date:20151207

[webkit-changes] [193709] branches/safari-601.1.46.60-branch

2015-12-07 Thread bshafiei

Title: [193709] branches/safari-601.1.46.60-branch








Revision 193709
Author bshaf...@apple.com
Date 2015-12-07 23:59:04 -0800 (Mon, 07 Dec 2015)


Log Message
Merged r191731.  rdar://problem/23787044

Modified Paths

branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/rendering/svg/RenderSVGResourcePattern.cpp
branches/safari-601.1.46.60-branch/Source/WebCore/rendering/svg/RenderSVGResourcePattern.h
branches/safari-601.1.46.60-branch/Source/WebCore/rendering/svg/RenderSVGRoot.cpp
branches/safari-601.1.46.60-branch/Source/WebCore/rendering/svg/SVGRenderTreeAsText.cpp
branches/safari-601.1.46.60-branch/Source/WebCore/svg/SVGPatternElement.cpp


Added Paths

branches/safari-601.1.46.60-branch/LayoutTests/svg/custom/pattern-content-inheritance-cycle-expected.svg
branches/safari-601.1.46.60-branch/LayoutTests/svg/custom/pattern-content-inheritance-cycle.svg




Diff

Modified: branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog (193708 => 193709)

--- branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:55:57 UTC (rev 193708)
+++ branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:59:04 UTC (rev 193709)
@@ -1,5 +1,23 @@
 2015-12-07  Babak Shafiei  
 
+Merge r191731.
+
+2015-10-29  Said Abou-Hallawa  
+
+Exploitable crash happens when an SVG contains an indirect resource inheritance cycle
+https://bugs.webkit.org/show_bug.cgi?id=150203
+
+Reviewed by Brent Fulgham.
+
+Ensure that we do not crash when an SVG has an indirect cyclic resource
+inheritance. Make sure the cyclic resource was just ignored as if it did
+not exist.
+
+* svg/custom/pattern-content-inheritance-cycle-expected.svg: Added.
+* svg/custom/pattern-content-inheritance-cycle.svg: Added.
+
+2015-12-07  Babak Shafiei  
+
 Merge r192604.
 
 2015-11-18  Jiewen Tan  


Copied: branches/safari-601.1.46.60-branch/LayoutTests/svg/custom/pattern-content-inheritance-cycle-expected.svg (from rev 191731, trunk/LayoutTests/svg/custom/pattern-content-inheritance-cycle-expected.svg) (0 => 193709)

--- branches/safari-601.1.46.60-branch/LayoutTests/svg/custom/pattern-content-inheritance-cycle-expected.svg	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/svg/custom/pattern-content-inheritance-cycle-expected.svg	2015-12-08 07:59:04 UTC (rev 193709)
@@ -0,0 +1,16 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+


Copied: branches/safari-601.1.46.60-branch/LayoutTests/svg/custom/pattern-content-inheritance-cycle.svg (from rev 191731, trunk/LayoutTests/svg/custom/pattern-content-inheritance-cycle.svg) (0 => 193709)

--- branches/safari-601.1.46.60-branch/LayoutTests/svg/custom/pattern-content-inheritance-cycle.svg	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/svg/custom/pattern-content-inheritance-cycle.svg	2015-12-08 07:59:04 UTC (rev 193709)
@@ -0,0 +1,56 @@
+
+
+
+
+
+
+
+ m => n => l -->
+
+
+
+
+ q -->
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+// Add q => p to get p => q => p
+document.getElementById("q").setAttributeNS("http://www.w3.org/1999/xlink", "href", "#p");
+
+// Add s => t to get s => t => s
+document.getElementById("r").setAttribute("fill", "url(#t)");
+
+// Force layout
+document.documentElement.removeAttribute("class");
+
+


Modified: branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog (193708 => 193709)

--- branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog	2015-12-08 07:55:57 UTC (rev 193708)
+++ branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog	2015-12-08 07:59:04 UTC (rev 193709)
@@ -1,5 +1,71 @@
 2015-12-07  Babak Shafiei  
 
+Merge r191731.
+
+2015-10-29  Said Abou-Hallawa  
+
+Exploitable crash happens when an SVG contains an indirect resource inheritance cycle
+https://bugs.webkit.org/show_bug.cgi?id=150203
+
+Reviewed by Brent Fulgham.
+
+Detecting cycles in SVG resource references happens in two places.
+1. In SVGResourcesCycleSolver::resolveCycles() which it is called from 
+   SVGResourcesCache::addResourcesFromRenderer(). When a cycle is deleted,
+   SVGResourcesCycleSolver::breakCycle() is called to break the link. In
+   the case of a cyclic resource inheritance, SVGResources::resetLinked

[webkit-changes] [193708] branches/safari-601.1.46.60-branch

2015-12-07 Thread bshafiei

Title: [193708] branches/safari-601.1.46.60-branch








Revision 193708
Author bshaf...@apple.com
Date 2015-12-07 23:55:57 -0800 (Mon, 07 Dec 2015)


Log Message
Merged r192604.  rdar://problem/23786994

Modified Paths

branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog
branches/safari-601.1.46.60-branch/LayoutTests/platform/mac-wk2/TestExpectations
branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/page/PerformanceTiming.cpp


Added Paths

branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/666869-expected.txt
branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/666869.html
branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt
branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed.html
branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/resources/window-property-collector.js




Diff

Modified: branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog (193707 => 193708)

--- branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:53:52 UTC (rev 193707)
+++ branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:55:57 UTC (rev 193708)
@@ -1,5 +1,30 @@
 2015-12-07  Babak Shafiei  
 
+Merge r192604.
+
+2015-11-18  Jiewen Tan  
+
+[WK1] Crash loading Blink layout test fast/dom/Window/property-access-on-cached-window-after-frame-removed.html
+https://bugs.webkit.org/show_bug.cgi?id=150198
+
+
+Reviewed by Brent Fulgham.
+
+* fast/dom/Window/666869-expected.txt: Added.
+* fast/dom/Window/666869.html: Added.
+Test case is from Mozilla.
+* fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt: Added.
+* fast/dom/Window/property-access-on-cached-window-after-frame-removed.html: Added.
+* fast/dom/Window/resources/window-property-collector.js: Added.
+(collectProperties):
+(emitExpectedResult):
+(collectPropertiesHelper):
+Test case is from Blink r168256:
+https://codereview.chromium.org/131113003
+* platform/mac-wk2/TestExpectations:
+
+2015-12-07  Babak Shafiei  
+
 Merge r192433.
 
 2015-11-13  Jiewen Tan  


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/666869-expected.txt (from rev 192604, trunk/LayoutTests/fast/dom/Window/666869-expected.txt) (0 => 193708)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/666869-expected.txt	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/666869-expected.txt	2015-12-08 07:55:57 UTC (rev 193708)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/666869.html (from rev 192604, trunk/LayoutTests/fast/dom/Window/666869.html) (0 => 193708)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/666869.html	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/666869.html	2015-12-08 07:55:57 UTC (rev 193708)
@@ -0,0 +1,20 @@
+
+
+
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+function boom()
+{
+var f = document.getElementById("f");
+var frameWin = f.contentWindow;
+document.body.removeChild(f);
+frameWin.performance;
+
+document.write("PASS. WebKit didn't crash.");
+}
+
+
+


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt (from rev 192604, trunk/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt) (0 => 193708)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt	2015-12-08 07:55:57 UTC (rev 193708)
@@ -0,0 +1 @@
+Pass. WebKit didn't crash.


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed.html (from rev 192604, trunk/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed.html) (0 => 193708)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed.html	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed.html	2015-12-08 07:55:57 UTC (rev 193708)
@@ -0,0 +1,31 @@
+
+
+
+var childWindow;
+var propertiesToVerify = [];
+
+function insertExpectedResult(path, expected)
+{
+

[webkit-changes] [193707] branches/safari-601.1.46.60-branch

2015-12-07 Thread bshafiei

Title: [193707] branches/safari-601.1.46.60-branch








Revision 193707
Author bshaf...@apple.com
Date 2015-12-07 23:53:52 -0800 (Mon, 07 Dec 2015)


Log Message
Merged r192433.  rdar://problem/23787047

Modified Paths

branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/dom/Element.cpp


Added Paths

branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt
branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash.html




Diff

Modified: branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog (193706 => 193707)

--- branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:51:59 UTC (rev 193706)
+++ branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:53:52 UTC (rev 193707)
@@ -1,5 +1,20 @@
 2015-12-07  Babak Shafiei  
 
+Merge r192433.
+
+2015-11-13  Jiewen Tan  
+
+Element::focus() should acquire the ownership of Frame.
+https://bugs.webkit.org/show_bug.cgi?id=150204
+
+
+Reviewed by Brent Fulgham.
+
+* editing/selection/focus-iframe-removal-crash-expected.txt: Added.
+* editing/selection/focus-iframe-removal-crash.html: Added.
+
+2015-12-07  Babak Shafiei  
+
 Merge r192389.
 
 2015-11-12  Zalan Bujtas  


Copied: branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt (from rev 192433, trunk/LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt) (0 => 193707)

--- branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash-expected.txt	2015-12-08 07:53:52 UTC (rev 193707)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.


Copied: branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash.html (from rev 192433, trunk/LayoutTests/editing/selection/focus-iframe-removal-crash.html) (0 => 193707)

--- branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash.html	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/editing/selection/focus-iframe-removal-crash.html	2015-12-08 07:53:52 UTC (rev 193707)
@@ -0,0 +1,24 @@
+
+
+
+
+
+if (window.testRunner)
+testRunner.dumpAsText();
+
+function run()
+{
+var iframe = document.getElementsByTagName('iframe')[0];
+iframe.contentDocument.documentElement.contentEditable = true;
+iframe.contentDocument.documentElement.addEventListener('focusout', function () {
+iframe.parentNode.removeChild(iframe);
+}, false);
+iframe.contentDocument.documentElement.focus();
+
+document.write("PASS. WebKit didn't crash.");
+}
+
+document.addEventListener('DOMContentLoaded', run);
+
+
+


Modified: branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog (193706 => 193707)

--- branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog	2015-12-08 07:51:59 UTC (rev 193706)
+++ branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog	2015-12-08 07:53:52 UTC (rev 193707)
@@ -1,5 +1,27 @@
 2015-12-07  Babak Shafiei  
 
+Merge r192433.
+
+2015-11-13  Jiewen Tan  
+
+Element::focus() should acquire the ownership of Frame.
+https://bugs.webkit.org/show_bug.cgi?id=150204
+
+
+Reviewed by Brent Fulgham.
+
+The FrameSelection::setSelection method sometimes releases the last reference to a frame.
+When this happens, the Element::updateFocusAppearance would attempt to use dereferenced memory.
+Instead, we should ensure that the Frame lifetime is guaranteed to extend through the duration
+of the method call.
+
+Test: editing/selection/focus-iframe-removal-crash.html
+
+* dom/Element.cpp:
+(WebCore::Element::updateFocusAppearance):
+
+2015-12-07  Babak Shafiei  
+
 Merge r192389.
 
 2015-11-12  Zalan Bujtas  


Modified: branches/safari-601.1.46.60-branch/Source/WebCore/dom/Element.cpp (193706 => 193707)

--- branches/safari-601.1.46.60-branch/Source/WebCore/dom/Element.cpp	2015-12-08 07:51:59 UTC (rev 193706)
+++ branches/safari-601.1.46.60-branch/Source/WebCore/dom/Element.cpp	2015-12-08 07:53:52 UTC (rev 193707)
@@ -2186,7 +2186,8 @@
 void Element::updateFocusAppearance(bool /*restorePreviousSelection*/)
 {
 if (isRootEditableElement()) {
-Frame* frame = document().frame();
+// Keep frame alive in this method, since setSelection() may release the last reference to |frame|.
+RefPtr frame = document().frame();
 if (!frame)
 return;
 






___
webkit-changes mai

[webkit-changes] [193706] branches/safari-601.1.46.60-branch

2015-12-07 Thread bshafiei

Title: [193706] branches/safari-601.1.46.60-branch








Revision 193706
Author bshaf...@apple.com
Date 2015-12-07 23:51:59 -0800 (Mon, 07 Dec 2015)


Log Message
Merged r192389.  rdar://problem/23786983

Modified Paths

branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/rendering/RenderTheme.cpp
branches/safari-601.1.46.60-branch/Source/WebCore/rendering/style/RenderStyle.h


Added Paths

branches/safari-601.1.46.60-branch/LayoutTests/fast/css/pseudo-visited-background-color-on-input-expected.html
branches/safari-601.1.46.60-branch/LayoutTests/fast/css/pseudo-visited-background-color-on-input.html




Diff

Modified: branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog (193705 => 193706)

--- branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:50:20 UTC (rev 193705)
+++ branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:51:59 UTC (rev 193706)
@@ -1,5 +1,20 @@
 2015-12-07  Babak Shafiei  
 
+Merge r192389.
+
+2015-11-12  Zalan Bujtas  
+
+Ignore visited background color when deciding if the input renderer needs to be painted natively.
+https://bugs.webkit.org/show_bug.cgi?id=151211
+rdar://problem/21449823
+
+Reviewed by Antti Koivisto.
+
+* fast/css/pseudo-visited-background-color-on-input-expected.html: Added.
+* fast/css/pseudo-visited-background-color-on-input.html: Added.
+
+2015-12-07  Babak Shafiei  
+
 Merge r192369.
 
 2015-11-11  Jon Honeycutt  


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/css/pseudo-visited-background-color-on-input-expected.html (from rev 192389, trunk/LayoutTests/fast/css/pseudo-visited-background-color-on-input-expected.html) (0 => 193706)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/css/pseudo-visited-background-color-on-input-expected.html	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/css/pseudo-visited-background-color-on-input-expected.html	2015-12-08 07:51:59 UTC (rev 193706)
@@ -0,0 +1,21 @@
+
+
+
+This tests that we draw the input natively when :visited background-color is set.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/css/pseudo-visited-background-color-on-input.html (from rev 192389, trunk/LayoutTests/fast/css/pseudo-visited-background-color-on-input.html) (0 => 193706)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/css/pseudo-visited-background-color-on-input.html	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/css/pseudo-visited-background-color-on-input.html	2015-12-08 07:51:59 UTC (rev 193706)
@@ -0,0 +1,26 @@
+
+
+
+This tests that we draw the input natively when :visited background-color is set.
+
+	a:visited input {
+		background-color: red;
+	}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+


Modified: branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog (193705 => 193706)

--- branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog	2015-12-08 07:50:20 UTC (rev 193705)
+++ branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog	2015-12-08 07:51:59 UTC (rev 193706)
@@ -1,5 +1,23 @@
 2015-12-07  Babak Shafiei  
 
+Merge r192389.
+
+2015-11-12  Zalan Bujtas  
+
+Ignore visited background color when deciding if the input renderer needs to be painted natively.
+https://bugs.webkit.org/show_bug.cgi?id=151211
+rdar://problem/21449823
+
+Reviewed by Antti Koivisto.
+
+Test: fast/css/pseudo-visited-background-color-on-input.html
+
+* rendering/RenderTheme.cpp:
+(WebCore::RenderTheme::isControlStyled):
+* rendering/style/RenderStyle.h:
+
+2015-12-07  Babak Shafiei  
+
 Merge r192369.
 
 2015-11-11  Jon Honeycutt  


Modified: branches/safari-601.1.46.60-branch/Source/WebCore/rendering/RenderTheme.cpp (193705 => 193706)

--- branches/safari-601.1.46.60-branch/Source/WebCore/rendering/RenderTheme.cpp	2015-12-08 07:50:20 UTC (rev 193705)
+++ branches/safari-601.1.46.60-branch/Source/WebCore/rendering/RenderTheme.cpp	2015-12-08 07:51:59 UTC (rev 193706)
@@ -703,7 +703,7 @@
 // Test the style to see if the UA border and background match.
 return (style.border() != border
 || *style.backgroundLayers() != background
-|| style.visitedDependentColor(CSSPropertyBackgroundColor) != backgroundColor);
+|| !style.backgroundColorEqualsToColorIgnoringVisited(backgroundColor));
 default:
 return false;
 }


Modified: branches/safari-601.1.46.60-branch/Source/WebCore/rendering/style/RenderStyle.h (193705 => 193706)

--- branches/safari-601.1.46.60-branch/Source/WebCore/rendering/style/RenderStyle.h	2015-12-08 07:50:20 UTC (rev 193705)
+++ branches/safari-601.1.46.60-branch/S

[webkit-changes] [193705] branches/safari-601.1.46.60-branch

2015-12-07 Thread bshafiei

Title: [193705] branches/safari-601.1.46.60-branch








Revision 193705
Author bshaf...@apple.com
Date 2015-12-07 23:50:20 -0800 (Mon, 07 Dec 2015)


Log Message
Merged r192369.  rdar://problem/23787037

Modified Paths

branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog
branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/stateobjects/popstate-fires-on-history-traversal.html
branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/dom/Document.cpp


Added Paths

branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different-expected.txt
branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different.html
branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-same-expected.txt
branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-same.html
branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/stateobjects/popstate-is-asynchronous-expected.txt
branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/stateobjects/popstate-is-asynchronous.html




Diff

Modified: branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog (193704 => 193705)

--- branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:48:11 UTC (rev 193704)
+++ branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:50:20 UTC (rev 193705)
@@ -1,5 +1,31 @@
 2015-12-07  Babak Shafiei  
 
+Merge r192369.
+
+2015-11-11  Jon Honeycutt  
+
+popstate event should be dispatched asynchronously
+https://bugs.webkit.org/show_bug.cgi?id=36202
+
+
+Based on an original patch by Mihai Parparita .
+
+Reviewed by Brent Fulgham.
+
+* fast/loader/remove-iframe-during-history-navigation-different-expected.txt: Added.
+* fast/loader/remove-iframe-during-history-navigation-different.html: Added.
+Imported from Blink.
+* fast/loader/remove-iframe-during-history-navigation-same-expected.txt: Added.
+* fast/loader/remove-iframe-during-history-navigation-same.html: Added.
+Ditto.
+* fast/loader/stateobjects/popstate-fires-on-history-traversal.html:
+Modified to account for popstate firing asynchronously.
+* fast/loader/stateobjects/popstate-is-asynchronous-expected.txt: Added.
+* fast/loader/stateobjects/popstate-is-asynchronous.html: Added.
+Based on Mihai's original test. Modified to pass in current WebKit.
+
+2015-12-07  Babak Shafiei  
+
 Merge r192316.
 
 2015-11-10  Jon Honeycutt  


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different-expected.txt (from rev 192369, trunk/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different-expected.txt) (0 => 193705)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different-expected.txt	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different-expected.txt	2015-12-08 07:50:20 UTC (rev 193705)
@@ -0,0 +1 @@
+TEST PASSED


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different.html (from rev 192369, trunk/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different.html) (0 => 193705)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different.html	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-different.html	2015-12-08 07:50:20 UTC (rev 193705)
@@ -0,0 +1,31 @@
+
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+// One iframe's popstate handler removes another iframe from the
+// document during a history navigation that affects both frames. The
+// history navigation loads a different document in the other frame.
+window._onload_ = function () {
+frames[0].history.pushState("first", "first");
+frames[0]._onpopstate_ = function () {
+document.body.innerHTML = "TEST PASSED";
+if (window.testRunner)
+testRunner.notifyDone();
+};
+document.querySelectorAll("iframe")[1]._onload_ = function () {
+setTimeout("history.go(-2);", 10);
+};
+setTimeout(function () {
+frames[1].location.href = ""
+}, 10);
+}
+
+
+
+NOT TESTED
+


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/loader/remove-iframe-during-history-navigation-same-expected.txt (from rev 192369, trunk/LayoutTests/fast/loader/remove-ifr

[webkit-changes] [193704] branches/safari-601.1.46.60-branch

2015-12-07 Thread bshafiei

Title: [193704] branches/safari-601.1.46.60-branch








Revision 193704
Author bshaf...@apple.com
Date 2015-12-07 23:48:11 -0800 (Mon, 07 Dec 2015)


Log Message
Merged r192316.  rdar://problem/23787021

Modified Paths

branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp


Added Paths

branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt
branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html




Diff

Modified: branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog (193703 => 193704)

--- branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:46:28 UTC (rev 193703)
+++ branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:48:11 UTC (rev 193704)
@@ -1,5 +1,20 @@
 2015-12-07  Babak Shafiei  
 
+Merge r192316.
+
+2015-11-10  Jon Honeycutt  
+
+Crash loading Blink layout test fast/parser/strip-script-attrs-on-input.html
+https://bugs.webkit.org/show_bug.cgi?id=150201
+
+
+Reviewed by Brent Fulgham.
+
+* fast/parser/strip-script-attrs-on-input-expected.txt: Added.
+* fast/parser/strip-script-attrs-on-input.html: Added.
+
+2015-12-07  Babak Shafiei  
+
 Merge r192281.
 
 2015-11-10  Brent Fulgham  


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt (from rev 192316, trunk/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt) (0 => 193704)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input-expected.txt	2015-12-08 07:48:11 UTC (rev 193704)
@@ -0,0 +1 @@
+Text for WebKit bug #150201. Test passes if it does not crash in an ASan build.


Copied: branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html (from rev 192316, trunk/LayoutTests/fast/parser/strip-script-attrs-on-input.html) (0 => 193704)

--- branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/fast/parser/strip-script-attrs-on-input.html	2015-12-08 07:48:11 UTC (rev 193704)
@@ -0,0 +1,30 @@
+
+
+
+
+
+
+if (window.testRunner) {
+testRunner.dumpAsText();
+testRunner.waitUntilDone();
+}
+
+requestAnimationFrame(function() {
+var target = document.getElementById("target");
+var selection = window.getSelection();
+var range = document.createRange();
+range.selectNodeContents(target);
+selection.addRange(range);
+
+document.execCommand("Cut");
+document.execCommand("Paste");
+
+target.innerHTML = '';
+testRunner.notifyDone();
+});
+
+
+Text for WebKit bug #
+


Modified: branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog (193703 => 193704)

--- branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog	2015-12-08 07:46:28 UTC (rev 193703)
+++ branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog	2015-12-08 07:48:11 UTC (rev 193704)
@@ -1,5 +1,25 @@
 2015-12-07  Babak Shafiei  
 
+Merge r192316.
+
+2015-11-10  Jon Honeycutt  
+
+Crash loading Blink layout test fast/parser/strip-script-attrs-on-input.html
+https://bugs.webkit.org/show_bug.cgi?id=150201
+
+
+Reviewed by Brent Fulgham.
+
+Test: fast/parser/strip-script-attrs-on-input.html
+
+* html/parser/HTMLTreeBuilder.cpp:
+(WebCore::HTMLTreeBuilder::processStartTagForInBody):
+Get the attribute after calling
+HTMLConstructionSite::insertSelfClosingHTMLElement(), as this may
+mutate the token's attributes.
+
+2015-12-07  Babak Shafiei  
+
 Merge r192281.
 
 2015-11-10  Brent Fulgham  


Modified: branches/safari-601.1.46.60-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (193703 => 193704)

--- branches/safari-601.1.46.60-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2015-12-08 07:46:28 UTC (rev 193703)
+++ branches/safari-601.1.46.60-branch/Source/WebCore/html/parser/HTMLTreeBuilder.cpp	2015-12-08 07:48:11 UTC (rev 193704)
@@ -774,9 +774,9 @@
 return;
 }
 if (token.name() == inputTag) {
-Attribute* typeAttribute = findAttribute(token.attributes(), typeAttr);
 m_tree.reconstructTheActiveFormattingElements();
 m_tree.insertSelfClosingHTMLElement(&token);
+Attribute* typeAttribute = findAttribute(token.attributes(), typeAttr);
 if (!typeAt

[webkit-changes] [193703] branches/safari-601.1.46.60-branch

2015-12-07 Thread bshafiei

Title: [193703] branches/safari-601.1.46.60-branch








Revision 193703
Author bshaf...@apple.com
Date 2015-12-07 23:46:28 -0800 (Mon, 07 Dec 2015)


Log Message
Merged r192281.  rdar://problem/23787006

Modified Paths

branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/ChangeLog
branches/safari-601.1.46.60-branch/Source/WebCore/Modules/webaudio/PannerNode.cpp
branches/safari-601.1.46.60-branch/Source/WebCore/Modules/webaudio/PannerNode.h


Added Paths

branches/safari-601.1.46.60-branch/LayoutTests/webaudio/panner-loop-expected.txt
branches/safari-601.1.46.60-branch/LayoutTests/webaudio/panner-loop.html




Diff

Modified: branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog (193702 => 193703)

--- branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 05:41:20 UTC (rev 193702)
+++ branches/safari-601.1.46.60-branch/LayoutTests/ChangeLog	2015-12-08 07:46:28 UTC (rev 193703)
@@ -1,3 +1,21 @@
+2015-12-07  Babak Shafiei  
+
+Merge r192281.
+
+2015-11-10  Brent Fulgham  
+
+Crash running webaudio/panner-loop.html
+https://bugs.webkit.org/show_bug.cgi?id=150200
+
+
+Reviewed by Jer Noble.
+
+This is based on the changes in Blink r164822:
+https://codereview.chromium.org/130003002
+
+* webaudio/panner-loop-expected.txt: Added.
+* webaudio/panner-loop.html: Added.
+
 2015-10-29  Lucas Forschler  
 
 Merge r191706. rdar://problem/23319282


Copied: branches/safari-601.1.46.60-branch/LayoutTests/webaudio/panner-loop-expected.txt (from rev 192281, trunk/LayoutTests/webaudio/panner-loop-expected.txt) (0 => 193703)

--- branches/safari-601.1.46.60-branch/LayoutTests/webaudio/panner-loop-expected.txt	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/webaudio/panner-loop-expected.txt	2015-12-08 07:46:28 UTC (rev 193703)
@@ -0,0 +1,9 @@
+Test PannerNode handling of feedback loops
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS Rendering successfully completed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+


Copied: branches/safari-601.1.46.60-branch/LayoutTests/webaudio/panner-loop.html (from rev 192281, trunk/LayoutTests/webaudio/panner-loop.html) (0 => 193703)

--- branches/safari-601.1.46.60-branch/LayoutTests/webaudio/panner-loop.html	(rev 0)
+++ branches/safari-601.1.46.60-branch/LayoutTests/webaudio/panner-loop.html	2015-12-08 07:46:28 UTC (rev 193703)
@@ -0,0 +1,84 @@
+
+
+  
+
+
+  
+
+
+