When navigating, discard decoded image data that is only live due to page cache.

[WebKit-https.git] / Source / WebCore / ChangeLog

2016-06-20  Andreas Kling  <akling@apple.com>

        When navigating, discard decoded image data that is only live due to page cache.
        <https://webkit.org/b/158941>

        Reviewed by Antti Koivisto.

        A resource is "live" if it's currently in use by a web page, and "dead" if it's
        only kept alive by the memory cache.

        This patch adds a mechanism that looks at CachedImage resources to see if all the
        clients that make them appear "live" are actually pages in the page cache.

        If so, we let the "jettison expensive objects on top-level navigation" mechanism
        discard the decoded data for such half-live images. This can reduce the peak
        memory usage during navigations quite a bit.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::commitProvisionalLoad): Move the call to MemoryPressureHandler
        before we add the outgoing page to the page cache. This allows the jettisoning code
        to make decisions based on which pages were cached *before* the navigation.

        * loader/cache/CachedImageClient.h:
        (WebCore::CachedImageClient::inPageCache):
        * loader/ImageLoader.h:
        * loader/ImageLoader.cpp:
        (WebCore::ImageLoader::inPageCache):
        * rendering/RenderObject.h:
        (WebCore::RenderObject::inPageCache): Added a CachedImageClient::inPageCache() virtual
        to determine which clients are currently in page cache (answered by their Document.)

        * loader/cache/CachedImage.h:
        * loader/cache/CachedImage.cpp:
        (WebCore::CachedImage::areAllClientsInPageCache): Walks all CachedImageClient clients
        and returns true if all of them are inPageCache().

        * platform/MemoryPressureHandler.cpp:
        (WebCore::MemoryPressureHandler::jettisonExpensiveObjectsOnTopLevelNavigation):
        Walk all the known CachedImages and nuke decoded data for those that have some but
        are only considered live due to clients in the page cache.

2016-06-20  Chris Dumez  <cdumez@apple.com>

        Unreviewed, fix post-landing review comment from Darin on r202188.

        * platform/network/CacheValidation.cpp:
        (WebCore::parseCacheHeader):

2016-06-19  Antti Koivisto  <antti@apple.com>

        Updating class name of a shadow host does not update the style applied by :host()
        https://bugs.webkit.org/show_bug.cgi?id=158900
        <rdar://problem/26883707>

        Reviewed by Simon Fraser.

        Test: fast/shadow-dom/shadow-host-style-update.html

        Teach style invalidation optimization code about :host.

        * style/AttributeChangeInvalidation.cpp:
        (WebCore::Style::mayBeAffectedByHostStyle):
        (WebCore::Style::AttributeChangeInvalidation::invalidateStyle):
        * style/ClassChangeInvalidation.cpp:
        (WebCore::Style::computeClassChange):
        (WebCore::Style::mayBeAffectedByHostStyle):
        (WebCore::Style::ClassChangeInvalidation::invalidateStyle):
        * style/IdChangeInvalidation.cpp:
        (WebCore::Style::mayBeAffectedByHostStyle):
        (WebCore::Style::IdChangeInvalidation::invalidateStyle):

2016-06-19  Gavin & Ellie Barraclough  <barraclough@apple.com>

        Remove hasStaticPropertyTable (part 5: done!)
        https://bugs.webkit.org/show_bug.cgi?id=158431

        Reviewed by Chris Dumez.

        * bindings/scripts/CodeGeneratorJS.pm:
        (GenerateHeader):
            - remove hasStaticPropertyTable.
        * bindings/scripts/test/JS/JSInterfaceName.h:
        (WebCore::JSInterfaceName::create):
        * bindings/scripts/test/JS/JSTestActiveDOMObject.h:
        (WebCore::JSTestActiveDOMObject::create):
        * bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.h:
        (WebCore::JSTestClassWithJSBuiltinConstructor::create):
        * bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.h:
        (WebCore::JSTestCustomConstructorWithNoInterfaceObject::create):
        * bindings/scripts/test/JS/JSTestCustomNamedGetter.h:
        (WebCore::JSTestCustomNamedGetter::create):
        * bindings/scripts/test/JS/JSTestEventConstructor.h:
        (WebCore::JSTestEventConstructor::create):
        * bindings/scripts/test/JS/JSTestEventTarget.h:
        (WebCore::JSTestEventTarget::create):
        * bindings/scripts/test/JS/JSTestException.h:
        (WebCore::JSTestException::create):
        * bindings/scripts/test/JS/JSTestGenerateIsReachable.h:
        (WebCore::JSTestGenerateIsReachable::create):
        * bindings/scripts/test/JS/JSTestGlobalObject.h:
        * bindings/scripts/test/JS/JSTestInterface.h:
        * bindings/scripts/test/JS/JSTestJSBuiltinConstructor.h:
        (WebCore::JSTestJSBuiltinConstructor::create):
        * bindings/scripts/test/JS/JSTestMediaQueryListListener.h:
        (WebCore::JSTestMediaQueryListListener::create):
        * bindings/scripts/test/JS/JSTestNamedConstructor.h:
        (WebCore::JSTestNamedConstructor::create):
        * bindings/scripts/test/JS/JSTestNode.h:
        * bindings/scripts/test/JS/JSTestNondeterministic.h:
        (WebCore::JSTestNondeterministic::create):
        * bindings/scripts/test/JS/JSTestObj.h:
        (WebCore::JSTestObj::create):
        * bindings/scripts/test/JS/JSTestOverloadedConstructors.h:
        (WebCore::JSTestOverloadedConstructors::create):
        * bindings/scripts/test/JS/JSTestOverrideBuiltins.h:
        (WebCore::JSTestOverrideBuiltins::create):
        * bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.h:
        (WebCore::JSTestSerializedScriptValueInterface::create):
        * bindings/scripts/test/JS/JSTestTypedefs.h:
        (WebCore::JSTestTypedefs::create):
        * bindings/scripts/test/JS/JSattribute.h:
        (WebCore::JSattribute::create):
        * bindings/scripts/test/JS/JSreadonly.h:
        (WebCore::JSreadonly::create):

2016-06-19  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        The JSBuiltinConstructor feature can't handle a JS interface extending an other JS interface
        https://bugs.webkit.org/show_bug.cgi?id=158834

        Reviewed by Eric Carlson.

        No change of behavior.

        * bindings/scripts/CodeGeneratorJS.pm:
        (GenerateHeader): Explicitly setting DOMWrapped type definition from
        JSXX class deriving from another JSYY class.
        * bindings/scripts/test/JS/JSTestEventTarget.h: Rebased.
        * bindings/scripts/test/JS/JSTestNode.h: Ditto.

2016-06-18  Antti Koivisto  <antti@apple.com>

        Use time literals in WebCore
        https://bugs.webkit.org/show_bug.cgi?id=158905

        Reviewed by Andreas Kling.

        std::chrono::milliseconds(1) -> 1ms etc.

        * dom/Document.cpp:
        (WebCore::Document::minimumLayoutDelay):
        (WebCore::Document::elapsedTime):
        * fileapi/FileReader.cpp:
        (WebCore::FileReader::create):
        * inspector/InspectorOverlay.cpp:
        (WebCore::InspectorOverlay::showPaintRect):
        * loader/CrossOriginPreflightResultCache.cpp:
        (WebCore::CrossOriginPreflightResultCache::CrossOriginPreflightResultCache):
        * loader/ProgressTracker.cpp:
        (WebCore::ProgressTracker::progressStarted):
        * loader/cache/CachedResource.cpp:
        (WebCore::CachedResource::freshnessLifetime):
        * page/ChromeClient.h:
        * page/DOMTimer.cpp:
        (WebCore::DOMTimer::intervalClampedToMinimum):
        (WebCore::DOMTimer::alignedFireTime):
        * page/DOMTimer.h:
        * page/FrameView.cpp:
        (WebCore::FrameView::scrollPositionChanged):
        * page/ResourceUsageThread.cpp:
        (WebCore::ResourceUsageThread::threadBody):
        * page/Settings.cpp:
        (WebCore::Settings::Settings):
        * page/mac/ServicesOverlayController.mm:
        (WebCore::ServicesOverlayController::remainingTimeUntilHighlightShouldBeShown):
        * platform/graphics/FontCache.cpp:
        (WebCore::FontCache::fontForFamily):
        * platform/network/CacheValidation.cpp:
        (WebCore::computeCurrentAge):
        (WebCore::computeFreshnessLifetimeForHTTPFamily):

2016-06-17  Benjamin Poulain  <benjamin@webkit.org>

        :indeterminate pseudo-class should match radios whose group has no checked radio
        https://bugs.webkit.org/show_bug.cgi?id=156270

        Reviewed by Simon Fraser.

        The pseudo-class ":indeterminate" is supposed to match radio buttons
        for which the entire group has no checked button.
        Spec: https://html.spec.whatwg.org/#pseudo-classes:selector-indeterminate

        The change is straightforward with one non-obvious choice:
        I added matchesIndeterminatePseudoClass() in addition to shouldAppearIndeterminate().

        The reason is shouldAppearIndeterminate() is used for styling and AX of elements
        with an indeterminate states (check boxes and progress element). There is no such
        UI for radio boxes.
        I could have extended shouldAppearIndeterminate() to radio box
        then filter out this case in RenderTheme. The problem is doing that would also requires
        changes to the repaint logic to match :indeterminate. It seemed overkill to me to
        change repaint() for a case that is never used in practice.

        Tests: fast/css/pseudo-indeterminate-radio-buttons-basics.html
               fast/css/pseudo-indeterminate-with-radio-buttons-style-invalidation.html
               fast/selectors/detached-radio-button-checked-and-indeterminate-states.html
               fast/selectors/pseudo-indeterminate-with-radio-buttons-style-update.html

        * css/SelectorCheckerTestFunctions.h:
        (WebCore::shouldAppearIndeterminate):
        * dom/Element.cpp:
        (WebCore::Element::matchesIndeterminatePseudoClass):
        * dom/Element.h:
        * dom/RadioButtonGroups.cpp:
        (WebCore::RadioButtonGroup::setCheckedButton):
        (WebCore::RadioButtonGroup::updateCheckedState):
        (WebCore::RadioButtonGroup::remove):
        (WebCore::RadioButtonGroup::setNeedsStyleRecalcForAllButtons):
        (WebCore::RadioButtonGroups::hasCheckedButton):
        * dom/RadioButtonGroups.h:
        * html/CheckboxInputType.cpp:
        (WebCore::CheckboxInputType::matchesIndeterminatePseudoClass):
        (WebCore::CheckboxInputType::shouldAppearIndeterminate):
        (WebCore::CheckboxInputType::supportsIndeterminateAppearance): Deleted.
        * html/CheckboxInputType.h:
        * html/HTMLInputElement.cpp:
        (WebCore::HTMLInputElement::setChecked):
        (WebCore::HTMLInputElement::matchesIndeterminatePseudoClass):
        (WebCore::HTMLInputElement::shouldAppearIndeterminate):
        (WebCore::HTMLInputElement::radioButtonGroups):
        * html/HTMLInputElement.h:
        * html/InputType.cpp:
        (WebCore::InputType::matchesIndeterminatePseudoClass):
        (WebCore::InputType::shouldAppearIndeterminate):
        (WebCore::InputType::supportsIndeterminateAppearance): Deleted.
        * html/InputType.h:
        * html/RadioInputType.cpp:
        (WebCore::RadioInputType::matchesIndeterminatePseudoClass):
        (WebCore::RadioInputType::willDispatchClick): Deleted.
        (WebCore::RadioInputType::didDispatchClick): Deleted.
        (WebCore::RadioInputType::supportsIndeterminateAppearance): Deleted.
        The iOS specific code is just plain wrong.
        It was changing the indeterminate state of the input element.
        The spec clearly says that state is only used by checkbox:
        https://html.spec.whatwg.org/#dom-input-indeterminate

        Moreover, the style update would not change the indeterminate state
        of other buttons in the Button Group, which is just bizarre.
        RenderThemeIOS does not make use of any of this with the current style.

        * html/RadioInputType.h:
        * style/StyleSharingResolver.cpp:
        (WebCore::Style::SharingResolver::canShareStyleWithElement):
        (WebCore::Style::canShareStyleWithControl): Deleted.
        (WebCore::Style::SharingResolver::sharingCandidateHasIdenticalStyleAffectingAttributes): Deleted.
        Style sharing is unified behind the selector matching which is neat.

2016-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r202152.
        https://bugs.webkit.org/show_bug.cgi?id=158897

        The new test is very unstable, timing out frequently
        (Requested by ap on #webkit).

        Reverted changeset:

        "Web Inspector: console.profile should use the new Sampling
        Profiler"
        https://bugs.webkit.org/show_bug.cgi?id=153499
        http://trac.webkit.org/changeset/202152

2016-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r202068, r202115, and r202128.
        https://bugs.webkit.org/show_bug.cgi?id=158896

        The new test is very unstable, timing out frequently
        (Requested by ap on #webkit).

        Reverted changesets:

        "decompose4 return value is unchecked, leading to potentially
        uninitialized data."
        https://bugs.webkit.org/show_bug.cgi?id=158761
        http://trac.webkit.org/changeset/202068

        "[mac] LayoutTest transforms/undecomposable.html is a flaky
        timeout"
        https://bugs.webkit.org/show_bug.cgi?id=158816
        http://trac.webkit.org/changeset/202115

        "[mac] LayoutTest transforms/undecomposable.html is a flaky
        timeout"
        https://bugs.webkit.org/show_bug.cgi?id=158816
        http://trac.webkit.org/changeset/202128

2016-06-17  Chris Fleizach  <cfleizach@apple.com>

        AX: HTML indeterminate IDL attribute not mapped to checkbox value=2 for native checkboxes
        https://bugs.webkit.org/show_bug.cgi?id=158876
        <rdar://problem/26842619>

        Reviewed by Joanmarie Diggs.

        The indeterminate state was not being reported for native checkboxes. 

        Also the isIndeterminate() method was relying on whether the appearance changed, which does not happen on Mac, so that
        was not being reported correctly. Changed that to check the actual attribute.

        Test: accessibility/checkbox-mixed-value.html

        * accessibility/AccessibilityNodeObject.cpp:
        (WebCore::AccessibilityNodeObject::isIndeterminate):
        (WebCore::AccessibilityNodeObject::isPressed):
        (WebCore::AccessibilityNodeObject::checkboxOrRadioValue):
        * accessibility/AccessibilityObject.cpp:
        (WebCore::AccessibilityObject::checkboxOrRadioValue):

2016-06-17  Dean Jackson  <dino@apple.com>

        REGRESSION (r199819): CrashTracer: [GraphicsContext3D::getInternalFramebufferSize
        https://bugs.webkit.org/show_bug.cgi?id=158895
        <rdar://problem/26423617>

        Reviewed by Zalan Bujtas.

        In r199819 we started resetting contexts if the page had too
        many. Unfortunately there were entry points in the WebGL context
        that didn't check for the validity of the object before trying
        to access the lower level objects.

        Test: webgl/many-contexts-access-after-loss.html

        * html/canvas/WebGLRenderingContextBase.cpp:
        (WebCore::WebGLRenderingContextBase::drawingBufferWidth): Return 0 if we're lost.
        (WebCore::WebGLRenderingContextBase::drawingBufferHeight): Ditto.

2016-06-17  Daniel Bates  <dabates@apple.com>

        Unreviewed, rolling out r202186.

        Broke the Apple Windows, Apple Yosemite, GTK, and WinCairo
        builds.

        Reverted changeset:

        "File scheme should not allow access of a resource on a
        different volume."
        https://bugs.webkit.org/show_bug.cgi?id=158552
        http://trac.webkit.org/changeset/202186

2016-06-17  Daniel Bates  <dabates@apple.com>

        Unreviewed, rolling out r202187.

        202186

        Reverted changeset:

        "Unreviewed clean-up after r202186."
        http://trac.webkit.org/changeset/202187

2016-06-17  Chris Dumez  <cdumez@apple.com>

        Optimize parseCacheHeader() by using StringView
        https://bugs.webkit.org/show_bug.cgi?id=158891

        Reviewed by Darin Adler.

        Optimize parseCacheHeader() and avoid some temporary String allocations
        by using StringView. We now strip the whitespaces in the input string
        at the beginning of the function, at the same as as we strip the
        control characters. We are then able to leverage StringView in the
        rest of the function to get substrings without the need for extra
        String allocations.

        * platform/network/CacheValidation.cpp:
        (WebCore::isControlCharacterOrSpace):
        (WebCore::trimToNextSeparator):
        (WebCore::parseCacheHeader):

2016-06-17  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed clean-up after r202186.

        * platform/FileSystem.cpp:
        (WebCore::filesHaveSameVolume): Don't use C-style formatting.

2016-06-17  Pranjal Jumde  <pjumde@apple.com>

        File scheme should not allow access of a resource on a different volume.
        https://bugs.webkit.org/show_bug.cgi?id=158552
        <rdar://problem/15307582>

        Reviewed by Brent Fulgham.

        Tests: Tools/TestWebKitAPI/Tests/mac/CrossPartitionFileSchemeAccess.mm

        * page/SecurityOrigin.cpp:
        (WebCore::SecurityOrigin::canDisplay):
        * platform/FileSystem.cpp:
        (WebCore::platformFileStat):
        (WebCore::filesHaveSameVolume):
        Returns true if the files are on the same volume
        * platform/FileSystem.h:

2016-06-17  Antoine Quint  <graouts@apple.com>

        Web video playback controls should have RTL volume slider
        https://bugs.webkit.org/show_bug.cgi?id=158856
        <rdar://problem/25971769>

        Reviewed by Tim Horton.

        We reproduce the system used to propagate the page scale factor from the WebPage to the media controls to
        propagate the user interface layout direction.

        The Page exposes a new setUserInterfaceLayoutDirection() method which is set by the WebPage. The Page
        then notifies the Document of a change, which propagates down to registered media elements, and finally sets
        the usesLTRUserInterfaceLayoutDirection property on the media controller object in the injected JavaScript.
        Based on the value of that property we toggle a new .uses-ltr-user-interface-layout-direction CSS class on the
        .volume-box which applies a translate to the right and flips the volume controls on the x axis.

        Since we're setting a new JS property from HTMLMediaController, we refactor much of the code out of the existing
        pageScaleFactorChanged() and setPageScaleFactorProperty() into the new setControllerJSProperty() method so that
        can easily set a named JS property with a given JSValue.

        For testing purposes, we expose the WebCore::Page::setUserInterfaceLayoutDirection() method through Internals.

        Test: fullscreen/video-controls-rtl.html

        * Modules/mediacontrols/mediaControlsApple.css:
        (video:-webkit-full-screen::-webkit-media-controls-panel .volume-box:not(.uses-ltr-user-interface-layout-direction)):
        * Modules/mediacontrols/mediaControlsApple.js:
        (Controller.prototype.set usesLTRUserInterfaceLayoutDirection):
        * WebCore.xcodeproj/project.pbxproj:
        * dom/Document.cpp:
        (WebCore::Document::registerForUserInterfaceLayoutDirectionChangedCallbacks):
        (WebCore::Document::unregisterForUserInterfaceLayoutDirectionChangedCallbacks):
        (WebCore::Document::userInterfaceLayoutDirectionChanged):
        * dom/Document.h:
        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::registerWithDocument):
        (WebCore::HTMLMediaElement::unregisterWithDocument):
        (WebCore::HTMLMediaElement::updatePageScaleFactorJSProperty):
        (WebCore::HTMLMediaElement::updateUsesLTRUserInterfaceLayoutDirectionJSProperty):
        (WebCore::HTMLMediaElement::setControllerJSProperty):
        (WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
        (WebCore::HTMLMediaElement::pageScaleFactorChanged):
        (WebCore::HTMLMediaElement::userInterfaceLayoutDirectionChanged):
        (WebCore::setPageScaleFactorProperty): Deleted.
        * html/HTMLMediaElement.h:
        * page/Page.cpp:
        (WebCore::Page::setUserInterfaceLayoutDirection):
        * page/Page.h:
        (WebCore::Page::userInterfaceLayoutDirection):
        * platform/UserInterfaceLayoutDirection.h: Renamed from Source/WebKit2/UIProcess/UserInterfaceLayoutDirection.h.
        * testing/Internals.cpp:
        (WebCore::Internals::setUserInterfaceLayoutDirection):
        * testing/Internals.h:
        * testing/Internals.idl:

2016-06-17  Chris Dumez  <cdumez@apple.com>

        TouchEvent should have a constructor
        https://bugs.webkit.org/show_bug.cgi?id=158883
        <rdar://problem/26063585>

        Reviewed by Benjamin Poulain.

        TouchEvent should have a constructor:
        - https://w3c.github.io/touch-events/#touchevent-interface

        Chrome already ships this:
        - https://bugs.chromium.org/p/chromium/issues/detail?id=508675

        Test: fast/events/touch/touch-event-constructor.html

        * bindings/js/JSDictionary.cpp:
        (WebCore::JSDictionary::convertValue):
        * bindings/js/JSDictionary.h:
        * dom/TouchEvent.cpp:
        (WebCore::TouchEvent::TouchEvent):
        * dom/TouchEvent.h:
        * dom/TouchEvent.idl:

2016-06-17  Zalan Bujtas  <zalan@apple.com>

        Potential null dereferencing on a detached positioned renderer.
        https://bugs.webkit.org/show_bug.cgi?id=158879

        Reviewed by Simon Fraser.

        This patch fixes the case when the while loop to search for the absolute positioned ancestor
        returns null (it happens when positioned renderer has been detached from the render tree).

        Speculative fix.

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::markFixedPositionObjectForLayoutIfNeeded):
        * rendering/RenderBlock.h:

2016-06-17  Chris Dumez  <cdumez@apple.com>

        URL hash setter does not remove fragment identifier if argument is an empty string
        https://bugs.webkit.org/show_bug.cgi?id=158869
        <rdar://problem/26863430>

        Reviewed by Darin Adler.

        URL hash setter and URLUtils hash setter should remove the fragment identifier
        if set to "#" or "":
        - https://url.spec.whatwg.org/#dom-url-hash
        - https://html.spec.whatwg.org/multipage/semantics.html#dom-hyperlink-hash

        This patch aligns our behavior with the specification and with other browsers
        (tested Firefox and Chrome).

        This patch also updates HTMLAnchorElement to inherit URLUtils to avoid code
        duplication. HTMLAnchorElement already implements URLUtils in the IDL, as per
        the specification:
        - https://html.spec.whatwg.org/multipage/semantics.html#htmlanchorelement

        No new tests, rebaselined existing tests.

        * html/HTMLAnchorElement.cpp:
        (WebCore::HTMLAnchorElement::origin): Deleted.
        (WebCore::HTMLAnchorElement::text): Deleted.
        (WebCore::HTMLAnchorElement::setText): Deleted.
        (WebCore::HTMLAnchorElement::toString): Deleted.
        (WebCore::HTMLAnchorElement::isLiveLink): Deleted.
        (WebCore::HTMLAnchorElement::sendPings): Deleted.
        (WebCore::HTMLAnchorElement::handleClick): Deleted.
        (WebCore::HTMLAnchorElement::eventType): Deleted.
        (WebCore::HTMLAnchorElement::treatLinkAsLiveForEventType): Deleted.
        (WebCore::isEnterKeyKeydownEvent): Deleted.
        (WebCore::shouldProhibitLinks): Deleted.
        (WebCore::HTMLAnchorElement::willRespondToMouseClickEvents): Deleted.
        (WebCore::rootEditableElementMap): Deleted.
        (WebCore::HTMLAnchorElement::rootEditableElementForSelectionOnMouseDown): Deleted.
        (WebCore::HTMLAnchorElement::clearRootEditableElementForSelectionOnMouseDown): Deleted.
        (WebCore::HTMLAnchorElement::setRootEditableElementForSelectionOnMouseDown): Deleted.
        * html/HTMLAnchorElement.h:
        (WebCore::HTMLAnchorElement::invalidateCachedVisitedLinkHash): Deleted.
        * html/URLUtils.h:
        (WebCore::URLUtils<T>::setHash):

2016-06-17  John Wilander  <wilander@apple.com>

        Ignore case in the check for security origin inheritance
        https://bugs.webkit.org/show_bug.cgi?id=158878

        Reviewed by Alex Christensen.

        Darin Adler commented in https://bugs.webkit.org/show_bug.cgi?id=158855:
        "Are these comparisons intentionally case sensitive? Shouldn’t they ignore ASCII 
        case? We could use equalIgnoringASCIICase and equalLettersIgnoringASCIICase for 
        those two lines instead of using ==. URL::parse normalizes letters in the scheme 
        and host by using toASCIILower, but does not normalize letters elsewhere in the 
        URL, such as in the "blank" or "srcdoc" in the above URLs."

        Test: http/tests/dom/window-open-about-uppercase-blank-and-access-document.html

        * platform/URL.cpp:
        (WebCore::URL::shouldInheritSecurityOriginFromOwner):

2016-06-17  Hyungwook Lee  <hyungwook.lee@navercorp.com>

        Fix compilation errors when we enable DUMP_NODE_STATISTICS in Node.h
        https://bugs.webkit.org/show_bug.cgi?id=158868

        Reviewed by Alex Christensen.

        Fix compilation errors in Node.cpp when we enable DUMP_NODE_STATISTICS

        * dom/Node.cpp:
        (WebCore::Node::dumpStatistics):

2016-06-17  Per Arne Vollan  <pvollan@apple.com>

        [Win] Scrolling in popup menu scrolls past last entry.
        https://bugs.webkit.org/show_bug.cgi?id=158870

        Reviewed by Brent Fulgham.

        When the popup has a scrollbar, the content size is not equal to the popup window size.
  
        * platform/win/PopupMenuWin.cpp:
        (WebCore::PopupMenuWin::contentsSize):

2016-06-17  Frederic Wang  <fwang@igalia.com>

        Refactor RenderMathMLRoot layout function to avoid using flexbox
        https://bugs.webkit.org/show_bug.cgi?id=153987

        Reviewed by Brent Fulgham.

        No new tests, already covered by existing tests.
        A case for RTL root has been added to roots.xhtml.

        We reimplement RenderMathMLRoot without any flexbox or anonymous.
        The anonymous RenderMathMLRadicalOperator used to draw the radical sign is replaced with
        the MathOperator class introduced in bug 152244.
        msqrt (row of children under a square root) is now implemented directly in RenderMathMLRoot,
        so RenderMathMLSquareRoot is removed and RenderMathMLRoot now inherits from RenderMathMLRow.

        * CMakeLists.txt: Remove files for RenderMathMLRadicalOperator and RenderMathMLSquareRoot.
        * WebCore.xcodeproj/project.pbxproj: ditto.
        * accessibility/AccessibilityRenderObject.cpp: Update code now that we do not use any
        radical wrappers.
        (WebCore::AccessibilityRenderObject::isMathRow): Now that RenderMathMLRoot inherits from
        RenderMathMLRow, we must exclude MathRoot or otherwise some accessibility code may treat
        roots as rows.
        (WebCore::AccessibilityRenderObject::mathRadicandObject): Return the first child for
        Root/SquareRoot or nullptr.
        (WebCore::AccessibilityRenderObject::mathRootIndexObject): Return the second child for
        Root and nullptr for SquareRoot.
        * mathml/MathMLInlineContainerElement.cpp:
        (WebCore::MathMLInlineContainerElement::childrenChanged): We no longer need a special case
        for msqrt, it is treated as a normal RenderMathMLRow.
        (WebCore::MathMLInlineContainerElement::createElementRenderer): Make msqrt create a
        RenderMathMLRoot object.
        * rendering/RenderObject.h:
        (WebCore::RenderObject::isRenderMathMLRadicalOperator): Deleted.
        * rendering/mathml/RenderMathMLBlock.cpp:
        (WebCore::RenderMathMLBlock::mirrorIfNeeded): New function to mirror a child horizontal
        offset according to the parent width.
        (WebCore::RenderMathMLBlock::renderName):
        * rendering/mathml/RenderMathMLBlock.h:
        (WebCore::RenderMathMLBlock::mirrorIfNeeded): Moved from RenderMathMLScripts, just forward
        call to the other mirrorIfNeeded function.
        * rendering/mathml/RenderMathMLOperator.cpp: We no longer need this trailingSpaceError hack.
        (WebCore::RenderMathMLOperator::trailingSpaceError): Deleted.
        * rendering/mathml/RenderMathMLOperator.h: ditto.
        * rendering/mathml/RenderMathMLRadicalOperator.cpp: Removed. The radical sign is now drawn
        with a MathOperator.
        * rendering/mathml/RenderMathMLRadicalOperator.h: Removed.
        * rendering/mathml/RenderMathMLRoot.cpp: Complete refactoring to avoid using flexbox and
        anonymous wrappers.
        (WebCore::RenderMathMLRoot::RenderMathMLRoot): Set m_kind parameters to distinguish between
        square root and general root and set the MathOperator member to draw the radical sign.
        (WebCore::RenderMathMLRoot::isValid): Helper function to verify whether the child list is valid.
        (WebCore::RenderMathMLRoot::getBase): Get the base of an mroot.
        (WebCore::RenderMathMLRoot::getIndex): Get the index of an mroot.
        (WebCore::RenderMathMLRoot::styleDidChange): Be sure to keep the style of the
        MathOperator in sync with ours ; no need to skip empty roots.
        (WebCore::RenderMathMLRoot::updateFromElement): Call the function from the new parent class ;
        no need to skip empty roots.
        (WebCore::RenderMathMLRoot::updateStyle): Remove the isEmpty ASSERT as it is valid to have
        empty square root. Set the m_kernBeforeDegree, m_kernBeforeDegree members.
        No need to set style for anonymous.
        (WebCore::RenderMathMLRoot::computePreferredLogicalWidths): Implement this function.
        (WebCore::RenderMathMLRoot::layoutBlock): Implement this function.
        (WebCore::RenderMathMLRoot::paintChildren): Implement this function.
        (WebCore::RenderMathMLRoot::paint): Remove the trailingSpaceError hack ;
        paint the radical sign via MathOperator::paint
        (WebCore::RenderMathMLRoot::baseWrapper): Deleted.
        (WebCore::RenderMathMLRoot::radicalWrapper): Deleted.
        (WebCore::RenderMathMLRoot::indexWrapper): Deleted.
        (WebCore::RenderMathMLRoot::radicalOperator): Deleted.
        (WebCore::RenderMathMLRoot::restructureWrappers): Deleted.
        (WebCore::RenderMathMLRoot::addChild): Deleted.
        (WebCore::RenderMathMLRoot::firstLineBaseline): Deleted.
        (WebCore::RenderMathMLRoot::layout): Deleted.
        (WebCore::RenderMathMLRootWrapper::createAnonymousWrapper): Deleted.
        (WebCore::RenderMathMLRootWrapper::removeChildWithoutRestructuring): Deleted.
        (WebCore::RenderMathMLRootWrapper::removeChild): Deleted.
        * rendering/mathml/RenderMathMLRoot.h: Make RenderMathMLRoot inherit from RenderMathMLRow.
        Make RenderMathMLRoot support <msqrt>.
        Remove all the anonymous wrapper stuff and instead use a MathOperator for the radical symbol.
        Update function declaration to implement layout without flexbox and add some helper functions.
        * rendering/mathml/RenderMathMLRow.cpp: Allow to get the exact metrics of the chid row,
        for use in RenderMathMLRoot.
        (WebCore::RenderMathMLRow::computeLineVerticalStretch): rename parameters.
        (WebCore::RenderMathMLRow::layoutRowItems): Set parameters to the final ascent, descent and
        logical width of the chid row. Set the temporary logical width for RenderMathRoot before
        laying the children out.
        (WebCore::RenderMathMLRow::layoutBlock): Rename parameters ; add a dummy logicalWidth
        parameter.
        * rendering/mathml/RenderMathMLRow.h: Make some functions accessible or overridable by
        RenderMathMLRoot. Make layoutRowItems return the final ascent, descent and logical width
        after the chid row is laid out.
        * rendering/mathml/RenderMathMLScripts.cpp: Move mirrorIfNeeded to RenderMathMLBlock.
        (WebCore::RenderMathMLScripts::mirrorIfNeeded): Deleted.
        * rendering/mathml/RenderMathMLScripts.h: Move mirrorIfNeeded to RenderMathMLBlock.
        * rendering/mathml/RenderMathMLSquareRoot.cpp: Removed.
        * rendering/mathml/RenderMathMLSquareRoot.h: Removed.
        * rendering/mathml/MathOperator.cpp:
        (WebCore::MathOperator::paint): Apply a mirroring scale transform to radical symbol
        in RTL direction.

2016-06-17  Chris Dumez  <cdumez@apple.com>

        Drop some unnecessary header includes
        https://bugs.webkit.org/show_bug.cgi?id=158864

        Reviewed by Alexey Proskuryakov.

        Drop some unnecessary header includes to try and reduce build times.

        * WebCore.xcodeproj/project.pbxproj:
        * accessibility/AccessibilityList.cpp:
        * css/CSSComputedStyleDeclaration.cpp:
        * css/MediaQueryMatcher.cpp:
        * css/StyleMedia.cpp:
        * css/TransformFunctions.cpp:
        * dom/NodeRenderStyle.h:
        * dom/PseudoElement.h:
        (isType): Deleted.
        * html/HTMLTitleElement.cpp:
        * html/shadow/MediaControlElementTypes.h:
        * html/shadow/MediaControls.cpp:
        * inspector/InspectorDOMAgent.h:
        * inspector/InspectorLayerTreeAgent.h:
        * inspector/InspectorPageAgent.cpp:
        * page/scrolling/AsyncScrollingCoordinator.cpp:
        * page/scrolling/ScrollingCoordinator.h:
        * rendering/BidiRun.h:
        * rendering/BorderEdge.h:
        * rendering/RenderElement.h:
        * rendering/RenderObject.h:
        (WebCore::AnnotatedRegionValue::operator==): Deleted.
        (WebCore::AnnotatedRegionValue::operator!=): Deleted.
        * rendering/RenderObjectEnums.h: Added.
        * rendering/RenderTheme.h:
        * rendering/SimpleLineLayoutFlowContents.h:
        * rendering/SimpleLineLayoutTextFragmentIterator.h:
        * rendering/TextPainter.h:
        * rendering/style/RenderStyle.h:
        (WebCore::pseudoElementRendererIsNeeded):
        * rendering/style/ShapeValue.cpp:
        * rendering/style/ShapeValue.h:
        * style/ClassChangeInvalidation.cpp:
        * style/ClassChangeInvalidation.h:
        * style/InlineTextBoxStyle.h:
        * style/StyleUpdate.cpp:

2016-06-17  Andreas Kling  <akling@apple.com>

        [iOS] Throw away linked code when navigating to a new page.
        <https://webkit.org/b/153851>

        Reviewed by Antti Koivisto.

        When navigating to a new page, tell JSC to throw out any linked code it has lying around.
        Linked code is tied to a specific global object, and as we're creating a new one for the
        new page, none of it is useful to us here.

        In the event that the user navigates back, the cost of relinking some code will be far
        lower than the memory cost of keeping all of it around.

        This was in-tree before but was rolled out due to regressing JSBench. It was a slowdown
        due to the benchmark harness using top-level navigations to drive the tests.
        This new version avoids that problem by only throwing out code if we haven't navigated
        in the last 2 seconds. This also prevents excessive work in response to redirects.

        I've also moved this into MemoryPressureHandler so we don't make a mess in FrameLoader.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::commitProvisionalLoad):
        * platform/MemoryPressureHandler.cpp:
        (WebCore::MemoryPressureHandler::jettisonExpensiveObjectsOnTopLevelNavigation):
        * platform/MemoryPressureHandler.h:

2016-06-17  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        CORS preflight with a non-200 response should be a preflight failure
        https://bugs.webkit.org/show_bug.cgi?id=111008

        Reviewed by Darin Adler.

        Covered by rebased tests.

        * Modules/fetch/FetchResponse.h: Making use of ResourceResponse::isSuccessful.
        * loader/CrossOriginPreflightChecker.cpp:
        (WebCore::CrossOriginPreflightChecker::validatePreflightResponse): Checking that response status is code is
        successful. If not, calling preflight failure callback.
        (WebCore::CrossOriginPreflightChecker::startPreflight): Putting in manual redirection mode so that redirection
        responses are processed as other responses.
        * loader/ResourceLoaderOptions.h:
        (WebCore::ResourceLoaderOptions::fetchOptions): Adding a non-const getter and fixing const getter to return a
        const reference.
        (WebCore::ResourceLoaderOptions::setFetchOptions): Passing options by reference.
        * platform/network/ResourceResponseBase.cpp:
        (WebCore::ResourceResponseBase::isSuccessful): Utility function.
        * platform/network/ResourceResponseBase.h:

2016-06-17  Frederic Wang  <fwang@igalia.com>

        MathOperator: Add fallback mechanisms for stretching and mirroring radical symbols
        https://bugs.webkit.org/show_bug.cgi?id=156836

        Reviewed by Sergio Villar Senin.

        Some platforms do not have OpenType MATH fonts pre-installed and thus can not draw stretchy
        operators using size variants or glyph assembly. This is especially problematic for the
        radical symbol which is used to write roots. Currently, we have some fallback code to draw
        that symbol using graphical primitives but it is a bit complex and makes the style of radical
        inconsistent with the font used. We solve these issues by just scaling the base glyph via a
        scale transform. Such scale transform is also used to mirror the radical symbol so that we
        have some support for right-to-left roots until we can do glyph-level mirroring
        via the OpenType rtlm feature.

        Test: mathml/radical-fallback.html

        * rendering/mathml/MathOperator.cpp: Add a constant for the code point U+221A of the radical.
        (WebCore::MathOperator::reset): In general, we don't need any vertical scaling for radical
        symbols so m_radicalVerticalScale is initialized to 1.
        (WebCore::MathOperator::calculateStretchyData): If we don't have a font with a MATH table and we
        try streching a radical, then we update the vertical metrics to match the target size and
        set m_radicalVerticalScale to the value necessary to make the base glyph scaled to that size.
        (WebCore::MathOperator::paint): For a radical operator, we may apply a scale transform of
        parameters (radicalHorizontalScale, m_radicalVerticalScale) in order to support RTL
        mirroring or vertical stretching.
        * rendering/mathml/MathOperator.h: We add a m_radicalVerticalScale member to indicate the
        scaling to apply to the base radical glyph when the stretchy fallback is necessary.
        (WebCore::MathOperator::isStretched): The operator is also considered stretched when the
        m_radicalVerticalScale is applied to the base size.
        * rendering/mathml/RenderMathMLRadicalOperator.cpp: Remove code specific to the old fallback mechanism.
        * rendering/mathml/RenderMathMLRadicalOperator.h: Ditto.

2016-06-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r202147.
        https://bugs.webkit.org/show_bug.cgi?id=158867

        Broke scrolling tests on iOS Simulator (Requested by ap on
        #webkit).

        Reverted changeset:

        "Focus event dispatched in iframe causes parent document to
        scroll incorrectly"
        https://bugs.webkit.org/show_bug.cgi?id=158629
        http://trac.webkit.org/changeset/202147

2016-06-16  Benjamin Poulain  <bpoulain@apple.com>

        :in-range & :out-of-range CSS pseudo-classes shouldn't match disabled or readonly inputs
        https://bugs.webkit.org/show_bug.cgi?id=156530

        Reviewed by Simon Fraser.

        Elements should only match :in-range and :out-of-range
        when they are candidate for constraint validation.

        Tests: fast/css/pseudo-in-range-on-disabled-input-basics.html
               fast/css/pseudo-in-range-on-readonly-input-basics.html
               fast/css/pseudo-in-range-out-of-range-on-disabled-input-trivial.html
               fast/css/pseudo-out-of-range-on-disabled-input-basics.html
               fast/css/pseudo-out-of-range-on-readonly-input-basics.html
               fast/selectors/in-range-out-of-range-style-update.html

        * html/BaseDateAndTimeInputType.cpp:
        (WebCore::BaseDateAndTimeInputType::minOrMaxAttributeChanged):
        * html/NumberInputType.cpp:
        (WebCore::NumberInputType::minOrMaxAttributeChanged):
        I forgot to handle style update in r202143.
        This is covered by the new style invalidation test.

        * html/BaseDateAndTimeInputType.h:
        * html/HTMLInputElement.cpp:
        (WebCore::HTMLInputElement::isInRange):
        (WebCore::HTMLInputElement::isOutOfRange):

2016-06-16  Frederic Wang  <fwang@igalia.com>

        Add separate MathOperator for selection/measuring/drawing of stretchy operators
        https://bugs.webkit.org/show_bug.cgi?id=152244

        Reviewed by Brent Fulgham.

        We complete the class to select, measure and draw stretchy operators that is independent
        from RenderMathMLOperator. That way, we will be able use stretchy operator without having
        to introduce & manage anonymous RenderMathMLOperator's
        (e.g for <mroot>, <msqrt> and <mfenced>).

        No new tests, already covered by existing tests.

        * rendering/mathml/MathOperator.cpp:
        (WebCore::ascentForGlyph): Add this helper function to get glyph ascent.
        (WebCore::descentForGlyph): Add this helper function to get glyph descent.
        (WebCore::MathOperator::reset): Initialize all the data and calculate ascent/descent of the
        base glyph.
        (WebCore::MathOperator::setSizeVariant): Set the width/ascent/descent.
        (WebCore::MathOperator::setGlyphAssembly): Ditto.
        (WebCore::MathOperator::calculateDisplayStyleLargeOperator): Remove the STIX Word hack and
        change m_maxPreferredWidth to use the actual width instead.
        (WebCore::MathOperator::stretchTo): New functions to execute the actual operator streching.
        (WebCore::MathOperator::fillWithVerticalExtensionGlyph): Add a FIXME for bug 155434.
        (WebCore::MathOperator::fillWithHorizontalExtensionGlyph): Align all the glyph baselines on
        the same axis, given by m_ascent.
        Add a FIXME for bug 155434.
        (WebCore::MathOperator::paintHorizontalGlyphAssembly): Ditto.
        (WebCore::MathOperator::paint): Public function to do the painting.
        (WebCore::MathOperator::paintVerticalGlyphAssembly): Deleted.
        * rendering/mathml/MathOperator.h: Update declarations and make most of the members private.
        (WebCore::MathOperator::ascent): Function to expose m_ascent.
        (WebCore::MathOperator::descent): Function to expose m_descent.
        * rendering/mathml/RenderMathMLOperator.cpp:
        (WebCore::RenderMathMLOperator::stretchTo): Forward the stretching call to MathOperator.
        (WebCore::RenderMathMLOperator::computePreferredLogicalWidths): Unfold advanceForGlyph
        since we delete RenderMathMLOperator::advanceForGlyph. Just rely on
        MathOperator::maxPreferredWidth to determine the preferred width of stretchy operators.
        For horizontal operators, we just use the width of the base glyph.
        Finally, we remove the dirty flag on preferred logical width.
        (WebCore::RenderMathMLOperator::rebuildTokenContent): Reinit the MathOperator instance.
        (WebCore::RenderMathMLOperator::updateFromElement): Force more updates of
        RenderMathMLOperator to avoid test breakage.
        (WebCore::RenderMathMLOperator::styleDidChange): Call MathOperator::reset to take into
        account style change.
        (WebCore::RenderMathMLOperator::updateStyle): Remove unused code.
        (WebCore::RenderMathMLOperator::firstLineBaseline): Use MathOperator::ascent() function.
        (WebCore::RenderMathMLOperator::computeLogicalHeight): Use MathOperator::ascent() and
        MathOperator::descent() functions to calculate the height.
        (WebCore::RenderMathMLOperator::paint): Only stretched operators are treated specially.
        We center horizontal operator and forward the paint() call to MathOperator.
        (WebCore::RenderMathMLOperator::trailingSpaceError): The error is now just the difference
        between the values returned by MathOperator::maxPreferredWidth() and
        MathOperator::width().
        (WebCore::boundsForGlyph): Deleted.
        (WebCore::heightForGlyph): Deleted.
        (WebCore::advanceWidthForGlyph): Deleted.
        (WebCore::RenderMathMLOperator::updateStyle): Deleted.

2016-06-16  Jiewen Tan  <jiewen_tan@apple.com>

        CSP: Content Security Policy should allow '*' to match the originating page's scheme
        https://bugs.webkit.org/show_bug.cgi?id=158811
        <rdar://problem/26819568>

        Reviewed by Daniel Bates.

        Tests: security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star.html
               security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star.html
               security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star.html
               security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star.html

        * page/csp/ContentSecurityPolicySourceList.cpp:
        (WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar):

2016-06-16  Chris Dumez  <cdumez@apple.com>

        Add HTTPHeaderMap::set() overload taking a NSString*
        https://bugs.webkit.org/show_bug.cgi?id=158857

        Reviewed by Darin Adler.

        Add HTTPHeaderMap::set() overloading taking a NSString* in addition to
        the one taking a CFStringRef. It is useful for the Cocoa implementation
        of ResourceRequest::doUpdateResourceRequest().

        * platform/network/HTTPHeaderMap.h:
        (WebCore::HTTPHeaderMap::set):

2016-06-16  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.profile should use the new Sampling Profiler
        https://bugs.webkit.org/show_bug.cgi?id=153499
        <rdar://problem/24352431>

        Reviewed by Timothy Hatcher.

        Test: inspector/timeline/setInstruments-programmatic-capture.html

        * inspector/InspectorTimelineAgent.cpp:
        (WebCore::InspectorTimelineAgent::startFromConsole):
        (WebCore::InspectorTimelineAgent::stopFromConsole):
        (WebCore::InspectorTimelineAgent::mainFrameStartedLoading):
        (WebCore::InspectorTimelineAgent::startProgrammaticCapture):
        (WebCore::InspectorTimelineAgent::stopProgrammaticCapture):
        (WebCore::InspectorTimelineAgent::toggleInstruments):
        (WebCore::InspectorTimelineAgent::toggleScriptProfilerInstrument):
        (WebCore::InspectorTimelineAgent::toggleHeapInstrument):
        (WebCore::InspectorTimelineAgent::toggleMemoryInstrument):
        (WebCore::InspectorTimelineAgent::toggleTimelineInstrument):
        * inspector/InspectorTimelineAgent.h:
        Web implementation of console.profile/profileEnd.
        Make helpers for startings / stopping instruments.

2016-06-16  John Wilander  <wilander@apple.com>

        Restrict security origin inheritance to empty, about:blank, and about:srcdoc URLs
        https://bugs.webkit.org/show_bug.cgi?id=158855
        <rdar://problem/26142632>

        Reviewed by Alex Christensen.

        Tests: http/tests/dom/window-open-about-blank-and-access-document.html
               http/tests/dom/window-open-about-webkit-org-and-access-document.html

        Document.cpp previously checked whether a document should inherit its owner's 
        security origin by checking if the URL is either empty or blank. URL.cpp in 
        turn only checks if the protocol is "about:" in the isBlankURL() function. 
        Thus all about:* URLs inherited security origin. This patch restricts 
        security origin inheritance to empty, about:blank, and about:srcdoc URLs.

        Quotes and links from the WHATWG spec regarding about:srcdoc:

        7.1 Browsing contexts
        A browsing context can have a creator browsing context, the browsing context 
        that was responsible for its creation. If a browsing context has a parent 
        browsing context, then that is its creator browsing context. Otherwise, if the 
        browsing context has an opener browsing context, then that is its creator 
        browsing context. Otherwise, the browsing context has no creator browsing 
        context.
        https://html.spec.whatwg.org/multipage/browsers.html#concept-document-bc

        7.1.1 Nested browsing contexts
        Certain elements (for example, iframe elements) can instantiate further 
        browsing contexts. These are called nested browsing contexts. If a browsing 
        context P has a Document D with an element E that nests another browsing 
        context C inside it, then C is said to be nested through D, and E is said to 
        be the browsing context container of C. If the browsing context container 
        element E is in the Document D, then P is said to be the parent browsing 
        context of C and C is said to be a child browsing context of P. Otherwise, 
        the nested browsing context C has no parent browsing context.
        https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context

        4.8.5 The iframe element
        The iframe element represents a nested browsing context.
        ...
        If the srcdoc attribute is specified
            Navigate the element's child browsing context to a new response whose 
            url list consists of about:srcdoc ...
        https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-srcdoc

        * dom/Document.cpp:
        (WebCore::Document::initSecurityContext):
            Now uses the URL::shouldInheritSecurityOriginFromOwner() function instead.
        (WebCore::Document::initContentSecurityPolicy):
            Now uses the URL::shouldInheritSecurityOriginFromOwner() function instead.
        (WebCore::shouldInheritSecurityOriginFromOwner): Deleted.
            Moved to URL::shouldInheritSecurityOriginFromOwner() and restricted the check.
        * platform/URL.cpp:
        (WebCore::URL::shouldInheritSecurityOriginFromOwner):
        * platform/URL.h:
            Moved the function from Document and restricted the check to only allow
            security origin inheritance for empty, about:blank, and about:srcdoc URLs.

2016-06-16  Simon Fraser  <simon.fraser@apple.com>

        [iOS] Focus event dispatched in iframe causes parent document to scroll incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=158629
        rdar://problem/26521616

        Reviewed by Enrica Casucci.

        When focussing elements in iframes, the page could scroll to an incorrect location.
        This happened because code in Element::focus() tried to disable scrolling on focus,
        but did so only for the current frame, so ancestor frames got programmatically scrolled.
        On iOS we handle the scrolling in the UI process, so never want the web process to
        do programmatic scrolling.

        Fix by changing the focus and cache restore code to use SelectionRevealMode::DoNotReveal,
        rather than manually prohibiting frame scrolling.

        Tests: fast/forms/ios/focus-input-in-iframe.html
               fast/forms/ios/programmatic-focus-input-in-iframe.html

        * dom/Element.cpp:
        (WebCore::Element::focus):
        * history/CachedPage.cpp:
        (WebCore::CachedPage::restore):

2016-06-16  Zalan Bujtas  <zalan@apple.com>

        [New Block-Inside-Inline Model] Do not attempt to re-run margin collapsing on the block sequence.
        https://bugs.webkit.org/show_bug.cgi?id=158854

        Reviewed by David Hyatt.

        Test: fast/block/inside-inlines/crash-on-first-line-change.html

        * rendering/RenderBlockLineLayout.cpp:
        (WebCore::RenderBlockFlow::marginCollapseLinesFromStart):

2016-06-16  Ting-Wei Lan  <lantw44@gmail.com>

        Include cstdlib before using std::atexit
        https://bugs.webkit.org/show_bug.cgi?id=158681

        Reviewed by Brent Fulgham.

        * platform/graphics/PlatformDisplay.cpp:

2016-06-16  Chris Dumez  <cdumez@apple.com>

        Use StringView::toAtomicString() in HTMLImageElement::setBestFitURLAndDPRFromImageCandidate()
        https://bugs.webkit.org/show_bug.cgi?id=158853

        Reviewed by Brent Fulgham.

        Use StringView::toAtomicString() in HTMLImageElement::setBestFitURLAndDPRFromImageCandidate()
        as m_bestFitImageURL data member is an AtomicString. This avoids constructing a String and
        then atomizing it.

        * html/HTMLImageElement.cpp:
        (WebCore::HTMLImageElement::setBestFitURLAndDPRFromImageCandidate):

2016-06-16  Benjamin Poulain  <bpoulain@apple.com>

        :in-range & :out-of-range CSS pseudo-classes shouldn't match inputs without range limitations
        https://bugs.webkit.org/show_bug.cgi?id=156558

        Reviewed by Simon Fraser.

        The pseudo selectors :in-range and :out-of-range should only
        apply if:
        -minimum/maximum are defined for the input type
        -the input value is/is-not suffering from underflow/overflow.

        Only certain types have a valid minimum and maximum:
        -number
        -range
        -date
        -month
        -week
        -time
        -datetime-local

        Of those, only one has a default minimum and maximum: range.
        For all the others, the minimum or maximum is only defined
        if the min/max attribute is defined and valid.

        This patch addresses these constraints for number and range.
        The date types range validation is severely broken and is
        left untouched. It really needs a clean rewrite.

        Tests: fast/css/pseudo-in-range-basics.html
               fast/css/pseudo-in-range-out-of-range-trivial.html
               fast/css/pseudo-out-of-range-basics.html

        * html/DateInputType.cpp:
        (WebCore::DateInputType::createStepRange):
        * html/DateTimeInputType.cpp:
        (WebCore::DateTimeInputType::createStepRange):
        * html/DateTimeLocalInputType.cpp:
        (WebCore::DateTimeLocalInputType::createStepRange):
        * html/InputType.cpp:
        (WebCore::InputType::isInRange):
        (WebCore::InputType::isOutOfRange):
        Notice the isEmpty() shortcut.
        A value can only overflow/underflow if it is not empty.

        * html/MonthInputType.cpp:
        (WebCore::MonthInputType::createStepRange):
        * html/NumberInputType.cpp:
        (WebCore::NumberInputType::createStepRange):
        * html/RangeInputType.cpp:
        (WebCore::RangeInputType::createStepRange):
        * html/StepRange.cpp:
        (WebCore::StepRange::StepRange):
        * html/StepRange.h:
        (WebCore::StepRange::hasRangeLimitations):
        * html/WeekInputType.cpp:
        (WebCore::WeekInputType::createStepRange):

2016-06-16  Anders Carlsson  <andersca@apple.com>

        Fix macOS Sierra build
        https://bugs.webkit.org/show_bug.cgi?id=158849

        Reviewed by Tim Horton.

        Add WebCore:: qualifiers for IOSurface, to avoid conflicts with the IOSurface Objective-C class.
        
        Also, add an asLayerContents() getter that will return an id that's suitable for setting 
        as the contents of a CALayer.

        * platform/graphics/cocoa/IOSurface.h:
        * platform/graphics/cocoa/IOSurface.mm:

2016-06-16  Andreas Kling  <akling@apple.com>

        REGRESSION(r196217): 3% JSBench regression on iPhone 5.
        <https://webkit.org/b/158848>
        <rdar://problem/26609622>

        Unreviewed rollout.

        Don't jettison linked code on every top-level navigation as that was hurting JSBench on iPhone 5.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::commitProvisionalLoad):

2016-06-16  Adam Bergkvist  <adam.bergkvist@ericsson.com>

        WebRTC: Check type of this in RTCPeerConnection JS built-in functions
        https://bugs.webkit.org/show_bug.cgi?id=151303

        Reviewed by Youenn Fablet.

        Check type of 'this' in RTCPeerConnection JS built-in functions.

        Test: fast/mediastream/RTCPeerConnection-js-built-ins-check-this.html

        * Modules/mediastream/RTCPeerConnection.js:
        (createOffer):
        (createAnswer):
        (setLocalDescription):
        (setRemoteDescription):
        (addIceCandidate):
        (getStats):
        Reject if 'this' isn't of type RTCPeerConnection.
        * Modules/mediastream/RTCPeerConnectionInternals.js:
        (isRTCPeerConnection):
        Add helper function to perform type check. Needs further robustifying.

2016-06-16  Myles C. Maxfield  <mmaxfield@apple.com>

        Sporadic crash in HashTableAddResult following CSSValuePool::createFontFamilyValue
        https://bugs.webkit.org/show_bug.cgi?id=158297

        Reviewed by Darin Adler.

        In an effort to reduce the flash of unstyled content, we force all elements
        to have display: none during an external stylesheet load. We do this by
        ignoring the CSS cascade and forcing all elements to have a placeholder style
        which hardcodes display: none. (This is necessary to make elements created by
        script during the stylesheet load not flash.)

        This style is exposed to web content via getComputedStyle(), which means it
        needs to maintain the invariant that font-families can never be null strings.
        We enforce this by forcing the font-family to be the standard font name.

        Test: fast/text/placeholder-renderstyle-null-font.html

        * style/StyleTreeResolver.cpp:
        (WebCore::Style::ensurePlaceholderStyle):

2016-06-16  Chris Dumez  <cdumez@apple.com>

        Avoid some temporary String allocations for common HTTP headers in ResourceResponse::platformLazyInit()
        https://bugs.webkit.org/show_bug.cgi?id=158827

        Reviewed by Darin Adler.

        Add a HTTPHeaderMap::set() overload taking in a CFStringRef. The
        implementation has a fast path which gets the internal characters
        of the CFStringRef when possible and constructs a StringView for
        it in order to call findHTTPHeaderName(). As a result, we avoid
        allocating a temporary String when findHTTPHeaderName() succeeds.

        This new HTTPHeaderMap::set() overload is called from both the
        CF and Cocoa implementations of ResourceResponse::platformLazyInit().

        I have confirmed locally on both Mac and iOS that the fast path
        is used ~93% of the time. CFStringGetCStringPtr() returns null in
        rare cases, causing the regular code path to be used.

        * platform/network/HTTPHeaderMap.cpp:
        (WebCore::HTTPHeaderMap::set):
        * platform/network/HTTPHeaderMap.h:

2016-06-15  Zalan Bujtas  <zalan@apple.com>

        Decouple the percent height and positioned descendants maps.
        https://bugs.webkit.org/show_bug.cgi?id=158773

        Reviewed by David Hyatt and Chris Dumez.

        We track renderers with percent height across multiple containers using
        HashMap<const RenderBox*, std::unique_ptr<HashSet<const RenderBlock*>>>.
        We also use the same data structure to track positioned descendants.
        However a positioned renderer can have only one containing block so tracking it
        with a 1:many type is defective.
        It allows multiple inserts for positioned descendants, which could lead to
        inconsistent layout state as the rendering logic expects these type of renderers
        with only one containing block.
        This patch decouples percent height and positioned tracking by introducing
        the PositionedDescendantsMap class. This class is responsible for tracking
        the positioned descendants inbetween layouts.

        No change in functionality.

        Tests: fast/block/positioning/change-containing-block-for-absolute-positioned.html
               fast/block/positioning/change-containing-block-for-fixed-positioned.html

        * rendering/RenderBlock.cpp:
        (WebCore::insertIntoTrackedRendererMaps):
        (WebCore::removeFromTrackedRendererMaps):
        (WebCore::PositionedDescendantsMap::addDescendant): Add more defensive ASSERT_NOT_REACHED
        to the double insert branch when webkit.org/b/158772 gets fixed.
        (WebCore::PositionedDescendantsMap::removeDescendant):
        (WebCore::PositionedDescendantsMap::removeContainingBlock):
        (WebCore::PositionedDescendantsMap::positionedRenderers):
        (WebCore::positionedDescendantsMap):
        (WebCore::removeBlockFromPercentageDescendantAndContainerMaps):
        (WebCore::RenderBlock::~RenderBlock):
        (WebCore::RenderBlock::positionedObjects):
        (WebCore::RenderBlock::insertPositionedObject):
        (WebCore::RenderBlock::removePositionedObject):
        (WebCore::RenderBlock::addPercentHeightDescendant):
        (WebCore::RenderBlock::removePercentHeightDescendant):
        (WebCore::RenderBlock::percentHeightDescendants):
        (WebCore::RenderBlock::checkPositionedObjectsNeedLayout):
        (WebCore::removeBlockFromDescendantAndContainerMaps): Deleted.
        * rendering/RenderBlock.h:

2016-06-15  David Kilzer  <ddkilzer@apple.com>

        Move SoftLinking.h to platform/cococa from platform/mac
        <https://webkit.org/b/158825>

        Reviewed by Andy Estes.

        * PlatformMac.cmake: Update for new directory.
        * WebCore.xcodeproj/project.pbxproj: Ditto.
        * platform/cocoa/SoftLinking.h: Renamed from Source/WebCore/platform/mac/SoftLinking.h.

2016-06-15  Chris Dumez  <cdumez@apple.com>

        [Cocoa] Clean up / optimize ResourceResponse::platformLazyInit(InitLevel)
        https://bugs.webkit.org/show_bug.cgi?id=158809

        Reviewed by Darin Adler.

        Clean up / optimize ResourceResponse::platformLazyInit(InitLevel).

        * platform/network/HTTPParsers.cpp:
        (WebCore::extractReasonPhraseFromHTTPStatusLine):
        * platform/network/HTTPParsers.h:
        Have extractReasonPhraseFromHTTPStatusLine() return an AtomicString as the
        Reason is stored as an AtomicString on ResourceResponse. Have the
        implementation use StringView::subString()::toAtomicString().

        * platform/network/cocoa/ResourceResponseCocoa.mm:
        (WebCore::stripLeadingAndTrailingDoubleQuote):
        Move the stripLeadingAndTrailingDoubleQuote logic from platformLazyInit()
        to its own function. Have it use StringView::subString()::toAtomicString()
        to avoid unnecessarily atomizing the textEncodingName that has surrounding
        double-quotes.

        (WebCore::initializeHTTPHeaders):
        Move HTTP headers initialization to its own function for clarity.

        (WebCore::extractHTTPStatusText):
        Move HTTP status Text extraction to its own function for clarity.

        (WebCore::ResourceResponse::platformLazyInit):
        - The function is streamlined a bit because most of the logic was moved
          into separate functions.
        - Drop unnecessary (initLevel >= CommonFieldsOnly) check in the first
          if case and replace with an assertion. This function is always called
          with CommonFieldsOnly or above (AllFields).
        - Drop unnecessary (m_initLevel < AllFields) check in the second if
          case as this is always true. If not, we would have returned early
          at the beginning of the function when checking
          m_initLevel >= initLevel.
        - Use AutodrainedPool instead of NSAutoreleasePool for convenience and have
          only 1 pool instead of 2.
        - Drop unnecessary copyNSURLResponseStatusLine() function and call directly
          CFHTTPMessageCopyResponseStatusLine() since we already have a
          CFHTTPMessageRef at the call site.

2016-06-15  Tim Horton  <timothy_horton@apple.com>

        <attachment> elements jump around a lot around when subtitle text changes slightly
        https://bugs.webkit.org/show_bug.cgi?id=158818
        <rdar://problem/24450270>

        Reviewed by Simon Fraser.

        Test: fast/attachment/attachment-subtitle-resize.html

        * rendering/RenderAttachment.cpp:
        (WebCore::RenderAttachment::layout):
        * rendering/RenderAttachment.h:
        * rendering/RenderThemeMac.mm:
        (WebCore::AttachmentLayout::AttachmentLayout):
        (WebCore::RenderThemeMac::paintAttachment):
        In order to avoid changes to the centered subtitle text causing the whole
        attachment to bounce around a lot, make it so that attachment width can only
        increase, never decrease, and round the subtitle's width up to the nearest
        increment of 10px when determining its affect on the whole element's width.
        Also, center the attachment in its element, instead of left-aligning it,
        so that the extra width we may have is evenly distributed between the two sides.

2016-06-15  Ryan Haddad  <ryanhaddad@apple.com>

        Reset bindings test results after r202105

        Unreviewed test gardening.

        * bindings/scripts/test/JS/JSTestObj.cpp:

2016-06-15  Adam Bergkvist  <adam.bergkvist@ericsson.com>

        WebRTC: (Refactor) Align the structure of RTCPeerConnection.idl with the header file
        https://bugs.webkit.org/show_bug.cgi?id=158779

        Reviewed by Eric Carlson.

        Restructure RTCPeerConnection.idl to make it easer to read and extend in the future.

        No change in behavior.

        * Modules/mediastream/RTCPeerConnection.idl:

2016-06-15  Chris Dumez  <cdumez@apple.com>

        Drop some unnecessary header includes
        https://bugs.webkit.org/show_bug.cgi?id=158788

        Reviewed by Alexey Proskuryakov.

        Drop some unnecessary header includes in headers to speed up build time.

        * Modules/encryptedmedia/MediaKeySession.cpp:
        * Modules/gamepad/GamepadManager.cpp:
        * Modules/indexeddb/IDBDatabase.cpp:
        * Modules/indexeddb/IDBOpenDBRequest.cpp:
        * Modules/indexeddb/IDBRequest.cpp:
        * Modules/indexeddb/IDBTransaction.cpp:
        * Modules/mediasource/MediaSource.cpp:
        * Modules/mediasource/SourceBuffer.cpp:
        * Modules/mediasource/SourceBufferList.cpp:
        * Modules/mediastream/MediaStream.cpp:
        * Modules/mediastream/MediaStreamTrack.cpp:
        * Modules/speech/SpeechSynthesis.cpp:
        * Modules/webaudio/AudioScheduledSourceNode.cpp:
        * Modules/webaudio/ScriptProcessorNode.cpp:
        * bindings/scripts/CodeGeneratorJS.pm:
        (GenerateImplementation):
        * dom/CharacterData.cpp:
        * dom/ContainerNode.cpp:
        * dom/DOMNamedFlowCollection.cpp:
        * dom/DeviceMotionController.cpp:
        * dom/DeviceOrientationController.cpp:
        * dom/Document.cpp:
        * dom/Document.h:
        * dom/DocumentEventQueue.cpp:
        * dom/DocumentOrderedMap.h:
        * dom/Element.cpp:
        * dom/Event.cpp:
        * dom/EventDispatcher.cpp:
        * dom/EventTarget.cpp:
        * dom/EventTarget.h:
        * dom/KeyboardEvent.cpp:
        * dom/MessageEvent.cpp:
        * dom/MessagePort.cpp:
        * dom/ScriptElement.cpp:
        * dom/ScriptExecutionContext.cpp:
        * dom/ScriptExecutionContext.h:
        * dom/SecurityContext.h:
        * dom/SimulatedClick.cpp:
        * dom/TextEvent.cpp:
        * dom/WebKitNamedFlow.cpp:
        * editing/FrameSelection.cpp:
        * fileapi/FileReader.cpp:
        * html/HTMLLinkElement.cpp:
        * html/HTMLPlugInImageElement.cpp:
        * html/HTMLStyleElement.cpp:
        * html/HTMLSummaryElement.cpp:
        * html/HTMLTrackElement.cpp:
        * html/HTMLVideoElement.cpp:
        * html/InputType.cpp:
        * html/MediaController.cpp:
        * html/TextFieldInputType.cpp:
        * html/canvas/WebGLRenderingContextBase.cpp:
        * html/parser/HTMLScriptRunner.cpp:
        * html/shadow/MediaControlElementTypes.cpp:
        * html/shadow/MediaControls.cpp:
        * html/shadow/MediaControlsApple.cpp:
        * html/shadow/SliderThumbElement.cpp:
        * html/shadow/mac/ImageControlsButtonElementMac.cpp:
        * inspector/InspectorIndexedDBAgent.cpp:
        * loader/DocumentLoader.cpp:
        * loader/ImageLoader.cpp:
        * loader/PolicyChecker.cpp:
        * mathml/MathMLSelectElement.cpp:
        * page/DOMWindow.h:
        * page/EventSource.cpp:
        * page/FrameView.cpp:
        * page/Performance.cpp:
        * page/csp/ContentSecurityPolicy.cpp:
        * platform/graphics/opengl/GraphicsContext3DOpenGLCommon.cpp:
        * platform/network/HTTPHeaderMap.h:
        * platform/network/ResourceHandle.cpp:
        * rendering/RenderEmbeddedObject.cpp:
        * rendering/RenderSnapshottedPlugIn.cpp:
        * svg/SVGSVGElement.cpp:
        * svg/SVGUseElement.cpp:
        * svg/animation/SVGSMILElement.cpp:
        * workers/WorkerGlobalScope.h:
        * xml/XMLHttpRequest.cpp:
        * xml/XMLHttpRequestProgressEventThrottle.cpp:
        * xml/XMLHttpRequestUpload.cpp:

2016-06-15  Antti Koivisto  <antti@apple.com>

        GoogleMaps transit schedule explorer comes up blank initially
        https://bugs.webkit.org/show_bug.cgi?id=158803
        rdar://problem/25818080

        Reviewed by Andreas Kling.

        In case we had something like

        .foo bar { ... }

        and later a new stylesheet was added dynamically that contained

        .foo baz { ... }

        we would fail to add the new rules to the descendant invalidation rule sets for ".foo". This could
        cause some style invalidations to be missed.

        * css/DocumentRuleSets.cpp:
        (WebCore::DocumentRuleSets::collectFeatures):

        Reset the ancestorClassRules and ancestorAttributeRulesForHTML rule set caches when new style sheets
        are added (==collectFeatures is called).

2016-06-15  Javier Fernandez  <jfernandez@igalia.com>

        [css-sizing] Item borders are missing with 'min-width:-webkit-fill-available' and zero available width
        https://bugs.webkit.org/show_bug.cgi?id=158258

        Reviewed by Darin Adler.

        The "fill-available" size is defined as the containing block's size less
        the box's border and padding size. However, when used for min-width we
        should ensure we don't get negative values as result of logical width
        computation.

        http://www.w3.org/TR/css-sizing-3/#fill-available-sizing

        This patch ensure fill-available value computed value will be always
        greater than box's boder and padding width.

        Test: fast/css-intrinsic-dimensions/fill-available-with-zero-width.html

        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::computeIntrinsicLogicalWidthUsing):

2016-06-15  Alex Christensen  <achristensen@webkit.org>

        Fix 2d canvas transform after r192900
        https://bugs.webkit.org/show_bug.cgi?id=158725
        rdar://problem/26774230

        Reviewed by Dean Jackson.

        Test: fast/canvas/canvas-transform-inverse.html

        * html/canvas/CanvasRenderingContext2D.cpp:
        (WebCore::CanvasRenderingContext2D::transform):
        r192900 was intended to have no change in behavior, but I made a typo.
        We need to apply the inverse of the original transform to the path to be correct.
        This affects transforms applied to the canvas during the creation of a path.

2016-06-15  Eric Carlson  <eric.carlson@apple.com>

        [iOS] Make HTMLMediaElement.muted mutable
        https://bugs.webkit.org/show_bug.cgi?id=158787
        <rdar://problem/24452567>

        Reviewed by Dean Jackson.

        Tests: media/audio-playback-restriction-removed-muted.html
               media/audio-playback-restriction-removed-track-enabled.html

        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::audioTrackEnabledChanged): Remove most behavior restrictions if
          the track state was changed as a result of a user gesture.
        (WebCore::HTMLMediaElement::setMuted): Ditto.
        (WebCore::HTMLMediaElement::removeBehaviorsRestrictionsAfterFirstUserGesture): Add mask 
          parameter so caller can choose which restrictions are removed.
        * html/HTMLMediaElement.h:

        * html/MediaElementSession.cpp:
        (WebCore::restrictionName): Drive-by fix: remove duplicate label.
        * html/MediaElementSession.h:

        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.h:
        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
        (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVPlayer): Set muted on AVPlayer if setMuted
          was called before the player was created.
        (WebCore::MediaPlayerPrivateAVFoundationObjC::setVolume): Drive-by fix: return early if there
          is no AVPlayer, not if we won't have metadata yet.
        (WebCore::MediaPlayerPrivateAVFoundationObjC::setMuted): New.

2016-06-15  Romain Bellessort  <romain.bellessort@crf.canon.fr>

        Enabling Shadow DOM for all platforms
        https://bugs.webkit.org/show_bug.cgi?id=158738

        Reviewed by Ryosuke Niwa.

        No new tests (no new behavior to be tested).

        Removed Shadow DOM from options (enabled by default)
        (comprises removal of corresponding preprocessor directives)

        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * bindings/generic/RuntimeEnabledFeatures.h:
        * bindings/js/JSDocumentFragmentCustom.cpp:
        * bindings/js/JSNodeCustom.cpp:
        * css/CSSGrammar.y.in:
        * css/CSSParser.cpp:
        * css/CSSParserValues.cpp:
        * css/CSSParserValues.h:
        * css/CSSSelector.cpp:
        * css/CSSSelector.h:
        * css/ElementRuleCollector.cpp:
        * css/ElementRuleCollector.h:
        * css/RuleSet.cpp:
        * css/RuleSet.h:
        * css/SelectorChecker.cpp:
        * css/SelectorChecker.h:
        * css/SelectorPseudoClassAndCompatibilityElementMap.in:
        * css/StyleResolver.cpp:
        * cssjit/SelectorCompiler.cpp:
        * dom/ComposedTreeAncestorIterator.h:
        * dom/ComposedTreeIterator.cpp:
        * dom/ComposedTreeIterator.h:
        * dom/ContainerNode.cpp:
        * dom/Document.cpp:
        * dom/Document.h:
        * dom/Element.cpp:
        * dom/Element.h:
        * dom/Element.idl:
        * dom/Event.idl:
        * dom/EventPath.cpp:
        * dom/Node.cpp:
        * dom/Node.h:
        * dom/NonDocumentTypeChildNode.idl:
        * dom/ShadowRoot.cpp:
        * dom/ShadowRoot.h:
        * dom/ShadowRoot.idl:
        * dom/SlotAssignment.cpp:
        * dom/SlotAssignment.h:
        * html/HTMLSlotElement.cpp:
        * html/HTMLSlotElement.h:
        * html/HTMLSlotElement.idl:
        * html/HTMLTagNames.in:
        * page/FocusController.cpp:
        * style/StyleSharingResolver.cpp:
        * style/StyleTreeResolver.cpp:

2016-06-15  Andreas Kling  <akling@apple.com>

        [Cocoa] Add two notify listeners for poking the garbage collector.
        <https://webkit.org/b/158783>

        Reviewed by Antti Koivisto.

        Add two new notify listeners:

        - com.apple.WebKit.fullGC

            Trigger a full garbage collection in the main WebCore VM immediately.

        - com.apple.WebKit.deleteAllCode

            Throw away all of JSC's linked and unlinked code, and do a full GC.

        These will make it easier to diagnose memory growth issues by having a lever that
        eliminates many of the large object graphs without going after behavior-changing things
        like the memory cache.

        * platform/MemoryPressureHandler.cpp:
        (WebCore::MemoryPressureHandler::platformInitialize):
        * platform/MemoryPressureHandler.h:
        * platform/cocoa/MemoryPressureHandlerCocoa.mm:
        (WebCore::MemoryPressureHandler::platformInitialize):

2016-06-15  Antti Koivisto  <antti@apple.com>

        Vary:Cookie validation doesn't work in private browsing
        https://bugs.webkit.org/show_bug.cgi?id=158616
        <rdar://problem/26755067>

        Reviewed by Andreas Kling.

        There wasn't a way to get cookie based on SessionID from WebCore.

        * platform/CookiesStrategy.h:

            Add a cookie retrival function that takes SessionID instead of NetworkStorageSession.

        * platform/network/CacheValidation.cpp:
        (WebCore::headerValueForVary):

            Use it.

        (WebCore::verifyVaryingRequestHeaders):

2016-06-15  Per Arne Vollan  <pvollan@apple.com>

        [Win] The test accessibility/selected-text-range-aria-elements.html is failing.
        https://bugs.webkit.org/show_bug.cgi?id=158732

        Reviewed by Brent Fulgham.

        Implement support for getting selected text range.

        * accessibility/win/AccessibilityObjectWrapperWin.cpp:
        (WebCore::AccessibilityObjectWrapper::accessibilityAttributeValue):

2016-06-14  Myles C. Maxfield  <mmaxfield@apple.com>

        Addressing post-review comments after r201971
        https://bugs.webkit.org/show_bug.cgi?id=158450

        Unreviewed.

        * css/CSSFontFaceSet.cpp:
        (WebCore::CSSFontFaceSet::add):
        (WebCore::CSSFontFaceSet::remove):

2016-06-14  Myles C. Maxfield  <mmaxfield@apple.com>

        Honor bidi unicode codepoints
        https://bugs.webkit.org/show_bug.cgi?id=149170
        <rdar://problem/26527378>

        Reviewed by Simon Fraser.

        BidiResolver doesn't have any concept of isolate Unicode code points, so produces
        unexpected output when they are present. Fix by considering such code points as
        whitespace in the bidi algorithm. This is a stop-gap measure until we can support
        the codepoints fully in our Bidi algorithm.

        Test: fast/text/isolate-ignore.html

        * platform/graphics/Font.cpp:
        (WebCore::createAndFillGlyphPage):
        * platform/text/BidiResolver.h:
        (WebCore::Subclass>::createBidiRunsForLine):

2016-06-14  Antoine Quint  <graouts@apple.com>

        [iOS] Play glyph is pixelated when the page zoom is large
        https://bugs.webkit.org/show_bug.cgi?id=158770
        <rdar://problem/26092124>

        Reviewed by Dean Jackson.

        Use the same technique that we use to scale the video controls by using a combination
        of CSS "zoom" and "transform" properties to have the video play glyph scaled at its
        native size regardless of page zoom.

        * Modules/mediacontrols/mediaControlsiOS.js:
        (ControllerIOS.prototype.set pageScaleFactor):

2016-06-14  Chris Dumez  <cdumez@apple.com>

        Regression(r201534): Compile time greatly regressed
        https://bugs.webkit.org/show_bug.cgi?id=158765
        <rdar://problem/26587342>

        Reviewed by Darin Adler.

        Compile time greatly regressed by r201534 due to Document.h now including
        TextAutoSizing.h. Move the TextAutoSizingTraits back to Document.h to
        restore pre-r201534 behavior.

        * WebCore.xcodeproj/project.pbxproj:
        * dom/Document.cpp:
        (WebCore::TextAutoSizingTraits::constructDeletedValue):
        (WebCore::TextAutoSizingTraits::isDeletedValue):
        * dom/Document.h:
        * rendering/TextAutoSizing.h:
        (WebCore::TextAutoSizingTraits::constructDeletedValue): Deleted.
        (WebCore::TextAutoSizingTraits::isDeletedValue): Deleted.

2016-06-14  Antoine Quint  <graouts@apple.com>

        Inline media controls cut off PiP and fullscreen buttons on cnn.com
        https://bugs.webkit.org/show_bug.cgi?id=158766
        <rdar://problem/24175161>

        Reviewed by Dean Jackson.

        The display of the picture-in-picture and fullscreen buttons are dependent on the availability
        of video tracks through a call to hasVideo(). We need to ensure that the display properties of
        both those buttons are updated when the number of video tracks has changed since the controls
        may be populated prior to the availability of video tracks.

        * Modules/mediacontrols/mediaControlsApple.js:
        (Controller.prototype.updateHasVideo):

2016-06-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Rename Timeline.setAutoCaptureInstruments to Timeline.setInstruments
        https://bugs.webkit.org/show_bug.cgi?id=158762

        Reviewed by Timothy Hatcher.

        Test: inspector/timeline/setInstruments-errors.html

        * inspector/InspectorTimelineAgent.cpp:
        (WebCore::InspectorTimelineAgent::willDestroyFrontendAndBackend):
        (WebCore::InspectorTimelineAgent::setInstruments):
        (WebCore::InspectorTimelineAgent::mainFrameStartedLoading):
        (WebCore::InspectorTimelineAgent::setAutoCaptureInstruments): Deleted.
        * inspector/InspectorTimelineAgent.h:

2016-06-14  Dean Jackson  <dino@apple.com>

        decompose4 return value is unchecked, leading to potentially uninitialized data.
        https://bugs.webkit.org/show_bug.cgi?id=158761
        <rdar://problem/17526268>

        Reviewed by Simon Fraser.

        WebCore::decompose4 could return early without initializing data.
        I now initialize it, but I also started checking the return
        value at all the call sites to make sure everything is sensible.

        Test: transforms/undecomposable.html

        * platform/graphics/transforms/PerspectiveTransformOperation.cpp:
        (WebCore::PerspectiveTransformOperation::blend):
        * platform/graphics/transforms/RotateTransformOperation.cpp:
        (WebCore::RotateTransformOperation::blend):
        * platform/graphics/transforms/TransformationMatrix.cpp:
        (WebCore::decompose4):
        (WebCore::TransformationMatrix::blend4):
        * platform/graphics/transforms/TransformationMatrix.h:

2016-06-14  Benjamin Poulain  <bpoulain@apple.com>

        Add the unprefixed version of the pseudo element ::placeholder
        https://bugs.webkit.org/show_bug.cgi?id=158653

        Reviewed by Dean Jackson.

        Test: fast/forms/placeholder-pseudo-element-with-webkit-prefix.html

        The pseudo element ::-webkit-input-placeholder is stupidly popular
        which forces other engines to support this exact name.

        The pseudo-element spec provides a new standard name we can adopt
        to drop the prefix: https://drafts.csswg.org/css-pseudo-4/#placeholder-pseudo

        This patch does just that, make ::placeholder the standard name to select
        the placeholder element in the shadow dom of input elements.

        Unlike pseudo classes, we did not have any support for prefixes and aliasing.
        I want to keep the absurdly efficient matching we currently use for styling
        because style updates are more common than stylesheet updates.
        With that constraint in mind, the value of CSSSelector has to be the unprefixed
        version for both forms of input.

        This leaves us with the problem of displaying the CSSSelector for CSSOM.
        To differentiate the legacy form from the standard form, I added
        a new type of PseudoElement: PseudoElementWebKitCustomLegacyPrefixed.
        When parsing, PseudoElementWebKitCustomLegacyPrefixed let us replace
        the original value "-webkit-input-placeholder" by the standard value.
        When creating the selectorText for CSSOM, PseudoElementWebKitCustomLegacyPrefixed
        let us replace the standard for by the legacy form.

        * css/CSSParserValues.cpp:
        (WebCore::CSSParserSelector::parsePseudoElementSelector):
        * css/CSSSelector.cpp:
        (WebCore::CSSSelector::pseudoId):
        (WebCore::CSSSelector::selectorText):
        * css/CSSSelector.h:
        (WebCore::CSSSelector::isCustomPseudoElement):
        (WebCore::CSSSelector::isWebKitCustomPseudoElement):
        * css/SelectorChecker.cpp:
        (WebCore::SelectorChecker::matchRecursively):
        * css/SelectorPseudoElementTypeMap.in:
        * css/html.css:
        (::placeholder):
        (input::placeholder, isindex::placeholder):
        (textarea::placeholder):
        (::-webkit-input-placeholder): Deleted.
        (input::-webkit-input-placeholder, isindex::-webkit-input-placeholder): Deleted.
        (textarea::-webkit-input-placeholder): Deleted.
        * features.json:
        * html/shadow/TextControlInnerElements.cpp:
        (WebCore::TextControlPlaceholderElement::TextControlPlaceholderElement):

2016-06-14  Doug Russell  <d_russell@apple.com>

        AX: Form label text should be exposed as static text if it contains only static text
        https://bugs.webkit.org/show_bug.cgi?id=158634

        Reviewed by Chris Fleizach.

        Use AccessibilityLabel to represent HTMLLabelElement to assistive technology.
        AccessibilityLabel::containsOnlyStaticText() searches label subtree to evaluate 
        if all children are static text.
        AccessibilityLabel::stringValue() consults containsOnlyStaticText() and returns
        textUnderElement() if true.
        WebAccessibilityObjectWrapperMac consults containsOnlyStaticText() and substitutes
        StaticTextRole for LabelRole if true.
        Cache containsOnlyStaticText() in the common case when updating children.

        Tests: accessibility/mac/label-element-all-text-string-value.html
               accessibility/mac/label-element-with-link-string-value.html

        * CMakeLists.txt:
        * WebCore.xcodeproj/project.pbxproj:
        * accessibility/AXObjectCache.cpp:
        (WebCore::createFromRenderer):
        * accessibility/AccessibilityAllInOne.cpp:
        * accessibility/AccessibilityLabel.cpp: Added.
        (WebCore::AccessibilityLabel::AccessibilityLabel):
        (WebCore::AccessibilityLabel::~AccessibilityLabel):
        (WebCore::AccessibilityLabel::create):
        (WebCore::AccessibilityLabel::computeAccessibilityIsIgnored):
        (WebCore::AccessibilityLabel::stringValue):
        (WebCore::childrenContainOnlyStaticText):
        (WebCore::AccessibilityLabel::containsOnlyStaticText):
        (WebCore::AccessibilityLabel::updateChildrenIfNecessary):
        (WebCore::AccessibilityLabel::clearChildren):
        (WebCore::AccessibilityLabel::insertChild):
        * accessibility/AccessibilityLabel.h: Added.
        * accessibility/AccessibilityObject.h:
        (WebCore::AccessibilityObject::isLabel):
        * accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
        (-[WebAccessibilityObjectWrapper role]):

2016-06-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r202057.
        https://bugs.webkit.org/show_bug.cgi?id=158749

        This change broke the Windows build. (Requested by ryanhaddad
        on #webkit).

        Reverted changeset:

        "Honor bidi unicode codepoints"
        https://bugs.webkit.org/show_bug.cgi?id=149170
        http://trac.webkit.org/changeset/202057

2016-06-14  Myles C. Maxfield  <mmaxfield@apple.com>

        Honor bidi unicode codepoints
        https://bugs.webkit.org/show_bug.cgi?id=149170
        <rdar://problem/26527378>

        Reviewed by Simon Fraser.

        BidiResolver doesn't have any concept of isolate Unicode code points, so produces
        unexpected output when they are present. Fix by considering such code points as
        whitespace in the bidi algorithm. This is a stop-gap measure until we can support
        the codepoints fully in our Bidi algorithm.

        Test: fast/text/isolate-ignore.html

        * platform/graphics/Font.cpp:
        (WebCore::createAndFillGlyphPage):
        * platform/text/BidiResolver.h:
        (WebCore::Subclass>::createBidiRunsForLine):

2016-06-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r200455.
        https://bugs.webkit.org/show_bug.cgi?id=158740

        hangs twitter/facebook (Requested by mcatanzaro on #webkit).

        Reverted changeset:

        "[GStreamer] Adaptive streaming issues"
        https://bugs.webkit.org/show_bug.cgi?id=144040
        http://trac.webkit.org/changeset/200455

2016-06-14  Nael Ouedraogo  <nael.ouedraogo@crf.canon.fr>

        WebRTC: RTCPeerConnection::addTrack() should throw InvalidAccessError instead of InvalidModificationError.
        https://bugs.webkit.org/show_bug.cgi?id=158735

        Reviewed by Eric Carlson.

        Throw InvalidAccessError instead of InvalidModificationError when track already exists in connection's
        set of senders as per specification (https://w3c.github.io/webrtc-pc/#dom-rtcpeerconnection-addtrack).

        Updated existing test results: fast/mediastream/RTCPeerConnection-add-removeTrack-expected.txt

        * Modules/mediastream/RTCPeerConnection.cpp:
        (WebCore::RTCPeerConnection::addTrack):

2016-06-14  Adam Bergkvist  <adam.bergkvist@ericsson.com>

        WebRTC: Imlement MediaEndpointPeerConnection::addIceCandidate()
        https://bugs.webkit.org/show_bug.cgi?id=158690

        Reviewed by Eric Carlson.

        Implement MediaEndpointPeerConnection::addIceCandidate() that is the MediaEndpoint
        implementation of RTCPeerConnection.addIceCandidate() [1].

        [1] https://w3c.github.io/webrtc-pc/archives/20160513/webrtc.html#dom-peerconnection-addicecandidate

        Test: fast/mediastream/RTCPeerConnection-addIceCandidate.html

        * Modules/mediastream/MediaEndpointPeerConnection.cpp:
        (WebCore::MediaEndpointPeerConnection::addIceCandidate):
        (WebCore::MediaEndpointPeerConnection::addIceCandidateTask):
        Implemented.
        * Modules/mediastream/MediaEndpointPeerConnection.h:
        * platform/mediastream/MediaEndpoint.h:
        Use mid instead of mdescIndex to identify the target media description in the backend.
        * platform/mock/MockMediaEndpoint.cpp:
        Update mock method signature accordingly.
        (WebCore::MockMediaEndpoint::addRemoteCandidate):
        * platform/mock/MockMediaEndpoint.h:

2016-06-14  Zalan Bujtas  <zalan@apple.com>

        Make RenderBlock::insertInto/RemoveFromTrackedRendererMaps functions static.
        https://bugs.webkit.org/show_bug.cgi?id=158722

        Reviewed by Simon Fraser.

        These functions manipulate static tracker hashmaps. They don't need to be on RenderBlock.
        This is also in preparation for decoupling positioned descendant tracking from descendent percentage height handling.
        (gPositionedDescendantsMap and gPercentHeightDescendantsMap) 

        No change in functionality.

        * rendering/RenderBlock.cpp:
        (WebCore::insertIntoTrackedRendererMaps):
        (WebCore::removeFromTrackedRendererMaps):
        (WebCore::removeBlockFromDescendantAndContainerMaps):
        (WebCore::RenderBlock::insertPositionedObject):
        (WebCore::RenderBlock::addPercentHeightDescendant):
        (WebCore::RenderBlock::insertIntoTrackedRendererMaps): Deleted.
        (WebCore::RenderBlock::removeFromTrackedRendererMaps): Deleted.
        * rendering/RenderBlock.h:

2016-06-14  Adam Bergkvist  <adam.bergkvist@ericsson.com>

        WebRTC: Add media setup test where media is set up in one direction at a time
        https://bugs.webkit.org/show_bug.cgi?id=158691

        Reviewed by Eric Carlson.

        Add test for setting up media in one direction at a time. This requires a change in sdp.js
        to allow an SDP that doesn't contain a stream id or track id (representing
        a track being sent). In this test, the first answer doesn't contain any sending media.

        Test: fast/mediastream/RTCPeerConnection-media-setup-two-dialogs.html

        * Modules/mediastream/sdp.js:

2016-06-14  Chris Dumez  <cdumez@apple.com>

        [Cocoa] Avoid extra copy of headers dictionary in ResourceResponse::platformLazyInit()
        https://bugs.webkit.org/show_bug.cgi?id=158717

        Reviewed by Alex Christensen.

        Avoid extra copy of headers dictionary in ResourceResponse::platformLazyInit() by
        calling CFHTTPMessageCopyAllHeaderFields() instead of [NSURLResponse allHeaderFields].

        CFHTTPMessageCopyAllHeaderFields() creates only 1 copy while
        [NSURLResponse allHeaderFields] creates 2 (see <rdar://problem/26778863>).

        * platform/network/cocoa/ResourceResponseCocoa.mm:
        (WebCore::addToHTTPHeaderMap):
        (WebCore::ResourceResponse::platformLazyInit):

2016-06-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r151608): Leak of QTMovieLayer or AVPlayerLayer in -[WebVideoFullscreenController setVideoElement:]
        <https://webkit.org/b/158729>

        Reviewed by Eric Carlson.

        * platform/mac/WebVideoFullscreenController.mm:
        (-[WebVideoFullscreenController setVideoElement:]): Use
        RetainPtr<> to prevent leaks.
        * platform/mac/WebVideoFullscreenHUDWindowController.mm:
        Drive-by fix to remove unused <wtf/RetainPtr.h> import.

2016-06-14  Nael Ouedraogo  <nael.ouedraogo@crf.canon.fr>

        The vector of mediastreams should be passed via a reference to RTCPeerConnection::addTrack()
        https://bugs.webkit.org/show_bug.cgi?id=158701

        Pass vector of mediastreams by reference.

        Reviewed by Youenn Fablet.

        * Modules/mediastream/RTCPeerConnection.cpp:
        (WebCore::RTCPeerConnection::addTrack):
        * Modules/mediastream/RTCPeerConnection.h:

2016-06-14  Ryosuke Niwa  <rniwa@webkit.org>

        Crash inside firstPositionInNode in checkLoadCompleteForThisFrame
        https://bugs.webkit.org/show_bug.cgi?id=158724

        Reviewed by Alex Christensen.

        Added null checks for document and document element since they could be nullptr here.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::checkLoadCompleteForThisFrame):

2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>

        Remove hasStaticPropertyTable (part 3: JSLocation::putDelegate)
        https://bugs.webkit.org/show_bug.cgi?id=158431

        Unreviewed build fix.

        * bindings/js/JSLocationCustom.cpp:
        (WebCore::JSLocation::putDelegate):

2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>

        Remove hasStaticPropertyTable (part 4: JSHTMLDocument & JSStorage)
        https://bugs.webkit.org/show_bug.cgi?id=158431

        Reviewed by Chris Dumez.

        All uses of hasStaticPropertyTable flag generated by bindings are wrong.

        JSHTMLDocument & JSStorage contain a number of static_asserts claiming that
        various methods do not support static properties. These asserts were likely
        correct at the time they were added, as JSObject::getOwnPropertySlot and
        JSObject::deleteProperty did not support getting / deleting static value.
        This is no longer the case, and these asserts are now incorrect.

        * bindings/js/JSHTMLDocumentCustom.cpp:
        (WebCore::JSHTMLDocument::getOwnPropertySlot):
        * bindings/js/JSStorageCustom.cpp:
        (WebCore::JSStorage::deleteProperty):
        (WebCore::JSStorage::deletePropertyByIndex):
        (WebCore::JSStorage::putDelegate):
            - remove incorrect static_asserts.

2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>

        Remove hasStaticPropertyTable (part 3: JSLocation::putDelegate)
        https://bugs.webkit.org/show_bug.cgi?id=158431

        Reviewed by Geoff Garen.

        All uses of hasStaticPropertyTable flag generated by bindings are wrong.

        JSLocation::putDelegate checks the static property table redundantly.

        In the case of same origin access, if the property is not in the static
        table the method will call JSObject::put and return true (indicating the
        delegate handled the put). If the property is in the static table, the
        method will return false (indicating the the delegate did not handle the
        access) - in which case the calling function will call JSObject::put.
        Checking for the property in the static table is redundant - same origin
        access does not require any special handling, and should just always
        return false & let the caller handle the put.

        In the case of cross origin access, if the property is not in the static
        table we return true (indicating the access was handled, and silently
        blocking it). If it is a static property, we check the name, and if the
        name is not 'href' we also return true, silently blocking. In the case
        that the name is 'href' we'll return false, indicating to the caller
        that the access was not handled by the delegate, resulting in it taking
        place. The additional check of the static table is redundant, since we
        only have special behaviour in the case of 'href'. (Moreover it is
        unnecesszarily fragile, since if we made a change such that 'href' was no
        longer implemented as a static property with would fail.)

        - for same origin, always return false.
        - for cross origin, return false for 'href', otherwise return true.

        * bindings/js/JSLocationCustom.cpp:
        (WebCore::JSLocation::putDelegate):
            - restructure & remove static table check.

2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>

        Remove hasStaticPropertyTable (part 2: JSPluginElement)
        https://bugs.webkit.org/show_bug.cgi?id=158431

        Reviewed by Chris Dumez.

        All uses of hasStaticPropertyTable flag generated by bindings are wrong.

        The check in pluginElementCustomGetOwnPropertySlot was somewhat dubious in the
        first place (for types with static properties it would give precedence to both
        static and also property storage properties; for types without static properties
        it would check neither - an odd asymetry in the case of values in the storage
        array, and was depending on an implementation detail that could change).

        This is all now redundant anyway. None of these types have static properties.
        All properties are now corretcly on the prototype (which is handled appropriately
        below). This is just dead code.

        * bindings/js/JSPluginElementFunctions.h:
        (WebCore::pluginElementCustomGetOwnPropertySlot):
            - remove dead code.

2016-06-13  Gavin & Ellie Barraclough  <barraclough@apple.com>

        Remove hasStaticPropertyTable (part 1: DOM bindings)
        https://bugs.webkit.org/show_bug.cgi?id=158431

        Reviewed by Chris Dumez.

        All uses of hasStaticPropertyTable flag generated by bindings are wrong.

        * bindings/js/JSDOMBinding.h:
        (WebCore::getStaticValueSlotEntryWithoutCaching): Deleted.
        (WebCore::getStaticValueSlotEntryWithoutCaching<JSDOMObject>): Deleted.
            - this method is not used anywhere.

2016-06-13  Adam Bergkvist  <adam.bergkvist@ericsson.com>

        WebRTC: Imlement MediaEndpointPeerConnection::replaceTrack()
        https://bugs.webkit.org/show_bug.cgi?id=158688

        Reviewed by Eric Carlson.

        Implement MediaEndpointPeerConnection::replaceTrack() that is the MediaEndpoint implementation
        of RTCRtpSender.replaceTrack() [1].

        [1] https://w3c.github.io/webrtc-pc/archives/20160513/webrtc.html#dom-rtcrtpsender-replacetrack

        Updated fast/mediastream/RTCRtpSender-replaceTrack.html

        * Modules/mediastream/MediaEndpointPeerConnection.cpp:
        (WebCore::MediaEndpointPeerConnection::replaceTrack):
        (WebCore::MediaEndpointPeerConnection::replaceTrackTask):
        Implemented.
        * Modules/mediastream/MediaEndpointPeerConnection.h:
        * Modules/mediastream/PeerConnectionBackend.h:
        * Modules/mediastream/RTCPeerConnection.cpp:
        (WebCore::RTCPeerConnection::replaceTrack):
        * Modules/mediastream/RTCPeerConnection.h:
        Move the MediaStreamTrack instance of sending a reference to it. This change is the main
        reason many files are touched by this change.
        * Modules/mediastream/RTCRtpSender.h:
        * Modules/mediastream/RTCRtpSender.idl:
        * platform/mediastream/MediaEndpoint.h:
        Use mid instead of mdescIndex to identify the media description in the backend.
        * platform/mock/MockMediaEndpoint.cpp:
        (WebCore::MockMediaEndpoint::replaceSendSource):
        * platform/mock/MockMediaEndpoint.h:

2016-06-13  Joseph Pecoraro  <pecoraro@apple.com>

        window.onerror should pass the ErrorEvent's 'error' property as the 5th argument to the event handler
        https://bugs.webkit.org/show_bug.cgi?id=55092
        <rdar://problem/25731279>

        Reviewed by Dean Jackson.

        This includes the actual Error in window.error / ErrorEvent:
        https://html.spec.whatwg.org/multipage/webappapis.html#the-errorevent-interface

        This is useful for scripts to be able to get an error stack
        from uncaught exceptions, by checking the error itself.

        Tests: fast/events/window-onerror17.html
               http/tests/security/cross-origin-script-error-event-redirected.html
               http/tests/security/cross-origin-script-error-event.html
               http/tests/security/script-crossorigin-error-event-information.html
               http/tests/security/script-no-crossorigin-error-event-should-be-sanitized.html
               userscripts/window-onerror-for-isolated-world-3.html

        * CMakeLists.txt:
        * WebCore.xcodeproj/project.pbxproj:
        * bindings/js/JSBindingsAllInOne.cpp:
        Add new custom error event file.

        * bindings/js/JSDOMBinding.cpp:
        (WebCore::reportException):
        Include the JSC::Exception when reporting exceptions, so the error value is available.
        
        * bindings/js/JSErrorEventCustom.cpp:
        (WebCore::JSErrorEvent::error):
        Sanitized access to the ErrorEvent's error property to prevent leaking objects
        across isolated world boundaries. This is like CustomEvent's data property.

        * bindings/js/JSErrorHandler.cpp:
        (WebCore::JSErrorHandler::handleEvent):
        * bindings/js/JSErrorHandler.h:
        Include the error object as the 4th argument to the window.onerror event handler.

        * dom/ScriptExecutionContext.cpp:
        (WebCore::ScriptExecutionContext::sanitizeScriptError):
        (WebCore::ScriptExecutionContext::reportException):
        (WebCore::ScriptExecutionContext::dispatchErrorEvent):
        * dom/ScriptExecutionContext.h:
        Include the error object in the ErrorEvent constructed when dispatching error events.

        * dom/ErrorEvent.cpp:
        (WebCore::ErrorEvent::ErrorEvent):
        (WebCore::ErrorEvent::sanitizedErrorValue):
        (WebCore::ErrorEvent::trySerializeError):
        * dom/ErrorEvent.h:
        * dom/ErrorEvent.idl:
        Include an any "error" property on the ErrorEvent, and allow it in initialization.

        * bindings/js/WorkerScriptController.cpp:
        (WebCore::WorkerScriptController::evaluate):
        * workers/WorkerMessagingProxy.cpp:
        (WebCore::WorkerMessagingProxy::postExceptionToWorkerObject):
        Within the Worker world, the error is included in the event.
        When re-dispatching the error on the world object in the world that spawned the
        Worker the event does not include an error object. This matches other browsers
        right now, but could be improved to have the same cross world serialization
        as isolated worlds have with the error data.

        * dom/CustomEvent.h:
        Remove unimplemented stale method.

2016-06-13  Dean Jackson  <dino@apple.com>

        SVG elements don't blend correctly into HTML
        https://bugs.webkit.org/show_bug.cgi?id=158718
        <rdar://problem/26782004>

        Reviewed by Antoine Quint.

        We were not creating any transparency layers for the root SVG nodes.
        This is ok if the SVG is the root document, because it is the backdrop.
        However, if it is inline SVG, it needs to apply the operation in
        order to composite into the document.

        Test: svg/css/mix-blend-mode-with-inline-svg.html

        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::beginTransparencyLayers):

2016-06-13  Brady Eidson  <beidson@apple.com>

        storage/indexeddb/modern/leaks-1.html leaks the database connection handle.
        https://bugs.webkit.org/show_bug.cgi?id=158643

        Reviewed by Alex Christensen.

        Tested by changes to existing test.

        * Modules/indexeddb/IDBDatabase.cpp:
        (WebCore::IDBDatabase::hasPendingActivity):
        
        * dom/EventTarget.h:
        (WebCore::EventTarget::eventTargetData):
        (WebCore::EventTarget::hasEventListeners):


2016-06-13  Enrica Casucci  <enrica@apple.com>

        REGRESSION(r201956): Failure to initialize new internal settings produced random test failures in release.
        https://bugs.webkit.org/show_bug.cgi?id=158713
        rdar://26769957

        Reviewed by Simon Fraser.

        Failed to initialize the new member variable in both Settings and InternalSettings classes.

        * page/Settings.cpp:
        (WebCore::Settings::Settings):
        * testing/InternalSettings.cpp:
        (WebCore::InternalSettings::Backup::Backup):

2016-06-13  Chris Dumez  <cdumez@apple.com>

        Drop HipChat hack introduced in r197548
        https://bugs.webkit.org/show_bug.cgi?id=158711

        Reviewed by Geoffrey Garen.

        Drop HipChat hack introduced in r197548. This hack is no longer needed
        as the bug was fixed in HipChat since then:
        https://support.atlassian.com/servicedesk/customer/portal/32/HCP-7532

        I have confirmed locally that the latest version (4.0.12.665) is able
        to connect without the hack.

        * bindings/js/JSLocationCustom.cpp:
        (WebCore::JSLocation::putDelegate): Deleted.
        * platform/RuntimeApplicationChecks.h:
        * platform/RuntimeApplicationChecks.mm:
        (WebCore::MacApplication::isHipChat): Deleted.

2016-06-13  Chris Fleizach  <cfleizach@apple.com>

        AX: CrashTracer: com.apple.WebKit.WebContent at WebCore::AccessibilityRenderObject::remoteSVGRootElement const + 227
        https://bugs.webkit.org/show_bug.cgi?id=158685

        Reviewed by David Kilzer.

        Crash reports show a null access at a line that tries to dereference a pointer. 
        I still don't have a way to layout test this, as it seems tied to tear down of the main document.

        * accessibility/AccessibilityRenderObject.cpp:
        (WebCore::AccessibilityRenderObject::remoteSVGRootElement):

2016-06-13  Jeremy Jones  <jeremyj@apple.com>

        Use two video layer solution only on mac.
        https://bugs.webkit.org/show_bug.cgi?id=158705
        rdar://problem/26776360

        Reviewed by Jer Noble.

        Two video layer solution is only useful on the mac to prevent flicker, so don't do it elsewhere.

        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
        (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVPlayerLayer):

2016-06-13  Jeremy Jones  <jeremyj@apple.com>

        Decrease PiP flicker by not removing window prematurely.
        https://bugs.webkit.org/show_bug.cgi?id=158436
        <rdar://problem/19052639>

        Reviewed by Darin Adler.

        UIWindow shouldn't be removed until cleanupFullscreen, so the video layer has a chance
        to be reparented in the DOM first.

        * platform/ios/WebVideoFullscreenInterfaceAVKit.mm:
        (WebVideoFullscreenInterfaceAVKit::didStopPictureInPicture):

2016-06-13  Alex Christensen  <achristensen@webkit.org>

        Add WebSocketProvider stub
        https://bugs.webkit.org/show_bug.cgi?id=158702

        Reviewed by Brady Eidson.

        No new tests.  No change in behavior.

        * WebCore.xcodeproj/project.pbxproj:
        * dom/DocumentMarkerController.cpp:
        * dom/ScriptedAnimationController.cpp:
        * html/HTMLMediaElement.cpp:
        * html/MediaDocument.cpp:
        * html/shadow/MediaControlElements.cpp:
        * html/shadow/MediaControls.cpp:
        * html/shadow/MediaControls.h:
        * html/shadow/MediaControlsApple.cpp:
        * inspector/InspectorInstrumentation.cpp:
        * inspector/InspectorInstrumentation.h:
        * inspector/InspectorOverlay.cpp:
        (WebCore::InspectorOverlay::overlayPage):
        * loader/EmptyClients.h:
        * loader/FrameLoader.cpp:
        * loader/FrameLoader.h:
        * loader/appcache/ApplicationCacheHost.cpp:
        * loader/cache/CachedResource.cpp:
        * page/FrameView.cpp:
        * page/Page.cpp:
        (WebCore::Page::Page):
        * page/Page.h:
        (WebCore::Page::applicationCacheStorage):
        (WebCore::Page::databaseProvider):
        (WebCore::Page::socketProvider):
        (WebCore::Page::storageNamespaceProvider):
        * page/PageConfiguration.cpp:
        (WebCore::PageConfiguration::PageConfiguration):
        * page/PageConfiguration.h:
        * page/ResourceUsageOverlay.cpp:
        * page/SocketProvider.h: Added.
        (WebCore::SocketProvider::~SocketProvider):
        * page/cocoa/ResourceUsageOverlayCocoa.mm:
        * rendering/RenderElement.cpp:
        * rendering/RenderLayerBacking.cpp:
        * style/StyleResolveForDocument.cpp:
        * style/StyleTreeResolver.cpp:
        * svg/graphics/SVGImage.cpp:
        (WebCore::SVGImage::dataChanged):
        * testing/MockPageOverlayClient.cpp:

2016-06-13  Brady Eidson  <beidson@apple.com>

        Crashes in WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTask.
        <rdar://problem/26768449> and https://bugs.webkit.org/show_bug.cgi?id=158696

        Reviewed by David Kilzer.

        No new tests (Covered by all existing tests in Gmalloc/ASAN configs).

        * Modules/indexeddb/server/UniqueIDBDatabase.cpp:
        (WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTask):
        (WebCore::IDBServer::UniqueIDBDatabase::executeNextDatabaseTaskReply):

2016-06-13  Brady Eidson  <beidson@apple.com>

        Modern IDB: IDBOpenDBRequest objects leak.
        https://bugs.webkit.org/show_bug.cgi?id=158694

        Reviewed by Alex Christensen.

        No new tests (Currently have no testing strategy for guaranteeing lifetime of WebCore DOM objects)

        * Modules/indexeddb/client/IDBConnectionProxy.cpp:
        (WebCore::IDBClient::IDBConnectionProxy::completeOpenDBRequest): At this point we never need the
            request again, so remove it from the map.

2016-06-13  Chris Dumez  <cdumez@apple.com>

        Make sure HTTPHeaderMap gets a move constructor / assignment operator
        https://bugs.webkit.org/show_bug.cgi?id=158695
        <rdar://problem/26729511>

        Reviewed by Alex Christensen.

        Make sure HTTPHeaderMap gets a move constructor / assignment operator.
        It was not getting an implicit one because of its user-declared
        destructor. This patch drops the user-declared destructor so that
        HTTPHeaderMap now gets an implicit move constructor / assignment
        operator.

        Not having a move constructor / assignment operator is an issue because
        we rely on HTTPHeaderMap::isolatedCopy() / WTFMove() since r201623 to
        pass HTTPHeaderMap across thread.

        * platform/network/HTTPHeaderMap.cpp:
        (WebCore::HTTPHeaderMap::~HTTPHeaderMap): Deleted.
        * platform/network/HTTPHeaderMap.h:

2016-06-13  Nael Ouedraogo  <nael.ouedraogo@crf.canon.fr>

        Remove useless parameter from GenerateParametersCheck signature
        https://bugs.webkit.org/show_bug.cgi?id=158692

        Reviewed by Chris Dumez.

        Remove one parameter which is passed to GenerateParametersCheck
        but never used in the caller code.

        * bindings/scripts/CodeGeneratorJS.pm:
        (GenerateImplementation):
        (GenerateParametersCheck):
        (GenerateConstructorDefinition):

2016-06-13  Nael Ouedraogo  <nael.ouedraogo@crf.canon.fr>

        Improve code generator for functions with variadic parameters
        https://bugs.webkit.org/show_bug.cgi?id=158529

        Reviewed by Darin Adler.

        JS bindings code of functions with variadic parameters is improved.

        Functions with variadic parameters are skipped for ObjC and GObject code generators.

        * bindings/scripts/CodeGeneratorGObject.pm:
        (SkipFunction): Skip functions with variadic parameters.
        * bindings/scripts/CodeGeneratorJS.pm:
        (GenerateParametersCheck):
        * bindings/scripts/CodeGeneratorObjC.pm:
        (SkipFunction): Skip functions with variadic parameters.
        * bindings/scripts/test/GObject/WebKitDOMTestObj.cpp:
        (webkit_dom_test_obj_any): Deleted.
        (webkit_dom_test_obj_attach_shadow_root): Deleted.
        (webkit_dom_test_obj_get_read_only_long_attr): Deleted.
        (webkit_dom_test_obj_get_read_only_string_attr): Deleted.
        * bindings/scripts/test/GObject/WebKitDOMTestObj.h:
        * bindings/scripts/test/JS/JSTestObj.cpp:
        (WebCore::jsTestObjPrototypeFunctionOverloadedMethod12):
        (WebCore::jsTestObjPrototypeFunctionVariadicStringMethod):
        (WebCore::jsTestObjPrototypeFunctionVariadicDoubleMethod):
        (WebCore::jsTestObjPrototypeFunctionVariadicNodeMethod):
        * bindings/scripts/test/ObjC/DOMTestObj.h:
        * bindings/scripts/test/ObjC/DOMTestObj.mm:

2016-06-12  Zalan Bujtas  <zalan@apple.com>

        Cleanup RenderBlock::removePositionedObjects
        https://bugs.webkit.org/show_bug.cgi?id=158670

        Reviewed by Simon Fraser.

        No change in functionality.

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::insertPositionedObject):
        (WebCore::RenderBlock::removePositionedObject):
        (WebCore::RenderBlock::removePositionedObjects):
        * rendering/RenderBlock.h:

2016-06-12  Zalan Bujtas  <zalan@apple.com>

        Remove positioned descendants when RenderBlock is no longer a containing block.
        https://bugs.webkit.org/show_bug.cgi?id=158655
        <rdar://problem/26510032>

        Reviewed by Simon Fraser.

        Normally the RenderView is the containing block for fixed positioned renderers.
        However when a renderer acquires some transform related properties, it becomes the containing
        block for all the fixed positioned renderers in its descendant tree.
        When the last transform related property is removed, the renderer is no longer a containing block
        and we need to remove all these positioned renderers from the descendant tracker map (gPositionedDescendantsMap).
        They will be inserted back into the tracker map during the next layout (either under the RenderView or
        under the next transformed renderer in the ancestor chain).

        Test: fast/block/fixed-position-reparent-when-transition-is-removed.html

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::removePositionedObjectsIfNeeded):

2016-06-11  Myles C. Maxfield  <mmaxfield@apple.com>

        Addressing post-review comments after r201978.
        https://bugs.webkit.org/show_bug.cgi?id=158649
        <rdar://problem/13258122>

        Unreviewed.

        * platform/graphics/FontCache.cpp:
        (WebCore::FontCache::alternateFamilyName):
        * platform/graphics/cocoa/FontCacheCoreText.cpp:
        (WebCore::FontCache::platformAlternateFamilyName):

2016-06-11  Darin Adler  <darin@apple.com>

        Tighten code to build set of tag names
        https://bugs.webkit.org/show_bug.cgi?id=158662

        Reviewed by Alexey Proskuryakov.

        * dom/Element.cpp:
        (WebCore::canAttachAuthorShadowRoot): Use an array of pointers that the loader
        can initialize as part of loading the library, rather than an array that needs
        to be initialized with code at runtime.

2016-06-11  Myles C. Maxfield  <mmaxfield@apple.com>

        [Win] [EFL] Build fix after r201978.
        https://bugs.webkit.org/show_bug.cgi?id=158649
        <rdar://problem/13258122>

        Unreviewed

        * platform/graphics/freetype/FontCacheFreeType.cpp:
        (WebCore::FontCache::platformAlternateFamilyName):
        * platform/graphics/win/FontCacheWin.cpp:

2016-06-11  Myles C. Maxfield  <mmaxfield@apple.com>

        [Cocoa] Map commonly used Chinese Windows font names to names present on Cocoa operating systems
        https://bugs.webkit.org/show_bug.cgi?id=158649
        <rdar://problem/13258122>

        Reviewed by Darin Adler.

        There are many Chinese websites which hardcode Windows font names.
        We should map these to fonts which best match them on Cocoa operating
        systems. We can do this by using our existing fallback font name
        infrastructure.

        Tests: fast/text/chinese-font-name-aliases-2.html
               fast/text/chinese-font-name-aliases.html

        * platform/graphics/FontCache.cpp:
        (WebCore::FontCache::alternateFamilyName):
        (WebCore::alternateFamilyName): Deleted.
        * platform/graphics/FontCache.h:
        * platform/graphics/cocoa/FontCacheCoreText.cpp:
        (WebCore::FontCache::platformAlternateFamilyName):
        * platform/graphics/freetype/FontCacheFreeType.cpp:
        (WebCore::FontCache::platformAlternateFamilyName):
        * platform/graphics/win/FontCacheWin.cpp:
        (WebCore::FontCache::platformAlternateFamilyName):

2016-06-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r201967, r201968, and r201972.
        https://bugs.webkit.org/show_bug.cgi?id=158665

        Caused flaky failures on IndexedDB tests (Requested by ap on
        #webkit).

        Reverted changesets:

        "Vary:Cookie validation doesn't work in private browsing"
        https://bugs.webkit.org/show_bug.cgi?id=158616
        http://trac.webkit.org/changeset/201967

        "Build fix."
        http://trac.webkit.org/changeset/201968

        "WinCairo build fix attempt."
        http://trac.webkit.org/changeset/201972

2016-06-11  Konstantin Tokarev  <annulen@yandex.ru>

        Fixed compilation of LocaleICU with ENABLE(DATE_AND_TIME_INPUT_TYPES)
        https://bugs.webkit.org/show_bug.cgi?id=158659

        Reviewed by Darin Adler.

        No new tests needed.

        * platform/text/LocaleICU.cpp:
        (WebCore::getFormatForSkeleton):
        (WebCore::LocaleICU::monthFormat):
        (WebCore::LocaleICU::shortMonthFormat):

2016-06-11  Antti Koivisto  <antti@apple.com>

        WinCairo build fix attempt.

        * platform/network/NetworkStorageSession.cpp:
        * platform/network/NetworkStorageSession.h:
        * platform/network/NetworkStorageSessionStub.cpp:
        (WebCore::NetworkStorageSession::NetworkStorageSession):
        (WebCore::NetworkStorageSession::context):
        (WebCore::NetworkStorageSession::createPrivateBrowsingSession):
        (WebCore::NetworkStorageSession::switchToNewTestingSession):
        (WebCore::NetworkStorageSession::~NetworkStorageSession): Deleted.
        (WebCore::defaultSession): Deleted.
        (WebCore::NetworkStorageSession::defaultStorageSession): Deleted.

2016-06-11  Myles C. Maxfield  <mmaxfield@apple.com>

        Deleting a CSSOM style rule invalidates any previously-added FontFaces
        https://bugs.webkit.org/show_bug.cgi?id=158450

        Reviewed by Darin Adler.

        This patch has two pieces: updating the CSSOM when the FontFace changes, and
        updating the FontFace when the CSSOM changes.

        1: Updating the CSSOM when the FontFace changes: CSSFontFaces already have a RefPtr
        to their StyleRuleFontFace which represents their CSS-connection. When changing a
        property of the CSSFontFace, we simply reach into the StyleRule and update it to
        match. Our existing infrastructure of invalidation due to the attribute changes
        makes sure that all the necessary updates occur.

        2. Updating the FontFace when the CSSOM changes: If the CSSOM changes in a trivial
        way (for example, a new @font-face is appended to the end of the last <style>
        element), we can handle it directly. However, when something more invasive occurs,
        we end up clearing the entire CSSFontSelector, and then adding all the style rules
        from scratch. This involves three steps:
            a) CSSFontSelector::buildStarted() is run, which means "we're about to start
               building up all the @font-face rules from scratch." We take this opportunity
               to purge as many fonts as possible. This is valuable because, for example,
               this function gets run when the page gets put into the page cache, so we
               want to destroy as much as possible. Not everything can be purged, however -
               only CSS-connected fonts which have never been inspected by script are
               purgeable. We don't allow fonts inspected by script to be purged because
               purging might result in a font appearing from JavaScript to transition from
               a success -> failure state, which we don't allow.
            b) Upon style recalc (possibly asynchronously) CSSFontSelector::addFontFaceRule()
               is called for each @font-face rule. We actually detect that we're in the
               middle of a style rebuild, and defer this step.
            c) When we're done adding all the font face rules, we call
               CSSFontSelector::buildCompleted(). This is where we compare the newly built-
               up list of font faces with what existed previously (as remembered in
               CSSFontSelector::buildStarted()) in order to detect font faces which were
               deleted from the document. Fonts which were newly added to the document
               are handled naturally.
               Fonts which have a property modified on them are created as if they were new.
               However, instead of simply adding the CSSFontFace, we search for the existing
               CSSFontFace (by CSS connection pointer) and tell the existing FontFace to
               adopt this new CSSFontFace. This means that the JavaScript object will just
               pick up any newly-written values in the CSSOM. It also means that the
               "status" attribute of the JavaScript object is reset, but this is expected
               and allowed by the spec. (For example, if you change the "src" attribute of
               an @font-face block via the CSSOM, all bets are off when you inspect the
               FontFace JS object representing that block.)

        Test: fast/text/font-face-set-cssom.html

        * css/CSSFontFace.cpp:
        (WebCore::CSSFontFace::CSSFontFace):
        (WebCore::CSSFontFace::setFamilies):
        (WebCore::CSSFontFace::setStyle):
        (WebCore::CSSFontFace::setWeight):
        (WebCore::CSSFontFace::setUnicodeRange):
        (WebCore::CSSFontFace::setVariantLigatures):
        (WebCore::CSSFontFace::setVariantPosition):
        (WebCore::CSSFontFace::setVariantCaps):
        (WebCore::CSSFontFace::setVariantNumeric):
        (WebCore::CSSFontFace::setVariantAlternates):
        (WebCore::CSSFontFace::setVariantEastAsian):
        (WebCore::CSSFontFace::setFeatureSettings):
        (WebCore::CSSFontFace::initializeWrapper):
        (WebCore::CSSFontFace::wrapper):
        (WebCore::CSSFontFace::setWrapper):
        (WebCore::CSSFontFace::purgeable):
        (WebCore::CSSFontFace::updateStyleIfNeeded):
        * css/CSSFontFace.h:
        * css/CSSFontFaceSet.cpp:
        (WebCore::CSSFontFaceSet::remove):
        (WebCore::CSSFontFaceSet::containsCSSConnection):
        (WebCore::CSSFontFaceSet::purge):
        * css/CSSFontFaceSet.h:
        * css/CSSFontSelector.cpp:
        (WebCore::CSSFontSelector::buildStarted):
        (WebCore::CSSFontSelector::buildCompleted):
        (WebCore::CSSFontSelector::addFontFaceRule):
        * css/CSSFontSelector.h:
        * css/FontFace.cpp:
        (WebCore::FontFace::family):
        (WebCore::FontFace::style):
        (WebCore::FontFace::weight):
        (WebCore::FontFace::unicodeRange):
        (WebCore::FontFace::variant):
        (WebCore::FontFace::featureSettings):
        (WebCore::FontFace::adopt):
        * css/FontFace.h:

2016-06-11  Chris Dumez  <cdumez@apple.com>

        WorkerNavigator is missing some attributes
        https://bugs.webkit.org/show_bug.cgi?id=158593
        <rdar://problem/26731334>

        Reviewed by Darin Adler.

        Add attributes that are missing on WorkerNavigator:
        - appCodeName
        - hardwareConcurrency
        - language
        - product
        - productSub
        - vendor
        - vendorSub

        Firefox and Chrome already expose those attributes.

        Relevant specification:
        https://html.spec.whatwg.org/multipage/workers.html#the-workernavigator-object

        This patch also refactors the IDL to match the specification more
        closely and promote sharing between Navigator and WorkerNavigator.

        No new tests, updated existing test.

        * CMakeLists.txt:
        * DerivedSources.make:
        Add new supplemental IDL files.

        * page/Navigator.cpp:
        * page/Navigator.h:
        Moved language() / hardwareConcurrency() from Navigator to NavigatorBase
        so that it can be used by NavigatorWorker as well.

        * page/NavigatorBase.h:
        * page/NavigatorBase.cpp:
        (WebCore::NavigatorBase::language):
        The implementation still calls defaultLanguage() but I updated it to be
        thread safe on all platforms.

        (WebCore::NavigatorBase::hardwareConcurrency):
        Use std::call_once() for thread safety.

        * page/Navigator.idl:
        * page/NavigatorConcurrentHardware.idl: Copied from Source/WebCore/page/WorkerNavigator.idl.
        * page/NavigatorID.idl: Copied from Source/WebCore/page/WorkerNavigator.idl.
        * page/NavigatorLanguage.idl: Copied from Source/WebCore/page/WorkerNavigator.idl.
        * page/NavigatorOnLine.idl: Copied from Source/WebCore/page/WorkerNavigator.idl.
        * page/WorkerNavigator.idl:
        Move several attributes to their own supplemental interfaces to match
        the specification and promote sharing with WorkerNavigator.

        * platform/Language.cpp:
        (WebCore::userPreferredLanguages):
        * platform/Language.h:
        Made thread-safe on all platforms.

2016-06-11  Antti Koivisto  <antti@apple.com>

        Build fix.

        * platform/network/cf/NetworkStorageSessionCFNet.cpp:
        (WebCore::NetworkStorageSession::switchToNewTestingSession):

2016-06-10  Antti Koivisto  <antti@apple.com>

        Vary:Cookie validation doesn't work in private browsing
        https://bugs.webkit.org/show_bug.cgi?id=158616
        rdar://problem/26755067

        Reviewed by Darin Adler.

        This wasn't implemented because there was no way to get NetworkStorageSession from
        a SessionID on WebCore side.

        The patch adds a simple WebCore level weak map that allows getting NetworkStorageSessions
        from SessionID. This seemed like the cleanest way to do this without a big refactoring
        around the currently WebKit2 level SessionTracker.

        * CMakeLists.txt:
        * WebCore.xcodeproj/project.pbxproj:
        * platform/network/CacheValidation.cpp:
        (WebCore::headerValueForVary):

            Get NetworkStorageSession from SessionID for cookies

        (WebCore::verifyVaryingRequestHeaders):
        * platform/network/NetworkStorageSession.cpp: Added.

            Add platform independent .cpp for NetworkStorageSession.
            Implement a weak map for SessionID -> NetworkStorageSession.

        (WebCore::sessionsMap):
        (WebCore::NetworkStorageSession::NetworkStorageSession):
        (WebCore::NetworkStorageSession::~NetworkStorageSession):
        (WebCore::NetworkStorageSession::forSessionID):

            Get NetworkStorageSession for sessionID.

        * platform/network/NetworkStorageSession.h:
        (WebCore::NetworkStorageSession::sessionID):
        (WebCore::NetworkStorageSession::credentialStorage):
        * platform/network/cf/NetworkStorageSessionCFNet.cpp:
        (WebCore::NetworkStorageSession::NetworkStorageSession):

            Call to common constructor.

        (WebCore::defaultNetworkStorageSession):
        * platform/network/soup/NetworkStorageSessionSoup.cpp:
        (WebCore::NetworkStorageSession::NetworkStorageSession):

            Call to common constructor.

        (WebCore::defaultSession):
        (WebCore::NetworkStorageSession::~NetworkStorageSession): Deleted.

2016-06-10  Ada Chan  <adachan@apple.com>

        Use the video element's video box when getting the inline video rect in WebVideoFullscreenManager
        https://bugs.webkit.org/show_bug.cgi?id=158351
        <rdar://problem/26567938>

        Reviewed by Darin Adler.

        * WebCore.xcodeproj/project.pbxproj:
        Change the visibility of RenderVideo.h and RenderMedia.h since we'll be importing RenderVideo.h from WebKit2.
        * rendering/RenderVideo.h:

2016-06-10  Benjamin Poulain  <bpoulain@apple.com>

        Add support for passive event listeners on touch events
        https://bugs.webkit.org/show_bug.cgi?id=158601

        Reviewed by Simon Fraser.

        This patch wires "passive" state of EventTarget to the delivery of touch
        events in WebKit2.

        Instead of having a NonFastScrollableRegion, we have a pair of regions
        in EventTrackingRegions.
        The "asynchronousDispatchRegion" tracks the area for which all event
        listeners are passive. For those, events should be dispatched asynchronously.
        The "synchronousDispatchRegion" tracks the area for which there is at
        least one active event listener. Events have to be dispatched synchronously
        for correctness.

        Tests: fast/events/touch/ios/tap-with-active-listener-on-elements.html
               fast/events/touch/ios/tap-with-active-listener-on-window.html
               fast/events/touch/ios/tap-with-passive-listener-on-elements.html
               fast/events/touch/ios/tap-with-passive-listener-on-window.html

        * WebCore.xcodeproj/project.pbxproj:
        * dom/Document.cpp:
        (WebCore::Document::wheelEventHandlersChanged):
        (WebCore::Document::Document): Deleted.
        * dom/Document.h:

        * dom/EventListenerMap.cpp:
        (WebCore::EventListenerMap::containsActive):
        If a Target has multiple listener for an event type, we want to know
        if any of them is active.

        * dom/EventListenerMap.h:
        * dom/EventTarget.cpp:
        (WebCore::EventTarget::hasActiveEventListeners):
        (WebCore::EventTarget::hasActiveTouchEventListeners):
        * dom/EventTarget.h:

        * page/DebugPageOverlays.cpp:
        (WebCore::NonFastScrollableRegionOverlay::updateRegion):
        I did not change the debug overlays.
        The NonFastScrollable area is the region for which events needs
        synchronous dispatch. Everything else should scroll without delay.

        * page/FrameView.cpp:
        (WebCore::FrameView::scrollableAreaSetChanged):
        * page/Page.cpp:
        (WebCore::Page::nonFastScrollableRects):
        * page/scrolling/AsyncScrollingCoordinator.cpp:
        (WebCore::AsyncScrollingCoordinator::setEventTrackingRegionsDirty):
        (WebCore::AsyncScrollingCoordinator::willCommitTree):
        (WebCore::AsyncScrollingCoordinator::updateEventTrackingRegions):
        (WebCore::AsyncScrollingCoordinator::frameViewLayoutUpdated):
        (WebCore::AsyncScrollingCoordinator::frameViewEventTrackingRegionsChanged):
        (WebCore::AsyncScrollingCoordinator::scrollingStateTreeAsText):
        (WebCore::AsyncScrollingCoordinator::setNonFastScrollableRegionDirty): Deleted.
        (WebCore::AsyncScrollingCoordinator::updateNonFastScrollableRegion): Deleted.
        (WebCore::AsyncScrollingCoordinator::frameViewNonFastScrollableRegionChanged): Deleted.
        * page/scrolling/AsyncScrollingCoordinator.h:
        (WebCore::AsyncScrollingCoordinator::eventTrackingRegionsDirty):
        (WebCore::AsyncScrollingCoordinator::nonFastScrollableRegionDirty): Deleted.

        * page/scrolling/ScrollingCoordinator.cpp:
        (WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame):
        (WebCore::ScrollingCoordinator::absoluteEventTrackingRegions):
        (WebCore::ScrollingCoordinator::absoluteNonFastScrollableRegionForFrame): Deleted.
        (WebCore::ScrollingCoordinator::absoluteNonFastScrollableRegion): Deleted.
        I intentionally left the Wheel event with synchronous dispatch.
        This use case will need its own set of tests.

        * page/scrolling/ScrollingCoordinator.h:
        (WebCore::ScrollingCoordinator::frameViewEventTrackingRegionsChanged):
        (WebCore::ScrollingCoordinator::frameViewNonFastScrollableRegionChanged): Deleted.
        * page/scrolling/ScrollingStateFrameScrollingNode.cpp:
        (WebCore::ScrollingStateFrameScrollingNode::ScrollingStateFrameScrollingNode):
        (WebCore::ScrollingStateFrameScrollingNode::setEventTrackingRegions):
        (WebCore::ScrollingStateFrameScrollingNode::dumpProperties):
        (WebCore::ScrollingStateFrameScrollingNode::setNonFastScrollableRegion): Deleted.
        * page/scrolling/ScrollingStateFrameScrollingNode.h:
        * page/scrolling/ScrollingTree.cpp:
        (WebCore::ScrollingTree::shouldHandleWheelEventSynchronously):
        (WebCore::ScrollingTree::commitNewTreeState):
        (WebCore::ScrollingTree::eventTrackingTypeForPoint):
        (WebCore::ScrollingTree::isPointInNonFastScrollableRegion): Deleted.
        * page/scrolling/ScrollingTree.h:
        * page/scrolling/mac/ScrollingCoordinatorMac.mm:
        (WebCore::ScrollingCoordinatorMac::scheduleTreeStateCommit):
        * platform/EventTrackingRegions.h: Added.
        (WebCore::EventTrackingRegions::isEmpty):
        (WebCore::EventTrackingRegions::trackingTypeForPoint):
        (WebCore::operator==):

2016-06-10  Enrica Casucci  <enrica@apple.com>

        REGRESSION(r198177): Cannot paste an image when the pasteboard format is mime type.
        https://bugs.webkit.org/show_bug.cgi?id=158590
        rdar://problem/25471371

        Reviewed by Darin Adler.

        When creating a fragment from an image resource, the resource needs to
        be added to the document loader before setting the src attribute to the
        image element, otherwise loading is triggered and the loading fails.
        In r198177 the order of the operations was changed causing the bug.
        This patch adds support to test the scenario where the image in the pasteboard
        is available only as mime type (not WebArchive or RTFD), a situation that occurs
        more frequently on iOS.

        Test: editing/pasteboard/image-in-iframe.html

        * editing/ios/EditorIOS.mm:
        (WebCore::Editor::createFragmentForImageResourceAndAddResource):
        * editing/mac/EditorMac.mm:
        (WebCore::Editor::WebContentReader::readWebArchive):
        (WebCore::Editor::WebContentReader::readRTFD):
        (WebCore::Editor::WebContentReader::readRTF):
        (WebCore::Editor::createFragmentForImageResourceAndAddResource):
        * page/Settings.cpp:
        (WebCore::Settings::setImagesEnabled):
        (WebCore::Settings::setPreferMimeTypeForImages):
        (WebCore::Settings::setForcePendingWebGLPolicy):
        * page/Settings.h:
        (WebCore::Settings::areImagesEnabled):
        (WebCore::Settings::preferMimeTypeForImages):
        (WebCore::Settings::arePluginsEnabled):
        * testing/InternalSettings.cpp:
        (WebCore::InternalSettings::Backup::restoreTo):
        (WebCore::InternalSettings::setLangAttributeAwareFormControlUIEnabled):
        (WebCore::InternalSettings::setPreferMimeTypeForImages):
        (WebCore::InternalSettings::setImagesEnabled):
        * testing/InternalSettings.h:
        * testing/InternalSettings.idl:

2016-06-10  Alex Christensen  <achristensen@webkit.org>

        Fix WinCairo build after r201943

        * platform/network/curl/MultipartHandle.cpp:
        (WebCore::MultipartHandle::didReceiveResponse):
        * platform/network/curl/ResourceHandleManager.cpp:
        (WebCore::handleLocalReceiveResponse):
        (WebCore::headerCallback):
        (WebCore::ResourceHandleManager::dispatchSynchronousJob):

2016-06-10  Alex Christensen  <achristensen@webkit.org>

        handleDataURL is only used by curl
        https://bugs.webkit.org/show_bug.cgi?id=158636

        Reviewed by Tim Horton.

        * CMakeLists.txt:
        * platform/network/DataURL.cpp: Removed.
        * platform/network/DataURL.h: Removed.
        * platform/network/curl/ResourceHandleManager.cpp:
        (WebCore::ResourceHandleManager::startScheduledJobs):
        (WebCore::handleDataURL):
        (WebCore::ResourceHandleManager::dispatchSynchronousJob):

2016-06-10  Alex Christensen  <achristensen@webkit.org>

        Reduce ResourceResponse copying
        https://bugs.webkit.org/show_bug.cgi?id=158232

        Reviewed by Darin Adler.

        No new tests.  No change in behavior except removing an unnecessary copy on cocoa platforms.

        * loader/ResourceLoader.cpp:
        (WebCore::ResourceLoader::didSendData):
        (WebCore::ResourceLoader::didReceiveResponse):
        * loader/ResourceLoader.h:
        * loader/appcache/ApplicationCacheGroup.cpp:
        (WebCore::ApplicationCacheGroup::createResourceHandle):
        (WebCore::ApplicationCacheGroup::didReceiveResponse):
        * loader/appcache/ApplicationCacheGroup.h:
        * platform/graphics/PlatformMediaResourceLoader.h:
        (WebCore::PlatformMediaResourceClient::~PlatformMediaResourceClient):
        (WebCore::PlatformMediaResourceClient::responseReceived):
        (WebCore::PlatformMediaResourceClient::redirectReceived):
        (WebCore::PlatformMediaResourceClient::shouldCacheResponse):
        (WebCore::PlatformMediaResourceClient::dataSent):
        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.h:
        * platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
        (ResourceHandleStreamingClient::willSendRequest):
        (ResourceHandleStreamingClient::didReceiveResponse):
        * platform/network/BlobResourceHandle.cpp:
        (WebCore::BlobResourceHandle::notifyResponseOnSuccess):
        (WebCore::BlobResourceHandle::notifyResponseOnError):
        (WebCore::BlobResourceHandle::notifyReceiveData):
        * platform/network/DataURL.cpp:
        (WebCore::handleDataURL):
        * platform/network/PingHandle.h:
        (WebCore::PingHandle::PingHandle):
        * platform/network/ResourceHandleClient.cpp:
        (WebCore::ResourceHandleClient::willSendRequestAsync):
        (WebCore::ResourceHandleClient::didReceiveResponseAsync):
        * platform/network/ResourceHandleClient.h:
        (WebCore::ResourceHandleClient::didSendData):
        (WebCore::ResourceHandleClient::didReceiveResponse):
        (WebCore::ResourceHandleClient::didReceiveData):
        * platform/network/ResourceResponseBase.cpp:
        (WebCore::ResourceResponseBase::ResourceResponseBase):
        (WebCore::ResourceResponseBase::includeCertificateInfo):
        (WebCore::ResourceResponseBase::suggestedFilename):
        (WebCore::ResourceResponseBase::certificateInfo): Deleted.
        * platform/network/ResourceResponseBase.h:
        (WebCore::ResourceResponseBase::certificateInfo):
        (WebCore::ResourceResponseBase::encode):
        (WebCore::ResourceResponseBase::decode):
        (WebCore::ResourceResponseBase::containsCertificateInfo): Deleted.
        * platform/network/SynchronousLoaderClient.cpp:
        (WebCore::SynchronousLoaderClient::canAuthenticateAgainstProtectionSpace):
        (WebCore::SynchronousLoaderClient::didReceiveResponse):
        (WebCore::SynchronousLoaderClient::didReceiveData):
        * platform/network/SynchronousLoaderClient.h:
        * platform/network/cf/ResourceHandleCFURLConnectionDelegateWithOperationQueue.cpp:
        (WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::didReceiveResponse):
        * platform/network/cf/SynchronousResourceHandleCFURLConnectionDelegate.cpp:
        (WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didReceiveResponse):
        (WebCore::SynchronousResourceHandleCFURLConnectionDelegate::didReceiveData):
        * platform/network/mac/WebCoreResourceHandleAsDelegate.mm:
        (-[WebCoreResourceHandleAsDelegate connection:didReceiveResponse:]):
        * platform/network/mac/WebCoreResourceHandleAsOperationQueueDelegate.mm:
        (-[WebCoreResourceHandleAsOperationQueueDelegate connection:didReceiveResponse:]):
        * platform/network/soup/ResourceHandleSoup.cpp:
        (WebCore::nextMultipartResponsePartCallback):
        (WebCore::sendRequestCallback):

2016-06-09  Ryosuke Niwa  <rniwa@webkit.org>

        Add SPI to disable spellchecking on auto-fillable text fields
        https://bugs.webkit.org/show_bug.cgi?id=158611

        Reviewed by Anders Carlsson.

        Added a boolean flag m_isSpellCheckingEnabled to HTMLInputElement. This flag defaults to true, and can be set
        to false by WebKit2 C API.

        * editing/Editor.cpp:
        (WebCore::Editor::isSpellCheckingEnabledFor): Fixed a bug that we were calling isSpellCheckingEnabled on
        the div inside an input element's shadow tree instead of the input element itself.
        * html/HTMLInputElement.cpp:
        (WebCore::HTMLInputElement::HTMLInputElement): Initialize m_spellcheckEnabled to true (it's a bit field).
        (WebCore::HTMLInputElement::isSpellCheckingEnabled): Added. Return false if m_spellcheckEnabled is false.
        * html/HTMLInputElement.h:
        (WebCore::HTMLInputElement::setSpellcheckEnabled): Added.

2016-06-10  Alex Christensen  <achristensen@webkit.org>

        Introduce WTF::UniqueRef
        https://bugs.webkit.org/show_bug.cgi?id=158596

        Reviewed by Brady Eidson.

        No new tests.  No change in behavior.

        * inspector/InspectorOverlay.cpp:
        (WebCore::InspectorOverlay::overlayPage):
        * loader/EmptyClients.cpp:
        (WebCore::fillWithEmptyClients):
        * page/Page.cpp:
        (WebCore::Page::Page):
        * page/Page.h:
        (WebCore::Page::canStartMedia):
        (WebCore::Page::editorClient):
        (WebCore::Page::plugInClient):
        (WebCore::Page::mainFrame):
        (WebCore::Page::groupPtr): Deleted.
        * page/PageConfiguration.cpp:
        (WebCore::PageConfiguration::PageConfiguration):
        * page/PageConfiguration.h:
        * svg/graphics/SVGImage.cpp:
        (WebCore::SVGImage::dataChanged):

2016-06-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup InspectorIndexedDBAgent a bit
        https://bugs.webkit.org/show_bug.cgi?id=158598

        Reviewed by Darin Adler.

        * inspector/InspectorIndexedDBAgent.cpp:

2016-06-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        Origin header is not included in CORS requests for preloaded cross-origin resources
        https://bugs.webkit.org/show_bug.cgi?id=155761
        <rdar://problem/25351850>

        Reviewed by Alex Christensen.

        Making HTML preloader fully aware of crossorigin attribute value.
        Introducing CachedResourceRequest::setAsPotentiallyCrossOrigin as a helper routine to activate CORS mode.
        Making HTMLLinkElement and HTMLResourcePreloader use that routine.
        Making TokenPreloadScanner store the crossorigin attribute value in preload requests.
        Making TokenPreloadScanner store the crossorigin attribute value for link elements.

        Test: http/tests/security/cross-origin-css-9.html

        * html/HTMLLinkElement.cpp:
        (WebCore::HTMLLinkElement::process):
        * html/parser/HTMLPreloadScanner.cpp:
        (WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest):
        (WebCore::TokenPreloadScanner::StartTagScanner::processAttribute):
        * html/parser/HTMLResourcePreloader.cpp:
        (WebCore::crossOriginModeAllowsCookies):
        (WebCore::PreloadRequest::resourceRequest):
        * html/parser/HTMLResourcePreloader.h:
        (WebCore::PreloadRequest::setCrossOriginMode):
        (WebCore::PreloadRequest::PreloadRequest): Deleted.
        (WebCore::PreloadRequest::resourceType): Deleted.
        * loader/cache/CachedResourceRequest.cpp:
        (WebCore::CachedResourceRequest::setAsPotentiallyCrossOrigin):
        * loader/cache/CachedResourceRequest.h:

2016-06-10  Chris Dumez  <cdumez@apple.com>

        ErrorEvent / ProgressEvent should be exposed to workers
        https://bugs.webkit.org/show_bug.cgi?id=158606

        Reviewed by Brady Eidson.

        ErrorEvent / ProgressEvent should be exposed to workers:
        - https://html.spec.whatwg.org/multipage/webappapis.html#errorevent
        - https://xhr.spec.whatwg.org/#interface-progressevent

        Firefox and Chrome both already expose those.

        No new tests, rebaselined existing test.

        * dom/ErrorEvent.idl:
        * dom/ProgressEvent.idl:

2016-06-10  Chris Dumez  <cdumez@apple.com>

        MessagePort should be exposed to workers
        https://bugs.webkit.org/show_bug.cgi?id=158607

        Reviewed by Brady Eidson.

        MessagePort should be exposed to workers:
        https://html.spec.whatwg.org/multipage/comms.html#messageport

        Firefox and Chrome both already expose it.

        No new tests, rebaselined existing test.

        * dom/MessagePort.idl:

2016-06-10  Youenn Fablet  <youenn.fablet@crf.canon.fr>

        Move preflight check code outside of DocumentThreadableLoader
        https://bugs.webkit.org/show_bug.cgi?id=158425

        Reviewed by Darin Adler.

        Moving preflight check code in its own class.
        This allows code to be easier to read, use/reuse and update.

        Behavior should be the same as before except in the case of a preflight response
        being a 3XX redirect response.
        Before this patch, the 3XX response was directly passed to the code processing regular responses.
        To keep compatibility with existing tests, a didFailRedirectCheck callback is called.
        This should be change to a preflight failure.

        Covered by existing tests.

        * CMakeLists.txt:
        * WebCore.xcodeproj/project.pbxproj:
        * loader/CrossOriginPreflightChecker.cpp: Added.
        (WebCore::CrossOriginPreflightChecker::CrossOriginPreflightChecker):
        (WebCore::CrossOriginPreflightChecker::~CrossOriginPreflightChecker):
        (WebCore::CrossOriginPreflightChecker::handleLoadingFailure):
        (WebCore::CrossOriginPreflightChecker::validatePreflightResponse):
        (WebCore::CrossOriginPreflightChecker::notifyFinished):
        (WebCore::CrossOriginPreflightChecker::startPreflight):
        (WebCore::CrossOriginPreflightChecker::doPreflight):
        (WebCore::CrossOriginPreflightChecker::redirectReceived):
        (WebCore::CrossOriginPreflightChecker::setDefersLoading):
        (WebCore::CrossOriginPreflightChecker::isXMLHttpRequest):
        * loader/CrossOriginPreflightChecker.h: Added.
        * loader/DocumentThreadableLoader.cpp:
        (WebCore::DocumentThreadableLoader::create):
        (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequest):
        (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight):
        (WebCore::DocumentThreadableLoader::setDefersLoading):
        (WebCore::DocumentThreadableLoader::clearResource):
        (WebCore::DocumentThreadableLoader::didReceiveResponse):
        (WebCore::DocumentThreadableLoader::didReceiveData):
        (WebCore::DocumentThreadableLoader::notifyFinished):
        (WebCore::DocumentThreadableLoader::didFinishLoading):
        (WebCore::DocumentThreadableLoader::didFail):
        (WebCore::DocumentThreadableLoader::preflightSuccess):
        (WebCore::DocumentThreadableLoader::preflightFailure):
        (WebCore::DocumentThreadableLoader::loadRequest):
        (WebCore::DocumentThreadableLoader::responseReceived): Deleted.
        (WebCore::DocumentThreadableLoader::dataReceived): Deleted.
        (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Deleted.
        * loader/DocumentThreadableLoader.h:
        (WebCore::DocumentThreadableLoader::options):
        (WebCore::DocumentThreadableLoader::isLoading):
        (WebCore::DocumentThreadableLoader::document):

2016-06-10  Adam Bergkvist  <adam.bergkvist@ericsson.com>

        WebRTC: Imlement MediaEndpointPeerConnection::createAnswer()
        https://bugs.webkit.org/show_bug.cgi?id=158566

        Reviewed by Eric Carlson.

        Add the MediaEndpointPeerConnection implementation of RTCPeerConnection.createAnswer [1].
        createAnswer() creates a 'reply' to an remote offer set with setRemoteDescription(),
        completes the offer/answer dialog and brings the RTCPeerConnection back to the 'stable'
        signaling state.

        [1] https://w3c.github.io/webrtc-pc/archives/20160513/webrtc.html#dom-rtcpeerconnection-createanswer

        Test: fast/mediastream/RTCPeerConnection-inspect-answer.html

        * Modules/mediastream/MediaEndpointPeerConnection.cpp:
        (WebCore::MediaEndpointPeerConnection::createOfferTask):
        Align creation of RTCSessionDescription with createAnswerTask.
        (WebCore::MediaEndpointPeerConnection::createAnswer):
        (WebCore::MediaEndpointPeerConnection::createAnswerTask):
        Add Implementation.
        * Modules/mediastream/MediaEndpointPeerConnection.h:

2016-06-08  Sergio Villar Senin  <svillar@igalia.com>

        [css-grid] CRASH when getting the computed style of a grid with only absolutely positioned children
        https://bugs.webkit.org/show_bug.cgi?id=158537

        Reviewed by Darin Adler.

        Absolute positioning occurs after layout of the grid and its in-flow contents, and does not
        contribute to the sizing of any grid tracks or affect the size/configuration of the grid in
        any way. This means that we should treat as empty any grid whose only children are
        absolutely positioned items.

        Since r201510 empty grids are no longer internally represented by a 1x1 matrix. As we were
        not considering grids-with-only-absolutely-positioned-children as empty, we were trying to
        access some invalid position in the internal representation of the grid triggering an ASSERT
        in debug builds and a crash in release.

        Test: fast/css-grid-layout/grid-only-abspos-item-computed-style-crash.html

        * css/CSSComputedStyleDeclaration.cpp:
        (WebCore::valueForGridTrackList):

2016-06-10  Chris Dumez  <cdumez@apple.com>

        DOMException should be exposed to workers
        https://bugs.webkit.org/show_bug.cgi?id=158608

        Reviewed by Alex Christensen.

        DOMException should be exposed to workers:
        https://heycam.github.io/webidl/#es-DOMException-call

        Both Firefox and Chrome expose DOMException to workers already.

        No new tests, rebaselined existing test.

        * dom/DOMCoreException.idl:

2016-06-09  Alex Christensen  <achristensen@webkit.org>

        Fix CMake build.

        * PlatformMac.cmake:

2016-06-09  Alex Christensen  <achristensen@webkit.org>

        Fix AppleWin build after r201901.
        https://bugs.webkit.org/show_bug.cgi?id=119839

        * platform/graphics/ca/win/PlatformCALayerWin.cpp:
        (PlatformCALayerWin::backingStoreAttached):
        (PlatformCALayerWin::userInteractionEnabled):
        (PlatformCALayerWin::setUserInteractionEnabled):
        (PlatformCALayerWin::geometryFlipped):
        * platform/graphics/ca/win/PlatformCALayerWin.h:

2016-06-09  Chris Fleizach  <cfleizach@apple.com>

        AX: VoiceOver Unable to View Download Progress or Completion Status for Mail Attachments
        https://bugs.webkit.org/show_bug.cgi?id=158581

        Reviewed by Darin Adler.

        Update attachment element accessibility so that:
           1) the action name comes first to match UI
           2) on iOS, it has the updates frequently trait

        Make sure this test now runs on iOS as well.

        Modified tests: accessibility/attachment-element.html

        * accessibility/AccessibilityAttachment.cpp:
        (WebCore::AccessibilityAttachment::accessibilityText):
        * accessibility/ios/WebAccessibilityObjectWrapperIOS.mm:
        (-[WebAccessibilityObjectWrapper accessibilityCanFuzzyHitTest]):
        (-[WebAccessibilityObjectWrapper accessibilityTraits]):
        (-[WebAccessibilityObjectWrapper accessibilityValue]):