1. 31 Jan, 2011 2 commits
      2011-01-31 Carlos Garcia Campos <cgarcia@igalia.com> · ccc992ad
      carlosgc@webkit.org authored
              Unreviewed, fix the build with current GTK+ 3.x.
      
              * plugins/gtk/gtk2xtbin.c:
              * plugins/gtk/gtk2xtbin.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77115 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2011-01-30 Kenichi Ishibashi <bashi@google.com> · fc192901
      tkent@chromium.org authored
              Reviewed by Kent Tamura.
      
              Dangling form associated elements should not be registered on the document
              https://bugs.webkit.org/show_bug.cgi?id=53223
      
              Adds insertedIntoDocument() and removedFromDocument() to
              FormAssociatedElement class to register the element on the document
              if and only if it is actually inserted into (removed from) the document.
      
              Test: fast/forms/dangling-form-element-crash.html
      
              * html/FormAssociatedElement.cpp:
              (WebCore::FormAssociatedElement::insertedIntoDocument): Added.
              (WebCore::FormAssociatedElement::removedFromDocument): Ditto.
              (WebCore::FormAssociatedElement::insertedIntoTree): Don't register
              the element to a document.
              (WebCore::FormAssociatedElement::removedFromTree): Don't unregister
              the element from a document.
              * html/FormAssociatedElement.h:
              * html/HTMLFormControlElement.cpp:
              (WebCore::HTMLFormControlElement::insertedIntoDocument): Added.
              (WebCore::HTMLFormControlElement::removedFromDocument): Ditto.
              * html/HTMLFormControlElement.h:
              * html/HTMLObjectElement.cpp:
              (WebCore::HTMLObjectElement::insertedIntoDocument): Calls
              FormAssociatedElement::insertedIntoDocument().
              (WebCore::HTMLObjectElement::removedFromDocument): Calls
              FormAssociatedElement::removedFromDocument().
      
      2011-01-30  Kenichi Ishibashi  <bashi@google.com>
      
              Reviewed by Kent Tamura.
      
              Dangling form associated elements should not be registered on the document
              https://bugs.webkit.org/show_bug.cgi?id=53223
      
              Adds a test that ensures dangling form associated elements are not
              registered on the document.
      
              * fast/forms/dangling-form-element-crash-expected.txt: Added.
              * fast/forms/dangling-form-element-crash.html: Added.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77114 268f45cc-cd09-0410-ab3c-d52691b4dbfc
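The distinction the change above relies on is that "inserted into a tree" and "inserted into the document" are different events: a control appended to a detached subtree gets the tree hook but never the document hook. The following model is an added illustration, not WebKit code; Document, Node and the two FormControl classes are hypothetical simplifications of WebCore's Document, ContainerNode and FormAssociatedElement, and the trace function is likewise made up for the example. It contrasts registering on tree insertion (the old policy) with registering on document insertion (the new one) and reports, at each step, whether the document's registry and the element's actual position agree.

```javascript
// Added illustration of the two registration policies; not WebKit code.
// Document, Node and the FormControl classes below are hypothetical
// simplifications, not WebCore's classes.

class Document {
  constructor() {
    this.formElements = new Set();           // models the document's form-associated element registry
    this.root = new Node(this, "#document"); // the one node that is in the document by definition
  }
  registerFormElement(el) { this.formElements.add(el); }
  unregisterFormElement(el) { this.formElements.delete(el); }
}

class Node {
  constructor(document, name) {
    this.document = document;
    this.name = name;
    this.parent = null;
    this.children = [];
  }

  // True only when the parent chain reaches the document root.
  inDocument() {
    let n = this;
    while (n.parent) n = n.parent;
    return n === this.document.root;
  }

  appendChild(child) {
    child.parent = this;
    this.children.push(child);
    child.notifyInserted(this.inDocument());
  }

  removeChild(child) {
    const wasInDocument = this.inDocument();
    this.children = this.children.filter((c) => c !== child);
    child.parent = null;
    child.notifyRemoved(wasInDocument);
  }

  // Tree hooks fire on every insertion or removal, even inside a detached
  // subtree; document hooks fire only when the subtree actually enters or
  // leaves the document. Both recurse into descendants.
  notifyInserted(intoDocument) {
    this.insertedIntoTree();
    if (intoDocument) this.insertedIntoDocument();
    for (const c of this.children) c.notifyInserted(intoDocument);
  }
  notifyRemoved(fromDocument) {
    if (fromDocument) this.removedFromDocument();
    this.removedFromTree();
    for (const c of this.children) c.notifyRemoved(fromDocument);
  }

  insertedIntoTree() {}
  removedFromTree() {}
  insertedIntoDocument() {}
  removedFromDocument() {}
}

// Old policy: register on any tree insertion, including into a detached subtree.
class FormControlBefore extends Node {
  insertedIntoTree() { this.document.registerFormElement(this); }
  removedFromTree() { this.document.unregisterFormElement(this); }
}

// New policy: register only when the element actually enters the document.
class FormControlAfter extends Node {
  insertedIntoDocument() { this.document.registerFormElement(this); }
  removedFromDocument() { this.document.unregisterFormElement(this); }
}

// Walk one control through a detached subtree, into the document, and out
// again, recording whether the registry agrees with the element's position.
function registrationTrace(FormControl) {
  const doc = new Document();
  const detachedDiv = new Node(doc, "div");
  const input = new FormControl(doc, "input");
  const trace = [];
  const snap = (step) => trace.push({
    step,
    registered: doc.formElements.has(input),
    inDocument: input.inDocument(),
  });

  detachedDiv.appendChild(input);     // inserted into a tree, but that tree is not in the document
  snap("appended to detached div");
  doc.root.appendChild(detachedDiv);  // the whole subtree now enters the document
  snap("div appended to document");
  doc.root.removeChild(detachedDiv);  // the subtree leaves the document; the input stays in the div
  snap("div removed from document");
  return trace;
}

// Steps where the document holds a reference to an element that is not in it.
function danglingSteps(trace) {
  return trace.filter((s) => s.registered && !s.inDocument).map((s) => s.step);
}

console.log("before:", danglingSteps(registrationTrace(FormControlBefore)));
console.log("after: ", danglingSteps(registrationTrace(FormControlAfter)));
```

Under the old policy the first step leaves the registry holding an element that is not in the document; in a C++ engine that is a raw pointer to an object whose lifetime the document does not control, which is the crash class the layout test targets. Under the new policy `registered` and `inDocument` agree at every step.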
  2. 30 Jan, 2011 14 commits
      2011-01-30 Csaba Osztrogonác <ossy@webkit.org> · ad0e9df1
      ossy@webkit.org authored
              Unreviewed, rolling out r77098, r77099, r77100, r77109, and
              r77111.
              http://trac.webkit.org/changeset/77098
              http://trac.webkit.org/changeset/77099
              http://trac.webkit.org/changeset/77100
              http://trac.webkit.org/changeset/77109
              http://trac.webkit.org/changeset/77111
              https://bugs.webkit.org/show_bug.cgi?id=53219
      
              Qt build is broken
      
              * API/JSCallbackObject.h:
              (JSC::JSCallbackObjectData::setPrivateProperty):
              (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
              (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
              (JSC::JSCallbackObjectData::JSPrivatePropertyMap::markChildren):
              (JSC::JSCallbackObject::setPrivateProperty):
              * API/JSCallbackObjectFunctions.h:
              (JSC::::put):
              (JSC::::staticFunctionGetter):
              * API/JSObjectRef.cpp:
              (JSObjectMakeConstructor):
              (JSObjectSetPrivateProperty):
              * API/JSWeakObjectMapRefInternal.h:
              * JavaScriptCore.exp:
              * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
              * JavaScriptCore.xcodeproj/project.pbxproj:
              * bytecode/CodeBlock.cpp:
              (JSC::CodeBlock::markAggregate):
              * bytecode/CodeBlock.h:
              (JSC::CodeBlock::globalObject):
              * bytecompiler/BytecodeGenerator.cpp:
              (JSC::BytecodeGenerator::BytecodeGenerator):
              (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
              (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
              (JSC::BytecodeGenerator::findScopedProperty):
              * debugger/Debugger.cpp:
              (JSC::evaluateInGlobalCallFrame):
              * debugger/DebuggerActivation.cpp:
              (JSC::DebuggerActivation::DebuggerActivation):
              (JSC::DebuggerActivation::markChildren):
              * debugger/DebuggerActivation.h:
              * debugger/DebuggerCallFrame.cpp:
              (JSC::DebuggerCallFrame::evaluate):
              * interpreter/CallFrame.h:
              (JSC::ExecState::exception):
              * interpreter/Interpreter.cpp:
              (JSC::Interpreter::resolve):
              (JSC::Interpreter::resolveSkip):
              (JSC::Interpreter::resolveGlobal):
              (JSC::Interpreter::resolveGlobalDynamic):
              (JSC::Interpreter::resolveBaseAndProperty):
              (JSC::Interpreter::unwindCallFrame):
              (JSC::appendSourceToError):
              (JSC::Interpreter::execute):
              (JSC::Interpreter::tryCacheGetByID):
              (JSC::Interpreter::privateExecute):
              * jit/JITStubs.cpp:
              (JSC::JITThunks::tryCacheGetByID):
              (JSC::DEFINE_STUB_FUNCTION):
              * jsc.cpp:
              (GlobalObject::GlobalObject):
              * runtime/ArgList.cpp:
              (JSC::MarkedArgumentBuffer::markLists):
              * runtime/Arguments.cpp:
              (JSC::Arguments::markChildren):
              (JSC::Arguments::getOwnPropertySlot):
              (JSC::Arguments::getOwnPropertyDescriptor):
              (JSC::Arguments::put):
              * runtime/Arguments.h:
              (JSC::Arguments::setActivation):
              (JSC::Arguments::Arguments):
              * runtime/ArrayConstructor.cpp:
              (JSC::ArrayConstructor::ArrayConstructor):
              (JSC::constructArrayWithSizeQuirk):
              * runtime/ArrayPrototype.cpp:
              (JSC::arrayProtoFuncSplice):
              * runtime/BatchedTransitionOptimizer.h:
              (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
              (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
              * runtime/BooleanConstructor.cpp:
              (JSC::BooleanConstructor::BooleanConstructor):
              (JSC::constructBoolean):
              (JSC::constructBooleanFromImmediateBoolean):
              * runtime/BooleanPrototype.cpp:
              (JSC::BooleanPrototype::BooleanPrototype):
              * runtime/ConservativeSet.cpp:
              (JSC::ConservativeSet::grow):
              * runtime/ConservativeSet.h:
              (JSC::ConservativeSet::~ConservativeSet):
              (JSC::ConservativeSet::mark):
              * runtime/DateConstructor.cpp:
              (JSC::DateConstructor::DateConstructor):
              * runtime/DateInstance.cpp:
              (JSC::DateInstance::DateInstance):
              * runtime/DatePrototype.cpp:
              (JSC::dateProtoFuncSetTime):
              (JSC::setNewValueFromTimeArgs):
              (JSC::setNewValueFromDateArgs):
              (JSC::dateProtoFuncSetYear):
              * runtime/ErrorConstructor.cpp:
              (JSC::ErrorConstructor::ErrorConstructor):
              * runtime/ErrorInstance.cpp:
              (JSC::ErrorInstance::ErrorInstance):
              * runtime/ErrorPrototype.cpp:
              (JSC::ErrorPrototype::ErrorPrototype):
              * runtime/FunctionConstructor.cpp:
              (JSC::FunctionConstructor::FunctionConstructor):
              * runtime/FunctionPrototype.cpp:
              (JSC::FunctionPrototype::FunctionPrototype):
              * runtime/GetterSetter.cpp:
              (JSC::GetterSetter::markChildren):
              * runtime/GetterSetter.h:
              (JSC::GetterSetter::GetterSetter):
              (JSC::GetterSetter::getter):
              (JSC::GetterSetter::setGetter):
              (JSC::GetterSetter::setter):
              (JSC::GetterSetter::setSetter):
              * runtime/GlobalEvalFunction.cpp:
              (JSC::GlobalEvalFunction::GlobalEvalFunction):
              (JSC::GlobalEvalFunction::markChildren):
              * runtime/GlobalEvalFunction.h:
              (JSC::GlobalEvalFunction::cachedGlobalObject):
              * runtime/Heap.cpp:
              (JSC::Heap::markProtectedObjects):
              (JSC::Heap::markTempSortVectors):
              (JSC::Heap::markRoots):
              * runtime/InternalFunction.cpp:
              (JSC::InternalFunction::InternalFunction):
              * runtime/JSAPIValueWrapper.h:
              (JSC::JSAPIValueWrapper::value):
              (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
              * runtime/JSActivation.cpp:
              (JSC::JSActivation::markChildren):
              (JSC::JSActivation::put):
              * runtime/JSArray.cpp:
              (JSC::JSArray::JSArray):
              (JSC::JSArray::getOwnPropertySlot):
              (JSC::JSArray::getOwnPropertyDescriptor):
              (JSC::JSArray::put):
              (JSC::JSArray::putSlowCase):
              (JSC::JSArray::deleteProperty):
              (JSC::JSArray::increaseVectorLength):
              (JSC::JSArray::setLength):
              (JSC::JSArray::pop):
              (JSC::JSArray::push):
              (JSC::JSArray::unshiftCount):
              (JSC::JSArray::sort):
              (JSC::JSArray::fillArgList):
              (JSC::JSArray::copyToRegisters):
              (JSC::JSArray::compactForSorting):
              * runtime/JSArray.h:
              (JSC::JSArray::getIndex):
              (JSC::JSArray::setIndex):
              (JSC::JSArray::uncheckedSetIndex):
              (JSC::JSArray::markChildrenDirect):
              * runtime/JSByteArray.cpp:
              (JSC::JSByteArray::JSByteArray):
              * runtime/JSCell.h:
              (JSC::JSCell::JSValue::toThisObject):
              (JSC::JSCell::MarkStack::append):
              * runtime/JSFunction.cpp:
              (JSC::JSFunction::JSFunction):
              (JSC::JSFunction::getOwnPropertySlot):
              * runtime/JSGlobalData.h:
              * runtime/JSGlobalObject.cpp:
              (JSC::markIfNeeded):
              (JSC::JSGlobalObject::reset):
              (JSC::JSGlobalObject::resetPrototype):
              (JSC::JSGlobalObject::markChildren):
              * runtime/JSGlobalObject.h:
              (JSC::JSGlobalObject::JSGlobalObjectData::JSGlobalObjectData):
              (JSC::JSGlobalObject::regExpConstructor):
              (JSC::JSGlobalObject::errorConstructor):
              (JSC::JSGlobalObject::evalErrorConstructor):
              (JSC::JSGlobalObject::rangeErrorConstructor):
              (JSC::JSGlobalObject::referenceErrorConstructor):
              (JSC::JSGlobalObject::syntaxErrorConstructor):
              (JSC::JSGlobalObject::typeErrorConstructor):
              (JSC::JSGlobalObject::URIErrorConstructor):
              (JSC::JSGlobalObject::evalFunction):
              (JSC::JSGlobalObject::objectPrototype):
              (JSC::JSGlobalObject::functionPrototype):
              (JSC::JSGlobalObject::arrayPrototype):
              (JSC::JSGlobalObject::booleanPrototype):
              (JSC::JSGlobalObject::stringPrototype):
              (JSC::JSGlobalObject::numberPrototype):
              (JSC::JSGlobalObject::datePrototype):
              (JSC::JSGlobalObject::regExpPrototype):
              (JSC::JSGlobalObject::methodCallDummy):
              (JSC::Structure::prototypeForLookup):
              (JSC::constructArray):
              * runtime/JSONObject.cpp:
              (JSC::Stringifier::Holder::object):
              (JSC::Stringifier::markAggregate):
              (JSC::Stringifier::stringify):
              (JSC::Stringifier::Holder::appendNextProperty):
              (JSC::Walker::callReviver):
              (JSC::Walker::walk):
              * runtime/JSObject.cpp:
              (JSC::JSObject::defineGetter):
              (JSC::JSObject::defineSetter):
              (JSC::JSObject::removeDirect):
              (JSC::JSObject::putDirectFunction):
              (JSC::JSObject::putDirectFunctionWithoutTransition):
              (JSC::putDescriptor):
              (JSC::JSObject::defineOwnProperty):
              * runtime/JSObject.h:
              (JSC::JSObject::getDirectOffset):
              (JSC::JSObject::putDirectOffset):
              (JSC::JSObject::flattenDictionaryObject):
              (JSC::JSObject::putDirectInternal):
              (JSC::JSObject::putDirect):
              (JSC::JSObject::putDirectFunction):
              (JSC::JSObject::putDirectWithoutTransition):
              (JSC::JSObject::putDirectFunctionWithoutTransition):
              (JSC::JSValue::putDirect):
              (JSC::JSObject::allocatePropertyStorageInline):
              (JSC::JSObject::markChildrenDirect):
              * runtime/JSPropertyNameIterator.cpp:
              (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
              (JSC::JSPropertyNameIterator::get):
              * runtime/JSPropertyNameIterator.h:
              * runtime/JSStaticScopeObject.cpp:
              (JSC::JSStaticScopeObject::markChildren):
              * runtime/JSString.cpp:
              (JSC::StringObject::create):
              * runtime/JSValue.h:
              * runtime/JSWrapperObject.cpp:
              (JSC::JSWrapperObject::markChildren):
              * runtime/JSWrapperObject.h:
              (JSC::JSWrapperObject::internalValue):
              (JSC::JSWrapperObject::setInternalValue):
              * runtime/LiteralParser.cpp:
              (JSC::LiteralParser::parse):
              * runtime/Lookup.cpp:
              (JSC::setUpStaticFunctionSlot):
              * runtime/Lookup.h:
              (JSC::lookupPut):
              * runtime/MarkStack.h:
              (JSC::MarkStack::appendValues):
              * runtime/MathObject.cpp:
              (JSC::MathObject::MathObject):
              * runtime/NativeErrorConstructor.cpp:
              (JSC::NativeErrorConstructor::NativeErrorConstructor):
              * runtime/NativeErrorPrototype.cpp:
              (JSC::NativeErrorPrototype::NativeErrorPrototype):
              * runtime/NumberConstructor.cpp:
              (JSC::NumberConstructor::NumberConstructor):
              (JSC::constructWithNumberConstructor):
              * runtime/NumberObject.cpp:
              (JSC::constructNumber):
              * runtime/NumberPrototype.cpp:
              (JSC::NumberPrototype::NumberPrototype):
              * runtime/ObjectConstructor.cpp:
              (JSC::ObjectConstructor::ObjectConstructor):
              (JSC::objectConstructorGetOwnPropertyDescriptor):
              * runtime/Operations.h:
              (JSC::normalizePrototypeChain):
              (JSC::resolveBase):
              * runtime/PrototypeFunction.cpp:
              (JSC::PrototypeFunction::PrototypeFunction):
              * runtime/PutPropertySlot.h:
              (JSC::PutPropertySlot::setExistingProperty):
              (JSC::PutPropertySlot::setNewProperty):
              (JSC::PutPropertySlot::base):
              * runtime/RegExpConstructor.cpp:
              (JSC::RegExpConstructor::RegExpConstructor):
              * runtime/ScopeChain.cpp:
              (JSC::ScopeChainNode::print):
              * runtime/ScopeChain.h:
              (JSC::ScopeChainNode::~ScopeChainNode):
              (JSC::ScopeChainIterator::operator*):
              (JSC::ScopeChainIterator::operator->):
              (JSC::ScopeChain::top):
              * runtime/ScopeChainMark.h:
              (JSC::ScopeChain::markAggregate):
              * runtime/SmallStrings.cpp:
              (JSC::isMarked):
              (JSC::SmallStrings::markChildren):
              * runtime/SmallStrings.h:
              (JSC::SmallStrings::emptyString):
              (JSC::SmallStrings::singleCharacterString):
              (JSC::SmallStrings::singleCharacterStrings):
              * runtime/StringConstructor.cpp:
              (JSC::StringConstructor::StringConstructor):
              * runtime/StringObject.cpp:
              (JSC::StringObject::StringObject):
              * runtime/StringObject.h:
              * runtime/StringPrototype.cpp:
              (JSC::StringPrototype::StringPrototype):
              * runtime/Structure.cpp:
              (JSC::Structure::Structure):
              (JSC::Structure::addPropertyTransition):
              (JSC::Structure::toDictionaryTransition):
              (JSC::Structure::flattenDictionaryStructure):
              * runtime/Structure.h:
              (JSC::Structure::storedPrototype):
              * runtime/WeakGCMap.h:
              (JSC::WeakGCMap::uncheckedGet):
              (JSC::WeakGCMap::isValid):
              (JSC::::get):
              (JSC::::take):
              (JSC::::set):
              (JSC::::uncheckedRemove):
              * runtime/WriteBarrier.h: Removed.
      2011-01-30  Csaba Osztrogonác  <ossy@webkit.org>
      
              Unreviewed, rolling out r77098, r77099, r77100, r77109, and
              r77111.
              http://trac.webkit.org/changeset/77098
              http://trac.webkit.org/changeset/77099
              http://trac.webkit.org/changeset/77100
              http://trac.webkit.org/changeset/77109
              http://trac.webkit.org/changeset/77111
              https://bugs.webkit.org/show_bug.cgi?id=53219
      
              Qt build is broken
      
              * JSValueWrapper.cpp:
              (JSValueWrapper::JSObjectMark):
      2011-01-30  Csaba Osztrogonác  <ossy@webkit.org>
      
              Unreviewed, rolling out r77098, r77099, r77100, r77109, and
              r77111.
              http://trac.webkit.org/changeset/77098
              http://trac.webkit.org/changeset/77099
              http://trac.webkit.org/changeset/77100
              http://trac.webkit.org/changeset/77109
              http://trac.webkit.org/changeset/77111
              https://bugs.webkit.org/show_bug.cgi?id=53219
      
              Qt build is broken
      
              * ForwardingHeaders/runtime/WriteBarrier.h: Removed.
              * WebCore.exp.in:
              * bindings/js/DOMWrapperWorld.h:
              * bindings/js/JSAudioConstructor.cpp:
              (WebCore::JSAudioConstructor::JSAudioConstructor):
              * bindings/js/JSDOMBinding.cpp:
              (WebCore::markDOMNodesForDocument):
              (WebCore::markDOMObjectWrapper):
              (WebCore::markDOMNodeWrapper):
              * bindings/js/JSDOMGlobalObject.cpp:
              (WebCore::JSDOMGlobalObject::markChildren):
              (WebCore::JSDOMGlobalObject::setInjectedScript):
              (WebCore::JSDOMGlobalObject::injectedScript):
              * bindings/js/JSDOMGlobalObject.h:
              (WebCore::JSDOMGlobalObject::JSDOMGlobalObjectData::JSDOMGlobalObjectData):
              (WebCore::getDOMConstructor):
              * bindings/js/JSDOMWindowCustom.cpp:
              (WebCore::JSDOMWindow::setLocation):
              (WebCore::DialogHandler::dialogCreated):
              * bindings/js/JSDOMWindowShell.cpp:
              (WebCore::JSDOMWindowShell::JSDOMWindowShell):
              (WebCore::JSDOMWindowShell::setWindow):
              (WebCore::JSDOMWindowShell::markChildren):
              (WebCore::JSDOMWindowShell::unwrappedObject):
              * bindings/js/JSDOMWindowShell.h:
              (WebCore::JSDOMWindowShell::window):
              (WebCore::JSDOMWindowShell::setWindow):
              * bindings/js/JSDeviceMotionEventCustom.cpp:
              (WebCore::createAccelerationObject):
              (WebCore::createRotationRateObject):
              * bindings/js/JSEventListener.cpp:
              (WebCore::JSEventListener::JSEventListener):
              (WebCore::JSEventListener::markJSFunction):
              * bindings/js/JSEventListener.h:
              (WebCore::JSEventListener::jsFunction):
              * bindings/js/JSHTMLDocumentCustom.cpp:
              (WebCore::JSHTMLDocument::setAll):
              * bindings/js/JSImageConstructor.cpp:
              (WebCore::JSImageConstructor::JSImageConstructor):
              * bindings/js/JSImageDataCustom.cpp:
              (WebCore::toJS):
              * bindings/js/JSJavaScriptCallFrameCustom.cpp:
              (WebCore::JSJavaScriptCallFrame::scopeChain):
              (WebCore::JSJavaScriptCallFrame::scopeType):
              * bindings/js/JSNodeFilterCondition.cpp:
              (WebCore::JSNodeFilterCondition::markAggregate):
              (WebCore::JSNodeFilterCondition::acceptNode):
              * bindings/js/JSNodeFilterCondition.h:
              * bindings/js/JSNodeFilterCustom.cpp:
              * bindings/js/JSOptionConstructor.cpp:
              (WebCore::JSOptionConstructor::JSOptionConstructor):
              * bindings/js/JSSQLResultSetRowListCustom.cpp:
              (WebCore::JSSQLResultSetRowList::item):
              * bindings/js/ScriptCachedFrameData.cpp:
              (WebCore::ScriptCachedFrameData::restore):
              * bindings/js/ScriptObject.cpp:
              (WebCore::ScriptGlobalObject::set):
              * bindings/js/SerializedScriptValue.cpp:
              (WebCore::CloneDeserializer::putProperty):
              * bindings/scripts/CodeGeneratorJS.pm:
              * bridge/qt/qt_instance.cpp:
              (JSC::Bindings::QtInstance::QtInstance):
              (JSC::Bindings::QtInstance::removeCachedMethod):
              (JSC::Bindings::QtInstance::markAggregate):
              * bridge/qt/qt_instance.h:
              * bridge/qt/qt_runtime.cpp:
              (JSC::Bindings::QtRuntimeMetaMethod::QtRuntimeMetaMethod):
              (JSC::Bindings::QtRuntimeMetaMethod::markChildren):
              (JSC::Bindings::QtRuntimeMetaMethod::connectGetter):
              (JSC::Bindings::QtRuntimeMetaMethod::disconnectGetter):
              * bridge/qt/qt_runtime.h:
              * bridge/runtime_root.cpp:
              (JSC::Bindings::RootObject::invalidate):
              * bridge/runtime_root.h:
              * dom/Document.h:
      2011-01-30  Csaba Osztrogonác  <ossy@webkit.org>
      
              Unreviewed, rolling out r77098, r77099, r77100, r77109, and
              r77111.
              http://trac.webkit.org/changeset/77098
              http://trac.webkit.org/changeset/77099
              http://trac.webkit.org/changeset/77100
              http://trac.webkit.org/changeset/77109
              http://trac.webkit.org/changeset/77111
              https://bugs.webkit.org/show_bug.cgi?id=53219
      
              Qt build is broken
      
              * WebView/WebScriptDebugDelegate.mm:
              (-[WebScriptCallFrame scopeChain]):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77113 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2011-01-30 Sheriff Bot <webkit.review.bot@gmail.com> · 60341277
      simon.fraser@apple.com authored
              Unreviewed, rolling out r77107.
              http://trac.webkit.org/changeset/77107
              https://bugs.webkit.org/show_bug.cgi?id=53412
      
              Caused 5 new form-related test crashes (Requested by smfr on
              #webkit).
      
              * css/CSSSelector.cpp:
              (WebCore::CSSSelector::pseudoId):
              (WebCore::nameToPseudoTypeMap):
              (WebCore::CSSSelector::extractPseudoType):
              * css/CSSSelector.h:
              * html/HTMLProgressElement.cpp:
              (WebCore::HTMLProgressElement::parseMappedAttribute):
              (WebCore::HTMLProgressElement::attach):
              * html/HTMLProgressElement.h:
              * rendering/RenderProgress.cpp:
              (WebCore::RenderProgress::~RenderProgress):
              (WebCore::RenderProgress::updateFromElement):
              (WebCore::RenderProgress::layoutParts):
              (WebCore::RenderProgress::shouldHaveParts):
              * rendering/RenderProgress.h:
              * rendering/style/RenderStyleConstants.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77112 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2011-01-30 Simon Fraser <simon.fraser@apple.com> · 36a7cc24
      simon.fraser@apple.com authored
              Reviewed by Sam Weinig.
      
              Enhance ShadowBlur to render inset box shadows
              https://bugs.webkit.org/show_bug.cgi?id=51567
      
              Use ShadowBlur for inset box-shadows with CG. It
              currently lacks a tiled version, but is still much
              faster than CG shadows.
      
              Test: fast/box-shadow/inset-box-shadow-radius.html
      
              * platform/graphics/ShadowBlur.cpp:
              * platform/graphics/ShadowBlur.h: New method for inset
              shadows.
              (WebCore::ShadowBlur::drawInsetShadow):
      
              * platform/graphics/GraphicsContext.cpp: #ifdef out
              fillRectWithRoundedHole() for CG.
      
              * platform/graphics/cg/GraphicsContextCG.cpp:
              (WebCore::GraphicsContext::fillRectWithRoundedHole): If there's
              a shadow with a radius > 0, use ShadowBlur.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77110 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2011-01-28 Kenneth Russell <kbr@google.com> · bb1c5656
      kbr@google.com authored
              Reviewed by Chris Marrin.
      
              WebGL shows PNG Textures with indexed colors too dark
              https://bugs.webkit.org/show_bug.cgi?id=47477
      
              Added test case for upload of indexed PNG images to
              gl-teximage.html in the Khronos WebGL conformance tests.
              Synchronized this test with the Khronos repository.
      
              * fast/canvas/webgl/gl-teximage-expected.txt:
              * fast/canvas/webgl/gl-teximage.html:
              * fast/canvas/webgl/resources/red-indexed.png: Added.
      2011-01-28  Kenneth Russell  <kbr@google.com>
      
              Reviewed by Chris Marrin.
      
              WebGL shows PNG Textures with indexed colors too dark
              https://bugs.webkit.org/show_bug.cgi?id=47477
      
              Properly handle indexed PNG images by re-rendering them as RGBA
              images before upload. Verified with this layout test and the test
              cases from bugs 47477 and 53269.
      
              * platform/graphics/cg/GraphicsContext3DCG.cpp:
              (WebCore::GraphicsContext3D::getImageData):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77108 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2011-01-27 MORITA Hajime <morrita@google.com> · 45c6a5f4
      morrita@google.com authored
              Reviewed by Dimitri Glazkov.
      
              Convert <progress> shadow DOM to a DOM-based shadow.
              https://bugs.webkit.org/show_bug.cgi?id=50660
      
              * Removed RenderProgress::m_valuePart, moved the shadow node
                to the shadow root of HTMLProgressElement.
              * Removed hard-coded pseudo ID for -webkit-progress-bar-value.
                ProgressBarValueElement is defined only for overriding
                shadowPseudoId().
      
              No new tests. No behavioral change.
      
              * css/CSSSelector.cpp:
              (WebCore::CSSSelector::pseudoId):
              (WebCore::nameToPseudoTypeMap):
              (WebCore::CSSSelector::extractPseudoType):
              * css/CSSSelector.h:
              * html/HTMLProgressElement.cpp:
              (WebCore::ProgressBarValueElement::ProgressBarValueElement):
              (WebCore::ProgressBarValueElement::shadowPseudoId):
              (WebCore::ProgressBarValueElement::create):
              (WebCore::HTMLProgressElement::parseMappedAttribute):
              (WebCore::HTMLProgressElement::attach):
              (WebCore::HTMLProgressElement::valuePart):
              (WebCore::HTMLProgressElement::didElementStateChange):
              (WebCore::HTMLProgressElement::createShadowSubtreeIfNeeded):
              * html/HTMLProgressElement.h:
              * rendering/RenderProgress.cpp:
              (WebCore::RenderProgress::~RenderProgress):
              (WebCore::RenderProgress::updateFromElement):
              (WebCore::RenderProgress::layoutParts):
              (WebCore::RenderProgress::shouldHaveParts):
              (WebCore::RenderProgress::valuePart):
              * rendering/RenderProgress.h:
              * rendering/style/RenderStyleConstants.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77107 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2011-01-30 Simon Fraser <simon.fraser@apple.com> · 33875137
      simon.fraser@apple.com authored
              Reviewed by Ariya Hidayat.
      
              Enhance ShadowBlur to render inset box shadows; Part 1.
              https://bugs.webkit.org/show_bug.cgi?id=51567
      
              Add a new method to GraphicsContext to render a rect with a rounded hole,
              for use by inset box-shadow code. Knowledge that we're rendering a rounded
              hole will enable ShadowBlur to be used here in future.
      
              * platform/graphics/GraphicsContext.cpp:
              (WebCore::GraphicsContext::fillRectWithRoundedHole):
              * platform/graphics/GraphicsContext.h:
              * rendering/RenderBoxModelObject.cpp:
              (WebCore::RenderBoxModelObject::paintBoxShadow):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77106 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2011-01-23 MORITA Hajime <morrita@google.com> · 2d33a85b
      morrita@google.com authored
              Reviewed by Eric Seidel.
      
              REGRESSION: Inset shadow with too large border radius misses rounded corner.
              https://bugs.webkit.org/show_bug.cgi?id=52800
      
              * fast/box-shadow/inset-with-extraordinary-radii-and-border.html: Added.
              * platform/mac/fast/box-shadow/inset-with-extraordinary-radii-and-border-expected.checksum: Added.
              * platform/mac/fast/box-shadow/inset-with-extraordinary-radii-and-border-expected.png: Added.
              * platform/mac/fast/box-shadow/inset-with-extraordinary-radii-and-border-expected.txt: Added.
      2011-01-23  MORITA Hajime  <morrita@google.com>
      
              Reviewed by Eric Seidel.
      
              REGRESSION: Inset shadow with too large border radius misses rounded corner.
              https://bugs.webkit.org/show_bug.cgi?id=52800
      
              The refactoring on r76083 broke the invariant between border
              IntRect and its radii because RoundedIntRect::setRect() is called
              after getRoundedInnerBorderWithBorderWidths(), which enforces the
              invariant. The rounded-rect clipping code verifies the invariant
              and discards the invalid radii, which results in broken paintings.
      
              This change moves setRect() before
              getRoundedInnerBorderWithBorderWidths() so as not to modify the valid
              RoundedIntRect value.
      
              Test: fast/box-shadow/inset-with-extraordinary-radii-and-border.html
      
              * rendering/RenderBoxModelObject.cpp:
              (WebCore::RenderBoxModelObject::paintBoxShadow):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77105 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      2d33a85b
    • simon.fraser@apple.com's avatar
      2011-01-30 Simon Fraser <simon.fraser@apple.com> · e33f672b
      simon.fraser@apple.com authored
              Attempt to fix Windows build by adding ShadowBlur.cpp/h to the
              vcproj.
      
              * WebCore.vcproj/WebCore.vcproj:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77103 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e33f672b
    • simon.fraser@apple.com's avatar
      2011-01-30 Simon Fraser <simon.fraser@apple.com> · 9d92cc2a
      simon.fraser@apple.com authored
              Reviewed by Dan Bernstein.
      
              -webkit-box-shadow causes awful scroll/resize/redraw performance
              https://bugs.webkit.org/show_bug.cgi?id=22102
      
              Use ShadowBlur for CG, when rendering shadows on rects and
              rounded rects outside of canvas.
      
              CG shadows with a radius of more than 8px do not render
              correctly. We preserve this incorrect rendering by compensating
              for it when rendering -webkit-box-shadow. Calls that should use
              this deprecated radius behavior now use setLegacyShadow().
      
              Test: fast/box-shadow/box-shadow-transformed.html
      
              * html/canvas/CanvasRenderingContext2D.cpp: Use setLegacyShadow()
              for canvas, to indicate that it should use the deprecated radius
              behavior.
              (WebCore::CanvasRenderingContext2D::setAllAttributesToDefault): Ditto.
              (WebCore::CanvasRenderingContext2D::setShadow): Ditto.
              (WebCore::CanvasRenderingContext2D::applyShadow): Ditto.
      
              * platform/graphics/GraphicsContext.cpp:
              (WebCore::GraphicsContext::setLegacyShadow): Set the m_state.shadowsUseLegacyRadius bit.
      
              * platform/graphics/GraphicsContext.h:
              (WebCore::GraphicsContextState::GraphicsContextState): Add a
              shadowsUseLegacyRadius bit to the state.
      
              * platform/graphics/cg/GraphicsContextCG.cpp:
              (WebCore::radiusToLegacyRadius): Map from the actual radius to one
              that approximates CG behavior.
              (WebCore::hasBlurredShadow): Helper that returns true if we have a shadow
              with a non-zero blur radius.
              (WebCore::GraphicsContext::fillRect): Use ShadowBlur if not canvas.
              (WebCore::GraphicsContext::fillRoundedRect): Ditto.
              (WebCore::GraphicsContext::setPlatformShadow): Comment.
      
              * rendering/RenderBoxModelObject.cpp:
              (WebCore::RenderBoxModelObject::paintBoxShadow): Call setLegacyShadow()
              for -webkit-box-shadow.
      
              * platform/graphics/ShadowBlur.cpp:
              (WebCore::ShadowBlur::calculateLayerBoundingRect): Fix some pixel crack issues
              by rounding up the blur radius.
              (WebCore::ShadowBlur::drawRectShadow): Ditto
              (WebCore::ShadowBlur::drawRectShadowWithTiling): Ditto.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77101 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9d92cc2a
    • oliver@apple.com's avatar
      Try to fix Qt build (again). · d395a38d
      oliver@apple.com authored
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77100 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d395a38d
    • oliver@apple.com's avatar
      Try to fix Qt build. · 1a14b16f
      oliver@apple.com authored
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77099 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1a14b16f
    • oliver@apple.com's avatar
      Convert markstack to a slot visitor API · ba805bee
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=53219
      
      rolling r77006 and r77020 back in.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77098 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ba805bee
    • simon.fraser@apple.com's avatar
      2011-01-30 Simon Fraser <simon.fraser@apple.com> · 6651a517
      simon.fraser@apple.com authored
              Reviewed by Sam Weinig.
      
              Make ContextShadow code cross-platform
              https://bugs.webkit.org/show_bug.cgi?id=51312
      
              Add a new class, ShadowBlur, that contains most of the
              code from ContextShadow, but is fully cross-platform.
              It depends on one new method, GraphicsContext::clipBounds(),
              which platforms will have to implement.
      
              Add ShadowBlur to the Mac Xcode project, but don't use it
              anywhere yet.
      
              * WebCore.xcodeproj/project.pbxproj:
              * platform/graphics/GraphicsContext.cpp:
              (WebCore::GraphicsContext::clipBounds):
              * platform/graphics/GraphicsContext.h:
              * platform/graphics/ShadowBlur.cpp: Added.
              (WebCore::roundUpToMultipleOf32):
              (WebCore::ScratchBuffer::ScratchBuffer):
              (WebCore::ScratchBuffer::getScratchBuffer):
              (WebCore::ScratchBuffer::scheduleScratchBufferPurge):
              (WebCore::ScratchBuffer::timerFired):
              (WebCore::ScratchBuffer::clearScratchBuffer):
              (WebCore::ScratchBuffer::shared):
              (WebCore::ShadowBlur::ShadowBlur):
              (WebCore::ShadowBlur::blurLayerImage):
              (WebCore::ShadowBlur::adjustBlurDistance):
              (WebCore::ShadowBlur::calculateLayerBoundingRect):
              (WebCore::ShadowBlur::beginShadowLayer):
              (WebCore::ShadowBlur::endShadowLayer):
              (WebCore::ShadowBlur::drawRectShadow):
              (WebCore::ShadowBlur::drawRectShadowWithoutTiling):
              (WebCore::ShadowBlur::drawRectShadowWithTiling):
              (WebCore::ShadowBlur::clipBounds):
              * platform/graphics/ShadowBlur.h: Added.
              (WebCore::ShadowBlur::setShadowsIgnoreTransforms):
              (WebCore::ShadowBlur::shadowsIgnoreTransforms):
              * platform/graphics/cg/GraphicsContextCG.cpp:
              (WebCore::GraphicsContext::clipBounds):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77097 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      6651a517
    • simon.fraser@apple.com's avatar
      2011-01-29 Simon Fraser <simon.fraser@apple.com> · 4f8c2fc9
      simon.fraser@apple.com authored
              Reviewed by Dan Bernstein.
      
              CSS3 gradients with em-based stops fail to repaint when font size changes
              https://bugs.webkit.org/show_bug.cgi?id=51845
      
              Mark as uncacheable gradients whose color stops depend on font size,
              and don't attempt to put these into CSSImageGeneratorValue's image cache.
              This means we return a new gradient each time, which is fairly cheap, and
              fixes repaint issues under changing font size.
      
              Test: fast/repaint/gradients-em-stops-repaint.html
      
              * css/CSSGradientValue.cpp:
              (WebCore::CSSGradientValue::image):
              (WebCore::CSSGradientValue::isCacheable):
              * css/CSSGradientValue.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4f8c2fc9
  3. 29 Jan, 2011 18 commits
    • ggaren@apple.com's avatar
      Undo try to fix the Qt build. · c67fd789
      ggaren@apple.com authored
              
      My guess didn't work.
      
      * WebCore.pro:
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77079 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c67fd789
    • ggaren@apple.com's avatar
      Try to fix the Qt build. · cb8529b3
      ggaren@apple.com authored
      * WebCore.pro: Added platform/text/CharacterNames.h.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77078 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      cb8529b3
    • ggaren@apple.com's avatar
      2011-01-28 Geoffrey Garen <ggaren@apple.com> · 07050262
      ggaren@apple.com authored
              Reviewed by Maciej Stachowiak.
      
              Some more Heap cleanup.
              https://bugs.webkit.org/show_bug.cgi?id=53357
              
              * JavaScriptCore.exp:
              * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Updated exported symbols.
      
              * runtime/Heap.cpp:
              (JSC::Heap::reportExtraMemoryCostSlowCase): Renamed recordExtraCost to 
              reportExtraMemoryCostSlowCase to match our naming conventions.
      
              (JSC::Heap::capacity): Renamed size to capacity because this function
              returns the capacity of the heap, including unused portions.
      
              * runtime/Heap.h:
              (JSC::Heap::globalData):
              (JSC::Heap::markedSpace):
              (JSC::Heap::machineStackMarker):
              (JSC::Heap::reportExtraMemoryCost): Moved statics to the top of the file.
              Moved ctor and dtor to the beginning of the class definition. Grouped
              functions by purpose.
      
              * runtime/MarkedSpace.cpp:
              (JSC::MarkedSpace::capacity): Renamed size to capacity because this
              function returns the capacity of the heap, including unused portions.
      
              * runtime/MarkedSpace.h: Removed statistics and the Statistics class because
              the same information can be gotten just by calling size() and capacity().
      
              * runtime/MemoryStatistics.cpp:
              * runtime/MemoryStatistics.h: Ditto.
      2011-01-28  Geoffrey Garen  <ggaren@apple.com>
      
              Reviewed by Maciej Stachowiak.
      
              Some more Heap cleanup.
              https://bugs.webkit.org/show_bug.cgi?id=53357
      
              Updated for JavaScriptCore changes.
      
              * Misc/WebCoreStatistics.mm:
              (+[WebCoreStatistics memoryStatistics]):
      2011-01-28  Geoffrey Garen  <ggaren@apple.com>
      
              Reviewed by Maciej Stachowiak.
      
              Some more Heap cleanup.
              https://bugs.webkit.org/show_bug.cgi?id=53357
              
              Updated for JavaScriptCore changes.
      
              * bindings/js/ScriptGCEvent.cpp:
              (WebCore::ScriptGCEvent::getHeapSize):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77077 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      07050262
    • abarth@webkit.org's avatar
      2011-01-29 Adam Barth <abarth@webkit.org> · efee1173
      abarth@webkit.org authored
              Reviewed by Daniel Bates.
      
              Fix XSSFilter crash when extracting the source for a token twice
              https://bugs.webkit.org/show_bug.cgi?id=53368
      
              Previously, it was unsafe to extract the source for the same token
              twice because the HTMLSourceTracker would advance its internal
              representation of the SegmentedString.  This patch introduces a cache
              to make calling HTMLSourceTracker::sourceForToken multiple times safe.
      
              * html/parser/HTMLSourceTracker.cpp:
              (WebCore::HTMLSourceTracker::end):
              (WebCore::HTMLSourceTracker::sourceForToken):
              * html/parser/HTMLSourceTracker.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77076 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      efee1173
    • mjs@apple.com's avatar
      2011-01-29 Maciej Stachowiak <mjs@apple.com> · 4ed02680
      mjs@apple.com authored
              Reviewed by Dan Bernstein.
      
              Fix fat build for both 32-bit and 64-bit under llvm-gcc 4.2
              https://bugs.webkit.org/show_bug.cgi?id=53386
      
              * platform/mac/ScrollAnimatorMac.mm:
              (WebCore::elasticDeltaForReboundDelta):
              (WebCore::scrollWheelMultiplier):
              (WebCore::ScrollAnimatorMac::smoothScrollWithEvent):
              (WebCore::ScrollAnimatorMac::beginScrollGesture):
              (WebCore::roundTowardZero):
              (WebCore::ScrollAnimatorMac::snapRubberBandTimerFired):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77075 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4ed02680
    • dbates@webkit.org's avatar
      2011-01-29 Daniel Bates <dbates@rim.com> · c5f7d59c
      dbates@webkit.org authored
              Reviewed by Maciej Stachowiak.
      
              Remove reference to ${CMAKE_SOURCE_DIR}/Source in CMake files
              https://bugs.webkit.org/show_bug.cgi?id=53382
      
              Our file system hierarchy ensures that CMAKE_SOURCE_DIR is defined to be /Source.
              So, ${CMAKE_SOURCE_DIR}/Source evaluates to the non-existent directory /Source/Source.
              Therefore, we should remove such references.
      
              * Source/cmake/OptionsCommon.cmake:
      2011-01-29  Daniel Bates  <dbates@rim.com>
      
              Reviewed by Maciej Stachowiak.
      
              Remove reference to ${CMAKE_SOURCE_DIR}/Source in CMake files
              https://bugs.webkit.org/show_bug.cgi?id=53382
      
              Our file system hierarchy ensures that CMAKE_SOURCE_DIR is defined to be /Source.
              So, ${CMAKE_SOURCE_DIR}/Source evaluates to the non-existent directory /Source/Source.
              Therefore, we should remove such references.
      
              * CMakeLists.txt:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77073 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      c5f7d59c
    • weinig@apple.com's avatar
      Fix 32-bit build on the Mac. · 9e84c4e3
      weinig@apple.com authored
      Reviewed by Jon Honeycutt.
      
      * platform/mac/ScrollAnimatorMac.mm:
      (WebCore::roundTowardZero):
      (WebCore::roundToDevicePixelTowardZero):
      Use floats instead of doubles to avoid double-to-float conversion
      issues.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77071 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      9e84c4e3
    • simon.fraser@apple.com's avatar
      2011-01-28 Simon Fraser <simon.fraser@apple.com> · 79042471
      simon.fraser@apple.com authored
              Reviewed by Adam Barth.
      
              Use clampToInteger() functions in a few places
              https://bugs.webkit.org/show_bug.cgi?id=53363
      
              * css/CSSStyleSelector.cpp:
              (WebCore::CSSStyleSelector::applyProperty): Use clampToInteger() for z-index.
              (WebCore::CSSStyleSelector::createTransformOperations): Use clampToPositiveInteger().
              * platform/graphics/transforms/PerspectiveTransformOperation.cpp: Ditto.
              (WebCore::PerspectiveTransformOperation::blend): Ditto.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77064 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      79042471
    • paroga@webkit.org's avatar
      2011-01-29 Patrick Gansterer <paroga@webkit.org> · 10c9e1b0
      paroga@webkit.org authored
              Reviewed by David Kilzer.
      
              Move CharacterNames.h into WTF directory
              https://bugs.webkit.org/show_bug.cgi?id=49618
      
              * GNUmakefile.am:
              * JavaScriptCore.gypi:
              * JavaScriptCore.vcproj/WTF/WTF.vcproj:
              * JavaScriptCore.xcodeproj/project.pbxproj:
              * wtf/CMakeLists.txt:
              * wtf/unicode/CharacterNames.h: Renamed from WebCore/platform/text/CharacterNames.h.
              * wtf/unicode/UTF8.cpp:
      2011-01-29  Patrick Gansterer  <paroga@webkit.org>
      
              Reviewed by David Kilzer.
      
              Move CharacterNames.h into WTF directory
              https://bugs.webkit.org/show_bug.cgi?id=49618
      
              * ForwardingHeaders/wtf/unicode/CharacterNames.h: Added.
              * GNUmakefile.am:
              * WebCore.gypi:
              * WebCore.vcproj/WebCore.vcproj:
              * WebCore.xcodeproj/project.pbxproj:
              * accessibility/AccessibilityObject.cpp:
              * accessibility/AccessibilityRenderObject.cpp:
              * bindings/cpp/WebDOMHTMLDocumentCustom.cpp:
              * bindings/js/JSHTMLDocumentCustom.cpp:
              * dom/Position.cpp:
              * dom/SelectElement.cpp:
              * editing/CompositeEditCommand.cpp:
              * editing/Editor.cpp:
              * editing/HTMLInterchange.cpp:
              * editing/InsertTextCommand.cpp:
              * editing/MarkupAccumulator.cpp:
              * editing/TextIterator.cpp:
              * editing/VisibleSelection.cpp:
              * editing/htmlediting.cpp:
              * editing/htmlediting.h:
              * editing/markup.cpp:
              * html/FTPDirectoryDocument.cpp:
              * html/HTMLFormControlElement.cpp:
              * html/parser/HTMLTreeBuilder.cpp:
              * loader/appcache/ManifestParser.cpp:
              * platform/chromium/PopupMenuChromium.cpp:
              * platform/graphics/Font.h:
              * platform/graphics/FontFastPath.cpp:
              * platform/graphics/GlyphPageTreeNode.cpp:
              * platform/graphics/StringTruncator.cpp:
              * platform/graphics/mac/ComplexTextController.cpp:
              * platform/graphics/mac/ComplexTextControllerATSUI.cpp:
              * platform/graphics/wince/GraphicsContextWinCE.cpp:
              * platform/mac/PasteboardMac.mm:
              * platform/text/TextCodecICU.cpp:
              * platform/text/mac/TextCodecMac.cpp:
              * platform/text/transcoder/FontTranscoder.cpp:
              * rendering/RenderBlockLineLayout.cpp:
              * rendering/RenderFlexibleBox.cpp:
              * rendering/RenderListMarker.cpp:
              * rendering/RenderText.cpp:
              * rendering/RenderTextControl.cpp:
              * rendering/RenderTreeAsText.cpp:
              * rendering/break_lines.cpp:
              * rendering/mathml/RenderMathMLOperator.h:
              * websockets/WebSocketHandshake.cpp:
              * wml/WMLTableElement.cpp:
      2011-01-29  Patrick Gansterer  <paroga@webkit.org>
      
              Reviewed by David Kilzer.
      
              Move CharacterNames.h into WTF directory
              https://bugs.webkit.org/show_bug.cgi?id=49618
      
              * src/ChromeClientImpl.cpp:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77062 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      10c9e1b0
    • commit-queue@webkit.org's avatar
      2011-01-29 Dan Winship <danw@gnome.org> · ff9e75c1
      commit-queue@webkit.org authored
              Reviewed by Xan Lopez.
      
              [GTK] Require the latest glib and libsoup, and remove conditional
              support for older versions
              https://bugs.webkit.org/show_bug.cgi?id=50675
      
              * autotools/webkit.m4: use AM_PATH_GLIB_2_0 rather than doing
              basically the same work by hand
              * configure.ac:
      2011-01-29  Dan Winship  <danw@gnome.org>
      
              Reviewed by Xan Lopez.
      
              [GTK] Remove HAVE_LIBSOUP_2_29_90 conditionals; we depend on
              libsoup 2.33.1 now.
              https://bugs.webkit.org/show_bug.cgi?id=50675
      
              * platform/network/soup/CookieJarSoup.cpp:
              (WebCore::defaultCookieJar):
              (WebCore::setCookies):
              * platform/network/soup/ResourceHandleSoup.cpp:
              (WebCore::ResourceHandle::prepareForURL):
              (WebCore::restartedCallback):
              (WebCore::startHttp):
              * platform/network/soup/ResourceRequestSoup.cpp:
              (WebCore::ResourceRequest::updateSoupMessage):
              (WebCore::ResourceRequest::toSoupMessage):
              (WebCore::ResourceRequest::updateFromSoupMessage):
      2011-01-29  Dan Winship  <danw@gnome.org>
      
              Reviewed by Xan Lopez.
      
              [GTK] Remove HAVE_LIBSOUP_2_29_90 conditionals; we depend on
              libsoup 2.33.1 now.
              https://bugs.webkit.org/show_bug.cgi?id=50675
      
              * ewk/ewk_cookies.cpp:
              (ewk_cookies_file_set):
              (ewk_cookies_policy_set):
              (ewk_cookies_policy_get):
      2011-01-29  Dan Winship  <danw@gnome.org>
      
              Reviewed by Xan Lopez.
      
              [GTK] Remove HAVE_LIBSOUP_2_29_90 and HAVE_GSETTINGS conditionals;
              we depend on glib 2.27.4 and libsoup 2.33.1 now.
              https://bugs.webkit.org/show_bug.cgi?id=50675
      
              * GNUmakefile.am:
              * WebCoreSupport/InspectorClientGtk.cpp:
              (WebKit::InspectorClient::storeSetting):
              * webkit/webkitprivate.cpp:
              (inspectorGSettings):
              * webkit/webkitprivate.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77061 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      ff9e75c1
    • abarth@webkit.org's avatar
      2011-01-29 Adam Barth <abarth@webkit.org> · 115b6bb5
      abarth@webkit.org authored
              Reviewed by Daniel Bates.
      
              XSSFilter should replace URLs with about:blank instead of the empty string
              https://bugs.webkit.org/show_bug.cgi?id=53370
      
              Using the empty string will make the URL complete to the current
              document's URL, which isn't really what we want.  Instead, we want to
              use about:blank, which is safe.
      
              * html/parser/XSSFilter.cpp:
              (WebCore::XSSFilter::filterObjectToken):
              (WebCore::XSSFilter::filterEmbedToken):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77060 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      115b6bb5
    • abarth@webkit.org's avatar
      2011-01-29 Adam Barth <abarth@webkit.org> · 18c14eef
      abarth@webkit.org authored
              Reviewed by Daniel Bates.
      
              XSSFilter should pass xssAuditor/script-tag-addslashes*
              https://bugs.webkit.org/show_bug.cgi?id=53365
      
              We need to canonicalize strings to avoid being tricked by addslashes.
      
              * html/parser/XSSFilter.cpp:
              (WebCore::HTMLNames::isNonCanonicalCharacter):
                  - This function is copied from the XSSAuditor (with some tweaks).
                    We'll eventually remove the XSSAuditor once we've got XSSFilter
                    working properly.
              (WebCore::HTMLNames::canonicalize):
              (WebCore::HTMLNames::decodeURL):
              (WebCore::XSSFilter::isContainedInRequest):
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77059 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      18c14eef
    • abarth@webkit.org's avatar
      2011-01-29 Adam Barth <abarth@webkit.org> · d8984fa2
      abarth@webkit.org authored
              Reviewed by Daniel Bates.
      
              XSSFilter should pass xssAuditor/script-tag-with-source-same-host.html
              and xssAuditor/script-tag-post-*
              https://bugs.webkit.org/show_bug.cgi?id=53364
      
              We're supposed to allow loading same-origin resources even if they
              appear as part of the request.
      
              Also, we're supposed to look at the POST data too.  :)
      
              * html/parser/XSSFilter.cpp:
              (WebCore::XSSFilter::eraseAttributeIfInjected):
              (WebCore::XSSFilter::isSameOriginResource):
                  - Copy/paste from XSSAuditor::isSameOriginResource.  We'll
                    eventually remove the XSSAuditor version when XSSFilter is done.
              * html/parser/XSSFilter.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77058 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d8984fa2
    • abarth@webkit.org's avatar
      2011-01-29 Adam Barth <abarth@webkit.org> · 62d3c6c1
      abarth@webkit.org authored
              Reviewed by Daniel Bates.
      
              XSSFilter should pass 16 of the xssAuditor/script-tag* tests
              https://bugs.webkit.org/show_bug.cgi?id=53362
      
              Turns out we need to replace the src attribute of script tags with
              about:blank to avoid loading the main document URL as a script.  Also,
              move misplaced return statement that was triggering the console message
              too often.
      
              * html/parser/HTMLToken.h:
              (WebCore::HTMLToken::appendToAttributeValue):
              * html/parser/XSSFilter.cpp:
              (WebCore::XSSFilter::filterScriptToken):
              (WebCore::XSSFilter::eraseAttributeIfInjected):
              * html/parser/XSSFilter.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77057 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      62d3c6c1
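The four XSSFilter commits above (about:blank instead of the empty string, canonicalization against addslashes, the same-origin exemption with POST data included, and the script src replacement) describe one decision procedure for a reflected `<script src>`. The following is an added example that models that procedure; it is not WebKit's XSSFilter or XSSAuditor code. The `xssdemo` namespace, the `Request` struct, `originOf` and `filterScriptSrc` are names chosen for this illustration, the set of "non-canonical" characters is an assumption in the spirit of the XSSAuditor copy the commit mentions, and the origin parser handles only absolute http(s) URLs.

```cpp
// Added example (not WebKit code): a minimal model of the XSSFilter checks
// described in the commit messages above.
#include <cctype>
#include <string>

namespace xssdemo {

// Assumption: backslash, NUL, quotes, control characters and non-ASCII are the
// characters an addslashes()-style server filter can insert without changing
// what the browser executes, so they are stripped before comparison.
inline bool isNonCanonicalCharacter(char c)
{
    unsigned char u = static_cast<unsigned char>(c);
    return c == '\\' || c == '\'' || c == '"' || u < 0x20 || u >= 0x7f;
}

inline int hexValue(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Percent-decodes a string; malformed escapes are kept literally.
inline std::string decodeURL(const std::string& in)
{
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            int hi = hexValue(in[i + 1]), lo = hexValue(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out.push_back(static_cast<char>(hi * 16 + lo));
                i += 2;
                continue;
            }
        }
        out.push_back(in[i]);
    }
    return out;
}

// Canonical form: decode, then drop the non-canonical characters, so that
// alert('x') and its addslashes() form alert(\'x\') compare equal.
inline std::string canonicalize(const std::string& in)
{
    std::string out;
    for (char c : decodeURL(in))
        if (!isNonCanonicalCharacter(c))
            out.push_back(c);
    return out;
}

struct Request {
    std::string url;      // full request URL, including the query string
    std::string postBody; // form data; empty for GET
};

// True if the canonicalized snippet appears in the URL or in the POST body,
// i.e. the markup looks reflected from the request.
inline bool isContainedInRequest(const Request& request, const std::string& snippet)
{
    std::string needle = canonicalize(snippet);
    if (needle.empty())
        return false;
    return canonicalize(request.url).find(needle) != std::string::npos
        || canonicalize(request.postBody).find(needle) != std::string::npos;
}

// Simplified origin: "scheme://host:port" for absolute http(s) URLs, with the
// default port filled in; anything else has no origin (empty string).
inline std::string originOf(const std::string& url)
{
    size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return std::string();
    std::string scheme = url.substr(0, schemeEnd);
    if (scheme != "http" && scheme != "https")
        return std::string();
    size_t hostStart = schemeEnd + 3;
    size_t hostEnd = url.find_first_of("/?#", hostStart);
    std::string hostPort = url.substr(hostStart,
        hostEnd == std::string::npos ? std::string::npos : hostEnd - hostStart);
    if (hostPort.find(':') == std::string::npos)
        hostPort += (scheme == "https") ? ":443" : ":80";
    for (char& c : hostPort)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return scheme + "://" + hostPort;
}

inline bool isSameOriginResource(const std::string& documentURL, const std::string& resourceURL)
{
    std::string docOrigin = originOf(documentURL);
    return !docOrigin.empty() && docOrigin == originOf(resourceURL);
}

// Decision for a <script src=...> value: same-origin scripts are allowed even
// when reflected; a reflected cross-origin one is pointed at about:blank. An
// empty string is not used because it would resolve against the document URL
// and load the page itself as a script.
inline std::string filterScriptSrc(const std::string& documentURL, const Request& request, const std::string& src)
{
    if (isSameOriginResource(documentURL, src))
        return src;
    if (isContainedInRequest(request, src))
        return "about:blank";
    return src;
}

} // namespace xssdemo
```

The check is deliberately run on canonical forms of both sides: comparing the raw attribute value against the raw query string would miss a payload the server percent-decoded or escaped with addslashes() before echoing it back.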
    • jhoneycutt@apple.com's avatar
      Downloads in WK2 on Windows should write resume data to bundle · e22c1afe
      jhoneycutt@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=53282
      <rdar://problem/8753077>
      
      Reviewed by Alice Liu.
      
      Source/WebCore:
      
      * WebCore.vcproj/WebCore.vcproj:
      Added new files to project.
      
      * platform/network/cf/DownloadBundle.h: Added.
      * platform/network/win/DownloadBundleWin.cpp: Added.
      (WebCore::DownloadBundle::magicNumber):
      Moved from WebKit's WebDownload so that WebKit and WebKit2 can share
      it.
      (WebCore::DownloadBundle::fileExtension):
      Ditto.
      (WebCore::DownloadBundle::appendResumeData):
      Ditto - but modified to return bool rather than HRESULT and to clean up
      whitespace.
      (WebCore::DownloadBundle::extractResumeData):
      Ditto - modified to clean up whitespace.
      
      Source/WebKit/win:
      
      * WebDownload.cpp:
      (WebDownload::bundlePathForTargetPath):
      Use the new WebCore::DownloadBundle function.
      (WebDownload::request):
      
      * WebDownload.h:
      Removed declarations for functions that were moved to a new location.
      
      * WebDownloadCFNet.cpp:
      (WebDownload::initToResumeWithBundle):
      Use the new WebCore::DownloadBundle function.
      (WebDownload::cancelForResume):
      Fix a leak of the resume data CFDataRef by using adoptCF(). Use the new
      WebCore::DownloadBundle function.
      
      Source/WebKit2:
      
      * WebProcess/Downloads/Download.cpp:
      (WebKit::Download::decideDestinationWithSuggestedFilename):
      Call didDecideDestination(), now that the destination is decided.
      
      * WebProcess/Downloads/Download.h:
      Declare didDecideDestination(). Added member variables to hold the
      destination file path and the download bundle path.
      (WebKit::Download::destination):
      Return the path to the final destination for this download.
      
      * WebProcess/Downloads/cf/DownloadCFNet.cpp:
      (WebKit::Download::start):
      Remove the name of an unused param.
      (WebKit::Download::startWithHandle):
      Ditto.
      (WebKit::Download::cancel):
      Tell CFNetwork not to delete the file upon failure, and tell it to
      cancel the download. Copy the resume data for the download, and append
      it to the download bundle. Call didCancel() with an empty
      DataReference, since we have written our own resume data.
      (WebKit::decideDestinationWithSuggestedObjectNameCallback):
      Remove some unused param names. Removed the call to
      CFURLDownloadSetDestination() - this is now handled in
      Download::didDecideDestination().
      (WebKit::didCreateDestinationCallback):
      Report that the final destination was created, rather than the download
      bundle, matching old WebKit.
      (WebKit::Download::didDecideDestination):
      Store the final destination and the download bundle paths, and call
      CFURLDownloadSetDestination(), passing the path to the download bundle.
      
      * WebProcess/Downloads/curl/DownloadCurl.cpp:
      (WebKit::Download::didDecideDestination):
      Stubbed.
      
      * WebProcess/Downloads/mac/DownloadMac.mm:
      (WebKit::Download::didDecideDestination):
      Stubbed - unneeded on the Mac.
      
      * WebProcess/Downloads/qt/DownloadQt.cpp:
      (WebKit::Download::didDecideDestination):
      Stubbed.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77055 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      e22c1afe
    • rniwa@webkit.org's avatar
      2011-01-29 Sheriff Bot <webkit.review.bot@gmail.com> · dc5de698
      rniwa@webkit.org authored
              Unreviewed, rolling out r77050.
              http://trac.webkit.org/changeset/77050
              https://bugs.webkit.org/show_bug.cgi?id=53371
      
              Caused a crash in Chromium's test_shell_tests (Requested by
              rniwa on #webkit).
      
              * resources/performance-test.js: Removed.
              * tiny-innerHTML.html: Removed.
      2011-01-29  Sheriff Bot  <webkit.review.bot@gmail.com>
      
              Unreviewed, rolling out r77050.
              http://trac.webkit.org/changeset/77050
              https://bugs.webkit.org/show_bug.cgi?id=53371
      
              Caused a crash in Chromium's test_shell_tests (Requested by
              rniwa on #webkit).
      
              * html/parser/HTMLTreeBuilder.cpp:
              (WebCore::HTMLTreeBuilder::FragmentParsingContext::FragmentParsingContext):
              (WebCore::HTMLTreeBuilder::FragmentParsingContext::document):
              (WebCore::HTMLTreeBuilder::FragmentParsingContext::finished):
              * html/parser/HTMLTreeBuilder.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77053 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      dc5de698
    • eric@webkit.org's avatar
      2011-01-28 Eric Seidel <eric@webkit.org> · 61acd1c1
      eric@webkit.org authored
              Reviewed by Darin Adler.
      
              HTML5 TreeBuilder regressed a Peacekeeper DOM test by 40%
              https://bugs.webkit.org/show_bug.cgi?id=48719
      
              It's unclear exactly what the Peacekeeper benchmark is testing,
              because I haven't found a way to run it myself.
      
              However, I constructed a benchmark which shows at least one possible slow point.
              The HTML5 spec talks about creating a new document for every time we use
              the fragment parsing algorithm.  Document(), it turns out, is a huge bloated
              mess, and the constructor and destructor do a huge amount of work.
              To avoid constructing (or destructing) documents for each innerHTML call,
              this patch adds a shared dummy document used by all innerHTML calls.
      
              * benchmarks/parser/tiny-innerHTML.html: Added.
      2011-01-28  Eric Seidel  <eric@webkit.org>
      
              Reviewed by Darin Adler.
      
              HTML5 TreeBuilder regressed a Peacekeeper DOM test by 40%
              https://bugs.webkit.org/show_bug.cgi?id=48719
      
              It's unclear exactly what the Peacekeeper benchmark is testing,
              because I haven't found a way to run it myself.
      
              However, I constructed a benchmark which shows at least one possible slow point.
              The HTML5 spec talks about creating a new document for every time we use
        the fragment parsing algorithm.  Document(), it turns out, is a huge bloated
        mess, and the constructor and destructor do a huge amount of work.
              To avoid constructing (or destructing) documents for each innerHTML call,
              this patch adds a shared dummy document used by all innerHTML calls.
      
              This patch brings us from 7x slower than Safari 5 on tiny-innerHTML
              to only 1.5x slower than Safari 5.  I'm sure there is more work to do here.
      
              Saving a shared Document like this is error prone.  Currently
              DummyDocumentFactory::releaseDocument() calls removeAllChildren()
              in an attempt to clear the Document's state. However it's possible
              that that call is not sufficient and we'll have future bugs here.
      
              * html/parser/HTMLTreeBuilder.cpp:
              (WebCore::DummyDocumentFactory::createDummyDocument):
              (WebCore::DummyDocumentFactory::releaseDocument):
              (WebCore::HTMLTreeBuilder::FragmentParsingContext::FragmentParsingContext):
              (WebCore::HTMLTreeBuilder::FragmentParsingContext::document):
              (WebCore::HTMLTreeBuilder::FragmentParsingContext::finished):
              * html/parser/HTMLTreeBuilder.h:
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77050 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      61acd1c1
    • jnd@chromium.org's avatar
      2011-01-28 Johnny Ding <jnd@chromium.org> · df0c4676
      jnd@chromium.org authored
              Reviewed by Adam Barth.
      
        Gesture API, disallow popup bypass by using iframe src.
              https://bugs.webkit.org/show_bug.cgi?id=53244
      
              * fast/events/popup-blocked-from-iframe-src-expected.txt: Added.
              * fast/events/popup-blocked-from-iframe-src.html: Added.
      2011-01-28  Johnny Ding  <jnd@chromium.org>
      
              Reviewed by Adam Barth.
      
              Gesture API: Don't use current gesture status to set "forceUserGesture" parameter when calling ScriptController::executeScript.
        The "forceUserGesture" parameter should only be set when you are definitely sure that the running script is from a hyperlink.
              https://bugs.webkit.org/show_bug.cgi?id=53244
      
              Test: fast/events/popup-blocked-from-iframe-src.html
      
              * bindings/ScriptControllerBase.cpp:
              (WebCore::ScriptController::executeIfJavaScriptURL):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77049 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      df0c4676
  4. 28 Jan, 2011 6 commits
    • simon.fraser@apple.com's avatar
      2011-01-28 Simon Fraser <simon.fraser@apple.com> · 991ac213
      simon.fraser@apple.com authored
              Reviewed by Gavin Barraclough.
      
              Add various clampToInt() methods to MathExtras.h
              https://bugs.webkit.org/show_bug.cgi?id=52910
      
              Use clampToInteger() from MathExtras.h
      
              * css/CSSParser.cpp:
              (WebCore::CSSParser::parseCounter):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77045 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      991ac213
    • rniwa@webkit.org's avatar
      2011-01-28 Sheriff Bot <webkit.review.bot@gmail.com> · 3857b1ea
      rniwa@webkit.org authored
              Unreviewed, rolling out r77006 and r77020.
              http://trac.webkit.org/changeset/77006
              http://trac.webkit.org/changeset/77020
              https://bugs.webkit.org/show_bug.cgi?id=53360
      
              "Broke Windows tests" (Requested by rniwa on #webkit).
      
              * API/JSCallbackObject.h:
              (JSC::JSCallbackObjectData::setPrivateProperty):
              (JSC::JSCallbackObjectData::JSPrivatePropertyMap::getPrivateProperty):
              (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
              (JSC::JSCallbackObjectData::JSPrivatePropertyMap::markChildren):
              (JSC::JSCallbackObject::setPrivateProperty):
              * API/JSCallbackObjectFunctions.h:
              (JSC::::put):
              (JSC::::staticFunctionGetter):
              * API/JSObjectRef.cpp:
              (JSObjectMakeConstructor):
              (JSObjectSetPrivateProperty):
              * API/JSWeakObjectMapRefInternal.h:
              * JavaScriptCore.exp:
              * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
              * JavaScriptCore.xcodeproj/project.pbxproj:
              * bytecode/CodeBlock.cpp:
              (JSC::CodeBlock::markAggregate):
              * bytecode/CodeBlock.h:
              (JSC::CodeBlock::globalObject):
              * bytecompiler/BytecodeGenerator.cpp:
              (JSC::BytecodeGenerator::BytecodeGenerator):
              (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
              (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
              (JSC::BytecodeGenerator::findScopedProperty):
              * debugger/Debugger.cpp:
              (JSC::evaluateInGlobalCallFrame):
              * debugger/DebuggerActivation.cpp:
              (JSC::DebuggerActivation::DebuggerActivation):
              (JSC::DebuggerActivation::markChildren):
              * debugger/DebuggerActivation.h:
              * debugger/DebuggerCallFrame.cpp:
              (JSC::DebuggerCallFrame::evaluate):
              * interpreter/CallFrame.h:
              (JSC::ExecState::exception):
              * interpreter/Interpreter.cpp:
              (JSC::Interpreter::resolve):
              (JSC::Interpreter::resolveSkip):
              (JSC::Interpreter::resolveGlobal):
              (JSC::Interpreter::resolveGlobalDynamic):
              (JSC::Interpreter::resolveBaseAndProperty):
              (JSC::Interpreter::unwindCallFrame):
              (JSC::appendSourceToError):
              (JSC::Interpreter::execute):
              (JSC::Interpreter::tryCacheGetByID):
              (JSC::Interpreter::privateExecute):
              * jit/JITStubs.cpp:
              (JSC::JITThunks::tryCacheGetByID):
              (JSC::DEFINE_STUB_FUNCTION):
              * jsc.cpp:
              (GlobalObject::GlobalObject):
              * runtime/ArgList.cpp:
              (JSC::MarkedArgumentBuffer::markLists):
              * runtime/Arguments.cpp:
              (JSC::Arguments::markChildren):
              (JSC::Arguments::getOwnPropertySlot):
              (JSC::Arguments::getOwnPropertyDescriptor):
              (JSC::Arguments::put):
              * runtime/Arguments.h:
              (JSC::Arguments::setActivation):
              (JSC::Arguments::Arguments):
              * runtime/ArrayConstructor.cpp:
              (JSC::ArrayConstructor::ArrayConstructor):
              (JSC::constructArrayWithSizeQuirk):
              * runtime/ArrayPrototype.cpp:
              (JSC::arrayProtoFuncSplice):
              * runtime/BatchedTransitionOptimizer.h:
              (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
              (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
              * runtime/BooleanConstructor.cpp:
              (JSC::BooleanConstructor::BooleanConstructor):
              (JSC::constructBoolean):
              (JSC::constructBooleanFromImmediateBoolean):
              * runtime/BooleanPrototype.cpp:
              (JSC::BooleanPrototype::BooleanPrototype):
              * runtime/ConservativeSet.cpp:
              (JSC::ConservativeSet::grow):
              * runtime/ConservativeSet.h:
              (JSC::ConservativeSet::~ConservativeSet):
              (JSC::ConservativeSet::mark):
              * runtime/DateConstructor.cpp:
              (JSC::DateConstructor::DateConstructor):
              * runtime/DateInstance.cpp:
              (JSC::DateInstance::DateInstance):
              * runtime/DatePrototype.cpp:
              (JSC::dateProtoFuncSetTime):
              (JSC::setNewValueFromTimeArgs):
              (JSC::setNewValueFromDateArgs):
              (JSC::dateProtoFuncSetYear):
              * runtime/ErrorConstructor.cpp:
              (JSC::ErrorConstructor::ErrorConstructor):
              * runtime/ErrorInstance.cpp:
              (JSC::ErrorInstance::ErrorInstance):
              * runtime/ErrorPrototype.cpp:
              (JSC::ErrorPrototype::ErrorPrototype):
              * runtime/FunctionConstructor.cpp:
              (JSC::FunctionConstructor::FunctionConstructor):
              * runtime/FunctionPrototype.cpp:
              (JSC::FunctionPrototype::FunctionPrototype):
              * runtime/GetterSetter.cpp:
              (JSC::GetterSetter::markChildren):
              * runtime/GetterSetter.h:
              (JSC::GetterSetter::GetterSetter):
              (JSC::GetterSetter::getter):
              (JSC::GetterSetter::setGetter):
              (JSC::GetterSetter::setter):
              (JSC::GetterSetter::setSetter):
              * runtime/GlobalEvalFunction.cpp:
              (JSC::GlobalEvalFunction::GlobalEvalFunction):
              (JSC::GlobalEvalFunction::markChildren):
              * runtime/GlobalEvalFunction.h:
              (JSC::GlobalEvalFunction::cachedGlobalObject):
              * runtime/Heap.cpp:
              (JSC::Heap::markProtectedObjects):
              (JSC::Heap::markTempSortVectors):
              (JSC::Heap::markRoots):
              * runtime/InternalFunction.cpp:
              (JSC::InternalFunction::InternalFunction):
              * runtime/JSAPIValueWrapper.h:
              (JSC::JSAPIValueWrapper::value):
              (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
              * runtime/JSActivation.cpp:
              (JSC::JSActivation::markChildren):
              (JSC::JSActivation::put):
              * runtime/JSArray.cpp:
              (JSC::JSArray::JSArray):
              (JSC::JSArray::getOwnPropertySlot):
              (JSC::JSArray::getOwnPropertyDescriptor):
              (JSC::JSArray::put):
              (JSC::JSArray::putSlowCase):
              (JSC::JSArray::deleteProperty):
              (JSC::JSArray::increaseVectorLength):
              (JSC::JSArray::setLength):
              (JSC::JSArray::pop):
              (JSC::JSArray::push):
              (JSC::JSArray::unshiftCount):
              (JSC::JSArray::sort):
              (JSC::JSArray::fillArgList):
              (JSC::JSArray::copyToRegisters):
              (JSC::JSArray::compactForSorting):
              * runtime/JSArray.h:
              (JSC::JSArray::getIndex):
              (JSC::JSArray::setIndex):
              (JSC::JSArray::uncheckedSetIndex):
              (JSC::JSArray::markChildrenDirect):
              * runtime/JSByteArray.cpp:
              (JSC::JSByteArray::JSByteArray):
              * runtime/JSCell.h:
              (JSC::JSCell::JSValue::toThisObject):
              (JSC::JSCell::MarkStack::append):
              * runtime/JSFunction.cpp:
              (JSC::JSFunction::JSFunction):
              (JSC::JSFunction::getOwnPropertySlot):
              * runtime/JSGlobalData.h:
              * runtime/JSGlobalObject.cpp:
              (JSC::markIfNeeded):
              (JSC::JSGlobalObject::reset):
              (JSC::JSGlobalObject::resetPrototype):
              (JSC::JSGlobalObject::markChildren):
              * runtime/JSGlobalObject.h:
              (JSC::JSGlobalObject::JSGlobalObjectData::JSGlobalObjectData):
              (JSC::JSGlobalObject::regExpConstructor):
              (JSC::JSGlobalObject::errorConstructor):
              (JSC::JSGlobalObject::evalErrorConstructor):
              (JSC::JSGlobalObject::rangeErrorConstructor):
              (JSC::JSGlobalObject::referenceErrorConstructor):
              (JSC::JSGlobalObject::syntaxErrorConstructor):
              (JSC::JSGlobalObject::typeErrorConstructor):
              (JSC::JSGlobalObject::URIErrorConstructor):
              (JSC::JSGlobalObject::evalFunction):
              (JSC::JSGlobalObject::objectPrototype):
              (JSC::JSGlobalObject::functionPrototype):
              (JSC::JSGlobalObject::arrayPrototype):
              (JSC::JSGlobalObject::booleanPrototype):
              (JSC::JSGlobalObject::stringPrototype):
              (JSC::JSGlobalObject::numberPrototype):
              (JSC::JSGlobalObject::datePrototype):
              (JSC::JSGlobalObject::regExpPrototype):
              (JSC::JSGlobalObject::methodCallDummy):
              (JSC::Structure::prototypeForLookup):
              (JSC::constructArray):
              * runtime/JSONObject.cpp:
              (JSC::Stringifier::Holder::object):
              (JSC::Stringifier::markAggregate):
              (JSC::Stringifier::stringify):
              (JSC::Stringifier::Holder::appendNextProperty):
              (JSC::Walker::callReviver):
              (JSC::Walker::walk):
              * runtime/JSObject.cpp:
              (JSC::JSObject::defineGetter):
              (JSC::JSObject::defineSetter):
              (JSC::JSObject::removeDirect):
              (JSC::JSObject::putDirectFunction):
              (JSC::JSObject::putDirectFunctionWithoutTransition):
              (JSC::putDescriptor):
              (JSC::JSObject::defineOwnProperty):
              * runtime/JSObject.h:
              (JSC::JSObject::getDirectOffset):
              (JSC::JSObject::putDirectOffset):
              (JSC::JSObject::flattenDictionaryObject):
              (JSC::JSObject::putDirectInternal):
              (JSC::JSObject::putDirect):
              (JSC::JSObject::putDirectFunction):
              (JSC::JSObject::putDirectWithoutTransition):
              (JSC::JSObject::putDirectFunctionWithoutTransition):
              (JSC::JSValue::putDirect):
              (JSC::JSObject::allocatePropertyStorageInline):
              (JSC::JSObject::markChildrenDirect):
              * runtime/JSPropertyNameIterator.cpp:
              (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
              (JSC::JSPropertyNameIterator::get):
              * runtime/JSPropertyNameIterator.h:
              * runtime/JSStaticScopeObject.cpp:
              (JSC::JSStaticScopeObject::markChildren):
              * runtime/JSString.cpp:
              (JSC::StringObject::create):
              * runtime/JSValue.h:
              * runtime/JSWrapperObject.cpp:
              (JSC::JSWrapperObject::markChildren):
              * runtime/JSWrapperObject.h:
              (JSC::JSWrapperObject::internalValue):
              (JSC::JSWrapperObject::setInternalValue):
              * runtime/LiteralParser.cpp:
              (JSC::LiteralParser::parse):
              * runtime/Lookup.cpp:
              (JSC::setUpStaticFunctionSlot):
              * runtime/Lookup.h:
              (JSC::lookupPut):
              * runtime/MarkStack.h:
              (JSC::MarkStack::appendValues):
              * runtime/MathObject.cpp:
              (JSC::MathObject::MathObject):
              * runtime/NativeErrorConstructor.cpp:
              (JSC::NativeErrorConstructor::NativeErrorConstructor):
              * runtime/NativeErrorPrototype.cpp:
              (JSC::NativeErrorPrototype::NativeErrorPrototype):
              * runtime/NumberConstructor.cpp:
              (JSC::NumberConstructor::NumberConstructor):
              (JSC::constructWithNumberConstructor):
              * runtime/NumberObject.cpp:
              (JSC::constructNumber):
              * runtime/NumberPrototype.cpp:
              (JSC::NumberPrototype::NumberPrototype):
              * runtime/ObjectConstructor.cpp:
              (JSC::ObjectConstructor::ObjectConstructor):
              (JSC::objectConstructorGetOwnPropertyDescriptor):
              * runtime/Operations.h:
              (JSC::normalizePrototypeChain):
              (JSC::resolveBase):
              * runtime/PrototypeFunction.cpp:
              (JSC::PrototypeFunction::PrototypeFunction):
              * runtime/PutPropertySlot.h:
              (JSC::PutPropertySlot::setExistingProperty):
              (JSC::PutPropertySlot::setNewProperty):
              (JSC::PutPropertySlot::base):
              * runtime/RegExpConstructor.cpp:
              (JSC::RegExpConstructor::RegExpConstructor):
              * runtime/ScopeChain.cpp:
              (JSC::ScopeChainNode::print):
              * runtime/ScopeChain.h:
              (JSC::ScopeChainNode::~ScopeChainNode):
              (JSC::ScopeChainIterator::operator*):
              (JSC::ScopeChainIterator::operator->):
              (JSC::ScopeChain::top):
              * runtime/ScopeChainMark.h:
              (JSC::ScopeChain::markAggregate):
              * runtime/SmallStrings.cpp:
              (JSC::isMarked):
              (JSC::SmallStrings::markChildren):
              * runtime/SmallStrings.h:
              (JSC::SmallStrings::emptyString):
              (JSC::SmallStrings::singleCharacterString):
              (JSC::SmallStrings::singleCharacterStrings):
              * runtime/StringConstructor.cpp:
              (JSC::StringConstructor::StringConstructor):
              * runtime/StringObject.cpp:
              (JSC::StringObject::StringObject):
              * runtime/StringObject.h:
              * runtime/StringPrototype.cpp:
              (JSC::StringPrototype::StringPrototype):
              * runtime/Structure.cpp:
              (JSC::Structure::Structure):
              (JSC::Structure::addPropertyTransition):
              (JSC::Structure::toDictionaryTransition):
              (JSC::Structure::flattenDictionaryStructure):
              * runtime/Structure.h:
              (JSC::Structure::storedPrototype):
              * runtime/WeakGCMap.h:
              (JSC::WeakGCMap::uncheckedGet):
              (JSC::WeakGCMap::isValid):
              (JSC::::get):
              (JSC::::take):
              (JSC::::set):
              (JSC::::uncheckedRemove):
              * runtime/WriteBarrier.h: Removed.
      2011-01-28  Sheriff Bot  <webkit.review.bot@gmail.com>
      
              Unreviewed, rolling out r77006 and r77020.
              http://trac.webkit.org/changeset/77006
              http://trac.webkit.org/changeset/77020
              https://bugs.webkit.org/show_bug.cgi?id=53360
      
              "Broke Windows tests" (Requested by rniwa on #webkit).
      
              * JSValueWrapper.cpp:
              (JSValueWrapper::JSObjectMark):
      2011-01-28  Sheriff Bot  <webkit.review.bot@gmail.com>
      
              Unreviewed, rolling out r77006 and r77020.
              http://trac.webkit.org/changeset/77006
              http://trac.webkit.org/changeset/77020
              https://bugs.webkit.org/show_bug.cgi?id=53360
      
              "Broke Windows tests" (Requested by rniwa on #webkit).
      
              * WebView/WebScriptDebugDelegate.mm:
              (-[WebScriptCallFrame scopeChain]):
      2011-01-28  Sheriff Bot  <webkit.review.bot@gmail.com>
      
              Unreviewed, rolling out r77006 and r77020.
              http://trac.webkit.org/changeset/77006
              http://trac.webkit.org/changeset/77020
              https://bugs.webkit.org/show_bug.cgi?id=53360
      
              "Broke Windows tests" (Requested by rniwa on #webkit).
      
              * ForwardingHeaders/runtime/WriteBarrier.h: Removed.
              * WebCore.exp.in:
              * bindings/js/DOMWrapperWorld.h:
              * bindings/js/JSAudioConstructor.cpp:
              (WebCore::JSAudioConstructor::JSAudioConstructor):
              * bindings/js/JSDOMBinding.cpp:
              (WebCore::markDOMNodesForDocument):
              (WebCore::markDOMObjectWrapper):
              (WebCore::markDOMNodeWrapper):
              * bindings/js/JSDOMGlobalObject.cpp:
              (WebCore::JSDOMGlobalObject::markChildren):
              (WebCore::JSDOMGlobalObject::setInjectedScript):
              (WebCore::JSDOMGlobalObject::injectedScript):
              * bindings/js/JSDOMGlobalObject.h:
              (WebCore::JSDOMGlobalObject::JSDOMGlobalObjectData::JSDOMGlobalObjectData):
              (WebCore::getDOMConstructor):
              * bindings/js/JSDOMWindowCustom.cpp:
              (WebCore::JSDOMWindow::setLocation):
              (WebCore::DialogHandler::dialogCreated):
              * bindings/js/JSDOMWindowShell.cpp:
              (WebCore::JSDOMWindowShell::JSDOMWindowShell):
              (WebCore::JSDOMWindowShell::setWindow):
              (WebCore::JSDOMWindowShell::markChildren):
              (WebCore::JSDOMWindowShell::unwrappedObject):
              * bindings/js/JSDOMWindowShell.h:
              (WebCore::JSDOMWindowShell::window):
              (WebCore::JSDOMWindowShell::setWindow):
              * bindings/js/JSDeviceMotionEventCustom.cpp:
              (WebCore::createAccelerationObject):
              (WebCore::createRotationRateObject):
              * bindings/js/JSEventListener.cpp:
              (WebCore::JSEventListener::JSEventListener):
              (WebCore::JSEventListener::markJSFunction):
              * bindings/js/JSEventListener.h:
              (WebCore::JSEventListener::jsFunction):
              * bindings/js/JSHTMLDocumentCustom.cpp:
              (WebCore::JSHTMLDocument::setAll):
              * bindings/js/JSImageConstructor.cpp:
              (WebCore::JSImageConstructor::JSImageConstructor):
              * bindings/js/JSImageDataCustom.cpp:
              (WebCore::toJS):
              * bindings/js/JSJavaScriptCallFrameCustom.cpp:
              (WebCore::JSJavaScriptCallFrame::scopeChain):
              (WebCore::JSJavaScriptCallFrame::scopeType):
              * bindings/js/JSNodeFilterCondition.cpp:
              (WebCore::JSNodeFilterCondition::markAggregate):
              (WebCore::JSNodeFilterCondition::acceptNode):
              * bindings/js/JSNodeFilterCondition.h:
              * bindings/js/JSNodeFilterCustom.cpp:
              * bindings/js/JSOptionConstructor.cpp:
              (WebCore::JSOptionConstructor::JSOptionConstructor):
              * bindings/js/JSSQLResultSetRowListCustom.cpp:
              (WebCore::JSSQLResultSetRowList::item):
              * bindings/js/ScriptCachedFrameData.cpp:
              (WebCore::ScriptCachedFrameData::restore):
              * bindings/js/ScriptObject.cpp:
              (WebCore::ScriptGlobalObject::set):
              * bindings/js/SerializedScriptValue.cpp:
              (WebCore::CloneDeserializer::putProperty):
              * bindings/scripts/CodeGeneratorJS.pm:
              * bridge/qt/qt_runtime.cpp:
              (JSC::Bindings::QtRuntimeMetaMethod::QtRuntimeMetaMethod):
              (JSC::Bindings::QtRuntimeMetaMethod::markChildren):
              (JSC::Bindings::QtRuntimeMetaMethod::connectGetter):
              (JSC::Bindings::QtRuntimeMetaMethod::disconnectGetter):
              * bridge/qt/qt_runtime.h:
              * bridge/runtime_root.cpp:
              (JSC::Bindings::RootObject::invalidate):
              * bridge/runtime_root.h:
              * dom/Document.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77044 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      3857b1ea
    • abarth@webkit.org's avatar
      2011-01-28 Adam Barth <abarth@webkit.org> · bfc7fcf5
      abarth@webkit.org authored
              Reviewed by Eric Seidel.
      
              XSSFilter should log to the console when it blocks something
              https://bugs.webkit.org/show_bug.cgi?id=53354
      
              This patch refactors a bunch of methods in XSSFilter to return a bool
              indicating whether they blocked anything.  Using this bool, we decide
              whether to log to the console.  We're using the same log message as the
              XSSAuditor, but it seems likely we can improve this message in the
              future (especially by piping in the correct line number, which is now
              accessible via the parser).
      
              * html/parser/XSSFilter.cpp:
              (WebCore::HTMLNames::isNameOfInlineEventHandler):
              (WebCore::XSSFilter::filterToken):
              (WebCore::XSSFilter::filterTokenInitial):
              (WebCore::XSSFilter::filterTokenAfterScriptStartTag):
              (WebCore::XSSFilter::filterScriptToken):
              (WebCore::XSSFilter::filterObjectToken):
              (WebCore::XSSFilter::filterEmbedToken):
              (WebCore::XSSFilter::filterAppletToken):
              (WebCore::XSSFilter::filterMetaToken):
              (WebCore::XSSFilter::filterBaseToken):
              (WebCore::XSSFilter::eraseInlineEventHandlersIfInjected):
              * html/parser/XSSFilter.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77041 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      bfc7fcf5
    • abarth@webkit.org's avatar
      2011-01-28 Adam Barth <abarth@webkit.org> · 015fdee4
      abarth@webkit.org authored
              Reviewed by Daniel Bates.
      
              Wire up settings->xssAuditorEnabled to XSSFilter
              https://bugs.webkit.org/show_bug.cgi?id=53345
      
              * html/parser/XSSFilter.cpp:
              (WebCore::XSSFilter::XSSFilter):
              (WebCore::XSSFilter::filterToken):
              * html/parser/XSSFilter.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      015fdee4
    • abarth@webkit.org's avatar
      2011-01-28 Adam Barth <abarth@webkit.org> · 0fbacc01
      abarth@webkit.org authored
              Reviewed by Daniel Bates.
      
              Teach XSSFilter about <meta> and <base> tags
              https://bugs.webkit.org/show_bug.cgi?id=53339
      
              I'm not 100% sure we need to block <meta http-equiv>, but it seems
              prudent given how powerful that attribute is.  We definitely need to
              block injection of <base href> because that can redirect script tags
              that use relative URLs.
      
              * html/parser/XSSFilter.cpp:
              (WebCore::XSSFilter::filterToken):
              (WebCore::XSSFilter::filterMetaToken):
              (WebCore::XSSFilter::filterBaseToken):
              * html/parser/XSSFilter.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77033 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      0fbacc01
    • abarth@webkit.org's avatar
      2011-01-28 Adam Barth <abarth@webkit.org> · 87e8410e
      abarth@webkit.org authored
              Reviewed by Daniel Bates.
      
              Teach XSSFilter about <applet>
              https://bugs.webkit.org/show_bug.cgi?id=53338
      
              HTML5 is pretty light on information about how the <applet> tag works.
              According to this site:
      
              http://download.oracle.com/javase/1.4.2/docs/guide/misc/applet.html
      
              The "code" and "object" attributes are the essential attributes for
              determining which piece of Java to run.  We might need to expand to the
              codebase and archive attributes at some point, but hopefully code and
              object will be sufficient.
      
              * html/parser/XSSFilter.cpp:
              (WebCore::XSSFilter::filterToken):
              (WebCore::XSSFilter::filterAppletToken):
              * html/parser/XSSFilter.h:
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77032 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      87e8410e