Possible crash computing event regions
[WebKit-https.git] / Source / WebCore / ChangeLog
index 2e90414..3cdf793 100644 (file)
+2018-01-06  Simon Fraser  <simon.fraser@apple.com>
+
+        Possible crash computing event regions
+        https://bugs.webkit.org/show_bug.cgi?id=181368
+        rdar://problem/34847081
+
+        Reviewed by Zalan Bujtas.
+
+        Don't trigger layout in Element::absoluteEventHandlerBounds(), since this can run arbirary script
+        which might delete elements or re-enter Document::absoluteRegionForEventTargets().
+
+        It's OK to not trigger layout, because if layout is dirty, the next layout will update event regions again.
+
+        Add a LayoutDisallowedScope to check that Document::absoluteRegionForEventTargets() doesn't
+        trigger layout, and move the check for LayoutDisallowedScope::isLayoutAllowed() from Document::updateLayout()
+        to LayoutContext::layout(), since some layouts don't happen via the former (e.g. the one being removed here).
+
+        The test checks that the assertion does not fire. I was not able to get a reliable test for any crash.
+
+        Test: fast/events/event-handler-regions-layout.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::updateLayout):
+        (WebCore::Document::absoluteRegionForEventTargets):
+        * dom/Element.cpp:
+        (WebCore::Element::absoluteEventHandlerBounds):
+        * page/LayoutContext.cpp:
+        (WebCore::LayoutContext::layout):
+        * rendering/LayoutDisallowedScope.h: Move the #ifdefs around to avoid defining the enum twice.
+        (WebCore::LayoutDisallowedScope::LayoutDisallowedScope):
+        (WebCore::LayoutDisallowedScope::isLayoutAllowed):
+
+2018-01-06  Simon Fraser  <simon.fraser@apple.com>
+
+        Crash under RenderLayer::scrollTo() with marquee
+        https://bugs.webkit.org/show_bug.cgi?id=181349
+        rdar://problem/36190168
+
+        Reviewed by Zalan Bujtas.
+
+        Don't call updateWidgetPositions() synchonously during RenderLayer scrolling, because it
+        can run arbitrary script which may trigger destruction of this RenderLayer.
+
+        Instead, queue up updateWidgetPositions() on a zero-delay timer.
+
+        Under some circumstances this may allow a paint to occur before the widgets have been
+        updated (which could be fixed with a more invasive change), but in practice I saw no
+        painting issues with plug-ins or iframes inside overflow scroll, in WebKit or LegacyWebKit.
+
+        Test: fast/scrolling/marquee-scroll-crash.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::FrameView):
+        (WebCore::FrameView::updateWidgetPositions):
+        (WebCore::FrameView::scheduleUpdateWidgetPositions):
+        (WebCore::FrameView::updateWidgetPositionsTimerFired):
+        * page/FrameView.h:
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::scrollTo):
+
+2018-01-05  Dean Jackson  <dino@apple.com>
+
+        Accurately clip copyTexImage2D and copyTexSubImage2D
+        https://bugs.webkit.org/show_bug.cgi?id=181356
+        <rdar://problem/35083877>
+
+        Reviewed by Eric Carlson.
+
+        The code to make sure copyTexSubImage2D and copyTexImage2D will not try to read
+        out of bounds had a bad bug introduced here:
+        https://bugs.webkit.org/show_bug.cgi?id=51421
+
+        With appropriate parameters, it would produce a rectangle with
+        negative dimensions. Most GL drivers just ignored this, but some
+        are not happy.
+
+        Test: fast/canvas/webgl/copy-tex-image-and-sub-image-2d-bad-input.html
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::clip2D): Reimplement this in a more sane manner, and use
+        checked arithmetic while here.
+        * html/canvas/WebGLRenderingContextBase.h:
+        (WebCore::clip1D): Deleted.
+        (WebCore::clip2D): Deleted.
+
+2018-01-06  Antti Koivisto  <antti@apple.com>
+
+        Use WeakPtr for RenderTreePosition::m_nextSibling
+        https://bugs.webkit.org/show_bug.cgi?id=181363
+
+        Reviewed by Zalan Bujtas.
+
+        For safety. In most cases it is null and won't cause us to instantiate WeakReferences for
+        many new objects.
+
+        * rendering/updating/RenderTreePosition.cpp:
+        (WebCore::RenderTreePosition::computeNextSibling):
+        * rendering/updating/RenderTreePosition.h:
+        (WebCore::RenderTreePosition::RenderTreePosition):
+        (WebCore::RenderTreePosition::nextSibling const):
+
+2018-01-05  David Kilzer  <ddkilzer@apple.com>
+
+        Re-enable -Wcast-qual in WebCore for Apple ports
+        <https://webkit.org/b/177895>
+        <rdar://problem/34960830>
+
+        Reviewed by Joseph Pecoraro.
+
+        * Configurations/Base.xcconfig:
+        (WARNING_CFLAGS): Remove FIXME and add -Wcast-qual back to
+        arguments.
+
+        * crypto/mac/SerializedCryptoKeyWrapMac.mm:
+        (WebCore::createAndStoreMasterKey):
+        - Use checked_cf_cast<SecACLRef>().
+
+        * editing/cocoa/DataDetection.mm:
+        (WebCore::detectItemAtPositionWithRange):
+        - Manually cast CFTypeRef to DDResultRef until
+          DDResultGetTypeID() is available as SPI.
+
+        * platform/gamepad/mac/HIDGamepad.cpp:
+        (WebCore::HIDGamepad::initElementsFromArray):
+        - Use checked_cf_cast<IOHIDElementRef>().
+
+        * platform/graphics/avfoundation/objc/MediaSampleAVFObjC.mm:
+        (WebCore::MediaSampleAVFObjC::createImageSample):
+        (WebCore::CMSampleBufferIsRandomAccess):
+        (WebCore::CMSampleBufferIsNonDisplaying):
+        (WebCore::MediaSampleAVFObjC::createNonDisplayingCopy const):
+        - Use checked_cf_cast<CFMutableDictionaryRef>() and
+          checked_cf_cast<CFDictionaryRef>().
+
+        * platform/graphics/cocoa/IOSurface.h:
+        (WebCore::IOSurface::asLayerContents):
+        - Use reinterpret_cast<id>() to cast from IOSurfaceRef to id.
+
+        * platform/graphics/cocoa/WebCoreDecompressionSession.mm:
+        (WebCore::WebCoreDecompressionSession::getFirstVideoFrame):
+        (WebCore::WebCoreDecompressionSession::automaticDequeue):
+        (WebCore::WebCoreDecompressionSession::imageForTime):
+        (WebCore::WebCoreDecompressionSession::getDecodeTime):
+        (WebCore::WebCoreDecompressionSession::getPresentationTime):
+        (WebCore::WebCoreDecompressionSession::getDuration):
+        - Use checked_cf_cast<CMSampleBufferRef>().
+
+        * platform/graphics/Font.h:
+        (WebCore::Font::m_kernedCFStringAttributes):
+        (WebCore::Font::m_nonKernedCFStringAttributes):
+        - Change type from RetainPtr<CFDictionaryRef> to
+          RetainPtr<CFMutableDictionaryRef> since that's what they are.
+        * platform/graphics/mac/SimpleFontDataCoreText.cpp:
+        (WebCore::Font::getCFStringAttributes const):
+        - Replace local `mutableAttributes` variable with
+          `attributesDictionary.get()` since it returns the correct type
+          now.
+
+        * platform/ios/wak/WAKView.mm:
+        (-[WAKView _initWithViewRef:]):
+        (_WAKCopyWrapper):
+        * platform/ios/wak/WKView.mm:
+        (_WKViewClearSuperview):
+        (WKViewFirstChild):
+        (WKViewNextSibling):
+        - Use static_cast<WKViewRef>(const_cast<void*>()) to convert
+          const void* variable to WKViewRef.
+
+        * platform/mac/PasteboardMac.mm:
+        (WebCore::flipImageSpec):
+        (WebCore::setDragImageImpl):
+        - Use const_cast<> to remove 'const' modifier from
+          unsigned char pointers.  This regressed while -Wcast-qual was
+          disabled for WebCore.
+
+        * platform/mac/SSLKeyGeneratorMac.mm:
+        (WebCore::signedPublicKeyAndChallengeString):
+        - Use checked_cf_cast<SecACLRef>().
+
+        * platform/mediastream/mac/RealtimeIncomingVideoSourceCocoa.cpp:
+        (WebCore::RealtimeIncomingVideoSourceCocoa::OnFrame):
+        - Use checked_cf_cast<CFMutableDictionaryRef>().
+
+        * platform/network/cf/SocketStreamHandleImplCFNet.cpp:
+        (WebCore::copyCONNECTProxyResponse):
+        - Use checked_cf_cast<CFHTTPMessageRef>().
+
+        * platform/network/cocoa/ResourceResponseCocoa.mm:
+        (WebCore::ResourceResponse::platformCertificateInfo const):
+        - Use checked_cf_cast<SecTrustRef>().
+
+        * platform/network/mac/CertificateInfoMac.mm:
+        (WebCore::CertificateInfo::containsNonRootSHA1SignedCertificate const):
+        (WebCore::CertificateInfo::dump const):
+        - Use checked_cf_cast<SecCertificateRef>().
+
+        * testing/cocoa/WebArchiveDumpSupport.mm:
+        (WebCoreTestSupport::createCFURLResponseFromResponseData):
+        - Use checked_cf_cast<>() for CFMutable* types.
+
+2018-01-05  John Wilander  <wilander@apple.com>
+
+        Storage Access API: Refactor to make naming accurate and explicit, simplify access table, and prepare for access removal for page
+        https://bugs.webkit.org/show_bug.cgi?id=181357
+        <rdar://problem/36331031>
+
+        Reviewed by Alex Christensen.
+
+        No new tests. The only changed functionality that isn't covered
+        by existing tests is cross-origin iframes in the same partition
+        should be handled as already having access. This cannot be
+        tested in layout tests since they don't support subdomains.
+
+        This change does the following:
+        - Changes function and message names to reflect how this feature
+          was eventually implemented, i.e. access per frame.
+        - Makes it explicit that the UI process is only involved in
+          granting storage access and not removing storage access.
+          The latter is done directly by the web process.
+        - Simplifies the network process' entry map since only needs to
+          be able to give access to one domain in one frame at a time.
+          Access goes away on frame navigation so there can only be one
+          domain at a time per frame. Also, the map now uses pageIDs as
+          main keys to prepare for efficient access removal for all
+          frames under a page.
+        - Fixes a bug in so that a cross-origin iframe with the same
+          partition as the top frame correctly is handled as already
+          having access.
+
+        * platform/network/NetworkStorageSession.h:
+        * platform/network/cf/NetworkStorageSessionCFNet.cpp:
+        (WebCore::NetworkStorageSession::cookieStoragePartition const):
+            The only change here is the changed named of the call to
+            NetworkStorageSession::hasStorageAccessForFrame().
+        (WebCore::NetworkStorageSession::hasStorageAccessForFrame const):
+        (WebCore::NetworkStorageSession::grantStorageAccessForFrame):
+        (WebCore::NetworkStorageSession::removeStorageAccessForFrame):
+        (WebCore::NetworkStorageSession::isStorageAccessGranted const): Deleted.
+        (WebCore::NetworkStorageSession::setStorageAccessGranted): Deleted.
+        (WebCore::NetworkStorageSession::removeStorageAccess): Deleted.
+
+2018-01-05  Youenn Fablet  <youenn@apple.com>
+
+        Implement Cache API partitioning based on ClientOrigin
+        https://bugs.webkit.org/show_bug.cgi?id=181240
+
+        Reviewed by Alex Christensen.
+
+        Covered by updated tests.
+
+        Previously, cache storage was partitioned according the origin of the client, represented as a String.
+        We now partition according both client and top origins, represented as a ClientOrigin
+
+        Minor refactoring to use more makePendingActivity.
+        Added support for IPC serialization of ClientOrigin.
+        Added SecurityOriginData::toString which is used by WebKit2 Cache Storage implementation.
+
+        * Modules/cache/CacheStorageConnection.cpp:
+        (WebCore::CacheStorageConnection::open):
+        (WebCore::CacheStorageConnection::retrieveCaches):
+        * Modules/cache/CacheStorageConnection.h:
+        (WebCore::CacheStorageConnection::clearMemoryRepresentation):
+        (WebCore::CacheStorageConnection::doOpen):
+        (WebCore::CacheStorageConnection::doRetrieveCaches):
+        * Modules/cache/DOMCacheStorage.cpp:
+        (WebCore::DOMCacheStorage::origin const):
+        (WebCore::DOMCacheStorage::retrieveCaches):
+        (WebCore::DOMCacheStorage::open):
+        (WebCore::DOMCacheStorage::remove):
+        * Modules/cache/DOMCacheStorage.h:
+        * Modules/cache/WorkerCacheStorageConnection.cpp:
+        (WebCore::WorkerCacheStorageConnection::doOpen):
+        (WebCore::WorkerCacheStorageConnection::doRetrieveCaches):
+        * Modules/cache/WorkerCacheStorageConnection.h:
+        * page/ClientOrigin.h:
+        (WebCore::ClientOrigin::isolatedCopy const):
+        (WebCore::ClientOrigin::encode const):
+        (WebCore::ClientOrigin::decode):
+        * page/SecurityOriginData.cpp:
+        (WebCore::SecurityOriginData::toString const):
+        (WebCore::SecurityOriginData::debugString const): Deleted.
+        * page/SecurityOriginData.h:
+        (WebCore::SecurityOriginData::debugString const):
+        * testing/Internals.cpp:
+        (WebCore::Internals::clearCacheStorageMemoryRepresentation):
+
+2018-01-05  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        [Attachment Support] Add a way to write blob data to a file URL from the UI process
+        https://bugs.webkit.org/show_bug.cgi?id=181236
+
+        Reviewed by Brady Eidson.
+
+        Add support for writing a blob to a designated file path. See comments below for more detail. No new tests, as
+        there change in behavior yet. See part 2: https://bugs.webkit.org/show_bug.cgi?id=181199.
+
+        * page/DragController.cpp:
+        (WebCore::DragController::dragAttachmentElement):
+        * platform/PromisedBlobInfo.h:
+
+        Remove PromisedBlobData entirely. This was added with the premise of having the web process deliver blob data to
+        the UI process. However, the new approach I'm taking just has the UI process tell the network process to write
+        a blob to a given location, so a data structure to deliver blob data over IPC is no longer necessary.
+
+        (WebCore::PromisedBlobData::hasData const): Deleted.
+        (WebCore::PromisedBlobData::hasFile const): Deleted.
+        (WebCore::PromisedBlobData::operator bool const): Deleted.
+        (WebCore::PromisedBlobData::fulfills const): Deleted.
+        * platform/network/BlobRegistryImpl.cpp:
+        (WebCore::BlobRegistryImpl::populateBlobsForFileWriting):
+
+        Introduce a new helper to build a list of blob data for file writing.
+
+        (WebCore::writeFilePathsOrDataBuffersToFile):
+
+        Introduce a new static helper to write blob data (a list of file paths and data buffers) to a given file handle.
+        Automatically closes the given file handle upon exit.
+
+        (WebCore::BlobRegistryImpl::writeBlobsToTemporaryFiles):
+        (WebCore::BlobRegistryImpl::writeBlobToFilePath):
+
+        Pull out common logic in writeBlobsToTemporaryFiles and writeBlobToFilePath into helper methods (see above), and
+        refactor both methods to use the helpers.
+
+        * platform/network/BlobRegistryImpl.h:
+
+2018-01-05  Alex Christensen  <achristensen@webkit.org>
+
+        Forbid < and > in URL hosts
+        https://bugs.webkit.org/show_bug.cgi?id=181308
+        <rdar://problem/36012757>
+
+        Reviewed by Tim Horton.
+
+        https://url.spec.whatwg.org/#forbidden-host-code-point does not include these characters yet, but I think it should.
+        Firefox fails to parse URLs with < or > in the host.  Chrome percent encodes them.  Safari needs to do something.
+        The web platform tests are unclear on this case, and they will need to be updated with the specification.
+        They do show a change in behavior, though.
+
+        * platform/URLParser.cpp:
+        Add < and > to the list of forbidden host code points.
+
+2018-01-05  Eric Carlson  <eric.carlson@apple.com>
+
+        [MediaStream] Add Mac screen capture source
+        https://bugs.webkit.org/show_bug.cgi?id=181333
+        <rdar://problem/36323219>
+
+        Reviewed by Dean Jackson.
+
+        * SourcesCocoa.txt: Add ScreenDisplayCaptureSourceMac.mm.
+
+        * WebCore.xcodeproj/project.pbxproj: Ditto.
+
+        * platform/cocoa/CoreVideoSoftLink.cpp: Declare new constants used.
+        * platform/cocoa/CoreVideoSoftLink.h:
+
+        * platform/mediastream/mac/DisplayCaptureManagerCocoa.cpp:
+        (WebCore::displayReconfigurationCallBack): Call refreshCaptureDevices.
+        (WebCore::DisplayCaptureManagerCocoa::~DisplayCaptureManagerCocoa): Unregister for display
+        reconfiguration callbacks.
+        (WebCore::DisplayCaptureManagerCocoa::captureDevices): Register for display reconfigrations.
+        (WebCore::DisplayCaptureManagerCocoa::refreshCaptureDevices): Use CGActiveDisplayList to
+        get list of active screens.
+        (WebCore::DisplayCaptureManagerCocoa::screenCaptureDeviceWithPersistentID): Validate screen
+        ID, return CaptureDevice.
+        * platform/mediastream/mac/DisplayCaptureManagerCocoa.h:
+
+        * platform/mediastream/mac/RealtimeMediaSourceCenterMac.cpp:
+        (WebCore::VideoCaptureSourceFactoryMac::createVideoCaptureSource): Deal with screen capture
+        on macOS.
+
+        Implement Mac screen capture with CGDisplayStream.
+        * platform/mediastream/mac/ScreenDisplayCaptureSourceMac.h: Added.
+        (WebCore::ScreenDisplayCaptureSourceMac::DisplaySurface::~DisplaySurface):
+        (WebCore::ScreenDisplayCaptureSourceMac::DisplaySurface::operator=):
+        (WebCore::ScreenDisplayCaptureSourceMac::DisplaySurface::ioSurface const):
+        * platform/mediastream/mac/ScreenDisplayCaptureSourceMac.mm: Added.
+        (WebCore::roundUpToMacroblockMultiple):
+        (WebCore::ScreenDisplayCaptureSourceMac::updateDisplayID):
+        (WebCore::ScreenDisplayCaptureSourceMac::create):
+        (WebCore::ScreenDisplayCaptureSourceMac::ScreenDisplayCaptureSourceMac):
+        (WebCore::ScreenDisplayCaptureSourceMac::~ScreenDisplayCaptureSourceMac):
+        (WebCore::ScreenDisplayCaptureSourceMac::createDisplayStream):
+        (WebCore::ScreenDisplayCaptureSourceMac::startProducingData):
+        (WebCore::ScreenDisplayCaptureSourceMac::stopProducingData):
+        (WebCore::ScreenDisplayCaptureSourceMac::sampleBufferFromPixelBuffer):
+        (WebCore::ScreenDisplayCaptureSourceMac::pixelBufferFromIOSurface):
+        (WebCore::ScreenDisplayCaptureSourceMac::generateFrame):
+        (WebCore::ScreenDisplayCaptureSourceMac::startDisplayStream):
+        (WebCore::ScreenDisplayCaptureSourceMac::applySize):
+        (WebCore::ScreenDisplayCaptureSourceMac::applyFrameRate):
+        (WebCore::ScreenDisplayCaptureSourceMac::commitConfiguration):
+        (WebCore::ScreenDisplayCaptureSourceMac::displayWasReconfigured):
+        (WebCore::ScreenDisplayCaptureSourceMac::displayReconfigurationCallBack):
+        (WebCore::ScreenDisplayCaptureSourceMac::frameAvailable):
+
+2018-01-05  Don Olmstead  <don.olmstead@sony.com>
+
+        [curl] Can't load file:// URL with a URL fragment identifier
+        https://bugs.webkit.org/show_bug.cgi?id=181170
+
+        Reviewed by Alex Christensen.
+
+        No new tests. No change in behavior.
+
+        * platform/network/curl/CurlRequest.cpp:
+        (WebCore::CurlRequest::invokeDidReceiveResponseForFile):
+
+2018-01-05  Don Olmstead  <don.olmstead@sony.com>
+
+        TextCodec uses std::array but does not include it
+        https://bugs.webkit.org/show_bug.cgi?id=181340
+
+        Reviewed by Alex Christensen.
+
+        No new tests. No change in behavior.
+
+        * platform/text/TextCodec.h:
+
+2018-01-05  Said Abou-Hallawa  <sabouhallawa@apple.com>
+
+        SVGAnimatedListPropertyTearOff::synchronizeWrappersIfNeeded() should do nothing if the property is not animating
+        https://bugs.webkit.org/show_bug.cgi?id=181316
+        <rdar://problem/36147545>
+
+        Reviewed by Simon Fraser.
+
+        This is a speculative change to fix a crash which appeared after r226065.
+        The crash is very intermittent and sometimes very hard to reproduce. The
+        basic code analysis did not show how this crash can even happen.
+
+        * svg/SVGAnimatedTypeAnimator.h:
+        (WebCore::SVGAnimatedTypeAnimator::resetFromBaseValues): For SVG property
+        with two values, e.g. <SVGAngleValue, SVGMarkerOrientType>,  we need to
+        detach the wrappers of the animated property if the animated values are
+        going to change. This is similar to what we did in resetFromBaseValue().
+
+        * svg/properties/SVGAnimatedListPropertyTearOff.h:
+        (WebCore::SVGAnimatedListPropertyTearOff::synchronizeWrappersIfNeeded):
+
+2018-01-05  Matt Lewis  <jlewis3@apple.com>
+
+        Unreviewed, rolling out r226401.
+
+        This caused timeouts on multiple platforms.
+
+        Reverted changeset:
+
+        "Implement Cache API partitioning based on ClientOrigin"
+        https://bugs.webkit.org/show_bug.cgi?id=181240
+        https://trac.webkit.org/changeset/226401
+
+2018-01-05  Dan Bernstein  <mitz@apple.com>
+
+        Fixed the build following AppKit API deprecations in a recent SDKs
+
+        * platform/mac/PasteboardMac.mm:
+        (WebCore::setDragImageImpl): Suppressed deprecation warnings.
+        * platform/mac/WidgetMac.mm:
+        (WebCore::Widget::paint): Ditto.
+
+2018-01-05  Joseph Pecoraro  <pecoraro@apple.com>
+
+        ServiceWorkers: Enable UserTiming / ResourceTiming
+        https://bugs.webkit.org/show_bug.cgi?id=181297
+        <rdar://problem/36307306>
+
+        Reviewed by Youenn Fablet.
+
+        Tests: http/tests/workers/service/service-worker-resource-timing.https.html
+               http/tests/workers/service/service-worker-user-timing.https.html
+
+        * loader/ResourceTiming.cpp:
+        (WebCore::ResourceTiming::ResourceTiming):
+        We used to clear extra NetworkLoadMetrics data early on. However,
+        for Workers we want to pass the complete NetworkLoadMetrics to
+        the Worker so that a Worker inspector has access to it.
+
+        * page/PerformanceResourceTiming.cpp:
+        (WebCore::PerformanceResourceTiming::PerformanceResourceTiming):
+        Instead move the clearing of extra data to here, when the NetworkLoadMetrics
+        have finally settled into being used only for a performance entry.
+
+2018-01-04  Philippe Normand  <pnormand@igalia.com>
+
+        [EME][GStreamer] Fix wrong ifdef
+        https://bugs.webkit.org/show_bug.cgi?id=181289
+
+        Reviewed by Alex Christensen.
+
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
+        (WebCore::MediaPlayerPrivateGStreamer::handleMessage): Remove the
+        ENCRYPTED_MEDIA ifdef from the VIDEO_TRACK ifdef block. Both have
+        nothing to do together.
+
+2018-01-05  Fujii Hironori  <Hironori.Fujii@sony.com>
+
+        [Cairo] Canvas: Path::clear should clear its transform
+        https://bugs.webkit.org/show_bug.cgi?id=181320
+
+        Reviewed by Carlos Garcia Campos.
+
+        Path of Cairo port has its cairo context. Path::clear() didn't
+        clear the transform matrix of the context.
+
+        Test: fast/canvas/reset-scaling-by-height-change.html
+
+        * platform/graphics/cairo/PathCairo.cpp:
+        (WebCore::Path::clear): Reset the transform matrix of Path.
+
+2018-01-04  Devin Rousso  <webkit@devinrousso.com>
+
+        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
+        https://bugs.webkit.org/show_bug.cgi?id=180770
+
+        Reviewed by Joseph Pecoraro.
+
+        No change in functionality.
+
+        * html/HTMLCanvasElement.h:
+        * html/HTMLCanvasElement.cpp:
+        (WebCore::HTMLCanvasElement::createContext2d):
+        (WebCore::HTMLCanvasElement::createContextWebGL):
+        (WebCore::HTMLCanvasElement::createContextWebGPU):
+        (WebCore::HTMLCanvasElement::createContextBitmapRenderer):
+        (WebCore::HTMLCanvasElement::reset):
+        (WebCore::HTMLCanvasElement::paint):
+        (WebCore::HTMLCanvasElement::setImageBuffer const):
+        (WebCore::HTMLCanvasElement::addObserver): Deleted.
+        (WebCore::HTMLCanvasElement::removeObserver): Deleted.
+        (WebCore::HTMLCanvasElement::cssCanvasClients): Deleted.
+        (WebCore::HTMLCanvasElement::notifyObserversCanvasChanged): Deleted.
+        * html/OffscreenCanvas.h:
+        * html/canvas/CanvasRenderingContext.h:
+        * html/canvas/CanvasRenderingContext.cpp:
+        * html/canvas/CanvasRenderingContext2D.h:
+        * html/canvas/CanvasRenderingContext2D.cpp:
+        (WebCore::CanvasRenderingContext2D::create):
+        * html/canvas/CanvasRenderingContext2DBase.h:
+        * html/canvas/ImageBitmapRenderingContext.h:
+        * html/canvas/ImageBitmapRenderingContext.cpp:
+        (WebCore::ImageBitmapRenderingContext::create):
+        * html/canvas/WebGL2RenderingContext.h:
+        * html/canvas/WebGL2RenderingContext.cpp:
+        (WebCore::WebGL2RenderingContext::create):
+        * html/canvas/WebGLRenderingContext.h:
+        * html/canvas/WebGLRenderingContext.cpp:
+        (WebCore::WebGLRenderingContext::create):
+        * html/canvas/WebGLRenderingContextBase.h:
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::create):
+        * html/canvas/WebGPURenderingContext.cpp:
+        (WebCore::WebGPURenderingContext::create):
+        Instead of adding didCreateCanvasRenderingContext calls at the construction sites of each
+        context, we can make the constructors private and force the usage of static `create` functions.
+        This way, we have access to the fully constructed object and have a guaranteed path for creation.
+
+        * html/CanvasBase.h:
+        * html/CanvasBase.cpp:
+        (WebCore::CanvasBase::~CanvasBase):
+        (WebCore::CanvasBase::renderingContext const):
+        (WebCore::CanvasBase::addObserver):
+        (WebCore::CanvasBase::removeObserver):
+        (WebCore::CanvasBase::notifyObserversCanvasChanged):
+        (WebCore::CanvasBase::notifyObserversCanvasResized):
+        (WebCore::CanvasBase::notifyObserversCanvasDestroyed):
+        (WebCore::CanvasBase::cssCanvasClients const):
+        * Modules/mediastream/CanvasCaptureMediaStreamTrack.h:
+        * Modules/mediastream/CanvasCaptureMediaStreamTrack.cpp:
+        (WebCore::CanvasCaptureMediaStreamTrack::Source::canvasDestroyed):
+        (WebCore::CanvasCaptureMediaStreamTrack::Source::canvasResized):
+        (WebCore::CanvasCaptureMediaStreamTrack::Source::canvasChanged):
+        * css/CSSCanvasValue.h:
+        Move the CanvasObserver class to CanvasBase so that it can also be used for OffscreenCanvas.
+
+        * inspector/InspectorInstrumentation.h:
+        (WebCore::InspectorInstrumentation::didChangeCSSCanvasClientNodes):
+        (WebCore::InspectorInstrumentation::didCreateCanvasRenderingContext):
+        (WebCore::InspectorInstrumentation::didChangeCanvasMemory):
+        (WebCore::InspectorInstrumentation::recordCanvasAction):
+        (WebCore::InspectorInstrumentation::didFinishRecordingCanvasFrame):
+        (WebCore::InspectorInstrumentation::didEnableExtension):
+        (WebCore::InspectorInstrumentation::didCreateProgram):
+        (WebCore::InspectorInstrumentation::willDeleteProgram):
+        (WebCore::InspectorInstrumentation::isShaderProgramDisabled):
+        (WebCore::InspectorInstrumentation::consoleStartRecordingCanvas):
+        (WebCore::InspectorInstrumentation::didCreateCSSCanvas): Deleted.
+        * inspector/InspectorInstrumentation.cpp:
+        (WebCore::InspectorInstrumentation::consoleStartRecordingCanvasImpl):
+        (WebCore::InspectorInstrumentation::didChangeCSSCanvasClientNodesImpl):
+        (WebCore::InspectorInstrumentation::didCreateCanvasRenderingContextImpl):
+        (WebCore::InspectorInstrumentation::didChangeCanvasMemoryImpl):
+        (WebCore::InspectorInstrumentation::didFinishRecordingCanvasFrameImpl):
+        (WebCore::InspectorInstrumentation::didEnableExtensionImpl):
+        (WebCore::InspectorInstrumentation::didCreateProgramImpl):
+        (WebCore::InspectorInstrumentation::didCreateCSSCanvasImpl): Deleted.
+
+        * inspector/agents/InspectorCanvasAgent.h:
+        * inspector/agents/InspectorCanvasAgent.cpp:
+        (WebCore::InspectorCanvasAgent::enable):
+        (WebCore::InspectorCanvasAgent::requestNode):
+        (WebCore::InspectorCanvasAgent::requestContent):
+        (WebCore::InspectorCanvasAgent::requestCSSCanvasClientNodes):
+        (WebCore::contextAsScriptValue):
+        (WebCore::InspectorCanvasAgent::resolveCanvasContext):
+        (WebCore::InspectorCanvasAgent::startRecording):
+        (WebCore::InspectorCanvasAgent::stopRecording):
+        (WebCore::InspectorCanvasAgent::updateShader):
+        (WebCore::InspectorCanvasAgent::frameNavigated):
+        (WebCore::InspectorCanvasAgent::didChangeCSSCanvasClientNodes):
+        (WebCore::InspectorCanvasAgent::didCreateCanvasRenderingContext):
+        (WebCore::InspectorCanvasAgent::didChangeCanvasMemory):
+        (WebCore::InspectorCanvasAgent::recordCanvasAction):
+        (WebCore::InspectorCanvasAgent::canvasDestroyed):
+        (WebCore::InspectorCanvasAgent::didFinishRecordingCanvasFrame):
+        (WebCore::InspectorCanvasAgent::consoleStartRecordingCanvas):
+        (WebCore::InspectorCanvasAgent::didEnableExtension):
+        (WebCore::InspectorCanvasAgent::didCreateProgram):
+        (WebCore::InspectorCanvasAgent::canvasRecordingTimerFired):
+        (WebCore::InspectorCanvasAgent::clearCanvasData):
+        (WebCore::InspectorCanvasAgent::unbindCanvas):
+        (WebCore::InspectorCanvasAgent::findInspectorCanvas):
+        (WebCore::InspectorCanvasAgent::unbindProgram):
+        (WebCore::InspectorCanvasAgent::didCreateCSSCanvas): Deleted.
+
+        * inspector/InspectorCanvas.h:
+        * inspector/InspectorCanvas.cpp:
+        (WebCore::InspectorCanvas::create):
+        (WebCore::InspectorCanvas::InspectorCanvas):
+        (WebCore::InspectorCanvas::canvasElement):
+        (WebCore::InspectorCanvas::resetRecordingData):
+        (WebCore::InspectorCanvas::recordAction):
+        (WebCore::InspectorCanvas::buildObjectForCanvas):
+        (WebCore::InspectorCanvas::getCanvasContentAsDataURL):
+        (WebCore::InspectorCanvas::buildInitialState):
+        (WebCore::InspectorCanvas::~InspectorCanvas): Deleted.
+
+        * inspector/InspectorShaderProgram.h:
+        * inspector/InspectorShaderProgram.cpp:
+        (WebCore::InspectorShaderProgram::context const):
+
+        * page/PageConsoleClient.cpp:
+        (WebCore::PageConsoleClient::record):
+        (WebCore::PageConsoleClient::recordEnd):
+
+        * dom/Document.h:
+        * dom/Document.cpp:
+        (WebCore::Document::getCSSCanvasElement):
+        (WebCore::Document::nameForCSSCanvasElement const):
+        We have no reason to save the CSS canvas name for each InspectorCanvas object, so instead we
+        can just query for the name based on the CanvasRenderingContext's HTMLCanvasElement (assuming
+        it is not an OffscreenCanvas) when we need it.
+
+2018-01-04  Chris Fleizach  <cfleizach@apple.com>
+
+        AX: Implement updated CSS3 Speech for 'speak' and 'speak-as' properties
+        https://bugs.webkit.org/show_bug.cgi?id=180361
+
+        Reviewed by Zalan Bujtas.
+
+        Change speak -> speakAs, and allow a combination of properties.
+
+        Tests: Updated accessibility/mac/css-speech-speak.html
+
+        * accessibility/AccessibilityObject.h:
+        (WebCore::AccessibilityObject::speakAsProperty const):
+        (WebCore::AccessibilityObject::speakProperty const): Deleted.
+        * accessibility/AccessibilityRenderObject.cpp:
+        (WebCore::AccessibilityRenderObject::speakAsProperty const):
+        (WebCore::AccessibilityRenderObject::speakProperty const): Deleted.
+        * accessibility/AccessibilityRenderObject.h:
+        * accessibility/ios/WebAccessibilityObjectWrapperIOS.mm:
+        (-[WebAccessibilityObjectWrapper accessibilitySpeechHint]):
+        * accessibility/mac/WebAccessibilityObjectWrapperBase.h:
+        * accessibility/mac/WebAccessibilityObjectWrapperBase.mm:
+        (-[WebAccessibilityObjectWrapperBase baseAccessibilitySpeechHint]):
+        * accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
+        (-[WebAccessibilityObjectWrapper accessibilityAttributeValue:]):
+        * css/CSSComputedStyleDeclaration.cpp:
+        (WebCore::speakAsToCSSValue):
+        (WebCore::ComputedStyleExtractor::propertyValue):
+        * css/CSSPrimitiveValueMappings.h:
+        (WebCore::CSSPrimitiveValue::CSSPrimitiveValue):
+        (WebCore::CSSPrimitiveValue::operator ESpeakAs const):
+        (WebCore::CSSPrimitiveValue::operator ESpeak const): Deleted.
+        * css/CSSProperties.json:
+        * css/StyleBuilderConverter.h:
+        (WebCore::StyleBuilderConverter::convertSpeakAs):
+        * css/parser/CSSParserFastPaths.cpp:
+        (WebCore::CSSParserFastPaths::isValidKeywordPropertyAndValue):
+        (WebCore::CSSParserFastPaths::isKeywordPropertyID):
+        * css/parser/CSSPropertyParser.cpp:
+        (WebCore::consumeSpeakAs):
+        (WebCore::CSSPropertyParser::parseSingleValue):
+        * rendering/style/RenderStyle.h:
+        (WebCore::RenderStyle::speakAs const):
+        (WebCore::RenderStyle::setSpeakAs):
+        (WebCore::RenderStyle::initialSpeakAs):
+        (WebCore::RenderStyle::speak const): Deleted.
+        (WebCore::RenderStyle::setSpeak): Deleted.
+        (WebCore::RenderStyle::initialSpeak): Deleted.
+        * rendering/style/RenderStyleConstants.h:
+        (WebCore::operator| ):
+        (WebCore::operator|= ):
+        * rendering/style/StyleRareInheritedData.cpp:
+        (WebCore::StyleRareInheritedData::StyleRareInheritedData):
+        (WebCore::StyleRareInheritedData::operator== const):
+        * rendering/style/StyleRareInheritedData.h:
+
+2018-01-04  Brian Burg  <bburg@apple.com>
+
+        Web Inspector: Capture Element Screenshot looks fuzzy
+        https://bugs.webkit.org/show_bug.cgi?id=175734
+        <rdar://problem/33803377>
+
+        Reviewed by Joseph Pecoraro and Simon Fraser.
+
+        Screenshots taken by Web Inspector were being downscaled from the
+        internal size to the logical size, causing them to be blurry when
+        later upscaled to the internal size.
+
+        Replace ScaleBehavior { Scaled, Unscaled } with PreserveResolution { No, Yes }.
+        This is a lot less confusing to read both inside ImageBuffer and at its use sites.
+
+        Remove unused CoordinateSystem argument for ImageBuffer::toDataURL,
+        and replace it with PreserveResolution. Plumb PreserveResolution into toCFData
+        so that PreserveResolution::Yes will preserve the internal size of
+        the image buffer, just as it does in other methods that take PreserveResolution.
+
+        At the use site in InspectorPageAgent, always request PreserveResolution::Yes snapshots
+        when taking an element screenshot. For now, keep using downscaled (smaller)
+        snapshots when capturing canvas previews, as the previews are not full-size.
+
+        Test: inspector/page/hidpi-snapshot-size.html
+
+        * html/HTMLCanvasElement.cpp:
+        (WebCore::HTMLCanvasElement::makePresentationCopy):
+        (WebCore::HTMLCanvasElement::copiedImage const):
+        * html/canvas/CanvasRenderingContext2DBase.cpp:
+        (WebCore::CanvasRenderingContext2DBase::createPattern):
+        * inspector/agents/InspectorPageAgent.cpp:
+        (WebCore::InspectorPageAgent::snapshotNode):
+        (WebCore::InspectorPageAgent::snapshotRect):
+        * page/TextIndicator.cpp:
+        (WebCore::takeSnapshot):
+        * platform/DragImage.cpp:
+        (WebCore::createDragImageFromSnapshot):
+        * platform/graphics/BitmapImage.cpp:
+        (WebCore::BitmapImage::drawPattern):
+        * platform/graphics/ImageBuffer.h:
+        * platform/graphics/cairo/ImageBufferCairo.cpp:
+        (WebCore::ImageBuffer::sinkIntoImage):
+        (WebCore::ImageBuffer::copyImage const):
+        (WebCore::ImageBuffer::toDataURL const):
+        * platform/graphics/cg/ImageBufferCG.cpp:
+        (WebCore::createBitmapImageAfterScalingIfNeeded):
+        (WebCore::ImageBuffer::copyImage const):
+        (WebCore::ImageBuffer::sinkIntoImage):
+        (WebCore::ImageBuffer::toDataURL const):
+        (WebCore::ImageBuffer::toData const):
+        (WebCore::ImageBuffer::toCFData const):
+        * platform/graphics/gtk/ImageBufferGtk.cpp:
+        (WebCore::ImageBuffer::toDataURL const):
+        * platform/graphics/win/ImageBufferDirect2D.cpp:
+        (WebCore::ImageBuffer::copyImage const):
+        (WebCore::ImageBuffer::sinkIntoImage):
+        (WebCore::ImageBuffer::toDataURL const):
+        * svg/graphics/SVGImage.cpp:
+        (WebCore::SVGImage::drawPatternForContainer):
+
+2018-01-04  John Wilander  <wilander@apple.com>
+
+        Storage Access API: Turn feature on by default in Settings.yaml
+        https://bugs.webkit.org/show_bug.cgi?id=181298
+        <rdar://problem/36302506>
+
+        Reviewed by Brent Fulgham.
+
+        No new tests. This is just a feature settings change.
+
+        * page/Settings.yaml:
+
+2018-01-04  Zalan Bujtas  <zalan@apple.com>
+
+        WebContent process crashes while loading https://www.classicspecs.com
+        https://bugs.webkit.org/show_bug.cgi?id=181290
+        <rdar://problem/36225906>
+
+        Reviewed by Simon Fraser.
+
+        Floats can overhang multiple blocks (they are called intruding floats).
+        Each block keeps track of such intruding floats. When an overhanging float box is destroyed,
+        we need to deregister it from all those blocks. We do it by walking up the ancestor block chain
+        and check if the parent (grandparent etc) block still contains this float. Once we find the topmost block, 
+        we start deregistering it by traversing back on the descendant blocks.
+        Normally we do it in RenderElement::takeChildInternal right before the box is getting detached.
+        However in certain cases (like when the float's parent happens to be an anonymous wrapper)
+        by the time we get to ::takeChildInternal the subtree is already detached and we can't access all the
+        ancestors.
+        This patch ensure that the floating box is still attached during de-registration. 
+
+        Test: fast/block/float/crash-when-intruding-float-has-anonymous-parent-and-detach.html
+
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers):
+
+2018-01-04  Eric Carlson  <eric.carlson@apple.com>
+
+        [MediaStream] Add Mock screen capture source
+        https://bugs.webkit.org/show_bug.cgi?id=181291
+        <rdar://problem/36298164>
+
+        Reviewed by Dean Jackson.
+
+        Tests:  http/tests/media/media-stream/get-display-media-prompt.html
+                GetDisplayMediaTest.BasicPrompt
+                GetDisplayMediaTest.Constraints
+
+        * Modules/mediastream/MediaDevices.cpp:
+        (WebCore::MediaDevices::MediaDevices): Add static_assert to ensure MediaDevices::DisplayCaptureSurfaceType
+        and RealtimeMediaSourceSettings::DisplaySurfaceType values are equivalent.
+        (WebCore::MediaDevices::getSupportedConstraints): Remove bogus code.
+        * Modules/mediastream/MediaDevices.h: Add DisplayCaptureSurfaceType.
+        * Modules/mediastream/MediaDevices.idl: Ditto.
+
+        * Modules/mediastream/MediaStreamTrack.cpp:
+        (WebCore::MediaStreamTrack::getSettings const): Add a FIXME.
+        * Modules/mediastream/MediaStreamTrack.h: Add displaySurface and logicalSurface.
+
+        * Modules/mediastream/MediaTrackSupportedConstraints.h: Remove displaySurface and logicalSurface.
+        * Modules/mediastream/MediaTrackSupportedConstraints.idl:
+
+        * SourcesCocoa.txt: Add DisplayCaptureManagerCocoa.cpp and DisplayCaptureSourceCocoa.cpp.
+
+        * WebCore.xcodeproj/project.pbxproj: Ditto.
+
+        * platform/mediastream/CaptureDevice.h:
+        (WebCore::CaptureDevice::encode const): Add.
+        (WebCore::CaptureDevice::decode):
+
+        * platform/mediastream/RealtimeMediaSourceCenter.cpp:
+        (WebCore::RealtimeMediaSourceCenter::getMediaStreamDevices): Include display capture "devices".
+        (WebCore::RealtimeMediaSourceCenter::validateRequestConstraints): Deal with display capture devices.
+        (WebCore::RealtimeMediaSourceCenter::captureDeviceWithPersistentID): Ditto.
+        * platform/mediastream/RealtimeMediaSourceCenter.h:
+
+        * platform/mediastream/RealtimeMediaSourceSettings.h:
+        (WebCore::RealtimeMediaSourceSettings::displaySurface const): Return a DisplaySurfaceType.
+        (WebCore::RealtimeMediaSourceSettings::setDisplaySurface): Take a DisplaySurfaceType.
+
+        * platform/mediastream/mac/DisplayCaptureManagerCocoa.cpp:
+        (WebCore::DisplayCaptureManagerCocoa::singleton):
+        (WebCore::DisplayCaptureManagerCocoa::~DisplayCaptureManagerCocoa):
+        (WebCore::DisplayCaptureManagerCocoa::captureDevices):
+        (WebCore::DisplayCaptureManagerCocoa::screenCaptureDeviceWithPersistentID):
+        (WebCore::DisplayCaptureManagerCocoa::captureDeviceWithPersistentID):
+        * platform/mediastream/mac/DisplayCaptureManagerCocoa.h:
+
+        * platform/mediastream/mac/DisplayCaptureSourceCocoa.cpp: Added.
+        (WebCore::DisplayCaptureSourceCocoa::DisplayCaptureSourceCocoa):
+        (WebCore::DisplayCaptureSourceCocoa::~DisplayCaptureSourceCocoa):
+        (WebCore::DisplayCaptureSourceCocoa::capabilities const):
+        (WebCore::DisplayCaptureSourceCocoa::settings const):
+        (WebCore::DisplayCaptureSourceCocoa::settingsDidChange):
+        (WebCore::DisplayCaptureSourceCocoa::startProducingData):
+        (WebCore::DisplayCaptureSourceCocoa::stopProducingData):
+        (WebCore::DisplayCaptureSourceCocoa::elapsedTime):
+        (WebCore::DisplayCaptureSourceCocoa::applyFrameRate):
+        (WebCore::DisplayCaptureSourceCocoa::emitFrame):
+        * platform/mediastream/mac/DisplayCaptureSourceCocoa.h:
+
+        * platform/mediastream/mac/RealtimeMediaSourceCenterMac.cpp:
+        (WebCore::RealtimeMediaSourceCenterMac::displayCaptureDeviceManager): New.
+        * platform/mediastream/mac/RealtimeMediaSourceCenterMac.h:
+
+        * platform/mock/MockRealtimeMediaSource.cpp:
+        (WebCore::deviceMap): Add screen capture "devices".
+        (WebCore::MockRealtimeMediaSource::displayDevices): New.
+        * platform/mock/MockRealtimeMediaSource.h:
+
+        * platform/mock/MockRealtimeMediaSourceCenter.cpp: Clean up includes.
+        * platform/mock/MockRealtimeMediaSourceCenter.h:
+
+        * platform/mock/MockRealtimeVideoSource.cpp:
+        (WebCore::MockRealtimeVideoSource::MockRealtimeVideoSource): Mock two screen devices.
+        (WebCore::MockRealtimeVideoSource::updateSettings): Deal with mock screens.
+        (WebCore::MockRealtimeVideoSource::initializeCapabilities): Ditto.
+        (WebCore::MockRealtimeVideoSource::initializeSupportedConstraints): Ditto.
+        (WebCore::MockRealtimeVideoSource::drawText): Ditto.
+        (WebCore::MockRealtimeVideoSource::generateFrame): Ditto.
+        * platform/mock/MockRealtimeVideoSource.h:
+        (WebCore::MockRealtimeVideoSource::mockCamera const):
+        (WebCore::MockRealtimeVideoSource::mockScreen const):
+
+2018-01-04  Youenn Fablet  <youenn@apple.com>
+
+        FetchResponse should set its internal response text encoding name
+        https://bugs.webkit.org/show_bug.cgi?id=181284
+
+        Reviewed by Alex Christensen.
+
+        Covered by rebased test.
+
+        * Modules/fetch/FetchResponse.cpp:
+        (WebCore::FetchResponse::create): Set response text encoding based on content type charset.
+
+2018-01-04  John Wilander  <wilander@apple.com>
+
+        Storage Access API: Remove JavaScript confirm() prompt from Document::requestStorageAccess()
+        https://bugs.webkit.org/show_bug.cgi?id=181276
+        <rdar://problem/36290463>
+
+        Reviewed by Alex Christensen.
+
+        No new tests. Existing test expectations updated.
+
+        * dom/Document.cpp:
+        (WebCore::Document::requestStorageAccess):
+
+2018-01-04  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [GTK] Issues with Ahem's ex / x-height
+        https://bugs.webkit.org/show_bug.cgi?id=180581
+
+        Reviewed by Michael Catanzaro.
+
+        Get the x-height value from the TT_OS2 table if available.
+
+        Fixes: fast/text/break-word-pre-wrap.html
+               imported/w3c/web-platform-tests/css/css-shapes-1/shape-outside/values/shape-outside-shape-arguments-000.html
+
+        * platform/graphics/freetype/SimpleFontDataFreeType.cpp:
+        (WebCore::Font::platformInit):
+
+2018-01-04  Philippe Normand  <pnormand@igalia.com>
+
+        Unreviewed, GTK build fix attempt after r226357
+
+        * platform/graphics/gstreamer/GStreamerUtilities.h: The
+        GST_BUFFER_DTS_OR_PTS macro was added in GStreamer 1.8 but old
+        versions of Debian might not have this release yet.
+
+2018-01-04  Youenn Fablet  <youenn@apple.com>
+
+        Implement Cache API partitioning based on ClientOrigin
+        https://bugs.webkit.org/show_bug.cgi?id=181240
+
+        Reviewed by Alex Christensen.
+
+        Covered by updated tests.
+
+        Previously, cache storage was partitioned according the origin of the client, represented as a String.
+        We now partition according both client and top origins, represented as a ClientOrigin
+
+        Minor refactoring to use more makePendingActivity.
+        Added support for IPC serialization of ClientOrigin.
+        Added SecurityOriginData::toString which is used by WebKit2 Cache Storage implementation.
+
+        * Modules/cache/CacheStorageConnection.cpp:
+        (WebCore::CacheStorageConnection::open):
+        (WebCore::CacheStorageConnection::retrieveCaches):
+        * Modules/cache/CacheStorageConnection.h:
+        (WebCore::CacheStorageConnection::clearMemoryRepresentation):
+        (WebCore::CacheStorageConnection::doOpen):
+        (WebCore::CacheStorageConnection::doRetrieveCaches):
+        * Modules/cache/DOMCacheStorage.cpp:
+        (WebCore::DOMCacheStorage::origin const):
+        (WebCore::DOMCacheStorage::retrieveCaches):
+        (WebCore::DOMCacheStorage::open):
+        (WebCore::DOMCacheStorage::remove):
+        * Modules/cache/DOMCacheStorage.h:
+        * Modules/cache/WorkerCacheStorageConnection.cpp:
+        (WebCore::WorkerCacheStorageConnection::doOpen):
+        (WebCore::WorkerCacheStorageConnection::doRetrieveCaches):
+        * Modules/cache/WorkerCacheStorageConnection.h:
+        * page/ClientOrigin.h:
+        (WebCore::ClientOrigin::isolatedCopy const):
+        (WebCore::ClientOrigin::encode const):
+        (WebCore::ClientOrigin::decode):
+        * page/SecurityOriginData.cpp:
+        (WebCore::SecurityOriginData::toString const):
+        (WebCore::SecurityOriginData::debugString const): Deleted.
+        * page/SecurityOriginData.h:
+        (WebCore::SecurityOriginData::debugString const):
+        * testing/Internals.cpp:
+        (WebCore::Internals::clearCacheStorageMemoryRepresentation):
+
+2018-01-04  Youenn Fablet  <youenn@apple.com>
+
+        Service Worker should expose redirect mode for navigation loads as manual
+        https://bugs.webkit.org/show_bug.cgi?id=181067
+
+        Reviewed by Alex Christensen.
+
+        Covered by rebased tests.
+
+        * loader/CrossOriginAccessControl.cpp: Removing ContentType header only if affecting CORS checks.
+        This allows extending header filtering in service worker to all modes, including Navigate.
+        * workers/service/context/ServiceWorkerFetch.cpp:
+        (WebCore::ServiceWorkerFetch::dispatchFetchEvent): Ideally, document loading code should set redirect to manual.
+        Since it is not the case yet and that would require changes to various places, manual is set before exposing the corresponding fetch event.
+
+2018-01-04  Youenn Fablet  <youenn@apple.com>
+
+        ServiceWorkerThreadProxy::postTaskForModeToWorkerGlobalScope should be a no-op if worker is being terminated
+        https://bugs.webkit.org/show_bug.cgi?id=181245
+
+        Reviewed by Alex Christensen.
+
+        Stop appending tasks to a terminating worker and returning false in that case.
+        This mirrors what is done for regular workers.
+
+        * workers/service/context/SWContextManager.cpp:
+        (WebCore::SWContextManager::terminateWorker):
+        * workers/service/context/ServiceWorkerThreadProxy.cpp:
+        (WebCore::ServiceWorkerThreadProxy::postTaskForModeToWorkerGlobalScope):
+        * workers/service/context/ServiceWorkerThreadProxy.h:
+
+2018-01-04  Youenn Fablet  <youenn@apple.com>
+
+        Cancel pending script loads when service worker is being terminated
+        https://bugs.webkit.org/show_bug.cgi?id=181250
+
+        Reviewed by Alex Christensen.
+
+        Covered by service worker tests no longer crashing in ASAN builds.
+
+        * workers/WorkerScriptLoader.cpp:
+        (WebCore::WorkerScriptLoader::notifyFinished): Clearing loader when finished.
+        (WebCore::WorkerScriptLoader::cancel): Implementing cancel of a script loader by cancelling the underlying threadable loader.
+        * workers/WorkerScriptLoader.h:
+        * workers/service/ServiceWorkerContainer.cpp: Canceling loads of all pending jobs.
+        (WebCore::ServiceWorkerContainer::stop):
+        * workers/service/ServiceWorkerJob.cpp:
+        (WebCore::ServiceWorkerJob::cancelPendingLoad):
+        * workers/service/ServiceWorkerJob.h:
+
+2018-01-04  Youenn Fablet  <youenn@apple.com>
+
+        Implement  https://fetch.spec.whatwg.org/#main-fetch default referrer policy setting
+        https://bugs.webkit.org/show_bug.cgi?id=181239
+
+        Reviewed by Alex Christensen.
+
+        Covered by updated and rebased test.
+
+        Setting the request referrer policy to the Document referrer policy if no one is set.
+        If Document has no referrer policy, use no-referrer-when-downgrade as per the spec.
+
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::updateHTTPRequestHeaders):
+        (WebCore::CachedResourceLoader::requestResource):
+        * loader/cache/CachedResourceLoader.h:
+        * loader/cache/CachedResourceRequest.cpp:
+        (WebCore::CachedResourceRequest::updateReferrerPolicy):
+        (WebCore::CachedResourceRequest::updateReferrerOriginAndUserAgentHeaders):
+        * loader/cache/CachedResourceRequest.h:
+
+2018-01-03  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        [Attachment Support] Create attachment elements when dropping files on iOS
+        https://bugs.webkit.org/show_bug.cgi?id=181192
+        <rdar://problem/36280945>
+
+        Reviewed by Tim Horton.
+
+        Implements support for dropping data as attachment elements on iOS. See comments below for more detail.
+
+        Tests:  WKAttachmentTests.InsertDroppedRichAndPlainTextFilesAsAttachments
+                WKAttachmentTests.InsertDroppedZipArchiveAsAttachment
+                WKAttachmentTests.InsertDroppedItemProvidersInOrder
+
+        * WebCore.xcodeproj/project.pbxproj:
+        * editing/WebContentReader.cpp:
+        (WebCore::WebContentReader::ensureFragment):
+
+        Add a new helper to create the WebContentReader's fragment, if it hasn't already been created.
+
+        * editing/WebContentReader.h:
+        * editing/cocoa/WebContentReaderCocoa.mm:
+        (WebCore::WebContentReader::readFilePaths):
+
+        Rename readFilenames to readFilePaths (which better reflects its parameters, which are file paths). Also, move
+        the implementation of readFilePaths to shared iOS/macOS code in WebContentReaderCocoa, and remove the stub
+        implementation on iOS.
+
+        There's a bit of code here that I kept macOS-only which deals with inserting file paths as plain text in
+        editable areas, but it's unclear to me why and if WebKit clients currently find this useful, so I left a FIXME
+        to investigate removing this altogether. Code for handling this plain text insertion of file paths on Mac was
+        introduced in r67403.
+
+        * editing/ios/WebContentReaderIOS.mm:
+        (WebCore::WebContentReader::readFilenames): Deleted.
+        * editing/mac/WebContentReaderMac.mm:
+        (WebCore::WebContentReader::readFilenames): Deleted.
+        * page/mac/DragControllerMac.mm:
+        (WebCore::DragController::updateSupportedTypeIdentifiersForDragHandlingMethod const):
+
+        Teach DragController to accept all types conforming to "public.item" and "public.content" on iOS, only when
+        attachment elements are enabled. This allows us to load content from item providers that we otherwise would not
+        have loaded, since we now have the ability to fall back to attachment element insertion if the type is not have
+        a default representation using standard web content.
+
+        * platform/Pasteboard.h:
+        * platform/PasteboardItemInfo.h: Added.
+        (WebCore::PasteboardItemInfo::encode const):
+        (WebCore::PasteboardItemInfo::decode):
+
+        Add PasteboardItemInfo, a struct that describes an item on the pasteboard. Also, implement encoding and decoding
+        support for PasteboardItemInfo. So far, the item info only describes file information about the pasteboard item,
+        and flags indicating whether the item prefers attachment or inline presentation.
+
+        * platform/PasteboardStrategy.h:
+
+        Replace getFilenamesForDataInteraction with informationForItemAtIndex. Instead of returning all of the file
+        paths associated with any item on the pasteboard, fetch a PasteboardItemInfo at a given item index, which
+        includes information about the file path as well as some other metadata we'll need when deciding how to read
+        pasteboard contents as a document fragment.
+
+        * platform/PlatformPasteboard.h:
+        * platform/cocoa/PasteboardCocoa.mm:
+        (WebCore::Pasteboard::read):
+        * platform/ios/AbstractPasteboard.h:
+        * platform/ios/PasteboardIOS.mm:
+        (WebCore::Pasteboard::read):
+        (WebCore::Pasteboard::readRespectingUTIFidelities):
+
+        Teach the iOS Pasteboard to read web content using attachment elements, if enabled. There are two scenarios in
+        which we would want to insert an attachment element:
+        (1) The item provider uses a preferred presentation style of attachment, in which case we bail out of trying to
+            handle the drop using the default mechanisms, and simply insert it as an attachment. We need this to deal
+            with the case where we drop text or HTML files from the Files app, so that we don't try and insert the
+            contents of the text or HTML as inline web content.
+        (2) The item provider doesn't have a preferred attachment presentation style, but there's nothing WebKit would
+            otherwise do with the dropped content, so insert an attachment element as a fallback. Examples where this is
+            relevant are dropping a PDF or ZIP archive without attachment presentation style explicitly set.
+        We first check if we fall into case (1). If so, we can bail early by inserting an attachment; otherwise, we
+        proceed normally and see if we can read the contents of the drop as web content. If, at the end of default drop
+        handling, we don't still have a way to represent the dropped content, enter case (2).
+
+        (WebCore::Pasteboard::readFilePaths):
+        (WebCore::Pasteboard::readFilenames): Deleted.
+
+        Rename readFilenames to readFilePaths, and reimplement it using informationForItemAtIndex.
+
+        * platform/ios/PlatformPasteboardIOS.mm:
+        (WebCore::pasteboardItemPresentationStyle):
+        (WebCore::PlatformPasteboard::informationForItemAtIndex):
+        (WebCore::PlatformPasteboard::filenamesForDataInteraction): Deleted.
+
+        Implement informationForItemAtIndex and remove filenamesForDataInteraction. As before, we ask the pasteboard
+        (i.e. WebItemProviderPasteboard) for information about dropped file URLs. This time, we limit this to a single
+        file, so we don't end up creating multiple attachment elements for each representation of a single item
+        provider. See below for -preferredFileUploadURLAtIndex:fileType: for more detail.
+
+        * platform/ios/WebItemProviderPasteboard.h:
+        * platform/ios/WebItemProviderPasteboard.mm:
+        (-[WebItemProviderLoadResult initWithItemProvider:typesToLoad:]):
+        (-[WebItemProviderLoadResult canBeRepresentedAsFileUpload]):
+
+        Remove this synthesized instance variable and instead just check the item provider's preferredPresentationStyle.
+
+        (-[WebItemProviderLoadResult description]):
+
+        Add a verbose -description to the load result object. Useful for debugging what was content was loaded from an
+        item provider on drop.
+
+        (-[WebItemProviderPasteboard preferredFileUploadURLAtIndex:fileType:]):
+
+        Return the highest fidelity loaded type identifier for a given item.
+
+        (-[WebItemProviderPasteboard allDroppedFileURLs]):
+        (-[WebItemProviderPasteboard typeIdentifiersToLoadForRegisteredTypeIdentfiers:]):
+
+        Prefer flat RTFD to RTFD. In the case where attachments are enabled and we're accepting all types of content
+        using attachment elements as a fallback representation, if the source writes attributed strings to the
+        pasteboard with com.apple.rtfd at a higher fidelity than com.apple.flat-rtfd, we'll end up loading only
+        com.apple.rtfd and dropping the text as an attachment element because we cannot convert the dropped content to
+        markup. Instead, if flat RTFD is present in the item provider, always prefer that over RTFD so that dropping as
+        regular web content isn't overridden when attachment elements are enabled.
+
+        (-[WebItemProviderPasteboard doAfterLoadingProvidedContentIntoFileURLs:synchronousTimeout:]):
+        (-[WebItemProviderPasteboard droppedFileURLs]): Deleted.
+        * platform/mac/DragDataMac.mm:
+        (WebCore::DragData::containsCompatibleContent const):
+
+        DragData::containsCompatibleContent should be true when attachment elements are enabled, and there are files we
+        can drop as attachment elements.
+
+        * platform/mac/PasteboardMac.mm:
+        (WebCore::Pasteboard::read):
+        (WebCore::Pasteboard::readFilePaths):
+        (WebCore::Pasteboard::readFilenames): Deleted.
+
+2018-01-03  Ting-Wei Lan  <lantw44@gmail.com>
+
+        Replace hard-coded paths in shebangs with #!/usr/bin/env
+        https://bugs.webkit.org/show_bug.cgi?id=181040
+
+        Reviewed by Alex Christensen.
+
+        * bindings/scripts/InFilesCompiler.pm:
+        * bindings/scripts/InFilesParser.pm:
+        * bindings/scripts/generate-bindings-all.pl:
+        * bindings/scripts/generate-bindings.pl:
+        * bindings/scripts/preprocess-idls.pl:
+        * css/make-css-file-arrays.pl:
+        * css/makeprop.pl:
+        * css/makevalues.pl:
+        * dom/make_event_factory.pl:
+        * dom/make_names.pl:
+        * extract-localizable-strings.pl:
+        * make-hash-tools.pl:
+
+2018-01-03  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        [Attachment Support] Add plumbing for starting a drag with promised blob data
+        https://bugs.webkit.org/show_bug.cgi?id=181201
+
+        Reviewed by Tim Horton.
+
+        Adds logic to allow dragging an attachment element as a file by sending promised blob information to the UI
+        process. See comments below for more detail.
+
+        The only change in behavior is that dragging an attachment element will no longer write web content and injected
+        bundle data to the pasteboard if the attachment element's file attribute is nonnull. This will cause one
+        existing WK1 layout test to fail, but will otherwise not affect any attachment editing clients. On iOS,
+        attachment elements in the Mail viewer can be dragged, but each attachment's file is null, so we fall back to
+        current behavior; on macOS, Mail currently overrides the drag completely, beginning at -mouseDown:, so this
+        doesn't make a difference to macOS Mail either.
+
+        * editing/Editor.h:
+        * editing/cocoa/EditorCocoa.mm:
+        (WebCore::Editor::getPasteboardTypesAndDataForAttachment):
+
+        Add a helper method to retrieve an attachment element as web archive data, for moving attachments within the
+        same document. Also gives the injected editor bundle a chance to supply custom pasteboard types.
+
+        * loader/EmptyClients.cpp:
+        * page/DragClient.h:
+        (WebCore::DragClient::prepareToDragPromisedBlob):
+
+        Add new DragClient methods to send information about a promised blob to the UI process.
+
+        * page/DragController.cpp:
+        (WebCore::DragController::startDrag):
+
+        Call dragAttachmentElement when starting a drag on an attachment element.
+
+        (WebCore::DragController::dragAttachmentElement):
+
+        Try to begin dragging a given attachment element, propagating promised blob information to the client layers.
+        Returns true iff the attachment is backed by blob data (i.e. the file is nonnull).
+
+        * platform/PromisedBlobInfo.h:
+
+        Add a list of additional types and data to PromisedBlobInfo. In addition to the promised blob info, this would
+        allow injected bundle data and other private types alongside the main attachment data on the pasteboard.
+
+2018-01-03  Simon Fraser  <simon.fraser@apple.com>
+
+        Remove the 'resolutionScale' parameter from ImageBufferDataCG get/putBytes
+        https://bugs.webkit.org/show_bug.cgi?id=181268
+
+        Reviewed by Alex Christensen.
+
+        These functions were always called with resolutionScale=1.
+
+        * platform/graphics/cg/ImageBufferCG.cpp:
+        (WebCore::ImageBuffer::getUnmultipliedImageData const):
+        (WebCore::ImageBuffer::getPremultipliedImageData const):
+        (WebCore::ImageBuffer::putByteArray):
+        * platform/graphics/cg/ImageBufferDataCG.cpp:
+        (WebCore::ImageBufferData::getData const):
+        (WebCore::ImageBufferData::putData):
+        (WebCore::affineWarpBufferData): Deleted.
+        * platform/graphics/cg/ImageBufferDataCG.h:
+
+2018-01-03  John Wilander  <wilander@apple.com>
+
+        Storage Access API: Refactor XPC for access removal to go straight from the web process to the network process
+        https://bugs.webkit.org/show_bug.cgi?id=181270
+        <rdar://problem/36289544>
+
+        Reviewed by Alex Christensen.
+
+        No new tests. Existing test re-enabled.
+
+        This change refactors how the web process tells the network process
+        to remove storage access. Previously, this was done over the UI process
+        just like requests for storage access. But since no further reasoning
+        is needed, the message should go straight from the web process to the
+        network process for performance reasons and to minimize the risk of a
+        race.
+
+        As a consequence, the XPC code for storage access removal in the UI
+        process is deleted.
+
+        * platform/network/cf/NetworkStorageSessionCFNet.cpp:
+        (WebCore::NetworkStorageSession::cookieStoragePartition const):
+            Removes the storageAccessAPIEnabled check since the flag
+            doesn't get propagated when the network process is created.
+            Figuring this out will take some work which is unnecessary
+            when we already gate access to the feature in Document.idl.
+
+2018-01-03  James Craig  <jcraig@apple.com>
+
+        AX: when invert colors is on, double-invert certain media elements in UserAgentStyleSheet
+        https://bugs.webkit.org/show_bug.cgi?id=168447
+        <rdar://problem/30559874>
+
+        Reviewed by Simon Fraser.
+
+        Double-invert video when platform 'invert colors' setting is enabled. Behavior matches 
+        current 'Smart Invert' feature of Safari Reader on macOS/iOS and other iOS native apps.
+
+        Tests: accessibility/smart-invert-reference.html
+               accessibility/smart-invert.html
+
+        * Modules/modern-media-controls/controls/media-controls.css:
+        (@media (inverted-colors)):
+        (:host):
+        (picture):
+        * css/html.css:
+        (@media (inverted-colors)):
+        (video):
+
+2018-01-03  Youenn Fablet  <youenn@apple.com>
+
+        LayoutTest http/tests/media/media-stream/disconnected-frame.html to consistently fail an assertion: !m_adoptionIsRequired
+        https://bugs.webkit.org/show_bug.cgi?id=181264
+
+        Reviewed by Eric Carlson.
+
+        Covered by http/tests/media/media-stream/disconnected-frame.html not crashing anymore in Debug builds.
+        Calling suspendIfNeeded in create method instead of constructor.
+
+        * Modules/mediastream/UserMediaRequest.cpp:
+        (WebCore::UserMediaRequest::create):
+        (WebCore::UserMediaRequest::UserMediaRequest):
+
+2018-01-03  Antti Koivisto  <antti@apple.com>
+
+        Remove DeprecatedCSSOMValue::equals
+        https://bugs.webkit.org/show_bug.cgi?id=181241
+
+        Reviewed by Zalan Bujtas.
+
+        This is dead code.
+
+        * css/DeprecatedCSSOMValue.cpp:
+        (WebCore::compareCSSOMValues): Deleted.
+        (WebCore::DeprecatedCSSOMValue::equals const): Deleted.
+        * css/DeprecatedCSSOMValue.h:
+        (WebCore::DeprecatedCSSOMValue::operator== const): Deleted.
+        (WebCore::DeprecatedCSSOMComplexValue::equals const): Deleted.
+        * css/DeprecatedCSSOMValueList.cpp:
+        (WebCore::DeprecatedCSSOMValueList::equals const): Deleted.
+        * css/DeprecatedCSSOMValueList.h:
+
+2018-01-03  Simon Fraser  <simon.fraser@apple.com>
+
+        feLighting is broken with primitiveUnits="objectBoundingBox"
+        https://bugs.webkit.org/show_bug.cgi?id=181197
+
+        Reviewed by Tim Horton.
+
+        With <filter primitiveUnits="objectBoundingBox"> we need to convert the coordinates
+        of fePointLights and feSpotLights into user space coordinates. Following
+        https://www.w3.org/TR/SVG/filters.html#FilterElementPrimitiveUnitsAttribute
+        this is done by treating them as fractions of the bounding box on the referencing
+        element, with treatment for z following https://www.w3.org/TR/SVG/coords.html#Units_viewport_percentage
+        
+        To do this, store the bounds of the referencing elemenet on SVGFilterBuilder as
+        targetBoundingBox, and store the primitiveUnits type. Then do the conversion of lighting
+        coordinates in SVGFESpecularLightingElement::build() and SVGFEDiffuseLightingElement::build().
+
+        Remove SVGFELightElement::findLightSource(), since we need to be able to pass the SVGFilterBuilder
+        to the lightSource() function so hoist the code up.
+
+        Tests: svg/filters/feDiffuseLighting-fePointLight-primitiveUnits-objectBoundingBox-expected.svg
+               svg/filters/feDiffuseLighting-fePointLight-primitiveUnits-objectBoundingBox.svg
+               svg/filters/feDiffuseLighting-feSpotLight-primitiveUnits-objectBoundingBox-expected.svg
+               svg/filters/feDiffuseLighting-feSpotLight-primitiveUnits-objectBoundingBox.svg
+               svg/filters/feSpecularLighting-fePointLight-primitiveUnits-objectBoundingBox-expected.svg
+               svg/filters/feSpecularLighting-fePointLight-primitiveUnits-objectBoundingBox.svg
+
+        * rendering/svg/RenderSVGResourceFilter.cpp:
+        (WebCore::RenderSVGResourceFilter::buildPrimitives const):
+        * svg/SVGFEDiffuseLightingElement.cpp:
+        (WebCore::SVGFEDiffuseLightingElement::build):
+        * svg/SVGFEDistantLightElement.cpp:
+        (WebCore::SVGFEDistantLightElement::lightSource const):
+        * svg/SVGFEDistantLightElement.h:
+        * svg/SVGFELightElement.cpp:
+        (WebCore::SVGFELightElement::findLightSource): Deleted.
+        * svg/SVGFELightElement.h:
+        * svg/SVGFEPointLightElement.cpp:
+        (WebCore::SVGFEPointLightElement::lightSource const):
+        * svg/SVGFEPointLightElement.h:
+        * svg/SVGFESpecularLightingElement.cpp:
+        (WebCore::SVGFESpecularLightingElement::build):
+        * svg/SVGFESpotLightElement.cpp:
+        (WebCore::SVGFESpotLightElement::lightSource const):
+        * svg/SVGFESpotLightElement.h:
+        * svg/graphics/filters/SVGFilterBuilder.h:
+        (WebCore::SVGFilterBuilder::setTargetBoundingBox):
+        (WebCore::SVGFilterBuilder::targetBoundingBox const):
+        (WebCore::SVGFilterBuilder::primitiveUnits const):
+        (WebCore::SVGFilterBuilder::setPrimitiveUnits):
+
+2018-01-03  Antti Koivisto  <antti@apple.com>
+
+        Crash beneath CSSValue::equals @ csas.cz
+        https://bugs.webkit.org/show_bug.cgi?id=181243
+        <rdar://problem/35990826>
+
+        Reviewed by Alex Christensen.
+
+        Test: fast/text/oblique-degree-equals-crash.html
+
+        * css/CSSFontStyleValue.cpp:
+        (WebCore::CSSFontStyleValue::equals const):
+
+        Null check both oblique pointers.
+
+2018-01-03  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Web Inspector: Slow open time enumerating system fonts (FontCache::systemFontFamilies)
+        https://bugs.webkit.org/show_bug.cgi?id=180979
+        <rdar://problem/36146670>
+
+        Reviewed by Matt Baker.
+
+        * platform/graphics/cocoa/FontCacheCoreText.cpp:
+        (fontNameIsSystemFont):
+        (WebCore::FontCache::systemFontFamilies):
+        Switch to the original Mac algorithm before r180979 that uses
+        CTFontManagerCopyAvailableFontFamilyNames. Previously this wasn't
+        available on iOS but now it is. This is a performance improvement on
+        both platforms, but significantly so on macOS. It also finds more,
+        valid, family names.
+
+2018-01-03  Michael Catanzaro  <mcatanzaro@igalia.com>
+
+        ASSERTION FAILED: !source || is<Target>(*source) in CoordinatedGraphicsLayer::removeFromParent
+        https://bugs.webkit.org/show_bug.cgi?id=166568
+
+        Reviewed by Simon Fraser.
+
+        When a GraphicsLayer has a mask layer, it fails to properly unparent the mask layer before
+        it is destroyed. This leaves the mask layer with a dangling parent pointer. Fix it, while
+        taking care not to introduce yet another virtual function call during the execution of the
+        destructor.
+
+        * platform/graphics/GraphicsLayer.cpp:
+        (WebCore::GraphicsLayer::willBeDestroyed):
+
+2018-01-03  Simon Fraser  <simon.fraser@apple.com>
+
+        SVG lighting filter lights are in the wrong coordinate system
+        https://bugs.webkit.org/show_bug.cgi?id=181147
+
+        Reviewed by Zalan Bujtas.
+
+        Point and spot light coordinates weren't being converted into buffer-relative
+        coordinates before being fed into the lighting math, resulting in incorrect light
+        rendering on Retina devices, and when the filter primitive region was clipped.
+
+        Fix by storing absoluteUnclippedSubregion on FilterEffect, which allows us to map
+        lighting points from user space coordinates into the coordinates of the buffer being
+        used for rendering. Also scale the light z coordinate by doing a dummy point mapping in x.
+
+        Rename members of PointLightSource and SpotLightSource to make it clear which coordinate
+        system they are in.
+
+        Tests include HiDPI tests.
+
+        Tests: svg/filters/fePointLight-coordinates-expected.svg
+               svg/filters/fePointLight-coordinates.svg
+               svg/filters/feSpotLight-coordinates-expected.svg
+               svg/filters/feSpotLight-coordinates.svg
+               svg/filters/hidpi/fePointLight-coordinates-expected.svg
+               svg/filters/hidpi/fePointLight-coordinates.svg
+               svg/filters/hidpi/feSpotLight-coordinates-expected.svg
+               svg/filters/hidpi/feSpotLight-coordinates.svg
+
+        * platform/graphics/FloatPoint3D.h: Make it easy to get and set the X and Y coords as a FloatPoint.
+        (WebCore::FloatPoint3D::xy const):
+        (WebCore::FloatPoint3D::setXY):
+        * platform/graphics/GeometryUtilities.cpp:
+        (WebCore::mapPoint):
+        (WebCore::mapRect):
+        * platform/graphics/GeometryUtilities.h: Helper to make a point between rects.
+        * platform/graphics/filters/DistantLightSource.cpp:
+        (WebCore::DistantLightSource::initPaintingData):
+        * platform/graphics/filters/DistantLightSource.h:
+        * platform/graphics/filters/FELighting.cpp:
+        (WebCore::FELighting::drawLighting):
+        * platform/graphics/filters/FilterEffect.cpp:
+        (WebCore::FilterEffect::mapPointFromUserSpaceToBuffer const):
+        * platform/graphics/filters/FilterEffect.h:
+        (WebCore::FilterEffect::setUnclippedAbsoluteSubregion):
+        * platform/graphics/filters/LightSource.h:
+        * platform/graphics/filters/PointLightSource.cpp:
+        (WebCore::PointLightSource::initPaintingData):
+        (WebCore::PointLightSource::computePixelLightingData const):
+        (WebCore::PointLightSource::setX):
+        (WebCore::PointLightSource::setY):
+        (WebCore::PointLightSource::setZ):
+        * platform/graphics/filters/PointLightSource.h:
+        (WebCore::PointLightSource::position const):
+        (WebCore::PointLightSource::PointLightSource):
+        * platform/graphics/filters/SpotLightSource.cpp:
+        (WebCore::SpotLightSource::initPaintingData):
+        (WebCore::SpotLightSource::computePixelLightingData const):
+        (WebCore::SpotLightSource::setX):
+        (WebCore::SpotLightSource::setY):
+        (WebCore::SpotLightSource::setZ):
+        (WebCore::SpotLightSource::setPointsAtX):
+        (WebCore::SpotLightSource::setPointsAtY):
+        (WebCore::SpotLightSource::setPointsAtZ):
+        * platform/graphics/filters/SpotLightSource.h:
+        (WebCore::SpotLightSource::position const):
+        (WebCore::SpotLightSource::direction const):
+        (WebCore::SpotLightSource::SpotLightSource):
+        * rendering/svg/RenderSVGResourceFilter.cpp:
+        (WebCore::RenderSVGResourceFilter::buildPrimitives const):
+        * rendering/svg/RenderSVGResourceFilterPrimitive.cpp:
+        (WebCore::RenderSVGResourceFilterPrimitive::determineFilterPrimitiveSubregion):
+
+2018-01-03  Youenn Fablet  <youenn@apple.com>
+
+        Select service worker for documents with data/blob URLS
+        https://bugs.webkit.org/show_bug.cgi?id=181213
+
+        Reviewed by Alex Christensen.
+
+        Covered by updated test.
+
+        Reusing the service worker of the parent for blob/data URL documents.
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::isLocalURL):
+        (WebCore::DocumentLoader::commitData):
+
+2018-01-03  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r226352.
+
+        Breaks Sierra and El Capitan builds.
+
+        Reverted changeset:
+
+        "Web Inspector: Slow open time enumerating system fonts
+        (FontCache::systemFontFamilies)"
+        https://bugs.webkit.org/show_bug.cgi?id=180979
+        https://trac.webkit.org/changeset/226352
+
+2018-01-03  Philippe Normand  <pnormand@igalia.com>
+
+        [GStreamer] The bus synchronous handler should be in the base player class
+        https://bugs.webkit.org/show_bug.cgi?id=181237
+
+        Reviewed by Carlos Garcia Campos.
+
+        Because this is where video rendering is handled.
+
+        No new tests, this is only a refactoring.
+
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
+        (WebCore::MediaPlayerPrivateGStreamer::createGSTPlayBin):
+        * platform/graphics/gstreamer/MediaPlayerPrivateGStreamerBase.cpp:
+        (WebCore::MediaPlayerPrivateGStreamerBase::setPipeline):
+
 2018-01-03  Philippe Normand  <pnormand@igalia.com>
 
         [GStreamer] move MediaSample implementation out of mse/
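Review bot: In the 2018-01-03 Storage Access API entry, the note under NetworkStorageSession::cookieStoragePartition says the storageAccessAPIEnabled check is removed because the flag is not propagated to the network process. That leaves the gate in Document.idl as the only check the entry names, and that gate lives in the web process bindings rather than in the process that partitions cookies. I'd ask for a FIXME in NetworkStorageSessionCFNet.cpp with a follow-up bug for propagating the flag, so the network process can enforce the setting itself again. The same entry says "No new tests. Existing test re-enabled." without naming the test; please list its path, as the other entries do under "Test:". Minor: "elemenet" in the feLighting entry should be "element", and "before r180979" in the FontCache::systemFontFamilies entry repeats the bug number 180979, so please confirm which revision is meant.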