+ #elif defined(__unix__)
++#if defined(ANGLE_USE_X11) && !defined(MESA_EGL_NO_X11_HEADERS)
++
+ /* X11 (tentative)  */
+ #include <X11/Xlib.h>
+ #include <X11/Xutil.h>
+@@ -116,6 +124,14 @@ typedef Pixmap   EGLNativePixmapType;
+ typedef Window   EGLNativeWindowType;
+ #else
++
++typedef void             *EGLNativeDisplayType;
++typedef khronos_uintptr_t EGLNativePixmapType;
++typedef khronos_uintptr_t EGLNativeWindowType;
++
++#endif /* ANGLE_USE_X11 && !MESA_EGL_NO_X11_HEADERS */
++
++#else
+ #error "Platform not recognized"
+ #endif

TabularUnified releases/WebKitGTK/webkit-2.16/Source/ThirdParty/ANGLE/include/EGL/eglplatform.h ¶

-              r217367
+              r219817
 typedef void *EGLNativePixmapType;
+#elif defined(WL_EGL_PLATFORM)
+typedef struct wl_display    *EGLNativeDisplayType;
+typedef struct wl_egl_pixmap *EGLNativePixmapType;
+typedef struct wl_egl_window *EGLNativeWindowType;
 #elif defined(__ANDROID__) || defined(ANDROID)
 …
 #elif defined(__unix__)
+#if defined(ANGLE_USE_X11) && !defined(MESA_EGL_NO_X11_HEADERS)
 /* X11 (tentative)  */
 …
 #else
+typedef void             *EGLNativeDisplayType;
+typedef khronos_uintptr_t EGLNativePixmapType;
+typedef khronos_uintptr_t EGLNativeWindowType;
+#endif /* ANGLE_USE_X11 && !MESA_EGL_NO_X11_HEADERS */
+#else
 #error "Platform not recognized"
 #endif

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WTF/ChangeLog ¶

-              r217367
+              r219817
+-06-08  Xabier Rodriguez Calvar  <calvaris@igalia.com>
+        MediaTime class has rounding issues in different platforms
+        https://bugs.webkit.org/show_bug.cgi?id=172640
+        Reviewed by Jer Noble.
+        The way a timescale is set when creating a MediaTime from a double
+        can create rounding issues in different platforms because in some
+        rounding is made and in others, it truncates. This way we ensure a
+        common behavior.
+        Dumping MediaTimes is also confusing and by the output you don't
+        know if it's containing a double or a fraction. Now, if it
+        contains a double, it only prints the double because printing the
+        fraction is misleading (it currently prints the double read as an
+        integer) and if it contains a fraction it shows the fraction and
+        its double representation separated by an = instead of a ,.
+        * wtf/MediaTime.cpp:
+        (WTF::MediaTime::createWithDouble): When creating MediaTime from
+        double, we round instead of leaving it to the cast operation.
+        (WTF::MediaTime::dump):
 -04-21  Konstantin Tokarev  <annulen@yandex.ru>

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WTF/wtf/MediaTime.cpp ¶

-              r217367
+              r219817
     while (doubleTime * timeScale > std::numeric_limits<int64_t>::max())
         timeScale /= 2;
     return MediaTime(static_cast<int64_t>(doubleTime * timeScale), timeScale, Valid);
+    return MediaTime(static_cast<int64_t>(std::round(doubleTime * timeScale)), timeScale, Valid);
+}
 …
+}
+void MediaTime::dump(PrintStream &out) const
+{
+    out.print("{", m_timeValue, "/", m_timeScale, ", ", toDouble(), "}");
+void MediaTime::dump(PrintStream& out) const
+{
+    out.print("{");
+    if (!hasDoubleValue())
+        out.print(m_timeValue, "/", m_timeScale, " = ");
+    out.print(toDouble(), "}");
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog ¶

-              r217367
+              r219817
+-07-12  Carlos Alberto Lopez Perez  <clopez@igalia.com>
+        REGRESSION(r219332): [GTK] 9 new failures on fast/forms spinbutton related tests
+        https://bugs.webkit.org/show_bug.cgi?id=174395
+        Reviewed by Carlos Garcia Campos.
+        Covered by existing tests.
+        Before r219332 the height of the spin button widget was
+        calculated as the maximum value between the individual button
+        ( the [+] or [-] ) width (33 pixels) and height (16 pixels).
+        And r219332 caused the height of the widget to be calculated as
+        the height of the button (16 pixels), which was incorrect as
+        each button should be first expanded vertically to fit the
+        preferred size of the widget.
+        Fix this by making the calculations about the spin button widget
+        on a new function spinButtonSize() that takes this into account,
+        and use this values both for adjusting the style of the input
+        field and the spin button widget itself.
+        * rendering/RenderThemeGtk.cpp:
+        (WebCore::spinButtonSize):
+        (WebCore::RenderThemeGtk::adjustTextFieldStyle):
+        (WebCore::RenderThemeGtk::adjustInnerSpinButtonStyle):
+-07-11  Carlos Alberto Lopez Perez  <clopez@igalia.com>
+        [GTK] Spin buttons on input type number appear over the value itself for small widths
+        https://bugs.webkit.org/show_bug.cgi?id=173572
+        Reviewed by Carlos Garcia Campos.
+        When drawing the spin buttons, override the width of the input
+        element to increment it with the width of the spin button.
+        This ensures that we don't end up covering the input values with
+        the spin buttons.
+        Do this also for user controlled styles, because most web authors
+        won't test how their site renders on WebKitGTK+, and they will
+        assume spin buttons in the order of 13 pixels wide (that is what
+        most browsers use), but the GTK+ spin button is much wider (66 pixels).
+        Test: platform/gtk/fast/forms/number/number-size-spinbutton-nocover.html
+        * rendering/RenderTheme.cpp:
+        (WebCore::RenderTheme::adjustStyle):
+        * rendering/RenderThemeGtk.cpp:
+        (WebCore::RenderThemeGtk::adjustTextFieldStyle): Call the theme's adjustTextFieldStyle() also for user controlled styles.
+        (WebCore::RenderThemeGtk::adjustInnerSpinButtonStyle):
+-05-12  Jiewen Tan  <jiewen_tan@apple.com>
+        Elements should be inserted into a template element as its content's last child
+        https://bugs.webkit.org/show_bug.cgi?id=171373
+        <rdar://problem/31862949>
+        Reviewed by Ryosuke Niwa.
+        Before this change, our HTML parser obeys the following premises:
+) A fostering child whose parent is a table should be inserted before its parent and under its grandparent.
+) When inserting into a template element, an element should be inserted into its content.
+        Let's walk through the example:
+        a) Before eventhandler takes place
+        template
+        table
+            svg <- parser
+        b) After eventhandler takes place
+        template
+            table
+                svg <- parser
+        c) after parsing svg
+        template
+            content
+                svg
+                (table)
+            table
+        Finally, in the example, the svg element will be inserted into the content of the template element while
+        having its next sibling point to the table element. However, the table element is actually under the
+        template element not its content.
+        This messy tree is constructed because the second premise is incompleted. It should be: When inserting into
+        a template element, an element should be inserted into its content as its last child.
+        Quoted from Step 3 of https://html.spec.whatwg.org/multipage/syntax.html#appropriate-place-for-inserting-a-node
+        A correct tree will then looks like:
+        template
+            content
+                svg
+            table
+        Tests: fast/dom/HTMLTemplateElement/insert-fostering-child-crash.html
+               fast/dom/HTMLTemplateElement/insert-fostering-child.html
+        * html/parser/HTMLConstructionSite.cpp:
+        (WebCore::insert):
+        By nullifying task.nextChild, it will force the parser to append the element as task.parent's last child.
+-05-15  Jiewen Tan  <jiewen_tan@apple.com>
+        Replace CryptoOperationData with BufferSource for WebKitSubtleCrypto
+        https://bugs.webkit.org/show_bug.cgi?id=172146
+        <rdar://problem/32122256>
+        Reviewed by Brent Fulgham.
+        In this patch, we replaces CryptoOperationData with BufferSource for WebKitSubtleCrypto in
+        the custom binding codes.
+        Test: crypto/webkitSubtle/import-export-raw-key-leak.html
+        * bindings/js/JSWebKitSubtleCryptoCustom.cpp:
+        (WebCore::JSWebKitSubtleCrypto::encrypt):
+        (WebCore::JSWebKitSubtleCrypto::decrypt):
+        (WebCore::JSWebKitSubtleCrypto::sign):
+        (WebCore::JSWebKitSubtleCrypto::verify):
+        (WebCore::JSWebKitSubtleCrypto::digest):
+        (WebCore::JSWebKitSubtleCrypto::importKey):
+        (WebCore::JSWebKitSubtleCrypto::unwrapKey):
+        * crypto/WebKitSubtleCrypto.idl:
+-05-13  Zalan Bujtas  <zalan@apple.com>
+        AccessibilityRenderObject::textUnderElement needs to assert on unclean tree.
+        https://bugs.webkit.org/show_bug.cgi?id=172065
+        Reviewed by Simon Fraser.
+        r192103 changed the assert logic incorrectly. If the tree is dirty, regardless of the renderer's type,
+        TextIterator will end up forcing style update/layout on the render tree.
+        The original assert would have hit with bug 171546 prior to r216726.
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::textUnderElement):
+-05-11  Zalan Bujtas  <zalan@apple.com>
+        AX: Defer text changes until after the tree is clean if needed.
+        https://bugs.webkit.org/show_bug.cgi?id=171546
+        <rdar://problem/31934942>
+        Reviewed by Simon Fraser.
+        While updating an accessibility object state, we might
+        trigger unintentional style updates. This style update could
+        end up destroying renderes that are still referenced by functions
+        on the callstack.
+        To avoid that, defer such changes and let AXObjectCache operate on a clean tree.
+        Test: accessibility/crash-when-render-tree-is-not-clean.html
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::remove):
+        (WebCore::AXObjectCache::handleAttributeChanged):
+        (WebCore::AXObjectCache::labelChanged):
+        (WebCore::AXObjectCache::performDeferredCacheUpdate):
+        (WebCore::AXObjectCache::deferRecomputeIsIgnored):
+        (WebCore::AXObjectCache::deferTextChangedIfNeeded):
+        (WebCore::AXObjectCache::recomputeDeferredIsIgnored): Deleted.
+        (WebCore::AXObjectCache::deferTextChanged): Deleted.
+        * accessibility/AXObjectCache.h: Decouple different type of changes.
+        (WebCore::AXObjectCache::deferRecomputeIsIgnored):
+        (WebCore::AXObjectCache::deferTextChangedIfNeeded):
+        (WebCore::AXObjectCache::recomputeDeferredIsIgnored): Deleted.
+        (WebCore::AXObjectCache::deferTextChanged): Deleted.
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::deleteLines):
+        * rendering/RenderBlockLineLayout.cpp:
+        (WebCore::RenderBlockFlow::createAndAppendRootInlineBox):
+        * rendering/RenderText.cpp:
+        (WebCore::RenderText::setText):
+-05-02  Zalan Bujtas  <zalan@apple.com>
+        Defer AX cache update when text content changes until after layout is finished.
+        https://bugs.webkit.org/show_bug.cgi?id=171429
+        <rdar://problem/31885984>
+        Reviewed by Simon Fraser.
+        When the content of the RenderText changes (even as the result of a text-transform change)
+        instead of updating the AX cache eagerly (and trigger layout on a half-backed render tree)
+        we should just defer it until after the subsequent layout is done.
+        Test: accessibility/crash-while-adding-text-child-with-transform.html
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::remove):
+        (WebCore::AXObjectCache::performDeferredCacheUpdate):
+        (WebCore::AXObjectCache::recomputeDeferredIsIgnored):
+        (WebCore::AXObjectCache::deferTextChanged):
+        (WebCore::AXObjectCache::performDeferredIsIgnoredChange): Deleted.
+        * accessibility/AXObjectCache.h:
+        (WebCore::AXObjectCache::deferTextChanged):
+        (WebCore::AXObjectCache::performDeferredCacheUpdate):
+        (WebCore::AXObjectCache::performDeferredIsIgnoredChange): Deleted.
+        * page/FrameView.cpp:
+        (WebCore::FrameView::performPostLayoutTasks):
+        * rendering/RenderText.cpp:
+        (WebCore::RenderText::setText):
+-06-19  Brady Eidson  <beidson@apple.com>
+        Various IndexedDB crashes as an after effect of previous test.
+        <rdar://problem/31418761> and https://bugs.webkit.org/show_bug.cgi?id=170436
+        Reviewed by Chris Dumez.
+        No new test (No consistent test possible, in practice covered by all existing IDB tests)
+        This is timing related, where a UniqueIDBDatabase can be destroyed on the main thread while
+        it still has one task left to try to execute on the IDBServer thread.
+        The background thread tasks don't Ref<> the UniqueIDBDatabase, so even though task execution
+        took a Ref<> protector, there was still a small window for a race.
+        Should be closed up by making the background thread tasks themselves protect this.
+        * Modules/indexeddb/server/UniqueIDBDatabase.cpp:
+        (WebCore::IDBServer::UniqueIDBDatabase::postDatabaseTask):
+        (WebCore::IDBServer::UniqueIDBDatabase::postDatabaseTaskReply):
+        (WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTask):
+        (WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply):
+        * Modules/indexeddb/server/UniqueIDBDatabase.h:
+-06-18  Carlos Garcia Campos  <cgarcia@igalia.com>
+        [GStreamer] MainThreadNotifier ASSERTION FAILED: m_boundThread == currentThread() in _WebKitWebSrcPrivate::~_WebKitWebSrcPrivate
+        https://bugs.webkit.org/show_bug.cgi?id=152043
+        Reviewed by Xabier Rodriguez-Calvar.
+        Stop using a WeakPtr in MainThreadNotifier, because it's not thread safe, which causes a crash in debug builds when
+        the notifier is destroyed in a different thread. Make MainThreadNotifier thread safe refcounted instead, and add
+        an invalidate() method to mark it as invalid.
+        * platform/graphics/gstreamer/InbandTextTrackPrivateGStreamer.cpp:
+        (WebCore::InbandTextTrackPrivateGStreamer::handleSample):
+        (WebCore::InbandTextTrackPrivateGStreamer::streamChanged):
+        * platform/graphics/gstreamer/MainThreadNotifier.h:
+        (WebCore::MainThreadNotifier::MainThreadNotifier): Deleted.
+        (WebCore::MainThreadNotifier::notify): Deleted.
+        (WebCore::MainThreadNotifier::cancelPendingNotifications): Deleted.
+        (WebCore::MainThreadNotifier::addPendingNotification): Deleted.
+        (WebCore::MainThreadNotifier::removePendingNotification): Deleted.
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
+        (WebCore::MediaPlayerPrivateGStreamer::videoChangedCallback):
+        (WebCore::MediaPlayerPrivateGStreamer::videoSinkCapsChangedCallback):
+        (WebCore::MediaPlayerPrivateGStreamer::audioChangedCallback):
+        (WebCore::MediaPlayerPrivateGStreamer::textChangedCallback):
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:
+        (WebCore::MediaPlayerPrivateGStreamerBase::MediaPlayerPrivateGStreamerBase):
+        (WebCore::MediaPlayerPrivateGStreamerBase::~MediaPlayerPrivateGStreamerBase):
+        (WebCore::MediaPlayerPrivateGStreamerBase::volumeChangedCallback):
+        (WebCore::MediaPlayerPrivateGStreamerBase::muteChangedCallback):
+        (WebCore::MediaPlayerPrivateGStreamerBase::triggerRepaint):
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h:
+        * platform/graphics/gstreamer/TrackPrivateBaseGStreamer.cpp:
+        (WebCore::TrackPrivateBaseGStreamer::TrackPrivateBaseGStreamer):
+        (WebCore::TrackPrivateBaseGStreamer::~TrackPrivateBaseGStreamer):
+        (WebCore::TrackPrivateBaseGStreamer::disconnect):
+        (WebCore::TrackPrivateBaseGStreamer::activeChangedCallback):
+        (WebCore::TrackPrivateBaseGStreamer::tagsChanged):
+        * platform/graphics/gstreamer/TrackPrivateBaseGStreamer.h:
+        * platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
+        (webkit_web_src_init):
+        (webKitWebSrcDispose):
+        (webKitWebSrcStop):
+        (webKitWebSrcStart):
+        (webKitWebSrcNeedData):
+        (webKitWebSrcEnoughData):
+        (webKitWebSrcSeek):
+-06-17  Antti Koivisto  <antti@apple.com>
+        Crash due to infinite recursion via FrameSelection::updateAppearanceAfterLayout
+        https://bugs.webkit.org/show_bug.cgi?id=173468
+        Reviewed by Ryosuke Niwa.
+        Test: editing/selection/updateAppearanceAfterLayout-recursion.html
+        Calling FrameSelection::updateAppearanceAfterLayout() from Document::resolveStyle is unsafe
+        because it may cause another call to resolveStyle. We have some cases where the style
+        is still unclean when updateAppearanceAfterLayout() is called. This can lead to infinite
+        recursion.
+        The test case is not the common stack seen in CrashTracer (couldn't quit replicate it) but
+        the updateAppearanceAfterLayout/resolveStyle recursion is the same.
+        * dom/Document.cpp:
+        (WebCore::Document::resolveStyle):
+            Normally selection appearance update is done in post-layout but not all style resolutions schedule a layout.
+            Invoke it asynchronously in that case instead of the previous synchronous call.
+        * editing/FrameSelection.cpp:
+        (WebCore::FrameSelection::FrameSelection):
+        (WebCore::FrameSelection::updateAppearanceAfterLayout):
+        (WebCore::FrameSelection::scheduleAppearanceUpdateAfterStyleChange):
+        (WebCore::FrameSelection::appearanceUpdateTimerFired):
+        (WebCore::FrameSelection::updateAppearanceAfterLayoutOrStyleChange):
+        * editing/FrameSelection.h:
+-06-17  Ryosuke Niwa  <rniwa@webkit.org>
+        REGRESSION(r209495): materiauxlaverdure.com fails to load
+        https://bugs.webkit.org/show_bug.cgi?id=173301
+        <rdar://problem/32624850>
+        Reviewed by Antti Koivisto.
+        The bug was caused by WebKit wrapping CSS string values with single quotation marks instead of
+        double quotation marks as spec'ed in https://drafts.csswg.org/cssom/#serialize-a-string and
+        implemented in Firefox and Chrome.
+        The website eval's the computed value of the `content` CSS property with the value `'{name: "flat"}'`
+        after stripping single quotation marks from both ends. Prior to r209495, WebKit serialized this CSS value
+        in single quotations without escaping double quotations. After r209495, double quotations are escaped
+        with backslashes as `'{name: \"flat\"}'`. As a result, `eval` is invoked with `{name: \"flat\"}`
+        after stripping single quotations from both ends, which resulted in an exception.
+        Chrome and Firefox don't encounter this exception despite of the fact they escape double quotations
+        as well because serialize with double quotations as `"{name: \"flat\"}"`. Because there is no code
+        to strip double quotations, eval is invoked with the same string, resulting in the entire value as
+        being parsed as string, instead of an object with a single key "name" with the value of "flat" as
+        was the case in WebKit prior to r209495. While this behavior was most certainly not the intent of
+        the website author, Chrome and Firefox don't encounter an exception and the website continues to work.
+        This patch aligns WebKit's behavior to that of the CSS OM specification, Firefox, and Chrome by
+        serializing CSS string values using double quotation marks instead of single quotation marks.
+        Note: inline change log comments are added below for every call site of serializeString for clarity.
+        Test: fast/css/getPropertyValue-serialization-with-double-quotes.html
+        * css/CSSBasicShapes.cpp:
+        (WebCore::buildPathString): Use double quotation marks in path(~) of shapes.
+        * css/CSSMarkup.cpp:
+        (WebCore::serializeString):
+        (WebCore::serializeURL): Use double quotation marks to serialize URLs.
+        (WebCore::serializeAsStringOrCustomIdent): Use double quotation marks to serialize strings. We still avoid
+        using wrapping the value with double quotations when the value can be an identifier. See r209495.
+        (WebCore::serializeFontFamily): Ditto for font-family names such as "San Francisco".
+        * css/CSSMarkup.h:
+        * css/CSSNamespaceRule.cpp:
+        (WebCore::CSSNamespaceRule::cssText): Use double quotation marks to serialize namespace URIs.
+        * css/CSSPrimitiveValue.cpp:
+        (WebCore::CSSPrimitiveValue::formatNumberForCustomCSSText): Use double quotation marks to serialize
+        the separators; e.g. counter(sectionNumber, ".") to produce "1.".
+        * css/CSSSelector.cpp:
+        (WebCore::CSSSelector::selectorText): Use double quotation marks to serialize attribute values.
+        * css/parser/CSSParserToken.cpp:
+        (WebCore::CSSParserToken::serialize): Use double quotation marks to serialize strings in @support.
+        * editing/EditingStyle.cpp:
+        (WebCore::StyleChange::extractTextStyles): Updated to strip double quotation marks in font family names to
+        maintain the compatibility with old versions of Microsoft Outlook.
+        * html/HTMLElement.cpp:
+        (WebCore::HTMLElement::mapLanguageAttributeToLocale): Use double quotations marks to serialize the value
+        of the lang content attribute. It doesn't matter which one is used here because it's only a temporary value
+        only fed into the CSS parser to set the equivalent CSS value from the content attribute.
+-06-14  Miguel Gomez  <magomez@igalia.com>
+        REGRESSION(r216901): ImageDecoders: rendering of large images is broken since r216901
+        https://bugs.webkit.org/show_bug.cgi?id=172502
+        Reviewed by Carlos Garcia Campos.
+        When using GTK and WPE image decoders, the decoded frames are stored inside a Vector of
+        ImageFrames inside the decoders. These ImageFrames have and ImageBackingStore with the
+        pixels. When a NativeImagePtr is requested, a cairo surface is created from the data
+        in those ImageBackingStores, but the data keeps being owned by the backing stores. Due
+        to this, if the decoder that created the image gets destroyed, the backing stores for
+        the decoded frames get destroyed as well, causing the cairo surfaces that were using
+        that data to contain garbage (and potentially cause a crash).
+        To fix this, we change ImageBackingStore so the pixels are stored in a SharedBuffer. The
+        buffer will be reffed everytime a cairo surface is created with it, and the cairo surfaces
+        will unref the buffer when they are destroyed. This way, the pixel data won't be freed
+        while there are cairo surfaces using it.
+        No new tests, no behaviour change.
+        * platform/graphics/ImageBackingStore.h:
+        (WebCore::ImageBackingStore::setSize):
+        (WebCore::ImageBackingStore::ImageBackingStore):
+        * platform/image-decoders/cairo/ImageBackingStoreCairo.cpp:
+        (WebCore::ImageBackingStore::image):
+-06-13  Jer Noble  <jer.noble@apple.com>
+        Protect lifetime of media element during HTMLMediaElement::notifyAboutPlaying()
+        https://bugs.webkit.org/show_bug.cgi?id=173320
+        <rdar://problem/32590276>
+        Reviewed by Brent Fulgham.
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::notifyAboutPlaying):
+-06-09  Brady Eidson  <beidson@apple.com>
+        Crash when IndexedDB's getAll is used inside a Web Worker.
+        https://bugs.webkit.org/show_bug.cgi?id=172434
+        Reviewed by Andy Estes.
+        Test: storage/indexeddb/modern/worker-getall.html
+        * Modules/indexeddb/IDBGetAllResult.cpp:
+        (WebCore::IDBGetAllResult::IDBGetAllResult): Add an isolated-copying constructor.
+        (WebCore::IDBGetAllResult::isolatedCopy):
+        * Modules/indexeddb/IDBGetAllResult.h:
+        * Modules/indexeddb/shared/IDBResultData.cpp:
+        (WebCore::IDBResultData::isolatedCopy): Actually copy the IDBGetAllResult.
+-06-08  Ryosuke Niwa  <rniwa@webkit.org>
+        Crash inside InsertNodeBeforeCommand via InsertParagraphSeparatorCommand
+        https://bugs.webkit.org/show_bug.cgi?id=173085
+        <rdar://problem/32575059>
+        Reviewed by Wenson Hsieh.
+        The crash was caused by the condition to check for special cases failing when visiblePos is null.
+        Exit early in these extreme cases.
+        Also replaced the use of deprecatedNode and deprecatedEditingOffset to modern idioms.
+        Test: editing/inserting/insert-horizontal-rule-in-empty-document-crash.html
+        * editing/InsertParagraphSeparatorCommand.cpp:
+        (WebCore::InsertParagraphSeparatorCommand::doApply):
+-06-06  Zalan Bujtas  <zalan@apple.com>
+        Safari doesn't load newest The Order of the Stick comic.
+        https://bugs.webkit.org/show_bug.cgi?id=172949
+        <rdar://problem/32389730>
+        Reviewed by Antti Koivisto.
+        As part of the table layout, RenderTableSection::layoutRows calls the RenderTableCell's layout() directly
+        (skipping the RenderTableRow parent). If during this call the RenderTableCell (or any of its descendant) marks the ancestor
+        chain dirty, this dirty flag on the RenderTableRows will never be cleared and we'll end up early returning from RenderTableSection::paint.
+        For certain type of float objects, we need to invalidate the line layout path during layout (and we mark the ancestors dirty).
+        This patch takes a conservative approach and marks the ancestors dirty only when the renderer is not dirty yet, but
+        as part of webkit.org/b/172947 we should revisit and validate whether the setNeedsLayout() is required at all.
+        Test: fast/table/floating-table-sibling-is-invisible.html
+        * rendering/RenderBlockFlow.cpp:
+        (WebCore::RenderBlockFlow::invalidateLineLayoutPath):
+-06-05  Zalan Bujtas  <zalan@apple.com>
+        Destroy the associated renderer subtree when display: contents node is deleted.
+        https://bugs.webkit.org/show_bug.cgi?id=172920
+        <rdar://problem/32446045>
+        Reviewed by Antti Koivisto.
+        Since display: contents node does not create a renderer, we need to explicitly check
+        and distinguish it from the display: none case.
+        Covered by existing tests.
+        * dom/ContainerNode.cpp:
+        (WebCore::destroyRenderTreeIfNeeded):
+        * dom/Node.cpp:
+        (WebCore::Node::~Node): Promote ASSERT(!renderer()) to ASSERT_WITH_SECURITY_IMPLICATION.
+        * dom/Text.cpp:
+        (WebCore::Text::~Text): Redundant assert. Text is a Node.
+-06-05  Carlos Garcia Campos  <cgarcia@igalia.com>
+        [GStreamer] Deadlock in MediaPlayerPrivateGStreamer::changePipelineState, web process often locks up on seeking in a youtube video that has already fully buffered
+        https://bugs.webkit.org/show_bug.cgi?id=170003
+        Reviewed by Michael Catanzaro.
+        When video sink is requested to render a frame, the GstBaseSink preroll mutex is taken. Then WebKit media player
+        schedules a repaint in the main thread, taking the draw mutex and waiting on draw condition. It can happen that
+        before the repaint is done in the main thread, a pause is requested in the main thread, causing a change state
+        from PLAYING to PAUSE. When the change state reaches the video sink gst_base_sink_change_state() tries to get
+        the preroll mutex. This causes a deadlock because the main thread is waiting to get the preroll mutex, but the
+        other thread is waiting for the main thread to do the repaint. GStreamer handles this case by calling unlock()
+        on the video sink before trying to get the preroll mutex, but the media player doesn't cancel the pending
+        repaint when using coordinated graphics. This patch adds a new signal to WebKitVideoSink "repaint-cancelled" to
+        notify the media player to cancel the pending prepaint.
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:
+        (WebCore::MediaPlayerPrivateGStreamerBase::cancelRepaint): Release the draw mutex and notify the condition.
+        (WebCore::MediaPlayerPrivateGStreamerBase::repaintCancelledCallback): Call cancelRepaint().
+        (WebCore::MediaPlayerPrivateGStreamerBase::createVideoSink): Connect to WebKitVideoSink::repaint-cancelled.
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h:
+        * platform/graphics/gstreamer/VideoSinkGStreamer.cpp:
+        (webkitVideoSinkRepaintCancelled): Emit WebKitVideoSink::repaint-cancelled.
+        (webkitVideoSinkUnlock): Call webkitVideoSinkRepaintCancelled().
+        (webkitVideoSinkStop): Ditto.
+        (webkit_video_sink_class_init): Add WebKitVideoSink::repaint-cancelled signal.
+-06-01  Carlos Garcia Campos  <cgarcia@igalia.com>
+        [GTK] Cache RenderThemeGadget hierarchies for rendering themed elements with GTK+ 3.20+
+        https://bugs.webkit.org/show_bug.cgi?id=162673
+        Reviewed by Michael Catanzaro.
+        Because of the way the new theming system works in GTK+ >= 3.20 we are currently creating a gadget hierarchy
+        every time we need to render a styled element or get layout information about it. That's happening on every
+        repaint, and it's specially problematic for overlay scrollbar indicators that fade in/out when shown/hidden. We
+        need to cache the gadgets and simply apply the state before every paint or layout query. When using GtkWidgetPath,
+        calling gtk_style_context_save() breaks the gadget hierarchy, and style classes need to be set when building the
+        GtkWidgetPath. That means we can't cache RenderThemeGadgets, call save, apply style classes and state, and then
+        call restore. We need to cache gadget hierarchies with fixed style classes. Fortunately, setting the state does
+        work, so we don't need to also cache a different hierarchy for every possible state. For example, for the
+        particular case of scrollbars we would cache VerticalScrollbarRight, VerticalScrollbarLeft, HorizontalScrollbar,
+        VerticalScrollIndicatorRight, VerticalScrollIndicatorLeft and HorizontalScrollIndicator. In practice, we will
+        only have 4 of those at the same time in the cache.
+        This patch adds RenderThemeWidget to represent a hierarchy of gadgets with fixed style classes that can be
+        cached and reused to render or query style of those "widgets". It also simplifies the RenderThemeGtk and
+        ScrollbarThemeGtk code by removing a lot of duplicated code to build the gadget hierarchies.
+        * PlatformGTK.cmake:
+        * platform/gtk/RenderThemeGadget.cpp:
+        (WebCore::createStyleContext):
+        (WebCore::appendElementToPath):
+        (WebCore::RenderThemeGadget::state):
+        (WebCore::RenderThemeGadget::setState):
+        * platform/gtk/RenderThemeGadget.h:
+        * platform/gtk/RenderThemeWidget.cpp: Added.
+        (WebCore::widgetMap):
+        (WebCore::RenderThemeWidget::getOrCreate):
+        (WebCore::RenderThemeWidget::clearCache):
+        (WebCore::RenderThemeWidget::~RenderThemeWidget):
+        (WebCore::RenderThemeScrollbar::RenderThemeScrollbar):
+        (WebCore::RenderThemeScrollbar::stepper):
+        (WebCore::RenderThemeToggleButton::RenderThemeToggleButton):
+        (WebCore::RenderThemeButton::RenderThemeButton):
+        (WebCore::RenderThemeComboBox::RenderThemeComboBox):
+        (WebCore::RenderThemeEntry::RenderThemeEntry):
+        (WebCore::RenderThemeSearchEntry::RenderThemeSearchEntry):
+        (WebCore::RenderThemeSpinButton::RenderThemeSpinButton):
+        (WebCore::RenderThemeSlider::RenderThemeSlider):
+        (WebCore::RenderThemeProgressBar::RenderThemeProgressBar):
+        (WebCore::RenderThemeListView::RenderThemeListView):
+        (WebCore::RenderThemeIcon::RenderThemeIcon):
+        * platform/gtk/RenderThemeWidget.h: Added.
+        (WebCore::RenderThemeEntry::entry):
+        (WebCore::RenderThemeEntry::selection):
+        * platform/gtk/ScrollbarThemeGtk.cpp:
+        (WebCore::ScrollbarThemeGtk::themeChanged):
+        (WebCore::ScrollbarThemeGtk::updateThemeProperties):
+        (WebCore::widgetTypeForScrollbar):
+        (WebCore::contentsRectangle):
+        (WebCore::ScrollbarThemeGtk::trackRect):
+        (WebCore::ScrollbarThemeGtk::backButtonRect):
+        (WebCore::ScrollbarThemeGtk::forwardButtonRect):
+        (WebCore::ScrollbarThemeGtk::paint):
+        (WebCore::ScrollbarThemeGtk::scrollbarThickness):
+        (WebCore::ScrollbarThemeGtk::minimumThumbLength):
+        * rendering/RenderThemeGtk.cpp:
+        (WebCore::createStyleContext):
+        (WebCore::setToggleSize):
+        (WebCore::paintToggle):
+        (WebCore::RenderThemeGtk::paintButton):
+        (WebCore::menuListColor):
+        (WebCore::RenderThemeGtk::popupInternalPaddingBox):
+        (WebCore::RenderThemeGtk::paintMenuList):
+        (WebCore::RenderThemeGtk::adjustTextFieldStyle):
+        (WebCore::RenderThemeGtk::paintTextField):
+        (WebCore::adjustSearchFieldIconStyle):
+        (WebCore::paintSearchFieldIcon):
+        (WebCore::RenderThemeGtk::paintSliderTrack):
+        (WebCore::RenderThemeGtk::adjustSliderThumbSize):
+        (WebCore::RenderThemeGtk::paintSliderThumb):
+        (WebCore::RenderThemeGtk::progressBarRectForBounds):
+        (WebCore::RenderThemeGtk::paintProgressBar):
+        (WebCore::RenderThemeGtk::adjustInnerSpinButtonStyle):
+        (WebCore::RenderThemeGtk::paintInnerSpinButton):
+        (WebCore::styleColor):
+        (WebCore::RenderThemeGtk::platformActiveSelectionBackgroundColor):
+        (WebCore::RenderThemeGtk::platformInactiveSelectionBackgroundColor):
+        (WebCore::RenderThemeGtk::platformActiveSelectionForegroundColor):
+        (WebCore::RenderThemeGtk::platformInactiveSelectionForegroundColor):
+        (WebCore::RenderThemeGtk::paintMediaButton):
+-06-01  Chris Dumez  <cdumez@apple.com>
+        Make WebCore::defaultPortForProtocol() thread-safe
+        https://bugs.webkit.org/show_bug.cgi?id=172797
+        Reviewed by Brent Fulgham.
+        Make WebCore::defaultPortForProtocol() thread-safe since it is called from the SecurityOrigin
+        constructor and SecurityOrigin objects are constructed from various threads.
+        This should not regress the non-testing code paths since we only pay locking costs if
+        a default port override has been set by the tests.
+        * platform/URL.cpp:
+        (WebCore::defaultPortForProtocolMapLock):
+        (WebCore::defaultPortForProtocolMapForTesting):
+        (WebCore::ensureDefaultPortForProtocolMapForTesting):
+        (WebCore::registerDefaultPortForProtocolForTesting):
+        (WebCore::clearDefaultPortForProtocolMapForTesting):
+        (WebCore::defaultPortForProtocol):
+-05-30  Dan Bernstein  <mitz@apple.com>
+        Fixed the build after r217588.
+        * page/FrameView.h: Stopped exporting a function defined inline.
+-05-30  Zalan Bujtas  <zalan@apple.com>
+        ASSERTION FAILED: m_layoutPhase == InPostLayerPositionsUpdatedAfterLayout || m_layoutPhase == OutsideLayout
+        https://bugs.webkit.org/show_bug.cgi?id=171501
+        <rdar://problem/31977453>
+        Reviewed by Simon Fraser.
+        We should be able to paint as long as the tree is clean and we are in paintable state.
+        * page/FrameView.cpp:
+        (WebCore::FrameView::paintContents):
+-05-30  Jeremy Jones  <jeremyj@apple.com>
+        m_resourceSelectionTaskQueue tasks should be cleared when player is destroyed to prevent invalid state.
+        https://bugs.webkit.org/show_bug.cgi?id=172726
+        rdar://problem/30867764
+        Reviewed by Eric Carlson.
+        I haven't found a reproducible way to make a test case for this race condition.
+        If m_player is cleared while there is an outstanding task in m_resourceSelectionTaskQueue,
+        that task may assume m_player is not null and crash. It is better to cancel that task than
+        to perform it part way with null checks.
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::~HTMLMediaElement):
+        (WebCore::HTMLMediaElement::clearMediaPlayer):
+-05-27  Zalan Bujtas  <zalan@apple.com>
+        enclosingIntRect returns a rect with -1 width/height when the input FloatRect overflows integer.
+        https://bugs.webkit.org/show_bug.cgi?id=172676
+        Reviewed by Simon Fraser.
+        Clamp integer values soon after the enclosing rectangle is resolved.
+        * platform/graphics/FloatRect.cpp:
+        (WebCore::enclosingIntRect):
+-05-26  Youenn Fablet  <youenn@apple.com>
+        Minor clean-up related to DocumentThreadableLoader redirections
+        https://bugs.webkit.org/show_bug.cgi?id=172647
+        Reviewed by Chris Dumez.
+        No change of behavior.
+        Decrementing m_options redirect count directly instead of using an
+        additional counter.
+        To compare whether two URLs are same-origin, use scheme+host+port check
+        as per the spec.
+        This is fine as only the initial origin may have specific rules and we
+        are using the scheme+host+port checks when already being gone to
+        another origin.
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::redirectReceived):
+        * loader/DocumentThreadableLoader.h:
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
+-05-25  Chris Dumez  <cdumez@apple.com>
+        imported/w3c/web-platform-tests/html/semantics/forms/form-control-infrastructure/form_owner_and_table_2.html is crashing
+        https://bugs.webkit.org/show_bug.cgi?id=172628
+        <rdar://problem/32418707>
+        Reviewed by Sam Weinig.
+        In the event where a form is removed synchronously by a script during parsing,
+        FormAssociatedElement::m_formSetByParser may end up referring to a form that
+        is no longer in the document. As a result, we should make sure m_formSetByParser
+        is still connected in FormAssociatedElement::insertedInto() before we call
+        FormAssociatedElement::setForm(m_formSetByParser).
+        Test: fast/dom/HTMLFormElement/form-removed-during-parsing-crash.html
+        * html/FormAssociatedElement.cpp:
+        (WebCore::FormAssociatedElement::insertedInto):
+-05-25  Zalan Bujtas  <zalan@apple.com>
+        Frame's composited content is visible when the frame has visibility: hidden.
+        https://bugs.webkit.org/show_bug.cgi?id=125565
+        <rdar://problem/32196849>
+        Reviewed by Simon Fraser.
+        Do not construct composited layers for hidden RenderWidgets (frameset, iframe, object).
+        Note that we still construct layers for the associated renderers as usual.
+        Tests: compositing/visibility/frameset-visibility-hidden.html
+               compositing/visibility/iframe-visibility-hidden.html
+               compositing/visibility/object-visibility-hidden.html
+        * rendering/RenderLayerCompositor.cpp:
+        (WebCore::RenderLayerCompositor::requiresCompositingForPlugin):
+        (WebCore::RenderLayerCompositor::requiresCompositingForFrame):
+-05-25  Chris Dumez  <cdumez@apple.com>
+        DocumentThreadableLoader::redirectReceived() should not rely on the resource's loader
+        https://bugs.webkit.org/show_bug.cgi?id=172578
+        <rdar://problem/30754582>
+        Reviewed by Youenn Fablet.
+        DocumentThreadableLoader::redirectReceived() should not rely on the resource's loader. The rest of the methods do not.
+        It is unsafe for it to rely on the resource's loader because it gets cleared when the load completes. A CachedRawresource
+        may be reused from the memory cache once its load has completed.
+        This would cause crashes in CachedRawResource::didAddClient() when replaying the redirects because it would call
+        DocumentThreadableLoader::redirectReceived() and potentially not have a loader anymore. To hit this exact code path,
+        you would need to make repeated XHR to a cacheable simple cross-origin resource that has cacheable redirect.
+        Test: http/tests/xmlhttprequest/cacheable-cross-origin-redirect-crash.html
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::redirectReceived):
+        * loader/DocumentThreadableLoader.h:
+-05-25  Zalan Bujtas  <zalan@apple.com>
+        ASSERTION FAILED: !needsStyleRecalc() || !document().childNeedsStyleRecalc()
+        https://bugs.webkit.org/show_bug.cgi?id=172576
+        <rdar://problem/32181979>
+        Reviewed by Brent Fulgham.
+        Ensure that we clean the subframe's document before start searching for a focusable element.
+        Covered by existing test.
+        * page/FocusController.cpp:
+        (WebCore::FocusController::findFocusableElementDescendingDownIntoFrameDocument):
+-05-24  Jiewen Tan  <jiewen_tan@apple.com>
+        Crash on WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance + 1195
+        https://bugs.webkit.org/show_bug.cgi?id=172555
+        <rdar://problem/32004724>
+        Reviewed by Ryosuke Niwa.
+        setSelectionWithoutUpdatingAppearance could dispatch a synchronous focusin event,
+        which could invoke an event handler that deteles the frame. Therefore, add a
+        protector before the call.
+        Test: editing/selection/select-iframe-focusin-document-crash.html
+        * editing/FrameSelection.cpp:
+        (WebCore::FrameSelection::setSelection):
+-05-23  Zalan Bujtas  <zalan@apple.com>
+        ASSERTION FAILED: !renderer().view().needsLayout() while running media/video-main-content-autoplay.html
+        https://bugs.webkit.org/show_bug.cgi?id=172476
+        Reviewed by Simon Fraser.
+        This patch decouples the layout call logic from the post layout task timer setup.
+        Just because we are switching over to asynchronous performPostLayoutTasks() it should not stop us from
+        running layout on a dirty tree (we could encounter a forced layout (which sets m_postLayoutTasksTimer active)
+        and a subsequent tree mutation during performPostLayoutTasks()).
+        There are a few different ways to end up here:
+        root layout is done -> call performPostLayoutTasks() synchronously ->
+. tree stays clean -> no action needed.
+. tree gets dirty -> setup performPostLayoutTasks timer -> run nested layout -> since m_postLayoutTasksTimer is active()
+        we don't try to run performPostLayoutTasks() while in the nested layout and we return with a clean tree.
+        * page/FrameView.cpp:
+        (WebCore::FrameView::layout):
+-03-24  Brent Fulgham  <bfulgham@apple.com>
+        Handle recursive calls to ProcessingInstruction::checkStyleSheet
+        https://bugs.webkit.org/show_bug.cgi?id=169982
+        <rdar://problem/31083051>
+        Reviewed by Antti Koivisto.
+       See if we triggered a recursive load of the stylesheet during the 'beforeload'
+       event handler. If so, reset to a valid state before completing the load.
+       We should also check after 'beforeload' that we were not disconnected from (or
+       moved to a new) document.
+       I also looked for other cases of this pattern and fixed them, too.
+       Tests: fast/dom/beforeload/image-removed-during-before-load.html
+               fast/dom/beforeload/recursive-css-pi-before-load.html
+               fast/dom/beforeload/recursive-link-before-load.html
+               fast/dom/beforeload/recursive-xsl-pi-before-load.html
+        * dom/ProcessingInstruction.cpp:
+        (WebCore::ProcessingInstruction::clearExistingCachedSheet): Added.
+        (WebCore::ProcessingInstruction::checkStyleSheet): Prevent recursive calls into
+        this function during 'beforeload' handling. Also, safely handle the case where
+        the element was disconnected in the 'beforeload' handler (similar to what
+        we do in HTMLLinkElement).
+        (WebCore::ProcessingInstruction::setCSSStyleSheet): Drive-by Fix: Protect the
+        current document to match what we do in setXSLStyleSheet.
+        * dom/ProcessingInstruction.h:
+        * html/HTMLLinkElement.cpp:
+        (WebCore::HTMLLinkElement::process): Prevent recursive calls into
+        this function during 'beforeload' handling.
+        * html/HTMLLinkElement.h:
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::dispatchPendingBeforeLoadEvent): safely handle the case where
+        the element was disconnected in the 'beforeload' handler (similar to what
+        we do in HTMLLinkElement).
+        * style/StyleScope.cpp:
+        (WebCore::Style::Scope::hasPendingSheet): Added.
+        * style/StyleScope.h:
 -04-09  Fujii Hironori  <Hironori.Fujii@sony.com>

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBGetAllResult.cpp ¶

-              r217367
+              r219817
+}
+IDBGetAllResult::IDBGetAllResult(const IDBGetAllResult& that, IsolatedCopyTag)
+{
+    isolatedCopy(that, *this);
+}
 IDBGetAllResult IDBGetAllResult::isolatedCopy() const
+{
     IDBGetAllResult result;
+    result.m_type = m_type;
+    return { *this, IsolatedCopy };
+}
+    if (WTF::holds_alternative<std::nullptr_t>(m_results))
+        return result;
+void IDBGetAllResult::isolatedCopy(const IDBGetAllResult& source, IDBGetAllResult& destination)
+{
+    destination.m_type = source.m_type;
+    switch (m_type) {
+    if (WTF::holds_alternative<std::nullptr_t>(source.m_results))
+        return;
+    switch (source.m_type) {
     case IndexedDB::GetAllType::Keys:
         isolatedCopyOfVariant<IDBKeyData>(m_results, result.m_results);
+        isolatedCopyOfVariant<IDBKeyData>(source.m_results, destination.m_results);
         break;
     case IndexedDB::GetAllType::Values:
         isolatedCopyOfVariant<IDBValue>(m_results, result.m_results);
+        isolatedCopyOfVariant<IDBValue>(source.m_results, destination.m_results);
         break;
+    }
-    return result;
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBGetAllResult.h ¶

-              r217367
+              r219817
+    }
+    enum IsolatedCopyTag { IsolatedCopy };
+    IDBGetAllResult(const IDBGetAllResult&, IsolatedCopyTag);
     IDBGetAllResult isolatedCopy() const;
 …
 private:
+    static void isolatedCopy(const IDBGetAllResult& source, IDBGetAllResult& destination);
     IndexedDB::GetAllType m_type { IndexedDB::GetAllType::Keys };
     WTF::Variant<Vector<IDBKeyData>, Vector<IDBValue>, std::nullptr_t> m_results { nullptr };

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.cpp ¶

-              r217367
+              r219817
 void UniqueIDBDatabase::postDatabaseTask(CrossThreadTask&& task)
+{
+    m_databaseQueue.append(WTFMove(task));
+    m_databaseQueue.append([protectedThis = makeRef(*this), task = WTFMove(task)]() mutable {
+        task.performTask();
+    });
     ++m_queuedTaskCount;
 …
+{
     ASSERT(!isMainThread());
+    m_databaseReplyQueue.append(WTFMove(task));
+    m_databaseReplyQueue.append([protectedThis = makeRef(*this), task = WTFMove(task)]() mutable {
+        task.performTask();
+    });
     ++m_queuedTaskCount;
 …
     ASSERT(task);
+    // Performing the task might end up removing the last reference to this.
+    Ref<UniqueIDBDatabase> protectedThis(*this);
+    task->performTask();
+    (*task)();
     --m_queuedTaskCount;
+    // Release the ref in the main thread to ensure it's deleted there as expected in case of being the last reference.
+    callOnMainThread([protectedThis = WTFMove(protectedThis)] {
+    // Release the task on the main thread in case it holds the last reference to this,
+    // as UniqueIDBDatabase objects must be deleted on the main thread.
+    callOnMainThread([task = WTFMove(task)] {
     });
+}
 …
     ASSERT(task);
+    // Performing the task might end up removing the last reference to this.
+    Ref<UniqueIDBDatabase> protectedThis(*this);
+    task->performTask();
+    (*task)();
     --m_queuedTaskCount;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/server/UniqueIDBDatabase.h ¶

-              r217367
+              r219817
     bool m_deleteBackingStoreInProgress { false };
     CrossThreadQueue<CrossThreadTask> m_databaseQueue;
     CrossThreadQueue<CrossThreadTask> m_databaseReplyQueue;
+    CrossThreadQueue<Function<void ()>> m_databaseQueue;
+    CrossThreadQueue<Function<void ()>> m_databaseReplyQueue;
     std::atomic<uint64_t> m_queuedTaskCount { 0 };

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/shared/IDBResultData.cpp ¶

r217367	r219817
95	95	if (source.m_getResult)
96	96	destination.m_getResult = std::make_unique<IDBGetResult>(*source.m_getResult, IDBGetResult::IsolatedCopy);
	97	if (source.m_getAllResult)
	98	destination.m_getAllResult = std::make_unique<IDBGetAllResult>(*source.m_getAllResult, IDBGetAllResult::IsolatedCopy);
97	99	}
98	100

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/PlatformGTK.cmake ¶

r217367	r219817
208	208	platform/gtk/PlatformWheelEventGtk.cpp
209	209	platform/gtk/RenderThemeGadget.cpp
	210	platform/gtk/RenderThemeWidget.cpp
210	211	platform/gtk/ScrollbarThemeGtk.cpp
211	212	platform/gtk/SoundGtk.cpp

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/accessibility/AXObjectCache.cpp ¶

-              r217367
+              r219817
     remove(axID);
     m_renderObjectMapping.remove(renderer);
-    if (is<RenderBlock>(*renderer))
-        m_deferredIsIgnoredChangeList.remove(downcast<RenderBlock>(renderer));
+}
 …
         return;
+    if (is<Element>(*node))
+        m_deferredRecomputeIsIgnoredList.remove(downcast<Element>(node));
+    m_deferredTextChangedList.remove(node);
     removeNodeForUse(node);
 …
         handleAriaRoleChanged(element);
     else if (attrName == altAttr || attrName == titleAttr)
         textChanged(element);
+        deferTextChangedIfNeeded(element);
     else if (attrName == forAttr && is<HTMLLabelElement>(*element))
         labelChanged(element);
 …
         postNotification(element, AXObjectCache::AXValueChanged);
     else if (attrName == aria_labelAttr || attrName == aria_labeledbyAttr || attrName == aria_labelledbyAttr)
         textChanged(element);
+        deferTextChangedIfNeeded(element);
     else if (attrName == aria_checkedAttr)
         checkedStateChanged(element);
 …
     ASSERT(is<HTMLLabelElement>(*element));
     HTMLElement* correspondingControl = downcast<HTMLLabelElement>(*element).control();
     textChanged(correspondingControl);
+    deferTextChangedIfNeeded(correspondingControl);
+}
 …
+}
+void AXObjectCache::performDeferredIsIgnoredChange()
+{
+    for (auto* renderer : m_deferredIsIgnoredChangeList)
+        recomputeIsIgnored(renderer);
+    m_deferredIsIgnoredChangeList.clear();
+}
+void AXObjectCache::recomputeDeferredIsIgnored(RenderBlock& renderer)
+{
+    if (renderer.beingDestroyed())
+        return;
+    m_deferredIsIgnoredChangeList.add(&renderer);
+void AXObjectCache::performDeferredCacheUpdate()
+{
+    for (auto* node : m_deferredTextChangedList)
+        textChanged(node);
+    m_deferredTextChangedList.clear();
+    for (auto* element : m_deferredRecomputeIsIgnoredList) {
+        if (auto* renderer = element->renderer())
+            recomputeIsIgnored(renderer);
+    }
+    m_deferredRecomputeIsIgnoredList.clear();
+}
+void AXObjectCache::deferRecomputeIsIgnored(Element* element)
+{
+    if (!element)
+        return;
+    if (element->renderer() && element->renderer()->beingDestroyed())
+        return;
+    m_deferredRecomputeIsIgnoredList.add(element);
+}
+void AXObjectCache::deferTextChangedIfNeeded(Node* node)
+{
+    if (!node)
+        return;
+    if (node->renderer() && node->renderer()->beingDestroyed())
+        return;
+    auto& document = node->document();
+    // FIXME: We should just defer all text changes.
+    if (document.needsStyleRecalc() || document.inRenderTreeUpdate() || (document.view() && document.view()->isInRenderTreeLayout())) {
+        m_deferredTextChangedList.add(node);
+        return;
+    }
+    textChanged(node);
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/accessibility/AXObjectCache.h ¶

-              r217367
+              r219817
 class RenderBlock;
 class RenderObject;
+class RenderText;
 class ScrollView;
 class VisiblePosition;
 …
     static void setShouldRepostNotificationsForTests(bool value);
 #endif
+    void recomputeDeferredIsIgnored(RenderBlock& renderer);
+    void performDeferredIsIgnoredChange();
+    void deferRecomputeIsIgnored(Element*);
+    void deferTextChangedIfNeeded(Node*);
+    void performDeferredCacheUpdate();
 protected:
 …
     AXTextStateChangeIntent m_textSelectionIntent;
     bool m_isSynchronizingSelection { false };
+    ListHashSet<RenderBlock*> m_deferredIsIgnoredChangeList;
+    ListHashSet<Element*> m_deferredRecomputeIsIgnoredList;
+    ListHashSet<Node*> m_deferredTextChangedList;
 };
 …
 inline void AXObjectCache::handleAttributeChanged(const QualifiedName&, Element*) { }
 inline void AXObjectCache::recomputeIsIgnored(RenderObject*) { }
+inline void AXObjectCache::recomputeDeferredIsIgnored(RenderBlock&) { }
+inline void AXObjectCache::performDeferredIsIgnoredChange() { }
+inline void AXObjectCache::deferRecomputeIsIgnored(Element*) { }
+inline void AXObjectCache::deferTextChangedIfNeeded(Node*) { }
+inline void AXObjectCache::performDeferredCacheUpdate() { }
 inline void AXObjectCache::handleScrolledToAnchor(const Node*) { }
 inline void AXObjectCache::postTextStateChangeNotification(Node*, const AXTextStateChangeIntent&, const VisibleSelection&) { }

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/accessibility/AccessibilityRenderObject.cpp ¶

-              r217367
+              r219817
         return ASCIILiteral("\n");
-    bool isRenderText = is<RenderText>(*m_renderer);
     if (shouldGetTextFromNode(mode))
         return AccessibilityNodeObject::textUnderElement(mode);
 …
     // We use a text iterator for text objects AND for those cases where we are
     // explicitly asking for the full text under a given element.
+    bool shouldIncludeAllChildren = mode.childrenInclusion == AccessibilityTextUnderElementMode::TextUnderElementModeIncludeAllChildren;
+    if (isRenderText || shouldIncludeAllChildren) {
+    if (is<RenderText>(*m_renderer) || mode.childrenInclusion == AccessibilityTextUnderElementMode::TextUnderElementModeIncludeAllChildren) {
         // If possible, use a text iterator to get the text, so that whitespace
         // is handled consistently.
 …
                     return String();
+                // The tree should be stable before looking through the children of a non-Render Text object.
+                // Otherwise, further uses of TextIterator will force a layout update, potentially altering
+                // the accessibility tree and causing crashes in the loop that computes the result text.
+                ASSERT((isRenderText || !shouldIncludeAllChildren) || (!nodeDocument->renderView()->layoutState() && !nodeDocument->childNeedsStyleRecalc()));
+                // Renders referenced by accessibility objects could get destroyed, if TextIterator ends up triggering
+                // style update/layout here. See also AXObjectCache::deferTextChangedIfNeeded().
+                ASSERT_WITH_SECURITY_IMPLICATION(!nodeDocument->childNeedsStyleRecalc());
+                ASSERT_WITH_SECURITY_IMPLICATION(!nodeDocument->view()->isInRenderTreeLayout());
                 return plainText(textRange.get(), textIteratorBehaviorForTextRange());
+            }

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/JSWebKitSubtleCryptoCustom.cpp ¶

-              r217367
+              r219817
 #if ENABLE(SUBTLE_CRYPTO)
+#include "BufferSource.h"
 #include "CryptoAlgorithm.h"
 #include "CryptoAlgorithmParametersDeprecated.h"
 …
 #include "JSCryptoKeyPair.h"
 #include "JSCryptoKeySerializationJWK.h"
-#include "JSCryptoOperationData.h"
 #include "JSDOMPromise.h"
 #include "ScriptState.h"
 …
+    }
     auto data = cryptoOperationDataFromJSValue(state, scope, state.uncheckedArgument(2));
+    auto data = BufferSource(convert<IDLBufferSource>(state, state.uncheckedArgument(2)));
     RETURN_IF_EXCEPTION(scope, { });
 …
     };
     auto result = algorithm->encrypt(*parameters, *key, data, WTFMove(successCallback), WTFMove(failureCallback));
+    auto result = algorithm->encrypt(*parameters, *key, { data.data(), data.length() }, WTFMove(successCallback), WTFMove(failureCallback));
     if (result.hasException()) {
         propagateException(state, scope, result.releaseException());
 …
+    }
     auto data = cryptoOperationDataFromJSValue(state, scope, state.uncheckedArgument(2));
+    auto data = BufferSource(convert<IDLBufferSource>(state, state.uncheckedArgument(2)));
     RETURN_IF_EXCEPTION(scope, { });
 …
     };
     auto result = algorithm->decrypt(*parameters, *key, data, WTFMove(successCallback), WTFMove(failureCallback));
+    auto result = algorithm->decrypt(*parameters, *key, { data.data(), data.length() }, WTFMove(successCallback), WTFMove(failureCallback));
     if (result.hasException()) {
         propagateException(state, scope, result.releaseException());
 …
+    }
     auto data = cryptoOperationDataFromJSValue(state, scope, state.uncheckedArgument(2));
+    auto data = BufferSource(convert<IDLBufferSource>(state, state.uncheckedArgument(2)));
     RETURN_IF_EXCEPTION(scope, { });
 …
     };
     auto result = algorithm->sign(*parameters, *key, data, WTFMove(successCallback), WTFMove(failureCallback));
+    auto result = algorithm->sign(*parameters, *key, { data.data(), data.length() }, WTFMove(successCallback), WTFMove(failureCallback));
     if (result.hasException()) {
         propagateException(state, scope, result.releaseException());
 …
+    }
     auto signature = cryptoOperationDataFromJSValue(state, scope, state.uncheckedArgument(2));
     RETURN_IF_EXCEPTION(scope, { });
     auto data = cryptoOperationDataFromJSValue(state, scope, state.uncheckedArgument(3));
+    auto signature = BufferSource(convert<IDLBufferSource>(state, state.uncheckedArgument(2)));
+    RETURN_IF_EXCEPTION(scope, { });
+    auto data = BufferSource(convert<IDLBufferSource>(state, state.uncheckedArgument(3)));
     RETURN_IF_EXCEPTION(scope, { });
 …
     };
     auto result = algorithm->verify(*parameters, *key, signature, data, WTFMove(successCallback), WTFMove(failureCallback));
+    auto result = algorithm->verify(*parameters, *key, { signature.data(), signature.length() }, { data.data(), data.length() }, WTFMove(successCallback), WTFMove(failureCallback));
     if (result.hasException()) {
         propagateException(state, scope, result.releaseException());
 …
     RETURN_IF_EXCEPTION(scope, { });
     auto data = cryptoOperationDataFromJSValue(state, scope, state.uncheckedArgument(1));
+    auto data = BufferSource(convert<IDLBufferSource>(state, state.uncheckedArgument(1)));
     RETURN_IF_EXCEPTION(scope, { });
 …
     };
     auto result = algorithm->digest(*parameters, data, WTFMove(successCallback), WTFMove(failureCallback));
+    auto result = algorithm->digest(*parameters, { data.data(), data.length() }, WTFMove(successCallback), WTFMove(failureCallback));
     if (result.hasException()) {
         propagateException(state, scope, result.releaseException());
 …
     RETURN_IF_EXCEPTION(scope, { });
     auto data = cryptoOperationDataFromJSValue(state, scope, state.uncheckedArgument(1));
+    auto data = BufferSource(convert<IDLBufferSource>(state, state.uncheckedArgument(1)));
     RETURN_IF_EXCEPTION(scope, { });
 …
     };
     WebCore::importKey(state, keyFormat, data, WTFMove(algorithm), WTFMove(parameters), extractable, keyUsages, WTFMove(successCallback), WTFMove(failureCallback));
+    WebCore::importKey(state, keyFormat, { data.data(), data.length() }, WTFMove(algorithm), WTFMove(parameters), extractable, keyUsages, WTFMove(successCallback), WTFMove(failureCallback));
     RETURN_IF_EXCEPTION(scope, JSValue());
 …
     RETURN_IF_EXCEPTION(scope, { });
     auto wrappedKeyData = cryptoOperationDataFromJSValue(state, scope, state.uncheckedArgument(1));
+    auto wrappedKeyData = BufferSource(convert<IDLBufferSource>(state, state.uncheckedArgument(1)));
     RETURN_IF_EXCEPTION(scope, { });
 …
     };
     auto result = unwrapAlgorithm->decryptForUnwrapKey(*unwrapAlgorithmParameters, *unwrappingKey, wrappedKeyData, WTFMove(decryptSuccessCallback), WTFMove(decryptFailureCallback));
+    auto result = unwrapAlgorithm->decryptForUnwrapKey(*unwrapAlgorithmParameters, *unwrappingKey, { wrappedKeyData.data(), wrappedKeyData.length() }, WTFMove(decryptSuccessCallback), WTFMove(decryptFailureCallback));
     if (result.hasException()) {
         propagateException(state, scope, result.releaseException());

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/crypto/WebKitSubtleCrypto.idl ¶

-              r217367
+              r219817
     NoInterfaceObject,
 ] interface WebKitSubtleCrypto {
     [Custom] Promise<ArrayBuffer> encrypt(AlgorithmIdentifier algorithm, Key key, sequence<CryptoOperationData> data);
     [Custom] Promise<ArrayBuffer> decrypt(AlgorithmIdentifier algorithm, Key key, sequence<CryptoOperationData> data);
     [Custom] Promise<ArrayBuffer> sign(AlgorithmIdentifier algorithm, Key key, sequence<CryptoOperationData> data);
     [Custom] Promise<boolean> verify(AlgorithmIdentifier algorithm, Key key, CryptoOperationData signature, sequence<CryptoOperationData> data);
     [Custom] Promise<ArrayBuffer> digest(AlgorithmIdentifier algorithm, sequence<CryptoOperationData> data);
+    [Custom] Promise<ArrayBuffer> encrypt(AlgorithmIdentifier algorithm, Key key, sequence<BufferSource> data);
+    [Custom] Promise<ArrayBuffer> decrypt(AlgorithmIdentifier algorithm, Key key, sequence<BufferSource> data);
+    [Custom] Promise<ArrayBuffer> sign(AlgorithmIdentifier algorithm, Key key, sequence<BufferSource> data);
+    [Custom] Promise<boolean> verify(AlgorithmIdentifier algorithm, Key key, BufferSource signature, sequence<BufferSource> data);
+    [Custom] Promise<ArrayBuffer> digest(AlgorithmIdentifier algorithm, sequence<BufferSource> data);
     [Custom] Promise<(CryptoKey or CryptoKeyPair)> generateKey(AlgorithmIdentifier algorithm, optional boolean extractable, optional sequence<KeyUsage> keyUsages);
     [Custom] Promise<CryptoKey> importKey(KeyFormat format, CryptoOperationData keyData, AlgorithmIdentifier? algorithm, optional boolean extractable, optional sequence<KeyUsage> keyUsages);
+    [Custom] Promise<CryptoKey> importKey(KeyFormat format, BufferSource keyData, AlgorithmIdentifier? algorithm, optional boolean extractable, optional sequence<KeyUsage> keyUsages);
     [Custom] Promise<ArrayBuffer> exportKey(KeyFormat format, Key key);
     [Custom] Promise<ArrayBuffer> wrapKey(KeyFormat format, Key key, Key wrappingKey, AlgorithmIdentifier wrapAlgorithm);
     [Custom] Promise<CryptoKey> unwrapKey(KeyFormat format, CryptoOperationData wrappedKey, Key unwrappingKey, AlgorithmIdentifier unwrapAlgorithm, AlgorithmIdentifier? unwrappedKeyAlgorithm, optional boolean extractable, optional sequence<KeyUsage> keyUsages);
+    [Custom] Promise<CryptoKey> unwrapKey(KeyFormat format, BufferSource wrappedKey, Key unwrappingKey, AlgorithmIdentifier unwrapAlgorithm, AlgorithmIdentifier? unwrappedKeyAlgorithm, optional boolean extractable, optional sequence<KeyUsage> keyUsages);
 };

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/css/CSSMarkup.cpp ¶

-              r217367
+              r219817
+}
 void serializeString(const String& string, StringBuilder& appendTo, bool useDoubleQuotes)
+void serializeString(const String& string, StringBuilder& appendTo)
+{
     // FIXME: From the CSS OM draft:
 …
     // We need to switch to using " instead of ', but this involves patching a large
     // number of tests and changing editing code to not get confused by double quotes.
     appendTo.append(useDoubleQuotes ? '\"' : '\'');
+    appendTo.append('"');
     unsigned index = 0;
 …
+    }
     appendTo.append(useDoubleQuotes ? '\"' : '\'');
+}
 String serializeString(const String& string, bool useDoubleQuotes)
+    appendTo.append('"');
+}
+String serializeString(const String& string)
+{
     StringBuilder builder;
     serializeString(string, builder, useDoubleQuotes);
+    serializeString(string, builder);
     return builder.toString();
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/css/CSSMarkup.h ¶

-              r217367
+              r219817
 // Common serializing methods. See: http://dev.w3.org/csswg/cssom/#common-serializing-idioms
 void serializeIdentifier(const String& identifier, StringBuilder& appendTo, bool skipStartChecks = false);
 void serializeString(const String&, StringBuilder& appendTo, bool useDoubleQuotes = false);
 String serializeString(const String&, bool useDoubleQuotes = false);
+void serializeString(const String&, StringBuilder& appendTo);
+String serializeString(const String&);
 String serializeURL(const String&);
 String serializeFontFamily(const String&);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/css/CSSSelector.cpp ¶

r217367	r219817
698	698	}
699	699	if (cs->match() != CSSSelector::Set) {
700		serializeString(cs->serializingValue(), str~~, true~~);
	700	serializeString(cs->serializingValue(), str);
701	701	if (cs->attributeValueMatchingIsCaseInsensitive())
702	702	str.appendLiteral(" i]");

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/ContainerNode.cpp ¶

-              r217367
+              r219817
 #include "RenderWidget.h"
 #include "RootInlineBox.h"
+#include "RuntimeEnabledFeatures.h"
 #include "SVGDocumentExtensions.h"
 #include "SVGElement.h"
 …
 static inline void destroyRenderTreeIfNeeded(Node& child)
+{
+    bool childIsHTMLSlotElement = false;
+    childIsHTMLSlotElement = is<HTMLSlotElement>(child);
+    bool isElement = is<Element>(child);
+    auto hasDisplayContents = isElement && downcast<Element>(child).hasDisplayContents();
+    auto isNamedFlowElement = isElement && downcast<Element>(child).isNamedFlowContentElement();
     // FIXME: Get rid of the named flow test.
+    bool isElement = is<Element>(child);
+    if (!child.renderer() && !childIsHTMLSlotElement
+        && !(isElement && downcast<Element>(child).isNamedFlowContentElement()))
+    if (!child.renderer() && !hasDisplayContents && !isNamedFlowElement)
         return;
     if (isElement)

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Document.cpp ¶

-              r217367
+              r219817
         frameView.viewportContentsChanged();
+    // Usually this is handled by post-layout.
     if (!frameView.needsLayout())
         frameView.frame().selection().updateAppearanceAfterLayout();
+        frameView.frame().selection().scheduleAppearanceUpdateAfterStyleChange();
     // As a result of the style recalculation, the currently hovered element might have been
 …
     if (m_gotoAnchorNeededAfterStylesheetsLoad && !styleScope().hasPendingSheets())
         frameView.scrollToFragment(m_url);
+    // FIXME: Ideally we would ASSERT(!needsStyleRecalc()) here but we have some cases where it is not true.
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Node.cpp ¶

r217367	r219817
287	287	#endif
288	288
289		ASSERT(!renderer());
	289	ASSERT_WITH_SECURITY_IMPLICATION(!renderer());
290	290	ASSERT(!parentNode());
291	291	ASSERT(!m_previous);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/ProcessingInstruction.cpp ¶

-              r217367
+              r219817
 /*
  * Copyright (C) 2000 Peter Kelly (pmk@post.com)
  * Copyright (C) 2006, 2008, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2013 Samsung Electronics. All rights reserved.
+ *
 …
 #include "XMLDocumentParser.h"
 #include "XSLStyleSheet.h"
+#include <wtf/SetForScope.h>
 namespace WebCore {
 …
 void ProcessingInstruction::checkStyleSheet()
+{
+    // Prevent recursive loading of stylesheet.
+    if (m_isHandlingBeforeLoad)
+        return;
     if (m_target == "xml-stylesheet" && document().frame() && parentNode() == &document()) {
         // see http://www.w3.org/TR/xml-stylesheet/
 …
             String url = document().completeURL(href).string();
+            Ref<Document> originalDocument = document();
+            {
+            SetForScope<bool> change(m_isHandlingBeforeLoad, true);
             if (!dispatchBeforeLoadEvent(url))
                 return;
+            }
+            bool didEventListenerDisconnectThisElement = !isConnected() || &document() != originalDocument.ptr();
+            if (didEventListenerDisconnectThisElement)
+                return;
             m_loading = true;
             document().styleScope().addPendingSheet();
+            ASSERT_WITH_SECURITY_IMPLICATION(!m_cachedSheet);
 #if ENABLE(XSLT)
 …
     // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
     // type.
+    Ref<Document> protect(document());
     parseStyleSheet(sheet->sheetText());
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/ProcessingInstruction.h ¶

-              r217367
+              r219817
 /*
  * Copyright (C) 2000 Peter Kelly (pmk@post.com)
  * Copyright (C) 2006 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2013 Samsung Electronics. All rights reserved.
+ *
 …
     bool m_isXSL { false };
 #endif
+    bool m_isHandlingBeforeLoad { false };
 };

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/dom/Text.cpp ¶

r217367	r219817
55	55	Text::~Text()
56	56	{
57		~~ASSERT(!renderer());~~
58	57	}
59	58

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/editing/EditingStyle.cpp ¶

-              r217367
+              r219817
     m_applyFontFace = style.getPropertyValue(CSSPropertyFontFamily);
     // Remove single quotes for Outlook 2007 compatibility. See https://bugs.webkit.org/show_bug.cgi?id=79448
     m_applyFontFace.replaceWithLiteral('\'', "");
+    // Remove quotes for Outlook 2007 compatibility. See https://bugs.webkit.org/show_bug.cgi?id=79448
+    m_applyFontFace.replaceWithLiteral('\"', "");
     style.removeProperty(CSSPropertyFontFamily);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/editing/FrameSelection.cpp ¶

-              r217367
+              r219817
     , m_granularity(CharacterGranularity)
     , m_caretBlinkTimer(*this, &FrameSelection::caretBlinkTimerFired)
+    , m_appearanceUpdateTimer(*this, &FrameSelection::appearanceUpdateTimerFired)
     , m_caretInsidePositionFixed(false)
     , m_absCaretBoundsDirty(true)
 …
 void FrameSelection::setSelection(const VisibleSelection& selection, SetSelectionOptions options, AXTextStateChangeIntent intent, CursorAlignOnScroll align, TextGranularity granularity)
+{
+    RefPtr<Frame> protectedFrame(m_frame);
     if (!setSelectionWithoutUpdatingAppearance(selection, options, align, granularity))
         return;
 …
 void FrameSelection::updateAppearanceAfterLayout()
+{
+    m_appearanceUpdateTimer.stop();
+    updateAppearanceAfterLayoutOrStyleChange();
+}
+void FrameSelection::scheduleAppearanceUpdateAfterStyleChange()
+{
+    m_appearanceUpdateTimer.startOneShot(0_s);
+}
+void FrameSelection::appearanceUpdateTimerFired()
+{
+    updateAppearanceAfterLayoutOrStyleChange();
+}
+void FrameSelection::updateAppearanceAfterLayoutOrStyleChange()
+{
     if (auto* client = m_frame->editor().client())
         client->updateEditorStateAfterLayoutIfEditabilityChanged();

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/editing/FrameSelection.h ¶

-              r217367
+              r219817
     void updateAppearanceAfterLayout();
+    void scheduleAppearanceUpdateAfterStyleChange();
     void setNeedsSelectionUpdate();
 …
     void caretBlinkTimerFired();
+    void updateAppearanceAfterLayoutOrStyleChange();
+    void appearanceUpdateTimerFired();
     void setCaretVisibility(CaretVisibility);
     bool recomputeCaretRect();
 …
     Timer m_caretBlinkTimer;
+    Timer m_appearanceUpdateTimer;
     // The painted bounds of the caret in absolute coordinates
     IntRect m_absCaretBounds;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp ¶

-              r217367
+              r219817
     insertionPosition = positionAvoidingSpecialElementBoundary(insertionPosition);
     VisiblePosition visiblePos(insertionPosition, affinity);
+    if (visiblePos.isNull())
+        return;
     calculateStyleBeforeInsertion(insertionPosition);
 …
             ASSERT(startBlock->firstChild());
             refNode = startBlock->firstChild();
+        }
+        else if (insertionPosition.deprecatedNode() == startBlock && nestNewBlock) {
+            refNode = startBlock->traverseToChildAt(insertionPosition.deprecatedEditingOffset());
+        } else if (insertionPosition.containerNode() == startBlock && nestNewBlock) {
+            refNode = startBlock->traverseToChildAt(insertionPosition.computeOffsetInContainerNode());
             ASSERT(refNode); // must be true or we'd be in the end of block case
         } else

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/html/FormAssociatedElement.cpp ¶

-              r217367
+              r219817
     HTMLElement& element = asHTMLElement();
     if (m_formSetByParser) {
+        setForm(m_formSetByParser);
+        // The form could have been removed by a script during parsing.
+        if (m_formSetByParser->isConnected())
+            setForm(m_formSetByParser);
         m_formSetByParser = nullptr;
+    }

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/html/HTMLLinkElement.cpp ¶

-              r217367
+              r219817
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  * Copyright (C) 2003, 2006, 2007, 2008, 2009, 2010, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2009 Rob Buis (rwlbuis@gmail.com)
  * Copyright (C) 2011 Google Inc. All rights reserved.
 …
 #include "StyleSheetContents.h"
 #include <wtf/Ref.h>
+#include <wtf/SetForScope.h>
 #include <wtf/StdLibExtras.h>
 …
+    }
+    // Prevent recursive loading of link.
+    if (m_isHandlingBeforeLoad)
+        return;
     URL url = getNonEmptyURLAttribute(hrefAttr);
 …
+        }
+        {
+        SetForScope<bool> change(m_isHandlingBeforeLoad, true);
         if (!shouldLoadLink())
             return;
+        }
         m_loading = true;
 …
         request.setAsPotentiallyCrossOrigin(crossOrigin(), document());
+        ASSERT_WITH_SECURITY_IMPLICATION(!m_cachedSheet);
         m_cachedSheet = document().cachedResourceLoader().requestCSSStyleSheet(WTFMove(request));

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/html/HTMLLinkElement.h ¶

-              r217367
+              r219817
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  * Copyright (C) 2003, 2008, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
+ *
 …
     bool m_firedLoad;
     bool m_loadedResource;
+    bool m_isHandlingBeforeLoad { false };
     PendingSheetType m_pendingSheetType;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/html/HTMLMediaElement.cpp ¶

-              r217367
+              r219817
     m_updatePlaybackControlsManagerQueue.close();
     m_playbackControlsManagerBehaviorRestrictionsQueue.close();
+    m_resourceSelectionTaskQueue.close();
     m_completelyLoaded = true;
 …
 void HTMLMediaElement::notifyAboutPlaying()
+{
+    Ref<HTMLMediaElement> protectedThis(*this); // The 'playing' event can make arbitrary DOM mutations.
     m_playbackStartedTime = currentMediaTime().toDouble();
     dispatchEvent(Event::create(eventNames().playingEvent, false, true));
 …
     m_mediaSession->canProduceAudioChanged();
+    m_resourceSelectionTaskQueue.cancelAllTasks();
     updateSleepDisabling();
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/html/parser/HTMLConstructionSite.cpp ¶

-              r217367
+              r219817
 static inline void insert(HTMLConstructionSiteTask& task)
+{
     if (is<HTMLTemplateElement>(*task.parent))
+    if (is<HTMLTemplateElement>(*task.parent)) {
         task.parent = &downcast<HTMLTemplateElement>(*task.parent).content();
+        task.nextChild = nullptr;
+    }
     ASSERT(!task.child->parentNode());

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/loader/DocumentThreadableLoader.cpp ¶

-              r217367
+              r219817
     Ref<DocumentThreadableLoader> protectedThis(*this);
+    --m_options.maxRedirectCount;
     // FIXME: We restrict this check to Fetch API for the moment, as this might disrupt WorkerScriptLoader.
 …
     ASSERT(m_resource);
+    ASSERT(m_resource->loader());
+    ASSERT(m_originalHeaders);
+    // Use a unique for subsequent loads if needed.
+    // https://fetch.spec.whatwg.org/#concept-http-redirect-fetch (Step 10).
     ASSERT(m_options.mode == FetchOptions::Mode::Cors);
+    ASSERT(m_originalHeaders);
+    // Loader might have modified the origin to a unique one, let's reuse it for subsequent loads.
+    m_origin = m_resource->loader()->origin();
+    if (!securityOrigin().canRequest(redirectResponse.url()) && !protocolHostAndPortAreEqual(redirectResponse.url(), request.url()))
+        m_origin = SecurityOrigin::createUnique();
     // Except in case where preflight is needed, loading should be able to continue on its own.
 …
     m_options.allowCredentials = DoNotAllowStoredCredentials;
-    m_options.maxRedirectCount -= m_resource->loader()->redirectCount();
     clearResource();

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/loader/ImageLoader.cpp ¶

-              r217367
+              r219817
         return;
     m_hasPendingBeforeLoadEvent = false;
+    Ref<Document> originalDocument = element().document();
     if (element().dispatchBeforeLoadEvent(m_image->url())) {
+        bool didEventListenerDisconnectThisElement = !element().isConnected() || &element().document() != originalDocument.ptr();
+        if (didEventListenerDisconnectThisElement)
+            return;
         updateRenderer();
         return;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/loader/SubresourceLoader.cpp ¶

r217367	r219817
496	496	redirectingToNewOrigin = true;
497	497	else
498		redirectingToNewOrigin = !~~SecurityOrigin::create(previousRequest.url())->canRequest(~~newRequest.url());
	498	redirectingToNewOrigin = !protocolHostAndPortAreEqual(previousRequest.url(), newRequest.url());
499	499	}
500	500

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/page/FocusController.cpp ¶

-              r217367
+              r219817
     while (is<HTMLFrameOwnerElement>(element)) {
         HTMLFrameOwnerElement& owner = downcast<HTMLFrameOwnerElement>(*element);
         if (!owner.contentFrame())
+        if (!owner.contentFrame() || !owner.contentFrame()->document())
             break;
+        owner.contentFrame()->document()->updateLayoutIgnorePendingStylesheets();
         Element* foundElement = findFocusableElementWithinScope(direction, FocusNavigationScope::scopeOwnedByIFrame(owner), nullptr, event);
         if (!foundElement)

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/page/FrameView.cpp ¶

-              r217367
+              r219817
             // we call it through the timer here.
             m_postLayoutTasksTimer.startOneShot(0);
-            if (needsLayout())
-                layout();
+        }
+        if (needsLayout())
+            layout();
+    }
 …
     if (AXObjectCache* cache = frame().document()->existingAXObjectCache())
         cache->performDeferredIsIgnoredChange();
+        cache->performDeferredCacheUpdate();
+}
 …
 #endif
-    if (m_layoutPhase == InViewSizeAdjust)
-        return;
-    TraceScope tracingScope(PaintViewStart, PaintViewEnd);
-    ASSERT(m_layoutPhase == InPostLayerPositionsUpdatedAfterLayout || m_layoutPhase == OutsideLayout);
     RenderView* renderView = this->renderView();
     if (!renderView) {
 …
         return;
+    }
+    if (!inPaintableState())
+        return;
+    TraceScope tracingScope(PaintViewStart, PaintViewEnd);
     ASSERT(!needsLayout());

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/page/FrameView.h ¶

r217367	r219817
115	115	bool isInLayout() const { return m_layoutPhase != OutsideLayout; }
116	116	bool isInRenderTreeLayout() const { return m_layoutPhase == InRenderTreeLayout; }
117		~~WEBCORE_EXPORT~~ bool inPaintableState() { return m_layoutPhase != InRenderTreeLayout && m_layoutPhase != InViewSizeAdjust && m_layoutPhase != InPostLayout; }
	117	bool inPaintableState() { return m_layoutPhase != InRenderTreeLayout && m_layoutPhase != InViewSizeAdjust && m_layoutPhase != InPostLayout; }
118	118
119	119	RenderElement* layoutRoot() const { return m_layoutRoot; }

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/URL.cpp ¶

-              r217367
+              r219817
 #endif
+static Lock& defaultPortForProtocolMapForTestingLock()
+{
+    static NeverDestroyed<Lock> lock;
+    return lock;
+}
 using DefaultPortForProtocolMapForTesting = HashMap<String, uint16_t>;
 static DefaultPortForProtocolMapForTesting& defaultPortForProtocolMapForTesting()
+{
     static NeverDestroyed<DefaultPortForProtocolMapForTesting> defaultPortForProtocolMap;
+static DefaultPortForProtocolMapForTesting*& defaultPortForProtocolMapForTesting()
+{
+    static DefaultPortForProtocolMapForTesting* defaultPortForProtocolMap;
     return defaultPortForProtocolMap;
+}
+static DefaultPortForProtocolMapForTesting& ensureDefaultPortForProtocolMapForTesting()
+{
+    DefaultPortForProtocolMapForTesting*& defaultPortForProtocolMap = defaultPortForProtocolMapForTesting();
+    if (!defaultPortForProtocolMap)
+        defaultPortForProtocolMap = new DefaultPortForProtocolMapForTesting;
+    return *defaultPortForProtocolMap;
+}
 void registerDefaultPortForProtocolForTesting(uint16_t port, const String& protocol)
+{
+    defaultPortForProtocolMapForTesting().add(protocol, port);
+    LockHolder locker(defaultPortForProtocolMapForTestingLock());
+    ensureDefaultPortForProtocolMapForTesting().add(protocol, port);
+}
 void clearDefaultPortForProtocolMapForTesting()
+{
+    defaultPortForProtocolMapForTesting().clear();
+    LockHolder locker(defaultPortForProtocolMapForTestingLock());
+    if (auto* map = defaultPortForProtocolMapForTesting())
+        map->clear();
+}
 std::optional<uint16_t> defaultPortForProtocol(StringView protocol)
+{
+    const auto& defaultPortForProtocolMap = defaultPortForProtocolMapForTesting();
+    auto iterator = defaultPortForProtocolMap.find(protocol.toStringWithoutCopying());
+    if (iterator != defaultPortForProtocolMap.end())
+        return iterator->value;
+    if (auto* overrideMap = defaultPortForProtocolMapForTesting()) {
+        LockHolder locker(defaultPortForProtocolMapForTestingLock());
+        ASSERT(overrideMap); // No need to null check again here since overrideMap cannot become null after being non-null.
+        auto iterator = overrideMap->find(protocol.toStringWithoutCopying());
+        if (iterator != overrideMap->end())
+            return iterator->value;
+    }
     return URLParser::defaultPortForProtocol(protocol);
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/FloatRect.cpp ¶

-              r217367
+              r219817
 IntRect enclosingIntRect(const FloatRect& rect)
+{
+    IntPoint location = flooredIntPoint(rect.minXMinYCorner());
+    IntPoint maxPoint = ceiledIntPoint(rect.maxXMaxYCorner());
+    return IntRect(location, maxPoint - location);
+    FloatPoint location = flooredIntPoint(rect.minXMinYCorner());
+    FloatPoint maxPoint = ceiledIntPoint(rect.maxXMaxYCorner());
+    return IntRect(IntPoint(location), IntSize(maxPoint - location));
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/ImageBackingStore.h ¶

-              r217367
+              r219817
 #include "IntSize.h"
 #include "NativeImage.h"
+#include <wtf/Vector.h>
+#include "SharedBuffer.h"
 namespace WebCore {
 …
             return false;
+        unsigned area = size.area().unsafeGet();
+        if (!m_pixels.tryReserveCapacity(area))
+        Vector<char> buffer;
+        size_t bufferSize = size.area().unsafeGet() * sizeof(RGBA32);
+        if (!buffer.tryReserveCapacity(bufferSize))
             return false;
+        m_pixels.resize(area);
+        m_pixelsPtr = m_pixels.data();
+        buffer.resize(bufferSize);
+        m_pixels = SharedBuffer::adoptVector(buffer);
+        m_pixelsPtr = reinterpret_cast<RGBA32*>(const_cast<char*>(m_pixels->data()));
         m_size = size;
         m_frameRect = IntRect(IntPoint(), m_size);
 …
     ImageBackingStore(const ImageBackingStore& other)
+        : m_pixels(other.m_pixels)
+        , m_size(other.m_size)
+        : m_size(other.m_size)
         , m_premultiplyAlpha(other.m_premultiplyAlpha)
+    {
         ASSERT(!m_size.isEmpty() && !isOverSize(m_size));
+        m_pixelsPtr = m_pixels.data();
+        m_pixels = other.m_pixels->copy();
+        m_pixelsPtr = reinterpret_cast<RGBA32*>(const_cast<char*>(m_pixels->data()));
+    }
 …
+    }
     Vector<RGBA32> m_pixels;
+    RefPtr<SharedBuffer> m_pixels;
     RGBA32* m_pixelsPtr { nullptr };
     IntSize m_size;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/gstreamer/InbandTextTrackPrivateGStreamer.cpp ¶

-              r217367
+              r219817
     RefPtr<InbandTextTrackPrivateGStreamer> protectedThis(this);
     m_notifier.notify(MainThreadNotification::NewSample, [protectedThis] {
+    m_notifier->notify(MainThreadNotification::NewSample, [protectedThis] {
         protectedThis->notifyTrackOfSample();
     });
 …
+{
     RefPtr<InbandTextTrackPrivateGStreamer> protectedThis(this);
     m_notifier.notify(MainThreadNotification::StreamChanged, [protectedThis] {
+    m_notifier->notify(MainThreadNotification::StreamChanged, [protectedThis] {
         protectedThis->notifyTrackOfStreamChanged();
     });

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/gstreamer/MainThreadNotifier.h ¶

-              r217367
+              r219817
  */
+#ifndef MainThreadNotifier_h
+#define MainThreadNotifier_h
+#pragma once
+#include <wtf/Atomics.h>
 #include <wtf/Lock.h>
 #include <wtf/MainThread.h>
 #include <wtf/RunLoop.h>
 #include <wtf/WeakPtr.h>
+#include <wtf/ThreadSafeRefCounted.h>
 namespace WebCore {
 template <typename T>
 class MainThreadNotifier {
+class MainThreadNotifier final : public ThreadSafeRefCounted<MainThreadNotifier<T>> {
 public:
+    MainThreadNotifier()
+        : m_weakPtrFactory(this)
+    static Ref<MainThreadNotifier> create()
+    {
+        return adoptRef(*new MainThreadNotifier());
+    }
 …
     void notify(T notificationType, const F& callbackFunctor)
+    {
+        ASSERT(m_isValid.load());
         if (isMainThread()) {
             removePendingNotification(notificationType);
 …
             return;
         auto weakThis = m_weakPtrFactory.createWeakPtr();
         std::function<void ()> callback(callbackFunctor);
         RunLoop::main().dispatch([weakThis, notificationType, callback] {
             if (weakThis && weakThis->removePendingNotification(notificationType))
+        RunLoop::main().dispatch([this, protectedThis = makeRef(*this), notificationType, callback = std::function<void()>(callbackFunctor)] {
+            if (!m_isValid.load())
+                return;
+            if (removePendingNotification(notificationType))
                 callback();
         });
 …
     void cancelPendingNotifications(unsigned mask = 0)
+    {
+        ASSERT(m_isValid.load());
         LockHolder locker(m_pendingNotificationsLock);
         if (mask)
 …
+    }
+    void invalidate()
+    {
+        ASSERT(m_isValid.load());
+        m_isValid.store(false);
+    }
 private:
+    MainThreadNotifier()
+    {
+        m_isValid.store(true);
+    }
     bool addPendingNotification(T notificationType)
 …
+    }
-    WeakPtrFactory<MainThreadNotifier> m_weakPtrFactory;
     Lock m_pendingNotificationsLock;
     unsigned m_pendingNotifications { 0 };
+    Atomic<bool> m_isValid;
 };
 } // namespace WebCore
-#endif // MainThreadNotifier_h

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp ¶

r217367	r219817
621	621	void MediaPlayerPrivateGStreamer::videoChangedCallback(MediaPlayerPrivateGStreamer* player)
622	622	{
623		player->m_notifier.notify(MainThreadNotification::VideoChanged, [player] { player->notifyPlayerOfVideo(); });
	623	player->m_notifier->notify(MainThreadNotification::VideoChanged, [player] { player->notifyPlayerOfVideo(); });
624	624	}
625	625
…	…
675	675	void MediaPlayerPrivateGStreamer::videoSinkCapsChangedCallback(MediaPlayerPrivateGStreamer* player)
676	676	{
677		player->m_notifier.notify(MainThreadNotification::VideoCapsChanged, [player] { player->notifyPlayerOfVideoCaps(); });
	677	player->m_notifier->notify(MainThreadNotification::VideoCapsChanged, [player] { player->notifyPlayerOfVideoCaps(); });
678	678	}
679	679
…	…
686	686	void MediaPlayerPrivateGStreamer::audioChangedCallback(MediaPlayerPrivateGStreamer* player)
687	687	{
688		player->m_notifier.notify(MainThreadNotification::AudioChanged, [player] { player->notifyPlayerOfAudio(); });
	688	player->m_notifier->notify(MainThreadNotification::AudioChanged, [player] { player->notifyPlayerOfAudio(); });
689	689	}
690	690
…	…
739	739	void MediaPlayerPrivateGStreamer::textChangedCallback(MediaPlayerPrivateGStreamer* player)
740	740	{
741		player->m_notifier.notify(MainThreadNotification::TextChanged, [player] { player->notifyPlayerOfText(); });
	741	player->m_notifier->notify(MainThreadNotification::TextChanged, [player] { player->notifyPlayerOfText(); });
742	742	}
743	743

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp ¶

-              r217367
+              r219817
 MediaPlayerPrivateGStreamerBase::MediaPlayerPrivateGStreamerBase(MediaPlayer* player)
+    : m_player(player)
+    : m_notifier(MainThreadNotifier<MainThreadNotification>::create())
+    , m_player(player)
     , m_fpsSink(nullptr)
     , m_readyState(MediaPlayer::HaveNothing)
 …
     m_protectionCondition.notifyOne();
 #endif
+    m_notifier.cancelPendingNotifications();
+#if USE(GSTREAMER_GL) || USE(COORDINATED_GRAPHICS_THREADED)
+    m_drawTimer.stop();
+    {
+        LockHolder locker(m_drawMutex);
+        m_drawCondition.notifyOne();
+    }
+#endif
+    m_notifier->invalidate();
+    cancelRepaint();
     if (m_videoSink) {
 …
     GST_DEBUG("Volume changed to: %f", player->volume());
     player->m_notifier.notify(MainThreadNotification::VolumeChanged, [player] { player->notifyPlayerOfVolumeChange(); });
+    player->m_notifier->notify(MainThreadNotification::VolumeChanged, [player] { player->notifyPlayerOfVolumeChange(); });
+}
 …
+{
     // This is called when m_volumeElement receives the notify::mute signal.
     player->m_notifier.notify(MainThreadNotification::MuteChanged, [player] { player->notifyPlayerOfMute(); });
+    player->m_notifier->notify(MainThreadNotification::MuteChanged, [player] { player->notifyPlayerOfMute(); });
+}
 …
     if (triggerResize) {
         GST_DEBUG("First sample reached the sink, triggering video dimensions update");
         m_notifier.notify(MainThreadNotification::SizeChanged, [this] { m_player->sizeChanged(); });
+        m_notifier->notify(MainThreadNotification::SizeChanged, [this] { m_player->sizeChanged(); });
+    }
 …
+{
     player->triggerRepaint(sample);
+}
+void MediaPlayerPrivateGStreamerBase::cancelRepaint()
+{
+#if USE(TEXTURE_MAPPER_GL) || USE(COORDINATED_GRAPHICS_THREADED)
+    m_drawTimer.stop();
+    LockHolder locker(m_drawMutex);
+    m_drawCondition.notifyOne();
+#endif
+}
+void MediaPlayerPrivateGStreamerBase::repaintCancelledCallback(MediaPlayerPrivateGStreamerBase* player)
+{
+    player->cancelRepaint();
+}
 …
         m_videoSink = webkitVideoSinkNew();
         g_signal_connect_swapped(m_videoSink.get(), "repaint-requested", G_CALLBACK(repaintCallback), this);
+        g_signal_connect_swapped(m_videoSink.get(), "repaint-cancelled", G_CALLBACK(repaintCancelledCallback), this);
+    }

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.h ¶

-              r217367
+              r219817
     void triggerRepaint(GstSample*);
     void repaint();
+    void cancelRepaint();
     static void repaintCallback(MediaPlayerPrivateGStreamerBase*, GstSample*);
+    static void repaintCancelledCallback(MediaPlayerPrivateGStreamerBase*);
     void notifyPlayerOfVolumeChange();
 …
     };
     MainThreadNotifier<MainThreadNotification> m_notifier;
+    Ref<MainThreadNotifier<MainThreadNotification>> m_notifier;
     MediaPlayer* m_player;
     GRefPtr<GstElement> m_pipeline;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/gstreamer/TrackPrivateBaseGStreamer.cpp ¶

r217367	r219817
45	45
46	46	TrackPrivateBaseGStreamer::TrackPrivateBaseGStreamer(TrackPrivateBase* owner, gint index, GRefPtr<GstPad> pad)
47		: m_index(index)
	47	: m_notifier(MainThreadNotifier<MainThreadNotification>::create())
	48	, m_index(index)
48	49	, m_pad(pad)
49	50	, m_owner(owner)
…	…
62	63	{
63	64	disconnect();
	65	m_notifier->invalidate();
64	66	}
65	67
…	…
69	71	return;
70	72
71		m_notifier.cancelPendingNotifications();
	73	m_notifier->cancelPendingNotifications();
72	74	g_signal_handlers_disconnect_matched(m_pad.get(), G_SIGNAL_MATCH_DATA, 0, 0, nullptr, nullptr, this);
73	75
…	…
78	80	void TrackPrivateBaseGStreamer::activeChangedCallback(TrackPrivateBaseGStreamer* track)
79	81	{
80		track->m_notifier.notify(MainThreadNotification::ActiveChanged, [track] { track->notifyTrackOfActiveChanged(); });
	82	track->m_notifier->notify(MainThreadNotification::ActiveChanged, [track] { track->notifyTrackOfActiveChanged(); });
81	83	}
82	84
…	…
99	101	}
100	102
101		m_notifier.notify(MainThreadNotification::TagsChanged, [this] { notifyTrackOfTagsChanged(); });
	103	m_notifier->notify(MainThreadNotification::TagsChanged, [this] { notifyTrackOfTagsChanged(); });
102	104	}
103	105

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/gstreamer/TrackPrivateBaseGStreamer.h ¶

r217367	r219817
64	64	};
65	65
66		~~MainThreadNotifier<MainThreadNotification~~> m_notifier;
	66	Ref<MainThreadNotifier<MainThreadNotification>> m_notifier;
67	67	gint m_index;
68	68	AtomicString m_label;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/gstreamer/VideoSinkGStreamer.cpp ¶

-              r217367
+              r219817
 enum {
     REPAINT_REQUESTED,
+    REPAINT_CANCELLED,
     LAST_SIGNAL
 };
 …
+{
     g_signal_emit(sink, webkitVideoSinkSignals[REPAINT_REQUESTED], 0, sample);
+}
+static void webkitVideoSinkRepaintCancelled(WebKitVideoSink* sink)
+{
+    g_signal_emit(sink, webkitVideoSinkSignals[REPAINT_CANCELLED], 0);
+}
 …
     priv->scheduler.stop();
+    webkitVideoSinkRepaintCancelled(WEBKIT_VIDEO_SINK(baseSink));
     return GST_CALL_PARENT_WITH_DEFAULT(GST_BASE_SINK_CLASS, unlock, (baseSink), TRUE);
 …
     priv->scheduler.stop();
+    webkitVideoSinkRepaintCancelled(WEBKIT_VIDEO_SINK(baseSink));
     if (priv->currentCaps) {
         gst_caps_unref(priv->currentCaps);
 …
 , // Only one parameter
             GST_TYPE_SAMPLE);
+    webkitVideoSinkSignals[REPAINT_CANCELLED] = g_signal_new("repaint-cancelled",
+        G_TYPE_FROM_CLASS(klass),
+        G_SIGNAL_RUN_LAST,
+, // Class offset
+        nullptr, // Accumulator
+        nullptr, // Accumulator data
+        g_cclosure_marshal_generic,
+        G_TYPE_NONE, // Return type
+, // No parameters
+        G_TYPE_NONE);
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp ¶

-              r217367
+              r219817
     bool createdInMainThread;
     MainThreadNotifier<MainThreadSourceNotification> notifier;
+    RefPtr<MainThreadNotifier<MainThreadSourceNotification>> notifier;
     GRefPtr<GstBuffer> buffer;
 };
 …
     priv->createdInMainThread = isMainThread();
+    priv->notifier = MainThreadNotifier<MainThreadSourceNotification>::create();
     priv->appsrc = GST_APP_SRC(gst_element_factory_make("appsrc", nullptr));
 …
 static void webKitWebSrcDispose(GObject* object)
+{
+    WebKitWebSrc* src = WEBKIT_WEB_SRC(object);
+    WebKitWebSrcPrivate* priv = src->priv;
+    WebKitWebSrcPrivate* priv = WEBKIT_WEB_SRC(object)->priv;
+    if (priv->notifier) {
+        priv->notifier->invalidate();
+        priv->notifier = nullptr;
+    }
     priv->player = nullptr;
 …
     if (priv->resource || (priv->loader && !priv->keepAlive)) {
         GRefPtr<WebKitWebSrc> protector = WTF::ensureGRef(src);
         priv->notifier.cancelPendingNotifications(MainThreadSourceNotification::NeedData | MainThreadSourceNotification::EnoughData | MainThreadSourceNotification::Seek);
         priv->notifier.notify(MainThreadSourceNotification::Stop, [protector, keepAlive = priv->keepAlive] {
+        priv->notifier->cancelPendingNotifications(MainThreadSourceNotification::NeedData | MainThreadSourceNotification::EnoughData | MainThreadSourceNotification::Seek);
+        priv->notifier->notify(MainThreadSourceNotification::Stop, [protector, keepAlive = priv->keepAlive] {
             WebKitWebSrcPrivate* priv = protector->priv;
 …
     locker.unlock();
     GRefPtr<WebKitWebSrc> protector = WTF::ensureGRef(src);
     priv->notifier.notify(MainThreadSourceNotification::Start, [protector, request = WTFMove(request)] {
+    priv->notifier->notify(MainThreadSourceNotification::Start, [protector, request = WTFMove(request)] {
         WebKitWebSrcPrivate* priv = protector->priv;
 …
     GRefPtr<WebKitWebSrc> protector = WTF::ensureGRef(src);
     priv->notifier.notify(MainThreadSourceNotification::NeedData, [protector] {
+    priv->notifier->notify(MainThreadSourceNotification::NeedData, [protector] {
         WebKitWebSrcPrivate* priv = protector->priv;
         if (priv->resource)
 …
     GRefPtr<WebKitWebSrc> protector = WTF::ensureGRef(src);
     priv->notifier.notify(MainThreadSourceNotification::EnoughData, [protector] {
+    priv->notifier->notify(MainThreadSourceNotification::EnoughData, [protector] {
         WebKitWebSrcPrivate* priv = protector->priv;
         if (priv->resource)
 …
     GRefPtr<WebKitWebSrc> protector = WTF::ensureGRef(src);
     priv->notifier.notify(MainThreadSourceNotification::Seek, [protector] {
+    priv->notifier->notify(MainThreadSourceNotification::Seek, [protector] {
         webKitWebSrcStop(protector.get());
         webKitWebSrcStart(protector.get());

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/gtk/RenderThemeGadget.cpp ¶

-              r217367
+              r219817
     gtk_style_context_set_path(context.get(), path);
     gtk_style_context_set_parent(context.get(), parent);
-    // Unfortunately, we have to explicitly set the state again here for it to take effect.
-    gtk_style_context_set_state(context.get(), gtk_widget_path_iter_get_state(path, -1));
     return context;
+}
 …
     for (const auto* className : info.classList)
         gtk_widget_path_iter_add_class(path, -1, className);
-    gtk_widget_path_iter_set_state(path, -1, static_cast<GtkStateFlags>(gtk_widget_path_iter_get_state(path, -1) | info.state));
+}
 …
     gtk_style_context_get(m_context.get(), gtk_style_context_get_state(m_context.get()), "opacity", &returnValue, nullptr);
     return returnValue;
+}
+GtkStateFlags RenderThemeGadget::state() const
+{
+    return gtk_style_context_get_state(m_context.get());
+}
+void RenderThemeGadget::setState(GtkStateFlags state)
+{
+    gtk_style_context_set_state(m_context.get(), state);
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/gtk/RenderThemeGadget.h ¶

-              r217367
+              r219817
         Type type;
         const char* name;
-        GtkStateFlags state;
         Vector<const char*> classList;
     };
 …
     GtkStyleContext* context() const { return m_context.get(); }
+    GtkStateFlags state() const;
+    void setState(GtkStateFlags);
 protected:

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/gtk/ScrollbarThemeGtk.cpp ¶

-              r217367
+              r219817
 #include "PlatformContextCairo.h"
 #include "PlatformMouseEvent.h"
 #include "RenderThemeGadget.h"
+#include "RenderThemeWidget.h"
 #include "ScrollView.h"
 #include "Scrollbar.h"
 …
 void ScrollbarThemeGtk::themeChanged()
+{
+#if GTK_CHECK_VERSION(3, 20, 0)
+    RenderThemeWidget::clearCache();
+#endif
     updateThemeProperties();
+}
 …
 void ScrollbarThemeGtk::updateThemeProperties()
+{
     auto steppers = static_cast<RenderThemeScrollbarGadget*>(RenderThemeGadget::create({ RenderThemeGadget::Type::Scrollbar, "scrollbar", GTK_STATE_FLAG_NORMAL, { } }).get())->steppers();
     m_hasBackButtonStartPart = steppers.contains(RenderThemeScrollbarGadget::Steppers::Backward);
     m_hasForwardButtonEndPart = steppers.contains(RenderThemeScrollbarGadget::Steppers::Forward);
     m_hasBackButtonEndPart = steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryBackward);
     m_hasForwardButtonStartPart = steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryForward);
+    auto& scrollbar = static_cast<RenderThemeScrollbar&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::VerticalScrollbarRight));
+    m_hasBackButtonStartPart = scrollbar.stepper(RenderThemeScrollbarGadget::Steppers::Backward);
+    m_hasForwardButtonEndPart = scrollbar.stepper(RenderThemeScrollbarGadget::Steppers::Forward);
+    m_hasBackButtonEndPart = scrollbar.stepper(RenderThemeScrollbarGadget::Steppers::SecondaryBackward);
+    m_hasForwardButtonStartPart = scrollbar.stepper(RenderThemeScrollbarGadget::Steppers::SecondaryForward);
+}
 #else
 …
+}
+static std::unique_ptr<RenderThemeGadget> scrollbarGadgetForLayout(Scrollbar& scrollbar)
+{
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Scrollbar, "scrollbar", scrollbarPartStateFlags(scrollbar, AllParts), { } };
+static RenderThemeWidget::Type widgetTypeForScrollbar(Scrollbar& scrollbar, GtkStateFlags scrollbarState)
+{
     if (scrollbar.orientation() == VerticalScrollbar) {
+        info.classList.append("vertical");
+        info.classList.append("right");
+    } else {
+        info.classList.append("horizontal");
+        info.classList.append("bottom");
+    }
+    if (scrollbar.isOverlayScrollbar())
+        info.classList.append("overlay-indicator");
+    if (info.state & GTK_STATE_FLAG_PRELIGHT)
+        info.classList.append("hovering");
+    return RenderThemeGadget::create(info);
+}
+static std::unique_ptr<RenderThemeBoxGadget> contentsGadgetForLayout(Scrollbar& scrollbar, RenderThemeGadget* parent, IntRect& contentsRect, Vector<int, 4>& steppersPosition)
+{
+    Vector<RenderThemeGadget::Info> children;
+    auto steppers = static_cast<RenderThemeScrollbarGadget*>(parent)->steppers();
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::Backward)) {
+        steppersPosition[0] = 0;
+        children.append({ RenderThemeGadget::Type::Generic, "button", scrollbarPartStateFlags(scrollbar, BackButtonStartPart), { "up" } });
+    }
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryForward)) {
+        steppersPosition[1] = children.size();
+        children.append({ RenderThemeGadget::Type::Generic, "button", scrollbarPartStateFlags(scrollbar, ForwardButtonStartPart), { "down" } });
+    }
+    children.append({ RenderThemeGadget::Type::Generic, "trough", scrollbarPartStateFlags(scrollbar, BackTrackPart), { } });
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryBackward)) {
+        steppersPosition[2] = children.size();
+        children.append({ RenderThemeGadget::Type::Generic, "button", scrollbarPartStateFlags(scrollbar, BackButtonEndPart), { "up" } });
+    }
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::Forward)) {
+        steppersPosition[3] = children.size();
+        children.append({ RenderThemeGadget::Type::Generic, "button", scrollbarPartStateFlags(scrollbar, ForwardButtonEndPart), { "down" } });
+    }
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "contents", GTK_STATE_FLAG_NORMAL, { } };
+    auto contentsGadget = std::make_unique<RenderThemeBoxGadget>(info, scrollbar.orientation() == VerticalScrollbar ? GTK_ORIENTATION_VERTICAL : GTK_ORIENTATION_HORIZONTAL,
+        children, parent);
+    GtkBorder scrollbarContentsBox = parent->contentsBox();
+    GtkBorder contentsContentsBox = contentsGadget->contentsBox();
+        if (scrollbar.scrollableArea().shouldPlaceBlockDirectionScrollbarOnLeft())
+            return scrollbarState & GTK_STATE_FLAG_PRELIGHT ? RenderThemeWidget::Type::VerticalScrollbarLeft : RenderThemeWidget::Type::VerticalScrollIndicatorLeft;
+        return scrollbarState & GTK_STATE_FLAG_PRELIGHT ? RenderThemeWidget::Type::VerticalScrollbarRight : RenderThemeWidget::Type::VerticalScrollIndicatorRight;
+    }
+    return scrollbarState & GTK_STATE_FLAG_PRELIGHT ? RenderThemeWidget::Type::HorizontalScrollbar : RenderThemeWidget::Type::HorizontalScrollIndicator;
+}
+static IntRect contentsRectangle(Scrollbar& scrollbar, RenderThemeScrollbar& scrollbarWidget)
+{
+    GtkBorder scrollbarContentsBox = scrollbarWidget.scrollbar().contentsBox();
+    GtkBorder contentsContentsBox = scrollbarWidget.contents().contentsBox();
     GtkBorder padding;
     padding.left = scrollbarContentsBox.left + contentsContentsBox.left;
 …
     padding.top = scrollbarContentsBox.top + contentsContentsBox.top;
     padding.bottom = scrollbarContentsBox.bottom + contentsContentsBox.bottom;
     contentsRect = scrollbar.frameRect();
+    IntRect contentsRect = scrollbar.frameRect();
     contentsRect.move(padding.left, padding.top);
     contentsRect.contract(padding.left + padding.right, padding.top + padding.bottom);
     return contentsGadget;
+    return contentsRect;
+}
 IntRect ScrollbarThemeGtk::trackRect(Scrollbar& scrollbar, bool /*painting*/)
+{
+    auto scrollbarGadget = scrollbarGadgetForLayout(scrollbar);
+    IntRect rect;
+    Vector<int, 4> steppersPosition(4, -1);
+    auto contentsGadget = contentsGadgetForLayout(scrollbar, scrollbarGadget.get(), rect, steppersPosition);
+    if (steppersPosition[0] != -1) {
+        IntSize stepperSize = contentsGadget->child(steppersPosition[0])->preferredSize();
+    auto scrollbarState = scrollbarPartStateFlags(scrollbar, AllParts);
+    auto& scrollbarWidget = static_cast<RenderThemeScrollbar&>(RenderThemeWidget::getOrCreate(widgetTypeForScrollbar(scrollbar, scrollbarState)));
+    scrollbarWidget.scrollbar().setState(scrollbarState);
+    IntRect rect = contentsRectangle(scrollbar, scrollbarWidget);
+    if (auto* backwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::Backward)) {
+        backwardStepper->setState(scrollbarPartStateFlags(scrollbar, BackButtonStartPart));
+        IntSize stepperSize = backwardStepper->preferredSize();
         if (scrollbar.orientation() == VerticalScrollbar) {
             rect.move(0, stepperSize.height());
 …
+        }
+    }
+    if (steppersPosition[1] != -1) {
+        IntSize stepperSize = contentsGadget->child(steppersPosition[1])->preferredSize();
+    if (auto* secondaryForwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::SecondaryForward)) {
+        secondaryForwardStepper->setState(scrollbarPartStateFlags(scrollbar, ForwardButtonStartPart));
+        IntSize stepperSize = secondaryForwardStepper->preferredSize();
         if (scrollbar.orientation() == VerticalScrollbar) {
             rect.move(0, stepperSize.height());
 …
+        }
+    }
+    if (steppersPosition[2] != -1) {
+    if (auto* secondaryBackwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::SecondaryBackward)) {
+        secondaryBackwardStepper->setState(scrollbarPartStateFlags(scrollbar, BackButtonEndPart));
         if (scrollbar.orientation() == VerticalScrollbar)
             rect.contract(0, contentsGadget->child(steppersPosition[2])->preferredSize().height());
+            rect.contract(0, secondaryBackwardStepper->preferredSize().height());
         else
+            rect.contract(contentsGadget->child(steppersPosition[2])->preferredSize().width(), 0);
+    }
+    if (steppersPosition[3] != -1) {
+            rect.contract(secondaryBackwardStepper->preferredSize().width(), 0);
+    }
+    if (auto* forwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::Forward)) {
+        forwardStepper->setState(scrollbarPartStateFlags(scrollbar, ForwardButtonEndPart));
         if (scrollbar.orientation() == VerticalScrollbar)
             rect.contract(0, contentsGadget->child(steppersPosition[3])->preferredSize().height());
+            rect.contract(0, forwardStepper->preferredSize().height());
         else
             rect.contract(contentsGadget->child(steppersPosition[3])->preferredSize().width(), 0);
+            rect.contract(forwardStepper->preferredSize().width(), 0);
+    }
 …
         return IntRect();
+    auto scrollbarGadget = scrollbarGadgetForLayout(scrollbar);
+    IntRect rect;
+    Vector<int, 4> steppersPosition(4, -1);
+    auto contentsGadget = contentsGadgetForLayout(scrollbar, scrollbarGadget.get(), rect, steppersPosition);
+    if (part == BackButtonStartPart)
+        return IntRect(rect.location(), contentsGadget->child(0)->preferredSize());
+    // Secondary back.
+    if (steppersPosition[1] != -1) {
+        IntSize preferredSize = contentsGadget->child(steppersPosition[1])->preferredSize();
+    auto scrollbarState = scrollbarPartStateFlags(scrollbar, AllParts);
+    auto& scrollbarWidget = static_cast<RenderThemeScrollbar&>(RenderThemeWidget::getOrCreate(widgetTypeForScrollbar(scrollbar, scrollbarState)));
+    scrollbarWidget.scrollbar().setState(scrollbarState);
+    IntRect rect = contentsRectangle(scrollbar, scrollbarWidget);
+    if (part == BackButtonStartPart) {
+        auto* backwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::Backward);
+        ASSERT(backwardStepper);
+        backwardStepper->setState(scrollbarPartStateFlags(scrollbar, BackButtonStartPart));
+        return IntRect(rect.location(), backwardStepper->preferredSize());
+    }
+    if (auto* secondaryForwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::SecondaryForward)) {
+        secondaryForwardStepper->setState(scrollbarPartStateFlags(scrollbar, ForwardButtonStartPart));
+        IntSize preferredSize = secondaryForwardStepper->preferredSize();
         if (scrollbar.orientation() == VerticalScrollbar) {
             rect.move(0, preferredSize.height());
 …
+    }
+    if (steppersPosition[3] != -1) {
+    if (auto* secondaryBackwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::SecondaryBackward)) {
+        secondaryBackwardStepper->setState(scrollbarPartStateFlags(scrollbar, BackButtonEndPart));
         if (scrollbar.orientation() == VerticalScrollbar)
             rect.contract(0, contentsGadget->child(steppersPosition[3])->preferredSize().height());
+            rect.contract(0, secondaryBackwardStepper->preferredSize().height());
         else
+            rect.contract(contentsGadget->child(steppersPosition[3])->preferredSize().width(), 0);
+    }
+    IntSize preferredSize = contentsGadget->child(steppersPosition[2])->preferredSize();
+            rect.contract(secondaryBackwardStepper->preferredSize().width(), 0);
+    }
+    auto* forwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::Forward);
+    ASSERT(forwardStepper);
+    forwardStepper->setState(scrollbarPartStateFlags(scrollbar, ForwardButtonEndPart));
+    IntSize preferredSize = forwardStepper->preferredSize();
     if (scrollbar.orientation() == VerticalScrollbar)
         rect.move(0, rect.height() - preferredSize.height());
 …
         return IntRect();
+    auto scrollbarGadget = scrollbarGadgetForLayout(scrollbar);
+    IntRect rect;
+    Vector<int, 4> steppersPosition(4, -1);
+    auto contentsGadget = contentsGadgetForLayout(scrollbar, scrollbarGadget.get(), rect, steppersPosition);
+    if (steppersPosition[0] != -1) {
+        IntSize preferredSize = contentsGadget->child(steppersPosition[0])->preferredSize();
+    auto scrollbarState = scrollbarPartStateFlags(scrollbar, AllParts);
+    auto& scrollbarWidget = static_cast<RenderThemeScrollbar&>(RenderThemeWidget::getOrCreate(widgetTypeForScrollbar(scrollbar, scrollbarState)));
+    scrollbarWidget.scrollbar().setState(scrollbarState);
+    IntRect rect = contentsRectangle(scrollbar, scrollbarWidget);
+    if (auto* backwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::Backward)) {
+        backwardStepper->setState(scrollbarPartStateFlags(scrollbar, BackButtonStartPart));
+        IntSize preferredSize = backwardStepper->preferredSize();
         if (scrollbar.orientation() == VerticalScrollbar) {
             rect.move(0, preferredSize.height());
 …
+    }
+    if (steppersPosition[1] != -1) {
+        IntSize preferredSize = contentsGadget->child(steppersPosition[1])->preferredSize();
+    if (auto* secondaryForwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::SecondaryForward)) {
+        secondaryForwardStepper->setState(scrollbarPartStateFlags(scrollbar, ForwardButtonStartPart));
+        IntSize preferredSize = secondaryForwardStepper->preferredSize();
         if (part == ForwardButtonStartPart)
             return IntRect(rect.location(), preferredSize);
 …
+    }
+    // Forward button.
+    IntSize preferredSize = contentsGadget->child(steppersPosition[3])->preferredSize();
+    auto* forwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::Forward);
+    ASSERT(forwardStepper);
+    forwardStepper->setState(scrollbarPartStateFlags(scrollbar, ForwardButtonEndPart));
+    IntSize preferredSize = forwardStepper->preferredSize();
     if (scrollbar.orientation() == VerticalScrollbar)
         rect.move(0, rect.height() - preferredSize.height());
 …
         return true;
+    bool scrollbarOnLeft = scrollbar.scrollableArea().shouldPlaceBlockDirectionScrollbarOnLeft();
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Scrollbar, "scrollbar", scrollbarPartStateFlags(scrollbar, AllParts, true), { } };
+    if (scrollbar.orientation() == VerticalScrollbar) {
+        info.classList.append("vertical");
+        info.classList.append(scrollbarOnLeft ? "left" : "right");
+    } else {
+        info.classList.append("horizontal");
+        info.classList.append("bottom");
+    }
+    auto scrollbarState = scrollbarPartStateFlags(scrollbar, AllParts, true);
+    auto& scrollbarWidget = static_cast<RenderThemeScrollbar&>(RenderThemeWidget::getOrCreate(widgetTypeForScrollbar(scrollbar, scrollbarState)));
+    auto& scrollbarGadget = scrollbarWidget.scrollbar();
+    scrollbarGadget.setState(scrollbarState);
     if (m_usesOverlayScrollbars)
+        info.classList.append("overlay-indicator");
+    if (info.state & GTK_STATE_FLAG_PRELIGHT)
+        info.classList.append("hovering");
+    if (scrollbar.pressedPart() != NoPart)
+        info.classList.append("dragging");
+    auto scrollbarGadget = RenderThemeGadget::create(info);
+    if (m_usesOverlayScrollbars)
+        opacity *= scrollbarGadget->opacity();
+        opacity *= scrollbarGadget.opacity();
     if (!opacity)
         return true;
+    info.type = RenderThemeGadget::Type::Generic;
+    info.name = "contents";
+    info.state = GTK_STATE_FLAG_NORMAL;
+    info.classList.clear();
+    Vector<RenderThemeGadget::Info> children;
+    auto steppers = static_cast<RenderThemeScrollbarGadget*>(scrollbarGadget.get())->steppers();
+    unsigned steppersPosition[4] = { 0, 0, 0, 0 };
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::Backward)) {
+        steppersPosition[0] = children.size();
+        children.append({ RenderThemeGadget::Type::Generic, "button", scrollbarPartStateFlags(scrollbar, BackButtonStartPart), { "up" } });
+    }
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryForward)) {
+        steppersPosition[1] = children.size();
+        children.append({ RenderThemeGadget::Type::Generic, "button", scrollbarPartStateFlags(scrollbar, ForwardButtonStartPart), { "down" } });
+    }
+    unsigned troughPosition = children.size();
+    children.append({ RenderThemeGadget::Type::Generic, "trough", scrollbarPartStateFlags(scrollbar, BackTrackPart), { } });
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryBackward)) {
+        steppersPosition[2] = children.size();
+        children.append({ RenderThemeGadget::Type::Generic, "button", scrollbarPartStateFlags(scrollbar, BackButtonEndPart), { "up" } });
+    }
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::Forward)) {
+        steppersPosition[3] = children.size();
+        children.append({ RenderThemeGadget::Type::Generic, "button", scrollbarPartStateFlags(scrollbar, ForwardButtonEndPart), { "down" } });
+    }
+    auto contentsGadget = std::make_unique<RenderThemeBoxGadget>(info, scrollbar.orientation() == VerticalScrollbar ? GTK_ORIENTATION_VERTICAL : GTK_ORIENTATION_HORIZONTAL,
+        children, scrollbarGadget.get());
+    RenderThemeGadget* troughGadget = contentsGadget->child(troughPosition);
+    IntSize preferredSize = contentsGadget->preferredSize();
+    std::unique_ptr<RenderThemeGadget> sliderGadget;
+    auto& trough = scrollbarWidget.trough();
+    trough.setState(scrollbarPartStateFlags(scrollbar, BackTrackPart));
+    auto* backwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::Backward);
+    if (backwardStepper)
+        backwardStepper->setState(scrollbarPartStateFlags(scrollbar, BackButtonStartPart));
+    auto* secondaryForwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::SecondaryForward);
+    if (secondaryForwardStepper)
+        secondaryForwardStepper->setState(scrollbarPartStateFlags(scrollbar, ForwardButtonStartPart));
+    auto* secondaryBackwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::SecondaryBackward);
+    if (secondaryBackwardStepper)
+        secondaryBackwardStepper->setState(scrollbarPartStateFlags(scrollbar, BackButtonEndPart));
+    auto* forwardStepper = scrollbarWidget.stepper(RenderThemeScrollbarGadget::Steppers::Forward);
+    if (forwardStepper)
+        forwardStepper->setState(scrollbarPartStateFlags(scrollbar, ForwardButtonEndPart));
+    IntSize preferredSize = scrollbarWidget.contents().preferredSize();
     int thumbSize = thumbLength(scrollbar);
     if (thumbSize) {
+        info.name = "slider";
+        info.state = scrollbarPartStateFlags(scrollbar, ThumbPart);
+        sliderGadget = RenderThemeGadget::create(info, troughGadget);
+        preferredSize = preferredSize.expandedTo(sliderGadget->preferredSize());
+    }
+    preferredSize += scrollbarGadget->preferredSize() - scrollbarGadget->minimumSize();
+        scrollbarWidget.slider().setState(scrollbarPartStateFlags(scrollbar, ThumbPart));
+        preferredSize = preferredSize.expandedTo(scrollbarWidget.slider().preferredSize());
+    }
+    preferredSize += scrollbarGadget.preferredSize() - scrollbarGadget.minimumSize();
     FloatRect contentsRect(rect);
 …
     if (scrollbar.orientation() == VerticalScrollbar) {
         if (rect.width() != preferredSize.width()) {
             if (!scrollbarOnLeft)
+            if (!scrollbar.scrollableArea().shouldPlaceBlockDirectionScrollbarOnLeft())
                 contentsRect.move(std::abs(rect.width() - preferredSize.width()), 0);
             contentsRect.setWidth(preferredSize.width());
 …
+    }
+    scrollbarGadget->render(graphicsContext.platformContext()->cr(), contentsRect, &contentsRect);
+    contentsGadget->render(graphicsContext.platformContext()->cr(), contentsRect, &contentsRect);
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::Backward)) {
+        RenderThemeGadget* buttonGadget = contentsGadget->child(steppersPosition[0]);
+    scrollbarGadget.render(graphicsContext.platformContext()->cr(), contentsRect, &contentsRect);
+    scrollbarWidget.contents().render(graphicsContext.platformContext()->cr(), contentsRect, &contentsRect);
+    if (backwardStepper) {
         FloatRect buttonRect = contentsRect;
         if (scrollbar.orientation() == VerticalScrollbar)
             buttonRect.setHeight(buttonGadget->preferredSize().height());
+            buttonRect.setHeight(backwardStepper->preferredSize().height());
         else
             buttonRect.setWidth(buttonGadget->preferredSize().width());
         static_cast<RenderThemeScrollbarGadget*>(scrollbarGadget.get())->renderStepper(graphicsContext.platformContext()->cr(), buttonRect, buttonGadget,
+            buttonRect.setWidth(backwardStepper->preferredSize().width());
+        static_cast<RenderThemeScrollbarGadget&>(scrollbarGadget).renderStepper(graphicsContext.platformContext()->cr(), buttonRect, backwardStepper,
             scrollbar.orientation() == VerticalScrollbar ? GTK_ORIENTATION_VERTICAL : GTK_ORIENTATION_HORIZONTAL, RenderThemeScrollbarGadget::Steppers::Backward);
         if (scrollbar.orientation() == VerticalScrollbar) {
 …
+        }
+    }
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryForward)) {
+        RenderThemeGadget* buttonGadget = contentsGadget->child(steppersPosition[1]);
+    if (secondaryForwardStepper) {
         FloatRect buttonRect = contentsRect;
         if (scrollbar.orientation() == VerticalScrollbar)
             buttonRect.setHeight(buttonGadget->preferredSize().height());
+            buttonRect.setHeight(secondaryForwardStepper->preferredSize().height());
         else
             buttonRect.setWidth(buttonGadget->preferredSize().width());
         static_cast<RenderThemeScrollbarGadget*>(scrollbarGadget.get())->renderStepper(graphicsContext.platformContext()->cr(), buttonRect, buttonGadget,
+            buttonRect.setWidth(secondaryForwardStepper->preferredSize().width());
+        static_cast<RenderThemeScrollbarGadget&>(scrollbarGadget).renderStepper(graphicsContext.platformContext()->cr(), buttonRect, secondaryForwardStepper,
             scrollbar.orientation() == VerticalScrollbar ? GTK_ORIENTATION_VERTICAL : GTK_ORIENTATION_HORIZONTAL, RenderThemeScrollbarGadget::Steppers::SecondaryForward);
         if (scrollbar.orientation() == VerticalScrollbar) {
 …
+        }
+    }
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::Forward)) {
+        RenderThemeGadget* buttonGadget = contentsGadget->child(steppersPosition[3]);
+    if (secondaryBackwardStepper) {
         FloatRect buttonRect = contentsRect;
         if (scrollbar.orientation() == VerticalScrollbar) {
             buttonRect.setHeight(buttonGadget->preferredSize().height());
+            buttonRect.setHeight(secondaryBackwardStepper->preferredSize().height());
             buttonRect.move(0, contentsRect.height() - buttonRect.height());
         } else {
             buttonRect.setWidth(buttonGadget->preferredSize().width());
+            buttonRect.setWidth(secondaryBackwardStepper->preferredSize().width());
             buttonRect.move(contentsRect.width() - buttonRect.width(), 0);
+        }
+        static_cast<RenderThemeScrollbarGadget*>(scrollbarGadget.get())->renderStepper(graphicsContext.platformContext()->cr(), buttonRect, buttonGadget,
+        static_cast<RenderThemeScrollbarGadget&>(scrollbarGadget).renderStepper(graphicsContext.platformContext()->cr(), buttonRect, secondaryBackwardStepper,
+            scrollbar.orientation() == VerticalScrollbar ? GTK_ORIENTATION_VERTICAL : GTK_ORIENTATION_HORIZONTAL, RenderThemeScrollbarGadget::Steppers::SecondaryBackward);
+        if (scrollbar.orientation() == VerticalScrollbar)
+            contentsRect.contract(0, buttonRect.height());
+        else
+            contentsRect.contract(buttonRect.width(), 0);
+    }
+    if (forwardStepper) {
+        FloatRect buttonRect = contentsRect;
+        if (scrollbar.orientation() == VerticalScrollbar) {
+            buttonRect.setHeight(forwardStepper->preferredSize().height());
+            buttonRect.move(0, contentsRect.height() - buttonRect.height());
+        } else {
+            buttonRect.setWidth(forwardStepper->preferredSize().width());
+            buttonRect.move(contentsRect.width() - buttonRect.width(), 0);
+        }
+        static_cast<RenderThemeScrollbarGadget&>(scrollbarGadget).renderStepper(graphicsContext.platformContext()->cr(), buttonRect, forwardStepper,
             scrollbar.orientation() == VerticalScrollbar ? GTK_ORIENTATION_VERTICAL : GTK_ORIENTATION_HORIZONTAL, RenderThemeScrollbarGadget::Steppers::Forward);
         if (scrollbar.orientation() == VerticalScrollbar)
 …
             contentsRect.contract(buttonRect.width(), 0);
+    }
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryBackward)) {
+        RenderThemeGadget* buttonGadget = contentsGadget->child(steppersPosition[2]);
+        FloatRect buttonRect = contentsRect;
+        if (scrollbar.orientation() == VerticalScrollbar) {
+            buttonRect.setHeight(buttonGadget->preferredSize().height());
+            buttonRect.move(0, contentsRect.height() - buttonRect.height());
+        } else {
+            buttonRect.setWidth(buttonGadget->preferredSize().width());
+            buttonRect.move(contentsRect.width() - buttonRect.width(), 0);
+        }
+        static_cast<RenderThemeScrollbarGadget*>(scrollbarGadget.get())->renderStepper(graphicsContext.platformContext()->cr(), buttonRect, buttonGadget,
+            scrollbar.orientation() == VerticalScrollbar ? GTK_ORIENTATION_VERTICAL : GTK_ORIENTATION_HORIZONTAL, RenderThemeScrollbarGadget::Steppers::SecondaryBackward);
+        if (scrollbar.orientation() == VerticalScrollbar)
+            contentsRect.contract(0, buttonRect.height());
+        else
+            contentsRect.contract(buttonRect.width(), 0);
+    }
+    troughGadget->render(graphicsContext.platformContext()->cr(), contentsRect, &contentsRect);
+    if (sliderGadget) {
+    trough.render(graphicsContext.platformContext()->cr(), contentsRect, &contentsRect);
+    if (thumbSize) {
         if (scrollbar.orientation() == VerticalScrollbar) {
             contentsRect.move(0, thumbPosition(scrollbar));
             contentsRect.setWidth(sliderGadget->preferredSize().width());
+            contentsRect.setWidth(scrollbarWidget.slider().preferredSize().width());
             contentsRect.setHeight(thumbSize);
         } else {
             contentsRect.move(thumbPosition(scrollbar), 0);
             contentsRect.setWidth(thumbSize);
             contentsRect.setHeight(sliderGadget->preferredSize().height());
+            contentsRect.setHeight(scrollbarWidget.slider().preferredSize().height());
+        }
         if (contentsRect.intersects(damageRect))
             sliderGadget->render(graphicsContext.platformContext()->cr(), contentsRect);
+            scrollbarWidget.slider().render(graphicsContext.platformContext()->cr(), contentsRect);
+    }
 …
 int ScrollbarThemeGtk::scrollbarThickness(ScrollbarControlSize)
+{
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Scrollbar, "scrollbar", GTK_STATE_FLAG_PRELIGHT, { "vertical", "right", "hovering" } };
+    if (m_usesOverlayScrollbars)
+        info.classList.append("overlay-indicator");
+    auto scrollbarGadget = RenderThemeGadget::create(info);
+    info.type = RenderThemeGadget::Type::Generic;
+    info.name = "contents";
+    info.state = GTK_STATE_FLAG_NORMAL;
+    info.classList.clear();
+    Vector<RenderThemeGadget::Info> children;
+    auto steppers = static_cast<RenderThemeScrollbarGadget*>(scrollbarGadget.get())->steppers();
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::Backward))
+        children.append({ RenderThemeGadget::Type::Generic, "button", GTK_STATE_FLAG_NORMAL, { "up" } });
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryForward))
+        children.append({ RenderThemeGadget::Type::Generic, "button", GTK_STATE_FLAG_NORMAL, { "down" } });
+    unsigned troughPositon = children.size();
+    children.append({ RenderThemeGadget::Type::Generic, "trough", GTK_STATE_FLAG_PRELIGHT, { } });
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::SecondaryBackward))
+        children.append({ RenderThemeGadget::Type::Generic, "button", GTK_STATE_FLAG_NORMAL, { "up" } });
+    if (steppers.contains(RenderThemeScrollbarGadget::Steppers::Forward))
+        children.append({ RenderThemeGadget::Type::Generic, "button", GTK_STATE_FLAG_NORMAL, { "down" } });
+    auto contentsGadget = std::make_unique<RenderThemeBoxGadget>(info, GTK_ORIENTATION_VERTICAL, children, scrollbarGadget.get());
+    info.name = "slider";
+    auto sliderGadget = RenderThemeGadget::create(info, contentsGadget->child(troughPositon));
+    IntSize contentsPreferredSize = contentsGadget->preferredSize();
+    contentsPreferredSize = contentsPreferredSize.expandedTo(sliderGadget->preferredSize());
+    IntSize preferredSize = contentsPreferredSize + scrollbarGadget->preferredSize() - scrollbarGadget->minimumSize();
+    auto& scrollbarWidget = static_cast<RenderThemeScrollbar&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::VerticalScrollbarRight));
+    scrollbarWidget.scrollbar().setState(GTK_STATE_FLAG_PRELIGHT);
+    IntSize contentsPreferredSize = scrollbarWidget.contents().preferredSize();
+    contentsPreferredSize = contentsPreferredSize.expandedTo(scrollbarWidget.slider().preferredSize());
+    IntSize preferredSize = contentsPreferredSize + scrollbarWidget.scrollbar().preferredSize() - scrollbarWidget.scrollbar().minimumSize();
     return preferredSize.width();
+}
 …
 int ScrollbarThemeGtk::minimumThumbLength(Scrollbar& scrollbar)
+{
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Scrollbar, "scrollbar", GTK_STATE_FLAG_PRELIGHT, { "vertical", "right", "hovering" } };
+    if (m_usesOverlayScrollbars)
+        info.classList.append("overlay-indicator");
+    auto scrollbarGadget = RenderThemeGadget::create(info);
+    info.type = RenderThemeGadget::Type::Generic;
+    info.name = "contents";
+    info.state = GTK_STATE_FLAG_NORMAL;
+    info.classList.clear();
+    Vector<RenderThemeGadget::Info> children = {{ RenderThemeGadget::Type::Generic, "trough", GTK_STATE_FLAG_PRELIGHT, { } } };
+    auto contentsGadget = std::make_unique<RenderThemeBoxGadget>(info, GTK_ORIENTATION_VERTICAL, children, scrollbarGadget.get());
+    info.name = "slider";
+    IntSize minSize = RenderThemeGadget::create(info, contentsGadget->child(0))->minimumSize();
+    auto& scrollbarWidget = static_cast<RenderThemeScrollbar&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::VerticalScrollbarRight));
+    scrollbarWidget.scrollbar().setState(GTK_STATE_FLAG_PRELIGHT);
+    IntSize minSize = scrollbarWidget.slider().minimumSize();
     return scrollbar.orientation() == VerticalScrollbar ? minSize.height() : minSize.width();
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/image-decoders/cairo/ImageBackingStoreCairo.cpp ¶

-              r217367
+              r219817
 NativeImagePtr ImageBackingStore::image() const
+{
+    return adoptRef(cairo_image_surface_create_for_data(
+    m_pixels->ref();
+    RefPtr<cairo_surface_t> surface = adoptRef(cairo_image_surface_create_for_data(
         reinterpret_cast<unsigned char*>(const_cast<RGBA32*>(m_pixelsPtr)),
         CAIRO_FORMAT_ARGB32, size().width(), size().height(), size().width() * sizeof(RGBA32)));
+    static cairo_user_data_key_t s_surfaceDataKey;
+    cairo_surface_set_user_data(surface.get(), &s_surfaceDataKey, m_pixels.get(), [](void* data) { static_cast<SharedBuffer*>(data)->deref(); });
+    return surface;
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderBlock.cpp ¶

r217367	r219817
682	682	{
683	683	if (AXObjectCache* cache = document().existingAXObjectCache())
684		cache->~~recomputeDeferredIsIgnored(*this~~);
	684	cache->deferRecomputeIsIgnored(element());
685	685	}
686	686

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderBlockFlow.cpp ¶

-              r217367
+              r219817
         // The simple line layout may have become invalid.
         m_simpleLineLayout = nullptr;
+        setLineLayoutPath(UndeterminedPath);
+        if (needsLayout())
+            return;
+        // FIXME: We should just kick off a subtree layout here (if needed at all) see webkit.org/b/172947.
         setNeedsLayout();
-        setLineLayoutPath(UndeterminedPath);
         return;
+    }

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderBlockLineLayout.cpp ¶

r217367	r219817
131	131	if (UNLIKELY(AXObjectCache::accessibilityEnabled()) && firstRootBox() == rootBox) {
132	132	if (AXObjectCache* cache = document().existingAXObjectCache())
133		cache->~~recomputeDeferredIsIgnored(*this~~);
	133	cache->deferRecomputeIsIgnored(element());
134	134	}
135	135

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderLayerCompositor.cpp ¶

-              r217367
+              r219817
     RenderWidget& pluginRenderer = downcast<RenderWidget>(renderer);
+    if (pluginRenderer.style().visibility() != VISIBLE)
+        return false;
     // If we can't reliably know the size of the plugin yet, don't change compositing state.
     if (pluginRenderer.needsLayout())
 …
     auto& frameRenderer = downcast<RenderWidget>(renderer);
+    if (frameRenderer.style().visibility() != VISIBLE)
+        return false;
     if (!frameRenderer.requiresAcceleratedCompositing())
         return false;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderText.cpp ¶

r217367	r219817
1284	1284
1285	1285	if (AXObjectCache* cache = document().existingAXObjectCache())
1286		cache->~~textChanged(this~~);
	1286	cache->deferTextChangedIfNeeded(textNode());
1287	1287	}
1288	1288

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderTheme.cpp ¶

-              r217367
+              r219817
     if (UAHasAppearance && isControlStyled(style, border, background, backgroundColor)) {
+        if (part == MenulistPart) {
+        switch (part) {
+        case MenulistPart:
             style.setAppearance(MenulistButtonPart);
             part = MenulistButtonPart;
+        } else
+            break;
+        case TextFieldPart:
+            adjustTextFieldStyle(styleResolver, style, element);
+            FALLTHROUGH;
+        default:
             style.setAppearance(NoControlPart);
+            break;
+        }
+    }

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/rendering/RenderThemeGtk.cpp ¶

-              r217367
+              r219817
 #include "RenderObject.h"
 #include "RenderProgress.h"
 #include "RenderThemeGadget.h"
+#include "RenderThemeWidget.h"
 #include "ScrollbarThemeGtk.h"
 #include "StringTruncator.h"
 …
     switch (themePart) {
     case Entry:
+    case EntrySelection:
         gtk_widget_path_append_type(path.get(), GTK_TYPE_ENTRY);
         gtk_widget_path_iter_add_class(path.get(), -1, GTK_STYLE_CLASS_ENTRY);
 …
         return;
+    RenderThemeGadget::Info info = {
+        .type = RenderThemeGadget::Type::Generic,
+        .name = themePart == CheckButton ? "checkbutton" : "radiobutton",
+        .state = GTK_STATE_FLAG_NORMAL,
+        .classList = { }
+    };
+    auto parentGadget = RenderThemeGadget::create(info);
+    if (themePart == CheckButton) {
+        info.type = RenderThemeGadget::Type::Check;
+        info.name = "check";
+    } else {
+        info.type = RenderThemeGadget::Type::Radio;
+        info.name = "radio";
+    }
+    auto gadget = RenderThemeToggleGadget::create(info);
+    IntSize preferredSize = parentGadget->preferredSize();
+    preferredSize = preferredSize.expandedTo(gadget->preferredSize());
+    auto& toggleWidget = static_cast<RenderThemeToggleButton&>(RenderThemeWidget::getOrCreate(themePart == CheckButton ? RenderThemeWidget::Type::CheckButton : RenderThemeWidget::Type::RadioButton));
+    toggleWidget.button().setState(GTK_STATE_FLAG_NORMAL);
+    toggleWidget.toggle().setState(GTK_STATE_FLAG_NORMAL);
+    IntSize preferredSize = toggleWidget.button().preferredSize();
+    preferredSize = preferredSize.expandedTo(toggleWidget.toggle().preferredSize());
     if (style.width().isIntrinsicOrAuto())
 …
     ASSERT(themePart == CheckButton || themePart == RadioButton);
+    RenderThemeGadget::Info parentInfo = {
+        .type = RenderThemeGadget::Type::Generic,
+        .name = themePart == CheckButton ? "checkbutton" : "radiobutton",
+        .state = themePartStateFlags(*theme, themePart, renderObject),
+        .classList = { "text-button" }
+    };
+    auto parentGadget = RenderThemeGadget::create(parentInfo);
+    RenderThemeGadget::Info info;
+    info.state = parentInfo.state;
+    if (themePart == CheckButton) {
+        info.type = RenderThemeGadget::Type::Check;
+        info.name = "check";
+    } else {
+        info.type = RenderThemeGadget::Type::Radio;
+        info.name = "radio";
+    }
+    auto gadget = RenderThemeGadget::create(info, parentGadget.get());
+    auto& toggleWidget = static_cast<RenderThemeToggleButton&>(RenderThemeWidget::getOrCreate(themePart == CheckButton ? RenderThemeWidget::Type::CheckButton : RenderThemeWidget::Type::RadioButton));
+    auto toggleState = themePartStateFlags(*theme, themePart, renderObject);
+    toggleWidget.button().setState(toggleState);
+    toggleWidget.toggle().setState(toggleState);
     FloatRect rect = fullRect;
 …
     // in the full toggle button region. The reason for not simply forcing toggle
     // buttons to be a smaller size is that we don't want to break site layouts.
     IntSize preferredSize = parentGadget->preferredSize();
     preferredSize = preferredSize.expandedTo(gadget->preferredSize());
+    IntSize preferredSize = toggleWidget.button().preferredSize();
+    preferredSize = preferredSize.expandedTo(toggleWidget.toggle().preferredSize());
     shrinkToMinimumSizeAndCenterRectangle(rect, preferredSize);
     parentGadget->render(paintInfo.context().platformContext()->cr(), rect);
     gadget->render(paintInfo.context().platformContext()->cr(), rect);
+    toggleWidget.button().render(paintInfo.context().platformContext()->cr(), rect);
+    toggleWidget.toggle().render(paintInfo.context().platformContext()->cr(), rect);
     if (theme->isFocused(renderObject))
         parentGadget->renderFocus(paintInfo.context().platformContext()->cr(), rect);
+        toggleWidget.button().renderFocus(paintInfo.context().platformContext()->cr(), rect);
+}
 #else
 …
 bool RenderThemeGtk::paintButton(const RenderObject& renderObject, const PaintInfo& paintInfo, const IntRect& rect)
+{
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "button", themePartStateFlags(*this, Button, renderObject), { "text-button" } };
+    if (isDefault(renderObject))
+        info.classList.append("default");
+    auto gadget = RenderThemeGadget::create(info);
+    gadget->render(paintInfo.context().platformContext()->cr(), rect);
+    auto& buttonWidget = static_cast<RenderThemeButton&>(RenderThemeWidget::getOrCreate(isDefault(renderObject) ? RenderThemeWidget::Type::ButtonDefault : RenderThemeWidget::Type::Button));
+    buttonWidget.button().setState(themePartStateFlags(*this, Button, renderObject));
+    buttonWidget.button().render(paintInfo.context().platformContext()->cr(), rect);
     if (isFocused(renderObject))
         gadget->renderFocus(paintInfo.context().platformContext()->cr(), rect);
+        buttonWidget.button().renderFocus(paintInfo.context().platformContext()->cr(), rect);
     return false;
+}
 …
+{
 #if GTK_CHECK_VERSION(3, 20, 0)
+    RenderThemeGadget::Info info { RenderThemeGadget::Type::Generic, "combobox", element->isDisabledFormControl() ? GTK_STATE_FLAG_INSENSITIVE : GTK_STATE_FLAG_NORMAL, { } };
+    auto comboGadget = RenderThemeGadget::create(info);
+    Vector<RenderThemeGadget::Info> children {
+        { RenderThemeGadget::Type::Generic, "button", info.state, { "combo" } }
+    };
+    info.name = "box";
+    info.classList = { "horizontal", "linked" };
+    return RenderThemeBoxGadget(info, GTK_ORIENTATION_HORIZONTAL, children, comboGadget.get()).child(0)->color();
+    auto& comboWidget = static_cast<RenderThemeComboBox&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::ComboBox));
+    GtkStateFlags state = element->isDisabledFormControl() ? GTK_STATE_FLAG_INSENSITIVE : GTK_STATE_FLAG_NORMAL;
+    comboWidget.comboBox().setState(state);
+    comboWidget.button().setState(state);
+    return comboWidget.button().color();
 #else
     GRefPtr<GtkStyleContext> parentStyleContext = createStyleContext(ComboBox);
 …
         return LengthBox(0);
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "combobox", GTK_STATE_FLAG_NORMAL, { } };
+    auto comboGadget = RenderThemeGadget::create(info);
+    Vector<RenderThemeGadget::Info> children = {
+        { RenderThemeGadget::Type::Generic, "button", GTK_STATE_FLAG_NORMAL, { "combo" } }
+    };
+    info.name = "box";
+    info.classList = { "horizontal", "linked" };
+    auto boxGadget = std::make_unique<RenderThemeBoxGadget>(info, GTK_ORIENTATION_HORIZONTAL, children, comboGadget.get());
+    RenderThemeGadget* buttonGadget = boxGadget->child(0);
+    info.classList.removeLast();
+    auto buttonBoxGadget = RenderThemeGadget::create(info, buttonGadget);
+    info.name = "arrow";
+    info.classList = { };
+    auto arrowGadget = RenderThemeGadget::create(info, buttonBoxGadget.get());
+    GtkBorder comboContentsBox = comboGadget->contentsBox();
+    GtkBorder boxContentsBox = boxGadget->contentsBox();
+    GtkBorder buttonContentsBox = buttonGadget->contentsBox();
+    GtkBorder buttonBoxContentsBox = buttonBoxGadget->contentsBox();
+    auto& comboWidget = static_cast<RenderThemeComboBox&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::ComboBox));
+    comboWidget.comboBox().setState(GTK_STATE_FLAG_NORMAL);
+    comboWidget.button().setState(GTK_STATE_FLAG_NORMAL);
+    comboWidget.arrow().setState(GTK_STATE_FLAG_NORMAL);
+    GtkBorder comboContentsBox = comboWidget.comboBox().contentsBox();
+    GtkBorder boxContentsBox = comboWidget.box().contentsBox();
+    GtkBorder buttonContentsBox = comboWidget.button().contentsBox();
+    GtkBorder buttonBoxContentsBox = comboWidget.buttonBox().contentsBox();
     GtkBorder padding;
     padding.left = comboContentsBox.left + boxContentsBox.left + buttonContentsBox.left + buttonBoxContentsBox.left;
 …
     padding.bottom = comboContentsBox.bottom + boxContentsBox.bottom + buttonContentsBox.bottom + buttonBoxContentsBox.bottom;
     auto arrowSize = arrowGadget->preferredSize();
+    auto arrowSize = comboWidget.arrow().preferredSize();
     return LengthBox(padding.top, padding.right + (style.direction() == LTR ? arrowSize.width() : 0),
         padding.bottom, padding.left + (style.direction() == RTL ? arrowSize.width() : 0));
 …
 bool RenderThemeGtk::paintMenuList(const RenderObject& renderObject, const PaintInfo& paintInfo, const FloatRect& rect)
+{
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "combobox", themePartStateFlags(*this, ComboBoxButton, renderObject), { } };
+    auto comboGadget = RenderThemeGadget::create(info);
+    Vector<RenderThemeGadget::Info> children = {
+        { RenderThemeGadget::Type::Generic, "button", info.state, { "combo" } }
+    };
+    info.name = "box";
+    info.classList = { "horizontal", "linked" };
+    auto boxGadget = std::make_unique<RenderThemeBoxGadget>(info, GTK_ORIENTATION_HORIZONTAL, children, comboGadget.get());
+    RenderThemeGadget* buttonGadget = boxGadget->child(0);
+    info.classList.removeLast();
+    auto buttonBoxGadget = RenderThemeGadget::create(info, buttonGadget);
+    info.type = RenderThemeGadget::Type::Arrow;
+    info.name = "arrow";
+    info.classList = { };
+    auto arrowGadget = RenderThemeGadget::create(info, buttonBoxGadget.get());
+    auto& comboWidget = static_cast<RenderThemeComboBox&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::ComboBox));
+    auto comboState = themePartStateFlags(*this, ComboBoxButton, renderObject);
+    comboWidget.comboBox().setState(comboState);
+    comboWidget.button().setState(comboState);
+    comboWidget.arrow().setState(comboState);
     cairo_t* cr = paintInfo.context().platformContext()->cr();
     comboGadget->render(cr, rect);
     boxGadget->render(cr, rect);
+    comboWidget.comboBox().render(cr, rect);
+    comboWidget.box().render(cr, rect);
     FloatRect contentsRect;
     buttonGadget->render(cr, rect, &contentsRect);
     buttonBoxGadget->render(cr, contentsRect);
     arrowGadget->render(cr, contentsRect);
+    comboWidget.button().render(cr, rect, &contentsRect);
+    comboWidget.buttonBox().render(cr, contentsRect);
+    comboWidget.arrow().render(cr, contentsRect);
     if (isFocused(renderObject))
         buttonGadget->renderFocus(cr, rect);
+        comboWidget.button().renderFocus(cr, rect);
     return false;
 …
 #if GTK_CHECK_VERSION(3, 20, 0)
+static IntSize spinButtonSize()
+{
+    auto& spinButtonWidget = static_cast<RenderThemeSpinButton&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::SpinButton));
+    spinButtonWidget.spinButton().setState(GTK_STATE_FLAG_NORMAL);
+    spinButtonWidget.entry().setState(GTK_STATE_FLAG_NORMAL);
+    spinButtonWidget.up().setState(GTK_STATE_FLAG_NORMAL);
+    spinButtonWidget.down().setState(GTK_STATE_FLAG_NORMAL);
+    IntSize preferredSize = spinButtonWidget.spinButton().preferredSize();
+    preferredSize = preferredSize.expandedTo(spinButtonWidget.entry().preferredSize());
+    IntSize upPreferredSize = preferredSize.expandedTo(spinButtonWidget.up().preferredSize());
+    IntSize downPreferredSize = preferredSize.expandedTo(spinButtonWidget.down().preferredSize());
+    return IntSize(upPreferredSize.width() + downPreferredSize.width(), std::max(upPreferredSize.height(), downPreferredSize.height()));
+}
 void RenderThemeGtk::adjustTextFieldStyle(StyleResolver&, RenderStyle& style, const Element* element) const
+{
 …
         return;
+    // Spinbuttons need a minimum height to be rendered correctly.
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "spinbutton", GTK_STATE_FLAG_NORMAL, { "horizontal" } };
+    auto spinbuttonGadget = RenderThemeGadget::create(info);
+    info.type = RenderThemeGadget::Type::TextField;
+    info.name = "entry";
+    info.classList.clear();
+    auto entryGadget = RenderThemeGadget::create(info, spinbuttonGadget.get());
+    info.type = RenderThemeGadget::Type::Icon;
+    info.name = "button";
+    info.classList.append("up");
+    auto buttonUpGadget = RenderThemeGadget::create(info, spinbuttonGadget.get());
+    static_cast<RenderThemeIconGadget*>(buttonUpGadget.get())->setIconSize(RenderThemeIconGadget::IconSizeGtk::Menu);
+    info.classList[0] = "down";
+    auto buttonDownGadget = RenderThemeGadget::create(info, spinbuttonGadget.get());
+    static_cast<RenderThemeIconGadget*>(buttonDownGadget.get())->setIconSize(RenderThemeIconGadget::IconSizeGtk::Menu);
+    IntSize preferredSize = spinbuttonGadget->preferredSize();
+    preferredSize = preferredSize.expandedTo(entryGadget->preferredSize());
+    IntSize upPreferredSize = preferredSize.expandedTo(buttonUpGadget->preferredSize());
+    IntSize downPreferredSize = preferredSize.expandedTo(buttonDownGadget->preferredSize());
+    int height = std::max(upPreferredSize.height(), downPreferredSize.height());
+    style.setMinHeight(Length(height, Fixed));
+    style.setMinHeight(Length(spinButtonSize().height(), Fixed));
+    // The default theme for the GTK+ port uses very wide spin buttons (66px) compared to what other
+    // browsers use (~13 px). And unfortunately, most of the web developers won't test how their site
+    // renders on WebKitGTK+. To ensure that spin buttons don't end up covering the values of the input
+    // field, we override the width of the input element and always increment it with the width needed
+    // for the spinbutton (when drawing the spinbutton).
+    int minimumWidth = style.width().intValue() + spinButtonSize().width();
+    style.setMinWidth(Length(minimumWidth, Fixed));
+}
 bool RenderThemeGtk::paintTextField(const RenderObject& renderObject, const PaintInfo& paintInfo, const FloatRect& rect)
+{
-    RenderThemeGadget::Info info = { RenderThemeGadget::Type::TextField, "entry", themePartStateFlags(*this, Entry, renderObject), { } };
-    std::unique_ptr<RenderThemeGadget> parentGadget;
     if (is<HTMLInputElement>(renderObject.node()) && shouldHaveSpinButton(downcast<HTMLInputElement>(*renderObject.node()))) {
         info.name = "spinbutton";
         info.classList.append("horizontal");
         parentGadget = RenderThemeTextFieldGadget::create(info);
         info.name = "entry";
         info.classList.clear();
+    }
     auto entryGadget = RenderThemeTextFieldGadget::create(info, parentGadget.get());
     if (parentGadget)
         parentGadget->render(paintInfo.context().platformContext()->cr(), rect);
     entryGadget->render(paintInfo.context().platformContext()->cr(), rect);
+        auto& spinButtonWidget = static_cast<RenderThemeSpinButton&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::SpinButton));
+        auto spinButtonState = themePartStateFlags(*this, Entry, renderObject);
+        spinButtonWidget.spinButton().setState(spinButtonState);
+        spinButtonWidget.entry().setState(spinButtonState);
+        spinButtonWidget.spinButton().render(paintInfo.context().platformContext()->cr(), rect);
+        spinButtonWidget.entry().render(paintInfo.context().platformContext()->cr(), rect);
+    } else {
+        auto& entryWidget = static_cast<RenderThemeEntry&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::Entry));
+        entryWidget.entry().setState(themePartStateFlags(*this, Entry, renderObject));
+        entryWidget.entry().render(paintInfo.context().platformContext()->cr(), rect);
+    }
     return false;
+}
 …
+{
     ASSERT(themePart == EntryIconLeft || themePart == EntryIconRight);
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::TextField, "entry", GTK_STATE_FLAG_NORMAL, { } };
+    auto parentGadget = RenderThemeGadget::create(info);
+    info.type = RenderThemeGadget::Type::Icon;
+    info.name = "image";
+    if (themePart == EntryIconLeft)
+        info.classList.append("left");
+    else
+        info.classList.append("right");
+    auto gadget = RenderThemeIconGadget::create(info, parentGadget.get());
+    auto& searchEntryWidget = static_cast<RenderThemeSearchEntry&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::SearchEntry));
+    searchEntryWidget.entry().setState(GTK_STATE_FLAG_NORMAL);
+    searchEntryWidget.leftIcon().setState(GTK_STATE_FLAG_NORMAL);
+    searchEntryWidget.rightIcon().setState(GTK_STATE_FLAG_NORMAL);
     // Get the icon size based on the font size.
+    static_cast<RenderThemeIconGadget*>(gadget.get())->setIconSize(style.fontSize());
+    IntSize preferredSize = gadget->preferredSize();
+    GtkBorder contentsBox = parentGadget->contentsBox();
+    auto& icon = static_cast<RenderThemeIconGadget&>(themePart == EntryIconLeft ? searchEntryWidget.leftIcon() : searchEntryWidget.rightIcon());
+    icon.setIconSize(style.fontSize());
+    IntSize preferredSize = icon.preferredSize();
+    GtkBorder contentsBox = searchEntryWidget.entry().contentsBox();
     if (themePart == EntryIconLeft)
         preferredSize.expand(contentsBox.left, contentsBox.top + contentsBox.bottom);
 …
+{
     ASSERT(themePart == EntryIconLeft || themePart == EntryIconRight);
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::TextField, "entry", themePartStateFlags(*theme, Entry, renderObject), { } };
+    auto parentGadget = RenderThemeGadget::create(info);
+    info.type = RenderThemeGadget::Type::Icon;
+    info.state = themePartStateFlags(*theme, themePart, renderObject);
+    info.name = "image";
+    if (themePart == EntryIconLeft)
+        info.classList.append("left");
+    else
+        info.classList.append("right");
+    auto gadget = RenderThemeGadget::create(info, parentGadget.get());
+    auto* gadgetIcon = static_cast<RenderThemeIconGadget*>(gadget.get());
+    gadgetIcon->setIconSize(renderObject.style().fontSize());
+    if (themePart == EntryIconLeft)
+        gadgetIcon->setIconName("edit-find-symbolic");
+    else
+        gadgetIcon->setIconName("edit-clear-symbolic");
+    GtkBorder contentsBox = parentGadget->contentsBox();
+    auto& searchEntryWidget = static_cast<RenderThemeSearchEntry&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::SearchEntry));
+    searchEntryWidget.entry().setState(themePartStateFlags(*theme, Entry, renderObject));
+    auto& icon = static_cast<RenderThemeIconGadget&>(themePart == EntryIconLeft ? searchEntryWidget.leftIcon() : searchEntryWidget.rightIcon());
+    icon.setState(themePartStateFlags(*theme, themePart, renderObject));
+    icon.setIconSize(renderObject.style().fontSize());
+    GtkBorder contentsBox = searchEntryWidget.entry().contentsBox();
     IntRect iconRect = rect;
     if (themePart == EntryIconLeft) {
 …
     } else
         iconRect.contract(contentsBox.right, contentsBox.top + contentsBox.bottom);
     return !gadget->render(paintInfo.context().platformContext()->cr(), iconRect);
+    return !icon.render(paintInfo.context().platformContext()->cr(), iconRect);
+}
 bool RenderThemeGtk::paintSearchFieldResultsDecorationPart(const RenderBox& renderObject, const PaintInfo& paintInfo, const IntRect& rect)
 …
     ASSERT(part == SliderHorizontalPart || part == SliderVerticalPart);
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "scale", themePartStateFlags(*this, Scale, renderObject), { } };
+    if (part == SliderHorizontalPart)
+        info.classList.append("horizontal");
+    else
+        info.classList.append("vertical");
+    auto scaleGadget = RenderThemeGadget::create(info);
+    info.name = "contents";
+    info.classList.clear();
+    auto contentsGadget = RenderThemeGadget::create(info, scaleGadget.get());
+    info.name = "trough";
+    auto troughGadget = RenderThemeGadget::create(info, contentsGadget.get());
+    info.name = "slider";
+    auto sliderGadget = RenderThemeGadget::create(info, troughGadget.get());
+    info.name = "highlight";
+    auto highlightGadget = RenderThemeGadget::create(info, troughGadget.get());
+    auto& sliderWidget = static_cast<RenderThemeSlider&>(RenderThemeWidget::getOrCreate(part == SliderHorizontalPart ? RenderThemeWidget::Type::HorizontalSlider : RenderThemeWidget::Type::VerticalSlider));
+    auto scaleState = themePartStateFlags(*this, Scale, renderObject);
+    auto& scale = sliderWidget.scale();
+    scale.setState(scaleState);
+    auto& contents = sliderWidget.contents();
+    auto& trough = sliderWidget.trough();
+    trough.setState(scaleState);
+    auto& slider = sliderWidget.slider();
+    auto& highlight = sliderWidget.highlight();
     // The given rectangle is not calculated based on the scale size, but all the margins and paddings are based on it.
     IntSize preferredSize = scaleGadget->preferredSize();
     preferredSize = preferredSize.expandedTo(contentsGadget->preferredSize());
     preferredSize = preferredSize.expandedTo(troughGadget->preferredSize());
+    IntSize preferredSize = scale.preferredSize();
+    preferredSize = preferredSize.expandedTo(contents.preferredSize());
+    preferredSize = preferredSize.expandedTo(trough.preferredSize());
     FloatRect trackRect = rect;
     if (part == SliderHorizontalPart) {
 …
     FloatRect contentsRect;
     scaleGadget->render(paintInfo.context().platformContext()->cr(), trackRect, &contentsRect);
     contentsGadget->render(paintInfo.context().platformContext()->cr(), contentsRect, &contentsRect);
+    scale.render(paintInfo.context().platformContext()->cr(), trackRect, &contentsRect);
+    contents.render(paintInfo.context().platformContext()->cr(), contentsRect, &contentsRect);
     // Scale trough defines its size querying slider and highlight.
     if (part == SliderHorizontalPart)
         contentsRect.setHeight(troughGadget->preferredSize().height() + std::max(sliderGadget->preferredSize().height(), highlightGadget->preferredSize().height()));
+        contentsRect.setHeight(trough.preferredSize().height() + std::max(slider.preferredSize().height(), highlight.preferredSize().height()));
     else
         contentsRect.setWidth(troughGadget->preferredSize().width() + std::max(sliderGadget->preferredSize().width(), highlightGadget->preferredSize().width()));
+        contentsRect.setWidth(trough.preferredSize().width() + std::max(slider.preferredSize().width(), highlight.preferredSize().width()));
     FloatRect troughRect = contentsRect;
     troughGadget->render(paintInfo.context().platformContext()->cr(), troughRect, &contentsRect);
+    trough.render(paintInfo.context().platformContext()->cr(), troughRect, &contentsRect);
     if (isFocused(renderObject))
         troughGadget->renderFocus(paintInfo.context().platformContext()->cr(), troughRect);
+        trough.renderFocus(paintInfo.context().platformContext()->cr(), troughRect);
     LayoutPoint thumbLocation;
 …
     } else
         contentsRect.setHeight(thumbLocation.y());
     highlightGadget->render(paintInfo.context().platformContext()->cr(), contentsRect);
+    highlight.render(paintInfo.context().platformContext()->cr(), contentsRect);
     return false;
 …
         return;
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "scale", GTK_STATE_FLAG_NORMAL, { } };
+    if (part == SliderHorizontalPart)
+        info.classList.append("horizontal");
+    else
+        info.classList.append("vertical");
+    auto scaleGadget = RenderThemeGadget::create(info);
+    info.name = "contents";
+    info.classList.clear();
+    auto contentsGadget = RenderThemeGadget::create(info, scaleGadget.get());
+    info.name = "trough";
+    auto troughGadget = RenderThemeGadget::create(info, contentsGadget.get());
+    info.name = "slider";
+    auto sliderGadget = RenderThemeGadget::create(info, troughGadget.get());
+    info.name = "highlight";
+    auto highlightGadget = RenderThemeGadget::create(info, troughGadget.get());
+    IntSize preferredSize = scaleGadget->preferredSize();
+    preferredSize = preferredSize.expandedTo(contentsGadget->preferredSize());
+    preferredSize = preferredSize.expandedTo(troughGadget->preferredSize());
+    preferredSize = preferredSize.expandedTo(sliderGadget->preferredSize());
+    auto& sliderWidget = static_cast<RenderThemeSlider&>(RenderThemeWidget::getOrCreate(part == SliderHorizontalPart ? RenderThemeWidget::Type::HorizontalSlider : RenderThemeWidget::Type::VerticalSlider));
+    sliderWidget.scale().setState(GTK_STATE_FLAG_NORMAL);
+    sliderWidget.trough().setState(GTK_STATE_FLAG_NORMAL);
+    IntSize preferredSize = sliderWidget.scale().preferredSize();
+    preferredSize = preferredSize.expandedTo(sliderWidget.contents().preferredSize());
+    preferredSize = preferredSize.expandedTo(sliderWidget.trough().preferredSize());
+    preferredSize = preferredSize.expandedTo(sliderWidget.slider().preferredSize());
     if (part == SliderThumbHorizontalPart) {
         style.setWidth(Length(preferredSize.width(), Fixed));
 …
     ASSERT(part == SliderThumbHorizontalPart || part == SliderThumbVerticalPart);
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "scale", themePartStateFlags(*this, Scale, renderObject), { } };
+    if (part == SliderHorizontalPart)
+        info.classList.append("horizontal");
+    else
+        info.classList.append("vertical");
+    auto scaleGadget = RenderThemeGadget::create(info);
+    info.name = "contents";
+    info.classList.clear();
+    auto contentsGadget = RenderThemeGadget::create(info, scaleGadget.get());
+    info.name = "trough";
+    auto troughGadget = RenderThemeGadget::create(info, contentsGadget.get());
+    info.name = "slider";
+    info.state = themePartStateFlags(*this, ScaleSlider, renderObject);
+    auto sliderGadget = RenderThemeGadget::create(info, troughGadget.get());
+    info.name = "highlight";
+    auto highlightGadget = RenderThemeGadget::create(info, troughGadget.get());
+    GtkBorder scaleContentsBox = scaleGadget->contentsBox();
+    GtkBorder contentsContentsBox = contentsGadget->contentsBox();
+    GtkBorder troughContentsBox = troughGadget->contentsBox();
+    auto& sliderWidget = static_cast<RenderThemeSlider&>(RenderThemeWidget::getOrCreate(part == SliderThumbHorizontalPart ? RenderThemeWidget::Type::HorizontalSlider : RenderThemeWidget::Type::VerticalSlider));
+    auto scaleState = themePartStateFlags(*this, Scale, renderObject);
+    auto& scale = sliderWidget.scale();
+    scale.setState(scaleState);
+    auto& contents = sliderWidget.contents();
+    auto& trough = sliderWidget.trough();
+    trough.setState(scaleState);
+    auto& slider = sliderWidget.slider();
+    slider.setState(themePartStateFlags(*this, ScaleSlider, renderObject));
+    auto& highlight = sliderWidget.highlight();
+    GtkBorder scaleContentsBox = scale.contentsBox();
+    GtkBorder contentsContentsBox = contents.contentsBox();
+    GtkBorder troughContentsBox = trough.contentsBox();
     GtkBorder padding;
     padding.left = scaleContentsBox.left + contentsContentsBox.left + troughContentsBox.left;
 …
     // Scale trough defines its size querying slider and highlight.
     int troughHeight = troughGadget->preferredSize().height() + std::max(sliderGadget->preferredSize().height(), highlightGadget->preferredSize().height());
+    int troughHeight = trough.preferredSize().height() + std::max(slider.preferredSize().height(), highlight.preferredSize().height());
     IntRect sliderRect(rect.location(), IntSize(troughHeight, troughHeight));
     sliderRect.move(padding.left, padding.top);
     sliderRect.contract(padding.left + padding.right, padding.top + padding.bottom);
     sliderGadget->render(paintInfo.context().platformContext()->cr(), sliderRect);
+    slider.render(paintInfo.context().platformContext()->cr(), sliderRect);
     return false;
+}
 …
 IntRect RenderThemeGtk::progressBarRectForBounds(const RenderObject& renderObject, const IntRect& bounds) const
+{
-    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "progressbar", GTK_STATE_FLAG_NORMAL, { "horizontal" } };
-    auto progressBarGadget = RenderThemeGadget::create(info);
-    info.name = "trough";
-    info.classList.clear();
-    auto troughGadget = RenderThemeGadget::create(info, progressBarGadget.get());
-    info.name = "progress";
-    if (renderObject.style().direction() == RTL)
-        info.classList.append("right");
-    else
-        info.classList.append("left");
     const auto& renderProgress = downcast<RenderProgress>(renderObject);
+    if (renderProgress.isDeterminate())
+        info.classList.append("pulse");
+    auto progressGadget = RenderThemeGadget::create(info, troughGadget.get());
+    IntSize preferredSize = progressBarGadget->preferredSize();
+    preferredSize = preferredSize.expandedTo(troughGadget->preferredSize());
+    preferredSize = preferredSize.expandedTo(progressGadget->preferredSize());
+    auto& progressBarWidget = static_cast<RenderThemeProgressBar&>(RenderThemeWidget::getOrCreate(renderProgress.isDeterminate() ? RenderThemeProgressBar::Type::ProgressBar : RenderThemeProgressBar::Type::IndeterminateProgressBar));
+    IntSize preferredSize = progressBarWidget.progressBar().preferredSize();
+    preferredSize = preferredSize.expandedTo(progressBarWidget.trough().preferredSize());
+    preferredSize = preferredSize.expandedTo(progressBarWidget.progress().preferredSize());
     return IntRect(bounds.x(), bounds.y(), bounds.width(), preferredSize.height());
+}
 …
         return true;
-    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "progressbar", GTK_STATE_FLAG_NORMAL, { "horizontal" } };
-    auto progressBarGadget = RenderThemeGadget::create(info);
-    info.name = "trough";
-    info.classList.clear();
-    auto troughGadget = RenderThemeGadget::create(info, progressBarGadget.get());
-    info.name = "progress";
-    if (renderObject.style().direction() == RTL)
-        info.classList.append("right");
-    else
-        info.classList.append("left");
     const auto& renderProgress = downcast<RenderProgress>(renderObject);
+    if (renderProgress.isDeterminate())
+        info.classList.append("pulse");
+    auto progressGadget = RenderThemeGadget::create(info, troughGadget.get());
+    progressBarGadget->render(paintInfo.context().platformContext()->cr(), rect);
+    troughGadget->render(paintInfo.context().platformContext()->cr(), rect);
+    progressGadget->render(paintInfo.context().platformContext()->cr(), calculateProgressRect(renderObject, rect));
+    auto& progressBarWidget = static_cast<RenderThemeProgressBar&>(RenderThemeWidget::getOrCreate(renderProgress.isDeterminate() ? RenderThemeProgressBar::Type::ProgressBar : RenderThemeProgressBar::Type::IndeterminateProgressBar));
+    progressBarWidget.progressBar().render(paintInfo.context().platformContext()->cr(), rect);
+    progressBarWidget.trough().render(paintInfo.context().platformContext()->cr(), rect);
+    progressBarWidget.progress().render(paintInfo.context().platformContext()->cr(), calculateProgressRect(renderObject, rect));
     return false;
+}
 …
 void RenderThemeGtk::adjustInnerSpinButtonStyle(StyleResolver&, RenderStyle& style, const Element*) const
+{
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "spinbutton", GTK_STATE_FLAG_NORMAL, { "horizontal" } };
+    auto spinbuttonGadget = RenderThemeGadget::create(info);
+    info.type = RenderThemeGadget::Type::TextField;
+    info.name = "entry";
+    info.classList.clear();
+    auto entryGadget = RenderThemeGadget::create(info, spinbuttonGadget.get());
+    info.type = RenderThemeGadget::Type::Icon;
+    info.name = "button";
+    info.classList.append("up");
+    auto buttonUpGadget = RenderThemeGadget::create(info, spinbuttonGadget.get());
+    static_cast<RenderThemeIconGadget*>(buttonUpGadget.get())->setIconSize(RenderThemeIconGadget::IconSizeGtk::Menu);
+    info.classList[0] = "down";
+    auto buttonDownGadget = RenderThemeGadget::create(info, spinbuttonGadget.get());
+    static_cast<RenderThemeIconGadget*>(buttonDownGadget.get())->setIconSize(RenderThemeIconGadget::IconSizeGtk::Menu);
+    IntSize upPreferredSize = buttonUpGadget->preferredSize();
+    IntSize downPreferredSize = buttonDownGadget->preferredSize();
+    int buttonSize = std::max(std::max(upPreferredSize.width(), downPreferredSize.width()), std::max(upPreferredSize.height(), downPreferredSize.height()));
+    style.setWidth(Length(buttonSize * 2, Fixed));
+    style.setHeight(Length(buttonSize, Fixed));
+    style.setWidth(Length(spinButtonSize().width(), Fixed));
+    style.setHeight(Length(spinButtonSize().height(), Fixed));
+}
 bool RenderThemeGtk::paintInnerSpinButton(const RenderObject& renderObject, const PaintInfo& paintInfo, const IntRect& rect)
+{
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, "spinbutton", themePartStateFlags(*this, SpinButton, renderObject), { } };
+    auto spinbuttonGadget = RenderThemeGadget::create(info);
+    info.type = RenderThemeGadget::Type::TextField;
+    info.name = "entry";
+    info.classList.clear();
+    auto entryGadget = RenderThemeGadget::create(info, spinbuttonGadget.get());
+    info.type = RenderThemeGadget::Type::Icon;
+    info.name = "button";
+    info.classList.append("up");
+    info.state = themePartStateFlags(*this, SpinButtonUpButton, renderObject);
+    auto buttonUpGadget = RenderThemeGadget::create(info, spinbuttonGadget.get());
+    auto* gadgetIcon = static_cast<RenderThemeIconGadget*>(buttonUpGadget.get());
+    gadgetIcon->setIconSize(RenderThemeIconGadget::IconSizeGtk::Menu);
+    gadgetIcon->setIconName("list-add-symbolic");
+    info.classList[0] = "down";
+    info.state = themePartStateFlags(*this, SpinButtonDownButton, renderObject);
+    auto buttonDownGadget = RenderThemeGadget::create(info, spinbuttonGadget.get());
+    gadgetIcon = static_cast<RenderThemeIconGadget*>(buttonDownGadget.get());
+    gadgetIcon->setIconSize(RenderThemeIconGadget::IconSizeGtk::Menu);
+    gadgetIcon->setIconName("list-remove-symbolic");
+    auto& spinButtonWidget = static_cast<RenderThemeSpinButton&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::SpinButton));
+    auto spinButtonState = themePartStateFlags(*this, SpinButton, renderObject);
+    spinButtonWidget.spinButton().setState(spinButtonState);
+    spinButtonWidget.entry().setState(spinButtonState);
+    auto& up = spinButtonWidget.up();
+    up.setState(themePartStateFlags(*this, SpinButtonUpButton, renderObject));
+    auto& down = spinButtonWidget.down();
+    down.setState(themePartStateFlags(*this, SpinButtonDownButton, renderObject));
     IntRect iconRect = rect;
     iconRect.setWidth(iconRect.width() / 2);
     if (renderObject.style().direction() == RTL)
         buttonUpGadget->render(paintInfo.context().platformContext()->cr(), iconRect);
+        up.render(paintInfo.context().platformContext()->cr(), iconRect);
     else
         buttonDownGadget->render(paintInfo.context().platformContext()->cr(), iconRect);
+        down.render(paintInfo.context().platformContext()->cr(), iconRect);
     iconRect.move(iconRect.width(), 0);
     if (renderObject.style().direction() == RTL)
         buttonDownGadget->render(paintInfo.context().platformContext()->cr(), iconRect);
+        down.render(paintInfo.context().platformContext()->cr(), iconRect);
     else
         buttonUpGadget->render(paintInfo.context().platformContext()->cr(), iconRect);
+        up.render(paintInfo.context().platformContext()->cr(), iconRect);
     return false;
 …
 static Color styleColor(RenderThemePart themePart, GtkStateFlags state, StyleColorType colorType)
+{
+    RenderThemeGadget::Info info = { RenderThemeGadget::Type::Generic, nullptr, state, { } };
+    std::unique_ptr<RenderThemeGadget> parentGadget;
+    RenderThemePart part = themePart;
+    if (themePart == Entry && (state & GTK_STATE_FLAG_SELECTED)) {
+        info.name = "entry";
+        parentGadget = RenderThemeGadget::create(info);
+        part = EntrySelection;
+    }
+    switch (part) {
+    case Entry:
+        info.name = "entry";
+        break;
+    case EntrySelection:
+        info.name = "selection";
+        break;
+    case ListBox:
+        info.name = "treeview";
+        info.classList.append("view");
+        break;
+    case Button:
+        info.name = "button";
+        break;
+    RenderThemeGadget* gadget = nullptr;
+    switch (themePart) {
     default:
         ASSERT_NOT_REACHED();
+        info.name = "entry";
+    }
+    auto gadget = RenderThemeGadget::create(info, parentGadget.get());
+        FALLTHROUGH;
+    case Entry:
+        gadget = &static_cast<RenderThemeEntry&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::Entry)).entry();
+        break;
+    case EntrySelection:
+        gadget = static_cast<RenderThemeEntry&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::SelectedEntry)).selection();
+        break;
+    case ListBox:
+        gadget = &static_cast<RenderThemeListView&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::ListView)).treeview();
+        break;
+    case Button:
+        gadget = &static_cast<RenderThemeButton&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::Button)).button();
+        break;
+    }
+    ASSERT(gadget);
+    gadget->setState(state);
     return colorType == StyleColorBackground ? gadget->backgroundColor() : gadget->color();
+}
 …
 Color RenderThemeGtk::platformActiveSelectionBackgroundColor() const
+{
     return styleColor(Entry, static_cast<GtkStateFlags>(GTK_STATE_FLAG_SELECTED | GTK_STATE_FLAG_FOCUSED), StyleColorBackground);
+    return styleColor(EntrySelection, static_cast<GtkStateFlags>(GTK_STATE_FLAG_SELECTED | GTK_STATE_FLAG_FOCUSED), StyleColorBackground);
+}
 Color RenderThemeGtk::platformInactiveSelectionBackgroundColor() const
+{
     return styleColor(Entry, GTK_STATE_FLAG_SELECTED, StyleColorBackground);
+    return styleColor(EntrySelection, GTK_STATE_FLAG_SELECTED, StyleColorBackground);
+}
 Color RenderThemeGtk::platformActiveSelectionForegroundColor() const
+{
     return styleColor(Entry, static_cast<GtkStateFlags>(GTK_STATE_FLAG_SELECTED | GTK_STATE_FLAG_FOCUSED), StyleColorForeground);
+    return styleColor(EntrySelection, static_cast<GtkStateFlags>(GTK_STATE_FLAG_SELECTED | GTK_STATE_FLAG_FOCUSED), StyleColorForeground);
+}
 Color RenderThemeGtk::platformInactiveSelectionForegroundColor() const
+{
     return styleColor(Entry, GTK_STATE_FLAG_SELECTED, StyleColorForeground);
+    return styleColor(EntrySelection, GTK_STATE_FLAG_SELECTED, StyleColorForeground);
+}
 …
 bool RenderThemeGtk::paintMediaButton(const RenderObject& renderObject, GraphicsContext& graphicsContext, const IntRect& rect, const char* iconName)
+{
     RenderThemeGadget::Info info = { RenderThemeGadget::Type::Icon, "image", themePartStateFlags(*this, MediaButton, renderObject), { } };
     auto gadget = RenderThemeGadget::create(info);
     auto* gadgetIcon = static_cast<RenderThemeIconGadget*>(gadget.get());
     gadgetIcon->setIconSize(RenderThemeIconGadget::IconSizeGtk::Menu);
     gadgetIcon->setIconName(iconName);
     return !gadget->render(graphicsContext.platformContext()->cr(), rect);
+    auto& iconWidget = static_cast<RenderThemeIcon&>(RenderThemeWidget::getOrCreate(RenderThemeWidget::Type::Icon));
+    auto& icon = static_cast<RenderThemeIconGadget&>(iconWidget.icon());
+    icon.setState(themePartStateFlags(*this, MediaButton, renderObject));
+    icon.setIconSize(RenderThemeIconGadget::IconSizeGtk::Menu);
+    icon.setIconName(iconName);
+    return !icon.render(graphicsContext.platformContext()->cr(), rect);
+}
 #else

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog ¶

-              r217367
+              r219817
+-07-24  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.6 release.
+        * gtk/NEWS: Add release notes for 2.16.6.
+-06-26  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.5 release.
+        * gtk/NEWS: Add release notes for 2.16.5.
+-06-25  Michael Catanzaro  <mcatanzaro@igalia.com>
+        Unreviewed, rolling out r215190.
+        Broke product select element on GNOME Bugzilla
+        Reverted changeset:
+        "[GTK] Misplaced right click menu on web page due to
+        deprecated gtk_menu_popup()"
+        https://bugs.webkit.org/show_bug.cgi?id=170553
+        http://trac.webkit.org/changeset/215190
+-06-20  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Update OptionsGTK.cmake and NEWS for 2.16.4 release.
+        * gtk/NEWS: Add release notes for 2.16.4.
+-06-15  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Fix copy-paste error in GTK+ WEBKIT_JAVASCRIPT_ERROR definition.
+        The print one was copied there.
+        * UIProcess/API/gtk/WebKitError.h:
+-06-16  Carlos Garcia Campos  <cgarcia@igalia.com>
+        Unreviewed. Remove wrong headers check from some GTK+ API files.
+        Remove the __WEBKIT_WEB_EXTENSION_H_INSIDE__ check since these are not actually shared.
+        * UIProcess/API/gtk/WebKitEditorState.h:
+        * UIProcess/API/gtk/WebKitOptionMenu.h:
+        * UIProcess/API/gtk/WebKitPrintCustomWidget.h:
+-06-13  Carlos Garcia Campos  <cgarcia@igalia.com>
+        [GTK] Blob download doesn't work
+        https://bugs.webkit.org/show_bug.cgi?id=172442
+        Reviewed by Carlos Alberto Lopez Perez.
+        GTK+ API uses URIs for download destination paths, and passes that URIs to the WebKit internals. But WebKit
+        expects download destination location to be a local path. This is not a problem for normal downloads, because
+        the soup backend handles the cases of download destination being a URI and a path. For blob downloads
+        NetworkDataTaskBlob is used, and it always expects the download destination to be a local path, failing in
+        FileSystem::openFile() when a URI is passed. We need to keep using local files internally and convert to URIs
+        only when exposing those paths to the API.
+        * NetworkProcess/soup/NetworkDataTaskSoup.cpp:
+        (WebKit::NetworkDataTaskSoup::download): Stop handling URIs here, we should always expect local files.
+        * UIProcess/API/gtk/WebKitDownload.cpp:
+        (webkitDownloadDecideDestinationWithSuggestedFilename): Convert destination URI to filanme before pasing it to DownloadClient.
+        (webkitDownloadDestinationCreated): Convert the destination path to a URI before passing it to WebKitDownload::created-destionation signal.
+        * UIProcess/API/gtk/WebKitDownloadClient.cpp:
+        * UIProcess/API/gtk/WebKitDownloadPrivate.h:
+-06-09  Ryosuke Niwa  <rniwa@webkit.org>
+        Crash inside WebKit::PluginView::getAuthenticationInfo
+        https://bugs.webkit.org/show_bug.cgi?id=173083
+        <rdar://problem/32513144>
+        Address Darin's review comment.
+        * WebProcess/Plugins/PluginView.cpp:
+        (WebKit::PluginView::getAuthenticationInfo):
+-06-07  Ryosuke Niwa  <rniwa@webkit.org>
+        Crash inside WebKit::PluginView::getAuthenticationInfo
+        https://bugs.webkit.org/show_bug.cgi?id=173083
+        Reviewed by Chris Dumez.
+        Added a null pointer check. The content document may have went away by the time we get there from IPC.
+        * WebProcess/Plugins/PluginView.cpp:
+        (WebKit::PluginView::getAuthenticationInfo):
+-06-05  Chris Dumez  <cdumez@apple.com>
+        ASSERTION FAILED: RunLoop::isMain() in com.apple.WebKit: IPC::Connection::sendSyncMessage + 128
+        https://bugs.webkit.org/show_bug.cgi?id=172943
+        <rdar://problem/31288058>
+        Reviewed by Alexey Proskuryakov.
+        In Connection::sendMessage(), make sure we only ever transform asynchronous messages into synchronous
+        ones if sendMessage() is called on the main thread. This is necessary because we no longer support
+        sending synchronous messages from a background thread since r205125.
+        * Platform/IPC/Connection.cpp:
+        (IPC::Connection::sendMessage):
+        (IPC::Connection::sendSyncMessage):
+-06-02  Chris Dumez  <cdumez@apple.com>
+        REGRESSION (r206386): Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255
+        https://bugs.webkit.org/show_bug.cgi?id=172846
+        <rdar://problem/31093005>
+        Reviewed by Mark Lam.
+        Follow-up to r217695 to deal with exceptions potentially thrown by
+        NPRuntimeObjectMap::convertJSValueToNPVariant() as well.
+        * WebProcess/Plugins/Netscape/NPJSObject.cpp:
+        (WebKit::NPJSObject::invoke):
+-06-01  Chris Dumez  <cdumez@apple.com>
+        REGRESSION (r206386): Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255
+        https://bugs.webkit.org/show_bug.cgi?id=172846
+        <rdar://problem/31093005>
+        Reviewed by Andreas Kling.
+        In NPJSObject::invoke(), return early if there was an exception when calling JSC::call().
+        Using the value returned by JSC::call() when an exception occurred is unsafe.
+        * WebProcess/Plugins/Netscape/NPJSObject.cpp:
+        (WebKit::NPJSObject::invoke):
+-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
+        [GTK] Stop dismissing menus attached to the web view for every injected event
+        https://bugs.webkit.org/show_bug.cgi?id=172708
+        Reviewed by Alex Christensen.
+        To actually simulate a right-click event we should also send the button release after the press, and let the page
+        handle the events in addition to sending the event to the context menu controller, like we do with normal
+        events. So, this is mostly the same as a real right-click event but without actually showing the menu.
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::contextMenuAtPointInWindow):
+-04-11  Adrian Perez de Castro  <aperez@igalia.com>
+        [GTK] Attach popup menu to web view widget
+        https://bugs.webkit.org/show_bug.cgi?id=145866
+        Use gtk_menu_attach_to_widget() to let GTK+ know that popup menus belong to a certain web view.
+        This improves the positioning choices that the toolkit can do, and solves a long-standing issue
+        that caused long popup menus to hang outside of the available display area under Wayland.
+        Based on a patch by Jonas Ådahl <jadahl@gmail.com>.
+        Reviewed by Carlos Garcia Campos.
+        * UIProcess/gtk/WebPopupMenuProxyGtk.cpp:
+        (WebKit::WebPopupMenuProxyGtk::showPopupMenu):
+-04-10  Adrian Perez de Castro  <aperez@igalia.com>
+        [GTK] Misplaced right click menu on web page due to deprecated gtk_menu_popup()
+        https://bugs.webkit.org/show_bug.cgi?id=170553
+        Reviewed by Michael Catanzaro.
+        Use gtk_menu_popup_at_pointer() and gtk_menu_popup_at_rect() when building with GTK+ 3.22 or
+        newer. This allows the Wayland GTK+ backend to properly position popup menus, and also avoids
+        using functions which were deprecated starting at that GTK+ release.
+        * UIProcess/gtk/WebContextMenuProxyGtk.cpp:
+        (WebKit::WebContextMenuProxyGtk::show): Use gtk_menu_popup_at_pointer() as there is always a
+        pointer event that can be passed to it.
+        * UIProcess/gtk/WebPopupMenuProxyGtk.cpp:
+        (WebKit::WebPopupMenuProxyGtk::showPopupMenu): Use gtk_menu_popup_at_rect(), using the coordinates
+        of the control passed as reference rectangle. Some conditional code is needed because with newer
+        GTK+ versions a relative offset instead of an absolute position is needed.
+-04-10  Adrian Perez de Castro  <aperez@igalia.com>
+        [GTK] Opening a popup menu does not pre-select the active item
+        https://bugs.webkit.org/show_bug.cgi?id=170680
+        Reviewed by Michael Catanzaro.
+        * UIProcess/gtk/WebPopupMenuProxyGtk.cpp:
+        (WebKit::WebPopupMenuProxyGtk::showPopupMenu): Use gtk_menu_shell_select_item() to
+        ensure that the active item appears selected right after popping up the menu.
 -05-24  Carlos Garcia Campos  <cgarcia@igalia.com>

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp ¶

-              r217367
+              r219817
+    }
+    if (g_path_is_absolute(m_pendingDownloadLocation.utf8().data()))
+        m_downloadDestinationFile = adoptGRef(g_file_new_for_path(m_pendingDownloadLocation.utf8().data()));
+    else
+        m_downloadDestinationFile = adoptGRef(g_file_new_for_uri(m_pendingDownloadLocation.utf8().data()));
+    CString downloadDestinationPath = m_pendingDownloadLocation.utf8();
+    m_downloadDestinationFile = adoptGRef(g_file_new_for_path(downloadDestinationPath.data()));
     GRefPtr<GFileOutputStream> outputStream;
     GUniqueOutPtr<GError> error;
 …
+    }
+    GUniquePtr<char> downloadDestinationURI(g_file_get_uri(m_downloadDestinationFile.get()));
+    GUniquePtr<char> intermediateURI(g_strdup_printf("%s.wkdownload", downloadDestinationURI.get()));
+    m_downloadIntermediateFile = adoptGRef(g_file_new_for_uri(intermediateURI.get()));
+    outputStream = adoptGRef(g_file_replace(m_downloadIntermediateFile.get(), 0, TRUE, G_FILE_CREATE_NONE, 0, &error.outPtr()));
+    GUniquePtr<char> intermediatePath(g_strdup_printf("%s.wkdownload", downloadDestinationPath.data()));
+    m_downloadIntermediateFile = adoptGRef(g_file_new_for_path(intermediatePath.get()));
+    outputStream = adoptGRef(g_file_replace(m_downloadIntermediateFile.get(), nullptr, TRUE, G_FILE_CREATE_NONE, nullptr, &error.outPtr()));
     if (!outputStream) {
         didFailDownload(platformDownloadDestinationError(m_response, error->message));
 …
     auto* downloadPtr = download.get();
     downloadManager.dataTaskBecameDownloadTask(m_pendingDownloadID, WTFMove(download));
     downloadPtr->didCreateDestination(String::fromUTF8(downloadDestinationURI.get()));
+    downloadPtr->didCreateDestination(m_pendingDownloadLocation);
     ASSERT(!m_client);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/Platform/IPC/Connection.cpp ¶

r217367	r219817
380	380	return false;
381	381
382		if (m_inDispatchMessageMarkedToUseFullySynchronousModeForTesting && !encoder->isSyncMessage() && !(encoder->messageReceiverName() == "IPC")) {
	382	if (RunLoop::isMain() && m_inDispatchMessageMarkedToUseFullySynchronousModeForTesting && !encoder->isSyncMessage() && !(encoder->messageReceiverName() == "IPC")) {
383	383	uint64_t syncRequestID;
384	384	auto wrappedMessage = createSyncMessageEncoder("IPC", "WrappedAsyncMessageForTesting", encoder->destinationID(), syncRequestID);

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/UIProcess/API/gtk/WebKitDownload.cpp ¶

-              r217367
+              r219817
 #include <wtf/glib/GRefPtr.h>
 #include <wtf/glib/GUniquePtr.h>
+#include <wtf/text/CString.h>
 using namespace WebKit;
 …
+}
 CString webkitDownloadDecideDestinationWithSuggestedFilename(WebKitDownload* download, const CString& suggestedFilename, bool& allowOverwrite)
+String webkitDownloadDecideDestinationWithSuggestedFilename(WebKitDownload* download, const CString& suggestedFilename, bool& allowOverwrite)
+{
     if (download->priv->isCancelled)
         return "";
+        return emptyString();
     gboolean returnValue;
     g_signal_emit(download, signals[DECIDE_DESTINATION], 0, suggestedFilename.data(), &returnValue);
     allowOverwrite = download->priv->allowOverwrite;
+    return download->priv->destinationURI;
+}
+void webkitDownloadDestinationCreated(WebKitDownload* download, const CString& destinationURI)
+    GUniquePtr<char> destinationPath(g_filename_from_uri(download->priv->destinationURI.data(), nullptr, nullptr));
+    if (!destinationPath)
+        return emptyString();
+    return String::fromUTF8(destinationPath.get());
+}
+void webkitDownloadDestinationCreated(WebKitDownload* download, const String& destinationPath)
+{
     if (download->priv->isCancelled)
         return;
+    g_signal_emit(download, signals[CREATED_DESTINATION], 0, destinationURI.data(), nullptr);
+    GUniquePtr<char> destinationURI(g_filename_to_uri(destinationPath.utf8().data(), nullptr, nullptr));
+    ASSERT(destinationURI);
+    g_signal_emit(download, signals[CREATED_DESTINATION], 0, destinationURI.get());
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/UIProcess/API/gtk/WebKitDownloadClient.cpp ¶

r217367	r219817
78	78	{
79	79	GRefPtr<WebKitDownload> download = webkitWebContextGetOrCreateDownload(downloadProxy);
80		return ~~String::fromUTF8(webkitDownloadDecideDestinationWithSuggestedFilename(download.get(), filename.utf8(), allowOverwrite)~~);
	80	return webkitDownloadDecideDestinationWithSuggestedFilename(download.get(), filename.utf8(), allowOverwrite);
81	81	}
82	82
…	…
84	84	{
85	85	GRefPtr<WebKitDownload> download = webkitWebContextGetOrCreateDownload(downloadProxy);
86		webkitDownloadDestinationCreated(download.get(), path~~.utf8()~~);
	86	webkitDownloadDestinationCreated(download.get(), path);
87	87	}
88	88

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/UIProcess/API/gtk/WebKitDownloadPrivate.h ¶

-              r217367
+              r219817
 #include <WebCore/ResourceError.h>
 #include <WebCore/ResourceRequest.h>
-#include <wtf/text/CString.h>
 WebKitDownload* webkitDownloadCreate(WebKit::DownloadProxy*);
 …
 void webkitDownloadCancelled(WebKitDownload*);
 void webkitDownloadFinished(WebKitDownload*);
 CString webkitDownloadDecideDestinationWithSuggestedFilename(WebKitDownload*, const CString& suggestedFilename, bool& allowOverwrite);
 void webkitDownloadDestinationCreated(WebKitDownload*, const CString& destinationURI);
+String webkitDownloadDecideDestinationWithSuggestedFilename(WebKitDownload*, const CString& suggestedFilename, bool& allowOverwrite);
+void webkitDownloadDestinationCreated(WebKitDownload*, const String& destinationPath);
 #endif // WebKitDownloadPrivate_h

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/UIProcess/API/gtk/WebKitEditorState.h ¶

r217367	r219817
18	18	*/
19	19
20		#if !defined(__WEBKIT2_H_INSIDE__) && !defined(WEBKIT2_COMPILATION) ~~&& !defined(__WEBKIT_WEB_EXTENSION_H_INSIDE__)~~
	20	#if !defined(__WEBKIT2_H_INSIDE__) && !defined(WEBKIT2_COMPILATION)
21	21	#error "Only <webkit2/webkit2.h> can be included directly."
22	22	#endif

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/UIProcess/API/gtk/WebKitError.h ¶

r217367	r219817
35	35	#define WEBKIT_DOWNLOAD_ERROR webkit_download_error_quark ()
36	36	#define WEBKIT_PRINT_ERROR webkit_print_error_quark ()
37		#define WEBKIT_JAVASCRIPT_ERROR webkit_~~prin~~t_error_quark ()
	37	#define WEBKIT_JAVASCRIPT_ERROR webkit_javascript_error_quark ()
38	38	#define WEBKIT_SNAPSHOT_ERROR webkit_snapshot_error_quark ()
39	39

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/UIProcess/API/gtk/WebKitPrintCustomWidget.h ¶

r217367	r219817
18	18	*/
19	19
20		#if !defined(__WEBKIT2_H_INSIDE__) && !defined(WEBKIT2_COMPILATION) ~~&& !defined(__WEBKIT_WEB_EXTENSION_H_INSIDE__)~~
	20	#if !defined(__WEBKIT2_H_INSIDE__) && !defined(WEBKIT2_COMPILATION)
21	21	#error "Only <webkit2/webkit2.h> can be included directly."
22	22	#endif

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/UIProcess/gtk/WebPopupMenuProxyGtk.cpp ¶

r217367	r219817
123	123	}
124	124
	125	gtk_menu_attach_to_widget(GTK_MENU(m_popup), GTK_WIDGET(m_webView), nullptr);
	126
125	127	const GdkEvent* event = m_client->currentlyProcessedMouseDownEvent() ? m_client->currentlyProcessedMouseDownEvent()->nativeEvent() : nullptr;
126	128	gtk_menu_popup_for_device(GTK_MENU(m_popup), event ? gdk_event_get_device(event) : nullptr, nullptr, nullptr,
…	…
143	145	return;
144	146	}
	147
	148	// This ensures that the active item gets selected after popping up the menu, and
	149	// as it says in "gtkcombobox.c" (line ~1606): it's ugly, but gets the job done.
	150	GtkWidget* activeChild = gtk_menu_get_active(GTK_MENU(m_popup));
	151	if (activeChild && gtk_widget_get_visible(activeChild))
	152	gtk_menu_shell_select_item(GTK_MENU_SHELL(m_popup), activeChild);
145	153	}
146	154

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp ¶

-              r217367
+              r219817
     JSValue value = JSC::call(exec, function, callType, callData, m_jsObject.get(), argumentList);
+    if (UNLIKELY(scope.exception())) {
+        scope.clearException();
+        return false;
+    }
     // Convert and return the result of the function call.
     m_objectMap->convertJSValueToNPVariant(exec, value, *result);
+    scope.clearException();
+    if (UNLIKELY(scope.exception())) {
+        scope.clearException();
+        return false;
+    }
     return true;

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/Plugins/PluginView.cpp ¶

-              r217367
+              r219817
 bool PluginView::getAuthenticationInfo(const ProtectionSpace& protectionSpace, String& username, String& password)
+{
+    String partitionName = m_pluginElement->contentDocument()->topDocument().securityOrigin().domainForCachePartition();
+    auto* contentDocument = m_pluginElement->contentDocument();
+    if (!contentDocument)
+        return false;
+    String partitionName = contentDocument->topDocument().securityOrigin().domainForCachePartition();
     Credential credential = CredentialStorage::defaultCredentialStorage().get(partitionName, protectionSpace);
     if (credential.isEmpty())

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/WebProcess/WebPage/WebPage.cpp ¶

-              r217367
+              r219817
+{
     corePage()->contextMenuController().clearContextMenu();
     // Simulate a mouse click to generate the correct menu.
+    PlatformMouseEvent mouseEvent(point, point, RightButton, PlatformEvent::MousePressed, 1, false, false, false, false, currentTime(), WebCore::ForceAtClick, WebCore::NoTap);
+    bool handled = corePage()->userInputBridge().handleContextMenuEvent(mouseEvent, &corePage()->mainFrame());
+    if (!handled)
+        return 0;
+    return contextMenu();
+    PlatformMouseEvent mousePressEvent(point, point, RightButton, PlatformEvent::MousePressed, 1, false, false, false, false, currentTime(), WebCore::ForceAtClick, WebCore::NoTap);
+    corePage()->userInputBridge().handleMousePressEvent(mousePressEvent);
+    bool handled = corePage()->userInputBridge().handleContextMenuEvent(mousePressEvent, &corePage()->mainFrame());
+    auto* menu = handled ? contextMenu() : nullptr;
+    PlatformMouseEvent mouseReleaseEvent(point, point, RightButton, PlatformEvent::MouseReleased, 1, false, false, false, false, currentTime(), WebCore::ForceAtClick, WebCore::NoTap);
+    corePage()->userInputBridge().handleMouseReleaseEvent(mouseReleaseEvent);
+    return menu;
+}
 #endif

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebKit2/gtk/NEWS ¶

-              r217367
+              r219817
+==================
+WebKitGTK+  2.16.6
+==================
+  - Fix rendering of spin buttons with GTK+ >= 3.20 when the entry width is too short.
+  - Fix the build when Wayland target is enabled and X11 disabled.
+  - Fix several crashes and rendering issues.
+  - Security fixes: CVE-2017-7039, CVE-2017-7018, CVE-2017-7030, CVE-2017-7037, CVE-2017-7034,
+    CVE-2017-7055, CVE-2017-7056, CVE-2017-7064, CVE-2017-7061, CVE-2017-7048, CVE-2017-7046.
+==================
+WebKitGTK+  2.16.5
+==================
+  - Fix a web process crash when page finishes loading in several web sites.
+  - Fix the menu of select elements not showing in some cases under Wayland.
+==================
+WebKitGTK+  2.16.4
+==================
+  - Fix web process deadlock when seeking youtube videos.
+  - Fix blob downloads.
+  - Improve theme rendering performance when using GTK+ >= 3.20.
+  - Fix positioning of popup menus in Wayland.
+  - Fix several crashes and rendering issues.
+  - Security fixes: CVE-2017-2538.
 ==================
 WebKitGTK+  2.16.3

TabularUnified releases/WebKitGTK/webkit-2.16/Source/cmake/OptionsGTK.cmake ¶

-              r217367
+              r219817
 set(PROJECT_VERSION_MAJOR 2)
 set(PROJECT_VERSION_MINOR 16)
 set(PROJECT_VERSION_MICRO 3)
+set(PROJECT_VERSION_MICRO 6)
 set(PROJECT_VERSION ${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}.${PROJECT_VERSION_MICRO})
 set(WEBKITGTK_API_VERSION 4.0)
 …
 # Libtool library version, not to be confused with API version.
 # See http://www.gnu.org/software/libtool/manual/html_node/Libtool-versioning.html
 CALCULATE_LIBRARY_VERSIONS_FROM_LIBTOOL_TRIPLE(WEBKIT2 56 6 19)
 CALCULATE_LIBRARY_VERSIONS_FROM_LIBTOOL_TRIPLE(JAVASCRIPTCORE 23 10 5)
+CALCULATE_LIBRARY_VERSIONS_FROM_LIBTOOL_TRIPLE(WEBKIT2 56 9 19)
+CALCULATE_LIBRARY_VERSIONS_FROM_LIBTOOL_TRIPLE(JAVASCRIPTCORE 23 13 5)
 # These are shared variables, but we special case their definition so that we can use the

TabularUnified releases/WebKitGTK/webkit-2.16/Tools/ChangeLog ¶

-              r217367
+              r219817
+-06-25  Michael Catanzaro  <mcatanzaro@igalia.com>
+        Unreviewed, rolling out r215190.
+        Broke product select element on GNOME Bugzilla
+        Reverted changeset:
+        "[GTK] Misplaced right click menu on web page due to
+        deprecated gtk_menu_popup()"
+        https://bugs.webkit.org/show_bug.cgi?id=170553
+        http://trac.webkit.org/changeset/215190
+-06-13  Carlos Garcia Campos  <cgarcia@igalia.com>
+        [GTK] Blob download doesn't work
+        https://bugs.webkit.org/show_bug.cgi?id=172442
+        Reviewed by Carlos Alberto Lopez Perez.
+        Add a unit test to check blob downloads.
+        * TestWebKitAPI/Tests/WebKit2Gtk/TestDownloads.cpp:
+        (testBlobDownload):
+        (beforeAll):
+-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>
+        [GTK] Stop dismissing menus attached to the web view for every injected event
+        https://bugs.webkit.org/show_bug.cgi?id=172708
+        Reviewed by Alex Christensen.
+        It's a workaround we added in r184015 that has worked so far for the context menu, but doesn't really work now
+        that we also attach popup menus to the web view. We really need to be able to show a popup menu, and then send
+        events while the menu is open.
+        * WebKitTestRunner/InjectedBundle/EventSendingController.cpp:
+        (WTR::EventSendingController::contextClick): Use WKBundlePageCopyContextMenuAtPointInWindow() also in GTK+ port.
+        * WebKitTestRunner/gtk/EventSenderProxyGtk.cpp:
+        (WTR::EventSenderProxy::dispatchEvent): Stop calling PlatformWebView::dismissAllPopupMenus().
+-04-10  Adrian Perez de Castro  <aperez@igalia.com>
+        [GTK] Misplaced right click menu on web page due to deprecated gtk_menu_popup()
+        https://bugs.webkit.org/show_bug.cgi?id=170553
+        Reviewed by Michael Catanzaro.
+        Use gtk_menu_popup_at_pointer() and gtk_menu_popup_at_rect() when
+        building with GTK+ 3.22 or newer. This allows the Wayland GTK+ backend
+        to properly position popup menus, and also avoids using functions
+        which were deprecated starting at that GTK+ release.
+        * MiniBrowser/gtk/BrowserSearchBar.c:
+        (searchEntryMenuIconPressedCallback):
+        Update MiniBrowser to use gtk_menu_popup_at_pointer().
+-05-27  Zalan Bujtas  <zalan@apple.com>
+        enclosingIntRect returns a rect with -1 width/height when the input FloatRect overflows integer.
+        https://bugs.webkit.org/show_bug.cgi?id=172676
+        Reviewed by Simon Fraser.
+        * TestWebKitAPI/Tests/WebCore/FloatRect.cpp:
+        (TestWebKitAPI::TEST):
 -05-20  Ting-Wei Lan  <lantw44@gmail.com>

TabularUnified releases/WebKitGTK/webkit-2.16/Tools/TestWebKitAPI/Tests/WebKit2Gtk/TestDownloads.cpp ¶

-              r217367
+              r219817
+}
+static void testBlobDownload(WebViewDownloadTest* test, gconstpointer)
+{
+    test->showInWindowAndWaitUntilMapped();
+    static const char* linkBlobHTML =
+        "<html><body>"
+        "<a id='downloadLink' style='position:absolute; left:1; top:1' download='foo.pdf'>Download Me</a>"
+        "<script>"
+        "  blob = new Blob(['Hello world'], {type: 'text/plain'});"
+        "  document.getElementById('downloadLink').href = window.URL.createObjectURL(blob);"
+        "</script>"
+        "</body></html>";
+    test->loadHtml(linkBlobHTML, kServer->getURIForPath("/").data());
+    test->waitUntilLoadFinished();
+    g_idle_add([](gpointer userData) -> gboolean {
+        auto* test = static_cast<WebViewDownloadTest*>(userData);
+        test->clickMouseButton(1, 1, 1);
+        return FALSE;
+    }, test);
+    test->waitUntilDownloadStarted();
+    g_assert(test->m_webView == webkit_download_get_web_view(test->m_download.get()));
+    test->waitUntilDownloadFinished();
+    GRefPtr<GFile> downloadFile = adoptGRef(g_file_new_for_uri(webkit_download_get_destination(test->m_download.get())));
+    GRefPtr<GFileInfo> downloadFileInfo = adoptGRef(g_file_query_info(downloadFile.get(), G_FILE_ATTRIBUTE_STANDARD_SIZE, static_cast<GFileQueryInfoFlags>(0), nullptr, nullptr));
+    GUniquePtr<char> downloadPath(g_file_get_path(downloadFile.get()));
+    GUniqueOutPtr<char> downloadContents;
+    gsize downloadContentsLength;
+    g_assert(g_file_get_contents(downloadPath.get(), &downloadContents.outPtr(), &downloadContentsLength, nullptr));
+    g_assert_cmpint(g_file_info_get_size(downloadFileInfo.get()), ==, downloadContentsLength);
+    g_assert_cmpstr(downloadContents.get(), ==, "Hello world");
+    g_file_delete(downloadFile.get(), nullptr, nullptr);
+}
 void beforeAll()
+{
 …
     DownloadTest::add("Downloads", "mime-type", testDownloadMIMEType);
     WebViewDownloadTest::add("Downloads", "contex-menu-download-actions", testContextMenuDownloadActions);
+    WebViewDownloadTest::add("Downloads", "blob-download", testBlobDownload);
+}

TabularUnified releases/WebKitGTK/webkit-2.16/Tools/WebKitTestRunner/InjectedBundle/EventSendingController.cpp ¶

-              r217367
+              r219817
     JSContextRef context = WKBundleFrameGetJavaScriptContext(mainFrame);
 #if ENABLE(CONTEXT_MENUS)
-#if PLATFORM(GTK) || PLATFORM(EFL)
-    // Do mouse context click.
-    mouseDown(2, 0);
-    mouseUp(2, 0);
-    WKRetainPtr<WKArrayRef> menuEntries = adoptWK(WKBundlePageCopyContextMenuItems(page));
-#else
     WKRetainPtr<WKArrayRef> menuEntries = adoptWK(WKBundlePageCopyContextMenuAtPointInWindow(page, m_position));
-#endif
     JSValueRef arrayResult = JSObjectMakeArray(context, 0, 0, 0);
     if (!menuEntries)

TabularUnified releases/WebKitGTK/webkit-2.16/Tools/WebKitTestRunner/gtk/EventSenderProxyGtk.cpp ¶

-              r217367
+              r219817
+{
     ASSERT(m_testController->mainWebView());
-    // If we are sending an escape key to the WebView, this has the side-effect of dismissing
-    // any current popups anyway. Chances are that the test is doing this to dismiss the popup
-    // anyway. Not all tests properly dismiss popup menus, so we still need to do it manually
-    // if this isn't an escape key press.
-    if (event->type != GDK_KEY_PRESS || event->key.keyval != GDK_KEY_Escape)
-        m_testController->mainWebView()->dismissAllPopupMenus();
     gtk_main_do_event(event);
     gdk_event_free(event);

Context Navigation

Changes in releases/WebKitGTK/webkit-2.16 [217367:219817] in webkit

Legend:

TabularUnified releases/WebKitGTK/webkit-2.16/ChangeLog ¶

TabularUnified releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog ¶

TabularUnified releases/WebKitGTK/webkit-2.16/JSTests/stress/array-prototype-splice-making-typed-array.js ¶

TabularUnified releases/WebKitGTK/webkit-2.16/JSTests/stress/array-species-config-array-constructor.js ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/mac/alt-for-css-content-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/accessibility/mac/webkit-alt-for-css-content-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/crypto/webkitSubtle/argument-conversion-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/editing/pasteboard/cjk-line-height-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/editing/selection/5354455-1.html ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/alt-inherit-initial-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/alt-inherit-initial.html ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/content-language-comma-separated-list-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/content-language-empty-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/content-language-only-whitespace-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/content-language-with-whitespace-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/counters/counter-cssText-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/counters/counter-cssText.html ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/font-family-trailing-bracket-gunk-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/font-family-trailing-bracket-gunk.html ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/computed-style-font-family-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/computed-style-properties-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/computed-style-properties.html ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/font-family-fallback-reset-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/getComputedStyle/script-tests/font-family-fallback-reset.js ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/lang-mapped-to-webkit-locale-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/lang-mapped-to-webkit-locale.xhtml ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/uri-token-parsing-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/css/uri-token-parsing.html ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/events/context-activated-by-key-event.html ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/events/script-tests/mouse-click-events.js ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/inspector-support/cssURLQuotes-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/fast/inspector-support/style-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/imported/w3c/ChangeLog ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/controls/track-menu.html ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-overlapping-append-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-overlapping-decodetime-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-seek-back-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-sequence-timestamps-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/media/media-source/media-source-timeoffset-expected.txt ¶

TabularUnified releases/WebKitGTK/webkit-2.16/LayoutTests/platform/gtk/fast/forms/menulist-typeahead-find.html ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/ChangeLog ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/ByValInfo.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/BytecodeList.json ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/BytecodeUseDef.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/CodeBlock.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecode/PutByIdFlags.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGArrayMode.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGCapabilities.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/JIT.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/JIT.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/JITOpcodes.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/JITOperations.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/jit/ThunkGenerators.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/llint/LowLevelInterpreter.asm ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/parser/Lexer.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/ArrayPrototype.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/ClonedArguments.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/ConsoleClient.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSArray.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSCJSValue.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObject.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObject.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSObjectInlines.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore/runtime/JSType.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/ThirdParty/ANGLE/ChangeLog ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/ThirdParty/ANGLE/changes.diff ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/ThirdParty/ANGLE/include/EGL/eglplatform.h ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WTF/ChangeLog ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WTF/wtf/MediaTime.cpp ¶

TabularUnified releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog ¶