Timeline



Jul 7, 2015:

11:27 PM Changeset in webkit [186492] by Nikita Vasilyev
  • 5 edits in trunk/Source/WebInspectorUI

Web Inspector: Use "hairline" borders on retina screen
https://bugs.webkit.org/show_bug.cgi?id=146619

Reviewed by Timothy Hatcher.

  • UserInterface/Views/CSSStyleDeclarationSection.css:

(.style-declaration-section):
(.style-declaration-section.locked):
(.style-declaration-section:not(.locked)):
(.style-declaration-section.last-in-group):
(.style-declaration-section + .style-declaration-section):
(.style-declaration-section.last-in-group + .style-declaration-section):
(@media (-webkit-min-device-pixel-ratio: 2)):

  • UserInterface/Views/DetailsSection.css:

(.details-section .details-section):
(.details-section > .content > .group:nth-child(even)):
(@media (-webkit-min-device-pixel-ratio: 2)):

  • UserInterface/Views/DividerNavigationItem.css:

(@media (-webkit-min-device-pixel-ratio: 2)):

  • UserInterface/Views/RulesStyleDetailsPanel.css:

(.sidebar > .panel.details.css-style .rules .label + .style-declaration-section):
(.sidebar > .panel.details.css-style > .content.filter-in-progress .label.filter-matching-label):
(.sidebar > .panel.details.css-style > .content:not(.filter-in-progress) > .rules > .new-rule + .style-declaration-section):
(.sidebar > .panel.details.css-style > .content:not(.filter-in-progress) > .rules > .new-rule + .label):
(@media (-webkit-min-device-pixel-ratio: 2)):

10:44 PM Changeset in webkit [186491] by benjamin@webkit.org
  • 8 edits in trunk/Source/WebCore

Remove the overflow checks from the important vectors used by the content extensions machines
https://bugs.webkit.org/show_bug.cgi?id=146703

Patch by Benjamin Poulain <bpoulain@apple.com> on 2015-07-07
Reviewed by Andreas Kling.

Most of the overflow checks cannot be eliminated by clang. Removing them
explicitly removes 400 ms from the compile time of a very large test list.

  • contentextensions/ContentExtensionsDebugging.h:
  • contentextensions/DFA.h:
  • contentextensions/DFACombiner.cpp:
  • contentextensions/DFAMinimizer.cpp:
  • contentextensions/ImmutableNFA.h:
  • contentextensions/MutableRangeList.h:
  • contentextensions/NFAToDFA.cpp:

(WebCore::ContentExtensions::epsilonClosureExcludingSelf):
(WebCore::ContentExtensions::resolveEpsilonClosures):
(WebCore::ContentExtensions::extendSetWithClosure):
(WebCore::ContentExtensions::DataConverterWithEpsilonClosure::convert):
(WebCore::ContentExtensions::DataConverterWithEpsilonClosure::extend):
(WebCore::ContentExtensions::createCombinedTransition):
(WebCore::ContentExtensions::getOrCreateDFANode):
(WebCore::ContentExtensions::NFAToDFA::convert):

10:27 PM Changeset in webkit [186490] by Devin Rousso
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Pressing tab on a comment in the styles sidebar doesn't highlight the comment
https://bugs.webkit.org/show_bug.cgi?id=146709

Reviewed by Timothy Hatcher.

  • UserInterface/Views/CSSStyleDeclarationTextEditor.js:

(WebInspector.CSSStyleDeclarationTextEditor.prototype.selectFirstProperty):
(WebInspector.CSSStyleDeclarationTextEditor.prototype.selectLastProperty):
(WebInspector.CSSStyleDeclarationTextEditor.prototype._textAtCursorIsComment):
(WebInspector.CSSStyleDeclarationTextEditor.prototype._highlightNextNameOrValue):
(WebInspector.CSSStyleDeclarationTextEditor.prototype._handleMouseUp):
(WebInspector.CSSStyleDeclarationTextEditor.prototype._handleEnterKey):
(WebInspector.CSSStyleDeclarationTextEditor.prototype._insertNewlineAfterCurrentLine):
Determines if the text at the given cursor position in the given line is a comment.
(WebInspector.CSSStyleDeclarationTextEditor.prototype._handleShiftTabKey):
(WebInspector.CSSStyleDeclarationTextEditor.prototype._handleTabKey):

10:24 PM Changeset in webkit [186489] by Devin Rousso
  • 3 edits in trunk/Source/WebInspectorUI

Web Inspector: spacebar should pause/resume timeline recording when timelines are open
https://bugs.webkit.org/show_bug.cgi?id=143267

Reviewed by Timothy Hatcher.

  • Localizations/en.lproj/localizedStrings.js:
  • UserInterface/Views/TimelineTabContentView.js:

(WebInspector.TimelineSidebarPanel): Added two new keyboard shortcuts: space and shift-space.
(WebInspector.TimelineSidebarPanel.prototype.shown): Enables the keyboard shortcuts.
(WebInspector.TimelineSidebarPanel.prototype.hidden): Disables the keyboard shortcuts.
(WebInspector.TimelineSidebarPanel.prototype._toggleRecordingOnSpacebar):
(WebInspector.TimelineSidebarPanel.prototype._toggleNewRecordingOnSpacebar):
(WebInspector.TimelineSidebarPanel.prototype._toggleRecording): Starts/stops recording.

10:23 PM Changeset in webkit [186488] by commit-queue@webkit.org
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Improve names for unprefixed animation events
https://bugs.webkit.org/show_bug.cgi?id=146708

Patch by Joseph Pecoraro <Joseph Pecoraro> on 2015-07-07
Reviewed by Timothy Hatcher.

  • UserInterface/Models/ScriptTimelineRecord.js:

7:19 PM Changeset in webkit [186487] by dino@apple.com
  • 3 edits in trunk/Source/WebCore

[iOS] MediaControls: Start Play and Can't Play buttons need to be cutout and blurred
https://bugs.webkit.org/show_bug.cgi?id=146226

Reviewed by Simon Fraser.

This patch takes what Said Abou-Hallawa posted in an earlier revision and
makes a few tweaks to work around the bugs he's listed.

Replicate the iOS System blur backdrop in pure CSS, so that the large
start button looks more correct. Also add artwork for a failure state.

  • Modules/mediacontrols/mediaControlsiOS.css: New style rules for the start
    button, which now is a collection of elements rather than a <button>.

(video::-webkit-media-controls-start-playback-button):
(video::-webkit-media-controls-start-playback-background):
(video::-webkit-media-controls-start-playback-tint):

  • Modules/mediacontrols/mediaControlsiOS.js:

(ControllerIOS.prototype.createBase): Replace the <button> with the hierarchy of
elements to replicate the blur. Give some of them a class attribute, so they
can match selectors (see the bugs Said filed in the original bugzilla).
(ControllerIOS.prototype.handleStartPlaybackButtonTouchStart): Toggle classes on
the hierarchy as needed.
(ControllerIOS.prototype.handleStartPlaybackButtonTouchEnd): Ditto.
(ControllerIOS.prototype.updateStatusDisplay): Ditto.

6:53 PM Changeset in webkit [186486] by Alan Bujtas
  • 3 edits
    3 adds in trunk

Crash when parent iframe is set to display none and the child frame is mutated the same time.
https://bugs.webkit.org/show_bug.cgi?id=146699
rdar://problem/16207881

Reviewed by Andreas Kling.

When the parent iframe is set to display: none, we destroy the associated renderer (RenderIFrame).
However, if the child frame is mutated at the same time, during layout we try to access this RenderIFrame
to check whether it needs frame flattening.
This patch checks whether the parent render widget is still valid.

Source/WebCore:

Test: fast/frames/crash-display-none-iframe-during-onbeforeload.html

  • page/FrameView.cpp:

(WebCore::FrameView::isInChildFrameWithFrameFlattening): rearrange early returns.

LayoutTests:

  • fast/frames/crash-display-none-iframe-during-onbeforeload-expected.txt: Added.
  • fast/frames/crash-display-none-iframe-during-onbeforeload.html: Added.
  • fast/frames/resources/displaynone-this-during-object-beforeload.html: Added.

4:54 PM Changeset in webkit [186485] by timothy_horton@apple.com
  • 3 edits in trunk/Source/WebKit2

Occasional null deref in the CA callback in flushLayers()
https://bugs.webkit.org/show_bug.cgi?id=146700
<rdar://problem/21668754>

Reviewed by Simon Fraser.

  • WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:

(WebKit::TiledCoreAnimationDrawingArea::flushLayers):

  • WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.mm:

(WebKit::RemoteLayerTreeDrawingArea::flushLayers):
Make sure we keep the WebPage alive, and null-check the potentially null
WebCore objects (Page and Frame).

4:52 PM Changeset in webkit [186484] by mrajca@apple.com
  • 12 edits
    4 adds in trunk

Media Session: propagate metadata changes to UI clients
https://bugs.webkit.org/show_bug.cgi?id=146660

Reviewed by Tim Horton.

  • CMakeLists.txt: Added WebMediaSessionMetadata and WKMediaSessionMetadata.
  • Shared/API/APIObject.h: Added a media session metadata type.
  • Shared/API/c/WKBase.h:
  • Shared/WebMediaSessionMetadata.cpp: Added API adapter for WebCore::MediaSessionMetadata.

(WebKit::WebMediaSessionMetadata::create):
(WebKit::WebMediaSessionMetadata::WebMediaSessionMetadata):
(WebKit::WebMediaSessionMetadata::~WebMediaSessionMetadata):

  • Shared/WebMediaSessionMetadata.h: Added API adapter for WebCore::MediaSessionMetadata.

(WebKit::WebMediaSessionMetadata::title):
(WebKit::WebMediaSessionMetadata::artist):
(WebKit::WebMediaSessionMetadata::album):

  • UIProcess/API/APIUIClient.h: Added 'mediaSessionMetadataDidChange' interface.

(API::UIClient::mediaSessionMetadataDidChange):

  • UIProcess/API/C/WKAPICast.h:
  • UIProcess/API/C/WKMediaSessionMetadata.cpp: Added C wrapper for WebMediaSessionMetadata.

(WKMediaSessionMetadataGetTypeID):
(WKMediaSessionMetadataCopyTitle):
(WKMediaSessionMetadataCopyArtist):
(WKMediaSessionMetadataCopyAlbum):

  • UIProcess/API/C/WKMediaSessionMetadata.h: Added C wrapper for WebMediaSessionMetadata.
  • UIProcess/API/C/WKPage.cpp: Forward 'mediaSessionMetadataDidChange' to client.

(WKPageSetPageUIClient):

  • UIProcess/API/C/WKPageUIClient.h: Added 'mediaSessionMetadataDidChange' callback.
  • UIProcess/WebPageProxy.cpp: Forward 'mediaSessionMetadataDidChange' to UI client.

(WebKit::WebPageProxy::mediaSessionMetadataDidChange):

  • WebKit2.xcodeproj/project.pbxproj: Added WebMediaSessionMetadata and WKMediaSessionMetadata.

4:25 PM Changeset in webkit [186483] by Brent Fulgham
  • 2 edits in trunk/LayoutTests

[Win] Unreviewed test skip after r186476.

  • platform/win/TestExpectations:

4:00 PM Changeset in webkit [186482] by mrajca@apple.com
  • 3 edits in trunk/Source/WebCore

Media Session: remove seek forward/backward attributes
https://bugs.webkit.org/show_bug.cgi?id=146645

Reviewed by Eric Carlson.

  • Modules/mediasession/MediaRemoteControls.h:
  • Modules/mediasession/MediaRemoteControls.idl:

3:57 PM Changeset in webkit [186481] by timothy@apple.com
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Timeline record bars are not white when the row is selected from the sidebar
https://bugs.webkit.org/show_bug.cgi?id=146694

Reviewed by Joseph Pecoraro.

  • UserInterface/Views/TimelineRecordBar.css:

(:matches(:focus, .force-focus) .selected .timeline-record-bar > .segment):
(:matches(:focus, .force-focus) .selected .timeline-record-bar > .segment.inactive):
(:matches(:focus, .force-focus) .selected .timeline-record-bar.has-inactive-segment > .segment:not(.inactive)):

3:32 PM Changeset in webkit [186480] by Brent Fulgham
  • 2 edits in trunk/Source/WebCore

REGRESSION (r183133-r183138): Secondary clicking in whitespace selects preceding word
https://bugs.webkit.org/show_bug.cgi?id=146695
<rdar://problem/21441466>

Reviewed by Tim Horton.

When we would currently use dictionary lookup to decide on our text selection, first check if we
are targeting an editable field. If we are, use the original selection behavior. Otherwise, use
the new "dictionary lookup" selection.

  • page/EventHandler.cpp:

(WebCore::EventHandler::selectClosestContextualWordOrLinkFromMouseEvent): Only use dictionary lookup
when our target node is not editable.

3:26 PM Changeset in webkit [186479] by beidson@apple.com
  • 3 edits in trunk/Source/WebCore

Another attempt to fix CURL/Soup builds after r186476

Reviewed by NOBODY.

  • platform/network/curl/SocketStreamHandle.h:
  • platform/network/soup/SocketStreamHandle.h:

2:37 PM Changeset in webkit [186478] by beidson@apple.com
  • 3 edits in trunk/Source/WebCore

Attempt to fix CURL/Soup builds after r186476

Reviewed by NOBODY.

  • platform/network/curl/SocketStreamHandle.h:

(WebCore::SocketStreamHandle::create):

  • platform/network/soup/SocketStreamHandle.h:

(WebCore::SocketStreamHandle::create):

2:21 PM Changeset in webkit [186477] by Devin Rousso
  • 3 edits
    2 adds in trunk/Source/WebInspectorUI

Web Inspector: Unnecessary space added after -webkit- prefixed property values
https://bugs.webkit.org/show_bug.cgi?id=146671

Reviewed by Joseph Pecoraro.

  • Tools/PrettyPrinting/css-rule-tests/do-not-add-whitespace-before-prefixed-property-value-expected.css: Added.
  • Tools/PrettyPrinting/css-rule-tests/do-not-add-whitespace-before-prefixed-property-value.css: Added.
  • Tools/PrettyPrinting/index.html:
  • UserInterface/Views/CodeMirrorFormatters.js: Now only adds a space if both the current and previous
    tokens are a property, value, or atom.

2:13 PM Changeset in webkit [186476] by beidson@apple.com
  • 27 edits
    4 adds in trunk

HTTP Auth cached after disabling private browsing/reset.
<rdar://problem/8293055> and https://bugs.webkit.org/show_bug.cgi?id=146654

Reviewed by Tim Horton.

Source/WebCore:

Test: http/tests/security/private-browsing-http-auth.html

  • Change most static CredentialStorage methods to be instance methods instead.
  • Make CredentialStorage objects be per-NetworkStorageSession.
  • Modules/websockets/WebSocketChannel.cpp:

(WebCore::WebSocketChannel::WebSocketChannel):
(WebCore::WebSocketChannel::connect): Only start the web socket load if a networking
context is available.

  • platform/network/CredentialStorage.cpp:

(WebCore::CredentialStorage::defaultCredentialStorage): Returns the credential storage
from the default NetworkStorageSession.

(WebCore::CredentialStorage::set):
(WebCore::CredentialStorage::get):
(WebCore::CredentialStorage::remove):
(WebCore::CredentialStorage::findDefaultProtectionSpaceForURL):
(WebCore::CredentialStorage::clearCredentials):
(WebCore::protectionSpaceToCredentialMap): Deleted.
(WebCore::originsWithCredentials): Deleted.
(WebCore::pathToDefaultProtectionSpaceMap): Deleted.
(WebCore::findDefaultProtectionSpaceForURL): Deleted.
(WebCore::CredentialStorage::setPrivateMode): Deleted. Was a no-op anyways.

  • platform/network/CredentialStorage.h:
  • platform/network/NetworkStorageSession.h:

(WebCore::NetworkStorageSession::credentialStorage):

  • platform/network/cf/ResourceHandleCFNet.cpp:

(WebCore::ResourceHandle::createCFURLConnection):
(WebCore::ResourceHandle::willSendRequest):
(WebCore::ResourceHandle::didReceiveAuthenticationChallenge):
(WebCore::ResourceHandle::receivedCredential):

  • platform/network/cf/SocketStreamHandle.h:

(WebCore::SocketStreamHandle::create):

  • platform/network/cf/SocketStreamHandleCFNet.cpp:

(WebCore::SocketStreamHandle::SocketStreamHandle):
(WebCore::SocketStreamHandle::getStoredCONNECTProxyCredentials):
(WebCore::getStoredCONNECTProxyCredentials): Deleted.

  • platform/network/curl/ResourceHandleCurl.cpp:

(WebCore::ResourceHandle::didReceiveAuthenticationChallenge):
(WebCore::ResourceHandle::receivedCredential):

  • platform/network/curl/ResourceHandleManager.cpp:

(WebCore::ResourceHandleManager::applyAuthenticationToRequest):

  • platform/network/mac/ResourceHandleMac.mm:

(WebCore::ResourceHandle::createNSURLConnection):
(WebCore::ResourceHandle::willSendRequest):
(WebCore::ResourceHandle::didReceiveAuthenticationChallenge):
(WebCore::ResourceHandle::receivedCredential):

  • platform/network/soup/ResourceHandleSoup.cpp:

(WebCore::applyAuthenticationToRequest):
(WebCore::ResourceHandle::didReceiveAuthenticationChallenge):
(WebCore::ResourceHandle::receivedCredential):

Source/WebKit/mac:

  • Misc/WebCache.h:
  • Misc/WebCache.mm:

(+[WebCache clearCachedCredentials]): Clear the global CredentialStorage as well as the
storages belonging to each main frame of each WebView. This method is for DRT.

  • Misc/WebDownload.mm:

(-[WebDownloadInternal download:didReceiveAuthenticationChallenge:]):

  • Plugins/WebBaseNetscapePluginView.mm:

(WebKit::getAuthenticationInfo):

  • WebView/WebView.mm:

(-[WebView _clearCredentials]): Clear the storage belonging to the current networking session
of the main frame of this WebView.

  • WebView/WebViewInternal.h:

Source/WebKit/win:

  • WebDownloadCFNet.cpp:

(WebDownload::didReceiveAuthenticationChallenge):

Source/WebKit2:

  • WebProcess/Plugins/PluginView.cpp:

(WebKit::PluginView::getAuthenticationInfo):

Tools:

  • DumpRenderTree/mac/DumpRenderTree.mm:

(resetWebViewToConsistentStateBeforeTesting): Clear in-memory credentials in between test runs.

LayoutTests:

  • http/tests/security/private-browsing-http-auth-expected.txt: Added.
  • http/tests/security/private-browsing-http-auth.html: Added.
  • http/tests/security/resources/auth-echo.php: Added.
  • http/tests/security/resources/basic-auth.php: Added.
  • platform/wk2/TestExpectations:

1:16 PM Changeset in webkit [186475] by matthew_hanson@apple.com
  • 1 delete in branches/safari-600.7-branch/safari-600.7-branch

The safari-600.8-branch had already been created.

1:09 PM Changeset in webkit [186474] by Alan Bujtas
  • 3 edits
    2 adds in trunk

REGRESSION(169105): CSS Regions: renderer returns wrong selection root when it is inside a column flow.
https://bugs.webkit.org/show_bug.cgi?id=146529
rdar://problem/21613670

Reviewed by Mihnea Ovidenie and David Kilzer.

This patch ensures that RenderObject::selectionRoot() handles column flows properly while searching for the associated
selection root.
When the renderer is inside a column flow and the column flow is part of a named flow, we stop
traversing the ancestor chain, searching for the selection root, when we reach the column flow.
Since the column flow is not a selection root, we mistakenly fall back to the RenderView as selection root.
Instead, we should check if the column is inside a named flow and return the selection root accordingly.
Returning the wrong selection root confuses RenderView::splitSelectionBetweenSubtrees() logic and this particular
RenderObject could end up in multiple selection trees.

Source/WebCore:

Test: fast/regions/selection/crash-when-element-is-inside-column-and-the-containing-block-is-inside-flow.html

  • rendering/RenderObject.cpp:

(WebCore::RenderObject::selectionRoot):

LayoutTests:

  • fast/regions/selection/crash-when-element-is-inside-column-and-the-containing-block-is-inside-flow-expected.txt: Added.
  • fast/regions/selection/crash-when-element-is-inside-column-and-the-containing-block-is-inside-flow.html: Added.

1:07 PM Changeset in webkit [186473] by matthew_hanson@apple.com
  • 1 copy in branches/safari-600.7-branch/safari-600.7-branch

New Branch.

1:03 PM Changeset in webkit [186472] by Brent Fulgham
  • 2 edits in trunk/Source/WebCore

[Mac] REGRESSION (r184794): Play/Pause control doesn't update state in full screen
https://bugs.webkit.org/show_bug.cgi?id=146689
<rdar://problem/21393490>

Reviewed by Dean Jackson.

The changes in r184794 did not take full screen mode into account. This needed to be corrected.

  • Modules/mediacontrols/mediaControlsApple.js:

(Controller.prototype.handlePanelTransitionEnd):
(Controller.prototype.setPlaying):
(Controller.prototype.showControls):

12:58 PM Changeset in webkit [186471] by Matt Baker
  • 4 edits in trunk/Source/WebInspectorUI

Web Inspector: Pad ruler selection area by 1px in the Rendering Frames timeline overview
https://bugs.webkit.org/show_bug.cgi?id=146248

Reviewed by Timothy Hatcher.

  • UserInterface/Views/RenderingFrameTimelineOverview.js:

Enable duration pixel alignment.

  • UserInterface/Views/TimelineOverview.css:

(.timeline-overview.frames > .timeline-ruler > .header > .divider):
(.timeline-overview.frames > .timeline-ruler > .selection-handle.right):
(.timeline-overview.frames > .timeline-ruler > .shaded-area.right):
Shift ruler elements 1 pixel to the right, so that selection boundaries and dividers are
positioned inside the gap between frame elements.

  • UserInterface/Views/TimelineOverview.js:

(WebInspector.TimelineOverview):
(WebInspector.TimelineOverview.prototype.set secondsPerPixel):
(WebInspector.TimelineOverview.prototype.get pixelAlignDuration):
(WebInspector.TimelineOverview.prototype.set pixelAlignDuration):
(WebInspector.TimelineOverview.prototype._handleWheelEvent):
Added a property to force the overview graph to align duration units on the y-axis to pixel boundaries.
When enabled, frame elements are displayed in integer widths while zooming, preventing subpixel blurring
and maintaining a consistent 1 pixel gap between frames.

12:24 PM Changeset in webkit [186470] by andersca@apple.com
  • 2 edits in trunk/Source/WebKit2

Make sure to remove the download message receiver before freeing it
https://bugs.webkit.org/show_bug.cgi?id=146687

Reviewed by Simon Fraser.

  • UIProcess/Downloads/DownloadProxyMap.cpp:

(WebKit::DownloadProxyMap::downloadFinished):

12:12 PM Changeset in webkit [186469] by commit-queue@webkit.org
  • 8 edits
    2 adds in trunk

Snap point regions containing X and Y snap points should do a better job animating
https://bugs.webkit.org/show_bug.cgi?id=142523
<rdar://problem/20100753>

Patch by Wenson Hsieh <whsieh@berkeley.edu> on 2015-07-07
Reviewed by Brent Fulgham.

Source/WebCore:

Reimplemented snap point animations to use a single timer for both horizontal and
vertical axes to better support 2D snap scrolling. Instead of making velocity
dependent on progress to the snap point and handling 2D snapping with different
timer update functions, this implementation uses a fixed animation time to coordinate
the snapping animation across both axes.

Test: platform/mac-wk2/tiled-drawing/scrolling/scroll-snap/scroll-snap-mandatory-2d-overflow.html

  • page/scrolling/mac/ScrollingTreeFrameScrollingNodeMac.h: Refactored to use a single scroll snap timer.
  • page/scrolling/mac/ScrollingTreeFrameScrollingNodeMac.mm: See above.

(WebCore::ScrollingTreeFrameScrollingNodeMac::startScrollSnapTimer): See above.
(WebCore::ScrollingTreeFrameScrollingNodeMac::stopScrollSnapTimer): See above.

  • platform/cocoa/ScrollController.h: Refactored to use a single scroll snap timer and update function to handle
    snapping in both axes. This entails removing the ScrollEventAxis parameter from various functions below. Also
    removed methods that computed "snap" and "glide" offsets.

(WebCore::ScrollControllerClient::startScrollSnapTimer): See above.
(WebCore::ScrollControllerClient::stopScrollSnapTimer): See above.

  • platform/cocoa/ScrollController.mm: See above.

(WebCore::ScrollController::ScrollController): Added new constants used to compute animation offsets.
(WebCore::ScrollController::snapRubberBandTimerFired): Added a check to prevent the rubber band timer from firing
alongside the scroll snap timer. This results in scroll snapping taking precedence over rubber banding when
scrolling against the edge of a container in the case of 2D scrolling. We didn't run into this issue before
because snapping wasn't working properly at the edges of a 2D scrolling container. In the future, we may want
to unify both snap scrolling and rubber banding timers to solve this issue.

(WebCore::ScrollController::isScrollSnapInProgress): Refactored to use a single scroll snap timer.
(WebCore::ScrollController::processWheelEventForScrollSnapOnAxis): Fixed an issue where wheel deltas were being pushed
to the snap state incorrectly.

(WebCore::ScrollController::processWheelEventForScrollSnap): Fixed an issue with 2D snapping where scrolling in 2 axes
simultaneously would cause the vertical axis to override the horizontal axis. This is more like a sub-issue of fixing
2D scrolling, and is required for 2D snap animations to work properly.

(WebCore::ScrollController::startScrollSnapTimer): Refactored to use a single scroll snap timer.
(WebCore::ScrollController::stopScrollSnapTimer): See above.
(WebCore::ScrollController::scrollSnapTimerFired): This new method handles snap scroll updates on both axes.
(WebCore::ScrollController::beginScrollSnapAnimation): Refactored to account for single scroll snap timer.
(WebCore::ScrollController::endScrollSnapAnimation): See above.
(WebCore::ScrollController::initializeScrollSnapAnimationParameters): New method that initializes parameters used to
coordinate the animation state across horizontal and vertical axes.

(WebCore::ScrollController::isSnappingOnAxis): Checks whether or not a given axis is currently scroll snapping. This will
return true in the case of active 2D scroll snapping.

(WebCore::ScrollController::hasActiveScrollSnapTimerForAxis): Deleted.
(WebCore::ScrollController::horizontalScrollSnapTimerFired): Deleted.
(WebCore::ScrollController::verticalScrollSnapTimerFired): Deleted.
(WebCore::ScrollController::scrollSnapAnimationUpdate): Deleted.
(WebCore::ScrollController::initializeGlideParameters): Deleted.
(WebCore::snapProgress): Deleted.
(WebCore::clampedSnapMagnitude): Deleted.
(WebCore::ScrollController::computeSnapDelta): Deleted.
(WebCore::snapGlide): Deleted.
(WebCore::ScrollController::computeGlideDelta): Deleted.

  • platform/cocoa/ScrollSnapAnimatorState.h: Added a new data structure, ScrollSnapAnimationCurveState, which tracks
    the scroll snap animation state across both axes.

  • platform/cocoa/ScrollSnapAnimatorState.mm: Removed fields relevant to the former "gliding" model and renamed the
    initial wheel delta variable to reflect this.

(WebCore::ScrollSnapAnimatorState::averageInitialWheelDelta): Fixed an issue where wheel deltas were being pushed
to the snap state incorrectly.

(WebCore::ScrollSnapAnimatorState::clearInitialWheelDeltaWindow): Tiny for loop incrementor style fix.
(WebCore::ScrollSnapAnimatorState::isSnapping): Checks whether this state is in either snapping or gliding mode.
(WebCore::ScrollSnapAnimatorState::canReachTargetWithCurrentInitialScrollDelta): Checks whether the scroll velocity is
consistent with the initial and target offsets.

(WebCore::ScrollSnapAnimatorState::interpolatedOffsetAtProgress): Interpolates the offset for a given progress value.
(WebCore::ScrollSnapAnimationCurveState::ScrollSnapAnimationCurveState): New constants.
(WebCore::ScrollSnapAnimationCurveState::initializeSnapProgressCurve): Abstracts out part of the initialization process.
(WebCore::ScrollSnapAnimationCurveState::initializeInterpolationCoefficientsIfNecessary): Abstracts out part of the
initialization process.

(WebCore::ScrollSnapAnimationCurveState::interpolatedPositionAtProgress): Abstracts out curve interpolation.
(WebCore::ScrollSnapAnimationCurveState::shouldCompleteSnapAnimationImmediatelyAtTime): Added.
(WebCore::ScrollSnapAnimationCurveState::animationProgressAtTime): Added.

LayoutTests:

Tests that snap points are honored when scrolling in a 2D overflow container.

  • platform/mac-wk2/tiled-drawing/scrolling/scroll-snap/scroll-snap-mandatory-2d-overflow-expected.txt: Added.
  • platform/mac-wk2/tiled-drawing/scrolling/scroll-snap/scroll-snap-mandatory-2d-overflow.html: Added.

11:28 AM Changeset in webkit [186468] by Devin Rousso
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Tabbing in the styles sidebar doesn't highlight the next section of text
https://bugs.webkit.org/show_bug.cgi?id=146676

Reviewed by Timothy Hatcher.

  • UserInterface/Views/CSSStyleDeclarationTextEditor.js:

(WebInspector.CSSStyleDeclarationTextEditor.prototype._highlightNextNameOrValue): Modified the logic to only search the
remaining text after the current cursor position.
(WebInspector.CSSStyleDeclarationTextEditor.prototype._handleShiftTabKey): Now only searches for matches before the colon.

10:28 AM Changeset in webkit [186467] by Chris Dumez
  • 2 edits in trunk/Source/WebKit2

Unreviewed, Fix non-Mac build after r186464.

  • UIProcess/Network/CustomProtocols/soup/CustomProtocolManagerProxySoup.cpp:

(WebKit::CustomProtocolManagerProxy::~CustomProtocolManagerProxy):

10:25 AM Changeset in webkit [186466] by Devin Rousso
  • 6 edits in trunk/Source/WebInspectorUI

Web Inspector: Option+Click not jumping to resource
https://bugs.webkit.org/show_bug.cgi?id=146498

Reviewed by Timothy Hatcher.

  • UserInterface/Base/Main.js: Always show the tab which contains the represented object.

(WebInspector._domNodeWasInspected):
(WebInspector._frameWasAdded):
(WebInspector.showConsoleTab):
(WebInspector.showRepresentedObject): Removed forceShowTab parameter.
(WebInspector.showMainFrameDOMTree):
(WebInspector.showContentFlowDOMTree):
(WebInspector.showSourceCodeForFrame):
(WebInspector.showSourceCode):
(WebInspector.showSourceCodeLocation):
(WebInspector.showOriginalUnformattedSourceCodeLocation):
(WebInspector.showOriginalOrFormattedSourceCodeLocation):
(WebInspector.showOriginalOrFormattedSourceCodeTextRange):
(WebInspector.showResourceRequest):

  • UserInterface/Controllers/CodeMirrorTokenTrackingController.js:

(WebInspector.CodeMirrorTokenTrackingController.prototype._mouseButtonWasReleasedOverEditor):

  • UserInterface/Protocol/InspectorFrontendAPI.js:

(InspectorFrontendAPI.showMainResourceForFrame):

  • UserInterface/Views/ComputedStyleDetailsPanel.js:

(WebInspector.ComputedStyleDetailsPanel.prototype._goToContentFlowArrowWasClicked):
(WebInspector.ComputedStyleDetailsPanel):

  • UserInterface/Views/ObjectTreeBaseTreeElement.js:

(WebInspector.ObjectTreeBaseTreeElement.prototype._appendMenusItemsForObject):
(WebInspector.ObjectTreeBaseTreeElement):

10:22 AM Changeset in webkit [186465] by Chris Dumez
  • 2 edits in trunk/Source/WebCore

Unreviewed, attempt to fix iOS build.

  • platform/ios/WebVideoFullscreenInterfaceAVKit.mm:

(WebVideoFullscreenInterfaceAVKit::setupFullscreen):

10:12 AM Changeset in webkit [186464] by andersca@apple.com
  • 14 edits in trunk/Source/WebKit2

Make sure to remove message receivers before they are deallocated
https://bugs.webkit.org/show_bug.cgi?id=146666
rdar://problem/21331118

Reviewed by Tim Horton.

Add code so we can assert that there are no message receiver maps pointing to a message receiver
when it's being destroyed. Fix all the assertions by calling removeMessageReceiver in the right places.

  • Platform/IPC/MessageReceiver.h:

(IPC::MessageReceiver::~MessageReceiver):
(IPC::MessageReceiver::willBeAddedToMessageReceiverMap):
(IPC::MessageReceiver::willBeRemovedFromMessageReceiverMap):

  • Platform/IPC/MessageReceiverMap.cpp:

(IPC::MessageReceiverMap::addMessageReceiver):
(IPC::MessageReceiverMap::removeMessageReceiver):
(IPC::MessageReceiverMap::invalidate):

  • Shared/ChildProcess.cpp:

(WebKit::ChildProcess::removeMessageReceiver):

  • Shared/ChildProcess.h:
  • Shared/ChildProcessProxy.cpp:

(WebKit::ChildProcessProxy::removeMessageReceiver):

  • Shared/ChildProcessProxy.h:
  • UIProcess/API/Cocoa/WKBrowsingContextController.mm:

(-[WKBrowsingContextController dealloc]):

  • UIProcess/Network/CustomProtocols/CustomProtocolManagerProxy.h:
  • UIProcess/Network/CustomProtocols/mac/CustomProtocolManagerProxyMac.mm:

(WebKit::CustomProtocolManagerProxy::~CustomProtocolManagerProxy):

  • UIProcess/UserContent/WebUserContentControllerProxy.cpp:

(WebKit::WebUserContentControllerProxy::~WebUserContentControllerProxy):

  • UIProcess/WebConnectionToWebProcess.cpp:

(WebKit::WebConnectionToWebProcess::invalidate):

  • WebProcess/InjectedBundle/API/mac/WKWebProcessPlugInBrowserContextController.mm:

(-[WKWebProcessPlugInBrowserContextController dealloc]):

  • WebProcess/WebConnectionToUIProcess.cpp:

(WebKit::WebConnectionToUIProcess::invalidate):

10:11 AM Changeset in webkit [186463] by Devin Rousso
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Regression: CSS autocompletion suggestion applies on pressing delete
https://bugs.webkit.org/show_bug.cgi?id=146672

Reviewed by Timothy Hatcher.

  • UserInterface/Views/CSSStyleDeclarationTextEditor.js:

(WebInspector.CSSStyleDeclarationTextEditor.prototype._handleBeforeChange): Now returns if completions are showing.

9:25 AM Changeset in webkit [186462] by Nikita Vasilyev
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Properly align checkboxes in the styles sidebar
https://bugs.webkit.org/show_bug.cgi?id=146673

Reviewed by Timothy Hatcher.

  • UserInterface/Views/CSSStyleDeclarationTextEditor.css:

(.css-style-text-editor > .CodeMirror .CodeMirror-lines input[type=checkbox]):

8:54 AM Changeset in webkit [186461] by akling@apple.com
  • 4 edits
    2 adds in trunk

REGRESSION(r183706): HTMLImageElement sometimes fails to register as document named item.
<https://webkit.org/b/146679>
<rdar://problem/21613839>

Reviewed by Antti Koivisto.

Source/WebCore:

After r183706, Element::hasName() no longer returns outdated information when called
inside a parseAttribute() override. HTMLImageElement was relying on this to check
if it *used* to have a name attribute before the currently parsing one was set.

Since parseAttribute() only shows subclasses the new attribute value, I'm adding a
flag to HTMLImageElement that remembers whether we had a name attribute or not.

Test: fast/dom/HTMLImageElement/remove-img-with-name-from-document-crash.html

  • html/HTMLImageElement.cpp:

(WebCore::HTMLImageElement::parseAttribute):

  • html/HTMLImageElement.h:

LayoutTests:

Add a test that would assert when removing a named HTMLImageElement from the DOM
after having failed to register it as a document named item.

  • fast/dom/HTMLImageElement/remove-img-with-name-from-document-crash-expected.txt: Added.
  • fast/dom/HTMLImageElement/remove-img-with-name-from-document-crash.html: Added.

6:32 AM Changeset in webkit [186460] by Carlos Garcia Campos
  • 7 edits
    1 copy
    1 delete in releases/WebKitGTK/webkit-2.8

Merge r184954 - [CMake] Improve detection and usage of GL/GLES/EGL libraries.
https://bugs.webkit.org/show_bug.cgi?id=145408

Reviewed by Carlos Garcia Campos.

.:

  • Source/cmake/FindEGL.cmake: Improve detection of EGL libraries.
  • Source/cmake/FindGLES.cmake: Removed. It was used by the EGL port.
    Remove it and make the EGL port use the improved FindOpenGLES2.cmake
    instead.
  • Source/cmake/FindOpenGL.cmake: Added. Add module to detect OpenGL
    libraries. Detect also GLX libraries.
  • Source/cmake/FindOpenGLES2.cmake: Improve detection of OpenGLES-v2
    libraries. Use find_path() to get the include path.
  • Source/cmake/OptionsEfl.cmake: Use now the improved FindOpenGLES2
    module.
  • Source/cmake/OptionsGTK.cmake: Set default value for ENABLE_GLES2
    depending on the libraries found on the system.
    Move the detection of GLX (and the include of CMakePushCheckState)
    to FindOpenGL.cmake.
    Ensure that we only define USE_GLX when we build with OpenGL
    (but not with GLESv2).

Source/WebCore:

No new tests, no behavior changes.

  • CMakeLists.txt: Ensure that we include the libraries and includes
    for the GL/GLESv2/EGL libraries before including the ANGLE directories.
    Define also any CFLAG that the system GL/GLESv2/EGL libraries may need.
  • PlatformEfl.cmake: Remove some includes that are now unneeded,
    because we are including now the EGL libraries on CMakeLists.txt
  • PlatformGTK.cmake: Remove unneeded include (We are including the EGL
    libraries now on CMakeLists.txt)

5:53 AM WebKitGTK/2.8.x edited by Carlos Garcia Campos
(diff)

5:40 AM Changeset in webkit [186459] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

[GTK] DrawingBuffer.h used outside of include guard
https://bugs.webkit.org/show_bug.cgi?id=144559

Patch by Philip Chimento <philip.chimento@gmail.com> on 2015-05-07
Reviewed by Carlos Garcia Campos.

  • platform/graphics/cairo/DrawingBufferCairo.cpp: A header was
    improperly included outside of an include guard, causing a build
    failure with a particular combination of options.

5:38 AM Changeset in webkit [186458] by Carlos Garcia Campos
  • 2 edits
    1 add in releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore

Merge r183692 - Math.abs() returns negative
https://bugs.webkit.org/show_bug.cgi?id=137827

Reviewed by Michael Saboff.

Math.abs() on doubles was mistakenly assumed by the DFG AI to be the
identity function.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • tests/stress/math-abs-positive.js: Added, was previously failing.

(foo):

5:34 AM WebKitGTK/2.8.x edited by Carlos Garcia Campos
(diff)

5:33 AM Changeset in webkit [186457] by Carlos Garcia Campos
  • 3 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r186393 - Crash when setting text direction via MakeTextWritingDirection* editing commands.
<https://webkit.org/b/146665>
<rdar://problem/20835477>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Fix two buggy clients of enclosingBlock(node) that would fail if the returned
element is the same as the node passed in.

Test: editing/style/change-text-direction-crash.html

  • editing/ApplyStyleCommand.cpp:

(WebCore::ApplyStyleCommand::splitAncestorsWithUnicodeBidi):
(WebCore::ApplyStyleCommand::removeEmbeddingUpToEnclosingBlock):

LayoutTests:

Add a test that covers some very simple MakeTextWritingDirection* command usage.

  • editing/style/change-text-direction-crash-expected.txt: Added.
  • editing/style/change-text-direction-crash.html: Added.

5:30 AM Changeset in webkit [186456] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r186384 - Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
https://bugs.webkit.org/show_bug.cgi?id=146652
<rdar://problem/21567767>

Follow-up fix.

  • html/canvas/WebGLRenderingContextBase.cpp:

(WebCore::WebGLRenderingContextBase::simulateVertexAttrib0):

5:30 AM Changeset in webkit [186455] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r186380 - Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
https://bugs.webkit.org/show_bug.cgi?id=146652
<rdar://problem/21567767>

Reviewed by Brent Fulgham.

The expression "(numVertex + 1) * 4 * sizeof(GC3Dfloat)" could potentially
overflow. Make it use checked arithmetic.

I couldn't make a test case that reliably exercised this.

  • html/canvas/WebGLRenderingContextBase.cpp:

(WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Used Checked<GC3Dsizeiptr>
for calculating the size of the buffer.
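
The overflow named in r186380, sketched in C as an added example (this is not WebKit's code, which uses its own Checked<GC3Dsizeiptr> template). The helper names and the choice of a signed 32-bit size type, as a pointer-sized signed type would be on a 32-bit build, are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the buffer-size type is modelled as signed 32-bit, which is
 * what a pointer-sized signed type is on a 32-bit build. */
typedef int32_t size_model_t;

/* Unchecked form of (numVertex + 1) * 4 * sizeof(float). Computed in
 * uint32_t so the wrap-around is well defined and can be observed. */
static uint32_t attrib0_bytes_unchecked(int32_t num_vertex)
{
    return ((uint32_t)num_vertex + 1u) * 4u * (uint32_t)sizeof(float);
}

/* Checked addition: reports overflow instead of wrapping. */
static bool checked_add(size_model_t a, size_model_t b, size_model_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Checked multiplication of two non-negative values. */
static bool checked_mul(size_model_t a, size_model_t b, size_model_t *out)
{
    if (a < 0 || b < 0)
        return false;                 /* a byte count is never negative */
    if (b != 0 && a > INT32_MAX / b)
        return false;
    *out = a * b;
    return true;
}

/* Checked form: every step of the expression is verified, and the caller
 * gets false (and must not allocate or copy) if any step overflows. */
static bool attrib0_bytes_checked(int32_t num_vertex, size_model_t *out)
{
    size_model_t n;
    if (num_vertex < 0)
        return false;
    return checked_add(num_vertex, 1, &n)
        && checked_mul(n, 4, &n)
        && checked_mul(n, (size_model_t)sizeof(float), out);
}

int main(void)
{
    /* Constructed inputs: a small count, the largest count that still fits,
     * the first one that does not, and two that wrap completely. */
    const int32_t samples[] = { 3, 134217726, 134217727, 0x10000000, INT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_model_t bytes = 0;
        bool ok = attrib0_bytes_checked(samples[i], &bytes);
        printf("numVertex=%ld unchecked=%lu checked=%s",
               (long)samples[i],
               (unsigned long)attrib0_bytes_unchecked(samples[i]),
               ok ? "ok" : "overflow");
        if (ok)
            printf(" (%ld bytes)", (long)bytes);
        printf("\n");
    }
    return 0;
}
```

With the 32-bit model, a count of 0x10000000 makes the unchecked expression wrap to 16 bytes, which is how a wrapped size can describe a buffer far smaller than the data it is meant to hold; the checked form rejects that input instead.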

5:28 AM Changeset in webkit [186454] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r186366 - Crash: LayoutState root's container is nullptr when the layout root is detached.
https://bugs.webkit.org/show_bug.cgi?id=146646
rdar://problem/21371544

Reviewed by Simon Fraser.

This is a speculative fix to ensure that when the root of the LayoutState is detached
we don't try to access its container (nullptr).
This is related to trac.webkit.org/r185484.

Not reproducible.

  • rendering/LayoutState.cpp:

(WebCore::LayoutState::LayoutState):

  • rendering/LayoutState.h:

(WebCore::LayoutState::LayoutState): Deleted.

5:25 AM Changeset in webkit [186453] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r186360 - Unreviewed, rolling out r185896.
https://bugs.webkit.org/show_bug.cgi?id=146647

Caused by a refcounting error in GTK+; it's actually legal for
the event to be null, just the gi annotations were wrong.
(Requested by mcatanzaro on #webkit).

Reverted changeset:

"[GTK] Crash performing drag-and-drop"
https://bugs.webkit.org/show_bug.cgi?id=146267
http://trac.webkit.org/changeset/185896

5:18 AM Changeset in webkit [186452] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r186296 - Crash when closing the web inspector
https://bugs.webkit.org/show_bug.cgi?id=146620

Reviewed by Darin Adler.

  • WebProcess/WebPage/WebInspectorUI.cpp:

(WebKit::WebInspectorUI::closeWindow): Null check the connection, like it is
in other places where it is used.

5:17 AM Changeset in webkit [186451] by Carlos Garcia Campos
  • 4 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r186287 - [WK2] WebBackForwardListItems' pageState is not kept up-to-date
https://bugs.webkit.org/show_bug.cgi?id=146614
<rdar://problem/21585268>

Reviewed by Gavin Barraclough.

WebBackForwardListItems' pageState on UIProcess-side were not kept
up-to-date when it was updated on WebContent process side. This meant
that we were losing the scroll position (among other things) when
transferring the session state over from one view to another.

We now call notifyHistoryItemChanged(item) after saving the scroll
position and the view state on the HistoryItem. As a result, the
WebBackForwardListProxy will send the updated pageState to the
UIProcess.

  • history/HistoryItem.cpp:

(WebCore::HistoryItem::notifyChanged):

  • history/HistoryItem.h:
  • loader/HistoryController.cpp:

(WebCore::HistoryController::saveScrollPositionAndViewStateToItem):

5:15 AM Changeset in webkit [186450] by Carlos Garcia Campos
  • 10 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r186275 - REGRESSION (r178097): HTMLSelectElement.add(option, undefined) prepends option to the list of options; should append to the end of the list of options
https://bugs.webkit.org/show_bug.cgi?id=146566
<rdar://problem/21663919>

Reviewed by Ryosuke Niwa.

Source/WebCore:

HTMLSelectElement.add(X, undefined) is supposed to be equivalent to
HTMLSelectElement.add(X) which should *append* X. The same is true
for HTMLOptionsCollection.add(X, undefined).

However, due to a bug in our bindings generator for overloaded
operations, the actual behavior was not the expected one. The
second overload would be chosen: add(X, index) and undefined would
be converted as 0-index, which would *prepend* X.

This patch fixes the bindings generator so that undefined is allowed
for optional parameters of an overload operation, when doing the
overload resolution.

Tests:

  • fast/dom/HTMLSelectElement/add.html
  • fast/dom/HTMLSelectElement/options-collection-add.html
  • http/tests/websocket/tests/hybi/undefined-protocol.html
  • bindings/scripts/CodeGeneratorJS.pm:

(GenerateParametersCheckExpression):
Allow undefined value for optional parameters when doing the overload
resolution.

  • bindings/scripts/test/JS/JSTestObj.cpp:

(WebCore::jsTestObjPrototypeFunctionOverloadedMethod):
(WebCore::jsTestObjPrototypeFunctionOverloadedMethodWithOptionalParameter1):
(WebCore::jsTestObjPrototypeFunctionOverloadedMethodWithOptionalParameter2):
(WebCore::jsTestObjPrototypeFunctionOverloadedMethodWithOptionalParameter):

  • bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:

(WebCore::JSTestOverloadedConstructorsConstructor::constructJSTestOverloadedConstructors):

  • bindings/scripts/test/TestObj.idl:

Add bindings tests coverage and rebaseline.

LayoutTests:

  • fast/dom/HTMLSelectElement/add-expected.txt:
  • fast/dom/HTMLSelectElement/add.html:
  • fast/dom/HTMLSelectElement/options-collection-add-expected.txt:
  • fast/dom/HTMLSelectElement/options-collection-add.html:

Update tests so that calling add(X, undefined) is expected to append X,
not prepend it.

  • http/tests/websocket/tests/hybi/undefined-protocol-expected.txt: Added.
  • http/tests/websocket/tests/hybi/undefined-protocol.html: Added.

Add test coverage for "new WebSocket(url, undefined)" as WebSocket is
using constructor overloads with optional parameters. Previously, calling
new WebSocket(url, undefined) was equivalent to calling
new WebSocket(url, "undefined") even though it is supposed to be
equivalent to calling new WebSocket(url).

4:55 AM Changeset in webkit [186449] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r186267 - Memory leak for a protected Element having pending events in ImageLoader.
https://bugs.webkit.org/show_bug.cgi?id=146538

Patch by Kyounga Ra <kyounga@alticast.com> on 2015-07-03
Reviewed by Brady Eidson.

If ImageLoader is destroyed before an active derefElementTimer is fired, the protected element's refCount will never be zero.

  • loader/ImageLoader.cpp:

(WebCore::ImageLoader::~ImageLoader):
(WebCore::ImageLoader::updateFromElement):
(WebCore::ImageLoader::updateRenderer):
(WebCore::ImageLoader::updatedHasPendingEvent):
(WebCore::ImageLoader::timerFired):

  • loader/ImageLoader.h:

4:52 AM Changeset in webkit [186448] by Carlos Garcia Campos
  • 19 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r186265 - REGRESSION (r178097): JavaScript TypeError after clicking on compose button in Yahoo Mail
https://bugs.webkit.org/show_bug.cgi?id=146515
<rdar://problem/21348421>

Reviewed by Chris Dumez.

Source/WebCore:

Fixes an issue where extra arguments passed to a Web IDL overloaded function, whose implementation
is generated by the bindings generator script, are not ignored as per the note in section "Interface object [[Call]] method"
of the Web IDL spec, <http://www.w3.org/TR/2012/CR-WebIDL-20120419/> (19 April 2012).

Currently for an overloaded function the JavaScript bindings generator script emits code to
throw a TypeError when it cannot find a candidate function that takes the same number of
arguments as passed by a caller. Prior to the change made in bug #139179 (r178097), the
bindings code for HTMLSelectElement.add() was written by hand and ignored extra arguments
that were passed to it. Following this change, the bindings code for HTMLSelectElement.add()
is generated by the bindings generator script. Therefore, we throw a TypeError when Yahoo Mail
calls HTMLSelectElement.add() with extra arguments because the code emitted by the bindings
generator script does not ignore them.

  • bindings/scripts/CodeGeneratorJS.pm:

(LengthOfLongestFunctionParameterList): Added. Computes the length of longest overload parameter list.
(GenerateOverloadedFunction): Emit code that ignores more arguments than LengthOfLongestFunctionParameterList().
(GenerateOverloadedConstructorDefinition): Ditto.

  • bindings/scripts/test/JS/JSTestObj.cpp:

(WebCore::jsTestObjPrototypeFunctionOverloadedMethod12): Added; expected result for an overloaded
function that takes a variadic number of Blob elements.
(WebCore::jsTestObjPrototypeFunctionOverloadedMethod): Update expected result. The added
if-conditional expression for the IDL declaration overloadedMethod(Blob... blobArgs) is empty
because we do not support overloading of functions with variadic arguments.
(WebCore::jsTestObjConstructorFunctionOverloadedMethod1):

  • bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:

(WebCore::JSTestOverloadedConstructorsConstructor::constructJSTestOverloadedConstructors5): Added; expected
result for an overloaded constructor that takes a variadic number of long arguments.
(WebCore::JSTestOverloadedConstructorsConstructor::constructJSTestOverloadedConstructors): Update expected
result. The added if-conditional expression for the IDL declaration Constructor(long... longArgs) is empty
because we do not support overloading of constructors with variadic arguments.

  • bindings/scripts/test/TestObj.idl: Added declaration overloadedMethod(Blob...). Also fixed
    typo in license block text.
  • bindings/scripts/test/TestOverloadedConstructors.idl: Added declaration Constructor(long... longArgs).
    Also fixed typo in license block text.

LayoutTests:

Add new sub-tests to LayoutTests/fast/dom/HTMLSelectElement/{add, options-collection-add}.html,
simplify existing test code, share common code, and update expected results.

Additionally, update results for tests in LayoutTests/fast/canvas now that we ignore extra
arguments passed to a Web IDL overloaded function whose implementation is generated by the
bindings generator script.

  • fast/canvas/canvas-overloads-drawImage-expected.txt:
  • fast/canvas/canvas-overloads-setFillColor-expected.txt:
  • fast/canvas/canvas-overloads-setShadow-expected.txt:
  • fast/canvas/canvas-overloads-setStrokeColor-expected.txt:
  • fast/canvas/script-tests/canvas-overloads-drawImage.js:
  • fast/canvas/script-tests/canvas-overloads-setFillColor.js:
  • fast/canvas/script-tests/canvas-overloads-setShadow.js:
  • fast/canvas/script-tests/canvas-overloads-setStrokeColor.js:
  • fast/dom/HTMLSelectElement/add-expected.txt:
  • fast/dom/HTMLSelectElement/add.html:
  • fast/dom/HTMLSelectElement/options-collection-add-expected.txt:
  • fast/dom/HTMLSelectElement/options-collection-add.html:
  • fast/dom/HTMLSelectElement/resources/html-select-and-options-collection-utilities.js: Added.

(createSelectElementWithTestData):
(deepCopy):
(createOption):
(createGroup):

4:27 AM Changeset in webkit [186447] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

REGRESSION (r186388): http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html always fails on Windows

  • platform/win/TestExpectations: Consolidate WebAudio skips.

Mark test as always failing:

  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html

4:27 AM Changeset in webkit [186446] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html crashes on Windows sometimes

<http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=http%2Ftests%2Fsecurity%2FXFrameOptions%2Fx-frame-options-deny-meta-tag-parent-same-origin-allow.html>

  • platform/win/TestExpectations: Mark test as crashing, too:
  • http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html

4:21 AM Changeset in webkit [186445] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r186263 - Crash on xLarge memory allocation using bmalloc on 32bit systems
https://bugs.webkit.org/show_bug.cgi?id=146440

Reviewed by Gustavo Noronha Silva.

Disable the gcc's -ftree-sra optimization (automatically enabled
with -O1 and higher levels) for WebCore and 32bit Intel architectures,
as that causes the crash in bmalloc when allocating large amounts of
memory from the texture mapper's tiled backing store implementation.

  • CMakeLists.txt: Pass -fno-tree-sra to gcc on 32bit Intel architectures.

4:11 AM Changeset in webkit [186444] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/bmalloc

Merge r186242 - bmalloc: Shrink the super chunk size
https://bugs.webkit.org/show_bug.cgi?id=146519

Reviewed by Andreas Kling.

We have lots of reports of crashing due to failed VM allocation on iOS.
(This VM limit on iOS is usually 1GB-2GB, and has been as low as 256MB.)

Shrink the super chunk size in case fragmentation is the reason for
VM allocation failure.

This has the downside that >= 2MB allocations will now be super slow,
but they are also super rare (as in never on most websites), so this
is probably an OK tradeoff.

  • bmalloc/Sizes.h:

4:09 AM Changeset in webkit [186443] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r186225 - [GTK] WebSQL doesn't work because openDatabase always fails with DOM Exception 18
https://bugs.webkit.org/show_bug.cgi?id=146234

Reviewed by Sergio Villar Senin.

Source/WebKit2:

This is because we don't provide any quota, and 0 is used by
default, so there's never enough quota and openDatabase fails. We
should expose this in the API, but for now, we could use a default
quota of 5MB like WTR does.

  • UIProcess/API/gtk/WebKitUIClient.cpp: Override
    exceededDatabaseQuota and return always the default quota.

  • UIProcess/gtk/WebInspectorProxyGtk.cpp:

(WebKit::exceededDatabaseQuota): Return the quota based on the
expected usage and current database usage like mac does.
(WebKit::WebInspectorProxy::platformCreateInspectorPage): Add
custom UI client to implement exceededDatabaseQuota.

4:07 AM Changeset in webkit [186442] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

El Capitan: Hangs caused by PDFs should be fixed

  • platform/mac-wk1/TestExpectations: Remove skipped tests as the
    PDF hangs should be fixed.

4:07 AM Changeset in webkit [186441] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

REGRESSION (r186391): css3/masking/mask-repeat-space-padding.html image-only failure on El Capitan WK1

  • platform/mac-wk1/TestExpectations: Mark as image-only failure:
  • css3/masking/mask-repeat-space-padding.html

4:07 AM Changeset in webkit [186440] by Carlos Garcia Campos
  • 4 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r186333 - [GTK] Accelerated Compositing stops working after a web process crash
https://bugs.webkit.org/show_bug.cgi?id=146508

Reviewed by Martin Robinson.

The problem is that we don't send the window ID again to the new
web process.

  • UIProcess/API/gtk/PageClientImpl.cpp:

(WebKit::PageClientImpl::didRelaunchProcess): Call
webkitWebViewBaseDidRelaunchWebProcess().

  • UIProcess/API/gtk/WebKitWebViewBase.cpp:

(webkitWebViewBaseDidRelaunchWebProcess): Set the window ID to
the new drawing area.

  • UIProcess/API/gtk/WebKitWebViewBasePrivate.h:

4:04 AM Changeset in webkit [186439] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/bmalloc

Merge r186203 - bmalloc: realloc of an XLarge range can unmap adjacent VM ranges
https://bugs.webkit.org/show_bug.cgi?id=146535

Reviewed by Anders Carlsson.

This bug causes a crash when running fast/css/large-list-of-rules-crash.html
with the fix applied for https://bugs.webkit.org/show_bug.cgi?id=146519.

  • bmalloc/Allocator.cpp:

(bmalloc::Allocator::reallocate): Start at object + newSize since starting
at object + oldSize means deleting the adjacent VM range.

4:00 AM Changeset in webkit [186438] by Carlos Garcia Campos
  • 4 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r186191 - REGRESSION (r179168): Characters overlap after resizing the font on the copy-pasted Japanese text
https://bugs.webkit.org/show_bug.cgi?id=146492

Reviewed by Darin Adler.

Source/WebCore:

The bug was caused by WebKit serializing the used line-height size (e.g. 18px) in the copied content
instead of string "normal" and removeStyleFromRulesAndContext failing to strip it down when text with
a font that influences the line height got pasted. This is because the used value of line-height
property of the context and the pasted content doesn't match when the context doesn't use the same font.

Fixed the bug by not considering line-height as a list of editing properties we try to preserve. This is
fine because we don't provide editing operations to directly manipulate line-height.

Test: editing/pasteboard/cjk-line-height.html

  • editing/EditingStyle.cpp:

(WebCore::editingProperties): Removed CSSPropertyLineHeight.

LayoutTests:

Added a regression test. Also reverted the bad rebaseline in r179168:
http://trac.webkit.org/changeset/179168/trunk/LayoutTests/editing/pasteboard/simplfiying-markup-should-not-strip-content-expected.txt

  • editing/pasteboard/cjk-line-height-expected.txt: Added.
  • editing/pasteboard/cjk-line-height.html: Added.
  • editing/pasteboard/simplfiying-markup-should-not-strip-content-expected.txt:

3:58 AM Changeset in webkit [186437] by Carlos Garcia Campos
  • 7 edits
    2 adds in releases/WebKitGTK/webkit-2.8

PNG mask images are loaded with Accept:image/svg+xml
https://bugs.webkit.org/show_bug.cgi?id=146509
Source/WebCore:

rdar://problem/21584740

Reviewed by Simon Fraser.

For some strange reason MaskImageOperation code loads all mask images, including non-SVG ones
using CachedSVGDocument. Resulting bad accept header may cause server to reject the request.

This is far from ideal but as a quick fix we can override the accept header for mask images to
allow any image type.

Test: http/tests/misc/mask-image-accept.html

  • loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::requestResource):

  • loader/cache/CachedResourceRequest.h:

(WebCore::CachedResourceRequest::acceptOverride):
(WebCore::CachedResourceRequest::setAcceptOverride):

  • loader/cache/CachedSVGDocumentReference.cpp:

(WebCore::CachedSVGDocumentReference::load):

  • loader/cache/CachedSVGDocumentReference.h:

(WebCore::CachedSVGDocumentReference::loadRequested):
(WebCore::CachedSVGDocumentReference::setAcceptsAnyImageType):
(WebCore::CachedSVGDocumentReference::document):

  • platform/graphics/MaskImageOperation.cpp:

(WebCore::MaskImageOperation::ensureCachedSVGDocumentReference):

LayoutTests:

Reviewed by Simon Fraser.

  • http/tests/misc/mask-image-accept-expected.html: Added.
  • http/tests/misc/mask-image-accept.html: Added.

3:49 AM Changeset in webkit [186436] by Carlos Garcia Campos
  • 5 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r186165 - Frame flattening: Hit-testing an iframe could end up destroying the associated inline tree context.
https://bugs.webkit.org/show_bug.cgi?id=146447
rdar://problem/20613501

Reviewed by Simon Fraser.

This patch ensures that the render tree associated with the document on which
the hit-test is initiated does not get laid out, unless it was directly mutated prior to the hittest.

Hit-test requirements:

  1. A clean render tree before hit-testing gets propagated to the renderers.

Document::updateLayout() ensures it by calling both updateStyleIfNeeded() and layout() not only on the current tree, but also
on the ancestors if needed.

  2. No render tree mutation while hit-testing the renderers.

When an iframe is being hit-tested, this hit-test could bubble down to the child frame's render view.
In order to ensure #1, we call Document::updateLayout() on the current (subframe) document.
If updateStyleIfNeeded() mutates the render tree, we mark it dirty for layout(). However frame flattening also
marks the parent renderer (RenderIFrame) dirty.
While calling layout() to clean the current render tree, we end up laying out the parent tree too.
Laying out the parent tree could end up destroying the inline tree context from where the
hittest just bubbled down. (InlineFlowBox -> RenderWidget -> RenderView).

This patch protects the render tree from such unintentional inline tree mutation during hittesting.
After the initial layout we set a layout disallow flag on the frame view to defer subsequent layouts.
This patch only changes behavior when frame flattening is enabled, but in future we may always want to enable this.

Source/WebCore:

Test: fast/frames/flattening/hittest-iframe-while-style-changes-crash.html

  • page/FrameView.cpp:

(WebCore::FrameView::layout):
(WebCore::FrameView::startLayoutAtMainFrameViewIfNeeded): Deleted. -> Assertion is no longer valid.

  • page/FrameView.h:
  • rendering/RenderView.cpp:

(WebCore::FrameFlatteningLayoutDisallower::FrameFlatteningLayoutDisallower):
(WebCore::FrameFlatteningLayoutDisallower::~FrameFlatteningLayoutDisallower):
(WebCore::RenderView::hitTest): Protect the render tree from subsequent layouts.

LayoutTests:

  • fast/frames/flattening/hittest-iframe-while-style-changes-crash-expected.txt: Added.
  • fast/frames/flattening/hittest-iframe-while-style-changes-crash.html: Added.

3:42 AM Changeset in webkit [186435] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WTF

Merge r186151 - Errors in read() are not handled in WTF::cryptographicallyRandomValuesFromOS.
https://bugs.webkit.org/show_bug.cgi?id=146473

Patch by Keith Miller <keith_miller@apple.com> on 2015-06-30
Reviewed by Filip Pizlo.

We were not checking if errors occurred in WTF::cryptographicallyRandomValuesFromOS.
We now buffer the data until enough bits of entropy exist to fill the buffer
rather than crash. Additionally, added two crash functions so we can distinguish
between the two reasons why we crashed in traces.

  • wtf/OSRandomSource.cpp:

(WTF::crashUnableToOpenFD):
(WTF::crashUnableToReadFromFD):
(WTF::cryptographicallyRandomValuesFromOS):
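
An added example (not WebKit's OSRandomSource.cpp) of the pattern r186151 describes: keep reading until the buffer is full, and keep "could not open" and "could not read" as distinct outcomes. The function names, the status codes, the /dev/urandom path and the constructed readers are assumptions made for this sketch, which returns status codes where the changeset uses two crash functions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Distinct outcomes, so a failure report says which step went wrong. */
enum rand_status { RAND_OK = 0, RAND_OPEN_FAILED = 1, RAND_READ_FAILED = 2 };

/* read(2)-compatible signature, so a constructed reader can stand in. */
typedef ssize_t (*read_fn)(int fd, void *buf, size_t len);

/* Fill buf completely. A short read continues where it stopped, EINTR and
 * EAGAIN are retried, and any other error (or EOF) is a read failure. The
 * buffer is never treated as random unless RAND_OK is returned. */
static enum rand_status fill_from_fd(int fd, unsigned char *buf, size_t len,
                                     read_fn do_read)
{
    size_t filled = 0;
    while (filled < len) {
        ssize_t n = do_read(fd, buf + filled, len - filled);
        if (n > 0) {
            filled += (size_t)n;
            continue;
        }
        if (n < 0 && (errno == EINTR || errno == EAGAIN))
            continue;                 /* transient: try again */
        return RAND_READ_FAILED;      /* hard error or unexpected EOF */
    }
    return RAND_OK;
}

/* Assumed entry point: random bytes from the OS via /dev/urandom. */
static enum rand_status os_random_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return RAND_OPEN_FAILED;
    enum rand_status st = fill_from_fd(fd, buf, len, read);
    close(fd);
    return st;
}

/* Constructed reader: one EINTR, then at most 3 bytes per call. */
static int flaky_calls;
static ssize_t flaky_read(int fd, void *buf, size_t len)
{
    (void)fd;
    if (flaky_calls++ == 0) {
        errno = EINTR;
        return -1;
    }
    size_t n = len < 3 ? len : 3;
    memset(buf, 0xAB, n);
    return (ssize_t)n;
}

/* Constructed reader: always fails with a non-transient error. */
static ssize_t failing_read(int fd, void *buf, size_t len)
{
    (void)fd; (void)buf; (void)len;
    errno = EIO;
    return -1;
}

/* Constructed reader: reports end of file immediately. */
static ssize_t eof_read(int fd, void *buf, size_t len)
{
    (void)fd; (void)buf; (void)len;
    return 0;
}

int main(void)
{
    unsigned char buf[10];
    flaky_calls = 0;
    printf("flaky reader:   %d\n", fill_from_fd(-1, buf, sizeof buf, flaky_read));
    printf("failing reader: %d\n", fill_from_fd(-1, buf, sizeof buf, failing_read));
    printf("eof reader:     %d\n", fill_from_fd(-1, buf, sizeof buf, eof_read));
    printf("/dev/urandom:   %d\n", os_random_bytes(buf, sizeof buf));
    return 0;
}
```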

3:33 AM Changeset in webkit [186434] by Carlos Garcia Campos
  • 5 edits
    3 adds in releases/WebKitGTK/webkit-2.8

Merge r186049 - Crash: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::CachedFrameBase::restore + 333
https://bugs.webkit.org/show_bug.cgi?id=146388
<rdar://problem/21567343>

Reviewed by Darin Adler.

Source/WebCore:

Pages that are currently loading are not supposed to go into the
PageCache. However, PageCache::canCache() only checks if the
FrameLoader's documentLoader is loading. If the subframe is in
provisional load stage, we would fail to detect that the frame is
actually loading because the FrameLoader active documentLoader would
be the provisional documentLoader, not the regular documentLoader.
Therefore, the page would get added to the PageCache and the frame
would keep loading while in the PageCache.

On http://www.audiusa.com/models, this is what was happening. It was
crashing because the subframe would finish loading while in the
PageCache, in which case we would fire the 'load' event and the
content 'load' event handler would then proceed to remove the iframe.
Upon restoring the PageCache entry, we would run into trouble as we
would have a CachedFrame whose Frame has been removed.

The solution proposed is to prevent page-caching if a subframe is in
provisional load stage.

Test: http/tests/navigation/page-cache-iframe-provisional-load.html

  • history/PageCache.cpp:

(WebCore::logCanCacheFrameDecision):
(WebCore::PageCache::canCachePageContainingThisFrame):

  • page/DiagnosticLoggingKeys.cpp:

(WebCore::DiagnosticLoggingKeys::provisionalLoadKey):

  • page/DiagnosticLoggingKeys.h:

LayoutTests:

Add layout test to cover the case where a subframe is currently in
provisional load stage when checking if the page is page-cacheable.

The test also removes the iframe once loaded in order to cause a crash
if the frame were to finish loading while in the page cache.

  • http/tests/navigation/page-cache-iframe-provisional-load-expected.txt: Added.
  • http/tests/navigation/page-cache-iframe-provisional-load.html: Added.
  • http/tests/navigation/resources/page-cache-helper-slow.html: Added.

3:22 AM Changeset in webkit [186433] by Carlos Garcia Campos
  • 3 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r185955 - Do not send touch events to the slider's thumb when it does not have a renderer.
https://bugs.webkit.org/show_bug.cgi?id=146307
rdar://problem/21539399

Reviewed by Simon Fraser.

Bail out early if either the touch target or the renderer() is null.

Source/WebCore:

Test: fast/events/touch/input-range-with-thumb-display-none-crash.html

  • html/shadow/SliderThumbElement.cpp:

(WebCore::findTouchWithIdentifier):
(WebCore::SliderThumbElement::handleTouchStart):
(WebCore::SliderThumbElement::handleTouchMove):
(WebCore::SliderThumbElement::handleTouchEndAndCancel):

LayoutTests:

  • fast/events/touch/input-range-with-thumb-display-none-crash-expected.txt: Added.
  • fast/events/touch/input-range-with-thumb-display-none-crash.html: Added.

3:20 AM Changeset in webkit [186432] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185948 - [GTK] Empty gtk-font-name setting causes WebProcess crash rendering pages
https://bugs.webkit.org/show_bug.cgi?id=146246

Reviewed by Sergio Villar Senin.

Return early if system font is empty.

  • rendering/RenderThemeGtk.cpp:

(WebCore::RenderThemeGtk::updateCachedSystemFontDescription):

3:13 AM Changeset in webkit [186431] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185927 - Null dereference in DocumentLoader::areAllLoadersPageCacheAcceptable()
https://bugs.webkit.org/show_bug.cgi?id=146286
<rdar://problem/21523788>

Reviewed by Sam Weinig.

Add null check for the Page in areAllLoadersPageCacheAcceptable()
to fix this top crasher until I can investigate how this can happen.

  • loader/DocumentLoader.cpp:

(WebCore::areAllLoadersPageCacheAcceptable):

3:11 AM Changeset in webkit [186430] by Carlos Garcia Campos
  • 4 edits in releases/WebKitGTK/webkit-2.8

Merge r185916 - Subpixel rendering: roundToDevicePixel() snaps to wrong value.
https://bugs.webkit.org/show_bug.cgi?id=146273
rdar://problem/18509840

Reviewed by Simon Fraser.

Due to the floating point approximate representation, we can't always produce
the correct snap value. This patch addresses the issue by removing redundant kFixedPointDenominator multiplication
and by changing the rounding in roundToDevicePixel() from float to double.

Source/WebCore:

API test is added.

  • platform/LayoutUnit.h:

(WebCore::roundToDevicePixel):

Tools:

  • TestWebKitAPI/Tests/WebCore/LayoutUnit.cpp:

(TestWebKitAPI::TEST):

2:44 AM Changeset in webkit [186429] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r185896 - [GTK] Crash performing drag-and-drop
https://bugs.webkit.org/show_bug.cgi?id=146267

Reviewed by Darin Adler.

Return early if gtk_get_current_event() returns null to avoid a crash. Note that this does
not fix drag-and-drop. Note also this prevents the web process from forcing the UI process
to crash by sending fake startDrag messages.

  • UIProcess/gtk/DragAndDropHandler.cpp:

(WebKit::DragAndDropHandler::startDrag):

2:43 AM Changeset in webkit [186428] by Carlos Garcia Campos
  • 4 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r185866 - [EFL][CustomProtocol] Do not add duplicated custom scheme
https://bugs.webkit.org/show_bug.cgi?id=146199

Reviewed by Carlos Garcia Campos.

WebSoupCustomProtocolRequestManager::registerSchemeForCustomProtocol generates
a crash when a duplicated scheme is registered in debug mode, or just registers it in release mode.
However, an application can register a duplicate scheme by mistake or on purpose. Thus it would be good
if we didn't register it, instead of registering it or generating a crash when trying to register a
duplicated scheme.

The EFL port wants to allow the user to change the registered callback, thus EWK2ContextTest::ewk_context_url_scheme_register()
is modified to test it.

Test: ewk_context_url_scheme_register() in test_ewk2_context.cpp.

  • UIProcess/API/efl/ewk_context.h: Added a comment to replace registered callback.
  • UIProcess/API/efl/tests/test_ewk2_context.cpp:

(EWK2ContextTest::schemeRequestCallback1):
(EWK2ContextTest::schemeRequestCallback2):
(TEST_F):
(EWK2ContextTest::schemeRequestCallback): Deleted.

  • UIProcess/Network/CustomProtocols/soup/WebSoupCustomProtocolRequestManager.cpp:

(WebKit::WebSoupCustomProtocolRequestManager::registerSchemeForCustomProtocol):

2:17 AM Changeset in webkit [186427] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WTF

Merge r185863 - [WTF] Platform.h: use _ABI64 instead of _MIPS_SIM_ABI64 to determine MIPS N64
https://bugs.webkit.org/show_bug.cgi?id=145113

Patch by YunQiang Su <wzssyqa@gmail.com> on 2015-06-22
Reviewed by Csaba Osztrogonác.

  • wtf/Platform.h:

2:16 AM Changeset in webkit [186426] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185858 - ASSERT(!m_zOrderListsDirty) when mousing over web view with incremental rendering suppressed
https://bugs.webkit.org/show_bug.cgi?id=146225

Reviewed by Zalan Bujtas.

Update RenderLayer's z-order lists when hit testing. There's no guarantee that they've
been updated; this happens to work most of the time because painting updates them,
but if incremental rendering is suppressed, we may not have painted yet.

Easy to hit on webkit.org in MiniBrowser, but I wasn't able to make a reduced testcase.

  • rendering/RenderLayer.cpp:

(WebCore::RenderLayer::hitTest):
(WebCore::RenderLayer::updateLayerListsIfNeeded): Flip the order of the tests, since checking
dirty bits is cheaper than calling isStackingContext().

2:13 AM Changeset in webkit [186425] by Carlos Garcia Campos
  • 3 edits, 2 adds in releases/WebKitGTK/webkit-2.8

Merge r185838 - REGRESSION(r169105) Dangling renderer pointer in SelectionSubtreeRoot::SelectionSubtreeData.
https://bugs.webkit.org/show_bug.cgi?id=146116
rdar://problem/20959369

Reviewed by Brent Fulgham.

This patch ensures that we don't adjust the selection unless the visual selection still matches this subtree root.

When multiple selection roots are present we need to ensure that a RenderObject
only shows up in one of them.
RenderView::splitSelectionBetweenSubtrees(), as the name implies, splits the
selection and sets the selection range (start/end) on each selection root.
However, SelectionSubtreeRoot::adjustForVisibleSelection() later recomputes the range
based on visible selection and that could end up collecting renderers as selection start/end
from another selection subtree.
RenderObject holds the last selection state (RenderObject::setSelectionState).
If we set a renderer first as "on selection border" and later "inside" using multiple selection roots,
we can't clean up selections properly when this object gets destroyed.
One of the roots ends up with a dangling RenderObject pointer.

Source/WebCore:

Test: fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html

  • rendering/SelectionSubtreeRoot.cpp:

(WebCore::SelectionSubtreeRoot::adjustForVisibleSelection):

LayoutTests:

  • fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees-expected.txt: Added.
  • fast/regions/crash-when-renderer-is-in-multiple-selection-subtrees.html: Added.

2:09 AM Changeset in webkit [186424] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r185824 - [WK2] ConnectionUnix should use FastMalloc to allocate on-heap resources
https://bugs.webkit.org/show_bug.cgi?id=146143

Reviewed by Carlos Garcia Campos.

IPC handling in Unix-specific IPC::Connection implementation should use
FastMalloc to allocate on-heap resources, instead of allocating via the
system allocator.

The AttachmentInfo class is marked as allocatable through FastMalloc.
That way it can be allocated through FastMalloc while still handled
through std::unique_ptr<>.

The char[] arrays in readBytesFromSocket() and Connection::sendOutgoingMessage()
are now handled through a MallocPtr<> object.

In Connection::sendOutgoingMessage(), both the AttachmentInfo[] and char[]
arrays are now only allocated if there are actual attachments contained
in the message. The code that's conditioned with a non-empty attachments
Vector is now also grouped together, in a single branch.

  • Platform/IPC/unix/ConnectionUnix.cpp:

(IPC::readBytesFromSocket):
(IPC::Connection::sendOutgoingMessage):

2:05 AM Changeset in webkit [186423] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185781 - Crash under WebCore::PageConsoleClient::addMessage attempting to log insecure content message in ImageDocument
https://bugs.webkit.org/show_bug.cgi?id=146096

Patch by Joseph Pecoraro <Joseph Pecoraro> on 2015-06-19
Reviewed by Timothy Hatcher.

Was able to reproduce this using a user stylesheet with an http css font
on a pdf (ImageDocument) main document loaded over https. Was unable to
create a reliable test for this scenario.

  • page/PageConsoleClient.cpp:

(WebCore::getParserLocationForConsoleMessage):
The scriptableDocumentParser could be null, such as in an ImageDocument.

2:03 AM Changeset in webkit [186422] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore

Merge r185770 - WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276
https://bugs.webkit.org/show_bug.cgi?id=146163
<rdar://problem/20392986>

Reviewed by Michael Saboff.

There's no good way to test this in our test harness because we don't
have a way to simulate executable memory pressure, and doing so would
cause the cases that still use JITCompilationMustSucceed to crash.

Instead, I tested by manually forcing all regexp JIT compilation to
fail and running the JavaScriptCore tests.

  • yarr/YarrJIT.cpp:

(JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can
fall back to the regexp interpreter if we need to.

2:02 AM Changeset in webkit [186421] by Carlos Garcia Campos
  • 8 edits, 8 adds in releases/WebKitGTK/webkit-2.8

Merge r185769 - Various assertion failures occur when executing script in the midst of DOM insertion
https://bugs.webkit.org/show_bug.cgi?id=132482

Reviewed by Darin Adler.

Source/WebCore:

Prior to this change, when an element containing a <script> child was inserted into a document, the script was
executed in ScriptElement::insertedInto(). That script can access nodes that follow it in the newly-inserted
hierarchy but are not yet fully inserted, leading to at least the following problems:

  • The script could remove a node that is not yet marked as in the document.
  • The script could remove a named <map> that has yet to be added to TreeScope::m_imageMapsByName.
  • The script could remove a form control that has yet to be added to FormController::m_formElementsWithState.

These scenarios all result in assertion failures. This change ensures that each node in the newly-inserted
hierarchy is fully inserted before executing any scripts.

Tests: fast/dom/element-removed-while-inserting-parent-crash.html
       fast/dom/named-map-removed-while-inserting-parent-crash.html
       fast/forms/form-control-removed-while-inserting-parent-crash.html
       svg/dom/element-removed-while-inserting-parent-crash.html

  • dom/ScriptElement.cpp:

(WebCore::ScriptElement::shouldNotifySubtreeInsertions): Renamed from insertedInto().
Returned true in the case where insertedInto() would've called prepareScript().
(WebCore::ScriptElement::didNotifySubtreeInsertions): Called prepareScript().
(WebCore::ScriptElement::insertedInto): Renamed to shouldNotifySubtreeInsertions().

  • dom/ScriptElement.h:
  • html/HTMLScriptElement.cpp:

(WebCore::HTMLScriptElement::insertedInto): If shouldNotifySubtreeInsertions() is true, returned InsertionShouldCallDidNotifySubtreeInsertions.
Otherwise, returned InsertionDone.
(WebCore::HTMLScriptElement::didNotifySubtreeInsertions): Called ScriptElement::didNotifySubtreeInsertions().

  • html/HTMLScriptElement.h:
  • svg/SVGScriptElement.cpp:

(WebCore::SVGScriptElement::insertedInto): Did the same as HTMLScriptElement::insertedInto().
(WebCore::SVGScriptElement::didNotifySubtreeInsertions): Called ScriptElement::didNotifySubtreeInsertions().

  • svg/SVGScriptElement.h:

LayoutTests:

Wrote named-map-removed-while-inserting-parent-crash.html by reducing the test case attached to bug 132482.
The remaining tests were taken from blink r132482.

  • fast/dom/element-removed-while-inserting-parent-crash-expected.txt: Added.
  • fast/dom/element-removed-while-inserting-parent-crash.html: Added.
  • fast/dom/named-map-removed-while-inserting-parent-crash-expected.txt: Added.
  • fast/dom/named-map-removed-while-inserting-parent-crash.html: Added.
  • fast/forms/form-control-removed-while-inserting-parent-crash-expected.txt: Added.
  • fast/forms/form-control-removed-while-inserting-parent-crash.html: Added.
  • svg/dom/element-removed-while-inserting-parent-crash-expected.txt: Added.
  • svg/dom/element-removed-while-inserting-parent-crash.html: Added.

1:59 AM Changeset in webkit [186420] by Carlos Garcia Campos
  • 8 edits in releases/WebKitGTK/webkit-2.8/Source

Merge r185766 - All calls of ImageBuffer::create should null check the return value
https://bugs.webkit.org/show_bug.cgi?id=22132

Reviewed by Zalan Bujtas.

ImageBuffer::create returns nullptr for a number of reasons, and should be
expected to do so. We missed this check in a few places, resulting in
crashes on some systems. Likewise, ImageBuffer::copyImage may return nullptr
in normal use and should be checked.

Source/WebCore:

  • platform/graphics/BitmapImage.cpp:

(WebCore::BitmapImage::drawPattern): Add nullptr check for create and copyImage. Remove
extra call to 'setImageObserver'.

  • platform/graphics/cairo/ImageBufferCairo.cpp:

(WebCore::ImageBuffer::drawPattern): Add nullptr check for copyImage.

  • platform/graphics/cg/ImageBufferCG.cpp:

(WebCore::ImageBuffer::drawPattern): Add nullptr checks for copyImage.

  • platform/graphics/filters/FETile.cpp:

(WebCore::FETile::platformApplySoftware): Add nullptr check for copyImage.

  • platform/graphics/filters/FilterEffect.cpp:

(WebCore::FilterEffect::asImageBuffer): Add nullptr check for create.
(WebCore::FilterEffect::openCLImageToImageBuffer): Ditto.

  • platform/graphics/texmap/BitmapTexture.cpp:

(WebCore::BitmapTexture::updateContents): Add nullptr checks for create and copyImage.

  • svg/graphics/SVGImage.cpp:

(WebCore::SVGImage::drawPatternForContainer): Add nullptr check for copyImage.

Source/WebKit/mac:

  • WebCoreSupport/WebContextMenuClient.mm:

(WebContextMenuClient::imageForCurrentSharingServicePickerItem): Add nullptr check
for copyImage.

1:51 AM Changeset in webkit [186419] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185719 - [CSS JIT][ARMv7] The pseudo element early exit trashes r6
https://bugs.webkit.org/show_bug.cgi?id=146078

Patch by Benjamin Poulain <bpoulain@apple.com> on 2015-06-18
Reviewed by Alex Christensen.

The pseudo element early failure runs before we generate the prologue.
The reason is that we can often exit immediately on function entry, before
we even touch any memory.

On ARMv7, we don't have many spare registers so the MacroAssembler
uses r6 as a scratch register and the client code is expected to save
it.

In the early failure case, we were not pushing r6 before using the MacroAssembler
and its value could be trashed.

This patch pushes the macro assembler registers separately from the prologue.

For restoring the registers, a new function generateFunctionEnding() encapsulates
the pop() and ret().

  • cssjit/SelectorCompiler.cpp:

(WebCore::SelectorCompiler::SelectorCodeGenerator::pushMacroAssemblerRegisters):
(WebCore::SelectorCompiler::SelectorCodeGenerator::popMacroAssemblerRegisters):
(WebCore::SelectorCompiler::SelectorCodeGenerator::generatePrologue):
(WebCore::SelectorCompiler::SelectorCodeGenerator::generateEpilogue):
(WebCore::SelectorCompiler::SelectorCodeGenerator::generateSelectorChecker):

  • cssjit/StackAllocator.h:

(WebCore::StackAllocator::operator=):
We have a new case for the stack allocator: some stack changes are conditional
at compile time instead of runtime. This is easy to deal with by overriding
the stack if a path is not taken at compile time.

1:45 AM Changeset in webkit [186418] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185712 - Crash under WebCore::DOMWindow::dispatchMessageEventWithOriginCheck attempting to log console message
https://bugs.webkit.org/show_bug.cgi?id=146093

Patch by Joseph Pecoraro <Joseph Pecoraro> on 2015-06-18
Reviewed by Timothy Hatcher.

  • page/DOMWindow.cpp:

(WebCore::DOMWindow::dispatchMessageEventWithOriginCheck):
The console could be null so null check its use.

1:42 AM Changeset in webkit [186417] by Carlos Garcia Campos
  • 3 edits, 2 adds in releases/WebKitGTK/webkit-2.8

Merge r185666 - REGRESSION (r173283-r173296): Amazon.com front page has no caret in the search field
https://bugs.webkit.org/show_bug.cgi?id=146073
rdar://problem/21022203

Reviewed by Tim Horton.

Source/WebCore:

Text controls (text inputs and textareas) need backing store even when empty, because
they need to be able to paint a caret.

Test: compositing/backing/form-controls-backing.html

  • rendering/RenderLayerBacking.cpp:

(WebCore::RenderLayerBacking::isSimpleContainerCompositingLayer):

LayoutTests:

Dump layers for composited text inputs and textareas.

  • compositing/backing/form-controls-backing-expected.txt: Added.
  • compositing/backing/form-controls-backing.html: Added.

1:39 AM Changeset in webkit [186416] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WTF

Merge r185663 - SegmentedVector should waste less memory.
<https://webkit.org/b/146069>

Reviewed by Anders Carlsson.

We were wasting sizeof(Vector) on every segment in SegmentedVector.
The segments were using inline capacity, and would never go beyond it,
so all the size/capacity/out-of-line-buffer metadata was useless.

Change the internal representation to Vector<T[SegmentSize]> instead.
This saves 16 bytes per segment, so lower SegmentSize -> bigger savings!

  • wtf/SegmentedVector.h:

(WTF::SegmentedVectorIterator::operator*):
(WTF::SegmentedVectorIterator::operator->):
(WTF::SegmentedVectorIterator::operator++):
(WTF::SegmentedVectorIterator::operator==):
(WTF::SegmentedVectorIterator::operator!=):
(WTF::SegmentedVectorIterator::SegmentedVectorIterator):
(WTF::SegmentedVector::at):
(WTF::SegmentedVector::append):
(WTF::SegmentedVector::removeLast):
(WTF::SegmentedVector::grow):
(WTF::SegmentedVector::begin):
(WTF::SegmentedVector::end):
(WTF::SegmentedVector::deleteAllSegments):
(WTF::SegmentedVector::ensureSegmentsFor):
(WTF::SegmentedVector::ensureSegment):
(WTF::SegmentedVector::allocateSegment):
(WTF::SegmentedVectorIterator::operator=): Deleted.
(WTF::SegmentedVector::SegmentedVector): Deleted.

1:19 AM Changeset in webkit [186415] by Carlos Garcia Campos
  • 5 edits in releases/WebKitGTK/webkit-2.8/Source

Merge r185639 - Remove unused template parameter InlineCapacity from SegmentedVector.
<https://webkit.org/b/146044>

Reviewed by Anders Carlsson.

Source/JavaScriptCore:

  • bytecode/ArrayProfile.h:
  • dfg/DFGCommonData.h:

Source/WTF:

  • wtf/SegmentedVector.h:

(WTF::SegmentedVectorIterator::operator=):
(WTF::SegmentedVectorIterator::SegmentedVectorIterator):
(WTF::SegmentedVector::at):

1:00 AM Changeset in webkit [186414] by youenn.fablet@crf.canon.fr
  • 12 edits in trunk

Source/WebCore:
[Streams API] Remove ReadableStreamReader.read() custom binding
https://bugs.webkit.org/show_bug.cgi?id=146643

Reviewed by Darin Adler.

Moved ReadableStreamReader.read handling from callbacks to promises.
Introduced DOMPromiseIteratorWithCallback for that purpose: it takes resolve() to resolve a promise with a not-ending iterator value,
resolveEnd() to resolve a promise with a terminating iterator value and reject().
Added template helper routine to convert typed values to JS iterator wrapping the value.
Removed ReadableStreamReader.read custom binding.

Covered by rebased tests.

  • Modules/streams/ReadableStream.cpp: Updated code to use DOMPromiseIteratorWithCallback API.

(WebCore::ReadableStream::releaseReader):
(WebCore::ReadableStream::changeStateToErrored):
(WebCore::ReadableStream::read):
(WebCore::ReadableStream::resolveReadCallback):

  • Modules/streams/ReadableStream.h:
  • Modules/streams/ReadableStreamReader.cpp:

(WebCore::ReadableStreamReader::read):

  • Modules/streams/ReadableStreamReader.h:
  • Modules/streams/ReadableStreamReader.idl: Removed custom binding.
  • bindings/js/JSDOMBinding.h:

(WebCore::toJSIterator): create JS iterator from typed value.
(WebCore::toJSIteratorEnd): create JS end iterator.

  • bindings/js/JSDOMPromise.cpp:

(WebCore::DeferredWrapper::globalObject): Added globalObject getter and removed promise getter.

  • bindings/js/JSDOMPromise.h:

(WebCore::DOMPromiseIteratorWithCallback::DOMPromiseIteratorWithCallback):
(WebCore::Error>::resolve):
(WebCore::Error>::resolveEnd):
(WebCore::Error>::reject):

  • bindings/js/JSReadableStreamReaderCustom.cpp: Removed custom binding.

LayoutTests:
[Streams API] Remove ReadableStreamStream.read() custom binding
https://bugs.webkit.org/show_bug.cgi?id=146643

Reviewed by Darin Adler.

  • streams/reference-implementation/brand-checks-expected.txt:

12:55 AM Changeset in webkit [186413] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r185651 - [GTK] WEBKIT_CACHE_MODEL_DOCUMENT_VIEWER doesn't disable memory cache when set before the web process is launched
https://bugs.webkit.org/show_bug.cgi?id=146053

Reviewed by Martin Robinson.

The cache is disabled in WebProcess::platformSetCacheModel() when
the cache model is CacheModelDocumentViewer, but it's enabled
again by WebProcess::setMemoryCacheDisabled() when
memoryCacheDisabled creation parameter is processed. We need to
make sure the cache model and memoryCacheDisabled parameters are consistent.

  • UIProcess/gtk/WebProcessPoolGtk.cpp:

(WebKit::WebProcessPool::platformInitializeWebProcess): Initialize
memoryCacheDisabled parameter to true if memory cache was
explicitly disabled or cache model is CacheModelDocumentViewer.

12:54 AM Changeset in webkit [186412] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185643 - WebProcess crashes after too many redirect error when there's an active NPAPI plugin
https://bugs.webkit.org/show_bug.cgi?id=146019

Reviewed by Darin Adler.

This happens with the GTK+ port after a navigation action ends up
in an infinite redirection and the ResourceHandle fails with too
many redirections error. It should actually happen after any error
is reported by the ResourceHandler before the load is
committed. But it only happens if there's an active NPAPI
plugin. The problem is that FrameLoader::receivedMainResourceError()
is called recursively because DocumentLoader::stopLoading() ends up
calling mainReceivedError() that calls FrameLoader::receivedMainResourceError()
again. DocumentLoader::stopLoading() checks if the document is
still loading, which can happen if the main resource is loading,
if there's any subresource loading or if there's a plugin
loading. So, in case of being loading, those cases are handled
individually to cancel the main resource, or set an error in the
document loader and cancel subresources and plugins, except for
this case of plugins, that mainReceivedError is called instead of
setting cancelled error on the document loader.

  • loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::stopLoading): If the document is still
loading because there are active plugins, set the cancelled error
on the document instead of calling mainReceivedError again.

12:30 AM Changeset in webkit [186411] by Carlos Garcia Campos
  • 4 edits, 2 adds in releases/WebKitGTK/webkit-2.8

Merge r185572 - RootInlineBox::m_lineBreakObj becomes invalid when a child renderer is removed and the line does not get marked dirty.
https://bugs.webkit.org/show_bug.cgi?id=145988
rdar://problem/20959137

Reviewed by David Hyatt.

This patch ensures that we find the right first inline box so that we can dirty the
appropriate line boxes.
With marking the right line boxes dirty, now we can update RootInlineBox::m_lineBreakObj at the next layout.

Source/WebCore:

Test: fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html

  • rendering/RenderInline.cpp:

(WebCore::RenderInline::culledInlineFirstLineBox):
(WebCore::RenderInline::culledInlineLastLineBox):

  • rendering/RootInlineBox.cpp:

(WebCore::RootInlineBox::setLineBreakInfo): Deleted. Remove misleading assert and comment.

LayoutTests:

  • fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean-expected.txt: Added.
  • fast/inline/crash-when-child-renderer-is-removed-and-line-stays-clean.html: Added.

12:28 AM Changeset in webkit [186410] by Carlos Garcia Campos
  • 13 edits in releases/WebKitGTK/webkit-2.8/Source

Merge r185542 - [WK2] API::Navigation objects are leaked on history navigation to HistoryItems in PageCache
https://bugs.webkit.org/show_bug.cgi?id=145948

Reviewed by Darin Adler.

Source/WebCore:

API::Navigation objects were leaked on history navigation to
HistoryItems in PageCache. In such case, we would create 2 Navigation
objects instead of 1 and the first one would be leaked. The reason
we create the second one is because we fail to pass along the
navigationID from the UIProcess to the WebProcess and then back to the
UIProcess. On the IPC back to the UIProcess, the navigationID ends up
being 0 so the UIProcess creates a new Navigation object, thinking that
the load was triggered by the WebContent process.

We now pass along the navigationID, even if the HistoryItem is in the
PageCache and we end up reusing the cached DocumentLoader, instead of
creating a new one. A new updateCachedDocumentLoader() delegate is
added to the FrameLoaderClient, similarly to the pre-existing
createDocumentLoader() but for the case where the DocumentLoader gets
reused.

  • loader/EmptyClients.h:
  • loader/FrameLoader.cpp:

(WebCore::FrameLoader::loadDifferentDocumentItem):

  • loader/FrameLoaderClient.h:

Source/WebKit/mac:

Add empty implementation for new
FrameLoaderClient::updatedCachedDocumentLoader().

  • WebCoreSupport/WebFrameLoaderClient.h:

Source/WebKit/win:

Add empty implementation for new
FrameLoaderClient::updatedCachedDocumentLoader().

  • WebCoreSupport/WebFrameLoaderClient.h:

Source/WebKit2:

API::Navigation objects were leaked on history navigation to
HistoryItems in PageCache. In such case, we would create 2 Navigation
objects instead of 1 and the first one would be leaked. The reason
we create the second one is because we fail to pass along the
navigationID from the UIProcess to the WebProcess and then back to the
UIProcess. On the IPC back to the UIProcess, the navigationID ends up
being 0 so the UIProcess creates a new Navigation object, thinking that
the load was triggered by the WebContent process.

We now pass along the navigationID, even if the HistoryItem is in the
PageCache and we end up reusing the cached DocumentLoader, instead of
creating a new one. A new updateCachedDocumentLoader() delegate is
added to the FrameLoaderClient, similarly to the pre-existing
createDocumentLoader() but for the case where the DocumentLoader gets
reused.

  • WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:

(WebKit::WebFrameLoaderClient::updateCachedDocumentLoader):

  • WebProcess/WebCoreSupport/WebFrameLoaderClient.h:
  • WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::goForward):
(WebKit::WebPage::goBack):
(WebKit::WebPage::goToBackForwardItem):
(WebKit::WebPage::updateCachedDocumentLoader):

  • WebProcess/WebPage/WebPage.h:

12:21 AM Changeset in webkit [186409] by Carlos Garcia Campos
  • 9 edits in releases/WebKitGTK/webkit-2.8

Merge r185484 - Do not crash when the descendant frame tree is destroyed during layout.
https://bugs.webkit.org/show_bug.cgi?id=144540
rdar://problem/20793184

Reviewed by Andreas Kling.

Source/WebCore:

Widget::setFrameRect(), through WebHTMLView layout, could trigger a style recalc, which in turn
could initiate an onBeforeLoad callback.
If javascript happens to destroy the current iframe in the onBeforeLoad callback, we lose the descendant
render tree, including the child FrameView (the iframe element's view). However the RenderIFrame
object stays protected until after the layout is done. (see protectRenderWidgetUntilLayoutIsDone())

Climbing back on the callstack, we need to make sure that

  1. the root widget of the descendant render tree (FrameView) stays valid as long as it is needed.
  2. RenderFrameBase::layoutWithFlattening() can handle the case when the associated widget (child FrameView) is set to nullptr.

(see RenderWidget::willBeDestroyed() -> setWidget(nullptr))

(and later, when layout is finished this (RenderIFrame) object gets destroyed too.)

Covered by fast/frames/flattening/crash-remove-iframe-during-object-beforeload.html.

  • page/FrameView.cpp:

(WebCore::FrameView::setFrameRect):
(WebCore::FrameView::updateEmbeddedObject):
(WebCore::FrameView::updateWidgetPositions):

  • platform/ScrollView.cpp:

(WebCore::ScrollView::setFrameRect):

  • platform/mac/WidgetMac.mm:

(WebCore::Widget::setFrameRect):

  • rendering/RenderFrameBase.cpp:

(WebCore::RenderFrameBase::layoutWithFlattening):
(WebCore::RenderFrameBase::childRenderView):
(WebCore::RenderFrameBase::peformLayoutWithFlattening):

  • rendering/RenderFrameBase.h:
  • rendering/RenderWidget.cpp:

(WebCore::RenderWidget::updateWidgetPosition):

  • rendering/RenderWidget.h:

LayoutTests:

Unskip fast/frames/flattening/crash-remove-iframe-during-object-beforeload.html.

12:07 AM Changeset in webkit [186408] by Carlos Garcia Campos
  • 6 edits, 4 adds in releases/WebKitGTK/webkit-2.8

Merge r185435 - ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::getElementById
https://bugs.webkit.org/show_bug.cgi?id=145857
<rdar://problem/16798440>

Reviewed by Darin Adler.

Source/WebCore:

Make sure Node::insertedInto() gets called on the inserted node and its
descendants after its insertion into the tree but *before*
ContainerNode::childrenChanged() is called on the parent node. This is
needed so that the descendants know they've been inserted into the tree
(and their InDocumentFlag flag gets set) before the parent node does
anything with them in childrenChanged().

In the case of <rdar://problem/16798440>, executing HTMLScriptElement's
childrenChanged() after appending a child to a script element was causing
the script to be executed. The script would call getElementBy() which
would traverse the DOM tree and find a matching Element in the newly
inserted subtree. However, the matching Element's InDocumentFlag flag was
not set yet because the element's insertedInto() method has not been called
yet at this point. This would cause us to hit an assertion as
DocumentOrderedMap::getElementById() is only supposed to return elements
that are in a Document.

This patch is based on Blink r178976 by <esprehn@chromium.org>:
https://src.chromium.org/viewvc/blink?view=rev&revision=178976

Tests: fast/dom/script-getElementById-during-insertion.html
       fast/dom/script-remove-child-id-map.html

  • dom/ContainerNode.cpp:

(WebCore::ContainerNode::notifyChildInserted):
(WebCore::ContainerNode::notifyChildRemoved):
(WebCore::ContainerNode::removeChildren):
(WebCore::ContainerNode::parserInsertBefore): Deleted.
(WebCore::ContainerNode::removeChild): Deleted.
(WebCore::ContainerNode::parserRemoveChild): Deleted.
(WebCore::ContainerNode::parserAppendChild): Deleted.
(WebCore::ContainerNode::childrenChanged): Deleted.
(WebCore::ContainerNode::setAttributeEventListener): Deleted.
(WebCore::ContainerNode::querySelector): Deleted.

  • dom/ContainerNodeAlgorithms.cpp:

(WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument):
(WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoTree):

  • dom/ContainerNodeAlgorithms.h:

(WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument):
(WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoTree):
(WebCore::ChildNodeInsertionNotifier::notify):
(WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument): Deleted.

  • dom/Element.cpp:

(WebCore::Element::addShadowRoot):

LayoutTests:

Add layout tests covering different crashes caused by the same bug.

  • fast/dom/script-getElementById-during-insertion-expected.txt: Added.
  • fast/dom/script-getElementById-during-insertion.html: Added.

Reduction test case for <rdar://problem/16798440>.

  • fast/dom/script-remove-child-id-map-expected.txt: Added.
  • fast/dom/script-remove-child-id-map.html: Added.

Test imported from Blink r178976.

12:04 AM Changeset in webkit [186407] by Carlos Garcia Campos
  • 15 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185423 - Drop unused argument for Node::didNotifySubtreeInsertions()
https://bugs.webkit.org/show_bug.cgi?id=145845

Reviewed by Andreas Kling.

  • dom/ContainerNodeAlgorithms.h:

(WebCore::ChildNodeInsertionNotifier::notify):

  • dom/Node.h:

(WebCore::Node::didNotifySubtreeInsertions):

  • html/HTMLFrameElementBase.cpp:

(WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions):

  • html/HTMLFrameElementBase.h:
  • svg/SVGFEImageElement.cpp:

(WebCore::SVGFEImageElement::didNotifySubtreeInsertions):

  • svg/SVGFEImageElement.h:
  • svg/SVGMPathElement.cpp:

(WebCore::SVGMPathElement::didNotifySubtreeInsertions):

  • svg/SVGMPathElement.h:
  • svg/SVGTRefElement.cpp:

(WebCore::SVGTRefElement::didNotifySubtreeInsertions):

  • svg/SVGTRefElement.h:
  • svg/SVGTextPathElement.cpp:

(WebCore::SVGTextPathElement::didNotifySubtreeInsertions):

  • svg/SVGTextPathElement.h:
  • svg/animation/SVGSMILElement.cpp:

(WebCore::SVGSMILElement::didNotifySubtreeInsertions):

  • svg/animation/SVGSMILElement.h:

Jul 6, 2015:

11:38 PM Changeset in webkit [186406] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185434 - [Web Timing] Fix flaky test.
https://bugs.webkit.org/show_bug.cgi?id=145846

Patch by Alex Christensen <achristensen@webkit.org> on 2015-06-10
Reviewed by Alexey Proskuryakov.

The timing data is gathered in ResourceHandle::getConnectionTimingData as
millisecond deltas from the fetch start time, not the navigation start time.
The difference between navigation and fetch start time is usually so small that
it only caused one flaky test, but this should fix that flakiness. This patch
corrects how the millisecond deltas are used.

  • page/PerformanceTiming.cpp:

(WebCore::PerformanceTiming::domainLookupStart):
(WebCore::PerformanceTiming::domainLookupEnd):
(WebCore::PerformanceTiming::connectStart):
(WebCore::PerformanceTiming::connectEnd):
(WebCore::PerformanceTiming::secureConnectionStart):
(WebCore::PerformanceTiming::requestStart):
(WebCore::PerformanceTiming::responseStart):
(WebCore::PerformanceTiming::responseEnd):
(WebCore::PerformanceTiming::documentLoadTiming):
(WebCore::PerformanceTiming::resourceLoadTimeRelativeToFetchStart):
(WebCore::PerformanceTiming::monotonicTimeToIntegerMilliseconds):
(WebCore::PerformanceTiming::resourceLoadTimeRelativeToAbsolute): Deleted.

  • page/PerformanceTiming.h:

11:35 PM Changeset in webkit [186405] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185403 - Protect FrameView from being destroyed in Document::recalcStyle()
https://bugs.webkit.org/show_bug.cgi?id=143033
rdar://problem/20326871

Reviewed by Andreas Kling.

This patch ensures that FrameView stays valid in Document::recalcStyle().
It follows the defensive pattern we use to deal with the refcounted FrameView (see EventDispatcher::dispatchEvent).

When the iframe destroys itself in the onBeforeLoad callback (as the result of
PostResolutionCallbackDisabler -> HTMLObjectElement::updateWidget -> guardedDispatchBeforeLoadEvent),
we detach the frame and release the FrameView. However Document::recalcStyle() expects
the FrameView to stay valid.

Covered by fast/frames/flattening/crash-remove-iframe-during-object-beforeload.html.

  • dom/Document.cpp:

(WebCore::Document::recalcStyle):

11:33 PM Changeset in webkit [186404] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185396 - GraphicsContext state stack wasting lots of memory when empty.
<https://webkit.org/b/145817>

Reviewed by Geoffrey Garen.

Give the GraphicsContextState stack an inline capacity of 1, and make sure
to free any heap-allocated backing store when the stack goes empty.

The 1 is because HTMLCanvasElement keeps one "save" on the underlying
GraphicsContext at all times, and this prevents those canvases from always
sitting on an empty stack with 16 capacity.

This saves ~520 kB on cnet.com video pages.

  • platform/graphics/GraphicsContext.cpp:

(WebCore::GraphicsContext::restore):

  • platform/graphics/GraphicsContext.h:

11:27 PM Changeset in webkit [186403] by Carlos Garcia Campos
  • 8 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r185395 - SVG Fragment is not rendered if it is the css background image of an HTML element
https://bugs.webkit.org/show_bug.cgi?id=91790

Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2015-06-09
Reviewed by Darin Adler.

Source/WebCore:

To show an SVG fragment, the SVGImage has to scrollToFragment() using
the resource url. The changes http://trac.webkit.org/changeset/164804
and http://trac.webkit.org/changeset/164983 set the url of SVGImage to
be used later in SVGImage::draw(). The problem is the SVGImage url
is only set when it is the src of an <img> tag. We did not do the same
thing when the SVGImage is the css background image of an HTML element.

The fix is to set the url of the SVGImage always when it's created by
the CachedImage. The CachedImage must have a valid url when the SVGImage
is created.

Test: svg/css/svg-resource-fragment-identifier-background.html

  • loader/cache/CachedImage.cpp:

(WebCore::CachedImage::load):
(WebCore::CachedImage::checkShouldPaintBrokenImage):
Replace the calls resourceRequest().url() and m_resourceRequest.url() by
calling url() since they are all the same.

(WebCore::CachedImage::createImage): Pass the resource url to SVGImage
and change ImageObserver& by ImageObserver*, since null is not legal.

  • svg/graphics/SVGImage.cpp:

(WebCore::SVGImage::SVGImage):

  • svg/graphics/SVGImage.h: Add a url parameter to SVGImage constructor.
  • svg/graphics/SVGImageCache.cpp:

(WebCore::SVGImageCache::findImageForRenderer): Add a new helper function.

(WebCore::SVGImageCache::imageSizeForRenderer):
(WebCore::SVGImageCache::imageForRenderer): Code clean up.

  • svg/graphics/SVGImageCache.h: Make imageForRenderer() const.
  • svg/graphics/SVGImageForContainer.cpp: Remove unneeded header file.

LayoutTests:

  • svg/css/svg-resource-fragment-identifier-background-expected.html: Added.
  • svg/css/svg-resource-fragment-identifier-background.html: Added.

Ensure that the SVG fragment is displayed correctly when it's used as a
css background image.

11:21 PM Changeset in webkit [186402] by Carlos Garcia Campos
  • 6 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r185392 - feComposite filter does not clip the paint rect to its effect rect when the operator is 'in' or 'atop'
https://bugs.webkit.org/show_bug.cgi?id=137856

Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2015-06-09
Reviewed by Darin Adler.

Source/WebCore:

There was a bug in calculating the absolutePaintRect of the feComposite filter
when the operator is equal to 'in' or 'atop'. The absolutePaintRect was set
to the absolutePaintRect of the background FilterEffect which is correct.
What was missing is clipping this rectangle to the maxEffectRect of the
filter which we do for other operators.

Tests: svg/filters/feComposite-background-rect-control-operators.svg

  • platform/graphics/IntRect.h:

(WebCore::operator-=):
(WebCore::operator-): Add new operators to IntRect.

  • platform/graphics/filters/FEComposite.cpp:

(WebCore::FEComposite::determineAbsolutePaintRect): Make sure the filter
absolutePaintRect is clipped to maxEffectRect for all operators.

(WebCore::FEComposite::platformApplySoftware): Code clean-up.

  • platform/graphics/filters/FilterEffect.cpp:

(WebCore::FilterEffect::determineAbsolutePaintRect): Move the clipping
part to a separate function.

(WebCore::FilterEffect::clipAbsolutePaintRect): Clip the absolutePaintRect
to the maxEffectRect of the filter.

  • platform/graphics/filters/FilterEffect.h:

LayoutTests:

  • svg/filters/feComposite-background-rect-control-operators-expected.svg: Added.
  • svg/filters/feComposite-background-rect-control-operators.svg: Added.

Ensure the painting rect of the feComposite filter with operator 'in' or
'atop' is clipped to its bounding rectangle.

10:56 PM Changeset in webkit [186401] by Carlos Garcia Campos
  • 7 edits
    3 adds
    2 deletes in releases/WebKitGTK/webkit-2.8

Merge r185310 - REGRESSION (r181720): Unnecessary layout triggered any time animated GIF advances to a new frame
https://bugs.webkit.org/show_bug.cgi?id=145733

Reviewed by Andreas Kling.

Source/WebCore:

Test: fast/images/animated-gif-no-layout.html

  • rendering/RenderImage.cpp:

(WebCore::RenderImage::styleDidChange): Correctly pass ImageSizeChangeNone in cases
where we don't need to report a change in intrinsic size that happened outside the
repaintOrMarkForLayout function.
(WebCore::RenderImage::repaintOrMarkForLayout): Move work that should only be done
when size changed inside the if statement.

  • testing/Internals.cpp:

(WebCore::Internals::layoutCount): Added.

  • testing/Internals.h: Added layoutCount.
  • testing/Internals.idl: Ditto.

LayoutTests:

old one I am fixing and the one new one I am adding) because they don't yet work
under DumpRenderTree.

  • fast/images/animated-gif-no-layout-expected.html: Added.
  • fast/images/animated-gif-no-layout.html: Added.
  • fast/images/gif-loop-count-expected.html: Added. This test was worthless as a render
tree dump test, and only valuable as a pixel test. And that hid the fact that it was
failing under WebKit1. Changing it to a reference test makes it a valuable test again.

  • fast/images/gif-loop-count-expected.png: Removed.
  • fast/images/gif-loop-count-expected.txt: Removed.
  • platform/wk2/TestExpectations: Expect successes on these two tests.

10:37 PM Changeset in webkit [186400] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185287 - Typing is slow in Gmail on iPads
https://bugs.webkit.org/show_bug.cgi?id=145686

Reviewed by Enrica Casucci.

The bug was caused by nextCandidate and nextVisuallyDistinctCandidate traversing through each character
in a text node without a renderer. Skip any node that doesn't have a renderer in both of those functions
and corresponding previous* functions.

It's fine to skip unrendered nodes in PositionIterator because only other clients of PositionIterator
are Position::upstream and Position::downstream and they don't care about un-rendered nodes either.

  • dom/PositionIterator.cpp:

(WebCore::PositionIterator::increment):
(WebCore::PositionIterator::decrement):

  • editing/htmlediting.cpp:

(WebCore::nextVisuallyDistinctCandidate):
(WebCore::previousVisuallyDistinctCandidate):

10:04 PM Changeset in webkit [186399] by Alan Bujtas
  • 4 edits in trunk

REGRESSION: Slider thumb does not render properly (image tests with <input type="range">)
https://bugs.webkit.org/show_bug.cgi?id=146669
rdar://problem/21677831

Reviewed by Simon Fraser.

Draw NSSliderCell's knob only when slider's thumb paint is requested.

Covered by existing tests.

Source/WebCore:

  • rendering/RenderThemeMac.mm:

(WebCore::RenderThemeMac::paintSliderThumb):

LayoutTests:

  • platform/mac/TestExpectations: Unskip slider tests.

9:27 PM Changeset in webkit [186398] by Csaba Osztrogonác
  • 4 edits in trunk/Source/WebCore

Move shouldIgnoreAttributeCase inline function to Element.h
https://bugs.webkit.org/show_bug.cgi?id=146588

Reviewed by Andreas Kling.

  • dom/Element.cpp:

(WebCore::shouldIgnoreAttributeCase): Deleted.

  • dom/Element.h:

(WebCore::shouldIgnoreAttributeCase):

  • dom/NamedNodeMap.cpp:

(WebCore::shouldIgnoreAttributeCase): Deleted.

9:20 PM Changeset in webkit [186397] by Csaba Osztrogonác
  • 9 edits
    1 delete in trunk/Source/JavaScriptCore

Remove the unused HeapBlock.h
https://bugs.webkit.org/show_bug.cgi?id=146580

Reviewed by Andreas Kling.

  • JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
  • JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
  • JavaScriptCore.xcodeproj/project.pbxproj:
  • heap/CopiedBlock.h:
  • heap/CopiedSpace.h:
  • heap/CopiedSpaceInlines.h:
  • heap/HandleBlock.h:
  • heap/HeapBlock.h: Removed.
  • heap/MarkedBlock.h:

8:40 PM Changeset in webkit [186396] by Brent Fulgham
  • 10 edits in trunk/Source

Ensure media playback is stopped during page close
https://bugs.webkit.org/show_bug.cgi?id=146554
<rdar://problem/18033944>

Reviewed by Brady Eidson.

Source/WebCore:

  • Modules/webaudio/AudioContext.cpp:

(WebCore::WebAudio::hostingDocument): Added.

  • Modules/webaudio/AudioContext.h:
  • html/HTMLMediaElement.h:

(WebCore::HTMLMediaElement::hostingDocument): Added.

  • dom/Document.cpp:

(WebCore::Document::~Document): Call new 'stopAllMediaPlaybackForDocument' at destruction time.

  • platform/audio/PlatformMediaSession.h:

Made PlatformMediaSessionManager a friend so it can access the protected 'client' accessor.
Updated PlatformMediaSessionClient to require clients to have a "hostingDocument" member.

  • platform/audio/PlatformMediaSessionManager.cpp:

(WebCore::PlatformMediaSessionManager::stopAllMediaPlaybackForDocument): Added. Only pauses
playback on elements that match the provided document.
(WebCore::PlatformMediaSessionManager::stopAllMediaPlaybackForProcess): Added. Pauses playback
on all elements in the current process.

  • platform/audio/PlatformMediaSessionManager.h:

Source/WebKit2:

  • WebProcess/WebProcess.cpp:

(WebKit::WebProcess::didClose): Make sure to clean up any running media sessions when
the process is being shut down.

8:12 PM Changeset in webkit [186395] by dbates@webkit.org
  • 3 edits in trunk/Source/WebCore

Isolated worlds should respect Content Security Policy; User Agent Shadow DOM
should be exempt from Content Security Policy
https://bugs.webkit.org/show_bug.cgi?id=144830
<rdar://problem/18860261>

Inadvertently omitted argument overrideContentSecurityPolicy in calls to ContentSecurityPolicy::allowEval()
that explicitly specified a report status. And the report status, which is an enum, was being implicitly
converted to bool.

  • bindings/js/ScriptController.cpp:

(WebCore::ScriptController::initScript):

  • page/DOMSecurityPolicy.cpp:

(WebCore::DOMSecurityPolicy::allowsEval):

6:42 PM Changeset in webkit [186394] by commit-queue@webkit.org
  • 9 edits in trunk/Source

Unreviewed, rolling out r186385.
https://bugs.webkit.org/show_bug.cgi?id=146668

crashes 3 webaudio tests in debug builds (Requested by
alexchristensen on #webkit).

Reverted changeset:

"Ensure media playback is stopped during page close"
https://bugs.webkit.org/show_bug.cgi?id=146554
http://trac.webkit.org/changeset/186385

6:37 PM Changeset in webkit [186393] by akling@apple.com
  • 3 edits
    2 adds in trunk

Crash when setting text direction via MakeTextWritingDirection* editing commands.
<https://webkit.org/b/146665>
<rdar://problem/20835477>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Fix two buggy clients of enclosingBlock(node) that would fail if the returned
element is the same as the node passed in.

Test: editing/style/change-text-direction-crash.html

  • editing/ApplyStyleCommand.cpp:

(WebCore::ApplyStyleCommand::splitAncestorsWithUnicodeBidi):
(WebCore::ApplyStyleCommand::removeEmbeddingUpToEnclosingBlock):

LayoutTests:

Add a test that covers some very simple MakeTextWritingDirection* command usage.

  • editing/style/change-text-direction-crash-expected.txt: Added.
  • editing/style/change-text-direction-crash.html: Added.

6:16 PM Changeset in webkit [186392] by Simon Fraser
  • 33 edits
    5 deletes in trunk/Source/WebCore

Revert use of SVG <mask> elements for -webkit-mask-image (r176798, r177494)
https://bugs.webkit.org/show_bug.cgi?id=146653

Reviewed by Dean Jackson.

Fixes rdar://problem/21435233.

r177494 caused a number of regressions (bugs 141857, 146509, 146561), added new layering violations, and
was not being maintained, so revert it.

This patch reverts r176798.

  • CMakeLists.txt:
  • WebCore.vcxproj/WebCore.vcxproj:
  • WebCore.vcxproj/WebCore.vcxproj.filters:
  • WebCore.xcodeproj/project.pbxproj:
  • css/CSSValue.cpp:

(WebCore::CSSValue::cssText): Deleted.
(WebCore::CSSValue::destroy): Deleted.

  • css/CSSValue.h:

(WebCore::CSSValue::isWebKitCSSResourceValue): Deleted.

  • css/StyleBuilderConverter.h:

(WebCore::maskImageValueFromIterator): Deleted.

  • css/StyleResolver.cpp:

(WebCore::StyleResolver::State::clear): Deleted.

  • css/StyleResolver.h:

(WebCore::StyleResolver::State::maskImagesWithPendingSVGDocuments): Deleted.

  • css/WebKitCSSResourceValue.cpp: Removed.
  • css/WebKitCSSResourceValue.h: Removed.
  • loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::addCachedResource): Deleted.

  • loader/cache/CachedResourceLoader.h:
  • loader/cache/CachedSVGDocument.cpp:

(WebCore::CachedSVGDocument::finishLoading):
(WebCore::CachedSVGDocument::CachedSVGDocument): Deleted.

  • loader/cache/CachedSVGDocument.h:
  • loader/cache/CachedSVGDocumentReference.cpp:

(WebCore::CachedSVGDocumentReference::CachedSVGDocumentReference):
(WebCore::CachedSVGDocumentReference::~CachedSVGDocumentReference):
(WebCore::CachedSVGDocumentReference::load):

  • loader/cache/CachedSVGDocumentReference.h:
  • page/FrameView.cpp:

(WebCore::FrameView::containsSVGDocument): Deleted.

  • page/FrameView.h:
  • page/Page.cpp:

(WebCore::Page::createPageFromBuffer): Deleted.

  • page/Page.h:
  • platform/ScrollView.h:

(WebCore::ScrollView::containsSVGDocument): Deleted.

  • platform/graphics/MaskImageOperation.cpp: Removed.
  • platform/graphics/MaskImageOperation.h: Removed.
  • rendering/RenderLayer.cpp:

(WebCore::RenderLayer::RenderLayer): Deleted.

  • rendering/RenderLayer.h:
  • rendering/RenderLayerFilterInfo.cpp:
  • rendering/RenderLayerFilterInfo.h:
  • rendering/RenderLayerMaskImageInfo.h: Removed.
  • rendering/style/FillLayer.cpp:

(WebCore::FillLayer::operator==):
(WebCore::FillLayer::cullEmptyLayers):
(WebCore::layerImagesIdentical):
(WebCore::FillLayer::FillLayer): Deleted.
(WebCore::FillLayer::operator=): Deleted.
(WebCore::FillLayer::hasNonEmptyMaskImage): Deleted.
(WebCore::FillLayer::imagesAreLoaded): Deleted.

  • rendering/style/FillLayer.h:

(WebCore::FillLayer::maskImage): Deleted.
(WebCore::FillLayer::imageOrMaskImage): Deleted.
(WebCore::FillLayer::setMaskImage): Deleted.
(WebCore::FillLayer::clearMaskImage): Deleted.
(WebCore::FillLayer::hasMaskImage): Deleted.

  • rendering/svg/RenderSVGResourceMasker.cpp:

(WebCore::RenderSVGResourceMasker::applyResource):
(WebCore::RenderSVGResourceMasker::applySVGMask): Deleted.
(WebCore::RenderSVGResourceMasker::drawMaskForRenderer): Deleted.

  • rendering/svg/RenderSVGResourceMasker.h:
  • svg/SVGMaskElement.cpp:

(WebCore::SVGMaskElement::createElementRenderer):
(WebCore::SVGMaskElement::addClientRenderLayer): Deleted.
(WebCore::SVGMaskElement::removeClientRenderLayer): Deleted.

  • svg/SVGMaskElement.h:
  • svg/SVGUseElement.cpp:

(WebCore::SVGUseElement::updateExternalDocument):

  • svg/graphics/SVGImage.cpp:

(WebCore::SVGImage::dataChanged):

6:15 PM Changeset in webkit [186391] by Simon Fraser
  • 27 edits
    25 deletes in trunk

Revert use of SVG <mask> elements for -webkit-mask-image (r176798, r177494, r186180)
https://bugs.webkit.org/show_bug.cgi?id=146653

Reviewed by Dean Jackson.

Fixes rdar://problem/21435233.

r177494 caused a number of regressions (bugs 141857, 146509, 146561), added new layering violations, and
was not being maintained, so revert it.

This patch reverts r177494.

Source/WebCore:

  • WebCore.xcodeproj/project.pbxproj:
  • css/CSSComputedStyleDeclaration.cpp:

(WebCore::ComputedStyleExtractor::propertyValue):

  • css/CSSParser.cpp:

(WebCore::CSSParser::parseFillProperty):
(WebCore::CSSParser::parseMaskImage): Deleted.

  • css/CSSParser.h:
  • css/CSSPropertyNames.in:
  • css/CSSValue.h:
  • css/StyleBuilderConverter.h:

(WebCore::StyleBuilderConverter::convertMaskImageOperations): Deleted.

  • css/StyleResolver.cpp:

(WebCore::StyleResolver::loadPendingSVGDocuments):
(WebCore::StyleResolver::loadPendingImages):
(WebCore::StyleResolver::adjustStyleForMaskImages): Deleted.
(WebCore::StyleResolver::applyMatchedProperties): Deleted.

  • css/StyleResolver.h:
  • page/FrameView.cpp:

(WebCore::FrameView::containsSVGDocument):

  • page/FrameView.h:
  • page/animation/CSSPropertyAnimation.cpp:

(WebCore::CSSPropertyAnimationWrapperMap::CSSPropertyAnimationWrapperMap):
(WebCore::blendFunc): Deleted.
(WebCore::MaskImagePropertyWrapper::MaskImagePropertyWrapper): Deleted.
(WebCore::MaskImagePropertyWrapper::equals): Deleted.

  • platform/ScrollView.h:

(WebCore::ScrollView::containsSVGDocument):

  • platform/graphics/MaskImageOperation.cpp:

(WebCore::MaskImageOperation::~MaskImageOperation): Deleted.
(WebCore::MaskImageOperation::operator==): Deleted.

  • platform/graphics/MaskImageOperation.h:
  • rendering/RenderBox.cpp:

(WebCore::RenderBox::maskClipRect):

  • rendering/RenderBoxModelObject.cpp:

(WebCore::RenderBoxModelObject::paintFillLayerExtended):

  • rendering/RenderElement.cpp:

(WebCore::RenderElement::updateFillImages):
(WebCore::RenderElement::~RenderElement): Deleted.

  • rendering/RenderLayer.cpp:

(WebCore::RenderLayer::~RenderLayer): Deleted.
(WebCore::RenderLayer::calculateClipRects): Deleted.

  • rendering/RenderLayer.h:
  • rendering/RenderLayerMaskImageInfo.cpp: Removed.
  • rendering/style/FillLayer.h:

(WebCore::FillLayer::image):
(WebCore::FillLayer::imageOrMaskImage):

  • rendering/style/RenderStyle.cpp:

(WebCore::RenderStyle::setMaskImage): Deleted.

  • rendering/style/RenderStyle.h:

LayoutTests:

  • css3/masking/mask-base64-expected.html: Removed.
  • css3/masking/mask-base64.html: Removed.
  • css3/masking/mask-multiple-values-expected.html: Removed.
  • css3/masking/mask-multiple-values.html: Removed.
  • css3/masking/mask-repeat-space-padding-expected.html:
  • css3/masking/mask-repeat-space-padding.html:
  • css3/masking/mask-svg-clipped-fragmentId-expected.html: Removed.
  • css3/masking/mask-svg-clipped-fragmentId.html: Removed.
  • css3/masking/mask-svg-fragmentId-expected.html: Removed.
  • css3/masking/mask-svg-fragmentId.html: Removed.
  • css3/masking/mask-svg-inline-fragmentId-expected.html: Removed.
  • css3/masking/mask-svg-inline-fragmentId.html: Removed.
  • css3/masking/mask-svg-inline-invalid-fragmentId-expected.html: Removed.
  • css3/masking/mask-svg-inline-invalid-fragmentId.html: Removed.
  • css3/masking/mask-svg-invalid-fragmentId-expected.html: Removed.
  • css3/masking/mask-svg-invalid-fragmentId.html: Removed.
  • css3/masking/mask-svg-no-fragmentId-expected.html: Removed.
  • css3/masking/mask-svg-no-fragmentId-tiled-expected.html: Removed.
  • css3/masking/mask-svg-no-fragmentId-tiled.html: Removed.
  • css3/masking/mask-svg-no-fragmentId.html: Removed.
  • css3/masking/mask-svg-script-entire-svg-to-mask-expected.html: Removed.
  • css3/masking/mask-svg-script-entire-svg-to-mask.html: Removed.
  • css3/masking/mask-svg-script-mask-to-entire-svg-expected.html: Removed.
  • css3/masking/mask-svg-script-mask-to-entire-svg.html: Removed.
  • css3/masking/mask-svg-script-mask-to-none-expected.html: Removed.
  • css3/masking/mask-svg-script-mask-to-none.html: Removed.
  • css3/masking/mask-svg-script-mask-to-png-expected.html: Removed.
  • css3/masking/mask-svg-script-mask-to-png.html: Removed.
  • css3/masking/mask-svg-script-none-to-mask-expected.html: Removed.
  • css3/masking/mask-svg-script-none-to-mask.html: Removed.
  • css3/masking/mask-svg-script-none-to-png-expected.html: Removed.
  • css3/masking/mask-svg-script-none-to-png.html: Removed.
  • css3/masking/mask-svg-script-png-to-mask-expected.html: Removed.
  • css3/masking/mask-svg-script-png-to-mask.html: Removed.
  • css3/masking/mask-svg-script-png-to-none-expected.html: Removed.
  • css3/masking/mask-svg-script-png-to-none.html: Removed.
  • css3/masking/resources/masks.svg: Removed.

6:11 PM Changeset in webkit [186390] by Simon Fraser
  • 6 edits in trunk/Source/WebCore

Revert use of SVG <mask> elements for -webkit-mask-image (r176798, r177494, r186180)
https://bugs.webkit.org/show_bug.cgi?id=146653

Fixes rdar://problem/21435233.

This patch reverts r186180, but keeps the layout test.

This feature caused a number of regressions (bugs 141857, 146509, 146561), added new layering violations, and
was not being maintained, so revert it.

  • loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::requestResource): Deleted.

  • loader/cache/CachedResourceRequest.h:

(WebCore::CachedResourceRequest::acceptOverride): Deleted.
(WebCore::CachedResourceRequest::setAcceptOverride): Deleted.

  • loader/cache/CachedSVGDocumentReference.cpp:

(WebCore::CachedSVGDocumentReference::load): Deleted.

  • loader/cache/CachedSVGDocumentReference.h:

(WebCore::CachedSVGDocumentReference::setAcceptsAnyImageType): Deleted.

  • platform/graphics/MaskImageOperation.cpp:

(WebCore::MaskImageOperation::ensureCachedSVGDocumentReference):
(WebCore::MaskImageOperation::notifyFinished):

6:05 PM Changeset in webkit [186389] by dbates@webkit.org
  • 2 edits in trunk/Source/WebCore

Fix the Windows build following <https://trac.webkit.org/changeset/186388>
(https://bugs.webkit.org/show_bug.cgi?id=144830)

As we do for Mac in WebCoreAVFResourceLoader::startLoading(), instantiate ResourceLoaderOptions
with ContentSecurityPolicyImposition::DoPolicyCheck.

  • platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:

(WebCore::WebCoreAVCFResourceLoader::startLoading):

5:42 PM Changeset in webkit [186388] by dbates@webkit.org
  • 59 edits
    2 moves
    59 adds in trunk

Isolated worlds should respect Content Security Policy; User Agent Shadow DOM
should be exempt from Content Security Policy
https://bugs.webkit.org/show_bug.cgi?id=144830
<rdar://problem/18860261>

Reviewed by Geoffrey Garen.

Source/WebCore:

Make scripts that run in an isolated world be subject to the Content Security Policy (CSP) of the page
and exempt features implemented using a user agent shadow DOM. As a side effect of this change,
Safari Content Extensions will respect the CSP policy of the page when loading subresources (e.g. an image).

Tests: http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-background.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-cursor.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-filter-on-image.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-webkit-image-set.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-embed-plugin.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-external-script.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-iframe.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image-after-redirect.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-style.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-stylesheet.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object-plugin.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-feimage-element.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-use-element.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-track.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-allowed.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/video-controls-allowed.html
http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html

  • Modules/websockets/WebSocket.cpp:

(WebCore::WebSocket::connect): Pass shouldBypassMainWorldContentSecurityPolicy to ContentSecurityPolicy::allowConnectToSource().

  • css/CSSCanvasValue.h:

(WebCore::CSSCanvasValue::loadSubimages): Modified to take argument ResourceLoaderOptions (unused).

  • css/CSSCrossfadeValue.cpp:

(WebCore::CSSCrossfadeValue::fixedSize): Explicitly instantiate default ResourceLoaderOptions and
pass it when requesting a cached image. Added FIXME comment to skip Content Security Policy check when
the cross fade is applied to an element in a user agent shadow tree.
(WebCore::CSSCrossfadeValue::loadSubimages): Take a ResourceLoaderOptions as an argument and pass it
as appropriate.
(WebCore::CSSCrossfadeValue::image): Explicitly instantiate default ResourceLoaderOptions and pass it
when requesting a cached image. Added FIXME comment to skip Content Security Policy check when the cross
fade is applied to an element in a user agent shadow tree.

  • css/CSSCrossfadeValue.h:
  • css/CSSCursorImageValue.cpp:

(WebCore::CSSCursorImageValue::cachedImage): Take a ResourceLoaderOptions as an argument and pass it
as appropriate.

  • css/CSSCursorImageValue.h:
  • css/CSSFilterImageValue.cpp:

(WebCore::CSSFilterImageValue::fixedSize): Explicitly instantiate default ResourceLoaderOptions and
pass it when requesting a cached image. Added FIXME comment to skip Content Security Policy check when
the cross fade is applied to an element in a user agent shadow tree.
(WebCore::CSSFilterImageValue::loadSubimages): Take a ResourceLoaderOptions as an argument and pass it
as appropriate.
(WebCore::CSSFilterImageValue::loadSubimages): Explicitly instantiate default ResourceLoaderOptions and
pass it when requesting a cached image. Added FIXME comment to skip Content Security Policy check when
the cross fade is applied to an element in a user agent shadow tree.
(WebCore::CSSFilterImageValue::image):

  • css/CSSFilterImageValue.h:
  • css/CSSFontFaceSrcValue.cpp:

(WebCore::CSSFontFaceSrcValue::cachedFont): Take a boolean, isInitiatingElementInUserAgentShadowTree,
so as to determine the appropriate CSP imposition. In particular, we skip the CSP check when the initiating element
(e.g. SVG font-face element) is in a user agent shadow tree.

  • css/CSSFontFaceSrcValue.h:
  • css/CSSFontSelector.cpp:

(WebCore::CSSFontSelector::addFontFaceRule): Take a boolean, isInitiatingElementInUserAgentShadowTree, and pass
it as appropriate.

  • css/CSSFontSelector.h:
  • css/CSSGradientValue.h:

(WebCore::CSSGradientValue::loadSubimages): Take a ResourceLoaderOptions as an argument and pass it
as appropriate.

  • css/CSSImageGeneratorValue.cpp:

(WebCore::CSSImageGeneratorValue::loadSubimages): Ditto.
(WebCore::CSSImageGeneratorValue::cachedImageForCSSValue): Ditto.

  • css/CSSImageGeneratorValue.h:
  • css/CSSImageSetValue.cpp:

(WebCore::CSSImageSetValue::cachedImageSet): Deleted.

  • css/CSSImageSetValue.h:
  • css/CSSImageValue.cpp:

(WebCore::CSSImageValue::cachedImage): Deleted.

  • css/CSSImageValue.h:
  • css/RuleSet.cpp:

(WebCore::RuleSet::addChildRules): Take a boolean, isInitiatingElementInUserAgentShadowTree, and pass
it as appropriate.
(WebCore::RuleSet::addRulesFromSheet): Added FIXME comment to skip Content Security Policy check
when stylesheet is in a user agent shadow tree.

  • css/RuleSet.h:
  • css/StyleResolver.cpp:

(WebCore::StyleResolver::StyleResolver): Determine whether the SVG font-face element is in a user agent shadow tree
and pass the appropriate value when calling CSSFontSelector::addFontFaceRule(). Also, modernized code; used C++11
range-based for-loop instead of const_iterator idiom.
(WebCore::StyleResolver::loadPendingSVGDocuments): Skip CSP check when requesting subresources as a byproduct of
resolving style for an element in a user agent shadow tree.
(WebCore::StyleResolver::loadPendingImage): Ditto.
(WebCore::StyleResolver::loadPendingShapeImage): Ditto.

  • css/StyleRuleImport.cpp:

(WebCore::StyleRuleImport::requestStyleSheet): Added FIXME comment to skip Content Security Policy check
when stylesheet is in a user agent shadow tree.

  • dom/Element.h:
  • dom/InlineStyleSheetOwner.cpp:

(WebCore::InlineStyleSheetOwner::createSheet): Skip CSP check for an inline <style> that is in a user agent shadow tree.

  • dom/Node.cpp:

(WebCore::Node::isInUserAgentShadowTree): Added.

  • dom/Node.h:
  • dom/ScriptElement.cpp:

(WebCore::ScriptElement::requestScript): Skip CSP check for an external JavaScript script in a user agent shadow tree.
(WebCore::ScriptElement::executeScript): Skip CSP check for an inline JavaScript script that is in a user agent shadow tree.

  • dom/StyledElement.cpp:

(WebCore::StyledElement::styleAttributeChanged): Skip CSP check when modifying the inline style of an element in a user
agent shadow tree.

  • html/HTMLMediaElement.cpp:

(WebCore::HTMLMediaElement::isSafeToLoadURL): Skip CSP check for a <audio>, <video> in a user agent shadow tree.
(WebCore::HTMLMediaElement::outOfBandTrackSources): Ditto.

  • html/HTMLTrackElement.cpp:

(WebCore::HTMLTrackElement::canLoadURL): Ditto.

  • html/track/LoadableTextTrack.cpp:

(WebCore::LoadableTextTrack::loadTimerFired): Determine whether the <track> is in a user agent shadow tree
and pass the appropriate value when calling TextTrackLoader::load().

  • loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::startLoadingMainResource): Do CSP check when loading a resource by default.

  • loader/ImageLoader.cpp:

(WebCore::ImageLoader::updateFromElement): Skip CSP check for an image that is in a user agent shadow tree.

  • loader/MediaResourceLoader.cpp:

(WebCore::MediaResourceLoader::start): Instantiate ResourceLoaderOptions passing placeholder value ContentSecurityPolicyImposition::DoPolicyCheck.
This value does not affect the request because we do not check the Content Security Policy for raw resource requests.

  • loader/NetscapePlugInStreamLoader.cpp:

(WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Added FIXME comment to skip Content Security Policy check
when associated plugin element is in a user agent shadow tree.

  • loader/PolicyChecker.cpp:

(WebCore::PolicyChecker::checkNavigationPolicy): Skip CSP check for a <iframe> in a user agent shadow tree.

  • loader/ResourceLoaderOptions.h: Defined enum class ContentSecurityPolicyImposition with explicit type uint8_t so
as to provide a hint to the compiler (for better packing) when it computes the memory layout for a struct that
contains an instance of this class.
(WebCore::ResourceLoaderOptions::ResourceLoaderOptions): Added argument contentSecurityPolicyImposition.
(WebCore::ResourceLoaderOptions::contentSecurityPolicyImposition): Added.
(WebCore::ResourceLoaderOptions::setContentSecurityPolicyImposition): Added.

  • loader/SubframeLoader.cpp:

(WebCore::SubframeLoader::pluginIsLoadable): Skip CSP check for a plugin element that is in a user agent shadow tree.
(WebCore::SubframeLoader::createJavaAppletWidget): Skip CSP check for an applet element that is in a user agent shadow tree.

  • loader/TextTrackLoader.cpp:

(WebCore::TextTrackLoader::load): Take a boolean, isInitiatingElementInUserAgentShadowTree, and sets the appropriate
Content Security Policy imposition for the text track request.

  • loader/TextTrackLoader.h:
  • loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Skip CSP check for a user-specified stylesheet.
(WebCore::CachedResourceLoader::canRequest): Only check the CSP of the page if specified in the resource loader options for the request.
(WebCore::CachedResourceLoader::defaultCachedResourceOptions): Add ContentSecurityPolicyImposition::DoPolicyCheck to the default
resource loader options so that we do check the CSP policy of the page before performing a resource request by default.

  • loader/cache/CachedSVGDocumentReference.cpp:

(WebCore::CachedSVGDocumentReference::load): Take a ResourceLoaderOptions as an argument and passes it as appropriate.

  • loader/cache/CachedSVGDocumentReference.h:
  • loader/icon/IconLoader.cpp:

(WebCore::IconLoader::startLoading): Instantiate ResourceLoaderOptions passing placeholder value ContentSecurityPolicyImposition::DoPolicyCheck.
This value does not affect the request because we do not check the Content Security Policy for raw resource requests.

  • page/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::allowJavaScriptURLs): Take an argument called overrideContentSecurityPolicy (defaults to false). When
overrideContentSecurityPolicy := true, this function unconditionally returns true.
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers): Ditto.
(WebCore::ContentSecurityPolicy::allowInlineScript): Ditto.
(WebCore::ContentSecurityPolicy::allowInlineStyle): Ditto.
(WebCore::ContentSecurityPolicy::allowEval): Ditto.
(WebCore::ContentSecurityPolicy::allowPluginType): Ditto.
(WebCore::ContentSecurityPolicy::allowScriptFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowObjectFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowImageFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowStyleFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowFontFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowMediaFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowConnectToSource): Ditto.
(WebCore::ContentSecurityPolicy::allowFormAction): Ditto.
(WebCore::ContentSecurityPolicy::allowBaseURI): Ditto.

  • page/ContentSecurityPolicy.h:
  • page/DOMSecurityPolicy.cpp:
  • page/EventSource.cpp:

(WebCore::EventSource::create): Pass shouldBypassMainWorldContentSecurityPolicy to ContentSecurityPolicy::allowConnectToSource().

  • platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:

(WebCore::WebCoreAVFResourceLoader::startLoading): Instantiate ResourceLoaderOptions passing placeholder value ContentSecurityPolicyImposition::DoPolicyCheck.
This value does not affect the request because we do not check the Content Security Policy for raw resource requests.

  • svg/SVGFEImageElement.cpp:

(WebCore::SVGFEImageElement::requestImageResource): Skip CSP check for a SVG FEImage element in a user agent shadow tree.

  • svg/SVGFontFaceUriElement.cpp:

(WebCore::SVGFontFaceUriElement::loadFont): Skip CSP check for a SVG font-face-uri element in a user agent shadow tree.

  • svg/SVGUseElement.cpp:

(WebCore::SVGUseElement::updateExternalDocument): Skip CSP check for a SVG use element in a user agent shadow tree.

  • testing/Internals.cpp:

(WebCore::Internals::ensureUserAgentShadowRoot): Added.

  • testing/Internals.h:
  • testing/Internals.idl: Added declaration for ensureUserAgentShadowRoot().
  • xml/XMLHttpRequest.cpp:

(WebCore::XMLHttpRequest::open): Pass shouldBypassMainWorldContentSecurityPolicy to ContentSecurityPolicy::allowConnectToSource().

LayoutTests:

Add tests to ensure that we exempt nodes in a user agent shadow tree from the Content Security Policy (CSP) of the page.

Updated test LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html to ensure that
we do not bypass the CSP of the page for a script that executes in an isolated world and renamed the
file image-load-should-not-bypass-main-world-csp.html.

  • http/tests/security/contentSecurityPolicy/resources/alert-pass-and-notify-done.js: Added.
  • http/tests/security/contentSecurityPolicy/resources/wait-until-done.js: Added.

(alertAndDone):

  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-background-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-background.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-cursor-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-cursor.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-filter-on-image-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-filter-on-image.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-webkit-image-set-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-webkit-image-set.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-embed-plugin-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-embed-plugin.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-external-script-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-external-script.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-iframe-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-iframe.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image-after-redirect-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image-after-redirect.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-style-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-style.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-stylesheet-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-stylesheet.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object-plugin-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object-plugin.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-feimage-element-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-feimage-element.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-use-element-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-use-element.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-track-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-track.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-allowed-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-allowed.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3.html: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/allow-inline-script.js: Added.

(window.onload):
(testPassed):

  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/floodGreenFilter.svg: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/video-controls-allowed-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/userAgentShadowDOM/video-controls-allowed.html: Added.
  • http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt: Renamed from LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt.
  • http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html: Renamed from LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html.

5:23 PM Changeset in webkit [186387] by Matt Baker
  • 4 edits in trunk/Source/WebInspectorUI

Web Inspector: Rendering Frame bars appear misaligned and contain gaps when displaying small task segments
https://bugs.webkit.org/show_bug.cgi?id=146475

Reviewed by Timothy Hatcher.

Displaying all task segments within a frame in the Rendering Frames graph is impossible, as very short tasks
would result in a bar with a height of less than 1 pixel. Consecutive small tasks, each less than a visible
pixel, appear as gaps in the frame bar. This patch addresses these shortcomings by introducing a minimum
displayable frame height (3 pixels), and setting the height of every frame to a multiple of the minimum height.

  • UserInterface/Base/Utilities.js:

(.value):
Added Math.roundTo to simplify rounding to arbitrary intervals.

  • UserInterface/Views/TimelineRecordFrame.css:

(.timeline-record-frame):
(.timeline-record-frame > .frame > .duration):
Enforce 3px min height for frames & segments. TimelineRenderingFrame's segment height calculator
creates segments that are always at least 3px, this is just a precaution.

  • UserInterface/Views/TimelineRecordFrame.js:

(WebInspector.TimelineRecordFrame.prototype._calculateFrameDisplayData.updateDurationRemainder):
(WebInspector.TimelineRecordFrame.prototype._calculateFrameDisplayData.pushCurrentSegment):
(WebInspector.TimelineRecordFrame.prototype._calculateFrameDisplayData.invisibleSegments.forEach):
(WebInspector.TimelineRecordFrame.prototype._updateChildElements.createDurationElement): Deleted.
Added algorithm for calculating frame segment heights, rather than simply dividing each task's
duration by the frame duration. Results are cached so the segment heights aren't needlessly
recalculated on every scroll/zoom.

5:21 PM Changeset in webkit [186386] by timothy@apple.com
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Force show Console tab when supportsSplitContentBrowser is false
https://bugs.webkit.org/show_bug.cgi?id=146661

Reviewed by Joseph Pecoraro.

  • UserInterface/Base/Main.js:

(WebInspector.showConsoleTab):

4:41 PM Changeset in webkit [186385] by Brent Fulgham
  • 9 edits in trunk/Source

Ensure media playback is stopped during page close
https://bugs.webkit.org/show_bug.cgi?id=146554
<rdar://problem/18033944>

Reviewed by Brady Eidson.

Source/WebCore:

  • Modules/webaudio/AudioContext.h:

(WebCore::WebAudio::hostingDocument): Added.

  • html/HTMLMediaElement.h:

(WebCore::HTMLMediaElement::hostingDocument): Added.

  • dom/Document.cpp:

(WebCore::Document::~Document): Call new 'stopAllMediaPlaybackForDocument' at destruction time.

  • platform/audio/PlatformMediaSession.h:

Made PlatformMediaSessionManager a friend so it can access the protected 'client' accessor.
Updated PlatformMediaSessionClient to require clients to have a "hostingDocument" member.

  • platform/audio/PlatformMediaSessionManager.cpp:

(WebCore::PlatformMediaSessionManager::stopAllMediaPlaybackForDocument): Added. Only pauses
playback on elements that match the provided document.
(WebCore::PlatformMediaSessionManager::stopAllMediaPlaybackForProcess): Added. Pauses playback
on all elements in the current process.

  • platform/audio/PlatformMediaSessionManager.h:

Source/WebKit2:

  • WebProcess/WebProcess.cpp:

(WebKit::WebProcess::didClose): Make sure to clean up any running media sessions when
the process is being shut down.

4:27 PM Changeset in webkit [186384] by dino@apple.com
  • 2 edits in trunk/Source/WebCore

Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
https://bugs.webkit.org/show_bug.cgi?id=146652
<rdar://problem/21567767>

Follow-up fix.

  • html/canvas/WebGLRenderingContextBase.cpp:

(WebCore::WebGLRenderingContextBase::simulateVertexAttrib0):

4:26 PM Changeset in webkit [186383] by achristensen@apple.com
  • 10 edits in trunk

[Content Extensions] Remove memory page reporting
https://bugs.webkit.org/show_bug.cgi?id=146659

Reviewed by Benjamin Poulain.

Source/WebCore:

  • contentextensions/CompiledContentExtension.cpp:

(WebCore::ContentExtensions::CompiledContentExtension::~CompiledContentExtension):
(WebCore::ContentExtensions::CompiledContentExtension::globalDisplayNoneSelectors):

  • contentextensions/CompiledContentExtension.h:
  • contentextensions/ContentExtension.cpp:

(WebCore::ContentExtensions::ContentExtension::globalDisplayNoneStyleSheet):

  • contentextensions/ContentExtension.h:

(WebCore::ContentExtensions::ContentExtension::compiledExtension):

  • contentextensions/ContentExtensionsBackend.cpp:

(WebCore::ContentExtensions::ContentExtensionsBackend::actionsForResourceLoad):

  • contentextensions/DFABytecodeInterpreter.cpp:

(WebCore::ContentExtensions::getBits):
(WebCore::ContentExtensions::getInstruction):
(WebCore::ContentExtensions::jumpSizeInBytes):
(WebCore::ContentExtensions::getJumpSize):
(WebCore::ContentExtensions::getJumpDistance):
(WebCore::ContentExtensions::DFABytecodeInterpreter::interpretAppendAction):
(WebCore::ContentExtensions::DFABytecodeInterpreter::interpretTestFlagsAndAppendAction):
(WebCore::ContentExtensions::DFABytecodeInterpreter::actionsForDefaultStylesheetFromDFARoot):
(WebCore::ContentExtensions::DFABytecodeInterpreter::interpret):

  • contentextensions/DFABytecodeInterpreter.h:

Don't keep track of memory page usage. It wasn't even correct anyways.

Tools:

  • TestWebKitAPI/Tests/WebCore/ContentExtensions.cpp:

(TestWebKitAPI::TEST_F):

4:06 PM Changeset in webkit [186382] by matthew_hanson@apple.com
  • 5 edits in tags/Safari-601.1.38.1/Source

Versioning.

4:01 PM Changeset in webkit [186381] by achristensen@apple.com
  • 2 edits in trunk/Source/WebCore

[Content Extensions] Increase maxNFASize
https://bugs.webkit.org/show_bug.cgi?id=146656

Reviewed by Benjamin Poulain.

Because of memory improvements in r186375, r186374, and r186079,
we can now increase the maximum number of NFA nodes in order to avoid
long compile times of some large, complicated content blockers.
This also improves the interpreting time of content blockers.

  • contentextensions/ContentExtensionCompiler.cpp:

(WebCore::ContentExtensions::compileRuleList):
Increase maxNFASize to 75000 to avoid long compile times.

3:34 PM Changeset in webkit [186380] by dino@apple.com
  • 2 edits in trunk/Source/WebCore

Memory corruption in WebGLRenderingContext::simulateVertexAttrib0
https://bugs.webkit.org/show_bug.cgi?id=146652
<rdar://problem/21567767>

Reviewed by Brent Fulgham.

The expression "(numVertex + 1) * 4 * sizeof(GC3Dfloat)" could potentially
overflow. Make it use checked arithmetic.

I couldn't make a test case that reliably exercised this.

  • html/canvas/WebGLRenderingContextBase.cpp:

(WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Used Checked<GC3Dsizeiptr>
for calculating the size of the buffer.
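
The overflow this changeset describes, as an added C++ illustration that is not WebKit's code: the helpers below are hypothetical stand-ins for the Checked<GC3Dsizeiptr> arithmetic the message names, and GC3Dfloat is assumed to be a 4-byte float. Fixed-width types model a 32-bit and a 64-bit size type so the wrap-around is reproducible on any build.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Added illustration, not WebKit source. All names here are hypothetical.
// kComponents and sizeof(float) mirror the "4 * sizeof(GC3Dfloat)" factors
// quoted in the commit message (GC3Dfloat assumed to be a 4-byte float).
static const int kComponents = 4;

// Unchecked form, modelled with 32-bit unsigned arithmetic (how size_t
// behaves on a 32-bit target): the product silently wraps modulo 2^32.
uint32_t uncheckedAttrib0BufferSize32(uint32_t numVertex)
{
    return (numVertex + 1u) * static_cast<uint32_t>(kComponents)
        * static_cast<uint32_t>(sizeof(float));
}

// Checked addition for non-negative signed operands; false means overflow.
template <typename T>
bool checkedAdd(T a, T b, T& out)
{
    if (a < 0 || b < 0 || a > std::numeric_limits<T>::max() - b)
        return false;
    out = a + b;
    return true;
}

// Checked multiplication for non-negative signed operands.
template <typename T>
bool checkedMul(T a, T b, T& out)
{
    if (a < 0 || b < 0)
        return false;
    if (a != 0 && b > std::numeric_limits<T>::max() / a)
        return false;
    out = a * b;
    return true;
}

// Checked form of (numVertex + 1) * 4 * sizeof(float). SizeT plays the role
// of the signed, pointer-sized buffer-size type. Returns false instead of
// producing a wrapped size, so the caller can refuse to allocate or draw.
template <typename SizeT>
bool checkedAttrib0BufferSize(int32_t numVertex, SizeT& bytes)
{
    if (numVertex < 0)
        return false;
    SizeT count = 0;
    SizeT floats = 0;
    if (!checkedAdd<SizeT>(static_cast<SizeT>(numVertex), 1, count))
        return false;
    if (!checkedMul<SizeT>(count, static_cast<SizeT>(kComponents), floats))
        return false;
    return checkedMul<SizeT>(floats, static_cast<SizeT>(sizeof(float)), bytes);
}

int main()
{
    const int32_t numVertex = 0x0FFFFFFF; // constructed sample value
    int32_t size32 = 0;
    int64_t size64 = 0;
    std::printf("unchecked 32-bit size: %u\n",
        static_cast<unsigned>(uncheckedAttrib0BufferSize32(numVertex)));
    std::printf("checked 32-bit ok: %d\n",
        checkedAttrib0BufferSize<int32_t>(numVertex, size32) ? 1 : 0);
    std::printf("checked 64-bit ok: %d, size: %lld\n",
        checkedAttrib0BufferSize<int64_t>(numVertex, size64) ? 1 : 0,
        static_cast<long long>(size64));
    return 0;
}
```

With the constructed input, the unchecked 32-bit product wraps to a zero-byte buffer while the caller still expects room for (numVertex + 1) * 4 floats; the checked form reports failure instead.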

3:18 PM Changeset in webkit [186379] by saambarati1@gmail.com
  • 8 edits
    3 adds in trunk

JSC's parser should follow the ES6 spec with respect to parsing Declarations
https://bugs.webkit.org/show_bug.cgi?id=146621

Reviewed by Mark Lam.

Source/JavaScriptCore:

There were a few locations where JSC would allow declaration statements
in incorrect ways. JSC didn't distinguish between 'Statement' and
'StatementListItem' grammar productions. The relevant grammar is here:
http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements

From the ECMA Script 6.0 spec:

  1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement) says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems. (Same with 'while/for/do-while' loop bodies).
  2. Section 13 ECMAScript Language: Statements and Declarations (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations) defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations (const, let, see 13.3.1 Let and Const Declarations). Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).

Hence, the following style of declarations are no longer allowed:

'if/for/while (condition) const x = 40;'
'if/for/while (condition) class C { }'

Instead, we mandate such declaration constructs are within a StatementList (which is the production that JSC's Parser::parseSourceElements function parses):

'if/for/while (condition) { const x = 40; }'
'if/for/while (condition) { class C { } }'

  • parser/Parser.cpp:

(JSC::Parser<LexerType>::parseSourceElements):
(JSC::Parser<LexerType>::parseStatementListItem):
(JSC::Parser<LexerType>::parseVarDeclaration):
(JSC::Parser<LexerType>::parseStatement):
(JSC::Parser<LexerType>::parseExpressionStatement):

  • parser/Parser.h:

(JSC::Parser::getLabel):

LayoutTests:

  • js/parser-syntax-check-expected.txt:
  • js/script-tests/const.js:

(with1):
(with2):

  • js/script-tests/parser-syntax-check.js:
  • js/script-tests/statement-list-item-syntax-errors.js: Added.

(testSyntax):
(runTests):

  • js/statement-list-item-syntax-errors-expected.txt: Added.
  • js/statement-list-item-syntax-errors.html: Added.
  • sputnik/Conformance/07_Lexical_Conventions/7.5_Tokens/7.5.3_Future_Reserved_Words/S7.5.3_A1.5-expected.txt:

3:03 PM Changeset in webkit [186378] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html crashes on Windows sometimes

<http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=http%2Ftests%2Fsecurity%2FXFrameOptions%2Fx-frame-options-deny-meta-tag.html>

  • platform/win/TestExpectations: Mark test as crashing, too:
  • http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag.html

2:31 PM Changeset in webkit [186377] by commit-queue@webkit.org
  • 8 edits in trunk/Source/WebKit2

Allow UIDelegate to customize link actions in preview.
https://bugs.webkit.org/show_bug.cgi?id=146567

Add a new UIDelegate method to pass the defaultActions and elementInfo to client to allow
the client to customize the actions based on the element. Also add a new SPI runActionWithElementInfo:
to _WKElementAction and make it aware of the WKActionSheetAssistant that creates it, so that
the client can run the action without knowing WKActionSheetAssistant.

Patch by Yongjun Zhang <yongjun_zhang@apple.com> on 2015-07-06
Reviewed by Beth Dakin.

  • UIProcess/API/Cocoa/WKUIDelegatePrivate.h: Add delegate method _webView:previewViewControllerForURL:defaultActions:elementInfo:.
  • UIProcess/API/Cocoa/_WKElementAction.h: Add a SPI runActionWithElementInfo:.
  • UIProcess/API/Cocoa/_WKElementAction.mm:

(-[_WKElementAction _initWithTitle:actionHandler:type:assistant:]): Modified initializer, also initialize _defaultActionSheetAssistant iVar if the caller provides that.

(+[_WKElementAction elementActionWithTitle:actionHandler:]): Use the new initializer.
(+[_WKElementAction _elementActionWithType:customTitle:assistant:]): A new helper method to create _WKElementAction with assistant.
(+[_WKElementAction _elementActionWithType:assistant:]):
(+[_WKElementAction elementActionWithType:customTitle:]):
(-[_WKElementAction runActionWithElementInfo:]):

  • UIProcess/API/Cocoa/_WKElementActionInternal.h:
  • UIProcess/ios/WKActionSheetAssistant.h: Add a method defaultActionsForLinkSheet.
  • UIProcess/ios/WKActionSheetAssistant.mm:

(-[WKActionSheetAssistant defaultActionsForLinkSheet]): Get default actions for current link that is activated.
(-[WKActionSheetAssistant showLinkSheet]): Use defaultActionsForLinkSheet.

  • UIProcess/ios/WKContentViewInteraction.mm:

(-[WKContentView previewViewControllerForPosition:inSourceView:]): Pass defaultActions and elementInfo to UIDelegate when querying for preview view controller.

(-[WKContentView didDismissPreviewViewController:committing:]):

2:11 PM Changeset in webkit [186376] by commit-queue@webkit.org
  • 2 edits in trunk/Source/WebCore

[Mac] REGRESSION: (r181403) Enter/Exit full screen on 1x secondary display plugged into 2x Mac displays WebView as 1/4 size during transition
https://bugs.webkit.org/show_bug.cgi?id=146651

Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2015-07-06
Reviewed by Simon Fraser.

  • platform/mac/WebCoreFullScreenPlaceholderView.mm: set layerContentsPlacement
to NSViewLayerContentsPlacementScaleProportionallyToFit so AppKit resizes the
content CALayer to fit in the WebView.

2:07 PM Changeset in webkit [186375] by benjamin@webkit.org
  • 5 edits
    2 copies in trunk/Source/WebCore

Reduce the memory usage of the prefix tree
https://bugs.webkit.org/show_bug.cgi?id=146615

Reviewed by Sam Weinig.

This patch introduces two little changes that reduce the size
of the prefix tree by about 40%.

First, the Terms are interned. The new class CombinedFiltersAlphabet
takes care of keeping a unique version of each term for use
by the CombinedURLFilters.

Since each Term is fairly big but we have a small number of
unique terms, we significantly reduce the edge size.

Second, the actions are no longer stored on each Vertex.
They are now stored on the side, in a HashMap indexed by
their Vertex.

This works well because the Actions are sparse over the tree.
Typically, only the leaves have actions. Internal vertices
sometimes get actions but that's uncommon.

---

The next step to reduce the memory footprint would be to
make PrefixTreeVertex into a custom packed structure instead
of using a Vector.

Such change is very invasive and more error prone so I decided
against it for this patch.

  • WebCore.xcodeproj/project.pbxproj:
  • contentextensions/CombinedFiltersAlphabet.cpp: Copied from Source/WebCore/contentextensions/CombinedURLFilters.h.

(WebCore::ContentExtensions::TermCreatorTranslator::hash):
(WebCore::ContentExtensions::TermCreatorTranslator::equal):
(WebCore::ContentExtensions::TermCreatorTranslator::translate):
(WebCore::ContentExtensions::CombinedFiltersAlphabet::interned):
(WebCore::ContentExtensions::CombinedFiltersAlphabet::memoryUsed):

  • contentextensions/CombinedFiltersAlphabet.h: Copied from Source/WebCore/contentextensions/CombinedURLFilters.h.

(WebCore::ContentExtensions::CombinedFiltersAlphabet::TermPointerHash::hash):
(WebCore::ContentExtensions::CombinedFiltersAlphabet::TermPointerHash::equal):

  • contentextensions/CombinedURLFilters.cpp:

(WebCore::ContentExtensions::recursiveMemoryUsed):
(WebCore::ContentExtensions::CombinedURLFilters::memoryUsed):
(WebCore::ContentExtensions::prefixTreeVertexToString):
(WebCore::ContentExtensions::recursivePrint):
(WebCore::ContentExtensions::CombinedURLFilters::addPattern):
(WebCore::ContentExtensions::generateNFAForSubtree):
(WebCore::ContentExtensions::CombinedURLFilters::processNFAs):

  • contentextensions/CombinedURLFilters.h:
  • contentextensions/ContentExtensionsDebugging.h:
  • contentextensions/Term.h:

(WebCore::ContentExtensions::Term::isValid):
(WebCore::ContentExtensions::Term::destroy):
(WebCore::ContentExtensions::Term::memoryUsed):
(WebCore::ContentExtensions::Term::toString): Deleted.
(WebCore::ContentExtensions::TermHash::hash): Deleted.
(WebCore::ContentExtensions::TermHash::equal): Deleted.
(WebCore::ContentExtensions::Term::Term): Deleted.
(WebCore::ContentExtensions::Term::isKnownToMatchAnyString): Deleted.
(WebCore::ContentExtensions::Term::hasFixedLength): Deleted.
(WebCore::ContentExtensions::Term::operator==): Deleted.
(WebCore::ContentExtensions::Term::hash): Deleted.
(WebCore::ContentExtensions::Term::isDeletedValue): Deleted.
(WebCore::ContentExtensions::Term::isUniversalTransition): Deleted.
(WebCore::ContentExtensions::Term::generateSubgraphForAtom): Deleted.

2:06 PM Changeset in webkit [186374] by achristensen@apple.com
  • 16 edits
    1 add in trunk

[Content Extensions] Make the DFA transitions ranges instead of characters
https://bugs.webkit.org/show_bug.cgi?id=146575

Patch by Benjamin Poulain <benjamin@webkit.org> on 2015-07-06
Reviewed by Alex Christensen.

Source/WebCore:

This patch changes the DFA and code using the DFA to use ranges
to represent the transitions between any two nodes.

This patch builds on top of the tools introduced in r186079.

The DFA structure is basically the same as ImmutableNFA but without
any epsilon transitions.

This patch introduces a transition iterator to make the DFA
compatible with the existing algorithms.

---

The DFA combiner is rebuilt on top of MutableRangeList. Combining the transitions
of two nodes is done by merging the range list of each node into a common
MutableRangeList.
The data converter takes care of creating the signature of the combination.

The code got simpler since MutableRangeList does most of the work now. It is also
much faster.

---

The minimizer is more interesting.

With the current algorithm, we cannot resolve overlaps between ranges. On the other
hand, the minimizer does not care about the symbol of the transitions if we are careful
to partition transitions of the same symbol together.

What I did was to turn the minimizer into a pure transition based one, BUT each
"symbol" is actually an unbreakable range.

The first step is to go over all the transitions of all the nodes and find the largest
ranges such that the alphabet of interest is covered but there is not a single intersection
between any two nodes (what I called "singular transitions" in the code).

This can be done efficiently with MutableRangeList.
A little trick there is that I also used the converter to count how many real transitions
overlap any singular transition.

Those singular transitions become the alphabet of our minimizer. The "symbol" of our alphabet
is simply the position of the singular transition in the list.

The partition of transitions is created by populating each set with all the transitions that
overlap the symbols.
Note that since the partition is created on the fly, the Transition structure used for
repartitioning only contains the source of the transitions.

Once our transition partition has been carefully created, we can completely forget about
the symbols and only work with subsets.

Since the singular transitions have no overlap (unlike fallback transitions), this new minimizer
will find the minimal solution for well-formed input.

  • WebCore.xcodeproj/project.pbxproj:
  • contentextensions/DFA.cpp:

(WebCore::ContentExtensions::DFA::memoryUsed):
(WebCore::ContentExtensions::printTransitions):
(WebCore::ContentExtensions::DFANode::actions): Deleted.
(WebCore::ContentExtensions::DFANode::transitions): Deleted.
(WebCore::ContentExtensions::DFANode::fallbackTransitionDestination): Deleted.
(WebCore::ContentExtensions::DFANode::changeFallbackTransition): Deleted.
(WebCore::ContentExtensions::DFANode::addFallbackTransition): Deleted.
(WebCore::ContentExtensions::DFANode::containsTransition): Deleted.
(WebCore::ContentExtensions::DFANode::kill): Deleted.
(WebCore::ContentExtensions::DFA::debugPrintDot): Deleted.

  • contentextensions/DFA.h:

(WebCore::ContentExtensions::DFANode::ConstRangeIterator::range):
(WebCore::ContentExtensions::DFANode::ConstRangeIterator::target):
(WebCore::ContentExtensions::DFANode::RangeIterator::range):
(WebCore::ContentExtensions::DFANode::RangeIterator::target):
(WebCore::ContentExtensions::DFANode::RangeIterator::resetTarget):

  • contentextensions/DFABytecodeCompiler.cpp:

(WebCore::ContentExtensions::DFABytecodeCompiler::ranges):
(WebCore::ContentExtensions::DFABytecodeCompiler::nodeTransitionsMaxBytecodeSize):
(WebCore::ContentExtensions::DFABytecodeCompiler::compileNodeTransitions):

  • contentextensions/DFACombiner.cpp:

(WebCore::ContentExtensions::DFAMerger::TargetConverter::convert):
(WebCore::ContentExtensions::DFAMerger::TargetConverter::extend):
(WebCore::ContentExtensions::DFAMerger::TargetConverter::setHalfSignature):
(WebCore::ContentExtensions::DFAMerger::merge):
(WebCore::ContentExtensions::DFAMerger::getOrCreateCombinedNode):
(WebCore::ContentExtensions::DFAMerger::setHalfSignature): Deleted.
(WebCore::ContentExtensions::DFAMerger::populateTransitions): Deleted.
(WebCore::ContentExtensions::DFAMerger::populateFromFallbackTransitions): Deleted.
(WebCore::ContentExtensions::DFAMerger::createTransitions): Deleted.
(WebCore::ContentExtensions::DFAMerger::createFallbackTransitionIfNeeded): Deleted.

  • contentextensions/DFAMinimizer.cpp:

(WebCore::ContentExtensions::DFAMinimizer::minimize):

  • contentextensions/DFANode.cpp: Added.

(WebCore::ContentExtensions::DFANode::actions):
(WebCore::ContentExtensions::DFANode::containsTransition):
(WebCore::ContentExtensions::DFANode::kill):
(WebCore::ContentExtensions::DFANode::canUseFallbackTransition):
(WebCore::ContentExtensions::DFANode::bestFallbackTarget):

  • contentextensions/DFANode.h:

(WebCore::ContentExtensions::CharRange::size):
(WebCore::ContentExtensions::DFANode::ConstRangeIterator::operator*):
(WebCore::ContentExtensions::DFANode::ConstRangeIterator::operator==):
(WebCore::ContentExtensions::DFANode::ConstRangeIterator::operator!=):
(WebCore::ContentExtensions::DFANode::ConstRangeIterator::operator++):
(WebCore::ContentExtensions::DFANode::ConstRangeIterator::first):
(WebCore::ContentExtensions::DFANode::ConstRangeIterator::last):
(WebCore::ContentExtensions::DFANode::ConstRangeIterator::data):
(WebCore::ContentExtensions::DFANode::IterableConstRange::begin):
(WebCore::ContentExtensions::DFANode::IterableConstRange::end):
(WebCore::ContentExtensions::DFANode::transitions):
(WebCore::ContentExtensions::DFANode::RangeIterator::operator*):
(WebCore::ContentExtensions::DFANode::RangeIterator::operator==):
(WebCore::ContentExtensions::DFANode::RangeIterator::operator!=):
(WebCore::ContentExtensions::DFANode::RangeIterator::operator++):
(WebCore::ContentExtensions::DFANode::RangeIterator::first):
(WebCore::ContentExtensions::DFANode::RangeIterator::last):
(WebCore::ContentExtensions::DFANode::RangeIterator::data):
(WebCore::ContentExtensions::DFANode::IterableRange::begin):
(WebCore::ContentExtensions::DFANode::IterableRange::end):
(WebCore::ContentExtensions::DFANode::hasFallbackTransition): Deleted.
(WebCore::ContentExtensions::DFANode::transitionsLength): Deleted.
(WebCore::ContentExtensions::DFANode::transitionsStart): Deleted.
(WebCore::ContentExtensions::DFANode::resetTransitions): Deleted.
(WebCore::ContentExtensions::DFANode::setHasFallbackTransitionWithoutChangingDFA): Deleted.

  • contentextensions/ImmutableNFA.h:

(WebCore::ContentExtensions::ImmutableNFA::ConstRangeIterator::first):
(WebCore::ContentExtensions::ImmutableNFA::ConstRangeIterator::last):
(WebCore::ContentExtensions::ImmutableNFA::ConstRangeIterator::data):
(WebCore::ContentExtensions::ImmutableNFA::ConstRangeIterator::range):
(WebCore::ContentExtensions::ImmutableNFA::ConstRangeIterator::operator*): Deleted.
(WebCore::ContentExtensions::ImmutableNFA::ConstRangeIterator::operator->): Deleted.

  • contentextensions/ImmutableNFANodeBuilder.h:

(WebCore::ContentExtensions::ImmutableNFANodeBuilder::FakeRangeIterator::first):
(WebCore::ContentExtensions::ImmutableNFANodeBuilder::FakeRangeIterator::last):
(WebCore::ContentExtensions::ImmutableNFANodeBuilder::FakeRangeIterator::operator*): Deleted.
(WebCore::ContentExtensions::ImmutableNFANodeBuilder::FakeRangeIterator::operator->): Deleted.

  • contentextensions/MutableRange.h:

(WebCore::ContentExtensions::MutableRange::size): Deleted.

  • contentextensions/MutableRangeList.h:

(WebCore::ContentExtensions::MutableRangeList::ConstIterator::first):
(WebCore::ContentExtensions::MutableRangeList::ConstIterator::last):
(WebCore::ContentExtensions::MutableRangeList::ConstIterator::data):
(WebCore::ContentExtensions::MutableRangeList::extend):
(WebCore::ContentExtensions::MutableRangeList::size):
(WebCore::ContentExtensions::MutableRangeList::initializeFrom):

  • contentextensions/NFAToDFA.cpp:

(WebCore::ContentExtensions::NFAToDFA::convert):
(WebCore::ContentExtensions::canUseFallbackTransition): Deleted.
(WebCore::ContentExtensions::findBestFallbackTarget): Deleted.

Tools:

  • TestWebKitAPI/Tests/WebCore/ContentExtensions.cpp:
  • TestWebKitAPI/Tests/WebCore/DFAMinimizer.cpp:

Since the minimizer is perfect, we get the minimal solution now,
which is really cool!
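
The "singular transitions" step described in the changeset above, as an added sketch that is not part of the commit and is not WebKit's code. It assumes a plain boundary sweep in place of MutableRangeList; the type and function names and the three-node DFA are constructed for illustration.

```cpp
#include <algorithm>
#include <cstdio>
#include <iterator>
#include <map>
#include <vector>

// A range transition: every character in [first, last] leads to node `target`.
struct RangeTransition { int first; int last; unsigned target; };
struct Node { std::vector<RangeTransition> transitions; };

// A singular transition: a range that no real transition cuts through.
// overlapCount is the number of real transitions that cover it.
struct SingularRange { int first; int last; unsigned overlapCount; };

// Split the covered alphabet at every start and end of a real transition.
std::vector<SingularRange> singularRanges(const std::vector<Node>& dfa)
{
    // boundary -> net change in the number of transitions covering the alphabet from there on.
    std::map<int, int> delta;
    for (const Node& node : dfa) {
        for (const RangeTransition& t : node.transitions) {
            delta[t.first] += 1;
            delta[t.last + 1] -= 1;
        }
    }
    std::vector<SingularRange> alphabet;
    int covering = 0;
    for (auto it = delta.begin(); it != delta.end(); ++it) {
        covering += it->second;
        auto next = std::next(it);
        if (next == delta.end())
            break;
        // Gaps that no transition covers are not part of the alphabet of interest.
        if (covering > 0)
            alphabet.push_back({ it->first, next->first - 1, static_cast<unsigned>(covering) });
    }
    return alphabet;
}

// The minimizer's "symbol" is the index of a singular range. Each set holds only the
// source node of every real transition that overlaps that symbol.
std::vector<std::vector<unsigned>> transitionPartition(const std::vector<Node>& dfa,
                                                       const std::vector<SingularRange>& alphabet)
{
    std::vector<std::vector<unsigned>> sets(alphabet.size());
    // Assumed use of the overlap count in this sketch: pre-sizing each set.
    for (size_t symbol = 0; symbol < alphabet.size(); ++symbol)
        sets[symbol].reserve(alphabet[symbol].overlapCount);

    for (unsigned source = 0; source < dfa.size(); ++source) {
        for (const RangeTransition& t : dfa[source].transitions) {
            // A singular range always starts exactly at t.first, because t.first is a boundary.
            auto it = std::lower_bound(alphabet.begin(), alphabet.end(), t.first,
                [](const SingularRange& range, int character) { return range.first < character; });
            for (; it != alphabet.end() && it->last <= t.last; ++it)
                sets[it - alphabet.begin()].push_back(source);
        }
    }
    return sets;
}

// Constructed sample: three nodes whose ranges overlap only partially.
std::vector<Node> constructedDfa()
{
    std::vector<Node> dfa(3);
    dfa[0].transitions = { { 'a', 'z', 1 }, { '0', '9', 2 } };
    dfa[1].transitions = { { 'a', 'f', 1 }, { 'g', 'z', 2 } };
    dfa[2].transitions = { { 'e', 'k', 0 } };
    return dfa;
}

int main()
{
    std::vector<Node> dfa = constructedDfa();
    std::vector<SingularRange> alphabet = singularRanges(dfa);
    std::vector<std::vector<unsigned>> sets = transitionPartition(dfa, alphabet);
    for (size_t symbol = 0; symbol < alphabet.size(); ++symbol) {
        std::printf("symbol %zu: [%c-%c] sources:", symbol,
            static_cast<char>(alphabet[symbol].first), static_cast<char>(alphabet[symbol].last));
        for (unsigned source : sets[symbol])
            std::printf(" %u", source);
        std::printf("\n");
    }
    return 0;
}
```

Once the sets are built, a partition-refinement minimizer can work on symbol indices alone, since no real transition straddles a singular range.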

1:51 PM Changeset in webkit [186373] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html crashes on Windows sometimes

<http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=http%2Ftests%2Fsecurity%2FXFrameOptions%2Fx-frame-options-parent-same-origin-deny.html>

  • platform/win/TestExpectations: Mark test as crashing, too:
  • http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html

1:45 PM Changeset in webkit [186372] by timothy@apple.com
  • 2 edits in trunk/Source/WebCore

Fix ASSERT causing crashes in Inspector tests on the bots.

  • inspector/InspectorPageAgent.cpp:

(WebCore::InspectorPageAgent::enable): Reset stopwatch before starting it.

1:14 PM Changeset in webkit [186371] by beidson@apple.com
  • 5 edits in trunk

ShouldOpenExternalURLsPolicy should default to "Allow" for WK2 API loads.
<rdar://problem/21640050> and https://bugs.webkit.org/show_bug.cgi?id=146563

Reviewed by Geoff Garen.

Source/WebKit2:

  • UIProcess/API/Cocoa/WKWebView.mm:

(-[WKWebView loadRequest:]): Move _loadRequest:withOptions: logic back here, just without options.
(-[WKWebView _loadRequest:withOptions:]): This SPI is now unneeded, but must remain inactive.

  • UIProcess/WebPageProxy.h:

Tools:

  • WebKitTestRunner/TestInvocation.cpp:

(WTR::TestInvocation::invoke): For testing purposes, all pages should start with the
ShouldOpenExternalURLsPolicy set to "ShouldNotAllow"

12:55 PM Changeset in webkit [186370] by Devin Rousso
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Clearing the console does not remove the unread message icon
https://bugs.webkit.org/show_bug.cgi?id=146649

Reviewed by Timothy Hatcher.

  • UserInterface/Views/LogContentView.js:

(WebInspector.LogContentView.prototype._clearLog): Removes the "unread" class from all scope bar items.

12:45 PM Changeset in webkit [186369] by beidson@apple.com
  • 4 edits in trunk/Source/WebCore

Remove unused "m_isPrivate" flag on NetworkStorageSession.
https://bugs.webkit.org/show_bug.cgi?id=146648

Reviewed by Alex Christensen.

No new tests (No behavior change).

  • platform/network/NetworkStorageSession.h:

(WebCore::NetworkStorageSession::isPrivateBrowsingSession): Deleted.

  • platform/network/cf/NetworkStorageSessionCFNet.cpp:

(WebCore::NetworkStorageSession::NetworkStorageSession): Deleted.
(WebCore::NetworkStorageSession::createPrivateBrowsingSession): Deleted.

  • platform/network/soup/NetworkStorageSessionSoup.cpp:

(WebCore::NetworkStorageSession::NetworkStorageSession): Deleted.
(WebCore::NetworkStorageSession::createPrivateBrowsingSession): Deleted.

12:44 PM Changeset in webkit [186368] by timothy@apple.com
  • 12 edits
    6 adds in trunk/Source

Web Inspector: Add a dedicated Network tab that is always live
https://bugs.webkit.org/show_bug.cgi?id=146568

Source/WebCore:

Make sure the executionStopwatch is always started and never stops so resource loads
always get timestamps, even when Timeline is not recording.

Reviewed by Joseph Pecoraro.

  • inspector/InspectorPageAgent.cpp:

(WebCore::InspectorPageAgent::enable): Start executionStopwatch.
(WebCore::InspectorPageAgent::frameStartedLoading): Reset and start executionStopwatch.

  • inspector/InspectorTimelineAgent.cpp:

(WebCore::InspectorTimelineAgent::internalStart): Removed executionStopwatch code.
(WebCore::InspectorTimelineAgent::internalStop): Ditto.

Source/WebInspectorUI:

Reviewed by Joseph Pecoraro.

  • Localizations/en.lproj/localizedStrings.js: Updated.
  • UserInterface/Base/Main.js:

(WebInspector.loaded):
(WebInspector.isTabTypeAllowed):
(WebInspector._tabContentViewForType):
(WebInspector._updateNewTabButtonState):
Add NetworkTabContentView to the right places.

  • UserInterface/Controllers/TimelineManager.js:

(WebInspector.TimelineManager):
(WebInspector.TimelineManager.prototype.get persistentNetworkTimeline):
(WebInspector.TimelineManager.prototype._mainResourceDidChange):
(WebInspector.TimelineManager.prototype._resourceWasAdded):
Add a persistent network timeline that always has all resources.

  • UserInterface/Images/Network.svg: Added.
  • UserInterface/Main.html: Added new files.
  • UserInterface/Views/NavigationSidebarPanel.css:

(.sidebar > .panel.navigation > .content):
Drive-by fix. The bottom was off by one. This caused misalignment between sidebar and content view when
scrolled all the way to the bottom of the content view.

  • UserInterface/Views/NetworkGridContentView.css: Added.

(.content-view.network-grid > .data-grid):
(.content-view.network-grid > .data-grid th):
(.content-view.network-grid > .data-grid td):
(.content-view.network-grid > .data-grid table.data):
Mostly copied from TimelineView.css and NetworkTimelineView.css.

  • UserInterface/Views/NetworkGridContentView.js: Added.

(WebInspector.NetworkGridContentView):
(WebInspector.NetworkGridContentView.prototype.get navigationSidebarTreeOutline):
(WebInspector.NetworkGridContentView.prototype.get selectionPathComponents):
(WebInspector.NetworkGridContentView.prototype.get zeroTime):
(WebInspector.NetworkGridContentView.prototype.shown):
(WebInspector.NetworkGridContentView.prototype.hidden):
(WebInspector.NetworkGridContentView.prototype.closed):
(WebInspector.NetworkGridContentView.prototype.updateLayout):
(WebInspector.NetworkGridContentView.prototype.needsLayout):
(WebInspector.NetworkGridContentView.prototype.reset):
(WebInspector.NetworkGridContentView.prototype._processPendingRecords):
(WebInspector.NetworkGridContentView.prototype._networkTimelineReset):
(WebInspector.NetworkGridContentView.prototype._networkTimelineRecordAdded):
(WebInspector.NetworkGridContentView.prototype._treeElementPathComponentSelected):
(WebInspector.NetworkGridContentView.prototype._dataGridNodeSelected):
Mostly copied from NetworkTimelineView.

  • UserInterface/Views/NetworkSidebarPanel.css: Added.

(.sidebar > .panel.navigation.network > :matches(.content, .empty-content-placeholder)):
(.sidebar > .panel.navigation.network > .navigation-bar):
(.sidebar > .panel.navigation.network > .title-bar):
(.sidebar > .panel.navigation.network.network-grid-content-view-showing > .content):
(.sidebar > .panel.navigation.network .item:hover:not(.selected) .status .close.status-button):
(.sidebar > .panel.navigation.network:not(.network-grid-content-view-showing) .status .go-to-arrow.status-button):
(.sidebar > .panel.navigation.network.network-grid-content-view-showing .status .close.status-button):
(.sidebar > .panel.navigation.network.network-grid-content-view-showing .navigation-sidebar-panel-content-tree-outline.network-grid .item .subtitle):
(.sidebar > .panel.navigation.network > .content > .navigation-sidebar-panel-content-tree-outline):
(.sidebar > .panel.navigation.network.network-grid-content-view-showing > .content > .navigation-sidebar-panel-content-tree-outline):
Mostly copied from TimelineSidebarPanel.css and NetworkTimelineView.css.

  • UserInterface/Views/NetworkSidebarPanel.js: Added.

(WebInspector.NetworkSidebarPanel):
(WebInspector.NetworkSidebarPanel.prototype.closed):
(WebInspector.NetworkSidebarPanel.prototype.showDefaultContentView):
(WebInspector.NetworkSidebarPanel.prototype.saveStateToCookie):
(WebInspector.NetworkSidebarPanel.prototype.restoreStateFromCookie):
(WebInspector.NetworkSidebarPanel.prototype.hasCustomFilters):
(WebInspector.NetworkSidebarPanel.prototype.matchTreeElementAgainstCustomFilters.match):
(WebInspector.NetworkSidebarPanel.prototype.matchTreeElementAgainstCustomFilters):
(WebInspector.NetworkSidebarPanel.prototype.treeElementAddedOrChanged):
(WebInspector.NetworkSidebarPanel.prototype._networkTimelineReset):
(WebInspector.NetworkSidebarPanel.prototype._contentBrowserCurrentContentViewDidChange):
(WebInspector.NetworkSidebarPanel.prototype._treeElementGoToArrowWasClicked):
(WebInspector.NetworkSidebarPanel.prototype._treeElementCloseButtonClicked):
(WebInspector.NetworkSidebarPanel.prototype._canShowDifferentContentView):
(WebInspector.NetworkSidebarPanel.prototype._treeElementSelected):
(WebInspector.NetworkSidebarPanel.prototype._scopeBarSelectionDidChange):
A hybrid of ResourceSidebarPanel and TimelineSidebarPanel.

  • UserInterface/Views/NetworkTabContentView.js: Added.

(WebInspector.NetworkTabContentView):
(WebInspector.NetworkTabContentView.prototype.get type):
(WebInspector.NetworkTabContentView.prototype.canShowRepresentedObject):

  • UserInterface/Views/NewTabContentView.js:

(WebInspector.NewTabContentView): Add Network tab and sort the tabs by their localized name.

  • UserInterface/Views/TabBar.js:

(WebInspector.TabBar.prototype._handleNewTabClick):
Drive-by fix. Don't fire the click event if the new tab button is disabled.

12:44 PM Changeset in webkit [186367] by timothy@apple.com
  • 2 edits in trunk/Source/WebCore

Update the localized strings file.

  • English.lproj/Localizable.strings: Updated with the script.

12:37 PM Changeset in webkit [186366] by Alan Bujtas
  • 3 edits in trunk/Source/WebCore

Crash: LayoutState root's container is nullptr when the layout root is detached.
https://bugs.webkit.org/show_bug.cgi?id=146646
rdar://problem/21371544

Reviewed by Simon Fraser.

This is a speculative fix to ensure that when the root of the LayoutState is detached
we don't try to access its container (nullptr).
This is related to trac.webkit.org/r185484.

Not reproducible.

  • rendering/LayoutState.cpp:

(WebCore::LayoutState::LayoutState):

  • rendering/LayoutState.h:

(WebCore::LayoutState::LayoutState): Deleted.

12:19 PM Changeset in webkit [186365] by Csaba Osztrogonác
  • 2 edits in trunk/Source/WebKit2

URTBF after r186357 to fix non Cocoa platforms.

  • NetworkProcess/NetworkProcess.cpp:

(WebKit::NetworkProcess::deleteWebsiteData):

11:36 AM Changeset in webkit [186364] by matthew_hanson@apple.com
  • 6 edits in tags/Safari-601.1.38.1/Source/WebKit2

Merge r186148. rdar://problem/20655729

11:14 AM Changeset in webkit [186363] by achristensen@apple.com
  • 2 edits in trunk/Source/JavaScriptCore

Unreviewed debug build fix after r186358.

  • runtime/JSArray.cpp:

(JSC::JSArray::fastConcatWith):
Pass vm parameter to fastConcatType.

11:04 AM Changeset in webkit [186362] by Antti Koivisto
  • 2 edits in trunk/Source/WebKit2

With multipart/replaced (e.g. motion JPEG), m_bufferedDataForCache grows unbounded in Networking process
https://bugs.webkit.org/show_bug.cgi?id=146630
<rdar://problem/21677340>

Follow-up.

  • NetworkProcess/NetworkResourceLoader.cpp:

(WebKit::NetworkResourceLoader::didReceiveBuffer):

Typo 1014 -> 1024

11:04 AM Changeset in webkit [186361] by eric.carlson@apple.com
  • 6 edits in trunk/Source/WebCore

[Mac] Inactive AirPlay route should automatically timeout
https://bugs.webkit.org/show_bug.cgi?id=146642
<rdar://problem/21602955>

Automatically clear a media element's AirPlay connection after it has been paused
for 60 minutes, or after 8 minutes if it played to the end before pausing.

Reviewed by Brent Fulgham.

  • Modules/mediasession/WebMediaSessionManager.cpp:

(WebCore::WebMediaSessionManager::WebMediaSessionManager): Initialize m_watchdogTimer.
(WebCore::WebMediaSessionManager::clientStateDidChange): Schedule watchdog timer configuration
if the client started playing or paused.

(WebCore::WebMediaSessionManager::configurePlaybackTargetClients): Schedule watchdog timer configuration.
(WebCore::WebMediaSessionManager::toString): Print watchdog configuration flag.
(WebCore::WebMediaSessionManager::taskTimerFired): Call configureWatchdogTimer.
(WebCore::WebMediaSessionManager::configureWatchdogTimer): New, start or stop watchdog timer.
(WebCore::WebMediaSessionManager::watchdogTimerFired): Stop monitoring for targets, which
clears the route.

  • Modules/mediasession/WebMediaSessionManager.h:
  • html/HTMLMediaElement.cpp:

(WebCore::HTMLMediaElement::mediaState): Set DidPlayToEnd when appropriate.

  • page/MediaProducer.h: Add DidPlayToEnd.
  • platform/graphics/avfoundation/objc/MediaPlaybackTargetPickerMac.mm:

(WebCore::MediaPlaybackTargetPickerMac::~MediaPlaybackTargetPickerMac): Clear m_client, call
stopMonitoringPlaybackTargets.

(WebCore::MediaPlaybackTargetPickerMac::pendingActionTimerFired): Send a neutered
MediaPlaybackTarget when m_outputDeviceMenuController is NULL.

(WebCore::MediaPlaybackTargetPickerMac::devicePicker): Add logging.
(WebCore::MediaPlaybackTargetPickerMac::stopMonitoringPlaybackTargets): Clear the menu
controller to cancel the route.

10:59 AM Changeset in webkit [186360] by commit-queue@webkit.org
  • 2 edits in trunk/Source/WebKit2

Unreviewed, rolling out r185896.
https://bugs.webkit.org/show_bug.cgi?id=146647

Caused by a refcounting error in GTK+; it's actually legal for
the event to be null, just the gi annotations were wrong.
(Requested by mcatanzaro on #webkit).

Reverted changeset:

"[GTK] Crash performing drag-and-drop"
https://bugs.webkit.org/show_bug.cgi?id=146267
http://trac.webkit.org/changeset/185896

10:58 AM Changeset in webkit [186359] by Lucas Forschler
  • 1 copy in tags/Safari-601.1.38.1

New Tag.

10:45 AM Changeset in webkit [186358] by rniwa@webkit.org
  • 4 edits in trunk/Source/JavaScriptCore

Array.concat should be fast for integer or double arrays
https://bugs.webkit.org/show_bug.cgi?id=146260

Reviewed by Darin Adler.

Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
arrays, simply memcopy the arrays into a new uninitialized buffer.

This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.

  • runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncConcat):

  • runtime/JSArray.cpp:

(JSC::JSArray::fastConcatWith): Added.

  • runtime/JSArray.h:

(JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
the fast path. Returns NonArray otherwise.

10:42 AM Changeset in webkit [186357] by andersca@apple.com
  • 9 edits in trunk/Source/WebKit2

Provide API to clear the HSTS cache
https://bugs.webkit.org/show_bug.cgi?id=146565
rdar://problem/20023805

Reviewed by Tim Horton.

  • NetworkProcess/NetworkProcess.cpp:

(WebKit::NetworkProcess::deleteWebsiteData):

  • NetworkProcess/NetworkProcess.h:
  • NetworkProcess/cocoa/NetworkProcessCocoa.mm:

(WebKit::NetworkProcess::clearHSTSCache):

  • Shared/WebsiteData/WebsiteDataTypes.h:
  • UIProcess/API/Cocoa/WKWebsiteDataRecord.mm:

(dataTypesToString):

  • UIProcess/API/Cocoa/WKWebsiteDataRecordInternal.h:

(WebKit::toWebsiteDataTypes):
(WebKit::toWKWebsiteDataTypes):

  • UIProcess/API/Cocoa/WKWebsiteDataRecordPrivate.h:
  • UIProcess/WebsiteData/WebsiteDataStore.cpp:

(WebKit::computeNetworkProcessAccessTypeForDataRemoval):

10:10 AM Changeset in webkit [186356] by dbates@webkit.org
  • 2 edits in trunk/Tools

Unreviewed, rolling out r170639.

Broke using webkit-patch apply-attachment to apply an
attachment from a security bug. The patch incorrectly assumed
that Bugzilla returns a non-HTTP 200 status code in its HTTP
response when authentication is required.

Reverted changeset:

"webkit-patch apply-from-bug / apply-attachment should not ask
for credentials if none are required"
https://bugs.webkit.org/show_bug.cgi?id=40095
http://trac.webkit.org/changeset/170639

9:44 AM Changeset in webkit [186355] by Antti Koivisto
  • 2 edits in trunk/Source/WebKit2

With multipart/replaced (e.g. motion JPEG), m_bufferedDataForCache grows unbounded in Networking process
https://bugs.webkit.org/show_bug.cgi?id=146630
<rdar://problem/21677340>

Reviewed by Chris Dumez.

  • NetworkProcess/NetworkResourceLoader.cpp:

(WebKit::NetworkResourceLoader::didReceiveResponseAsync):

Don't buffer multipart/x-mixed-replace. We never want to cache these.

(WebKit::NetworkResourceLoader::didReceiveBuffer):

Limit the maximum size of the cache buffer to 10MB. This prevents unbounded memory growth if the resource
keeps streaming. It also prevents giant entries from pushing other data out of the cache.

(WebKit::NetworkResourceLoader::didFinishLoading):

8:08 AM Changeset in webkit [186354] by Nikita Vasilyev
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Mark console filters that have unseen messages by colored dots
https://bugs.webkit.org/show_bug.cgi?id=146616

Reviewed by Timothy Hatcher.

  • UserInterface/Views/LogContentView.css:

(.log-scope-bar > li.unread::before):
(.log-scope-bar > li.unread:hover::before):
(.log-scope-bar > li.unread.errors::before):
(.log-scope-bar > li.unread.warnings::before):
(.log-scope-bar > li.unread.logs::before):
(@keyframes unread-background-pulse):

7:03 AM Changeset in webkit [186353] by Carlos Garcia Campos
  • 13 edits
    15 deletes in releases/WebKitGTK/webkit-2.8

Merge r185269 - Regression(r176212): Broke app switching on iCloud.com
https://bugs.webkit.org/show_bug.cgi?id=145708
<rdar://problem/21235277>

Reviewed by Simon Fraser.

Source/WebCore:

Roll out r176212 and follow-up fixes for now, to fix iCloud.com.
We can reconsider later how to do this in a safer way.

  • bindings/js/JSCSSStyleDeclarationCustom.cpp:

(WebCore::JSCSSStyleDeclaration::putDelegate): Deleted.
(WebCore::JSCSSStyleDeclaration::getOwnPropertyNames): Deleted.

  • dom/Element.cpp:
  • dom/Element.h:
  • dom/ElementRareData.cpp:
  • dom/ElementRareData.h:

(WebCore::ElementRareData::ElementRareData):
(WebCore::ElementRareData::~ElementRareData): Deleted.

  • dom/Node.cpp:

(WebCore::Node::materializeRareData):

  • html/HTMLCanvasElement.cpp:

(WebCore::HTMLCanvasElement::notifyObserversCanvasChanged): Deleted.

  • page/DOMTimer.cpp:

(WebCore::DOMTimerFireState::scriptMadeNonUserObservableChanges): Deleted.
(WebCore::DOMTimerFireState::scriptMadeUserObservableChanges): Deleted.
(WebCore::NestedTimersMap::instanceForContext): Deleted.
(WebCore::DOMTimer::install): Deleted.
(WebCore::DOMTimer::fired): Deleted.
(WebCore::DOMTimer::alignedFireTime): Deleted.
(WebCore::DOMTimer::activeDOMObjectName): Deleted.

  • page/DOMTimer.h:
  • page/FrameView.cpp:

(WebCore::FrameView::reset): Deleted.
(WebCore::FrameView::viewportContentsChanged): Deleted.
(WebCore::FrameView::autoSizeIfEnabled): Deleted.

  • page/FrameView.h:

LayoutTests:

Remove layout tests covering DOM Timer throttling.

  • fast/canvas/canvas-outside-viewport-timer-throttling-expected.txt: Removed.
  • fast/canvas/canvas-outside-viewport-timer-throttling.html: Removed.
  • fast/dom/nested-timer-display-none-element-throttling-expected.txt: Removed.
  • fast/dom/nested-timer-display-none-element-throttling.html: Removed.
  • fast/dom/repeating-timer-display-none-element-throttling-expected.txt: Removed.
  • fast/dom/repeating-timer-display-none-element-throttling.html: Removed.
  • fast/dom/repeating-timer-element-overflow-hidden-throttling-expected.txt: Removed.
  • fast/dom/repeating-timer-element-overflow-hidden-throttling.html: Removed.
  • fast/dom/resources/timer-throttling-iframe.html: Removed.
  • fast/dom/timer-throttle-on-scrolling-iframe-away-expected.txt: Removed.
  • fast/dom/timer-throttle-on-scrolling-iframe-away.html: Removed.
  • fast/dom/timer-unthrottle-on-layout-expected.txt: Removed.
  • fast/dom/timer-unthrottle-on-layout.html: Removed.
  • fast/dom/timer-unthrottle-on-scroll-expected.txt: Removed.
  • fast/dom/timer-unthrottle-on-scroll.html: Removed.

6:52 AM WebKitGTK/2.8.x edited by Carlos Garcia Campos

6:40 AM Changeset in webkit [186352] by Carlos Garcia Campos
  • 3 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r185256 - Underlines too close in vertical Chinese text.
https://bugs.webkit.org/show_bug.cgi?id=145651
<rdar://problem/11105920>

Reviewed by Simon Fraser.

Source/WebCore:

Added fast/text/decorations-vertical-underline.html

  • style/InlineTextBoxStyle.cpp:

(WebCore::computeUnderlineOffset):
Make sure to map text-underline-position: auto to under when a line has an ideographic baseline.

LayoutTests:

  • fast/text/decorations-vertical-underline-expected.html: Added.
  • fast/text/decorations-vertical-underline.html: Added.

6:36 AM Changeset in webkit [186351] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185232 - Crash in EventDispatcher::dispatchEvent entering a location on Google Maps
https://bugs.webkit.org/show_bug.cgi?id=145677
rdar://problem/20698280

Reviewed by Dean Jackson.

If a transition is running on a pseudo-element, and the host element is removed
from the DOM just as the transition ends, and there is a transition event listener,
then we'd crash with a null dereference in event dispatch code.

AnimationController tries to clean up running animations when renderers are destroyed,
but omitted to remove the element from two vectors that store element references.
Elements are only added to these vectors briefly on animation end, before firing
events, but failure to remove the vector entries could result in attempting
to fire an event on a pseudo-element with no host element.

Also convert EventDispatcher code to be more robust to potentially null event
targets, since it's not clear that eventTargetRespectingTargetRules() can always
manage to return a non-null node.

Hard to make a test because this is timing sensitive.

  • dom/EventDispatcher.cpp:

(WebCore::eventTargetRespectingTargetRules):
(WebCore::EventDispatcher::dispatchScopedEvent):
(WebCore::EventDispatcher::dispatchEvent):
(WebCore::EventPath::EventPath):

  • page/animation/AnimationController.cpp:

(WebCore::AnimationControllerPrivate::clear):

6:32 AM Changeset in webkit [186350] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185195 - Shrink the ArabicCharShapingMode enum in SVGGlyph.cpp
https://bugs.webkit.org/show_bug.cgi?id=145564

Reviewed by Darin Adler.

Shrink the ArabicCharShapingMode enum to just one byte.
This drops the size of the static s_arabicCharShapingMode
array of ArabicCharShapingMode values from 888 bytes to 222.

  • platform/graphics/SVGGlyph.cpp:

(WebCore::processArabicFormDetection):

6:29 AM Changeset in webkit [186349] by Carlos Garcia Campos
  • 4 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r185152 - Subpixel rendering: Composited layer with subpixel gap does not get painted properly when its position changes.
https://bugs.webkit.org/show_bug.cgi?id=145587

Reviewed by Simon Fraser.

The composited layer always snaps to an enclosing device pixel (floors) while the renderer rounds.
At certain positions (for example 0.5px on a 1x display), a gap is formed between the layer(0px) and its renderer(1px).
In such cases, when the renderer moves to a position (1.1px) where the gap is closed, we need to issue repaint on the layer
in order to get the rendering right.

Source/WebCore:

Test: compositing/child-layer-with-subpixel-gap-needs-repaint-when-parent-moves.html

  • rendering/RenderLayerBacking.cpp:

(WebCore::RenderLayerBacking::updateAfterLayout):
(WebCore::devicePixelFractionGapFromRendererChanged):
(WebCore::RenderLayerBacking::updateGeometry):

  • rendering/RenderLayerBacking.h:

LayoutTests:

  • compositing/child-layer-with-subpixel-gap-needs-repaint-when-parent-moves-expected.html: Added.
  • compositing/child-layer-with-subpixel-gap-needs-repaint-when-parent-moves.html: Added.

5:55 AM Changeset in webkit [186348] by Carlos Garcia Campos
  • 4 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r185093 - REGRESSION (179771): zooming on facebook images covers image
https://bugs.webkit.org/show_bug.cgi?id=145485

Reviewed by Simon Fraser.

Scaling an infinite rect should always produce an infinite rect.
(Based on Simon Fraser's patch)

Source/WebCore:

Test: compositing/layer-creation/zoomed-clip-intersection.html

  • platform/graphics/LayoutRect.cpp:

(WebCore::LayoutRect::scale):

LayoutTests:

  • compositing/layer-creation/zoomed-clip-intersection-expected.txt: Added.
  • compositing/layer-creation/zoomed-clip-intersection.html: Added.

5:34 AM Changeset in webkit [186347] by Carlos Garcia Campos
  • 4 edits in releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore

Merge r185084 - Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24
https://bugs.webkit.org/show_bug.cgi?id=145527

Reviewed by Filip Pizlo.

If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNode's that reference it.
Added plumbing to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo
is going away.

  • bytecode/CallLinkInfo.h:

(JSC::CallLinkInfo::~CallLinkInfo):

  • jit/PolymorphicCallStubRoutine.cpp:

(JSC::PolymorphicCallNode::unlink):
(JSC::PolymorphicCallNode::clearCallLinkInfo):
(JSC::PolymorphicCallCase::dump):
(JSC::PolymorphicCallStubRoutine::edges):
(JSC::PolymorphicCallStubRoutine::clearCallNodesFor):
(JSC::PolymorphicCallStubRoutine::visitWeak):

  • jit/PolymorphicCallStubRoutine.h:

(JSC::PolymorphicCallNode::hasCallLinkInfo):

5:28 AM Changeset in webkit [186346] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185071 - [CSS JIT] Fail to compile when we are out of executable memory
https://bugs.webkit.org/show_bug.cgi?id=145483
rdar://problem/21166612

Patch by Benjamin Poulain <bpoulain@apple.com> on 2015-06-01
Reviewed by Andreas Kling.

We should use a soft failure when the Linker fails to allocate
executable memory for the CSS JIT. We will just fall back to slow
code when that happens, better slow CSS than crashing.

Credit to Chris for finding this problem.

  • cssjit/SelectorCompiler.cpp:

(WebCore::SelectorCompiler::SelectorCodeGenerator::compile):

5:23 AM Changeset in webkit [186345] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r185030 - Web Inspector: Crash closing a related tab with Web Inspector open while page is refreshing
https://bugs.webkit.org/show_bug.cgi?id=145488

Reviewed by Alexey Proskuryakov.

  • WebProcess/WebPage/WebInspector.h:
  • WebProcess/WebPage/WebInspector.cpp:

(WebKit::WebInspector::~WebInspector):
Ensure, no matter how we close, that we have invalidated the
frontend connection of which we are the client.

(WebKit::WebInspector::createInspectorPage):
This member variable will never be null.

5:20 AM Changeset in webkit [186344] by Carlos Garcia Campos
  • 3 edits
    4 adds in releases/WebKitGTK/webkit-2.8

Merge r185019 - Text disappears shortly after page load on Nexus 7 site.
https://bugs.webkit.org/show_bug.cgi?id=145467
rdar://problem/18327239

Reviewed by Simon Fraser.

This patch ensures that overlap testing for composited layers works properly when the sibling
layer gets composited through its child.

When a layer gets composited through its child content, the recursive overlap testing should build up the
overlapmap stack so that sibling content is intersected both against the child and its parent bounds.

Source/WebCore:

Tests: compositing/sibling-layer-does-not-get-composited-overflow-hidden-case.html
       compositing/sibling-layer-does-not-get-composited-transform-case.html

  • rendering/RenderLayerCompositor.cpp:

(WebCore::RenderLayerCompositor::addToOverlapMapRecursive):
(WebCore::RenderLayerCompositor::OverlapMap::contains): Deleted.

LayoutTests:

  • compositing/sibling-layer-does-not-get-composited-overflow-hidden-case-expected.html: Added.
  • compositing/sibling-layer-does-not-get-composited-overflow-hidden-case.html: Added.
  • compositing/sibling-layer-does-not-get-composited-transform-case-expected.html: Added.
  • compositing/sibling-layer-does-not-get-composited-transform-case.html: Added.

5:17 AM Changeset in webkit [186343] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185018 - Review feedback followup for r185003.
https://bugs.webkit.org/show_bug.cgi?id=145463

Reviewed by Darin Adler.

  • platform/sql/SQLiteDatabase.cpp:

(WebCore::SQLiteDatabase::overrideUnauthorizedFunctions): static const one thing, c++-style cast another.

5:16 AM Changeset in webkit [186342] by Carlos Garcia Campos
  • 8 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r186005 - Prevent new loads while in PageCache (or being added to PageCache)
https://bugs.webkit.org/show_bug.cgi?id=146299
<rdar://problem/21523788>

Reviewed by Darin Adler.

Generalize the change in r185337 to prevent new loads while in the
PageCache (or being added to the PageCache), instead of merely
preventing new loads in pagehide event handlers. We should never
have any pages that are still loading inside the PageCache.

The fix in r185337 was apparently insufficient to address the
problem so generalizing the check / policy will hopefully catch
more cases where content is able to start loads while being added
to the PageCache. This patch also removes some of the complexity
added in r185337 as it is no longer needed.

No new tests, already covered by:
http/tests/navigation/image-load-in-pagehide-handler.html
http/tests/navigation/subframe-pagehide-handler-starts-load.html
http/tests/navigation/subframe-pagehide-handler-starts-load2.html

  • loader/FrameLoader.cpp:

(WebCore::FrameLoader::stopLoading):
(WebCore::FrameLoader::loadURL):
(WebCore::FrameLoader::loadWithDocumentLoader):
(WebCore::FrameLoader::stopAllLoaders):
(WebCore::FrameLoader::handleBeforeUnloadEvent):
(WebCore::FrameLoader::FrameLoader): Deleted.

  • loader/FrameLoader.h:

(WebCore::FrameLoader::pageDismissalEventBeingDispatched):

  • loader/ImageLoader.cpp:

(WebCore::pageIsBeingDismissed):

  • loader/cache/CachedResource.cpp:

(WebCore::CachedResource::load):

  • loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::requestImage):

  • page/Page.cpp:

(WebCore::Page::inPageCache):

  • page/Page.h:

(WebCore::Page::group): Deleted.

4:27 AM Changeset in webkit [186341] by Carlos Garcia Campos
  • 12 edits
    10 adds in releases/WebKitGTK/webkit-2.8

Merge r185337 - WebContent crash in WebCore::Page::sessionID() const + 0 (Page.cpp:1660)
https://bugs.webkit.org/show_bug.cgi?id=145748
<rdar://problem/21226577>

Reviewed by Brady Eidson.

Source/WebCore:

We would sometimes crash when pruning the PageCache because it was
possible for frames to still be loading while in the PageCache and
we would try to stop the load when the CachedFrame is destroyed. This
code path was not supposed to be exercised as we were not supposed to
have pages still loading inside the PageCache.

r185017 made sure we don't insert into the PageCache pages that are
still loading. However, nothing was preventing content from starting
new loads in their 'pagehide' event handlers, *after* the decision
to put the page in the PageCache was made.

This patch prevents content from starting loads from a 'pagehide'
event handler so that we can no longer have content that is loading
inside the PageCache. 'ping' image loads still go through though as
these are specially handled and use PingLoaders.

Tests: http/tests/navigation/image-load-in-pagehide-handler.html
       http/tests/navigation/subframe-pagehide-handler-starts-load.html
       http/tests/navigation/subframe-pagehide-handler-starts-load2.html

  • loader/FrameLoader.cpp:

(WebCore::FrameLoader::FrameLoader):
(WebCore::FrameLoader::stopLoading):
(WebCore::FrameLoader::loadURL):
(WebCore::FrameLoader::loadWithDocumentLoader):
(WebCore::FrameLoader::stopAllLoaders):
(WebCore::FrameLoader::handleBeforeUnloadEvent):

  • loader/FrameLoader.h:

(WebCore::FrameLoader::pageDismissalEventBeingDispatched):
(WebCore::FrameLoader::PageDismissalEventType::PageDismissalEventType):
(WebCore::FrameLoader::PageDismissalEventType::operator Page::DismissalType):

Add wrapper class for m_pageDismissalEventBeingDispatched member type.
The wrapper takes care of updating the m_dismissalEventBeingDispatched
member on the Page every time the member on FrameLoader is updated. We
now cache this information on the Page so that clients can cheaply
query if a dismissal event is being dispatched in any of the Page's
frames, without having to traverse the frame tree.

  • loader/ImageLoader.cpp:

(WebCore::pageIsBeingDismissed):

  • loader/cache/CachedResource.cpp:

(WebCore::CachedResource::load):

Abort the load early if we are currently dispatching a 'pagehide'
event. We don't allow new loads at such point because we've already
made the decision to add the Page to the PageCache.

  • loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::requestImage):

  • page/Chrome.cpp:

(WebCore::Chrome::runModal): Deleted.
(WebCore::Chrome::setToolbarsVisible): Deleted.
(WebCore::Chrome::toolbarsVisible): Deleted.
(WebCore::Chrome::runJavaScriptConfirm): Deleted.
(WebCore::Chrome::runJavaScriptPrompt): Deleted.
(WebCore::Chrome::shouldInterruptJavaScript): Deleted.

  • page/Chrome.h:
  • page/ChromeClient.h:
  • page/DOMWindow.cpp:

(WebCore::DOMWindow::canShowModalDialogNow):

Drop ChromeClient::shouldRunModalDialogDuringPageDismissal() and code
using it as it is unused and I did not think it was worth updating
this code.

  • page/Page.h:

(WebCore::Page::dismissalEventBeingDispatched):
(WebCore::Page::setDismissalEventBeingDispatched):

Add a m_dismissalEventBeingDispatched member to the Page so that we can
easily query if a dismissal event is being dispatched in any of the
frames, without having to traverse the frame tree. I suspect more call
sites of FrameLoader::pageDismissalEventBeingDispatched() may actually
want this but I did not make such change in this patch. It is important
to check all the frames and not simply the current one because a frame's
pagehide event handler may trigger a load in another frame.

LayoutTests:

  • http/tests/navigation/image-load-in-pagehide-handler-expected.txt: Added.
  • http/tests/navigation/image-load-in-pagehide-handler.html: Added.
  • http/tests/navigation/resources/image-load-in-pagehide-handler-2.html: Added.

Add layout test to make sure that ping loads in 'pagehide' handlers are
still going through after this change.

  • http/tests/navigation/resources/frame-do-load.html: Added.
  • http/tests/navigation/resources/frame-pagehide-starts-load-in-subframe.html: Added.
  • http/tests/navigation/resources/frame-pagehide-starts-load.html: Added.
  • http/tests/navigation/subframe-pagehide-handler-starts-load-expected.txt: Added.
  • http/tests/navigation/subframe-pagehide-handler-starts-load.html: Added.
  • http/tests/navigation/subframe-pagehide-handler-starts-load2-expected.txt: Added.
  • http/tests/navigation/subframe-pagehide-handler-starts-load2.html: Added.

Add layout tests to make sure we don't crash if a frame starts an XHR load
from the 'pagehide' event handler. One of the tests covers the case where a
frame's pagehide handler starts a load in a subframe as this case
requires a bit more handling.

4:13 AM Changeset in webkit [186340] by Carlos Garcia Campos
  • 4 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185017 - WebContent crash in WebCore::Page::sessionID() const + 0 (Page.cpp:1660)
https://bugs.webkit.org/show_bug.cgi?id=145422
<rdar://problem/20613631>

Reviewed by Brady Eidson.

We sometimes crash when destroying a PageCache CachedFrame because its
DocumentLoader is still loading. This should never happen as we are not
supposed to let pages that still have pending loads into the PageCache.

However, we were using DocumentLoader::isLoadingInAPISense() as check
in PageCache::canCachePageContainingThisFrame() which is not exactly
what we want. isLoadingInAPISense() no longer considers subresource
loads once the frame has loaded. This means if the JS triggers a new
load in a subframe after it has been loaded, then isLoadingInAPISense()
will return false, despite the pending load.

This patch replaces the isLoadingInAPISense() check with isLoading()
as this will consider all pending loads, even after the frame is
loaded.

In most cases, using isLoadingInAPISense() was not an issue because
we call DocumentLoader::stopLoading() in all subframes before starting
a provisional load. However, nothing seems to prevent JS from
triggering a new load after that and before the new load gets committed
(which is when we save the page into PageCache).

No new test as we don't have a reliable reproduction case and the
issue is timing related.

  • history/PageCache.cpp:

(WebCore::logCanCacheFrameDecision):
(WebCore::PageCache::canCachePageContainingThisFrame):

  • page/DiagnosticLoggingKeys.cpp:

(WebCore::DiagnosticLoggingKeys::isLoading):
(WebCore::DiagnosticLoggingKeys::loadingAPISenseKey): Deleted.

  • page/DiagnosticLoggingKeys.h:

4:08 AM Changeset in webkit [186339] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r185003 - WebSQL default functions can bypass authorizer.
<rdar://problem/21048994> and https://bugs.webkit.org/show_bug.cgi?id=145463

Reviewed by Sam Weinig and Alexey Proskuryakov.

No new tests yet.

  • platform/sql/SQLiteDatabase.cpp:

(WebCore::unauthorizedSQLFunction): Function to install into SQLite to override some built-in functions.
(WebCore::SQLiteDatabase::open):
(WebCore::SQLiteDatabase::overrideUnauthorizedFunctions): Install function overrides for functions that
take arbitrary input that are also meant to be disabled by virtue of them not being whitelisted.

  • platform/sql/SQLiteDatabase.h:

4:03 AM Changeset in webkit [186338] by Carlos Garcia Campos
  • 5 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r184970 - Subpixel rendering: Pixel crack in text selection of simple text in <textarea>.
https://bugs.webkit.org/show_bug.cgi?id=145393
rdar://problem/19918941

Reviewed by Darin Adler.

Float to LayoutUnit conversion is lossy. To ensure that selection
painting always lines up (snaps) properly, the calculated width needs to
be adjusted by ceiling the float to the next LayoutUnit value.

Source/WebCore:

Test: fast/text/hidpi-text-selection-gap-between-words.html

  • platform/graphics/FontCascade.cpp:

(WebCore::FontCascade::adjustSelectionRectForSimpleText):

  • platform/graphics/cocoa/FontCascadeCocoa.mm:

(WebCore::FontCascade::adjustSelectionRectForComplexText):

LayoutTests:

  • fast/text/hidpi-text-selection-gap-between-words-expected.html: Added.
  • fast/text/hidpi-text-selection-gap-between-words.html: Added.
  • platform/mac/platform/mac/editing/input/caret-primary-bidi-expected.txt:

4:01 AM Changeset in webkit [186337] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r184965 - Crash under ICU with ASAN during editing/selection/move-by-word-visually-crash-test-5.html
https://bugs.webkit.org/show_bug.cgi?id=145429
<rdar://problem/20992218>

Reviewed by Alexey Proskuryakov.

WebKit uses some strings which contain the lower 8-bits of UTF-16 (thereby saving space). However,
ICU doesn't understand this encoding. When we want to use ICU functions with strings in this encoding,
we create a UTextProvider which converts our encoded strings to UTF-16 for ICU, one chunk at a time.
This object contains a vtable which we populate to perform the conversion.

The WebKit function which actually returns the UTF-16 chunks has two relevant arguments: an index into
the encoded string which ICU is requesting, and a direction from that index which ICU is interested
in. This function populates a "chunk" which is characterized by a pointer to a buffer, the length of
the populated data in the buffer, and an offset into the chunk which represents the index that the
requested character was put into.

When ICU requests data going backward, we fill in the chunk accordingly, with the requested character
all the way at the end. We then set the offset equal to the length of the buffer. However, this length
value is stale from the previous time the function ran. Therefore, ICU was reading the wrong index in
the chunk when expecting the requested character.

Covered by editing/selection/move-by-word-visually-crash-test-5.html.

  • platform/text/icu/UTextProviderLatin1.cpp:

(WebCore::uTextLatin1Access):

3:05 AM Changeset in webkit [186336] by Carlos Garcia Campos
  • 5 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r184885 - Overhanging float sets are not cleaned up properly when floating renderer is destroyed.
https://bugs.webkit.org/show_bug.cgi?id=145323
rdar://problem/20980628

Reviewed by Dave Hyatt.

This patch ensures when an overhanging float renderer is destroyed,
all the sibling containers' floating object set(m_floatingObjects) gets properly cleaned up.

When an overhanging float is present, we cache the renderer on the parent and on the affected
sibling containers too. (RenderBlockFlow::m_floatingObjects) These caches(sets) get cleared and repopulated
during ::layout(). In order to have a float renderer removed from a set, a layout needs to be initiated on the container.
This is normally done through RenderBlockFlow::markSiblingsWithFloatsForLayout() and RenderBlockFlow::markAllDescendantsWithFloatsForLayout().
However, when the float container's parent's writing direction changes (and we promote the children containers to new formatting contexts),
the layout propagation through siblings does not work anymore.

The avoidsFloats() check in RenderBlockFlow::markSiblingsWithFloatsForLayout() has very little performance gain, but it prevents us
from propagating layout to siblings when certain properties of the parent container change.

Source/WebCore:

Test: fast/block/float/crash-when-floating-object-is-removed.xhtml

  • rendering/RenderBlockFlow.cpp:

(WebCore::RenderBlockFlow::markSiblingsWithFloatsForLayout):

  • rendering/RenderBox.cpp:

(WebCore::outermostBlockContainingFloatingObject):
(WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists):
(WebCore::RenderBox::outermostBlockContainingFloatingObject): Deleted.

  • rendering/RenderBox.h:

LayoutTests:

  • fast/block/float/crash-when-floating-object-is-removed-expected.txt: Added.
  • fast/block/float/crash-when-floating-object-is-removed.xhtml: Added.

2:56 AM Changeset in webkit [186335] by Carlos Garcia Campos
  • 4 edits in releases/WebKitGTK/webkit-2.8/Source/bmalloc

Merge r184883 - Integer overflow in XLarge allocation (due to unchecked roundUpToMultipleOf)
https://bugs.webkit.org/show_bug.cgi?id=145385

Reviewed by Andreas Kling.

Added some checking to verify that round-up operations will not overflow
a size_t.

The simplest way to do this was to introduce a notion of xLargeMax, like
we have for smallMax, mediumMax, and largeMax. It's a bit surprising at
first to think that there is an xLargeMax, since xLarge is what we use
to handle the biggest things. But computers have limits, so it makes sense.

FWIW, TCMalloc used to have an xLargeMax too, which it called kMaxValidPages.

No test because this bug was found by code inspection and I don't know
of a practical way to convince WebKit to make an allocation this large.

  • bmalloc/Allocator.cpp:

(bmalloc::Allocator::tryAllocate):
(bmalloc::Allocator::allocate):
(bmalloc::Allocator::reallocate):
(bmalloc::Allocator::allocateSlowCase): Check against xLargeMax to avoid
overflow when rounding up.

  • bmalloc/BAssert.h: Added support for explicit crashing.
  • bmalloc/Sizes.h:
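
The overflow described in r184883 above, as an added C sketch that is not bmalloc's code. The names roundUpToMultipleOf and xLargeMax come from the commit message; the alignment value, the way the limit is defined and the two wrapper functions are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration; not bmalloc's real constants. */
#define X_LARGE_ALIGNMENT ((size_t)4096)              /* must be a power of two */
#define X_LARGE_MAX       (SIZE_MAX - X_LARGE_ALIGNMENT)

/*
 * Unchecked round-up to a power-of-two multiple. size_t arithmetic is
 * modular, so when size is within (divisor - 1) of SIZE_MAX the addition
 * wraps and the result is a small number instead of a huge one.
 */
static size_t round_up_to_multiple_of(size_t divisor, size_t size)
{
    return (size + divisor - 1) & ~(divisor - 1);
}

/* "Before": the rounded size is used without any range check. */
static size_t xlarge_size_unchecked(size_t requested)
{
    return round_up_to_multiple_of(X_LARGE_ALIGNMENT, requested);
}

/*
 * "After": compare against an upper bound before rounding, so the
 * addition inside round_up_to_multiple_of() can never wrap.
 * Returns 1 and stores the rounded size on success, 0 if the request
 * is too large. What the caller does on 0 (return NULL, or crash
 * explicitly) is the caller's policy.
 */
static int xlarge_size_checked(size_t requested, size_t *rounded)
{
    if (requested > X_LARGE_MAX)
        return 0;
    *rounded = round_up_to_multiple_of(X_LARGE_ALIGNMENT, requested);
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: an ordinary size, the limit, and a
       value close enough to SIZE_MAX to wrap. */
    size_t samples[] = { 5000, X_LARGE_MAX, SIZE_MAX - 10 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t rounded = 0;
        size_t unchecked = xlarge_size_unchecked(samples[i]);
        int ok = xlarge_size_checked(samples[i], &rounded);

        printf("requested=%zu unchecked=%zu checked=%s",
               samples[i], unchecked, ok ? "ok" : "rejected");
        if (ok)
            printf(" rounded=%zu", rounded);
        if (unchecked < samples[i])
            printf("  <-- wrapped: rounded size is smaller than the request");
        printf("\n");
    }
    return 0;
}
```

The signal worth testing for in any allocator front end is a rounded size smaller than the requested size; the bound check makes that state unreachable.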

2:55 AM Changeset in webkit [186334] by Carlos Garcia Campos
  • 3 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r184874 - SVG fragment identifier rendering issue
https://bugs.webkit.org/show_bug.cgi?id=137328

Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2015-05-26
Reviewed by Darin Adler.

Source/WebCore:

This is a follow up for http://trac.webkit.org/changeset/164983. In this
changeset, scrolling to the fragment should have been added before
the paint to guarantee setting the proper display position for the SVG
fragment.

Test: svg/css/svg-resource-fragment-identifier-order.html

  • svg/graphics/SVGImage.cpp:

(WebCore::SVGImage::draw): Move view->scrollToFragment() before calling
view->paint().

LayoutTests:

  • svg/css/svg-resource-fragment-identifier-order-expected.html: Added.
  • svg/css/svg-resource-fragment-identifier-order.html: Added.

Ensure the SVG fragment is drawn correctly when the same SVG image is
referenced multiple times.

2:48 AM Changeset in webkit [186333] by zandobersek@gmail.com
  • 2 edits in trunk/Source/WebKit2

[GTK] Guard X11-specific code in webkitWebViewBaseDidRelaunchWebProcess()
https://bugs.webkit.org/show_bug.cgi?id=146627

Reviewed by Carlos Garcia Campos.

  • UIProcess/API/gtk/WebKitWebViewBase.cpp:

(webkitWebViewBaseDidRelaunchWebProcess):
Guard calls to DrawingAreaImpl::setNativeSurfaceHandleForCompositing()
that pass in an X11 Window ID with the PLATFORM(X11) build guards.

2:46 AM Changeset in webkit [186332] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r184857 - [ARM] Build SVGPathElement.cpp with -O2 due to a GCC bug
https://bugs.webkit.org/show_bug.cgi?id=145377

Reviewed by Carlos Garcia Campos.

  • CMakeLists.txt:

2:44 AM Changeset in webkit [186331] by Carlos Garcia Campos
  • 13 edits in releases/WebKitGTK/webkit-2.8

Merge r184846 - Crash when using a removed ScriptMessageHandler
<rdar://problem/20888499>
https://bugs.webkit.org/show_bug.cgi?id=145359

Reviewed by Dan Bernstein.

Source/WebCore:

Added tests:

WKUserContentController.ScriptMessageHandlerBasicRemove
WKUserContentController.ScriptMessageHandlerCallRemovedHandler

  • page/UserMessageHandler.cpp:

(WebCore::UserMessageHandler::~UserMessageHandler):
(WebCore::UserMessageHandler::postMessage):
(WebCore::UserMessageHandler::name):

  • page/UserMessageHandler.h:

(WebCore::UserMessageHandler::create):

  • page/UserMessageHandler.idl:
  • page/UserMessageHandlerDescriptor.cpp:

(WebCore::UserMessageHandlerDescriptor::UserMessageHandlerDescriptor):

  • page/UserMessageHandlerDescriptor.h:

(WebCore::UserMessageHandlerDescriptor::client):
(WebCore::UserMessageHandlerDescriptor::invalidateClient):
Add support for invalidating the descriptor and throw an exception if someone tries
to post a message using an invalidated descriptor.

  • page/UserMessageHandlersNamespace.cpp:

(WebCore::UserMessageHandlersNamespace::handler):
Add logic to remove message handlers if their descriptor has been invalidated.

Source/WebKit2:

  • WebProcess/UserContent/WebUserContentController.cpp:

(WebKit::WebUserMessageHandlerDescriptorProxy::~WebUserMessageHandlerDescriptorProxy):
Invalidate the descriptor when the message handler client (as implemented by WebUserMessageHandlerDescriptorProxy)
goes away. This will happen if a script message handler is removed at the API level or the WebUserContentController
is destroyed (which will happen if all the pages get destroyed).

Tools:

  • TestWebKitAPI/Tests/WebKit2Cocoa/UserContentController.mm:

Add tests for removing script message handlers.

2:41 AM Changeset in webkit [186330] by zandobersek@gmail.com
  • 2 edits in trunk/Source/WebCore

[GTK] Fix build errors with OpenGL ES
https://bugs.webkit.org/show_bug.cgi?id=146626

Reviewed by Carlos Garcia Campos.

  • platform/graphics/ANGLEWebKitBridge.h: Include <GLES2/gl2.h>
when building with OpenGL ES 2 support enabled.
(WebCore::ANGLEShaderSymbol::isSampler): Don't test for
OpenGL-specific GL_SAMPLER_2D_RECT_ARB value when OpenGL ES 2
support is enabled.

2:33 AM Changeset in webkit [186329] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r184816 - Document::ensurePlugInsInjectedScript() should evaluate the injected script on its own frame.
https://bugs.webkit.org/show_bug.cgi?id=145328

Reviewed by Jon Lee.

trac.webkit.org/r184329 fixed HTMLPlugInImageElement::didAddUserAgentShadowRoot()
to use the document's frame instead of the page's main frame. However,
Document::ensurePlugInsInjectedScript() is still evaluating the injected script on
the main frame.

As a result, HTMLPlugInImageElement::didAddUserAgentShadowRoot()'s attempt to get
the injected createOverlay function from the document frame's global object will
fail. Fixing Document::ensurePlugInsInjectedScript() to evaluate the injected
script on the document's frame fixes the issue.

No new tests.

  • dom/Document.cpp:

(WebCore::Document::ensurePlugInsInjectedScript):

2:30 AM Changeset in webkit [186328] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r184793 - [CG] Regression(r78652): Partially decoded images are not properly removed from MemoryCache when pruning
https://bugs.webkit.org/show_bug.cgi?id=145310

Reviewed by Antti Koivisto.

r78652 added partially decoded images to the MemoryCache's list of live
decoded resources so that they can be pruned on memory pressure. This
was needed because CG decodes part of the image to determine its
properties (e.g. its size). On memory pressure, we call
BitmapImage::destroyDecodedData() which clears the ImageSource and
frees up this extra decoded data.

However, we would fail to remove such partially decoded images from the
MemoryCache's list of live resources when pruning. This is because
BitmapImage::destroyMetadataAndNotify() fails to take into account the
decoded properties size when no frame has been cleared. We would thus
fail to detect a decoded size change and not call
CachedImage::decodedSizeChanged(). As a result, the CachedImage's
decoded size is not reset to 0 and we don't remove it from live decoded
resources.

This patch updates BitmapImage::destroyMetadataAndNotify() to account
for m_decodedPropertiesSize even if frameBytesCleared is 0. This way,
images for which we haven't decoded any frames yet will correctly report
that we cleared the decoded data used to determine the image properties
and their decoded size will be properly reset to 0. As a result, these
will be removed from the MemoryCache's list of live decoded resources.

  • platform/graphics/BitmapImage.cpp:

(WebCore::BitmapImage::destroyDecodedData):
(WebCore::BitmapImage::destroyMetadataAndNotify):
(WebCore::BitmapImage::dataChanged):

  • platform/graphics/BitmapImage.h:

2:27 AM Changeset in webkit [186327] by Carlos Garcia Campos
  • 1 edit
    1 add in releases/WebKitGTK/webkit-2.8/Source/WebCore/platform/gtk/po

Merge r184766 - [l10n] Add Catalan translation for WebKitGTK+
https://bugs.webkit.org/show_bug.cgi?id=142928

Patch by Jordi Mas <jmas@softcatala.org> on 2015-05-22
Reviewed by Carlos Garcia Campos.

  • ca.po: Added.

2:21 AM Changeset in webkit [186326] by Carlos Garcia Campos
  • 3 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r184719 - SVG as image uses very tiny default font-size
https://bugs.webkit.org/show_bug.cgi?id=68090

Patch by Said Abou-Hallawa <sabouhallawa@apple.com> on 2015-05-21
Reviewed by Darin Adler.

Source/WebCore:

When loading a document, WebKit creates a Page object and then changes its setting
from the browser's preferences. This is true for interactive resources also, such as a
stand-alone SVG or an SVG embedded in an <object> tag for example. For non-interactive
resources, like an SVG embedded in an <img> tag for example, this function is called
after loading the resource is finished. This function creates an artificial page and
fabricates a scoped settings for it. This turns out to be problematic for cases like
the default font size because its initial value is zero. We cannot go from WebCore to
WebKit to ask for the global settings. But we can inherit the global settings from
the master page. This is not the best solution because of two reasons. (1) Once the
resource is cached and the styles for the text elements are calculated, nothing can
change the values of styles except removing the resource itself from the cache if the
browser's preferences change. Also there is no mechanism to notify this artificial
page if the browser's preferences change. (2) An image like a non-interactive SVG,
should be displayed the same way regardless of the browser's preferences. A user may
be able to change the default font size for other text. But this should not affect
images even if they are vector images like SVG. An easy and more agreeable solution
is to hard-code the default font size for this case and do not depend on the global
settings at all.

Test: svg/text/text-default-font-size.html

  • page/Settings.in: Set the initial value of the setting defaultFontSize to be 16.

LayoutTests:

  • svg/text/text-default-font-size-expected.html: Added.
  • svg/text/text-default-font-size.html: Added.

Ensure the default font size for non-interactive SVG images is not zero.

2:08 AM Changeset in webkit [186325] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r184692 - dispatchViewStateChange should not wait for sync reply if the page isn't visible
https://bugs.webkit.org/show_bug.cgi?id=145242
<rdar://problem/20967937>

Reviewed by Ben Poulain.

This is particularly problematic on iOS, since if the page isn't visible the process is likely suspended.

  • UIProcess/WebPageProxy.cpp:

(WebKit::WebPageProxy::dispatchViewStateChange):
(WebKit::WebPageProxy::waitForDidUpdateViewState):

2:04 AM Changeset in webkit [186324] by Carlos Garcia Campos
  • 4 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r184675 - REGRESSION (r172591): Can no longer style <optgroup> with colors (LayoutTests/fast/forms/select/optgroup-rendering.html)
https://bugs.webkit.org/show_bug.cgi?id=145227
Source/WebCore:

rdar://problem/20967472

Reviewed by Darin Adler.

Test: fast/forms/select/select-painting.html

Use computedStyle() consistently for option and optgroup items.

  • rendering/RenderListBox.cpp:

(WebCore::RenderListBox::paintItemForeground):
(WebCore::RenderListBox::paintItemBackground):

We can always use computedStyle() and it can't be null. If there was renderer style it would return that.

  • rendering/RenderMenuList.cpp:

(RenderMenuList::itemStyle):
(RenderMenuList::getItemBackgroundColor):

LayoutTests:

Reviewed by Darin Adler.

Add ref test for select painting.

  • fast/forms/select/select-painting-expected.html: Added.
  • fast/forms/select/select-painting.html: Added.

2:02 AM Changeset in webkit [186323] by youenn.fablet@crf.canon.fr
  • 13 edits in trunk/Source

[Streams API] Remove ReadableStream custom constructor
https://bugs.webkit.org/show_bug.cgi?id=146547

Reviewed by Darin Adler.

Source/JavaScriptCore:

Adding helper function to throw range errors.

  • runtime/Error.h:

(JSC::throwRangeError):
(JSC::throwVMRangeError):

Source/WebCore:

Removed custom binding.
Made use of Dictionary in lieu of JSObject to reduce readable stream constructor parameter parsing.
Added support for passing ExecState to constructor within binding generator.

No change in behavior.

  • Modules/streams/ReadableStream.cpp:

(WebCore::ReadableStream::create):

  • Modules/streams/ReadableStream.h:

(WebCore::ReadableStream::create):

  • Modules/streams/ReadableStream.idl:
  • bindings/js/JSDictionary.cpp:

(WebCore::JSDictionary::convertValue):

  • bindings/js/JSDictionary.h:
  • bindings/js/JSReadableStreamCustom.cpp:
  • bindings/js/ReadableJSStream.cpp:

(WebCore::ReadableJSStream::create):
(WebCore::ReadableJSStream::ReadableJSStream):

  • bindings/js/ReadableJSStream.h:
  • bindings/scripts/CodeGeneratorJS.pm:

(GenerateConstructorDefinition):

  • bindings/scripts/IDLAttributes.txt:

2:01 AM Changeset in webkit [186322] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r184657 - ThreadableLoaderOptions::isolatedCopy() doesn't produce a copy that is safe for sending to another thread
https://bugs.webkit.org/show_bug.cgi?id=145217

Reviewed by Anders Carlsson.

Caught by existing tests, rarely. I don't know how to catch such bugs more reliably.

  • loader/ThreadableLoader.cpp: (WebCore::ThreadableLoaderOptions::isolatedCopy):
  • loader/ThreadableLoader.h:

1:55 AM Changeset in webkit [186321] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebKit2

Merge r184638 - [GTK] Add some documentation to WebKitWebExtension
https://bugs.webkit.org/show_bug.cgi?id=142786

Patch by Marcos Chavarría Teijeiro <mchavarria@igalia.com> on 2015-05-20
Reviewed by Carlos Garcia Campos.

WebKitWebExtension API documentation lacks some details and the information
available is in some contributors' blog posts. I add the section
documentation with a small guide about how to use WebExtensions.

The code examples were taken from Carlos García and Adrián Pérez blog
posts.

  • WebProcess/InjectedBundle/API/gtk/WebKitWebExtension.cpp:

1:53 AM Changeset in webkit [186320] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r184615 - Crash under WebCore::invalidateStyleRecursively
https://bugs.webkit.org/show_bug.cgi?id=145186
rdar://problem/19736838

Reviewed by Andreas Kling.

We have seen crashes where we run out of stack under invalidateStyleRecursively in StyleInvalidationAnalysis
on some devices.

Switch to iterative algorithm.

  • css/StyleInvalidationAnalysis.cpp:

(WebCore::StyleInvalidationAnalysis::StyleInvalidationAnalysis):
(WebCore::invalidateIfNeeded):
(WebCore::invalidateStyleForTree):
(WebCore::StyleInvalidationAnalysis::invalidateStyle):
(WebCore::invalidateStyleRecursively): Deleted.

1:47 AM Changeset in webkit [186319] by Carlos Garcia Campos
  • 13 edits
    4 adds in releases/WebKitGTK/webkit-2.8

Merge r184598 - X-Frame-Options headers not respected when loading from application cache.
<rdar://problem/14877623> and https://bugs.webkit.org/show_bug.cgi?id=131800

Reviewed by Alexey Proskuryakov.

Source/WebCore:

Test: http/tests/appcache/x-frame-options-prevents-framing.php

This patch updates SubstituteData to hold on to a ResourceResponse instead of just a URL.

It also updates all users of SubstituteData to reflect this.

Finally it updates ApplicationCacheHost to put the full response (including x-frame-options header)
in the SubstituteData so they can be checked at the appropriate times.

  • loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::handleSubstituteDataLoadNow):
(WebCore::DocumentLoader::responseReceived): Update an ASSERT to reflect that it's okay to not have
a main resource as long as you have a substitute identifier for it.

(WebCore::DocumentLoader::documentURL):
(WebCore::DocumentLoader::contentFilterDidDecide):

  • loader/FrameLoader.cpp:

(WebCore::FrameLoader::loadArchive):
(WebCore::FrameLoader::defaultSubstituteDataForURL):

  • loader/SubstituteData.h:

(WebCore::SubstituteData::SubstituteData):
(WebCore::SubstituteData::shouldRevealToSessionHistory):
(WebCore::SubstituteData::mimeType):
(WebCore::SubstituteData::textEncoding):
(WebCore::SubstituteData::response):
(WebCore::SubstituteData::responseURL): Deleted.

  • loader/appcache/ApplicationCacheHost.cpp:

(WebCore::ApplicationCacheHost::maybeLoadMainResource): Put the full ResourceResponse here, which
includes x-frame-options headers sent back when the resource was initially loaded from the network.

  • platform/network/ResourceResponseBase.h:

Source/WebKit/mac:

  • WebView/WebFrame.mm:

(-[WebFrame _loadData:MIMEType:textEncodingName:baseURL:unreachableURL:]):

Source/WebKit/win:

  • WebFrame.cpp:

(WebFrame::loadData):

Source/WebKit2:

  • WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::loadDataImpl):

LayoutTests:

  • http/tests/appcache/resources/x-frame-options-prevents-framing-test.html: Added.
  • http/tests/appcache/resources/x-frame-options-prevents-framing.manifest: Added.
  • http/tests/appcache/x-frame-options-prevents-framing-expected.txt: Added.
  • http/tests/appcache/x-frame-options-prevents-framing.php: Added.
1:31 AM Changeset in webkit [186318] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore

Merge r184581 - Fix the build of a universal binary with ARMv7k of JavaScriptCore.
https://bugs.webkit.org/show_bug.cgi?id=145143

Reviewed by Geoffrey Garen.

The offlineasm works in 3 phases:

Phase 1:

Parse the llint asm files for config options and desired offsets.
Let's say the offlineasm discovers C unique options and O unique offsets.
The offlineasm will then generate a LLIntDesiredOffsets.h file with
C x C build configurations, each with a set of O offsets.

Each of these build configurations is given a unique configuration index number.

Phase 2:

Compile the LLIntDesiredOffsets.h file into a JSCLLIntOffsetsExtractor binary.

If we're building a fat binary with 2 configurations: armv7, and armv7k,
then the fat binary will contain 2 blobs of offsets, one for each of these
build configurations.

Phase 3:

Parse the llint asm files and emit asm code using the offsets that are
extracted from the JSCLLIntOffsetsExtractor binary for the corresponding
configuration index number.

In the pre-existing code, there are no "if ARMv7k" statements in the llint asm
source. As a result, OFFLINE_ASM_ARMv7k is not one of the config options in
the set of C unique options.

For armv7k builds, OFFLINE_ASM_ARMv7 is also true. As a result, for an armv7k
target, we will end up building armv7 source. In general, this is fine except:

  1. armv7k has different alignment requirements from armv7. Hence, their offset values (in JSCLLIntOffsetsExtractor) will be different.
  2. The offlineasm was never told that it needed to make a different configuration for armv7k builds. Hence, the armv7k build of LLIntDesiredOffsets.h will build the armv7 configuration, and consequently, the armv7k blob of offsets in JSCLLIntOffsetsExtractor will have the same configuration index number as the armv7 blob of offsets.

In phase 3, when the offlineasm parses the JSCLLIntOffsetsExtractor fat binary
looking for the armv7 build's configuration index number, it discovers the
armv7k blob which has the same configuration number. As a result, it
erroneously thinks the armv7k offsets are appropriate for emitting armv7 code.
Needless to say, armv7 code using armv7k offsets will lead to incorrect behavior
and all round badness.

The fix is to add a simple "if ARMv7k" statement to the llint asm files. While
the if statement has no body, it does make the offlineasm aware of the need for
ARMv7k as a configuration option. As a result, it will generate an armv7k
variant configuration in the LLIntDesiredOffsets.h file with its own unique
configuration index number. With that, the JSCLLIntOffsetsExtractor fat binary
will no longer have duplicate configuration index numbers for the armv7 and
armv7k blobs of offsets, and the issue is resolved.

  • llint/LLIntOfflineAsmConfig.h:
  • llint/LowLevelInterpreter.asm:
1:29 AM Changeset in webkit [186317] by Carlos Garcia Campos
  • 3 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r184577 - Merged anonymous blocks should invalidate simple line layout path.
https://bugs.webkit.org/show_bug.cgi?id=145104
rdar://problem/20980930

Reviewed by Antti Koivisto.

When anonymous blocks are merged together, it's not guaranteed that the final block can use simple line layout.
This patch ensures that the flow block, where the other block's content gets moved to, is no longer on simple line layout path.
Whether the final flow block ends up using inline boxes or simple line layout will be determined during the next layout.

Source/WebCore:

Test: fast/block/crash-when-anonymous-blocks-are-merged-with-simple-line-layout.html

  • rendering/RenderElement.cpp:

(WebCore::RenderElement::insertChildInternal):

LayoutTests:

  • fast/block/crash-when-anonymous-blocks-are-merged-with-simple-line-layout-expected.txt: Added.
  • fast/block/crash-when-anonymous-blocks-are-merged-with-simple-line-layout.html: Added.
1:27 AM Changeset in webkit [186316] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r184576 - Crash in WebCore::RenderLayer::updateScrollbarsAfterLayout
https://bugs.webkit.org/show_bug.cgi?id=145142

Reviewed by Simon Fraser.

I have not been able to reproduce this crash, but according to symbolication
m_vBar is null. It seems like this crash was probably caused by
http://trac.webkit.org/changeset/173668 which made it so that overflow:scroll
behaves like overflow:auto when the scrollbars are overlay. I can see how you
could encounter this crash with that change if the layout caused
styleRequiresScrollbar() to return true when it used to return false. Then this
code, by failing to null-check the scrollbars, assumes that
styleRequiresScrollbar() could not have changed based on a layout. But it could
change if the css changed the scrollbars to be custom or if the user managed
to switch to legacy style scrollbars at just the wrong time. Or I suppose it could
also happen if the user has legacy scrollbars and the style switched from auto to
scroll during the layout.

Anyway, we should null-check the scrollbars. This is a speculative fix.

  • rendering/RenderLayer.cpp:

(WebCore::RenderLayer::updateScrollbarsAfterLayout):

1:26 AM Changeset in webkit [186315] by Carlos Garcia Campos
  • 32 edits in releases/WebKitGTK/webkit-2.8/Source

Merge r184555 - Mark static variables as const when possible
https://bugs.webkit.org/show_bug.cgi?id=145161

Reviewed by Andreas Kling.

Source/WebCore:

  • Modules/mediasession/WebMediaSessionManager.cpp:
  • Modules/mediasource/SourceBuffer.cpp:
  • Modules/webdatabase/SQLException.cpp:
  • dom/DOMCoreException.cpp:
  • inspector/NetworkResourcesData.cpp:
  • loader/icon/IconDatabase.cpp:

(WebCore::urlForLogging):

  • page/AutoscrollController.cpp:
  • page/Page.cpp:
  • platform/RuntimeApplicationChecksIOS.mm:

(WebCore::applicationIsAdSheet):
(WebCore::applicationIsMobileMail):
(WebCore::applicationIsMobileSafari):
(WebCore::applicationIsDumpRenderTree):
(WebCore::applicationIsWebApp):
(WebCore::applicationIsOkCupid):
(WebCore::applicationIsFacebook):
(WebCore::applicationIsEpicurious):
(WebCore::applicationIsDaijisenDictionary):
(WebCore::applicationIsNASAHD):
(WebCore::applicationIsMASH):
(WebCore::applicationIsTheEconomistOnIPhone):
(WebCore::applicationIsWebProcess):
(WebCore::applicationIsIBooksOnIOS):

  • platform/audio/HRTFElevation.cpp:
  • platform/audio/mac/AudioHardwareListenerMac.cpp:

(WebCore::processIsRunningPropertyDescriptor):
(WebCore::outputDevicePropertyDescriptor):

  • platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm:
  • platform/graphics/ca/GraphicsLayerCA.cpp:
  • platform/graphics/mac/FontCacheMac.mm:

(WebCore::toCoreTextFontWeight):
(WebCore::toAppKitFontWeight):
(WebCore::toNSFontWeight):

  • platform/mac/ScrollAnimatorMac.mm:

(supportsUIStateTransitionProgress):
(supportsExpansionTransitionProgress):
(supportsContentAreaScrolledInDirection):

  • platform/mac/ScrollbarThemeMac.mm:
  • platform/mac/WebCoreNSURLExtras.mm:

(WebCore::dataForURLComponentType):

  • platform/mock/ScrollbarThemeMock.cpp:
  • platform/text/icu/UTextProviderLatin1.cpp:
  • platform/text/ios/LocalizedDateCache.mm:

(WebCore::LocalizedDateCache::calculateMaximumWidth):

  • rendering/RenderBlockLineLayout.cpp:

(WebCore::RenderBlockFlow::matchedEndLine):

  • rendering/RenderBoxModelObject.cpp:

(WebCore::RenderBoxModelObject::paintTranslucentBorderSides):

  • rendering/RenderFrameBase.cpp:

(WebCore::shouldExpandFrame):

  • rendering/RenderTableSection.cpp:
  • rendering/RenderThemeIOS.mm:

(WebCore::getInsetGradient):
(WebCore::getShineGradient):
(WebCore::getShadeGradient):
(WebCore::getConvexGradient):
(WebCore::getConcaveGradient):
(WebCore::getSliderTrackGradient):
(WebCore::getReadonlySliderTrackGradient):
(WebCore::getSliderThumbOpaquePressedGradient):
(WebCore::RenderThemeIOS::paintCheckboxDecorations):
(WebCore::RenderThemeIOS::paintRadioDecorations):

  • rendering/RenderThemeMac.mm:

(WebCore::toFontWeight):
(WebCore::TopGradientInterpolate):
(WebCore::BottomGradientInterpolate):
(WebCore::MainGradientInterpolate):
(WebCore::TrackGradientInterpolate):

Source/WebKit2:

  • Platform/IPC/MessageEncoder.cpp:
  • UIProcess/Cocoa/WebProcessPoolCocoa.mm:

(WebKit::networkProcessLatencyQOS):
(WebKit::networkProcessThroughputQOS):
(WebKit::webProcessLatencyQOS):
(WebKit::webProcessThroughputQOS):

  • UIProcess/Plugins/mac/PluginProcessProxyMac.mm:

(WebKit::PluginProcessProxy::pluginNeedsExecutableHeap):
(WebKit::pluginProcessLatencyQOS):
(WebKit::pluginProcessThroughputQOS):

  • WebProcess/WebPage/WebPage.cpp:

Source/WTF:

  • wtf/dtoa.cpp:

(WTF::pow5mult):

1:17 AM Changeset in webkit [186314] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore

Merge r184501 - [JSC] Speed up URL encode/decode by using bitmaps instead of strchr().
<https://webkit.org/b/145115>

Reviewed by Anders Carlsson.

We were calling strchr() for every character when doing URL encoding/decoding and it stood out
like a sore O(n) thumb in Instruments. Optimize this by using a Bitmap<256> instead.

5.5% progression on Kraken/stanford-crypto-sha256-iterative.

  • runtime/JSGlobalObjectFunctions.cpp:

(JSC::makeCharacterBitmap):
(JSC::encode):
(JSC::decode):
(JSC::globalFuncDecodeURI):
(JSC::globalFuncDecodeURIComponent):
(JSC::globalFuncEncodeURI):
(JSC::globalFuncEncodeURIComponent):
(JSC::globalFuncEscape):

1:13 AM Changeset in webkit [186313] by Carlos Garcia Campos
  • 7 edits
    2 deletes in releases/WebKitGTK/webkit-2.8/Source

Merge r180968 - Remove unused compression code
https://bugs.webkit.org/show_bug.cgi?id=142237

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

  • bytecode/UnlinkedCodeBlock.h:

Source/WTF:

  • WTF.vcxproj/WTF.vcxproj:
  • WTF.vcxproj/WTF.vcxproj.filters:
  • WTF.xcodeproj/project.pbxproj:
  • wtf/CMakeLists.txt:
  • wtf/Compression.cpp: Removed.
  • wtf/Compression.h: Removed.
1:10 AM Changeset in webkit [186312] by youenn.fablet@crf.canon.fr
  • 6 edits in trunk

Promise-returning functions should reject promises if the callee is not of the expected type
https://bugs.webkit.org/show_bug.cgi?id=146585

Reviewed by Darin Adler.

Source/WebCore:

Updated binding generator to reject promise in case the casting of the thisValue is not working properly
(i.e. the callee is not wrapping a DOM object of the expected class).

Covered by rebased test and binding expectations.

  • bindings/js/JSDOMPromise.h:

(WebCore::callPromiseFunction): Removed wrapper class parameter.

  • bindings/scripts/CodeGeneratorJS.pm:

(GenerateImplementation):

  • bindings/scripts/test/JS/JSTestObj.cpp: Updated binding expectations.

(WebCore::jsTestObjPrototypeFunctionTestPromiseFunction):
(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionPromise):
(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionWithFloatArgument):
(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionWithFloatArgumentPromise):
(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionWithException):
(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionWithExceptionPromise):
(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionWithOptionalIntArgument):
(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionWithOptionalIntArgumentPromise):

LayoutTests:

  • streams/reference-implementation/brand-checks-expected.txt:
1:08 AM Changeset in webkit [186311] by Carlos Garcia Campos
  • 6 edits in releases/WebKitGTK/webkit-2.8/Source

Merge r184448 - Do not use fastMallocGoodSize anywhere
https://bugs.webkit.org/show_bug.cgi?id=145103

Reviewed by Michael Saboff.

Source/JavaScriptCore:

  • assembler/AssemblerBuffer.h:

(JSC::AssemblerData::AssemblerData):
(JSC::AssemblerData::grow):

Source/WTF:

It is silly we see fastMallocGoodSize in profiles, it does absolutely nothing.

This patch keeps fastMallocGoodSize() around for older code linking
with newer WebKit, but removes any use of it inside WebKit.

  • wtf/FastMalloc.cpp:

(WTF::fastMallocGoodSize):

  • wtf/FastMalloc.h:
  • wtf/Vector.h:

(WTF::VectorBufferBase::allocateBuffer):
(WTF::VectorBufferBase::tryAllocateBuffer):
(WTF::VectorBufferBase::reallocateBuffer):

12:42 AM Changeset in webkit [186310] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r184443 - Crash when uploading huge files to YouTube or Google Drive
https://bugs.webkit.org/show_bug.cgi?id=145083
rdar://problem/15468529

Reviewed by Darin Adler.

This fixes the crash, but uploading will fail.

  • fileapi/FileReaderLoader.cpp:

(WebCore::FileReaderLoader::start): Tell SubresourceLoader to not store a copy of
all received data, FileReaderLoader has its own buffer.
(WebCore::FileReaderLoader::didReceiveResponse): Fixed a bounds check - not every
64-bit value that doesn't fit into 32 bits is negative. With this, FileReader fails
on huge files right away, as intended.
(WebCore::FileReaderLoader::didReceiveData): Fixed multiple bugs in code that's
executed when size is not available upfront. This is the code that used to crash,
but with the above fix, it's not executed by YouTube.
Not only overflow was handled incorrectly, but even simply growing a buffer for
append was buggy.
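The bounds-check defect described in r184443, as an added illustration (not WebKit's FileReaderLoader code): narrowing a 64-bit length to 32 bits and testing only for a negative result lets lengths such as 5 GiB through with a wrong, small size. The function names, the `kMaxBufferBytes` limit and the sample lengths are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumed limit for this example: the buffer size must fit a signed 32-bit int.
static const uint64_t kMaxBufferBytes = std::numeric_limits<int32_t>::max();

// Flawed pattern: narrow first, then treat only a negative value as "too large".
// Any length whose bit 31 happens to be clear after truncation slips through.
bool sizeFromTruncatedLength(int64_t expectedLength, uint32_t& size)
{
    int32_t narrowed = static_cast<int32_t>(static_cast<uint32_t>(expectedLength));
    if (narrowed < 0)
        return false;
    size = static_cast<uint32_t>(narrowed);
    return true;
}

// Checked pattern: compare in 64 bits against the limit, narrow only afterwards.
bool sizeFromCheckedLength(int64_t expectedLength, uint32_t& size)
{
    if (expectedLength < 0 || static_cast<uint64_t>(expectedLength) > kMaxBufferBytes)
        return false;
    size = static_cast<uint32_t>(expectedLength);
    return true;
}

// Growth for the streaming case (total size unknown upfront): compute the needed
// size in 64 bits so used + incoming cannot wrap, double until it fits, and clamp
// to the limit instead of overflowing the capacity.
bool grownCapacity(uint32_t capacity, uint32_t used, uint32_t incoming, uint32_t& newCapacity)
{
    uint64_t needed = static_cast<uint64_t>(used) + incoming;
    if (needed > kMaxBufferBytes)
        return false;
    uint64_t candidate = capacity ? capacity : 1;
    while (candidate < needed)
        candidate *= 2;
    if (candidate > kMaxBufferBytes)
        candidate = kMaxBufferBytes;
    newCapacity = static_cast<uint32_t>(candidate);
    return true;
}

int main()
{
    // Constructed sample lengths: 1000 bytes, 3 GiB, 4 GiB, 5 GiB.
    const int64_t samples[] = { 1000, 3221225472LL, 4294967296LL, 5368709120LL };
    for (int64_t length : samples) {
        uint32_t flawed = 0, checked = 0;
        bool flawedOk = sizeFromTruncatedLength(length, flawed);
        bool checkedOk = sizeFromCheckedLength(length, checked);
        std::printf("%lld: truncated=%s(%u) checked=%s(%u)\n",
            static_cast<long long>(length),
            flawedOk ? "accept" : "reject", flawed,
            checkedOk ? "accept" : "reject", checked);
    }
    return 0;
}
```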

12:41 AM Changeset in webkit [186309] by Carlos Garcia Campos
  • 3 edits
    4 adds in releases/WebKitGTK/webkit-2.8

Merge r184440 - REGRESSION (Subpixel): Dashed underline is missing when box is positioned at subpixels.
https://bugs.webkit.org/show_bug.cgi?id=145097
rdar://problem/18588415

Reviewed by Simon Fraser.

Dashed and dotted border painting needs clipping in order to properly display corners.
Similarly to solid border's quad calculation, we pixelsnap the border positions before computing the clipping quad values.

Source/WebCore:

Tests: fast/borders/dashed-border-on-subpixel-position.html
       fast/borders/dotted-border-on-subpixel-position.html

  • rendering/RenderBoxModelObject.cpp:

(WebCore::RenderBoxModelObject::clipBorderSidePolygon):

LayoutTests:

  • fast/borders/dashed-border-on-subpixel-position-expected.html: Added.
  • fast/borders/dashed-border-on-subpixel-position.html: Added.
  • fast/borders/dotted-border-on-subpixel-position-expected.html: Added.
  • fast/borders/dotted-border-on-subpixel-position.html: Added.
12:40 AM Changeset in webkit [186308] by Carlos Garcia Campos
  • 11 edits
    2 adds in releases/WebKitGTK/webkit-2.8

Merge r184434 - When redirecting to data URL use HTTP response for same origin policy checks
https://bugs.webkit.org/show_bug.cgi?id=145054
rdar://problem/20299050

Reviewed by Alexey Proskuryakov.

Source/WebCore:

Test: http/tests/security/canvas-remote-read-data-url-image-redirect.html

  • dom/ScriptElement.cpp:

(WebCore::ScriptElement::notifyFinished):

  • dom/ScriptExecutionContext.cpp:

(WebCore::ScriptExecutionContext::sanitizeScriptError):

  • html/canvas/CanvasRenderingContext.cpp:

(WebCore::CanvasRenderingContext::wouldTaintOrigin):

  • loader/ImageLoader.cpp:

(WebCore::ImageLoader::notifyFinished):

  • loader/MediaResourceLoader.cpp:

(WebCore::MediaResourceLoader::responseReceived):

  • loader/TextTrackLoader.cpp:

(WebCore::TextTrackLoader::notifyFinished):

  • loader/cache/CachedImage.cpp:

(WebCore::CachedImage::isOriginClean):

  • loader/cache/CachedResource.cpp:

(WebCore::CachedResource::passesAccessControlCheck):
(WebCore::CachedResource::passesSameOriginPolicyCheck):

Factor repeatedly used same origin policy test into a function.

(WebCore::CachedResource::redirectReceived):

When redirecting to a data URL save the redirect response.

(WebCore::CachedResource::responseForSameOriginPolicyChecks):

In case we got redirected to data use that response instead of the final data response for policy checks.

  • loader/cache/CachedResource.h:

LayoutTests:

  • http/tests/security/canvas-remote-read-data-url-image-redirect-expected.txt: Added.
  • http/tests/security/canvas-remote-read-data-url-image-redirect.html: Added.
12:19 AM Changeset in webkit [186307] by Carlos Garcia Campos
  • 2 edits in releases/WebKitGTK/webkit-2.8/Source/JavaScriptCore

Merge r184414 - [ARM64] Do not fail branchConvertDoubleToInt32 when the result is zero and not negative zero
https://bugs.webkit.org/show_bug.cgi?id=144976

Patch by Benjamin Poulain <bpoulain@apple.com> on 2015-05-15
Reviewed by Michael Saboff.

Failing the conversion on zero is pretty dangerous as we discovered on x86.

This patch does not really impact performance significantly because
r184220 removed the zero checks from Kraken. This patch is just to be
on the safe side for cases not covered by existing benchmarks.

  • assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::branchConvertDoubleToInt32):

12:13 AM Changeset in webkit [186306] by timothy@apple.com
  • 4 edits in trunk/Source/WebInspectorUI

Web Inspector: Exceptions in Network timeline when resource updates and filters are applied
https://bugs.webkit.org/show_bug.cgi?id=146609

Reviewed by Joseph Pecoraro.

  • UserInterface/Views/DataGrid.js:

(WebInspector.DataGrid.prototype.insertChild):
(WebInspector.DataGrid.prototype.removeChild):
(WebInspector.DataGridNode.prototype.savePosition):
Convert exceptions to asserts and early returns.

  • UserInterface/Views/TimelineDataGrid.js:

(WebInspector.TimelineDataGrid.prototype._refreshDirtyDataGridNodes): Add some asserts and checks.

  • UserInterface/Views/TreeOutline.js:

(WebInspector.TreeOutline.prototype.appendChild):
(WebInspector.TreeOutline.prototype.insertChild):
(WebInspector.TreeOutline.prototype.removeChildAtIndex):
(WebInspector.TreeOutline.prototype.removeChild):
Convert exceptions to asserts and early returns.

12:02 AM Changeset in webkit [186305] by Carlos Garcia Campos
  • 3 edits in releases/WebKitGTK/webkit-2.8/Source/WebCore

Merge r184394 - Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count
https://bugs.webkit.org/show_bug.cgi?id=145042

Reviewed by David Hyatt.

RenderFlowThread previously used a ListHashSet to store its stack of active objects. This
is problematic because, if the same object is pushed twice, only a single entry of that
object is added to the stack. After this occurs, a matching number of pushes will pop too
many items off the stack, causing a crash when popping a stack with zero items. This
specifically happens in FrameView::layout(), which will push its root renderer on the stack
of active items, and then ask the root to layout(), which will attempt to push itself on the
stack of active items.

Instead of a ListHashSet, use a Vector, which has similar memory characteristics and no
uniqueness requirements.

  • rendering/RenderFlowThread.cpp:

(WebCore::RenderFlowThread::pushFlowThreadLayoutState):
(WebCore::RenderFlowThread::popFlowThreadLayoutState):

  • rendering/RenderFlowThread.h:
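The push/pop mismatch described in r184394, as an added model (not WebKit code): `UniqueOrderedStack` stands in for an insertion-ordered set used as a stack, `VectorStack` for the replacement, and all class and function names are assumptions. It goes slightly beyond the commit message by also showing that a re-entrant push leaves the wrong object on top after the inner pop.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

struct Renderer { const char* name; };

// Stand-in for an insertion-ordered set: pushing an object already present is a no-op.
class UniqueOrderedStack {
public:
    void push(const Renderer* r)
    {
        if (std::find(m_items.begin(), m_items.end(), r) == m_items.end())
            m_items.push_back(r);
    }
    // Returns false on underflow; the real code crashed at this point instead.
    bool pop()
    {
        if (m_items.empty())
            return false;
        m_items.pop_back();
        return true;
    }
    const Renderer* top() const { return m_items.empty() ? nullptr : m_items.back(); }
private:
    std::vector<const Renderer*> m_items;
};

// Plain vector: duplicates are kept, so every push has exactly one matching pop.
class VectorStack {
public:
    void push(const Renderer* r) { m_items.push_back(r); }
    bool pop()
    {
        if (m_items.empty())
            return false;
        m_items.pop_back();
        return true;
    }
    const Renderer* top() const { return m_items.empty() ? nullptr : m_items.back(); }
private:
    std::vector<const Renderer*> m_items;
};

// The sequence from the commit message: the frame view pushes the root renderer,
// then the root's own layout pushes itself again; both later pop once.
template<typename Stack>
size_t underflowsAfterNestedRootLayout()
{
    Renderer root = { "root" };
    Stack stack;
    stack.push(&root); // outer push (frame view layout)
    stack.push(&root); // inner push (root layout)
    size_t underflows = 0;
    for (int i = 0; i < 2; ++i) {
        if (!stack.pop())
            ++underflows;
    }
    return underflows;
}

// Re-entrant push with another object in between: after the inner pop the child
// should be the active object again.
template<typename Stack>
bool topIsChildAfterInnerPop()
{
    Renderer root = { "root" };
    Renderer child = { "child" };
    Stack stack;
    stack.push(&root);
    stack.push(&child);
    stack.push(&root); // no-op in the set-backed stack
    stack.pop();       // set-backed stack removes the child instead of the root
    return stack.top() == &child;
}

int main()
{
    std::printf("set-backed underflows: %zu, vector underflows: %zu\n",
        underflowsAfterNestedRootLayout<UniqueOrderedStack>(),
        underflowsAfterNestedRootLayout<VectorStack>());
    std::printf("child on top after inner pop: set-backed=%d vector=%d\n",
        topIsChildAfterInnerPop<UniqueOrderedStack>() ? 1 : 0,
        topIsChildAfterInnerPop<VectorStack>() ? 1 : 0);
    return 0;
}
```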

Jul 5, 2015:

11:32 PM Changeset in webkit [186304] by Chris Dumez
  • 5 edits in trunk/Source

[WK2] Current page's scroll position is lost when transferring sessionState from one view to another
https://bugs.webkit.org/show_bug.cgi?id=146625
<rdar://problem/21585268>

Reviewed by Gavin Barraclough.

Source/WebCore:

Export HistoryController:saveScrollPositionAndViewStateToItem()
so that it can be called from WebKit2.

  • loader/HistoryController.h:

Source/WebKit2:

The current page's scroll position was lost when transferring the
sessionState from one view to another. This is because we only update
the current WebBackForwardListItem after navigating away.
However, when the client swaps WebViews for navigating, we don't detect
this as navigating away and the current WebBackForwardListItem is not
updated with the current page's state (including the scroll position).
This means that the information is not transferred via the sessionState
and the scroll position (among other things) ends up being lost when
navigating back in the new WebView.

Retrieving the session state is a synchronous API and we want to avoid
doing a synchronous IPC between the UIProcess and the WebProcess to
retrieve the current page's state. Therefore, the approach chosen in
this patch is to detect when the user is done scrolling the main frame
(using a HysteresisActivity) and then update the scroll position on the
current HistoryItem. This way, the current WebBackForwardListItem
normally has an up-to-date scroll position for the main frame when the
sessionState is queried by the client.

The solution is not perfect as we don't keep the whole page state
up-to-date for the current WebBackForwardListItem, only the main frame
state. However, the proposed solution is cheap, avoids synchronous IPC
and provides a much better user experience in most cases.

  • WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::WebPage):
(WebKit::WebPage::pageDidScroll):
(WebKit::WebPage::pageStoppedScrolling):

  • WebProcess/WebPage/WebPage.h:
11:26 PM Changeset in webkit [186303] by timothy@apple.com
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Cached resources are missing startTime and size in Network timeline
https://bugs.webkit.org/show_bug.cgi?id=146607

Reviewed by Joseph Pecoraro.

  • UserInterface/Controllers/FrameResourceManager.js:

(WebInspector.FrameResourceManager.prototype.resourceRequestWasServedFromMemoryCache): Pass elapsedTime in the right argument order.
Add missing calls to Resource.increaseSize and Resource.increaseTransferSize.
(WebInspector.FrameResourceManager.prototype.resourceRequestDidReceiveResponse): Pass elapsedTime in the right argument order.

11:23 PM Changeset in webkit [186302] by timothy@apple.com
  • 7 edits in trunk/Source/WebInspectorUI

Web Inspector: Dim more borders when the window is inactive
https://bugs.webkit.org/show_bug.cgi?id=146608

Reviewed by Joseph Pecoraro.

  • UserInterface/Views/DataGrid.css:

(body.window-inactive .data-grid th):
(body.window-inactive .data-grid :matches(th, td):not(:last-child)):

  • UserInterface/Views/NavigationSidebarPanel.css:

(body.window-inactive .sidebar > .panel.navigation > .overflow-shadow):

  • UserInterface/Views/OverviewTimelineView.css:

(body.window-inactive .timeline-view.overview > .timeline-ruler > .header):

  • UserInterface/Views/TimelineDataGrid.css:

(body.window-inactive .data-grid.timeline th):
(body.window-inactive .data-grid.timeline > .navigation-bar-container > .navigation-bar):

  • UserInterface/Views/TimelineRuler.css:

(body.window-inactive .timeline-ruler > .header):
(body.window-inactive .timeline-ruler > .header > .divider):

  • UserInterface/Views/TimelineSidebarPanel.css:

(body.window-inactive .sidebar > .panel.navigation.timeline > .status-bar):
(body.window-inactive .sidebar > .panel.navigation.timeline > .title-bar):
(body.window-inactive .sidebar > .panel.navigation.timeline > .title-bar.timeline-events):

11:20 PM Changeset in webkit [186301] by timothy@apple.com
  • 6 edits in trunk/Source/WebInspectorUI

Web Inspector: Timeline row selection should have same background color in sidebar and data grid
https://bugs.webkit.org/show_bug.cgi?id=146606

Support a force-focus class name that TreeOutlineDataGridSynchronizer applies when one of the
elements is focused, so the other can look focused too.

Reviewed by Joseph Pecoraro.

  • UserInterface/Views/DataGrid.css:

(.data-grid:matches(:focus, .force-focus) tr.selected td:not(:last-child)):
(.data-grid:matches(:focus, .force-focus) tr.parent.selected td.disclosure::before):
(.data-grid:matches(:focus, .force-focus) tr.parent.expanded.selected td.disclosure::before):
(.data-grid:matches(:focus, .force-focus) tr.selected):
(.data-grid:matches(:focus, .force-focus) tr.selected td .subtitle):

  • UserInterface/Views/Main.css:

(:matches(:focus, .force-focus) .selected .go-to-arrow):
(:matches(:focus, .force-focus) .selected .go-to-arrow:active):

  • UserInterface/Views/NavigationSidebarPanel.css:

(.navigation-sidebar-panel-content-tree-outline:matches(:focus, .force-focus) .item.selected .disclosure-button):
(.navigation-sidebar-panel-content-tree-outline:matches(:focus, .force-focus) .item.selected.expanded .disclosure-button):
(.navigation-sidebar-panel-content-tree-outline:matches(:focus, .force-focus) .item.selected):
(.navigation-sidebar-panel-content-tree-outline:matches(:focus, .force-focus) .item.selected .subtitle):

  • UserInterface/Views/TreeElementStatusButton.css:

(:matches(:focus, .force-focus) .item.selected > .status > .status-button > svg .filled):
(:matches(:focus, .force-focus) .item.selected > .status > .status-button > svg .stroked):

  • UserInterface/Views/TreeOutlineDataGridSynchronizer.js:

(WebInspector.TreeOutlineDataGridSynchronizer):
(WebInspector.TreeOutlineDataGridSynchronizer.prototype._dataGridGainedFocus): Added.
(WebInspector.TreeOutlineDataGridSynchronizer.prototype._dataGridLostFocus): Added.
(WebInspector.TreeOutlineDataGridSynchronizer.prototype._treeOutlineGainedFocus): Added.
(WebInspector.TreeOutlineDataGridSynchronizer.prototype._treeOutlineLostFocus): Added.

9:36 PM Changeset in webkit [186300] by Yusuke Suzuki
  • 3 edits in trunk/LayoutTests

Update toLength / toInteger names in control profiler test results
https://bugs.webkit.org/show_bug.cgi?id=146229

Reviewed by Simon Fraser.

ToLength / ToInteger are renamed to toLength / toInteger.
Update the names in the test results for control profiler.

  • fast/profiler/built-in-function-calls-anonymous-expected.txt:
  • fast/profiler/built-in-function-calls-user-defined-function-expected.txt:
9:29 PM Changeset in webkit [186299] by Simon Fraser
  • 5 edits
    2 adds in trunk

REGRESSION (r180582): background-attachment: local; does not scroll the background image when scrolling the element's contents
https://bugs.webkit.org/show_bug.cgi?id=146623

Reviewed by Zalan Bujtas.

Source/WebCore:

r180582 erroneously asserted that m_destOrigin in BackgroundImageGeometry was unused.
However, it is needed to compute the correct phase when the destination rect is
altered by clipping.

Test: fast/backgrounds/background-attachment-local.html

  • rendering/RenderBoxModelObject.cpp:

(WebCore::RenderBoxModelObject::paintFillLayerExtended):
(WebCore::RenderBoxModelObject::calculateBackgroundImageGeometry):

  • rendering/RenderBoxModelObject.h:

(WebCore::BackgroundImageGeometry::BackgroundImageGeometry):
(WebCore::BackgroundImageGeometry::relativePhase):

  • rendering/svg/RenderSVGResourceMasker.cpp:

(WebCore::RenderSVGResourceMasker::drawMaskForRenderer):

LayoutTests:

Ref test for background-attachment: local.

  • fast/backgrounds/background-attachment-local-expected.html: Added.
  • fast/backgrounds/background-attachment-local.html: Added.
7:01 PM Changeset in webkit [186298] by Yusuke Suzuki
  • 23 edits
    2 moves
    4 adds
    2 deletes in trunk

[ES6] Implement the latest Promise spec in JS
https://bugs.webkit.org/show_bug.cgi?id=146229

Reviewed by Sam Weinig.

Source/JavaScriptCore:

Updated the Promise implementation to meet the ES6 spec.
This patch

  1. Implement ES6 Promise and related abstract operations in builtins JS
  2. Expose @enqueueJob private function to JS world to post the microtask

Updated implementation has one-on-one correspondence to the ES6 spec description.
And keep the JSPromiseDeferred because it is the interface used from the WebCore.

(reduce):
(reduceRight):
(every):
(forEach):
(filter):
(map):
(some):
(fill):
(find):
(findIndex):
(includes):
(copyWithin):
ToInteger / ToLength are renamed to toInteger and toLength.

  • builtins/ArrayConstructor.js:

(from):
ToInteger / ToLength are renamed to toInteger and toLength.

  • builtins/GlobalObject.js:

(toInteger):
(toLength):
(isObject):
(ToInteger): Deleted.
(ToLength): Deleted.
ToInteger / ToLength are renamed to toInteger and toLength.
Add new abstract operation, isObject.

  • builtins/Operations.Promise.js: Added.

(isPromise):
(newPromiseReaction):
(newPromiseDeferred):
(newPromiseCapability.executor):
(newPromiseCapability):
(triggerPromiseReactions):
(rejectPromise):
(fulfillPromise):
(createResolvingFunctions.resolve):
(createResolvingFunctions.reject):
(createResolvingFunctions):
(promiseReactionJob):
(promiseResolveThenableJob):
(initializePromise):
Added Promise related abstract operations.

  • builtins/Promise.prototype.js:

(catch):
(.onFulfilled):
(.onRejected):
(then):
Promise#then implementation in JS.

  • builtins/PromiseConstructor.js: Added.

(all.newResolveElement):
(all):
(race):
(reject):
(resolve):
Promise static functions implementations in JS.

  • builtins/StringConstructor.js:

(raw):
ToInteger / ToLength are renamed to toInteger and toLength.

  • inspector/JSInjectedScriptHost.cpp:

(Inspector::JSInjectedScriptHost::getInternalProperties):

  • runtime/CommonIdentifiers.h:
  • runtime/JSGlobalObject.cpp:

(JSC::enqueueJob):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):

  • runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::initializePromiseFunction):
(JSC::JSGlobalObject::newPromiseDeferredFunction):

  • runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.

(JSC::createJSJob):
(JSC::JSJobMicrotask::run):

  • runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
  • runtime/JSPromise.cpp:

(JSC::JSPromise::create):
(JSC::JSPromise::JSPromise):
(JSC::JSPromise::finishCreation):
(JSC::JSPromise::result):
(JSC::JSPromise::destroy): Deleted.
(JSC::JSPromise::visitChildren): Deleted.
(JSC::JSPromise::reject): Deleted.
(JSC::JSPromise::resolve): Deleted.
(JSC::JSPromise::appendResolveReaction): Deleted.
(JSC::JSPromise::appendRejectReaction): Deleted.
(JSC::triggerPromiseReactions): Deleted.

  • runtime/JSPromise.h:

(JSC::JSPromise::status): Deleted.
(JSC::JSPromise::result): Deleted.
(JSC::JSPromise::constructor): Deleted.

  • runtime/JSPromiseConstructor.cpp:

(JSC::constructPromise):
(JSC::JSPromiseConstructorFuncResolve): Deleted.
(JSC::JSPromiseConstructorFuncReject): Deleted.
(JSC::performPromiseRaceLoop): Deleted.
(JSC::JSPromiseConstructorFuncRace): Deleted.
(JSC::performPromiseAll): Deleted.
(JSC::JSPromiseConstructorFuncAll): Deleted.

  • runtime/JSPromiseDeferred.cpp:

(JSC::JSPromiseDeferred::create):
(JSC::createJSPromiseDeferredFromConstructor): Deleted.
(JSC::updateDeferredFromPotentialThenable): Deleted.
(JSC::performDeferredResolve): Deleted.
(JSC::performDeferredReject): Deleted.
(JSC::abruptRejection): Deleted.

  • runtime/JSPromiseDeferred.h:
  • runtime/JSPromiseFunctions.cpp: Removed.

(JSC::deferredConstructionFunction): Deleted.
(JSC::createDeferredConstructionFunction): Deleted.
(JSC::identifyFunction): Deleted.
(JSC::createIdentifyFunction): Deleted.
(JSC::promiseAllCountdownFunction): Deleted.
(JSC::createPromiseAllCountdownFunction): Deleted.
(JSC::promiseResolutionHandlerFunction): Deleted.
(JSC::createPromiseResolutionHandlerFunction): Deleted.
(JSC::rejectPromiseFunction): Deleted.
(JSC::createRejectPromiseFunction): Deleted.
(JSC::resolvePromiseFunction): Deleted.
(JSC::createResolvePromiseFunction): Deleted.
(JSC::throwerFunction): Deleted.
(JSC::createThrowerFunction): Deleted.

  • runtime/JSPromisePrototype.cpp:

(JSC::JSPromisePrototypeFuncThen): Deleted.

  • runtime/JSPromiseReaction.cpp: Removed.

(JSC::createExecutePromiseReactionMicrotask): Deleted.
(JSC::ExecutePromiseReactionMicrotask::run): Deleted.
(JSC::JSPromiseReaction::create): Deleted.
(JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
(JSC::JSPromiseReaction::finishCreation): Deleted.
(JSC::JSPromiseReaction::visitChildren): Deleted.

  • runtime/VM.cpp:

(JSC::VM::VM): Deleted.

  • runtime/VM.h:

LayoutTests:

Add a test to guarantee that Promise.resolve looks up then field synchronously.

  • js/dom/Promise-resolve-lookup-then-expected.txt: Added.
  • js/dom/Promise-resolve-lookup-then.html: Added.
5:04 PM WebKitGTK/2.8.x edited by Michael Catanzaro
Un-propose r185320, it got reverted (diff)
5:00 PM WebKitGTK/2.8.x edited by Michael Catanzaro
Propose r186296 (diff)
4:09 PM Changeset in webkit [186297] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

REGRESSION (El Capitan): Slider thumb of range input is rotated on reference tests

Fix tracked by <rdar://problem/21677831>.

  • platform/mac/TestExpectations: Mark tests as image-only failures:
  • css3/flexbox/flexitem-stretch-range.html
  • fast/forms/range/input-appearance-range-rtl.html
  • fast/forms/range/range-change-min-max.html
1:36 PM Changeset in webkit [186296] by timothy@apple.com
  • 2 edits in trunk/Source/WebKit2

Crash when closing the web inspector
https://bugs.webkit.org/show_bug.cgi?id=146620

Reviewed by Darin Adler.

  • WebProcess/WebPage/WebInspectorUI.cpp:

(WebKit::WebInspectorUI::closeWindow): Null check the connection, like it is
in other places where it is used.

12:10 PM Changeset in webkit [186295] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

REGRESSION (r186198): js/dom/global-constructors-attributes.html fails on El Capitan

  • platform/mac/js/dom/global-constructors-attributes-expected.txt:

Update results after r186198.

12:10 PM Changeset in webkit [186294] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

fast/canvas/webgl/oes-texture-half-float-linear.html is flakey on Yosemite Release/Debug WK1/WK2

<http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=fast%2Fcanvas%2Fwebgl%2Foes-texture-half-float-linear.html>

  • platform/mac/TestExpectations: Mark test as flaky:
  • fast/canvas/webgl/oes-texture-half-float-linear.html
12:10 PM Changeset in webkit [186293] by ddkilzer@apple.com
  • 4 edits in trunk/LayoutTests

fast/forms/textarea/textarea-state-restore.html is flaky on WK2

<http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=fast%2Fforms%2Ftextarea%2Ftextarea-state-restore.html>

Fix tracked by <http://webkit.org/b/90980>.

  • platform/efl/TestExpectations: Move expectation from here...
  • platform/gtk/TestExpectations: ...and here...
  • platform/wk2/TestExpectations: ...to here:
  • fast/forms/textarea/textarea-state-restore.html
12:10 PM Changeset in webkit [186292] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-allow.html crashes on Windows Debug

<https://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=http%2Ftests%2Fsecurity%2FXFrameOptions%2Fx-frame-options-parent-same-origin-allow.html>

  • platform/win/TestExpectations: Mark as crashing:
  • http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-allow.html
12:10 PM Changeset in webkit [186291] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

webgl/1.0.2/conformance/more/functions/copyTexImage2DBadArgs.html fails due to truncated expected results on Yosemite Debug WK1

<http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=webgl%2F1.0.2%2Fconformance%2Fmore%2Ffunctions%2FcopyTexImage2DBadArgs.html>

Fix tracked by <http://webkit.org/b/146622>.

  • platform/mac-wk1/TestExpectations: Mark as flaky:
  • webgl/1.0.2/conformance/more/functions/copyTexImage2DBadArgs.html
12:10 PM Changeset in webkit [186290] by ddkilzer@apple.com
  • 2 edits in trunk/LayoutTests

fast/preloader/document-write-2.html is flaky on WK2

<http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=fast%2Fpreloader%2Fdocument-write-2.html>

When the test fails, the first two lines are reversed:

@@ -1,2 +1,2 @@
+script1.js has MIME type text/javascript

document-write-plaintext.js has MIME type text/javascript

-script1.js has MIME type text/javascript
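
Review bot: the flaky expectation for fast/preloader/document-write-2.html cites no tracking bug, unlike the neighbouring expectation changes in r186293 and r186291, which each carry a "Fix tracked by" line. The hunk shows the script1.js and document-write-plaintext.js lines swapping position in the output, so the order of the two reported loads is what varies between runs. File a bug for that ordering and reference it next to the expectation, so the flaky marking can be dropped once the order is deterministic.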

  • platform/wk2/TestExpectations: Mark test as flaky:
  • fast/preloader/document-write-2.html
11:46 AM Changeset in webkit [186289] by Devin Rousso
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Deleting in the CSS sidebar causes the warning icon to appear mid-word
https://bugs.webkit.org/show_bug.cgi?id=146617

Reviewed by Timothy Hatcher.

  • UserInterface/Views/CSSStyleDeclarationTextEditor.js:

(WebInspector.CSSStyleDeclarationTextEditor.prototype._handleBeforeChange): Now removes all marks whenever the user deletes.
(WebInspector.CSSStyleDeclarationTextEditor.prototype._createTextMarkerForPropertyIfNeeded): The invalid marker now calculates
its position based off of where the semicolon is in the property text.

11:23 AM Changeset in webkit [186288] by Devin Rousso
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: CSS rule with 2 pseudo-selectors appears twice
https://bugs.webkit.org/show_bug.cgi?id=146576

Reviewed by Timothy Hatcher.

  • UserInterface/Views/RulesStyleDetailsPanel.js:

(WebInspector.RulesStyleDetailsPanel.prototype.refresh):
Only adds pseudo-elements if the previous pseudo-element has a different selector.

1:15 AM Changeset in webkit [186287] by Chris Dumez
  • 4 edits in trunk/Source/WebCore

[WK2] WebBackForwardListItems' pageState is not kept up-to-date
https://bugs.webkit.org/show_bug.cgi?id=146614
<rdar://problem/21585268>

Reviewed by Gavin Barraclough.

WebBackForwardListItems' pageState on UIProcess-side were not kept
up-to-date when it was updated on WebContent process side. This meant
that we were losing the scroll position (among other things) when
transferring the session state over from one view to another.

We now call notifyHistoryItemChanged(item) after saving the scroll
position and the view state on the HistoryItem. As a result, the
WebBackForwardListProxy will send the updated pageState to the
UIProcess.

  • history/HistoryItem.cpp:

(WebCore::HistoryItem::notifyChanged):

  • history/HistoryItem.h:
  • loader/HistoryController.cpp:

(WebCore::HistoryController::saveScrollPositionAndViewStateToItem):

Jul 4, 2015:

2:51 PM Changeset in webkit [186286] by Devin Rousso
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Wrong cursor position in styles panel when deleting a line break
https://bugs.webkit.org/show_bug.cgi?id=146577

Reviewed by Timothy Hatcher.

  • UserInterface/Views/CSSStyleDeclarationTextEditor.js:

(WebInspector.CSSStyleDeclarationTextEditor):
(WebInspector.CSSStyleDeclarationTextEditor.prototype._handleBeforeChange): If the change is a deletion at the beginning of a line,
remove all markers on that line to ensure that there is no blank space on the previous line after deleting.

2:49 PM Changeset in webkit [186285] by Devin Rousso
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Pressing tab on a newline in the console should insert a tab character
https://bugs.webkit.org/show_bug.cgi?id=146612

Reviewed by Timothy Hatcher.

  • UserInterface/Views/ConsolePrompt.js:

(WebInspector.ConsolePrompt.prototype._handleTabKey): Tabs can now be inserted at the beginning of newlines and before the first
non-space character on any other line.

2:48 PM Changeset in webkit [186284] by Devin Rousso
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: Pressing enter on a newline in the styles sidebar inserts a semicolon
https://bugs.webkit.org/show_bug.cgi?id=146611

Reviewed by Timothy Hatcher.

  • UserInterface/Views/CSSStyleDeclarationTextEditor.js:

(WebInspector.CSSStyleDeclarationTextEditor.prototype._handleEnterKey): Now returns if the line is empty.

2:46 PM Changeset in webkit [186283] by Devin Rousso
  • 6 edits in trunk/Source/WebInspectorUI

Web Inspector: Console should indicate if you have unseen messages in console due to filters
https://bugs.webkit.org/show_bug.cgi?id=143166

Reviewed by Timothy Hatcher.

  • UserInterface/Controllers/JavaScriptLogViewController.js:

(WebInspector.JavaScriptLogViewController.prototype.updatePreviousMessageRepeatCount): Now returns true/false depending on if
the message count was actually updated.

  • UserInterface/Views/LogContentView.css:

(.log-scope-bar > li.unread): Applies the unread-border-pulse keyframe animation.
(.log-scope-bar > li.unread.errors): The pulsing border is colored red.
(.log-scope-bar > li.unread.warnings): The pulsing border is colored yellow(ish).
(.log-scope-bar > li.unread.logs): The pulsing border is colored grey.
(@keyframes unread-border-pulse): Changes the color of the border from transparent to whatever is specified.

  • UserInterface/Views/LogContentView.js:

(WebInspector.LogContentView):
(WebInspector.LogContentView.prototype._determineMessageLevel):
(WebInspector.LogContentView.prototype._pulseScopeBarItemBorder): Adds the class "unread" to the scope bar item whose panel
the newest message belongs to, but only if that panel or the All panel is not visible.
(WebInspector.LogContentView.prototype._messageAdded):
(WebInspector.LogContentView.prototype._previousMessageRepeatCountUpdated):
(WebInspector.LogContentView.prototype._scopeBarSelectionDidChange): Clears the "unread" class on the selected scope bar item.
(WebInspector.LogContentView.prototype._filterMessageElements):

  • UserInterface/Views/ScopeBar.js:

(WebInspector.ScopeBar.prototype.get items): Returns a list of all the items in the scope bar.

  • UserInterface/Views/ScopeBarItem.js:

(WebInspector.ScopeBarItem): Added another parameter to allow for a custom class name.

2:44 PM Changeset in webkit [186282] by Devin Rousso
  • 3 edits in trunk/Source/WebInspectorUI

Web Inspector: Pseudo Styles Ordering and Media Queries
https://bugs.webkit.org/show_bug.cgi?id=145979

Reviewed by Timothy Hatcher.

  • UserInterface/Views/RulesStyleDetailsPanel.css:

(.sidebar > .panel.details.css-style > .content.filter-in-progress .label:not(.filter-section-non-matching) + .label.filter-matching-label:not(.filter-section-non-matching)):
Fix filter label styling with pseudo selectors.

  • UserInterface/Views/RulesStyleDetailsPanel.js:

(WebInspector.RulesStyleDetailsPanel.prototype.refresh): Pseudo-selector rules will now order directly after the last style that
matches the pseudo-selector without the pseudo-element. If no rules match, place the pseudo-selector rules above the first
inherited or UserAgent rule (whichever comes first).

2:41 PM Changeset in webkit [186281] by Devin Rousso
  • 3 edits
    6 adds in trunk/Source/WebInspectorUI

REGRESSION(r184000): Web Inspector: Multiline CSS in Styles Sidebar is marked as invalid
https://bugs.webkit.org/show_bug.cgi?id=146178

Reviewed by Timothy Hatcher.

First changes made by Tobias Reiss <tobi+webkit@basecode.de>

  • Tools/PrettyPrinting/css-rule-tests/add-whitespace-between-values-expected.css: Added.
  • Tools/PrettyPrinting/css-rule-tests/add-whitespace-between-values.css: Added.
  • Tools/PrettyPrinting/css-rule-tests/add-whitespace-between-rules-expected.css: Added.
  • Tools/PrettyPrinting/css-rule-tests/add-whitespace-between-rules.css: Added.
  • Tools/PrettyPrinting/css-rule-tests/remove-newline-between-values-expected.css: Added.
  • Tools/PrettyPrinting/css-rule-tests/remove-newline-between-values.css: Added.
  • Tools/PrettyPrinting/index.html:

Add regression tests.

  • UserInterface/Views/CodeMirrorFormatters.js:

Remove newlines before values that belong in one line and add whitespace between values.

2:31 PM Changeset in webkit [186280] by Chris Dumez
  • 3 edits in trunk/Source/WebCore

Unreviewed Windows build fix after r186279.

  • platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp:

(WebCore::AVFWrapper::destroyVideoLayer):

  • platform/graphics/ca/win/CACFLayerTreeHost.cpp:

(WebCore::CACFLayerTreeHost::destroyRenderer):

12:42 PM Changeset in webkit [186279] by Chris Dumez
  • 199 edits in trunk

Drop RefPtr::clear() method
https://bugs.webkit.org/show_bug.cgi?id=146556

Reviewed by Brady Eidson.

Source/JavaScriptCore:

Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

Source/WebCore:

Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

Source/WebKit:

Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

Source/WebKit/mac:

Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

Source/WebKit/win:

Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

Source/WebKit2:

Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

Source/WTF:

Drop RefPtr::clear() method in favor of "= nullptr;" pattern.
Also made the "= nullptr;" pattern as efficient as clear()
by providing an operator=(nullptr_t) overload. Local micro-
benchmarking showed that "= nullptr;" used to be ~1.7% slower
than clear().

Tools:

Drop RefPtr::clear() method in favor of "= nullptr;" pattern.

7:45 AM Changeset in webkit [186278] by Nikita Vasilyev
  • 2 edits in trunk/Source/WebInspectorUI

Web Inspector: The arrow that appears for Web Inspector Layout & Rendering records overlaps the category switcher
https://bugs.webkit.org/show_bug.cgi?id=146605

Reviewed by Timothy Hatcher.

  • UserInterface/Views/TimelineDataGrid.css:

(.data-grid.timeline > .navigation-bar-container):

Jul 3, 2015:

9:13 PM Changeset in webkit [186277] by mitz@apple.com
  • 3 edits in trunk/Source/JavaScriptCore

Just give up on -Wunreachable-code in JavaScriptCore.

  • Configurations/Base.xcconfig:
  • llint/LowLevelInterpreter.cpp:

(JSC::CLoop::execute):

9:11 PM Changeset in webkit [186276] by mitz@apple.com
  • 2 edits in trunk/Source/WebCore

Fixed the iOS 8 build.

  • editing/cocoa/HTMLConverter.mm:
8:56 PM Changeset in webkit [186275] by Chris Dumez
  • 10 edits
    2 adds in trunk

REGRESSION (r178097): HTMLSelectElement.add(option, undefined) prepends option to the list of options; should append to the end of the list of options
https://bugs.webkit.org/show_bug.cgi?id=146566
<rdar://problem/21663919>

Reviewed by Ryosuke Niwa.

Source/WebCore:

HTMLSelectElement.add(X, undefined) is supposed to be equivalent to
HTMLSelectElement.add(X) which should *append* X. The same is true
for HTMLOptionsCollection.add(X, undefined).

However, due to a bug in our bindings generator for overloaded
operations, the actual behavior was not the expected one. The
second overload would be chosen: add(X, index) and undefined would
be converted as 0-index, which would *prepend* X.

This patch fixes the bindings generator so that undefined is allowed
for optional parameters of an overload operation, when doing the
overload resolution.

Tests:

  • fast/dom/HTMLSelectElement/add.html
  • fast/dom/HTMLSelectElement/options-collection-add.html
  • http/tests/websocket/tests/hybi/undefined-protocol.html
  • bindings/scripts/CodeGeneratorJS.pm:

(GenerateParametersCheckExpression):
Allow undefined value for optional parameters when doing the overload
resolution.

  • bindings/scripts/test/JS/JSTestObj.cpp:

(WebCore::jsTestObjPrototypeFunctionOverloadedMethod):
(WebCore::jsTestObjPrototypeFunctionOverloadedMethodWithOptionalParameter1):
(WebCore::jsTestObjPrototypeFunctionOverloadedMethodWithOptionalParameter2):
(WebCore::jsTestObjPrototypeFunctionOverloadedMethodWithOptionalParameter):

  • bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:

(WebCore::JSTestOverloadedConstructorsConstructor::constructJSTestOverloadedConstructors):

  • bindings/scripts/test/TestObj.idl:

Add bindings tests coverage and rebaseline.

LayoutTests:

  • fast/dom/HTMLSelectElement/add-expected.txt:
  • fast/dom/HTMLSelectElement/add.html:
  • fast/dom/HTMLSelectElement/options-collection-add-expected.txt:
  • fast/dom/HTMLSelectElement/options-collection-add.html:

Update tests so that calling add(X, undefined) is expected to append X,
not prepend it.

  • http/tests/websocket/tests/hybi/undefined-protocol-expected.txt: Added.
  • http/tests/websocket/tests/hybi/undefined-protocol.html: Added.

Add test coverage for "new WebSocket(url, undefined)" as WebSocket is
using constructor overloads with optional parameters. Previously, calling
new WebSocket(url, undefined) was equivalent to calling
new WebSocket(url, "undefined") even though it is supposed to be
equivalent to calling new WebSocket(url).

8:12 PM Changeset in webkit [186274] by mitz@apple.com
  • 2 edits in trunk/Tools

Fixed the iOS build.

  • DumpRenderTree/mac/EventSendingController.mm:

(+[EventSendingController isSelectorExcludedFromWebScript:]):
(+[EventSendingController webScriptNameForSelector:]):

7:55 PM Changeset in webkit [186273] by mitz@apple.com
  • 2 edits in trunk/Source/JavaScriptCore

Fixed the LLINT CLoop build.

  • llint/LowLevelInterpreter.cpp:

(JSC::CLoop::execute):

7:54 PM Changeset in webkit [186272] by mitz@apple.com
  • 2 edits in trunk/Source/WebCore

Fixed the Mavericks build after r186236.

  • loader/cache/CachedResource.h:

(WebCore::CachedResource::url): Removed the export macro from this inline function.

6:41 PM Changeset in webkit [186271] by mitz@apple.com
  • 2 edits in trunk/Source/WebCore

Tried to fix the iOS build.

  • bridge/objc/objc_class.mm:

(JSC::Bindings::ObjcClass::fieldNamed):

6:24 PM Changeset in webkit [186270] by mitz@apple.com
  • 2 edits in trunk/Source/WebCore

Tried to fix the iOS build.

  • editing/cocoa/HTMLConverter.mm:
5:35 PM Changeset in webkit [186269] by mitz@apple.com
  • 2 edits in trunk/Source/WebCore

Tried to fix the iOS build.

  • page/FrameView.cpp:

(WebCore::FrameView::calculateExtendedBackgroundMode):

2:58 PM Changeset in webkit [186268] by mitz@apple.com
  • 45 edits
    1 move in trunk

[Xcode] Update some build settings as recommended by Xcode 7
https://bugs.webkit.org/show_bug.cgi?id=146597

Reviewed by Sam Weinig.

Source/bmalloc:

  • Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE, GCC_NO_COMMON_BLOCKS,
and ENABLE_STRICT_OBJC_MSGSEND. Removed GCC_MODEL_TUNING.

  • bmalloc.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.

Source/JavaScriptCore:

  • Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.

  • dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.

Source/ThirdParty/ANGLE:

  • ANGLE.xcodeproj/project.pbxproj: Enabled CLANG_WARN_BOOL_CONVERSION,
CLANG_WARN_ENUM_CONVERSION, CLANG_WARN_INT_CONVERSION, ENABLE_STRICT_OBJC_MSGSEND and
GCC_NO_COMMON_BLOCKS.

  • Configurations/Base.xcconfig: Updated LastUpgradeCheck.

Source/WebCore:

  • Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE,
GCC_WARN_UNDECLARED_SELECTOR, and GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.

  • WebCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck. Disabled -Wunreachable-code
for two bison-generated source files. Updated for rename of WebScriptObject.h.

  • bindings/objc/WebScriptObject.mm:

(-[WebUndefined dealloc]): Removed unreachable code and suppressed warning about not calling
super.

  • bridge/objc/WebScriptObject.h: Renamed to WebScriptObjectProtocol.h to enable including
the other WebScriptObject.h.

  • bridge/objc/WebScriptObjectProtocol.h: Renamed from WebScriptObject.h.
  • bridge/objc/objc_class.mm: Updated for rename and included WebScriptObject.h because we
use selectors declared in that file.

  • bridge/objc/objc_instance.mm: Ditto.

(ObjCRuntimeMethod::create): Resolved ambiguity between JSC::JSValue and the Objective-C
JSValue class.
(ObjCRuntimeMethod::createStructure): Ditto.
(ObjcInstance::invokeMethod): Ditto.
(ObjcInstance::invokeObjcMethod): Ditto.
(ObjcInstance::invokeDefaultMethod): Ditto.
(ObjcInstance::setValueOfUndefinedField): Ditto.
(ObjcInstance::getValueOfUndefinedField): Ditto.
(ObjcInstance::defaultValue): Ditto.
(ObjcInstance::stringValue): Ditto.
(ObjcInstance::numberValue): Ditto.
(ObjcInstance::booleanValue): Ditto.
(ObjcInstance::valueOf): Ditto.

  • bridge/objc/objc_runtime.h: Moved definition of isFallbackMethod() from here to the
implementation.

  • bridge/objc/objc_runtime.mm: Updated for rename and included WebScriptObject.h because we
use selectors declared in that file.
(JSC::Bindings::ObjcMethod::isFallbackMethod): Moved definition from the header to here.

  • bridge/objc/objc_utility.mm: Updated for rename.
  • cssjit/SelectorCompiler.cpp:

(WebCore::SelectorCompiler::addScrollbarPseudoClassType): Removed unreachable code.

  • platform/graphics/mac/MediaPlayerPrivateQTKit.mm:

Added declarations to the WebCoreMovieObserver interface.
(WebCore::MediaPlayerPrivateQTKit::disableUnsupportedTracks): Suppressed
-Wundeclared-selector around invocation of a selector that is not declared anywhere.

Source/WebInspectorUI:

  • Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
GCC_NO_COMMON_BLOCKS.

  • WebInspectorUI.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.

Source/WebKit:

  • WebKit.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.

Source/WebKit/mac:

  • Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE,
GCC_WARN_UNDECLARED_SELECTOR and GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.

Source/WebKit2:

  • Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.

  • WebKit2.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.

Source/WTF:

  • Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.

  • WTF.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.

Tools:

  • DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
  • DumpRenderTree/mac/Configurations/Base.xcconfig: Enabled GCC_NO_COMMON_BLOCKS,
ENABLE_STRICT_OBJC_MSGSEND, CLANG_WARN_BOOL_CONVERSION, CLANG_WARN_CONSTANT_CONVERSION,
CLANG_WARN_EMPTY_BODY, CLANG_WARN_ENUM_CONVERSION, CLANG_WARN_INT_CONVERSION,
CLANG_WARN_UNREACHABLE_CODE, GCC_WARN_ABOUT_RETURN_TYPE,
GCC_WARN_UNINITIALIZED_AUTOS, and GCC_WARN_UNDECLARED_SELECTOR.

  • DumpRenderTree/mac/EventSendingController.mm:

(+[EventSendingController webScriptNameForSelector:]): Removed check for setDragMode:,
which was removed in r19101.

  • DumpRenderTree/mac/TextInputController.m:

(-[TextInputController interpretKeyEvents:withSender:]): Suppressed -Wundeclared-selector
around use of a selector that is not declared anywhere.

  • MiniBrowser/Configurations/Base.xcconfig: Enabled GCC_NO_COMMON_BLOCKS.
  • MiniBrowser/MiniBrowser.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
  • TestWebKitAPI/Configurations/Base.xcconfig: Enabled GCC_NO_COMMON_BLOCKS,
ENABLE_STRICT_OBJC_MSGSEND, CLANG_WARN_BOOL_CONVERSION, CLANG_WARN_CONSTANT_CONVERSION,
CLANG_WARN_EMPTY_BODY, CLANG_WARN_ENUM_CONVERSION, CLANG_WARN_INT_CONVERSION,
CLANG_WARN_UNREACHABLE_CODE, GCC_WARN_ABOUT_RETURN_TYPE,
GCC_WARN_UNINITIALIZED_AUTOS, and GCC_WARN_UNDECLARED_SELECTOR.

  • TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
2:55 PM Changeset in webkit [186267] by commit-queue@webkit.org
  • 3 edits in trunk/Source/WebCore

Memory leak for a protected Element having pending events in ImageLoader.
https://bugs.webkit.org/show_bug.cgi?id=146538

Patch by Kyounga Ra <kyounga@alticast.com> on 2015-07-03
Reviewed by Brady Eidson.

If ImageLoader is destroyed before an active derefElementTimer is fired, the protected element's refCount will never be zero.

  • loader/ImageLoader.cpp:

(WebCore::ImageLoader::~ImageLoader):
(WebCore::ImageLoader::updateFromElement):
(WebCore::ImageLoader::updateRenderer):
(WebCore::ImageLoader::updatedHasPendingEvent):
(WebCore::ImageLoader::timerFired):

  • loader/ImageLoader.h:
2:55 PM Changeset in webkit [186266] by Chris Dumez
  • 2 edits in trunk/LayoutTests

Unreviewed, skip http/tests/xmlhttprequest/cross-origin-cookie-storage.html on Windows.

Windows' DumpRenderTree does not implement testRunner.setAlwaysAcceptCookies().

  • platform/win/TestExpectations:
2:15 PM WebKitGTK/2.8.x edited by mario@webkit.org
(diff)
1:54 PM Changeset in webkit [186265] by dbates@webkit.org
  • 19 edits
    2 adds in trunk

REGRESSION (r178097): JavaScript TypeError after clicking on compose button in Yahoo Mail
https://bugs.webkit.org/show_bug.cgi?id=146515
<rdar://problem/21348421>

Reviewed by Chris Dumez.

Source/WebCore:

Fixes an issue where extra arguments passed to a Web IDL overloaded function, whose implementation
is generated by the bindings generator script, are not ignored as per the note in section "Interface object [[Call]] method"
of the Web IDL spec, <http://www.w3.org/TR/2012/CR-WebIDL-20120419/> (19 April 2012).

Currently for an overloaded function the JavaScript bindings generator script emits code to
throw a TypeError when it cannot find a candidate function that takes the same number of
arguments as passed by a caller. Prior to the change made in bug #139179 (r178097), the
bindings code for HTMLSelectElement.add() was written by hand and ignored extra arguments
that were passed to it. Following this change, the bindings code for HTMLSelectElement.add()
is generated by the bindings generator script. Therefore, we throw a TypeError when Yahoo Mail
calls HTMLSelectElement.add() with extra arguments because the code emitted by the bindings
generator script does not ignore them.

  • bindings/scripts/CodeGeneratorJS.pm:

(LengthOfLongestFunctionParameterList): Added. Computes the length of longest overload parameter list.
(GenerateOverloadedFunction): Emit code that ignores more arguments than LengthOfLongestFunctionParameterList().
(GenerateOverloadedConstructorDefinition): Ditto.

  • bindings/scripts/test/JS/JSTestObj.cpp:

(WebCore::jsTestObjPrototypeFunctionOverloadedMethod12): Added; expected result for an overloaded
function that takes a variadic number of Blob elements.
(WebCore::jsTestObjPrototypeFunctionOverloadedMethod): Update expected result. The added
if-conditional expression for the IDL declaration overloadedMethod(Blob... blobArgs) is empty
because we do not support overloading of functions with variadic arguments.
(WebCore::jsTestObjConstructorFunctionOverloadedMethod1):

  • bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:

(WebCore::JSTestOverloadedConstructorsConstructor::constructJSTestOverloadedConstructors5): Added; expected
result for an overloaded constructor that takes a variadic number of long arguments.
(WebCore::JSTestOverloadedConstructorsConstructor::constructJSTestOverloadedConstructors): Update expected
result. The added if-conditional expression for the IDL declaration Constructor(long... longArgs) is empty
because we do not support overloading of constructors with variadic arguments.

  • bindings/scripts/test/TestObj.idl: Added declaration overloadedMethod(Blob...). Also fixed
typo in license block text.

  • bindings/scripts/test/TestOverloadedConstructors.idl: Added declaration Constructor(long... longArgs).
Also fixed typo in license block text.

LayoutTests:

Add new sub-tests to LayoutTests/fast/dom/HTMLSelectElement/{add, options-collection-add}.html,
simplify existing test code, share common code, and update expected results.

Additionally, update results for tests in LayoutTests/fast/canvas now that we ignore extra
arguments passed to a Web IDL overloaded function whose implementation is generated by the
bindings generator script.

  • fast/canvas/canvas-overloads-drawImage-expected.txt:
  • fast/canvas/canvas-overloads-setFillColor-expected.txt:
  • fast/canvas/canvas-overloads-setShadow-expected.txt:
  • fast/canvas/canvas-overloads-setStrokeColor-expected.txt:
  • fast/canvas/script-tests/canvas-overloads-drawImage.js:
  • fast/canvas/script-tests/canvas-overloads-setFillColor.js:
  • fast/canvas/script-tests/canvas-overloads-setShadow.js:
  • fast/canvas/script-tests/canvas-overloads-setStrokeColor.js:
  • fast/dom/HTMLSelectElement/add-expected.txt:
  • fast/dom/HTMLSelectElement/add.html:
  • fast/dom/HTMLSelectElement/options-collection-add-expected.txt:
  • fast/dom/HTMLSelectElement/options-collection-add.html:
  • fast/dom/HTMLSelectElement/resources/html-select-and-options-collection-utilities.js: Added.

(createSelectElementWithTestData):
(deepCopy):
(createOption):
(createGroup):

1:50 PM Changeset in webkit [186264] by Chris Dumez
  • 3 edits in trunk/LayoutTests

Unreviewed, tentative fix for flaky layout test introduced in r186256.

  • platform/mac/accessibility/selection-notification-focus-change-expected.txt:
  • platform/mac/accessibility/selection-notification-focus-change.html:
1:39 PM Changeset in webkit [186263] by mario@webkit.org
  • 2 edits in trunk/Source/WebCore

Crash on xLarge memory allocation using bmalloc on 32bit systems
https://bugs.webkit.org/show_bug.cgi?id=146440

Reviewed by Gustavo Noronha Silva.

Disable the gcc's -ftree-sra optimization (automatically enabled
with -O1 and higher levels) for WebCore and 32bit Intel architectures,
as that causes the crash in bmalloc when allocating large amounts of
memory from the texture mapper's tiled backing store implementation.

  • CMakeLists.txt: Pass -fno-free-sra to gcc on 32bit Intel architectures.
11:45 AM Changeset in webkit [186262] by peavo@outlook.com
  • 4 edits in trunk/Source/ThirdParty/ANGLE

[WinCairo][WebGL] Enable HLSL.
https://bugs.webkit.org/show_bug.cgi?id=146559

Reviewed by Alex Christensen.

High Level Shader Language needs to be enabled for WebGL to work on Windows.

  • ANGLE.vcxproj/translatorCommon.props:
  • ANGLE.vcxproj/translator_hlsl.vcxproj:
  • ANGLE.vcxproj/translator_hlsl.vcxproj.filters:
11:41 AM Changeset in webkit [186261] by Csaba Osztrogonác
  • 2 edits in trunk/Source/WebCore

Fix the !ENABLE(VIDEO) build after r186054
https://bugs.webkit.org/show_bug.cgi?id=146592

Reviewed by Eric Carlson.

  • platform/MemoryPressureHandler.cpp:

(WebCore::MemoryPressureHandler::releaseCriticalMemory):

10:38 AM Changeset in webkit [186260] by Yusuke Suzuki
  • 2 edits in trunk/Source/JavaScriptCore

Relax builtin JS restriction about try-catch
https://bugs.webkit.org/show_bug.cgi?id=146555

Reviewed by Sam Weinig.

When retrieving the captured variables from the full activated scope,
it swapped the given vector with the stored declared variables vector.
This is because retrieving the captured variables are executed in the
last sequence of the parser, so declared variables are no longer used.
However, in builtins functions case, after retrieving the captured
variables, we check the variables by using declared variables vector.
So at that time, the declared variables vector becomes empty and it
raises assertion failures when the builtins function contains the full
activated scope. try-catch's catch scope requires the upper scope full
activated, so JS code in the builtins cannot use the try-catch.

This patch relaxes this restriction. When retrieving the captured
variables from the scope, just copy to the given vector.

  • parser/Parser.h:

(JSC::Scope::getCapturedVariables):

8:14 AM Changeset in webkit [186259] by Martin Robinson
  • 3 edits in trunk

[GTK] Forcefully disable gtk-doc and gobject-introspection when crossbuilding
https://bugs.webkit.org/show_bug.cgi?id=146590

Patch by Emanuele Aina <Emanuele Aina> on 2015-07-03
Reviewed by Martin Robinson.

  • Source/PlatformGTK.cmake: override the cached variables to
forcefully disable gtk-doc and gobject-introspection when
crosscompiling.

  • Source/cmake/OptionsGTK.cmake: avoid running gtk-doc to check the

documentation syntax when cross-building.

1:45 AM Changeset in webkit [186258] by Carlos Garcia Campos
  • 3 edits in trunk/Source/WebKit2

REGRESSION(r186025): [SOUP] NetworkCache gets blocked in traverse since r186025
https://bugs.webkit.org/show_bug.cgi?id=146545

Reviewed by Sergio Villar Senin.

In r186025 the readSync method used when traversing the cache
files was removed in favor of using parallel async reads to speed
up the traverse. The approach used doesn't work for soup, because
the IO operations are async, but run their callbacks in the
current thread. The network cache now runs up to 5 async reads in
the io work queue thread, and waits for them to finish, and those
async reads never finish for the soup backend because the thread
is blocked waiting for them. We need to use a different thread to
run those reads.

  • NetworkProcess/cache/NetworkCacheIOChannel.h: Add readSyncInThread private method.

  • NetworkProcess/cache/NetworkCacheIOChannelSoup.cpp:

(WebKit::NetworkCache::IOChannel::read): When not called in the
main thread, call readSyncInThread() instead.
(WebKit::NetworkCache::IOChannel::readSyncInThread): Run the read
operation synchronously in a different thread, since the current
thread might be blocked waiting for us.

12:28 AM Changeset in webkit [186257] by youenn.fablet@crf.canon.fr
  • 8 edits in trunk/Source/WebCore

[Streams API] Remove ReadableStream and Reader cancel() custom binding
https://bugs.webkit.org/show_bug.cgi?id=146458

Reviewed by Darin Adler.

Removed stream and reader cancel custom binding.
Updated binding generator to correctly handle promise-based APIs with optional parameters.

No behavior changes.

  • Modules/streams/ReadableStream.idl: Removed custom
  • Modules/streams/ReadableStreamReader.idl: Ditto.
  • bindings/js/JSReadableStreamCustom.cpp:

(WebCore::JSReadableStream::cancel): Deleted.

  • bindings/js/JSReadableStreamReaderCustom.cpp:

(WebCore::JSReadableStreamReader::cancel): Deleted.

  • bindings/scripts/CodeGeneratorJS.pm: Handling of promise parameter in case of optional arguments.

(GenerateParametersCheck):
(GenerateReturnParameters): Utility function to generate return parameters (exception and promise).

  • bindings/scripts/test/JS/JSTestObj.cpp:

(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionWithOptionalIntArgument):
(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionWithOptionalIntArgumentPromise):

  • bindings/scripts/test/TestObj.idl: