Source/WebCore: Crash in Document::recalcStyleSelector
[webkit:qtwebkit.git] / Source / WebCore / ChangeLog
2011-08-17  Abhishek Arya  <inferno@chromium.org>

        Crash in Document::recalcStyleSelector
        https://bugs.webkit.org/show_bug.cgi?id=66335

        Reviewed by Simon Fraser.

        When a node is getting destroyed and its removedFromDocument
        is not called due to the entire document structure being torn down (using
        removeAllChildren), make sure to clear out the stylesheet
        candidate node from document's structures in its destructor.

        Test: svg/dom/stylesheet-candidate-node-crash-main.html

        * dom/ProcessingInstruction.cpp:
        (WebCore::ProcessingInstruction::~ProcessingInstruction):
        * html/HTMLLinkElement.cpp:
        (WebCore::HTMLLinkElement::~HTMLLinkElement):
        * html/HTMLStyleElement.cpp:
        (WebCore::HTMLStyleElement::~HTMLStyleElement):
        * svg/SVGStyleElement.cpp:
        (WebCore::SVGStyleElement::~SVGStyleElement):

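The entry above describes a dangling raw pointer left in a document-wide registry when nodes die through a bulk teardown path that skips the per-node removal hook. What follows is an added, self-contained C++ sketch of that pattern and of the destructor-side fix; it is not WebCore code. The class names, the candidate set and the two teardown paths are simplified stand-ins for Document, removedFromDocument() and removeAllChildren(), and the `fixed` flag switches between the pre-fix and post-fix destructor.

```cpp
#include <cstddef>
#include <memory>
#include <set>
#include <vector>

class Node;

// Simplified stand-in for WebCore's Document (assumption: names and shape are
// illustrative only).
class Document {
public:
    Document() = default;
    ~Document();                            // defined after Node is complete

    std::set<Node*> styleSheetCandidates;   // non-owning raw pointers
    std::vector<std::unique_ptr<Node>> children;

    void removeChild(Node* node);           // per-node path: notifies the node
    void removeAllChildren();               // bulk teardown: no per-node hook

    // Stand-in for recalcStyleSelector: only counts registry entries, because
    // dereferencing a stale one would be the use-after-free the entry fixes.
    std::size_t candidateCount() const { return styleSheetCandidates.size(); }
};

class Node {
public:
    // unregisterInDestructor == false models the pre-fix behaviour.
    Node(Document& document, bool isStyleSheetCandidate, bool unregisterInDestructor)
        : m_document(document), m_unregisterInDestructor(unregisterInDestructor)
    {
        if (isStyleSheetCandidate)
            m_document.styleSheetCandidates.insert(this);
    }

    // Called on the per-node removal path only.
    void removedFromDocument() { m_document.styleSheetCandidates.erase(this); }

    ~Node()
    {
        // The fix: a node leaving the tree without removedFromDocument()
        // scrubs itself here, so the registry never outlives the node.
        if (m_unregisterInDestructor)
            m_document.styleSheetCandidates.erase(this);
    }

private:
    Document& m_document;
    bool m_unregisterInDestructor;
};

Document::~Document() = default;

void Document::removeChild(Node* node)
{
    for (auto it = children.begin(); it != children.end(); ++it) {
        if (it->get() == node) {
            node->removedFromDocument();
            children.erase(it);             // destroys the node
            return;
        }
    }
}

void Document::removeAllChildren()
{
    children.clear();                       // destroys every node, no notification
}

// Registers `candidates` stylesheet-candidate nodes plus one ordinary node,
// tears the tree down via removeAllChildren(), and returns the number of
// registry entries left behind. Non-zero means dangling pointers.
std::size_t danglingCandidatesAfterTeardown(std::size_t candidates, bool fixed)
{
    Document document;
    for (std::size_t i = 0; i < candidates; ++i)
        document.children.push_back(std::make_unique<Node>(document, true, fixed));
    document.children.push_back(std::make_unique<Node>(document, false, fixed));
    document.removeAllChildren();
    return document.candidateCount();
}

// Same measurement when each node is removed individually: the
// removedFromDocument() hook fires, so the registry stays consistent even
// without the destructor fix.
std::size_t danglingCandidatesAfterRemoveChild(std::size_t candidates, bool fixed)
{
    Document document;
    for (std::size_t i = 0; i < candidates; ++i)
        document.children.push_back(std::make_unique<Node>(document, true, fixed));
    while (!document.children.empty())
        document.removeChild(document.children.front().get());
    return document.candidateCount();
}
```

danglingCandidatesAfterTeardown(3, false) reports three stale entries surviving the bulk teardown; with the destructor fix the count is zero, so a recalcStyleSelector-style walk over the set can no longer reach freed memory. Individual removal was already safe because removedFromDocument() unregistered the node, which is why the bug only showed up on the removeAllChildren path.
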
2011-08-12  Abhishek Arya  <inferno@chromium.org>

        Crash in WebCore::editingIgnoresContent
        https://bugs.webkit.org/show_bug.cgi?id=66125

        Reviewed by Ryosuke Niwa.

        RefPtr a few nodes in case they get blown away in
        dispatchEvent calls.

        Test: editing/selection/select-start-remove-root-crash.html

        * editing/FrameSelection.cpp:
        (WebCore::FrameSelection::selectAll):
        * editing/ReplaceSelectionCommand.cpp:
        (WebCore::ReplacementFragment::ReplacementFragment):

2011-08-13  Abhishek Arya  <inferno@chromium.org>

        Crash in HTMLTreeBuilder::processAnyOtherEndTagForInBody
        https://bugs.webkit.org/show_bug.cgi?id=66187

        Reviewed by Adam Barth.

        RefPtr a few ContainerNodes to prevent premature deletion.

        Test: fast/html/process-end-tag-for-inbody-crash.html

        * html/parser/HTMLTreeBuilder.cpp:
        (WebCore::HTMLTreeBuilder::processCloseWhenNestedTag):
        (WebCore::HTMLTreeBuilder::processAnyOtherEndTagForInBody):
        (WebCore::HTMLTreeBuilder::callTheAdoptionAgency):

2011-08-10  Abhishek Arya  <inferno@chromium.org>

        Check that we do not need layout before trying to dirty
        m_originatingLine for our floats.
        https://bugs.webkit.org/show_bug.cgi?id=65938

        Reviewed by Dave Hyatt.

        Test: fast/block/float/float-originating-line-deleted-crash.html

        * rendering/RenderBlock.cpp:
        (WebCore::RenderBlock::removeFloatingObject):
        (WebCore::RenderBlock::clearFloats):

2011-08-11  Alexis Menard  <alexis.menard@openbossa.org>

        Unreviewed build fix for Qt.

        Make sure we build when Qt is namespaced.

        * platform/graphics/gstreamer/PlatformVideoWindowPrivate.h:

2011-08-06  Aron Rosenberg  <arosenberg@logitech.com>

        Reviewed by Benjamin Poulain.

        [Qt] Fix build with Intel compiler on Windows
        https://bugs.webkit.org/show_bug.cgi?id=65088

        Intel compiler needs .lib suffixes instead of .a

        * WebCore.pri:

2011-08-03  Kent Tamura  <tkent@chromium.org>

        Fix incorrect checks for HTMLMediaElement
        https://bugs.webkit.org/show_bug.cgi?id=65590

        Reviewed by Dimitri Glazkov.

        <video> and <audio> can be an HTMLElement instance instead of
        HTMLMediaElement if MediaPlayer::isAvailable() returns false or
        the media feature is disabled at runtime.

        * html/HTMLSourceElement.cpp:
        (WebCore::HTMLSourceElement::insertedIntoTree):
        (WebCore::HTMLSourceElement::willRemove):
        * html/HTMLTrackElement.cpp:
        (WebCore::HTMLTrackElement::insertedIntoTree):
        (WebCore::HTMLTrackElement::willRemove):
        * html/shadow/MediaControlElements.cpp:
        (WebCore::toParentMediaElement):
        * page/FrameView.cpp:
        (WebCore::FrameView::updateWidget):
        * platform/efl/RenderThemeEfl.cpp:
        (WebCore::RenderThemeEfl::paintMediaMuteButton):
        * platform/gtk/RenderThemeGtk.cpp:
        (WebCore::getMediaElementFromRenderObject):
        * rendering/RenderThemeMac.mm:
        (WebCore::RenderThemeMac::paintMediaSliderTrack):
        * rendering/RenderThemeWinCE.cpp:
        (WebCore::mediaElementParent):

2011-07-28  Abhishek Arya  <inferno@chromium.org>

        Regression(82144): Crash in TrailingObjects::updateMidpointsForTrailingBoxes
        https://bugs.webkit.org/show_bug.cgi?id=65137

        Fix the looping condition to prevent trailingSpaceMidpoint from becoming negative.

        Reviewed by Dave Hyatt.

        Test: fast/block/update-midpoints-for-trailing-boxes-crash.html

        * rendering/RenderBlockLineLayout.cpp:
        (WebCore::TrailingObjects::updateMidpointsForTrailingBoxes):

2011-08-01  Jochen Eisinger  <jochen@chromium.org>

        Never override the policy URL on form submissions.
        https://bugs.webkit.org/show_bug.cgi?id=61809

        Reviewed by Adam Barth.

        Tests: http/tests/security/cookies/third-party-cookie-blocking-main-frame.html
               http/tests/security/cookies/third-party-cookie-blocking-user-action.html
               http/tests/security/cookies/third-party-cookie-blocking.html

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::loadURL):
        (WebCore::FrameLoader::addExtraFieldsToSubresourceRequest):
        (WebCore::FrameLoader::addExtraFieldsToMainResourceRequest):
        (WebCore::FrameLoader::addExtraFieldsToRequest):
        (WebCore::FrameLoader::loadPostRequest):
        (WebCore::FrameLoader::loadDifferentDocumentItem):
        * loader/FrameLoader.h:

2011-07-27  Alexis Menard  <alexis.menard@openbossa.org>

        [Qt] Unreviewed build fix for mac.

        QtKit is now our default media player, the define is WTF_USE_QTKIT and it's not part
        of the options passed to build-webkit, therefore DerivedSources should now generate the
        includes when it's mac.

        * DerivedSources.pro:
        * WebCore.pro:

2011-07-07  Julien Chaffraix  <jchaffraix@webkit.org>

        Reviewed by David Hyatt.

        Partial layout when a flex-box has visibility: collapse
        https://bugs.webkit.org/show_bug.cgi?id=63776

        Tests: fast/flexbox/crash-button-input-autofocus.html
               fast/flexbox/crash-button-keygen.html
               fast/flexbox/crash-button-relayout.html

        The issue is that FlexBoxIterator would skip any child if it has visibility: collapsed.
        However if one of the children is anonymous, it may wrap some other child that would be skipped.
        Now FlexBoxIterator is called during the layout phase and thus some nodes would not be relaid out
        as expected.

        * rendering/RenderDeprecatedFlexibleBox.cpp:
        (WebCore::FlexBoxIterator::next): When iterating, don't skip anonymous content as there may
        be real content hiding below.

2011-06-30  Julien Chaffraix  <jchaffraix@webkit.org>

        Reviewed by Nikolas Zimmermann.

        Update SVG position values on SVG DOM updates
        https://bugs.webkit.org/show_bug.cgi?id=62439

        Test: svg/custom/crash-textPath-attributes.html

        * rendering/svg/RenderSVGInline.cpp:
        (WebCore::RenderSVGInline::destroy): Notify our containing RenderSVGText that it needs
        to update its positioning information.

        * rendering/svg/SVGInlineFlowBox.cpp:
        (WebCore::SVGInlineFlowBox::calculateBoundaries): Check the type of the InlineBox
        like the rest of the code (fixes an ASSERT_NOT_REACHED in InlineBox::calculateBoundaries).

        * rendering/svg/SVGTextLayoutAttributesBuilder.cpp:
        (WebCore::SVGTextLayoutAttributesBuilder::buildLayoutAttributesForTextSubtree): Clear
        our cached layout attributes every time we invalidate them. This avoids keeping stale
        attributes that have a backpointer to a RenderObject.

2011-07-13  John Knottenbelt  <jknotten@chromium.org>

        Reference Geolocation object from GeoNotifier and Geolocation::setIsAllowed.
        https://bugs.webkit.org/show_bug.cgi?id=64363

        Reviewed by Tony Gentilcore.

        Test: fast/dom/Geolocation/remove-remote-context-in-error-callback-crash.html

        * page/Geolocation.cpp:
        (WebCore::Geolocation::setIsAllowed):
        * page/Geolocation.h:

2011-06-26  Adam Barth  <abarth@webkit.org>

        Reviewed by Kent Tamura.

        m_formElementsWithFormAttribute doesn't ref the objects it holds
        https://bugs.webkit.org/show_bug.cgi?id=62956

        Test: fast/forms/form-associated-element-crash3.html

        * dom/Document.h:

2011-05-26  David Levin  <levin@chromium.org>

        Reviewed by Dmitry Titov.

        WebKit's font notification has problems when the WebKit main thread != UI thread.
        https://bugs.webkit.org/show_bug.cgi?id=61391

        This doesn't happen in DumpRenderTree, so it needs a unit test which is taking me
        some time to write correctly. In the meantime, this issue happens to be causing
        some crashes in Chrome so here's the fix alone for the time being.

        * platform/graphics/mac/FontCacheMac.mm:
        (WebCore::invalidateFontCache): Ensure that FontCache::invalidate is only called on WebKit's main thread.
        (WebCore::fontCacheRegisteredFontsChangedNotificationCallback): Call common function for font cache invalidation.
         Note that the call to fontCache() is fine since the singleton is initialized well before calling this function. Theoretically,
         there could be a problem due to a lack of a memory barrier but that is highly unlikely and this is debug only code.
        (WebCore::fontCacheATSNotificationCallback): Ditto.

2011-07-07  Gavin Peters  <gavinp@chromium.org>

        Reviewed by Alexey Proskuryakov.

        fast/dom/HTMLLinkElement/link-and-subresource-test.html is flaky on chromium debug bots
        https://bugs.webkit.org/show_bug.cgi?id=60097

        The culprit was that CachedResource:stopLoading() was using *this
        after a call to checkNotify(), which isn't kosher.  This patch
        uses a CachedResourceHandle to keep the CachedResource alive.

        The test is a very close copy of the eponymous
        link-and-subresource-test.html, only substituting invalid
        resources for the valid ones in that test.  The reproduction is
        timing related, and happens much more consistently with an invalid
        resource for whatever reason.
        Test: fast/dom/HTMLLinkElement/link-and-subresource-test-nonexistent.html

        * loader/cache/CachedResource.cpp:
        (WebCore::CachedResource::stopLoading):

2011-06-08  Mikołaj Małecki  <m.malecki@samsung.com>

        Reviewed by Pavel Feldman.

        Web Inspector: Crash by buffer overrun when serializing inspector object tree.
        https://bugs.webkit.org/show_bug.cgi?id=52791

        No new tests. The problem can be reproduced by trying to create InspectorValue
        from 1.0e-100 and call ->toJSONString() on this.

        * inspector/InspectorValues.cpp:
        (WebCore::InspectorBasicValue::writeJSON):
        Added checking the predicted buffer size and choosing exponential format, or
        eventually "NaN" if the buffer is too small for decimal format.

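The fix above makes the number serializer measure before it writes. The following is an added example, not WebKit's InspectorValues or DecimalNumber code: a positional decimal formatter derived from printf's `%.16e` output stands in for WebKit's own formatter (assumption: its digit output differs in detail), a 32-byte buffer is a hypothetical stand-in for the fixed buffer, and the fallbacks follow the order the entry gives: decimal if it fits, exponential if that fits, otherwise the string "NaN".

```cpp
#include <cmath>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <string>

const std::size_t kBufferSize = 32;   // hypothetical fixed on-stack buffer

// Positional (non-exponential) decimal rendering of a finite double, built
// from the 17 significant digits printf gives for "%.16e". Stands in for
// WebKit's own decimal formatter (assumption: exact digits may differ); it is
// what turns 1.0e-100 into "0." followed by 99 zeros and a 1.
std::string positionalDecimal(double value)
{
    char scratch[64];
    std::snprintf(scratch, sizeof scratch, "%.16e", value);   // "1.0000000000000000e-100"
    std::string text(scratch);
    bool negative = text[0] == '-';
    if (negative)
        text.erase(0, 1);
    std::size_t ePos = text.find('e');
    std::string digits = text.substr(0, 1) + text.substr(2, ePos - 2);   // 17 digits
    int exponent = std::atoi(text.c_str() + ePos + 1);
    while (digits.size() > 1 && digits.back() == '0')
        digits.pop_back();

    std::string out;
    if (exponent < 0)
        out = "0." + std::string(-exponent - 1, '0') + digits;
    else if (digits.size() <= static_cast<std::size_t>(exponent) + 1)
        out = digits + std::string(exponent + 1 - digits.size(), '0');
    else
        out = digits.substr(0, exponent + 1) + "." + digits.substr(exponent + 1);
    return negative ? "-" + out : out;
}

// Length an unchecked decimal write would need; compare with kBufferSize.
std::size_t decimalLength(double value) { return positionalDecimal(value).size(); }

// Measure, then choose a form that fits, then write. Order follows the entry:
// decimal, else exponential, else the "NaN" sentinel.
std::string writeJSONNumber(double value)
{
    if (std::isnan(value) || std::isinf(value))
        return "NaN";                     // sentinel from the entry; not valid JSON

    char buffer[kBufferSize];
    std::string decimal = positionalDecimal(value);
    if (decimal.size() + 1 <= kBufferSize) {            // +1 for the NUL
        std::snprintf(buffer, kBufferSize, "%s", decimal.c_str());
        return buffer;
    }
    int expLength = std::snprintf(nullptr, 0, "%.17g", value);
    if (expLength >= 0 && static_cast<std::size_t>(expLength) + 1 <= kBufferSize) {
        std::snprintf(buffer, kBufferSize, "%.17g", value);
        return buffer;
    }
    return "NaN";
}
```

decimalLength(1.0e-100) is 102, so an unchecked write of the decimal form into a 32-byte buffer would overrun it by 70 bytes; writeJSONNumber() instead emits 1e-100, and 1.0e100 becomes 1e+100. One caveat for consumers: NaN is not a legal JSON token (RFC 8259), so a strict parser will reject the sentinel; the entry chose it as a last resort in preference to overrunning the buffer.
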
2011-07-26  Alexis Menard  <alexis.menard@openbossa.org>

        [Qt] Disable video support on linux if the dependencies are not found.

        If we can't find the necessary dependencies to build the GStreamer media player
        we disable the video support. This is related to http://trac.webkit.org/changeset/91752.

        Reviewed by Holger Freyther.

        No new tests, it's a build fix.

        * features.pri:

2011-07-26  Alexis Menard  <alexis.menard@openbossa.org>

        Reviewed by Andreas Kling.

        [Qt] Change default backend to use GStreamer on Linux and QuickTime on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=63472

        Enable the GStreamer backend and the QuickTime backend as default media players
        for the Qt port on Mac and Linux. QtMultimedia is now a fallback option that you
        can enable by passing DEFINES+=USE_QT_MULTIMEDIA=1 to enforce its usage.

        No new tests. The media layout tests are disabled on the Qt port but hopefully with this
        switch we can enable them again.

        * WebCore.pri:
        * WebCore.pro:
        * features.pri:

2011-06-23  Alexis Menard  <alexis.menard@openbossa.org>

        Reviewed by Eric Carlson.

        [Qt] Implement fullscreen support on Mac with the QuickTime backend.
        https://bugs.webkit.org/show_bug.cgi?id=61728

        Implement fullscreen support for Qt when using the QuickTime backend.
        We mostly use what is already done for the Mac port.

        * DerivedSources.pro: We use the mac files and they have <WebCore/x> type
        of includes. We need to generate those headers.
        * WebCore.pro:
        * platform/mac/WebVideoFullscreenController.h:
        * platform/mac/WebVideoFullscreenController.mm:
        * platform/mac/WebVideoFullscreenHUDWindowController.h:
        * platform/mac/WebVideoFullscreenHUDWindowController.mm:
        * platform/qt/WebCoreSystemInterface.h:
        * platform/qt/WebCoreSystemInterface.mm:

2011-06-21  Alexey Proskuryakov  <ap@apple.com>

        Fix Mac build in some configurations.

        * platform/mac/WebCoreSystemInterface.h: Added an enum matching WKSI one, since we cannot use
        WKSI in WebCore.

        * platform/mac/WebVideoFullscreenHUDWindowController.mm: Removed an include of WebKitSystemInterface.h.
        It's not meant to be used from WebCore, and if included, a wrong copy may be used.
        (createControlWithMediaUIControlType): Added a FIXME about problems with Leopard build.
        (-[WebVideoFullscreenHUDWindowController windowDidLoad]): Ditto. Switched enum values to
        WCSI style (lower level "wk").

2011-06-20  Jer Noble  <jer.noble@apple.com>

        Unreviewed build fix; Fix Leopard WebCore build.

        * platform/mac/WebVideoFullscreenHUDWindowController.mm: On Leopard, NSWindowDelegate
            is a category, not a protocol.

2011-06-20  Jer Noble  <jer.noble@apple.com>

        Unreviewed build fix; Fix 32-bit build.

        Code recently moved from WebKit -> WebCore does not pass WebCore's more strict compiler warnings.  Use
        CGFloat, and float constants wherever possible, and use narrowPrecisionToFloat() where not.

        * WebCore.xcodeproj/project.pbxproj: Add '-Wno-undef' flag for WebVideoFullScreenController.mm
        * platform/mac/WebVideoFullscreenController.mm:
        (constrainFrameToRatioOfFrame): Use CGFloat instead of Double.
        (-[WebVideoFullscreenWindow animateFromRect:toRect:withSubAnimation:controllerAction:]): Use float constant.
        * platform/mac/WebVideoFullscreenHUDWindowController.mm:
        (-[WebVideoFullscreenHUDWindowController updateVolume]): Use float for volume.
        (-[WebVideoFullscreenHUDWindowController maxVolume]): Ditto.
        (-[WebVideoFullscreenHUDWindowController volumeChanged:]): Ditto.
        (-[WebVideoFullscreenHUDWindowController decrementVolume]): Ditto.
        (-[WebVideoFullscreenHUDWindowController incrementVolume]): Ditto.
        (-[WebVideoFullscreenHUDWindowController volume]): Ditto.
        (-[WebVideoFullscreenHUDWindowController setVolume:]): Ditto.
        (timeToString): Narrow precision to float when converting to seconds.
        * platform/mac/WebWindowAnimation.mm:
        (scaledRect): Use CGFloat.
        (-[WebWindowScaleAnimation init]): Use float constant.
        (-[WebWindowScaleAnimation currentValue]): Ditto.
        (-[WebWindowScaleAnimation additionalDurationNeededToReachFinalFrame]): Ditto.
        (-[WebWindowFadeAnimation currentAlpha]): Ditto.

2011-06-01  Jer Noble  <jer.noble@apple.com>

        Reviewed by Eric Carlson.

        Move Full Screen Controllers into WebCore.

        Remove dependency on QTKit from webkitExitFullscreen()
        https://bugs.webkit.org/show_bug.cgi?id=61843

        No new tests; the existing media full screen tests are sufficient.

        * WebCore.exp.in: Add new exports.
        * WebCore.xcodeproj/project.pbxproj: Add references to moved files.
        * platform/mac/WebCoreSystemInterface.h: Add new WCSI interfaces to WKSI functions.
        * platform/mac/WebCoreSystemInterface.mm:
        * platform/mac/WebVideoFullscreenController.h: Renamed from Source/WebKit/mac/WebView/WebVideoFullscreenController.h.
        * platform/mac/WebVideoFullscreenController.mm: Renamed from Source/WebKit/mac/WebView/WebVideoFullscreenController.mm.

        The following functions have had UNUSED_PARAM added:
        (-[WebVideoFullscreenController applicationDidResignActive:]):
        (-[WebVideoFullscreenController applicationDidChangeScreenParameters:]):
        (-[WebVideoFullscreenWindow mouseMoved:]):

        * platform/mac/WebVideoFullscreenHUDWindowController.h: Renamed from Source/WebKit/mac/WebView/WebVideoFullscreenHUDWindowController.h.
        * platform/mac/WebVideoFullscreenHUDWindowController.mm: Renamed from Source/WebKit/mac/WebView/WebVideoFullscreenHUDWindowController.mm.

        The following functions have had UNUSED_PARAM added:
        (-[WebVideoFullscreenHUDWindow cancelOperation:]):
        (-[WebVideoFullscreenHUDWindowController timelinePositionChanged:]):
        (-[WebVideoFullscreenHUDWindowController setVolumeToZero:]):
        (-[WebVideoFullscreenHUDWindowController setVolumeToMaximum:]):
        (-[WebVideoFullscreenHUDWindowController togglePlaying:]):
        (-[WebVideoFullscreenHUDWindowController mouseEntered:]):
        (-[WebVideoFullscreenHUDWindowController mouseExited:]):
        (-[WebVideoFullscreenHUDWindowController rewind:]):
        (-[WebVideoFullscreenHUDWindowController fastForward:]):
        (-[WebVideoFullscreenHUDWindowController windowDidExpose:]):
        (-[WebVideoFullscreenHUDWindowController windowDidClose:]):

        The following functions have had WKSI calls converted to WCSI ones:
        (createControlWithMediaUIControlType):
        (createTimeTextField):

        * platform/mac/WebWindowAnimation.h: Renamed from Source/WebKit/mac/WebView/WebWindowAnimation.h.
        * platform/mac/WebWindowAnimation.mm: Renamed from Source/WebKit/mac/WebView/WebWindowAnimation.m.
        (WebWindowAnimationDurationFromDuration):

        The following functions have had WKSI calls converted to WCSI ones:
        (-[WebWindowScaleAnimation setCurrentProgress:]):
        (-[WebWindowFadeAnimation initWithDuration:window:initialAlpha:finalAlpha:]):

2011-07-27  Ryosuke Niwa  <rniwa@webkit.org>

        Calling window.find immediately after mutating the document crashes WebKit.
        https://bugs.webkit.org/show_bug.cgi?id=65296

        Reviewed by Darin Adler.

        Don't forget to layout first.

        Test: editing/text-iterator/find-after-mutation.html

        * editing/TextIterator.cpp:
        (WebCore::findPlainText):

2011-07-27  MORITA Hajime  <morrita@google.com>

        Inconsistent state of TreeScope reference.
        https://bugs.webkit.org/show_bug.cgi?id=65235

        The tree scope pointers on shadow tree nodes weren't cleared,
        even when the tree scope (shadow root) is destroyed.
        This change clears these pointers before detaching the shadow root.

        Reviewed by Dimitri Glazkov.

        Test: fast/dom/shadow/tree-scope-crash.html

        * dom/Element.cpp:
        (WebCore::Element::removeShadowRoot):

2011-05-22  Dominic Cooney  <dominicc@chromium.org>

        Reviewed by Dimitri Glazkov.

        When removing a shadow root, also remove it from the render tree.
        https://bugs.webkit.org/show_bug.cgi?id=61245

        Test: existing fast/dom/shadow/layout-tests-can-access-shadow.html

        * dom/Element.cpp:
        (WebCore::Element::removeShadowRoot): Call detach if attached.

2011-07-22  Sergey Glazunov  <serg.glazunov@gmail.com>

        Perform the JavaScript navigation check on a complete URL
        https://bugs.webkit.org/show_bug.cgi?id=65038

        Reviewed by Adam Barth.

        Test: http/tests/security/xss-DENIED-document-baseURI-javascript.html

        * page/DOMWindow.cpp:
        (WebCore::DOMWindow::setLocation):
        (WebCore::DOMWindow::createWindow):
        (WebCore::DOMWindow::open):

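The entry above moves the javascript: scheme check onto the completed URL, and the test name points at document.baseURI. As an added illustration (not WebCore's DOMWindow or KURL code) of why that matters: under RFC 3986 reference resolution an empty or fragment-only reference takes the base URL, and a reference without a scheme inherits the base's scheme, so inspecting the raw string a page handed in says nothing about the scheme of the URL that will actually be navigated. The resolver below implements only those rules; the function names and the example URLs are constructed for the illustration and are not a claim about the bug's actual trigger.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Returns the lower-cased scheme of `url` ("javascript" for "JavaScript:..."),
// or "" when the string does not start with a scheme (RFC 3986 section 3.1:
// a letter, then letters, digits, '+', '-' or '.', then ':').
std::string lowercaseScheme(const std::string& url)
{
    std::string scheme;
    for (std::size_t i = 0; i < url.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (c == ':')
            return i ? scheme : "";
        bool valid = i ? (std::isalnum(c) || c == '+' || c == '-' || c == '.') : std::isalpha(c) != 0;
        if (!valid)
            return "";
        scheme.push_back(static_cast<char>(std::tolower(c)));
    }
    return "";
}

// Deliberately tiny RFC 3986 resolver (assumption: enough for the point, far
// from complete). `base` must be absolute.
std::string resolveURL(const std::string& base, const std::string& reference)
{
    if (!lowercaseScheme(reference).empty())
        return reference;                              // already absolute
    std::string baseNoFragment = base.substr(0, base.find('#'));
    if (reference.empty())
        return baseNoFragment;                         // "" means the base document itself
    if (reference[0] == '#')
        return baseNoFragment + reference;             // same document, new fragment
    std::size_t colon = baseNoFragment.find(':');
    if (baseNoFragment.compare(colon + 1, 2, "//") != 0)
        return baseNoFragment.substr(0, colon + 1) + reference;   // opaque base keeps its scheme
    if (baseNoFragment.find('/', colon + 3) == std::string::npos)
        return baseNoFragment + "/" + reference;       // authority only, no path
    return baseNoFragment.substr(0, baseNoFragment.rfind('/') + 1) + reference;
}

bool isJavaScriptURL(const std::string& url) { return lowercaseScheme(url) == "javascript"; }

// Pre-fix shape: inspects the string the page supplied.
bool needsScriptCheckOnRawString(const std::string& /*base*/, const std::string& reference)
{
    return isJavaScriptURL(reference);
}

// Fixed shape: inspects the URL the navigation will actually use.
bool needsScriptCheckOnCompleteURL(const std::string& base, const std::string& reference)
{
    return isJavaScriptURL(resolveURL(base, reference));
}
```

needsScriptCheckOnRawString() mirrors the pre-fix shape of the check and does not fire for an empty reference against a javascript: base, although that navigation runs script; needsScriptCheckOnCompleteURL() resolves first and sees the scheme. Case-insensitive scheme matching matters for the same reason: "JavaScript:" is the same scheme.
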
2011-07-22  David Grogan  <dgrogan@chromium.org>

        Fix crash in IDBRequest::abort
        https://bugs.webkit.org/show_bug.cgi?id=64740

        Reviewed by Nate Chapin.

        Tested manually with the testcase in the bug.

        * storage/IDBRequest.cpp:
        (WebCore::IDBRequest::~IDBRequest):
        (WebCore::IDBRequest::abort):

2011-07-25  Daniel Bates  <dbates@rim.com>

        REGRESSION (r85964): Improper relayout of some nested positioned elements
        https://bugs.webkit.org/show_bug.cgi?id=64286

        Reviewed by David Hyatt.

        Fixes an issue when traversing up the containing block hierarchy after skipping
        relatively positioned inlines.

        When processing a positioned element we skip any intermediate inlines to get to
        the enclosing block B, but don't use the containing block for B (call this P_B) to
        properly continue traversing up the containing block hierarchy. So, B may be
        considered again instead of looking at P_B. Hence, we don't set the correct dirty
        bits for P_B and may not schedule a relayout with respect to the correct layout node.

        Test: fast/block/positioning/relayout-nested-positioned-elements-crash.html

        * rendering/RenderObject.h:
        (WebCore::RenderObject::markContainingBlocksForLayout):

2011-07-26  David Hyatt  <hyatt@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=60778

        Use after free because of line box culling optimization regression.

        In the case of a child with no line box being removed (typically
        a <br> in quirks mode), if there is no previous sibling with a line
        box, then we have a potential problem with the culling optimization.

        The culled inline may still have other leaf line box children, but
        they may follow the removed <br>. In this case we can't rely on
        them, since we need a line box that comes before the <br>.

        The fix is to simply recur up to the parent if we are a culled inline
        and could not find a previous line box.

        Reviewed by Dan Bernstein.

        Added editing/execCommand/crash-line-break-after-outdent.html

        * rendering/RenderLineBoxList.cpp:
        (WebCore::RenderLineBoxList::dirtyLinesFromChangedChild):

2011-07-19  Abhishek Arya  <inferno@chromium.org>

        Crash when removing unrendered nodes in replacement fragment.
        https://bugs.webkit.org/show_bug.cgi?id=64801

        Reviewed by Ryosuke Niwa.

        Test: editing/pasteboard/replacement-fragment-remove-unrendered-node-crash.html

        * editing/ReplaceSelectionCommand.cpp:
        (WebCore::ReplacementFragment::removeUnrenderedNodes):

2011-07-21  Gavin Peters  <gavinp@chromium.org>

        Extend the protector of a CSS style sheet.  Because checkLoaded() can recursively delete
        parent style elements, the protector should be extended to include the parent call.

        https://bugs.webkit.org/show_bug.cgi?id=64736

        Reviewed by Simon Fraser.

        Test: fast/css/css-imports-2.html

        * css/CSSStyleSheet.cpp:
        (WebCore::CSSStyleSheet::checkLoaded):

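Three entries above (the RefPtr additions in FrameSelection::selectAll and ReplacementFragment, the ContainerNode protectors in HTMLTreeBuilder, and the extended protector in CSSStyleSheet::checkLoaded) apply the same idiom: hold an extra reference across a call that can run page script or recursively tear down the tree, so the object is still alive when the caller touches it afterwards. The following is an added example, not WebCore code: a minimal intrusive refcount and RefPtr in the shape of WebCore's (assumption: the real classes differ in detail), a Node whose dispatchEvent() runs a page-controlled listener, and a listener that removes the very node being dispatched to. The global live-node counter is instrumentation for the example only.

```cpp
#include <cstddef>
#include <functional>
#include <vector>

// Instrumentation for the example only: constructed-but-not-destroyed Nodes.
static std::size_t g_liveNodes = 0;

// Minimal intrusive reference counting, the shape of WebCore's RefCounted
// (assumption: WebCore's real classes differ in detail).
class Node {
public:
    Node() { ++g_liveNodes; }
    ~Node()
    {
        for (Node* child : m_children)
            child->deref();
        --g_liveNodes;
    }

    void ref() { ++m_refCount; }
    void deref()
    {
        if (--m_refCount == 0)
            delete this;
    }

    // Ownership flows through the refcount, as for DOM children.
    void appendChild(Node* child)
    {
        child->ref();
        m_children.push_back(child);
    }
    void removeChild(Node* child)
    {
        for (auto it = m_children.begin(); it != m_children.end(); ++it) {
            if (*it == child) {
                m_children.erase(it);
                child->deref();        // may be the last reference
                return;
            }
        }
    }

    // Runs a page-controlled listener; after it returns, nothing in this
    // function touches members, because `this` may already be gone.
    void dispatchEvent(const std::function<void(Node&)>& listener) { listener(*this); }

private:
    unsigned m_refCount = 0;
    std::vector<Node*> m_children;
};

// Smart pointer that owns one reference, the role RefPtr plays in the entries.
template<typename T> class RefPtr {
public:
    explicit RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr&) = delete;
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

// Dispatches to `child` a listener that removes it from `root`, then reports
// whether the child still exists. True: the node outlived the dispatch
// (protector held). False: its last reference died inside dispatchEvent(),
// so the caller's raw `child` pointer is dangling. Only the live-node
// counter is inspected afterwards; the freed object is never touched.
bool childSurvivesDispatch(bool useProtector)
{
    RefPtr<Node> root(new Node);
    Node* child = new Node;
    root->appendChild(child);                     // root holds the only reference
    auto listener = [&root](Node& target) { root->removeChild(&target); };

    std::size_t before = g_liveNodes;             // root + child
    if (useProtector) {
        RefPtr<Node> protector(child);            // the idiom from the entries above
        child->dispatchEvent(listener);
        return g_liveNodes == before;             // child still alive here
    }
    child->dispatchEvent(listener);
    return g_liveNodes == before;                 // child was deleted during dispatch
}
```

childSurvivesDispatch(false) observes the node being freed while dispatchEvent() is still on the stack; anything the caller did with the pointer next would be a use-after-free. The protector must outlive the last use, which is the point of the checkLoaded change: a protector whose scope ends before the parent call offers no protection for that call.
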
2011-07-20  Tony Chang  <tony@chromium.org>

        Stale pointer due to floats not removed (flexible box display)
        https://bugs.webkit.org/show_bug.cgi?id=64603

        Reviewed by David Hyatt.

        Flexbox items should avoid floats.

        Test: fast/flexbox/horizontal-box-float-crash.html

        * rendering/RenderBox.cpp:
        (WebCore::RenderBox::avoidsFloats):
        * rendering/RenderBox.h:
        (WebCore::RenderBox::isDeprecatedFlexItem):

2011-07-12  Hui Huang  <Hui.2.Huang@nokia.com>

        Reviewed by Laszlo Gombos.

        [Qt] Fix compiling errors with QtWebkit 2.2 WINSCW build.
        https://bugs.webkit.org/show_bug.cgi?id=64391

        (QtWebKit-2.2 only, patch not in webkit trunk)

        * bindings/generic/ActiveDOMCallback.cpp:
        * css/CSSStyleSelector.h:
        * page/PrintContext.cpp:
        * page/PrintContext.h:
        * platform/network/HTTPHeaderMap.cpp:
        * xml/XPathFunctions.cpp:
        * xml/XPathPredicate.cpp:
        * xml/XPathResult.cpp:

2011-07-16  Sergey Glazunov  <serg.glazunov@gmail.com>

        DOMWindow::open performs a security check on a wrong window
        https://bugs.webkit.org/show_bug.cgi?id=64651

        Reviewed by Adam Barth.

        Test: http/tests/security/xss-DENIED-window-open-parent.html

        * page/DOMWindow.cpp:
        (WebCore::DOMWindow::open):

2011-07-14  Adam Barth  <abarth@webkit.org>

        The beforeload event allows tracking URI changes in a frame
        https://bugs.webkit.org/show_bug.cgi?id=64482

        Reviewed by Nate Chapin.

        Tests: http/tests/security/beforeload-iframe-client-redirect.html
               http/tests/security/beforeload-iframe-server-redirect.html

        Only dispatch the beforeload event for a frame if we haven't yet
        committed our first real load.  The URL that we send to our parent will
        be the same URL the parent sees in the src attribute.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::loadWithDocumentLoader):

2011-07-14  Tim Horton  <timothy_horton@apple.com>

        Clear SVGElementInstance's children immediately upon detachment
        https://bugs.webkit.org/show_bug.cgi?id=63739
        <rdar://problem/9705708>

        Reviewed by Nikolas Zimmermann.

        In addition to clearing the instance's children in the destructor,
        clear them when the instance is detached from its <use>. This way,
        we won't attempt to use them after we're detached but before the
        destructor has been called.

        Test: svg/custom/use-crash-using-children-before-destroy.svg

        * svg/SVGElementInstance.cpp:
        (WebCore::SVGElementInstance::~SVGElementInstance):
        (WebCore::SVGElementInstance::clearChildren):
        * svg/SVGElementInstance.h:
        * svg/SVGUseElement.cpp:
        (WebCore::SVGUseElement::detachInstance):

2011-06-20  Andras Becsi  <abecsi@webkit.org>

        Reviewed by Csaba Osztrogonác.

        make-hash-tools.pl: Perl 5.14 compatibility
        https://bugs.webkit.org/show_bug.cgi?id=61890

        No new tests needed.

        * make-hash-tools.pl: Use if/elsif instead of switch/case.

2011-07-13  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Adam Barth.

        Issue with Frame lifetime due to deletion in beforeload event.
        https://bugs.webkit.org/show_bug.cgi?id=64457

        Copy the Frame protector higher in the stack from loadWithDocumentLoader
        to loadFrameRequest since any of loadPostRequest or loadURL can call
        loadWithDocumentLoader, thereby dispatching the beforeload event and
        blowing away the frame. This deleted frame will be later accessed in
        the loadFrameRequest function causing a crash.

        Test: fast/events/form-iframe-target-before-load-crash2.html

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::loadFrameRequest):
        (WebCore::FrameLoader::loadWithDocumentLoader):

2011-06-03  Yael Aharon  <yael.aharon@nokia.com>

        Reviewed by Kenneth Rohde Christiansen.

        Frame flattening is broken with nested frames
        https://bugs.webkit.org/show_bug.cgi?id=61491

        Do not flatten offscreen iframes during frame flattening, as flattening might make them visible.

        Test: fast/frames/flattening/iframe-flattening-out-of-view.html
              fast/frames/flattening/iframe-flattening-out-of-view-and-scroll.html
              fast/frames/flattening/iframe-flattening-out-of-view-scroll-and-relayout.html

        * rendering/RenderIFrame.cpp:
        (WebCore::RenderIFrame::flattenFrame):

2011-06-23  Robert Hogan  <robert@webkit.org>

        Reviewed by Simon Hausmann.

        [Qt] Windowless Plugins : <input> cursor blinks even after transferring focus to plugin
        https://bugs.webkit.org/show_bug.cgi?id=30355

        Test: plugins/mouse-click-plugin-clears-selection.html

        PluginView needs to use page->focusController()->setFocusedNode() when focusing a plugin
        in order to clear the FrameSelection in the currently focused node. In its platform-specific
        code Chromium already does this (WebPluginContainerImpl.cpp).

        * WebCore.exp.in: Add symbol for FocusController::setFocusedNode
        * plugins/PluginView.cpp:
        (WebCore::PluginView::focusPluginElement): Using FocusController::setFocusedNode() makes
                                                   the call to FocusController:setFocusedFrame() and Document::setFocusedNode()
                                                   redundant, since it calls both.

2011-06-30  Julien Chaffraix  <jchaffraix@webkit.org>

        Reviewed by Nikolas Zimmermann.

        Assertion failure in RenderSVGInlineText::characterStartsNewTextChunk
        https://bugs.webkit.org/show_bug.cgi?id=63076

        Tests: svg/custom/crash-text-in-textpath.svg
               svg/custom/text-node-in-text-invalidated.svg

        The problem was that we did not call setNeedsPositionUpdate on RenderSVGText. When
        doing our layout, we would not update the attributes on our SVGRenderInlineText as
        we would not lay it out.

        This was caused by childrenChanged being overridden on SVGTextPositioningElement but
        not on SVGTextPathElement.

        As both classes shared the same mother class, it made sense to move the logic here.
        There should be no other side effects as SVGTextPathElement and SVGTextPositioningElement
        are the only classes deriving from SVGTextContentElement.

        * svg/SVGTextContentElement.cpp:
        (WebCore::SVGTextContentElement::childrenChanged): Moved this method from SVGTextPositioningElement.
        * svg/SVGTextContentElement.h:
        * svg/SVGTextPositioningElement.cpp:
        (WebCore::SVGTextPositioningElement::svgAttributeChanged): Updated after updatePositioningValuesInRenderer
        removal, replaced by RenderSVGText::locateRenderSVGTextAncestor.
        * svg/SVGTextPositioningElement.h:

2011-06-30  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Ryosuke Niwa.

        Crash when calling DOMSubtreeModified event when extracting range
        contents.
        https://bugs.webkit.org/show_bug.cgi?id=63650

        Convert a few nodes to RefPtrs and add commonRoot verification checks
        for Range::processContents.

        Tests: fast/dom/Range/range-extract-contents-event-fire-crash.html
               fast/dom/Range/range-extract-contents-event-fire-crash2.html

        * dom/Range.cpp:
        (WebCore::childOfCommonRootBeforeOffset):
        (WebCore::Range::processContents):
        (WebCore::Range::processContentsBetweenOffsets):
        (WebCore::Range::processAncestorsAndTheirSiblings):
773
774 2011-06-23  Abhishek Arya  <inferno@chromium.org>
775
776         Reviewed by James Robinson.
777
778         In RenderBlock, RenderWidget and RenderReplaced destroy functions,
779         call dirtyLinesFromChangedChild to tell our parent that we are going away.
780         https://bugs.webkit.org/show_bug.cgi?id=60307
781
782         Test: fast/block/child-not-removed-from-parent-lineboxes-crash.html
783               fast/block/block-not-removed-from-parent-lineboxes-crash.html
784
785         * rendering/RenderBlock.cpp:
786         (WebCore::RenderBlock::destroy):
787         * rendering/RenderReplaced.cpp:
788         (WebCore::RenderReplaced::destroy):
789         * rendering/RenderReplaced.h:
790         * rendering/RenderWidget.cpp:
791         (WebCore::RenderWidget::destroy):
792
793 2011-05-05  David Hyatt  <hyatt@apple.com>
794
795         Reviewed by Darin Adler.
796
797         <rdar://problem/9354979> REGRESSION (r83070-r83126): Conversation takes 10 seconds to load and makes mail unresponsive
798
799         Culled inlines were triggering some pathological line box tree groveling that isn't even necessary.
800         Removed the ancient code (that used to be in RenderFlow), since it made no sense in the RenderBlock case
801         (it was running for inline blocks, which was definitely not even the intent) or in the RenderInline case
802         (the object being removed has no effect on any lines).
803         
804         Also tweaked culledInlineFirstLineBox and culledInlineLastLineBox to avoid bailing if the first replaced object that
805         is encountered has a null inlineBoxWrapper().  Just a slight speed optimization to avoid an extra null check.
806         
807         * rendering/RenderBlock.cpp:
808         (WebCore::RenderBlock::destroy):
809         * rendering/RenderInline.cpp:
810         (WebCore::RenderInline::destroy):
811         (WebCore::RenderInline::culledInlineFirstLineBox):
812         (WebCore::RenderInline::culledInlineLastLineBox):
813
814 2011-06-28  Roland Steiner  <rolandsteiner@chromium.org>
815
816         Reviewed by Eric Seidel.
817
818         Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
819         https://bugs.webkit.org/show_bug.cgi?id=55930
820
821         Don't set style type BEFORE/AFTER on anonymous wrapper block.
822         Rather, check style type on generated wrapped child.
823
824         Tests: fast/ruby/generated-after-counter-doesnt-crash.html
825                fast/ruby/generated-before-and-after-counter-doesnt-crash.html
826                fast/ruby/generated-before-counter-doesnt-crash.html
827
828         * rendering/RenderRuby.cpp:
829         (WebCore::isAnonymousRubyInlineBlock):
830         (WebCore::isRubyBeforeBlock):
831         (WebCore::isRubyAfterBlock):
832         (WebCore::rubyBeforeBlock):
833         (WebCore::rubyAfterBlock):
834         (WebCore::createAnonymousRubyInlineBlock):
835         (WebCore::RenderRubyAsInline::addChild):
836         (WebCore::RenderRubyAsBlock::addChild):
837
838 2011-05-23  Matthew Delaney  <mdelaney@apple.com>
839
840         Reviewed by Simon Fraser.
841
842         Remove safeFloatToInt() in FloatRect.cpp and replace with working version of clampToInteger()
843         https://bugs.webkit.org/show_bug.cgi?id=58216
844
845         No new tests. The SVG tests mask-excessive-malloc.svg and pattern-excessive-malloc.svg exercise this code path.
846
847         * platform/graphics/FloatRect.cpp:
848         (WebCore::enclosingIntRect):
849
850 2011-06-27  Joe Wild  <joseph.wild@nokia.com>
851
852         Reviewed by Simon Fraser.
853
854         Crash on www.crave.cnet.com in FrameView::windowClipRect()
855         https://bugs.webkit.org/show_bug.cgi?id=56393
856
857         Check for a null renderer to fix a crash. This situation can
858         arise when external content or plugins are referenced from HTML
859         elements with style="display:none".
860
861         Test: plugins/hidden-iframe-with-swf-plugin.html
862
863         * page/FrameView.cpp:
864         (WebCore::FrameView::windowClipRect):
865
866 2011-06-15  Jer Noble  <jer.noble@apple.com>
867
868         Reviewed by Timothy Hatcher.
869
870         Full-screen live streams have status text in wrong location
871         https://bugs.webkit.org/show_bug.cgi?id=62733
872
873         Fix a misspelling in the user-agent stylesheet for full-screen mode.
874
875         * css/fullscreenQuickTime.css:
876         (video:-webkit-full-screen::-webkit-media-controls-status-display):
877
878 2011-06-27  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>
879
880         Reviewed by Andreas Kling.
881
882         [Qt] tst_QWebFrame::overloadedSlots() fails
883         https://bugs.webkit.org/show_bug.cgi?id=37319
884
885         This patch is based on Noam Rosenthal original patch in the same bug.
886
887         When hinted with QWebElement metatype, we qualify the conversion
888         from JSElement as a "perfect match".
889
890         The test was failing because the wrong slot was called, since the QWebElement
891         match was taken as equal to the others and not chosen when the metacall happened.
892
893         * bridge/qt/qt_runtime.cpp:
894         (JSC::Bindings::convertValueToQVariant): Identify the conversion between JSElement
895         to QWebElement as a "perfect match" (dist = 0). Add comments to explain the reason
896         why we have the implicit conversion.
897
898 2011-06-27  Abhishek Arya  <inferno@chromium.org>
899
900         Reviewed by Simon Fraser.
901
902         Fix removal of overhanging floats on style changes to absolute/fixed position.
903         https://bugs.webkit.org/show_bug.cgi?id=63355
904
905         1. If we are not currently positioned.
906         2. And we are not floating. (If we are floating, then this will be automatically
907            done in RenderBox::styleWillChange as part of removeFloatingOrPositionedChildFromBlockLists.)
908         3. And we have overhanging floats from previous sibling blocks.
909         4. And our new style tells us that we will have absolute or fixed position.
910
911         Then, we mark all our descendants with floats for layout. This will make sure that
912         overhanging floats are removed. Also, it is important to do that since if that previous
913         sibling block goes away, it is not able to tell us to remove those floats, thinking
914         that, being a positioned block, we should have removed them already.
915
916         Tests: fast/block/float/intruding-float-add-in-sibling-block-on-static-position.html
917                fast/block/float/intruding-float-add-in-sibling-block-on-static-position2.html
918                fast/block/float/intruding-float-remove-from-sibling-block-on-absolute-position.html
919                fast/block/float/intruding-float-remove-from-sibling-block-on-absolute-position2.html
920                fast/block/float/intruding-float-remove-from-sibling-block-on-fixed-position.html
921                fast/block/float/intruding-float-remove-from-sibling-block-on-fixed-position2.html
922                fast/block/float/overhanging-float-add-in-static-position-block.html
923                fast/block/float/overhanging-float-add-in-static-position-block2.html
924                fast/block/float/overhanging-float-remove-from-absolute-position-block.html
925                fast/block/float/overhanging-float-remove-from-absolute-position-block2.html
926                fast/block/float/overhanging-float-remove-from-fixed-position-block.html
927                fast/block/float/overhanging-float-remove-from-fixed-position-block2.html
928
929         * rendering/RenderBlock.cpp:
930         (WebCore::RenderBlock::styleWillChange):
931
932 2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>
933
934         Reviewed by Kent Tamura.
935
936         Crash in TextIterator
937         https://bugs.webkit.org/show_bug.cgi?id=63334
938
939         Fix a crash in TextIterator. Keep m_sortedTextBoxes and renderer consistent
940         and check !m_offset when handling first letter.
941
942         Also add more assertions to help detecting similar bugs.
943
944         Test: editing/text-iterator/first-letter-rtl-crash.html
945
946         * editing/TextIterator.cpp:
947         (WebCore::TextIterator::handleTextNode):
948         (WebCore::TextIterator::emitText):
949
950 2011-06-27  Huang Dongsung  <luxtella@company100.net>
951
952         Reviewed by Kenneth Rohde Christiansen.
953
954         TiledBackingStore endlessly creates and destroys tiles due to an off-by-one
955         error.
956         https://bugs.webkit.org/show_bug.cgi?id=62422
957
958         REGRESSION(r77286): Remove bottomRight().
959         REGRESSION(r77312): Change the logic to get the bottom right point.
960         REGRESSION(r77928): Cause off-by-one error in TiledBackingStore.
961         REGRESSION(r78783): Cause off-by-one error in TiledDrawingAreaProxy.
962         REGRESSION(r78785): Cause off-by-one error in TiledDrawingAreaProxy.
963
964         If the viewport width equals the contents width, especially on mobile
965         devices, TiledBackingStore endlessly creates and deletes the rightmost
966         column and bottom row of tiles.
967         In detail, dropTilesOutsideRect() in TiledBackingStore::createTiles()
968         deletes tiles and setTile(coordinate, Tile::create(this, coordinate)) creates
969         tiles infinitely.
970         Modified TiledDrawingAreaProxy also.
971
972         * platform/graphics/TiledBackingStore.cpp:
973         (WebCore::innerBottomRight):
974         (WebCore::TiledBackingStore::invalidate):
975         (WebCore::TiledBackingStore::paint):
976         (WebCore::TiledBackingStore::createTiles):
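
The off-by-one this entry describes can be reproduced in isolation. The following is an added example and not WebKit's TiledBackingStore code; the IntRect, the tile size and the helper names are assumptions of the example. It computes the tile coordinate of a rect's bottom-right corner two ways, once treating the exclusive edge (maxX, maxY) as if it were a pixel inside the rect and once using the inner bottom-right pixel (maxX - 1, maxY - 1), and counts how many tile columns each way claims the rect covers.

```cpp
#include <cmath>
#include <cstdio>

// Added illustrative example; not WebKit's TiledBackingStore.
struct IntRect {
    int x, y, width, height;
    int maxX() const { return x + width; }   // exclusive right edge
    int maxY() const { return y + height; }  // exclusive bottom edge
};

struct TileCoordinate { int x, y; };

// Tile index containing pixel (px, py) for square tiles of tileSize pixels.
// floor() matters for negative coordinates: integer division rounds toward
// zero and would select the wrong tile there.
TileCoordinate tileForPoint(int px, int py, int tileSize) {
    return { static_cast<int>(std::floor(static_cast<double>(px) / tileSize)),
             static_cast<int>(std::floor(static_cast<double>(py) / tileSize)) };
}

// The bottom-right pixel actually inside the rect. maxX()/maxY() are
// exclusive edges, so the last covered pixel is one less in each direction.
TileCoordinate innerBottomRightTile(const IntRect& r, int tileSize) {
    return tileForPoint(r.maxX() - 1, r.maxY() - 1, tileSize);
}

// The buggy variant: treats the exclusive edge as a pixel inside the rect.
TileCoordinate exclusiveBottomRightTile(const IntRect& r, int tileSize) {
    return tileForPoint(r.maxX(), r.maxY(), tileSize);
}

// Number of tile columns a "keep these tiles" pass would retain for the rect.
int columnsCovered(const IntRect& r, int tileSize, bool useInnerCorner) {
    TileCoordinate topLeft = tileForPoint(r.x, r.y, tileSize);
    TileCoordinate bottomRight = useInnerCorner ? innerBottomRightTile(r, tileSize)
                                                : exclusiveBottomRightTile(r, tileSize);
    return bottomRight.x - topLeft.x + 1;
}

// Square contents rect of the given width at the origin (the assumed scenario).
int columnsForWidth(int contentsWidth, int tileSize, bool useInnerCorner) {
    IntRect contents{0, 0, contentsWidth, contentsWidth};
    return columnsCovered(contents, tileSize, useInnerCorner);
}

int main() {
    std::printf("inner corner: %d columns, exclusive corner: %d columns\n",
                columnsForWidth(1024, 256, true), columnsForWidth(1024, 256, false));
    return 0;
}
```

When the rect edge is tile-aligned (1024 pixels wide with 256-pixel tiles) the exclusive corner claims a fifth column that no pixel of the contents falls into; a pass that creates tiles for one rect and drops tiles outside another will then create and drop that column on every iteration. With a width that is not a multiple of the tile size the two agree, so the bug is only visible when the rect edge lands exactly on a tile boundary.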
977
978 2011-06-27  Alexis Menard  <alexis.menard@openbossa.org>
979
980         Reviewed by Kenneth Rohde Christiansen.
981
982         [Qt] Remove Phonon MediaPlayer from the tree.
983         https://bugs.webkit.org/show_bug.cgi?id=63448
984
985         Remove Phonon mediaplayer as it is unused, not finished and
986         unmaintained.
987
988         * WebCore.gypi:
989         * WebCore.pri:
990         * WebCore.pro:
991         * features.pri:
992         * platform/graphics/MediaPlayer.cpp:
993         * platform/graphics/qt/MediaPlayerPrivatePhonon.cpp: Removed.
994         * platform/graphics/qt/MediaPlayerPrivatePhonon.h: Removed.
995
996 2011-06-10  Darin Adler  <darin@apple.com>
997
998         Reviewed by Eric Carlson.
999
1000         REGRESSION: Fullscreen video controller can't be dragged
1001         https://bugs.webkit.org/show_bug.cgi?id=62462
1002
1003         No regression test because we don't have machinery for testing the fullscreen
1004         mode. We may find a way to add this in the future.
1005
1006         * html/shadow/MediaControlElements.cpp:
1007         (WebCore::MediaControlPanelElement::MediaControlPanelElement): Initialize new
1008         booleans related to dragging.
1009         (WebCore::MediaControlPanelElement::startDrag): Added. Starts drag if dragging
1010         is allowed and a drag isn't already in progress.
1011         (WebCore::MediaControlPanelElement::continueDrag): Added. Moves the window if
1012         dragging is already in progress.
1013         (WebCore::MediaControlPanelElement::endDrag): Added. Ends the capture that is
1014         done during the dragging process.
1015         (WebCore::MediaControlPanelElement::setPosition): Added. Positions the panel
1016         using explicit top/left.
1017         (WebCore::MediaControlPanelElement::resetPosition): Added. Removes the positioning
1018         done by setPosition.
1019         (WebCore::MediaControlPanelElement::defaultEventHandler): Added. Calls startDrag,
1020         continueDrag, and endDrag in response to mouse events.
1021         (WebCore::MediaControlPanelElement::setCanBeDragged): Added.
1022         * html/shadow/MediaControlElements.h: Added new function and data members
1023         as mentioned above.
1024
1025         * html/shadow/MediaControlRootElement.cpp:
1026         (WebCore::MediaControlRootElement::enteredFullscreen): Call setCanBeDragged(true)
1027         so you can drag the panel while in fullscreen.
1028         (WebCore::MediaControlRootElement::exitedFullscreen): Call setCanBeDragged(false)
1029         so you can't drag the panel while not in fullscreen. Also call resetPosition so
1030         position changes from dragging don't affect the panel in other contexts.
1031
1032 2011-06-24  Dimitri Glazkov  <dglazkov@chromium.org>
1033
1034         Reviewed by Darin Adler.
1035
1036         REGRESSION (r77740): Shadow DOM pseudo elements aren't matching when combined with descendant selectors
1037         https://bugs.webkit.org/show_bug.cgi?id=63373
1038
1039         * css/CSSStyleSelector.cpp:
1040         (WebCore::CSSStyleSelector::pushParentStackFrame): Changed to use parentOrHostElement.
1041         (WebCore::CSSStyleSelector::pushParent): Ditto.
1042         * dom/Node.cpp:
1043         (WebCore::Node::parentOrHostElement): Added.
1044         * dom/Node.h:
1045
1046 2011-06-24  Alexey Proskuryakov  <ap@apple.com>
1047
1048         Rubber-stamped by Maciej Stachowiak.
1049
1050         REGRESSION (r88984): Infinite recursion in DocumentLoader::detachFromFrame/stopLoading
1051
1052         No new tests, as there is no known way to reproduce this (but we'll keep investigating, as
1053         the rollout will re-introduce the older less frequent crash).
1054
1055         * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::detachFromFrame): Rollout the fix
1056         for bug 62764.
1057
1058 2011-06-23  Abhishek Arya  <inferno@chromium.org>
1059
1060         Reviewed by Adam Barth.
1061
1062         RefPtr m_style in MediaQueryEvaluator in case of callers like
1063         MediaQueryMatcher::prepareEvaluator that do not retain its reference.
1064         https://bugs.webkit.org/show_bug.cgi?id=63264
1065
1066         Test: fast/css/media-query-evaluator-crash.html
1067
1068         * css/MediaQueryEvaluator.cpp:
1069         (WebCore::MediaQueryEvaluator::eval):
1070         * css/MediaQueryEvaluator.h:
1071
1072 2011-06-22  Annie Sullivan  <sullivan@chromium.org>
1073
1074         Reviewed by Ryosuke Niwa.
1075
1076         REGRESSION: Hitting enter in the middle of this span causes the cursor to go to the end of the span
1077         https://bugs.webkit.org/show_bug.cgi?id=61594
1078
1079         When the tree is split at the cursor in InsertParagraphSeparatorCommand, it is possible for the position
1080         being split at to be at the end of a text node. The code assumes the position is at the start of the node, so
1081         pass the correct node into splitTreeToNode() in that case.
1082
1083         Tests: editing/inserting/return-key-before-br-in-span.html
1084                editing/inserting/return-key-middle-of-span.html
1085
1086         * editing/InsertParagraphSeparatorCommand.cpp:
1087         (WebCore::InsertParagraphSeparatorCommand::doApply):
1088
1089 2011-05-24  Matthew Delaney  <mdelaney@apple.com>
1090
1091         Reviewed by Simon Fraser.
1092
1093         Clamp coordinates to integers for canvas create/getImageData routines
1094         https://bugs.webkit.org/show_bug.cgi?id=61135
1095
1096         Test: fast/canvas/canvas-getImageData-largeNonintegralDimensions.html
1097
1098         * html/HTMLCanvasElement.cpp:
1099         (WebCore::HTMLCanvasElement::convertLogicalToDevice): clamp to ints
1100         * html/canvas/CanvasRenderingContext2D.cpp:
1101         (WebCore::CanvasRenderingContext2D::createImageData):
1102         (WebCore::CanvasRenderingContext2D::getImageData):
1103         * platform/graphics/cg/ImageBufferDataCG.cpp:
1104         (WebCore::ImageBufferData::getData):
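
The two Matthew Delaney entries in this log (the FloatRect enclosingIntRect change that replaced safeFloatToInt() with a working clampToInteger(), and the canvas createImageData/getImageData clamping) both rely on clamping a floating-point value into int range before converting it, since converting an out-of-range or NaN value to int is undefined behaviour and the excessive-malloc tests feed exactly such values. The following is an added example, not WebKit's implementation: a clampToInteger that handles NaN, infinities and out-of-range magnitudes, and an enclosingIntRect built on it. Mapping NaN to 0 and the IntRect layout are assumptions of the example.

```cpp
#include <climits>
#include <cmath>
#include <cstdio>

// Added illustrative example; not WebKit's FloatRect.cpp.
// Clamp a floating-point value into [INT_MIN, INT_MAX]. The comparisons are
// done in double, where INT_MAX and INT_MIN are exactly representable, so a
// value just above INT_MAX is caught before the (undefined) narrowing cast.
int clampToInteger(double value) {
    if (std::isnan(value))
        return 0;                       // assumption of this example
    const double maxInt = static_cast<double>(INT_MAX);
    const double minInt = static_cast<double>(INT_MIN);
    if (value >= maxInt)
        return INT_MAX;                 // also catches +infinity
    if (value <= minInt)
        return INT_MIN;                 // also catches -infinity
    return static_cast<int>(value);     // in range: truncation toward zero
}

struct IntRect { int x, y, width, height; };

// Smallest integer rect enclosing the float rect (x, y, width, height).
// Every edge is clamped before conversion, and the size is computed in
// double and clamped again, because INT_MAX - INT_MIN overflows int.
IntRect enclosingIntRect(double x, double y, double width, double height) {
    const double left = std::floor(x);
    const double top = std::floor(y);
    const double right = std::ceil(x + width);
    const double bottom = std::ceil(y + height);

    const int l = clampToInteger(left);
    const int t = clampToInteger(top);
    const int r = clampToInteger(right);
    const int b = clampToInteger(bottom);

    IntRect result;
    result.x = l;
    result.y = t;
    result.width = clampToInteger(static_cast<double>(r) - static_cast<double>(l));
    result.height = clampToInteger(static_cast<double>(b) - static_cast<double>(t));
    return result;
}

int main() {
    IntRect r = enclosingIntRect(0.5, 0.5, 1e300, 10.0);  // oversized SVG-style input
    std::printf("x=%d y=%d width=%d height=%d\n", r.x, r.y, r.width, r.height);
    return 0;
}
```

The size clamp after the subtraction is the part most easily forgotten: once the left edge clamps to INT_MIN and the right edge to INT_MAX, the difference no longer fits an int, and an unclamped subtraction would wrap to a negative width that a later allocation size computation may happily multiply.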
1105
1106 2011-06-09  Adam Barth  <abarth@webkit.org>
1107
1108         Reviewed by Eric Seidel.
1109
1110         Running script from attach can remove elements from the stack of open elements
1111         https://bugs.webkit.org/show_bug.cgi?id=62160
1112
1113         When the tree builder runs script synchronously, that script can remove
1114         arbitrary elements from the stack of open elements.  We need to hold a
1115         reference to |parent| in attach instead of relying upon the reference in
1116         the stack of open elements.
1117
1118         Test: fast/parser/document-write-onload-clear.html
1119
1120         * html/parser/HTMLConstructionSite.cpp:
1121         (WebCore::HTMLConstructionSite::attach):
1122
1123 2011-06-09  Mike Lawther  <mikelawther@chromium.org>
1124
1125         Reviewed by Kent Tamura.
1126
1127         Parsing issue with -webkit-calc
1128         https://bugs.webkit.org/show_bug.cgi?id=62276
1129
1130         Set the CSSParserString for the calc functions.
1131
1132         Test: css3/calc/regression-62276.html
1133
1134         * css/CSSParser.cpp:
1135         (WebCore::CSSParser::lex):
1136
1137 2011-06-20  Adam Barth  <abarth@webkit.org>
1138
1139         Reviewed by Alexey Proskuryakov.
1140
1141         ASSERT in WebCore::HTMLToken::appendToAttributeName when visiting www.nba.com
1142         https://bugs.webkit.org/show_bug.cgi?id=61774
1143
1144         This ASSERT triggers for the same underlying issue that causes
1145         Bug 62971: When we tokenize a </script> tag, we don't realize that
1146         we've already consumed the "</script>" from the input stream when we
1147         extracted the previous token.  That causes the source tracker to be
1148         out-of-sync, triggering the incorrect view-source highlighting and this
1149         ASSERT.
1150
1151         For now, let's just silence the assert while we work on Bug 62971.
1152
1153         Test: fast/parser/attributes-on-close-script.html
1154
1155         * html/parser/HTMLToken.h:
1156         (WebCore::HTMLToken::appendToAttributeName):
1157         (WebCore::AtomicHTMLToken::initializeAttributes):
1158
1159 2011-06-16  Abhishek Arya  <inferno@chromium.org>
1160
1161         Reviewed by Adam Barth.
1162
1163         RefPtr frame since it can get removed in
1164         FrameLoader::finishedParsing.
1165         https://bugs.webkit.org/show_bug.cgi?id=62812
1166
1167         Tests: already tested by fast/parser/document-write-into-initial-document.html.
1168
1169         * dom/Document.cpp:
1170         (WebCore::Document::finishedParsing):
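
Several entries in this log (the Range::processContents, MediaQueryEvaluator, HTMLConstructionSite::attach and Document::finishedParsing fixes) apply the same idiom: take a RefPtr to an object before calling out to code that may run script, because that script can drop the last reference and leave the caller's raw pointer dangling. The following added example is not WebKit code; it models the hazard with std::shared_ptr in place of WTF::RefPtr, and the Node/Document layout, the mutation listener and the processContents function are assumptions of the example. A weak_ptr is used purely to observe whether the object survived, so the unprotected path reports the problem instead of dereferencing freed memory.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Added illustrative example of the "RefPtr the node across dispatch" idiom,
// using std::shared_ptr in place of WebCore's intrusive RefPtr. Not WebKit code.
struct Node : std::enable_shared_from_this<Node> {
    std::string name;
    std::vector<std::shared_ptr<Node>> children;
    explicit Node(std::string n) : name(std::move(n)) {}
};

// A minimal document: a root and one mutation listener, standing in for a
// DOMSubtreeModified handler installed by page script.
struct Document {
    std::shared_ptr<Node> root;
    std::function<void()> subtreeModifiedListener;
    void dispatchSubtreeModified() {
        if (subtreeModifiedListener)
            subtreeModifiedListener();
    }
};

// Mutate `container` and fire the mutation event, as Range::processContents
// does. Returns whether `container` was still alive afterwards, i.e. whether
// the caller could safely keep using it.
bool processContents(Document& doc, Node* container, bool protectContainer) {
    // The RefPtr idiom: a strong reference held for the duration of the call.
    std::shared_ptr<Node> protect;
    if (protectContainer)
        protect = container->shared_from_this();

    // Observer only; never keeps the node alive, so it can report expiry.
    std::weak_ptr<Node> watch(container->shared_from_this());

    container->children.clear();      // the actual mutation
    doc.dispatchSubtreeModified();    // script runs here and may detach container

    // With only a raw pointer, `container` may now point at freed memory;
    // the weak_ptr tells us so without touching it.
    return !watch.expired();
}

// Builds root -> container -> child, installs a listener that removes the
// container from the tree (dropping the tree's only strong reference to it),
// and processes the container while holding nothing but a raw pointer.
bool containerSurvivesDispatch(bool protectContainer) {
    Document doc;
    doc.root = std::make_shared<Node>("root");
    auto container = std::make_shared<Node>("container");
    container->children.push_back(std::make_shared<Node>("child"));
    doc.root->children.push_back(container);
    doc.subtreeModifiedListener = [&doc] { doc.root->children.clear(); };

    Node* raw = container.get();
    container.reset();   // caller is left with a raw pointer, as in the original code
    return processContents(doc, raw, protectContainer);
}

int main() {
    std::printf("raw pointer only: %s\n", containerSurvivesDispatch(false) ? "alive" : "destroyed");
    std::printf("with RefPtr:      %s\n", containerSurvivesDispatch(true) ? "alive" : "destroyed");
    return 0;
}
```

The protected variant costs one reference-count increment and decrement; what it buys is that any use of the object after the dispatch call is a use of a live object, whatever the listener did to the tree. The same reasoning applies to the parent held only by the stack of open elements during attach and to the frame held only by the page during finishedParsing.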
1171
1172 2011-06-07  Abhishek Arya  <inferno@chromium.org>
1173
1174         Reviewed by Dan Bernstein.
1175
1176         Replicate WidthIterator.cpp fix from r88139.
1177         https://bugs.webkit.org/show_bug.cgi?id=62238
1178
1179         No new tests. Covered by existing layout tests on XP debug bots.
1180
1181         * platform/graphics/win/UniscribeController.cpp:
1182         (WebCore::UniscribeController::advance):
1183
1184 2011-06-01  Abhishek Arya  <inferno@chromium.org>
1185
1186         Unreviewed.
1187
1188         Coding style nit. Move ec=0 initialization, change
1189         recommended by Alexey in bug.
1190         https://bugs.webkit.org/show_bug.cgi?id=60831
1191
1192         * dom/Document.cpp:
1193         (WebCore::Document::setBody):
1194
1195 2011-06-01  Abhishek Arya  <inferno@chromium.org>
1196
1197         Reviewed by Alexey Proskuryakov.
1198
1199         Fix setting of document.body
1200         https://bugs.webkit.org/show_bug.cgi?id=60831
1201
1202         1. Only allow setting it to an element if it has a body tag.
1203         2. If the element is from another document, import it.
1204
1205         Test: fast/dom/document-set-body.html
1206
1207         * dom/Document.cpp:
1208         (WebCore::Document::setBody):
1209
1210 2011-06-01  Abhishek Arya  <inferno@chromium.org>
1211
1212         Reviewed by Antti Koivisto.
1213
1214         Do not use the pushed style selector if it is not equal to the
1215         parent document's style selector. It usually means that it is
1216         in a bad state, e.g. already cleared.
1217         https://bugs.webkit.org/show_bug.cgi?id=61737
1218
1219         * dom/Element.cpp:
1220         (WebCore::StyleSelectorParentPusher::~StyleSelectorParentPusher):
1221
1222 2011-06-17  Abhishek Arya  <inferno@chromium.org>
1223
1224         Reviewed by Dave Hyatt.
1225
1226         When we lose ability to propagate floats, need to find topmost
1227         parent with that overhanging float, and then iterate over its
1228         sibling blocks to remove the float.
1229         https://bugs.webkit.org/show_bug.cgi?id=62875
1230
1231         Test: fast/block/float/float-not-removed-from-next-sibling5.html
1232
1233         * rendering/RenderBlock.cpp:
1234         (WebCore::RenderBlock::styleDidChange):
1235         (WebCore::RenderBlock::hasOverhangingFloat):
1236         * rendering/RenderBlock.h:
1237
1238 2011-05-10  Abhishek Arya  <inferno@chromium.org>
1239
1240         Reviewed by Simon Fraser.
1241
1242         Add containsFloats call to hasOverhangingFloats.
1243         https://bugs.webkit.org/show_bug.cgi?id=60537
1244
1245         Test: fast/block/float/no-overhanging-float-crash.html
1246
1247         * rendering/RenderBlock.cpp:
1248         (WebCore::RenderBlock::repaintOverhangingFloats):
1249         * rendering/RenderBlock.h:
1250         (WebCore::RenderBlock::hasOverhangingFloats):
1251
1252 2011-05-05  Abhishek Arya  <inferno@chromium.org>
1253
1254         Reviewed by Dave Hyatt.
1255
1256         When style changes for a RenderBlock and we lose our ability to intrude into
1257         floats in the next sibling block (e.g. a position change), make sure to mark
1258         our children with floats for layout and iterate through our next sibling block
1259         chain to see which ones contain the float that also exists in our floating
1260         objects list and clear those using markAllDescendantsWithFloatsForLayout.
1261         https://bugs.webkit.org/show_bug.cgi?id=56299
1262
1263         Tests: fast/block/float/float-not-removed-from-next-sibling-crash.html
1264                fast/block/float/float-not-removed-from-next-sibling.html
1265                fast/block/float/float-not-removed-from-next-sibling2.html
1266                fast/block/float/float-not-removed-from-next-sibling3.html
1267                fast/block/float/float-not-removed-from-next-sibling4.html
1268
1269         * rendering/RenderBlock.cpp:
1270         (WebCore::RenderBlock::styleWillChange):
1271         (WebCore::RenderBlock::styleDidChange):
1272         (WebCore::RenderBlock::markSiblingsWithFloatsForLayout):
1273         * rendering/RenderBlock.h:
1274
1275 2011-06-16  Gabor Loki  <loki@webkit.org>
1276
1277         [Qt] Unreviewed, build fix after r89118.
1278
1279         * dom/XMLDocumentParserQt.cpp:
1280         (WebCore::XMLDocumentParser::initializeParserContext):
1281
1282 2011-06-16  Jeffrey Pfau  <jpfau@apple.com>
1283
1284         Reviewed by Alexey Proskuryakov.
1285
1286         Using null bytes when setting innerHTML in XHTML results in an assertion and a crash due to a null-pointer dereference
1287         https://bugs.webkit.org/show_bug.cgi?id=61053
1288
1289         Parsing of in-memory XML chunks now passes around a string object instead of a C string, ensuring null characters are properly handled.
1290
1291         Tests: fast/parser/xhtml-innerhtml-null-byte-first.xhtml
1292                fast/parser/xhtml-innerhtml-null-byte.xhtml
1293
1294         * dom/XMLDocumentParser.h:
1295         * dom/XMLDocumentParserLibxml2.cpp:
1296         (WebCore::XMLParserContext::createMemoryParser):
1297         (WebCore::XMLDocumentParser::initializeParserContext):
1298         (WebCore::XMLDocumentParser::appendFragmentSource):
1299
1300 2011-06-15  Abhishek Arya  <inferno@chromium.org>
1301
1302         Reviewed by Antti Koivisto.
1303
1304         Revert speculative fix in r84151. It caused some issues with
1305         stylesheet lifetimes.
1306         https://bugs.webkit.org/show_bug.cgi?id=62586
1307
1308         Tests: fast/dom/body-clone-link-decl-parent-crash.html
1309                fast/dom/styled-clone-inline-style-decl-parent-crash.html
1310                fast/dom/styled-not-in-document-clone-inline-style-decl-parent-crash.html
1311
1312         * dom/Document.cpp:
1313         (WebCore::Document::removedLastRef):
1314
1315 2011-06-15  Sam Weinig  <sam@webkit.org>
1316
1317         Reviewed by Alexey Proskuryakov.
1318
1319         Frequent crashes due to null frame below ApplicationCacheHost::scheduleLoadFallbackResourceFromApplicationCache
1320         https://bugs.webkit.org/show_bug.cgi?id=62764
1321
1322         This is a non-reproducible high volume crash, so no test :(
1323
1324         * loader/DocumentLoader.cpp:
1325         (WebCore::DocumentLoader::detachFromFrame):
1326         Be conservative and stop loading when we detach a document loader from a frame.
1327
1328 2011-06-14  Jeffrey Pfau  <jpfau@apple.com>
1329
1330         Reviewed by David Hyatt.
1331
1332         Null dereference in WebCore::RenderBlock::splitFlow regarding use of multicol, inline-block, and spanning elements
1333         https://bugs.webkit.org/show_bug.cgi?id=60028
1334
1335         Ensure that the parent block of a spanning element, if it is not itself
1336         a multicol element, is not inline.
1337
1338         Test: fast/multicol/span/span-as-nested-inline-block-child.html
1339
1340         * rendering/RenderBlock.cpp:
1341         (WebCore::RenderBlock::columnsBlockForSpanningElement):
1342
1343 2011-06-14  Viatcheslav Ostapenko  <ostapenko.viatcheslav@nokia.com>
1344
1345         Reviewed by Laszlo Gombos.
1346
1347         [Qt] [Symbian] GraphicsLayer: support plugins on symbian
1348         https://bugs.webkit.org/show_bug.cgi?id=57418
1349
1350         Implement graphics layer for plugins on Symbian.
1351
1352         * plugins/PluginView.h:
1353         * plugins/qt/PluginViewQt.cpp:
1354         (WebCore::PluginView::shouldUseAcceleratedCompositing):
1355         (WebCore::PluginView::platformStart):
1356         * plugins/symbian/PluginViewSymbian.cpp:
1357         (WebCore::PluginGraphicsLayerQt::PluginGraphicsLayerQt):
1358         (WebCore::PluginGraphicsLayerQt::~PluginGraphicsLayerQt):
1359         (WebCore::PluginGraphicsLayerQt::paint):
1360         (WebCore::PluginView::shouldUseAcceleratedCompositing):
1361         (WebCore::PluginView::paint):
1362         (WebCore::PluginView::invalidateRect):
1363         (WebCore::PluginView::platformStart):
1364         (WebCore::PluginView::platformLayer):
1365
1366 2011-06-16  Sheriff Bot  <webkit.review.bot@gmail.com>
1367
1368         Unreviewed, rolling out r88796.
1369         http://trac.webkit.org/changeset/88796
1370         https://bugs.webkit.org/show_bug.cgi?id=62790
1371
1372         It made fast/dom/nodesFromRect-basic.html time out on Qt,
1373         64-bit, debug mode (Requested by Ossy on #webkit).
1374
1375         * bridge/qt/qt_runtime.cpp:
1376         (JSC::Bindings::convertValueToQVariant):
1377
1378 2011-06-13  Jeffrey Pfau  <jpfau@apple.com>
1379
1380         Reviewed by Darin Adler.
1381
1382         Crash in WebCore::RenderMathMLUnderOver::layout()
1383         https://bugs.webkit.org/show_bug.cgi?id=57900
1384
1385         Add more null checks so that removing children in MathML elements does not cause crashes.
1386         Note that this only half fixes the third repro in the Bugzilla bug, as another bug will
1387         still crash that repro.
1388
1389         Test: mathml/munderover-remove-children.html
1390
1391         * rendering/mathml/RenderMathMLSubSup.cpp:
1392         (WebCore::RenderMathMLSubSup::stretchToHeight):
1393         * rendering/mathml/RenderMathMLUnderOver.cpp:
1394         (WebCore::RenderMathMLUnderOver::layout):
1395         (WebCore::RenderMathMLUnderOver::nonOperatorHeight):
1396
1397 2011-06-13  Ryosuke Niwa  <rniwa@webkit.org>
1398
1399         Reviewed by Dan Bernstein.
1400
1401         REGRESSION (r81518): Crash in makeRange() when invoking the dictionary panel over a file input
1402         https://bugs.webkit.org/show_bug.cgi?id=62544
1403
1404         Fixed the crash by adding null pointer checks.
1405
1406         No new tests since there's no way to open dictionary panel.
1407
1408         * dom/Position.cpp:
1409         (WebCore::Position::parentAnchoredEquivalent):
1410         * editing/VisiblePosition.cpp:
1411         (WebCore::makeRange):
1412         * page/Frame.cpp:
1413         (WebCore::Frame::rangeForPoint):
1414
1415 2011-06-14  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>
1416
1417         Reviewed by Andreas Kling.
1418
1419         [Qt] tst_QWebFrame::overloadedSlots() fails
1420         https://bugs.webkit.org/show_bug.cgi?id=37319
1421
1422         Increase the likelihood that JSElements are converted to QWebElements. When hinted
1423         with QWebElement metatype, we qualify the conversion from JSElement as a "perfect
1424         match".
1425
1426         The test was failing because the wrong slot was called, since the QWebElement
1427         match was taken as equal to the others and not chosen when the metacall happened.
1428
1429         We also remove the implicit conversion between JSDocument (which is not an
1430         element) and QWebElement. The conversion only worked for calling slots, while
1431         without a hint it returned a QVariantMap (as can be seen in the domCycles test). It was
1432         added for supporting DRT, but since this change we can use it as a QVariantMap and
1433         get the value for "documentElement".
1434
1435         This patch is based on Noam Rosenthal original patch in the same bug.
1436
1437         * bridge/qt/qt_runtime.cpp:
1438         (JSC::Bindings::hintForRealType):
1439         Extracted a function to choose the metatype hint based on the JSValue type. Added the
1440         QWebElement metatype as a hint for JSElement objects; this way, if no hint is
1441         provided, JSElement objects will always be converted to QWebElements.
1442
1443         (JSC::Bindings::convertValueToQVariant):
1444         Use the previous function. Identify the conversion from JSElement to QWebElement
1445         as a "perfect match" (dist = 0), and remove the implicit conversion when the hint
1446         is the QWebElement metatype and we have a JSDocument. Changed from JSHTMLElement to
1447         JSElement to cover 'documentElement'.
1448
1449 2011-06-12  Dan Bernstein  <mitz@apple.com>
1450
1451         Reviewed by Darin Adler.
1452
1453         <rdar://problem/9513180> REGRESSION (r84166): recalcStyle for display:inline to display:none transition has complexity N^2 where N is the number of child Text nodes
1454         https://bugs.webkit.org/show_bug.cgi?id=61557
1455
1456         Replaced the fix for bug 58500 with a refined version.
1457
1458         * rendering/RenderText.cpp:
1459         (WebCore::RenderText::clippedOverflowRectForRepaint): Use the containing block unless it is
1460         across a layer boundary.
1461
1462 2011-06-10  Abhishek Arya  <inferno@chromium.org>
1463
1464         Reviewed by Simon Fraser.
1465
1466         Null parent element sheet pointers in CSSMutableStyleDeclaration consumers
1467         when removed from document, set them when reinserted into document.
1468         https://bugs.webkit.org/show_bug.cgi?id=62230
1469
1470         When an HTMLBodyElement or StyledElement was removed from the document,
1471         we didn't clear out the parent pointers from its link and style declarations.
1472         These parent pointers pointed to the document's element sheet, which gets
1473         removed when the document is destroyed. It makes sense to
1474         clear out the parent pointers when we are removed from the document and
1475         re-add them when we are inserted again.
1476
1477         Tests: fast/dom/body-link-decl-parent-crash.html
1478                fast/dom/styled-inline-style-decl-parent-crash.html
1479
1480         * dom/StyledElement.cpp:
1481         (WebCore::StyledElement::insertedIntoDocument):
1482         (WebCore::StyledElement::removedFromDocument):
1483         * dom/StyledElement.h:
1484         * html/HTMLBodyElement.cpp:
1485         (WebCore::HTMLBodyElement::parseMappedAttribute):
1486         (WebCore::HTMLBodyElement::insertedIntoDocument):
1487         (WebCore::HTMLBodyElement::removedFromDocument):
1488         (WebCore::HTMLBodyElement::didMoveToNewOwnerDocument):
1489         * html/HTMLBodyElement.h:
1490
1491 2011-06-10  James Simonsen  <simonjam@chromium.org>
1492
1493         Reviewed by Tony Gentilcore.
1494
1495         Don't execute scripts in shadow SVG.
1496         https://bugs.webkit.org/show_bug.cgi?id=62225
1497
1498         Test: svg/dom/use-style-recalc-script-execute-crash.html
1499
1500         * dom/ScriptElement.cpp:
1501         (WebCore::ScriptElement::prepareScript):
1502
1503 2011-06-09  Jian Li  <jianli@chromium.org>
1504
1505         Reviewed by David Levin.
1506
1507         Calling WebKitBlobBuilder.append with null argument should not crash
1508         https://bugs.webkit.org/show_bug.cgi?id=62419
1509
1510         Test: fast/files/blob-builder-crash.html
1511
1512         * fileapi/WebKitBlobBuilder.cpp:
1513         (WebCore::WebKitBlobBuilder::append):
1514
1515 2011-06-09  Julien Chaffraix  <jchaffraix@codeaurora.org>
1516
1517         Reviewed by Antti Koivisto.
1518
1519         REGRESSION(84329): Stylesheets on some pages do not load
1520         https://bugs.webkit.org/show_bug.cgi?id=61400
1521
1522         Test: fast/css/link-disabled-attr.html
1523
1524         Fixed r84329: the change did not take into account the fact
1525         that HTMLLinkElement already contained the disabled information,
1526         and the two pieces of information were not linked as they should have been.
1527
1528         The new logic pushes the information to the stylesheet as this
1529         is what the spec mandates and what FF is doing. Also it keeps
1530         one bit of information (that JS enabled the stylesheet) as it
1531         is needed for the recalcStyleSelector logic.
1532
1533         * dom/Document.cpp:
1534         (WebCore::Document::recalcStyleSelector): s/isDisabled/disabled.
1535
1536         * html/HTMLLinkElement.cpp:
1537         (WebCore::HTMLLinkElement::HTMLLinkElement): Removed m_disabledState,
1538         replaced by m_isEnabledViaScript.
1539         (WebCore::HTMLLinkElement::setDisabled): Updated the logic after
1540         m_disabledState removal. It also matches the spec by forwarding
1541         the disabled state to our stylesheet if we have one.
1542         (WebCore::HTMLLinkElement::parseMappedAttribute): Removed harmful
1543         handling of the disabledAttr.
1544         (WebCore::HTMLLinkElement::process): Updated after m_disabledState removal.
1545         * html/HTMLLinkElement.h:
1546         (WebCore::HTMLLinkElement::isEnabledViaScript): Ditto.
1547         (WebCore::HTMLLinkElement::isAlternate): Ditto.
1548
1549 2011-06-09  Simon Fraser  <simon.fraser@apple.com>
1550
1551         Reviewed by Darin Adler.
1552
1553         Crashes in RenderLayerBacking::paintingGoesToWindow
1554         https://bugs.webkit.org/show_bug.cgi?id=61159
1555
1556         Speculative fix for unreproducible crash that can occur when RenderObject::repaintUsingContainer()
1557         finds a repaintContainer that is not the RenderView, but that is also not
1558         composited (for unknown reasons), by checking to see if the layer is
1559         compositing before using backing(). An assertion remains to try to catch
1560         this in debug builds.
1561
1562         * rendering/RenderLayer.cpp:
1563         (WebCore::RenderLayer::setBackingNeedsRepaintInRect):
1564
1565 2011-06-09  Julien Chaffraix  <jchaffraix@webkit.org>
1566
1567         Reviewed by Darin Adler.
1568
1569         WebCore::WebKitCSSKeyframesRuleInternal::nameAttrSetter() - crash
1570         https://bugs.webkit.org/show_bug.cgi?id=62384
1571
1572         Test: fast/css/webkit-keyframes-crash.html
1573
1574         * css/WebKitCSSKeyframesRule.cpp:
1575         (WebCore::WebKitCSSKeyframesRule::setName): stylesheet() is never guaranteed
1576         to return a non-null pointer. Thus null-check here like the rest of the code.
1577
1578 2011-06-08  Adam Barth  <abarth@webkit.org>
1579
1580         Reviewed by Eric Seidel.
1581
1582         constructTreeFromToken can re-enter parser, causing ASSERTs
1583         https://bugs.webkit.org/show_bug.cgi?id=62160
1584
1585         This patch clears the HTMLToken before constructing the tree from the
1586         token, putting the HTMLDocumentParser in a good state to be re-entered.
1587
1588         Tests: fast/parser/document-write-onload-nesting.html
1589                fast/parser/document-write-onload-ordering.html
1590
1591         * html/parser/HTMLDocumentParser.cpp:
1592         (WebCore::HTMLDocumentParser::pumpTokenizer):
1593         * html/parser/HTMLToken.h:
1594         (WebCore::HTMLToken::isUninitialized):
1595         * html/parser/HTMLTreeBuilder.cpp:
1596         (WebCore::HTMLTreeBuilder::constructTreeFromToken):
1597
1598 2011-06-08  Yael Aharon  <yael.aharon@nokia.com>
1599
1600         Reviewed by Andreas Kling.
1601
1602         [Qt] Build fix for building QtWebKit inside of Qt.
1603         https://bugs.webkit.org/show_bug.cgi?id=62280
1604
1605         Remove CONFIG=staticlib, because it causes the configure script to add -lwebcore
1606         into QtWebKit.prl.
1607
1608         No new tests, as this is just a build fix.
1609
1610         * WebCore.pri:
1611
1612 2011-06-08  Andreas Kling  <andreas.kling@nokia.com>
1613
1614         Reviewed by Laszlo Gombos.
1615
1616         [Symbian] Float{32,64}Array and Int16Array fail to build.
1617         https://bugs.webkit.org/show_bug.cgi?id=62219
1618
1619         For some reason, RVCT 2.x is moaning about "class member designated by
1620         a using-declaration must be visible in a direct base class".
1621         Apply same fix as r69122 and r76592.
1622
1623         * html/canvas/Float32Array.h:
1624         (WebCore::Float32Array::set):
1625         * html/canvas/Float64Array.h:
1626         (WebCore::Float64Array::set):
1627         * html/canvas/Int16Array.h:
1628         (WebCore::Int16Array::set):
1629
1630 2011-06-07  Yi Shen  <yi.4.shen@nokia.com>
1631
1632         Reviewed by Simon Hausmann.
1633
1634         [Qt] Fix the error code for media resource failures when using QtMobility
1635         https://bugs.webkit.org/show_bug.cgi?id=55901
1636
1637         To indicate media resource failures, set the network state to
1638         MediaPlayer::FormatError when it receives QMediaPlayer::InvalidMedia or
1639         QMediaPlayer::ResourceError.
1640
1641         * platform/graphics/qt/MediaPlayerPrivateQt.cpp:
1642         (WebCore::MediaPlayerPrivateQt::updateStates):
1643
1644 2011-06-05  Igor Oliveira  <igor.oliveira@openbossa.org>
1645
1646         Reviewed by Kenneth Rohde Christiansen.
1647
1648         fast/viewport/viewport-45.html fails in GTK+/Qt
1649         https://bugs.webkit.org/show_bug.cgi?id=47481
1650
1651         computeViewportAttributes does many math operations with floating-point arithmetic,
1652         and in some cases there is a loss of precision that makes tests produce incorrect values.
1653
1654         * dom/ViewportArguments.cpp:
1655         (WebCore::computeViewportAttributes):
1656
1657 2011-06-04  Abhishek Arya  <inferno@chromium.org>
1658
1659         Reviewed by Kent Tamura.
1660
1661         Add some asserts for array boundary checks in TextRun. Fix
1662         an integer issue in linux text controller code.
1663         https://bugs.webkit.org/show_bug.cgi?id=62085
1664
1665         Testing the ComplexTextControllerLinux change requires a testcase
1666         > 32 kb, which is not feasible. All other changes are tested by
1667         existing layout tests.
1668
1669         * platform/graphics/TextRun.h:
1670         (WebCore::TextRun::operator[]): add assert.
1671         (WebCore::TextRun::data): add assert.
1672         * platform/graphics/WidthIterator.cpp:
1673         (WebCore::WidthIterator::advance): bail early and prevent access
1674         to one byte across the text run boundary.
1675         * platform/graphics/chromium/ComplexTextControllerLinux.cpp:
1676         (WebCore::ComplexTextController::getNormalizedTextRun): wrong
1677         int16 vs int comparison.
1678         * rendering/svg/SVGTextRunRenderingContext.cpp:
1679         (WebCore::SVGTextRunWalker::walk): bail early when from and to
1680         are outside the text run boundary. This was hit easily after adding
1681         the assert, when from = to = end and we read run.data(from).
1682
1683 2011-06-04  Jeffrey Pfau  <jpfau@apple.com>
1684
1685         Reviewed by Beth Dakin.
1686
1687         Crash in WebCore::RenderMathMLSubSup::baselinePosition()
1688         https://bugs.webkit.org/show_bug.cgi?id=57897
1689
1690         Simple patch adding NULL checks in each function.
1691         Test: mathml/msubsup-remove-children.xhtml
1692
1693         * rendering/mathml/RenderMathMLSubSup.cpp:
1694         (WebCore::RenderMathMLSubSup::stretchToHeight):
1695         (WebCore::RenderMathMLSubSup::baselinePosition):
1696
1697 2011-06-03  Alexis Menard  <alexis.menard@openbossa.org>
1698
1699         Reviewed by Andreas Kling.
1700
1701         To support building namespaced Qt, we require that forward-declarations
1702         of Qt classes be wrapped in QT_BEGIN_NAMESPACE and QT_END_NAMESPACE.
1703
1704         * platform/network/qt/QtMIMETypeSniffer.h:
1705
1706 2011-06-01  Andras Becsi  <abecsi@webkit.org>
1707
1708         Reviewed by Csaba Osztrogonác.
1709
1710         [Qt] Fix the Phonon build when logging is disabled
1711         https://bugs.webkit.org/show_bug.cgi?id=61869
1712
1713         No new tests needed.
1714
1715         * platform/graphics/qt/MediaPlayerPrivatePhonon.cpp: Add missing guards.
1716         (WebCore::MediaPlayerPrivatePhonon::networkState):
1717         (WebCore::MediaPlayerPrivatePhonon::readyState):
1718         (WebCore::MediaPlayerPrivatePhonon::updateStates):
1719         (WebCore::MediaPlayerPrivatePhonon::stateChanged):
1720
1721 2011-05-31  Abhishek Arya  <inferno@chromium.org>
1722
1723         Reviewed by Dimitri Glazkov.
1724
1725         Improve the hasMediaControls logic to check that the node has
1726         media controls. This can be false when cloning nodes.
1727         https://bugs.webkit.org/show_bug.cgi?id=61765
1728
1729         Test: media/media-controls-clone-crash.html
1730
1731         * dom/Node.h:
1732         (WebCore::Node::isMediaControls):
1733         * html/HTMLMediaElement.cpp:
1734         (WebCore::HTMLMediaElement::mediaControls):
1735         (WebCore::HTMLMediaElement::hasMediaControls):
1736         * html/shadow/MediaControls.h:
1737         (WebCore::MediaControls::isMediaControls):
1738         (WebCore::toMediaControls):
1739
1740 2011-05-30  Eric Carlson  <eric.carlson@apple.com>
1741
1742         Reviewed by Alexey Proskuryakov.
1743
1744         Audio and video files saved to the Application Cache should preserve the original file extension
1745         https://bugs.webkit.org/show_bug.cgi?id=61750
1746         <rdar://9524922>
1747
1748         No new tests; it isn't possible to check the name of the file in the cache from within
1749         DRT. Changes verified manually.
1750
1751         * loader/appcache/ApplicationCacheStorage.cpp:
1752         (WebCore::ApplicationCacheStorage::store): Append the original file extension to the cache
1753             file name.
1754         (WebCore::ApplicationCacheStorage::writeDataToUniqueFileInDirectory): Add extension parameter.
1755         * loader/appcache/ApplicationCacheStorage.h:
1756
1757 2011-05-30  Jer Noble  <jer.noble@apple.com>
1758
1759         Reviewed by Darin Adler and Simon Fraser.
1760
1761         REGRESSION (r87622): Scrubbing a Vimeo movie when in fullscreen stops playback; no way to make it start again
1762         https://bugs.webkit.org/show_bug.cgi?id=61717
1763         rdar://problem/9522272
1764
1765         There may be some good way to test this later; no immediate idea about the best way.
1766
1767         To stop events from propagating outside a media element's shadow DOM when the
1768         element is taken into full-screen mode, EventDispatcher::determineDispatchBehavior()
1769         has been changed to take a shadow root node. In our full-screen media element check,
1770         we check whether the passed shadow root is the shadow root of the full-screen media
1771         element, and if so, specify that events should StayInsideShadowDOM. The end result is that
1772         inside EventDispatcher::ensureEventAncestors, an ancestor chain is built up all the
1773         way from the SliderThumb to the video element's shadow root, but no further.
1774
1775         * dom/EventDispatcher.cpp:
1776         (WebCore::EventDispatcher::determineDispatchBehavior): Restrict events to the
1777         shadow DOM when showing a full screen video.
1778
1779         * html/HTMLMediaElement.cpp:
1780         (WebCore::HTMLMediaElement::HTMLMediaElement): Removed code to manage full screen controls.
1781         The events telling us about activity in the shadow DOM no longer bubble out so we need to
1782         handle this inside the shadow DOM on the root element.
1783         (WebCore::HTMLMediaElement::play): Ditto.
1784         (WebCore::HTMLMediaElement::playbackProgressTimerFired): Ditto.
1785         (WebCore::HTMLMediaElement::defaultEventHandler): Ditto.
1786         (WebCore::HTMLMediaElement::enterFullscreen): Ditto.
1787         (WebCore::HTMLMediaElement::exitFullscreen): Ditto.
1788         * html/HTMLMediaElement.h: Added isPlaying function, removed things moved to the root element.
1789
1790         * html/shadow/MediaControlElements.cpp:
1791         (WebCore::MediaControlVolumeSliderContainerElement::defaultEventHandler): Rolled out
1792         changes that tried to make special rules for events using preDispatchEventHandler and such.
1793         This rolls out both r87622 and r87655.
1794         (WebCore::MediaControlMuteButtonElement::defaultEventHandler): Ditto.
1795         (WebCore::MediaControlPanelMuteButtonElement::defaultEventHandler): Ditto.
1796         (WebCore::MediaControlPlayButtonElement::defaultEventHandler): Ditto.
1797         (WebCore::MediaControlSeekButtonElement::defaultEventHandler): Ditto.
1798         (WebCore::MediaControlRewindButtonElement::defaultEventHandler): Ditto.
1799         (WebCore::MediaControlReturnToRealtimeButtonElement::defaultEventHandler): Ditto.
1800         (WebCore::MediaControlToggleClosedCaptionsButtonElement::defaultEventHandler): Ditto.
1801         (WebCore::MediaControlTimelineElement::defaultEventHandler): Ditto.
1802         (WebCore::MediaControlVolumeSliderElement::defaultEventHandler): Ditto.
1803         (WebCore::MediaControlFullscreenButtonElement::defaultEventHandler): Ditto.
1804         (WebCore::MediaControlFullscreenVolumeMinButtonElement::defaultEventHandler): Ditto.
1805         (WebCore::MediaControlFullscreenVolumeMaxButtonElement::defaultEventHandler): Ditto.
1806         * html/shadow/MediaControlElements.h: Ditto.
1807
1808         * html/shadow/MediaControlRootElement.cpp:
1809         (WebCore::MediaControlRootElement::MediaControlRootElement): Initialize new data members.
1810         (WebCore::MediaControlRootElement::playbackStarted): Start the timer so we will consider
1811         hiding the controls later.
1812         (WebCore::MediaControlRootElement::playbackProgressed): Hide the controls if the mouse
1813         is no longer over the controls.
1814         (WebCore::MediaControlRootElement::playbackStopped): Stop the timer since we only hide
1815         automatically if we're playing.
1816         (WebCore::MediaControlRootElement::enteredFullscreen): Start the timer.
1817         (WebCore::MediaControlRootElement::exitedFullscreen): Stop the timer since we only care
1818         if we are full screen.
1819         (WebCore::MediaControlRootElement::containsRelatedTarget): Added. Helper for next function.
1820         (WebCore::MediaControlRootElement::defaultEventHandler): Do the hide/show and timer functions
1821         as the mouse is moved in and out.
1822         (WebCore::MediaControlRootElement::startHideFullscreenControlsTimer): Start the timer if
1823         needed.
1824         (WebCore::MediaControlRootElement::hideFullscreenControlsTimerFired): Hide if the conditions
1825         are met.
1826         (WebCore::MediaControlRootElement::stopHideFullscreenControlsTimer): Stop the timer.
1827
1828         * html/shadow/MediaControlRootElement.h: Added new functions and data members.
1829
1830
1831 2011-05-29  Brian Weinstein  <bweinstein@apple.com>
1832
1833         Reviewed by Darin Adler.
1834
1835         Controls never hide in full screen after user stops moving mouse
1836         https://bugs.webkit.org/show_bug.cgi?id=61715
1837         <rdar://problem/9522182>
1838
1839         When we get a mouse move event in HTMLMediaElement::defaultEventHandler, and we are in full screen,
1840         show the media controls, and then start a timer.
1841
1842         The timer fires 3 seconds after the user's last mouse movement (timer is restarted on every mouse
1843         move), and hides the controls.
1844
1845         * html/HTMLMediaElement.cpp:
1846         (WebCore::HTMLMediaElement::HTMLMediaElement): Initialize our new timer.
1847         (WebCore::HTMLMediaElement::play): If we are in full screen mode, start our timer to hide the full screen
1848             controls. We don't want the user to have to move the mouse to hide them when they use the spacebar
1849             to play.
1850         (WebCore::HTMLMediaElement::startHideFullscreenControlsTimer): Starts a oneshot timer 3 seconds in the future
1851             if we are in full screen.
1852         (WebCore::HTMLMediaElement::hideFullscreenControlsTimerFired): Make sure that we are currently playing, and
1853             we are in full screen, and hide the controls. We don't want to hide the controls if we are paused.
1854         (WebCore::HTMLMediaElement::stopHideFullscreenControlsTimer): Stops the timer.
1855         (WebCore::HTMLMediaElement::defaultEventHandler): If we get a mouse move event and are in full screen, show the
1856             controls and start a timer to hide them.
1857         (WebCore::HTMLMediaElement::enterFullscreen): Start a timer to hide the full screen controls. The user shouldn't
1858             have to move the mouse once they enter full screen to hide the controls.
1859         (WebCore::HTMLMediaElement::exitFullscreen): Stop the timer to hide the full screen controls.
1860         * html/HTMLMediaElement.h:
1861         * html/shadow/MediaControls.h: Added pure virtual shouldHideControls() method.
1862         * html/shadow/MediaControlRootElement.cpp:
1863         (WebCore::MediaControlRootElement::playbackStopped): Stop the timer to hide the full screen controls.
1864         (WebCore::MediaControlRootElement::shouldHideControls): Added, only report that
1865             the caller should hide the controls if the panel is not hovered.
1866         * html/shadow/MediaControlRootElement.h:
1867
1868 2011-05-29  Darin Adler  <darin@apple.com>
1869
1870         Reviewed by Kevin Decker.
1871
1872         REGRESSION (r87622): In media documents, clicking the full screen button and the play button pauses the video
1873         https://bugs.webkit.org/show_bug.cgi?id=61713
1874
1875         We need to come up with a way to regression-test these changes. Nothing at the moment.
1876
1877         The bug is that we removed calls to preventDefault, but we still do need to prevent
1878         default handling of this event.
1879
1880         * html/shadow/MediaControlElements.cpp:
1881         (WebCore::MediaControlElement::preDispatchEventHandler): Add back the preventDefault
1882         that was in here before r87622 as well as the stopPropagation that was added in r87622.
1883         (WebCore::MediaControlMuteButtonElement::preDispatchEventHandler): Ditto.
1884         (WebCore::MediaControlPlayButtonElement::preDispatchEventHandler): Ditto.
1885         (WebCore::MediaControlSeekButtonElement::preDispatchEventHandler): Ditto.
1886         (WebCore::MediaControlRewindButtonElement::preDispatchEventHandler): Ditto.
1887         (WebCore::MediaControlReturnToRealtimeButtonElement::preDispatchEventHandler): Ditto.
1888         (WebCore::MediaControlToggleClosedCaptionsButtonElement::preDispatchEventHandler): Ditto.
1889         (WebCore::MediaControlFullscreenButtonElement::preDispatchEventHandler): Ditto.
1890         (WebCore::MediaControlFullscreenVolumeMinButtonElement::preDispatchEventHandler): Ditto.
1891         (WebCore::MediaControlFullscreenVolumeMaxButtonElement::preDispatchEventHandler): Ditto.
1892
1893 2011-05-28  Jer Noble  <jer.noble@apple.com>
1894
1895         Reviewed by Maciej Stachowiak.
1896
1897         Mouse clicks propagate outside full-screen media controls.
1898         https://bugs.webkit.org/show_bug.cgi?id=61689
1899
1900         Mouse click events are propagating out of the media controls, so mouse click
1901         listeners registered on the video element are getting fired when the user
1902         clicks on media controller buttons.  By default, block propagation of click
1903         events from MediaControlElements by overriding preDispatchEventHandler, and
1904         convert all instances of defaultEventHandler -> preDispatchEventHandler.  Change
1905         all calls of event->setDefaultHandled() to event->stopPropagation().
1906
1907         * html/shadow/MediaControlElements.cpp:
1908         (WebCore::MediaControlElement::preDispatchEventHandler): Added.  Block
1909             propagation of all mouse click events.
1910         (WebCore::MediaControlVolumeSliderContainerElement::preDispatchEventHandler):
1911             Renamed from setDefaultHandled.
1912         (WebCore::MediaControlMuteButtonElement::preDispatchEventHandler): Ditto.
1913         (WebCore::MediaControlPanelMuteButtonElement::preDispatchEventHandler): Ditto.
1914         (WebCore::MediaControlPlayButtonElement::preDispatchEventHandler): Ditto.
1915         (WebCore::MediaControlSeekButtonElement::preDispatchEventHandler): Ditto.
1916         (WebCore::MediaControlRewindButtonElement::preDispatchEventHandler): Ditto.
1917         (WebCore::MediaControlReturnToRealtimeButtonElement::preDispatchEventHandler): Ditto.
1918         (WebCore::MediaControlToggleClosedCaptionsButtonElement::preDispatchEventHandler): Ditto.
1919         (WebCore::MediaControlTimelineElement::preDispatchEventHandler): Ditto.
1920         (WebCore::MediaControlVolumeSliderElement::preDispatchEventHandler): Ditto.
1921         (WebCore::MediaControlFullscreenButtonElement::preDispatchEventHandler): Ditto.
1922         (WebCore::MediaControlFullscreenVolumeMinButtonElement::preDispatchEventHandler): Ditto.
1923         (WebCore::MediaControlFullscreenVolumeMaxButtonElement::preDispatchEventHandler): Ditto.
1924         * html/shadow/MediaControlElements.h:
1925
1926 2011-05-26  Alexis Menard  <alexis.menard@openbossa.org>
1927
1928         Unreviewed build fix for Qt and QuickTime backend.
1929
1930         r87328 added a new system interface; we need to add it too.
1931
1932         * platform/qt/WebCoreSystemInterface.h:
1933         * platform/qt/WebCoreSystemInterface.mm:
1934
1935 2011-05-24  Jer Noble  <jer.noble@apple.com>
1936
1937         Reviewed by Darin Adler.
1938
1939         Video fails to play on Vimeo
1940         https://bugs.webkit.org/show_bug.cgi?id=61403
1941
1942         No new tests; covered by media/video-canvas-source.html.
1943
1944         Vimeo redirects their assets from player.vimeo.com to av.vimeo.com, which is rejected
1945         by AVFoundation and QTKit due to our setting a ForbidCrossSiteReference option when
1946         creating an AVAsset or QTMovie. Instead, we should just reject local->remote and
1947         remote->local and make our answer to hasSingleSecurityOrigin dynamic.
1948
1949         When checking whether a given request has a single security origin, use a
1950         SecurityOrigin to check the host, port, and scheme.
1951
1952         * WebCore.exp.in:
1953         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h:
1954         (WebCore::MediaPlayerPrivateAVFoundation::assetURL): Added.
1955         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundationObjC.h:
1956         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundationObjC.mm:
1957         (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVAssetForURL): Exchange ForbidCrossSiteReference
1958             for ForbidRemoteReferenceToLocal and ForbidLocalReferenceToRemote.
1959         (WebCore::MediaPlayerPrivateAVFoundationObjC::hasSingleSecurityOrigin): Check to see that the
1960             requested and resolved URLs have the same host and port.
1961         * platform/graphics/mac/MediaPlayerPrivateQTKit.mm:
1962         (WebCore::MediaPlayerPrivateQTKit::commonMovieAttributes): Exchange NoCrossSiteAttribute for
1963             NoRemoteToLocalSiteAttribute and NoLocalToRemoteSiteAttribute.
1964         (WebCore::MediaPlayerPrivateQTKit::hasSingleSecurityOrigin): Check to see that the
1965             requested and resolved URLs have the same host and port.
1966         * platform/mac/WebCoreSystemInterface.h: Added wkAVAssetResolvedURL.
1967         * platform/mac/WebCoreSystemInterface.mm: Ditto.
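
As an added illustration (not WebKit's code) of the origin rule this entry describes: the loader rejects only local->remote and remote->local references, while hasSingleSecurityOrigin compares the requested URL with the URL the media actually resolved to. It assumes a minimal URL model (scheme, host, port), treats the file: scheme as "local", uses std::string in place of KURL/SecurityOrigin, and does not handle IPv6 host literals.

```cpp
// Added example (not WebKit code): the media "single security origin" rule and the
// local/remote reference rule from the ChangeLog entry above, over a minimal URL model.
#include <cctype>
#include <cstdint>
#include <optional>
#include <string>

struct Origin { // assumption: an origin is just scheme, host and port (WebCore: SecurityOrigin)
    std::string scheme;
    std::string host;
    uint16_t port = 0;
};

static std::string lowercase(std::string s)
{
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Default port per scheme; unknown schemes are rejected rather than guessed.
static std::optional<uint16_t> defaultPort(const std::string& scheme)
{
    if (scheme == "http") return 80;
    if (scheme == "https") return 443;
    if (scheme == "file") return 0;
    return std::nullopt;
}

// Parse "scheme://host[:port][/path]" into a normalized Origin (scheme and host are
// case-insensitive). Malformed input or an out-of-range port yields nullopt; no IPv6 literals.
std::optional<Origin> parseOrigin(const std::string& url)
{
    const auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos || schemeEnd == 0)
        return std::nullopt;
    Origin origin;
    origin.scheme = lowercase(url.substr(0, schemeEnd));
    const auto authorityStart = schemeEnd + 3;
    const auto authorityEnd = url.find_first_of("/?#", authorityStart);
    std::string authority = url.substr(authorityStart,
        authorityEnd == std::string::npos ? std::string::npos : authorityEnd - authorityStart);
    std::string portText;
    const auto colon = authority.rfind(':');
    if (colon != std::string::npos) {
        portText = authority.substr(colon + 1);
        authority.erase(colon);
    }
    origin.host = lowercase(authority);
    if (origin.host.empty() && origin.scheme != "file")
        return std::nullopt;
    if (portText.empty()) {
        const auto port = defaultPort(origin.scheme);
        if (!port) return std::nullopt;
        origin.port = *port;
        return origin;
    }
    unsigned value = 0;
    for (char c : portText) {
        if (!std::isdigit(static_cast<unsigned char>(c))) return std::nullopt;
        value = value * 10 + static_cast<unsigned>(c - '0');
        if (value > 65535) return std::nullopt;
    }
    origin.port = static_cast<uint16_t>(value);
    return origin;
}

// Assumption: "local" means a file: URL.
static bool isLocal(const Origin& origin) { return origin.scheme == "file"; }

enum class ReferenceDecision { Allow, RejectLocalToRemote, RejectRemoteToLocal, Malformed };

// The loader rule from the entry: a cross-site redirect (player.vimeo.com -> av.vimeo.com)
// is allowed, but a local asset may not reference a remote one and vice versa.
ReferenceDecision checkReference(const std::string& requestedURL, const std::string& resolvedURL)
{
    const auto requested = parseOrigin(requestedURL);
    const auto resolved = parseOrigin(resolvedURL);
    if (!requested || !resolved)
        return ReferenceDecision::Malformed;
    if (isLocal(*requested) && !isLocal(*resolved))
        return ReferenceDecision::RejectLocalToRemote;
    if (!isLocal(*requested) && isLocal(*resolved))
        return ReferenceDecision::RejectRemoteToLocal;
    return ReferenceDecision::Allow;
}

// The dynamic hasSingleSecurityOrigin answer: true only when the requested URL and the URL
// the media resolved to agree on scheme, host and port; a redirect to another host yields false.
bool hasSingleSecurityOrigin(const std::string& requestedURL, const std::string& resolvedURL)
{
    const auto requested = parseOrigin(requestedURL);
    const auto resolved = parseOrigin(resolvedURL);
    if (!requested || !resolved)
        return false; // fail closed on unparsable input
    return requested->scheme == resolved->scheme && requested->host == resolved->host
        && requested->port == resolved->port;
}
```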
1968
1969 2011-05-15  Eric Carlson  <eric.carlson@apple.com>
1970
1971         Reviewed by Maciej Stachowiak.
1972
1973         Use new AVAssetReferenceRestrictions to prevent cross site media references
1974         https://bugs.webkit.org/show_bug.cgi?id=60791
1975         <rdar://problem/9374202>
1976
1977         Test: http/tests/media/video-cross-site.html
1978
1979         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundationObjC.mm:
1980         (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVAssetForURL): Set restriction
1981             to prevent cross-domain references from being followed.
1982
1983 2011-05-10  Eric Carlson  <eric.carlson@apple.com>
1984
1985         Reviewed by Darin Adler.
1986
1987         Files that load quickly sometimes won't play.
1988         https://bugs.webkit.org/show_bug.cgi?id=60556
1989         <rdar://problem/9330567>
1990
1991         No new tests; this failure is very difficult to reproduce on some machines. The fix was
1992         verified manually.
1993
1994         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.cpp:
1995         (WebCore::MediaPlayerPrivateAVFoundation::playabilityKnown): Move the call to updateStates
1996             to dispatchNotification so it is more obvious which state changes call it.
1997         (WebCore::MediaPlayerPrivateAVFoundation::setNaturalSize): Correct logging typo.
1998         (WebCore::MediaPlayerPrivateAVFoundation::metadataLoaded): Move updateStates call to 
1999             dispatchNotification.
2000         (WebCore::MediaPlayerPrivateAVFoundation::rateChanged): Ditto.
2001         (WebCore::MediaPlayerPrivateAVFoundation::loadedTimeRangesChanged): Ditto.
2002         (WebCore::MediaPlayerPrivateAVFoundation::dispatchNotification): Call updateStates after
2003             processing "size changed" notification so we detect all state changes. Consolidate
2004             calls to updateStates here.
2005
2006         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundationObjC.mm:
2007         (WebCore::MediaPlayerPrivateAVFoundationObjC::createVideoLayer): Name the video layer in
2008             a debug build.
2009
2010 2011-05-05  Eric Carlson  <eric.carlson@apple.com>
2011
2012         Reviewed by Adam Roben.
2013
2014         Block callbacks delivered during destruction
2015         https://bugs.webkit.org/show_bug.cgi?id=60291
2016         <rdar://problem/9382942>
2017
2018         No new tests; covered by existing tests.
2019
2020         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.cpp:
2021         (WebCore::MediaPlayerPrivateAVFoundation::~MediaPlayerPrivateAVFoundation): Call 
2022             setIgnoreLoadStateChanges(true) to cancel all callbacks.
2023         (WebCore::MediaPlayerPrivateAVFoundation::updateStates): Return immediately if 
2024             m_ignoreLoadStateChanges is true.
2025         (WebCore::MediaPlayerPrivateAVFoundation::dispatchNotification): loadStateChanged -> updateStates.
2026             Don't call updateStates after calling loadedTimeRangesChanged, it already does it.
2027         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h:
2028
2029 2011-05-25  Andrew Scherkus  <scherkus@chromium.org>
2030
2031         Reviewed by Eric Carlson.
2032
2033         Fix media element regression where ended event stopped firing after changing the src attribute.
2034
2035         https://bugs.webkit.org/show_bug.cgi?id=61336
2036
2037         Test: media/media-ended.html
2038
2039         * html/HTMLMediaElement.cpp:
2040         (WebCore::HTMLMediaElement::prepareForLoad):
2041
2042 2011-05-25  Jer Noble  <jer.noble@apple.com>
2043
2044         Reviewed by Darin Adler.
2045
2046         REGRESSION: Fullscreen button on embedded Vimeo videos does nothing
2047         https://bugs.webkit.org/show_bug.cgi?id=61461
2048
2049         Tests: fullscreen/full-screen-iframe-legacy.html
2050
2051         Allow calls from the legacy full-screen API to bypass the iframe
2052         "webkitallowfullscreen" requirement by adding a parameter to
2053         Document::webkitRequestFullScreenForElement specifying the strictness
2054         of that check. Specify this new parameter everywhere that function is
2055         called, including in the default controls' full-screen button handler.
2056
2057         * dom/Document.cpp:
2058         (WebCore::Document::webkitRequestFullScreenForElement):
2059         * dom/Document.h:
2060         * dom/Element.cpp:
2061         (WebCore::Element::requestFullScreen): Renamed from webkitRequestFullScreen.
2062         * html/HTMLMediaElement.cpp:
2063         (WebCore::HTMLMediaElement::enterFullscreen):
2064         * html/shadow/MediaControlElements.cpp:
2065         (WebCore::MediaControlFullscreenButtonElement::defaultEventHandler):
2066
2067 2011-05-25  Alexis Menard  <alexis.menard@openbossa.org>
2068
2069         Reviewed by Eric Carlson.
2070
2071         [Qt] Enable usage of QuickTime mediaplayer for the Qt port on Mac.
2072         https://bugs.webkit.org/show_bug.cgi?id=61279
2073
2074         Enable the QuickTime backend for the Qt port on Mac. The patch adds the bits in WebCore
2075         to enable the QTKit backend of the Mac port. It can be enabled by passing DEFINES+=USE_QTKIT=1
2076         when calling build-webkit.
2077
2078         * WebCore.pri:
2079         * WebCore.pro:
2080         * features.pri:
2081         * platform/KURL.h:
2082         * platform/SharedBuffer.h:
2083         * platform/cf/KURLCFNet.cpp:
2084         * platform/cf/SharedBufferCF.cpp:
2085         * platform/graphics/FloatSize.h:
2086         * platform/graphics/IntRect.h:
2087         * platform/graphics/IntSize.h:
2088         * platform/graphics/MediaPlayer.cpp:
2089         * platform/graphics/cg/FloatSizeCG.cpp:
2090         * platform/graphics/cg/IntRectCG.cpp:
2091         * platform/graphics/mac/MediaPlayerPrivateQTKit.h:
2092         * platform/graphics/mac/MediaPlayerPrivateQTKit.mm:
2093         (WebCore::MediaPlayerPrivateQTKit::createQTMovieView):
2094         (WebCore::MediaPlayerPrivateQTKit::createQTVideoRenderer):
2095         (WebCore::MediaPlayerPrivateQTKit::createQTMovieLayer):
2096         (WebCore::MediaPlayerPrivateQTKit::preferredRenderingMode):
2097         (WebCore::MediaPlayerPrivateQTKit::paint):
2098         (-[WebCoreMovieObserver layerHostChanged:]):
2099         * platform/mac/KURLMac.mm:
2100         * platform/mac/SharedBufferMac.mm:
2101         (+[WebCoreSharedBufferData initialize]):
2102         * platform/mac/WebCoreObjCExtras.mm:
2103         * platform/qt/WebCoreSystemInterface.h: Added.
2104         * platform/qt/WebCoreSystemInterface.mm: Added.
2105
2106 2011-05-16  Jeremy Noble  <jer.noble@apple.com>
2107
2108         Unreviewed; build fix for non-SnowLeopard builds.
2109
2110         * platform/graphics/mac/MediaPlayerPrivateQTKit.mm: Wrap definition 
2111             of layerIsDescendentOf in a #if check.
2112
2113 2011-05-13  Jer Noble  <jer.noble@apple.com>
2114
2115         Reviewed by Simon Fraser.
2116
2117         Video is blank, controller is misplaced on trailers.apple.com movie in fullscreen (with two screens)
2118         https://bugs.webkit.org/show_bug.cgi?id=60826
2119
2120         Listen for a WebKitLayerHostChanged notification and, if the affected layer is an
2121         ancestor layer of the qtMovieLayer, tear down the layer and recreate it the
2122         next time setVisible(true) is called.
2123
2124         * dom/Document.cpp:
2125         (WebCore::Document::webkitDidEnterFullScreenForElement):  Call setFullScreenRootLayer(0) 
2126             before disabling animation on the full screen renderer.
2127         * platform/graphics/mac/MediaPlayerPrivateQTKit.h:
2128         * platform/graphics/mac/MediaPlayerPrivateQTKit.mm:
2129         (WebCore::MediaPlayerPrivateQTKit::createQTMovie): Register an observer for the new 
2130             WebKitLayerHostChanged notification.
2131         (WebCore::layerIsDescendentOf): Added.
2132         (WebCore::MediaPlayerPrivateQTKit::layerHostChanged): Added.  If the changed
2133             layer is an ancestor of the movie layer, tear down rendering and re-
2134             create the next time setVisible(true) is called.
2135         (-[WebCoreMovieObserver layerHostChanged:]):  Added ObjC listener wrapper.
2136
2137 2011-05-18  Jeremy Noble  <jer.noble@apple.com>
2138
2139         Reviewed by Darin Adler.
2140
2141         Poster is not shown in Safari for video element with no playable source elements.
2142         https://bugs.webkit.org/show_bug.cgi?id=61109
2143
2144         Test: media/video-src-invalid-poster.html
2145
2146         In the case where no video sources are playable, update the display state and 
2147         renderer, allowing the poster image to display.
2148
2149         * html/HTMLMediaElement.cpp:
2150         (WebCore::HTMLMediaElement::waitForSourceChange): 
2151
2152 2011-05-14  Jeremy Noble  <jer.noble@apple.com>
2153
2154         Reviewed by Darin Adler.
2155
2156         Exiting full screen causes <video> element inline controls to become visible
2157         https://bugs.webkit.org/show_bug.cgi?id=60142
2158
2159         Create a queue of elements that must be targeted with webkitfullscreenchange events. Instead of dispatching
2160         a single event with whatever the current value of m_fullScreenElement is (which may have been cleared, or
2161         changed since the timer was asked to fire), dispatch one event for each entry in the queue.
2162
2163         Test: fullscreen/video-controls-override.html
2164
2165         * dom/Document.cpp:
2166         (WebCore::Document::webkitDidEnterFullScreenForElement): Push current full screen element onto the
2167             webkitfullscreenchange event delay queue.
2168         (WebCore::Document::webkitDidExitFullScreenForElement): Ditto.
2169         (WebCore::Document::fullScreenElementRemoved): Ditto.
2170         (WebCore::Document::fullScreenChangeDelayTimerFired): Empty the queue, dispatching a 
2171             webkitfullscreenchange event for each entry.
2172         * dom/Document.h:
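
        Added example, not WebCore code: the stale-target problem the entry above fixes, with a hypothetical Element, a timer that "fires" when fullScreenChangeDelayTimerFired() is called, and dispatch recorded as a list of ids instead of delivered. The queue member name is made up; the method names are the page's.

```cpp
#include <deque>
#include <memory>
#include <string>
#include <vector>

struct Element { std::string id; };

// Pre-fix shape: the delayed timer dispatches to whatever m_fullScreenElement
// holds when it fires, which may already have been cleared or replaced.
class DocumentSingleTarget {
public:
    void webkitDidEnterFullScreenForElement(std::shared_ptr<Element> element)
    {
        m_fullScreenElement = std::move(element);
        m_timerPending = true;
    }
    void webkitDidExitFullScreenForElement()
    {
        m_timerPending = true;
        m_fullScreenElement = nullptr;      // cleared before the timer fires
    }
    // Timer callback; returns the ids that received webkitfullscreenchange.
    std::vector<std::string> fullScreenChangeDelayTimerFired()
    {
        std::vector<std::string> dispatched;
        if (m_timerPending && m_fullScreenElement)
            dispatched.push_back(m_fullScreenElement->id);
        m_timerPending = false;
        return dispatched;
    }
private:
    std::shared_ptr<Element> m_fullScreenElement;
    bool m_timerPending = false;
};

// Post-fix shape: every transition queues its target at the moment it happens;
// the timer drains the queue and dispatches one event per entry.
class DocumentTargetQueue {
public:
    void webkitDidEnterFullScreenForElement(std::shared_ptr<Element> element)
    {
        m_fullScreenElement = element;
        m_fullScreenChangeEventTargetQueue.push_back(std::move(element));
    }
    void webkitDidExitFullScreenForElement()
    {
        m_fullScreenChangeEventTargetQueue.push_back(m_fullScreenElement);
        m_fullScreenElement = nullptr;      // safe: the target is already queued
    }
    std::vector<std::string> fullScreenChangeDelayTimerFired()
    {
        std::vector<std::string> dispatched;
        while (!m_fullScreenChangeEventTargetQueue.empty()) {
            std::shared_ptr<Element> target = m_fullScreenChangeEventTargetQueue.front();
            m_fullScreenChangeEventTargetQueue.pop_front();
            if (target)
                dispatched.push_back(target->id);
        }
        return dispatched;
    }
private:
    std::shared_ptr<Element> m_fullScreenElement;
    std::deque<std::shared_ptr<Element>> m_fullScreenChangeEventTargetQueue;   // hypothetical name
};

// Constructed scenario: a <video> enters and exits full screen before the
// delay timer gets to run; the video should receive two events.
template <typename Document>
std::vector<std::string> enterThenExitBeforeTimerFires()
{
    Document document;
    std::shared_ptr<Element> video = std::make_shared<Element>();
    video->id = "video";
    document.webkitDidEnterFullScreenForElement(video);
    document.webkitDidExitFullScreenForElement();
    return document.fullScreenChangeDelayTimerFired();
}

std::vector<std::string> eventsWithSingleTarget() { return enterThenExitBeforeTimerFires<DocumentSingleTarget>(); }
std::vector<std::string> eventsWithTargetQueue() { return enterThenExitBeforeTimerFires<DocumentTargetQueue>(); }
```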
2173
2174 2011-05-05  Jer Noble  <jer.noble@apple.com>
2175
2176         Reviewed by Maciej Stachowiak.
2177
2178         Removing the full screen element via parent.innerHTML="" does not result in a webkitfullscreenchange event.
2179         https://bugs.webkit.org/show_bug.cgi?id=60278
2180
2181         Handle the removal of a full screen element from within Node::willRemove() instead
2182         of Document::nodeWillBeRemoved().  The new function Document::fullScreenElementWillBeRemoved() will
2183         be called by Node::willRemove() to handle those changes which used to occur in nodeWillBeRemoved().
2184
2185         Test: fullscreen/full-screen-remove-children.html
2186
2187         * dom/Document.cpp:
2188         (WebCore::Document::nodeWillBeRemoved): Removed the code checking for the full screen element.
2189         (WebCore::Document::fullScreenElementWillBeRemoved): Added, moved from nodeWillBeRemoved.
2190         * dom/Document.h:
2191         * dom/Node.cpp:
2192         (WebCore::Node::willRemove): Check to see if this is the current full screen element.
2193
2194 2011-05-04  Philippe Normand  <pnormand@igalia.com>
2195
2196         Reviewed by Martin Robinson.
2197
2198         [Gtk+] deadlock in gstreamer video player when exiting fullscreen
2199         https://bugs.webkit.org/show_bug.cgi?id=58548
2200
2201         Block data flow towards the pipeline branch to remove to avoid
2202         potential deadlocks during the PAUSED->READY transitions of the
2203         elements to remove.
2204
2205         * platform/graphics/gstreamer/GStreamerGWorld.cpp:
2206         (WebCore::GStreamerGWorld::exitFullscreen):
2207
2208 2011-05-11  Eric Carlson  <eric.carlson@apple.com>
2209
2210         Reviewed by Darin Adler.
2211
2212         Video track sometimes fails to draw.
2213         https://bugs.webkit.org/show_bug.cgi?id=60635
2214         <rdar://problem/9281951>
2215
2216         No new tests, covered by existing pixel tests.
2217
2218         * html/HTMLMediaElement.cpp:
2219         (WebCore::HTMLMediaElement::loadResource): Set display mode to "Unknown" to force a 
2220             recalculation, and media engine notification, the next time the state machine runs.
2221
2222 2011-05-05  Eric Carlson  <eric.carlson@apple.com>
2223
2224         Reviewed by Adam Roben.
2225
2226         The preload attribute of the video tag is not completely implemented
2227         https://bugs.webkit.org/show_bug.cgi?id=43673
2228         <rdar://problem/9369746>
2229
2230         This change implements "preload=metadata" for the AVFoundation backend.
2231         Tested manually with manual-tests/media-elements/video-preload.html.
2232
2233         * html/HTMLMediaElement.cpp:
2234         (WebCore::HTMLMediaElement::HTMLMediaElement): Initialize m_havePreparedToPlay.
2235         (WebCore::HTMLMediaElement::prepareForLoad): Ditto.
2236         (WebCore::HTMLMediaElement::prepareToPlay): New, tell player to prepare to play.
2237         (WebCore::HTMLMediaElement::seek): Call prepareToPlay when preload is less than 'auto'
2238             because we need to have media data loaded to seek.
2239         (WebCore::HTMLMediaElement::updatePlayState): Call prepareToPlay.
2240         * html/HTMLMediaElement.h:
2241
2242         * manual-tests/media-elements/video-preload.html: Make changing urls work. 
2243
2244         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.cpp:
2245         (WebCore::MediaPlayerPrivateAVFoundation::MediaPlayerPrivateAVFoundation):  Remove 
2246             m_videoFrameHasDrawn and m_delayingLoad as they are no longer used.
2247         (WebCore::MediaPlayerPrivateAVFoundation::resumeLoad): Removed.
2248         (WebCore::MediaPlayerPrivateAVFoundation::load): Don't initialize m_videoFrameHasDrawn. 
2249             Move all preload logic to setPreload, call it from here.
2250         (WebCore::MediaPlayerPrivateAVFoundation::prepareToPlay): Move all preload logic to 
2251             setPreload, call it.
2252         (WebCore::MediaPlayerPrivateAVFoundation::duration): Don't cache duration = 0, it is
2253             unlikely to be correct and isn't worth caching. Use invalidTime() function.
2254         (WebCore::MediaPlayerPrivateAVFoundation::seeking): Use invalidTime() function.
2255         (WebCore::MediaPlayerPrivateAVFoundation::setNaturalSize): Add logging.
2256         (WebCore::MediaPlayerPrivateAVFoundation::updateStates): Update for name change AVAssetStatus
2257             to AssetStatus. Always create a AVPlayerItem for live streams because they can't be inspected
2258             without one. Set networkState to 'idle' when the playback buffer is full because that is
2259             a signal that AVFoundation won't do any more IO. Set readyState to 'HAVE_CURRENT_DATA' 
2260             when the first frame is available.
2261         (WebCore::MediaPlayerPrivateAVFoundation::metadataLoaded): Call tracksChanged so we cache
2262             width, height, hasVideo, etc.
2263         (WebCore::MediaPlayerPrivateAVFoundation::loadedTimeRangesChanged): Use invalidTime() function.
2264         (WebCore::MediaPlayerPrivateAVFoundation::timeChanged): Ditto.
2265         (WebCore::MediaPlayerPrivateAVFoundation::seekCompleted): Ditto.
2266         (WebCore::MediaPlayerPrivateAVFoundation::repaint): Don't set m_videoFrameHasDrawn, it is done
2267             in derived classes.
2268         (WebCore::MediaPlayerPrivateAVFoundation::setPreload): Centralize all logic about when to create
2269             AVAsset and AVPlayerItem here.
2270         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundation.h:
2271
2272         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundationObjC.h:
2273         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundationObjC.mm:
2274         (WebCore::MediaPlayerPrivateAVFoundationObjC::MediaPlayerPrivateAVFoundationObjC): Initialize
2275             m_videoFrameHasDrawn.
2276         (WebCore::MediaPlayerPrivateAVFoundationObjC::hasAvailableVideoFrame): New, renamed from
2277             videoLayerIsReadyToDisplay. Return true if we have a layer with frames available or
2278             if we have painted a frame to the context.
2279         (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVAssetForURL): New, create the AVAsset
2280             if necessary.
2281         (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVAssetForCacheResource): Ditto.
2282         (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVPlayer): Restructure logic.
2283         (WebCore::MediaPlayerPrivateAVFoundationObjC::createAVPlayerItem): New, create AVPlayerItem.
2284         (WebCore::MediaPlayerPrivateAVFoundationObjC::beginLoadingMetadata): Correct logging.
2285         (WebCore::MediaPlayerPrivateAVFoundationObjC::playerItemStatus): Return "buffer full" when
2286             the buffer is full.
2287         (WebCore::MediaPlayerPrivateAVFoundationObjC::platformDuration): Get the duration from the
2288             AVAsset when we haven't allocated the AVPlayerItem yet so that we can return duration
2289             when we only have metadata.
2290         (WebCore::MediaPlayerPrivateAVFoundationObjC::assetStatus): Update for name change.
2291         (WebCore::MediaPlayerPrivateAVFoundationObjC::paint): Set m_videoFrameHasDrawn.
2292         (WebCore::MediaPlayerPrivateAVFoundationObjC::tracksChanged): Get attributes from AVAsset
2293             when we haven't allocated the AVPlayerItem yet so that we can report attributes
2294             when we only have metadata.
2295         (WebCore::MediaPlayerPrivateAVFoundationObjC::sizeChanged): Guard against being called before
2296             we have allocated the AVPlayerItem.
2297
2298 2011-06-03  Doreen Jiang  <doreen.jiang@nokia.com>
2299
2300         Reviewed by Benjamin Poulain.
2301
2302         [Qt] The minimum size of the select menu list is incorrect for qtwebkit
2303         https://bugs.webkit.org/show_bug.cgi?id=56752
2304
2305         The minimum width of the select-box is calculated to be as small as possible
2306         instead of a hardcoded value (width of 7 characters) in the minimumMenuListSize() function.
2307         This will avoid overlapping the select lists in popular websites.
2308
2309         Test: fast/forms/selectlist-minsize.html
2310
2311         * platform/qt/RenderThemeQt.cpp:
2312         (WebCore::RenderThemeQt::minimumMenuListSize):
2313
2314 2011-06-02  Ryosuke Niwa  <rniwa@webkit.org>
2315
2316         Reviewed by Eric Seidel.
2317
2318         REGRESSION: inline style is lost when deleting line break between paragraphs with same style
2319         https://bugs.webkit.org/show_bug.cgi?id=61899
2320
2321         The bug was caused by ReplaceSelectionCommand::doApply's calling handleStyleSpansBeforeInsertion
2322         before insertionPos is adjusted by positionAvoidingPrecedingNodes and positionOutsideTabSpan.
2323
2324         Fixed the bug by calling handleStyleSpansBeforeInsertion after the calls to these two functions.
2325
2326         Test: editing/deleting/delete-line-break-between-paragraphs-with-same-style.html
2327
2328         * editing/ReplaceSelectionCommand.cpp:
2329         (WebCore::ReplaceSelectionCommand::doApply):
2330
2331 2011-06-01  Ryosuke Niwa  <rniwa@webkit.org>
2332
2333         Reviewed by Simon Fraser.
2334
2335         REGRESSION: Text selection broken for text with line-height applied
2336         https://bugs.webkit.org/show_bug.cgi?id=54929
2337
2338         The bug was caused by RenderText::positionForPoint's not considering the case where a point is
2339         above selectionTop and below lineTop of the first root inline box. Fixed the bug by considering
2340         any point between selectionTop and lineTop to be inside a root inline box. This condition is
2341         consistent with the condition we use to determine the bottom of a line.
2342
2343         Test: editing/selection/hit-test-on-text-with-line-height.html
2344
2345         * rendering/RenderBlock.cpp:
2346         (WebCore::RenderBlock::positionForPointWithInlineChildren): Fixed a condition to determine whether
2347         or not a point is above the first root line box. We need to check both selectionTop and logicalTop
2348         for the same reason explained above.
2349         * rendering/RenderText.cpp:
2350         (WebCore::RenderText::positionForPoint): See above.
2351
2352 2011-06-02  Andreas Kling  <kling@webkit.org>
2353
2354         Rubber-stamped by Simon Hausmann.
2355
2356         Remove Qt's precompiled header hack as it was broken, and was not even
2357         used unless building WebKit inside a Qt tree.
2358
2359         * WebCore.pri:
2360
2361 2011-06-01  David Carson  <dacarson@apple.com>
2362
2363         Reviewed by Antti Koivisto.
2364
2365         https://bugs.webkit.org/show_bug.cgi?id=61831
2366         If width and height of an iframe is fixed and should not be visible, then
2367         it shouldn't be flattened.
2368
2369         Test: fast/frames/flattening/iframe-flattening-fixed-width-and-height-zero-size.html
2370
2371         * rendering/RenderIFrame.cpp:
2372         (WebCore::RenderIFrame::flattenFrame): add a check for a zero width or height
2373
2374 2011-06-02  Aparna Nandyal  <aparna.nand@wipro.com>
2375
2376         Reviewed by Andreas Kling.
2377
2378         [Qt] Multiple drop events when doing DnD of images.
2379         https://bugs.webkit.org/show_bug.cgi?id=61504
2380
2381         Duplicate entries of the url were getting added into drag data
2382         which is removed. The duplicate entries were causing the same image
2383         url to be copied twice. The code changes now match other webkit ports.
2384
2385         * platform/qt/ClipboardQt.cpp:
2386         (WebCore::ClipboardQt::declareAndWriteDragImage):
2387
2388 2011-05-31  Rafael Brandao  <rafael.lobo@openbossa.org>
2389
2390         Reviewed by Andreas Kling.
2391
2392         [Qt] tst_QWebFrame::render() failing
2393         https://bugs.webkit.org/show_bug.cgi?id=60893
2394
2395         Due to a problem on QPicture (http://bugreports.qt.nokia.com/browse/QTBUG-19496),
2396         this test was calculating the final geometry incorrectly. As the order between
2397         a translate and a draw operation could be relevant for it, but not for the
2398         final rendered result, they were changed on ScrollbarThemeQt::paint.
2399
2400         * platform/qt/ScrollbarThemeQt.cpp:
2401         (WebCore::ScrollbarThemeQt::paint):
2402
2403 2011-05-31  B.J. Wever  <skylined@chromium.org>
2404
2405         Reviewed by Adam Barth.
2406
2407         requestFileSystem and resolveLocalFileSystemURI are not checking if
2408         errorCallback is NULL before scheduling a callback on error.
2409         https://bugs.webkit.org/show_bug.cgi?id=49539
2410
2411         Test: fast/filesystem/filesystem-no-callback-null-ptr-crash.html
2412
2413         * fileapi/DOMFileSystem.cpp:
2414         (WebCore::DOMFileSystem::scheduleCallback): Only call callback if
2415           one is supplied.
2416
2417 2011-05-31  Abhishek Arya  <inferno@chromium.org>
2418
2419         Reviewed by Dimitri Glazkov.
2420
2421         Convert raw ptr to RefPtr for documentElement.
2422         https://bugs.webkit.org/show_bug.cgi?id=61688
2423
2424         Test: fast/dom/xml-parser-error-message-crash.svg
2425
2426         * dom/XMLDocumentParser.cpp:
2427         (WebCore::XMLDocumentParser::insertErrorMessageBlock):
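
        Added example, not WebCore code: why the entry above holds documentElement in a RefPtr. std::shared_ptr stands in for RefPtr, a std::function stands in for whatever DOM mutation code ran during the insert, and the std::weak_ptr is only a probe so the result can show whether the element survived; the Document and Element classes are hypothetical.

```cpp
#include <functional>
#include <memory>
#include <string>

struct Element {
    std::string tag;
    std::string errorText;
};

class Document {
public:
    void setDocumentElement(std::shared_ptr<Element> e) { m_documentElement = std::move(e); }
    Element* documentElementRaw() const { return m_documentElement.get(); }   // pre-fix accessor
    std::shared_ptr<Element> documentElement() const { return m_documentElement; }
    void removeChildren() { m_documentElement.reset(); }   // drops the document's reference
private:
    std::shared_ptr<Element> m_documentElement;
};

using MutationListener = std::function<void(Document&)>;

// Pre-fix shape: a raw pointer is taken, then DOM mutation runs arbitrary code.
// Returns true when the element is still alive after the listener ran; false
// means `documentElement` now dangles and the final write would be a
// use-after-free, so it is skipped here instead of performed.
bool insertErrorMessageBlockRawPtr(Document& doc, const MutationListener& onMutation, const std::string& message)
{
    Element* documentElement = doc.documentElementRaw();
    std::weak_ptr<Element> probe = doc.documentElement();   // observer only
    onMutation(doc);                 // e.g. a listener clearing the document
    if (probe.expired())
        return false;                // documentElement dangles
    documentElement->errorText = message;
    return true;
}

// Post-fix shape: the RefPtr keeps the element alive for the whole function,
// whatever the mutation listener does to the document.
bool insertErrorMessageBlockRefPtr(Document& doc, const MutationListener& onMutation, const std::string& message)
{
    std::shared_ptr<Element> documentElement = doc.documentElement();
    if (!documentElement)
        return false;
    onMutation(doc);                 // may drop the document's reference, not ours
    documentElement->errorText = message;
    return true;
}

// Constructed scenario: the mutation listener tears the document down while
// the error block is being inserted.
bool elementSurvivesInsert(bool useRefPtr)
{
    Document doc;
    doc.setDocumentElement(std::make_shared<Element>(Element{"svg", ""}));
    MutationListener tearDown = [](Document& d) { d.removeChildren(); };
    return useRefPtr ? insertErrorMessageBlockRefPtr(doc, tearDown, "XML parse error")
                     : insertErrorMessageBlockRawPtr(doc, tearDown, "XML parse error");
}
```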
2428
2429 2011-05-31  Yael Aharon  <yael.aharon@nokia.com>
2430
2431         Reviewed by Kenneth Rohde Christiansen.
2432
2433         Frame flattening is broken with nested frames
2434         https://bugs.webkit.org/show_bug.cgi?id=61491
2435
2436         After r77988, when frame flattening is enabled, performPostLayoutTasks() is called on a timer for iframes.
2437         This causes layout of nested iframes to sometimes happen asynchronously, but WebCore expects layout to always finish synchronously.
2438         Added a call to updateWidgetPosition() for cases that performPostLayoutTasks() is now happening asynchronously.
2439
2440         Test: fast/frames/flattening/iframe-flattening-nested.html
2441
2442         * page/FrameView.cpp:
2443         (WebCore::FrameView::layout):
2444
2445 2011-05-13  Adam Roben  <aroben@apple.com>
2446
2447         Build fix after r86418
2448
2449         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundationObjC.h:
2450         Made the destructor public so that this class can be used with
2451         [Pass]OwnPtr.
2452
2453 2011-05-13  Patrick Gansterer  <paroga@webkit.org>
2454
2455         Reviewed by Adam Barth.
2456
2457         Enable OwnPtr strict mode in MediaPlayer
2458         https://bugs.webkit.org/show_bug.cgi?id=59466
2459
2460         Let the CreateMediaEnginePlayer function return a PassOwnPtr instead of a raw pointer.
2461         Also fix the template argument of OwnPtr for the m_private member variable.
2462
2463         * platform/graphics/MediaPlayer.cpp:
2464         (WebCore::MediaPlayer::MediaPlayer):
2465         (WebCore::MediaPlayer::loadWithNextMediaEngine):
2466         * platform/graphics/MediaPlayer.h:
2467         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundationObjC.h:
2468         * platform/graphics/avfoundation/MediaPlayerPrivateAVFoundationObjC.mm:
2469         (WebCore::MediaPlayerPrivateAVFoundationObjC::create):
2470         * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
2471         (WebCore::MediaPlayerPrivateGStreamer::create):
2472         * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h:
2473         * platform/graphics/mac/MediaPlayerPrivateQTKit.h:
2474         * platform/graphics/mac/MediaPlayerPrivateQTKit.mm:
2475         (WebCore::MediaPlayerPrivateQTKit::create):
2476         * platform/graphics/qt/MediaPlayerPrivatePhonon.cpp:
2477         (WebCore::MediaPlayerPrivatePhonon::create):
2478         * platform/graphics/qt/MediaPlayerPrivatePhonon.h:
2479         * platform/graphics/qt/MediaPlayerPrivateQt.cpp:
2480         (WebCore::MediaPlayerPrivateQt::create):
2481         * platform/graphics/qt/MediaPlayerPrivateQt.h:
2482         * platform/graphics/win/MediaPlayerPrivateQuickTimeVisualContext.cpp:
2483         (WebCore::MediaPlayerPrivateQuickTimeVisualContext::create):
2484         * platform/graphics/win/MediaPlayerPrivateQuickTimeVisualContext.h:
2485         * platform/graphics/win/MediaPlayerPrivateQuickTimeWin.cpp:
2486         (WebCore::MediaPlayerPrivate::create):
2487         * platform/graphics/win/MediaPlayerPrivateQuickTimeWin.h:
2488         * platform/graphics/wince/MediaPlayerPrivateWinCE.h:
2489
2490 2011-05-12  Maciej Stachowiak  <mjs@apple.com>
2491
2492         Reviewed by Darin Adler.
2493
2494         XMLDocumentParserLibxml2 should play nice with strict OwnPtrs
2495         https://bugs.webkit.org/show_bug.cgi?id=59394
2496
2497         Properly fix this (formerly rolled out for breaking the build). I think the original
2498         failure had nothing to do with Deque<OwnPtr>, which in fact appears to work fine.
2499
2500         * dom/XMLDocumentParserLibxml2.cpp:
2501         (WebCore::PendingCallbacks::~PendingCallbacks):
2502         (WebCore::PendingCallbacks::create):
2503         (WebCore::PendingCallbacks::appendStartElementNSCallback):
2504         (WebCore::PendingCallbacks::appendEndElementNSCallback):
2505         (WebCore::PendingCallbacks::appendCharactersCallback):
2506         (WebCore::PendingCallbacks::appendProcessingInstructionCallback):
2507         (WebCore::PendingCallbacks::appendCDATABlockCallback):
2508         (WebCore::PendingCallbacks::appendCommentCallback):
2509         (WebCore::PendingCallbacks::appendInternalSubsetCallback):
2510         (WebCore::PendingCallbacks::appendErrorCallback):
2511         (WebCore::PendingCallbacks::PendingCallbacks):
2512         (WebCore::XMLDocumentParser::XMLDocumentParser):
2513
2514 2011-05-31  Oleg Romashin  <oleg.romashin@nokia.com>
2515
2516         Reviewed by Benjamin Poulain.
2517
2518         Fix compilation with debug enabled, m_lightSource.type is not valid anymore
2519         https://bugs.webkit.org/show_bug.cgi?id=61719
2520
2521         * platform/graphics/filters/arm/FELightingNEON.h:
2522         (WebCore::FELighting::platformApplyNeon):
2523
2524 2011-05-12  Daniel Bates  <dbates@rim.com>
2525
2526         Attempt to fix the build after changeset 86391 <http://trac.webkit.org/changeset/86391>
2527         (https://bugs.webkit.org/show_bug.cgi?id=60681).
2528
2529         * page/PluginHalter.cpp:
2530         (WebCore::PluginHalter::PluginHalter): Substitute m_client for client in ASSERT_ARG since client is now of type PassOwnPtr
2531         so it becomes 0 when assigned to another variable.
2532
2533 2011-05-12  Patrick Gansterer  <paroga@webkit.org>
2534
2535         Reviewed by Adam Barth.
2536
2537         Enable OwnPtr strict mode in PluginHalter
2538         https://bugs.webkit.org/show_bug.cgi?id=60681
2539
2540         Pass PluginHalterClient as (Pass)OwnPtr to Page and PluginHalter.
2541
2542         * WebCore.exp.in:
2543         * page/Page.cpp:
2544         (WebCore::Page::Page):
2545         (WebCore::Page::PageClients::PageClients):
2546         * page/Page.h:
2547         * page/PluginHalter.cpp:
2548         (WebCore::PluginHalter::PluginHalter):
2549         * page/PluginHalter.h:
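
        Added example, not WebCore code: the ownership-transfer pitfall behind the strict-OwnPtr change above and the PluginHalter build fix in the previous entry. std::unique_ptr stands in for PassOwnPtr/OwnPtr; PluginHalterClient is the page's name, while its body and the two Halter classes are hypothetical.

```cpp
#include <memory>
#include <utility>

class PluginHalterClient {
public:
    virtual ~PluginHalterClient() = default;
    virtual bool enabled() const = 0;
};

class AlwaysEnabledClient : public PluginHalterClient {
public:
    bool enabled() const override { return true; }
};

// Pre-fix shape: the argument is checked *after* ownership has moved into the
// member. A PassOwnPtr, like a moved-from unique_ptr, is null by then, so an
// ASSERT_ARG(client, client) fires even though the caller passed a valid client.
// The outcome is recorded instead of asserted so the scenario can return it.
class HalterCheckingArgument {
public:
    explicit HalterCheckingArgument(std::unique_ptr<PluginHalterClient> client)
        : m_client(std::move(client))
        , m_argumentSeenNonNull(client != nullptr)   // always false: already transferred
    {
    }
    bool argumentSeenNonNull() const { return m_argumentSeenNonNull; }
    bool hasClient() const { return m_client != nullptr; }
private:
    std::unique_ptr<PluginHalterClient> m_client;   // initialised first: declared first
    bool m_argumentSeenNonNull;
};

// Post-fix shape: validate what you now own (m_client), not the hollow argument.
class HalterCheckingMember {
public:
    explicit HalterCheckingMember(std::unique_ptr<PluginHalterClient> client)
        : m_client(std::move(client))
        , m_memberSeenNonNull(m_client != nullptr)   // the check ASSERT_ARG should make
    {
    }
    bool memberSeenNonNull() const { return m_memberSeenNonNull; }
    bool clientEnabled() const { return m_client && m_client->enabled(); }
private:
    std::unique_ptr<PluginHalterClient> m_client;
    bool m_memberSeenNonNull;
};

// Both constructors receive a valid client; only the member check can see it.
bool argumentCheckSeesClient()
{
    HalterCheckingArgument halter(std::unique_ptr<PluginHalterClient>(new AlwaysEnabledClient));
    return halter.argumentSeenNonNull();   // false, although halter.hasClient() is true
}

bool memberCheckSeesClient()
{
    HalterCheckingMember halter(std::unique_ptr<PluginHalterClient>(new AlwaysEnabledClient));
    return halter.memberSeenNonNull() && halter.clientEnabled();   // true
}
```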
2550
2551 2011-05-28  Alexey Proskuryakov  <ap@apple.com>
2552
2553         Suggested by Simon Fraser.
2554
2555         REGRESSION (r85375): Load event is sometimes lost when multiple image elements use the same URL
2556         https://bugs.webkit.org/show_bug.cgi?id=61692
2557         <rdar://problem/9488628>
2558
2559         * loader/ImageLoader.cpp: (WebCore::ImageLoader::notifyFinished): There was no need to use
2560         ASSERT_UNUSED here.
2561
2562 2011-05-28  Alexey Proskuryakov  <ap@apple.com>
2563
2564         Reviewed by Geoff Garen.
2565
2566         REGRESSION (r85375): Load event is sometimes lost when multiple image elements use the same URL
2567         https://bugs.webkit.org/show_bug.cgi?id=61692
2568         <rdar://problem/9488628>
2569
2570         Test: fast/dom/gc-image-element-2.html
2571
2572         Manually verified that tests from bug 59604 and from bug 40926 still pass.
2573
2574         The problem here was that HTMLImageElement::hasPendingActivity() could return false when
2575         a load (or error) event was still expected to fire.
2576
2577         * loader/cache/CachedResource.cpp:
2578         (WebCore::CachedResource::setRequest):
2579         * loader/cache/CachedResource.h:
2580         (WebCore::CachedResource::wasCanceled):
2581         (WebCore::CachedResource::errorOccurred):
2582         Track whether the load was canceled. We want to always notify clients of load outcome,
2583         as that's the only way they could make intelligent decisions.
2584
2585         * dom/ScriptElement.cpp: (WebCore::ScriptElement::execute): Cached resource clients now
2586         get a notifyFinished call on cancellation. Handle this case, where we don't need to
2587         execute the script, but also don't need to fire an error event.
2588
2589         * html/HTMLImageElement.cpp: Moved hasPendingActivity() to header, since it's just a single
2590         function call now.
2591
2592         * html/HTMLImageElement.h: (WebCore::HTMLImageElement::hasPendingActivity): There is a large
2593         window between when CachedResource::isLoading() becomes false and events are queued.
2594         ImageLoader::haveFiredLoadEvent() is a much better indication of whether we are expecting
2595         an event to fire.
2596
2597         * html/HTMLLinkElement.cpp: (WebCore::HTMLLinkElement::onloadTimerFired): Again, don't do
2598         anything on cancellation.
2599
2600         * loader/ImageLoader.cpp:
2601         (WebCore::ImageEventSender::hasPendingEvents): Made it debug-only again, and fixed to
2602         give an accurate result while looping over the list of events to dispatch.
2603         (WebCore::ImageLoader::notifyFinished): Don't do anything when cancelled. We don't want to
2604         switch to a broken image icon, or to dispatch events.
2605         (WebCore::ImageEventSender::dispatchPendingEvents): Clear the current loader from dispatching
2606         list, as the event is no longer pending when it's being dispatched.
2607
2608         * loader/ImageLoader.h: Removed unnecessary hasPendingLoadEvent(). We don't care whether one
2609         is already pending, we only care if one is expected at some time in the future, and
2610         !haveFiredLoadEvent() is our best idea of that.
2611
2612         * dom/XMLDocumentParser.cpp: (WebCore::XMLDocumentParser::notifyFinished): Another place to
2613         handle cancellation.
2614
2615 2011-05-23  Syed Idris Shah  <syed.idris-shah@nokia.com>
2616
2617         Reviewed by Andreas Kling.
2618
2619         GraphicsContext3DInternal object should be called for getAttachedShaders.
2620         [Qt] fast/canvas/webgl/gl-object-get-calls.html crash for Qt based webkit
2621         https://bugs.webkit.org/show_bug.cgi?id=61202 
2622
2623         LayoutTests/fast/canvas/webgl/gl-object-get-calls.html
2624
2625         getAttachedShaders should be called on GraphicsContext3DInternal instance.
2626         It was left out by mistake.
2627
2628         * platform/graphics/qt/GraphicsContext3DQt.cpp: 
2629         (WebCore::GraphicsContext3D::getAttachedShaders): GraphicsContext3DInternal instance should be called.
2630
2631 2011-05-26  MORITA Hajime  <morrita@google.com>
2632
2633         Reviewed by Kent Tamura.
2634
2635         WebCore::HTMLSummaryElement::isMainSummary ReadAV@NULL
2636         https://bugs.webkit.org/show_bug.cgi?id=61511
2637
2638         Removed unnecessary wrong cast to Element, which can be a non-Element.
2639
2640         Test: fast/html/details-summary-document-child.html
2641
2642         * html/HTMLSummaryElement.cpp:
2643         (WebCore::HTMLSummaryElement::detailsElement):
2644
2645 2011-05-26  Shane Stephens  <shanestephens@google.com>
2646
2647         Reviewed by James Robinson.
2648
2649         REGRESSION (r81992): layout triggered by position update fails to apply when transform is updated at same time
2650         https://bugs.webkit.org/show_bug.cgi?id=60689
2651
2652         When a transform is modified in a style, we were upgrading our understanding
2653         of the difference from PositionedMovementOnly to SimplifiedLayout.  However,
2654         if the position of the style is independently changed at the same time, both
2655         PositionedMovement and SimplifiedLayout passes are required.
2656
2657         Test: transforms/2d/set-transform-and-top.html
2658
2659         * rendering/RenderObject.cpp:
2660         Added checks for SimplifiedLayoutAndPositionedMovement - when encountered,
2661         set both PositionedMovement and SimplifiedLayout update flags.
2662         * rendering/style/RenderStyleConstants.h:
2663         Added a new StyleDifference enum value (SimplifiedLayoutAndPositionedMovement) for
2664         cases when both PositionedMovement and SimplifiedLayout are required.
2665
2666 2011-05-26  Syed Idris Shah  <syed.idris-shah@nokia.com>
2667
2668         Reviewed by Andreas Kling.
2669
2670         [Qt] fast/canvas/webgl/gl-uniform-arrays.html failing for Qt on Linux
2671         https://bugs.webkit.org/show_bug.cgi?id=60377 
2672
2673         LayoutTests/fast/canvas/webgl/gl-uniform-arrays.html
2674
2675         For an array of active uniform, we should be careful while truncating the name of the uniform. 
2676         Currently we are truncating the last three characters of an array without checking for [0].
2677         As a result we are truncating the actual name of the active uniforms, i.e. color to co.
2678
2679         * html/canvas/WebGLRenderingContext.cpp:
2680         (WebCore::WebGLRenderingContext::getUniform): Strip "[0]" from the name if it's an array and is part of the name.
2681
2682 2011-05-24  Syed Idris Shah  <syed.idris-shah@nokia.com>
2683
2684         Reviewed by Andreas Kling.
2685
2686         [Qt] fast/canvas/webgl/gl-uniform-arrays.html failing for Qt on Linux
2687         https://bugs.webkit.org/show_bug.cgi?id=60377 
2688
2689         LayoutTests/fast/canvas/webgl/gl-uniform-arrays.html
2690
2691         We do not need an assert for useProgram as the program can be null.
2692
2693         * platform/graphics/qt/GraphicsContext3DQt.cpp:
2694         (WebCore::GraphicsContext3D::useProgram): Program can be null. Removing assert.
2695
2696 2011-05-26  Sheriff Bot  <webkit.review.bot@gmail.com>
2697
2698         Unreviewed, rolling out r87368.
2699         http://trac.webkit.org/changeset/87368
2700         https://bugs.webkit.org/show_bug.cgi?id=61564
2701
2702         Wrong approach, will do the wrong thing if the element needs
2703         simplified normal flow layout but is not positioned (Requested
2704         by jamesr on #webkit).
2705
2706         * rendering/RenderObject.h:
2707         (WebCore::RenderObject::needsPositionedMovementLayout):
2708
2709 2011-05-20  Abhishek Arya  <inferno@chromium.org>
2710
2711         Reviewed by Kent Tamura.
2712
2713         Make auto-focus a post attach callback in
2714         HTMLFormControlElement::attach().
2715         https://bugs.webkit.org/show_bug.cgi?id=32882
2716
2717         Original patch by Darin Adler. This one uses a part of it.
2718         
2719         Test: fast/forms/input-element-attach-crash.html
2720
2721         * dom/Document.cpp:
2722         (WebCore::Document::recalcStyle): Make sure that m_inStyleRecalc is
2723         already false by the time post-attach callbacks are done so that
2724         layout triggered inside those callbacks can work properly.
2725         * html/HTMLFormControlElement.cpp:
2726         (WebCore::shouldAutofocus): Helper function that expresses
2727         the rule for which form control elements should auto-focus.
2728         (WebCore::focusPostAttach): Called post-attach to focus an
2729         element if we discover it should be focused during attach.
2730         (WebCore::HTMLFormControlElement::attach): Refactored code for
2731         which elements need auto-focus into a separate function. Instead
2732         of focusing right away, use the focusPostAttach function to focus
2733         after attach is done. Also added calls to suspendPostAttachCallbacks
2734         and resumePostAttachCallbacks so post-attach callbacks happen late
2735         enough. Before, they could run inside the base attach function.
2736         * html/HTMLInputElement.cpp:
2737         (WebCore::HTMLInputElement::attach): Added calls to
2738         suspendPostAttachCallbacks and resumePostAttachCallbacks so
2739         post-attach callbacks happen late enough
2740
2741 2011-05-18  Rob Buis  <rbuis@rim.com>
2742
2743         Reviewed by Nikolas Zimmermann.
2744
2745         NULL deref when SVG elements have table styles 
2746         https://bugs.webkit.org/show_bug.cgi?id=45561
2747
2748         Restrict computed CSS values for SVG display property to block, inline or none.
2749
2750         Tests: svg/custom/display-table-caption-foreignObject.svg
2751                svg/custom/display-table-caption-inherit-foreignObject.xhtml
2752                svg/custom/display-table-caption-inherit-text.xhtml
2753                svg/custom/display-table-caption-text.svg
2754
2755         * css/CSSStyleSelector.cpp:
2756         (WebCore::SVGDisplayPropertyGuard::SVGDisplayPropertyGuard):
2757         (WebCore::SVGDisplayPropertyGuard::~SVGDisplayPropertyGuard):
2758         (WebCore::isAcceptableForSVGElement):
2759         (WebCore::CSSStyleSelector::applyProperty):
2760
2761 2011-05-17  Cris Neckar  <cdn@chromium.org>
2762
2763         Reviewed by Adam Barth.
2764
2765         Clear the image from ImageLoader rather than clearing the ImageLoader in HTMLObjectElement::renderFallbackContent.
2766         https://bugs.webkit.org/show_bug.cgi?id=61005
2767
2768         Test: http/tests/loading/nested_bad_objects.php
2769
2770         * html/HTMLObjectElement.cpp:
2771         (WebCore::HTMLObjectElement::renderFallbackContent):
2772
2773 2011-05-10  MORITA Hajime  <morrita@google.com>
2774
2775         Reviewed by Kent Tamura.
2776
2777         Crashes if the document inside iframe is removed during pasting some text into it.
2778         https://bugs.webkit.org/show_bug.cgi?id=60534
2779
2780         Added missing null check.
2781         
2782         Test: editing/pasteboard/paste-removing-iframe.html
2783
2784         * editing/Editor.cpp:
2785         (WebCore::Editor::shouldChangeSelection):
2786
2787 2011-05-11  Sam Weinig  <sam@webkit.org>
2788
2789         Reviewed by Eric Seidel.
2790
2791         Frequent crashes beneath WebCore::ScriptElement::prepareScript
2792         https://bugs.webkit.org/show_bug.cgi?id=60559
2793
2794         * html/parser/HTMLScriptRunner.cpp:
2795         (WebCore::HTMLScriptRunner::runScript):
2796         Add null check and explanation that we are keeping the ASSERT to help
2797         track down the cause and produce a test.
2798
2799 2011-05-08  Dan Bernstein  <mitz@apple.com>
2800
2801         Reviewed by Darin Adler.
2802
2803         <rdar://problem/9401853> REGRESSION (r78846): Insufficient expansion for justification when there are multiple inline boxes
2804         https://bugs.webkit.org/show_bug.cgi?id=60432
2805
2806         * rendering/InlineTextBox.h:
2807         (WebCore::InlineTextBox::setExpansion): Changed back to take a int, since the m_expansion member
2808         variable is a (truncated) int anyway.
2809         * rendering/RenderBlockLineLayout.cpp:
2810         (WebCore::computeExpansionForJustifiedText): Changed the expansion local variable into an int
2811         so that the right amount is added to the total width. Also changed to use an early return.
2812
2813 2011-05-06  Jon Lee  <jonlee@apple.com>
2814
2815         Reviewed by Alice Liu.
2816
2817         Crash when sending a wheel event to a node with no shadow ancestor node
2818         https://bugs.webkit.org/show_bug.cgi?id=60429
2819         <rdar://problem/9389619>
2820
2821         * page/EventHandler.cpp:
2822         (WebCore::EventHandler::handleWheelEvent): Add a check to see if the shadow ancestor node of the node that was under the mouse exists before trying to dispatch the wheel event to it.
2823
2824 2011-05-25  Simon Fraser  <simon.fraser@apple.com>
2825
2826         Reviewed by Dan Bernstein.
2827
2828         Always antialias borders, outlines and rules when scaling
2829         https://bugs.webkit.org/show_bug.cgi?id=61502
2830         
2831         r84273 changed the behavior of drawLineForBoxSide() to never antialias by default.
2832         This actually disabled antialiasing in some circumstances where it used to be enabled,
2833         for example collapsed table border drawing.
2834         
2835         Fix by allowing antialiasing for collapsed table borders, column rules and span
2836         outlines when the context is scaled.
2837
2838         Test: fast/borders/border-antialiasing.html
2839
2840         * rendering/RenderBlock.cpp:
2841         (WebCore::RenderBlock::paintColumnRules):
2842         * rendering/RenderInline.cpp:
2843         (WebCore::RenderInline::paintOutline):
2844         (WebCore::RenderInline::paintOutlineForLine):
2845         * rendering/RenderTableCell.cpp:
2846         (WebCore::RenderTableCell::paintCollapsedBorder):
2847
2848 2011-05-26  Igor Oliveira  <igor.oliveira@openbossa.org>
2849
2850         Reviewed by Andreas Kling.
2851
2852         drag-not-loaded-image.html test crashes when WebKit is built with debug option
2853         https://bugs.webkit.org/show_bug.cgi?id=61480
2854
2855         Checks if image has content before starting to drag.
2856
2857         * page/DragController.cpp:
2858         (WebCore::DragController::startDrag):
2859
2860 2011-05-25  Igor Oliveira  <igor.oliveira@openbossa.org>
2861
2862         Reviewed by Antonio Gomes.
2863
2864         [Qt] QtWebKit crashes when dragging not loaded images
2865         https://bugs.webkit.org/show_bug.cgi?id=61314
2866
2867         Checks if nativeImageForCurrentFrame is a valid pointer.
2868
2869         Test: http/tests/misc/drag-not-loaded-image.html
2870
2871         * platform/qt/DragImageQt.cpp:
2872         (WebCore::createDragImageFromImage):
2873
2874 2011-05-26  Shane Stephens  <shanestephens@google.com>
2875
2876         Reviewed by James Robinson.
2877
2878         REGRESSION (r81992): layout triggered by position update fails to apply when transform is updated at same time
2879         https://bugs.webkit.org/show_bug.cgi?id=60689
2880
2881         Test: transforms/2d/set-transform-and-top.html
2882
2883         * rendering/RenderBlock.cpp:
2884         (WebCore::RenderBlock::simplifiedLayout):
2885
2886 2011-05-25  Alexis Menard  <alexis.menard@openbossa.org>
2887
2888         Reviewed by Antonio Gomes.
2889
2890         [Qt] When QWebView has a different style set on it then the scrollbars are not rendered correctly
2891         https://bugs.webkit.org/show_bug.cgi?id=34635
2892
2893         Make sure the scrollbar is properly rendered on Mac with another style than the Mac style. The code had
2894         two paths, one for Mac and one for any other styles. The problem is that on Mac you can still run the
2895         application with -style plastique for example, therefore the code used for other styles should also be
2896         used whenever the current style is not the Mac style.
2897
2898         * platform/qt/ScrollbarThemeQt.cpp:
2899         (WebCore::ScrollbarThemeQt::paint):
2900
2901 2011-05-24  Leo Yang  <leo.yang@torchmobile.com.cn>
2902
2903         Reviewed by Ryosuke Niwa.
2904
2905         [SVG] Assertion failure by dragging text between input fields inside <foreignObject>s
2906         https://bugs.webkit.org/show_bug.cgi?id=60692
2907
2908         Add NULL check of 'holder' in WebCore::ReplacementFragment::ReplacementFragment()
2909         before calling VisibleSelection::selectionFromContentsOfNode() to prevent crashing.
2910
2911         Test: editing/pasteboard/drag-drop-input-in-svg.svg
2912
2913         * editing/ReplaceSelectionCommand.cpp:
2914         (WebCore::ReplacementFragment::ReplacementFragment):
2915
2916 2011-05-24  Andy Estes  <aestes@apple.com>
2917
2918         Reviewed by Geoffrey Garen.
2919
2920         REGRESSION (r70748): WebKit cannot play QuickTime movies on Mac OS X Wiki Server pages
2921         https://bugs.webkit.org/show_bug.cgi?id=61229
2922
2923         This site-specific hack maintains compatibility with Mac OS X Wiki Server,
2924         which embeds QuickTime movies using an object tag containing QuickTime's
2925         ActiveX classid. Treat this classid as valid only if OS X Server's unique
2926         'generator' meta tag is present. Only apply this quirk if there is no
2927         fallback content, which ensures the quirk will disable itself if Wiki
2928         Server is updated to generate an alternate embed tag as fallback content.
2929
2930         * html/HTMLObjectElement.cpp:
2931         (WebCore::HTMLObjectElement::shouldAllowQuickTimeClassIdQuirk): Return
2932         true if site-specific quirks are enabled, the object element has no
2933         fallback content, the classid attribute matches QuickTime's classid and
2934         the document has a 'generator' meta tag matching Mac OS X Web Services
2935         Server's unique generator string.
2936         (WebCore::HTMLObjectElement::hasValidClassId): Call
2937         shouldAllowQuickTimeClassIdQuirk().
2938         * html/HTMLObjectElement.h:
2939
2940 2011-05-24  Tony Chang  <tony@chromium.org>
2941
2942         Reviewed by James Robinson.
2943
2944         fix render overflow computation for input type=range
2945         https://bugs.webkit.org/show_bug.cgi?id=61132
2946
2947         Test: fast/forms/slider-hit-testing.html
2948
2949         We need to clear m_overflow otherwise we use the first
2950         size of the slider for hit testing (i.e., changes to the size
2951         cause problems).  This only shows up if the thumb isn't contained
2952         in the bounds of the slider.  Making the range have a smaller height
2953         than the thumb shows the bug.
2954
2955         * rendering/RenderSlider.cpp:
2956         (WebCore::RenderSlider::layout): Clear the overflow during layout
2957             so we re-compute the overflow based on the current size of the
2958             slider.
2959
2960 2011-05-14  Abhishek Arya  <inferno@chromium.org>
2961
2962         Reviewed by Dan Bernstein.
2963
2964         As per spec, only allow one font family name in a font face rule.
2965         Other things like initial value, inherited value or multiple names
2966         are discarded.
2967         https://bugs.webkit.org/show_bug.cgi?id=60837
2968
2969         Test: fast/css/invalid-font-family-in-font-face-crash.html
2970
2971         * css/CSSParser.cpp:
2972         (WebCore::CSSParser::createFontFaceRule):
2973
2974 2011-05-18  Abhishek Arya  <inferno@chromium.org>
2975
2976         Reviewed by Dirk Schulze.
2977
2978         When SMIL element is getting removed, make sure to remove it
2979         from target's animation elements list.
2980         https://bugs.webkit.org/show_bug.cgi?id=60980
2981
2982         Test: svg/animations/smil-element-not-removed-crash.html
2983
2984         * svg/animation/SVGSMILElement.cpp:
2985         (WebCore::SVGSMILElement::~SVGSMILElement):
2986
2987 2011-05-23  James Simonsen  <simonjam@chromium.org>
2988
2989         Reviewed by Adam Barth.
2990
2991         Convert raw pointer to RefPtr.
2992         https://bugs.webkit.org/show_bug.cgi?id=61196
2993
2994         * dom/XMLDocumentParserLibxml2.cpp:
2995         (WebCore::XMLDocumentParser::endElementNs):
2996         * dom/XMLDocumentParserQt.cpp:
2997         (WebCore::XMLDocumentParser::parseEndElement):
2998
2999 2011-05-23  Sheriff Bot  <webkit.review.bot@gmail.com>
3000
3001         Unreviewed, rolling out r87007.
3002         http://trac.webkit.org/changeset/87007
3003         https://bugs.webkit.org/show_bug.cgi?id=61329
3004
3005         patch unnecessarily breaks HTML5 compatibility (Requested by
3006         estes on #webkit).
3007
3008         * html/HTMLObjectElement.cpp:
3009         (WebCore::HTMLObjectElement::hasValidClassId):
3010
3011 2011-05-23  Julien Chaffraix  <jchaffraix@codeaurora.org>
3012
3013         Reviewed by Darin Adler.
3014
3015         Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
3016         https://bugs.webkit.org/show_bug.cgi?id=57140
3017
3018         Test: fast/storage/storage-detached-iframe.html
3019
3020         Access of localStorage on a detached iframe was causing a crash because a detached 
3021         iframe has a null m_page, and WebCore::privateBrowsingEnabled() wasn't testing for such.
3022
3023         * storage/StorageAreaImpl.cpp:
3024         (WebCore::privateBrowsingEnabled): check that child->page() is non-null before
3025         accessing it.
3026
3027 2011-05-20  Ryosuke Niwa  <rniwa@webkit.org>
3028
3029         Reviewed by Enrica Casucci.
3030
3031         REGRESSION(r84311): WebKit copies too much styles when copying
3032         https://bugs.webkit.org/show_bug.cgi?id=60914
3033
3034         The bug was caused by WebKit's cloning node hierarchy up until the node that has background color.
3035         Fixed the bug by not cloning background color and adding the effective background color to the wrapping
3036         style span.
3037
3038         Tests: editing/pasteboard/do-no-clone-unnecessary-styles-2.html
3039                editing/pasteboard/do-no-clone-unnecessary-styles.html
3040
3041         * editing/EditingStyle.cpp:
3042         (WebCore::cssValueToRGBA): Extracted from getRGBAFontColor.
3043         (WebCore::getRGBAFontColor): Moved.
3044         (WebCore::rgbaBackgroundColorInEffect): Added.
3045         (WebCore::EditingStyle::init): Added support for InheritablePropertiesAndBackgroundColorInEffect.
3046         (WebCore::EditingStyle::prepareToApplyAt): Include the effective background color at the given position.
3047         Also remove the background color property when the effective background color is equal to the background
3048         color property (in terms of RGBA value) of the editing style.
3049         (WebCore::hasTransparentBackgroundColor): Moved from Editor class.
3050         (WebCore::backgroundColorInEffect): Extracted from Editor::selectionStartCSSPropertyValue.
3051         * editing/EditingStyle.h: Added prototypes for hasTransparentBackgroundColor and backgroundColorInEffect.
3052         * editing/Editor.cpp:
3053         (WebCore::Editor::selectionStartCSSPropertyValue): Calls backgroundColorInEffect.
3054         * editing/Editor.h: Removed hasTransparentBackgroundColor.
3055         * editing/markup.cpp:
3056         (WebCore::isElementPresentational): Reverted r85090 and r84311.
3057         (WebCore::createMarkup): Include the background color in effect when computing the editing style.
3058
3059 2011-05-20  Ryosuke Niwa  <rniwa@webkit.org>
3060
3061         Reviewed by Enrica Casucci.
3062
3063         Wrap copied contents by one style span instead of two
3064         https://bugs.webkit.org/show_bug.cgi?id=60988
3065
3066         Replaced sourceDocumentStyleSpan and copiedRangeStyleSpan by one wrapping style span. Instead
3067         of wrapping the copied contents by user-applied style and document default style in serialization,
3068         take the difference with the document default's style in paste code.
3069
3070         This will dramatically simplify our copy and paste code and pave a way to fix the bug 60914.
3071
3072         No new tests because copy & paste is tested by existing layout tests.
3073
3074         * editing/EditingStyle.cpp:
3075         (WebCore::EditingStyle::prepareToApplyAt): Remove the color property if RGBA values of color
3076         matches that of the computed style at the specified position.
3077         * editing/ReplaceSelectionCommand.cpp:
3078         (WebCore::ReplaceSelectionCommand::handleStyleSpans): Replaced sourceDocumentStyleSpan and
3079         copiedRangeStyleSpan by wrappingStyleSpan. When pasting as a quotation, compare style against
3080         the document's default style to avoid keeping the document default style (tested by
3081         editing/pasteboard/4930986-3.html).
3082         * editing/ReplaceSelectionCommand.h:
3083         * editing/markup.cpp:
3084         (WebCore::createMarkup): Only use one style span to wrap the serialized contents.
3085
3086 2011-05-23  Abhishek Arya  <inferno@chromium.org>
3087
3088         Reviewed by Simon Fraser.
3089
3090         Terminate css color parsing on integers which are not followed
3091         by a terminator.
3092         https://bugs.webkit.org/show_bug.cgi?id=61293
3093
3094         Test: fast/css/parse-color-int-or-percent-crash.html
3095
3096         * css/CSSParser.cpp:
3097         (WebCore::parseColorIntOrPercentage):
3098
3099 2011-05-21  Dirk Schulze  <krit@webkit.org>
3100
3101         Reviewed by Darin Adler.
3102
3103         REGRESSION(r66731): pointer-events are broken in some cases
3104         https://bugs.webkit.org/show_bug.cgi?id=45467
3105
3106         The SVGSVGElement shouldn't be the target of a mouse event, if its pointer-events attribute is set
3107         to 'none'. This matches the behavior on Firefox where an embedded SVG element is the target of an event,
3108         if none of its children caught the event. This is the case for all pointer-events other than 'none'.
3109
3110         Tests: svg/custom/pointer-events-on-svg-with-pointer.xhtml
3111                svg/custom/pointer-events-on-svg-without-pointer.xhtml
3112
3113         * rendering/svg/RenderSVGRoot.cpp:
3114         (WebCore::RenderSVGRoot::nodeAtPoint):
3115
3116 2011-05-21  Dan Bernstein  <mitz@apple.com>
3117
3118         Reviewed by Darin Adler.
3119
3120         <rdar://problem/9479926> REGRESSION (r82144): Icon overlaps text in Twitter message dialog
3121         https://bugs.webkit.org/show_bug.cgi?id=61241
3122
3123         Test: fast/block/positioning/start-ignoring-before.html
3124
3125         * rendering/RenderBlockLineLayout.cpp:
3126         (WebCore::TrailingObjects::updateMidpointsForTrailingBoxes): Added a boolean parameter saying
3127         whether to merge the first trailing space with the line break.
3128         (WebCore::RenderBlock::LineBreaker::nextLineBreak): When adding a midpoint behind the current
3129         character, account for trailing positioned objects that occurred after the midpoint by calling
3130         updateMidpointsForTrailingBoxes(), which adds midpoints for them.
3131
3132 2011-05-20  Andy Estes  <aestes@apple.com>
3133
3134         Reviewed by Darin Adler.
3135
3136         REGRESSION (r70748): WebKit cannot play videos created by Podcast Producer.
3137         https://bugs.webkit.org/show_bug.cgi?id=61229
3138         
3139         Podcast Producer uses an object tag with a classid attribute to embed
3140         QuickTime Player into a page. In r70748, we changed our behavior to
3141         render the object's fallback content when a non-empty classid is
3142         encountered, per HTML5. Since Podcast Producer videos have no fallback
3143         content, this change in behavior causes the video to fail to load.
3144         
3145         Since the object tag has a valid type attribute, we would be able to
3146         load it if it weren't for the non-empty classid. This patch changes our
3147         policy to allow objects with non-empty classids if there is no fallback
3148         content. We still continue to prefer fallback content if it exists,
3149         however.
3150
3151         * html/HTMLObjectElement.cpp:
3152         (WebCore::HTMLObjectElement::hasValidClassId): Treat a non-empty
3153         classid as valid if the object has no fallback content.
3154
3155 2011-05-20  Dirk Schulze  <krit@webkit.org>
3156
3157         Reviewed by Eric Seidel.
3158
3159         SVG Large curve path segment OOM crash
3160         https://bugs.webkit.org/show_bug.cgi?id=42079
3161
3162         Limit the depth of repeatedly splitting a segment on length calculation to 20. The limitation
3163         is necessary for very big segments that would be split into millions of parts otherwise.
3164         The limitation just causes a less accurate approximation.
3165         At the moment the limit is fixed to 20. This is comparable with splitting the segment into
3166         ~1 million parts as a worst case. We might want to be more flexible later.
3167
3168         Test: svg/custom/path-getTotalLength-on-big-segment-crash.svg
3169
3170         * platform/graphics/PathTraversalState.cpp:
3171         (WebCore::midPoint):
3172         (WebCore::curveLength):
3173         (WebCore::PathTraversalState::PathTraversalState):
3174         (WebCore::PathTraversalState::moveTo):
3175         (WebCore::PathTraversalState::quadraticBezierTo):
3176         (WebCore::PathTraversalState::cubicBezierTo):
3177         * platform/graphics/PathTraversalState.h:
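
As an added illustration of the depth-capped subdivision the entry above describes (example code, not WebKit's PathTraversalState implementation): a cubic Bezier length approximation that recursively halves the segment until it is flat enough, but never deeper than 20 levels, so a very large segment cannot recurse into millions of pieces. The point, curve, tolerance and result types are constructed for this example.

```cpp
// Added example, not WebKit's code: approximate the length of a cubic Bezier
// segment by recursive midpoint subdivision with a hard depth cap (20 levels,
// so at most 2^20 leaf pieces), as the ChangeLog entry above describes.
#include <cmath>
#include <cstdio>

struct Point {
    double x;
    double y;
};

struct CubicBezier {
    Point start;
    Point control1;
    Point control2;
    Point end;
};

static Point midPoint(const Point& a, const Point& b)
{
    return { (a.x + b.x) / 2, (a.y + b.y) / 2 };
}

static double distance(const Point& a, const Point& b)
{
    return std::hypot(b.x - a.x, b.y - a.y);
}

// Straight line between the endpoints: a lower bound on the arc length.
static double chordLength(const CubicBezier& c)
{
    return distance(c.start, c.end);
}

// Length of the control polygon: an upper bound on the arc length.
static double polygonLength(const CubicBezier& c)
{
    return distance(c.start, c.control1) + distance(c.control1, c.control2) + distance(c.control2, c.end);
}

// de Casteljau split at t = 0.5 into two halves.
static void splitCurve(const CubicBezier& c, CubicBezier& left, CubicBezier& right)
{
    Point p01 = midPoint(c.start, c.control1);
    Point p12 = midPoint(c.control1, c.control2);
    Point p23 = midPoint(c.control2, c.end);
    Point p012 = midPoint(p01, p12);
    Point p123 = midPoint(p12, p23);
    Point mid = midPoint(p012, p123);
    left = { c.start, p01, p012, mid };
    right = { mid, p123, p23, c.end };
}

struct LengthResult {
    double length;             // approximated arc length
    unsigned long long pieces; // number of leaf pieces summed
    unsigned deepestLevel;     // deepest recursion level reached
};

const unsigned kMaxSplitDepth = 20;    // the limit the entry above settles on
const double kFlatnessTolerance = 0.1; // constructed value for this example

static void accumulateLength(const CubicBezier& c, unsigned depth, unsigned maxDepth, LengthResult& result)
{
    double chord = chordLength(c);
    double polygon = polygonLength(c);
    // Stop when the piece is flat enough OR when the depth cap is hit. Without the
    // cap, rounding noise on very large coordinates can keep polygon - chord above
    // the tolerance forever, and the recursion never terminates.
    if (depth >= maxDepth || polygon - chord <= kFlatnessTolerance) {
        result.length += (chord + polygon) / 2;
        result.pieces++;
        if (depth > result.deepestLevel)
            result.deepestLevel = depth;
        return;
    }
    CubicBezier left, right;
    splitCurve(c, left, right);
    accumulateLength(left, depth + 1, maxDepth, result);
    accumulateLength(right, depth + 1, maxDepth, result);
}

LengthResult curveLength(const CubicBezier& c, unsigned maxDepth = kMaxSplitDepth)
{
    LengthResult result = { 0, 0, 0 };
    accumulateLength(c, 0, maxDepth, result);
    return result;
}

int main()
{
    // Constructed "very big" segment: coordinates far beyond any sane document size.
    CubicBezier huge = { { 0, 0 }, { 0, 1e18 }, { 1e18, 1e18 }, { 1e18, 0 } };
    LengthResult r = curveLength(huge);
    std::printf("length ~ %g from %llu pieces, deepest level %u (cap %u)\n",
                r.length, r.pieces, r.deepestLevel, kMaxSplitDepth);
    return 0;
}
```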
3178
3179 2011-05-19  Andrew Wilson  <atwilson@chromium.org>
3180
3181         Reviewed by Darin Adler.
3182
3183         MessagePortArray cloning code needs to verify source before copying.
3184         https://bugs.webkit.org/show_bug.cgi?id=61130
3185
3186         * bindings/js/JSMessagePortCustom.cpp:
3187         (WebCore::fillMessagePortArray):
3188         Changed code to not pre-allocate the destination array.
3189         * bindings/v8/custom/V8MessagePortCustom.cpp:
3190         (WebCore::getMessagePortArray):
3191         Changed code to not pre-allocate the destination array.
3192
3193 2011-05-06  Alexis Menard  <alexis.menard@openbossa.org>
3194
3195         Reviewed by Darin Adler.
3196
3197         Fix two warnings of unused variables.
3198         https://bugs.webkit.org/show_bug.cgi?id=60370
3199
3200         Remove two unused local variables from the code.
3201
3202         No new tests, the existing ones should cover.
3203
3204         * rendering/RenderFlexibleBox.cpp:
3205         (WebCore::RenderFlexibleBox::layoutVerticalBox):
3206         * svg/animation/SVGSMILElement.cpp:
3207         (WebCore::SVGSMILElement::calculateNextProgressTime):
3208
3209 2011-05-18  Alexis Menard  <alexis.menard@openbossa.org>, Simon Hausmann  <simon.hausmann@nokia.com>
3210
3211         Reviewed by Eric Carlson.
3212
3213         MediaElements fail to load the data in some cases.
3214         https://bugs.webkit.org/show_bug.cgi?id=60760
3215
3216         WebKitWebSourceGStreamer is the interface between WebKit and GStreamer
3217         that uses the ResourceHandle API to request data and pass it down. For
3218         our builds it is absolutely essential that we have a NetworkingContext
3219         available there, in order to get access to the QNetworkAccessManager.
3220         No access means we basically cannot load the video. The WebSource gains
3221         access to the NetworkingContext through a WebCore::Frame pointer it has.
3222
3223         MediaPlayerPrivateGStreamer is responsible for propagating a pointer of
3224         the WebCore::Frame to the WebKitWebSource in
3225         mediaPlayerPrivateSourceChangedCallback. In there we used the MediaPlayer's
3226         frameView() accessor to access the frame. However the frameView() member
3227         is only set through the render tree's RenderVideo, which is rather unreliable
3228         given that some sites create "fake" video tags initially that only become
3229         visible later (or never).
3230
3231         A more reliable way is to simply use the document of the MediaPlayerClient,
3232         which is provided at constructor time.
3233
3234         Test: http/tests/media/media-can-load-when-hidden.html
3235
3236         * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
3237         (WebCore::MediaPlayerPrivateGStreamer::sourceChanged):
3238
3239 2011-05-19  Andrew Wason  <rectalogic@rectalogic.com>
3240
3241         Reviewed by Darin Adler.
3242
3243         Fix GraphicsContext3DQt.cpp compile error
3244         https://bugs.webkit.org/show_bug.cgi?id=61128
3245
3246         * platform/graphics/qt/GraphicsContext3DQt.cpp:
3247         (WebCore::GraphicsContext3D::GraphicsContext3D):
3248          clear() m_internal OwnPtr.
3249
3250 2011-05-19  Ryosuke Niwa  <rniwa@webkit.org>
3251
3252         Reviewed by Darin Adler.
3253
3254         REGRESSION (r83322): Many crashes in Mail.app in WebCore::Node::nodeIndex
3255         https://bugs.webkit.org/show_bug.cgi?id=61012
3256
3257         The crash was caused by ReplaceSelectionCommand's inserting content into the middle of the paragraph
3258         being moved when the insertion position's container node is the node to split to. Fixed the crash
3259         by not changing the insertion position in such a case.
3260
3261         Unfortunately, this fix caused markup to bloat in some tests but we'll take this regression since
3262         it's much better than crashing.
3263
3264         Test: editing/pasteboard/paste-after-inline-style-element.html
3265
3266         * editing/ReplaceSelectionCommand.cpp:
3267         (WebCore::ReplaceSelectionCommand::doApply):
3268
3269 2011-05-19  Emil A Eklund  <eae@chromium.org>
3270
3271         Reviewed by Alexey Proskuryakov.
3272
3273         REGRESSION (r80808): Multiple <select> - Selection reset to first element from multiple selected ones
3274         https://bugs.webkit.org/show_bug.cgi?id=60986
3275
3276         * html/HTMLSelectElement.cpp:
3277         (WebCore::HTMLSelectElement::setMultiple):
3278         Don't restore selection if the multiple attribute hasn't changed.
3279
3280 2011-05-18  Yi Shen  <yi.4.shen@nokia.com>
3281
3282         Reviewed by Andreas Kling.
3283
3284         [Qt] Enterkey to go to Newline does not work in the text area(in HTML form)
3285         https://bugs.webkit.org/show_bug.cgi?id=33179
3286
3287         Fill the missing key text for the EnterKey event.
3288
3289         Tests: fast/events/onsearch-enter.html
3290
3291         * platform/qt/PlatformKeyboardEventQt.cpp:
3292         (WebCore::keyTextForKeyEvent):
3293
3294 2011-05-18  Oliver Hunt  <oliver@apple.com>
3295
3296         Reviewed by Sam Weinig.
3297
3298         JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
3299         https://bugs.webkit.org/show_bug.cgi?id=61090
3300
3301         Rather than having Constructor objects create their structure
3302         as part of initialisation, we now pass their expected structure
3303         in as an argument.  This required fixing the few custom Constructors
3304         and the code generator.
3305
3306         * bindings/js/JSAudioConstructor.cpp:
3307         (WebCore::JSAudioConstructor::JSAudioConstructor):
3308         * bindings/js/JSAudioConstructor.h:
3309         * bindings/js/JSDOMGlobalObject.h:
3310         (WebCore::getDOMConstructor):
3311           Pass the Constructor objects structure in as an argument
3312         * bindings/js/JSImageConstructor.cpp:
3313         (WebCore::JSImageConstructor::JSImageConstructor):
3314         * bindings/js/JSImageConstructor.h:
3315         * bindings/js/JSOptionConstructor.cpp:
3316         (WebCore::JSOptionConstructor::JSOptionConstructor):
3317         * bindings/js/JSOptionConstructor.h:
3318         * bindings/scripts/CodeGeneratorJS.pm:
3319
3320 2011-05-18  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>
3321
3322         Reviewed by Andreas Kling.
3323
3324         [Qt] Fix tst_QWebFrame::getSetStaticProperty() autotest
3325         https://bugs.webkit.org/show_bug.cgi?id=60984
3326
3327         The code for converting objects to QVariantMap was causing an exception
3328         that was "leaking" to the next evaluation. One situation was reading
3329         the property 'localStorage' when we do not have a proper security
3330         origin, which throws a SECURITY_ERR.
3331
3332         Now, we will simply not include on the QVariantMap those properties,
3333         and make sure that we clean the exception if necessary.
3334
3335         * bridge/qt/qt_runtime.cpp:
3336         (JSC::Bindings::convertValueToQVariantMap):
3337         Extracted function that performs conversion from JSObject to a QVariantMap. This
3338         function makes sure that the exception state is clean after its execution.
3339
3340         (JSC::Bindings::convertValueToQVariant):
3341         Use the previous function. Add a comment explaining the choice of distance value.
3342
3343 2011-05-18  Abhishek Arya  <inferno@chromium.org>
3344
3345         Reviewed by Beth Dakin.
3346
3347         Remove removeChild on table caption since destroy call
3348         already does that.
3349         https://bugs.webkit.org/show_bug.cgi?id=61083
3350
3351         Test: fast/table/table-captions-child-visible-crash.html
3352
3353         * rendering/RenderTable.cpp:
3354         (WebCore::RenderTable::recalcCaption):
3355
3356 2011-05-09  Luiz Agostini  <luiz.agostini@openbossa.org>
3357
3358         Reviewed by Kenneth Rohde Christiansen.
3359
3360         [Qt] Redirection of HTTP POST (3xx) incorrectly includes original POST data
3361         https://bugs.webkit.org/show_bug.cgi?id=60440
3362
3363         Makes sure that the HTTP headers Content-Type and Content-Length are not included in
3364         requests that do not have any content.
3365
3366         Tests: http/tests/navigation/post-301-response.html
3367                http/tests/navigation/post-302-response.html
3368                http/tests/navigation/post-303-response.html
3369                http/tests/navigation/post-307-response.html
3370
3371         * platform/network/qt/QNetworkReplyHandler.cpp:
3372         (WebCore::QNetworkReplyHandler::sendNetworkRequest):
3373
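The redirect handling the entry above describes, as an added example (not WebKit or Qt code): building the follow-up request for each of the 3xx statuses the tests cover and dropping Content-Type and Content-Length whenever the follow-up request carries no body. The method-rewriting rules are the ones browsers apply (301/302 turn a POST into a GET, 303 turns anything but GET/HEAD into a GET, 307 preserves method and body); 308 is included for completeness although it is not among the page's tests. The request shape and the function names are assumptions made for this illustration.

```javascript
// Added example, not WebKit or Qt code: build the follow-up request for a
// 3xx response to a POST. Body-describing headers are dropped whenever the
// follow-up request carries no body, so a redirected POST never goes out as a
// GET that still announces Content-Type/Content-Length for data it no longer has.

// Headers that describe a request body (the two the entry names).
const BODY_HEADERS = new Set(['content-type', 'content-length']);

// Method-rewriting rules as browsers apply them: 301/302 turn POST into GET,
// 303 turns everything but GET/HEAD into GET, 307/308 keep method and body.
// (308 is not among the page's tests; it is included for completeness.)
function redirectedMethod(status, method) {
  if (status === 303) return method === 'GET' || method === 'HEAD' ? method : 'GET';
  if ((status === 301 || status === 302) && method === 'POST') return 'GET';
  return method;
}

// request: { method, url, headers: {name: value}, body: string|null }
// Returns the request to send next, or null if the status is not a redirect
// we follow. The original request object is not modified.
function followRedirect(request, status, location) {
  if (![301, 302, 303, 307, 308].includes(status)) return null;

  const method = redirectedMethod(status, request.method);
  const keepBody = method === request.method && request.body !== null;
  const body = keepBody ? request.body : null;

  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    // No body, no body headers: this is the fix the entry describes.
    if (body === null && BODY_HEADERS.has(name.toLowerCase())) continue;
    headers[name] = value;
  }
  return { method, url: location, headers, body };
}

// Constructed sample: a form POST that the server answers with a redirect.
const originalPost = {
  method: 'POST',
  url: 'https://example.test/submit',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': '7',
    'Accept': '*/*',
  },
  body: 'a=1&b=2',
};
```

The check is keyed on the absence of a body rather than on the status code, so a 307 that legitimately re-sends the POST keeps both headers, while any rewrite to GET loses them together with the data. Header names are compared case-insensitively, since the original request may spell them either way.
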
3374 2011-05-17  Andreas Kling  <kling@webkit.org>
3375
3376         Reviewed by Benjamin Poulain.
3377
3378         [Qt] GraphicsLayerQtImpl: Remove an unused variable.
3379
3380         * platform/graphics/qt/GraphicsLayerQt.cpp:
3381         (WebCore::GraphicsLayerQtImpl::paint):
3382
3383 2011-05-17  Sam Magnuson  <smagnuson@netflix.com>
3384
3385         Reviewed by Kenneth Rohde Christiansen.
3386
3387         [Qt] Nodes that have both an opacity and a transform animation on them seem not to fire.
3388         https://bugs.webkit.org/show_bug.cgi?id=40841
3389
3390         Test: compositing/animation/busy-indicator.html
3391
3392         * platform/graphics/qt/GraphicsLayerQt.cpp:
3393         (WebCore::GraphicsLayerQtImpl::recache):
3394         (WebCore::GraphicsLayerQtImpl::flushChanges):
3395         (WebCore::GraphicsLayerQt::setContentsToImage):
3396         (WebCore::TransformAnimationQt::getAnimatedProperty):
3397         (WebCore::OpacityAnimationQt::getAnimatedProperty):
3398         (WebCore::GraphicsLayerQt::addAnimation):
3399
3400 2011-05-16  Adam Barth  <abarth@webkit.org>
3401
3402         Reviewed by Eric Seidel.
3403
3404         Remove bogus ASSERT in Document::setCompatibilityMode
3405         https://bugs.webkit.org/show_bug.cgi?id=60935
3406
3407         The ASSERT is invalid when the parser is in the initial state and the
3408         document is non-empty, which is strange but not impossible.
3409
3410         Test: fast/parser/append-child-followed-by-document-write.html
3411
3412         * dom/Document.cpp:
3413         (WebCore::Document::setCompatibilityMode):
3414
3415 2011-05-15  Geoffrey Garen  <ggaren@apple.com>
3416
3417         Reviewed by Gavin Barraclough.
3418
3419         https://bugs.webkit.org/show_bug.cgi?id=59699
3420         Global object is recreated on teardown, for no good reason
3421         
3422         (Another partial fix for <rdar://problem/9417875> REGRESSION: SunSpider
3423         ~7% slower in browser than on command line (was 17%))
3424         
3425         I'm basically rolling out http://trac.webkit.org/changeset/49786 because
3426
3427         (a) it created this performance problem
3428         
3429         and
3430         
3431         (b) a more complete fix, which obsoletes http://trac.webkit.org/changeset/49786,
3432         was committed in http://trac.webkit.org/changeset/53439.
3433         
3434         Tested with the file attached to https://bugs.webkit.org/show_bug.cgi?id=29832.
3435
3436         * page/Frame.cpp:
3437         (WebCore::Frame::~Frame): Don't create a new window every time we destroy
3438         a frame.
3439
3440 2011-05-13  Mikhail Naganov  <mnaganov@chromium.org>
3441
3442         Web Inspector: Unreviewed image glyph position fix in CSS after r85588.
3443
3444         * inspector/front-end/heapProfiler.css:
3445         (.heapshot-help-status-bar-item .glyph):
3446
3447 2011-05-13  Alexey Proskuryakov  <ap@apple.com>
3448
3449         Reviewed by Joseph Pecoraro.
3450
3451         Hide appcache status bar items
3452         https://bugs.webkit.org/show_bug.cgi?id=60799
3453
3454         We have a number of non-trivial bugs that make these more misleading than helpful to developers.
3455
3456         * inspector/front-end/ApplicationCacheItemsView.js: (WebInspector.ApplicationCacheItemsView):