Safari Crashing in Version 12.0.1 (14606.2.104.1.1) WebCore::GraphicsLayerCA::updateB...
[WebKit-https.git] / Source / WebCore / ChangeLog
index 1975dd2..e6bdff6 100644 (file)
@@ -1,3 +1,562 @@
+2019-01-09  Dean Jackson  <dino@apple.com>
+
+        Safari Crashing in Version 12.0.1 (14606.2.104.1.1) WebCore::GraphicsLayerCA::updateBackdropFilters
+        https://bugs.webkit.org/show_bug.cgi?id=193309
+        <rdar://problem/45279224>
+
+        Reviewed by Antoine Quint.
+
+        A speculative fix for a CheckedArithmetic crash triggered in updateBackdropFilters.
+
+        The crash log indicates we crash in a Checked<> class that is not recording
+        overflow i.e. it is crashing due to an overflow. The only place in this function
+        where that could happen is when we convert the FloatRect for the backdrop
+        region into a Checked<unsigned> for width and height. This suggests that either
+        the width or height are negative, or the float values are too large for integers,
+        or the product of the two overflows.
+
+        Avoid this by using RecordOverflow, but also changing the code a little to
+        bail if the rectangle is incorrect.
+
+        * platform/graphics/ca/GraphicsLayerCA.cpp:
+        (WebCore::GraphicsLayerCA::updateBackdropFilters):
+
+2019-01-10  Oriol Brufau  <obrufau@igalia.com>
+
+        [css-grid] Let abspos items reference implicit grid lines
+        https://bugs.webkit.org/show_bug.cgi?id=193313
+
+        Reviewed by Manuel Rego Casasnovas.
+
+        While they can't create new implicit grid lines, abspos items
+        can reference existing ones as clarified in
+        https://github.com/w3c/csswg-drafts/commit/511bb63
+
+        This patch makes WebKit match Blink, Firefox and Edge.
+
+        Tests: web-platform-tests/css/css-grid/abspos/grid-positioned-items-padding-001.html
+               web-platform-tests/css/css-grid/abspos/grid-positioned-items-unknown-named-grid-line-001.html
+
+        * rendering/RenderGrid.cpp:
+        (WebCore::RenderGrid::populateExplicitGridAndOrderIterator const):
+        Remove argument from spanSizeForAutoPlacedItem call.
+        (WebCore::RenderGrid::createEmptyGridAreaAtSpecifiedPositionsOutsideGrid const):
+        Remove argument from spanSizeForAutoPlacedItem call.
+        (WebCore::RenderGrid::placeSpecifiedMajorAxisItemsOnGrid const):
+        Remove argument from spanSizeForAutoPlacedItem call.
+        (WebCore::RenderGrid::placeAutoMajorAxisItemOnGrid const):
+        Remove argument from spanSizeForAutoPlacedItem call.
+        (WebCore::RenderGrid::gridAreaBreadthForOutOfFlowChild):
+        Don't treat implicit grid lines as 'auto'.
+        * rendering/RenderGrid.h:
+        Remove unused gridPositionIsAutoForOutOfFlow.
+        * rendering/style/GridPositionsResolver.cpp:
+        (WebCore::adjustGridPositionsFromStyle):
+        Don't treat implicit grid lines as 'auto'.
+        Remove unused gridContainerStyle parameter.
+        (WebCore::GridPositionsResolver::spanSizeForAutoPlacedItem):
+        Remove argument from adjustGridPositionsFromStyle call.
+        Remove unused gridContainerStyle parameter.
+        (WebCore::resolveGridPositionFromStyle):
+        Remove unnecessary assert that uses isValidNamedLineOrArea.
+        (WebCore::GridPositionsResolver::resolveGridPositionsFromStyle):
+        Remove argument from adjustGridPositionsFromStyle call.
+        * rendering/style/GridPositionsResolver.h:
+        Remove unused isValidNamedLineOrArea.
+        Remove unused parameter from spanSizeForAutoPlacedItem.
+
+2019-01-09  Matt Rajca  <mrajca@apple.com>
+
+        Put per-document autoplay behavior behind runtime website policies quirk instead of a compile time flag
+        https://bugs.webkit.org/show_bug.cgi?id=193301
+
+        Reviewed by Jer Noble.
+
+        Instead of unconditionally enabling this with a compile-time flag, let clients
+        enable the quirk on a per-load basis.
+
+        Tests: added API tests in favor of the current layout test as this behavior is no
+               longer on by default unless a client opts in.
+
+        * html/MediaElementSession.cpp:
+        (WebCore::needsPerDocumentAutoplayBehaviorQuirk):
+        (WebCore::MediaElementSession::playbackPermitted const):
+        * loader/DocumentLoader.h:
+
+2019-01-10  Zalan Bujtas  <zalan@apple.com>
+
+        [LFC][BFC][MarginCollapsing] Take collapsed through siblings into account when computing vertical position
+        https://bugs.webkit.org/show_bug.cgi?id=193310
+
+        Reviewed by Antti Koivisto.
+
+        If the block inflow element has previous siblings with collapsed through vertical margins,
+        then this box's before margin could _indirectly_ collapse with the parent. Use the previous siblings
+        to check for margin collapsing.
+
+        Test: fast/block/block-only/collapsed-through-siblings.html
+
+        * layout/blockformatting/BlockFormattingContext.cpp:
+        (WebCore::Layout::BlockFormattingContext::adjustedVerticalPositionAfterMarginCollapsing const):
+        * page/FrameViewLayoutContext.cpp:
+        (WebCore::layoutUsingFormattingContext):
+
+2019-01-10  Alicia Boya García  <aboya@igalia.com>
+
+        [MSE][GStreamer] Use GRefPtr in AppendPipeline::pushNewBuffer()
+        https://bugs.webkit.org/show_bug.cgi?id=192934
+
+        Reviewed by Xabier Rodriguez-Calvar.
+
+        * platform/graphics/gstreamer/mse/AppendPipeline.cpp:
+        (WebCore::AppendPipeline::pushNewBuffer):
+        * platform/graphics/gstreamer/mse/AppendPipeline.h:
+        * platform/graphics/gstreamer/mse/MediaSourceClientGStreamerMSE.cpp:
+        (WebCore::MediaSourceClientGStreamerMSE::append):
+
+2019-01-10  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [FreeType] Color emoji not properly supported
+        https://bugs.webkit.org/show_bug.cgi?id=191976
+
+        Reviewed by Michael Catanzaro.
+
+        Always try to fallback to a colored font for emojis.
+
+        Test: platform/gtk/fonts/font-emoji-system-fallback.html
+
+        * platform/graphics/ComplexTextController.cpp:
+        (WebCore::advanceByCombiningCharacterSequence): Group regional indicators in pairs.
+        * platform/graphics/Font.cpp:
+        (WebCore::CharacterFallbackMapKey::CharacterFallbackMapKey):
+        (WebCore::Font::systemFallbackFontForCharacter const): Pass PreferColoredFont::No to FontCache::systemFallbackForCharacters.
+        * platform/graphics/Font.h: Add IsForPlatformFont enum to replace the bool parameter in systemFallbackFontForCharacter().
+        * platform/graphics/FontCache.h:
+        * platform/graphics/FontCascadeFonts.cpp:
+        (WebCore::FontCascadeFonts::glyphDataForSystemFallback):
+        * platform/graphics/cairo/FontCairoHarfbuzzNG.cpp:
+        (WebCore::characterSequenceIsEmoji): Check whether the character sequence is an emoji.
+        (WebCore::FontCascade::fontForCombiningCharacterSequence const): In case of emojis try to fallback to a colored
+        font even if base font can render the emoji in black and white.
+        * platform/graphics/cocoa/FontCacheCoreText.cpp:
+        (WebCore::FontCache::systemFallbackForCharacters): Add PreferColoredFont parameter that is ignored.
+        * platform/graphics/freetype/FontCacheFreeType.cpp:
+        (WebCore::FontCache::systemFallbackForCharacters): Add PreferColoredFont parameter.
+        * platform/graphics/freetype/FontPlatformDataFreeType.cpp:
+        (WebCore::FontPlatformData::FontPlatformData): Initialize m_isColorBitmapFont.
+        * platform/graphics/freetype/SimpleFontDataFreeType.cpp:
+        (WebCore::Font::variantCapsSupportsCharacterForSynthesis const): Moved from cross-platform file.
+        (WebCore::Font::platformSupportsCodePoint const): Add freetype implementation.
+        * platform/graphics/win/FontCacheWin.cpp:
+        (WebCore::FontCache::systemFallbackForCharacters): Add PreferColoredFont parameter that is ignored.
+        * platform/text/CharacterProperties.h:
+        (WebCore::isEmojiKeycapBase):
+        (WebCore::isEmojiRegionalIndicator):
+        (WebCore::isEmojiWithPresentationByDefault):
+        (WebCore::isEmojiModifierBase):
+
+2019-01-09  Antoine Quint  <graouts@apple.com>
+
+        [Web Animations] Audit Web Animations classes for memory reduction
+        https://bugs.webkit.org/show_bug.cgi?id=193195
+
+        Reviewed by Simon Fraser and Yusuke Suzuki.
+
+        The classes, enums and structs added to support Web Animations were not as memory-efficient as they could be. We now order
+        members in a way that reduces padding, use Markable<T, Traits> instead of Optional<T> where applicable, declare enums as uint8_t
+        and removed unnecessary members.
+
+        As a result, classes and structs have shrunk as follows:
+
+        WebAnimation: 256 > 216
+        DeclarativeAnimation: 392 > 344
+        CSSAnimation: 416 > 368
+        CSSTransition: 440 > 392
+        AnimationEffect: 88 > 72
+        KeyframeEffect: 208 > 184
+        AnimationPlaybackEvent: 104 > 88
+        EffectTiming: 72 > 64
+        ComputedEffectTiming: 136 > 112
+        AnimationTimeline: 264 > 248
+        DocumentTimeline: 496 > 464
+        OptionalEffectTiming: 112 > 80
+        BaseKeyframe: 32 > 24
+        ParsedKeyframe: 80 > 72
+        BaseComputedKeyframe: 40 > 32
+
+        * animation/AnimationEffect.h: Order members in decreasing size, except for m_fill and m_direction, which we put at the top to
+        save 8 bytes (2 bytes of padding instead of 4 before m_animation and saving 6 bytes of padding at the end).
+        * animation/AnimationPlaybackEvent.cpp:
+        (WebCore::AnimationPlaybackEvent::AnimationPlaybackEvent):
+        * animation/AnimationPlaybackEvent.h:
+        * animation/AnimationPlaybackEventInit.h:
+        * animation/AnimationTimeline.cpp:
+        (WebCore::AnimationTimeline::AnimationTimeline):
+        (WebCore::AnimationTimeline::updateCSSTransitionsForElement):
+        * animation/AnimationTimeline.h: We remove the m_classType member and instead make isDocumentTimeline() virtual.
+        (WebCore::AnimationTimeline::isDocumentTimeline const):
+        (): Deleted.
+        (WebCore::AnimationTimeline::classType const): Deleted.
+        * animation/CompositeOperation.h:
+        * animation/CompositeOperationOrAuto.h:
+        * animation/ComputedEffectTiming.h:
+        * animation/DeclarativeAnimation.cpp:
+        (WebCore::DeclarativeAnimation::DeclarativeAnimation):
+        (WebCore::DeclarativeAnimation::invalidateDOMEvents):
+        * animation/DeclarativeAnimation.h: We keep m_wasPending and m_previousPhase at the top to save some padding at the end.
+        * animation/DocumentTimeline.cpp:
+        (WebCore::DocumentTimeline::DocumentTimeline):
+        * animation/DocumentTimeline.h:
+        * animation/EffectTiming.h:
+        * animation/FillMode.h:
+        * animation/IterationCompositeOperation.h:
+        * animation/KeyframeEffect.cpp:
+        (WebCore::computeMissingKeyframeOffsets):
+        (WebCore::KeyframeEffect::create):
+        (WebCore::KeyframeEffect::KeyframeEffect):
+        * animation/KeyframeEffect.h:
+        * animation/OptionalEffectTiming.h:
+        * animation/PlaybackDirection.h:
+        * animation/WebAnimation.h:
+        * animation/WebAnimationUtilities.h:
+        (WebCore::WebAnimationsMarkableDoubleTraits::isEmptyValue):
+        (WebCore::WebAnimationsMarkableDoubleTraits::emptyValue):
+
+2019-01-09  Ryosuke Niwa  <rniwa@webkit.org>
+
+        ThreadTimers should not store a raw pointer in its heap
+        https://bugs.webkit.org/show_bug.cgi?id=192975
+        <rdar://problem/46893946>
+
+        Reviewed by Geoffrey Garen.
+
+        Right now, ThreadTimers's heap data structure stores a raw pointer to TimerBase. In order to harden the timer code,
+        this patch replaces it with ThreadTimerHeapItem, a newly introduced struct, which effectively acks like
+        WeakReference<TimerBase*> as the timer heap and TimerBase both store RefPtr to it, and TimerBase's destructor clears
+        the raw pointer back to TimerBase*.
+
+        This approach was taken instead of an out-right adoptation of WeakPtr since the heap data structure requires each node
+        in the heap to have a fixed "priority" yet WeakPtr with no valid pointer back to TimerBase would effectively lose its
+        "priority" thereby corrupting the heap data structure. That is, each item in the heap must remember its fire time and
+        insertion order even when the underlying TimerBase had gone away (this should never happen but the whole point of this
+        hardening is to make it work even in the precense of such a bug).
+
+        This patch also moves the heap index in TimerBase to ThreadTimerHeapItem, and replaces the pointer to the heap vector
+        in TimerBase by a reference to ThreadTimers in ThreadTimerHeapItem. Note that ThreadTimers is a per-thread singleton.
+
+        The correctness of this hardening was tested by commenting out the call to stop() and !isInHeap() assertion in
+        TimerBase::~TimerBase() as well as the !isInHeap() assertion in ThreadTimerHeapItem::clearTimer() and observing that
+        layout tests run successfully without hitting any debug assertions.
+
+        No new tests since there should be no observable behavior difference.
+
+        * WebCore.xcodeproj/project.pbxproj: Export ThreadTimers.h as a private header since it's now included in Timer.h
+        * platform/ThreadTimers.cpp:
+        (WebCore::ThreadTimers::updateSharedTimer): Delete ThreadTimerHeapItem's with nullptr TimerBase* (TimerBase had
+        already been deleted). This should only happen when TimerBase's destructor failed to remove itself from the timer heap,
+        which should never happen.
+        (WebCore::ThreadTimers::sharedTimerFiredInternal): Ditto. Also removed the redundant code which had removed the timer
+        from the heap since setNextFireTime does the removal already.
+        * platform/ThreadTimers.h: Outdented the whole file.
+        (WebCore::ThreadTimers::timerHeap): We use Vector<RefPtr<ThreadTimerHeapItem>> instead of Vector<Ref<~>> since Ref<~>
+        doesn't have a copy constructor which is used by std::push_heap.
+        (WebCore::ThreadTimerHeapItem): Added.
+        (WebCore::ThreadTimerHeapItem::hasTimer const): Added.
+        (WebCore::ThreadTimerHeapItem::setNotInHeap): Added. ThreadTimerHeapItem uses unsigned -1 as the single value which
+        signifies the item not being in the heap instead of all negative values as in the old code in TimerBase.
+        (WebCore::ThreadTimerHeapItem::isInHeap const): Added.
+        (WebCore::ThreadTimerHeapItem::isFirstInHeap const): Added.
+        (WebCore::ThreadTimerHeapItem::timer): Added.
+        (WebCore::ThreadTimerHeapItem::clearTimer): Added.
+        (WebCore::ThreadTimerHeapItem::heapIndex const): Added.
+        (WebCore::ThreadTimerHeapItem::setHeapIndex): Added.
+        (WebCore::ThreadTimerHeapItem::timerHeap const): Added.
+        * platform/Timer.cpp:
+        (WebCore::threadGlobalTimerHeap): This function is now only used in assertions.
+        (WebCore::ThreadTimerHeapItem::ThreadTimerHeapItem): Added.
+        (WebCore::ThreadTimerHeapItem::create): Added.
+        (WebCore::TimerHeapPointer::TimerHeapPointer):
+        (WebCore::TimerHeapPointer::operator-> const):
+        (WebCore::TimerHeapReference::TimerHeapReference): Added a copy constructor.
+        (WebCore::TimerHeapReference::copyRef const): Added.
+        (WebCore::TimerHeapReference::operator RefPtr<ThreadTimerHeapItem>& const):
+        (WebCore::TimerHeapPointer::operator* const):
+        (WebCore::TimerHeapReference::operator=): Use move assignment operator.
+        (WebCore::TimerHeapReference::swapWith):
+        (WebCore::TimerHeapReference::updateHeapIndex): Extracted to share code between two verions of operator=.
+        (WebCore::swap):
+        (WebCore::TimerHeapIterator::TimerHeapIterator):
+        (WebCore::TimerHeapIterator::operator-> const):
+        (WebCore::TimerHeapLessThanFunction::compare): Added variants which take RefPtr<ThreadTimerHeapItem>.
+        (WebCore::TimerHeapLessThanFunction::operator() const):
+        (WebCore::TimerBase::TimerBase):
+        (WebCore::TimerBase::~TimerBase):Clear the raw pointer in ThreadTimerHeapItem.
+        (WebCore::TimerBase::stop):
+        (WebCore::TimerBase::nextFireInterval const):
+        (WebCore::TimerBase::checkHeapIndex const): Added the consistency check for other items in the heap.
+        (WebCore::TimerBase::checkConsistency const):
+        (WebCore::TimerBase::heapDecreaseKey):
+        (WebCore::TimerBase::heapDelete):
+        (WebCore::TimerBase::heapDeleteMin):
+        (WebCore::TimerBase::heapIncreaseKey):
+        (WebCore::TimerBase::heapInsert):
+        (WebCore::TimerBase::heapPop):
+        (WebCore::TimerBase::heapPopMin):
+        (WebCore::TimerBase::heapDeleteNullMin): Added. Used to delete ThreadTimerHeapItem which no longer has a valid TimerBase.
+        (WebCore::parentHeapPropertyHolds):
+        (WebCore::childHeapPropertyHolds):
+        (WebCore::TimerBase::hasValidHeapPosition const):
+        (WebCore::TimerBase::updateHeapIfNeeded): Tweaked the heap index assertion as heapIndex() itself would assert when called
+        on an item with an invalid (-1) heap index.
+        (WebCore::TimerBase::setNextFireTime): Create ThreadTimerHeapItem. Note m_heapItem is never cleared until this TimerBase
+        is deleted.
+        (WebCore::TimerHeapReference::operator TimerBase* const): Deleted.
+        * platform/Timer.h:
+        (WebCore::TimerBase): Replaced m_nextFireTime, m_heapIndex, m_heapInsertionOrder, and m_cachedThreadGlobalTimerHeap
+        by m_heapItem, RefPtr to an ThreadTimerHeapItem.
+        (WebCore::TimerBase::augmentFireInterval):
+        (WebCore::TimerBase::inHeap const):
+        (WebCore::TimerBase::nextFireTime const):
+        (WebCore::TimerBase::isActive const):
+        (WebCore::TimerBase:: const): Deleted.
+
+2019-01-09  Alex Christensen  <achristensen@webkit.org>
+
+        REGRESSION(239737) iOS quicklook tests should not dereference null
+        https://bugs.webkit.org/show_bug.cgi?id=193307
+
+        Reviewed by Brent Fulgham.
+
+        The quicklook tests rely on ResourceHandle on iOS for some reason.
+        This is a problem we'll fix later, but for now keep them working by not crashing.
+
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::ResourceHandle::createNSURLConnection):
+        (WebCore::ResourceHandle::start):
+        (WebCore::ResourceHandle::willSendRequest):
+        (WebCore::ResourceHandle::tryHandlePasswordBasedAuthentication):
+        (WebCore::ResourceHandle::receivedCredential):
+
+2019-01-09  Zalan Bujtas  <zalan@apple.com>
+
+        [Datalist] Crash when input with datalist is dynamically added.
+        https://bugs.webkit.org/show_bug.cgi?id=193012
+        <rdar://problem/45923457>
+
+        Reviewed by Brent Fulgham.
+
+        In certain cases (cloning, setAttribute), it's too early to check for the list attribute in createShadowSubtree
+        to see whether the input needs datalist related items. The list attribute is simply not set yet.
+        This patch only addresses the obvious crash. m_dataListDropdownIndicator clearly lacks proper lifecycle management (see webkit.org/b/193032). 
+
+        Test: fast/forms/datalist/datalist-crash-when-dynamic.html
+
+        * html/TextFieldInputType.cpp:
+        (WebCore::TextFieldInputType::createShadowSubtree):
+        (WebCore::TextFieldInputType::attributeChanged):
+        (WebCore::TextFieldInputType::createDataListDropdownIndicator):
+        * html/TextFieldInputType.h:
+
+2019-01-09  Justin Fan  <justin_fan@apple.com>
+
+        [WebGPU] Fix vertex-buffer-triangle-strip test and small update to GPURenderPipeline
+        https://bugs.webkit.org/show_bug.cgi?id=193289
+
+        Reviewed by Dean Jackson.
+
+        Fix broken test after pipeline layouts were added, and a small refactoring to GPURenderPipeline to avoid
+        retaining its descriptor after creation.
+
+        * platform/graphics/gpu/GPURenderPipeline.h:
+        (WebCore::GPURenderPipeline::primitiveTopology const):
+        * platform/graphics/gpu/cocoa/GPURenderPipelineMetal.mm:
+        (WebCore::GPURenderPipeline::GPURenderPipeline):
+
+2019-01-09  Devin Rousso  <drousso@apple.com>
+
+        Web Inspector: Protocol Logging: log messages as objects if inspector^2 is open
+        https://bugs.webkit.org/show_bug.cgi?id=193284
+
+        Reviewed by Joseph Pecoraro.
+
+        No newe tests, as this is simply exposes a value.
+
+        * inspector/InspectorFrontendHost.idl:
+        * inspector/InspectorFrontendHost.h:
+        * inspector/InspectorFrontendHost.cpp:
+        (WebCore::InspectorFrontendHost::isBeingInspected): Added.
+
+2019-01-09  Zalan Bujtas  <zalan@apple.com>
+
+        [LFC][BFC][MarginCollapsing] Add support for peculiar cases.
+        https://bugs.webkit.org/show_bug.cgi?id=192625
+
+        Reviewed by Antti Koivisto.
+
+        Implement some of the more peculiar cases like margin collpasing through multiple boxes etc.
+        Add ~100 new passing cases.
+
+        * layout/FormattingContextGeometry.cpp:
+        (WebCore::Layout::FormattingContext::Geometry::inlineReplacedHeightAndMargin):
+        * layout/LayoutState.h:
+        (WebCore::Layout::LayoutState::hasFormattingState const):
+        * layout/MarginTypes.h:
+        * layout/blockformatting/BlockFormattingContext.cpp:
+        (WebCore::Layout::BlockFormattingContext::computeEstimatedMarginBefore const):
+        (WebCore::Layout::BlockFormattingContext::computeEstimatedMarginBeforeForAncestors const):
+        (WebCore::Layout::hasPrecomputedMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::computeFloatingPosition const):
+        (WebCore::Layout::BlockFormattingContext::computePositionToAvoidFloats const):
+        (WebCore::Layout::BlockFormattingContext::computeVerticalPositionForFloatClear const):
+        (WebCore::Layout::BlockFormattingContext::computeHeightAndMargin const):
+        (WebCore::Layout::BlockFormattingContext::adjustedVerticalPositionAfterMarginCollapsing const):
+        * layout/blockformatting/BlockFormattingContext.h:
+        (WebCore::Layout::BlockFormattingContext::blockFormattingState const):
+        * layout/blockformatting/BlockFormattingContextGeometry.cpp:
+        (WebCore::Layout::BlockFormattingContext::Geometry::inFlowNonReplacedHeightAndMargin):
+        (WebCore::Layout::BlockFormattingContext::Geometry::inFlowHeightAndMargin):
+        (WebCore::Layout::BlockFormattingContext::Geometry::estimatedMarginBefore): Deleted.
+        (WebCore::Layout::BlockFormattingContext::Geometry::estimatedMarginAfter): Deleted.
+        * layout/blockformatting/BlockFormattingContextQuirks.cpp:
+        (WebCore::Layout::BlockFormattingContext::Quirks::stretchedInFlowHeight):
+        (WebCore::Layout::BlockFormattingContext::Quirks::shouldIgnoreMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::Quirks::stretchedHeight): Deleted.
+        * layout/blockformatting/BlockFormattingState.h:
+        (WebCore::Layout::BlockFormattingState::setPositiveAndNegativeVerticalMargin):
+        (WebCore::Layout::BlockFormattingState::hasPositiveAndNegativeVerticalMargin const):
+        (WebCore::Layout::BlockFormattingState::positiveAndNegativeVerticalMargin const):
+        (WebCore::Layout::BlockFormattingState::setHasEstimatedMarginBefore):
+        (WebCore::Layout::BlockFormattingState::clearHasEstimatedMarginBefore):
+        (WebCore::Layout::BlockFormattingState::hasEstimatedMarginBefore const):
+        * layout/blockformatting/BlockMarginCollapse.cpp:
+        (WebCore::Layout::hasClearance):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithParentMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithParentMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithPreviousSiblingMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithFirstInFlowChildMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithSiblingMarginBeforeWithClearance):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithParentMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithLastInFlowChildMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithNextSiblingMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginsCollapseThrough):
+        (WebCore::Layout::computedPositiveAndNegativeMargin):
+        (WebCore::Layout::marginValue):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::updateCollapsedMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::positiveNegativeValues):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::positiveNegativeMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::positiveNegativeMarginAfter):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::estimatedMarginBefore):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::collapsedVerticalValues):
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::computedNonCollapsedMarginBefore): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::computedNonCollapsedMarginAfter): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::nonCollapsedMarginBefore): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::nonCollapsedMarginAfter): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::collapsedMarginBeforeFromFirstChild): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::collapsedMarginAfterFromLastChild): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBeforeCollapsesWithPreviousSibling): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfterCollapsesWithNextSibling): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginBefore): Deleted.
+        (WebCore::Layout::BlockFormattingContext::MarginCollapse::marginAfter): Deleted.
+        * layout/displaytree/DisplayBox.cpp:
+        (WebCore::Display::Box::Box):
+        * layout/displaytree/DisplayBox.h:
+        (WebCore::Display::Box::hasClearance const):
+        (WebCore::Display::Box::setEstimatedMarginBefore):
+        (WebCore::Display::Box::estimatedMarginBefore const):
+        (WebCore::Display::Box::setHasClearance):
+        (WebCore::Display::Box::invalidateEstimatedMarginBefore):
+        (WebCore::Display::Box::setVerticalMargin):
+        (WebCore::Display::Box::rectWithMargin const):
+        * layout/floats/FloatingContext.cpp:
+        (WebCore::Layout::FloatingContext::verticalPositionWithClearance const):
+        * layout/inlineformatting/InlineFormattingContext.cpp:
+        (WebCore::Layout::InlineFormattingContext::collectInlineContentForSubtree const):
+
+2019-01-09  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        REGRESSION(r239156): [FreeType] fixed width, and synthetic bold/italic not correctly applied since r239156
+        https://bugs.webkit.org/show_bug.cgi?id=193276
+
+        Reviewed by Žan Doberšek.
+
+        FontCache::createFontPlatformData() is calling getFontPropertiesFromPattern() with the configure pattern instead
+        of the result one after the match.
+
+        * platform/graphics/freetype/FontCacheFreeType.cpp:
+        (WebCore::FontCache::createFontPlatformData):
+
+2019-01-08  Dean Jackson  <dino@apple.com>
+
+        Blob references for System Previews don't get a correct file extension
+        https://bugs.webkit.org/show_bug.cgi?id=193268
+        <rdar://problem/47133037>
+
+        Reviewed by Tim Horton.
+
+        Apple platforms don't yet have a mapping from the USD MIME type to
+        file extensions (and we support some non-standard MIME types), which
+        means that downloads from Blob references don't get correctly named.
+
+        Fix this by adding an explicit mapping between System Preview types
+        and ".usdz".
+
+        WebKit API test: _WKDownload.SystemPreviewUSDZBlobNaming
+
+        * platform/MIMETypeRegistry.cpp:
+        (WebCore::MIMETypeRegistry::isSystemPreviewMIMEType): Remove USE(SYSTEM_PREVIEW) since
+        this applies to macOS and iOS now.
+        * platform/MIMETypeRegistry.h:
+        * platform/cocoa/MIMETypeRegistryCocoa.mm:
+        (WebCore::MIMETypeRegistry::getPreferredExtensionForMIMEType): Add a mapping
+        for USDZ.
+
+2019-01-08  Tim Horton  <timothy_horton@apple.com>
+
+        Editable images sometimes don't become focused when tapped
+        https://bugs.webkit.org/show_bug.cgi?id=193259
+        <rdar://problem/47038424>
+
+        Reviewed by Wenson Hsieh.
+
+        Often when tapping an editable image inside an editable text area, the
+        text area's selection will change instead of focusing the editable image.
+
+        No new tests; I have had no luck writing a test that reliably failed 
+        beforehand (the "sometimes" is a problem).
+
+        * html/HTMLImageElement.cpp:
+        (WebCore::HTMLImageElement::defaultEventHandler):
+        * html/HTMLImageElement.h:
+        Override mousedown on editable images, focus the image, and prevent
+        the default behavior.
+
+2019-01-08  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Support U2F HID Authenticators on macOS
+        https://bugs.webkit.org/show_bug.cgi?id=191535
+        <rdar://problem/47102027>
+
+        Reviewed by Brent Fulgham.
+
+        This patch changes U2fCommandConstructor to produce register commands with
+        enforcing test of user presence. Otherwise, authenticators would silently
+        generate credentials. It also renames readFromU2fSignResponse to
+        readU2fSignResponse.
+
+        Tests: http/wpt/webauthn/public-key-credential-create-failure-u2f-silent.https.html
+               http/wpt/webauthn/public-key-credential-create-failure-u2f.https.html
+               http/wpt/webauthn/public-key-credential-create-success-u2f.https.html
+               http/wpt/webauthn/public-key-credential-get-failure-u2f-silent.https.html
+               http/wpt/webauthn/public-key-credential-get-failure-u2f.https.html
+               http/wpt/webauthn/public-key-credential-get-success-u2f.https.html
+
+        * Modules/webauthn/fido/U2fCommandConstructor.cpp:
+        (fido::WebCore::constructU2fRegisterCommand):
+        * Modules/webauthn/fido/U2fResponseConverter.cpp:
+        (fido::readU2fSignResponse):
+        (fido::readFromU2fSignResponse): Deleted.
+        * Modules/webauthn/fido/U2fResponseConverter.h:
+
 2019-01-08  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         [iOS] Dispatch a synthetic mousedown event prior to starting drags
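Review bot: The first entry in this hunk (2019-01-09, Dean Jackson, WebCore::GraphicsLayerCA::updateBackdropFilters) has no test line, while other entries here either name a test or explain its absence ("No new tests since there should be no observable behavior difference."). Because the fix is described as speculative, the entry should say whether a reproduction was attempted and why no regression test accompanies it. The phrase "bail if the rectangle is incorrect" is also left undefined: the entry lists three suspected causes (negative width or height, float values too large for integers, the product of the two overflowing), so state which of them the new early return rejects and which are left to RecordOverflow. That lets a later reader tell whether a recurrence of this crash signature means an uncovered case or a different bug.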