DFG backends shouldn't emit type checks at KnownBlah edges
https://bugs.webkit.org/show_bug.cgi?id=157025

Reviewed by Michael Saboff.

This fixes a crash I found when browsing Bing maps with forceEagerCompilation. I include a
100% repro test case.

The issue is that our code still doesn't fully appreciate the devious implications of
KnownBlah use kinds. Consider KnownCell for example. It means: "trust me, I know that this
value will be a cell". You aren't required to provide a proof when you use KnownCell. Often,
we use it as a result of a path-sensitive proof. The abstract interpreter is not
path-sensitive, so AI will be absolutely sure that the KnownCell use might see a non-cell.
This can lead to debug assertions (which this change removes) and it can lead to the backends
emitting a type check. That type check can be pure evil if the node that has this edge does
not have an exit origin. Such a node would have passed validation because the validater would
have thought that the node cannot exit (after all, according to the IR semantics, there is no
speculation at KnownCell).

This comprehensively fixes the issue by recognizing that Foo(KnownCell:@x) means: I have
already proved that by the time you start executing Foo, @x will already be a cell. I cannot
tell you how I proved this but you can rely on it anyway. AI now takes advantage of this
meaning and will always do filtering of KnownBlah edges regardless of whether the backend
actually emits any type checks for those edges. Since the filtering runs before the backend,
the backend will not emit any checks because it will know that the edge was already checked
(by whatever mechanism we used when we made the edge KnownBlah).

Note that it's good that we found this bug now. The DFG currently does very few
sparse-conditional or path-sensitive optimizations, but it will probably do more in the
future. The bug happens because GetByOffset and friends can achieve path-sensitive proofs via
watchpoints on the inferred type. Normally, AI can follow along with this proof. But in the
example program, and on Bing maps, we would GCSE one GetByOffset with another that had a
weaker proven type. That turned out to be completely sound - between the two GetByOffset's
there was a Branch to null check it. The inferred type of the second GetByOffset ended up
knowing that it cannot be null because null only occurred in some structures but not others.
If we added more sparse-conditional stuff to Branch, then AI would know how to follow along
with the proof but it would also create more situations where we'd have a path-sensitive
proof. So, it's good that we're now getting this right.

* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::filterEdgeByUse):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEdges):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeKnownEdgeTypes):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
* tests/stress/path-sensitive-known-cell-crash.js: Added.
(bar):
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200096 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Enable separated heap by default on ios
https://bugs.webkit.org/show_bug.cgi?id=156720

Unreviewed rollout - caused memory regression.

* runtime/Options.cpp:
(JSC::recomputeDependentOptions):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200095 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Make FontPlatformData immutable
https://bugs.webkit.org/show_bug.cgi?id=157024

Reviewed by Darin Adler.

This patch deletes all functions which modify a FontPlatformData once
it has been created. This makes for a cleaner design.

No new tests because there is no behavior change.

* platform/graphics/Font.cpp:
(WebCore::Font::verticalRightOrientationFont):
(WebCore::Font::nonSyntheticItalicFont):
* platform/graphics/FontPlatformData.cpp:
(WebCore::FontPlatformData::FontPlatformData):
(WebCore::FontPlatformData::cloneWithOrientation):
(WebCore::FontPlatformData::cloneWithSyntheticOblique):
* platform/graphics/FontPlatformData.h:
(WebCore::FontPlatformData::setIsSystemFont): Deleted.
(WebCore::FontPlatformData::setSize): Deleted.
(WebCore::FontPlatformData::setOrientation): Deleted.
(WebCore::FontPlatformData::setSyntheticOblique): Deleted.
* platform/graphics/cocoa/FontCacheCoreText.cpp:
(WebCore::FontCache::systemFallbackForCharacters):
* platform/graphics/cocoa/FontCascadeCocoa.mm:
(WebCore::FontCascade::drawGlyphs):
* platform/graphics/cocoa/FontCocoa.mm:
(WebCore::Font::platformInit):
(WebCore::Font::platformCharWidthInit):
(WebCore::createDerivativeFont):
(WebCore::Font::createFontWithoutSynthesizableFeatures):
(WebCore::Font::platformCreateScaledFont):
(WebCore::Font::platformWidthForGlyph):
* platform/graphics/cocoa/FontPlatformDataCocoa.mm:
(WebCore::FontPlatformData::openTypeTable):
* platform/graphics/win/FontPlatformDataCairoWin.cpp:
(WebCore::FontPlatformData::platformDataInit):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200094 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Unreviewed, rolling out r200089.

This change causes API test failures

Reverted changeset:

"WebCore on Mac ignores the user's preferred region (country)
while getting the language"
https://bugs.webkit.org/show_bug.cgi?id=156993
http://trac.webkit.org/changeset/200089

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200093 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Improve jsc --help and making sampling options
https://bugs.webkit.org/show_bug.cgi?id=157015

Patch by Joseph Pecoraro <pecoraro@apple.com> on 2016-04-26
Reviewed by Saam Barati.

Simplify sampling options to be easier to remember:

  * --reportSamplingProfilerData => --sample
  * --samplingProfilerTimingInterval => --sampleInterval

Update the --help to mention --sample, and restore the behavior of
--options outputing all possible options so you can discover which
options are available.

* jsc.cpp:
(printUsageStatement):
(CommandLine::parseArguments):
Improve help and modify option dumping.

* runtime/Options.h:
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::SamplingProfiler):
Rename the sampling interval option.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200092 268f45cc-cd09-0410-ab3c-d52691b4dbfc

GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight()
https://bugs.webkit.org/show_bug.cgi?id=157020
<rdar://problem/25148315>

Reviewed by Darin Adler.

Calls to setIntegralAttribute triggers event handling code, which can cause
the underlying m_frameOwnerElement member to be deleted. We could clone this
object, but since we only want the width and height we should just read them
while we know the object is in a good state, then execute the potentially
mutating methods.

Tested by imported/blink/fast/dom/HTMLBodyElement/body-inserting-iframe-crash.html.

* html/HTMLBodyElement.cpp:
(WebCore::HTMLBodyElement::insertedInto): Read margin width and height before
calling setIntegralAttribute.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200091 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Chart status should always be computed against prior values
https://bugs.webkit.org/show_bug.cgi?id=157014

Reviewed by Darin Adler.

Compare the current value against the last baseline or target value that appear before the current value in time
so that the comparison stay the same even when new baseline and target values are reported. Also include the compared
baseline or target value in the label for clarity.

* public/v3/components/chart-status-view.js:
(ChartStatusView.prototype._computeChartStatus):
(ChartStatusView.prototype._computeChartStatus.labelForDiff):
(ChartStatusView.prototype._findLastPointPriorToTime): Extracted from _relativeDifferenceToLaterPointInTimeSeries.
Now finds the last point before the current point's time if there is any, or the last point in baseline / target.
(ChartStatusView.prototype._relativeDifferenceToLaterPointInTimeSeries): Deleted.
* public/v3/models/metric.js:
(Metric.prototype.makeFormatter): Don't use SI units for unit-less metrics.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200090 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebCore on Mac ignores the user's preferred region (country) while getting the language
https://bugs.webkit.org/show_bug.cgi?id=156993

Reviewed by Geoffrey Garen.

I don't know how to test this since this depends on user settings.

WebCore was previously getting the list of preferred languages, and for each one, deducing
the default region. That's wrong, since for example it doesn't respect the user's choice (in
System Preferences) to display dates/calenders/etc according to a different region (like how
I have my machine set to en-pl right now).

It might be possible for the country code we get via kCFLocaleCountryCode to be something
that our ICU doesn't handle. To defend against this, we search for the resulting country
code in ICU's ISO countries list. If it doesn't appear in that list, we fall back on old
behavior.

* platform/mac/Language.mm:
(WebCore::httpStyleLanguageCode):
(WebCore::platformUserPreferredLanguages):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200089 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[Web IDL] Specify default values for optional parameters of TypedArray types
https://bugs.webkit.org/show_bug.cgi?id=157017

Reviewed by Darin Adler.

Specify default values for optional parameters of TypedArray types and let
the bindings generator use WTF::Optional<> for the ones that do not have a
default value.

* bindings/scripts/CodeGeneratorJS.pm:
(CanUseWTFOptionalForParameter): Deleted.
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::webkitGenerateKeyRequest):
(WebCore::HTMLMediaElement::webkitAddKey):
(WebCore::HTMLMediaElement::webkitCancelKeyRequest): Deleted.
* html/HTMLMediaElement.h:
* html/HTMLMediaElement.idl:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200088 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[Web IDL] Specify default values for optional parameters of type 'long' / 'unrestricted double'
https://bugs.webkit.org/show_bug.cgi?id=157012

Reviewed by Darin Adler.

Specify default values for optional parameters of type 'long' / 'unrestricted double'
and let the bindings generator use WTF::Optional<> for the ones that do not have a
default value.

* Modules/mediastream/RTCDTMFSender.cpp:
(WebCore::RTCDTMFSender::insertDTMF):
(WebCore::RTCDTMFSender::didPlayTone): Deleted.
* Modules/mediastream/RTCDTMFSender.h:
* Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::start):
(WebCore::AudioBufferSourceNode::startPlaying): Deleted.
* Modules/webaudio/AudioBufferSourceNode.h:
* Modules/webaudio/AudioBufferSourceNode.idl:
* Modules/webaudio/AudioContext.cpp:
(WebCore::AudioContext::createDelay): Deleted.
* Modules/webaudio/AudioContext.h:
* Modules/webaudio/AudioContext.idl:
* Modules/webaudio/AudioScheduledSourceNode.cpp:
(WebCore::AudioScheduledSourceNode::start): Deleted.
(WebCore::AudioScheduledSourceNode::stop): Deleted.
* Modules/webaudio/AudioScheduledSourceNode.h:
* Modules/webaudio/OscillatorNode.idl:
* bindings/scripts/CodeGeneratorJS.pm:
(CanUseWTFOptionalForParameter): Deleted.
* bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::jsTestObjPrototypeFunctionMethodWithOptionalArg):
(WebCore::jsTestObjPrototypeFunctionMethodWithNonOptionalArgAndOptionalArg):
(WebCore::jsTestObjPrototypeFunctionMethodWithNonOptionalArgAndTwoOptionalArgs):
(WebCore::jsTestObjPrototypeFunctionOverloadedMethod2):
(WebCore::jsTestObjPrototypeFunctionOverloadedMethodWithOptionalParameter2):
(WebCore::jsTestObjConstructorFunctionClassMethodWithOptional):
(WebCore::jsTestObjPrototypeFunctionTestPromiseFunctionWithOptionalIntArgumentPromise):
(WebCore::jsTestObjPrototypeFunctionMethodWithOptionalArgAndDefaultValue): Deleted.
(WebCore::jsTestObjPrototypeFunctionMethodWithOptionalString): Deleted.
(WebCore::jsTestObjPrototypeFunctionOverloadedMethod4): Deleted.
(WebCore::jsTestObjConstructorFunctionClassMethod2): Deleted.
(WebCore::jsTestObjConstructorFunctionOverloadedMethod1): Deleted.
(WebCore::jsTestObjPrototypeFunctionTestPromiseOverloadedFunction2Promise): Deleted.
* html/HTMLInputElement.idl:
* page/WindowTimers.idl:
* testing/Internals.h:
* testing/Internals.idl:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200087 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Web Inspector: Clarify Heap Snapshot instance Retained Size by hiding retained size of non-dominated children
https://bugs.webkit.org/show_bug.cgi?id=157018

Patch by Joseph Pecoraro <pecoraro@apple.com> on 2016-04-26
Reviewed by Timothy Hatcher.

* UserInterface/Proxies/HeapSnapshotNodeProxy.js:
(WebInspector.HeapSnapshotNodeProxy):
(WebInspector.HeapSnapshotNodeProxy.deserialize):
* UserInterface/Workers/HeapSnapshot/HeapSnapshot.js:
(HeapSnapshot.prototype.serializeNode):
Include dominatorNodeIdentifier in the default proxy properties.

* UserInterface/Views/HeapSnapshotInstanceDataGridNode.js:
(WebInspector.HeapSnapshotInstanceDataGridNode):
(WebInspector.HeapSnapshotInstanceDataGridNode.prototype.get node):
(WebInspector.HeapSnapshotInstanceDataGridNode.prototype.createCellContent):
(WebInspector.HeapSnapshotInstanceDataGridNode.prototype._isDominatedByBase):
(WebInspector.HeapSnapshotInstanceDataGridNode.prototype._isDominatedByNonBaseParent):
(WebInspector.HeapSnapshotInstanceDataGridNode.prototype._populate):
* UserInterface/Views/HeapSnapshotInstancesContentView.css:
(.heap-snapshot > .data-grid td .sub-retained):
Save the base HeapSnapshotInstanceDataGridNode so that it can be referenced by
children. When expanding an instance, hide the retained size for children
that are not dominated by the base object. Show the retained size for children
for children that are dominated. If dominated directly, show the size in the
normal black. If dominated transitively, show the size in a dimmed gray.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200086 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[WinCairo][WebGL] Enable ESSL and GLSL translators.
https://bugs.webkit.org/show_bug.cgi?id=157002

Reviewed by Darin Adler.

Enable support for ESSL and GLSL translators, and add missing files.

* CMakeLists.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200085 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Unreviewed, rolling out r200083.
https://bugs.webkit.org/show_bug.cgi?id=157033

 It brokes the debug build (Requested by gskachkov on
#webkit).

Reverted changeset:

"calling super() a second time in a constructor should throw"
https://bugs.webkit.org/show_bug.cgi?id=151113
http://trac.webkit.org/changeset/200083

Patch by Commit Queue <commit-queue@webkit.org> on 2016-04-26

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200084 268f45cc-cd09-0410-ab3c-d52691b4dbfc

calling super() a second time in a constructor should throw
https://bugs.webkit.org/show_bug.cgi?id=151113

Reviewed by Saam Barati and Keith Miller.

Source/JavaScriptCore:

Currently, our implementation checks if 'super()' was called in a constructor more
than once and raises a RuntimeError before the second call. According to the spec
we need to raise an error just after the second super() is finished and before
the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour.
To implement this behavior this patch adds a new op code, op_is_empty, that is used
to check if 'this' is empty.

* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitIsEmpty):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::FunctionCallValueNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_is_empty):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_is_empty):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* tests/stress/class-syntax-double-constructor.js: Added.

LayoutTests:

* js/class-syntax-super-expected.txt:
* js/script-tests/class-syntax-super.js:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200083 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Remove hard-wraps from the feature policy markdown so it renders full width on the site.

* feature-policy.md:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200082 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Drop [UsePointersEvenForNonNullableObjectArguments] from SpeechSynthesis
https://bugs.webkit.org/show_bug.cgi?id=156901

Reviewed by Darin Adler.

Source/WebCore:

SpeechSynthesis.speak will now throw in case of bad parameters instead of silently failing.
Started refactoring to use more references where possible.

Covered by updated test.

* Modules/speech/SpeechSynthesis.cpp:
(WebCore::SpeechSynthesis::startSpeakingImmediately): Refactored to get a reference.
(WebCore::SpeechSynthesis::speak):
(WebCore::SpeechSynthesis::fireEvent):
(WebCore::SpeechSynthesis::handleSpeakingCompleted): Removing first item in utteranceQueue unconditionally,
since that would crash in Debug mode otherwise.
(WebCore::SpeechSynthesis::boundaryEventOccurred):
(WebCore::SpeechSynthesis::didStartSpeaking):
(WebCore::SpeechSynthesis::didPauseSpeaking):
(WebCore::SpeechSynthesis::didResumeSpeaking):
(WebCore::SpeechSynthesis::didFinishSpeaking):
(WebCore::SpeechSynthesis::speakingErrorOccurred):
* Modules/speech/SpeechSynthesis.h:
* Modules/speech/SpeechSynthesis.idl:

LayoutTests:

Updated test to handle speak throwing behavior in case of bad parameters.

* fast/speechsynthesis/speech-synthesis-crash-on-bad-utterance-expected.txt:
* fast/speechsynthesis/speech-synthesis-crash-on-bad-utterance.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200080 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Drop [UsePointersEvenForNonNullableObjectArguments] from WebKitNamedFlow
https://bugs.webkit.org/show_bug.cgi?id=156979

Reviewed by Chris Dumez.

No change of behavior.

* dom/WebKitNamedFlow.idl: Marking contentNode parameter as nullable.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200079 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Drop [UsePointersEvenForNonNullableObjectArguments] from EventTarget
https://bugs.webkit.org/show_bug.cgi?id=156977

Reviewed by Chris Dumez.

Source/WebCore:

No change of behavior.

* dom/EventTarget.idl:

LayoutTests:

* fast/events/dispatchEvent-crash-expected.txt:
* fast/events/dispatchEvent-crash.html: Ensuring exceptions are logged.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200078 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[EFL] Update expectation result in ewk_context_preferred_languages API test
https://bugs.webkit.org/show_bug.cgi?id=157027

Reviewed by Carlos Garcia Campos.

platformLanguage() has been returning lower case value since r199815. Thus existing expected result
needs to be updated together.

* UIProcess/API/efl/tests/test_ewk2_context.cpp: Change en-US with en-us.
(TEST_F):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200077 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Mark two methods in the CoordinatedGraphicsScene and the
ThreadedCoordinatedLayerTreeHost classes as overrides, fixing
the compiler warnings.

Rubber-stamped by Carlos Garcia Campos.

* Shared/CoordinatedGraphics/CoordinatedGraphicsScene.h:
* WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200076 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Remove the build flag for template elements
https://bugs.webkit.org/show_bug.cgi?id=157022

Reviewed by Daniel Bates.

.:

* Source/cmake/OptionsEfl.cmake:
* Source/cmake/OptionsMac.cmake:
* Source/cmake/OptionsWin.cmake:
* Source/cmake/WebKitFeatures.cmake:
* Source/cmake/tools/vsprops/FeatureDefines.props:
* Source/cmake/tools/vsprops/FeatureDefinesCairo.props:

Source/JavaScriptCore:

* Configurations/FeatureDefines.xcconfig:

Source/WebCore:

Removed the build flag.

* Configurations/FeatureDefines.xcconfig:
* DerivedSources.cpp:
* bindings/js/JSHTMLTemplateElementCustom.cpp:
(WebCore::JSHTMLTemplateElement::content):
* css/html.css:
(summary::-webkit-details-marker):
(template):
(bdi, output):
* dom/ContainerNode.cpp:
(WebCore::isInTemplateContent):
(WebCore::containsConsideringHostElements):
(WebCore::ContainerNode::parserInsertBefore):
(WebCore::ContainerNode::parserAppendChild):
* dom/Document.cpp:
(WebCore::Document::Document):
(WebCore::Document::~Document):
(WebCore::Document::getCachedLocale):
(WebCore::Document::ensureTemplateDocument):
(WebCore::Document::fonts):
* dom/Document.h:
(WebCore::Document::setTemplateDocumentHost):
(WebCore::Document::templateDocumentHost):
(WebCore::Document::hasDisabledFieldsetElement):
(WebCore::Document::textEncoding):
(WebCore::Document::templateDocument):
* dom/Element.cpp:
(WebCore::Element::setInnerHTML):
* dom/Node.cpp:
(WebCore::Node::containsIncludingHostElements):
(WebCore::Node::pseudoAwarePreviousSibling):
* dom/TemplateContentDocumentFragment.h:
* editing/MarkupAccumulator.cpp:
(WebCore::MarkupAccumulator::serializeNodesWithNamespaces):
* editing/markup.cpp:
(WebCore::createFragmentForInnerOuterHTML):
* html/HTMLTagNames.in:
* html/HTMLTemplateElement.cpp:
(WebCore::HTMLTemplateElement::didMoveToNewDocument):
* html/HTMLTemplateElement.h:
* html/HTMLTemplateElement.idl:
* html/parser/HTMLConstructionSite.cpp:
(WebCore::insert):
(WebCore::HTMLConstructionSite::insertTextNode):
(WebCore::HTMLConstructionSite::ownerDocumentForCurrentNode):
(WebCore::HTMLConstructionSite::findFosterSite):
* html/parser/HTMLElementStack.cpp:
(WebCore::HTMLNames::isScopeMarker):
(WebCore::HTMLNames::isTableScopeMarker):
(WebCore::HTMLNames::isTableBodyScopeMarker):
(WebCore::HTMLNames::isTableRowScopeMarker):
(WebCore::HTMLElementStack::inSelectScope):
(WebCore::HTMLElementStack::hasTemplateInHTMLScope):
(WebCore::HTMLElementStack::htmlElement):
* html/parser/HTMLElementStack.h:
* html/parser/HTMLPreloadScanner.cpp:
(WebCore::TokenPreloadScanner::scan):
* html/parser/HTMLPreloadScanner.h:
* html/parser/HTMLStackItem.h:
(WebCore::isSpecialNode):
* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::isParsingTemplateContents):
(WebCore::HTMLTreeBuilder::isParsingFragmentOrTemplateContents):
(WebCore::HTMLTreeBuilder::HTMLTreeBuilder):
(WebCore::HTMLTreeBuilder::processStartTagForInBody):
(WebCore::HTMLTreeBuilder::didCreateCustomOrCallbackElement):
(WebCore::HTMLTreeBuilder::processTemplateStartTag):
(WebCore::HTMLTreeBuilder::processEndOfFileForInTemplateContents):
(WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup):
(WebCore::HTMLTreeBuilder::processStartTagForInTable):
(WebCore::HTMLTreeBuilder::processStartTag):
(WebCore::HTMLTreeBuilder::processHtmlStartTagForInBody):
(WebCore::HTMLTreeBuilder::resetInsertionModeAppropriately):
(WebCore::HTMLTreeBuilder::processEndTagForInCell):
(WebCore::HTMLTreeBuilder::processEndTagForInBody):
(WebCore::HTMLTreeBuilder::processEndTag):
(WebCore::HTMLTreeBuilder::processCharacterBuffer):
(WebCore::HTMLTreeBuilder::processEndOfFile):
(WebCore::HTMLTreeBuilder::processStartTagForInHead):
(WebCore::HTMLTreeBuilder::finished):
* html/parser/HTMLTreeBuilder.h:
* inspector/InspectorDOMAgent.cpp:
(WebCore::InspectorDOMAgent::buildObjectForNode):
* inspector/InspectorInstrumentation.h:
(WebCore::InspectorInstrumentation::instrumentingAgentsForDocument):
* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::startElementNs):

Source/WebKit/mac:

* Configurations/FeatureDefines.xcconfig:

Source/WebKit2:

* Configurations/FeatureDefines.xcconfig:

Source/WTF:

* wtf/FeatureDefines.h:

Tools:

Removed the build option.

* Scripts/webkitperl/FeatureList.pm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200075 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[iOS] ftp links crash @ WebCore::FTPDirectoryDocumentParser::appendEntry
https://bugs.webkit.org/show_bug.cgi?id=157019
<rdar://problem/24292650>

Reviewed by Chris Dumez.

Create separate Ref<Element> object for every row element instead of reusing
one because Ref<>'s operator=() does not allow assignment after a WTFMove().

* html/FTPDirectoryDocument.cpp:
(WebCore::FTPDirectoryDocumentParser::appendEntry):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200074 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Fix text in log files autogenerated by import-w3c-tests
https://bugs.webkit.org/show_bug.cgi?id=157021

Reviewed by Chris Dumez.

s/Webkit/WebKit/ and end each sentence with a period.

* Scripts/webkitpy/w3c/test_importer.py:
(TestImporter.write_import_log):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200073 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Update template element tests
https://bugs.webkit.org/show_bug.cgi?id=154996

Reviewed by Daniel Bates.

LayoutTests/imported/w3c:

Reimported W3C tests for template elements as of d5a4c5bdf8a1837b4fcf50bbd2efd4150ddafa99.
Also moved the parser tests from html-templates to web-platform-tests/html/syntax to match the upstream directory structure.

* html-templates: Removed.
* html-templates/parsing-html-templates: Removed.
* html-templates/parsing-html-templates/additions-to-foster-parenting: Removed.
* html-templates/parsing-html-templates/additions-to-foster-parenting/template-is-a-foster-parent-element-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-foster-parenting/template-is-a-foster-parent-element.html: Removed.
* html-templates/parsing-html-templates/additions-to-foster-parenting/template-is-not-a-foster-parent-element-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-foster-parenting/template-is-not-a-foster-parent-element.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/generating-of-implied-end-tags-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/generating-of-implied-end-tags.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/ignore-body-token-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/ignore-body-token.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/ignore-frameset-token-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/ignore-frameset-token.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/ignore-head-token-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/ignore-head-token.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/ignore-html-token-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/ignore-html-token.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/start-tag-body-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/start-tag-body.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/start-tag-html-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/start-tag-html.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/template-end-tag-without-start-one-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-body-insertion-mode/template-end-tag-without-start-one.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-frameset-insertion-mode: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-frameset-insertion-mode/end-tag-frameset-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-frameset-insertion-mode/end-tag-frameset.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-head-insertion-mode: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-head-insertion-mode/generating-of-implied-end-tags-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-head-insertion-mode/generating-of-implied-end-tags.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-head-insertion-mode/template-end-tag-without-start-one-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-head-insertion-mode/template-end-tag-without-start-one.html: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-table-insertion-mode: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-table-insertion-mode/end-tag-table-expected.txt: Removed.
* html-templates/parsing-html-templates/additions-to-the-in-table-insertion-mode/end-tag-table.html: Removed.
* html-templates/parsing-html-templates/appending-to-a-template: Removed.
* html-templates/parsing-html-templates/appending-to-a-template/template-child-nodes-expected.txt: Removed.
* html-templates/parsing-html-templates/appending-to-a-template/template-child-nodes.html: Removed.
* html-templates/parsing-html-templates/clearing-the-stack-back-to-a-given-context: Removed.
* html-templates/parsing-html-templates/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-body-context-expected.txt: Removed.
* html-templates/parsing-html-templates/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-body-context.html: Removed.
* html-templates/parsing-html-templates/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-context-expected.txt: Removed.
* html-templates/parsing-html-templates/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-context.html: Removed.
* html-templates/parsing-html-templates/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-row-context-expected.txt: Removed.
* html-templates/parsing-html-templates/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-row-context.html: Removed.
* html-templates/parsing-html-templates/creating-an-element-for-the-token: Removed.
* html-templates/parsing-html-templates/creating-an-element-for-the-token/template-owner-document-expected.txt: Removed.
* html-templates/parsing-html-templates/creating-an-element-for-the-token/template-owner-document.html: Removed.
* html-templates/resources: Removed.
* html-templates/resources/end-template-tag-in-body.html: Removed.
* html-templates/resources/end-template-tag-in-head.html: Removed.
* html-templates/resources/frameset-end-tag.html: Removed.
* html-templates/resources/head-template-contents-div-no-end-tag.html: Removed.
* html-templates/resources/head-template-contents-table-no-end-tag.html: Removed.
* html-templates/resources/html-start-tag.html: Removed.
* html-templates/resources/template-child-nodes-div.xhtml: Removed.
* html-templates/resources/template-child-nodes-nested.xhtml: Removed.
* html-templates/resources/template-contents-attribute.html: Removed.
* html-templates/resources/template-contents-body.html: Removed.
* html-templates/resources/template-contents-div-no-end-tag.html: Removed.
* html-templates/resources/template-contents-empty.html: Removed.
* html-templates/resources/template-contents-frameset.html: Removed.
* html-templates/resources/template-contents-head.html: Removed.
* html-templates/resources/template-contents-html.html: Removed.
* html-templates/resources/template-contents-nested.html: Removed.
* html-templates/resources/template-contents-table-no-end-tag.html: Removed.
* html-templates/resources/template-contents-text.html: Removed.
* html-templates/resources/template-contents.html: Removed.
* html-templates/resources/template-descendant-body.html: Removed.
* html-templates/resources/template-descendant-frameset.html: Removed.
* html-templates/resources/template-descendant-head.html: Removed.
* html-templates/resources/two-templates.html: Removed.
* html-templates/testcommon.js: Removed.
* web-platform-tests/html/syntax: Added.
* web-platform-tests/html/syntax/parsing: Added.
* web-platform-tests/html/syntax/parsing/template: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-foster-parenting: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-foster-parenting/template-is-a-foster-parent-element-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-foster-parenting/template-is-a-foster-parent-element.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-foster-parenting/template-is-not-a-foster-parent-element-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-foster-parenting/template-is-not-a-foster-parent-element.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-foster-parenting/w3c-import.log: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/generating-of-implied-end-tags-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/generating-of-implied-end-tags.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/ignore-body-token-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/ignore-body-token.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/ignore-frameset-token-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/ignore-frameset-token.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/ignore-head-token-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/ignore-head-token.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/ignore-html-token-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/ignore-html-token.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/start-tag-body-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/start-tag-body.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/start-tag-html-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/start-tag-html.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/template-end-tag-without-start-one-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/template-end-tag-without-start-one.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-body-insertion-mode/w3c-import.log: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-frameset-insertion-mode: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-frameset-insertion-mode/end-tag-frameset-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-frameset-insertion-mode/end-tag-frameset.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-frameset-insertion-mode/w3c-import.log: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-head-insertion-mode: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-head-insertion-mode/generating-of-implied-end-tags-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-head-insertion-mode/generating-of-implied-end-tags.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-head-insertion-mode/template-end-tag-without-start-one-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-head-insertion-mode/template-end-tag-without-start-one.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-head-insertion-mode/w3c-import.log: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-table-insertion-mode: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-table-insertion-mode/end-tag-table-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-table-insertion-mode/end-tag-table.html: Added.
* web-platform-tests/html/syntax/parsing/template/additions-to-the-in-table-insertion-mode/w3c-import.log: Added.
* web-platform-tests/html/syntax/parsing/template/appending-to-a-template: Added.
* web-platform-tests/html/syntax/parsing/template/appending-to-a-template/template-child-nodes-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/appending-to-a-template/template-child-nodes.html: Added.
* web-platform-tests/html/syntax/parsing/template/appending-to-a-template/w3c-import.log: Added.
* web-platform-tests/html/syntax/parsing/template/clearing-the-stack-back-to-a-given-context: Added.
* web-platform-tests/html/syntax/parsing/template/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-body-context-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-body-context.html: Added.
* web-platform-tests/html/syntax/parsing/template/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-context-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-context.html: Added.
* web-platform-tests/html/syntax/parsing/template/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-row-context-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/clearing-the-stack-back-to-a-given-context/clearing-stack-back-to-a-table-row-context.html: Added.
* web-platform-tests/html/syntax/parsing/template/clearing-the-stack-back-to-a-given-context/w3c-import.log: Added.
* web-platform-tests/html/syntax/parsing/template/creating-an-element-for-the-token: Added.
* web-platform-tests/html/syntax/parsing/template/creating-an-element-for-the-token/template-owner-document-expected.txt: Added.
* web-platform-tests/html/syntax/parsing/template/creating-an-element-for-the-token/template-owner-document.html: Added.
* web-platform-tests/html/syntax/parsing/template/creating-an-element-for-the-token/w3c-import.log: Added.

LayoutTests:

* platform/mac/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200072 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[JSC] Constant folding of UInt32ToNumber is incorrect
https://bugs.webkit.org/show_bug.cgi?id=157011
rdar://problem/25769641

Patch by Benjamin Poulain <bpoulain@apple.com> on 2016-04-25
Reviewed by Geoffrey Garen.

UInt32ToNumber should return the unsigned 32bit value of
its child. The abstract interpreter fails to do that when handling
Int52.

None of the tests caught that because the bytecode generator already
fold the operation if given a constant. If the constant is not visible
from the bytecode generator (for example because it comes from an inlined call),
then the abstract interpreter folding was producing invalid results.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* tests/stress/uint32-to-number-constant-folding.js: Added.
(uint32ToNumberMinusOne):
(uint32ToNumberMinusOnePlusInteger):
(inlineMinusOne):
(uint32ToNumberOnHiddenMinusOne):
(uint32ToNumberOnHiddenMinusOnePlusInteger):
(inlineLargeNegativeNumber1):
(inlineLargeNegativeNumber2):
(inlineLargeNegativeNumber3):
(uint32ToNumberOnHiddenLargeNegativeNumber1):
(uint32ToNumberOnHiddenLargeNegativeNumber2):
(uint32ToNumberOnHiddenLargeNegativeNumber3):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200071 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[Cocoa] Guarantee FontPlatformData's m_cgFont is never nullptr
https://bugs.webkit.org/show_bug.cgi?id=156929

Reviewed by Darin Adler.

Source/WebCore:

After some investigation, it turns out that there is no place where it is meaningful
to pass us a null CoreText font. Therefore, the CoreGraphics font is also never null.

We should simply check for these null values at the ingestion site in order to
make the guarantee internally of having non-null values.

* platform/graphics/FontPlatformData.cpp:
(WebCore::FontPlatformData::FontPlatformData): Because the pointer is never null, we
can delete the code which handles that case.
* platform/graphics/FontPlatformData.h:
* platform/graphics/cocoa/FontPlatformDataCocoa.mm: Ditto.
(WebCore::webFallbackFontFamily): Deleted.
(WebCore::FontPlatformData::setFallbackCGFont): Deleted.
* platform/graphics/mac/ComplexTextControllerCoreText.mm:
(WebCore::ComplexTextController::collectComplexTextRunsForCharacters): Asking the
CTRun for its kCTFontAttributeName will always return non-null.
* platform/graphics/mac/FontCustomPlatformData.cpp:
(WebCore::FontCustomPlatformData::fontPlatformData): Once we have a font descriptor,
CTFontCreateWithFontDescriptor() will always return non-null. We check if the font
descriptor is null elsewhere.
* platform/mac/DragImageMac.mm: The fonts in this file are gotten by asking for the
system font, which will always return non-null.
(WebCore::fontFromNSFont):
(WebCore::widthWithFont):
(WebCore::drawAtPoint):
(WebCore::createDragImageForLink):

Source/WebKit/mac:

* Misc/WebKitNSStringExtras.mm:
(-[NSString _web_drawAtPoint:font:textColor:allowingFontSmoothing:]): Drawing
a string with a null font shouldn't do anything.
* Misc/WebStringTruncator.mm: We can't truncate a string if we don't have a font
to use.
(+[WebStringTruncator centerTruncateString:toWidth:]):
(+[WebStringTruncator centerTruncateString:toWidth:withFont:]):
(+[WebStringTruncator rightTruncateString:toWidth:withFont:]):
(+[WebStringTruncator widthOfString:font:]):

Tools:

* TestWebKitAPI/Tests/mac/StringTruncator.mm:
(TestWebKitAPI::TEST):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200070 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Cloning a textarea does not clone the textarea's value
https://bugs.webkit.org/show_bug.cgi?id=156637

Reviewed by Chris Dumez.

https://dom.spec.whatwg.org/#concept-node-clone describes that the value
of a node shouldn't be copied when cloning the node.

* fast/forms/checkValidity-cloneNode-crash-expected.txt:
* fast/forms/checkValidity-cloneNode-crash.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200069 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Heap corruption is detected when destructing JSGlobalObject
https://bugs.webkit.org/show_bug.cgi?id=156831

Patch by Fujii Hironori <Hironori.Fujii@sony.com> on 2016-04-25
Reviewed by Mark Lam.

WebKit uses CRT static library on Windows.  Each copy of the CRT
library has its own heap manager, allocating memory in one CRT
library and passing the pointer across a DLL boundary to be freed
by a different copy of the CRT library is a potential cause for
heap corruption.

  Potential Errors Passing CRT Objects Across DLL Boundaries
  <https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>

JSGlobalObject::createRareDataIfNeeded is inlined but
JSGlobalObject::~JSGlobalObject is not.  Then, the heap of
allocating JSGlobalObjectRareData is WebKit.dll, but deallocating
JavaScriptCore.dll.  Adding WTF_MAKE_FAST_ALLOCATED to
JSGlobalObjectRareData ensures heap consistency of it.  WTF::Lock
also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
the inlined constructor of JSGlobalObjectRareData.

Source/JavaScriptCore:

Test: fast/dom/insertedIntoDocument-iframe.html

* runtime/JSGlobalObject.h:
Add WTF_MAKE_FAST_ALLOCATED to JSGlobalObjectRareData.

Source/WTF:

* wtf/Lock.h: Add WTF_MAKE_FAST_ALLOCATED.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200068 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Web Inspector: hook up grid row filtering in the new Timelines UI
https://bugs.webkit.org/show_bug.cgi?id=154924
<rdar://problem/24934607>

Reviewed by Timothy Hatcher.

Re-implement timeline data grid filtering that previously existed in the
navigation sidebar. This patch adds support for filter text, scope bars,
and filtering based on ruler selection.

Multi-column filter support is now part of DataGrid. The grid checks compares
filter text against cell data of type string. DataGridNode subclasses may
provide custom string data for columns that format complex objects (such
as SourceCodeLocations). Cells containing data of type number are not
considered for filtering at this time.

* UserInterface/Views/DataGrid.js:
(WebInspector.DataGrid):
(WebInspector.DataGrid.prototype.set filterText):
(WebInspector.DataGrid.prototype.get filterDelegate):
(WebInspector.DataGrid.prototype.set filterDelegate):
(WebInspector.DataGrid.prototype.filterDidChange):
Called internally by the grid whenever the filter text or delegate changes.
Also called by clients that implement a filter delegate, to inform the
grid that a custom filter has changed.

(WebInspector.DataGrid.prototype.hasCustomFilters):
(WebInspector.DataGrid.prototype.matchNodeAgainstCustomFilters):
Calls the filter delegate, if it exists, and provides a hook for
subclasses to provide custom filtering.

(WebInspector.DataGrid.prototype._applyFiltersToNode.matchTextFilter):
(WebInspector.DataGrid.prototype._applyFiltersToNode.makeVisible):
(WebInspector.DataGrid.prototype._applyFiltersToNode):
Filters data grid nodes and fires filter events as needed.
(WebInspector.DataGrid.prototype._hasFilterDelegate):
Helper function.
(WebInspector.DataGrid.prototype._updateVisibleRows):
Exclude hidden nodes from revealed rows.
(WebInspector.DataGrid.prototype._updateFilter):
Filtering entry point, called on an animation frame. Updates visible
rows if any node was filtered/unfiltered.

(WebInspector.DataGridNode):
(WebInspector.DataGridNode.prototype.get filterableData):
Gets an array of filterable strings for the node.
(WebInspector.DataGridNode.prototype.refresh):
Resets cached filterable strings.
(WebInspector.DataGridNode.prototype.filterableDataForColumn):
Can be overridden by subclasses to provide filterable text for complex
cell data, like as objects formatted as document fragments.

* UserInterface/Views/LayoutTimelineDataGridNode.js:
(WebInspector.LayoutTimelineDataGridNode.prototype.get data):

* UserInterface/Views/LayoutTimelineView.js:
(WebInspector.LayoutTimelineView):
Register grid and remove logic that has been moved to the base class.
(WebInspector.LayoutTimelineView.prototype.filterDidChange):
Update highlight after grid filter change.
(WebInspector.LayoutTimelineView.prototype._dataGridSelectedNodeChanged):
Update highlight when selection changes.
(WebInspector.LayoutTimelineView.prototype.matchTreeElementAgainstCustomFilters): Deleted.
(WebInspector.LayoutTimelineView.prototype.treeElementDeselected): Deleted.
(WebInspector.LayoutTimelineView.prototype._dataGridFiltersDidChange): Deleted.
(WebInspector.LayoutTimelineView.prototype._dataGridNodeSelected): Deleted.
No longer needed.

* UserInterface/Views/NetworkTimelineView.js:
(WebInspector.NetworkTimelineView):
Register grid and remove logic that has been moved to the base class.
(WebInspector.NetworkTimelineView.prototype.matchTreeElementAgainstCustomFilters): Deleted.
(WebInspector.NetworkTimelineView.prototype._dataGridFiltersDidChange): Deleted.
(WebInspector.NetworkTimelineView.prototype._dataGridNodeSelected): Deleted.
No longer needed.

* UserInterface/Views/OverviewTimelineView.js:
(WebInspector.OverviewTimelineView):
Register grid and remove logic that has been moved to the base class.
(WebInspector.OverviewTimelineView.prototype._dataGridNodeSelected): Deleted.
No longer needed.

* UserInterface/Views/RenderingFrameTimelineView.js:
(WebInspector.RenderingFrameTimelineView):
Register grid and remove logic that has been moved to the base class.
(WebInspector.RenderingFrameTimelineView.prototype.get filterStartTime):
(WebInspector.RenderingFrameTimelineView.prototype.get filterEndTime):
Convert selection indices into filter start and end times.
(WebInspector.RenderingFrameTimelineView.prototype.matchDataGridNodeAgainstCustomFilters):
Perform custom filtering on rendering frame duration.
(WebInspector.RenderingFrameTimelineView.prototype._scopeBarSelectionDidChange):
Inform grid of custom filter change.
(WebInspector.RenderingFrameTimelineView.prototype.matchTreeElementAgainstCustomFilters): Deleted.
(WebInspector.RenderingFrameTimelineView.prototype._dataGridNodeSelected): Deleted.
No longer needed.

* UserInterface/Views/ResourceTimelineDataGridNode.js:
(WebInspector.ResourceTimelineDataGridNode.prototype.filterableDataForColumn):
Use URL string for filtering "name" column.

* UserInterface/Views/ScriptClusterTimelineView.js:
(WebInspector.ScriptClusterTimelineView.prototype.updateFilter):
Forwarding for TimelineView API.
(WebInspector.ScriptClusterTimelineView.prototype.matchDataGridNodeAgainstCustomFilters):
(WebInspector.ScriptClusterTimelineView.prototype.matchTreeElementAgainstCustomFilters): Deleted.
Renamed to matchDataGridNodeAgainstCustomFilters.
(WebInspector.ScriptClusterTimelineView.prototype._scriptClusterViewCurrentContentViewDidChange): Deleted.
Removed FIXME comment. Updating TimelineView times is sufficient to trigger filtering.

* UserInterface/Views/ScriptDetailsTimelineView.js:
(WebInspector.ScriptDetailsTimelineView):
Register grid and remove logic that has been moved to the base class.
(WebInspector.ScriptDetailsTimelineView.prototype._dataGridFiltersDidChange): Deleted.
(WebInspector.ScriptDetailsTimelineView.prototype._dataGridNodeSelected): Deleted.
No longer needed.

* UserInterface/Views/ScriptTimelineDataGridNode.js:
(WebInspector.ScriptTimelineDataGridNode.prototype.filterableDataForColumn):
Use main title and subtitle strings for filtering "name" column.
(WebInspector.ScriptTimelineDataGridNode.prototype._createNameCellDocumentFragment):
(WebInspector.ScriptTimelineDataGridNode.prototype._subtitle):
Break out for use in filterableDataForColumn.

* UserInterface/Views/TimelineDataGrid.js:
(WebInspector.TimelineDataGrid):
Cleanup variable names.
(WebInspector.TimelineDataGrid.prototype.hasCustomFilters):
Always true because filtering on ruler selection always occurs.
(WebInspector.TimelineDataGrid.prototype.matchNodeAgainstCustomFilters):
Match nodes against scope bar filters.
(WebInspector.TimelineDataGrid.prototype._scopeBarSelectedItemsDidChange):
Inform grid of custom filter change.
(WebInspector.TimelineDataGrid.prototype.treeElementMatchesActiveScopeFilters): Deleted.
Re-implemented as _nodeMatchesActiveScopeFilters.
(WebInspector.TimelineDataGrid.prototype._updateScopeBarForcedVisibility): Deleted.
Old UI. No longer needed.

* UserInterface/Views/TimelineDataGridNode.js:
(WebInspector.TimelineDataGridNode.prototype.filterableDataForColumn):
Filter strings for SourceCodeLocation and CallFrame objects.

* UserInterface/Views/TimelineRecordingContentView.js:
(WebInspector.TimelineRecordingContentView):
Listen for FilterBar changes and TimelineView record filtering.
(WebInspector.TimelineRecordingContentView.prototype._filterDidChange):
Update grid filters when filter bar changes.
(WebInspector.TimelineRecordingContentView.prototype._recordWasFiltered):
Update overview when records are filtered/unfiltered.
(WebInspector.TimelineRecordingContentView.prototype.filterDidChange): Deleted.
(WebInspector.TimelineRecordingContentView.prototype.recordWasFiltered): Deleted.
(WebInspector.TimelineRecordingContentView.prototype.matchTreeElementAgainstCustomFilters.checkTimeBounds): Deleted.
(WebInspector.TimelineRecordingContentView.prototype.matchTreeElementAgainstCustomFilters): Deleted.
Re-implemented in DataGrid.
(WebInspector.TimelineRecordingContentView.prototype._updateTimes): Deleted.
FIXME comment removed. Filtering occurs when TimelineView times are updated.
(WebInspector.TimelineRecordingContentView.prototype._timeRangeSelectionChanged): Deleted.

* UserInterface/Views/TimelineView.js:
(WebInspector.TimelineView):
(WebInspector.TimelineView.prototype.get navigationItems):
Used by TimelineRecordingContentView to add scope bar items to the
lower content browser's navigation bar.

(WebInspector.TimelineView.prototype.set startTime):
(WebInspector.TimelineView.prototype.set endTime):
(WebInspector.TimelineView.prototype.set currentTime):
Update grid filter when recording times change.
(WebInspector.TimelineView.prototype.get filterStartTime):
(WebInspector.TimelineView.prototype.get filterEndTime):
Let subclasses (RenderingFrameTimelineView) provide filter start/end times.
(WebInspector.TimelineView.prototype.setupDataGrid):
Register the grid used by the TimelineView subclass, allowing the base
class to hook into common event listeners and provide boilerplate functionality.

(WebInspector.TimelineView.prototype.updateFilter):
For data grid views, updates grid filters and sets new filter text.
(WebInspector.TimelineView.prototype.matchDataGridNodeAgainstCustomFilters):
(WebInspector.TimelineView.prototype.dataGridMatchNodeAgainstCustomFilters.checkTimeBounds):
(WebInspector.TimelineView.prototype.dataGridMatchNodeAgainstCustomFilters):
DataGrid filter delegate. Lets subclasses apply custom filters first,
then filters based on ruler selection if needed.

(WebInspector.TimelineView.prototype.filterDidChange):
Hook for subclasses to respond to filter changes.
(WebInspector.TimelineView.prototype._filterTimesDidChange.delayedWork):
(WebInspector.TimelineView.prototype._filterTimesDidChange):
Helper function for coalescing ruler selection updates into a single
filter update.

(WebInspector.TimelineView.prototype.matchTreeElementAgainstCustomFilters): Deleted.
(WebInspector.TimelineView.prototype.filterUpdated): Deleted.
No longer needed.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200067 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Crash under MemoryCache::remove()
https://bugs.webkit.org/show_bug.cgi?id=157000
<rdar://problem/23344660>

Reviewed by Andreas Kling.

MemoryCache::evictResources() was caching the number of resources ('size')
in the cache for a particular sessionID, and then proceed to call
MemoryCache::remove() 'size' times using the first item in the HashMap
each time. This was unsafe because resources may be ref'ing each other
and therefore removing one may cause other resources to get removed as
well. In such case, we would call remove() too many times and crash because
we dereferenced resources.begin()->value (with the HashMap being empty).

This patch avoids the issue by copying the resources to a Vector and
ref'ing them first, before going on to remove each one from the cache.

* loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::forEachSessionResource):
(WebCore::MemoryCache::evictResources):
* loader/cache/MemoryCache.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200066 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Web Inspector: React.js JSXTransformer produces bogus error locations
https://bugs.webkit.org/show_bug.cgi?id=150010
<rdar://problem/23062233>

Reviewed by Timothy Hatcher.

Source/WebInspectorUI:

Show dynamically added <script> elements added to a frame as resources.
For cases where the scripts had source map resources or error messages
we have a root from which to associate them to.

* Localizations/en.lproj/localizedStrings.js:
"Script Element %d" tree element title.

* UserInterface/Models/Frame.js:
(WebInspector.Frame.prototype.commitProvisionalLoad):
(WebInspector.Frame.prototype.get extraScripts):
(WebInspector.Frame.prototype.addExtraScript):
Have a frame keep a list of its extra scripts.

* UserInterface/Models/Script.js:
(WebInspector.Script):
(WebInspector.Script.prototype.get displayName):
(WebInspector.Script.prototype.get dynamicallyAddedScriptElement):
Identify dynamically added script elements and associate them
with the frame, instead of the frame's main resource.

* UserInterface/Views/FrameTreeElement.js:
(WebInspector.FrameTreeElement.prototype.onpopulate):
(WebInspector.FrameTreeElement.prototype._extraScriptAdded):
Show named / source mapped dynamic script elements under a frame.

* UserInterface/Views/ResourceSidebarPanel.js:
(WebInspector.ResourceSidebarPanel.prototype._scriptWasAdded):
Dynamically added script element Scripts will be added by the frame that
owns them.

* UserInterface/Views/ScriptTreeElement.js:
(WebInspector.ScriptTreeElement):
Don't include a subtitle for dynamicallyAddedScriptElement, details match
the frame that owns them.

LayoutTests:

* inspector/model/frame-extra-scripts-expected.txt: Added.
* inspector/model/frame-extra-scripts.html: Added.
Add a test for a WebInspector.Frame's extraScripts list.

* inspector/model/script-resource-relationship-expected.txt
* inspector/model/script-resource-relationship.html
Add a test for a dynamicallyAddedScriptElement.
Remove debug logging.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200065 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Web Inspector: Line error widget showed in the wrong resource
https://bugs.webkit.org/show_bug.cgi?id=150009
<rdar://problem/23062199>

Reviewed by Timothy Hatcher.

This addresses a few long standing issues:

    - IssueMessage and ConsoleMessage should not fight eachother
    - Displayed issue messages now correctly have format string formatting, e.g. console.error("Foo %s", str)
    - IssueMessage wraps a ConsoleMessage, so we don't duplicate everything
    - Gives ConsoleMessage a sourceCodeLocation (lazy)
        - Since a sourceCodeLocation can have the exact SourceCode, if it was a Script
          without a Resource, we can only show the error in the Script's editor.

* UserInterface/Models/CallFrame.js:
(WebInspector.CallFrame.fromPayload):
Prefer the script identifier lookup first. And from the Script go
to a resource if possible. This allows us to distinguish a location
that should be in a Script that doesn't have a Resource when there
exists a Resource with the same URL. This will soon be the case
for dyanamic <script> elements append to a document.

* UserInterface/Controllers/IssueManager.js:
(WebInspector.IssueManager.issueMatchSourceCode):
Consolidate all the different checks to this one function.

(WebInspector.IssueManager.prototype.issueWasAdded):
Create IssueMessages with ConsoleMessages.

(WebInspector.IssueManager.prototype.issuesForSourceCode):
Simplify now that we have the better check.

* UserInterface/Controllers/LogManager.js:
(WebInspector.LogManager.prototype.messageWasAdded):
Once a ConsoleMessage has been created (and modified `parameters` for us)
create the IssueMessage if it was an issue.

* UserInterface/Models/ConsoleMessage.js:
(WebInspector.ConsoleMessage.prototype.get sourceCodeLocation):
Lazily create a source code from the best possible location. This can
be the top call frame or the url/line/column combination.

* UserInterface/Models/IssueMessage.js:
(WebInspector.IssueMessage):
Creation and most properties just call through to a ConsoleMessage.
The `type` and `text` are Issue specific. Anything that uses location
data should use the sourceCodeLocation.

(WebInspector.IssueMessage.prototype.saveIdentityToCookie):
Fix implementation that didn't account for a null sourceCodeLocation.

(WebInspector.IssueMessage.prototype._formatTextIfNecessary):
Basic text format message formatting.

* UserInterface/Protocol/ConsoleObserver.js:
(WebInspector.ConsoleObserver.prototype.messageAdded):
No longer call IssueMessage from the observer. Let LogManager trigger issues.

* UserInterface/Views/ContentView.js:
(WebInspector.ContentView.createFromRepresentedObject):
(WebInspector.ContentView.resolvedRepresentedObjectForRepresentedObject):
(WebInspector.ContentView.isViewable):
An IssueMessage represented object for an IssueMessageTreeElement should be
restorable by just going to the sourceCodeLocation it references. This is
identical to a Breakpoint.

* UserInterface/Views/IssueTreeElement.js:
(WebInspector.IssueTreeElement.prototype._updateTitles):
(WebInspector.IssueTreeElement):
* UserInterface/Views/ResourceContentView.js:
(WebInspector.ResourceContentView.prototype._issueWasAdded):
* UserInterface/Views/SourceCodeTextEditor.js:
(WebInspector.SourceCodeTextEditor.prototype._issueWasAdded):
(WebInspector.SourceCodeTextEditor.prototype._addIssue):
(WebInspector.SourceCodeTextEditor.prototype._reinsertAllIssues):
(WebInspector.SourceCodeTextEditor.prototype._matchesIssue): Deleted.
Update to use Issue's sourceCodeLocation or IssueManager's new APIs.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200064 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Marking fast/layers/no-clipping-overflow-hidden-added-after-transform.html as flaky on mac-wk1
https://bugs.webkit.org/show_bug.cgi?id=157007

Unreviewed test gardening.

* platform/mac-wk1/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200063 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Crash under WebCore::MutationObserver::deliverAllMutations()
https://bugs.webkit.org/show_bug.cgi?id=156997
<rdar://problem/16542323>

Reviewed by Ryosuke Niwa.

The crash traces indicate that we may derefence a null pointer when
dereferencing MutationCallback::scriptExecutationContext() in
MutationObserver::canDeliver(). This can happen when the script
execution context gets destroyed as a JSMutationCallback is an
ActiveDOMObject, which is a ContextDestructionObserver.

This patch refactors the code so that MutationObserver::canDeliver()
now simply asks JSMutationCallback if it can invoke its callback.
JSMutationCallback makes this decision using
ActiveDOMCallback::canInvokeCallback() which does a proper null
check of the ScriptExecutationContext. This avoids some code
duplication and fixes the crash.

* bindings/js/JSMutationCallback.h:
* dom/MutationCallback.h:
* dom/MutationObserver.cpp:
(WebCore::MutationObserver::canDeliver):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200062 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Fix a flaky test after r200032

* fileapi/File.cpp:
(WebCore::File::lastModified): This used to return a date object which did a WTF::timeClip on the double,
  but now that we're returning a raw double we need to WTF::timeClip it ourselves.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200061 268f45cc-cd09-0410-ab3c-d52691b4dbfc

bmalloc: Misc improvements to MallocBench
https://bugs.webkit.org/show_bug.cgi?id=157004

Reviewed by Darin Adler.

* MallocBench/run-malloc-benchmarks: Added --memory and --memory_warning
modes for focused memory testing.

* MallocBench/MallocBench/Benchmark.cpp:
(Benchmark::printReport): Clarified output.

(Benchmark::currentMemoryBytes): Added compressed memory because top
does the same. (It always happens to zero in the benchmarks we run. But
this is good for sanity.)

* MallocBench/MallocBench/CommandLine.cpp: Moved up to 8 runs to reduce
variance.

* MallocBench/MallocBench/alloc_free.cpp:
(benchmark_alloc_free): Cycle a single allocation in order to stress
the effect of merging on calls to madvise.

* MallocBench/MallocBench/big.cpp:
(benchmark_big): Graduated to 8kB-128kB because medium tests up to 8 and
our large allocator doesn't kick in until 64kB.

* MallocBench/MallocBench/medium.cpp:
(benchmark_medium): Test all the way down to 1kB because our large
allocator used to service 1kB allocations and 1kB is an interesting
middle size where memory is unusually large but allocation throughput
still matters.

* MallocBench/MallocBench/stress.cpp:
(benchmark_stress): Reduced the churn count to match stress_aligned
because this test was taking too long to complete.

* MallocBench/MallocBench/stress_aligned.cpp:
(benchmark_stress_aligned): Our new large allocator can handle even
more absurdly large values.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200060 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[Tools] whitelist all-uppercase JSTokenType enum in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=156976

Patch by Caitlin Potter <caitp@igalia.com> on 2016-04-25
Reviewed by Darin Adler.

Mitigate style-checker spam on bugs which introduce new JavaScript
token types.

* Scripts/webkitpy/style/checkers/cpp.py:
(_EnumState.__init__):
(_EnumState.process_clean_line):
* Scripts/webkitpy/style/checkers/cpp_unittest.py:
(NoNonVirtualDestructorsTest.test_enum_casing):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200059 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[Web IDL] Specify default values for optional parameters of type 'float' / 'unrestricted float'
https://bugs.webkit.org/show_bug.cgi?id=156995

Reviewed by Darin Adler.

Specify default values for optional parameters of type 'float' / 'unrestricted float'
and let the bindings generator use WTF::Optional<> for the ones that do not have a
default value.

* bindings/scripts/CodeGeneratorJS.pm:
(CanUseWTFOptionalForParameter): Deleted.
* bindings/scripts/test/JS/JSTestTypedefs.cpp:
(WebCore::jsTestTypedefsPrototypeFunctionSetShadow):
* html/canvas/CanvasRenderingContext2D.cpp:
(WebCore::CanvasRenderingContext2D::setStrokeColor):
(WebCore::CanvasRenderingContext2D::setFillColor):
(WebCore::CanvasRenderingContext2D::setShadow):
(WebCore::CanvasRenderingContext2D::fillText):
(WebCore::CanvasRenderingContext2D::strokeText):
(WebCore::CanvasRenderingContext2D::drawTextInternal):
(WebCore::CanvasRenderingContext2D::clearShadow): Deleted.
(WebCore::normalizeSpaces): Deleted.
(WebCore::CanvasRenderingContext2D::measureText): Deleted.
* html/canvas/CanvasRenderingContext2D.h:
* html/canvas/CanvasRenderingContext2D.idl:
* testing/Internals.idl:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200058 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebEditorClient should properly write to m_rangeForCandidates
https://bugs.webkit.org/show_bug.cgi?id=157003
-and corresponding-
rdar://problem/25910418

Reviewed by Tim Horton.

Actually write to m_rangeForCandidates instead of declaring a local variable
of the same name. :-/
* WebCoreSupport/WebEditorClient.mm:
(WebEditorClient::requestCandidatesForSelection):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200057 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Add port 4190 (managesieve) to port blacklist
https://bugs.webkit.org/show_bug.cgi?id=156986
<rdar://problem/9119470>

Reviewed by Daniel Bates.

Source/WebCore:

Tested by security/block-test.html.

* platform/URL.cpp:
(WebCore::portAllowed): Add 4190 to the port blacklist.

LayoutTests:

* platform/mac/security/block-test-expected.txt
* security/block-test-expected.txt:
* security/block-test.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200056 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Rebaseline editing tests for ios-simulator-wk1

Unreviewed test gardening

* platform/ios-simulator-wk1/editing/deleting/delete-at-paragraph-boundaries-002-expected.txt:
* +71 more

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200055 268f45cc-cd09-0410-ab3c-d52691b4dbfc

AX: Crash at -[WebAccessibilityObjectWrapper accessibilityAttributeValue:] + 4391
https://bugs.webkit.org/show_bug.cgi?id=156987

Reviewed by Chris Fleizach.

Source/WebCore:

When we hit test on a slider indicator asking for the value when the parent slider's
accessibility object is not created or the parent slider has been removed, it will cause
crash. Fixed it by adding a check to see if the object is detached from the parent.

Test: accessibility/mac/slider-thumb-value-crash.html

* accessibility/mac/WebAccessibilityObjectWrapperMac.mm:
(-[WebAccessibilityObjectWrapper accessibilityAttributeValue:]):

LayoutTests:

* accessibility/mac/slider-thumb-value-crash-expected.txt: Added.
* accessibility/mac/slider-thumb-value-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200054 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Fix issues with content-animation performance tests
https://bugs.webkit.org/show_bug.cgi?id=157001

Reviewed by Sam Weinig.

Add patch content for svg-animation.html, and fix the paths in the patch so
it applies correctly.

Add the patch file to the .plan file.

* Scripts/webkitpy/benchmark_runner/data/patches/ContentAnimation.patch:
* Scripts/webkitpy/benchmark_runner/data/plans/content-animation.plan:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200053 268f45cc-cd09-0410-ab3c-d52691b4dbfc

WebKitPlaybackSessionModelMediaElement should initialize the interface added by setWebPlaybackSessionInterface() with initial data
https://bugs.webkit.org/show_bug.cgi?id=156996

Reviewed by Beth Dakin.

Notify the interface of the current values in the media element when the model is given an interface.

* platform/cocoa/WebPlaybackSessionModelMediaElement.mm:
(WebPlaybackSessionModelMediaElement::setWebPlaybackSessionInterface):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200052 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Attempt to fix a flaky test after r200032
https://bugs.webkit.org/show_bug.cgi?id=156994

* http/tests/local/fileapi/script-tests/file-last-modified-after-delete.js: Missed renaming this along with all the others.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200051 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Crash under -[WKWebView _mayAutomaticallyShowVideoPictureInPicture] + 32 (WKWebView.mm:309)
https://bugs.webkit.org/show_bug.cgi?id=156990
<rdar://problem/25904376>

Reviewed by Jer Noble.

In case of WebProcess crash, WebPageProxy::processDidCrash() will call resetState() which
will nullify WebPageProxy::m_videoFullscreenManager. In WebPageProxy::reattachToWebProcess(),
we then call updateViewState() before re-initializing m_videoFullscreenManager, and
updateViewState() ends up calling [WKWebView _mayAutomaticallyShowVideoPictureInPicture]
which dereferences WebPageProxy::m_videoFullscreenManager without null check. This patch
adds a null check for m_videoFullscreenManager in _mayAutomaticallyShowVideoPictureInPicture.

* UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _mayAutomaticallyShowVideoPictureInPicture]):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200050 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Add a content animation test that uses SVG animation.
https://bugs.webkit.org/show_bug.cgi?id=156827

* Animation/svg-animation.html: Added.
* Skipped:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200049 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Crash using @tryGetById in DFG
https://bugs.webkit.org/show_bug.cgi?id=156992

Reviewed by Filip Pizlo.

We need to spill live registers when compiling TryGetById in DFG.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileTryGetById):
* tests/stress/regress-156992.js: New test.
(tryMultipleGetByIds):
(test):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200048 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Toggling animation-play-state can re-start a finished animation
https://bugs.webkit.org/show_bug.cgi?id=156731

Reviewed by Dean Jackson.

Source/WebCore:

After an animation completed, CompositeAnimation::updateKeyframeAnimations() cleared
all state that the animation had run on the element, so changing the value of some
animation property triggered the animation to run again. This is wrong, since animation-name
still applied to the element.

Fix by keeping state for keyframe animations in the Done state in the m_keyframeAnimations
map. This allows for the removal of the index property on KeyframeAnimation.

Tests: animations/change-completed-animation-transform.html
       animations/change-completed-animation.html

* page/animation/AnimationBase.cpp:
(WebCore::AnimationBase::timeToNextService):
* page/animation/AnimationBase.h:
(WebCore::AnimationBase::isAnimatingProperty):
* page/animation/CompositeAnimation.cpp: Add animations that should stick around to AnimationNameMap,
and swap with m_keyframeAnimations at the end.
(WebCore::CompositeAnimation::updateKeyframeAnimations):
* page/animation/KeyframeAnimation.cpp:
(WebCore::KeyframeAnimation::KeyframeAnimation):
(WebCore::KeyframeAnimation::getAnimatedStyle):
* page/animation/KeyframeAnimation.h:

LayoutTests:

* animations/animation-direction-reverse-expected.txt:
* animations/animation-direction-reverse.html: This is a progression. The test was detecting a
restarted animation.
* animations/change-completed-animation-expected.txt: Added.
* animations/change-completed-animation-transform-expected.html: Added.
* animations/change-completed-animation-transform.html: Added. Ref test that ensures that the final
state for normal and accelerated animations is correct.
* animations/change-completed-animation.html: Added. Tests that changing a property doesn't trigger
another animation, by detecting a second animationstart event.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200047 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[GTK] Crashes if DISPLAY is unset
https://bugs.webkit.org/show_bug.cgi?id=156972

Reviewed by Carlos Garcia Campos.

If DISPLAY is unset then m_display will be NULL, crashing WebKit
when XCloseDisplay is called in the PlatformDisplayX11 destructor.

* platform/graphics/x11/PlatformDisplayX11.cpp:
(WebCore::PlatformDisplayX11::~PlatformDisplayX11):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200046 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Tweaking IndexedDB watchlist and adding myself to it.

* Scripts/webkitpy/common/config/watchlist:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200045 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Update JS bindings test results after r200037

Unreviewed test gardening.

* bindings/scripts/test/JS/JSTestTypedefs.cpp:
(WebCore::jsTestTypedefsPrototypeFunctionFuncWithClamp):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200044 268f45cc-cd09-0410-ab3c-d52691b4dbfc

play-state not parsed as part of animation shorthand
https://bugs.webkit.org/show_bug.cgi?id=156959

Reviewed by Darin Adler.

Source/WebCore:

We failed to parse animation-play-state as part of the animation shorthand, contrary
to the spec and other browsers.

Fix for both the prefixed and unprefixed properties. There is some compat risk here,
but only changing unprefixed behavior will probably lead to more author confusion.

Test: animations/play-state-in-shorthand.html

* css/CSSParser.cpp:
(WebCore::CSSParser::parseAnimationShorthand):
* css/CSSPropertyNames.in:
* css/StylePropertyShorthand.cpp:
(WebCore::animationShorthandForParsing): Remove the long comment which is no longer relevant
now that the behavior has been written into the spec.

LayoutTests:

* animations/animation-shorthand-expected.txt:
* animations/animation-shorthand.html:
* animations/play-state-in-shorthand-expected.txt: Added.
* animations/play-state-in-shorthand.html: Added.
* animations/resources/animation-test-helpers.js:
(getPropertyValue):
(comparePropertyValue):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200043 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Negative animation-delay is treated as 0s
https://bugs.webkit.org/show_bug.cgi?id=141008

Reviewed by Daniel Bates.

Source/WebCore:

Fix keyframe animations which start in the paused state.

Explicitly move such animations from the new to the paused state, and
set m_pauseTime to 0, rather than leaving it at -1. Fix getElapsedTime()
to compute a correct time elapsed time for such animations, which takes
negative delay into account correctly.

Fix assertions which need to account for the new transition of New -> PlayStatePaused.

Test: animations/play-state-start-paused.html

* page/animation/AnimationBase.cpp:
(WebCore::AnimationBase::updateStateMachine):
(WebCore::AnimationBase::getElapsedTime):
* page/animation/KeyframeAnimation.cpp:
(WebCore::KeyframeAnimation::animate):

LayoutTests:

Ref test that has an initially-paused animation on 'left' and with a
3d transform.

* animations/play-state-start-paused-expected.html: Added.
* animations/play-state-start-paused.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200042 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Inline RenderStyle into RenderElement
https://bugs.webkit.org/show_bug.cgi?id=156981

Reviewed by Andreas Kling.

We can save memory and reduce indirection of style access by inlining RenderStyle to RenderElement.

This patch also makes RenderStyle moveable and switches from std::unique_ptr<RenderStyle> to RenderStyle&&
in many places where ownership is passed.

* Modules/plugins/PluginReplacement.h:
(WebCore::PluginReplacement::scriptObject):
(WebCore::PluginReplacement::willCreateRenderer):
* Modules/plugins/QuickTimePluginReplacement.h:
* Modules/plugins/QuickTimePluginReplacement.mm:
(WebCore::QuickTimePluginReplacement::~QuickTimePluginReplacement):
(WebCore::QuickTimePluginReplacement::createElementRenderer):
* Modules/plugins/YouTubePluginReplacement.cpp:
(WebCore::YouTubePluginReplacement::YouTubePluginReplacement):
(WebCore::YouTubePluginReplacement::createElementRenderer):
* Modules/plugins/YouTubePluginReplacement.h:
* css/StyleResolver.cpp:
(WebCore::StyleResolver::styleForElement):
(WebCore::StyleResolver::styleForKeyframe):
(WebCore::StyleResolver::pseudoStyleForElement):
(WebCore::StyleResolver::styleForPage):
(WebCore::StyleResolver::defaultStyleForElement):
(WebCore::StyleResolver::addToMatchedPropertiesCache):
(WebCore::StyleResolver::applyPropertyToStyle):
* dom/Document.cpp:
(WebCore::Document::recalcStyle):
(WebCore::Document::webkitWillEnterFullScreenForElement):
(WebCore::Document::setFullScreenRenderer):
* dom/Element.cpp:
(WebCore::Element::rendererIsNeeded):
(WebCore::Element::createElementRenderer):
* dom/Element.h:
(WebCore::Element::copyNonAttributePropertiesFromElement):
* dom/PseudoElement.cpp:
(WebCore::PseudoElement::resolveCustomStyle):
(WebCore::PseudoElement::didAttachRenderers):
(WebCore::PseudoElement::didRecalcStyle):
* html/BaseButtonInputType.cpp:
(WebCore::BaseButtonInputType::appendFormData):
(WebCore::BaseButtonInputType::createInputRenderer):
* html/BaseButtonInputType.h:
* html/FileInputType.cpp:
(WebCore::FileInputType::handleDOMActivateEvent):
(WebCore::FileInputType::createInputRenderer):
* html/FileInputType.h:
* html/HTMLAppletElement.cpp:
(WebCore::HTMLAppletElement::rendererIsNeeded):
(WebCore::HTMLAppletElement::createElementRenderer):

...

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200041 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Unreviewed, rolling out r199916.
https://bugs.webkit.org/show_bug.cgi?id=156989

Might break buildbot when master is restarted (Requested by
Srinivasan Vijayaraghava, Guest100, on #webkit).

Reverted changeset:

"Add JSC test results in json format to a buildbot log"
https://bugs.webkit.org/show_bug.cgi?id=156920
http://trac.webkit.org/changeset/199916

Patch by Commit Queue <commit-queue@webkit.org> on 2016-04-25

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200040 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Stop listening for "media can start" notifications when media player is cleared
https://bugs.webkit.org/show_bug.cgi?id=156985
<rdar://problem/23158505>

Reviewed by Jer Noble.

No new tests, I have not been able to create a test that reliably reproduces this.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::loadInternal): Add logging.
(WebCore::HTMLMediaElement::selectMediaResource): Assert and return early if there is
  no media player.
(WebCore::HTMLMediaElement::clearMediaPlayer): Stop listening for can start notifications.
(WebCore::HTMLMediaElement::visibilityStateChanged): Add logging.
(WebCore::HTMLMediaElement::mediaCanStart): Ditto.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200039 268f45cc-cd09-0410-ab3c-d52691b4dbfc

We don't have to parse a function's parameters every time if the function is in the source provider cache
https://bugs.webkit.org/show_bug.cgi?id=156943

Reviewed by Filip Pizlo.

This patch makes a few changes to make parsing inner functions
faster.

First, we were always parsing an inner function's parameter
list using the templatized TreeBuiler. This means if our parent scope
was building an AST, we ended up building AST nodes for the inner
function's parameter list even though these nodes would go unused.
This patch fixes that to *always* build an inner function's parameter
list using the SyntaxChecker. (Note that this is consistent now with
always building an inner function's body with a SyntaxChecker.)

Second, we were always parsing an inner function's parameter list
even if we had that function saved in the source provider cache.
I've fixed that bug and made it so that we skip over the parsing
of a function's parameter list when it's in the source provider
cache. We could probably enhance this in the future to skip
over the entirety of a function starting at the "function"
keyword or any other start of the function (depending on
the function type: arrow function, method, etc).

This patch also renames a few fields. First, I fixed a typo
from "tocken" => "token" for a few field names. Secondly,
I renamed a field that was called 'bodyStartColumn' to
'parametersStartColumn' because the field really held the
parameter list's start column.

I'm benchmarking this as a 1.5-2% octane/jquery speedup
on a 15" MBP.

* parser/ASTBuilder.h:
(JSC::ASTBuilder::createFunctionExpr):
(JSC::ASTBuilder::createMethodDefinition):
(JSC::ASTBuilder::createArrowFunctionExpr):
(JSC::ASTBuilder::createGetterOrSetterProperty):
(JSC::ASTBuilder::createFuncDeclStatement):
* parser/Lexer.cpp:
(JSC::Lexer<T>::lex):
* parser/Lexer.h:
(JSC::Lexer::currentPosition):
(JSC::Lexer::positionBeforeLastNewline):
(JSC::Lexer::lastTokenLocation):
(JSC::Lexer::setLastLineNumber):
(JSC::Lexer::lastLineNumber):
(JSC::Lexer::prevTerminator):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
(JSC::Parser<LexerType>::parseFunctionBody):
(JSC::stringForFunctionMode):
(JSC::Parser<LexerType>::parseFunctionParameters):
(JSC::Parser<LexerType>::parseFunctionInfo):
* parser/Parser.h:
(JSC::Scope::usedVariablesContains):
(JSC::Scope::forEachUsedVariable):
(JSC::Scope::useVariable):
(JSC::Scope::copyCapturedVariablesToVector):
(JSC::Scope::fillParametersForSourceProviderCache):
(JSC::Scope::restoreFromSourceProviderCache):
* parser/ParserFunctionInfo.h:
* parser/SourceProviderCacheItem.h:
(JSC::SourceProviderCacheItem::endFunctionToken):
(JSC::SourceProviderCacheItem::usedVariables):
(JSC::SourceProviderCacheItem::SourceProviderCacheItem):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200038 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[Web IDL] Specify default values for parameters of type 'unsigned short'
https://bugs.webkit.org/show_bug.cgi?id=156967

Reviewed by Darin Adler.

Specify default values for parameters of type 'unsigned short' and let
the bindings generator use WTF::Optional<> for the ones without a
default value.

* bindings/scripts/CodeGeneratorJS.pm:
(CanUseWTFOptionalForParameter):
(GenerateParametersCheck):
* testing/Internals.cpp:
(WebCore::Internals::layerTreeAsText): Deleted.
(WebCore::Internals::displayListForElement): Deleted.
(WebCore::Internals::replayDisplayListForElement): Deleted.
* testing/Internals.h:
* testing/Internals.idl:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200037 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[Win][IndexedDB] Fix build errors.
https://bugs.webkit.org/show_bug.cgi?id=156713

Reviewed by Alex Christensen.

Fix compile and link errors when building with IndexedDB enabled.

Source/WebCore:

* Modules/indexeddb/IDBCursor.h:
* Modules/indexeddb/IDBTransaction.cpp:
* Modules/indexeddb/server/MemoryBackingStoreTransaction.h:
* Modules/indexeddb/server/MemoryIDBBackingStore.h:
* PlatformWin.cmake:
* platform/win/FileSystemWin.cpp:
(WebCore::hardLinkOrCopyFile):

Source/WebKit:

* PlatformWin.cmake:

Source/WebKit/win:

* WebView.cpp:
(WebView::notifyPreferencesChanged):
* storage: Added.
* storage/WebDatabaseProvider.cpp: Added.
(WebDatabaseProvider::indexedDatabaseDirectoryPath):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200036 268f45cc-cd09-0410-ab3c-d52691b4dbfc

2016-04-25  Geoffrey Garen  <ggaren@apple.com>

        bmalloc: vm allocations should plant guard pages
        https://bugs.webkit.org/show_bug.cgi?id=156937

        Rolling back in r199936 with a fix for the memory regression.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200035 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Renaming SpecInt32, SpecInt52, MachineInt to SpecInt32Only, SpecInt52Only, AnyInt.
https://bugs.webkit.org/show_bug.cgi?id=156941

Reviewed by Filip Pizlo.

While looking at https://bugs.webkit.org/show_bug.cgi?id=153431, it was decided
that SpecInt32Only, SpecInt52Only, and AnyInt would be better names for
SpecInt32, SpecInt52, and MachineInt.  Let's do a bulk rename.

This is only a renaming patch, and deletion of a piece of unused code.  There are
no semantic changes.

* bindings/ScriptValue.cpp:
(Inspector::jsToInspectorValue):
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromValue):
(JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
(JSC::typeOfDoubleNegation):
(JSC::typeOfDoubleRounding):
* bytecode/SpeculatedType.h:
(JSC::isInt32Speculation):
(JSC::isInt32OrBooleanSpeculation):
(JSC::isInt32SpeculationForArithmetic):
(JSC::isInt32OrBooleanSpeculationForArithmetic):
(JSC::isInt32OrBooleanSpeculationExpectingDefined):
(JSC::isInt52Speculation):
(JSC::isAnyIntSpeculation):
(JSC::isAnyIntAsDoubleSpeculation):
(JSC::isDoubleRealSpeculation):
(JSC::isMachineIntSpeculation): Deleted.
(JSC::isInt52AsDoubleSpeculation): Deleted.
(JSC::isIntegerSpeculation): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
(JSC::DFG::AbstractValue::checkConsistency):
(JSC::DFG::AbstractValue::resultType):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::validateType):
* dfg/DFGArgumentsUtilities.cpp:
(JSC::DFG::emitCodeToGetArgumentsArrayLength):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToThis):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixIntConvertingEdge):
(JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
(JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
(JSC::DFG::FixupPhase::truncateConstantToInt32):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
(JSC::DFG::FixupPhase::prependGetArrayLength):
(JSC::DFG::FixupPhase::fixupChecksInBlock):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addShouldSpeculateInt32):
(JSC::DFG::Graph::addShouldSpeculateAnyInt):
(JSC::DFG::Graph::binaryArithShouldSpeculateInt32):
(JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt):
(JSC::DFG::Graph::unaryArithShouldSpeculateInt32):
(JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt):
(JSC::DFG::Graph::addShouldSpeculateMachineInt): Deleted.
(JSC::DFG::Graph::binaryArithShouldSpeculateMachineInt): Deleted.
(JSC::DFG::Graph::unaryArithShouldSpeculateMachineInt): Deleted.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToIdentityOn):
* dfg/DFGNode.h:
(JSC::DFG::Node::asNumber):
(JSC::DFG::Node::isAnyIntConstant):
(JSC::DFG::Node::asAnyInt):
(JSC::DFG::Node::isBooleanConstant):
(JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
(JSC::DFG::Node::shouldSpeculateAnyInt):
(JSC::DFG::Node::shouldSpeculateDouble):
(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::isMachineIntConstant): Deleted.
(JSC::DFG::Node::asMachineInt): Deleted.
(JSC::DFG::Node::shouldSpeculateMachineInt): Deleted.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::OSREntryData::dumpInContext):
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
(JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileArithAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::speculateInt32):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateMisc):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::spill):
(JSC::DFG::SpeculativeJIT::isKnownInteger):
(JSC::DFG::SpeculativeJIT::isKnownCell):
(JSC::DFG::SpeculativeJIT::isKnownNotInteger):
(JSC::DFG::SpeculativeJIT::isKnownNotNumber):
(JSC::DFG::SpeculativeJIT::isKnownNotCell):
(JSC::DFG::SpeculativeJIT::isKnownNotOther):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::blessBoolean):
(JSC::DFG::SpeculativeJIT::convertAnyInt):
(JSC::DFG::SpeculativeJIT::speculateAnyInt):
(JSC::DFG::SpeculativeJIT::speculateDoubleRepAnyInt):
(JSC::DFG::SpeculativeJIT::convertMachineInt): Deleted.
(JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
(JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt): Deleted.
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):
(JSC::DFG::isDouble):
* dfg/DFGValidate.cpp:
* dfg/DFGVariableAccessData.cpp:
(JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
(JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
(JSC::DFG::VariableAccessData::flushFormat):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileInt52Constant):
(JSC::FTL::DFG::LowerDFGToB3::compileInt52Rep):
(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::strictInt52ToInt32):
(JSC::FTL::DFG::LowerDFGToB3::isInt32):
(JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
(JSC::FTL::DFG::LowerDFGToB3::jsValueToStrictInt52):
(JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
(JSC::FTL::DFG::LowerDFGToB3::speculateAnyInt):
(JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepReal):
(JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepAnyInt):
(JSC::FTL::DFG::LowerDFGToB3::speculateMachineInt): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::speculateDoubleRepMachineInt): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_profile_type):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_profile_type):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::isInt52):
(JSC::JSValue::isAnyInt):
(JSC::JSValue::asAnyInt):
(JSC::JSValue::isMachineInt): Deleted.
(JSC::JSValue::asMachineInt): Deleted.
* runtime/RuntimeType.cpp:
(JSC::runtimeTypeForValue):
(JSC::runtimeTypeAsString):
* runtime/RuntimeType.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::dumpTypes):
(JSC::TypeSet::displayName):
(JSC::TypeSet::inspectorTypeSet):
(JSC::TypeSet::toJSONString):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200034 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Fix a couple of mistakes from r199700.

Rubber-stamped by Anders Carlsson.

* UIProcess/API/Cocoa/WKPreferencesPrivate.h: Added availability attributes to new properties.
* WebKit2.xcodeproj/project.pbxproj: Demoted _WKExperimentalFeatureInternal.h from Private to Project.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200033 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Implement latest File object spec (including its constructor).
https://bugs.webkit.org/show_bug.cgi?id=156511

Reviewed by Darin Adler.

Source/WebCore:

Test: fast/files/file-constructor.html

* CMakeLists.txt:
* WebCore.xcodeproj/project.pbxproj:

* bindings/js/JSDictionary.cpp:
(WebCore::JSDictionary::convertValue):
* bindings/js/JSDictionary.h:

* bindings/js/JSFileCustom.cpp: Added.
(WebCore::constructJSFile):

* fileapi/File.cpp:
(WebCore::File::File):
(WebCore::File::lastModified):
(WebCore::File::lastModifiedDate): Deleted.
* fileapi/File.h:
* fileapi/File.idl:

LayoutTests:

* fast/files/file-constructor-expected.txt: Added.
* fast/files/file-constructor.html: Added.

* http/tests/local/fileapi/file-last-modified-after-delete-expected.txt:
* http/tests/local/fileapi/script-tests/file-last-modified-after-delete.js:

* http/tests/local/fileapi/file-last-modified-expected.txt:
* http/tests/local/fileapi/script-tests/file-last-modified.js:

* imported/blink/storage/indexeddb/blob-basics-metadata-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200032 268f45cc-cd09-0410-ab3c-d52691b4dbfc

REGRESSION(r156846): Crashes with guard malloc
https://bugs.webkit.org/show_bug.cgi?id=156984

Reviewed by Andreas Kling.

RenderElement::cachedFirstLineStyle() returns pointer to local std::unique_ptr.

* rendering/RenderElement.cpp:
(WebCore::RenderElement::uncachedFirstLineStyle):
(WebCore::RenderElement::cachedFirstLineStyle):
(WebCore::RenderElement::firstLineStyle):
(WebCore::firstLineStyleForCachedUncachedType): Deleted.

    Don't try to use a single function for the cached and uncached cases. Separate the cases into the calling functions.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200031 268f45cc-cd09-0410-ab3c-d52691b4dbfc

REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'
https://bugs.webkit.org/show_bug.cgi?id=156935
<rdar://problem/25351286>

Reviewed by Darin Adler.

Source/WebCore:

Fixes an issue where subresource load may be blocked by the Content Security Policy (CSP) if its URL only
matched 'self'. In particular, the load would be blocked if initiated from a document that inherited the
origin of its owner document (e.g. the document contained in <iframe src="about:blank"></iframe>).

Following r196012 we compute and cache 'self' and its protocol on instantiation of a ContentSecurityPolicy
object for use when matching a URL against it. These cached values become out-of-date if the document
subsequently inherits the origin of its owner document. Therefore matches against 'self' will fail and
CSP will block a load if its not otherwise allowed by the policy. Previously we would compute 'self' when
parsing the definition of a source list and compute the protocol for 'self' each time we tried to match a
URL against 'self'. So, 'self' would always be up-to-date with respect to the origin of the document.

Tests: http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html
       http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Extract out logic for computing and caching
'self' and its protocol into ContentSecurityPolicy::updateSourceSelf() and make use of this function.
(WebCore::ContentSecurityPolicy::updateSourceSelf): Computes and caches 'self' and its protocol with
respect to the specified SecurityOrigin.
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Call ContentSecurityPolicy::updateSourceSelf()
to ensure that we have an up-to-date representation for 'self' and the protocol of 'self' which can
become out-of-date if the document inherited the origin of its owner document.
* page/csp/ContentSecurityPolicy.h:

LayoutTests:

Add tests to ensure that we match 'self' correctly in an iframe with an about:blank document.

* http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200030 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Marking media/video-fullscreen-restriction-removed.html as flaky on Mac
https://bugs.webkit.org/show_bug.cgi?id=156983

Unreviewed test gardening.

* platform/mac/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200029 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Drop [UsePointersEvenForNonNullableObjectArguments] from TextTrack
https://bugs.webkit.org/show_bug.cgi?id=156899

Reviewed by Chris Dumez.

No behavior changes.

* html/track/TextTrack.idl: Marking cue and region parameter as nullable.
Also marking cues and activeCues as nullable attributes.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199986 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Drop [UsePointersEvenForNonNullableObjectArguments] from File API interfaces
https://bugs.webkit.org/show_bug.cgi?id=156898

Reviewed by Chris Dumez.

Source/WebCore:

Making FileReaderSync API API throwing a TypeError in case of null parameters, in lieu of a NOT_FOUND_ERR.
Making FileReader API taking nullable parameters as a temporary fix.

Test: fast/files/workers/worker-file-reader-sync-bad-parameter.html

* Modules/websockets/WebSocketChannel.cpp:
(WebCore::WebSocketChannel::processOutgoingFrameQueue): Updated to cope with FileReaderLoader::start taking a Blob&.
* fileapi/FileReader.cpp:
(WebCore::FileReader::readAsArrayBuffer): Updated to cope with readInternal taking a Blob&.
(WebCore::FileReader::readAsBinaryString): Ditto.
(WebCore::FileReader::readAsText): Ditto.
(WebCore::FileReader::readAsDataURL): Ditto.
(WebCore::FileReader::readInternal):  Updated to cope with FileReaderLoader::start taking a Blob&.
* fileapi/FileReader.h:
* fileapi/FileReader.idl: Marking the readXX methods as taking a nullable blob parameter to keep compatibility, at least temporarily.
* fileapi/FileReaderLoader.cpp:
(WebCore::FileReaderLoader::start): It now takes a Blob& as input.
* fileapi/FileReaderLoader.h:
* fileapi/FileReaderSync.cpp:
(WebCore::FileReaderSync::readAsArrayBuffer): Taking a Blob& as input.
(WebCore::FileReaderSync::readAsBinaryString): Ditto.
(WebCore::FileReaderSync::readAsText): Ditto.
(WebCore::FileReaderSync::readAsDataURL): Ditto.
(WebCore::FileReaderSync::startLoading) Ditto.
* fileapi/FileReaderSync.h:
(WebCore::FileReaderSync::readAsText): Ditto.
* fileapi/FileReaderSync.idl:

LayoutTests:

Checking FileReaderSync send method in case of null or undefined blob parameter.
worker-read-blob-sync.html and worker-read-file-sync check the case of badly typed parameters.
In all cases, TypeError is thrown.

* fast/files/workers/resources/worker-file-reader-sync-bad-parameter.js: Added.
(test):
* fast/files/workers/worker-file-reader-sync-bad-parameter-expected.txt: Added.
* fast/files/workers/worker-file-reader-sync-bad-parameter.html: Added.
* fast/files/workers/worker-read-blob-sync-expected.txt: Rebasing expectation.
* fast/files/workers/worker-read-file-sync-expected.txt: Ditto.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199985 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[css-grid] Fix grid-template-columns|rows computed style with content alignment
https://bugs.webkit.org/show_bug.cgi?id=156793

Reviewed by Darin Adler.

Source/WebCore:

Computed style of grid-template-columns and grid-template-rows properties
was including the distribution offset because of content alignment.
We should subtract that offset, like we do for the case of gaps,
when we're calculating the computed style.

Test: fast/css-grid-layout/grid-template-columns-rows-computed-style-gaps-content-alignment.html

* css/CSSComputedStyleDeclaration.cpp:
(WebCore::valueForGridTrackList):
* rendering/RenderGrid.cpp:
(WebCore::RenderGrid::offsetBetweenTracks):
(WebCore::RenderGrid::populateGridPositions): Deleted FIXME.
* rendering/RenderGrid.h:

LayoutTests:

* fast/css-grid-layout/grid-template-columns-rows-computed-style-gaps-content-alignment-expected.txt: Added.
* fast/css-grid-layout/grid-template-columns-rows-computed-style-gaps-content-alignment.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199981 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Refactor RenderMathMLMenclose.
https://bugs.webkit.org/show_bug.cgi?id=155019

Patch by Frederic Wang <fwang@igalia.com> on 2016-04-25
Reviewed by Sergio Villar Senin.

Source/WebCore:

Tests: mathml/presentation/menclose-notation-equivalence.html
       mathml/presentation/menclose-notation-values.html

We rewrite RenderMathMLMenclose so that layout functions correctly override the
behavior of RenderMathMLRow. We try and rely on the draft  of the MathML in HTML5
implementation note, to make easier to get consistency with other rendering engines
in the future. All notations are now drawn with GraphicContext functions instead of
mixing them with CSS style. To save memory space, the list of known notations are
now saved on a short integer using bit masks instead of a vector of string names.
Finally, we remove support for the radical notation so that we no longer need to
create an anonymous RenderMathMLRoot.

* mathml/MathMLMencloseElement.cpp: Remove code for some special notations and just
reimplement parsing of the notation attribute.
(WebCore::MathMLMencloseElement::MathMLMencloseElement): By default, the notation is longdiv.
(WebCore::MathMLMencloseElement::parseAttribute): By default, the list of notation is empty.
If there is no notation attribute, the default value longdiv is used.
Otherwise, we parse the notation attribute and add each notation, using some equivalences
for box, actuarial and madruwb.
(WebCore::MathMLMencloseElement::isPresentationAttribute): Deleted. No need to define
specific style for some notation.
(WebCore::MathMLMencloseElement::finishParsingChildren): Deleted. No need to add an
anonymous square root.
(WebCore::MathMLMencloseElement::collectStyleForPresentationAttribute): Deleted. No need to
define specific style for some notation.
(WebCore::MathMLMencloseElement::longDivLeftPadding): Deleted. RenderMathMLMenclose uses an
arbitrary size instead of measure a glyph.
* mathml/MathMLMencloseElement.h: Define simple bit mask for each notation, add a short
integer to store the list of notations together with helper functions. Remove old code.
* rendering/mathml/RenderMathMLMenclose.cpp: Rewrite RenderMathMLMenclose so that layout
functions correctly override the behavior of RenderMathMLRow.
(WebCore::RenderMathMLMenclose::RenderMathMLMenclose): Init m_ascent to 0.
(WebCore::RenderMathMLMenclose::ruleThickness): For now, we use the fallback value used by
for other bars. We may refine that in the future.
(WebCore::RenderMathMLMenclose::getSpaceAroundContent): Helper function to retrieve the
space to add around the content, depending on the notations specified. Note that for
notation circle, this spacing depends on the content size.
(WebCore::RenderMathMLMenclose::computePreferredLogicalWidths): Reimplement this function.
This is just adding left/right spacing around the content.
(WebCore::RenderMathMLMenclose::layoutBlock): Reimplement this function. We do the normal
RenderMathMLRow layout, adjust spacing and child position and
calculate m_ascent and m_contentRect.
(WebCore::RenderMathMLMenclose::firstLineBaseline): Implement this function.
We just return m_ascent.
(WebCore::drawLine): Helper function to draw a line using strokePath.
(WebCore::RenderMathMLMenclose::paint): We reimplement this function to draw
all notations using GraphicContext.
(WebCore::RenderMathMLMenclose::addChild): Deleted. No need to manage anonymous renderers.
(WebCore::RenderMathMLMenclose::updateLogicalHeight): Deleted. Height is now calculated
in layoutBlock.
(WebCore::RenderMathMLMenclose::checkNotationalValuesValidity): Deleted.
* rendering/mathml/RenderMathMLMenclose.h: Update member definitions.
* rendering/mathml/RenderMathMLRoot.cpp: We no longer need anonymous roots.
(WebCore::RenderMathMLRoot::RenderMathMLRoot): Deleted.
* rendering/mathml/RenderMathMLRoot.h: We no longer need anonymous roots.
* rendering/mathml/RenderMathMLRow.cpp: Allow to get the exact metrics of the chid row,
for use in RenderMathMLRoot.
(WebCore::RenderMathMLRow::computeLineVerticalStretch): rename parameters.
(WebCore::RenderMathMLRow::layoutRowItems): Set parameters to the final ascent, descent and
logical width of the chid row. Set the temporary logical width for RenderMathMenclose before
laying the children out.
(WebCore::RenderMathMLRow::layoutBlock): Rename parameters ; add a dummy logicalWidth
parameter.
* rendering/mathml/RenderMathMLRow.h: Make some functions accessible or overridable by
RenderMathMLRoot. Make layoutRowItems return the final ascent, descent and logical width
after the chid row is laid out.
* rendering/mathml/RenderMathMLSquareRoot.cpp: We no longer need anonymous roots.
(WebCore::RenderMathMLSquareRoot::RenderMathMLSquareRoot): Deleted.
(WebCore::RenderMathMLSquareRoot::createAnonymousWithParentRenderer): Deleted.
* rendering/mathml/RenderMathMLSquareRoot.h: We no longer need anonymous roots.

LayoutTests:

* mathml/presentation/menclose-notation-attribute-set1.html: Removed.
This is replaced with menclose-notation-values.
* mathml/presentation/menclose-notation-attribute-set1-expected.txt: Removed.
This is replaced with menclose-notation-values.
* mathml/presentation/menclose-notation-attribute-set2-expected-mismatch.html: Removed.
This is replaced with menclose-notation-values.
* mathml/presentation/menclose-notation-attribute-set2.html: Removed.
This is replaced with menclose-notation-values.
* mathml/presentation/menclose-notation-values.html: Added.
This test verifies the rendering of various menclose notations.
* mathml/presentation/menclose-notation-equivalence.html: Added.
This test verifies some equivalence for the notation attribute value.
* mathml/presentation/menclose-notation-equivalence-expected.html: Added.
* mathml/presentation/menclose-notation-radical.html: Update the test now that support for
the radical notation is removed.
* mathml/presentation/menclose-notation-radical-expected.html: ditto.
* platform/gtk/mathml/presentation/menclose-notation-default-longdiv-expected.png: Update
reference due to small changes in longdiv implementation.
* platform/gtk/mathml/presentation/menclose-notation-default-longdiv-expected.txt: ditto.
* platform/mac/mathml/presentation/menclose-notation-default-longdiv-expected.png: ditto.
* platform/mac/mathml/presentation/menclose-notation-default-longdiv-expected.txt: ditto.
* platform/ios-simulator/mathml/presentation/menclose-notation-default-longdiv-expected.txt: ditto
* platform/gtk/mathml/presentation/menclose-notation-values-expected.png: Added.
* platform/gtk/mathml/presentation/menclose-notation-values-expected.txt: Added.
* platform/mac/mathml/presentation/menclose-notation-values-expected.png: Added.
* platform/mac/mathml/presentation/menclose-notation-values-expected.txt: Added.
* platform/ios-simulator/mathml/presentation/menclose-notation-values-expected.txt: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199980 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Minor refactoring in RenderMathMLOperator
https://bugs.webkit.org/show_bug.cgi?id=156906

Patch by Frederic Wang <fwang@igalia.com> on 2016-04-25
Reviewed by Martin Robinson.

No new tests, this is only minor refactoring that does not change the behavior.

* rendering/mathml/RenderMathMLOperator.cpp:
(WebCore::RenderMathMLOperator::getGlyphAssemblyFallBack):
We rename the "state" integer to an "expected" enum indicating the next expected part.
(WebCore::RenderMathMLOperator::paintGlyph): We add a missing dot at the end of a sequence.
We also replace ceil(x+1) with ceil(x)+1 to get rid of the temporary variable.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199978 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[EFL] Update the ewk_settings_offline_web_application_cache_enabled_get() expected value after r199854.
https://bugs.webkit.org/show_bug.cgi?id=156968

Reviewed by Gyuyoung Kim.

* UIProcess/API/C/WKPreferencesRef.h: Update the comment.
* UIProcess/API/efl/tests/test_ewk2_settings.cpp:
(TEST_F):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199977 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[Web IDL] Specify default values for boolean parameters
https://bugs.webkit.org/show_bug.cgi?id=156964

Reviewed by Darin Adler.

Specify default values for boolean parameters in our IDL files and
let the bindings generator use WTF::Optional<> for the ones without
a default value.

* CMakeLists.txt:
* Modules/indexeddb/IDBKeyRange.cpp:
* Modules/indexeddb/IDBKeyRange.h:
* Modules/indexeddb/IDBKeyRange.idl:
* WebCore.xcodeproj/project.pbxproj:
* bindings/js/JSBindingsAllInOne.cpp:

* bindings/js/JSDOMTokenListCustom.cpp: Removed.
We no longer need these custom bindings as the bindings generator
will now provide the implementation with an Optional<bool>, given
that the parameter has no default value.

* bindings/scripts/CodeGeneratorJS.pm:
(CanUseWTFOptionalForParameterType): Deleted.
* bindings/scripts/test/GObject/WebKitDOMTestObj.cpp:
(webkit_dom_test_obj_method_with_optional_boolean):
(webkit_dom_test_obj_method_with_optional_boolean_is_false):
* bindings/scripts/test/GObject/WebKitDOMTestObj.h:
* bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::jsTestObjPrototypeFunctionMethodWithOptionalBoolean):
(WebCore::jsTestObjPrototypeFunctionMethodWithOptionalBooleanIsFalse):
* bindings/scripts/test/ObjC/DOMTestObj.h:
* bindings/scripts/test/ObjC/DOMTestObj.mm:
(-[DOMTestObj methodWithOptionalBoolean:]):
(-[DOMTestObj methodWithOptionalBooleanIsFalse:]):
* bindings/scripts/test/TestObj.idl:
* dom/Document.h:
* dom/Document.idl:
* dom/Element.idl:
* dom/EventTarget.idl:
* html/DOMTokenList.idl:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199976 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[EFL] Some media tests have been failed after bumping gstreamer ver.

Unreviewed EFL gardening. Mark failing tests to timeout or failure.

* platform/efl/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199975 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Web Inspector: Can't sort by name/source code location columns in Timeline data grids
https://bugs.webkit.org/show_bug.cgi?id=156965
<rdar://problem/25898716>

Reviewed by Timothy Hatcher.

Add support for sorting SourceCodeLocation objects to TimelineDataGrid,
and include a grid delegate so that views can extend sorting logic for
other document fragment columns.

* UserInterface/Views/NetworkTimelineView.js:
(WebInspector.NetworkTimelineView):
(WebInspector.NetworkTimelineView.prototype.dataGridSortComparator):
Sort "name" column by display name first, then resource URL.

* UserInterface/Views/ScriptDetailsTimelineView.js:
(WebInspector.ScriptDetailsTimelineView):
(WebInspector.ScriptDetailsTimelineView.prototype.dataGridSortComparator):
Sort "name" column by display name first, then subtitle.

* UserInterface/Views/ScriptTimelineDataGridNode.js:
(WebInspector.ScriptTimelineDataGridNode.prototype.get subtitle):
Make subtitle accessible externally for sorting.
(WebInspector.ScriptTimelineDataGridNode.prototype._createNameCellDocumentFragment):
(WebInspector.ScriptTimelineDataGridNode):

* UserInterface/Views/TimelineDataGrid.js:
(WebInspector.TimelineDataGrid):
(WebInspector.TimelineDataGrid.prototype.get sortDelegate):
(WebInspector.TimelineDataGrid.prototype.set sortDelegate):
Fire a SortChanged event if the delegate changed and the grid is sorted.
(WebInspector.TimelineDataGrid.prototype._sort):
If a sort delegate exists, and it returns a numeric value, skip the
default compare.

(WebInspector.TimelineDataGrid.prototype._sortComparator):
Add support for sorting SourceCodeLocation columns.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199974 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Unreviewed, revert part of r199970 that shouldn't have been committed.

* web-platform-tests/IndexedDB/idbfactory_open9.htm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199973 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Web Inspector: Error when selecting a bar in the Frames timeline
https://bugs.webkit.org/show_bug.cgi?id=156960
<rdar://problem/25897955>

Reviewed by Timothy Hatcher.

Fixes timeline grid node selection when record selected in the overview.
Adds general purpose `findNode` method to DataGrid.

* UserInterface/Views/DataGrid.js:
(WebInspector.DataGrid.prototype.findNode):
Basic find function for locating a grid node in linear time.

* UserInterface/Views/TimelineRecordingContentView.js:
(WebInspector.TimelineRecordingContentView.prototype._recordSelected):
Remove tree outline references, call generic select method.

* UserInterface/Views/TimelineView.js:
(WebInspector.TimelineView.prototype.selectRecord):
If a data grid was set, deselect current selection and select the node
associated with the timeline record.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199972 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Web Inspector: Events in JavaScript & Events timeline have no profile children
https://bugs.webkit.org/show_bug.cgi?id=156627
<rdar://problem/25749740>

Reviewed by Timothy Hatcher.

ProfileNodeDataGridNode should handle `populate` events when expanded.
This was previously done by ProfileNodeTreeElement, which is no longer
used in the Timelines tab.

* UserInterface/Views/ProfileDataGridNode.js:
(WebInspector.ProfileDataGridNode.prototype._updateChildrenForModifiers):
(WebInspector.ProfileDataGridNode.prototype._populate):
(WebInspector.ProfileDataGridNode):
DataGridNode sets `shouldRefreshChildren` to false after populating
child nodes. No need to track with a separate flag.

* UserInterface/Views/ProfileNodeDataGridNode.js:
(WebInspector.ProfileNodeDataGridNode):
(WebInspector.ProfileNodeDataGridNode.prototype._populate):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199971 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Autogenerated IDBFactory.open() does the wrong thing if you pass an explicit 'undefined' as the second argument
https://bugs.webkit.org/show_bug.cgi?id=156939

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Re-sync tests from upstream b1818929.

* IndexedDB-private-browsing/idbfactory_open9-expected.txt:
* IndexedDB-private-browsing/idbfactory_open9.html:
* web-platform-tests/IndexedDB/idbfactory_open9-expected.txt:
* web-platform-tests/IndexedDB/idbfactory_open9.htm:

Source/WebCore:

As per WebIDL, if undefined is passed by JS for an optional parameter then
we should use its default value if it has one, or use the special value
"missing":
http://heycam.github.io/webidl/#es-overloads (step 10.4)

Our bindings generator was already mapping undefined to the parameter's
default value when present. However, it was missing the notion of
"missing" value when there no default value. This patch adds supports
for its by passing Optional<>(Nullopt) to the implementation in such
case. This means that the implementation will need to use WTF::Optional<>
type for parameters that do not have a default value. Thankfully though,
in most cases, we will be able to specify a default value in the IDL
so cases where we will need to use WTF::Optional<> will actually be
rare.

To avoid having to do too much refactoring in this patch, the support
for WTF::Optional is currently blacklisted for most IDL types. I will
gradually stop blacklisting each type in follow-up patches, as I either:
- Add default parameter values in our IDL (preferred)
- Use WTF::Optional<> in our implementation (when we cannot specify a
  default value).

This patch fixes a bug with IDBFactory.open()'s second parameter (version)
for which undefined should not throw and indicate that the version
should not be changed. We now use WTF::Optional in the implementation to
distinguish this case and not throw.

No new tests, existing tests were updated / rebaselined.

* Modules/indexeddb/IDBFactory.cpp:
(WebCore::IDBFactory::open):
(WebCore::IDBFactory::openInternal): Deleted.
* Modules/indexeddb/IDBFactory.h:
* bindings/scripts/CodeGeneratorJS.pm:
(ShouldUseWTFOptionalForParameterType):
(GenerateParametersCheck):
* fileapi/Blob.idl:
* inspector/InspectorIndexedDBAgent.cpp:

LayoutTests:

Update / rebaseline existing test now that passing undefined as second parameter to
IDBFactory.open() no longer throws.

* storage/indexeddb/intversion-bad-parameters-expected.txt:
* storage/indexeddb/intversion-bad-parameters-private-expected.txt:
* storage/indexeddb/resources/intversion-bad-parameters.js:
(deleteSuccess):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199970 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[WebIDL] Drop [Default] WebKit-IDL extended attribute
https://bugs.webkit.org/show_bug.cgi?id=156955

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

Rebaseline some tests now that a different exception type is thrown
for some of our APIs when passing null.

* web-platform-tests/dom/interfaces-expected.txt:
* web-platform-tests/html/dom/interfaces-expected.txt:

Source/WebCore:

Drop [Default] WebKit-IDL extended attribute in favor of the standard
WebIDL syntax for parameters' default value.

Here is what it looks like:
[Default=NullString] optional DOMString a -> optional DOMString a = null
[Default=NullString] optional DOMString? a -> optional DOMString? a = null
[Default=Undefined] optional DOMString a -> optional DOMString a = "undefined"
[Default=Undefined] optional DOMString? a -> optional DOMString? a = null
[Default=Undefined] optional long a -> optional long a = 0
[Default=Undefined] optional bool a -> optional bool a = false
[Default=Undefined] optional unrestricted double a -> optional unrestricted double a = NaN
[Default=Undefined] optional unrestricted float a -> optional unrestricted float a = NaN
[Default=Undefined] optional sequence<DOMString> a -> optional sequence<DOMString> a = []

These do not cause any Web-Exposed behavior change. However, when getting
rid of [Default] started passing more parameters by derefence instead of
pointer (as is expected for parameters not marked as nullable). As a result,
I had to mark a few parameters as nullable in the IDL to maintain the
previous behavior. In some cases, the implementation was already throwing
when passing null. In such cases, I have not marked the type as nullable
so that the generated bindings now throw the exception instead of our
implementation code. In some cases, the exception being thrown is now
different. This is why some of the layout tests had to be rebaselined.

No new tests, existing tests have been rebaselined. No significant Web
exposed behavior change is expected from this patch, beside exceptions
type sometimes being different.

* Modules/encryptedmedia/MediaKeys.idl:
* Modules/fetch/FetchRequest.idl:
* Modules/gamepad/deprecated/GamepadList.idl:
* Modules/indexeddb/IDBDatabase.idl:
* Modules/mediastream/RTCStatsResponse.idl:
* Modules/notifications/Notification.idl:
* Modules/speech/SpeechSynthesisUtterance.idl:
* Modules/webaudio/AudioNode.idl:
* Modules/websockets/WebSocket.idl:
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateParametersCheck):
* bindings/scripts/IDLAttributes.txt:
* bindings/scripts/IDLParser.pm:
(parseDefault):
(parseDefaultValue):
* bindings/scripts/test/TestInterface.idl:
* bindings/scripts/test/TestNamedConstructor.idl:
* bindings/scripts/test/TestObj.idl:
* bindings/scripts/test/TestOverrideBuiltins.idl:
* css/CSSKeyframesRule.idl:
* css/CSSMediaRule.idl:
* css/CSSPrimitiveValue.idl:
* css/CSSRuleList.idl:
* css/CSSStyleDeclaration.idl:
* css/CSSStyleSheet.idl:
* css/CSSSupportsRule.idl:
* css/CSSValueList.idl:
* css/MediaList.idl:
* css/MediaQueryList.idl:
* css/MediaQueryListListener.idl:
* css/StyleMedia.idl:
* css/StyleSheetList.idl:
* css/WebKitCSSFilterValue.idl:
* css/WebKitCSSMatrix.idl:
* css/WebKitCSSTransformValue.idl:
* dom/ClientRectList.idl:
* dom/Comment.idl:
* dom/CompositionEvent.idl:
* dom/CustomEvent.h:
* dom/CustomEvent.idl:
* dom/DOMImplementation.idl:
* dom/DOMStringList.idl:
* dom/DataTransferItem.idl:
* dom/DataTransferItemList.idl:
* dom/DeviceMotionEvent.idl:
* dom/DeviceOrientationEvent.idl:
* dom/Document.cpp:
(WebCore::Document::adoptNode):
* dom/Document.idl:
* dom/Element.cpp:
(WebCore::Element::setAttributeNode):
(WebCore::Element::setAttributeNodeNS):
(WebCore::Element::removeAttributeNode):
(WebCore::Element::parseAttributeName): Deleted.
* dom/Element.h:
* dom/Element.idl:
* dom/Event.idl:
* dom/HashChangeEvent.idl:
* dom/KeyboardEvent.idl:
* dom/MessageEvent.idl:
* dom/MouseEvent.idl:
* dom/MutationEvent.idl:
* dom/NamedNodeMap.cpp:
(WebCore::NamedNodeMap::setNamedItem):
(WebCore::NamedNodeMap::setNamedItemNS):
(WebCore::NamedNodeMap::item): Deleted.
* dom/NamedNodeMap.h:
* dom/NamedNodeMap.idl:
* dom/Node.idl:
* dom/NodeFilter.idl:
* dom/NonElementParentNode.idl:
* dom/OverflowEvent.idl:
* dom/Range.idl:
* dom/Text.idl:
* dom/TextEvent.idl:
* dom/TouchEvent.idl:
* dom/UIEvent.idl:
* dom/WheelEvent.idl:
* html/DOMFormData.idl:
* html/HTMLAllCollection.idl:
* html/HTMLAudioElement.idl:
* html/HTMLCanvasElement.idl:
* html/HTMLCollection.idl:
* html/HTMLDocument.idl:
* html/HTMLElement.cpp:
(WebCore::HTMLElement::insertAdjacentElement):
(WebCore::contextElementForInsertion): Deleted.
* html/HTMLElement.h:
* html/HTMLElement.idl:
* html/HTMLFormControlsCollection.idl:
* html/HTMLInputElement.idl:
* html/HTMLMediaElement.idl:
* html/HTMLOptionElement.idl:
* html/HTMLOptionsCollection.idl:
* html/HTMLSelectElement.idl:
* html/HTMLTableElement.idl:
* html/HTMLTableRowElement.idl:
* html/HTMLTableSectionElement.idl:
* html/HTMLTextAreaElement.idl:
* html/ImageData.idl:
* html/canvas/CanvasGradient.idl:
* html/canvas/CanvasRenderingContext2D.idl:
* html/canvas/DOMPath.idl:
* html/canvas/OESVertexArrayObject.idl:
* page/DOMSelection.cpp:
(WebCore::DOMSelection::extend):
(WebCore::DOMSelection::getRangeAt): Deleted.
* page/DOMSelection.h:
* page/DOMSelection.idl:
* page/DOMWindow.idl:
* page/History.idl:
* page/Performance.idl:
* page/WindowTimers.idl:
* plugins/DOMMimeTypeArray.idl:
* plugins/DOMPlugin.idl:
* plugins/DOMPluginArray.idl:
* storage/StorageEvent.idl:
* svg/SVGAnimationElement.idl:
* svg/SVGDocument.idl:
* svg/SVGElement.idl:
* svg/SVGFEDropShadowElement.idl:
* svg/SVGFEGaussianBlurElement.idl:
* svg/SVGFEMorphologyElement.idl:
* svg/SVGFilterElement.idl:
* svg/SVGGraphicsElement.idl:
* svg/SVGMarkerElement.idl:
* svg/SVGPathElement.idl:
* svg/SVGSVGElement.idl:
* svg/SVGTests.idl:
* svg/SVGTextContentElement.idl:
* xml/DOMParser.idl:
* xml/XMLSerializer.cpp:
(WebCore::XMLSerializer::serializeToString):
* xml/XMLSerializer.h:
* xml/XMLSerializer.idl:
* xml/XPathEvaluator.idl:
* xml/XPathExpression.idl:
* xml/XPathNSResolver.idl:
* xml/XPathResult.idl:
* xml/XSLTProcessor.idl:

Tools:

* WebKitTestRunner/InjectedBundle/Bindings/TestRunner.idl:

LayoutTests:

Rebaseline some tests now that a different exception type is thrown
for some of our APIs when passing null.

* editing/selection/extend-expected.txt:
* fast/dom/Element/attr-param-typechecking-expected.txt:
* fast/dom/NamedNodeMap-setNamedItem-crash-expected.txt:
* fast/dynamic/insertAdjacentElement-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199969 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[JSC] Optimize JSON.parse string fast path
https://bugs.webkit.org/show_bug.cgi?id=156953

Reviewed by Mark Lam.

This patch further optimizes the string parsing fast path.
Previously, we generated the WTF::String to hold the ownership of the token's string.
And always copied the token in LiteralParser side.
Instead, we hold the ownership of the token String by the StringBuilder in LiteralParser::Lexer,
and remove the processing in the string parsing fast path.
This patch gives us stable 1 - 2.5% improvement in Kraken json-parse-financial.

                               Baseline                  Modified

json-parse-financial        41.383+-0.248      ^      40.894+-0.189         ^ definitely 1.0120x faster

* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::tryJSONPParse):
(JSC::LiteralParser<CharType>::Lexer::lex):
(JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
(JSC::LiteralParser<CharType>::parse):
(JSC::LiteralParser<CharType>::Lexer::lexString): Deleted.
* runtime/LiteralParser.h:
(JSC::LiteralParser::tryLiteralParse):
(JSC::LiteralParser::Lexer::currentToken):
(JSC::LiteralParser::Lexer::LiteralParserTokenPtr::LiteralParserTokenPtr):
(JSC::LiteralParser::Lexer::LiteralParserTokenPtr::operator->):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199968 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[INTL] Implement String.prototype.localeCompare in ECMA-402
https://bugs.webkit.org/show_bug.cgi?id=147607

Patch by Filip Pizlo <fpizlo@apple.com> and Andy VanWagoner <thetalecrafter@gmail.com> on 2016-04-24
Reviewed by Darin Adler.
Source/JavaScriptCore:

Part of this change is just rolling 194394 back in.

The other part is making that not a regression on CDjs. Other than the fact that it uses
bound functions, the problem with this new localeCompare implementation is that it uses
the arguments object. It uses it in a way that *seems* like ArgumentsEliminationPhase
ought to handle, but to my surprise it didn't:

- If we have a ForceExit GetByVal on the arguments object, we would previously assume that
  it escaped. That's false since we just exit at ForceExit. On the other hand we probably
  should be pruning unreachable paths before we get here, but that's a separate issue. I
  don't want to play with phase order right now.

- If we have a OutOfBounds GetByVal on the arguments object, then the best that would
  previously happen is that we'd compile it into an in-bounds arguments access. That's quite
  bad, as Andy's localeCompare illustrates: it uses out-of-bounds access on the arguments
  object to detect if an argument was passed. This change introduces an OutOfBounds version
  of GetMyArgumentByVal for this purpose.

This change required registering sane chain watchpoints. In the process, I noticed that the
old way of doing it had a race condition: we might register watchpoints for the structure
that had become insane. This change introduces a double-checking idiom that I believe works
because once the structure becomes insane it can't go back to sane and watchpoints
registration already involves executing the hardest possible fences.

* builtins/StringPrototype.js:
(repeat):
(localeCompare):
(search):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
* ftl/FTLTypedPointer.h:
(JSC::FTL::TypedPointer::TypedPointer):
(JSC::FTL::TypedPointer::operator bool):
(JSC::FTL::TypedPointer::heap):
(JSC::FTL::TypedPointer::operator!): Deleted.
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):

LayoutTests:

* js/dom/script-tests/string-prototype-properties.js:
* js/dom/string-prototype-properties-expected.txt:
* js/regress/locale-compare.html: Added.
* js/regress/locale-compare-expected.txt: Added.
* js/regress/scripts-tests/locale-compare.js: Added.
* js/script-tests/string-localeCompare.js:
* js/string-localeCompare-expected.txt:
* js/string-localeCompare.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199967 268f45cc-cd09-0410-ab3c-d52691b4dbfc

RenderStyle should not be reference counted
https://bugs.webkit.org/show_bug.cgi?id=156846

Reviewed by Andreas Kling.

RenderStyle reference counts its substructures. We no longer share RenderStyle objects between normal renderers
so there is no reason to refcount the RenderStyles themselves too. Making it a non-refcounted type clarifies
ownership relations, reduces branchiness and saves some memory.

This patches switches mostly mechanically from Ref/RefPtr<RenderStyle> to std::unique_ptr<RenderStyle>. In
the future RenderStyle can be given regular value semantics.

* Modules/plugins/PluginReplacement.h:
(WebCore::PluginReplacement::scriptObject):
(WebCore::PluginReplacement::willCreateRenderer):
* Modules/plugins/QuickTimePluginReplacement.h:
* Modules/plugins/QuickTimePluginReplacement.mm:
(WebCore::QuickTimePluginReplacement::~QuickTimePluginReplacement):
(WebCore::QuickTimePluginReplacement::createElementRenderer):
* Modules/plugins/YouTubePluginReplacement.cpp:
(WebCore::YouTubePluginReplacement::YouTubePluginReplacement):
(WebCore::YouTubePluginReplacement::createElementRenderer):
* Modules/plugins/YouTubePluginReplacement.h:
* css/CSSComputedStyleDeclaration.cpp:
(WebCore::ComputedStyleExtractor::getFontSizeCSSValuePreferringKeyword):
(WebCore::ComputedStyleExtractor::useFixedFontDefaultSize):
(WebCore::updateStyleIfNeededForNode):
(WebCore::computeRenderStyleForProperty):
(WebCore::ComputedStyleExtractor::customPropertyValue):
(WebCore::ComputedStyleExtractor::propertyValue):
* css/MediaQueryEvaluator.cpp:
(WebCore::MediaQueryEvaluator::MediaQueryEvaluator):
(WebCore::MediaQueryEvaluator::eval):
* css/MediaQueryEvaluator.h:

    Clarify in code that MediaQueryEvaluator does not own the style.

* css/MediaQueryMatcher.cpp:
(WebCore::MediaQueryMatcher::mediaType):
(WebCore::MediaQueryMatcher::documentElementUserAgentStyle):
(WebCore::MediaQueryMatcher::evaluate):
(WebCore::MediaQueryMatcher::matchMedia):
(WebCore::MediaQueryMatcher::styleResolverChanged):
(WebCore::MediaQueryMatcher::prepareEvaluator): Deleted.
* css/MediaQueryMatcher.h:
* css/StyleMedia.cpp:
(WebCore::StyleMedia::matchMedium):
* css/StyleResolver.cpp:
(WebCore::StyleResolver::State::clear):
(WebCore::StyleResolver::State::updateConversionData):
(WebCore::StyleResolver::State::setStyle):
(WebCore::StyleResolver::State::setParentStyle):

    State owns the style explicitly set by setParentStyle but not the one given via constructor.

(WebCore::isAtShadowBoundary):
(WebCore::StyleResolver::styleForElement):
(WebCore::StyleResolver::styleForKeyframe):
(WebCore::StyleResolver::keyframeStylesForAnimation):
(WebCore::StyleResolver::pseudoStyleForElement):
(WebCore::StyleResolver::styleForPage):
(WebCore::StyleResolver::defaultStyleForElement):
(WebCore::StyleResolver::applyMatchedProperties):
(WebCore::StyleResolver::applyPropertyToStyle):
* css/StyleResolver.h:
(WebCore::ElementStyle::ElementStyle):
(WebCore::StyleResolver::style):
(WebCore::StyleResolver::parentStyle):
(WebCore::StyleResolver::setOverrideDocumentElementStyle):
(WebCore::StyleResolver::State::document):
(WebCore::StyleResolver::State::element):
(WebCore::StyleResolver::State::style):
(WebCore::StyleResolver::State::takeStyle):
(WebCore::StyleResolver::State::parentStyle):
(WebCore::StyleResolver::State::rootElementStyle):
(WebCore::StyleResolver::State::regionForStyling):
(WebCore::StyleResolver::State::setParentStyle): Deleted.
* dom/Document.cpp:
(WebCore::Document::recalcStyle):
(WebCore::Document::updateLayoutIgnorePendingStylesheets):
(WebCore::Document::styleForElementIgnoringPendingStylesheets):
(WebCore::Document::isPageBoxVisible):
(WebCore::Document::pageSizeAndMarginsInPixels):
(WebCore::Document::addAutoSizingNode):
(WebCore::Document::validateAutoSizingNodes):
(WebCore::Document::resetAutoSizingNodes):
(WebCore::Document::setFullScreenRenderer):
* dom/Document.h:
* dom/Element.cpp:
(WebCore::Element::rendererIsNeeded):
(WebCore::Element::createElementRenderer):
(WebCore::Element::resolveComputedStyle):
* dom/Element.h:
(WebCore::Element::copyNonAttributePropertiesFromElement):
* dom/ElementRareData.h:

...

* page/animation/AnimationBase.h:
* page/animation/AnimationController.cpp:
(WebCore::AnimationControllerPrivate::receivedStartTimeResponse):
(WebCore::AnimationControllerPrivate::getAnimatedStyleForRenderer):
(WebCore::AnimationControllerPrivate::computeExtentOfAnimation):
(WebCore::AnimationController::cancelAnimations):
(WebCore::AnimationController::updateAnimations):

    std::unique_ptr<RenderStyle& animatedStyle argument is now expected no be initially null and
    is only set if a new style is created.

(WebCore::AnimationController::getAnimatedStyleForRenderer):
* page/animation/AnimationController.h:
* page/animation/AnimationControllerPrivate.h:
* page/animation/CompositeAnimation.cpp:
(WebCore::CompositeAnimation::updateTransitions):
(WebCore::CompositeAnimation::updateKeyframeAnimations):
(WebCore::CompositeAnimation::animate):
(WebCore::CompositeAnimation::getAnimatedStyle):
* page/animation/CompositeAnimation.h:
* page/animation/ImplicitAnimation.cpp:
(WebCore::ImplicitAnimation::ImplicitAnimation):
(WebCore::ImplicitAnimation::shouldSendEventForListener):
(WebCore::ImplicitAnimation::animate):
(WebCore::ImplicitAnimation::getAnimatedStyle):
(WebCore::ImplicitAnimation::onAnimationEnd):
(WebCore::ImplicitAnimation::reset):
* page/animation/ImplicitAnimation.h:
* page/animation/KeyframeAnimation.cpp:
(WebCore::KeyframeAnimation::KeyframeAnimation):
(WebCore::KeyframeAnimation::fetchIntervalEndpointsForProperty):
(WebCore::KeyframeAnimation::animate):
(WebCore::KeyframeAnimation::getAnimatedStyle):
* page/animation/KeyframeAnimation.h:
* rendering/RenderAttachment.cpp:
(WebCore::RenderAttachment::RenderAttachment):
* rendering/RenderAttachment.h:
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::RenderBlock):
(WebCore::RenderBlock::styleDidChange):
(WebCore::RenderBlock::clone):
(WebCore::RenderBlock::updateFirstLetterStyle):
(WebCore::RenderBlock::createFirstLetterRenderer):
* rendering/RenderBlock.h:
* rendering/RenderBlockFlow.cpp:
(WebCore::RenderBlockFlow::MarginInfo::MarginInfo):
(WebCore::RenderBlockFlow::RenderBlockFlow):
* rendering/RenderBlockFlow.h:
* rendering/RenderBox.cpp:
(WebCore::skipBodyBackground):
(WebCore::RenderBox::RenderBox):
* rendering/RenderBox.h:
* rendering/RenderBoxModelObject.cpp:
(WebCore::RenderBoxModelObject::suspendAnimations):
(WebCore::RenderBoxModelObject::RenderBoxModelObject):
* rendering/RenderBoxModelObject.h:
* rendering/RenderButton.cpp:
(WebCore::RenderButton::RenderButton):
(WebCore::RenderButton::setupInnerStyle):
* rendering/RenderButton.h:
* rendering/RenderCombineText.h:
* rendering/RenderDeprecatedFlexibleBox.cpp:
(WebCore::RenderDeprecatedFlexibleBox::RenderDeprecatedFlexibleBox):
* rendering/RenderDeprecatedFlexibleBox.h:
* rendering/RenderDetailsMarker.cpp:
(WebCore::RenderDetailsMarker::RenderDetailsMarker):
* rendering/RenderDetailsMarker.h:
* rendering/RenderElement.cpp:
(WebCore::controlStatesRendererMap):
(WebCore::RenderElement::RenderElement):
(WebCore::RenderElement::~RenderElement):
(WebCore::RenderElement::createFor):
(WebCore::firstLineStyleForCachedUncachedType):
(WebCore::RenderElement::uncachedFirstLineStyle):
(WebCore::RenderElement::cachedFirstLineStyle):
(WebCore::RenderElement::initializeStyle):
(WebCore::RenderElement::setStyle):
(WebCore::RenderElement::propagateStyleToAnonymousChildren):
(WebCore::RenderElement::styleDidChange):
(WebCore::RenderElement::getCachedPseudoStyle):

    Return plain pointer as the cache owns the style.

(WebCore::RenderElement::getUncachedPseudoStyle):

    return std::unique_ptr<RenderStyle>

(WebCore::RenderElement::selectionColor):
(WebCore::RenderElement::selectionPseudoStyle):
(WebCore::RenderElement::selectionBackgroundColor):
* rendering/RenderElement.h:
(WebCore::RenderElement::hasInitializedStyle):
(WebCore::RenderElement::style):
(WebCore::RenderElement::element):
(WebCore::RenderElement::setStyleInternal):
* rendering/RenderEmbeddedObject.cpp:

...

(WebCore::RenderImage::imageResource):
* rendering/RenderInline.cpp:
(WebCore::RenderInline::RenderInline):
(WebCore::updateStyleOfAnonymousBlockContinuations):
(WebCore::RenderInline::styleDidChange):

    Continuations now get their own RenderStyles.

(WebCore::RenderInline::addChildIgnoringContinuation):
(WebCore::RenderInline::clone):
* rendering/RenderInline.h:
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::currentTransform):
(WebCore::RenderLayer::calculateClipRects):
* rendering/RenderLayer.h:

...

* rendering/style/KeyframeList.cpp:
(WebCore::KeyframeList::operator==):
(WebCore::KeyframeList::insert):

    KeyframeValue is now movable but not copyable type. Adjust accordingly.

* rendering/style/KeyframeList.h:
(WebCore::KeyframeValue::KeyframeValue):
(WebCore::KeyframeValue::setKey):
(WebCore::KeyframeValue::style):
(WebCore::KeyframeValue::setStyle):
(WebCore::KeyframeList::animationName):
(WebCore::KeyframeList::addProperty):
(WebCore::KeyframeList::containsProperty):
* rendering/style/RenderStyle.cpp:
(WebCore::defaultStyle):
(WebCore::RenderStyle::create):
(WebCore::RenderStyle::createDefaultStyle):
(WebCore::RenderStyle::createAnonymousStyleWithDisplay):
(WebCore::RenderStyle::clone):
(WebCore::RenderStyle::createStyleInheritingFromPseudoStyle):

    Return std::unique_ptr<RenderStyle> instead of Ref<RenderStyle>.

(WebCore::RenderStyle::RenderStyle):
(WebCore::RenderStyle::~RenderStyle):
(WebCore::resolveAlignmentData):
(WebCore::RenderStyle::operator==):
(WebCore::RenderStyle::hasUniquePseudoStyle):
(WebCore::RenderStyle::getCachedPseudoStyle):
(WebCore::RenderStyle::addCachedPseudoStyle):
(WebCore::RenderStyle::isStyleAvailable): Deleted.
* rendering/style/RenderStyle.h:
(WebCore::RenderStyle::setStyleType):
(WebCore::RenderStyle::cachedPseudoStyles):
(WebCore::RenderStyle::initialIsolation):
(WebCore::RenderStyle::isPlaceholderStyle):
(WebCore::RenderStyle::setIsPlaceholderStyle):

    Add placeholder style bit to rareNonInheritedData. We no longer rely on RenderStyle identity for this test.

(WebCore::RenderStyle::noninheritedFlagsMemoryOffset):
* rendering/style/SVGRenderStyle.cpp:
(WebCore::defaultSVGStyle):
(WebCore::SVGRenderStyle::createDefaultStyle):
* rendering/style/StyleRareNonInheritedData.cpp:
(WebCore::StyleRareNonInheritedData::StyleRareNonInheritedData):
(WebCore::StyleRareNonInheritedData::operator==):
(WebCore::StyleRareNonInheritedData::contentDataEquivalent):
* rendering/style/StyleRareNonInheritedData.h:

...

(WebCore::findRenderingRoot):
(WebCore::findRenderingRoots):
(WebCore::RenderTreeUpdater::commit):

    Style::Update is no longer const as we move the styles from it to the render tree.

(WebCore::pseudoStyleCacheIsInvalid):
(WebCore::RenderTreeUpdater::updateElementRenderer):
(WebCore::moveToFlowThreadIfNeeded):
(WebCore::RenderTreeUpdater::createRenderer):
(WebCore::RenderTreeUpdater::updateBeforeOrAfterPseudoElement):
* style/RenderTreeUpdater.h:
* style/StyleResolveForDocument.cpp:
(WebCore::Style::resolveForDocument):
* style/StyleResolveForDocument.h:
* style/StyleSharingResolver.cpp:
(WebCore::Style::elementHasDirectionAuto):
(WebCore::Style::SharingResolver::resolve):
* style/StyleSharingResolver.h:
* style/StyleTreeResolver.cpp:
(WebCore::Style::ensurePlaceholderStyle):

    Set the placeholder.

(WebCore::Style::TreeResolver::Parent::Parent):
(WebCore::Style::TreeResolver::pushScope):
(WebCore::Style::TreeResolver::pushEnclosingScope):
(WebCore::Style::TreeResolver::popScope):

    Set and clear StyleResolver overrideDocumentElementStyle as needed. It is owned by the TreeResolver.

(WebCore::Style::TreeResolver::styleForElement):

    Clone the placeholder style.

(WebCore::Style::TreeResolver::resolveElement):
(WebCore::Style::TreeResolver::pushParent):
(WebCore::Style::TreeResolver::resolveComposedTree):
(WebCore::Style::TreeResolver::resolve):

    Adopt to the std::unique_ptr and ElementStyle move semantics.

* style/StyleTreeResolver.h:
(WebCore::Style::TreeResolver::scope):
* style/StyleUpdate.cpp:
(WebCore::Style::Update::elementUpdate):
(WebCore::Style::Update::textUpdate):
(WebCore::Style::Update::elementStyle):
(WebCore::Style::Update::addElement):
(WebCore::Style::Update::addText):
* style/StyleUpdate.h:
(WebCore::Style::Update::roots):
(WebCore::Style::Update::document):
* svg/SVGAElement.cpp:
(WebCore::SVGAElement::svgAttributeChanged):
(WebCore::SVGAElement::createElementRenderer):

...

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199964 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Drop [UsePointersEvenForNonNullableObjectArguments] from MediaControlsHost
https://bugs.webkit.org/show_bug.cgi?id=156903

Reviewed by Chris Dumez.

No change of behavior.

* Modules/mediacontrols/MediaControlsHost.idl: Marking some parameters as nullable.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199963 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Drop [UsePointersEvenForNonNullableObjectArguments] from WebGLRenderingContext
https://bugs.webkit.org/show_bug.cgi?id=156909

Reviewed by Chris Dumez.

No change of behavior.

Marking a lot of method parameters as nullable.

* html/canvas/WebGLRenderingContextBase.idl:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199962 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Drop [UsePointersEvenForNonNullableObjectArguments] from WebSocket
https://bugs.webkit.org/show_bug.cgi?id=156897

Reviewed by Chris Dumez.

No change of behavior.

Updating WebSocket::send methods to take references, except for ArrayBufferView, which is not yet supported by the binding generator.

* Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::send):
* Modules/websockets/WebSocket.h:
* Modules/websockets/WebSocket.idl:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199961 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Fix issues found by the clang static analyzer
https://bugs.webkit.org/show_bug.cgi?id=156956

Reviewed by Alexey Proskuryakov.

Source/WebCore:

* editing/cocoa/DataDetection.mm:
(WebCore::DataDetection::detectContentInRange): Stored tz in a RetainPtr.
* platform/cf/KeyedDecoderCF.cpp:
(WebCore::KeyedDecoderCF::KeyedDecoderCF): If dynamic_cf_cast returned nullptr, the result of
CFPropertyListCreateWithData would leak. Stored the CFPropertyListRef in a RetainPtr, then leaked/adopted it
into m_rootDictionary (to avoid retain count churn) if it is a CFDictionary.
* platform/ios/WebAVPlayerController.mm:
(-[WebAVPlayerController dealloc]): Released _externalPlaybackAirPlayDeviceLocalizedName.
(-[WebAVMediaSelectionOption dealloc]): Added to release _localizedDisplayName.
* platform/ios/WebVideoFullscreenInterfaceAVKit.mm:
(-[WebAVPlayerLayer dealloc]): Released _pixelBufferAttributes.
* platform/network/cocoa/WebCoreNSURLSession.h: Removed the readwrite attributes from properties, since
properties are readwrite by default.
* platform/network/cocoa/WebCoreNSURLSession.mm: Removed @dynamic, which isn't necessary just for defining a custom getter.
(-[WebCoreNSURLSessionDataTask dealloc]): Added to release copied ivars.

Source/WebKit/mac:

* WebView/WebDeviceOrientationProviderMock.mm:
(-[WebDeviceOrientationProviderMock dealloc]): [super dealloc] should be called last.

Source/WebKit2:

* UIProcess/API/Cocoa/WKPreviewActionItem.mm:
(-[WKPreviewAction dealloc]): Added to release _identifier.
* UIProcess/_WKWebViewPrintFormatter.mm:
(-[_WKWebViewPrintFormatter dealloc]): Released _frameToPrint.
* UIProcess/ios/WKContentViewInteraction.mm:
(-[WKContentView inputView]): -createPeripheralWithView: returned a retained object, but the method name did not
match Cocoa conventions. Called -initWithView: instead.
(-[WKContentView _showAttachmentSheet]): Stored the _WKActivatedElementInfo in a RetainPtr.
(-[WKContentView _dataForPreviewItemController:atPosition:type:]): Ditto.
(+[WKAutocorrectionContext autocorrectionContextWithData:markedText:selectedText:afterText:selectedRangeInMarkedText:]):
The properties contextBeforeSelection, selectedText, markedText, and contextAfterSelection have the 'copy'
annotation in UIWKAutocorrectionContext, so the additional copy made here would be leaked. Removed the extra copy.
(-[WKAutocorrectionContext dealloc]): Deleted.
* UIProcess/ios/forms/WKFormInputControl.h: Removed -createPeripheralWithView: and declared -initWithView:.
* UIProcess/ios/forms/WKFormInputControl.mm:
(-[WKFormInputControl initWithView:]): Changed to return instancetype.
(+[WKFormInputControl createPeripheralWithView:]): Deleted.
* UIProcess/ios/forms/WKFormSelectControl.h: Removed -createPeripheralWithView: and declared -initWithView:.
* UIProcess/ios/forms/WKFormSelectControl.mm:
(+[WKFormSelectControl createPeripheralWithView:]): Deleted.
* UIProcess/mac/LegacySessionStateCoding.cpp:
(WebKit::decodeLegacySessionState): If dynamic_cf_cast returned nullptr, the result of
CFPropertyListCreateWithData would leak. Stored the CFPropertyListRef in a RetainPtr before calling dynamic_cf_cast.
* UIProcess/mac/ServicesController.mm:
(WebKit::ServicesController::refreshExistingServices): Used a RetainPtr for attachment and cell.
* UIProcess/mac/WebContextMenuProxyMac.mm:
(WebKit::WebContextMenuProxyMac::setupServicesMenu): Used a RetainPtr for groupEntry.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199960 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Really enable INDEXED_DATABASE on Apple Mac cmake build
https://bugs.webkit.org/show_bug.cgi?id=156902

Reviewed by Michael Catanzaro.

* Scripts/webkitperl/FeatureList.pm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199959 268f45cc-cd09-0410-ab3c-d52691b4dbfc

check-webkit-style: fix false-positive warnings about @synchronized
https://bugs.webkit.org/show_bug.cgi?id=156957

Reviewed by Dan Bernstein.

* Scripts/webkitpy/style/checkers/cpp.py:
(check_spacing_for_function_call): Ignore @synchronized lines.
(check_braces): Ditto.
* Scripts/webkitpy/style/checkers/cpp_unittest.py:
(CppStyleTest.test_brace_at_begin_of_line): Added a test case.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199958 268f45cc-cd09-0410-ab3c-d52691b4dbfc

<rdar://problem/25894586> A project has failed to build because WTF_MAKE_FAST_ALLOCATED was not defined

Rubber-stamped by Chris Dumez.

Reverted the IntSize part of r199735, to let IntSize.h keep being used in another project.

* platform/graphics/IntSize.h:
(WebCore::IntSize::IntSize):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199956 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Tie the DiagnosticLoggingClient's lifetime to the Page
https://bugs.webkit.org/show_bug.cgi?id=156938
<rdar://problem/25851499>

Reviewed by Antti Koivisto.

Source/WebCore:

Tie the DiagnosticLoggingClient's lifetime to the Page rather than to the
MainFrame. The diagnostic logging client in WebKit2 requires the WebPage
to be alive in order to send IPC to the UIProcess. The WebPage owns the
Page and Page is not refCounted so the lifetime of the
DiagnosticLoggingClient should now be tied to the one of the WebPage as
well.

Previously, the DiagnosticLoggingClient would stay alive as long as the
MainFrame and could apparently in rare cases outlive the WebPage, thus
crashing when trying to send the IPC.

* history/PageCache.cpp:
(WebCore::logPageCacheFailureDiagnosticMessage):
(WebCore::canCachePage):
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::loadResource):
(WebCore::logMediaLoadRequest):
(WebCore::HTMLMediaElement::updatePlayState):
(WebCore::HTMLMediaElement::mediaPlayerEngineFailedToLoad):
* loader/EmptyClients.h:
* loader/FrameLoader.cpp:
(WebCore::logNavigation):
(WebCore::FrameLoader::checkLoadCompleteForThisFrame):
(WebCore::FrameLoader::continueLoadAfterNavigationPolicy):
* loader/ResourceLoader.cpp:
(WebCore::logResourceResponseSource):
* loader/SubframeLoader.cpp:
(WebCore::logPluginRequest):
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::willSendRequestInternal):
(WebCore::SubresourceLoader::didReceiveResponse):
(WebCore::logResourceLoaded):
* loader/cache/CachedResourceLoader.cpp:
(WebCore::logMemoryCacheResourceRequest):
(WebCore::logResourceRevalidationDecision):
* page/DiagnosticLoggingClient.h:
* page/MainFrame.cpp:
(WebCore::MainFrame::MainFrame): Deleted.
(WebCore::MainFrame::~MainFrame): Deleted.
(WebCore::MainFrame::diagnosticLoggingClient): Deleted.
* page/MainFrame.h:
* page/Page.cpp:
(WebCore::Page::Page):
(WebCore::Page::~Page):
(WebCore::Page::diagnosticLoggingClient):
* page/Page.h:

Source/WebKit2:

* WebProcess/WebCoreSupport/WebDiagnosticLoggingClient.cpp:
(WebKit::WebDiagnosticLoggingClient::pageDestroyed):
(WebKit::WebDiagnosticLoggingClient::mainFrameDestroyed): Deleted.
* WebProcess/WebCoreSupport/WebDiagnosticLoggingClient.h:
* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::WebPage::willStartUserTriggeredZooming):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199955 268f45cc-cd09-0410-ab3c-d52691b4dbfc

<rdar://problem/25893246> WebKit2 has failed to build: error: use of undeclared identifier 'm_playbackSessionManager'

Fixed the non-AVKit build.

* UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _isShowingVideoPictureInPicture]):
(-[WKWebView _mayAutomaticallyShowVideoPictureInPicture]):
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::fullScreenManager):
(WebKit::WebPageProxy::playbackSessionManager):
* UIProcess/WebPageProxy.h:
* UIProcess/ios/WebPageProxyIOS.mm:
(WebKit::WebPageProxy::applicationDidBecomeActive):
* WebProcess/WebCoreSupport/WebChromeClient.cpp:
(WebKit::WebChromeClient::createScrollingCoordinator):
(WebKit::WebChromeClient::supportsVideoFullscreen):
* WebProcess/WebCoreSupport/WebChromeClient.h:
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::inspectorUI):
(WebKit::WebPage::playbackSessionManager):
* WebProcess/WebPage/WebPage.h:
* WebProcess/cocoa/WebVideoFullscreenManager.h:
* WebProcess/cocoa/WebVideoFullscreenManager.mm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199951 268f45cc-cd09-0410-ab3c-d52691b4dbfc

bmalloc: vm allocations should plant guard pages
https://bugs.webkit.org/show_bug.cgi?id=156937

Rolling out - looks like this is memory regression.

* bmalloc/Object.h:
(bmalloc::Object::operator+):
(bmalloc::Object::operator<=):
(bmalloc::Object::operator-): Deleted.
* bmalloc/VMAllocate.h:
(bmalloc::vmDeallocate):
(bmalloc::vmRevokePermissions): Deleted.
* bmalloc/VMHeap.cpp:
(bmalloc::VMHeap::allocateSmallChunk):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199950 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Unreviewed, unbreak cloop.

* runtime/VM.cpp:
(JSC::VM::getHostFunction):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199949 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Updated Hungarian translation
https://bugs.webkit.org/show_bug.cgi?id=156952

Patch by Gabor Kelemen <kelemeng@ubuntu.com> on 2016-04-23
Rubber-stamped by Michael Catanzaro.

* hu.po:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199948 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Web Inspector: HeapAllocationsTimeline grid should use built-in grid column icons
https://bugs.webkit.org/show_bug.cgi?id=156934

Reviewed by Timothy Hatcher.

* UserInterface/Views/HeapAllocationsTimelineDataGridNode.js:
(WebInspector.HeapAllocationsTimelineDataGridNode):
Use existing base class helper function to create main title text.
(WebInspector.HeapAllocationsTimelineDataGridNode.prototype.createCellContent):
Add icon class names to cell, remove icon element.

* UserInterface/Views/HeapAllocationsTimelineView.js:
(WebInspector.HeapAllocationsTimelineView):
Turn on icons for the column.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199947 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Speed up bound functions a bit
https://bugs.webkit.org/show_bug.cgi?id=156889

Reviewed by Saam Barati.
Source/JavaScriptCore:

Bound functions are hard to optimize because JSC doesn't have a good notion of non-JS code
that does JS-ey things like make JS calls. What I mean by "non-JS code" is code that did not
originate from JS source. A bound function does a highly polymorphic call to the target
stored in the JSBoundFunction. Prior to this change, we represented it as native code that
used the generic native->JS call API. That's not cheap.

We could model bound functions using a builtin, but it's not clear that this would be easy
to grok, since so much of the code would have to access special parts of the JSBoundFunction
type. Doing it that way might solve the performance problems but it would mean extra work to
arrange for the builtin to have speedy access to the call target, the bound this, and the
bound arguments. Also, optimizing bound functions that way would mean that bound function
performance would be gated on the performance of a bunch of other things in our system. For
example, we'd want this polymorphic call to be handled like the funnel that it is: if we're
compiling the bound function's outgoing call with no context then we should compile it as
fully polymorphic but we can let it assume basic sanity like that the callee is a real
function; but if we're compiling the call with any amount of calling context then we want to
use normal call IC's.

Since the builtin path wouldn't lead to a simpler patch and since I think that the VM will
benefit in the long run from using custom handling for bound functions, I kept the native
code and just added Intrinsic/thunk support.

This just adds an Intrinsic for bound function calls where the JSBoundFunction targets a
JSFunction instance and has no bound arguments (only bound this). This intrinsic is
currently only implemented as a thunk and not yet recognized by the DFG bytecode parser.

I needed to loosen some restrictions to do this. For one, I was really tired of our bad use
of ENABLE(JIT) conditionals, which made it so that any serious client of Intrinsics would
have to have #ifdefs. Really what should happen is that if the JIT is not enabled then we
just ignore intrinsics. Also, the code was previously assuming that having a native
constructor and knowing the Intrinsic for your native call were mutually exclusive. This
change makes it possible to have a native executable that has a custom function, custom
constructor, and an Intrinsic.

This is a >4x speed-up on bound function calls with no bound arguments.

In the future, we should teach the DFG Intrinsic handling to deal with bound functions and
we should teach the inliner (and ByteCodeParser::handleCall() in general) how to deal with
the function call inside the bound function. That would be super awesome.

* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::timesPtr):
(JSC::AbstractMacroAssembler::Address::withOffset):
(JSC::AbstractMacroAssembler::BaseIndex::BaseIndex):
(JSC::MacroAssemblerType>::Address::indexedBy):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::storeCell):
(JSC::AssemblyHelpers::loadCell):
(JSC::AssemblyHelpers::storeValue):
(JSC::AssemblyHelpers::emitSaveCalleeSaves):
(JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
(JSC::AssemblyHelpers::emitRestoreCalleeSaves):
(JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
(JSC::AssemblyHelpers::copyCalleeSavesToVMCalleeSavesBuffer):
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiNativeTailCall):
(JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
(JSC::JITThunks::ctiStub):
(JSC::JITThunks::hostFunctionStub):
(JSC::JITThunks::clearHostFunctionStubs):
* jit/JITThunks.h:
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
(JSC::SpecializedThunkJIT::tagReturnAsInt32):
(JSC::SpecializedThunkJIT::emitSaveThenMaterializeTagRegisters): Deleted.
(JSC::SpecializedThunkJIT::emitRestoreSavedTagRegisters): Deleted.
* jit/ThunkGenerators.cpp:
(JSC::virtualThunkFor):
(JSC::nativeForGenerator):
(JSC::nativeCallGenerator):
(JSC::nativeTailCallGenerator):
(JSC::nativeTailCallWithoutSavedTagsGenerator):
(JSC::nativeConstructGenerator):
(JSC::randomThunkGenerator):
(JSC::boundThisNoArgsFunctionCallGenerator):
* jit/ThunkGenerators.h:
* runtime/Executable.cpp:
(JSC::NativeExecutable::create):
(JSC::NativeExecutable::destroy):
(JSC::NativeExecutable::createStructure):
(JSC::NativeExecutable::finishCreation):
(JSC::NativeExecutable::NativeExecutable):
(JSC::ScriptExecutable::ScriptExecutable):
* runtime/Executable.h:
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncBind):
* runtime/IntlCollatorPrototype.cpp:
(JSC::IntlCollatorPrototypeGetterCompare):
* runtime/Intrinsic.h:
* runtime/JSBoundFunction.cpp:
(JSC::boundThisNoArgsFunctionCall):
(JSC::boundFunctionCall):
(JSC::boundThisNoArgsFunctionConstruct):
(JSC::boundFunctionConstruct):
(JSC::getBoundFunctionStructure):
(JSC::JSBoundFunction::create):
(JSC::JSBoundFunction::customHasInstance):
(JSC::JSBoundFunction::JSBoundFunction):
* runtime/JSBoundFunction.h:
(JSC::JSBoundFunction::targetFunction):
(JSC::JSBoundFunction::boundThis):
(JSC::JSBoundFunction::boundArgs):
(JSC::JSBoundFunction::createStructure):
(JSC::JSBoundFunction::offsetOfTargetFunction):
(JSC::JSBoundFunction::offsetOfBoundThis):
* runtime/JSFunction.cpp:
(JSC::JSFunction::lookUpOrCreateNativeExecutable):
(JSC::JSFunction::create):
* runtime/VM.cpp:
(JSC::thunkGeneratorForIntrinsic):
(JSC::VM::getHostFunction):
* runtime/VM.h:
(JSC::VM::getCTIStub):
(JSC::VM::exceptionOffset):

LayoutTests:

This microbenchmark speeds up by >4x with this change.

* js/regress/bound-function-call-expected.txt: Added.
* js/regress/bound-function-call.html: Added.
* js/regress/script-tests/bound-function-call.js: Added.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199946 268f45cc-cd09-0410-ab3c-d52691b4dbfc

[JSC] Fix build break since r199866
https://bugs.webkit.org/show_bug.cgi?id=156892

Reviewed by Darin Adler.

* runtime/MathCommon.cpp: Follow up to r199913. Remove 'include cmath' in cpp file.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199943 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Cannot access the SQLTransaction.constructor.prototype
https://bugs.webkit.org/show_bug.cgi?id=156613

Reviewed by Darin Adler.

Source/WebCore:

Drop [NoInterfaceObject] from the following SQL interfaces:
Database, SQLError, SQLResultSet, SQLResultSetRowList and SQLTransaction.

This matches the specification:
https://dev.w3.org/html5/webdatabase/

This was causing the 'constructor' property to be wrong for these
interfaces as it would be a generic Object.

Test: storage/websql/transaction-prototype.html

* Modules/webdatabase/Database.idl:
* Modules/webdatabase/SQLError.idl:
* Modules/webdatabase/SQLResultSet.idl:
* Modules/webdatabase/SQLResultSetRowList.idl:
* Modules/webdatabase/SQLTransaction.idl:

LayoutTests:

Rebaseline existing test now that more SQL constructors are exposed on the
global Window object. Also add a test to confirm that it is possible to
access SQLTransaction.constructor.prototype and that it seems correct.

* js/dom/global-constructors-attributes-expected.txt:
* platform/mac-mavericks/js/dom/global-constructors-attributes-expected.txt:
* platform/mac-yosemite/js/dom/global-constructors-attributes-expected.txt:
* platform/mac/js/dom/global-constructors-attributes-expected.txt:
* storage/websql/transaction-prototype-expected.txt: Added.
* storage/websql/transaction-prototype.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199942 268f45cc-cd09-0410-ab3c-d52691b4dbfc