2016-06-17  Babak Shafiei

        Merge r202174.

    2016-06-17  John Wilander

            Ignore case in the check for security origin inheritance
            https://bugs.webkit.org/show_bug.cgi?id=158878

            Reviewed by Alex Christensen.

            Darin Adler commented in https://bugs.webkit.org/show_bug.cgi?id=158855:
            "Are these comparisons intentionally case sensitive? Shouldn’t they ignore ASCII case?
            We could use equalIgnoringASCIICase and equalLettersIgnoringASCIICase for those two
            lines instead of using ==. URL::parse normalizes letters in the scheme and host by
            using toASCIILower, but does not normalize letters elsewhere in the URL, such as in
            the "blank" or "srcdoc" in the above URLs."

            Test: http/tests/dom/window-open-about-uppercase-blank-and-access-document.html

            * platform/URL.cpp:
            (WebCore::URL::shouldInheritSecurityOriginFromOwner):

2016-06-17  Babak Shafiei

        Merge r202151.

    2016-06-16  John Wilander

            Restrict security origin inheritance to empty, about:blank, and about:srcdoc URLs
            https://bugs.webkit.org/show_bug.cgi?id=158855

            Reviewed by Alex Christensen.

            Tests: http/tests/dom/window-open-about-blank-and-access-document.html
                   http/tests/dom/window-open-about-webkit-org-and-access-document.html

            Document.cpp previously checked whether a document should inherit its owner's
            security origin by checking if the URL is either empty or blank. URL.cpp in turn
            only checks if the protocol is "about:" in the isBlankURL() function. Thus all
            about:* URLs inherited security origin. This patch restricts security origin
            inheritance to empty, about:blank, and about:srcdoc URLs.

            Quotes and links from the WHATWG spec regarding about:srcdoc:

            7.1 Browsing contexts
            A browsing context can have a creator browsing context, the browsing context that
            was responsible for its creation. If a browsing context has a parent browsing
            context, then that is its creator browsing context. Otherwise, if the browsing
            context has an opener browsing context, then that is its creator browsing context.
            Otherwise, the browsing context has no creator browsing context.
            https://html.spec.whatwg.org/multipage/browsers.html#concept-document-bc

            7.1.1 Nested browsing contexts
            Certain elements (for example, iframe elements) can instantiate further browsing
            contexts. These are called nested browsing contexts. If a browsing context P has a
            Document D with an element E that nests another browsing context C inside it, then
            C is said to be nested through D, and E is said to be the browsing context container
            of C. If the browsing context container element E is in the Document D, then P is
            said to be the parent browsing context of C and C is said to be a child browsing
            context of P. Otherwise, the nested browsing context C has no parent browsing context.
            https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context

            4.8.5 The iframe element
            The iframe element represents a nested browsing context.
            ...
            If the srcdoc attribute is specified
            Navigate the element's child browsing context to a new response whose url list
            consists of about:srcdoc
            ...
            https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-srcdoc

            * dom/Document.cpp:
            (WebCore::Document::initSecurityContext):
            Now uses the URL::shouldInheritSecurityOriginFromOwner() function instead.
            (WebCore::Document::initContentSecurityPolicy):
            Now uses the URL::shouldInheritSecurityOriginFromOwner() function instead.
            (WebCore::shouldInheritSecurityOriginFromOwner): Deleted.
            Moved to URL::shouldInheritSecurityOriginFromOwner() and restricted the check.
            * platform/URL.cpp:
            (WebCore::URL::shouldInheritSecurityOriginFromOwner):
            * platform/URL.h:
            Moved the function from Document and restricted the check to only allow security
            origin inheritance for empty, about:blank, and about:srcdoc URLs.

2016-06-01  Babak Shafiei

        Merge r201561.

    2016-06-01  Said Abou-Hallawa

            SVGImage should report its memory cost to JS garbage collector
            https://bugs.webkit.org/show_bug.cgi?id=158139

            Reviewed by Geoffrey Garen.
            Like what we do in HTMLImageLoader::notifyFinished() by reporting the memory cost
            of the BitmapImage, we need to do something similar for the SVGImage. In
            SVGImage::dataChanged(), when allDataReceived is true, we can calculate the size of
            all DOM nodes and their renderers. The size of the encoded data has to be added as
            well to the total memory cost. An approximation for the memory cost has to be used
            since it is costly to get an accurate number.

            * bindings/js/JSDocumentCustom.cpp:
            (WebCore::reportMemoryForDocumentIfFrameless): Use Node::approximateMemoryCost()
            instead of sizeof(Node). A Node's descendant can override this function and return
            a more accurate memory cost.
            * dom/Node.h:
            (WebCore::Node::approximateMemoryCost): Define this new virtual function in the Node
            class. Its default value is sizeof(Node) but any descendant can return a more
            accurate number.
            * platform/graphics/Image.h:
            (WebCore::Image::data): Define a const version of data() so it can be called from
            the const function SVGImage::reportApproximateMemoryCost().
            * svg/SVGGraphicsElement.h: Override approximateMemoryCost() to return
            sizeof(SVGGraphicsElement).
            * svg/SVGPathElement.cpp:
            (WebCore::SVGPathElement::approximateMemoryCost): Override this function to return
            the memory cost of the points and the m_path of the renderer.
            * svg/SVGPathElement.h:
            * svg/SVGPolyElement.cpp:
            (WebCore::SVGPolyElement::approximateMemoryCost): Override this function to return
            the memory cost of the points and the m_path of the renderer.
            * svg/SVGPolyElement.h:
            * svg/graphics/SVGImage.cpp:
            (WebCore::SVGImage::reportApproximateMemoryCost): Calculate the memory cost of the
            nodes in the SVGDocument of an SVGImage. Then report this number to the JS garbage
            collector.
            (WebCore::SVGImage::dataChanged): After loading all the SVG encoded data and
            building its DOM tree and the render tree, report the total memory cost to the JS
            garbage collector.
            * svg/graphics/SVGImage.h:

2016-05-16  Babak Shafiei

        Merge r200986.
    2016-05-16  Brent Fulgham

            heap use-after-free at WebCore::TimerBase::heapPopMin()
            https://bugs.webkit.org/show_bug.cgi?id=157742

            Reviewed by David Kilzer.

            Tested by fast/frames/resources/crash-during-iframe-load-stop.html.

            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while
            it is still being used by the current stack frame.
            (WebCore::FrameLoader::frameDetached): Ditto.
            (WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.

2016-05-12  Babak Shafiei

        Merge r200466.

    2016-05-05  Eric Carlson

            [iOS] Media information is sometimes not shown in Control Center
            https://bugs.webkit.org/show_bug.cgi?id=157377

            Reviewed by Jer Noble.

            * platform/audio/ios/MediaSessionManagerIOS.h:
            * platform/audio/ios/MediaSessionManagerIOS.mm:
            (WebCore::MediaSessionManageriOS::updateNowPlayingInfo): Store values passed to
            MPNowPlayingInfoCenter individually instead of in a dictionary.

2016-05-12  Matthew Hanson

        Merge r199351. rdar://problem/26228860

    2016-04-12  Eric Carlson

            [iOS] media title sometimes remains in Control Center after tab is closed
            https://bugs.webkit.org/show_bug.cgi?id=156243

            Reviewed by Darin Adler.

            * Modules/webaudio/AudioContext.h: Implement characteristics.
            * html/HTMLMediaElement.cpp:
            (WebCore::HTMLMediaElement::mediaLoadingFailed): Call
            mediaSession->clientCharacteristicsChanged.
            (WebCore::HTMLMediaElement::setReadyState): Ditto.
            (WebCore::HTMLMediaElement::clearMediaPlayer): Ditto.
            (WebCore::HTMLMediaElement::stop): Call mediaSession->stopSession.
            (WebCore::HTMLMediaElement::characteristics): New, return current characteristics.
            * html/HTMLMediaElement.h:
            * platform/audio/PlatformMediaSession.cpp:
            (WebCore::PlatformMediaSession::stopSession): Suspend playback and remove the
            session from the manager; it will never play again.
            (WebCore::PlatformMediaSession::characteristics): Return client characteristics.
            (WebCore::PlatformMediaSession::clientCharacteristicsChanged):
            * platform/audio/PlatformMediaSession.h:
            * platform/audio/PlatformMediaSessionManager.cpp:
            (WebCore::PlatformMediaSessionManager::stopAllMediaPlaybackForProcess): Call
            stopSession instead of pauseSession to signal that playback will never start again.
            * platform/audio/PlatformMediaSessionManager.h:
            * platform/audio/ios/MediaSessionManagerIOS.h:
            * platform/audio/ios/MediaSessionManagerIOS.mm:
            (WebCore::MediaSessionManageriOS::sessionWillBeginPlayback): Add logging.
            (WebCore::MediaSessionManageriOS::removeSession): Update NowPlaying.
            (WebCore::MediaSessionManageriOS::sessionWillEndPlayback): Add logging.
            (WebCore::MediaSessionManageriOS::clientCharacteristicsChanged): Update NowPlaying.
            (WebCore::MediaSessionManageriOS::nowPlayingEligibleSession): New, return the first
            session that is an audio or video element with playable audio. WebAudio is not
            currently controllable so it isn't appropriate to show it in the NowPlaying info
            center.
            (WebCore::MediaSessionManageriOS::updateNowPlayingInfo): Remember the last state
            passed to NowPlaying so we can call it only when something has changed.

2016-05-12  Matthew Hanson

        Merge r200375. rdar://problem/26064990

    2016-05-03  Pranjal Jumde

            WorkerGlobalScope's self, location and navigator attributes should not be replaceable
            https://bugs.webkit.org/show_bug.cgi?id=157296

            Reviewed by Chris Dumez.

            Tests: http/tests/workers/location-readonly.html
                   http/tests/workers/navigator-readonly.html
                   http/tests/workers/self-readonly.html

            * workers/WorkerGlobalScope.idl: The 'self', 'location', and 'navigator' properties
            of the WorkerGlobalScope must be immutable. See:
            https://html.spec.whatwg.org/multipage/workers.html#the-workerglobalscope-common-interface

2016-05-12  Matthew Hanson

        Merge r200091. rdar://problem/26228870

    2016-04-26  Brent Fulgham

            GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight()
            https://bugs.webkit.org/show_bug.cgi?id=157020

            Reviewed by Darin Adler.
            Calls to setIntegralAttribute trigger event handling code, which can cause the
            underlying m_frameOwnerElement member to be deleted. We could clone this object,
            but since we only want the width and height we should just read them while we know
            the object is in a good state, then execute the potentially mutating methods.

            Tested by imported/blink/fast/dom/HTMLBodyElement/body-inserting-iframe-crash.html.

            * html/HTMLBodyElement.cpp:
            (WebCore::HTMLBodyElement::insertedInto): Read margin width and height before
            calling setIntegralAttribute.

2016-05-12  Matthew Hanson

        Merge r199243. rdar://problem/26228921

    2016-04-08  Said Abou-Hallawa

            Timing attack on SVG feComposite filter circumvents same-origin policy
            https://bugs.webkit.org/show_bug.cgi?id=154338

            Reviewed by Oliver Hunt.

            Ensure the FEComposite arithmetic filter clamps the resulting color components in
            constant time.

            * platform/graphics/filters/FEComposite.cpp:
            (WebCore::clampByte):
            (WebCore::computeArithmeticPixels):

2016-05-12  Matthew Hanson

        Merge r199101. rdar://problem/26228884

    2016-04-06  Zalan Bujtas

            ASSERTION FAILED: !floatingObject->originatingLine() in WebCore::RenderBlockFlow::linkToEndLineIfNeeded
            https://bugs.webkit.org/show_bug.cgi?id=153001

            Reviewed by Dan Bernstein.

            1. Float boxes are always attached to the line where we see them first.
            2. A float box can only be attached to one line.
            3. RenderBlockFlow can perform partial layout on dirty lines only.

            In certain cases, the last dirty line can "pull up" float boxes from the first clean
            line. It simply means that due to some layout changes on previous lines we now see
            those floats on this last dirty line first. If after placing the float we still find
            it in the same position, the line below is still considered clean. Remove the float
            box from its original line if the line above already placed it.
            Test: fast/block/float/float-moves-between-lines.html

            * rendering/RenderBlockFlow.h:
            * rendering/RenderBlockLineLayout.cpp:
            (WebCore::RenderBlockFlow::reattachCleanLineFloats):
            (WebCore::RenderBlockFlow::linkToEndLineIfNeeded):
            (WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange): Deleted.

2016-05-12  Matthew Hanson

        Merge r198780. rdar://problem/26228892

    2016-03-29  Eric Carlson

            media/track/track-remove-track.html is flaky, crashing and failing
            https://bugs.webkit.org/show_bug.cgi?id=130971

            Reviewed by Alexey Proskuryakov.

            Prevent HTMLMediaElement from being collected while it is creating media controls.
            These changes prevent the test from crashing but they do not fix the flakiness,
            which is caused by another bug. Fixing that is tracked by
            https://bugs.webkit.org/show_bug.cgi?id=155956.

            * html/HTMLMediaElement.cpp:
            (WebCore::actionName): New, debugging-only helper function.
            (WebCore::HTMLMediaElement::HTMLMediaElement): Initialize new variables.
            (WebCore::HTMLMediaElement::scheduleDelayedAction): Log the flag names to make
            debugging easier.
            (WebCore::HTMLMediaElement::scheduleNextSourceChild): Add logging.
            (WebCore::HTMLMediaElement::updateActiveTextTrackCues): Update logging.
            (WebCore::HTMLMediaElement::configureTextTrackGroup): Drive-by optimization: don't
            call updateCaptionContainer here, call it before exiting configureTextTracks so we
            only call it once instead of once per track group.
            (WebCore::controllerJSValue):
            (WebCore::HTMLMediaElement::ensureMediaControlsShadowRoot): New, wrapper around
            calling ensureUserAgentShadowRoot so m_creatingControls can be set and cleared
            appropriately.
            (WebCore::HTMLMediaElement::updateCaptionContainer): ensureUserAgentShadowRoot ->
            ensureMediaControlsShadowRoot. Drive-by optimization: set/test
            m_haveSetupCaptionContainer so we only do this setup once.
            (WebCore::HTMLMediaElement::configureTextTracks): Call updateCaptionContainer.
            (WebCore::HTMLMediaElement::clearMediaPlayer): Log flag names.
            (WebCore::HTMLMediaElement::hasPendingActivity): Return true when creating controls
            so GC won't happen during controls setup.
            (WebCore::HTMLMediaElement::updateTextTrackDisplay): ensureUserAgentShadowRoot ->
            ensureMediaControlsShadowRoot.
            (WebCore::HTMLMediaElement::createMediaControls): Ditto.
            (WebCore::HTMLMediaElement::configureMediaControls): Ditto.
            (WebCore::HTMLMediaElement::configureTextTrackDisplay): Ditto.
            * html/HTMLMediaElement.h:

2016-05-12  Matthew Hanson

        Merge r200738. rdar://problem/26228887

    2016-05-11  Matthew Hanson

            Merge r198701. rdar://problem/26228577

        2016-03-25  Zalan Bujtas

                RenderImage::repaintOrMarkForLayout fails when the renderer is detached.
                https://bugs.webkit.org/show_bug.cgi?id=155885

                Reviewed by Simon Fraser.

                Making containingBlockFor* functions standalone ensures that we don't call them
                on an invalid object.

                Covered by existing tests.

                * dom/Element.cpp:
                (WebCore::layoutOverflowRectContainsAllDescendants):
                * rendering/LogicalSelectionOffsetCaches.h:
                (WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches):
                * rendering/RenderElement.cpp:
                (WebCore::containingBlockForFixedPosition):
                (WebCore::containingBlockForAbsolutePosition):
                (WebCore::containingBlockForObjectInFlow):
                (WebCore::RenderElement::containingBlockForFixedPosition): Deleted.
                (WebCore::RenderElement::containingBlockForAbsolutePosition): Deleted.
                (WebCore::isNonRenderBlockInline): Deleted.
                (WebCore::RenderElement::containingBlockForObjectInFlow): Deleted.
                * rendering/RenderElement.h:
                * rendering/RenderInline.cpp:
                (WebCore::RenderInline::styleWillChange):
                * rendering/RenderObject.cpp:
                (WebCore::RenderObject::containingBlock):

2016-05-12  Matthew Hanson

        Merge r200735. rdar://problem/26228904

    2016-05-11  Matthew Hanson

            Merge r198143. rdar://problem/26228593

        2016-03-14  Chris Vienneau

                PingHandle deletes itself but pointer is still used by handleDataURL
                https://bugs.webkit.org/show_bug.cgi?id=154752

                Reviewed by Alex Christensen.
                When a PingHandle is destroyed, we should tell its client so that the client can
                clear the pointer it holds to the element to avoid accidentally attempting to use
                deallocated memory. The ResourceHandle's client member may be null after
                "didReceiveResponse" is called. We should confirm the client is still valid after
                these calls.

                * platform/network/DataURL.cpp:
                (WebCore::handleDataURL): Check the client pointer before using it.
                * platform/network/PingHandle.h:
                (WebCore::PingHandle::~PingHandle): Notify the client we are being destroyed.
                * platform/platform/network/ResourceHandle.h:

2016-05-12  Matthew Hanson

        Merge r198050. rdar://problem/26228899

    2016-03-11  Jiewen Tan

            WebKit should not be redirected to an invalid URL
            https://bugs.webkit.org/show_bug.cgi?id=155263

            Reviewed by Brent Fulgham.

            Test: http/tests/navigation/redirect-to-invalid-url.html

            * loader/SubresourceLoader.cpp:
            (WebCore::SubresourceLoader::willSendRequestInternal):

2016-05-12  Matthew Hanson

        Merge r195724. rdar://problem/26228915

    2016-01-27  Said Abou-Hallawa

            Garbage is displayed when root svg element has mix-blend-mode set
            https://bugs.webkit.org/show_bug.cgi?id=150556

            Reviewed by Darin Adler.

            This bug happens when compositing on a CALayer and drawing on a transparent layer,
            so it happens with WK2 with . And it can happen with WK1 also with . But in both
            cases, the SVG root renderer should be the root of the render tree. So it happens
            only with standalone SVG documents.

            SVGRenderContext::prepareToRenderSVGContent() ignores the opacity of the SVG root
            but it creates a transparent layer for the blend-mode. But
            RenderLayer::beginTransparencyLayers() creates a transparent layer for opacity and
            it sets the blend-mode also.

            The fix is to begin two transparent layers for the SVG root renderer: one for the
            opacity and the second for the blend-mode. The opacity transparent layer will still
            be managed by RenderLayer::beginTransparencyLayers().
            While the blend-mode transparent layer will be managed by
            SVGRenderContext::prepareToRenderSVGContent().

            Tests: svg/css/mix-blend-mode-background-root.svg
                   svg/css/mix-blend-mode-opacity-root.svg

            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::beginTransparencyLayers):

2016-05-12  Matthew Hanson

        Merge r195004. rdar://problem/26228875

    2016-01-13  Brent Fulgham

            Cross-protocol, cross-site scripting (XPSS) using HTML forms
            https://bugs.webkit.org/show_bug.cgi?id=153017

            Reviewed by David Kilzer.

            * loader/DocumentLoader.cpp:
            (WebCore::DocumentLoader::responseReceived): If response HTTP version is 0.9,
            sandbox against script execution and plugins.
            * loader/ResourceLoader.cpp:
            (WebCore::ResourceLoader::didReceiveResponse): Ditto.
            * loader/SubresourceLoader.cpp:
            (WebCore::SubresourceLoader::didReceiveResponse): Ditto.
            * platform/network/ResourceResponseBase.cpp:
            (WebCore::ResourceResponseBase::adopt): Update for HTTP version.
            (WebCore::ResourceResponseBase::copyData): Ditto.
            (WebCore::ResourceResponseBase::httpVersion): Added.
            (WebCore::ResourceResponseBase::setHTTPVersion): Ditto.
            * platform/network/ResourceResponseBase.h:
            (WebCore::ResourceResponseBase::encode): Update for HTTP version.
            (WebCore::ResourceResponseBase::decode): Ditto.
            * platform/network/cf/ResourceResponseCFNet.cpp:
            (WebCore::ResourceResponse::platformLazyInit): Capture HTTP version.
            * platform/network/cocoa/ResourceResponseCocoa.mm:
            (WebCore::ResourceResponse::platformLazyInit): Ditto.

2016-05-12  Matthew Hanson

        Merge r194399. rdar://problem/26228911

    2015-12-23  Pranjal Jumde

            Avoids stack recursion when indexed propertyNames defined using
            Object.defineProperty are deleted.
            https://bugs.webkit.org/show_bug.cgi?id=149179

            Reviewed by Filip Pizlo.

            * runtime/JSObject.cpp:
            (JSStorage::deletePropertyByIndex was invoking Base::deleteProperty for indexed
            propertyNames instead of Base::deletePropertyByIndex, leading to a stack recursion)

2016-05-12  Matthew Hanson

        Merge r194290.
        rdar://problem/26228866

    2015-12-18  Brent Fulgham

            Place an upper bound on canvas pixel count
            https://bugs.webkit.org/show_bug.cgi?id=151825

            Reviewed by Simon Fraser (Relanded by Brent Fulgham)

            Malformed JavaScript can attempt to create lots of canvas contexts. Limit the amount
            of memory we will use for this purpose to some percentage of system RAM.

            * html/HTMLCanvasElement.cpp:
            (WebCore::removeFromActivePixelMemory): Added helper function.
            (WebCore::HTMLCanvasElement::~HTMLCanvasElement): Call new
            'releaseImageBufferAndContext' method to ensure ImageBuffer and graphics context
            state are properly cleaned up.
            (WebCore::maxActivePixels): Use one quarter of the system RAM, or 2 GB (whichever
            is more) as an upper bound on active pixel memory.
            (WebCore::HTMLCanvasElement::getContext): If we are attempting to create a context
            that will cause us to exceed the allowed active pixel count, fail.
            (WebCore::HTMLCanvasElement::releaseImageBufferAndContext): Added helper function.
            (WebCore::HTMLCanvasElement::setSurfaceSize): Use the new
            'releaseImageBufferAndContext' method to handle active pixel memory counts.
            (WebCore::HTMLCanvasElement::createImageBuffer): Refuse to create a backing buffer
            if it will exceed our available pixel memory.

2016-05-12  Matthew Hanson

        Merge r190820. rdar://problem/26228881

    2015-10-09  Simon Fraser

            Garbage texture data with composited table row
            https://bugs.webkit.org/show_bug.cgi?id=148984

            Reviewed by Zalan Bujtas.

            Don't pretend to know if the layer for a table header, section or cell is opaque,
            since table painting is special.

            Test: compositing/contents-opaque/table-parts.html

            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::backgroundIsKnownToBeOpaqueInRect):

2016-04-22  Matthew Hanson

        Merge r199881. rdar://problem/25879593

    2016-04-22  Antti Koivisto

            REGRESSION (r194898): Multi download of external SVG defs file by xlinks:href (caching)
            https://bugs.webkit.org/show_bug.cgi?id=156368

            Reviewed by Simon Fraser.
            We would load svg resources with fragment identifier again because the encoding
            never matched.

            Test: http/tests/svg/svg-use-external.html

            * loader/TextResourceDecoder.cpp:
            (WebCore::TextResourceDecoder::setEncoding):
            (WebCore::TextResourceDecoder::hasEqualEncodingForCharset): Encoding can depend on
            mime type. Add a comparison function that takes this into account.
            (WebCore::findXMLEncoding):
            * loader/TextResourceDecoder.h:
            (WebCore::TextResourceDecoder::encoding):
            * loader/cache/CachedCSSStyleSheet.h:
            * loader/cache/CachedResource.h:
            (WebCore::CachedResource::textResourceDecoder): Add a way to get the
            TextResourceDecoder from a cached resource.
            * loader/cache/CachedResourceLoader.cpp:
            (WebCore::CachedResourceLoader::determineRevalidationPolicy): Use the new comparison
            function.
            * loader/cache/CachedSVGDocument.h:
            * loader/cache/CachedScript.h:
            * loader/cache/CachedXSLStyleSheet.h:

2016-04-15  Babak Shafiei

        Merge r199598.

    2016-04-15  Said Abou-Hallawa

            Calling SVGAnimatedPropertyTearOff::animationEnded() will crash if the SVG property is not animating
            https://bugs.webkit.org/show_bug.cgi?id=156549

            Reviewed by Darin Adler.

            A speculative fix for a crash which may happen when calling animationEnded() of any
            SVGAnimatedProperty while it is not animating.

            * svg/SVGAnimatedTypeAnimator.h:
            (WebCore::SVGAnimatedTypeAnimator::executeAction):

2016-04-08  Babak Shafiei

        Merge r199253.

    2016-04-08  Jer Noble

            Unreviewed 32-bit build fix; make type of std::min<> explicit.

            * platform/audio/ios/AudioDestinationIOS.cpp:
            (WebCore::AudioDestinationIOS::render):

2016-04-08  Babak Shafiei

        Merge r199252.

    2016-04-08  Jer Noble

            CRASH in AudioDestinationNode::render()
            https://bugs.webkit.org/show_bug.cgi?id=156308

            Reviewed by Eric Carlson.

            Yet another math error in AudioDestinationIOS::render(). It is possible for the
            difference between m_startSpareFrame and m_endSpareFrame to be greater than the
            numberOfFrames to be rendered.
            Protect against this case by taking the min() of those two values and only advancing
            m_startSpareFrame by that amount. This guarantees that framesThisTime will never
            underflow, and that data will not be written past the end of the ioData parameter.

            * platform/audio/ios/AudioDestinationIOS.cpp:
            (WebCore::AudioDestinationIOS::render):

2016-04-06  Matthew Hanson

        Merge r199116. rdar://problem/25468815

    2016-04-06  Jer Noble

            CRASH in AudioDestinationNode::render()
            https://bugs.webkit.org/show_bug.cgi?id=156308

            Reviewed by Eric Carlson.

            AudioDestinationNode::render() will crash when passed in a zero-length frame count.
            Rather than get into this bad state, ASSERT() and bail out early in this case. Also,
            address the situation in AudioDestinationIOS::render which can cause this 0-frame
            count to occur.

            * Modules/webaudio/AudioDestinationNode.cpp:
            (WebCore::AudioDestinationNode::render):
            * platform/audio/ios/AudioDestinationIOS.cpp:
            (WebCore::AudioDestinationIOS::render):

2016-04-05  Matthew Hanson

        Merge r199042. rdar://problem/25533763

    2016-04-04  Jer Noble

            [iOS] Crash when playing element while it waits for the loading operation to
            complete. Once finished, whether successfully or with an error, it derefs the .
            Since we never fired notifyFinished(), we ended up with an extra ref on these
            forever, and then the element kept its document alive too.

            Test: fast/dom/ImageDocument-world-leak.html

            * loader/ImageLoader.cpp:
            (WebCore::ImageLoader::updateFromElement):

2016-03-24  Matthew Hanson

        Merge custom patch. rdar://problem/25152415.

        * rendering/OrderIterator.cpp:

2016-03-24  Matthew Hanson

        Merge r198157. rdar://problem/25271134

    2016-03-14  Simon Fraser

            Fix crash when reloading a page using requestAnimationFrame on iOS
            https://bugs.webkit.org/show_bug.cgi?id=155465
            rdar://problem/25100202

            Reviewed by Tim Horton.

            On iOS, it's possible for all clients for a DisplayRefreshMonitor to be
            unregistered, but still get a subsequent displayDidRefresh() for that monitor.
            In this case, we would remove(notFound) which release-asserts. Fix by just checking
            for notFound.

            Unable to test because requestAnimationFrame doesn't work in the simulator.

            * platform/graphics/DisplayRefreshMonitorManager.cpp:
            (WebCore::DisplayRefreshMonitorManager::displayDidRefresh):

2016-03-24  Matthew Hanson

        Merge r195614. rdar://problem/24850429

    2016-01-26  Philip Rogers

            Let SVG images not taint canvases except when containing foreignObjects
            https://bugs.webkit.org/show_bug.cgi?id=119639

            Reviewed by Brent Fulgham.

            r153876 caused SVG images to not taint canvases but the patch allowed for subimage
            resources. This can be a problem if a subimage (e.g., data uri image) contains a
            foreignObject which can violate security (e.g., visited links).

            This patch updates SVGImage::hasSingleSecurityOrigin to check if the image contains
            any foreignObjects or images that themselves contain foreignObjects. SVG images
            without foreignObjects are allowed to not taint canvases.

            Canvas patterns are problematic because an animated SVG image can switch between
            tainting and not tainting the canvas. A FIXME has been added to solve this, and in
            the meantime we cause SVG images to taint patterns.
            Tests: svg/as-image/svg-canvas-pattern-with-link-tainted.html
                   svg/as-image/svg-canvas-svg-with-feimage-with-link-tainted.html
                   svg/as-image/svg-canvas-svg-with-image-with-link-tainted.html

            * html/canvas/CanvasPattern.cpp:
            (WebCore::CanvasPattern::CanvasPattern):
            (WebCore::CanvasPattern::~CanvasPattern):
            * svg/SVGFEImageElement.cpp:
            (WebCore::SVGFEImageElement::~SVGFEImageElement):
            (WebCore::SVGFEImageElement::hasSingleSecurityOrigin):
            (WebCore::SVGFEImageElement::clearResourceReferences):
            * svg/SVGFEImageElement.h:
            * svg/SVGImageElement.cpp:
            (WebCore::SVGImageElement::create):
            (WebCore::SVGImageElement::hasSingleSecurityOrigin):
            (WebCore::SVGImageElement::isSupportedAttribute):
            * svg/SVGImageElement.h:
            * svg/graphics/SVGImage.cpp:
            (WebCore::SVGImage::hasSingleSecurityOrigin):

2016-03-21  Matthew Hanson

        Merge r197967. rdar://problem/25271137

    2016-03-10  Said Abou-Hallawa

            REGRESSION: GuardMalloc crash in SVGListPropertyTearOff::processIncomingListItemWrapper
            https://bugs.webkit.org/show_bug.cgi?id=154969

            Reviewed by Darin Adler.

            The life cycle of the SVGAnimatedPropertyTearOff::m_baseVal and m_animVal was not
            correct. Like what was done in SVGAnimatedListPropertyTearOff, m_baseVal and
            m_animVal have to be raw RefCounted pointers. When requested through
            SVGAnimatedPropertyTearOff::baseVal() and animVal(), they are encapsulated in a
            RefPtr to ensure their existence as long as they are referenced.

            When the animated property object (which is stored in either m_baseVal or
            m_animVal) is not referenced by anyone, it is going to be deleted. In the destructor
            of their class, SVGAnimatedPropertyTearOff will be notified of this deletion through
            propertyWillBeDeleted() to clean its member m_baseVal or m_animVal.

            * bindings/scripts/CodeGeneratorJS.pm:
            (NativeToJSValue): Now all the SVG animated properties return RefPtrs. In addition
            to that, SVGViewSpec.transform also returns RefPtr.
            * svg/properties/SVGAnimatedListPropertyTearOff.h:
            (WebCore::SVGAnimatedListPropertyTearOff::animVal):
            (WebCore::SVGAnimatedListPropertyTearOff::currentAnimatedValue):
            (WebCore::SVGAnimatedListPropertyTearOff::animationStarted):
            (WebCore::SVGAnimatedListPropertyTearOff::animationEnded):
            (WebCore::SVGAnimatedListPropertyTearOff::synchronizeWrappersIfNeeded):
            (WebCore::SVGAnimatedListPropertyTearOff::isAnimating):
            (WebCore::SVGAnimatedListPropertyTearOff::propertyWillBeDeleted):
            Change propertyWillBeDeleted() to be virtual and make it take an SVGProperty*.
            Rename m_animatingAnimVal to be m_animatedProperty. Add isAnimating() which returns
            true if m_animatedProperty is not null. Use isAnimating() instead of m_isAnimating
            because it's deleted from the base class.

            * svg/properties/SVGAnimatedProperty.cpp:
            (WebCore::SVGAnimatedProperty::SVGAnimatedProperty):
            (WebCore::SVGAnimatedProperty::~SVGAnimatedProperty):
            * svg/properties/SVGAnimatedProperty.h:
            (WebCore::SVGAnimatedProperty::isAnimating):
            (WebCore::SVGAnimatedProperty::propertyWillBeDeleted):
            Delete m_isAnimating since its value can be deduced from the value of
            m_animatedProperty in the derived class. Add propertyWillBeDeleted() and
            isAnimating() as virtual functions with the default behavior.

            * svg/properties/SVGAnimatedPropertyTearOff.h:
            (WebCore::SVGAnimatedPropertyTearOff::baseVal):
            (WebCore::SVGAnimatedPropertyTearOff::animVal):
            Like SVGAnimatedListPropertyTearOff::baseVal() and animVal(), create the value if it
            does not exist. Keep a raw RefCounted pointer but return a RefPtr.

            (WebCore::SVGAnimatedPropertyTearOff::isAnimating):
            (WebCore::SVGAnimatedPropertyTearOff::propertyWillBeDeleted):
            Override virtual functions.
            (WebCore::SVGAnimatedPropertyTearOff::currentAnimatedValue):
            (WebCore::SVGAnimatedPropertyTearOff::animationStarted):
            (WebCore::SVGAnimatedPropertyTearOff::animationEnded):
            (WebCore::SVGAnimatedPropertyTearOff::animValWillChange):
            (WebCore::SVGAnimatedPropertyTearOff::animValDidChange):
            Replace m_isAnimating with isAnimating(). Ensure that we get a new animated property
            through animVal() and store it in a RefPtr to ensure it will not go away while
            animating.

            * svg/properties/SVGAnimatedStaticPropertyTearOff.h:
            (WebCore::SVGAnimatedStaticPropertyTearOff::isAnimating):
            (WebCore::SVGAnimatedStaticPropertyTearOff::currentAnimatedValue):
            (WebCore::SVGAnimatedStaticPropertyTearOff::animationStarted):
            (WebCore::SVGAnimatedStaticPropertyTearOff::animationEnded):
            (WebCore::SVGAnimatedStaticPropertyTearOff::animValWillChange):
            (WebCore::SVGAnimatedStaticPropertyTearOff::animValDidChange):
            Add isAnimating() and replace all the instances of m_isAnimating with calls to
            isAnimating().

            * svg/properties/SVGPropertyTearOff.h:
            (WebCore::SVGPropertyTearOff::animatedProperty):
            (WebCore::SVGPropertyTearOff::setAnimatedProperty):
            (WebCore::SVGPropertyTearOff::contextElement):
            (WebCore::SVGPropertyTearOff::SVGPropertyTearOff):
            (WebCore::SVGPropertyTearOff::~SVGPropertyTearOff):
            SVGPropertyTearOff is what SVGAnimatedPropertyTearOff creates for its baseVal() and
            animVal() values. These values can be null anytime once they are not referenced. The
            SVGAnimatedPropertyTearOff holds only a raw RefCounted pointer for them. So (1)
            SVGPropertyTearOff needs to hold a RefPtr for its SVGAnimatedProperty and (2) it
            needs to notify its SVGAnimatedProperty when it's deleted by calling
            propertyWillBeDeleted() from the destructor. Also there is no need to get the
            contextElement() and save it in a class member, m_contextElement, since it can
            always be retrieved from SVGAnimatedProperty::contextElement().

2016-03-18  Babak Shafiei

        Merge r192285.
        * dom/ContainerNode.cpp:
        (WebCore::ContainerNode::ensurePreInsertionValidity): Added.
        * dom/ContainerNode.h:

2015-11-10  Pranjal Jumde

        Fixed crash loading Mozilla layout test editor/libeditor/crashtests/431086-1.xhtml.
        https://bugs.webkit.org/show_bug.cgi?id=150252

        Reviewed by Brent Fulgham.

        * Source/WebCore/editing/ios/EditorIOS.mm
        * Source/WebCore/editing/mac/EditorMac.mm
        In Editor::fontForSelection moved the node removal code, so that the node is
        only removed if style is not NULL.
        * Source/WebCore/editing/cocoa/EditorCocoa.mm
        In Editor::styleForSelectionStart checking if the parentNode can accept the
        styleElement node.

2016-03-18  Babak Shafiei

        Merge r198377.

2016-03-17  Brent Fulgham

        [XSS Auditor] Off by one in XSSAuditor::canonicalizedSnippetForJavaScript()
        https://bugs.webkit.org/show_bug.cgi?id=155624

        Unreviewed merge from Blink (patch by Tom Sepez):

        Test: http/tests/security/xssAuditor/script-tag-with-trailing-script-and-urlencode.html

        * html/parser/XSSAuditor.cpp:
        (WebCore::XSSAuditor::canonicalizedSnippetForJavaScript): Correct off-by-one error.

2016-03-18  Babak Shafiei

        Merge r198372.

2016-03-17  Zalan Bujtas

        Don't initiate a style recalc while drawing text
        https://bugs.webkit.org/show_bug.cgi?id=155618

        Reviewed by Simon Fraser.

        This patch ensures that we don't initiate a style recalc while in the middle of
        text drawing.

        Test: fast/canvas/crash-while-resizing-canvas.html

        * html/canvas/CanvasRenderingContext2D.cpp:
        (WebCore::CanvasRenderingContext2D::drawTextInternal):

2016-03-18  Babak Shafiei

        Merge r198370.

2016-03-17  Eric Carlson

        Improve some metadata tests
        https://bugs.webkit.org/show_bug.cgi?id=155616

        Reviewed by Saam Barati.

        * html/track/DataCue.cpp:
        (WebCore::DataCue::DataCue):
        (WebCore::DataCue::setData):

2016-03-18  Babak Shafiei

        Merge r198361.

2016-03-17  Brent Fulgham

        Some media tests are flaky.
        https://bugs.webkit.org/show_bug.cgi?id=155614

        Reviewed by Eric Carlson.
        * html/track/TextTrack.cpp:
        (WebCore::TextTrack::~TextTrack):

2016-03-18  Babak Shafiei

        Merge r192770.

2015-11-25  Pranjal Jumde

        Checks for buffer-overflows when reading characters from textRun
        https://bugs.webkit.org/show_bug.cgi?id=151055

        Reviewed by Myles C. Maxfield.

        Prevents an off by one error when adding the last font data to the GlyphBuffer.

        * Source/WebCore/platform/graphics/WidthIterator.cpp:
        * Source/WebCore/platform/graphics/FontCascade.cpp:

2016-03-18  Babak Shafiei

        Merge r192499.

2015-11-16  Pranjal Jumde

        Fixes the buffer-overflow when reading characters from textRun
        https://bugs.webkit.org/attachment.cgi?bugid=151055

        Reviewed by Brent Fulgham.

        * platform/graphics/FontCascade.cpp

2016-03-18  Babak Shafiei

        Merge r192252.

2015-11-10  Zalan Bujtas

        Force display: block on ::-webkit-media-controls.
        https://bugs.webkit.org/show_bug.cgi?id=149178

        Reviewed by Simon Fraser.

        This patch ensures that we always have a block level container for media
        controls so that continuation never needs to split RenderMedia into multiple
        subtrees. Current inline continuation logic assumes that only inline elements
        with RenderInline type of renderers participate in continuation. This is mostly
        the case since other inline renderers such as RenderReplaced, RenderImage,
        RenderEmbeddedObject etc. can't have (accessible) children. (Unlike
        video::-webkit-media-controls)

        Test: media/webkit-media-controls-display.html

        * Modules/mediacontrols/mediaControlsApple.css:
        (::-webkit-media-controls):
        * Modules/mediacontrols/mediaControlsiOS.css:
        (::-webkit-media-controls):
        * css/mediaControls.css:
        (::-webkit-media-controls):

2016-03-18  Babak Shafiei

        Merge r192853.

2015-11-30  Simon Fraser

        Fix possible crash with animated layers in reflections
        https://bugs.webkit.org/show_bug.cgi?id=151689
        rdar://problem/23018612

        Reviewed by Darin Adler.

        Reflections create additional PlatformCALayers whose owner is set to the
        GraphicsLayerCA.
        Those PlatformCALayers need their owner pointer cleared out when the
        GraphicsLayerCA is destroyed.

        Tested by compositing/reflections/nested-reflection-transition.html

        * platform/graphics/ca/GraphicsLayerCA.cpp:
        * platform/graphics/ca/GraphicsLayerCA.h:

2016-03-14  Matthew Hanson

        Merge r197125.
        rdar://problem/24860685

2016-02-25  Said Abou-Hallawa

        REGRESSION (r196268): Many assertion failures and crashes on SVG path animation tests when JS garbage collection happens quickly
        https://bugs.webkit.org/show_bug.cgi?id=154331

        Reviewed by Darin Adler.

        This is not an actual regression. The bug did exist before r196268 but the whole
        document was leaking once an SVGAnimatedProperty was created so there was no way
        to produce this bug. After fixing the leak, one crash and one assert got
        uncovered. Both of them happen because of the fact: "if an SVGAnimatedProperty
        is not referenced it will be deleted."

        * svg/SVGPathElement.cpp:
        (WebCore::SVGPathElement::lookupOrCreateDWrapper): The code in this function was
        assuming that the wrapper will be created only once which happens when
        SVGAnimatedProperty::lookupOrCreateWrapper() is called. Before making this single
        call, lookupOrCreateDWrapper() was building an initial SVGPathSegList from byte
        stream. But now SVGAnimatedProperty::lookupWrapper() can return false even after
        creating the SVGAnimatedProperty because it was deleted later. Calling
        buildSVGPathSegListFromByteStream() more than once was causing
        SVGAnimatedListPropertyTearOff::animationStarted() to fire the assertion
        ASSERT(m_values.size() == m_wrappers.size()) because the path segments were
        appended twice to m_values which is in fact SVGPathElement::m_pathSegList.value.
        The fix is to build the initial SVGPathSegList only once which should happen
        when m_pathSegList.value.isEmpty().
        (WebCore::SVGPathElement::animatedPropertyWillBeDeleted):
        * svg/SVGPathElement.h:
        * svg/properties/SVGAnimatedPathSegListPropertyTearOff.h:
        (WebCore::SVGAnimatedPathSegListPropertyTearOff::~SVGAnimatedPathSegListPropertyTearOff):
        SVGPathElement is assuming the following equivalence relation:
        m_pathSegList.shouldSynchronize ~ SVGAnimatedProperty_is_created_and_not_null.
        SVGPathElement::animatedPathSegList() and animatedNormalizedPathSegList() set
        m_pathSegList.shouldSynchronize to true when SVGAnimatedProperty is created but
        nothing sets m_pathSegList.shouldSynchronize back to false. This was not a
        problem when the SVGAnimatedProperty was leaking but after ensuring it is
        deleted when it is not referenced this equivalence relation becomes untrue
        sometimes. This caused SVGPathElement::svgAttributeChanged() to crash when we
        check m_pathSegList.shouldSynchronize and if it is true we assume that
        SVGAnimatedProperty::lookupWrapper() will return a non-null pointer and
        therefore we dereference this pointer and call
        SVGAnimatedProperty::isAnimating(). To fix this crash we need to set
        m_pathSegList.shouldSynchronize back to false when the associated
        SVGAnimatedProperty is deleted.

2016-03-14  Matthew Hanson

        Merge r196670.
        rdar://problem/24860681

2016-02-16  Said Abou-Hallawa

        REGRESSION(r196268): WTFCrashWithSecurityImplication on SVG path animation tests
        https://bugs.webkit.org/show_bug.cgi?id=154221

        Reviewed by Brent Fulgham.

        In r196268, a destructor was added to SVGListPropertyTearOff that notifies its
        wrapper (the SVGAnimatedListPropertyTearoff) about its deletion. This allows the
        wrapper to nullify any references to the wrapped content. We needed to do the
        same thing for SVGPathSegListPropertyTearOff. Both SVGPathSegListPropertyTearOff
        and SVGListPropertyTearOff inherit from SVGListProperty and both hold pointers
        to SVGAnimatedListPropertyTearOff which needs to be notified.

        Tests: existing svg path animation tests should not crash.
        * svg/properties/SVGPathSegListPropertyTearOff.h:
        (WebCore::SVGPathSegListPropertyTearOff::~SVGPathSegListPropertyTearOff):

2016-03-14  Matthew Hanson

        Merge r196268.
        rdar://problem/24748259

2016-02-08  Said Abou-Hallawa

        REGRESSION(r181345): SVG polyline and polygon leak page
        https://bugs.webkit.org/show_bug.cgi?id=152759

        Reviewed by Darin Adler.

        The leak happens because of a cyclic reference between SVGListPropertyTearOff
        and SVGAnimatedListPropertyTearOff which is derived from SVGAnimatedProperty.
        There is also a cyclic reference between SVGAnimatedProperty and SVGElement and
        this causes the whole document to be leaked. So if the JS requests, for example,
        an instance of SVGPolylineElement.points, the whole document will be leaked.

        The fix depends on having the cyclic reference as is since the owning and the
        owned classes have to live together if any of them is referenced. But the owning
        class caches a raw 'ref-counted' pointer of the owned class. If it is requested
        for an instance of the owned class it returns a RefPtr<> of it. Once the owned
        class is not used, it can delete itself. The only thing needed here is to notify
        the owner class of the deletion so it cleans its caches and is able to create a
        new pointer if it is requested for an instance of the owned class later.

        Revert the change of r181345 in SVGAnimatedProperty::lookupOrCreateWrapper() to
        break the cyclic reference between SVGElement and SVGAnimatedProperty. Also
        apply the same approach in SVGAnimatedListPropertyTearOff::baseVal() and
        animVal() to break the cyclic reference between SVGListPropertyTearOff and
        SVGAnimatedListPropertyTearOff.

        Test: svg/animations/smil-leak-list-property-instances.svg

        * bindings/scripts/CodeGeneratorJS.pm:
        (NativeToJSValue): The SVG non-string list tear-off properties became of type
        RefPtr<>. So we need to use get() with the casting expressions.
        * svg/SVGMarkerElement.cpp:
        (WebCore::SVGMarkerElement::orientType): Use 'auto' type for the return of
        SVGAnimatedProperty::lookupWrapper().
        * svg/SVGPathElement.cpp:
        (WebCore::SVGPathElement::pathByteStream):
        (WebCore::SVGPathElement::lookupOrCreateDWrapper): Since
        SVGAnimatedProperty::lookupWrapper() returns a RefPtr<> we need to use get()
        for the casting expressions.
        (WebCore::SVGPathElement::pathSegList):
        (WebCore::SVGPathElement::normalizedPathSegList):
        (WebCore::SVGPathElement::animatedPathSegList):
        (WebCore::SVGPathElement::animatedNormalizedPathSegList):
        * svg/SVGPathElement.h: Change the return value from raw pointer to RefPtr<>.
        * svg/SVGPathSegWithContext.h:
        (WebCore::SVGPathSegWithContext::animatedProperty): Change the return type to
        be RefPtr<> to preserve the value from being deleted.
        * svg/SVGPolyElement.cpp:
        (WebCore::SVGPolyElement::parseAttribute): Since
        SVGAnimatedProperty::lookupWrapper() returns a RefPtr<> we need to use get()
        for the casting expressions.
        (WebCore::SVGPolyElement::points):
        (WebCore::SVGPolyElement::animatedPoints):
        * svg/SVGPolyElement.h: Change the return value from raw pointer to RefPtr<>.
        * svg/SVGViewSpec.cpp:
        (WebCore::SVGViewSpec::setTransformString): Since
        SVGAnimatedProperty::lookupWrapper() returns a RefPtr<> we need to use get()
        for the casting expressions.
        (WebCore::SVGViewSpec::transform):
        * svg/SVGViewSpec.h: Change the return value from raw pointer to RefPtr<>.
        * svg/properties/SVGAnimatedListPropertyTearOff.h:
        (WebCore::SVGAnimatedListPropertyTearOff::baseVal):
        (WebCore::SVGAnimatedListPropertyTearOff::animVal): Change the return value
        from raw pointer to RefPtr<> and change the cached value from RefPtr<> to raw
        pointer. If the property is null, it will be created, its raw pointer will be
        cached and the only ref-counted RefPtr<> will be returned. This will guarantee
        the RefPtr<> will be deleted once it is not used anymore.
        (WebCore::SVGAnimatedListPropertyTearOff::propertyWillBeDeleted): Clean the raw
        pointer caches m_baseVal and m_animVal upon deleting the actual pointer. This
        function will be called from the destructor of SVGListPropertyTearOff.
        (WebCore::SVGAnimatedListPropertyTearOff::findItem):
        (WebCore::SVGAnimatedListPropertyTearOff::removeItemFromList): We have to
        ensure the baseVal() is created before using it.
        (WebCore::SVGAnimatedListPropertyTearOff::detachListWrappers):
        (WebCore::SVGAnimatedListPropertyTearOff::currentAnimatedValue):
        (WebCore::SVGAnimatedListPropertyTearOff::animationStarted):
        (WebCore::SVGAnimatedListPropertyTearOff::animationEnded):
        (WebCore::SVGAnimatedListPropertyTearOff::synchronizeWrappersIfNeeded):
        (WebCore::SVGAnimatedListPropertyTearOff::animValWillChange):
        (WebCore::SVGAnimatedListPropertyTearOff::animValDidChange): For animation, a
        separate RefPtr<> 'm_animatingAnimVal' will be assigned to the animVal(). This
        will prevent deleting m_animVal while animating.
        * svg/properties/SVGAnimatedPathSegListPropertyTearOff.h:
        (WebCore::SVGAnimatedPathSegListPropertyTearOff::baseVal):
        (WebCore::SVGAnimatedPathSegListPropertyTearOff::animVal): Same as what is done
        in SVGAnimatedListPropertyTearOff.
        (WebCore::SVGAnimatedPathSegListPropertyTearOff::findItem):
        (WebCore::SVGAnimatedPathSegListPropertyTearOff::removeItemFromList): Same as
        what is done in SVGAnimatedListPropertyTearOff.
        * svg/properties/SVGAnimatedProperty.h:
        (WebCore::SVGAnimatedProperty::lookupOrCreateWrapper): Change the return value
        from raw reference to Ref<> and change the cached value from Ref<> to raw
        pointer. This reverts the change of r181345 in this function.
        (WebCore::SVGAnimatedProperty::lookupWrapper): Change the return value from
        raw pointer to RefPtr<>.
        * svg/properties/SVGAnimatedPropertyMacros.h: Use 'auto' type for the return
        of SVGAnimatedProperty::lookupWrapper().
        * svg/properties/SVGAnimatedTransformListPropertyTearOff.h:
        (WebCore::SVGAnimatedTransformListPropertyTearOff::baseVal):
        (WebCore::SVGAnimatedTransformListPropertyTearOff::animVal): Same as what is
        done in SVGAnimatedListPropertyTearOff.
        * svg/properties/SVGListPropertyTearOff.h:
        (WebCore::SVGListPropertyTearOff::~SVGListPropertyTearOff): Call the
        SVGAnimatedListPropertyTearOff::propertyWillBeDeleted() to clean its raw
        pointers when the RefPtr<> deletes itself.

2016-02-12  Babak Shafiei

        Merge r196401.

2016-02-10  Eric Carlson

        Update "manual" caption track logic
        https://bugs.webkit.org/show_bug.cgi?id=154084

        Reviewed by Dean Jackson.

        No new tests, media/track/track-manual-mode.html was updated.

        * English.lproj/Localizable.strings: Add new string.
        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::addTextTrack): track.setManualSelectionMode is no more.
        (WebCore::HTMLMediaElement::configureTextTrackGroup): Never enable a track
        automatically when in manual selection mode.
        (WebCore::HTMLMediaElement::captionPreferencesChanged): track.setManualSelectionMode
        is no more.
        * html/track/TextTrack.cpp:
        (WebCore::TextTrack::containsOnlyForcedSubtitles): Return true for forced tracks.
        (WebCore::TextTrack::kind): Deleted.
        * html/track/TextTrack.h:
        * html/track/TrackBase.h:
        (WebCore::TrackBase::kind): De-virtualize, nobody overrides it.
        * page/CaptionUserPreferencesMediaAF.cpp:
        (WebCore::trackDisplayName): Include "forced" in the name of forced tracks.
        * platform/LocalizedStrings.cpp:
        (WebCore::forcedTrackMenuItemText): New.
        * platform/LocalizedStrings.h:

2016-02-03  Matthew Hanson

        Merge r195837.
        rdar://problem/24001782

2016-01-29  Brent Fulgham

        [WebGL] Check vertex array bounds before permitting a glDrawArrays to execute
        https://bugs.webkit.org/show_bug.cgi?id=153643

        Reviewed by Dean Jackson.

        Tested by fast/canvas/webgl/webgl-drawarrays-crash.html.
        * html/canvas/WebGLRenderingContextBase.cpp:
        (WebCore::WebGLRenderingContextBase::validateDrawArrays): Make sure that we have
        at least one buffer bound to a program if a drawArray call with a non-zero
        range of requested data is being made.
        (WebCore::WebGLRenderingContextBase::validateDrawElements): Drive-by formatting fix.

2016-02-03  Matthew Hanson

        Merge r196096.
        rdar://problem/24416768

2016-02-03  Matthew Hanson

        Merge r196010.
        rdar://problem/24417428

2016-02-02  Eric Carlson

        Allow ports to disable automatic text track selection
        https://bugs.webkit.org/show_bug.cgi?id=153761

        Reviewed by Darin Adler.

        Test: media/track/track-manual-mode.html

        * Modules/mediacontrols/MediaControlsHost.cpp:
        (WebCore::MediaControlsHost::manualKeyword): New.
        (WebCore::MediaControlsHost::captionDisplayMode): Support 'manual' mode.
        * Modules/mediacontrols/MediaControlsHost.h:
        * Modules/mediacontrols/mediaControlsApple.js:
        (Controller.prototype.buildCaptionMenu): Check the 'off' item when in manual mode.
        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::addTextTrack): Update m_captionDisplayMode when
        called for the first time so it is always correct. Set the track's manual
        selection mode as appropriate.
        (WebCore::HTMLMediaElement::captionPreferencesChanged): Set each track's manual
        selection mode as appropriate.
        * html/track/TextTrack.cpp:
        (WebCore::TextTrack::kind): Return 'subtitles' for forced tracks when in manual mode.
        * html/track/TextTrack.h:
        * html/track/TrackBase.h:
        (WebCore::TrackBase::kind): Make virtual.
        * page/CaptionUserPreferences.cpp:
        (WebCore::CaptionUserPreferences::beginBlockingNotifications): New.
        (WebCore::CaptionUserPreferences::endBlockingNotifications): Ditto.
        (WebCore::CaptionUserPreferences::notify): Don't notify when blocked.
        * page/CaptionUserPreferences.h:
        * page/CaptionUserPreferencesMediaAF.cpp:
        (WebCore::CaptionUserPreferencesMediaAF::CaptionUserPreferencesMediaAF): Set
        manual mode when appropriate.
        (WebCore::CaptionUserPreferencesMediaAF::captionDisplayMode): Check manual mode.
        (WebCore::CaptionUserPreferencesMediaAF::setCaptionDisplayMode): Ditto.
        (WebCore::CaptionUserPreferencesMediaAF::setPreferredLanguage): Ditto.
        (WebCore::CaptionUserPreferencesMediaAF::textTrackSelectionScore): Return zero
        when in manual mode.
        (WebCore::CaptionUserPreferencesMediaAF::sortedTrackListForMenu): Consider
        manual mode. Fix typos in logging.
        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
        (WebCore::mediaDescriptionForKind): Return 'auxiliary' when in manual mode.
        * testing/Internals.cpp:
        (WebCore::Internals::setCaptionDisplayMode): Support manual mode.

2016-02-03  Matthew Hanson

        Merge r196095.
        rdar://problem/24416768

2016-02-03  Matthew Hanson

        Merge r195912.
        rdar://problem/24417428

2016-01-30  Eric Carlson

        More than one audio and/or text track sometimes selected in media controls menu
        https://bugs.webkit.org/show_bug.cgi?id=153664

        Use an element for the track menu item checkmark instead of a background image
        and the ::before selector.

        Reviewed by Jer Noble.

        Test: media/controls/track-menu.html

        * Modules/mediacontrols/mediaControlsApple.css:
        (audio::-webkit-media-controls-closed-captions-container li:hover):
        (audio::-webkit-media-controls-closed-captions-container li .checkmark-container):
        (audio::-webkit-media-controls-closed-captions-container li.selected .checkmark-container):
        (audio::-webkit-media-controls-closed-captions-container li.selected:hover .checkmark-container):
        (audio::-webkit-media-controls-closed-captions-container li.selected::before): Deleted.
        (audio::-webkit-media-controls-closed-captions-container li.selected:hover::before): Deleted.
        * Modules/mediacontrols/mediaControlsApple.js:
        (Controller.prototype.buildCaptionMenu):
        (Controller.prototype.):
        (Controller.prototype.getCurrentControlsStatus):

2016-02-03  Matthew Hanson

        Merge r196094.
        rdar://problem/24416768

2016-02-03  Matthew Hanson

        Merge r192570.
        rdar://problem/24417428

2015-11-18  Aaron Chu

        AX: Shadow DOM video player controls menus need aria-owns on the trigger buttons
        https://bugs.webkit.org/show_bug.cgi?id=127065

        Reviewed by Darin Adler.

        Test: media/accessibility-closed-captions-has-aria-owns.html

        * Modules/mediacontrols/mediaControlsApple.js:
        (Controller.prototype.createControls):
        (Controller.prototype.buildCaptionMenu):
        * Modules/mediacontrols/mediaControlsBase.js:
        (Controller.prototype.createControls):
        (Controller.prototype.buildCaptionMenu):

2016-01-31  Babak Shafiei

        Merge r195932.

2016-01-28  Babak Shafiei

        Merge r195751 and r195761.

2016-01-28  Babak Shafiei

        Merge r195607.

2016-01-27  Dean Jackson

        [iOS] Documents without an explicit width should not get fast tapping
        https://bugs.webkit.org/show_bug.cgi?id=153465

        Reviewed by Simon Fraser (and Wenson Hsieh).

        As the title says, documents that do not set a viewport should not get the fast
        click behaviour. There were complaints that we broke double-tap to scroll in
        ImageDocuments where the image was narrow and long.

        The fix is to just keep a flag that tells the UI process if the width was
        explicit. However, it turns out that those ImageDocuments are given an explicit
        device-width, which is fine for scaling but really should behave as auto for
        fast tapping. So we also need to tell the UIProcess if the viewport arguments
        came from an ImageDocument.

        Test: fast/events/ios/viewport-no-width-value-allows-double-tap.html

        * dom/ViewportArguments.cpp:
        (WebCore::findSizeValue): Add a parameter that toggles a flag if the size was
        explicitly set.
        (WebCore::setViewportFeature): Remember if the width was explicit.
        * dom/ViewportArguments.h: Add a widthWasExplicit flag.
        (WebCore::ViewportArguments::operator==):

2016-01-28  Babak Shafiei

        Follow-up fix for r195625.

2016-01-27  Babak Shafiei

        Merge r195625.

2016-01-26  Brady Eidson

        History.pushState causes intense memory pressure.
        https://bugs.webkit.org/show_bug.cgi?id=153435

        Reviewed by Sam Weinig, Oliver Hunt, and Geoff Garen.
        Tests: fast/loader/stateobjects/pushstate-frequency-iframe.html
               fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html
               fast/loader/stateobjects/pushstate-frequency.html
               fast/loader/stateobjects/replacestate-frequency-iframe.html
               fast/loader/stateobjects/replacestate-frequency-with-user-gesture.html
               fast/loader/stateobjects/replacestate-frequency.html
               loader/stateobjects/pushstate-size-iframe.html
               loader/stateobjects/pushstate-size.html
               loader/stateobjects/replacestate-size-iframe.html
               loader/stateobjects/replacestate-size.html

        Add restrictions on how frequently push/replaceState can be called, as well as
        how much of a cumulative payload they can deliver.

        * bindings/js/JSHistoryCustom.cpp:
        (WebCore::JSHistory::pushState):
        (WebCore::JSHistory::replaceState):
        * page/History.cpp:
        (WebCore::History::stateObjectAdded):
        * page/History.h:

2016-01-27  Babak Shafiei

        Merge r195671.

2016-01-26  Jer Noble

        Calling video.controls=true during a scrub operation cancels scrub.
        https://bugs.webkit.org/show_bug.cgi?id=153494

        Reviewed by Eric Carlson.

        Test: media/media-controls-drag-timeline-set-controls-property.html

        Verify that the video.controls attribute actually changed before tearing down
        and re-adding the media controls to the Shadow DOM.

        * Modules/mediacontrols/mediaControlsApple.js:
        (Controller.prototype.handleControlsChange):
        (Controller.prototype.hasControls):

2016-01-26  Matthew Hanson

        Merge r195606.
        rdar://problem/24243317

2016-01-25  Dave Hyatt

        Speculative fixes for crashing in viewportChangeAffectedPicture
        https://bugs.webkit.org/show_bug.cgi?id=153450

        Reviewed by Dean Jackson.

        Don't attach any conditions to the removal of a picture element from the
        document's HashSet. This ensures that if the condition is ever wrong for any
        reason, we'll still remove the picture element on destruction.

        Fix the media query evaluation to match the other evaluations (used by the
        preload scanner and HTMLImageElement).
        This includes using the document element's computed style instead of our own
        and also null checking the document element first. This is the likely cause of
        the crashes.

        * html/HTMLPictureElement.cpp:
        (WebCore::HTMLPictureElement::~HTMLPictureElement):
        (WebCore::HTMLPictureElement::didMoveToNewDocument):
        (WebCore::HTMLPictureElement::viewportChangeAffectedPicture):

2016-01-20  Andy Estes

        Re-enable synchronous popstate event for safari-601-branch
        https://bugs.webkit.org/show_bug.cgi?id=153297
        rdar://problem/24154417

        Reviewed by Brent Fulgham.

        r192369 made the popstate event dispatch asynchronously, which matches what the
        HTML5 spec says to do. However, due to compatibility regressions, we do not want
        to include this behavior change in safari-601-branch. This change reverts
        r192369's changes to Document.cpp, but retains the new tests.

        This change is intended only for safari-601-branch and its copies. The popstate
        event should remain asynchronous in trunk.

        Firing popstate synchronously makes both
        fast/loader/remove-iframe-during-history-navigation-different.html and
        fast/loader/remove-iframe-during-history-navigation-same.html crash, because
        their onpopstate handlers remove frames from the document that will later be
        accessed by HistoryController::recursiveGoToItem(). To prevent the crashes,
        this change does two things:

        1. Keep a reference to the current frame inside FrameLoader::loadSameDocumentItem(),
           since calling loadInSameDocument() might otherwise delete it.
        2. Handle a null frame when iterating a HistoryItem's child frames in
           HistoryController::recursiveGoToItem(), since calling goToItem() on one frame
           might cause another frame to be deleted.

        Covered by existing tests.
        fast/loader/stateobjects/popstate-is-asynchronous-expected.txt was updated to
        expect popstate to be synchronous.
        * dom/Document.cpp:
        (WebCore::Document::enqueuePopstateEvent):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::loadSameDocumentItem):
        * loader/HistoryController.cpp:
        (WebCore::HistoryController::recursiveGoToItem):

2016-01-25  Matthew Hanson

        Merge r195477.
        rdar://problem/24001780

2016-01-21  Sam Weinig

        Treat non-https actions on secure pages as mixed content
        https://bugs.webkit.org/show_bug.cgi?id=153322

        Reviewed by Alexey Proskuryakov.

        Tests: http/tests/security/mixedContent/insecure-form-in-iframe.html
               http/tests/security/mixedContent/insecure-form-in-main-frame.html
               http/tests/security/mixedContent/javascript-url-form-in-main-frame.html

        * html/HTMLFormElement.cpp:
        (WebCore::HTMLFormElement::parseAttribute): Check form actions for mixed content.
        * loader/MixedContentChecker.cpp:
        (WebCore::MixedContentChecker::checkFormForMixedContent):
        * loader/MixedContentChecker.h: Add new function to check and warn if a form's
        action is mixed content.

2016-01-25  Matthew Hanson

        Merge r195393.
        rdar://problem/24042909

2016-01-20  David Kilzer

        ResourceHandleCFURLConnectionDelegateWithOperationQueue delegate methods don't NULL-check m_handle->client()

        Reviewed by Brent Fulgham.
        * platform/network/cf/ResourceHandleCFURLConnectionDelegateWithOperationQueue.cpp:
        (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::didReceiveResponse):
        (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::didReceiveData):
        (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::didFinishLoading):
        (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::didFail):
        (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::willCacheResponse):
        (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::didSendBodyData):
        (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::didReceiveDataArray):
        - Add NULL check for m_handle->client() as is done in the
          WebCoreResourceHandleAsOperationQueueDelegate class in
          WebCoreResourceHandleAsOperationQueueDelegate.mm. (The NULL check for
          -connection:didReceiveResponse: is currently missing, but there are crashes
          there, too, that are covered by Bug 152673.)

2016-01-20  Matthew Hanson

        Merge r195150.
        rdar://problem/24208162

2016-01-15  Myles C. Maxfield

        [Cocoa] Font features are not applied to the system font
        https://bugs.webkit.org/show_bug.cgi?id=153053

        Reviewed by Dean Jackson.

        We simply need to call preparePlatformFont() on it.

        Test: fast/text/system-font-features.html

        * platform/graphics/cocoa/FontCacheCoreText.cpp:
        (WebCore::fontWithFamily):

2016-01-20  Babak Shafiei

        Merge r195132.

2016-01-15  Dave Hyatt

        Avoid downloading the wrong image for <picture> elements.
        https://bugs.webkit.org/show_bug.cgi?id=153027

        Reviewed by Dean Jackson.

        No tests, since they are always flaky.
        * html/HTMLImageElement.cpp:
        (WebCore::HTMLImageElement::HTMLImageElement):
        (WebCore::HTMLImageElement::~HTMLImageElement):
        (WebCore::HTMLImageElement::createForJSConstructor):
        (WebCore::HTMLImageElement::bestFitSourceFromPictureElement):
        (WebCore::HTMLImageElement::insertedInto):
        (WebCore::HTMLImageElement::removedFrom):
        (WebCore::HTMLImageElement::pictureElement):
        (WebCore::HTMLImageElement::setPictureElement):
        (WebCore::HTMLImageElement::width):
        * html/HTMLImageElement.h:
        (WebCore::HTMLImageElement::hasShadowControls):
        * html/HTMLPictureElement.h:
        * html/parser/HTMLConstructionSite.cpp:
        (WebCore::HTMLConstructionSite::createHTMLElement):
        * html/parser/HTMLPreloadScanner.cpp:
        (WebCore::TokenPreloadScanner::StartTagScanner::processAttribute):
        Images that are built underneath a <picture> element are now connected to that
        picture element via a setPictureNode call from the parser. This ensures that
        the correct elements are examined before checking the image. This connection
        between images and their picture owners is handled using a static HashMap in
        HTMLImageElement. This connection is made both from the parser and from DOM
        insertions, and the map is queried now instead of looking directly at the
        image's parentNode().

2016-01-20  Babak Shafiei

        Merge r195075.

2016-01-14  Daniel Bates

        Disallow use of Geolocation service from unique origins
        https://bugs.webkit.org/show_bug.cgi?id=153102

        Reviewed by Alexey Proskuryakov.

        Tests: fast/dom/Geolocation/dataURL-getCurrentPosition.html
               fast/dom/Geolocation/dataURL-watchPosition.html
               fast/dom/Geolocation/srcdoc-getCurrentPosition.html
               fast/dom/Geolocation/srcdoc-watchPosition.html
               http/tests/security/sandboxed-iframe-geolocation-getCurrentPosition.html
               http/tests/security/sandboxed-iframe-geolocation-watchPosition.html

        * Modules/geolocation/Geolocation.cpp:
        (WebCore::Geolocation::securityOrigin): Convenience function to get the
        SecurityOrigin object associated with this script execution context.
        (WebCore::Geolocation::startRequest): Notify requester POSITION_UNAVAILABLE
        when requested from a document with a unique origin.
        * Modules/geolocation/Geolocation.h:
        * page/SecurityOrigin.h:
        (WebCore::SecurityOrigin::canRequestGeolocation): Added.

2016-01-20  Babak Shafiei

        Merge r195162.

2016-01-15  Jiewen Tan

        FrameLoaderClient::didReceiveServerRedirectForProvisionalLoadForFrame() is never called when loading a main resource from the memory cache
        https://bugs.webkit.org/show_bug.cgi?id=152520

        Reviewed by Andy Estes.

        Test: http/tests/loading/server-redirect-for-provisional-load-caching.html

        * loader/DocumentLoader.cpp:
        (WebCore::DocumentLoader::responseReceived): Dispatch message to notify client
        that a cached resource was redirected. So, client can make proper actions to
        treat server side redirection.
        * loader/cache/CachedRawResource.h: Add a method to tell whether the cached
        resource was redirected.

2016-01-20  Timothy Hatcher

        CrashTracer: com.apple.WebKit.WebContent at …pector::CSSFrontendDispatcher::mediaQueryResultChanged + 316

        Reviewed by Joseph Pecoraro.

        * inspector/InspectorCSSAgent.cpp:
        (WebCore::InspectorCSSAgent::willDestroyFrontendAndBackend): Call disable().
        (WebCore::InspectorCSSAgent::mediaQueryResultChanged): Add null check.

2016-01-20  Matthew Hanson

        Merge r195088.
        rdar://problem/24101168

2016-01-14  Myles C. Maxfield

        Mixing Content Blocking of fonts and display:none rules causes battery drain
        https://bugs.webkit.org/show_bug.cgi?id=153051

        Reviewed by Alex Christensen.

        If we have applied a rule before and we are not applying it again, don't
        resolve the style again.

        Test: http/tests/contentextensions/font-display-none-repeated-layout.html

        * contentextensions/ContentExtensionStyleSheet.cpp:
        (WebCore::ContentExtensions::ContentExtensionStyleSheet::addDisplayNoneSelector):
        * contentextensions/ContentExtensionStyleSheet.h:
        * dom/ExtensionStyleSheets.cpp:
        (WebCore::ExtensionStyleSheets::addDisplayNoneSelector):

2016-01-20  Matthew Hanson

        Merge r195082.
        rdar://problem/23633319

2016-01-14  Simon Fraser

        Remove workaround for rdar://problem/23623670
        https://bugs.webkit.org/show_bug.cgi?id=153107
        rdar://problem/23633319

        Reviewed by Tim Horton.

        Remove the code that uses IOSurfaceAcceleratorTransformSurface() when copying
        from back-to-front buffer, now that the CGIOSurfaceContextCreate() code path
        works correctly.

        * platform/graphics/cocoa/IOSurface.h:
        * platform/graphics/cocoa/IOSurface.mm:
        (IOSurface::ensurePlatformContext):
        (IOSurface::copyToSurface): Deleted.

2016-01-20  Matthew Hanson

        Merge r188377.
        rdar://problem/24208161

2015-08-12  Myles C. Maxfield

        [Cocoa] [CJK-configured device] System font has vertical punctuation
        https://bugs.webkit.org/show_bug.cgi?id=147964

        Reviewed by Dean Jackson.

        GlyphPage::fill() has multiple code paths to accomplish its goal. It uses the
        shouldUseCoreText() helper function to determine which one of the paths should
        be taken. However, not all of the code paths in GlyphPage::fill() are able to
        handle all situations. Indeed, the CoreText code paths in GlyphPage::fill() are
        only able to handle the situations which shouldUseCoreText() returns true for.
        This happens in the following cases:

        1. If the font is a composite font
        2. If the font is used for text-combine
        3. If the font has vertical glyphs

        In r187693, I added one more case to this list: If the font is the system font.
        However, I failed to add the necessary support to GlyphPage::fill() for this
        case. Because of this, we just happened to fall into the case of vertical fonts
        (just by coincidence), which causes us to use
        CTFontGetVerticalGlyphsForCharacters() instead of CTFontGetGlyphsForCharacters().

        The solution is to adopt the same behavior we were using before r187693. Back
        then, we were using CGFontGetGlyphsForUnichars(), which always returned
        horizontal glyphs. We should simply adopt this same behavior, except in the
        Core Text case.
Therefore, this patch is just a simple check to see if we are using the system font when determining which Core Text function to use. Test: fast/text/system-font-punctuation.html * platform/graphics/FontDescription.h: (WebCore::FontDescription::setWidthVariant): * platform/graphics/FontPlatformData.h: (WebCore::FontPlatformData::isForTextCombine): * platform/graphics/mac/GlyphPageMac.cpp: (WebCore::shouldUseCoreText): (WebCore::GlyphPage::fill): * rendering/RenderCombineText.cpp: (WebCore::RenderCombineText::combineText): 2016-01-19 Matthew Hanson Merge r188263. rdar://problem/24208161 2015-08-11 Myles C. Maxfield [iOS] Arabic letter Yeh is drawn in LastResort https://bugs.webkit.org/show_bug.cgi?id=147862 Reviewed by Darin Adler. In order to perform font fallback, we must know which fonts support which characters. We perform this check by asking each font to map a sequence of codepoints to glyphs, and any glyphs which end up with a 0 value are unsupported by the font. One of the mechanisms that we use to do this is to combine the code points into a string, and tell Core Text to lay out the string. However, this is fundamentally a different operation than the one we are trying to perform. Strings combine adjacent codepoints into grapheme clusters, and CoreText operates on these. However, we are trying to gain information regarding codepoints, not grapheme clusters. Instead of taking this string-based approach, we should try harder to use Core Text functions which operate on ordered collections of characters, rather than strings. In particular, CTFontGetGlyphsForCharacters() and CTFontGetVerticalGlyphsForCharacters() have the behavior we want where any unmapped characters end up with a 0 value glyph. Previously, we were only using the result of those functions if they were successfully able to map their entire input. 
However, given the fact that we can degrade gracefully in the case of a partial mapping, we shouldn't need to bail completely to the string-based approach should a partial mapping occur. At some point we should delete the string-based approach entirely. However, this path is still explicitly used for composite fonts. Fixing that use case is out of scope for this patch. Test: fast/text/arabic-glyph-cache-fill-combine.html * platform/graphics/mac/GlyphPageMac.cpp: (WebCore::GlyphPage::fill): 2016-01-19 Matthew Hanson Merge r187693. rdar://problem/24208161 2015-07-31 Myles C. Maxfield [Cocoa] Latin quotes are used with the system font on Chinese devices https://bugs.webkit.org/show_bug.cgi?id=147504 Reviewed by Dean Jackson. The system font has some fancy logic regarding character selection which requires using Core Text for glyph selection. No new tests because tests can't change the system language of the device. * platform/graphics/mac/GlyphPageMac.cpp: (WebCore::shouldUseCoreText): 2016-01-13 Matthew Hanson Merge r194950. rdar://problem/23270886 2016-01-08 Andy Estes [Content Filtering] Lazily load platform frameworks https://bugs.webkit.org/show_bug.cgi?id=152881 rdar://problem/23270886 Reviewed by Brady Eidson. On Cocoa platforms, ContentFilter soft-links two frameworks that perform the underlying filtering operations. There is a one-time cost associated with the soft-linking, and the current design requires all clients to pay this cost whether or not they ever load a resource that is subject to filtering. Addressed this by deferring the loading of frameworks until it is known that a resource will require filtering. It is rather simple to defer the soft-linking at the PlatformContentFilter level, but doing this alone would mean that every CachedRawResourceClient callback would be routed through ContentFilter, even in the very common case where both platform content filters are disabled. 
This is because checking if a platform content filter is enabled involves loading its framework, so creating a ContentFilter (which DocumentLoader will add as the CachedRawResource client in place of itself) cannot be avoided by checking that all its platform content filters are disabled. Resolved this by inverting the relationship between ContentFilter and DocumentLoader. Instead of ContentFilter being the CachedRawResource's client and forwarding callbacks to DocumentLoader when one or more platform filters are enabled, DocumentLoader is now always the client and it forwards callbacks to ContentFilter. ContentFilter then returns a boolean value indicating whether or not DocumentLoader should proceed with each callback. New API test: ContentFiltering.LazilyLoadPlatformFrameworks * loader/ContentFilter.cpp: (WebCore::ContentFilter::create): Renamed from createIfEnabled(). Since the enabled check causes frameworks to be loaded, the check is skipped here and all types are always created. (WebCore::ContentFilter::continueAfterWillSendRequest): Renamed from willSendRequest(). Renamed requestCopy to originalRequest, and only created it for logging purposes. Since the copy was only used for logging purposes, request is now modified directly. Returned false if request is null. (WebCore::ContentFilter::continueAfterResponseReceived): Renamed from responseReceived(). Stopped asserting that resource is non-null, since it will be null in the case of substitute data loads. Stopped asserting that m_state is not Initialized, since that state was removed and the function can now be called in all states. Only logged if m_state is Filtering. Returned false if m_state is Blocked. (WebCore::ContentFilter::continueAfterDataReceived): Renamed from dataReceived(). Stopped asserting that resource is non-null and that m_state is Initialized, and moved the logging, for the same reasons as above. Returned false if m_state is Filtering or Blocked. 
(WebCore::ContentFilter::continueAfterNotifyFinished): Renamed from notifyFinished(). Stopped asserting that resource is non-null and that m_state is not Initialized, and moved the logging, for the same reasons as above. If m_state is not Blocked at this point, set m_state to Allowed in order for deliverResourceData() to not get caught in continueAfterDataReceived(). Returned false if m_state is Blocked or Stopped after delivering data. (WebCore::ContentFilter::createIfEnabled): Renamed to create(). (WebCore::ContentFilter::~ContentFilter): Stopped removing ourself as m_mainResource's client. (WebCore::ContentFilter::willSendRequest): Renamed to continueAfterWillSendRequest(). (WebCore::ContentFilter::startFilteringMainResource): Stopped adding ourself as m_mainResource's client. Stopped asserting that m_state is not Initialized and instead returned early if m_state is not Stopped. (WebCore::ContentFilter::stopFilteringMainResource): Stopped removing ourself as m_mainResource's client. (WebCore::ContentFilter::responseReceived): Renamed to continueAfterResponseReceived(). (WebCore::ContentFilter::dataReceived): Renamed to continueAfterDataReceived(). (WebCore::ContentFilter::redirectReceived): Removed. DocumentLoader now calls continueAfterWillSendRequest() directly on redirects. (WebCore::ContentFilter::notifyFinished): Renamed to continueAfterNotifyFinished(). (WebCore::ContentFilter::didDecide): Instead of calling DocumentLoader::contentFilterDidDecide(), called DocumentLoader::contentFilterDidBlock() when m_state is Blocked. (WebCore::ContentFilter::deliverResourceData): Asserted that m_state is Allowed. * loader/ContentFilter.h: Stopped inheriting from CachedRawResourceClient. Redeclared the CachedRawResourceClient virtual functions as the continue* functions mentioned above. Made State enum private and removed Initialized. Initialized m_state to Stopped and removed its getter. 
(WebCore::ContentFilter::type): Returned a ContentFilter::Type that does not include an enabled function. * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::notifyFinished): Returned early if ContentFilter::continueAfterNotifyFinished() returned false. (WebCore::DocumentLoader::willSendRequest): Called ContentFilter::continueAfterWillSendRequest() even for redirects, since ContentFilter is no longer a CachedRawResourceClient and so will no longer receive redirectReceived(). Returned early if continueAfterWillSendRequest() returns false. (WebCore::DocumentLoader::responseReceived): Returned early if ContentFilter::continueAfterResponseReceived() returned false. (WebCore::DocumentLoader::dataReceived): Ditto for ContentFilter::continueAfterDataReceived(). (WebCore::DocumentLoader::startLoadingMainResource): Called ContentFilter::create(), not createIfEnabled(). (WebCore::DocumentLoader::becomeMainResourceClient): Called ContentFilter::startFilteringMainResource() even if m_state is not Initialized. Added ourself as a client of m_mainResource unconditionally. (WebCore::DocumentLoader::contentFilterDidBlock): Renamed from contentFilterDidDecide. Removed assertions and the early return when m_state is Allowed, since the state is guaranteed to be Blocked. (WebCore::DocumentLoader::contentFilterDidDecide): Renamed to contentFilterDidBlock. * platform/cocoa/NetworkExtensionContentFilter.h: Moved definition of HAVE_NETWORK_EXTENSION to Platform.h so that this file doesn't need to become a Private header. Made enabled() private, and declared initialize(). * platform/cocoa/NetworkExtensionContentFilter.mm: (WebCore::NetworkExtensionContentFilter::initialize): Added a function to lazily initialize the object. (WebCore::NetworkExtensionContentFilter::willSendRequest): For the modern NEFilterSource, checked if it is enabled only after checking if the request is HTTP(S). If both checks pass, then called initialize(). 
(WebCore::NetworkExtensionContentFilter::responseReceived): Ditto for the legacy NEFilterSource. * platform/cocoa/ParentalControlsContentFilter.h: Made enabled() private. * platform/cocoa/ParentalControlsContentFilter.mm: (WebCore::ParentalControlsContentFilter::responseReceived): Checked if WebFilterEvaluator is enabled only after checking if the response is from a protocol that can be handled. * testing/MockContentFilter.cpp: (WebCore::MockContentFilter::willSendRequest): Immediately set m_status to Status::Allowed if !enabled(). * testing/MockContentFilter.h: Made enabled() private. 2016-01-13 Matthew Hanson Merge r194927. rdar://problem/24101173 2016-01-12 Daniel Bates XSS Auditor should navigate to empty substitute data on full page block https://bugs.webkit.org/show_bug.cgi?id=152868 Reviewed by David Kilzer and Andy Estes. Derived from Blink patch (by Tom Sepez ): Test: http/tests/security/xssAuditor/block-does-not-leak-that-page-was-blocked-using-empty-data-url.html * html/parser/XSSAuditorDelegate.cpp: (WebCore::XSSAuditorDelegate::didBlockScript): Modified to call NavigationScheduler::schedulePageBlock(). * loader/NavigationScheduler.cpp: (WebCore::ScheduledPageBlock::ScheduledPageBlock): Added. (WebCore::NavigationScheduler::schedulePageBlock): Navigate to empty substitute data with the same URL as the originating document. * loader/NavigationScheduler.h: 2016-01-13 Matthew Hanson Merge r194898. rdar://problem/24154420 2016-01-12 Antti Koivisto Don't reuse memory cache entries with different charset https://bugs.webkit.org/show_bug.cgi?id=110031 rdar://problem/13666418 Reviewed by Andreas Kling. Test: fast/loader/cache-encoding.html * loader/cache/CachedResourceLoader.cpp: (WebCore::CachedResourceLoader::requestResource): (WebCore::logResourceRevalidationDecision): (WebCore::CachedResourceLoader::determineRevalidationPolicy): Pass full CachedResourceRequest to the function. If charset differs don't reuse the cache entry. 
* loader/cache/CachedResourceLoader.h: 2016-01-13 Matthew Hanson Merge r194865. rdar://problem/24154421 2016-01-11 Dave Hyatt Picture element needs to work with the preload scanner and select the correct source element instead of loading the image. https://bugs.webkit.org/show_bug.cgi?id=152983 Reviewed by Dean Jackson. Added new tests in http/tests/loading. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::tagIdFor): (WebCore::TokenPreloadScanner::initiatorFor): (WebCore::TokenPreloadScanner::StartTagScanner::StartTagScanner): (WebCore::TokenPreloadScanner::StartTagScanner::processAttributes): (WebCore::TokenPreloadScanner::StartTagScanner::processImageAndScriptAttribute): (WebCore::TokenPreloadScanner::StartTagScanner::processAttribute): (WebCore::TokenPreloadScanner::StartTagScanner::resourceType): (WebCore::TokenPreloadScanner::scan): * html/parser/HTMLPreloadScanner.h: (WebCore::TokenPreloadScanner::setPredictedBaseElementURL): (WebCore::TokenPreloadScanner::inPicture): 2016-01-13 Matthew Hanson Merge r191180. rdar://problem/24154421 2015-10-16 Chris Dumez HTMLPreloadScanner should preload iframes https://bugs.webkit.org/show_bug.cgi?id=150097 Reviewed by Antti Koivisto. HTMLPreloadScanner should preload iframes to decrease page load time. Tests: - fast/preloader/frame-src.html - http/tests/loading/preload-no-store-frame-src.html * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::tagIdFor): (WebCore::TokenPreloadScanner::initiatorFor): (WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest): (WebCore::TokenPreloadScanner::StartTagScanner::processAttribute): (WebCore::TokenPreloadScanner::StartTagScanner::resourceType): (WebCore::TokenPreloadScanner::StartTagScanner::setUrlToLoad): Deleted. (WebCore::TokenPreloadScanner::StartTagScanner::charset): Deleted. * html/parser/HTMLPreloadScanner.h: 2016-01-13 Matthew Hanson Merge r190641. 
rdar://problem/24154421 2015-10-06 Chris Dumez Refactor TokenPreloadScanner::StartTagScanner::processAttribute() https://bugs.webkit.org/show_bug.cgi?id=149847 Reviewed by Antti Koivisto. Refactor TokenPreloadScanner::StartTagScanner::processAttribute() to only process attributes that make sense given the current tagId. In particular, - We only process the charset parameter if the tag is a link or a script. - We only process the sizes / srcset attributes if the tag is an img. * html/parser/HTMLPreloadScanner.cpp: (WebCore::TokenPreloadScanner::StartTagScanner::processAttribute): (WebCore::TokenPreloadScanner::StartTagScanner::setUrlToLoad): Deleted. 2016-01-11 Matthew Hanson Merge r194751. rdar://problem/24042915 2016-01-07 Brent Fulgham Correct missing EXT_sRGB Format Handling https://bugs.webkit.org/show_bug.cgi?id=152876 Reviewed by Alex Christensen. Tested by WebGL 1.0.4 suite. * platform/graphics/GraphicsContext3D.cpp: (getDataFormat): Handle missing SRGB and SRGB_ALPHA cases. * platform/graphics/GraphicsContext3D.h: Add missing SRGB_ALPHA value from the Khronos standard. * platform/graphics/opengl/GraphicsContext3DOpenGL.cpp: (WebCore::GraphicsContext3D::texImage2D): Add an assertion that we are not being handed an internal format to a method that works with normal formats. 2016-01-11 Matthew Hanson Merge r194750. rdar://problem/24074335 2016-01-07 Simon Fraser Use an appropriate buffer format for swipe snapshots https://bugs.webkit.org/show_bug.cgi?id=152880 rdar://problem/23728299 Reviewed by Tim Horton. Choose an appropriate buffer format for swipe snapshots, and avoid converting them to YUV422. * platform/graphics/cocoa/IOSurface.h: * platform/graphics/cocoa/IOSurface.mm: (IOSurface::allowConversionFromFormatToFormat): 2016-01-11 Matthew Hanson Merge r194667. 
rdar://problem/24074334 2016-01-06 Simon Fraser [iOS] Revert overflow:hidden on the body affecting viewport scale (r186786) https://bugs.webkit.org/show_bug.cgi?id=152803 rdar://problem/22242515 Reviewed by Tim Horton. You can't assume that if an author uses overflow:hidden on the body, they have no content outside the body that is important. Sites like Google Translate put abspos elements outside the body. So revert the change. * page/FrameView.cpp: (WebCore::FrameView::contentsSizeRespectingOverflow): Deleted. * page/FrameView.h: 2016-01-11 Matthew Hanson Merge r194666. rdar://problem/24101185 2016-01-06 Brent Fulgham Port blocking bypass issue using 307 redirect https://bugs.webkit.org/show_bug.cgi?id=152801 Reviewed by Anders Carlsson. Tested by http/tests/security/blocked-on-redirect.html. Make sure that 307 redirects check the requested URL via 'portAllowed'. * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::willSendRequest): Confirm that the requested port is valid, and block load if it is not. * loader/FrameLoader.cpp: (WebCore::FrameLoader::reportBlockedPortFailed): Added. (WebCore::FrameLoader::blockedError): Added. * loader/FrameLoader.h: 2016-01-11 Matthew Hanson Merge r194038. rdar://problem/24101170 2015-12-14 Daniel Bates [iOS] DOM click event may not be dispatched when page has :active style and https://bugs.webkit.org/show_bug.cgi?id=144451 Reviewed by Simon Fraser. Fixes an issue where a DOM click event is not dispatched to an element in a subframe on a page that has a and defines a CSS :active pseudo-class for the HTML body element. On iOS we only dispatch a DOM click event if the content of the page does not change as part of dispatching a DOM mousemove event at the tapped element as a means of providing a good user experience on web pages that reveal or hide content based on mouse hover. Currently we consider the content of the page to have changed if the visibility of any element on the page changes. 
In particular we consider the content of the page to have changed if the visibility of a user agent shadow DOM element changes (e.g. the search field cancel button). Instead we should only consider visibility changes to the actual web page content and ignore visibility changes to user agent shadow DOM elements. Tests: fast/events/can-click-element-on-page-with-active-pseudo-class-and-search-field.html fast/forms/search/search-cancel-button-visible-when-input-becomes-disabled.html fast/forms/search/search-cancel-button-visible-when-input-becomes-readonly.html fast/forms/search/search-cancel-in-formerly-invisible-element.html fast/forms/search/search-cancel-toggle-visibility-initially-hidden.html fast/forms/search/search-cancel-toggle-visibility-initially-visible.html * style/StyleResolveTree.cpp: (WebCore::Style::CheckForVisibilityChangeOnRecalcStyle::~CheckForVisibilityChangeOnRecalcStyle): Ignore visibility changes to user agent shadow DOM elements. 2016-01-11 Matthew Hanson Merge r192186. rdar://problem/24101174 2015-11-09 Joseph Pecoraro Web Inspector: $0 stops working after navigating to a different domain https://bugs.webkit.org/show_bug.cgi?id=147962 Reviewed by Brian Burg. Test: http/tests/inspector/console/cross-domain-inspected-node-access.html The inspector backend injects the CommandLineAPI Source with a corresponding CommandLineAPIHost into each execution context created by the page (main frame, sub frames, etc). When creating the JSValue wrapper for the CommandLineAPIHost using the generated toJS(...) DOM bindings, we were using the cached CommandLineAPIHost wrapper values in the single DOMWrapperWorld shared across all frames. This meant that the first time the wrapper was needed it was created in context A. But when needed for context B it was using the wrapper created in context A. Using this wrapper in context B was producing unexpected cross-origin warnings. 
The solution taken here, is to create a new JSValue wrapper for the CommandLineAPIHost per execution context. This way each time the CommandLineAPIHost wrapper is used in a frame, it is using the one created for that frame. The C++ host object being wrapped has a lifetime equivalent to the Page. It does not change in this patch. The wrapper values are cleared on page navigation or when the page is closed, and will be garbage collected. * WebCore.vcxproj/WebCore.vcxproj: * WebCore.vcxproj/WebCore.vcxproj.filters: * ForwardingHeaders/inspector/PerGlobalObjectWrapperWorld.h: Added. New forwarding header. * inspector/CommandLineAPIHost.h: * inspector/CommandLineAPIHost.cpp: (WebCore::CommandLineAPIHost::CommandLineAPIHost): (WebCore::CommandLineAPIHost::wrapper): Cached JSValue wrappers per GlobalObject. (WebCore::CommandLineAPIHost::clearAllWrappers): Clear any wrappers we have, including the $0 value itself which we weren't explicitly clearing previously. * inspector/CommandLineAPIModule.cpp: (WebCore::CommandLineAPIModule::host): Simplify creating the wrapper. * inspector/WebInjectedScriptManager.h: * inspector/WebInjectedScriptManager.cpp: (WebCore::WebInjectedScriptManager::discardInjectedScripts): When the main frame window object clears, also clear the CommandLineAPI wrappers we may have created. Also take this opportunity to clear any $0 value that may have pointed to a value in the previous page. 2016-01-08 Timothy Hatcher REGRESSION (193350): CrashTracer: [USER] com.apple.WebKit.WebContent at …: Inspector::CSSFrontendDispatcher::styleSheetRemoved + 768 Reviewed by Joseph Pecoraro. * inspector/InspectorCSSAgent.cpp: (WebCore::InspectorCSSAgent::setActiveStyleSheetsForDocument): Add null check before using m_frontendDispatcher. 2016-01-06 Matthew Hanson Merge r194485. rdar://problem/23978916 2015-12-22 Brent Fulgham [WebGL] Blacklisted OpenGL contexts are not safe to use https://bugs.webkit.org/show_bug.cgi?id=152513 Reviewed by Zalan Bujtas. 
When the GPU has blacklisted an OpenGL context, it is not safe to use -- even to attempt to release GL resources. Instead, our only correct behavior is to terminate the WebProcess. * platform/graphics/mac/GraphicsContext3DMac.mm: (WebCore::GraphicsContext3D::checkGPUStatusIfNecessary): If the context was lost because the GPU blacklisted it, terminate the process. 2016-01-06 Matthew Hanson Merge r194662. rdar://problem/24043055 2016-01-05 Matthew Hanson Merge for rdar://problem/24043055. * dom/EventDispatcher.cpp: (WebCore::EventPath::EventPath): Set the isMouseOrFocusEvent boolean flag to True if the event is a wheelEvent. 2015-12-21 Babak Shafiei Merge r194114. 2015-12-15 Myles C. Maxfield [Font Features] TrueType fonts trigger real features even when synthesis is applied https://bugs.webkit.org/show_bug.cgi?id=152287 Reviewed by Darin Adler. When using a font feature that is synthesizable, and synthesis is triggered, we should make sure to turn off the original font feature. Otherwise, the feature will be applied twice on top of itself. This worked for OpenType fonts, but not for TrueType fonts. Tests: css3/font-variant-petite-caps-synthesis.html css3/font-variant-small-caps-synthesis.html css3/font-variant-petite-caps-synthesis-coverage.html css3/font-variant-small-caps-synthesis-coverage.html * platform/graphics/cocoa/FontCocoa.mm: (WebCore::defaultSelectorForTrueTypeFeature): (WebCore::removedFeature): (WebCore::createCTFontWithoutSynthesizableFeatures): 2015-12-21 Babak Shafiei Merge r188802. 2015-08-21 Myles C. Maxfield [OS X] Remove dead code from FontCache::systemFallbackForCharacters() https://bugs.webkit.org/show_bug.cgi?id=148218 Reviewed by Daniel Bates. lookupCTFont() in FontCacheMac.mm will always return the best font (because CTFontCreateForCharactersWithLanguage() does so). Also, all fonts that will be created on WebKit's behalf are already printer fonts. No new tests because there is no behavior change. 
* platform/graphics/mac/FontCacheMac.mm: (WebCore::FontCache::systemFallbackForCharacters): Deleted. 2015-12-18 Matthew Hanson Merge r194206. rdar://problem/23824469 2015-12-16 Simon Fraser ViewportConfiguration functions should return a bool to say if anything changed https://bugs.webkit.org/show_bug.cgi?id=152353 Reviewed by Tim Horton. Rather than callers all checking whether setting ViewportConfiguration values changes state, have its functions return a bool if the values change. * page/ViewportConfiguration.cpp: (WebCore::ViewportConfiguration::setContentsSize): (WebCore::ViewportConfiguration::setMinimumLayoutSize): (WebCore::ViewportConfiguration::setViewportArguments): (WebCore::ViewportConfiguration::setCanIgnoreScalingConstraints): * page/ViewportConfiguration.h: (WebCore::ViewportConfiguration::setCanIgnoreScalingConstraints): Deleted. 2015-12-18 Babak Shafiei Merge r192582. 2015-11-18 Chris Dumez Null dereference in Performance::Performance(WebCore::Frame*) https://bugs.webkit.org/show_bug.cgi?id=151390 Reviewed by Brady Eidson. Based on the stack trace, it appears the DocumentLoader can be null when constructing the Performance object. This patch thus adds a null check before trying to dereference it. No new tests, was not able to reproduce. * page/DOMWindow.cpp: (WebCore::DOMWindow::navigator): (WebCore::DOMWindow::performance): * page/Performance.cpp: (WebCore::Performance::Performance): (WebCore::Performance::scriptExecutionContext): * page/Performance.h: 2015-12-17 Matthew Hanson Merge r191076. rdar://problem/23941411 2015-10-14 Andy Estes [iOS] QuickLook documents loaded over https do not load their subresources https://bugs.webkit.org/show_bug.cgi?id=150145 Reviewed by Alexey Proskuryakov. When QuickLook generates an HTML preview of a document, subresources are referenced using the x-apple-ql-id scheme, for which QuickLook installs an NSURLProtocol. 
If a document is loaded over https, then this scheme needs to be considered secure in order to avoid mixed content errors. Test: http/tests/quicklook/secure-document-with-subresources.html * platform/SchemeRegistry.cpp: (WebCore::secureSchemes): Registered QLPreviewProtocol() as a secure scheme. 2015-12-17 Matthew Hanson Merge r193932. rdar://problem/23903295 2015-12-10 Myles C. Maxfield [Font Features] r193894 introduces leaks https://bugs.webkit.org/show_bug.cgi?id=152154 Reviewed by Joe Pecoraro. * platform/graphics/cocoa/FontCocoa.mm: (WebCore::smallCapsTrueTypeDictionary): (WebCore::createCTFontWithoutSynthesizableFeatures): 2015-12-17 Matthew Hanson Merge r193894. rdar://problem/23769696 2015-12-10 Myles C. Maxfield font-variant-caps does not work if the font does not support font features https://bugs.webkit.org/show_bug.cgi?id=149774 Reviewed by Antti Koivisto. This test implements synthesis for small-caps and all-small-caps. It does so by moving font variant selection into a higher level (ComplexTextController). In general, the approach is to use the pure font feature until we encounter a character which needs to be uppercased, and which the font feature does not support uppercasing. In this situation, we try again with synthesis. In this case, synthesis means artificially uppercasing letters and rendering them with a smaller font. We require system support to know which glyphs a particular font feature supports. Therefore, on operating systems which do not include this support, we will simply say that the font feature does not support any glyphs. Test: css3/font-variant-small-caps-synthesis.html css3/font-variant-petite-caps-synthesis.html * platform/graphics/Font.cpp: (WebCore::Font::noSmallCapsFont): Return the same font, but without smcp or c2sc. This function utilizes a cache. * platform/graphics/Font.h: (WebCore::Font::variantFont): Small caps should never go through this function anymore. 
* platform/graphics/FontCascade.h: Because we're moving variant selection into a higher level, we remove the FontVariant argument from the lower-level call. * platform/graphics/FontCascadeFonts.cpp: (WebCore::FontCascadeFonts::glyphDataForVariant): Use early-return style. (WebCore::FontCascadeFonts::glyphDataForNormalVariant): Ditto. * platform/graphics/cocoa/FontCascadeCocoa.mm: (WebCore::FontCascade::fontForCombiningCharacterSequence): Because we're moving variant selection into a higher level, we remove the FontVariant argument from the lower-level call. * platform/graphics/cocoa/FontCocoa.mm: (WebCore::Font::smallCapsSupportsCharacter): (WebCore::Font::allSmallCapsSupportsCharacter): (WebCore::smallCapsOpenTypeDictionary): Helper function for smallCapsSupportsCharacter(). (WebCore::smallCapsTrueTypeDictionary): Ditto. (WebCore::unionBitVectors): (WebCore::Font::glyphsSupportedBySmallCaps): Compute a bit vector of supported glyphs. (WebCore::Font::glyphsSupportedByAllSmallCaps): Ditto. (WebCore::createDerivativeFont): Moving common code into its own helper function. (WebCore::Font::createFontWithoutSmallCaps): (WebCore::Font::platformCreateScaledFont): Use the common code. * platform/graphics/mac/ComplexTextController.cpp: (WebCore::capitalized): What is the capitalized form of a character? (WebCore::ComplexTextController::collectComplexTextRuns): Implement the core logic of this patch. This includes the retry when we encounter a character which is not supported by the font feature. * platform/spi/cocoa/CoreTextSPI.h: 2015-12-17 Babak Shafiei Merge r194209. 2015-12-16 Andy Estes [iOS] Block loading external stylesheets in the Content-Disposition: attachment sandbox https://bugs.webkit.org/show_bug.cgi?id=152375 Reviewed by Darin Adler. 
Tests: http/tests/contentdispositionattachmentsandbox/at-import-stylesheets-disabled.html http/tests/contentdispositionattachmentsandbox/external-stylesheets-disabled.html http/tests/contentdispositionattachmentsandbox/xml-stylesheet-processing-instructions-disabled.html * loader/cache/CachedResourceLoader.cpp: (WebCore::CachedResourceLoader::canRequest): Moved handling of CachedResource::MainResource to canRequestInContentDispositionAttachmentSandbox(). (WebCore::CachedResourceLoader::canRequestInContentDispositionAttachmentSandbox): In addition to handling CachedResource::MainResource, added handling for CachedResource::CSSStyleSheet. Added a FIXME asking whether we should handle other types of resources, too. * loader/cache/CachedResourceLoader.h: 2015-12-14 Matthew Hanson Merge r194001. rdar://problem/23814327 2015-12-11 Jiewen Tan Strip out Referer header when requesting subresources or following links for documents with "Content-Disposition: attachment" https://bugs.webkit.org/show_bug.cgi?id=152102 Reviewed by Andy Estes. Keep the ReferrerPolicy for a document as ReferrerPolicyNever if the document is loaded with "Content-Disposition: attachment". Test: http/tests/contentdispositionattachmentsandbox/subresource-request-not-include-referer-header.html * dom/Document.cpp: (WebCore::Document::processReferrerPolicy): (WebCore::Document::applyContentDispositionAttachmentSandbox): 2015-12-14 Matthew Hanson Merge r193885. rdar://problem/23860425 2015-12-09 Daniel Bates [iOS] Suspend and resume device motion and device orientation updates when page is hidden and visible, respectively https://bugs.webkit.org/show_bug.cgi?id=151840 Reviewed by Simon Fraser. * dom/Document.cpp: (WebCore::Document::suspendDeviceMotionAndOrientationUpdates): Added. (WebCore::Document::resumeDeviceMotionAndOrientationUpdates): Added. 
(WebCore::Document::platformSuspendOrStopActiveDOMObjects): Moved logic to suspend device motion and orientation updates from here to Document::suspendDeviceMotionAndOrientationUpdates(). (WebCore::Document::suspendActiveDOMObjects): Modified to call Document::suspendDeviceMotionAndOrientationUpdates(). (WebCore::Document::resumeActiveDOMObjects): Modified to call Document::resumeDeviceMotionAndOrientationUpdates(). * dom/Document.h: * page/Page.cpp: (WebCore::Page::setIsVisibleInternal): Suspend device motion and orientation updates when the page is hidden and resume updates when the page is visible. (WebCore::Page::suspendDeviceMotionAndOrientationUpdates): Added. (WebCore::Page::resumeDeviceMotionAndOrientationUpdates): Added. * page/Page.h: 2015-12-10 Matthew Hanson Merge r193876. rdar://problem/23305376 2015-12-09 Simon Fraser Adjust layer backing store format https://bugs.webkit.org/show_bug.cgi?id=152097 rdar://problem/23305376 Reviewed by Tim Horton. Call setBackingStoreFormat() on UIWebView tile grid layers, and on compositing layers which can allocate backing store. * platform/graphics/ca/cocoa/PlatformCALayerCocoa.mm: (WebCore::setBackingStoreFormat): (PlatformCALayerCocoa::commonInit): * platform/ios/LegacyTileGridTile.mm: (WebCore::setBackingStoreFormat): (WebCore::LegacyTileGridTile::LegacyTileGridTile): 2015-12-09 Matthew Hanson Merge r192712. rdar://problem/23814340 2015-11-20 Simon Fraser More deviceRGB color cleanup https://bugs.webkit.org/show_bug.cgi?id=151523 Reviewed by Tim Horton. Replace calls to deviceRGBColorSpaceRef() with sRGBColorSpaceRef(), and use sRGBColorSpaceRef() in a few places that were manually creating the colorspace. Also use cachedCGColor() in a more places that were manually constructing CGColorRefs from Colors. 
            * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
            (WebCore::MediaPlayerPrivateAVFoundationObjC::createImageForTimeInRect):
            (WebCore::createImageFromPixelBuffer):
            * platform/graphics/ca/cocoa/PlatformCAFiltersCocoa.mm:
            * platform/graphics/ca/cocoa/PlatformCALayerCocoa.mm:
            (PlatformCALayerCocoa::setBackgroundColor):
            (PlatformCALayerCocoa::setBorderColor):
            * platform/graphics/ca/cocoa/WebSystemBackdropLayer.mm:
            (-[WebLightSystemBackdropLayer init]):
            (-[WebDarkSystemBackdropLayer init]):
            * platform/graphics/cg/GradientCG.cpp:
            (WebCore::Gradient::platformGradient):
            * platform/graphics/cg/GraphicsContext3DCG.cpp:
            (WebCore::GraphicsContext3D::ImageExtractor::extractImage):
            (WebCore::GraphicsContext3D::paintToCanvas):
            * platform/graphics/cg/ImageBufferCG.cpp:
            (WebCore::ImageBuffer::copyImage):
            (WebCore::ImageBuffer::toDataURL):
            (WebCore::ImageDataToDataURL):
            * platform/graphics/mac/GraphicsContextMac.mm:
            (WebCore::linearRGBColorSpaceRef):
            * platform/graphics/mac/WebGLLayer.mm:
            (-[WebGLLayer copyImageSnapshotWithColorSpace:]):
            * platform/mediastream/mac/AVVideoCaptureSource.mm:
            (WebCore::AVVideoCaptureSource::currentFrameCGImage):
            * rendering/RenderThemeIOS.mm:
            (WebCore::drawRadialGradient):
            * rendering/RenderThemeMac.mm:
            (WebCore::RenderThemeMac::paintMenuListButtonGradients):
            (WebCore::RenderThemeMac::paintSliderTrack):

2015-12-11  Matthew Hanson

        Merge r193859. rdar://problem/23814345

    2015-12-09  David Hyatt

            Picture element needs to respond to dynamic viewport changes.
            https://bugs.webkit.org/show_bug.cgi?id=152013

            Reviewed by Dean Jackson.

            Added new tests in fast/picture.

            * css/MediaQueryEvaluator.cpp:
            (WebCore::MediaQueryEvaluator::evalCheckingViewportDependentResults): Add new evaluation method that
            adds viewport dependent results to a vector. A follow-up patch will refactor the style resolver code to
            use this function instead of the special style resolver one, in order to get rid of the code duplication.
            Tracked by https://bugs.webkit.org/show_bug.cgi?id=152089.

            * css/MediaQueryEvaluator.h:
            (WebCore::MediaQueryResult::MediaQueryResult):
            * css/StyleResolver.h:
            (WebCore::MediaQueryResult::MediaQueryResult): Deleted.
            Move MediaQueryResult into a header since it is used in multiple places now and not just by the style
            resolver.

            * dom/Document.cpp:
            (WebCore::Document::evaluateMediaQueryList):
            (WebCore::Document::checkViewportDependentPictures):
            (WebCore::Document::optimizedStyleSheetUpdateTimerFired):
            (WebCore::Document::applyContentDispositionAttachmentSandbox):
            (WebCore::Document::addViewportDependentPicture):
            (WebCore::Document::removeViewportDependentPicture):
            * dom/Document.h:
            The document now maintains a HashSet of viewport-dependent pictures, and it checks them whenever the
            viewport changes. If their media queries stay the same, then nothing happens. If they change, then the
            will go back and re-check all its elements to see what the new best candidate is.

            * html/HTMLImageElement.cpp:
            (WebCore::HTMLImageElement::bestFitSourceFromPictureElement): Revised to check for viewport dependencies
            and to cache viewport-dependent results on the elements. When a is found to be viewport-dependent (or
            not) it is also added to or removed from the document's set of tracked pictures.

            * html/HTMLPictureElement.cpp:
            (WebCore::HTMLPictureElement::HTMLPictureElement):
            (WebCore::HTMLPictureElement::~HTMLPictureElement):
            (WebCore::HTMLPictureElement::didMoveToNewDocument):
            (WebCore::HTMLPictureElement::create):
            (WebCore::HTMLPictureElement::sourcesChanged):
            (WebCore::HTMLPictureElement::viewportChangeAffectedPicture):
            * html/HTMLPictureElement.h:
            New caching of results and updating of the document HashSet when the picture gets destroyed or moves to
            a different document.

            * html/HTMLSourceElement.cpp:
            (WebCore::HTMLSourceElement::parseAttribute):
            * html/HTMLSourceElement.h:
            Cache the media attribute in a parsed form. A follow-up patch will improve the
