2015-03-31 Babak Shafiei Merge r182204. 2015-03-31 Jer Noble [Mac] Songza.com fails to play; QTKit path reports it is always "seeking". https://bugs.webkit.org/show_bug.cgi?id=143274 Rubber-stamped by Eric Carlson. MediaTime::invalidTime() is always greater than any valid time. So when checking to see if MediaPlayerPrivateQTKit is seeking, first check if the m_seekTo time is valid before checking whether it's > 0. * platform/graphics/mac/MediaPlayerPrivateQTKit.mm: (WebCore::MediaPlayerPrivateQTKit::seeking): 2015-03-26 Babak Shafiei Merge r182014. 2015-03-26 Jer Noble [Mac][EME] Crash at com.apple.WebCore: WebCore::CDMSessionMediaSourceAVFObjC::releaseKeys + 177 https://bugs.webkit.org/show_bug.cgi?id=143080 Reviewed by Eric Carlson. Null-check m_certificate before dereferencing. * platform/graphics/avfoundation/objc/CDMSessionMediaSourceAVFObjC.mm: (WebCore::CDMSessionMediaSourceAVFObjC::releaseKeys): 2015-03-16 Babak Shafiei Merge r181587. 2015-03-16 Brent Fulgham WebKit1 Clients Are Not Reliably Repainted https://bugs.webkit.org/show_bug.cgi?id=142750 Reviewed by Simon Fraser. * page/FrameView.cpp: (WebCore::FrameView::paintContents): Move "Red Rect" debug painting before the early return so we can see when this happening in debug builds. * page/FrameView.h: (WebCore::FrameView::inPaintableState): Added. 2015-03-16 Babak Shafiei Merge r181575. 2015-03-16 Brady Eidson Addressing additional review feedback after http://trac.webkit.org/changeset/181565 https://bugs.webkit.org/show_bug.cgi?id=142604 Reviewed by Darin Adler. * loader/icon/IconController.cpp: (WebCore::IconController::startLoader): Null check page() 2015-03-16 Babak Shafiei Merge r181565. 2015-03-16 Brady Eidson URLs visited during private browsing show up in WebpageIcons.db rdar://problem/11254910 and https://bugs.webkit.org/show_bug.cgi?id=142733 Patch by Sam Weinig. Reviewed by Brady Eidson. * loader/icon/IconController.cpp: (WebCore::IconController::startLoader): Bail early here if the page is using an ephemeral session. (WebCore::IconController::continueLoadWithDecision): Instead of here. 2015-03-11 Babak Shafiei Merge patch for rdar://problem/20128856. 2015-03-10 Babak Shafiei Merge r181351. 2015-03-10 Enrica Casucci Add support for more emoji with variation. https://bugs.webkit.org/show_bug.cgi?id=142548 rdar://problem/20105008 Reviewed by Tim Horton. Update ICU rules to support new emoji with variation. Test: editing/selection/extend-by-character-007.html * platform/text/TextBreakIterator.cpp: (WebCore::cursorMovementIterator): 2015-03-09 Babak Shafiei Merge r179958. 2015-02-11 Chris Dumez Turn recent assertions into release assertions to help track down crash in DocumentLoader::stopLoadingForPolicyChange() https://bugs.webkit.org/show_bug.cgi?id=141484 Reviewed by Andy Estes. Turn recent assertions into release assertions to help track down crash in DocumentLoader::stopLoadingForPolicyChange(). This should increase the likelyhood of tripping them so that we better understand why this happens. * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::~DocumentLoader): (WebCore::DocumentLoader::detachFromFrame): 2015-03-09 Babak Shafiei Merge r179895. 2015-02-10 Chris Dumez Add another assertion to help track down crash in DocumentLoader::stopLoadingForPolicyChange() https://bugs.webkit.org/show_bug.cgi?id=141447 Reviewed by Alexey Proskuryakov. Add another assertion to help track down crash in DocumentLoader::stopLoadingForPolicyChange(). The trace seems to hint that frameLoader() returns null when stopLoadingForPolicyChange() is called. frameLoader() can only return null after DocumentLoader::detachFromFrame() has been called. Also, stopLoadingForPolicyChange() here is called from the DocumentLoader::continueAfterContentPolicy() policy callback which requires m_waitingForContentPolicy to be true. Therefore, we should assert that m_waitingForContentPolicy is false when m_frame is cleared in DocumentLoader::detachFromFrame(). * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::detachFromFrame): 2015-03-09 Babak Shafiei Merge r179880. 2015-02-10 Chris Dumez Add assertion to help track down WebCore::DocumentLoader::stopLoadingForPolicyChange() crash https://bugs.webkit.org/show_bug.cgi?id=141441 Reviewed by Alexey Proskuryakov. Add assertion to help track down a crash in WebCore::DocumentLoader::stopLoadingForPolicyChange(). * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::~DocumentLoader): Make sure the DocumentLoader is not waiting for a content policy response when it is destroyed. If this were to happen, then the lambda function passed to PolicyChecker::checkContentPolicy() would outlive the DocumentLoader. This is an issue because that lambda function captures [this], which is the DocumentLoader. This would cause DocumentLoader::continueAfterContentPolicy() to be called after the DocumentLoader has been destroyed, which would explain the crash. 2015-03-04 Lucas Forschler Merge r181038 2015-03-04 Dean Jackson REGRESSION (r179597): Can't see power saver banner for plugins https://bugs.webkit.org/show_bug.cgi?id=142312 Reviewed by Brent Fulgham. We were being a bit too restrictive when deciding a child should not create a renderer. All shadow root children of the snapshotted plugin need one. * html/HTMLPlugInImageElement.cpp: (WebCore::HTMLPlugInImageElement::childShouldCreateRenderer): Test if we're part of the shadow tree. 2015-03-04 Lucas Forschler Merge r176554 2014-11-27 Antti Koivisto CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::HTMLPlugInImageElement::updateSnapshot + 108 https://bugs.webkit.org/show_bug.cgi?id=139057 Reviewed by Anders Carlsson. No test, don't know how to repro. * html/HTMLPlugInImageElement.cpp: (WebCore::HTMLPlugInImageElement::updateSnapshot): Null check the renderer. 2015-03-04 Lucas Forschler Merge r181005 2015-03-04 Jer Noble [MSE][EME][Mac] Calling close on a MediaKeysSession will cause many decoding errors to be emitted https://bugs.webkit.org/show_bug.cgi?id=142285 Reviewed by Eric Carlson. When a MediaKeySession (backed by CDMSessionMediaSourceAVFObjC) is closed and the underlying AVStreamSession is invalidated, the decryption context for in-flight CMSampleBuffers is also invalidated, and the AVSampleBufferDisplayLayer will issue one error for each enqueued and un-displayed sample in its image-queue. -flush-ing the AVSampleBufferDisplayLayer is not enough, as the flush only takes effect asynchronously the next time the layer needs new samples. Add a workaround until framework-level support lands to fully flush enqueued and encrypted frames. When the CDMSessionMediaSOurceAVFObjC object recieves an error from the layer, check to see if the session has been stopped. If so, and if the error in question is one that indicates that the samples decryption context has been invalidated, suppress the error and instruct the sender to suppress the error as well. This workaround will be removed once real support for synchronous flushing lands in Still, we'll make our best effort to flush undisplayed frames when our CDM session is invalidated. Move away from std::map and instead use HashMap to store the set of AVSampleBufferAudioRenderers. This allows us to use C++11 style loops against just the HashMap's set of values. * platform/graphics/avfoundation/objc/CDMSessionMediaSourceAVFObjC.h: * platform/graphics/avfoundation/objc/CDMSessionMediaSourceAVFObjC.mm: (WebCore::CDMSessionMediaSourceAVFObjC::releaseKeys): Flush and set m_stopped. (WebCore::CDMSessionMediaSourceAVFObjC::layerDidReceiveError): Check m_stopped and the error code and bail before issuing the error. (WebCore::CDMSessionMediaSourceAVFObjC::rendererDidReceiveError): Ditto. * platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.h: * platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm: (-[WebAVSampleBufferErrorListener layerFailedToDecode:]): Drive-by fix. Check whether the layer is in the set of listened-to layers only back in the main thread; the listnener may have been unregistered by the time the main thread was called. (WebCore::SourceBufferPrivateAVFObjC::destroyRenderers): std::map -> HashMap. (WebCore::SourceBufferPrivateAVFObjC::trackDidChangeEnabled): Ditto. (WebCore::SourceBufferPrivateAVFObjC::flushAndEnqueueNonDisplayingSamples): Ditto. (WebCore::SourceBufferPrivateAVFObjC::enqueueSample): Ditto. (WebCore::SourceBufferPrivateAVFObjC::isReadyForMoreSamples): Ditto. (WebCore::SourceBufferPrivateAVFObjC::didBecomeReadyForMoreSamples): Ditto. (WebCore::SourceBufferPrivateAVFObjC::notifyClientWhenReadyForMoreSamples): Ditto. (WebCore::SourceBufferPrivateAVFObjC::flush): Added; call -flush on all the display layers and audio renderers. (WebCore::SourceBufferPrivateAVFObjC::layerDidReceiveError): Check if any clients asked to ignore the error, and if so, bail. (WebCore::SourceBufferPrivateAVFObjC::rendererDidReceiveError): Ditto. 2015-03-04 Lucas Forschler Merge r180065 2015-02-13 Jer Noble [MSE][Mac] Crash at WebCore::SourceBufferPrivateAVFObjC::didParseStreamDataAsAsset + 2357 https://bugs.webkit.org/show_bug.cgi?id=141566 rdar://problem/19826075 Reviewed by Andreas Kling. Null check m_mediaSource before dereferencing. * platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm: (WebCore::SourceBufferPrivateAVFObjC::didParseStreamDataAsAsset): 2015-03-04 Lucas Forschler Merge r180839 2015-02-28 Simon Fraser Fullscreen video layers are off by one sometimes https://bugs.webkit.org/show_bug.cgi?id=142122 rdar://problem/19878821 Reviewed by Eric Carlson. Convert MediaPlayer::naturalSize() to return a FloatSize, since the natural size isn't always integral (because of preserving pixel aspect ratio etc). Fix all the media backends to use FloatSizes for natural size. Convert the video image drawing code paths to FloatSize, since naturalSize is used on the destination rect computation, and painting should be floating point anyway. Give the layer created by SourceBufferPrivateAVFObjC a name in debug builds. * html/HTMLVideoElement.cpp: (WebCore::HTMLVideoElement::videoWidth): (WebCore::HTMLVideoElement::videoHeight): (WebCore::HTMLVideoElement::paintCurrentFrameInContext): * html/HTMLVideoElement.h: * html/canvas/CanvasRenderingContext2D.cpp: (WebCore::size): (WebCore::CanvasRenderingContext2D::drawImage): * html/canvas/WebGLRenderingContextBase.cpp: (WebCore::WebGLRenderingContextBase::videoFrameToImage): * platform/graphics/MediaPlayer.cpp: (WebCore::NullMediaPlayerPrivate::naturalSize): (WebCore::MediaPlayer::naturalSize): (WebCore::MediaPlayer::paint): (WebCore::MediaPlayer::paintCurrentFrameInContext): (WebCore::NullMediaPlayerPrivate::paint): Deleted. * platform/graphics/MediaPlayer.h: * platform/graphics/MediaPlayerPrivate.h: (WebCore::MediaPlayerPrivateInterface::paintCurrentFrameInContext): * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.cpp: (WebCore::MediaPlayerPrivateAVFoundation::naturalSize): (WebCore::MediaPlayerPrivateAVFoundation::setNaturalSize): * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h: * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h: * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm: (WebCore::MediaPlayerPrivateAVFoundationObjC::paintCurrentFrameInContext): (WebCore::MediaPlayerPrivateAVFoundationObjC::paint): (WebCore::MediaPlayerPrivateAVFoundationObjC::paintWithImageGenerator): (WebCore::MediaPlayerPrivateAVFoundationObjC::createImageForTimeInRect): (WebCore::MediaPlayerPrivateAVFoundationObjC::tracksChanged): (WebCore::MediaPlayerPrivateAVFoundationObjC::sizeChanged): (WebCore::MediaPlayerPrivateAVFoundationObjC::paintWithVideoOutput): * platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.h: * platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm: (WebCore::MediaPlayerPrivateMediaSourceAVFObjC::naturalSize): (WebCore::MediaPlayerPrivateMediaSourceAVFObjC::paint): (WebCore::MediaPlayerPrivateMediaSourceAVFObjC::paintCurrentFrameInContext): * platform/graphics/avfoundation/objc/MediaSourcePrivateAVFObjC.h: * platform/graphics/avfoundation/objc/MediaSourcePrivateAVFObjC.mm: (WebCore::MediaSourcePrivateAVFObjC::naturalSize): * platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.h: * platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm: (WebCore::SourceBufferPrivateAVFObjC::trackDidChangeEnabled): (WebCore::SourceBufferPrivateAVFObjC::naturalSize): * platform/graphics/avfoundation/objc/VideoTrackPrivateMediaSourceAVFObjC.h: * platform/graphics/avfoundation/objc/VideoTrackPrivateMediaSourceAVFObjC.mm: (WebCore::VideoTrackPrivateMediaSourceAVFObjC::naturalSize): * platform/graphics/mac/MediaPlayerPrivateQTKit.h: * platform/graphics/mac/MediaPlayerPrivateQTKit.mm: (WebCore::MediaPlayerPrivateQTKit::naturalSize): (WebCore::MediaPlayerPrivateQTKit::paintCurrentFrameInContext): (WebCore::MediaPlayerPrivateQTKit::paint): * platform/mock/mediasource/MockMediaPlayerMediaSource.cpp: (WebCore::MockMediaPlayerMediaSource::naturalSize): (WebCore::MockMediaPlayerMediaSource::paint): * platform/mock/mediasource/MockMediaPlayerMediaSource.h: * rendering/RenderVideo.cpp: (WebCore::RenderVideo::calculateIntrinsicSize): (WebCore::RenderVideo::paintReplaced): 2015-03-04 Said Abou-Hallawa Crash when accessing an item in SVGTransformList and then removing a previous item from this list. https://bugs.webkit.org/show_bug.cgi?id=141550. Reviewed by Darin Adler. Tests: LayoutTests/svg/dom/SVGTransformList-basics.xhtml: This test is modified to include a new test case. * svg/properties/SVGMatrixTearOff.h: m_value of SVGMatrixTearOff will be a null pointer. There is no point in having SVGMatrixTearOff points to the parent and the property of the parent at the same time. (WebCore::SVGMatrixTearOff::create): SVGMatrixTearOff will hold a pointer to the parent SVGPropertyTearOff. But it should overrides setValue() and propertyReference() so it can set and get the SVGMatrix from the SVGTransform parent. (WebCore::SVGMatrixTearOff::SVGMatrixTearOff): Pass a nullptr to the base class. SVGMatrixTearOff will act as a proxy of the parent. It does not hold any data by itself but it knows what property to set and get from the parent. * svg/properties/SVGPropertyTearOff.h: (WebCore::SVGPropertyTearOff::create): Add a create method which can take a pointer value. (WebCore::SVGPropertyTearOff::propertyReference): (WebCore::SVGPropertyTearOff::setValue): Make these functions virtual so concrete classes like SVGMatrixTearOff can override them. (WebCore::SVGPropertyTearOff::SVGPropertyTearOff): Add a new constructor. 2015-02-25 Dana Burkart Merged r180364. 2015-02-19 David Hyatt Columns are splitting unsplittable content. https://bugs.webkit.org/show_bug.cgi?id=141807 Reviewed by Dean Jackson. Added inline-table-dynamic-movement.html * rendering/RenderBlockFlow.cpp: (WebCore::RenderBlockFlow::pageLogicalTopForOffset): (WebCore::RenderBlockFlow::pageLogicalHeightForOffset): Patch these functions to always check the layout state for a zero pageLogicalHeight, since that is actually our indicator that we're doing column balancing and don't have a height set yet. * rendering/RenderMultiColumnFlowThread.cpp: (WebCore::RenderMultiColumnFlowThread::isPageLogicalHeightKnown): * rendering/RenderMultiColumnSet.cpp: (WebCore::RenderMultiColumnSet::RenderMultiColumnSet): (WebCore::RenderMultiColumnSet::setAndConstrainColumnHeight): (WebCore::RenderMultiColumnSet::prepareForLayout): * rendering/RenderMultiColumnSet.h: The function for deciding whether the logical height of the columns was known was checking for a zero computedColumnHeight. However, a column set can legitimately compute a zero column height, and with the fix to examine the layout state, this bug was exposed. The fix is to add a new variable that caches whether or not the column height has been computed, so that even if it computes to zero, we aren't fooled. 2015-02-25 Dana Burkart Merged r180174. 2015-02-16 Zalan Bujtas RenderTableCell can't access its parent while in detached state. https://bugs.webkit.org/show_bug.cgi?id=141639 rdar://problem/19850760 Reviewed by Simon Fraser. Null check against ancestor chain so that certain methods in RenderTableCell can be called even if the renderer is not yet attached. Test: fast/table/table-cell-crash-when-detached-state.html * rendering/RenderTableCell.cpp: (WebCore::RenderTableCell::borderLeft): (WebCore::RenderTableCell::borderRight): (WebCore::RenderTableCell::borderTop): (WebCore::RenderTableCell::borderBottom): (WebCore::RenderTableCell::borderStart): (WebCore::RenderTableCell::borderEnd): (WebCore::RenderTableCell::borderBefore): (WebCore::RenderTableCell::borderAfter): * rendering/RenderTableCell.h: 2015-02-23 Babak Shafiei Follow-up merge for r179877. 2015-02-20 Dana Burkart Merged r180087. 2015-02-12 Enrica Casucci Additional emoji group support. https://bugs.webkit.org/show_bug.cgi?id=141539 rdar://problem/19727527 Reviewed by Sam Weinig. Adding some new emoji ligatures. Updated existing test to include the new sequences. * platform/text/TextBreakIterator.cpp: (WebCore::cursorMovementIterator): * rendering/RenderText.cpp: (WebCore::isEmojiGroupCandidate): 2015-02-20 Dana Burkart Merge r179567. 2015-02-02 Enrica Casucci Additional emoji support. https://bugs.webkit.org/show_bug.cgi?id=141047 rdar://problem/19045135 Reviewed by Darin Adler. Adds support for emoji modifiers and group emoji. Test: editing/deleting/delete-emoji.html * platform/graphics/FontCascade.cpp: (WebCore::FontCascade::characterRangeCodePath): * platform/text/TextBreakIterator.cpp: (WebCore::cursorMovementIterator): * rendering/RenderText.cpp: (WebCore::isEmojiGroupCandidate): (WebCore::isEmojiModifier): (WebCore::RenderText::previousOffsetForBackwardDeletion): 2015-02-20 Dana Burkart Merge r176473. * rendering/SimpleLineLayout.cpp: (WebCore::SimpleLineLayout::canUseFor): Change from r176473 not listed in that ChangeLog. (WebCore::SimpleLineLayout::createLineRuns): Call nextBreakablePositionNonLoosely() in place of nextBreakablePosition(). 2014-11-21 Glenn Adams and Myles C. Maxfield Add support to -webkit-line-break property for CSS3 Text line-break property values and semantics. https://bugs.webkit.org/show_bug.cgi?id=89235 Reviewed by Eric Seidel and Dave Hyatt. This patch adds semantic support for the CSS3 line-break property (qua -webkit-line-break), and enables testing on (apple) mac ports. Follow on patches will enable these tests on other ports as they are incrementally verified. See also wiki documentation at: [1] http://trac.webkit.org/wiki/LineBreaking [2] http://trac.webkit.org/wiki/LineBreakingCSS3Mapping Tests: css3/line-break/line-break-auto-centered.html css3/line-break/line-break-auto-half-kana.html css3/line-break/line-break-auto-hyphens.html css3/line-break/line-break-auto-inseparables.html css3/line-break/line-break-auto-iteration-marks.html css3/line-break/line-break-auto-postfixes.html css3/line-break/line-break-auto-prefixes.html css3/line-break/line-break-auto-sound-marks.html css3/line-break/line-break-loose-centered.html css3/line-break/line-break-loose-half-kana.html css3/line-break/line-break-loose-hyphens.html css3/line-break/line-break-loose-inseparables.html css3/line-break/line-break-loose-iteration-marks.html css3/line-break/line-break-loose-postfixes.html css3/line-break/line-break-loose-prefixes.html css3/line-break/line-break-loose-sound-marks.html css3/line-break/line-break-normal-centered.html css3/line-break/line-break-normal-half-kana.html css3/line-break/line-break-normal-hyphens.html css3/line-break/line-break-normal-inseparables.html css3/line-break/line-break-normal-iteration-marks.html css3/line-break/line-break-normal-postfixes.html css3/line-break/line-break-normal-prefixes.html css3/line-break/line-break-normal-sound-marks.html css3/line-break/line-break-strict-centered.html css3/line-break/line-break-strict-half-kana.html css3/line-break/line-break-strict-hyphens.html css3/line-break/line-break-strict-inseparables.html css3/line-break/line-break-strict-iteration-marks.html css3/line-break/line-break-strict-postfixes.html css3/line-break/line-break-strict-prefixes.html css3/line-break/line-break-strict-sound-marks.html These tests were previously added in http://trac.webkit.org/changeset/143378, but skipped in generic TestExpectations. In this patch, they are marked as Pass for the (apple) mac ports. * platform/text/LineBreakIteratorPoolICU.h: (WebCore::LineBreakIteratorPool::makeLocaleWithBreakKeyword): Add static function to construct ICU locale argument (also used as pool key) with additional break keyword. (LineBreakIteratorPool): (WebCore::LineBreakIteratorPool::take): (WebCore::LineBreakIteratorPool::put): Remove direct dependency from ICU library (and types), moving that dependency into new {open,close}LineBreakIterator() functions (defined in TextBreakIteratorICU.cpp). Update to take line break mode into account. Create (and cache) different break iterators depending on line break mode (in addition to locale), which entails expanding pool entry key format to optionally append "@break=" + "loose"|"normal"|"strict" keyword to locale string. * platform/text/TextBreakIterator.h: (WebCore::LazyLineBreakIterator::LazyLineBreakIterator): (WebCore::LazyLineBreakIterator::isLooseCJKMode): (WebCore::LazyLineBreakIterator::get): (WebCore::LazyLineBreakIterator::reset): (LazyLineBreakIterator): Define LineBreakIteratorMode enumeration for use in TextBreakIterator et al. Add state member to indicate line break mode. * platform/text/TextBreakIteratorICU.cpp: (WebCore::acquireLineBreakIterator): Use new line break mode when making iterator from pool. Handle change of return type of LineBreakIteratorPool::take() to non-ICU type, i.e., TextBreakIterator* instead of ICU's UBreakIterator*. (WebCore::releaseLineBreakIterator): Handle change of parameter type of LineBreakIteratorPool::put() to non-ICU type, i.e., TextBreakIterator* instead of ICU's UBreakIterator*. (WebCore): (WebCore::isCJKLocale): New functions for determining if CJK rules apply. (WebCore::openLineBreakIterator): New function for abstracting opening of ICU style line break iterator. This is now used in LineBreakIteratorPoolICU.h rather than having direct ICU API dependency there. This function also takes into account the line break mode. Note that this function only calls ubrk_openRules() when the author has opted-in via using the -webkit-line-break CSS property. Eventually, we would like to be able to customize the rules that ICU's line breaking algorithm uses (especially for CJK text); however, ubrk_openRules() currently parses its input string to create a DFA and is therefore very slow. In fact, it's so slow that increasing our cache size in LineBreakIteratorPool doesn't actually help enough. Also note that the default value for the line-break CSS property is 'auto'. (WebCore::closeLineBreakIterator): (WebCore::mapLineIteratorModeToRules): New function for abstracting closing of ICU style line break iterator. This is now used in LineBreakIteratorPoolICU.h rather than having direct ICU API dependency there. * rendering/RenderBlockLineLayout.cpp: (WebCore::RenderBlock::LineBreaker::nextSegmentBreak): Pass line break iterator mode flag when reseting LazyLineBreakIterator. Add looseMode local variable to prevent need for computing under isBreakable(). * rendering/RenderText.cpp: (WebCore::mapLineBreakToIteratorMode): Add implementation for mapLineBreakToIteratorMode(), used by both RenderText::computePreferredLogicalWidths and RenderBlock::LineBreaker::nextLineBreak. (WebCore): (WebCore::RenderText::computePreferredLogicalWidths): Ensure (lazy line) breakIterator is initialized for line break mode. Ensure isBreakable() is passed loose mode flag to match behavior in RenderBlock::LineBreaker::nextLineBreak. * rendering/RenderText.h: (WebCore): Add declaration for mapLineBreakToIteratorMode(), used by both RenderText::computePreferredLogicalWidths and RenderBlock::LineBreaker::nextLineBreak. * rendering/break_lines.cpp: (WebCore): Introduce (local) enum NBSPBehavior for expanding template on nextBreakablePosition. (WebCore::isBreakableSpace): Add externally specified loose mode parameter to prevent need to invoke line break iterator accessor method on each invocation. Use new loose mode flavors off NBP functions. (WebCore::needsLineBreakIterator): Use enum NBSP behavior template parameter rather than boolean. (WebCore::nextBreakablePositionNonLoosely): Extend name to distinguish from loose flavor of this function. (WebCore::nextBreakablePositionLoosely): Add loose flavor of NBP invoked only when loose mode applies, in which case ASCII shortcut table cannot be used. (WebCore::nextBreakablePosition): (WebCore::nextBreakablePositionIgnoringNBSP): Use (renamed) non-loose flavor of NBP. (WebCore::nextBreakablePositionLoose): (WebCore::nextBreakablePositionIgnoringNBSPLoose): Introduce loose flavor of NBP template expansions. * rendering/break_lines.h: (WebCore): (WebCore::isBreakable): Add externally specified loose mode parameter to prevent need to invoke line break iterator accessor method on each invocation. 2015-02-20 Dana Burkart Merged r180278. 2015-02-18 Myles C. Maxfield Justified ruby can cause lines to grow beyond their container https://bugs.webkit.org/show_bug.cgi?id=141732 Reviewed by David Hyatt. After we re-layout RenderRubyRuns, this can change the environment upon which ruby's overhang calculation is sensitive to. Before this patch, we would recalculate the overhang after the RenderRubyRun gets relaid out. However, doing such causes the effective width of the RenderRubyRun to change, which causes out subsequent justification calculations to be off. Therefore, we have a cycle; the amount of ruby overhang can change the justification in a line, and the layout of the line affects the ruby overhang calculation. Instead of performing a layout in a loop until it converges, this patch simply observes that having a flush right edge is more valuable than having a perfectly correct overhang. It therefore simply removes the secondary overhang calculation. Test: fast/text/ruby-justification-flush.html * rendering/RenderBlockFlow.h: * rendering/RenderBlockLineLayout.cpp: (WebCore::RenderBlockFlow::updateRubyForJustifiedText): (WebCore::RenderBlockFlow::computeExpansionForJustifiedText): (WebCore::RenderBlockFlow::computeInlineDirectionPositionsForSegment): 2015-02-20 Dana Burkart Merged r180150. 2015-02-12 David Hyatt text-underline-position:under has multiple correctness issues https://bugs.webkit.org/show_bug.cgi?id=141528 Reviewed by Dean Jackson. Added a bunch of new tests in fast/text * rendering/InlineFlowBox.cpp: (WebCore::InlineFlowBox::maxLogicalBottomForTextDecorationLine): (WebCore::InlineFlowBox::minLogicalTopForTextDecorationLine): (WebCore::InlineFlowBox::computeMaxLogicalBottom): Deleted. * rendering/InlineFlowBox.h: These functions have been re-written to take an enclosing renderer that specified the decoration. This way they can properly limit the bottom/top computation to only line boxes that are contained inside the renderer. * rendering/InlineTextBox.cpp: (WebCore::InlineTextBox::paintDecoration): Tweak the call to get the decoration colors now that quirks mode has been removed. * rendering/RenderElement.cpp: (WebCore::RenderElement::enclosingRendererWithTextDecoration): * rendering/RenderElement.h: New function that finds the enclosing renderer that specified a text decoration. For now this is only used in the "under" position computation, but soon we'll be using it everywhere. * rendering/RenderObject.cpp: (WebCore::RenderObject::getTextDecorationColors): * rendering/RenderObject.h: Remove the quirks mode argument, since we were always passing true anyway (making the argument dead). * rendering/RootInlineBox.cpp: (WebCore::RootInlineBox::maxLogicalBottom): Deleted. * rendering/RootInlineBox.h: Get rid of these functions and just have InlineTextBoxStyle's computeUnderLineOffset function call the InlineFlowBox functions directly. * style/InlineTextBoxStyle.cpp: (WebCore::computeUnderlineOffset): Re-written to fetch the enclosingRendererWithTextDecoration so that it can be passed to the logical top/bottom computation to limit which line boxes get included. 2015-02-20 Dana Burkart Merged r180147. 2015-02-16 Brent Fulgham FEGaussianBlur::calculateUnscaledKernelSize does unspeakable things with signed and unsigned values https://bugs.webkit.org/show_bug.cgi?id=141596 Reviewed by Zalan Bujtas. No new tests. Covered by css3/filters/huge-blur-value.html Avoid overflowing the signed integer values by not converting from unsigned until the maximum size has been clamped to the expected max. * platform/graphics/filters/FEGaussianBlur.cpp: (WebCore::FEGaussianBlur::calculateUnscaledKernelSize): 2015-02-19 Dana Burkart Merged r180128. 2015-02-15 Said Abou-Hallawa Crash when accessing an item in SVGLengthList and then replacing it with a previous item in the list. https://bugs.webkit.org/show_bug.cgi?id=141552. Reviewed by Darin Adler. Tests: LayoutTests/svg/dom/SVGLengthList-basics.xhtml: This test is modified to include a new test case. * svg/properties/SVGListPropertyTearOff.h: Commit the removal of the replacing item before trying to detach the wrapper of the item which going to be replaced. 2015-02-15 David Kilzer CoreText only needs to be soft-linked on Windows More work towards the Maverick Debug build fix: REGRESSION (r180082): WebCore Debug builds fail on Mavericks due to weak export symbols * page/CaptionUserPreferencesMediaAF.cpp: 2015-02-19 Dana Burkart Merged r180076. 2015-02-13 Brent Fulgham [Mac, iOS] Adjust pagination behavior for Mail.app printing use https://bugs.webkit.org/show_bug.cgi?id=141569 Reviewed by Anders Carlsson. * page/Settings.in: Add new pagination setting flag. * rendering/RenderBlockFlow.cpp: (WebCore::messageContainerName): Added. (WebCore::needsPaginationQuirk): Added. (WebCore::RenderBlockFlow::adjustLinePositionForPagination): Don't move the message content div to a new page when using this special printing mode. 2015-02-19 Dana Burkart Merged r180063. 2015-02-13 Simon Fraser Crashes under RenderLayer::hitTestLayer under determinePrimarySnapshottedPlugIn() https://bugs.webkit.org/show_bug.cgi?id=141551 Reviewed by Zalan Bujtas. It's possible for a layout to dirty the parent frame's state, via the calls to ownerElement()->scheduleSetNeedsStyleRecalc() that RenderLayerCompositor does when iframes toggle their compositing mode. That could cause FrameView::updateLayoutAndStyleIfNeededRecursive() to fail to leave all the frames in a clean state. Later on, we could enter hit testing, which calls document().updateLayout() on each frame's document. Document::updateLayout() does layout on all ancestor documents, so in the middle of hit testing, we could layout a subframe (dirtying an ancestor frame), then layout another frame, which would forcing that ancestor to be laid out while we're hit testing it, thus corrupting the RenderLayer tree while it's being iterated over. Fix by having FrameView::updateLayoutAndStyleIfNeededRecursive() do a second layout after laying out subframes, which most of the time will be a no-op. Also add a stronger assertion, that this frame and all subframes are clean at the end of FrameView::updateLayoutAndStyleIfNeededRecursive() for the main frame. Various existing frames tests hit the new assertion if the code change is removed, so this is covered by existing tests. * page/FrameView.cpp: (WebCore::FrameView::needsStyleRecalcOrLayout): (WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive): * page/FrameView.h: * rendering/RenderWidget.cpp: (WebCore::RenderWidget::willBeDestroyed): 2015-02-19 Dana Burkart Merged r180062. 2015-02-12 Simon Fraser determinePrimarySnapshottedPlugIn() should only traverse visible Frames https://bugs.webkit.org/show_bug.cgi?id=141547 Part of rdar://problem/18445733. Reviewed by Anders Carlsson. There's an expectation from clients that FrameView::updateLayoutAndStyleIfNeededRecursive() updates layout in all frames, but it uses the widget tree, so only hits frames that are parented via renderers (i.e. not display:none frames or their descendants). Moving towards a future where we remove Widgets, fix by adding a FrameTree traversal function that only finds rendered frames (those with an ownerRenderer). Not testable. * page/FrameTree.cpp: (WebCore::FrameTree::firstRenderedChild): (WebCore::FrameTree::nextRenderedSibling): (WebCore::FrameTree::traverseNextRendered): (printFrames): * page/FrameTree.h: * page/FrameView.cpp: (WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive): 2015-02-19 Dana Burkart Merged r179956. 2015-02-11 Jer Noble [MSE] SampleMap::addRange() returns an inverted iterator_range, possibly causing a crash when that iterator_range is traversed. https://bugs.webkit.org/show_bug.cgi?id=141479 rdar://problem/19067597 Reviewed by Chris Dumez. When looking backwards through a presentationOrder map to find samples, we then reverse our iterators and put them in an iterator_range to return to the caller. But in addition to reversing the iterators themselves, we also need to put them in the iterator_range in reverse order, so that when the caller iterates from iterator_range.first -> iterator_range.second, they don't end up off the end of the the underlying storage. * Modules/mediasource/SampleMap.cpp: (WebCore::PresentationOrderSampleMap::findSamplesWithinPresentationRangeFromEnd): 2015-02-19 Dana Burkart Merged r179937. 2015-02-11 Sam Weinig performance.now can crash if accessed from a window that has navigated https://bugs.webkit.org/show_bug.cgi?id=141478 Reviewed by Alexey Proskuryakov. Test: fast/performance/performance-now-crash-on-navigated-window.html * page/Performance.cpp: (WebCore::Performance::now): Check for a null frame, which can happen when the window has been navigated. 2015-02-19 Dana Burkart Merged r179933. 2015-02-10 Alexey Proskuryakov URL::setUser and URL::setPass don't percent encode https://bugs.webkit.org/show_bug.cgi?id=141453 rdar://problem/14844503&16551802&19623145 Reviewed by Darin Adler. Tests: fast/url/url-credentials-escaping.html http/tests/xmlhttprequest/basic-auth-credentials-escaping.html Start adding some code that performs escaping in a way that matches the URL Standard. Right now, it's only used where we failed to do any escaping at all, and over time, we'll be moving towards a new implementation. * html/URLUtils.h: (WebCore::URLUtils::username): (WebCore::URLUtils::password): * platform/URL.cpp: (WebCore::isSchemeFirstChar): (WebCore::URL::user): (WebCore::URL::pass): (WebCore::URL::encodedUser): (WebCore::URL::encodedPass): (WebCore::URL::setUser): (WebCore::URL::setPass): (WebCore::encodeWithURLEscapeSequences): * platform/URL.h: 2015-02-19 Dana Burkart Merged r179877. 2015-02-07 Zalan Bujtas REGRESSION (r168046): Crash in WebCore::InlineBox::renderer / WebCore::RenderFlowThread::checkLinesConsistency https://bugs.webkit.org/show_bug.cgi?id=133462 Reviewed by David Hyatt. RenderFlowThread::m_lineToRegionMap stores pointers to the root inlineboxes in the block flow. Normally root inlineboxes remove themselves from this map in their dtors. However when collapsing an anonymous block, we detach the inline tree first and destroy them after. The detached root boxes can't access the flowthread containing block and we end up with dangling pointers in this map. Call removeFlowChildInfo() before detaching the subtree to ensure proper pointer removal. Test: fast/multicol/newmulticol/crash-when-switching-to-floating.html * rendering/RenderBlock.cpp: (WebCore::RenderBlock::collapseAnonymousBoxChild): 2015-02-19 Dana Burkart Merged r179776. 2015-02-06 Zalan Bujtas ASSERT repaintContainer->hasLayer() in WebCore::RenderObject::repaintUsingContainer https://bugs.webkit.org/show_bug.cgi?id=140750 Reviewed by Simon Fraser. There's a short period of time when RenderObject::layer() still returns a valid pointer even though we already cleared the hasLayer() flag. Do not use the layer as repaint container in such cases. Test: compositing/repaint-container-assertion-when-toggling-compositing.html * rendering/RenderObject.cpp: (WebCore::RenderObject::enclosingLayer): 2015-02-16 Lucas Forschler Merge r180191 2015-02-16 Enrica Casucci Emoji sequences do not render properly. https://bugs.webkit.org/show_bug.cgi?id=141661 rdar://problem/19820463 Reviewed by Sam Weinig. Emoji sequences and emoji with variations should be rendered using the Complex code path and should be treated as graphemes. This change modifies advanceByCombiningCharacterSequence to add this logic. Test: fast/text/emoji.html * WebCore.xcodeproj/project.pbxproj: * platform/graphics/FontCascade.cpp: (WebCore::FontCascade::characterRangeCodePath): * platform/graphics/mac/ComplexTextController.cpp: (WebCore::advanceByCombiningCharacterSequence): Implements a simple logic to treat emoji sequences and emoji with variations as graphemes. * platform/text/CharacterProperties.h: Added. (WebCore::isEmojiGroupCandidate): (WebCore::isEmojiModifier): (WebCore::isVariationSelector): * rendering/RenderText.cpp: (WebCore::isEmojiGroupCandidate): Deleted. (WebCore::isEmojiModifier): Deleted. 2015-02-12 Brent Fulgham Merge r173806. 2014-09-22 Mihnea Ovidenie [CSS Regions] Assertion failure and null dereference crash when using animations and regions https://bugs.webkit.org/show_bug.cgi?id=136918 Reviewed by Andrei Bucur. In some situations, for instance when an image has an attached animation, the style change caused by the animation triggers a geometry update for the backing store associated with the image's layer. This may occur before the layout for the image has finished. Moreover, if the image in such situation - having a composited layer - is displayed in a region, sicne the layout did not finish yet, the mappings between the layers of the elements collected in the named flow and the regions associated with the named flow are not updated and cannot be used. Therefore in those situations, we have to bail out early and use these mappings only after the layout has finished. This patch also changes RenderLayerBacking method updateAfterDescendents -> updateAfterDescendants. Test: fast/regions/animated-image-in-region.html * rendering/RenderFlowThread.cpp: (WebCore::RenderFlowThread::cachedRegionForCompositedLayer): * rendering/RenderLayer.cpp: (WebCore::RenderLayer::calculateClipRects): * rendering/RenderLayerBacking.cpp: (WebCore::RenderLayerBacking::updateAfterDescendants): * rendering/RenderLayerBacking.h: * rendering/RenderLayerCompositor.cpp: (WebCore::RenderLayerCompositor::rebuildCompositingLayerTree): (WebCore::RenderLayerCompositor::updateLayerTreeGeometry): (WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry): 2015-02-12 Babak Shafiei Merge r180028. 2015-02-12 Timothy Horton Crashes under detectItemAroundHitTestResult when DataDetectors is not available https://bugs.webkit.org/show_bug.cgi?id=141549 Reviewed by Dan Bernstein. * editing/mac/DataDetection.mm: (WebCore::DataDetection::detectItemAroundHitTestResult): Bail out from data detection if either of the relevant frameworks aren't loaded. 2015-01-12 Pratik Solanki CrashTracer: [USER] com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::SharedBuffer::createPurgeableBuffer const + 14 Rubber-stamped by Matthew Hanson. Speculative fix for the above crash. The current theory is that a timer is being fired for a CachedResource that has been freed. Add a marker field in CachedResource to do an early return from CachedResource::makePurgeable() when this happens. No new tests because I can't reproduce the crash. * loader/cache/CachedResource.cpp: (WebCore::CachedResource::CachedResource): (WebCore::CachedResource::~CachedResource): (WebCore::CachedResource::makePurgeable): * loader/cache/CachedResource.h: 2015-02-12 Matthew Hanson Merge r179883. rdar://problem/19790645 2015-02-09 David Hyatt text-underline-position: under is broken https://bugs.webkit.org/show_bug.cgi?id=141400 Reviewed by Simon Fraser. Added fast/text/text-underline-position-under.html * rendering/InlineFlowBox.cpp: (WebCore::InlineFlowBox::computeMaxLogicalBottom): (WebCore::InlineFlowBox::computeMaxLogicalTop): Deleted. * rendering/InlineFlowBox.h: Switch to using the bottom to compute the offset. Using the top is incorrect, since the heights of boxes can vary. Fix a bug where the y() of the box was being used instead of the logical value, making the result wrong for vertical text. * rendering/RootInlineBox.cpp: (WebCore::RootInlineBox::maxLogicalBottom): (WebCore::RootInlineBox::maxLogicalTop): Deleted. Switch to using the bottom instead of the top. Make sure the root box contributes its own bottom, since the old code just ignored the root's placement. * rendering/RootInlineBox.h: * style/InlineTextBoxStyle.cpp: (WebCore::computeUnderlineOffset): Call the bottom function now instead of the top. 2015-02-11 Lucas Forschler Merge r177377 2014-12-16 Myles C. Maxfield Ruby does not preserve expansion opportunities from enclosing context https://bugs.webkit.org/show_bug.cgi?id=139618 Reviewed by David Hyatt. There is currently no sharing of expansion opportunity information between ruby bases and the text surrounding the ruby. This patch adds a bit on RenderText, m_contentIsKnownToFollow, which affects how expansion opportunities are handled at paint-time, as well as a bit on RenderRubyBase, m_isAfterExpansion, which affects how expansions are calculated when laying out a line. This patch also adds a field to RenderRubyBase which represents the base's starting position within a ruby. This field is necessary because an expansion from a line might occur at the very beginning of a ruby base, so we have to remember some state from expansion time to RenderRubyBase layout time. Added more tests to fast/ruby/ruby-justification.html. * rendering/InlineBox.h: (WebCore::InlineBox::setExpansionWithoutGrowing): (WebCore::InlineBox::expansion): * rendering/InlineFlowBox.cpp: (WebCore::InlineFlowBox::removeChild): Keep the bit on InlineTextBox up to date. (WebCore::InlineFlowBox::placeBoxRangeInInlineDirection): Set expansion information in InlineFlowBoxes so the total expansion for a whole line is held in the RootInlineBox's expansion. * rendering/InlineTextBox.h: (WebCore::InlineTextBox::expansionBehavior): * rendering/RenderBlockFlow.h: * rendering/RenderBlockLineLayout.cpp: (WebCore::RenderBlockFlow::updateRubyForJustifiedText): updateRubyForJustifiedText() had a bunch of problems with it. First of all, it didn't actually set the InlineBoxes as dirty, so the second layout pass sometimes wouldn't perform any updates. Secondarily, it didn't take overhangs into account. Thirdly, it didn't mark the ruby base and text as needing layout so that subsequent layouts would actually traverse into them. (WebCore::RenderBlockFlow::computeExpansionForJustifiedText): (WebCore::RenderBlockFlow::computeInlineDirectionPositionsForSegment): This nested if triangle is super nasty, but I'm not sure of a better way to write it. (WebCore::updateRubyForJustifiedText): Deleted. (WebCore::computeExpansionForJustifiedText): Deleted. * rendering/RenderRubyBase.cpp: (WebCore::RenderRubyBase::RenderRubyBase): (WebCore::RenderRubyBase::adjustInlineDirectionLineBounds): * rendering/RenderRubyBase.h: * rendering/RenderRubyRun.cpp: (WebCore::RenderRubyRun::layout): * rendering/RenderText.cpp: (WebCore::RenderText::RenderText): * rendering/RenderText.h: (WebCore::RenderText::contentIsKnownToFollow): (WebCore::RenderText::setContentIsKnownToFollow): 2015-02-11 Lucas Forschler Merge r179750 2015-02-06 Maciej Stachowiak REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit). https://bugs.webkit.org/show_bug.cgi?id=141324 Reviewed by Alexey Proskuryakov. No new tests. This is caught by existing tests under ASAN, and I don't know how to reproduce it without ASAN. * rendering/RenderLineBoxList.cpp: (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild): Give up and just always invalidate the next line. It's too hard to come up with the condition that catches all needed cases, doesn't itself cause a crash, and isn't overzealous. And we do this for the previous line anyway. Also clean up the code a bit since it confusingly reuses a variable, and declares it uninitialized, for no good reason. 2015-02-11 Lucas Forschler Merge r179706 2015-02-05 Maciej Stachowiak Crash due to failing to dirty a removed text node's line box https://bugs.webkit.org/show_bug.cgi?id=136544 Reviewed by David Hyatt. Test: fast/text/remove-text-node-linebox-not-dirty-crash.html * rendering/RenderLineBoxList.cpp: (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild): Make the check for dirtying the next line box a bit more inclusive to avoid a case of a line box for a destroyed render object not being dirtied. In particular, when the text node's parent has no line boxes but contains BRs. 2015-02-11 Lucas Forschler Merge r179772 2015-02-06 Said Abou-Hallawa Invalid cast in WebCore::SVGAnimateElement::calculateAnimatedValue. https://bugs.webkit.org/show_bug.cgi?id=135171. Reviewed by Dean Jackson. The bug happens when an SVG element is animated by followed by an or an and the values of the "attributeName" in both elements are the same. The problem is should not have an attribute to animate. If it does by fuzz or by mistake, then we assume the and the animate the same attribute for the same element target. Therefore we schedule them in the same AnimationVector in SMILTimeContainer::schedule(). When we call SVGAnimateElementBase::calculateAnimatedValue() for an SVGAnimateColorElement and the resultElement is SVGAnimateMotionElement, we fail to cast it to SVGAnimateElementBase because SVGAnimateMotionElement is derived from SVGAnimationElement which is the base class of all animate elements including SVGAnimateElementBase. The fix is to nullify setting "attributeName" of an SVGAnimationElement. By doing so, "attributeName" and its value will be ignored from the which is correct. Tests: svg/animations/animate-montion-invalid-attribute.svg. * svg/SVGAnimateElementBase.cpp: (WebCore::SVGAnimateElementBase::setAttributeName): Do not call SVGAnimationElement::setAttributeName() since SVGAnimationElement should not have an attribute to animate. We prevent this by bypassing the parent in the class hierarchy: SVGAnimationElement and calling SVGSMILElement::setAttributeName() directly. * svg/SVGAnimationElement.cpp: (WebCore::SVGAnimationElement::setAttributeName): Deleted. * svg/SVGAnimationElement.h: SVGAnimationElement should not have an attribute to animate. So implement its setAttributeName() as a null function. 2015-02-11 Lucas Forschler Merge r179691 2015-02-05 Zalan Bujtas Do not destroy RenderQuote's text fragment child when quotation mark string is changing. https://bugs.webkit.org/show_bug.cgi?id=141271 rdar://problem/18169375 Reviewed by Antti Koivisto. Similar approach as https://codereview.chromium.org/679593004/ This patch ensures that laying out a RenderQuote does not force a sibling RenderQuote's child renderer(RenderText) to be destroyed. BreakingContext holds a pointer to the next renderer on the line (BreakingContext::m_nextObject). While laying out the line, initiated by BreakingContext, placing the current renderer could end up destroying the "next" renderer. This happens when the pseudo after quotation mark(RenderQuote) becomes floated, the sibling 's pseudo before text needs to be changed (from " to ') so that we don't end up with 2 sets of the same opening strings. The fix is to reuse the RenderTextFragment object instead of destroy/recreate it. Test: fast/css/content/quote-crash-when-floating.html * rendering/RenderQuote.cpp: (WebCore::RenderQuote::RenderQuote): (WebCore::fragmentChild): (WebCore::RenderQuote::updateText): * rendering/RenderQuote.h: * rendering/RenderTextFragment.cpp: (WebCore::RenderTextFragment::setText): (WebCore::RenderTextFragment::setContentString): * rendering/RenderTextFragment.h: 2015-02-11 Lucas Forschler Merge r179627 2015-02-03 David Hyatt Tables don't repaginate properly when the pagination height changes or the pagination offset changes. https://bugs.webkit.org/show_bug.cgi?id=141207 Reviewed by Dean Jackson. Added fast/multicol/table-dynamic-movement.html Change markForPaginationRelayoutIfNeeded to be called always and to check needsLayout inside it. Make RenderTable override markForPaginationRelayoutIfNeeded and also dirty the sections if the table ended up getting marked for relayout. Make sure rows do the right thing as well. * rendering/RenderBlock.cpp: (WebCore::RenderBlock::layoutPositionedObjects): (WebCore::RenderBlock::markForPaginationRelayoutIfNeeded): * rendering/RenderBlock.h: * rendering/RenderBlockFlow.cpp: (WebCore::RenderBlockFlow::layoutBlockChild): (WebCore::RenderBlockFlow::adjustBlockChildForPagination): (WebCore::RenderBlockFlow::positionNewFloats): * rendering/RenderDeprecatedFlexibleBox.cpp: (WebCore::RenderDeprecatedFlexibleBox::layoutHorizontalBox): (WebCore::RenderDeprecatedFlexibleBox::layoutVerticalBox): * rendering/RenderTable.cpp: (WebCore::RenderTable::markForPaginationRelayoutIfNeeded): * rendering/RenderTable.h: * rendering/RenderTableRow.cpp: (WebCore::RenderTableRow::layout): * rendering/RenderTableSection.cpp: (WebCore::RenderTableSection::layout): 2015-02-11 Lucas Forschler Merge r179597 2015-02-03 Maciej Stachowiak Crash when printing snapshotted plugins https://bugs.webkit.org/show_bug.cgi?id=141212 Reviewed by Simon Fraser. Test: plugins/snapshotting/print-snapshotted-plugin.html * html/HTMLPlugInImageElement.cpp: (WebCore::HTMLPlugInImageElement::childShouldCreateRenderer): New method. If the current renderer is a snapshotted plugin, only allow children to create renderers if they are part of the snapshot shadow dom. Otherwise RenderEmbeddedObject invariants will be violated. This DOM class can have many other renderers, but they can just follow their own rules. (WebCore::HTMLPlugInImageElement::partOfSnapshotOverlay): Make this const-correct, and don't create UA shadow DOM as a side effect if it doesn't already exist. * html/HTMLPlugInImageElement.h: 2015-02-11 Lucas Forschler Merge r179569 2015-02-03 Ryosuke Niwa Smart quoting could move the caret backwards in some configurations https://bugs.webkit.org/show_bug.cgi?id=141203 Reviewed by Enrica Casucci. The bug was caused by markAndReplaceFor not running the code to preserve the selection after text replacement only when smart quote is enabled. Furthermore, when smart link was disabled, we never applied smart quote due to the following condition at line 2502: if (!(shouldPerformReplacement || shouldCheckForCorrection || shouldMarkLink) || !doReplacement) continue; This condition prevented the code to apply smart quote from running when both continuous spellchecking, smart link, and text replacement are disabled. Fixed the bug by treating smart quotes and smart dashes like any other text replacement and set shouldPerformReplacement to true whenever either one of those text checking options are present. Smart link didn't have this issue due to the explicit check for shouldMarkLink. Smart dashes didn't suffer this problem either because dashes replacement happens only once the caret has moved past the dashes but his patch makes go through the same code path to preserve the selection as well for consistency. Test: editing/inserting/smart-quote-with-all-configurations.html * editing/Editor.cpp: (WebCore::Editor::markAndReplaceFor): 2015-02-11 Lucas Forschler Merge r179567 2015-02-02 Enrica Casucci Additional emoji support. https://bugs.webkit.org/show_bug.cgi?id=141047 rdar://problem/19045135 Reviewed by Darin Adler. Adds support for emoji modifiers and group emoji. Test: editing/deleting/delete-emoji.html * platform/graphics/FontCascade.cpp: (WebCore::FontCascade::characterRangeCodePath): * platform/text/TextBreakIterator.cpp: (WebCore::cursorMovementIterator): * rendering/RenderText.cpp: (WebCore::isEmojiGroupCandidate): (WebCore::isEmojiModifier): (WebCore::RenderText::previousOffsetForBackwardDeletion): 2015-02-11 Lucas Forschler Merge r179563 2015-02-03 Jer Noble [Mac][EME] Crash in CDMSessionMediaSourceAVFObjC::layerDidReceiveError() - NSError not KVO compliant for key NSUnderlyingError. https://bugs.webkit.org/show_bug.cgi?id=140529 Reviewed by Darin Adler. The underlying error should be fetched from the userInfo dictionary, not the error itself. * platform/graphics/avfoundation/objc/CDMSessionMediaSourceAVFObjC.mm: (WebCore::systemCodeForError): 2015-02-05 Lucas Forschler Merge r179366 2015-01-20 David Hyatt Japanese line breaking rules need to be respected before and after Ruby. https://bugs.webkit.org/show_bug.cgi?id=91588 Reviewed by Dean Jackson. Added fast/ruby/ruby-punctuation-avoid-breaking.html. This patch has to add support for following line breaking rules at both sides of a Ruby boundary. For breaking before a Ruby, unfortunately we just hard-code the rules (and apply this hard-coding only to Ruby and not to other inline replaced elements). For breaking after a Ruby we do better. The Ruby run caches its prior characters and line layout is able to obtain them and use them when deciding whether or not to break. This means for the "after" side of a Ruby, we're able to behave the same as if no Ruby was used. * rendering/RenderBlockFlow.h: (WebCore::RenderBlockFlow::cachePriorCharactersIfNeeded): * rendering/RenderBlockLineLayout.cpp: (WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange): * rendering/RenderRubyBase.cpp: (WebCore::RenderRubyBase::cachePriorCharactersIfNeeded): * rendering/RenderRubyBase.h: * rendering/RenderRubyRun.cpp: (WebCore::RenderRubyRun::RenderRubyRun): (WebCore::RenderRubyRun::updatePriorContextFromCachedBreakIterator): (WebCore::RenderRubyRun::canBreakBefore): * rendering/RenderRubyRun.h: * rendering/RenderRubyText.cpp: (WebCore::RenderRubyText::canBreakBefore): * rendering/RenderRubyText.h: * rendering/line/BreakingContextInlineHeaders.h: (WebCore::BreakingContext::handleReplaced): (WebCore::BreakingContext::canBreakAtThisPosition): (WebCore::BreakingContext::commitAndUpdateLineBreakIfNeeded): 2015-02-10 Lucas Forschler Merge r177849 2015-01-01 Jeff Miller Update user-visible copyright strings to include 2015 https://bugs.webkit.org/show_bug.cgi?id=139880 Reviewed by Darin Adler. * Info.plist: 2015-02-10 Lucas Forschler Merge r177504 & r178298 2015-01-12 Chris Dumez Log navigation types using DiagnosticLoggingClient https://bugs.webkit.org/show_bug.cgi?id=140323 Reviewed by Darin Adler. Log navigation types using DiagnosticLoggingClient to help us understand what types of navigations are common and give us an estimate on the total number of navigations. * loader/FrameLoader.cpp: (WebCore::logNavigation): (WebCore::FrameLoader::loadWithDocumentLoader): (WebCore::logNavigationWithFeatureCounter): Deleted. * page/DiagnosticLoggingKeys.cpp: (WebCore::DiagnosticLoggingKeys::navigationKey): * page/DiagnosticLoggingKeys.h: 2015-02-10 Lucas Forschler Merge r176899 2014-12-05 Simon Fraser Programmatic scrolling and content changes are not always synchronized https://bugs.webkit.org/show_bug.cgi?id=139245 rdar://problem/18833612 Reviewed by Anders Carlsson. For programmatic scrolls, AsyncScrollingCoordinator::requestScrollPositionUpdate() calls updateScrollPositionAfterAsyncScroll(), then dispatches the requested scroll position to the scrolling thread. Once the scrolling thread commits, it calls back to the main thread via scheduleUpdateScrollPositionAfterAsyncScroll(), which schedules a second call to updateScrollPositionAfterAsyncScroll() on a timer. That's a problem, because some other scroll may have happened in the meantime; when the timer fires, it can sometimes restore a stale scroll position. Fix by bailing early from scheduleUpdateScrollPositionAfterAsyncScroll() for programmatic scrolls, since we know that requestScrollPositionUpdate() already did the updateScrollPositionAfterAsyncScroll(). Test: ManualTests/programmatic-scroll-flicker.html * page/FrameView.cpp: (WebCore::FrameView::reset): nullptr. (WebCore::FrameView::setScrollPosition): Ditto. (WebCore::FrameView::setWasScrolledByUser): Ditto. * page/scrolling/AsyncScrollingCoordinator.cpp: (WebCore::AsyncScrollingCoordinator::requestScrollPositionUpdate): Use a local variable for isProgrammaticScroll just to make sure we use the same value for the duration of this function. (WebCore::AsyncScrollingCoordinator::scheduleUpdateScrollPositionAfterAsyncScroll): Do nothing if this is a programmatic scroll. 2015-02-06 Babak Shafiei Merge r179758. 2015-02-06 Timothy Horton REGRESSION: Lookup doesn't work in RTL https://bugs.webkit.org/show_bug.cgi?id=141338 Reviewed by Dan Bernstein. * editing/Editor.cpp: (WebCore::Editor::scanSelectionForTelephoneNumbers): * editing/mac/DictionaryLookup.mm: (WebCore::rangeExpandedAroundPositionByCharacters): Positions are independent of writing direction, so we don't need to (and shouldn't) do anything special for RTL here. 2015-01-24 David Kilzer Merge r176262. 2014-11-17 David Hyatt Improve Ruby selection (getting rid of overlap and improving gap filling) https://bugs.webkit.org/show_bug.cgi?id=138250 Reviewed by Dean Jackson. * rendering/RenderBlock.cpp: (WebCore::RenderBlock::selectionGaps): (WebCore::RenderBlock::blockSelectionGaps): Add Ruby text in along with the Ruby base. * rendering/RenderBlockFlow.cpp: (WebCore::RenderBlockFlow::inlineSelectionGaps): Don't let block gaps get filled in here. * rendering/RenderRubyBase.h: Expose accessor to the ruby run. * rendering/RenderRubyText.cpp: (WebCore::RenderRubyText::rubyRun): * rendering/RenderRubyText.h: Add accessor to the ruby run. * rendering/RootInlineBox.cpp: (WebCore::RootInlineBox::selectionTop): (WebCore::RootInlineBox::selectionBottom): Improve selectionTop and selectionBottom of ruby bases to avoid the ruby text. Improve the selectionTop and selectionBottom of ruby texts to fill the gap up to the previous/next line as appropriate. 2015-01-24 David Kilzer Merge r175260. 2014-10-28 David Hyatt Selection gap painting is ugly for ruby bases. https://bugs.webkit.org/show_bug.cgi?id=138136 Reviewed by Dean Jackson. * rendering/RenderBlock.cpp: (WebCore::RenderBlock::selectionGaps): For ruby bases don't fill to the end of the block (in the block direction), since ideographic baselines push that end below the text baseline. (WebCore::RenderBlock::blockSelectionGaps): * rendering/RenderBlockFlow.cpp: Skip ruby bases for block selection gap filling. 2015-02-04 Matthew Hanson Merge r178490. rdar://problem/19687156 2015-01-14 Simon Fraser Graphics corruption after Find on some pages https://bugs.webkit.org/show_bug.cgi?id=140489 Reviewed by Zalan Bujtas. After doing a Find on http://shop.outlier.cc/shop/retail/chino.html, garbage could appear on some parts of the page. This is caused by creating a compositing layer which is marked as opaque, yet failing to paint the entire layer contents. This was caused by a bug in RenderBox::computeBackgroundIsKnownToBeObscured() logic. On the page in question, doing a Find could cause overflow:hidden sections to get scrolled (since Find can reveal the selection by scrolling overflow). However, the render tree walking under RenderBox::foregroundIsKnownToBeOpaqueInRect() fails to take overflow scrolling into account, so gives the wrong answer in some content configurations. As a result, we'd think that the background is obscured, and never paint it. Conservative fix is to have isCandidateForOpaquenessTest() return false when the content has any non-zero scroll offset. Tests: compositing/contents-opaque/opaque-with-scrolled.html fast/backgrounds/opaque-scrolled-paint-background.html * rendering/RenderBox.cpp: (WebCore::isCandidateForOpaquenessTest): 2015-02-03 Matthew Hanson Merge r178462. rdar://problem/19673708 2015-01-14 Enrica Casucci REGRESSION (r165385): Crash when applying autocorrection exceeds maximum text area length. https://bugs.webkit.org/show_bug.cgi?id=137902 rdar://problem/18568864 Reviewed by Darin Adler. Test: editing/text-iterator/invalid-subrange.html characterSubrange should check the iterator position after each advance. This changed adds a new method to the Internals object to be able to test this. * editing/TextIterator.cpp: (WebCore::characterSubrange): (WebCore::TextIterator::subrange): (WebCore::findPlainText): * testing/Internals.cpp: (WebCore::Internals::subrange): * testing/Internals.h: * testing/Internals.idl: 2015-02-04 Matthew Hanson Merge r176750. rdar://problem/19617755 2014-12-03 Zalan Bujtas ASSERTION: RenderMultiColumnFlowThread::processPossibleSpannerDescendant() when column spanner's parent is not a RenderBlockFlow. https://bugs.webkit.org/show_bug.cgi?id=139188 rdar://problem/18502182 Reviewed by David Hyatt. This patch ensures that the validation check for spanner in isValidColumnSpanner() is in synch with the expectation in RenderMultiColumnFlowThread::processPossibleSpannerDescendant(). (descendant's parent is expected to be a RenderBlockFlow) Test: fast/multicol/svg-content-as-column-spanner-crash.html * rendering/RenderMultiColumnFlowThread.cpp: (WebCore::isValidColumnSpanner): 2015-02-04 Matthew Hanson Merge r175236. rdar://problem/19451378 2014-10-24 David Hyatt text-combine needs to center text within the vertical space using glyph bounds https://bugs.webkit.org/show_bug.cgi?id=138056 Reviewed by Dean Jackson. Added fast/text/tatechuyoko.html * rendering/RenderCombineText.cpp: (WebCore::RenderCombineText::RenderCombineText): (WebCore::RenderCombineText::adjustTextOrigin): (WebCore::RenderCombineText::combineText): * rendering/RenderCombineText.h: 2015-01-24 David Kilzer Merge r176321. 2014-11-19 Chris Fleizach AX: Safari fails to load a web page with VoiceOver https://bugs.webkit.org/show_bug.cgi?id=138849 Reviewed by Mario Sanchez Prada. Sometimes an inlineElementContinuation will continue to an inline RenderBlock, so we case this incorrectly and bad things happen. Test: accessibility/inline-block-assertion.html * accessibility/AccessibilityRenderObject.cpp: (WebCore::startOfContinuations): 2015-01-24 David Kilzer Merge r174860. 2014-10-18 Chris Fleizach AX: Tables with are not reporting table column headers https://bugs.webkit.org/show_bug.cgi?id=137846 Reviewed by Mario Sanchez Prada. The code to search for header objects was getting stuck on anonymous RenderTableSections. We also need to check more rows for headers, in case the first row or more is not visible or is empty. Test: accessibility/table-column-headers-with-captions.html * accessibility/AccessibilityTableColumn.cpp: (WebCore::AccessibilityTableColumn::headerObject): (WebCore::AccessibilityTableColumn::headerObjectForSection): 2015-02-04 David Kilzer Merge r175641. 2014-11-04 David Hyatt Descendant ends up in wrong flow thread with nested columns and spans. https://bugs.webkit.org/show_bug.cgi?id=137273 Reviewed by Simon Fraser. Unskipped the two problematic span tests. * rendering/RenderMultiColumnFlowThread.cpp: (WebCore::isValidColumnSpanner): Remove the guard and comment and added the assertion back in. (WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted): Changed to no longer use handleSpannerRemoval. Because the spanner was removed from the flow thread's map, handleSpannerRemoval was a no-op. So instead I just removed the placeholder by hand. The second fix was to stop destroying the placeholder. Since the placeholder can just have been inserted, you can't delete it, since otherwise code further up the stack will access the deleted object. For now, we just leak the placeholder. The third fix is to make sure the subtreeRoot is properly updated to be the new placeholder. 2015-02-04 David Kilzer Merge r174085. 2014-09-29 David Hyatt REGRESSION (r168046): Confused column spans when combined with dynamic animations https://bugs.webkit.org/show_bug.cgi?id=134048. Reviewed by Dean Jackson. Added fast/multicol/multicol-fieldset-span-changes.html * rendering/RenderMultiColumnFlowThread.cpp: (WebCore::RenderMultiColumnFlowThread::processPossibleSpannerDescendant): Refactor handling of insertions into the multicolumn flow thread into a helper function, processPossibleSpannerDescendant. This makes it easier to call the code from more than one place. (WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted): Modify the nested columns span shifting code to avoid problems. The new code suppresses notifications and does the move of the spanner back into the original spot *before* removing the placeholder. This ensures that the placeholder parent still exists. The stale placeholder is then removed and destroyed after the spanner has been put back into place. (WebCore::RenderMultiColumnFlowThread::handleSpannerRemoval): (WebCore::RenderMultiColumnFlowThread::flowThreadRelativeWillBeRemoved): Refactor the removal notifications for spanners into a helper function so that it can be called to do cleanup from the code that cleans up stale placeholders on a shift. * rendering/RenderMultiColumnFlowThread.h: Modified to add the new helpers. 2015-02-03 Dean Jackson Merge r178380. 2015-01-13 Dean Jackson Filters aren't applied to elements in columns after the first https://bugs.webkit.org/show_bug.cgi?id=140331 Reviewed by Simon Fraser. The important bits of this change came from Simon. Filters and clipping were not taking columns into account when using their offset rectangles. The fix is to recalculate the rects if you're in such a situation. Tests: fast/multicol/clip-in-columns.html fast/multicol/filter-in-columns.html * rendering/RenderLayer.cpp: (WebCore::RenderLayer::hasFilterThatIsPainting): New method used to check if we're about to paint a filter. (WebCore::RenderLayer::setupFilters): Use the new helper if possible. (WebCore::RenderLayer::paintLayerContents): If we're in columns, and we either have a clip or a filter, recalculate the offset rectangles. * rendering/RenderLayer.h: 2015-02-02 Brent Fulgham Merge r178661. rdar://problem/19617731 2015-01-19 Brent Fulgham Layers need to be already updated before we call adjustViewSize https://bugs.webkit.org/show_bug.cgi?id=135514 Reviewed by Simon Fraser. Tested by 'fast/dynamic/layer-no-longer-paginated.html' Defer painting operations until we have finished layout. This has a couple of benefits: (1) We do not attempt to modify render layers during layout. (2) In WK1 we do not attempt to paint during layout. Add a new virtual predicate to ScrollView indicating when we are in layout so that calls to setContentsSize do not attempt to adjust scrollbars. Modify FrameView to set its ScrollView state to block paint operations during layout. Also add a post-layout handler to complete the scrollbar updates after layout is finished. * WebCore.exp.in: Move linker symbol to ScrollView (from FrameView). * page/FrameView.cpp: (WebCore::FrameView::layout): (WebCore::FrameView::shouldDeferScrollUpdateAfterContentSizeChange): Added. (WebCore::FrameView::scrollPositionChangedViaPlatformWidget): Removed (Renamed). (WebCore::FrameView::scrollPositionChangedViaPlatformWidgetImpl): Added (Renamed) (WebCore::FrameView::paintContents): Do not paint if we are inside view size adjustment. * page/FrameView.h: * platform/ScrollView.cpp: (WebCore::ScrollView::scrollPositionChangedViaPlatformWidget): Added. Checks whether we need to defer painting, and calls virtual scrollPositionChangedViaPlatformWidgetImpl if we do not. (WebCore::FrameView::scrollPositionChangedViaPlatformWidgetImpl): Added. (WebCore::ScrollView::handleDeferredScrollUpdateAfterContentSizeChange): Added. (WebCore::ScrollView::scrollTo): If we should defer painting, cache the the scroll delta and apply it after the layout is complete. (WebCore::ScrollView::completeUpdatesAfterScrollTo): Split off part of 'scrollTo' into its own method so we can reuse it in handleDeferredScrollUpdateAfterContentSizeChange. * platform/ScrollView.h: (WebCore::ScrollView::shouldDeferScrollUpdateAfterContentSizeChange): Added. 2015-01-21 Babak Shafiei Merge r177000. 2014-12-08 Dean Jackson [Apple] Use Accelerate framework to speed-up FEGaussianBlur https://bugs.webkit.org/show_bug.cgi?id=139310 Reviewed by Simon Fraser. Using Apple's Accelerate framework provides faster blurs than the parallel jobs approach, especially since r168577 which started performing retina-accurate filters. Using Accelerate.framework to replace the existing box blur (what we use to approximate Gaussian blurs) gets about a 20% speedup on desktop class machines, but between a 2x-6x speedup on iOS hardware. Obviously this depends on the size of the content being blurred, but it is still good. The change is to intercept the platformApply function on FEGaussianBlur and send it off to Accelerate. There is an interactive performance test: PerformanceTests/Interactive/blur-filter-timing.html * platform/graphics/filters/FEGaussianBlur.cpp: (WebCore::kernelPosition): Move this to a file static function from the .h. (WebCore::accelerateBoxBlur): The Accelerate implementation. (WebCore::standardBoxBlur): The default generic/standard implementation. (WebCore::FEGaussianBlur::platformApplyGeneric): Use accelerate or the default form. (WebCore::FEGaussianBlur::platformApply): Don't try the parallelJobs approach if Accelerate is available. * platform/graphics/filters/FEGaussianBlur.h: (WebCore::FEGaussianBlur::kernelPosition): Deleted. Move into the .cpp. 2015-01-21 Babak Shafiei Merge r176484. 2014-11-21 Chris Fleizach AX: com.apple.WebKit.WebContent crashed at WebCore: WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored const https://bugs.webkit.org/show_bug.cgi?id=138905 Reviewed by Mario Sanchez Prada. The crash log indicates that m_renderer is null at the time we ask ancestorsOfType(). This is more of a speculative fix, since I am not entirely sure m_renderer is null when we enter the method. Unable to determine cause of crash or how to reproduce on demand. * accessibility/AccessibilityRenderObject.cpp: (WebCore::AccessibilityRenderObject::computeAccessibilityIsIgnored): 2015-01-21 Babak Shafiei Merge r176447. 2014-11-21 Chris Fleizach AX: MathML expressions are misread by VoiceOver https://bugs.webkit.org/show_bug.cgi?id=138948 Reviewed by Mario Sanchez Prada. The logic for deciding what's the radicand and an index was too tied to children placement. We should instead pull directly from the source. Test: platform/mac/accessibility/mathml-root.html * accessibility/AccessibilityRenderObject.cpp: (WebCore::AccessibilityRenderObject::mathRadicandObject): (WebCore::AccessibilityRenderObject::mathRootIndexObject): * rendering/mathml/RenderMathMLRoot.h: 2015-01-21 Babak Shafiei Merge r176372. 2014-11-19 Myles C. Maxfield [OS X] Upright vertical text is completely broken for multi-code-unit codepoints https://bugs.webkit.org/show_bug.cgi?id=138891 Reviewed by Dan Bernstein. We were assuming that we can use the string index (in UTF-16) as the glyph index. This falls down when a single codepoint (and glyph) contians multiple code units. Test: platform/mac/fast/text/multiple-codeunit-vertical-upright.html * platform/graphics/GlyphPage.h: * platform/graphics/mac/GlyphPageTreeNodeMac.cpp: (WebCore::GlyphPage::fill): 2015-01-21 Babak Shafiei Merge r176318. 2014-11-19 Chris Fleizach AX: Screen braille input doesn't work on forms. https://bugs.webkit.org/show_bug.cgi?id=138804 Reviewed by Mario Sanchez Prada. Allow iOS to set values of text fields through the API. Test: platform/ios-sim/accessibility/set-value.html * accessibility/ios/WebAccessibilityObjectWrapperIOS.mm: (-[WebAccessibilityObjectWrapper _accessibilitySetValue:]): 2015-01-21 Babak Shafiei Merge r175818. 2014-11-10 Simon Fraser [iOS WK2] Layers with negative z position disapear behind the page tiles https://bugs.webkit.org/show_bug.cgi?id=138571 rdar://problem/18873480 Reviewed by Dean Jackson. Some crufty iOS-only code in RenderLayerBacking::parentForSublayers() caused us to fail to use the m_childContainmentLayer as the ancestor for descendants, so layers with negative z position would get depth-sorted behind the tiles. Fix by removing that code. This should have been detected by compositing/tile-cache-must-flatten.html, but testing infrastructure suck prevented us from doing so. * rendering/RenderLayerBacking.cpp: (WebCore::RenderLayerBacking::parentForSublayers): * rendering/RenderLayerBacking.h: Just some nullptr cleanup. 2015-01-21 Babak Shafiei Merge r175277. 2014-10-24 Jeffrey Pfau FrameProgressTracker expects Page to not have detached https://bugs.webkit.org/show_bug.cgi?id=138061 Reviewed by Alexey Proskuryakov. In some cases, a Page may be detached from a Frame before its FrameLoader is torn down, causing FrameProgressTracker's destructor to hit a null pointer. No new tests; it is impossible to reliably simulate the null pointer case without intrusive code changes. * loader/FrameLoader.cpp: (WebCore::FrameLoader::FrameProgressTracker::~FrameProgressTracker): 2015-01-20 Babak Shafiei Merge r175241. 2014-10-27 Chris Fleizach AX: input type=hidden is being exposed when aria-hidden=false https://bugs.webkit.org/show_bug.cgi?id=138106 Reviewed by Benjamin Poulain. If an input type=hidden was inside an aria-hidden=false, it would appear because the lack of a RenderObject behind that object was not blocking its adoption into the AX tree. We should explicity check for whether the type is hidden and then return an appropriate role. Test: accessibility/input-type-hidden-in-aria-hidden-false.html * accessibility/AccessibilityNodeObject.cpp: (WebCore::AccessibilityNodeObject::determineAccessibilityRole): (WebCore::AccessibilityNodeObject::computeAccessibilityIsIgnored): 2015-01-20 Babak Shafiei Merge r174832. 2014-10-17 Dean Jackson [Media] Always update controls for