REGRESSION (r167879): Heap-use-after-free in WebCore::RenderFlexibleBox

[WebKit-https.git] / Source / WebCore / ChangeLog

2014-04-29  Manuel Rego Casasnovas  <rego@igalia.com>

        REGRESSION (r167879): Heap-use-after-free in WebCore::RenderFlexibleBox
        https://bugs.webkit.org/show_bug.cgi?id=132337

        Reviewed by Simon Fraser.

        From Blink r154582 by <jchaffraix@chromium.org>

        This is a regression from the changes in OrderIterator. The issue is
        that we don't invalidate our iterator when a child is removed. This
        means that we could hold onto free'd memory until the next layout
        when we will recompute the iterator.

        The solution is simple: just clear the memory when we remove a child.

        Note that RenderGrid is not impacted by this bug as we don't use the
        iterator outside layout yet, but if we do it at some point the very same
        problem will arise, so the same treatment was applied to the class.

        Test: fast/flexbox/order-iterator-crash.html

        * rendering/OrderIterator.cpp:
        (WebCore::OrderIterator::invalidate): Clear m_children Vector.
        * rendering/OrderIterator.h:
        (WebCore::OrderIteratorPopulator::OrderIteratorPopulator): Use
        invalidate() method.
        * rendering/RenderFlexibleBox.cpp:
        (WebCore::RenderFlexibleBox::removeChild): Invalidate m_orderIterator.
        * rendering/RenderFlexibleBox.h: Add removeChild() signature.
        * rendering/RenderGrid.cpp: Invalidate m_orderIterator.
        (WebCore::RenderGrid::removeChild):
        * rendering/RenderGrid.h: Add removeChild() header.

2014-04-29  Enrica Casucci  <enrica@apple.com>

        iOS build fix after http://trac.webkit.org/changeset/167937.
        Unreviewed.

        * rendering/RenderThemeIOS.mm:
        (WebCore::RenderThemeIOS::adjustButtonStyle):

2014-04-29  Hans Muller  <hmuller@adobe.com>

        [CSS Shapes] off-by-one error in Shape::createRasterShape()
        https://bugs.webkit.org/show_bug.cgi?id=132154

        Reviewed by Bem Jones-Bey.

        This is a port of a patch for a bug that was reported by and fixed in Blink by
        David Vest: https://codereview.chromium.org/237123002/.  Shape::createRasterShape()
        now consistently reports "end-point exclusive" intervals. Before the patch
        an entire row of pixels was above the shape-image-threshold, the interval's end
        index was reported as image.width. Now it's image.width + 1, which is consistent
        with the way the end index is reported if the last above threshold pixel is within
        an image row.

        Two existing tests were revised to account for this change.

        * rendering/shapes/RasterShape.cpp:
        (WebCore::RasterShape::getExcludedIntervals):
        * rendering/shapes/Shape.cpp:
        (WebCore::Shape::createRasterShape):

2014-04-29  Bem Jones-Bey  <bjonesbe@adobe.com>

        Wrap CSS length conversion arguments in an object
        https://bugs.webkit.org/show_bug.cgi?id=131552

        Reviewed by Andreas Kling.

        This patch introduces a class CSSToLengthConversionData to wrap the
        data required to convert CSS lengths to Lengths. This simplifies the
        plumbing that goes on whenever we need to resolve CSS lengths and
        makes it easier to update the arguments needed for resolving these (in
        particular adding a RenderView for resolving viewport units at style
        recalc time; removing the computingFontSize bool also appears
        possible).

        Note that the zoom argument, which was previously a float in some
        places and a double in others is now a float.

        This is a port of a Blink patch by timloh@chromium.org.

        No new tests, no behavior change.

        * CMakeLists.txt:
        * WebCore.vcxproj/WebCore.vcxproj:
        * WebCore.xcodeproj/project.pbxproj:
        * css/BasicShapeFunctions.cpp:
        (WebCore::convertToLength):
        (WebCore::convertToLengthSize):
        (WebCore::convertToCenterCoordinate):
        (WebCore::cssValueToBasicShapeRadius):
        (WebCore::basicShapeForValue):
        * css/BasicShapeFunctions.h:
        * css/CSSCalculationValue.cpp:
        (WebCore::CSSCalcValue::computeLengthPx):
        (WebCore::determineCategory):
        * css/CSSCalculationValue.h:
        (WebCore::CSSCalcValue::createCalculationValue):
        * css/CSSGradientValue.cpp:
        (WebCore::CSSGradientValue::addStops):
        (WebCore::positionFromValue):
        (WebCore::CSSGradientValue::computeEndPoint):
        (WebCore::CSSLinearGradientValue::createGradient):
        (WebCore::CSSRadialGradientValue::resolveRadius):
        (WebCore::CSSRadialGradientValue::createGradient):
        * css/CSSGradientValue.h:
        * css/CSSPrimitiveValue.cpp:
        (WebCore::CSSPrimitiveValue::computeLength):
        (WebCore::CSSPrimitiveValue::computeLengthDouble):
        * css/CSSPrimitiveValue.h:
        * css/CSSPrimitiveValueMappings.h:
        (WebCore::CSSPrimitiveValue::convertToLength):
        * css/CSSToLengthConversionData.cpp: Added.
        (WebCore::CSSToLengthConversionData::zoom):
        * css/CSSToLengthConversionData.h: Added.
        (WebCore::CSSToLengthConversionData::CSSToLengthConversionData):
        (WebCore::CSSToLengthConversionData::style):
        (WebCore::CSSToLengthConversionData::rootStyle):
        (WebCore::CSSToLengthConversionData::computingFontSize):
        (WebCore::CSSToLengthConversionData::copyWithAdjustedZoom):
        * css/CSSToStyleMap.cpp:
        (WebCore::CSSToStyleMap::CSSToStyleMap):
        (WebCore::CSSToStyleMap::mapFillSize):
        (WebCore::CSSToStyleMap::mapFillXPosition):
        (WebCore::CSSToStyleMap::mapFillYPosition):
        (WebCore::CSSToStyleMap::mapNinePieceImageQuad):
        * css/CSSToStyleMap.h:
        (WebCore::CSSToStyleMap::CSSToStyleMap): Deleted.
        * css/DeprecatedStyleBuilder.cpp:
        (WebCore::ApplyPropertyAuto::applyValue):
        (WebCore::ApplyPropertyClip::convertToLength):
        (WebCore::ApplyPropertyLength::applyValue):
        (WebCore::ApplyPropertyBorderRadius::applyValue):
        (WebCore::ApplyPropertyComputeLength::applyValue):
        (WebCore::ApplyPropertyFontSize::applyValue):
        (WebCore::csstoLengthConversionDataWithTextZoomFactor):
        (WebCore::ApplyPropertyMarqueeIncrement::applyValue):
        (WebCore::ApplyPropertyLineHeight::applyValue):
        (WebCore::ApplyPropertyLineHeightForIOSTextAutosizing::applyValue):
        (WebCore::ApplyPropertyWordSpacing::applyValue):
        (WebCore::ApplyPropertyPageSize::mmLength):
        (WebCore::ApplyPropertyPageSize::inchLength):
        (WebCore::ApplyPropertyPageSize::applyValue):
        (WebCore::ApplyPropertyVerticalAlign::applyValue):
        (WebCore::ApplyPropertyClipPath::applyValue):
        (WebCore::ApplyPropertyShape::applyValue):
        (WebCore::ApplyPropertyTextIndent::applyValue):
        * css/MediaQueryEvaluator.cpp:
        (WebCore::colorMediaFeatureEval):
        (WebCore::color_indexMediaFeatureEval):
        (WebCore::monochromeMediaFeatureEval):
        (WebCore::orientationMediaFeatureEval):
        (WebCore::aspect_ratioMediaFeatureEval):
        (WebCore::device_aspect_ratioMediaFeatureEval):
        (WebCore::device_pixel_ratioMediaFeatureEval):
        (WebCore::resolutionMediaFeatureEval):
        (WebCore::gridMediaFeatureEval):
        (WebCore::computeLength):
        (WebCore::device_heightMediaFeatureEval):
        (WebCore::device_widthMediaFeatureEval):
        (WebCore::heightMediaFeatureEval):
        (WebCore::widthMediaFeatureEval):
        (WebCore::min_colorMediaFeatureEval):
        (WebCore::max_colorMediaFeatureEval):
        (WebCore::min_color_indexMediaFeatureEval):
        (WebCore::max_color_indexMediaFeatureEval):
        (WebCore::min_monochromeMediaFeatureEval):
        (WebCore::max_monochromeMediaFeatureEval):
        (WebCore::min_aspect_ratioMediaFeatureEval):
        (WebCore::max_aspect_ratioMediaFeatureEval):
        (WebCore::min_device_aspect_ratioMediaFeatureEval):
        (WebCore::max_device_aspect_ratioMediaFeatureEval):
        (WebCore::min_device_pixel_ratioMediaFeatureEval):
        (WebCore::max_device_pixel_ratioMediaFeatureEval):
        (WebCore::min_heightMediaFeatureEval):
        (WebCore::max_heightMediaFeatureEval):
        (WebCore::min_widthMediaFeatureEval):
        (WebCore::max_widthMediaFeatureEval):
        (WebCore::min_device_heightMediaFeatureEval):
        (WebCore::max_device_heightMediaFeatureEval):
        (WebCore::min_device_widthMediaFeatureEval):
        (WebCore::max_device_widthMediaFeatureEval):
        (WebCore::min_resolutionMediaFeatureEval):
        (WebCore::max_resolutionMediaFeatureEval):
        (WebCore::animationMediaFeatureEval):
        (WebCore::transitionMediaFeatureEval):
        (WebCore::transform_2dMediaFeatureEval):
        (WebCore::transform_3dMediaFeatureEval):
        (WebCore::view_modeMediaFeatureEval):
        (WebCore::video_playable_inlineMediaFeatureEval):
        (WebCore::hoverMediaFeatureEval):
        (WebCore::pointerMediaFeatureEval):
        (WebCore::MediaQueryEvaluator::eval):
        * css/SVGCSSStyleSelector.cpp:
        (WebCore::StyleResolver::applySVGProperty):
        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::State::clear):
        (WebCore::StyleResolver::State::initForStyleResolve):
        (WebCore::StyleResolver::convertToIntLength):
        (WebCore::StyleResolver::convertToFloatLength):
        (WebCore::createGridTrackBreadth):
        (WebCore::StyleResolver::applyProperty):
        (WebCore::StyleResolver::createFilterOperations):
        * css/StyleResolver.h:
        (WebCore::StyleResolver::State::setStyle):
        (WebCore::StyleResolver::State::cssToLengthConversionData):
        * css/TransformFunctions.cpp:
        (WebCore::convertToFloatLength):
        (WebCore::transformsForValue):
        * css/TransformFunctions.h:
        * css/WebKitCSSMatrix.cpp:
        (WebCore::WebKitCSSMatrix::setMatrixValue):
        * rendering/RenderThemeIOS.mm:
        (WebCore::applyCommonButtonPaddingToStyle):
        (WebCore::RenderThemeIOS::adjustButtonStyle):

2014-04-29  Zoltan Horvath  <zoltan@webkit.org>

        [CSS Shapes] complex calc args for inset round vanish
        https://bugs.webkit.org/show_bug.cgi?id=132293

        Reviewed by Bem Jones-Bey.

        In order to use calc in the rounded parameters for inset shapes, we need
        to pass RenderStyle for the value creation as we did for the width arguments.
        Without taking RenderStyle into account, we hit an assert not reache
        in CSSPrimitiveValue::init in the debug builds.

        I've added new parsing test.

        * css/BasicShapeFunctions.cpp:
        (WebCore::valueForBasicShape):
        * css/CSSPrimitiveValue.cpp:
        (WebCore::CSSPrimitiveValue::CSSPrimitiveValue):
        (WebCore::CSSPrimitiveValue::init):
        * css/CSSPrimitiveValue.h:
        (WebCore::CSSPrimitiveValue::create):
        * css/CSSValuePool.h:
        (WebCore::CSSValuePool::createValue):

2014-04-29  Zoltan Horvath  <zoltan@webkit.org>

        [CSS Shapes] complex calc values for shape-margin return null for computed style
        https://bugs.webkit.org/show_bug.cgi?id=132313

        Reviewed by Bem Jones-Bey.

        We need to pass RenderStyle* to the cssValuePool when parsing
        shape-margin in order to use calc() as a parameter.

        I've added the new test case to parsing-shape-margin.html

        * css/CSSComputedStyleDeclaration.cpp:
        (WebCore::ComputedStyleExtractor::propertyValue):

2014-04-29  Chris Fleizach  <cfleizach@apple.com>

        AX: Row span info is wrong for table cells when a footer section is placed above a body section
        https://bugs.webkit.org/show_bug.cgi?id=131832

        Reviewed by Mario Sanchez Prada.

        If a <footer> section is placed before the body, it renders AX row information and order incorrectly.
        This also affects ARIA tables because they add their children by looking at renderer children, instead
        interrogating the RenderTable directly.

        Test: accessibility/table-with-footer-section-above-body.html

        * accessibility/AccessibilityARIAGrid.cpp:
        (WebCore::AccessibilityARIAGrid::addTableCellChild):
        (WebCore::AccessibilityARIAGrid::addChildren):
        * accessibility/AccessibilityTable.cpp:
        (WebCore::AccessibilityTable::addChildren):
        (WebCore::AccessibilityTable::addChildrenFromSection):
        * accessibility/AccessibilityTable.h:
        * accessibility/AccessibilityTableCell.cpp:
        (WebCore::AccessibilityTableCell::rowIndexRange):
        (WebCore::AccessibilityTableCell::columnIndexRange):

2014-04-29  Chris Fleizach  <cfleizach@apple.com>

        AX: SpeechSynthesisUtterance cannot addEventListener
        https://bugs.webkit.org/show_bug.cgi?id=132321

        Reviewed by Mario Sanchez Prada.

        Modified an existing test (speech-synthesis-speak.html) to use addEventTarget.

        * Modules/speech/SpeechSynthesisUtterance.idl:

2014-04-29  Hans Muller  <hmuller@adobe.com>

        [CSS Shapes] shape-outside polygon fails when first vertex is 0,0
        https://bugs.webkit.org/show_bug.cgi?id=132132

        Reviewed by Bem Jones-Bey.

        ShapeInterval now distinguishes between x1==x2 - isEmpty() and x1,x2 haven't been
        set yet - isUndefined(). Removed the ShapeInterval setX1() and setX2() methods, since
        they're no longer used.

        The polygon algorithm for computing excluded intervals now ignores horizontal
        edges. It also ignores edges whose lower vertex matches the top of the line, if
        the edge's Y direction is upwards (away from the top of the line). The rationale
        for this was explained here:
        http://hansmuller-webkit.blogspot.com/2012/11/revised-horizontal-box-algorithm.html

        Test: fast/shapes/shape-outside-floats/shape-outside-polygon-zero-vertex.html

        * rendering/shapes/PolygonShape.cpp:
        (WebCore::OffsetPolygonEdge::clippedEdgeXRange):
        (WebCore::PolygonShape::getExcludedIntervals):
        * rendering/shapes/ShapeInterval.h:
        (WebCore::ShapeInterval::ShapeInterval):
        (WebCore::ShapeInterval::isUndefined):
        (WebCore::ShapeInterval::x1):
        (WebCore::ShapeInterval::x2):
        (WebCore::ShapeInterval::width):
        (WebCore::ShapeInterval::isEmpty):
        (WebCore::ShapeInterval::setX1):
        (WebCore::ShapeInterval::setX2):
        (WebCore::ShapeInterval::overlaps):
        (WebCore::ShapeInterval::contains):
        (WebCore::ShapeInterval::unite):

2014-04-29  Andrei Bucur  <abucur@adobe.com>

        [CSS Regions] Fix getClientRects() for content nodes
        https://bugs.webkit.org/show_bug.cgi?id=117407

        Reviewed by David Hyatt.

        This patch modifies getClientRects() to return a list of fragments
        for a fragmented box instead of a single rectangle positioned inside
        the region where the box center would appear.

        The approach is to split the border box of the element in regions using
        the layout positioning. Then each fragment is mapped to the view coordinates
        and the result added to the list of rectangles. To preserve the originating
        region when mapping the fragment through the ancestor tree I've introduced
        the concept of a current region. The current region is stored inside a
        CurrentRenderRegionMaintainer object, created whenever an algorithm needing
        it needs to run. When the maintainer is destroyed, the cleanup is made
        automatically. The RenderFlowThread holds a pointer to this structure for
        easy access.

        Tests: fast/regions/cssom/client-rects-fixed-content.html
               fast/regions/cssom/client-rects-forced-breaks.html
               fast/regions/cssom/client-rects-inline-complex.html
               fast/regions/cssom/client-rects-inline.html
               fast/regions/cssom/client-rects-nested-regions.html
               fast/regions/cssom/client-rects-positioned.html
               fast/regions/cssom/client-rects-relative-position.html
               fast/regions/cssom/client-rects-simple-block.html
               fast/regions/cssom/client-rects-transforms.html
               fast/regions/cssom/client-rects-unsplittable-float.html

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::absoluteQuads): Split the box in fragments.
        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::absoluteQuads): Split the box in fragments.
        * rendering/RenderFlowThread.cpp:
        (WebCore::RenderFlowThread::RenderFlowThread):
        (WebCore::RenderFlowThread::mapFromFlowToRegion):
        (WebCore::RenderFlowThread::mapLocalToContainer):
        (WebCore::RenderFlowThread::currentRegion):
        * rendering/RenderFlowThread.h:
        * rendering/RenderNamedFlowFragment.cpp:
        (WebCore::RenderNamedFlowFragment::absoluteQuadsForBoxInRegion): Get
        the fragments for this box in the region.
        * rendering/RenderNamedFlowFragment.h:
        * rendering/RenderNamedFlowThread.cpp:
        (WebCore::RenderNamedFlowThread::absoluteQuadsForBox): Virtual function
        that can be used to implement fragments to client rects mapping.
        * rendering/RenderNamedFlowThread.h:
        * rendering/RenderRegion.cpp:
        (WebCore::RenderRegion::rectFlowPortionForBox): Small change to correctly
        map empty rectangles to containers.
        (WebCore::CurrentRenderRegionMaintainer::CurrentRenderRegionMaintainer):
        (WebCore::CurrentRenderRegionMaintainer::~CurrentRenderRegionMaintainer):
        * rendering/RenderRegion.h:
        (WebCore::RenderRegion::absoluteQuadsForBoxInRegion):
        (WebCore::CurrentRenderRegionMaintainer::region):

2014-04-29  Andrei Bucur  <abucur@adobe.com>

        Store the containing region map inside the flow thread
        https://bugs.webkit.org/show_bug.cgi?id=131647

        Reviewed by Mihnea Ovidenie.

        The patch moves the containing region map inside the flow thread where
        it can be better handled in case the region chain changes and the map
        needs to be cleared.

        As a result of this move we are able to also cleanup the lines region
        information of a block flow when it is removed from the tree.

        Test: fast/regions/inline-strike-through.html

        * rendering/InlineFlowBox.h:
        (WebCore::InlineFlowBox::InlineFlowBox):
        * rendering/RenderBlockLineLayout.cpp:
        (WebCore::RenderBlockFlow::addOverflowFromInlineChildren):
        * rendering/RenderFlowThread.cpp:
        (WebCore::RenderFlowThread::removeFlowChildInfo):
        (WebCore::RenderFlowThread::invalidateRegions):
        (WebCore::RenderFlowThread::removeLineRegionInfo):
        (WebCore::RenderFlowThread::checkLinesConsistency):
        (WebCore::RenderFlowThread::containingRegionMap):
        * rendering/RenderFlowThread.h:
        * rendering/RootInlineBox.cpp:
        (WebCore::containingRegionMap):
        (WebCore::RootInlineBox::~RootInlineBox):
        (WebCore::RootInlineBox::paint):
        (WebCore::RootInlineBox::containingRegion):
        (WebCore::RootInlineBox::clearContainingRegion):
        (WebCore::RootInlineBox::setContainingRegion):

2014-04-28  Benjamin Poulain  <benjamin@webkit.org>

        SelectorCodeGenerator::generateElementIsNthChild() leaks the parent register :nth-child() is non-filtering
        https://bugs.webkit.org/show_bug.cgi?id=132311

        Reviewed by Andreas Kling.

        In two cases, the parent register was never returned to the register allocator:
        -Non filtering selectors (the early return).
        -Non marking selectors (at the moment: only querySelector API).

        Unfortunately, generateElementIsNthChild() makes function call, which forces us to do this manual allocation
        of the parentElement register. Long term, I want RegisterAllocator and FunctionCall to have a special type for that.

        Test: fast/selectors/several-nth-child.html

        * cssjit/SelectorCompiler.cpp:
        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateElementIsNthChild):

2014-04-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        CSS JIT: backtracking with current / parent element for child
        https://bugs.webkit.org/show_bug.cgi?id=132057

        Reviewed by Benjamin Poulain.

        Calculate appropriate backtracking start height from the closest
        descendant. And at first, we use it for a simple optimization.

        1. When backtracking start height equals to current height, we
        can simply jump to a descendant element check phase.
        2. When backtracking start height equals to current height + 1, we
        can simply jump to a descendant element traversing phase.

        We can apply this optimization to fragments with adjacent combinators.
        But, in the meantime, we start to implement it for a fragment with
        child combinator.

        * cssjit/SelectorCompiler.cpp:
        (WebCore::SelectorCompiler::SelectorFragment::SelectorFragment):
        (WebCore::SelectorCompiler::TagNamePattern::TagNamePattern):
        (WebCore::SelectorCompiler::solveDescendantBacktrackingActionForChild):
        (WebCore::SelectorCompiler::solveBacktrackingAction):
        (WebCore::SelectorCompiler::equalTagNames):
        (WebCore::SelectorCompiler::equalTagNamePatterns):
        (WebCore::SelectorCompiler::computeBacktrackingStartHeightFromDescendant):
        (WebCore::SelectorCompiler::computeBacktrackingHeightFromDescendant):
        (WebCore::SelectorCompiler::requiresAdjacentTail):
        (WebCore::SelectorCompiler::requiresDescendantTail):
        (WebCore::SelectorCompiler::SelectorCodeGenerator::computeBacktrackingInformation):
        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateSelectorChecker):
        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateWalkToParentNode):
        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateWalkToParentElement):
        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateParentElementTreeWalker):
        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateAncestorTreeWalker):
        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateDirectAdjacentTreeWalker):
        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateIndirectAdjacentTreeWalker):
        (WebCore::SelectorCompiler::SelectorCodeGenerator::generateElementMatching):

2014-04-28  Benjamin Poulain  <bpoulain@apple.com>

        [iOS][WK2] Restore the scroll position and scale from the HistoryItem (mostly)
        https://bugs.webkit.org/show_bug.cgi?id=132307

        Reviewed by Simon Fraser.

        * WebCore.exp.in:

2014-04-28  Beth Dakin  <bdakin@apple.com>

        Scrollbars do not update properly when topContentInset changes dynamically
        https://bugs.webkit.org/show_bug.cgi?id=132309
        -and corresponding-
        <rdar://problem/16642232>

        Reviewed by Tim Horton.

        It is not sufficient to do a layout and call updateScrollbars(). We must also call 
        RenderLayerCompositor::frameViewDidChangeSize() in order to properly adjust the 
        size and position of all of the scrolling-related layers.
        * page/FrameView.cpp:
        (WebCore::FrameView::topContentInsetDidChange):

2014-04-28  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] event.offsetX/offsetY don't work correctly
        https://bugs.webkit.org/show_bug.cgi?id=132284

        Reviewed by Simon Fraser.

        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint):
        Change the code here to only trigger for CSS Regions and not for
        multi-column. Add a FIXME pointing out that the code is broken even for
        CSS regions.

         * rendering/RenderMultiColumnFlowThread.cpp:
        (WebCore::RenderMultiColumnFlowThread::mapAbsoluteToLocalPoint):
        Override mapAbsoluteToLocalPoint in order to guess a region and attempt
        to translate the point from that region to the flow thread local coordinate
        space.

        (WebCore::RenderMultiColumnFlowThread::physicalTranslationFromRegionToFlow):
        * rendering/RenderMultiColumnFlowThread.h:
        New helper function that just wraps calling the region's logical translation
        function and converting to/from physical coordinates.

2014-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167857.
        https://bugs.webkit.org/show_bug.cgi?id=132305

        the change was rolled out, roll out the new expectations as
        well (Requested by thorton on #webkit).

        Reverted changeset:

        "Unreviewed. Updating one bindings test baseline after
        r167855."
        http://trac.webkit.org/changeset/167857

2014-04-28  Dean Jackson  <dino@apple.com>

        [Mac] Use the animated version of setHighlighted on NSButtonCell where available
        https://bugs.webkit.org/show_bug.cgi?id=132295
        <rdar://problem/16747240>

        Reviewed by Beth Dakin.

        Like setState, there is an animated version of setHighlighted available.

        * platform/mac/ThemeMac.mm:
        (WebCore::updateStates): Use private version of _setHighlighted where possible.

2014-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167855.
        https://bugs.webkit.org/show_bug.cgi?id=132301

        Broke the windows build (Requested by bfulgham on #webkit).

        Reverted changeset:

        "ScriptExecutionContext::Task should work well with C++11
        lambdas"
        https://bugs.webkit.org/show_bug.cgi?id=129795
        http://trac.webkit.org/changeset/167855

2014-04-24  Andy Estes  <aestes@apple.com>

        [iOS] Implement WebQuickLookHandleClient for WebKit2
        https://bugs.webkit.org/show_bug.cgi?id=132157

        Reviewed by Darin Adler.

        * WebCore.exp.in: Exported QuickLookHandle::previewUTI().
        * platform/network/ios/QuickLook.h:
        * platform/network/ios/QuickLook.mm:
        (WebCore::QuickLookHandle::previewFileName): Changed to return a WTF::String.
        (WebCore::QuickLookHandle::previewUTI): Added.

2014-04-28  Chris Fleizach  <cfleizach@apple.com>

        REGRESSION: Intermittent crash in SpeechSynthesis::didFinishSpeaking
        https://bugs.webkit.org/show_bug.cgi?id=111613

        Reviewed by Mark Lam.

        I think it's possible that didFinishSpeaking ends up calling directly back into start speaking, and the utterance reference
        we were holding can get cleared, so protecting this should avoid a few asserts.

        * platform/mock/PlatformSpeechSynthesizerMock.cpp:
        (WebCore::PlatformSpeechSynthesizerMock::speakingFinished):

2014-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167871.
        https://bugs.webkit.org/show_bug.cgi?id=132290

        broke a newmulticol test (spanner-nested-dynamic) (Requested
        by thorton on #webkit).

        Reverted changeset:

        "Store the containing region map inside the flow thread"
        https://bugs.webkit.org/show_bug.cgi?id=131647
        http://trac.webkit.org/changeset/167871

2014-04-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167853.
        https://bugs.webkit.org/show_bug.cgi?id=132288

        caused crashes+timeouts+layout test failures described in the
        bug (Requested by thorton on #webkit).

        Reverted changeset:

        "Coalesce responses on network process side"
        https://bugs.webkit.org/show_bug.cgi?id=132229
        http://trac.webkit.org/changeset/167853

2014-04-24  Simon Fraser  <simon.fraser@apple.com>

        [iOS WK2] flickery scrolling with overflow-scrolling:touch
        https://bugs.webkit.org/show_bug.cgi?id=132150

        Reviewed by Tim Horton.

        Fix typo in a comment.

        * page/scrolling/AsyncScrollingCoordinator.cpp:
        (WebCore::AsyncScrollingCoordinator::scheduleUpdateScrollPositionAfterAsyncScroll):

2014-04-28  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Builtin cursors do not properly handle transparency
        https://bugs.webkit.org/show_bug.cgi?id=131866

        Reviewed by Gustavo Noronha Silva.

        Tested by ManualTests/cursor.html.

        * platform/gtk/CursorGtk.cpp:
        (WebCore::createNamedCursor): Instead of interpreting the source bitmap as an A1 image, use
        it as a 1-bit black and white image. We do this by:
            1. Painting the result to a full color image with transparency instead of an alpha-only surface.
            2. Masking a white background using the cursor alpha surface.
            3. Painting the black parts of the cursor by painting the source surface, where black pixels
            will be interpreted as full opaque pixels.

2014-04-28  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Update GObject DOM bindings symbols file.

        * bindings/gobject/webkitdom.symbols: Add missing symbols.

2014-04-28  Manuel Rego Casasnovas  <rego@igalia.com>

        OrderIterator refactoring to avoid extra loops
        https://bugs.webkit.org/show_bug.cgi?id=119061

        Reviewed by Darin Adler.

        This patch removes order values Vector and use a Vector of pairs instead. The pairs are formed by a child
        (RenderBox) and the index of this child. In addition, OrderIterator code is simplified.

        It provides a helper class OrderIteratorPopulator, used for manipulating the Vector directly. Which allows to
        consolidate the code into a single implementation across flexbox and grid. OrderIteratorPopulator part is based
        on a patch from Blink r153971 by <jchaffraix@chromium.org>.

        Current implementation is O(number of children * number of order values). Now it will just do a sort operation
        and then a regular loop. So if you have different order values in a flexbox or grid the performance will
        improve.

        Comparing results of perf-tests:
        * Layout/auto-grid-lots-of-data: ~0.5% worse.
        * Layout/fixed-grid-lots-of-data: ~0.5% worse.
        * Layout/fixed-grid-lots-of-data (setting 100 different order values): ~50% better.
        * Layout/flexbox-lots-of-data: ~5% better.

        No new tests, already covered by current tests.

        * rendering/OrderIterator.cpp:
        (WebCore::OrderIterator::currentChild): Return current child according to m_childrenIndex.
        (WebCore::OrderIterator::first): Initialize m_childrenIndex and return current child.
        (WebCore::OrderIterator::next): Increase m_childrenIndex and return current child.
        (WebCore::compareByOrderValueAndIndex): Sorts the Vector by order value and index.
        (WebCore::OrderIteratorPopulator::~OrderIteratorPopulator): Calls compareByOrderValueAndIndex() if there is any
        child with non default order value.
        (WebCore::OrderIteratorPopulator::collectChild): Adds the child and index to the Vector. Update
        m_allChildrenHaveDefaultOrderValue accordingly.
        (WebCore::OrderIterator::OrderIterator): Deleted.
        (WebCore::OrderIterator::setOrderValues): Deleted.
        (WebCore::OrderIterator::reset): Deleted.
        * rendering/OrderIterator.h:
        (WebCore::OrderIteratorPopulator::OrderIteratorPopulator): New helper class to manipulate the Vector.
        (WebCore::OrderIterator::currentChild): Deleted.
        * rendering/RenderFlexibleBox.cpp:
        (WebCore::RenderFlexibleBox::RenderFlexibleBox): Remove OrderIterator intialization.
        (WebCore::RenderFlexibleBox::layoutBlock): Remove unneeded code related to old OrderValues vector.
        (WebCore::RenderFlexibleBox::prepareOrderIteratorAndMargins): Populate OrderIterator using collectChild().
        (WebCore::RenderFlexibleBox::computeMainAxisPreferredSizes): Deleted.
        * rendering/RenderFlexibleBox.h: Rename computeMainAxisPreferredSizes() to prepareOrderIteratorAndMargins().
        * rendering/RenderGrid.cpp:
        (WebCore::RenderGrid::RenderGrid): Remove OrderIterator initialization.
        (WebCore::RenderGrid::populateExplicitGridAndOrderIterator): Populate OrderIterator using collectChild().

2014-04-28  Zan Dobersek  <zdobersek@igalia.com>

        std::bitset<>::test() does unnecessary bounds checks on CSSPropertyID bitsets
        https://bugs.webkit.org/show_bug.cgi?id=131685

        Reviewed by Darin Adler.

        Use std::bitset<>::operator[]() instead of std::bitset<>::test() to avoid
        bounds checks which are not necessary as long as a CSSPropertyID value is used.

        * css/CSSParser.cpp:
        (WebCore::filterProperties):
        * css/StyleProperties.cpp:
        (WebCore::StyleProperties::asText):
        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::CascadedProperties::hasProperty):
        (WebCore::StyleResolver::CascadedProperties::set):

2014-04-28  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] TextTrack kind and mode attributes are enums since r166180
        https://bugs.webkit.org/show_bug.cgi?id=132228

        Reviewed by Martin Robinson.

        Improve coding style according to review comments, that I forgot
        to do before landing previous commit.

        * bindings/gobject/WebKitDOMCustom.cpp:
        (webkit_dom_text_track_get_kind):
        (webkit_dom_text_track_get_mode):
        (webkit_dom_text_track_set_mode):

2014-04-28  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] TextTrack kind and mode attributes are enums since r166180
        https://bugs.webkit.org/show_bug.cgi?id=132228

        Reviewed by Martin Robinson.

        We don't support enum values yet in GObject DOM bindings, but they
        are internally strings anyway, so we can keep the old
        implementations using strings as custom functions until we
        properly support enums.

        * bindings/gobject/WebKitDOMCustom.cpp:
        (webkit_dom_text_track_get_kind):
        (webkit_dom_text_track_get_mode):
        (webkit_dom_text_track_set_mode):
        * bindings/gobject/WebKitDOMCustom.h:
        * bindings/gobject/WebKitDOMCustom.symbols:

2014-04-28  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] TextTrack::addCue can raise an exception since r163974
        https://bugs.webkit.org/show_bug.cgi?id=132227

        Reviewed by Martin Robinson.

        webkit_dom_text_track_add_cue() now receives a GError paramater
        which is an API break. Add
        webkit_dom_text_track_add_cue_with_error and keep
        webkit_dom_text_track_add_cue as deprecated to keep API
        compatibility.

        * bindings/gobject/WebKitDOMDeprecated.cpp:
        (webkit_dom_text_track_add_cue):
        * bindings/gobject/WebKitDOMDeprecated.h:
        * bindings/gobject/WebKitDOMDeprecated.symbols:
        * bindings/gobject/webkitdom.symbols:
        * bindings/scripts/CodeGeneratorGObject.pm:
        (GetEffectiveFunctionName):

2014-04-28  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] TextTrackCue API changed in r163649
        https://bugs.webkit.org/show_bug.cgi?id=132226

        Reviewed by Martin Robinson.

        TextTrackCue is now a base class and part of its API was moved to
        the derived class VTTCue. Update the GObject DOM bindings to keep
        backwards compatibility.

        * PlatformGTK.cmake: Generate bindings for DataCue and VTTCue.
        * bindings/gobject/WebKitDOMDeprecated.cpp:
        (webkit_dom_text_track_cue_get_cue_as_html): Mark as deprecated in
        favor of VTTCue API.
        (webkit_dom_text_track_cue_get_vertical): Ditto.
        (webkit_dom_text_track_cue_set_vertical): Ditto.
        (webkit_dom_text_track_cue_get_snap_to_lines): Ditto.
        (webkit_dom_text_track_cue_set_snap_to_lines): Ditto.
        (webkit_dom_text_track_cue_get_line): Ditto.
        (webkit_dom_text_track_cue_set_line): Ditto.
        (webkit_dom_text_track_cue_get_position): Ditto.
        (webkit_dom_text_track_cue_set_position): Ditto.
        (webkit_dom_text_track_cue_get_size): Ditto.
        (webkit_dom_text_track_cue_set_size): Ditto.
        (webkit_dom_text_track_cue_get_align): Ditto.
        (webkit_dom_text_track_cue_set_align): Ditto.
        (webkit_dom_text_track_cue_get_text): Ditto.
        (webkit_dom_text_track_cue_set_text): Ditto.
        * bindings/gobject/WebKitDOMDeprecated.h:
        * bindings/gobject/WebKitDOMDeprecated.symbols: Add new deprecated symbols.
        * bindings/gobject/WebKitDOMPrivate.cpp:
        (WebKit::wrap): Add generic wrap for TextTrackCue now that it's a
        base class to generate DataCue or VTTCue objects.
        * bindings/gobject/WebKitDOMPrivate.h:
        * bindings/gobject/webkitdom.symbols: Add DataCue symbols.
        * bindings/scripts/CodeGeneratorGObject.pm:
        (IsPolymorphic): Add TextTrackCue to the list of polymorphic classes.

2014-04-27  Andrei Bucur  <abucur@adobe.com>

        Store the containing region map inside the flow thread
        https://bugs.webkit.org/show_bug.cgi?id=131647

        Reviewed by Mihnea Ovidenie.

        The patch moves the containing region map inside the flow thread where
        it can be better handled in case the region chain changes and the map
        needs to be cleared.

        As a result of this move we are able to also cleanup the lines region
        information of a block flow when it is removed from the tree.

        Test: fast/regions/inline-strike-through.html

        * rendering/InlineFlowBox.h:
        (WebCore::InlineFlowBox::InlineFlowBox):
        * rendering/RenderBlockLineLayout.cpp:
        (WebCore::RenderBlockFlow::addOverflowFromInlineChildren):
        * rendering/RenderFlowThread.cpp:
        (WebCore::RenderFlowThread::removeFlowChildInfo):
        (WebCore::RenderFlowThread::invalidateRegions):
        (WebCore::RenderFlowThread::removeLineRegionInfo):
        (WebCore::RenderFlowThread::checkLinesConsistency):
        (WebCore::RenderFlowThread::containingRegionMap):
        * rendering/RenderFlowThread.h:
        * rendering/RootInlineBox.cpp:
        (WebCore::containingRegionMap):
        (WebCore::RootInlineBox::~RootInlineBox):
        (WebCore::RootInlineBox::paint):
        (WebCore::RootInlineBox::containingRegion):
        (WebCore::RootInlineBox::clearContainingRegion):
        (WebCore::RootInlineBox::setContainingRegion):

2014-04-27  Darin Adler  <darin@apple.com>

        REGRESSION (r159345): The hover state for links in the top navigation of Yahoo.com doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=132241
        rdar://problem/16501924

        Reviewed by Andreas Kling.

        Test: fast/text/simple-lines-hover-underline.html

        Checked that this does not hurt performance by running the
        run-perf-tests PerformanceTests/Layout/line-layout.html command before and after.

        * rendering/RenderBlockFlow.cpp:
        (WebCore::RenderBlockFlow::hitTestInlineChildren): Use simpleLineLayout function rather than
        getting at the data member directly.
        (WebCore::RenderBlockFlow::firstLineBaseline): Ditto.
        (WebCore::RenderBlockFlow::inlineBlockBaseline): Ditto.
        (WebCore::RenderBlockFlow::lineCount): Ditto.
        (WebCore::RenderBlockFlow::paintInlineChildren): Ditto.
        (WebCore::RenderBlockFlow::hasLines): Ditto.
        (WebCore::RenderBlockFlow::simpleLineLayout): Added logic to determine which path to use if
        m_lineLayoutPath is undetermined, and call createLineBoxes if it's not simple.
        (WebCore::RenderBlockFlow::ensureLineBoxes): Factored out most of the code into a new
        createLineBoxes function.
        (WebCore::RenderBlockFlow::createLineBoxes): Ditto.

        * rendering/RenderBlockFlow.h: Made simpleLineLayout function no longer an inline.
        Added a private createLineBoxes function.

2014-04-27  Praveen R Jadhav  <praveen.j@samsung.com>

        [MediaStream] .ended shouldn't be part of MediaStream IDL
        https://bugs.webkit.org/show_bug.cgi?id=132104

        Reviewed by Eric Carlson.

        .ended attribute is spec'ed out of MediaStream IDL. Instead, .active
        is introduced to handle more scenarios. This patch replaces all 'ended'
        attribute calls with corresponding 'active' attributes. 

        MediaStream-add-remove-tracks.html is updated.

        * Modules/mediastream/MediaStream.cpp:
        (WebCore::MediaStream::addTrack): Replaced ended() with active().
        (WebCore::MediaStream::removeTrack): setEnded() isn't called. setActive()
        is retained which propagates oninactive event.
        (WebCore::MediaStream::trackDidEnd): setEnded() isn't called.
        (WebCore::MediaStream::removeRemoteSource): Replaced ended() with active().
        (WebCore::MediaStream::addRemoteTrack): Replaced ended() with active().
        (WebCore::MediaStream::removeRemoteTrack): Replaced ended() with active().
        (WebCore::MediaStream::ended): Deleted.
        (WebCore::MediaStream::setEnded): Deleted.
        (WebCore::MediaStream::streamDidEnd): Deleted.
        * Modules/mediastream/MediaStream.h:
        * Modules/mediastream/MediaStream.idl:
        * Modules/mediastream/RTCPeerConnection.cpp:
        (WebCore::RTCPeerConnection::didRemoveRemoteStream): Replaced setEnded()
        with setActive().
        * platform/mediastream/MediaStreamPrivate.cpp:
        (WebCore::MediaStreamPrivate::MediaStreamPrivate):
        (WebCore::MediaStreamPrivate::setActive): Updated comment from bug 
        https://bugs.webkit.org/show_bug.cgi?id=131973
        (WebCore::MediaStreamPrivate::setEnded): Deleted.
        * platform/mediastream/MediaStreamPrivate.h:
        (WebCore::MediaStreamPrivate::ended): Deleted.

2014-04-25  Andy Estes  <aestes@apple.com>

        [iOS] Stop creating a WKWebResourceQuickLookDelegate for every WebResourceLoader
        https://bugs.webkit.org/show_bug.cgi?id=132215

        Reviewed by Dan Bernstein.

        * WebCore.exp.in: Moved QuickLook symbols to the USE(QUICK_LOOK) stanza.
        * platform/network/ios/QuickLook.h: Changed one of the create() overloads to no longer take a delegate argument.
        * platform/network/ios/QuickLook.mm: Moved WKWebResourceQuickLookDelegate to here and renamed to WebResourceLoaderQuickLookDelegate.
        (WebCore::QuickLookHandle::create): Created a WebResourceLoaderQuickLookDelegate only if QuickLook can handle the response.

2014-04-27  Sam Weinig  <sam@webkit.org>

        [iOS WebKit2] Add support for text autosizing
        <rdar://problem/16545245>
        https://bugs.webkit.org/show_bug.cgi?id=132237

        Reviewed by Tim Horton.

        Move text autosizing width from Frame to Page, as it is a Page level concept.

        * WebCore.exp.in:
        * page/Frame.cpp:
        (WebCore::Frame::textAutosizingWidth): Deleted.
        (WebCore::Frame::setTextAutosizingWidth): Deleted.
        * page/Frame.h:
        * page/FrameView.cpp:
        (WebCore::FrameView::layout):
        * page/Page.cpp:
        (WebCore::Page::Page):
        * page/Page.h:
        (WebCore::Page::textAutosizingWidth):
        (WebCore::Page::setTextAutosizingWidth):

2014-04-27  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Updating one bindings test baseline after r167855.

        * bindings/scripts/test/JS/JSTestCallback.cpp:
        (WebCore::JSTestCallback::~JSTestCallback):

2014-04-27  Darin Adler  <darin@apple.com>

        Webpages can trigger loads with invalid URLs
        https://bugs.webkit.org/show_bug.cgi?id=132224
        rdar://problem/16697142

        Reviewed by Alexey Proskuryakov.

        Invalid URLs can be a way to trick the user about what website they
        are looking at.  Still trying to figure out a good way to regression-test this.

        * dom/Document.cpp:
        (WebCore::Document::processHttpEquiv): Pass a URL rather than a String to
        the navigation scheduler.
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::receivedFirstData): Ditto.

        * loader/NavigationScheduler.cpp:
        (WebCore::ScheduledURLNavigation::ScheduledURLNavigation): Take a URL rather
        than a string.
        (WebCore::ScheduledURLNavigation::url): Ditto.
        (WebCore::ScheduledRedirect::ScheduledRedirect): Ditto.
        (WebCore::ScheduledLocationChange::ScheduledLocationChange): Ditto.
        (WebCore::ScheduledRefresh::ScheduledRefresh): Ditto.
        (WebCore::NavigationScheduler::shouldScheduleNavigation): Added a check that
        prevents navigation to any URL that is invalid, except for JavaScript URLs,
        which need not be valid.
        (WebCore::NavigationScheduler::scheduleRedirect): Use URL instead of String.
        (WebCore::NavigationScheduler::scheduleLocationChange): Use URL instead of
        String. Also got rid of empty string check since empty URLs are also invalid,
        and so shouldScheduleNavigation will take care of it.
        (WebCore::NavigationScheduler::scheduleRefresh): Use URL instead of String.

        * loader/NavigationScheduler.h: Take URL instead of String. Also removed some
        unneeded incldues and uses of WTF_MAKE_NONCOPYABLE. NavigationScheduler is
        already noncopyable because it has a reference for a data member, and the
        disabler doesn't have any real reason to be noncopyable.

        * loader/SubframeLoader.cpp:
        (WebCore::SubframeLoader::loadOrRedirectSubframe): Pass a URL rather than a
        String to the NavigationScheduler.
        * page/DOMWindow.cpp:
        (WebCore::DOMWindow::createWindow): Ditto.

        * page/SecurityOrigin.cpp:
        (WebCore::SecurityOrigin::urlWithUniqueSecurityOrigin): Return a URL instead
        of a String.
        * page/SecurityOrigin.h: Updated for above change.

2014-04-27  Zan Dobersek  <zdobersek@igalia.com>

        ScriptExecutionContext::Task should work well with C++11 lambdas
        https://bugs.webkit.org/show_bug.cgi?id=129795

        Reviewed by Darin Adler.

        Instead of having classes that subclass ScriptExecutionContext::Task and override
        the performTask(ScriptExecutionContext*) method, have the ScriptExecutionContext::Task
        take in a std::function<void (ScriptExecutionContext*)>-like object trough the constructor
        which would contain the code currently kept in the performTask() methods.

        This enables inlining C++11 lambdas into ScriptExecutionContext::postTask() calls. For
        cleanup tasks, the Task object can be implicitly constructed by using the initializer list
        constructor with the first argument being the ScriptExecutionContext::Task::CleanupTask tag.
        The ScriptExecutionContext class remains non-copyable and now stores the passed-in invokable
        object in the std::function wrapper, along with a boolean member that indicates whether the
        task is of cleanup nature.

        * Modules/quota/StorageErrorCallback.cpp:
        (WebCore::StorageErrorCallback::CallbackTask::CallbackTask):
        (WebCore::StorageErrorCallback::CallbackTask::performTask): Deleted.
        * Modules/quota/StorageErrorCallback.h:
        (WebCore::StorageErrorCallback::CallbackTask::create): Deleted.
        * Modules/webdatabase/Database.cpp:
        (WebCore::Database::~Database):
        (WebCore::Database::runTransaction):
        (WebCore::Database::scheduleTransactionCallback):
        (WebCore::DerefContextTask::create): Deleted.
        (WebCore::DerefContextTask::performTask): Deleted.
        (WebCore::DerefContextTask::isCleanupTask): Deleted.
        (WebCore::DerefContextTask::DerefContextTask): Deleted.
        (WebCore::callTransactionErrorCallback): Deleted.
        (WebCore::DeliverPendingCallbackTask::create): Deleted.
        (WebCore::DeliverPendingCallbackTask::performTask): Deleted.
        (WebCore::DeliverPendingCallbackTask::DeliverPendingCallbackTask): Deleted.
        * Modules/webdatabase/DatabaseManager.cpp:
        (WebCore::DatabaseManager::openDatabase):
        (WebCore::DatabaseCreationCallbackTask::create): Deleted.
        (WebCore::DatabaseCreationCallbackTask::performTask): Deleted.
        (WebCore::DatabaseCreationCallbackTask::DatabaseCreationCallbackTask): Deleted.
        * Modules/webdatabase/DatabaseSync.cpp:
        (WebCore::CloseSyncDatabaseOnContextThreadTask::create): Deleted.
        (WebCore::CloseSyncDatabaseOnContextThreadTask::performTask): Deleted.
        (WebCore::CloseSyncDatabaseOnContextThreadTask::CloseSyncDatabaseOnContextThreadTask): Deleted.
        * Modules/webdatabase/SQLCallbackWrapper.h:
        (WebCore::SQLCallbackWrapper::clear):
        (WebCore::SQLCallbackWrapper::SafeReleaseTask::create): Deleted.
        (WebCore::SQLCallbackWrapper::SafeReleaseTask::performTask): Deleted.
        (WebCore::SQLCallbackWrapper::SafeReleaseTask::isCleanupTask): Deleted.
        (WebCore::SQLCallbackWrapper::SafeReleaseTask::SafeReleaseTask): Deleted.
        * Modules/websockets/ThreadableWebSocketChannelClientWrapper.cpp:
        (WebCore::ThreadableWebSocketChannelClientWrapper::didConnect):
        (WebCore::ThreadableWebSocketChannelClientWrapper::didReceiveMessage):
        (WebCore::ThreadableWebSocketChannelClientWrapper::didReceiveBinaryData):
        (WebCore::ThreadableWebSocketChannelClientWrapper::didUpdateBufferedAmount):
        (WebCore::ThreadableWebSocketChannelClientWrapper::didStartClosingHandshake):
        (WebCore::ThreadableWebSocketChannelClientWrapper::didClose):
        (WebCore::ThreadableWebSocketChannelClientWrapper::didReceiveMessageError):
        (WebCore::ThreadableWebSocketChannelClientWrapper::processPendingTasks):
        * Modules/websockets/ThreadableWebSocketChannelClientWrapper.h:
        * Modules/websockets/WorkerThreadableWebSocketChannel.cpp:
        (WebCore::WorkerThreadableWebSocketChannel::Bridge::mainThreadInitialize):
        (WebCore::WorkerThreadableWebSocketChannel::mainThreadDestroy):
        (WebCore::WorkerThreadableWebSocketChannel::Bridge::disconnect):
        (WebCore::WorkerThreadableWebSocketChannel::WorkerGlobalScopeDidInitializeTask::create): Deleted.
        (WebCore::WorkerThreadableWebSocketChannel::WorkerGlobalScopeDidInitializeTask::~WorkerGlobalScopeDidInitializeTask): Deleted.
        (WebCore::WorkerThreadableWebSocketChannel::WorkerGlobalScopeDidInitializeTask::WorkerGlobalScopeDidInitializeTask): Deleted.
        * Modules/websockets/WorkerThreadableWebSocketChannel.h:
        * bindings/js/JSCallbackData.h:
        (WebCore::DeleteCallbackDataTask::DeleteCallbackDataTask):
        (WebCore::DeleteCallbackDataTask::create): Deleted.
        (WebCore::DeleteCallbackDataTask::performTask): Deleted.
        (WebCore::DeleteCallbackDataTask::isCleanupTask): Deleted.
        * bindings/js/JSDOMGlobalObjectTask.cpp:
        (WebCore::JSGlobalObjectTask::JSGlobalObjectTask):
        (WebCore::JSGlobalObjectTask::~JSGlobalObjectTask): Deleted.
        (WebCore::JSGlobalObjectTask::performTask): Deleted.
        * bindings/js/JSDOMGlobalObjectTask.h:
        * bindings/js/JSDOMWindowBase.cpp:
        (WebCore::JSDOMWindowBase::queueTaskToEventLoop):
        * bindings/js/JSWorkerGlobalScopeBase.cpp:
        (WebCore::JSWorkerGlobalScopeBase::queueTaskToEventLoop):
        * bindings/scripts/CodeGeneratorJS.pm:
        (GenerateCallbackImplementation):
        * dom/CrossThreadTask.h:
        (WebCore::CrossThreadTask1::performTask):
        (WebCore::CrossThreadTask2::performTask):
        (WebCore::CrossThreadTask3::performTask):
        (WebCore::CrossThreadTask4::performTask):
        (WebCore::CrossThreadTask5::performTask):
        (WebCore::CrossThreadTask6::performTask):
        (WebCore::CrossThreadTask7::performTask):
        (WebCore::CrossThreadTask8::performTask):
        (WebCore::createCallbackTask):
        (WebCore::CrossThreadTask1::create): Deleted.
        (WebCore::CrossThreadTask2::create): Deleted.
        (WebCore::CrossThreadTask3::create): Deleted.
        (WebCore::CrossThreadTask4::create): Deleted.
        (WebCore::CrossThreadTask5::create): Deleted.
        (WebCore::CrossThreadTask6::create): Deleted.
        (WebCore::CrossThreadTask7::create): Deleted.
        (WebCore::CrossThreadTask8::create): Deleted.
        * dom/Document.cpp:
        (WebCore::Document::addConsoleMessage):
        (WebCore::Document::addMessage):
        (WebCore::Document::postTask):
        (WebCore::Document::pendingTasksTimerFired):
        (WebCore::PerformTaskContext::PerformTaskContext): Deleted.
        (WebCore::Document::didReceiveTask): Deleted.
        * dom/Document.h:
        * dom/ScriptExecutionContext.cpp:
        (WebCore::ScriptExecutionContext::processMessagePortMessagesSoon):
        (WebCore::ScriptExecutionContext::timerAlignmentInterval):
        (WebCore::ProcessMessagesSoonTask::create): Deleted.
        (WebCore::ScriptExecutionContext::AddConsoleMessageTask::performTask): Deleted.
        (WebCore::ScriptExecutionContext::Task::~Task): Deleted.
        * dom/ScriptExecutionContext.h:
        (WebCore::ScriptExecutionContext::Task::Task):
        (WebCore::ScriptExecutionContext::Task::performTask):
        (WebCore::ScriptExecutionContext::Task::isCleanupTask):
        (WebCore::ScriptExecutionContext::AddConsoleMessageTask::AddConsoleMessageTask):
        (WebCore::ScriptExecutionContext::AddConsoleMessageTask::create): Deleted.
        * dom/StringCallback.cpp:
        (WebCore::StringCallback::scheduleCallback):
        * loader/appcache/ApplicationCacheGroup.cpp:
        (WebCore::ApplicationCacheGroup::postListenerTask):
        (WebCore::CallCacheListenerTask::create): Deleted.
        (WebCore::CallCacheListenerTask::CallCacheListenerTask): Deleted.
        * workers/DefaultSharedWorkerRepository.cpp:
        (WebCore::SharedWorkerProxy::postTaskToLoader):
        (WebCore::SharedWorkerProxy::postTaskForModeToWorkerGlobalScope):
        (WebCore::SharedWorkerConnectTask::SharedWorkerConnectTask):
        (WebCore::DefaultSharedWorkerRepository::workerScriptLoaded):
        (WebCore::DefaultSharedWorkerRepository::connectToWorker):
        (WebCore::SharedWorkerConnectTask::create): Deleted.
        (WebCore::SharedWorkerConnectTask::performTask): Deleted.
        * workers/WorkerEventQueue.cpp:
        (WebCore::WorkerEventQueue::EventDispatcher::EventDispatcher):
        (WebCore::WorkerEventQueue::EventDispatcher::~EventDispatcher):
        (WebCore::WorkerEventQueue::EventDispatcher::dispatch):
        (WebCore::WorkerEventQueue::enqueueEvent):
        (WebCore::WorkerEventQueue::cancelEvent):
        (WebCore::WorkerEventQueue::close):
        * workers/WorkerEventQueue.h:
        * workers/WorkerGlobalScope.cpp:
        (WebCore::WorkerGlobalScope::close):
        (WebCore::WorkerGlobalScope::postTask):
        (WebCore::WorkerGlobalScope::addConsoleMessage):
        (WebCore::WorkerGlobalScope::addMessage):
        (WebCore::CloseWorkerGlobalScopeTask::create): Deleted.
        (WebCore::CloseWorkerGlobalScopeTask::performTask): Deleted.
        (WebCore::CloseWorkerGlobalScopeTask::isCleanupTask): Deleted.
        * workers/WorkerGlobalScope.h:
        * workers/WorkerLoaderProxy.h:
        * workers/WorkerMessagingProxy.cpp:
        (WebCore::WorkerMessagingProxy::postMessageToWorkerObject):
        (WebCore::WorkerMessagingProxy::postMessageToWorkerGlobalScope):
        (WebCore::WorkerMessagingProxy::postTaskForModeToWorkerGlobalScope):
        (WebCore::WorkerMessagingProxy::postTaskToLoader):
        (WebCore::WorkerMessagingProxy::postExceptionToWorkerObject):
        (WebCore::WorkerMessagingProxy::workerThreadCreated):
        (WebCore::WorkerMessagingProxy::notifyNetworkStateChange):
        (WebCore::WorkerMessagingProxy::workerGlobalScopeDestroyed):
        (WebCore::WorkerMessagingProxy::workerGlobalScopeClosed):
        (WebCore::WorkerMessagingProxy::postMessageToPageInspector):
        (WebCore::WorkerMessagingProxy::confirmMessageFromWorkerObject):
        (WebCore::WorkerMessagingProxy::reportPendingActivity):
        (WebCore::MessageWorkerGlobalScopeTask::create): Deleted.
        (WebCore::MessageWorkerGlobalScopeTask::MessageWorkerGlobalScopeTask): Deleted.
        (WebCore::MessageWorkerGlobalScopeTask::performTask): Deleted.
        (WebCore::MessageWorkerTask::create): Deleted.
        (WebCore::MessageWorkerTask::MessageWorkerTask): Deleted.
        (WebCore::MessageWorkerTask::performTask): Deleted.
        (WebCore::WorkerExceptionTask::create): Deleted.
        (WebCore::WorkerExceptionTask::WorkerExceptionTask): Deleted.
        (WebCore::WorkerExceptionTask::performTask): Deleted.
        (WebCore::WorkerGlobalScopeDestroyedTask::create): Deleted.
        (WebCore::WorkerGlobalScopeDestroyedTask::WorkerGlobalScopeDestroyedTask): Deleted.
        (WebCore::WorkerGlobalScopeDestroyedTask::performTask): Deleted.
        (WebCore::WorkerTerminateTask::create): Deleted.
        (WebCore::WorkerTerminateTask::WorkerTerminateTask): Deleted.
        (WebCore::WorkerTerminateTask::performTask): Deleted.
        (WebCore::WorkerThreadActivityReportTask::create): Deleted.
        (WebCore::WorkerThreadActivityReportTask::WorkerThreadActivityReportTask): Deleted.
        (WebCore::WorkerThreadActivityReportTask::performTask): Deleted.
        (WebCore::PostMessageToPageInspectorTask::create): Deleted.
        (WebCore::PostMessageToPageInspectorTask::PostMessageToPageInspectorTask): Deleted.
        (WebCore::PostMessageToPageInspectorTask::performTask): Deleted.
        (WebCore::NotifyNetworkStateChangeTask::create): Deleted.
        (WebCore::NotifyNetworkStateChangeTask::NotifyNetworkStateChangeTask): Deleted.
        (WebCore::NotifyNetworkStateChangeTask::performTask): Deleted.
        * workers/WorkerMessagingProxy.h:
        * workers/WorkerRunLoop.cpp:
        (WebCore::WorkerRunLoop::postTask):
        (WebCore::WorkerRunLoop::postTaskAndTerminate):
        (WebCore::WorkerRunLoop::postTaskForMode):
        (WebCore::WorkerRunLoop::Task::create):
        (WebCore::WorkerRunLoop::Task::performTask):
        (WebCore::WorkerRunLoop::Task::Task):
        * workers/WorkerRunLoop.h:
        * workers/WorkerThread.cpp:
        (WebCore::WorkerThread::stop):
        (WebCore::WorkerThread::releaseFastMallocFreeMemoryInAllThreads):
        (WebCore::WorkerThreadShutdownFinishTask::create): Deleted.
        (WebCore::WorkerThreadShutdownFinishTask::performTask): Deleted.
        (WebCore::WorkerThreadShutdownFinishTask::isCleanupTask): Deleted.
        (WebCore::WorkerThreadShutdownStartTask::create): Deleted.
        (WebCore::WorkerThreadShutdownStartTask::performTask): Deleted.
        (WebCore::WorkerThreadShutdownStartTask::isCleanupTask): Deleted.

2014-04-27  Antti Koivisto  <antti@apple.com>

        Coalesce responses on network process side
        https://bugs.webkit.org/show_bug.cgi?id=132229

        Reviewed by Andreas Kling.

        * WebCore.exp.in:

2014-04-27  David Kilzer  <ddkilzer@apple.com>

        Roll out changes not part of the patch reviewed for Bug 132089
        <http://webkit.org/b/132089>

        * loader/SubframeLoader.cpp:
        (WebCore::SubframeLoader::loadOrRedirectSubframe):
        * page/DOMWindow.cpp:
        (WebCore::DOMWindow::setLocation):
        (WebCore::DOMWindow::createWindow):
        (WebCore::DOMWindow::open):

2014-04-26  Darin Adler  <darin@apple.com>

        Frame and page lifetime fixes in WebCore::createWindow
        https://bugs.webkit.org/show_bug.cgi?id=132089

        Reviewed by Sam Weinig.

        Speculative fix because I was unable to reproduce the crash that was
        reported with the test case attached to this bug.

        * loader/FrameLoader.cpp:
        (WebCore::createWindow): Changed code to remove the assumption that calls
        out will not destroy the page or frame. Use RefPtr for the frame, and
        added early exits if frame->page() becomes null at any point before we
        use a page pointer.

2014-04-26  Alexey Proskuryakov  <ap@apple.com>

        Local files should not be allowed to read pasteboard data during drag
        https://bugs.webkit.org/show_bug.cgi?id=131767

        Reviewed by Sam Weinig.

        Test: fast/files/local-file-drag-security.html

        * page/DragController.cpp:
        (WebCore::DragController::dragExited):
        (WebCore::DragController::tryDHTMLDrag):
        Make an old Dashboard quirk really Dashboard only.

2014-04-24  Darin Adler  <darin@apple.com>

        REGRESSION (r164133): Selection doesn't paint when scrolling some pages
        https://bugs.webkit.org/show_bug.cgi?id=132172
        rdar://problem/16719473

        Reviewed by Brent Fulgham.

        Tests: fast/dynamic/remove-invisible-node-inside-selection.html
               fast/dynamic/remove-node-inside-selection.html

        * editing/FrameSelection.cpp:
        (WebCore::clearRenderViewSelection): Changed to take a Node& because having
        this take a Position& was unnecessary and strange, when really it just needs
        to take a document as an argument.
        (WebCore::DragCaretController::nodeWillBeRemoved): Updated for the above.
        (WebCore::FrameSelection::respondToNodeModification): Added code to set the
        m_pendingSelectionUpdate flag and call RenderView::setNeedsLayout so the
        selection will be recomputed after it's temporarily cleared when one of
        the selected nodes is removed.

2014-04-25  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION (r167689): Hovering file name in a file input causes a crash
        https://bugs.webkit.org/show_bug.cgi?id=132214

        Reviewed by Andreas Kling.

        The bug was caused by callDefaultEventHandlersInTheBubblingOrder unconditionally
        accessing path.contextAt(0) even if the event path was empty.

        Fixed the bug by exiting early when the event path is empty.

        Test: fast/events/shadow-event-path-2.html

        * dom/EventDispatcher.cpp:
        (WebCore::callDefaultEventHandlersInTheBubblingOrder):

2014-04-25  Tim Horton  <timothy_horton@apple.com>

        REGRESSION (r167828): http/tests/media/hls/video-controls-live-stream.html fails

        * English.lproj/mediaControlsLocalizedStrings.js:
        Add 'Live Broadcast' to the localized strings list.

2014-04-25  Brady Eidson  <beidson@apple.com>

        Add a selection overlay.
        <rdar://problem/16727797> and https://bugs.webkit.org/show_bug.cgi?id=132200

        Reviewed by David Hyatt.

        No new tests (WK2 feature in development).

        * WebCore.xcodeproj/project.pbxproj:

        Add a SelectionRectGathterer class.
        It creates a Notifier (given a RenderView) then accepts Rects from the RenderView.
        When the Notifier is destroyed, the appropriate EditorClient is notified of the gathered rects.
        * editing/SelectionRectGatherer.cpp: Added.
        (WebCore::SelectionRectGatherer::SelectionRectGatherer):
        (WebCore::SelectionRectGatherer::addRect):
        (WebCore::SelectionRectGatherer::addRects):
        (WebCore::SelectionRectGatherer::Notifier::Notifier):
        (WebCore::SelectionRectGatherer::Notifier::~Notifier):
        (WebCore::SelectionRectGatherer::clearAndCreateNotifier):
        * editing/SelectionRectGatherer.h: Added.

        * page/EditorClient.h:
        (WebCore::EditorClient::selectionRectsDidChange):

        * rendering/RenderView.cpp:
        (WebCore::RenderView::RenderView):
        (WebCore::RenderView::setSelection): Clear the gatherer’s rects then create a Notifier.
        (WebCore::RenderView::setSubtreeSelection): Give all the selection rects to be painted to
          the SelectionRectGatherer.
        * rendering/RenderView.h:

2014-04-08  Jer Noble  <jer.noble@apple.com>

        Support "Live" streams in media controls.
        https://bugs.webkit.org/show_bug.cgi?id=131390

        Reviewed by Brent Fulgham.

        Test: http/tests/media/hls/video-controls-live-stream.html

        Support "Live" streams by adding an isLive property to our media controls.

        * Modules/mediacontrols/mediaControlsApple.css:
        (audio::-webkit-media-controls-status-display):
        (video:-webkit-full-screen::-webkit-media-controls-status-display):
        * Modules/mediacontrols/mediaControlsApple.js:
        (Controller): isLive defaults to false.
        (Controller.prototype.setIsLive): Set the isLive property and conditionally reconfigure the controls.
        (Controller.prototype.configureInlineControls): Don't add the timeline if we are live.
        (Controller.prototype.configureFullScreenControls): Ditto.
        (Controller.prototype.updateStatusDisplay): Added.
        (Controller.prototype.handleLoadStart): Call updateStatusDisplay().
        (Controller.prototype.handleError): Ditto.
        (Controller.prototype.handleAbort): Ditto.
        (Controller.prototype.handleSuspend): Ditto.
        (Controller.prototype.handleStalled): Ditto.
        (Controller.prototype.handleWaiting): Ditto.
        (Controller.prototype.updateDuration): Ditto.
        (Controller.prototype.updateReadyState): Ditto.

2014-04-25  Dean Jackson  <dino@apple.com>

        Allow a platform-specific size enumeration to be passed into popup-menu display
        https://bugs.webkit.org/show_bug.cgi?id=132195

        Reviewed by Brent Fulgham. With some in-person review comments from Sam Weinig.

        Platforms like OS X use a set of predefined sizes for built-in controls
        used for <select>: normal, small and mini. Expose that information to
        the PopupMenuClient via the PopupMenuStyle, allowing it to be passed
        into the platform code in WebKitSystemInterface.

        * platform/PopupMenuStyle.h: Add a menu size enum.
        (WebCore::PopupMenuStyle::PopupMenuStyle):
        (WebCore::PopupMenuStyle::menuSize):
        * platform/mac/WebCoreSystemInterface.h: Pass in NSControlSize as a parameter
        to WKPopupMenu.
        * platform/mac/WebCoreSystemInterface.mm: Ditto.
        * rendering/RenderMenuList.cpp:
        (RenderMenuList::menuStyle): Ask the RenderTheme to calculate the size
        of the menu button, so that it can be added to the PopupMenuStyle.
        * rendering/RenderTheme.h: New method to retrieve the menu size.
        (WebCore::RenderTheme::popupMenuSize): Convert an NSControlSize into a PopupMenuSize.
        * rendering/RenderThemeMac.h: Override the base function, and add a
        controlSizeForCell helper.
        * rendering/RenderThemeMac.mm:
        (WebCore::RenderThemeMac::controlSizeForCell): Used by this new
        code and the old setControlSizeForCell to calculate the NSControlSize
        that would be used for the button.
        (WebCore::RenderThemeMac::setControlSize): Call the new helper.
        (WebCore::RenderThemeMac::popupMenuSize): Return the value from the helper.

2014-04-25  Javier Fernandez  <jfernandez@igalia.com>

        REGRESSION(r167799): ASSERTION in parseGridTemplateShorthand in fast/css-grid-layout/grid-template-shorthand-get-set.html
        https://bugs.webkit.org/show_bug.cgi?id=132194

        Reviewed by Martin Robinson.

        Properly resolving the grid-template shorthand for the corresponding longhand
        properties.

        No new tests, grid-template-shorthand-get-set.html already covers this case.

        * css/StyleProperties.cpp:
        (WebCore::StyleProperties::getPropertyValue):
        * css/StylePropertyShorthand.cpp:
        (WebCore::shorthandForProperty):
        (WebCore::matchingShorthandsForLonghand):
        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::applyProperty):

2014-04-25  David Hyatt  <hyatt@apple.com>

        Column rules not respecting scroll offsets.
        https://bugs.webkit.org/show_bug.cgi?id=109683

        Reviewed by Dean Jackson.

        Added fast/multicol/scrolling-column-rules.html

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::paintColumnRules):
        Make paintColumnRules virtual so that it works with both column implementations.

        (WebCore::RenderBlock::paintObject):
        Changed to call paintColumnRules with the adjusted scroll offset and to do it after
        bailing on the root background only check.

        * rendering/RenderBlock.h:
        paintColumnRules is now virtual.

        * rendering/RenderBlockFlow.cpp:
        (WebCore::RenderBlockFlow::paintColumnRules):
        (WebCore::RenderBlockFlow::paintBoxDecorations): Deleted.
        * rendering/RenderBlockFlow.h:
        Got rid of paintBoxDecorations override since it failed when hasBoxDecorations was false
        anyway. Override paintColumnRules instead to paint at the right time.

2014-04-23  Jon Honeycutt  <jhoneycutt@apple.com>

        Crash applying editing commands from iframe onload event

        <https://bugs.webkit.org/show_bug.cgi?id=132103>
        <rdar://problem/15696351>

        This patch merges the Chromium bug workaround from
        <http://src.chromium.org/viewvc/blink?revision=162080&view=revision>,
        which prevents reentrancy in CompositeEditCommand::apply().

        Reviewed by Darin Adler.

        Test: editing/apply-style-iframe-crash.html

        * editing/CompositeEditCommand.cpp:
        (WebCore::HTMLNames::ReentrancyGuard::isRecursiveCall):
        (WebCore::HTMLNames::ReentrancyGuard::Scope::Scope):
        (WebCore::HTMLNames::ReentrancyGuard::Scope::~Scope):
        (WebCore::CompositeEditCommand::apply):
        If this is a recursive call, return early.

2014-04-25  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] fast/multicol/hit-test-* layout tests all fail
        https://bugs.webkit.org/show_bug.cgi?id=132081

        Reviewed by Dean Jackson.

        Added a bunch of tests in fast/multicol/newmulticol/compare-with-old-impl/hit-test-*.html

        * rendering/RenderBlock.h:
        Make offsetForContents public, since I need to call it from RenderMultiColumnSet.

        * rendering/RenderMultiColumnFlowThread.cpp:
        (WebCore::RenderMultiColumnFlowThread::populate):
        Stop an ASSERT in the new columns code on the hit tests by making sure layout state is
        disabled when moving children around.

        * rendering/RenderMultiColumnSet.cpp:
        (WebCore::RenderMultiColumnSet::positionForPoint):
        Refactor this function to call a helper function instead, translateRegionPointToFlowThread.

        (WebCore::RenderMultiColumnSet::translateRegionPointToFlowThread):
        This function is logical (unlike the mistaken physical function I first implemented in
        positionForPoint).

        (WebCore::RenderMultiColumnSet::updateHitTestResult):
        * rendering/RenderMultiColumnSet.h:
        Overridden to fill in the correct local coordinate when the HTML document is inside a paginated
        RenderView. Note that column spans don't actually work, but once we move over to a 
        non-column based pagination API, that will become irrelevant.

2014-04-25  Andreas Kling  <akling@apple.com>

        Mark some things with WTF_MAKE_FAST_ALLOCATED.
        <https://webkit.org/b/132198>

        Use FastMalloc for more things.

        Reviewed by Anders Carlsson.

        * bindings/js/ScriptController.h:
        * dom/DocumentOrderedMap.h:
        * inspector/InspectorCSSAgent.h:
        * inspector/InspectorDOMAgent.h:
        * inspector/InspectorDOMDebuggerAgent.h:
        * inspector/InspectorDOMStorageAgent.h:
        * inspector/InspectorDatabaseAgent.h:
        * inspector/InspectorLayerTreeAgent.h:
        * inspector/InspectorPageAgent.h:
        * inspector/InspectorResourceAgent.h:
        * inspector/InspectorTimelineAgent.h:
        * inspector/InspectorWorkerAgent.h:
        * inspector/PageRuntimeAgent.h:
        * loader/HistoryController.h:
        * page/DeviceClient.h:
        * page/DeviceController.h:
        * page/EventHandler.h:
        * page/Page.h:
        * page/scrolling/ScrollingStateNode.h:
        * platform/graphics/FontGenericFamilies.h:
        * platform/graphics/FontPlatformData.h:

2014-04-25  Radu Stavila  <stavila@adobe.com>

        [CSS Regions] Rename objectShouldPaintInFlowRegion to something more clear
        https://bugs.webkit.org/show_bug.cgi?id=132050

        Reviewed by Andreas Kling.

        The objectShouldPaintInFlowRegion is no longer used only by the painting process
        but also for hit-testing, so it was renamed to something more generic (objectShouldFragmentInFlowRegion).

        No new tests required, it's just a method rename.

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::paint):
        (WebCore::RenderBlock::selectionGaps):
        (WebCore::RenderBlock::nodeAtPoint):
        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::positionForPoint):
        * rendering/RenderFlowThread.cpp:
        (WebCore::RenderFlowThread::objectShouldFragmentInFlowRegion):
        (WebCore::RenderFlowThread::objectShouldPaintInFlowRegion): Deleted.
        * rendering/RenderFlowThread.h:
        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::paintLayer):
        (WebCore::RenderLayer::hitTestLayer):
        * rendering/RenderRegion.cpp:
        (WebCore::RenderRegion::ensureOverflowForBox):
        * rendering/RenderReplaced.cpp:
        (WebCore::RenderReplaced::shouldPaint):

2014-04-25  Enrica Casucci  <enrica@apple.com>

        iOS build fix after http://trac.webkit.org/changeset/167803
        Unreviewed.

        * page/Frame.cpp:
        (WebCore::Frame::checkOverflowScroll):
        * rendering/RenderBlock.cpp:
        (WebCore::positionForPointRespectingEditingBoundaries):

2014-04-24  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] Add support for offsetLeft and offsetTop.
        https://bugs.webkit.org/show_bug.cgi?id=132080

        Reviewed by Andrei Bucur.

        Added fast/multicol/client-spanners-complex.html and offset-top-left.html

        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::adjustedPositionRelativeToOffsetParent):
        Patch the offsetLeft/Top loop to handle calling into RenderMultiColumnFlowThread
        in order to adjust the coordinates for the new multicolumn layout.

        * rendering/RenderMultiColumnFlowThread.cpp:
        (WebCore::RenderMultiColumnFlowThread::mapFromFlowToRegion):
        Modified to use a helper that can be shared by offsetLeft/Top code. This code
        ran for client rects, and I'm moving/refactoring it for more sharing.

        (WebCore::RenderMultiColumnFlowThread::physicalTranslationOffsetFromFlowToRegion):
        (WebCore::RenderMultiColumnFlowThread::physicalTranslationFromFlowToRegion):
        * rendering/RenderMultiColumnFlowThread.h:
        New functions that beef up what was in mapFromFlowToRegion and fix some bugs
        with the translation code.

        * rendering/RenderMultiColumnSet.cpp:
        (WebCore::RenderMultiColumnSet::columnTranslationForOffset):
        Patched to factor in the flow thread portion rect of the specific multicolumn set.

        * rendering/RenderObject.h:
        (WebCore::RenderObject::isRenderMultiColumnFlowThread):
        Added for toRenderMultiColumnFlowThread capability.

2014-04-25  Brent Fulgham  <bfulgham@apple.com>

        ScrollingCoordinator is unaware of topContentInset
        https://bugs.webkit.org/show_bug.cgi?id=132158
        <rdar://problem/16706152>

        Reviewed by Darin Adler.

        Test: platform/mac/fast/scrolling/scroll-select-bottom-test.html

        The calculation of non-fast-scrollable regions does not currently take
        the topContentOffset into account. Consequently, the logic that decides
        whether to stay on the scrolling thread, or drop down to an individual
        page element, can make the wrong choice. This is especially true for
        small scrollable regions (such as <select> elements), where the
        topContentInset may be quite close to the size of the scrollable
         element itself.

        * page/scrolling/ScrollingCoordinator.cpp:
        (WebCore::ScrollingCoordinator::computeNonFastScrollableRegion): Also
        include the topContentInset value in our calculation.

2014-04-25  Javier Fernandez  <jfernandez@igalia.com>

        REGRESSION(r167799): Breaks debug build
        https://bugs.webkit.org/show_bug.cgi?id=132194

        Reviewed by Andrei Bucur.

        Fix the debug bots after r167799

        No new tests, no new functionality.

        * css/CSSParser.cpp:
        (WebCore::CSSParser::parseGridTemplateShorthand):

2014-04-25  Miyoung Shin  <myid.shin@samsung.com>

        Web process is crashed during dispatching touchEvent created by JS.
        https://bugs.webkit.org/show_bug.cgi?id=113225

        Reviewed by Benjamin Poulain.

        TouchEvent created by JS should have the necessary attributes
        of touches, targetTouches and changedTouches.
        It should be verified weather there are touchLists before dispatching touch event.

        Test: fast/events/touch/create-touch-event-without-touchList.html

        * dom/EventDispatcher.cpp:
        (WebCore::EventDispatcher::dispatchEvent):
        (WebCore::EventPath::updateTouchLists):
        (WebCore::addRelatedNodeResolversForTouchList): Deleted.

2014-04-25  Philippe Normand  <pnormand@igalia.com>

        [GTK] File webkitRelativePath attribute was removed in r163483
        https://bugs.webkit.org/show_bug.cgi?id=132193

        Reviewed by Carlos Garcia Campos.

        Add the removed getter as deprecated API to keep backwards compatibility.

        * bindings/gobject/WebKitDOMDeprecated.cpp:
        (webkit_dom_file_get_webkit_relative_path):
        * bindings/gobject/WebKitDOMDeprecated.h:
        * bindings/gobject/WebKitDOMDeprecated.symbols:

2014-04-25  Radu Stavila  <stavila@adobe.com>

        [CSS Regions] Overflow selection doesn't work properly
        https://bugs.webkit.org/show_bug.cgi?id=130715

        Reviewed by David Hyatt.

        When hit-testing, painting block selection gaps and searching for the node at a specific point inside a flow thread,
        the region range of the box being checked must be validated in order to not return false positives. Otherwise, hit-testing
        at the top of region B could hit elements that overflow the bottom of region A.

        Tests: fast/regions/selection-in-overflow-hit-testing.html
               fast/regions/selection-in-overflow.html
               fast/regions/selection-in-text-after-overflow-hit-testing.html

        * accessibility/AccessibilityRenderObject.cpp:
        (WebCore::AccessibilityRenderObject::visiblePositionRangeForLine):
        (WebCore::AccessibilityRenderObject::visiblePositionForPoint):
        * dom/Document.cpp:
        (WebCore::Document::caretRangeFromPoint):
        * editing/FrameSelection.cpp:
        (WebCore::FrameSelection::contains):
        * editing/VisibleUnits.cpp:
        (WebCore::previousLinePosition):
        (WebCore::nextLinePosition):
        * page/EventHandler.cpp:
        (WebCore::EventHandler::selectClosestWordFromHitTestResult):
        (WebCore::EventHandler::selectClosestWordOrLinkFromMouseEvent):
        (WebCore::EventHandler::handleMousePressEventTripleClick):
        (WebCore::EventHandler::handleMousePressEventSingleClick):
        (WebCore::selectionExtentRespectingEditingBoundary):
        (WebCore::EventHandler::updateSelectionForMouseDrag):
        (WebCore::EventHandler::handleMouseReleaseEvent):
        * page/Frame.cpp:
        (WebCore::Frame::visiblePositionForPoint):
        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::selectionGaps):
        (WebCore::RenderBlock::nodeAtPoint):
        (WebCore::positionForPointRespectingEditingBoundaries):
        (WebCore::RenderBlock::positionForPointWithInlineChildren):
        (WebCore::isChildHitTestCandidate):
        (WebCore::RenderBlock::positionForPoint):
        * rendering/RenderBlock.h:
        * rendering/RenderBlockFlow.cpp:
        (WebCore::RenderBlockFlow::positionForPointWithInlineChildren):
        (WebCore::RenderBlockFlow::positionForPoint):
        * rendering/RenderBlockFlow.h:
        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::positionForPoint):
        * rendering/RenderBox.h:
        * rendering/RenderFileUploadControl.cpp:
        (WebCore::RenderFileUploadControl::positionForPoint):
        * rendering/RenderFileUploadControl.h:
        * rendering/RenderInline.cpp:
        (WebCore::RenderInline::positionForPoint):
        * rendering/RenderInline.h:
        * rendering/RenderLineBreak.cpp:
        (WebCore::RenderLineBreak::positionForPoint):
        * rendering/RenderLineBreak.h:
        * rendering/RenderMultiColumnSet.cpp:
        (WebCore::RenderMultiColumnSet::positionForPoint):
        * rendering/RenderMultiColumnSet.h:
        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::positionForPoint):
        * rendering/RenderObject.h:
        * rendering/RenderRegion.cpp:
        (WebCore::RenderRegion::positionForPoint):
        * rendering/RenderRegion.h:
        * rendering/RenderReplaced.cpp:
        (WebCore::RenderReplaced::positionForPoint):
        * rendering/RenderReplaced.h:
        * rendering/RenderText.cpp:
        (WebCore::RenderText::positionForPoint):
        * rendering/RenderText.h:
        * rendering/svg/RenderSVGInlineText.cpp:
        (WebCore::RenderSVGInlineText::positionForPoint):
        * rendering/svg/RenderSVGInlineText.h:
        * rendering/svg/RenderSVGText.cpp:
        (WebCore::RenderSVGText::positionForPoint):
        * rendering/svg/RenderSVGText.h:

2014-04-25  Philippe Normand  <pnormand@igalia.com>

        [GTK] Iframe seamless support was removed in r163427
        https://bugs.webkit.org/show_bug.cgi?id=132192

        Reviewed by Carlos Garcia Campos.

        Add the removed get and set methods as deprecated API to keep
        backwards compatibility.

        * bindings/gobject/WebKitDOMDeprecated.cpp:
        (webkit_dom_processing_instruction_set_data):
        (webkit_dom_html_iframe_element_get_seamless):
        (webkit_dom_html_iframe_element_set_seamless):
        * bindings/gobject/WebKitDOMDeprecated.h:
        * bindings/gobject/WebKitDOMDeprecated.symbols:

2014-04-25  Philippe Normand  <pnormand@igalia.com>

        [GTK] HTMLInputElement webkitdirectory property was removed in r163483
        https://bugs.webkit.org/show_bug.cgi?id=132191

        Reviewed by Carlos Garcia Campos.

        Add the removed get and set methods as deprecated API to keep
        backwards compatibility.

        * bindings/gobject/WebKitDOMDeprecated.cpp:
        (webkit_dom_html_input_element_get_webkitdirectory):
        (webkit_dom_html_input_element_set_webkitdirectory):
        * bindings/gobject/WebKitDOMDeprecated.h:
        * bindings/gobject/WebKitDOMDeprecated.symbols:

2014-04-25  Javier Fernandez  <jfernandez@igalia.com>

        [CSS Grid Layout] Implementation of the grid-template shorthand.
        https://bugs.webkit.org/show_bug.cgi?id=128980

        Reviewed by Darin Adler.

        This shorthand sets the values for the grid-template-columns,
        grid-template-rows and grid-template-areas, so the implementation
        tries to reuse as much available parsing functions as possible.

        The "parsingGridTrackList" was refactored to return a CSSValue and
        let the "parseValue" function to assign the property value. The
        "forwardSlash" operator is now valid when the track-list clause is
        part of a shorthand. The "parseValue" function checkouts that only
        additional clauses are allowed when processing shorthands; the
        grid-columns-rows-get-set.html tests was modified to verify this.

        The "parseGridTemplateAreas" was refactored too, in order to
        process single areas's rows. This is very useful for the
        gris-template secondary syntax, which mixes areas and rows values.

        Finally, the "parseGirdLineNames" function was modified as well by
        defining an new argument to concatenate head/tail custom-ident
        elements and ensure the identList is at the heading index, since
        it's now possible the parseList was rewound.

        The implementation of the grid-template shorthand tries first to
        match the <grid-template-columns> / <grid-template-rows> syntax,
        failing back to the secondary syntax if needed.  This approach
        requires to rewind the parseList but it produces a clearer code.

        Test: fast/css-grid-layout/grid-template-shorthand-get-set.html

        * css/CSSComputedStyleDeclaration.cpp:
        (WebCore::ComputedStyleExtractor::propertyValue):
        * css/CSSParser.cpp:
        (WebCore::CSSParser::parseValue):
        (WebCore::CSSParser::parseGridTemplateRowsAndAreas):
        (WebCore::CSSParser::parseGridTemplateShorthand):
        (WebCore::CSSParser::parseGridLineNames):
        (WebCore::CSSParser::parseGridTrackList):
        (WebCore::CSSParser::parseGridTemplateAreasRow):
        (WebCore::CSSParser::parseGridTemplateAreas):
        * css/CSSParser.h:
        * css/CSSParserValues.h:
        (WebCore::CSSParserValueList::setCurrentIndex):
        * css/CSSPropertyNames.in:
        * css/StylePropertyShorthand.cpp:
        (WebCore::webkitGridTemplateShorthand):
        * css/StylePropertyShorthand.h:

2014-04-25  Andreas Kling  <akling@apple.com>

        Remove two unused SVGDocument functions.
        <https://webkit.org/b/132178>

        Reviewed by Antti Koivisto.

        * svg/SVGDocument.cpp:
        (WebCore::SVGDocument::dispatchZoomEvent): Deleted.
        (WebCore::SVGDocument::dispatchScrollEvent): Deleted.
        * svg/SVGDocument.h:

2014-04-25  Ion Rosca  <rosca@adobe.com>

        Incomplete body painting when using blend modes
        https://bugs.webkit.org/show_bug.cgi?id=131889

        The incomplete painting was caused by the transparency layer created for
        the root renderer. We can safely skip creating this transparency layer at
        the root level, as there is nothing else being painted behind this layer that
        could be used erroneously as a backdrop.

        Reviewed by Simon Fraser.

        Test: css3/compositing/blend-mode-with-body.html

        * rendering/RenderLayer.h:
        Changing RenderLayer::paintsWithTransparency so that it will not
        return true when the root renderer needs to isolate blending.

2014-04-25  Darin Adler  <darin@apple.com>

        ASSERTION FAILED: "!m_isolatedWorld->isNormal() || m_wrapper || !m_jsFunction" in svg/custom/use-instanceRoot-event-listeners.xhtml
        https://bugs.webkit.org/show_bug.cgi?id=132148

        Reviewed by Andreas Kling.

        Changed how JSCustomMarkFunction generation works. Instead of leaving out
        the generated visitChildren function, just generate a call to visitAdditionalChildren.
        This eliminates the need to repeat boilerplate.

        The fix for the above bug was to correct mistaken logic where JSSVGElementInstance
        had a visitChildren that did not properly mark event listeners because it explicitly
        did not call through to the base class visitChildren. The new arrangement makes that
        mistake impossible.

        * bindings/js/JSAttrCustom.cpp:
        (WebCore::JSAttr::visitAdditionalChildren): Use this instead of visitChildren.
        * bindings/js/JSAudioTrackCustom.cpp:
        (WebCore::JSAudioTrack::visitAdditionalChildren): Ditto.
        * bindings/js/JSAudioTrackListCustom.cpp:
        (WebCore::JSAudioTrackList::visitAdditionalChildren): Ditto.
        * bindings/js/JSCSSRuleCustom.cpp:
        (WebCore::JSCSSRule::visitAdditionalChildren): Ditto.
        * bindings/js/JSCSSStyleDeclarationCustom.cpp:
        (WebCore::JSCSSStyleDeclaration::visitAdditionalChildren): Ditto.
        * bindings/js/JSCanvasRenderingContextCustom.cpp:
        (WebCore::JSCanvasRenderingContext::visitAdditionalChildren): Ditto.
        * bindings/js/JSCryptoKeyPairCustom.cpp:
        (WebCore::JSCryptoKeyPair::visitAdditionalChildren): Ditto.
        * bindings/js/JSDOMWindowCustom.cpp:
        (WebCore::JSDOMWindow::visitAdditionalChildren): Ditto.
        * bindings/js/JSMessageChannelCustom.cpp:
        (WebCore::JSMessageChannel::visitAdditionalChildren): Ditto.
        * bindings/js/JSMessagePortCustom.cpp:
        (WebCore::JSMessagePort::visitAdditionalChildren): Ditto.
        * bindings/js/JSNodeCustom.cpp:
        (WebCore::JSNode::visitAdditionalChildren): Ditto.
        * bindings/js/JSNodeFilterCustom.cpp:
        (WebCore::JSNodeFilter::visitAdditionalChildren): Ditto.
        * bindings/js/JSNodeIteratorCustom.cpp:
        (WebCore::JSNodeIterator::visitAdditionalChildren): Ditto.
        * bindings/js/JSSVGElementInstanceCustom.cpp:
        (WebCore::JSSVGElementInstance::visitAdditionalChildren): Ditto.
        * bindings/js/JSSharedWorkerCustom.cpp:
        (WebCore::JSSharedWorker::visitAdditionalChildren): Ditto.
        * bindings/js/JSStyleSheetCustom.cpp:
        (WebCore::JSStyleSheet::visitAdditionalChildren): Ditto.
        * bindings/js/JSTextTrackCueCustom.cpp:
        (WebCore::JSTextTrackCue::visitAdditionalChildren): Ditto.
        * bindings/js/JSTextTrackCustom.cpp:
        (WebCore::JSTextTrack::visitAdditionalChildren): Ditto.
        * bindings/js/JSTextTrackListCustom.cpp:
        (WebCore::JSTextTrackList::visitAdditionalChildren): Ditto.
        * bindings/js/JSTreeWalkerCustom.cpp:
        (WebCore::JSTreeWalker::visitAdditionalChildren): Ditto.
        * bindings/js/JSVideoTrackCustom.cpp:
        (WebCore::JSVideoTrack::visitAdditionalChildren): Ditto.
        * bindings/js/JSVideoTrackListCustom.cpp:
        (WebCore::JSVideoTrackList::visitAdditionalChildren): Ditto.
        * bindings/js/JSWebGLRenderingContextCustom.cpp:
        (WebCore::JSWebGLRenderingContext::visitAdditionalChildren): Ditto.
        * bindings/js/JSWorkerGlobalScopeCustom.cpp:
        (WebCore::JSWorkerGlobalScope::visitAdditionalChildren): Ditto.
        * bindings/js/JSXMLHttpRequestCustom.cpp:
        (WebCore::JSXMLHttpRequest::visitAdditionalChildren): Ditto.
        * bindings/js/JSXPathResultCustom.cpp:
        (WebCore::JSXPathResult::visitAdditionalChildren): Ditto.

        * bindings/js/JSDOMGlobalObject.cpp:
        (WebCore::JSDOMGlobalObject::visitChildren): Rewrote to use modern for loops.

        * bindings/scripts/CodeGeneratorJS.pm:
        (GenerateHeader): Generate declaration of visitAdditionalChildren.
        (GenerateImplementation): Generate call to visitAdditionalChildren.

2014-04-24  Andreas Kling  <akling@apple.com>

        [iOS WebKit2] Enable optimization to mmap downloaded resources once they become file-backed.
        <https://webkit.org/b/132171>
        <rdar://problem/16720733>

        Add a missing export for the USE(CFNETWORK) + WebKit2 combo.

        Reviewed by Antti Koivisto.

        * WebCore.exp.in:

2014-04-24  Darin Adler  <darin@apple.com>

        FrameLoader::checkCompleted can hit the "ref'ing while destroyed" assertion
        https://bugs.webkit.org/show_bug.cgi?id=132163
        rdar://problem/16720640

        Reviewed by Brady Eidson.

        Couldn't find a way to test this yet. Would be nice to have a test.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::checkCompleted): Move protector until after we check
        if the frame is already complete. That can happen in practice when this is
        called from within the frame's destructor. All the code that runs before the
        protector simply checks state and does not require protection.

2014-04-24  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Mark Supplement instead of RefCountedSupplement in NavigatorContentUtils 
        https://bugs.webkit.org/show_bug.cgi?id=132151

        Reviewed by Darin Adler.

        Though Original goal was to make it sharable across navigator instances, the NavigatorContentUtils
        has used RefCountedSupplement<Page> instead of RefCountedSupplement<Navigator>. This patch makes it
        use Supplement<Page> because there is no scenario which needs to be shared across navigator instances.

        Blink merge from https://src.chromium.org/viewvc/blink?view=rev&revision=171403.

        No new tests, no behavior changes.

        * Modules/navigatorcontentutils/NavigatorContentUtils.cpp:
        (WebCore::NavigatorContentUtils::from):
        (WebCore::NavigatorContentUtils::create):
        (WebCore::provideNavigatorContentUtilsTo):
        * Modules/navigatorcontentutils/NavigatorContentUtils.h:

2014-04-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167700.
        https://bugs.webkit.org/show_bug.cgi?id=132142

        Incorrectly reverted the change in r167547 for
        webkit.org/b/131898 (Requested by rniwa on #webkit).

        Reverted changeset:

        "Cursor doesn't change back to pointer when leaving the Safari
        window"
        https://bugs.webkit.org/show_bug.cgi?id=132038
        http://trac.webkit.org/changeset/167700

2014-04-24  Brady Eidson  <beidson@apple.com>

        Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
        https://bugs.webkit.org/show_bug.cgi?id=132155

        Reviewed by Tim Horton.

        No new tests (No change in behavior).

        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * WebCore.exp.in:
        * css/CSSDefaultStyleSheets.cpp:
        (WebCore::CSSDefaultStyleSheets::ensureDefaultStyleSheetsForElement):
        * css/CSSPrimitiveValueMappings.h:
        (WebCore::CSSPrimitiveValue::CSSPrimitiveValue):
        * css/CSSValueKeywords.in:
        * dom/Node.h:
        * html/HTMLImageElement.cpp:
        (WebCore::HTMLImageElement::HTMLImageElement):
        (WebCore::HTMLImageElement::parseAttribute):
        (WebCore::HTMLImageElement::didAttachRenderers):
        * html/HTMLImageElement.h:
        * html/shadow/ImageControlsRootElement.cpp:
        * html/shadow/ImageControlsRootElement.h:
        * html/shadow/mac/ImageControlsButtonElementMac.cpp:
        * html/shadow/mac/ImageControlsButtonElementMac.h:
        * html/shadow/mac/ImageControlsRootElementMac.cpp:
        * html/shadow/mac/ImageControlsRootElementMac.h:
        * page/ContextMenuContext.cpp:
        (WebCore::ContextMenuContext::ContextMenuContext):
        * page/ContextMenuContext.h:
        * page/ContextMenuController.cpp:
        (WebCore::ContextMenuController::maybeCreateContextMenu):
        (WebCore::ContextMenuController::populate):
        * page/ContextMenuController.h:
        * page/Settings.in:
        * platform/ThemeTypes.h:
        * rendering/RenderImage.cpp:
        (WebCore::RenderImage::canHaveChildren):
        * rendering/RenderTheme.cpp:
        (WebCore::RenderTheme::adjustStyle):
        (WebCore::RenderTheme::paint):
        (WebCore::RenderTheme::paintBorderOnly):
        (WebCore::RenderTheme::paintDecorations):
        * rendering/RenderTheme.h:
        * rendering/RenderThemeMac.h:
        * rendering/RenderThemeMac.mm:
        (WebCore::RenderThemeMac::servicesRolloverButtonCell):
        (WebCore::RenderThemeMac::paintImageControlsButton):
        (WebCore::RenderThemeMac::imageControlsButtonSize):

2014-04-24  Timothy Hatcher  <timothy@apple.com>

        Web Inspector: Restore PageDebuggerAgent::enable / disable
        https://bugs.webkit.org/show_bug.cgi?id=132156

        Restore functions that were eroniously removed in r167530.

        Reviewed by Joseph Pecoraro.

        * inspector/PageDebuggerAgent.cpp:
        (WebCore::PageDebuggerAgent::enable): Added.
        (WebCore::PageDebuggerAgent::disable): Added.
        * inspector/PageDebuggerAgent.h:

2014-04-24  Alexey Proskuryakov  <ap@apple.com>

        Dropzone effects don't work in non-file documents
        https://bugs.webkit.org/show_bug.cgi?id=131770

        Reviewed by Darin Adler.

        File documents have two quirks that were making dropzone work in these before:
        1. An ancient hack for Dashboard allows pasteboard access from JS.
        2. On Mac, sandbox doesn't prevent File object creation, as we already have the access.

        * dom/DataTransfer.cpp:
        (WebCore::DataTransfer::hasFileOfType):
        (WebCore::DataTransfer::hasStringOfType):
        * dom/DataTransfer.h:
        Moved these functions from EventHandler to DataTransfer. We can't create a DataTransfer
        with Files while dragging, security doesn't permit us to. But we can get the file name.

        * fileapi/File.cpp:
        (WebCore::createBlobDataForFile):
        (WebCore::createBlobDataForFileWithName):
        (WebCore::File::contentTypeFromFilePath):
        (WebCore::getContentTypeFromFileName): Deleted.
        * fileapi/File.h:
        Exposed a function to get file type from path without creating a File first.
        This is much cheaper than creating a File, and works even when sandbox disallows
        read access to content, such as when dragging over a target.

        * page/EventHandler.cpp:
        (WebCore::hasDropZoneType):
        (WebCore::hasFileOfType): Deleted.
        (WebCore::hasStringOfType): Deleted.

2014-04-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167441.
        https://bugs.webkit.org/show_bug.cgi?id=132152

        Caused full screen regressions on vimeo, youtube, and others.
        (Requested by jernoble on #webkit).

        Reverted changeset:

        "Fullscreen media controls are unusable in pagination mode"
        https://bugs.webkit.org/show_bug.cgi?id=131705
        http://trac.webkit.org/changeset/167441

2014-04-24  Adenilson Cavalcanti  <cavalcantii@gmail.com>

        Unused class forward declarations in Page
        https://bugs.webkit.org/show_bug.cgi?id=132141

        Reviewed by Benjamin Poulain.

        No new tests, no change on behavior.

        * page/Page.h:

2014-04-24  Eric Carlson  <eric.carlson@apple.com>

        [Mac] don't ask for AVAssetTrack properties before they are available
        https://bugs.webkit.org/show_bug.cgi?id=131902
        <rdar://problem/16505076>

        Reviewed by Brent Fulgham.

        No new tests, the behavior this changes can not be tested with a layout test.

        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h:
        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
        (WebCore::MediaPlayerPrivateAVFoundationObjC::MediaPlayerPrivateAVFoundationObjC): Initialize
            m_cachedTotalBytes.
        (WebCore::MediaPlayerPrivateAVFoundationObjC::beginLoadingMetadata): Don't report that
            metadata has been loaded until the track properties we need have been loaded too.
        (WebCore::MediaPlayerPrivateAVFoundationObjC::totalBytes): Cache totalBytes instead
            of recalculating it every time.
        (WebCore::MediaPlayerPrivateAVFoundationObjC::tracksDidChange): Invalidate cached
            total bytes.
        (WebCore::assetTrackMetadataKeyNames): Array of AVAssetTrack properties we use.

2014-04-24  Myles C. Maxfield  <mmaxfield@apple.com>

        Unify platformWidthForGlyph across OS X and iOS
        https://bugs.webkit.org/show_bug.cgi?id=132036

        Reviewed by Darin Adler.

        This patch creates on shared SimpleFontData::platformWidthForGlyph() function for both OS X and iOS.

        No new tests are necessary because there should be no behavior changes.

        * platform/graphics/SimpleFontData.h: Signatures for two helper functions
        * platform/graphics/ios/SimpleFontDataIOS.mm: Replace iOS implementation of platformWidthForGlyph() with
        implementations of only the two helper functions
        (WebCore::SimpleFontData::getRenderingStyle): Compute style argument to CGFontGetGlyphAdvancesForStyle()
        (WebCore::SimpleFontData::advanceForColorBitmapFont): iOS doesn't have color bitmap fonts
        (WebCore::SimpleFontData::platformWidthForGlyph): Deleted.
        * platform/graphics/mac/SimpleFontDataMac.mm:
        (WebCore::SimpleFontData::getRenderingStyle): Compute style argument to CGFontGetGlyphAdvancesForStyle()
        (WebCore::SimpleFontData::advanceForColorBitmapFont): Use [NSFont advancementForGlyph] to compute the advance
        (WebCore::hasCustomTracking): Removed #if
        (WebCore::isEmoji): Only relevant on iOS
        (WebCore::SimpleFontData::platformWidthForGlyph): Shared implementation. Calls helper functions.

2014-04-24  Zalan Bujtas  <zalan@apple.com>

        Subpixel rendering: Clipping on text areas when shifted by one device pixel.
        https://bugs.webkit.org/show_bug.cgi?id=132008

        Reviewed by Darin Adler.

        Make RenderTheme paint* functions LayoutRect aware. Textarea is device pixel snapped, while
        other theme controls are still on integral size/positions.

        Test: fast/forms/hidpi-textarea-on-subpixel-position.html

        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::paintBoxDecorations):
        * rendering/RenderTheme.cpp:
        (WebCore::RenderTheme::paint):
        (WebCore::RenderTheme::paintBorderOnly):
        (WebCore::RenderTheme::paintDecorations):
        * rendering/RenderTheme.h:
        (WebCore::RenderTheme::paintTextField):
        (WebCore::RenderTheme::paintTextFieldDecorations):
        (WebCore::RenderTheme::paintTextArea):
        (WebCore::RenderTheme::paintTextAreaDecorations):
        * rendering/RenderThemeIOS.h:
        * rendering/RenderThemeIOS.mm:
        (WebCore::RenderThemeIOS::paintTextFieldDecorations):
        (WebCore::RenderThemeIOS::paintTextAreaDecorations):
        * rendering/RenderThemeMac.h:
        * rendering/RenderThemeMac.mm:
        (WebCore::RenderThemeMac::paintTextField):
        (WebCore::RenderThemeMac::paintTextArea):

2014-04-24  Myles C. Maxfield  <mmaxfield@apple.com>

        FontCache::fontCache() never returns nullptr so it can be made to return a reference instead
        https://bugs.webkit.org/show_bug.cgi?id=132110

        Reviewed by Tim Horton.

        Updates callers to use '.' instead of '->'.

        No new tests are necessary because there should be no behavior change.

        * css/CSSFontFaceSource.cpp:
        (WebCore::CSSFontFaceSource::getFontData):
        * css/CSSFontSelector.cpp:
        (WebCore::CSSFontSelector::CSSFontSelector):
        (WebCore::CSSFontSelector::~CSSFontSelector):
        (WebCore::CSSFontSelector::addFontFaceRule):
        (WebCore::fontDataForGenericFamily):
        (WebCore::CSSFontSelector::getFallbackFontData):
        * platform/MemoryPressureHandler.cpp:
        (WebCore::MemoryPressureHandler::releaseMemory):
        * platform/graphics/FontCache.cpp:
        (WebCore::fontCache): Return a reference
        * platform/graphics/FontCache.h:
        (WebCore::FontCachePurgePreventer::FontCachePurgePreventer):
        (WebCore::FontCachePurgePreventer::~FontCachePurgePreventer):
        * platform/graphics/FontGlyphs.cpp:
        (WebCore::FontGlyphs::FontGlyphs):
        (WebCore::FontGlyphs::releaseFontData):
        (WebCore::FontGlyphs::realizeFontDataAt):
        (WebCore::FontGlyphs::glyphDataAndPageForCharacter):
        * platform/graphics/freetype/FontPlatformDataFreeType.cpp:
        (WebCore::FontPlatformData::verticalData):
        * platform/graphics/ios/SimpleFontDataIOS.mm:
        (WebCore::SimpleFontData::platformCreateScaledFontData):
        * platform/graphics/mac/ComplexTextControllerCoreText.mm:
        (WebCore::ComplexTextController::collectComplexTextRunsForCharacters):
        * platform/graphics/mac/FontCacheMac.mm:
        (WebCore::invalidateFontCache):
        (WebCore::fontCacheRegisteredFontsChangedNotificationCallback):
        * platform/graphics/mac/SimpleFontDataMac.mm:
        (WebCore::SimpleFontData::platformDestroy):
        (WebCore::SimpleFontData::platformCreateScaledFontData):
        * platform/graphics/win/FontCacheWin.cpp:
        (WebCore::getCJKCodePageMasks):
        * platform/graphics/win/SimpleFontDataWin.cpp:
        (WebCore::SimpleFontData::containsCharacters):
        * platform/graphics/wince/FontCacheWinCE.cpp:
        (WebCore::getCJKCodePageMasks):
        * platform/graphics/wince/FontPlatformData.cpp:
        (WebCore::FontFamilyCodePageInfo::codePages):
        (WebCore::FixedSizeFontData::create):
        * platform/graphics/wince/GlyphPageTreeNodeWinCE.cpp:
        (WebCore::GlyphPage::fill):
        * platform/graphics/wince/SimpleFontDataWinCE.cpp:
        (WebCore::SimpleFontData::platformCreateScaledFontData):
        (WebCore::SimpleFontData::containsCharacters):

2014-04-24  Eric Carlson  <eric.carlson@apple.com>

        [iOS] Manage AudioSession category according to media type
        https://bugs.webkit.org/show_bug.cgi?id=132096

        Reviewed by Jer Noble.

        * WebCore.exp.in: Export setting.

        * html/HTMLMediaSession.cpp:
        (WebCore::HTMLMediaSession::HTMLMediaSession):
        (WebCore::initializeAudioSession): Deleted.

        * page/Settings.cpp:
        * page/Settings.h:
        (WebCore::Settings::setShouldManageAudioSession): New.
        (WebCore::Settings::shouldManageAudioSession): Ditto.

        * platform/audio/ios/AudioDestinationIOS.cpp:
        (WebCore::AudioDestinationIOS::AudioDestinationIOS): Use a MediaSession instead of inheriting
            from AudioListener and calling the AudioSession directly.
        (WebCore::AudioDestinationIOS::~AudioDestinationIOS): Ditto.
        (WebCore::AudioDestinationIOS::start): Notify session.
        (WebCore::AudioDestinationIOS::stop): Ditto.
        (WebCore::AudioDestinationIOS::beganAudioInterruption): Deleted.
        (WebCore::AudioDestinationIOS::endedAudioInterruption): Deleted.
        * platform/audio/ios/AudioDestinationIOS.h:
        (WebCore::AudioDestinationIOS::mediaType):
        (WebCore::AudioDestinationIOS::canReceiveRemoteControlCommands):
        (WebCore::AudioDestinationIOS::didReceiveRemoteControlCommand):
        (WebCore::AudioDestinationIOS::isPlaying): Deleted.

        * platform/audio/ios/AudioSessionIOS.mm:
        (WebCore::categoryName): Debug-only logging function.
        (WebCore::AudioSession::setCategory): Don't stick with "media" once it is set.

        * platform/audio/ios/MediaSessionManagerIOS.mm:
        (WebCore::MediaSessionManageriOS::resetRestrictions): Set up restrictions for WebAudio.
        (WebCore::MediaSessionManageriOS::updateNowPlayingInfo): Don't set invalid start time.

        * platform/audio/mac/MediaSessionManagerMac.cpp:
        (MediaSessionManager::updateSessionState): Manage AudioSession.active when WebAudio clients
            come and go. Manage AudioSession.category according to the number of WebAudio and
            HTMLMediaElement clients.

2014-04-24  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] Client rects don't work with column spans.
        https://bugs.webkit.org/show_bug.cgi?id=132131

        Reviewed by Dean Jackson.
        
        Don't factor in the offset of the multicolumn set from the top
        of the multicolumn block. This was added already, and it doesn't
        need to be a part of columnTranslationForOffset.

        Added fast/multicol/client-rects-spanners.html

        * rendering/RenderMultiColumnSet.cpp:
        (WebCore::RenderMultiColumnSet::columnTranslationForOffset):

2014-04-24  Praveen R Jadhav  <praveen.j@samsung.com>

        [EFL] WebKit build fails when MEDIA_SOURCE is enabled
        https://bugs.webkit.org/show_bug.cgi?id=132118

        Reviewed by Brent Fulgham.

        Files MediaSourceGStreamer.cpp, SourceBufferPrivateGStreamer.cpp and
        WebKitMediaSourceGStreamer.cpp are included for EFL port build.

        No new tests. No change in behaviour.

        * PlatformEfl.cmake: MediaSourceGStreamer.cpp, SourceBufferPrivateGStreamer.cpp
        and WebKitMediaSourceGStreamer.cpp are included for compilation.

2014-04-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        ASSERTION FAILED: !begin.isIndefinite() in WebCore::SVGSMILElement::resolveFirstInterval.
        https://bugs.webkit.org/show_bug.cgi?id=131097

        Reviewed by Darin Adler.

        According to smil animation reference, max attribute cannot be 0.

        Test: svg/animations/smil-animation-max-attribute-zero-crash.svg

        * svg/animation/SVGSMILElement.cpp:
        (WebCore::SVGSMILElement::maxValue):
          changed (result < 0) to (result <= 0)

2014-04-24  Ryuan Choi  <ryuan.choi@samsung.com>

        Remove screenColorProfile()
        https://bugs.webkit.org/show_bug.cgi?id=132035

        Reviewed by Darin Adler.

        Only chromium used screenColorProfile() since r120789.

        * platform/PlatformScreen.h:
        * platform/efl/PlatformScreenEfl.cpp:
        (WebCore::screenColorProfile): Deleted.
        * platform/gtk/PlatformScreenGtk.cpp:
        (WebCore::screenColorProfile): Deleted.
        * platform/image-decoders/ImageDecoder.h:
        (WebCore::ImageDecoder::qcmsOutputDeviceProfile):
        * platform/ios/PlatformScreenIOS.mm:
        (WebCore::screenColorProfile): Deleted.
        * platform/mac/PlatformScreenMac.mm:
        (WebCore::screenColorProfile): Deleted.
        * platform/win/PlatformScreenWin.cpp:
        (WebCore::screenColorProfile): Deleted.

2014-04-24  Zalan Bujtas  <zalan@apple.com>

        One more unreviewed build fix after r167755.

        * html/shadow/mac/ImageControlsButtonElementMac.cpp:
        (WebCore::RenderImageControlsButton::updateLogicalWidth):
        (WebCore::RenderImageControlsButton::computeLogicalHeight):

2014-04-24  Zalan Bujtas  <zalan@apple.com>

        Unreviewed build fix after r167755.

        * rendering/RenderThemeMac.h:

2014-04-24  Zalan Bujtas  <zalan@apple.com>

        Transition RenderTheme API from RenderObject* to const RenderObject&
        https://bugs.webkit.org/show_bug.cgi?id=132037

        Reviewed by Andreas Kling.

        Using const references provides better encapsulation and improve security.

        No change in behavior.

        * accessibility/AccessibilityObject.cpp:
        (WebCore::AccessibilityObject::boundingBoxForQuads):
        * dom/Element.cpp:
        (WebCore::Element::setActive):
        (WebCore::Element::setHovered):
        * editing/FrameSelection.cpp:
        (WebCore::FrameSelection::focusedOrActiveStateChanged):
        * html/HTMLFormControlElement.cpp:
        (WebCore::HTMLFormControlElement::disabledStateChanged):
        (WebCore::HTMLFormControlElement::readOnlyAttributeChanged):
        * html/HTMLInputElement.cpp:
        (WebCore::HTMLInputElement::setChecked):
        (WebCore::HTMLInputElement::setIndeterminate):
        * html/HTMLOptionElement.cpp:
        (WebCore::HTMLOptionElement::parseAttribute):
        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::addVisualOverflowFromTheme):
        (WebCore::RenderBlock::baselinePosition):
        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::paintBoxDecorations):
        * rendering/RenderButton.cpp:
        (WebCore::RenderButton::styleDidChange):
        * rendering/RenderFileUploadControl.cpp:
        (WebCore::RenderFileUploadControl::paintObject):
        * rendering/RenderFlowThread.cpp:
        (WebCore::RenderFlowThread::addRegionsVisualOverflowFromTheme):
        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::drawLineForBoxSide):
        * rendering/RenderObject.h:
        * rendering/RenderProgress.cpp:
        (WebCore::RenderProgress::computeLogicalHeight):
        * rendering/RenderTextControlSingleLine.cpp:
        (WebCore::RenderTextControlSingleLine::paint):
        * rendering/RenderTheme.cpp:
        (WebCore::RenderTheme::paint):
        (WebCore::RenderTheme::paintBorderOnly):
        (WebCore::RenderTheme::paintDecorations):
        (WebCore::RenderTheme::baselinePosition):
        (WebCore::RenderTheme::adjustRepaintRect):
        (WebCore::RenderTheme::stateChanged):
        (WebCore::RenderTheme::updateControlStatesForRenderer):
        (WebCore::RenderTheme::extractControlStatesForRenderer):
        (WebCore::RenderTheme::isActive):
        (WebCore::RenderTheme::isChecked):
        (WebCore::RenderTheme::isIndeterminate):
        (WebCore::RenderTheme::isEnabled):
        (WebCore::RenderTheme::isFocused):
        (WebCore::RenderTheme::isPressed):
        (WebCore::RenderTheme::isSpinUpButtonPartPressed):
        (WebCore::RenderTheme::isReadOnlyControl):
        (WebCore::RenderTheme::isHovered):
        (WebCore::RenderTheme::isSpinUpButtonPartHovered):
        (WebCore::RenderTheme::isDefault):
        (WebCore::RenderTheme::paintInputFieldSpeechButton):
        (WebCore::RenderTheme::paintMeter):
        (WebCore::RenderTheme::paintSliderTicks):
        (WebCore::RenderTheme::progressBarRectForBounds):
        * rendering/RenderTheme.h:
        (WebCore::RenderTheme::controlSupportsTints):
        (WebCore::RenderTheme::paintCapsLockIndicator):
        (WebCore::RenderTheme::paintFileUploadIconDecorations):
        (WebCore::RenderTheme::imageControlsButtonSize):
        (WebCore::RenderTheme::paintCheckbox):
        (WebCore::RenderTheme::paintRadio):
        (WebCore::RenderTheme::paintButton):
        (WebCore::RenderTheme::paintInnerSpinButton):
        (WebCore::RenderTheme::paintCheckboxDecorations):
        (WebCore::RenderTheme::paintRadioDecorations):
        (WebCore::RenderTheme::paintButtonDecorations):
        (WebCore::RenderTheme::paintTextField):
        (WebCore::RenderTheme::paintTextFieldDecorations):
        (WebCore::RenderTheme::paintTextArea):
        (WebCore::RenderTheme::paintTextAreaDecorations):
        (WebCore::RenderTheme::paintMenuList):
        (WebCore::RenderTheme::paintMenuListDecorations):
        (WebCore::RenderTheme::paintMenuListButtonDecorations):
        (WebCore::RenderTheme::paintPushButtonDecorations):
        (WebCore::RenderTheme::paintSquareButtonDecorations):
        (WebCore::RenderTheme::paintProgressBar):
        (WebCore::RenderTheme::paintSliderTrack):
        (WebCore::RenderTheme::paintSliderThumb):
        (WebCore::RenderTheme::paintSliderThumbDecorations):
        (WebCore::RenderTheme::paintSearchField):
        (WebCore::RenderTheme::paintSearchFieldDecorations):
        (WebCore::RenderTheme::paintSearchFieldCancelButton):
        (WebCore::RenderTheme::paintSearchFieldDecorationPart):
        (WebCore::RenderTheme::paintSearchFieldResultsDecorationPart):
        (WebCore::RenderTheme::paintSearchFieldResultsButton):
        (WebCore::RenderTheme::paintMediaFullscreenButton):
        (WebCore::RenderTheme::paintMediaPlayButton):
        (WebCore::RenderTheme::paintMediaOverlayPlayButton):
        (WebCore::RenderTheme::paintMediaMuteButton):
        (WebCore::RenderTheme::paintMediaSeekBackButton):
        (WebCore::RenderTheme::paintMediaSeekForwardButton):
        (WebCore::RenderTheme::paintMediaSliderTrack):
        (WebCore::RenderTheme::paintMediaSliderThumb):
        (WebCore::RenderTheme::paintMediaVolumeSliderContainer):
        (WebCore::RenderTheme::paintMediaVolumeSliderTrack):
        (WebCore::RenderTheme::paintMediaVolumeSliderThumb):
        (WebCore::RenderTheme::paintMediaRewindButton):
        (WebCore::RenderTheme::paintMediaReturnToRealtimeButton):
        (WebCore::RenderTheme::paintMediaToggleClosedCaptionsButton):
        (WebCore::RenderTheme::paintMediaControlsBackground):
        (WebCore::RenderTheme::paintMediaCurrentTime):
        (WebCore::RenderTheme::paintMediaTimeRemaining):
        (WebCore::RenderTheme::paintMediaFullScreenVolumeSliderTrack):
        (WebCore::RenderTheme::paintMediaFullScreenVolumeSliderThumb):
        (WebCore::RenderTheme::paintSnapshottedPluginOverlay):
        (WebCore::RenderTheme::paintImageControlsButton):
        * rendering/RenderThemeIOS.h:
        * rendering/RenderThemeIOS.mm:
        (WebCore::RenderThemeIOS::addRoundedBorderClip):
        (WebCore::RenderThemeIOS::paintCheckboxDecorations):
        (WebCore::RenderThemeIOS::baselinePosition):
        (WebCore::RenderThemeIOS::paintRadioDecorations):
        (WebCore::RenderThemeIOS::paintTextFieldDecorations):
        (WebCore::RenderThemeIOS::paintTextAreaDecorations):
        (WebCore::RenderThemeIOS::paintMenuListButtonDecorations):
        (WebCore::RenderThemeIOS::paintSliderTrack):
        (WebCore::RenderThemeIOS::paintSliderThumbDecorations):
        (WebCore::RenderThemeIOS::paintProgressBar):
        (WebCore::RenderThemeIOS::paintSearchFieldDecorations):
        (WebCore::RenderThemeIOS::paintButtonDecorations):
        (WebCore::RenderThemeIOS::paintPushButtonDecorations):
        (WebCore::RenderThemeIOS::paintFileUploadIconDecorations):
        * rendering/RenderThemeMac.h:
        (WebCore::RenderThemeMac::updateActiveState):
        * rendering/RenderThemeMac.mm:
        (WebCore::RenderThemeMac::documentViewFor):
        (WebCore::RenderThemeMac::adjustRepaintRect):
        (WebCore::RenderThemeMac::convertToPaintingRect):
        (WebCore::RenderThemeMac::updateCheckedState):
        (WebCore::RenderThemeMac::updateEnabledState):
        (WebCore::RenderThemeMac::updateFocusedState):
        (WebCore::RenderThemeMac::updatePressedState):
        (WebCore::RenderThemeMac::controlSupportsTints):
        (WebCore::RenderThemeMac::paintTextField):
        (WebCore::RenderThemeMac::paintCapsLockIndicator):
        (WebCore::RenderThemeMac::paintTextArea):
        (WebCore::RenderThemeMac::paintMenuList):
        (WebCore::RenderThemeMac::paintMeter):
        (WebCore::RenderThemeMac::progressBarRectForBounds):
        (WebCore::RenderThemeMac::paintProgressBar):
        (WebCore::RenderThemeMac::paintMenuListButtonGradients):
        (WebCore::RenderThemeMac::paintMenuListButtonDecorations):
        (WebCore::RenderThemeMac::setPopupButtonCellState):
        (WebCore::RenderThemeMac::paintSliderTrack):
        (WebCore::RenderThemeMac::paintSliderThumb):
        (WebCore::RenderThemeMac::paintSearchField):
        (WebCore::RenderThemeMac::setSearchCellState):
        (WebCore::RenderThemeMac::paintSearchFieldCancelButton):
        (WebCore::RenderThemeMac::paintSearchFieldDecorationPart):
        (WebCore::RenderThemeMac::paintSearchFieldResultsDecorationPart):
        (WebCore::RenderThemeMac::paintSearchFieldResultsButton):
        (WebCore::RenderThemeMac::paintSnapshottedPluginOverlay):
        (WebCore::RenderThemeMac::paintImageControlsButton):
        (WebCore::RenderThemeMac::imageControlsButtonSize):

2014-04-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] HTML Media capture attribute is a boolean since r163958
        https://bugs.webkit.org/show_bug.cgi?id=132061

        Reviewed by Gustavo Noronha Silva.

        Add new methods webkit_dom_html_input_element_get_capture_enabled
        and webkit_dom_html_input_element_set_capture_enabled using a
        boolean and deprecate the old methods.

        * bindings/gobject/WebKitDOMDeprecated.cpp:
        (webkit_dom_html_input_element_get_capture):
        (webkit_dom_html_input_element_set_capture):
        * bindings/gobject/WebKitDOMDeprecated.h:
        * bindings/gobject/WebKitDOMDeprecated.symbols:
        * bindings/gobject/webkitdom.symbols:
        * bindings/scripts/CodeGeneratorGObject.pm:
        (GetEffectiveFunctionName): Helper function to rename API methods
        for special cases.
        (GenerateFunction): Use GetEffectiveFunctionName().

2014-04-23  Praveen R Jadhav  <praveen.j@samsung.com>

        [MediaStream] Implement MediaStream active attribute
        https://bugs.webkit.org/show_bug.cgi?id=131973

        Reviewed by Eric Carlson.

        MediaStream .active attribute are introduced which will replace
        .ended attribute. This patch implements the newly introduced attributes.

        MediaStream-add-remove-tracks.html is updated to handle this scenario.

        * Modules/mediastream/MediaStream.cpp:
        (WebCore::MediaStream::active): Added.
        (WebCore::MediaStream::setActive): Added.
        (WebCore::MediaStream::addTrack): Propagates 'onactive' event when required.
        (WebCore::MediaStream::removeTrack): Propagates 'oninactive' event when required.
        (WebCore::MediaStream::trackDidEnd): Propagates 'oninactive' event when required.
        (WebCore::MediaStream::streamDidEnd):
        (WebCore::MediaStream::setStreamIsActive): Added.
        * Modules/mediastream/MediaStream.h:
        * Modules/mediastream/MediaStream.idl:
        * dom/EventNames.h:
        * platform/mediastream/MediaStreamPrivate.cpp:
        (WebCore::MediaStreamPrivate::MediaStreamPrivate): Initialize .active attribute
        (WebCore::MediaStreamPrivate::setEnded):
        (WebCore::MediaStreamPrivate::setActive): Added.
        * platform/mediastream/MediaStreamPrivate.h:
        (WebCore::MediaStreamPrivate::active): Added.

2014-04-23  Darin Adler  <darin@apple.com>

        [Cocoa] fix CF leaks found by code inspection
        https://bugs.webkit.org/show_bug.cgi?id=132106

        Reviewed by Andreas Kling.

        * page/CaptionUserPreferencesMediaAF.cpp:
        (WebCore::trackDisplayName): Added a missing adoptCF.

        * platform/Language.cpp:
        (WebCore::displayNameForLanguageLocale): Added a missing adoptCF.

        * platform/graphics/FontPlatformData.cpp:
        (WebCore::FontPlatformData::openTypeTable): Added a missing adoptCF.

        * platform/graphics/avfoundation/cf/InbandTextTrackPrivateAVCF.cpp:
        (WebCore::InbandTextTrackPrivateAVCF::label): Added two missing adoptCF.

        * platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp:
        (WebCore::AVFWrapper::createImageForTimeInRect): Added two missing adoptCF.

        * platform/graphics/cg/PDFDocumentImage.cpp:
        (WebCore::PDFDocumentImage::createPDFDocument): Added missing adoptCF.

        * platform/graphics/cocoa/FontPlatformDataCocoa.mm:
        (WebCore::cascadeToLastResortFontDescriptor): Added two missing adoptCF.

        * platform/graphics/mac/FontMac.mm:
        (WebCore::Font::primaryFontDataIsSystemFont): Added missing adoptCF.

        * platform/graphics/mac/SimpleFontDataMac.mm:
        (WebCore::hasCustomTracking): Added missing adoptCF.

        * platform/image-decoders/ImageDecoder.h:
        (WebCore::ImageDecoder::qcmsOutputDeviceProfile): Added CFRelease.

        * plugins/mac/PluginPackageMac.cpp:
        (WebCore::readPListFile): Added two missing adoptCF.

2014-04-23  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION (r157328): popover to check into flight ba.com dismisses instantly when focusing form
        https://bugs.webkit.org/show_bug.cgi?id=131949

        Address the review comment.

        * dom/EventDispatcher.cpp:
        (WebCore::EventRelatedNodeResolver::findHostOfTreeScopeInTargetTreeScope):

2014-04-23  Andreas Kling  <akling@apple.com>

        CachedResourceLoader hoards URLs indefinitely for no good reason.
        <https://webkit.org/b/132102>
        <rdar://problem/16708265>

        Since we don't care about CachedResourceLoader::m_validatedURL's after
        the Document has finished dispatching its initial load event, clear the
        set at that point, and don't add any new URLs to it.

        Reviewed by Anders Carlsson.

        * dom/Document.cpp:
        (WebCore::Document::dispatchWindowLoadEvent):
        * loader/cache/CachedResourceLoader.cpp:
        (WebCore::CachedResourceLoader::requestResource):
        (WebCore::CachedResourceLoader::documentDidFinishLoadEvent):
        * loader/cache/CachedResourceLoader.h:

2014-04-23  Andreas Kling  <akling@apple.com>

        Canvas cache of clean URLs can grow without bounds.
        <https://webkit.org/b/132091>
        <rdar://problem/16695665>

        Remove a silly "optimization" that kept a cache of clean URLs
        that can be drawn into a canvas without tainting it, all to avoid
        the "expensive" checks to determine whether it would taint.

        Reviewed by Benjamin Poulain.

        * html/canvas/CanvasRenderingContext.cpp:
        (WebCore::CanvasRenderingContext::wouldTaintOrigin):
        * html/canvas/CanvasRenderingContext.h:

2014-04-23  Benjamin Poulain  <bpoulain@apple.com>

        [iOS][WK2] Fix a few mistakes affecting the initial layout and the initial unobscured rect
        https://bugs.webkit.org/show_bug.cgi?id=132093

        Reviewed by Tim Horton.

        Change the minimum layout size to float point values to account for size defined on retina displays.
        The minimum layout size supports half-pixels, the value is rounded later when computing the layout size
        in document coordinates.

        * WebCore.exp.in:
        * page/ViewportConfiguration.cpp:
        (WebCore::ViewportConfiguration::ViewportConfiguration):
        Setting the initial content size is incorrect. The layout size computation already take into account
        empty size for the first layout.

        Setting the content size upfront make the first computation incorrect when the viewport arguments specify
        the initial scale.

        (WebCore::ViewportConfiguration::setMinimumLayoutSize):
        * page/ViewportConfiguration.h:
        (WebCore::ViewportConfiguration::minimumLayoutSize):

2014-04-23  Brent Fulgham  <bfulgham@apple.com>

        [Mac, iOS] Stop buffering media when on an inactive tab. 
        https://bugs.webkit.org/show_bug.cgi?id=132077

        Reviewed by Eric Carlson.

        * html/HTMLMediaElement.cpp: Rename 'm_isDisplaySleepDisablingSuspended'
        to 'm_elementIsHidden'.
        (WebCore::HTMLMediaElement::HTMLMediaElement):
        (WebCore::HTMLMediaElement::visibilityStatusChanged): Notify the
        media session that the element is (or is not) hidden.
        (WebCore::HTMLMediaElement::setShouldBufferData): Added.
        * html/HTMLMediaElement.h:
        * platform/audio/MediaSession.cpp:
        (WebCore::MediaSession::clientWillBeginPlayback): Tell media to
        buffer if not hidden or playing.
        (WebCore::MediaSession::clientWillPausePlayback): Ditto.
        (WebCore::MediaSession::visibilityChanged): Added. Client API, just relays call
        to updateClientDataBuffering.
        (WebCore::MediaSession::updateClientDataBuffering): Tell client it should only
        buffer data if it's currently playing, or not hidden.
        * platform/audio/MediaSession.h:
        * platform/graphics/MediaPlayer.cpp:
        (WebCore::MediaPlayer::setShouldBufferData): Added: Just relays to
        MediaPlayerPrivate object.
        * platform/graphics/MediaPlayer.h:
        * platform/graphics/MediaPlayerPrivate.h:
        (WebCore::MediaPlayerPrivateInterface::setShouldBufferData):
        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h:
        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
        (WebCore::MediaPlayerPrivateAVFoundationObjC::MediaPlayerPrivateAVFoundationObjC):
        (WebCore::MediaPlayerPrivateAVFoundationObjC::setShouldBufferData): Added.
        Detach the player item from the player if we don't want to continue
        buffering or other background tasks.

2014-04-23  Alexey Proskuryakov  <ap@apple.com>

        Eliminate internals.setMockScrollbarsEnabled()
        https://bugs.webkit.org/show_bug.cgi?id=132085

        Reviewed by Tim Horton.

        This was essentially unused, and also didnt work.

        * testing/InternalSettings.cpp:
        (WebCore::InternalSettings::Backup::restoreTo):
        (WebCore::InternalSettings::setMockScrollbarsEnabled): Deleted.
        * testing/InternalSettings.h:
        * testing/InternalSettings.idl:

2014-04-23  Anders Carlsson  <andersca@apple.com>

        Don't migrate the WKView.h header from WebCore to WebKit
        https://bugs.webkit.org/show_bug.cgi?id=132086

        Reviewed by Dan Bernstein.

        * WebCore.xcodeproj/project.pbxproj:
        Add WAKViewInternal.h.

        * platform/WAKViewInternal.h: Added.

        * platform/ios/wak/WAKClipView.m:
        Import WAKViewInternal.h instead of WAKViewPrivate.h.

        * platform/ios/wak/WAKScrollView.mm:
        Import WAKViewInternal.h instead of WAKViewPrivate.h.

        * platform/ios/wak/WAKView.h:
        Move ivars to a class extension in WAKViewInternal.h and remove WKView.h import.

        * platform/ios/wak/WAKView.mm:
        Import WAKViewInternal.h instead of WAKViewPrivate.h.

        * platform/ios/wak/WAKViewPrivate.h:
        Import WKViewPrivate.h.

2014-04-23  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] fast/multicol/fixed-column-percent-logical-height-orthogonal-writing-mode.html fails
        https://bugs.webkit.org/show_bug.cgi?id=132078

        Reviewed by Anders Carlsson.

        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::skipContainingBlockForPercentHeightCalculation):
        Add a parameter to test for orthogonal writing modes. If we're perpendicular,
        then we should not skip the flow thread, since we resolve relative to the column width,
        and that is always set.

        (WebCore::RenderBox::computePercentageLogicalHeight):
        Patched to pass in whether or not the box and the ancestor block are perpendicular.

        * rendering/RenderBox.h:
        Patched the signature of skipContainingBlockForPercentHeightCalculation

2014-04-23  Myles C. Maxfield  <mmaxfield@apple.com>

        [OS X] Make checking if a font is the system font more robust
        https://bugs.webkit.org/show_bug.cgi?id=132030

        Reviewed by Dean Jackson.

        Instead of inspecting a font's name to determine if it is a system font,
        on OS X we can ask the system directly.

        This patch also moves a platform-specific check into platform-specific
        code, so that other platforms don't check for OS X-specific behavior.

        Covered by existing tests.

        * platform/graphics/Font.cpp:
        (WebCore::Font::hasValidAverageCharWidth):
        * platform/graphics/Font.h:
        * platform/graphics/mac/FontMac.mm:
        (WebCore::Font::primaryFontDataIsSystemFont):

2014-04-23  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] Assertion failure in huge-column-count.html
        https://bugs.webkit.org/show_bug.cgi?id=132071

        Reviewed by Dean Jackson.

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::regionAtBlockOffset):
        Back out this change, since it wasn't general enough.

        * rendering/RenderFlowThread.cpp:
        (WebCore::RenderFlowThread::getRegionRangeForBox):
        The real issue was that this loop needed to consider the actual box
        rather than starting from the parent. This was a non-issue for normal
        regions (which cannot have nested flow threads), but for columns, you 
        have to consider the fact that the box could itself be a flow thread.

2014-04-23  Andreas Kling  <akling@apple.com>

        [iOS] Memory pressure notification should fire on main thread.
        <https://webkit.org/b/132074>

        Rejig the memory pressure notification to fire on the main queue
        directly instead of rerouting it manually.

        Reviewed by Mark Rowe.

        * platform/cocoa/MemoryPressureHandlerCocoa.mm:
        (WebCore::MemoryPressureHandler::install):

2014-04-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167720.
        https://bugs.webkit.org/show_bug.cgi?id=132075

        broke eight newmulticol tests (Requested by thorton on
        #webkit).

        Reverted changeset:

        "[New Multicolumn] Assertion failure in huge-column-
        count.html"
        https://bugs.webkit.org/show_bug.cgi?id=132071
        http://trac.webkit.org/changeset/167720

2014-04-23  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] Assertion failure in huge-column-count.html
        https://bugs.webkit.org/show_bug.cgi?id=132071

        Reviewed by Dean Jackson.

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::regionAtBlockOffset):
        Remove the code that returned 0 here, since we're going to patch a lower-level
        function to catch all cases.

        * rendering/RenderFlowThread.cpp:
        (WebCore::RenderFlowThread::getRegionRangeForBox):
        Don't allow in-flow RenderFlowThreads to ever have a region range. The sets
        are what should have ranges... the flow thread needs to just be ignored.

2014-04-23  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] Crasher when clearing out a flow thread in multicolumn layout.
        https://bugs.webkit.org/show_bug.cgi?id=132069

        Reviewed by Dean Jackson.

        This is imported from a patch Morten did for Blink, but I had to change it a fair
        bit. deleteLines() is used to handle simple line box layout instead of just calling
        deleteLineBoxTree.
        
        I also had to disable the layout state to stop asserts on repaint when the children
        get moved. Not sure why Blink didn't hit this, but it's simple enough to add a
        LayoutStateDisabler to stop the assert.

        Added fast/multicol/inline-children-crash.html

        * rendering/RenderMultiColumnFlowThread.cpp:
        (WebCore::RenderMultiColumnFlowThread::evacuateAndDestroy):

2014-04-23  Andreas Kling  <akling@apple.com>

        [iOS WebKit2] IOSurfacePool should force CA to actually garbage collect surfaces.
        <https://webkit.org/b/132065>
        <rdar://problem/16110687>

        Add a platformGarbageCollectNow() helper function to IOSurfacePool that
        triggers a sweep of the IOSurfaces. Call this from collectionTimerFired()
        and discardAllSurfaces().

        This lets us drop all otherwise-unused 420f surfaces on memory pressure.

        Reviewed by Tim Horton.

        * WebCore.xcodeproj/project.pbxproj:
        * platform/graphics/cg/IOSurfacePool.cpp:
        (WebCore::IOSurfacePool::collectionTimerFired):
        (WebCore::IOSurfacePool::discardAllSurfaces):
        * platform/graphics/cg/IOSurfacePool.h:
        * platform/graphics/cocoa/IOSurfacePoolCocoa.mm: Added.
        (WebCore::IOSurfacePool::platformGarbageCollectNow):

2014-04-23  Morten Stenshorne  <mstensho@opera.com>

        REGRESSION (Safari 6 - ToT): Incorrectly assumes that RenderStyle data can be shared
        https://bugs.webkit.org/show_bug.cgi?id=113058

        Reviewed by David Hyatt.

        Before sharing CSS properties with an element in the cache, we need to
        check that the new element is suitable for this, just like we check
        elements before inserting them into the cache.

        Test: fast/css/identical-logical-height-decl.html

        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::applyMatchedProperties):

2014-04-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167713.
        https://bugs.webkit.org/show_bug.cgi?id=132070

        broke hundreds of tests (Requested by thorton on #webkit).

        Reverted changeset:

        "[OS X] Make checking if a font is the system font more
        robust"
        https://bugs.webkit.org/show_bug.cgi?id=132030
        http://trac.webkit.org/changeset/167713

2014-04-22  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] Nested columns not working at all.
        https://bugs.webkit.org/show_bug.cgi?id=131805

        Reviewed by Dean Jackson.

        Add support for nested pagination contexts, allowing for an arbitrary level
        of nesting of multicolumn layouts. There were a number of things that had to
        be patched in order for this to work.

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::regionAtBlockOffset):
        Make sure RenderMultiColumnFlowThreads just return null for regions at any
        block offset. Individual region sets will be created as you cross ancestor
        regions eventually, so this is just getting in the way.

        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::enclosingPaginationLayerInSubtree):
        Add a new helper method for obtaining an enclosingPaginationLayer when
        constrained by some root. This function ensures you don't accidentally
        cross your subtree root when looking for enclosing pagination layers.

        (WebCore::RenderLayer::collectFragments):
        Patch collectFragments to know how to recur to collect ancestor fragments
        in order to apply nested splitting as you cross pagination boundaries.

        (WebCore::RenderLayer::updatePaintingInfoForFragments):
        (WebCore::RenderLayer::calculateClipRects):
        * rendering/RenderLayer.h:
        (WebCore::LayerFragment::LayerFragment):
        (WebCore::LayerFragment::setRects):
        (WebCore::LayerFragment::moveBy):
        (WebCore::LayerFragment::intersect):
        Improve the LayerFragment so that it caches transformed bounding boxes as
        well. This is needed to fix intersectsDamageRect so that it doesn't grab
        the wrong bounding box when checking inline layers that are paginated.

        * rendering/RenderMultiColumnFlowThread.cpp:
        (WebCore::RenderMultiColumnFlowThread::flowThreadDescendantInserted):
        Ignore inserted flow threads inside an ancestor flow thread, since we only
        care about what the sets do.
        
        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::insertedIntoTree):
        Make sure that nested flow thread layers return themselves when a child
        is inserted directly under them.

2014-04-22  Myles C. Maxfield  <mmaxfield@apple.com>

        [OS X] Make checking if a font is the system font more robust
        https://bugs.webkit.org/show_bug.cgi?id=132030

        Reviewed by Dean Jackson.

        Instead of inspecting a font's name to determine if it is a system font,
        on OS X we can ask the system directly.

        This patch also moves a platform-specific check into platform-specific
        code, so that other platforms don't check for OS X-specific behavior.

        Covered by existing tests.

        * platform/graphics/Font.cpp:
        (WebCore::Font::hasValidAverageCharWidth):
        * platform/graphics/Font.h:
        * platform/graphics/mac/FontMac.mm:
        (WebCore::Font::primaryFontDataIsSystemFont):

2014-04-23  Philippe Normand  <pnormand@igalia.com>

        [GTK] Focus management API was moved from HTMLDocument to Document in r166668
        https://bugs.webkit.org/show_bug.cgi?id=132060

        Reviewed by Carlos Garcia Campos.

        Deprecate the removed methods in WebKitDOMHTMLDocument to keep API compatibility.

        * bindings/gobject/WebKitDOMDeprecated.cpp:
        (webkit_dom_html_document_get_active_element):
        (webkit_dom_html_document_has_focus):
        * bindings/gobject/WebKitDOMDeprecated.h:
        * bindings/gobject/WebKitDOMDeprecated.symbols:
        * bindings/gobject/webkitdom.symbols:

2014-04-22  Andreas Kling  <akling@apple.com>

        [iOS WebKit1] MemoryPressureHandler::respondToMemoryPressure called on wrong thread.
        <https://webkit.org/b/132041>
        <rdar://problem/16687238>

        Always dispatch the memory pressure relief code on the main queue.
        This is really only needed for iOS/WK1, but we might as well share the code.

        Reviewed by Michael Saboff.

        * platform/cocoa/MemoryPressureHandlerCocoa.mm:
        (WebCore::MemoryPressureHandler::install):

2014-04-23  Philippe Normand  <pnormand@igalia.com>

        [GTK] ShadowRoot API was removed in r164131
        https://bugs.webkit.org/show_bug.cgi?id=132059

        Reviewed by Gustavo Noronha Silva.

        Add ShadowRoot removed API to WebKitDOMDeprecated to keep API/ABI compatibility.

        * bindings/gobject/WebKitDOMDeprecated.cpp:
        (webkit_dom_shadow_root_class_init):
        (webkit_dom_shadow_root_init):
        (webkit_dom_shadow_root_element_from_point):
        (webkit_dom_shadow_root_get_active_element):
        (webkit_dom_shadow_root_get_apply_author_styles):
        (webkit_dom_shadow_root_get_element_by_id):
        (webkit_dom_shadow_root_get_elements_by_class_name):
        (webkit_dom_shadow_root_get_elements_by_tag_name):
        (webkit_dom_shadow_root_get_elements_by_tag_name_ns):
        (webkit_dom_shadow_root_get_inner_html):
        (webkit_dom_shadow_root_get_reset_style_inheritance):
        (webkit_dom_shadow_root_get_selection):
        (webkit_dom_shadow_root_set_apply_author_styles):
        (webkit_dom_shadow_root_set_inner_html):
        (webkit_dom_shadow_root_set_reset_style_inheritance):
        * bindings/gobject/WebKitDOMDeprecated.h:
        * bindings/gobject/WebKitDOMDeprecated.symbols:

2014-04-23  Morten Stenshorne  <mstensho@opera.com>

        [New Multicolumn] fast/multicol/overflow-content.html displays red
        https://bugs.webkit.org/show_bug.cgi?id=131809

        Reviewed by David Hyatt.

        Insert a break at end of content on our own in the multicol code, to make sure
        that overflow is accounted for, and also to make sure that we account for all
        content in non-final sets (i.e. those preceding spanners).

        In other words, this will additionally fix balancing issues in sets preceding
        a spanner. Added a test for that.

        Tests: fast/multicol/break-in-columns-before-spanner.html
               fast/multicol/newmulticol/compare-with-old-impl/overflow-content.html

        * rendering/RenderFlowThread.cpp:
        (WebCore::RenderFlowThread::regionInRange): Deleted.
        * rendering/RenderFlowThread.h:
        * rendering/RenderMultiColumnSet.cpp:
        (WebCore::RenderMultiColumnSet::distributeImplicitBreaks):
        * rendering/RenderNamedFlowThread.cpp:
        (WebCore::RenderNamedFlowThread::applyBreakAfterContent):
        * rendering/RenderNamedFlowThread.h:

2014-04-23  Morten Stenshorne  <mstensho@opera.com>

        Overflow propagation broken in BTT and RTL writing-modes
        https://bugs.webkit.org/show_bug.cgi?id=113781

        Reviewed by David Hyatt.

        Overflow rectangles are not quite physical, not quite logical. This
        means that we cannot use clientBoxRect() directly to represent a
        rectangle that expresses exactly no overflow. This rectangle is the
        padding box (relative to the border box) in vertical-lr and
        horizontal-tb, but the block-direction borders need to be flipped in
        vertical-rl and horizontal-bt.

        Tests: fast/css/overflow-btt-border-after.html
               fast/css/overflow-rtl-border-after.html

        * WebCore.exp.in:
        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::computeOverflow):
        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::addLayoutOverflow):
        (WebCore::RenderBox::addVisualOverflow):
        (WebCore::RenderBox::layoutOverflowRectForPropagation):
        * rendering/RenderBox.h:
        (WebCore::RenderBox::layoutOverflowRect):

2014-04-23  Andrei Bucur  <abucur@adobe.com>

        [CSS Regions] Improve the debugging infrastructure
        https://bugs.webkit.org/show_bug.cgi?id=132042

        Reviewed by Mihnea Ovidenie.

        This patch improves the debugging code for CSS Regions.

        Tests: No function change. No new tests.

        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::showRegionsInformation): Print brackets around the region range when dumping
        the render tree to the console.
        * rendering/RootInlineBox.cpp:
        (WebCore::RootInlineBox::containingRegion): Convert the ASSERT to an ASSERT_WITH_SECURITY_IMPLICATION.

2014-04-22  Ryosuke Niwa  <rniwa@webkit.org>

        Cursor doesn't change back to pointer when leaving the Safari window
        https://bugs.webkit.org/show_bug.cgi?id=132038

        Reviewed by Alexey Proskuryakov.

        r147739 incorrectly added an early exit in EventHandler::selectCursor when hit test result didn't have
        any node associated with it. Since we will hit this code when the cursor is outside of the WebView,
        we still need to take the CURSOR_AUTO path as did the code before r147739.

        No new test is added since this behavior can't be tested in DRT or WTR.

        * page/EventHandler.cpp:
        (WebCore::EventHandler::selectCursor):

2014-04-22  Zalan Bujtas  <zalan@apple.com>

        Do not paint border image when the border rect is empty.
        https://bugs.webkit.org/show_bug.cgi?id=131988

        Reviewed by Darin Adler.

        http://trac.webkit.org/changeset/167351 introduced an early return when border
        rect is empty. This patch ensures that border image is not painted either in that case.

        Modified padding-margin-negative-border.html to cover border-image case.

        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::paintBorder):

2014-04-22  Tim Horton  <timothy_horton@apple.com>

        ASSERTION FAILED: scrollerImp == scrollbarPainterForScrollbar(_scrollbar) on two API tests
        https://bugs.webkit.org/show_bug.cgi?id=132034
        <rdar://problem/16624332>

        Reviewed by Simon Fraser.

        * platform/mac/ScrollAnimatorMac.mm:
        (-[WebScrollbarPainterDelegate shouldUseLayerPerPartForScrollerImp:]):
        scrollerImpWithStyle:controlSize:horizontal:replacingScrollerImp: moves the delegate
        from the old scrollerImp to the new one, and also happens to call shouldUseLayerPerPartForScrollerImp.
        Since scrollerImpWithStyle: has not returned yet, the scrollbarPainterForScrollbar still returns the old scrollerImp,
        so this assertion fires. It's safe to remove this because supportsUpdateOnSecondaryThread doesn't make use of the imp.

2014-04-22  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION (r157328): popover to check into flight ba.com dismisses instantly when focusing form
        https://bugs.webkit.org/show_bug.cgi?id=131949

        Reviewed by Darin Adler.

        The regression was caused by two bugs:
        1. The event didn't stop propagating itself even when it should.
           If the related target is same as the event origin, the event propagation should stop when the event reaches
           the root of the related target's tree scope. Otherwise, it should stop when it reaches the related target.

        2. Mouse event's related target exposed nodes inside a user-agent shadow DOM when the related target appeared
           inside the origin.

        Fixed the bugs by re-introducing path shrinkage algorithm removed in r157328 into EventPath::setRelatedTarget
        and adding an algorithm to determine the least common ancestor of the related target and the current target
        in moveToParentOrShadowHost. The latter algorithm doesn't match the shadow DOM specification:
        http://www.w3.org/TR/2013/WD-shadow-dom-20130514/
        but it's good enough in terms of the Web exposed behavior as we don't support author defined insertion points.

        Test: fast/events/shadow-event-path.html

        * dom/EventDispatcher.cpp:
        (WebCore::EventRelatedNodeResolver::moveToParentOrShadowHost):
        (WebCore::EventRelatedNodeResolver::findHostOfTreeScopeInTargetTreeScope): Added.
        (WebCore::EventDispatcher::dispatchEvent):
        (WebCore::EventPath::setRelatedTarget):

2014-04-22  Ryosuke Niwa  <rniwa@webkit.org>

        Rollout r156635 since the old behavior was intentional.

        * page/EventHandler.cpp:
        (WebCore::EventHandler::selectCursor):

2014-04-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167674.
        https://bugs.webkit.org/show_bug.cgi?id=132025

        Going a different way with this (Requested by bradee-oh on
        #webkit).

        Reverted changeset:

        "Change Image Controls replacement to use selection and paste"
        https://bugs.webkit.org/show_bug.cgi?id=131992
        http://trac.webkit.org/changeset/167674

2014-04-22  Brent Fulgham  <bfulgham@apple.com>

        [Win] Support Python 2.7 in Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=132023

        Reviewed by Michael Saboff.

        * DerivedSources.make: Use proper path to Cygwin on
        all platforms.

2014-04-22  Andreas Kling  <akling@apple.com>

        REGRESSION (r151839): Subframe keeps getting mousemove events with the same coordinates after hiding a hovered element.
        <https://webkit.org/b/131974>
        <rdar://problem/15907469>

        When the currently hovered element disappears as a result of style recalc,
        we send a fake mousemove event to the page, to see if anything newly added
        should become hovered.

        The faking mechanism lives in EventHandler and simply synthesizes a new
        mousemove event using the last seen mouse location.

        The problem here is that we were sending this fake mousemove event to the
        subframe where the hovered element lived. Since subframes aren't kept up
        to date on recent mouse locations, this could cause some strange behavior
        where a subframe would dispatch mousemove events with stale coordinates.

        The solution is to always dispatch fake mousemove events from the main
        frame's event handler. This is how real event delivery happens, and hit
        testing will then find the appropriate subframe, if any.

        Reviewed by Benjamin Poulain.

        Test: fast/events/ghostly-mousemoves-in-subframe.html

        * dom/Document.cpp:
        (WebCore::Document::recalcStyle):

2014-04-22  Myles C. Maxfield  <mmaxfield@apple.com>

        [OS X] Glyph spacing for system fonts may be incorrect
        https://bugs.webkit.org/show_bug.cgi?id=131967

        Unreviewed iOS build fix after r167679.

        * platform/graphics/mac/SimpleFontDataMac.mm:

2014-04-22  Myles C. Maxfield  <mmaxfield@apple.com>

        [OS X] Glyph spacing for system fonts may be incorrect
        https://bugs.webkit.org/show_bug.cgi?id=131967

        Unreviewed build fix after r167679.

        * platform/graphics/mac/SimpleFontDataMac.mm:
        (WebCore::hasCustomTracking):

2014-04-21  Myles C. Maxfield  <mmaxfield@apple.com>

        [OS X] Glyph spacing for system fonts may be incorrect
        https://bugs.webkit.org/show_bug.cgi?id=131967

        Reviewed by Simon Fraser.

        Covered by existing tests.

        * platform/graphics/mac/SimpleFontDataMac.mm:
        (WebCore::SimpleFontData::platformWidthForGlyph): Update to use CTFontGetAdvancesForGlyphs() for system fonts
        (WebCore::hasCustomTracking):

2014-04-22  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] widows/orphans cause assertion failures.
        https://bugs.webkit.org/show_bug.cgi?id=131233

        Reviewed by Dean Jackson.

        * rendering/RenderMultiColumnSet.cpp:
        (WebCore::RenderMultiColumnSet::recordSpaceShortage):
        Fix an obvious bug where the space shortage is recorded twice (and the
        if statement that kept it from being negative is accidentally ignored).

2014-04-22  David Hyatt  <hyatt@apple.com>

        [New Multicolumn] Make sure columnTranslationForOffset has the same column-span-aware
        translation that fragment collection does.
        https://bugs.webkit.org/show_bug.cgi?id=131738

        Reviewed by Anders Carlsson.

        * rendering/RenderMultiColumnSet.cpp:
        (WebCore::RenderMultiColumnSet::collectLayerFragments):
        Remove a FIXME that is no longer needed, since the translation offset of the 
        column set did get patched.

        (WebCore::RenderMultiColumnSet::columnTranslationForOffset):
        Add the exact same fix to columnTranslationForOffset that was applied to collectLayerFragments.

2014-04-22  Mark Lam  <mark.lam@apple.com>

        WebCore::HTMLMediaElement::ensureMediaControlsInjectedScript() needs to acquire the JSLock before calling into JS.
        <https://webkit.org/b/132021>

        Reviewed by Mark Hahnenberg.

        Covered by existing layout test.

        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::parseAttribute):

2014-04-22  Manuel Rego Casasnovas  <rego@igalia.com>

        REGRESSION (r167652): Broke fast/regions/cssom/region-range-for-box-crash.html in debug mode
        https://bugs.webkit.org/show_bug.cgi?id=131982

        Reviewed by David Hyatt.

        The problem was creating the Range from the arguments received at RenderView::setSelection(). Specifically
        in this test endPos is 1 when the element has not children which creates an invalid Range.

        * rendering/RenderView.cpp:
        (WebCore::RenderView::splitSelectionBetweenSubtrees): Pass 0 as startPos and endPos to Range::create() as we are
        not interested in the positions at this point.

2014-04-22  Brady Eidson  <beidson@apple.com>

        Change Image Controls replacement to use selection and paste
        <rdar://problem/16302722> and https://bugs.webkit.org/show_bug.cgi?id=131992

        Reviewed by Tim Horton.

        * WebCore.exp.in: Remove deleted symbol.

        * html/shadow/mac/ImageControlsButtonElementMac.cpp:
        (WebCore::ImageControlsButtonElementMac::defaultEventHandler):

        * page/ContextMenuController.cpp:
        (WebCore::ContextMenuController::showImageControlsMenu): Select the image element
          before showing the menu.
        (WebCore::ContextMenuController::replaceControlledImage): Deleted.
        * page/ContextMenuController.h:

2014-04-22  David Hyatt  <hyatt@apple.com>

        REGRESSION: Hitting asserts in new flow thread selection code.
        https://bugs.webkit.org/show_bug.cgi?id=132019

        Reviewed by Anders Carlsson.

        Null checking flowThreadController is not enough. The list of threads
        can be null even when the flowThreadController is not. That's why you
        use hasRenderNamedFlowThreads. I patched the two bad places in the code
        to use hasRenderNamedFlowThreads to stop the crashes.
        
        * rendering/RenderView.cpp:
        (WebCore::RenderView::selectionBounds):
        (WebCore::RenderView::repaintSelection):

2014-04-22  Brent Fulgham  <bfulgham@apple.com>

        Check (rather than assume) element is a RenderTableSection before using it
        https://bugs.webkit.org/show_bug.cgi?id=121858

        Reviewed by David Kilzer.

        Test: fast/table/table-insert-object-before-td-crash.html

        * rendering/RenderTable.cpp:
        (WebCore::RenderTable::addChild): Check that lastBox is a table section before