ChangeLog


2013-01-30  Lucas Forschler  <lforschler@apple.com>

        Merge r138606

    2013-01-01  Dan Bernstein  <mitz@apple.com>

            <rdar://problem/12942239> Update copyright strings

            Reviewed by Sam Weinig.

            * Info.plist:

2012-12-12  Lucas Forschler  <lforschler@apple.com>

        Merge r137393

    2012-12-11  Tim Horton  <timothy_horton@apple.com>

            -webkit-svg-shadow radius changes don't cause children's boundaries to be recomputed
            https://bugs.webkit.org/show_bug.cgi?id=104722
            <rdar://problem/12821080>

            Reviewed by Simon Fraser.

            Changes to -webkit-svg-shadow currently cause a relayout of the directly affected renderer
            and its parents, but not its children. However, children have the shadow radius
            baked into their cached boundaries, so these need to be invalidated.

            Test: svg/repaint/repaint-webkit-svg-shadow-container.html

            * rendering/RenderObject.h: Expose needsBoundariesUpdate().
            * rendering/svg/RenderSVGContainer.h: Expose needsBoundariesUpdate().
            * rendering/svg/RenderSVGImage.h: Expose needsBoundariesUpdate().
            * rendering/svg/RenderSVGRoot.h: Expose needsBoundariesUpdate().
            * rendering/svg/RenderSVGShape.h: Expose needsBoundariesUpdate().
            * rendering/svg/SVGRenderSupport.cpp:
            (WebCore::SVGRenderSupport::layoutChildren): If the renderer has a shadow and
            is in need of a boundaries update, mark children as needing boundaries updates too.

2012-11-29  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12781055>
        
        Merge r136174

    2012-11-29  Simon Fraser  <simon.fraser@apple.com>
    
            Avoid painting lots of small rects in WebLayer painting
            https://bugs.webkit.org/show_bug.cgi?id=103673
    
            Reviewed by Tim Horton.
    
            r109186 added code in drawLayerContents() to enumerate over the rects in
            the CALayer's dirty region, and paint them individually. This was done
            to help performance on the IE Maze Solver test.
            
            On large, complex pages like Facebook, the overhead of traversing the
            RenderLayer tree for painting is such that it's better to paint a single,
            or fewer rects rather than lots of little ones.
            
            So adopt a heuristic similar to that in DrawingArea, where if the
            combined area of the small rects is 75% or more of the combined rect,
            just paint the combined rect. Also paint the combined rect if there
            are more than 5 individual rects.
            
            I verified that this preserves the optimization for IE Maze Solver.
    
            * platform/graphics/mac/WebLayer.mm:
            (drawLayerContents):

2012-11-28  Lucas Forschler  <lforschler@apple.com>

        Windows build fix after r134704.

        * WebCore.vcproj/WebCore.vcproj:

2012-11-28  Lucas Forschler  <lforschler@apple.com>

        Merge r135992

    2012-11-28  Roger Fong  <roger_fong@apple.com>

            Initialize identity matrix in SimpleFontData::initGDIFont() properly.
            https://bugs.webkit.org/show_bug.cgi?id=103499
            <rdar://problem/12400700>

            Reviewed by Timothy Horton.

            We are incorrectly initializing the matrix passed into GetGlyphOutline.
            This patch fixes MAT2 initialization to match the way we initialize the 
            identity matrix in SimpleFontData::boundsForGDIGlyph and SimpleFontData::widthForGDIGlyph.

            * platform/graphics/win/SimpleFontDataWin.cpp:
            (WebCore::SimpleFontData::initGDIFont):

2012-11-28  Lucas Forschler  <lforschler@apple.com>

        Merge r119546

    2012-06-05  Stephanie Lewis  <slewis@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=88370
            Memory sampler should trigger low memory signal

            Reviewed by Geoff Garen.

            No new tests. Verify by running stress test which crashes 
            in a few minutes without the fix.

            Fix assumption in block code.  We could get in a state where timer_event_source
            had already been released before the block ran.

            * platform/mac/MemoryPressureHandlerMac.mm:
            (WebCore::MemoryPressureHandler::holdOff):

2012-11-27  Lucas Forschler  <lforschler@apple.com>

        Merge r133338

    2012-11-02  Anders Carlsson  <andersca@apple.com>

            Add a PluginInactive plug-in unavailability reason
            https://bugs.webkit.org/show_bug.cgi?id=101089

            Reviewed by Sam Weinig.

            This is to be used by Mac WebKit and WebKit2 shortly.

            * English.lproj/Localizable.strings:
            * platform/LocalizedStrings.cpp:
            (WebCore::inactivePluginText):
            (WebCore):
            * platform/LocalizedStrings.h:
            (WebCore):
            * platform/blackberry/LocalizedStringsBlackBerry.cpp:
            (WebCore::inactivePluginText):
            (WebCore):
            * platform/efl/LocalizedStringsEfl.cpp:
            (WebCore::inactivePluginText):
            (WebCore):
            * platform/gtk/LocalizedStringsGtk.cpp:
            (WebCore::inactivePluginText):
            (WebCore):
            * platform/qt/LocalizedStringsQt.cpp:
            (WebCore::inactivePluginText):
            (WebCore):
            * rendering/RenderEmbeddedObject.cpp:
            (WebCore::unavailablePluginReplacementText):
            * rendering/RenderEmbeddedObject.h:

2012-11-27  Lucas Forschler  <lforschler@apple.com>

        <rdar://problem/12704510>
        Merge r134666

    2012-11-14  Mark Lam  <mark.lam@apple.com>

            Fixed regressions due to adding JSEventListener::m_wrapper null checks.
            https://bugs.webkit.org/show_bug.cgi?id=102183.

            Reviewed by Geoffrey Garen.

            Fixed JSEventListener::operator==() to work within the contract that
            when m_wrapper is 0, m_jsFunction is also expected to be 0. Also fixed
            some typos in comments.

            No new tests.

            * bindings/js/JSEventListener.cpp:
            (WebCore::JSEventListener::visitJSFunction):
            (WebCore::JSEventListener::operator==):
            * bindings/js/JSEventListener.h:
            (WebCore::JSEventListener::jsFunction):

2012-11-27  Lucas Forschler  <lforschler@apple.com>

        <rdar://problem/12696290>
        Merge r134495

    2012-11-13  Mark Lam  <mark.lam@apple.com>

            JSEventListener should not access m_jsFunction when its wrapper is gone.
            https://bugs.webkit.org/show_bug.cgi?id=101985.

            Reviewed by Geoffrey Garen.

            Added a few null checks for m_wrapper before we do anything with m_jsFunction.

            No new tests.

            * bindings/js/JSEventListener.cpp:
            (WebCore::JSEventListener::initializeJSFunction):
            - Removed a now invalid assertion. m_wrapper is expected to have a
              valid non-zero value when jsFunction is valid. However, in the case
              of JSLazyEventListener (which extends JSEventListener), m_wrapper is
              initially 0 when m_jsFunction has not been realized yet. When
              JSLazyEventListener::initializeJSFunction() realizes m_jsFunction,
              it will set m_wrapper to an appropriate wrapper object.

              For this reason, JSEventListener::jsFunction() cannot do the null
              check on m_wrapper until after the call to initializeJSFunction.

              This, in turn, means that in the case of the non-lazy
              JSEventListener, initializeJSFunction() will also be called, and
              if the GC has collected the m_wrapper but the JSEventListener has
              not been removed yet, it is possible to see a null m_wrapper while
              m_jsFunction contains a non-zero stale value.

              Hence, this assertion of (m_wrapper || !m_jsFunction) in
              JSEventListener::initializeJSFunction() is not always true and
              should be removed.

            (WebCore::JSEventListener::visitJSFunction):
            (WebCore::JSEventListener::operator==):
            * bindings/js/JSEventListener.h:
            (WebCore::JSEventListener::jsFunction):

2012-11-26  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12755408>
        Merge r135080

    2012-11-18  Simon Fraser  <simon.fraser@apple.com>
    
            Make convertToLayerCoords iterative, rather than recursive
            https://bugs.webkit.org/show_bug.cgi?id=102618
    
            Reviewed by Antti Koivisto.
    
            RenderLayer::convertToLayerCoords() is a hot function on profiles.
            Change it to be iterative, rather than recursive, so that the
            bulk of the function can be inlined.
            
            Was tested with assertions against the old code during development.
    
            * rendering/RenderLayer.cpp:
            (WebCore::accumulateOffsetTowardsAncestor):
            (WebCore::RenderLayer::convertToLayerCoords):

2012-11-26  Lucas Forschler  <lforschler@apple.com>

        Merge r134327

    2012-11-12  Roger Fong  <roger_fong@apple.com>

            Web Inspector: Fix docking behaviour on Windows.
            https://bugs.webkit.org/show_bug.cgi?id=101978

            Reviewed by Brian Weinstein.

            There are a number of problems with docking behaviour on Windows.
            For starters, it does not ever constrain the inspector's size properly while docked.
            It also does not properly set whether or not the inspector can be docked/undocked.
            This patch fixes both issues.

            * inspector/InspectorFrontendClientLocal.cpp:
            (WebCore::InspectorFrontendClientLocal::frontendLoaded):
            Switch order of calling bringToFront and setDockingUnavailable.

2012-11-26  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12751360>
        Merge r135746

    2012-11-26  Simon Fraser  <simon.fraser@apple.com>
    
            Optimize layer updates after scrolling
            https://bugs.webkit.org/show_bug.cgi?id=102635
    
            Reviewed by Sam Weinig.
    
            updateLayerPositionsAfterScroll() previously unconditionally cleared clip
            rects, and recomputed repaint rects too often. Recomputing both of these
            can be very expensive, as they involve tree walks up to the root.
            
            We can optimize layer updates after document scrolling by only clearing clip
            rects, and recomputing repaint rects, if we encounter a fixed- or sticky-position
            element. For overflow scroll, we have to clear clip rects and recompute repaint rects.
    
            * page/FrameView.cpp:
            (WebCore::FrameView::repaintFixedElementsAfterScrolling): Call updateLayerPositionsAfterDocumentScroll().
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::updateLayerPositions): Call clearClipRects() because
            updateLayerPosition() no longer does.
            (WebCore::RenderLayer::updateLayerPositionsAfterDocumentScroll): Version of updateLayerPositionsAfterScroll()
            that is for document scrolls. It has no need to push layers to the geometry map.
            (WebCore::RenderLayer::updateLayerPositionsAfterOverflowScroll): Pushes layers to the geometry map,
            and calls updateLayerPositionsAfterScroll() with the IsOverflowScroll flag.
            (WebCore::RenderLayer::updateLayerPositionsAfterScroll): Set the HasChangedAncestor flag
            if our location changed, and use that as a hint to clear cached rects. Be more conservative
            than before about when to clear cached clip rects.
            (WebCore::RenderLayer::updateLayerPosition):  Move responsibility for calling
            clearClipRects() out of this function and into callers.
            (The one caller outside RenderLayer will be removed via bug 102624).
            Return a bool indicating whether our position changed.
            (WebCore::RenderLayer::scrollTo): Call updateLayerPositionsAfterOverflowScroll().
            (WebCore::RenderLayer::updateClipRects): Added some #ifdeffed out code that is useful
            to verify that cached clips are correct; it's too slow to leave enabled in debug builds.
            * rendering/RenderLayer.h:
            (WebCore::RenderLayer::setLocation): Change to take a LayoutPoint, rather than separate
            x and y.

2012-11-26  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12753059>
        Merge r135025

    2012-11-12  Simon Fraser  <simon.fraser@apple.com>
    
            Eliminate ancestor tree walk computing outlineBoundsForRepaint() when updating layer positions
            https://bugs.webkit.org/show_bug.cgi?id=101874
    
            Reviewed by Dave Hyatt.
    
            RenderLayer::updateLayerPositions() and updateLayerPositionsAfterScroll() spend a
            lot of time in computeRepaintRects(), which does two ancestor tree walks, once
            for clippedOverflowRectForRepaint(), and one for outlineBoundsForRepaint().
    
            Eliminate the ancestor tree walk in outlineBoundsForRepaint() by maintaining
            a RenderGeometryMap as we traverse the layer tree, and then using it to map
            the outline bounds to the repaint container. Replace the hokey cached offsetFromRoot
            now that the RenderGeometryMap can do a better job.
            
            The clipped overflow rect cannot be mapped simply, so cannot yet make use of
            the geometry map.
            
            Modify the RenderGeometryMap to support mapping to some repaintContainer ancestor.
            Add a RenderObject walk that is necessary to detect flipped writing mode blocks.
            
            Pass the RenderGeometryMap as an optional parameter to outlineBoundsForRepaint.
            
            * page/FrameView.cpp:
            (WebCore::FrameView::layout): Make a RenderGeometryMap and pass it down
            to updateLayerPositions(). For partial layouts, we have to push layers
            between the root and the enclosing layer of the layout subtree.
            The geometry map used for repainting does not use SnapOffsetForTransforms,
            so initialize it explicitly with just the UseTransforms flag.
            (WebCore::FrameView::repaintFixedElementsAfterScrolling): Make a RenderGeometryMap
            to pass along to updateLayerPositionsAfterScroll().
            * rendering/RenderBox.cpp:
            (WebCore::RenderBox::outlineBoundsForRepaint): Replace the optional cachedOffsetToRepaintContainer
            parameter with an optional RenderGeometryMap, and use it to map the computed rect to
            repaintContainer coordinates.
            * rendering/RenderBox.h:
            * rendering/RenderGeometryMap.cpp:
            (WebCore::RenderGeometryMap::RenderGeometryMap): This now has to store the mapping
            flags to use, so that its behavior can match that of mapLocalToContainer(). The
            pertinent flag is the confusingly named SnapOffsetForTransforms.
            (WebCore::RenderGeometryMap::absolutePoint): Call the new mapToContainer() with
            a null container.
            (WebCore::RenderGeometryMap::absoluteRect): Ditto.
            (WebCore::RenderGeometryMap::mapToContainer): Map to the supplied container,
            asserting that we found it. Add point- and rect-based mapping methods
            akin to the old absoluteRect/absolutePoint.
            (WebCore::canMapViaLayer): We need to test for isRenderFlowThread() here too.
            (WebCore::RenderGeometryMap::pushMappingsToAncestor): When mapping via
            layers, ensure that the RenderView is pushed as the first step.
            * rendering/RenderGeometryMap.h:
            (RenderGeometryMap):
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::updateLayerPositionsAfterLayout): New wrapper for updateLayerPositions()
            that makes the geometry map.
            (WebCore::RenderLayer::updateLayerPositionsAfterScroll): New wrapper for updateLayerPositionsAfterScroll
            that makes the geometry map.
            (WebCore::RenderLayer::updateLayerPositions): Now takes an optional RenderGeometryMap.
            Remove the old offsetFromRoot code. Push and pop layers to/from the geometry map. Use
            the geometry map to get the offsetFromRoot as needed by overflow controls. Pass
            it to computeRepaintRects().
            (WebCore::RenderLayer::computeRepaintRects): Pass the geometry map to outlineBoundsForRepaint().
            (WebCore::RenderLayer::updateLayerPositionsAfterScroll): Push and pop to/from the
            geometry map, and pass it to computeRepaintRects().
            (WebCore::RenderLayer::removeOnlyThisLayer): Remove the offsetFromRootBeforeMove
            computation; this could use a geometry map in future if it is shown to be a bottleneck.
            * rendering/RenderLayer.h:
            (WebCore::RenderLayer::canUseConvertToLayerCoords): It was thought that the isComposited()
            was there because the older cached offsetFromRoot logic was sensitive to compositing,
            but convertToLayerCoords() is not affected by compositing so this check is not needed,
            and actually harmful.
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::OverlapMap::OverlapMap): The geometry map
            used for overlap testing should not use SnapOffsetForTransforms, so initialize
            it explicitly with just the UseTransforms flag.
            * rendering/RenderObject.h:
            (WebCore::RenderObject::outlineBoundsForRepaint):
            * rendering/svg/RenderSVGModelObject.cpp:
            (WebCore::RenderSVGModelObject::outlineBoundsForRepaint):
            * rendering/svg/RenderSVGModelObject.h:
            (RenderSVGModelObject):
    
2012-11-26  Lucas Forschler  <lforschler@apple.com>

        Merge r133834

    2012-11-07  Tim Horton  <timothy_horton@apple.com>

            Repaint issues with -webkit-svg-shadow used on a container
            https://bugs.webkit.org/show_bug.cgi?id=65643
            <rdar://problem/7600532>

            Reviewed by Simon Fraser.

            SVG renderer repaint rects are currently expanded only by the shadow of
            the renderer itself; however, the area they need to repaint can be larger
            than that, if their parents also have shadows. We need to take into account
            parents' shadows (respecting transforms, as well).

            clippedOverflowRectForRepaint already recurses upwards through the render tree,
            and ends up with a rect in layout coordinates, so we manually apply the shadow
            at each step (repaintRectInLocalCoordinatesExcludingSVGShadow was added to allow
            us to get the raw repaint rect without the shadow baked-in).

            repaintRectInLocalCoordinates now includes shadows from all parents.

            Also, RenderSVGRoot was clipping repaint rects to the viewport before applying
            shadows, so offscreen elements with on-screen shadows (applied by the root) would not paint the shadows.
            We can just swap the order of these things to correct this.

            Tests: svg/css/parent-shadow-offscreen.svg, svg/css/root-shadow-offscreen.svg, svg/repaint/repaint-webkit-svg-shadow.svg

            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::addChild): Mark the child being added as having an SVG shadow if it is being added as a child of an element that does.
            (WebCore::RenderObject::styleDidChange): Mark the child being added as having an SVG shadow if its new style has a shadow.
            * rendering/svg/RenderSVGImage.cpp:
            (WebCore::RenderSVGImage::layout): Cache the repaint rect before intersecting it with the shadow.
            * rendering/svg/RenderSVGImage.h:
            (WebCore::RenderSVGImage::repaintRectInLocalCoordinatesExcludingSVGShadow): Return the cached repaint rect for the renderer without the shadow included.
            * rendering/svg/RenderSVGModelObject.cpp:
            (WebCore::RenderSVGModelObject::RenderSVGModelObject): Renderers do not have a shadow by default.
            * rendering/svg/RenderSVGModelObject.h:
            (WebCore::RenderSVGModelObject::repaintRectInLocalCoordinatesExcludingSVGShadow): Return the cached repaint rect for the renderer without the shadow included.
            (WebCore::RenderSVGModelObject::hasSVGShadow): Return whether or not the renderer has a shadow.
            (WebCore::RenderSVGModelObject::setHasSVGShadow): Set whether or not the renderer has a shadow.
            * rendering/svg/RenderSVGRoot.cpp:
            (WebCore::RenderSVGRoot::RenderSVGRoot):
            (WebCore::RenderSVGRoot::computeFloatRectForRepaint): Apply the shadow before clipping to the viewport, so we draw shadows for elements outside the viewport.
            (WebCore::RenderSVGRoot::updateCachedBoundaries): Cache the repaint rect before intersecting it with the shadow.
            * rendering/svg/RenderSVGRoot.h:
            (WebCore::RenderSVGRoot::hasSVGShadow): Return whether or not the renderer has a shadow.
            (WebCore::RenderSVGRoot::setHasSVGShadow): Set whether or not the renderer has a shadow.
            (WebCore::RenderSVGRoot::repaintRectInLocalCoordinatesExcludingSVGShadow): Return the cached repaint rect for the renderer without the shadow included.
            * rendering/svg/RenderSVGShape.cpp:
            (WebCore::RenderSVGShape::updateRepaintBoundingBox): Cache the repaint rect before intersecting it with the shadow.
            * rendering/svg/RenderSVGShape.h:
            (WebCore::RenderSVGShape::repaintRectInLocalCoordinatesExcludingSVGShadow): Return the cached repaint rect for the renderer without the shadow included.
            * rendering/svg/SVGRenderSupport.cpp:
            (WebCore::SVGRenderSupport::repaintRectForRendererInLocalCoordinatesExcludingSVGShadow): Return the cached repaint rect for the renderer without the shadow included.
            (WebCore::SVGRenderSupport::clippedOverflowRectForRepaint): Apply shadows as we walk through our parents, instead of only applying the renderer's own shadow.
            (WebCore::SVGRenderSupport::rendererHasSVGShadow): Return whether or not the renderer has a shadow.
            (WebCore::SVGRenderSupport::setRendererHasSVGShadow): Set whether or not the renderer has a shadow.
            (WebCore::SVGRenderSupport::intersectRepaintRectWithShadows): Walk through the element's parents, adding shadows to the repaint rect as we go, eventually
            transforming the repaint rect back into local coordinates.
            (WebCore::SVGRenderSupport::intersectRepaintRectWithResources): Don't add shadows by default, just other resources, so that we can cache repaint rects with and without shadows.
            * rendering/svg/SVGRenderSupport.h:

2012-11-26  Lucas Forschler  <lforschler@apple.com>

        Merge r132924

    2012-10-30  Dan Bernstein  <mitz@apple.com>

            <rdar://problem/12395187> REGRESSION (r121299): OS X Text Replacement forces cursor out of text fields
            https://bugs.webkit.org/show_bug.cgi?id=100768

            Reviewed by Anders Carlsson.

            r121299 introduced code to restore the paragraph range by saving its length and start offset
            relative to the document. The latter was obtained by iterating over the range starting at
            the beginning of the document and ending at the beginning of the paragraph range. However,
            such a range could not be constructed if the paragraph range was contained in a shadow DOM,
            since a range must have both its endpoints within the same shadow tree (or not in a shadow
            tree).

            Test: platform/mac/editing/spelling/autocorrection-in-textarea.html

            * editing/Editor.cpp:
            (WebCore::Editor::markAndReplaceFor): Changed paragraphStartIndex to be relative to the
            root container of paragraphRange, using the same logic used by
            checkForDifferentRootContainer() in Range.cpp.

2012-11-18  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12726004> Chopin: Don't say there are dirty overlay scrollbars when they are clipped out (102609)
        Merge r135064

    2012-11-17  Simon Fraser  <simon.fraser@apple.com>
    
            Don't say there are dirty overlay scrollbars when they are clipped out
            https://bugs.webkit.org/show_bug.cgi?id=102609
    
            Reviewed by Brady Eidson.
    
            Painting overlay scrollbars involves a second painting pass over the entire
            RenderLayer subtree for a compositing layer, which can be very expensive.
            
            Avoid this when possible by detecting when overflow controls are not in
            the damage rect.
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::rectForHorizontalScrollbar): Compute a local rect
            for the horizontal scrollbar.
            (WebCore::RenderLayer::rectForVerticalScrollbar): Compute a local rect
            for the vertical scrollbar.
            (WebCore::RenderLayer::positionOverflowControls): Use rectForHorizontalScrollbar()
            and rectForVerticalScrollbar().
            (WebCore::RenderLayer::overflowControlsIntersectRect): Return true if any
            of the present overflow controls intersect the given local rect.
            (WebCore::RenderLayer::paintOverflowControls): Bail if the damage rect
            doesn't intersect any of the overflow controls.
            * rendering/RenderLayer.h:
            (RenderLayer):

2012-11-18  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12725998> Simplify bounds computation for the RenderView's layer (102597)
        Merge r135059

    2012-11-17  Simon Fraser  <simon.fraser@apple.com>
    
            Simplify bounds computation for the RenderView's layer
            https://bugs.webkit.org/show_bug.cgi?id=102597
    
            Reviewed by Anders Carlsson.
    
            Computing the bounds of the main layer (that of the RenderView) used to do
            a full RenderLayer walk, taking the union of the bounds of all the sublayers,
            which is very expensive on large pages.
            
            For the RenderView we can avoid that entirely and just use the RenderView's
            document rect. Since page scaling happens as a transform on this layer,
            we want the unscaled document rect.
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::calculateLayerBounds):

2012-11-18  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12725980> Fix overlay scrollbar painting in compositing layers (102442)
        Merge r135029

    2012-11-16  Simon Fraser  <simon.fraser@apple.com>
    
            Fix overlay scrollbar painting in compositing layers
            https://bugs.webkit.org/show_bug.cgi?id=102442
    
            Reviewed by Beth Dakin.
    
            There were two issues with overlay scrollbar painting in
            compositing layers.
            
            First, we'd only ever call setContainsDirtyOverlayScrollbars()
            on the RenderView's layer, even when encountering an overlay scrollbar
            in some descendant compositing layer. This meant that we'd never
            run the paintOverlayScrollbars() code for those child compositing
            layers, so sometimes scrollbars were missing there.
            
            Even after fixing that, we would fail to render scrollbars that
            were not in the composited RenderLayer itself. This happened because
            we called into RenderLayer::paintOverlayScrollbars(), which called
            paintLayer() with flags that only said to paint the overlay scrollbars
            but not any descendants, so this paint path would not walk child
            RenderLayers.
            
            Also remove the containsScrollableAreaWithOverlayScrollbars() flag on
            ScrollView which is no longer used.
    
            * platform/ScrollView.cpp:
            (WebCore::ScrollView::ScrollView): Remove containsScrollableAreaWithOverlayScrollbars().
            (WebCore::ScrollView::paint): Remove setting of m_containsScrollableAreaWithOverlayScrollbars.
            * platform/ScrollView.h:
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::paintOverflowControls): Call setContainsDirtyOverlayScrollbars()
            on the compositing ancestor or the root.
            Remove call to setContainsScrollableAreaWithOverlayScrollbars().
            (WebCore::RenderLayer::paintOverlayScrollbars): When painting overlay
            scrollbars, no need to say we have transparency, and no need to use 
            temporary clip rects.
            (WebCore::RenderLayer::paintLayer): The PaintLayerPaintingOverlayScrollbars
            check here was only needed because the compositing entrypoint to painting
            overlay scrollbars went via paintLayer(), which isn't normally used as
            a composited painting entry point. Now that we no longer call that, we
            don't need this special check.
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::paintIntoLayer): Jump into overlay scrollbar
            painting via paintLayerContents(), not paintOverlayScrollbars(), since
            the latter does not traverse sublayers.

2012-11-18  Simon Fraser  <simon.fraser@apple.com>

        Prerequisite for <rdar://problem/12725980> Fix overlay scrollbar painting in compositing layers (102442)
        Merge r127943

    2012-09-07  Simon Fraser  <simon.fraser@apple.com>
    
            box-shadow causes overlay scrollbars to be in the wrong position when element is composited
            https://bugs.webkit.org/show_bug.cgi?id=85647
    
            Reviewed by James Robinson.
    
            The code that positioned the GraphicsLayers for scrollbars failed to take
            into account any offset between the origin of the compositing layer,
            and the renderer. This caused scrollbar layers to be misplaced or hidden
            on layers with, for example, box-shadows.
            
            Also moved the code that positions the scrollbar layers into RenderLayerBacking,
            since this is where all the rest of the GraphicsLayer-positioning code lives.
            
            Renamed an "offsetFromLayer" param to "offsetFromRoot" which is more accurate.
    
            Manual test, since overlay scrollbars are not enabled in DRT/WTR:
                ManualTests/scrollbars/scrollbars-in-composited-layers.html
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::positionOverflowControls):
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::positionOverflowControlsLayers):
            * rendering/RenderLayerBacking.h:
            (RenderLayerBacking):

2012-11-16  Andy Estes  <aestes@apple.com>

        Fix the Mountain Lion build after r135007.

        * bindings/js/JSDesktopNotificationsCustom.cpp:
        (WebCore::JSNotificationCenter::requestPermission):

2012-11-16  Lucas Forschler  <lforschler@apple.com>

        Merge r131779

    2012-10-18  Jer Noble  <jer.noble@apple.com>

            Add diagnostic logging to track per-page media engine usage.
            https://bugs.webkit.org/show_bug.cgi?id=99615
            <rdar://problem/12476473>

            Reviewed by Eric Carlson.

            Add diagnostic logging triggered only once-per-page and once-per-page-per-engine.

            * html/HTMLMediaElement.cpp:
            (WebCore::logMediaLoadRequest): Encapsulate diagnostic logging into single static method.
            (WebCore::HTMLMediaElement::mediaLoadingFailed): Call logMediaLoadRequest.
            (WebCore::HTMLMediaElement::setReadyState): Ditto.
            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::dispatchDidCommitLoad): Reset the set of seen media engines.

            Add new methods to Page to track per-page media engine diagnostic info, similar to plugin diagnostic info.
            * page/Page.cpp:
            (WebCore::Page::hasSeenAnyMediaEngine):
            (WebCore::Page::hasSeenMediaEngine):
            (WebCore::Page::sawMediaEngine):
            (WebCore::Page::resetSeenMediaEngines):
            * page/Page.h:

            Add new static logging key definitions:
            * page/DiagnosticLoggingKeys.cpp:
            (WebCore::DiagnosticLoggingKeys::pageContainsMediaEngineKey):
            (WebCore::DiagnosticLoggingKeys::pageContainsAtLeastOneMediaEngineKey):
            * page/DiagnosticLoggingKeys.h:

2012-11-16  Lucas Forschler  <lforschler@apple.com>

        Merge r131280

    2012-10-14  Jon Lee  <jonlee@apple.com>

            Allow notification origin permission request when no js callback is provided
            https://bugs.webkit.org/show_bug.cgi?id=63615
            <rdar://problem/11059590>

            Reviewed by Sam Weinig.

            Instead of throwing a type error when no callback is provided, we pass a null callback.

            Test: http/tests/notifications/legacy/request-no-callback.html

            * bindings/js/JSDesktopNotificationsCustom.cpp:
            (WebCore::JSNotificationCenter::requestPermission):

2012-11-16  Lucas Forschler  <lforschler@apple.com>

        Merge r130565

    2012-10-05  Tim Horton  <timothy_horton@apple.com>

            [cg] GraphicsContextCG should ask CG whether the shadow offset workaround is required
            https://bugs.webkit.org/show_bug.cgi?id=98565
            <rdar://problem/12436468>

            Reviewed by Simon Fraser.

            On Mountain Lion and above, CG can tell us whether we need to work around incorrect
            shadow offsets. Prior to Mountain Lion, we should assume we need to apply the workaround.

            No new tests, as this requires an obscure configuration to test.

            * WebCore.exp.in:
            * platform/graphics/cg/GraphicsContextCG.cpp:
            (WebCore::applyShadowOffsetWorkaroundIfNeeded):
            (WebCore::GraphicsContext::setPlatformShadow):
            * platform/mac/WebCoreSystemInterface.h: Add wkCGContextDrawsWithCorrectShadowOffsets.
            * platform/mac/WebCoreSystemInterface.mm: Add wkCGContextDrawsWithCorrectShadowOffsets.

2012-11-16  Lucas Forschler  <lforschler@apple.com>

        Merge r134903

    2012-11-15  Jer Noble  <jer.noble@apple.com>

            Crash at WebCore::PluginData::pluginFileForMimeType const + 38
            https://bugs.webkit.org/show_bug.cgi?id=102454

            Reviewed by Dan Bernstein.

            NULL-check the return value of Page::pluginData().

            * loader/SubframeLoader.cpp:
            (WebCore::logPluginRequest):

2012-11-15  Andy Estes  <aestes@apple.com>

        Merge r130266.

    2012-10-03  Dominic Mazzoni  <dmazzoni@google.com>

        AX: Heap-use-after-free when deleting a ContainerNode with an AX object
        https://bugs.webkit.org/show_bug.cgi?id=98073

        Reviewed by Hajime Morita.

        Calls axObjectCache()->remove(this) in ~ContainerNode so that the AX tree
        doesn't try to access the container node while walking up the parent chain
        from one of the container node's children.

        Test: accessibility/container-node-delete-causes-crash.html

        * dom/ContainerNode.cpp:
        (WebCore::ContainerNode::~ContainerNode):
        * dom/Node.cpp:
        (WebCore::Node::~Node):
        * dom/Node.h:
        (WebCore::Node::document):
        (WebCore::Node::documentInternal):

2012-11-15  Andy Estes  <aestes@apple.com>

        Merge r116629 and r127534.

    2012-09-04  Sergey Glazunov  <serg.glazunov@gmail.com>

        Frame element doesn't always unload its child frame.
        https://bugs.webkit.org/show_bug.cgi?id=94717

        Reviewed by Hajime Morita.

        It's possible for a frame element that has been removed from the document
        to retain an active child frame. This inconsistent state may become a source
        of security vulnerabilities.

        The patch adds a global HashSet to store the nodes currently processed by
        ChildFrameDisconnector. Insertion into these nodes' subtrees is not allowed until
        the processing is complete.

        Also, the ChildFrameDisconnector call in removeChild(ren) is now immediately
        followed by the actual removal.

        Test: fast/frames/out-of-document-iframe-has-child-frame.html

        * dom/ContainerNode.cpp:
        (WebCore::willRemoveChildren): Move the ChildFrameDisconnector call out of a loop.
        (WebCore::ContainerNode::removeChild): Rearrange some event firing code.
        (WebCore::ContainerNode::removeChildren): Ditto.
        * dom/ContainerNodeAlgorithms.cpp:
        (WebCore::ChildFrameDisconnector::collectDescendant): Pass a new parameter to collectDescendant(Node*).
        * dom/ContainerNodeAlgorithms.h:
        (WebCore::ChildFrameDisconnector::ChildFrameDisconnector):
        (ChildFrameDisconnector): Maintain a list of nodes that have an active ChildFrameDisconnector.
        (WebCore::ChildFrameDisconnector::~ChildFrameDisconnector):
        (WebCore::ChildFrameDisconnector::rootNodes):
        (WebCore::ChildFrameDisconnector::collectDescendant): Add ShouldIncludeRoot parameter.
        (WebCore::ChildFrameDisconnector::nodeHasDisconnector):
        (WebCore):
        * dom/Node.cpp:
        (WebCore::checkAcceptChild): Reject a parent node if it or one of its parents has an active ChildFrameDisconnector.
        * html/HTMLFrameElementBase.cpp:
        (WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions): Check if an element is still in the document.

    2012-05-10  MORITA Hajime  <morrita@google.com>

        Remove support for Node::willRemove()
        https://bugs.webkit.org/show_bug.cgi?id=55209

        Reviewed by Ryosuke Niwa.

        This change de-virtualizes Node::willRemove(), gains
        5% speedup on Dromaeo dom-modify.

        Originally there were 5 willRemove() overrides:
        - Element
        - HTMLStyleElement
        - HTMLSourceElement
        - HTMLTrackElement
        - HTMLFrameOwnerElement

        For the first 4 items, this change moves their implementations to
        Node::removedFrom() overrides.

        Then HTMLFrameOwnerElement is the only class which needs the
        notification.  Because it emits the "unload" event, it needs some
        notification _before_ its removal. To handle that, this change
        introduces ChildFrameDisconnector which collects
        corresponding descendant elements and disconnects their content frame.

        Even though this approach doesn't kill pre-removal tree traversal
        completely, it's a bit more efficient due to the de-virtualization.

        No new tests. Covered by existing test.

        * dom/ContainerNode.cpp:
        (WebCore::willRemoveChild): Replaced willRemove() call with ChildFrameDisconnector.
        (WebCore::willRemoveChildren): Ditto.
        (WebCore::ContainerNode::disconnectDescendantFrames): Added. Used from FrameLoader to replace Document::willRemove() call.
        (WebCore):
        * dom/ContainerNode.h:
        (ContainerNode):
        * dom/ContainerNodeAlgorithms.cpp:
        (WebCore::ChildFrameDisconnector::collectDescendant):
        (WebCore):
        (WebCore::ChildFrameDisconnector::Target::disconnect):
        * dom/ContainerNodeAlgorithms.h:
        (ChildFrameDisconnector):
        (Target):
        (WebCore::ChildFrameDisconnector::Target::Target):
        (WebCore::ChildFrameDisconnector::Target::isValid):
        (WebCore):
        (WebCore::ChildFrameDisconnector::ChildFrameDisconnector):
        (WebCore::ChildFrameDisconnector::collectDescendant):
        (WebCore::ChildFrameDisconnector::disconnect):
        * dom/Element.cpp:
        (WebCore::Element::removedFrom):
        * dom/Element.h:
        * dom/ElementShadow.cpp:
        * dom/ElementShadow.h:
        (ElementShadow):
        * dom/Node.cpp:
        * dom/Node.h: Added IsFrameOwnerElement flag to de-virtualize IsFrameOwnerElement().
        (WebCore::Node::isFrameOwnerElement): De-virtualized.
        (Node):
        * html/HTMLElement.h:
        (HTMLElement):
        (WebCore::HTMLElement::HTMLElement):
        * html/HTMLFrameOwnerElement.cpp:
        (WebCore::HTMLFrameOwnerElement::HTMLFrameOwnerElement):
        (WebCore::HTMLFrameOwnerElement::disconnectContentFrame): Extracted from original willRemove().
        * html/HTMLFrameOwnerElement.h:
        (HTMLFrameOwnerElement):
        (WebCore::toFrameOwnerElement):
        (WebCore):
        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::sourceWasRemoved): Renamed from sourceWillBeRemoved(), dealing with the timing change.
        * html/HTMLMediaElement.h:
        (HTMLMediaElement):
        (WebCore::isMediaElement):
        (WebCore):
        (WebCore::toMediaElement):
        * html/HTMLSourceElement.cpp:
        (WebCore::HTMLSourceElement::removedFrom): Moved some code from willRemove().
        * html/HTMLSourceElement.h:
        (HTMLSourceElement):
        * html/HTMLStyleElement.cpp:
        (WebCore::HTMLStyleElement::removedFrom):
        (WebCore):
        * html/HTMLStyleElement.h:
        (HTMLStyleElement):
        * html/HTMLTrackElement.cpp:
        (WebCore::HTMLTrackElement::removedFrom): Moved some code from willRemove().
        * html/HTMLTrackElement.h:
        (HTMLTrackElement):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::clear):

2012-11-15  Lucas Forschler  <lforschler@apple.com>

        Merge r134083

    2012-11-09  Jer Noble  <jer.noble@apple.com>

            Plugin diagnostic logging should send plugin file basename instead of MIME type.
            https://bugs.webkit.org/show_bug.cgi?id=101679

            Reviewed by Eric Carlson.

            Log the basename of the plugin file rather than the mime type so as to more
            accurately log which plugin was used to handle the request.

            * loader/SubframeLoader.cpp:
            (WebCore::logPluginRequest): Log the plugin 'file' field, if present.
            * plugins/PluginData.cpp:
            (WebCore::PluginData::pluginInfoForMimeType): Factored out from pluginNameForMimeType.
            (WebCore::PluginData::pluginNameForMimeType): Use pluginInfoForMimeType to retrieve name field.
            (WebCore::PluginData::pluginFileForMimeType): Use pluginInfoForMimeType to retrieve file field.
            * plugins/PluginData.h:

2012-11-15  Lucas Forschler  <lforschler@apple.com>

        Merge r130449

    2012-10-04  Nate Chapin  <japhet@chromium.org>

            Crash in EventHandler::mouseMoved().
            https://bugs.webkit.org/show_bug.cgi?id=98460

            Reviewed by Abhishek Arya.

            No new tests, this fixes fast/events/mouse-moved-remove-frame-crash.html.

            * page/EventHandler.cpp:
            (WebCore::EventHandler::mouseMoved):

2012-11-14  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12705908> Scrolling some versions of the facebook page is very slow
        
        Merge r134737

    2012-11-14  Simon Fraser  <simon.fraser@apple.com>
    
            Don't use temporary clip rects when hit testing
            https://bugs.webkit.org/show_bug.cgi?id=102329
    
            Reviewed by Beth Dakin.
    
            We now cache clip rects separately for painting, hit testing etc. Hit testing
            clip rects are always shrunk to exclude scrollbars (so that hit testing on
            the scrollbars works), so we no longer ever need to use temporary clip rects
            during hit testing.
    
            Added an assertion that the scrollbar relevancy when we computed the clip rects
            is the same as that when using them.
            
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::hitTestLayer):
            (WebCore::RenderLayer::updateClipRects):
            * rendering/RenderLayer.h:
            (WebCore::ClipRectsCache::ClipRectsCache):
            (ClipRectsCache):

2012-11-14  Timothy Hatcher  <timothy@apple.com>

        Merge r134100

    2012-10-28  Timothy Hatcher  <timothy@apple.com>

        Make -webkit-canvas in CSS use the full backing store instead
        of always 1x when rendering.

        https://bugs.webkit.org/show_bug.cgi?id=100611

        Reviewed by Dean Jackson.

        Test: fast/canvas/canvas-as-image-hidpi.html

        * html/HTMLCanvasElement.cpp:
        (WebCore::HTMLCanvasElement::makePresentationCopy): Pass Unscaled to copyImage.
        (WebCore::HTMLCanvasElement::copiedImage): Ditto.
        * platform/graphics/ImageBuffer.h:
        * platform/graphics/cg/ImageBufferCG.cpp:
        (WebCore::ImageBuffer::copyImage): Added Scale parameter and use copyNativeImage for Unscaled.
        * platform/graphics/cairo/ImageBufferCairo.cpp:
        (WebCore::ImageBuffer::copyImage): Added unnamed ScaleBehavior parameter.
        * platform/graphics/qt/ImageBufferQt.cpp:
        (WebCore::ImageBuffer::copyImage): Ditto.
        * platform/graphics/skia/ImageBufferSkia.cpp:
        (WebCore::ImageBuffer::copyImage): Ditto.
        * platform/graphics/wince/ImageBufferWinCE.cpp:
        (WebCore::ImageBuffer::copyImage): Ditto.
        * platform/graphics/wx/ImageBufferWx.cpp:
        (WebCore::ImageBuffer::copyImage): Ditto.

2012-11-14  Timothy Hatcher  <timothy@apple.com>

        Merge r134099

    2012-10-28  Timothy Hatcher  <timothy@apple.com>

        Reset the canvas backing store pixel ratio when the buffer resizes.

        The backing store was not being recreated using the current page pixel ratio
        when a resize occurred.

        https://bugs.webkit.org/show_bug.cgi?id=100608

        Reviewed by Darin Adler.

        Test: fast/canvas/canvas-resize-reset-pixelRatio.html

        * html/HTMLCanvasElement.cpp:
        (WebCore::HTMLCanvasElement::HTMLCanvasElement): Use targetDeviceScaleFactor.
        (WebCore::HTMLCanvasElement::reset): Do a clear only if the pixel ratios also
        match. Store the new pixel ratio in m_deviceScaleFactor.
        (WebCore::HTMLCanvasElement::targetDeviceScaleFactor): Added.
        * html/HTMLCanvasElement.h:
        (WebCore::HTMLCanvasElement::setSize): Return early only if the sizes and
        pixel ratios match.

2012-11-14  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12705731> Don't pass a paintingRoot when painting from RenderLayerBacking (102256)

        Merge r134642

    2012-11-14  Simon Fraser  <simon.fraser@apple.com>
    
            Don't pass a paintingRoot when painting from RenderLayerBacking
            https://bugs.webkit.org/show_bug.cgi?id=102256
    
            Reviewed by David Hyatt.
    
            The 'paintingRoot' parameter to the RenderLayer paint functions
            is used when painting just a subtree (e.g. when painting dragged
            selections). There is no need to pass it when a RenderLayerBacking
            paints its contents or overlay scrollbars.
            
            Passing it requires an expensive isDescendant() check, so passing
            null is more efficient.
            
            * rendering/RenderLayer.h:
            (WebCore::RenderLayer::LayerPaintingInfo::LayerPaintingInfo):
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::paintIntoLayer):
            (WebCore::RenderLayerBacking::paintContents):
            * rendering/RenderLayerBacking.h:
            (RenderLayerBacking):

2012-11-13  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12705458> Chopin: Avoid calling calculateLayerBounds() and convertToLayerCoords() more than once per layer paint (102031)

        Merge r134356

    2012-11-12  Simon Fraser  <simon.fraser@apple.com>
    
            Avoid calling calculateLayerBounds() and convertToLayerCoords() more than once per layer paint
            https://bugs.webkit.org/show_bug.cgi?id=102031
    
            Reviewed by Beth Dakin.
    
            RenderLayer::paintLayerContents() and callees could end up calling convertToLayerCoords()
            and calculateLayerBounds() multiple times for painting a single layer.
            
            Keep track of whether we've computed the root-relative bounds and do it on demand.
            Compute the offset relative to rootLayer once, and pass it around as an optional parameter
            to functions that need it.
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::paintLayerContents):
            (WebCore::RenderLayer::hitTestLayer):
            (WebCore::RenderLayer::calculateRects):
            (WebCore::RenderLayer::intersectsDamageRect):
            (WebCore::RenderLayer::boundingBox):
            (WebCore::RenderLayer::calculateLayerBounds):
            * rendering/RenderLayer.h:
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::calculateCompositedBounds):

2012-11-13  Simon Fraser  <simon.fraser@apple.com>

        Prerequisite for <rdar://problem/12705357>.
        
        Merge r134355

    2012-11-12  Simon Fraser  <simon.fraser@apple.com>
    
            Change calculateLayerBounds() from a static function to a member function
            https://bugs.webkit.org/show_bug.cgi?id=102022
    
            Reviewed by Beth Dakin.
    
            calculateLayerBounds() has grown into a substantial function after
            starting life as a little utility function, so make it a member function
            of RenderLayer, and adjust callers accordingly.
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::setFilterBackendNeedsRepaintingInRect):
            (WebCore::RenderLayer::paintLayerContents):
            (WebCore::RenderLayer::calculateLayerBounds):
            * rendering/RenderLayer.h:
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::calculateCompositedBounds):

2012-11-13  Simon Fraser  <simon.fraser@apple.com>

        Merge r134330

    2012-11-12  Simon Fraser  <simon.fraser@apple.com>
    
            Fix filter dirty rect regression from r134311
            https://bugs.webkit.org/show_bug.cgi?id=102002
    
            Reviewed by Beth Dakin.
    
            When rendering with filters, the code can inflate the root-relative
            paintDirtyRect in RenderLayer::paintLayerContents(), and my cleanup
            broke this behavior.
        
            Fix by making a local copy of LayerPaintingInfo, updating its paintDirtyRect,
            and using it for the rest of the function.
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::paintLayerContents):

2012-11-13  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12705446> Reduce the crazy number of parameters to RenderLayer painting member functions (101895)

        Merge r134311

    2012-11-12  Simon Fraser  <simon.fraser@apple.com>
    
            Reduce the crazy number of parameters to RenderLayer painting member functions
            https://bugs.webkit.org/show_bug.cgi?id=101895
    
            Reviewed by Beth Dakin.
    
            The various RenderLayer::paintLayer* functions took a lot of arguments, most
            of which were passed down directly to descendants.
            
            Gather these arguments into a LayerPaintingInfo struct.
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::paint): Create a LayerPaintingInfo struct to pass
            to descendant paint calls.
            (WebCore::RenderLayer::paintOverlayScrollbars): Ditto.
            (WebCore::RenderLayer::paintLayer): When painting transformed layers, we
            make a new LayerPaintingInfo because the root layer is shifted.
            (WebCore::RenderLayer::paintLayerContentsAndReflection):
            (WebCore::RenderLayer::paintLayerContents):
            (WebCore::RenderLayer::paintList):
            (WebCore::RenderLayer::paintPaginatedChildLayer):
            (WebCore::RenderLayer::paintChildLayerIntoColumns): Create a new LayerPaintingInfo
            struct for column painting.
            * rendering/RenderLayer.h:
            (WebCore::RenderLayer::LayerPaintingInfo::LayerPaintingInfo):
            (LayerPaintingInfo):
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::paintIntoLayer): Build a LayerPaintingInfo
            to enter layer painting.
            * rendering/RenderReplica.cpp:
            (WebCore::RenderReplica::paint): Ditto.

2012-11-13  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12705577> Save one call to containerForRepaint() when updating layer positions (101856)

        Merge r134174

    2012-11-10  Simon Fraser  <simon.fraser@apple.com>
    
            Save one call to containerForRepaint() when updating layer positions
            https://bugs.webkit.org/show_bug.cgi?id=101856
    
            Reviewed by Dan Bernstein.
    
            RenderLayer::updateLayerPositions() has already computed the repaint container,
            but calls computeRepaintRects() which computes it again. Computing the repaint
            container involves a walk back up the layer tree, so calling it during a tree
            traversal is costly.
            
            Fix by passing the repaint container down into computeRepaintRects().
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::updateLayerPositions):
            (WebCore::RenderLayer::computeRepaintRects):
            (WebCore::RenderLayer::computeRepaintRectsIncludingDescendants):
            (WebCore::RenderLayer::updateLayerPositionsAfterScroll):
            (WebCore::RenderLayer::setHasVisibleContent):
            * rendering/RenderLayer.h:
            (RenderLayer):

2012-11-13  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12705261> Cache absolute clip rects on RenderLayer for compositing overlap testing (87212)

        Merge r119458

    2012-06-04  Simon Fraser  <simon.fraser@apple.com>
    
            Leaking ClipRects
            https://bugs.webkit.org/show_bug.cgi?id=88282
    
            Reviewed by Dan Bernstein.
    
            In r118562 I made the ClipRectsCache use RefPtr<ClipRects>. However, ClipRects
            was initialized with m_refCnt=0, not 1 as adoptRef() and friends expect. Also,
            there was a manual ref() in RenderLayer::updateClipRects() which this patch removes.
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::updateClipRects):
            * rendering/RenderLayer.h:
            (WebCore::ClipRects::ClipRects):

2012-11-13  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12705261> Cache absolute clip rects on RenderLayer for compositing overlap testing (87212)

        Merge r118612

    2012-05-26  Simon Fraser  <simon.fraser@apple.com>
    
            Clip rects assertion when hovering div with transform
            https://bugs.webkit.org/show_bug.cgi?id=87580
    
            Reviewed by Eric Seidel.
            
            Hit testing used to use temporary clip rects in composited documents,
            until r118562. Now that we cache clip rects for hit testing, we need
            to clear the cache on descendant layers when a layer gains or loses
            a transform.
    
            Test: fast/layers/clip-rects-assertion.html
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::updateTransform):

2012-11-13  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12705261> Cache absolute clip rects on RenderLayer for compositing overlap testing (87212)

        Merge r119458.

    2012-05-25  Simon Fraser  <simon.fraser@apple.com>
    
            Cache absolute clip rects on RenderLayer for compositing overlap testing
            https://bugs.webkit.org/show_bug.cgi?id=87212
    
            Reviewed by Dave Hyatt.
            
            Enhance the cache of ClipRects on RenderLayers to store three
            different types of ClipRects, rather than just one.
            
            We need to compute clip rects relative to different layers
            for different purposes. For painting, we compute relative to
            the compositing layer which is acting as a painting root.
            For hit testing, we compute relative to the root, except
            for transformed layers. For compositing overlap testing, we
            compute relative to the root ("absolute"). At other times, we do one-off
            computation which we never want to cache ("temporary clip rects").
            
            This change allows us to cache rects for hit testing, and for
            compositing overlap testing. This has huge performance benefits
            on some pages (bug 84410).
            
            This change also makes ClipRects not arena-allocated, so we
            can use RefPtr<ClipRect>.
    
            No testable behavior change.
    
            * rendering/RenderBoxModelObject.cpp:
            (WebCore::RenderBoxModelObject::willBeDestroyed): No need for the
            explicit clipRects teardown, since clipRects don't need a live
            RenderObject for arena-based destruction.
    
            * rendering/RenderLayer.cpp: Remove arena-related new and delete.
            (WebCore::RenderLayer::RenderLayer): No need to explicitly initialize m_clipRects,
            since it's an OwnPtr now.
            (WebCore::RenderLayer::~RenderLayer): No explicit clipRect teardown required.
            (WebCore::RenderLayer::clippingRootForPainting): Renamed to make its purpose
            more obvious.
            (WebCore::RenderLayer::paintLayer): Use the TemporaryClipRects type when necessary.
            (WebCore::RenderLayer::paintLayerContents): Ditto
            (WebCore::RenderLayer::hitTestLayer): No longer need to use temporary clipRects when
            hit testing since we cache clip rects for hit testing.
            (WebCore::RenderLayer::updateClipRects): Take a ClipRectsType and pass it through.
            (WebCore::RenderLayer::calculateClipRects): Ditto
            (WebCore::RenderLayer::parentClipRects): Ditto
            (WebCore::RenderLayer::backgroundClipRect): Ditto
            (WebCore::RenderLayer::calculateRects): Take ClipRectsType, which obviates temporaryClipRects.
            (WebCore::RenderLayer::childrenClipRect): Use clippingRootForPainting().
            (WebCore::RenderLayer::selfClipRect): Ditto
            (WebCore::RenderLayer::localClipRect): Ditto
            (WebCore::RenderLayer::clearClipRectsIncludingDescendants): Take a type of clip rect to clear
            (include all). Allows us to just clear painting clip rects.
            (WebCore::RenderLayer::clearClipRects):
    
            * rendering/RenderLayer.h:
            (WebCore::ClipRects::create): We don't use RefCounted<> in order to use a bit in
            the refCount for a flag. Add create() method.
            (WebCore::ClipRects::deref): No longer arena-allocated.
            (WebCore::ClipRectsCache::ClipRectsCache): Struct that holds a small
            array of the 3 types of clipRects (and, in debug, the layer relative
            to which they were computed).
            (WebCore::RenderLayer::clipRects):
    
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::updateCompositedBounds): Use AbsoluteClipRects; rootLayer
            is always the RenderView's layer here.
            (WebCore::RenderLayerBacking::updateGraphicsLayerGeometry): Use TemporaryClipRects.
            (WebCore::RenderLayerBacking::setRequiresOwnBackingStore): When this variable changes,
            we need to invalidate painting clipRects, since it affects the ancestor relative to which
            those rects are computed.
    
            * rendering/RenderLayerBacking.h:
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::updateBacking): When the composited state
            of a layer changes, we have to clear all descendant clip rects, since this
            can affect the layers relative to which clip rects are computed.
            (WebCore::RenderLayerCompositor::addToOverlapMap): Use AbsoluteClipRects.
            (WebCore::RenderLayerCompositor::computeCompositingRequirements): No need
            to call updateLayerPosition(), since that should have always happened after
            layout. That call cleared clip rects, so removing it is very beneficial.
            (WebCore::RenderLayerCompositor::clippedByAncestor): Use TemporaryClipRects.
    
            * rendering/RenderTreeAsText.cpp:
            (WebCore::writeLayers): Use TemporaryClipRects.

2012-11-13  Simon Fraser  <simon.fraser@apple.com>

        <rdar://problem/12705190> Terrible performance on http://alliances.commandandconquer.com/ and http://www.lordofultima.com/ and App Store (84410)

        Merge r118567, r118617, r118957, r119172, r121124, r121130, r121306, r121446, r122376, r122653 (partial), r122802 (partial),
        r133248

    2012-11-01  Tien-Ren Chen  <trchen@chromium.org>
    
            Fix assertion failure in RenderGeometryMap::absoluteRect when frame scale != 1.0
            https://bugs.webkit.org/show_bug.cgi?id=100912
    
            Reviewed by Simon Fraser.
    
            Frame scale will add transformation to RenderView, so fixed position doesn't
            get propagated up to the viewport by RenderGeometryMap. This is handled
            correctly in RenderView::mapLocalToContainer, causing the assertion to fail.
            This patch corrects RenderGeometryMap::mapToAbsolute to handle the RenderView
            transformation case.
    
            A layout test is added to catch this issue. The test will crash debug build
            without this patch.
    
            Test: compositing/geometry/fixed-position-composited-page-scale-scroll.html
    
            * rendering/RenderGeometryMap.cpp:
            (WebCore::RenderGeometryMap::mapToAbsolute):

    2012-07-16  Kiran Muppala  <cmuppala@apple.com>
    
            REGRESSION: RenderInline::absoluteQuads produces incorrect results for fixed position.
            https://bugs.webkit.org/show_bug.cgi?id=91451
    
            Reviewed by Simon Fraser.
    
            RenderInline::absoluteQuads relies on copies of RenderGeometryMap,
            created indirectly by passing AbsoluteQuadsGeneratorContext object by
            value.  These copies are unsafe because the individual transform steps
            within the geometry map include an owned pointer to their respective
            transform.
    
            Modify the callee methods to take context by reference and disable
            copy constructor for RenderGeometryMap.
    
            Test: fast/inline/inline-fixed-position-boundingbox.html
    
            * rendering/RenderGeometryMap.h:
            (WebCore::RenderGeometryMapStep::RenderGeometryMapStep): Add missing
            m_offset to copy constructor initialization list.
            (RenderGeometryMap): Disable copy constructor.
            * rendering/RenderInline.cpp: Pass context object by reference.
            (WebCore::RenderInline::generateLineBoxRects): 
            (WebCore::RenderInline::generateCulledLineBoxRects):
            (WebCore::RenderInline::absoluteRects):
            (WebCore::RenderInline::absoluteQuads):
            (WebCore::RenderInline::linesBoundingBox):
            (WebCore::RenderInline::culledInlineVisualOverflowBoundingBox):
            (WebCore::RenderInline::addFocusRingRects):
            * rendering/RenderInline.h:
            (RenderInline::generateLineBoxRects): Update method declarations to
            show pass by reference context parameter.
            (RenderInline::generateCulledLineBoxRects): Ditto.

    2012-07-13  Kiran Muppala  <cmuppala@apple.com>
    
            REGRESSION: RenderInline boundingBox ignores relative position offset
            https://bugs.webkit.org/show_bug.cgi?id=91168
    
            Reviewed by Simon Fraser.
    
            RenderGeometryMap, used for caching the transform to the view,
            expects the first mapping pushed, to be that of the view itself.
            RenderInline was instead pushing its own offset first.  Besides
            the offset of the view itself was not being pushed.
    
            Relaxed the RenderGeometryMap restriction that the first pushed
            step should be of the view.  It is sufficient that the view's mapping
            is pushed in the first call to pushMappingsToAncestor.  Modified
            RenderInline to push the offset of the view also to the geometry map.
    
            Test: fast/inline/inline-relative-offset-boundingbox.html
    
            * rendering/RenderGeometryMap.cpp:
            (WebCore::RenderGeometryMap::pushMappingsToAncestor): Add assertion to
            check if mapping to view was pushed in first invocation.
            (WebCore::RenderGeometryMap::pushView): Correct assertion that checks
            if the view's mapping is the first one to be applied.
            (WebCore::RenderGeometryMap::stepInserted): Use isRenderView to check if
            a mapping step belongs to a view instead of using mapping size.
            (WebCore::RenderGeometryMap::stepRemoved): Ditto.
            * rendering/RenderInline.cpp:
            (WebCore::(anonymous namespace)::AbsoluteQuadsGeneratorContext::AbsoluteQuadsGeneratorContext):
            Push mappings all the way up to and including the view.

    2012-07-10  Simon Fraser  <simon.fraser@apple.com>
    
            Assertion ASSERTION FAILED: enclosingIntRect(rendererMappedResult) == enclosingIntRect(FloatQuad(result).boundingBox()) when compositing in paginated mode
            https://bugs.webkit.org/show_bug.cgi?id=90919
    
            Reviewed by Antti Koivisto.
    
            r121124 added a fast path for geometry mapping that goes via layers
            when possible. However, this broke paginated pages, which put
            the root (RenderView) layer into column mode, because it failed
            to check for columns on the ancestor layer.
            
            Rather than make a risky change to convertToLayerCoords(), add a local
            function canMapViaLayer(), which is like RenderLayer::canUseConvertToLayerCoords(),
            but doesn't check for compositing (compositing itself is not a reason
            to avoid convertToLayerCoords). Call canMapViaLayer() with the ancestorLayer
            to check whether the ancestor has columns, which fixes the bug.
    
            Test: compositing/columns/geometry-map-paginated-assert.html
    
            * rendering/RenderGeometryMap.cpp:
            (WebCore::canMapViaLayer):
            (WebCore::RenderGeometryMap::pushMappingsToAncestor):

    2012-06-28  Antti Koivisto  <antti@apple.com>
    
            Don't malloc RenderGeometryMap steps individually
            https://bugs.webkit.org/show_bug.cgi?id=90074
    
            Reviewed by Simon Fraser.
    
            Mallocs and frees for steps under RenderGeometryMap::push/popMappingsToAncestor can total ~2% of the profile when animating transforms.
    
            * rendering/RenderGeometryMap.cpp:
            (WebCore):
            (WebCore::RenderGeometryMap::absolutePoint):
            (WebCore::RenderGeometryMap::absoluteRect):
            (WebCore::RenderGeometryMap::mapToAbsolute):
            (WebCore::RenderGeometryMap::push):
            (WebCore::RenderGeometryMap::pushView):
            (WebCore::RenderGeometryMap::popMappingsToAncestor):
            * rendering/RenderGeometryMap.h:
            (WebCore):
            (WebCore::RenderGeometryMapStep::RenderGeometryMapStep):
            
                Move to header.
    
            (RenderGeometryMapStep):
            (RenderGeometryMap):
            
                Make the step vector hold RenderGeometryMapSteps instead of RenderGeometryMapStep*'s.
    
            (WTF):
            
                Give RenderGeometryMapSteps SimpleClassVectorTraits. This is needed for dealing with OwnPtr in the struct (and makes it faster too).
                The type is simple enough to move by memcpy.

    2012-06-26  Simon Fraser  <simon.fraser@apple.com>
    
            Optimize mappings of simple transforms in RenderGeometryMap
            https://bugs.webkit.org/show_bug.cgi?id=90034
    
            Reviewed by Dean Jackson.
            
            For transforms that are identity or simple translations, don't
            fall off the fast path in RenderGeometryMap; we can just
            treat them as offsets.
            
            Improves performance on pages with lots of translateZ(0) elements.
            
            Remove RenderGeometryMapStep::mapPoint() and mapQuad(), which
            were unused.
    
            No new tests; optimization only, and tested by assertions.
    
            * rendering/RenderGeometryMap.cpp:
            (WebCore::RenderGeometryMap::push):

    2012-06-24  Antti Koivisto  <antti@apple.com>
    
            REGRESSION(r121124): LayoutTests/fast/block/inline-children-root-linebox-crash.html asserts
            https://bugs.webkit.org/show_bug.cgi?id=89844
            
            Reviewed by Dan Bernstein.
    
            We need to check for the flipped writing mode and take the slow path if it is used.
    
            * rendering/RenderGeometryMap.cpp:
            (WebCore::RenderGeometryMap::pushMappingsToAncestor):

    2012-06-24  Antti Koivisto  <antti@apple.com>
    
            Optimize RenderGeometryMap mappings gathering
            https://bugs.webkit.org/show_bug.cgi?id=89828
    
            Reviewed by Simon Fraser.
    
            RenderGeometryMap currently gathers mappings by climbing the rendering tree. This is slow and can produce
            a large number of mapping steps. In the common case we already have the child layer coordinates available in
            the layer tree and we can just use that.
            
            The combination of faster mappings gathering and fewer number of applying steps reduces time spent under 
            RenderLayerCompositor::computeCompositingRequirements to less than half when scrolling the mobile version
            of twitter.com.
            
            * rendering/RenderGeometryMap.cpp:
            (WebCore):
            (WebCore::RenderGeometryMap::pushMappingsToAncestor):
            
                Use pre-computed mapping from the layer tree when possible.
    
            (WebCore::RenderGeometryMap::popMappingsToAncestor):
            * rendering/RenderGeometryMap.h:
            
                Add some inline capacity.
    
            (WebCore):
            (RenderGeometryMap):
            * rendering/RenderLayer.h:
            (WebCore::RenderLayer::canUseConvertToLayerCoords):
            (RenderLayer):
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::addToOverlapMapRecursive):
            (WebCore::RenderLayerCompositor::computeCompositingRequirements):

    2012-05-31  Simon Fraser  <simon.fraser@apple.com>
    
            RenderLayerCompositor cleanup: make RenderGeometryMap part of the OverlapMap
            https://bugs.webkit.org/show_bug.cgi?id=88021
    
            Reviewed by James Robinson.
            
            We only ever use the RenderGeometryMap when we have an OverlapMap, so make
            it a member of the OverlapMap.
    
            No behavior change.
    
            * rendering/RenderLayerCompositor.cpp:
            (RenderLayerCompositor::OverlapMap):
            (WebCore::RenderLayerCompositor::OverlapMap::geometryMap):
            (WebCore::RenderLayerCompositor::updateCompositingLayers):
            (WebCore::RenderLayerCompositor::addToOverlapMap):
            (WebCore::RenderLayerCompositor::addToOverlapMapRecursive):
            (WebCore::RenderLayerCompositor::computeCompositingRequirements):
            * rendering/RenderLayerCompositor.h:
            (WebCore):
            (RenderLayerCompositor):

    2012-05-29  Adrienne Walker  <enne@google.com>
    
            Transformed fixed position layers have an incorrect overlap map entry
            https://bugs.webkit.org/show_bug.cgi?id=64201
    
            Reviewed by Darin Adler.
    
            Previously, layers that both had a transform and were fixed position
            were not considered as being fixed position in RenderGeometryMap or in
            RenderBox::mapLocalToContainer (although this case is not incorrect in
            the case of painting, so an external caller likely adjusts for this).
    
            Tests: compositing/layer-creation/fixed-position-and-transform.html
                   compositing/layer-creation/fixed-position-under-transform.html
    
            * rendering/RenderBox.cpp:
            (WebCore::RenderBox::mapLocalToContainer):
            * rendering/RenderGeometryMap.cpp:
            (WebCore::RenderGeometryMap::mapToAbsolute):

    2012-05-26  Simon Fraser  <simon.fraser@apple.com>
    
            fast/block/inline-children-root-linebox-crash.html asserts after r118567
            https://bugs.webkit.org/show_bug.cgi?id=87544
    
            Reviewed by Darin Adler.
            
            Remove fast/block/inline-children-root-linebox-crash.html from the skipped
            list.
            
            New, more complex writing mode flipping test with compositing.
    
            * compositing/geometry/flipped-blocks-inline-mapping-expected.txt: Added.
            * compositing/geometry/flipped-blocks-inline-mapping.html: Added.
            * platform/mac/Skipped:

    2012-05-25  Simon Fraser  <simon.fraser@apple.com>
    
            Terrible performance on http://alliances.commandandconquer.com/ and http://www.lordofultima.com/
            https://bugs.webkit.org/show_bug.cgi?id=84410
    
            Reviewed by Dave Hyatt.
            
            First part of fixing O(N^2) issues when walking the RenderLayer tree
            for computeCompositingRequirements().
            
            For each layer that goes into the OverlapMap, we were computing an absolute
            layer bounds, which requires walking back to the root of the tree.
            Optimize this when possible by storing a stack of offsets as we walk
            the tree, and using this stack to do the mapping.
            
            The stack of offsets and transforms is managed by RenderGeometryMap.
            When visiting a RenderLayer, RenderLayerCompositor pushes onto
            the geometry map stack data about offsets and transforms between
            the current layer and its stacking-parent. RenderGeometryMap handles
            the case where the previous renderer pushed is between the current
            renderer and its container. RenderGeometryMap can also handle callers
            pushing renderers with multiple containers between them.
            
            RenderGeometryMap stores some flags about whether the set of mapping
            steps in the stack involve transforms, fixed position, or special non-uniform
            mappings like CSS columns. In some cases, it falls back to mapping via
            renderers.
    
            Once constructed, the RenderGeometryMap stack can be used to map multiple
            rects or points efficiently. Stacks consisting of simple offsets are
            collapsed to a single offset.
            
            Mappings between renderers and their containers are pushed by pushMappingToContainer()
            methods, which are similar to mapLocalToContainer() methods. Having this code
            in RenderObjects was deemed preferable to handling columns, transforms etc. all in
            RenderLayer code.
    
            Tested by assertions in RenderGeometryMap code that its mapping matches
            mapping via localToAbsolute() calls.
            
            RenderLayerCompositor::updateCompositingLayers() creates a RenderGeometryMap,
            and pushes and pops layer renderers as it visits them. The geometry map is used
            by RenderLayerCompositor::addToOverlapMap() when computing absolute layer bounds.
            
            Further optimizations in RenderGeometryMap are possible, especially with stacks that
            have many offsets and a few transforms.
    
            Tests: compositing/geometry/composited-in-columns.html
                   compositing/geometry/flipped-writing-mode.html
    
            * CMakeLists.txt: Add RenderGeometryMap
            * GNUmakefile.list.am: Ditto
            * Target.pri: Ditto
            * WebCore.gypi: Ditto
            * WebCore.vcproj/WebCore.vcproj: Ditto
            * WebCore.xcodeproj/project.pbxproj: Ditto
            * rendering/RenderBox.cpp:
            (WebCore::RenderBox::absoluteContentBox):
            (WebCore::RenderBox::pushMappingToContainer):
            (WebCore::RenderBox::offsetFromContainer):
            * rendering/RenderBox.h:
            * rendering/RenderGeometryMap.cpp: Added.
            (RenderGeometryMapStep):
            (WebCore::RenderGeometryMapStep::RenderGeometryMapStep):
            (WebCore::RenderGeometryMapStep::mapPoint):
            (WebCore::RenderGeometryMapStep::mapQuad):
            (WebCore::RenderGeometryMap::RenderGeometryMap):
            (WebCore::RenderGeometryMap::~RenderGeometryMap):
            (WebCore::RenderGeometryMap::absolutePoint):
            (WebCore::RenderGeometryMap::absoluteRect):
            (WebCore::RenderGeometryMap::mapToAbsolute):
            (WebCore::RenderGeometryMap::pushMappingsToAncestor):
            (WebCore::RenderGeometryMap::push):
            (WebCore::RenderGeometryMap::pushView):
            (WebCore::RenderGeometryMap::popMappingsToAncestor):
            (WebCore::RenderGeometryMap::stepInserted):
            (WebCore::RenderGeometryMap::stepRemoved):
            * rendering/RenderGeometryMap.h: Added.
            (RenderGeometryMap):
            (WebCore::RenderGeometryMap::hasNonUniformStep):
            (WebCore::RenderGeometryMap::hasTransformStep):
            (WebCore::RenderGeometryMap::hasFixedPositionStep):
            * rendering/RenderInline.cpp:
            (WebCore::RenderInline::offsetFromContainer):
            (WebCore::RenderInline::pushMappingToContainer):
            * rendering/RenderInline.h:
            (RenderInline):
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::updateCompositingLayers):
            (WebCore::RenderLayerCompositor::addToOverlapMap):
            (WebCore::RenderLayerCompositor::addToOverlapMapRecursive):
            (WebCore::RenderLayerCompositor::computeCompositingRequirements):
            * rendering/RenderLayerCompositor.h:
            (RenderLayerCompositor):
            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::mapLocalToContainer):
            (WebCore::RenderObject::pushMappingToContainer):
            (WebCore::RenderObject::offsetFromContainer):
            (WebCore::RenderObject::container):
            * rendering/RenderObject.h:
            * rendering/RenderTableCell.cpp:
            (WebCore::RenderTableCell::offsetFromContainer):
            * rendering/RenderTableCell.h:
            (RenderTableCell):
            * rendering/RenderView.cpp:
            (WebCore::RenderView::pushMappingToContainer):
            * rendering/RenderView.h:
            * rendering/svg/RenderSVGForeignObject.cpp:
            (WebCore::RenderSVGForeignObject::pushMappingToContainer):
            * rendering/svg/RenderSVGForeignObject.h:
            (RenderSVGForeignObject):
            * rendering/svg/RenderSVGInline.cpp:
            (WebCore::RenderSVGInline::pushMappingToContainer):
            * rendering/svg/RenderSVGInline.h:
            (RenderSVGInline):
            * rendering/svg/RenderSVGModelObject.cpp:
            (WebCore::RenderSVGModelObject::pushMappingToContainer):
            * rendering/svg/RenderSVGModelObject.h:
            (RenderSVGModelObject):
            * rendering/svg/RenderSVGRoot.cpp:
            (WebCore::RenderSVGRoot::pushMappingToContainer):
            * rendering/svg/RenderSVGRoot.h:
            (RenderSVGRoot):
            * rendering/svg/RenderSVGText.cpp:
            (WebCore::RenderSVGText::pushMappingToContainer):
            * rendering/svg/RenderSVGText.h:
            (RenderSVGText):
            * rendering/svg/SVGRenderSupport.cpp:
            (WebCore::SVGRenderSupport::pushMappingToContainer):
            * rendering/svg/SVGRenderSupport.h:
            (SVGRenderSupport):

2012-11-14  Beth Dakin  <bdakin@apple.com>

        Merge r134348

    2012-11-12  Beth Dakin  <bdakin@apple.com>
    
            https://bugs.webkit.org/show_bug.cgi?id=101787
            Zoomed-in scrolling is very slow when deviceScaleFactor > 1
    
            Reviewed by Simon Fraser.
    
            This patch adds a new member to the GraphicsContextState that tracks 
            whether or not fonts should be subpixel-quantized. We want to default 
            to subpixel-quantizing, but we'll turn it off if we're scrolling
            content that cannot be scrolled on the scrolling thread.

            State has a new bool shouldSubpixelQuantizeFonts. It defaults to true 
            since normally we do want to quantize.
            * platform/graphics/GraphicsContext.cpp:
            (WebCore::GraphicsContext::setShouldSubpixelQuantizeFonts):
            (WebCore::GraphicsContext::shouldSubpixelQuantizeFonts):
            * platform/graphics/GraphicsContext.h:
            (WebCore::GraphicsContextState::GraphicsContextState):
            (GraphicsContextState):
            (GraphicsContext):
    
            wkSetCGFontRenderingMode now takes a BOOL parameter which indicates 
            whether or not it should try to subpixel-quantize the fonts.
            * platform/graphics/mac/FontMac.mm:
            (WebCore::Font::drawGlyphs):
            * platform/mac/WebCoreSystemInterface.h:
            * platform/mac/WebCoreSystemInterface.mm:
    
            Disable subpixel-quantization for overflow areas, subframes, and 
            content that is scrolling on the main thread.
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::paintLayerContents):

2012-11-13  Lucas Forschler  <lforschler@apple.com>

        Merge r127508

    2012-09-04  Michael Saboff  <msaboff@apple.com>

            equal() in CSSParser.cpp should check the length of characters
            https://bugs.webkit.org/show_bug.cgi?id=95706

            Reviewed by Abhishek Arya.

            Pass the length of string literals to CSSParser static functions equal() and 
            equalIgnoringCase() so that checks won't access out of bounds memory.

            Added test fast/css/crash-comparing-equal.html.

            * css/CSSParser.cpp:
            (WebCore::equal): Use template to retrieve the length of string literal.
            (WebCore::equalIgnoringCase): Ditto.
            (WebCore::CSSParser::parseDashboardRegions): Use const char[] instead of const char*
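
Added example, not code from the WebKit source: one way to take a string literal's length from its array type so that a length-delimited token is never read past its end, which is also why a caller has to pass const char[] rather than const char*. TokenView, equalLiteral, equalLiteralIgnoringCase and sampleMatches are hypothetical names chosen for this sketch.

```cpp
#include <cstddef>
#include <cstring>

// Hypothetical stand-in for a parser token: a pointer into the source buffer
// plus a length. The characters are NOT NUL-terminated.
struct TokenView {
    const char* characters;
    std::size_t length;
};

// N is deduced from the literal's array type and counts the trailing NUL, so
// the literal holds N - 1 characters. The lengths are compared before any
// character of the token is read, so a short token is rejected untouched.
template<std::size_t N>
bool equalLiteral(const TokenView& token, const char (&literal)[N])
{
    if (token.length != N - 1)
        return false;
    // N == 1 is the empty literal; skip memcmp so a null pointer is never passed.
    return N == 1 || std::memcmp(token.characters, literal, N - 1) == 0;
}

static inline char toASCIILower(char c)
{
    return (c >= 'A' && c <= 'Z') ? static_cast<char>(c + ('a' - 'A')) : c;
}

// Same length check, ASCII case folding on both sides.
template<std::size_t N>
bool equalLiteralIgnoringCase(const TokenView& token, const char (&literal)[N])
{
    if (token.length != N - 1)
        return false;
    for (std::size_t i = 0; i < N - 1; ++i) {
        if (toASCIILower(token.characters[i]) != toASCIILower(literal[i]))
            return false;
    }
    return true;
}

// Constructed sample input: the token is a 4-character slice of a longer
// buffer, so the byte after it is '(' rather than a terminator.
bool sampleMatches()
{
    static const char source[] = "rect(0, 0, 10, 10)";
    const char keyword[] = "rect";     // array type: N is deduced as 5
    // const char* keyword = "rect";   // would not compile: no array bound to deduce
    TokenView token = { source, 4 };
    return equalLiteral(token, keyword);
}
```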

2012-11-13  Lucas Forschler  <lforschler@apple.com>

        Merge r123433

    2012-07-24  Kentaro Hara  <haraken@chromium.org>

            [JSC] REGRESSION(r122912): CodeGeneratorJS.pm should not
            implicitly assume ScriptExecutionContext for static attributes
            https://bugs.webkit.org/show_bug.cgi?id=91924

            Reviewed by Adam Barth.

            r122912 implemented static attributes in CodeGeneratorJS.pm.
            However, the generated code assumes that static attributes
            always require ScriptExecutionContext, which is wrong.
            If we need a ScriptExecutionContext, we should specify
            [CallWith=ScriptExecutionContext].

            This patch fixes CodeGeneratorJS.pm so that static attributes
            do not assume ScriptExecutionContext. This fix aligns with
            the fix in CodeGeneratorV8.pm in r123308.

            Test: bindings/scripts/test/TestObj.idl

            * bindings/scripts/CodeGeneratorJS.pm:
            (GenerateImplementation):
            * bindings/scripts/test/JS/JSTestInterface.cpp:
            (WebCore::jsTestInterfaceConstructorSupplementalStaticReadOnlyAttr):
            (WebCore::jsTestInterfaceConstructorSupplementalStaticAttr):
            (WebCore::setJSTestInterfaceConstructorSupplementalStaticAttr):
            * bindings/scripts/test/JS/JSTestObj.cpp:
            (WebCore::jsTestObjConstructorStaticReadOnlyIntAttr):
            (WebCore::jsTestObjConstructorStaticStringAttr):
            (WebCore::setJSTestObjConstructorStaticStringAttr):

2012-11-13  Lucas Forschler  <lforschler@apple.com>

        Merge r122912

    2012-07-17  Jon Lee  <jonlee@apple.com>

            Teach CodeGenerator to support for static, readonly, attributes
            https://bugs.webkit.org/show_bug.cgi?id=88920
            <rdar://problem/11650330>

            Reviewed by Oliver Hunt.

            Update the parser to be able to accept the static keyword for attribute. We will treat static attributes
            like custom static functions. They call the implementing class directly, and pass in the ExecState as a script context.

            * bindings/scripts/CodeGeneratorJS.pm:
            (GetAttributeGetterName): Factor out the construction of the attribute getter function name.
            (GetAttributeSetterName): Factor out the construction of the attribute setter function name.
            (GenerateHeader): Determine that a class has read-write properties only if there is a read-write attribute that
            is not static.
            (GenerateAttributesHashTable): Skip static attributes in the object hash table. They will be added to the constructor
            hash table.
            (GenerateImplementation): Look for static attributes to add to the constructor hash table. Make a call to the static
            function in the class.
            * bindings/scripts/IDLParser.pm:
            (ParseInterface): Update the processing because of the regex change.
            * bindings/scripts/IDLStructure.pm: Update the attribute regex.
            * bindings/scripts/test/JS/JSTestObj.cpp: Update test results.
            * bindings/scripts/test/JS/JSTestObj.h: Update test results.
            * bindings/scripts/test/TestObj.idl: Add test cases.

2012-11-13  Lucas Forschler  <lforschler@apple.com>

        Merge r125280

    2012-08-10  Jon Lee  <jonlee@apple.com>

            Change Notification.permissionLevel() to Notification.permission
            https://bugs.webkit.org/show_bug.cgi?id=88919
            <rdar://problem/11650319>

            Reviewed by Kentaro Hara.

            Retrieving the permission level has changed to Notification.permission, per this discussion:
            http://lists.w3.org/Archives/Public/public-web-notification/2012Jun/0000.html

            Test: fast/notifications/notifications-permission.html

            * Modules/notifications/Notification.cpp: Rename to match attribute name.
            (WebCore::Notification::permission):
            * Modules/notifications/Notification.h: Rename to match attribute name.
            (Notification):
            * Modules/notifications/Notification.idl: Change to static readonly attribute.

2012-11-13  Lucas Forschler  <lforschler@apple.com>

        Merge r127000

    2012-08-29  Alexander Pavlov  <apavlov@chromium.org>

            Web Inspector: Page with @import and :last-child in an edited stylesheet will crash
            https://bugs.webkit.org/show_bug.cgi?id=95324

            Reviewed by Antti Koivisto.

            Ensure the destroyed StyleRules removal from StyleResolver by creating a separate RuleMutationScope for clearing the StyleSheetContents.

            Test: inspector/styles/import-pseudoclass-crash.html

            * inspector/InspectorStyleSheet.cpp:
            (WebCore::InspectorStyleSheet::reparseStyleSheet):

2012-11-13  Lucas Forschler  <lforschler@apple.com>

        Rollout r133090

2012-11-12  Lucas Forschler  <lforschler@apple.com>

        Merge r133469

    2012-11-05  Antti Koivisto  <antti@apple.com>

            Protect against resource deletion during iteration in MemoryCache::pruneDeadResourcesToSize
            https://bugs.webkit.org/show_bug.cgi?id=101211

            Reviewed by Andreas Kling.

            Some crashes have been seen under MemoryCache::pruneDeadResourcesToSize. A possible cause is that
            destroyDecodedData() call ends up evicting the resource pointed by 'previous' pointer during iteration
            and deleting the object. This looks in principle possible via stylesheets and SVG images.

            Speculative fix, no repro, no obvious way to construct a test.

            * loader/cache/MemoryCache.cpp:
            (WebCore::MemoryCache::pruneDeadResourcesToSize):

                Use CachedResourceHandle to protect the 'previous' pointer during iteration. Check if the
                resource has been kicked out from the cache during destroyDecodedData() and stop iterating
                if it has (as it may die when CachedResourceHandle releases it).
                The 'current' pointer is not protected as the resource it points to is allowed to die.

2012-11-12  Lucas Forschler  <lforschler@apple.com>

        Merge r131077

    2012-10-11  Dan Bernstein  <mitz@apple.com>

            <rdar://problem/12477191> Combined text reverts to full-width font after a style change
            https://bugs.webkit.org/show_bug.cgi?id=99009

            Reviewed by John Sullivan.

            Test: fast/text/text-combine-width-after-style-change.html

            * rendering/RenderCombineText.cpp:
            (WebCore::RenderCombineText::styleDidChange): Changed to reset m_isCombined to false, to
            ensure that combineText() is called on the next layout.

2012-11-12  Lucas Forschler  <lforschler@apple.com>

        Merge r131018

    2012-10-10  Jer Noble  <jer.noble@apple.com>

            Disallow full screen mode keyboard access by default.
            https://bugs.webkit.org/show_bug.cgi?id=98971
            <rdar://problem/12474226>

            Reviewed by Sam Weinig.

            Fall back to requesting non-keyboard access if the client refuses to allow keyboard access.

            * dom/Document.cpp:
            (WebCore::Document::requestFullScreenForElement):

2012-11-12  Lucas Forschler  <lforschler@apple.com>

        Merge r130855

    2012-10-09  Philip Rogers  <pdr@google.com>

            Recursively detach SVGElementInstances
            https://bugs.webkit.org/show_bug.cgi?id=98851

            Reviewed by Ryosuke Niwa and Abhishek Arya

            Before this patch, SVGElementInstance child nodes were not being detached. This
            patch makes detach() recursively detach SVGElementInstances.

            * svg/SVGElementInstance.cpp:
            (WebCore::SVGElementInstance::detach):

2012-11-12  Lucas Forschler  <lforschler@apple.com>

        Merge r129796

    2012-09-27  Philip Rogers  <pdr@google.com>

            Rewrite multithreaded filter job dispatching
            https://bugs.webkit.org/show_bug.cgi?id=97500

            Reviewed by Dean Jackson.

            This patch solves the problem of splitting up images into subregions for multithreaded
            filters. This fixes the way we partition the image array into equal-sized chunks.
            If we have an array of length N and want to split it into K chunks, we calculate:
              int jobSize = N / K; // integer division, so this is floored
              int jobSizeExtra = N % K; // modulus produces the remainder
            We then split the array into jobSizeExtra number of jobs with size jobSize + 1
            and (K - jobSizeExtra) number of jobs with size jobSize. This pattern
            is used in each of the 5 filters in this patch.

            This patch primarily fixes an error in FEMorphology::platformApply where
            the image array was partitioned into (1 + (N / K)) pieces with the last job
            taking the remainder. Unfortunately, this can cause overruns in the 2nd-to-last job.
            Consider N = 2373 and K = 64 jobs. Job 0 would take indices 0...38, job 1 would take
            38...76, etc. Unfortunately the 62nd job takes 2356...2394 which overruns.

            To prevent similar issues elsewhere this patch updates all of the filters
            to use the same pattern as FEMorphology.

            Test: svg/filters/feMorphology-crash.html

            * platform/graphics/filters/FEConvolveMatrix.cpp:
            (WebCore::FEConvolveMatrix::platformApplySoftware):
            * platform/graphics/filters/FEGaussianBlur.cpp:
            (WebCore::FEGaussianBlur::platformApply):
            * platform/graphics/filters/FELighting.cpp:
            (WebCore::FELighting::platformApplyGeneric):
            * platform/graphics/filters/FEMorphology.cpp:
            (WebCore::FEMorphology::platformApply):

                Some special care is taken for Gaussian Blur because there is an
                extraHeight parameter for sampling outside the image's dimensions.
                This means we use the same partitioning algorithm but add
                extraHeight padding on the lower and upper bounds.

            * platform/graphics/filters/FETurbulence.cpp:
            (WebCore::FETurbulence::platformApplySoftware):
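
Added example, not code from the WebKit source: the two partitioning schemes described in the entry above, run on its own N = 2373, K = 64 case to show which job leaves the array. The fixed-stride function is a model reconstructed from the entry's description; JobRange and all function names are chosen for this sketch.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Half-open index range [start, end) handed to one filter job.
struct JobRange {
    int start;
    int end;
};

// Model of the flawed scheme as the entry describes it: every job but the
// last gets 1 + n / k elements and the last job is left with "the remainder".
// Nothing clamps a job's end to n.
std::vector<JobRange> partitionFixedStride(int n, int k)
{
    std::vector<JobRange> jobs;
    if (n < 0 || k <= 0)
        return jobs;
    const int stride = 1 + n / k;
    for (int i = 0; i < k - 1; ++i) {
        JobRange r = { i * stride, (i + 1) * stride };
        jobs.push_back(r);
    }
    JobRange last = { (k - 1) * stride, n }; // may start beyond n
    jobs.push_back(last);
    return jobs;
}

// The pattern from the entry: jobSizeExtra jobs of size jobSize + 1,
// followed by (k - jobSizeExtra) jobs of size jobSize.
std::vector<JobRange> partitionBalanced(int n, int k)
{
    std::vector<JobRange> jobs;
    if (n < 0 || k <= 0)
        return jobs;
    const int jobSize = n / k;      // integer division, floored
    const int jobSizeExtra = n % k; // remainder spread over the first jobs
    int start = 0;
    for (int i = 0; i < k; ++i) {
        const int size = jobSize + (i < jobSizeExtra ? 1 : 0);
        JobRange r = { start, start + size };
        jobs.push_back(r);
        start += size;
    }
    return jobs;
}

// Index of the first job whose range is not inside [0, n] or has a negative
// length, or -1 when every job stays in bounds.
int firstOutOfBoundsJob(const std::vector<JobRange>& jobs, int n)
{
    for (std::size_t i = 0; i < jobs.size(); ++i) {
        if (jobs[i].start < 0 || jobs[i].end > n || jobs[i].start > jobs[i].end)
            return static_cast<int>(i);
    }
    return -1;
}

// True when the jobs tile [0, n) with no gap and no overlap.
bool coversExactly(const std::vector<JobRange>& jobs, int n)
{
    int expectedStart = 0;
    for (std::size_t i = 0; i < jobs.size(); ++i) {
        if (jobs[i].start != expectedStart || jobs[i].end < jobs[i].start)
            return false;
        expectedStart = jobs[i].end;
    }
    return expectedStart == n;
}

int main()
{
    const int n = 2373, k = 64; // values from the entry
    const std::vector<JobRange> flawed = partitionFixedStride(n, k);
    const std::vector<JobRange> balanced = partitionBalanced(n, k);
    const int bad = firstOutOfBoundsJob(flawed, n);
    std::printf("fixed stride: first out-of-bounds job = %d", bad);
    if (bad >= 0)
        std::printf(" [%d, %d) for n = %d", flawed[bad].start, flawed[bad].end, n);
    std::printf("\nbalanced: first out-of-bounds job = %d, tiles array = %s\n",
                firstOutOfBoundsJob(balanced, n),
                coversExactly(balanced, n) ? "yes" : "no");
    return 0;
}
```

The fixed-stride scheme is input-dependent: for n = 100, k = 4 it stays in bounds, which is how such a bug survives casual testing.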

2012-11-09  Lucas Forschler  <lforschler@apple.com>

        Merge r132427

    2012-10-24  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=100169
            We should make TileCache tiles the size of the tile coverage rect 
            when we can't do fast scrolling
            -and-
            <rdar://problem/12505021>

            Reviewed by Simon Fraser.

            Some websites that don't do fast scrolling still scroll slower than 
            they do with tiled drawing disabled. 
            https://bugs.webkit.org/show_bug.cgi?id=99768 addressed some of this 
            performance problem, but there is still more ground to make up. This 
            patch addresses the remaining issue by making tiles the size of the 
            window when we can't do fast scrolling. 

            The constructor and create function no longer take a size parameter. 
            That's all fully controlled within TileCache now. m_tileSize is no 
            longer const.
            * platform/graphics/ca/mac/TileCache.h:

            Store the current default size as constants so that we can access it 
            in both the constructor and adjustTileSizeForCoverageRect().
            * platform/graphics/ca/mac/TileCache.mm:
            (WebCore::TileCache::TileCache):

            This new function will set m_tileSize to the size of the tile 
            coverage rect if the tile coverage is limited to the visible area. 
            Otherwise, the tiles are set to be the default size.
            (WebCore::TileCache::adjustTileSizeForCoverageRect):

            Call adjustTileSizeForCoverageRect().
            (WebCore::TileCache::revalidateTiles):

            No need to send in a size anymore.
            * platform/graphics/ca/mac/WebTileCacheLayer.h:
            (WebCore):

2012-11-09  Lucas Forschler  <lforschler@apple.com>

        Merge r131939

    2012-10-19  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=99768
            We should limit the tile cache coverage when a page can't take 
            advantage of fast tile scrolling anyway

            Reviewed by Simon Fraser.

            When sites can't use fast-scrolling, there is no need to inflate the 
            tile cache. In fact, we get a performance boost by keeping it small 
            on painting-intensive sites. 

            Instead of just looking at whether or not the FrameView 
            canHaveScrollbar(), consult 
            shouldUpdateScrollLayerPositionOnMainThread().
            * page/FrameView.cpp:
            (WebCore::FrameView::performPostLayoutTasks):
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::RenderLayerBacking):

            Expose shouldUpdateScrollLayerPositionOnMainThread().
            * page/scrolling/ScrollingCoordinator.cpp:
            (WebCore::ScrollingCoordinator::hasNonLayerFixedObjects):
            (WebCore::ScrollingCoordinator::shouldUpdateScrollLayerPositionOnMainThread):
            (WebCore):
            (WebCore::ScrollingCoordinator::updateShouldUpdateScrollLayerPositionOnMainThread):
            * page/scrolling/ScrollingCoordinator.h:
            (ScrollingCoordinator):

            Bug fix. Should be bitwise and.
            * platform/graphics/ca/mac/TileCache.mm:
            (WebCore::TileCache::tileCoverageRect):

2012-11-09  Lucas Forschler  <lforschler@apple.com>

        Merge r130236

    2012-10-02  Simon Fraser  <simon.fraser@apple.com>

            Make TiledBacking slightly less aware of scrolling
            https://bugs.webkit.org/show_bug.cgi?id=98216

            Reviewed by Anders Carlsson.

            TiledBacking shouldn't really care about there being scrollbars;
            recast this in terms of "tile coverage", described by a bitfield
            that has flags for coverage optimized for horizontal and vertical
            scrolling. This allows for additional tile coverage behaviors later.

            * page/FrameView.cpp:
            (WebCore::FrameView::performPostLayoutTasks):
            * platform/graphics/TiledBacking.h:
            * platform/graphics/ca/mac/TileCache.h:
            * platform/graphics/ca/mac/TileCache.mm:
            (WebCore::TileCache::TileCache): Initialize m_isInWindow to false to
            be more conservative. It gets explicitly set by the only caller now, so this is
            not a behavior change.
            (WebCore::TileCache::setIsInWindow):
            (WebCore::TileCache::setTileCoverage):
            (WebCore::TileCache::tileCoverageRect):
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::RenderLayerBacking):

2012-11-09  Lucas Forschler  <lforschler@apple.com>

        Merge r126251.
        
    2012-08-21  Julien Chaffraix  <jchaffraix@webkit.org>
    
            Crash in RenderTableSection::setCellLogicalWidths
            https://bugs.webkit.org/show_bug.cgi?id=94291
    
            Reviewed by Abhishek Arya.
    
            This issue was that splitAnonymousBoxesAroundChild would move a table section
            into a newly created table *without* marking it as needing cell recalc. The table
            would thus never build its structure to match its sections. The fix is to hop on
            the new willBeRemovedFromTree signal so that the section invalidates itself properly.
    
            Test: fast/table/crash-split-table-section-no-cell-recalc.html
    
            * rendering/RenderTableSection.cpp:
            (WebCore::RenderTableSection::willBeRemovedFromTree):
            * rendering/RenderTableSection.h:
            Replaced willBeDestroyed by willBeRemovedFromTree in RenderTableSection. This ensures that it is called
            when moving sections in the tree to mark them as needing cell recalc.

2012-11-09  Lucas Forschler  <lforschler@apple.com>

        Merge r126048.
        Prerequisite for <rdar://problem/12536470>

    2012-08-20  Julien Chaffraix  <jchaffraix@webkit.org>

            Introduce a will-be-removed-from-tree notification in RenderObject
            https://bugs.webkit.org/show_bug.cgi?id=94271

            Reviewed by Abhishek Arya.

            Following bug 93874, we have an insertion notification. This change adds the
            matching removal notification (willBeRemovedFromTree).

            Refactoring covered by existing tests.

            * rendering/RenderObjectChildList.cpp:
            (WebCore::RenderObjectChildList::removeChildNode):
            Removed the code from here and moved it below.

            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::willBeRemovedFromTree):
            * rendering/RenderObject.h:
            This is the base function that should be called by every instance.

            * rendering/RenderListItem.cpp:
            (WebCore::RenderListItem::willBeRemovedFromTree):
            * rendering/RenderListItem.h:
            * rendering/RenderQuote.cpp:
            (WebCore::RenderQuote::willBeRemovedFromTree):
            * rendering/RenderQuote.h:
            * rendering/RenderRegion.cpp:
            (WebCore::RenderRegion::willBeRemovedFromTree):
            * rendering/RenderRegion.h:
            Overridden functions.
        
2012-11-09  Lucas Forschler  <lforschler@apple.com>

        Merge r125737.
        Prerequisite for <rdar://problem/12536470>

    2012-08-15  Julien Chaffraix  <jchaffraix@webkit.org> 

            Add a was-inserted-into-tree notification to RenderObject 
            https://bugs.webkit.org/show_bug.cgi?id=93874 

            Reviewed by Eric Seidel. 

            This change adds insertedIntoTree to RenderObject so that renderers 
            can now do their post-insertion task inside this function. 

            Our current architecture has 2 ways of doing post-insertion tasks: 
            - overriding RenderObject::addChild 
            - RenderObjectChildList::insertChildNode / appendChildNode 

            Because the former is not guaranteed to be called for each insertion 
            (on top of being called on the parent and not the inserted child), the 
            2 latter functions are the ones that have been mostly used recently. This 
            led to code duplication between the functions but also doesn't scale as 
            other renderers need to hop on this notification and currently don't (for 
            example, table parts). The other renderer's migration will be done in 
            follow-up patches. 

            Refactoring covered by existing tests. 

            * rendering/RenderObjectChildList.cpp: 
            (WebCore::RenderObjectChildList::removeChildNode): 
            * rendering/RenderObject.cpp: 
            (WebCore::RenderObject::enclosingRenderNamedFlowThread): 
            Moved the code from renderNamedFlowThreadContainer to RenderObject::enclosingRenderNamedFlowThread. 
            This is needed as now 2 classes need to access the function. 

            * rendering/RenderObjectChildList.cpp: 
            (WebCore::RenderObjectChildList::appendChildNode): 
            (WebCore::RenderObjectChildList::insertChildNode): 
            Moved the code duplicated from those 2 functions into 
            the instances of insertedIntoTree below. 

            * rendering/RenderObject.cpp: 
            (WebCore::RenderObject::insertedIntoTree): 
            Base function that needs to be called from all the other 
            specialized functions below. 

            * rendering/RenderListItem.cpp: 
            (WebCore::RenderListItem::insertedIntoTree): 
            * rendering/RenderListItem.h: 
            * rendering/RenderObject.h: 
            * rendering/RenderObjectChildList.h: 
            * rendering/RenderRegion.cpp: 
            (WebCore::RenderRegion::insertedIntoTree): 
            * rendering/RenderRegion.h: 
            Added the overridden insertedIntoTree function. 

            * rendering/RenderQuote.h: 
            Moved the comment from RenderObjectChildList about RenderQuote here.
             
2012-11-09  Lucas Forschler  <lforschler@apple.com>

        Merge r125635

    2012-08-14  Ojan Vafai  <ojan@chromium.org>

            Fix access to m_markupBox in WebCore::EllipsisBox::paint
            https://bugs.webkit.org/show_bug.cgi?id=91138

            Reviewed by Abhishek Arya.

            EllipsisBox would hold on to m_markupBox, which would then get destroyed during
            the followup layoutIfNeeded in layoutVerticalBox. Instead, have EllipsisBox
            dynamically grab the pointer to the markup box during paint since there's no
            straightforward way to notify the EllipsisBox that the markupBox has been destroyed
            and/or point it at the new markupBox.

            Test: fast/overflow/line-clamp-and-columns.html

            * rendering/EllipsisBox.cpp:
            (WebCore::EllipsisBox::paint):
            (WebCore):
            (WebCore::EllipsisBox::paintMarkupBox):
            * rendering/EllipsisBox.h:
            (WebCore::EllipsisBox::EllipsisBox):
            Just store a boolean that we have a markup box that needs painting.
            * rendering/RenderDeprecatedFlexibleBox.cpp:
            (WebCore::RenderDeprecatedFlexibleBox::applyLineClamp):
            Clearing the override size right after setting it was incorrect because
            there are cases where we'll do a followup layout in layoutVerticalBox, at which
            point we'll still need the override size.
            (WebCore::RenderDeprecatedFlexibleBox::clearLineClamp):
            Clear the override size here to handle cases where line clamp is removed since
            we don't call applyLineClamp in those cases.

2012-11-08  Lucas Forschler  <lforschler@apple.com>

        Merge r125597

    2012-08-13  Adrienne Walker  <enne@google.com>

            REGRESSION (r109851): Video controls do not render
            https://bugs.webkit.org/show_bug.cgi?id=93859

            Reviewed by Simon Fraser.

            Because video layers can't act as an ancestor composited layer whose
            backing can be shared by child layers, any child layer of a video
            layer needs to be put into its own composited layer. Because this is
            technically overlap, the "overlap" indirect compositing reason is
            reused for this case.

            Test: compositing/video/video-controls-layer-creation.html

            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::computeCompositingRequirements):

2012-11-07  Lucas Forschler  <lforschler@apple.com>

        Merge r129652

    2012-09-26  Brady Eidson  <beidson@apple.com>

            (Threaded scrolling) WebKit not scrolling to the correct location upon going back on macsurfer.com
            <rdar://problem/12039913> and https://bugs.webkit.org/show_bug.cgi?id=97617

            Reviewed by Anders Carlsson.

            In the asynchronous land of threaded scrolling we lose the information about whether or not a scroll
            is programmatic.

            This caused all scrolls to be treated as user scrolls and to generate scroll events.

            We can fix this by passing the programmatic bit to the scrolling thread and re-applying it back in the main thread.

            Unable to test threaded scrolling at this time.

            Include the "Is programmatic scroll" bit in the scroll state:
            * page/scrolling/ScrollingTreeState.cpp:
            (WebCore::ScrollingTreeState::ScrollingTreeState):
            (WebCore::ScrollingTreeState::setRequestedScrollPosition): Also set whether or not this represents a programmatic scroll.
            * page/scrolling/ScrollingTreeState.h:
            (ScrollingTreeState):
            (WebCore::ScrollingTreeState::requestedScrollPositionRepresentsProgrammaticScroll):

            Pass that bit back to the ScrollingCoordinator:
            * page/scrolling/ScrollingTree.cpp:
            (WebCore::ScrollingTree::ScrollingTree):
            (WebCore::ScrollingTree::commitNewTreeState):
            (WebCore::ScrollingTree::updateMainFrameScrollPosition):
            * page/scrolling/ScrollingTree.h:

            * page/scrolling/ScrollingCoordinator.cpp:
            (WebCore::ScrollingCoordinator::requestScrollPositionUpdate): Pass the "is programmatic scroll" bit to the scrolling thread.
            (WebCore::ScrollingCoordinator::updateMainFrameScrollPosition): Reset the "is programmatic scroll" bit on the FrameView.
            * page/scrolling/ScrollingCoordinator.h:
            (ScrollingCoordinator):

            * page/FrameView.h:
            (FrameView):
            (WebCore::FrameView::inProgrammaticScroll): Expose setter/getters for the programmatic scroll flag.
            (WebCore::FrameView::setInProgrammaticScroll):

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r129469

    2012-09-25  MORITA Hajime  <morrita@google.com>

            adoptNode() shouldn't reset ownerDocument if the source node failed to remove itself
            https://bugs.webkit.org/show_bug.cgi?id=97527

            Reviewed by Ryosuke Niwa.

            Document::adoptNode() overlooked an error which can happen in Node::removeChild(),
            which results in an assertion failure. This change adds an error check for that code path.

            Test: fast/dom/adopt-node-prevented.html

            * dom/Document.cpp:
            (WebCore::Document::adoptNode):

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r129270

    2012-09-21  Jeremy Apthorp  <jeremya@chromium.org>

            Crash in WebCore::Document::fullScreenChangeDelayTimerFired
            https://bugs.webkit.org/show_bug.cgi?id=97367

            Reviewed by Abhishek Arya.

            The document could be destroyed during the processing of the
            fullscreenchange event, if the document was destroyed as a result of
            one of the dispatchEvent calls.

            This bug isn't reliably reproducible, so no new tests.

            * dom/Document.cpp:
            (WebCore::Document::fullScreenChangeDelayTimerFired):

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r128964

    2012-09-18  Eric Carlson  <eric.carlson@apple.com>

            Check settings before registering AVFoundation media engine.
            https://bugs.webkit.org/show_bug.cgi?id=97048
            <rdar://problem/12313594>

            Reviewed by Dan Bernstein.

            Fix the bug introduced in r122676.

            * platform/graphics/MediaPlayer.cpp:
            (WebCore::installedMediaEngines): Uncomment the call to check AVFoundation settings.

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r128654

    2012-09-14  Tom Sepez  <tsepez@chromium.org>

            ImageLoader can't be cleared when video element poster attribute removed.
            https://bugs.webkit.org/show_bug.cgi?id=96301

            Reviewed by Abhishek Arya.

            Same problem as in https://bugs.webkit.org/show_bug.cgi?id=90801. We can't
            clear the image loader when the src attribute is cleared, because we might be
            inside a handler called on top of an image loader event dispatch. Instead we
            will rely on the OwnPtr relationship between the Element and the Image Loader
            to limit the lifetime of the loader to that of the element.

            Test: fast/dom/beforeload/clear-video-poster-in-beforeload-listener.html

            * html/HTMLVideoElement.cpp:
            (WebCore::HTMLVideoElement::parseAttribute):
            Remove premature clearing of m_imageLoader.
            * html/HTMLEmbedElement.cpp:
            (WebCore::HTMLEmbedElement::parseAttribute):
            Remove premature clearing of m_imageLoader.
            * html/HTMLObjectElement.cpp:
            (WebCore::HTMLObjectElement::parseAttribute):
            Remove premature clearing of m_imageLoader.

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r127082

    2012-08-29  Michael Saboff  <msaboff@apple.com>

            use after free in WebCore::FileReader::doAbort
            https://bugs.webkit.org/show_bug.cgi?id=91004

            Reviewed by Jian Li.

            Added check in FileReader::abort to not process the abort if we aren't in the LOADING
            state.  This is per the FileAPI spec section 8.5.6 step #1.

            Tests: fast/files/file-reader-immediate-abort.html
                   fast/files/file-reader-done-reading-abort.html

            * fileapi/FileReader.cpp:
            (WebCore::FileReader::abort):

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r126657

    2012-08-24  Florin Malita  <fmalita@chromium.org>

            ASSERTION FAILED: !attached() in WebCore::Node::attach()
            https://bugs.webkit.org/show_bug.cgi?id=94650

            Reviewed by Abhishek Arya.

            Prevent SVGTests::handleAttributeChange() from attaching elements with detached parents.

            Test: svg/custom/system-language-crash.html

            * svg/SVGTests.cpp:
            (WebCore::SVGTests::handleAttributeChange):

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r126205

    2012-08-21  Florin Malita  <fmalita@chromium.org>

            ASSERT triggered in SVGTRefTargetEventListener::handleEvent()
            https://bugs.webkit.org/show_bug.cgi?id=94487

            Reviewed by Nikolas Zimmermann.

            The current way of tracking tref target elements by id can leave stale event listeners
            under certain circumstances. This patch switches to storing a target RefPtr instead
            to avoid an id lookup which may not return the original/attached element.

            Test: svg/custom/tref-stale-listener-crash.html

            * svg/SVGTRefElement.cpp:
            (SVGTRefTargetEventListener):
            (WebCore::SVGTRefTargetEventListener::isAttached): use m_target instead of an explicit bool.
            (WebCore::SVGTRefTargetEventListener::SVGTRefTargetEventListener):
            (WebCore::SVGTRefTargetEventListener::attach): save a target RefPtr instead of an id.
            (WebCore::SVGTRefTargetEventListener::detach): detach the target element directly without
            going through a lookup.
            (WebCore::SVGTRefTargetEventListener::handleEvent):
            (WebCore::SVGTRefElement::updateReferencedText): use an explicit target pointer instead of
            the id-based lookup.
            (WebCore::SVGTRefElement::buildPendingResource):
            * svg/SVGTRefElement.h:
            (SVGTRefElement):

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r126131

    2012-08-20  MORITA Hajime  <morrita@google.com>

            load event shouldn't be fired during node insertion traversals.
            https://bugs.webkit.org/show_bug.cgi?id=94447

            Reviewed by Ryosuke Niwa.

            HTMLFrameElementBase::didNotifyDescendantInsertions() with empty @src
            can trigger a load event during ChildNodeInsertionNotifier
            traversal, whose handler can make DOM tree state inconsistent.

            This change introduces a post traversal hook,
            didNotifySubtreeInsertions(), for the insertion traversal and
            replaces the problematic didNotifyDescendantInsertions() with it.

            Since didNotifySubtreeInsertions() is invoked after the traversal,
            it is safe for event handlers to mutate the tree.

            Test: fast/frames/iframe-onload-and-domnodeinserted.html

            * dom/ContainerNodeAlgorithms.h:
            (ChildNodeInsertionNotifier): Added a post subtree notification.
            (WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument):
            (WebCore::ChildNodeInsertionNotifier::notify):
            * dom/Node.h:
            (WebCore::Node::didNotifySubtreeInsertions): Newly added.
            * html/HTMLFrameElementBase.cpp:
            (WebCore::HTMLFrameElementBase::insertedInto): Now returns InsertionShouldCallDidNotifySubtreeInsertions
            (WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions): Replaced didNotifyDescendantInsertions()
            * html/HTMLFrameElementBase.h:
            (HTMLFrameElementBase):

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r125988

    2012-08-19  MORITA Hajime  <morrita@google.com>

            DOM mutation against including <link> shouldn't trigger pending HTML parser.
            https://bugs.webkit.org/show_bug.cgi?id=93641

            Reviewed by Ryosuke Niwa.

            HTMLLinkElement::removedFrom() invoked Document::removePendingSheet(), which can trigger
            HTMLParser that can mutate DOM tree. DOM mutation reentrancy like this is problematic and
            should be prohibited.

            This change adds a variation of Document::removePendingSheet() which postpones the notification
            which triggers DOM mutation, and flushes such pending notifications at the end of ongoing mutation.

            Test: http/tests/loading/remove-child-triggers-parser.html

            * dom/ContainerNodeAlgorithms.h:
            (WebCore::ChildNodeRemovalNotifier::notify): Flushed pending notifications at the end.
            * dom/Document.cpp:
            (WebCore::Document::Document):
            (WebCore::Document::removePendingSheet): Added RemovePendingSheetNotificationType parameter.
            (WebCore):
            (WebCore::Document::didRemoveAllPendingStylesheet): Extracted from removePendingSheet()
            * dom/Document.h:
            (Document):
            (WebCore::Document::setNeedsNotifyRemoveAllPendingStylesheet): A flag setter.
            (WebCore::Document::notifyRemovePendingSheetIfNeeded):
            (WebCore):
            * html/HTMLLinkElement.cpp:
            (WebCore::HTMLLinkElement::removedFrom): Switched to use "notification later" version of removePendingSheet()
            (WebCore::HTMLLinkElement::removePendingSheet): Added RemovePendingSheetNotificationType parameter.
            * html/HTMLLinkElement.h:

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r125631

    2012-08-14  Chris Evans  <cevans@google.com>

            Handle the XPath / (root) operator correctly for nodes that aren't attached to the document.
            https://bugs.webkit.org/show_bug.cgi?id=36427

            Reviewed by Abhishek Arya.

            We now behave the same as Firefox 14.
            The consensus seems to be that the XPath spec is ambiguous for the case of detached nodes, and that using the fragment root is more intuitive than the document root for the case of detached nodes.
            For example, http://www.w3.org/TR/xpath/ section 2 "Location Paths" is only clear for attached nodes: "A / by itself selects the root node of the document containing the context node. If it is followed by a relative location path, then the location path selects the set of nodes that would be selected by the relative location path relative to the root node of the document containing the context node."

            Test: fast/xpath/xpath-detached-nodes.html

            * xml/XPathPath.cpp:
            (WebCore::XPath::LocationPath::evaluate): Jump to the root of the detached subtree instead of the parent document if the node isn't attached to the document.

2012-11-06  Lucas Forschler  <lforschler@apple.com>

        Merge r125503

    2012-08-13  Douglas Stockwell  <dstockwell@chromium.org>

            Crash in WebCore::RenderBlock::LineBreaker::nextLineBreak
            https://bugs.webkit.org/show_bug.cgi?id=93806

            Reviewed by Abhishek Arya.

            When looking for line breaks on the first line, existing code was
            checking for text-combine only in the first-line style. Since
            text-combine isn't inherited this resulted in a line break being
            chosen before combineText was called. When this happened and then
            combineText was called subsequently, the position of the line break
            iterator would be invalid.

            This patch changes the check to use the regular style as in
            skipLeadingWhitespace and textWidth.

            Test: fast/text/text-combine-first-line-crash.html

            * rendering/RenderBlockLineLayout.cpp:
            (WebCore::RenderBlock::LineBreaker::nextLineBreak): Don't use the
            first-line style when checking text-combine.

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r125353

    2012-08-11  Abhishek Arya  <inferno@chromium.org>

            Unreviewed. 

            Removing newly added assert in r125351 since it is exposing
            legitimate layout bugs in a few tests. We will re-add the assert
            after fixing those bugs. Failures are tracked in webkit bug 93766. 

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::removeFromTrackedRendererMaps):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r125351

    2012-08-11  Levi Weintraub  <leviw@chromium.org>

            Track block's positioned objects like percent-height descendants
            https://bugs.webkit.org/show_bug.cgi?id=89848

            Reviewed by Abhishek Arya.

            The previous method for tracking a RenderBlock's out-of-flow positioned descendants was error prone,
            subject to becoming inconsistent, and in the case of removePositionedObjects, inefficient. This patch 
            extracts the algorithm used for percent height descendants and re-uses it for positioned objects. This same
            method could further be re-used for floats.

            This change removes the m_positionedObjects pointer, which brings RenderBlock's size down (yay!).

            Test: fast/block/positioning/relayout-nested-positioned-elements-crash-2.html

            * rendering/RenderBlock.cpp:
            (SameSizeAsRenderBlock):
            (WebCore):
            (WebCore::removeBlockFromDescendantAndContainerMaps):
            (WebCore::RenderBlock::~RenderBlock):
            (WebCore::RenderBlock::addOverflowFromPositionedObjects):
            (WebCore::RenderBlock::layoutBlockChildren):
            (WebCore::RenderBlock::layoutPositionedObjects):
            (WebCore::RenderBlock::markPositionedObjectsForLayout):
            (WebCore::clipOutPositionedObjects):
            (WebCore::RenderBlock::selectionGaps):
            (WebCore::RenderBlock::insertIntoTrackedRendererMaps):
            (WebCore::RenderBlock::removeFromTrackedRendererMaps):
            (WebCore::RenderBlock::positionedObjects):
            (WebCore::RenderBlock::insertPositionedObject):
            (WebCore::RenderBlock::removePositionedObject):
            (WebCore::RenderBlock::removePositionedObjects):
            (WebCore::RenderBlock::addPercentHeightDescendant):
            (WebCore::RenderBlock::removePercentHeightDescendant):
            (WebCore::RenderBlock::percentHeightDescendants):
            (WebCore::RenderBlock::checkPositionedObjectsNeedLayout):
            * rendering/RenderBlock.h:
            (WebCore):
            (RenderBlock):
            (WebCore::RenderBlock::hasPositionedObjects):
            * rendering/RenderBox.cpp:
            (WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists):
            * rendering/RenderBoxModelObject.cpp:
            (WebCore::RenderBoxModelObject::moveChildTo): Changing the fixme to reflect the assumption that the caller
            has taken care of updating the positioned renderer maps is a decision not a bug. The ASSERT should help
            assure this.
            * rendering/RenderTableSection.cpp:
            (WebCore::RenderTableSection::layoutRows):
            * rendering/RenderView.cpp:
            (WebCore::RenderView::setFixedPositionedObjectsNeedLayout):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r125315

    2012-08-10  Abhishek Arya  <inferno@chromium.org>

            Crash on accessing a removed layout root in FrameView::scheduleRelayout.
            https://bugs.webkit.org/show_bug.cgi?id=91368

            Reviewed by Levi Weintraub.

            We were calling setNeedsLayoutAndPrefWidthsRecalc() in RenderBlock::collapseAnonymousBoxChild
            even when documentBeingDestroyed() was true. This ends up accessing stale layout root and bypasses
            mitigation added in r109406. There is no need to waste time merging up anonymous blocks in
            RenderBlock::removeChild when documentBeingDestroyed() is true.

            No new tests. The test is time sensitive, requires a bunch of reloads, and only reproduces on chromium linux.

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::collapseAnonymousBoxChild):
            (WebCore::RenderBlock::removeChild):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r125237

    2012-08-09  MORITA Hajime  <morrita@google.com>

            https://bugs.webkit.org/show_bug.cgi?id=93587
            Node::replaceChild() can create bad DOM topology with MutationEvent, Part 2

            Reviewed by Kent Tamura.

            This is a followup of r124156. replaceChild() has yet another hidden
            MutationEvent trigger. This change added a guard for it.

            Test: fast/events/mutation-during-replace-child-2.html

            * dom/ContainerNode.cpp:
            (WebCore::ContainerNode::replaceChild):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r125234

    2012-08-09  Julien Chaffraix  <jchaffraix@webkit.org>

            Crash in WebCore::RenderTable::cellBefore
            https://bugs.webkit.org/show_bug.cgi?id=91160

            Reviewed by Abhishek Arya.

            The issue was that we wouldn't properly set the row index on row in a newly split table. When inserting
            the cell into the new row, we would try to repaint the cell which would access the row index and crash.
            This came from splitAnonymousBoxesAroundChild calling RenderObjectChildList::insertChildNode directly
            which doesn't invoke the row setting logic (RenderTableSection::addChild for example but we cannot call
            addChild due to concern over splitting flows in the general case).

            Test: fast/table/split-anonymous-boxes-around-table-repaint-crash.html

            * rendering/RenderBox.cpp:
            (WebCore::RenderBox::splitAnonymousBoxesAroundChild):
            Dirty our parent box, which forces a cell recomputation which will set the row index. This needs to
            be done *before* we insert the child to avoid crashing when repainting the new child.

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r125162

    2012-08-09  MORITA Hajime  <morrita@google.com>

            DOMCharacterDataModified should not be fired inside shadows
            https://bugs.webkit.org/show_bug.cgi?id=93427

            Reviewed by Ryosuke Niwa.

            CharacterData::dispatchModifiedEvent() fires DOMCharacterDataModified event even if
            the node is in shadow. But it shouldn't. Check dispatchChildInsertionEvents() and
            dispatchChildRemovalEvents() to see how other MutationEvents are suppressed behind shadows.
            This change follows the same path to suppress DOMCharacterDataModified.

            Tests: fast/dom/shadow/suppress-mutation-events-in-shadow-characterdata.html
                   fast/forms/textarea-and-mutation-events-appending-text.html

            * dom/CharacterData.cpp:
            (WebCore::CharacterData::dispatchModifiedEvent):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r125147

    2012-08-08  MORITA Hajime  <morrita@google.com>

            [SVG] load events shouldn't be fired during Node::insertedInto()
            https://bugs.webkit.org/show_bug.cgi?id=92969

            Reviewed by Ryosuke Niwa.

            Event dispatches during insertedInto() allow event handlers to
            break DOM tree consistency. This change makes them async for load
            events which are dispatched during insertedInto() call. This
            prevents event handlers from breaking tree consistency during the
            notification traversal.

            Test: svg/custom/loadevents-async.html

            * svg/SVGElement.cpp:
            (WebCore::SVGElement::sendSVGLoadEventIfPossibleAsynchronously): Added.
            (WebCore):
            (WebCore::SVGElement::svgLoadEventTimerFired): Added.
            (WebCore::SVGElement::svgLoadEventTimer):
            - Added a stub. Implemented in SVGScriptElement, SVGStopElement, SVGUseElement
              where the load event happens.
            * svg/SVGElement.h:
            (SVGElement):
            * svg/SVGExternalResourcesRequired.cpp:
            (WebCore::SVGExternalResourcesRequired::insertedIntoDocument):
            - Replaces event dispatch call with async version.
            * svg/SVGScriptElement.h:
            * svg/SVGStyleElement.h:
            * svg/SVGUseElement.h:

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r125091

    2012-08-08  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=92275
            Need a way to get a snapshot image that does not show the selection
            -and corresponding-
            <rdar://problem/11956802>

            Reviewed by Anders Carlsson.

            New function FrameView::paintContentsForSnapshot() has the option to 
            exclude selection from the snapshot.

            Export new function
            * WebCore.exp.in:

            Clear the selection from the RenderView when selection is to be excluded. Restore 
            all of this information via FrameSelection::updateAppearance() after calling 
            paintContents().
            * page/FrameView.cpp:
            (WebCore::FrameView::paintContentsForSnapshot):
            (WebCore):
            * page/FrameView.h:

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r125052

    2012-08-08  Tom Sepez  <tsepez@chromium.org>

            Video element image loader must persist after element detach.  
            https://bugs.webkit.org/show_bug.cgi?id=90801

            Reviewed by Eric Carlson.

            We rely on the OwnPtr in the element to cleanup the loader.     

            Test: fast/dom/beforeload/remove-video-poster-in-beforeload-listener.html

            * html/HTMLVideoElement.cpp:
            (WebCore):
            * html/HTMLVideoElement.h:
            (HTMLVideoElement):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r124924

    2012-08-07  Anders Carlsson  <andersca@apple.com>

            Knob slot animation is flipped
            https://bugs.webkit.org/show_bug.cgi?id=93396

            Reviewed by Beth Dakin.

            When painting the scrollbar knob slot, use rectForPart: since it correctly takes the expansion transition state into account.

            * platform/mac/ScrollbarThemeMac.mm:
            (WebCore::scrollbarPainterPaint):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r124919

    2012-08-07  Adrienne Walker  <enne@google.com>

            50% fixed position coverage slow scroll heuristic is incorrect when invalidations aren't clipped
            https://bugs.webkit.org/show_bug.cgi?id=92011

            Reviewed by Simon Fraser.

            The heuristic in scrollContentsFastPath to slow scroll by invalidating
            the entire frame if fixed position elements cover 50% of the frame
            takes away the ability of ports to make their own decisions about how
            to best handle invalidations. Therefore, remove this heuristic.

            * page/FrameView.cpp:
            (WebCore::FrameView::scrollContentsFastPath):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r124914

    2012-08-07  Abhishek Arya  <inferno@chromium.org>

            Crash in ContainerNode::cloneChildNodes.
            https://bugs.webkit.org/show_bug.cgi?id=93378

            Reviewed by Levi Weintraub.

            Re-enabling the editing delete button controller in cloneChildNode was causing style changes,
            thereby causing load events to fire. The load event can blow our nodes from underneath. This causes
            crashes when we are nested inside cloneChildNodes. The patch just skips the delete button controller's
            container element from being cloned and removes the hacky enable/disable logic. 

            Test: fast/dom/clone-node-load-event-crash.html

            * dom/ContainerNode.cpp:
            (WebCore::ContainerNode::cloneChildNodes):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r124888

    2012-08-07  Abhishek Arya  <inferno@chromium.org>

            Crash in InlineFlowBox::deleteLine.
            https://bugs.webkit.org/show_bug.cgi?id=88795

            Reviewed by Tony Chang.

            When we move the fullscreen object from its parent to RenderFullScreen, we forgot to clear the
            line box tree underneath the object's containing block and mark it for layout. Before the patch,
            the containing block never got laid out and maintained references to removed line boxes (since the
            object moved under RenderFullScreen did get laid out and its lineboxes replaced with new ones).

            Test: fullscreen/full-screen-line-boxes-crash.html

            * rendering/RenderFullScreen.cpp:
            (RenderFullScreen::wrapRenderer):

2012-11-05  Lucas Forschler  <lforschler@apple.com>

        Merge r124843

    2012-08-06  Shinya Kawanaka  <shinyak@chromium.org>

            Crash in GenericEventQueue::timerFired since the owner of GenericEventQueue is deleted during dispatching events.
            https://bugs.webkit.org/show_bug.cgi?id=92946

            Reviewed by Eric Carlson.

            In GenericEventQueue::timerFired(), the owner of GenericEventQueue might be deleted.
            We have to protect the owner of GenericEventQueue during dispatching events.

            Test: media/event-queue-crash.html

            * dom/GenericEventQueue.cpp:
            (WebCore::GenericEventQueue::timerFired): Added a protection.

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124776

    2012-08-06  Abhishek Arya  <inferno@chromium.org>

            Crash in FrameLoader::stopAllLoaders.
            https://bugs.webkit.org/show_bug.cgi?id=90805

            Reviewed by Nate Chapin.

            Calling m_provisionalDocumentLoader->stopLoading() can blow away the frame
            from underneath. Protect it with a RefPtr.

            No new tests. We don't have a reliable testcase to reproduce this. However,
            the crash and free stack from ClusterFuzz point clearly at the bug.

            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::stopAllLoaders):

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124733

    2012-08-05  Philip Rogers  <pdr@google.com>

            Fix assertion during detach of SVG wrappers without baseVal
            https://bugs.webkit.org/show_bug.cgi?id=93063

            Reviewed by Nikolas Zimmermann.

            r131583 introduced a change where SVGAnimatedListPropertyTearOff required
            a baseVal to be set before detaching wrappers. This caused an assertion
            to be hit if no baseVal was set.
            This patch changes this behavior so that wrappers are detached even if
            no baseVal is set.

            Test: svg/animations/dynamic-modify-transform-without-baseval.html

            * svg/properties/SVGAnimatedListPropertyTearOff.h:
            (WebCore::SVGAnimatedListPropertyTearOff::detachListWrappers):
            * svg/properties/SVGListProperty.h:
            (WebCore::SVGListProperty::detachListWrappersAndResize): Extracted this static method for detaching wrappers without needing an SVGListProperty.
            (SVGListProperty):
            (WebCore::SVGListProperty::detachListWrappers):

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124681

    2012-08-03  Florin Malita  <fmalita@chromium.org>

            [SVG] Tref target event listener cleanup
            https://bugs.webkit.org/show_bug.cgi?id=93004

            Reviewed by Abhishek Arya.

            Currently SVGTRefElement allocates event listeners dynamically as it attaches to its
            targets. Synchronizing the lifetime of the target listener vs. the tref element is
            error prone, as various events can stack and trigger nested handlers.

            In order to reduce complexity and address a couple of outstanding issues, this patch
            changes the way event listeners are allocated: only one target listener is created
            for the lifetime of the SVGTRefElement, and gets reused if the target element changes.

            Test: svg/custom/tref-nested-events-crash.svg

            * dom/EventListener.h:
            Added new <tref> target event listener type.
            * svg/SVGTRefElement.cpp:
            (WebCore):
            (WebCore::SVGTRefTargetEventListener::create):
            (WebCore::SVGTRefTargetEventListener::cast):
            (SVGTRefTargetEventListener):
            (WebCore::SVGTRefTargetEventListener::isAttached):
            (WebCore::SVGTRefTargetEventListener::SVGTRefTargetEventListener):
            (WebCore::SVGTRefTargetEventListener::attach):
            (WebCore::SVGTRefTargetEventListener::detach):
            (WebCore::SVGTRefTargetEventListener::operator==):
            (WebCore::SVGTRefTargetEventListener::handleEvent):
            No need to check m_trefElement anymore - the listener is allocated for the whole element
            lifetime, detached when the element is removed and deallocated when the element is
            destroyed.
            (WebCore::SVGTRefElement::SVGTRefElement):
            Allocate one target listener per element, at construction time.
            (WebCore::SVGTRefElement::~SVGTRefElement):
            Detach the listener if necessary.
            (WebCore::SVGTRefElement::detachTarget):
            Check whether the element is still in document after updating the text (may have been
            removed by event handlers).
            (WebCore::SVGTRefElement::buildPendingResource):
            Attach the event listener before updating the text content to avoid racing with event
            handlers (which can remove the element).
            (WebCore::SVGTRefElement::removedFrom):
            * svg/SVGTRefElement.h:
            (WebCore):
            (SVGTRefElement):

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124654

    2012-08-03  Dan Bernstein  <mitz@apple.com>

            <rdar://problem/12005188> REGRESSION (Safari 5.1 - 6): Cannot correctly display Traditional Mongolian Script
            https://bugs.webkit.org/show_bug.cgi?id=92864

            Reviewed by Sam Weinig.

            Test: platform/mac/fast/text/combining-character-sequence-vertical.html

            * platform/graphics/SimpleFontData.cpp:
            (WebCore::SimpleFontData::glyphForCharacter): Added this helper function.
            * platform/graphics/SimpleFontData.h:
            (SimpleFontData): Declared glyphDataForCharacter.
            * platform/graphics/mac/FontComplexTextMac.cpp:
            (WebCore::Font::fontDataForCombiningCharacterSequence): Added logic to use the appropriate
            variant of each font in the fallback list, which mimics the equivalent logic in
            glyphDataAndPageForCharacter().

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124645

    2012-08-03  Anna Cavender  <annacc@chromium.org>

            Negative timestamps for TextTrackCues should not be allowed.
            https://bugs.webkit.org/show_bug.cgi?id=92939

            Reviewed by Eric Carlson.

            Make sure cues added in JavaScript are not allowed negative timestamps.
            Attempting to add a cue with a negative timestamp is not successful
            and setting a timestamp to a negative value has no effect.

            Test: media/track/track-cue-negative-timestamp.html

            * html/track/TextTrack.cpp:
            (WebCore::TextTrack::addCue): If the cue's startTime or endTime is 
                negative, do not add the cue.
            * html/track/TextTrackCue.cpp:
            (WebCore::TextTrackCue::setStartTime): Ignore negative values.
            (WebCore::TextTrackCue::setEndTime): Ignore negative values.
            * html/track/TextTrackCueList.cpp:
            (WebCore::TextTrackCueList::add): Add ASSERTs to check startTime and
                endTime are positive.

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124631

    2012-08-03  Stephen Chenney  <schenney@chromium.org>

            Crash when a clip path referencing a clip path changes documents
            https://bugs.webkit.org/show_bug.cgi?id=93023

            Reviewed by Dirk Schulze.

            The SVGClipPathElement is set to not need pending resource handling,
            when in fact it can have pending resources. The result is a crash when
            the element is moved to a new document (which deletes all resources
            and leaves them pending) and then immediately deleted (which asserts
            that there are no pending resources). There is code to remove pending
            resources upon deletion and removal from the DOM, but it was not
            executing for clips because of the aforementioned code claiming that
            clips don't require such handling.

            The assertion that there be no pending resources is necessary to
            prevent caches of pending resources from trying to access the deleted
            element.

            This change removes the check for needsPendingResourceHandling in
            SVGStyledElement upon deletion and removal from the DOM. Pending resources
            will always be checked in such cases to ensure we do not introduce
            security issues.

            Test: svg/custom/clip-path-document-change-assert.html

            * svg/SVGStyledElement.cpp:
            (WebCore::SVGStyledElement::~SVGStyledElement): Removed needsPendingResourceHandling in the conditional to clean up resources.
            (WebCore::SVGStyledElement::removedFrom): Removed needsPendingResourceHandling in the conditional to clean up resources.

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124626

    2012-07-20  Jon Lee  <jonlee@apple.com>

            Crash in Notification when setting a non-object as an event listener (91881)
            https://bugs.webkit.org/show_bug.cgi?id=91881
            <rdar://problem/11923341>

            Reviewed by Oliver Hunt.

            Check to make sure that the value being retrieved is an object. This is similar
            to the isObject() check done in the bindings code.

            Test: fast/notifications/notifications-event-listener-crash.html

            * bindings/js/Dictionary.h:
            (WebCore::Dictionary::getEventListener):

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124588

    2012-08-03  Adam Barth  <abarth@webkit.org>

            WebCore::DragController::cleanupAfterSystemDrag should null-check page
            https://bugs.webkit.org/show_bug.cgi?id=61815

            Reviewed by Eric Seidel.

            * page/DragController.cpp:
            (WebCore::DragController::dragEnteredOrUpdated):
            (WebCore::DragController::doSystemDrag):

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124580

    2012-08-03  Abhishek Arya  <inferno@chromium.org>

            Regression(r124564): Wrong inlineChildrenBlock->hasLayer() computed in RenderBlock::removeChild.
            https://bugs.webkit.org/show_bug.cgi?id=90800

            Reviewed by Eric Seidel.

            r124564 reversed the sequence of setStyle and removeChildNode calls, but failed to cache the value
            of inlineChildrenBlock->hasLayer(). So, it will be null when the layer is removed from parent in setStyle.
            Fixed by caching the bool value.

            Covered by existing test fast/block/layer-not-removed-from-parent-crash.html.

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::removeChild):

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124564

    2012-08-02  Abhishek Arya  <inferno@chromium.org>

            Crash due to layer not removed from parent for anonymous block.
            https://bugs.webkit.org/show_bug.cgi?id=90800

            Reviewed by Kent Tamura.

            Reverse the order of setStyle and removeChildNode calls. This ensures that setting the style
            properly removes its layer from the parent in RenderBoxModelObject::styleDidChange. Calling
            removeChildNode before calling setStyle is problematic since the parent layer never gets
            notified.

            Test: fast/block/layer-not-removed-from-parent-crash.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::removeChild):

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124556

    2012-08-02  Kent Tamura  <tkent@chromium.org>

            Fix crashes for <input> and <textarea> with display:run-in.
            https://bugs.webkit.org/show_bug.cgi?id=87300

            Reviewed by Abhishek Arya.

            Introduce RenderObject::canBeReplacedWithInlineRunIn, and renderers which
            should not be run-in override it so that it returns false.

            Test: fast/runin/input-text-runin.html
                  fast/runin/textarea-runin.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::moveRunInUnderSiblingBlockIfNeeded):
            Checks canBeReplacedWithInlineRunIn instead of checking tag names.
            * rendering/RenderFileUploadControl.cpp:
            (WebCore::RenderFileUploadControl::canBeReplacedWithInlineRunIn):
            Added. Disallow run-in.
            * rendering/RenderFileUploadControl.h:
            (RenderFileUploadControl): Declare canBeReplacedWithInlineRunIn.
            * rendering/RenderListBox.cpp:
            (WebCore::RenderListBox::canBeReplacedWithInlineRunIn):
            Added. Disallow run-in. This is not a behavior change.
            * rendering/RenderListBox.h:
            (RenderListBox): Declare canBeReplacedWithInlineRunIn.
            * rendering/RenderMenuList.cpp:
            (WebCore::RenderMenuList::canBeReplacedWithInlineRunIn):
            Added. Disallow run-in. This is not a behavior change.
            * rendering/RenderMenuList.h:
            (RenderMenuList): Declare canBeReplacedWithInlineRunIn.
            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::canBeReplacedWithInlineRunIn):
            Added. Allow run-in by default.
            * rendering/RenderObject.h:
            (RenderObject): Declare canBeReplacedWithInlineRunIn.
            * rendering/RenderProgress.cpp:
            (WebCore::RenderProgress::canBeReplacedWithInlineRunIn):
            Added. Disallow run-in. This is not a behavior change.
            * rendering/RenderProgress.h:
            (RenderProgress): Declare canBeReplacedWithInlineRunIn.
            * rendering/RenderSlider.cpp:
            (WebCore::RenderSlider::canBeReplacedWithInlineRunIn):
            Added. Disallow run-in.
            * rendering/RenderSlider.h:
            (RenderSlider): Declare canBeReplacedWithInlineRunIn.
            * rendering/RenderTextControl.cpp:
            (WebCore::RenderTextControl::canBeReplacedWithInlineRunIn):
            Added. Disallow run-in.
            * rendering/RenderTextControl.h:
            (RenderTextControl): Declare canBeReplacedWithInlineRunIn.

2012-11-02  Lucas Forschler  <lforschler@apple.com>

        Merge r124520

    2012-08-02  Ryosuke Niwa  <rniwa@webkit.org>

            scripts in formaction should be stripped upon paste
            https://bugs.webkit.org/show_bug.cgi?id=92298

            Reviewed by Eric Seidel.

            Strip formaction attribute values when the URL is of javascript protocol.

            Test: editing/pasteboard/paste-noscript-xhtml.html
                  editing/pasteboard/paste-noscript.html

            * dom/Element.cpp:
            (WebCore::isAttributeToRemove): Explicitly compare with href and nohref instead of comparing
            the ends of strings since comparing two AtomicString is much faster.

2012-11-01  Lucas Forschler  <lforschler@apple.com>

        Merge r124491

    2012-08-02  Abhishek Arya  <inferno@chromium.org>

            No isChildAllowed checked when adding RenderFullScreen as the child.
            https://bugs.webkit.org/show_bug.cgi?id=92995

            Reviewed by Eric Seidel.

            Test: fullscreen/fullscreen-child-not-allowed-crash.html

            * dom/Document.cpp:
            (WebCore::Document::webkitWillEnterFullScreenForElement): pass the object's parent
            pointer as an additional argument.
            * dom/NodeRenderingContext.cpp:
            (WebCore::NodeRendererFactory::createRendererIfNeeded): pass the to be parent |parentRenderer|
            as the argument. 
            * rendering/RenderFullScreen.cpp:
            (RenderFullScreen::wrapRenderer): make sure that parent allows RenderFullScreen as the child.
            * rendering/RenderFullScreen.h: 
            (RenderFullScreen): support the object's parent
            pointer as an additional argument.

2012-11-01  Lucas Forschler  <lforschler@apple.com>

        Merge r124258

    2012-07-31  Luke Macpherson   <macpherson@chromium.org>

            Heap-use-after-free in WebCore::StyleResolver::loadPendingImage
            https://bugs.webkit.org/show_bug.cgi?id=92606

            Reviewed by Abhishek Arya.

            Changes StyleResolver's m_pendingImageProperties set to a map, such that for each property we keep
            a RefPtr to the CSSValue used to set that property. This ensures that CSSValues are not freed before
            they are needed by loadPendingImage.

            Test: fast/css/variables/deferred-image-load-from-variable.html

            * css/StyleResolver.cpp:
            * css/StyleResolver.h:

2012-11-01  Lucas Forschler  <lforschler@apple.com>

        Merge r124156

    2012-07-30  MORITA Hajime  <morrita@google.com>

            Node::replaceChild() can create bad DOM topology with MutationEvent
            https://bugs.webkit.org/show_bug.cgi?id=92619

            Reviewed by Ryosuke Niwa.

            Node::replaceChild() calls insertBeforeCommon() after dispatching
            a MutationEvent event for removeChild(). But insertBeforeCommon()
            expects call sites to check the invariant and doesn't have
            sufficient checks. So a MutationEvent handler can let some bad tree
            topology slip into insertBeforeCommon().

            This change adds a guard for checking the invariant using
            checkReplaceChild() between removeChild() and insertBeforeCommon().

            Test: fast/events/mutation-during-replace-child.html

            * dom/ContainerNode.cpp:
            (WebCore::ContainerNode::replaceChild): Added a guard.

2012-11-01  Lucas Forschler  <lforschler@apple.com>

        Merge r124089

    2012-07-30  Andreas Kling  <kling@webkit.org>

            REGRESSION(r123636): Heap-use-after-free in StyleResolver::collectMatchingRules.
            <http://webkit.org/b/92430>

            Reviewed by Antti Koivisto.

            Don't hold on to a reference to StyledElement::classNames() as that may become
            invalid after mutating the element's attribute data.

            In this case it was happening below Element::hasAttributes() which is unfortunately
            naive enough to always serialize lazy attributes. That is a minor inefficiency that
            can be addressed in a separate patch.

            Covered by valgrind on existing tests.

            * css/StyleResolver.cpp:
            (WebCore::StyleResolver::collectMatchingRules):

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r123131

    2012-07-19  Raymond Toy  <rtoy@google.com>

            Limit maximum delay of DelayNode.
            https://bugs.webkit.org/show_bug.cgi?id=91675

            Reviewed by Kenneth Russell.

            Clip the maximum delay of a DelayNode to a reasonable maximum.

            Test: webaudio/delaynode-maxdelaylimit.html

            * Modules/webaudio/DelayNode.cpp:
            (WebCore): Add maximumAllowedDelayTime.
            (WebCore::DelayNode::DelayNode): Clip max delay.

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r123128

    2012-07-19  Douglas Stockwell  <dstockwell@google.com>

            Crash in WebCore::StyleResolver::collectMatchingRulesForList
            https://bugs.webkit.org/show_bug.cgi?id=90803

            Reviewed by Andreas Kling.

            When a ProcessingInstruction was removed from the document the owner
            was removed, but the style resolver was not guaranteed to be updated.
            It was then possible for an inconsistent version of the stylesheet to
            remain visible in the DOM. Fixed by removing an invalid condition and
            mirroring the logic from StyleElement.

            Test: fast/css/xml-stylesheet-removed.xhtml

            * dom/ProcessingInstruction.cpp:
            (WebCore::ProcessingInstruction::removedFrom): Mirror the logic from
            StyleElement -- always update the style resolver.

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r123062

    2012-07-18  Julien Chaffraix  <jchaffraix@webkit.org>

            Crash in RenderTableSection::addCell.
            http://webkit.org/b/89496

            Reviewed by Abhishek Arya.

            The issue comes from RenderBox::splitAnonymousBoxesAroundChild that would move sections
            across tables but didn't force the table to do a synchronous section recalc. This opened
            the way for race conditions where we would query the table column structure while it's dirty
            (this is not uncommon but as usually the table's column representation is always bigger or
            more split than a section's, it's usually harmless).

            The fix is to force a synchronous section recalc.

            Test: fast/table/split-table-no-section-update-crash.html

            * rendering/RenderBox.cpp:
            (WebCore::markBoxForRelayoutAfterSplit):
            Changed to call forceSectionsRecalc, i.e. force a section recalc.

            * rendering/RenderTable.cpp:
            (WebCore::RenderTable::recalcSections):
            Added missing ASSERT for unneeded calls.

            * rendering/RenderTable.h:
            (WebCore::RenderTable::forceSectionsRecalc):
            Added this helper function.

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r122755

    2012-07-16  Florin Malita  <fmalita@chromium.org>

            SVGAnimationElement::currentValuesForValuesAnimation crash
            https://bugs.webkit.org/show_bug.cgi?id=91326

            Reviewed by Simon Fraser.

            SVGSMILElement::progress() assumes that seekToIntervalCorrespondingToTime() always
            lands inside a defined interval, but one can force arbitrary time offsets using
            setCurrentTime(). This patch adds logic for handling non-interval time offsets
            gracefully.

            Test: svg/animations/smil-setcurrenttime-crash.svg

            * svg/animation/SVGSMILElement.cpp:
            (WebCore::SVGSMILElement::progress):

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r122278

    2012-07-10  Philip Rogers  <pdr@google.com>

            Crash due to SVG animation element not removed from target (before reset)
            https://bugs.webkit.org/show_bug.cgi?id=90750

            Reviewed by Abhishek Arya.

            Previously we were not removing an animation element from
            SVGDocumentExtensions::m_animatedElements which led to a crash.
            This change properly removes animation elements in resetTargetElement
            which both fixes this bug and will prevent others from hitting it in
            the future.

            Test: svg/animations/dynamic-modify-attributename-crash2.svg

            * svg/SVGDocumentExtensions.cpp:
            (WebCore::SVGDocumentExtensions::removeAllAnimationElementsFromTarget):

            removeAllAnimationElementsFromTarget now adds all the animation elements
            to a vector and iterates over it because the changes to resetTargetElement
            would have caused us to modify the underlying hashset as we iterated. Note that
            before we deleted animationElementsForTarget in removeAllAnimationElementsFromTarget
            but that logic is now handled in removeAnimationElementFromTarget which is called
            during resetTargetElement.

            * svg/animation/SVGSMILElement.cpp:
            (WebCore::SVGSMILElement::removedFrom):

            Because of the changes in resetTargetElement, removedFrom was able to be
            refactored. This patch changes removedFrom to call resetTargetElement rather
            than have duplicated logic. There is a very small change in logic here:
            animationAttributeChanged() is now called in removedFrom().

            (WebCore::SVGSMILElement::resetTargetElement):

            resetTargetElement now fully resets the target, including removing it from
            m_animatedElements. This will prevent future instances of this bug.

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r121930

    2012-07-05  Hayato Ito  <hayato@chromium.org>

            [Crash] Click an element which will be 'display: none' on focus.
            https://bugs.webkit.org/show_bug.cgi?id=90516

            Reviewed by Hajime Morita.

            EventHandler::handleMousePressEventSingleClick checks whether
            innerNode has a renderer in the beginning of the function.  But
            the renderer may disappear in the middle of the function since its
            style has just become 'display:none'.  As a result, it touches null renderer
            in EventHandler.cpp:517:
                VisiblePosition visiblePos(innerNode->renderer()->positionForPoint(event.localPoint()));
            In the case of 'display:none', we don't have to continue.  So call
            updateLayoutIgnorePendingStylesheets() in the beginning so that we
            can early exit and do not touch null renderer.

            Test: fast/events/display-none-on-focus-crash.html

            * page/EventHandler.cpp:
            (WebCore::EventHandler::handleMousePressEventSingleClick):

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r121491

    2012-06-28  Philip Rogers  <pdr@google.com>

            Prevent crash in animate resource handling
            https://bugs.webkit.org/show_bug.cgi?id=90042

            Reviewed by Abhishek Arya.

            This patch adds a check that we are in a document before registering animation
            resources and creating a target element in SVGSMILElement. This prevents a crash where
            we would register resources and create the target when we were not in a document
            but fail to deregister / reset the target when we were removed from a document.
            In failing to reset the target, we can crash when trying to deregister resources that
            were not created after being inserted into a document and then removed.

            The existence of m_targetResources and registered animation resources is now
            tied to being in a document.

            Test: svg/custom/animate-reference-crash.html

            * svg/animation/SVGSMILElement.cpp:
            (WebCore::SVGSMILElement::targetElement):

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r121003

    2012-06-21  Ryosuke Niwa  <rniwa@webkit.org>

            LabelsNodeList isn't updated properly after its owner node is adopted into a new document
            https://bugs.webkit.org/show_bug.cgi?id=89730

            Reviewed by Darin Adler.

            When a node is adopted, node lists that are invalidated at document level need to be unregistered
            from old document and registered to new document so that DOM mutations in new document will invalidate
            caches in the node lists. Done that in NodeListsNodeData::adoptTreeScope, which was extracted from
            TreeScopeAdopter::moveTreeToNewScope.

            Also renamed DynamicNodeList::node() and m_node to rootNode() and m_ownerNode to better express
            their semantics and added ownerNode() to make m_ownerNode private to DynamicNodeList.

            Test: fast/forms/label/labels-owner-node-adopted.html

            * bindings/js/JSNodeListCustom.cpp:
            (WebCore::JSNodeListOwner::isReachableFromOpaqueRoots):
            * dom/ChildNodeList.cpp:
            (WebCore::ChildNodeList::~ChildNodeList):
            (WebCore::ChildNodeList::length):
            (WebCore::ChildNodeList::item):
            (WebCore::ChildNodeList::nodeMatches):
            * dom/ClassNodeList.cpp:
            (WebCore::ClassNodeList::ClassNodeList):
            (WebCore::ClassNodeList::~ClassNodeList):
            * dom/DynamicNodeList.cpp:
            (WebCore::DynamicSubtreeNodeList::length):
            (WebCore::DynamicSubtreeNodeList::itemForwardsFromCurrent):
            (WebCore::DynamicSubtreeNodeList::itemBackwardsFromCurrent):
            (WebCore::DynamicSubtreeNodeList::item):
            (WebCore::DynamicNodeList::itemWithName):
            * dom/DynamicNodeList.h:
            (WebCore::DynamicNodeList::DynamicNodeList):
            (WebCore::DynamicNodeList::ownerNode):
            (WebCore::DynamicNodeList::rootedAtDocument):
            (WebCore::DynamicNodeList::shouldInvalidateOnAttributeChange):
            (WebCore::DynamicNodeList::rootNode):
            (WebCore::DynamicNodeList::document):
            (DynamicNodeList):
            * dom/NameNodeList.cpp:
            (WebCore::NameNodeList::~NameNodeList):
            * dom/NodeRareData.h:
            (WebCore::NodeListsNodeData::adoptTreeScope):
            (NodeListsNodeData):
            * dom/TagNodeList.cpp:
            (WebCore::TagNodeList::~TagNodeList):
            * dom/TreeScopeAdopter.cpp:
            (WebCore::TreeScopeAdopter::moveTreeToNewScope):
            * html/LabelsNodeList.cpp:
            (WebCore::LabelsNodeList::~LabelsNodeList):
            (WebCore::LabelsNodeList::nodeMatches):
            * html/RadioNodeList.cpp:
            (WebCore::RadioNodeList::~RadioNodeList):
            (WebCore::RadioNodeList::checkElementMatchesRadioNodeListFilter):

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r121001

    2012-06-21  Abhishek Arya  <inferno@chromium.org>

            Crash in RenderBlock::layoutPositionedObjects.
            https://bugs.webkit.org/show_bug.cgi?id=89599

            Reviewed by Julien Chaffraix.

            Test: fast/table/table-split-positioned-object-crash.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::splitBlocks): no longer need to explicitly call
            removePositionedObjects, since it is part of moveChildrenTo.
            * rendering/RenderBlock.h:
            (WebCore::RenderBlock::hasPositionedObjects): helper to tell if we have
            positioned objects in our list.
            * rendering/RenderBox.cpp:
            (WebCore::RenderBox::splitAnonymousBoxesAroundChild): Like r102263, this
            condition was wrong and while moving children across completely different 
            trees, we need fullRemoveInsert as true.
            * rendering/RenderBoxModelObject.cpp:
            (WebCore::RenderBoxModelObject::moveChildTo): see code comment.
            (WebCore::RenderBoxModelObject::moveChildrenTo): see code comment. 

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r118249

    2012-05-23  Abhishek Arya  <inferno@chromium.org>

            Crash in run-ins with continuations while moving back to original position.
            https://bugs.webkit.org/show_bug.cgi?id=87264

            Reviewed by Julien Chaffraix.

            Run-ins that are now placed in a sibling block can break up into continuation
            chains when new children are added to them. We cannot easily send them back to their
            original place since that requires writing integration logic with RenderInline::addChild
            and all other places that might cause continuations to be created (without blowing away
            |this|). Disabling this feature for now to prevent crashes.

            Test: fast/runin/runin-continuations-crash.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::moveRunInToOriginalPosition):

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r117971

    2012-05-22  Nikolas Zimmermann  <nzimmermann@rim.com>

            Crash in WebCore::RenderSVGContainer::paint
            https://bugs.webkit.org/show_bug.cgi?id=86392

            Reviewed by Rob Buis.

            Modernize the <marker> code, switch to the same design pattern used for handling zero-length subpaths.
            Decouple the generation of the marker start/mid/end positions from the actual usage of this information.
            Only generate those marker positions if the underlying Path changes, and never else.

            When figuring out the bounds for a shape, access the current set of RenderSVGResourceMarker start/mid/end resources
            and ask the marker resources for their bounds using the previously figured out marker positions on the Path.
            Drawing markers is handled in the same way.

            Remove SVGMarkerLayoutInfo altogether which stored raw pointers to the RenderSVGResourceMarkers.
            We assumed that those objects would stay alive from layout() to paint(), but that assumption is wrong.

            Tests: svg/custom/bug86392.html
                   svg/custom/marker-zero-length-linecaps-expected.svg
                   svg/custom/marker-zero-length-linecaps.svg

            * CMakeLists.txt: Remove SVGMarkerLayoutInfo.*.
            * GNUmakefile.list.am: Ditto.
            * Target.pri: Ditto.
            * WebCore.gypi: Ditto.
            * WebCore.order: Ditto.
            * WebCore.vcproj/WebCore.vcproj: Ditto.
            * WebCore.xcodeproj/project.pbxproj: Ditto.
            * rendering/svg/RenderSVGAllInOne.cpp: Ditto.
            * rendering/svg/RenderSVGShape.cpp: Handle markers just like the existing zero length subpath code, which is superior.
            (WebCore::RenderSVGShape::createShape):
            (WebCore::RenderSVGShape::layout):
            (WebCore::RenderSVGShape::shouldGenerateMarkerPositions):
            (WebCore::RenderSVGShape::paint):
            (WebCore::markerForType):
            (WebCore::RenderSVGShape::markerRect):
            (WebCore::RenderSVGShape::inflateWithStrokeAndMarkerBounds):
            (WebCore::RenderSVGShape::drawMarkers):
            (WebCore::RenderSVGShape::processMarkerPositions):
            * rendering/svg/RenderSVGShape.h:
            (RenderSVGShape):
            * rendering/svg/SVGMarkerData.h:
            (WebCore::MarkerPosition::MarkerPosition):
            (MarkerPosition):
            (WebCore::SVGMarkerData::SVGMarkerData):
            (WebCore::SVGMarkerData::updateFromPathElement):
            (WebCore::SVGMarkerData::pathIsDone):
            (SVGMarkerData):
            (WebCore::SVGMarkerData::currentAngle):
            * rendering/svg/SVGMarkerLayoutInfo.cpp: Removed.
            * rendering/svg/SVGMarkerLayoutInfo.h: Removed.
            * rendering/svg/SVGResourcesCache.cpp:
            (WebCore::resourcesCacheFromRenderObject):
            (WebCore::SVGResourcesCache::cachedResourcesForRenderObject):
            * rendering/svg/SVGResourcesCache.h:
            (SVGResourcesCache):

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r117865

    2012-05-21  Abhishek Arya  <inferno@chromium.org>

            Regression(r117482): Run-in crashes relating to generated content and inline line box clearing.
            https://bugs.webkit.org/show_bug.cgi?id=86879

            Reviewed by Julien Chaffraix.

            Tests: fast/runin/generated-content-crash.html
                   fast/runin/move-run-in-original-position-crash.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks): Use the new helper
            placeRunInIfNeeded. Do not place the run-in if it is a generated container since
            the caller such as updateBeforeAfterContent might be keeping a reference to it
            and adding children to it later.
            (WebCore::destroyRunIn): Add ability to clear line box tree for inlines.
            (WebCore::RenderBlock::placeRunInIfNeeded): Helper to place run-in. Add an
            argument to not modify generated content during addChild, it should be moved
            only at end of updateBeforeAfterContent.
            (WebCore::RenderBlock::moveRunInUnderSiblingBlockIfNeeded): 
            (WebCore::RenderBlock::runInIsPlacedIntoSiblingBlock): helper to tell if this run-in
            is actually placed into the next sibling block.
            (WebCore::RenderBlock::moveRunInToOriginalPosition):
            * rendering/RenderInline.cpp:
            (WebCore::RenderInline::deleteLineBoxTree): like RenderBlock, add a helper
            for deleteLineBoxTree. Virtualizing this might not be good, since this is
            the only call site for inline line box tree clearing and RenderBlock::deleteLineBoxTree
            is called a lot.
            * rendering/RenderObjectChildList.cpp:
            (WebCore::createRendererForBeforeAfterContent): fix a typo.
            (WebCore::RenderObjectChildList::updateBeforeAfterContent): If insertBefore is equal
            to the intruded run-in, then set it to next sibling so that new child will come after it. At
            the end, place the generatedContainer if it is a run-in.

2012-10-31  Lucas Forschler  <lforschler@apple.com>

        Merge r117482

    2012-05-17  Abhishek Arya  <inferno@chromium.org>

            Move run-in handling to addChild, instead of in layout.
            https://bugs.webkit.org/show_bug.cgi?id=86387

            Reviewed by Julien Chaffraix.

            Tests: fast/runin/insert-before-run-in.html
                   fast/runin/run-in-after-run-in.html
                   fast/runin/run-in-parent-add-child.html
                   fast/runin/run-in-parent-block-child-add-and-intrude.html
                   fast/runin/run-in-parent-block-child-add.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks): handle run-ins here
            instead of layout. We do run-in handling when we see a new child with run-in display
            or add a new block whose previous sibling is run-in.
            (WebCore::RenderBlock::makeChildrenNonInline): if we will have block children, need
            to move run-in back to its original position.
            (WebCore::RenderBlock::handleSpecialChild): no longer need to handle run-ins during layout.
            (WebCore::destroyRunIn): helper to destroy a block or inline run-in.
            (WebCore):
            (WebCore::RenderBlock::createReplacementRunIn): helper to create the new replacement run-in.
            For moveRunInUnderSiblingBlockIfNeeded, it will be used to create a new inline run-in
            that goes into the next sibling block. For moveRunInToOriginalPosition, it creates a new
            block run-in that goes back to where it came from.
            (WebCore::RenderBlock::moveRunInUnderSiblingBlockIfNeeded): almost same as previous
            handleRunInChild function, but with the return type removed. Also, we don't allow
            a run-in to intrude into a block that already has a run-in.
            (WebCore::RenderBlock::moveRunInToOriginalPosition): moves run-in back to where it came from.
            * rendering/RenderBlock.h:
            (RenderBlock):
            * rendering/RenderBox.cpp:
            * rendering/RenderBox.h:
            (RenderBox):
            * rendering/RenderBoxModelObject.cpp: move all moveChild* functions from RenderBox, since
            they can now be used to move children of inlines.
            (WebCore::RenderBoxModelObject::moveChildTo): same.
            (WebCore):
            (WebCore::RenderBoxModelObject::moveChildrenTo): same.
            * rendering/RenderBoxModelObject.h:
            (RenderBoxModelObject):
            (WebCore::RenderBoxModelObject::moveChildTo): same.
            (WebCore::RenderBoxModelObject::moveAllChildrenTo): same.
            (WebCore::RenderBoxModelObject::moveChildrenTo): same.

2012-10-30  Lucas Forschler  <lforschler@apple.com>

        Merge r117224

    2012-05-15  Abhishek Arya  <inferno@chromium.org>

            Crash in Document::nodeChildrenWillBeRemoved.
            https://bugs.webkit.org/show_bug.cgi?id=85247

            Reviewed by Hajime Morita.

            Reverse ordering of commands to ref ptr the children set
            first before calling nodeChildrenWillBeRemoved, since it
            can fire mutation events.

            Test: fast/dom/HTMLObjectElement/beforeload-set-text-crash.xhtml

            * dom/ContainerNode.cpp:
            (WebCore::willRemoveChildren):

2012-10-30  Lucas Forschler  <lforschler@apple.com>

        Merge r116255.

    2012-05-06  MORITA Hajime  <morrita@google.com>

            [Shadow DOM] Node distribution should be refreshed before style recalc.
            https://bugs.webkit.org/show_bug.cgi?id=85259

            Reviewed by Dimitri Glazkov.

            Element::recalcStyle() calls child element's recalcStyle()
            recursively, following ShadowTree::recalcShadowTreeStyle(). But
            recalcShadowTreeStyle() should be called before such recursion if
            necessary.

            This is because style calculation and following renderer attachment
            of each child element depends on up-to-date node distribution result
            which is computed during the recalcShadowTreeStyle().

            Test: fast/dom/shadow/shadow-dynamic-style-change-via-mutation-and-selector.html

            * dom/Element.cpp: Moved recalcShadowTreeStyle() before child traversals.
            (WebCore::Element::recalcStyle):

2012-09-18  Lucas Forschler  <lforschler@apple.com>

    Merge r128845.

    2012-09-17  Roger Fong  <roger_fong@apple.com>

            [Win] Null check timing function received from CoreAnimation when calling CACFAnimationGetTimingFunction.
            https://bugs.webkit.org/show_bug.cgi?id=96972

            Timothy Horton

            When paused, some CSS animations cause CoreAnimation to pass back a null timing function when calling CACFAnimationGetTimingFunction.
            This patch fixes this simply by ensuring that if the output of this method is null, it does not get passed into CACFAnimationSetTimingFunction
            via the PlatformCAAnimation::copyTimingFunctionFrom method.

            * platform/graphics/ca/win/PlatformCAAnimationWin.cpp:
            (PlatformCAAnimation::copyTimingFunctionFrom):

2012-09-18  Lucas Forschler  <lforschler@apple.com>

    Merge r126666.

    2012-08-24  Roger Fong  <roger_fong@apple.com>

            -webkit-font-smoothing: antialiased should use CG font rendering code path, not GDI
            https://bugs.webkit.org/show_bug.cgi?id=54004
            <rdar://problem/8971429>

            Reviewed by Dan Bernstein.

            When specifying -webkit-font-smoothing: antialiased; the code path ends up using GDI to draw the text.
            GDI ends up drawing subpixel antialiased text, not aliased text anyways.
            The CG code path also has the capability of drawing antialiased text. The reason that the GDI path was 
            used in the first place is no longer a concern here so we can stop using the GDI code path.

            * platform/graphics/win/FontCGWin.cpp: Removing GDI font drawing code path.
            (WebCore):
            (WebCore::Font::drawGlyphs):

2012-08-29  Timothy Hatcher  <timothy@apple.com>

        Merge r126921.

    2012-08-29  Jer Noble  <jer.noble@apple.com>

        Crash in WebCore::logPluginRequest + 183
        https://bugs.webkit.org/show_bug.cgi?id=95218

        Reviewed by Oliver Hunt.

        Crash is within findPluginMIMETypeFromURL, caused by a null-dereference of 
        page()->pluginData().  Add a null-check and return an empty string.

        * loader/SubframeLoader.cpp:
        (WebCore::findPluginMIMETypeFromURL):

2012-08-20  Mark Rowe  <mrowe@apple.com>

        Merge r122354.

    2012-07-11  Dean Jackson  <dino@apple.com>

        TileCache layers have wrong border debug color
        https://bugs.webkit.org/show_bug.cgi?id=90922

        Reviewed by Simon Fraser.

        Commit r122152 updated the layer hierarchy when a tile
        cache is being used by the view. As part of that, GraphicsLayerClient::shouldUseTileCache()
        was changed to return false in some situations (the idea was that it
        should only be called from the createGraphicsLayer method). However
        there were two other call points: one that sets the debug colors on
        borders, the other was a call that keeps the document background in sync.

        Add a new method usingTileCache() that returns the current state. Also fix
        a FIXME where the debug code always called into the client rather than
        caching the value on the GraphicsLayer.

        Test: compositing/document-background-color.html

        * platform/graphics/GraphicsLayer.cpp:
        (WebCore::GraphicsLayer::GraphicsLayer):
        (WebCore::GraphicsLayer::updateDebugIndicators): check the local variable when
        setting the debug colors.
        * platform/graphics/GraphicsLayer.h:
        (GraphicsLayer): new bool member variable m_usingTileCache.
        * platform/graphics/GraphicsLayerClient.h:
        (WebCore::GraphicsLayerClient::usingTileCache): new virtual method to query if
        this client is actually using the tile cache.
        * platform/graphics/ca/GraphicsLayerCA.cpp:
        (WebCore::GraphicsLayerCA::GraphicsLayerCA): set the member variable m_usingTileCache
        if the GraphicsLayerClient says we are.
        * rendering/RenderLayerBacking.h:
        (WebCore::RenderLayerBacking::usingTileCache):
        * rendering/RenderLayerCompositor.cpp:
        (WebCore::RenderLayerCompositor::documentBackgroundColorDidChange): call usingTileCache()
        rather than shouldUseTileCache(), because the latter's value might not always reflect
        the existence of a cache.

2012-08-14  Lucas Forschler  <lforschler@apple.com>

    Merge r124268.

    2012-07-31  Sam Weinig  <sam@webkit.org>

            Stop masking 8 bits off of the visited link hash. We need all the bits!
            https://bugs.webkit.org/show_bug.cgi?id=92799

            Reviewed by Anders Carlsson.

            * loader/appcache/ApplicationCacheStorage.cpp:
            (WebCore::urlHostHash):
            * platform/network/blackberry/CredentialBackingStore.cpp:
            (WebCore::hashCredentialInfo):
            * plugins/blackberry/PluginPackageBlackBerry.cpp:
            (WebCore::PluginPackage::hash):
            Update for new function names.

2012-08-13  Andy Estes  <aestes@apple.com>

        <rdar://problem/12050793> Brahms: REGRESSION (r113584): Apple reseller website does not display correctly. (91452)

        Roll out <http://trac.webkit.org/changeset/94492>,
        <http://trac.webkit.org/changeset/103851>, and
        <http://trac.webkit.org/changeset/113584> from safari-536.26-branch.

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::layoutPositionedObjects):
        * rendering/RenderBlock.h:
        (RenderBlock):
        * rendering/RenderBlockLineLayout.cpp:
        (WebCore::LineInfo::LineInfo):
        (WebCore::LineInfo::floatPaginationStrut):
        (LineInfo):
        (WebCore::RenderBlock::constructLine):
        (WebCore):
        (WebCore::RenderBlock::computeInlineDirectionPositionsForLine):
        (WebCore::setStaticPositions):
        (WebCore::RenderBlock::layoutRunsAndFloatsInRange):
        (WebCore::RenderBlock::LineBreaker::skipLeadingWhitespace):

2012-08-13  Lucas Forschler  <lforschler@apple.com>

    Merge r125104.

    2012-08-08  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=93393
            Overflow regions sometimes repaint incorrectly after going into or 
            coming out of compositing mode
            -and corresponding-
            <rdar://problem/12006463>

            Reviewed by Simon Fraser.

            My first patch to fix this bug removed an if (parent()) check that is 
            needed to prevent a table crash seen in 
            fast/table/table-row-compositing-repaint-crash.html  
            The parent() check was actually added originally to prevent this same 
            crash. See http://trac.webkit.org/changeset/110456  
            This patch adds that check back, but really we should delay the 
            computation of repaint rects if layout has not happened yet.
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::updateBacking):

2012-08-13  Lucas Forschler  <lforschler@apple.com>

    Merge r125086.

    2012-08-08  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=93393
            Overflow regions sometimes repaint incorrectly after going into or 
            coming out of compositing mode
            -and corresponding-
            <rdar://problem/12006463>

            Reviewed by Simon Fraser.

            New RenderLayer function computeRepaintRectsIncludingDescendants()
            * rendering/RenderLayer.cpp:
            (WebCore):
            (WebCore::RenderLayer::computeRepaintRectsIncludingDescendants):
            * rendering/RenderLayer.h:
            (RenderLayer):

            It is not sufficient to compute repaint rects just for the current 
            layer when compositing changes. They must be recomputed for all 
            descendant layers as well.
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::updateBacking):

2012-08-13  Lucas Forschler  <lforschler@apple.com>

    Merge r123013.

    2012-07-18  Oliver Hunt  <oliver@apple.com>

            WebKit provides APIs that make it possible for JSC to attempt to initialise the heap without initialising threading
            https://bugs.webkit.org/show_bug.cgi?id=91663

            Reviewed by Filip Pizlo.

            Initialising a JSGlobalData now requires us to have initialised JSC's threading
            logic, as that also initialises the JSC VM runtime options.  WebKit provides a
            number of routines that make use of commonJSGlobalData() that can be used before
            webcore has called the appropriate initialisation routine.  This patch makes the
            minimal change of ensuring that commonJSGlobalData initialises threading before
            attempting to create the common heap.

            * bindings/js/JSDOMWindowBase.cpp:
            (WebCore::JSDOMWindowBase::commonJSGlobalData):

2012-08-13  Lucas Forschler  <lforschler@apple.com>

    Merge r118725.

    2012-05-28  Kent Tamura  <tkent@chromium.org>

            Fix a crash in HTMLFormControlElement::disabled().
            https://bugs.webkit.org/show_bug.cgi?id=86534

            Reviewed by Ryosuke Niwa.

            Stop holding pointers to fieldset and legend elements. We can avoid it by
            holding the ancestor's disabled state.

            The ancestor's disabled state should be invalidated when
             - fieldset's disabled value is changed.
             - fieldset's children are updated because a legend position might be changed.
             - A form control is attached to or detached from a tree.

            No new tests. It's almost impossible to make a reliable test.

            * html/HTMLFieldSetElement.cpp:
            (WebCore::HTMLFieldSetElement::invalidateDisabledStateUnder):
            Added. Invalidate disabled state of form controls under the specified node.
            (WebCore::HTMLFieldSetElement::disabledAttributeChanged):
            Uses invalidateDisabledStateUnder().
            (WebCore::HTMLFieldSetElement::childrenChanged):
            Added new override function. We need to invalidate disabled state of form
            controls under legend elements.

            * html/HTMLFieldSetElement.h:
            (HTMLFieldSetElement): Add invalidateDisabledStateUnder() and childrenChanged().

            * html/HTMLFormControlElement.cpp:
            (WebCore::HTMLFormControlElement::HTMLFormControlElement):
            Remove initialization of the removed data members.
            Initialize m_ancestorDisabledState.
            (WebCore::HTMLFormControlElement::updateAncestorDisabledState):
            Update m_ancestorDisabledState. It should be
            AncestorDisabledStateDisabled if the control is under a disabled
            fieldset and not under the first legend child of the disabled fieldset.
            (WebCore::HTMLFormControlElement::ancestorDisabledStateWasChanged):
            Invalidate m_ancestorDisabledState.
            (WebCore::HTMLFormControlElement::insertedInto): ditto.
            (WebCore::HTMLFormControlElement::removedFrom): ditto.
            (WebCore::HTMLFormControlElement::disabled):
            Calls updateAncestorDisabledState() if needed.
            (WebCore::HTMLFormControlElement::recalcWillValidate):
            Remove unnecessary check for m_legendAncestor.

            * html/HTMLFormControlElement.h:
            (HTMLFormControlElement):
            - Rename updateFieldSetAndLegendAncestor() to updateAncestorDisabledState(), and make it private.
            - Remove m_fieldSetAncestor, m_legendAncestor, and m_fieldSetAncestorValid.
            - Add m_ancestorDisabledState.

2012-08-13  Lucas Forschler  <lforschler@apple.com>

    Merge r118721

    2012-05-28  Kent Tamura  <tkent@chromium.org>

            Form controls in <fieldset disabled> should not be validated.
            https://bugs.webkit.org/show_bug.cgi?id=87381

            Reviewed by Hajime Morita.

            We need to use disabled() instead of m_disabled to calculate
            willValidate property. Also, we need to update willValidate if
            necessary.

            Test: fast/forms/fieldset/validation-in-fieldset.html

            * html/HTMLFieldSetElement.cpp:
            (WebCore::HTMLFieldSetElement::disabledAttributeChanged):
             - Do not traverse this.
             - Calls ancestorDisabledStateWasChanged() instead of
              setNeedsStyleRecalc() because we'd like to do additional tasks.
            * html/HTMLFormControlElement.cpp:
            (WebCore::HTMLFormControlElement::ancestorDisabledStateWasChanged):
            Added. Just calls disabledAttributeChanged().
            (WebCore::HTMLFormControlElement::parseAttribute):
            Do not call setNeedsWillValidateCheck() whenever an attribute is updated.
            It should be called only if disabled or readonly attribute is updated.
            (WebCore::HTMLFormControlElement::disabledAttributeChanged):
            Add setNeedsWillValidateCheck(). It was moved from parseAttribute().
            (WebCore::HTMLFormControlElement::insertedInto):
            Invalidate ancestor information.
            (WebCore::HTMLFormControlElement::recalcWillValidate):
            Use disabled() instead of m_disabled. disabled() takes care of
            ancestor's disabled state.
            * html/HTMLFormControlElement.h:
            (HTMLFormControlElement):

2012-08-10  Lucas Forschler  <lforschler@apple.com>

    Merge r125124.

    2012-08-08  Brady Eidson  <beidson@apple.com>

            Google search query text reverts to original search query after multiple searches
            <rdar://problem/10800686> and https://bugs.webkit.org/show_bug.cgi?id=93544

            Reviewed by Darin Adler.

            For security sensitive fields we normally clear "autocomplete=off" form elements when
            restoring a page from the page cache.

            If the element is textual and has a defaultValue then "clearing" it actually restores 
            the default value.

            There's no scenario we can imagine where that makes sense so we should not reset the 
            value in such fields.

            Test: fast/forms/autocomplete-off-with-default-value-does-not-clear.html

            * html/HTMLInputElement.cpp:
            (WebCore::HTMLInputElement::parseAttribute): Update suspension callback registration as needed.
            (WebCore::HTMLInputElement::needsSuspensionCallback): Don't reset text fields with a non-empty default value.

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 123121

    2012-07-19  James Simonsen  <simonjam@chromium.org>

            Regression(120096): Protect the element used by ImageLoader until the end of notifyFinished().
            https://bugs.webkit.org/show_bug.cgi?id=90471

            Reviewed by Brady Eidson.

            Test: http/tests/security/video-poster-cross-origin-crash.html

            * html/HTMLImageLoader.cpp:
            (WebCore::HTMLImageLoader::notifyFinished): Hang on to the element until we're done.
            * loader/ImageLoader.cpp:
            (WebCore::ImageLoader::setImage): No behavior change.
            (WebCore):
            (WebCore::ImageLoader::setImageWithoutConsideringPendingLoadEvent): Split off from old setImage, minus calling updatedHasPendingLoadEvent().
            (WebCore::ImageLoader::notifyFinished): Invoke updatedHasPendingLoadEvent when done with cross origin errors.
            * loader/ImageLoader.h:
            (ImageLoader):

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 120096

    2012-06-12  Brady Eidson  <beidson@apple.com>

            <rdar://problem/11593686> and https://bugs.webkit.org/show_bug.cgi?id=88683
            Garbage collection of an <img> element can cause reentrant event dispatch.

            Reviewed by Darin Adler.

            The most straightforward solution is for ImageLoader to keep its Element alive
            with ref/deref any time the Image is actually loading.

            ImageLoader should always do this for all Elements, and if those Elements want/need
            different behavior for when they are detached then they need to manually stop their
            loads.

            Tests: http/tests/loading/embed-image-load-outlives-gc-without-crashing.html
                   http/tests/loading/image-input-type-outlives-gc-without-crashing.html
                   http/tests/loading/image-load-outlives-gc-without-crashing.html
                   http/tests/loading/object-image-load-outlives-gc-without-crashing.html
                   http/tests/loading/svg-image-load-outlives-gc-without-crashing.html
                   http/tests/loading/video-poster-image-load-outlives-gc-without-crashing.html

            * loader/ImageLoader.cpp:
            (WebCore::ImageLoader::ImageLoader):
            (WebCore::ImageLoader::~ImageLoader):
            (WebCore::ImageLoader::setImage):
            (WebCore::ImageLoader::updateFromElement):
            (WebCore::ImageLoader::notifyFinished):
            (WebCore::ImageLoader::updatedHasPendingLoadEvent):
            (WebCore::ImageLoader::dispatchPendingBeforeLoadEvent):
            (WebCore::ImageLoader::dispatchPendingLoadEvent):
            * loader/ImageLoader.h:
            (ImageLoader):
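
The keep-alive rule in the entry above, combined with the notifyFinished() protection from the r123121 entry before it, as an added C++ sketch (not WebKit code). Element, Protector, ImageLoaderSketch, m_elementIsProtected and the scenario function are constructed stand-ins; only the names notifyFinished() and updatedHasPendingLoadEvent() come from the ChangeLog.

```cpp
#include <functional>

// Constructed stand-in for a ref-counted DOM element (not WebKit's Element).
class Element {
public:
    static int liveCount;               // number of elements currently alive
    Element() { ++liveCount; }
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; }
    int touched = 0;                    // written after event dispatch, see below
private:
    ~Element() { --liveCount; }         // heap-only: destroyed via deref()
    int m_refCount = 1;                 // the creator's reference
};
int Element::liveCount = 0;

// RAII guard: holds one reference for the lifetime of a scope.
class Protector {
public:
    explicit Protector(Element* element) : m_element(element) { m_element->ref(); }
    ~Protector() { m_element->deref(); }
    Protector(const Protector&) = delete;
    Protector& operator=(const Protector&) = delete;
private:
    Element* m_element;
};

class ImageLoaderSketch {
public:
    explicit ImageLoaderSketch(Element* element) : m_element(element) {}

    void startLoad()
    {
        m_hasPendingLoad = true;
        updatedHasPendingLoadEvent();   // takes the "loading" reference
    }

    // Returns the live-element count seen at the end of the body,
    // while the Protector is still holding the element.
    int notifyFinished()
    {
        Protector protect(m_element);   // hang on to the element until we're done
        m_hasPendingLoad = false;
        updatedHasPendingLoadEvent();   // drops the "loading" reference
        ++m_element->touched;           // safe only because of the Protector
        return Element::liveCount;
    }

private:
    // Keep the element referenced exactly while a load is pending.
    void updatedHasPendingLoadEvent()
    {
        if (m_hasPendingLoad == m_elementIsProtected)
            return;
        m_elementIsProtected = m_hasPendingLoad;
        if (m_elementIsProtected)
            m_element->ref();
        else
            m_element->deref();
    }

    Element* m_element;
    bool m_hasPendingLoad = false;
    bool m_elementIsProtected = false;  // hypothetical field name
};

struct Outcome {
    int liveDuringLoad;
    int liveInsideNotify;
    int liveAfterNotify;
};

// Scenario: the last outside reference goes away (as a GC would do)
// while the load is still in flight.
Outcome loadOutlivesLastOutsideReference()
{
    Element* element = new Element;     // refcount 1 (creator)
    ImageLoaderSketch loader(element);
    loader.startLoad();                 // refcount 2 (creator + pending load)
    element->deref();                   // creator's reference collected, refcount 1

    Outcome outcome;
    outcome.liveDuringLoad = Element::liveCount;
    outcome.liveInsideNotify = loader.notifyFinished();
    outcome.liveAfterNotify = Element::liveCount;
    return outcome;
}
```

Without the Protector, the deref() inside updatedHasPendingLoadEvent() would destroy the element before the later write to it in notifyFinished().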

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 123936

    2012-07-27  Brady Eidson  <beidson@apple.com>

            Plugins should not be allowed to override standard properties/attributes in non-standard worlds
            <rdar://problem/11975252> and https://bugs.webkit.org/show_bug.cgi?id=92519

            Reviewed by Anders Carlsson.

            Change the 3 plugin-owning elements' custom bindings to prefer built-in properties if they exist.
            When they do they don't give the plugin a chance to override.

            Test: plugins/npruntime/overrides-all-properties.html

            Add plugin custom functions to prefer built-in properties over plugin scriptable object properties:
            * bindings/js/JSPluginElementFunctions.h:
            (WebCore::pluginElementCustomGetOwnPropertySlot):
            (WebCore::pluginElementCustomGetOwnPropertyDescriptor):

            Use those new custom functions for getting properties:
            * bindings/js/JSHTMLAppletElementCustom.cpp:
            (WebCore::JSHTMLAppletElement::getOwnPropertySlotDelegate):
            (WebCore::JSHTMLAppletElement::getOwnPropertyDescriptorDelegate):
            * bindings/js/JSHTMLEmbedElementCustom.cpp:
            (WebCore::JSHTMLEmbedElement::getOwnPropertySlotDelegate):
            (WebCore::JSHTMLEmbedElement::getOwnPropertyDescriptorDelegate):
            * bindings/js/JSHTMLObjectElementCustom.cpp:
            (WebCore::JSHTMLObjectElement::getOwnPropertySlotDelegate):
            (WebCore::JSHTMLObjectElement::getOwnPropertyDescriptorDelegate):

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 120328

    2012-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>

            Worker tear-down can re-enter JSC during GC finalization pt. 2
            https://bugs.webkit.org/show_bug.cgi?id=88601

            Reviewed by David Levin.

            No new tests. Current regression tests are sufficient.

            * workers/WorkerMessagingProxy.cpp:
            (WebCore::WorkerMessagingProxy::WorkerMessagingProxy):
            (WebCore::WorkerMessagingProxy::workerObjectDestroyed): We clear the m_workerObject here because 
            we don't want anybody else trying to send messages to the Worker now that it has been destroyed.
            We also queue the asynchronous task for the various other cleanup that still needs to be done. 
            This allows us to avoid the problem of re-entrant JS code execution during GC.
            (WebCore):
            (WebCore::WorkerMessagingProxy::workerObjectDestroyedInternal): Here we set m_mayBeDestroyed to true.
            This is the point after which deleting the WorkerMessagingProxy in workerContextDestroyedInternal()
            is okay. It could happen during this function call if the worker thread has been shut down already, or
            it could be called later after we shut down the worker thread.
            (WebCore::WorkerMessagingProxy::workerContextDestroyedInternal): We check m_mayBeDestroyed here 
            instead of checking m_workerObject. This change effectively orthogonalizes the roles that m_workerObject 
            was filling. Since we were eagerly clearing m_workerObject, but we wanted to asynchronously call 
            workerObjectDestroyed(), we needed to make sure we didn't accidentally try to delete the WorkerMessagingProxy
            twice (once from destroying the Worker and once from destroying the WorkerContext). This boolean field 
            should fix that issue--we set it lazily like we wanted to do without being in danger of causing use-after-free
            issues with m_workerObject.
            * workers/WorkerMessagingProxy.h: Added the new field and function.
            (WorkerMessagingProxy):

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 119740

    2012-06-07  Mark Hahnenberg  <mhahnenberg@apple.com>

            Worker tear-down can re-enter JSC during GC finalization
            https://bugs.webkit.org/show_bug.cgi?id=88449

            Reviewed by Geoffrey Garen.

            No new tests. 

            This is the first of two patches to fix this issue with Workers.

            * workers/AbstractWorker.cpp:
            (WebCore::AbstractWorker::~AbstractWorker): We don't need to call onDestroyWorker() here, it 
            will be called elsewhere in contextDestroyed().

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 124811

    2012-08-06  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=93199
            REGRESSION (r124489): Crash in FrameView::scrollContentsFastPath when 
            scrolling Facebook and Google image search
            -and corresponding-
            <rdar://problem/12035066>

            Reviewed by Anders Carlsson.

            As the comment in setShouldUpdateScrollLayerPositionOnMainThread() 
            indicates, the goal of adding a call to 
            updateMainFrameScrollPositionAndScrollLayerPosition() within that 
            function was just to make sure the layer position was up-to-date 
            since that is what is not kept up to date when scrolling is happening 
            on the scrolling thread. So I'm fixing this crash by having that code 
            ONLY update the layer position instead of also updating the scroll 
            position, since it was updating the scroll position that led to this 
            crash.

            New function updateMainFrameScrollLayerPosition() will update JUST 
            the layer position.
            * page/scrolling/ScrollingCoordinator.h:
            (ScrollingCoordinator):        
            * page/scrolling/ScrollingCoordinator.cpp:
            (WebCore::ScrollingCoordinator::updateMainFrameScrollLayerPosition):

            Update just the layer position here instead of the layer position and 
            the scroll position.
            (WebCore):
            (WebCore::ScrollingCoordinator::setShouldUpdateScrollLayerPositionOnMainThread):

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 124102

    2012-07-30  Anders Carlsson  <andersca@apple.com>

            Crash in logging code if MIME type is null
            https://bugs.webkit.org/show_bug.cgi?id=92683
            <rdar://problem/11985295>

            Reviewed by Dan Bernstein.

            If the MIME type is null, try to figure it out from the URL extension. If this fails, return early instead of crashing
            trying to insert the null string into a hash set.

            * loader/SubframeLoader.cpp:
            (WebCore::logPluginRequest):

2012-08-08  Lucas Forschler  <lforschler@apple.com>

    Merge 124720

    2012-08-05  Antti Koivisto  <antti@apple.com>

            Don't reuse cached stylesheet with failed or canceled resource loads
            https://bugs.webkit.org/show_bug.cgi?id=93203

            Reviewed by Simon Fraser.

            1) Go to apple.com
            2) Reload repeatedly

            Eventually you can get into a state where some images don't load.

            The problem is that a cached stylesheet may end up pointing to image resources that have been canceled (by the reload).
            If this happens they stay in the canceled state even when the stylesheet is applied to a new document.

            Fix by checking if all loads are complete (or pending) when restoring a cached stylesheet. The sheet is only used
            if there are no failed or canceled loads. There are potentially more sophisticated fixes but this is simple and safe.
            Walking the sheet is fast and since it is only done on cache restore the cost is minimal.

            No regression test yet though the new code does get exercised by the existing tests.

            * css/CSSCrossfadeValue.cpp:
            (WebCore::CSSCrossfadeValue::hasFailedOrCanceledSubresources):
            (WebCore):
            * css/CSSCrossfadeValue.h:
            (CSSCrossfadeValue):
            * css/CSSFontFaceSrcValue.cpp:
            (WebCore::CSSFontFaceSrcValue::hasFailedOrCanceledSubresources):
            (WebCore):
            * css/CSSFontFaceSrcValue.h:
            (CSSFontFaceSrcValue):
            * css/CSSImageSetValue.cpp:
            (WebCore::CSSImageSetValue::hasFailedOrCanceledSubresources):
            (WebCore):
            * css/CSSImageSetValue.h:
            (CSSImageSetValue):
            * css/CSSImageValue.cpp:
            (WebCore::CSSImageValue::hasFailedOrCanceledSubresources):
            (WebCore):
            * css/CSSImageValue.h:
            (CSSImageValue):
            * css/CSSValue.cpp:
            (WebCore::CSSValue::hasFailedOrCanceledSubresources):
            (WebCore):
            * css/CSSValue.h:
            (CSSValue):
            * css/CSSValueList.cpp:
            (WebCore::CSSValueList::hasFailedOrCanceledSubresources):
            (WebCore):
            * css/CSSValueList.h:
            (CSSValueList):
            * css/StylePropertySet.cpp:
            (WebCore::StylePropertySet::hasFailedOrCanceledSubresources):
            (WebCore):
            * css/StylePropertySet.h:
            (StylePropertySet):
            * css/StyleSheetContents.cpp:
            (WebCore::childRulesHaveFailedOrCanceledSubresources):
            (WebCore):
            (WebCore::StyleSheetContents::hasFailedOrCanceledSubresources):
            * css/StyleSheetContents.h:
            (StyleSheetContents):
            * loader/cache/CachedCSSStyleSheet.cpp:
            (WebCore::CachedCSSStyleSheet::restoreParsedStyleSheet):
            * loader/cache/CachedResource.h:
            (WebCore::CachedResource::loadFailedOrCanceled):

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 116291

    2012-05-07  Antti Koivisto  <antti@apple.com>

            Share stylesheet data structures between documents
            https://bugs.webkit.org/show_bug.cgi?id=85598

            Reviewed by Darin Adler.

            We currently make a copy of the data structures when restoring a cached stylesheet. This patch lets us share
            the data until someone uses a mutating CSSOM API to modify the sheet.

            The patch implements copy-on-write for the internal style sheet data structures. If any mutating CSSOM API is
            invoked, we check if the mutation is safe (there is only one client, the sheet is not cached). If not then the
            internal structures are copied and any existing CSSOM objects are re-attached to the new style tree. The copied
            tree is mutated while the other clients stay attached to the original tree.

            Sharing can save a significant amount of memory on sites with large stylesheets. For example if you have
            multiple articles open on wsj.com this saves ~2.6MB per tab.

            Test: http/tests/css/shared-stylesheet-mutation.html
                  http/tests/css/shared-stylesheet-mutation-preconstruct.html

            * css/CSSFontFaceRule.cpp:
            (WebCore::CSSFontFaceRule::reattach):
            (WebCore):
            * css/CSSFontFaceRule.h:
            (CSSFontFaceRule):
            * css/CSSMediaRule.cpp:
            (WebCore::CSSMediaRule::insertRule):
            (WebCore::CSSMediaRule::deleteRule):
            (WebCore::CSSMediaRule::reattach):
            (WebCore):
            * css/CSSMediaRule.h:
            (CSSMediaRule):
            * css/CSSPageRule.cpp:
            (WebCore::CSSPageRule::setSelectorText):
            (WebCore::CSSPageRule::reattach):
            (WebCore):
            * css/CSSPageRule.h:
            (CSSPageRule):
            * css/CSSRule.cpp:
            (WebCore::CSSRule::reattach):

                After the internal stylerule tree has been copied, the existing wrappers are re-attached using recursive reattach() function.

            * css/CSSRule.h:
            (WebCore):
            (CSSRule):
            * css/CSSStyleRule.cpp:
            (WebCore::CSSStyleRule::setSelectorText):
            (WebCore::CSSStyleRule::reattach):
            (WebCore):
            * css/CSSStyleRule.h:
            (CSSStyleRule):
            * css/CSSStyleSheet.cpp:
            (WebCore::StyleSheetInternal::StyleSheetInternal):
            (WebCore::StyleSheetInternal::isCacheable):
            (WebCore::StyleSheetInternal::ruleAt):

                Add ruleAt(), use it for both wrapper creation and reattaching.  Remove createChildRuleCSSOMWrapper.

            (WebCore):
            (WebCore::StyleSheetInternal::wrapperInsertRule):
            (WebCore::StyleSheetInternal::wrapperDeleteRule):

                Invalidation moves to the calling wrapper.

            (WebCore::StyleSheetInternal::addedToMemoryCache):
            (WebCore::StyleSheetInternal::removedFromMemoryCache):
            (WebCore::CSSStyleSheet::willMutateRules):

                This is called whenever StyleSheetInternal is going to be mutated. It will do copy-on-write if needed.

                Usually invoked by CSSStyleSheet::RuleMutation RAII type.

            (WebCore::CSSStyleSheet::didMutateRules):

                This is called after the mutation is complete and will trigger the style recalc in the document.

            (WebCore::CSSStyleSheet::didMutate):

                This is called directly after mutations that don't change StyleSheetInternal so don't require copy-on-write.

            (WebCore::CSSStyleSheet::reattachChildRuleCSSOMWrappers):
            (WebCore::CSSStyleSheet::setDisabled):
            (WebCore::CSSStyleSheet::insertRule):
            (WebCore::CSSStyleSheet::deleteRule):
            * css/CSSStyleSheet.h:
            (StyleSheetInternal):
            (WebCore::StyleSheetInternal::hasOneClient):
            (WebCore::StyleSheetInternal::isMutable):
            (WebCore::StyleSheetInternal::setMutable):

                Track mutability. Mutation is allowed only after willMutate call.

            (WebCore::StyleSheetInternal::isInMemoryCache):

                Track if the object is in memory cache.

            (WebCore::CSSStyleSheet::clearOwnerRule):
            (CSSStyleSheet):
            * css/MediaList.cpp:
            (WebCore::MediaList::setMediaText):
            (WebCore::MediaList::deleteMedium):
            (WebCore::MediaList::appendMedium):
            (WebCore::MediaList::didMutate):
            (WebCore):
            (WebCore::MediaList::reattach):
            * css/MediaList.h:
            (MediaList):
            * css/PropertySetCSSStyleDeclaration.cpp:
            (WebCore::PropertySetCSSStyleDeclaration::setCssText):
            (WebCore::PropertySetCSSStyleDeclaration::setProperty):
            (WebCore::PropertySetCSSStyleDeclaration::removeProperty):
            (WebCore::PropertySetCSSStyleDeclaration::setPropertyInternal):
            (WebCore):
            (WebCore::StyleRuleCSSStyleDeclaration::willMutate):
            (WebCore::StyleRuleCSSStyleDeclaration::didMutate):
            (WebCore::StyleRuleCSSStyleDeclaration::reattach):
            (WebCore::InlineCSSStyleDeclaration::didMutate):
            * css/PropertySetCSSStyleDeclaration.h:
            (WebCore::PropertySetCSSStyleDeclaration::willMutate):
            (WebCore::PropertySetCSSStyleDeclaration::didMutate):
            (StyleRuleCSSStyleDeclaration):
            * css/WebKitCSSKeyframesRule.cpp:
            (WebCore::WebKitCSSKeyframesRule::setName):
            (WebCore::WebKitCSSKeyframesRule::insertRule):
            (WebCore::WebKitCSSKeyframesRule::deleteRule):
            (WebCore::WebKitCSSKeyframesRule::reattach):
            (WebCore):
            * css/WebKitCSSKeyframesRule.h:
            (WebKitCSSKeyframesRule):
            * css/WebKitCSSRegionRule.cpp:
            (WebCore::WebKitCSSRegionRule::reattach):
            * css/WebKitCSSRegionRule.h:
            (WebKitCSSRegionRule):
            * inspector/InspectorStyleSheet.cpp:
            (WebCore::InspectorStyleSheet::reparseStyleSheet):
            * loader/cache/CachedCSSStyleSheet.cpp:
            (WebCore::CachedCSSStyleSheet::~CachedCSSStyleSheet):
            (WebCore::CachedCSSStyleSheet::destroyDecodedData):
            (WebCore::CachedCSSStyleSheet::restoreParsedStyleSheet):

                Don't copy when restoring. It is no longer necessary.
                Set the cache bit on the stylesheet.

            (WebCore::CachedCSSStyleSheet::saveParsedStyleSheet):

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 124829

    2012-08-06  Anders Carlsson  <andersca@apple.com>

            Clear out the TileCache backpointer for all tile layers when the tile cache is destroyed
            https://bugs.webkit.org/show_bug.cgi?id=93317
            <rdar://problem/11566543>

            Reviewed by Dean Jackson.

            It seems that in some rare cases, the tile cache layer can be destroyed in the same transaction as tile layers
            are being asked to paint. Make sure to null out the TileCache back pointer for all layers in the TileCache destructor.

            * platform/graphics/ca/mac/TileCache.mm:
            (WebCore::TileCache::~TileCache):

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 124714

    2012-08-04  Dan Bernstein  <mitz@apple.com>

            <rdar://problem/11875795> REGRESSION (tiled drawing): Page’s scroll bars flash with each character you type in a textarea (affects Wikipedia and YouTube)
            https://bugs.webkit.org/show_bug.cgi?id=91348

            Reviewed by Andy Estes.

            * platform/ScrollableArea.cpp:
            (WebCore::ScrollableArea::scrollPositionChanged): Changed to call notifyContentAreaScrolled()
            only if the scroll position after the change differs from what it was before the change.
            * rendering/RenderListBox.cpp:
            (WebCore::RenderListBox::scrollPosition): Added an override of this ScrollableArea function.
            * rendering/RenderListBox.h:

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 124510

    2012-08-02  Oliver Hunt  <oliver@apple.com>

            A few objects aren't being safely protected from GC in all cases
            https://bugs.webkit.org/show_bug.cgi?id=93031

            Reviewed by Filip Pizlo.

            I haven't seen evidence that anyone is hitting bugs due to this, but any
            GC error can lead to later -- hard to diagnose -- bugs if they result in
            resurrecting dead objects.

            * bindings/js/JSCustomXPathNSResolver.cpp:
            (WebCore::JSCustomXPathNSResolver::create):
            (WebCore::JSCustomXPathNSResolver::JSCustomXPathNSResolver):
            (WebCore::JSCustomXPathNSResolver::lookupNamespaceURI):
            * bindings/js/JSCustomXPathNSResolver.h:
            (JSCustomXPathNSResolver):
            * bindings/js/JSDictionary.cpp:
            (WebCore::JSDictionary::tryGetProperty):
            * bindings/js/JSDictionary.h:
            (WebCore::JSDictionary::JSDictionary):
            (WebCore::JSDictionary::initializerObject):

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 124489

    2012-08-02  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=93020
            REGRESSION (tiled scrolling): Full-screen video is broken if page is 
            scrolled
            -and corresponding-
            <rdar://problem/11629778>

            Reviewed by Anders Carlsson.

            The bug here is that ScrollingTreeNodeMac::setScrollLayerPosition() 
            uses the CALayer (PlatformLayer) directly to set the position. That 
            means that the GraphicsLayer that owns that PlatformLayer does not 
            have updated position information. That results in this bug when we 
            switch from fast scrolling to main thread scrolling, because at that 
            point, the GraphicsLayer needs to have the correct information. So 
            make sure to update the main thread scroll position and layer 
            position before transitioning to main thread scrolling.
            * page/scrolling/ScrollingCoordinator.cpp:
            (WebCore::ScrollingCoordinator::setShouldUpdateScrollLayerPositionOnMainThread):

2012-08-07  Lucas Forschler  <lforschler@apple.com>

    Merge 124463

    2012-08-02  Antti Koivisto  <antti@apple.com>

            Inline stylesheets can confuse style sharing
            https://bugs.webkit.org/show_bug.cgi?id=92970

            Reviewed by Dan Bernstein.

            Consider document 

            <div class="i30"></div>
            <style>.i30 { background-color:green; }</style>
            <div class="i30"></div>

            When processing the <style> element the scope optimization marks the first div as needing style recalc. 
            Next the parser adds the second div to the tree and immediately calculates its style. Since it looks exactly 
            like the first div the style sharing optimization copies the style from there. The pending recalc of the
            first div is resolved by a timer but the second div is left with the old style.

            Fix by disallowing style sharing from elements with pending style recalc.

            Test: fast/css/style-sharing-inline-stylesheet.html

            * css/StyleResolver.cpp:
            (WebCore::StyleResolver::canShareStyleWithElement):

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 123942

    2012-07-27  Jer Noble  <jer.noble@apple.com>

            Reset the set of "seen" plugins when the main frame load is committed.
            https://bugs.webkit.org/show_bug.cgi?id=92564

            Reviewed by Anders Carlsson.

            Because the Page object is re-used across navigation and reload, reset the list
            of seen plugins when the main frame load commits. This gives a good baseline to
            compare against the number of pages loaded.

            No new tests; the "seen" plugin list is for diagnostic purposes only.

            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::dispatchDidCommitLoad):
            * page/Page.cpp:
            (WebCore::Page::resetSeenPlugins):
            * page/Page.h:

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 123930

    2012-07-27  Jer Noble  <jer.noble@apple.com>

            Add diagnostic logging for plugins-per-page.
            https://bugs.webkit.org/show_bug.cgi?id=92538

            Reviewed by Anders Carlsson.

            Add some diagnostic logging for whether a page has seen a plugin, and 
            whether a page has seen a plugin of a specific type.

            Move the diagnostic logging out of the elements themselves:
            * html/HTMLEmbedElement.cpp:
            (WebCore::HTMLEmbedElement::updateWidget):
            * html/HTMLObjectElement.cpp:
            (WebCore::HTMLObjectElement::updateWidget):

            Instead, log when the plugin is requested, thereby catching plugins which are
            rejected because, e.g., Java is disabled or not installed:
            * loader/SubframeLoader.cpp:
            (WebCore::logPluginRequest):
            (WebCore::SubframeLoader::requestObject):
            (WebCore::SubframeLoader::createJavaAppletWidget):

            Add new diagnostic key values:
            * page/DiagnosticLoggingKeys.cpp:
            (WebCore::DiagnosticLoggingKeys::pageContainsPluginKey):
            (WebCore::DiagnosticLoggingKeys::pageContainsAtLeastOnePluginKey):
            * page/DiagnosticLoggingKeys.h:

            Add a map of plugin types seen per-page for diagnostic purposes:
            * page/Page.cpp:
            (WebCore::Page::hasSeenAnyPlugin):
            (WebCore::Page::hasSeenPlugin):
            (WebCore::Page::sawPlugin):
            * page/Page.h:

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 123907

    2012-07-27  Anders Carlsson  <andersca@apple.com>

            Show the unavailable plug-in indicator for Java applets as well
            https://bugs.webkit.org/show_bug.cgi?id=92521

            Reviewed by Sam Weinig.

            Now that <applet> behaves more like <embed> and <object>, make sure that we show the unavailable plug-in indicator
            and call the correct error callbacks if we fail to instantiate the plug-in.

            * WebCore.exp.in:
            Export a symbol needed by WebKit2.

            * html/HTMLAppletElement.cpp:
            (WebCore::HTMLAppletElement::HTMLAppletElement):
            Set the correct service type.

            * loader/SubframeLoader.cpp:
            (WebCore::SubframeLoader::createJavaAppletWidget):
            Enable the unavailable plug-in indicator if we fail to create the java applet widget.

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 123811

    2012-07-26  Anders Carlsson  <andersca@apple.com>

            HTMLAppletElement should inherit from HTMLPlugInImageElement
            https://bugs.webkit.org/show_bug.cgi?id=92320

            Reviewed by Eric Seidel.

            In order to simplify the class hierarchy and eventually merge HTMLPlugInImageElement and HTMLPlugInElement,
            make HTMLAppletElement inherit from HTMLPlugInImageElement. While this does mean that HTMLAppletElement will grow by
            a couple of words, in practice it won't matter.

            Also, make RenderApplet inherit from RenderEmbeddedObject and move the plug-in instantiation to HTMLAppletElement which matches
            both HTMLEmbedElement and HTMLObjectElement.

            * html/HTMLAppletElement.cpp:
            (WebCore::HTMLAppletElement::HTMLAppletElement):
            (WebCore::HTMLAppletElement::create):
            (WebCore::HTMLAppletElement::parseAttribute):
            (WebCore::HTMLAppletElement::rendererIsNeeded):
            (WebCore::HTMLAppletElement::createRenderer):
            (WebCore):
            (WebCore::HTMLAppletElement::renderWidgetForJSBindings):
            (WebCore::HTMLAppletElement::updateWidget):
            * html/HTMLAppletElement.h:
            (HTMLAppletElement):
            * html/HTMLTagNames.in:
            * loader/SubframeLoader.cpp:
            (WebCore::SubframeLoader::createJavaAppletWidget):
            * loader/SubframeLoader.h:
            (SubframeLoader):
            * page/FrameView.cpp:
            (WebCore::FrameView::updateWidget):
            * rendering/RenderApplet.cpp:
            (WebCore::RenderApplet::RenderApplet):
            * rendering/RenderApplet.h:
            (RenderApplet):
            * rendering/RenderEmbeddedObject.h:
            (WebCore::toRenderEmbeddedObject):
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::shouldBeNormalFlowOnly):
            (WebCore::RenderLayer::shouldBeSelfPaintingLayer):
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::updateGraphicsLayerConfiguration):
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::requiresCompositingForPlugin):
            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::setStyle):
            * rendering/RenderObject.h:

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 121929

    2012-07-05  Benjamin Poulain  <bpoulain@apple.com>

            Double release of resources if the load is canceled in a callback of ResourceLoader::didFinishLoading
            https://bugs.webkit.org/show_bug.cgi?id=90431

            Reviewed by Anders Carlsson.

            In ResourceLoader::didFinishLoadingOnePart(), we invoke didFinishLoad() on the WebKit client. If WebKit
            causes the current frame to cancel the load synchronously, the resources are already freed when
            ResourceLoader::didFinishLoadingOnePart() ends.
            When ResourceLoader::didFinishLoading() subsequently invokes releaseResources(), we are releasing the
            resources a second time.

            This patch adds a second check for cancellation after invoking ResourceLoader::didFinishLoadingOnePart() to
            avoid such issues.

            The previous check at the beginning of ResourceLoader::didFinishLoading() has been removed because it is
            redundant with ResourceLoader::didFinishLoadingOnePart().

            * loader/ResourceLoader.cpp:
            (WebCore::ResourceLoader::didFinishLoading):
            (WebCore::ResourceLoader::didFinishLoadingOnePart):
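
The double release described in the entry above and the re-check that prevents it, as an added C++ sketch (not WebKit code). The method names releaseResources(), didFinishLoadingOnePart() and didFinishLoading() follow the ChangeLog; ResourceLoaderSketch, its fields, didFinishLoadingUnchecked() and the helper functions are assumptions, and the release is counted rather than performed twice on real memory.

```cpp
#include <functional>
#include <memory>

// Constructed miniature of a loader whose client callback may cancel it.
struct ResourceLoaderSketch {
    // Client hook invoked from didFinishLoadingOnePart(); may re-enter cancel().
    std::function<void(ResourceLoaderSketch&)> clientDidFinishLoad;
    std::unique_ptr<int> handle { new int(42) };  // stands in for the resources
    bool cancelled = false;
    int releaseCount = 0;                         // times releaseResources() ran

    void releaseResources()
    {
        ++releaseCount;
        handle.reset();
    }

    void cancel()
    {
        if (cancelled)
            return;
        cancelled = true;
        releaseResources();
    }

    void didFinishLoadingOnePart()
    {
        if (cancelled)
            return;
        if (clientDidFinishLoad)
            clientDidFinishLoad(*this);           // client may cancel synchronously
    }

    // Behaviour before the patch: cancellation is checked only on entry.
    void didFinishLoadingUnchecked()
    {
        if (cancelled)
            return;
        didFinishLoadingOnePart();
        releaseResources();                       // second release after a re-entrant cancel
    }

    // Behaviour after the patch: the entry check is left to
    // didFinishLoadingOnePart(), and cancellation is re-checked after it.
    void didFinishLoading()
    {
        didFinishLoadingOnePart();
        if (cancelled)
            return;                               // resources were already released by cancel()
        releaseResources();
    }
};

// Number of releases when the client cancels the load from its callback.
int releasesWhenClientCancels(bool patched)
{
    ResourceLoaderSketch loader;
    loader.clientDidFinishLoad = [](ResourceLoaderSketch& l) { l.cancel(); };
    if (patched)
        loader.didFinishLoading();
    else
        loader.didFinishLoadingUnchecked();
    return loader.releaseCount;
}

// Number of releases on the ordinary path, where the client does not cancel.
int releasesWhenClientDoesNothing(bool patched)
{
    ResourceLoaderSketch loader;
    loader.clientDidFinishLoad = [](ResourceLoaderSketch&) {};
    if (patched)
        loader.didFinishLoading();
    else
        loader.didFinishLoadingUnchecked();
    return loader.releaseCount;
}
```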

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 118236

    2012-05-23  Abhishek Arya  <inferno@chromium.org>

            ASSERT failure toRenderProgress in HTMLProgressElement::didElementStateChange
            https://bugs.webkit.org/show_bug.cgi?id=87274

            Reviewed by Darin Adler.

            Progress bar can't run-in. Prevent it from becoming a run-in, leading to an
            unworkable RenderInline.

            Test: fast/runin/progress-run-in-crash.html

            * html/HTMLProgressElement.cpp:
            (WebCore::HTMLProgressElement::didElementStateChange):
            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::moveRunInUnderSiblingBlockIfNeeded):

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 121803

    2012-07-03  Nate Chapin  <japhet@chromium.org>

            Protect this DocumentThreadableLoader in cancel() to handle reentrancy properly.
            https://bugs.webkit.org/show_bug.cgi?id=90483

            Reviewed by Abhishek Arya.

            No new tests, covered by http/tests/xmlhttprequest/reentrant-cancel.html

            * loader/DocumentThreadableLoader.cpp:
            (WebCore::DocumentThreadableLoader::cancel):

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 120845

    2012-06-20  Nate Chapin  <japhet@chromium.org>

            Don't re-enter CachedResource::removeClient() if an XHR
            is canceled and restarted multiple times.
            https://bugs.webkit.org/show_bug.cgi?id=89378

            Reviewed by Eric Seidel.

            Test: http/tests/xmlhttprequest/reentrant-cancel.html

            * loader/DocumentThreadableLoader.cpp:
            (WebCore::DocumentThreadableLoader::cancel):
            (WebCore::DocumentThreadableLoader::clearResource): Save off a copy of m_resource
               then clear it, so we don't call clearResource() multiple times for the same resource.

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Revert 116203

    2012-05-04  Julien Chaffraix  <jchaffraix@webkit.org>
    
            Leaf non self-painting layers should bail out early in RenderLayer::paintLayer
            https://bugs.webkit.org/show_bug.cgi?id=85678
    
            Reviewed by Darin Adler.
    
            Performance optimization, no expected change in behavior.
    
            The gist of the change is that leaf non self-painting layers don't need to be painted as their
            associated RenderBoxModelObject should properly paint itself without any help.
    
            For RenderLayer trees that have a large number of leaf nodes (like a table with a leaf RenderLayer for
            each cell), not bailing out is a big overhead as it ends up doing a lot of computation for no real
            painting. See http://dglazkov.github.com/performance-tests/biggrid.html for a benchmark for that. On
            my machine, it reduces the paint time when scrolling to 70ms from 120ms (45% speedup).
    
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::paintLayer):
    
2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 123780

    2012-07-25  Jer Noble  <jer.noble@apple.com>

            Add diagnostic messages when media and plugins load or fail to load.
            https://bugs.webkit.org/show_bug.cgi?id=92341

            Reviewed by Anders Carlsson.

            Send diagnostic messages when a media or plugin element loads or fails to load. Include in
            the trace the media engine description, error code, or plugin mime type.

            * html/HTMLEmbedElement.cpp:
            (WebCore::HTMLEmbedElement::updateWidget): Send a diagnostic message.
            * html/HTMLMediaElement.cpp:
            (WebCore::stringForNetworkState): Added convenience function to stringify network states.
            (WebCore::HTMLMediaElement::mediaLoadingFailed): Send a diagnostic message.
            (WebCore::HTMLMediaElement::setReadyState): Send a diagnostic message.
            * html/HTMLObjectElement.cpp:
            (WebCore::HTMLObjectElement::updateWidget): Send a diagnostic message.

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 123778

    2012-07-26  Jer Noble  <jer.noble@apple.com>

            Add a ChromeClient method to send diagnostic logging messages from WebCore to the client.
            https://bugs.webkit.org/show_bug.cgi?id=92340

            Reviewed by Anders Carlsson.

            Add a new ChromeClient method, to be implemented by WebKit and WebKit2, which sends
            a diagnostic logging message up to the client.

            * page/ChromeClient.h:
            (WebCore::ChromeClient::logDiagnosticMessage):
            * page/ChromeClient.h:
            (WebCore::ChromeClient::logDiagnosticMessage):
            (ChromeClient):
            * page/DiagnosticLoggingKeys.cpp: Added.
            (WebCore::DiagnosticLoggingKeys::mediaLoadedKey):
            (WebCore::DiagnosticLoggingKeys::mediaLoadingFailedKey):
            (WebCore::DiagnosticLoggingKeys::pluginLoadedKey):
            (WebCore::DiagnosticLoggingKeys::pluginLoadingFailedKey):
            (WebCore::DiagnosticLoggingKeys::passKey):
            (WebCore::DiagnosticLoggingKeys::failKey):
            (WebCore::DiagnosticLoggingKeys::noopKey):
            * page/DiagnosticLoggingKeys.h: Added.
            (DiagnosticLoggingKeys):

            Add the new files DiagnosticLoggingKeys.cpp,h to the project:
            * CMakeLists.txt:
            * GNUmakefile.list.am:
            * Target.pri:
            * WebCore.gypi:
            * WebCore.vcproj/WebCore.vcproj:
            * WebCore.xcodeproj/project.pbxproj:

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 123775

    2012-07-25  Jer Noble  <jer.noble@apple.com>

            Add setting to enable and disable diagnostic logging.
            https://bugs.webkit.org/show_bug.cgi?id=92337

            Reviewed by Anders Carlsson.

            Add a new entry in Settings, defaulting to false.

            * page/Settings.cpp:
            (WebCore::Settings::Settings): Default the new setting to false.
            * page/Settings.h:
            (WebCore::Settings::setDiagnosticLoggingEnabled): Simple accessor.
            (WebCore::Settings::diagnosticLoggingEnabled): Ditto.

2012-08-06  Lucas Forschler  <lforschler@apple.com>

    Merge 123747

    2012-07-26  Jer Noble  <jer.noble@apple.com>

            Add a MediaPlayer API to retrieve the description of the current media engine.
            https://bugs.webkit.org/show_bug.cgi?id=92336

            Reviewed by Eric Carlson.

            Add a utility function which retrieves, for diagnostic purposes, a brief description
            of the current media engine. Stubs have been added for each of the MediaPlayerPrivate
            subclasses which return the name of the class.

            * platform/graphics/MediaPlayer.cpp:
            (WebCore::MediaPlayer::engineDescription):
            * platform/graphics/MediaPlayer.h:
            * platform/graphics/MediaPlayerPrivate.h:
            (WebCore::MediaPlayerPrivateInterface::engineDescription):
            * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h:
            (WebCore::MediaPlayerPrivateAVFoundation::engineDescription):
            * platform/graphics/blackberry/MediaPlayerPrivateBlackBerry.h:
            (WebCore::MediaPlayerPrivate::engineDescription):
            * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:
            (WebCore::MediaPlayerPrivateGStreamer::engineDescription):
            * platform/graphics/mac/MediaPlayerPrivateQTKit.h:
            (WebCore::MediaPlayerPrivateQTKit::engineDescription):
            * platform/graphics/qt/MediaPlayerPrivateQt.h:
            (WebCore::MediaPlayerPrivateQt::engineDescription):
            * platform/graphics/wince/MediaPlayerPrivateWinCE.h:
            (WebCore::MediaPlayerPrivate::engineDescription):
            * platform/graphics/win/MediaPlayerPrivateQuickTimeVisualContext.h:
            (WebCore::MediaPlayerPrivateQuickTimeVisualContext::engineDescription):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 122676

    2012-07-14  Eric Carlson  <eric.carlson@apple.com>

            Enable AVCF hardware video decoding
            https://bugs.webkit.org/show_bug.cgi?id=90015
            <rdar://problem/10770317>

            Reviewed by Anders Carlsson.

            * html/HTMLMediaElement.cpp:
            (WebCore):
            (WebCore::HTMLMediaElement::mediaPlayerGraphicsDeviceAdapter): New, return the client's graphics 
                device adapter.
            * html/HTMLMediaElement.h:

            * page/ChromeClient.h:
            (WebCore::ChromeClient::graphicsDeviceAdapter): New.

            * platform/graphics/MediaPlayer.cpp:
            (WebCore::MediaPlayer::graphicsDeviceAdapter): New, ask the media element for the graphics
                device adapter.
            * platform/graphics/MediaPlayer.h:

            * platform/graphics/avfoundation/cf/AVFoundationCFSoftLinking.h: Soft-link AVCFPlayerSetDirect3DDevice
                and AVCFPlayerEnableHardwareAcceleratedVideoDecoderKey.

            * platform/graphics/avfoundation/cf/MediaPlayerPrivateAVFoundationCF.cpp: 
            (WebCore::MediaPlayerPrivateAVFoundationCF::createAVAssetForURL): Pass the current d3d9
                device interface to the AVFWrapper.
            (WebCore::AVFWrapper::createAssetForURL): If the d3d9 device implements IDirect3DDevice9Ex,
                tell the AVAsset to enable hardware video decoding.
            (WebCore::AVFWrapper::createPlayer): Pass the d3d9 device to the player if it implements IDirect3DDevice9Ex.

            * platform/graphics/ca/win/CACFLayerTreeHost.h:
            (WebCore::CACFLayerTreeHost::graphicsDeviceAdapter): New, default implementation.

            * platform/graphics/ca/win/LegacyCACFLayerTreeHost.h:
            (WebCore::LegacyCACFLayerTreeHost::graphicsDeviceAdapter): New, default implementation.
            * platform/graphics/ca/win/WKCACFViewLayerTreeHost.cpp:
            (WebCore::WKCACFViewLayerTreeHost::graphicsDeviceAdapter): New.
            * platform/graphics/ca/win/WKCACFViewLayerTreeHost.h:

            * platform/win/SoftLinking.h: Define SOFT_LINK_DLL_IMPORT_OPTIONAL, SOFT_LINK_LOADED_LIBRARY,
                and SOFT_LINK_VARIABLE_DLL_IMPORT_OPTIONAL.

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 123912

    2012-07-27  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=92327
            -webkit-background-clip:text is blurry in WebKit 1 apps when
            deviceScaleFactor > 1
            -and corresponding-
            <rdar://problem/11683788>

            Reviewed by Simon Fraser.

            The bug here is that the code to make createCompatibleBuffer() HiDPI-savvy 
            assumed that the deviceScaleFactor would always be baked into the CTM of the
            GraphicsContext. But that is NOT the case in WebKit 1.

            createCompatibleBuffer() is used for clip text and gradients.

            Now getCTM() takes a parameter indicating whether the result should definitely
            include the device scale, or if it should possibly include the device scale, 
            which is the option that matches old behavior.
            * platform/graphics/GraphicsContext.h:
            (GraphicsContext):
            * platform/graphics/cairo/GraphicsContextCairo.cpp:
            (WebCore::GraphicsContext::getCTM):
            * platform/graphics/openvg/GraphicsContextOpenVG.cpp:
            (WebCore::GraphicsContext::getCTM):
            * platform/graphics/qt/GraphicsContextQt.cpp:
            (WebCore::GraphicsContext::getCTM):
            * platform/graphics/skia/GraphicsContextSkia.cpp:
            (WebCore::GraphicsContext::getCTM):
            * platform/graphics/wince/GraphicsContextWinCE.cpp:
            (WebCore::GraphicsContext::getCTM):
            * platform/graphics/wx/GraphicsContextWx.cpp:
            (WebCore::GraphicsContext::getCTM):

            Actually use the new parameter in the CG implementation. Use CG API to get a
            matrix that definitely includes the device scale when that is required. 
            * platform/graphics/cg/GraphicsContextCG.cpp:
            (WebCore::GraphicsContext::getCTM):

            Remove some symbol cruft that doesn't seem to require a replacement.
            * WebCore.exp.in:

            Use DefinitelyIncludeDeviceScale when getting the CTM in the buggy spot.
            * platform/graphics/GraphicsContext.cpp:
            (WebCore::GraphicsContext::createCompatibleBuffer):

            The ImageBuffer for gradients is created using createCompatibleBuffer(), and since 
            createCompatibleBuffer() now uses getCTM(DefinitelyIncludeDeviceScale) to 
            determine appropriate sizing, drawPattern() should use that same matrix to 
            determine pattern sizing.
            * platform/graphics/GeneratorGeneratedImage.cpp:
            (WebCore::GeneratorGeneratedImage::drawPattern):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 122293

    2012-07-10  Shinya Kawanaka  <shinyak@chromium.org>

            Crash in nextLinePosition() due to accessing a removed root line box.
            https://bugs.webkit.org/show_bug.cgi?id=90484

            Reviewed by Abhishek Arya.

            When <object> element is reattached, the 'content' style is compared to the old style.
            If it is not the same, a flag to recalc style is enabled. Because of this, the recalc style flag
            is not cleared in updateLayoutIgnorePendingStyleSheets() in nextLinePosition(), and it causes
            the second layout in isEditablePosition(p). Then 'RootInlineBox root' is invalidated, but
            it's used after that.

            When the content of the same <object> elements are compared, they should be the same.
            However, operator== for ContentData is not implemented correctly (it compares a pointer instead of
            content). So operator== does not hold for the content of the same <object> elements.

            Test: editing/execCommand/crash-extend-selection-forward.html

            * rendering/style/ContentData.cpp:
            (WebCore::operator==): Compares the instance of data instead of pointer.

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 122188

    2012-07-09  Kent Tamura  <tkent@chromium.org>

            REGRESSION(r114862-r114886): Fix a crash by switching the input type to hidden.
            https://bugs.webkit.org/show_bug.cgi?id=90774

            Reviewed by Andreas Kling.

            Test: fast/forms/hidden/change-type-to-hidden-after-updating-value.html

            * dom/Element.cpp:
            (WebCore::Element::setAttributeInternal):
            Pass a copy of the existing Attribute object.

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 121388

    2012-06-27  Daniel Cheng  <dcheng@chromium.org>

            Fix crash in Frame::nodeImage.
            https://bugs.webkit.org/show_bug.cgi?id=89911

            Reviewed by Abhishek Arya.

            We were caching a pointer to a RenderObject and then calling updateLayout(). Instead, we
            need to get a pointer to the RenderObject again after updateLayout().

            Test: fast/events/drag-display-none-element.html

            * page/Frame.cpp:
            (WebCore::Frame::nodeImage):
            * page/mac/FrameMac.mm:
            (WebCore::Frame::snapshotDragImage):
            (WebCore::Frame::nodeImage):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 121279

    2012-06-26  Julien Chaffraix  <jchaffraix@webkit.org>

            Crash in FixedTableLayout::layout
            https://bugs.webkit.org/show_bug.cgi?id=88676

            Unreviewed typo fix, pointed out by Darin Adler.

            * rendering/AutoTableLayout.cpp:
            (WebCore::AutoTableLayout::layout):
            * rendering/FixedTableLayout.cpp:
            (WebCore::FixedTableLayout::layout):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 121275

    2012-06-26  Julien Chaffraix  <jchaffraix@webkit.org>

            Crash in FixedTableLayout::layout
            https://bugs.webkit.org/show_bug.cgi?id=88676

            Reviewed by Abhishek Arya.

            Tests: fast/table/auto-table-layout-colgroup-removal-crash.html
                   fast/table/fixed-table-layout/colgroup-removal-crash.html
                   fast/table/fixed-table-layout/prepend-in-fixed-table.html

            The issue comes from RenderTable not properly dirtying its preferred logical
            widths. As the table layout codes (both fixed and auto) recompute their internal
            structures at computePreferredLogicalWidth, the internal structure doesn't match
            the table sizing and we crash.

            This fix adds a work-around in FixedTableLayout::layout (which matches AutoTableLayout).
            The long-term fix would be to properly fix the logic but this is a lot safer, especially
            since our logic is really not bullet-proof at the moment.

            * rendering/FixedTableLayout.cpp:
            (WebCore::FixedTableLayout::layout):
            Added an internal structure recomputation, if we have drifted from our table's structure.
            Also we need to update nEffCols if we call calcWidthArray.

            * rendering/AutoTableLayout.cpp:
            (WebCore::AutoTableLayout::layout):
            Added a comment matching FixedTableLayout. The nEffCols is unneeded but kept for consistency
            with FixedTableLayout.

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 121031

    2012-06-22  Abhishek Arya  <inferno@chromium.org>

            Crash in DragController::concludeEditDrag.
            https://bugs.webkit.org/show_bug.cgi?id=89762

            Reviewed by Ryosuke Niwa.

            RefPtr the innerFrame since it can get destroyed due to mutation
            event fired in DragController::dispatchTextInputEventFor().

            Test: editing/pasteboard/drop-text-events-sideeffect-crash.html

            * page/DragController.cpp:
            (WebCore::DragController::concludeEditDrag):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 120862

    2012-06-20  Abhishek Arya  <inferno@chromium.org>

            Crash on accessing a removed renderer from percent height descendant map.
            https://bugs.webkit.org/show_bug.cgi?id=88017

            Reviewed by Eric Seidel.

            Test: fast/block/percent-height-descendant-not-removed-crash2.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::hasPercentHeightContainerMap): helper to tell
            if we have a height container map.
            (WebCore):
            (WebCore::RenderBlock::hasPercentHeightDescendant): change from a debug
            only function to a regular function for use. no need to null check
            for a percent height container map in this function.
            (WebCore::RenderBlock::clearPercentHeightDescendantsFrom): helper to
            clear all percent height descendants under us.
            (WebCore::RenderBlock::removePercentHeightDescendantIfNeeded): helper to
            clear the box if it exists in the percent height descendant map.
            * rendering/RenderBlock.h:
            (RenderBlock):
            * rendering/RenderBox.cpp:
            (WebCore::RenderBox::willBeDestroyed): remove the assert and change the
            percent height detection check to use removePercentHeightDescendantIfNeeded.
            We shouldn't rely on logicalHeight().isPercent() as it can change when our
            writing mode changes. Instead, just query the map directly to see if we exist.
            (WebCore::RenderBox::styleDidChange): when our writing mode changes from
            horizontal to vertical or vice versa, we clear all our descendants from
            the percent height descendant map. Cache the value of isHorizontalWritingMode()
            before it changes in styleDidChange and compare it with the new value
            (can't use oldStyle->isHorizontalWritingMode() since it can be inherited
            and already updated).

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 120801

    2012-06-19  Cris Neckar  <cdn@chromium.org>

            Fixes condition where inserting a CounterNode subtree could result in incorrect placement.
            https://bugs.webkit.org/show_bug.cgi?id=88142

            Reviewed by Adam Barth.

            Test: fast/css/counters/counter-reset-subtree-insert-crash.html

            * rendering/CounterNode.cpp:
            (WebCore::CounterNode::insertAfter):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 120761

    2012-06-19  Ken Buchanan  <kenrb@chromium.org>

            Absolute positioned objects should not be added to anonymous block lists
            https://bugs.webkit.org/show_bug.cgi?id=87768

            Reviewed by Abhishek Arya.

            containingBlock() was returning an anonymous block for absolute
            positioned objects under a relative positioned inline in the case
            that the inline is split and the object is underneath the block
            continuation. Anonymous blocks should never have anything in their
            positioned object lists because they can be destroyed at any time
            for different reasons such as anonymous block merging, which is
            a problem for layout if they have m_posChildNeedsLayout set.

            This patch adds a generic check for anonymous blocks in
            containingBlock() to correct this problem.

            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::containingBlock):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 120731

    2012-06-19  Abhishek Arya  <inferno@chromium.org>

            Crash in WebCore::RenderSVGModelObject::checkIntersection
            https://bugs.webkit.org/show_bug.cgi?id=89059

            Reviewed by Rob Buis.

            getElementCTM updates layout causing the renderer to be destroyed. We get
            the new renderer by storing the element pointer and later accessing it using
            the element pointer.

            Test: svg/custom/intersection-list-crash.svg

            * rendering/svg/RenderSVGModelObject.cpp:
            (WebCore::RenderSVGModelObject::checkIntersection):
            (WebCore::RenderSVGModelObject::checkEnclosure):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 120559

    2012-06-17  Philip Rogers  <pdr@google.com>

            Prevent crash in SVGDocumentExtensions::removeAllElementReferencesForTarget.
            https://bugs.webkit.org/show_bug.cgi?id=88144

            Reviewed by Abhishek Arya.

            When iterating over referencing elements to rebuild after a reference change in
            SVGDocumentExtensions::removeAllElementReferencesForTarget, we can
            modify the underlying toBeNotified vector, invalidating it. This change checks
            that a vector element is valid before rebuilding, preventing a crash.

            Some definitions from SVGDocumentExtensions that may put this patch in context:
                An example of a "referenced element" is a <path>.
                An example of a "referencing element" is a <textPath href='some_path_id'>.
                m_elementDependencies is a map from referenced elements (e.g., paths) to
                a set of referencing elements (e.g., textPaths).

            The check that the vector element is valid relies on checking if the referencing
            element is in m_elementDependencies. This check is allowed because in the
            destructor of SVGTextPathElement (and SVGFeImageElement),
            removeAllTargetReferencesForElement() is called, removing the referencing element
            from m_elementDependencies.

            Simply checking if the referencing element is anywhere in m_elementDependencies
            is enough to show it is valid, but that requires iterating over all referenced
            elements to see if the given referencing element is present. This change
            only checks if the textPath is still in the elements referencing the
            path being removed, and only removes the referenced element from
            m_elementDependencies after forcing the referencing elements to be rebuilt.

            Test: svg/text/textpath-reference-crash.html

            * svg/SVGDocumentExtensions.cpp:
            (WebCore::SVGDocumentExtensions::removeAllElementReferencesForTarget):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 120554

    2012-06-15  Darin Adler  <darin@apple.com>

            REGRESSION (r111041): Missing element type check in RenderThemeMac::paintMediaFullscreenButton
            https://bugs.webkit.org/show_bug.cgi?id=89270

            Reviewed by Oliver Hunt.

            * rendering/RenderThemeMac.mm:
            (WebCore::RenderThemeMac::paintMediaFullscreenButton): Use the proper idiom for getting
            a media control element's type.

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 119914

    2012-06-09  Florin Malita  <fmalita@chromium.org>

            Fixed-position foreignObject descendants should be relative to the foreignObject viewport
            https://bugs.webkit.org/show_bug.cgi?id=88547

            Reviewed by Abhishek Arya.

            Tests: svg/foreignObject/fO-fixed-position-crash.html
                   svg/foreignObject/fixed-position-expected.svg
                   svg/foreignObject/fixed-position.svg

            Fixed position elements are currently registered with the top level
            RenderView even when embedded within an SVG foreignObject. This patch
            changes containingBlock() & container() to return the containing
            foreignObject renderer instead.

            The new foreignObject fixed position behavior matches that of current
            Firefox and Opera versions and is consistent with the spec:
            http://www.w3.org/TR/CSS2/visuren.html#fixed-positioning
            http://www.w3.org/TR/SVG/coords.html#EstablishingANewViewport

            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::containingBlock):
            (WebCore::RenderObject::container):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 119911

    2012-06-09  Pablo Flouret  <pablof@motorola.com>

            The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests
            https://bugs.webkit.org/show_bug.cgi?id=88139

            Reviewed by Adam Barth.

            Compare a request's origin with the value given in any
            Access-Control-Allow-Origin headers in an exact, case-sensitive manner,
            instead of using SecurityOrigin::isSameSchemeHostPort(). Per step 3 of
            the resource sharing check algorithm in
            http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check

            Test: http/tests/xmlhttprequest/origin-exact-matching.html

            * loader/CrossOriginAccessControl.cpp:
            (WebCore::passesAccessControlCheck):
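
The difference between the two comparisons named in the r119911 entry above, as an added example that is not WebKit code: `componentwiseMatch` models a scheme/host/port comparison and `exactMatch` the exact, case-sensitive string comparison. All type and function names and the sample header values are assumptions constructed for illustration; wildcard and credentials handling are left out, and IPv6 literals are not parsed.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical minimal origin record for this example; not WebCore::SecurityOrigin.
struct ParsedOrigin {
    std::string scheme;
    std::string host;
    int port = -1;
    bool valid = false;
};

static std::string toLower(std::string s)
{
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static int defaultPortFor(const std::string& scheme)
{
    if (scheme == "http") return 80;
    if (scheme == "https") return 443;
    return -1;
}

// Accepts 1..65535 written as plain decimal digits; anything else is rejected.
static int parsePort(const std::string& text)
{
    if (text.empty() || text.size() > 5) return -1;
    int value = 0;
    for (char c : text) {
        if (c < '0' || c > '9') return -1;
        value = value * 10 + (c - '0');
    }
    return (value >= 1 && value <= 65535) ? value : -1;
}

// Parses "scheme://host[:port]" and normalizes case and default ports.
// A path component (any '/' after the authority) makes the value invalid.
ParsedOrigin parseOrigin(const std::string& text)
{
    ParsedOrigin o;
    const std::size_t sep = text.find("://");
    if (sep == std::string::npos || sep == 0) return o;
    o.scheme = toLower(text.substr(0, sep));
    const std::string rest = text.substr(sep + 3);
    if (rest.find('/') != std::string::npos) return o;
    const std::size_t colon = rest.rfind(':');
    if (colon == std::string::npos) {
        o.host = toLower(rest);
        o.port = defaultPortFor(o.scheme);
    } else {
        o.host = toLower(rest.substr(0, colon));
        o.port = parsePort(rest.substr(colon + 1));
    }
    o.valid = !o.host.empty() && o.port > 0;
    return o;
}

// Component-wise comparison: equal after normalization of scheme, host and port.
bool componentwiseMatch(const std::string& requestOrigin, const std::string& allowOriginHeader)
{
    const ParsedOrigin a = parseOrigin(requestOrigin);
    const ParsedOrigin b = parseOrigin(allowOriginHeader);
    return a.valid && b.valid && a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}

// Exact comparison: the header value must equal the serialized origin byte for byte.
bool exactMatch(const std::string& requestOrigin, const std::string& allowOriginHeader)
{
    return allowOriginHeader == requestOrigin;
}

int main()
{
    const std::string origin = "http://example.com"; // constructed request origin
    const char* headers[] = {                        // constructed header values
        "http://example.com", "HTTP://EXAMPLE.COM", "http://example.com:80",
        "http://example.com/", "https://example.com", "http://example.org",
    };
    std::printf("%-24s %-14s %s\n", "Access-Control-Allow-Origin", "componentwise", "exact");
    for (const char* h : headers)
        std::printf("%-27s %-14s %s\n", h,
                    componentwiseMatch(origin, h) ? "pass" : "fail",
                    exactMatch(origin, h) ? "pass" : "fail");
    return 0;
}
```

Header values that differ from the serialized origin only in case or in an explicit default port pass the component-wise check and fail the exact one.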

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 119870

    2012-06-08  Ryosuke Niwa  <rniwa@webkit.org>

            Crash in WebCore::InsertParagraphSeparatorCommand::doApply
            https://bugs.webkit.org/show_bug.cgi?id=88108

            Reviewed by Levi Weintraub.

            Use NodeVector instead of walking through siblings as we mutate the DOM.

            No new tests are added since there is no reliable reduction.

            * editing/BreakBlockquoteCommand.cpp:
            (WebCore::BreakBlockquoteCommand::doApply):
            * editing/CompositeEditCommand.cpp:
            (WebCore::CompositeEditCommand::moveRemainingSiblingsToNewParent):
            (WebCore):
            * editing/CompositeEditCommand.h:
            (CompositeEditCommand):
            * editing/InsertParagraphSeparatorCommand.cpp:
            (WebCore::InsertParagraphSeparatorCommand::doApply):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 119439

    2012-06-04  Jeffrey Pfau  <jpfau@apple.com>

            Document cleanup can get confused if parser still exists
            https://bugs.webkit.org/show_bug.cgi?id=88250

            Reviewed by Geoffrey Garen.

            No new tests; no behavior changes.

            * dom/Document.cpp:
            (WebCore::Document::removedLastRef): Detach parser earlier

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 119050

    2012-05-30  Abhishek Arya  <inferno@chromium.org>

            Crash in ContainerNode::parserAddChild.
            https://bugs.webkit.org/show_bug.cgi?id=87903

            Reviewed by Ryosuke Niwa.

            Call the ChildNodeInsertionNotifier.notify call at the end since
            it can destroy |this| and some of the local pointers like |last|.
            This also matches the order of calls - childrenChanged precedes
            ChildNodeInsertionNotifier.notify in updateTreeAfterInsertion and
            ContainerNode::parserInsertBefore.

            Also remove a FIXME since we use ChildNodeInsertionNotifier.notify
            instead of ChildNodeInsertionNotifier.notifyInsertedIntoDocument
            (as recommended in the FIXME).

            Test: fast/dom/child-insertion-notify-crash.html

            * dom/ContainerNode.cpp:
            (WebCore::ContainerNode::parserAddChild):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 118816

    2012-05-29  Abhishek Arya  <inferno@chromium.org>

            Crash due to text fragment destruction when updating first-letter block.
            https://bugs.webkit.org/show_bug.cgi?id=87751

            Reviewed by Eric Seidel.

            Test: fast/text/text-fragment-first-letter-update-crash.html

            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::setStyle):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 118703

    2012-05-28  Yong Li  <yoli@rim.com>

            Crash on incomplete :not().
            https://bugs.webkit.org/show_bug.cgi?id=86673

            Reviewed by Antti Koivisto.

            Add back null-checks for incomplete :not() class
            which were dropped by r81845.

            * css/CSSSelector.cpp:
            (WebCore::CSSSelector::specificityForOneSelector):
            (WebCore::CSSSelector::selectorText):
            * css/SelectorChecker.cpp:
            (WebCore::SelectorChecker::checkOneSelector):
            (WebCore::SelectorChecker::determineLinkMatchType):

2012-08-02  Lucas Forschler  <lforschler@apple.com>

    Merge 118592

    2012-05-25  Abhishek Arya  <inferno@chromium.org>

            Crash in RenderTableSection::paintCell.
            https://bugs.webkit.org/show_bug.cgi?id=87445

            Reviewed by Eric Seidel and Julien Chaffraix.

            Fix the crash by preventing table parts from being set
            as layout root. This prevents us from accessing removed
            table cells which can happen if RenderTableSection::layout
            is called directly without calling RenderTable::layout first
            (in case of cell recalc).

            Add ASSERTs to RenderTableSection::layout to prevent
            layout from happening when we are already pending cell recalc
            or our table is pending section recalc. In those cases,
            RenderTable::layout should be called first to relayout
            the entire table.

            Test: tables/table-section-overflow-clip-crash.html

            * rendering/RenderObject.cpp:
            (WebCore::objectIsRelayoutBoundary):
            * rendering/RenderTableSection.cpp:
            (WebCore::RenderTableSection::layout):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 123637

    2012-07-25  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=89114
            REGRESSION (r112919): Setting scrollTop after setting display from none to block 
            fails
            -and corresponding-
            <rdar://problem/11656050>

            Reviewed by Simon Fraser.

            ScrollAnimatorMac::immediateScrollTo() and ScrollAnimatorMac::immediateScrollBy() 
            both have an optimization in place so that they do not call 
            notifyPositionChanged() if the new scroll offset matches the ScrollAnimator's 
            cached m_currentPosX and m_currentPosY. So revision 112919 caused trouble with 
            this optimization because it allowed RenderLayers to restore a scrollOffset from 
            the Element if there is one cached there. This caused the RenderLayer to have a 
            scrollOffset that is improperly out-of-synch with the ScrollAnimator's 
            currentPosition (which will just be 0,0 since it is being re-created like the 
            RenderLayer). This fix makes sure they are in synch by calling 
            setCurrentPosition() on the ScrollAnimator when the cached position is non-zero.
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::RenderLayer):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 123486

    2012-07-24  Dan Bernstein  <mitz@apple.com>

            <rdar://problem/11945102> REGRESSION (r109451): Overlay scrollbars always use the default style, regardless of background color
            https://bugs.webkit.org/show_bug.cgi?id=92115

            Reviewed by Mark Rowe.

            * platform/Scrollbar.cpp:
            (WebCore::Scrollbar::scrollbarOverlayStyle): Reversed an incorrect null check.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 123411

    2012-07-23  Roger Fong  <roger_fong@apple.com>

            On Windows, if select element is off screen horizontally, 
            menu is either inappropriately resized or positioned offscreen.
            https://bugs.webkit.org/show_bug.cgi?id=91913
            <rdar://problem/7611229>

            Reviewed by Tim Horton.

            If the select element is positioned off the edge of the screen to the left, 
            the menu is resized. It should not be resized, just shifted to remain on the screen.
            If the select element is positioned off the edge of the screen to the right, 
            the menu goes off screen instead of being shifted over to appear on screen.
            This problem only occurs on Windows.

            Test: ManualTests/win/select-menu-off-screen.html

            * platform/win/PopupMenuWin.cpp:
            (WebCore::PopupMenuWin::calculatePositionAndSize):
            Modified final horizontal position calculation code to position
            popup menu on screen if it would otherwise go off.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 122271

    2012-07-10  Dean Jackson  <dino@apple.com>

            REGRESSION (r109610): Order of values in shorthand animation makes a difference
            https://bugs.webkit.org/show_bug.cgi?id=84533
            <rdar://problem/11831924>
            <rdar://problem/11815787>

            Reviewed by Simon Fraser.

            A previous revision (r109610) updated the parsing of the animation shorthand
            to make sure that animation-name wouldn't clobber other styles. The side effect
            of this was that we'd no longer find animation-name if it wasn't first in the
            list. This commit reverts the change and fixes it in a different way, by always
            parsing animation-name as the last property in the shorthand. This means that
            keywords for timing functions, fill modes and iteration will match before
            animation name. In other words, if you want an animation called "forwards"
            you should use the longhand property, because the shorthand will first match
            that against animation-fill-mode.

            Test: animations/animation-shorthand-name-order.html

            * css/CSSParser.cpp:
            (WebCore::CSSParser::parseAnimationShorthand): make a new array of longhand
            properties to check for, with name as the last entry rather than the first.
            Use this array to test the properties in the shorthand.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 122228

    2012-07-10  Alice Cheng  <alice_cheng@apple.com>

            Editing: Reproducible crasher when pasting a 0x0 image into Mail
            https://bugs.webkit.org/show_bug.cgi?id=90640
            <rdar://problem/11141920>

            Reviewed by Brady Eidson.

            0x0 images don't get a resource representation in the WebArchive, so we need a null check

            Test: TestWebKitAPI/Tests/mac/0.png
                  TestWebKitAPI/Tests/mac/WebViewCanPasteZeroPng.mm

            * platform/mac/PasteboardMac.mm:
            (WebCore::documentFragmentWithImageResource):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 122152

    2012-07-09  Dean Jackson  <dino@apple.com>

            Tiled drawing means some elements can disappear behind the page
            https://bugs.webkit.org/show_bug.cgi?id=88906

            Reviewed by Simon Fraser.

            The compositing layers in the tile cache could become siblings
            of the compositing layers for page elements. This meant that in
            some 3d transforms, the elements could disappear behind the
            page background (which is rendered into the tile cache) or intersect
            with the tile cache tiles.

            Fix this by inserting a flattening layer between the tile cache
            and the page, ensuring that the cache will always be rendered
            first. I was able to reuse the clipping layer for this, because
            the tile cache is attached to the RenderView, so there should never
            be a case where we have both a clipping layer and tiles.

            The unfortunate part of this code is the temporary state variable
            that wraps the call to GraphicsLayer::create. Because that method
            calls back into the object, we need to make sure we don't create
            another tile cache.

            Also added some obvious names to the tile cache layers to
            help with debugging.

            Test: compositing/tile-cache-must-flatten.html

            * platform/graphics/ca/mac/TileCache.mm:
            (WebCore::TileCache::TileCache): give the tile host layer a name.
            (WebCore::TileCache::createTileLayer):
            * platform/graphics/ca/mac/WebTileCacheLayer.mm:
            (WebCore): give each tile layer a name.
            * rendering/RenderLayerBacking.cpp:
            (WebCore):
            (WebCore::RenderLayerBacking::shouldUseTileCache): check if we're in the middle
            of creating the primary graphics layer before answering.
            (WebCore::RenderLayerBacking::createPrimaryGraphicsLayer): wrap our call to
            createGraphicsLayer with a message to indicate we are making the layer that should
            get a tile cache.
            (WebCore::RenderLayerBacking::destroyGraphicsLayers):
            (WebCore::RenderLayerBacking::updateGraphicsLayerConfiguration): needs to make
            sure the flattening layer is in the tree.
            (WebCore::RenderLayerBacking::updateGraphicsLayerGeometry):
            (WebCore::RenderLayerBacking::updateInternalHierarchy):
            (WebCore::RenderLayerBacking::updateClippingLayers):
            (WebCore::RenderLayerBacking::backingStoreMemoryEstimate):
            * rendering/RenderLayerBacking.h: rename m_clippingLayer to m_containmentLayer
            because it can now either be the clip or the tile cache flattener. Also
            a new state property used when creating the main graphics layer.
            (WebCore::RenderLayerBacking::hasClippingLayer):
            (WebCore::RenderLayerBacking::clippingLayer):
            (WebCore::RenderLayerBacking::parentForSublayers):
            (WebCore::RenderLayerBacking::hasTileCacheFlatteningLayer):
            (WebCore::RenderLayerBacking::tileCacheFlatteningLayer):
            (RenderLayerBacking):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 122082

    2012-07-05  MORITA Hajime  <morrita@google.com>

            Heap-use-after-free in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers
            https://bugs.webkit.org/show_bug.cgi?id=90480

            Reviewed by Kent Tamura.

            If <select> has any insertion point, the attachment phase
            unexpectedly creates a renderer for a distributed node and adds it to
            the renderer of the <select>, which breaks an assumption and
            results in the crash.

            This change tightens childShouldCreateRenderer() to forbid
            child renderers even from distributed nodes.

            There is an exception as always: ValidationMessage can create a
            ShadowRoot to <select>, which generates usually-forbidden child
            renderers.  This change introduces HTMLFormControlElement::validationMessageContains()
            to let these renderers in.

            Test: fast/dom/shadow/insertion-point-list-menu-crash.html

            * html/HTMLFormControlElement.cpp:
            (WebCore::HTMLFormControlElement::validationMessageContains):
            (WebCore):
            * html/HTMLFormControlElement.h:
            (HTMLFormControlElement):
            * html/HTMLSelectElement.cpp:
            (WebCore::HTMLSelectElement::childShouldCreateRenderer):
            * html/ValidationMessage.cpp:
            (WebCore::ValidationMessage::contains):
            (WebCore):
            * html/ValidationMessage.h:
            (WebCore):
            (ValidationMessage):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 121912

    2012-07-05  Nate Chapin  <japhet@chromium.org>

            REGRESSION (r115654): Sometimes does not replace content for multipart/x-mixed-replace
            https://bugs.webkit.org/show_bug.cgi?id=88436

            Reviewed by Brady Eidson.

            Test: http/tests/multipart/multipart-replace-non-html-content.php

            * loader/DocumentLoader.cpp:
            (WebCore::DocumentLoader::commitData): We should only send receivedFirstData() once per main resource load,
                rather than multiple times in a multipart load. 
            (WebCore::DocumentLoader::setupForReplaceByMIMEType): m_gotFirstByte isn't set to true until data is
                actually committed, and multipart data is often not committed until the part is finished. Check
                whether the SharedBuffer is non-null instead.
            * testing/js/WebCoreTestSupport.cpp:
            (WebCoreTestSupport::resetInternalsObject): The JSInternals object may have already been cleared if the window shell
                was cleared as part of creation of a new Document. Check it before using it.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 121646

    2012-07-01  Timothy Hatcher  <timothy@apple.com>

            Make the "Inspect Element" context menu item appear in nightly builds again.

            rdar://problem/11702613
            https://webkit.org/b/89323

            Reviewed by Dan Bernstein.

            * platform/ContextMenuItem.h:
            Fix the order of the ContextMenuAction enum to be binary compatible with
            older versions of WebKit.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 121645

    2012-07-01  Dan Bernstein  <mitz@apple.com>

            <rdar://problem/11785743> [mac] Non-BMP characters in vertical text appear as missing glyphs
            https://bugs.webkit.org/show_bug.cgi?id=90349

            Reviewed by Dean Jackson.

            Test: platform/mac/fast/text/vertical-surrogate-pair.html

            * platform/graphics/mac/GlyphPageTreeNodeMac.cpp:
            (WebCore::GlyphPage::fill): When calling wkGetVerticalGlyphsForCharacters or
            CTFontGetGlyphsForCharacters with a buffer consisting of surrogate pairs, account for those
            functions’ behavior of placing glyphs at indices corresponding to the first character of
            each pair.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 121643

    2012-07-01  Kenichi Ishibashi  <bashi@chromium.org>

            Arabic shaping is incorrect if ZWNJ exist
            https://bugs.webkit.org/show_bug.cgi?id=89843

            Reviewed by Dan Bernstein.

            mac port treats ZWJ (zero-width-joiner) and ZWNJ (zero-width-non-joiner) as a part of combining
            character sequence. This could cause a problem when the font doesn't have glyph mapping of ZWJ and ZWNJ.
            Suppose the text to be rendered is "U+0645(MEEM) U+06CC(FARSI YEH) U+200C(ZWNJ)". In this case, U+0645
            and U+06CC are rendered in isolated form if the font doesn't have a glyph for ZWNJ. They should be joined.

            This patch changes handling of ZWJ and ZWNJ. It treats ZWJ and ZWNJ as base characters so that a complex text
            run isn't separated at the point of ZWJ and ZWNJ even if the font doesn't contain glyphs for them.
            If ComplexTextController finds ZWJ, it doesn't split the current complex text run.

            Test: platform/mac/fast/text/arabic-zwj-and-zwnj.html

            * platform/graphics/mac/ComplexTextController.cpp:
            (WebCore::advanceByCombiningCharacterSequence): Don't treat ZWJ and ZWNJ as a part of combining character sequence.
            (WebCore::ComplexTextController::collectComplexTextRuns): Set fontData to nextFontData if the baseCharacter is ZWJ.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 121299

    2012-06-26  Alice Cheng  <alice_cheng@apple.com>

            Crash at WebCore::TextIterator::handleTextBox
            https://bugs.webkit.org/show_bug.cgi?id=89526
            <rdar://problem/10305315>

            Reviewed by Darin Adler.

            The range used for marking becomes invalid after SpellingCorrectionCommand, due to changes in the DOM made by ReplaceSelectionCommand. 
            This invalid range caused marking to be incorrect, and Mail.app to crash when iterating through the invalid range.  To fix this,
            recalculate the range for marking after SpellingCorrectionCommand.

            Test: platform/mac/editing/spelling/autocorrection-blockquote-crash.html

            * editing/AlternativeTextController.cpp:
            (WebCore::AlternativeTextController::applyAlternativeTextToRange):
            * editing/Editor.cpp:  (WebCore::Editor::markAndReplaceFor):
            * testing/Internals.cpp:
            (WebCore):
            (WebCore::Internals::hasAutocorrectedMarker):
            * testing/Internals.h: (Internals):
            * testing/Internals.idl:

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 120954

    2012-06-21  Brady Eidson  <beidson@apple.com>

            <rdar://problem/11718988> and https://bugs.webkit.org/show_bug.cgi?id=89673
            showModalDialog fix creates risk of never returning from RunLoop::performWork, potentially blocking other event sources

            In case handling a function on the queue places additional functions on the queue, we should
            limit the number of functions each invocation of performWork() performs so it can return and
            other event sources have a chance to spin.

            The showModalDialog fix in question is http://trac.webkit.org/changeset/120879

            Reviewed by Darin Adler and Anders Carlson.

            * platform/RunLoop.cpp:
            (WebCore::RunLoop::performWork): If there are only N functions in the queue when performWork is called,
              only handle up to N functions before returning. Any additional functions will be handled the next time
              the runloop spins.
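
Added example, not code from the WebKit change above: a minimal C++ sketch of the bounded drain this entry describes, where performWork() handles only as many functions as were queued when it was called. BoundedWorkQueue, DrainResult and runSelfRequeueScenario are hypothetical names, and the self-requeueing function is a constructed scenario.

```cpp
#include <cstddef>
#include <deque>
#include <functional>
#include <iostream>
#include <mutex>
#include <utility>

// Hypothetical stand-in for a run loop's function queue (not WebKit's RunLoop class).
class BoundedWorkQueue {
public:
    void dispatch(std::function<void()> function)
    {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_functions.push_back(std::move(function));
    }

    // Handles at most as many functions as were queued when the call began,
    // then returns so other event sources get a turn. Returns the number handled.
    std::size_t performWork()
    {
        std::size_t budget;
        {
            std::lock_guard<std::mutex> lock(m_mutex);
            budget = m_functions.size();
        }

        std::size_t handled = 0;
        while (handled < budget) {
            std::function<void()> function;
            {
                std::lock_guard<std::mutex> lock(m_mutex);
                if (m_functions.empty())
                    break;
                function = std::move(m_functions.front());
                m_functions.pop_front();
            }
            function(); // run outside the lock: the function may call dispatch()
            ++handled;
        }
        return handled;
    }

    std::size_t pending()
    {
        std::lock_guard<std::mutex> lock(m_mutex);
        return m_functions.size();
    }

private:
    std::mutex m_mutex;
    std::deque<std::function<void()>> m_functions;
};

struct DrainResult {
    std::size_t handledFirst;
    std::size_t pendingAfterFirst;
    std::size_t handledSecond;
    int totalRuns;
};

// Constructed scenario: every handled function queues a successor, which would
// keep a "loop until the queue is empty" drain from ever returning.
DrainResult runSelfRequeueScenario()
{
    BoundedWorkQueue queue;
    int runs = 0;
    std::function<void()> requeue = [&] {
        ++runs;
        queue.dispatch(requeue);
    };
    for (int i = 0; i < 3; ++i)
        queue.dispatch(requeue);

    DrainResult result;
    result.handledFirst = queue.performWork();   // bounded by the 3 queued at entry
    result.pendingAfterFirst = queue.pending();  // successors wait for the next spin
    result.handledSecond = queue.performWork();
    result.totalRuns = runs;
    return result;
}

int main()
{
    DrainResult r = runSelfRequeueScenario();
    std::cout << "first pass handled " << r.handledFirst
              << ", left pending " << r.pendingAfterFirst
              << ", second pass handled " << r.handledSecond << "\n";
    return 0;
}
```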

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 120662

    2012-06-18  Mike Lawther  <mikelawther@chromium.org>

            Crash when setting title dynamically
            https://bugs.webkit.org/show_bug.cgi?id=88083

            Reviewed by Dan Bernstein.

            Test: fast/text/title-crash.html

            The crashing code takes a rare branch in StyleResolver::styleForElement() where
            m_parentStyle is set to point to m_style. Consequently, while applying properties
            to m_style we end up mutating m_parentStyle.

            In this situation, we clone style() and point m_parentStyle at the clone. The
            clone is destroyed at the end of StyleResolver::styleForElement().

            * css/StyleResolver.cpp:
            (WebCore::StyleResolver::collectMatchingRulesForList):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 119409

    2012-06-04  Abhishek Arya  <inferno@chromium.org>

            Crash in multi-column layout.
            https://bugs.webkit.org/show_bug.cgi?id=88022

            Reviewed by Ojan Vafai.

            The patch addresses two problems:
            1. |this| in RenderBlock::splitBlocks can get destroyed when we
            move its children to the clone and later call updateBeforeAfterContent
            on the parent. So, we stop accessing its member variables and cache
            it in a local.
            2. Positioned objects were not getting cleared from our grand parents.
            This will happen if our immediate children got moved to a clone tree,
            however at our parent nothing was moved. So, we make sure to remove
            the positioned objects at every level while we are doing the cloning.

            Tests: fast/multicol/span/empty-anonymous-block-split-crash.html
                   fast/multicol/span/positioned-objects-not-removed-crash.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::splitBlocks):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 119227

    2012-06-01  Dan Bernstein  <mitz@apple.com>

            Layout not updated after setting -webkit-line-clamp to none
            https://bugs.webkit.org/show_bug.cgi?id=88049

            Reviewed by Abhishek Arya.

            Test: fast/flexbox/line-clamp-removed-dynamically.html

            * rendering/RenderDeprecatedFlexibleBox.cpp:
            (WebCore::RenderDeprecatedFlexibleBox::styleWillChange): Added. Calls clearLineClamp if
            line-clamp will change to none.
            (WebCore::RenderDeprecatedFlexibleBox::clearLineClamp): Added. Marks possibly-clamped
            children for layout and clears truncation from blocks.
            * rendering/RenderDeprecatedFlexibleBox.h:

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 119184

    2012-05-31  Tom Sepez  <tsepez@chromium.org>

            XSSAuditor bypass with leading /*///*/ comment
            https://bugs.webkit.org/show_bug.cgi?id=88002

            Reviewed by Adam Barth.

            Fixes issue in xssauditor's parsing of /*/.

            Test: http/tests/security/xssAuditor/script-tag-with-trailing-comment4.html

            * html/parser/XSSAuditor.cpp:
            (WebCore::XSSAuditor::decodedSnippetForJavaScript):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118542

    2012-05-25  Ken Buchanan  <kenrb@chromium.org>

            Layout root not getting cleared for anonymous renderers getting destroyed
            https://bugs.webkit.org/show_bug.cgi?id=84002

            Reviewed by Abhishek Arya.

            This is a follow-up to r109406, which added a check to clear layout
            roots when they point to a renderer that is being destroyed. The
            thinking was that layout roots would never be anonymous renderers,
            but there are some cases where this is not true (in particular,
            generated content containers with overflow clips can be layout roots).

            As in r109406, this patch has no layout test. This is because any test
            that exercises this behavior is caused by an existing layout bug where
            a child is not properly getting layout (or a renderer is getting dirtied
            out of order during layout) and will fail multiple ASSERTs:
            in particular, ASSERT(!m_layoutRoot->container() || !m_layoutRoot->
            container()->needsLayout()) in FrameView::scheduleRelayoutOfSubtree(),
            and ASSERT_NOT_REACHED() in RenderObject::clearLayoutRootIfNeeded().
            We are preventing those bugs from manifesting as security issues with
            this patch.

            This also removes an ASSERT from the RenderObject destructor. This is
            redundant with the condition in RenderObject::clearLayoutRootIfNeeded()
            which is always called in RenderObject::willBeDestroyed(), so the check 
            is not needed. It had to be removed because it fails when I try to
            adjust the ASSERT condition by removing the !node()
            check, due to RenderWidget clearing its node() during destruction.

            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::~RenderObject):
            (WebCore::RenderObject::willBeDestroyed):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118478 (required 118143)

    2012-05-24  Dominic Mazzoni  <dmazzoni@google.com>

            Crash in WebCore::AccessibilityTable::isDataTable
            https://bugs.webkit.org/show_bug.cgi?id=87409

            Reviewed by Abhishek Arya.

            Use Node::rendererIsEditable everywhere rather than
            Node::isContentEditable because the latter can trigger a layout
            and destroy the renderer. New test covers the change to
            AccessibilityTable.cpp, changes to AccessibilityRenderObject.cpp
            are covered by existing tests.

            Test: accessibility/contenteditable-table-check-causes-crash.html

            * accessibility/AccessibilityRenderObject.cpp:
            (WebCore::AccessibilityRenderObject::isReadOnly):
            (WebCore::AccessibilityRenderObject::contentChanged):
            * accessibility/AccessibilityTable.cpp:
            (WebCore::AccessibilityTable::isDataTable):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118471

    2012-05-24  Hayato Ito  <hayato@chromium.org>

            Fix crashes caused by a DOMCharacterDataModified event on a text node.
            https://bugs.webkit.org/show_bug.cgi?id=86953

            Reviewed by Dimitri Glazkov.

            TextNode can be released while CharacterData::setData() dispatches a mutation event.
            So protect it.

            Mutation event itself should not be dispatched on the test case.
            This is being tracked by webkit bug https://bugs.webkit.org/show_bug.cgi?id=87372.

            Test: fast/events/dom-character-data-modified-textarea-crash.html

            * dom/CharacterData.cpp:
            (WebCore::CharacterData::setData):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118420

    2012-05-24  Levi Weintraub  <leviw@chromium.org>

            Avoid creating InlineBoxes for floating and positioned objects in isolates.
            https://bugs.webkit.org/show_bug.cgi?id=87277

            Reviewed by Eric Seidel.

            We currently will create a placeholder run for the first object we encounter inside an isolate. Then
            in RenderBlockLineLayout's constructBidiRuns, we replace that run with the contents of the Isolate.
            We run into problems when there are no valid contents in the Isolate. We can't simply remove the
            placeholder if there's nothing to replace it with since it may be the logically last run, which we
            track but can't rebuild by the time we're handling isolates (we've already shuffled the BidiRuns around).

            With this change, we avoid creating a placeholder altogether until we hit contents in the isolate
            that would warrant a BidiRun in the first place.

            Test: fast/text/international/float-as-only-child-of-isolate-crash.html

            * rendering/InlineIterator.h:
            (WebCore::IsolateTracker::addFakeRunIfNecessary):
            * rendering/RenderBlock.h:
            (RenderBlock):
            (WebCore::RenderBlock::shouldSkipCreatingRunsForObject):
            * rendering/RenderBlockLineLayout.cpp:
            (WebCore::RenderBlock::appendRunsForObject):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118316

    2012-05-23  Julien Chaffraix  <jchaffraix@webkit.org>

            Crash in RenderTableCol::nextColumn
            https://bugs.webkit.org/show_bug.cgi?id=87314

            Reviewed by Abhishek Arya.

            Tests: fast/table/canvas-column-in-column-group.html
                   fast/table/columngroup-inside-columngroup.html

            The issue comes from elements not abiding by the display property (e.g. canvas). This means
            that any renderer with display: table-column would pass the current isChildAllowed check and
            would confuse our algorithm to iterate.

            We were getting away with allowing those children as table columns or column groups don't
            paint themselves but it's better to just not allow such children in the first place.

            * rendering/RenderTableCol.cpp:
            (WebCore::RenderTableCol::isChildAllowed):
            Fixed the logic to only accept proper column renderer (RenderTableCol with display: column
            to ignore column-groups). Also removed an unneeded NULL-check.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118248

    2012-05-23  Abhishek Arya  <inferno@chromium.org>

            Crash in RenderInline::linesVisualOverflowBoundingBox.
            https://bugs.webkit.org/show_bug.cgi?id=85804

            Reviewed by Dave Hyatt.

            Defer layout of replaced elements to the next line break function.
            We shouldn't do it while we are clearing our inline children
            lineboxes in full layout mode.

            Test: fast/block/inline-children-root-linebox-crash.html

            * rendering/RenderBlockLineLayout.cpp:
            (WebCore::RenderBlock::layoutInlineChildren):
            (WebCore::RenderBlock::LineBreaker::nextLineBreak):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118213

    2012-05-23  Chris Fleizach  <cfleizach@apple.com>

            Regression(r112694): Crash in WebCore::AXObjectCache::postNotification 
            https://bugs.webkit.org/show_bug.cgi?id=86029

            Reviewed by Abhishek Arya.

            Test: accessibility/content-changed-notification-causes-crash.html

            * accessibility/AccessibilityObject.h:
            (WebCore::AccessibilityObject::isDetached):
            (AccessibilityObject):
            * accessibility/AccessibilityRenderObject.cpp:
            (WebCore::AccessibilityRenderObject::contentChanged):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 117792

    2012-05-21  Stephen Chenney  <schenney@chromium.org>

            SVGAnimatedPropertyTearOff does not clear a self pointer on deletion
            https://bugs.webkit.org/show_bug.cgi?id=86119

            Reviewed by Nikolas Zimmermann.

            SVGAnimatedPropertyTearOff contains two SVGPropertyTearOff objects
            that have a pointer back to the SVGAnimatedPropertyTearOff. JS may
            also have a reference to these SVGPropertyTearOff objects. When the
            SVGAnimatedPropertyTearOff is deleted, the SVGPropertyTearOff objects
            may live on, but the pointer back to the deleted animated property
            tear off is left invalid. This patch clears the pointers on destruction
            of the SVGAnimatedPropertyTearOff.

            Test: svg/custom/bug86119.html

            * svg/properties/SVGAnimatedPropertyTearOff.h:
            (WebCore::SVGAnimatedPropertyTearOff::~SVGAnimatedPropertyTearOff):
            (SVGAnimatedPropertyTearOff):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116653

    2012-05-10  Abhishek Arya  <inferno@chromium.org>

            Crash in InsertParagraphSeparatorCommand::doApply.
            https://bugs.webkit.org/show_bug.cgi?id=84995

            Reviewed by Ryosuke Niwa.

            Test: editing/inserting/insert-paragraph-seperator-crash.html

            * editing/DeleteSelectionCommand.cpp:
            (WebCore::DeleteSelectionCommand::mergeParagraphs): no need of static cast, since
            type of enclosingBlock returned is already Element*.
            * editing/IndentOutdentCommand.cpp:
            (WebCore::IndentOutdentCommand::tryIndentingAsListItem): no need of static cast, since
            type of enclosingBlock returned is already Element*.
            * editing/InsertParagraphSeparatorCommand.cpp:
            (WebCore::InsertParagraphSeparatorCommand::doApply): RefPtr startBlock to guard against
            mutation events.
            * editing/htmlediting.cpp:
            (WebCore::enclosingBlock): make sure type of enclosingNode is an element before doing
            the static cast. This was already failing in a couple of layout tests. Also, isBlock
            check already exists in the function call to enclosingNodeOfType, so don't need it
            again on enclosingNode's renderer.
            * editing/htmlediting.h: 
            (WebCore):
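
Added example, not code from the WebKit changes: the "protect it" fix for CharacterData::setData() and the "RefPtr startBlock to guard against mutation events" fix above both take a strong reference before running code that can release the object. This C++ sketch uses std::shared_ptr in place of RefPtr; TextNode, ProtectResult and runProtectScenario are hypothetical names and the listener is a constructed scenario.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Hypothetical reference-counted node; std::shared_ptr stands in for WebKit's RefPtr.
class TextNode : public std::enable_shared_from_this<TextNode> {
public:
    explicit TextNode(std::string data) : m_data(std::move(data)) { }

    void setModifiedListener(std::function<void()> listener) { m_listener = std::move(listener); }

    // Returns the length of the stored data, read after the listener has run.
    std::size_t setData(const std::string& data)
    {
        // Protector: take a strong reference before running listener code.
        std::shared_ptr<TextNode> protect = shared_from_this();
        m_data = data;
        if (m_listener)
            m_listener(); // may release every other reference to this node
        // Without the protector, this member access would touch freed memory
        // whenever the listener dropped the last reference.
        return m_data.size();
    }

private:
    std::string m_data;
    std::function<void()> m_listener;
};

struct ProtectResult {
    bool aliveInsideListener;
    std::size_t lengthAfterListener;
    bool destroyedAfterCall;
};

// Constructed scenario: the listener drops the only outside reference to the node
// while setData() is still on the stack.
ProtectResult runProtectScenario()
{
    std::shared_ptr<TextNode> onlyReference = std::make_shared<TextNode>("old");
    std::weak_ptr<TextNode> watcher = onlyReference;
    ProtectResult result = { false, 0, false };

    onlyReference->setModifiedListener([&] {
        onlyReference.reset();
        result.aliveInsideListener = !watcher.expired(); // protector still holds it
    });

    TextNode* node = onlyReference.get();
    result.lengthAfterListener = node->setData("updated");
    // The protector went out of scope when setData() returned, so the node is gone now.
    result.destroyedAfterCall = watcher.expired();
    return result;
}

int main()
{
    ProtectResult r = runProtectScenario();
    std::cout << "alive inside listener: " << r.aliveInsideListener
              << ", length read after listener: " << r.lengthAfterListener
              << ", destroyed after call: " << r.destroyedAfterCall << "\n";
    return 0;
}
```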

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118005

    2012-05-22  Abhishek Arya  <inferno@chromium.org>

            Assertion failure (toRenderBox() called on a RenderInline) beneath RenderBlock::blockBeforeWithinSelectionRoot()
            https://bugs.webkit.org/show_bug.cgi?id=86500

            Reviewed by Ojan Vafai.

            Patch by Dan Bernstein <mitz@apple.com>. I just added the test.

            Test: fast/block/line-layout/selection-highlight-crash.html

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::blockBeforeWithinSelectionRoot): Demoted the object local variable to
            RenderObject, changed use of parentBox() to parent(), and added toRenderBlock() in two places.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 117957

    2012-05-22  Hayato Ito  <hayato@chromium.org>

            Fix crashes when a mouse points at a <svg> element in shadow DOM subtree.
            https://bugs.webkit.org/show_bug.cgi?id=86795

            Reviewed by Nikolas Zimmermann.

            <svg> elements in shadow dom subtree are still not supported.
            This fixes only crashes.

            Test: fast/dom/shadow/shadow-dom-event-dispatching.html

            * dom/EventDispatcher.cpp:
            (WebCore::eventTargetRespectingSVGTargetRules):
            * page/EventHandler.cpp:
            (WebCore::instanceAssociatedWithShadowTreeElement):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 117376

    2012-05-16  James Robinson  <jamesr@chromium.org>

            CachedImage does not clear the ImageObserver pointer when dropping its Image ref
            https://bugs.webkit.org/show_bug.cgi?id=86689

            Reviewed by Eric Seidel.

            Image instances keep a weak pointer to their ImageObserver, which may be null. CachedImage is an ImageObserver
            and holds a RefPtr<Image> m_image. When CachedImage initializes its m_image to either an SVGImage or BitmapImage,
            it sets itself as that Image's ImageObserver. However, CachedImage never clears the ImageObserver pointer, even
            when dropping its reference to the Image. This means if other code holds a RefPtr<Image> there is no promise
            that calls on that Image will be valid. This patch clears the CachedImage::m_image's ImageObserver pointer
            whenever the CachedImage drops its reference. Image already has null checks for its m_imageObserver so this is
            always a safe operation.

            * loader/cache/CachedImage.cpp:
            (WebCore::CachedImage::~CachedImage):
            (WebCore::CachedImage::clear):
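
Added example, not code from the WebKit changes: the SVGAnimatedPropertyTearOff entry earlier and the CachedImage entry above fix the same pattern, a shared object that keeps a raw back pointer to an owner it can outlive. This C++ sketch clears the back pointer when the owner lets go; Observer, Observed, Owner and runBackPointerScenario are hypothetical names, and std::shared_ptr stands in for RefPtr.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

class Observer {
public:
    virtual ~Observer() = default;
    virtual void changed(const std::string& what) = 0;
};

// Shared object with a non-owning back pointer (the role Image or
// SVGPropertyTearOff plays in the entries above).
class Observed {
public:
    void setObserver(Observer* observer) { m_observer = observer; }
    bool hasObserver() const { return m_observer != nullptr; }

    // The null check is what makes a cleared back pointer a safe no-op.
    bool notify(const std::string& what)
    {
        if (!m_observer)
            return false;
        m_observer->changed(what);
        return true;
    }

private:
    Observer* m_observer = nullptr;
};

// Owner that registers itself as the observer (the role CachedImage or
// SVGAnimatedPropertyTearOff plays).
class Owner : public Observer {
public:
    explicit Owner(std::vector<std::string>& delivered)
        : m_delivered(delivered)
        , m_observed(std::make_shared<Observed>())
    {
        m_observed->setObserver(this);
    }

    ~Owner() override { clear(); }

    // Every path that drops the reference also clears the back pointer.
    void clear()
    {
        if (!m_observed)
            return;
        m_observed->setObserver(nullptr);
        m_observed.reset();
    }

    std::shared_ptr<Observed> observed() const { return m_observed; }
    void changed(const std::string& what) override { m_delivered.push_back(what); }

private:
    std::vector<std::string>& m_delivered;
    std::shared_ptr<Observed> m_observed;
};

struct BackPointerResult {
    bool notifiedWhileOwnerAlive;
    bool hasObserverAfterOwnerDestroyed;
    bool notifiedAfterOwnerDestroyed;
    std::size_t callbacksDelivered;
};

// Constructed scenario: other code keeps a reference to the shared object
// after the owner has been destroyed, then calls into it.
BackPointerResult runBackPointerScenario()
{
    std::vector<std::string> delivered;
    std::shared_ptr<Observed> external;
    BackPointerResult result;
    {
        Owner owner(delivered);
        external = owner.observed();
        result.notifiedWhileOwnerAlive = external->notify("frame decoded");
    } // owner destroyed here; its destructor clears the back pointer

    result.hasObserverAfterOwnerDestroyed = external->hasObserver();
    result.notifiedAfterOwnerDestroyed = external->notify("animation advanced");
    result.callbacksDelivered = delivered.size();
    return result;
}

int main()
{
    BackPointerResult r = runBackPointerScenario();
    std::cout << "callbacks delivered: " << r.callbacksDelivered
              << ", observer set after owner destroyed: " << r.hasObserverAfterOwnerDestroyed << "\n";
    return 0;
}
```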

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 117309

    2012-05-16  Ken Buchanan  <kenrb@chromium.org>

            Crash due to first-letter not getting computed on RenderTableCell
            https://bugs.webkit.org/show_bug.cgi?id=86133

            Reviewed by Abhishek Arya.

            RenderTableCell overrides RenderBlock::layout() but doesn't call
            updateFirstLetter() in it. This is normally not a problem because
            updateFirstLetter() gets called during preferred logical width
            computation, but there exist rare occasions when layout of the table
            cell happens without preferred logical widths being dirty, in which
            case the first-letter update can be skipped.

            This patch adds a call to updateFirstLetter() to
            RenderTableCell::layout(). This ensures that the first-letter is up
            to date before commencing block layout.

            * rendering/RenderTableCell.cpp:
            (WebCore::RenderTableCell::layout):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 117304

    2012-05-16  Abhishek Arya  <inferno@chromium.org>

            Missing RenderApplet cast check in HTMLAppletElement::renderWidgetForJSBindings.
            https://bugs.webkit.org/show_bug.cgi?id=86627

            Reviewed by Andreas Kling.

            Test: java/inline-applet-crash.html

            * html/HTMLAppletElement.cpp:
            (WebCore::HTMLAppletElement::renderWidgetForJSBindings):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 117289

    2012-05-16  Rob Buis  <rbuis@rim.com>

            SVGSVGElement checkIntersection and checkEnclosure Mem corruption
            https://bugs.webkit.org/show_bug.cgi?id=67923

            Reviewed by Nikolas Zimmermann.

            Only call checkIntersection/checkEnclosure when we have a valid renderer.

            Test: svg/custom/intersection-list-null.svg

            * svg/SVGSVGElement.cpp:
            (WebCore::SVGSVGElement::checkIntersection):
            (WebCore::SVGSVGElement::checkEnclosure):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 117161

    2012-05-15  Abhishek Arya  <inferno@chromium.org>

            Crash due shadow tree parent confusion in SVG.
            https://bugs.webkit.org/show_bug.cgi?id=84248

            Reviewed by Nikolas Zimmermann.

            Test: svg/foreignObject/viewport-foreignobject-crash.html

            When we try to make a decision on whether we need an outer
            SVGRoot container, we detect if we are in shadow tree or not.
            We also need to make sure that our parentOrHostElement is also
            an svg element. 

            * svg/SVGElement.cpp:
            (WebCore::SVGElement::isOutermostSVGSVGElement):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 117007

    2012-05-14  Takashi Sakamoto  <tasak@google.com>

            Crash in WebCore::RenderObject::repaint
            https://bugs.webkit.org/show_bug.cgi?id=86162

            Reviewed by Abhishek Arya.

            As RenderScrollbarPart has no parent renderer, we crash in
            WebCore::RenderBoxModelObject::paddingLeft when paddingLeft has
            percent value, e.g. 5%. However if we set the scrollbar's parent
            renderer to a renderer owning the scrollbar by using setParent method,
            RenderScrollbarPart::styleWillChange will invoke parent renderer's
            repaint. This causes crash in WebCore::RenderObject::repaint if the
            owning renderer is already destroyed.
            To fix the first crash without the second crash, modify
            RenderObject::containingBlock() to check isRenderScrollbarPart or not,
            if parent() is 0.
            If so, use scrollbar's owningRenderer from RenderScrollbarPart.

            Test: scrollbars/scrollbar-percent-padding-crash.html
                  scrollbars/scrollbar-scrollbarparts-repaint-crash.html

            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::containingBlock):
            Modifying containingBlock. If parent() is 0 and isRenderScrollbarPart()
            is true, use RenderScrollbarPart's m_scrollbar->owningRenderer()
            instead of parent().
            * rendering/RenderObject.h:
            (WebCore::RenderObject::isRenderScrollbarPart):
            (RenderObject):
            Adding a new method, isRenderScrollbarPart.
            * rendering/RenderScrollbarPart.cpp:
            (WebCore::RenderScrollbarPart::rendererOwningScrollbar):
            (WebCore):
            Adding a new method, scrollbarOwningRenderer to obtain m_scrollbar's
            owningRenderer.
            * rendering/RenderScrollbarPart.h:
            (RenderScrollbarPart):
            Removing "friend class RenderScrollbar".
            (WebCore::RenderScrollbarPart::isRenderScrollbarPart):
            (WebCore::toRenderScrollbarPart):
            (WebCore):
            Implementing isRenderScrollbarPart and toRenderScrollbarPart.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116860

    2012-05-12  Philip Rogers  <pdr@google.com>

            Cleanup before changing attributeName in SVG <animate>
            https://bugs.webkit.org/show_bug.cgi?id=86100

            Reviewed by Nikolas Zimmermann.

            Changing attributeName caused a crash because references were not removed from the old target.
            This change simply cleans up before changing attributeName in SVG animation elements.

            Test: svg/animations/dynamic-modify-attributename-crash.svg

            * svg/animation/SVGSMILElement.cpp:
            (WebCore::SVGSMILElement::svgAttributeChanged):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116827

    2012-05-11  David Barton  <dbarton@mathscribe.com>

            use after free in WebCore::RenderObject::document
            https://bugs.webkit.org/show_bug.cgi?id=84891

            Reviewed by Julien Chaffraix.

            Change RenderMathMLFenced::addChild() to use the beforeChild parameter. When beforeChild
            is 0, insert child renderers before the closing fence, which might not be the same as
            this->lastChild(), e.g. possibly due to anonymous blocks or generated content.

            Tests: mathml/presentation/mfenced-add-child1-expected.html
                   mathml/presentation/mfenced-add-child1.html
                   mathml/presentation/mfenced-add-child2-expected.html
                   mathml/presentation/mfenced-add-child2.html

            * rendering/mathml/RenderMathMLFenced.cpp:
            (WebCore::RenderMathMLFenced::RenderMathMLFenced):
            (WebCore::RenderMathMLFenced::makeFences):
            (WebCore::RenderMathMLFenced::addChild):
            * rendering/mathml/RenderMathMLFenced.h:
            (RenderMathMLFenced):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116717

    2012-05-10  Abhishek Arya  <inferno@chromium.org>

            Crash in swapInNodePreservingAttributesAndChildren.
            https://bugs.webkit.org/show_bug.cgi?id=85197

            Reviewed by Ryosuke Niwa.

            Keep the children in a ref vector before adding them to newNode.
            They can get destroyed due to mutation events.

            No new tests because we don't have a reduction.

            * editing/ReplaceNodeWithSpanCommand.cpp:
            (WebCore::swapInNodePreservingAttributesAndChildren):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116698

    2012-05-10  Abhishek Arya  <inferno@chromium.org>

            Crash in FontCache::releaseFontData due to infinite float size.
            https://bugs.webkit.org/show_bug.cgi?id=86110

            Reviewed by Andreas Kling.

            New callers always forget to clamp the font size, which overflows
            to infinity on multiplication. It is best to clamp it at the end
            to avoid getting greater than std::numeric_limits<float>::max().

            Test: fast/css/large-font-size-crash.html

            * platform/graphics/FontDescription.h:
            (WebCore::FontDescription::setComputedSize):
            (WebCore::FontDescription::setSpecifiedSize):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116683

    2012-05-10  Abhishek Arya  <inferno@chromium.org>

            Crash due to floats not removed from first-letter element.
            https://bugs.webkit.org/show_bug.cgi?id=86019

            Reviewed by Julien Chaffraix.

            Move clearing logic of a floating/positioned object from removeChild
            to removeChildNode. There are a lot of places which use removeChildNode
            directly and hence the object is not removed from the floating or
            positioned objects list.

            Test: fast/block/float/float-not-removed-from-first-letter.html

            * rendering/RenderObject.cpp:
            (WebCore::RenderObject::removeChild):
            * rendering/RenderObjectChildList.cpp:
            (WebCore::RenderObjectChildList::removeChildNode):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116669

    2012-05-10  Abhishek Arya  <inferno@chromium.org>

            Crash in ApplyStyleCommand::joinChildTextNodes.
            https://bugs.webkit.org/show_bug.cgi?id=85939

            Reviewed by Ryosuke Niwa.

            Test: editing/style/apply-style-join-child-text-nodes-crash.html

            * editing/ApplyStyleCommand.cpp:
            (WebCore::ApplyStyleCommand::applyRelativeFontStyleChange): add conditions
            to bail out if our start and end position nodes are removed due to 
            mutation events in joinChildTextNodes.
            (WebCore::ApplyStyleCommand::applyInlineStyle): this executes after
            applyRelativeFontStyleChange in ApplyStyleCommand::doApply. So, need
            to bail out if our start and end position nodes are removed due to
            mutation events.
            (WebCore::ApplyStyleCommand::joinChildTextNodes): hold all the children
            in a ref vector to prevent them from getting destroyed due to mutation events.
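Added example (not WebKit code): the "ref vector" guard described in the swapInNodePreservingAttributesAndChildren and joinChildTextNodes entries above, on a hypothetical miniature DOM. std::shared_ptr stands in for RefPtr; Node, MutationHandler, runScenario and the listener are all assumptions made for illustration.

```cpp
#include <algorithm>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical miniature DOM. std::shared_ptr stands in for WebKit's RefPtr.
struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<std::shared_ptr<Node>> children; // the parent owns its children
    explicit Node(std::string n) : name(std::move(n)) {}
};

// Stand-in for a mutation event listener: arbitrary code that runs mid-operation.
using MutationHandler = std::function<void(Node& inserted)>;

void removeChild(Node& parent, Node& child)
{
    auto& kids = parent.children;
    auto it = std::find_if(kids.begin(), kids.end(),
        [&](const std::shared_ptr<Node>& p) { return p.get() == &child; });
    if (it == kids.end())
        return;
    child.parent = nullptr;
    kids.erase(it); // destroys the child if this was the last reference
}

// Takes the child by value so the callee holds its own reference for the call.
void appendChild(Node& newParent, std::shared_ptr<Node> child, const MutationHandler& onInserted)
{
    if (child->parent)
        removeChild(*child->parent, *child);
    child->parent = &newParent;
    newParent.children.push_back(child);
    if (onInserted)
        onInserted(*child); // the handler may remove other nodes from the tree
}

// Unguarded: children still waiting to be moved are owned only by oldNode.
void moveChildrenUnguarded(Node& oldNode, Node& newNode, const MutationHandler& h)
{
    while (!oldNode.children.empty())
        appendChild(newNode, oldNode.children.front(), h);
}

// Guarded: references taken up front pin every child until the loop is done.
void moveChildrenGuarded(Node& oldNode, Node& newNode, const MutationHandler& h)
{
    std::vector<std::shared_ptr<Node>> pinned(oldNode.children);
    for (const auto& child : pinned)
        appendChild(newNode, child, h);
}

struct Outcome {
    bool siblingAliveAfterHandler; // was "b" alive right after the handler detached it?
    std::string newChildren;       // names under newNode at the end, in order
};

Outcome runScenario(bool guarded)
{
    Node oldNode("old"), newNode("new");
    for (const char* n : {"a", "b", "c"}) {
        auto child = std::make_shared<Node>(n);
        child->parent = &oldNode;
        oldNode.children.push_back(std::move(child));
    }
    std::weak_ptr<Node> b = oldNode.children[1]; // observes lifetime without owning

    Outcome out{false, ""};
    // Constructed listener: when "a" is inserted, detach its old next sibling "b".
    MutationHandler handler = [&](Node& inserted) {
        if (inserted.name != "a")
            return;
        if (auto victim = b.lock())
            removeChild(oldNode, *victim);
        // Checked through the weak_ptr, so a destroyed node is never dereferenced.
        out.siblingAliveAfterHandler = !b.expired();
    };

    if (guarded)
        moveChildrenGuarded(oldNode, newNode, handler);
    else
        moveChildrenUnguarded(oldNode, newNode, handler);
    for (const auto& c : newNode.children)
        out.newChildren += c->name;
    return out;
}

int main()
{
    for (bool guarded : {false, true}) {
        Outcome o = runScenario(guarded);
        std::cout << (guarded ? "guarded:   " : "unguarded: ")
                  << "b alive after handler=" << o.siblingAliveAfterHandler
                  << " moved=" << o.newChildren << "\n";
    }
    return 0;
}
```

In the unguarded run "b" is destroyed while the move is still in progress, so any raw pointer to it cached before the listener ran would be stale; the pinned vector keeps it alive until the loop finishes.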

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116647

    2012-05-10  Stephen Chenney  <schenney@chromium.org>

            SVG Filters allow invalid elements as children
            https://bugs.webkit.org/show_bug.cgi?id=83979

            Reviewed by Nikolas Zimmermann.

            According to the SVG spec, there are numerous restrictions on the
            content of nodes (that is, their children). Specific to this problem,
            SVGFilter elements may only contain SVGFilterPrimitive elements, and
            those may only contain animation related elements. This patch enforces
            the restriction on filters in the render tree, thus preventing us from
            having (for instance) content that is inside a filter yet filtered by
            the filter.

            Manual test: ManualTests/bugzilla-83979.svg

            * svg/SVGFilterElement.cpp:
            (WebCore::SVGFilterElement::childShouldCreateRenderer): Added to only allow renderers for fe* children
            (WebCore):
            * svg/SVGFilterElement.h:
            (SVGFilterElement):
            * svg/SVGFilterPrimitiveStandardAttributes.h: Do not allow any children at all for fe* elements.
            (SVGFilterPrimitiveStandardAttributes):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116642

    2012-05-10  Keishi Hattori  <keishi@webkit.org>

            Crash in HTMLFormControlElement::m_fieldSetAncestor
            https://bugs.webkit.org/show_bug.cgi?id=86070

            Reviewed by Kent Tamura.

            No new tests.

            The previous patch r115990 didn't completely resolve the crash (Bug 85453).
            We don't have a reproducible test case, so we are reverting to the old code for setting m_fieldSetAncestor.

            * html/HTMLFormControlElement.cpp:
            (WebCore::HTMLFormControlElement::HTMLFormControlElement):
            (WebCore::HTMLFormControlElement::updateFieldSetAndLegendAncestor):
            (WebCore::HTMLFormControlElement::insertedInto): Set m_dataListAncestorState to Unknown because ancestor has changed. Call setNeedsWillValidateCheck because style might need to be updated.
            (WebCore::HTMLFormControlElement::removedFrom):
            (WebCore::HTMLFormControlElement::disabled):
            (WebCore::HTMLFormControlElement::recalcWillValidate):
            (WebCore::HTMLFormControlElement::willValidate):
            (WebCore::HTMLFormControlElement::setNeedsWillValidateCheck):
            * html/HTMLFormControlElement.h:
            (HTMLFormControlElement): Added m_dataListAncestorState.

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116551

    2012-05-09  Ken Buchanan  <kenrb@chromium.org>

            Crash from removal of a line break object
            https://bugs.webkit.org/show_bug.cgi?id=85997

            Reviewed by David Hyatt.

            Regression from r115343. That replaced a call to setNeedsLayout()
            with a separate call that used a different bit during linebox
            invalidation after renderer child removal. There are special cases
            where layout isn't marked on parent nodes just from the removal, so
            line dirtying needs to explicitly mark ancestors for layout.

            * rendering/RenderObject.h:
            (WebCore::RenderObject::setAncestorLineBoxDirty):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116545

    2012-05-09  Abhishek Arya  <inferno@chromium.org>

            Crash in ReplaceSelectionCommand::performTrivialReplace
            https://bugs.webkit.org/show_bug.cgi?id=85943

            Reviewed by Ryosuke Niwa.

            RefPtr nodeAfterInsertionPos to guard against mutation events.

            Test: editing/inserting/insert-html-crash.html

            * editing/ReplaceSelectionCommand.cpp:
            (WebCore::ReplaceSelectionCommand::performTrivialReplace):

2012-07-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116476

    2012-05-08  Abhishek Arya  <inferno@chromium.org>

            Crash due to owning renderer not removed from custom scrollbar.
            https://bugs.webkit.org/show_bug.cgi?id=80610

            Reviewed by Eric Seidel.

            Test: scrollbars/scrollbar-owning-renderer-crash.html

            Changed RenderScrollbar to keep pointer to owning node, instead of the
            renderer. Renderer can get destroyed without informing the scrollbar, causing
            crashes later. Remove code from r94107 since it is not needed anymore and saves
            time when RenderBox is getting destroyed.

            * page/FrameView.cpp:
            (WebCore::FrameView::createScrollbar): pass renderer's node.
            * page/FrameView.h:
            * rendering/RenderBox.cpp:
            (WebCore::RenderBox::willBeDestroyed): no longer need this. came originally from r94107.
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::createScrollbar): pass renderer's node.
            (WebCore::RenderLayer::destroyScrollbar): no longer need to clear owning renderer.
            * rendering/RenderListBox.cpp:
            (WebCore::RenderListBox::createScrollbar): pass renderer's node.
            * rendering/RenderMenuList.cpp:
            (WebCore::RenderMenuList::createScrollbar): pass renderer's node.
            * rendering/RenderScrollbar.cpp:
            (WebCore::RenderScrollbar::createCustomScrollbar): Store owner node instead of renderer.
            (WebCore::RenderScrollbar::RenderScrollbar): Store owner node instead of renderer.
            (WebCore::RenderScrollbar::owningRenderer): calculate owning renderer from owner node.
            * rendering/RenderScrollbar.h:
            (RenderScrollbar):
            * rendering/RenderTextControlSingleLine.cpp:
            (WebCore::RenderTextControlSingleLine::createScrollbar): pass renderer's node.

2012-07-27  Lucas Forschler  <lforschler@apple.com>

    Merge 116357

    2012-05-07  Ken Buchanan  <kenrb@chromium.org>

            Crash due to positioned object list not being cleared during block flow split
            https://bugs.webkit.org/show_bug.cgi?id=85074

            Reviewed by Abhishek Arya.

            When an element is being split due to a column span element being
            inserted, any of its ancestors that are underneath the column
            containing block also get split. If an ancestor has an object in
            its positioned object list from a previous layout, then the list
            will have to be cleared because the positioned object could have moved
            to be under the continuation. This patch causes the list to be
            cleared.

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::splitBlocks):

2012-07-26  Lucas Forschler  <lforschler@apple.com>

    Merge 116325

    2012-05-07  Abhishek Arya  <inferno@chromium.org>

            Crash in RenderBlock::updateFirstLetterStyle.
            https://bugs.webkit.org/show_bug.cgi?id=85759

            Reviewed by Julien Chaffraix.

            Test: fast/css-generated-content/first-letter-next-sibling-crash.html

            RenderBlock::removeChild can bring up the children from last single anonymous block,
            causing |nextSibling| in RenderBlock::updateFirstLetterStyle to go stale. We prevent
            this by removing the child safely using removeChildNode before destroying it.

            * rendering/RenderBlock.cpp:
            (WebCore::RenderBlock::updateFirstLetterStyle):

2012-06-22  Lucas Forschler  <lforschler@apple.com>

    Rollout 121034
    This was 120954 from trunk.
    
2012-06-22  Lucas Forschler  <lforschler@apple.com>

    Merge 120954

    2012-06-21  Brady Eidson  <beidson@apple.com>

            <rdar://problem/11718988> and https://bugs.webkit.org/show_bug.cgi?id=89673
            showModalDialog fix creates risk of never returning from RunLoop::performWork, potentially blocking other event sources

            In case handling a function on the queue places additional functions on the queue, we should
            limit the number of functions each invocation of performWork() performs so it can return and
            other event sources have a chance to spin.

            The showModalDialog fix in question is http://trac.webkit.org/changeset/120879

            Reviewed by Darin Adler and Anders Carlson.

            * platform/RunLoop.cpp:
            (WebCore::RunLoop::performWork): If there are only N functions in the queue when performWork is called,
              only handle up to N functions before returning. Any additional functions will be handled the next time
              the runloop spins.

2012-06-20  Lucas Forschler  <lforschler@apple.com>

    Merge 120879

    2012-06-20  Brady Eidson  <beidson@apple.com>

            <rdar://problem/11653784> and https://bugs.webkit.org/show_bug.cgi?id=89590
            showModalDialog message handling is flaky in WebKit2

            Because RunLoop::performWork() swaps the function queue to a temporary Vector before calling
            the functions, an inner run-loop - such as we see with running a modal dialog - does not have
            a chance to handle any of the functions that were queued after the WebPageProxy::RunModal message.

            By servicing the functions in the queue one at a time we can give the RunLoop a chance to pick up
            where it left off if RunLoop::performWork is re-entered.

            To guarantee RunLoop::performWork is re-entered to handle those functions we also need to signal
            its source before entering the modal run loop so our RunLoop is woken up.

            Reviewed by Darin Adler.

            * WebCore.exp.in:
            * platform/RunLoop.cpp:
            (WebCore::RunLoop::performWork): Take the first function off the queue one at a time so subsequent
              functions remain in the queue and can be handled by an inner modal run loop.
            * platform/RunLoop.h:
            (RunLoop): Change the function queue to be a Deque to efficiently support "takeFirst" 
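Added example (not WebKit code): a queue drain that combines the two RunLoop::performWork changes described in the r120954 and r120879 entries above, taking one function at a time from a deque and running no more functions than were queued on entry. WorkQueue and the two scenario functions are hypothetical names.

```cpp
#include <cstddef>
#include <deque>
#include <functional>
#include <iostream>
#include <mutex>
#include <utility>
#include <vector>

// Hypothetical stand-in for a run loop's function queue; not WebKit's RunLoop.
class WorkQueue {
public:
    using Function = std::function<void()>;

    void dispatch(Function f)
    {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_queue.push_back(std::move(f));
    }

    // Runs at most as many functions as were queued on entry; returns how many ran.
    size_t performWork()
    {
        size_t budget;
        {
            std::lock_guard<std::mutex> lock(m_mutex);
            budget = m_queue.size();
        }
        size_t ran = 0;
        while (ran < budget) {
            Function f;
            {
                std::lock_guard<std::mutex> lock(m_mutex);
                if (m_queue.empty())
                    break; // a nested performWork() already handled the rest
                f = std::move(m_queue.front());
                m_queue.pop_front(); // only this one leaves the queue
            }
            f(); // lock released: f may dispatch() or re-enter performWork()
            ++ran;
        }
        return ran;
    }

    size_t pending()
    {
        std::lock_guard<std::mutex> lock(m_mutex);
        return m_queue.size();
    }

private:
    std::mutex m_mutex;
    std::deque<Function> m_queue;
};

// Every function re-queues itself. An unbounded drain would never return;
// the entry-time budget lets the caller get back to its other event sources.
size_t boundedDrainWithSelfRequeue(size_t& pendingAfter)
{
    WorkQueue q;
    std::function<void()> again = [&] { q.dispatch(again); };
    for (int i = 0; i < 3; ++i)
        q.dispatch(again);
    size_t ran = q.performWork();
    pendingAfter = q.pending();
    return ran;
}

// The first function spins an inner ("modal") loop. Because the functions behind
// it are still in the queue, the inner loop handles them before the first returns.
// Swapping the whole queue into a temporary first would give 1, 4, 2, 3 instead.
std::vector<int> nestedDrainOrder()
{
    WorkQueue q;
    std::vector<int> order;
    q.dispatch([&] {
        order.push_back(1);
        q.performWork();
        order.push_back(4);
    });
    q.dispatch([&] { order.push_back(2); });
    q.dispatch([&] { order.push_back(3); });
    q.performWork();
    return order;
}

int main()
{
    size_t pendingAfter = 0;
    size_t ran = boundedDrainWithSelfRequeue(pendingAfter);
    std::cout << "ran " << ran << ", still pending " << pendingAfter << "\n";
    for (int step : nestedDrainOrder())
        std::cout << step << ' ';
    std::cout << "\n";
    return 0;
}
```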

2012-06-12  Lucas Forschler  <lforschler@apple.com>

    Merge 120364

    2012-06-14  Andreas Kling  <kling@webkit.org>

            Crashes below IconDatabase::performPendingRetainAndReleaseOperations().
            <http://webkit.org/b/88846>
            <rdar://problem/11629106>

            Reviewed by Brady Eidson.

            Put isolatedCopy() strings in the retain/release operation queues to make sure it's safe
            for secondary threads to ref/deref them in performPendingRetainAndReleaseOperations().
            Also added assertions as appropriate.

            * loader/icon/IconDatabase.cpp:
            (WebCore::IconDatabase::retainIconForPageURL):
            (WebCore::IconDatabase::releaseIconForPageURL):
            (WebCore::IconDatabase::performPendingRetainAndReleaseOperations):

2012-06-12  Lucas Forschler  <lforschler@apple.com>

    Merge 120357

    2012-06-14  Jia Pu  <jpu@apple.com>

            Mark text with text alternative with blue underline.
            https://bugs.webkit.org/show_bug.cgi?id=83047

            Reviewed by Enrica Casucci.

            Tests: platform/mac/editing/input/edit-dictated-text-with-alternative.html
                   platform/mac/editing/input/insert-dictated-text.html

            This patch implements visual indication on dictated text with alternatives, and provides UI
            to show alternative text on OS X. The majority of the changes are for generalizing the existing AlternativeTextController
            class to handle dictation alternatives. The two new classes, AlternativeTextUIController and
            TextAlternativeWithRange, are used by both WebKit and WK2. So WebCore seems to be the natural place
            for them.

            * WebCore.exp.in:
            * WebCore.xcodeproj/project.pbxproj:
            * editing/AlternativeTextController.cpp: Expanded existing class interface to support dictation alternatives.
            (DictationAlternativeDetails): Marker detail class for dictation alternative mark.
            (WebCore::DictationAlternativeDetails::create):
            (WebCore::DictationAlternativeDetails::dictationContext):
            (WebCore::DictationAlternativeDetails::DictationAlternativeDetails):
            (WebCore::markerTypesForAppliedDictationAlternative):
            (WebCore::AlternativeTextController::applyAlternativeTextToRange): Generalized existing applyAlternativeTextToRange() to handle dictation alternatives.
            (WebCore::AlternativeTextController::timerFired): Expanded existing code to handle dictation alternatives.
            (WebCore::AlternativeTextController::handleAlternativeTextUIResult): Expanded existing code to handle dictation alternatives.
            (WebCore::AlternativeTextController::respondToChangedSelection): Moved part of the function into respondToMarkerAtEndOfWord() to improve readability.
            (WebCore::AlternativeTextController::shouldStartTimerFor):
            (WebCore::AlternativeTextController::respondToMarkerAtEndOfWord):
            (WebCore::AlternativeTextController::markerDescriptionForAppliedAlternativeText):
            (WebCore::AlternativeTextController::removeDictationAlternativesForMarker):
            (WebCore::AlternativeTextController::dictationAlternativesForMarker):
            (WebCore::AlternativeTextController::applyDictationAlternative):
            * editing/AlternativeTextController.h:
            * editing/Editor.cpp:
            (WebCore::Editor::notifyComponentsOnChangedSelection): Renamed existing respondToChangedSelection() function to avoid naming collision.
            (WebCore::Editor::appliedEditing):
            (WebCore::Editor::unappliedEditing):
            (WebCore::Editor::reappliedEditing):
            (WebCore::Editor::updateMarkersForWordsAffectedByEditing):
            (WebCore::Editor::changeSelectionAfterCommand):
            (WebCore::Editor::respondToChangedSelection):
            (WebCore::Editor::dictationAlternativesForMarker):
            (WebCore::Editor::applyDictationAlternativelternative):
            * editing/Editor.h:
            * editing/FrameSelection.h:
            * editing/mac/AlternativeTextUIController.h: Added. WK1 and WK2 use this class to keep track of text alternatives objects.
            (AlternativeTextUIController):
            (WebCore::AlternativeTextUIController::AlternativeTextUIController):
            (AlernativeTextContextController):
            (WebCore::AlternativeTextUIController::AlernativeTextContextController::AlernativeTextContextController):
            * editing/mac/AlternativeTextUIController.mm: Added.
            (WebCore::AlternativeTextUIController::AlernativeTextContextController::addAlternatives):
            (WebCore::AlternativeTextUIController::AlernativeTextContextController::alternativesForContext):
            (WebCore::AlternativeTextUIController::AlernativeTextContextController::removeAlternativesForContext):
            (WebCore::AlternativeTextUIController::AlernativeTextContextController::clear):
            (WebCore::AlternativeTextUIController::addAlternatives):
            (WebCore::AlternativeTextUIController::alternativesForContext):
            (WebCore::AlternativeTextUIController::clear):
            (WebCore::AlternativeTextUIController::showAlternatives):
            (WebCore::AlternativeTextUIController::handleAcceptedAlternative):
            (WebCore::AlternativeTextUIController::dismissAlternatives):
            (WebCore::AlternativeTextUIController::removeAlternatives):
            * editing/mac/TextAlternativeWithRange.h: Added.  A simple struct to make it easier to pass around a pair of text alternatives object and range.
            * editing/mac/TextAlternativeWithRange.mm: Added.
            (WebCore::TextAlternativeWithRange::TextAlternativeWithRange):
            (WebCore::collectDictationTextAlternatives):
            * page/AlternativeTextClient.h:
            * page/ContextMenuController.cpp: Added code to show alternative dictated text in context menu.
            (WebCore::ContextMenuController::contextMenuItemSelected):
            (WebCore::ContextMenuController::populate):
            (WebCore::ContextMenuController::checkOrEnableIfNeeded):
            * platform/ContextMenuItem.h:
            * rendering/HitTestResult.cpp:
            (WebCore::HitTestResult::dictationAlternatives):
            * rendering/HitTestResult.h:
            * rendering/InlineTextBox.cpp:
            (WebCore::InlineTextBox::paintDocumentMarker):

2012-06-12  Lucas Forschler  <lforschler@apple.com>

    Merge 119739

    2012-06-07  Jer Noble  <jer.noble@apple.com>

            sometimes all slaved videos don't start playing
            https://bugs.webkit.org/show_bug.cgi?id=88553

            Reviewed by Darin Adler.

            Test: media/media-controller-time-clamp.html

            Some PlatformClock classes will occasionally return times < 0 and will
            always return times slightly > duration() when playback has ended.  Clamp
            the value of currentTime() to the specified [0..duration] range.

            * html/MediaController.cpp:
            (MediaController::currentTime):

2012-06-12  Lucas Forschler  <lforschler@apple.com>

    Merge 119644

    2012-06-06  Brady Eidson  <beidson@apple.com>

            <rdar://problem/11575112> and https://bugs.webkit.org/show_bug.cgi?id=88428
            REGRESSION (r115654): Opening many non-English WebArchives shows obvious encoding issues

            Reviewed by Nate Chapin.

            Test: fast/loader/webarchive-encoding-respected.html

            * loader/DocumentLoader.cpp:
            (WebCore::DocumentLoader::commitData): Properly set the main resource encoding from the webarchive.

2012-06-06  Mark Rowe  <mrowe@apple.com>

        Merge r119548.

    2012-06-05  Vitaly Buka  <vitalybuka@chromium.org>

        Special layout handler should be done on top frame being printed.
        https://bugs.webkit.org/show_bug.cgi?id=88201

        Reviewed by Brady Eidson.

        No new tests. Root case is already covered by tests.
        Case described in the issue can be reproduced only by direct call
        to Frame::setPrinting of subframe. Probably it's not possible with
        layout tests.

        * page/Frame.cpp:
        (WebCore::Frame::setPrinting):
        Use shouldUsePrintingLayout to choose proper version of forceLayout().
        (WebCore::Frame::shouldUsePrintingLayout):
        Checks if current frame is the top frame being printed.
        * rendering/RenderView.cpp:
        (WebCore::RenderView::shouldUsePrintingLayout): Forward to Frame.

2012-06-06  Mark Rowe  <mrowe@apple.com>

        Merge r119136.

    2012-05-31  Brady Eidson  <beidson@apple.com>

        <rdar://problem/11544454> and https://bugs.webkit.org/show_bug.cgi?id=87990
        Crashes unregistering DOMWindowProperties while releasing CachedPages

        Reviewed by Jessie Berlin.

        This patch rewrites DOMWindowProperty to always keep direct track of the DOMWindow
        it has registered with and to only ever unregister from that very same DOMWindow.

        No new tests. (While the direct cause of the crash is understood, reproducing it is not)

        * page/DOMWindowProperty.cpp:
        (WebCore::DOMWindowProperty::DOMWindowProperty):
        (WebCore::DOMWindowProperty::~DOMWindowProperty):
        (WebCore::DOMWindowProperty::disconnectFrameForPageCache):
        (WebCore::DOMWindowProperty::reconnectFrameFromPageCache):
        (WebCore::DOMWindowProperty::willDestroyGlobalObjectInCachedFrame):
        (WebCore::DOMWindowProperty::willDestroyGlobalObjectInFrame):
        (WebCore::DOMWindowProperty::willDetachGlobalObjectFromFrame):
        * page/DOMWindowProperty.h:
        (DOMWindowProperty):

2012-06-06  Mark Rowe  <mrowe@apple.com>

        Merge r119274.

    2012-06-01  Beth Dakin  <bdakin@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=87774
        REGRESSION (r105515): reflection masks are truncated at zoom levels < 1
        -and corresponding-
        <rdar://problem/11387506>

        Reviewed by Simon Fraser.

        paintNinePieceImage() expects un-zoomed results from 
        calculateImageIntrinsicDimensions(). This was previously addressed by having 
        paintNinePieceImage() divide the effective zoom out of the result from 
        calculateImageIntrinsicDimensions(). However, that results in buggy behavior for 
        generated images and images with percentage sizes. In the end it seems best to 
        just send a parameter to calculateImageIntrinsicDimensions() indicating whether 
        the caller wants the result to be scaled by the effective zoom when appropriate.

        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::calculateImageIntrinsicDimensions):
        (WebCore::RenderBoxModelObject::calculateFillTileSize):
        (WebCore::RenderBoxModelObject::paintNinePieceImage):
        * rendering/RenderBoxModelObject.h:
        (RenderBoxModelObject):

2012-05-31  Tim Horton  <timothy_horton@apple.com>

        Disable CSS regions and exclusions on the Ampere branch
        <rdar://problem/10887709>

        Reviewed by Alexey Proskuryakov.

        Fix mismerge of regions-disabling patch (broke -webkit-print-color-adjust)

        * css/CSSParser.cpp:
        (WebCore::isValidKeywordPropertyAndValue):
        * dom/Document.idl:

2012-05-31  Ojan Vafai  <ojan@chromium.org>

        add back the ability to disable flexbox
        https://bugs.webkit.org/show_bug.cgi?id=87147

        Reviewed by Tony Chang.

        * Configurations/FeatureDefines.xcconfig:
        * css/CSSParser.cpp:
        (WebCore::isValidKeywordPropertyAndValue):

2012-05-31  Tim Horton  <timothy_horton@apple.com>

        Disable CSS3 flexbox
        <rdar://problem/11524921>

        Reviewed by John Sullivan.

        * Configurations/FeatureDefines.xcconfig:

2012-05-31  Tim Horton  <timothy_horton@apple.com>

        ENABLE_CSS3_FLEXBOX is insufficient to disable all web-facing bits of the feature
        https://bugs.webkit.org/show_bug.cgi?id=87537
        <rdar://problem/11524921>

        Reviewed by Simon Fraser.

        Allow the feature flag to disable more web-facing parts of the CSS3 flexbox
        implementation (primarily fallout from hiding it from computed style).

        * css/CSSComputedStyleDeclaration.cpp:
        (WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue):
        * css/CSSParser.cpp:
        (WebCore::isValidKeywordPropertyAndValue):
        (WebCore::isKeywordPropertyID):
        (WebCore::CSSParser::parseValue):
        * css/CSSPrimitiveValueMappings.h:
        (WebCore::CSSPrimitiveValue::CSSPrimitiveValue):
        * css/CSSProperty.cpp:
        (WebCore::CSSProperty::isInheritedProperty):
        * css/CSSPropertyNames.in:
        * css/CSSValueKeywords.in:
        * css/StyleBuilder.cpp:
        (WebCore::StyleBuilder::StyleBuilder):
        * css/StylePropertySet.cpp:
        (WebCore::StylePropertySet::getPropertyValue):
        (WebCore::StylePropertySet::asText):
        * css/StylePropertyShorthand.cpp:
        (WebCore::shorthandForProperty):
        * css/StylePropertyShorthand.h:
        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::collectMatchingRulesForList):
        * page/animation/CSSPropertyAnimation.cpp:
        (WebCore::CSSPropertyAnimation::ensurePropertyMap):
        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::createObject):
        * rendering/style/RenderStyleConstants.h:

2012-05-31  Tim Horton  <timothy_horton@apple.com>

        Add feature defines for web-facing parts of CSS Regions and Exclusions
        https://bugs.webkit.org/show_bug.cgi?id=87442
        <rdar://problem/10887709>

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:
        * GNUmakefile.am:
        * bindings/generic/RuntimeEnabledFeatures.cpp:
        * bindings/generic/RuntimeEnabledFeatures.h:
        (RuntimeEnabledFeatures):
        (WebCore::RuntimeEnabledFeatures::setCSSExclusionsEnabled):
        (WebCore::RuntimeEnabledFeatures::cssExclusionsEnabled):
        * bindings/js/JSCSSRuleCustom.cpp:
        (WebCore::toJS):
        * bindings/objc/DOMCSS.mm:
        (kitClass):
        * css/CSSComputedStyleDeclaration.cpp:
        (WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue):
        * css/CSSParser.cpp:
        (WebCore::isSimpleLengthPropertyID):
        (WebCore::isValidKeywordPropertyAndValue):
        (WebCore::isKeywordPropertyID):
        (WebCore::CSSParser::parseValue):
        (WebCore::CSSParser::detectAtToken):
        * css/CSSProperty.cpp:
        (WebCore::CSSProperty::isInheritedProperty):
        * css/CSSPropertyNames.in:
        * css/CSSRule.cpp:
        (WebCore::CSSRule::cssText):
        (WebCore::CSSRule::destroy):
        (WebCore::CSSRule::reattach):
        * css/CSSRule.h:
        (WebCore::CSSRule::isRegionRule):
        * css/CSSRule.idl:
        * css/StyleBuilder.cpp:
        (WebCore::StyleBuilder::StyleBuilder):
        * css/StylePropertySet.cpp:
        (WebCore::StylePropertySet::getPropertyValue):
        (WebCore::StylePropertySet::asText):
        * css/StylePropertyShorthand.cpp:
        (WebCore::shorthandForProperty):
        * css/StylePropertyShorthand.h:
        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::collectMatchingRulesForList):
        * css/StyleRule.cpp:
        (WebCore::StyleRuleBase::destroy):
        (WebCore::StyleRuleBase::copy):
        (WebCore::StyleRuleBase::createCSSOMWrapper):
        * css/WebKitCSSRegionRule.cpp:
        * css/WebKitCSSRegionRule.h:
        * css/WebKitCSSRegionRule.idl:
        * dom/Document.cpp:
        * dom/Document.h:
        * dom/Document.idl:
        * page/DOMWindow.idl:
        * page/Settings.cpp:
        (WebCore::Settings::Settings):
        * page/Settings.h:
        (WebCore::Settings::setCSSRegionsEnabled):
        (WebCore::Settings::cssRegionsEnabled):

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118891

    2012-05-29  Yoshifumi Inoue  <yosin@chromium.org>

            REGRESSION(r111497): The "option" element doesn't match CSS pseudo class :enabled
            https://bugs.webkit.org/show_bug.cgi?id=87719

            Reviewed by Kent Tamura.

            This patch added checking of "option" element for CSS pseudo class :enabled as same as
            :disabled to selector checker. Before r111497, it was done by using isFormControlElement.
            After that revision, HTMLOptionElement was no longer derived from HTMLFormControlElement.

            Test: fast/form/select/optgroup-rendering.html

            * css/SelectorChecker.cpp:
            (WebCore::SelectorChecker::checkOneSelector): Checking element is option element as same
            as PseudoDisabled in PseudoEnabled case.

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118883

    2012-05-29  Eric Seidel  <eric@webkit.org>

            Fix ENABLE_IFRAME_SEAMLESS to actually fully disable <iframe seamless>
            https://bugs.webkit.org/show_bug.cgi?id=87646

            Reviewed by Adam Barth.

            In the process of moving the seamless feature out of github and into bugs.webkit.org
            multiple versions of the shouldDisplaySeamlessly function got written
            (and moved from HTMLIFrameElement to Document), but only one of them was wrapped
            in ENABLE_IFRAME_SEAMLESS.  HTMLIFrameElement was checking mayDisplaySeamlessly
            directly (as was my original design), which got around the ENABLE_IFRAME_SEAMLESS check.
            I've fixed this oversight, and the feature is now off when we tell it to be off.

            This is covered by many existing tests.  I've verified locally that
            all tests fail when ENABLE_IFRAME_SEAMLESS is disabled instead of
            only some of them.

            * dom/SecurityContext.h:
            (SecurityContext):
            * html/HTMLIFrameElement.cpp:
            (WebCore::HTMLIFrameElement::shouldDisplaySeamlessly):

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118820

    2012-05-29  John Sullivan  <sullivan@apple.com>

            Update label for blacklisted plug-in
            https://bugs.webkit.org/show_bug.cgi?id=87767
            rdar://problem/11550048

            Reviewed by Kevin Decker.

            * English.lproj/Localizable.strings:
            Regenerated.

            * platform/LocalizedStrings.cpp:
            (WebCore::insecurePluginVersionText):
            Changed this string.

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118553

    2012-05-25  Dean Jackson  <dino@apple.com>
    
            Unreviewed, rolling out r112155.
            http://trac.webkit.org/changeset/112155
            https://bugs.webkit.org/show_bug.cgi?id=79389
            Hitch (due to style recalc?) when starting CSS3 animation
    
            This caused a number of issues, including:
            https://bugs.webkit.org/show_bug.cgi?id=87146
            https://bugs.webkit.org/show_bug.cgi?id=84194
            <rdar://problem/11506629>
            <rdar://problem/11267408>
            <rdar://problem/11531859>
    
2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118450

    2012-05-24  Anders Carlsson  <andersca@apple.com>

            Corrupted pages rendering when images are zoomed on Google+
            https://bugs.webkit.org/show_bug.cgi?id=87439
            <rdar://problem/11503078>

            Reviewed by Beth Dakin.

            The rect that's given to scrollContentsSlowPath is in frame view coordinates, but if we end up
            passing them to RenderLayer::setBackingNeedsRepaintInRect we need to account for the frame scale factor.

            * page/FrameView.cpp:
            (WebCore::FrameView::scrollContentsSlowPath):

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118411

    2012-05-24  Jer Noble  <jer.noble@apple.com>

            MediaControlTimelineElement is adjusting time 3 times per click
            https://bugs.webkit.org/show_bug.cgi?id=58160

            Reviewed by Eric Carlson.

            No new tests; we intentionally throttle timeupdate events for the same
            movie time, so there is no way to write a layout test for this case.

            Only call setCurrentTime() on mousedown or mousemove events.

            * html/shadow/MediaControlElements.cpp:
            (WebCore::MediaControlTimelineElement::defaultEventHandler):

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118314

    2012-05-23  Jer Noble  <jer.noble@apple.com>

            REGRESSION: compositing/video/video-poster.html fails on Mac
            https://bugs.webkit.org/show_bug.cgi?id=87199

            Reviewed by Maciej Stachowiak.

            No new tests; fixes failing compositing/video/video-poster.html test.

            Instead of creating the video layer directly, simply allow the layer
            to be created in updateStates() by changing the definition of
            isReadyForVideoSetup() to bypass the m_isAllowedToRender check if
            the player reports a video track is present.  This causes the video layer
            to be created and for future calls to prepareForRendering() to result
            in calls to mediaPlayerRenderingModeChanged().

            * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.cpp:
            (WebCore::MediaPlayerPrivateAVFoundation::isReadyForVideoSetup):
            (WebCore::MediaPlayerPrivateAVFoundation::metadataLoaded):

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118087

    2012-05-22  Jer Noble  <jer.noble@apple.com>

            REGRESSION (r98359): Video does not render on http://panic.com/dietcoda/
            https://bugs.webkit.org/show_bug.cgi?id=87171

            Reviewed by Maciej Stachowiak.

            No new tests; behavior is very timing specific and only occurs on a subset of all platforms.

            Instead of calling prepareForRendering() from metadataLoaded(), which may fail and cause subsequent
            calls to prepareForRendering() to short circuit, call createVideoLayer() directly, which achieves
            the original goals of the fix for http://webkit.org/b/70448, but without breaking subsequent calls
            to prepareForRendering() if called at the wrong time.

            * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.cpp:
            (WebCore::MediaPlayerPrivateAVFoundation::metadataLoaded):

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 116319

    2012-05-07  Nat Duca  <nduca@chromium.org>

            Unreviewed, rolling out r115525.
            http://trac.webkit.org/changeset/115525
            https://bugs.webkit.org/show_bug.cgi?id=66683

            Too many pages rely on DOMTimeStamp as first argument.
            Reverting while we consider next steps.

            * WebCore.exp.in:
            * bindings/js/JSRequestAnimationFrameCallbackCustom.cpp:
            (WebCore::JSRequestAnimationFrameCallback::handleEvent):
            * dom/Document.cpp:
            (WebCore::Document::serviceScriptedAnimations):
            * dom/Document.h:
            (Document):
            * dom/RequestAnimationFrameCallback.h:
            (RequestAnimationFrameCallback):
            * dom/RequestAnimationFrameCallback.idl:
            * dom/ScriptedAnimationController.cpp:
            (WebCore::ScriptedAnimationController::ScriptedAnimationController):
            (WebCore::ScriptedAnimationController::serviceScriptedAnimations):
            (WebCore):
            (WebCore::ScriptedAnimationController::windowScreenDidChange):
            (WebCore::ScriptedAnimationController::scheduleAnimation):
            (WebCore::ScriptedAnimationController::animationTimerFired):
            * dom/ScriptedAnimationController.h:
            (ScriptedAnimationController):
            (WebCore::ScriptedAnimationController::displayRefreshFired):
            * page/FrameView.cpp:
            (WebCore::FrameView::serviceScriptedAnimations):
            * page/FrameView.h:
            (FrameView):
            * platform/graphics/DisplayRefreshMonitor.cpp:
            (WebCore::DisplayRefreshMonitor::DisplayRefreshMonitor):
            (WebCore::DisplayRefreshMonitor::notifyClients):
            * platform/graphics/DisplayRefreshMonitor.h:
            (DisplayRefreshMonitor):
            * platform/graphics/blackberry/DisplayRefreshMonitorBlackBerry.cpp:
            (WebCore::DisplayRefreshMonitor::displayLinkFired):
            * platform/graphics/mac/DisplayRefreshMonitorMac.cpp:
            (WebCore):
            (WebCore::DisplayRefreshMonitor::requestRefreshCallback):
            (WebCore::DisplayRefreshMonitor::displayLinkFired):

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Rollout 115573

    2012-04-26  Emil A Eklund  <eae@chromium.org> and Levi Weintraub  <leviw@chromium.org>
    
            Move Length and CSS length computation to float
            https://bugs.webkit.org/show_bug.cgi?id=84801
    
            Reviewed by Eric Seidel.
    
            Change Length and CSS length computation to floating point. This gets us
            closer to the goal of supporting subpixel layout and improves precision
            for SVG which already uses floating point for its layout.
    
            This change makes computedStyle return fractional values for pixel values
            if a fraction is specified. It also changes the result of computations
            where two or more values with fractional precision. Prior to this change
            the result of Length(2.9) + Length(2.9) would be 4 as each value would be
            floored. With this change the result is 5 as the addition is done with
            floating point precision and then the result will be floored. Once we
            enable subpixel layout the resulting value in this example would be 5.8.
    
            Updated existing layout tests.
    
            * css/CSSComputedStyleDeclaration.cpp:
            (WebCore::zoomAdjustedPixelValue):
            * css/CSSPrimitiveValue.cpp:
            (WebCore::CSSPrimitiveValue::computeLength):
            * css/CSSPrimitiveValue.h:
            (WebCore):
            (WebCore::roundForImpreciseConversion):
            Add specialized float version of roundForImpreciseConversion that matches
            the int versions rounding logic.
            
            If a value is sufficiently close to the next integer round it up to
            ensure that a style rule such as "width: 4.999px" evaluates to 5px
            instead of 4px. This is needed as, although Lengths are using floating
            point, the layout system still uses integer precision and floors the
            Length values.
            This will change once we move to FractionalLayoutUnits but for now this
            is needed to ensure compatibility with the existing system and tests.
            
            Without this specialized rounding logic we fail a handful of tests
            including acid3.
            
            * platform/Length.h:
            (WebCore::Length::value):
            (Length):
            (WebCore::Length::intValue):
            * rendering/RenderTableCell.cpp:
            (WebCore::RenderTableCell::styleOrColLogicalWidth):
    
2012-05-28  Lucas Forschler  <lforschler@apple.com>

    Merge 118399

    2012-05-24  Jessie Berlin  <jberlin@apple.com>

            REGRESSION(r109663) All the dom/html/level2/html/HTMLFrameElement* tests crash on Windows
            https://bugs.webkit.org/show_bug.cgi?id=87410

            Reviewed by Anders Carlsson.

            Do not pass a reference type to va_start (see r75435).

            * platform/LocalizedStrings.cpp:
            (WebCore::formatLocalizedString):

2012-05-28  Lucas Forschler  <lforschler@apple.com>

    Merge 118397

    2012-05-24  Alexey Proskuryakov  <ap@apple.com>

            [WK2] Let the client give local files universal access on a case by case basis
            https://bugs.webkit.org/show_bug.cgi?id=87174
            <rdar://problem/11024330>

            Reviewed by Maciej Stachowiak.

            * dom/Document.cpp: (WebCore::Document::initSecurityContext): When settings->allowUniversalAccessFromFileURLs()
            is false, also try asking the client for an indulgence.

            * loader/FrameLoaderClient.h: (WebCore::FrameLoaderClient::shouldForceUniversalAccessFromLocalURL):
            Default implementation doesn't change anything.

2012-05-28  Lucas Forschler  <lforschler@apple.com>

    Merge 118039

    2012-05-22  Vitaly Buka  <vitalybuka@chromium.org>

            Fix iframe printing.
            https://bugs.webkit.org/show_bug.cgi?id=85118

            Reviewed by Darin Adler, Eric Seidel.

            Patch fixed two issues by disabling special handling of subframes for printing.
            1. Regression. Division by zero when forceLayoutForPagination called for subframes
            and page sizes set to zero.
            2. Old issue. RendererView adjusted layout of subframes for printing and set invalid
            dimensions. Sometimes it caused missing iframe when printed.

            Test: printing/iframe-print.html

            * page/Frame.cpp:
            (WebCore::Frame::setPrinting): Calls forceLayoutForPagination for root frames only.
            (WebCore::Frame::resizePageRectsKeepingRatio): Added ASSERTs to catch division by zero.
            * rendering/RenderView.cpp: Replaced printing() with shouldUsePrintingLayout() for most calls.
            (WebCore::RenderView::computeLogicalHeight):
            (WebCore::RenderView::computeLogicalWidth):
            (WebCore::RenderView::layout):
            (WebCore::RenderView::shouldUsePrintingLayout): Returns true only if printing enabled and it's a root frame.
            (WebCore::RenderView::viewRect):
            (WebCore::RenderView::viewHeight):
            (WebCore::RenderView::viewWidth):
            * rendering/RenderView.h:

2012-05-24  Lucas Forschler  <lforschler@apple.com>

    Merge 118204

    2012-05-22  Jer Noble  <jer.noble@apple.com>

            PlatformClockCM has uninitialized m_rate member.
            https://bugs.webkit.org/show_bug.cgi?id=87217

            Reviewed by Eric Carlson.

            Test: media/media-controller-time.html

            Initialize the m_rate member to a default of 1 (second-per-second), matching the implementation
            of ClockGeneric.

            * platform/mac/PlatformClockCM.mm:
            (PlatformClockCM::PlatformClockCM):

2012-05-24  Lucas Forschler  <lforschler@apple.com>

    Merge 118086

    2012-05-22  Tim Horton  <timothy_horton@apple.com>

            Add a quirk for applications that depend on the relative ordering of progressCompleted/didFinishLoad
            https://bugs.webkit.org/show_bug.cgi?id=87178
            <rdar://problem/11468434>

            Reviewed by Maciej Stachowiak.

            Some applications depend on the relative ordering of progressCompleted/didFinishLoad, which was changed
            to be more correct in http://trac.webkit.org/changeset/94105. For applications built before 94105, we can
            provide the old behavior. For the time being, this will only apply to Mail.app.

            No new tests, will not affect behavior for any application except Mail.

            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::checkLoadCompleteForThisFrame):
            * page/Settings.cpp:
            (WebCore::Settings::Settings):
            * page/Settings.h:
            (WebCore::Settings::setNeedsDidFinishLoadOrderQuirk):
            (WebCore::Settings::needsDidFinishLoadOrderQuirk):

2012-05-24  Lucas Forschler  <lforschler@apple.com>

    Merge 117471

    2012-05-16  Andreas Kling  <kling@webkit.org>

            Make PluginInfoStore properly thread-safe.
            <http://webkit.org/b/86648>
            <rdar://problem/11451178>

            Reviewed by Darin Adler.

            * plugins/PluginData.h:
            (WebCore::MimeClassInfo::isolatedCopy):
            (WebCore::PluginInfo::isolatedCopy):

2012-05-23  Lucas Forschler  <lforschler@apple.com>

    Merge 117744

    2012-05-18  Andreas Kling  <kling@webkit.org>

            REGRESSION(r117501): IconDatabase asserts on startup in synchronousIconForPageURL().
            <http://webkit.org/b/86935>
            <rdar://problem/11480012>

            Reviewed by Anders Carlsson.

            - Correctly set m_retainOrReleaseIconRequested to true in retainIconForPageURL().
              This was causing the assertions, as we would end up doing nothing until the first
              icon release request came in.

            - Require that m_urlsToRetainOrReleaseLock be held when accessing m_retainOrReleaseIconRequested.
              This removes a possible race condition in double checked locking.

            - Swap over the retain/release work queues while holding m_urlsToRetainOrReleaseLock
              and release it right away to avoid sitting on the lock while updating the database.

            * loader/icon/IconDatabase.cpp:
            (WebCore::IconDatabase::synchronousIconForPageURL):
            (WebCore::IconDatabase::retainIconForPageURL):
            (WebCore::IconDatabase::releaseIconForPageURL):
            (WebCore::IconDatabase::retainedPageURLCount):
            (WebCore::IconDatabase::performURLImport):
            (WebCore::IconDatabase::syncThreadMainLoop):
            (WebCore::IconDatabase::performPendingRetainAndReleaseOperations):
            * loader/icon/IconDatabase.h:
            (IconDatabase):

2012-05-23  Lucas Forschler  <lforschler@apple.com>

    Merge 117625

    2012-05-18  Viatcheslav Ostapenko  <ostapenko.viatcheslav@nokia.com>

            [Qt] REGRESSION(r117501): It made almost all tests assert in debug mode
            https://bugs.webkit.org/show_bug.cgi?id=86854

            Reviewed by Andreas Kling.

            Initialize boolean flag in constructor and recheck the flag which can be 
            modified by another thread under mutex.

            No new tests, fixes regression that caused layout test crash.

            * loader/icon/IconDatabase.cpp:
            (WebCore::IconDatabase::IconDatabase):
            (WebCore::IconDatabase::syncThreadMainLoop):

2012-05-23  Lucas Forschler  <lforschler@apple.com>

    Merge 117501

    2012-05-15  Andreas Kling  <kling@webkit.org>

            IconDatabase: Move icon retain/release off of the main thread.
            <http://webkit.org/b/85799>
            <rdar://problem/9507113>

            Reviewed by Brady Eidson.

            Batch up the retain/release operations and execute them as part of the sync thread loop.
            The batch execution is guarded by a new mutex (m_urlsToRetainOrReleaseLock.)
            This avoids blocking the main thread on m_urlAndIconLock for basic retain/release.

            There is one exception; if there are pending retain/release operations in synchronousIconForPageURL,
            it will acquire the lock and flush the operations.

            There should be no behavior change, this is only meant to reduce lock contention.

            * loader/icon/PageURLRecord.h:
            (WebCore::PageURLRecord::retain):
            (WebCore::PageURLRecord::release):

                Added a 'count' argument to these so we can batch up the operations in IconDatabase.

            * loader/icon/IconDatabase.h:
            * loader/icon/IconDatabase.cpp:
            (WebCore::IconDatabase::performScheduleOrDeferSyncTimer):
            (WebCore::IconDatabase::performScheduleOrDeferSyncTimerOnMainThread):
            (WebCore::IconDatabase::scheduleOrDeferSyncTimer):

                Perform the timer scheduling on the main thread as it can be done on a different
                thread by way of retainIconForPageURL or releaseIconForPageURL.

            (WebCore::IconDatabase::synchronousIconForPageURL):
            (WebCore::IconDatabase::retainIconForPageURL):
            (WebCore::IconDatabase::performRetainIconForPageURL):
            (WebCore::IconDatabase::releaseIconForPageURL):
            (WebCore::IconDatabase::performReleaseIconForPageURL):
            (WebCore::IconDatabase::retainedPageURLCount):
            (WebCore::IconDatabase::IconDatabase):
            (WebCore::IconDatabase::performURLImport):
            (WebCore::IconDatabase::syncThreadMainLoop):
            (WebCore::IconDatabase::performPendingRetainAndReleaseOperations):

2012-05-23  Lucas Forschler  <lforschler@apple.com>

    Merge 116543

    2012-05-03  Shawn Singh  <shawnsingh@chromium.org>

            Hit testing is incorrect in some cases with perspective transforms
            https://bugs.webkit.org/show_bug.cgi?id=79136

            Reviewed by Simon Fraser.

            Tests: transforms/3d/hit-testing/coplanar-with-camera.html
                   transforms/3d/hit-testing/perspective-clipped.html

            * platform/graphics/transforms/TransformationMatrix.cpp:
            (WebCore::TransformationMatrix::projectPoint): Fix a
            divide-by-zero error so that values do not become Inf or Nan. Also
            fix an overflow error by using a large, but not-too-large constant
            to represent infinity.

            (WebCore::TransformationMatrix::projectQuad): Fix an error where
            incorrect quads were being returned. Incorrect quads can occur
            when projectPoint clamped==true after returning.

2012-05-23  Lucas Forschler  <lforschler@apple.com>

    Merge 116486

    2012-05-08  Benjamin Poulain  <bpoulain@apple.com>

            [JSC] Regression: addEventListener() and removeEventListener() raise an exception on missing args
            https://bugs.webkit.org/show_bug.cgi?id=85928

            Reviewed by Geoffrey Garen.

            The functions addEventListener() and removeEventListener() raise an exception if there are missing arguments.
            This behavior breaks existing content.

            This patch changes the code generator of JavaScript core to have an exception for addEventListener() and removeEventListener().
            For those functions, we do not raise an exception on missing argument.

            This patch does not modify the V8 code generator because such exceptions are already in place there.

            Tests: fast/dom/Window/window-legacy-event-listener.html
                   fast/dom/XMLHttpRequest-legacy-event-listener.html
                   fast/dom/node-legacy-event-listener.html

            * bindings/scripts/CodeGeneratorJS.pm:
            (GenerateImplementation):

2012-05-23  Lucas Forschler  <lforschler@apple.com>

    Merge 116319

    2012-05-07  Nat Duca  <nduca@chromium.org>

            Unreviewed, rolling out r115525.
            http://trac.webkit.org/changeset/115525
            https://bugs.webkit.org/show_bug.cgi?id=66683

            Too many pages rely on DOMTimeStamp as first argument.
            Reverting while we consider next steps.

            * WebCore.exp.in:
            * bindings/js/JSRequestAnimationFrameCallbackCustom.cpp:
            (WebCore::JSRequestAnimationFrameCallback::handleEvent):
            * dom/Document.cpp:
            (WebCore::Document::serviceScriptedAnimations):
            * dom/Document.h:
            (Document):
            * dom/RequestAnimationFrameCallback.h:
            (RequestAnimationFrameCallback):
            * dom/RequestAnimationFrameCallback.idl:
            * dom/ScriptedAnimationController.cpp:
            (WebCore::ScriptedAnimationController::ScriptedAnimationController):
            (WebCore::ScriptedAnimationController::serviceScriptedAnimations):
            (WebCore):
            (WebCore::ScriptedAnimationController::windowScreenDidChange):
            (WebCore::ScriptedAnimationController::scheduleAnimation):
            (WebCore::ScriptedAnimationController::animationTimerFired):
            * dom/ScriptedAnimationController.h:
            (ScriptedAnimationController):
            (WebCore::ScriptedAnimationController::displayRefreshFired):
            * page/FrameView.cpp:
            (WebCore::FrameView::serviceScriptedAnimations):
            * page/FrameView.h:
            (FrameView):
            * platform/graphics/DisplayRefreshMonitor.cpp:
            (WebCore::DisplayRefreshMonitor::DisplayRefreshMonitor):
            (WebCore::DisplayRefreshMonitor::notifyClients):
            * platform/graphics/DisplayRefreshMonitor.h:
            (DisplayRefreshMonitor):
            * platform/graphics/blackberry/DisplayRefreshMonitorBlackBerry.cpp:
            (WebCore::DisplayRefreshMonitor::displayLinkFired):
            * platform/graphics/mac/DisplayRefreshMonitorMac.cpp:
            (WebCore):
            (WebCore::DisplayRefreshMonitor::requestRefreshCallback):
            (WebCore::DisplayRefreshMonitor::displayLinkFired):

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117652

    2012-05-18  Dan Bernstein  <mitz@apple.com>

            Build fix after r117607.

            * platform/mac/WebCoreNSCellExtras.m:

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117607

    2012-05-18  Dan Bernstein  <mitz@apple.com>

            <rdar://problem/11467250> No focus ring around popup buttons

            Reviewed by Anders Carlsson.

            The exact same issue was fixed for buttons drawn in ThemeMac.mm in <rdar://problem/10542095>.
            This change extends the fix to also cover buttons drawn in RenderThemeMac.mm.

            * WebCore.xcodeproj/project.pbxproj: Added WebCoreNSCellExtras.{h.m}.
            * platform/mac/ThemeMac.mm: Removed the definitions of BUTTON_CELL_DRAW_WITH_FRAME_DRAWS_FOCUS_RING
            and -[NSCell _web_drawFocusRingWithFrame:inView:] from here. They are now in WebCoreNSCellExtras.
            * platform/mac/WebCoreNSCellExtras.h: Added.
            * platform/mac/WebCoreNSCellExtras.m: Added.
            (-[NSCell _web_drawFocusRingWithFrame:inView:]): Moved from ThemeMac.mm here.
            * rendering/RenderThemeMac.mm:
            (WebCore::RenderThemeMac::paintMenuList): Changed to use -_web_drawFocusRingWithFrame:inView:.
            (WebCore::RenderThemeMac::setPopupButtonCellState): Removed call to updateFocusedState() when
            the focus ring is drawn separately.

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117537

    2012-05-17  Dan Bernstein  <mitz@apple.com>

            <rdar://problem/11419933> Problems with flipped writing modes and compositing
            https://bugs.webkit.org/show_bug.cgi?id=86032

            Reviewed by Anders Carlsson.

            Test: compositing/bounds-in-flipped-writing-mode.html

            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::calculateLayerBounds): Apply a writing-mode flip to the bounding box
            if needed.

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117502

    2012-05-17  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=86266
            r112643/r116697 break Webview form input fields
            -and corresponding-
            <rdar://problem/11400430>

            Reviewed by Dan Bernstein.

            There is a recent history of changes in this area that seem worth documenting.
            First was the change to switch to using NSTextFieldCell to draw text fields: 
            http://trac.webkit.org/changeset/104240

            That led to problems because of the clear background that I thought at the time 
            were specific to MountainLion. To fix that, I made this change:
            http://trac.webkit.org/changeset/110480

            But that change resulted in styled text fields getting an un-themed border, which 
            led to this change on the branch: http://trac.webkit.org/changeset/112643 and a 
            change on TOT that was identical for Lion and SnowLeopard but introduced new 
            behavior for MountainLion: http://trac.webkit.org/changeset/116697

            And that brings us to this bug, where it turns out the clear background is a 
            problem on Lion and SnowLeopard too. This patch fixes the bug by using the 
            original WebCoreSystemInterface function to paint all text fields on Lion and 
            SnowLeopard that are styled. This is what we used to paint all text fields before 
            r104240, which is the first change listed above. Un-styled text fields will still 
            use NSTextFieldCell on these platforms, but with a hardcoded white background.

            * rendering/RenderThemeMac.h:
            (RenderThemeMac):
            * rendering/RenderThemeMac.mm:
            (WebCore::RenderThemeMac::paintTextField):
            (WebCore::RenderThemeMac::textField):

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117366

    2012-05-16  Jon Lee  <jonlee@apple.com>

            Animated GIFs in page cache get updated
            https://bugs.webkit.org/show_bug.cgi?id=86668
            <rdar://problem/11395549>

            Reviewed by Brady Eidson.

            Test: fast/loader/image-in-page-cache.html

            * rendering/RenderImage.cpp:
            (WebCore::RenderImage::imageChanged): When we are notified by the CachedImage that the image has
            changed, we check to see if the document is in the page cache. If so, we should not be updating,
            so we bail out early.

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117365

    2012-05-16  Tim Horton  <timothy_horton@apple.com>

            Crash if SVG gradient stop has display: none set
            https://bugs.webkit.org/show_bug.cgi?id=86686
            <rdar://problem/10751905>

            Reviewed by Dean Jackson.

            Create a renderer for SVGStopElement regardless of the "display" property.
            This matches the behavior of Opera and the SVG specification.

            Test: svg/custom/gradient-stop-display-none-crash.svg

            * svg/SVGStopElement.cpp:
            (WebCore::SVGStopElement::rendererIsNeeded):
            (WebCore):
            * svg/SVGStopElement.h:
            (SVGStopElement):

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117326

    2012-05-16  Jer Noble  <jer.noble@apple.com>

            <video> elements with no video tracks report false for webkitSupportsFullscreen.
            https://bugs.webkit.org/show_bug.cgi?id=86650

            Reviewed by Eric Carlson.

            No new tests; updated media/media-fullscreen-inline.html.

            With the new Full Screen API, the restriction that only video elements with
            video tracks can enter full screen seems arbitrary. Some media types will
            occasionally determine they have video tracks long after loadedmetadata, which
            breaks websites who check for webkitSupportsFullscreen(). Relax the restriction
            on webkitSupportsFullscreen() for ports where the Full Screen API is enabled and
            supported so as to no longer require hasVideo().

            * html/HTMLVideoElement.cpp:
            (WebCore::HTMLVideoElement::supportsFullscreen):

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117314

    2012-05-16  Tim Horton  <timothy_horton@apple.com>

            Scrollbar layers should respect accelerated drawing setting
            https://bugs.webkit.org/show_bug.cgi?id=86644
            <rdar://problem/11462038>

            Reviewed by Simon Fraser.

            When creating scrollbar layers, pass through the accelerated drawing setting.

            No new tests.

            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::updateOverflowControlsLayers):

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117313

    2012-05-16  Tim Horton  <timothy_horton@apple.com>

            FrameView::scrollContentsFastPath should use painted area to determine whether to drop out of the fast path
            https://bugs.webkit.org/show_bug.cgi?id=86651
            <rdar://problem/11459243>

            Reviewed by Simon Fraser.

            Previously, we decided to fall out of the fast scrolling path by the number of fixed-position elements
            on the page. This was less than ideal if a single fixed position element took up a significant portion
            of the page, or if there were many small, cheap-to-paint fixed elements.

            Instead, we should use the fast path if less than 50% of the page will be repainted by fixed-position
            elements, and otherwise fall back to the slow path.

            I've tested a few different thresholds with an internal test; 50% seems to work relatively well,
            but the ideal value is hard to determine and likely depends on hardware.

            No new tests, performance improvement with few large fixed-position objects or many small ones.

            * page/FrameView.cpp:
            (WebCore::FrameView::scrollContentsFastPath):

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117336

    2012-05-16  Jeffrey Pfau  <jpfau@apple.com>

            ImageLoader can still dispatch beforeload events for ImageDocuments
            https://bugs.webkit.org/show_bug.cgi?id=86658
            <rdar://problem/11465863>

            Reviewed by Brady Eidson.

            Prevent flags regarding sending beforeload events from being set on ImageDocuments.

            No new tests; testing framework doesn't allow for testing ImageDocuments with injected JavaScript.

            * loader/ImageLoader.cpp:
            (WebCore::ImageLoader::updateFromElement):

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117185

    2012-05-15  Jeffrey Pfau  <jpfau@apple.com>

            ImageDocuments erroneously trigger beforeload events for the main resource
            https://bugs.webkit.org/show_bug.cgi?id=86543
            <rdar://problem/11309013>

            Reviewed by Brady Eidson.

            No new tests; testing framework doesn't allow for testing ImageDocuments with injected JavaScript.

            * loader/ImageLoader.cpp:
            (WebCore::ImageLoader::updateFromElement):

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 116864

    2012-05-12  Abhishek Arya  <inferno@chromium.org>

            Crash in HTMLSelectElement::setOption
            https://bugs.webkit.org/show_bug.cgi?id=85420

            Reviewed by Eric Seidel.

            RefPtr before option in HTMLSelectElement::setOption since it
            can get destroyed due to mutation events.

            Test: fast/dom/HTMLSelectElement/option-add-crash.html

            * html/HTMLSelectElement.cpp:
            (WebCore::HTMLSelectElement::setOption):

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 116595

    2012-05-09  Jessie Berlin  <jberlin@apple.com>

            Crash using the new WKBundleDOMWindowExtensions APIs.
            https://bugs.webkit.org/show_bug.cgi?id=85888

            Reviewed by Brady Eidson.

            WKBundlePageWillDestroyGlobalObjectForDOMWindowExtensionCallback was only being invoked when
            the WKPage was destroyed, and then only for the child frames. In addition, the
            DOMWindowExtension was holding onto a destroyed DOMWindow and attempting to unregister from
            it when the WK2 wrapper object was attempting to destroy the DOMWindowExtension.

            The underlying issue here was that the DOMWindowProperties were getting disconnectFrame
            and willDetachPage called on them at the wrong times.

            Rename DOMWindowProperty::disconnectFrame and reconnectFrame to disconnectFrameForPageCache
            and reconnectFrameFromPageCache for clarity.

            Only invoke DOMWindowProperty::disconnectFrameForPageCache when the frame is going into the
            page cache.

            In the cases where the DOMWindow is getting destroyed, the frame is being destroyed, or the
            DOMWindow is getting cleared because the frame is being navigated, invoke
            DOMWindowProperty::willDestroyGlobalObjectInFrame instead of disconnectFrame.

            Invoke DOMWindowProperty::willDetachGlobalObjectFromFrame when a document is being detached
            because the frame has been detached (e.g. fast/storage/storage-detached-iframe.html) and
            won't be immediately destroyed.

            Invoke DOMWindowProperty::willDestroyGlobalObjectInCachedFrame when a cached frame is
            being destroyed.

            New WK2 API Test: DOMWindowExtensionNoCache.

            * Modules/indexeddb/DOMWindowIndexedDatabase.cpp:
            (WebCore::DOMWindowIndexedDatabase::disconnectFrameForPageCache):
            Updated for disconnectFrame rename.
            (WebCore::DOMWindowIndexedDatabase::reconnectFrameFromPageCache):
            Updated for reconnectFrame rename.
            (WebCore::DOMWindowIndexedDatabase::willDestroyGlobalObjectInCachedFrame):
            Get rid of the suspended IDBFactory.
            (WebCore::DOMWindowIndexedDatabase::willDestroyGlobalObjectInFrame):
            Get rid of the IDBFactory.
            (WebCore::DOMWindowIndexedDatabase::willDetachGlobalObjectFromFrame):
            Ditto.
            * Modules/indexeddb/DOMWindowIndexedDatabase.h:

            * dom/Document.cpp:
            (WebCore::Document::prepareForDestruction):
            Tell the DOMWindow before detaching the Document.
            * dom/Document.h:

            * history/CachedFrame.cpp:
            (WebCore::CachedFrame::destroy):
            Tell the DOMWindow.

            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::clear):
            Use Document::prepareForDestruction so that the DOMWindow is told about the main frame
            navigation before detaching the Document.

            * loader/appcache/DOMApplicationCache.cpp:
            (WebCore::DOMApplicationCache::disconnectFrameForPageCache):
            Updated for the disconnectFrame rename.
            (WebCore::DOMApplicationCache::reconnectFrameFromPageCache):
            Updated for the reconnectFrame rename.
            (WebCore::DOMApplicationCache::willDestroyGlobalObjectInFrame):
            Cover the cases formerly covered by disconnectFrame (which was sometimes being called when
            the frame was destroyed).
            * loader/appcache/DOMApplicationCache.h:

            * notifications/DOMWindowNotifications.cpp:
            (WebCore::DOMWindowNotifications::disconnectFrameForPageCache):
            Updated for the disconnectFrame rename.
            (WebCore::DOMWindowNotifications::reconnectFrameFromPageCache):
            Updated for the reconnectFrame rename.
            (WebCore::DOMWindowNotifications::willDestroyGlobalObjectInCachedFrame):
            Get rid of the suspended notification center.
            (WebCore::DOMWindowNotifications::willDestroyGlobalObjectInFrame):
            Get rid of the notification center.
            (WebCore::DOMWindowNotifications::willDetachGlobalObjectFromFrame):
            Do not allow use of the notification center by detached frames.
            * notifications/DOMWindowNotifications.h:

            * page/DOMWindow.cpp:
            (WebCore::DOMWindow::clearDOMWindowProperties):
            Do not call disconnectDOMWindowProperties. It is now the responsibility of the callers to
            tell the DOMWindowProperties the correct cause of being cleared.
            (WebCore::DOMWindow::~DOMWindow):
            Make sure the DOMWindowProperties still know that the DOMWindow is going away.
            (WebCore::DOMWindow::frameDestroyed):
            Invoke willDestroyGlobalObjectInFrame on the DOMWindowProperties.
            (WebCore::DOMWindow::willDetachPage):
            It is no longer necessary to tell the DOMWindowProperties anything here.
            (WebCore::DOMWindow::willDestroyCachedFrame):
            Tell the DOMWindowProperties.
            (WebCore::DOMWindow::willDestroyDocumentInFrame):
            Ditto.
            (WebCore::DOMWindow::willDetachDocumentFromFrame):
            Ditto.
            (WebCore::DOMWindow::clear):
            Ditto.
            (WebCore::DOMWindow::disconnectDOMWindowProperties):
            Updated for the disconnectFrame rename.
            (WebCore::DOMWindow::reconnectDOMWindowProperties):
            Ditto.
            * page/DOMWindow.h:

            * page/DOMWindowExtension.cpp:
            (WebCore::DOMWindowExtension::DOMWindowExtension):
            Move the responsibility for tracking the disconnected DOMWindow to DOMWindowProperty, since
            DOMWindowProperty will need it to unregister the property when a cached frame is destroyed.
            (WebCore::DOMWindowExtension::disconnectFrameForPageCache):
            Remove the code to check for disconnectFrame being called twice - it is now only called when
            a frame goes into the page cache.
            Let the DOMWindowProperty keep track of the disconnected DOMWindow.
            (WebCore::DOMWindowExtension::reconnectFrameFromPageCache):
            Let the DOMWindowProperty keep track of the disconnected DOMWindow.
            (WebCore::DOMWindowExtension::willDestroyGlobalObjectInCachedFrame):
            Dispatch the willDestroyGlobalObjectForDOMWindowExtension callback.
            (WebCore::DOMWindowExtension::willDestroyGlobalObjectInFrame):
            Ditto, but only if the callback hasn't already been sent because the frame has been detached.
            (WebCore::DOMWindowExtension::willDetachGlobalObjectFromFrame):
            Send the callback because nothing interesting can be done in the frame once it has been
            detached.
            * page/DOMWindowExtension.h:

            * page/DOMWindowProperty.cpp:
            (WebCore::DOMWindowProperty::DOMWindowProperty):
            Keep track of the disconnected DOMWindow so it can be used to unregister the property when a
            cached frame is destroyed.
            (WebCore::DOMWindowProperty::~DOMWindowProperty):
            Also unregister the property when a DOMWindowProperty for a cached frame is destroyed.
            (WebCore::DOMWindowProperty::disconnectFrameForPageCache):
            Keep track of the disconnected DOMWindow.
            (WebCore::DOMWindowProperty::reconnectFrameFromPageCache):
            Ditto.
            (WebCore::DOMWindowProperty::willDestroyGlobalObjectInCachedFrame):
            Unregister the property from the disconnected DOMWindow.
            (WebCore::DOMWindowProperty::willDestroyGlobalObjectInFrame):
            Unregister the property from the DOMWindow and stop keeping track of the frame.
            (WebCore::DOMWindowProperty::willDetachGlobalObjectFromFrame):
            Do not set m_frame to 0 because detached frames still have access to the DOMWindow, even if
            they can't do anything meaningful with it.
            * page/DOMWindowProperty.h:

            * page/Frame.cpp:
            (WebCore::Frame::setView):
            Tell the DOMWindow that the Document is being detached so it can tell the
            DOMWindowProperties.

            * page/PointerLock.cpp:
            (WebCore::PointerLock::disconnectFrameForPageCache):
            Updated for disconnectFrame rename.
            (WebCore::PointerLock::willDestroyGlobalObjectInFrame):
            Cover the cases formerly covered by disconnectFrame (which was sometimes being called when
            the frame was destroyed).
            * page/PointerLock.h:

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 117196

    2012-05-15  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=86549
            Page Scale + Tiled Drawing: Twitter sign in page content disappears 
            after typing into name and enabling password field
            -and corresponding-
            <rdar://problem/11415352>

            Reviewed by Oliver Hunt.

            The enormous rect we used to use would overflow in CA and do nothing 
            when there was any scale > 1 on the context. Instead, just call 
            setNeedsDisplay on each tile.
            * platform/graphics/ca/mac/TileCache.mm:
            (WebCore::TileCache::setNeedsDisplay):

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 117165

    2012-05-15  Jer Noble  <jer.noble@apple.com>

            r117147 causes a null-deref crash in DOMImplementation::createDocument()
            https://bugs.webkit.org/show_bug.cgi?id=86532

            Reviewed by James Robinson.

            No new tests, but fixes many crashing tests.

            Protect against the possibility of being passed a NULL frame in
            DOMImplementation::createDocument().

            * dom/DOMImplementation.cpp:
            (WebCore::DOMImplementation::createDocument):

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 117158

    2012-05-15  Jer Noble  <jer.noble@apple.com>

            Unreviewed build fix [Qt].

            Protect the definition of DOMImplementationSupportsTypeClient class with
            #if ENABLE(VIDEO) so as not to cause compilation errors on ports with
            VIDEO disabled.

            * dom/DOMImplementation.cpp:

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 117147

    2012-05-14  Jer Noble  <jer.noble@apple.com>

            Site-specific hack: Disclaim WebM as a supported type on Mac for YouTube.
            https://bugs.webkit.org/show_bug.cgi?id=86409

            Reviewed by Darin Adler.

            No new tests; site specific hack.

            Add a Mac-only site-specific hack which disclaims both video/webm and video/x-flv
            as supported types when the media element's document has a host of youtube.com.

            Add a new, pure-virtual prototype class for use by MediaPlayer::supportsType:
            * platform/graphics/MediaPlayer.h:
            (MediaPlayerSupportsTypeClient):
            (WebCore::MediaPlayerSupportsTypeClient::~MediaPlayerSupportsTypeClient):
            (WebCore::MediaPlayerSupportsTypeClient::mediaPlayerNeedsSiteSpecificHacks):
            (WebCore::MediaPlayerSupportsTypeClient::mediaPlayerDocumentHost):

            Use these new client calls to determine whether to apply the site-specific
            hack:
            * platform/graphics/MediaPlayer.cpp:
            (WebCore::MediaPlayer::supportsType):

            Add this prototype class as a superclass of HTMLMediaElement.  Pass in the
            HTMLMediaElement's this pointer when calling MediaPlayer::supportsType():
            * html/HTMLMediaElement.cpp:
            (WebCore::HTMLMediaElement::canPlayType):
            (WebCore::HTMLMediaElement::selectNextSourceChild):
            (WebCore::HTMLMediaElement::mediaPlayerNeedsSiteSpecificHacks):
            (WebCore::HTMLMediaElement::mediaPlayerDocumentHost):
            * html/HTMLMediaElement.h:

            As is HTMLMediaElement, a MediaPlayerSupportsTypeClient class is needed. Add a
            new class DOMImplementationSupportsTypeClient, an instance of which will be 
            passed to MediaPlayer::supportsType():
            * dom/DOMImplementation.cpp:
            (DOMImplementationSupportsTypeClient):
            (WebCore::DOMImplementationSupportsTypeClient::DOMImplementationSupportsTypeClient):
            (WebCore::DOMImplementation::createDocument):
            (WebCore::DOMImplementation::mediaPlayerNeedsSiteSpecificHacks):
            (WebCore::DOMImplementation::mediaPlayerDocumentHost):
            * dom/DOMImplementation.h:

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 117129

    2012-05-15  Anders Carlsson  <andersca@apple.com>

            Use unaccelerated scrolling deltas when rubber-banding
            https://bugs.webkit.org/show_bug.cgi?id=86503
            <rdar://problem/11378742>

            Reviewed by Sam Weinig.

            * WebCore.exp.in:
            * platform/PlatformWheelEvent.h:
            (WebCore::PlatformWheelEvent::PlatformWheelEvent):
            (PlatformWheelEvent):
            (WebCore::PlatformWheelEvent::scrollCount):
            (WebCore::PlatformWheelEvent::unacceleratedScrollingDeltaX):
            (WebCore::PlatformWheelEvent::unacceleratedScrollingDeltaY):
            Add scroll count and unaccelerated scrolling deltas.

            * platform/mac/ScrollElasticityController.mm:
            (WebCore::elasticDeltaForTimeDelta):
            (WebCore::elasticDeltaForReboundDelta):
            (WebCore::reboundDeltaForElasticDelta):
            Call the new WKSI functions.

            (WebCore::ScrollElasticityController::handleWheelEvent):
            Use the unaccelerated scrolling deltas when needed.

            * platform/mac/WebCoreSystemInterface.h:
            * platform/mac/WebCoreSystemInterface.mm:
            Add new WKSI functions.

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 117113

    2012-05-15  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=86506
            REGRESSION (tiled drawing): No scrollbar while page is loading
            -and corresponding-
            <rdar://problem/11444589>

            Reviewed by Anders Carlsson.

            We have always had a mechanism in place to suppress painting overlay 
            scrollbars while the page is loading. However, that mechanism is 
            overridden if the page has been scrolled. It should be, anyway. It was 
            not being overridden when the scrolling was handled as a wheel event by 
            the scrolling tree. This patch takes advantage of the fact that 
            ScrollingTree::handleWheelEvent() already calls back to the main 
            thread for handleWheelEventPhase() and just patches 
            handleWheelEventPhase to mark m_haveScrolledSincePageLoad as true.
            * platform/mac/ScrollAnimatorMac.mm:
            (WebCore::ScrollAnimatorMac::handleWheelEventPhase):

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 117108

    2012-05-15  Andreas Kling  <kling@webkit.org>

            Deep copy PluginModuleInfo before passing across thread boundary.
            <http://webkit.org/b/86491>
            <rdar://problem/11451178>

            Reviewed by Anders Carlsson.

            * plugins/PluginData.h:
            (MimeClassInfo):
            (WebCore::MimeClassInfo::isolatedCopy):
            (PluginInfo):
            (WebCore::PluginInfo::isolatedCopy):

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 117032

    2012-05-14  Tim Horton  <timothy_horton@apple.com>

            RenderLayer::repaintRectIncludingDescendants shouldn't include repaint rects of composited descendants
            https://bugs.webkit.org/show_bug.cgi?id=86429
            <rdar://problem/11445132>

            Reviewed by Simon Fraser.

            Change repaintRectIncludingDescendants to not include repaint rects for composited child layers,
            and rename the function to make it more clear that that's what it does now.

            No new tests, scrolling performance optimization.

            * page/FrameView.cpp:
            (WebCore::FrameView::scrollContentsFastPath):
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::repaintRectIncludingNonCompositingDescendants):
            * rendering/RenderLayer.h:
            (RenderLayer):

2012-05-16  Lucas Forschler  <lforschler@apple.com>

    Merge 117021

    2012-05-14  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=86420
            ScrollbarPainter should support expansionTransitionProgress

            Reviewed by Sam Weinig.

            expansionTransitionProgress works the same as 
            uiStateTransitionProgress. This code just echoes that code, but for 
            expansion instead of uiState.
            * platform/mac/NSScrollerImpDetails.h:
            * platform/mac/ScrollAnimatorMac.mm:
            (supportsExpansionTransitionProgress):
            (-[WebScrollbarPartAnimation setCurrentProgress:]):
            (-[WebScrollbarPainterDelegate cancelAnimations]):
            (-[WebScrollbarPainterDelegate scrollerImp:animateExpansionTransitionWithDuration:]):
            (-[WebScrollbarPainterDelegate invalidate]):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    rollout 116009

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    rollout 116013

2012-05-15  Sam Weinig  <sam@webkit.org>

        <rdar://problem/11401642> ENABLE_IFRAME_SEAMLESS should be turned off on the branch

        Reviewed by Andy Estes.

        * Configurations/FeatureDefines.xcconfig:
        Disable ENABLE_IFRAME_SEAMLESS.

2012-05-15  Sam Weinig  <sam@webkit.org>

        Disable CSS regions
        <rdar://problem/10887709>

        Reviewed by Anders Carlsson.

        * dom/Document.idl:
        #ifdef out webkitGetFlowByName.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116960

    2012-05-14  Eric Carlson  <eric.carlson@apple.com>

            <video> won't load when URL ends with .php
            https://bugs.webkit.org/show_bug.cgi?id=86308

            Reviewed by Darin Adler.

            Test: http/tests/media/video-query-url.html

            * platform/graphics/MediaPlayer.cpp:
            (WebCore::MediaPlayer::MediaPlayer): Initialize m_typeInferredFromExtension.
            (WebCore::MediaPlayer::load): Set m_typeInferredFromExtension appropriately.
            (WebCore::MediaPlayer::loadWithNextMediaEngine): If we don't find a media engine registered
                for a MIME type, and the type was inferred from the extension, give the first registered
                media engine a chance anyway just as we do when there is no MIME type at all.
            * platform/graphics/MediaPlayer.h: Add m_typeInferredFromExtension.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116831

    2012-05-11  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=86278
            Composited layers should only run the overlay scrollbars painting pass 
            if necessary

            Reviewed by Dan Bernstein.

            It's not enough that the rootLayer has dirty scrollbars; we also have 
            to actually be doing the overlay scrollbars painting pass to skip the 
            early return.
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::paintLayer):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116830

    2012-05-11  Anders Carlsson  <andersca@apple.com>

            Comcast website displays bottom of page when loaded
            https://bugs.webkit.org/show_bug.cgi?id=86277
            <rdar://problem/11426887>

            Reviewed by Beth Dakin.

            There were two bugs here. The first bug was that FrameView::setScrollPosition didn't end up calling into the scrolling coordinator
            to update the scroll position. The second bug was that ScrollingTreeNodeMac::setScrollPosition didn't constrain the scroll position
            to the edge of the page.

            * page/FrameView.cpp:
            (WebCore::FrameView::setScrollPosition):
            Call requestScrollPositionUpdate.

            * page/scrolling/ScrollingTree.cpp:
            * page/scrolling/ScrollingTree.h:
            Remove setMainFrameScrollPosition, it is not called by anyone.

            * page/scrolling/mac/ScrollingTreeNodeMac.h:
            * page/scrolling/mac/ScrollingTreeNodeMac.mm:
            (WebCore::ScrollingTreeNodeMac::setScrollPosition):
            Clamp to the page size and call setScrollPositionWithoutContentEdgeConstraints.

            (WebCore::ScrollingTreeNodeMac::setScrollPositionWithoutContentEdgeConstraints):
            Update the scroll layer position and call back to the main thread.

            (WebCore::ScrollingTreeNodeMac::scrollBy):
            Call setScrollPosition.

            (WebCore::ScrollingTreeNodeMac::scrollByWithoutContentEdgeConstraints):
            Call setScrollPositionWithoutContentEdgeConstraints.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116824

    2012-05-11  Anders Carlsson  <andersca@apple.com>

            Can't scroll on webpage after following links from Blogger
            https://bugs.webkit.org/show_bug.cgi?id=86274
            <rdar://problem/11431352>

            Reviewed by Beth Dakin.

            When committing a new scroll layer, make sure to reset the scroll position.

            * page/scrolling/ScrollingTree.cpp:
            (WebCore::ScrollingTree::commitNewTreeState):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116821

    2012-05-10  Timothy Hatcher  <timothy@apple.com>

            Instrument timer function calls so they show up in the Web Inspector Timeline.

            https://webkit.org/b/86173

            Reviewed by Pavel Feldman.

            Test: inspector/timeline/timeline-timer.html

            * bindings/js/ScheduledAction.cpp:
            (WebCore::ScheduledAction::executeFunctionInContext): Wrap the call with JSMainThreadExecState::instrumentFunctionCall
            and InspectorInstrumentation::didCallFunction.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116799

    2012-05-11  Tim Horton  <timothy_horton@apple.com>

            FrameView->m_lastPaintTime is not updated in the tiled drawing case
            https://bugs.webkit.org/show_bug.cgi?id=86246
            <rdar://problem/11248475>

            Reviewed by Simon Fraser.

            Update FrameView's m_lastPaintTime from RenderLayerBacking::paintContents
            if the RenderLayerBacking is backing a tiled drawing layer.

            In the future we might want to consider updating m_lastPaintTime when any
            compositing layer is painted into, but this change gets us on par with the
            non-tiled-drawing case as it stands now.

            No new tests.

            * page/FrameView.h:
            (WebCore::FrameView::setLastPaintTime):
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::paintContents):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116832

    2012-05-11  Jeffrey Pfau  <jpfau@apple.com>

            REGRESSION (r114170): Scroll areas in nested frames improperly placed when tiled drawing is enabled
            https://bugs.webkit.org/show_bug.cgi?id=86239

            Reviewed by Anders Carlsson.

            Fixes a regression introduced in r114170 by recursively adding positions of parent frames to placement of nested frame scroll areas.

            Manual tests: ManualTests/scrollable-positioned-frame.html
                          ManualTests/scrollable-positioned-nested-frame.html

            * page/scrolling/ScrollingCoordinator.cpp:
            (WebCore::computeNonFastScrollableRegion):
            (WebCore::ScrollingCoordinator::frameViewLayoutUpdated):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116720

    2012-05-10  Anders Carlsson  <andersca@apple.com>

            PDF files won't scroll in Safari when using Adobe plug-in
            https://bugs.webkit.org/show_bug.cgi?id=86167
            <rdar://problem/11389719>

            Reviewed by Sam Weinig.

            * page/scrolling/ScrollingCoordinator.cpp:
            (WebCore::computeNonFastScrollableRegion):
            Loop over the frame view children looking for plug-in views that want wheel events
            and add them to the non-fast scrollable region. Ideally, the plug-ins should be added
            to the set of scrollable areas, but PluginView in WebKit2 is not a ScrollableArea yet.

            * plugins/PluginViewBase.h:
            (PluginViewBase):
            (WebCore::PluginViewBase::wantsWheelEvents):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116711

    2012-05-10  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=86158
            Overlay scrollbars without layers never paint in overflow regions in 
            tiled drawing mode
            -and corresponding-
            <rdar://problem/11289546>

            Reviewed by Darin Adler.

            RenderLayers paint scrollbars that do not have their own layers by 
            running a second pass through the layer tree after the layer tree has 
            painted. This ensures that the scrollbars always paint on top of 
            content. However, this mechanism was relying on 
            FrameView::paintContents() as a choke-point for all painting to 
            trigger the second painting pass. That is not a reasonable choke-point 
            in tiled drawing, so this patch adds similar code to 
            RenderLayerBacking.

            Only opt into the second painting pass for scrollbars that do not have 
            their own layers.
            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::paintOverflowControls):

            A layer that paints into its backing cannot return early here if it 
            has overlay scrollbars to paint.
            (WebCore::RenderLayer::paintLayer):

            This replicates code in FrameView::paintContents(). After painting the 
            owning layer, do a second pass if there are overlay scrollbars to 
            paint.
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::paintIntoLayer):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116697

    2012-05-10  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=82131
            [Mac] REGRESSION (r110480): Text field that specifies background-color 
            (or is auto-filled) gets un-themed border
            -and corresponding-
            <rdar://problem/11115221>

            Reviewed by Maciej Stachowiak.

            This change rolls out r110480 which is what caused styled text fields 
            to get the un-themed border, and it does a bunch of work to make sure 
            we get the pretty, new version of the NSTextField art whenever 
            possible. We do this differently for post-Lion OS's since there is now 
            a way to opt into it all the time. Lion and SnowLeopard can only use 
            the new art in HiDPI mode when the background color of the text field 
            is just white.

            RenderThemeMac::textField() takes a boolean parameter used to determine 
            if the new gradient will be used.
            * rendering/RenderThemeMac.h:
            (RenderThemeMac):

            This is the post-Lion workaround. This code has no effect on Lion and 
            SnowLeopard. This allows us to opt into a version of [NSTextField 
            drawWithFrame:] that will only draw the frame of the text field; 
            without this, it will draw the frame and the background, which creates 
            a number of problems with styled text fields and text fields in HiDPI. 
            There is a less comprehensive workaround for Lion and SnowLeopard in 
            place in RenderThemeMac::textField().
            * rendering/RenderThemeMac.mm:
            (-[WebCoreTextFieldCell _coreUIDrawOptionsWithFrame:inView:includeFocus:]):

            This is the roll-out of r110480.
            (WebCore::RenderThemeMac::isControlStyled):

            See the comments for a full explanation, but this is mostly code for 
            Lion and SnowLeopard to determine if we can opt into the new artwork.
            (WebCore::RenderThemeMac::paintTextField):
            (WebCore::RenderThemeMac::textField):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116794

    2012-05-11  Anders Carlsson  <andersca@apple.com>

            REGRESSION(r116687): [Chromium] plugins/embed-attributes-style.html shows a garbled string
            https://bugs.webkit.org/show_bug.cgi?id=86170

            Reviewed by Andreas Kling.

            The string we are passing to the TextRun constructor needs to stay alive for longer so revert back to the old
            behavior where we store it as a member variable.

            * rendering/RenderEmbeddedObject.cpp:
            (WebCore::unavailablePluginReplacementText):
            (WebCore):
            (WebCore::RenderEmbeddedObject::setPluginUnavailabilityReason):
            (WebCore::RenderEmbeddedObject::getReplacementTextGeometry):
            * rendering/RenderEmbeddedObject.h:
            (RenderEmbeddedObject):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116695

    2012-05-10  Anders Carlsson  <andersca@apple.com>

            WebKit1: Add a way to blacklist specific plug-ins/plug-in versions
            https://bugs.webkit.org/show_bug.cgi?id=86150
            <rdar://problem/9551196>

            Reviewed by Sam Weinig.

            * English.lproj/Localizable.strings:
            Update.

            * loader/SubframeLoader.cpp:
            (WebCore::SubframeLoader::loadPlugin):
            It is possible that the client has already set the unavailability reason so don't try to set it twice.

            * platform/LocalizedStrings.cpp:
            (WebCore::insecurePluginVersionText):
            * platform/LocalizedStrings.h:
            Add insecure plug-in version text.

            * rendering/RenderEmbeddedObject.cpp:
            (WebCore::RenderEmbeddedObject::unavailablePluginReplacementText):
            * rendering/RenderEmbeddedObject.h:
            Add InsecurePluginVersion unavailability reason.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116687

    2012-05-10  Anders Carlsson  <andersca@apple.com>

            Rename the missing plug-in indicator to the unavailable plug-in indicator
            https://bugs.webkit.org/show_bug.cgi?id=86136

            Reviewed by Sam Weinig.

            Since the indicator is shown for more than just missing plug-ins, generalize it and use a plug-in unavailability
            reason enum to make it easier to extend. Also, pass the unavailability reason to the ChromeClient member functions.

            * WebCore.exp.in:
            * html/HTMLEmbedElement.cpp:
            (WebCore::HTMLEmbedElement::updateWidget):
            * html/HTMLObjectElement.cpp:
            (WebCore::HTMLObjectElement::updateWidget):
            * html/HTMLPlugInElement.cpp:
            (WebCore::HTMLPlugInElement::defaultEventHandler):
            * html/HTMLPlugInImageElement.cpp:
            (WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary):
            * loader/SubframeLoader.cpp:
            (WebCore::SubframeLoader::loadPlugin):
            * page/ChromeClient.h:
            (WebCore::ChromeClient::shouldUnavailablePluginMessageBeButton):
            (WebCore::ChromeClient::unavailablePluginButtonClicked):
            * page/FrameView.cpp:
            (WebCore::FrameView::updateWidget):
            * rendering/RenderEmbeddedObject.cpp:
            (WebCore::RenderEmbeddedObject::RenderEmbeddedObject):
            (WebCore::RenderEmbeddedObject::setPluginUnavailabilityReason):
            (WebCore::RenderEmbeddedObject::showsUnavailablePluginIndicator):
            (WebCore::RenderEmbeddedObject::setUnavailablePluginIndicatorIsPressed):
            (WebCore::RenderEmbeddedObject::paint):
            (WebCore::RenderEmbeddedObject::paintReplaced):
            (WebCore::RenderEmbeddedObject::getReplacementTextGeometry):
            (WebCore::RenderEmbeddedObject::unavailablePluginReplacementText):
            (WebCore):
            (WebCore::RenderEmbeddedObject::isInUnavailablePluginIndicator):
            (WebCore::shouldUnavailablePluginMessageBeButton):
            (WebCore::RenderEmbeddedObject::handleUnavailablePluginIndicatorEvent):
            (WebCore::RenderEmbeddedObject::getCursor):
            * rendering/RenderEmbeddedObject.h:
            (RenderEmbeddedObject):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116685

    2012-05-10  Brady Eidson  <beidson@apple.com>

            <rdar://problem/10972577> and https://bugs.webkit.org/show_bug.cgi?id=80170
            Contents of noscript elements turned into strings in WebArchives

            Reviewed by Andy Estes.

            There's a much deeper question about how innerHTML of <noscript> is expected to work in 
            both a scripting and non-scripting environment that we should pursue separately.

            But for webarchives, we can solve this by filtering out the <noscript> elements completely 
            if scripting is enabled.

            Test: webarchive/ignore-noscript-if-scripting-enabled.html

            * WebCore.exp.in:

            Add arguments to createMarkup and MarkupAccumulator methods to pass a Vector of QualifiedNames
            that should be filtered from the resulting markup:
            * editing/MarkupAccumulator.cpp:
            (WebCore::MarkupAccumulator::serializeNodes):
            (WebCore::MarkupAccumulator::serializeNodesWithNamespaces):
            * editing/MarkupAccumulator.h:
            * editing/markup.cpp:
            (WebCore::createMarkup):
            * editing/markup.h:

            If scripting is enabled, add the noscriptTag to the tag names to filter:
            * loader/archive/cf/LegacyWebArchive.cpp:
            (WebCore::LegacyWebArchive::create):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116579

    2012-05-09  Anders Carlsson  <andersca@apple.com>

            Speed up some parts of TileCache drawing
            https://bugs.webkit.org/show_bug.cgi?id=86033
            <rdar://problem/10919373>

            Reviewed by Sam Weinig.

            * platform/graphics/ca/mac/TileCache.mm:
            (WebCore::TileCache::tileCoverageRect):
            If we can't have scrollbars, there's not much need to extend the tile coverage rect outside of the visible rect, since it's
            unlikely that we'll do any form of scrolling here.

            (WebCore::TileCache::revalidateTiles):
            Don't update the tile layer frame if it's big enough to contain the tile size. Also, if there are no new tiles created,
            don't call platformCALayerDidCreateTiles since that will trigger an extra layer flush.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116570

    2012-05-09  Beth Dakin  <bdakin@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=86025
            RTL and vertical text documents do not scroll properly with the new 
            tiled scrolling model
            -and corresponding-
            <rdar://problem/11077589>

            Reviewed by Dan Bernstein.

            Most of the fix here is just to teach the scrolling tree about the 
            scroll origin.
            * page/scrolling/ScrollingCoordinator.cpp:
            (WebCore::ScrollingCoordinator::frameViewLayoutUpdated):
            (WebCore::ScrollingCoordinator::setScrollParameters):
            * page/scrolling/ScrollingCoordinator.h:
            (ScrollParameters):
            * page/scrolling/ScrollingTreeNode.cpp:
            (WebCore::ScrollingTreeNode::update):
            * page/scrolling/ScrollingTreeNode.h:
            (WebCore::ScrollingTreeNode::scrollOrigin):
            (ScrollingTreeNode):
            * page/scrolling/ScrollingTreeState.cpp:
            (WebCore::ScrollingTreeState::setScrollOrigin):
            (WebCore):
            * page/scrolling/ScrollingTreeState.h:
            (WebCore::ScrollingTreeState::scrollOrigin):
            (ScrollingTreeState):
            * page/scrolling/mac/ScrollingTreeNodeMac.mm:
            (WebCore::ScrollingTreeNodeMac::scrollPosition):
            (WebCore::ScrollingTreeNodeMac::setScrollLayerPosition):
            (WebCore::ScrollingTreeNodeMac::minimumScrollPosition):
            (WebCore::ScrollingTreeNodeMac::maximumScrollPosition):
            * rendering/RenderLayerCompositor.cpp:
            (WebCore::RenderLayerCompositor::frameViewDidScroll):

            Teaching the scrolling tree about the scroll origin revealed this pre-
            existing bug. layoutOverflowRect() is not the right rect to use since 
            it is not writing-mode savvy. unscaledDocumentRect() is the right rect 
            for the view's bounds.
            * rendering/RenderLayerBacking.cpp:
            (WebCore::RenderLayerBacking::updateCompositedBounds):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116473

    2012-05-08  Jon Lee  <jonlee@apple.com>

            Safari warns that it needs to resend the form in an iFrame when going back
            https://bugs.webkit.org/show_bug.cgi?id=82658
            <rdar://problem/11292558>

            Reviewed by Darin Adler.

            Test: http/tests/loading/post-in-iframe-with-back-navigation.html

            * WebCore.exp.in: Add _wkCFURLRequestAllowAllPostCaching.
            * platform/mac/WebCoreSystemInterface.h: Add wkCFURLRequestAllowAllPostCaching.
            * platform/mac/WebCoreSystemInterface.mm: Add wkCFURLRequestAllowAllPostCaching.
            * platform/network/cf/ResourceRequestCFNet.cpp:
            (WebCore::ResourceRequest::doUpdatePlatformRequest): Set the bit to cache all POST responses.
            * platform/network/mac/ResourceRequestMac.mm:
            (WebCore::ResourceRequest::doUpdatePlatformRequest): Set the bit to cache all POST responses.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116458

    2012-05-08  Philip Rogers  <pdr@google.com>

            Prevent crash in animated lists
            https://bugs.webkit.org/show_bug.cgi?id=85382

            Reviewed by Nikolas Zimmermann.

            Animated lists blindly assign the last list value to m_toAtEndOfDurationType
            in SVGAnimationElement::startedActiveInterval. If the last list value's length
            is larger or smaller than the animated "to" length, we crash.

            This change prevents accessing values off the end of toAtEndOfDuration by adding
            a check for this case. It may seem inefficient to perform this check on every
            animation update but the "to" value can change (in cardinality) while animating.

            I checked each of the other animation types (e.g., SVGAnimatedAngle,
            SVGAnimatedBoolean, etc.) and was only able to hit this style of crash
            in the three types modified in this change:
            SVGAnimatedLengthList, SVGAnimatedNumberList, and SVGAnimatedPointList.

            Tests: svg/animations/animate-linear-discrete-additive-b-expected.svg
                   svg/animations/animate-linear-discrete-additive-b.svg
                   svg/animations/animate-linear-discrete-additive-c-expected.svg
                   svg/animations/animate-linear-discrete-additive-c.svg
                   svg/animations/animate-linear-discrete-additive-expected.svg
                   svg/animations/animate-linear-discrete-additive.svg
                   svg/animations/animate-list-crash.svg

            * svg/SVGAnimatedLengthList.cpp:
            (WebCore::SVGAnimatedLengthListAnimator::calculateAnimatedValue):
            * svg/SVGAnimatedNumberList.cpp:
            (WebCore::SVGAnimatedNumberListAnimator::calculateAnimatedValue):
            * svg/SVGAnimatedPointList.cpp:
            (WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116449

    2012-05-08  Timothy Hatcher  <timothy@apple.com>

            Fix the SOFT_LINK_STAGED_FRAMEWORK_OPTIONAL macro so it passes the full path to dlopen.

            dyld only considers libraries in the versioned framework path if their install name
            matches the library that it is attempting to load. The path we were passing to
            dlopen lacked the Versions/A component of the path so dyld did not recognize that
            we wanted it to use the staged version if it is newer.

            <rdar://problem/11406517>

            Reviewed by Mark Rowe.

            * platform/mac/SoftLinking.h: Have SOFT_LINK_STAGED_FRAMEWORK_OPTIONAL take the
            framework version as an argument and use it when constructing the path to dlopen.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116427

    2012-05-08  Stephen Chenney  <schenney@chromium.org>

            Shrink ElementAttributeData by factoring out Attr object count.
            https://bugs.webkit.org/show_bug.cgi?id=85825

            Unreviewed build fix.

            * dom/ElementAttributeData.cpp:
            (WebCore::attrListForElement): Was returning false instead of 0 for a pointer value. Now returns 0.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116419

    2012-05-08  Andreas Kling  <kling@webkit.org>

            Shrink ElementAttributeData by factoring out Attr object count.
            <http://webkit.org/b/85825>

            Reviewed by Antti Koivisto.

            Stop tracking the number of Attr objects that point to a given Element on the
            Element itself and manage this by having a global hashmap of Element => AttrList,
            where AttrList is a vector of (pointers to) the associated Attr objects.

            This shrinks ElementAttributeData by one integer, effectively reducing memory
            consumption by ~530kB when viewing the full HTML5 spec at <http://whatwg.org/c>.

            * dom/ElementAttributeData.h:
            (ElementAttributeData):

                Remove m_attrCount...

            * dom/Node.h:
            (WebCore::Node::hasAttrList):
            (WebCore::Node::setHasAttrList):
            (WebCore::Node::clearHasAttrList):

                ...replacing it with a Node flag that tells us whether there's an Attr
                object map for this Node (only applies to Elements.)

            * dom/ElementAttributeData.cpp:
            (WebCore::attrListMap):
            (WebCore::attrListForElement):
            (WebCore::ensureAttrListForElement):
            (WebCore::removeAttrListForElement):
            (WebCore::ElementAttributeData::attrIfExists):
            (WebCore::ElementAttributeData::ensureAttr):
            (WebCore::ElementAttributeData::setAttr):
            (WebCore::ElementAttributeData::removeAttr):
            (WebCore::ElementAttributeData::detachAttributesFromElement):

                Map Element => per-Element AttrList in a global hash.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116395

    2012-05-07  Simon Fraser  <simon.fraser@apple.com>

            Compositing layers with transformed children not large enough to show contents
            https://bugs.webkit.org/show_bug.cgi?id=85855

            Reviewed by Dan Bernstein.

            r114518 added a code path to RenderLayer::calculateLayerBounds() which
            does an early return if the layer has clipping. However, this code
            path omitted to take local transforms into account.

            Fix is to handle transforms as we do in the non-clipped case.

            Test: compositing/geometry/bounds-clipped-composited-child.html

            * rendering/RenderLayer.cpp:
            (WebCore::RenderLayer::calculateLayerBounds):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116368

    2012-05-07  Enrica Casucci  <enrica@apple.com>

            REGRESSION (r101575): Chinese input is broken when composing mail in iCloud using Safari.
            https://bugs.webkit.org/show_bug.cgi?id=85840
            <rdar://problem/11115520> 

            Reviewed by Alexey Proskuryakov.

            The revision that broke this introduced a way to sanitize the markup when deleting a range selection.
            iCloud listens for DOM modification events and clears the selection, altering the input method state.
            The fix consists in adding a parameter to DeleteSelectionCommand to control when we sanitize the
            markup.

            * editing/CompositeEditCommand.cpp:
            (WebCore::CompositeEditCommand::deleteSelection):
            * editing/CompositeEditCommand.h:
            * editing/DeleteSelectionCommand.cpp:
            (WebCore::DeleteSelectionCommand::DeleteSelectionCommand):
            (WebCore::DeleteSelectionCommand::doApply):
            * editing/DeleteSelectionCommand.h:
            (WebCore::DeleteSelectionCommand::create):
            * editing/InsertTextCommand.cpp:
            (WebCore::InsertTextCommand::doApply):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116367

    2012-05-07  Andy Estes  <aestes@apple.com>

            ENABLE_IFRAME_SEAMLESS should be part of FEATURE_DEFINES.

            * Configurations/FeatureDefines.xcconfig:

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116356

    2012-05-07  Eric Seidel  <eric@webkit.org>

            Add ENABLE_IFRAME_SEAMLESS so Apple can turn off SEAMLESS if needed
            https://bugs.webkit.org/show_bug.cgi?id=85822

            Reviewed by Adam Barth.

            * Configurations/FeatureDefines.xcconfig:
            * dom/Document.cpp:
            (WebCore::Document::shouldDisplaySeamlesslyWithParent):

2012-05-04  Ilya Tikhonovsky  <loislo@chromium.org>

        Web Inspector: annotate ProfilerAgent.
        https://bugs.webkit.org/show_bug.cgi?id=85630

        Reviewed by Pavel Feldman.

        * inspector/Inspector.json:
        * inspector/InspectorProfilerAgent.cpp:
        (WebCore::InspectorProfilerAgent::createProfileHeader):
        (WebCore::InspectorProfilerAgent::createSnapshotHeader):
        (WebCore::InspectorProfilerAgent::getProfileHeaders):
        (WebCore):
        (WebCore::InspectorProfilerAgent::getProfile):
        * inspector/InspectorProfilerAgent.h:
        (InspectorProfilerAgent):
        * inspector/front-end/CSSSelectorProfileView.js:
        * inspector/front-end/HeapSnapshotView.js:
        (WebInspector.HeapSnapshotProfileType.prototype.createProfile):
        * inspector/front-end/ProfileView.js:
        * inspector/front-end/ProfilesPanel.js:
        (WebInspector.ProfilesPanel.prototype.addProfileHeader):
        (WebInspector.ProfilesPanel.prototype._addHeapSnapshotChunk):
        (WebInspector.ProfilerDispatcher.prototype.resetProfiles):

2012-05-04  Gustavo Noronha Silva  <gns@gnome.org>

        [GTK] Simplify how libWebCoreModules is linked in, and fix WebKit2 build
        https://bugs.webkit.org/show_bug.cgi?id=85691

        * GNUmakefile.am: link libWebCoreModules into libWebCore.

2012-05-04  Kent Tamura  <tkent@chromium.org>

        Rename ICULocale to LocaleICU, part 1
        https://bugs.webkit.org/show_bug.cgi?id=85688

        Reviewed by Kentaro Hara.

        Rename it for consistency. Our convention is Foo<Platform>.{cpp,h}.
        This patch changes only file names. We'll rename ICULocale class
        by a following patch.

        No behavior changes.

        * WebCore.gypi:
        * platform/text/LocaleICU.cpp: Renamed from Source/WebCore/platform/text/ICULocale.cpp.
        * platform/text/LocaleICU.h: Renamed from Source/WebCore/platform/text/ICULocale.h.
        * platform/text/LocalizedDateICU.cpp: Rename ICULocale.h to LocaleICU.h.
        * platform/text/LocalizedNumberICU.cpp: ditto.

2012-05-04  Julien Chaffraix  <jchaffraix@webkit.org>

        Leaf non self-painting layers should bail out early in RenderLayer::paintLayer
        https://bugs.webkit.org/show_bug.cgi?id=85678

        Reviewed by Darin Adler.

        Performance optimization, no expected change in behavior.

        The gist of the change is that leaf non self-painting layers don't need to be painted as their
        associated RenderBoxModelObject should properly paint itself without any help.

        For RenderLayer trees that have a large number of leaf nodes (like a table with a leaf RenderLayer for
        each cell), not bailing out is a big overhead as it ends up doing a lot of computation for no real
        painting. See http://dglazkov.github.com/performance-tests/biggrid.html for a benchmark for that. On
        my machine, it reduces the paint time when scrolling to 70ms from 120ms (45% speedup).

        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::paintLayer):

2012-05-04  Rob Buis  <rbuis@rim.com>

        Remove InlineBox::next()
        https://bugs.webkit.org/show_bug.cgi?id=85668

        Reviewed by Nikolas Zimmermann.

        InlineBox::next() not needed since nextOnLine() does the same.

        * rendering/InlineBox.h:
        (InlineBox):
        * rendering/InlineFlowBox.h:
        (WebCore::InlineFlowBox::setConstructed):

2012-05-04  Chris Rogers  <crogers@google.com>

        Oscillator must implement noteOn() and noteOff()
        https://bugs.webkit.org/show_bug.cgi?id=85236

        Reviewed by Kenneth Russell.

        Test: webaudio/oscillator-scheduling.html
        to be landed separately to get proper platform baselines

        * Modules/webaudio/AudioBufferSourceNode.cpp:
        (WebCore::AudioBufferSourceNode::process):
        Simplify/remove zeroing-out silence at end of buffer, since it's now handled in the base-class AudioScheduledSourceNode::updateSchedulingInfo().

        * Modules/webaudio/AudioContext.cpp:
        (WebCore::AudioContext::createBufferSource):
        Improve comment about ownership and dynamic-lifetime of AudioBufferSourceNode.

        (WebCore::AudioContext::createOscillator):
        AudioContext keeps a reference to the Oscillator and that reference is released in AudioScheduledSourceNode,
        when it has finished playing.

        * Modules/webaudio/AudioScheduledSourceNode.h:
        * Modules/webaudio/AudioScheduledSourceNode.cpp:
        (WebCore::AudioScheduledSourceNode::updateSchedulingInfo):
        updateSchedulingInfo() is now responsible for zeroing out the very start (before a note starts)
        and the very end (after note ends) of the output AudioBus.  We've also simplified the number
        of arguments passed to this method, because of this. It now handles playbackState transition to FINISHED_STATE.

        * Modules/webaudio/Oscillator.cpp:
        (WebCore::Oscillator::Oscillator):
        (WebCore::Oscillator::calculateSampleAccuratePhaseIncrements):
        The frequency value needs to snap immediately to its correct value the very first time.
        This bug needs to be fixed here so that the Oscillator layout scheduling test works correctly.

        (WebCore::Oscillator::process):
        Since Oscillator is now changing to be an AudioScheduledSourceNode, we need to call AudioScheduledSourceNode::updateSchedulingInfo()
        to handle playbackState for us.

        (WebCore::Oscillator::propagatesSilence):
        Add scheduling logic for propagatesSilence().

        (Oscillator):
        * Modules/webaudio/Oscillator.idl:
        Add noteOn(), noteOff() methods and playbackState according to specification.

2012-05-04  Andy Estes  <aestes@apple.com>

        Remove uses of ASSERT(false)
        https://bugs.webkit.org/show_bug.cgi?id=85686

        Reviewed by Dean Jackson.

        Replace uses of ASSERT(false) with ASSERT_NOT_REACHED(). Also, in two places, there was code structured like:

        if (expr) {
            // do something
        } else {
            ASSERT(false);
        }

        Replace this with:

        ASSERT(expr);
        if (!expr)
            return;

        // do something

        * Modules/webdatabase/DatabaseTracker.cpp:
        (WebCore::DatabaseTracker::deleteOrigin):
        (WebCore::DatabaseTracker::doneCreatingDatabase):
        (WebCore::DatabaseTracker::doneDeletingDatabase):
        (WebCore::DatabaseTracker::deleteDatabase):
        * bridge/objc/objc_instance.mm:
        (ObjcInstance::invokeObjcMethod):
        * bridge/objc/objc_utility.mm:
        (JSC::Bindings::convertObjcValueToValue):
        (JSC::Bindings::objcValueTypeForType):
        * dom/Node.cpp:
        (WebCore::Node::createRenderer):
        * loader/icon/IconDatabase.cpp:
        (WebCore::IconDatabase::setIconURLForPageURLInSQLDatabase):
        (WebCore::IconDatabase::setIconIDForPageURLInSQLDatabase):
        * platform/graphics/GraphicsContext3D.cpp:
        (WebCore::doPacking):
        * platform/text/BidiResolver.h:
        (WebCore::::createBidiRunsForLine):

2012-05-04  Noel Gordon  <noel.gordon@gmail.com>

        [CG] Minor refactor of ImageBuffer::CGImageToDataURL and its callers
        https://bugs.webkit.org/show_bug.cgi?id=85280

        Reviewed by Kenneth Russell.

        This patch means to simplify the diff of an upcoming patch. Refactoring
        here in preparation for that patch.

        No new tests. No behavioral change. Covered by canvas 2d and 3d tests:
          canvas/philip/tests/*toDataURL*.html
          fast/canvas/webgl/premultiplyalpha-test.html

        * platform/graphics/cg/ImageBufferCG.cpp:
        (WebCore::CGImageToDataURL): Move the invalid image (!image) test here.
        The comments are about JPEG images; say that. Rename out to base64Data.
        (WebCore::ImageBuffer::toDataURL): Remove the !image test.
        (WebCore::ImageDataToDataURL): Move and define variables where used and
        make the code flow read similarly to toDataURL. Remove the !image test.

2012-05-04  Shawn Singh  <shawnsingh@chromium.org>

        [chromium] Changes to layer tree structure need to be tracked properly
        https://bugs.webkit.org/show_bug.cgi?id=85421

        Reviewed by Adrienne Walker.

        Unit test added: TreeSynchronizerTest.syncSimpleTreeAndTrackStackingOrderChange

        Earlier, we were relying on WebCore behavior that always called
        setNeedsDisplay whenever the layer tree structure changed.
        However, in general it is more correct to consider layer tree
        changes even when things don't need repainting; for example Aura
        code is encountering this bug now. This patch corrects the
        compositor so that layer tree structural changes are considered
        property changes, without requiring that layers needed to be
        repainted.

        * platform/graphics/chromium/LayerChromium.cpp:
        (WebCore::LayerChromium::LayerChromium):
        (WebCore::LayerChromium::insertChild):
        (WebCore::LayerChromium::pushPropertiesTo):
        * platform/graphics/chromium/LayerChromium.h:
        (LayerChromium):
        * platform/graphics/chromium/cc/CCLayerImpl.cpp:
        (WebCore::CCLayerImpl::setStackingOrderChanged):
        (WebCore):
        * platform/graphics/chromium/cc/CCLayerImpl.h:
        (CCLayerImpl):

2012-05-04  Jeffrey Pfau  <jpfau@apple.com>

        Unreviewed; build fix after r116191.

        * bindings/js/JSEventListener.h:

2012-05-04  Enrica Casucci  <enrica@apple.com>

        REGRESSION: Cursor jumps to the first line after deleting the last word.
        https://bugs.webkit.org/show_bug.cgi?id=85334
        <rdar://problem/11210059>

        Reviewed by Ryosuke Niwa.

        This regression was introduced with the work to remove redundant divs.
        When we decide to remove a DIV, we need to adjust the selection, if it is
        expressed in terms of the node being removed. The new position was computed
        using updatePositionForNodeRemoval that was not designed for the case where we
        remove preserving children.
        This patch adds a new method to CompositeEditCommand to do this properly.
        
        Test: editing/deleting/delete-word-from-unstyled-div.html

        * editing/CompositeEditCommand.cpp:
        (WebCore::CompositeEditCommand::isRemovableBlock): Code cleanup.
        (WebCore::CompositeEditCommand::updatePositionForNodeRemovalPreservingChildren): Added.
        * editing/CompositeEditCommand.h:
        * editing/DeleteSelectionCommand.cpp:
        (WebCore::DeleteSelectionCommand::removeRedundantBlocks): Uses updatePositionForNodeRemovalPreservingChildren.

2012-05-04  Jeffrey Pfau  <jpfau@apple.com>

        Prevent early EventListener deletion
        https://bugs.webkit.org/show_bug.cgi?id=73970

        Reviewed by Oliver Hunt.

        Test: fast/events/attribute-listener-deletion-crash.html

        * bindings/js/JSEventListener.h:
        (WebCore::JSEventListener::jsFunction):

2012-05-04  Yongjun Zhang  <yongjun_zhang@apple.com>

        Add "combining short stroke overlay character (u0335)" to lookalike characters blacklist.
        https://bugs.webkit.org/show_bug.cgi?id=85440

        Reviewed by David Kilzer.

        We should add u0335 to the characters blacklist.

        * platform/mac/WebCoreNSURLExtras.mm:
        (WebCore::isLookalikeCharacter):

2012-05-04  Satoru Takabayashi  <satorux@chromium.org>

        [chromium] Add plumbing for file display names for drag and drop
        https://bugs.webkit.org/show_bug.cgi?id=85673

        Reviewed by Darin Fisher.

        No new tests: this change itself shouldn't change existing behavior.

        * platform/chromium/ChromiumDataObject.cpp:
        (WebCore::ChromiumDataObject::addFilename):
        * platform/chromium/ChromiumDataObject.h:
        (ChromiumDataObject):

2012-05-04  Levi Weintraub  <leviw@chromium.org>

        Correct pixel snapping in RenderSVGRoot::paintReplaced
        https://bugs.webkit.org/show_bug.cgi?id=85671

        Reviewed by Eric Seidel.

        SVG root elements are still painted on pixel boundaries, so their children should
        apply transforms based on their actual painted location, not their sub-pixel
        one. This corrects a clipping and painting issue where these sub-pixel units are
        incorrectly applied to the graphics context.

        Covered by existing tests when sub-pixel layout is enabled.

        * rendering/svg/RenderSVGRoot.cpp:
        (WebCore::RenderSVGRoot::paintReplaced):

2012-05-04  Adam Barth  <abarth@webkit.org>

        Refactor CSP state to prepare for having both a ReportOnly and an Enforced policy
        https://bugs.webkit.org/show_bug.cgi?id=85662

        Reviewed by Eric Seidel.

        This patch refactors the ContentSecurityPolicy state into a separate
        DirectiveList class to prepare for
        https://bugs.webkit.org/show_bug.cgi?id=85561, which will cause us to
        need two directive lists: one for enforcement and one for monitoring.

        This patch shouldn't cause any change in behavior.

        * page/ContentSecurityPolicy.cpp:
        (CSPDirectiveList):
        (WebCore::CSPDirectiveList::header):
        (WebCore::CSPDirectiveList::headerType):
        (WebCore::CSPDirectiveList::denyIfEnforcingPolicy):
        (WebCore):
        (WebCore::CSPDirectiveList::CSPDirectiveList):
        (WebCore::CSPDirectiveList::create):
        (WebCore::CSPDirectiveList::reportViolation):
        (WebCore::CSPDirectiveList::logUnrecognizedDirective):
        (WebCore::CSPDirectiveList::checkEval):
        (WebCore::CSPDirectiveList::operativeDirective):
        (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
        (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
        (WebCore::CSPDirectiveList::checkSourceAndReportViolation):
        (WebCore::CSPDirectiveList::allowJavaScriptURLs):
        (WebCore::CSPDirectiveList::allowInlineEventHandlers):
        (WebCore::CSPDirectiveList::allowInlineScript):
        (WebCore::CSPDirectiveList::allowInlineStyle):
        (WebCore::CSPDirectiveList::allowEval):
        (WebCore::CSPDirectiveList::allowScriptFromSource):
        (WebCore::CSPDirectiveList::allowObjectFromSource):
        (WebCore::CSPDirectiveList::allowChildFrameFromSource):
        (WebCore::CSPDirectiveList::allowImageFromSource):
        (WebCore::CSPDirectiveList::allowStyleFromSource):
        (WebCore::CSPDirectiveList::allowFontFromSource):
        (WebCore::CSPDirectiveList::allowMediaFromSource):
        (WebCore::CSPDirectiveList::allowConnectFromSource):
        (WebCore::CSPDirectiveList::parse):
        (WebCore::CSPDirectiveList::parseDirective):
        (WebCore::CSPDirectiveList::parseReportURI):
        (WebCore::CSPDirectiveList::createCSPDirective):
        (WebCore::CSPDirectiveList::applySandboxPolicy):
        (WebCore::CSPDirectiveList::addDirective):
        (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
        (WebCore::ContentSecurityPolicy::~ContentSecurityPolicy):
        (WebCore::ContentSecurityPolicy::copyStateFrom):
        (WebCore::ContentSecurityPolicy::didReceiveHeader):
        (WebCore::ContentSecurityPolicy::setOverrideAllowInlineStyle):
        (WebCore::ContentSecurityPolicy::header):
        (WebCore::ContentSecurityPolicy::headerType):
        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
        (WebCore::ContentSecurityPolicy::allowInlineScript):
        (WebCore::ContentSecurityPolicy::allowInlineStyle):
        (WebCore::ContentSecurityPolicy::allowEval):
        (WebCore::ContentSecurityPolicy::allowScriptFromSource):
        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
        (WebCore::ContentSecurityPolicy::allowImageFromSource):
        (WebCore::ContentSecurityPolicy::allowStyleFromSource):
        (WebCore::ContentSecurityPolicy::allowFontFromSource):
        (WebCore::ContentSecurityPolicy::allowMediaFromSource):
        (WebCore::ContentSecurityPolicy::allowConnectFromSource):
        * page/ContentSecurityPolicy.h:
        (WebCore):
        * workers/WorkerMessagingProxy.cpp:
        (WebCore::WorkerMessagingProxy::startWorkerContext):

2012-05-04  Abhishek Arya  <inferno@chromium.org>

        ASSERT(beforeChildAnonymousContainer->isTable()); fails in RenderBlock::addChildIgnoringAnonymousColumnBlocks.
        https://bugs.webkit.org/show_bug.cgi?id=84606

        Reviewed by Julien Chaffraix.

        RenderBlock::removeChild forgot to set display on the anonymous block, causing it
        to display as INLINE. To prevent this kind of failure in future, we replace
        createAnonymousStyle with createAnonymousStyleWithDisplay to make everyone explicitly
        pass display as the argument.

        Test: fast/block/block-add-child-crash.html

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::removeChild): 
        (WebCore::RenderBlock::createAnonymousWithParentRendererAndDisplay):
        (WebCore::RenderBlock::createAnonymousColumnsWithParentRenderer):
        (WebCore::RenderBlock::createAnonymousColumnSpanWithParentRenderer):
        * rendering/RenderInline.cpp:
        (WebCore::updateStyleOfAnonymousBlockContinuations):
        (WebCore::RenderInline::addChildIgnoringContinuation):
        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::propagateStyleToAnonymousChildren):
        * rendering/RenderRuby.cpp:
        (WebCore::createAnonymousRubyInlineBlock):
        * rendering/RenderRubyRun.cpp:
        (WebCore::RenderRubyRun::createRubyBase):
        (WebCore::RenderRubyRun::staticCreateRubyRun):
        * rendering/RenderTable.cpp:
        (WebCore::RenderTable::createAnonymousWithParentRenderer):
        * rendering/RenderTableCell.cpp:
        (WebCore::RenderTableCell::createAnonymousWithParentRenderer):
        * rendering/RenderTableRow.cpp:
        (WebCore::RenderTableRow::createAnonymousWithParentRenderer):
        * rendering/RenderTableSection.cpp:
        (WebCore::RenderTableSection::createAnonymousWithParentRenderer):
        * rendering/mathml/RenderMathMLBlock.cpp:
        (WebCore::RenderMathMLBlock::createAlmostAnonymousBlock):
        * rendering/mathml/RenderMathMLRow.cpp:
        (WebCore::RenderMathMLRow::createAnonymousWithParentRenderer):
        * rendering/mathml/RenderMathMLSubSup.cpp:
        (WebCore::RenderMathMLSubSup::addChild):
        * rendering/style/RenderStyle.cpp:
        (WebCore::RenderStyle::createAnonymousStyleWithDisplay):
        * rendering/style/RenderStyle.h:

2012-04-27  Erik Arvidsson  <arv@chromium.org>

        WebKit IDL does not use exception syntax
        https://bugs.webkit.org/show_bug.cgi?id=85100

        Reviewed by Dimitri Glazkov.

        This adds support for exception ExceptionName { ... } which currently sets a flag
        on the domClass.

        Binding tests updated.

        * Modules/indexeddb/IDBDatabaseException.idl:
        * Modules/webdatabase/SQLException.idl:
        * bindings/scripts/IDLParser.pm:
        (ParseInterface):
        (DetermineParseMode):
        (ProcessSection):
        * bindings/scripts/IDLStructure.pm:
        * bindings/scripts/test/CPP/WebDOMTestException.cpp: Added.
        (WebDOMTestException::WebDOMTestExceptionPrivate::WebDOMTestExceptionPrivate):
        (WebDOMTestException::WebDOMTestExceptionPrivate):
        (WebDOMTestException::WebDOMTestException):
        (WebDOMTestException::operator=):
        (WebDOMTestException::impl):
        (WebDOMTestException::~WebDOMTestException):
        (WebDOMTestException::name):
        (toWebCore):
        (toWebKit):
        * bindings/scripts/test/CPP/WebDOMTestException.h: Added.
        (WebCore):
        (WebDOMTestException):
        * bindings/scripts/test/GObject/WebKitDOMTestException.cpp: Added.
        (WebKit):
        (WebKit::kit):
        (WebKit::core):
        (WebKit::wrapTestException):
        (webkit_dom_test_exception_finalize):
        (webkit_dom_test_exception_set_property):
        (webkit_dom_test_exception_get_property):
        (webkit_dom_test_exception_constructed):
        (webkit_dom_test_exception_class_init):
        (webkit_dom_test_exception_init):
        (webkit_dom_test_exception_get_name):
        * bindings/scripts/test/GObject/WebKitDOMTestException.h: Added.
        (_WebKitDOMTestException):
        (_WebKitDOMTestExceptionClass):
        * bindings/scripts/test/GObject/WebKitDOMTestExceptionPrivate.h: Added.
        (WebKit):
        * bindings/scripts/test/JS/JSTestException.cpp: Added.
        (WebCore):
        (WebCore::JSTestExceptionConstructor::JSTestExceptionConstructor):
        (WebCore::JSTestExceptionConstructor::finishCreation):
        (WebCore::JSTestExceptionConstructor::getOwnPropertySlot):
        (WebCore::JSTestExceptionConstructor::getOwnPropertyDescriptor):
        (WebCore::JSTestExceptionPrototype::self):
        (WebCore::JSTestException::JSTestException):
        (WebCore::JSTestException::finishCreation):
        (WebCore::JSTestException::createPrototype):
        (WebCore::JSTestException::destroy):
        (WebCore::JSTestException::~JSTestException):
        (WebCore::JSTestException::getOwnPropertySlot):
        (WebCore::JSTestException::getOwnPropertyDescriptor):
        (WebCore::jsTestExceptionName):
        (WebCore::jsTestExceptionConstructor):
        (WebCore::JSTestException::getConstructor):
        (WebCore::isObservable):
        (WebCore::JSTestExceptionOwner::isReachableFromOpaqueRoots):
        (WebCore::JSTestExceptionOwner::finalize):
        (WebCore::toJS):
        (WebCore::toTestException):
        * bindings/scripts/test/JS/JSTestException.h: Added.
        (WebCore):
        (JSTestException):
        (WebCore::JSTestException::create):
        (WebCore::JSTestException::createStructure):
        (WebCore::JSTestException::impl):
        (WebCore::JSTestException::releaseImpl):
        (WebCore::JSTestException::releaseImplIfNotNull):
        (JSTestExceptionOwner):
        (WebCore::wrapperOwner):
        (WebCore::wrapperContext):
        (JSTestExceptionPrototype):
        (WebCore::JSTestExceptionPrototype::create):
        (WebCore::JSTestExceptionPrototype::createStructure):
        (WebCore::JSTestExceptionPrototype::JSTestExceptionPrototype):
        (JSTestExceptionConstructor):
        (WebCore::JSTestExceptionConstructor::create):
        (WebCore::JSTestExceptionConstructor::createStructure):
        * bindings/scripts/test/ObjC/DOMTestException.h: Added.
        * bindings/scripts/test/ObjC/DOMTestException.mm: Added.
        (-[DOMTestException dealloc]):
        (-[DOMTestException finalize]):
        (-[DOMTestException name]):
        (core):
        (kit):
        * bindings/scripts/test/ObjC/DOMTestExceptionInternal.h: Added.
        (WebCore):
        * bindings/scripts/test/TestException.idl: Copied from Source/WebCore/xml/XPathException.idl.
        * bindings/scripts/test/V8/V8TestException.cpp: Added.
        (WebCore):
        (TestExceptionV8Internal):
        (WebCore::TestExceptionV8Internal::V8_USE):
        (WebCore::TestExceptionV8Internal::nameAttrGetter):
        (WebCore::ConfigureV8TestExceptionTemplate):
        (WebCore::V8TestException::GetRawTemplate):
        (WebCore::V8TestException::GetTemplate):
        (WebCore::V8TestException::HasInstance):
        (WebCore::V8TestException::wrapSlow):
        (WebCore::V8TestException::derefObject):
        * bindings/scripts/test/V8/V8TestException.h: Added.
        (WebCore):
        (V8TestException):
        (WebCore::V8TestException::toNative):
        (WebCore::V8TestException::wrap):
        (WebCore::toV8):
        * dom/DOMCoreException.idl:
        * dom/EventException.idl:
        * dom/RangeException.idl:
        * fileapi/FileException.idl:
        * fileapi/OperationNotAllowedException.idl:
        * svg/SVGException.idl:
        * xml/XMLHttpRequestException.idl:
        * xml/XPathException.idl:

2012-05-04  Rafael Weinstein  <rafaelw@chromium.org>

        V8RecursionScope not declared in V8Proxy::newInstance which causes ASSERT() failure from NPAPI
        https://bugs.webkit.org/show_bug.cgi?id=85659

        Reviewed by Ojan Vafai.

        Added a stack-allocated V8RecursionScope to the newInstance call.

        No new tests. No change in observable behavior.

        * bindings/v8/V8Proxy.cpp:
        (WebCore::V8Proxy::newInstance):

2012-05-04  Joshua Bell  <jsbell@chromium.org>

        IndexedDB: Remove all index metadata records when deleting an index
        https://bugs.webkit.org/show_bug.cgi?id=85557

        Reviewed by Tony Chang.

        An assert is hit when re-loading database from backing store due to stale index
        metadata entry. Do a range delete to clear all metadata entries when deleting an
        index. Define metadata entries as enum and limits as consts instead of hardcoded ints.

        No new tests - issue does not repro as layout test. Will land test in Chromium.

        * Modules/indexeddb/IDBLevelDBBackingStore.cpp:
        (WebCore::getBool): Helper functions; replaces pattern of putInt()/read only lead byte.
        (WebCore):
        (WebCore::putBool):
        (WebCore::IDBLevelDBBackingStore::getObjectStores): Skip stale data. Use enums, helpers.
        (WebCore::IDBLevelDBBackingStore::createObjectStore): Use enums.
        (WebCore::IDBLevelDBBackingStore::deleteObjectStore): Use enums.
        (WebCore::getNewVersionNumber): Use enums.
        (WebCore::IDBLevelDBBackingStore::getIndexes): Skip stale data. Use enums, helpers.
        (WebCore::getNewIndexId): Use enums.
        (WebCore::IDBLevelDBBackingStore::createIndex): Use enums.
        (WebCore::IDBLevelDBBackingStore::deleteIndex): Delete metadata by range.
        * Modules/indexeddb/IDBLevelDBCoding.cpp:
        (IDBLevelDBCoding): Add constants for metadata maximum values.
        (WebCore::IDBLevelDBCoding::encodeBool):
        (WebCore::IDBLevelDBCoding::decodeBool):
        (WebCore::IDBLevelDBCoding::ObjectStoreMetaDataKey::encodeMaxKey): Use consts.
        (WebCore::IDBLevelDBCoding::IndexMetaDataKey::encodeMaxKey): Use consts.
        * Modules/indexeddb/IDBLevelDBCoding.h:
        (IDBLevelDBCoding): Expose enums for metadata types.

2012-05-04  Anders Carlsson  <andersca@apple.com>

        Move markPagesForFullStyleRecalc to PageCache
        https://bugs.webkit.org/show_bug.cgi?id=85664

        Reviewed by Dan Bernstein.

        Instead of going through all the history items in the back/forward list looking for cached pages, just iterate over the cached pages in the page.

        * history/BackForwardController.cpp:
        * history/BackForwardController.h:
        * history/HistoryItem.cpp:
        * history/HistoryItem.h:
        * history/PageCache.cpp:
        (WebCore::PageCache::markPagesForFullStyleRecalc):
        (WebCore):
        * history/PageCache.h:
        (PageCache):
        * page/Frame.cpp:
        (WebCore::Frame::setPageAndTextZoomFactors):
        * page/Page.cpp:
        (WebCore::Page::setDeviceScaleFactor):
        (WebCore::Page::setPagination):

2012-05-04  Tony Chang  <tony@chromium.org>

        The computed style of flex-item-align should never be auto.
        https://bugs.webkit.org/show_bug.cgi?id=85656

        Reviewed by Ojan Vafai.

        If the node lacks a parent and flex-item-align is auto, we should
        return stretch. This was recently clarified in the spec.

        New testcase in css3/flexbox/css-properties.html.

        * css/CSSComputedStyleDeclaration.cpp:
        (WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue):

2012-05-04  Christophe Dumez  <christophe.dumez@intel.com>

        [soup] URL of the ResourceResponse passed to willSendRequest is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=85072

        Reviewed by Gustavo Noronha Silva.

        Store the response message by catching the "got-headers" signal so
        that it can be passed later to willSendRequest() in case of
        redirection. This is required because the SoupMessage headers and URL
        have already been updated once restartedCallback() is called.

        * platform/network/soup/ResourceHandleSoup.cpp:
        (WebCore):
        (WebCore::gotHeadersCallback):
        (WebCore::restartedCallback):
        (WebCore::sendRequestCallback):
        (WebCore::startHTTPRequest):

2012-05-04  Ian Vollick  <vollick@chromium.org>

        [chromium] CCProxy's shouldn't try to draw if there is no layer renderer
        https://bugs.webkit.org/show_bug.cgi?id=85218

        Reviewed by Adrienne Walker.

        * platform/graphics/chromium/cc/CCThreadProxy.cpp:
        (WebCore::CCThreadProxy::scheduledActionDrawAndSwapInternal):

2012-05-04  Rob Buis  <rbuis@rim.com>

        [BlackBerry] Rendering bmp file as text file when Content-Type:image/x-ms-bmp from apache web server.
        https://bugs.webkit.org/show_bug.cgi?id=85036

        Reviewed by Antonio Gomes.

        Move getNormalizedMIMEType from WebKit into MIMETypeRegistry. This way we support uncommon mime types like image/pjpeg
        and image/x-ms-bmp out of the box since we map to the more common image/jpeg and image/bmp respectively.

        * platform/MIMETypeRegistry.cpp:
        (WebCore::initializeSupportedImageMIMETypes):
        (WebCore::MIMETypeRegistry::isSupportedImageMIMEType):
        (WebCore::MIMETypeRegistry::isSupportedImageResourceMIMEType):
        (WebCore):
        (WebCore::mimeTypeAssociationMap):
        (WebCore::MIMETypeRegistry::getNormalizedMIMEType):
        * platform/MIMETypeRegistry.h:
        (MIMETypeRegistry):

2012-05-04  Sami Kyostila  <skyostil@chromium.org>

        [chromium] Revert compositor layer scrolling
        https://bugs.webkit.org/show_bug.cgi?id=85644

        Reviewed by Steve Block.

        This patch reverts the following commits because they were found to
        trigger crashes. See discussion at http://code.google.com/p/chromium/issues/detail?id=124393.

            [chromium] Allow scrolling non-root layers in the compositor thread
            http://trac.webkit.org/changeset/114651

            [chromium] Don't crash when scrolling empty layer tree
            http://trac.webkit.org/changeset/114761

            [chromium] Don't keep pointers to released layer tree
            http://trac.webkit.org/changeset/115080

        * platform/graphics/chromium/ContentLayerChromium.cpp:
        * platform/graphics/chromium/ContentLayerChromium.h:
        (ContentLayerChromium):
        * platform/graphics/chromium/GraphicsLayerChromium.h:
        (GraphicsLayerChromium):
        * platform/graphics/chromium/LayerChromium.cpp:
        (WebCore::LayerChromium::pushPropertiesTo):
        * platform/graphics/chromium/LayerChromium.h:
        (LayerChromium):
        * platform/graphics/chromium/cc/CCLayerImpl.cpp:
        * platform/graphics/chromium/cc/CCLayerImpl.h:
        * platform/graphics/chromium/cc/CCLayerTreeHost.cpp:
        (WebCore::CCLayerTreeHost::applyScrollAndScale):
        * platform/graphics/chromium/cc/CCLayerTreeHostCommon.h:
        (CCLayerTreeHostCommon):
        * platform/graphics/chromium/cc/CCLayerTreeHostImpl.cpp:
        (WebCore::CCLayerTreeHostImpl::CCLayerTreeHostImpl):
        (WebCore::CCLayerTreeHostImpl::startPageScaleAnimation):
        (WebCore::CCLayerTreeHostImpl::calculateRenderSurfaceLayerList):
        (WebCore::CCLayerTreeHostImpl::contentSize):
        (WebCore::CCLayerTreeHostImpl::prepareToDraw):
        (WebCore::findScrollLayer):
        (WebCore::CCLayerTreeHostImpl::setRootLayer):
        (WebCore::CCLayerTreeHostImpl::setPageScaleFactorAndLimits):
        (WebCore):
        (WebCore::CCLayerTreeHostImpl::adjustScrollsForPageScaleChange):
        (WebCore::CCLayerTreeHostImpl::setPageScaleDelta):
        (WebCore::CCLayerTreeHostImpl::applyPageScaleDeltaToScrollLayer):
        (WebCore::CCLayerTreeHostImpl::updateMaxScrollPosition):
        (WebCore::CCLayerTreeHostImpl::scrollBegin):
        (WebCore::CCLayerTreeHostImpl::scrollBy):
        (WebCore::CCLayerTreeHostImpl::scrollEnd):
        (WebCore::CCLayerTreeHostImpl::pinchGestureUpdate):
        (WebCore::CCLayerTreeHostImpl::computePinchZoomDeltas):
        (WebCore::CCLayerTreeHostImpl::makeScrollAndScaleSet):
        (WebCore::CCLayerTreeHostImpl::processScrollDeltas):
        (WebCore::CCLayerTreeHostImpl::animatePageScale):
        * platform/graphics/chromium/cc/CCLayerTreeHostImpl.h:
        (WebCore::CCLayerTreeHostImpl::releaseRootLayer):
        (WebCore::CCLayerTreeHostImpl::scrollLayer):
        (CCLayerTreeHostImpl):

2012-05-04  Ojan Vafai  <ojan@chromium.org>

        Remove file that was deleted in http://trac.webkit.org/changeset/116085/.
        For some reason, this was breaking the chromium build (probably a gyp bug
        since chromium shouldn't be pulling in this file).

        * WebCore.gypi:

2012-05-04  Tony Chang  <tony@chromium.org>

        fix bit packing in FillLayer on Windows
        https://bugs.webkit.org/show_bug.cgi?id=85636

        Reviewed by Ryosuke Niwa.

        Use unsigned for all bit packed types. I manually verified that
        the current uses of these member variables always assign true or false.

        No new tests, adding a compile assert to verify bit packing.

        * rendering/style/FillLayer.cpp:
        (SameSizeAsFillLayer): Added compile assert.
        (WebCore):
        (WebCore::FillLayer::FillLayer): Reorder m_sizeLength so bit packed fields are adjacent.
        (WebCore::FillLayer::operator=): Ditto.
        * rendering/style/FillLayer.h:
        (FillLayer): Convert bools to unsigned to match other bit packed fields.

2012-05-04  Tommy Widenflycht  <tommyw@google.com>

        MediaStream API: Make PeerConnection00's API fully compliant with the draft
        https://bugs.webkit.org/show_bug.cgi?id=85491

        Reviewed by Adam Barth.

        Mainly making the relevant API's use objects (aka Dictionaries) instead of the temporary strings,
        but also making a few API's exception aware and changing the name of a flag.

        Test: fast/mediastream/peerconnection-iceoptions.html

        * Modules/mediastream/PeerConnection00.cpp:
        (WebCore::PeerConnection00::createMediaHints):
        (WebCore::PeerConnection00::createOffer):
        (WebCore):
        (WebCore::PeerConnection00::createAnswer):
        (WebCore::PeerConnection00::createIceOptions):
        (WebCore::PeerConnection00::createDefaultIceOptions):
        (WebCore::PeerConnection00::startIce):
        (WebCore::PeerConnection00::addStream):
        (WebCore::PeerConnection00::changeReadyState):
        * Modules/mediastream/PeerConnection00.h:
        (WebCore):
        (PeerConnection00):
        * Modules/mediastream/PeerConnection00.idl:
        * platform/mediastream/chromium/PeerConnection00HandlerInternal.cpp:
        (WebCore::PeerConnection00HandlerInternal::startIce):

2012-05-04  David Tseng  <dtseng@google.com>

        Chromium should include MenuListPopups' and MenuListOptions' within the ax tree.
        https://bugs.webkit.org/show_bug.cgi?id=85541

        Reviewed by Chris Fleizach.

        Covered by existing tests. 
        LayoutTests/accessibility/menu-list-sends-change-notification.html

        * accessibility/AccessibilityMockObject.h:
        (WebCore::AccessibilityMockObject::accessibilityIsIgnored):
        * accessibility/chromium/AccessibilityObjectChromium.cpp:
        (WebCore::AccessibilityObject::accessibilityPlatformIncludesObject):

2012-05-04  Levi Weintraub  <leviw@chromium.org>

        Unreviewed. Fixing ChangeLog conflict markers after 116009.

2012-05-04  Dan Winship  <danw@gnome.org>

        [GTK] ASSERTION FAILED: shouldLoadAsEmptyDocument(r.url()) ||
        !defersLoading() in MainResourceLoader.cpp:382

        Remove a soup_session_pause_message() call that got left behind,
        update the defersLoading stuff to handle this case.

        https://bugs.webkit.org/show_bug.cgi?id=85159

        Reviewed by Martin Robinson.

        No new tests. Now passes loader/load-defer-resume-crash.html under
        debug build.

        * platform/network/soup/ResourceHandleSoup.cpp:
        (WebCore::sendRequestCallback):
        (WebCore::ResourceHandle::platformSetDefersLoading):

2012-05-03  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Rework IME handling to fix bugs and prepare for WebKit2
        https://bugs.webkit.org/show_bug.cgi?id=84556

        Reviewed by Gustavo Noronha Silva.

        No new tests. This change is already covered by a suite of keyboard
        handling unit tests in WebKitGTK+. There are some changes in behavior,
        but they are difficult to test without mocking out an entire GtkIMContext.

        Add a struct, CompositionResults, which is used by PlatformKeyboardEvent
        to package composition information with a keyboard event. Also add some logic
        to PlatformKeyboardEvent to give the right information when it has composition
        results.

        * GNUmakefile.list.am: Added new sources to the list.
        * platform/PlatformKeyboardEvent.h:  Added a new CompositionResults member,
        getter, and argument to the constructor.
        * platform/gtk/CompositionResults.h: Added.
        * platform/gtk/GtkInputMethodFilter.cpp: Added.
        * platform/gtk/GtkInputMethodFilter.h: Added.
        * platform/gtk/PlatformKeyboardEventGtk.cpp:
        (WebCore::PlatformKeyboardEvent::windowsKeyCodeForGdkKeyCode): When
        the key value is void return the VK_PROCESS keycode, which is the keycode
        that web content expects with keystrokes that trigger composition events.
        (WebCore::eventTypeForGdkKeyEvent): Abstract out this helper.
        (WebCore::modifiersForGdkKeyEvent): Abstract out this helper.
        (WebCore::PlatformKeyboardEvent::PlatformKeyboardEvent): When a PlatformKeyEvent
        has composition results, use VK_PROCESS as the keycode for this event.
        (WebCore::PlatformKeyboardEvent::disambiguateKeyDownEvent): When this event is
        transformed into a Char event, the PlatformKeyboardEvent used for DOM keypress
        events, and it has composition results clear the text members. This forces the
        EventHandler code to drop the keypress event. Platform events that change the
        composition states do not have corresponding keypress DOM events (only keydown
        and keyup events), so this is necessary to ensure web compatibility.

2012-05-04  Jochen Eisinger  <jochen@chromium.org>

        Correctly update the outgoing referrer when navigating back from an history item created by pushState/replaceState
        https://bugs.webkit.org/show_bug.cgi?id=85374

        Reviewed by Nate Chapin.

        Test: http/tests/history/history-navigations-set-referrer.html

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::loadInSameDocument):

2012-05-04  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Clean up and split features.prf into a static list of defaults

        The static list of feature defaults is used as a fallback for any
        feature that's not dynamically detected or overridden on the command
        line (through build-webkit or passing DEFINES+= to qmake).

        The static list is complete, which allows for auto-generation based
        on Features.py (see bug https://bugs.webkit.org/show_bug.cgi?id=85456)

        https://bugs.webkit.org/show_bug.cgi?id=85611

        Reviewed by Simon Hausmann.

        * Target.pri:

2012-05-04  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r116085, r116091, and r116095.
        http://trac.webkit.org/changeset/116085
        http://trac.webkit.org/changeset/116091
        http://trac.webkit.org/changeset/116095
        https://bugs.webkit.org/show_bug.cgi?id=85628

        We are not ready with dependencies on all platforms yet (mac) +
        problems with debug builds. (Requested by Zoltan on #webkit).

        * Target.pri:
        * WebCore.pri:
        * platform/MIMETypeRegistry.cpp:
        (WebCore::initializeSupportedImageMIMETypes):
        (WebCore::initializeSupportedImageMIMETypesForEncoding):
        * platform/graphics/ImageSource.cpp:
        * platform/graphics/ImageSource.h:
        (WebCore):
        * platform/graphics/qt/ImageDecoderQt.cpp:
        (WebCore::ImageDecoder::create):
        (WebCore):
        (WebCore::ImageDecoderQt::filenameExtension):
        (WebCore::ImageDecoderQt::internalHandleCurrentImage):
        (WebCore::ImageDecoderQt::clearPointers):
        * platform/image-decoders/ImageDecoder.cpp:
        (WebCore::ImageDecoder::create):
        * platform/image-decoders/ImageDecoder.h:
        (WebCore::ImageFrame::getAddr):
        (ImageFrame):
        * platform/image-decoders/qt/ImageFrameQt.cpp: Added.
        (WebCore):
        (WebCore::ImageFrame::ImageFrame):
        (WebCore::ImageFrame::operator=):
        (WebCore::ImageFrame::clearPixelData):
        (WebCore::ImageFrame::zeroFillPixelData):
        (WebCore::ImageFrame::copyBitmapData):
        (WebCore::ImageFrame::setSize):
        (WebCore::ImageFrame::asNewNativeImage):
        (WebCore::ImageFrame::hasAlpha):
        (WebCore::ImageFrame::setHasAlpha):
        (WebCore::ImageFrame::setColorProfile):
        (WebCore::ImageFrame::setStatus):
        (WebCore::ImageFrame::setPixmap):
        (WebCore::ImageFrame::width):
        (WebCore::ImageFrame::height):

2012-05-04  Ilya Tikhonovsky  <loislo@chromium.org>

        Web Inspector: eliminate temporaryProfile property from ProfilesPanel.
        https://bugs.webkit.org/show_bug.cgi?id=85623

        We can run different profilers at the same time therefore we have to keep temporary profile per profiler type.

        Reviewed by Yury Semikhatsky.

        * inspector/front-end/CSSSelectorProfileView.js:
        (WebInspector.CSSSelectorProfileType.prototype.createView):
        (WebInspector.CSSSelectorProfileType.prototype.createTemporaryProfile):
        (WebInspector.CSSSelectorProfileType.prototype.createProfile):
        * inspector/front-end/HeapSnapshotView.js:
        (WebInspector.HeapSnapshotProfileType.prototype.createView):
        (WebInspector.HeapSnapshotProfileType.prototype.createTemporaryProfile):
        (WebInspector.HeapSnapshotProfileType.prototype.createProfile):
        * inspector/front-end/ProfileView.js:
        (WebInspector.CPUProfileType.prototype.startRecordingProfile):
        (WebInspector.CPUProfileType.prototype.createView):
        (WebInspector.CPUProfileType.prototype.createTemporaryProfile):
        (WebInspector.CPUProfileType.prototype.createProfile):
        * inspector/front-end/ProfilesPanel.js:
        (WebInspector.ProfileType.prototype.createSidebarTreeElementForProfile):
        (WebInspector.ProfileType.prototype.createTemporaryProfile):
        (WebInspector.ProfileType.prototype.createProfile):
        (WebInspector.ProfileHeader):
        (WebInspector.HeapProfileHeader):
        (WebInspector.ProfilesPanel.prototype.addProfileHeader):
        (WebInspector.ProfilesPanel.prototype.findTemporaryProfile):
        (WebInspector.ProfilesPanel.prototype._removeTemporaryProfile):
        (WebInspector.ProfilesPanel.prototype._populateProfiles.populateCallback.var):
        (WebInspector.ProfilesPanel.prototype._populateProfiles.populateCallback):
        (WebInspector.ProfilesPanel.prototype._populateProfiles):
        (WebInspector.ProfilesPanel.prototype.setRecordingProfile):
        (WebInspector.ProfilesPanel.prototype.takeHeapSnapshot):
        (WebInspector.ProfilesPanel.prototype._reportHeapSnapshotProgress):
        (WebInspector.ProfilerDispatcher.prototype.addProfileHeader):

2012-05-04  Ilya Tikhonovsky  <loislo@chromium.org>

        Web Inspector: [chromium] ScriptGCEvent should not be static.
        https://bugs.webkit.org/show_bug.cgi?id=80788

        The static members of ScriptGCEvent were moved into per isolate data structure.
        Drive by fix: Sometimes the used heap size after a GC is slightly more than it was before.

        Reviewed by Yury Semikhatsky.

        * bindings/v8/ScriptGCEvent.cpp:
        (WebCore::ScriptGCEvent::gcPrologueCallback):
        (WebCore::ScriptGCEvent::gcEpilogueCallback):
        * bindings/v8/V8Binding.h:
        (WebCore::GCEventData::GCEventData):
        (WebCore::GCEventData::clear):
        (GCEventData):
        (WebCore):
        (WebCore::V8BindingPerIsolateData::gcEventData):
        (V8BindingPerIsolateData):

2012-05-04  Kent Hansen  <kent.hansen@nokia.com>

        [Qt] Update Qt bridge after changes to QMetaMethod
        https://bugs.webkit.org/show_bug.cgi?id=85478

        Reviewed by Tor Arne Vestbø.

        QMetaMethod::signature() has been renamed to methodSignature() and
        returns a QByteArray.

        The new function QMetaMethod::name() gives direct access to a
        method's name. returnType(), parameterCount(), and parameterType()
        give direct access to type information.

        Ported the custom QtConnectionObject meta-object to revision 7;
        revision 6 and below aren't supported (and don't compile) with Qt5.

        * Target.pri:
        * bridge/qt/qt_class.cpp:
        (JSC::Bindings::QtClass::fallbackObject):
        * bridge/qt/qt_instance.cpp:
        (JSC::Bindings::QtInstance::getPropertyNames):
        * bridge/qt/qt_runtime.cpp:
        (JSC::Bindings::findMethodIndex):
        (Bindings):
        (qt_meta_stringdata_QtConnectionObject_t):
        (JSC::Bindings::QtConnectionObject::qt_static_metacall):
        (JSC::Bindings::QtConnectionObject::qt_metacast):
        (JSC::Bindings::QtConnectionObject::qt_metacall):
        (JSC::Bindings::QtConnectionObject::execute):
        * bridge/qt/qt_runtime.h:
        (QtConnectionObject):
        * bridge/qt/qt_runtime_qt4.cpp: Copied from Source/WebCore/bridge/qt/qt_runtime.cpp.
        (Bindings):
        (QWKNoDebug):
        (JSC::Bindings::QWKNoDebug::QWKNoDebug):
        (JSC::Bindings::QWKNoDebug::~QWKNoDebug):
        (JSC::Bindings::QWKNoDebug::operator<<):
        (JSC::Bindings::operator<<):
        (RuntimeConversion):
        (JSC::Bindings::registerCustomType):
        (JSC::Bindings::isJSUint8ClampedArray):
        (JSC::Bindings::valueRealType):
        (JSC::Bindings::convertValueToQVariantMap):
        (JSC::Bindings::convertValueToQVariant):
        (JSC::Bindings::convertQVariantToValue):
        (JSC::Bindings::QtRuntimeMethod::QtRuntimeMethod):
        (JSC::Bindings::QtRuntimeMethod::finishCreation):
        (JSC::Bindings::QtRuntimeMethod::~QtRuntimeMethod):
        (JSC::Bindings::QtRuntimeMethod::destroy):
        (JSC::Bindings::QtRuntimeMethodData::~QtRuntimeMethodData):
        (JSC::Bindings::QtRuntimeMethodData::finalize):
        (JSC::Bindings::QtRuntimeMetaMethodData::~QtRuntimeMetaMethodData):
        (JSC::Bindings::QtRuntimeConnectionMethodData::~QtRuntimeConnectionMethodData):
        (QtMethodMatchType):
        (JSC::Bindings::QtMethodMatchType::QtMethodMatchType):
        (JSC::Bindings::QtMethodMatchType::kind):
        (JSC::Bindings::QtMethodMatchType::isValid):
        (JSC::Bindings::QtMethodMatchType::isVariant):
        (JSC::Bindings::QtMethodMatchType::isMetaType):
        (JSC::Bindings::QtMethodMatchType::isUnresolved):
        (JSC::Bindings::QtMethodMatchType::isMetaEnum):
        (JSC::Bindings::QtMethodMatchType::enumeratorIndex):
        (JSC::Bindings::QtMethodMatchType::variant):
        (JSC::Bindings::QtMethodMatchType::metaType):
        (JSC::Bindings::QtMethodMatchType::metaEnum):
        (JSC::Bindings::QtMethodMatchType::unresolved):
        (JSC::Bindings::QtMethodMatchType::typeId):
        (JSC::Bindings::QtMethodMatchType::name):
        (QtMethodMatchData):
        (JSC::Bindings::QtMethodMatchData::QtMethodMatchData):
        (JSC::Bindings::QtMethodMatchData::isValid):
        (JSC::Bindings::QtMethodMatchData::firstUnresolvedIndex):
        (JSC::Bindings::indexOfMetaEnum):
        (JSC::Bindings::findMethodIndex):
        (JSC::Bindings::findSignalIndex):
        (JSC::Bindings::QtRuntimeMetaMethod::QtRuntimeMetaMethod):
        (JSC::Bindings::QtRuntimeMetaMethod::finishCreation):
        (JSC::Bindings::QtRuntimeMetaMethod::visitChildren):
        (JSC::Bindings::QtRuntimeMetaMethod::call):
        (JSC::Bindings::QtRuntimeMetaMethod::getCallData):
        (JSC::Bindings::QtRuntimeMetaMethod::getOwnPropertySlot):
        (JSC::Bindings::QtRuntimeMetaMethod::getOwnPropertyDescriptor):
        (JSC::Bindings::QtRuntimeMetaMethod::getOwnPropertyNames):
        (JSC::Bindings::QtRuntimeMetaMethod::lengthGetter):
        (JSC::Bindings::QtRuntimeMetaMethod::connectGetter):
        (JSC::Bindings::QtRuntimeMetaMethod::disconnectGetter):
        (JSC::Bindings::QtRuntimeConnectionMethod::QtRuntimeConnectionMethod):
        (JSC::Bindings::QtRuntimeConnectionMethod::finishCreation):
        (JSC::Bindings::QtRuntimeConnectionMethod::call):
        (JSC::Bindings::QtRuntimeConnectionMethod::getCallData):
        (JSC::Bindings::QtRuntimeConnectionMethod::getOwnPropertySlot):
        (JSC::Bindings::QtRuntimeConnectionMethod::getOwnPropertyDescriptor):
        (JSC::Bindings::QtRuntimeConnectionMethod::getOwnPropertyNames):
        (JSC::Bindings::QtRuntimeConnectionMethod::lengthGetter):
        (JSC::Bindings::QtConnectionObject::QtConnectionObject):
        (JSC::Bindings::QtConnectionObject::~QtConnectionObject):
        (JSC::Bindings::QtConnectionObject::metaObject):
        (JSC::Bindings::QtConnectionObject::qt_metacast):
        (JSC::Bindings::QtConnectionObject::qt_metacall):
        (JSC::Bindings::isJavaScriptFunction):
        (JSC::Bindings::QtConnectionObject::execute):
        (JSC::Bindings::QtConnectionObject::match):
        (JSC::Bindings::QtConnectionObject::createWithInternalJSC):
        (JSC::Bindings::::QtArray):
        (JSC::Bindings::::~QtArray):
        (JSC::Bindings::::rootObject):
        (JSC::Bindings::::setValueAt):
        (JSC::Bindings::::valueAt):

2012-05-04  Yury Semikhatsky  <yurys@chromium.org>

        Web Inspector: use single method for retrieving evaluation context in the runtime agent
        https://bugs.webkit.org/show_bug.cgi?id=85621

        Reviewed by Pavel Feldman.

        Merged two script state retrieval methods into one. Moved Page specific logic
        into PageRuntimeAgent.

        * inspector/InspectorRuntimeAgent.cpp:
        (WebCore::InspectorRuntimeAgent::evaluate):
        * inspector/InspectorRuntimeAgent.h:
        (InspectorRuntimeAgent):
        * inspector/PageRuntimeAgent.cpp:
        (WebCore::PageRuntimeAgent::scriptStateForEval):
        * inspector/PageRuntimeAgent.h:
        (PageRuntimeAgent):
        * inspector/WorkerRuntimeAgent.cpp:
        (WebCore::WorkerRuntimeAgent::scriptStateForEval):
        * inspector/WorkerRuntimeAgent.h:
        (WorkerRuntimeAgent):

2012-05-04  Jochen Eisinger  <jochen@chromium.org>

        Unreviewed, rolling out r115549.
        http://trac.webkit.org/changeset/115549
        https://bugs.webkit.org/show_bug.cgi?id=83894

        The newly added CRASH() statements are triggered too often

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::init):
        (WebCore::FrameLoader::setupForReplace):
        (WebCore::FrameLoader::stopAllLoaders):
        (WebCore::FrameLoader::clearProvisionalLoad):
        (WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy):
        (WebCore::FrameLoader::continueLoadAfterNavigationPolicy):

2012-05-04  Zoltan Horvath  <zoltan@webkit.org>

        [Qt] Error message fix after r116091
        https://bugs.webkit.org/show_bug.cgi?id=85614

        Reviewed by Alexis Menard.

        No new tests : error message fix.

        * WebCore.pri:

2012-05-04  Alexis Menard  <alexis.menard@openbossa.org>

        [Qt] Build fix when using libpng version > 1.2.
        https://bugs.webkit.org/show_bug.cgi?id=85614

        Reviewed by Tor Arne Vestbø.

        Don't enforce the version of libpng when passing the option to the linker.

        No new tests : build fix.

        * WebCore.pri:

2012-05-04  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] Images are scaled badly in WebKit2
        https://bugs.webkit.org/show_bug.cgi?id=85610

        Reviewed by Jocelyn Turcotte.

        Enable smooth pixmap transforms when rendering into the GraphicsSurface image.
        This class is only used in WK2.

        * platform/graphics/surfaces/qt/GraphicsSurfaceQt.cpp:
        (WebCore::GraphicsSurface::platformBeginPaint):

2012-05-04  Zoltan Horvath  <zoltan@webkit.org>

        [Qt] Remove unnecessary executable bits after r116085

        No new tests.

        * Target.pri:
        * WebCore.pri:
        * platform/graphics/ImageSource.cpp:
        * platform/graphics/ImageSource.h:
        * platform/graphics/qt/ImageDecoderQt.cpp:
        * platform/graphics/qt/ImageDecoderQt.h:
        * platform/image-decoders/ImageDecoder.cpp:
        * platform/image-decoders/ImageDecoder.h:

2012-05-04  Zoltan Horvath  <zoltan@webkit.org>

        [Qt] Set WebCore imagedecoders as default and add fallback to QImageDecoder
        https://bugs.webkit.org/show_bug.cgi?id=80400

        This change modifies the default ImageDecoder for Qt-port from QImageDecoder to WebCore ImageDecoder.
        The new behavior is to use QImageDecoder only if WebCoreImageDecoder doesn't support the requested
        image type.
        The WTF_USE_QT_IMAGE_DECODER macro has been removed, since it is no longer needed.

        This change adds build dependency for libpng-dev and libjpeg-dev packages, because PNG and JPEG imagedecoders
        need not only these libraries, but their headers also. Qmake-config tests for these libraries were
        introduced in r110045.

        Reviewed by Simon Hausmann.

        No new tests needed.

        * Target.pri: Move WebCore ImageDecoder files out of guards. Remove ImageFrameQt.cpp from sources.
        * WebCore.pri: Move WebCore ImageDecoder include paths out of guards.
        * platform/MIMETypeRegistry.cpp:
        (WebCore::initializeSupportedImageMIMETypes): Add WebCore supported and Qt supported MIME types.
        (WebCore::initializeSupportedImageMIMETypesForEncoding): Use Qt supported MIME types.
        * platform/graphics/ImageSource.cpp: Remove unnecessary includes.
        * platform/graphics/ImageSource.h: Remove unnecessary typedefs.
        (WebCore):
        * platform/graphics/qt/ImageDecoderQt.cpp:
        (WebCore::ImageDecoderQt::filenameExtension): Remove unnecessary semicolon.
        (WebCore::ImageDecoderQt::internalHandleCurrentImage): Use QImage and ImageFrame instead of QPixmap.
        (WebCore):
        (WebCore::ImageFrame::asNewNativeImage): Moved here from removed ImageFrameQt.cpp.
        * platform/image-decoders/ImageDecoder.cpp: Reorganize the includes of the header.
        (WebCore::ImageDecoder::create): Add platform macro guarded fallback case for QImageDecoder.
        * platform/image-decoders/ImageDecoder.h: Remove Qt-specific codes.
        (WebCore::ImageFrame::getAddr): Remove Qt-specific case, since it is no longer needed.
        (ImageFrame):
        * platform/image-decoders/qt/ImageFrameQt.cpp: Removed. Dead code, other code has been moved to
        ImageDecoderQt.cpp.

2012-05-03  Ilya Tikhonovsky  <loislo@chromium.org>

        Web Inspector: createRawLocationByURL is too slow if a big number of evals happen.
        https://bugs.webkit.org/show_bug.cgi?id=85477

        It iterates through all the _scripts even if they have no url.
        We can keep a separate map of scripts with url.

        Reviewed by Yury Semikhatsky.

        * inspector/front-end/DebuggerModel.js:
        (WebInspector.DebuggerModel):
        (WebInspector.DebuggerModel.prototype._globalObjectCleared):
        (WebInspector.DebuggerModel.prototype._resetScriptsMap):
        (WebInspector.DebuggerModel.prototype._parsedScriptSource):
        (WebInspector.DebuggerModel.prototype.createRawLocationByURL):

2012-05-03  David Barr  <davidbarr@chromium.org>

        Antialias single-edge solid borders
        https://bugs.webkit.org/show_bug.cgi?id=85031

        Reviewed by Simon Fraser.

        Antialiasing is avoided for adjacent edges due to artifacts at the seam.
        There are no such artifacts for single-edge borders so enable antialiasing.

        Test: fast/css/border-solid-single-edge-antialias.html

        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::paintBorder):

2012-05-03  Adam Barth  <abarth@webkit.org>

        CSP: Eval isn't blocked in about:blank subframes
        https://bugs.webkit.org/show_bug.cgi?id=85553

        Reviewed by Eric Seidel.

        ContentSecurityPolicy has a back pointer to ScriptExecutionContext.
        That means we shouldn't share a single ContentSecurityPolicy object
        between multiple ScriptExecutionContexts.  This patch copies the state
        from one ScriptExecutionContext to another rather than sharing the
        ContentSecurityPolicy object itself.

        This resulted in a subtle bug w.r.t. blocking eval.  Because we block
        eval by setting a bit in the JavaScript engine when enforcing the
        policy, that bit wasn't copied along with the rest of the state when we
        were sharing the ContentSecurityPolicy object.  Now that we use the
        more robust ContentSecurityPolicy::copyStateFrom function, we don't
        have that bug.

        Test: http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html

        * dom/Document.cpp:
        (WebCore::Document::initSecurityContext):
        (WebCore):
        (WebCore::Document::initContentSecurityPolicy):
        * dom/Document.h:
        (Document):
        * dom/SecurityContext.cpp:
        (WebCore::SecurityContext::setContentSecurityPolicy):
        * dom/SecurityContext.h:
        (SecurityContext):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::didBeginDocument):
        * page/ContentSecurityPolicy.h:
        (WebCore::ContentSecurityPolicy::create):

2012-05-03  Abhishek Arya  <inferno@chromium.org>

        Regression(r113769): Crash in AudioNodeOutput::disconnectAllParams.
        https://bugs.webkit.org/show_bug.cgi?id=85196

        Reviewed by Chris Rogers.

        RefPtr the AudioParam hashset in AudioNodeOutput to prevent accessing
        destroyed entries.

        No new tests. Unable to reproduce it in DRT.

        * Modules/webaudio/AudioNodeOutput.cpp:
        (WebCore::AudioNodeOutput::disconnectAllParams):
        * Modules/webaudio/AudioNodeOutput.h:
        (AudioNodeOutput):

2012-05-03  Noel Gordon  <noel.gordon@gmail.com>

        PNGImageDecoder: Clean up rowAvailable() some more
        https://bugs.webkit.org/show_bug.cgi?id=85464

        Reviewed by Eric Seidel.

        No new tests. Covered by existing tests: fast/images/png-extra-row-crash.html in
        particular.

        * platform/image-decoders/png/PNGImageDecoder.cpp:
        (WebCore::PNGImageDecoder::rowAvailable): Use colorChannels consistently. Split
        the useful libpng comments in two, then place the early-out code and conditions
        in between. The png variable is only used in one place so move it there.

2012-05-03  Ojan Vafai  <ojan@chromium.org>

        Histogram total allocated bytes in the arena in addition to the render tree size
        https://bugs.webkit.org/show_bug.cgi?id=85537

        Reviewed by Eric Seidel.

        We only free bytes allocated to a RenderArena when destroying the Document.
        Histogram both the render tree size and the total bytes allocated. This
        gives a better sense of the overhead of RenderArena as well as giving a more
        accurate number for the amount of actual memory used by the render tree.

        No new tests. This is not webfacing, so this can't be tested without adding
        API to layout test controller, which doesn't seem worth it for this code.

        * page/Page.cpp:
        (WebCore::Page::renderTreeSize):
        (WebCore::Page::setVisibilityState):
        * page/Page.h:
        (Page):
        * platform/Arena.cpp:
        (WebCore::ArenaAllocate):
        * platform/Arena.h:
        (WebCore):
        * rendering/RenderArena.cpp:
        (WebCore::RenderArena::allocate):
        * rendering/RenderArena.h:
        (WebCore::RenderArena::totalRenderArenaAllocatedBytes):
        (RenderArena):

2012-05-03  Mary Wu  <mary.wu@torchmobile.com.cn>

        [BlackBerry] Add missed member in CrossThreadResourceRequestData
        https://bugs.webkit.org/show_bug.cgi?id=85448

        Reviewed by Antonio Gomes.

        * platform/network/blackberry/ResourceRequest.h:
        (CrossThreadResourceRequestData):
        * platform/network/blackberry/ResourceRequestBlackBerry.cpp:
        (WebCore::ResourceRequest::doPlatformCopyData):
        (WebCore::ResourceRequest::doPlatformAdopt):

2012-05-03  Adam Barth  <abarth@webkit.org>

        CSP shouldn't block about:blank for iframes
        https://bugs.webkit.org/show_bug.cgi?id=85233

        Reviewed by Eric Seidel.

        As discussed at the W3C WebAppSec face-to-face meeting, there's no
        point in blocking about:blank iframes or objects because blocking a
        frame or object just results in displaying about:blank anyway.  This
        patch just removes the spurious console message and violation report.

        Test: http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html

        * page/ContentSecurityPolicy.cpp:
        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource):

2012-05-03  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r116040.
        http://trac.webkit.org/changeset/116040
        https://bugs.webkit.org/show_bug.cgi?id=85559

        Broke a few IndexedDB browsertests (Requested by zhenyao on
        #webkit).

        * Modules/indexeddb/IDBCursor.cpp:
        (WebCore::IDBCursor::direction):
        * Modules/indexeddb/IDBCursor.h:
        (IDBCursor):
        * Modules/indexeddb/IDBCursor.idl:
        * Modules/indexeddb/IDBDatabase.cpp:
        (WebCore::IDBDatabase::transaction):
        (WebCore):
        * Modules/indexeddb/IDBDatabase.h:
        * Modules/indexeddb/IDBDatabase.idl:
        * Modules/indexeddb/IDBIndex.cpp:
        (WebCore::IDBIndex::openCursor):
        (WebCore::IDBIndex::openKeyCursor):
        * Modules/indexeddb/IDBIndex.h:
        (WebCore::IDBIndex::openCursor):
        (WebCore::IDBIndex::openKeyCursor):
        * Modules/indexeddb/IDBIndex.idl:
        * Modules/indexeddb/IDBObjectStore.cpp:
        (WebCore::IDBObjectStore::openCursor):
        * Modules/indexeddb/IDBObjectStore.h:
        (WebCore::IDBObjectStore::openCursor):
        (IDBObjectStore):
        * Modules/indexeddb/IDBObjectStore.idl:
        * Modules/indexeddb/IDBRequest.cpp:
        (WebCore::IDBRequest::IDBRequest):
        (WebCore::IDBRequest::readyState):
        (WebCore::IDBRequest::markEarlyDeath):
        (WebCore::IDBRequest::resetReadyState):
        (WebCore::IDBRequest::abort):
        (WebCore::IDBRequest::finishCursor):
        (WebCore::IDBRequest::onSuccess):
        (WebCore::IDBRequest::stop):
        * Modules/indexeddb/IDBRequest.h:
        * Modules/indexeddb/IDBRequest.idl:
        * Modules/indexeddb/IDBTransaction.cpp:
        (WebCore::IDBTransaction::mode):
        * Modules/indexeddb/IDBTransaction.h:
        (IDBTransaction):
        * Modules/indexeddb/IDBTransaction.idl:

2012-05-03  Raphael Kubo da Costa  <rakuco@webkit.org>

        [CMake] Rewrite FindCairo.cmake.
        https://bugs.webkit.org/show_bug.cgi?id=84895

        Reviewed by Daniel Bates.

        The old approach relied on pkg-config for finding Cairo (which
        introduced a dependency on pkg-config that could be avoided), used
        the LibFindMacros code that we should probably remove in the
        future and did not use the FindPackageHandleStandardArguments
        module.

        Change all that by rewriting the module.
        - Use the pkg-config output optionally instead of requiring it
        like LibFindMacros did.
        - Remove the implicit dependency on FreeType which often found it
        the wrong way via pkg-config and without considering
        CMAKE_PREFIX_PATH.
        - Retrieve the Cairo version by looking at cairo-version.h instead
        of relying on pkg-config. It requires some additional code for
        checking if the desired version has been found, but that will not
        be needed once we start depending on CMake 2.8.3 or later.

        The only downside is that FPHSA sets <UPPERCASED_NAME>_FOUND
        instead of <Name>_FOUND, and to keep things consistent
        Cairo_LIBRARIES and Cairo_INCLUDE_DIRS have become CAIRO_LIBRARIES
        and CAIRO_INCLUDE_DIRS.

        No new tests, build system change.

        * PlatformEfl.cmake: Use CAIRO_FOO instead of Cairo_FOO.

2012-05-03  Anders Carlsson  <andersca@apple.com>

        Focus ring only appears in top-left tile
        https://bugs.webkit.org/show_bug.cgi?id=85556
        <rdar://problem/11359656>

        Reviewed by Simon Fraser.

        It is sufficient to just apply the current CTM to the clip rect and set that as the focus ring clip rect.

        * platform/graphics/mac/WebLayer.mm:
        (drawLayerContents):

2012-05-03  Alec Flett  <alecflett@chromium.org>

        IndexedDB: Replace numeric constants with strings
        https://bugs.webkit.org/show_bug.cgi?id=84894

        Reviewed by Tony Chang.

        Test: storage/indexeddb/legacy-constants.html

        Update IDBObjectStore.openCursor, IDBIndex.openCursor,
        IDBIndex.openKeyCursor, IDBDatabase.transaction,
        IDBCursor.direction, IDBTransaction.mode, and
        IDBRequest.readyState to meet the latest spec. All of these APIs
        now support string-based values in addition to the
        legacy/deprecated enum-based values.

        * Modules/indexeddb/IDBCursor.cpp:
        (WebCore):
        (WebCore::IDBCursor::direction):
        (WebCore::IDBCursor::stringToDirection):
        (WebCore::IDBCursor::directionToString):
        * Modules/indexeddb/IDBCursor.h:
        (IDBCursor):
        * Modules/indexeddb/IDBCursor.idl:
        * Modules/indexeddb/IDBDatabase.cpp:
        (WebCore::IDBDatabase::transaction):
        (WebCore):
        * Modules/indexeddb/IDBDatabase.h:
        (IDBDatabase):
        * Modules/indexeddb/IDBDatabase.idl:
        * Modules/indexeddb/IDBIndex.cpp:
        (WebCore::IDBIndex::openCursor):
        (WebCore):
        (WebCore::IDBIndex::openKeyCursor):
        * Modules/indexeddb/IDBIndex.h:
        (WebCore::IDBIndex::openCursor):
        (IDBIndex):
        (WebCore::IDBIndex::openKeyCursor):
        * Modules/indexeddb/IDBIndex.idl:
        * Modules/indexeddb/IDBObjectStore.cpp:
        (WebCore::IDBObjectStore::openCursor):
        (WebCore):
        * Modules/indexeddb/IDBObjectStore.h:
        (WebCore::IDBObjectStore::openCursor):
        (IDBObjectStore):
        * Modules/indexeddb/IDBObjectStore.idl:
        * Modules/indexeddb/IDBRequest.cpp:
        (WebCore::IDBRequest::IDBRequest):
        (WebCore::IDBRequest::readyState):
        (WebCore::IDBRequest::markEarlyDeath):
        (WebCore::IDBRequest::resetReadyState):
        (WebCore::IDBRequest::abort):
        (WebCore::IDBRequest::finishCursor):
        (WebCore::IDBRequest::onSuccess):
        (WebCore::IDBRequest::stop):
        * Modules/indexeddb/IDBRequest.h:
        * Modules/indexeddb/IDBRequest.idl:
        * Modules/indexeddb/IDBTransaction.cpp:
        (WebCore):
        (WebCore::IDBTransaction::mode):
        (WebCore::IDBTransaction::stringToMode):
        (WebCore::IDBTransaction::modeToString):
        * Modules/indexeddb/IDBTransaction.h:
        (IDBTransaction):
        * Modules/indexeddb/IDBTransaction.idl:

2012-05-03  Sam Weinig  <sam@webkit.org>

        Add an eventPhase NONE constant
        https://bugs.webkit.org/show_bug.cgi?id=85397

        Reviewed by Anders Carlsson.

        Updates existing tests.

        * dom/Event.h:
        * dom/Event.idl:
        Add NONE constant.

2012-05-03  Tony Chang  <tony@chromium.org>

        Height overflow when nesting multiple new Flexbox'es.
        https://bugs.webkit.org/show_bug.cgi?id=83572

        Reviewed by Ojan Vafai.

        Test: css3/flexbox/nested-stretch.html

        * rendering/RenderFlexibleBox.cpp:
        (WebCore::RenderFlexibleBox::computeAvailableFreeSpace):

2012-05-03  Julien Chaffraix  <jchaffraix@webkit.org>

        ASSERT(!m_zOrderListsDirty) is triggering in Safari
        https://bugs.webkit.org/show_bug.cgi?id=85512

        Reviewed by Simon Fraser.

        Unfortunately no test as I don't think the 2 cases are testable reliably.

        A better fix would be to introduce some iterator that handles updating the
        lists for you. For now, just adding the missing updateLayerListsIfNeeded()
        calls.

        * rendering/RenderLayerBacking.cpp:
        (WebCore::RenderLayerBacking::hasVisibleNonCompositingDescendantLayers):
        * rendering/RenderLayerCompositor.cpp:
        (WebCore::RenderLayerCompositor::layerHas3DContent):

2012-05-03  Philip Rogers  <pdr@google.com>

        Fix numeric precision issue in SVG animations
        https://bugs.webkit.org/show_bug.cgi?id=85502

        Reviewed by Dirk Schulze.

        r93938 had a bug where floating point numbers were compared exactly,
        exposing a bug when floating point precision was not sufficient. This
        change compares against an epsilon value to get around these precision
        issues.

        Test: svg/animations/animate-end-attribute-numeric-precision.html

        * svg/animation/SVGSMILElement.cpp:
        (WebCore::SVGSMILElement::calculateAnimationPercentAndRepeat):

2012-05-03  Joshua Bell  <jsbell@chromium.org>

        Fix coding style issues in IDBLevelDBCoding.cpp
        https://bugs.webkit.org/show_bug.cgi?id=85536

        Reviewed by Tony Chang.

        No tests - just code formatting changes.

        * Modules/indexeddb/IDBLevelDBCoding.cpp:
        (WebCore::IDBLevelDBCoding::encodeIDBKey):
        (WebCore::IDBLevelDBCoding::decodeIDBKey):
        (WebCore::IDBLevelDBCoding::extractEncodedIDBKey):
        (WebCore::IDBLevelDBCoding::compareEncodedIDBKeys):

2012-04-30  Filip Pizlo  <fpizlo@apple.com>

        PageCache autorelease should not wait until 3 seconds and 42 pages
        https://bugs.webkit.org/show_bug.cgi?id=85254
        <rdar://problem/11349613>

        Reviewed by Geoffrey Garen.

        No new tests, since there is no change in behavior.

        * history/PageCache.cpp:
        (WebCore):
        (WebCore::PageCache::PageCache):
        (WebCore::PageCache::releaseAutoreleasedPagesNowDueToTimer):
        * history/PageCache.h:
        (PageCache):

2012-05-03  Levi Weintraub  <leviw@chromium.org>

        Unreviewed build fix for Mac WK2. Adding a mistakenly removed symbol back to WebCore.exp.in.

        * WebCore.exp.in:

2012-05-03  Levi Weintraub  <leviw@chromium.org>

        Unreviewed build fix for Qt after 116009. No changes in behavior.

        * rendering/RenderTreeAsText.cpp:
        (WebCore::RenderTreeAsText::writeRenderObject):

2012-05-03  W. James MacLean  <wjmaclean@chromium.org>

        [chromium] Revise touchpad fling curve to use exponential curve, to improve feel and small fling performance.
        https://bugs.webkit.org/show_bug.cgi?id=85530

        Reviewed by Kenneth Russell.

        Existing unit tests updated for new curve.

        Modifies TouchpadFLingGestureCurve to use an exponential, rather than polynomial, curve.
        This change appears to improve the overall feel of touchpad fling, and substantially
        improves small-fling performance.

        * platform/TouchpadFlingPlatformGestureCurve.cpp:
        (WebCore::TouchpadFlingPlatformGestureCurve::create):
        (WebCore):
        (WebCore::position):
        (WebCore::velocity):
        (WebCore::TouchpadFlingPlatformGestureCurve::TouchpadFlingPlatformGestureCurve):

2012-04-23  Levi Weintraub  <leviw@chromium.org> and Emil A Eklund <eae@chromium.org>

        [meta] Switch away from integers representing pixels for layout/event handling/rendering
        https://bugs.webkit.org/show_bug.cgi?id=60318

        Reviewed by Eric Seidel.

        Swapping the LayoutUnit backend to FractionalLayoutUnit from int.
        
        FractionalLayoutUnit is a new type that uses an integer to represent a fraction of a pixel.
        We're also adding a feature flag -- ENABLE_SUBPIXEL_LAYOUT -- that toggles this fraction
        between 1/1 and 1/60. Initially, all platforms will default to subpixel layout being off,
        so FractionalLayoutUnits will effectively continue to act as integers.
        
        With ENABLE_SUBPIXEL_LAYOUT turned on, FractionalLayoutUnits accumulate error from sub-pixel
        CSS values and applied zooming, and painting uses pixel-snapping to align these values
        to pixels. See http://trac.webkit.org/wiki/LayoutUnit for details.

        In a number of previous patches, LayoutUnits were plumbed throughout the rendering tree
        to prepare for this change. This included a number of functions in LayoutTypes.h and
        the IntRect/Point/Size classes that were effectively no-ops while LayoutUnits were
        integers. Subsequent patches will remove unnecessary versions of these functions; see
        http://webkit.org/b/84616 for tracking these changes.

        Tests: fast/sub-pixel/client-width-height-snapping.html
               fast/sub-pixel/layout-boxes-with-zoom.html
               fast/sub-pixel/size-of-box-with-zoom.html

        * WebCore.exp.in: Updating function signatures that expose FractionalLayoutUnits.
        * WebCore.xcodeproj/project.pbxproj: Adding missing FractionalLayoutPoint.h header.
        * css/CSSComputedStyleDeclaration.cpp:
        (WebCore::zoomAdjustedPixelValue): Using adjustFloatForAbsoluteZoom instead of int
        to make use of extra precision before returning the pixel value.
        * css/CSSPrimitiveValue.cpp:
        (WebCore::CSSPrimitiveValue::computeLength): No longer rounds for imprecise conversion
        when sub-pixel layout is enabled.
        (WebCore::CSSPrimitiveValue::customCssText): Returning integer values for pixels.
        * dom/Element.cpp:
        (WebCore::adjustForLocalZoom): Using rounding instead of incrementing the value before
        adjusting to account for truncation when sub-pixel layout is enabled.
        * page/SpatialNavigation.cpp:
        (WebCore::distanceDataForNode): Using FractionalLayoutUnit::abs instead of std::abs.
        * platform/FractionalLayoutUnit.h: Adding some missing operators and a flag around the
        constant denominator to switch it between 1/1 and 1/60 depending on the feature flag.
        * platform/Length.h: Changing the default type for value to float, and adding intValue
        since this more closely matches usage in a sub-pixel layout world.
        * platform/win/PopupMenuWin.cpp:
        (WebCore::PopupMenuWin::paint): Using minimumIntValueForLength in this platform code
        instead of LayoutUnits.
        * rendering/InlineFlowBox.cpp:
        (WebCore::InlineFlowBox::placeBoxesInBlockDirection):
        * rendering/LayoutTypes.h: This file contains the actual switch for changing LayoutUnits
        to be FractionalLayoutUnits. Also updating stub methods with their proper implementations.
        * rendering/PaintInfo.h:
        (WebCore::PaintInfo::infiniteRect): Ensuring the infiniteRect doesn't overflow the
        FractionalLayoutUnit bounds.
        * rendering/RenderBlockLineLayout.cpp:
        (WebCore::RenderBlock::checkPaginationAndFloatsAtEndLine): Switch to
        FractionalLayoutUnit's abs function instead of std::abs.
        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::calculateBackgroundImageGeometry): Add rounding for
        setting the phase of the background geometry before applying modulo from the tile size.
        * rendering/RenderDeprecatedFlexibleBox.cpp:
        (WebCore::RenderDeprecatedFlexibleBox::layoutVerticalBox): Stop applying flex when
        we have less than a pixel to distribute.
        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::backgroundClipRect): Replace PaintInfo::infiniteRect with the
        LayoutRect equivalent.
        * rendering/RenderLineBoxList.cpp:
        (WebCore::RenderLineBoxList::rangeIntersectsRect): Using FractionalLayoutUnit::abs
        instead of std::abs.
        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::repaintAfterLayoutIfNeeded): Ditto.
        * rendering/RenderObject.h:
        (WebCore): Removing unnecessary adjustForAbsoluteZoom function.
        (WebCore::RenderObject::outlineSize): Outlines remain ints.
        * rendering/RenderTableCell.cpp:
        (WebCore::RenderTableCell::styleOrColLogicalWidth): Build fix. Using floats because
        colWidthSum is a Length which uses floats.
        * rendering/RenderThemeChromiumSkia.cpp:
        (WebCore::RenderThemeChromiumSkia::paintSearchFieldResultsButton): Explicit templatization
        for max.
        * rendering/RenderTreeAsText.cpp: Adding code to minimize test expectation churn. It
        may be worth outputting float values in test expectations, but this isn't done with
        the inline box tree yet, either.
        * rendering/RenderTreeAsText.h:
        (WebCore): Adding a FractionalLayoutPoint operator.
        * rendering/RenderWidget.cpp:
        (WebCore::RenderWidget::updateWidgetGeometry): Adding missing pixel snapping, and switching
        absoluteContentBox to an IntRect, as this is what boundingBox returns.
        * rendering/svg/SVGRenderTreeAsText.cpp:
        (WebCore::writePositionAndStyle): Adding an enclosingIntRect for consistency with old results.

2012-05-03  Levi Weintraub  <leviw@chromium.org> and Emil A Eklund <eae@chromium.org>

        [meta] Switch away from integers representing pixels for layout/event handling/rendering
        https://bugs.webkit.org/show_bug.cgi?id=60318

        Reviewed by Eric Seidel.

        Swapping the LayoutUnit backend to FractionalLayoutUnit from int.
        
        FractionalLayoutUnit is a new type that uses an integer that can represent a fraction of a
        pixel. The ENABLE_SUBPIXEL_LAYOUT feature flag toggles this fraction between 1/1 and 1/60.
        Initially, all platforms will default to subpixel layout being off, so FractionalLayoutUnits
        will effectively continue to act as integers.
        
        With ENABLE_SUBPIXEL_LAYOUT turned on, FractionalLayoutUnits accumulate error from sub-pixel
        CSS values and applied zooming, and painting uses pixel-snapping to align these values
        to pixels and prevent unwanted anti-aliasing. See http://trac.webkit.org/wiki/LayoutUnit for
        details.

        In a number of previous patches, LayoutUnits were plumbed throughout the rendering tree to
        prepare for this change. This included a number of functions in LayoutTypes.h and the
        IntRect/Point/Size classes that were effectively no-ops while LayoutUnits were integers. See
        http://webkit.org/b/60318 for the exhaustive list of changes that were done in preparation
        for this. Subsequent patches will remove unnecessary versions of these functions.
        http://webkit.org/b/84616 tracks these changes.

        Tests: fast/sub-pixel/client-width-height-snapping.html
               fast/sub-pixel/layout-boxes-with-zoom.html
               fast/sub-pixel/size-of-box-with-zoom.html

        * WebCore.exp.in: Updating function signatures that expose FractionalLayoutUnits.
        * WebCore.order: Ditto.
        * WebCore.xcodeproj/project.pbxproj: Adding missing FractionalLayoutPoint.h header.
        * css/CSSPrimitiveValue.cpp:
        (WebCore::CSSPrimitiveValue::computeLength): No longer rounds for imprecise conversion
        when sub-pixel layout is enabled.
        * dom/Element.cpp:
        (WebCore::adjustForLocalZoom): Using rounding instead of incrementing the value before
        adjusting to account for truncation when sub-pixel layout is enabled.
        * rendering/mathml/RenderMathMLBlock.cpp:
        (WebCore): Fixing a static initializer build error by moving an integer constant to be
        an int.
        * rendering/LayoutTypes.h: This file contains the actual switch for changing LayoutUnits
        to be FractionalLayoutUnits. Also updating stub methods with their proper implementations.
        * rendering/PaintInfo.h:
        (WebCore::PaintInfo::infiniteRect): Ensuring the infiniteRect doesn't overflow the
        FractionalLayoutUnit bounds. LayoutRect::infiniteRect() is the largest rectangle that can
        be represented using LayoutUnits.
        * rendering/RenderLayer.h:
        (WebCore::ClipRect::operator!=): Add overload of != to fix complaining compilers when
        * rendering/RenderTreeAsText.cpp: Adding code to minimize test expectation churn. It
        may be worth outputting float values in test expectations, but this isn't done with
        the inline box tree yet, either.
        * rendering/RenderTreeAsText.h:
        (WebCore): Adding a FractionalLayoutPoint operator.
        * rendering/svg/SVGRenderTreeAsText.cpp:
        (WebCore::writePositionAndStyle):
        (WebCore): Adding a FractionalLayoutPoint operator.

2012-05-03  Anders Carlsson  <andersca@apple.com>

        Move repaint counter drawing code out into a separate function
        https://bugs.webkit.org/show_bug.cgi?id=85539

        Reviewed by Simon Fraser.

        The majority of code in TileCache::drawLayer deals with drawing the repaint counter. Move this code out
        into a separate function to make it more clear what drawLayer does.

        * platform/graphics/ca/mac/TileCache.h:
        (TileCache):
        * platform/graphics/ca/mac/TileCache.mm:
        (WebCore::TileCache::drawLayer):
        (WebCore::TileCache::drawRepaintCounter):
        (WebCore):

2012-05-03  Simon Fraser  <simon.fraser@apple.com>

        Compositing 'requiresOwnBackingStore' logic caused new clip rect assertions
        https://bugs.webkit.org/show_bug.cgi?id=85455

        Reviewed by Dean Jackson.
        
        r114283 added logic that allows compositing layers to avoid allocating their own
        backing store and to paint into an ancestor instead. However, that caused
        assertions in RenderLayer::updateClipRects() about m_clipRectsRoot being
        incorrect, because clip rect code assumed that compositing layers
        always painted themselves.
        
        Fixed by calling paintsIntoCompositedAncestor() in RenderLayer::clippingRoot(),
        so that clip rect computation matches painting.

        I wasn't able to easily make a test that reproduces the assertion in DRT.

        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::clippingRoot):

2012-05-03  Tim Horton  <timothy_horton@apple.com>

        REGRESSION(99539): SVG <img> disregards page scale and device scale
        https://bugs.webkit.org/show_bug.cgi?id=77237
        <rdar://problem/10767413>

        Reviewed by Simon Fraser.

        Rename SVGImageCache::SizeAndZoom to SVGImageCache::SizeAndScales, as it carries more than just zoom now.

        Pass the product of the device and page scales through everything that takes a SVGImageCache::SizeAndScales,
        using it to inflate the size of the buffer created in lookupOrCreateBitmapImageForRenderer,
        and to inflate the destination rectangle passed to SVGImage::draw, which will cause a transformation
        on the context being drawn into.

        Invalidate the SVGImageCache entry on device/page scale changes in addition to zoom changes.

        This patch does not cause SVGImageCache to take into account scale caused by CSS transforms; that is tracked
        separately by https://bugs.webkit.org/show_bug.cgi?id=85335.

        Tests: svg/as-image/image-respects-deviceScaleFactor.html
               svg/as-image/image-respects-pageScaleFactor.html

        * loader/cache/CachedImage.cpp:
        (WebCore::CachedImage::setContainerSizeForRenderer):
        (WebCore::CachedImage::imageSizeForRenderer):
        * svg/graphics/SVGImage.cpp:
        (WebCore::SVGImage::drawSVGToImageBuffer):
        * svg/graphics/SVGImage.h:
        * svg/graphics/SVGImageCache.cpp:
        (WebCore::SVGImageCache::~SVGImageCache):
        (WebCore::SVGImageCache::removeRendererFromCache):
        (WebCore::SVGImageCache::setRequestedSizeAndScales):
        (WebCore::SVGImageCache::requestedSizeAndScales):
        (WebCore::SVGImageCache::redraw):
        (WebCore::SVGImageCache::lookupOrCreateBitmapImageForRenderer):
        * svg/graphics/SVGImageCache.h:
        (WebCore::SVGImageCache::SizeAndScales::SizeAndScales):
        (SizeAndScales):
        (SVGImageCache):
        (WebCore::SVGImageCache::ImageData::ImageData):
        (ImageData):

2012-05-03  Fady Samuel  <fsamuel@chromium.org>

        Removing line in computeViewportAttributes that enforces a minimum scale factor to never allow zooming out more than viewport
        https://bugs.webkit.org/show_bug.cgi?id=70609

        Reviewed by Kenneth Rohde Christiansen.

        Make Viewport Attributes' layoutSize be a FloatRect to avoid rounding
        too early, and the occasional off-by-one fixed layout dimensions.

        * dom/ViewportArguments.cpp:
        (WebCore::computeViewportAttributes):
        * dom/ViewportArguments.h:
        (ViewportAttributes):

2012-05-03  Joshua Bell  <jsbell@chromium.org>

        IndexedDB: Handle generated keys up to 2^53
        https://bugs.webkit.org/show_bug.cgi?id=85114

        The spec defines the behavior for generated keys up to 2^53
        (the maximum integer storable as an ECMAScript number) and
        the error case when going beyond that. Ensure that we can
        handle values up to that point and generate errors beyond.

        Reviewed by Tony Chang.

        Test: storage/indexeddb/key-generator.html

        * Modules/indexeddb/IDBBackingStore.h:
        (IDBBackingStore):
        * Modules/indexeddb/IDBLevelDBBackingStore.cpp:
        (WebCore::IDBLevelDBBackingStore::nextAutoIncrementNumber):
        * Modules/indexeddb/IDBLevelDBBackingStore.h:
        (IDBLevelDBBackingStore):
        * Modules/indexeddb/IDBObjectStoreBackendImpl.cpp:
        (WebCore::IDBObjectStoreBackendImpl::putInternal):
        (WebCore::IDBObjectStoreBackendImpl::genAutoIncrementKey):
        * Modules/indexeddb/IDBObjectStoreBackendImpl.h:
        (IDBObjectStoreBackendImpl):

2012-05-03  Simon Fraser  <simon.fraser@apple.com>

        Remove RenderLayerCompositor::didStartAcceleratedAnimation()
        https://bugs.webkit.org/show_bug.cgi?id=85514

        Reviewed by Antti Koivisto.
        
        Remove RenderLayerCompositor::didStartAcceleratedAnimation(), which is no longer
        needed.

        Code removal, no new tests.

        * rendering/RenderLayerBacking.cpp:
        (WebCore::RenderLayerBacking::startAnimation):
        (WebCore::RenderLayerBacking::startTransition):
        * rendering/RenderLayerCompositor.cpp:
        * rendering/RenderLayerCompositor.h:

2012-05-03  Andreas Kling  <kling@webkit.org>

        REGRESSION(r111387): CSSOM representation of 'background-image' values should be CSSPrimitiveValue.
        <http://webkit.org/b/85500>

        Reviewed by Antti Koivisto.

        Use the cloneForCSSOM() mechanism in CSSValue to expose CSSImageValue to bindings as a URI
        primitive value. This matches the specced behavior of computed image values, and restores our
        previous behavior without having CSSImageValue subclass CSSPrimitiveValue.

        Also added a failsafe return after the isCSSOMSafe() assertion in the JSC bindings, since it's
        better to expose an incorrect return value than an insecurely shared one, should we have or add
        bugs in this code.

        * bindings/js/JSCSSValueCustom.cpp:
        (WebCore::toJS):
        * css/CSSImageValue.cpp:
        (WebCore::CSSImageValue::cloneForCSSOM):
        * css/CSSImageValue.h:
        * css/CSSValue.cpp:
        (WebCore::CSSValue::cloneForCSSOM):

2012-05-03  Keishi Hattori  <keishi@webkit.org>

        Crash in HTMLFormControlElement::m_fieldSetAncestor
        https://bugs.webkit.org/show_bug.cgi?id=85453

        Reviewed by Kent Tamura.

        Modified tests: fast/forms/datalist/datalist-child-validation.html
                        fast/forms/form-control-element-crash.html

        * html/HTMLFormControlElement.cpp:
        (WebCore::HTMLFormControlElement::removedFrom): Only set the invalid ancestor flag.
        The element will be detached from the document so there is no need to update the style.
        And the validation message will be hidden by the blur event.
        (WebCore::HTMLFormControlElement::willValidate): Because of the change to removedFrom,
        m_ancestorsValid may be false.

2012-05-03  Simon Fraser  <simon.fraser@apple.com>

        Keep overlap testing for compositing on pages with 3d transforms when possible
        https://bugs.webkit.org/show_bug.cgi?id=62487

        Reviewed by Antti Koivisto.
        
        Change RenderLayerCompositor to always use overlap testing when possible.

        Rather than turn off overlap testing wholesale when encountering a non-affine
        transform, or starting an accelerated transform animation, we constrain
        the disabling of overlap testing to within overflow:hidden areas when possible.

        Tests: compositing/layer-creation/overlap-animation.html
               compositing/layer-creation/overlap-transforms.html

        * rendering/RenderLayerBacking.cpp:
        (WebCore::RenderLayerBacking::setCompositedBounds): Whitespace fix.
        * rendering/RenderLayerCompositor.cpp:
        (WebCore::CompositingState::CompositingState):
        (CompositingState): Add a member boolean to track whether we're testing overlap. Add a copy
        constructor.
        (WebCore::RenderLayerCompositor::updateCompositingLayers): Initialize the 'testing overlap'
        setting based on m_compositingConsultsOverlap (though this will always be true until removed
        in a future commit).
        (WebCore::RenderLayerCompositor::updateBacking): No longer turn off overlap testing
        when we see a non-affine transform.
        (WebCore::RenderLayerCompositor::computeCompositingRequirements): No need for the 'struct'
        in the arguments.
        Consult compositingState.m_testingOverlap to see if we want to test overlap.
        Use the new CompositingState copy ctor for childState, but set m_subtreeIsCompositing to false
        as before.
        If this layer is composited, look to see if we need to disable overlap testing based on
        the transform or an animation.
        Just as we propagate m_subtreeIsCompositing, we have to propagate m_testingOverlap=false
        for the rest of the traverse.
        If we've just processed a layer which clips compositing descendants, we can go back
        to testing for overlap.
        (WebCore::RenderLayerCompositor::didStartAcceleratedAnimation): No need to do anything
        here now. It will be removed in future.
        (WebCore::RenderLayerCompositor::hasNonAffineTransform): No longer check
        perspective here, since that doesn't affect whether _this_ layer should disable
        overlap testing. Checking for a non-affine transform is sufficient.
        (WebCore::RenderLayerCompositor::isRunningAcceleratedTransformAnimation):
        New method to check if AnimationController is running a transform animation.
        * rendering/RenderLayerCompositor.h:
        (RenderLayerCompositor):

2012-05-03  Chris Fleizach  <cfleizach@apple.com>

        accessibility/misspelled-attributed-string.html test sometimes throws exceptions
        https://bugs.webkit.org/show_bug.cgi?id=85081

        Reviewed by Darin Adler.

        Add in more range checking in case we get back ranges from spell checking that are wrong.

        * accessibility/mac/WebAccessibilityObjectWrapper.mm:
        (AXAttributeStringSetFont):
        (AXAttributeStringSetColor):
        (AXAttributeStringSetNumber):
        (AXAttributeStringSetBlockquoteLevel):
        (AXAttributeStringSetHeadingLevel):
        (AXAttributeStringSetElement):

2012-05-03  Pavel Feldman  <pfeldman@chromium.org>

        Web Inspector: move canonical mime type calculation to Resource
        https://bugs.webkit.org/show_bug.cgi?id=85507

        Reviewed by Yury Semikhatsky.

        Drive-by: small refactoring that prepares code for formatter extraction.

        * inspector/front-end/BreakpointsSidebarPane.js:
        * inspector/front-end/DebuggerModel.js:
        (WebInspector.DebuggerModel.prototype.createLiveLocation):
        (WebInspector.DebuggerModel.prototype.rawLocationToUILocation):
        * inspector/front-end/DebuggerPresentationModel.js:
        (WebInspector.DebuggerPresentationModelResourceBinding.prototype._uiSourceCodeForResource):
        * inspector/front-end/NetworkManager.js:
        (WebInspector.NetworkDispatcher.prototype._createNetworkRequest):
        (get WebInspector):
        * inspector/front-end/Resource.js:
        (WebInspector.Resource.prototype.requestContent):
        (WebInspector.Resource.prototype.canonicalMimeType):
        (WebInspector.Resource.prototype._innerRequestContent.callback):
        (WebInspector.Resource.prototype._innerRequestContent):
        * inspector/front-end/ResourceView.js:
        (WebInspector.ResourceSourceFrame.prototype.requestContent):
        (WebInspector.ResourceSourceFrame.prototype._contentChanged):

2012-05-03  Yury Semikhatsky  <yurys@chromium.org>

        Web Inspector: 'expires' value is incorrect for cookies
        https://bugs.webkit.org/show_bug.cgi?id=85489

        Reviewed by Pavel Feldman.

        Fixed cookie 'expires' property type from integer to number so that
        we don't lose precision when assembling Cookie parameter in InspectorResourceAgent.

        * inspector/Inspector.json:

2012-05-03  Dan Bernstein  <mitz@apple.com>

        highlight for Ruby text is mispositioned in the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=82684

        Reviewed by Simon Fraser.

        Tests: fast/writing-mode/flipped-blocks-inline-map-local-to-container-expected.html
               fast/writing-mode/flipped-blocks-inline-map-local-to-container.html

        In flipped blocks writing modes, flipping was being applied twice to box descendants of
        inline children of the flipped block, once during RenderBox::mapLocalToContainer, and then
        again by RenderInline::mapLocalToContainer. The fix is to make the latter only apply the
        flip to local coordinates originating in the inline or a descendant inline. This is done
        by adding a parameter of type ApplyContainerFlipOrNot, which defaults to ApplyContainerFlip
        but is reset to DoNotApplyContainerFlip in recursive calls into mapLocalToContainer().

        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::mapLocalToContainer): Added ApplyContainerFlipOrNot parameter, passing
        DoNotApplyContainerFlip when recursing into the container.
        * rendering/RenderBox.h:

        * rendering/RenderInline.cpp:
        (WebCore::RenderInline::mapLocalToContainer): Added ApplyContainerFlipOrNot parameter, and
        made the flipping conditional on its value.

        * rendering/RenderInline.h:

        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::mapLocalToContainer): Added ApplyContainerFlipOrNot parameter,
        passing DoNotApplyContainerFlip when recursing into the container.
        (WebCore::RenderObject::localToContainerQuad): Pass ApplyContainerFlip.
        (WebCore::RenderObject::localToContainerPoint): Ditto.
        * rendering/RenderObject.h:

        * rendering/RenderView.cpp:
        (WebCore::RenderView::mapLocalToContainer): Added ApplyContainerFlipOrNot parameter.
        * rendering/RenderView.h:

        * rendering/svg/RenderSVGForeignObject.cpp:
        (WebCore::RenderSVGForeignObject::mapLocalToContainer): Ditto.
        * rendering/svg/RenderSVGForeignObject.h:

        * rendering/svg/RenderSVGInline.cpp:
        (WebCore::RenderSVGInline::mapLocalToContainer): Ditto.
        * rendering/svg/RenderSVGInline.h:

        * rendering/svg/RenderSVGModelObject.cpp:
        (WebCore::RenderSVGModelObject::mapLocalToContainer): Ditto.
        * rendering/svg/RenderSVGModelObject.h:

        * rendering/svg/RenderSVGRoot.cpp:
        (WebCore::RenderSVGRoot::mapLocalToContainer): Ditto.
        * rendering/svg/RenderSVGRoot.h:

        * rendering/svg/RenderSVGText.cpp:
        (WebCore::RenderSVGText::mapLocalToContainer): Ditto.
        * rendering/svg/RenderSVGText.h:

        * rendering/svg/SVGRenderSupport.cpp:
        (WebCore::SVGRenderSupport::mapLocalToContainer): Pass DoNotApplyContainerFlip when
        recursing into the parent.

2012-05-03  Pavel Feldman  <pfeldman@chromium.org>

        Web Inspector: make Script a ContentProvider.
        https://bugs.webkit.org/show_bug.cgi?id=85486

        Reviewed by Yury Semikhatsky.

        This allows us to get rid of the corresponding content provider wrapper.

        * inspector/front-end/ContentProviders.js:
        * inspector/front-end/RawSourceCode.js:
        (WebInspector.RawSourceCode.prototype._createContentProvider):
        * inspector/front-end/Script.js:
        (WebInspector.Script.prototype.contentURL):
        (WebInspector.Script.prototype.requestContent.didGetScriptSource):
        (WebInspector.Script.prototype.requestContent):
        * inspector/front-end/SnippetsModel.js:
        (WebInspector.SnippetsScriptMapping.prototype._createUISourceCodeForScript):

2012-05-03  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Remove extra checks for empty string when parsing CSS value
        https://bugs.webkit.org/show_bug.cgi?id=85480

        Reviewed by Alexis Menard.

        Each parse value helper function was checking whether the value string was empty. For the
        common case this check is already done by StylePropertySet::setProperty(). So this patch
        makes CSSParser::parseValue() assume the value string is not empty, and fixes the other two
        clients.

        Test: fast/html/font-face-empty-should-not-crash.html

        * css/CSSParser.cpp:
        (WebCore::parseColorValue): Replace the string empty check by an ASSERT() to document
        function's expectations.
        (WebCore::parseSimpleLengthValue): Ditto.
        (WebCore::parseKeywordValue): Ditto.
        (WebCore::CSSParser::parseFontFaceValue): This will be covered by the added test.
        (WebCore::CSSParser::parseValue):
        * css/WebKitCSSMatrix.cpp:
        (WebCore::WebKitCSSMatrix::setMatrixValue): This is already covered by
        transforms/cssmatrix-2d-interface.xhtml.

2012-05-03  Arpita Bahuguna  <arpitabahuguna@gmail.com>

        Broken handling of pseudo-elements in selectors API
        https://bugs.webkit.org/show_bug.cgi?id=83446

        Reviewed by Antti Koivisto.

        Test: fast/dom/Window/querySelectorAll-with-pseudo-elements.html

        * css/SelectorChecker.cpp:
        (WebCore::SelectorChecker::SelectorChecker):
        Setting the default value for the enum member m_mode to ResolvingStyle.

        (WebCore::SelectorChecker::checkSelector):
        Instead of verifying against the bool m_isCollectingRulesOnly, we now check whether or not
        m_mode is set to ResolvingStyle.

        (WebCore::SelectorChecker::checkOneSelector):
        Instead of verifying against the bool m_isCollectingRulesOnly, we now check whether or not
        m_mode is set to ResolvingStyle. Also, for the pseudo-elements case we check if its
        value is set to QueryingRules in which case we return false.

        * css/SelectorChecker.h:
        (WebCore::SelectorChecker::mode):
        Returns the mode (m_mode) value.

        (WebCore::SelectorChecker::setMode):
        Sets the mode (m_mode) to the passed enum value.

        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::sortAndTransferMatchedRules):
        (WebCore::StyleResolver::collectMatchingRulesForList):
        Retrieves SelectorChecker's mode value.

        * dom/SelectorQuery.cpp:
        (WebCore::SelectorQuery::SelectorQuery):
        Sets SelectorChecker's mode to QueryingRules.

        * html/shadow/ContentSelectorQuery.cpp:
        (WebCore::ContentSelectorQuery::ContentSelectorQuery):
        Sets SelectorChecker's mode to CollectingRules.

2012-05-03  Pavel Feldman  <pfeldman@chromium.org>

        Web Inspector: EXC_BAD_ACCESS in DOM breakpoint processing code.
        https://bugs.webkit.org/show_bug.cgi?id=85482

        Reviewed by Yury Semikhatsky.

        0 check added since we are guaranteed to get immediate parent, but not the whole ancestor tree.

        * inspector/InspectorDOMDebuggerAgent.cpp:
        (WebCore::InspectorDOMDebuggerAgent::descriptionForDOMEvent):

2012-05-03  Ilya Tikhonovsky  <loislo@chromium.org>

        Web Inspector: compile time ambiguity happens when I try to assign a TypeBuilder object to an out argument.
        https://bugs.webkit.org/show_bug.cgi?id=85462

        It happens because we have type casting operators for both types RefPtr<*Type*> and PassRefPtr<*Type*>.
        I think we can drop PassRefPtr type casting operator and use a named function 'release'.

        Reviewed by Yury Semikhatsky.

        * inspector/CodeGeneratorInspector.py:
        * inspector/ContentSearchUtils.cpp:
        (WebCore::ContentSearchUtils::buildObjectForSearchMatch):
        * inspector/InspectorApplicationCacheAgent.cpp:
        (WebCore::InspectorApplicationCacheAgent::buildObjectForApplicationCache):
        * inspector/InspectorPageAgent.cpp:
        (WebCore::buildObjectForCookie):
        (WebCore::buildObjectForSearchResult):
        * inspector/InspectorResourceAgent.cpp:
        (WebCore::buildObjectForTiming):
        (WebCore::InspectorResourceAgent::buildInitiatorObject):
        * inspector/ScriptCallFrame.cpp:
        (WebCore::ScriptCallFrame::buildInspectorObject):

2012-05-03  Yury Semikhatsky  <yurys@chromium.org>

        Web Inspector: crash in InspectorResourceAgent::didReceiveWebSocketFrame
        https://bugs.webkit.org/show_bug.cgi?id=85394

        Reviewed by Pavel Feldman.

        Pass string length explicitly when creating String object from non-null-terminated
        char* strings.

        * inspector/InspectorResourceAgent.cpp:
        (WebCore):
        (WebCore::InspectorResourceAgent::didReceiveWebSocketFrame):
        (WebCore::InspectorResourceAgent::didSendWebSocketFrame):

2012-05-03  'Pavel Feldman'  <pfeldman@chromium.org>

        Not reviewed: never surround InspectorInstrumentation:: with ENABLED(INSPECTOR)

        * dom/ContainerNode.cpp:
        (WebCore::ContainerNode::insertBefore):
        (WebCore::ContainerNode::replaceChild):
        (WebCore::ContainerNode::appendChild):
        (WebCore::dispatchChildRemovalEvents):

2012-04-30  Pavel Feldman  <pfeldman@chromium.org>

        Web Inspector: migrate breakpoint manager to live locations.
        https://bugs.webkit.org/show_bug.cgi?id=85136

        Reviewed by Yury Semikhatsky.

        - Merges Breakpoint and UIBreakpoint to have single instance
        - Extracts storage from the breakpoint manager
        - Makes breakpoint manager use source mapping from the script, not the presentation model
        - Removes breakpoints collection from the UISourceCode
        Unfortunately, there are too many inter-dependencies that require that these changes are done simultaneously.

        * inspector/front-end/BreakpointManager.js:
        (WebInspector.BreakpointManager):
        (WebInspector.BreakpointManager.prototype.setBreakpoint):
        (WebInspector.BreakpointManager.prototype.breakpoint):
        (WebInspector.BreakpointManager.prototype.breakpointLocationsForUISourceCode):
        (WebInspector.BreakpointManager.prototype.removeAllBreakpoints):
        (WebInspector.BreakpointManager.prototype.reset):
        (WebInspector.BreakpointManager.prototype.debuggerReset):
        (WebInspector.BreakpointManager.prototype._breakpointResolved):
        (WebInspector.BreakpointManager.prototype._removeBreakpoint):
        (WebInspector.BreakpointManager.prototype._uiLocationAdded):
        (WebInspector.BreakpointManager.prototype._uiLocationRemoved):
        (WebInspector.BreakpointManager.prototype.storage):
        (WebInspector.BreakpointManager.Breakpoint):
        (WebInspector.BreakpointManager.Breakpoint.prototype.primaryUILocation):
        (WebInspector.BreakpointManager.Breakpoint.prototype._addResolvedLocation):
        (WebInspector.BreakpointManager.Breakpoint.prototype.enabled):
        (WebInspector.BreakpointManager.Breakpoint.prototype.setEnabled):
        (WebInspector.BreakpointManager.Breakpoint.prototype.condition):
        (WebInspector.BreakpointManager.Breakpoint.prototype.setCondition):
        (WebInspector.BreakpointManager.Breakpoint.prototype._updateBreakpoint):
        (WebInspector.BreakpointManager.Breakpoint.prototype.remove):
        (WebInspector.BreakpointManager.Breakpoint.prototype._setInDebugger.didSetBreakpoint):
        (WebInspector.BreakpointManager.Breakpoint.prototype._setInDebugger):
        (WebInspector.BreakpointManager.Breakpoint.prototype._removeFromDebugger):
        (WebInspector.BreakpointManager.Breakpoint.prototype._resetLocations):
        (WebInspector.BreakpointManager.Breakpoint.prototype._breakpointStorageId):
        (WebInspector.BreakpointManager.Breakpoint.prototype._fakeBreakpointAtPrimaryLocation):
        (WebInspector.BreakpointManager.Storage.get this):
        (WebInspector.BreakpointManager.Storage):
        (WebInspector.BreakpointManager.Storage.prototype.restoreBreakpoints):
        (WebInspector.BreakpointManager.Storage.prototype._updateBreakpoint):
        (WebInspector.BreakpointManager.Storage.prototype._removeBreakpoint):
        (WebInspector.BreakpointManager.Storage.prototype._save):
        (set WebInspector.BreakpointManager.Storage.Item):
        * inspector/front-end/BreakpointsSidebarPane.js:
        (WebInspector.JavaScriptBreakpointsSidebarPane):
        (WebInspector.JavaScriptBreakpointsSidebarPane.prototype._breakpointAdded.didRequestContent):
        (WebInspector.JavaScriptBreakpointsSidebarPane.prototype._breakpointAdded):
        (WebInspector.JavaScriptBreakpointsSidebarPane.prototype._breakpointRemoved):
        (WebInspector.JavaScriptBreakpointsSidebarPane.prototype.highlightBreakpoint):
        (WebInspector.JavaScriptBreakpointsSidebarPane.prototype._createBreakpointItemId):
        (WebInspector.JavaScriptBreakpointsSidebarPane.prototype._breakpointClicked):
        (WebInspector.JavaScriptBreakpointsSidebarPane.prototype._breakpointCheckboxClicked):
        (WebInspector.JavaScriptBreakpointsSidebarPane.prototype._breakpointContextMenu):
        * inspector/front-end/DebuggerModel.js:
        (WebInspector.DebuggerModel):
        (WebInspector.DebuggerModel.prototype.breakpointsActive):
        (WebInspector.DebuggerModel.prototype.createLiveLocation):
        * inspector/front-end/DebuggerPresentationModel.js:
        (WebInspector.DebuggerPresentationModel.prototype._handleUISourceCodeListChanged):
        (WebInspector.DebuggerPresentationModelResourceBinding.prototype._setContentWithInitialContent):
        * inspector/front-end/JavaScriptSource.js:
        (WebInspector.JavaScriptSource):
        (WebInspector.JavaScriptSource.prototype.consoleMessagesCleared):
        * inspector/front-end/JavaScriptSourceFrame.js:
        (WebInspector.JavaScriptSourceFrame):
        (WebInspector.JavaScriptSourceFrame.prototype.canEditSource):
        (WebInspector.JavaScriptSourceFrame.prototype.editContent):
        (WebInspector.JavaScriptSourceFrame.prototype._onContentChanged):
        (WebInspector.JavaScriptSourceFrame.prototype.populateLineGutterContextMenu):
        (WebInspector.JavaScriptSourceFrame.prototype.beforeTextChanged):
        (WebInspector.JavaScriptSourceFrame.prototype.didEditContent):
        (WebInspector.JavaScriptSourceFrame.prototype._addBreakpointDecoration):
        (WebInspector.JavaScriptSourceFrame.prototype._onMouseDown):
        (WebInspector.JavaScriptSourceFrame.prototype._editBreakpointCondition.finishEditing):
        (WebInspector.JavaScriptSourceFrame.prototype._editBreakpointCondition):
        (WebInspector.JavaScriptSourceFrame.prototype._breakpointAdded):
        (WebInspector.JavaScriptSourceFrame.prototype._breakpointRemoved):
        (WebInspector.JavaScriptSourceFrame.prototype.onTextViewerContentLoaded):
        (WebInspector.JavaScriptSourceFrame.prototype._setBreakpoint):
        (WebInspector.JavaScriptSourceFrame.prototype._continueToLine):
        (WebInspector.JavaScriptSourceFrame.prototype._updateBreakpointsAfterLiveEdit):
        * inspector/front-end/Script.js:
        (WebInspector.Script.prototype.rawLocationToUILocation):
        * inspector/front-end/ScriptsPanel.js:
        (WebInspector.ScriptsPanel.prototype._uiSourceCodeAdded):
        (WebInspector.ScriptsPanel.prototype._uiSourceCodeRemoved):
        (WebInspector.ScriptsPanel.prototype._debuggerPaused.else.didGetUILocation):
        (WebInspector.ScriptsPanel.prototype._debuggerPaused):
        (WebInspector.ScriptsPanel.prototype._uiSourceCodeReplaced):
        * inspector/front-end/UISourceCode.js:
        (WebInspector.UISourceCode.prototype.contentChanged):

2012-05-03  Andrey Kosyakov  <caseq@chromium.org>

        Unreviewed attempt to fix chromium win build broken at r115943.

        * notifications/NotificationClient.h:
        (WebCore):

2012-05-03  Vivek Galatage  <vivekgalatage@gmail.com>

        Linker warnings due to duplicate symbols for SimplifyMarkupCommand.cpp on Windows
        https://bugs.webkit.org/show_bug.cgi?id=85467

        Reviewed by Ryosuke Niwa.

        Removed the multiple inclusion of the file SimplifyMarkupCommand.cpp.

        No new tests required.

        * WebCore.vcproj/WebCore.vcproj:

2012-05-03  Uday Kiran  <udaykiran@motorola.com>

        CSS clip: auto clips to box borders instead of removing clipping
        https://bugs.webkit.org/show_bug.cgi?id=36772

        Reviewed by Andreas Kling.

        According to the CSS 2.1 spec, http://www.w3.org/TR/CSS2/visufx.html#propdef-clip,
        with a clip property value of 'auto' the element does not clip.
        Also getPropertyValue for clip when auto is specified should return "auto"
        and not "rect(0px 0px 0px 0px)".

        Tests: css2.1/20110323/clip-001-expected.html
               css2.1/20110323/clip-001.html

        * css/StyleBuilder.cpp:
        (WebCore::ApplyPropertyClip::applyValue):

2012-05-02  Antti Koivisto  <antti@apple.com>

        Add temporary feature define for parsed stylesheet caching
        https://bugs.webkit.org/show_bug.cgi?id=85413

        Rubber-stamped by Nikolas Zimmermann.

        While not an externally visible feature this is still a significant internal change.
        It is good to have a define in case someone has an urgent need to turn it off.
        
        Caching is enabled by default on all platforms. The define should be removed after some bake time.

        * html/HTMLLinkElement.cpp:
        (WebCore::HTMLLinkElement::setCSSStyleSheet):

2012-05-03  Nikolas Zimmermann  <nzimmermann@rim.com>

        Accumulation for values-animation is broken
        https://bugs.webkit.org/show_bug.cgi?id=85158

        Reviewed by Zoltan Herczeg.

        Follow-up patch: Add const Foo& foo() const accessors to SVGAnimatedType,
        to avoid the "Foo& foo = animated->foo()" idiom in all cases where we
        don't need to mutate 'foo'. Use "const Foo& foo = animated->foo()" instead.
        Inline all of these methods to avoid the function call overhead.

        For to-animations we actually mutated the from value before, but it wasn't a
        problem in practice, as we did that on every animation step. Fully avoid these
        inconsistencies by never mutating the from/to types stored in SVGAnimateElement.

        Cache toAtEndOfDurationType just like m_toType/m_fromType in SVGAnimateElement,
        to avoid reconstructing it on every animation step.

        No new tests, only design/performance fixes.

        * svg/SVGAnimateElement.cpp:
        (WebCore::SVGAnimateElement::calculateAnimatedValue):
        (WebCore::SVGAnimateElement::calculateToAtEndOfDurationValue):
        (WebCore::SVGAnimateElement::targetElementWillChange):
        * svg/SVGAnimateElement.h:
        (SVGAnimateElement):
        * svg/SVGAnimateMotionElement.cpp:
        (WebCore::SVGAnimateMotionElement::SVGAnimateMotionElement):
        (WebCore::SVGAnimateMotionElement::calculateToAtEndOfDurationValue):
        (WebCore::SVGAnimateMotionElement::calculateFromAndToValues):
        (WebCore::SVGAnimateMotionElement::calculateFromAndByValues):
        (WebCore::SVGAnimateMotionElement::calculateAnimatedValue):
        * svg/SVGAnimateMotionElement.h:
        (SVGAnimateMotionElement):
        * svg/SVGAnimatedAngle.cpp:
        (WebCore::SVGAnimatedAngleAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedAngleAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedBoolean.cpp:
        (WebCore::SVGAnimatedBooleanAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedColor.cpp:
        (WebCore::SVGAnimatedColorAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedEnumeration.cpp:
        (WebCore::SVGAnimatedEnumerationAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedInteger.cpp:
        (WebCore::SVGAnimatedIntegerAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedIntegerOptionalInteger.cpp:
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedLength.cpp:
        (WebCore::SVGAnimatedLengthAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedLengthAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedLengthList.cpp:
        (WebCore::SVGAnimatedLengthListAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedLengthListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumber.cpp:
        (WebCore::SVGAnimatedNumberAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumberList.cpp:
        (WebCore::SVGAnimatedNumberListAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedNumberListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumberOptionalNumber.cpp:
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedPath.cpp:
        (WebCore::SVGAnimatedPathAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedPointList.cpp:
        (WebCore::SVGAnimatedPointListAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedPreserveAspectRatio.cpp:
        (WebCore::SVGAnimatedPreserveAspectRatioAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedRect.cpp:
        (WebCore::SVGAnimatedRectAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedString.cpp:
        (WebCore::SVGAnimatedStringAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedTransformList.cpp:
        (WebCore::SVGAnimatedTransformListAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedTransformListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedType.cpp:
        * svg/SVGAnimatedType.h:
        (WebCore::SVGAnimatedType::angleAndEnumeration):
        (SVGAnimatedType):
        (WebCore::SVGAnimatedType::boolean):
        (WebCore::SVGAnimatedType::color):
        (WebCore::SVGAnimatedType::enumeration):
        (WebCore::SVGAnimatedType::integer):
        (WebCore::SVGAnimatedType::integerOptionalInteger):
        (WebCore::SVGAnimatedType::length):
        (WebCore::SVGAnimatedType::lengthList):
        (WebCore::SVGAnimatedType::number):
        (WebCore::SVGAnimatedType::numberList):
        (WebCore::SVGAnimatedType::numberOptionalNumber):
        (WebCore::SVGAnimatedType::path):
        (WebCore::SVGAnimatedType::pointList):
        (WebCore::SVGAnimatedType::preserveAspectRatio):
        (WebCore::SVGAnimatedType::rect):
        (WebCore::SVGAnimatedType::string):
        (WebCore::SVGAnimatedType::transformList):
        * svg/SVGAnimationElement.cpp:
        (WebCore::SVGAnimationElement::currentValuesForValuesAnimation):
        (WebCore::SVGAnimationElement::startedActiveInterval):
        (WebCore::SVGAnimationElement::updateAnimation):
        * svg/SVGAnimationElement.h:
        (WebCore::SVGAnimationElement::adjustFromToListValues):
        (WebCore::SVGAnimationElement::animateDiscreteType):
        (SVGAnimationElement):

2012-05-02  Alexander Færøy  <ahf@0x90.dk>

        Rename deviceDPI to devicePixelRatio
        https://bugs.webkit.org/show_bug.cgi?id=85049

        Reviewed by Kenneth Rohde Christiansen.

        No new tests added since this is a minor refactoring with no changes
        that should affect tests.

        * page/Settings.cpp:
        (WebCore::Settings::Settings):
        * page/Settings.h:
        (WebCore::Settings::setDevicePixelRatio):
        (WebCore::Settings::devicePixelRatio):
        (Settings):

2012-05-03  Nikolas Zimmermann  <nzimmermann@rim.com>

        Fix multiple begin values support - especially with seeking through setCurrentTime
        https://bugs.webkit.org/show_bug.cgi?id=85372

        Reviewed by Zoltan Herczeg.

        Multiple begin values aka. begin="0s; 2s" aren't correctly handled - resulting in broken & unexpected behavior.
        Supporting seeking properly on documents containing such animations is very important, otherwise we can't reliably
        test animations using either reftests or the SVG JS animation test framework.

        Testcase:
        <rect height="100" fill="green">
            <animate attributeName="width" begin="0s; 2s" dur="8s" from="0" to="100" fill="freeze"/>
        </rect>

        What's expected?
        Two times should be contained in the 'begin' times list in SVGSMILElement: m_beginTimes = { 0s, 2s }.
        The initial first resolved interval is: m_intervalBegin=0.0s, m_intervalEnd=8.0s.

        During t=0s..1.9999s the m_intervalBegin/m_intervalEnd are correct.
        At t=2s, a new interval can be started. m_intervalEnd should be set to nextBeginTime, where nextBeginTime=2s.
        The current interval should get cropped to: m_intervalBegin=0s, m_intervalEnd=2s. The following call to
        resolveNextInterval() sees that elapsed >= m_intervalEnd, and thus moves on to the next interval.
        m_intervalBegin should be 2s and m_intervalEnd=10s after that.

        In trunk this behavior is only partly implemented and broken. Especially broken together with seeking via SVGSVGElement.setCurrentTime.
        That's because we don't correctly seek to the right interval in case of multiple begin values, eg. if we sample an animation with
        begin="0s; 3s" dur="6s" we always remain in the first interval and don't move on.

        Fix all of these issues, making lots more tests work in Dr. Olaf Hofmann's SVG Animation test suite.

        Tests: svg/animations/multiple-begin-additive-animation.html
               svg/animations/multiple-begin-animation-discrete-expected.svg
               svg/animations/multiple-begin-animation-discrete.svg
               svg/animations/multiple-begin-animation-expected.svg
               svg/animations/multiple-begin-animation.svg

        * svg/animation/SMILTimeContainer.cpp:
        (WebCore::SMILTimeContainer::begin):
        (WebCore::SMILTimeContainer::setElapsed):
        (WebCore::SMILTimeContainer::updateAnimations):
        * svg/animation/SMILTimeContainer.h:
        (SMILTimeContainer):
        * svg/animation/SVGSMILElement.cpp:
        (WebCore::SVGSMILElement::findInstanceTime):
        (WebCore::SVGSMILElement::resolveInterval):
        (WebCore::SVGSMILElement::resolveNextInterval):
        (WebCore):
        (WebCore::SVGSMILElement::checkRestart):
        (WebCore::SVGSMILElement::seekToIntervalCorrespondingToTime):
        (WebCore::SVGSMILElement::progress):
        * svg/animation/SVGSMILElement.h:
        (SVGSMILElement):

2012-05-03  Dana Jansens  <danakj@chromium.org>

        [chromium] Don't add small opaque areas to the occlusion tracker's Region
        https://bugs.webkit.org/show_bug.cgi?id=85297

        Reviewed by Adrienne Walker.

        Don't add small opaque areas (smaller than 160x160) to the occlusion
        tracker's Region objects to avoid high Region::unite() costs.

        We would like Region to just be fast enough that this isn't a concern,
        and there are patches in flight to do this, but at the moment, small
        opaque areas add significant cost if there are many of them, for
        potentially small gains since they do not cover entire tiles.

        Comments in http://code.google.com/p/chromium/issues/detail?id=124687
        motivate this approach for now, and point to around 160x160 being
        a reasonable threshold.

        Removes the opaque paint tracking flag while we're here. The flag is
        no longer used, and was broken when we moved the "paint vs opaque
        flag" distinction out to the layers.

        Unit test: CCOcclusionTrackerTestMinimumTrackingSize

        * platform/graphics/chromium/cc/CCLayerTreeHost.cpp:
        (WebCore::CCLayerTreeHost::paintLayerContents):
        * platform/graphics/chromium/cc/CCLayerTreeHostImpl.cpp:
        (WebCore::CCLayerTreeHostImpl::calculateRenderPasses):
        * platform/graphics/chromium/cc/CCOcclusionTracker.cpp:
        (WebCore::::CCOcclusionTrackerBase):
        (WebCore::addOcclusionBehindLayer):
        (WebCore::::markOccludedBehindLayer):
        * platform/graphics/chromium/cc/CCOcclusionTracker.h:
        (WebCore::CCOcclusionTrackerBase::setMinimumTrackingSize):
        (CCOcclusionTrackerBase):
        (WebCore::CCOcclusionTrackerBase::preferredMinimumTrackingSize):

2012-05-02  Jon Lee  <jonlee@apple.com>

        Migrate permission functions to Notification from NotificationCenter
        https://bugs.webkit.org/show_bug.cgi?id=80485
        <rdar://problem/10965458>

        Reviewed by Jian Li.

        * notifications/Notification.idl: Add permission functions.
        * notifications/DOMWindowNotifications.idl: Wrap webkitNotifications as part of legacy API.

        * notifications/Notification.cpp: New permission functions are wrapped with ENABLE(NOTIFICATIONS)
        (WebCore::Notification::taskTimerFired): Use the new permission functions to determine whether we can show the
        notification.
        (WebCore::Notification::permissionLevel):
        (WebCore::Notification::permissionString): Declare three static locals for each of the values, and return
        based on the permission enum.
        (WebCore::Notification::requestPermission): Forward request to client.
        * notifications/Notification.h:

        * notifications/NotificationPermissionCallback.h: Added.
        (NotificationPermissionCallback):
        (WebCore::NotificationPermissionCallback::~NotificationPermissionCallback):
        * notifications/NotificationPermissionCallback.idl: Added.

        * notifications/NotificationCenter.cpp: Wrap permission functions in ENABLE(LEGACY_NOTIFICATIONS)
        * notifications/NotificationCenter.h: Wrap permission functions in ENABLE(LEGACY_NOTIFICATIONS)
        * notifications/NotificationCenter.idl: Refactor conditionals to make the center available only when
        ENABLE(LEGACY_NOTIFICATIONS) is on.
        * notifications/NotificationPresenter.h:
        (WebCore::NotificationPresenter::requestPermission): Add new requestPermission() function for new
        NotificationPermissionCallback type. Make it a stub implementation until all ports have adopted.

        * notifications/NotificationClient.h: Add another requestPermission() client call, wrapped in
        ENABLE(NOTIFICATIONS) that accepts the NotificationPermissionCallback. Wrap the original one in
        ENABLE(LEGACY_NOTIFICATIONS).

        * bindings/js/JSDesktopNotificationsCustom.cpp: Change to include the implementation only in
        ENABLE(LEGACY_NOTIFICATIONS).
        * bindings/js/JSNotificationsCustom.cpp: Custom implementation of requestPermission().
        * bindings/v8/custom/V8NotificationCustom.cpp: Custom implementation of requestPermission().

        * notifications/WorkerContextNotifications.idl: Make webkitNotifications available only in legacy API.
        * CMakeLists.txt: Add new callback idl.
        * DerivedSources.make: Add new callback idl.
        * DerivedSources.pri: Add new callback idl.
        * GNUmakefile.list.am: Add NotificationPermissionCallback files.
        * Target.pri: Include JSNotificationCustom.cpp, V8NotificationCustom.cpp
        * UseJSC.cmake: Include JSNotificationCustom.cpp
        * UseV8.cmake: Include V8NotificationCustom.cpp
        * WebCore.gypi: Include JSNotificationCustom.cpp, V8NotificationCustom.cpp, JSNotificationPermissionCallback.{h,cpp}
        * WebCore.vcproj/WebCore.vcproj: Include JSNotificationCustom.cpp, JSNotificationPermissionCallback.{h,cpp}
        * WebCore.exp.in: Export permissionString().
        * WebCore.xcodeproj/project.pbxproj: Add callback idl, h, and cpp files.

2012-05-02  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r115907.
        http://trac.webkit.org/changeset/115907
        https://bugs.webkit.org/show_bug.cgi?id=85458

        It broke all viewport tests on Qt and on GTK (Requested by
        Ossy on #webkit).

        * dom/ViewportArguments.cpp:
        (WebCore::computeViewportAttributes):
        * dom/ViewportArguments.h:
        (ViewportAttributes):

2012-05-02  Gustavo Noronha Silva  <gns@gnome.org>

        [GTK] Finish moving modules into libWebCoreModules.la
        https://bugs.webkit.org/show_bug.cgi?id=85449

        Unreviewed build fix.

        * GNUmakefile.list.am: move remaining modules source files into the
        libWebCoreModules library, this should fix the problems people had
        building the 1.9.1 tarball with unpatched make.

2012-05-02  Dongwoo Im  <dw.im@samsung.com>

        [EFL] Unreviewed, Fix build break when WEB_AUDIO is enabled.
        https://bugs.webkit.org/show_bug.cgi?id=85443

        Unreviewed build fix.

        Three new files were added in the Modules/webaudio directory.
        These files should be included into the CMakeLists.txt file.

        * CMakeLists.txt: Add the newly created files into the CMakeLists.txt

2012-05-02  Eric Seidel  <eric@webkit.org>

        Sort ENABLE_ defines in FeatureDefines.xcconfig files to make them easier to compare with one another (and easier to autogenerate)
        https://bugs.webkit.org/show_bug.cgi?id=85433

        Reviewed by Adam Barth.

        I have a script which can autogenerate these xcconfig files as well as the
        vsprops files (and soon the Chromium, cmake, gnumake and qmake) feature lists
        from a central feature list file.
        In preparation for posting such a tool, I'm re-sorting these xcconfig files to be
        alphabetically ordered (currently they're close, but not quite).
        There is also at least one inconsistency between these files (CSS_LEGACY_PREFIXES) which
        I will fix in a second pass.  I will also sort the FEATURE_DEFINES = line in a follow-up patch.

        * Configurations/FeatureDefines.xcconfig:

2012-05-02  Dana Jansens  <danakj@chromium.org>

        [chromium] Don't occlude pixels in a surface that are needed for a background filter blur
        https://bugs.webkit.org/show_bug.cgi?id=84317

        Reviewed by Adrienne Walker.

        Blur filters move pixels around, so a pixel can influence the value of
        pixels at some distance away. If a pixel is not occluded, then all
        pixels within the radius of the blur may influence the value of that
        pixel, so they should also stay unoccluded.

        For background filters, the pixels are read from the filter's target
        surface, so we remove occlusion from that target surface from pixels
        that will blur into visible pixels.

        Unit test: CCOcclusionTrackerTestDontOccludePixelsNeededForBackgroundFilter
                   CCOcclusionTrackerTestTwoBackgroundFiltersReduceOcclusionTwice
                   CCOcclusionTrackerTestDontOccludePixelsNeededForBackgroundFilterWithClip
                   CCOcclusionTrackerTestDontReduceOcclusionBelowBackgroundFilter
                   CCOcclusionTrackerTestDontReduceOcclusionIfBackgroundFilterIsOccluded
                   CCOcclusionTrackerTestReduceOcclusionWhenBackgroundFilterIsPartiallyOccluded

        * platform/graphics/chromium/cc/CCOcclusionTracker.cpp:
        (WebCore::reduceOcclusion):
        (WebCore):
        (WebCore::reduceOcclusionBelowSurface):
        (WebCore::::leaveToTargetRenderSurface):
        (WebCore::::unoccludedContributingSurfaceContentRect):
        * platform/graphics/chromium/cc/CCOcclusionTracker.h:
        (CCOcclusionTrackerBase):
        * platform/graphics/chromium/cc/CCQuadCuller.cpp:
        (WebCore::CCQuadCuller::appendSurface):
        (WebCore::CCQuadCuller::appendReplica):

2012-05-02  Levi Weintraub  <leviw@chromium.org>

        Convert FractionalLayoutUnit overflow assertions to stderr warnings
        https://bugs.webkit.org/show_bug.cgi?id=85393

        Reviewed by Eric Seidel.

        Writing warnings to stderr when FractionalLayoutUnits overflow on debug builds instead of asserting
        and crashing. It can be very useful for WebKit developers to know when overflow is occurring, but it's
        not always a programming error, so assert wasn't the right action.

        No new tests. No change in behavior.

        * platform/FractionalLayoutUnit.h:
        (WebCore):
        (WebCore::FractionalLayoutUnit::FractionalLayoutUnit):
        (WebCore::FractionalLayoutUnit::toUnsigned):
        (WebCore::FractionalLayoutUnit::setRawValue):

2012-04-18  Jon Honeycutt  <jhoneycutt@apple.com>

        FrameLoaderClient::dispatchWillSendSubmitEvent() should be given more
        information about the form being submitted
        https://bugs.webkit.org/show_bug.cgi?id=84297

        Reviewed by Andy Estes.

        * html/HTMLFormElement.cpp:
        (WebCore::HTMLFormElement::prepareForSubmission):
        Get the form field names and values, and use them to create a FormState
        object. Pass this object when calling dispatchWillSendSubmitEvent().
        (WebCore::HTMLFormElement::getTextFieldValues):
        Loop over the associated elements, looking for <input> elements.
        Collect their names and values.

        * html/HTMLFormElement.h:
        Declare getTextFieldData().

        * loader/EmptyClients.h:
        (WebCore::EmptyFrameLoaderClient::dispatchWillSendSubmitEvent):
        Updated declaration for new parameter type.

        * loader/FrameLoaderClient.h:
        Updated declaration of dispatchWillSendSubmitEvent() for new param
        type.

2012-04-13  Jon Honeycutt  <jhoneycutt@apple.com>

        Make Page::setDefersLoading() have a call count so that each time
        loading is deferred, it must be balanced with a call to resume.
        https://bugs.webkit.org/show_bug.cgi?id=84522

        Reviewed by Andy Estes.

        * page/Page.cpp:
        (WebCore::Page::Page):
        Initialize new call count member.
        (WebCore::Page::setDefersLoading):
        Check whether the caller wants balanced defer/resume loading behavior.
        If the call count is not changing from 0 to 1 or 1 to 0, return early.
        Otherwise, defer or resume loading for frames in this page.

        * page/Page.h:
        (WebCore::Page::defersLoading):
        Added a member to hold the call count.

        * page/Settings.cpp:
        (WebCore::Settings::Settings):
        Initialized new member m_wantsBalancedSetDefersLoadingBehavior.

        * page/Settings.h:
        (Settings):
        Added new member m_wantsBalancedSetDefersLoadingBehavior.
        (WebCore::Settings::setWantsBalancedSetDefersLoadingBehavior):
        Setter.
        (WebCore::Settings::wantsBalancedSetDefersLoadingBehavior):
        Getter.

2012-05-02  Ojan Vafai  <ojan@chromium.org>

        Add a histogram for rendertree size
        https://bugs.webkit.org/show_bug.cgi?id=85226

        Reviewed by Eric Seidel.

        We record it when the page gets hidden, since this is a point
        at which, in theory, we could kill the rendertree.

        No new tests. This isn't web visible, so there's no way to test it.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::clear):
        * page/Page.cpp:
        (WebCore::Page::renderTreeSize):
        (WebCore):
        (WebCore::Page::setVisibilityState):
        * page/Page.h:
        (Page):
        * platform/HistogramSupport.cpp:
        (WebCore::HistogramSupport::histogramCustomCounts):
        (WebCore):
        * platform/HistogramSupport.h:
        (HistogramSupport):
        * platform/chromium/HistogramSupportChromium.cpp:
        (WebCore::HistogramSupport::histogramCustomCounts):
        (WebCore):

2012-05-02  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r115902.
        http://trac.webkit.org/changeset/115902
        https://bugs.webkit.org/show_bug.cgi?id=85441

        Compile failure on linux 32 (Requested by zhenyao on #webkit).

        * Modules/indexeddb/IDBBackingStore.h:
        (IDBBackingStore):
        * Modules/indexeddb/IDBLevelDBBackingStore.cpp:
        (WebCore::IDBLevelDBBackingStore::nextAutoIncrementNumber):
        * Modules/indexeddb/IDBLevelDBBackingStore.h:
        (IDBLevelDBBackingStore):
        * Modules/indexeddb/IDBObjectStoreBackendImpl.cpp:
        (WebCore::IDBObjectStoreBackendImpl::putInternal):
        (WebCore::IDBObjectStoreBackendImpl::genAutoIncrementKey):
        * Modules/indexeddb/IDBObjectStoreBackendImpl.h:
        (IDBObjectStoreBackendImpl):

2012-05-02  Julien Chaffraix  <jchaffraix@webkit.org>

        Add ASSERTs to avoid querying dirtied z-index or normal flow lists on RenderLayer
        https://bugs.webkit.org/show_bug.cgi?id=84920

        Reviewed by Simon Fraser.

        Covered by existing tests in Debug (at least several times!).

        This change adds some ASSERTs on RenderLayer that prevent any use of its lists if they
        are dirtied.

        On top of this change, we added an invariant that non-stacking contexts should have their
        z-index lists NULL (instead of empty or NULL previously). This is enforced at
        updateZOrderLists time as we now ensure that it is called in a timely manner.

        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::calculateLayerBounds):
        Added call to updateLayersIfNeeded as we will query them later and there is no guarantee
        that they are not dirty (we recurse in our children as part of calculateLayerBounds).
        This was causing the new ASSERTs to trigger on css3/filter/ tests.

        (WebCore::RenderLayer::dirtyZOrderLists):
        Added a comment as to why we can't ASSERT that we are in a stacking context here.

        (WebCore::RenderLayer::rebuildZOrderLists):
        Added an ASSERT that we only rebuild z-index lists for dirtied stacking context.

        (WebCore::RenderLayer::updateLayerListsIfNeeded):
        Updated to ensure that the reflection layer has its layers updated too. This was triggering
        the new ASSERTs on fast/runins/run-in-layer-not-removed-crash.html.

        (WebCore::RenderLayer::updateCompositingAndLayerListsIfNeeded):
        Updated to use the new isDirtyStackingContext function.

        * rendering/RenderLayer.h:
        (WebCore::RenderLayer::isDirtyStackingContext):
        New helper function. Also made updateLayerListsIfNeeded() the only way
        to update layer. That should prevent any misuse.

        (WebCore::RenderLayer::posZOrderList):
        (WebCore::RenderLayer::negZOrderList):
        (WebCore::RenderLayer::normalFlowList):
        ASSERT that we don't query any of the previous lists if they are dirty. Also
        enforce the invariant that non-stacking contexts should have NULL z-index lists.

        (WebCore::RenderLayer::clearZOrderLists):
        New function to clearZOrderLists so that we can enforce the previous invariant.

        (WebCore::RenderLayer::updateZOrderLists):
        Updated to clear the dirty flag and the z-index lists for non-stacking context.

        * rendering/RenderLayerCompositor.cpp:
        (WebCore::RenderLayerCompositor::addToOverlapMapRecursive):
        (WebCore::RenderLayerCompositor::computeCompositingRequirements):
        (WebCore::RenderLayerCompositor::rebuildCompositingLayerTree):
        Removed the explicit ASSERTs.

        (WebCore::RenderLayerCompositor::updateLayerTreeGeometry):
        (WebCore::RenderLayerCompositor::canBeComposited):
        Disabled compositing on RenderLayer in flow thread. Because flow thread's
        RenderLayer are not collected as part of RenderLayer's lists and could be composited,
        this was causing the new ASSERTs to trigger (e.g. on fast/regions/webkit-flow-renderer-layer.html).

        * rendering/RenderTreeAsText.cpp:
        (WebCore::writeLayers):
        Updated to use updateLayerListsIfNeeded().

2012-05-02  Levi Weintraub  <leviw@chromium.org>

        Remove unused adjustForAbsoluteZoom method in RenderObject.h
        https://bugs.webkit.org/show_bug.cgi?id=85396

        Reviewed by Eric Seidel.

        We only want to use the integer adjustForAbsoluteZoom method, so this remnant is both unused
        and potentially confusing.

        No new tests. Removing unused code.

        * rendering/RenderObject.h:
        (WebCore):

2012-05-02  Fady Samuel  <fsamuel@chromium.org>

        Removing line in computeViewportAttributes that enforces a minimum scale factor to never allow zooming out more than viewport
        https://bugs.webkit.org/show_bug.cgi?id=70609

        Reviewed by Kenneth Rohde Christiansen.

        Make ViewportAttributes' layoutSize be a FloatRect to avoid rounding
        too early, and the occasional off by one fixed layout dimensions.

        * dom/ViewportArguments.cpp:
        (WebCore::computeViewportAttributes):
        * dom/ViewportArguments.h:
        (ViewportAttributes):

2012-05-02  Joshua Bell  <jsbell@chromium.org>

        IndexedDB: Handle generated keys up to 2^53
        https://bugs.webkit.org/show_bug.cgi?id=85114

        The spec defines the behavior for generated keys up to 2^53
        (the maximum integer storable as an ECMAScript number) and
        the error case when going beyond that. Ensure that we can
        handle values up to that point and generate errors beyond.

        Reviewed by Tony Chang.

        Test: storage/indexeddb/key-generator.html

        * Modules/indexeddb/IDBBackingStore.h:
        (IDBBackingStore):
        * Modules/indexeddb/IDBLevelDBBackingStore.cpp:
        (WebCore::IDBLevelDBBackingStore::nextAutoIncrementNumber):
        * Modules/indexeddb/IDBLevelDBBackingStore.h:
        (IDBLevelDBBackingStore):
        * Modules/indexeddb/IDBObjectStoreBackendImpl.cpp:
        (WebCore::IDBObjectStoreBackendImpl::putInternal):
        (WebCore::IDBObjectStoreBackendImpl::genAutoIncrementKey):
        * Modules/indexeddb/IDBObjectStoreBackendImpl.h:
        (IDBObjectStoreBackendImpl):

2012-05-02  Adam Klein  <adamk@chromium.org>

        Childlist mutations in shadow DOM should be observable with MutationObservers
        https://bugs.webkit.org/show_bug.cgi?id=85402

        Reviewed by Ojan Vafai.

        Though Mutation Events are not supported in Shadow DOM,
        MutationObservers are supposed to be. Due to a misplacement of the
        ChildListMutationScope, they were erroneously getting skipped.

        This patch moves code around to properly notify when childlists are
        mutated in shadow DOM and covers that change with a new test.

        Test: fast/mutation/shadow-dom.html

        * dom/ContainerNode.cpp:
        (WebCore::willRemoveChild): Handle notification of removal directly.
        (WebCore::willRemoveChildren): ditto.
        (WebCore::dispatchChildInsertionEvents): Remove notification of insertion.
        (WebCore::dispatchChildRemovalEvents): Remove notification of removal.
        (WebCore::updateTreeAfterInsertion): Handle notification of insertion directly.

2012-05-02  Eric Carlson  <eric.carlson@apple.com>

        Crash in WebCore::TextTrackList::remove
        https://bugs.webkit.org/show_bug.cgi?id=85095

        Reviewed by Maciej Stachowiak.

        Test: media/track/track-remove-quickly.html

        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::willRemoveTrack): Return immediately if the tracks collection
            has not been allocated yet.

2012-05-02  David Barton  <dbarton@mathscribe.com>

        After appending MathML with jquery the table renders with overlaps
        https://bugs.webkit.org/show_bug.cgi?id=52444

        Reviewed by Julien Chaffraix.

        This patch also fixes bugs 72834 and 47781. The main problem is that correct preferred
        logical widths are affected by operator stretching. Thus we add a call to
        setNeedsLayoutAndPrefWidthsRecalc() after the stretching code in
        RenderMathMLOperator.cpp, and change RenderMathMLBlock and RenderMathMLRow to make sure
        that stretching of children is done before an <mrow>'s preferred logical widths are
        computed.
        
        Test: Added a test to mathml/presentation/mo-stretch.html

        * rendering/mathml/RenderMathMLBlock.cpp:
        (WebCore::RenderMathMLBlock::RenderMathMLBlock):
        (WebCore::RenderMathMLBlock::computePreferredLogicalWidths):
        (WebCore::RenderMathMLBlock::computeChildrenPreferredLogicalHeights):
        (WebCore::RenderMathMLBlock::preferredLogicalHeightAfterSizing):
        * rendering/mathml/RenderMathMLBlock.h:
        (WebCore::RenderMathMLBlock::unembellishedOperator):
        (WebCore::RenderMathMLBlock::isPreferredLogicalHeightDirty):
        (WebCore::RenderMathMLBlock::preferredLogicalHeight):
        (WebCore::RenderMathMLBlock::setPreferredLogicalHeight):
            - Add m_preferredLogicalHeight and methods to compute and return it.
            - Remove stretchToHeight() from most classes as it no longer needs to be done
              recursively. We just call it on the base of an embellished operator, and that
              calls setNeedsLayoutAndPrefWidthsRecalc() to mark itself and its container
              chain.
        
        * rendering/mathml/RenderMathMLOperator.cpp:
        (WebCore::RenderMathMLOperator::stretchToHeight):
            - Don't compare an unexpanded height to an expanded one.
        (WebCore::RenderMathMLOperator::computePreferredLogicalWidths):
        (WebCore::RenderMathMLOperator::updateFromElement):
            - After stretching, call setNeedsLayoutAndPrefWidthsRecalc().
        * rendering/mathml/RenderMathMLOperator.h:
        (RenderMathMLOperator):
        
        * rendering/mathml/RenderMathMLRow.cpp:
        (WebCore::RenderMathMLRow::computePreferredLogicalWidths):
        (WebCore::RenderMathMLRow::layout):
        * rendering/mathml/RenderMathMLRow.h:
        (RenderMathMLRow):
            - Add computePreferredLogicalWidths(), using computeChildrenPreferredLogicalHeights()
              to compute our children's preferred logical heights if necessary, followed by
              operator stretching.
        
        * rendering/mathml/RenderMathMLSubSup.cpp:
        * rendering/mathml/RenderMathMLSubSup.h:
        (RenderMathMLSubSup):
        * rendering/mathml/RenderMathMLUnderOver.cpp:
        * rendering/mathml/RenderMathMLUnderOver.h:
        (RenderMathMLUnderOver):

2012-05-02  Dana Jansens  <danakj@chromium.org>

        [chromium] Avoid extra Region copies in CCOcclusionTracker
        https://bugs.webkit.org/show_bug.cgi?id=85257

        Reviewed by Adrienne Walker.

        Instead of making a Region for each layer and then uniting the region
        with the current occlusion, directly add the rects for the given layer
        to the current occlusion.

        When subtracting a region from a rect, just subtract the region
        directly instead of computing the intersecting region.

        Covered by existing tests.

        * platform/graphics/chromium/cc/CCOcclusionTracker.cpp:
        (WebCore::addOcclusionBehindLayer):
        (WebCore::::markOccludedBehindLayer):
        (WebCore::rectSubtractRegion):

2012-05-02  Keith Rosenblatt  <keith.rosenblatt@nokia.com>

        [Qt] ASSERT in FontCustomPlatformDataQt.cpp with invalid font in data URI
        https://bugs.webkit.org/show_bug.cgi?id=85089

        Reviewed by Simon Hausmann.

        Do not return data referencing an invalid QRawFont from createFontCustomPlatformData().  Instead
        return null.

        Test: fast/css/font-face-data-uri-invalid.html

        * platform/graphics/qt/FontCustomPlatformDataQt.cpp:
        (WebCore::createFontCustomPlatformData):

2012-05-02  Michal Mocny  <mmocny@google.com>

        [chromium] Set contents texture manager preferred memory limit based on GpuMemoryManager suggestion.
        https://bugs.webkit.org/show_bug.cgi?id=84270

        Reviewed by Kenneth Russell.

        Updates the content texture manager memory limits based on GpuMemoryManager memory allocation suggestions.

        The memory allocation size (in bytes) is fed from LayerRendererChromium memory allocation changed callback
        handler to CCLayerTreeHost.  At that point we adjust the limits, using the existing notions of preferred and
        max limits.

        On android, the preferred limit is half the maximum (as it has always been), but on all other platforms the
        preferred limit is now equal to max, in order to allow more aggressive prepainting.

        Finally, android has memory constraints dependent on viewportSize, but that logic has been pushed into
        the GpuMemoryManager.

        * platform/graphics/chromium/LayerRendererChromium.cpp:
        (WebCore::LayerRendererGpuMemoryAllocationChangedCallbackAdapter::onGpuMemoryAllocationChanged):
        (WebCore::LayerRendererChromium::beginDrawingFrame):
        * platform/graphics/chromium/LayerRendererChromium.h:
        (LayerRendererChromiumClient):
        * platform/graphics/chromium/TextureManager.cpp:
        (WebCore::TextureManager::setMemoryAllocationLimitBytes):
        (WebCore):
        * platform/graphics/chromium/TextureManager.h:
        (TextureManager):
        * platform/graphics/chromium/cc/CCLayerTreeHost.cpp:
        (WebCore::CCLayerTreeHost::setViewportSize):
        (WebCore::CCLayerTreeHost::setContentsMemoryAllocationLimitBytes):
        (WebCore):
        * platform/graphics/chromium/cc/CCLayerTreeHost.h:
        (CCLayerTreeHost):
        * platform/graphics/chromium/cc/CCLayerTreeHostImpl.cpp:
        (WebCore::CCLayerTreeHostImpl::setContentsMemoryAllocationLimitBytes):
        (WebCore):
        * platform/graphics/chromium/cc/CCLayerTreeHostImpl.h:
        (CCLayerTreeHostImplClient):
        * platform/graphics/chromium/cc/CCSingleThreadProxy.cpp:
        (WebCore::CCSingleThreadProxy::postSetContentsMemoryAllocationLimitBytesToMainThreadOnImplThread):
        (WebCore):
        * platform/graphics/chromium/cc/CCSingleThreadProxy.h:
        * platform/graphics/chromium/cc/CCThreadProxy.cpp:
        (WebCore::CCThreadProxy::postSetContentsMemoryAllocationLimitBytesToMainThreadOnImplThread):
        (WebCore):
        (WebCore::CCThreadProxy::setContentsMemoryAllocationLimitBytes):
        * platform/graphics/chromium/cc/CCThreadProxy.h:
        (CCThreadProxy):

2012-05-02  Emil A Eklund  <eae@chromium.org>

        Fix usage of layout types in platform code
        https://bugs.webkit.org/show_bug.cgi?id=85392

        Reviewed by Eric Seidel.

        No new tests, no change in functionality.

        * page/EventHandler.cpp:
        (WebCore::EventHandler::handleGestureTap):
        Use rounded point for gestures as event handling is still mostly int based.

2012-05-02  Kenneth Russell  <kbr@google.com>

        Don't allocate stencil buffer if stencil flag is false in context creation attributes
        https://bugs.webkit.org/show_bug.cgi?id=85317

        Reviewed by Dimitri Glazkov.

        Make it appear to WebGL application that there is no stencil
        buffer even if the underlying GraphicsContext3D allocated one.
        Verified intended behavior with test case from Mozilla's bug report.

        Updated context-attributes-alpha-depth-stencil-antialias.html test
        from Khronos repository. Ran WebGL layout tests on Linux in
        Chrome's DRT and on Mac OS in Safari's.

        * html/canvas/WebGLFramebuffer.cpp:
        (WebCore::WebGLFramebuffer::hasStencilBuffer): Added query method.
        (WebCore): Changed desired semantics of isValidRenderbuffer.
        * html/canvas/WebGLFramebuffer.h:
        (WebGLFramebuffer): Added hasStencilBuffer.
        * html/canvas/WebGLRenderingContext.cpp:
        (WebCore):
        (WebCore::WebGLRenderingContext::initializeNewContext):
            Clear new flag.
        (WebCore::WebGLRenderingContext::bindFramebuffer):
            Reset stencil test upon framebuffer change.
        (WebCore::WebGLRenderingContext::disable):
            Cache flag; reset stencil test.
        (WebCore::WebGLRenderingContext::enable):
            Cache flag; reset stencil test.
        (WebCore::WebGLRenderingContext::framebufferRenderbuffer):
            Reset stencil test upon renderbuffer change.
        (WebCore::WebGLRenderingContext::getContextAttributes):
            Force depth and stencil to false if false was requested.
        (WebCore::WebGLRenderingContext::isEnabled):
            Return cached flag.
        (WebCore::WebGLRenderingContext::renderbufferStorage):
            Reset stencil test upon renderbuffer reallocation.
        (WebCore::WebGLRenderingContext::applyStencilTest):
            Enable or disable stencil test based on request and availability.
        (WebCore::WebGLRenderingContext::enableOrDisable):
            Helper function.
        * html/canvas/WebGLRenderingContext.h:
        (WebGLRenderingContext):
            Added cache of STENCIL_TEST flag. Deleted unused m_stencilBits.

2012-05-02  Ryosuke Niwa  <rniwa@webkit.org>

        Drag and drop text into table is pasting the text in the next <td> element
        https://bugs.webkit.org/show_bug.cgi?id=75004

        Reviewed by Darin Adler.

        The bug was caused by ReplaceSelectionCommand adjusting the insertion position to be before
        the block element containing the insertion position even when the block element is a table cell.

        Fixed the bug by not moving the insertion position before the table cell in this case.

        Test: editing/pasteboard/paste-into-table-cell.html

        * editing/ReplaceSelectionCommand.cpp:
        (WebCore::ReplaceSelectionCommand::doApply):

2012-05-02  Beth Dakin  <bdakin@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=85309
        supportsExpandedScrollbars() should check for the method we actually call rather 
        than a related method

        Reviewed by Anders Carlsson.

        Missing colon.
        * platform/mac/ScrollbarThemeMac.mm:
        (WebCore::supportsExpandedScrollbars):

2012-05-02  Antti Koivisto  <antti@apple.com>

        Move title and media queries from StyleSheetInternal to CSSStyleSheet
        https://bugs.webkit.org/show_bug.cgi?id=85387

        Reviewed by Anders Carlsson.

        Stylesheet title and media queries are determined by the owner, not by the stylesheet itself.
        The fields belong to CSSStyleSheet.
        
        This will make it easier to share StyleSheetInternal instances between documents.

        * css/CSSStyleSheet.cpp:
        (WebCore::StyleSheetInternal::StyleSheetInternal):
        (WebCore::StyleSheetInternal::isCacheable):
        (WebCore):
        (WebCore::CSSStyleSheet::setDisabled):
        
            Invalidate the document style directly instead of ping-ponging through StyleSheetInternal.

        (WebCore::CSSStyleSheet::setMediaQueries):
        (WebCore::CSSStyleSheet::media):
        * css/CSSStyleSheet.h:
        (StyleSheetInternal):
        (WebCore::StyleSheetInternal::originalURL):
        (WebCore::StyleSheetInternal::hasCharsetRule):
        (WebCore::CSSStyleSheet::mediaQueries):
        (CSSStyleSheet):
        (WebCore::CSSStyleSheet::setTitle):
        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::appendAuthorStylesheets):
        (WebCore::StyleResolver::collectMatchingRulesForList):
        * dom/DOMImplementation.cpp:
        (WebCore::DOMImplementation::createCSSStyleSheet):
        * dom/ProcessingInstruction.cpp:
        (WebCore::ProcessingInstruction::setCSSStyleSheet):
        * dom/StyleElement.cpp:
        (WebCore::StyleElement::createSheet):
        * html/HTMLLinkElement.cpp:
        (WebCore::HTMLLinkElement::parseAttribute):
        (WebCore::HTMLLinkElement::setCSSStyleSheet):
        * html/HTMLStyleElement.cpp:
        (WebCore::HTMLStyleElement::parseAttribute):
        * svg/SVGStyleElement.cpp:
        (WebCore::SVGStyleElement::parseAttribute):

2012-05-02  Alexis Menard  <alexis.menard@openbossa.org>

        Unreviewed Qt build fix with GCC 4.7.0.

        * platform/qt/DeviceMotionProviderQt.h:
        (DeviceMotionProviderQt):
        * platform/qt/DeviceOrientationProviderQt.cpp:
        (WebCore::DeviceOrientationProviderQt::~DeviceOrientationProviderQt):
        (WebCore):
        * platform/qt/DeviceOrientationProviderQt.h:
        (DeviceOrientationProviderQt):

2012-05-02  No'am Rosenthal  <noam.rosenthal@nokia.com>

        [Texmap] Enable css filters in TextureMapperGL
        https://bugs.webkit.org/show_bug.cgi?id=75778

        Unreviewed build fix to greenify the Qt Minimal bot.

        * platform/graphics/texmap/TextureMapperShaderManager.h:

2012-05-02  Philippe Normand  <pnormand@igalia.com>

        [GTK] Compilation warnings in RenderTheme
        https://bugs.webkit.org/show_bug.cgi?id=85286

        Reviewed by Martin Robinson.

        Removed un-needed code and refactored fileListNameForWidth
        accordingly to avoid un-used variable warnings during compilation.

        * platform/gtk/RenderThemeGtk.cpp:
        (WebCore):
        (WebCore::RenderThemeGtk::fileListNameForWidth):

2012-05-02  Ryosuke Niwa  <rniwa@webkit.org>

        NULL ptr in WebCore::AppendNodeCommand::AppendNodeCommand
        https://bugs.webkit.org/show_bug.cgi?id=75843

        Reviewed by Tony Chang.

        The crash was caused by indentIntoBlockquote's passing a bad outerBlock to moveParagraphsWithClone.

        When the position is created after blockquote in the following DOM:
        BODY
        * BLOCKQUOTE style=margin: 0 0 0 40px; border: none; padding: 0px;
            E
                #text "\nx\n"
        VisiblePosition's constructor (of startOfContents) turns the position into a legacy position (blockquote, 0).
        The crash occurs because this position doesn't belong in the same paragraph as E, which is the paragraph
        we're trying to move into the blockquote.

        Fixed bug by calling positionInParentAfterNode instead of positionAfterNode for now. We should eventually be
        able to use positionAfterNode here once VisiblePosition's constructor starts handling before/after positions
        properly.

        Test: editing/execCommand/indent-with-after-content-crash.html

        * editing/IndentOutdentCommand.cpp:
        (WebCore::IndentOutdentCommand::indentIntoBlockquote):

2012-05-02  Jer Noble  <jer.noble@apple.com>

        WebWindowFadeAnimation ignores "duration" parameter.
        https://bugs.webkit.org/show_bug.cgi?id=85386

        Reviewed by Brady Eidson.

        Ignoring the "duration" parameter causes the full screen fade and scale animations
        to get out of sync.

        * platform/mac/WebWindowAnimation.mm:
        (-[WebWindowFadeAnimation initWithDuration:window:initialAlpha:finalAlpha:]):

2012-05-02  Julien Chaffraix  <jchaffraix@webkit.org>

        REGRESSION(110072): Clipping is not applied on layers that are animated using platform code
        https://bugs.webkit.org/show_bug.cgi?id=83954

        Reviewed by Simon Fraser.

        Tests: fast/layers/no-clipping-overflow-hidden-added-after-transform-expected.html
               fast/layers/no-clipping-overflow-hidden-added-after-transform.html
               fast/layers/no-clipping-overflow-hidden-added-after-transition-expected.html
               fast/layers/no-clipping-overflow-hidden-added-after-transition.html
               fast/layers/no-clipping-overflow-hidden-hardware-acceleration-expected.html
               fast/layers/no-clipping-overflow-hidden-hardware-acceleration.html
               (and all the tests that will need to be rebaselined)

        r110072 changed the way we create layers to lazily allocate overflow: hidden ones
        based on layout overflow. However with hardware acceleration, certain operations
        do cause overflow without actually calling layout (the test cases added as part
        of this change are using transition / animation). This means that those cases
        wouldn't properly clip.

        Due to the above issue and the other regressions from r110072, the easiest fix is
        just to roll it out.

        * rendering/RenderBox.h:
        Changed to allocate a layer whenever we have an overflow clip.

        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::scrolledContentOffset):
        (WebCore::RenderBox::cachedSizeForOverflowClip):
        Reverted those 2 to avoid using the cached size logic.

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::updateScrollInfoAfterLayout):
        (WebCore::RenderBlock::layoutBlock):
        (WebCore::RenderBlock::paint):
        (WebCore::RenderBlock::isPointInOverflowControl):
        * rendering/RenderBlock.h:
        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::willBeDestroyed):
        (WebCore::RenderBox::styleDidChange):
        (WebCore::RenderBox::layout):
        (WebCore::RenderBox::scrollWidth):
        (WebCore::RenderBox::scrollHeight):
        (WebCore::RenderBox::scrollLeft):
        (WebCore::RenderBox::scrollTop):
        (WebCore::RenderBox::setScrollLeft):
        (WebCore::RenderBox::setScrollTop):
        (WebCore::RenderBox::includeVerticalScrollbarSize):
        (WebCore::RenderBox::includeHorizontalScrollbarSize):
        (WebCore::RenderBox::pushContentsClip):
        (WebCore::RenderBox::popContentsClip):
        (WebCore::RenderBox::addLayoutOverflow):
        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::styleDidChange):
        * rendering/RenderBoxModelObject.h:
        (RenderBoxModelObject):
        * rendering/RenderDeprecatedFlexibleBox.cpp:
        (WebCore::RenderDeprecatedFlexibleBox::layoutBlock):
        * rendering/RenderFlexibleBox.cpp:
        (WebCore::RenderFlexibleBox::layoutBlock):
        * rendering/RenderTable.cpp:
        (WebCore::RenderTable::layout):
        * rendering/RenderTableRow.h:
        (RenderTableRow):
        * rendering/RenderTableSection.cpp:
        (WebCore::RenderTableSection::layout):
        Removed the previous scaffolding code and reverted some functions to
        being private (as they were prior to r110072).

2012-05-02  No'am Rosenthal  <noam.rosenthal@nokia.com>

        [Texmap] Enable css filters in TextureMapperGL
        https://bugs.webkit.org/show_bug.cgi?id=75778

        Reviewed by Jocelyn Turcotte.

        Added support for color filters in TextureMapperGL. Blur and shadow would be done in a
        different patch.

        Modified BitmapTexture::applyFilters to return a texture, since GL cannot paint a texture
        into itself.
        Created a shader map for standard filters, since all of them work more or less the same way
        with a single uniform. Added the colorization shaders based on the W3C filter spec, as
        already implemented in FEFilterRenderer.cpp and FEColorMatrix.cpp.
        We use two swapping textures to render the filters.

        Covered by tests in css3/filters.

        * platform/graphics/texmap/TextureMapper.cpp:
        (WebCore::TextureMapper::acquireTextureFromPool):
        * platform/graphics/texmap/TextureMapper.h:
        (WebCore::BitmapTexture::applyFilters):
        * platform/graphics/texmap/TextureMapperGL.cpp:
        (WebCore::BitmapTextureGL::updateContents):
        (WebCore):
        (WebCore::TextureMapperGL::drawFiltered):
        (WebCore::BitmapTextureGL::applyFilters):
        (WebCore::BitmapTextureGL::bind):
        * platform/graphics/texmap/TextureMapperGL.h:
        (TextureMapperGL):
        (BitmapTextureGL):
        * platform/graphics/texmap/TextureMapperImageBuffer.cpp:
        (WebCore::BitmapTextureImageBuffer::applyFilters):
        * platform/graphics/texmap/TextureMapperImageBuffer.h:
        (BitmapTextureImageBuffer):
        * platform/graphics/texmap/TextureMapperLayer.cpp:
        (WebCore::applyFilters):
        (WebCore::TextureMapperLayer::syncCompositingStateSelf):
        * platform/graphics/texmap/TextureMapperShaderManager.cpp:
        (WebCore::TextureMapperShaderManager::~TextureMapperShaderManager):
        (WebCore):
        (WebCore::StandardFilterProgram::~StandardFilterProgram):
        (WebCore::StandardFilterProgram::StandardFilterProgram):
        (WebCore::StandardFilterProgram::create):
        (WebCore::StandardFilterProgram::prepare):
        (WebCore::TextureMapperShaderManager::getShaderForFilter):
        * platform/graphics/texmap/TextureMapperShaderManager.h:
        (WebCore):
        (StandardFilterProgram):
        (WebCore::StandardFilterProgram::vertexAttrib):
        (WebCore::StandardFilterProgram::texCoordAttrib):
        (WebCore::StandardFilterProgram::textureUniform):
        (TextureMapperShaderManager):

2012-05-02  Philippe Normand  <pnormand@igalia.com>

        [GTK] media/track/track-cue-rendering-snap-to-lines-not-set.html fails
        https://bugs.webkit.org/show_bug.cgi?id=84378

        Reviewed by Eric Carlson.

        Fix positioning of the controls panel back to relative, as it is
        in the parent CSS. Also remove some duplicate CSS attributes.

        * css/mediaControlsGtk.css:
        (audio::-webkit-media-controls-panel, video::-webkit-media-controls-panel):

2012-05-02  Beth Dakin  <bdakin@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=85309
        supportsExpandedScrollbars() should check for the method we actually call rather 
        than a related method
        -and corresponding-
        <rdar://problem/11065691>

        Reviewed by Anders Carlsson.

        * platform/mac/ScrollbarThemeMac.mm:
        (WebCore::supportsExpandedScrollbars):

2012-05-02  Zalan Bujtas  <zbujtas@gmail.com>

        [Qt] Remove redundant updateViewportArguments() call from HTMLBodyElement::didNotifyDescendantInseretions()
        https://bugs.webkit.org/show_bug.cgi?id=84241

        Reviewed by Kenneth Rohde Christiansen.

        No need to update viewport arguments when the body element is inserted into the Document.
        Viewport arguments are updated first when the Document is set on the Frame, and later
        on any subsequent occurrence of the viewport meta tag in the document.
        It is sufficient to dispatch viewport update once per main frame, if no viewport meta tag is present.

        Also add a flag to be able to track viewport argument update dispatch.

        No tests. Current viewport tests cover this behaviour.

        * dom/Document.cpp:
        (WebCore::Document::Document):
        (WebCore::Document::updateViewportArguments):
        (WebCore::Document::documentWillSuspendForPageCache):
        * dom/Document.h:
        (Document):
        (WebCore::Document::didDispatchViewportPropertiesChanged):
        * html/HTMLBodyElement.cpp:
        (WebCore::HTMLBodyElement::didNotifyDescendantInseretions):

2012-05-02  Pavel Feldman  <pfeldman@chromium.org>

        Web Inspector: Cannot read property 'length' of undefined TextEditorModel.js:467
        https://bugs.webkit.org/show_bug.cgi?id=85360

        Reviewed by Yury Semikhatsky.

        Added the undo/redo stack length checks.

        * inspector/front-end/TextEditorModel.js:
        (WebInspector.TextEditorModel.endsWithBracketRegex.):

2012-05-02  Pavel Feldman  <pfeldman@chromium.org>

        WebInspector: Scripts panel editor dirty state is cleared when the tab with editor is closed.
        https://bugs.webkit.org/show_bug.cgi?id=85361

        Reviewed by Yury Semikhatsky.

        Added content validation upon script show.

        * inspector/front-end/JavaScriptSourceFrame.js:
        (WebInspector.JavaScriptSourceFrame.prototype.wasShown):

2012-05-02  Pavel Feldman  <pfeldman@chromium.org>

        Web Inspector: breakpoints are de-activated only upon the second click.
        https://bugs.webkit.org/show_bug.cgi?id=85359

        Reviewed by Yury Semikhatsky.

        Initial value for activated state is set.

        * inspector/front-end/DebuggerModel.js:
        (WebInspector.DebuggerModel):

2012-05-02  Pavel Feldman  <pfeldman@chromium.org>

        Web Inspector: live edit fails to report error
        https://bugs.webkit.org/show_bug.cgi?id=85357

        Reviewed by Yury Semikhatsky.

        ProtocolError is now a string, not an error object.

        * inspector/front-end/DatabaseQueryView.js:
        (WebInspector.DatabaseQueryView.prototype._queryError):
        * inspector/front-end/SourceFrame.js:
        (WebInspector.SourceFrame.prototype.didEditContent):

2012-05-02  Lars Knudsen  <lars.knudsen@nokia.com>

        [Qt] Make DeviceMotion and DeviceOrientation work with WebKit2
        https://bugs.webkit.org/show_bug.cgi?id=64595

        Reviewed by Kenneth Rohde Christiansen.

        No new tests added.  This change adds support for WK2
        what was in WK1.

        Also moving DeviceMotion and DeviceOrientation clients and
        providers to WebCore.  This is done to allow clean dependencies
        when statically linking WK2.

        * Target.pri:
        * WebCore.pri:
        * platform/qt/DeviceMotionClientQt.cpp: Renamed from Source/WebKit/qt/WebCoreSupport/DeviceMotionClientQt.cpp.
        (WebCore):
        (WebCore::DeviceMotionClientQt::~DeviceMotionClientQt):
        (WebCore::DeviceMotionClientQt::deviceMotionControllerDestroyed):
        (WebCore::DeviceMotionClientQt::setController):
        (WebCore::DeviceMotionClientQt::startUpdating):
        (WebCore::DeviceMotionClientQt::stopUpdating):
        (WebCore::DeviceMotionClientQt::currentDeviceMotion):
        * platform/qt/DeviceMotionClientQt.h: Renamed from Source/WebKit/qt/WebCoreSupport/DeviceMotionClientQt.h.
        (WebCore):
        (DeviceMotionClientQt):
        (WebCore::DeviceMotionClientQt::DeviceMotionClientQt):
        * platform/qt/DeviceMotionProviderQt.cpp: Renamed from Source/WebKit/qt/WebCoreSupport/DeviceMotionProviderQt.cpp.
        (WebCore):
        (WebCore::DeviceMotionProviderQt::DeviceMotionProviderQt):
        (WebCore::DeviceMotionProviderQt::~DeviceMotionProviderQt):
        (WebCore::DeviceMotionProviderQt::setController):
        (WebCore::DeviceMotionProviderQt::start):
        (WebCore::DeviceMotionProviderQt::stop):
        (WebCore::DeviceMotionProviderQt::filter):
        * platform/qt/DeviceMotionProviderQt.h: Renamed from Source/WebKit/qt/WebCoreSupport/DeviceMotionProviderQt.h.
        (WebCore):
        (DeviceMotionProviderQt):
        (WebCore::DeviceMotionProviderQt::currentDeviceMotion):
        * platform/qt/DeviceOrientationClientQt.cpp: Renamed from Source/WebKit/qt/WebCoreSupport/DeviceOrientationClientQt.cpp.
        (WebCore):
        (WebCore::DeviceOrientationClientQt::deviceOrientationControllerDestroyed):
        (WebCore::DeviceOrientationClientQt::setController):
        (WebCore::DeviceOrientationClientQt::startUpdating):
        (WebCore::DeviceOrientationClientQt::stopUpdating):
        (WebCore::DeviceOrientationClientQt::lastOrientation):
        * platform/qt/DeviceOrientationClientQt.h: Renamed from Source/WebKit/qt/WebCoreSupport/DeviceOrientationClientQt.h.
        (WebCore):
        (DeviceOrientationClientQt):
        * platform/qt/DeviceOrientationProviderQt.cpp: Renamed from Source/WebKit/qt/WebCoreSupport/DeviceOrientationProviderQt.cpp.
        (WebCore):
        (WebCore::DeviceOrientationProviderQt::DeviceOrientationProviderQt):
        (WebCore::DeviceOrientationProviderQt::~DeviceOrientationProviderQt):
        (WebCore::DeviceOrientationProviderQt::setController):
        (WebCore::DeviceOrientationProviderQt::start):
        (WebCore::DeviceOrientationProviderQt::stop):
        (WebCore::DeviceOrientationProviderQt::filter):
        * platform/qt/DeviceOrientationProviderQt.h: Renamed from Source/WebKit/qt/WebCoreSupport/DeviceOrientationProviderQt.h.
        (WebCore):
        (DeviceOrientationProviderQt):
        (WebCore::DeviceOrientationProviderQt::isActive):
        (WebCore::DeviceOrientationProviderQt::lastOrientation):
        (WebCore::DeviceOrientationProviderQt::hasAlpha):

2012-05-02  Yury Semikhatsky  <yurys@chromium.org>

        Web Inspector: exception in console when there are watch expressions
        https://bugs.webkit.org/show_bug.cgi?id=85351

        Check if script execution is still paused before trying to resolve an
        object for script popover because execution may be resumed after popover
        showing is scheduled but before we start resolving the object under
        the cursor in which case there is no selected call frame any more and
        we should hide the popover.

        Reviewed by Pavel Feldman.

        * inspector/front-end/JavaScriptSourceFrame.js:
        (WebInspector.JavaScriptSourceFrame.prototype._resolveObjectForPopover):

2012-05-02  Tommy Widenflycht  <tommyw@google.com>

        MediaStream API: Changing webkitGetUserMedia to take an object instead of a string
        https://bugs.webkit.org/show_bug.cgi?id=84850

        Reviewed by Dimitri Glazkov.

        The standard changed a while back to use an object as a dictionary but since JSC
        didn't support the Dictionary class until just recently we have not updated the API until now.

        Change covered by existing, and edited, tests.

        * Modules/mediastream/NavigatorMediaStream.cpp:
        (WebCore::NavigatorMediaStream::webkitGetUserMedia):
        * Modules/mediastream/NavigatorMediaStream.h:
        (WebCore):
        (NavigatorMediaStream):
        * Modules/mediastream/NavigatorMediaStream.idl:
        * Modules/mediastream/UserMediaRequest.cpp:
        (WebCore::UserMediaRequest::create):
        (WebCore::UserMediaRequest::UserMediaRequest):
        * Modules/mediastream/UserMediaRequest.h:
        (WebCore):
        (UserMediaRequest):
        * platform/mediastream/MediaStreamSourcesQueryClient.h:
        (MediaStreamSourcesQueryClient):

2012-05-02  Antti Koivisto  <antti@apple.com>

        StyleSheetInternal::parseUserStyleSheet() should be called parseAuthorStyleSheet().

        Rubber-stamped by Nikolas Zimmermann.

        * css/CSSImportRule.cpp:
        (WebCore::StyleRuleImport::setCSSStyleSheet):
        * css/CSSStyleSheet.cpp:
        (WebCore::StyleSheetInternal::parseAuthorStyleSheet):
        * css/CSSStyleSheet.h:
        (StyleSheetInternal):
        * html/HTMLLinkElement.cpp:
        (WebCore::HTMLLinkElement::setCSSStyleSheet):

2012-05-02  Yury Semikhatsky  <yurys@chromium.org>

        REGRESSION: Web Inspector doesn't show cookies anymore
        https://bugs.webkit.org/show_bug.cgi?id=85349

        Pass root node instead of DataGrid object to the "populateNode" method.
        Added compiler annotations so that closure compiler catches such errors.

        Reviewed by Pavel Feldman.

        * inspector/front-end/CookiesTable.js:
        (WebInspector.CookiesTable.prototype._rebuildTable):
        * inspector/front-end/NetworkRequest.js:
        (WebInspector.NetworkRequest.prototype.addFrameError):

2012-05-02  Dongwoo Im  <dw.im@samsung.com>

        [EFL] Implement the Web Audio API feature.
        https://bugs.webkit.org/show_bug.cgi?id=78688

        Reviewed by Philippe Normand.

        Implement the Web Audio API feature on the EFL port.
        https://dvcs.w3.org/hg/audio/raw-file/tip/webaudio/specification.html

        * CMakeLists.txt: Add the list of the files which are needed for the Web Audio API.
        * PlatformEfl.cmake: Add the list of the files which are needed for the Web Audio API.
        * UseJSC.cmake: Add the list of the files which are needed for the Web Audio API.
        * platform/audio/HRTFElevation.cpp: Enable the USE_CONCATENATED_IMPULSE_RESPONSES macro.
        (WebCore):
        * platform/audio/efl/AudioBusEfl.cpp: Added.
        (WebCore):
        (WebCore::AudioBus::loadPlatformResource): Create the absolute path of the audio resource.

2012-05-01  Kentaro Hara  <haraken@chromium.org>

        [V8] Add an Isolate parameter to setJSWrapperForXXX()
        https://bugs.webkit.org/show_bug.cgi?id=85329

        Reviewed by Adam Barth.

        The objective is to pass Isolate around in V8 bindings.
        This patch adds an Isolate parameter to setJSWrapperForXXX()
        and passes Isolate to setJSWrapperForXXX() in CodeGeneratorV8.pm.
        I'll pass Isolate to setJSWrapperForXXX() in custom bindings
        in a follow-up patch.

        No tests. No change in behavior.

        * bindings/scripts/CodeGeneratorV8.pm: Modified as described above.
        (GenerateConstructorCallback):
        (GenerateEventConstructorCallback):
        (GenerateNamedConstructorCallback):
        (GenerateToV8Converters):
        * bindings/v8/V8DOMWrapper.cpp:
        (WebCore::V8DOMWrapper::setJSWrapperForDOMNode):
        (WebCore::V8DOMWrapper::setJSWrapperForActiveDOMNode):
        * bindings/v8/V8DOMWrapper.h:
        (V8DOMWrapper):
        (WebCore::V8DOMWrapper::setJSWrapperForDOMObject):
        (WebCore::V8DOMWrapper::setJSWrapperForActiveDOMObject):

        * bindings/scripts/test/V8/V8Float64Array.cpp: Updated run-bindings-tests results.
        (WebCore::V8Float64Array::wrapSlow):
        * bindings/scripts/test/V8/V8TestActiveDOMObject.cpp:
        (WebCore::V8TestActiveDOMObject::wrapSlow):
        * bindings/scripts/test/V8/V8TestCustomNamedGetter.cpp:
        (WebCore::V8TestCustomNamedGetter::wrapSlow):
        * bindings/scripts/test/V8/V8TestEventConstructor.cpp:
        (WebCore::V8TestEventConstructor::constructorCallback):
        (WebCore::V8TestEventConstructor::wrapSlow):
        * bindings/scripts/test/V8/V8TestEventTarget.cpp:
        (WebCore::V8TestEventTarget::wrapSlow):
        * bindings/scripts/test/V8/V8TestInterface.cpp:
        (WebCore::V8TestInterface::constructorCallback):
        (WebCore::V8TestInterface::wrapSlow):
        * bindings/scripts/test/V8/V8TestMediaQueryListListener.cpp:
        (WebCore::V8TestMediaQueryListListener::wrapSlow):
        * bindings/scripts/test/V8/V8TestNamedConstructor.cpp:
        (WebCore::V8TestNamedConstructorConstructorCallback):
        (WebCore::V8TestNamedConstructor::wrapSlow):
        * bindings/scripts/test/V8/V8TestNode.cpp:
        (WebCore::V8TestNode::constructorCallback):
        (WebCore::V8TestNode::wrapSlow):
        * bindings/scripts/test/V8/V8TestObj.cpp:
        (WebCore::V8TestObj::constructorCallback):
        (WebCore::V8TestObj::wrapSlow):
        * bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp:
        (WebCore::V8TestSerializedScriptValueInterface::constructorCallback):
        (WebCore::V8TestSerializedScriptValueInterface::wrapSlow):

2012-05-01  Eric Seidel  <eric@webkit.org>

        Add <iframe seamless> navigation code (and pass all the navigation tests)
        https://bugs.webkit.org/show_bug.cgi?id=85340

        Reviewed by Adam Barth.

        This code was primarily written by Adam Barth and then submitted to my
        GitHub branch via a pull request:
        https://github.com/eseidel/webkit/compare/master...seamless
        https://github.com/eseidel/webkit/pull/2
        https://github.com/eseidel/webkit/pull/3

        I rewrote parts of it to use Document::shouldDisplaySeamlesslyWithParent.

        Other parts of the original change have already been committed to WebKit by Adam
        as part of prep-work for making the loader seamless-ready.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::findFrameForNavigation):

2012-05-01  Vincent Scheib  <scheib@chromium.org>

        Fullscreen pop-up logic restored to using processingUserGesture.
        https://bugs.webkit.org/show_bug.cgi?id=85105

        WebKit was recently updated to the new Fullscreen API:
        http://dvcs.w3.org/hg/fullscreen/raw-file/tip/Overview.html#api
        http://trac.webkit.org/changeset/111028

        This change reverts back to using processingUserGesture() instead
        of DOMWindow::allowPopUp(). This fixes incorrect behavior in
        at least the Chromium port and is consistent with the cited
        definition of "allowed to show a pop-up":
          An algorithm is allowed to show a pop-up if, in the task in which the algorithm is running, either:
          - an activation behavior is currently being processed whose click event was trusted, or
          - the event listener for a trusted click event is being handled.

        Reviewed by Dimitri Glazkov.

        No new tests.

        * dom/Document.cpp:
        (WebCore::Document::requestFullScreenForElement):

2012-05-01  Xiaomei Ji  <xji@chromium.org>

        enable ctrl-arrow move by word visually in non-Windows platforms.
        https://bugs.webkit.org/show_bug.cgi?id=85017

        Reviewed by Ryosuke Niwa.

        Enable ctrl-arrow moves caret by word in visual order in non-Windows platforms that use ICU word
        break iterator (it is not enabled for WinCE and Qt where ICU is not used). For those platforms, ctrl-arrow
        moves caret to word break position before spaces. For example, given a logical text "abc def hij", the word
        break positions using ctrl-left-arrow from rightmost position are "|abc |def |hij".
        The word break positions using ctrl-right-arrow from leftmost position are "abc| def| hij|".

        Test: editing/selection/move-by-word-visually-mac.html

        * editing/EditingBehavior.h:
        (EditingBehavior):
        (WebCore::EditingBehavior::shouldEatSpaceToNextWord): To control different word break positions
        (regards to space) for different platforms.
        * editing/FrameSelection.cpp:
        (WebCore::FrameSelection::modifyMovingRight): Enable visual word movement for all platforms that use ICU.
        (WebCore::FrameSelection::modifyMovingLeft):
        * editing/visible_units.cpp:
        (WebCore::visualWordPosition): Determine the right word break position (regards to space) based on EditingBehavior.
        (WebCore::leftWordPosition):
        (WebCore::rightWordPosition):
        * editing/visible_units.h:

2012-05-01  Raymond Liu  <raymond.liu@intel.com>

        Modify RealtimeAnalyserNode pull mechanism
        https://bugs.webkit.org/show_bug.cgi?id=77515

        Reviewed by Chris Rogers.

        Test: webaudio/automatic-pull-node.html

        * GNUmakefile.list.am:
        * Modules/webaudio/AudioBasicInspectorNode.cpp: Added.
        (WebCore):
        (WebCore::AudioBasicInspectorNode::AudioBasicInspectorNode):
        (WebCore::AudioBasicInspectorNode::pullInputs):
        (WebCore::AudioBasicInspectorNode::connect):
        (WebCore::AudioBasicInspectorNode::disconnect):
        (WebCore::AudioBasicInspectorNode::checkNumberOfChannelsForInput):
        (WebCore::AudioBasicInspectorNode::updatePullStatus):
        * Modules/webaudio/AudioBasicInspectorNode.h: Added.
        (WebCore):
        (AudioBasicInspectorNode):
        * Modules/webaudio/AudioContext.cpp:
        (WebCore::AudioContext::AudioContext):
        (WebCore::AudioContext::~AudioContext):
        (WebCore::AudioContext::handlePreRenderTasks):
        (WebCore::AudioContext::handlePostRenderTasks):
        (WebCore::AudioContext::markForDeletion):
        (WebCore):
        (WebCore::AudioContext::addAutomaticPullNode):
        (WebCore::AudioContext::removeAutomaticPullNode):
        (WebCore::AudioContext::updateAutomaticPullNodes):
        (WebCore::AudioContext::processAutomaticPullNodes):
        * Modules/webaudio/AudioContext.h:
        (AudioContext):
        * Modules/webaudio/AudioDestinationNode.cpp:
        (WebCore::AudioDestinationNode::provideInput):
        * Modules/webaudio/AudioNode.h:
        (AudioNode):
        * Modules/webaudio/AudioNodeOutput.h:
        (WebCore::AudioNodeOutput::isConnected):
        (AudioNodeOutput):
        * Modules/webaudio/RealtimeAnalyserNode.cpp:
        (WebCore::RealtimeAnalyserNode::RealtimeAnalyserNode):
        * Modules/webaudio/RealtimeAnalyserNode.h:
        (RealtimeAnalyserNode):
        * WebCore.gypi:
        * WebCore.xcodeproj/project.pbxproj:

2012-05-01  Keishi Hattori  <keishi@webkit.org>

        datalist: Form control in a <datalist> should be barred from constraint validation
        https://bugs.webkit.org/show_bug.cgi?id=84359

        Reviewed by Kent Tamura.

        Tests: fast/forms/datalist/datalist-child-validation.html
               fast/forms/form-control-element-crash.html

        * html/HTMLFormControlElement.cpp:
        (WebCore::HTMLFormControlElement::HTMLFormControlElement):
        (WebCore::HTMLFormControlElement::updateAncestors): Updates the ancestor information.
        (WebCore::HTMLFormControlElement::insertedInto): Invalidate the ancestor information and call setNeedsWillValidateCheck because willValidate might have changed.
        (WebCore::HTMLFormControlElement::removedFrom): Ditto.
        (WebCore::HTMLFormControlElement::disabled):
        (WebCore::HTMLFormControlElement::recalcWillValidate): Returns false if element has a datalist ancestor.
        (WebCore::HTMLFormControlElement::willValidate): Check if ancestor information is valid too.
        (WebCore::HTMLFormControlElement::setNeedsWillValidateCheck):
        * html/HTMLFormControlElement.h:
        (HTMLFormControlElement):

2012-05-01  Kent Tamura  <tkent@chromium.org>

        Calendar Picker: Close the picker by ESC key
        https://bugs.webkit.org/show_bug.cgi?id=85337

        Reviewed by Kentaro Hara.

        No new tests. Calendar picker is not testable in DRT yet.

        * Resources/calendarPicker.js:
        (handleGlobalKey): Close the popup by ESC key.

2012-05-01  Noel Gordon  <noel.gordon@gmail.com>

        PNGImageDecoder: Handle interlace buffer allocation failure
        https://bugs.webkit.org/show_bug.cgi?id=85276

        Reviewed by Eric Seidel.

        No new tests. Not something we can easily test (malloc failure).

        * platform/image-decoders/png/PNGImageDecoder.cpp:
        (WebCore::PNGImageDecoder::rowAvailable): Check interlace buffer allocations
        and bail via longjmp on failure. Note PNG_INTERLACE_ADAM7 is the only libpng
        supported interlace type so test for it explicitly.

2012-05-01  Kent Tamura  <tkent@chromium.org>

        Calendar Picker: Too wide in Japanese locale
        https://bugs.webkit.org/show_bug.cgi?id=85331

        Reviewed by Kentaro Hara.

        No new tests. This is a locale-specific behavior.

        * Resources/calendarPicker.js:
        (formatJapaneseImperialEra):
        Do not show an imperial era later than 平成99年 to avoid very long
        year string like "275760年(平成273772年)."
        (YearMonthController.prototype.attachTo):
        - Respect the maximum year specified by <input max=...>
          If <input max="9999-12-31"> is specified, we don't need to
          secure space for the year 275,760.
        - Check the width for 平成99年 as well as the maximum year because
          "2087年(平成99年)" is usually wider than "275760年".

2012-05-01  Noel Gordon  <noel.gordon@gmail.com>

        PNGImageDecoder: Add ENABLE(IMAGE_DECODER_DOWN_SAMPLING) guards to rowAvailable
        https://bugs.webkit.org/show_bug.cgi?id=85268

        Reviewed by Eric Seidel.

        PNGImageDecoder supports image downsampling. Add ENABLE guards to show where
        downsampling is applied when outputting decoded rows to the frame buffer. Most
        ports don't enable the flag: don't penalize them in terms of speed in this tight
        row pixel write loop. s/y/destY/ to match setRGBA() and amend some comments.

        No new tests. No change in behavior.

        * platform/image-decoders/png/PNGImageDecoder.cpp:
        (WebCore::PNGImageDecoder::rowAvailable):

2012-05-01  Eric Seidel  <eric@webkit.org>

        Remove unneeded min/max pref width assignment from RenderView
        https://bugs.webkit.org/show_bug.cgi?id=85325

        Reviewed by Julien Chaffraix.

        This code has been with us since the original import from KDE:
        http://trac.webkit.org/browser/trunk/WebCore/khtml/rendering/render_root.cpp?annotate=blame&rev=4#L93
        It's never been documented, or explained.  Removing it showed no
        effect on my local layout tests run.
        However this code blocks proper implementation of <iframe seamless>
        as we have to do proper min/max width negotiation across the iframe boundary.

        I would remove the whole function, but doing so opens a whole can of worms
        as this override is public, yet normally this function is *private* (well protected on RenderBox).
        It seems plausible that frame flattening code needs this override since it doesn't always
        call the min/maxPreferredWidth() calls which normally automatically call this compute*
        function if the pref-widths are dirty.
        Instead of trying to track that all down, I'm just removing this line, and we'll go
        back and remove the whole function at a later date if possible.

        * rendering/RenderView.cpp:
        (WebCore::RenderView::computePreferredLogicalWidths):

2012-05-01  Nate Chapin  <japhet@chromium.org>

        REGRESSION(r115654): PDFs come up blank
        https://bugs.webkit.org/show_bug.cgi?id=85275

        Reviewed by Alexey Proskuryakov.

        Test: http/tests/loading/pdf-commit-load-callbacks.html

        * loader/DocumentLoader.cpp:
        (WebCore::DocumentLoader::finishedLoading): The load needs to be
            committed before we call finishedLoading on the
            FrameLoaderClient.
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::transitionToCommitted): We're guaranteeing
            that receivedFirstData() will be called other ways (namely,
            DocumentLoader won't finish without doing so). This call now
            causes custom representations to double-commit, which is bad.

2012-05-01  Eric Seidel  <eric@webkit.org>

        Add support for seamless attribute as well as seamless sandbox flag and default CSS styling
        https://bugs.webkit.org/show_bug.cgi?id=85302

        Reviewed by Ojan Vafai.

        This also adds support for the seamless sandbox flag from HTML 5.
        The sandbox flag is not specifically overridable in the current HTML5,
        but it is set (like all sandbox flags) by default when sandbox is specified.
        Unfortunately this support is not yet observable in this patch, as
        this patch adds not observable features of seamless.

        This patch also adds the html.css additions for seamless, as specified:
        http://www.whatwg.org/specs/web-apps/current-work/multipage/rendering.html#replaced-elements

        I noticed that my previous testing did not confirm that iframes marked
        for seamless (but not possible to display as seamless due to sandbox, etc.)
        were still to have this seamless styling.  I've added additional testing for this case.

        I also added another test for the about:blank FIXME added as part of this change.

        In order to support srcdoc w/ seamless, we needed to move the srcdoc determination
        sooner in the initSecurityContext function (before the should-inherit early return).

        The next patch will make seamless actually observable from JS/DOM, this one
        just lays down all the plumbing, and separates the security aspects for
        easy review.

        Test: fast/frames/seamless/seamless-inherited-origin.html

        * css/html.css:
        (iframe:not([seamless])):
        (iframe[seamless]):
        * dom/Document.cpp:
        (WebCore::isEligibleForSeamless):
        (WebCore):
        (WebCore::Document::initSecurityContext):
        (WebCore::Document::seamlessParentIFrame):
        (WebCore::Document::shouldDisplaySeamlesslyWithParent):
        * dom/Document.h:
        (WebCore):
        (Document):
        * dom/SecurityContext.cpp:
        (WebCore::SecurityContext::SecurityContext):
        * dom/SecurityContext.h:
        (WebCore::SecurityContext::mayDisplaySeamlessWithParent):
        (SecurityContext):
        * html/HTMLAttributeNames.in:
        * html/HTMLIFrameElement.cpp:
        (WebCore::HTMLIFrameElement::shouldDisplaySeamlessly):
        (WebCore):
        * html/HTMLIFrameElement.h:
        (HTMLIFrameElement):
        * html/HTMLIFrameElement.idl:

2012-05-01  Min Qin  <qinmin@google.com>

        use USE(NATIVE_FULLSCREEN_VIDEO) instead of ENABLE(NATIVE_FULLSCREEN_VIDEO)
        https://bugs.webkit.org/show_bug.cgi?id=85316

        Reviewed by Kent Tamura.

        NATIVE_FULLSCREEN_VIDEO means the fullscreen video is implemented by native
        system view instead of webkit.
        So it is more appropriate to use USE(NATIVE_FULLSCREEN_VIDEO).
        This change also disabled the rendering of the fullscreen video element in webkit
        when that flag is set.
        Just renaming the variable, no new tests.

        * dom/Document.cpp:
        (WebCore::Document::webkitWillEnterFullScreenForElement):
        (WebCore):
        * platform/graphics/MediaPlayer.cpp:
        (WebCore):
        * platform/graphics/MediaPlayer.h:
        (MediaPlayer):
        * platform/graphics/MediaPlayerPrivate.h:
        (MediaPlayerPrivateInterface):

2012-05-01  Jeffrey Pfau  <jpfau@apple.com>

        <rdar://problem/10422318> Support for web content filter delegate for filtering https content
        https://bugs.webkit.org/show_bug.cgi?id=85300

        Reviewed by Alexey Proskuryakov.

        No new tests.

        * WebCore.exp.in:
        * loader/MainResourceLoader.cpp:
        (WebCore::MainResourceLoader::MainResourceLoader):
        (WebCore::MainResourceLoader::~MainResourceLoader):
        (WebCore::MainResourceLoader::didCancel):
        (WebCore::MainResourceLoader::didReceiveResponse):
        (WebCore::MainResourceLoader::didReceiveData):
        (WebCore::MainResourceLoader::didFinishLoading):
        (WebCore::MainResourceLoader::didFail):
        * loader/MainResourceLoader.h:
        (MainResourceLoader):
        * platform/mac/WebCoreSystemInterface.h:
        * platform/mac/WebCoreSystemInterface.mm:

2012-05-01  Kent Tamura  <tkent@chromium.org>

        Calendar Picker: Add capability to add platform-specific style sheet
        https://bugs.webkit.org/show_bug.cgi?id=85272

        Reviewed by Kentaro Hara.

        Add RenderTheme::extraCalendarPickerStyleSheet(). The resultant string
        of the function is inserted into the calendar picker page.

        No new tests. Calendar picker appearance is not testable yet.

        * Resources/calendarPicker.css: Removed styles for year-month buttons.
        * Resources/calendarPickerMac.css:
        Moved from calendarPicker.css, and adjust styles so that they look like
        standard Lion buttons.
        (.year-month-button):
        (.year-month-button:active):
        (.year-month-button:disabled):
        * WebCore.gyp/WebCore.gyp: Add a rule to produce CalendarPickerMac.{cpp,h}.
        * html/shadow/CalendarPickerElement.cpp:
        (WebCore::CalendarPickerElement::writeDocument):
        Add extraCalendarPickerStyleSheet() result to the document.
        * rendering/RenderTheme.cpp:
        (WebCore::RenderTheme::extraCalendarPickerStyleSheet):
        Added. Returns an empty CString by default.
        * rendering/RenderTheme.h:
        (RenderTheme): Added extraCalendarPickerStyleSheet().
        * rendering/RenderThemeChromiumMac.h: Added extraCalendarPickerStyleSheet().
        * rendering/RenderThemeChromiumMac.mm:
        (WebCore::RenderThemeChromiumMac::extraCalendarPickerStyleSheet):
        Added. Returns the content of Resources/calendarPickerMac.css.

2012-05-01  James Simonsen  <simonjam@chromium.org>

        Ensure HTMLElementStack fails gracefully if it has a non-Element.
        https://bugs.webkit.org/show_bug.cgi?id=85167

        Reviewed by Adam Barth.

        Test: Added to html5lib/resources/webkit02.dat

        * html/parser/HTMLElementStack.cpp:
        (WebCore::HTMLElementStack::oneBelowTop):
        * html/parser/HTMLTreeBuilder.cpp:
        (WebCore::HTMLTreeBuilder::processEndTag):

2012-05-01  Ryosuke Niwa  <rniwa@webkit.org>

        *Command.h files shouldn't be exported to WebKit layer
        https://bugs.webkit.org/show_bug.cgi?id=74778

        Reviewed by Eric Seidel.

        Remove the dependency on *Command.h files from Mac port's WebKit layer.
        Also wrapped the call to TypingCommand::insertParagraphSeparatorInQuotedContent in the Editor class
        so that we can just expose Editor's method instead of directly exposing the said static method.

        * WebCore.exp.in:
        * WebCore.xcodeproj/project.pbxproj:
        * editing/Editor.h:
        (Editor):
        * editing/mac/EditorMac.mm:
        (WebCore::Editor::insertParagraphSeparatorInQuotedContent):
        (WebCore):

2012-05-01  Julien Chaffraix  <jchaffraix@webkit.org>

        Remove one bit from m_column to pack RenderTableCell bits more
        https://bugs.webkit.org/show_bug.cgi?id=85291

        Reviewed by Ojan Vafai.

        Memory improvement, covered by the existing unit tests.

        * rendering/RenderTableCell.cpp:
        * rendering/RenderTableCell.h:
        Remove one bit from m_column (which should be fine as I wouldn't expect tables above 1 million
        columns to render at all anyway) to pack the bitfields in 32 bits. Re-arranged the bits to have the bigger
        bitfield first.

2012-05-01  Anders Carlsson  <andersca@apple.com>

        Slow scrolling on www.sholby.net
        https://bugs.webkit.org/show_bug.cgi?id=85304
        <rdar://problem/11138952>

        Reviewed by Beth Dakin.

        Fix two performance issues that showed up on the profiles.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::checkLoadCompleteForThisFrame):
        Reset the relevant painted object counter; it's only interesting when loading.

        * page/Page.cpp:
        (WebCore::Page::startCountingRelevantRepaintedObjects):
        Set m_isCountingRelevantRepaintedObjects to true after calling reset, since reset now sets it to false.

        (WebCore::Page::resetRelevantPaintedObjectCounter):
        Set m_isCountingRelevantRepaintedObjects to false.

        (WebCore::Page::addRelevantRepaintedObject):
        Use HashSet::find to avoid an extra hash lookup.

        * page/scrolling/ScrollingCoordinator.cpp:
        (WebCore::ScrollingCoordinator::updateMainFrameScrollPositionAndScrollLayerPosition):
        Remove the call to FrameView::updateCompositingLayersAfterLayout now, since FrameView::notifyScrollPositionChanged
        already calls this and was making us do a lot of work twice.

2012-05-01  Silvia Pfeiffer  <silviapf@chromium.org>

        Audio controls have a 1px surplus outline coming from RenderImage::paintReplaced base class,
        which needs overwriting.
        https://bugs.webkit.org/show_bug.cgi?id=84570

        Reviewed by Eric Carlson.

        No new tests - covered by existing audio rendering tests.

        * rendering/RenderMedia.cpp:
        (WebCore::RenderMedia::paintReplaced): Overwrite inherited function.
        (WebCore):
        * rendering/RenderMedia.h:
        (RenderMedia):

2012-05-01  Terry Anderson  <tdanderson@chromium.org>

        Allow a pre-targeted node to be specified when dispatching a GestureTap event
        https://bugs.webkit.org/show_bug.cgi?id=85296

        Reviewed by Adam Barth.

        https://bugs.webkit.org/show_bug.cgi?id=85101
            The new parameter will be used and tested in this patch.

        * page/EventHandler.cpp:
        (WebCore::EventHandler::handleGestureTap):
            The new preTargetedNode parameter can be used to pass in the Node that is
            the target of the GestureTap event. If this parameter is used, adjustedPoint
            is changed to be the center of the Node's bounding rectangle.
        * page/EventHandler.h:
        (EventHandler):

2012-05-01  Jessie Berlin  <jberlin@apple.com>

        Crash calling disconnectFrame on a DOMWindowExtension a second time.
        https://bugs.webkit.org/show_bug.cgi?id=85301

        Reviewed by Darin Adler.

        DOMWindowExtension::disconnectFrame assumed it would only be called when there was a frame
        to disconnect. However, DOMWindow's destructor invokes disconnectFrame on all its
        DOMWindowProperties, even if it already did so when it entered the page cache.

        * page/DOMWindowExtension.cpp:
        (WebCore::DOMWindowExtension::disconnectFrame):
        Don't do anything if the frame has already been disconnected.

2012-05-01  Aaron Colwell  <acolwell@chromium.org>

        Temporarily remove webkitSourceAddId() & webkitSourceRemoveId() from DOM
        until the rest of the Media Source v0.5 methods are implemented. This is
        to prevent ambiguity about whether v0.5 is fully supported or not.
        https://bugs.webkit.org/show_bug.cgi?id=85295

        Reviewed by Eric Carlson.

        No new tests. Removing methods from DOM so relevant tests are removed.

        * html/HTMLMediaElement.idl:

2012-05-01  Douglas Stockwell  <dstockwell@chromium.org>

        IndexedDB: stale index entries may not be removed in some cases
        https://bugs.webkit.org/show_bug.cgi?id=85224

        Reviewed by Ojan Vafai.

        Ensure that stale index entries are removed when the corresponding
        object store entry no longer exists.

        No new tests. Addresses a performance / storage leak that is
        not amenable to verification in a layout test.

        * Modules/indexeddb/IDBLevelDBBackingStore.cpp:
        (WebCore):

2012-05-01  Igor Oliveira  <igor.o@sisa.samsung.com>

        Use HashMap<OwnPtr> for CounterMap in RenderCounter
        https://bugs.webkit.org/show_bug.cgi?id=85294

        Reviewed by Eric Seidel.

        * rendering/RenderCounter.cpp:
        (WebCore):
        (WebCore::makeCounterNode):
        (WebCore::RenderCounter::destroyCounterNodes):

2012-05-01  Philip Rogers  <pdr@google.com>

        Skip building instance tree for disallowed target
        https://bugs.webkit.org/show_bug.cgi?id=85202

        Reviewed by Nikolas Zimmermann.

        When the target of a use is disallowed (e.g., a mask element) we can
        skip building the instance tree because the shadow tree will be
        skipped as well.

        Test: svg/custom/animate-disallowed-mask-element.svg

        * svg/SVGUseElement.cpp:
        (WebCore::SVGUseElement::buildInstanceTree):

2012-04-29  Nikolas Zimmermann  <nzimmermann@rim.com>

        Accumulation for values-animation is broken
        https://bugs.webkit.org/show_bug.cgi?id=85158

        Reviewed by Darin Adler.

        Example:
        <rect width="999" height="100" fill="green">
            <animate begin="0s" values="0; 30; 20" accumulate="sum" repeatCount="5" dur="2s"/>
        </rect>

        The rect should animate like this:
        0.000s -> 0
        0.500s -> 15
        1.000s -> 30
        1.500s -> 25
        1.999s -> 20
        2.000s -> 20 (first accumulation, starts accumulating from the last set value, here '20').
        2.500s -> 45
        3.000s -> 50
        3.500s -> 45
        3.999s -> 40
        4.000s -> 40 (second accumulation)
        etc.

        This is currently broken for values-animation. The accumulation should happen after a full cycle of the values animation ran (aka. at the end of the duration).
        A values animation works like this: iterate over the list of values, and calculate a 'from' and 'to' value for a given time. Example for values="0; 30; 20" dur="2s":
            - 0.0s .. 1.0s -> from=0, to=30
            - 1.0s .. 2.0s -> from=30, to=20

        Accumulation currently is taken into account at each interval for a values-animation instead of the end of the cycle. Fix that
        by passing an additional 'toAtEndOfDuration' type to calculateAnimatedValue() which is used for accumulation instead of the
        current 'to' value.

        Test: svg/animations/accumulate-values-width-animation.html

        * svg/SVGAnimateElement.cpp:
        (WebCore::SVGAnimateElement::calculateAnimatedValue):
        * svg/SVGAnimateElement.h:
        (SVGAnimateElement):
        * svg/SVGAnimateMotionElement.cpp:
        (WebCore::SVGAnimateMotionElement::calculateAnimatedValue):
        * svg/SVGAnimateMotionElement.h:
        (SVGAnimateMotionElement):
        * svg/SVGAnimatedAngle.cpp:
        (WebCore::SVGAnimatedAngleAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedAngle.h:
        (SVGAnimatedAngleAnimator):
        * svg/SVGAnimatedBoolean.cpp:
        (WebCore::SVGAnimatedBooleanAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedBoolean.h:
        (SVGAnimatedBooleanAnimator):
        * svg/SVGAnimatedColor.cpp:
        (WebCore::SVGAnimatedColorAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedColor.h:
        (SVGAnimatedColorAnimator):
        * svg/SVGAnimatedEnumeration.cpp:
        (WebCore::SVGAnimatedEnumerationAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedEnumeration.h:
        (SVGAnimatedEnumerationAnimator):
        * svg/SVGAnimatedInteger.cpp:
        (WebCore::SVGAnimatedIntegerAnimator::calculateAnimatedInteger):
        (WebCore::SVGAnimatedIntegerAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedInteger.h:
        (SVGAnimatedIntegerAnimator):
        * svg/SVGAnimatedIntegerOptionalInteger.cpp:
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedIntegerOptionalInteger.h:
        (SVGAnimatedIntegerOptionalIntegerAnimator):
        * svg/SVGAnimatedLength.cpp:
        (WebCore::SVGAnimatedLengthAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedLength.h:
        (SVGAnimatedLengthAnimator):
        * svg/SVGAnimatedLengthList.cpp:
        (WebCore::SVGAnimatedLengthListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedLengthList.h:
        (SVGAnimatedLengthListAnimator):
        * svg/SVGAnimatedNumber.cpp:
        (WebCore::SVGAnimatedNumberAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumber.h:
        (SVGAnimatedNumberAnimator):
        * svg/SVGAnimatedNumberList.cpp:
        (WebCore::SVGAnimatedNumberListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumberList.h:
        (SVGAnimatedNumberListAnimator):
        * svg/SVGAnimatedNumberOptionalNumber.cpp:
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumberOptionalNumber.h:
        (SVGAnimatedNumberOptionalNumberAnimator):
        * svg/SVGAnimatedPath.cpp:
        (WebCore::SVGAnimatedPathAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedPath.h:
        (SVGAnimatedPathAnimator):
        * svg/SVGAnimatedPointList.cpp:
        (WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedPointList.h:
        (SVGAnimatedPointListAnimator):
        * svg/SVGAnimatedPreserveAspectRatio.cpp:
        (WebCore::SVGAnimatedPreserveAspectRatioAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedPreserveAspectRatio.h:
        (SVGAnimatedPreserveAspectRatioAnimator):
        * svg/SVGAnimatedRect.cpp:
        (WebCore::SVGAnimatedRectAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedRect.h:
        (SVGAnimatedRectAnimator):
        * svg/SVGAnimatedString.cpp:
        (WebCore::SVGAnimatedStringAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedString.h:
        (SVGAnimatedStringAnimator):
        * svg/SVGAnimatedTransformList.cpp:
        (WebCore::SVGAnimatedTransformListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedTransformList.h:
        (SVGAnimatedTransformListAnimator):
        * svg/SVGAnimatedTypeAnimator.h:
        (SVGAnimatedTypeAnimator):
        * svg/SVGAnimationElement.cpp:
        (WebCore::SVGAnimationElement::currentValuesForValuesAnimation):
        (WebCore::SVGAnimationElement::updateAnimation):
        * svg/SVGAnimationElement.h:
        (WebCore::SVGAnimationElement::animateAdditiveNumber):
        (SVGAnimationElement):

2012-05-01  Beth Dakin  <bdakin@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=85231
        Fixed position objects that are removed from the DOM don't kick off 
        fixed position recalculation
        -and corresponding-
        <rdar://problem/11297916>

        Reviewed by Darin Adler.

        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::willBeDestroyed):

2012-05-01  Dana Jansens  <danakj@chromium.org>

        Early-out for subtracting a non-intersecting region
        https://bugs.webkit.org/show_bug.cgi?id=85258

        Reviewed by Hajime Morita.

        Given regions A and B, if the bounds of the regions do not intersect,
        then the regions themselves do not intersect. If the intersection of
        A and B is empty, then A subtract B == A.

        * platform/graphics/Region.cpp:
        (WebCore::Region::subtract):

2012-04-30  Kent Tamura  <tkent@chromium.org>

        [Chromium/Windows] Add LocalizedDateWin
        https://bugs.webkit.org/show_bug.cgi?id=84935

        Reviewed by Kentaro Hara.

        LocalizedDateICU.cpp doesn't reflect system settings. So there were some
        problems such as <input type=date> doesn't use system's date format.

        We need to use Windows API to get a date format and calendar parameters.

        We obtain a date format like "MM/dd/yy" via Windows API, and
        format/parse dates for the format by our own code because Windows API
        can't handle years older than 1601 and doesn't have date parsing API.

        Unit test: Source/WebKit/chromium/tests/LocaleWinTest.cpp

        * WebCore.gypi: Add LocalizedDateWin.cpp.
        * WebCore.gyp/WebCore.gyp:
        For Windows, remove LocalizedDateICU.cpp and add LocalizedDateWin.cpp.
        All of *Win.cpp files are excluded by default.

        * platform/text/LocaleWin.cpp: Added.
        (WebCore::LocaleWin::LocaleWin):
        (WebCore::LocaleWin::create):
        (WebCore::LocaleWin::currentLocale):
        (WebCore::LocaleWin::~LocaleWin):
        (WebCore::LocaleWin::getLocaleInfoString):
        A helper function to obtain a string by GetLocaleInfo().
        (WebCore::LocaleWin::initializeShortMonthLabels):
        Obtain short month names from Windows.

        (WebCore::DateFormatToken): A struct to represent a token in a date format.
        e.g. A format string "MM/dd/yy" generates five DateFormatToken:
         Month2, Literal, Day2, Literal, Year2.
        (isEraSymbol): A readability helper function.
        (isYearSymbol): ditto.
        (isMonthSymbol): ditto.
        (isDaySymbol): ditto.
        (countContinuousLetters):
        (commitLiteralToken): A helper for parseDateFormat().
        (parseDateFormat):
        Parse a format string, and generate a list of DateFormatToken.

        (WebCore::parseNumber): A helper for parseDate().
        (WebCore::LocaleWin::parseNumberOrMonth): ditto.
        (WebCore::LocaleWin::parseDate):
        Parse a user-provided date string by matching with a DateFormatToken list.

        (WebCore::appendNumber): A helper for formatDate().
        (WebCore::appendTwoDigitsNumber): ditto. Write at least two digits.
        (WebCore::appendFourDigitsNumber): ditto. Write at least four digits.
        (WebCore::LocaleWin::formatDate):
        Format a DateComponents by iterating a DateFormatToken list.

        (WebCore::LocaleWin::initializeShortDateTokens):
        (WebCore::substituteLabelsIntoFormat):
        Creates a user-visible format string by iterating a DateFormatToken list.
        (WebCore::LocaleWin::dateFormatText):
        (WebCore::LocaleWin::initializeMonthLabels):
        Creates month names by Windows API.
        (WebCore::LocaleWin::initializeWeekDayShortLabels):
        Creates day names by Windows API.
        (WebCore::LocaleWin::monthLabels):
        Public accessor function for month names.
        (WebCore::LocaleWin::weekDayShortLabels):
        Public accessor function for day names.
        * platform/text/LocaleWin.h: Added.

        * platform/text/LocalizedDateWin.cpp:
        Added. The following functions simply delegate to LocaleWin::currentLocale().
        (WebCore::parseLocalizedDate):
        (WebCore::formatLocalizedDate):
        (WebCore::localizedDateFormatText):
        (WebCore::monthLabels):
        (WebCore::weekDayShortLabels):
        (WebCore::firstDayOfWeek):

2012-04-30  Kent Tamura  <tkent@chromium.org>

        REGRESSION(r115600): parseLocalizedDate() should fail for invalid inputs
        https://bugs.webkit.org/show_bug.cgi?id=85176

        Reviewed by Kentaro Hara.

        Test: fast/forms/date/input-date-commit-valid-only.html

        * platform/text/mac/LocalizedDateMac.mm:
        (WebCore::parseLocalizedDate):
        We should check nil for the result of NSDateFormatter::dateFromString.

2012-04-30  Mark Rowe  <mrowe@apple.com>

        Fix another leak due to misuse of createCFString.

        Reviewed by Darin Adler.

        * plugins/mac/PluginPackageMac.cpp:
        (WebCore::PluginPackage::fetchInfo): Adopt the result of createCFString.

2012-04-30  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/11312198> Many leaks during fast/events/dropzone-002.html

        Reviewed by Darin Adler.

        * platform/mac/ClipboardMac.mm:
        (WebCore::utiTypeFromCocoaType): Adopt the result of createCFString.

2012-04-30  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/11352575> Many CGImageRefs leaked during media layout tests

        Reviewed by Brian Weinstein.

        * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:
        (WebCore::MediaPlayerPrivateAVFoundationObjC::createImageForTimeInRect): Adopt the CGImageRef.

2012-04-30  Emil A Eklund  <eae@chromium.org>

        Change RenderBoxModelObject::calculateBackgroundImageGeometry to use roundToInt
        https://bugs.webkit.org/show_bug.cgi?id=85249

        Reviewed by Eric Seidel.

        Prepare RenderBoxModelObject for FractionalLayoutUnits by adding rounding
        logic to calculateBackgroundImageGeometry. Background images, as all
        images, need to be laid out on pixel boundaries thus we need to convert
        it to an integer value.

        No new tests, no change in functionality.

        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::calculateBackgroundImageGeometry):

2012-04-30  Ilya Sherman  <isherman@chromium.org>

        Unreviewed, rolling out r113511.
        http://trac.webkit.org/changeset/113511
        https://bugs.webkit.org/show_bug.cgi?id=66032
        https://bugs.webkit.org/show_bug.cgi?id=85150

        Regression: Many autofilled form fields lack the default
        autofill background even when authors don’t override the
        autofill colors

        * css/html.css:
        (input:-webkit-autofill): Restore !important modifiers

2012-04-30  Julien Chaffraix  <jchaffraix@webkit.org>

        Move RenderTableCell's row index to RenderTableRow
        https://bugs.webkit.org/show_bug.cgi?id=85229

        Reviewed by Ojan Vafai.

        Covered by the existing table tests.

        Row index is a RenderTableRow concept and as such this change moves
        the relevant logic into the class.

        While touching the code, renamed row() -> rowIndex() as now RenderTableCell
        can return its parent RenderTableRow and we were returning an index, not the row
        itself.

        * accessibility/AccessibilityTable.cpp:
        (WebCore::AccessibilityTable::cellForColumnAndRow):
        * accessibility/AccessibilityTableCell.cpp:
        (WebCore::AccessibilityTableCell::rowIndexRange):
        (WebCore::AccessibilityTableCell::titleUIElement):
        * rendering/RenderTable.cpp:
        (WebCore::RenderTable::cellAbove):
        (WebCore::RenderTable::cellBelow):
        (WebCore::RenderTable::cellBefore):
        (WebCore::RenderTable::cellAfter):
        * rendering/RenderTreeAsText.cpp:
        (WebCore::RenderTreeAsText::writeRenderObject):
        Updated after the renaming RenderTableCell::row() -> rowIndex().

        * rendering/RenderTableCell.cpp:
        (WebCore::RenderTableCell::RenderTableCell):
        (WebCore::RenderTableCell::computeCollapsedBeforeBorder):
        (WebCore::RenderTableCell::computeCollapsedAfterBorder):
        Updated after m_rowIndex removal and row() -> rowIndex() renaming.

        (WebCore::RenderTableCell::styleDidChange):
        Switched the rowWasSet check to an ASSERT. The new logic guarantees that
        row index was set straight when we insert the row. The previous logic was
        open to some race conditions as we could wait for a recalcCells call before
        setting the index on the rows which made this check necessary.

        * rendering/RenderTableCell.h:
        (WebCore::RenderTableCell::row):
        Added this RenderTableRow getter.

        (WebCore::RenderTableCell::rowIndex):
        Renamed from row().

        * rendering/RenderTableRow.cpp:
        (WebCore::RenderTableRow::RenderTableRow):
        (WebCore::RenderTableRow::styleDidChange):
        Updated after adding m_rowIndex / rowIndex().

        * rendering/RenderTableRow.h:
        (WebCore::RenderTableRow::setRowIndex):
        (WebCore::RenderTableRow::rowIndex):
        Added those getter / setter. Also kept m_rowIndex's smaller size
        for future optimization and for symmetry with the column index on
        RenderTableCell.

        * rendering/RenderTableSection.cpp:
        (WebCore::RenderTableSection::addChild):
        (WebCore::RenderTableSection::recalcCells):
        Made sure that whenever we insert or update our row index
        we do call setRowIndex().

        (WebCore::RenderTableSection::addCell):
        This logic now doesn't need to query insertionRow as the cell's
        should have the index of the row in which it is inserted.

        (WebCore::RenderTableSection::calcRowLogicalHeight):
        (WebCore::RenderTableSection::layoutRows):
        (WebCore::compareCellPositionsWithOverflowingCells):
        More updates after row() -> rowIndex() renaming.

        * rendering/RenderTableSection.h:
        Removed rowIndexForRenderer now that the row caches this information.

2012-04-30  Keishi Hattori  <keishi@webkit.org>

        datalist: Inconsistent behavior of HTMLInputElement::list
        https://bugs.webkit.org/show_bug.cgi?id=84351

        Each platform will have a different set of input types that support the datalist UI.
        This patch makes shouldRespectListAttribute ask the RenderTheme if it supports datalist UI for that input type.
        Thus making it possible to do feature detection with JS.

        Reviewed by Kent Tamura.

        * WebCore.gypi: Added RenderThemeChromiumCommon.{cpp,h}
        * html/ColorInputType.cpp:
        (WebCore::ColorInputType::shouldRespectListAttribute):
        (WebCore):
        * html/ColorInputType.h:
        (ColorInputType):
        * html/InputType.cpp:
        (WebCore::InputType::themeSupportsDataListUI): Static method used by TextFieldInputType, RangeInputType, and ColorInputType.
        (WebCore):
        * html/InputType.h:
        (InputType):
        * html/RangeInputType.cpp:
        (WebCore::RangeInputType::shouldRespectListAttribute):
        * html/TextFieldInputType.cpp:
        (WebCore::TextFieldInputType::shouldRespectListAttribute):
        * rendering/RenderTheme.h:
        (RenderTheme):
        (WebCore::RenderTheme::supportsDataListUI): Returns true if the platform can show the datalist suggestions for a given input type.
        * rendering/RenderThemeChromiumCommon.cpp: Added.
        (WebCore):
        (WebCore::RenderThemeChromiumCommon::supportsDataListUI):
        * rendering/RenderThemeChromiumCommon.h: Added.
        (WebCore):
        (RenderThemeChromiumCommon):
        * rendering/RenderThemeChromiumMac.h:
        (RenderThemeChromiumMac):
        * rendering/RenderThemeChromiumMac.mm:
        (WebCore::RenderThemeChromiumMac::supportsDataListUI):
        (WebCore):
        * rendering/RenderThemeChromiumSkia.cpp:
        (WebCore::RenderThemeChromiumMac::supportsDataListUI):
        (WebCore):
        * rendering/RenderThemeChromiumSkia.h:
        (RenderThemeChromiumSkia):

2012-04-30  Levi Weintraub  <leviw@chromium.org>

        RenderObject incorrectly lists maximalOutlineSize as a LayoutUnit
        https://bugs.webkit.org/show_bug.cgi?id=85248

        Reviewed by Eric Seidel.

        Reverting RenderObject::maximalOutlineSize to int. This is a slop value for repaint
        rects that doesn't affect layout. It also derives its value from RenderView's function
        of the same name, which is already an integer.

        No new tests. No change in behavior.

        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::maximalOutlineSize):
        * rendering/RenderObject.h:
        (RenderObject):

2012-04-30  Xingnan Wang  <xingnan.wang@intel.com>

        Add multichannel support for input of JavaScriptAudioNode
        https://bugs.webkit.org/show_bug.cgi?id=84687

        Reviewed by Chris Rogers.

        Tests: webaudio/javascriptaudionode-downmix8-2channel-input.html
               webaudio/javascriptaudionode-upmix2-8channel-input.html

        * Modules/webaudio/JavaScriptAudioNode.cpp:
        (WebCore::JavaScriptAudioNode::create):
        (WebCore::JavaScriptAudioNode::JavaScriptAudioNode):
        (WebCore::JavaScriptAudioNode::initialize):
        (WebCore::JavaScriptAudioNode::process):
        * Modules/webaudio/JavaScriptAudioNode.h:
        (JavaScriptAudioNode):

2012-04-30  Oliver Hunt  <oliver@apple.com>

        Harden arithmetic in ImageBufferDataCG
        https://bugs.webkit.org/show_bug.cgi?id=61373

        Reviewed by Gavin Barraclough.

        We have a checked type that allows us to automate many of the
        bounds checks we want here, so let's replace the floating point
        math, and just use Checked<> throughout.  We use a non-recording
        Checked<> as no overflows should reach this point, so we'll take
        a hard early failure, over the cost of many branches when
        accessing the raw values in loops.

        * platform/graphics/cg/ImageBufferDataCG.cpp:
        (WebCore::ImageBufferData::getData):
        (WebCore::ImageBufferData::putData):
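
        The trade-off this entry describes, as an added example that is not WebKit's
        code: CheckedU32, its two policies, Rect and copyRect are hypothetical
        stand-ins for WTF's Checked<> and the ImageBufferData copy paths, assuming
        32-bit RGBA pixels.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <limits>
#include <vector>

// Hypothetical overflow policies (illustrative names, not WTF's definitions).
struct CrashOnOverflow {                 // "non-recording": fail hard, nothing to test later
    void overflowed() { std::abort(); }
    bool hasOverflowed() const { return false; }
};
struct RecordOverflow {                  // "recording": remember the failure, caller must branch
    bool flag = false;
    void overflowed() { flag = true; }
    bool hasOverflowed() const { return flag; }
};

// Minimal checked 32-bit unsigned integer; results are computed in 64 bits
// so that a wrap of the 32-bit value can be detected before it is used.
template <typename Policy>
class CheckedU32 {
public:
    CheckedU32(uint32_t v = 0) : m_value(v) {}
    CheckedU32 operator*(CheckedU32 rhs) const { return combine(rhs, uint64_t(m_value) * rhs.m_value); }
    CheckedU32 operator+(CheckedU32 rhs) const { return combine(rhs, uint64_t(m_value) + rhs.m_value); }
    bool hasOverflowed() const { return m_policy.hasOverflowed(); }
    uint32_t value() const { return m_value; }
private:
    CheckedU32 combine(CheckedU32 rhs, uint64_t wide) const {
        CheckedU32 r;
        r.m_policy = m_policy;           // carry an earlier recorded overflow forward
        if (rhs.hasOverflowed() || wide > std::numeric_limits<uint32_t>::max())
            r.m_policy.overflowed();     // aborts or sets the flag, depending on policy
        r.m_value = uint32_t(wide);
        return r;
    }
    uint32_t m_value;
    Policy m_policy;
};

struct Rect { uint32_t x, y, width, height; };

// Plain 32-bit arithmetic: 0x10000 * 0x10000 * 4 silently wraps to 0.
uint32_t uncheckedByteSize(uint32_t width, uint32_t height) { return width * height * 4u; }

template <typename Policy>
CheckedU32<Policy> checkedByteSize(uint32_t width, uint32_t height) {
    return CheckedU32<Policy>(width) * height * 4u;
}

// Copies an RGBA sub-rectangle out of a backing store. Untrusted geometry is
// validated once with the recording type; the per-row offsets then use the
// crashing type, because no overflow should be able to reach the loop.
bool copyRect(const std::vector<uint8_t>& store, uint32_t storeWidth, uint32_t storeHeight,
              Rect r, std::vector<uint8_t>& out) {
    using Rec = CheckedU32<RecordOverflow>;
    using Hard = CheckedU32<CrashOnOverflow>;

    Rec right = Rec(r.x) + r.width;
    Rec bottom = Rec(r.y) + r.height;
    Rec storeBytes = Rec(storeWidth) * storeHeight * 4u;
    Rec outBytes = checkedByteSize<RecordOverflow>(r.width, r.height);
    if (right.hasOverflowed() || bottom.hasOverflowed()
        || storeBytes.hasOverflowed() || outBytes.hasOverflowed())
        return false;
    if (right.value() > storeWidth || bottom.value() > storeHeight
        || storeBytes.value() > store.size())
        return false;

    out.resize(outBytes.value());
    Hard rowBytes = Hard(r.width) * 4u;
    for (uint32_t row = 0; row < r.height; ++row) {
        Hard src = (Hard(r.y) + row) * storeWidth * 4u + Hard(r.x) * 4u;
        Hard dst = Hard(row) * rowBytes;
        std::copy_n(store.begin() + src.value(), rowBytes.value(), out.begin() + dst.value());
    }
    return true;
}

int main() {
    // Constructed input: a 4x3 RGBA store whose bytes equal their own offsets.
    std::vector<uint8_t> store(4 * 3 * 4);
    for (size_t i = 0; i < store.size(); ++i)
        store[i] = uint8_t(i);
    std::vector<uint8_t> out;
    std::printf("in-bounds rect accepted: %d\n", copyRect(store, 4, 3, Rect{1, 1, 2, 2}, out));
    // x + width wraps to 1 in plain 32-bit math and would pass a naive bounds check.
    std::printf("wrapping rect accepted:  %d\n", copyRect(store, 4, 3, Rect{3, 0, 0xFFFFFFFEu, 1}, out));
    std::printf("unchecked size of 65536x65536: %u\n", uncheckedByteSize(0x10000u, 0x10000u));
    return 0;
}
```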

2012-04-30  Levi Weintraub  <leviw@chromium.org>

        Add absoluteValue method for LayoutUnits to allow overloading abs()
        https://bugs.webkit.org/show_bug.cgi?id=85214

        Reviewed by Eric Seidel.

        Adding an absoluteValue free inline function that operates on LayoutUnits, which
        allows us to have one function signature for ints or FractionalLayoutUnits. We
        can't simply add a FractionalLayoutUnit flavor of abs because it confuses
        some compilers due to the implicit FractionalLayoutUnit constructors that take
        ints and floats.

        No new tests. No change in behavior.

        * page/SpatialNavigation.cpp:
        (WebCore::distanceDataForNode):
        * rendering/LayoutTypes.h:
        (WebCore::absoluteValue):
        (WebCore):
        * rendering/RenderBlockLineLayout.cpp:
        (WebCore::RenderBlock::checkPaginationAndFloatsAtEndLine):
        * rendering/RenderLineBoxList.cpp:
        (WebCore::RenderLineBoxList::rangeIntersectsRect):
        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::repaintAfterLayoutIfNeeded):

2012-04-30  Levi Weintraub  <leviw@chromium.org>

        Update LayoutUnit usage in InlineFlowBox and RenderWidget
        https://bugs.webkit.org/show_bug.cgi?id=85239

        Reviewed by Eric Seidel.

        Updating LayoutUnit usage in a pair of remaining functions to minimize the remaining work to switching
        to FractionalLayoutUnits for layout instead of integers.

        No new tests. No change in behavior.

        * rendering/InlineFlowBox.cpp:
        (WebCore::InlineFlowBox::placeBoxesInBlockDirection): Though stored as a float, the top is always
        set to an integer value. When we move to sub-pixel, we need to preserve this. Not preserving this
        behavior affects text decorations, most notably underlines.
        * rendering/RenderWidget.cpp:
        (WebCore::RenderWidget::updateWidgetGeometry): Adding pixel snapping for the content box if it's
        not transformed (absoluteContentBox includes pixel snapping), and properly treating the boundingBox
        as an IntRect.

2012-04-30  Levi Weintraub  <leviw@chromium.org>

        Prepare RenderDeprecatedFlexibleBox for sub-pixel layout
        https://bugs.webkit.org/show_bug.cgi?id=85217

        Reviewed by Eric Seidel.

        Bailing from the space distribution loop in layoutHorizontal/VerticalBox when
        the remaining space falls below one pixel. This has no effect in whole-pixel
        layout, but avoids unnecessary work/infinite loops in the sub-pixel case.

        No new tests. No change in behavior.

        * rendering/RenderDeprecatedFlexibleBox.cpp:
        (WebCore::RenderDeprecatedFlexibleBox::layoutHorizontalBox):
        (WebCore::RenderDeprecatedFlexibleBox::layoutVerticalBox):

2012-04-30  Ryosuke Niwa  <rniwa@webkit.org>

        NULL ptr in WebCore::Range::getBorderAndTextQuads
        https://bugs.webkit.org/show_bug.cgi?id=77218

        Reviewed by Eric Seidel.

        The crash was caused by a malformed range obtained within an event handler of mutation events
        (DOMNodeRemovedFromDocument). Because this range wasn't updated per node removal, range functions
        end up not behaving well.

        Fixed the bug by changing the order of the notifications in ContainerNode::willRemoveChild.
        We now fire mutation events first before updating ranges so that any range created inside those
        event handlers can also be updated prior to the actual node removal.

        Test: fast/dom/Range/range-created-in-mutation-event-crash.xhtml

        * dom/ContainerNode.cpp:
        (WebCore::willRemoveChild):

2012-04-30  Anders Carlsson  <andersca@apple.com>

        ScrollingCoordinator::requestScrollPositionUpdate should not update the main frame scroll position
        https://bugs.webkit.org/show_bug.cgi?id=85240
        <rdar://problem/11286609>

        Reviewed by Sam Weinig.

        The call to updateMainFrameScrollPosition was added to make the WebKit2 find overlay work, since it relies
        on scroll position updates being synchronous. Change the find code in WebKit2 to handle asynchronous scroll
        position updates and remove the call to updateMainFrameScrollPosition.

        * page/scrolling/ScrollingCoordinator.cpp:
        (WebCore::ScrollingCoordinator::requestScrollPositionUpdate):

2012-04-30  Anders Carlsson  <andersca@apple.com>

        Add a way to asynchronously call a function once the scroll position of a page has been updated
        https://bugs.webkit.org/show_bug.cgi?id=85237

        Reviewed by Sam Weinig.

        * WebCore.exp.in:
        Export functions needed by WebKit2.

        * page/scrolling/ScrollingCoordinator.h:
        Make commitTreeStateIfNeeded public.

2012-04-30  Kentaro Hara  <haraken@chromium.org>

        WebGLRenderingContext methods should throw TypeError for not enough arguments
        https://bugs.webkit.org/show_bug.cgi?id=84787

        Reviewed by Kenneth Russell.

        Currently, WebGLRenderingContext methods implement
        "Not enough arguments" error as SyntaxError. The Web IDL
        spec requires that it should be TypeError:
        http://www.w3.org/TR/WebIDL/#dfn-overload-resolution-algorithm

        This patch changes SyntaxError to TypeError.

        I wanted to confirm the behavior of Firefox and Opera,
        but they do not implement WebGL yet.

        Test: fast/canvas/webgl/webgl-exceptions.html

        * bindings/js/JSWebGLRenderingContextCustom.cpp:
        (WebCore::getObjectParameter):
        (WebCore::JSWebGLRenderingContext::getAttachedShaders):
        (WebCore::JSWebGLRenderingContext::getExtension):
        (WebCore::JSWebGLRenderingContext::getFramebufferAttachmentParameter):
        (WebCore::JSWebGLRenderingContext::getParameter):
        (WebCore::JSWebGLRenderingContext::getProgramParameter):
        (WebCore::JSWebGLRenderingContext::getShaderParameter):
        (WebCore::JSWebGLRenderingContext::getUniform):
        (WebCore::dataFunctionf):
        (WebCore::dataFunctioni):
        (WebCore::dataFunctionMatrix):
        * bindings/v8/custom/V8WebGLRenderingContextCustom.cpp:
        (WebCore::getObjectParameter):
        (WebCore::V8WebGLRenderingContext::getAttachedShadersCallback):
        (WebCore::V8WebGLRenderingContext::getExtensionCallback):
        (WebCore::V8WebGLRenderingContext::getFramebufferAttachmentParameterCallback):
        (WebCore::V8WebGLRenderingContext::getParameterCallback):
        (WebCore::V8WebGLRenderingContext::getProgramParameterCallback):
        (WebCore::V8WebGLRenderingContext::getShaderParameterCallback):
        (WebCore::V8WebGLRenderingContext::getUniformCallback):
        (WebCore::vertexAttribAndUniformHelperf):
        (WebCore::uniformHelperi):
        (WebCore::uniformMatrixHelper):

2012-04-30  Emil A Eklund  <eae@chromium.org>

        [gtk, qt, chromium, win] Fix usage of LayoutUnits and rounding in platform code
        https://bugs.webkit.org/show_bug.cgi?id=85222

        Reviewed by Eric Seidel.

        Update platform code to use the pixel snapped values for painting rects
        to line up with device pixels and change platform specific hit testing
        code to use roundedPoint as hit testing is still mostly done on integer
        bounds.

        No new tests, no change in functionality.

        * platform/qt/RenderThemeQt.cpp:
        (WebCore::RenderThemeQt::paintMediaVolumeSliderTrack):
        * platform/win/PopupMenuWin.cpp:
        (WebCore::PopupMenuWin::paint):
        * rendering/RenderThemeChromiumSkia.cpp:
        (WebCore::RenderThemeChromiumSkia::paintSearchFieldCancelButton):
        (WebCore::RenderThemeChromiumSkia::paintSearchFieldResultsDecoration):
        (WebCore::RenderThemeChromiumSkia::paintSearchFieldResultsButton):

2012-04-30  Kentaro Hara  <haraken@chromium.org>

        [V8][JSC] Remove hard-coded "Not enough arguments" errors
        https://bugs.webkit.org/show_bug.cgi?id=85207

        Reviewed by Sam Weinig.

        In bug 85022 and bug 85097, we implemented
        createNotEnoughArgumentsError() in JSC and
        V8Proxy::throwNotEnoughArgumentsError() in V8 and partially
        removed hard-coded "Not enough arguments" errors.
        This patch removes hard-coded "Not enough arguments"
        errors by using the helper methods.

        No tests. No change in behavior.

        * bindings/js/JSAudioContextCustom.cpp:
        (WebCore::JSAudioContextConstructor::constructJSAudioContext):
        * bindings/js/JSSVGLengthCustom.cpp:
        (WebCore::JSSVGLength::convertToSpecifiedUnits):
        * bindings/js/JSWebSocketCustom.cpp:
        (WebCore::JSWebSocketConstructor::constructJSWebSocket):
        (WebCore::JSWebSocket::send):
        * bindings/js/JSXMLHttpRequestCustom.cpp:
        (WebCore::JSXMLHttpRequest::open):
        * bindings/v8/ScriptController.cpp:
        (WebCore::setValueAndClosePopupCallback):
        * bindings/v8/custom/V8AudioContextCustom.cpp:
        (WebCore::V8AudioContext::constructorCallback):
        * bindings/v8/custom/V8SVGLengthCustom.cpp:
        (WebCore::V8SVGLength::convertToSpecifiedUnitsCallback):
        * bindings/v8/custom/V8WebSocketCustom.cpp:
        (WebCore::V8WebSocket::constructorCallback):
        (WebCore::V8WebSocket::sendCallback):
        * bindings/v8/custom/V8XMLHttpRequestCustom.cpp:
        (WebCore::V8XMLHttpRequest::openCallback):

2012-04-30  Benjamin Poulain  <benjamin@webkit.org>

        Add String::startsWith() and endsWith() for string literals
        https://bugs.webkit.org/show_bug.cgi?id=85154

        Reviewed by Darin Adler.

        Update WebCore to use the simpler startsWith() and endsWith() taking
        a UChar.

        * css/CSSParser.cpp:
        (WebCore::CSSParser::markPropertyEnd):
        * css/WebKitCSSKeyframeRule.cpp:
        (WebCore::StyleKeyframe::parseKeyString):
        * editing/markup.cpp:
        (WebCore::createFragmentFromText):
        * html/HTMLObjectElement.cpp:
        (WebCore::HTMLObjectElement::addSubresourceAttributeURLs):
        * html/HTMLTextFormControlElement.cpp:
        (WebCore::HTMLTextFormControlElement::setInnerTextValue):
        * inspector/ContentSearchUtils.cpp:
        (WebCore::ContentSearchUtils::getRegularExpressionMatchesByLines):
        * inspector/InspectorCSSAgent.cpp:
        (WebCore::InspectorCSSAgent::SetPropertyTextAction::redo):
        * loader/MainResourceLoader.cpp:
        (WebCore::MainResourceLoader::substituteMIMETypeFromPluginDatabase):
        * loader/appcache/ManifestParser.cpp:
        (WebCore::parseManifest):
        * platform/blackberry/CookieManager.cpp:
        (WebCore::CookieManager::shouldRejectForSecurityReason):
        * platform/posix/FileSystemPOSIX.cpp:
        (WebCore::pathByAppendingComponent):
        * plugins/PluginDatabase.cpp:
        (WebCore::PluginDatabase::findPlugin):
        * svg/SVGStopElement.cpp:
        (WebCore::SVGStopElement::parseAttribute):
        * svg/animation/SVGSMILElement.cpp:
        (WebCore::SVGSMILElement::parseOffsetValue):
        (WebCore::SVGSMILElement::parseCondition):

2012-04-30  Abhishek Arya  <inferno@chromium.org>

        Remove positioned float code.
        https://bugs.webkit.org/show_bug.cgi?id=84795

        Reviewed by Dan Bernstein.

        Backout r92004 and some pieces from r91702.

        Test: fast/block/float/positioned-float-crash.html

        * css/CSSParser.cpp:
        (WebCore::isValidKeywordPropertyAndValue):
        * css/CSSPrimitiveValueMappings.h:
        (WebCore::CSSPrimitiveValue::CSSPrimitiveValue):
        (WebCore::CSSPrimitiveValue::operator EFloat):
        * css/CSSValueKeywords.in:
        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::RenderBlock):
        (WebCore::RenderBlock::layoutBlock):
        (WebCore::RenderBlock::addOverflowFromFloats):
        (WebCore::RenderBlock::layoutBlockChild):
        (WebCore::RenderBlock::simplifiedLayout):
        (WebCore::RenderBlock::layoutPositionedObjects):
        (WebCore::RenderBlock::insertFloatingObject):
        (WebCore::RenderBlock::positionNewFloats):
        (WebCore::RenderBlock::clearFloats):
        (WebCore::RenderBlock::FloatingObjects::clear):
        (WebCore::RenderBlock::FloatingObjects::increaseObjectsCount):
        (WebCore::RenderBlock::FloatingObjects::decreaseObjectsCount):
        * rendering/RenderBlock.h:
        (RenderBlock):
        (WebCore::RenderBlock::forceLayoutInlineChildren):
        (FloatingObject):
        (WebCore::RenderBlock::FloatingObject::FloatingObject):
        (WebCore::RenderBlock::hasOverhangingFloats):
        (WebCore::RenderBlock::FloatingObjects::FloatingObjects):
        (FloatingObjects):
        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::updateBoxModelInfoFromStyle):
        * rendering/RenderDeprecatedFlexibleBox.cpp:
        (WebCore::RenderDeprecatedFlexibleBox::layoutBlock):
        * rendering/RenderDeprecatedFlexibleBox.h:
        (RenderDeprecatedFlexibleBox):
        * rendering/RenderFlexibleBox.cpp:
        (WebCore::RenderFlexibleBox::layoutBlock):
        * rendering/RenderFlexibleBox.h:
        (RenderFlexibleBox):
        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::updateScrollbarsAfterLayout):
        * rendering/style/RenderStyleConstants.h:

2012-04-29  Sam Weinig  <sam@webkit.org>

        Remove BlobBuilder
        https://bugs.webkit.org/show_bug.cgi?id=84036

        Reviewed by Anders Carlsson.

        * GNUmakefile.am:
        * fileapi/WebKitBlobBuilder.idl:
        * page/DOMWindow.idl:
        * workers/WorkerContext.idl:
        Make exposing the WebKitBlobBuilder JS object conditional on a new
        ENABLE_LEGACY_WEBKIT_BLOB_BUILDER flag. Don't enable this for the Mac,
        but do for everyone else.

2012-04-30  Anders Carlsson  <andersca@apple.com>

        Add a barrier-style dispatch member function to ScrollingThread
        https://bugs.webkit.org/show_bug.cgi?id=85228

        Reviewed by Sam Weinig.

        Add a ScrollingThread::dispatchBarrier function which takes a WTF::Function and dispatches it to the main thread
        once all the currently scheduled scrolling thread functions have run. This is to be used for synchronization between the
        scrolling thread and the main thread.

        * page/scrolling/ScrollingThread.cpp:
        (WebCore::callFunctionOnMainThread):
        (WebCore):
        (WebCore::ScrollingThread::dispatchBarrier):
        * page/scrolling/ScrollingThread.h:
        (ScrollingThread):

2012-04-30  Min Qin  <qinmin@google.com>

        Expose a flag so that fullscreen video on android can work with FULLSCREEN_API
        https://bugs.webkit.org/show_bug.cgi?id=84414

        Reviewed by Darin Fisher.

        No tests, just exposing the flag, and will be used by android later.
        Sorry, there is a merge error during the previous commit, resolved now

        * platform/graphics/MediaPlayer.cpp:
        (WebCore::MediaPlayer::setControls):
        (WebCore):
        (WebCore::MediaPlayer::enterFullscreen):
        (WebCore::MediaPlayer::exitFullscreen):
        * platform/graphics/MediaPlayer.h:
        (MediaPlayer):
        * platform/graphics/MediaPlayerPrivate.h:
        (MediaPlayerPrivateInterface):
        (WebCore::MediaPlayerPrivateInterface::enterFullscreen):

2012-04-30  Nate Chapin  <japhet@chromium.org>

        Move more of committing and starting to write a Document
        to DocumentLoader.
        https://bugs.webkit.org/show_bug.cgi?id=83908

        Reviewed by Adam Barth.

        No new tests, refactor only.

        * loader/DocumentLoader.cpp:
        (WebCore::DocumentLoader::commitIfReady): Ignore m_gotFirstByte here, since
            it was always true here anyway.
        (WebCore::DocumentLoader::finishedLoading): If we are finishing an empty
            document, create the document now, so that FrameLoaderClient doesn't
            have to do it later (FrameLoaderClient code will be removed in a later
            patch).
        (WebCore::DocumentLoader::commitData): Call receivedFirstData() directly and
            do some work receivedFirstData() used to do, setEncoding() only once per
            load.
        (WebCore::DocumentLoader::receivedData):
        (WebCore::DocumentLoader::maybeCreateArchive):
        * loader/DocumentLoader.h:
        * loader/DocumentWriter.cpp:
        (WebCore::DocumentWriter::setEncoding):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::receivedFirstData): Move DocumentLoader calls
            to DocumentLoader.
        * loader/FrameLoader.h: Remove m_hasReceivedFirstData and willSetEncoding(),
            allow hasReceivedData() to be called directly.
        (FrameLoader):

2012-04-30  Kentaro Hara  <haraken@chromium.org>

        Unreviewed. Fix test crashes in Win/Linux debug builds.

        * bindings/v8/V8LazyEventListener.cpp:
        (WebCore::V8LazyEventListener::V8LazyEventListener):
        (WebCore::V8LazyEventListener::prepareListenerObject):
        * bindings/v8/V8LazyEventListener.h:
        (V8LazyEventListener):

2012-04-30  Tommy Widenflycht  <tommyw@google.com>

        MediaStream API: Change LocalMediaStream::stop to be synchronous
        https://bugs.webkit.org/show_bug.cgi?id=84942

        Reviewed by Dimitri Glazkov.

        Since I changed LocalMediaStream to be an ActiveDOMObject recently the stop()
        behaviour needs to change since it is no longer a good idea to start a timer when called.

        Not possible to write a test for this.

        * Modules/mediastream/LocalMediaStream.cpp:
        (WebCore::LocalMediaStream::LocalMediaStream):
        (WebCore::LocalMediaStream::stop):
        * Modules/mediastream/LocalMediaStream.h:
        (LocalMediaStream):

2012-04-28  Emil A Eklund  <eae@chromium.org> and Levi Weintraub  <leviw@chromium.org>

        Add ENABLE_SUBPIXEL_LAYOUT controlling FractionalLayoutUnit denominator
        https://bugs.webkit.org/show_bug.cgi?id=85146

        Reviewed by Eric Seidel.

        Add a new flag for controlling the fixed point denominator in
        FractionalLayoutUnit. Controls whether the denominator is set to 60 or 1.
        Until we change the LayoutUnit typedef this change will have no effect.

        No new tests, no change in functionality.

        * platform/FractionalLayoutUnit.h:
        (WebCore):
        (WebCore::FractionalLayoutUnit::operator++):
        (WebCore::operator/):
        (WebCore::operator+):
        Add ++, / double and + double operators. These are needed when
        ENABLE_SUBPIXEL_LAYOUT is not enabled.
        
        * platform/graphics/FractionalLayoutRect.cpp:
        (WebCore::enclosingFractionalLayoutRect):

2012-04-30  Justin Schuh  <jschuh@chromium.org>

        loadOrRedirectSubframe should return the owner element's frame
        https://bugs.webkit.org/show_bug.cgi?id=84780

        Reviewed by Nate Chapin.

        Test: fast/loader/javascript-url-iframe-remove-on-navigate.html

        * loader/SubframeLoader.cpp:
        (WebCore::SubframeLoader::loadOrRedirectSubframe):

2012-04-30  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Use Vector<Attribute> directly instead of encapsulating it in AttributeVector
        https://bugs.webkit.org/show_bug.cgi?id=84413

        Reviewed by Andreas Kling.

        As commented in https://bugs.webkit.org/show_bug.cgi?id=79963#c16 we do not
        usually subclass basic types like Vector. This patch changes code to use
        Vector<Attribute> directly and move around the functionality of the former
        methods to more specific helper functions or inline code at the callers.

        * dom/Element.cpp:
        (WebCore::Element::parserSetAttributes):
        (WebCore::Element::normalizeAttributes):
        * dom/Element.h:
        (Element):
        * dom/ElementAttributeData.cpp:
        * dom/ElementAttributeData.h:
        (WebCore::findAttributeInVector):
        (WebCore::ElementAttributeData::getAttributeItem):
        (ElementAttributeData):
        (WebCore::ElementAttributeData::attributeVector):
        (WebCore::ElementAttributeData::clonedAttributeVector):
        (WebCore::ElementAttributeData::getAttributeItemIndex):
        (WebCore):
        * html/parser/HTMLConstructionSite.cpp:
        (WebCore::HTMLConstructionSite::createHTMLElementFromSavedElement):
        * html/parser/HTMLToken.h:
        (WebCore::AtomicHTMLToken::AtomicHTMLToken):
        * html/parser/HTMLTreeBuilder.cpp:
        (WebCore::HTMLTreeBuilder::processFakeStartTag):
        (WebCore::HTMLTreeBuilder::attributesForIsindexInput): Loop through the attributes
        backwards so we can remove items without affecting the rest of the loop run.
        * html/parser/HTMLTreeBuilder.h:
        * html/parser/TextDocumentParser.cpp:
        (WebCore::TextDocumentParser::insertFakePreElement):
        * xml/XMLErrors.cpp:
        (WebCore::createXHTMLParserErrorHeader):
        (WebCore::XMLErrors::insertErrorMessageBlock):
        * xml/parser/MarkupTokenBase.h:
        (WebCore::AtomicMarkupTokenBase::AtomicMarkupTokenBase):
        (WebCore::AtomicMarkupTokenBase::getAttributeItem):
        (WebCore::AtomicMarkupTokenBase::attributes):
        (AtomicMarkupTokenBase):
        (WebCore::::initializeAttributes):
        * xml/parser/XMLToken.h:
        (WebCore::AtomicXMLToken::AtomicXMLToken):

2012-04-30  Mark Pilgrim  <pilgrim@chromium.org>

        [Chromium] Remove PlatformSupport::loadPlatformAudioResource, call loadResource directly
        https://bugs.webkit.org/show_bug.cgi?id=85193

        Reviewed by Kentaro Hara.

        Part of a refactoring series. See tracking bug 82948.

        * platform/audio/chromium/AudioBusChromium.cpp:
        (WebCore::AudioBus::loadPlatformResource):
        * platform/chromium/PlatformSupport.h:
        (PlatformSupport):

2012-04-30  Mark Pilgrim  <pilgrim@chromium.org>

        [Chromium] Call defaultLocale directly
        https://bugs.webkit.org/show_bug.cgi?id=85192

        Reviewed by Kentaro Hara.

        Part of a refactoring series. See tracking bug 82948.

        * platform/chromium/LanguageChromium.cpp:
        (WebCore::platformLanguage):
        * platform/chromium/PlatformSupport.h:
        (PlatformSupport):

2012-04-30  Beth Dakin  <bdakin@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=82922
        border-image with image-set does not render correctly when viewed at 
        2x
        -and corresponding-
        <rdar://problem/11167820>

        Reviewed by Dan Bernstein.

        StyleImage::computeIntrinsicDimensions() is only called from one 
        place: RenderBoxModelObject::calculateIntrinsicDimensions(), and that 
        is only used for background images and border images. In my original 
        image-set work, I decided that 
        StyleCachedImageSet::computeIntrinsicDimensions() would compute 
        "intrinsic" dimensions, meaning that they would compute the dimensions 
        that the image resource was pretending to be rather than the actual 
        dimensions of the resource. I chose to do this because it made 
        background images work great without changing the call-site. But border 
        images need to know the actual intrinsic dimensions, so this design 
        decision (which was admittedly questionable from the start) won't 
        stick.
        
        This patch makes StyleImage::computeIntrinsicDimensions() return 
        actual intrinsic dimensions. Then the border-image and background-
        image code is very lightly patched to account for the image's scale 
        factor.

        These functions no longer need the scale factor parameter.
        * loader/cache/CachedImage.cpp:
        (WebCore::CachedImage::computeIntrinsicDimensions):
        * loader/cache/CachedImage.h:
        (CachedImage):
        * platform/graphics/GeneratedImage.h:
        (GeneratedImage):
        * platform/graphics/GeneratorGeneratedImage.cpp:
        (WebCore::GeneratedImage::computeIntrinsicDimensions):
        * platform/graphics/Image.cpp:
        (WebCore::Image::computeIntrinsicDimensions):
        * platform/graphics/Image.h:
        (Image):
        * platform/graphics/cg/PDFDocumentImage.cpp:
        (WebCore::PDFDocumentImage::computeIntrinsicDimensions):
        * platform/graphics/cg/PDFDocumentImage.h:
        (PDFDocumentImage):
        * svg/graphics/SVGImage.cpp:
        (WebCore::SVGImage::computeIntrinsicDimensions):
        * svg/graphics/SVGImage.h:
        (SVGImage):
        * rendering/style/StyleCachedImageSet.cpp:
        (WebCore::StyleCachedImageSet::computeIntrinsicDimensions):
        
        New function on StyleImage returns the image's scale factor. 
        * rendering/style/StyleCachedImageSet.h:
        (WebCore::StyleCachedImageSet::imageScaleFactor):
        * rendering/style/StyleImage.h:
        (WebCore::StyleImage::imageScaleFactor):

        Scale the intrinsic size of the background image down by the scale 
        factor.
        * rendering/RenderBoxModelObject.cpp:
        (WebCore::RenderBoxModelObject::calculateFillTileSize):
        
        Slices should be multiplied by the image's scale factor since they are 
        always expected to be specified in the 1x image's coordinate space.
        (WebCore::RenderBoxModelObject::paintNinePieceImage):

2012-04-30  Arko Saha  <arko@motorola.com>

        Remove custom bindings code in JSHTMLCollectionCustom.cpp for HTMLPropertiesCollection.
        https://bugs.webkit.org/show_bug.cgi?id=85172

        Reviewed by Kentaro Hara.

        Use [JSGenerateToJSObject] in HTMLPropertiesCollection.idl, so that it can generate toJS()
        in JSHTMLPropertiesCollection.cpp automatically.

        * bindings/js/JSHTMLCollectionCustom.cpp:
        (WebCore::toJS):
        * html/HTMLPropertiesCollection.idl:

2012-04-30  No'am Rosenthal  <noam.rosenthal@nokia.com>

        [Texmap] TextureMapperLayer uses intermediate surfaces too eagerly
        https://bugs.webkit.org/show_bug.cgi?id=85103

        Reviewed by Kenneth Rohde Christiansen.

        Instead of automatically using an intermediate surface for layers with opacity and
        children, we limit surface usage for layers with more than one child and for layers with
        one child and contents of its own.

        This prevents us from using intermediate surfaces in cases where a single layer with
        opacity has a single descendant with content, in which case normal blending can be used.

        Covered by existing compositing layout tests.

        * platform/graphics/texmap/TextureMapperLayer.cpp:
        (WebCore):
        * platform/graphics/texmap/TextureMapperLayer.h:

2012-04-30  Yi Shen  <yi.4.shen@nokia.com>

        Inserting a paragraph between quoted lines in editing/deleting/delete-4038408-fix.html doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=78193

        Reviewed by Ryosuke Niwa.

        When pasting a copied portion of a blockquote with a newline at the end into an unquoted area,
        the newline is inserted after the blockquote since we don't want it also to be quoted. However,
        this behavior has also applied when we insert a paragraph between quoted lines, which is incorrect.
        To figure out the right place to insert a paragraph, we need to provide more information to the
        InsertParagraphSeparatorCommand by introducing a boolean parameter "pasteBlockqutoeIntoUnquotedArea".

        Tests: editing/inserting/insert-paragraph-separator-in-blockquote.html
               editing/pasteboard/paste-wrapped-blockquote-into-nonblockquote.html

        * editing/CompositeEditCommand.cpp:
        (WebCore::CompositeEditCommand::insertParagraphSeparator):
        * editing/CompositeEditCommand.h:
        (CompositeEditCommand):
        * editing/InsertParagraphSeparatorCommand.cpp:
        (WebCore::InsertParagraphSeparatorCommand::InsertParagraphSeparatorCommand):
        (WebCore::InsertParagraphSeparatorCommand::doApply):
        * editing/InsertParagraphSeparatorCommand.h:
        (WebCore::InsertParagraphSeparatorCommand::create):
        (InsertParagraphSeparatorCommand):
        * editing/ReplaceSelectionCommand.cpp:
        (WebCore::ReplaceSelectionCommand::doApply):

2012-04-30  Antti Koivisto  <antti@apple.com>

        Protect current element in HTMLLinkElement::setCSSStyleSheet
        https://bugs.webkit.org/show_bug.cgi?id=85166

        Reviewed by Andreas Kling.
        
        Stylesheet loading can trigger script execution.
        
        Test: fast/css/cached-sheet-restore-crash.html

        * html/HTMLLinkElement.cpp:
        (WebCore::HTMLLinkElement::setCSSStyleSheet):

2012-04-29  Keishi Hattori  <keishi@webkit.org>

        Build fix for LocalizedDateMac.mm
        https://bugs.webkit.org/show_bug.cgi?id=85164

        Reviewed by Kent Tamura.

        * platform/text/mac/LocalizedDateMac.mm:
        (WebCore::monthLabels):

2012-04-29  Luke Macpherson  <macpherson@chromium.org>

        Initialize member variables in CSSParser's constructor.
        https://bugs.webkit.org/show_bug.cgi?id=84377

        Reviewed by Kentaro Hara.

        It is good practice not to leave member variables uninitialized. They make debugging more difficult by reducing
        repeatability, and in some cases lead to the possibility of information leakage occurring. This patch simply adds
        initialization of m_numParsedPropertiesBeforeMarginBox to CSSParser's constructor to INVALID_NUM_PARSED_PROPERTIES
        so that the initial state is the same as the state after the properties are cleared.

        No tests added because this is a code style fix, not an actual bug so long as the bison generated code calls
        startDeclarationsForMarginBox() and endDeclarationsForMarginBox() symmetrically. The lack of initialization was
        originally detected by Coverity.

        * css/CSSParser.cpp:
        (WebCore::CSSParser::CSSParser):

2012-04-29  Kent Tamura  <tkent@chromium.org>

        [Mac] Add LocalizedDateMac
        https://bugs.webkit.org/show_bug.cgi?id=85039

        Reviewed by Kentaro Hara.

        A date shown in <input type=date> should be formatted for user's OS
        settings. Chromium-Mac used LocalizedDateICU.cpp to format/parse visible
        date strings and it didn't reflect user-settings.

        Test: covered by fast/forms/date/date-appearance.html

        * WebCore.gyp/WebCore.gyp:
        Use LocalizedDateMac.mm for OS X instead of LocalizedDateICU.cpp.
        * WebCore.gypi: Add LocalizedDateMac.mm
        * platform/text/mac/LocalizedDateMac.mm: Added.
        (WebCore::createShortDateFormatter):
        Creates a NSDateFormatter with desired settings.
        (WebCore::parseLocalizedDate): Implement for type=date.
        (WebCore::formatLocalizedDate): ditto.
        (WebCore::isYearSymbol): A readability helper for format string parsing.
        (WebCore::isMonthSymbol): ditto.
        (WebCore::isDaySymbol): ditto.
        (WebCore::localizeDateFormat):
        Parse a format string, and replace symbols with user-friendly labels.
        (WebCore::localizedDateFormatText):
        Gets a format string, and applies localizeDateFormat().
        (WebCore::monthLabels): Obtain month names from the system.
        (WebCore::weekDayShortLabels): Obtain week day symbols from the system.
        (WebCore::firstDayOfWeek): Obtain first day of week from the system.
        * platform/text/ICULocale.cpp:
        (WebCore::createFallbackMonthLabels): Uses WTF::monthFullName.

2012-04-29  Sam Weinig  <sam@webkit.org>

        Add support for the Blob constructor (Part 2)
        https://bugs.webkit.org/show_bug.cgi?id=84555

        Address additional feedback on Blob construction.
        - Add exception when the dictionary is not an object.
        - Ensure the proper ordering of dictionary access. Tested via
          throwing exceptions in toString, and ensuring correct one is
          fired first.
        - Changed type of exception throw for invalid enumeration to a
          TypeError.

        Reviewed by Kentaro Hara.

        Updated fast/files/blob-constructor.html to be more comprehensive.

        * bindings/js/JSBlobCustom.cpp:
        (WebCore::JSBlobConstructor::constructJSBlob):
        * bindings/v8/custom/V8BlobCustom.cpp:
        (WebCore::V8Blob::constructorCallback):

2012-04-29  No'am Rosenthal  <noam.rosenthal@nokia.com>

        [Texmap] Leaves demo: wrong geometry when opacity animation kicks in
        https://bugs.webkit.org/show_bug.cgi?id=85096

        Reviewed by Kenneth Rohde Christiansen.

        We should use combined() instead of combinedForChildren() since we don't allow
        intermediate surfaces for preserves-3d. Also, we should apply the offset before
        multiplying the transforms, otherwise the transform-origin is incorrect.

        Covered by existing compositing tests.

        * platform/graphics/texmap/TextureMapperLayer.cpp:
        (WebCore::TextureMapperLayer::paintSelf):
        (WebCore::TextureMapperLayer::paintRecursive):

2012-04-29  Mark Pilgrim  <pilgrim@chromium.org>

        [Chromium] Call highUsageDeltaMB directly
        https://bugs.webkit.org/show_bug.cgi?id=84844

        Reviewed by Kentaro Hara.

        Part of a refactoring series. See tracking bug 82948.

        * bindings/v8/V8GCController.cpp:
        (WebCore::V8GCController::checkMemoryUsage):
        * platform/MemoryUsageSupport.cpp:
        (WebCore):
        (WebCore::MemoryUsageSupport::highUsageDeltaMB):
        * platform/MemoryUsageSupport.h:
        (MemoryUsageSupport):
        * platform/chromium/MemoryUsageSupportChromium.cpp:
        (WebCore::MemoryUsageSupport::highUsageDeltaMB):
        (WebCore):
        * platform/chromium/PlatformSupport.h:
        (PlatformSupport):

2012-04-29  Kentaro Hara  <haraken@chromium.org>

        REGRESSION(r113086): onresize event handler can be deleted in popup window
        https://bugs.webkit.org/show_bug.cgi?id=84908

        Reviewed by Ojan Vafai.

        In a nutshell, an onresize event handler in the popup window
        can be non-deterministically deleted. For more details, please
        look at Chromium issue 123642:
        http://code.google.com/p/chromium/issues/detail?id=123642

        I confirmed that this bug is the regression caused by r113086.

        r113086 introduced the following code:

        void V8LazyEventListener::prepareListenerObject(...) {
            if (hasExistingListenerObject())
                return;
            ...;
            // Since we only parse once, there's no need to keep data
            // used for parsing around anymore.
            m_functionName = String();
            m_code = String();
            m_eventParameterName = String();
            m_sourceURL = String();

            setListenerObject(wrappedFunction);
        }

        This is not correct. The parsing can be done more than once,
        and thus we cannot clear data. This patch removes the above code.

        Consider the following situation:

        (1) Assume '<body onresize="f()"></body>'.
        (2) prepareListenerObject() runs.
        (3) Since this is the first parsing, hasExistingListenerObject()
        returns false. After the parsing, the listener object is set
        by setListenerObject().
        (4) GC runs. Since there is no strong reference to the listener
        object, weakEventListenerCallback() is called back, and the listener
        object is disposed.
        (5) A resize event is triggered.
        (6) prepareListenerObject() is called again. Since the listener object
        is already disposed, hasExistingListenerObject() returns false,
        and the second parsing starts.

        In my investigation, the above situation is happening in the reported
        Chromium bug. Anyway, I am sure that potentially the parsing can be
        done more than once, and thus we must keep m_xxxx data.

        However, this is just a temporary fix. We should fix the code so that
        an alive event listener object is never reclaimed.
        See https://bugs.webkit.org/show_bug.cgi?id=85152 for more details.

        No tests: I tried hard to create a DRT test, but could not.
        The bug depends on the behavior of GC, and thus the reported bug is
        non-deterministic. For example, (as explained in the Chromium issue,)
        the bug does not happen if we load an HTML from network because
        the network latency hides the bug. Also the bug happens in the
        popup window only. If we open the reported HTML in the main window,
        we cannot reproduce the bug.

        * bindings/v8/V8LazyEventListener.cpp:
        (WebCore::V8LazyEventListener::prepareListenerObject):

2012-04-28  Sam Weinig  <sam@webkit.org>

        Smooth scrolling needs a new key
        <rdar://problem/11331632>

        Reviewed by Geoffrey Garen.

        * platform/mac/ScrollAnimatorMac.mm:
        (WebCore::scrollAnimationEnabledForSystem):
        (WebCore::ScrollAnimatorMac::scroll):
        Update for new key.

2012-04-28  Li Yin  <li.yin@intel.com>

        MessagePort must set m_closed to be true at the end of MessagePort::close function
        https://bugs.webkit.org/show_bug.cgi?id=85139

        In the function MessagePort::close, the "m_closed = true" must be executed at the end, not at the beginning.
        Or, the m_entangledChannel->close() will not be executed.
        And it resulted in the failure of MS benchmark messagechannel_close.htm.
        http://samples.msdn.microsoft.com/ietestcenter/WebWorkers/messagechannel_close.htm

        Reviewed by Kentaro Hara.

        Test: fast/events/message-port-close.html

        * dom/MessagePort.cpp:
        (WebCore::MessagePort::close):

2012-04-28  Sam Weinig  <sam@webkit.org>

        And again.

        * bindings/v8/custom/V8BlobCustom.cpp:
        (WebCore::V8Blob::constructorCallback):

2012-04-28  Sam Weinig  <sam@webkit.org>

        Once again, try to make these puppies work.

        * bindings/v8/custom/V8BlobCustom.cpp:

2012-04-28  Sam Weinig  <sam@webkit.org>

        Fix the Chromium build.

        * bindings/v8/custom/V8BlobCustom.cpp:
        (WebCore::V8Blob::constructorCallback):

2012-04-27  Sam Weinig  <sam@webkit.org>

        Add support for the Blob constructor
        https://bugs.webkit.org/show_bug.cgi?id=84555

        Reviewed by Maciej Stachowiak.

        Test: fast/files/blob-constructor.html

        This adds an implementation of the Blob constructor that willfully
        violates the W3C Editor’s Draft 29 February 2012 in the following ways:
        - Elements in the parts array are coerced to DOMStrings https://www.w3.org/Bugs/Public/show_bug.cgi?id=16721 
        - Don't throw for invalid key in the dictionary https://www.w3.org/Bugs/Public/show_bug.cgi?id=16727
        - Values for the endings property are treated as enums https://www.w3.org/Bugs/Public/show_bug.cgi?id=16729 

        * bindings/js/JSBlobCustom.cpp:
        (WebCore::JSBlobConstructor::constructJSBlob):
        Implement blob constructor.

        * bindings/v8/custom/V8BlobCustom.cpp:
        (WebCore::V8Blob::constructorCallback):
        Implement blob constructor.

        * fileapi/Blob.idl:
        Add constructor to IDL.

        * workers/WorkerContext.idl:
        Add Blob constructor to the worker global object.

2012-04-28  Igor Oliveira  <igor.o@sisa.samsung.com>

        Move PropertyWrapper out of the AnimationBase
        https://bugs.webkit.org/show_bug.cgi?id=84978

        Reviewed by Dean Jackson.

        AnimationBase is a complex class. It has a state machine and a bunch of
        property handlers. This patch moves the property handlers to a separate
        class making AnimationBase simpler.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * Target.pri:
        * WebCore.gypi:
        * WebCore.vcproj/WebCore.vcproj:
        * WebCore.xcodeproj/project.pbxproj:
        * page/animation/AnimationBase.cpp:
        * page/animation/AnimationBase.h:
        (AnimationBase):
        * page/animation/AnimationController.cpp:
        (WebCore::AnimationController::supportsAcceleratedAnimationOfProperty):
        * page/animation/CSSPropertyAnimation.cpp: Added.
        (WebCore):
        (WebCore::blendFunc):
        (WebCore::crossfadeBlend):
        (AnimationPropertyWrapperBase):
        (WebCore::AnimationPropertyWrapperBase::AnimationPropertyWrapperBase):
        (WebCore::AnimationPropertyWrapperBase::~AnimationPropertyWrapperBase):
        (WebCore::AnimationPropertyWrapperBase::isShorthandWrapper):
        (WebCore::AnimationPropertyWrapperBase::property):
        (WebCore::AnimationPropertyWrapperBase::animationIsAccelerated):
        (WebCore::addPropertyWrapper):
        (WebCore::wrapperForProperty):
        (PropertyWrapperGetter):
        (WebCore::PropertyWrapperGetter::PropertyWrapperGetter):
        (WebCore::PropertyWrapperGetter::equals):
        (PropertyWrapper):
        (WebCore::PropertyWrapper::PropertyWrapper):
        (WebCore::PropertyWrapper::blend):
        (RefCountedPropertyWrapper):
        (WebCore::RefCountedPropertyWrapper::RefCountedPropertyWrapper):
        (WebCore::RefCountedPropertyWrapper::blend):
        (StyleImagePropertyWrapper):
        (WebCore::StyleImagePropertyWrapper::StyleImagePropertyWrapper):
        (WebCore::StyleImagePropertyWrapper::equals):
        (PropertyWrapperColor):
        (WebCore::PropertyWrapperColor::PropertyWrapperColor):
        (WebCore::PropertyWrapperColor::blend):
        (PropertyWrapperAcceleratedOpacity):
        (WebCore::PropertyWrapperAcceleratedOpacity::PropertyWrapperAcceleratedOpacity):
        (WebCore::PropertyWrapperAcceleratedOpacity::animationIsAccelerated):
        (WebCore::PropertyWrapperAcceleratedOpacity::blend):
        (PropertyWrapperAcceleratedTransform):
        (WebCore::PropertyWrapperAcceleratedTransform::PropertyWrapperAcceleratedTransform):
        (WebCore::PropertyWrapperAcceleratedTransform::animationIsAccelerated):
        (WebCore::PropertyWrapperAcceleratedTransform::blend):
        (PropertyWrapperAcceleratedFilter):
        (WebCore::PropertyWrapperAcceleratedFilter::PropertyWrapperAcceleratedFilter):
        (WebCore::PropertyWrapperAcceleratedFilter::animationIsAccelerated):
        (WebCore::PropertyWrapperAcceleratedFilter::blend):
        (WebCore::shadowListLength):
        (WebCore::shadowForBlending):
        (PropertyWrapperShadow):
        (WebCore::PropertyWrapperShadow::PropertyWrapperShadow):
        (WebCore::PropertyWrapperShadow::equals):
        (WebCore::PropertyWrapperShadow::blend):
        (WebCore::PropertyWrapperShadow::blendSimpleOrMatchedShadowLists):
        (WebCore::PropertyWrapperShadow::blendMismatchedShadowLists):
        (PropertyWrapperMaybeInvalidColor):
        (WebCore::PropertyWrapperMaybeInvalidColor::PropertyWrapperMaybeInvalidColor):
        (WebCore::PropertyWrapperMaybeInvalidColor::equals):
        (WebCore::PropertyWrapperMaybeInvalidColor::blend):
        (PropertyWrapperVisitedAffectedColor):
        (WebCore::PropertyWrapperVisitedAffectedColor::PropertyWrapperVisitedAffectedColor):
        (WebCore::PropertyWrapperVisitedAffectedColor::equals):
        (WebCore::PropertyWrapperVisitedAffectedColor::blend):
        (FillLayerAnimationPropertyWrapperBase):
        (WebCore::FillLayerAnimationPropertyWrapperBase::FillLayerAnimationPropertyWrapperBase):
        (WebCore::FillLayerAnimationPropertyWrapperBase::~FillLayerAnimationPropertyWrapperBase):
        (FillLayerPropertyWrapperGetter):
        (WebCore::FillLayerPropertyWrapperGetter::FillLayerPropertyWrapperGetter):
        (WebCore::FillLayerPropertyWrapperGetter::equals):
        (FillLayerPropertyWrapper):
        (WebCore::FillLayerPropertyWrapper::FillLayerPropertyWrapper):
        (WebCore::FillLayerPropertyWrapper::blend):
        (FillLayerRefCountedPropertyWrapper):
        (WebCore::FillLayerRefCountedPropertyWrapper::FillLayerRefCountedPropertyWrapper):
        (WebCore::FillLayerRefCountedPropertyWrapper::blend):
        (FillLayerStyleImagePropertyWrapper):
        (WebCore::FillLayerStyleImagePropertyWrapper::FillLayerStyleImagePropertyWrapper):
        (WebCore::FillLayerStyleImagePropertyWrapper::equals):
        (FillLayersPropertyWrapper):
        (WebCore::FillLayersPropertyWrapper::FillLayersPropertyWrapper):
        (WebCore::FillLayersPropertyWrapper::equals):
        (WebCore::FillLayersPropertyWrapper::blend):
        (ShorthandPropertyWrapper):
        (WebCore::ShorthandPropertyWrapper::ShorthandPropertyWrapper):
        (WebCore::ShorthandPropertyWrapper::isShorthandWrapper):
        (WebCore::ShorthandPropertyWrapper::equals):
        (WebCore::ShorthandPropertyWrapper::blend):
        (WebCore::ShorthandPropertyWrapper::propertyWrappers):
        (PropertyWrapperFlex):
        (WebCore::PropertyWrapperFlex::PropertyWrapperFlex):
        (WebCore::PropertyWrapperFlex::equals):
        (WebCore::PropertyWrapperFlex::blend):
        (PropertyWrapperSVGPaint):
        (WebCore::PropertyWrapperSVGPaint::PropertyWrapperSVGPaint):
        (WebCore::PropertyWrapperSVGPaint::equals):
        (WebCore::PropertyWrapperSVGPaint::blend):
        (WebCore::addShorthandProperties):
        (WebCore::CSSPropertyAnimation::ensurePropertyMap):
        (WebCore::gatherEnclosingShorthandProperties):
        (WebCore::CSSPropertyAnimation::blendProperties):
        (WebCore::CSSPropertyAnimation::animationOfPropertyIsAccelerated):
        (WebCore::CSSPropertyAnimation::animatableShorthandsAffectingProperty):
        (WebCore::CSSPropertyAnimation::propertiesEqual):
        (WebCore::CSSPropertyAnimation::getPropertyAtIndex):
        (WebCore::CSSPropertyAnimation::getNumProperties):
        * page/animation/CSSPropertyAnimation.h: Added.
        (WebCore):
        (CSSPropertyAnimation):
        * page/animation/CompositeAnimation.cpp:
        (WebCore::CompositeAnimation::updateTransitions):
        (WebCore::CompositeAnimation::pauseTransitionAtTime):
        * page/animation/ImplicitAnimation.cpp:
        (WebCore::ImplicitAnimation::animate):
        (WebCore::ImplicitAnimation::getAnimatedStyle):
        (WebCore::ImplicitAnimation::isTargetPropertyEqual):
        (WebCore::ImplicitAnimation::blendPropertyValueInStyle):
        (WebCore::ImplicitAnimation::timeToNextService):
        * page/animation/KeyframeAnimation.cpp:
        (WebCore::KeyframeAnimation::animate):
        (WebCore::KeyframeAnimation::getAnimatedStyle):
        (WebCore::KeyframeAnimation::timeToNextService):
        * rendering/style/RenderStyle.h:

2012-04-28  Geoffrey Garen  <ggaren@apple.com>

        Clarified JSGlobalData (JavaScript VM) lifetime
        https://bugs.webkit.org/show_bug.cgi?id=85142

        Reviewed by Anders Carlsson.

        * bindings/js/WorkerScriptController.cpp:
        (WebCore::WorkerScriptController::~WorkerScriptController): Slightly 
        simpler than before. We can't just rely on our default destructor 
        because we need to hold the JSLock when we tear down the VM.

        * bridge/NP_jsobject.cpp:
        (_NPN_InvokeDefault):
        (_NPN_Invoke):
        (_NPN_Evaluate):
        (_NPN_Construct): Don't RefPtr<> the JSGlobalData because it makes it 
        seem like you know something the rest of our code doesn't know. The 
        plugin JSGlobalData is immortal, anyway.

        I also removed some timeout checker related code because that feature 
        doesn't work anymore, so it was effectively dead code.

2012-04-28  Ilya Tikhonovsky  <loislo@chromium.org>

        Web Inspector: InspectorFrontendHost.append has to be implemented for saving heap snapshots.
        https://bugs.webkit.org/show_bug.cgi?id=85137

        We can save a file with help of InspectorFrontendHost.save method,
        but it is suitable only for relatively small portions of data and
        can't process the 6Gb heap snapshot.
        These methods just pass the url and content into embedder.

        Reviewed by Yury Semikhatsky.

        * inspector/InspectorFrontendClient.h:
        (InspectorFrontendClient):
        * inspector/InspectorFrontendClientLocal.h:
        (WebCore::InspectorFrontendClientLocal::append):
        * inspector/InspectorFrontendHost.cpp:
        (WebCore::InspectorFrontendHost::append):
        (WebCore):
        * inspector/InspectorFrontendHost.h:
        (InspectorFrontendHost):
        * inspector/InspectorFrontendHost.idl:

2012-04-28  No'am Rosenthal  <noam.rosenthal@nokia.com>

        [Qt][Texmap] Error of cross-compiling webkit with Qt 4.8.1
        https://bugs.webkit.org/show_bug.cgi?id=84321

        Speculative build-fix for Qt 4.8.
        Use QGLContext for Qt 4.x instead of the platform-specific context.

        Reviewed by Simon Hausmann.

        No new tests, build fix.

        * platform/graphics/texmap/TextureMapperGL.cpp:
        (SharedGLData):
        (WebCore::TextureMapperGLData::SharedGLData::getCurrentGLContext):

2012-04-28  No'am Rosenthal  <noam.rosenthal@nokia.com>

        [Texmap] Falling leaves demo missing opacity fade out animation
        https://bugs.webkit.org/show_bug.cgi?id=83691

        Reviewed by Martin Robinson.

        The bug originated from clearing an intermediate surface with glClear while the scissor
        state was wrong.
        When using intermediate surfaces, maintain a clip-stack for each surface, rather than
        a single clip-stack for the whole scene. When a surface is bound, its clip stack should
        be applied.

        Covered by existing compositing tests.

        * platform/graphics/texmap/TextureMapperGL.cpp:
        (SharedGLData):
        (WebCore::TextureMapperGL::ClipStack::push):
        (WebCore):
        (WebCore::TextureMapperGL::ClipStack::pop):
        (WebCore::scissorClip):
        (WebCore::TextureMapperGL::ClipStack::apply):
        (WebCore::TextureMapperGL::clipStack):
        (WebCore::TextureMapperGL::beginPainting):
        (WebCore::TextureMapperGL::drawTexture):
        (WebCore::BitmapTextureGL::didReset):
        (WebCore::BitmapTextureGL::clearIfNeeded):
        (WebCore::BitmapTextureGL::createFboIfNeeded):
        (WebCore::BitmapTextureGL::bind):
        (WebCore::TextureMapperGL::bindDefaultSurface):
        (WebCore::TextureMapperGL::bindSurface):
        (WebCore::TextureMapperGL::beginScissorClip):
        (WebCore::TextureMapperGL::beginClip):
        (WebCore::TextureMapperGL::endClip):
        * platform/graphics/texmap/TextureMapperGL.h:
        (TextureMapperGL):
        (ClipState):
        (WebCore::TextureMapperGL::ClipState::ClipState):
        (ClipStack):
        (WebCore::TextureMapperGL::ClipStack::current):
        (WebCore::TextureMapperGL::ClipStack::clear):
        (BitmapTextureGL):
        (WebCore::BitmapTextureGL::BitmapTextureGL):

2012-04-26  Emil A Eklund  <eae@chromium.org> and Levi Weintraub  <leviw@chromium.org>

        Move Length and CSS length computation to float
        https://bugs.webkit.org/show_bug.cgi?id=84801

        Reviewed by Eric Seidel.

        Change Length and CSS length computation to floating point. This gets us
        closer to the goal of supporting subpixel layout and improves precision
        for SVG which already uses floating point for its layout.

        This change makes computedStyle return fractional values for pixel values
        if a fraction is specified. It also changes the result of computations
        where two or more values with fractional precision. Prior to this change
        the result of Length(2.9) + Length(2.9) would be 4 as each value would be
        floored. With this change the result is 5 as the addition is done with
        floating point precision and then the result will be floored. Once we
        enable subpixel layout the resulting value in this example would be 5.8.

        Updated existing layout tests.

        * css/CSSComputedStyleDeclaration.cpp:
        (WebCore::zoomAdjustedPixelValue):
        * css/CSSPrimitiveValue.cpp:
        (WebCore::CSSPrimitiveValue::computeLength):
        * css/CSSPrimitiveValue.h:
        (WebCore):
        (WebCore::roundForImpreciseConversion):
        Add specialized float version of roundForImpreciseConversion that matches
        the int versions rounding logic.
        
        If a value is sufficiently close to the next integer round it up to
        ensure that a style rule such as "width: 4.999px" evaluates to 5px
        instead of 4px. This is needed as, although Lengths are using floating
        point, the layout system still uses integer precision and floors the
        Length values.
        This will change once we move to FractionalLayoutUnits but for now this
        is needed to ensure compatibility with the existing system and tests.
        
        Without this specialized rounding logic we fail a handful of tests
        including acid3.
        
        * platform/Length.h:
        (WebCore::Length::value):
        (Length):
        (WebCore::Length::intValue):
        * rendering/RenderTableCell.cpp:
        (WebCore::RenderTableCell::styleOrColLogicalWidth):

2012-04-28  Alexander Pavlov  <apavlov@chromium.org>

        Web Inspector: Enable touch events feature fails touch feature detection
        https://bugs.webkit.org/show_bug.cgi?id=84397

        Whenever the touch emulation is enabled, Inspector adds a script to evaluate on load,
        that adds ontouch(start|end|move|cancel) properties to window.__proto__ and document.__proto__.

        Reviewed by Pavel Feldman.

        * inspector/front-end/DOMAgent.js:
        (WebInspector.DOMAgent.prototype._emulateTouchEventsChanged.get if):
        (WebInspector.DOMAgent.prototype._emulateTouchEventsChanged.scriptAddedCallback):
        (WebInspector.DOMAgent.prototype._emulateTouchEventsChanged):
        * inspector/front-end/inspector.js:

2012-04-28  Eugene Klyuchnikov  <eustas.bug@gmail.com>

        Web Inspector: Shortcuts screen UI polish
        https://bugs.webkit.org/show_bug.cgi?id=84708

          1) remove inconsistent shadow;
          2) reduce border radius;
          3) vertically center the “X” button;
          4) replace unreadable symbolic shortcuts with text;
          5) gaps / colors / opacity adjustments;
          6) section-to-column distribution algorithm is replaced with a fair one.

        Reviewed by Pavel Feldman.

        This is a UI polishing patch, so no new tests added.

        * English.lproj/localizedStrings.js: added keyboard arrow keys items
        * inspector/front-end/KeyboardShortcut.js: replace unreadable symbolic shortcuts with text
        * inspector/front-end/ShortcutsScreen.js:
        (WebInspector.ShortcutsScreen):
        (WebInspector.ShortcutsScreen.prototype.show): remove redundant parameter
        (WebInspector.ShortcutsScreen.prototype._buildTable): change section distributing algorithm
        (WebInspector.ShortcutsSection.prototype.renderSection): render colon with margins
        (WebInspector.ShortcutsSection.prototype._renderHeader): apply classname to th elements
        * inspector/front-end/helpScreen.css:
        (.help-window-main): reduce radius, remove shadow; tune color and opacity
        (.help-window-caption): fix spacing; add ruler
        (.help-window-title): fix spacing; remove ruler
        (.help-content): fix spacing
        (.help-close-button): fix spacing; adjust background color
        (.help-column-table): fix spacing
        (.help-table > tr > th): fix color
        (.help-key): fix color
        (.help-combine-keys, .help-key-delimiter): extract common style
        (.help-combine-keys): remove dupe
        (.help-section-title): add space between sections

2012-04-28  Noel Gordon  <noel.gordon@gmail.com>

        Remove PlatformTouchPointQt.cpp PlatformTouchEventQt.cpp from the gyp projects
        https://bugs.webkit.org/show_bug.cgi?id=85132

        Unreviewed VS2010 gyp project generation fix.

        PlatformTouchPointQt.cpp and PlatformTouchEventQt.cpp were removed in r115312,
        so remove them from the gyp projects.

        * WebCore.gypi:

2012-04-28  Nikolas Zimmermann  <nzimmermann@rim.com>

        <animateTransform type="scale"> should use '0' as effective from value not '1', if no base value is specified and from is not given
        https://bugs.webkit.org/show_bug.cgi?id=85133

        It should start from scale=0. I had that fixed before, but it got lost during merging. Restore the fix.
        See bug 85051, for more context why this is correct.

        Tests: svg/animations/animateTransform-by-scale-1-expected.svg
               svg/animations/animateTransform-by-scale-1.svg

        * svg/SVGAnimatedTransformList.cpp:
        (WebCore::SVGAnimatedTransformListAnimator::calculateAnimatedValue):

2012-04-28  Nikolas Zimmermann  <nzimmermann@rim.com>

        SVGAnimateColorElement doesn't support by/to animations properly
        https://bugs.webkit.org/show_bug.cgi?id=36704

        Reviewed by Antti Koivisto.

        Switch AnimatedColorAnimator to use the standard animateAdditiveNumber() method, taking progress & repeatCount into account.
        This gives us accumulation/repeatCount support for free.

        We just animate the four color components on their own now and clamp once at the end after addition/accumulation finished.
        Import <animateColor> tests from Dr. Olaf Hoffmann's SVG Animation test suite, which all pass now.

        While I was at it, remove the includeSMILProperties boolean from computeCSSPropertyValue - we always use the computed style
        without SMIL effects included, whenever we want to retrieve the "base value", or handle "inherit/currentColor".

        Tests: svg/animations/animateColor-additive-2a-expected.svg
               svg/animations/animateColor-additive-2a.svg
               svg/animations/animateColor-additive-2b-expected.svg
               svg/animations/animateColor-additive-2b.svg
               svg/animations/animateColor-additive-2c-expected.svg
               svg/animations/animateColor-additive-2c.svg
               svg/animations/animateColor-additive-2d-expected.svg
               svg/animations/animateColor-additive-2d.svg

        * svg/ColorDistance.cpp:
        (WebCore::ColorDistance::clampColor):
        (WebCore::ColorDistance::addColors):
        (WebCore::ColorDistance::addToColor):
        * svg/ColorDistance.h:
        (ColorDistance):
        * svg/SVGAnimateElement.cpp:
        (WebCore::SVGAnimateElement::resetToBaseValue):
        * svg/SVGAnimatedColor.cpp:
        (WebCore::SVGAnimatedColorAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedColorAnimator::calculateAnimatedValue):
        * svg/SVGAnimationElement.cpp:
        (WebCore::SVGAnimationElement::computeCSSPropertyValue):
        (WebCore::SVGAnimationElement::adjustForInheritance):
        * svg/SVGAnimationElement.h:
        (SVGAnimationElement):

2012-04-28  Nikolas Zimmermann  <nzimmermann@rim.com>

        Not reviewed. Fix Qt build -- I was too quick.

        * rendering/svg/SVGPathData.cpp: Add back Path.h include.

2012-04-28  Nikolas Zimmermann  <nzimmermann@rim.com>

        Rename SVGPathParserFactory to SVGPathUtilities and remove the obsolete singleton
        https://bugs.webkit.org/show_bug.cgi?id=85129

        SVGPathParserFactory implements the singleton pattern, but stores no members.
        Remove the singleton and move all functions to free-functions into SVGPathUtilities.h.

        Makes the code easier to read - doesn't affect any tests.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * Target.pri:
        * WebCore.gypi:
        * WebCore.vcproj/WebCore.vcproj:
        * WebCore.xcodeproj/project.pbxproj:
        * rendering/svg/SVGPathData.cpp:
        (WebCore::updatePathFromPathElement):
        * rendering/svg/SVGRenderTreeAsText.cpp:
        (WebCore::operator<<):
        * svg/SVGAllInOne.cpp:
        * svg/SVGAnimateMotionElement.cpp:
        (WebCore::SVGAnimateMotionElement::parseAttribute):
        * svg/SVGAnimatedPath.cpp:
        (WebCore::SVGAnimatedPathAnimator::constructFromString):
        (WebCore::SVGAnimatedPathAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedPathAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedPathAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedPathAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedType.cpp:
        * svg/SVGGlyphElement.cpp:
        (WebCore::SVGGlyphElement::buildGenericGlyphIdentifier):
        * svg/SVGPathBlender.cpp: Fix typo s/;;/;/
        * svg/SVGPathElement.cpp:
        (WebCore::SVGPathElement::getTotalLength):
        (WebCore::SVGPathElement::getPointAtLength):
        (WebCore::SVGPathElement::getPathSegAtLength):
        (WebCore::SVGPathElement::parseAttribute):
        (WebCore::SVGPathElement::svgAttributeChanged):
        (WebCore::SVGPathElement::lookupOrCreateDWrapper):
        (WebCore::SVGPathElement::pathSegListChanged):
        * svg/SVGPathParserFactory.h: Removed.
        * svg/SVGPathSegList.cpp:
        (WebCore::SVGPathSegList::valueAsString):
        * svg/SVGPathUtilities.cpp: Renamed from Source/WebCore/svg/SVGPathParserFactory.cpp.
        (WebCore):
        (WebCore::globalSVGPathBuilder):
        (WebCore::globalSVGPathSegListBuilder):
        (WebCore::globalSVGPathByteStreamBuilder):
        (WebCore::globalSVGPathStringBuilder):
        (WebCore::globalSVGPathTraversalStateBuilder):
        (WebCore::globalSVGPathParser):
        (WebCore::globalSVGPathBlender):
        (WebCore::buildPathFromString):
        (WebCore::buildSVGPathByteStreamFromSVGPathSegList):
        (WebCore::buildPathFromByteStream):
        (WebCore::buildSVGPathSegListFromByteStream):
        (WebCore::buildStringFromByteStream):
        (WebCore::buildStringFromSVGPathSegList):
        (WebCore::buildSVGPathByteStreamFromString):
        (WebCore::buildAnimatedSVGPathByteStream):
        (WebCore::addToSVGPathByteStream):
        (WebCore::getSVGPathSegAtLengthFromSVGPathByteStream):
        (WebCore::getTotalLengthOfSVGPathByteStream):
        (WebCore::getPointAtLengthOfSVGPathByteStream):
        * svg/SVGPathUtilities.h: Added.
        (WebCore):
        * svg/properties/SVGAnimatedPathSegListPropertyTearOff.h:
        (WebCore::SVGAnimatedPathSegListPropertyTearOff::animValDidChange):

2012-04-28  Nikolas Zimmermann  <nzimmermann@rim.com>

        Fix repetitions & by animation support for path animations
        https://bugs.webkit.org/show_bug.cgi?id=85071

        Rubber-stamped by Antti Koivisto.

        Cleanup SVGPathBlender, to make it more readable.

        * svg/SVGPathBlender.cpp:
        (WebCore::SVGPathBlender::blendLineToHorizontalSegment):
        (WebCore::SVGPathBlender::blendLineToVerticalSegment):
        (WebCore::SVGPathBlender::blendArcToSegment):
        (WebCore::SVGPathBlender::blendAnimatedPath):

2012-04-28  Yury Semikhatsky  <yurys@chromium.org>

        Unreviewed. Qt build fix: added new exported symbols.

        * WebCore.exp.in:

2012-04-28  Yury Semikhatsky  <yurys@chromium.org>

        Unreviewed. Fix Qt minimal build after r115553.

        * inspector/InspectorConsoleAgent.h:

2012-04-27  Nikolas Zimmermann  <nzimmermann@rim.com>

        Fix repetitions & by animation support for path animations
        https://bugs.webkit.org/show_bug.cgi?id=85071

        Reviewed by Antti Koivisto.

        Implement additive="sum" / by-animation support for path animations, eg.
        <path d="M 10 10 L 10 100 Z">
            <animate attributeName="d" begin="0s" dur="4s" by="M 0 0 L 90 0 Z"/>
        </path>

        animates the d attribute to "M 10 10 L 100 100 0 Z".

        Now only <animateColor> and <animateMotion> are left to be fixed, all other types are working as expected now in all additive/accumulate/from-by/by/from-to animations.

        Tests: svg/animations/path-animation-expected.svg
               svg/animations/repeating-path-animation-expected.svg
               svg/animations/repeating-path-animation.svg

        * svg/SVGAnimatedPath.cpp:
        (WebCore::SVGAnimatedPathAnimator::addAnimatedTypes): Implemented, to support by-animations, instead of falling back to to-animations.
        (WebCore::SVGAnimatedPathAnimator::calculateAnimatedValue): Handle repetitions, accumulation & addition.
        * svg/SVGPathBlender.cpp: Allow empty from source everywhere, use default values if no from value is specified, needed for by-animations.
        (WebCore::SVGPathBlender::SVGPathBlender):
        (WebCore::SVGPathBlender::blendAnimatedDimensonalFloat):
        (WebCore::SVGPathBlender::blendAnimatedFloatPoint):
        (WebCore::SVGPathBlender::blendMoveToSegment):
        (WebCore::SVGPathBlender::blendLineToSegment):
        (WebCore::SVGPathBlender::blendLineToHorizontalSegment):
        (WebCore::SVGPathBlender::blendLineToVerticalSegment):
        (WebCore::SVGPathBlender::blendCurveToCubicSegment):
        (WebCore::SVGPathBlender::blendCurveToCubicSmoothSegment):
        (WebCore::SVGPathBlender::blendCurveToQuadraticSegment):
        (WebCore::SVGPathBlender::blendCurveToQuadraticSmoothSegment):
        (WebCore::SVGPathBlender::blendArcToSegment):
        (WebCore::SVGPathBlender::addAnimatedPath):
        (WebCore::SVGPathBlender::blendAnimatedPath):
        * svg/SVGPathBlender.h: Add new addAnimatedPath function.
        (SVGPathBlender):
        * svg/SVGPathByteStream.h:
        (SVGPathByteStream): Make SVGPathByteStreams copyable, needed for SVGAnimatedPathAnimator.
        (WebCore::SVGPathByteStream::size): Returns size of the SVGPathByteStream.
        * svg/SVGPathParserFactory.cpp:
        (WebCore::SVGPathParserFactory::buildAnimatedSVGPathByteStream): Allow empty from streams, needed for by animations. 
        (WebCore::SVGPathParserFactory::addToSVGPathByteStream): Add 'byStream' 'repeatCount' times to 'toStream'. Both streams must match in size.
        * svg/SVGPathParserFactory.h: Add new addToSVGPathByteStream function.
        * svg/SVGPointList.cpp: Remove dead code.
        * svg/SVGPointList.h: Ditto.
        (SVGPointList):

2012-04-28  Nikolas Zimmermann  <nzimmermann@rim.com>

        SVGAnimateMotion does not handle accumulation
        https://bugs.webkit.org/show_bug.cgi?id=18564

        Reviewed by Antti Koivisto.

        Implement accumulation for <animateMotion>. Add lots of new
        reftests, verifying additive/accumulate behavior is correct.

        Tests: svg/animations/animateMotion-additive-1-expected.svg
               svg/animations/animateMotion-additive-1.svg
               svg/animations/animateMotion-additive-2a-expected.svg
               svg/animations/animateMotion-additive-2a.svg
               svg/animations/animateMotion-additive-2b-expected.svg
               svg/animations/animateMotion-additive-2b.svg
               svg/animations/animateMotion-additive-2c-expected.svg
               svg/animations/animateMotion-additive-2c.svg
               svg/animations/animateMotion-additive-2d-expected.svg
               svg/animations/animateMotion-additive-2d.svg
               svg/animations/mozilla/animateMotion-by-1-expected.svg
               svg/animations/mozilla/animateMotion-by-1.svg
               svg/animations/mozilla/animateMotion-from-to-1-expected.svg
               svg/animations/mozilla/animateMotion-from-to-1.svg
               svg/animations/mozilla/animateMotion-indefinite-to-1-expected.svg
               svg/animations/mozilla/animateMotion-indefinite-to-1.svg
               svg/animations/mozilla/animateMotion-indefinite-to-2-expected.svg
               svg/animations/mozilla/animateMotion-indefinite-to-2.svg
               svg/animations/mozilla/animateMotion-mpath-pathLength-1-expected.svg
               svg/animations/mozilla/animateMotion-mpath-pathLength-1.svg
               svg/animations/mozilla/animateMotion-mpath-targetChange-1-expected.svg
               svg/animations/mozilla/animateMotion-mpath-targetChange-1.svg
               svg/animations/mozilla/animateMotion-to-overridden-1-expected.svg
               svg/animations/mozilla/animateMotion-to-overridden-1.svg

        * svg/SVGAnimateMotionElement.cpp:
        (WebCore::SVGAnimateMotionElement::SVGAnimateMotionElement):
        (WebCore::SVGAnimateMotionElement::buildTransformForProgress):
        (WebCore::SVGAnimateMotionElement::calculateAnimatedValue):
        * svg/SVGAnimateMotionElement.h:

2012-04-27  Yury Semikhatsky  <yurys@chromium.org>

        ScriptStateProtectedPtr should not keep a strong reference to the context
        https://bugs.webkit.org/show_bug.cgi?id=85009

        Delete console message arguments when DOMWindow where the messages were created
        is reset on its frame.

        Reviewed by Pavel Feldman.

        Test: http/tests/inspector-enabled/console-clear-arguments-on-frame-navigation.html

        * inspector/ConsoleMessage.cpp:
        (WebCore::ConsoleMessage::addToFrontend):
        (WebCore::ConsoleMessage::windowCleared):
        (WebCore::ConsoleMessage::argumentCount):
        (WebCore):
        * inspector/ConsoleMessage.h:
        (ConsoleMessage):
        * inspector/InspectorConsoleAgent.cpp:
        (WebCore::InspectorConsoleAgent::consoleMessageArgumentCounts):
        (WebCore):
        * inspector/InspectorConsoleAgent.h:
        (InspectorConsoleAgent):
        * page/Frame.cpp:
        (WebCore::Frame::clearDOMWindow):
        (WebCore::Frame::setDOMWindow):
        * testing/Internals.cpp:
        (WebCore):
        (WebCore::Internals::consoleMessageArgumentCounts):
        * testing/Internals.h:
        (Internals):
        * testing/Internals.idl:

2012-04-27  Jochen Eisinger  <jochen@chromium.org>

        Ensure that there's always a provisional document loader if the frame loader is in provisional state
        https://bugs.webkit.org/show_bug.cgi?id=83894

        Reviewed by Nate Chapin.

        We're still seeing crashes in the FrameLoader where the FrameLoader's
        state is "provisional" but there is no provisional document loader. I
        added code to update the FrameLoader's state every time the provisional
        document loader is cleared, and added checks that the FrameLoader's
        state can't be set to provisional without a provisional loader.

        If the crashes go away, or the newly added checks reveal the culprit,
        we should relax the checks to use ASSERT() instead of CRASH().

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::init):
        (WebCore::FrameLoader::setupForReplace):
        (WebCore::FrameLoader::stopAllLoaders):
        (WebCore::FrameLoader::clearProvisionalLoad):
        (WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy):
        (WebCore::FrameLoader::continueLoadAfterNavigationPolicy):

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Qt build.

        * bridge/qt/qt_runtime.cpp:
        (JSC::Bindings::QtRuntimeMethod::finishCreation):

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Made WeakSet::allocate() static and removed its JSGlobalData argument
        https://bugs.webkit.org/show_bug.cgi?id=85128

        Reviewed by Anders Carlsson.

        Mechanically removed JSGlobalData arguments from PassWeak<T> and Weak<T> allocation.

        * bindings/js/JSDOMBinding.cpp:
        (WebCore::jsStringSlowCase):
        * bindings/js/JSEventListener.h:
        (WebCore::JSEventListener::setWrapper):
        * bindings/js/JSNodeFilterCondition.cpp:
        (WebCore::JSNodeFilterCondition::JSNodeFilterCondition):
        * bindings/js/ScriptWrappable.h:
        (WebCore::ScriptWrappable::setWrapper):
        * bridge/jsc/BridgeJSC.cpp:
        (JSC::Bindings::Instance::createRuntimeObject):
        * bridge/qt/qt_runtime.cpp:
        (JSC::Bindings::QtRuntimeMethod::finishCreation):
        * bridge/runtime_root.cpp:
        (JSC::Bindings::RootObject::addRuntimeObject):

2012-04-27  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/11313710> Leaks under WebCore::CSSImageSetValue::cachedImageSet when running tests

        There was a reference cycle between CSSImageSetValue and StyleCachedImageSet via
        CSSImageSetValue::m_imageSet / StyleCachedImageSet::m_imageSetValue. Break the cycle
        by having StyleCachedImageSet hold a weak reference to the CSSImageSetValue rather
        than a strong reference.

        Reviewed by Geoff Garen.

        * rendering/style/StyleCachedImageSet.cpp:
        (WebCore::StyleCachedImageSet::StyleCachedImageSet):
        * rendering/style/StyleCachedImageSet.h:
        (StyleCachedImageSet):

2012-04-27  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/10346980> REGRESSION: Cannot enter text in Dashboard widget fields that have placeholder attribute

        Remove a dashboard backwards compatibility quirk that was in place to support an old version
        of the Stocks widget. It prevented the pointer-events property from being applied in Dashboard
        widgets, which caused -webkit-input-placeholder elements to eat mouse clicks rather than giving
        focus to the containing input elements. The offending widget has long since been fixed.

        Reviewed by Dan Bernstein.

        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::collectMatchingRulesForList):

2012-04-27  Dean Jackson  <dino@apple.com>

        Support reverse and alternate-reverse in CA animations
        https://bugs.webkit.org/show_bug.cgi?id=78041

        Reviewed by Beth Dakin.

        CoreAnimation does not natively support reverse and alternate-reverse
        animation directions so we need to flip the animation values (keyframe
        keys and timing functions) that we send to GraphicsLayerCA. Unfortunately
        this code adds a lot of conditionals because it isn't as simple as
        reversing the order of keys. You also now have a different alignment of
        timing functions to the reversed list.

        New tests to cover the two new directions, making sure the timing
        functions are correctly inverted, and exercising fill modes.

        Tests: animations/animation-direction-reverse-fill-mode-hardware.html
               animations/animation-direction-reverse-fill-mode.html
               animations/animation-direction-reverse-hardware-opacity.html
               animations/animation-direction-reverse-hardware.html
               animations/animation-direction-reverse-non-hardware.html
               animations/animation-direction-reverse-timing-functions-hardware.html
               animations/animation-direction-reverse-timing-functions.html

        * platform/graphics/ca/GraphicsLayerCA.cpp:
          Handle the previously unsupported animation directions, reversing
          the list of values and keytimes that would be used to create
          the CA Animation.
        (WebCore::GraphicsLayerCA::addAnimation):
          Do not create an animation if on Windows and using a reverse
          direction.
        (WebCore::GraphicsLayerCA::createFilterAnimationsFromKeyframes):
        (WebCore::GraphicsLayerCA::setupAnimation):
        (WebCore::GraphicsLayerCA::setAnimationEndpoints):
        (WebCore::GraphicsLayerCA::setAnimationKeyframes):
        (WebCore::GraphicsLayerCA::setTransformAnimationEndpoints):
        (WebCore::GraphicsLayerCA::setTransformAnimationKeyframes):
        (WebCore::GraphicsLayerCA::setFilterAnimationEndpoints):
        (WebCore::GraphicsLayerCA::setFilterAnimationKeyframes):
        * platform/graphics/ca/PlatformCAAnimation.h:
        (PlatformCAAnimation): Pass through a flag that tells the CA Animation
        that it should invert the timing functions.
        * platform/graphics/ca/mac/PlatformCAAnimationMac.mm:
        (toCAMediaTimingFunction): Add a parameter that will invert the timing
        function coefficients if necessary.
        (PlatformCAAnimation::setTimingFunction):
        (PlatformCAAnimation::setTimingFunctions):
        * platform/graphics/ca/win/PlatformCAAnimationWin.cpp:
        (toCACFTimingFunction):
          New unused parameter.

2012-04-27  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r115407.
        http://trac.webkit.org/changeset/115407
        https://bugs.webkit.org/show_bug.cgi?id=85126

        Caused heap use after free (Requested by keishi_ on #webkit).

        * html/HTMLFormControlElement.cpp:
        (WebCore::HTMLFormControlElement::HTMLFormControlElement):
        (WebCore::HTMLFormControlElement::updateFieldSetAndLegendAncestor):
        (WebCore::HTMLFormControlElement::insertedInto):
        (WebCore::HTMLFormControlElement::removedFrom):
        (WebCore::HTMLFormControlElement::disabled):
        (WebCore::HTMLFormControlElement::recalcWillValidate):
        (WebCore::HTMLFormControlElement::setNeedsWillValidateCheck):
        * html/HTMLFormControlElement.h:
        (HTMLFormControlElement):

2012-04-27  Kentaro Hara  <haraken@chromium.org>

        [JSC] Implement a helper method createNotEnoughArgumentsError()
        https://bugs.webkit.org/show_bug.cgi?id=85102

        Reviewed by Geoffrey Garen.

        In bug 84787, kbr@ requested to avoid hard-coding
        createTypeError(exec, "Not enough arguments") here and there.
        This patch implements createNotEnoughArgumentsError(exec)
        and uses it in JSC bindings.

        c.f. a corresponding bug for V8 bindings is bug 85097.

        Test: bindings/scripts/test/TestObj.idl

        * bindings/scripts/CodeGeneratorJS.pm: Modified as described above.
        (GenerateArgumentsCountCheck):

        * bindings/js/JSDataViewCustom.cpp: Ditto.
        (WebCore::getDataViewMember):
        (WebCore::setDataViewMember):
        * bindings/js/JSDeprecatedPeerConnectionCustom.cpp:
        (WebCore::JSDeprecatedPeerConnectionConstructor::constructJSDeprecatedPeerConnection):
        * bindings/js/JSDirectoryEntryCustom.cpp:
        (WebCore::JSDirectoryEntry::getFile):
        (WebCore::JSDirectoryEntry::getDirectory):
        * bindings/js/JSSharedWorkerCustom.cpp:
        (WebCore::JSSharedWorkerConstructor::constructJSSharedWorker):
        * bindings/js/JSWebKitMutationObserverCustom.cpp:
        (WebCore::JSWebKitMutationObserverConstructor::constructJSWebKitMutationObserver):
        (WebCore::JSWebKitMutationObserver::observe):
        * bindings/js/JSWorkerCustom.cpp:
        (WebCore::JSWorkerConstructor::constructJSWorker):

        * bindings/scripts/test/JS/JSFloat64Array.cpp: Updated run-bindings-tests.
        (WebCore::jsFloat64ArrayPrototypeFunctionFoo):
        * bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
        (WebCore::jsTestActiveDOMObjectPrototypeFunctionExcitingFunction):
        (WebCore::jsTestActiveDOMObjectPrototypeFunctionPostMessage):
        * bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
        (WebCore::jsTestCustomNamedGetterPrototypeFunctionAnotherFunction):
        * bindings/scripts/test/JS/JSTestEventTarget.cpp:
        (WebCore::jsTestEventTargetPrototypeFunctionItem):
        (WebCore::jsTestEventTargetPrototypeFunctionAddEventListener):
        (WebCore::jsTestEventTargetPrototypeFunctionRemoveEventListener):
        (WebCore::jsTestEventTargetPrototypeFunctionDispatchEvent):
        * bindings/scripts/test/JS/JSTestInterface.cpp:
        (WebCore::JSTestInterfaceConstructor::constructJSTestInterface):
        (WebCore::jsTestInterfacePrototypeFunctionSupplementalMethod2):
        * bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:
        (WebCore::jsTestMediaQueryListListenerPrototypeFunctionMethod):
        * bindings/scripts/test/JS/JSTestNamedConstructor.cpp:
        (WebCore::JSTestNamedConstructorNamedConstructor::constructJSTestNamedConstructor):
        * bindings/scripts/test/JS/JSTestObj.cpp:
        (WebCore::JSTestObjConstructor::constructJSTestObj):
        (WebCore::jsTestObjPrototypeFunctionVoidMethodWithArgs):
        (WebCore::jsTestObjPrototypeFunctionIntMethodWithArgs):
        (WebCore::jsTestObjPrototypeFunctionObjMethodWithArgs):
        (WebCore::jsTestObjPrototypeFunctionMethodWithSequenceArg):
        (WebCore::jsTestObjPrototypeFunctionMethodReturningSequence):
        (WebCore::jsTestObjPrototypeFunctionMethodThatRequiresAllArgsAndThrows):
        (WebCore::jsTestObjPrototypeFunctionSerializedValue):
        (WebCore::jsTestObjPrototypeFunctionIdbKey):
        (WebCore::jsTestObjPrototypeFunctionOptionsObject):
        (WebCore::jsTestObjPrototypeFunctionAddEventListener):
        (WebCore::jsTestObjPrototypeFunctionRemoveEventListener):
        (WebCore::jsTestObjPrototypeFunctionMethodWithNonOptionalArgAndOptionalArg):
        (WebCore::jsTestObjPrototypeFunctionMethodWithNonOptionalArgAndTwoOptionalArgs):
        (WebCore::jsTestObjPrototypeFunctionMethodWithCallbackArg):
        (WebCore::jsTestObjPrototypeFunctionMethodWithNonCallbackArgAndCallbackArg):
        (WebCore::jsTestObjPrototypeFunctionOverloadedMethod1):
        (WebCore::jsTestObjPrototypeFunctionOverloadedMethod2):
        (WebCore::jsTestObjPrototypeFunctionOverloadedMethod3):
        (WebCore::jsTestObjPrototypeFunctionOverloadedMethod4):
        (WebCore::jsTestObjPrototypeFunctionOverloadedMethod5):
        (WebCore::jsTestObjPrototypeFunctionOverloadedMethod6):
        (WebCore::jsTestObjPrototypeFunctionOverloadedMethod7):
        (WebCore::jsTestObjConstructorFunctionClassMethod2):
        (WebCore::jsTestObjConstructorFunctionOverloadedMethod11):
        (WebCore::jsTestObjConstructorFunctionOverloadedMethod12):
        (WebCore::jsTestObjPrototypeFunctionMethodWithUnsignedLongArray):
        (WebCore::jsTestObjPrototypeFunctionConvert1):
        (WebCore::jsTestObjPrototypeFunctionConvert2):
        (WebCore::jsTestObjPrototypeFunctionConvert3):
        (WebCore::jsTestObjPrototypeFunctionConvert4):
        (WebCore::jsTestObjPrototypeFunctionConvert5):
        (WebCore::jsTestObjPrototypeFunctionStrictFunction):
        * bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:
        (WebCore::JSTestSerializedScriptValueInterfaceConstructor::constructJSTestSerializedScriptValueInterface):
        (WebCore::jsTestSerializedScriptValueInterfacePrototypeFunctionAcceptTransferList):

2012-04-27  Mark Pilgrim  <pilgrim@chromium.org>

        [Chromium] Call highMemoryUsageMB directly
        https://bugs.webkit.org/show_bug.cgi?id=84841

        Reviewed by Kentaro Hara.

        Part of a refactoring series. See tracking bug 82948.

        * bindings/v8/V8GCController.cpp:
        (WebCore::V8GCController::checkMemoryUsage):
        * platform/MemoryUsageSupport.cpp:
        (WebCore::MemoryUsageSupport::highMemoryUsageMB):
        (WebCore):
        * platform/MemoryUsageSupport.h:
        (MemoryUsageSupport):
        * platform/chromium/MemoryUsageSupportChromium.cpp:
        (WebCore::MemoryUsageSupport::highMemoryUsageMB):
        (WebCore):
        * platform/chromium/PlatformSupport.h:
        (PlatformSupport):

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Only allow non-null pointers in the WeakSet
        https://bugs.webkit.org/show_bug.cgi?id=85119

        Reviewed by Darin Adler.

        * bridge/jsc/BridgeJSC.cpp:
        (JSC::Bindings::Instance::Instance): Don't allocate a WeakImpl just to
        store null. This was needless, and is now a compile error. Instead,
        rely on the default constructor, which will produce a cheap null.

2012-04-27  Kentaro Hara  <haraken@chromium.org>

        "Not enough arguments" error should be TypeError
        https://bugs.webkit.org/show_bug.cgi?id=84628

        Reviewed by Darin Adler.

        Currently, some custom bindings implement "Not enough arguments"
        error as SyntaxError. The Web IDL spec requires that it should be
        TypeError: http://www.w3.org/TR/WebIDL/#dfn-overload-resolution-algorithm
        Thus, this patch changes SyntaxError to TypeError.

        Tests: http/tests/websocket/tests/hixie76/url-parsing.html:
               http/tests/websocket/tests/hybi/url-parsing.html:
               http/tests/xmlhttprequest/exceptions.html:
               svg/dom/SVGLength.html:
               webaudio/audionode.html:

        * bindings/js/JSAudioContextCustom.cpp:
        (WebCore::JSAudioContextConstructor::constructJSAudioContext):
        * bindings/js/JSSVGLengthCustom.cpp:
        (WebCore::JSSVGLength::convertToSpecifiedUnits):
        * bindings/js/JSWebSocketCustom.cpp:
        (WebCore::JSWebSocketConstructor::constructJSWebSocket):
        (WebCore::JSWebSocket::send):
        * bindings/js/JSXMLHttpRequestCustom.cpp:
        (WebCore::JSXMLHttpRequest::open):
        * bindings/v8/custom/V8AudioContextCustom.cpp:
        (WebCore::V8AudioContext::constructorCallback):
        * bindings/v8/custom/V8SVGLengthCustom.cpp:
        (WebCore::V8SVGLength::convertToSpecifiedUnitsCallback):
        * bindings/v8/custom/V8WebSocketCustom.cpp:
        (WebCore::V8WebSocket::constructorCallback):
        (WebCore::V8WebSocket::sendCallback):
        * bindings/v8/custom/V8XMLHttpRequestCustom.cpp:
        (WebCore::V8XMLHttpRequest::openCallback):

2012-04-27  Kenneth Russell  <kbr@google.com>

        Remove SHADER_COMPILER constant
        https://bugs.webkit.org/show_bug.cgi?id=85115

        Reviewed by Darin Adler.

        Removed constant which was previously removed from spec. Updated
        layout test and expected results.

        * html/canvas/WebGLRenderingContext.idl:

2012-04-27  Arvid Nilsson  <anilsson@rim.com>

        [BlackBerry] Fixed background is scrolling in http://www.nieuwecode.nl
        https://bugs.webkit.org/show_bug.cgi?id=85109

        Reviewed by Antonio Gomes.

        Since the BlackBerry port uses very similar fixed position acceleration
        as the Qt WebKit2 port, the same fix that worked for them in bug 83980
        works for us.

        Fixed by opting in to the FIXED_POSITION_CREATES_STACKING_CONTEXT
        mechanism.

        Covered by existing manual test fixed-position-no-z-index.html.

        * css/StyleResolver.cpp:

2012-04-27  Nat Duca  <nduca@chromium.org>

        Expose high-resolution on requestAnimationFrame callback
        https://bugs.webkit.org/show_bug.cgi?id=66683

        This changes requestAnimationFrame's animationStartTime argument
        to be a high resolution DOM timestamp, per discussion here:
        http://lists.w3.org/Archives/Public/public-web-perf/2012Apr/0004.html

        Reviewed by James Robinson.

        Covered by existing requestAnimationFrame tests.

        * dom/Document.cpp:
        (WebCore::Document::serviceScriptedAnimations):
        * dom/Document.h:
        (Document):
        * dom/ScriptedAnimationController.cpp:
        (WebCore::ScriptedAnimationController::ScriptedAnimationController):
        (WebCore::ScriptedAnimationController::serviceScriptedAnimations):
        (WebCore):
        (WebCore::ScriptedAnimationController::windowScreenDidChange):
        (WebCore::ScriptedAnimationController::scheduleAnimation):
        (WebCore::ScriptedAnimationController::animationTimerFired):
        (WebCore::ScriptedAnimationController::displayRefreshFired):
        * dom/ScriptedAnimationController.h:
        (ScriptedAnimationController):
        * page/FrameView.cpp:
        (WebCore::FrameView::serviceScriptedAnimations):
        * page/FrameView.h:
        (FrameView):
        * platform/graphics/DisplayRefreshMonitor.cpp:
        (WebCore::DisplayRefreshMonitor::DisplayRefreshMonitor):
        (WebCore::DisplayRefreshMonitor::notifyClients):
        * platform/graphics/DisplayRefreshMonitor.h:
        (DisplayRefreshMonitor):
        * platform/graphics/blackberry/DisplayRefreshMonitorBlackBerry.cpp:
        (WebCore::DisplayRefreshMonitor::displayLinkFired):
        * platform/graphics/mac/DisplayRefreshMonitorMac.cpp:
        (WebCore):
        (WebCore::DisplayRefreshMonitor::requestRefreshCallback):
        (WebCore::DisplayRefreshMonitor::displayLinkFired):

2012-04-27  Kentaro Hara  <haraken@chromium.org>

        [V8] Implement a helper method V8Proxy::throwNotEnoughArgumentsError()
        https://bugs.webkit.org/show_bug.cgi?id=85097

        Reviewed by Kenneth Russell.

        In bug 84787, kbr requested to avoid hard-coding
        throwError("Not enough arguments", V8Proxy::TypeError) here and there.
        This patch implements V8Proxy::throwNotEnoughArgumentsError()
        and uses it in V8 bindings.

        No tests. No change in behavior.

        * bindings/scripts/CodeGeneratorV8.pm:
        (GenerateArgumentsCountCheck):
        (GenerateEventConstructorCallback):
        * bindings/v8/V8Proxy.cpp:
        (WebCore::V8Proxy::throwNotEnoughArgmentsError):
        (WebCore):
        * bindings/v8/V8Proxy.h:
        (V8Proxy):
        * bindings/v8/custom/V8DataViewCustom.cpp:
        (WebCore::V8DataView::getInt8Callback):
        (WebCore::V8DataView::getUint8Callback):
        (WebCore::V8DataView::setInt8Callback):
        (WebCore::V8DataView::setUint8Callback):
        * bindings/v8/custom/V8DirectoryEntryCustom.cpp:
        (WebCore::V8DirectoryEntry::getDirectoryCallback):
        (WebCore::V8DirectoryEntry::getFileCallback):
        * bindings/v8/custom/V8IntentConstructor.cpp:
        (WebCore::V8Intent::constructorCallback):
        * bindings/v8/custom/V8WebKitMutationObserverCustom.cpp:
        (WebCore::V8WebKitMutationObserver::constructorCallback):
        (WebCore::V8WebKitMutationObserver::observeCallback):

        Test: bindings/scripts/test/TestObj.idl

        * bindings/scripts/CodeGeneratorV8.pm: Modified as described above.
        (GenerateArgumentsCountCheck):
        (GenerateEventConstructorCallback):

        * bindings/v8/V8Proxy.cpp: Ditto.
        (WebCore::V8Proxy::throwNotEnoughArgumentsError):
        (WebCore):
        * bindings/v8/V8Proxy.h:
        (V8Proxy):
        * bindings/v8/custom/V8DataViewCustom.cpp:
        (WebCore::V8DataView::getInt8Callback):
        (WebCore::V8DataView::getUint8Callback):
        (WebCore::V8DataView::setInt8Callback):
        (WebCore::V8DataView::setUint8Callback):
        * bindings/v8/custom/V8DirectoryEntryCustom.cpp:
        (WebCore::V8DirectoryEntry::getDirectoryCallback):
        (WebCore::V8DirectoryEntry::getFileCallback):
        * bindings/v8/custom/V8IntentConstructor.cpp:
        (WebCore::V8Intent::constructorCallback):
        * bindings/v8/custom/V8WebKitMutationObserverCustom.cpp:
        (WebCore::V8WebKitMutationObserver::constructorCallback):
        (WebCore::V8WebKitMutationObserver::observeCallback):

        * bindings/scripts/test/V8/V8Float64Array.cpp: Updated run-bindings-tests.
        (WebCore::Float64ArrayV8Internal::fooCallback):
        * bindings/scripts/test/V8/V8TestActiveDOMObject.cpp:
        (WebCore::TestActiveDOMObjectV8Internal::excitingFunctionCallback):
        (WebCore::TestActiveDOMObjectV8Internal::postMessageCallback):
        * bindings/scripts/test/V8/V8TestCustomNamedGetter.cpp:
        (WebCore::TestCustomNamedGetterV8Internal::anotherFunctionCallback):
        * bindings/scripts/test/V8/V8TestEventConstructor.cpp:
        (WebCore::V8TestEventConstructor::constructorCallback):
        * bindings/scripts/test/V8/V8TestEventTarget.cpp:
        (WebCore::TestEventTargetV8Internal::itemCallback):
        (WebCore::TestEventTargetV8Internal::dispatchEventCallback):
        * bindings/scripts/test/V8/V8TestInterface.cpp:
        (WebCore::TestInterfaceV8Internal::supplementalMethod2Callback):
        (WebCore::V8TestInterface::constructorCallback):
        * bindings/scripts/test/V8/V8TestMediaQueryListListener.cpp:
        (WebCore::TestMediaQueryListListenerV8Internal::methodCallback):
        * bindings/scripts/test/V8/V8TestNamedConstructor.cpp:
        (WebCore::V8TestNamedConstructorConstructorCallback):
        * bindings/scripts/test/V8/V8TestObj.cpp:
        (WebCore::TestObjV8Internal::voidMethodWithArgsCallback):
        (WebCore::TestObjV8Internal::intMethodWithArgsCallback):
        (WebCore::TestObjV8Internal::objMethodWithArgsCallback):
        (WebCore::TestObjV8Internal::methodWithSequenceArgCallback):
        (WebCore::TestObjV8Internal::methodReturningSequenceCallback):
        (WebCore::TestObjV8Internal::methodThatRequiresAllArgsAndThrowsCallback):
        (WebCore::TestObjV8Internal::serializedValueCallback):
        (WebCore::TestObjV8Internal::idbKeyCallback):
        (WebCore::TestObjV8Internal::optionsObjectCallback):
        (WebCore::TestObjV8Internal::methodWithNonOptionalArgAndOptionalArgCallback):
        (WebCore::TestObjV8Internal::methodWithNonOptionalArgAndTwoOptionalArgsCallback):
        (WebCore::TestObjV8Internal::methodWithCallbackArgCallback):
        (WebCore::TestObjV8Internal::methodWithNonCallbackArgAndCallbackArgCallback):
        (WebCore::TestObjV8Internal::overloadedMethod1Callback):
        (WebCore::TestObjV8Internal::overloadedMethod2Callback):
        (WebCore::TestObjV8Internal::overloadedMethod3Callback):
        (WebCore::TestObjV8Internal::overloadedMethod4Callback):
        (WebCore::TestObjV8Internal::overloadedMethod5Callback):
        (WebCore::TestObjV8Internal::overloadedMethod6Callback):
        (WebCore::TestObjV8Internal::overloadedMethod7Callback):
        (WebCore::TestObjV8Internal::overloadedMethod11Callback):
        (WebCore::TestObjV8Internal::overloadedMethod12Callback):
        (WebCore::TestObjV8Internal::enabledAtRuntimeMethod1Callback):
        (WebCore::TestObjV8Internal::enabledAtRuntimeMethod2Callback):
        (WebCore::TestObjV8Internal::convert1Callback):
        (WebCore::TestObjV8Internal::convert2Callback):
        (WebCore::TestObjV8Internal::convert3Callback):
        (WebCore::TestObjV8Internal::convert4Callback):
        (WebCore::TestObjV8Internal::convert5Callback):
        (WebCore::TestObjV8Internal::strictFunctionCallback):
        (WebCore::V8TestObj::constructorCallback):
        * bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp:
        (WebCore::TestSerializedScriptValueInterfaceV8Internal::acceptTransferListCallback):
        (WebCore::V8TestSerializedScriptValueInterface::constructorCallback):

2012-04-27  Mark Pilgrim  <pilgrim@chromium.org>

        [Chromium] Call lowMemoryUsageMB directly
        https://bugs.webkit.org/show_bug.cgi?id=84840

        Reviewed by Kentaro Hara.

        Part of a refactoring series. See tracking bug 82948.

        * bindings/v8/V8GCController.cpp:
        (WebCore::V8GCController::checkMemoryUsage):
        * platform/MemoryUsageSupport.cpp:
        (WebCore::MemoryUsageSupport::lowMemoryUsageMB):
        (WebCore):
        * platform/MemoryUsageSupport.h:
        (MemoryUsageSupport):
        * platform/chromium/MemoryUsageSupportChromium.cpp:
        (WebCore::MemoryUsageSupport::lowMemoryUsageMB):
        (WebCore):
        * platform/chromium/PlatformSupport.h:
        (PlatformSupport):

2012-04-27  Yi Shen  <yi.4.shen@nokia.com>

        REGRESSION(113723): Pressing enter in this list example deletes the whole list
        https://bugs.webkit.org/show_bug.cgi?id=85016

        Reviewed by Enrica Casucci.

        The bug was caused by CompositeEditCommand::breakOutOfEmptyListItem, which calls isListItem
        on the empty list's siblings to decide which part of the list should get removed. However,
        the check fails when the empty list's sibling is a text node, or a list element (e.g. ul, ol).
        Fixed it by skipping the empty list's non-element sibling and calling isListElement to do a further
        check.

        Test: added new test cases in the existing test (break-out-of-empty-list-item.html)

        * editing/CompositeEditCommand.cpp:
        (WebCore::CompositeEditCommand::breakOutOfEmptyListItem):

2012-04-27  Ian Vollick  <vollick@chromium.org>

        [chromium] Add pause and resume support for accelerated css animations.
        https://bugs.webkit.org/show_bug.cgi?id=84601

        Reviewed by James Robinson.

        Tested in:
        CCLayerAnimationControllerTest.syncPauseResume
        CCActiveAnimationTest.TrimTimeTimeOffset
        CCActiveAnimationTest.TrimTimeSuspendResume
        CCActiveAnimationTest.IsFinishedNeedsSynchronizedStartTime
        CCActiveAnimationTest.RunStateChangesIgnoredWhileSuspended

        * platform/graphics/chromium/GraphicsLayerChromium.cpp:
        (WebCore::GraphicsLayerChromium::suspendAnimations):
        (WebCore::GraphicsLayerChromium::resumeAnimations):
        * platform/graphics/chromium/GraphicsLayerChromium.h:
        (GraphicsLayerChromium):
        * platform/graphics/chromium/LayerChromium.cpp:
        (WebCore::LayerChromium::suspendAnimations):
        (WebCore::LayerChromium::resumeAnimations):
        * platform/graphics/chromium/LayerChromium.h:
        (LayerChromium):
        * platform/graphics/chromium/cc/CCActiveAnimation.cpp:
        (WebCore::CCActiveAnimation::CCActiveAnimation):
        (WebCore::CCActiveAnimation::setRunState):
        (WebCore::CCActiveAnimation::suspend):
        (WebCore::CCActiveAnimation::resume):
        (WebCore::CCActiveAnimation::isFinishedAt):
        (WebCore::CCActiveAnimation::trimTimeToCurrentIteration):
        (WebCore::CCActiveAnimation::cloneForImplThread):
        (WebCore::CCActiveAnimation::pushPropertiesTo):
        * platform/graphics/chromium/cc/CCActiveAnimation.h:
        (CCActiveAnimation):
        (WebCore::CCActiveAnimation::setStartTime):
        (WebCore::CCActiveAnimation::timeOffset):
        (WebCore::CCActiveAnimation::setTimeOffset):
        (WebCore::CCActiveAnimation::isFinished):
        * platform/graphics/chromium/cc/CCLayerAnimationController.cpp:
        (WebCore::CCLayerAnimationController::addAnimation):
        (WebCore::CCLayerAnimationController::pauseAnimation):
        (WebCore::CCLayerAnimationController::suspendAnimations):
        (WebCore::CCLayerAnimationController::resumeAnimations):
        (WebCore::CCLayerAnimationController::pushAnimationUpdatesTo):
        (WebCore::CCLayerAnimationController::getActiveAnimation):
        (WebCore::CCLayerAnimationController::pushNewAnimationsToImplThread):
        (WebCore::CCLayerAnimationController::removeAnimationsCompletedOnMainThread):
        (WebCore::CCLayerAnimationController::pushPropertiesToImplThread):
        (WebCore):
        (WebCore::CCLayerAnimationController::tickAnimations):
        * platform/graphics/chromium/cc/CCLayerAnimationController.h:
        (CCLayerAnimationController):

2012-04-27  Tim Horton  <timothy_horton@apple.com>

        SMIL animation causes leak of the related Document (and many elements)
        https://bugs.webkit.org/show_bug.cgi?id=83856
        <rdar://problem/11216047>

        Reviewed by Dean Jackson.

        The SVGAnimatedProperty cache was previously holding a reference to the properties it contained;
        said references were cleared in the SVGAnimatedProperty destructor (which was never called because
        there was always one remaining reference from the cache).

        The SVGAnimatedProperty cache now holds raw pointers instead of RefPtrs; the SVGAnimateElement now
        owns its own SVGAnimatedProperties, both for itself and for any <use/> instances of itself. They're
        cleared and destroyed within SVGAnimateElement::targetElementWillChange, at which time they're removed
        from the cache.

        SVGPropertyTearOffs now keep a reference to their SVGElement (m_contextElement) instead of their SVGAnimatedProperty;
        this way, there is no reference cycle, but the animated property (owned by the element) and the element itself are
        kept alive until the TearOff is garbage collected.

        Tests: svg/animations/smil-leak-dynamically-added-element-instances.svg
               svg/animations/smil-leak-elements.svg
               svg/animations/smil-leak-element-instances-noBaseValRef.svg
               svg/animations/smil-leak-element-instances.svg
               svg/animations/svglength-element-removed-crash.svg

        * svg/SVGAnimateElement.cpp:
        (WebCore::SVGAnimateElement::calculateAnimatedValue):
        (WebCore::propertyTypesAreConsistent):
        (WebCore::SVGAnimateElement::resetToBaseValue):
        (WebCore::SVGAnimateElement::applyResultsToTarget):
        (WebCore::SVGAnimateElement::targetElementWillChange):
        * svg/SVGAnimateElement.h:
        (SVGAnimateElement):
        * svg/SVGAnimatedAngle.cpp:
        (WebCore::SVGAnimatedAngleAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedAngleAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedAngleAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedAngleAnimator::animValWillChange):
        (WebCore::SVGAnimatedAngleAnimator::animValDidChange):
        * svg/SVGAnimatedAngle.h:
        (SVGAnimatedAngleAnimator):
        * svg/SVGAnimatedBoolean.cpp:
        (WebCore::SVGAnimatedBooleanAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedBooleanAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedBooleanAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedBooleanAnimator::animValWillChange):
        (WebCore::SVGAnimatedBooleanAnimator::animValDidChange):
        * svg/SVGAnimatedBoolean.h:
        (SVGAnimatedBooleanAnimator):
        * svg/SVGAnimatedColor.h:
        (WebCore::SVGAnimatedColorAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedColorAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedColorAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedColorAnimator::animValWillChange):
        (WebCore::SVGAnimatedColorAnimator::animValDidChange):
        * svg/SVGAnimatedEnumeration.cpp:
        (WebCore::SVGAnimatedEnumerationAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedEnumerationAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedEnumerationAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedEnumerationAnimator::animValWillChange):
        (WebCore::SVGAnimatedEnumerationAnimator::animValDidChange):
        * svg/SVGAnimatedEnumeration.h:
        (SVGAnimatedEnumerationAnimator):
        * svg/SVGAnimatedInteger.cpp:
        (WebCore::SVGAnimatedIntegerAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedIntegerAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedIntegerAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedIntegerAnimator::animValWillChange):
        (WebCore::SVGAnimatedIntegerAnimator::animValDidChange):
        * svg/SVGAnimatedInteger.h:
        (SVGAnimatedIntegerAnimator):
        * svg/SVGAnimatedIntegerOptionalInteger.cpp:
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::animValWillChange):
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::animValDidChange):
        * svg/SVGAnimatedIntegerOptionalInteger.h:
        (SVGAnimatedIntegerOptionalIntegerAnimator):
        * svg/SVGAnimatedLength.cpp:
        (WebCore::SVGAnimatedLengthAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedLengthAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedLengthAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedLengthAnimator::animValWillChange):
        (WebCore::SVGAnimatedLengthAnimator::animValDidChange):
        * svg/SVGAnimatedLength.h:
        (SVGAnimatedLengthAnimator):
        * svg/SVGAnimatedLengthList.cpp:
        (WebCore::SVGAnimatedLengthListAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedLengthListAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedLengthListAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedLengthListAnimator::animValWillChange):
        (WebCore::SVGAnimatedLengthListAnimator::animValDidChange):
        * svg/SVGAnimatedLengthList.h:
        (SVGAnimatedLengthListAnimator):
        * svg/SVGAnimatedNumber.cpp:
        (WebCore::SVGAnimatedNumberAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedNumberAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedNumberAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedNumberAnimator::animValWillChange):
        (WebCore::SVGAnimatedNumberAnimator::animValDidChange):
        * svg/SVGAnimatedNumber.h:
        (SVGAnimatedNumberAnimator):
        * svg/SVGAnimatedNumberList.cpp:
        (WebCore::SVGAnimatedNumberListAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedNumberListAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedNumberListAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedNumberListAnimator::animValWillChange):
        (WebCore::SVGAnimatedNumberListAnimator::animValDidChange):
        * svg/SVGAnimatedNumberList.h:
        (SVGAnimatedNumberListAnimator):
        * svg/SVGAnimatedNumberOptionalNumber.cpp:
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::animValWillChange):
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::animValDidChange):
        * svg/SVGAnimatedNumberOptionalNumber.h:
        (SVGAnimatedNumberOptionalNumberAnimator):
        * svg/SVGAnimatedPath.cpp:
        (WebCore::SVGAnimatedPathAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedPathAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedPathAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedPathAnimator::animValWillChange):
        (WebCore::SVGAnimatedPathAnimator::animValDidChange):
        * svg/SVGAnimatedPath.h:
        (SVGAnimatedPathAnimator):
        * svg/SVGAnimatedPointList.cpp:
        (WebCore::SVGAnimatedPointListAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedPointListAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedPointListAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedPointListAnimator::animValWillChange):
        (WebCore::SVGAnimatedPointListAnimator::animValDidChange):
        * svg/SVGAnimatedPointList.h:
        (SVGAnimatedPointListAnimator):
        * svg/SVGAnimatedPreserveAspectRatio.cpp:
        (WebCore::SVGAnimatedPreserveAspectRatioAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedPreserveAspectRatioAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedPreserveAspectRatioAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedPreserveAspectRatioAnimator::animValWillChange):
        (WebCore::SVGAnimatedPreserveAspectRatioAnimator::animValDidChange):
        * svg/SVGAnimatedPreserveAspectRatio.h:
        (SVGAnimatedPreserveAspectRatioAnimator):
        * svg/SVGAnimatedRect.cpp:
        (WebCore::SVGAnimatedRectAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedRectAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedRectAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedRectAnimator::animValWillChange):
        (WebCore::SVGAnimatedRectAnimator::animValDidChange):
        * svg/SVGAnimatedRect.h:
        (SVGAnimatedRectAnimator):
        * svg/SVGAnimatedString.cpp:
        (WebCore::SVGAnimatedStringAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedStringAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedStringAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedStringAnimator::animValWillChange):
        (WebCore::SVGAnimatedStringAnimator::animValDidChange):
        * svg/SVGAnimatedString.h:
        (SVGAnimatedStringAnimator):
        * svg/SVGAnimatedTransformList.cpp:
        (WebCore::SVGAnimatedTransformListAnimator::startAnimValAnimation):
        (WebCore::SVGAnimatedTransformListAnimator::stopAnimValAnimation):
        (WebCore::SVGAnimatedTransformListAnimator::resetAnimValToBaseVal):
        (WebCore::SVGAnimatedTransformListAnimator::animValWillChange):
        (WebCore::SVGAnimatedTransformListAnimator::animValDidChange):
        * svg/SVGAnimatedTransformList.h:
        (SVGAnimatedTransformListAnimator):
        * svg/SVGAnimatedTypeAnimator.h:
        (SVGAnimatedTypeAnimator):
        (WebCore::SVGAnimatedTypeAnimator::findAnimatedPropertiesForAttributeName):
        (WebCore::SVGAnimatedTypeAnimator::findAnimatedPropertiesFromInstancesForAttributeName):
        (WebCore::SVGAnimatedTypeAnimator::constructFromBaseValue):
        (WebCore::SVGAnimatedTypeAnimator::resetFromBaseValue):
        (WebCore::SVGAnimatedTypeAnimator::stopAnimValAnimationForType):
        (WebCore::SVGAnimatedTypeAnimator::animValDidChangeForType):
        (WebCore::SVGAnimatedTypeAnimator::animValWillChangeForType):
        (WebCore::SVGAnimatedTypeAnimator::constructFromBaseValues):
        (WebCore::SVGAnimatedTypeAnimator::resetFromBaseValues):
        (WebCore::SVGAnimatedTypeAnimator::stopAnimValAnimationForTypes):
        (WebCore::SVGAnimatedTypeAnimator::animValDidChangeForTypes):
        (WebCore::SVGAnimatedTypeAnimator::animValWillChangeForTypes):
        (WebCore::SVGAnimatedTypeAnimator::castAnimatedPropertyToActualType):
        (WebCore::SVGAnimatedTypeAnimator::executeAction):
        * svg/properties/SVGAnimatedProperty.h:
        (SVGAnimatedProperty):
        * svg/properties/SVGPropertyTearOff.h:
        (WebCore::SVGPropertyTearOff::animatedProperty):
        (SVGPropertyTearOff):

2012-04-27  Adam Klein  <adamk@chromium.org>

        Remove misspelled, unused, unimplemented method from V8Proxy
        https://bugs.webkit.org/show_bug.cgi?id=85091

        Reviewed by Dimitri Glazkov.

        * bindings/v8/V8Proxy.h:
        (V8Proxy):

2012-04-24  Jeffrey Pfau  <jpfau@apple.com>

        Disable RTF in JavaScript drag-and-drop
        https://bugs.webkit.org/show_bug.cgi?id=76597

        Reviewed by Maciej Stachowiak.

        Test: fast/events/drag-and-drop-subframe-dataTransfer.html

        * platform/mac/ClipboardMac.mm:
        (WebCore::cocoaTypeFromHTMLClipboardType):

2012-04-26  James Robinson  <jamesr@chromium.org>

        [chromium] Separate IOSurface layer type from texture layers
        https://bugs.webkit.org/show_bug.cgi?id=85030

        Reviewed by Adrienne Walker.

        Adds a new layer type for IOSurface layers and pipes through a separate path through to rendering. IOSurface
        layers are very simple - they have an IOSurface id and size, nothing else. All IOSurface layers are "flipped" in
        our terminology.

        * WebCore.gypi:
        * platform/graphics/chromium/IOSurfaceLayerChromium.cpp:
        (WebCore):
        (WebCore::IOSurfaceLayerChromium::create):
        (WebCore::IOSurfaceLayerChromium::IOSurfaceLayerChromium):
        (WebCore::IOSurfaceLayerChromium::~IOSurfaceLayerChromium):
        (WebCore::IOSurfaceLayerChromium::setIOSurfaceProperties):
        (WebCore::IOSurfaceLayerChromium::createCCLayerImpl):
        (WebCore::IOSurfaceLayerChromium::drawsContent):
        (WebCore::IOSurfaceLayerChromium::pushPropertiesTo):
        * platform/graphics/chromium/IOSurfaceLayerChromium.h:
        (WebCore):
        (IOSurfaceLayerChromium):
        * platform/graphics/chromium/LayerRendererChromium.cpp:
        (WebCore::LayerRendererChromium::drawIOSurfaceQuad):
        (WebCore::LayerRendererChromium::cleanupSharedObjects):
        * platform/graphics/chromium/LayerRendererChromium.h:
        (LayerRendererChromium):
        * platform/graphics/chromium/TextureLayerChromium.cpp:
        (WebCore::TextureLayerChromium::TextureLayerChromium):
        (WebCore::TextureLayerChromium::drawsContent):
        (WebCore::TextureLayerChromium::pushPropertiesTo):
        * platform/graphics/chromium/TextureLayerChromium.h:
        (TextureLayerChromium):
        * platform/graphics/chromium/cc/CCIOSurfaceDrawQuad.cpp:
        (WebCore::CCIOSurfaceDrawQuad::create):
        (WebCore::CCIOSurfaceDrawQuad::CCIOSurfaceDrawQuad):
        * platform/graphics/chromium/cc/CCIOSurfaceDrawQuad.h:
        (CCIOSurfaceDrawQuad):
        * platform/graphics/chromium/cc/CCIOSurfaceLayerImpl.cpp:
        (WebCore):
        (WebCore::CCIOSurfaceLayerImpl::CCIOSurfaceLayerImpl):
        (WebCore::CCIOSurfaceLayerImpl::~CCIOSurfaceLayerImpl):
        (WebCore::CCIOSurfaceLayerImpl::willDraw):
        (WebCore::CCIOSurfaceLayerImpl::appendQuads):
        (WebCore::CCIOSurfaceLayerImpl::dumpLayerProperties):
        (WebCore::CCIOSurfaceLayerImpl::didLoseContext):
        (WebCore::CCIOSurfaceLayerImpl::setIOSurfaceProperties):
        * platform/graphics/chromium/cc/CCIOSurfaceLayerImpl.h:
        (WebCore):
        (CCIOSurfaceLayerImpl):
        (WebCore::CCIOSurfaceLayerImpl::create):
        * platform/graphics/chromium/cc/CCTextureLayerImpl.cpp:
        (WebCore::CCTextureLayerImpl::CCTextureLayerImpl):
        (WebCore::CCTextureLayerImpl::~CCTextureLayerImpl):
        (WebCore::CCTextureLayerImpl::appendQuads):
        (WebCore::CCTextureLayerImpl::didLoseContext):
        * platform/graphics/chromium/cc/CCTextureLayerImpl.h:
        (CCTextureLayerImpl):

2012-04-27  Arvid Nilsson  <anilsson@rim.com>

        [BlackBerry] OpenGL related bug fixes
        https://bugs.webkit.org/show_bug.cgi?id=84836

        Reviewed by Antonio Gomes.

        PR147254, 148933, 149117, 149721, 150228

        No new tests, covered by existing BlackBerry browser stress tests

        * platform/graphics/blackberry/CanvasLayerWebKitThread.cpp:
        (WebCore::CanvasLayerWebKitThread::updateTextureContentsIfNeeded):
        * platform/graphics/blackberry/LayerCompositingThread.cpp:
        (WebCore::LayerCompositingThread::drawTextures):
        * platform/graphics/blackberry/LayerRenderer.cpp:
        (WebCore::LayerRenderer::~LayerRenderer):
        (WebCore::LayerRenderer::drawLayers):
        (WebCore::LayerRenderer::initializeSharedGLObjects):

2012-04-27  Nat Duca  <nduca@chromium.org>

        Implement high-resolution time via window.performance.webkitNow()
        https://bugs.webkit.org/show_bug.cgi?id=66684

        This implements the high resolution time spec from
        http://www.w3.org/TR/hr-time/, giving javascript access to
        sub-millisecond timestamps that increase over time instead of being
        subject to skewing, for example when the host machine's clock changes.

        Reviewed by Tony Gentilcore.

        Test: fast/performance/performance-now-timestamps.html

        * page/Performance.cpp:
        (WebCore::Performance::now):
        (WebCore):
        * page/Performance.h:
        (Performance):
        * page/Performance.idl:

2012-04-27  Filip Pizlo  <fpizlo@apple.com>

        If you get a list of DOMWrapperWorld*'s and then plan to allocate in the heap, you should ref
        the DOMWrapperWorld*'s
        https://bugs.webkit.org/show_bug.cgi?id=85098
        <rdar://problem/11318170>

        Reviewed by Sam Weinig.

        No new tests because this addresses hard-to-repro flaky behavior arising from GCs at inconvenient
        times.

        * bindings/js/ScriptController.cpp:
        (WebCore::ScriptController::getAllWorlds):
        * bindings/js/ScriptController.h:
        (ScriptController):
        * bindings/js/WebCoreJSClientData.h:
        (WebCore::WebCoreJSClientData::getAllWorlds):
        * bindings/v8/ScriptController.cpp:
        (WebCore::ScriptController::getAllWorlds):
        * bindings/v8/ScriptController.h:
        (ScriptController):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::dispatchDidClearWindowObjectsInAllWorlds):
        (WebCore::FrameLoader::dispatchGlobalObjectAvailableInAllWorlds):

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Removed the sole use of Weak<Unknown>
        https://bugs.webkit.org/show_bug.cgi?id=85099

        Reviewed by Sam Weinig.

        The semantics and implementation of Weak<Unknown> are unclear because:
            - Should you call a finalizer for a non-GC thingy? If so, when?

                * Possible answer: No.

            - If WeakImpls for GC thingies live with the GC thingies in the
              heap, where do WeakImpls for non-GC thingies live?

                * Possible answer: Directly in the Weak<T>.

        Since no clients actually want these behaviors, it's hard to tell if
        they're the right behaviors, and it's not worth the implementation
        complexity. If we come up with a client that wants these behaviors, we
        can always revisit this.

        * bindings/js/JSNodeFilterCondition.cpp:
        (WebCore::JSNodeFilterCondition::JSNodeFilterCondition): Just leave our
        filter NULL if it's not an object -- that's a better way to indicate
        "not a valid filter object".

        (WebCore::JSNodeFilterCondition::acceptNode): Fixed up some naming to
        clarify that the object we're working with is not necessarily a function.

        * bindings/js/JSNodeFilterCondition.h:
        (JSNodeFilterCondition): Use Weak<JSObject>, since that more closely
        matches what we're trying to do.

2012-04-26  Kentaro Hara  <haraken@chromium.org>

        [V8] Pass Isolate to getDOMXXXMap()
        https://bugs.webkit.org/show_bug.cgi?id=85022

        Reviewed by Nate Chapin.

        The objective is to pass Isolate around in V8 bindings.
        This patch passes Isolate to getDOMXXXMap().

        Also this patch removes DOMMap::getDOMDataStore() and
        DOMData::getDefalutStore(), since the indirection by the
        methods is redundant. This is not for performance
        optimization but just for refactoring.

        No tests. No change in behavior.

        * bindings/v8/DOMData.cpp:
        (WebCore::DOMData::getCurrentStore):
        * bindings/v8/DOMData.h:
        (DOMData):
        * bindings/v8/V8DOMMap.cpp:
        (WebCore::getDOMNodeMap):
        (WebCore::getActiveDOMNodeMap):
        (WebCore::getDOMObjectMap):
        (WebCore::getActiveDOMObjectMap):
        (WebCore::removeAllDOMObjects):
        * bindings/v8/V8DOMMap.h:
        (WebCore):

2012-04-26  Kentaro Hara  <haraken@chromium.org>

        [V8] Pass Isolate to V8BindingPerIsolateData::current()
        https://bugs.webkit.org/show_bug.cgi?id=85023

        Reviewed by Nate Chapin.

        The objective is to pass Isolate around in V8 bindings.
        This patch passes Isolate to V8BindingPerIsolateData::current().

        No tests. No change in behavior.

        * bindings/v8/V8Binding.h:
        (WebCore::V8BindingPerIsolateData::current):
        (WebCore::v8ExternalString):

2012-04-27  Dimitri Glazkov  <dglazkov@chromium.org>

        Unreviewed, rolling out r115484.
        http://trac.webkit.org/changeset/115484
        https://bugs.webkit.org/show_bug.cgi?id=84555

        Broke Chromium compile.

        * bindings/js/JSBlobCustom.cpp:
        * bindings/v8/custom/V8BlobCustom.cpp:
        * fileapi/Blob.cpp:
        * fileapi/Blob.h:
        (Blob):
        * fileapi/Blob.idl:
        * workers/WorkerContext.idl:

2012-04-27  Alexandru Chiculita  <achicu@adobe.com>

        [CSS Shaders] Implement CSS Animations and Transitions for CSS Shaders
        https://bugs.webkit.org/show_bug.cgi?id=71406

        Reviewed by Dean Jackson.

        I've implemented the blend function for the CustomFilterOperation. This should enable animations for CSS Shaders.
        Currently, just floats are implemented. If any of the filter attributes like shader, mesh size or box mode are different, 
        the fallback is to use the "to" part of the animation instead. If other shader parameters do not match, it will merge the parameter values
        between the "from" and "to" states.

        Test: css3/filters/custom/custom-filter-animation.html

        * platform/graphics/filters/CustomFilterNumberParameter.h:
        (WebCore::CustomFilterNumberParameter::blend):
        (CustomFilterNumberParameter):
        (WebCore::CustomFilterNumberParameter::operator==):
        * platform/graphics/filters/CustomFilterOperation.cpp:
        (WebCore::equalCustomFilterParameters):
        (WebCore):
        (WebCore::checkCustomFilterParametersOrder):
        (WebCore::blendCustomFilterParameters):
        (WebCore::CustomFilterOperation::CustomFilterOperation):
        (WebCore::CustomFilterOperation::blend):
        * platform/graphics/filters/CustomFilterOperation.h:
        (WebCore):
        (CustomFilterOperation):
        (WebCore::CustomFilterOperation::operator==):
        (WebCore::CustomFilterOperation::operator!=):
        * platform/graphics/filters/CustomFilterParameter.h:
        (CustomFilterParameter):
        (WebCore::CustomFilterParameter::isSameType):
        (WebCore::CustomFilterParameter::operator==):
        (WebCore::CustomFilterParameter::operator!=):
        * platform/graphics/filters/CustomFilterProgram.h:
        * rendering/style/StyleCustomFilterProgram.h:
        (StyleCustomFilterProgram):
        (WebCore::StyleCustomFilterProgram::cachedVertexShader):
        (WebCore::StyleCustomFilterProgram::cachedFragmentShader):
        (WebCore::StyleCustomFilterProgram::operator==):

2012-04-27  Chris Rogers  <crogers@google.com>

        Re-factor scheduling logic from AudioBufferSourceNode into AudioScheduledSourceNode
        https://bugs.webkit.org/show_bug.cgi?id=84639

        Reviewed by Eric Carlson.

        Playback logic involving noteOn(), noteOff(), and playbackState were intertwined with
        the AudioBufferSourceNode's buffer playback code.  These are more general concepts and
        may be implemented separately in another class called AudioScheduledSourceNode.

        No new tests. Covered by existing layout tests.

        * GNUmakefile.list.am:
        Add AudioScheduledSourceNode files to makefile.

        * Modules/webaudio/AudioBufferSourceNode.cpp:
        (WebCore):
        (WebCore::AudioBufferSourceNode::AudioBufferSourceNode):
        Re-factor some member variables into new base class AudioScheduledSourceNode.

        (WebCore::AudioBufferSourceNode::process):
        Re-factor scheduling logic into AudioScheduledSourceNode.

        * Modules/webaudio/AudioBufferSourceNode.h:
        (AudioBufferSourceNode):
        Simplify by re-factoring scheduling logic into AudioScheduledSourceNode.

        * Modules/webaudio/AudioScheduledSourceNode.cpp: Added.
        (WebCore):
        (WebCore::AudioScheduledSourceNode::AudioScheduledSourceNode):
        (WebCore::AudioScheduledSourceNode::updateSchedulingInfo):
        Get frame information for the current time quantum.

        * Modules/webaudio/AudioScheduledSourceNode.h: Added.
        (WebCore::AudioScheduledSourceNode::noteOn):
        (WebCore::AudioScheduledSourceNode::noteOff):
        (WebCore::AudioScheduledSourceNode::finish):
        (WebCore::AudioScheduledSourceNode::playbackState):
        (WebCore::AudioScheduledSourceNode::isPlayingOrScheduled):
        (WebCore::AudioScheduledSourceNode::hasFinished):
        Re-factored from AudioBufferSourceNode.

        * WebCore.gypi:
        * WebCore.xcodeproj/project.pbxproj:
        Add AudioScheduledSourceNode files to makefiles.
    
2012-04-26  Sam Weinig  <sam@webkit.org>

        Add support for the Blob constructor
        https://bugs.webkit.org/show_bug.cgi?id=84555

        Reviewed by Maciej Stachowiak.

        Test: fast/files/blob-constructor.html

        This adds an implementation of the Blob constructor that willfully
        violates the W3C Editor’s Draft 29 February 2012 in the following ways:
        - Elements in the parts array are coerced to DOMStrings https://www.w3.org/Bugs/Public/show_bug.cgi?id=16721 
        - Don't throw for invalid key in the dictionary https://www.w3.org/Bugs/Public/show_bug.cgi?id=16727
        - Values for the endings property are treated as enums https://www.w3.org/Bugs/Public/show_bug.cgi?id=16729 

        * bindings/js/JSBlobCustom.cpp:
        (WebCore::JSBlobConstructor::constructJSBlob):
        Implement blob constructor.

        * bindings/v8/custom/V8BlobCustom.cpp:
        (WebCore::V8Blob::constructorCallback):
        Implement blob constructor.

        * fileapi/Blob.idl:
        Add constructor to IDL.

        * workers/WorkerContext.idl:
        Add Blob constructor to the worker global object.

2012-04-27  Allan Sandfeld Jensen  <allan.jensen@nokia.com>

        [Qt] Fix minimal build.
        https://bugs.webkit.org/show_bug.cgi?id=85045

        Reviewed by Tor Arne Vestbø.

        Compile LIBXML XML parser even if ENABLE_XSLT is not set.

        * Target.pri:

2012-04-27  Shawn Singh  <shawnsingh@chromium.org>

        Infinite backgroundClipRect should not be scrolled.
        https://bugs.webkit.org/show_bug.cgi?id=84979

        Reviewed by Adrienne Walker.

        Test: compositing/iframes/scroll-fixed-transformed-element.html

        By accidentally scrolling clipRects that should be considered
        "infinite", they were no longer being considered infinite. This
        caused a chain of un-intended code paths that caused fixed
        position elements to stutter when scrolling in Chromium.

        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::backgroundClipRect):

2012-04-27  Ryosuke Niwa  <rniwa@webkit.org>

        FormatBlock crashes when body element is removed prior to the command execution
        https://bugs.webkit.org/show_bug.cgi?id=84937

        Reviewed by Tony Chang.

        The crash was because DOM had been modified since the last time selection had been "validated",
        and therefore frame selection's endpoints are no longer visible when we instantiated visibleStart
        and visibleEnd from m_endingSelection of the edit command.

        Fixed the bug by checking the nullity and orphanedness of visible start and visible end directly.
        I suspect we have similar bugs in other commands. The fundamental problem is that the copy constructor
        of VisibleSelection never validates so when a VisibleSelection is passed from one class to another
        (e.g. FrameSelection to EditCommand), we may not adjust end points as needed.

        Test: editing/execCommand/format-block-without-body-crash.html

        * editing/ApplyBlockElementCommand.cpp:
        (WebCore::ApplyBlockElementCommand::doApply):

2012-04-27  Enrica Casucci  <enrica@apple.com>

        REGRESSION(r96257): Deleting a large amount of text is very slow.
        https://bugs.webkit.org/show_bug.cgi?id=83983
        <rdar://problem/10826076>
        
        Reviewed by Ryosuke Niwa.

        The change in r96257 did not cause the performance regression per se,
        but exposed a problem in the way we calculate the offset in container
        node when the anchorType is PositionIsOffsetInAnchor.
        The offset was computed as the minimum between the given offset and
        lastOffsetInNode. If the container has a very large number of children,
        we walk the entire list of child nodes in the container simply to find
        out how many there are.
        Looking through the entire editing code, I found 2 other cases (one
        is only an ASSERT) where we could do a similar optimization.

        No new tests. No behavior change, only performance optimization.

        * dom/Position.cpp:
        (WebCore::Position::computeOffsetInContainerNode):
        * dom/Position.h:
        (WebCore::minOffsetForNode):
        (WebCore::offsetIsBeforeLastNodeOffset):
        * editing/ApplyStyleCommand.cpp:
        (WebCore::ApplyStyleCommand::removeInlineStyle):
        (WebCore::ApplyStyleCommand::mergeEndWithNextIfIdentical):

2012-04-27  Julien Chaffraix  <jchaffraix@webkit.org>

        NULL-deref in RenderBox::clippedOverflowRectForRepaint
        https://bugs.webkit.org/show_bug.cgi?id=84774

        Reviewed by Tony Chang.

        Test: fast/inline/crash-new-continuation-with-outline.html

        The bug comes from trying to repaint the :after content as part of updateBeforeAfterContent.
        The repainting logic would query the yet-to-be-inserted continuation(). Then we would crash in
        RenderBox::clippedOverflowRectForRepaint as we didn't have an enclosingLayer() (which any
        RenderObject in the tree will have).

        The fix is to check in RenderInline::clippedOverflowRectForRepaint that our continuation()
        is properly inserted in the tree. We could check that it isRooted() but it's an overkill here.

        * rendering/RenderInline.cpp:
        (WebCore::RenderInline::clippedOverflowRectForRepaint):

2012-04-27  Antti Koivisto  <antti@apple.com>

        Memory cache pruning should be protected against reentering.
        https://bugs.webkit.org/show_bug.cgi?id=85077

        Reviewed by Alexey Proskuryakov.

        MemoryCache::pruneDeadResourcesToSize() has some ad hoc protection against reentering.
        This patch adds more complete protection.

        * loader/cache/MemoryCache.cpp:
        (WebCore::MemoryCache::MemoryCache):
        (WebCore::MemoryCache::pruneLiveResourcesToSize):
        
            Protect live resource pruning too.

        (WebCore::MemoryCache::pruneDeadResourcesToSize):
        
            Remove the existing weak reentrancy handling in favor of full protection.

        * loader/cache/MemoryCache.h:
        (MemoryCache):

2012-04-27  Alexander Pavlov  <apavlov@chromium.org>

        Web Inspector: Implement the "Disable JavaScript" option in the settings dialog
        (re-landing r115417 with a test that should work on Windows.)
        https://bugs.webkit.org/show_bug.cgi?id=84946

        Reviewed by Yury Semikhatsky.

        Test: inspector/debugger/disable-script.html

        * inspector/Inspector.json:
        * inspector/InspectorPageAgent.cpp:
        (PageAgentState):
        (WebCore::InspectorPageAgent::enable):
        (WebCore::InspectorPageAgent::disable):
        (WebCore::InspectorPageAgent::getScriptExecutionStatus):
        (WebCore):
        (WebCore::InspectorPageAgent::setScriptExecutionDisabled):
        * inspector/InspectorPageAgent.h:
        * inspector/front-end/Settings.js:
        * inspector/front-end/SettingsScreen.js:
        (WebInspector.SettingsScreen):
        (WebInspector.SettingsScreen.prototype.get _updateScriptDisabledCheckbox):
        (WebInspector.SettingsScreen.prototype._javaScriptDisabledChanged):
        * inspector/front-end/inspector.js:

2012-04-27  Keishi Hattori  <keishi@webkit.org>

        IETC HTML5: verify HTMLDataListElement - instanceof HTMLDataListElement fails.
        https://bugs.webkit.org/show_bug.cgi?id=81196

        Reviewed by Kent Tamura.

        Test: fast/dom/Window/window-properties.html, fast/dom/Window/window-lookup-precedence.html

        HTMLDataListElement should be available on DOMWindow.

        * page/DOMWindow.idl: Added HTMLDataListElement.

2012-04-27  Dimitri Glazkov  <dglazkov@chromium.org>

        Unreviewed, rolling out r115417.
        http://trac.webkit.org/changeset/115417
        https://bugs.webkit.org/show_bug.cgi?id=84946

        Added test is broken on windows.

        * inspector/Inspector.json:
        * inspector/InspectorPageAgent.cpp:
        (WebCore::InspectorPageAgent::enable):
        (WebCore::InspectorPageAgent::disable):
        * inspector/InspectorPageAgent.h:
        * inspector/front-end/Settings.js:
        * inspector/front-end/SettingsScreen.js:
        (WebInspector.SettingsScreen):
        * inspector/front-end/inspector.js:

2012-04-27  Gavin Peters  <gavinp@chromium.org>

        Add new ENABLE_LINK_PRERENDER define to control the Prerendering API
        https://bugs.webkit.org/show_bug.cgi?id=84871

        Reviewed by Adam Barth.

        Prerendering is currently covered by the ENABLE_LINK_PREFETCH macro, but the new Prerendering
        API separates it from prefetching.  Having separate include guards lets ports enable prefetching,
        a relatively easy change, without needing to build the infrastructure for prerendering, which
        is considerably more complicated.

        * Configurations/FeatureDefines.xcconfig:

2012-04-27  Zan Dobersek  <zandobersek@gmail.com>

        [Gtk][DOM Bindings] Feature-protected properties are put under condition guards
        https://bugs.webkit.org/show_bug.cgi?id=85068

        Reviewed by Martin Robinson.

        Generated feature-dependent properties are now present regardless of that
        feature being enabled. On getting or setting that property's value a warning
        is thrown if the feature is not enabled. Additionally, if the generated
        interface is feature-dependent, when getting or setting any property's value
        a warning is thrown if the feature is not enabled.

        No new tests - covered by existing bindings tests.

        * bindings/scripts/CodeGeneratorGObject.pm:
        (GenerateProperty):
        (GenerateProperties):
        * bindings/scripts/test/GObject/WebKitDOMTestInterface.cpp: Rebaseline.
        (webkit_dom_test_interface_set_property):
        (webkit_dom_test_interface_get_property):
        (webkit_dom_test_interface_class_init):
        * bindings/scripts/test/GObject/WebKitDOMTestObj.cpp: Ditto.
        (webkit_dom_test_obj_set_property):
        (webkit_dom_test_obj_get_property):
        (webkit_dom_test_obj_class_init):
        * bindings/scripts/test/GObject/WebKitDOMTestSerializedScriptValueInterface.cpp: Ditto.
        (webkit_dom_test_serialized_script_value_interface_get_property):

2012-04-27  Zan Dobersek  <zandobersek@gmail.com>

        [Gtk][DOM Bindings] Conditional string in implementation file generated in wrong place after 113450
        https://bugs.webkit.org/show_bug.cgi?id=85065

        Reviewed by Martin Robinson.

        Put the condition string in implementation file after the header inclusions. This ensures
        that build errors do not occur when disabling the feature that applies to the condition string
        because of WebCore objects and methods that are still in use despite the feature being disabled.

        No new tests - covered by bindings tests.

        * bindings/scripts/CodeGeneratorGObject.pm:
        (WriteData):
        * bindings/scripts/test/GObject/WebKitDOMTestCallback.cpp: Rebaseline generated results.
        * bindings/scripts/test/GObject/WebKitDOMTestInterface.cpp: Ditto.
        * bindings/scripts/test/GObject/WebKitDOMTestSerializedScriptValueInterface.cpp: Ditto.

2012-04-27  Andreas Kling  <kling@webkit.org>

        Avoid mutating Element attribute storage in StepRange constructor.
        <http://webkit.org/b/84797>

        Reviewed by Antti Koivisto.

        Test: fast/selectors/querySelector-in-range-crash.html

        * dom/Attribute.h:

            Add comment about the volatility of references returned by getters.

        * html/StepRange.cpp:
        (WebCore::StepRange::StepRange):

            Replace hasAttribute/getAttribute pair by a single fastGetAttribute.

        * html/HTMLInputElement.cpp:
        (WebCore::HTMLInputElement::updateType):
        (WebCore::HTMLInputElement::value):

            Store the value attribute in a local variable before passing it to sanitizeValue().

2012-04-27  Rob Buis  <rbuis@rim.com>

        SVG inline style of 'marker-*' does not override
        https://bugs.webkit.org/show_bug.cgi?id=84824

        Reviewed by Nikolas Zimmermann.

        Properly handle CSSValueNone for clip-path, filter, mask and marker-* properties. Instead
        of bailing out, set the none value explicitly, since an earlier match may have set it to
        something other than none.

        Tests: svg/custom/inline-style-overrides-clipPath-expected.svg
               svg/custom/inline-style-overrides-clipPath.svg
               svg/custom/inline-style-overrides-filter-expected.svg
               svg/custom/inline-style-overrides-filter.svg
               svg/custom/inline-style-overrides-markers-expected.svg
               svg/custom/inline-style-overrides-markers.svg
               svg/custom/inline-style-overrides-mask-expected.svg
               svg/custom/inline-style-overrides-mask.svg

        * css/SVGCSSStyleSelector.cpp:
        (WebCore::StyleResolver::applySVGProperty):

2012-04-27  Christophe Dumez  <christophe.dumez@intel.com>

        [EFL] media/video-controls-rendering-toggle-display-none.html is failing
        https://bugs.webkit.org/show_bug.cgi?id=84949

        Reviewed by Antonio Gomes.

        Fix volume slider rendering so that the
        media/video-controls-rendering-toggle-display-none.html passes.

        * css/mediaControlsEfl.css:
        (audio::-webkit-media-controls-mute-button, video::-webkit-media-controls-mute-button):
        (audio::-webkit-media-controls-volume-slider-container, video::-webkit-media-controls-volume-slider-container):
        (audio::-webkit-media-controls-volume-slider, video::-webkit-media-controls-volume-slider):

2012-04-27  Nikolas Zimmermann  <nzimmermann@rim.com>

        Support values animation mode with just a single value
        https://bugs.webkit.org/show_bug.cgi?id=85064

        Reviewed by Antti Koivisto.

        values="a" is equal to <set to="a"> per SMIL specification.
        We currently only support values animation if at least two values are given, fix that.

        The reference animations in Dr. Olaf Hoffmann's SVG Animation test suite are mostly using
        values animations, sometimes with only a single value given. Lots of the reference animations
        are broken in trunk w/o this patch and now work as expected.

        See http://hoffmann.bplaced.net/svgtest/index.php?s=en&in=start.

        Test: svg/animations/single-values-animation.html

        * svg/SVGAnimationElement.cpp:
        (WebCore::SVGAnimationElement::calculateKeyTimesForCalcModePaced):
        (WebCore::SVGAnimationElement::currentValuesForValuesAnimation):
        (WebCore::SVGAnimationElement::startedActiveInterval):

2012-04-27  Konrad Piascik  <kpiascik@rim.com>

        Web Inspector: Allow inspection of Web Socket Frames
        https://bugs.webkit.org/show_bug.cgi?id=83282

        Reviewed by Pavel Feldman.

        Tests: http/tests/inspector/web-socket-frame-error.html
               http/tests/inspector/web-socket-frame.html

        * English.lproj/localizedStrings.js: Added new Web Inspector front-end UI strings.
        * Modules/websockets/WebSocketChannel.cpp:  Added InspectorInstrumentation calls to
                                                    the following methods.
        (WebCore::WebSocketChannel::fail):
        (WebCore::WebSocketChannel::processFrame):
        (WebCore::WebSocketChannel::sendFrame):
        * WebCore.gypi: Added new Web Inspector resource file.
        * WebCore.vcproj/WebCore.vcproj: Added new Web Inspector resource file.
        * inspector/Inspector.json: Added new Web Inspector resource file.
        * inspector/InspectorInstrumentation.cpp: Added new methods for instrumenting a Web Socket frame or error.
        (WebCore::InspectorInstrumentation::didReceiveWebSocketFrameImpl):
        (WebCore::InspectorInstrumentation::didReceiveWebSocketFrameErrorImpl):
        (WebCore::InspectorInstrumentation::didSendWebSocketFrameImpl):
        * inspector/InspectorInstrumentation.h:
        (WebCore):
        (InspectorInstrumentation):
        (WebCore::InspectorInstrumentation::didReceiveWebSocketFrame):
        (WebCore::InspectorInstrumentation::didReceiveWebSocketFrameError):
        (WebCore::InspectorInstrumentation::didSendWebSocketFrame):
        * inspector/InspectorResourceAgent.cpp:
        (WebCore::InspectorResourceAgent::didReceiveWebSocketFrame):
        (WebCore):
        (WebCore::InspectorResourceAgent::didSendWebSocketFrame):
        (WebCore::InspectorResourceAgent::didReceiveWebSocketFrameError):
        * inspector/InspectorResourceAgent.h:
        (WebCore):
        (InspectorResourceAgent):
        * inspector/compile-front-end.py: Added new Web Inspector resource file.
        * inspector/front-end/NetworkItemView.js: Added a new View for inspecting Web Socket frames and errors.
        (WebInspector.NetworkItemView):
        * inspector/front-end/NetworkManager.js: Implemented callback called by InspectorResourceAgent for
                                                 the new Web Socket frame and error calls.
        (WebInspector.NetworkDispatcher.prototype.webSocketFrameReceived):
        (WebInspector.NetworkDispatcher.prototype.webSocketFrameSent):
        (WebInspector.NetworkDispatcher.prototype.webSocketFrameError):
        * inspector/front-end/NetworkRequest.js: Added a frames array to a Resource request along
                                                 with accessor and helper methods
        (WebInspector.NetworkRequest):
        (WebInspector.NetworkRequest.prototype.resource):
        (WebInspector.NetworkRequest.prototype.hasFrames):
        (WebInspector.NetworkRequest.prototype.frameLength):
        (WebInspector.NetworkRequest.prototype.getFrame):
        (WebInspector.NetworkRequest.prototype.addFrameError):
        (WebInspector.NetworkRequest.prototype.addFrame):
        (WebInspector.NetworkRequest.prototype._pushFrame):
        * inspector/front-end/ResourceWebSocketFrameView.js: Added to help display Web Socket frame and error data.
        (WebInspector.ResourceWebSocketFrameView):
        * inspector/front-end/WebKit.qrc: Added new Web Inspector resource file.
        * inspector/front-end/inspector.html: Added new Web Inspector resource file.

2012-04-27  Nikolas Zimmermann  <nzimmermann@rim.com>

        Fix repetitions & by animation support for SVGAnimateTransformElement
        https://bugs.webkit.org/show_bug.cgi?id=85051

        Reviewed by Antti Koivisto.

        Repetitions are currently handled by adjusting percentage (percentage += repeatCount).
        This doesn't work for <animateTransform> as each repetition has to be post-multiplied to the animated transform list. Fix that.

        By-animations are equal to values="0;by" animations in SMIL. '0' is the neutral element of addition, which is the _zero_ matrix,
        not the identity matrix for SVGTransform. Add a new construction mode to SVGTransform to be able to construct zero transforms.

        Tests: svg/animations/animateTransform-accumulation-expected.svg
               svg/animations/animateTransform-accumulation.svg
               svg/animations/animateTransform-by-scale-expected.svg
               svg/animations/animateTransform-by-scale.svg
               svg/animations/animateTransform-from-by-from-to-comparision-expected.svg
               svg/animations/animateTransform-from-by-from-to-comparision.svg
               svg/animations/animateTransform-from-by-scale-additive-sum-expected.svg
               svg/animations/animateTransform-from-by-scale-additive-sum.svg
               svg/animations/animateTransform-from-by-scale-expected.svg
               svg/animations/animateTransform-from-by-scale.svg
               svg/animations/animateTransform-rotate-around-point-expected.svg
               svg/animations/animateTransform-rotate-around-point.svg
               svg/animations/animateTransform-skewX-expected.svg
               svg/animations/animateTransform-skewX.svg
               svg/animations/animateTransform-skewY-expected.svg
               svg/animations/animateTransform-skewY.svg
               svg/animations/animateTransform-translate-expected.svg
               svg/animations/animateTransform-translate.svg
               svg/animations/multiple-animateTransform-additive-sum-expected.svg
               svg/animations/multiple-animateTransform-additive-sum.svg

        * svg/SVGAnimateTransformElement.cpp:
        (WebCore::SVGAnimateTransformElement::parseAttribute):
        * svg/SVGAnimatedTransformList.cpp:
        (WebCore::SVGAnimatedTransformListAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedTransformListAnimator::calculateAnimatedValue):
        * svg/SVGAnimationElement.h:
        (WebCore::SVGAnimationElement::adjustFromToListValues):
        * svg/SVGTransform.cpp:
        (WebCore::SVGTransform::SVGTransform):
        * svg/SVGTransform.h:
        * svg/SVGTransformDistance.cpp:
        (WebCore::SVGTransformDistance::SVGTransformDistance):
        (WebCore::SVGTransformDistance::scaledDistance):
        (WebCore::SVGTransformDistance::addSVGTransforms):
        (WebCore::SVGTransformDistance::addToSVGTransform):
        (WebCore::SVGTransformDistance::distance):
        * svg/SVGTransformDistance.h:
        (SVGTransformDistance):

2012-04-27  Nikolas Zimmermann  <nzimmermann@rim.com>

        SVG Animations update baseVal instead of animVal
        https://bugs.webkit.org/show_bug.cgi?id=12437

        Reviewed by Dirk Schulze.

        Cleanup animation code, remove last remaining crufts of the old setAttribute() animation model.
        Now only two animation modes remain: animate SVG DOM animVal properties or CSS properties.

        Stop caching base values per string in SMILTimeContainer, as it breaks additive="sum" for CSS
        properties if the underlying base value is changed from the outside (eg. when calling
        style.fontSize="20px", if font-size was 10px, and we're running an additive by-animation with 50px).

        This requires us to cache the computed style of a SVGElement, without SMIL style property changes,
        in SVGElementRareData, similar to how the computed style itself is cached in ElementRareData.
        To be able to compute the base value for a CSS property at any time, we have to exclude any
        previous animation effects residing in the SMIL animated style properties, per SMIL2/3 specs.

        NOTE: This doesn't change or affect the way CSS Animations/Transitions are applied, we still
              have some bugs in that area, but this patch doesn't address them. The idea is to only
              remove the cache, to pave the way for future additive="sum" patches.

        Tests: svg/animations/change-css-property-while-animating-fill-freeze.html
               svg/animations/change-css-property-while-animating-fill-remove.html

        * dom/Element.cpp:
        (WebCore::Element::recalcStyle):
        * dom/Node.h:
        * svg/SVGAnimateElement.cpp:
        (WebCore::propertyTypesAreConsistent):
        (WebCore::SVGAnimateElement::resetToBaseValue):
        (WebCore::SVGAnimateElement::applyResultsToTarget):
        * svg/SVGAnimateElement.h:
        (SVGAnimateElement):
        * svg/SVGAnimateMotionElement.cpp:
        (WebCore::SVGAnimateMotionElement::resetToBaseValue):
        * svg/SVGAnimateMotionElement.h:
        (SVGAnimateMotionElement):
        * svg/SVGAnimationElement.cpp:
        (WebCore::applyCSSPropertyToTarget):
        (WebCore::SVGAnimationElement::setTargetAttributeAnimatedCSSValue):
        * svg/SVGAnimationElement.h:
        * svg/SVGElement.cpp:
        (WebCore::SVGElement::SVGElement):
        (WebCore::SVGElement::willRecalcStyle):
        (WebCore):
        (WebCore::SVGElement::rareSVGData):
        (WebCore::SVGElement::ensureRareSVGData):
        (WebCore::SVGElement::computedStyle):
        (WebCore::SVGElement::isAnimatableAttribute):
        * svg/SVGElement.h:
        (SVGElement):
        * svg/SVGElementRareData.h:
        (WebCore::SVGElementRareData::SVGElementRareData):
        (WebCore::SVGElementRareData::ensureAnimatedSMILStyleProperties):
        (WebCore::SVGElementRareData::destroyAnimatedSMILStyleProperties):
        (WebCore::SVGElementRareData::overrideComputedStyle):
        (WebCore::SVGElementRareData::setUseOverrideComputedStyle):
        * svg/animation/SMILTimeContainer.cpp:
        (WebCore::SMILTimeContainer::updateAnimations):
        * svg/animation/SMILTimeContainer.h:
        (SMILTimeContainer):
        * svg/animation/SVGSMILElement.h:
        (SVGSMILElement):

2012-04-26  Alexander Pavlov  <apavlov@chromium.org>

        Web Inspector: Implement the "Disable JavaScript" option in the settings dialog
        (re-landing r115323 with a fixed test.)
        https://bugs.webkit.org/show_bug.cgi?id=84946

        Based on user actions in the Inspector frontend, InspectorPageAgent invokes Settings::setScriptEnabled()
        for the associated page to switch the script execution therein.

        Reviewed by Yury Semikhatsky.

        Test: inspector/debugger/disable-script.html

        * inspector/Inspector.json:
        * inspector/InspectorPageAgent.cpp:
        (PageAgentState):
        (WebCore::InspectorPageAgent::enable):
        (WebCore::InspectorPageAgent::disable):
        (WebCore::InspectorPageAgent::getScriptExecutionStatus):
        (WebCore):
        (WebCore::InspectorPageAgent::setScriptExecutionDisabled):
        * inspector/InspectorPageAgent.h:
        * inspector/front-end/Settings.js:
        * inspector/front-end/SettingsScreen.js:
        (WebInspector.SettingsScreen):
        (WebInspector.SettingsScreen.prototype.get _updateScriptDisabledCheckbox):
        (WebInspector.SettingsScreen.prototype._javaScriptDisabledChanged):
        * inspector/front-end/inspector.js:

2012-04-26  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION (r94497): Pressing Command+A when inline (Marked Text) is not empty will clean whole content
        https://bugs.webkit.org/show_bug.cgi?id=84501

        Reviewed by Alexey Proskuryakov.

        The bug was caused by setComposition, which is called by cancelComposition, deleting the contents when
        the passed text is empty. Fixed it by not deleting text when canceling compositions. This is okay because
        as the comment above the line suggests, this particular call to TypingCommand::deleteSelection is only useful
        when the confirmed text is empty and the composition text had previously been non-empty.

        Test: editing/input/select-all-clear-input-method.html

        * editing/Editor.cpp:
        (WebCore::Editor::setComposition):

2012-04-26  Keishi Hattori  <keishi@webkit.org>

        datalist: Form control in a <datalist> should be barred from constraint validation
        https://bugs.webkit.org/show_bug.cgi?id=84359

        http://www.whatwg.org/specs/web-apps/current-work/multipage/the-button-element.html#the-datalist-element
        According to this, if an element has a datalist element ancestor, it is barred from constraint validation.

        Reviewed by Kent Tamura.

        Test: fast/forms/datalist/datalist-child-validation.html

        * html/HTMLFormControlElement.cpp:
        (WebCore::HTMLFormControlElement::HTMLFormControlElement):
        (WebCore::HTMLFormControlElement::updateAncestors): Updates the ancestor information.
        (WebCore::HTMLFormControlElement::insertedInto): Invalidates the ancestor information and calls setNeedsWillValidateCheck
        (WebCore::HTMLFormControlElement::removedFrom): Invalidates the ancestor information and calls setNeedsWillValidateCheck
        (WebCore::HTMLFormControlElement::disabled):
        (WebCore::HTMLFormControlElement::recalcWillValidate): Returns false if element has a datalist ancestor.
        (WebCore::HTMLFormControlElement::setNeedsWillValidateCheck): Check if ancestor information is valid too.
        * html/HTMLFormControlElement.h:
        (HTMLFormControlElement):

2012-04-26  Adrienne Walker  <enne@google.com>

        [chromium] Remove unused CCLayerImpl::debugID()
        https://bugs.webkit.org/show_bug.cgi?id=85019

        Reviewed by James Robinson.

        CCLayerSorter used debugID() but it was never set anywhere. Change
        the CCLayerSorter LOG messages to use id(), which does get set.

        * platform/graphics/chromium/cc/CCLayerImpl.h:
        (CCLayerImpl):
        * platform/graphics/chromium/cc/CCLayerSorter.cpp:
        (WebCore::CCLayerSorter::createGraphNodes):
        (WebCore::CCLayerSorter::createGraphEdges):
        (WebCore::CCLayerSorter::sort):

2012-04-26  Nico Weber  <thakis@chromium.org>

        [chromium] Fix C++ language use.
        https://bugs.webkit.org/show_bug.cgi?id=85015

        Reviewed by James Robinson.

        Even though MSVC allows it, a sizeof followed by a non-parenthesized
        typename is not valid C++.

        No functionality change.

        * rendering/RenderThemeChromiumWin.cpp:
        (WebCore):
        (WebCore::getNonClientMetrics):

2012-04-24  James Robinson  <jamesr@chromium.org>

        [chromium] Move ProgramBinding definitions to LayerRendererChromium and normalize naming
        https://bugs.webkit.org/show_bug.cgi?id=84808

        Reviewed by Adrienne Walker.

        The GL programs used are logically part of LayerRendererChromium and not something specific to a layer type,
        since a different renderer would want to use a different thing to render the same layer types. This moves all of
        the ProgramBinding definitions into LayerRendererChromium and gives them consistent names. With the exception of
        CCRenderSurface (noted by an inline comment), these programs are private to LRC.

        This patch also deduplicates programs a bit:
        1.) Video's NativeTexture and RGBA programs were the same thing, folded.
        2.) The TexStretch and TexTransform shaders are basically the same thing, folded together.

        * platform/graphics/chromium/LayerChromium.h:
        (LayerChromium):
        * platform/graphics/chromium/LayerRendererChromium.cpp:
        (WebCore::LayerRendererChromium::drawCheckerboardQuad):
        (WebCore::LayerRendererChromium::drawDebugBorderQuad):
        (WebCore::LayerRendererChromium::drawSolidColorQuad):
        (WebCore::LayerRendererChromium::drawTileQuad):
        (WebCore::LayerRendererChromium::drawYUV):
        (WebCore::LayerRendererChromium::drawRGBA):
        (WebCore::LayerRendererChromium::drawNativeTexture2D):
        (WebCore::LayerRendererChromium::drawStreamTexture):
        (WebCore::LayerRendererChromium::drawTextureQuad):
        (WebCore::LayerRendererChromium::drawHeadsUpDisplay):
        (WebCore::LayerRendererChromium::initializeSharedObjects):
        (WebCore::LayerRendererChromium::tileCheckerboardProgram):
        (WebCore::LayerRendererChromium::solidColorProgram):
        (WebCore::LayerRendererChromium::headsUpDisplayProgram):
        (WebCore::LayerRendererChromium::renderSurfaceProgram):
        (WebCore::LayerRendererChromium::renderSurfaceProgramAA):
        (WebCore::LayerRendererChromium::renderSurfaceMaskProgram):
        (WebCore::LayerRendererChromium::renderSurfaceMaskProgramAA):
        (WebCore::LayerRendererChromium::tileProgram):
        (WebCore::LayerRendererChromium::tileProgramOpaque):
        (WebCore::LayerRendererChromium::tileProgramAA):
        (WebCore::LayerRendererChromium::tileProgramSwizzle):
        (WebCore::LayerRendererChromium::tileProgramSwizzleOpaque):
        (WebCore::LayerRendererChromium::tileProgramSwizzleAA):
        (WebCore::LayerRendererChromium::textureProgramFlip):
        (WebCore::LayerRendererChromium::textureTexRectProgram):
        (WebCore::LayerRendererChromium::textureTexRectProgramFlip):
        (WebCore::LayerRendererChromium::videoRGBAProgram):
        (WebCore::LayerRendererChromium::videoYUVProgram):
        (WebCore::LayerRendererChromium::videoStreamTextureProgram):
        (WebCore::LayerRendererChromium::cleanupSharedObjects):
        * platform/graphics/chromium/LayerRendererChromium.h:
        (WebCore):
        (LayerRendererChromium):
        * platform/graphics/chromium/ShaderChromium.cpp:
        * platform/graphics/chromium/ShaderChromium.h:
        * platform/graphics/chromium/cc/CCHeadsUpDisplay.h:
        (CCHeadsUpDisplay):
        * platform/graphics/chromium/cc/CCLayerTreeHostImpl.cpp:
        * platform/graphics/chromium/cc/CCLayerTreeHostImpl.h:
        (WebCore):
        * platform/graphics/chromium/cc/CCRenderSurface.cpp:
        (WebCore::CCRenderSurface::copyTextureToFramebuffer):
        (WebCore::CCRenderSurface::drawLayer):
        * platform/graphics/chromium/cc/CCRenderSurface.h:
        (CCRenderSurface):
        * platform/graphics/chromium/cc/CCSingleThreadProxy.cpp:
        * platform/graphics/chromium/cc/CCTextureLayerImpl.h:
        (CCTextureLayerImpl):
        * platform/graphics/chromium/cc/CCThreadProxy.cpp:
        * platform/graphics/chromium/cc/CCTiledLayerImpl.h:
        (CCTiledLayerImpl):
        * platform/graphics/chromium/cc/CCVideoLayerImpl.h:
        (WebCore):
        (CCVideoLayerImpl):

2012-04-26  Jeffrey Pfau  <jpfau@apple.com>

        Invalid cast in WebCore::HTMLCollection::isAcceptableElement
        https://bugs.webkit.org/show_bug.cgi?id=84626

        Reviewed by Darin Adler.

        Check if the object is an HTMLElement before casting.

        Test: fast/dom/htmlcollection-non-html.html

        * html/HTMLCollection.cpp:
        (WebCore::HTMLCollection::isAcceptableElement):

2012-04-26  Dana Jansens  <danakj@chromium.org>

        [chromium] Some background filters require inflating damage on the surface behind them
        https://bugs.webkit.org/show_bug.cgi?id=84479

        Reviewed by Adrienne Walker.

        A layer with a background blur will expand the damage from pixels in the
        surface below it. We extend the damage tracker to expand damage in a
        surface below such layers.

        Unit test: CCDamageTrackerTest.verifyDamageForBackgroundBlurredChild

        * platform/graphics/chromium/cc/CCDamageTracker.cpp:
        (WebCore::expandPixelOutsetsWithFilters):
        (WebCore):
        (WebCore::expandDamageRectInsideRectWithFilters):
        (WebCore::expandDamageRectWithFilters):
        (WebCore::CCDamageTracker::updateDamageTrackingState):
        (WebCore::CCDamageTracker::trackDamageFromActiveLayers):
        * platform/graphics/chromium/cc/CCDamageTracker.h:
        (CCDamageTracker):

2012-04-26  Simon Fraser  <simon.fraser@apple.com>

        Improve compositing logging output
        https://bugs.webkit.org/show_bug.cgi?id=85010

        Reviewed by Dean Jackson.

        In the compositing log channel output, indent the layers
        based on z-order tree depth. Tabulate the summary, and
        show obligate and secondary backing store area separately.

        * rendering/RenderLayer.cpp:
        (WebCore::RenderLayer::updateClipRects):
        * rendering/RenderLayerCompositor.cpp:
        (WebCore::RenderLayerCompositor::RenderLayerCompositor):
        (WebCore::RenderLayerCompositor::updateCompositingLayers):
        (WebCore::RenderLayerCompositor::logLayerInfo):
        (WebCore::RenderLayerCompositor::rebuildCompositingLayerTree):
        (WebCore::RenderLayerCompositor::updateLayerTreeGeometry):
        (WebCore::RenderLayerCompositor::reasonForCompositing):
        * rendering/RenderLayerCompositor.h:
        (RenderLayerCompositor):

2012-04-26  Anders Carlsson  <andersca@apple.com>

        REGRESSION (r115163): Unable to scroll article body with trackpad on altdevblogaday.com blog post
        https://bugs.webkit.org/show_bug.cgi?id=85024
        <rdar://problem/11330758>

        Reviewed by Sam Weinig.

        Fix broken logic in canHaveScrollbars.

        * page/scrolling/ScrollingTreeNode.h:
        (WebCore::ScrollingTreeNode::canHaveScrollbars):

2012-04-24  James Robinson  <jamesr@chromium.org>

        [chromium] Use different CCDrawQuad types for textures vs IOSurfaces
        https://bugs.webkit.org/show_bug.cgi?id=84811

        Reviewed by Adrienne Walker.

        IOSurface and texture backed layers share few properties (only the flipped bool), so it doesn't make a lot of
        sense for them to use the same CCDrawQuad type for both. This splits IOSurfaces out to a dedicated quad type to
        make it easier to understand which bits of state apply to each.

        The logical next step after this is to split the layer type as well, but that will be awkward until bug 84808 is
        resolved.

        * WebCore.gypi:
        * platform/graphics/chromium/LayerRendererChromium.cpp:
        (WebCore::LayerRendererChromium::drawQuad):
        (WebCore::LayerRendererChromium::drawTextureQuad):
        (WebCore):
        (WebCore::LayerRendererChromium::drawIOSurfaceQuad):
        * platform/graphics/chromium/LayerRendererChromium.h:
        (LayerRendererChromium):
        * platform/graphics/chromium/cc/CCDrawQuad.cpp:
        (WebCore::CCDrawQuad::toIOSurfaceDrawQuad):
        (WebCore):
        * platform/graphics/chromium/cc/CCDrawQuad.h:
        (WebCore):
        (CCDrawQuad):
        * platform/graphics/chromium/cc/CCIOSurfaceDrawQuad.cpp: Copied from Source/WebCore/platform/graphics/chromium/cc/CCTextureDrawQuad.cpp.
        (WebCore):
        (WebCore::CCIOSurfaceDrawQuad::create):
        (WebCore::CCIOSurfaceDrawQuad::CCIOSurfaceDrawQuad):
        * platform/graphics/chromium/cc/CCIOSurfaceDrawQuad.h: Copied from Source/WebCore/platform/graphics/chromium/cc/CCTextureDrawQuad.h.
        (WebCore):
        (CCIOSurfaceDrawQuad):
        (WebCore::CCIOSurfaceDrawQuad::flipped):
        (WebCore::CCIOSurfaceDrawQuad::ioSurfaceSize):
        (WebCore::CCIOSurfaceDrawQuad::ioSurfaceTextureId):
        * platform/graphics/chromium/cc/CCTextureDrawQuad.cpp:
        (WebCore::CCTextureDrawQuad::create):
        (WebCore::CCTextureDrawQuad::CCTextureDrawQuad):
        * platform/graphics/chromium/cc/CCTextureDrawQuad.h:
        (CCTextureDrawQuad):
        * platform/graphics/chromium/cc/CCTextureLayerImpl.cpp:
        (WebCore::CCTextureLayerImpl::appendQuads):

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Use WebKit types for the cache of ObjcClass::methodsNamed()
        https://bugs.webkit.org/show_bug.cgi?id=85012

        Reviewed by Geoffrey Garen.

        This patch redefines the method cache ObjcClass to avoid memory allocations in the case of positive match.

        Instead of using the converted name as the key, the original identifier string is used. This shortcuts
        all the other operations when there is a match.

        A side effect is a method can appear multiple times in the cache if it is invoked with different names using
        the escape character "$". An attacker could bloat the cache with a few hundred strings.
        In the common case, having each name mapped is an improvement.

        * bridge/objc/objc_class.h:
        (ObjcClass):
        * bridge/objc/objc_class.mm:
        (JSC::Bindings::ObjcClass::ObjcClass):
        (JSC::Bindings::ObjcClass::methodsNamed):

2012-04-26  Ojan Vafai  <ojan@chromium.org>

        Delete dead code in Arena.h/cpp
        https://bugs.webkit.org/show_bug.cgi?id=84997

        Reviewed by Eric Seidel.

        Also cleaned up some style issues. Renamed some single-letter variable names.
        Avoided anything other than totally trivial style changes to be 100% sure
        that there is no change in behavior.

        No new tests. There's no non-style code changes except inlining CLEAR_UNUSED
        and CLEAR_ARENA.

        * platform/Arena.cpp:
        (WebCore):
        (WebCore::CeilingLog2):
        (WebCore::InitArenaPool):
        (WebCore::ArenaAllocate):
        (WebCore::FreeArenaList):
        (WebCore::FinishArenaPool):
        * platform/Arena.h:
        (WebCore):

2012-04-26  Shawn Singh  <shawnsingh@chromium.org>

        Re-implement backFaceVisibility to avoid dealing with perspective w < 0 problem
        https://bugs.webkit.org/show_bug.cgi?id=84059

        Reviewed by Adrienne Walker.

        Unit tests added to CCMathUtilTest.cpp.

        This patch changes the implementation of backFaceIsVisible so that
        it doesn't need to deal with the w < 0 problem of perspective
        projections. Instead, it is equally correct to simply use the
        inverse-transpose of the matrix, and quickly check the third row,
        third column element. Additionally, it was appropriate to move
        this function into TransformationMatrix itself.

        Making this change fixes some issues related to disappearing
        layers in Chromium (where the compositor incorrectly thought that
        the back face was visible, and skipped the layer).

        * platform/graphics/chromium/cc/CCLayerTreeHostCommon.cpp:
        (WebCore::calculateVisibleLayerRect):
        (WebCore::layerShouldBeSkipped):
        * platform/graphics/transforms/TransformationMatrix.cpp:
        (WebCore::TransformationMatrix::isBackFaceVisible):
        (WebCore):
        * platform/graphics/transforms/TransformationMatrix.h:
        (TransformationMatrix):

2012-04-26  Martin Robinson  <mrobinson@igalia.com>

        [Cairo] Wrap cairo surfaces in a class when storing native images
        https://bugs.webkit.org/show_bug.cgi?id=83611

        Reviewed by Alejandro G. Castro.

        No new tests. This is just a refactoring. This shouldn't change
        functionality.

        Added class that wraps Cairo image surfaces to serve as the "native image"
        type for the Cairo platform. This will allow the addition of caching resampled
        images as well as versions of the image for non-image Cairo backends. Also
        split out BitmapImageCairo.cpp from ImageCairo.cpp since these classes are
        defined in two headers.

        * GNUmakefile.list.am: Added new files.
        * platform/graphics/BitmapImage.h: Added a factory method that takes an image surface to
        reduce code churn.
        * platform/graphics/ImageSource.h: NativeImagePtr is now NativeImageCairo*.
        (WebCore):
        * platform/graphics/cairo/BitmapImageCairo.cpp: Copied from Source/WebCore/platform/graphics/cairo/ImageCairo.cpp.
        * platform/graphics/cairo/GraphicsContext3DCairo.cpp: Updated to reflect use of NativeImageCairo.
        * platform/graphics/cairo/ImageCairo.cpp: Ditto.
        * platform/graphics/cairo/NativeImageCairo.cpp: Added.
        * platform/graphics/cairo/NativeImageCairo.h: Added.
        * platform/graphics/cairo/PatternCairo.cpp: Updated to reflect use of NativeImageCairo.
        * platform/graphics/gtk/ImageGtk.cpp: Ditto.
        * platform/image-decoders/cairo/ImageDecoderCairo.cpp: Ditto.

2012-04-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        [GTK] Massive media tests failures since r115288
        https://bugs.webkit.org/show_bug.cgi?id=84950

        Reviewed by Filip Pizlo.

        No new tests.

        Since the "cross-platform" WebCore timer is at too high of a level in terms of the layers 
        of WebKit for JSC to use, we are not currently able to use it in JSC, thus only those 
        platforms that support CoreFoundation can currently take advantage of the new and improved 
        GC activity timer. We've restored the old code paths for those platforms that don't have 
        CF so that they will at least have the same behavior as before when calling garbageCollectSoon.

        * bindings/js/GCController.cpp: Added back the old WebCore timer along with some 
        if-defs that do away with the WebCore timer on platforms that support CoreFoundation.
        (WebCore::GCController::GCController):
        (WebCore::GCController::garbageCollectSoon):
        (WebCore):
        (WebCore::GCController::gcTimerFired):
        * bindings/js/GCController.h: Ditto.
        (GCController):

2012-04-26  Adam Klein  <adamk@chromium.org>

        Don't include V8Proxy.h in ScriptValue.h when V8GCController is all that's required
        https://bugs.webkit.org/show_bug.cgi?id=84986

        Reviewed by Kentaro Hara.

        This makes it easier to include ScriptValue.h since it greatly reduces
        that header's dependencies.

        * bindings/v8/ScriptValue.h: Changed to include just V8GCController.h and
        removed comment which is redundant with explicit V8GCController references nearby.

2012-04-26  Aaron Colwell  <acolwell@chromium.org>

        Fix missing sourceState change on MEDIA_ERR_SOURCE_NOT_SUPPORTED error.
        https://bugs.webkit.org/show_bug.cgi?id=84996

        Reviewed by Eric Carlson.

        No new tests. http/tests/media/media-source/webm/video-media-source-errors.html was updated to verify that webkitSourceState is always SOURCE_CLOSED when the onerror event fires.

        * html/HTMLMediaElement.cpp:
        (WebCore::HTMLMediaElement::noneSupported):

2012-04-26  Antti Koivisto  <antti@apple.com>

        Cache parsed stylesheets
        https://bugs.webkit.org/show_bug.cgi?id=85004

        Reviewed by Andreas Kling.

        CSS parsing is 1-2% of WebKit CPU usage on average pages, more on sites with large stylesheets.
        We currently reparse all stylesheets from source text when they are encountered again. In many
        browsing scenarios we can eliminate a lot of this by caching the parsed stylesheets. For example
        it is very common for subpages of a site to share the stylesheets.
        
        This patch enables memory caching for stylesheets loaded using the <link> element. Only stylesheets
        that have no import rules are cacheable for now.
        
        Cached stylesheets are copied on restore so there is no sharing (and no memory wins) yet.
        In the future we will also be able to share the actual data structures between pages for 
        significant memory savings.
        
        After browsing around for a while <5% of the memory cache data was in parsed stylesheets so this
        does not bloat the cache significantly.

        * css/CSSStyleSheet.cpp:
        (WebCore):
        (WebCore::StyleSheetInternal::estimatedSizeInBytes):
        
            Estimate stylesheet size so we can handle decoded data pruning correctly.

        * css/CSSStyleSheet.h:
        (StyleSheetInternal):
        * css/StylePropertySet.cpp:
        (WebCore::StylePropertySet::averageSizeInBytes):
        (WebCore):
        * css/StylePropertySet.h:
        (StylePropertySet):
        * css/StyleRule.cpp:
        (WebCore::StyleRule::averageSizeInBytes):
        (WebCore):
        * css/StyleRule.h:
        (StyleRule):
        * html/HTMLLinkElement.cpp:
        (WebCore::HTMLLinkElement::setCSSStyleSheet):
        
            Save and restore parsed stylesheet. The current CSS parse context must be identical to the cached 
            stylesheets. This ensures that the parsing results would be identical.

        * loader/cache/CachedCSSStyleSheet.cpp:
        (WebCore):
        (WebCore::CachedCSSStyleSheet::destroyDecodedData):
        (WebCore::CachedCSSStyleSheet::restoreParsedStyleSheet):
        (WebCore::CachedCSSStyleSheet::saveParsedStyleSheet):
        * loader/cache/CachedCSSStyleSheet.h:
        
            The parsed stylesheet cache is considered decoded data, similar to the image bitmaps. It uses the
            same mechanism for pruning.

        (WebCore):
        (CachedCSSStyleSheet):

2012-04-26  Anders Carlsson  <andersca@apple.com>

        A TileCache should never outlive its WebTileCacheLayer
        https://bugs.webkit.org/show_bug.cgi?id=85008
        <rdar://problem/11141172>

        Reviewed by Andreas Kling.

        Since WebTileCacheLayer objects can be destroyed on the scrolling thread, make sure to delete the TileCache layer
        when the PlatformCALayer is destroyed. This fixes a crash when the tile revalidation timer fires after the WebTileCacheLayer has
        been destroyed, but before the TileCache itself has been destroyed.

        * platform/graphics/ca/mac/PlatformCALayerMac.mm:
        (PlatformCALayer::~PlatformCALayer):
        * platform/graphics/ca/mac/WebTileCacheLayer.h:
        * platform/graphics/ca/mac/WebTileCacheLayer.mm:
        (-[WebTileCacheLayer dealloc]):
        (-[WebTileCacheLayer invalidate]):

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Use String instead of RefPtr<StringImpl> for the cache of ObjcClass
        https://bugs.webkit.org/show_bug.cgi?id=84932

        Reviewed by Andreas Kling.

        The cache with RefPtr<StringImpl*> was added with r115007.

        This patch aims at making the code a little easier to read. By using String,
        one would not need to know the Traits for StringImpl.

        * bridge/objc/objc_class.h:
        (ObjcClass):

2012-04-26  Kentaro Hara  <haraken@chromium.org>

        [V8] Pass Isolate to wrap() in SerializedScriptValue.cpp
        https://bugs.webkit.org/show_bug.cgi?id=84923

        Reviewed by Nate Chapin.

        The objective is to pass Isolate around in V8 bindings.
        In this bug we pass Isolate to wrap() in SerializedScriptValue.cpp.

        No tests. No change in behavior.

        * bindings/v8/SerializedScriptValue.cpp:

2012-04-26  Hao Zheng  <zhenghao@chromium.org>

        [chromium] Complex text support for Android.
        https://bugs.webkit.org/show_bug.cgi?id=84431

        Complex text support is different on Android from other platforms.
        There are 2 kinds of font on Android: system fonts and fallback fonts.
        System fonts have a name, and are accessible in FontPlatformData.
        Fallback fonts do not have specific names, so they are not accessible
        from WebKit directly. There is one font for each script support.
        To feed Harfbuzz, use a trick to get correct SkTypeface based on script.

        Reviewed by Tony Chang.

        No new tests. Current tests are runnable on Android.

        * platform/graphics/FontCache.h:
        (FontCache): Make ComplexTextController friend of FontCache on Android.
        * platform/graphics/chromium/FontCacheAndroid.cpp:
        (WebCore::FontCache::createFontPlatformData):
        * platform/graphics/harfbuzz/ComplexTextControllerHarfBuzz.cpp:
        (WebCore::ComplexTextController::getComplexFontPlatformData):
        (WebCore):
        (WebCore::ComplexTextController::setupFontForScriptRun):
        * platform/graphics/harfbuzz/ComplexTextControllerHarfBuzz.h:
        (ComplexTextController):

2012-04-26  Kentaro Hara  <haraken@chromium.org>

        [V8] Pass Isolate to wrap() (Part2)
        https://bugs.webkit.org/show_bug.cgi?id=84922

        Reviewed by Nate Chapin.

        The objective is to pass Isolate around in V8 bindings.
        This patch passes Isolate to wrap() in custom bindings.

        No tests. No change in behavior.

        * bindings/v8/custom/V8LocationCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8NamedNodeMapCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8SVGPathSegCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8StyleSheetCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8Uint16ArrayCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8Uint32ArrayCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8Uint8ArrayCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8Uint8ClampedArrayCustom.cpp:
        (WebCore::toV8):

2012-04-26  Jon Lee  <jonlee@apple.com>

        [WK2] AlternativeTextClient leaks when the page is destroyed
        https://bugs.webkit.org/show_bug.cgi?id=84307
        <rdar://problem/11328431>

        Reviewed by Enrica Casucci.

        * page/AlternativeTextClient.h: Add pageDestroyed() call, as in EditorClient.
        (AlternativeTextClient):
        * page/Page.cpp:
        (WebCore::Page::~Page): When the page is destroyed, notify the client if it exists.

2012-04-26  Kentaro Hara  <haraken@chromium.org>

        [V8] Pass Isolate to wrap() (Part1)
        https://bugs.webkit.org/show_bug.cgi?id=84921

        Reviewed by Nate Chapin.

        The objective is to pass Isolate around in V8 bindings.
        This patch passes Isolate to wrap() in custom bindings.

        No tests. No change in behavior.

        * bindings/v8/custom/V8BlobCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8CSSRuleCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8CSSStyleSheetCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8CSSValueCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8DOMStringMapCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8DOMTokenListCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8DataViewCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8EventCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8Float32ArrayCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8Float64ArrayCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8HTMLCollectionCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8ImageDataCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8Int16ArrayCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8Int32ArrayCustom.cpp:
        (WebCore::toV8):
        * bindings/v8/custom/V8Int8ArrayCustom.cpp:
        (WebCore::toV8):

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        ObjcClass::methodsNamed() can leak if buffer is dynamically allocated
        https://bugs.webkit.org/show_bug.cgi?id=84668

        Reviewed by Alexey Proskuryakov.

        Change ObjcClass::methodsNamed() to be based on a vector instead of managing
        the memory manually.

        Tests: platform/mac/plugins/bindings-objc-long-method-name.html
               platform/mac/plugins/bindings-objc-method-name-conversion.html

        * bridge/objc/objc_class.mm:
        (Bindings):
        (JSC::Bindings::convertJSMethodNameToObjc):
        (JSC::Bindings::ObjcClass::methodsNamed):

2012-04-26  Justin Novosad  <junov@chromium.org>

        [Chromium] Single buffered canvas layers with the threaded compositor
        https://bugs.webkit.org/show_bug.cgi?id=80540

        Reviewed by James Robinson.

        Tests:
        CCLayerTreeHostTestWriteLayersRedraw
        CCLayerTreeHostTestWriteLayersAfterVisible
        Canvas2DLayerChromiumTest.testFullLifecycleSingleThreadDeferred
        Canvas2DLayerChromiumTest.testFullLifecycleThreadDeferred
        CCSchedulerTest.VisibilitySwitchWithTextureAcquisition
        CCSchedulerTest.TextureAcquisitionCollision

        Disable double buffering and rate limiting on accelerated canvas
        when the threaded compositor and deferred canvas are enabled.
        Concurrent access to the layer texture by the main renderer thread and
        the compositor thread is avoided by enforcing a lock. The state of the
        lock is maintained by CCSchedulerStateMachine. Write access by the main
        thread is acquired through a signal round trip to the compositor thread,
        which may block the main thread in the event that one or more committed
        layers need to be protected until the compositor completes the requested
        draw. Draws on the impl thread are cancelled if the main thread has
        obtained write access to the texture.  The write access is relinquished
        by the main thread upon commit completion.  The scheduler state machine
        is responsible for preventing the texture lock from causing deadlocks by
        detecting and resolving problematic states.

        * platform/graphics/chromium/Canvas2DLayerChromium.cpp:
        (WebCore::Canvas2DLayerChromium::create):
        (WebCore::Canvas2DLayerChromium::Canvas2DLayerChromium):
        (WebCore::Canvas2DLayerChromium::~Canvas2DLayerChromium):
        (WebCore::Canvas2DLayerChromium::drawingIntoImplThreadTexture):
        (WebCore):
        (WebCore::Canvas2DLayerChromium::setTextureId):
        (WebCore::Canvas2DLayerChromium::setNeedsDisplayRect):
        (WebCore::Canvas2DLayerChromium::update):
        (WebCore::Canvas2DLayerChromium::layerWillDraw):
        (WebCore::Canvas2DLayerChromium::pushPropertiesTo):
        * platform/graphics/chromium/Canvas2DLayerChromium.h:
        * platform/graphics/chromium/cc/CCLayerTreeHost.cpp:
        (WebCore::CCLayerTreeHost::acquireLayerTextures):
        (WebCore):
        * platform/graphics/chromium/cc/CCLayerTreeHost.h:
        (CCLayerTreeHost):
        * platform/graphics/chromium/cc/CCProxy.h:
        (CCProxy):
        * platform/graphics/chromium/cc/CCScheduler.cpp:
        (WebCore::CCScheduler::setMainThreadNeedsLayerTextures):
        (WebCore):
        (WebCore::CCScheduler::processScheduledActions):
        * platform/graphics/chromium/cc/CCScheduler.h:
        (CCSchedulerClient):
        (CCScheduler):
        * platform/graphics/chromium/cc/CCSchedulerStateMachine.cpp:
        (WebCore::CCSchedulerStateMachine::CCSchedulerStateMachine):
        (WebCore::CCSchedulerStateMachine::drawSuspendedUntilCommit):
        (WebCore):
        (WebCore::CCSchedulerStateMachine::scheduledToDraw):
        (WebCore::CCSchedulerStateMachine::shouldDraw):
        (WebCore::CCSchedulerStateMachine::shouldAcquireLayerTexturesForMainThread):
        (WebCore::CCSchedulerStateMachine::nextAction):
        (WebCore::CCSchedulerStateMachine::updateState):
        (WebCore::CCSchedulerStateMachine::setMainThreadNeedsLayerTextures):
        * platform/graphics/chromium/cc/CCSchedulerStateMachine.h:
        (CCSchedulerStateMachine):
        * platform/graphics/chromium/cc/CCSingleThreadProxy.h:
        * platform/graphics/chromium/cc/CCThreadProxy.cpp:
        (WebCore::CCThreadProxy::CCThreadProxy):
        (WebCore::CCThreadProxy::beginFrame):
        (WebCore::CCThreadProxy::scheduledActionDrawAndSwapInternal):
        (WebCore):
        (WebCore::CCThreadProxy::acquireLayerTextures):
        (WebCore::CCThreadProxy::acquireLayerTexturesForMainThreadOnImplThread):
        (WebCore::CCThreadProxy::scheduledActionAcquireLayerTexturesForMainThread):
        * platform/graphics/chromium/cc/CCThreadProxy.h:
        (CCThreadProxy):
        * platform/graphics/skia/ImageBufferSkia.cpp:
        (WebCore):
        (WebCore::AcceleratedDeviceContext::AcceleratedDeviceContext):
        (WebCore::AcceleratedDeviceContext::prepareForDraw):
        (AcceleratedDeviceContext):
        (WebCore::createAcceleratedCanvas):
        (WebCore::ImageBuffer::context):

2012-04-26  Kentaro Hara  <haraken@chromium.org>

        [V8] Pass Isolate to toV8() in SerializedScriptValue.cpp
        https://bugs.webkit.org/show_bug.cgi?id=84918

        Reviewed by Nate Chapin.

        This is the last step to pass Isolate around in
        SerializedScriptValue.cpp. This patch passes Isolate
        to toV8().

        No tests. No change in behavior.

        * bindings/v8/SerializedScriptValue.cpp:

2012-04-26  Kentaro Hara  <haraken@chromium.org>

        [V8] Pass Isolate to wrapSlow()
        https://bugs.webkit.org/show_bug.cgi?id=84919

        Reviewed by Nate Chapin.

        The objective is to pass Isolate around in V8 bindings.
        In this bug, we pass Isolate to wrapSlow().

        Test: bindings/scripts/test/TestObj.idl etc

        * bindings/scripts/CodeGeneratorV8.pm: Modified as described above.
        (GenerateHeader):
        (GenerateToV8Converters):

        * bindings/scripts/test/V8/V8Float64Array.cpp: Updated run-bindings-tests.
        (WebCore::V8Float64Array::wrapSlow):
        * bindings/scripts/test/V8/V8Float64Array.h:
        (V8Float64Array):
        (WebCore::V8Float64Array::wrap):
        * bindings/scripts/test/V8/V8TestActiveDOMObject.cpp:
        (WebCore::V8TestActiveDOMObject::wrapSlow):
        * bindings/scripts/test/V8/V8TestActiveDOMObject.h:
        (V8TestActiveDOMObject):
        (WebCore::V8TestActiveDOMObject::wrap):
        * bindings/scripts/test/V8/V8TestCustomNamedGetter.cpp:
        (WebCore::V8TestCustomNamedGetter::wrapSlow):
        * bindings/scripts/test/V8/V8TestCustomNamedGetter.h:
        (V8TestCustomNamedGetter):
        (WebCore::V8TestCustomNamedGetter::wrap):
        * bindings/scripts/test/V8/V8TestEventConstructor.cpp:
        (WebCore::V8TestEventConstructor::wrapSlow):
        * bindings/scripts/test/V8/V8TestEventConstructor.h:
        (V8TestEventConstructor):
        (WebCore::V8TestEventConstructor::wrap):
        * bindings/scripts/test/V8/V8TestEventTarget.cpp:
        (WebCore::V8TestEventTarget::wrapSlow):
        * bindings/scripts/test/V8/V8TestEventTarget.h:
        (V8TestEventTarget):
        (WebCore::V8TestEventTarget::wrap):
        * bindings/scripts/test/V8/V8TestInterface.cpp:
        (WebCore::V8TestInterface::wrapSlow):
        * bindings/scripts/test/V8/V8TestInterface.h:
        (V8TestInterface):
        (WebCore::V8TestInterface::wrap):
        * bindings/scripts/test/V8/V8TestMediaQueryListListener.cpp:
        (WebCore::V8TestMediaQueryListListener::wrapSlow):
        * bindings/scripts/test/V8/V8TestMediaQueryListListener.h:
        (V8TestMediaQueryListListener):
        (WebCore::V8TestMediaQueryListListener::wrap):
        * bindings/scripts/test/V8/V8TestNamedConstructor.cpp:
        (WebCore::V8TestNamedConstructor::wrapSlow):
        * bindings/scripts/test/V8/V8TestNamedConstructor.h:
        (V8TestNamedConstructor):
        (WebCore::V8TestNamedConstructor::wrap):
        * bindings/scripts/test/V8/V8TestNode.cpp:
        (WebCore::V8TestNode::wrapSlow):
        * bindings/scripts/test/V8/V8TestNode.h:
        (V8TestNode):
        (WebCore::V8TestNode::wrap):
        * bindings/scripts/test/V8/V8TestObj.cpp:
        (WebCore::V8TestObj::wrapSlow):
        * bindings/scripts/test/V8/V8TestObj.h:
        (V8TestObj):
        (WebCore::V8TestObj::wrap):
        * bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.cpp:
        (WebCore::V8TestSerializedScriptValueInterface::wrapSlow):
        * bindings/scripts/test/V8/V8TestSerializedScriptValueInterface.h:
        (V8TestSerializedScriptValueInterface):
        (WebCore::V8TestSerializedScriptValueInterface::wrap):

2012-04-25  Antonio Gomes  <agomes@rim.com>

        Add ScrollAnimatorBlackBerry as an extension to ScrollAnimatorNone
        https://bugs.webkit.org/show_bug.cgi?id=84625

        Reviewed by Anders Carlsson.

        Patch adds ScrollAnimatorBlackBerry class as an extension of
        ScrollAnimatorNone. The main goal here is extending the latter to allow
        overscrolling while the animation runs.

        Once the animation finishes, the flag gets reset and
        ScrollableArea::constrainsScrollingtoContentEdge is set back to the value
        it had before, so this method has to be explicitly called anytime it is wanted.

        * CMakeLists.txt:
        * platform/ScrollAnimator.h:
        (WebCore::ScrollAnimator::animationWillStart):
        (WebCore::ScrollAnimator::animationDidFinish):
        (ScrollAnimator):
        * platform/ScrollAnimatorNone.cpp:
        (WebCore):
        (WebCore::ScrollAnimatorNone::scroll):
        (WebCore::ScrollAnimatorNone::animationTimerFired):
        * platform/blackberry/ScrollAnimatorBlackBerry.cpp: Added.
        (WebCore):
        (WebCore::ScrollAnimator::create):
        (WebCore::ScrollAnimatorBlackBerry::ScrollAnimatorBlackBerry):
        (WebCore::ScrollAnimatorBlackBerry::animationWillStart):
        (WebCore::ScrollAnimatorBlackBerry::animationDidFinish):
        (WebCore::ScrollAnimatorBlackBerry::setDisableConstrainsScrollingToContentEdgeWhileAnimating):
        * platform/blackberry/ScrollAnimatorBlackBerry.h: Added.
        (WebCore):
        (ScrollAnimatorBlackBerry):

2012-04-26  Antonio Gomes  <agomes@rim.com>

        [BlackBerry] Add smooth_scrolling options to CMAKE and enable it for Blackberry
        https://bugs.webkit.org/show_bug.cgi?id=84954

        Reviewed by Daniel Bates.

        Add the default scroll animator to the build system (ScrollAnimatorNone.cpp)

        * CMakeLists.txt:

2012-04-25  Antonio Gomes  <agomes@rim.com>

        Make ScrollView::scrollSize scrollbar-independent
        https://bugs.webkit.org/show_bug.cgi?id=84873

        Reviewed by Anders Carlsson.

        For ports that disable scrollbars creation at FrameView creation time
        ScrollView::scrollSize should still return the scrollable amount of
        content (if any) if scrolling is not prohibited.

        No new test, but it makes ScrollAnimator work for the BlackBerry port.

        * platform/ScrollView.cpp:
        (WebCore::ScrollView::scrollSize):

2012-04-25  Anders Carlsson  <andersca@apple.com>

        The tile cache should know if a frame view can ever have scrollbars
        https://bugs.webkit.org/show_bug.cgi?id=84888

        Reviewed by Andreas Kling.

        If a frame view has overflow: hidden on its body element we know that the document will most
        likely never be scrolled. The tile cache should know about this so we can optimize.

        * page/FrameView.cpp:
        (WebCore::FrameView::performPostLayoutTasks):
        * platform/graphics/TiledBacking.h:
        (TiledBacking):
        * platform/graphics/ca/mac/TileCache.h:
        (TileCache):
        * platform/graphics/ca/mac/TileCache.mm:
        (WebCore::TileCache::TileCache):
        (WebCore::TileCache::setCanHaveScrollbars):
        (WebCore):
        * rendering/RenderLayerBacking.cpp:
        (WebCore::RenderLayerBacking::RenderLayerBacking):

2012-04-26  Ken Buchanan  <kenrb@chromium.org>

        Crash from removal of line break object after layout
        https://bugs.webkit.org/show_bug.cgi?id=75461

        Reviewed by David Hyatt.

        There is a condition where objects can get removed from underneath
        inlines while they represent a line break object in a RootInlineBox
        of an ancestor block. If an intermediary inline has already been
        marked as needing layout, then the line box will not get dirtied
        because dirtyLineFromChangedChild thinks it already has been.

        This patch introduces a new set in RenderObject to indicate whether
        an ancestral line box corresponding to the current line has been
        marked dirty or not. dirtyLinesFromChangedChild() can use this set 
        rather than m_selfNeedsLayout, so it will not be confused if a
        container was dirtied for some other reason that did not affect the
        line box.

        * rendering/RenderLineBoxList.cpp:
        (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild): Use the new
        set rather than m_selfNeedsLayout in the container to determine
        whether to continue propagating upward.
        * rendering/RenderObject.cpp:
        (WebCore::RenderObject::s_ancestorLineboxDirtySet): Instantiate the
        static member.
        (WebCore::RenderObject::willBeDestroyed): Clears the object from the
        linebox set when it is being destroyed.
        * rendering/RenderObject.h:
        (WebCore::RenderObject::s_ancestorLineboxDirtySet): Added static
        member set.
        (WebCore::RenderObject::setNeedsLayout): Clears the
        object from the linebox set when layout bits are getting cleared.
        (WebCore::RenderObject::ancestorLineBoxDirty): Added.
        (WebCore::RenderObject::setAncestorLineBoxDirty): Added.

2012-04-26  Christophe Dumez  <christophe.dumez@intel.com>

        [EFL] Enable VIDEO_TRACK feature
        https://bugs.webkit.org/show_bug.cgi?id=84830

        Reviewed by Gustavo Noronha Silva.

        Enable support for VIDEO_TRACK feature by default for EFL port.

        * UseJSC.cmake:
        * bindings/generic/RuntimeEnabledFeatures.cpp:
        (WebCore):

2012-04-26  Antti Koivisto  <antti@apple.com>

        Implement StyleSheetInternal copying
        https://bugs.webkit.org/show_bug.cgi?id=84969

        Reviewed by Andreas Kling.

        We need to be able to copy stylesheets to cache them. Copying is already implemented for
        most of the stylesheet data types but StyleSheetInternal::copy() is still missing.
        
        Preparation for stylesheet caching. The copying code is not used yet.

        * css/CSSNamespace.h:
        
            Instead of making it copyable, remove CSSNamespace class.
    
        * css/CSSParser.cpp:
        (WebCore::operator==):
        (WebCore):
        (WebCore::CSSParser::addNamespace):
        
            Avoid ping-ponging to StyleSheetInternal and back to set the default namespace.

        * css/CSSParserMode.h:
        (WebCore):
        (WebCore::operator!=):

            Add equality comparison operator to CSSParseMode. This will be needed to determine
            if a cached copy can be used.
            
        * css/CSSStyleSheet.cpp:
        (WebCore::StyleSheetInternal::StyleSheetInternal):
        (WebCore):
        (WebCore::StyleSheetInternal::isCacheable):
        (WebCore::StyleSheetInternal::parserAddNamespace):
        (WebCore::StyleSheetInternal::determineNamespace):
        
            Use HashMap instead of iterating a linked list of CSSNamespaces.

        (WebCore::StyleSheetInternal::styleSheetChanged):
        
            Add mutation bit.

        * css/CSSStyleSheet.h:
        (WebCore):
        (StyleSheetInternal):
        (WebCore::StyleSheetInternal::copy):
        
            Copy constructor. It is only usable for cacheable stylesheets.

2012-04-26  Philip Rogers  <pdr@google.com>

        Fix Skia's SkPathContainsPoint to work with sub-pixel accuracy
        https://bugs.webkit.org/show_bug.cgi?id=84117

        Reviewed by Eric Seidel.

        Because we do hit testing in object-space (i.e., we may see a 0.1px*0.1px path) we
        need to support sub-pixel hit testing in Skia. Skia does not provide analytical
        path hit testing, so hit tests are done by rasterizing a path and checking if a
        specific pixel is drawn. SkPathContainsPoint did not work with sub-pixel values
        because this rasterization was sometimes very small which did not give enough
        resolution to check if the hit test pixel was drawn.

        This patch scales the path to a very large size during hit testing so that Skia's
        raster-based hit testing will work properly. Because Skia avoids unnecessary
        path rasterization, this is actually inexpensive.

        Below is a summary of a performance test on simple and complex paths:
                                                 (before patch, after patch)
        Skia/Chrome 10,000 hit tests on a simple path:  (229ms, 238ms)
        Skia/Chrome 10,000 hit tests on a complex path: (701ms, 704ms)
        For comparison, CG/Safari takes 236ms on the simple path and 466ms on the complex path.
 
        Therefore, this patch introduces a small but measurable regression in hit testing
        performance due to scaling the path.

        Test: svg/hittest/svg-small-path.xhtml

        * platform/graphics/skia/SkiaUtils.cpp:
        (WebCore::SkPathContainsPoint):

2012-04-26  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r115323.
        http://trac.webkit.org/changeset/115323
        https://bugs.webkit.org/show_bug.cgi?id=84975

        Bad test, breaks all builds (Requested by apavlov1 on
        #webkit).

        * inspector/Inspector.json:
        * inspector/InspectorPageAgent.cpp:
        (WebCore::InspectorPageAgent::enable):
        (WebCore::InspectorPageAgent::disable):
        * inspector/InspectorPageAgent.h:
        * inspector/front-end/Settings.js:
        * inspector/front-end/SettingsScreen.js:
        (WebInspector.SettingsScreen):
        * inspector/front-end/inspector.js:

2012-04-26  Douglas Stockwell  <dstockwell@chromium.org>

        IndexedDB: cursor does not correctly iterate over keys added and removed during iteration
        https://bugs.webkit.org/show_bug.cgi?id=84467

        Reviewed by Ojan Vafai.

        Ensure that the iterator over the tree of cached adds/removes always points at
        the current key, or if the db iterator is current, the next key:
        
        - When refreshing the tree iterator after a mutation, always seek unless the
        tree iterator is current.
        
        - When handling conflicts and delete markers, only advance the tree iterator as
        far as the db iterator.
        
        Remove the expensive (and now redundant) logic that issued a get() to check
        whether an item had been deleted.

        Test: storage/indexeddb/cursor-added-bug.html

        * Modules/indexeddb/IDBLevelDBBackingStore.cpp:
        (WebCore):
        * platform/leveldb/LevelDBTransaction.cpp:
        (WebCore::LevelDBTransaction::TransactionIterator::refreshTreeIterator):
        (WebCore::LevelDBTransaction::TransactionIterator::handleConflictsAndDeletes):

2012-04-26  Alexander Pavlov  <apavlov@chromium.org>

        Web Inspector: Implement the "Disable JavaScript" option in the settings dialog
        https://bugs.webkit.org/show_bug.cgi?id=84946

        Based on user actions in the Inspector frontend, InspectorPageAgent invokes Settings::setScriptEnabled()
        for the associated page to switch the script execution therein.

        Reviewed by Yury Semikhatsky.

        Test: inspector/debugger/disable-script.html

        * inspector/Inspector.json:
        * inspector/InspectorPageAgent.cpp:
        (PageAgentState):
        (WebCore::InspectorPageAgent::enable):
        (WebCore::InspectorPageAgent::disable):
        (WebCore::InspectorPageAgent::getScriptExecutionStatus):
        (WebCore):
        (WebCore::InspectorPageAgent::setScriptExecutionDisabled):
        * inspector/InspectorPageAgent.h:
        * inspector/front-end/Settings.js:
        * inspector/front-end/SettingsScreen.js:
        (WebInspector.SettingsScreen):
        (WebInspector.SettingsScreen.prototype.get _updateScriptDisabledCheckbox):
        (WebInspector.SettingsScreen.prototype._javaScriptDisabledChanged):
        * inspector/front-end/inspector.js:

2012-04-26  Dominik Röttsches  <dominik.rottsches@linux.intel.com>

        [cairo] CairoGraphicsContext fillRect (with Color) overrides composite operator
        https://bugs.webkit.org/show_bug.cgi?id=84848

        Reviewed by Martin Robinson.

        FillRectWithColor used to be called fillRectSourceOver before r89314
        where this operator still made sense. The way this function is used
        these days doesn't expect the composite operator to be overridden anymore.

        No new tests, covered by existing tests, e.g.
        svg/filters/feDropShadow.svg

        * platform/graphics/cairo/GraphicsContextCairo.cpp:
        (WebCore::fillRectWithColor):

2012-04-26  Nikolas Zimmermann  <nzimmermann@rim.com>

        Fix additive by animations for most SMIL list types
        https://bugs.webkit.org/show_bug.cgi?id=84968

        Reviewed by Antti Koivisto.

        Unify SMIL list animation code, to correctly respect the underlying from value for by-animations.
        Add lots of new tests covering by-animations for all primitives (except AnimatedPath/TransformList).
        AnimatedTransformList is not working correctly yet, and will be covered in a follow-up patch.
        AnimatedPath by-animations are complex, and thus also handled in another follow-up patch.

        Tests: svg/animations/additive-type-by-animation.html
               svg/animations/length-list-animation-expected.svg
               svg/animations/length-list-animation.svg
               svg/animations/svglength-additive-by-1.html
               svg/animations/svglength-additive-by-2.html
               svg/animations/svglength-additive-by-3.html
               svg/animations/svglength-additive-by-4.html
               svg/animations/svglength-additive-by-5.html
               svg/animations/svglength-additive-by-6.html
               svg/animations/svglength-additive-from-by-1.html
               svg/animations/svglength-additive-from-by-2.html
               svg/animations/svglength-additive-from-by-3.html
               svg/animations/svglength-additive-from-by-4.html

        * svg/SVGAnimatedLengthList.cpp:
        (WebCore::SVGAnimatedLengthListAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedLengthListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumberList.cpp:
        (WebCore::SVGAnimatedNumberListAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedNumberListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedPointList.cpp:
        (WebCore::SVGAnimatedPointListAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedPointListAnimator::calculateAnimatedValue):
        * svg/SVGAnimationElement.h:
        (WebCore::SVGAnimationElement::adjustFromToListValues):

2012-04-26  Antti Koivisto  <antti@apple.com>

        Add copy constructor to CSSSelector
        https://bugs.webkit.org/show_bug.cgi?id=84956

        Reviewed by Anders Carlsson.

        To copy CSSSelectorLists correctly CSSSelector needs a copy constructor.
        
        This will be needed to implement stylesheet caching. The code is not used yet.

        * css/CSSSelector.cpp:
        (WebCore::CSSSelector::createRareData):
        * css/CSSSelector.h:
        (CSSSelector):
        (WebCore::CSSSelector::RareData::create):
        (RareData):
        
            Refcount RareData to make copying easier. This has no significant memory impact, rare data is rare.

        (WebCore::CSSSelector::CSSSelector):
        (WebCore):
        (WebCore::CSSSelector::~CSSSelector):
        * css/CSSSelectorList.cpp:
        (WebCore::CSSSelectorList::CSSSelectorList):
        
            Use copy constructor instead of memcpy (which doesn't work).

2012-04-26  Raphael Kubo da Costa  <rakuco@webkit.org>

        [EFL] Fix the build with DRAG_SUPPORT disabled.
        https://bugs.webkit.org/show_bug.cgi?id=84963

        Reviewed by Antonio Gomes.

        No new tests, build system-related change.

        EventHandlerEfl.cpp always assumed DRAG_SUPPORT was enabled and lacked
        the proper #if ENABLED() checks for some member variables and methods
        conditionally defined in EventHandler.h.

        * page/efl/EventHandlerEfl.cpp:
        (WebCore):

2012-04-26  Pavel Feldman  <pfeldman@chromium.org>

        Web Inspector: remove stackTrace property from requestWillBeSent - it is already a part of the initiator.
        https://bugs.webkit.org/show_bug.cgi?id=84964

        Reviewed by Yury Semikhatsky.

        * inspector/InspectorResourceAgent.cpp:
        (WebCore::InspectorResourceAgent::willSendRequest):
        * inspector/front-end/ConsoleMessage.js:
        (WebInspector.ConsoleMessageImpl.prototype._formatMessage):
        * inspector/front-end/NetworkManager.js:
        (WebInspector.NetworkDispatcher.prototype.requestWillBeSent):
        (WebInspector.NetworkDispatcher.prototype.requestServedFromMemoryCache):
        (WebInspector.NetworkDispatcher.prototype._appendRedirect):
        (WebInspector.NetworkDispatcher.prototype._createNetworkRequest):
        (get WebInspector):

2012-04-26  Stephen Chenney  <schenney@chromium.org>

        SVG FEConvolveMatrix does not check for invalid property values
        https://bugs.webkit.org/show_bug.cgi?id=84363

        Reviewed by Dirk Schulze.

        Adding code to check for valid input values on SVG feConvolveMatrix properties.
        And adding some of the first effective error reporting for SVG elements.

        Tests: svg/filters/feConvolveMatrix-invalid-targetX-expected.svg
               svg/filters/feConvolveMatrix-invalid-targetX.svg
               svg/filters/feConvolveMatrix-invalid-targetY-expected.svg
               svg/filters/feConvolveMatrix-invalid-targetY.svg
               svg/filters/feConvolveMatrix-negative-kernelUnitLengthX-expected.svg
               svg/filters/feConvolveMatrix-negative-kernelUnitLengthX.svg
               svg/filters/feConvolveMatrix-negative-kernelUnitLengthY-expected.svg
               svg/filters/feConvolveMatrix-negative-kernelUnitLengthY.svg
               svg/filters/feConvolveMatrix-negative-orderX-expected.svg
               svg/filters/feConvolveMatrix-negative-orderX.svg
               svg/filters/feConvolveMatrix-negative-orderY-expected.svg
               svg/filters/feConvolveMatrix-negative-orderY.svg
               svg/filters/feConvolveMatrix-non-integral-order-expected.svg
               svg/filters/feConvolveMatrix-non-integral-order.svg
               svg/filters/feConvolveMatrix-zero-divisor-expected.svg
               svg/filters/feConvolveMatrix-zero-divisor.svg

        * platform/graphics/filters/FEConvolveMatrix.cpp:
        (WebCore::FEConvolveMatrix::FEConvolveMatrix):
        (WebCore::FEConvolveMatrix::setKernelSize):
        (WebCore::FEConvolveMatrix::setDivisor):
        (WebCore::FEConvolveMatrix::setKernelUnitLength):
        * svg/SVGFEConvolveMatrixElement.cpp:
        (WebCore::SVGFEConvolveMatrixElement::parseAttribute):
        (WebCore::SVGFEConvolveMatrixElement::build):

2012-04-26  Allan Sandfeld Jensen  <allan.jensen@nokia.com>

        Move WebKit1 specific conversion of touch-events to WebKit1.
        https://bugs.webkit.org/show_bug.cgi?id=84951

        Reviewed by Kenneth Rohde Christiansen.

        No change in functionality. No new tests. 

        * Target.pri:
        * platform/PlatformTouchEvent.h:
        (PlatformTouchEvent):
        * platform/PlatformTouchPoint.h:
        (PlatformTouchPoint):
        * platform/qt/PlatformTouchEventQt.cpp: Removed.
        * platform/qt/PlatformTouchPointQt.cpp: Removed.

2012-04-26  Nikolas Zimmermann  <nzimmermann@rim.com>

        Share code used to animate numbers types between all animators
        https://bugs.webkit.org/show_bug.cgi?id=84945

        Reviewed by Antti Koivisto.

        Refactor animateAdditiveNumber() from SVGAnimatedNumberAnimator into SVGAnimationElement,
        to reuse it for all primitives. Converted most primitives to use the new code. Lists, paths,
        colors are still todo.

        Doesn't affect any tests.

        * svg/SVGAnimatedAngle.cpp:
        (WebCore::SVGAnimatedAngleAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedInteger.cpp:
        (WebCore::SVGAnimatedIntegerAnimator::calculateAnimatedInteger):
        (WebCore::SVGAnimatedIntegerAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedInteger.h:
        (SVGAnimatedIntegerAnimator):
        * svg/SVGAnimatedIntegerOptionalInteger.cpp:
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedIntegerOptionalIntegerAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedLength.cpp:
        (WebCore::SVGAnimatedLengthAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedLengthList.cpp:
        (WebCore::SVGAnimatedLengthListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumber.cpp:
        (WebCore::SVGAnimatedNumberAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumber.h:
        * svg/SVGAnimatedNumberList.cpp:
        (WebCore::SVGAnimatedNumberListAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumberOptionalNumber.cpp:
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedNumberOptionalNumberAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedNumberOptionalNumber.h:
        * svg/SVGAnimatedRect.cpp:
        (WebCore::SVGAnimatedRectAnimator::calculateAnimatedValue):
        * svg/SVGAnimationElement.h:
        (WebCore::SVGAnimationElement::animateAdditiveNumber):
        (SVGAnimationElement):

2012-04-26  Ryosuke Niwa  <rniwa@webkit.org>

        Forgotten build fix after r115227.

        * css/StylePropertySet.cpp:
        (WebCore::StylePropertySet::get4Values):

2012-04-26  Mihnea Ovidenie  <mihnea@adobe.com>

        Crash when collecting svg symbol element in named flow.
        https://bugs.webkit.org/show_bug.cgi?id=84493

        Reviewed by David Hyatt.

        Test: fast/regions/symbol-in-named-flow-crash.svg

        * dom/Element.cpp:
        (WebCore::Element::~Element):
        Add an assert that an element that was collected into a named flow was already removed at this point
        (when the document is not in the process of destruction)
        (WebCore::Element::unregisterNamedFlowContentNode):
        Created a new function for unregistering a content node. In the future, this function may be used for
        content nodes from shadow dom.
        (WebCore::Element::detach):
        * dom/Element.h:
        (Element):
        * dom/NodeRenderingContext.cpp:
        (WebCore::NodeRenderingContext::moveToFlowThreadIfNeeded):
        Prevent elements that are part of shadow dom from being collected into a named flow.

2012-04-26  Nikolas Zimmermann  <nzimmermann@rim.com>

        Share code used to animate discrete types between all animators
        https://bugs.webkit.org/show_bug.cgi?id=84853

        Reviewed by Andreas Kling.

        Share by-animation handling for non-additive types in a central method in SVGAnimatedTypeAnimator,
        to be reusable by SVGAnimatedBoolean/Enumeration/PreserveAspectRatio/String. Add a new test covering
        that these animations have no effect.

        Test: svg/animations/non-additive-type-by-animation.html

        * svg/SVGAnimateElement.cpp:
        (WebCore::SVGAnimateElement::calculateFromAndByValues):
        (WebCore::SVGAnimateElement::isAdditive):
        * svg/SVGAnimateElement.h:
        (SVGAnimateElement):
        * svg/SVGAnimateMotionElement.cpp:
        (WebCore::SVGAnimateMotionElement::calculateFromAndByValues):
        * svg/SVGAnimatedBoolean.cpp:
        (WebCore::isTrueString):
        (WebCore::SVGAnimatedBooleanAnimator::constructFromString):
        (WebCore::SVGAnimatedBooleanAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedBooleanAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedEnumeration.cpp:
        (WebCore::SVGAnimatedEnumerationAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedEnumerationAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedPreserveAspectRatio.cpp:
        (WebCore::SVGAnimatedPreserveAspectRatioAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedPreserveAspectRatioAnimator::calculateAnimatedValue):
        * svg/SVGAnimatedString.cpp:
        (WebCore::SVGAnimatedStringAnimator::addAnimatedTypes):
        (WebCore::SVGAnimatedStringAnimator::calculateAnimatedValue):
        * svg/SVGAnimationElement.cpp:
        (WebCore::SVGAnimationElement::startedActiveInterval):
        * svg/SVGAnimationElement.h:
        (SVGAnimationElement):
        (WebCore::SVGAnimationElement::animateDiscreteType):

2012-04-26  Chris Fleizach2  <cfleizach@apple.com>

        CrashTracer: [USER] 157 crashes in WebProcess at com.apple.WebCore: WebCore::AccessibilityRenderObject::isAttachment const + 29
        https://bugs.webkit.org/show_bug.cgi?id=84463

        Reviewed by Darin Adler.

        Accessibility was not being enabled when WK2 was asking only for the focused UI element.

        No layout test could be written because the WKTestRunner mechanism works differently when asking for this.

        * accessibility/AXObjectCache.cpp:
        (WebCore::AXObjectCache::focusedUIElementForPage):
        (WebCore::AXObjectCache::rootObject):
        (WebCore::AXObjectCache::rootObjectForFrame):

2012-04-25  Dana Jansens  <danakj@chromium.org>

        [chromium] Remove guarded virtual methods from WebFilterOperation API
        https://bugs.webkit.org/show_bug.cgi?id=84926

        Reviewed by James Robinson.

        * WebCore.gypi:
        * platform/chromium/support/WebFilterOperation.cpp: Removed.
        * platform/chromium/support/WebFilterOperations.cpp:
        (WebKit::WebFilterOperations::append):

2012-04-25  Benjamin Poulain  <benjamin@webkit.org>

        Add a version of StringImpl::find() without offset
        https://bugs.webkit.org/show_bug.cgi?id=83968

        Reviewed by Sam Weinig.

        Remove the zero offset of the find() functions on strings.

        * html/parser/XSSAuditor.cpp:
        (WebCore::XSSAuditor::init):
        * platform/network/ResourceResponseBase.cpp:
        (WebCore::trimToNextSeparator):
        (WebCore::parseCacheHeader):

2012-04-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        WebCore shouldn't call collectAllGarbage directly
        https://bugs.webkit.org/show_bug.cgi?id=84897

        Reviewed by Geoffrey Garen.

        No new tests. 

        Currently, GCController calls Heap::collectAllGarbage directly, which leads 
        to an overload of collections as the timer in GCController and the timer in 
        GCActivityCallback compete for collection time and fire independently. As a 
        result, we end up doing almost 600 full collections during an in-browser run 
        of SunSpider, or 20 full collections on a single load of TechCrunch. 

        We can do better by preventing WebCore from calling collectAllGarbage directly 
        and instead going through Heap::reportAbandonedObjectGraph, since that is what 
        WebCore is trying to do--notify the Heap that a lot of garbage may have just 
        been generated when we left a page.

        * WebCore.exp.in:
        * bindings/js/GCController.cpp: Removed all timer stuff.
        (WebCore::GCController::GCController):
        (WebCore::GCController::garbageCollectSoon): Changed to call Heap::reportAbandonedObjectGraph.
        (WebCore::GCController::garbageCollectNow): Changed to still directly call collectAllGarbage.
        We will deprecate this function soon hopefully.
        * bindings/js/GCController.h: Removed timer stuff.
        (GCController):
        * bindings/js/ScriptProfiler.cpp:
        (WebCore::ScriptProfiler::collectGarbage): Changed to call garbageCollectSoon.

2012-04-25  James Robinson  <jamesr@chromium.org>

        [chromium] REGRESSION(112286) Compositor initialization blocks for program compilation / linking
        https://bugs.webkit.org/show_bug.cgi?id=84822

        Reviewed by Adrienne Walker.

        r112286 introduced a subtle regression in the chromium compositor startup sequence - by querying the texture
        copy program's uniform location at the end of LayerRendererChromium::initialize(), the compositor's thread was
        blocked until the service side compiled _all_ eagerly initialized shaders. The intent of the way the compositor
        programs are created is that a set of commonly-used programs are sent to the service side, but no blocking calls
        are made until after we go through the first paint (with the hope that the service side will complete the
        compilation by then).

        Fixed by moving program initialization (which also grabs uniform locations) until the first actual use of the
        copier. It may be worth deferring the program initialization completely if it's not used very often.

        Added unit test in LayerRendererChromiumTests to make sure LRC initialization does not make any
        synchronous calls (like getUniformLocation()).

        * platform/graphics/chromium/TextureCopier.cpp:
        (WebCore::AcceleratedTextureCopier::AcceleratedTextureCopier):
        (WebCore::AcceleratedTextureCopier::copyTexture):

2012-04-25  Jason Liu  <jason.liu@torchmobile.com.cn>

        [BlackBerry] Authenticated proxy isn't working.
        https://bugs.webkit.org/show_bug.cgi?id=84579

        Reviewed by Antonio Gomes.

        We should try to get username and password from WiFi advanced configuration first
        when 407 is received.

        No new tests. This is covered by existing http tests when proxy's username and password
        are configured for WiFi.

        * platform/network/blackberry/NetworkJob.cpp:
        (WebCore::NetworkJob::sendRequestWithCredentials):

2012-04-25  Alec Flett  <alecflett@chromium.org>

        IndexedDB: implement cursor.advance()
        https://bugs.webkit.org/show_bug.cgi?id=84174

        Reviewed by Ojan Vafai.

        Implement IDBCursor.advance() to spec.

        Test: storage/indexeddb/cursor-advance.html

        * Modules/indexeddb/IDBBackingStore.h:
        * Modules/indexeddb/IDBCursor.cpp:
        (WebCore::IDBCursor::advance):
        (WebCore):
        * Modules/indexeddb/IDBCursor.h:
        (IDBCursor):
        * Modules/indexeddb/IDBCursor.idl:
        * Modules/indexeddb/IDBCursorBackendImpl.cpp:
        (WebCore::IDBCursorBackendImpl::advance):
        (WebCore):
        (WebCore::IDBCursorBackendImpl::advanceInternal):
        * Modules/indexeddb/IDBCursorBackendImpl.h:
        (IDBCursorBackendImpl):
        * Modules/indexeddb/IDBCursorBackendInterface.h:
        * Modules/indexeddb/IDBLevelDBBackingStore.cpp:
        (WebCore):

2012-04-24  Adrienne Walker  <enne@google.com>

        [chromium] Hold video provider lock from willDraw to didDraw
        https://bugs.webkit.org/show_bug.cgi?id=84805

        Reviewed by James Robinson.

        * platform/graphics/chromium/cc/CCVideoLayerImpl.cpp:
        (WebCore::CCVideoLayerImpl::willDraw):
        (WebCore):
        (WebCore::CCVideoLayerImpl::willDrawInternal):
        (WebCore::CCVideoLayerImpl::appendQuads):
        (WebCore::CCVideoLayerImpl::didDraw):
        * platform/graphics/chromium/cc/CCVideoLayerImpl.h:

2012-04-25  Adrienne Walker  <enne@google.com>

        [chromium] Prevent CCLayerImpl::willDraw/didDraw mismatches
        https://bugs.webkit.org/show_bug.cgi?id=84812

        Reviewed by James Robinson.

        Because some layers lock/unlock resources, it needs to be guaranteed
        that if willDraw is called on a layer then didDraw will also be called
        on that layer before another willDraw or before layer destruction. Add
        asserts to make sure that this is the case.

        willDraw is called via CCLayerTreeHostImpl::prepareToDraw ->
        calculateRenderPasses. didDraw was previously called in
        CCLayerTreeHostImpl::drawLayers. Sometimes drawLayers was being
        skipped by the caller of these functions based on what prepareToDraw
        returned (causing didDraw to not be called). Fix this by having an
        explicit step to call didDraw on all layers. This new didDrawAllLayers
        function must be called if and only if prepareToDraw is called.

        Tested by existing tests via new asserts in CCLayerImpl.

        * platform/graphics/chromium/cc/CCLayerImpl.cpp:
        (WebCore::CCLayerImpl::CCLayerImpl):
        (WebCore::CCLayerImpl::~CCLayerImpl):
        (WebCore::CCLayerImpl::willDraw):
        (WebCore):
        (WebCore::CCLayerImpl::didDraw):
        * platform/graphics/chromium/cc/CCLayerImpl.h:
        (CCLayerImpl):
        * platform/graphics/chromium/cc/CCLayerTreeHostImpl.cpp:
        (WebCore::CCLayerTreeHostImpl::drawLayers):
        (WebCore::CCLayerTreeHostImpl::didDrawAllLayers):
        (WebCore):
        * platform/graphics/chromium/cc/CCLayerTreeHostImpl.h:
        (CCLayerTreeHostImpl):
        * platform/graphics/chromium/cc/CCScrollbarLayerImpl.cpp:
        (WebCore::CCScrollbarLayerImpl::willDraw):
        (WebCore::CCScrollbarLayerImpl::didDraw):
        * platform/graphics/chromium/cc/CCSingleThreadProxy.cpp:
        (WebCore::CCSingleThreadProxy::doComposite):
        * platform/graphics/chromium/cc/CCTextureLayerImpl.cpp:
        (WebCore::CCTextureLayerImpl::willDraw):
        * platform/graphics/chromium/cc/CCThreadProxy.cpp:
        (WebCore::CCThreadProxy::scheduledActionDrawAndSwapInternal):
        * platform/graphics/chromium/cc/CCVideoLayerImpl.cpp:
        (WebCore::CCVideoLayerImpl::willDraw):
        (WebCore::CCVideoLayerImpl::didDraw):

2012-04-24  Kent Tamura  <tkent@chromium.org>

        Calendar Picker: Resize to minimal size to fit the content
        https://bugs.webkit.org/show_bug.cgi?id=84826

        Reviewed by Hajime Morita.

        Using fixed-size popup isn't nice. The calendar picker popup size should
        be minimal.

        The minimal size depends on font settings, localized labels, and
        localized formats. So we put visible objects on a transparent element,
        calculate minimal size, resize the popup, then show the objects.

        * Resources/calendarPicker.css:
        (body): Don't use purple. It was for debugging purposes.
        The body is visible for a short period because we use transparent element.
        (#main):
         - Add nowrap to avoid text wrapping.
         - Add wider width to avoid wrapping.
         - Add opacity to hide incomplete layout.
        (.year-month-upper): Don't set flexible box yet.
        (.month-selector-box): Fix incorrect display value.
        (.days-area):
        Don't set table-layout:fixed and width:100% in order that it has the
        minimal width.

        * Resources/calendarPicker.js:
        (initialize): Make a new function to resize.
        (fixWindowSize):
        Compute the required width from the right edge of the next year button,
        the maximum cell width, and so on.  Then, set CSS properties to have
        correct layout.
        (YearMonthController.prototype.attachTo):
        Set min-width property for a long year-month string.
        (YearMonthController.prototype._showPopup):
        Center the _monthPopup vertically.

        * html/shadow/CalendarPickerElement.cpp:
        (WebCore::CalendarPickerElement::contentSize):
        Specify small size for the initial size. It's better than showing a
        large window then shrinking the size.
        * page/PagePopupClient.h:
        (PagePopupClient): Remove a false comment. We should support resize*().

2012-04-25  Kent Tamura  <tkent@chromium.org>

        Unreviewed. Sort Xcode project file.

        * WebCore.xcodeproj/project.pbxproj:

2012-04-25  Alpha Lam  <hclam@chromium.org>

        Unreviewed, rolling out r115260.
        http://trac.webkit.org/changeset/115260
        https://bugs.webkit.org/show_bug.cgi?id=84467

        r115260 is crashing a list of IndexedDB tests, revert.

        * Modules/indexeddb/IDBLevelDBBackingStore.cpp:
        (WebCore):
        * platform/leveldb/LevelDBTransaction.cpp:
        (WebCore::LevelDBTransaction::TransactionIterator::refreshTreeIterator):
        (WebCore::LevelDBTransaction::TransactionIterator::handleConflictsAndDeletes):
        * platform/leveldb/LevelDBTransaction.h:
        (TransactionIterator):

2012-04-25  James Simonsen  <simonjam@chromium.org>

        [Web Timing] Add a vendor-prefixed Performance Timeline API
        https://bugs.webkit.org/show_bug.cgi?id=80350

        As described here: http://dvcs.w3.org/hg/webperf/raw-file/tip/specs/PerformanceTimeline/Overview.html

        The API is there and should be correct, but it isn't particularly useful,
        because nothing is populated. Upcoming changes will add Navigation Timing
        and Resource Timing.

        Reviewed by Tony Gentilcore.

        No new tests. Functionality is disabled on all platforms.

        * CMakeLists.txt: Added PerformanceEntry* files.
        * DerivedSources.pri: Ditto.
        * GNUmakefile.list.am: Ditto.
        * WebCore.gypi: Ditto.
        * WebCore.vcproj/WebCore.vcproj: Ditto.
        * WebCore.xcodeproj/project.pbxproj: Ditto.
        * page/Performance.cpp:
        (WebCore::Performance::webkitGetEntries): Added.
        (WebCore::Performance::webkitGetEntriesByType): Added.
        (WebCore::Performance::webkitGetEntriesByName): Added.
        * page/Performance.h:
        (Performance):
        * page/Performance.idl:
        * page/PerformanceEntry.cpp: Added.
        (WebCore):
        (WebCore::PerformanceEntry::PerformanceEntry):
        (WebCore::PerformanceEntry::name):
        (WebCore::PerformanceEntry::entryType):
        (WebCore::PerformanceEntry::startTime):
        (WebCore::PerformanceEntry::duration):
        * page/PerformanceEntry.h: Added.
        (WebCore):
        (PerformanceEntry):
        * page/PerformanceEntry.idl: Added.
        * page/PerformanceEntryList.cpp: Added.
        (WebCore):
        (WebCore::PerformanceEntryList::PerformanceEntryList):
        (WebCore::PerformanceEntryList::~PerformanceEntryList):
        (WebCore::PerformanceEntryList::length):
        (WebCore::PerformanceEntryList::item):
        (WebCore::PerformanceEntryList::append):
        * page/PerformanceEntryList.h: Added.
        (WebCore):
        (PerformanceEntryList):
        (WebCore::PerformanceEntryList::create):
        * page/PerformanceEntryList.idl: Added.

2012-04-25  Benjamin Poulain  <bpoulain@apple.com>

        Move convertJSMethodNameToObjc() to be a utility function of ObjcClass
        https://bugs.webkit.org/show_bug.cgi?id=84915

        Reviewed by Darin Adler.

        The function convertJSMethodNameToObjc() is only useful for ObjcClass::methodsNamed().

        This patch moves the function from objc_utility.mm to be a static function in objc_class.mm.
        It aims at simplifying the code for future changes of ObjcClass.

        * bridge/objc/objc_class.mm:
        (Bindings):
        (JSC::Bindings::convertJSMethodNameToObjc):
        * bridge/objc/objc_utility.h:
        * bridge/objc/objc_utility.mm:
        (Bindings):

2012-04-25  Kent Tamura  <tkent@chromium.org>

        Unreviewed. Sort Xcode project file.

        * WebCore.xcodeproj/project.pbxproj:

2012-04-25  Greg Billock  <gbillock@google.com>

        Implement object-literal constructor for the Intent object.
        https://bugs.webkit.org/show_bug.cgi?id=84220

        Reviewed by Kentaro Hara.

        The use of the custom constructor will hopefully be temporary, as we plan
        to convert to just using the object literal constructor, which can then use codegen.
        See spec: http://dvcs.w3.org/hg/web-intents/raw-file/tip/spec/Overview.html

        Added support for the service and extras parameters in the Intent
        object to support the speced members in the object literal constructor.

        Added supporting accessor to Dictionary to retrieve a sub-Dictionary,
        and a utility to ScriptValue to serialize with ports.

        Test: webintents/web-intent-obj-constructor.html

        (WebCore):
        * Modules/intents/Intent.cpp:
        (WebCore::Intent::create):
        (WebCore::Intent::Intent):
        (WebCore::Intent::service):
        (WebCore):
        (WebCore::Intent::extras):
        * Modules/intents/Intent.h:
        (WebCore):
        (Intent):
        * Modules/intents/Intent.idl:
        * WebCore.gypi:
        * bindings/v8/Dictionary.cpp:
        (WebCore::Dictionary::get):
        (WebCore):
        * bindings/v8/Dictionary.h:
        (Dictionary):
        * bindings/v8/ScriptValue.cpp:
        (WebCore::ScriptValue::serialize):
        (WebCore):
        * bindings/v8/ScriptValue.h:
        (WTF):
        (WebCore):
        (ScriptValue):
        * bindings/v8/custom/V8IntentConstructor.cpp: Added.
        (WebCore):
        (WebCore::V8Intent::constructorCallback):

2012-04-25  Alexandru Chiculita  <achicu@adobe.com>

        CSS Shaders: Use u_texture instead of s_texture. It was updated in the spec
        https://bugs.webkit.org/show_bug.cgi?id=82618

        Reviewed by Dean Jackson.
        
        Changed the uniform name passed to the CSS Shaders from s_texture to u_texture.
        https://dvcs.w3.org/hg/FXTF/raw-file/tip/filters/index.html

        No new tests, just updating existing ones.

        * platform/graphics/filters/CustomFilterShader.cpp:
        (WebCore::CustomFilterShader::defaultFragmentShaderString):
        (WebCore::CustomFilterShader::initializeParameterLocations):

2012-04-25  Douglas Stockwell  <dstockwell@chromium.org>

        IndexedDB: cursor does not correctly iterate over keys added and removed during iteration
        https://bugs.webkit.org/show_bug.cgi?id=84467

        Reviewed by Ojan Vafai.

        Ensure that the iterator over the tree of cached adds/removes always points at
        the current key, or if the db iterator is current, the next key:
        
        - When refreshing the tree iterator after a mutation, always seek unless the
        tree iterator is current.
        
        - When handling conflicts and delete markers, only advance the tree iterator as
        far as the db iterator.
        
        Remove the expensive (and now redundant) logic that issued a get() to check
        whether an item had been deleted.

        Test: storage/indexeddb/cursor-added-bug.html

        * Modules/indexeddb/IDBLevelDBBackingStore.cpp:
        (WebCore):
        * platform/leveldb/LevelDBTransaction.cpp:
        (WebCore::LevelDBTransaction::TransactionIterator::refreshTreeIterator):
        (WebCore::LevelDBTransaction::TransactionIterator::handleConflictsAndDeletes):

2012-04-25  Antti Koivisto  <antti@apple.com>

        Try to fix build with STYLE_SCOPED enabled.

        Not reviewed.

        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::determineScope):

2012-04-25  Alec Flett  <alecflett@chromium.org>

        IndexedDB: support openCursor(IDBKey)
        https://bugs.webkit.org/show_bug.cgi?id=84652

        Reviewed by Ojan Vafai.

        Add signatures for openCursor/openKeyCursor(IDBKey).

        Test: storage/indexeddb/opencursor-key.html

        * Modules/indexeddb/IDBIndex.cpp:
        (WebCore::IDBIndex::openCursor):
        (WebCore):
        (WebCore::IDBIndex::openKeyCursor):
        * Modules/indexeddb/IDBIndex.h:
        (WebCore::IDBIndex::openCursor):
        (IDBIndex):
        (WebCore::IDBIndex::openKeyCursor):
        * Modules/indexeddb/IDBIndex.idl:
        * Modules/indexeddb/IDBObjectStore.cpp:
        (WebCore::IDBObjectStore::openCursor):
        (WebCore):
        * Modules/indexeddb/IDBObjectStore.h:
        (WebCore::IDBObjectStore::openCursor):
        (IDBObjectStore):
        * Modules/indexeddb/IDBObjectStore.idl:

2012-04-25  Antti Koivisto  <antti@apple.com>

        Remove owner node pointer from StyleSheetInternal 
        https://bugs.webkit.org/show_bug.cgi?id=84882

        Reviewed by Andreas Kling.

        To make sharing between multiple nodes possible StyleSheetInternal should not have a Node pointer.
        
        - Make StyleSheetInternal constructor take CSSParserContext instead of Node*
        - Move owner node pointer to CSSStyleSheet. CSSStyleSheet now acts as a client for StyleSheetInternal.
        
        This gets us closer to being able to cache stylesheet data structures.
        
        * css/CSSImportRule.cpp:
        (WebCore::StyleRuleImport::setCSSStyleSheet):
        (WebCore::StyleRuleImport::requestStyleSheet):
        
            Setup CSSParserContext.
            Remove FIXME about updateBaseURL(). It is no longer possible to change URL of StyleSheetInternal.

        * css/CSSPageRule.cpp:
        (WebCore::CSSPageRule::setSelectorText):
        * css/CSSParser.cpp:
        (WebCore::CSSParserContext::CSSParserContext):
        * css/CSSParserMode.h:
        (CSSParserContext):
    
            Expand CSSParserContext constructors.

        * css/CSSStyleRule.cpp:
        (WebCore::CSSStyleRule::setSelectorText):
        * css/StyleResolver.cpp:
        (WebCore::StyleResolver::StyleResolver):
        (WebCore::StyleResolver::addAuthorRulesAndCollectUserRulesFromSheets):
        (WebCore::StyleResolver::collectMatchingRulesForList):
        * css/StyleResolver.h:
        (StyleResolver):
        * css/CSSStyleSheet.cpp:

            User stylesheets went back to being CSSStyleSheets. Adapt to that.

        (WebCore::StyleSheetInternal::StyleSheetInternal):
        (WebCore):
        (WebCore::StyleSheetInternal::checkLoaded):
        (WebCore::StyleSheetInternal::startLoadingDynamicSheet):
        (WebCore::StyleSheetInternal::rootStyleSheet):
        (WebCore::StyleSheetInternal::singleOwnerNode):
        (WebCore::StyleSheetInternal::singleOwnerDocument):
        (WebCore::StyleSheetInternal::styleSheetChanged):
        
            The owner node is now located through CSSStyleSheet. Only one client is supported atm.

        (WebCore::StyleSheetInternal::registerClient):
        (WebCore::StyleSheetInternal::unregisterClient):
        
            Register CSSStyleSheets.

        (WebCore::CSSStyleSheet::CSSStyleSheet):
        (WebCore::CSSStyleSheet::~CSSStyleSheet):
        (WebCore::CSSStyleSheet::rules):
        (WebCore::CSSStyleSheet::cssRules):
        (WebCore::CSSStyleSheet::ownerDocument):
        * css/CSSStyleSheet.h:
        (WebCore::StyleSheetInternal::create):
        (WebCore::StyleSheetInternal::createInline):
        (StyleSheetInternal):
        (WebCore::CSSStyleSheet::create):
        (CSSStyleSheet):
        
            Moved m_ownerNode.
            Changed constructors
            Removed setFinalURL(). 

        * css/PropertySetCSSStyleDeclaration.cpp:
        (WebCore::StyleRuleCSSStyleDeclaration::setNeedsStyleRecalc):
        * dom/Document.cpp:
        (WebCore::Document::updateBaseURL):
        
            Instead of setFinalURL, construct a new StyleSheetInternal if the base url ever changes.

        (WebCore::Document::pageUserSheet):
        (WebCore::Document::pageGroupUserSheets):
        (WebCore::Document::addUserSheet):
        (WebCore::Document::elementSheet):
        * dom/Document.h:
        (Document):
        (WebCore::Document::documentUserSheets):
        
            Adapt to the new interface.
            Turned user stylesheets into CSSStyleSheets so they can find the owner node.

        * dom/ProcessingInstruction.cpp:
        (WebCore::ProcessingInstruction::setCSSStyleSheet):
        * dom/StyleElement.cpp:
        (WebCore::StyleElement::createSheet):
        * html/HTMLLinkElement.cpp:
        (WebCore::HTMLLinkElement::setCSSStyleSheet):
        * inspector/InspectorCSSAgent.cpp:
        (WebCore::SelectorProfile::startSelector):
        (WebCore::InspectorCSSAgent::bindStyleSheet):
        * inspector/InspectorStyleSheet.cpp:
        (WebCore::fillMediaListChain):
        (WebCore::InspectorStyleSheet::ownerDocument):
        * page/PageSerializer.cpp:
        (WebCore::PageSerializer::serializeCSSStyleSheet):

2012-04-25  Adam Klein  <adamk@chromium.org>

        Fix uninitialized variable warnings in PasteboardMac.mm after 115145
        https://bugs.webkit.org/show_bug.cgi?id=84879

        Reviewed by Enrica Casucci.

        * platform/mac/PasteboardMac.mm:
        (WebCore::Pasteboard::getDataSelection): Initialize attributedString to nil.
        (WebCore::Pasteboard::writeSelectionForTypes): ditto.

2012-04-25  Kenneth Russell  <kbr@google.com>

        Delete CanvasPixelArray, ByteArray, JSByteArray and JSC code once unreferenced
        https://bugs.webkit.org/show_bug.cgi?id=83655

        Reviewed by Oliver Hunt.

        Removed last few references to ByteArray, replacing with
        Uint8ClampedArray as necessary, and deleted now-obsolete
        CanvasPixelArray, ByteArray and JSByteArray. Removed code from
        JavaScriptCore special-casing ByteArray.

        No new tests. Did full layout test run on Mac OS; no regressions
        seen from this change.

        * CMakeLists.txt:
        * DerivedSources.pri:
        * ForwardingHeaders/runtime/JSByteArray.h: Removed.
        * GNUmakefile.list.am:
        * PlatformBlackBerry.cmake:
        * Target.pri:
        * UseV8.cmake:
        * WebCore.gypi:
        * WebCore.order:
        * WebCore.vcproj/WebCore.vcproj:
        * WebCore.xcodeproj/project.pbxproj:
        * bindings/v8/SerializedScriptValue.cpp:
        * bindings/v8/V8Binding.h:
        (WebCore::isHostObject):
        * bindings/v8/custom/V8CanvasPixelArrayCustom.cpp: Removed.
        * bindings/v8/custom/V8InjectedScriptHostCustom.cpp:
        (WebCore::V8InjectedScriptHost::typeCallback):
        * bridge/qt/qt_runtime.cpp:
        (JSC::Bindings::isJSUint8ClampedArray):
        (Bindings):
        (JSC::Bindings::valueRealType):
        (JSC::Bindings::convertValueToQVariant):
        (JSC::Bindings::convertQVariantToValue):
        * html/canvas/CanvasPixelArray.cpp: Removed.
        * html/canvas/CanvasPixelArray.h: Removed.
        * html/canvas/CanvasPixelArray.idl: Removed.
        * html/canvas/WebGLRenderingContext.cpp:
        (WebCore):
        * platform/graphics/filters/FEConvolveMatrix.h:
        * rendering/svg/RenderSVGResourceMasker.cpp:

2012-04-25  <