Commit 95743967 authored by Alberto Garcia

Imported Upstream version 2.12.3

parent ebb63d4e
......@@ -14,7 +14,7 @@
<div class="titlepage">
<div>
<div><table class="navigation" id="top" width="100%" cellpadding="2" cellspacing="0"><tr><th valign="middle"><p class="title">WebKit2GTK+ Reference Manual</p></th></tr></table></div>
<div><p class="releaseinfo">for WebKit2GTK+ 2.12.2</p></div>
<div><p class="releaseinfo">for WebKit2GTK+ 2.12.3</p></div>
</div>
<hr>
</div>
......
......@@ -177,7 +177,7 @@ against at application run time.</p>
<hr>
<div class="refsect2">
<a name="WEBKIT-MICRO-VERSION:CAPS"></a><h3>WEBKIT_MICRO_VERSION</h3>
<pre class="programlisting">#define WEBKIT_MICRO_VERSION (2)
<pre class="programlisting">#define WEBKIT_MICRO_VERSION (3)
</pre>
<p>Like <a class="link" href="webkit2gtk-4.0-WebKitVersion.html#webkit-get-micro-version" title="webkit_get_micro_version ()"><code class="function">webkit_get_micro_version()</code></a>, but from the headers used at
application compile time, rather than from the library linked
......
......@@ -14,7 +14,7 @@
<div class="titlepage">
<div>
<div><table class="navigation" id="top" width="100%" cellpadding="2" cellspacing="0"><tr><th valign="middle"><p class="title">WebKitDOMGTK+ Reference Manual</p></th></tr></table></div>
<div><p class="releaseinfo">for WebKitDOMGTK+ 2.12.2</p></div>
<div><p class="releaseinfo">for WebKitDOMGTK+ 2.12.3</p></div>
</div>
<hr>
</div>
......
==================
WebKitGTK+ 2.12.3
==================
What's new in WebKitGTK+ 2.12.3?
- Improved the detection of supported MIME types supported by the media player.
- Fix web process crash when playing adaptive streaming media.
- Change the volume while thumb slider is dragged, not only when released.
- Fix leaked thread in network process.
- Fix several crashes and rendering issues.
- Translation updates: Hungarian.
- Security fixes: CVE-2016-1857, CVE-2016-1856.
==================
WebKitGTK+ 2.12.2
==================
......
......@@ -2190,6 +2190,12 @@ bool ByteCodeParser::handleIntrinsicCall(int resultOperand, Intrinsic intrinsic,
}
case StringPrototypeReplaceIntrinsic: {
if (!isFTL(m_graph.m_plan.mode)) {
// This is a marginally profitable intrinsic. We've only the work to make it an
// intrinsic on the fourth tier.
return false;
}
if (argumentCountIncludingThis != 3)
return false;
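Review bot: The comment added inside the new FTL gate reads `We've only the work to make it an intrinsic on the fourth tier.`, which is missing its verb; it should read `We've only done the work to make it an intrinsic on the fourth tier.` It would also help to say what the gate protects: elsewhere in this commit the DFG backends now treat StringReplace as an unexpected node and crash on it, so this early `return false` is what keeps the node out of non-FTL plans. handleIntrinsicCall starts before and continues after this hunk.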
......
......@@ -6678,18 +6678,13 @@ void SpeculativeJIT::speculateFinalObject(Edge edge)
speculateCellType(edge, operand.gpr(), SpecFinalObject, FinalObjectType);
}
void SpeculativeJIT::speculateRegExpObject(Edge edge, GPRReg cell)
{
speculateCellType(edge, cell, SpecRegExpObject, RegExpObjectType);
}
void SpeculativeJIT::speculateRegExpObject(Edge edge)
{
if (!needsTypeCheck(edge, SpecRegExpObject))
return;
SpeculateCellOperand operand(this, edge);
speculateRegExpObject(edge, operand.gpr());
speculateCellType(edge, operand.gpr(), SpecRegExpObject, RegExpObjectType);
}
void SpeculativeJIT::speculateObjectOrOther(Edge edge)
......
......@@ -1272,16 +1272,6 @@ public:
m_jit.setupArgumentsWithExecState(arg1, arg2);
return appendCallSetResult(operation, result);
}
JITCompiler::Call callOperation(J_JITOperation_EJssReo operation, GPRReg result, GPRReg arg1, GPRReg arg2)
{
m_jit.setupArgumentsWithExecState(arg1, arg2);
return appendCallSetResult(operation, result);
}
JITCompiler::Call callOperation(J_JITOperation_EJssReoJss operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
{
m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
return appendCallSetResult(operation, result);
}
JITCompiler::Call callOperation(J_JITOperation_EJssZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
{
m_jit.setupArgumentsWithExecState(arg1, arg2);
......@@ -1445,25 +1435,20 @@ public:
m_jit.setupArgumentsWithExecState(arg1, arg2);
return appendCallSetResult(operation, result);
}
JITCompiler::Call callOperation(J_JITOperation_EJJ operation, GPRReg result, GPRReg arg1, int32_t imm)
JITCompiler::Call callOperation(J_JITOperation_EJJ operation, GPRReg result, GPRReg arg1, MacroAssembler::TrustedImm32 imm)
{
m_jit.setupArgumentsWithExecState(arg1, MacroAssembler::TrustedImm64(JSValue::encode(jsNumber(imm))));
m_jit.setupArgumentsWithExecState(arg1, MacroAssembler::TrustedImm64(JSValue::encode(jsNumber(imm.m_value))));
return appendCallSetResult(operation, result);
}
JITCompiler::Call callOperation(J_JITOperation_EJJ operation, GPRReg result, int32_t imm, GPRReg arg2)
JITCompiler::Call callOperation(J_JITOperation_EJJ operation, GPRReg result, MacroAssembler::TrustedImm32 imm, GPRReg arg2)
{
m_jit.setupArgumentsWithExecState(MacroAssembler::TrustedImm64(JSValue::encode(jsNumber(imm))), arg2);
m_jit.setupArgumentsWithExecState(MacroAssembler::TrustedImm64(JSValue::encode(jsNumber(imm.m_value))), arg2);
return appendCallSetResult(operation, result);
}
JITCompiler::Call callOperation(J_JITOperation_EJJ operation, JSValueRegs result, JSValueRegs arg1, JSValueRegs arg2)
{
return callOperation(operation, result.payloadGPR(), arg1.payloadGPR(), arg2.payloadGPR());
}
JITCompiler::Call callOperation(J_JITOperation_EJJJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
{
m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
return appendCallSetResult(operation, result);
}
JITCompiler::Call callOperation(J_JITOperation_ECC operation, GPRReg result, GPRReg arg1, GPRReg arg2)
{
m_jit.setupArgumentsWithExecState(arg1, arg2);
......@@ -1649,16 +1634,6 @@ public:
m_jit.setupArgumentsWithExecState(arg1, arg2);
return appendCallSetResult(operation, resultPayload, resultTag);
}
JITCompiler::Call callOperation(J_JITOperation_EJssReo operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2)
{
m_jit.setupArgumentsWithExecState(arg1, arg2);
return appendCallSetResult(operation, resultPayload, resultTag);
}
JITCompiler::Call callOperation(J_JITOperation_EJssReoJss operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2, GPRReg arg3)
{
m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
return appendCallSetResult(operation, resultPayload, resultTag);
}
JITCompiler::Call callOperation(J_JITOperation_EPS operation, GPRReg resultTag, GPRReg resultPayload, void* pointer, size_t size)
{
m_jit.setupArgumentsWithExecState(TrustedImmPtr(pointer), TrustedImmPtr(size));
......@@ -1816,11 +1791,6 @@ public:
{
return callOperation(operation, result.tagGPR(), result.payloadGPR(), arg1.tagGPR(), arg1.payloadGPR(), arg2.tagGPR(), arg2.payloadGPR());
}
JITCompiler::Call callOperation(J_JITOperation_EJJJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2Tag, GPRReg arg2Payload, GPRReg arg3Tag, GPRReg arg3Payload)
{
m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2Payload, arg2Tag, arg3Payload, arg3Tag);
return appendCallSetResult(operation, resultPayload, resultTag);
}
JITCompiler::Call callOperation(J_JITOperation_ECJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2Tag, GPRReg arg2Payload)
{
......@@ -2502,7 +2472,6 @@ public:
void speculateObject(Edge);
void speculateFunction(Edge);
void speculateFinalObject(Edge);
void speculateRegExpObject(Edge, GPRReg cell);
void speculateRegExpObject(Edge);
void speculateObjectOrOther(Edge);
void speculateString(Edge edge, GPRReg cell);
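Review bot: The two J_JITOperation_EJJ overloads that now take `MacroAssembler::TrustedImm32 imm` instead of `int32_t imm` carry no explanation of why the parameter type changed; since their bodies only unwrap `imm.m_value`, the change looks like an overload-resolution fix rather than a behavioural one, but that is inferred. If that is the reason, a short comment above the first of them, such as `// Takes TrustedImm32 rather than int32_t so a GPRReg argument cannot silently match this overload.`, would save the next reader the same guess; otherwise state the actual reason. The class body starts and ends outside the visible hunks.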
......
......@@ -2910,74 +2910,6 @@ void SpeculativeJIT::compile(Node* node)
booleanResult(result.gpr(), node);
break;
}
case StringReplace: {
if (node->child1().useKind() == StringUse
&& node->child2().useKind() == RegExpObjectUse
&& node->child3().useKind() == StringUse) {
if (JSString* replace = node->child3()->dynamicCastConstant<JSString*>()) {
if (!replace->length()) {
SpeculateCellOperand string(this, node->child1());
SpeculateCellOperand regExp(this, node->child2());
GPRReg stringGPR = string.gpr();
GPRReg regExpGPR = regExp.gpr();
speculateString(node->child1(), stringGPR);
speculateRegExpObject(node->child2(), regExpGPR);
flushRegisters();
GPRFlushedCallResult2 resultTag(this);
GPRFlushedCallResult resultPayload(this);
callOperation(
operationStringProtoFuncReplaceRegExpEmptyStr, resultTag.gpr(),
resultPayload.gpr(), stringGPR, regExpGPR);
m_jit.exceptionCheck();
cellResult(resultPayload.gpr(), node);
break;
}
}
SpeculateCellOperand string(this, node->child1());
SpeculateCellOperand regExp(this, node->child2());
SpeculateCellOperand replace(this, node->child3());
GPRReg stringGPR = string.gpr();
GPRReg regExpGPR = regExp.gpr();
GPRReg replaceGPR = replace.gpr();
speculateString(node->child1(), stringGPR);
speculateRegExpObject(node->child2(), regExpGPR);
speculateString(node->child3(), replaceGPR);
flushRegisters();
GPRFlushedCallResult2 resultTag(this);
GPRFlushedCallResult resultPayload(this);
callOperation(
operationStringProtoFuncReplaceRegExpString, resultTag.gpr(), resultPayload.gpr(),
stringGPR, regExpGPR, replaceGPR);
m_jit.exceptionCheck();
cellResult(resultPayload.gpr(), node);
break;
}
JSValueOperand string(this, node->child1());
JSValueOperand regExp(this, node->child2());
JSValueOperand replace(this, node->child3());
GPRReg stringTagGPR = string.tagGPR();
GPRReg stringPayloadGPR = string.payloadGPR();
GPRReg regExpTagGPR = regExp.tagGPR();
GPRReg regExpPayloadGPR = regExp.payloadGPR();
GPRReg replaceTagGPR = replace.tagGPR();
GPRReg replacePayloadGPR = replace.payloadGPR();
flushRegisters();
GPRFlushedCallResult2 resultTag(this);
GPRFlushedCallResult resultPayload(this);
callOperation(
operationStringProtoFuncReplaceGeneric, resultTag.gpr(), resultPayload.gpr(),
stringTagGPR, stringPayloadGPR, regExpTagGPR, regExpPayloadGPR, replaceTagGPR,
replacePayloadGPR);
m_jit.exceptionCheck();
cellResult(resultPayload.gpr(), node);
break;
}
case ArrayPush: {
ASSERT(node->arrayMode().isJSArray());
......@@ -4938,6 +4870,7 @@ void SpeculativeJIT::compile(Node* node)
case KillStack:
case GetStack:
case GetMyArgumentByVal:
case StringReplace:
DFG_CRASH(m_jit.graph(), node, "unexpected node in DFG backend");
break;
}
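Review bot: `case StringReplace:` is added to the DFG_CRASH list without a note on why a node this backend used to compile is now a hard failure, and the same applies to the matching line added in DFGSpeculativeJIT64.cpp. The ByteCodeParser change in this commit only admits the StringReplace intrinsic for FTL plans, so reaching this case means a node was produced for a tier that cannot compile it; a one-line comment next to the new case, `// Only FTL plans produce StringReplace (see handleIntrinsicCall); reaching it here is a compiler bug.`, would record that invariant in both files. The enclosing compile() switch starts and ends outside the hunk.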
......
......@@ -44,7 +44,6 @@
#include "ObjectPrototype.h"
#include "SetupVarargsFrame.h"
#include "SpillRegistersMode.h"
#include "StringPrototype.h"
#include "TypeProfilerLog.h"
#include "Watchdog.h"
......@@ -3057,67 +3056,6 @@ void SpeculativeJIT::compile(Node* node)
jsValueResult(result.gpr(), node, DataFormatJSBoolean);
break;
}
case StringReplace: {
if (node->child1().useKind() == StringUse
&& node->child2().useKind() == RegExpObjectUse
&& node->child3().useKind() == StringUse) {
if (JSString* replace = node->child3()->dynamicCastConstant<JSString*>()) {
if (!replace->length()) {
SpeculateCellOperand string(this, node->child1());
SpeculateCellOperand regExp(this, node->child2());
GPRReg stringGPR = string.gpr();
GPRReg regExpGPR = regExp.gpr();
speculateString(node->child1(), stringGPR);
speculateRegExpObject(node->child2(), regExpGPR);
flushRegisters();
GPRFlushedCallResult result(this);
callOperation(
operationStringProtoFuncReplaceRegExpEmptyStr, result.gpr(), stringGPR,
regExpGPR);
m_jit.exceptionCheck();
cellResult(result.gpr(), node);
break;
}
}
SpeculateCellOperand string(this, node->child1());
SpeculateCellOperand regExp(this, node->child2());
SpeculateCellOperand replace(this, node->child3());
GPRReg stringGPR = string.gpr();
GPRReg regExpGPR = regExp.gpr();
GPRReg replaceGPR = replace.gpr();
speculateString(node->child1(), stringGPR);
speculateRegExpObject(node->child2(), regExpGPR);
speculateString(node->child3(), replaceGPR);
flushRegisters();
GPRFlushedCallResult result(this);
callOperation(
operationStringProtoFuncReplaceRegExpString, result.gpr(), stringGPR, regExpGPR,
replaceGPR);
m_jit.exceptionCheck();
cellResult(result.gpr(), node);
break;
}
JSValueOperand string(this, node->child1());
JSValueOperand regExp(this, node->child2());
JSValueOperand replace(this, node->child3());
GPRReg stringGPR = string.gpr();
GPRReg regExpGPR = regExp.gpr();
GPRReg replaceGPR = replace.gpr();
flushRegisters();
GPRFlushedCallResult result(this);
callOperation(
operationStringProtoFuncReplaceGeneric, result.gpr(), stringGPR, regExpGPR,
replaceGPR);
m_jit.exceptionCheck();
cellResult(result.gpr(), node);
break;
}
case ArrayPush: {
ASSERT(node->arrayMode().isJSArray());
......@@ -5007,6 +4945,7 @@ void SpeculativeJIT::compile(Node* node)
case PutStack:
case KillStack:
case GetStack:
case StringReplace:
DFG_CRASH(m_jit.graph(), node, "Unexpected node");
break;
}
......
......@@ -45,7 +45,6 @@ class JSArray;
class JSFunction;
class JSLexicalEnvironment;
class JSScope;
class RegExpObject;
class Register;
class StructureStubInfo;
class SymbolTable;
......@@ -95,7 +94,6 @@ typedef char* UnusedPtr;
Pc: Instruction* i.e. bytecode PC
Q: int64_t
R: Register
Reo: RegExpObject*
S: size_t
Sprt: SlowPathReturnType
Ssi: StructureStubInfo*
......@@ -130,13 +128,9 @@ typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJA)(ExecState*, EncodedJS
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJI)(ExecState*, EncodedJSValue, UniquedStringImpl*);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJIdc)(ExecState*, EncodedJSValue, const Identifier*);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJ)(ExecState*, EncodedJSValue, EncodedJSValue);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJJ)(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJAp)(ExecState*, EncodedJSValue, EncodedJSValue, ArrayProfile*);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJBy)(ExecState*, EncodedJSValue, EncodedJSValue, ByValInfo*);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJJ)(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJssZ)(ExecState*, JSString*, int32_t);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJssReo)(ExecState*, JSString*, RegExpObject*);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJssReoJss)(ExecState*, JSString*, RegExpObject*, JSString*);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJP)(ExecState*, EncodedJSValue, void*);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EP)(ExecState*, void*);
typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EPP)(ExecState*, void*, void*);
......
......@@ -491,9 +491,8 @@ static inline JSValue join(ExecState& state, JSObject* thisObject, StringView se
bool holesKnownToBeOK = false;
for (unsigned i = 0; i < length; ++i) {
if (JSValue value = data[i].get()) {
joiner.append(state, value);
if (state.hadException())
return jsUndefined();
if (!joiner.appendWithoutSideEffects(state, value))
goto generalCase;
} else {
if (!holesKnownToBeOK) {
if (holesMustForwardToPrototype(state, thisObject))
......@@ -541,9 +540,8 @@ static inline JSValue join(ExecState& state, JSObject* thisObject, StringView se
auto data = storage.vector().data();
for (unsigned i = 0; i < length; ++i) {
if (JSValue value = data[i].get()) {
joiner.append(state, value);
if (state.hadException())
return jsUndefined();
if (!joiner.appendWithoutSideEffects(state, value))
goto generalCase;
} else
joiner.appendEmptyString();
}
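Review bot: Both fast-path loops in join() drop the `state.hadException()` check that followed the old `joiner.append()` call, yet `appendWithoutSideEffects()` still passes `state` into `viewWithUnderlyingString()` for string cells; if that call can record an exception (for example when resolving a rope fails), the loop keeps appending with an exception pending. Confirm that it cannot, or keep `if (state.hadException()) return jsUndefined();` after a successful append in both loops. The `goto generalCase` also jumps forward to a label outside the hunk, so check that no non-trivially-initialised local is declared between the jump and the label. join() starts and ends outside both hunks.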
......
......@@ -181,6 +181,8 @@ private:
typedef HashMap<OpaqueJSClass*, std::unique_ptr<OpaqueJSClassContextData>> OpaqueJSClassDataMap;
struct JSGlobalObjectRareData {
WTF_MAKE_FAST_ALLOCATED;
public:
JSGlobalObjectRareData()
: profileGroup(0)
{
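Review bot: The `public:` inserted after `WTF_MAKE_FAST_ALLOCATED` in JSGlobalObjectRareData (and likewise in Lock) is unexplained; presumably the macro ends in a private section, which would otherwise leave the constructor and later members private even though this is a `struct`. A short comment on the added line, `// WTF_MAKE_FAST_ALLOCATED leaves the class in a private section.`, would stop the next reader from removing it as redundant. The struct body continues past the hunk.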
......
......@@ -37,6 +37,7 @@ public:
JSStringJoiner(ExecState&, StringView separator, unsigned stringCount);
void append(ExecState&, JSValue);
bool appendWithoutSideEffects(ExecState&, JSValue);
void appendEmptyString();
JSValue join(ExecState&);
......@@ -96,7 +97,7 @@ ALWAYS_INLINE void JSStringJoiner::appendEmptyString()
m_strings.uncheckedAppend({ { }, { } });
}
ALWAYS_INLINE void JSStringJoiner::append(ExecState& state, JSValue value)
ALWAYS_INLINE bool JSStringJoiner::appendWithoutSideEffects(ExecState& state, JSValue value)
{
// The following code differs from using the result of JSValue::toString in the following ways:
// 1) It's inlined more than JSValue::toString is.
......@@ -104,34 +105,43 @@ ALWAYS_INLINE void JSStringJoiner::append(ExecState& state, JSValue value)
// 3) It doesn't create a JSString for numbers, true, or false.
// 4) It turns undefined and null into the empty string instead of "undefined" and "null".
// 5) It uses optimized code paths for all the cases known to be 8-bit and for the empty string.
// If we might make an effectful calls, return false. Otherwise return true.
if (value.isCell()) {
if (value.asCell()->isString()) {
append(asString(value)->viewWithUnderlyingString(state));
return;
}
append(value.toString(&state)->viewWithUnderlyingString(state));
return;
if (!value.asCell()->isString())
return false;
append(asString(value)->viewWithUnderlyingString(state));
return true;
}
if (value.isInt32()) {
append8Bit(state.vm().numericStrings.add(value.asInt32()));
return;
return true;
}
if (value.isDouble()) {
append8Bit(state.vm().numericStrings.add(value.asDouble()));
return;
return true;
}
if (value.isTrue()) {
append8Bit(state.vm().propertyNames->trueKeyword.string());
return;
return true;
}
if (value.isFalse()) {
append8Bit(state.vm().propertyNames->falseKeyword.string());
return;
return true;
}
ASSERT(value.isUndefinedOrNull());
appendEmptyString();
return true;
}
ALWAYS_INLINE void JSStringJoiner::append(ExecState& state, JSValue value)
{
if (!appendWithoutSideEffects(state, value)) {
JSString* jsString = value.toString(&state);
append(jsString->viewWithUnderlyingString(state));
}
}
}
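Review bot: `appendWithoutSideEffects()` has no statement of its contract at its declaration, and the numbered comment block that was written for `append()` now sits above it while the new `append()` itself is undocumented; since the only `return false` branch is a non-string cell, the declaration should say so, e.g. `// Appends value unless converting it could run arbitrary code (a non-string cell); returns false without appending in that case.` The trailing sentence `If we might make an effectful calls, return false. Otherwise return true.` also has a grammatical slip and should read `If we might make an effectful call, return false.` The new `append()` still calls `viewWithUnderlyingString()` on the result of `toString()` without checking for an exception, exactly as the old code did; worth a comment if that is relied upon to be safe.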
......
......@@ -113,6 +113,7 @@ protected:
class Lock : public LockBase {
WTF_MAKE_NONCOPYABLE(Lock);
WTF_MAKE_FAST_ALLOCATED;
public:
Lock()
{
......
......@@ -56,6 +56,7 @@ public:
m_low = seed;
m_high = seed;
advance();
}
unsigned seed() const { return m_seed; }
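Review bot: The added `advance();` after `m_low = seed; m_high = seed;` has no comment saying why the generator is stepped once before use; presumably it is so that the first value handed out is not a trivial function of the seed, but that is inferred from the surrounding state only. A one-line comment on the added line, `// Step once so the first output does not directly expose the seed.`, would record the intent, or the actual reason if it differs. The enclosing setter starts before this hunk and its name is not visible.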
......
......@@ -390,7 +390,7 @@ Controller.prototype = {
volume.min = 0;
volume.max = 1;
volume.step = .01;
this.listenFor(volume, 'change', this.handleVolumeSliderChange);
this.listenFor(volume, 'input', this.handleVolumeSliderInput);
var captionButton = this.controls.captionButton = document.createElement('button');
captionButton.setAttribute('pseudo', '-webkit-media-controls-toggle-closed-captions-button');
......@@ -820,7 +820,7 @@ Controller.prototype = {
this.video.volume = 1;
},
handleVolumeSliderChange: function(event)
handleVolumeSliderInput: function(event)
{
if (this.video.muted) {
this.video.muted = false;
......
......@@ -159,7 +159,7 @@ void AccessibilityNodeObject::childrenChanged()
cache->postLiveRegionChangeNotification(parent);
// If this element is an ARIA text control, notify the AT of changes.
if ((parent->isARIATextControl() || parent->hasContentEditableAttributeSet()) && !parent->isNativeTextControl())
if (parent->isNonNativeTextControl())
cache->postNotification(parent, parent->document(), AXObjectCache::AXValueChanged);
}
}
......@@ -739,24 +739,6 @@ bool AccessibilityNodeObject::isMultiSelectable() const
return node() && node()->hasTagName(selectTag) && downcast<HTMLSelectElement>(*node()).multiple();
}
bool AccessibilityNodeObject::isReadOnly() const
{
Node* node = this->node();
if (!node)
return true;
if (is<HTMLTextAreaElement>(*node))
return downcast<HTMLTextAreaElement>(*node).isReadOnly();
if (is<HTMLInputElement>(*node)) {
HTMLInputElement& input = downcast<HTMLInputElement>(*node);
if (input.isTextField())
return input.isReadOnly();
}
return !node->hasEditableStyle();
}
bool AccessibilityNodeObject::isRequired() const
{
// Explicit aria-required values should trump native required attributes.
......@@ -1978,6 +1960,57 @@ bool AccessibilityNodeObject::canSetFocusAttribute() const
return element.supportsFocus();
}
bool AccessibilityNodeObject::canSetValueAttribute() const
{
Node* node = this->node();
if (!node)
return false;
// The host-language readonly attribute trumps aria-readonly.
if (is<HTMLTextAreaElement>(*node))
return !downcast<HTMLTextAreaElement>(*node).isReadOnly();
if (is<HTMLInputElement>(*node)) {
HTMLInputElement& input = downcast<HTMLInputElement>(*node);
if (input.isTextField())
return !input.isReadOnly();
}
String readOnly = ariaReadOnlyValue();
if (!readOnly.isEmpty())
return readOnly == "true" ? false : true;
if (isNonNativeTextControl())
return true;
if (isMeter())
return false;
if (isProgressIndicator() || isSlider())
return true;
#if PLATFORM(GTK) || PLATFORM(EFL)
// In ATK, input types which support aria-readonly are treated as having a
// settable value if the user can modify the widget's value or its state.
if (supportsARIAReadOnly() || isRadioButton())
return true;
#endif
if (isWebArea()) {
Document* document = this->document();
if (!document)
return false;