2014-05-30  Dana Burkart

        Supplementary build fix for , borrowed from .

        * WebCore.exp.in:

2014-05-29  Jeffrey Pfau

        Build fix for Mavericks

        * WebCore.exp.in:

2014-05-29  Jeffrey Pfau

        Build fix

        * WebCore.exp.in:

2014-05-27  Jeffrey Pfau

        Workaround for

        Reviewed by David Kilzer.

        * platform/network/mac/ResourceRequestMac.mm:
        (WebCore::ResourceRequest::doUpdatePlatformRequest):

2014-05-27  Lucas Forschler

        Fix for

        Fix by Jon Honeycutt.

        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::filterNeedsRepaint):

2014-05-23  Lucas Forschler

        Rollout r169219

2014-05-23  Dana Burkart

        Merge r165862

    2014-03-18  Jeffrey Pfau

            Unify element callback registration and unregistration
            https://bugs.webkit.org/show_bug.cgi?id=130417

            Reviewed by Eric Carlson.

            * html/HTMLMediaElement.cpp:
            (WebCore::HTMLMediaElement::HTMLMediaElement):
            (WebCore::HTMLMediaElement::~HTMLMediaElement):
            (WebCore::HTMLMediaElement::registerWithDocument):
            (WebCore::HTMLMediaElement::unregisterWithDocument):
            (WebCore::HTMLMediaElement::didMoveToNewDocument):
            * html/HTMLMediaElement.h:

2014-05-23  Dana Burkart

        Merge r160847

    2013-12-19  Ryosuke Niwa

            overflowchanged event could cause a crash
            https://bugs.webkit.org/show_bug.cgi?id=125978

            Reviewed by Tim Horton.

            Made the event asynchronous by re-using Document's event queuing ability.
            Also removed the infrastructure to queue up events in FrameView.

            Test: fast/events/overflowchanged-inside-selection-collapse-crash.html

            * dom/Document.cpp:
            (WebCore::Document::recalcStyle):
            (WebCore::Document::enqueueOverflowEvent):
            * dom/Document.h:
            * page/FrameView.cpp:
            (WebCore::FrameView::FrameView):
            (WebCore::FrameView::~FrameView):
            (WebCore::FrameView::layout):
            (WebCore::FrameView::performPostLayoutTasks):
            (WebCore::FrameView::updateOverflowStatus):
            * page/FrameView.h:
            * rendering/RenderBlock.cpp:
            (WebCore::OverflowEventDispatcher::~OverflowEventDispatcher):
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::scrollRectToVisible):
            * rendering/RenderMarquee.cpp:
            (WebCore::RenderMarquee::start):

2014-05-22  Lucas Forschler

        Merge r168915

    2014-05-15  Daniel Bates

            SVG element may reference arbitrary DOM element before running its insertion logic
            https://bugs.webkit.org/show_bug.cgi?id=132757

            Reviewed by Ryosuke Niwa.

            Fixes an issue where an SVG element may reference an arbitrary DOM element e before
            e finished being inserted in the tree.

            Currently when an SVG element A is inserted into a document we use document.getElementById()
            to find the element B it references (if any). If A is inserted before B and B has the same
            id as a later element in the document then A can find B before B is notified that it's been
            inserted into the document (i.e. before Element::insertedFrom() is called on B). Instead,
            A should call document.getElementById() only after cessation of the insertion operation
            that inserted it to ensure that all inserted nodes (including B) processed their
            insertion-specific logic.

            Tests: svg/custom/reparent-animate-element.html
                   svg/custom/reparent-feimage-element.html
                   svg/custom/reparent-mpath-element.html
                   svg/custom/reparent-textpath-element.html
                   svg/custom/reparent-tref-element.html
                   svg/custom/reparent-use-element.html

            * svg/SVGFEImageElement.cpp:
            (WebCore::SVGFEImageElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions
            so that we are called back to resolve our target element (i.e. call
            SVGFEImageElement::buildPendingResources()) after the subtree we're in is inserted.
            (WebCore::SVGFEImageElement::didNotifySubtreeInsertions): Added; turns around and calls
            SVGFEImageElement::buildPendingResources().
            * svg/SVGFEImageElement.h:
            * svg/SVGMPathElement.cpp:
            (WebCore::SVGMPathElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions
            so that we are called back to resolve our target element (i.e. call
            SVGMPathElement::buildPendingResources()) after the subtree we're in is inserted.
            (WebCore::SVGMPathElement::didNotifySubtreeInsertions): Added; turns around and calls
            SVGMPathElement::buildPendingResources().
            * svg/SVGMPathElement.h:
            * svg/SVGTRefElement.cpp:
            (WebCore::SVGTRefElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions
            so that we are called back to resolve our target element (i.e. call
            SVGTRefElement::buildPendingResources()) after the subtree we're in is inserted.
            (WebCore::SVGTRefElement::didNotifySubtreeInsertions): Added; turns around and calls
            SVGTRefElement::buildPendingResources().
            * svg/SVGTRefElement.h:
            * svg/SVGTextPathElement.cpp:
            (WebCore::SVGTextPathElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions
            so that we are called back to resolve our target element (i.e. call
            SVGTextPathElement::buildPendingResources()) after the subtree we're in is inserted.
            (WebCore::SVGTextPathElement::didNotifySubtreeInsertions): Added; turns around and calls
            SVGTextPathElement::buildPendingResources().
            * svg/SVGTextPathElement.h:
            * svg/SVGUseElement.cpp:
            (WebCore::SVGUseElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions
            so that we are called back to resolve our target element (i.e. call
            SVGUseElement::buildPendingResources()) after its subtree is inserted.
            (WebCore::SVGUseElement::didNotifySubtreeInsertions): Added; turns around and calls
            SVGUseElement::buildPendingResources().
            * svg/SVGUseElement.h:
            * svg/animation/SVGSMILElement.cpp:
            (WebCore::SVGSMILElement::insertedInto): Return InsertionShouldCallDidNotifySubtreeInsertions
            so that we are called back to resolve our target element (i.e. call
            SVGSMILElement::buildPendingResources()) after the subtree we're in is inserted.
            (WebCore::SVGSMILElement::didNotifySubtreeInsertions): Added; turns around and calls
            SVGSMILElement::buildPendingResources().
            * svg/animation/SVGSMILElement.h:

2014-05-22  Dana Burkart

        Merge r169007

    2014-05-17  Maciej Stachowiak

            Don't attempt to update id or name for nodes that are already removed
            https://bugs.webkit.org/show_bug.cgi?id=133041

            Reviewed by Sam Weinig.

            Tests: fast/dom/remove-element-with-id-that-was-inserted-on-DOMNodeRemoved.html
                   fast/dom/remove-element-with-name-that-was-inserted-on-DOMNodeRemoved.html

            * dom/Element.cpp:
            (WebCore::Element::removedFrom): Skip updating ids and names for an element not in a
            treescope, as we already do for elements not in a document.

2014-05-22  Lucas Forschler

        Merge r168636

    2014-05-12  Martin Hock

            Disallow drag and drop of non-displayable resources.
            https://bugs.webkit.org/show_bug.cgi?id=132745

            Reviewed by Alexey Proskuryakov.

            Test: http/tests/security/drag-drop-local-file.html

            * page/DragController.cpp:
            (WebCore::DragController::startDrag):

2014-05-22  Lucas Forschler

        Merge r166741

    2014-04-02  Simon Fraser

            Harden FilterOperation type casting
            https://bugs.webkit.org/show_bug.cgi?id=131142

            Reviewed by Sam Weinig.

            DefaultFilterOperation had an error-prone behavior where it set the base class
            OperationType to the type of some other filter class, but overrode isDefault().
            This made it very easy to write incorrect code that cast incorrectly based on type().

            Fix by adding a DEFAULT filter operation type, and storing the represented type
            on DefaultFilterOperation(). Also remove the OperationType argument for constructors
            of FilterOperations that can only be of one type, to avoid possible mistakes.

            Make the type cast macros a bit more normal, and use them in a few places.

            Fixed PlatformCAFiltersMac to handle the default filter case more cleanly.

            * WebCore.exp.in:
            * css/CSSComputedStyleDeclaration.cpp:
            (WebCore::ComputedStyleExtractor::valueForFilter):
            * css/StyleResolver.cpp:
            (WebCore::StyleResolver::createFilterOperations):
            * platform/graphics/ca/PlatformCAFilters.h:
            * platform/graphics/ca/mac/PlatformCAFiltersMac.mm:
            (PlatformCAFilters::filterValueForOperation):
            (PlatformCAFilters::colorMatrixValueForFilter):
            * platform/graphics/filters/FilterOperation.cpp:
            (WebCore::DefaultFilterOperation::operator==):
            (WebCore::ReferenceFilterOperation::ReferenceFilterOperation):
            (WebCore::ReferenceFilterOperation::operator==):
            (WebCore::BlurFilterOperation::operator==):
            (WebCore::BlurFilterOperation::blend):
            (WebCore::DropShadowFilterOperation::operator==):
            (WebCore::DropShadowFilterOperation::blend):
            * platform/graphics/filters/FilterOperation.h:
            (WebCore::FilterOperation::blend):
            (WebCore::FilterOperation::type):
            (WebCore::FilterOperation::isBasicColorMatrixFilterOperation):
            (WebCore::FilterOperation::isBasicComponentTransferFilterOperation):
            (WebCore::FilterOperation::isSameType):
            (WebCore::DefaultFilterOperation::create):
            (WebCore::DefaultFilterOperation::representedType):
            (WebCore::DefaultFilterOperation::DefaultFilterOperation):
            (WebCore::ReferenceFilterOperation::create):
            (WebCore::BlurFilterOperation::create):
            (WebCore::BlurFilterOperation::BlurFilterOperation):
            (WebCore::DropShadowFilterOperation::create):
            (WebCore::DropShadowFilterOperation::DropShadowFilterOperation):
            (WebCore::FilterOperation::isDefault): Deleted.
            * platform/graphics/filters/FilterOperations.cpp:
            (WebCore::FilterOperations::outsets):
            * rendering/FilterEffectRenderer.cpp:
            (WebCore::FilterEffectRenderer::build):
            * rendering/RenderLayerFilterInfo.cpp:
            (WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients):

2014-05-22  Dana Burkart

        Merge r167851

    2014-04-26  Darin Adler

            Frame and page lifetime fixes in WebCore::createWindow
            https://bugs.webkit.org/show_bug.cgi?id=132089

            Reviewed by Sam Weinig.

            Speculative fix because I was unable to reproduce the crash that was reported with
            the test case attached to this bug.

            * loader/FrameLoader.cpp:
            (WebCore::createWindow): Changed code to remove the assumption that calls out will not
            destroy the page or frame. Use RefPtr for the frame, and added early exits if
            frame->page() becomes null at any point before we use a page pointer.

2014-05-22  Dana Burkart

        Merge r168641

    2014-05-09  Jon Honeycutt

            REGRESSION (r167818): editing/inserting/typing-space-to-trigger-smart-link.html fails
            on WebKit1 bots

            Reverts the previous workaround in favor of a more specific fix for the null dereference.

            Reviewed by Darin Adler.

            * editing/ApplyStyleCommand.cpp:
            (WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange): Check whether the run's start
            and end are still in the document, as removeConflictingInlineStyleFromRun() may have
            removed them.
            * editing/CompositeEditCommand.cpp:
            (WebCore::CompositeEditCommand::apply): Reverted previous workaround.
            (WebCore::ApplyEditCommand::ReentrancyGuard::isRecursiveCall): Deleted.
            (WebCore::ApplyEditCommand::ReentrancyGuard::Scope::Scope): Deleted.
            (WebCore::ApplyEditCommand::ReentrancyGuard::Scope::~Scope): Deleted.

2014-05-22  Lucas Forschler

        Merge r167635

    2014-04-21  Dan Bernstein

            WebCore part of Page::setDefersLoading doesn't do anything when using the Network process
            https://bugs.webkit.org/show_bug.cgi?id=131939

            Reviewed by David Kilzer.

            * WebCore.exp.in: Exported WebCore::ResourceHandle::setDefersLoading.
            * loader/ResourceLoadScheduler.cpp:
            (WebCore::ResourceLoadScheduler::setDefersLoading): Added a no-op implementation.
            * loader/ResourceLoadScheduler.h: Declared new virtual member function setDefersLoading.
            * loader/ResourceLoader.cpp:
            (WebCore::ResourceLoader::setDefersLoading): Added a call to the above function.

2014-05-22  Dana Burkart

        Merge r167818

    2014-04-23  Jon Honeycutt

            Crash applying editing commands from iframe onload event

            This patch merges the Chromium bug workaround from , which prevents reentrancy in
            CompositeEditCommand::apply().

            Reviewed by Darin Adler.

            Test: editing/apply-style-iframe-crash.html

            * editing/CompositeEditCommand.cpp:
            (WebCore::HTMLNames::ReentrancyGuard::isRecursiveCall):
            (WebCore::HTMLNames::ReentrancyGuard::Scope::Scope):
            (WebCore::HTMLNames::ReentrancyGuard::Scope::~Scope):
            (WebCore::CompositeEditCommand::apply): If this is a recursive call, return early.

2014-05-22  Dana Burkart

        Merge r167264

    2014-04-14  Jer Noble

            Use after free in WebCore::CachedResourceHandleBase::~CachedResourceHandleBase /
            WebCore::removeDetachedChildrenInContainer
            https://bugs.webkit.org/show_bug.cgi?id=131169

            Reviewed by Eric Carlson.

            Invalidate the WebCoreAVFResourceLoader owned by MediaPlayerPrivateAVFoundationObjC in
            its destructor, to prevent a private function being called in response to the
            WebCoreAVFResourceLoader being stopped.

            * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
            (WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC):
            * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h:
            * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
            (WebCore::WebCoreAVFResourceLoader::invalidate):

2014-05-22  Dana Burkart

        Merge r166628

    2014-04-13  Darin Adler

            userVisibleString should not try to "encode" host names
            https://bugs.webkit.org/show_bug.cgi?id=131587
            rdar://problem/14686849

            Reviewed by Alexey Proskuryakov.

            * WebCore.exp.in: Updated for WebCoreNSURLExtras argument type changes.
            * platform/mac/WebCoreNSURLExtras.h: Removed unneeded code to make this Objective-C++
            header compile in plain C++ files, which we never need to do. Added missing argument
            name, baseURL, and changed mysterious CFIndex arguments to the correct type,
            CFURLComponentType.
            * platform/mac/WebCoreNSURLExtras.mm:
            (WebCore::isLookalikeCharacter): Removed the inline keyword from this, and added more
            lookalike characters from the Mozilla list referenced here.
            (WebCore::URLByTruncatingOneCharacterBeforeComponent): Updated argument type.
            (WebCore::dataForURLComponentType): Ditto.
            (WebCore::userVisibleString): Only call mapHostNames if host name decoding is needed;
            no encoding here.

2014-05-22  Dana Burkart

        Merge r166628

    2014-04-01  Jon Honeycutt

            Crash in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients

            Reviewed by Dean Jackson.

            Test: svg/filters/first-letter-crash.html

            * rendering/FilterEffectRenderer.cpp:
            (WebCore::FilterEffectRenderer::buildReferenceFilter): Added a null check to prevent
            crashes for anonymous RenderObjects.
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::filterNeedsRepaint): Get the enclosing element, if there is one,
            and recalculate its style. We use the enclosing element so that we recalculate style
            for the ancestor of an anonymous RenderElement.
            (WebCore::RenderLayer::enclosingElement): Remove an assertion; we may now reach this
            condition if loading a cached SVG document results in RenderLayer::filterNeedsRepaint()
            being called before the object has been inserted into the render tree.
            * rendering/RenderLayerFilterInfo.cpp:
            (WebCore::RenderLayer::FilterInfo::notifyFinished): Tell the RenderLayer that the filter
            needs repainting.
            (WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients): Get the Element from
            the renderer rather than asking the renderer's Element, which will be null for
            anonymous RenderObjects.
            * rendering/RenderLayerFilterInfo.h: Removed declaration for the old workaround
            function, layerElement().

2014-05-22  Dana Burkart

        Merge r165206

    2014-03-05  Jon Honeycutt

            Invalid cast in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients()

            Clang appears to be optimizing out a branch in RenderObject::node() when compiling
            RenderLayer::FilterInfo::updateReferenceFilterClients(). We'll work around this by
            factoring out the code in question into a separate member function marked NEVER_INLINE.

            No test possible due to .

            Reviewed by David Kilzer.

            * rendering/RenderLayerFilterInfo.cpp:
            (WebCore::RenderLayer::FilterInfo::layerElement): Code moved from
            updateReferenceFilterClients(). Returns the Element* for m_layer.
            (WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients): Use layerElement().
            * rendering/RenderLayerFilterInfo.h: Declared layerElement().

2014-05-22  Lucas Forschler

        Merge r164950

    2014-03-02  Dean Jackson

            Add protected casting to FilterOperation classes.
            https://bugs.webkit.org/show_bug.cgi?id=124062

            Reviewed by Sam Weinig.

            Use the type cast macro generators to produce some toFilterOperation-style functions,
            and then use them in our PlatformCA filter code.

            Test: css3/filters/animation-from-initial-values-with-color-matrix.html

            * platform/graphics/ca/mac/PlatformCAFiltersMac.mm: Use the toFilterOperation methods,
            in some cases removing the unnecessary double cast.
            (PlatformCAFilters::filterValueForOperation):
            (PlatformCAFilters::colorMatrixValueForFilter):
            * platform/graphics/filters/FilterOperation.cpp:
            (WebCore::BasicColorMatrixFilterOperation::blend):
            (WebCore::BasicColorMatrixFilterOperation::operator==): Move this to the .cpp file so
            it can use the casting methods.
            (WebCore::BasicComponentTransferFilterOperation::blend):
            (WebCore::BasicComponentTransferFilterOperation::operator==): Ditto.
            * platform/graphics/filters/FilterOperation.h: Add the casting macros.

2014-05-22  Lucas Forschler

        Merge r157816

    2013-10-22  Tim Horton

            GammaFilterOperation seems to be dead code
            https://bugs.webkit.org/show_bug.cgi?id=123173

            Reviewed by Simon Fraser.

            * platform/graphics/filters/FilterOperation.cpp:
            * platform/graphics/filters/FilterOperation.h:
            Remove dead code.

2014-05-22  Lucas Forschler

        Merge r155315

    2013-09-08  Andreas Kling

            FrameView::scheduleEvent() is over-engineered.

            Reviewed by Antti Koivisto.

            Remove gratuitous FrameActionScheduler class that was really only being used to defer
            the occasional "overflowchanged" event until layout had finished.

            * CMakeLists.txt:
            * GNUmakefile.list.am:
            * Target.pri:
            * WebCore.vcxproj/WebCore.vcxproj:
            * WebCore.vcxproj/WebCore.vcxproj.filters:
            * WebCore.xcodeproj/project.pbxproj:
            * page/FrameActionScheduler.cpp:
            * page/FrameActionScheduler.h: Removed FrameActionScheduler.
            * page/FrameView.h:
            * page/FrameView.cpp:
            (WebCore::FrameView::FrameView):
            (WebCore::FrameView::~FrameView):
            (WebCore::FrameView::layout):
            (WebCore::FrameView::ScheduledEvent::ScheduledEvent):
            (WebCore::FrameView::scheduleEvent):
            (WebCore::FrameView::pauseScheduledEvents):
            (WebCore::FrameView::resumeScheduledEvents):
            (WebCore::FrameView::performPostLayoutTasks):
            (WebCore::FrameView::updateOverflowStatus): Replaced it with a Vector and a suppression
            counter. A ScheduledEvent is just a { Node, Event } pair.

2014-05-19  Lucas Forschler

        Merge r169098

    2013-09-19  Bear Travis

            CSS_SHAPES not supported on AppleWin port
            https://bugs.webkit.org/show_bug.cgi?id=118810

            Reviewed by Brent Fulgham.

            Enabling fast/shapes on Windows.

            * WebCore.vcxproj/WebCore.vcxproj: Add missing shape includes.
            * WebCore.vcxproj/WebCoreCommon.props: Include shapes source folder.
            * WebCore.vcxproj/copyForwardingHeaders.cmd: Copy shapes headers.
            * css/CSSPropertyNames.in: Tweak to ensure shapes properties are regenerated.

2014-05-08  Matthew Hanson

        Rollout r168034.

2014-05-07  Lucas Forschler

        Rollout r168104

2014-05-05  Andy Estes

        Fix the Mountain Lion build.

        Some versions of Clang on Mountain Lion do not set __cplusplus to 201103L when compiling
        with -std=gnu++11, which causes CF_ENUMs to be weakly-typed. Detect this case and export
        the correct symbols. On Lion, CFURLComponentType is not defined using CF_ENUM, so it will
        always be a weakly-typed enum.

        * WebCore.exp.in:

2014-05-03  Babak Shafiei

        Follow-up fix for the merge of r167480.

        Rubber stamped by Tim Horton.

        * platform/KURL.cpp:
        (WebCore::KURL::host): Return empty string instead of null string.

2014-05-02  Matthew Hanson

        Merge r166420.

    2014-03-28  Myles C. Maxfield

            Clear SVGInlineTextBox fragments when the text changes.
            https://bugs.webkit.org/show_bug.cgi?id=130879

            Reviewed by Darin Adler.

            Ported from Blink: https://src.chromium.org/viewvc/blink?revision=150456&view=revision

            This patch modifies SVGInlineTextBox::dirtyLineBoxes to clear all following text boxes
            when invoked. Typically this method is called when the underlying text string changes,
            and that change needs to be propagated to all the boxes that use the text beyond the
            point where the text is first modified.

            Also cleans up final function keywords for SVGRootInlineBox.

            Test: svg/custom/unicode-in-tspan-multi-svg-crash.html

            * rendering/InlineTextBox.h: Added (non-recursive) dirtyOwnLineBoxes() function
            (WebCore::InlineTextBox::dirtyOwnLineBoxes): Calls dirtyLineBoxes()
            * rendering/svg/SVGInlineTextBox.h: Added (non-recursive) dirtyOwnLineBoxes() function
            (WebCore::SVGInlineTextBox::dirtyOwnLineBoxes):
            * rendering/svg/SVGInlineTextBox.cpp:
            (WebCore::SVGInlineTextBox::dirtyOwnLineBoxes): Non-recursive part of dirtyLineBoxes()
            (WebCore::SVGInlineTextBox::dirtyLineBoxes): Calls dirtyOwnLineBoxes() in a loop
            * rendering/svg/SVGRootInlineBox.h:

2014-05-02  Matthew Hanson

        Merge r165053.

    2014-03-03  David Kilzer

            SVGPropertyTearOffs should detachChildren before deleting its value.

            Reviewed by Maciej Stachowiak.

            Merged from Blink (patch by kouhei@chromium.org):
            https://src.chromium.org/viewvc/blink?revision=158563&view=revision
            http://crbug.com/296276

            Test: svg/transforms/svg-matrix-tearoff-crash.html

            NOTE: The test does not reproduce a crash on WebKit using JavaScriptCore.

            * svg/properties/SVGPropertyTearOff.h:
            (WebCore::SVGPropertyTearOff::setValue):
            (WebCore::SVGPropertyTearOff::~SVGPropertyTearOff):
            - Call detachChildren() if m_value is a copy. The original Blink patch did not modify
              the destructor code path, although that seems obvious via code inspection.

2014-05-01  Matthew Hanson

        Merge r164917.

    2014-03-01  David Kilzer

            Fix lifetime handling of SVGPropertyTearOffs

            Reviewed by Maciej Stachowiak.

            Merged from Blink (patch by Ojan Vafai):
            https://src.chromium.org/viewvc/blink?revision=157801&view=revision
            http://crbug.com/288771

            -Replace SVGStaticPropertyWithParentTearOff with SVGMatrixTearOff since it's only used
             in that one place. This means we can get rid of the templatizing and the method pointer.
            -Change SVGPropertyTearOff to keep track of its child tearoffs and call detachWrapper on
             its child tearoffs when it's destroyed or when its wrapper is detached.
            -Have SVGPropertyTearOff hold WeakPtrs to the child tearoffs to avoid having a cycle.

            Test: svg/transforms/svg-matrix-tearoff-crash.html

            * GNUmakefile.list.am:
            * WebCore.vcxproj/WebCore.vcxproj:
            * WebCore.vcxproj/WebCore.vcxproj.filters:
            * WebCore.xcodeproj/project.pbxproj:
            * bindings/scripts/CodeGeneratorJS.pm:
            (NativeToJSValue):
            * svg/properties/SVGMatrixTearOff.h: Renamed from
            Source/WebCore/svg/properties/SVGStaticPropertyWithParentTearOff.h.
            (WebCore::SVGMatrixTearOff::create):
            (WebCore::SVGMatrixTearOff::commitChange):
            (WebCore::SVGMatrixTearOff::SVGMatrixTearOff):
            * svg/properties/SVGPropertyTearOff.h:
            (WebCore::SVGPropertyTearOff::addChild):
            (WebCore::SVGPropertyTearOff::detachChildren):

2014-05-01  Matthew Hanson

        Merge r167295.

    2014-04-14  Jon Honeycutt

            Assertion failure under FEImage::determineAbsolutePaintRect()

            This patch merges Chromium r149536 (see ), which moves m_absoluteTransform out of
            SVGFilter and into the base Filter class, so that it isn't necessary to cast a Filter to
            SVGFilter to get the absolute transform.

            Reviewed by Geoffrey Garen.

            Test: svg/filters/feImage-filter-assertion.html

            * platform/graphics/filters/Filter.h:
            (WebCore::Filter::Filter): Changed to take the absolute transform.
            (WebCore::Filter::absoluteTransform): Moved from SVGFilter.
            (WebCore::Filter::mapAbsolutePointToLocalPoint): Ditto.
            * rendering/FilterEffectRenderer.cpp:
            (WebCore::FilterEffectRenderer::FilterEffectRenderer): Pass a default AffineTransform()
            to the Filter base class.
            * svg/graphics/filters/SVGFEImage.cpp:
            (WebCore::FEImage::determineAbsolutePaintRect): Use the Filter without casting it to
            SVGFilter.
            (WebCore::FEImage::platformApplySoftware): Ditto.
            * svg/graphics/filters/SVGFilter.cpp:
            (WebCore::SVGFilter::SVGFilter): Pass the transform to the base class, and remove
            initialization of a removed member var.
            * svg/graphics/filters/SVGFilter.h: Member var moved to Filter.h.

2014-05-01  Matthew Hanson

        Merge r166736.

    2014-04-03  David Hyatt

            Continuations casting issue.
            https://bugs.webkit.org/show_bug.cgi?id=130057

            Reviewed by Simon Fraser.

            The code to update relative positioned anonymous block continuations should not have
            assumed that all siblings were RenderBlocks. Make the code smarter and make it bail when
            it hits something that isn't part of the block continuation chain.

            Added fast/block/continuation-crash.html

            * rendering/RenderInline.cpp:
            (WebCore::updateStyleOfAnonymousBlockContinuations):

2014-05-01  Matthew Hanson

        Merge r167480.

    2014-04-17  Darin Adler

            origin spoofing possible (HTTP Origin, postMessage event.origin) due to inappropriate
            URL escape sequence decoding
            https://bugs.webkit.org/show_bug.cgi?id=131837
            rdar://problem/15211936

            Reviewed by Anders Carlsson and Dave Hyatt.

            Tests: fast/dom/DOMURL/parsing.html
                   fast/dom/HTMLAnchorElement/anchor-element-href-parsing.html

            * platform/URL.cpp:
            (WebCore::URL::host): Removed unnecessary call to decodeURLEscapeSequences, which caused
            problems and was not needed.

2014-05-01  Matthew Hanson

        Merge r167524.

    2014-04-18  Jon Honeycutt

            Harden RenderInline::inlineElementContinuation()

            Reviewed by Sam Weinig.

            No new tests, as there are no known cases of this happening.

            * rendering/RenderInline.cpp:
            (WebCore::RenderInline::inlineElementContinuation): Return nullptr if the continuation
            is neither a RenderInline nor a RenderBlock.

2014-05-01  Matthew Hanson

        Merge r167672.

    2014-04-22  Brent Fulgham

            Check (rather than assume) element is a RenderTableSection before using it
            https://bugs.webkit.org/show_bug.cgi?id=121858

            Reviewed by David Kilzer.

            Test: fast/table/table-insert-object-before-td-crash.html

            * rendering/RenderTable.cpp:
            (WebCore::RenderTable::addChild): Check that lastBox is a table section before using
            the node as if it was one.

2014-05-01  Matthew Hanson

        Merge r167569 (committing on behalf of Dana Burkart.)

    2014-04-19  Alexey Proskuryakov

            Crashes in HTMLFormElement::submit.
            https://bugs.webkit.org/show_bug.cgi?id=131910

            Based on a patch by Kent Tamura.

            Reviewed by Anders Carlsson.

            Tests: fast/forms/form-submission-crash-2.html
                   fast/forms/form-submission-crash.html

            Code that executes arbitrary JS needs to protect objects that it uses afterwards.

            * html/HTMLFormElement.cpp:
            (WebCore::HTMLFormElement::prepareForSubmission):
            (WebCore::HTMLFormElement::submit):
            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::submitForm):

2014-05-01  Matthew Hanson

        Merge r166650.

    2014-04-02  David Kilzer

            Use outermost containing isolate when constructing bidi runs

            Reviewed by Darin Adler.

            Merged from Blink (patch by jww@chromium.org):
            https://src.chromium.org/viewvc/blink?revision=157268&view=revision
            http://crbug.com/279277

            Update containingIsolate to go back all the way to top isolate from current root, rather
            than stopping at the first isolate it finds. This works because the current root is
            always updated with each isolate run.

            Tests: fast/text/international/unicode-bidi-isolate-nested-with-removes-not-adjacent.html
                   fast/text/international/unicode-bidi-isolate-nested-with-removes.html

            * rendering/InlineIterator.h:
            (WebCore::highestContainingIsolateWithinRoot):
            * rendering/RenderBlockLineLayout.cpp:
            (WebCore::constructBidiRunsForSegment):

2014-04-30  Lucas Forschler

        Rollout r168020. This causes build failures on Lion/ML.

2014-04-30  Lucas Forschler

        Merge r166049

    2014-03-21  Andreas Kling

            HTMLFrameOwnerElement should obey the SubframeLoadingDisabler when creating subframes

            Merge Blink r156744 by Adam Klein.

            Test: fast/frames/set-iframe-src-in-pagehide-crash.html

            * loader/SubframeLoader.cpp:
            (WebCore::SubframeLoader::loadSubframe):

2014-04-30  Lucas Forschler

        Merge r167278

    2014-04-14  Jon Honeycutt

            Assertion failure !node || node->isElementNode() in
            WebCore::RenderBlock::inlineElementContinuation
            https://bugs.webkit.org/show_bug.cgi?id=108829

            I can't reproduce this assertion failure, but there seems to be an invalid assumption in
            RenderBlock::inlineElementContinuation() that anything with the "isInline()" bit set is
            a RenderInline.

            No new test because the test case in the bug does not repro for me.

            Reviewed by Brent Fulgham.

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::inlineElementContinuation): Dave Hyatt says that this function
            should only return RenderInline objects (not non-RenderInline inline objects), so update
            the checks from isInline() to isRenderInline() before casting with toRenderInline().
            * rendering/RenderInline.cpp:
            (WebCore::RenderInline::inlineElementContinuation): Ditto.

2014-04-30  Lucas Forschler

        Merge r167211

    2014-04-13  Darin Adler

            userVisibleString should not try to "encode" host names
            https://bugs.webkit.org/show_bug.cgi?id=131587
            rdar://problem/14686849

            Reviewed by Alexey Proskuryakov.

            * WebCore.exp.in: Updated for WebCoreNSURLExtras argument type changes.
            * platform/mac/WebCoreNSURLExtras.h: Removed unneeded code to make this Objective-C++
            header compile in plain C++ files, which we never need to do. Added missing argument
            name, baseURL, and changed mysterious CFIndex arguments to the correct type,
            CFURLComponentType.
            * platform/mac/WebCoreNSURLExtras.mm:
            (WebCore::isLookalikeCharacter): Removed the inline keyword from this, and added more
            lookalike characters from the Mozilla list referenced here.
            (WebCore::URLByTruncatingOneCharacterBeforeComponent): Updated argument type.
            (WebCore::dataForURLComponentType): Ditto.
            (WebCore::userVisibleString): Only call mapHostNames if host name decoding is needed;
            no encoding here.

2014-04-30  Lucas Forschler

        Merge r167167

    2014-04-11  Jon Honeycutt

            Assertion failure changing select element size during focus event dispatch

            Reviewed by Andy Estes.

            Test: fast/forms/select-change-size-during-focus.html

            * html/HTMLSelectElement.cpp:
            (WebCore::HTMLSelectElement::listBoxDefaultEventHandler): Adopt the fix from Chromium
            r171216; check that the renderer is still of the expected type, and return early if it
            is not.

2014-04-30  Lucas Forschler

        Merge r167135

    2014-04-10  Chris Fleizach

            Heap-use-after-free in WebCore::SpeechSynthesisUtterance::startTime
            https://bugs.webkit.org/show_bug.cgi?id=131482

            Reviewed by David Kilzer.

            Hold onto the utterance until it has time to fire, in case other references have been
            removed.

            Merged from Blink r171077 by

            Test: platform/mac/fast/speechsynthesis/speech-synthesis-gc-utterance-crash.html

            * Modules/speech/SpeechSynthesis.cpp:
            (WebCore::SpeechSynthesis::handleSpeakingCompleted):

2014-04-30  Lucas Forschler

        Merge r167093

    2014-04-08  Jon Honeycutt

            Assertion failure in WebCore::FlexBoxIterator::next()

            Code added in r115687 began removing anonymous wrappers when children become inline.
            However, there are some objects, like RenderDeprecatedFlexBox, whose children should
            always be blocks.

            Reviewed by Tim Horton.

            * rendering/RenderBlock.h:
            (WebCore::RenderBlock::canCollapseAnonymousBlockChild): Made public.
            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::removeAnonymousWrappersForInlinesIfNecessary): Return early if
            we can't collapse anonymous block children.

2014-04-30  Lucas Forschler

        Merge r167092

    2014-04-07  Jon Honeycutt

            Assertion failure, !node || node->isElementNode(), in WebCore::RenderBlock::clone()

            Reviewed by Antti Koivisto.

            We're ending up in RenderBlock::splitBlocks() with |this| == |fromBlock|. We then try to
            climb the ancestor block chain from this->parent() to |fromBlock|, but this->parent() is
            already above |fromBlock|, so we end up climbing up to the RenderView and trying to
            clone it, causing the assertion failure.

            Adopt Chromium's mitigation for this from . This is not intended as a fix for the
            underlying issue.

            Also, fix another issue that occurs with this fuzzed test case that's not handled by the
            Chromium fix.

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::splitBlocks): Ensure while we're in the loop that |curr| is a
            descendant of |fromBlock|. From the Chromium patch: We need to check in every iteration
            of the loop because moveChildrenTo could have moved |curr|. This is a mitigation and not
            really a fix against a class of tree craziness.
            Finally, before moving children from |fromBlock| to |toBlock|, ensure that the children
            are children of |fromBlock|. If we never entered the loop, they will be siblings of
            |fromBlock|, not children.

2014-04-30  Lucas Forschler

        Merge r166601

    2014-04-01  Daniel Bates

            RenderQuote must destroy remaining text renderer before first letter renderer
            https://bugs.webkit.org/show_bug.cgi?id=78023

            Reviewed by Brent Fulgham.

            Merged from Blink (patch by Abhishek Arya):
            https://src.chromium.org/viewvc/blink?view=rev&revision=151270

            Following the fix for , a RenderQuote may have child render objects for the first letter
            of its text and everything following the first letter so as to support the CSS
            first-letter property. The latter renderer is responsible for destroying the former on
            destruction. It's sufficient to reverse the destruction of the children of RenderQuote
            to ensure that we destroy the remaining text renderer before we destroy the first letter
            renderer.

            Test: fast/css-generated-content/quote-first-letter-crash.html

            * rendering/RenderQuote.cpp:
            (WebCore::RenderQuote::updateText):

2014-04-30  Lucas Forschler

        Merge r166457

    2014-03-29  David Kilzer

            Preserve selection end positions in directionOfSelection

            Reviewed by Brent Fulgham.

            Merged from Blink (patch by kenrb@chromium.org):
            https://src.chromium.org/viewvc/blink?revision=150621&view=revision
            http://crbug.com/164263

            VisibleSelection::visibleStart() and VisibleSelection::visibleEnd() can both cause
            layouts, which has the potential to invalidate any rendertree-based objects. This was
            causing a problem in FrameSelection::directionOfSelection(), where a reference to a
            lineBox was being held across a call to visibleEnd().

            This patch ensures that any layout is completed before linebox references are retrieved.

            Test: editing/selection/layout-during-move-selection-crash.html

            * editing/FrameSelection.cpp:
            (WebCore::FrameSelection::directionOfSelection):

2014-04-30  Lucas Forschler

        Merge r166428

    2014-03-28  Radu Stavila

            In some situations, partial layouts of floating elements produce incorrect results.
            https://bugs.webkit.org/show_bug.cgi?id=122668

            Reviewed by David Hyatt.

            When performing partial layout of float elements and checking if other float elements
            are encountered, incorrect results were obtained by not checking the size of the
            existing floats vector.

            Test: fast/block/float/floats-in-clean-line-crash.html

            * rendering/RenderBlockLineLayout.cpp:
            (WebCore::RenderBlockFlow::checkFloatsInCleanLine):

2014-04-30  Lucas Forschler

        Merge r166236

    2014-03-25  David Kilzer

            Hold a reference to firstSuccessfulSubmitButton in HTMLFormElement::submit

            Reviewed by Darin Adler.

            Merged from Blink (patch by Ian Beer):
            http://crbug.com/303657
            https://src.chromium.org/viewvc/blink?view=rev&revision=158938

            Test: fast/forms/form-submission-crash-successful-submit-button.html

            * html/HTMLFormElement.cpp:
            (WebCore::HTMLFormElement::submit):

2014-03-26  Matthew Hanson

        Merge r160010.

    2013-12-03  László Langó

            ASSERTION FAILED: !value || (value->isPrimitiveValue()) in
            WebCore::StyleProperties::getLayeredShorthandValue.
            https://bugs.webkit.org/show_bug.cgi?id=125146

            Reviewed by Darin Adler.

            Do not presume that |yValue| is primitive if |value| is implicit in
            StylePropertySerializer. An implicit y-value can become explicit if specified as a
            separate longhand. At the same time, its new value can be non-primitive.

            Backported from Blink: http://src.chromium.org/viewvc/blink?view=rev&rev=153678

            Test: fast/css/webkit-mask-crash-implicit.html

            * css/StyleProperties.cpp:
            (WebCore::StyleProperties::getLayeredShorthandValue):

2014-03-26  Matthew Hanson

        Remove extraneous ! from merge of r166304.

2014-03-26  Matthew Hanson

        Merge r166304.

    2014-03-26  Jer Noble

            REGRESSION(r162679): Poster image visible under the video
            https://bugs.webkit.org/show_bug.cgi?id=130783

            Reviewed by Simon Fraser.

            In the listed revision, we started checking for isRenderImage() instead of isImage().
            RenderMedias return 'true' for the first but 'false' for the second. Change the if()
            statement to check for isRenderMedia() in addition to !isRenderImage().

            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::isDirectlyCompositedImage):

2014-03-24  Matthew Hanson

        Remove a commented line of code introduced by r166104.

        Reviewed by Babak Shafiei.

        A line was commented out when it should have been deleted. This patch corrects that
        oversight.

        * bindings/js/JSDocumentCustom.cpp:
        (WebCore::JSDocument::location):

2014-03-22  Matthew Hanson

        Finish merge of r160065.

        The changes from Source/WebCore/rendering/RenderView.cpp were incorrectly omitted from the
        original merge in r165142.

    2013-12-03  Ryosuke Niwa

            Potential crash in RenderView::selectionBounds and RenderView::repaintSelection
            https://bugs.webkit.org/show_bug.cgi?id=125207

            Reviewed by Simon Fraser.

            Merge https://chromium.googlesource.com/chromium/blink/+/f9e6e288a5aa959f05c374806121aaf0fc52d440

            Update style in FrameSelection instead of RenderView's member functions. These are the
            last two member functions of RenderView that update the style.

            * editing/FrameSelection.cpp:
            (WebCore::FrameSelection::focusedOrActiveStateChanged):
            (WebCore::FrameSelection::bounds):
            * rendering/RenderView.cpp:
            (WebCore::RenderView::selectionBounds):
            (WebCore::RenderView::repaintSelection):

2014-03-21  Matthew Hanson

        Merge r166090.

    2014-03-21  Oliver Hunt

            Fix a crash when assigning an object to document.location
            https://bugs.webkit.org/show_bug.cgi?id=130213

            Reviewed by Geoffrey Garen.

            Convert location to string before we make use of the document. This prevents us from
            attempting to navigate a frame that has already been removed.

            Test: fast/dom/navigation-with-sideeffects-crash.html

            * bindings/js/JSDocumentCustom.cpp:
            (WebCore::JSDocument::location):
            (WebCore::JSDocument::setLocation):

2014-03-20  Matthew Hanson

        Merge r165821.

    2014-03-18  Antti Koivisto

            Mutating rules returned by getMatchedCSSRules can result in crash
            https://bugs.webkit.org/show_bug.cgi?id=130209

            Reviewed by Andreas Kling.
The non-standard getMatchedCSSRules API returns CSSStyleRule objects that don't have parent stylesheet pointer (as we don't know which sheet the rule originated from). Mutating the rule via such wrapper can lead to crashes later as we fail to invalidate the underlying stylesheet. Fix by disallowing mutation of style rules that don't have parent sheet pointer. CSSStyleRule has two mutable properties selectorText and style. The latter gives back CSSStyleDeclaration. This patch disallows mutations in both cases for CSSStyleRules that don't have parent stylesheet pointer. While it is technically possible to have CSSRules that are legitimately disconnected from stylesheet (by removing rule from sheet while holding a reference to it) it never makes sense to mutate such rule as there is no way to do anything with it afterwards. Tests: fast/css/getMatchedCSSProperties-rule-mutation.html fast/css/getMatchedCSSRules-crash.html * css/CSSStyleRule.cpp: (WebCore::CSSStyleRule::setSelectorText): Bail out if parent stylesheet is null. * css/PropertySetCSSStyleDeclaration.cpp: (WebCore::PropertySetCSSStyleDeclaration::setCssText): (WebCore::PropertySetCSSStyleDeclaration::setProperty): (WebCore::PropertySetCSSStyleDeclaration::removeProperty): (WebCore::PropertySetCSSStyleDeclaration::setPropertyInternal): Allow StyleRuleCSSStyleDeclaration subclass cancel the mutation via boolean return value from willMutate. (WebCore::StyleRuleCSSStyleDeclaration::willMutate): Disallow mutation if the owning CSSStyleRule is null or has null stylesheet. (WebCore::StyleRuleCSSStyleDeclaration::didMutate): We never get here with null rule or stylesheet anymore. * css/PropertySetCSSStyleDeclaration.h: (WebCore::PropertySetCSSStyleDeclaration::willMutate): 2014-03-20 Matthew Hanson Merge r165921. 2014-03-19 Antti Koivisto Crash with long selector list https://bugs.webkit.org/show_bug.cgi?id=123006 Reviewed by Andreas Kling. 
Test: fast/css/long-selector-list-crash.html * css/CSSSelectorList.cpp: (WebCore::CSSSelectorList::CSSSelectorList): (WebCore::CSSSelectorList::adoptSelectorVector): (WebCore::CSSSelectorList::operator=): * css/StyleRule.cpp: (WebCore::StyleRule::create): Add a bunch of asserts. (WebCore::StyleRule::splitIntoMultipleRulesWithMaximumSelectorComponentCount): This could produce a zero-length selector list. 2014-03-18 Jer Noble Unreviewed Win64 build fix; explicit operators are not valid in VS2010. With the 'explicit bool' operator removed, just test weakThis.get() explicitly. * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm: (WebCore::MediaPlayerPrivateAVFoundationObjC::checkPlayability): 2014-03-18 Jer Noble Merge r165478. 2014-03-12 Jer Noble [Mac] Crash when running media/fallback.html test in MediaPlayerPrivateAVFoundation::scheduleMainThreadNotification() https://bugs.webkit.org/show_bug.cgi?id=130136 Reviewed by Eric Carlson. MediaPlayerPrivateAVFoundation is trying to lock its m_queueMutex from an async thread after while being destroyed in the main thread. To resolve this race condition, redispatch from the async thread to the main thread, and use a WeakPtr to determine whether the object has been destroyed or not. * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm: (WebCore::MediaPlayerPrivateAVFoundationObjC::checkPlayability): 2014-03-18 Matthew Hanson Follow-up fix for the merge of r163579. 2014-03-17 Jeffrey Pfau Merge parts from Blink CLs 169865acce3b6bc85ac1adf07b2798aaf9aad67a and 04f613e7f0c35f444d5a9bd42da55c69df65cf64 that weren't merged to trunk Unreviewed Layout Test fix. * html/parser/HTMLConstructionSite.cpp: (WebCore::insert): (WebCore::executeInsertTask): (WebCore::executeReparentTask): (WebCore::executeInsertAlreadyParsedChildTask): 2014-03-17 Matthew Hanson Merge r165753. 
2014-03-16 Brent Fulgham Provide preference to enable additional AVFoundation options https://bugs.webkit.org/show_bug.cgi?id=130275 Reviewed by Eric Carlson. * html/HTMLMediaElement.cpp: (WebCore::HTMLMediaElement::doesHaveAttribute): Added. * html/HTMLMediaElement.h: * page/Settings.in: Add new attribute. * platform/graphics/MediaPlayer.cpp: (WebCore::MediaPlayer::doesHaveAttribute): Added stub to call private player object's implementation of doesHaveAttribute. * platform/graphics/MediaPlayer.h: (WebCore::MediaPlayerClient::doesHaveAttribute): * platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp: (WebCore::MediaPlayerPrivateAVFoundationCF::AVFWrapper::createAssetForURL): Check the object, and notify AVFoundationCF to use URI option if relevant. * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm: (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVAssetForURL): Check the object, and notify AVFoundation to use URI option if relevant. 2014-03-17 Joseph Pecoraro Merge r165583. 2014-03-13 Joseph Pecoraro Web Inspector: Network.loadResource should include the response status code https://bugs.webkit.org/show_bug.cgi?id=130216 Reviewed by Timothy Hatcher. * inspector/InspectorResourceAgent.cpp: Record and send the http status code. * inspector/protocol/Network.json: Include status code property in the success callback. 2014-03-17 Joseph Pecoraro Merge r165582. 2014-03-13 Joseph Pecoraro Web Inspector: Network.loadResource XHR crash if page reloaded while request is ongoing https://bugs.webkit.org/show_bug.cgi?id=130211 Reviewed by Timothy Hatcher. Merged from Blink with changes, (patch by vsevik@chromium.org): http://src.chromium.org/viewvc/blink?view=revision&revision=152712 Using an XMLHttpRequest to download resources had a few issues. Being an Active DOM Object the load could be paused. Without an extra retain, when the load was cancelled (e.g. 
a page reload) the XHR would get destructed and could cause a crash if the list of active DOM objects was actively being iterated. Switch to a DocumentThreadableLoader to manage the load ourselves. This still uses the Memory cache, but we have a little more control. * inspector/InspectorResourceAgent.h: * inspector/InspectorResourceAgent.cpp: (WebCore::InspectorResourceAgent::InspectorResourceAgent): (WebCore::InspectorResourceAgent::loadResource): Switch from XHR to DocumentThreadableLoader. * xml/XMLHttpRequest.h: * xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::XMLHttpRequest): (WebCore::XMLHttpRequest::createRequest): (WebCore::XMLHttpRequest::sendForInspector): Remove the now unnecessary XHR sendForInspector path. 2014-03-17 Matthew Hanson Merge r165548. 2014-03-13 Andreas Kling Don't send synchronous resize events when FrameView has auto-sizing enabled. Reviewed by Dan Bernstein. * page/FrameView.cpp: (WebCore::FrameView::sendResizeEventIfNeeded): 2014-03-17 Matthew Hanson Reverse merge r165286. 2014-03-07 Matthew Hanson Merge r165206. 2014-03-05 Jon Honeycutt Invalid cast in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients() Clang appears to be optimizing out a branch in RenderObject::node() when compiling RenderLayer::FilterInfo::updateReferenceFilterClients(). We'll work around this by factoring out the code in question into a separate member function marked NEVER_INLINE. No test possible due to . Reviewed by David Kilzer. * rendering/RenderLayerFilterInfo.cpp: (WebCore::RenderLayer::FilterInfo::layerElement): Code moved from updateReferenceFilterClients(). Returns the Element* for m_layer. (WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients): Use layerElement(). * rendering/RenderLayerFilterInfo.h: Declared layerElement(). 2014-03-12 Matthew Hanson Merge r165331. 2014-03-10 Timothy Hatcher Load source maps and their resources asynchronously. https://bugs.webkit.org/show_bug.cgi?id=112071 Reviewed by Joseph Pecoraro. 
* inspector/InspectorPageAgent.cpp: (WebCore::InspectorPageAgent::buildObjectForFrameTree): Honor the hiddenFromInspector flag. * inspector/InspectorResourceAgent.cpp: (WebCore::InspectorResourceAgent::willSendRequest): (WebCore::InspectorResourceAgent::markResourceAsCached): (WebCore::InspectorResourceAgent::didReceiveResponse): (WebCore::InspectorResourceAgent::didReceiveData): (WebCore::InspectorResourceAgent::didFinishLoading): (WebCore::InspectorResourceAgent::didFailLoading): (WebCore::InspectorResourceAgent::replayXHR): (WebCore::InspectorResourceAgent::loadResource): * inspector/InspectorResourceAgent.h: Honor the hiddenFromInspector flag by keeping track of hidden identifiers in a HashSet. * inspector/protocol/Network.json: (Network.loadResource): Added. * platform/network/ResourceRequestBase.h: (WebCore::ResourceRequestBase::hiddenFromInspector): Added. (WebCore::ResourceRequestBase::setHiddenFromInspector): Added. (WebCore::ResourceRequestBase::ResourceRequestBase): Add a flag to hide the request from the Inspector. * xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::XMLHttpRequest): (WebCore::XMLHttpRequest::sendForInspector): Added. (WebCore::XMLHttpRequest::sendForInspectorXHRReplay): Renamed. (WebCore::XMLHttpRequest::createRequest): * xml/XMLHttpRequest.h: Make Inspector loads allow cross-origins and hide their request from the Inspector itself. 2014-03-10 Brent Fulgham [Win] Build fix after r165379. * bindings/js/SerializedScriptValue.cpp: (WebCore::SerializedScriptValue::SerializedScriptValue): Revert to older-style C++ iteration for Windows compatibility. This can be reverted when we use VS2013 on this branch. 2014-03-07 Myles C. Maxfield Merge r162972 and r163007. 2014-03-07 Myles C. Maxfield ASSERT_WITH_SECURITY_IMPLICATION in WebCore::InlineTextBox::paint https://bugs.webkit.org/show_bug.cgi?id=114586 Reviewed by Dave Hyatt. 
Taken mostly from https://chromium.googlesource.com/chromium/blink/+/cb2297db16f2e9328cb4dd8b552093d6b22340a8 If RenderQuote is a subclass of RenderObject, it can't be split by the first-letter CSS pseudoclass. Instead, we should make it a subclass of RenderElement, so that it can be split properly. Test: fast/css-generated-content/quote-first-letter.html * dom/PseudoElement.cpp: (WebCore::PseudoElement::didRecalcStyle): * rendering/RenderQuote.cpp: (WebCore::RenderQuote::RenderQuote): (WebCore::RenderQuote::willBeDestroyed): (WebCore::RenderQuote::willBeRemovedFromTree): (WebCore::RenderQuote::styleDidChange): (WebCore::RenderQuote::updateText): (WebCore::RenderQuote::computeText): (WebCore::RenderQuote::updateDepth): * rendering/RenderQuote.h: * rendering/style/ContentData.cpp: (WebCore::QuoteContentData::createContentRenderer): 2014-03-10 Matthew Hanson Merge r165339. 2014-03-08 Oliver Hunt SerializedScriptValue may move Identifiers between worlds https://bugs.webkit.org/show_bug.cgi?id=129979 Reviewed by Andreas Kling. Test: fast/workers/worker-copy-shared-blob-url.html Don't use Strings to store blob URLs as String's may be Identifiers and they can only exist in one world/thread at a time. * Modules/indexeddb/IDBObjectStore.cpp: (WebCore::IDBObjectStore::put): * bindings/js/SerializedScriptValue.cpp: (WebCore::CloneDeserializer::deserializeString): (WebCore::SerializedScriptValue::addBlobURL): (WebCore::SerializedScriptValue::SerializedScriptValue): * bindings/js/SerializedScriptValue.h: 2014-03-07 Matthew Hanson Merge r165138. 2014-03-05 David Kilzer Fix crash in CompositeEditCommand::cloneParagraphUnderNewElement() Reviewed by Jon Honeycutt. Merged from Blink (patch by Yuta Kitamura): https://src.chromium.org/viewvc/blink?revision=168160&view=revision http://crbug.com/345005 The root cause is CompositeEditCommand::moveParagraphWithClones() passing two positions |start| and |end| which do not follow the document order, i.e. 
in some situations |start| is located after |end| because of the difference in affinity. This patch fixes this crash by normalizing |end| to |start| in such situations. It also adds an ASSERT that checks the relationship between |start| and |end|. Test: editing/execCommand/format-block-crash.html * editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement): (WebCore::CompositeEditCommand::moveParagraphWithClones): * editing/CompositeEditCommand.h: 2014-03-07 Matthew Hanson Merge r164876. 2014-02-28 Bem Jones-Bey Properly clear m_logicallyLastRun to remove use-after-free possibility https://bugs.webkit.org/show_bug.cgi?id=129489 Reviewed by David Hyatt. A use-after-free issue was caught in Blink because m_logicallyLastRun is not cleared when the item it points to is deleted. Clearing it turns the use-after-free into a segfault, and prevents any future use-after-frees from happening. * platform/text/BidiRunList.h: (WebCore::BidiRunList::deleteRuns): 2014-03-07 Matthew Hanson Merge r165206. 2014-03-05 Jon Honeycutt Invalid cast in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients() Clang appears to be optimizing out a branch in RenderObject::node() when compiling RenderLayer::FilterInfo::updateReferenceFilterClients(). We'll work around this by factoring out the code in question into a separate member function marked NEVER_INLINE. No test possible due to . Reviewed by David Kilzer. * rendering/RenderLayerFilterInfo.cpp: (WebCore::RenderLayer::FilterInfo::layerElement): Code moved from updateReferenceFilterClients(). Returns the Element* for m_layer. (WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients): Use layerElement(). * rendering/RenderLayerFilterInfo.h: Declared layerElement(). 2014-03-06 Matthew Hanson Merge r164249. 
2014-02-17 Chris Fleizach AX: Invalid cast in WebCore::AccessibilityTable::isDataTable (CRBug 280352) Merged from Blink (patch by Dominic Mazzoni): https://src.chromium.org/viewvc/blink?revision=159711&view=revision Reviewed by Oliver Hunt. Don't cast to a table cell element unless we are sure it is one. Test: accessibility/display-table-cell-causes-crash.html * accessibility/AccessibilityTable.cpp: (WebCore::AccessibilityTable::isDataTable): 2014-03-06 Matthew Hanson Merge r159489. 2013-11-19 Ryosuke Niwa Add more assertions with security implications in DocumentOrderedMap https://bugs.webkit.org/show_bug.cgi?id=124559 Reviewed by Antti Koivisto. Assert that newly added elements and existing elements in the document ordered map are in the same tree scope as the document ordered map. Also exit early if we're about to add an element in a wrong document to the map. We don't exit early in get() because the damage has already been done at that point (the element may have been deleted already). * dom/Document.cpp: (WebCore::Document::addImageElementByLowercasedUsemap): * dom/DocumentOrderedMap.cpp: (WebCore::DocumentOrderedMap::add): Assert that the newly added element is in the current tree scope. Also exit early if either the element is not in the tree scope or not in the right document. While this doesn't make the function completely fault safe, it'll catch when we try to add a detached node. (WebCore::DocumentOrderedMap::remove): Convert existing assertions to ones with security implication. (WebCore::DocumentOrderedMap::get): Assert with security implication that the element we're about to return is in the current tree scope. The element may have already been deleted if we ever hit these assertions. (WebCore::DocumentOrderedMap::getAllElementsById): Convert an existing assertion to an assertion with security implication. 
* dom/DocumentOrderedMap.h: * dom/TreeScope.cpp: (WebCore::TreeScope::addElementById): (WebCore::TreeScope::addElementByName): (WebCore::TreeScope::addImageMap): (WebCore::TreeScope::addLabel): * html/HTMLDocument.cpp: (WebCore::HTMLDocument::addDocumentNamedItem): (WebCore::HTMLDocument::addWindowNamedItem): * html/HTMLImageElement.cpp: (WebCore::HTMLImageElement::insertedInto): Set InTreeScope flag before calling addImageElementByLowercasedUsemap. * html/HTMLMapElement.cpp: (WebCore::HTMLMapElement::insertedInto): Ditto for addImageMap. 2014-03-06 Matthew Hanson Merge r165145. 2014-03-05 Daniel Bates And Alexey Proskuryakov ASSERT(newestManifest) fails in WebCore::ApplicationCacheGroup::didFinishLoadingManifest() https://bugs.webkit.org/show_bug.cgi?id=129753 Reviewed by Alexey Proskuryakov. Fixes an issue where an assertion failure would occur when visiting a web site whose on-disk app cache doesn't contain a manifest resource. For some reason an app cache for a web site may be partially written to disk. In particular, the app cache may only contain a CacheGroups entry. That is, the manifest resource and origin records may not be persisted to disk. From looking over the code, we're unclear how such a situation can occur and hence have been unable to create such an app cache. We were able to reproduce this issue using an app cache database file that was provided by a person that was affected by this issue. No test included because it's not straightforward to write a test for this change. * loader/appcache/ApplicationCacheGroup.cpp: (WebCore::ApplicationCacheGroup::checkIfLoadIsComplete): Assert that m_cacheBeingUpdated->manifestResource() is non-null. Currently we only document this assumption in a code comment. Also separated a single assertion expression into two assertion expressions to make it straightforward to identify the failing sub-expression on failure. 
* loader/appcache/ApplicationCacheStorage.cpp: (WebCore::ApplicationCacheStorage::store): Modified to call ApplicationCacheStorage::deleteCacheGroupRecord() to remove a cache group and associated cache records (if applicable) before inserting a cache group entry. This replacement approach will ultimately repair incomplete app cache data for people affected by this bug. (WebCore::ApplicationCacheStorage::loadCache): Log an error and return nullptr if the cache we loaded doesn't have a manifest resource. (WebCore::ApplicationCacheStorage::deleteCacheGroupRecord): Added. (WebCore::ApplicationCacheStorage::deleteCacheGroup): Extracted deletion logic for cache group record into ApplicationCacheStorage::deleteCacheGroupRecord(). * loader/appcache/ApplicationCacheStorage.h: 2014-03-06 Matthew Hanson Merge r156716. 2013-10-01 Myles C. Maxfield Center misspelling dots across width of word https://bugs.webkit.org/show_bug.cgi?id=122046 Reviewed by Darin Adler. Test: editing/spelling/spelling.html * platform/graphics/GraphicsContext.h: * platform/graphics/mac/GraphicsContextMac.mm: (WebCore::GraphicsContext::drawLineForDocumentMarker): 2014-03-06 Matthew Hanson Merge r153788. 2013-08-07 Antti Koivisto 2.5% regression on page cycler moz https://bugs.webkit.org/show_bug.cgi?id=102822 Reviewed by Andreas Kling. DocumentStyleSheetCollection::invalidateInjectedStyleSheetCache() triggers a style recalc for quirks mode documents in the beginning of document parsing via Document::setCompatibilityMode. This often coalesces with style recalc triggered by stylesheet loading. However on very simple documents it can generate genuinely unnecessary work. * dom/DocumentStyleSheetCollection.cpp: (WebCore::DocumentStyleSheetCollection::invalidateInjectedStyleSheetCache): Check that we actually have cached injected stylesheets before triggering style recalc. 
* page/PageGroup.cpp: (WebCore::PageGroup::addUserStyleSheetToWorld): (WebCore::PageGroup::removeUserStyleSheetFromWorld): (WebCore::PageGroup::removeUserStyleSheetsFromWorld): (WebCore::PageGroup::removeAllUserContent): Fix a misspelling. (WebCore::PageGroup::invalidateInjectedStyleSheetCacheInAllFrames): Always invalidate style when user sheets change since we don't do that in DocumentStyleSheetCollection::invalidateInjectedStyleSheetCache anymore. * page/PageGroup.h: 2014-03-06 Matthew Hanson Merge r155071. 2013-09-04 Pratik Solanki Document::updateHoverActiveState() should allow for deferred style recalcs https://bugs.webkit.org/show_bug.cgi?id=120700 Reviewed by Simon Fraser. Add an extra argument to Document::updateHoverActiveState() to specify if a style recalc should be done. The default value keeps the current behavior of doing a style recalc. iOS touch handling code will pass in DeferRecalcStyleIfNeeded to avoid the work. No new tests because no functional changes. * dom/Document.cpp: (WebCore::Document::updateHoverActiveState): * dom/Document.h: 2014-03-05 Matthew Hanson Merge r158802. 2013-11-06 Ryosuke Niwa Crash in SliderThumbElement::dragFrom https://bugs.webkit.org/show_bug.cgi?id=123873 Reviewed by Sam Weinig. Moved Ref. * html/RangeInputType.cpp: (WebCore::RangeInputType::handleMouseDownEvent): * html/shadow/SliderThumbElement.cpp: (WebCore::SliderThumbElement::dragFrom): 2014-03-05 Matthew Hanson Merge r158724. 2013-11-05 Ryosuke Niwa Use-after-free in SliderThumbElement::dragFrom https://bugs.webkit.org/show_bug.cgi?id=123873 Reviewed by Andreas Kling. Ref the SliderThumbElement since it could go away inside dragFrom. Test: fast/forms/range/range-type-change-onchange-2.html * html/RangeInputType.cpp: (WebCore::RangeInputType::handleMouseDownEvent): 2014-03-05 Matthew Hanson Merge r163599. 
2014-02-06 Jeffrey Pfau loadSubframe can return null in SubframeLoader::loadOrRedirectSubframe https://bugs.webkit.org/show_bug.cgi?id=128344 Reviewed by Ryosuke Niwa. * loader/SubframeLoader.cpp: (WebCore::SubframeLoader::loadOrRedirectSubframe): 2014-03-05 Matthew Hanson Merge r164170. 2014-02-15 Renata Hodovan ASSERT_WITH_SECURITY_IMPLICATION in WebCore::toElement https://bugs.webkit.org/show_bug.cgi?id=128810 Reviewed by Ryosuke Niwa. Make CompositeEditCommand::cloneParagraphUnderNewElement() to work when |outerNode| doesn't contain |start|. Before this patch, CompositeEditCommand::cloneParagraphUnderNewElement() tried to copy ancestry nodes from |start| to Document node when |start| position isn't in |outerNode|. This patch changes CompositeEditCommand::cloneParagraphUnderNewElement() to copy |start| to |outerNode| only if |outerNode| contains |start| position. Merged from Blink https://src.chromium.org/viewvc/blink?revision=161762&view=revision by yosin@chromium.org. Test: editing/execCommand/indent-with-uneditable-crash.html * editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement): 2014-03-05 Matthew Hanson Merge r160065. 2013-12-03 Ryosuke Niwa Potential crash in RenderView::selectionBounds and RenderView::repaintSelection https://bugs.webkit.org/show_bug.cgi?id=125207 Reviewed by Simon Fraser. Merge https://chromium.googlesource.com/chromium/blink/+/f9e6e288a5aa959f05c374806121aaf0fc52d440 Update style in FrameSelection instead of RenderView's member functions. These are the last two member functions of RenderView that updates the style. * editing/FrameSelection.cpp: (WebCore::FrameSelection::focusedOrActiveStateChanged): (WebCore::FrameSelection::bounds): * rendering/RenderView.cpp: (WebCore::RenderView::selectionBounds): (WebCore::RenderView::repaintSelection): 2014-03-05 Matthew Hanson Merge r164367. 
2014-02-19 Daniel Bates Do not dispatch change event twice in single step action https://bugs.webkit.org/show_bug.cgi?id=116936 Reviewed by Ryosuke Niwa. Merged from Blink (patch by Kent Tamura): https://src.chromium.org/viewvc/blink?view=rev&revision=151175 Test: fast/forms/number/number-type-update-by-change-event.html * html/InputType.cpp: (WebCore::InputType::stepUpFromRenderer): 2014-03-05 Matthew Hanson Merge r164204. 2014-02-16 Andreas Kling Ensure that removing an iframe from the DOM tree disconnects its Frame. Merged from Blink (patch by Adam Klein): https://src.chromium.org/viewvc/blink?revision=156174&view=revision SubframeLoadingDisabler wasn't catching the case when an