ThreadTimers should not store a raw pointer in its heap
[WebKit-https.git] / Source / WebCore / ChangeLog
index 3b718d1..becfba6 100644
@@ -1,3 +1,933 @@
+2019-01-09  Ryosuke Niwa  <rniwa@webkit.org>
+
+        ThreadTimers should not store a raw pointer in its heap
+        https://bugs.webkit.org/show_bug.cgi?id=192975
+        <rdar://problem/46893946>
+
+        Reviewed by Geoffrey Garen.
+
+        Right now, ThreadTimers's heap data structure stores a raw pointer to TimerBase. In order to harden the timer code,
+        this patch replaces it with ThreadTimerHeapItem, a newly introduced struct, which effectively acks like
+        WeakReference<TimerBase*> as the timer heap and TimerBase both store RefPtr to it, and TimerBase's destructor clears
+        the raw pointer back to TimerBase*.
+
+        This approach was taken instead of an out-right adoptation of WeakPtr since the heap data structure requires each node
+        in the heap to have a fixed "priority" yet WeakPtr with no valid pointer back to TimerBase would effectively lose its
+        "priority" thereby corrupting the heap data structure. That is, each item in the heap must remember its fire time and
+        insertion order even when the underlying TimerBase had gone away (this should never happen but the whole point of this
+        hardening is to make it work even in the precense of such a bug).
+
+        This patch also moves the heap index in TimerBase to ThreadTimerHeapItem, and replaces the pointer to the heap vector
+        in TimerBase by a reference to ThreadTimers in ThreadTimerHeapItem. Note that ThreadTimers is a per-thread singleton.
+
+        The correctness of this hardening was tested by commenting out the call to stop() and !isInHeap() assertion in
+        TimerBase::~TimerBase() as well as the !isInHeap() assertion in ThreadTimerHeapItem::clearTimer() and observing that
+        layout tests run successfully without hitting any debug assertions.
+
+        No new tests since there should be no observable behavior difference.
+
+        * WebCore.xcodeproj/project.pbxproj: Export ThreadTimers.h as a private header since it's now included in Timer.h
+        * platform/ThreadTimers.cpp:
+        (WebCore::ThreadTimers::updateSharedTimer): Delete ThreadTimerHeapItem's with nullptr TimerBase* (TimerBase had
+        already been deleted). This should only happen when TimerBase's destructor failed to remove itself from the timer heap,
+        which should never happen.
+        (WebCore::ThreadTimers::sharedTimerFiredInternal): Ditto. Also removed the redundant code which had removed the timer
+        from the heap since setNextFireTime does the removal already.
+        * platform/ThreadTimers.h: Outdented the whole file.
+        (WebCore::ThreadTimers::timerHeap): We use Vector<RefPtr<ThreadTimerHeapItem>> instead of Vector<Ref<~>> since Ref<~>
+        doesn't have a copy constructor which is used by std::push_heap.
+        (WebCore::ThreadTimerHeapItem): Added.
+        (WebCore::ThreadTimerHeapItem::hasTimer const): Added.
+        (WebCore::ThreadTimerHeapItem::setNotInHeap): Added. ThreadTimerHeapItem uses unsigned -1 as the single value which
+        signifies the item not being in the heap instead of all negative values as in the old code in TimerBase.
+        (WebCore::ThreadTimerHeapItem::isInHeap const): Added.
+        (WebCore::ThreadTimerHeapItem::isFirstInHeap const): Added.
+        (WebCore::ThreadTimerHeapItem::timer): Added.
+        (WebCore::ThreadTimerHeapItem::clearTimer): Added.
+        (WebCore::ThreadTimerHeapItem::heapIndex const): Added.
+        (WebCore::ThreadTimerHeapItem::setHeapIndex): Added.
+        (WebCore::ThreadTimerHeapItem::timerHeap const): Added.
+        * platform/Timer.cpp:
+        (WebCore::threadGlobalTimerHeap): This function is now only used in assertions.
+        (WebCore::ThreadTimerHeapItem::ThreadTimerHeapItem): Added.
+        (WebCore::ThreadTimerHeapItem::create): Added.
+        (WebCore::TimerHeapPointer::TimerHeapPointer):
+        (WebCore::TimerHeapPointer::operator-> const):
+        (WebCore::TimerHeapReference::TimerHeapReference): Added a copy constructor.
+        (WebCore::TimerHeapReference::copyRef const): Added.
+        (WebCore::TimerHeapReference::operator RefPtr<ThreadTimerHeapItem>& const):
+        (WebCore::TimerHeapPointer::operator* const):
+        (WebCore::TimerHeapReference::operator=): Use move assignment operator.
+        (WebCore::TimerHeapReference::swapWith):
+        (WebCore::TimerHeapReference::updateHeapIndex): Extracted to share code between two verions of operator=.
+        (WebCore::swap):
+        (WebCore::TimerHeapIterator::TimerHeapIterator):
+        (WebCore::TimerHeapIterator::operator-> const):
+        (WebCore::TimerHeapLessThanFunction::compare): Added variants which take RefPtr<ThreadTimerHeapItem>.
+        (WebCore::TimerHeapLessThanFunction::operator() const):
+        (WebCore::TimerBase::TimerBase):
+        (WebCore::TimerBase::~TimerBase):Clear the raw pointer in ThreadTimerHeapItem.
+        (WebCore::TimerBase::stop):
+        (WebCore::TimerBase::nextFireInterval const):
+        (WebCore::TimerBase::checkHeapIndex const): Added the consistency check for other items in the heap.
+        (WebCore::TimerBase::checkConsistency const):
+        (WebCore::TimerBase::heapDecreaseKey):
+        (WebCore::TimerBase::heapDelete):
+        (WebCore::TimerBase::heapDeleteMin):
+        (WebCore::TimerBase::heapIncreaseKey):
+        (WebCore::TimerBase::heapInsert):
+        (WebCore::TimerBase::heapPop):
+        (WebCore::TimerBase::heapPopMin):
+        (WebCore::TimerBase::heapDeleteNullMin): Added. Used to delete ThreadTimerHeapItem which no longer has a valid TimerBase.
+        (WebCore::parentHeapPropertyHolds):
+        (WebCore::childHeapPropertyHolds):
+        (WebCore::TimerBase::hasValidHeapPosition const):
+        (WebCore::TimerBase::updateHeapIfNeeded): Tweaked the heap index assertion as heapIndex() itself would assert when called
+        on an item with an invalid (-1) heap index.
+        (WebCore::TimerBase::setNextFireTime): Create ThreadTimerHeapItem. Note m_heapItem is never cleared until this TimerBase
+        is deleted.
+        (WebCore::TimerHeapReference::operator TimerBase* const): Deleted.
+        * platform/Timer.h:
+        (WebCore::TimerBase): Replaced m_nextFireTime, m_heapIndex, m_heapInsertionOrder, and m_cachedThreadGlobalTimerHeap
+        by m_heapItem, RefPtr to an ThreadTimerHeapItem.
+        (WebCore::TimerBase::augmentFireInterval):
+        (WebCore::TimerBase::inHeap const):
+        (WebCore::TimerBase::nextFireTime const):
+        (WebCore::TimerBase::isActive const):
+        (WebCore::TimerBase:: const): Deleted.
+
+2019-01-09  Alex Christensen  <achristensen@webkit.org>
+
+        REGRESSION(239737) iOS quicklook tests should not dereference null
+        https://bugs.webkit.org/show_bug.cgi?id=193307
+
+        Reviewed by Brent Fulgham.
+
+        The quicklook tests rely on ResourceHandle on iOS for some reason.
+        This is a problem we'll fix later, but for now keep them working by not crashing.
+
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::ResourceHandle::createNSURLConnection):
+        (WebCore::ResourceHandle::start):
+        (WebCore::ResourceHandle::willSendRequest):
+        (WebCore::ResourceHandle::tryHandlePasswordBasedAuthentication):
+        (WebCore::ResourceHandle::receivedCredential):
+
+2019-01-09  Zalan Bujtas  <zalan@apple.com>
+
+        [Datalist] Crash when input with datalist is dynamically added.
+        https://bugs.webkit.org/show_bug.cgi?id=193012
+        <rdar://problem/45923457>
+
+        Reviewed by Brent Fulgham.
+
+        In certain cases (cloning, setAttribute), it's too early to check for the list attribute in createShadowSubtree
+        to see whether the input needs datalist related items. The list attribute is simply not set yet.
+        This patch only addresses the obvious crash. m_dataListDropdownIndicator clearly lacks proper lifecycle management (see webkit.org/b/193032). 
+
+        Test: fast/forms/datalist/datalist-crash-when-dynamic.html
+
+        * html/TextFieldInputType.cpp:
+        (WebCore::TextFieldInputType::createShadowSubtree):
+        (WebCore::TextFieldInputType::attributeChanged):
+        (WebCore::TextFieldInputType::createDataListDropdownIndicator):
+        * html/TextFieldInputType.h:
+
+2019-01-09  Justin Fan  <justin_fan@apple.com>
+
+        [WebGPU] Fix vertex-buffer-triangle-strip test and small update to GPURenderPipeline
+        https://bugs.webkit.org/show_bug.cgi?id=193289
+
+        Reviewed by Dean Jackson.
+
+        Fix broken test after pipeline layouts were added, and a small refactoring to GPURenderPipeline to avoid
+        retaining its descriptor after creation.
+
+        * platform/graphics/gpu/GPURenderPipeline.h:
+        (WebCore::GPURenderPipeline::primitiveTopology const):
+        * platform/graphics/gpu/cocoa/GPURenderPipelineMetal.mm:
+        (WebCore::GPURenderPipeline::GPURenderPipeline):
+
+2019-01-09  Devin Rousso  <drousso@apple.com>
+
+        Web Inspector: Protocol Logging: log messages as objects if inspector^2 is open
+        https://bugs.webkit.org/show_bug.cgi?id=193284
+
+        Reviewed by Joseph Pecoraro.
+
+        No newe tests, as this is simply exposes a value.
+
+        * inspector/InspectorFrontendHost.idl:
+        * inspector/InspectorFrontendHost.h:
+        * inspector/InspectorFrontendHost.cpp:
+        (WebCore::InspectorFrontendHost::isBeingInspected): Added.
+
+2019-01-09  Zalan Bujtas  <zalan@apple.com>
+
+        [LFC][BFC][MarginCollapsing] Add support for peculiar cases.
+        https://bugs.webkit.org/show_bug.cgi?id=192625
+
+        Reviewed by Antti Koivisto.
+
+        Implement some of the more peculiar cases like margin collpasing through multiple boxes etc.
+        Add ~100 new passing cases.
+
+        * layout/FormattingContextGeometry.cpp:
+        (WebCore::Layout::FormattingContext::Geometry::inlineReplacedHeightAndMargin):
+        * layout/LayoutState.h:
+        (WebCore::Layout::LayoutState::hasFormattingState const):
+        * layout/MarginTypes.h:
+        * layout/blockformatting/BlockFormattingContext.cpp:
+        (WebCore::Layout::BlockFormattingContext::computeEstimatedMarginBefore const):
+        (WebCore::Layout::BlockFormattingContext::computeEstimatedMarginBeforeForAncestors const):
+        (WebCore::Layout::hasPrecomputedMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::computeFloatingPosition const):
+        (WebCore::Layout::BlockFormattingContext::computePositionToAvoidFloats const):
+        (WebCore::Layout::BlockFormattingContext::computeVerticalPositionForFloatClear const):
+        (WebCore::Layout::BlockFormattingContext::computeHeightAndMargin const):
+        (WebCore::Layout::BlockFormattingContext::adjustedVerticalPositionAfterMarginCollapsing const):
+        * layout/blockformatting/BlockFormattingContext.h:
+        (WebCore::Layout::BlockFormattingContext::blockFormattingState const):
+        * layout/blockformatting/BlockFormattingContextGeometry.cpp:
+        (WebCore::Layout::BlockFormattingContext::Geometry::inFlowNonReplacedHeightAndMargin):
+        (WebCore::Layout::BlockFormattingContext::Geometry::inFlowHeightAndMargin):
+        (WebCore::Layout::BlockFormattingContext::Geometry::estimatedMarginBefore): Deleted.
+        (WebCore::Layout::BlockFormattingContext::Geometry::estimatedMarginAfter): Deleted.
+        * layout/blockformatting/BlockFormattingContextQuirks.cpp:
+        (WebCore::Layout::BlockFormattingContext::Quirks::stretchedInFlowHeight):
+        (WebCore::Layout::BlockFormattingContext::Quirks::shouldIgnoreMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::Quirks::stretchedHeight): Deleted.
+        * layout/blockformatting/BlockFormattingState.h:
+        (WebCore::Layout::BlockFormattingState::setPositiveAndNegativeVerticalMargin):
+        (WebCore::Layout::BlockFormattingState::hasPositiveAndNegativeVerticalMargin const):
+        (WebCore::Layout::BlockFormattingState::positiveAndNegativeVerticalMargin const):
+        (WebCore::Layout::BlockFormattingState::setHasEstimatedMarginBefore):
+        (WebCore::Layout::BlockFormattingState::clearHasEstimatedMarginBefore):
+        (WebCore::Layout::BlockFormattingState::hasEstimatedMarginBefore const):
+        * layout/blockformatting/BlockMarginCollapse.cpp:
+        (WebCore::Layout::hasClearance):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithParentMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithParentMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithPreviousSiblingMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithFirstInFlowChildMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithSiblingMarginBeforeWithClearance):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithParentMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithLastInFlowChildMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithNextSiblingMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginsCollapseThrough):
+        (WebCore::Layout::computedPositiveAndNegativeMargin):
+        (WebCore::Layout::marginValue):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::updateCollapsedMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::positiveNegativeValues):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::positiveNegativeMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::positiveNegativeMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::estimatedMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::collapsedVerticalValues):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::computedNonCollapsedMarginBefore): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::computedNonCollapsedMarginAfter): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::nonCollapsedMarginBefore): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::nonCollapsedMarginAfter): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::collapsedMarginBeforeFromFirstChild): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::collapsedMarginAfterFromLastChild): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithPreviousSibling): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithNextSibling): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBefore): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfter): Deleted.
+        * layout/displaytree/DisplayBox.cpp:
+        (WebCore::Display::Box::Box):
+        * layout/displaytree/DisplayBox.h:
+        (WebCore::Display::Box::hasClearance const):
+        (WebCore::Display::Box::setEstimatedMarginBefore):
+        (WebCore::Display::Box::estimatedMarginBefore const):
+        (WebCore::Display::Box::setHasClearance):
+        (WebCore::Display::Box::invalidateEstimatedMarginBefore):
+        (WebCore::Display::Box::setVerticalMargin):
+        (WebCore::Display::Box::rectWithMargin const):
+        * layout/floats/FloatingContext.cpp:
+        (WebCore::Layout::FloatingContext::verticalPositionWithClearance const):
+        * layout/inlineformatting/InlineFormattingContext.cpp:
+        (WebCore::Layout::InlineFormattingContext::collectInlineContentForSubtree const):
+
+2019-01-09  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        REGRESSION(r239156): [FreeType] fixed width, and synthetic bold/italic not correctly applied since r239156
+        https://bugs.webkit.org/show_bug.cgi?id=193276
+
+        Reviewed by Žan Doberšek.
+
+        FontCache::createFontPlatformData() is calling getFontPropertiesFromPattern() with the configure pattern instead
+        of the result one after the match.
+
+        * platform/graphics/freetype/FontCacheFreeType.cpp:
+        (WebCore::FontCache::createFontPlatformData):
+
+2019-01-08  Dean Jackson  <dino@apple.com>
+
+        Blob references for System Previews don't get a correct file extension
+        https://bugs.webkit.org/show_bug.cgi?id=193268
+        <rdar://problem/47133037>
+
+        Reviewed by Tim Horton.
+
+        Apple platforms don't yet have a mapping from the USD MIME type to
+        file extensions (and we support some non-standard MIME types), which
+        means that downloads from Blob references don't get correctly named.
+
+        Fix this by adding an explicit mapping between System Preview types
+        and ".usdz".
+
+        WebKit API test: _WKDownload.SystemPreviewUSDZBlobNaming
+
+        * platform/MIMETypeRegistry.cpp:
+        (WebCore::MIMETypeRegistry::isSystemPreviewMIMEType): Remove USE(SYSTEM_PREVIEW) since
+        this applies to macOS and iOS now.
+        * platform/MIMETypeRegistry.h:
+        * platform/cocoa/MIMETypeRegistryCocoa.mm:
+        (WebCore::MIMETypeRegistry::getPreferredExtensionForMIMEType): Add a mapping
+        for USDZ.
+
+2019-01-08  Tim Horton  <timothy_horton@apple.com>
+
+        Editable images sometimes don't become focused when tapped
+        https://bugs.webkit.org/show_bug.cgi?id=193259
+        <rdar://problem/47038424>
+
+        Reviewed by Wenson Hsieh.
+
+        Often when tapping an editable image inside an editable text area, the
+        text area's selection will change instead of focusing the editable image.
+
+        No new tests; I have had no luck writing a test that reliably failed 
+        beforehand (the "sometimes" is a problem).
+
+        * html/HTMLImageElement.cpp:
+        (WebCore::HTMLImageElement::defaultEventHandler):
+        * html/HTMLImageElement.h:
+        Override mousedown on editable images, focus the image, and prevent
+        the default behavior.
+
+2019-01-08  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Support U2F HID Authenticators on macOS
+        https://bugs.webkit.org/show_bug.cgi?id=191535
+        <rdar://problem/47102027>
+
+        Reviewed by Brent Fulgham.
+
+        This patch changes U2fCommandConstructor to produce register commands with
+        enforcing test of user presence. Otherwise, authenticators would silently
+        generate credentials. It also renames readFromU2fSignResponse to
+        readU2fSignResponse.
+
+        Tests: http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https.html
+               http/wpt/webauthn/public-key-credential-create-failure-u2f.https.html
+               http/wpt/webauthn/public-key-credential-create-success-u2f.https.html
+               http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https.html
+               http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html
+               http/wpt/webauthn/public-key-credential-get-success-u2f.https.html
+
+        * Modules/webauthn/fido/U2fCommandConstructor.cpp:
+        (fido::WebCore::constructU2fRegisterCommand):
+        * Modules/webauthn/fido/U2fResponseConverter.cpp:
+        (fido::readU2fSignResponse):
+        (fido::readFromU2fSignResponse): Deleted.
+        * Modules/webauthn/fido/U2fResponseConverter.h:
+
+2019-01-08  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        [iOS] Dispatch a synthetic mousedown event prior to starting drags
+        https://bugs.webkit.org/show_bug.cgi?id=193229
+        <rdar://problem/46717097>
+
+        Reviewed by Tim Horton.
+
+        Tweaks some drag initiation logic on iOS to actually send a "mousedown" event to the page prior to drag start.
+        This improves drag and drop compatibility with web pages that expect a mousedown to always precede dragging.
+        Additionally, ensure that preventing the "mousedown" event also prevents "dragstart", which matches macOS
+        behavior.
+
+        Test: DragAndDropTests.PreventingMouseDownShouldPreventDragStart
+
+        * page/EventHandler.cpp:
+
+        Make the text drag delay 0 on iOS. This was introduced on iOS when originally bringing up drag and drop, and was
+        made to simply match macOS. However, it doesn't make sense to respect the delay here, since the purpose of this
+        delay is to disambiguate between making a text selection and starting a drag when pressing on text that is
+        already selected; on iOS (including iOSMac), this gesture conflict is already resolved by platform gesture
+        recognizers in the client layer, so there is always no delay between mouse down and drag here.
+
+        * page/ios/EventHandlerIOS.mm:
+
+        Dispatch a mousedown and inspect the value of `m_mouseDownMayStartDrag` when starting a drag on iOS. This brings
+        our behavior closer in line with macOS.
+
+        (WebCore::EventHandler::tryToBeginDataInteractionAtPoint):
+
+2019-01-08  Youenn Fablet  <youenn@apple.com>
+
+        service worker fetch handler results in bad referrer
+        https://bugs.webkit.org/show_bug.cgi?id=188248
+        <rdar://problem/47050478>
+
+        Reviewed by Alex Christensen.
+
+        Response sanitization was removing the ReferrerPolicy header from opaque redirect responses.
+        Reduce sanitization of opaque redirect responses to opaque responses and allow Location header.
+        Make sure referrer policy is updated for all load redirections, not only CORS loads.
+
+        Test: http/tests/security/referrer-policy-redirect-link-downgrade.html
+
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
+        * platform/network/ResourceResponseBase.cpp:
+        (WebCore::isSafeCrossOriginResponseHeader):
+        (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting):
+
+2019-01-08  Youenn Fablet  <youenn@apple.com>
+
+        IDB storage of Crypto keys does not work in private browsing mode
+        https://bugs.webkit.org/show_bug.cgi?id=193219
+
+        Reviewed by Brady Eidson.
+
+        https://trac.webkit.org/changeset/238677 moved from using a JSGlobalObject to a JSDOMGlobalObject for serialization/deserialization.
+        This does not work for crypto keys as they require not only a JSDOMGlobalObject but either a window or worker global object.
+
+        To fix the issue, revert 238677, and fix it by checking whether the dumping of an ArrayBuffer happens for a JSDOMGlobalObject or a JSGlobalObject.
+        If it is the latter, use JSC routines instead of toJS() which requires a JSDOMGlobalObject.
+
+        Covered by updated test.
+
+        * Modules/indexeddb/server/UniqueIDBDatabase.cpp:
+        (WebCore::IDBServer::UniqueIDBDatabase::databaseThreadVM):
+        (WebCore::IDBServer::UniqueIDBDatabase::databaseThreadExecState):
+        * bindings/js/JSDOMGlobalObject.cpp:
+        * bindings/js/JSDOMGlobalObject.h:
+        * bindings/js/JSDOMWrapper.cpp:
+        (WebCore::JSDOMObject::JSDOMObject):
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneSerializer::dumpArrayBufferView):
+        (WebCore::CloneSerializer::toJSArrayBuffer):
+
+2019-01-08  Justin Fan  <justin_fan@apple.com>
+
+        [WebGPU] Update createRenderPipeline for WebGPUPipelineLayout
+        https://bugs.webkit.org/show_bug.cgi?id=193247
+
+        Reviewed by Dean Jackson.
+
+        Add WebGPUPipelineLayout to WebGPURenderPipeline via WebGPUPipelineDescriptorBase.
+
+        Test: Updated render-pipelines.html to test new functionality.
+
+        * Modules/webgpu/WebGPUDevice.cpp:
+        (WebCore::WebGPUDevice::createRenderPipeline const): Convert WebGPUPipelineLayout to GPUPipelineLayout.
+        * Modules/webgpu/WebGPUPipelineDescriptorBase.h:
+        * Modules/webgpu/WebGPUPipelineDescriptorBase.idl: Add layout field.
+        * Modules/webgpu/WebGPUPipelineLayout.h: 
+        (WebCore::WebGPUPipelineLayout::pipelineLayout): Added. Getter.
+        * platform/graphics/gpu/GPUPipelineDescriptorBase.h: Updated from out-of-date version.
+        * platform/graphics/gpu/GPUPipelineLayout.cpp:
+        (WebCore::GPUPipelineLayout::GPUPipelineLayout): Now retains bindGroupLayouts from descriptor.
+        * platform/graphics/gpu/GPUPipelineLayout.h:
+        * platform/graphics/gpu/GPURenderPipelineDescriptor.h: Now inherits from GPUPipelineDescriptorBase.
+        (WebCore::GPURenderPipelineDescriptor::GPURenderPipelineDescriptor): Custom constructor for non-aggregate struct.
+
+2019-01-08  Chris Dumez  <cdumez@apple.com>
+
+        Prevent cross-site top-level navigations from third-party iframes
+        https://bugs.webkit.org/show_bug.cgi?id=193076
+        <rdar://problem/36074736>
+
+        Reviewed by Alex Christensen.
+
+        Prevent cross-site top-level navigations from third-party iframes if the following conditions are met:
+        1. Its tries to navigate the top-level page cross-site (different eTDL+1)
+        2. The user has never interacted with the third-party iframe or any of its subframes
+
+        This experiment's intent is to block suspicious main-frame navigations by third-party content. The feature
+        is behind a runtime experimental feature flag, on by default.
+
+        Tests: http/tests/security/allow-top-level-navigations-by-third-party-iframes-to-same-origin.html
+               http/tests/security/allow-top-level-navigations-by-third-party-iframes-with-previous-user-activation.html
+               http/tests/security/allow-top-level-navigations-by-third-party-iframes-with-user-activation.html
+               http/tests/security/block-top-level-navigations-by-third-party-iframes.html
+
+        * dom/Document.cpp:
+        (WebCore::printNavigationErrorMessage):
+        (WebCore::Document::canNavigate):
+        (WebCore::Document::canNavigateInternal):
+        (WebCore::Document::isNavigationBlockedByThirdPartyIFrameRedirectBlocking):
+        * dom/Document.h:
+        * dom/UserGestureIndicator.cpp:
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::setLocation):
+        * page/DOMWindow.h:
+        * page/Frame.h:
+        * page/Location.cpp:
+        (WebCore::Location::replace):
+        (WebCore::Location::setLocation):
+        * page/Settings.yaml:
+
+2019-01-08  Alex Christensen  <achristensen@webkit.org>
+
+        Stop using NetworkStorageSession in WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=193236
+
+        Reviewed by Don Olmstead.
+
+        No change in behavior.  Some code was only used for ResourceHandle, which isn't used in modern WebKit,
+        and for cookies, which are handled in the NetworkProcess in modern WebKit.
+
+        * loader/CookieJar.cpp:
+        (WebCore::storageSession):
+        * loader/EmptyClients.cpp:
+        * platform/network/NetworkingContext.h:
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::ResourceHandle::createNSURLConnection):
+        (WebCore::ResourceHandle::start):
+        (WebCore::ResourceHandle::platformLoadResourceSynchronously):
+        (WebCore::ResourceHandle::willSendRequest):
+        (WebCore::ResourceHandle::tryHandlePasswordBasedAuthentication):
+        (WebCore::ResourceHandle::receivedCredential):
+
+2019-01-08  Alex Christensen  <achristensen@webkit.org>
+
+        Unreviewed, rolling out r239727.
+
+        Broke API tests
+
+        Reverted changeset:
+
+        "Stop using NetworkStorageSession in WebProcess"
+        https://bugs.webkit.org/show_bug.cgi?id=193236
+        https://trac.webkit.org/changeset/239727
+
+2019-01-08  Alex Christensen  <achristensen@webkit.org>
+
+        Stop using NetworkStorageSession in WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=193236
+
+        Reviewed by Don Olmstead.
+
+        No change in behavior.  Some code was only used for ResourceHandle, which isn't used in modern WebKit,
+        and for cookies, which are handled in the NetworkProcess in modern WebKit.
+
+        * loader/CookieJar.cpp:
+        (WebCore::storageSession):
+        * loader/EmptyClients.cpp:
+        * platform/network/NetworkingContext.h:
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::ResourceHandle::createNSURLConnection):
+        (WebCore::ResourceHandle::start):
+        (WebCore::ResourceHandle::platformLoadResourceSynchronously):
+        (WebCore::ResourceHandle::willSendRequest):
+        (WebCore::ResourceHandle::tryHandlePasswordBasedAuthentication):
+        (WebCore::ResourceHandle::receivedCredential):
+
+2019-01-08  Chris Dumez  <cdumez@apple.com>
+
+        Regression(PSON-r239182): Blank view when navigating back and forth between google.com and stack overflow
+        https://bugs.webkit.org/show_bug.cgi?id=193224
+        <rdar://problem/47097726>
+
+        Reviewed by Alex Christensen.
+
+        Since r239182, pages get suspended in-place when we suspend the old process after a process-swap on navigation.
+        When we return to a suspended page, we load the current history item again and it normally properly restores
+        the page from PageCache, even though we load the same history item and the current one and even though the
+        page is suspended in-place (i.e. we did not navigate away, which is the usual case for page cache).
+
+        The issue is that if the page URL contains a fragment, FrameLoader::shouldPerformFragmentNavigation() would
+        return true because both the source and destination URLs (which are the same) contains a fragment. To address
+        the issue, update FrameLoader::shouldPerformFragmentNavigation() to return false if the current page is
+        suspended.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::shouldPerformFragmentNavigation):
+
+2019-01-08  Alex Christensen  <achristensen@webkit.org>
+
+        Move Windows-specific code from NetworkStorageSessionCFNet.cpp to its own file
+        https://bugs.webkit.org/show_bug.cgi?id=192958
+
+        Reviewed by Yusuke Suzuki.
+
+        This makes it easier to reason about what code is used where.
+
+        * PlatformAppleWin.cmake:
+        * platform/network/cf/NetworkStorageSessionCFNet.cpp:
+        (WebCore::createPrivateStorageSession): Deleted.
+        (WebCore::cookieDomain): Deleted.
+        (WebCore::canonicalCookieTime): Deleted.
+        (WebCore::cookieCreatedTime): Deleted.
+        (WebCore::cookieExpirationTime): Deleted.
+        (WebCore::cookieName): Deleted.
+        (WebCore::cookiePath): Deleted.
+        (WebCore::cookieValue): Deleted.
+        (WebCore::filterCookies): Deleted.
+        (WebCore::copyCookiesForURLWithFirstPartyURL): Deleted.
+        (WebCore::createCookies): Deleted.
+        (WebCore::NetworkStorageSession::setCookiesFromDOM const): Deleted.
+        (WebCore::containsSecureCookies): Deleted.
+        (WebCore::NetworkStorageSession::cookiesForDOM const): Deleted.
+        (WebCore::NetworkStorageSession::cookieRequestHeaderFieldValue const): Deleted.
+        (WebCore::NetworkStorageSession::cookiesEnabled const): Deleted.
+        (WebCore::NetworkStorageSession::getRawCookies const): Deleted.
+        (WebCore::NetworkStorageSession::deleteCookie const): Deleted.
+        (WebCore::NetworkStorageSession::getHostnamesWithCookies): Deleted.
+        (WebCore::NetworkStorageSession::deleteAllCookies): Deleted.
+        (WebCore::NetworkStorageSession::deleteCookiesForHostnames): Deleted.
+        (WebCore::NetworkStorageSession::deleteAllCookiesModifiedSince): Deleted.
+        * platform/network/cf/NetworkStorageSessionCFNetWin.cpp: Added.
+        (WebCore::createPrivateStorageSession):
+        (WebCore::NetworkStorageSession::setCookies):
+        (WebCore::cookieDomain):
+        (WebCore::canonicalCookieTime):
+        (WebCore::cookieCreatedTime):
+        (WebCore::cookieExpirationTime):
+        (WebCore::cookieName):
+        (WebCore::cookiePath):
+        (WebCore::cookieValue):
+        (WebCore::filterCookies):
+        (WebCore::copyCookiesForURLWithFirstPartyURL):
+        (WebCore::createCookies):
+        (WebCore::NetworkStorageSession::setCookiesFromDOM const):
+        (WebCore::containsSecureCookies):
+        (WebCore::NetworkStorageSession::cookiesForDOM const):
+        (WebCore::NetworkStorageSession::cookieRequestHeaderFieldValue const):
+        (WebCore::NetworkStorageSession::cookiesEnabled const):
+        (WebCore::NetworkStorageSession::getRawCookies const):
+        (WebCore::NetworkStorageSession::deleteCookie const):
+        (WebCore::NetworkStorageSession::getHostnamesWithCookies):
+        (WebCore::NetworkStorageSession::deleteAllCookies):
+        (WebCore::NetworkStorageSession::deleteCookiesForHostnames):
+        (WebCore::NetworkStorageSession::deleteAllCookiesModifiedSince):
+
+2018-12-19  Antoine Quint  <graouts@apple.com>
+
+        [Web Animations] Compute animation effect timing properties in batch
+        https://bugs.webkit.org/show_bug.cgi?id=192850
+
+        Reviewed by Dean Jackson.
+
+        We remove a host of functions from AnimationEffect that would allow the computation of various timing properties
+        defined by the Web Animations specification: phase, progress, current iteration, etc. Indeed, a lot of these functions
+        would call each other in a chain, and we would re-compute a lot of the earlier properties in those chains several times
+        when doing something like querying the animation progress. Additionally, some functions, such as WebAnimation::computeRelevance()
+        and WebAnimation::timeToNextTick() would yield the computation of several such properties numerous times. All of those
+        functions are called during each animation frame and are ripe for optimizations.
+
+        We now compute all timing properties across two functions:
+        
+        1. the new AnimationEffect::getBasicTiming() which computes the local time, end time, active duration, active time and phase,
+        2. the existing AnimationEffect::getComputedTiming() which now also exposes the phase and simple iteration progress.
+
+        To support this we introduce a new BasicEffectTiming struct to contain the values computed in AnimationEffect::getBasicTiming()
+        and spun the AnimationEffect::Phase struct as AnimationEffectPhase so that it may be used across BasicEffectTiming and
+        ComputedEffectTiming.
+
+        No new test since there is no user-observable change.
+
+        * WebCore.xcodeproj/project.pbxproj:
+        * animation/AnimationEffect.cpp:
+        (WebCore::AnimationEffect::getTiming const):
+        (WebCore::AnimationEffect::getBasicTiming const):
+        (WebCore::AnimationEffect::getComputedTiming const):
+        (WebCore::AnimationEffect::localTime const): Deleted.
+        (WebCore::AnimationEffect::phase const): Deleted.
+        (WebCore::AnimationEffect::activeTime const): Deleted.
+        (WebCore::AnimationEffect::overallProgress const): Deleted.
+        (WebCore::AnimationEffect::simpleIterationProgress const): Deleted.
+        (WebCore::AnimationEffect::currentIteration const): Deleted.
+        (WebCore::AnimationEffect::currentDirection const): Deleted.
+        (WebCore::AnimationEffect::directedProgress const): Deleted.
+        (WebCore::AnimationEffect::transformedProgress const): Deleted.
+        (WebCore::AnimationEffect::iterationProgress const): Deleted.
+        (WebCore::AnimationEffect::getTiming): Deleted.
+        (WebCore::AnimationEffect::getComputedTiming): Deleted.
+        (WebCore::AnimationEffect::endTime const): Deleted.
+        (WebCore::AnimationEffect::activeDuration const): Deleted.
+        * animation/AnimationEffect.h:
+        * animation/AnimationEffectPhase.h: Copied from Source/WebCore/animation/ComputedEffectTiming.h.
+        * animation/AnimationTimeline.cpp:
+        (WebCore::AnimationTimeline::updateCSSTransitionsForElement):
+        * animation/AnimationTimeline.h:
+        * animation/BasicEffectTiming.h: Copied from Source/WebCore/animation/ComputedEffectTiming.h.
+        * animation/ComputedEffectTiming.h:
+        * animation/DeclarativeAnimation.cpp:
+        (WebCore::DeclarativeAnimation::cancel):
+        (WebCore::DeclarativeAnimation::phaseWithoutEffect const):
+        (WebCore::DeclarativeAnimation::invalidateDOMEvents):
+        * animation/DeclarativeAnimation.h:
+        * animation/KeyframeEffect.cpp:
+        (WebCore::KeyframeEffect::apply):
+        (WebCore::KeyframeEffect::getAnimatedStyle):
+        * animation/WebAnimation.cpp:
+        (WebCore::WebAnimation::effectEndTime const):
+        (WebCore::WebAnimation::computeRelevance):
+        (WebCore::WebAnimation::timeToNextTick const):
+
+2019-01-07  Youenn Fablet  <youenn@apple.com>
+
+        Crash in SWServer::Connection::resolveRegistrationReadyRequests
+        https://bugs.webkit.org/show_bug.cgi?id=193217
+
+        Reviewed by Chris Dumez.
+
+        As can be seen from the traces, SWServer might clear its connections HashMap in its destructor.
+        This might then trigger calling SWServer::resolveRegistrationReadyRequests.
+        This method is iterating on the connections HashMap which is being cleared.
+        To remove this problem, move the HashMap in a temporary variable and clear the temporary variable.
+
+        * workers/service/server/SWServer.cpp:
+        (WebCore::SWServer::~SWServer):
+
+2019-01-07  Jer Noble  <jer.noble@apple.com>
+
+        REGRESSION (r239519): ASSERTION FAILED: !m_adoptionIsRequired in com.apple.WebCore: void WTF::refIfNotNull<WebCore::CDMSessionMediaSourceAVFObjC> + 53
+        https://bugs.webkit.org/show_bug.cgi?id=193211
+        <rdar://problem/46937412>
+
+        Reviewed by Eric Carlson.
+
+        Make CDMSessionMediaSourceAVFObjC a CanMakeWeakPtr rather than RefCounted, as CDMSessions are stored in
+        std::unique_ptrs, and not in Ref or RefPtr.
+
+        * platform/graphics/avfoundation/objc/CDMSessionMediaSourceAVFObjC.h:
+        * platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.h:
+        * platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm:
+        (WebCore::MediaPlayerPrivateMediaSourceAVFObjC::setCDMSession):
+
+2019-01-07  David Kilzer  <ddkilzer@apple.com>
+
+        Prefer RetainPtr<NSObject> to RetainPtr<NSObject *>
+        <https://webkit.org/b/193056>
+
+        Reviewed by Alex Christensen.
+
+        * platform/graphics/avfoundation/objc/SourceBufferPrivateAVFObjC.mm:
+        (-[WebAVStreamDataParserListener streamDataParser:didParseStreamDataAsAsset:]):
+        (-[WebAVStreamDataParserListener streamDataParser:didParseStreamDataAsAsset:withDiscontinuity:]):
+        * platform/network/cf/AuthenticationChallenge.h:
+        - Remove '*' from RetainPtr<> type.
+
+        * platform/network/cocoa/NetworkStorageSessionCocoa.mm:
+        (WebCore::cookiesForURL):
+        - Once retainPtr() was changed to return RetainPtr<NSArray>
+          instead of RetainPtr<NSArray *> here, that forced the type of
+          `cookiesPtr` to change as well since
+          Optional<RetainPtr<NSArray>> is not assignable to
+          Optional<RetainPtr<NSArray *>> without further template
+          specialization, which didn't seem useful since
+          Optional<RetainPtr<>> variable types are rarely used.
+
+2019-01-07  Devin Rousso  <drousso@apple.com>
+
+        Web Inspector: extend XHR breakpoints to work with fetch
+        https://bugs.webkit.org/show_bug.cgi?id=185843
+        <rdar://problem/40431027>
+
+        Reviewed by Matt Baker.
+
+        Test: inspector/dom-debugger/url-breakpoints.html
+
+        * Modules/fetch/FetchResponse.cpp:
+        (WebCore::FetchResponse::fetch):
+
+        * inspector/InspectorInstrumentation.h:
+        (WebCore::InspectorInstrumentation::willFetch): Added.
+        * inspector/InspectorInstrumentation.cpp:
+        (WebCore::InspectorInstrumentation::willFetchImpl): Added.
+
+        * inspector/agents/InspectorDOMDebuggerAgent.h:
+        * inspector/agents/InspectorDOMDebuggerAgent.cpp:
+        (WebCore::InspectorDOMDebuggerAgent::disable):
+        (WebCore::InspectorDOMDebuggerAgent::discardBindings):
+        (WebCore::InspectorDOMDebuggerAgent::setURLBreakpoint): Added.
+        (WebCore::InspectorDOMDebuggerAgent::removeURLBreakpoint): Added.
+        (WebCore::InspectorDOMDebuggerAgent::breakOnURLIfNeeded): Added.
+        (WebCore::InspectorDOMDebuggerAgent::willSendXMLHttpRequest):
+        (WebCore::InspectorDOMDebuggerAgent::willFetch): Added.
+        (WebCore::InspectorDOMDebuggerAgent::setXHRBreakpoint): Deleted.
+        (WebCore::InspectorDOMDebuggerAgent::removeXHRBreakpoint): Deleted.
+
+2019-01-07  Eric Carlson  <eric.carlson@apple.com>
+
+        Cleanup AudioTrackPrivateMediaStreamCocoa
+        https://bugs.webkit.org/show_bug.cgi?id=193208
+        <rdar://problem/42225870>
+
+        Reviewed by Youenn Fablet.
+
+        * platform/mediastream/mac/AudioTrackPrivateMediaStreamCocoa.cpp:
+        (WebCore::AudioTrackPrivateMediaStreamCocoa::audioSamplesAvailable): Clear input and
+        output format descriptions after stopping the audio unit.
+
+2019-01-07  Devin Rousso  <drousso@apple.com>
+
+        Web Inspector: Network: show secure connection details per-request
+        https://bugs.webkit.org/show_bug.cgi?id=191539
+        <rdar://problem/45979891>
+
+        Reviewed by Joseph Pecoraro.
+
+        Test: http/tests/inspector/network/resource-security-connection.html
+
+        * platform/network/NetworkLoadMetrics.h:
+        (WebCore::NetworkLoadMetrics:isolatedCopy):
+        (WebCore::NetworkLoadMetrics:clearNonTimingData):
+        (WebCore::NetworkLoadMetrics:operator==):
+        (WebCore::NetworkLoadMetrics:encode):
+        (WebCore::NetworkLoadMetrics:decode):
+
+        * inspector/agents/InspectorNetworkAgent.cpp:
+        (WebCore::InspectorNetworkAgent::buildObjectForMetrics):
+
+2019-01-07  Eric Carlson  <eric.carlson@apple.com>
+
+        Deactivate audio session whenever possible
+        https://bugs.webkit.org/show_bug.cgi?id=193188
+        <rdar://problem/42678977>
+
+        Reviewed by Jer Noble.
+
+        Test: media/deactivate-audio-session.html
+
+        * platform/audio/AudioSession.cpp:
+        (WebCore::AudioSession::tryToSetActive):
+        (WebCore::AudioSession::tryToSetActiveInternal):
+        * platform/audio/AudioSession.h:
+        (WebCore::AudioSession::isActive const):
+
+        * platform/audio/PlatformMediaSessionManager.cpp:
+        (WebCore::PlatformMediaSessionManager::removeSession):
+        (WebCore::deactivateAudioSession):
+        (WebCore::PlatformMediaSessionManager::shouldDeactivateAudioSession):
+        (WebCore::PlatformMediaSessionManager::setShouldDeactivateAudioSession):
+        * platform/audio/PlatformMediaSessionManager.h:
+
+        * platform/audio/ios/AudioSessionIOS.mm:
+        (WebCore::AudioSession::tryToSetActiveInternal):
+        (WebCore::AudioSession::tryToSetActive): Deleted.
+
+        * platform/audio/mac/AudioSessionMac.cpp:
+        (WebCore::AudioSession::tryToSetActiveInternal):
+        (WebCore::AudioSession::tryToSetActive): Deleted.
+
+        * testing/Internals.cpp:
+        (WebCore::Internals::audioSessionActive const):
+        * testing/Internals.h:
+        * testing/Internals.idl:
+
+2019-01-07  David Kilzer  <ddkilzer@apple.com>
+
+        PlatformECKey should use a std::unique_ptr
+        <https://webkit.org/b/193170>
+
+        Reviewed by Brent Fulgham.
+
+        Broadly:
+        - Switch from using raw pointers to using std::unique_ptr<> to
+          hold PlatformECKey.
+        - Introduce PlatformECKeyContainer type to handle different
+          std::unique_ptr<> types on each platform.
+        - Get rid of custom CryptoKeyEC destructors since the
+          std::unique_ptr<> handles that with a Deleter.
+        - Initialize stack variables to nullptr.
+
+        * crypto/gcrypt/CryptoKeyECGCrypt.cpp:
+        (WebCore::CryptoKeyEC::keySizeInBits const):
+        (WebCore::CryptoKeyEC::platformGeneratePair):
+        (WebCore::CryptoKeyEC::platformImportRaw):
+        (WebCore::CryptoKeyEC::platformImportJWKPublic):
+        (WebCore::CryptoKeyEC::platformImportJWKPrivate):
+        (WebCore::CryptoKeyEC::platformImportSpki):
+        (WebCore::CryptoKeyEC::platformImportPkcs8):
+        (WebCore::CryptoKeyEC::platformExportRaw const):
+        (WebCore::CryptoKeyEC::platformAddFieldElements const):
+        (WebCore::CryptoKeyEC::platformExportSpki const):
+        (WebCore::CryptoKeyEC::platformExportPkcs8 const):
+        (WebCore::CryptoKeyEC::~CryptoKeyEC): Deleted.
+        * crypto/keys/CryptoKeyEC.cpp:
+        (WebCore::CryptoKeyEC::CryptoKeyEC):
+        * crypto/keys/CryptoKeyEC.h:
+        (WebCore::CCECCryptorRefDeleter::operator() const):
+        * crypto/mac/CryptoKeyECMac.cpp:
+        (WebCore::CryptoKeyEC::keySizeInBits const):
+        (WebCore::CryptoKeyEC::platformGeneratePair):
+        (WebCore::CryptoKeyEC::platformImportRaw):
+        (WebCore::CryptoKeyEC::platformExportRaw const):
+        (WebCore::CryptoKeyEC::platformImportJWKPublic):
+        (WebCore::CryptoKeyEC::platformImportJWKPrivate):
+        (WebCore::CryptoKeyEC::platformAddFieldElements const):
+        (WebCore::CryptoKeyEC::platformImportSpki):
+        (WebCore::CryptoKeyEC::platformExportSpki const):
+        (WebCore::CryptoKeyEC::platformImportPkcs8):
+        (WebCore::CryptoKeyEC::platformExportPkcs8 const):
+        (WebCore::CryptoKeyEC::~CryptoKeyEC): Deleted.
+
+2019-01-07  Antti Koivisto  <antti@apple.com>
+
+        UI process side scrollbars for UI side compositing on Mac
+        https://bugs.webkit.org/show_bug.cgi?id=193106
+
+        Reviewed by Tim Horton.
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::paintScrollCorner):
+        * page/scrolling/AsyncScrollingCoordinator.cpp:
+        (WebCore::AsyncScrollingCoordinator::frameViewLayoutUpdated):
+
+        Pass scrollbar host layers and the dark appearance bit to the scrolling tree.
+
+        * page/scrolling/ScrollingCoordinator.cpp:
+        (WebCore::ScrollingCoordinator::verticalScrollbarLayerForFrameView):
+        (WebCore::ScrollingCoordinator::horizontalScrollbarLayerForFrameView):
+        * page/scrolling/ScrollingCoordinator.h:
+        (WebCore::ScrollableAreaParameters::ScrollableAreaParameters):
+        (WebCore::ScrollableAreaParameters::operator== const):
+        * page/scrolling/ScrollingStateFrameScrollingNode.cpp:
+        (WebCore::ScrollingStateFrameScrollingNode::ScrollingStateFrameScrollingNode):
+        (WebCore::ScrollingStateFrameScrollingNode::setScrollbarLayers):
+        * page/scrolling/ScrollingStateFrameScrollingNode.h:
+        * page/scrolling/ScrollingTreeFrameScrollingNode.h:
+        * page/scrolling/ScrollingTreeScrollingNode.h:
+        (WebCore::ScrollingTreeScrollingNode::scrollableAreaSize const):
+        (WebCore::ScrollingTreeScrollingNode::totalContentsSize const):
+        (WebCore::ScrollingTreeScrollingNode::useDarkAppearanceForScrollbars const):
+        (WebCore::ScrollingTreeScrollingNode::lastCommittedScrollPosition const):
+        * page/scrolling/mac/ScrollingTreeFrameScrollingNodeMac.h:
+        * platform/ScrollableArea.cpp:
+        (WebCore::ScrollableArea::useDarkAppearanceForScrollbars const):
+
+        Factor into a function as this is used in several places.
+
+        * platform/ScrollableArea.h:
+        * platform/mac/NSScrollerImpDetails.h:
+        * platform/mac/ScrollAnimatorMac.mm:
+        (-[WebScrollerImpDelegate effectiveAppearanceForScrollerImp:]):
+        * platform/mac/ScrollbarThemeMac.h:
+
+2019-01-07  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        Native caret shows up alongside the page's caret when requesting desktop site on jsfiddle.net
+        https://bugs.webkit.org/show_bug.cgi?id=193180
+        <rdar://problem/45971041>
+
+        Reviewed by Tim Horton.
+
+        Adjust a method on RenderObject to additionally detect when the RenderObject is inside of an `overflow: hidden`
+        container that is also empty. See WebKit ChangeLog for more details.
+
+        Test:   editing/selection/ios/hide-selection-in-empty-overflow-hidden-container.html
+                editing/selection/ios/show-selection-in-empty-overflow-hidden-document.html
+
+        * rendering/RenderObject.cpp:
+        (WebCore::RenderObject::isTransparentOrFullyClippedRespectingParentFrames const):
+        (WebCore::RenderObject::isTransparentRespectingParentFrames const): Deleted.
+        * rendering/RenderObject.h:
+
 2019-01-07  Zalan Bujtas  <zalan@apple.com>
 
         [LFC][BFC] Margin collapsing should not be limited to in-flow non-replaced boxes.