
--------

Backdrop renderer removal leaves associated layout box behind (279651@main)
(REGRESSION 278380@main)Bad repaint when hovering over GitHub Reviewers gear icon (279644@main)
[Invalidation] Teardown root should take care of marking ancestors dirty on behalf of its subtree (279377@main partial)
[RenderTreeBuilder] Subtree teardown should trigger repaint only on destroy root (278380@main)

Check that objects have inline storage before trying to copy it (278270@main)
[JSC] Cloning via Object Literal + 1 Spread should be super fast (277097@main)

REGRESSION (iOS 17.5): Method call silently fails since iOS 17.5/ MacOS 14.5 after a warmup period (279790@main)
[JSC] Handle OutOfBounds GetByVal of TypedArray (277050@main)

[JSC] Remove the redundant NodeResultInt32 check in addImmediateShouldSpeculateInt32 (276983@main)

REGRESSION (249229@main): CSS filter does not update on hover (256920@main)
[GPU Process] CSSFilter should be created only at the painting time (249229@main)

Fix buffer overflow in FEConvolveMatrixSoftwareApplier (264527@main)
[Filters] Implement identity filters (253098@main complete revisited)
[GPU Process] [Filters] Remove SVGFilterBuilder (r295517)
[GPU Process] [Filters] Simplify the dynamic update of the SVG filter elements (r295498)

jsc_fuz/wktr: null ptr deref in WebCore::invokeWritableStreamFunction(...) (InternalWritableStream.cpp:49) (272251@main)

[JSC] rename Array#group/Array#groupByToMap to Object.groupBy/Map.groupBy (265632@main)
[JSC] Rename Array#groupBy to Array#group and enable them (253101@main)
Implement Array.prototype.groupBy and Array.prototype.groupByToMap (r287136)

REGRESSION (262875@main): animation of rotate property doesn't work if there's a `scale` (269453@main)
REGRESSION (262875@main / iOS 17): fill: 'both' not respected with animation (265909@main)
REGRESSION (262875@main / iOS 17): fill: 'both' not respected with animation (265498@main)
REGRESSION (260399@main): animations flicker on https://payto.com.au (262875@main)
WPT css/css-animations/flip-running-animation-via-variable.html is a failure (260399@main)

REGRESSION(270890@main): Animation doesn't trigger when custom property initial value matches the first frame (271268@main)
Add style invalidity state for animations (270890@main)

[JSC] Array.from fast path should only handle pure JSArray (271720@main)
[JSC] Array.from fast path should handle array with holes (270748@main)
[JSC] Add Array.from(Array) fast path  (269690@main)

[JSC] TypedArray setFromArrayLike condition is wrong (269106@main)
Intermittent removal of adoptedStyleSheet CSSStyleSheet instances when assigning adoptedStyleSheet array (266464@main)
[JSC] TypedArray construction should scan JSArray in faster way (266182@main)
[JSC] Add fast path for TypedArray::setArrayLike (265346@main)
[JSC] Do not use Vector as intermediate transfer buffer for typed array (263942@main)
[JSC] Implement growable SharedArrayBuffer part 2 (256766@main)
[JSC] TypedArray can stop [[Prototype]] lookup chain (254264@main)

REGRESSION (266316@main): Disabled checkboxes change state when clicked (269376@main)
Enable SendMouseEventsToDisabledFormControlsEnabled by default in stable (266316@main)
Event dispatching on disabled form controls (264098@main complete revisited)

REGRESSION(268480@main): test/language/arguments-object/S10.6_A5_T3.js test262 test is failing (268601@main)
Add fast path of getting arguments.length for LLInt and Baseline (268480@main)

REGRESSION(267280@main): costco.com crash in WebCore::ShorthandSerializer::serializeGridTemplate const (267989@main)
Use ShorthandSerializer for grid-template shorthand. (267280@main)

Back button needs to be pressed twice to go back on https://www.liveilpalazzoapartments.com (267287@main)
Ignore history items added by JS without user interaction when navigation back/forward via the WKWebView API (r295778)

REGRESSION: (264863@main) Fix regression in CSSCalcValue (265667@main)
Ensure we don't crash with calc(round()) (264863@main)

[JSC] isNaN should insert Check instead of fixup edge when converting it to constant (265570@main)
[JSC] Implement isNaN / Number.isNaN in C++ (264768@main)

Regression(264594@main) Unable to search for flights on delta.com (265501@main)
[Bindings] Align [[DefineOwnProperty]], [[Set]] & [[Delete]] with the Web IDL specification (264594@main)

DatabaseContext should not prevent entering the back/forward cache (r252064)
Fix thread safety issue in Database::scheduleTransactionCallback() (r247219 + r252824 revisited)
Begin moving member functions from SQLTransactionBackend to SQLTransaction (r204356)

Regression(260713@main) https://www.theverge.com/2023/5/17/23686294/montana-tiktok-ban-signed-governor-gianforte-court load never completes (265391@main)
Lazily loaded frames should still get a contentWindow/contentDocument as soon as they get inserted into the document (260713@main)

Avoid creating an entry in RenderSVGResourceClipper::m_clipperMap if we can do path-only clipping (264557@main)
Make RenderSVGResourceClipper lazily recompute clip-path data when referencing element is changed (252311@main)
Make RenderSVGResourceGradient lazily recompute gradients when referencing element is changed (252268@main)

overflow:clip fails when intrusive float is present (264101@main)

Reland 263531@main without Speedometer regression (264218@main)
Repaint issues with currentColor & color-mix() (263531@main)

REGRESSION (259904@main): @math operation cannot trigger in Quip app (266781@main)
REGRESSION (259904@main): window.getSelection() is empty for selection inside textarea (263280@main)
Fix caret move by line when padding-top is set (259906@main)
Selection API: Return live range synchronized with selection from getRangeAt and throw errors as specified (259904@main)

REGRESSION (Safari 16.4, 258767@main): Carcassonne game on boardgamearena.com unplayable (serialization bug affecting background-position) (265056@main)
REGRESSION (258767@main): image on studioneat.com is strangely masked (261808@main)
REGRESSION (STP 164): new failure in css/css-backgrounds/parsing/background-shorthand-serialization.html (261250@main)
Values set by mask and background shorthands should not serialize as "initial" (260157@main)
Shorthands are still using "initial" for longhands that are set implicitly (258061@main + 258087@main rolled out + 258767@main)

REGRESSION(249934@main): Captions fail to load on ESPN.com (259781@main)
TextTrackLoader should use SameOrigin mode by default  (r293311, 249934@main)

Invoke ValidatedFormListedElement::parseReadOnlyAttribute() conditionally (258621@main + 258898@main rolled out + 258964@main)

[JSC] WTF::CrashOnOverflow::crash() with ''.search('(?<A>)|(?<A>)*\\k<A>'); (264441@main)
ASAN_BUS | Yarr::Interpreter::matchDisjunction; Yarr::Interpreter::backtrackParentheses; Yarr::Interpreter::matchDisjunction (264264@main complete revisited)
[JSC] Fix Paren Context allocation and use with Duplicate Named Capture groups (262239@main)
REGRESSION(260692@main) 14 Test262 tests fail after this this change (261405@main)
[JSC] Implement RegExp Duplicate Named Capture Groups (260692@main)

[JSC] Use storage node in ArrayPush for SlowPutArray (255454@main)
[JSC] Relax ArrayPush DFG optimization (255366@main)

Remove behavior that makes <br> boxes 0-height in quirks mode (r253326)

Serialize template content correctly (255526@main)
Serialize DOM trees iteratively (253838@main)
Rename MarkupAccumulator::appendStartTag, appendElement, etc... for clarity (r237025)

REGRESSION(205039@main): StyledMarkupAccumulator sometimes does not emit an end tag (257977@main)
REGRESSION(r236609): API tests for mso list preservation are failing (r236618)
Simplify StyledMarkupAccumulator::traverseNodesForSerialization (r236609/205039@main)

REGRESSION (r223440): Copying & pasting a list from Microsoft Word to TinyMCE fails (r228482)
REGRESSION (r223440): Copying & pasting a list from Microsoft Word to TinyMCE fails (r228352)
Cannot access images included in the content pasted from Microsoft Word (r223440)

[JSC] JSPropertyNameEnumerator should not have cached prototype chain since empty JSPropertyNameEnumerator is shared (r283556)
[JSC] Validate JSPropertyNameEnumerator via watchpoints (r282014)
for-in should only emit one loop in bytecode (r280760)
[JSC] Optimize getEnumerableLength (r273766)

Implement GetByVal inline caching for 32-bit JITs (r252974)
GetByStatus should not say it took the slow path for multiple identifiers and should have a way to indicate if the StructureStubInfo it saw took the slow path (r252763)
Regression (r252680): JSCOnly build broken: no matching function for call to JSC::DFG::SpeculativeJIT::jsValueResult (r252690 complete revisited)
GetByVal should use polymorphic access and hook into a status object (r252684)

Unreviewed, fix simple goof that was causing 32-bit DFG crashes. (r229545)
Split DirectArguments into JSValueOOB and JSValueStrict parts (r229518)

Follow up to bug#179762. Fix PreciseLocalClobberize to handle Spread/PhantomSpread(PhantomNewArrayBuffer) (r226081)
We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize (r225834)
Spread can escape when CreateRest does not (r225202)
We should be able optimize the pattern where we spread a function's rest parameter to another call (r209121)

Lifetime of HTMLMediaElement is not properly handled in asynchronous actions (r238788)

Remove unnecessary Structure flags from generated bindings (r170074)
Extract prototype declaration generation into a helper function (r170044)

[image-decoders] Make ImageDecoder::size() lazily decode the image if needed to return a valid size (r202800 complete revisited)
REGRESSION(r198782, r201043): [image-decoders] Flickering with some animated gif (r202616 complete revisited)
BitmapImage::destroyDecodedDataIfNecessary() should only count frames with image data (r201043)
Create a CG ImageDecoder class instead of defining it as CGImageSourceRef (r198782)

[Cocoa] Google Fonts doesn't work if the user has the requested font locally-installed (r233447)
Refactor user-installed font setting for clarity (r226172)
[Cocoa] Add SPI to disallow user-installed fonts (r225641)

[CSS OM] StyledElementInlineStylePropertyMap creates a Ref cycle with its owner element (r243239)
CSS Typed OM should expose attributeStyleMap (r239341)
Implement feature flag for CSS Typed OM (r239098)
Replace some stack raw pointers with RefPtrs within WebCore/svg (r224615 complete revisited)

JSObject::getOwnPropertyDescriptor is missing an exception check (r245249 complete revisited)
[WebIDL] Replace some custom bindings code in JSCSSStyleDeclarationCustom.cpp with named getters/setters (r219622 complete revisited)
[WebIDL] Move plugin object customization into the generator (r219302 complete revisited)

======Bindings======
[WebIDL] Add complete support for stringifier (r218789 complete revisited)
[WebIDL] Add support for record types (r208893)
[WebIDL] Restructure IDLParser structs to better match modern WebIDL concepts (r208134)
[WebIDL] Update parser and code generators to only access type information through the type property (r208066)
[WebIDL] Move code generators off of domSignature::type and onto domSignature::idlType (r208023)
MessageEvent's source property should be a (DOMWindow or MessagePort)? rather than a EventTarget? (r207381 complete revisited)
Add initial support for IDL union conversion (r206691)

Kill [StrictTypeChecking] IDL extended attribute (r204033)
Drop [StrictTypeChecking] in cases where it is a no-op (r203956)
Pass reference instead of pointer to IDL attribute setters if not nullable (r200316)
[Web IDL] Pass even more types by reference (r200298)
Remove UsePointersEvenForNonNullableObjectArguments keyword (r200236)

Cache cross-origin methods / accessors of Window and Location per lexical global object (r274379 + r274393 reverted + r274528 + r274911)
Have an OOB+SaneChain Array::Speculation (r265775 + r265893 + r266254 + r266813)
[JSC] Use CacheableIdentifier for all ById case (r259175)
Fix instances of new.target that should be syntax errors (r259131)
OSR exit shouldn't bother updating get_by_id array profiles that have changed modes (r250440)
[JSC] Use finalizer in JSGlobalLexicalEnvironment and JSGlobalObject (r243279)
JSSegmentedVariableObject and its subclasses should have a sane destruction story (r210912)
optional sequence values not handled correctly by binding generator (r209303 complete revisited + r209310)
Simplify SerializedScriptValue, MessagePortArray and ArrayBufferArray to ease generation (r207505 complete revisited)

======JSC Upstream changes======
JSC [158000-173298][checked][264417-265373]

Generated serializers do not properly handle optional interface attributes (r223780)
[WebIDL] Add support for serializers that have members that are themselves serializers (or inherit being a serializer from a parent) (r218511)
[WebIDL] Use the term 'operation' more consistently (r217451)
[WebIDL] Improve serializer = { inherit } (r212344)
[WebIDL] Add support for inherit serializer attribute (r211409)
Autogenerate passing union types as part of a functions variadic arguments (r206956)
Support WebIDL unions (Part 1) (r204404 + r204412 rolled out + r204626)

Crash in HTMLCanvasElement::createContext2d after the element got adopted to a new document (r243820)
Add a base class for HTMLCanvasElement and OffscreenCanvas (r224929 + r225119)
Stub implementations of OffscreenCanvas getContext and transferToImageBitmap (r224836)
[Canvas] Split CanvasRenderingContext2D.idl into separate IDLs to match current HTML spec (r221598)
[WebIDL] Add complete support for stringifier (r218789 partial)
Make a base class for WebGL and WebGPU contexts (r214017)

Update ANGLE (r208036)

Assertion failure when opening a file with a missing tag closing bracket (r221335)
Streamline and speed up tokenizer and segmented string classes (r209058 + r209120 rolled out + r209129 complete revisited)
Avoid copying vector of attributes as much as possible in the HTML parser (r208776)
REGRESSION (r178265): XSS Auditor fails to block document.write() of incomplete tag (r207848)
Modernize and streamline HTMLTokenizer (r178154 + r178163 + r178164 + r178173 rolled out + r178265)

Clients should have a way to extend rendering suppression (r150388)
Need a LayoutMilestone to fire when we have done our first paint after suppressing incremental layout (r149317)

Refine the DOM element iterator implementation (r257192 partial)
Use DOM element iterators more, and more consistently (r257188 partial revisited)
  > nodelist-iterable.html

Make it safe to store a ThreadSafeRefCounted object in Ref & RefPtr safe inside its destructor (r251034)

AudioScheduledSourceNodes leak if they have an attached onended EventTarget (r252389)

Use WeakPtrs to avoid using deallocated Widgets and ScrollableAreas (r199331)
[WK1] Wheel event callback removing the window causes crash in WebCore (r199245)
[GTK] No hover-horizontal scrolling available (r196640)
Scroll latching logic can get stuck in 'scrollable="no"' iframes (r181879)
Latching in iframes is not working as expected (r173784)
[Mac] Gesture scrolls don't work in the WebKit1 clients after scrolling a non-scrollable iFrame (r172703)
Crashes seen in wheel event handling (r171283)
[Mac] WebKit1 WebView iframe not responding to scroll gestures (r170765)
[Mac] Follow-up: After a horizontal overflow scroll with a mechanical wheel mouse, vertical scrolling no longer works (r167650)
[Mac] After a horizontal overflow scroll with a mechanical wheel mouse, vertical scrolling no longer works (r167648)
Latched scrolling may interact badly with custom programmatic scrolling (r167560)
Wheel events don't latch to inner scrollable elements  (r163975)

[JSC] Implement JSMapIterator/JSSetIterator with JSInternalFieldObjectImpl (r260181, 223467@main)
[JSC] Remove IsDone from JSArrayIterator (r254419)
[JSC] Introduce JSArrayIterator (r254252 complete revisited)
[JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl (r249547 complete revisited)

Implement the updated port/area-based Scroll Snap Module Level 1 Spec (r210024)
Negative scroll snap repeat values cause web process to hang indefinitely (r186840)
Scroll-snap points do not handle margins and padding propertly (r183906)
scroll-snap-destination and scroll-snap-coordinate do not seem to work together properly (r181855)
CSS scroll-snap-destination and scroll-snap-coordinate are not honoring position values (r181352)
Add 'initial' keyword support for scroll snap CSS properties (r181189)
Move '-webkit-scroll-snap-*' CSS properties to the new StyleBuilder (r177958)
Scroll snap properties don't handle inherit and initial propertly. (r173659)
Implement parsing for CSS scroll snap points (r172192)

Simplify and streamline some Color-related code to prepare for some Color/ExtendedColor work (r225680)
[CSS Parser] Enable CSS Deferred Parsing (r209862 + r209997 rolled out)
[CSS Parser] Make deferred parsing retain the sheet text. Fix invalidation to avoid deferred parsing. (r209835)
[CSS Parser] Implement deferred parsing of properties, @media, @supports and @keyframes (r209826)
[CSS Parser] Implement deferred parsing of properties, @media, @supports and @keyframes (r209718)
CSS parsing should use Color not RGBA32 (r207317 + r207342 rolled out + r207361)
Tidy handling of type=color in HTMLInputElement a bit (r191876)
Move -webkit-tap-highlight-color / -webkit-overflow-scrolling / -webkit-touch-callout to the new StyleBuilder (r178108)
  => [Old Parser] css3test.com 50% 1523 tests out of 2879 total for 656 features

Rename override sizes to overriding sizes (r268919)

imported/w3c/web-platform-tests/fetch/api/request/destination/fetch-destination-worker.https.html is a flaky crash (253280@main)
Implement quota limitation for keepalive Fetch requests (r220751)

Simplify DOMWindowProperty code / handling (r242676)

Avoid SVG-induced layouts inside Element::absoluteEventBounds() (r191525)
Make it possible to compute a region for elements on the page that have wheel event handlers (r182215)

Avoid keeping the frame alive when ref'ing a WindowProxy (r231963)
Rename WindowProxyController to WindowProxy (r230794)
Split WindowProxy handling out of ScriptController and into a new class owned by AbstractFrame (r230643)

Avoid null deref after inserting a text field with a list attribute (r259402)
Datalist option's label not used (r259330)
Fix HTMLDataListElement.options to include even options that are not suggestions (r257194)

InlineTextBoxes containing Zero Width Joiner, `Zero Width Non-Joiner`, or `Zero Width No-Break Space` characters must not use simplified text measuring (259618@main)
Let content with newlineCharacter be measured by FontCascade::widthForSimpleText (r282051)
Let content with newlineCharacter be measured by FontCascade::widthForSimpleText (r281978)
REGRESSION(r281389): using font-variant-ligatures causes Unicode bidi isolation control characters to render (r288107)
REGRESSION(r281389): Text wraps unnecessarily within intrinsically-sized elements when using certain fonts and the inner HTML of the element contains a new line that is not preceded by a space (r287724)
REGRESSION(r281389): canUseSimplifiedTextMeasuring() needs to match with WidthIterator::applyCSSVisibilityRules() (r281423)
overwriteCodePoint() in createAndFillGlyphPage() is wrong (r281389)
GlyphBuffer can become inconsistent with its backing string (r281300)
The fast text codepath does not handle run initial advances (r281294)
Shaping can be performed on glyphIDs from the wrong font (r265455)

[JSC] JSFunction's m_executable / m_rareData should be merged (r253932)

[CSS] Fix memory leak in CSSSelector copy ctor (263859@main)
CSS Nesting: nested selector matching (258367@main)

[CSS Cascade Layers] Add fonts and keyframes in cascade layer order (r283216)

[css-ui] Fix interpolation of accent-color (r283980)
[css-ui] Parsing support for accent-color (r283742)

[content-visibility] it should trigger a layout if the value of content-visibility is changed from hidden to others (257484@main)
[CSS contain] The size should be updated if layout containment is inside a fit-content parent (r285854)
[CSS contain] Support contain:size (r277321)
Support contain: layout (r276235)
[css-contain] Parse CSS contain property (r274793)

Separate scrolling code out of RenderLayer (r271559)
Introduce RenderLayerScrollableArea (r271111)

[DFG] InById should be converted to MatchStructure (r232400)
DFG should inline InstanceOf ICs (r232000)

Fix assertion added in r285592 (r286070)
in_by_val should not constant fold to in_by_id when the property is a property index (r285592)
[JSC] JSC should have consistent InById IC (r231998 + r232017 + r232029 rolled out + r232047)

JIT call inline caches should cache calls to objects with getCallData/getConstructData traps (r224487 complete revisited)

Keep promise in scope when calling DeferredPromise::reject (r290152)
Fetch using FormData with file doesn't go through Service Worker (r287612)

Nullptr crash with :has(~sibling) invalidation in shadow tree (267454@main)
Changing the dir attribute of documentElement doesn't update a child element matching :dir pseudo class (265332@main)
Fix css/selectors/invalidation/nth-child-of-has.html WPT (265021@main)
Fix style invalidation of IDs within :nth-child/:nth-last-child (264986@main)
:dir pseudo class doesn't invalidate after removing dir content attribute from document element (263357@main)
Fix hasRareData() check in Element (256125@main)
:has(~:dir(~)) should work (254017@main)
REGRESSION(253764@main): Disconnecting a subtree makes :lang pseudo class to never match (253915@main)
:has(:lang(~)) doesn't get invalidated (253764@main)
Fix invalidation with scope breaking :is/not() (r295035)
Invalidation fails if the mutated elements subtree has been marked invalid (r294423)
[:has() pseudo-class] Ignore :visited inside :has() (r288304)
[:has pseudo-class] Support :has(:not(foo)) (r288303)
[:has() pseudo-class] Compute specificity correctly (r288196)
[:has() pseudo-class] Disallow nested :has() (r288111)
[:has() pseudo-class] Avoid O(n^2) in style invalidation with repeated DOM mutations (r288012)
[:has() pseudo-class] Collect invalidation selectors for child invalidation (r287973)
[:has() pseudo-class] Style invalidation for :valid and :invalid (r287551)
[:has() pseudo-class] :has() selector does not render on first pass? (r287362)
REGRESSION(r286169): 0.3% Speedometer regression (r287325)
[:has() pseudo-class] Use Bloom filter to quickly reject :has() selectors (r287091)
Use more specific keys for pseudo-class invalidation (r286598)
[:has() pseudo-class] Improve result caching (r286494)
[:has() pseudo-class] Invalidation in non-subject position (r286433)
[:has() pseudo-class] Sibling combinator invalidation (r286365)
[:has() pseudo-class] Cache :has() failures for subtrees (r286302)
[:has() pseudo-class] id invalidation support (r286226)
[:has() pseudo-class] Invalidation support for adding and removing elements (r286188)
[:has() pseudo-class] Don't traverse descendants during selector matching unless needed (r286180)
[:has() pseudo-class] Invalidation support for adding and removing nodes (r286169)
[:has() pseudo-class] Basic invalidation support (r286135)

REGRESSION (r290628): Scrubber makes a visual trail when scrubbing on tv.youtube.com (r291493)
Compositing/paint invalidation with transforms (r290628)

Move RuleSet to Style namespace (r252599)
Update remaining DOM events to stop using legacy [ConstructorTemplate=Event] (r207215)
Update WheelEvent / MouseEvent to stop using legacy [ConstructorTemplate=Event] (r207041)

Fix hasExplicitlySetBorderRadius flag (r291536)
[Apple Pay] Buttons render with a corner radius of PKApplePayButtonDefaultCornerRadius even when explicitly specifying "border-radius: 0px" (r262279)

[css-cascade] Don't defer applying text decoration properties (r291568)
[css] text-decoration is not implemented as a shorthand (r291244)

Stack overflow with revert-layer (r285801)
Stack overflow with revert and revert-layer (r285713)
[CSS Cascade Layers] Support 'revert-layer' value (r285624)

[css-cascade] Fix cascade rollback for deferred properties (r293485)
[css-cascade] Optimize code for deferred properties  (r293100)

Move some of the work from Element::insertedIntoAncestor() / removedFromAncestor() to subclasses (r294930)

Remove some unnecessary work from the Node destructor (r294980)
Optimize setting SVG element transforms (r294970)

Avoid ElementIdentifier-related work under Element::removedFromAncestor() (r294931)
Add SPI to retrieve the set of text inputs in a given rect, and later focus one (r242696)

ASSERTION FAILED: !m_needExceptionCheck while converting IDLSequence<T> (r276949 partial)

:hover with descendant selector not invalidated correctly in shadow tree (r286063)
Factor pseudo class invalidation code in Document::updateHoverActiveState into a lambda (r277722)
REGRESSION (r271584): Hovering slowly over and out of "Top 100" items on liberation.fr does not restore animated state (r271930 rolled in)
Optimize :hover/:active style invalidation for deep trees and descendant selectors (r271584 rolled in)
  > Toggle button display issue on AXIS M4206-V Network Camera #settings->System->TCP/IP with mouse/touch.

Content sometimes missing in nested scrollers with border-radius (r263578)

Caret does not appear in text field inside a transformed, overflow: hidden container (r249339)
[iOS WK2] Avoid lots of compositing backing store for offscreen position:fixed descendants (r247540)

Fix long standing FIXME in parseNumericColor about not doubly clamping color components (r272226)
Fix alpha value rounding to match the CSS Color spec (r252598)

REGRESSION (r232991): Switching to dark mode in Mail does not update the message view to be transparent (r239414)
Unpainted area while scrolling in Reader is white (r232991)

intersectsWithAncestor should take fragmented boxes into account. (r292350)
Position:fixed layers shouldn't allocate a backing buffer if all children are offscreen. (r288429)

Make GraphicsLayers ref-counted, so their tree can persist when disconnected from RenderLayerBackings (r235953 + r235979 rolled out + r236016)

Simplify grid RTL handling (r290491)

Place vertical scrollbars at (inline/block)-end edge in all writing modes. (r276182 partial revisited)
Composited layers are misplaced inside RTL overflow scroller with visible scrollbar (r260482)
Horizontal overflow overlay scrollbar is misplaced in RTL (r260445)

Scrollbars are not clipped to layer bounds in RenderLayerBacking (r278883)
Minor overflow layers cleanup (r262833)
Group overflow controls layers into a single container layer (r260305)

REGRESSION (Safari 16): Input placeholder misplaced on revaaa.com (254962@main)
REGRESSION (250414@main): Placeholder text is vertically off center on mail.163.com (253500@main)

[web-animations] "Commits transforms as a transform list" subtest fails in web-animations/interfaces/Animation/commitStyles.html (255946@main)
When interpolating between transform lists partial prefix matches should not use matrix interpolation (r290667)

font-face must accept ranges in reverse order, and reverse them for *computed* style (255893@main)

css/css-fonts/animations/font-stretch-interpolation.html has failures (264206@main)
[web-animations] Animation.commitStyles() triggers a mutation even when the styles are unchanged (255129@main)
[web-animations] support custom properties in Animation.commitStyles() (251858@main)
[web-animations] support custom properties in JS-originated animations (251856@main)
[Web Animations] Suspend animations when required (r230581 + r230582)

Refactor KeyframeEffect::getKeyframes() (r288560)

Don't copy shorthands in ComputedStyleExtractor::copyProperties() (255318@main)
[css-cascade] Sort shorthand properties at the end of CSSPropertyID enum (r293622)
Fix CSS cascade regarding logical properties (r293543)
[css-cascade] Sort deferred properties at the end of CSSPropertyID enum (r292639)

[JSC] Fix ArithMin/ArithMax handling for double, and Int32 speculation (255465@main)
[JSC] Optimize 3~ parameter Math.min / Math.max (255288@main)

REGRESSION(r264280) [GTK][WPE] fast/gradients/conic-gradient-alpha.html is failing (r264449)
Simplify and improve Gradient, some other small color-related removals (r264280 + r264510)

Create a temporary grid for computing intrinsic sizes. (256624@main)
Don't mutate children during RenderGrid::computeIntrinsicLogicalWidths unless we're about to re-layout. (249006@main)

[JSC] WeakMap / WeakSet constructor should accept symbols (256758@main)
Optimize constructors of ES6 collections (r275271)

REGRESSION (259663@main): lowes.com: Product image is blank (262342@main)
(REGRESSION(257434@main): https://readwise.io/read image squished (259663@main)
Replaced elements with aspect ratio and size in one dimension should respect min-max constraints in opposite dimension. (257434@main)

Support percentages in the scale() transform functions, and the scale property (r282144)
Factor out token-type dependent CSS property parsing functions to allow more code sharing (r278311)
Additional cleanup of CSSPropertyParserHelpers (r272121)

JSGenericTypedArrayView<Adaptor>::set crashes if the length + objectOffset is > UINT32_MAX (r285117)

Fix invalidation for class names within :nth-child() selector lists (258917@main)
Make separate invalidation rulesets for negated selectors (inside :not()) (r287772)

No gap between the hero image and text on amazon product page (259125@main)
Implement margin-trim for flexbox. (258563@main)
Initial implementation margin-trim for block containers (without floats and margin collapsing). (258457@main)

REGRESSION(259818@main...259759@main?): CSS variables are not applied to the SVG use element's shadow tree (262698@main)
Assertion failure in StyleGeneratedImage::removeClient (264116@main)
[@Property] Set registered initial values to RenderStyle (259807@main)

Detect complex custom property cycles involving multiple loops (259506@main)
Nullptr crash accessing font under CSSPropertyParser::parseTypedCustomPropertyValue (259195@main)
[@Property] Handle unit cycles correctly (258357@main)
[@Property] Register custom properties from @Property rules (258106@main)
[@Property] Save parsed syntax in property registration (257732@main)

Calculate CSS unit x as resolution for calc combination (265469@main)
Recognize CSSUnitType::CSS_X as a resolution calc unit category (260678@main)
[@Property] Support <time> and <dimension> syntax (257706@main)

Add Style types for generated image derived classes in preparation of moving functionality (255386@main)

Take legend element into account in propagateRepaintToParentWithOutlineAutoIfNeeded (264350@main)
Do not update hasOutlineAutoAncestor when moving out a spanner's renderer (263501@main)
Fix infinite recursion in propagateRepaintToParentWithOutlineAutoIfNeeded (259725@main)
Fix traversal for moved out elements by mapping placeholders (259412@main)
REGRESSION (r294902): Overflowed area is not repainted when just changed to "hidden". (255312@main)
REGRESSION (r294902): Content with continuation leaves decoration bits behind when removed (r295665)
Do not issue repaint when the ancestor layer has already been scheduled for one (r294902)

[JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector (r249668)

REGRESSION (258514@main): Transition of !important property fails to animate (260880@main)
A test case in imported/w3c/web-platform-tests/shadow-dom/focus/click-focus-delegatesFocus-click.html fails (259990@main)
WPT: A subtest in shadow-dom/focus/focus-method-with-delegatesFocus.html fails (259707@main)
CSS animations on pseudo elements should participate in the cascade (258622@main)
CSS animations should participate in the cascade  (258514@main)

Allow CSS font-styling for canvas without RenderStyle (r273964 complete revisited)
REGRESSION(r269957): Empty font names passed to canvas2d cause all text routines to crash (r273512)
Make CSS font shorthands parsable within a worker (i.e. without CSSValuePool) (r269957)

[JSC] Additional check for transitioning for Object.assign's cloning (272870@main)
Unreviewed, butterfly should be created only when propertyCapacity is larger than 0 (272800@main)
[JSC] Use cloning for Object.assign with empty object (272794@main)
JSObject::anyObjectInChainMayInterceptIndexedAccesses and JSObject::didBecomePrototype need to account for JSGlobalProxy (270121@main)
[JSC] Shouldn't use the fast path of copying indexed properties if saw indexed GetterSetter properties (268567@main)
[JSC] Add fast path for Object.assign(target, NamedProperties + IndexedProperties) (267797@main)
[JSC] Object.assign empty object optimization should check seenProperties instead of propertyHash (267762@main)
[JSC] Optimize Object.assign with empty object (263444@main)
[JSC] Fix Object.assign fast path to accept undefined/null (r279690)
[JSC] Optimize Object.assign and putDirectInternal (r279604)

[JSC] YarrJIT optimization for character BM search (r288748)
[JSC] Yarr BoyerMoore search should support character-class (r280570)
[JSC] Yarr should perform BoyerMoore search (r280452)

[JSC][32bit] Fix regexp crash on ARMv7 (r288400 + r288401 rolled out + r288476 partial)
Refactor YARR Stack Overflow Checks (r259092)

[JSC] Call toThis for Object#toString in DFG / FTL (259016@main)
[JSC] Optimize ObjectToString in DFG / FTL (255417@main)

Implement contain flag for ray() in offset path (r294520)
Support ray() shape in offset-path (r294001)
Implement parsing and animation support for offset shorthand (r289876)
Implement parsing and animation support for offset-rotate (r285822)

REGRESSION(252324@main): crash in WebCore::Style::ElementRuleCollector::ruleMatches (264534@main)
:focus-within pseudo class doesn't get invalidated when frame loses focus (252324@main)

[WebIDL] Convert MutationCallback to be a normal generated callback (r219361 + 219421 rolled out + r220210)

Make MatchElement in RuleFeature non-optional (r287479)
[CSS Cascade Layers] Factor RuleSet building into a Builder type (r281742 partial)

Crash in DOMTimer::fired (r241499)
Support throttling of DOMTimers using nested setTimeout() calls (r175830)

CSP: Fix script-src-elem policies in workers (r293940)
CSP: Fix incorrect blocked-uri for inline scripts and strict-dynamic policies (r293897)
CSP: Fix mixing strict-dynamic and unsafe-inline policies (r293603)
CSP: Clean up effective-violation handling in reports (r288678)
CSP: Improve handling of multiple policies (r288132)
CSP: strict-dynamic is causing incorrect and unexpected behavior (r287783)
Implement CSP strict-dynamic for module scripts (r287756)
CSP: Implement src-elem and src-attr directives (r284254)
CSP: Implement unsafe-hashes (r284067)
CSP: Implement 'strict-dynamic' source expression (r283192)
Add initial support for 'Cross-Origin-Opener-Policy' HTTP header (r280504)

REGRESSION(r286955): Rendering Links during search: highlighting fails (r291552)
REGRESSION(r286955): Fix painting text-decorations with combined text (r287488)
Fix paint order of CSS text decorations (r286955)

REGRESSION (r226138): WebCore::subdivide() may return an empty vector; Web process can crash when performing find in Epiphany (r235485)
Standardize terminology for marked text (r229079)
REGRESSION (r226138): Selecting a line that ends with zero-width joiner (ZWJ) may cause text transformation (r227533)
Implement InlineTextBox painting using marker subranges (r226138)
Add support for computing the frontmost longest effective marker subrange (r226137)
Spelling and grammar dots should not overlap (r222298)

Negative size box with border radius causes hang under WebCore::approximateAsRegion (r248722)
Hit-testing of boxes over scrollers should account for border-radius (r243674)

Regression(262976@main) Images do not show in Microsoft Word Online (267969@main)
data: URL base64 handling different from atob() (262976@main)
Parse content after # in data URLs with HLS mime types (r270526)
WebKit doesn't parse "#" as delimiter for fragment identifier in data URIs (r267995)

REGRESSION(267786@main): Crash under RenderBlock::isSelectionRoot() with query container (272334@main)
REGRESSION(267786@main): Nullptr crash under resolveComputedStyle when there is no render tree (267952@main)
canvas-as-container-005.html & canvas-as-container-006.html fail (267786@main)
Remove DisplayContentsChanged flag (263359@main)
REGRESSION (256782@main): Animating visibility with a display:contents child causes an element to disappear (260270@main)
imported/w3c/web-platform-tests/inert/inert-node-is-unfocusable.html is failing (256782@main)
html/semantics/interactive-elements/the-dialog-element/dialog-focus-shadow.html fails (256672@main)
Update shadow DOM and dialog element focusing to latest spec (252959@main)

[JSC] Remove JSPromiseDeferred (r251691)

Nullptr crash in elementCannotHaveEndTag (269320@main)
Serialize DOM trees iteratively (253838@main)

[WebIDL] Align property order of DOM constructors with ECMA-262 counterparts (r283233)

Implement faster lookup of HTML tags in the HTML parser (r292417)

[JSC] Call custom accessors / values with their holder's global object (r280256)

Implement EventTarget constructor (r256716)
Cache Structure::attributeChangeTransition() (r265642)

REGRESSION (271254@main): Partial box-shadow left behind when resizing elements (279717@main)
When repainting after layout, compute the outline bounds in the same pass as the clipped overflow rect (271495@main)
RenderBox::applyVisualEffectOverflow() and RenderBox::outlineBoundsForRepaint() use different ways of computing outline/shadow extent (271254@main)

Do a full repaint when the old and new clippedOverflowRects don't overlap (271443@main)
Clean up RenderElement::repaintAfterLayoutIfNeeded() (271435@main)

Basic support for CSS based Ruby in IFC (267937@main partial)

Add style invalidity state for animations (270890@main)

html/semantics/forms/form-submission-0/jsurl-navigation-then-form-submit.html is failing in WebKit (253350@main)

Server-Timing data can be read cross-origin (260006@main)

[web-animations] setting currentTime=0 when animation-play-state=paused, doesn't restart animation after unpausing it (271872@main)

Overflow should establish an independent formatting context on only block boxes. (273134@main)
Grid items that establish an independent formatting context should not be subgrids. (r292524 partial)

Bake offsets into shape-outside Shapes (261331@main)
Factor Shape computation into a standalone function (261169@main)

Element::parserSetAttributes shouldn't trigger shadow tree construction in TextFieldInputType::attributeChanged (273461@main)

CloneSerializer/Deserializer's objectPool should match. (273557@main)

airbnb.com: When trying to select days for checkin checkout, the date widget is empty (276866@main)

Remove PropertyCascade::PropertyType::VariableReference (272963@main)

Really allow explicit inherit in matched declarations cache (267001@main)
Allow explicit inherit in matched declarations cache (266986@main)

Unreviewed, revert speculation change in 252675@main (253197@main)
[JSC] BakcwardPropagationPhase should carry NaN / Infinity handling (252675@main)

[JSC] sourceURLStripped should be cached (266728@main)
Error object stacktraces may leak sensitive data in URL query parameters (262420@main)

[DFG][FTL] WeakMap#set should have DFG node (r227723)
[JSC] Implement optimized WeakMap and WeakSet (r225832)

Unreviewed, 32bit JSEmpty is not nullptr + CellTag (r225971)
[DFG] Reduce register pressure of WeakMapGet to be used for 32bit (r225952)
[DFG] Optimize WeakMap::get by adding intrinsic and fixup (r221854 + r221876 rolled out + r221959)

[JSC] Carefully avoid speculation when it is not necessary in CompareStrictEq (277771@main)
[JSC] Add Misc BinaryUse case for CompareStrictEq (277222@main)
[JSC] Add StringOrOther speculation against ToPrimitive / ToString (275280@main)
[JSC] Clean up Float32Array access a bit more (273481@main)

[JSC] Fix StrCat(ToPrimitive(x), ...) in attemptToMakeFastStringAdd (265927@main)
[JSC] Use MakeRope for StrCat(ToPrimitive(x), ...) (265636@main)

Unreviewed, fix ArithFround mayExit (265094@main)
Make DFG mayExit more precise (265077@main)

WeakRef deref can return null instead of undefined (r289152)
Enable WeakRefs/FinalizationRegistries by default. (r268284)
Add support for FinalizationRegistries (r264617)
Add support for WeakRef (r246565)

[JSC] for-await-of loop should annotate UseAwait (252405@main)
Implement the Top-level await proposal (r273225)

ToPropertyKeyOrNumber incorrectly says it doesn't return a number in AI (278136@main)
[JSC] Bracket compound assignment should resolve property key at most once (275944@main + 275962@main reverted + 276014@main)

Assertion may fail when repainting the RenderView of an SVGImage (278734@main)

transform-style:preserve-3d doesn't work across display:contents ancestors (278499@main)
REGRESSION(r262728): elementsFromPoint misses elements if they are in different paint passes. (262897@main)
transform-style:preserve-3d has incorrect hit-testing of negative z-index ::after. (262728@main)
Preserve-3d isn't applied to pseudo elements. (260324@main)

Constructed FormData object should not contain entries for the Image Button submitter by default (278944@main)
A FormData constructed in the form's submit event listener shouldn't include the submitter (r286988 + r288955 reverted + r293444, 249999@main)
Remove the multipart parameter to FormAssociatedElement::appendFormData, InputType::appendFormData and HTMLFormElement::constructEntryList (r286447, 244789@main)
File inputs in non-multipart form submissions show up as string values in the formdata event (r286427, 244773@main)
Form submission should be cancelled if the form gets detached from inside the formdata event handler (r284660)
RELEASE_ASSERT(result) under FormSubmission::create() (r284656)
Added FormDataEvent support. (r280310 + r280332)

[ECMA-402] Implement unified Intl.NumberFormat (r266031, 228508@main)
[ECMA-402] Implement Intl.DisplayNames (r264639, 227385@main)

REGRESSION (r226981): ASSERTION FAILED: startY >= 0 && endY <= height && startY < endY in WebCore::FEMorphology::platformApplyGeneric (227374, 197794@main)
Rename applyHorizontalScale/applyVerticalScale in SVG filters, and related cleanup (r226981, 197531@main)

[JSC] Align stringification algorithm of the Function constructor with the spec (268633@main)

[@property] Cache tokens in CSSCustomPropertyValue (259813@main)
[web-animations] keyframes should be recomputed when a parent element changes value for a custom property set to "inherit" (259812@main)
[web-animations] keyframes should be recomputed when the "currentcolor" value is used on a custom property (259808@main)
[@property] Validate universal syntax initial value as <declaration-value> (258204@main)
Re-use isCSSWideKeyword in CSSCustomPropertyValue::createWithID (r285714, 244173@main)

Remove NFC normalization when submitting forms and encoding URL queries and fix EUC-JP encoding (r266330, 228766@main)

[JSC] Emit up to 2 less bytecodes for try statement (281203@main)
[JSC] DestructuringAssignmentTarget should be evaluated prior to calling [[Get]] / stepping iterator (281013@main)
[JSC] Skip putting home objects for functions not having "super" (277989@main)
[JSC] More aggressive application of call_ignore_result (277902@main)
[JSC] Extend call_ignore_result coverage (277866@main)
[JSC] Add op_call_ignore_result (266519@main + 266524@main reverted + 266537@main)

JSGlobalObject's m_customGetterFunctionMap and m_customSetterFunctionMap should be sets, not maps, and should use both the identifier and function pointer as the key (r275261, 235948@main)

[Grid][Replaced] flydenver.com: Images of airlines logos have incorrect sizes. (281378@main)
[Cleanup] Remove RenderBox::hasOverridingContainingBlock* (278616@main + 278654@main reverted + 278670@main)

[WebIDL] Merge JSDictionary into Dictionary, and remove unused bits (r209674, 183330@main)

Jul 30, 2024
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb/clang 12.0.8/Android/hard float. 
    [JIT tests/ACID3/ACID2/V8 3333/SunSpider 606.7ms/Factory Demo/EPG Guide/EBench 2004 6905.67ms | 2013 7149.67ms/es2016plus 82%/Google Maps]
    [arewefastyet/Speedometer 2.0 29.92/Kraken 10404.0ms/JetStream 1.1 ?/Dromaeo DOM Core & JavaScript Library & CSS Selector/css3test 2752 of 5883]
	[JetStream2 ARES 26.176 | CDJS 20.698 | CodeLoad 60.521 | Octane ? | RexBench 22.400 | SeaMonster 54.837 | Simple 5.655 | SunSpider 55.144 | WSL 0.106 | WTB 2.235 | Workers 7.193]

Jul 25, 2024
============
Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time (r198478, 173806@main revisited)
[JSC] JSCustomGetterFunction/JSCustomSetterFunction should use Identifier for their field (r274817, 235615@main complete revisited)

Jul 24, 2024
============
[Cairo] Avoid extra copy when drawing images (r160177, 143400@main)
[Cairo] Avoid extra copy when drawing images (r159314, 142584@main)
[GTK] fast/canvas/DrawImageSinglePixelStretch.html fails (r148681, 133203@main)
Avoid invalid cairo matrix when drawing surfaces too small (r158861, 142173@main)
[Cairo] Canvas-shadow behavior is not being as expected (r148923 + r148947 reverted)
Parallel copy phase synchronization should be simplified (r190185, 167610@main)

Jul 23, 2024
============
Return opaque origin for blob: URL containing inner non-http(s): URL (266247@main)
Remove unused functions in URL (r204046, 178609@main)
Optimize SVGSMILElement::addInstanceTime (281237@main)

Jul 19, 2024
============
[css-flexbox] SVGs as flex items (imported/w3c/web-platform-tests/css/css-flexbox/svg-root-as-flex-item-002.html FAILS) (281049@main)

Jul 18, 2024
============
Adopt ASCIILiteral in TextEncoding code (270903@main)
[WTF] Add Converter traits to StringHasher instead of function pointer (r225751, 196567@main)
Use relaxed constexpr for StringHasher (r225726 + r225730)

Jul 17, 2024
============
[JSC] Fix regression caused by 254938@main (256869@main)
[ARMv7][32bit] ASSERTION FAILED: CacheableIdentifier::isCacheableIdentifierCell(fieldNameValue) (254938@main)
[JSC] Clean up StructureStubInfo (r287758, 245821@main partial)
[RenderTreeBuilder] Crash in WebCore::RenderLayer::removeChild when continuation is present (280907@main)
[continuation] Merge anonymous block containers when continuation triggering box is going away (280630@main)

Jul 04, 2024
============
CopiedBlock::pin can call into fastFree while forbidden (r164448, 147156@main revisited)

Jul 03, 2024
============
Document is never released if an image's src attribute is changed to a url blocked by content-security-policy. (r141667 complete revisited)
Regression(r291141) Flashing when hovering photos on nytimes.com (251802@main)
Main document is leaking on haaretz.co.il due to lazy image loading (r291141 partial)

Jul 02, 2024
============
SEGV YarrJIT.h:350:28 (275528) (280563@main)

Jul 01, 2024
============
[MathML] <mfrac> with out-of-flow numerator/denominator produces unexpected result (280505@main)

Jun 30, 2024
============
RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83 (r235685, 204321@main partial)

Jun 25, 2024
============
[JSC] Remove JSGlobalObject::hasVarDeclaration() (280316@main)

Jun 22, 2024
============
REGRESSION(277275@main) Excel login window is compressed (280277@main)

Jun 21, 2024
============
[JSC] Iterator skipping should check protocol is intact too (280240@main)
[JSC] Add JSString::resolveRopeWithoutGC and use it in GC end phase (280239@main)

Jun 19, 2024
============
Remove non-standard getTransformToElement from SVGGraphicsElement (280208@main)
Ignore instance times from endElement*() for inactive timed elements (280184@main)

Jun 18, 2024
============
[WebCore] Cache inline styles (275795@main)
4. We found a bug in StyleSheetContents where we didn't check m_namespaceRules size for `isCacheable()` condition (As a result,
   we observed crashes in some of LayoutTests). This patch fixes it so that we do not say `isCacheable()` => true when there is
   m_namespaceRules.
   
Jun 17, 2024
============
Refactor sorted array mapping machinery in LocaleToScriptMapping.cpp for reuse elsewhere (r276303, 236785@main partial)

Jun 15, 2024
============
[JSC] Align Function#name behavior with spec (257114@main)
Add an OOME check in ClonedArguments::createEmpty. (279057@main partial)

Jun 14, 2024
============
Constructible EventTarget does create a path during dispatch (280014@main)
Crash under RenderObject::createVisiblePosition() while dragging the volume scrubber on a video player (280013@main)
Use binary-search in LocaleToScriptMapping (r276225, 236707@main)
Delete LocaleToScriptMappingICU.cpp since it is no longer used (r267126, 229402@main)

Jun 13, 2024
============
Tidy up instance time handling in SVGSMILElement (279971@main)

Jun 11, 2024
============
static_reference_cast(const Ref<X, Y>&) causes unnecessary ref-counting churn (r293682, 250182@main)
[JSC] Use `RegExp.prototype[@@split]` slow path if `hasIndices` and `dotAll` getters has been overwritten (279905@main)
[JSC] try/catch should not intercept errors originated in [[Construct]] of derived class (275353@main)

Jun 11, 2024
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb/clang 12.0.8/Android/hard float. 
    [JIT tests/ACID3/ACID2/V8 3427/SunSpider 603.2ms/Factory Demo/EPG Guide/EBench 2004 6801.67ms | 2013 7186.00ms/es2016plus 87%/Google Maps]
    [arewefastyet/Speedometer 2.0 29.76/Kraken 10381.3ms/JetStream 1.1 25.755/Dromaeo DOM Core & JavaScript Library & CSS Selector/css3test 2746 of 5896]
	[JetStream2 ARES 25.812 | CDJS 20.565 | CodeLoad 61.440 | Octane 26.502 | RexBench 22.329 | SeaMonster 56.837 | Simple 5.635 | SunSpider 54.974 | WSL 0.100 | WTB 2.567 | Workers 7.444]

Jun 10, 2024
============
[JSC] Set correct ConstructorKind when reparsing functions (275189@main)
[JSC] Make Promise implementation faster (r249509, 215115@main partial)
Unreviewed, partial rolling in r237254 (This only adds Parser.{cpp,h}. And it is not used in this patch.) (r237586, 205874@main)
[JSC] Top-level function declarations should be lexical in module code (269485@main)
[JSC] Avoid calling setIsFunction() for function name bindings (269379@main)
[JSC] Duplicate lexical bindings should only be allowed for FunctionDeclarations (268671@main)
[JSC] Block-level function declarations shouldn't be allowed to shadow `var` bindings (268634@main)
[JSC] Implement Annex B block-level function hoisting for global scope (268553@main)

Jun 07, 2024
============
[JSC] Generator functions should not be Annex B hoisting candidates (268352@main)
[JSC] Implement HasVarDeclaration abstract operation (267891@main)
[JSC] Implement CanDeclareGlobalFunction abstract operation and friends (267655@main)
[JSC] Implement lexical scope chain walk to correctly determine Annex B hoisted functions (268302@main)
CSS transition on SVG inside href fails when link already visited (279807@main)
After closing a modal <dialog>, elements can be z-ordered incorrectly (279785@main)

Jun 06, 2024
============
Optimize FEGaussian blur (r166084, 148625@main)

Jun 06, 2024
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb/clang 12.0.8/Android/hard float. 
    [JIT tests/ACID3/ACID2/V8 3435/SunSpider 606.0ms/Factory Demo/EPG Guide/EBench 2004 6641.33ms | 2013 7072.67ms/es2016plus 87%/Google Maps]
    [arewefastyet/Speedometer 2.0 29.61/Kraken 10381.0ms/JetStream 1.1 25.687/Dromaeo DOM Core & JavaScript Library & CSS Selector/css3test 2743 of 5893]
	[JetStream2 ARES 26.568 | CDJS 20.688 | CodeLoad 60.331 | Octane 26.502 | RexBench 21.416 | SeaMonster 53.899 | Simple 5.657 | SunSpider 54.623 | WSL 0.102 | WTB 2.263 | Workers 7.117]

Jun 06, 2024
============
[JSC] Use -2 for grouping options in IntlRelativeTimeFormat (r266341, 228777@main)
Unreviewed, address Darin's feedback on r263227. (r263243, 226154@main)
[Intl] Enable RelativeTimeFormat and Locale by default (r263227, 226145@main)

Jun 05, 2024
============
Simplify amortized cleanup algorighm for weak hash structures (266713@main)
Regression: NetworkDataTask's ThreadSafeWeakPtrControlBlock are leaking (266594@main)
JSEventListener doesn't need to register itself to commonVM's JSVMClientData (273008@main)

Jun 04, 2024
============
[WTF] Removing a smart pointer from HashTable issues two stores to the same location (r198827, 174126@main)
HashMap<Ref<P>, V> asserts when V is not zero for its empty value (r234879, 203672@main)
Make it safe to re-enter HashMap::clear() (r271296, 232875@main)

Jun 03, 2024
============
REGRESSION (279348@main): Flickr photos flash at wrong offset when paging through album (279667@main)
WebCore::WillChangeData::AnimatableFeature constructor does not always initialize m_cssPropertyID (279624@main)

Jun 02, 2024
============
[JSC] Potential GC fix for JSPropertyNameEnumerator (r247888, 214004@main partial)
Remove unused VM members (r217808, 189833@main partial)
[JSC] JSMapIterator and JSSetIterator are CellType (r258540, 222078@main)

May 30, 2024
============
<input> field changes sizes briefly while typing (279536@main)
WebCore::XPath::Value has uninitialized fields after construction (279506@main)
WebCore::XPath::Parser::Token contains uninitialized fields after construction (279493@main)
Unreviewed, reverting 279411@main. (279500@main)

May 29, 2024
============
image/apng not recognized in source tag (r251182, 216458@main)
[GTK+] Crash in WebCore::ImageFrame::ImageFrame() (r215458, 187866@main)
Fix render tree construction when inlines are inserted in reverse after a block in a continuation (279422@main)
[CSS] Fix link invalidation when color depends on the visited style (279411@main)
Adjust error-handling for invalid filter primitive references (279421@main)

May 28, 2024
============
Crash with ruby and continuations (279408@main)

May 27, 2024
============
[Invalidation] Removed redundant "normal child needs layout" invalidation for out of flow boxes (279348@main)
[Invalidation] Table rows and sections don't get their preferredLogicalWidthsDirty flags cleared (279358@main)

May 27, 2024
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb/clang 12.0.8/Android/hard float. 
    [JIT tests/ACID3/ACID2/V8 3443/SunSpider 601.7ms/Factory Demo/EPG Guide/EBench 2004 6517.33ms | 2013 7271.33ms/es2016plus 88%/Google Maps]
    [arewefastyet/Speedometer 2.0 28.85/Kraken 10381.0ms/JetStream 1.1 25.687/Dromaeo DOM Core & JavaScript Library & CSS Selector/css3test 2743 of 5893]
	[JetStream2 ARES 26.568 | CDJS 20.688 | CodeLoad 60.331 | Octane 26.502 | RexBench 21.416 | SeaMonster 53.899 | Simple 5.657 | SunSpider 54.623 | WSL 0.102 | WTB 2.577 | Workers 7.255]

May 25, 2024
============
REGRESSION: (r276031) PremiereMax.com no longer loads properly (279209@main)
[JSC] RegExp /u flag doesn't respect atomicity of surrogate pairs (276031@main complete revisited)

May 24, 2024
============
[JSC] RegExp /u flag doesn't respect atomicity of surrogate pairs (276031@main part 1)

May 23, 2024
============
Remove 'presentational hints' from width attribute for <hr> (279245@main)
ASAN_TRAP | WTF::Vector::expandCapacity; WTF::Vector::expandCapacity; WTF::Vector::appendSlowCase (279229@main)

May 22, 2024
============
Flaky crash under WorkerDedicatedRunLoop::runCleanupTasks() during fuzzing (279132@main)
nonce hiding in SVG is buggy (279131@main)
Use DataRef for SVGPathByteStream::Data (278907@main)
MediaFragmentURIParser rejects valid NPT strings if 'hours' is defined using 1 digit (278951@main)
Break a mutual recursion cycle laying out SVG elements. (279105@main)
[JSC] presenceConditionIfConsistent should check knownBase's structure is in the structure set (279106@main)

May 21, 2024
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb/clang 12.0.8/Android/hard float. 
    [JIT tests/ACID3/ACID2/V8 3495/SunSpider 593.7ms/Factory Demo/EPG Guide/EBench 2004 6364.33ms | 2013 7206.00ms/es2016plus 88%/Google Maps]
    [arewefastyet/Speedometer 2.0 31.19/Kraken 10481.5ms/JetStream 1.1/Dromaeo DOM Core & JavaScript Library & CSS Selector/css3test 2743 of 5884]
	[JetStream2 (11 sub-tests) (runWasm = false in JetStreamDriver.js)]
  
May 20, 2024
============
[JSC] Clean up Structure transition watchpoint firing to pave a way to faster / cheap adaptive watchpoint (257515@main)

May 19, 2024
============
[JSC] AI should observe attribute change transitions for PutByIdDirect in DFG compilation (278870@main partial)

May 17, 2024
============
Make containing block of position:fixed dialog children the viewport (256724@main)
Special case treatment of out-of-flow RenderLineBreak (278867@main)
[Cleanup] RenderElement::containingBlockFor*(fixed/absolute/inflow)Position is slightly confusing (r287744, 245814@main)
[CSS] Fix bug when using a coalesced CSSValuePair with Typed OM (278891@main partial)
ASAN_ILL | WTF::Vector::expandCapacity; WTF::Vector::expandCapacity; WebCore::StyleGradientImage::computeStops (278883@main)
Added default length to createGridTrackBreadth() when length is undefined (278871@main)

May 16, 2024
============
Changing a JSFunction's prototype property should clear allocation caches (278869@main)
REGRESSION(277476@main): [GTK] Crash in WebCore::GIFImageDecoder::haveDecodedRow (278739@main partial reverted - Apache missing icon)
[Yarr] Regex Lookbehinds differs from v8 (278863@main)
DFG Constant Folding phase can see inconsistent view of world, causing LICM to miscompile (278842@main)
Verify range of ArrayBuffer when deserializing an ArrayBufferView (278814@main)

May 15, 2024
============
Unreviewed, reverting 276904@main (1ff045b) and 277023@main (191d3fc) (278825@main)
Font sizes are rounded to the nearest 1px (265657@main)

May 14, 2024
============
REGRESSION (278522@main): Broken internal API tests (278785@main)
Rename hasTransform() to isTransformed() on RenderObject and RenderLayer (259171@main complete)
Fixed backgrounds should behave like 'scroll' inside transformed elements (255055@main)
IntersectionObserver callback for a visible sentinel node within a container with CSS transform animations is triggered multiple times, but should only be triggered once (278763@main)
Rename hasTransform() to isTransformed() on RenderObject and RenderLayer (259171@main partial)
REGRESSION(277476@main): [GTK] Crash in WebCore::GIFImageDecoder::haveDecodedRow (278739@main partial)
Inline DOMTokenList::associatedAttributeValueChanged (278728@main)

May 13, 2024
============
Stop using CheckedPtr with ChildNodeList / EmptyNodeList (272123@main)
SVG non-rendered elements should not get 'focus' despite tabindex (278694@main)
Fill layer pattern for mask-mode is not correctly applied (278698@main)
[Cleanup] Remove RenderBoxModelObject::overridingContainingBlockContentWidth&co virtual functions (278596@main + 278654@main reverted + 278662@main)

May 11, 2024
============
[JSC] Private brand can be empty in computed property name (278642@main)

May 09, 2024
============
Facebook.com: Text overlaps in videos up next sidebar (258093@main)
Implement hit-testing changes for transform-style:preserve-3d and perspective to only apply to direct DOM children. (257255@main)

May 08, 2024
============
innerText getter fails tests for `<p>` without margin and `<h1>`-`<h6>` (278522@main)
Fix find-in-page for words spanning display:contents (278377@main)
Make rendering changes to make transform-style:preserve-3d and perspective only apply to direct DOM children. (257190@main)
[JSC] Bracket update expression should resolve property key at most once (275531@main complete revisited)
[JSC] Simplify excludedSet handling in object rest expression (r273135, 234332@main)

May 07, 2024
============
repeatedly running css3/flexbox/image-percent-max-height.html is failing (278461@main)
REGRESSION (252960@main, WPT resync): [ macOS Debug ] imported/w3c/web-platform-tests/html/semantics/document-metadata/the-style-element/style-load-after-mutate.html is a flaky failure (256535@main)
Support for SVG `beginEvent` event and `onbegin` attribute (r191494, 168648@main)
Support for the SVG `onend` attribute (r191392, 168557@main)
Make sure that begin time cannot be greater than SMILTime::indefiniteValue unintentionally. (r172496, 153729@main)
ASSERTION FAILED: !begin.isIndefinite() in WebCore::SVGSMILElement::resolveFirstInterval. (r167761, 150175@main)
Use counters for pending events (r274054, 234990@main + r274199, 235117@main reverted)
Dispatch pending events only for current page (r262003, 225073@main)
Use more smart pointers in ProcessingInstruction & PseudoElement (269694@main partial)
	(WebCore::ProcessingInstruction::checkStyleSheet):
	Drop some unnecessary code that was used to check if we got disconnected
	after firing the beforeload event (as you can see in https://commits.webkit.org/187003@main).
	We've stopped firing the beforeload event a while back but this code wasn't simplified.
Delete most code for beforeload event (r288793, 246570@main)
Disable support for BeforeLoadEvent (r261946, 225028@main)

May 06, 2024
============
REGRESSION (277924@main): nullptr deref crash calling XSLTProcessor.transformToFragment() before parsing XML (278419@main)
[WK1] WebKit XML parsing can deny external entity loads from other in-process libxml2 clients (278168@main)

May 05, 2024
============
Remove RenderBlockFlow::lineGridBox() (268541@main)
[Multi-column] Ignore line grid offset when the grid line is shorter than 0.5px (r274456, 235312@main)
[LFC][Integration] Rename top/bottomWithLeading to lineBoxTop/Bottom (r269149, 231022@main)
[LayoutState cleanup] Move RenderMultiColumnFlow::computeLineGridPaginationOrigin to LayoutState (r224616, 195515@main)
Move layoutBlock and layoutBlockChildren into RenderBlockFlow (r155377 revisited + r155390)
[Line clamp] Reddit shows overlapping text when line-clamped content dynamically changes (278384@main)

May 04, 2024
============
Inline dialog.css into html.css (271006@main)
Use Canvas/CanvasText system colors for <dialog> default styling (r292029, 248972@main)
Add visibility: visible to modal dialogs in UA sheet (r288233, 246190@main)
Implement CSS :modal pseudo class (r293987, 250424@main)
ASAN_SEGV | WebCore::RenderFragmentedFlow::objectShouldFragmentInFlowFragment (278372@main)
[popover] Don't throw when popover/dialog is in requested state (263957@main partial)

May 03, 2024
============
A response body promise should be rejected in case of a failure happening after the HTTP response (r251101, 216384@main)
Stop to use ActiveDOMObject::setPendingActivity() for Modules/fetch (r262972, 225920@main)

May 02, 2024
============
Use an inline capacity 2 for the vector for LayerAndBounds (278229@main)

May 01, 2024
============
[JSC] ASSERTION FAILED: pos >= negativePositionOffest in char32_t JSC::Yarr::Interpreter<unsigned char>::InputStream::readChecked(unsigned int) (278204@main)

Apr 30, 2024
============
[JSC] Use Vector with inline capacity in ObjectPropertyConditionSet creation (r292682, 249474@main)
pral.com.pk - Double bounce animation compared to other browsers (278156@main)
Invalidate rebuild root renderer on child node removal (271202@main)
Move renderer invalidity into a separate bit, out from Style::Validity enum (271144@main)
Remove redundant ChildrenAffectedByPropertyBasedBackwardPositionalRules flag (263303@main)

Apr 29, 2024
============
WPT dom/events/shadow-relatedTarget.html fails partially (278090@main)
composedPath returns empty array for blur/focus/pagehide/pageshow events on window (261463@main)
Unexpose event.relatedTarget when shadow tree state has changed (252631@main)
Event improvements (r228260 partial revisited)

Apr 26, 2024
============
Element::boundingClientRect should check the state of the tree (276918@main + 278063@main reverted)

Apr 25, 2024
============
Use smart pointers with WebCore::CachedResourceLoader in libxml2/libxslt code (277956@main)
REGRESSION (269108@main): Same-origin XSLT document() loads fail (277924@main)
Check if external entity loads from libxslt are allowed before loading them (269108@main)

Apr 24, 2024
============
Rebuild continuations when position property changes (277912@main)
Intruduce concept of render tree rebuild root (271082@main)

Apr 23, 2024
============
TextIterator::emitText: cap textEndOffset to renderer's string length (277858@main)

Apr 18, 2024
============
Get rid of duplicate SVGPropertyRegistry data members in SVG elements (254050@main)

Apr 16, 2024
============
ASAN_BUS | Yarr::Interpreter::matchDisjunction; Yarr::Interpreter::backtrackParentheses; Yarr::Interpreter::matchDisjunction (264264@main partial)
[JSC] Use RegExpGlobalData::performMatch instead of RegExp::match for RegExp.prototype.@@split (277559@main)
Simplify SVGPropertyOwnerRegistry slightly (r294789, 250948@main)
URL::setHostAndPort() needs to be aware of host delimiters (277531@main)
File URLs with hostnames are misleading (r262707, 225704@main)
Move URL to use StringView when returning substrings of the URL (r260707, 223908@main partial revisited)
Ignore URL host for schemes that are not using host information (r253946, 218822@main)

Apr 15, 2024
============
ActiveScratchBufferScope should take the buffer as argument (r279560, 239391@main partial part 2)
Move setting of scratch buffer active lengths to the runtime functions. (r278875, 238819@main partial part 2)
ActiveScratchBufferScope should take the buffer as argument (r279560, 239391@main partial part 1)
Move setting of scratch buffer active lengths to the runtime functions. (r278875, 238819@main partial part 1)
Meta-program setupArguments and callOperation (r229391, 199098@main partial)
[svg] WPT test svg/animations/animateMotion-keyPoints-001.html fails in WebKit only (277450@main)
SVG paced value animations overwrite user-provided keyTimes (r275868, 236433@main)

Apr 14, 2024
============
[JSC] We should fix the backwards propagation for DFG node use flags after the fixup phase (277456@main)
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float. 
    [JIT tests/ACID3/ACID2/V8 Score 749/SunSpider 2895.5ms/Factory Demo/EPG Guide/EBench 2004 22183.67ms/Google Maps]
    [arewefastyet/Speedometer Score 6.410/Dromaeo DOM Core & JavaScript Library & CSS Selector/es2016plus 77%/css3test 2738 of 5878]
  => Not tested
    [CanvasMark/html5test/EBench 2013|2016/JetStream/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]
    
Apr 13, 2024
============
Unreviewed, reverting 276654@main. (276751@main)

Apr 12, 2024
============
[DFG] Define defs for MapSet/SetAdd to participate in CSE (r226408, 197131@main)
[DFG][FTL] Support MapSet / SetAdd intrinsics (r225072)
[JSC] Optimize Map iteration with intrinsic (r221110 complete revisited)
[JSC] Optimize Map iteration with intrinsic (r221110 part 1)

Apr 11, 2024
============
Optimize compareStrictEq when neither side is a double and at least one is not a BigInt (r282200, 241487@main)
[JSC] DFG NotCellUse is used without considering about BigInt32 (r261147, 224320@main)
[JSC] Fix incorrect register reuse in 32bit after r278568 (r278662)
Optimize compareStrictEq when neither side is a double and at least one is neither a string nor a BigInt (r278568, 238566@main)
Don't emit the NotDouble checks if we're already NotDouble. (r278476)
DFG should speculate on CompareStrictEq(@x, @x) (r278465, 238485@main)
StrictEq should not care about masqueradesAsUndefinedWatchpoint (r266022, 228499@main)
Web Inspector: Crash generating object preview for ArrayIterator (r218836)

Apr 10, 2024
============
REGRESSION(267236@main): SVG may incorrectly be clipped when an SVGFilter is applied to its root (267236@main)
[RenderTreeBuilder] Out-of-flow box does not stretch its containing block (and not even its parent) (277275@main partial)
[RenderTreeBuilder] RenderFlexibleBox::clearCachedMainSizeForChild should only be called when child "ever had layout" (277161@main)
[Grid] Incorrect grid item positioning with out-of-flow sibling (277300@main)
We should have a more concise way of determining when we're varargs calling a function using rest parameters (r208584 + r208592 reverted + r208637 complete revisited)
We should have a more concise way of determining when we're varargs calling a function using rest parameters (r208584 + r208592 reverted + r208637 partial revisited)

Apr 09, 2024
============
Check whether the iterator is callable in spread (r267125)
[JSC] Make JSMap and JSSet construction more simple and efficient (253133@main partial revisited)
Missing exception check in HashMapImpl::add(). (r275299)
[JSC] Map and Set constructors should have fast path for cloning (r217525)
[DFG] Introduce {Set,Map,WeakMap}Fields (r225151)
[DFG] Add NormalizeMapKey DFG IR (r225154)

Apr 08, 2024
============
[JSC] DFG strcat should handle OOM thrown from ToString(BigInt) (254570@main)
JSTests/stress/array-isarray-error-message.js fails when run with --useJIT=0. (256314@main)
Fix error message for O.p.toString on revoked proxy (254134@main)
[JSC] Add ValueOf fast path in toPrimitive (r279053, 238973@main)
[JSC] Cache toString / valueOf / @@toPrimitive for major cases (r266567, 228956@main + r266694)

Apr 07, 2024
============
[JSC] Reduce size of AST nodes (r233937)
Define Intl[Symbol.toStringTag] (r266015, 228492@main)

Apr 06, 2024
============
Array.prototype.toLocaleString does not respect deletion of Object.prototype.toLocaleString (r287560 complete revisited)
[JSC] Enable Object.hasOwn (r281835)
Implement Object.hasOwn() (r281799)
[JSC] Enable Array#findLast method (r281369)
Implement Array.prototype.findLast and Array.prototype.findLastIndex (r279937)
[JSC] Replace toInteger with toIntegerOrInfinity (r272471)
Array's toString() is incorrect if join() is non-callable (r275544)
[JSC] Enable String,TypedArray#at (r281370)
[JSC] Reinstate String#at (r270005)
[JSC] Rename item() to at() and move it behind a flag (r268760)
[JSC] Revert String.prototype.item (r268165)
[JSC] Add Array#item to @@unscopables (r267912)
[JSC] Implement item method proposal (r267814)

Apr 05, 2024
============
SourceParseMode should be a member of the JSC::Parser (r272086)
[JSC] Handle syntactic production for `#x in expr` correctly (r282968)
Fix statement depth for parsing static block (259981@main)
Fix duplicated name in class static block (256311@main)
[JSC] Implement support for class static initialization blocks (255173@main)
Support Ergonomic Brand Checks proposal (`#x in obj`) (r277926 + r277933 complete revisited)
Support Ergonomic Brand Checks proposal (`#x in obj`) (r277926 + r277933 part 1)

Apr 04, 2024
============
Fix StructuredClone for streams to handle BigInt64Array / BigUint64Array (r279769)
[JSC] Implement BigInt64Array and BigUint64Array (r272170)
[JSC] BigInt should work with Map / Set (267373 + r267624)

Apr 03, 2024
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float. 
    [JIT tests/Google Maps/es2016plus 80%]
Remove unused getPrimitiveNumber() methods (r270298)
[JSC] Replace JSBigInt::toUint64 with JSBigInt::toBigUInt64 (r271217)
[WASM] [BigInt] Add I64 to BigInt conversion (r271168 partial)
[JSC] Fix 32bit JSBigInt with INT32_MAX < x <= UINT32_MAX (r262012)
[JSC] Implement BigInt.asIntN and BigInt.asUintN (r261199)
[JSC] JSBigInt::maxLengthBits and JSBigInt::maxLength are wrong (r261174)
[JSC] Fix DataFormatJSBigInt32 missing part (r260674)
[JSC] DFG compare should speculate BigInt well (r260660)
[JSC] DFG AI for some bitops + BigInt32 should be precise (r260651)
BigInt32 parsing should be precise (r260550)
[JSC] JSBigInt inc operation does not produce right HeapBigInt zero (r260522)
Edge use kind asserts are wrong for BigInt32 on ValueBitLShift (r260549)
[JSC] SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq should expect AnyBigIntUse (r260490)
[JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results (r260512)
Canonicalize JSBigInt generated by structured-cloning by calling rightTrim (r260489)
StructuredClone algorithm should be aware of BigInt (r260358)

Apr 02, 2024
============
Support an inlined representation in JSValue of small BigInts ("BigInt32") (r260331)
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float. 
    [JIT tests]
[JSC] BigInt constructor should accept larger integers than safe-integers (r260863)
[JSC] Function.prototype.toString should print set / get for accessor properties (276904@main)

Apr 01, 2024
============
Guard MatchedDeclarationsCache against destruction while modifying m_entries map (265998@main)
Allow styles with appearance in matched declaration cache (r291790, 248818@main)
System colors do not always respect inherited color-scheme values (253041@main)
Disallow styles using container units from matched declarations cache (r295211 partial)
[css-ui] getComputedStyle() must return the specified value for '-webkit-appearance' (r283269 revisited)
Regression(r255359): imported/mozilla/svg/svg-integration/clipPath-html-06.xhtml is failing consistently on windows (r255490 revisited)
Skip matched declarations cache only for length resolution affecting font properties (r252370)
Factor matched declarations cache into a class (r252208)
English Heritage Members' Area overlapping layout (276880@main)

Mar 31, 2024
============
[JSC] Private names should be handled by usedVariables mechanism (r279447)
[JSC] Use ResolvedClosureVar to get brand from scope (r278591)
[JSC] Private static method should define privateClassBrandIdentifier in class-scope (r278510)
Using an undeclared private field inside eval shouldn't crash (r274102)
[ESNext] Private methods can't be named as '#constructor' (r273846)
[JSC] Implement private static method (r273107)

Mar 30, 2024
============
[ESNext] Implement private accessors (r272883)

Mar 29, 2024
============
nullptr crash in moveOutOfAllShadowRoots (276815@main)

Mar 28, 2024
============
[ESNext] Implement private methods (r272580 partial revisited)
Invalidate SVG filter results in SVGResourcesCache::clientLayoutChanged() (276808@main)
BrandedStructure should keep its members alive. (r274722 complete revisited)
[ESNext] Implement private methods (r272580 part 3)
Switch to using a linked list for the TDZ environment instead of a Vector (r270870)
Better cache our serialization of the outer TDZ environment when creating FunctionExecutables during bytecode generation (r269115)
Fix warning introduced by r272580 (r272612)
[ESNext] Implement private methods (r272580 part 2)

Mar 27, 2024
============
Separate storage of Structure::m_offset into transition and max offset (r206365 partial)
Rework StructureTransitionTable::Hash::Key encoding (r265640)
BrandedStructure should keep its members alive. (r274722 partial)
[ESNext] Implement private methods (r272580 part 1)

Mar 26, 2024
============
We need to PreferNumber when calling toPrimitive for coercion to BigInt (r285317 partial)
Use `isControlCharacter()` helper (260081@main)

Mar 26, 2024
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float. 
    [JIT tests/ACID3/ACID2/V8 Score 715/SunSpider 3035.7ms/Factory Demo/EPG Guide/EBench 2004 25988.00ms/Google Maps]
    [arewefastyet/Speedometer Score 6.150/Dromaeo DOM Core & JavaScript Library & CSS Selector/es2016plus 77%/css3test 2738 of 5689]
  => Not tested
    [CanvasMark/html5test/EBench 2013|2016/JetStream/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Mar 26, 2024
============
[JSC] Remove the first LocalCSE (r204207, 178743@main)
[JSC] Since ArrayBufferViewWatchpointAdaptor::add can fire watchpoints, DFG::Plan should check validity of CodeBlock after executing reallyAdd (r259576, 222967@main complete revisited)
[JSC] We should fix the backwards propagation for DFG node use flags after the fixup phase (276654@main)
REGRESSION: JavaScriptCore: JSC::ScopedArguments::setIndexQuickly (276646@main)
[JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG (r199342 complete revisited)

Mar 24, 2024
============
[JSC] get_by_id_with_this + ProxyObject can leak JSScope objects (276104@main partial)
ASSERTION FAILED: watchpoints (./runtime/ScopedArgumentsTable.cpp(130)) (276598@main)

Mar 22, 2024
============
Scoped Arguments needs to alias between named and unnamed accesses and across nested scopes (272253@main + 272387@main reverted + 276437@main)
ASAN_TRAP | WTF::Vector::reserveCapacity; WTF::Vector::expandCapacity; WTF::Vector::appendSlowCase (276504@main)

Mar 19, 2024
============
[JSC] Use DeferGCForAWhile instead of DeferGC in computeErrorInfo (276346@main)

Mar 18, 2024
============
NULL Object : Crash under WebCore::RenderObject::~RenderObject; WebCore::RenderText::~RenderText; WebCore::RenderTreeBuilder::destroy (276275@main)
Crash in ImageEventListener::handleEvent (276236@main)
[JSC] Fix Re-entrancy in ErrorInstance::computeErrorInfo (276233@main)

Mar 15, 2024
============
[JSC] PropertyCondition::isValidValueForAttributes should handle custom accessor and custom value (276183@main)
[JSC] Do not use temp RegisterID when initializing local FunctionDeclaration (275818@main)

Mar 14, 2024
============
ASAN_ILL | WebCore::RenderTableSection::layoutRows; WebCore::RenderTable::simplifiedNormalFlowLayout; WebCore::RenderBlock::simplifiedLayout. (276103@main)
REGRESSION (iOS 17.4, macOS 14.4, 270890@main): Animating element with display: none still remain visible (276035@main)

Mar 12, 2024
============
[JSC] Bracket compound assignment should resolve property key at most once (275944@main + 275962@main reverted)

Mar 09, 2024
============
[JSC] Do not emit jsUndefined constant (275813@main partial)

Mar 06, 2024
============
Ignore unsupported disposal methods when decoding GIF (275749@main)

Mar 05, 2024
============
MarkedSpace should have more precise allocators. (r195575)
Wasted vector capacity in RenderLayer lists (r275632)
Entity storage is not very compact (261245@main)

Mar 03, 2024
============
Text disappears due to unknown max/min width after style change (275605@main)

Mar 02, 2024
============
Null pointer dereference in WebCore::ImageDocument::createDocumentStructure. (275537@main)
[JSC] Bracket update expression should resolve property key at most once (275531@main partial)

Feb 29, 2024
============
[WTF] Add user-defined literal for ASCIILiteral (r233122 partial)
URL pathname and search setter incorrectly strips trailing spaces (266252@main)
Align some internal URL concepts with the URL Standard (266090@main)
Extract a portion of NodeIteratorBase::acceptNode which checks bit flags into its own function (275468@main)

Feb 28, 2024
============
[JSC] Remove ArrayPatternNode::emitDirectBinding() (275474@main)
[WPE][GTK] Prevent HarfBuzz advance overflow (260882@main)
Strip tab and newline from Location/URL/<a>/<area>'s protocol setter (261017@main)
URL host setter should pass host to URLParser instead of trying to encode it itself (r279680, 239485@main)
Add functions for parsing URL query string (r280626, 240239@main)
Update and fix URL WPT tests (r279895, 239646@main complete revisited)
[JSC] emitReturn() should load this value from arrow function lexical environment prior to TDZ check (275425@main)
heap-use-after-free | WTF::URLParser::parse; WTF::URLParser::URLParser; WTF::URL::URL (272134@main)
Make URL's protocol setter forbid changing a special URL to a non-special URL (267445@main)

Feb 27, 2024
============
Remove unnecessary calls to CachedResource::updateBuffer and CachedResource::updateData (r293857 partial)
Eliminate ResourceBuffer and use SharedBuffer directly instead (r175406 + r175491 rolled out + r175549)

Feb 26, 2024
============
URLParser should parse URLs including authority and a backslash after the host (274915@main)
instanceof should not get RHS prototype when LHS is primitive (275318@main)

Feb 23, 2024
============
[JSC] Don't optimize String.prototype.replace for RegExp searchValue with non-numeric lastIndex. (275255@main)
[JSC] Fold empty string + value in bytecode generator (275230@main reverted)
  -> Possible error at https://www.google.co.jp/maps/@35.673343,139.710388,11z?hl=ja
HTMLDataListElement::childrenChanged doesn't call HTMLElement::childrenChanged (275221@main)
Displayed datalist dropdown is out of sync with datalist options elements after DOM update (274608@main)
Avoid an ancestor walk in HTMLFormControlElement::computeWillValidate() (r272358)
Redraw slider tick marks when datalist changes. (r123081 complete revisited)
[JSC] Fold empty string + value in bytecode generator (275230@main)

Feb 22, 2024
============
Improve SVG Markers (275167@main)
[JSC] Fix parsing of private fields with Unicode start characters (275152@main)

Feb 20, 2024
============
Use 32 for EventPath m_path (275065@main)
Normalize Latin-1 characters in String#normalize("NFKC")` (275062@main)

Feb 17, 2024
============
[SVG2] getPointAtLength should throw exception when in non-rendered document for SVGPathElement (274308@main + 274929@main reverted)
Make MarkedBlock and WeakBlock 4x smaller. (r182878, 161819@main complete, not affect memory fragmentation)

Feb 15, 2024
============
Make MarkedBlock and WeakBlock 4x smaller. (r182878, 161819@main reverted to reduce memory fragmentation)

Feb 14, 2024
============
XMLTreeViewer shouldn't use the view source mode (r162269)
Unstyled XML viewer crashes when XML contains an element with id="tree" (r151080)
Force XML comments to maintain whitespace (r126241)
XML documents end up with a unique origin in WebKit only (r280300)

Feb 12, 2024
============
Reduce padding in MacroAssembler::Jump on ARM64 (270716@main)
Fix -Wdeprecated-copy warnings in WTF and JavaScriptCore (r268657, 230615@main partial)
[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg (r234984, 203763@main partial)

Feb 10, 2024
============
[JSC] Spew strict-eq Baseline JIT code with constant strings (274418@main partial)

Feb 09, 2024
============
  => Passed stress Baseline JIT on ARM64 GCC10.2.0 with hard float (noGL, 228000 cap, no enforce).
    [JIT tests/ACID3/ACID2/V8 Score 788/SunSpider 1120.4ms/Factory Demo/EPG Guide/EBench 2004 13180.00ms/Google Maps]
    [arewefastyet/Speedometer Score 19.52/Dromaeo DOM Core & JavaScript Library & CSS Selector/es2016plus 77%/css3test 2738 of 5687]
  => Not tested
    [CanvasMark/html5test/EBench 2013|2016/JetStream/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Feb 08, 2024
============
REGRESSION(r269017): Speedometer2 1% regression (r272621, 233882@main)
Assert that WTF::HashTable does not visit the same bucket twice (r269017 + r269478 + r272095)
[WTF] HashTable::rehash should not perform key comparison (252386@main)
[WTF] Use quadratic-probing instead of double-hashing (r293579, 250093@main)

Feb 07, 2024
============
Destructuring exception shouldn't crash (274213@main)
detik.com: Menu text is not shown in safari at top left corner of header (274191@main)

Feb 05, 2024
============
Replace incorrect ASSERTs in RenderBox::containingBlockLogicalWidthForPositioned/containingBlockLogicalHeightForPositioned (274092@main)
[JSC] Rest parameter should be evaluated before VariableEnvironment is set (274109@main)
WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support (r244821 + r244827 rolled out + r244828 revisited)
Stack-buffer-overflow in decodeURIComponent (r245645)

Feb 04, 2024
============
text-transform test failures due to Lithuanian rules and out-of-flow characters (274073@main)
Greek uppercase transforms fail for some characters (274036@main)

Feb 01, 2024
============
Implement Request/Response consuming as FormData (r266087 complete revisited)
Add some assertions to convertUTF8ToUTF16(). (r250520)
WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support (r244821 + r244827 rolled out + r244828 partial)
REGRESSION (r131836): failures in list styles tests on EFL, GTK (r132507)
Regression(266170@main) Crash under CachedRawResource::switchClientsToRevalidatedResource() (266216@main)
RELEASE_ASSERT(!resources.get(key)) hit in MemoryCache::revalidationSucceeded() (266170@main)
While composing an email when using Gmail in Safari, using a double space creates an extra line/visible character in space between paragraphs in email. (252683@main)
Release assert in Document::updateLayout() via HTMLTextAreaElement::childrenChanged (r294610, 250836@main)
Release assert in Document::updateLayout() via HTMLTextAreaElement::childrenChanged (r294523 + r294550 reverted)
Release assert in Document::updateLayout() via HTMLTextAreaElement::childrenChanged (r291789 + r291807 reverted)
Factor some post-updateRendering code into its own function (r258509)
ASSERTION FAILED: m_state == State::Committed in WebKit::FrameLoadState::didFailLoad() (r274526)

Jan 31, 2024
============
Start passing RenderStyle around with PassRef. (r157665 partial)
Don't use the inherited custom properties to store environment variables. (r260340)
Allow credentials for same-origin css mask images (r260598)
Attempt to fix media control layout tests after r230006 (r230016)
CSS mask images should be retrieved using potentially CORS-enabled fetch (r229868 + r229933 rolled out + r230006)
Second div within a rotated and overflow:hidden parent div does not render. (271894@main)

Jan 29, 2024
============
Ignore the title argument to history.pushState()/history.replaceState(273650@main partial)
PAL::ErrorCallbackSetter has two uninitialized fields when m_shouldStopOnEncodingErrors is false (273666@main)

Jan 27, 2024
============
[Content-visibility][repaint] Boxes with "content-visibility: hidden" lingers around (273602@main)
Make LayerRepaintRects internal to RenderLayer (270550@main)

Jan 26, 2024
============
Crash under SubresourceLoader::didReceiveBuffer() (273553@main)
MathML does not always handle positioned objects correctly (273555@main)

Jan 25, 2024
============
[Content-visibility] RenderTreeNeedsLayoutChecker asserts on fixed positioned box inside skipped subtree (273504@main)
[JSC] Remove DFGDesiredObjectProperties (273487@main)
[JSC] DFG constant property load should check the validity at the main thread (273486@main)
Crash in SVGGeometryElement::isPointInFill (273494@main)
[SVG] Add ShapeType to LegacyRenderSVGShape (268961@main)
ASAN_ILL | LayoutIntegration::BoxTree::rendererForLayoutBox; WebCore::TextBoxPainter::TextBoxPainter; WebCore::ModernTextBoxPainter::ModernTextBoxPainter (273482@main)
ASAN_ILL | WebCore::TreeScopeOrderedMap::getElementById; WebCore::TreeScope::getElementById; WebCore::SVGURIReference::targetElementFromIRIString. (273473@main)

Jan 24, 2024
============
[CSS Shapes] Bound RasterShapeInterval size to int (r169697)
[CSS Shapes] Simplify RasterShape implementation (r166522 complete revisited)
[JSC] parseObjectLiteral() should always create the node with expression start location (273450@main)
[JSC] parseMemberExpression() should create NewExpr with expression start location (273440@main)
jsc_fuz/wktr: null ptr deref in WebCore::RenderMenuList::computeIntrinsicLogicalWidths (273429@main)
DOM: Make sure to set tree scope during parser insertion (273421@main)
Unprefix -webkit-backface-visibility (r281009 + r281025 reverted + r281512)
[css-shapes] Shapes are not resolved the same way in shape-inside and clip-path (r156545 complete revisited)
[CSS Shapes] Shape-Margin should be animatable (r157400 partial)
[CSS Shapes] Shape-Image-Threshold should be animatable (r157309 partial)
[CSS Regions][CSS Shapes] Content in region doesn't respect shape-outside after initial layout pass (r158630)
[CSS Shapes] Fix inset when only a subset of the arguments are defined (r160176)
[CSS Shapes] Adjust lineTop position to the next available wrapping location at shape-outsides (r164613)
[CSS Shapes] polygon default fill-rule should be omitted from the serialization (r165638)
[CSS Shapes] shape-outside from image doesn't load properly (r167150)
[CSS Shapes] complex calc args for inset round vanish (r167936)
[CSS Shapes] inset complex calc() args vanish in serialized computed style (r166894)
[CSS Shapes] Fix off by one in creating a RasterShape (r169604)
[CSS Shapes] shape-margin not respected when it extends beyond an explicitly set margin (r172010)
[CSS Shapes] Positioned polygon reftests failing (r172973)
[CSS Shapes] Content does not wrap with overflow: hidden and reference box different from margin-box (r178045)
Large values for line-height cause integer overflow in RenderStyle::computedLineHeight (r182974)
Handle shapeMargin becoming NaN (r271738, 233245@main)

Jan 23, 2024
============
Avoid conversion to UTF-8 in ContentSecurityPolicy::allowInlineStyle when no algorithm is specified (273375@main)
Make the SVG parser interpret form feed as whitespace (273353@main)
jsc_fuz/wktr: null ptr deref in WebCore::SVGResources::buildCachedResources(WebCore::RenderElement const&, WebCore::RenderStyle const&) + 368 (SVGResources.cpp:251) (269561@main)
[CSS Masking] SVG masks are not working as 'mask-image' (268272@main + 268391@main rolled out + 268629@main)

Jan 22, 2024
============
REGRESSION(265672@main) Netflix.com video is zoomed in and cropped in Fullscreen (273277@main)
Resizing video on YouTube can result in aliasing (266284@main)
Fullscreen video does not always match window size at certain resolutions (265672@main)
[JSC] Node's JSTokenLocation sometimes doesn't point to the start of an expression (273255@main)

Jan 21, 2024
============
heap-use-after-free | Style::Scope::removeStyleSheetCandidateNode; WebCore::SVGStyleElement::~SVGStyleElement; WebCore::ContainerNode::~ContainerNode (270128@main complete revisited)
Make getPath() virtual for PathOperation (252623@main)
Support rendering url(), CSS basic shapes other than path(), and coord-box for offset-path (r292382)

Jan 20, 2024
============
SVG fragment reference fails in shadow tree under some circumstances (265565@main complete)
Move SVG pending resources handling out of Element::removedFromAncestor() (253721@main)

Jan 19, 2024
============
SVG fragment reference fails in shadow tree under some circumstances (265565@main part 1)
Timer::stop can short-circuit in most cases (273212@main)

Jan 18, 2024
============
Mask clipping determination insufficient for <use> elements (265238@main)
Sync 'SVGClipPathElement' with IDL Spec and add 'transform' as well (263808@main)
SVG clip-path is sometimes broken on stevejobsarchive.com (263087@main partial)
REGRESSION(273101@main?): [ wk2 debug ] imported/w3c/web-platform-tests/css/css-flexbox/anonymous-flex-item-006.html is flakily crashing. (273192@main)
Regression(r255359): imported/mozilla/svg/svg-integration/clipPath-html-06.xhtml is failing consistently on windows (r255490)
REGRESSION: WK1 Accessibility: ASSERTION FAILED: FontCache::singleton().generation() == m_generation (r255359)
[SVG] -webkit-clip-path treats url(abc#xyz) as url(#xyz) because it checks only URL fragment part (r249040)
[cairo] Entering text into forms on github.com creates a trapezoid artifact (r246431)
Accumulating offsets to handle fixed position container has a transform-related property but not a transform. (273161@main)

Jan 17, 2024
============
Computed regions appear incorrect in fullscreen (253803@main)
Stop adjusting position to absolute for root element in fullscreen (257946@main)
[Deprecated flexbox] Do not try to float position direct inflow children (272271@main)
Style change unnecessarily computed as Change::NonInherited when nothing changes (262148@main)
The effect of writing-mode property remains after the property is removed (on the root element) (256353@main)
Use iterative algorithm for resetStyleForNonRenderedDescendants (253837@main)
Move Style::Resolver::State out of header (r284604)
Rename ScrollView::styleDidChange to styleAndRenderTreeDidChange (r256911)
Move clearChildNeedsStyleRecalc into resetStyleForNonRenderedDescendants. (r233251)
[JSC] Reduce maxPolymorphicCallVariantListSize from 15 to 8 (273105@main)

Jan 16, 2024
============
Remove unneeded flow thread awareness from accumulateOffsetTowardsAncestor() (273085@main)
offsetHeight and offsetWidth of inline box wrapping a block box is 0 (272386@main + 273084@main reverted)

Jan 15, 2024
============
[JSC] Redeclaring parameter of a generator / async function makes it `undefined` (272666@main)
Replaced elements avoid floats, including check boxes and radio boxes when turned into block box (273047@main)

Jan 14, 2024
============
[JSC] Add support for static private class fields (r270043)
[JSC] Add support for static public class fields (r269922)
textPath layout performance improvement. (r182828 revisited)
Move transformationForTextBox() call out of the fragment-loop (258886@main)

Jan 11, 2024
============
Relative -webkit-scrollbar width value may lead to unstable layout (r281971)

Jan 10, 2024
============
SVG element is not displayed if it is inside a <switch> element and it has an SVGFilter resource (272831@main)

Jan 09, 2024
============
Delete ChildNodesLazySnapshot (272803@main)

Jan 07, 2024
============
[cairo] freeze under WebCore::Cairo::fillRect at https://dev.orthologiq.net/ (272730@main)
Optimize SVGRenderSupport::layoutDifferentRootIfNeeded() (272696@main)
Input element with inherited display:ruby hits assert (272693@main)

Jan 05, 2024
============
ArrayBuffer species should be ignored when cloning a Typed Array (r294329, 251040@main)
Remove the isLoadingCustomFonts() check in FontCascade::operator== (272673@main)

Jan 04, 2024
============
Repaint issues with currentColor & color-mix() (263531@main + 263831@main partial)
Stop inheriting text-decoration-thickness CSS property (254010@main)
Various minor RenderStyle::diff() optimizations (272645@main)
isStillValidAssumingImpurePropertyWatchpoint AbsenceOfSetEffect should check special property first (272614@main)

Jan 02, 2024
============
Fix rounding of very large and very small LayoutUnits (272534@main)
[Win] LayoutUnit.h(84) : warning C4756: overflow in constant arithmetic (263770@main)
Use shifts to speedup floor() and round() (260422@main)
Remove ENABLE(SATURATED_LAYOUT_ARITHMETIC) guards (r192357)
Saturated arithmetics: Incorrect float/double clamping. (r177845)
Fix overflow in LayoutUnit::ceil and floor for SATURATED_LAYOUT_ARITHMETIC (r138736 complete revisited)
Clamp values in LayoutUnit::operator/ when SATURATED_LAYOUT_ARITHMETIC is enabled (r137924)
Improve saturation arithmetic support in FractionalLayoutUnit (r129958)
Add saturation arithmetic support to FractionalLayoutUnit (r126509)
[Table] Enable vertical writing mode(s) for table cells (272535@main + 272537@main reverted)
Make iframe containing SVG behave as every other iframe (272503@main)

Dec 21, 2023
============
[SVG] BreakingContext::handleEndOfLine should commit m_lastObject (272396@main)

Dec 20, 2023
============
Crash under PAL::newTextCodec(PAL::TextEncoding const&) (272391@main)
jsc_fuz/wktr: ASSERT_WITH_SECURITY_IMPLICATION(position <= size()); in CSSStyleSheet::insertRule(...) CSSStyleSheet.cpp:365 (272384@main)
J414s/23C25: 1Password extension does not work and keeps trying to open a blank new tab (Unhandled Promise Rejection: AbortError: IDBTransaction will abort due to uncaught exception in an event handler) (272378@main)
Unreviewed, reverting 272253@main (272387@main)
Scoped Arguements needs to alias between named and unnamed accesses and across nested scopes (272253@main)

Dec 19, 2023
============
WTFCrashWithSecurityImplication in WebCore::RenderFragmentedFlow::removeLineFragmentInfo() (272294@main)
Remove double negative from ArithClz32 backwards propagation (272302@main)
[JSC] return in async generators doesn't correctly await its value (272289@main)
[JSC] Untie emitAwait() from emitYield() to reduce bytecode size of async functions (269321@main)

Dec 17, 2023
============
CloneDeserializer::readTerminal() should fail decoding if tag is not exposed to current JS context (272136@main)
The deserializer should fail properly if it cannot materialize ArrayBufferViews. (272131@main)
jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) &WTF::downcast(Source &) [Target = WebCore::CSSValuePair, Source = const WebCore::CSSValue] at StyleBuilderConverter.h:1632 (272171@main)
jsc_fuz/wktr: ASSERTION FAILED: is<Target>(source) downcast(Source &) [Target = WebCore::CSSFunctionValue, Source = const WebCore::CSSValue] (272139@main)

Dec 16, 2023
============
Take block execution count estimates into account when voting double (r167600 partial revisited)
[JSC] DFG might force a local to be double even if we store non-numeric values into it (272168@main)
Array iterator creation intrinsics need ToThis (272163@main)

Dec 15, 2023
============
An Array index in CloneSerializer and CloneDeserializer can be confused for NonIndexPropertiesTag. (272088@main)
jsc_fuz/wktr: segfault with .attributeStyleMap.set('font-family', new CSSKeywordValue('x')) (272089@main)
[JSC] Assertion in JSC::Yarr::Interpreter<unsigned char>::InputStream::uncheckInput called from backtrackPatternCasedCharacter (272039@main)
canDoFastSpread should also check that the Structure is from the global object we're watching (r284699)
Nullptr crash in CSSValue::cssText() via DeleteSelectionCommand::calculateTypingStyleAfterDelete (r282074)
Do not try to remove and already removed node while deleting selection (r277202)
Crash in InsertTextCommand::positionInsideTextNode (r277163)
Crash in InsertTextCommand::doApply (r272779)
Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected. (r262593)
Nullptr crash in CompositeEditCommand::splitTreeToNode via InsertParagraphSeparatorCommand::doApply (r282260 complete revisited)
Potential crash under CachedRawResource::didAddClient() (r282241 partial revisited)
Nullptr crash in DeleteSelectionCommand::removeNodeUpdatingStates (r282075)
Mail hangs when removing multiple rows from large table. (r212151)

Dec 14, 2023
============
Speculative fix for a null pointer dereference in ByteCodeParser::handlePutByVal. (r283632 partial revisited)
Check if start and end positions are still valid after updating them through mergeEndWithNextIfIdentical (r284739)
Null check in traverseNodesForSerialization (r284754)
nullptr deref in CompositeEditCommand::insertNodeAt (r285813)
Nullptr crash in SimplifiedBackwardsTextIterator::range() via previousSentencePosition (r286049)
Fix parentNode in CompositeEditCommand::splitTreeToNode (r286531)
ASSERT(node) triggered after surroundNodeRangeWithElement for node without editable style (r284792)
Nullptr crash in editingIgnoresContent via InsertParagraphSeparatorCommand::doApply (r272483)
Null check in shouldUseBreakElement (r286553)
null ptr deref in WebCore::ApplyStyleCommand::applyRelativeFontStyleChange (r287118)
Mark range boundary point containers (r287131)
Selection API: Extend lifetime of selection live range to preserve expando properties (r267313)
[css-flex] Flex layout should not invalidate preferred width bits of flex items at the end of layout. (271995@main)
REGRESSION(264666@main): Layout of the <tspan> elements inside a <textPath> is incorrect (271996@main)
replaceState cause back/forward malfunction on html page with <base href="/"> tag (r229375 complete revisited)
Simplify test for startOfLastParagraph in InsertListCommand::doApply (r287428, 245563@main)
null ptr deref in DocumentTimeline::animate (r287354, 245496@main)
null ptr deref in WebCore::ReplaceSelectionCommand::moveNodeOutOfAncestor() (r288052, 246072@main)
null ptr deref in WebCore::ModifySelectionListLevelCommand::appendSiblingNodeRange (r287812, 245864@main)

Dec 13, 2023
============
Scripting attributes are sometimes not properly stripped from elements when JS is disabled (r286308, 244667@main)
WPT version of css/css-cascade/parsing/layer-import-parsing.html crashes with nullptr (r288362, 246266@main)
XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls (r288589, 246411@main)
Nullptr crash in CompositeEditCommand::splitTreeToNode via InsertParagraphSeparatorCommand::doApply (r289736, 247221@main)
Expand RefPtr / Ref use in FrameLoader (r288539, 246371@main)
Fix handling of access key events (r288867, 246619@main)
HTML form validation bubble disappears (r238038)
Add support for reportValidity() on form and form control elements (r207380)
[svg] applying rx or ry through CSS exclusively has no effect (271970@main)

Dec 12, 2023
============
[JSC] Make JSMap and JSSet construction more simple and efficient (253133@main partial)

Dec 11, 2023
============
Trace trap in JIT-compiled code. (256197@main partial)
Remove inheritance of designMode attribute (262352@main)
RenderElement::updateFillImages must fix the clients of the CSS image whose URL is invalid (r279906)
Treat image data url's as not identical (r279321)
CSS custom properties on pseudo elements background gradients causes infinite layout and high CPU load (r277112)
RenderElement::updateFillImages should take pointer arguments like other similar functions (256215@main)
[JSC] Should model BigInt with side effects (255368@main)
Type getter is not needed for internal ReadableStream sources (257063@main)
NavigationAction does not need to hold initiating DOM Event (r232316)
clientX/clientY on TouchEvent.touches are wrong (r219571)
Add location to NavigationActionData (r219304 partial)

Dec 10, 2023
============
Remove unnecessary release assertion from mixed content checker. (266682@main)
Framed pages have ability to bypass Mixed Content restrictions (266644@main)
Block mixed content synchronous XHR (r203542)
FrameLoader using bitwise instead of logical operator on booleans (254590@main)
Navigating a cross-origin iframe to the same URL should not replace the current HistoryItem (254563@main)
Make it safe to store a ThreadSafeRefCounted object in Ref & RefPtr safe inside its destructor (r251034)
Block sandboxed frames from navigating to javascript URLs without allow-scripts sandbox flag. (266689@main partial)
NavigationAction should not hold a strong reference to a Document (r232216 partial)
API::FrameInfo should know the web page that contains the frame; add API property webView to WKFrameInfo (r219013 partial)
WebKit policy delegate should suggest if a navigation should be allowed to open URLs externally. (r185111 partial)
Null check provisionalItem in FrameLoader::continueLoadAfterNavigationPolicy (r247021)

Dec 09, 2023
============
[JSC] Refine Object.create modeling in DFG after mayBePrototype bit is mored to Structure (263889@main)

Dec 08, 2023
============
[JSC] Avoid checking if any function parameter is captured unless necessary (271719@main)

Dec 07, 2023
============
CloneDeserializer::deserialize() should store cell pointers in a MarkedVector. (263041@main partial)
Do not synchronously measure SVG text every time it changes (271678@main)

Dec 06, 2023
============
[web-animations] effect targeting an element with display: none should not schedule immediate animation resolution (affects reddit.com) (271614@main)

Dec 05, 2023
============
REGRESSION(r293956): Bad color inheritance due to disallowsFastPathInheritance bit missing from RenderStyle::copyNonInheritedFrom (r294620)
Avoid resolving style for elements that only inherit changes from parent (r293956)
Rename updatePreferredWidth to make it more explicit. (r173134)
Subpixel layout: Remove float to LayoutUnit ceil/round function wrappers. (r172970)
Missing underline after the first character in contenteditable (262914@main)
[IFC][Integration] Fix editing/input/composition-underline-color.html (255381@main)
Text in flex items not breaking under specific conditions (271122@main)
Avoid integer overflow in LayoutUnit's unary minus operator (271550@main)

Dec 04, 2023
============
Increase styleType bits to 5 on RenderStyle::NonInheritedFlags (271441@main)
CSS Counters not properly updated on style changes (271451@main)

Dec 03, 2023
============
::backdrop is tree-abiding and should be allowed after ::slotted() (271366@main)
Fix shadow repaint issue in vertical-rl mode (271416@main)

Dec 01, 2023
============
Element.setAttributeNode() should not treat attribute names case insensitively (271363@main)

Nov 30, 2023
============
Sync 'SVGFESpecularLightingElement' with WebIDL Specification (271329@main)

Nov 29, 2023
============
[JSC] PolymorphicCallNode should unchain itself first in unlink (271246@main)

Nov 27, 2023
============
[cssom] Fix serialization of identity transforms in individual transform functions (271115@main)

Nov 23, 2023
============
Re-align DocumentAndElementEventHandlers.idl, GlobalEventHandlers.idl and WindowEventHandlers.idl with the HTML spec (r267791)
onwebkit{animation, transition}XX handlers missing from Document (r258697)
Implement MathMLIDL / HTMLOrForeignElement (r249572)
Introduce DocumentAndElementEventHandlers IDL interface (r216542)

Nov 22, 2023
============
[CSS-Sizing] Fix to respect block size with max-content and min-content in a table (271054@main)
[css-flexbox] Account for captions when flexing tables with specified sizes (r286593)
[css-flexbox] Table layout disregards overriding height (r276240)
Safari blocking JS reading nonce for <style> and <link> (271046@main)

Nov 21, 2023
============
[FreeType] Do not special case the "sans" font family name (271007@main)
FontCascade::glyphDataForCharacter is a somewhat expensive call (270976@main)
REGRESSION (260675@main): [ macOS, iOS ] 2 x fast/text/glyph-display-lis t tests are a constant failure. (262113@main)

Nov 17, 2023
============
Remove special handling of ::before and ::after on RUBY elements (270823@main)
Improve rebuilding of ruby subtrees (r291852)

Nov 16, 2023
============
REGRESSION(268278@main): WTFCrash in ~CanMakeCheckedPtrBase of ~EventTarget (270813@main)

Nov 15, 2023
============
Merge hasGetterSetterProperties() and hasCustomGetterSetterProperties() structure flags (261556@main)
Make assertion in JSObject::putOwnDataProperty more precise (r250543)
Ensure iframe requests include Referer when location.replace or location.assign is called (270741@main)
Update CSP handling of javascript URLs (r290550)
[CSP] Check policy before opening a new window to a JavaScript URL (r222788 + r227567)
Memory consumption/leak with img out of viewport and lazy loading (270745@main)
ASSERTION FAILED: !((anchorType == PositionIsBeforeChildren || anchorType == PositionIsAfterChildren) && (is<Text>(*m_anchorNode) || editingIgnoresContent(*m_anchorNode))) in WebCore::Position::Position (270763@main)

Nov 15, 2023
============
Structure::hasCustomGetterSetterProperties() is incorrect for non-reified static properties (261082@main)
  => Passed stress Baseline JIT on ARM64 GCC10.2.0 with hard float.
    [JIT tests/ACID3/ACID2/V8 Score 790/SunSpider 1128.6ms/Factory Demo/EPG Guide/EBench 2004 12040.67ms/Google Maps]
    [arewefastyet/Speedometer Score 19.51/Dromaeo DOM Core & JavaScript Library & CSS Selector/es2016plus 74%/css3test 2735 of 5471]
  => Not tested
    [CanvasMark/html5test/EBench 2013|2016/JetStream/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Nov 14, 2023
============
putInlineFastReplacingStaticPropertyIfNeeded should handle custom values (r280505)
definePropertyOnReceiver should check if receiver canPerformFastPutInline (r280463)
[WebIDL] Properly validate and merge descriptors in [Replaceable] setter (r280280)
JSON.parse should not modify non-configurable properties. (r264833)
Implement self.origin (r214147)
Object.freeze(this) at the global scope can lose a reference to a WatchpointSet (r274882)
REGRESSION (r274308): Two assertions in JSGlobalObject::defineOwnProperty() are failing (r274406)
Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes (r274308)

Nov 12, 2023
============
toLocaleLowerCase and toLocaleUpperCase do not throw on empty string (259242@main)
Window should behave like a legacy platform object without indexed setter (r278585)
window proxy of detached iframe doesn't respect updates to global values (r273901 complete revisited)

Nov 10, 2023
============
When no clearance applies to an element with clear set, place the element below the float just as we would if it was `clear:none` (270525@main)
Throw exception if querying SVGAnimationElement with unresolved interval (270519@main)

Nov 09, 2023
============
initial value for border-image-outset should be 0 (r273882)
CSS Triangles Rendering Regression affecting CSS Ribbons. (r199034)
Always render at least a device pixel line when border/outline width > 0. (r192444)
ASAN_SEGV | WebCore::RenderBox::repaintLayerRectsForImage; WebCore::RenderBox::imageChanged; WebCore::CachedImage::notifyObservers) (270487@main)
[JSC] Fix addImmediateShouldSpeculateInt32 for case int32 + constant double (270481@main)

Nov 09, 2023
============
REGRESSION (251613@main): Missing exception check in JSFunction::put() (r295659)
CommonSlowPaths::putDirectWithReify() is incorrect for DontDelete properties (r295608, 251613@main)
[JSC] Public Class Field initialization is slow (r286251)
Speed up setting JSFunction's "prototype" property (r283167)
  => Passed stress Baseline JIT on ARM64 GCC10.2.0 with hard float.
    [JIT tests/ACID3/ACID2/css3test/V8 Score 804/SunSpider 1115.7ms/arewefastyet/Speedometer Score 19.64/es2016plus 74%/Factory Demo/EPG Guide/EBench 2004 12202.67ms/Google Maps]
  => Not tested
    [CanvasMark/html5test/EBench 2013|2016/JetStream/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Nov 08, 2023
============
[WebIDL] %Interface%.prototype.constructor should be defined on [[Set]] receiver (r268710 complete revisited)
Add PropertyName parameter to custom setters to allow shared implementations to do late name lookup (r274724)
[JSC] Check NullSetterFunction under strict-mode context since structure / PropertyCondition are unaware of this (r263134 partial)

Nov 07, 2023
============
[JSC] PropertySlot should allow passing custom setters (r272885)
[JSC] Throw TypeError when getFunctionRealm hits revoked Proxy (r273661)
[Readable Streams API] Add ReadableStreamBYOBReader closed getter (r216775)
nullptr crash in EventPath::eventTargetRespectingTargetRules via EventPath::buildPath (270295@main)
InternalFunction::createSubclassStructure should use newTarget's globalObject (r260732)
[JSC] NativeErrorConstructor should not have own IsoSubspace (r240543)

Nov 06, 2023
============
[JSC] Remove m_globalObject field from JSFunction (r253862 partial)
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float.
    [JIT tests - get-private-name-with-different-symbol.js crash with DFG inline enabled]
    [ACID3/ACID2/css3test/V8 Score 754/SunSpider 3027.7ms/arewefastyet/Speedometer Score 6.32/Factory Demo/EPG Guide/EBench 2004 30524.00ms]
  => Not tested
    [CanvasMark/html5test/EBench 2013|2016/JetStream/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]
[CSS Highlight API] REGRESSION(270146@main): Crash trying to serialize `::highlight` (270229@main)
[CSS Highlight API] Argument is missing from CSS highlight pseudo-element serialization (270146@main)
Remove runtime setting for enabling/disabling CSS shadow parts (r267172)
Regression(270013@main): Crash when loading bgtime.tv (r270190)

Nov 03, 2023
============
[Mac] Add support for MouseEvent.buttons (r223264)
[JSC] Use m_structureCacheClearedWatchpoint in more DFG nodes (r295714)
Clear StructureCache if it has Structure with relevant JSGlobalObjects (r294619)
Regression(265870.536@safari-7616-branch) Crashes under DeferredPromise::callFunction() (270157@main)
CloneDeserializer should always purifyNaN all double values it reads. (270153@main)
Correct URL encoding of CSS (270169@main)
[JSC] DFG AI GetById adhoc folding should insert watchpoints for structures (270143@main)

Nov 02, 2023
============
SVGTextMetricsBuilder::measureTextRenderer exhibits O(n^2) behavior (270110@main)
heap-use-after-free | Style::Scope::removeStyleSheetCandidateNode; WebCore::SVGStyleElement::~SVGStyleElement; WebCore::ContainerNode::~ContainerNode (270128@main partial)
Crash under HTMLBodyElement::didFinishInsertingNode() (270130@main)
[JSC] Move StructureCache from VM to JSGlobalObject (r292795)
The prototype cache should be aware of the Executable it generates a Structure for (r223125)
Add support for CanvasPattern.setTransform() (r225121)
[JSC] Do not declare callee name when it is function declaration (270095@main)
[css-grid][aspect-ratio] availableLogicalHeightUsing needs to consider AvailableLogicalHeightType when computing logical height from the aspect ratio (270098@main)

Nov 01, 2023
============
Reflect.construct can churn cached internalFunctionAllocationStructure (270084@main)
InternalFunction::createSubclassStructure() should use base object's global object (r292883 + r292886)

Oct 31, 2023
============
Cache the viewport size inside SVGLengthContext (r293989)
[SVG] Add support for 'lighter' operator in feComposite (r195745)
Unreviewed, reverting 267648@main. (269969@main)

Oct 30, 2023
============
Optimize FEMorphology (r225172)
feMorphology is not rendered correctly on Retina display (r188271)
FEMorphology::platformApplyGeneric() should bail out if the radius is less than or equal to zero. (r182067)
Do some minor FEColorMatrix code cleanup and optimization (r214916)
Optimize ColorMatrix filter (r136661 complete revisited)
Fix a bug in FEGaussianBlur where the output of the last blur pass wasn't copied to the result buffer (r225147 partial)
Cache an entire attribute QualifiedName when parsing HTML, not just its local name AtomString (r289991)
feLighting is broken with primitiveUnits="objectBoundingBox" (r226373)
SVGFilterBuilder should not be ref-counted. (r157899)
Simplify 'normalizeAngles' function and potential assertion fix 'newStartAngle >= 0...' (269925@main)
Allow extraction of transform from inline renderer (269920@main)
[JSC] yield is not a valid BindingIdentifier for AsyncGeneratorExpression (269801@main)

Oct 26, 2023
============
SVG lighting colors need to be converted into linearSRGB (r226315 complete revisited)
Do not try to issue repaint while the render tree is being destroyed. (r245300 complete revisited)
Crash on loading SVG filter resource on HTML element (r136225)
Stack overflow with enormous SVG filter (r174137)
Filters should test for area instead of single dimension (r164886 complete revisited)
[Cairo] Fix canvas drawing of SVG-based patterns and remove NativeImageCairo (r147643)
Regression(r142765) Broke Custom SVG cursors and SVG canvas drawing for Chromium (r147622)

Oct 25, 2023
============
Drawing an SVG image into a canvas using drawImage() ignores globalAlpha. (r180511)
Add all blend modes to feBlend (r170433 complete revisited)
[CSS Background Blending] -webkit-background-blend-mode fails for certain SVG files (r162517)
[CSS Background Blending] Enable CSS Background blending for layers with SVGs. (r151566)
Add a fast path for atomizing strings when parsing HTML (r282142)
Make setting a link@rel=stylesheet to disabled remove the stylesheet (269168@main + 269203@main reverted + 269753@main)

Oct 24, 2023
============
[WebIDL] DOM constructors should extend InternalFunction (r282864)
Protect Element before calling dispatchMouseEvent() on it (r278964 partial)
[JSC] ForStatement should call CreatePerIterationEnvironment before first iteration (269653@main)

Oct 23, 2023
============
To get lexical JSGlobalObject in a super fast way, we put it in JSFunction/InternalFunction's field. (r250803 partial)
JSDOMConstructorNotConstructable should be a constructor (r265749)
Reduce size limit for item in the SVGPathElement cache (269636@main)

Oct 20, 2023
============
Regression(269372@main) Crash under SVGPathElement::attributeChanged() after memory pressure (269547@main)
Share inline stylesheets between shadow trees (r207339)

Oct 19, 2023
============
Deeply nested SVG patterns can take log time to invalidate the target element (269516@main)
[JSC] Escaped contextual keywords should be allowed as label identifiers (269495@main)
[JSC] Align negative lookahead assertion of ExpressionStatement with the spec (269430@main)
[JSC] Generator declaration should not be allowed in single statement context (r267306)
[JSC] async function cannot appear in single-statement context (r266340)
[JSC] `let [` sequence cannot appear in ExpressionStatement context (r266327)

Oct 18, 2023
============
[Filters] Implement identity filters (253098@main partial)
Restrict SVG filters to accessible security origins (r216294 + r216336 reverted + r216541)
Regression(269372@main) Crash under SVGPathElement::attributeChanged() (269431@main)

Oct 17, 2023
============
An SVG element with a CSS reference filter fails to repaint when the filter changes (269413@main)
REGRESSION(265135@main): CSS filter is not applied on SVG element (267236@main)
SVGResourcesCache::addResourcesFromRenderObject should not allocate SVGResources unconditionally (269397@main)
Add cache for SVGPathElement "d" attribute parsing (269372@main)

Oct 15, 2023
============
Use StringView in CSSParserToken and simplify its code (268760@main + 269335@main reverted)

Oct 13, 2023
============
Crash under SVGImageChromeClient::invalidateContentsAndRootView() (269092@main)
[iOS] [WK1] Release assert in Document::resolveStyle (269278@main partial)
Cleanup Document::resolveStyle (263768@main partial)
Revert 268148@main, caused 0.9% JetStream regression (269281@main)
[JSC] REGRESSION(269099@main) Fix the regression caused by HeapLocation with an extra state (269295@main)

Oct 12, 2023
============
Unable to scroll results.webkit.org results using the scrollbars (269255@main partial)
Release assert in CSSPrimitiveValue::create due to undefined perspective length value (269244@main)
Element application crashes in WebCore::Path::isEmpty() (269223@main partial)

Oct 11, 2023
============
Fix reset to baseVal after animation end for SVGTransformList (268987@main)
Legends could be valid non-spanner siblings of RenderMultiColumnSet (269104@main)
Do not prepend implicit type selectors to :host rules (269134@main)
Use of many shadow trees with unique style triggers significant CPU usage and a rise in process size (269142@main)
Ignore calc() values on colgroup elements (261623@main + 261755@main reverted + 269200@main)
Fix imported/w3c/web-platform-tests/css/css-tables/auto-layout-calc-width-001.html (269139@main)
Removed dead support for relative length in table code (253879@main)
clobberize needs to be more precise with the *ByOffset nodes (269099@main)
CSE DataViewGet* DFG nodes (r235515 partial)

Oct 03, 2023
============
Add per-fragment early-out for getCharNumAtPosition (268730@main)
Drop early-outs for "no boxes" in SVGTextQuery entrypoints (268702@main)
Simplify (and optimize) SVGTextQuery::characterNumberAtPositionCallback (268628@main)
REGRESSION (268511@main): Crash under ~LegacyRenderSVGRoot() when loading nytimes.com (268678@main)
Simplify SVGTextQuery::modifyStartEndPositionsRespectingLigatures (268751@main)

Oct 02, 2023
============
Unreviewed, rolling in the rest of r237254 (r238365 partial)
Improve rejection test for character-based SVG text queries (268656@main)
Skip non-text svg elements in Position [upstream | downstream] (268699@main)
Inline nullQName() function (268695@main)

Sep 28, 2023
============
Animated GIF imagery with finite looping are falling one loop short (r230712)
[GTK][WPE] GIFImageDecoder never clears decoded frames even when told to do so (r222910)
[GTK][WPE] Fix playback of GIFs (r222836)
Checking if frame is complete and access duration doesn't need a decode (r151957 + r152531 + r153475 rolled out)
GIFImageReader should reports parsing error to client (r146737 complete revisited)
Webkit unable to show gifs with applcation extension string shorter than 11 bytes (r145569 complete revisited)
Optimization in image decoding (r135976 complete revisited)
GIFImageReader: fix tautological compare (r129523 complete revisited)
PNGImageDecoder: report no repetition for non-animated images (r237725)
[GTK+] PNG animations that should run once are not played at all (r214939)
Rename FrameData to ImageFrame, move it to a separate file and use it for all ports (r206156 partial)
Get rid of the m_premultiplyAlpha flag of the ImageFrame class (r205877)
APNG decoder: only decode the frames up to haltAtFrame (r194503)
Add APNG support (r181553)

Sep 27, 2023
============
[JSC] Implement Intl Language Tag Parser (r266039 + r266043)
[JSC] Avoid JSString creation in Intl.Locale#{minimize,maximize} (r264285)
Intl.Locale maximize, minimize should return Intl.Locale instead of String (r264275)
[JSC] Intl.Collator should set usage:"search" option through ICU locale (r263833)
[ECMA-402] Implement Intl.Locale (r261215 complete revisited)
[ECMA-402] Intl.RelativeTimeFormat missing in WebKit (r260349 complete revisited)

Sep 26, 2023
============
Clean up some Intl classes following the ICU upgrade (r260265)
IntlNumberFormat can be shrunk by 16 bytes (r242716)
[INTL] improve efficiency of Intl.NumberFormat formatToParts (r240992)
[ECMA-402] Extension values should default to true, canonicalize without "-true" (r260151 + r260161 + r260162)
[ECMA-402] Fix Intl.DateTimeFormat patterns and fields in WebKit (r260145)
REGRESSION(r259480): Two new failing i18n tests (r260237)
REGRESSION(r260697): [Intl] "missing script" locales like zh-TW are no longer mapped (r262890)
[Intl] Locale validation/canonicalization should defer to ICU (r260697)
[ECMA-402] Intl.RelativeTimeFormat missing in WebKit (r260349 partial)
Move singleton Intl string locales out of JSGlobalObject. (r255120)
IntlObject's cached strings should be immortal and safe for concurrent access. (r255112)
[JSC] Update RegExp UCD to version 15.0.0 (260607@main)
[JSC] Update UCD to Unicode 14.0.0 (r287545)
Treat huge 'repeatCount' values as invalid (268420@main)

Sep 25, 2023
============
ASSERTION FAILED: foundContainer on media/modern-media-controls/pip-support/pip-support-click.html. (268304@main)
ReadableStream::create() should handle any exceptions that may be thrown during construction. (r263883 complete revisited)
FetchResponse::url should return the empty string for tainted responses (r240158)
Clean up URL.h (r224984 partial)
REGRESSION(268343@main): Crash under WebCore::PositionedDescendantsMap::removeContainingBlock (268373@main)

Sep 22, 2023
============
Crash under DateTimeEditElement::blurFromField (r267699, 229836@main)
[macOS] Return key binding for date inputs conflicts with return to submit form (r272495, 233809@main)
[macOS] Date/time inputs should focus the next editable component when entering a separator key (r267281, 229519@main)
input.validity reports valid: true for partially completed dates/times (263748@main)
css/filter-effects/backdrop-filter-containing-block.html fails because backdrop-filter doesn't create a containing block. (268161@main)
REGRESSION(266134@main): 3D border-style have very low contrast with very dark border-color (268265@main)
Stop resolving border's current color to some hardcoded value (266134@main)

Sep 21, 2023
============
[JSC] for-of uses AssignmentExpression while for-in uses Expression (r266326)
[JSC] for-of / for-in left-hand-side target should be simple-assignment-target (r266324)
[JSC] SyntaxError message for missing statement as the body of for-in / for-of has a typo (268271@main)
[JSC] SyntaxError message for function declaration duplicating lexical one is misleading (268262@main)
EventHandler references deleted Scrollbar (r180548)
Do not show context menu when right clicking on a scrollbar (r196112)
Crash on OS X when shift clicking outside of input (r148894)
Revert an accidentally changed line of EventHander::handleMousePressEvent(PlatformMouseEvent&) in r135650. (r141088)
Opacity and root element background image doesn't render. (268156@main)
Regression(268146@main) inspector/css/stylesheet-events-imports.html is flakily crashing (268209@main)

Sep 20, 2023
============
Office.com is slow to respond (268148@main)
[First paint] Let optional style recalcs go through while in visually-non-empty state. (r257126)
Add mutation events tests for ContainerNode::replaceChildren and refactor the code (267565@main + 268143@main rolled out)

Sep 15, 2023
============
alignment-baseline should not support the value "auto" (268008@main)

Sep 14, 2023
============
Disable display-p3 canvas and ImageData on platforms other than Monterey+ and iOS 15+ (r282513 partial)
Add preliminary support for specifying a color space for 2D canvas (r277024 partial)
Add support for CanvasRenderingContext2DSettings (r276777)
[web-animations] text-emphasis-style should support discrete animations (r290888)

Sep 13, 2023
============
[css-logical] Implement logical border-radius (r271447)
Unprefix text-emphasis CSS properties (r162207)
Unify private browsing with sessions. (r166661 partial)
  > (WebCore::Page::Page): Initialize with defaultSessionID.
Avoid branching in CSSParserToken's value() & initValueFromStringView() (267911@main)

Sep 12, 2023
============
Add support for creating/accessing/setting non-sRGB ImageData via canvas (r277569 partial)

Sep 11, 2023
============
Regression(r236795) Check boxes are sometimes checked when they should not be (r237211)
input.checked is incorrect while we're parsing its children (r236795)
Correct URL encoding of fetch module (267841@main)

Sep 08, 2023
============
Drop legacy Document.defaultCharset attribute (r204113)
Document.characterSet should return "UTF-8" by default. (r189564 + r189771)
FormDataBuilder should not use Document (r175369)
Setting outerHTML on child of DocumentFragment should not throw error (266086@main)
Relax "parent must be an HTMLElement" restriction in outerHTML setter (r278821, 238774@main)

Sep 07, 2023
============
TextDecoder doesn't detect invalid UTF-8 sequences early enough (r287024)
TextCodec refinements (r266681 + r266749)
TextDecoder should properly handle streams (r266668)
TextDecoder should ignore byte-order-mark like other browsers and spec (r266528)
Align UTF-16 decoder with Chrome, Firefox, and specification (r266457)
Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp (r225618 partial)
UTF-8 decoding produces one replacement character per byte; Encoding standard requires one replacement character per illegal sequence instead (r223329)

Sep 06, 2023
============
[Gtk] NBSP are not replaced when using X clipboard (r145542 complete revisited)
Subpixel rendering: Make selection gaps painting subpixel aware. (r168111)
To avoid circular dependency, use the intrinsic size of replaced element as width (267648@main)

Sep 05, 2023
============
Invalidate :nth-child() selectors correctly when not in subject position (267600@main partial)
Correct URL encoding of SVG <image> elements (267593@main)
Correct URL encoding of <base> elements (267585@main)
Document.baseURI is inaccurate for iframe srcdoc documents (r280855)
Document's fallback base URL should be deduced from its creator when URL is about:blank (r280491 + r280498)
XML external entity resources should only be loaded from XML MIME types (r261443)
Content-Type & Nosniff Ignored on XML External Entity Resources (r258799)
Add routines to check about:blank and about:srcdoc URLs (r258769)
Unique origins should not be Potentially Trustworthy (r258494)
Fetch: URL parser not always using UTF-8 (r254672)
Consider top-level context whose origin is unique as insecure (r253563)
ScriptExecutionContext: Use FINAL instead of foo() { virtualFoo() } (r155304)
Some code incorrectly compares Document objects using CSSParserContext's comparison operator (267577@main partial)
Remove leftover seamless iframe logic from containerForRepaint(). (r163459)
nullptr dereference in WebCore::WebSocket::close() (267575@main)
Correct dynamic handling of <base> elements (267498@main)
Disallow setting base URL to a data or JavaScript URL (r256191)
Dont open details when interacting with interactive summary descendants (267491@main)
 
Sep 01, 2023
============
Remove GraphicsContext::drawConvexPolygon() and GraphicsContext::clipConvexPolygon() (r195170 partial revisited)
Web Inspector: console.assert should do far less work when the assertion is true (r200371)
Unreviewed follow-up testapi fix after r200355. (r200367)
Make console a namespace object (like Math/JSON), allowing functions to be called unbound (r200350)

Aug 31, 2023
============
[Yarr] Yarr JIT returns a nested capture when an outer paren matches a zero length string (267486@main)
[JSC] Improve RegExp Lookbehind Character Class Backtracking (265593@main)
AI rule for ValueMod/ValueDiv produce constants with the wrong format when the result can be an int32 (r254188)
Avoid null pointer dereference when creating ImageBitmap from a null image. (r284522 partial)
Support negative sw/sh values in createImageBitmap(). (r231440)
Avoid uninitialized memory read. (r230907)
Implement createImageBitmap(Blob) (r230350)
Support transferring ImageBitmap objects (r230348)
A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject> (r226599 complete revisited)

Aug 30, 2023
============
DOMStringList, TextMetrics & ImageBitmapRenderingContext should be exposed to workers (r269476)
Initialize ImageBitmap::m_bitmapData in the constructor. (r228153)
Implement createImageBitmap(ImageBitmap) (r226500)
Accept Settings object in ImageBitmapRenderingContext constructor and getContext (r224255)
Implement "bitmaprenderer" CanvasRenderingContext (r224195)
Place an upper bound on canvas pixel count (r193500 + r193912 rolled out + r194290 partial)
Add basic support for getting a ImageBitmapRenderingContext (r222997)
TransformationMatrix::Recompose() and Decompose() incorrectly transpose rotation. (267424@main)

Aug 29, 2023
============
createImageBitmap with HTMLCanvasElement (r224158)
Implement resizing options for ImageBitmap rendering (r223925 + r223939)
Implement drawImage(ImageBitmap) on 2d canvas (r223843)
createImageBitmap with basic HTMLImageElement (r223819)
Add createImageBitmap to Window and Worker (r223775)
Align ImageData constructor with the specification (r223611)
ImageData does not match specification (r209005)
Add support for ImageData.data attribute (r206634)
Implement ImageData constructors and WebWorkers exposure (r166246)

Aug 28, 2023
============
ImageBitmap API stubs (r222986)

Aug 25, 2023
============
Crash under WebCore::cachedDocumentWrapper() (r238905 complete revisited)
Do not dispatch SVG load event in frameless documents (r216023 complete revisted)
It should be possible to dispatch events on template documents (r206541)
xhr/overridemimetype-blob.html WPT test is failing in WebKit (252832@main)
Alternate stylesheets are not present in document.styleSheets (252781@main)
Template element should parse in XHTML just as it does in HTML (r140631)
xhr/json.any.html WPT test is failing in WebKit (252838@main)
Remove dead code for UTF-32 (r228594)
[XHTML] innerHTML and outerHTML setters use a wrong default namespace (253039@main)
Use DOM element iterators more, and more consistently (r257188 partial revisited)
Default NamepaceURI must be gotten from the topmost parent before the SVG <foreignObject> (r252230)
[XML Parser] Insert the error message block when stopping parsing and an error occurred (r243817)
Update Node.lookupNamespaceURI() and XPathEvaluatorBase.createNSResolver() (260848@main)
Align isDefaultNamespace() / lookupPrefix() / lookupNamespaceURI() with the specification (r204536)
Kill Node::ancestorElement() (r200741)
XPath: Do not accept whitespace characters other than #x20, #x9, #xD, and #xA & fix normalize-space() (263311@main)
<a>/<area>'s protocol setter incorrectly works for non-parsable URLs (267265@main)
<a>/<area>'s origin getter returns "null" rather than "" when URL cannot be parsed (267222@main)

Aug 24, 2023
============
Be more restrictive about when canvas2d is allowed to update style (r274531)
Implement new TextMetrics, returned by canvas measureText() (r219970)
Canvas direction should reflect change in dir attribute and also across save/restore operations (r172995)
Implement CanvasRenderingContext2D direction attribute (r172723)
XSLImportRule and XSLStyleSheet should use weak pointers instead of raw pointers (253695@main)
Crash in libxml2.2.dylib: xmlDictReference (r216889)
Avoid reparsing an XSLT stylesheet after the first failure. (r190339 + r190579)
Documents created using DOMParser.parseFromString should inherit their context document's origin / URL (r216046)
It should be possible to dispatch events on documents created using DOMParser (r206469)
DOMParser.parseFromString() should support creating HTML Document with mime-type text/html (r155584)
[Cairo] Don't use a static cairo_surface_t object for CairoPath contexts (r225774 complete revisited)

Aug 23, 2023
============
[Cairo] Fix Path::boundingRectSlowCase when the path is a single MoveTo (r278730)
[Cairo] Path copy constructor and operator must also copy over CTM (r258497)
[Cairo][SVG] marker-mid isn't shown on a joint of rectilinearly connected line-to path segments (r258492)
[Cairo] Remove PlatformPathCairo (r258204)

Aug 22, 2023
============
Don't compute selection painting info when we don't have selection. (r184293)
REGRESSION (r169024): Undetermined text is not displayed in the search field of Adobe Help Website (r174807)
Broken text rendering when input field has selection. (r157392)
Find doesn't always scroll search results into view (r261819 partial)
[GTK] Crash in WebCore::SelectionRangeData::apply (r224087)
SelectionRangeData should not hold raw RenderObject pointers (r222738)
RenderView does not need to be a SelectionSubtreeRoot (r222697 + r222700 + r222701)
Remove redundant RenderObject::selectionRoot and dependencies (r222677 complete revisited)
Remove redundant SelectionSubtreeData functions. (r222310)
[CSSSRegions] Incorrect selection clearing on a document without regions (r173061)
[rendering] Use foreground color to render the overtype caret (r151322)

Aug 21, 2023
============
Remove ASSERT in RenderListItem::computeMarkerStyle (r275087 complete revisited)
ASSERTION FAILED: m_truncation != cFullTruncation in InlineTextBox::clampedOffset() (r223553)
REGRESSION (r222670 and r222732): RTL truncated text may not be drawn (r223552)
Teach InlineTextBox::clampOffset() about combined text and hyphenation (r223259)
No need to truncate text after calling InlineTextBox::text() (r222745)
Remove length argument from TextPainter::paint() (r222732)
Extract logic to compute text to render into common function (r222670)
Simplify InlineTextBox::selectionStartEnd() (r199307)
InlineTextBox::isSelected() should only return true for a non-empty selection and remove incorrect FIXME from InlineTextBox::localSelectionRect() (r223196)
Remove SelectionSubtreeRoot::RenderSubtreesMap (r222669)
Fix GTK Debug bots after r204400 (r204453)
Migrate from ints to unsigneds when referring to indices into strings (r204400)
REGRESSION (r169105): Do not assign a renderer to multiple selection subtrees. (r186984)
REGRESSION(169105): CSS Regions: renderer returns wrong selection root when it is inside a column flow. (r186474)
REGRESSION(r169105) Dangling renderer pointer in SelectionSubtreeRoot::SelectionSubtreeData. (r185838)
Fix crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock(). (r183538)
Clean up subtrees selection code (r175252)
Member name collision in RenderView and SelectionSubtreeRoot (r171797)
REGRESSION (r169105): Crash in selection (r171676)
REGRESSION(r169105): fast/regions/cssom/region-range-for-box-crash.html is more crashy than before (r169273)
[CSS Regions] Crash while painting block selection gaps in regions (r169105)
[CSS Regions] Selection highlight doesn't match DOM selection (r167652)
Use InlineTextBox::lineFont() in more places (r222758)
Make fontToUse() a member function of InlineTextBox (r222532)
Extract out combined text query into a member function (r222528)
A composition underline is placed to wrong position in RTL (r202250 complete revisited)
Move decoration context setup calls to InlineTextBox::paintDecoration. (r194467)
Text decorations are rotated when text-combine takes effect (r136765)
Cleanup TextPainter (r220988)

Aug 20, 2023
============
Add support for CSS properties paint-order, stroke-linecap, and stroke-linejoin in text rendering. (r212808 partial revisited)
REGRESSION (r193857): Text selection causes text to disappear. (r199304)
Simple line layout: Use TextPainter to draw simple line text. (r193934)
TextPainter: Add support for painting multiple text runs. (r193929)
TextPainter: Make before and after selection painting more explicit. (r193891)
TextPainter: Rename start and end position to selectionStart and selectionEnd. (r193857)
Light cleanup in TextPainter. (r193779)
Make paintTextWithShadows a member function (TextPainter). (r193688)
Refactor TextPainter::paintText() into sub methods. (r193656)

Aug 19, 2023
============
SVGInlineTextBox::acquirePaintingResource() should return false if the resource can't be applied (r279792)
Nullptr crash in InlineTextBox::emphasisMarkExistsAndIsAbove (r259286)
Subpixel rendering: Slow paint path for inlines should snap to device pixels. (r166929)
TextDecorationPainter::m_wavyOffset should be a float (r222862)
Move computeLineBoundsForText from GraphicsContext* to GraphicsContext. (r194757)
Use wavy offset for decoration painting when line style is TextDecorationStyleWavy. (r194736 complete revisited)
Delete class SavedDrawingStateForMask (r173502)
text-decoration-skip: ink does not work with line wraps (r161608 complete revisited)
Faster implementation of text-decoration-skip: ink (r160951 complete revisited)

Aug 18, 2023
============
[Cocoa] Text shadow sometimes clipped unexpectedly (r200807 complete revisited)
REGRESSION: Text with a zero offset, zero blur shadow vanishes (r173941 + r173942)
REGRESSION (r172153): Text drawn with wrong color when second text shadow has zero offset and blur (breaks buttons at aws.amazon.com) (r173418)
Text-shadow with (0, 0) offset and radius = 0 is ugly (r172153)
[iOS DnD] Text indicators for dragged links should always be legible if the link is legible (r219033 partial)
Delete unused TextPainter function (r159214)
Move InlineTextBox's text painting to it's own class (r158232 + r158233)
Emphasis marks has wrong color. (r157518)
Factor text paint style computation out from InlineTextBox (r157015)

Aug 17, 2023
============
REGRESSION(r221839): Fix requests with FormData containing empty files (r230963)
Finish off the FormData implementation (r221839 complete revisited + r221936)
Finish off the FormData implementation (r221839 partial + r221936)

Aug 15, 2023
============
Positive look-behind RegExp doesn't match in JSC but does match in V8 (266912@main)
Remove redundant GraphicsContext::clip(const Path&, WindRule) (r191617)
Subpixel rendering: ebay.com rotating billboard on the main page has cut off buttons. (r170817)
border-radius on html does not render properly. (r172218)
[Subpixel] Replaced content bleeds over content box when border radius is set (r263136)
[CSS] shadow from radius has wrong render in webkit (r145474)

Aug 14, 2023
============
[IntersectionObserver] Fix some edge cases in parsing options (266856@main)

Aug 09, 2023
============
Text selection color is hard to see in dark mode web views. (r234512)

Aug 08, 2023
============
SVG rect with rx or ry set to zero is drawn incorrectly (266641@main)
[JSC] IntrinsicGetter AccessCase should not use Equivalent condition (266659@main)

Aug 06, 2023
============
[JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take all put() overrides into account (266436@main)
[JSC] Remove ReflectSet PutPropertySlot context (264520@main)
[JSC] definePropertyOnReceiver() doesn't account for put_by_val_with_this bytecode op (263559@main)

Aug 05, 2023
============
[JSC] PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take non-reified static properties into account (266582@main)

Aug 04, 2023
============
Align Range.createContextualFragment() input validation with the specification (r204235)
Align our implementation of Range.createContextualFragment with the specification (r197012)
Switch createContextualFragment to element iterator (r158537)
Add helpers for partial descendant traversal to element iterators (r158530 partial)
Compute the correct overflow-x and overflow-y values for table elements (266560@main)

Aug 03, 2023
============
jsc_fuzz: ASSERTION FAILED: !is8Bit() || isEmpty() in stringProtoFuncToWellFormed() (266450@main)
[JSC] String#toWellFormed should return stringified value (260043@main)
[JSC] Implement String#isWellFormed and String#toWellFormed (257250@main)
String.prototype.includes incorrectly returns false when string is empty and position is past end of string (254319@main)
`highWaterMark` should be a readonly WebIDL attribute of queuing strategies (r283765)
ReadableStream's pipeTo() and pipeThrough() don't properly check for AbortSignal (r280627)
ReadableStream's pipeTo() and pipeThrough() don't handle options in spec-perfect way (r280593)
Unreviewed, reverting r279628. (r279639)
Unreviewed, reverting r279546, r279554, r279558 and r279567. (r279769)
SubtleCrypto should only be exposed to secure contexts (r279628)
Use AbortSignal's [PrivateIdentifier] whenSignalAborted() static method (r279567)
[WebIDL] Rework runtime enabled properties leveraging PropertyCallback (r279546)

Aug 02, 2023
============
ReadableStream.getReader do not throw a proper exception when parameter is of wrong type (r279472)
CountQueuingStrategy.constructor misses checking the type of init param (r278710)
Streams: new test failure for canceling the branches of an errored tee'd stream (r275667)
Add support for TextEncoderStream (r266332)
Fix type confusion in StyleBuilder::ConvertGridTrackSizeList. (266445@main)
VisibleSelection::nonBoundaryShadowTreeRootNode should return null when its anchor is a shadow root (266505@main)

Aug 01, 2023
============
initializeReadableStream should check for highWaterMark be undefined (r266283)
Fix propagation of errors in TransformStream (r266243)
Add support for TransformStream (r266228)
unionRect(const Vector<LayoutRect>&) behaves incorrectly with empty rects (266479@main)
Implement AbortSignal.throwIfAborted (r286904)
Add abort reason to AbortSignal (r285428)
Implement AbortSignal.abort() (r274773)
Abort pipeTo based on AbortSignal (r266177)

Jul 31, 2023
============
pipeThrough should check for readableStream type (r266162)
Refresh ReadableStream.pipeTo implementation up to spec (r266129)
Check WritableStream underlyingSink methods (r265747)
Always resolve ReadableStream's tee()'s cancel promise after the stream closes or errors (r265417)
Use usual promise in readableStreamTee (r262739)
Response constructor doesn't throw on disturbed ReadableStream (r248283)
readableStreamDefaultControllerError should return early if stream is not readable (r231789)
'hr' with width as 0 or 0px get 1px (266418@main)

Jul 30, 2023
============
Add a JS built-in routine to mark a promise as handled (r265810)
Make ReadableStream robust against user code (r263141)

Jul 29, 2023
============
Make sure writableStreamDefaultWriterEnsureClosedPromiseRejected overwrite the closedPromise if needed (r265748)
WritableStream rejected promises should be marked as handled as per spec (r265732)
WritableStreamDefaultWriterEnsureReadyPromiseRejected should create a new readPromise if the current readyPromise is not pending (r265676)
Refresh WritableStream up to spec (r265548)

Jul 28, 2023
============
Unreviewed, reverting 263420@main. (266356@main)

Jul 27, 2023
============
[Tables] Do not try to invalidate columns when the entire table is being destroyed (266344@main)
Set intrinsic size for inline SVG earlier (266314@main)
[JSC] Use DFG::Call when calling typed array constructor without keyword new (266331@main)

Jul 26, 2023
============
Only special-case document element outermost svg embedded via a frame (266251@main)

Jul 25, 2023
============
Implement Crypto.randomUUID() (r281206 + r281215 rolled out + r281284)
Remove EAffinity, UPSTREAM, DOWNSTREAM, SEL_DEFAULT_AFFINITY, and VisibleSelection::selectionType (r266557 partial revisited)
REGRESSION (r158617): Find on Page can get stuck in a loop when the search string occurs in an <input> in a <fieldset> (r167291 complete revisited)
createMarkupInternal should protect its pointer to the Range's common ancestor (r222220)
Moving right by word boundary right before an object element followed by a br element hangs (r247881)
Unreviewed, reverting 265833@main. (265913@main)
[JSC] Align duplicate declaration checks in EvalDeclarationInstantiation with the spec (266229@main)
[JSC] Align duplicate declaration checks in EvalDeclarationInstantiation with the spec (265614@main complete revisited + 265915@main rolled out)

Jul 24, 2023
============
Implement PostMessageOptions for postMessage (r253497 partial)

Jul 07, 2023
============
DFG should update backwards propogation after fixup. (265833@main -> 265913@main rolled out)

Jul 05, 2023
============
HTMLTableSectionElement.insertRow(0) / HTMLTableRowElement.insertCell(0) do not behave correctly (265768@main)
Make Attr.nodeValue/textContent not nullable (265769@main)
[ECMA-402] Properly implement BigInt.prototype.toLocaleString (r259919)
[JSC] Drop direct references to Intl constructors by rewriting Intl JS builtins in C++ (r242047)
[JSC] Intl constructors should fit in sizeof(InternalFunction) (r240273)
Remove rendererWillBeDestroyed() from HTMLTextAreaElement.h and RenderTextControlMultiLine.cpp (265755@main)

Jul 04, 2023
============
[JSC] NumberConstructor should accept BigInt (r260834)
[ESNext][BigInt] We don't support BigInt literal as PropertyName (r256541)
[ESNext] Enables a way to throw an error on ByteCodeGenerator step (r254738)
[JSC] Align duplicate declaration checks in EvalDeclarationInstantiation with the spec (265614@main partial)
[JSC] JSScope::resolveScopeForHoistingFuncDeclInEval() should skip simple parameter catch scopes (265331@main)

Jul 03, 2023
============
Regression (r252680): JSCOnly build broken: no matching function for call to JSC::DFG::SpeculativeJIT::jsValueResult (r252690 partial)
[ESNext][BigInt] Add support for op_inc (r252680)

Jul 02, 2023
============
[BigInt] Add ValueBitRShift into DFG (r250313)

Jun 30, 2023
============
[BigInt] Add ValueBitLShift into DFG (r247387)
  => Passed stress DFG (executionCounterIncrementForEntry=150, executionCounterIncrementForLoop=10) on ARMv7 Thumb GCC8.3.0 with hard float.
    [V8 Score 742/SunSpider 3795.1ms]
ValuePow's constant folding rule differs from what the runtime does (r251408)
JSBigInt::m_length should be immutable. (r248927)
[ESNext][BigInt] Implement support for "**" (r246041)
[BigInt] Add ValueMod into DFG (r245063)
AbstractValue can represent more than int52 (r244480)
r244079 logically broke shouldSpeculateInt52 (r244238)
Clean up Int52 code and some bugs in it (r244079)
Refactor clz/ctz and fix getLSBSet. (r243418 complete revisited)
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float.
    [JetStream 1.1 Score 6.1154]

Jun 29, 2023
============
[ESNext][BigInt] Implement "~" unary operation (r242715)
DFGByteCodeParser rules for bitwise operations should consider type of their operands (r239980)
[JSC][32bit] Use constexpr tags instead of enums (r292535)
[BigInt] Support BigInt in JSON.stringify (r239544)
[BigInt] We should enable CSE into arithmetic operations that speculate BigIntUse (r239438)
Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes. (r241753)
DoesGC rule is wrong for nodes with BigIntUse (r240244)
[BigInt] Add ValueDiv into DFG (r239158)
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float.
    [JetStream2 Octane Score 5.253]
[BigInt] Add ValueMul into DFG (r239045)
Teach the bytecode that arithmetic operations can return bigints (r254716)
Test262-runner should always consider crashes as new failures (r258286)
[BigInt] Implement DFG/FTL typeof for BigInt (r239141)
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float.
    [JIT tests - get-private-name-with-different-symbol.js crash with DFG inline enabled]
    [ACID3/ACID2/css3test/V8 Score 761/SunSpider 2998.9ms/Speedometer Score 6.292/Factory Demo/EPG Guide/EBench 2004 21297.67ms]
  => Not tested
    [CanvasMark/html5test/EBench 2013|2016/JetStream/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]
[JSC] Fold GetArrayLength(String) in DFG (265613@main)

Jun 28, 2023
============
AI rule for ValueBitNot/ValueBitXor/ValueBitAnd/ValueBitOr is wrong (r243206)
[JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result (r249736)
Selection should not set the cursor type to text over the explicitly set cursor type (265597@main)
[JSC] __proto__ produces incorrect value after Object.prototype.__proto__ changes (265594@main)
[JSC] >>> should call ToNumeric (r260805)
Non-speculative Branch should be fast in the FTL (r185002 complete revisited)
[ESNext][BigInt] Support logic operations (r238861)
[ESNext][BigInt] Implement support for "<<" and ">>" (r238790)
[BigInt] Implement ValueBitXor into DFG (r238732)
Re-introduce op_bitnot (r238543)
[BigInt] Literal parsing is crashing when used inside a Object Literal (r239961)
[JSC] Keep TypeMaybeBigInt small (r238778)
[BigInt] JSBigInt::createWithLength should throw when length is greater than JSBigInt::maxLength (r238425)
[BigInt] Add support to BigInt into ValueAdd (r237972)
[ESNext][BigInt] Implement support for "^" (r237296)

Jun 27, 2023
============
[BigInt] Add ValueSub into DFG (r237285)
[ESNext][BigInt] Implement support for "|" (r236901)
[ESNext][BigInt] Implement support for "&" (r236637)
[BigInt] BigInt.proptotype.toString is broken when radix is power of 2 (r236737)
[ESNext][BigInt] Implement support for addition operations (r232449)
[JSC] Correct values and members of JSBigInt appropriately (r232401)
[ESNext][BigInt] Implement support for "=<" and ">=" relational operation (r232386)
[ESNext][BigInt] Implement support for "%" operation (r232295)
[ESNext][BigInt] Implement support for "<" and ">" relational operation (r232273)
[ESNext][BigInt] Implement "+" and "-" unary operation (r232232)
[Debug] imported/w3c/web-platform-tests/dom/events/preventDefault-during-activation-behavior.html is crashing (265538@main)
[JSC] Suppress StringCharAt when OutOfBounds exit happens frequently (265541@main)

Jun 26, 2023
============
dominant-baseline property should be inherited (265525@main)
[DFG] Remove compileBigIntEquality in DFG 32bit (r230577)
[ESNext][BigInt] Add support for BigInt in SpeculatedType (r230516)
We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms (r218137 partial)
Speedometer 3: Charts-chartjs spends a lot of CPU time in RenderImage::updateInnerContentRect (265499@main)
Throw when constructing a SharedWorker in a detached document (265483@main)
[CSS-Text-Decoration] Text decorations should propagate into tables (265488@main)
[css-text-decor] Don't propagate decorations to inline-flex/inline-grid (265471@main)
REGRESSION(265249@main): Infinite recursion in LegacyRenderSVGContainer::layout and SVGRenderSupport::layoutChildren (265468@main)
REGRESSION(264618@main): Infinite mutual recursion in SVGRenderSupport::layoutDifferentRootIfNeeded (265249@main)

Jun 23, 2023
============
JITMathIC should not use integer offsets into machine code. (r236554)
[JSC] JSBigInt::digitDiv has undefined behavior which causes test failures (r232253)
Conversion misspelled "Convertion" in error message string (r232110)
[ESNext][BigInt] Implement support for "/" operation (r231886)
[ESNext][BigInt] Implement support for "*" operation (r231733)
[ESNext][BigInt] Implement support for "==" operation (r231629)
[BigInt] Simplifying JSBigInt by using bool addition (r231546)
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t (r227271 complete revisited)
[ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype (r226338)

Jun 22, 2023
============
[ESNext][BigInt] Breking tests on Debug build and 32-bits due to missing Exception check (r225851)
[ESNext][BigInt] Implement BigInt literals and JSBigInt (r225799)
Change FrameLoadRequest from a struct to a class (r218665)
Cleanup FrameLoadRequest (r218649)

Jun 21, 2023
============
"http:" should not be a valid URL (r267931)
Remove unnecessary check in TreeResolver::resolvePseudoElement() (265318@main)

Jun 20, 2023
============
Correct return value in URLParser::defaultPortForProtocol() (264661@main)
Guarantee order of WebSocket events in case of being resumed (r284472 partial)
WebSocket should not fire events after being stopped (r241599)
Treat non-https actions on secure pages as mixed content (r195477)
Mixed content blocking is bypassed for WebSockets in Workers (159726) (r250300)
Check CachedResourceLoader's document WeakPtr in more places (265259@main partial)
Make MixedContentChecker stateless (r270931)

Jun 19, 2023
============
Resolution context for ::backdrop must not use element's style as parent style (265300@main)
Computed display of form inside table elements should be display:none (265283@main)

Jun 18, 2023
============
Remove remaining bits of dynamic <link> rel='icon' loading (r199752)
CSP: Remove stubs for dynamically-added favicons (via link rel="icon") (r199673)
Remove support for beforeload on link=prefetch (r247481)
The HTMLPreloadScanner ignores the referrerpolicy attribute for img elements (265223@main)
Link headers for subresources are not being processes (r229196)
Added mime type check to the picture source preloader to avoid downloading incompatible resources. (r224928)
[preload] Mandatory `as` value and related spec alignments (r217962)

Jun 17, 2023
============
Add referrerpolicy attribute support for <link> (r263356 + r263442)
Introduce LinkLoadParameters (r246786)
Implement imagesrcset and imagesizes attributes on link rel=preload (r245475 + r245825 rolled out + r246045)
Drop non-const getter for CachedResource::resourceRequest() (r220632)
[preload] Add media and type attribute support. (r217247)
Link preload HTMLPreloadScanner support (r216143)
Add Link header support for preload. (r210914)
Avoid unnecessary call to Document::completeURL() in HTMLLinkElement::process() (r201311)
REGRESSION (r191180): Safari does not send Referer Header to iframe src in certain situations (r198917)
Avoid downloading the wrong image for <picture> elements. (r195064 + r195092 rolled out + r195132 complete revisited)
Picture element needs to work with the preload scanner and select the correct source element instead of loading the image. (r194865)
HTMLPreloadScanner should preload iframes (r191180)
Refactor TokenPreloadScanner::StartTagScanner::processAttribute() (r190641 complete revisited)
data: URLs should not be preloaded (r190605 + r190755)
Handle meta viewport in HTMLPreloadScanner (r183951)
HTMLLinkElement should resolve resource URLs when resources will be fetched (r147291)

Jun 16, 2023
============
module's default cross-origin value should be "anonymous" (r260003 + r260030 rolled out + r260038)
Always use iOS preload behavior (r208049)
Origin header is not included in CORS requests for preloaded cross-origin resources (r201930 complete revisited)
PreloadScanner preloads external CSS with non-matching media attribute (r153689)
Make the existing HTMLPreloadScanner threading-aware (r142427)
[Template] Avoid reading beyond the end of the buffer in preload scanner when check for </template> (r140064)
Prevent HTMLPreloadScanner from fetching resources inside <template> (r139502)
HTML preload scanner doesn't need to remember whether we're scanning the body (r138658)
Tidy a bit of StringBuilder usage (r253963 partial)
Avoid unnecessary ancestor traversal in Range::selectNodeContents() (r190175 complete revisited)
Fix two assertion failures in Range::insertNode (r151627 complete revisited)
[JSC] delete operator shouldn't perform TDZ checks (265212@main)

Jun 15, 2023
============
Setting the "vector-effect" attribute in the SVG <text> tag to "non-scaling-stroke" has no effect (265204@main)
XMLHttpRequest.responseXML.characterSet may be inaccurate (265210@main)
Make sure the context document is set BEFORE we parse the document contents. (r256715 partial)
[XHR] Document.lastModified doesn't work for non-rendered documents (r238628)
Prevent decoded images from being destroyed when they're in use. (r173172)
FileReaderLoader::convertToDataURL should use application/octet-stream if MIME type is empty (r269875 complete revisited)
[JSC] Anonymous built-in functions should have empty string for a name (r252520 partial revisited)
Make `errors` an own property of `AggregateError` instead of a prototype accessor (r263006)
Implement Promise.any and AggregateError (r260273 complete revisited)
Drive-by: fix incorrect usage of `ErrorInstanceType` since `ErrorPrototype` does not inherit from `ErrorInstance` (and therefore neither does `NativeErrorPrototype`) (r260273 partial).
Regression(264098@main) HTMLFieldsetElement behavior for :enabled / :disabled CSS selectors is incorrect (265166@main)
Event dispatching on disabled form controls (264098@main partial)
HTMLOptionElement::defaultSelected should affect selection state of other option elements once added or removed (265167@main)
readAsDataURL.readAsDataURL() is incorrect for empty blobs (265153@main)

Jun 14, 2023
============
Remove the Timer parameters from timer callbacks (r176495)
REGRESSION (r239814): Most classes that user Timer have 7 bytes of padding after the Timer (r243022)
ThreadTimers should not store a raw pointer in its heap (r239814)
REGRESSION: SVGMaskElement maskUnits/maskContentUnits dynamic updates broken (265137@main)
REGRESSION: Dynamic attribute updates partly broken for SVG (265069@main)
Crash in SVGElement::removeEventListener with symbol element (r257897)

Jun 13, 2023
============
<feColorMatrix> filter doesn't work properly when defined inside then set directly on the <svg> element (265135@main)
Move focus management API from HTMLDocument to Document (r166668 complete revisited)
Document needn't expose its active element. (r153700)
ENABLE(PAN_SCROLLING) AutoscrollController::updateAutoscrollRenderer calls hitTestResultAtPoint with `true` for HitTestRequestType (r151281)
Remove PurgeableBuffer since it is not very useful any more (r172790)
Use more weak pointers for CachedResource / CachedResourceClient (260388@main partial revisited)
Keep all memory cache resources in ListHashSets (r180207)

Jun 12, 2023
============
Move tracking and computation of timer heap current insertion order to ThreadTimers (r251810)
TimerBase::m_heapInsertionOrder calculation is racy (r180058)
Don't restart shared timer if both the current and the new fire time are in the past (r142811)
Avoid updating timer heap when nothing changes (r142764 complete revisited)
Remove code behind ENABLE(CSS_IMAGE_RESOLUTION) (265048@main)

Jun 09, 2023
============
[CSS] Remove unused/broken CSSSelector equality operator (265014@main)
Correct serialization of Selectors (264980@main)

Jun 08, 2023
============
[WebCore] Shrink sizeof(RuleFeature) (r254065)
  => css3test.com 47% 2151/4542 1042 features (All except CSS 2.2), 52% 2676/5067 1164 features (All)
[JSC] Use array-move shift with threshold (256082@main)
Attempting to [[Set]] JSArray's read-only "length" should throw even with current [[Value]] (r289164)
ArraySetLength should coerce [[Value]] before descriptor validation (r267037)
ProxyObject callees should be skipped during Function.prototype.caller resolution (r280364)
<textarea> with float:left disappears when editing text (264943@main)

Jun 07, 2023
============
Modify obsolete code in User Timing (r132146)
[User Timing] implement main interface in of User Timing, according to http://www.w3.org/TR/2012/CR-user-timing-20120726/ (r131693)
Array.prototype.toLocaleString does not respect deletion of Object.prototype.toLocaleString (r287560 partial)
Partly implement Function.prototype.{caller,arguments} reflection proposal (r280289)

Jun 06, 2023
============
Don't stop text-decoration-propagation in general for UA shadows (264901@main)
Stop propagating text decorations on outermost SVG roots (264894@main)
`text-decoration: underline` is not applied to web component (r278602)
Object replacement character (0xFFFC) generates null (0) glyph (264886@main)

Jun 05, 2023
============
workers/opaque-origin.html WPT is failing in WebKit only (264799@main complete revisited)
BlobURLHandle doesn't work as intended for opaque origin Blob URLs (254238@main)
Blob URLs with fragment from opaque/unique origins cannot be loaded (253498@main)
workers/opaque-origin.html WPT is failing in WebKit only (264799@main partial)
Always use no-quirks mode for CSS.supports() (264835@main)
Remove superfluous call in RenderElement::clearChildNeedsLayout (264843@main)
Take overflow: clip into account when computing table overflow (264849@main)
Remaining page height should never be 0 (264857@main)

Jun 02, 2023
============
There should be one MicrotaskQueue per EventLoop (r253279)
Perform microtask checkpoint after each task as spec'ed (r253091)
Handle multiple fragments in the getCharNumberAtPosition SVGTextQuery (264796@main)
visualViewport.addEventListener("scroll"*** fires permanently after zoom or orientation change (r263858)
Remove DocumentEventQueue and WorkerEventQueue (r253141)
Use the event loop instead of DocumentEventQueue and WorkerEventQueue (r252824)
Associate each microtask with a task group and remove ActiveDOMCallbackMicrotask (r252820)
JS wrappers of scroll event targets can get prematurely collected by GC (r252504)
Integrate scroll event into HTML5 event loop (r252205)
Frame flattening: Change the logic on whether resize event needs to be dispatched. (r153640)
With frame flattening on, too many resize events fired if document is resized in onresize handler. (r153397)
Frame flattening prevents <HTML> in <OBJECT> from having scrollbars (r150234)
REGRESSION(r149287): FoldingText only shows me half of my text. (r150011)
REGRESSION(r149287): Assertion failure in fast/frames/flattening/iframe-flattening-crash.html (r149435)
REGRESSION(r149287): Assertion failure in fast/frames/flattening/iframe-flattening-crash.html (r149382)
When updating geometry, send JavaScript resize before before layout/paint. (r149287)
Revert "Throttle resize events during live window resize." (r149002)
Throttle resize events during live window resize. (r148031)

Jun 01, 2023
============
MicrotaskQueue should be accessed via EventLoop (r252723)
Unable to paste from Notes into Excel 365 spreadsheet (r247222)
Perform a microtask checkpoint before creating a custom element (r234944)
Unique origin's window must get its own event loop (r253265)
WindowEventLoop should be shared among similar origin documents (r252221)
Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient (r173251)

May 31, 2023
============
REGRESSION(262844@main): svg/dynamic-updates/SVGFE* tests no longer react on changes (264763@main)
Input renderer applies overflow clipping to the content box (264731@main)
Potential high CPU usage on macrumors.com (r287689)
Crash under WebGLRenderingContextBase::scheduleTaskToDispatchContextLostEvent() (r269285)
REGRESSION (r269227): Crash in WebCore::WorkerOrWorkletGlobalScope::prepareForDestruction (r269275 partial)
Promises returned by our DOM API have the caller's global instead of the callee's (r269227)
ServiceWorkers API should reject promises when calling objects inside detached frames (r225577 partial)
'textLength' support for 'tspan' elements is incomplete (264666@main)
Placeholder text inside input overflows (264684@main)
Clipping a caret rect results in its size changing instead of actually clipping (264708@main)

May 30, 2023
============
Modernize uses of ConsoleClient (r275845)
Web Inspector: Expose the console object in JSContexts to interact with Web Inspector (r165199 + r165214)
Add a missing ": " between the URL and exception in STDOUT logs. (r163993)
[Multicolumn] Avoid floating point when calculating the actual column count (264667@main)
[ macOS debug arm64 ] ASSERTION FAILED: count >= 1 ./rendering/RenderMultiColumnSet.cpp(450) : unsigned int WebCore::RenderMultiColumnSet::columnCount() const (r274774)

May 29, 2023
============
XMLTreeViewer should be created only in the XML viewer mode (r153707)
Display property as specified on svg elements (264627@main)
Match elements without parent with child-indexed pseudo-classes (264620@main)
Nested use of same SVG resource fails (264618@main)
wrong input text position with line-height (264613@main)
Resolve percentage in use against the instance's viewport element (264596@main)
[SVG] animateMotion accumulate doesn't work properly with rotate: auto / auto-reverse (264595@main)
Stop treating "text/xsl" as a XML MIME type (264585@main)
SVGTextLayoutEngine m_textPathStartOffset is uninitialized (264580@main)
[SVG] Interval should not be created if a value in begin-value-list doesn't have a matching value in end-value-list (264635@main)
Remove redundant RenderTextControl::textBlockLogicalWidth (264645@main)
Create SmallHeap for JSStrings (264588@main + 264631@main reverted)
[JSC] Extend NumericStrings cache (264545@main + 264636@main reverted)

May 26, 2023
============
Make DeferredPromise behave nicely with regards to the back/forward cache (r252263 complete revisited)
FetchRequest should not prevent entering the back/forward cache (r251495)
Make DeferredPromise behave nicely with regards to the back/forward cache (r252263 partial)
Move the space transform outside the Gradient class (r271472)
Some further streamlining of Gradient handling code (r264290 partial)
ASSERTION FAILED: rootRenderer.isDocumentElementRenderer() for fast/body-propagation/background-image/007-xhtml.xhtml (264535@main)
Simplify RenderElement's shouldRepaintForImageAnimation() (r179145)

May 25, 2023
============
Change event isn't firing when the user reverts the value of color/date/time/datetime input after JS changed the value (264528@main)
Remove unused ChromeClient::formStateDidChange(). (r163724)
XSLTProcessor fails when xsl calls exsl:node-set() on empty variable (264508@main)
Update layout of child frames before hit testing a document if necessary (264497@main)
[Hittest] Move hittesting from RenderView to Document (r245716)
<input type=radio> crashes in removeInvalidElementToAncestorFromInsertionPoint() during GC (264496@main partial)

May 24, 2023
============
Support AbortSignal in addEventListenerOptions to unsubscribe from events (r271806)
Implement EventListenerOptions argument to addEventListener (r201757 partial revisited)
output element doesn't react properly to node tree mutations (r277527)
HTMLOptionElement text setter should not have non-conforming observable behavior (264442@main)
Drop unnecessary ExceptionOr<> return types (r292506 partial)
Clean up some .text attribute setters that don't throw. (r215104)

May 23, 2023
============
Document::m_nodeIterators should be WeakHashSet (264334@main)
Text not wrapping in nested grid (264252@main)
Fix that CSSSelectorParser::consumeName doesn't work properly for '|'. (264246@main)
textareas logical height with overflow auto shouldn't add scrollbar-thickness (264251@main)
Clear UserActionElement state for the node when it is moved from the Document to a different one (264272@main)
Eliminate some cases of double hashing, other related refactoring (r225037 partial)
Remove unnecessary UserActionElementSet constructor, destructor (r164309)
[Multicolumn] Handle multicol intrinsic inline-size changes (264292@main)
DocumentLoader might be null when calling HistoryController::updateCurrentItem (264336@main)
Adapt OOF with specified height case in availableLogicalHeightForPercentageComputation (264352@main)
Fix heap use-after-free in Update::addSVGRendererUpdate (264355@main)
Fix spanner reset logic (264361@main)
Improve isInsideMulticolumnFlow lambda for top-layer elements (264362@main)
Potential use-after-free in WebAnimation::commitStyles (264363@main)
Fix crash when innerTextElement() can be null when designMode="off" (264372@main)
[JSC] RegExpGlobalData::performMatch issue leading to OOB read (264365@main)

May 19, 2023
============
ASSERTION FAILED: m_wrapper on webgl/max-active-contexts-webglcontextlost-prevent-default.html (r259364)
[StressGC] ASSERTION FAILED: m_wrapper under WebCore::WebGLRenderingContextBase::dispatchContextLostEvent (r259130)
Pages using WebGLRenderingContext fail to enter the back/forward cache (r250464)
XPath: Fix context node after evaluating an expression in a predicate (264210@main)
XPath: Some operators / functions are using the wrong EvaluationContext for non-first arguments (252846@main)
Use unique_ptr instead of deleteAllValues in XPath (r157205 partial)

May 18, 2023
============
[StressGC] ASSERTION FAILED: m_wrapper under WebCore::MainThreadGenericEventQueue::dispatchOneEvent (r259122)
Add a helper function to schedule a task to dispatch an event to ActiveDOMObject (r251975)
Rename AbstractEventLoop to EventLoop and move to its own cpp file (r252646)
Share more code between WindowEventLoop and WorkerEventLoop by introducing EventLoopTaskGroup (r252607)
[JSC] StringConstructor constant function inlining is incorrect in case of [[Construct]] (264191@main)

May 17, 2023
============
Implement Strict Mixed Content Checking (r209577)
Sites served over insecure connections should not be allowed to use geolocation. (r200686 + r200691 rolled out + r201423)
REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self' (r200030 complete revisited)
Disallow use of Geolocation service from unique origins (r195075)
Minor clean-up related to DocumentThreadableLoader redirections (r217494)
DocumentThreadableLoader::redirectReceived() should not rely on the resource's loader (r217445)
[Fetch API] Forbid redirection to non-HTTP(s) URL in non-navigation mode. (r206716 + r206717 rolled out + r206858)
http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html is flaky (r205481)
[iOS] Block loading external stylesheets in the Content-Disposition: attachment sandbox (r194209)
CachedResourceLoader::allCachedSVGImages() reparses resource URLs unnecessarily (r290341)
Safari takes too long to fetch images from memory cache (r266699)
Memory cache should not reuse resources with different credential fetch option (r226333)
REGRESSION(r218896): ASSERT in WebPageProxy::dataCallback (r218954)
DocumentLoader should always notify the client if there are pending icon loads when the load is stopped. (r218896)
Add release assertion to make sure callbackIdentifier is not 0 in DocumentLoader::finishedLoadingIcon() (r218775)
Cleanup IconLoader stuff when a DocumentLoader detaches from its frame. (r218502)
REGRESSION (r218015) IconLoaders for already-cached resources expect to be asynchronous, no longer are. (r218409)
CSP: Apply img-src directive to favicon loads (r218015)
Make NetworkCache aware of fetch cache mode (r207330)
Block insecure script running in a data: frame when the top-level page is HTTPS (r203300)
Add null check in CachedResourceLoader::determineRevalidationPolicy (r198542)
CachedResource::MediaResource types shouldn't be blocked due to mixed-content. (r198436)
<video> and <audio> elements do not obey Content Security Policy on redirect (r198292)
Cover memory cache subresource validation policy with cache tests (r188468)
Block mixed mode content (r181134)
Change BaselineGroup's items HashSet to WeakHashSet. (264132@main)

May 16, 2023
============
Make possible HashSet<std::unique_ptr<>> (r173801 partial revisited)
Remove RefPtrHashMap (r174268 rolled in)
Make possible HashSet<std::unique_ptr<>> (r173801 partial revisited)
Make possible HashSet<std::unique_ptr<>> (r173801 partial)
HashSet: reverse the order of the template arguments at alternate 'find', 'contains' and 'add' methods (r151800)
ASan violation in IconLoader::stopLoading (r214276)
Add _WKIconLoadingDelegate SPI. (r208865 + r209599 rolled out + r209640)
LinkIconCollector refactoring. (r209613)
Add injected bundle SPI for getting favicon and touch icon URLs (r200591)
overflow:clip fails when intrusive float is present (264101@main)
XPath: Fix context node of rhs of union operator (264097@main)
Fix width of textarea with overflow hidden including scrollbar thickness (264095@main)
Fix the bug that @supports selector() fails for all -webkit- pseudo elements. (264090@main)
REGRESSION(r258464): SVG use element doesn't render if it references a subsequent element after a style resolution (264085@main)

May 15, 2023
============
XPath: Apply ignore-case matching to attribute names (264030@main)
SVG syncbase animation no longer supports cyclic references (264018@main)
Document leak on pages with text input forms such as google.com (264022@main partial)
REGRESSION(STP169): wpt/css/css-overflow/webkit-line-clamp-040.html (264048@main partial)
REGRESSION [IFC][line-clamp] walmart.com: Product details text overlaps (263289@main partial)
[Line-clamp] Introduce RenderLayoutState::LineClamp (263178@main partial)
[IFC][Integration][Line clamp] LayoutStateMaintainer should not reset line clamp (256974@main partial)
[IFC][Integration][Line clamp] Add line clamp state to RenderLayoutState (256898@main partial)

May 12, 2023
============
Regression(r186020): Null dereference in getStartDate() (r205744)
Supporting getStartDate and added tests (r186020)
No gap between the hero image and text on amazon product page (259125@main)
Use intrinsic ratio of replaced elements when computing flex sizes (257474@main)
Use formatting context root's writing mode and text orientation when synthesizing baselines. (257239@main)
Move synthesizedBaselineFromBorderBox to RenderBox (r275494)
Use min-intrinsic size to compute min-content size for non-replaced flex items. (255858@main)
Consider Container Percentage Sizes When Determining Definite Cross Size (254758@main)
Unreviewed, reverting r253389@main. (254567@main)
Include aspect-ratio when calculating inline min-content size and add min-content block computation (253740@main)
overflow="visible" has no effect on the dimension of a use element unless its dimensions are specified (263977@main)

May 11, 2023
============
Fix negative shadow repaint issue (263899@main)
[Repaint] Cleanup RenderElement::repaintAfterLayoutIfNeeded (263890@main)
Activate text rendering, by re-using RenderSVGText (r294385 partial)
imported/w3c/web-platform-tests/html/interaction/focus/the-autofocus-attribute/document-with-fragment-valid.html is a flaky text failure. (263893@main)
Don't get transitions of zoom (263908@main)
ResizeObserver: Fix node depth computation for shadow nodes (263920@main)
[cairo] Clamp the clip rect expanded to the infinity (263943@main)

May 10, 2023
============
EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different heap location kinds (263909@main partial)
Backspace/delete at start of table cell shouldn't step out of cell (r145871)
InsertUnorderedList can lead to lost content and assertions in moveParagraphs (r144995)
  => css3test.com 47% 2151/4542 1042 features (All except CSS 2.2), 52% 2676/5067 1164 features (All)
Map align='abscenter' to vertical-align: middle (263852@main)
Selector filter fails to collect hash for the first simple selector in :is() (259144@main)
Selector filter should include hashes from single argument :is() (259089@main)

May 09, 2023
============
Preserve styling elements in DeleteSelectionCommand (r125955)
Perform layout before running Editor::findString (r272488)
Assertion failure in ContainerNode::removeAllChildrenWithScriptAssertion (262544@main)
ASSERTION FAILED: !document().selection().selection().isOrphan() in ContainerNode::removeNodeWithScriptAssertion (259294@main)
[Live Range Selection] Debug assertion failure in FrameSelection::setSelectionWithoutUpdatingAppearance (255226@main)
nullptr crash in ApplyStyleCommand::applyRelativeFontStyleChange (r280174)
Nullptr crash in HTMLConverter::convert (r274862)
Release assertion failures under Editor::scanSelectionForTelephoneNumbers (r274203)
REGRESSION (r272928): ASSERT NOT REACHED in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance (r273298)
EventHandler::updateSelectionForMouseDownDispatchingSelectStart should not use an orphaned selection (r272928)
Input element gains focus when a selectstart event listener on document prevents the default action (r238409)
Safari does not emit composition end if blurred for dead key / Japanese IME (r208406)
Shift clicking on an element with -webkit-user-select: all doesn't extend selection (r147022)
REGRESSION(r267329): Crash in VisibleSelection::toNormalizedRange() (r269136)
Stop gap patch fix for regression in r267329. (r268847)
REGRESSION (r267329): Crash due to null-dereference of frame pointer in DOMSelection::rangeCount (r267706)
[GTK] REGRESSION(r267329): imported/blink/editing/undo/crash-redo-with-iframes.html is crashing (r267457)
Selection API: A few more refinements to DOMSelection and VisibleSelection to pass all WPT tests (r267362)
Selection API: Further improvements to VisibleSelection, FrameSelection, and DOMSelection to preserve anchor and focus (r267329)
Unreviewed, reverting r259497@main. (263818@main)

May 08, 2023
============
WebDriver Input clear/value commands fails when target is inside shadow dom (r267978 complete revisited)
Selection API: Introduce LiveRangeSelectionEnabled, off by default (r267220 complete revisited)
Selecting a link and pasting plain text changes text in the link, but not the link href (263539@main)
Remove another function that implicitly uses the composed tree (intersects with range) (r269662 + r269715)
Remove another function that implicitly uses the composed tree (documentOrder on nodes and boundary points) (r269568)
Remove more functions that implicitly use composed tree (r269442)
Start removing functions that implicitly use composed tree (r269253)
Fix root cause of problem with text replacements at the beginnings of sentences so we can remove the workaround (r266987)
Text replacements at the beginning of a second line are replaced too early (r266909 complete revisited)
Remove comparePositions and make VisiblePosition improvements (r266487)
Fix type confusion in StyleBuilderCustom::ApplyValueWillChange. (263789@main)
HTMLCanvasElement is orphaned causing a HTMLDocument leak on YouTube video pages (263774@main)
Replace a FIXME comment in CanvasGradient::addColorStop(). (r226220)

May 07, 2023
============
REGRESSION(r266295): DOMSelection's addRange and containsNode behave incorrectly when selection crosses shadow boundaries (r268940)
REGRESSION(r266295): Range allows start and end containers to belong to different trees (r268800)
Remove almost all the remaining uses of live ranges (r266295)

May 06, 2023
============
REGRESSION (r266028): platform/ios/ios/fast/coordinates/range-client-rects.html (r266123)
Move node geometry functions from Range to RenderObject (r266028)
Simplify / Optimize DataDetector's searchForLinkRemovingExistingDDLinks() (r202262)
[iOS WebKit2] Find-in-page indicator (r167169)
Make element predicates and type casts work more consistently on more types (r157375 partial revisited)
Remove "lazy offset" optmization from Range to prepare to derive it from SimpleRange (r268651)
Create documentOrder function, start refactoring to use it instead of Range::compare functions (r266026 complete revisited)
Create documentOrder function, start refactoring to use it instead of Range::compare functions (r266026 partial)

May 05, 2023
============
Remove some member functions of Range and many calls to createLiveRange (r265190)
Crash under DOMSelection::deleteFromDocument() (r211201)
Selection.deleteFromDocument should not leave a selection character (r199585)
Remove Range::create and many more uses of live ranges (r265176)
Remove live ranges from Document.h, AlternativeTextController.h, DictionaryLookup.h, and WebPage.h (r264247)
Move more from live range to SimpleRange: callers of absoluteTextRects (r259933)
Fix type confusion in StyleBuilderConverter::ConvertShapeValue. (263679@main)
Fix type confusion in BuilderConverter::convertPathOperation (263226@main)

May 04, 2023
============
Further reduction in the use of live ranges, particularly in headers (r265084)
Improve range idioms and other changes to prepare the way for more reduction in live range use (r265044)
Stop using live ranges in SpellChecker.h and TextCheckingHelper.h (r264905)
Replace more uses of live ranges with SimpleRange (r260753)
click event does not dispatch to parent when child target stops hit testing after mousedown (r219568)
Clicks inside button elements are sometimes discarded when the mouse moves (r200414 + r201292 rolled out)
Mouse release on AutoFill button activates it; should only activate on click (r185341)

May 03, 2023
============
Remove live ranges from Editor.h and EditorClient.h (r264692)
Remove live ranges from AccessibilityObject.h, AccessibilityObjectInterface.h, AccessibilityRenderObject.h, AXIsolatedObject.h (r264271)
Stop using live ranges in functions that return range of the selection (r260725)

May 02, 2023
============
Null check parent node in InsertListCommand::unlistifyParagraph (r295764)
Null check m_spanElement (r285764)
REGRESSION (r259930): Dictation marker at start of text is removed when added trailing whitespace is collapsed (r261903)
Blue dotted underline with alternatives only shown for last word, gets lost for previous insertions (r261897)
Use Node::length to replace Node::maxCharacterOffset and lastOffsetInNode; switch more offsets from int to unsigned (r259930)
Nullptr crash in WebCore::lastPositionInNode when indenting text node that has user-select:all parent. (r259619)
Null dereference loading Blink layout test editing/execCommand/format-block-uneditable-crash.html (r191647)
Remove two unused Range functions. (r172621)
Stop using live ranges in DocumentMarkerController (r259575 complete revisited)

May 01, 2023
============
Stop using live ranges in DocumentMarkerController (r259575 partial)
Crash in WebCore::Range::borderAndTextRects (r263302)
First character in each word-wrapped line has incorrect character rect when requested range spans multiple lines (r254144 + r254151 rolled out + r254153)
Long press hint of AirPods buy buttons are tall and narrow during animation (r247730)
Preview of <picture> element doesn't match element bounds (r246695)
Refactor and improve TextIndicator to prepare for tests (r188420)
Drag and Drop preview image for Twitter link is the wrong shape (r219756 + r219761)
Move Range from ExceptionCode to ExceptionOr (r208479 partial)
Second parameter to Range.isPointInRange() / comparePoint() should be mandatory (r203733)
Second parameter to Range.setStart() / setEnd() should be mandatory (r203713)

Apr 30, 2023
============
Remove all uses of live ranges from TextIterator (r259401)
Hairline pixel crack around background-clip: text (263526@main)
[JSC] Skip ProxyObject's ICs trap result validation in the common case (263443@main + 263461@main reverted)
Make HTMLConverter work across shadow boundaries (r239190)

Apr 28, 2023
============
Crash in WebCore::StyledMarkupAccumulator::traverseNodesForSerialization (r265647)
REGRESSION (r236785): Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization (r238465)
Copying content with shadow DOM doesn't copy any contents (r236785)
Use Position instead of Range in createMarkupInternal (r236649)
Rename createMarkup to serializePreservingVisualAppearance (r236612)
Use enum class in createMarkup arguments (r236583)
No need for documentTypeString function in Frame (r154575)
REGRESSION (r259184): Typing -- then Return into an email moves the selection by two lines (r265678)
Move TextIterator::rangeFromLocationAndLength off of live ranges (r259184)
[macOS] Text replacements that end with symbols are expanded immediately (r233412)
findFirstGrammarDetail doesn't need to be exposed. (r153512)
REGRESSSION(r151632) : Build error on ASSERT(WTF_USE_GRAMMAR_CHECKING) (r151640)
Remove Editor::setSelectionOffsets (r149785)

Apr 27, 2023
============
Crash from CompositeEditCommand::moveParagraphs() using Position instead of VisiblePosition (r272008)
Release assertion failure in Optional<WebCore::SimpleRange>::operator* via CompositeEditCommand::moveParagraphs (r269946)
Check whether destination still can be selected (r269894)
Text replacements at the beginning of a second line are replaced too early (r266909 partial)
REGRESSION (r258871): Shift + click to extend selection loses currently selected text (r264690)
Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected. (r261664)
Nullptr crash in CompositeEditCommand::moveParagraphs when changing style on elements that are user-select:none and dir:rtl. (r261126)
Change TextIterator::rangeLength to not require a live range (r258871)
Nullptr crash in CompositeEditCommand::moveParagraphs when root editable element goes away (r244181)
Executing "insertunorderedlist" while selecting a contenteditable element inside a shadow dom hangs the browser (r238693)
REGRESSION(r236609): API tests for mso list preservation are failing (r236618)
Simplify StyledMarkupAccumulator::traverseNodesForSerialization (r236609)
REGRESSION (r258525): Occasional crashes under TextManipulationController::observeParagraphs (r259766)
Move most of TextIterator off of live ranges (r258525)
Change all return values in TextIterator header from live ranges to SimpleRange (r258475)
Make TextIterator::range return a SimpleRange (r258250)
editing/firstPositionInNode-crash.html in crashing in Debug (r251683)
AccessibilityRenderObject::setSelectedTextRange fails to set the selection passed an empty line. (r249565)
AX: Re-enable accessibility/set-selected-text-range-after-newline.html test. (r248037)
Safari hanging while loading pages - WebCore::AccessibilityRenderObject::visiblePositionRangeForLine. (r247093)
REGRESSION(r245912): Crash in TextIterator::range via visiblePositionForIndexUsingCharacterIterator (r246653)
Inserting a newline in contenteditable causes two characters to be added instead of one (r245912 + r245980)
AX: WKContentView needs to implement UITextInput methods to make speak selection highlighting work (r211356)
Text::splitText doesn't update Range end points anchored on parent nodes (r195281)
Cannot select text within a label element that is linked to an input field (263420@main -> 266356@main rolled out)
ASSERTION FAILED: !image->size().isEmpty(): [ iOS, macOS ] imported/w3c/web-platform-tests/css/css-backgrounds/background-size/background-size-near-zero-svg.html is a constant crash. (263430@main)
Begin moving off of live ranges for WebKit internals (r258129)
REGRESSION(r8780): Backwards delete by word incorrectly appends deleted text to kill ring, should be prepend (r192641)
Implement StaticRange constructor (r249079)

Apr 26, 2023
============
Nullptr crash in null ptr deref in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline (r279110)
null m_lastNodeInserted dereference at ReplaceSelectionCommand::InsertedNodes::lastLeafInserted (r228724)
Support "insertFromDrop" and "deleteByDrag" for the InputEvent spec (r208014)
Crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline (r184355)
Copying and pasting trivial H2 content causes a crash in firstPositionInNode (r171383)
Dragging text from one paragraph to another does not render as expected (r168460)
After sending message, Mail changes formatting (r145253)
WebKit can erroneously strip font-size CSS property from font element with size attribute (r143821)
Support InputEvent.dataTransfer for the InputEvent spec (r207841)
event.(dataTransfer|clipboardData).getData('text/html') (onpaste, ondrop) (r207797)
[Mac] Write WebArchive to the pasteboard when copying image in WebKit (r206965)
[GTK] Rename DataObjectGtk as SelectionData (r206256)
[GTK] Clean up DataObjectGtk handling (r206197)
[GTK][Wayland] Implement clipboard support (r205909)
[GTK] Get rid of DataObjectGtk::forClipboard and cleanup pasteboard code (r205860)
Move DragController::createFragmentFromDragData implementation to the editor (r174314)
[GTK] Fix layering violations in PasteboardGtk (r173687)
DragData should not depend on Clipboard, DocumentFragment, and Document (r173686)

Apr 25, 2023
============
setData() of DataTransfer has a void return type (r169327)
Upstream changes to Pasteboard implementation for iOS. (r156588)
Upstream changes to Pasteboard implementation for iOS. (r156350)
Remove unused function didSetSelectionTypesForPasteboard from EditorClient. (r155971)
Remove layering-violating Pasteboard::plainText function (for all platforms now) (r155715)
Remove layering-violating Pasteboard::writeURL (for all platforms now) (r155709 + r155762)
Finish removing layer-violating code from Pasteboard (just for Mac during this first step) (r155700)
[EFL] Get rid of layering violations in PasteboardEfl.cpp (r155638 + r155907)
Reorganize Pasteboard.h to make it easier to read, and express plan for future work (r155635)
Move layering-violating code from Pasteboard::plainText into Editor (Mac only at first) (r155625)
Refactor URL and image writing so layer-violating parts are in Editor, not Pasteboard (Mac-only at first) (r154939)
[Mac] No need for Pasteboard::getDataSelection (r154900)
Pasteboard::writeSelection violates layering (first step, fixes it for Mac platform only) (r154836)
Eliminate Pasteboard::generalPasteboard (r154750)
No need for generalPasteboard (aside from "global selection mode") (r154712)
Dropzone effects don't work in non-file documents (r167784)
Make JavaScript binding for Clipboard::types more normal (r154578)
REGRESSION: SVG does not support link dragging (r182957)
Factor Clipboard into drag and non-drag parts (r154260 + r154350)
Change drag-specific clipboard writing in DragController to go straight to Pasteboard, not forward through Clipboard (r154231)
Move some code used only by EventHandler from Clipboard to EventHandler (r154229)
Remove custom binding for Clipboard setDragImage function (r150926)
Remove custom binding for the Clipboard clearData function (r150373)
Use Element instead of Node in DragState, also redo DragState struct (r150354 partial revisited)
Data store should be readable in dragstart/copy/cut events (r146644)
[css-tables] Percentage sizing of table cell replaced children with scrollbar (263318@main)

Apr 24, 2023
============
Remove some unused clipboard and pasteboard code (r154227)
[iOS] Get iOS port off legacy clipboard (r154160)
Move Clipboard::declareAndWriteDragImage to DragController (r153978)
Move Pasteboard::getStringSelection to Editor, fixing a layering violation (r151620)
Eliminate the Editor::newGeneralClipboard function (r150351)
[GTK] Move GTK port off legacy clipboard (r150334)
[Mac] Make Clipboard::create functions for Mac platform independent by moving Pasteboard creation to Pasteboard functions (r150183)
[Mac] Change Clipboard::create functions so they don't use ClipboardMac::create any more (r150127)
[Mac] Remove call to ClipboardMac::create from Editor::newGeneralClipboard (r150125)
[Mac] Remove call to ClipboardMac::create from EventHandler::createDraggingClipboard (r150124)
[Mac] Thin out the ClipboardMac class and header file to prepare for deleting them (r150122)
[Mac] Make Clipboard::declareAndWriteDragImage non-virtual (r150119)
[Mac] Make Clipboard::createDragImage non-virtual (r150107)
[Mac] Move setDragImage from ClipboardMac to PasteboardMac (r150100)
Upstream iOS Clipboard and Pasteboard changes (r150049)
[Mac] Move writeRange/PlainText/URL from ClipboardMac to PasteboardMac (r150016)
[Mac] Moved files function from ClipboardMac to PasteboardMac (r149985)
[Mac] Move types function from ClipboardMac to PasteboardMac (r149983)
[Mac] Move setData from ClipboardMac to PasteboardMac (r149982)
[Mac] Move getData from ClipboardMac to PasteboardMac (r149981)
[Mac] Move clearAllData from ClipboardMac to PasteboardMac (r149979)
[Mac] Move clearData from ClipboardMac to PasteboardMac (r149977)
[Mac] Move hasData from ClipboardMac to PasteboardMac (r149976)
[Mac] Give every Clipboard an underlying Pasteboard (r149972)
Data store should be readable in dragstart/copy/cut events (r146646)
When editing IME, `compositionend` events should fire after input events (r208462)
Support (insertFrom|deleteBy)Composition and (insert|delete)CompositionText inputTypes for InputEvents (r207698)
Implement InputEvent.getTargetRanges() for the input events spec (r207670)
compositionstart event should contain the text to be replaced (r152668)
[SVG] Fixed invalid input values in lighting filters (263279@main)

Apr 22, 2023
============
Support InputEvent.data for the new InputEvent spec (r207010 + r207018)
Undoing a candidate insertion results in the replaced text being selected (r205870)
Candidates that don't end in spaces shouldn't have spaces arbitrarily appended to them (r205788)
Text replacement candidates don't always overwrite the entire original string (r205765)
charactersAroundPosition can be wrong because it crosses editing boundaries (r205044)
Accepted candidates should not be autocorrected (r196090)
Handle soft spaces after accepted candidates (r195547)
WK2: Request completion candidates when needed (r195072 + r195059 rolled out + r195078)
Null dereference loading Blink layout test editing/inserting/insert-html-crash-01.html (r192170)
Range's setStartBefore() / setStartAfter() / setEndBefore() / setEndAfter() do not match the specification (r190174)
iOS WebKit: Crash in charactersAroundPosition. (r169728)
REGRESSION (WebKit2): space space to insert period doesn't work in web forms. (r169500)
[iOS] Upstream WebCore/dom changes (r160679 partial revisited)

Apr 21, 2023
============
Image alt text not included in plain-text version when copying (r146835)
X11 Global Selection (r127862)
Mouse-select then Cut, results in preceding character being lost (r125247)

Apr 20, 2023
============
FrameSelection: Remove two unused member functions. (r156982 complete revisited)
Ctrl+Shift+Right in Windows should select the spacing after the word (r148987)
Remove WebCore::(enable|disable)SecureTextInput methods (r147920)
Early return in HTMLInputElement::attributeChanged() when the attribute value hasn't changed (263151@main)
Attribute-dependent state is not updated for changes of certain attributes (263005@main)
Accessibility is not informed of changes to several attributes (262988@main)
REGRESSION(262844@main): css3/filters/reference-filter-change-repaint.html is randomly failing (262985@main)
Drop Element::parseAttribute() (262844@main)
[SVG2] SVGSymbolElement should inherits SVGGraphicsElement (r251764)
Nullopt crash in DOMSelection::getRangeAt (r272777)
Fix some strange uses of start/endOfDocument (r259987 partial)
Selection should work across shadow boundary when initiated by a mouse drag (r236519 + r236522)
Remove PLATFORM(IOS) from WebCore/editing (Part 2). (r173287)

Apr 19, 2023
============
REGRESSION (r260831): Web process crashes under Editor::setComposition() after navigating with marked text (r265420)
Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode (r260831)
Next step on moving to modern way to return DOM exceptions (r206960 partial)
REGRESSION (Async Text Input): Text input method state is not reset when reloading a page (r177152)
Remove the unused deletion UI feature (r175647)
Applied background color is not retained after typing a characters (r158815)
Navigation policy callback not called when performing the same fragment navigation twice (r157756)
When deleting editable content, typing style should be reset when moving into another node. (r155425)
Simplify Editor's back-pointer to the Frame. (r154237)
Remove unused EditorClient::frameWillDetachPage() callback. (r154235)
[Mac] Downloaded file name encoding is incorrect when download link opens in a new window (r151793 complete revisited)
Text input is largely broken when there are subframes loading (r150291)

Apr 18, 2023
============
Implement "create a potential-CORS request" (r254821)
Implement "create a potential-CORS request" (r254000)
Make StoredCredentials an enum class and rename its header (r222467)
Add helper function to create a potential CORS request (r235617)
Image Loader should use FetchOptions::mode according its crossOrigin attribute (r205134)
A canvas should not be tainted if it draws a data URL SVGImage with a <foreignObject> (r226599 partial)
Move HTML canvas and tracks from ExceptionCode to Exception (r207720 partial)
Remove SecurityOrigin::taintsCanvas (r207537)
Canvas cache of clean URLs can grow without bounds. (r167741)
Fetch API: Network process leaks when blobs are unused (r284971)
Blob URL changes after loading it (r280824 partial revisited)
imported/w3c/web-platform-tests/webmessaging/broadcastchannel/blobs.html is a flaky failure since implementing BlobChannel (r280547 partial revisited)
NetworkProcess crashes at ResourceHandle::continueDidReceiveResponse (r168909 partial revisited)
REGRESSION(262860@main): [GTK] icons broken, rendering errors on reddit.com and many other websites, flickering on cnn.com (263036@main)
Fix SEGV in ReplaceSelectionCommand::makeInsertedContentRoundTrippableWithHTMLTreeBuilder (263051@main)

Apr 17, 2023
============
SubresourceLoader::didFail() should only log message if state is Initialized (r233117)
Make DocumentThreadableLoader error logging more consistent (r231000)
Blob URL changes after loading it (r280824 partial)
Revoking Blob URL after calling XMLHttpRequest::open() causes the XHR to fail (r279881 partial)
Blob URLs should use for their owner origin for CSP checks (r276230)
Can not read blobs in sandboxed iframes (r273879)
Remove unused BlobURL::getIdentifier (r262421)
SecurityOrigin should be unique for null blob URLs that have been unregistered (r253544)
Heap-use-after-free regression (r146935 complete revisited)

Apr 15, 2023
============
Yellow highlight has gray background color when invoking Lookup on an address in a Google Maps drop down (r183227)
Table flex-item inside inline-flex with column flex-direction has incorrect cross-size (width) (263001@main)
[css-flexbox] Table layout disregards overriding width (r276572, 237008@main)

Apr 14, 2023
============
[Fetch API] Blob not found URL should result in a network error (r205190)
REGRESSION(r173272): Two blob tests failing on WK1 (r173314)
Unregistered blob URLs have incorrect MIME type (r143349)
Sync XHR 'load' event is always has total/loaded=0 (r279967)
xhr.send(URLSearchParams) should align default Content-Type header field with Chrome and Firefox (r279380)
Make xhr.response more conforming to the specification (r267959)
Remove responseIsXML (r267821)
XMLHttpRequest: responseXML returns null if the Content-Type is valid (end in +xml) in some cases (r249361)
Remove XMLMIMETypeRegExp (r151126)

Apr 13, 2023
============
Bug 207424: Crash in WebCore::ParsedContentType::parseContentType when parsing invalid MIME type (r256395)
Adjust XMLHttpRequest Content-Type handling (r242284)
Update MIME type parser (r241863)
Implement serializing in MIME type parser (r241291)
Align with Fetch on data: URLs (r240706)
Update MIME type parser (r240331)
XMLHTTPRequest.send for Document should have same Content-Type processing rules as String (r235360)
XHR should not combine empty content-type value with default one (r192620)
Content-Type parameter values should allow empty quoted strings (r238124)
Align XMLHttpRequest's overrideMimeType() with the standard (r236663)
XMLHttpRequest: overrideMimeType should not update the response's "Content-Type" header (r235844)
Document.contentType implementation (r177366)
The overrideMimeType in XMLHttpRequest should throw the exception. (r173552)
[XHR] overrideMimeType() should be able to change encoding in HEADERS RECEIVED state (r170960)
XMLHttpRequest: getAllResponseHeaders() sorting (r258866)
XMLHttpRequest::createResponseBlob() should create a Blob with type for empty response (r236031)
XMLHttpRequest.setRequestHeader() should allow Content-Transfer-Encoding header; remove duplicate logic to check for a forbidden XHR header field (r222807)
XMLHttpRequest: getAllResponseHeaders() should lowercase header names before sorting (r214252)

Apr 12, 2023
============
XHR should only fire an abort event if the cancellation was requested by the client (r220731 revisited)
Unable to have new lines in HTMLTextArea's placeholder text (r288005)
CanvasRenderingContext2D::drawImage() doesn't work correctly with transform when copying from self (262841@main)
drawImage() clears the canvas if it's the source of the image and globalCompositeOperation is "copy" (r241840)
Cap height is incorrect on platforms using FreeType. (262860@main)
[FreeType] Add support for text-underline-offset and text-decoration-thickness (r264646)
[GTK] Issues with Ahem's ex / x-height (r226404 complete revisited)
[WPE] Bump freetype version to 2.8.0 (r221858)
[GTK] Fix support for the initial-letter CSS property to first-letter (r174002)

Apr 11, 2023
============
REGRESSION (255086@main): Safari 16.4 and above does not render <option> label/text updates until <select> is focused (262791@main)

Apr 10, 2023
============
Crash in SVGFontFaceElement::associatedFontElement crash when removing SVGFontFaceElement (262756@main)

Apr 07, 2023
============
MathML element in "display: flex" is not repainted on content change. (262674@main)

Apr 06, 2023
============
Remove the mechanism for blocking paint on non-final style (262641@main)
Legend needs to be included in normal flow layout when isFloating() (252628@main)

Apr 05, 2023
============
Daring Fireball long press highlights are unnecessarily inflated due to false illegibility (r247792)
Rename color-filter to -apple-color-filter and do not expose it to Web content (r232559)
SVG lighting colors need to be converted into linearSRGB (r231559)
Implement rendering support for the color-filter CSS property (r231082)
SVG lighting colors need to be converted into linearSRGB (r226315 partial)

Apr 04, 2023
============
[macOS] Adjust date input placeholder color based on specified text color (r270875)
Use real dates and times as placeholders for date/time inputs with editable components (r270245)
[macOS] Update the appearance of editable date/time controls to match the system (r267701)
[macOS] Support stepping using keyboard in date inputs (r266524)
Consolidate BaseDateAndTimeInputType and BaseChooserOnlyDateAndTimeInputType (r267003)
AX: VoiceOver can't activate combobox when textfield is inside it (r259687)
AX: AXPress does not work in SVG (r155708)
[macOS] Add editability to input type=month (r268276)
Element should not set an attribute inside its constructor (r267074 partial)
[macOS] Add editability to input type=datetime-local (r266830)
Cleanup DetailsMarkerControl (r171834)
[macOS] Add editability to input type=time (r266779 + r266824)
[macOS] Add disabled and readonly behaviors to date inputs (r266514)
[macOS] Update date picker when the inner control is edited (r266461)
Use more weak pointers for CachedResource / CachedResourceClient (260388@main partial)
Don't show 'cursor: pointer' on unclickable <area> by updating UA Stylesheet (262559@main)
designMode should not affect shadow tree (262563@main)
HTML parser: remove support for layer and nolayer (262553@main)
Fix UAF in RenderTreeAsText for RenderWidget (262542@main)
Nullptr crash in DateTimeFieldElement::isFocusable() (262540@main)
Use WeakPtr to track resources in SubresourceLoader (262538@main)
Handle lone surrogates correctly for non-UTF-8 encodings (262513@main)

Apr 03, 2023
============
Performance Timing: Convert WTF::MonotonicTime and WTF::Seconds (r211665)
Support Performance API (performance.now(), UserTiming) in Workers (r211594)
[macOS] Handle events for date inputs with editable components (r266396)
Use high resolution timestamp for event time (r222392 partial)
Performance Timeline: Prepare for Worker support (r211527)
window.performance object resets script-applied properties (r205823)
Serialize xmlns attributes first (262492@main)
innerHTML serialization should not have a special handling for javascript: URLs (262267@main)
XMLSerializer.serializeToString() doesn't properly escape \n, \n and \t (r279815)
Element.outerHTML is missing attribute prefixes in some cases in HTML documents (r248042)
[macOS] Date inputs should contain editable components (r266351)
U_STRING_NOT_TERMINATED_WARNING ICU must be handled when using the output buffer as a C string (r260882 partial revisited)
Prepare to improve handling of conversion of float to strings (r242360)
Add String::numberToFixedPrecisionString() (r129165)

Apr 02, 2023
============
[macOS] Show picker for date and datetime-local input types (r266063)
Convert DateComponents parsing code to use Optional based return values rather than out-parameters (r263900)
Add the ability to use numbers in makeString() (r210790)
Support unclosed parentheses at end of sizes attribute (262477@main)
Fix use of uninitialized memory in TransformationMatrix decompose() (262471@main)
Fix layout for positioned children for RenderMathMLUnderOver (262472@main)
Hold reference to shadowRoot and document when timer is triggered (262473@main)
Let siblings layout if an adjacent float may no longer affect them (262481@main)
Fix some errors reported by cppcheck (262483@main partial)

Apr 01, 2023
============
[iOS] Should not scroll when checkbox, radio, submit, reset, or button is spacebar activated (r242518)
unicode-range may cause us to use Times's font metrics erroneously (262464@main)
font-display:fallback can cause a visual flash (which is supposed to be impossible) (r226668)
Fix layout for positioned children for RenderMathMLToken (262449@main)
[MathML] Assertion failure in RenderTreeNeedsLayoutChecker (r276630)
With async scrolling enabled, this MathML test asserts (r244595)
Overflow of formulas is hidden for display mathematics (r227722)
Split layout of RenderMathMLRow into smaller steps (r226180)
ASSERTION FAILED: !renderer->needsLayout() in WebCore::RenderBlock::checkPositionedObjectsNeedLayout with MathML (r224894)
Ensure MathML render tree are clean by the end of FrameView::layout(). (r208648)
Refactor RenderMathMLSpace to avoid using flexbox (r199771)
Recalculate normal flow value in RenderLayer::establishesTopLayerDidChange (262445@main)
Do not skip fragmented flow thread descendents (262444@main)
(REGRESSION 256601@main) ASAN_SEGV | WebCore::RenderObject::pushOntoGeometryMap; WebCore::RenderInline::pushMappingToContainer; (262443@main)
Toggling "display: contents" to "display: none" fails to hide the element (r243444)
Make SMIL interval position calculations more resilient (262425@main)
Verify that style update roots are for correct document (262416@main)

Mar 31, 2023
============
Straighten out HTMLInputElement attribute handling (r232335 + r232349)
<input type="range"> changing to disabled while active breaks all pointer events (r214955)
Move code to find elements in slider shadow tree into RangeInputType class, since it creates that tree (r157353)
Input type range slider is not updated when min or max are changed (r151719)
iOS: setting 'defaultValue' of input type=date from script should cause a UI update (r232289)
Date input values should not overlap with menu list dropdown button on iOS (r191751)
Remove ENABLE_INPUT_MULTIPLE_FIELDS_UI. (r150876)
Date selection from calendar picker should dispatch 'input' event in addition to 'change' event (r140385)
BaseDateAndTimeInputType should not inherit from TextFieldInputType (r139429)
Don't use RenderTextControlSingleLine for date/time input types without the multiple-fields UI (r134036)
BaseChooserOnlyDateAndTimeInputType should implement DateTimeChooserClient (r133441)
BaseChooserOnlyDateAndTimeInputType should have BaseClickableWithKeyInputType behavior (r133427)
Add a common base class for date/time input types without inline editing behavior (r133282)
Remove unused Locale::parseDateTime (r133134)
[Forms] multiple fields time input UI should save/restore its value even if it has an empty field. (r128575)
[Forms] Step mismatched value should be editable in multiple field time UI. (r126534)
[Forms] Make input type "time" to use multiple field time input UI (r125634)
CSP bypass due to incorrect handling of wildcard character in host expression (262355@main)
Reduce String allocations (r232302 partial)
Check displayContentsChanged in destroyRenderTreeIfNeeded (262348@main)
Assertion failure in TreeScopeOrderedMap::add by TreeScope::addElementByName (256286@main)
Simplify / Optimize Element::insertedIntoAncestor() a bit (253965@main)
Simplify / optimize Element::removedFromAncestor() a bit (253924@main)
display: flex element not ignore font (content) like as other browser engines. (262341@main)

Mar 30, 2023
============
transientRegistry should be WeakHashSet instead of HashSet of raw pointers (259793@main)
Use HashSet<RefPtr<Node>> instead of HashSet<Node*> (r277281 + r277307 rolled out + r277382 partial)
Use WeakPtr to store RenderSVGResourceContainer (259498@main)
Amortized behaviors of iterators and hasNullReferences should be consistent between WeakHashSet and WeakHashMap (259341@main)
Rename WeakHashSet::computesEmpty to WeakHashSet::isEmptyIgnoringNullReferences (259339@main partial)
Do amortized clean up in WeakHashSet (256541@main)
innerHTML escapes <, >, &, and nbsp inside noembed, noframes, iframe and plaintext (262285@main)
XMLSerializer doesn't correctly encode entities in <style> element (r253988)
Use Ref for m_node in ComposedTreeAncestorIterator (262298@main)
RenderLayer::hasVisibleContent() incorrect when layer removed (262284@main)
REGRESSION (r265908): Crash under Blob::arrayBuffer() / Blob::text() in stress GC (r266168)
Blob is missing text() & arrayBuffer() operations (r265908)
Remove code guarded with ENABLE(STREAM) (r158956)

Mar 29, 2023
============
FetchResponse.formData() should not reject promise if the body is null and the MIME Type is "application/x-www-form-urlencoded" (r280046)
Fix read-after-free introduced in r266087 (r266140)
Implement Request/Response consuming as FormData (r266087 partial)
Factor out duplicated functions from HTTPParsers.cpp and HTTPHeaderField.cpp (r249826)
[Cache API] Add response body storage (r220928)
window.HTMLDetailsElement should exist (r189762)
REGRESSION: (r257905) [ Mac wk2 Debug ] ASSERTION FAILED: !m_isolatedWorld->isNormal() || m_wrapper || !m_jsFunction (r258189)
Heap use-after-free in DOMWrapperWorld::~DOMWrapperWorld (262247@main)

Mar 28, 2023
============
Use-after-free in FetchBodyConsumer::resolve (262229@main)
FetchResponse should support ConsumeData callback on chunk data is received: handling ReadableStream bodies (r227760)
HTML Comments after </body> are placed at the bottom of the <body> contents (262222@main)
Fix use-after-free in DFGFixupPhase for array indexOf (262250@main)
[Web Animations] CSSAnimation::setBindingsEffect should also add KeyFrames to overriddenProperties (262179@main)
Regression(262103@main) JSRopeString::resolveRopeToAtomString() no longer reports extra memory (262158@main)
JSRopeString::resolveRopeToAtomString() doesn't need to copy characters to a buffer when it is a substring (262103@main)

Mar 27, 2023
============
wtf/Optional.h: move-constructor and move-assignment operator should disengage the value being moved from (r239427 partial)
Fix unsafe access to m_upload in XMLHttpRequest::virtualHasPendingActivity() (r278329)
[ Mac wk1] ASSERTION FAILED: m_wrapper under WebCore::XMLHttpRequestUpload::dispatchProgressEvent (r259080)
Align garbage collection for XMLHttpRequest objects with the specification (r258159 + r258165)
FileReader should not prevent entering the back/forward cache (r251327 partial)
XMLHttpRequestUpload's loadstart event not correct initialized (r243551 + r243756 rolled out + r243765)

Mar 24, 2023
============
Animations inside a Details tag only fire once (262076@main)
m_styleScope should be a WeakPtr in InlineStyleSheetOwner (262070@main)
Make m_viewportConstrainedObjects into a WeakHashSet (r257933)
Make m_slowRepaintObjects a WeakHashSet (r257902 complete revisited)
Viewport-constrained renderers are always RenderLayerModelObjects (r238837)
Regression: Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath (r127497 complete revisited)
Treat display: -webkit-box as block type (RenderStyle::isDisplayBlockType) (255590@main complete revisited)
[LFC][IFC] fix fast/block/float/022.html (254930@main partial revisited)
Table with fixed layout behaves like auto layout when its width is set by JS instead of css (260143@main)
Fix inline-block abspos bug (262042@main)
Table-layout:fixed is not applied when width is max-content (260501@main)
Assertion failure in CompositeEditCommand::moveParagraph via InsertListCommand::listifyParagraph (262051@main)
Make sure calling moveParagaph() with proper parameters in InsertListCommand::listifyParagraph() (258416@main)
Potential Crash fix by making InsertListCommand check endingSelection() editability (257811@main)
Null dereference in CompositeEditCommand::splitTreeToNode() due to not checking for top of DOM tree (r269609)
Nullptr crash in CompositeEditCommand::moveParagraphs when inserting OL into uneditable parent. (r259153)
Nullptr crash in WebCore::canHaveChildrenForEditing via CompositeEditCommand::insertNode (r257536)
Crash from CompositeEditCommand::moveParagraphs() being passed null end (r271510)
REGRESSION(r124739): fast/lists/list-marker-remove-crash.html hits an assertion in MoveParagraphs (r144213)
Crash in WebCore::RenderListItem::updateMarkerLocation (r124739 revisited)

Mar 23, 2023
============
  => css3test.com 47% 2119/4454 1031 features (All except CSS 2.2), 53% 2644/4979 1153 features (All)
DocumentTimeline doesn't need to unregister itself from DocumentTimelinesController (262002@main)

Mar 22, 2023
============
Add support for inline-{start/end} values to float & clear properties (r276216)
getClientRects doesn't work with list box option elements (r220313)

Mar 21, 2023
============
margin-top is ignored on elements with zero-height (and clear set) if they appear after floating elements (261926@main)
REGRESSION(r164401): Placing a caret doesn't bring up autocorrection panel (r171580)
Debug build fix after r164401. Removed a bogus assertion in comparePositions. (r164404)
Changing selection shouldn't synchronously update editor UI components (r164401)
HTMLTextFormControlElement::subtreeHasChanged should be called before updating selection (r164183)
selectionStart/selectionEnd return "obsolete" values when requested during "input" event (r151009)
Support InputEvent.inputType for the new InputEvent spec (r206979 partial revisited)
AX: new lines in content editable elements don't notify accessibility (r199030 partial)
Drop StringHasher::hashMemory() and use the modern Hasher instead (r290349 partial)
Fix WTF::Hasher tuple expansion with variadic args (r225727)
Add WTF::Hasher, an easier to use replacement for WTF::IntegerHasher (r225463)
Simplify the insides of DocumentSharedObjectPool and reduce memory usage. (r161210)
border-image-repeat:round output doesn't match other browsers (261903@main)
Protect the response in FetchResponse::addAbortSteps (261909@main)

Mar 20, 2023
============
Crash under JSIntersectionObserverCallback::handleEvent() (r281188 complete resivisted)
Calling unobserve on ResizeObserver should not clear existing observations in active targets (r280551)
ResizeObserver / IntersectionObserver memory leak on detached & out of reference elements (r279800 complete resivisted)
Make SVGElement::getBoundingBox retrieve bbox from RenderObject (r275935)
ResizeObserver is not properly garbage collected (r268860)
The change of zoom shouldn't affect ResizeObserverSize (r259578)
Crash in Document::deliverResizeObservations (r248830)
JS wrapper of target in ResizeObserverEntry/ResizeObserver shouldn't get collected ahead (r246057)
requestAnimationFrame should execute before the next frame (r242624 + r242643 + r242688 + r242714 rolled out + r244182 complete revisited)
Implement ResizeObserver. (r243643)
RenderObject::markContainingBlocksForLayout should check for non-positioned RenderLineBreaks too (and not just for RenderText) (261859@main)

Mar 17, 2023
============
Hardcode Visual Viewports on everywhere except iOS WK1 (r241934)
REGRESSION (r219342): Touch event coordinates and elementFromPoint coordinates differ (r228714)
REGRESSION (r219342): Scaled HTML widget is not responding to a clicks outside the body (r227974)
Element with position:fixed stops scrolling at the bottom of the page, but is painted in the right place on Chacos.com. (r227430)
On macOS, getBoundingClientRect gives incorrect values when pinch-zoomed (r226791)
Document::updateLayout() could destroy current frame. (r225719)
Wrong caret position for input field inside a fixed position parent on iOS 11 (r225715 partial)
Change "client" coordinates back to match scrolling coordinates (r219829)
getBoundingClientRects not updated for programmatic scrolls (r219668)
elementFromPoint() should consider x and y to be in client (layout viewport) coordinates (r219342)
[WK2 iOS] REGRESSION (r216803) During momentum scroll, getBoundingClientRect returns wrong coordinates (missing images on pinterest, elle.com and many other sites) (r219320)
getBoundingClientRect returns wrong value for combination of page zoom and scroll (r218982)
event.clientX/clientY should be in layout viewport coordinates (r216824)
Incorrect position when dragging jQuery Draggable elements with position fixed after pinch zoom (r216803)
Fixed elements bounce when rubber-banding at the bottom of the page (r212559)
Fixed elements should not rubber-band in WK2, nor remain at negative offsets (r211379)
Fixed bars are positioned incorrectly when there are header and footer banners (r210059)
Two tiled drawing tests failing with visual viewports enabled. (r209447)
Enable visual viewports by default on Mac, and iOS Wk2 (r209409)
[iOS WK2] Implement support for visual viewports (r208748)
Layout viewport wrong with RTL documents (r208409)
Add basic visual/layout viewport support for fixed position layout (r208213)
Intersection Observer: bounding client rect is wrong for an inline element (r245642)
ASSERT(m_callback->hasCallback()) under IntersectionObserver::notify() (r283590)
Crash under JSIntersectionObserverCallback::handleEvent() (r281188 partial)
REGRESSION(r279800): IntersectionObserver may never get a delivery of an observation if the element has been unobserved and is disconnected (r280549)
ResizeObserver / IntersectionObserver memory leak on detached & out of reference elements (r279800 partial)

Mar 16, 2023
============
The rootBounds of IntersectionObserverEntry is not correct when {root:document} (r271433)
Web Automation: elements larger than the viewport have incorrect in-view center point (r245320)
IntersectionObserverCallback leaks (r269141)
Unreviewed, reverting r261623@main. (261755@main)
REGRESSION (r261874): Typing near the bottom of a scrollable document causes the scroll position to jump (r264627)
[iOS] Programmaic scroll of "scrolling=no" iframe fails (r261874)
[iOS] Handle hit testing for subframes (r240249)
Support InputEvent.inputType for the new InputEvent spec (r206979 partial)
Support onbeforeinput event handling for the new InputEvent spec (r206944)
Introduce InputEvent bindings in preparation for the input events spec (r206843)
On iOS, we never want to make scrollbar layers (r162030)
Tiled drawing should not imply threaded scrolling (r156472)
Regression: svg/text/modify-text-node-in-tspan.html is flaky crashing (261729@main)
Timestamps should be the same for all rendering update steps (r260800)
Rendering update steps should use Seconds for the timestamps (r260736 + r260870)
Remove legacy webkitRequestAnimationFrame time quirk (r243810)

Mar 15, 2023
============
REGRESSION(r256659): We try to remove fonts from the CSSFontFace which were never added (r281648)
new FontFace() should not throw when failing to parse arguments (r256659)
Ensure non-initial values for CSS Font properties (r255485)
Fix specification violation in Font Loading API (r254220)
ActiveDOMObject::hasPendingActivity() should stop preventing wrapper collection after ActiveDOMObject::stop() has been called (r259419 partial revisited)
Overrides of ActiveDOMObject::hasPendingActivity() should not need to query the base class's hasPendingActivity() (r259252)
HTMLTrackElement should be pending while it is waiting for LoadableTextTrack request (r259138)
Garbage collection prevents FontFace.loaded promise from getting resolved (r257676)
Make sure ActiveDOMObject properly deals with detached documents (r250843)
Intersection Observer intersections are wrong with zooming (r258787)

Mar 14, 2023
============
REGRESSION(261586@main): The assertion is randomly failing (261634@main)
[intersection-observer] Accept a Document as an explicit root (r258648)
[intersection-observer] Accept a Document as an explicit root (r257976)
IntersectionObserverEntry#intersectionRatio can be larger than 1 (r249845)
IntersectionObserver rootMargin detection fails when `root` is an element (r246432)
REGRESSION (r245396): Page load time performance regression (r246267)
REGRESSION (r245396): Page load time performance regression (r245958)
[IntersectionObserver] Regression: No initial observation when nothing else triggers rendering (r245396)
requestAnimationFrame should execute before the next frame (r242624 + r242643 + r242688 + r242714 rolled out + r244182 partial revisited)
IntersectionObserverEntry doesn't keep JS wrappers of rects alive (r237929)
IntersectionObserver doesn't keep target's JS wrapper alive (r237880)
Allow cross-document intersection observing (r237737)
Hit-testing broken in WebKit 1 views with AppKit's contentInsets (r171891)
Intersection Observer: rootMargin: '' gives weird results (r238610)
[IntersectionObserver] Account for CSS zoom when computing client rects (r237862)
[IntersectionObserver] Fix isIntersecting computation when 0 is not a threshold (r237798)
REGRESSION (r237255): Text selection is broken in form fields (r237449)
[IntersectionObserver] Handle zero-area intersections (r237284)
[IntersectionObserver] Factor out rect mapping and clipping logic from computeRectForRepaint (r237255)
Ignore calc() values on colgroup elements (261623@main)
Inline Document's svgExtensions() & cssTarget() (261590@main)
Update Document::m_ranges to be a WeakHashSet (261586@main)
Concat with a CSSStyleSheet and shadowRoot.adoptedStyleSheets returns array in array (261604@main)
IntersectionObserver is causing massive document leaks on haaretz.co.il (r291030)
Flaky IntersectionObserver web platform tests involving style updates (r237218)
[IntersectionObserver] Implement rootMargin expansion (r235943)

Mar 13, 2023
============
IntersectionObserver leaks documents (r235736)
[IntersectionObserver]  Implement intersection logic for the same-document implicit root case (r235459)
[IntersectionObserver] Schedule intersection observation updates (r235424 + r235428)
[IntersectionObserver] Implement intersection logic for the explicit root case (r235358)
[IntersectionObserver] Fire an initial dummy notification (r235014)
[IntersectionObserver] Do not hold a strong reference to the root element (r234884)
[IntersectionObserver] Validate threshold values (r234818)
[IntersectionObserver] Implement rootMargin parsing (r234761 + r234851)
Update IDL for IntersectionObserverEntry and IntersectionObserverEntryInit (r234732)
Implement IntersectionObserver (r208181)

Mar 11, 2023
============
Use a WeakPtr for InlineCSSStyleDeclaration::m_parentElement (261517@main)
Fix undefined behavior in valueFromPool(Span<LazyNeverDestroyed<CSSPrimitiveValue>>, double) (261527@main partial)
Drop unnecessary work from ~HTMLAnchorElement() (261539@main)
Use WeakHashMap and WeakPtr with Node in more places (r279439 partial revisited)

Mar 10, 2023
============
Summary element is not focusable with tabindex (261497@main)
document.adoptNode is a no-op when called on a template element's document fragment (261491@main)
Change adoptNode() for a DocumentFragment with host (252098@main)
Document.adoptNode() should be able to explicitly adopt a DocumentType node (r189681)
Document::adoptNode shouldn't special-case <iframe> (r131500)
adoptNode() shouldn't reset ownerDocument if the source node failed to remove itself (r129469)
Revert [261440@main] Use a WeakPtr for InlineCSSStyleDeclaration::m_parentElement (261475@main)
Improve assertion in ValidatedFormListedElement() (261441@main + 261486@main rolled out)

Mar 09, 2023
============
Crash under WebCore: WebCore::CachedResourceClientWalker<WebCore::CachedImageClient>::next() (r293804 complete revisited)
Use WeakHashMap and WeakPtr with Node in more places (r279439 partial revisited)
WeakHashMap::ensure() may crash if the map contains null references (r295092)
[WTF] Fix clang tidy bugprone-move-forwarding-reference static analyzer warnings from WebCore/WebKit (r289602 complete revisited)
Use a WeakPtr for InlineCSSStyleDeclaration::m_parentElement (261440@main)
Move caret rect computation out of render tree (r270220)
Replace confusing extraWidthToEndOfLine parameter with an enum (r269693)
Dictionary hotkey does not work on vertical text (r153060)
First step to fix hacked isReplaced: Rename isReplaced functions to isReplacedOrInlineBlock (r288067)
REGRESSION(r152313): Inline-block element doesn't wrap properly (r176287 complete revisited)
Empty RenderInline objects should not be line break objects. (r167628)
[svg] text transformation not starting on initial render (261408@main)
Fix problems on changing 'multiple' state SELECT element to 'single' state (261380@main)

Mar 08, 2023
============
REGRESSION(r203289):Assertion in MathOperator::stretchTo() on Wikipedia Page (r208296)
MathOperator: Improve alignment for vertical size variant (r203289)
Use parameters from the OpenType MATH table for <munderover> (r203074)
Use Radical* constants from the OpenType MATH table. (r202977)
Use OpenType MATH constant AxisHeight. (r202973)
Add support for movablelimits. (r202970)
Implement an internal style property for displaystyle. (r202960)
NeverDestroyed related leaks seen on bots (r220183)
Relax adoption requirements of RefCounted objects that are NeverDestroyed (r167206)
Support Unicode 11 in RegExp (r232934 complete revisited)
[python] Replace print operator with print() function for python3 compatibility (r225698 partial)

Mar 07, 2023
============
[css-overflow] Implement clip value for overflow (r280509)
[css-scroll-snap] scroll-snap-align not honored on child with non-visible overflow (r240921 partial)
Rename hasOverflowClip() to prepare for the real overflow:clip (r279918)
Remove some duplicated code related to scrollbars (r278527)
Enable CSSOMViewScrollingAPI (r240250)
Simplify the logic around has*ScrollbarWithAutoBehavior (r236356)
[CSSOM View] Handle the scrollingElement in Element::scroll(Left/Top/Width/Height/To) (r235806)
[CSSOM View] Implement standard behavior for scrollingElement (r235539 partial)
Consider implementing Document.scrollingElement (r183967)
ASSERT in RenderBox::instrinsicScrollbarLogicalWidth opening the inspector (r173734)

Mar 06, 2023
============
Implement parsing and animation support for ray() shape accepted by offset-path (r286086)
Add discrete animation support between PathOperations (r284961)
  => css3test.com 49% 1855/3697 878 features (All except CSS 2.2), 56% 2380/4222 1000 features (All)
Unreviewed, reverting r260874@main. (261266@main)
Implement parsing and animation support for offset-path (r285343)
Implement parsing and animation support for offset-distance, offset-position, offset-anchor (r284361)
Add interpolation for object-position CSS property (r275104)
  => css3test.com 49% 1849/3697 878 features (All except CSS 2.2), 56% 2374/4222 1000 features (All)
CSS @imports in HTML missing quote marks are mistakenly hidden from the Preload Scanner (261254@main)

Mar 03, 2023
============
RenderElement::updateOutlineAutoAncestor should deal with moved out renderers (261148@main)
Get rid of unnecessary layouts on body elements with quirky children (261134@main)
[JSC] OrdinarySet should invoke custom [[Set]] methods (r276592 + r277665 rolled out + r278589)
Turn callGetter() / callSetter() into instance methods (r277541)

Mar 02, 2023
============
Rename Clipboard to DataTransfer (r166965)

Mar 02, 2023
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float.
    [JIT tests - get-private-name-with-different-symbol.js crash with DFG inline enabled]
    [css3test/Speedometer web score 6.291]
[JSC] Simplify toThis operation (256115@main complete revisited)
[JSC] Add more JSType based fast path for jsDynamicCast (r229362 partial)
[JSC] Simplify toThis operation (256115@main rolled out)
  => JIT/Class tests failure

Feb 28, 2023
============
[JSC] Simplify toThis operation (256115@main)
[JSC] ResolveNode can't always skip the extra move (261006@main)
Use Element instead of Node in DragState, also redo DragState struct (r150354 partial)
Simplify event dispatch code and make it a bit more consistent (r224459 partial revisited)
Restore 100,000 limit in HTMLOptionsCollection.length setter (260896@main)
[JSC] Avoid unnecessary move in FunctionCallResolveNode (260872@main)
[JSC] Fix unnecessary moves in read/modify assignment (260874@main)

Feb 27, 2023
============
HTML maxlength attribute treats emoji of string length 11 as length 1 (260838@main)
Refine the DOM element iterator implementation (r257132)
Make normal case fast in the input element limitString function (r208963 partial)
REGRESSION(r164329): Input fields are not honoring the maxlength attribute (r177098)
Final newline (LF or CRLF) in paste buffer is converted to space (r131032)
(REGRESSION) Increasing column-count above 2 at runtime has no effect (260849@main)
[JSC] UAF Yarr::YarrPatternConstructor::atomParenthesesEnd; Yarr::Parser::parseTokens; JSC::Yarr::parse (259657@main)
REGRESSION(257823@main): named-groups/lookbehind.js Test262-test is failing (258195@main + 258310@main reverted + 258441@main)
REGRESSION(257823@main): 4X Test262-test are constant failures (258139@main)
Add support for RegExp lookbehind assertions (257823@main)
[JSC] Change most of enum in Yarr to enum-class (r280285 partial)

Feb 24, 2023
============
WTF::CrashOnOverflow::crash() with /((a{100000000})*b{2100000000})+/.test(); (r294411, 250703@main)
[JSC] YarrJIT m_checkedOffset should be pre-computed and stored to Yarr op (r288995)
[JSC] Avoid saving top-level scope for non-module code (260743@main)

Feb 23, 2023
============
Remove TextRun::allowsRoundingHacks() (r195180)
ch unit fallback size doesn't match the spec (r289151)
Implement the 'ic' unit from CSS Values 4 (r283279)
Allow CSS font-styling for canvas without RenderStyle (r273964 partial)
Null pointer deref in WidthIterator (r235416)
  => css3test.com 49% 1822/3673 878 features (All except CSS 2.2), 55% 2347/4198 1000 features (All)
Support the `x` resolution unit (r282396)
Remove hardcoded CSSUnitType enum values (r281785)
-webkit-image-set should support resolution units other than 'x' (r255228)
"image-src" support is missing. We only support "-webkit-image-src" (r202765)
image-set doesn't round-trip properly with cssText (r132388)
  => css3test.com 49% 1821/3673 878 features (All except CSS 2.2), 55% 2346/4198 1000 features (All)

Feb 22, 2023
============
[ESNext][JIT] Add support for UntypedUse on PutPrivateName's base operand (r268656)
[JSC] Use emitPutProperty / emitGetPropertyValue consistently to handle private names in edge cases (r287531)
[JSC] Read-modify-write operation's second put-to-scope should not throw error if binding does not exist (r287544)
BytecodeGenerator::fuseCompareAndJump() fails for some language constructs (r273649)
Use @putByValDirect instead of Array.prototype.@push in built-ins (r268489 partial revisited + r268528)

Feb 21, 2023
============
[JSC] Make Operator an enum class to avoid Op* identifiers (r259150)
AbstractMacroAssembler::Jump class has uninitialized instance variables (r266530)
Invalid early errors for class methods named "constructor" and "prototype" (r265966)
RegExp.prototype getters should throw on cross-realm access (r262908)
[JSC] Use symbols as identifiers for class fields computed names storage (r269801)
[JSC] eval?.() should be indirect eval (r264633)
[JSC] DFG::AbstractValue::filterByValue should re-filter configured m_value via m_type (r264857)
for-of should check the iterable is a JSArray for FastArray in DFG iterator_open (r262252 partial)
[JSC] Remove unnecessary move in ResolveNode's bytecode (260555@main)

Feb 21, 2023
============
Remove a bad assertion in ByteCodeParser::inlineCall(). (r249279)
[JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser (r244939)
[JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame (r244864)
Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit (r222115 partial revisited)
Support compiling catch in the DFG (r221196 partial revisited)
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 Thumb GCC8.3.0 with hard float.
    [JIT tests - get-private-name-with-different-symbol.js crash with DFG inline enabled]
  => Not tested
    [ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016]
    [V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Feb 20, 2023
============
[JSC] support op_get_private_name in DFG and FTL (r268794)
Don't emit OpSpread with a constant as the destination (r268593)
[JSC] BytecodeGenerator should be robust against failed constant generation (r264059)

Feb 19, 2023
============
[Multicolumn] Margins incorrectly accounted for before forced breaks (260510@main)
[CSS Regions] Break after doesn't work correctly with auto-height regions (r145728)
Scrollbar should be removed from hasOverridingLogicalHeight() (260503@main)

Feb 18, 2023
============
[JSC] ToThis object folding should check if AbstractValue is always an object (260455@main)
AI should do int32 optimization in ValueRep (r292269)
AI should not set the structure for ObjectCreate (r291891)

Feb 17, 2023
============
[JSC] add IC support for op_get_private_name (r265000)
Not using strict mode within ClassDeclaration statement (r259676 + r259715 revisited)
  => Fixed redefine-property-writable failure
  
Feb 16, 2023
============
Array.prototype.indexOf constant-folding should account for non-numeric index (256590@main complete revisited)
Fix bugs from r228411 (r228565 partial)
Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA (r228411 partial)
[DFG] More ArrayIndexOf fixups for various types (r218525 complete revisited)
  => Passed DFG [JIT tests] on ARMv7 Thumb GCC8.3.0 with hard float.
[JSC][ESNext] Create a new opcode to handle private fields store/define (r267489)

Feb 15, 2023
============
fetch() with subresource integrity crashes on zero length body (r234678)
Implement Subresource Integrity (SRI) (r216553 complete revisited)
Merging ThreadableLoader redundant options on filtering responses (r210514)

Feb 14, 2023
============
[JSC] handle Put/DefinePrivateField in resetPutByID (r263491)
[JSC] Add support for private class fields (r262613)

Feb 10, 2023
============
[JSC] BuiltinNames' HashMap should be small (r257681)
incorrect repainting when a table has a transform (r149550)
Table rows repaint entire table when their background color changes. (r176124)
Tables don't repaginate properly when the pagination height changes or the pagination offset changes. (r179627)
Table cells, rows, sections or column (groups) don't support margins (259955@main)
Summary on details has not right margin on RTL (260063@main)
Attribute change results in assertion failure checking for parent node for a parent less element. (260072@main)
[JSC] PrivateName to PublicName hash table is wasteful (r241104)

Feb 09, 2023
============
Style::RuleFeatureSet wastes vector capacity (260021@main partial)
Fix canvas fallback content focusability computation (258043@main)
Element::isFocusableWithoutResolvingFullStyle() inert checks do not update right away (256601@main)
Remove Element::focusDelegate() (252926@main)

Feb 08, 2023
============
Stop atomizing all-whitespace strings when parsing HTML (260039@main)
[WTF] Introduce Private Symbols (r220053)
[JSC] Introduce static symbols (r219731)
[WTF] Drop SymbolRegistry::keyForSymbol (r219042)
[WTF] Add RegisteredSymbolImpl (r218066)
Refactor SymbolImpl layout (r209309)
[JSC] Lexer flags should be an OptionSet (r251684)
[JSC] Add support for private class fields (r262613 part 1)

Feb 07, 2023
============
HTMLFrameOwnerElement::getSVGDocument should return null rather than throwing (259905@main)
EventListenerMap's m_entries vector wastes a lot of vector capacity (259920@main)

Feb 06, 2023
============
SVGLengthValue::fromCSSPrimitiveValue() doesn't have enough context to resolve font-relative units ((259836@main))
Ref document in Document::postTask() lambda to make sure it stays alive during the task execution (259841@main)
Fix variable liveness for try catch in DFG (259839@main)
Not using strict mode within ClassDeclaration statement (r259676 + r259715)

Feb 03, 2023
============
Updated to use smart pointers in MutationObserver. (r279434)
Unreviewed, reverting r267175 and r267779. (r268695 rolled out)
Crash while loading a confluence page (r267779)
MutationObserverRegistration should be ref counted (r267175)

Feb 02, 2023
============
Avoid heap allocation for EventContexts (r273477 + r273486)
Event improvements (r228260 partial revisited)
REGRESSION (r228260): Events handled by input method invoke default event handler (r234718)
REGRESSION(r228260):WebHTMLView beeps at every keydown for Chinese/Japanese/Korean Input Method (r230173)
Unreviewed, tiny partial rollout of r228260 as it caused some worker failures (r228276 partial)
Event improvements (r228260 partial revisited)
m_styleSheetCandidateNodes in StyleScope should be WeakListHashSet (259698@main)
[css-animations] composite operation of implicit keyframes for CSS Animations should be "replace" (259739@main)
[web-animations] ASSERT(node.isConnected()) reached in Style::Scope::forNode() in css/css-animations/CSSAnimation-getKeyframes-crash.html (259735@main)
Don't create renderer for foreignElement when it has no parent (259685@main)
Event improvements (r228260 partial revisited)

Feb 01, 2023
============
REGRESSION (236779) scandinaviandesigns.com product pages auto redirect to product image (r237413)
Regression(r236779): Crash when changing the input element type from inside an 'input' event listener (r236803 + r236837 rolled out + r236841)
radio / checkbox inputs should fire "click, input, change" events in order when clicked (r236779)
<input disabled> does not fire click events after dispatchEvent (r269452)
Asssertion failure in dispatchSubtreeModifiedEvent due to TextFieldInputType updating UA shadow tree inside Element::removedFromAncestor (r245746)
Add credit card autofill button (r237647)
Regression(r236779): Crash when changing the input element type from inside an 'input' event listener 
Need ability to specify alternate image for AutoFill button in input fields. (r195685)
Fix anomaly where isMouseEvent returns false for wheel events (r192903)
Allow adding a button in input elements for auto fill related functionality (r181408)
Add checked casts for Event. (r164194 partial)

Jan 31, 2023
============
[css-flexbox] Do not use margins when computing aspect ratio cross sizes (r277371)
Solidus stripping in DOMURL::setHostname seems wrong (259366@main)
URLParser should reject hosts with C0 control characters or U+007F (r284588)
Reject non-IPv4 hostnames that end in numbers (r281963)
Fix some whitespace handling issues in URL setters (r279760)
Check for "xn--" in any subdomain when parsing URL hosts (r278879)
Forbid '|' in URL hosts (r271899)
Disallow ports in file URLs (r268479)
URLParser should fail to parse URLs with hosts containing invalid punycode encodings (r267965)
Non-special URLs are not idempotent (r267837)
URLParser should use TextEncoding through an abstract class (r236565)
URL::appendEncodedHostName is using the deprecated uidna_IDNToASCII function (r231110)
Use unsigned for locations in URL (r204334)
imported/w3c/web-platform-tests/css/css-transitions/parsing/transition-timing-function-computed.html crashes (libc++ assertions) (259559@main)

Jan 30, 2023
============
URL path setter messes up UTF-8 encoding after ? (r278091)
Allow setting empty hosts of URLs with non-special schemes (r279666)
URL path setter should add "./" before non-empty path and after empty host for URLs with non-special schemes (r279662)
Update and pass new URL web platform tests (r268853)
Align URL setters with reasonably behaving other browsers (r268050)
Streamline URLDecomposition::setHash (r264611)
Setting URL.hash to '#' should preserve '#' (r264599)
Changing URL.host should not override port (r264516)
Improve IPv6 detection when setting host/hostname (r264282)
Allow setting empty host/hostname on URLs if they use file scheme (r263971)
Setting url.search="??" (two questionmarks) has incorrect behavior (r263637)
Improve url-setters.html WPT test (r262900)
Fix setting host on URL when no port is specified (r261212)
A URL cannot have a username/password/port if its host is null (r261173)
Remove unnecessary inlining and templates for URL decomposition DOM functions (r260724)
REGRESSION (r294291): Another nullptr crash with ::first-letter (r294736)
REGRESSION (r294291): Nullptr crash with :first-letter (r294485)
Resolve ::first-letter eagerly (r294291)
Cannot style ::selection for a flex container (r262049)
CSS ::selection stroke-color and stroke-width are not applied to selected text in text fields
  and ::selection:window-inactive stroke-color and stroke-width are never applied (r229147)
[Web Animations] Implied keyframes should not account for animations on siblings (r270837)

Jan 29, 2023
============
Document::m_inDocumentShadowRoots should be a WeakListHashSet (259522@main)
Style resolution sometimes fails to create all style resolvers for shadow trees. (r263455)

Jan 27, 2023
============
Fix negative shadow repaint issue (259497@main)

Jan 27, 2023
============
Access key should work on focusable element. (r287529)
Remove unused :-internal-direct-focus pseudo-class (r287222)
[selectors] Match :focus-visible on <select> elements (r286776)
[selectors] Use :focus-visible in the user agent style sheet (r286775)
Add :focus-visible to focus bucket in RuleSet (r286134)
[selectors] :focus-visible implementation (r273812 complete reivisited)
[selectors] :focus-visible parsing and experimental flag (r272983)
[WPE] focus-visible-003.html and focus-visible-004.html are timing out in input tags (r271671)
  => [New Parser] css3test.com 49% 1820/3673 878 features (All except CSS 2.2), 55% 2345/4198 1000 features (All)
HTMLInputElement::setValueForUser should dispatch an input event (259434@main)
Disconnected <fieldset> elements sometimes incorrectly match :valid / :invalid selectors (259422@main)

Jan 26, 2023
============
cross origin iframe load event can be used for a malicious way (259384@main)
Protect against empty layout state (259376@main)
Fix int overflow leading to OOB write (259375@main)
HTMLFrameOwnerElement: use Document::creationURL() for self-reference check (259370@main)
No need for isURLAllowed function in Frame (r247529)
Implement Feature policy self/none/* parsing (r245625)
Fix security check in ScriptController::canAccessFromCurrentOrigin() (r245538)
Remove unused parameters from FrameLoaderClient::createFrame (r237138)
Implement <iframe allow="camera; microphone"> (r225963)
Move URL to use StringView when returning substrings of the URL (r260707 partial)
Remove out-of-date FIXME on collapsing margins (259361@main)
Incorrect association of the URL object with the value port (r252998)
Parsed protocol of javascript URLs with embedded newlines and carriage returns do not match parsed protocol in Chrome and Firefox (r239642)
Implement URL's toJSON() (r212193)
Align URL setters with spec for URLs that cannot be a base URL (r211636)

Jan 25, 2023
============
Properly mark history items added without user gesture (259319@main)
Editor can hold references to Documents after you navigate away (r232434)
UAF crash occurs during a style update when an older freed HTMLElement is accessed (259321@main)
Document::m_cssTarget should be a smart pointer (259311@main)
Assertion hit under IdTargetObserverRegistry::notifyObservers() (259290@main)
Use DOM element iterators more, and more consistently (r257188 partial revisited)
DFG should not speculate Int32 for NaN constants (259340@main)

Jan 24, 2023
============
Font loads are triggered too late (r270590)
REGRESSION(r266148) Cancelling a navigation in decidePolicyForNavigationAction should not suspend the previous document's font loading timer
Font loads quickly followed by navigations may fail indefinitely (r266148)
Integrate resize event with HTML5 event loop (r251867)
document.fonts.size needs to update style so it doesn't return stale values (r281845)
CSSFontFace should not need its m_fontSelector data member (r272849 + r273094 rolled out + r273650)
Remove FontSelector dependence in CSSFontFace when creating a new FontFace wrapper (r272727)
Remove another use of FontSelector from within CSSFontFace (r272715)
Remove some uses of FontSelector from within CSSFontFace (r272045)
CSSFontFaceSet.clear() should not clear CSS-connected members (r281842)
[SVG] Handle animation freeze when 'repeatDur' is not a multiple of 'dur' (259212@main)
[Multicolumn] Improve balancing for border/padding and empty block content (259246@main)
REGRESSION (254522@main): HTMLSelectElement's value setter sets incorrect values if there are grouped options (259249@main)

Jan 23, 2023
============
Minor cleanup in CSSFontFaceSetClient (r272047)
CSS :visited color taken on non-visited link when using CSS variables (r266656)
Remove support for some SVG properties (r284447)
SVGRenderStyle should repaint on resolved color change (259082@main)

Jan 23, 2023
============
Remove some @apply leftover code (r292455 complete revisited)
Remove constant() in favor of env() (r222627)
Add env() as an alias of constant() (r222402)
Add an experimental feature flag for constant properties (r216611)
Expose obscured insets to web content (as "safe area insets") (r215597 + r215605 rolled out + r215607)
  => [New Parser] css3test.com 49% 1822/3673 878 features (All except CSS 2.2), 55% 2347/4198 1000 features (All)

Jan 22, 2023
============
Remove zoom special casing of SVG when computing border-widths (259170@main)
Incorrect paint of 'translate' property animation (259173@main)
Prevent overflow of width/height of layout overflow rectangle which can cause scroll bar to malfunction (259178@main)
Reduce calls to LayoutUnit and use default constructors for containers (259177@main)

Jan 20, 2023
============
Use WeakPtr to store CSSFontFace::Client and FontSelector (259118@main partial)

Jan 19, 2023
============
AsyncGenerator should await "return" completions (r262979)
Require Int32 when constant-folding ParseInt in DFG (259102@main)
[Legacy line layout] Zero height float boxes do not shrink/indent line boxes (259034@main)
Remove HTMLFrameElement.location (259067@main)

Jan 18, 2023
============
HTMLFormControlElement: refine a few overrides with final specifier (259001@main partial)

Jan 17, 2023
============
Introduce release assert for using threads before threading is initialized (r187177)
Replace WTF::ThreadingOnce with std::call_once (r161146 partial)
Remove unused RenderListBox::valueChanged (258955@main)
Handle special case of merging lists in mergeParagraphs() (257650@main + 258972@main rolled out)

Jan 16, 2023
============
Floating point exception in RenderListBox::numVisibleItems (r289883)
Cache integer font metrics for performance (r252927)
StyleRule accessor in RuleData should return a const reference (r253959)
Unreviewed, revert 255917@main (258905@main)
SVG textLength not working correctly (258921@main)
Compute the keyTimes index correctly for discrete (values) animations (258939@main)
<object> element shouldn't override FormListedElement::setCustomValidity() (258945@main)

Jan 13, 2023
============
Delete line boxes when moving text renderers between block flows (r259611, 222992@main)
Use std::call_once + LazyNeverDestroyed to initialize complex data structures (r265735 partial)
Delete button doesn't fully delete certain emoji (r223110 + r223134 rolled out + r223578)
Use RAII for ICU breaking iterators (r213093)
Stop compiling our own cursorMovementIterator() (r213020)
Stop reinterpret_casting UBreakIterators to the undefined type TextBreakIterator (r209907)
Rename isEmojiModifier to isEmojiFitzpatrickModifier to better capture its function (r203042)
Takes two delete key presses to delete pasted emoji up-pointing index finger with skin tone (r185393)
Additional emoji support. (r179567)

Jan 12, 2023
============
Logical Assignment: perform NamedEvaluation of anonymous functions (r262638)
Rename NullishEq / NULLISHEQUAL to CoalesceEq / COALESCEEQUAL to match the spec (r260275)
Don't unconditionally reset TextIterator::m_handledChildren for display: contents nodes. (r217238)
Do not skip <slot> children when collecting content for innerText. (r216966)
Finding text doesn't work across shadow boundary (r210432)
Modernize findPlainText (r210078)
REGRESSION (r201701): Unable to copy from CodeMirror editor version used in Jenkins install website (r205246)
Find on page finds too many matches (r201701)
TextIteratorStopsOnFormControls is never used (r200744)
INPUT_MULTIPLE_FIELDS_UI: Mouse click not on sub-fields in multiple fields input  should not move focus (r142592)
Move dispatching of focus-related events from Node to Element. (r150801)
Add FocusDirection argument to HTMLTextFormControlElement::handleFocusEvent (r141738)
It should not be possible to trigger a load while in the middle of restoring a page in PageCache (r247025 complete revisited)
Avoid keeping FormState alive longer than necessary (r232081 + r201342 rolled out + r232147)
Set a trap to catch an infrequent form-related nullptr crash  (r199350)

Jan 11, 2023
============
Fix *-baseline computation for {text-,}after-edge/ideographic/baseline (258791@main)
font-face src list fails early if component fails (258749@main)

Jan 10, 2023
============
Change the default oblique angle from 20deg to 14deg (258722@main)
Remove SVGFEMorphologyElement.setRadius(radiusX, radiusY) (258733@main)
Fix potential VACCUM error by counting destructor (258673@main)
Regression(r277571) Call to SQLiteDatabase::turnOnIncrementalAutoVacuum() from ITP fails (r282030)
font-face src local() doesn't invalidate css-wide keywords (258695@main)
Do not require whitespace between of and selector list in `:nth-child`/`:nth-last-child` (258703@main)
Remove "bgpropertiesAttr" (258704@main)
[css-transitions] css/css-properties-values-api/animation/custom-property-transition-inherited-used-by-standard-property.html is a failure (258714@main)

Jan 09, 2023
============
[Multicolumn] Guard against zero or negative space shortage (258647@main)

Jan 08, 2023
============
Frozen animations still contribute to the sandwich/animation stack (258630@main)
text-decoration-thickness property doesn't always trigger repaint when changed (258641@main)
Remove HTMLFrameElement.width/height (258573@main)

Jan 05, 2023
============
Align %TypedArray% behavior with recent spec adjustments (r269670)
  => [New Parser] css3test.com 49% 1812/3672 877 features (All except CSS 2.2), 55% 2337/4197 999 features (All)
Remove HTMLPreElement.wrap IDL attribute (258445@main)
Shrink isValidNameNonASCII by using U16_NEXT only once (258456@main)
Potential Assertion Fix - Fix loop condition in BidiRunList::replaceRunWithRuns (258465@main)

Jan 04, 2023
============
[SVG2] Stop accepting 'defer' in preserveAspectRatio (258253@main)
Fix behavior of nested click event on label element with checkbox (258287@main)
Computed value for stroke-dasharray should be in px (258300@main)
Reset algorithm is incorrect for select element with first option disabled (258313@main)
Fix CSSSelector copy constructor bug (258339@main)
Set value of m_textAsOfLastFormControlChangeEvent before triggering change event (258395@main)
Move Node::dispatchChangeEvent() to HTMLFormControlElement. (r150805)
Move some form control things from Element to HTMLFormControlElement. (r150711)
Delaying 'change' and 'input' event dispatching during HTMLInputElement::setValue (r132983)

Dec 22, 2022
============
  => [New Parser] css3test.com 50% 1808/3566 849 features (All except CSS 2.2), 56% 2333/4091 971 features (All)
Ensure transferred max size is floored by transferred min size in RenderReplaced::computeIntrinsicSizesConstrainedByTransferredMinMaxSizes. (258210@main)
Correctly handle loading subframes in WebArchives (258117@main + 258206@main rolled out)
Consider focusability even when tabs-to-links is enabled for <svg:a> (258228@main)
Make sure rows are updated during simplified layout (258227@main)
Give up on stretching columns if they have already reached max height (258230@main)

Dec 21, 2022
============
BitStack::top() should calculate an index instead of always using m_words.last() (258190@main)
Avoid uint64_t overflow in Decimal::operator/() and fix static MaxCoefficient value (258174@main)

Dec 20, 2022
============
Counters are always generated content and cannot be selected (258080@main)
Shorthands are still using "initial" for longhands that are set implicitly (258061@main + 258087@main rolled out)
Correctly teardown children for elements with NULL renderer which have display contents changed. (258098@main)
Escape '&' in javascript URLs for innerHTML/outerHTML (258112@main)
HTML fragment serialization should not strip whitespace from URL attribute values (r243821)
Update EventHandler::nodeWillBeRemoved to cover ShadowDOM as well (258122@main)
White spaces in the 'keyTimes' attribute should be ignored (258129@main)

Dec 19, 2022
============
[Cleanup] Remove redundant BreakingContext::m_currentStyle (r276207)
Don't auto-wrap 'svg:text' (257993@main)
Fix a bug that mousedown without mouseup in a frame disturbs click event in another frame (258055@main)
Use double precision for CalcExpressionBlendLength. (258072@main)
legend.focus() should not delegate focus (258074@main)

Dec 16, 2022
============
Make sure DocumentLoader::interruptedForPolicyChangeError returns a cancellation error in all code paths (257986@main)
Clicking a link to a download file served by a service-worker with a fetch event handler yields "Frame load interrupted" error (256725@main)
Recalculate intrinsic widths in the old containing block chain when going out of flow (257980@main)

Dec 15, 2022
============
Make sure computed values for 'baseline-shift' CSS property have 'px' unit for lengths (257928@main)
HTMLImageElement width/height should update renderer first (257961@main)
Fix computed value for transform property (257964@main)
[WebIDL] Add support for having dictionaries in their own IDL file (r206877 partial revisited)
Align element.scroll() / scrollTo() / scrollBy() with the CSSOM specification (r205505)
Align window.scroll() / scrollTo() / scrollBy() with the CSSOM specification (r200907)
Legacy scroll behavior on HTMLBodyElement should only apply to the first body element of a document (r182677)

Dec 13, 2022
============
Add over-constrained direction check to computePositionedLogicalHeightUsing (254324@main)
[css-aspect-ratio] The transferred min/max sizes should be constrained by defined sizes (253262@main)

Dec 12, 2022
============
Crash in FormData::flatten (256613@main)
Javascript URLs do not run in the right context when using frame targeting (r285214 complete)
Rename executeIfJavaScriptURL to executeJavaScriptURL (r263008)
Improve CSP compliance under PSON (r262870)
Exit early in FrameLoader::loadURL when redirecting to another frame (r260423)
Remove LockHistory parameter from loadWithNavigationAction (r259544)
[PSON] Add support for cross-site client-side redirects (r237355)
http/tests/security/cors-post-redirect-307.html fails with PSON enabled (r232730)
html/browsers/browsing-the-web/navigating-across-documents/006.html fails with async policy delegates (r229108)
[Content Filtering] Load blocked pages more like other error pages are loaded (r202944 + r202995 rolled out + r203003 partial)

Dec 09, 2022
============
Add referrerpolicy attribute support for <script> elements (r247509)
Add referrerpolicy attribute support for anchors (r257707)
Consider supporting the `referrerpolicy` attribute. (r242534)
Referrer-Policy response header is ignored (r232310 + r232348)
Form navigations with target=_blank should not have an opener (r284821)
Add support for rel="noopener/noreferrer" on <form> elements (r284749)
REGRESSION: (r251677) imported/w3c/web-platform-tests/html/semantics/forms/form-submission-0/form-double-submit-3.html is a flaky failure (r253799)
REGRESSION: (r251677) imported/w3c/web-platform-tests/html/semantics/forms/form-submission-0/form-double-submit-3.html is a flaky failure (r253493 + r253666 rolled out)
FrameLoader::receivedMainResourceError doesn't handle GET cancellations well. (r125436)
Small FrameLoader refactoring. (r184987 + r184988)
<a rel="opener noopener" target="_blank"> should create a window without opener (r280933)
Experiment: target=_blank on anchors should imply rel=noopener (r237144)

Dec 08, 2022
============
Unreviewed, reverting r255406@main. (257574@main)
Unreviewed, reverting r256901@main. (257580@main)
[JSC] CallData/ConstructData should include CallType/ConstructType (r260744)
Only apply automatic minimum block-size aspect-ratio rules to non-replaced elements (r288003)
Fix block-aspect-ratio-037.html (251908@main)

Dec 07, 2022
============
Replace hardcoded <hr> rendering rules with 'overflow: hidden' UA style (257446@main)

Dec 05, 2022
============
Crash when setting the default value of a <textarea> (257097@main)
Setting the value of a textarea is much slower in WebKit than it is in Chromium (256596@main)
Remove a float from an element's list even if its style suggests it can't contain floats (257370@main)
<area> needs to be connected in order to navigate (r262359)
Implement rel=noopener (r207840)
Index setters of HTMLSelectElement and HTMLOptionsCollection should do nothing if the requested index is too large (257351@main)

Dec 03, 2022
============
Enable form.requestSubmit() (r288179)
Implement <form>.requestSubmit() (r277257)
Devirtualize InputType::supportsValidation() (r272180)
Avoid a virtual function call in HTMLInputElement::value() (r272298)
Devirtualize some functions on InputType (r272097)
Fix CSS.supports behaviour with regards to !important and whitespace (257313@main)
::backdrop UA styles should be appended unconditionally (257194@main + 257263@main reverted + 257320@main)
Unreviewed, reverting r257267@main. (257298@main)
Don't crash when RenderStyle is NULL for elements like optgroup when rendering (257295@main)

Dec 02, 2022
============
Potential Crash fix by not propagating empty value for face attribute (257248@main)
::backdrop UA styles should be appended unconditionally (257267@main)
Unreviewed, revert [257194@main] Support ::backdrop renderer on all elements (257263@main)
Refactor ReadableStream like done for WritableStream (r257174@main + 257269@main rolled out)
Unreviewed, reverting r257196@main. (257270@main)

Dec 01, 2022
============
Don't paint focus ring for anonymous block continuations (257199@main)
Fix CSS.supports behaviour with regards to !important and whitespace (257196@main)
Support ::backdrop renderer on all elements (257194@main)
Do not create backdrop renderer for elements that can't have generated content (252452@main)
Textarea placeholder text does not disappear when inserting text without a user gesture (257210@main)

Nov 29, 2022
============
[cssom] Implement border-image serialization (r291537)
ASSERTION FAILED: !hasEllipsisBox() (257115@main)

Nov 27, 2022
============
Spatial Navigation handling of space key in <select> appears to confuse listIndex and optionIndex. (r152919)
text controls are sized too small when a percentage height is set (r139089 complete revisited)
[SVG] Default for x1, y1 and y2 is 0% for LinearGradient (257032@main)
RenderListBox::setScrollTop should allow out-of-range values but clamp them (257012@main)

Nov 25, 2022
============
[web-animations] correctly blend transform with iterationComposite is set to "accumulate" (256996@main)
When interpolating between transform lists partial prefix matches should not use matrix interpolation (r290667)
[web-animations] do not account for progress for additivity and accumulation interpolation for transforms (256997@main)

Nov 24, 2022
============
[LBSE] Assure <foreignObject> HTML descendants create a new formatting context (255626@main + 255793@main rolled out + 256960@main)
REGRESSION(r260276): Overflow scrolling layers misplaced inside SVG foreign object (r264269)
[web-animations] support blending of mismatched filter lists (256975@main)
  => [New Parser] css3test.com 50% 1795/3498 828 features (All except CSS 2.2), 57% 2320/4023 950 features (All)
[web-animations] filter values containing a url() should animate discretely (256970@main)
[web-animations] correctly accumulate and clamp filter values when blending with "none" (256976@main)

Nov 23, 2022
============
[web-animations] baseline-shift animation is incorrect (256934@main)
[web-animations] web-animations/animation-model/keyframe-effects/computed-keyframes-shorthands.html is a failure (256935@main)
Strings are not wrapped at zero width spaces when "word-break: keep-all" is set (256937@main)
Ideographic space behaves as breaking space (r283872)
[web-animations] word-spacing should support animating between percentage and fixed values (256951@main)
[web-animations] implement correct accumulation support for the `filter` property (256952@main)
Fix some CSS filter interpolation issues (r287815)
[web-animations] implement correct additivity support for the filter property (256955@main)
[Multicol] Incorrect clipping when a layer is present between the column and the content layer (256953@main)
WebKit fails to render extreme border-radius (256943@main)
border-radius with different width and height rendered wrong (r201868)

Nov 22, 2022
============
Accelerate HTMLInputElement creation (r271672)
Remove support for ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE (r263916)
Add more auto fill button types (r225879)
Implement form[method=dialog] (r279401)
WKBundlePageWillSendSubmitEventCallback is called with incorrect frame parameter (r224206)

Nov 21, 2022
============
[Web Animations] Make WPT test at animation-model/keyframe-effects/effect-value-context.html pass reliably (256889@main)
Fix focus traversal for HTMLPluginElement (256900@main)
Percent-width blocks cannot form a re-layout boundary (256901@main)

Nov 19, 2022
============
Legend tags are not accepting the full range of display styling possibilities (256841@main)

Nov 18, 2022
============
Fix for pixel-moving CSS filters with clipping (256825@main)
Hidden buttons can't be used as the submitter in an implicit submission (256813@main)
Do a subtree cleanup on float style change (256799@main)

Nov 17, 2022
============
Evaluate right-hand-side of assignment before TDZ check (256743@main)
Add numeric identifier to generated getter name (256740@main)

Nov 16, 2022
============
Incorrect Static Position of Absolute Positioned Elements inside Rel-Positioned Containers (256722@main)
Move CFStringRef and NSString support from StringBuilder into StringConcatenateCF (r277744 partial)
Animation.commitStyles() doesn't change "style" attribute for individual CSS transform properties (256728@main)
[web-animations] Animation.commitStyles() triggers a mutation even when the styles are unchanged (255129@main)
Make StringBuilder movable (r222346)

Nov 15, 2022
============
Fix assertions seen when trying to draw an absurdly large shadow (r261291)
Align CSS hsl() -> rgb() color conversion with the spec (r251750)
REGRESSION (r183498): Certain types of frame loads in iframes with <base target="_blank"> can open urls in new window/tabs (r185155)
Consolidate most "frame load" arguments into FrameLoadRequest. (r183498)
Introduce LockHistory and LockBackForwardList enums to use in place of bools. (r166684)
SVG text selection doesn't work with hyperlinked text (r124538)
Remove FrameLoadRequest's m_lockHistory member since it's always false. (r166685)
Consolidate FrameLoader::load() into one function taking a FrameLoadRequest (r135952)
MouseClick offsetX/offsetY different between Safari 15.5 and Safari 16 (256679@main)
[css-transitions] setting transition-property to "none" does not disassociate CSS Transition from owning element (256666@main)
Fix reassigning to class name during static field initialization (256663@main)

Nov 14, 2022
============
Setting -webkit-column-count to auto is the same as not setting it (256607@main)
Don't detach whitespace nodes when the previous sibling is an out of flow block (256602@main)
Grid track sizing should reset the override width as well as height to compute intrinsic sizing. (256622@main)
Check if length isSpecified before accessing in RenderTableSection.cpp for minimumValueForLength (256614@main)
Fix broken preferred widths optimization involving subtree layout roots (256623@main)
Move SpeculativeJIT::compileNewArray operand.use() calls to separate loop (256611@main)
Iterator completion should check for exceptions. (256593@main)
Array.prototype.indexOf constant-folding should account for non-numeric index (256590@main partial)
TypeError is expected when reassigning to const during destructuring in for statement (256580@main)

Nov 11, 2022
============
Regression(254699@main): fast/events/remove-iframe-during-toggle-crash.html is crashing (256552@main)
Stop assuming shorthand is serializable when longhand has a pending-substitution value (256564@main)
Serialize the auto-flow variant of the 'grid' shorthand correctly. (254974@main)
  => [New Parser] css3test.com 51% 1793/3474 822 features (All except CSS 2.2), 57% 2318/3999 944 features (All)

Nov 10, 2022
============
Test addition (247071@main): [ macOS wk1 Debug ] Two imported/w3c/web-platform-tests/xhr/ tests are a flaky failure (256512@main)
Make blob size computation lazy (r168435)
Move Blob.slice() implementation into BlobRegistryImpl (r168054)
Remove Blob.webkitSlice (r129082)
Simplify paint rect calculations in RenderReplaced::shouldPaint (256521@main)
Error() ICs should not cache special properties. (256519@main)
Function epxression, class expression and template literal should reset noLHSCount (256500@main)
Fix in operator inside for statement destructuring (256497@main)

Nov 09, 2022
============
Assertion in WebCore::calculateAdjustedInnerBorder() (256445@main partial)
Fix SyntaxError thrown when parameter in array pattern and function have same name (256478@main)
Property access of sparse array in LHS throws unexpected SyntaxError (256471@main)
Access of import in LHS throws unexpected SyntaxError (256470@main)

Nov 08, 2022
============
XML Parser: &AMP;, &LT;, and &nvlt; should work (256391@main)
Update XHTMLParser to recognize "-//W3C//DTD MathML 2.0//EN" public identifier (r206118)
Handle XHTML entities in XHTML Mobile Profile 1.1 and 1.2. We previously only handled them in XHTML Mobile Profile 1.0. (r145744)
WebKit should support decoding multi-byte entities in XML content (r140610)
Make sure scriptExecutionContext stays around when invoking listeners (256402@main)
Crash when displaying autofill buttons (256431@main)
stagent.dev: Clicking email field on sign up form does not allow input until you click a second time (255229@main)

Nov 07, 2022
============
[GTK][WPE] Elliptic radial gradients are not working (r280654)
[GLIB] fast/canvas/canvas-conic-gradient-angle.html is failing since added in r277547 (r277857)
[GTK][WPE] Timeouts on WPT css/css-images ref-tests after updating WPT import (r275200)
[WinCairo] Conic gradients support (r264273)
[Cairo] Do not use old-style GNU field initializers (r255911)
[GTK][WPE] Wrong visualization of Conic gradients in high resolution displays (r253817)
[GTK][WPE] Renderization of Conic gradients (r253685)
Correctly interpret from angle for conic gradients (r235877)
Correctly interpret from angle for conic gradients (r235868)
Add Support for Conic Gradients (r235772 + r235774)
  => [New Parser] css3test.com 51% 1793/3474 822 features (All except CSS 2.2), 57% 2318/3999 944 features (All)
Null check document element in createGradient (r272497)
[Cairo] Null-check cairo_pattern_t gradient objects (r236386)
Clean up gradient code in preparation for conic gradients (r225036)
[Cairo] Create Cairo patterns from Gradient objects on-the-fly (r222975)
[Conic Gradients] Add support for parsing conic gradients (r224165)
[Color] Make gradients work with ExtendedColors (r215809 + r218717)
Get rid of Gradient::getColor() (r150088)
Only update the resources when rendering SVG selected text (r271232)
Rebuild SVGResources when relevant style property changes even with StyleDifference::Equal (256335@main)
Set the correct style on the middle anonymous block in continuations (256321@main)

Nov 04, 2022
============
Use device pixel scaled backing store for <canvas> with image-rendering: pixelated. (256299@main)
Positioned element with percentage padding should recalc width when containing block changed (256315@main)
[content-visibility] Fix content-visibility-canvas.html (256316@main)

Nov 03, 2022
============
Assertion failure in RenderView::decrementRendersWithOutline (256297@main)
Support background images on ::first-line (253553@main)
WebKit should adopt journal_mode=wal for all SQLite databases. (r199309 partial)
Clear floats added dynamically to previous siblings (256238@main)
ASSERT(!m_beginTime) in SMILTimeContainer::begin fires on many sites (256253@main)
Typo error in RenderLayerCompositor::destroyRootLayer() for Horizontal Scrollbar (256247@main)
Strength reduction analyzes RegEx.exec incorrectly and generate a hole for the result array (256241@main)

Nov 01, 2022
============
Web process is put to suspended when holding locked WebSQL files (r242983)
Do not attempt to set WAL Journal mode on a readonly SQLite database (r242307)
SQLiteDatabase::open is constantly printing "SQLite database failed to checkpoint: database table is locked" errors (r238652)
IndexedDB: WAL file keeps growing (r237882)

Oct 31, 2022
============
Allow calc() with combined percentages and lengths for line-height (256095@main)
  => [New Parser] css3test.com 50% 1785/3474 822 features (All except CSS 2.2), 57% 2310/3999 944 features (All)
Elements with negative margins do not avoid floats when appropriate (256132@main)

Oct 28, 2022
============
[JSC] alignas for RegisterState should respect alignof(RegisterState) too (r234975 + 235740)
REGRESSION(r212778): It made 400 tests crash on AArch64 Linux (r213472)
JSC DFG Number.prototype.toString does not throw an exception when the parameter is Object (256086@main)

Oct 27, 2022
============
telerik.com: Placeholder text is misaligned in search text box (r258806)
REGRESSION (r238522): Erratic scrolling on Google flights search result page and vrbo.com (r239652)
Caret disappears at end of password field when caps lock indicator is shown; password field (r238522)
input and textarea elements should reveal selection in setSelection when focused (r227092)
Focus event dispatched in iframe causes parent document to scroll incorrectly (r202243 + r202263 rolled out + r202292)
REGRESSION (r181972): Scroll position changes to top of youtube page when switching tabs (r191451)
Null check containingShadowRoot in more places (256005@main)
ASSERTION FAILED: !s_isInvalidatingStyleWithRuleSets in com.apple.WebCore: WebCore::DocumentRuleSets::collectFeatures const (r248945)
This ensures that the viewport anchor layer will be updated when updating compositing layers upon style change (256025@main)
[JSC] Prefer array move in unshift (256033@main)

Oct 26, 2022
============
Placeholder text is not repainted after caps lock indicator is hidden (r238519)

Oct 25, 2022
============
When table cell have inline children which change writing-mode, the cell overflows its contents (255919@main)
Change ::computeLogicalHeight's computedValues out argument to the return value. (r209903)
SVG rendering ignores xml:space="preserve" attribute for text (255917@main)
[css-transforms] properly handle interpolation of non-invertible matrices (r289862)
Animation from "scale()" to "scale() translate()" does not yield the expected result (r289732)
Web animations- Composite operation accumulation support for transform properties (r289599)

Oct 24, 2022
============
[web-animations] commitStyles() fails to commit a relative line-height value (255912@main)
Omit "normal" values from font shorthand (255905@main)
HTML Parser: Update formatting element list bookmarks on element removal (255907@main)

Oct 23, 2022
============
[web-animations] setting iterationComposite should invalidate the effect  (255865@main)
[web-animations] updating timing should invalidate the effect (255863@main)

Oct 21, 2022
============
[LBSE] Assure <foreignObject> HTML descendants create a new formatting context (255626@main) (255793@main rolled out)
Make dropAnonymousBoxChild rely on moveAllChildrenToInternal (255822@main)
  [1] https://bugs.webkit.org/show_bug.cgi?id=230896 (r289814)
  [2] https://bugs.webkit.org/show_bug.cgi?id=242734 (252456@main)

Oct 20, 2022
============
Don't unnecessarily tear down top layer renderers in RenderTreeUpdater (255733@main)
  The element.isInTopLayer() check added by https://commits.webkit.org/246767@main is there is because
  entering top layer forces `display: contents` style to `display: block`. This check is now redundant
  with https://commits.webkit.org/255527@main, since it is fixing the same issue more globally.

Oct 17, 2022
============
JPEGImageDecoder: use libjpeg-turbo RGBA output path even for Adobe transform=0 JPEGs (r250029)
Treat 'rem' and 'rlh' as absolute units for font size (255594@main)
StringImpl::copyCharacters incorrectly uses memcpy on destination pointers that may be null (255600@main partial)

Oct 14, 2022
============
Accept image/jpg for compatibility reasons (255268@main)
Tear down child renderers when removing display: contents (255527@main)
CSP: Implement protections against nonce-hijacking (r286860)

Oct 12, 2022
============
Enable platform code to implement text track menu (r145322 partial)
HTMLMediaElement::resume() should schedule a load rather than load immediately (r139371)
Handle transform changes causing overflow updates (255406@main)

Oct 11, 2022
============
Replace CSSPropertyNames.in with a JSON file (r209001 partial)
KeyframeEffect::setAnimation should clear blending key frames for an old CSSAnimation (255308@main)
Clean up virtual methods on AnimationEffect (r286544)
[Web Animations] Move all effect-specific parts of WebAnimation::timeToNextTick() to effect classes (r269914)
Removing table border attribute should remove the visual border (255322@main)
When we do setAttribute("border", null) on a table we should create a border like every other browser (r140436)
Add margin when comptuing baseline position for tables. (255357@main)

Oct 07, 2022
============
[FreeType] Unable to render some Hebrew characters (r241402)
Improve additivity support when animating the transform property (r285631)
[Web Animations] Add support for composite operations for software animations (r285397, 243954@main)
Integer interpolation in animations should be rounded towards positive infinity, not away from zero. (r284725)
Improve interpolation of the shape-outside CSS property (r275015)
Simplify transform blending for simple cases (r270801)
[Web Animations] Calling reverse() on an accelerated animation has no effect (r261637)

Oct 06, 2022
============
Pass CompositeOperation to CSSPropertyAnimation::blendProperties and through more blending functions (r284600)
REGRESSION(254760@main): mobile version of apple.com/iphone-14 doesn't display (255216@main)
Refactor parameters to blending functions (r276141)
Fix interpolation of clip CSS property (r274391)
Fix interpolation of box-shadow and text-shadow CSS properties (r274272)
Correctly blend the flex-basis CSS property (r274198)
SVGLengthValue should use two enums for 'type' and 'mode' instead of one unsigned for 'units' (r249822 partial revisited)
WebContent crash when pasting into input fields at com.apple.WebCore: WebCore::ResourceRequestBase::url const + 9 (r211625)
Reduce TransformationMatrix copies in MatrixTransformOperation, Matrix3DTransformOperation (r184271)
[CSS Shaders] Implement transform parameter animations for CSS Custom Filters (r128380 partial revisited)
Fix interpolation of the rotate CSS property (r276231)
Implicit keyframe for a CSS Animation should always use the underlying style (r287827 partial revisited)
Interpolation for the "filter" property fails with a single keyframe (r287826)
[css-animations] implicit keyframes should be inserted after explicit keyframes with the same offset (290561) (247839@main)
[Web Animations] Animation engine should not wake up every tick for steps timing functions (r261926)
[Web Animations] [WK1] REGRESSION: opacity doesn't animate (r255504)

Oct 05, 2022
============
Redefining @keyframes does not work (r288882)
Animation from scale(0) has missing backing store (r288881)
m_lastStyleChangeEventStyle null ptr deref for accelerated CSS Animation with no duration and an implicit keyframe (r288423)
Inserting a new @keyframes rule does not start animations that already used this name (r287769)
[Web Animations] inserting a rule within a @keyframes rule should update animations (r287707 + r287741)
REGRESSION (r255383): Transition from email to password field on login.live.com stutters after going back and forth (r266972)
Remove CompositingChangeRepaint which was always CompositingChangeRepaintNow (r259000)
[Web Animations] Animations should run accelerated even if other animations targeting the same element are not accelerated (r255383)
Crash in KeyframeList.cpp:183 in WebCore::KeyframeList::fillImplicitKeyframes (r291281)
[web-animations] Animation.commitStyles() should use the non-animated style (r289453)
[css-grid] Layout excluded children before updateLogicalWidth (255163@main)

Oct 04, 2022
============
Percentage-based translations don't work with SVG <text> (254777@main)
Perspective should not be affected by transform-origin (r294615)
Extract transform-origin handling out of RenderStyle::applyTransform() (r291338)
Unify reference box / CTM computation in RenderLayer (r292575)
[LBSE] Begin stub implementation of transform support for SVG layers (r289606)
Change event should not be dispatched by clicking a scrollbar of select listbox (r152330)
Updating Text nodes children of an OPTION element should not reset selection of the owner SELECT element (255086@main)

Oct 03, 2022
============
css/css-transforms/animation/transform-interpolation-inline-value.html has failures (255038@main)
Blending between scaleZ() and scale() transforms should serialize as scale3d() (254794@main)
Blending between two rotateZ() transform values should serialize as rotate3d() (254782@main)
getComputedStyle() on transform property should return function list (254760@main)
transform: perspective(0) should not be considered an identity operation (r289903)
Transform interpolation should blend between shared transform function primitives (r289032)
perspective() <= 1px should be clamped to 1px (r286591)
Transition from perspective(500px) to 'none' is probably wrong (r286289)
implement transform: perspective(none) (r285255)
  => [New Parser] css3test.com 51% 1782/3435 819 features (All except CSS 2.2), 57% 2307/3960 941 features (All)
Recompute transforms on SVG containers if bounds have changed during layout (255060@main)
SUMMARY element: click() for invisible SUMMARY should toggle DETAILS element (https://commits.webkit.org/255073@main)

Sep 30, 2022
============
Do not consider min/max sizes when computing width as flex base size. (255002@main)

Sep 29, 2022
============
Use shortest possible serialization for grid-area/grid-row/grid-column. (254942@main)
  => [New Parser] css3test.com 51% 1781/3435 819 features (All except CSS 2.2), 57% 2306/3960 941 features (All)
Hide Strong Password label when text field is too narrow (r230874)

Sep 28, 2022
============
Fix calculation of direction for text form control elements with dir="auto" (254943@main)
Cleanup directionality code (253589@main)
Align the directionality of bdi and input elements with HTML5 spec (252779@main)
Add the runtime flag and basic implementation of :dir (252737@main)
Make unicode-bidi:isolate the default for an element with a dir attribute (instead of unicode-bidi:embed) (r262406)
Invalid dir attributes should resolve to ltr (r160719)
Bail out early if query evaluation causes document detachment (254906@main)
MediaQueryList.matches should update parent document layout for viewport-dependent media queries (253123@main)
getBoundingClientRect() returns wrong value for tr, td and its descendants for a vertical table (254918@main)

Sep 27, 2022
============
Remove SVGZoomEvent (254852@main)

Sep 26, 2022
============
SVG.currentScale should only set page zoom for standalone SVG (254787@main)

Sep 23, 2022
============
Unify 'transform-box' reference box computation (r292525 + r292526)

Sep 22, 2022
============
Unreviewed, reverting r254656@main. (254735@main)

Sep 21, 2022
============
document.open() should abort all loads when the document is navigating (254699@main)
Nullptr crash in Document::open after calling policyChecker().stopCheck() (r243738)
Document.open() cancels existing provisional load but not navigation policy check (r228922)
'select' controls doesn't render size=2 or size=3 properly (254698@main)

Sep 20, 2022
============
Make a few built-in methods throw if called as top-level functions (r267029)
Remove quirk: Floating list-items are display:block (254643@main)
Percentage-based translations don't work with SVG <text> (254656@main)
Make MessagePort's close() set [[Detached]] (254661@main)
Update MessagePort terminology to match HTML5 (r146110)

Sep 19, 2022
============
rel="noreferrer" should make window.opener null (r180110)
Fix flaky beforeload tests (r170135)

Sep 16, 2022
============
text-decoration-color animation should not be discrete (r270597)
Add support for discrete animations of many CSS properties (r269812)
align-self should be a discrete animatable property (r269624)
align-items should be a discrete animatable property (r269357)
HTMLSelectElement::listItems should use WeakPtr (254522@main)
DumpRenderTree crashed in com.apple.WebCore: WebCore::HTMLSelectElement::updateSelectedState (r202320)
Location.replace() is missing canNavigate() check (254518@main)
Setting window.location.href to an invalid URL should throw a TypeError (r281472)
window.location.replace with invalid urls should throw (r263647)
Prevent cross-site top-level navigations from third-party iframes (r239742)
PopState event should be fired synchronously, even before the load event (254519@main)
Revert to dispatching the popstate event synchronously (r192369 + r196807 rolled out)
popstate is fired at the wrong time on load (r190505)
Update transforms on SVG shapes/groups when root element size changed (254538@main)

Sep 15, 2022
============
Support <string> as unprefixed keyframe name (254444@main)
'animation-foo' declarations in @Keyframes should be parse error (254468@main)
Revert [253685@main] Incorrect behavior of "cursor: auto" over links (254480@main)
Forgiving selectors should not be reported as supported with CSS.supports("selector(...)") (254489@main)
html/browsers/browsing-the-web/history-traversal/persisted-user-state-restoration/scroll-restoration-fragment-scrolling-samedoc.html is failing in WebKit (254493@main)
WebKit ignores the nowrap on 'td nowrap="nowrap"', if an absolute width is specified (254505@main)
Don't force display:table-cell, display:inline-table/table and float:none on table cell elements when in quirks mode (254475@main)
Remove filterRes parameter from SVG filters (r236447 complete revisited)

Sep 14, 2022
============
CSS reference filter that references a tiled feTurbulence is blank (r235644)
SVG lighting filter lights are in the wrong coordinate system (r226363)
[ARM] Building FELightingNEON.cpp fails due to missing lightVector member (r226391)
REGRESSION (r225122): fePointLights don't work (r226317)
FELighting cleanup and optimization (r225122)
Some FELighting cleanup (r225088)
[SVG] Remove explicit LightSource dispatchers (r146503)
SVGFilterBuilder should drive the builtin sourceAlpha from the passed sourceGraphic (r183381)

Sep 13, 2022
============
ReferenceFilterOperation doesn't need to store the FilterEffect (r236413 complete revisited)
Subpixel rendering: Paint the filter effect result image on device pixel position. (r166926 complete revisited)
SVG reference filter chain with errors applies only some of the filters, producing incorrect output (r271785)
feComposite filter does not clip the paint rect to its effect rect when the operator is 'in' or 'atop' (r185392)
Safari v14.1 CSP Violation - Usage of "element.removeAttribute("style")" causes style-src CSP Violation. (254409@main)
Fix serialization of translate property to not strip 0% (254422@main)
css/css-transforms/translate-getComputedStyle.html fails (r282315)
  => [New Parser] css3test.com 51% 1781/3429 816 features (All except CSS 2.2), 57% 2306/3954 938 features (All)

Sep 12, 2022
============
Try to fix assertion failures seem on bots. (r156709 complete revisited)
filter: drop-shadow doesnot support viewport units (r156606 complete revisited)
Accelerated animations on ::backdrop shouldn't affect <dialog> (backdrop-animate-002.html fails) (r284313 complete revisited)
::backdrop pseudo element should react to associated element event listeners (r287878)
If the drop-shadow filter has no color, it should use the value of the color property (r287817)
Support animations on ::backdrop (r282133)
Implement ::backdrop pseudo element (r281229, 240666@main)
Crash inside ImageLoader::updateFromElement() (r225878 + r225951 rolled out)
Image `crossorigin` mutations should be considered "relevant mutations" (r263345 complete revisited + r263350)
Fix conditions in HTMLSourceElement and HTMLTrackElement's insertedInto and removedFrom (r223801)
Incorrect image srcset candidate chosen for <img> cloned from <template> (254361@main)
Image `crossorigin` mutations should be considered "relevant mutations" (r263345 + r263350)
Image `referrerpolicy` mutations should be considered "relevant mutations" (r263167)
Update transforms for table sections (254351@main)

Sep 09, 2022
============
REGRESSION (248115@main): list-style shorthand property doesn't work with `inside none` but with `none inside` (254282@main)
Parsing of list-style shorthand is incorrect (248115@main)
Add helper to add CSS property with implicit default (r285837)
link elements should be able to fire more than one load / error event (254290@main)

Sep 08, 2022
============
Inline String::substring() (254074@main)
Optimize SpaceSplitString creation in classAttributeChanged() & partAttributeChanged() (254139@main)
Resolve cases when border and padding are added twice to computed min and max sizes (254190@main)
Revert 252943@main for causing constant flickering on aa.com (254213@main)

Sep 07, 2022
============
REGRESSION (r269812): Amazon Prime: thumbnail fails to expand properly (r270589 complete revisited)
align-content should be a discrete animatable property (r269333)
Improve background-size interpolation (r274234)
Make input placeholder line-height declaration !important (r293976 | 250414@main)
HTMLElement.innerText setter should convert new lines to <br> (r280482 + r280502 rolled out + r280541)
Simplify some editing code (r266498 + r266556 rolled out + r266618)
Align the innerText setter with the HTML spec and Gecko (r210767)
Fix serialization of bgsound, keygen and track elements (r206246)
Line snapping fails when the content is taller than the page. (r270990)
getComputedStyle rounds lineHeight to nearest pixel (r270248)

Sep 06, 2022
============
getComputedStyle for line-height: normal should return the keyword instead of a length (r249686)
Tapping after CSS-based table casues an infinite loop in wordRangeFromPosition (r231717)
Eliminate the use of lastChild in TextIterator (r210131)
line-height: <number> gets visually applied twice when text autosizing is in effect (r219543)
Clean up line-height and minimumFontSize functions (r219539)
Minimum font size pref breaks SVG text very badly. (r182876 + r182955)
Outline corners do not align properly for multiline inlines. (r196334)
outline-offset does not work for inlines. (r195306)
REGRESSION (r176751): line-height ignored in <button> elements (r183366)
Regression(r222993) Code in addChildNodesToDeletionQueue() that checks that node has a refcount of 0 is now dead (254044@main complete revisited)
Divs with border-radius are not repainted correctly when bounds change (254041@main)
focusing of disabled fieldset element is not prevented (253993@main)
Class matching fails after moving an element from a quirks-mode document to a standards-mode document. (253975@main)

Aug 30, 2022
============
propertyRegistry() was not overridden for SVGFEFloodElement and SVGFEMergeElement (r244690)
Don't mutate children during RenderGrid::computeIntrinsicLogicalWidths unless we're about to re-layout. (r292079)
Fit-border-to-line may change the layout constraints between 2 paginated line layouts (r274421)
Fix GridTrackSize::operator== (r146117 complete revisited)
Relayout the slider track when a data list is set (r135416 complete revisited)
CSSComputedStyleDeclaration::getPropertyCSSValue() triggering unnecessary relayouts and style recalcs (r129844 complete revisited)
[Ruby] Remove incorrect implicit integral floor in RenderRubyText::adjustInlineDirectionLineBounds (r292270)
Crash under RenderLayer::scrollTo() with marquee (r226491)
RenderStyle::getRoundedInnerBorderFor should never produce a rect with negative width/height (r274440)
Floating-point math causes shrink-wrapped content to line wrap sometimes (r267923)
SIGILL @ WebCore::Shape::createRasterShape -- DOS ASAN (r261363)
REGRESSION (r263179): CSS checkbox no longer visible in iOS 14 (r269450)
quikr.com: unable to select item from dropdown (r263179)

Aug 29, 2022
============
REGRESSION (r230480): Cannot adjust photo position on LinkedIn's profile page (r232663)
REGRESSION (r219121): Airmail 3 prints header part only. (r220333)
FrameView should not set RenderView::logicalWidth directly for printing (r219121)
enclosingIntRect returns a rect with -1 width/height when the input FloatRect overflows integer. (r217521)
Subpixel layout: Rename FloatPoint/FloatRect device pixel snapping functions. (r173045)
[Cairo] Incorrect rendering for 135-deg skews (r237119)
[Cairo] Draw Cairo patterns with cairo_paint_with_alpha() (r229796)
[CAIRO] Painting an image mask with a matrix above Pixman's limit breaks internal states of Cairo (r216859 complete revisited)
[GTK] scroll with transparent background not repainted after scrollY >= 32768 (r211967 + r212346 rolled out + r212431)
REGRESSION(r210226): overflow:scroll scroll position not restored on back navigation (r210329)
Infinite recursion when viewport is set to the size of the content but the content overflows the viewport. (r209745)
ASSERTION FAILED: count >= 1 in WebCore::RenderMultiColumnSet::columnCount (r209487)
REGRESSION (Safari 10): Scrolling not working inside height 100% table (r209421 complete revisited)
<table> inside <div align="right"> with large content inside = no scrollbar (r205489)
Fix aspect-ratio-intrinsic-size-004.html (r282264)
REGRESSION (r158254): Rubber-banding at Bing image search causes the toolbar to move up and away (r165185 complete revisited)
  > b9b9c2fc3438a263d7e65a0c405259601e08c66f (4/10/2018 7:34:14 AM)
REGRESSION(r154614): Opening and closing a picture on Facebook resets scroll position (r158254)
REGRESSION (r154614): Setting the document scroll position isn't symmetric; can successfully set document.body.scrollTop, but can only read from document.documentElement.scrollTop (r156605)
document.body.scrollTop & document.documentElement.scrollTop differ cross-browser (r154614)
Reverting revisions 155139, 155141, 155142, and 155145 since they appear to have caused about 50 new test failures. (r155162)
RenderBox::hasRenderOverflow should return bool instead of RenderOverflow* (r152002)
Remove overflow dead code (r149867)
Incorrect scrollable height during simplified layout (r140171 complete revisited)
Optimize LayoutUnit::boundedMultiply (r138041)
[css-contain] Fix contain-size-replaced-002.html (r288057)
Crash in RenderBlock::addOverflowFromChildren (r275944)
Clipping along compositing borders in svg-edit (r193613)

Aug 27, 2022
============
Don't mutate a NinePieceImage to create a mask default image (r251156)
REGRESSION (r190883): Error calculating the tile size for an SVG with no intrinsic size but with large floating intrinsic ratio (r192161)
REGRESSION(r184895): border-image should always slice the SVG image to nine pieces when drawing it in the container element (r190883)
REGRESSION (r184895): Vertical border elements ([-webkit]-border-image set to 'repeat') that used to render perfectly are now rendering incorrectly. (r185438)
An SVG with no intrinsic size does not draw correct slices when used as a border-image for an HTML element. (r184895)
list-style-image with SVG image renders at incorrect size. (r182751)

Aug 26, 2022
============
Remove dependency on RenderStyle from FractionalLayoutBoxExtent and LayoutBox (r126437)
Disallow styles using container units from matched declarations cache (r295211 partial)
font-size with viewport units in calc() doesn't change when viewport resizes (r276187)
SVGMatrix should have the access right of its owner SVGTransform always (r258459)
Crash when animating an enum attribute for multiple instances of an SVG element (r253017)
SVG pair properties must be detached from their owner before it's deleted (r251957)
Release assert in ScriptController::canExecuteScripts via WebCore::SVGUseElement::insertedIntoAncestor (r233324)
Clean up QualifiedName-as-hash-key scenario. (r131993 complete revisited)
Add a mechanism to request a UA shadow tree update before style (r290574)
Browser does not fall back to SVG attribute value when CSS style value is invalid or not supported (r192788 complete revisited)
Null dereference loading Blink layout test svg/custom/use-href-attr-removal-crash.html (r190012 complete revisited)
CSSFontFaceSrcValue should use WeakPtr<SVGFontFaceElement> instead of SVGFontFaceElement* (253772@main)
SVGFontFaceElement should use WeakPtr<SVGFontElement> instead of a raw pointer (253770@main)

Aug 25, 2022
============
CSS clip-path is applied to the <svg> root element in the view-box coordinates (r264622)
Changes to clip-path and filter SVG elements referenced by CSS don't trigger repaints (r281967)
Replace raw pointers in SVGElementRareData and SVGDocumentExtensions with WeakHashMap and WeakPtr (r277078)
Different output during v.test(...) with custom valueOf func (253766@main)
Fix getTotalLength() and getPointAtLength() for optimized rect and ellipse renderers (r252563)
[SVG2] Fix SVGElement to conform with SVG2 (r251499)
Drop SVGElement.xmlbase attribute (r203438)
[SVG] fragment-only url 'url(#fragment)' should be resolved against the current document with regardless to HTML <base> element (r249416)
SVGPathSegList.insertItemBefore() should fail if the newItem belongs to an animating animPathSegList (r242515 complete revisited)
Disconnect the SVGPathSegList items from their SVGPathElement before rebuilding a new list (r229830 complete revisited)
Make shrink-wrapping test a ref-test instead of pixel-test (r187018 complete revisited)
Remove Document::idAttributeName(). (r165045)
Background-blend-mode doesn't work for an element with an SVG image as background and border-style or padding set. (r162341)
Background-blend-mode doesn't work for an element with an SVG image as background and border-style or padding set. (r162066 + r162080 rolled out)
Background-blend-mode doesn't work for an element with an SVG image as background and border-style or padding set. (r161964 + r161965 + r161981 rolled out)
Elements with rendering disabled due to dimensions should not contribute to parent bounding box (r171046)
Centering text inside a button set to display flex and justify-content: center is impossible (r213173)
[Mac] WebKit contains dead source code for OS X Mavericks and earlier (r194318 partial)
Add first-letter assert exception in RenderButton::setupInnerStyle(). (r183981)

Aug 25, 2022
============
Remove redundant text-align-last BuilderCustom functions (r295541)
Unprefix -webkit-text-align-last and add match-parent value support (r295021)
  => [New Parser] css3test.com 51% 1780/3429 816 features (All except CSS 2.2), 57% 2305/3954 938 features (All)
Add support for animating the vertical-align CSS property (r275160)

Aug 24, 2022
============
[selectors] Default namespace gets ignored inside non-type selectors for :is() and :not() (r270955)
CrashTracer: com.apple.WebKit.WebContent.Development at com.apple.WebCore: WTF::match_constness<WebCore::CSSValue, WebCore::CSSContentDistributionValue>::type&
  WTF::downcast<WebCore::CSSContentDistributionValue, WebCore::CSSValue> + 65 (r209659)
[css-align] Initial values are parsed as invalid for some Alignment properties (r205807 complete revisited)
Optimize matchesLangPseudoClass() of :lang() (r179532 + r179739)
[CSS Shapes] Simplify CSSBasicShapeInset::cssText (r163452)
CSS ellipse() doesn't accept single <shape-radius> (r250653 complete revisited)
[CSS Parser] Fix crash in -webkit-shape-outside parsing (r209137)
[CSS Shapes] Remove unused CSSBasicShape::m_referenceBox (r189139)
[CSS Shapes] serialization of the computed value should omit the default radii (r169406)
[CSS Shapes] inset args and radial args should serialize to the simplest form (r167132)
[CSS Shapes] Remove CSSBoxType member from BasicShape and CSSBasicShape (r166830)
[CSS Shapes] Correctly serialize ellipse positions (r165277)
[CSS Shapes] Serialize circle positions (r164998)
[CSS Shapes] inset() function with multiple spaces on element style (r162848)
The computed values of fix length padding should be subpixel precision like margin (r153067 complete revisited)
Use start instead of -webkit-auto in default and quirks mode stylesheets. (r130598)

Aug 24, 2022
============
Fix styling of th elements when explicitly specifiying text-align:inherit (r295625)
text-align: match-parent on root handles direction incorrectly (r295120)
Unprefix CSS value text-align: -webkit-match-parent (r286803)
text-align start / end failure in table cells (r215375)
  => [New Parser] css3test.com 51% 1779/3429 816 features (All except CSS 2.2), 57% 2304/3954 938 features (All)
[Table layout] Incorrect vertical position when the inline level box has 0px used height. (r282256)
[css-position-sticky] Sticky constraints are calculated incorrectly when scrolling container has padding and borders (r282138)
Change computeStickyPositionConstraints to use LayoutBoxExtent for margins (r143410)
Create a RenderLineBreak when BR element has unsupported content data style (r281444)
Make synthesizedBaselineFromContentBox return LayoutUnit (r275594)
[Subpixel layout] Bad scrolling on mercurynews.com article (r262127)
Computed style for "outline-offset" is wrong when "outline-style" is "none" (r259562)
[SVG2]: Implement support for the 'pathLength' attribute (r254657)
[css-grid] Fix grid container baseline alignment for orthogonal items (r243432)
Use WeakPtr in GridCell (r231245)
Padding added to table-cell element after font-size change. (r194867)
in safari,the background-color of input[type="search"] can't work (r157443 + r164145 rolled out)
Cell heights are disproportional when a row-spanning cell contains a block element that determines the height of the rows (r150023 + r150083 rolled out)
table's text aligned on top instead of center because of rowspan (r148944)
[CSS Filters] Filter outsets clipped on composited layers when filter is applied after first layout (r147502 + r147937 rolled out)
top and bottom black background line not getting displayed (r160410)
Floor cell widths in AutoTableLayout::recalcColumn (r146600 complete revisited)
REGRESSION(r145305) Performance: 1.3% mac-release-10.6-webkit-latest/intl2/times/t change after rev 145300 (r145822)
display:none file upload button crashes (r142054)
[Sub-pixel Layout] Block selection gap repainting can leave one pixel gaps (r126110)
translateZ(0) shifts file name in file input (r124960)
Image, Media, Model, and Plugin documents should use weak pointers instead of raw pointers (253703@main partial)
Deploy smart pointers in EventPath (253717@main)
CSSStyleSheet should use weak pointers instead of raw pointers (253693@main)
Incorrect behavior of "cursor: auto" over links (253685@main)
Enable :any-link by default (r182129)
TemplateContentDocumentFragment should use WeakPtr<Element> instead of Element* (253700@main)

Aug 23, 2022
============
play.google.com: App preview images are clipped (r271348)
Text form controls can scroll by 1px when value is the same length as size. No scrolling should happen. (r263073)
paypal.com: text at the bottom of the page is not aligned properly (r271284)
[LegacyLineLayout] Inline level box should not stick out at the bottom of its containing block (r273386 complete revisited)
[Legacy Line Layout] Multiple inline boxes may stretch the line (r271875)
[Legacy Line Layout] Remove unnecessary 'vertical-align: middle' integral rounding (r271110)
[Legacy Line Layout] Inline box's subpixel vertical top position should be enclosed (r270044)
clip-path: path() ignores page zooming (Command-+) (r268138)
Cache the Path instead of creating it every time it is required (r195970)
Refactor AtomicStringKeyedMRUCache to be a generic LRU cache (r195356)
:has(:lang(~)) doesn't get invalidated (253610@main + 253668@main rolled out)
Attr should use WeakPtr<Element> instead of a raw pointer (253666@main)
HTMLDetailsElement should use WeakPtrs instead of raw pointers. (253653@main)
StyledElement: Tweak signature of collectStyleForPresentationAttribute(). (r143843)

Aug 22, 2022
============
Nullptr crash in MediaQueryMatcher::evaluateAll (r261778)
REGRESSION (r260243): [ Mac WK1 ] fast/media/mq-inverted-colors-live-update-for-listener.html is a flaky failure (r261012)
MediaQueryList should extend EventTarget (r260243)
Media queries and platform screen modernization and streamlining (r201441 partial + r202658)
Do not consider title from non-css stylesheet for preferred set (253632@main)
Pseudo-elements not treated as ASCII case-insensitive (253631@main)
data-x-2="" not represented in dataset (253625@main)
Speed up DatasetDOMStringMap::item() when the element has multiple attributes (r163847)

Aug 20, 2022
============
Avoid copying ListHashSet inside RenderLayer::topLayerRenderLayers() (253614@main)
Adds "box-sizing: border-box" to table in UA stylesheet (253581@main)
PseudoElement should use WeakPtr<Element> instead of Element* (253571@main)
Assertion failure when using evaluated empty catch block (253605@main)

Aug 19, 2022
============
SVG2: Add length, item getter and item setter to all SVG lists (r249191)
[cairo][SVG] If clipPath has multiple elements, clip-path doesn't work with transform (r246391)
[cairo][SVG] Putting multiple path elements in clippath causes rendering artifacts (r246350 + r246354 rolled out)
[cairo][SVG] Putting multiple path elements in clippath causes rendering artifacts (r246309)
[CAIRO] Painting an image mask with a matrix above Pixman's limit breaks internal states of Cairo (r216859)
Don't modify fragment-only or empty image URLs (r286061)
REGRESSION (r275227): Check boxes on V-Safe site flicker when selected (r278376)
CSS properties backed by StyleImage should not interpolate when one of the values is "none" (r275227)

Aug 19, 2022
============
Use checked item method in StyleProperties::getLayeredShorthandValue (252509@main complete revisited)
Unprefix -webkit-mask (r286795)
Support interpolation of the background-repeat shorthand (r276553)
  => [New Parser] css3test.com 51% 1776/3409 804 features (All except CSS 2.2), 58% 2301/3934 926 features (All)

Aug 18, 2022
============
Fix CSS serialization issues affecting css-counter-styles tests (r279050 + r279311)
REGRESSION(r279050): Crash under CSSImageValue::createDeprecatedCSSOMWrapper with cursor images (r280599)
-webkit-image-set should support all the image functions WebKit supports, not just url() (r254861)
Add a temporarily prefixed property for mask-mode, aliased to -webkit-mask-source-type (r282058 + r282069 rolled out + r282143)
Make RenderLayer::hitTestLayer not assume its renderer is a RenderBox (r278969 complete revisited)
Place vertical scrollbars at (inline/block)-end edge in all writing modes. (r276182 partial)
paddingBoxRect() is wrong with RTL scrollbars on the left (r246389)
[WK2] [OS X] Create API for switching RTL scrollbar policy (r200116 partial)
Allow listbox content and scrollbar to intrude padding area. (r199553)
[OS X] [RTL Scrollbars] List boxes should obey RTL scrollbars (r198843)
composited scrolling interferes with the propagation of perspective (r261632)
The perspective matrix is affected by overflow:hidden on a box with borders (r261619)
Move perspective-setting code into its own function (r261592)
Crack in hero text on https://www.apple.com/mac-mini/ (r278443)
REGRESSION (r278377): incorrect hit-testing with clip-path() (r279544)
Hit-testing does not account for clip-path set on parent of <iframe> (r278377)
[css-masking] Unprefix -webkit-clip-path (r251776)
Hit-testing does not account for clip-path on <iframe> (r278343)
clip-path: <geometry-box> mapping incorrect (r250778)
REGRESSION (Safari 11): Buttons inside a fieldset legend cannot be clicked on in Safari 11 (r227346)
REGRESSION (r145870): Can't get insertion point to appear in some input and textareas on wordpress (r147635)
Clickable area is incorrect for elements with border-radius (r145870)
feMorphology filter in CSS doesn't update when element moves (r236416)
REGRESSION: Media control glyphs appear to invert colors when video is dragged (r218396)
Make sure the "inwindow" flag propagates to TiledBackings for masks and reflections (r212153)

Aug 17, 2022
============
Layout table captions in simplified layout (r295204 complete revisited)
Table caption jumps to the bottom of the table after simplified table relayout (r275931)
[Tables] Simplified layout skips captions. (r208281)
MaskImageOperation code does not manage CachedImageClients correctly (r184779 complete revisited)
[EFL] Fix crash introduced in r178029 (r178176)
Subpixel rendering: (RenderLayer)Pass non-css-pixel-snapped dirty rects to PaintInfo when painting renderer(). (r164411)
clip-path swaps bottom radii for the inset shape (r163044 complete revisited)
[CSS Shapes] rectangle and inset-rectangle do not properly handle rx and ry (r151517 complete revisited)
Regression: Crash when selecting Hebrew and numbers in a list (r147087 complete revisited)
Change RenderTableCell to use pixelSnappedSize when painting (r146072 complete revisited)
Caret is not displayed when trying to focus inside a contenteditable element containing an empty block. (r143313)
SVG should not paint selection within a mask (r207692)
svg/custom/hidpi-masking-clipping.svg fails with accelerated drawing on (r190079)
updateMaskedAncestorShouldIsolateBlending() should check the Nullability of the computedStyle() of the element's ancestors (r224269)
REGRESSION (r188647): Teamtreehouse website sidebar buttons are not rendered (r198075)
[CSS Blending] Add -webkit-blend-mode support for SVG. (r164294)
SVG clipping, masking, and gradients-on-text do not respect the device scale factor (r154856)
Incorrect large-area clipping (r126993 complete revisited)
HTML parser should ignore head start tags in "in head noscript" state (253489@main)
HTML foster-parenting algorithm no longer requires foster parents to be elements (253504@main)
Implement HTML spec change to Adoption Agency Algorithm to not reverse the order of nodes in the document,
  by removing nodes that we're not recreating from the stack of open elements (253505@main)

Aug 16, 2022
============
Charset of blobs are incorrectly ignored (253458@main)

Aug 15, 2022
============
[Legacy line layout] Do not integral snap non-baseline aligned content (253407@main)

Aug 14, 2022
============
Clean up some transformOrigin and perspectiveOrigin code (r261585 complete revisited)
[CSS Shapes] Properly handle negative reference box widths and center coordinates (r182560)
[CSS Masking][CSS Shapes] Large corner radii use with inset() clip-path are not properly constrained (r178015)

Aug 13, 2022
============
Use align-content when calculating the static position of absolutely-positioned flexbox children. (253389@main)

Aug 12, 2022
============
iframe srcdoc with quirky doctype should be no-quirks mode (253326@main)
Remove dependency on Document from HTMLConstructionSite::inQuirksMode() (r139141)
HTMLTreeBuilder shouldn't keep a Document pointer (r139042)
HTMLTreeBuilder should not depend on Frame (r139020)
Introduce HTMLParserOptions to encapsulate HTML parser options (r139008)
[Templates]: Fix assert in colgroup parse handling (r138546 complete revisited)

Aug 11, 2022
============
Add the initial matching implementation for attribute selectors with case-insensitive value (r180123)
Fix window-inactive css selectors when using querySelector. (r171378)
When applying style, attribute value matching should be case sensitive for SVG (r164203)
REGRESSION (r280017): Calling getBoundingClientRect() on an empty element with "break-before: column" in columns returns a rect with all zeros (r282063)
getBoundingClientRect() returns the incorrect rectangle on elements whose parent element is set -webkit-column-count (r280017)
Use logical top/bottom/height when computing available height for out of flow block. (253312@main)

Aug 10, 2022
============
composited canvas element should update the layer configuration after creating a WebGL context (253231@main)

Aug 09, 2022
============
[CSS Regions] Harden the layout in case there are no regions (r167541 complete revisited)
[CSS Regions] Enable accelerated compositing for fixed elements in named flows (r162117 complete revisited)
[CSS Regions] Selection dragged from a region paints its background (r151571 complete revisited)
[CSS Regions] -webkit-background-clip: text; does not clip the background in regions (r151555 complete revisited)
[CSSRegions] Constrain auto-height region computation in a different way (r150427 complete revisited)
[CSSRegions] Improve hit testing for empty regions (r150078 complete revisited)
[CSS Regions] Selecting text inside an empty region causes selection outside the region area (r145884 complete revisited)
[CSSRegions]Refactor RenderFlowThread::contentLogical(Width/Height/Left)OfFirstRegion (r129733 complete revisited)
Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count (r184394 complete revisited)
REGRESSION: [CSS Regions] Regions with overflow:auto generate scrollbars even if the content flows into the following regions and as such, should not be scrolled (r169586 complete revisited)
Remove unused RenderFragmentedFlow::createFragmentedFlowStyle. (r227673)
Remove some more code from RenderFlowThread (r222350)
[CSSRegions] Make RenderFlowThread::regionAtBlockOffset const (r174562)
[CSS Regions] Simplify the RenderFlowThread state pusher (r166631)
Enhance showLayerTree() to show fragments (r215964 + r215978)
Some minor optimizations in RenderLayer (r134162)
Subpixel rendering: Push named flows in region to device pixel when painting. (r168972 complete revisited)
[CSS Regions] Elements with overflow:auto are not painted inside regions when following a float (r168288 complete revisited)
[CSS Regions] Implement visual overflow computation for inline elements (r161626)
Make containerForElement logic more explicit (r283615)
RenderObject::*positioned() naming cleanup (r224404)
Optimize topLeftLocationOffset() addition in updateLayerPosition (r183885)
Avoid containingBlock() calls when no writing mode flipping is needed. (r183636)

Aug 08, 2022
============
Every RenderLayer should not have to remove itself from the scrollableArea set (r196666)
Rename isRootLayer to isRenderViewLayer (r221958)
Rubber-banding overflow-scrolling-touch shows black (r224265)
Overflow scrolling layers need to be self-painting (r238725 complete revisited)
Make a helper function to check for reflection layers (r237122)
Animation and other code is too aggressive about invalidating layer composition (r239965)
REGRESSION (r245170): gmail.com inbox table header flickers (r245490 complete revisited)
Optimize computation of AbsoluteClipRects clip rects (r249120)
Don't call clipCrossesPaintingBoundary() when not necessary (r249044 complete revisited)
Minor optimization in determineNonLayerDescendantsPaintedContent() (r249352)
SVG filter triggers unstable layout. (r258278)
Use an Optional<> for LayerFragment::boundingBox (r262133)
REGRESSION (r275641): [ iPad Debug ] accessibility/ios-simulator/scroll-in-overflow-div.html is asserting (r284655)
Remove RepaintLayoutRectsMap (r275641)
REGRESSION(r274025-r273811): Crash under RenderLayerBacking::updateGeometry() (r274137 partial revisited)
@supports should not work if "not", "or", or "and" isn't follow by a space (253194@main)
Implement @supports selector(). (r266253)

Aug 07, 2022
============
Fix a parenting issue in the Adoption Agency Algorithm (253155@main)
Fix abs-pos breadth issue when using 'auto' (r290032)
[css-multicol] OOM with 1px height columns (r271644 + r276458 rolled out)
Multi-column state propagation should follow containing block rules (r274217)
[css-grid][css-flex] <table> grid item should fill the grid area for 'stretch'/'normal' self alignment (r272308)
[css-grid] Fix referencing grid line names with auto repeat() (r262262 complete revisited)
Crash in RenderBox::overrideContainingBlockContentHeight() (r269728)
[css-grid] Fix percentages in relative offsets for grid items (r239502)
Optimize relativePositionOffset() to avoid doing unnecessary work (r183879)
[css-grid] Fix line name positions after implicit tracks (r264465)
[css-grid] Preserve auto repeat() in getComputedStyle() for non-grids (r250715)
[AutoTableLayout] REGRESSION(r263855) Paypal email is rendered right aligned on Safari (r265499)
Overlapping content on earny.co (r263855)

Aug 06, 2022
============
[css-grid] Fix referencing grid line names with auto repeat() (r262262)
[css-grid] [css-flex] Width of table as grid/flex item is infinite when the sum of columns' width exceed 100% (r261996)
[MultiColumn] Infinite loop in RenderBlockFlow::pushToNextPageWithMinimumLogicalHeight (r259455)
Division by zero in RenderBlockFlow::computeColumnCountAndWidth (r259210)
[MultiColumn] Infinite recursion in RenderBlockFlow::relayoutToAvoidWidows (r258967)
[Multicolumn] RenderListItem::positionListMarker should not fail when the list marker is inside a spanner. (r258680)
[css-grid] Exclude implicit grid tracks from the resolved value (r254561 + r260249 rolled out)
Use RenderBox::previousSiblingBox/nextSiblingBox in RenderMultiColumnFlow (r242919)
[css-grid] align-self center and position sticky don't work together (r238551)
Infinite recursion crash in WebCore::RenderBlockFlow::layoutBlock (r204980 complete revisited)
[css-grid] Add support for calc() in gutter properties (r234131)
Multicol: RenderMultiColumnFlow should not inherit the flow state (r227087)
RenderMultiColumnFlow populate/evacuate should not disable layout state. (r222881 complete revisited)
RenderMultiColumnFlow::m_beingEvacuated is redundant. (r222874)
Remove RenderTreeInternalMutationScope (r222857 complete revisited)
Forced page break on :after triggers infinite loop in column balancing (r215805)
CSS Multicolumn should not clip columns horizontally (r213593)
Column progression wrong after enabling pagination on RTL document (r211564)
Region based columns not clipped properly (r153722)
Remove redundant LayoutUnit conversions. (r209277)
[MultiCol] Render tree should be all clean by the end of FrameView::layout(). (r208731 complete revisited)
[css-grid] mimax(auto, <flex>) should be serialized as <flex> (r208277)
Ignore out-of-flow siblings when searching for a spanner candidate. (r207930 complete revisited)
Stop searching for first-letter containers at multi-column boundary. (r207631)
[css-grid] Too many gaps with trailing collapsing tracks (r205954)
ASSERTION FAILED: !paintInfo.overlapTestRequests->contains(this) in WebCore::RenderWidget::paintContents (r205510)
Scrolling broken in iTunes connect pages (r201218 complete revisited)
[css-grid] Consider container's writing mode to get grid item's margin (r279278)
[css-grid] last-baseline shouldn't affect baseline alignment (r276356)
[css-grid] Do not allow negative heights (r273470 + r273492 rolled out + r274933)
[css-grid] Let abspos items reference implicit grid lines (r239831)
[css-grid] Relayout grid items when definiteness changes. (r271745)
Mark only child for layout (r271521)
[css-grid] Consider scrollbars in populateGridPositionsForDirection() (r238220 + r238242 rolled out + r238395)
[css-grid] Refactor information stored related to column positions (r200427 complete revisited)

Aug 05, 2022
============
[css-grid] Use grid-template-areas to determine the explicit grid (r199661 complete revisited)
WebCore::RenderTableCell::setCol should put a cap on the column value. (r198506)
[css-grid] Changes in grid or elements inside the grid affects margin on other elements in the grid (r258735)
[css-grid] margin-left:auto and margin-top:auto discards the margin on opposite side (r193000)
[CSS Grid Layout] min-content row does not always shrink (r191879 complete revisited)
[css-grid] Percentage columns should remove scrollbar's width (r189702 complete revisited)
[css-grid] Percentage columns shouldn't include border and padding (r189550 complete revisited)
Fix for unsplittable content being paginated by columns. (r180364)
ASSERTION: RenderMultiColumnFlowThread::processPossibleSpannerDescendant() when column spanner's parent is not a RenderBlockFlow. (r176750 complete revisited)
Multicolumn layout with negative line spacing and orphans causes pieces of letters to be shown at the bottom of columns (r176285)
REGRESSION: Search highlight is broken in RTL multicolumn content (r171882)
[CSS Multicolumn] Clear the lines when switching to multi-column layout (r171849 complete revisited)
[New Multicolumn] RenderViews paginated as RL or LR don't handle percentage widths correctly. (r171609)
[New Multicolumn] Assertion failure when an input element has multicolumn style (r171511)
[New Multicolumn] Region offset not factored in when mapping to local coords (r168024)
[New Multicolumn] fast/multicol/overflow-content.html displays red (r167707)
[CSSRegions] Wrong auto-height region computation for nested named flows (r153781)
[New Multicolumn] widows/orphans cause assertion failures. (r167678)
REGRESSION (r287524): hihello.me does not show sliding sheet at the bottom of the page (r290201)
[Web Animations] getKeyframes() for a CSS Animation should not use computed style for keyframes (part 2) (r287835)
Implicit keyframe for a CSS Animation should always use the underlying style (r287827)
[Web Animations] getKeyframes() for a CSS Animation should not use computed style for keyframes (r287820)
When transform-style: preserve-3d is used with a grouping property it should still create a containing block (r287742)
A mask or isolation should set transform-style to flat (r285482)
Walk up stacking contexts in RenderLayerBacking::compositingOpacity (r281364)
Ensure ancestors with opacity don't affect top layer elements (r281299)
Release assert in ContainerNode::takeAllChildrenFrom via executeTakeAllChildrenAndReparentTask (253119@main)
Remove HTMLElement::createElementRenderer (253103@main)
Scrollbars/indicators are sometimes incorrectly drawn when async overflow scrolling is enabled (r278129)
Stop special-casing wbr elements in HTMLElement::createElementRenderer() (r175720)

Aug 04, 2022
============
Twitter Photo gallery incorrectly rendered after opening another modal (r268898)
Rendering artifacts when scrolling overlays (r262177)
border-radius fails to clip iframe contents (r260950)
REGRESSION (r256095): Adding a border-radius, border, or box-shadow breaks animations from scale(0) (r278610)
WebContent jetsams on Sony lens webpage due to spike of IOSurfaces (r256214)
There's an event loop cycle between an animation finishing, and it being removed from GraphicsLayerCA (r256181)
Extent of a composited animation should not include the untransformed position (r256095)
REGRESSION (r251385): box-shadow interferes with backdrop-filter (r258985)
Setting border-radius on <video> element clips top and left sections of video (r251385)
Trigger a compositing update when video element is changing (r247187)
Overflow scrollIntoView wrong with borders (r269070)
Cleanup code that computes iframe content offsets in FrameView (r225512)
Bottom/right sticky positioning don't correctly handle scroll containers with padding (r164324)
Remove redundant painting phase arguments from GraphicsLayerClient functions (r249455)
Move code that sets compositing paint phases into a single function (r245977)
Use an OptionSet<> for GraphicsLayerPaintingPhase (r245950)
Translucent gradient rendering bug due to will-change transform (r245207)
On RenderBox, make client sizing be derived from padding box sizing (r240218)

Aug 03, 2022
============
Elements animated on-screen are missing sometimes (r225983)
Async frame scrolling: handle fixed root backgrounds in frames (r225092)
Clarify some terminology in RenderLayerBacking (r213429)
Clean up some RenderLayerBacking code (r213405)
child-transform-with-anchor-point-expected.html renders incorrectly (r204337)
REGRESSION (r260808): Backdrops on music.apple.com are offset (r260858)
Do correct clipping of composited replaced elements with border-radius (r260808)
Incorrect clippping with overflow:scroll inside oveflow:hidden with border-radius (r246845)
Memory is written to after deallocated, in GraphicsLayer::setMaskLayer. (r179495)
REGRESSION(r178029): [GTK][EFL] Caused no-backing-for-clip-overlap test failures (r178308)
Subpixel rendering: Directly composited image layers need pixelsnapping. (r198309)
Add a more correct way to compare floating point numbers and use it (r175796)
Implement round-rect clipping on video elements (r175794)
[aspect-ratio] Use correct box-sizing when calculating block size (253064@main)
nullptr crash in XMLDocumentParser::doEnd() (253025@main)
Fix aspect-ratio/flex-aspect-ratio-031.html (252949@main)

Aug 02, 2022
============
Should never be reached failure in WebCore::backgroundRectForBox (r191680)
Tiny cleanup in RenderLayer::enclosingCompositingLayerForRepaint() (r189083)
Fix repaint issue on "paints into ancestor" filtered layers (r155131)
Video posters disappear once media has loaded (r186968)
Some assertion failures in compositing code after r183820 (r184992)
REGRESSION (r183820): webkit.org/blog/ background painting issue on reload, when the page contains videos (r184932)
Images on www.fitstylelife.com jiggle on hover. (r184373 complete revisited)
Unreviewed. Some assertion failures in compositing code after r183820. (r183843)
Fix Border-radius clipping issue on a composited descendants (r179147)
[iOS WK2] Layers with negative z position disapear behind the page tiles (r175818)
[CSS Regions] Fix positioning composited layers when the region has overflow:hidden (r162605 complete revisited)
Fix compositing layers in columns (r154785 complete revisited)
Content disappears when scrolling http://www.childrenscancer.org/zach/ (r150213)
Constrain fixed layers to the viewport, not the document (r143073)
Make some RenderLayer tree traversal in RenderLayerBacking more generic (r213435)
Rename descendentxxx to descendantxxxx in RenderLayerBacking (r179244)
REGRESSION (r128787): Fixed position div causes other elements to not update correctly (r131479)
Images/replaced elements that are as tall as a page should be on their own page (r176354)
YouTube embedding iframes in WebView sometimes go blank when the video starts playing (r247246)
REGRESSION (r260276): Unable to click on image and text link at the bottom of https://www.nytimes.com/ article (r268947 + r268997 rolled out + r269000)
Deeply nested phrasing content is parsed incorrectly (252979@main)
CSS.supports returns false for custom properties (252987@main)
[LFC][Integration] Wire line counting functions in RenderBlockFlow (r253205)
compat/webkit-box-clamp-visibility-change.html WPT test is failing in WebKit (252997@main)
RenderDeprecatedFlexibleBox::applyLineClamp should use size_t (r292948)
[Line clamp] Move line clamp only code from RenderBlockFlow to RenderDeprecatedFlexibleBox (r292691)
Line clamp specific line-count code should be in RenderDeprecatedFlexibleBox (r292689)

Jul 31, 2022
============
Safari pages are blank sometimes (missing tiles) (r211750)
Clean up how GraphicsLayer's "inWindow" state is set, and fix some issues with Page Overlays (r211683)
Correctly maintain the "isInWindow" state for all TiledBackings (r169096)
Text is clipped when rendered with fonts which have a negative line gap metric (r261573)
[FTW] Adopt DirectWrite in place of Uniscribe (r251900 partial)
REGRESSION (r262237) Safari 14.x shows graphics artifacts when scrolling, using drop-down menus or just moving the mouse (r279636 partial)
Incorrect clipping of absolute and fixed elements inside stacking-context composited overflow:hidden (r262237)

Jul 30, 2022
============
Hide RenderLayer z-order and normal flow lists behind iterators (r237058)
link elements should be able to fire more than one load / error event (252943@main)

Jul 29, 2022
============
HTML widget displays blank when playing on page (r233442 complete revisited)
Non-composited negative z-order children should not trigger creation of a foreground layer (r246017)
REGRESSION (r238357): Pins on Yelp map disappear (r239146)
Avoid triggering compositing updates when only the root layer is composited (r238357 + r238523 rolled out + r238583)
Fix an error in 238354 - !=, not ==. (r238355)
Clarify RenderLayerCompositor::hasAnyAdditionalCompositedLayers() and related code. (r238354)
Rename RenderLayerCompositor::inCompositingMode() to usesCompositing() (r238352)
REGRESSION(r209865): Crash when navigating back to some pages with compositing layers. (r210142)
Always clear RenderLayer backing stores when going into page cache. (r209865)

Jul 27, 2022
============
Bubbles appear split for a brief moment in Messages (r203409)
Make LayoutUnit::operator bool() explicit. (r201124)
Pixel turds when bordered div is resized on SMF forum software. (r198771)
Page::renderTreeSize() does not include anonymous renderers. (r188821)
Element jumps to wrong position after perspective change on ancestor (r252935)
[Web Animations] Layout of children of element with forwards-filling opacity animation may be incorrect after removal (r252879)

Jul 26, 2022
============
RenderLayer::updateLayerPositions() doesn't propagate the ancestor flags correctly (r249088)
RenderLayerModelObject should not call private RenderLayer functions (r249080)
[iOS] Dark flash when opening Google AMP pages (r242248)
[CSSRegions] Computed z-Index should return 0 instead of auto for a region (r157121 complete revisited)
Make RenderLayer::updateLayerPosition() private (r136280)
REGRESSION (r249434): flashy menus on wellsfargo.com (r252439)
Content can disappear with a combination of <video> with controls and clipping (r252070 partial)
Make "clips compositing descendants" an indirect compositing reason (r249434)
REGRESSION (r246869): ASSERTION FAILED: !renderer().hasRepaintLayoutRects() || renderer().repaintLayoutRects().m_repaintRect == renderer().clippedOverflowRectForRepaint(renderer().containerForRepaint()) (r246899)
[Async overflow scrolling] Fix missing or misplaced content inside overflow:scroll (r246869 partial)
Remove unused RenderLayerCompositor member variable (r281283)
Media controls are missing content in fullscreen when document has scroll offset. (r219645)
REGRESSION (r196892): Crash in DocumentLoader::startLoadingMainResource() (r196965)
3D-transformed video does not display on platforms without accelerated video rendering (r185402)
Dont apply aspect-ratio if grid item percentage width is resolvable (252819@main)
Fix aspect-ratio/fieldset-element-001.html (252817@main)
Fix grid aspect-ratio tests (r280075)
[CSS-grid] Ignore the aspect-ratio of a replaced element if stretch alignments are applied to both axes (r280022)
[AspectRatio] Out-of-flow box with intrinsic width (e.g. <img>) may trigger infinite recursion (r275430)
Cleanup shouldComputeLogicalWidthFromAspectRatio and shouldComputeLogicalWidthFromAspectRatioAndInsets (r275357)
Support aspect-ratio on grid items (r272307)

Jul 25, 2022
============
SVGImageForContainer reports true for is<SVGImage>() but it doesn't inherit from SVGImage (r279793)
<img>.naturalWidth should return the density-corrected intrinsic width (r254229)
Drawing an SVG image into a <canvas> that is not in the DOM draws the wrong region (r202712)
An SVG inherits the container size of the previously drawn HTMLImageElement when drawing it on a canvas (r190274)
drawImage: clip source image when source rectangle outside of source image. (252731@main)
Context2D drawImage(img, x, y, w, h) should not throw IndexSizeError when width == 0 or height == 0 (r291748)
ctx.drawImage should clip source rect if it is outside the source image (r204517)
Table border radius is not applied when the border color is transparent or semitransparent (252741@main)
Verify DOM and Render text lengths are in sync in RenderTextLineBoxes::dirtyRange() (252736@main)
REGRESSION (251189@main): Photos in Facebook partially render on iOS (252767@main)

Jul 22, 2022
============
Change determineNonLayerDescendantsPaintedContent to max out based on renderers traversed (r213600)
Avoid backing store for layers with empty text nodes in a few more cases (r213440)
ASSERTION FAILED: willBeComposited == needsToBeComposited(layer) in WebCore::RenderLayerCompositor::computeCompositingRequirements (r205999 complete revisited)
MaskImageOperation code does not manage CachedImageClients correctly (r184749 complete revisited)
RenderLayerCompositor: Strange comparison of opacity (float) to boolean. (r178565)
Avoid backing store for opacity:0 descendant layers (r175656 + r175679)
Border drawing incorrect when using both border-collapse: collapse and overflow: hidden on a table (r153089)
containing blocks with non visible overflow wrongly clip fixed positioned descendants (252721@main)
Transformed element with overflow:hidden fails to clip absolutely positioned descendants (252387@main complete revisited)
REGRESSION (Safari 7.1/8.0): Border-radius and overflow hidden renders incorrectly. (r174716 complete revisited)
Set cliprect radius unconditionally in RenderLayer. (r170532)

Jul 21, 2022
============
Crash in WebCore::RenderElement::containingBlockForObjectInFlow (r197716 complete revisited)
Cannot interact with video controls in ePubs (r171074)
REGRESSION (r249091): Can't click on a video in the second column of a paginated web view (r261774)
Have RenderLayer::calculateClipRects() use offsetFromAncestor() when possible (r249091)
Elements with overflow and border-radius don't show in multicolumn properly. (r195453)
Remove redundant offsetFromAncestor() call from RenderLayer::localClipRect(). (r170528)
Remove redundant RenderLayer::computeOffsetFromRoot() function. (r170200)
background-clip:var(--a) invalidates -webkit-background-clip:text when --a:text (r268158)
REGRESSION (async oveflow): scrubber missing from inline video inside overflow scroll (r262174)
fast/hidpi/video-controls-in-hidpi.html sometimes asserts in WK1 (r245147 complete revisited)
Introduce the concept of "opportunistic" stacking contexts (r244509 complete revisited)
Do GrpahicsContext and EventRegion clipping-related save/restore via RAII objects (r284684 partial)
Make clipToRect() and restoreClip() have similar signatures (r200284)
Garbage in page tiles when document is too long. (r193511)
Avoid applying the clip-path when painting, if a layer also has a shape layer mask (r180948)
RenderLayer WIP (Merge relative and absolute offsets in RenderLayer r287385)
[Performance] Optimize RenderLayer::clipCrossesPaintingBoundary (r283354 + r286982 rolled out)
Cleanup RenderLayer::currentTransform() (r291105)
element.scrollIntoView() sometimes doesn't scroll (r288358)
Move the code that computes layer content visibility into its own function (r288000)
Remove some unused RenderLayer code (r236611)
Remove the old "AcceleratedCompositingForOverflowScroll" code (r236424)

Jul 20, 2022
============
[CSS3 Backgrounds and Borders] The border image area should be empty if border-style is none and border-image-width is not set (r281724)
Video elements are painted twice, in PaintPhaseForeground and PaintPhaseSelfOutline (r201752)
SVG outline property is broken and inefficient (r168645)
RenderImageResource::hasImage is redundant and RenderImageResourceStyleImage's override is incorrect. (r216728)
[SVG] Subpixel rendering: Mask with transformed text does not render. (r169689 complete revisited)
Crash in WebCore::TextResourceDecoder::checkForCSSCharset (r169318)
CSS @charset parsing is too loose, doesn't match other browsers (r134518)

Jul 19, 2022
============
Clarify RenderElement::adjustStyleDifference() (r181069)
getComputedStyle(img).height returns string of a rounded int not a float (252583@main)
[Legacy Line Layout] Do not integral round the root inlinebox's top position (r282306)
[Legacy line layout] Inline content on subpixel position makes the table cell scroll (r279673)
Remove integral snapping functions from InlineBox class. (r189931)
Subpixel-layout: width: max-content; property might cause unnecessary scrollbar. (r180815)

Jul 18, 2022
============
REGRESSION (r271584): Hovering slowly over and out of "Top 100" items on liberation.fr does not restore animated state (r271930 rolled out)
Optimize :hover/:active style invalidation for deep trees and descendant selectors (r271584 rolled out)
  > Toggle button display issue on AXIS M4206-V Network Camera /#settings/system/network/ip.
SVGDocument getElementById returns null when svg element is disconnected from documents (252478@main)
Transformed element with overflow:hidden fails to clip absolutely positioned descendants (252387@main partial)
REGRESSION (r238524): SVG textPath cannot be rendered when <text> element is referred by <use> element (252547@main)
Use checked item method in StyleProperties::getLayeredShorthandValue (252509@main partial)

Jul 17, 2022
============
Unable to enter text in https://eat.fi (r249194)
More is<> and downcast<>, less static_cast<> (r224740 partial HTMLLabelElement::defaultEventHandler)
Input element that becomes visible during a simulated click event from an associated label element doesn't get focused (r152705)

Jul 16, 2022
============
JSErrorHandler should not set window.event if invocation target is in shadow tree (r286871)
Event targets should be cleared after dispatch if target pointed to a shadow tree (r269546)
window.event should not be affected by nodes moving post-dispatch (r269500)
window.event may get set on wrong global when dispatching an event (r269414)
Missing exception check while handling the onbeforeunload event. (r266383)
The return value of an OnBeforeUnloadEventHandler should always be coerced into a DOMString (r236633)
Improve window.event compliance: Should not be set when target is in shadow tree (r233489)
onbeforeunload event return value coercion is not per-spec (r212625)

Jul 15, 2022
============
Update composedPath to match the latest spec (r236103)
Capturing event listeners are called during bubbling phase for shadow hosts (r236002)
Replace isUnclosedNode by isClosedShadowHidden (r209661)
SVGStyleElement.sheet is undefined (252491@main)
izurvive.com map does not stretch all the way to the bottom of the viewport (252470@main)

Jul 14, 2022
============
Do not clear fragmented state when removing inline renderer's anonymous wrapper (252456@main)
Don't allow Flush/PhantomLocal to be the head variable in a block in (252192@main)

Jun 30, 2022
============
Make scrolling to the focused element async (r227664 rolled out, some contents do not scroll down)
REGRESSION (r295094): Rivians reservation page is blank  (251933@main)
Revert [251706@main] getComputedStyle(img).height returns string of a rounded int not a float (251955@main)

Jun 24, 2022
============
Regression(r191815): 5.3% regression on Dromaeo JS Library Benchmark (r192321 complete revisited)

Jun 23, 2022
============
Adding padding on a horizontal scroller prevents last item from being fully viewable (r295765)
Remove redundant logical right computation for grid items in RenderBlock::computeOverflow (r295633)
Grid may be empty in certain scenarios (r289437)
Incorrect scrollable height during simplified layout (r140576)
RenderElement::addLayers should check for dialog content before inserting layers (r295767)

Jun 22, 2022
============
Eliminate one repaint from SVGResourcesCache::clientLayoutChanged (r295722)
RenderBox::hasHorizontalLayoutOverflow/hasVerticalLayoutOverflow use incorrect coordinate space (r295715)
getComputedStyle(img).height returns string of a rounded int not a float (r295701)
When destroying a resource, register "only" the clients who are losing their resource as having pending resources (r223789)
Move more of SVG resources cache to using RenderElement. (r158209 revisited)

Jun 20, 2022
============
Inline cache Replace and Setters on PureForwardingProxy (r265600)
   
Jun 17, 2022
============
AbsenceOfSetEffect property condition should mind put() overrides (r295610)

Jun 16, 2022
============
Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII (r225117 partial)
The simple text codepath does not handle unpaired surrogates (r281731)
ASSERTION FAILED: markFontData in FontCascade::emphasisMarkHeight (r191386)

Jun 16, 2022
============
REGRESSION (r287195): Safari fails to correctly render indented numbered lists with custom CSS and hyphenation ON (r295573)
Refactor hyphenation logic in RenderText::computePreferredLogicalWidths() (r287195)
'overflow-wrap: anywhere' should be considered when calculating min-content intrinsic sizes. (r283493)
[LFC][IFC] Add support for overflow-wrap: anywhere (r281259)
Small cleanup in RenderText::computePreferredLogicalWidths() (r183799)
Move characterAt index checks from InlineIterator to RenderText (r163465)
Mitigate out-of-bounds access in InlineIterator (r139213)
  => [New Parser] css3test.com 51% 1744/3411 804 features (All except CSS 2.2), 57% 2269/3936 926 features (All)

Jun 15, 2022
============
Track SVG renderer updates using a NodeFlag instead of on Style::Update (r295539)
Treat the composite operator for the bottom mask layer as source-over. (r295538)
Nullptr crash in RenderLayerCompositor::requiresCompositingLayer (r295531)

Jun 14, 2022
============
Make SecurityOrigin safe to create and use from any thread (r230205 partial)
Avoid constructing SecurityOrigin objects from non-main threads (r230009 partial)
Modernize lambda captures in WorkerThreadableWebSocketChannel (r201543 partial)
Remove wtf/TypeTraits.h (r155402)
Stop using WTF type traits in WebCore (r155380)
Begin moving off of TypeTraits.h (r155357)
Clean up HasTrivialConstructor/Destructor (r129780 + r129999)
Use WTF::HasTrivialDestructor instead of compiler-specific versions in JSC::NeedsDestructor (r128900)

Jun 13, 2022
============
ReadableStream::lock should check whether there is an exception when getting ReadableStreamDefaultReader private constructor (r287711)
Handle TerminationException in WebCore::ReadableStream::create() (r286840)
Beef up worker termination handling in ReadableStream routines (r284861)
ReadableStream C++ methods should check for exception (r272166)
ReadableStream::create() should handle any exceptions that may be thrown during construction. (r263883 partial)
[iOS Sim Debug] ASSERTION FAILED The atomic string comes from an other thread! Layout Test imported/w3c/web-platform-tests/workers/WorkerNavigator_appName.htm is a flaky crash (r244927)
Incorrect sizing of elements with visually hidden text inside (r295478)
Reset the dirty bit on the inline level renderers when counter is present (r295477)
Move InlineWalker to a file of its own and make it use RenderIterator (r283365)

Jun 10, 2022
============
Repatch should be able to polymorphic call with arity fixup. (r295423)

Jun 09, 2022
============
Fix invalid isInShadowRoot flag during input element removal (r295436)
convertingToLengthRequiresNonNullStyle needs to consider calc values (r295425)
RenderImageResource::setCachedImage may produce a null renderer (r295393)

Jun 08, 2022
============
Port ServiceWorkerContainer to the HTML5 event loop (r251934 partial revisited)
XMLHttpRequest should not prevent entering the back/forward cache (r251366)
XMLHttpRequests should not prevent a page from entering PageCache (r181480)

Jun 07, 2022
============
Remove separate classes for CSS wide keywords (initial/inherit/unset/revert) (r285373)
Tables with just border-style set on the cells do not get a grid (r126683)

Jun 06, 2022
============
Worker should support unhandled promise rejections (r234846 + r234854)
RejectedPromiseTracker should produce better callstacks and avoid capturing callstacks unless there is a debugger/inspector (r216035)
[JSC] Remove defaultValue() from the method table (r276660)
Symbol and BigInt wrapper objects should perform OrdinaryToPrimitive (r275569)

Jun 04, 2022
============
Allow image map adding/removing when in tree scope (r295210)
Layout table captions in simplified layout (r295204)

Jun 03, 2022
============
Unprefix -webkit-text-orientation (r259006)
Remove unimplemented property error log in when getting a property value from a computed style (r252176)
Automate generation of computedProperties (r251581)
Regression(r294902) Web Inspector highlight gets stuck when hovering over items. (r295155)

Jun 02, 2022
============
Time channel attack on SVG Filters (r214125)
Eliminate Color constructors that take strings, moving color parsing entirely into the CSS parser (r262155)
  => [New Parser] css3test.com 51% 1742/3411 804 features (All except CSS 2.2), 57% 2267/3936 926 features (All)
JSAccessibilityUIElement.cpp:802:72: runtime error: -1 is outside the range of representable values of type 'unsigned int' (r274919 partial)
CSS angle unit conversions should consistently use the same associativity (r267551)
clampTo(): do not convert the input to double when dealing with integers (r241192 partial)
Spacing after some posts is too large on Dead by Daylight forums (r295094)
DOMPromiseProxyWithResolveCallback<IDLType>::promise() should not use |this| after calling resolve() / reject() (r295118)

Jun 01, 2022
============
REGRESSION (r291788): MotionMark Suits subtest is 9% regressed (r294067 complete revisited)
setNeedsLayout() should not be called when changing the SVG properties (r291788)
Rename invalidation methods in SVGElement (r291162)
Use PropertyRegistry consistently in svgAttributeChanged (r291108)
SVG <animateMotion> does not reset the element to its first animation frame if its fill is "remove" (r249974)
Updating href on textPath doesn't update its rendering (r238464)
Assertion in RenderTreeBuilder::attachToRenderElementInternal (r295083)
Avoid GCReacheableRefMap lookup inside JSNodeOwner::isReachableFromOpaqueRoots() (r295059)
Remove unused NodeFlag::HasCSSAnimation (r267377)

May 31, 2022
============
Stop returning NodeVector from functions (r291416)
Reduce the overhead of DocumentFragment in innerHTML & outerHTML (r272703)
Avoid creating JS wrapper on a removed node when the subtree is not observable (r272394)
replaceChildren() (with no arguments) silently does nothing rather than removing the children (r268314)
Rename replaceAllChildren to replaceAllChildrenWithNewText (r265844)
REGRESSION(r262381): replaceChildren should not use DeferChildrenChanged::No (r265831)
Implement ParentNode.prototype.replaceChildren (r262381)
Crash in WebCore::TreeScope::documentScope (r222474)
innerText should replace existing text node (r211023)
Document title changed twice when setting document.title (r210833 + r210839)
Align Range.surroundContents() with the latest DOM specification (r204390)
Range.surroundContents() should check for partially contained non-Text nodes first (r190139)
Range API is throwing wrong exception type (r189202)
REGRESSION(r286112): Style invalidation for text mutation happening after event dispatch (r286179)
Factor child change invalidation into class (r286058 + r286091 rolled out + r286112)
Suspend widget hierarchy updates while executing node insertion (r274146)
Consolidate calls to insertedInto and expand the coverage of NoEventDispatchAssertion (r223687)

May 30, 2022
============
[FrameView::layout cleanup] Drop allowSubtree parameter (r223821)
[FrameView::layout cleanup] Use SetForScope to ensure layout state correctness (r223805)
[FrameView::layout cleanup] Scheduling layout should be disabled for FrameView::layout (r223792)
[FrameView::layout cleanup] Move can-enter-layout logic to a separate function (r223776)
[FrameView::layout cleanup] Move style update related logic to a separate function (r223742)
[FrameView::layout cleanup] Move post layout task scheduling logic to a separate function (r223717)
[FrameView::layout cleanup] Move scrollbars setup logic to a separate function (r223712)
[FrameView::layout cleanup] Do not reenter FrameView::performPostLayoutTasks (r223696)
[FrameView::layout cleanup] Replace m_nestedLayoutCount with isLayoutNested() (r223689)
[FrameView::layout cleanup] Group related pre-layout code to improve readability (r223649)
[FrameView::layout cleanup] Use SetForScope to protect m_needsFullRepaint's value on reentrancy (r223633)
[FrameView::layout cleanup] Remove InPreLayoutStyleUpdate. (r223631)
[FrameView::layout cleanup] Move root/body marking dirty logic to a separate function (r223622)
[FrameView::layout cleanup] Move frame flattening layout logic to a separate function (r223605)
[FrameView::layout cleanup] Remove redundant body->renderer()->setChildNeedsLayout() call (r223590)
ASSERTION FAILED: !renderer().view().needsLayout() while running media/video-main-content-autoplay.html (r217286)
Remove redundant FrameView ref in FrameView::performPostLayoutTasks (r217196)
Remove unused ChromeClient::layoutUpdated(). (r163726)
REGRESSION (r132422): Page content and scrollbars are incorrectly offset after restoring a page from the page cache (r142416)
Make it easier to hit the significant rendered text layout milestone on pages with main article elements (r233794)
Oversized caret and selection rects in text fields on ganji.com and netflix.com/login (r260367)
Caret is painted horizontally in vertical writing mode when there are no visible text (r136225)

May 29, 2022
============
REGRESSION(r158561): fast/block/float/float-append-child-crash.html asserting. (r158598)
Can not select whole line when using flexbox (r209427)

May 28, 2022
============
Nullptr crash in RenderStyle::shapeOutside() (r274645)
REGRESSION (r268947) Some table elements become blank when scroll-bar is toggled (r271933)
REGRESSION(r155906): Page content disappears on Tuaw article after loading (r177049)

May 27, 2022
============
[SVG2] Add the 'orient' property of the interface SVGMarkerElement (r252444)
[SVG2]: Remove the SVGExternalResourcesRequired interface (r251318)

May 26, 2022
============
Incorrect layout on iframe with object-fit (r294880)
Load event must be fired only for the SVG structurally external elements and the outermost SVG element (r251290)
SMILTimeContainer must protect its m_scheduledAnimations while it does updateAnimations() (r262180)
Crash when removing the target element while animating its attributes (r250488)
Assertion fires when animating the 'class' attribute of an SVG element (r247085)
[iOS] Throttle SVG SMIL animations to 30fps in low power mode (r213393)
[SVG] Handle endEvent for svg animations (r190890)
SMIL animations of SVG <view> element have no effect (r249843)
SVG scrolling anchor should be reset if the fragmentIdentifier does not exist or is not provided (r224973)
Avoid a redundant scroll to 0,0 when navigating back to a url with no fragment (r212197)

May 25, 2022
============
SVGLengthValue should use two enums for 'type' and 'mode' instead of one unsigned for 'units' (r249822 partial revisited)
Remove SVG properties tear-off objects (r243830)
Updating href on linearGradient and radialGradient doesn't update its rendering (r238651)
Prefer null namespace 'href' over 'xlink:href' on SVG elements (r249593)
Remove the SVG tear off objects for SVGMatrix, SVGTransfrom, SVGTransformList and SVGAnimatedTransformList (r243730)
SVGMatrix.IDL methods do not conform to the specs (r243703)
Remove floating objects during tree normalization after style changes (r294779)
Obey intrinsic min-height in nested column flex container (r294744)
WPT test css/css-flexbox/flex-minimum-height-flex-items-023.html fails (r273955)
isContentEditable returns false for `display:none` contenteditable elements, but true for children (r294753)
Invisible border should not trigger Repaint diff when currentColor changes (r294618)
A float avoider should never take a vertical position where a float is present even when its used width is zero (r292532 + r294754 rolled out)
Remove the SVG tear off objects for SVGPathSeg, SVGPathSegList and SVGAnimatedPathSegList (r243555)
Get rid of SVGPathSeg* special casing in the bindings generator (r152565)

May 24, 2022
============
REGRESSION (r243121): Load event should not be fired while animating the 'externalResourcesRequired' attribute  (r246170 complete revisited)
Remove the SVG tear off objects for SVGLength, SVGLengthList and SVGAnimatedLengthList (r243515)
Remove the SVG tear off objects for SVGAngle, SVGAnimatedAngle and SVGAnimatedEnumeration (r243478)
Remove the SVG tear off objects for SVGNumber, SVGNumberList and SVGAnimatedNumberList (r243362)
Remove the SVG tear off objects for SVGPoint, SVGPointList and SVGAnimatedPointList (r243336)
getCharNumAtPosition should take DOMPointInit as argument (r231266)

May 20, 2022
============
Remove the SVG property tear off objects for SVGAnimatedString (r243333)
REGRESSION (r243266): SVGStopElement does not react upon 'offset' attribute changes (r271975)
Remove the SVG property tear off objects for SVGAnimatedNumber (r243266)
Remove the SVG tear off objects for SVGColorAnimator (r243259)
Remove the SVG property tear off objects of SVGAnimatedPreserveAspectRatio (r243185)
REGRESSION (r243121): Load event should not be fired while animating the 'externalResourcesRequired' attribute  (r246170 partial)
Remove the SVG property tear off objects of SVGAnimatedRect (r243183)
Remove the SVG property tear off objects for SVGStringList (r243130)
Remove the SVG property tear off objects for SVGAnimatedBoolean (r243121)
Changing text color and removing line-clamp on hover causes text to disappear permanently (r294503)
REGRESSION (r293126): Gmail formatting menu/panel in compose view becomes blank/empty while scrolling (r294530)
Define the type of SVGPropertyOwnerRegistry for all SVG elements (r243114)

May 19, 2022
============
Remove the SVG property tear off objects for SVGAnimatedInteger (r243036)
Invalid cast in WebCore::SVGAnimateElement::calculateAnimatedValue. (r179772)
ASSERTION FAILED: resultAnimationElement->m_animatedType in WebCore::SVGAnimateElement::calculateAnimatedValue (r154049)
Rename SVGProperty to SVGLegacyProperty and rename SVGAnimatedProperty to SVGLegacyAnimatedProperty (r242978)
SVGViewSpec objects should mark relevant SVG elements (r239070)
Allow href attribute without xlink on SVG elements (r234683 complete revisited)
Remove the SVG elements' attributes macros (r234620 + r236991)

May 18, 2022
============
Clean up SVGScriptElement (r160389 + r160451)

May 17, 2022
============
Do not fire load event for SVGElements that are detached or in frameless documents (r217172)
Drop SVGDocument as per the SVG2 specification (r204246)
REGRESSION (r291788): MotionMark Suits subtest is 9% regressed (r294067 partial)
Don't schedule text rendering updates for a non-rendered Document (r282390)
Take intrinsicBorderForFieldset() into account in intrinsically sized fieldset (r294275)
Treat intrinsic like *-content (r278705)
Treat min-intrinsic like *-content (r274419)
Crash in WebCore::InsertTextCommand::positionInsideTextNode (r294281)
Template TextBoxPainter on line layout path (r294204 + r294262 + r294279 rolled out)
REGRESSION (r201667): ASSERTION FAILED: !m_anchorNode || !editingIgnoresContent(*m_anchorNode) (r201823)
Crash under VisibleSelection::firstRange() (r201667)
[iOS] Crash long pressing on <input type=file> (r185613)
Editing: wrong text position when you click enter on the text behind the image (r151604)
REGRESSION(r130411): Copying & pasting the first line of text can move caret to the end of text area (r131824)
Build fix after r130411. Add the right offset. Also use RefPtr instead of a raw pointer for next and previous pointers. (r130429)
ReplaceSelectionCommand should merge text nodes (r130411)

May 16, 2022
============
REGRESSION (r194898): Multi download of external SVG defs file by <use> xlinks:href (caching) (r199881)
Make it clear to get m_svgExtensions using svgExtensions(). (r170287 + r170519 rolled out)
[Repaint] Border ignores currentColor change when hovering (r294195)
Changing text color and removing line-clamp on hover causes text to disappear permanently (r294211)

May 13, 2022
============
Remove DocumentThreadableLoaderClient.h (r169420)
[Curl] Compile error. (r173329)
Remove ResourceResponse::m_suggestedFilename (r173272)
[Curl] Compile errors related to http header field names. (r170153)
[Curl] Compile errors related to http headers. (r169970)
[curl] Improve multipart response handling (r155633)

May 12, 2022
============
html/semantics/embedded-content/the-img-element/adoption.html is timing out (r284894 + r294125 rolled out)
Remove PassRefPtr from more of "platform" (r210758 partial revisited)
DataRef<T> should use Ref<T> internally. (r157568 complete revisited)
Use of uninitialized variable in WebCore::RenderBox::paintFillLayers (r136742)
Some RenderStyle::diff() optimizations (r294094)
currentColor isn't recalculated when a text node doesn't exist (r267528)
Remove -webkit-{border-fit/margin-collapse} leftovers in StyleRareNonInheritedData (r287448 complete revisited)
removed -webkit-border-fit. (r285615)
Accept two values in the overflow shorthand (r250849)
Remove -webkit-{border-fit/margin-collapse} leftovers in StyleRareNonInheritedData (r287448 partial)
removed -webkit-margin-collapse properties. (r287429)

May 11, 2022
============
Unreviewed, revert r288307 as it caused correctness issues (r294018)
REGRESSION(r288307): instanceof value wrong in MutationObserver callback for Safari extensions (r291694)
Callback functions / interfaces should use global object of its _value_ for errors and lifecycle (r288307)
Fix inertness of pseudo-elements (r294012)

May 10, 2022
============
Don't leak documents with a pending requestIdleCallback (r251924)
Introduce WorkerEventLoop and use it in FetchBodyOwner::runNetworkTaskWhenPossible (r251792)
Refactor AbstractEventLoop out of WindowEventLoop (r251308)
Make requestIdleCallback suspendable (r251258)
Do not use the cached renderer's parent in handleFragmentedFlowStateChange lambda (r293998)
Add lambda for fragmented flow state change handling (r293895)
[RenderTreeBuilder] Clean up descendant floats when a block container becomes float (r290549)
[RenderTreeBuilder] Clean up column spanners when style change affects containing block (r289098 + r289135 rolled out + r289157)
[Multi-column] Adjust fragmented flow state of the out-of-flow descendants (r274144)
Reset fragment line info when the relatively positioned inline box becomes static with block child. (r262540)
Check if node is connected after calling mergeWithNeighboringLists (r294003)
Nullptr crash in RenderObject::parent (r270018)
Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands. (r261777)
Nullptr crash in CompositeEditCommand::splitTreeToNode (r257407)

May 09, 2022
============
ASSERT in WebCore::RenderTreeUpdater::updateRenderTree (r293981)
Make WebSockets work in network process (r214413 partial)

May 09, 2022
============
[selectors] Double script focus after mouse click shouldn't match :focus-visible (r293926)
null ptr deref in WebCore::Frame::setPrinting (r293922)
ASSERT in WebCore::StyleProperties::getGridTemplateValue (r293916)
Fix serialization of grid-template (r291955)
CSS revert should serialize as "revert", not "Revert" (r266660)
Using char* instead of String for StyleProperties::getShorthandValue() (r252913)
[css-grid] Serialization of grid-area, grid-row and grid-column should include "/" separator (r252901)
[css-grid] Implement CSSGridTemplateAreasValue::equals (r199551)
CSP blocks inline style when cloning a node (r147558)
  => [New Parser] css3test.com 51% 1742/3411 804 features (All except CSS 2.2), 57% 2267/3936 926 features (All)

May 06, 2022
============
Use an OptionSet<MapCoordinatesMode> in place of MapCoordinatesFlags (r281239)
Remove unused RenderObject::isOutOfFlowRenderFragmentedFlow (r276707 complete revisited)
[New Multicolumn] event.offsetX/offsetY don't work correctly (r167910)
Make readArrayBufferViewImpl defensive (r293884)
Reduce the number of calls to canContainFixedPositionObjects() (r293880 partial)
`contain: layout` on the html element should change position:fixed behavior (r293209 partial)

May 05, 2022
============
Make TransformIterator::TransformIterator() take rvalue references (r170615)
Some WeakPtr cleanup (r245972)
Crash in WindowProxy::setDOMWindow (r293819 partial)
Crash under WorkerThreadableLoader::MainThreadBridge::notifyIsDone() (r272880 partial)

May 02, 2022
============
[Web Animations] Coordinate "update animations and send events" procedure across multiple timelines (r260525)
ASSERT(parent->element()) triggered in Styleable::fromRenderer (r284871)
Getting the computed style should resolve animations using the last style change event style (r272866)
[Web Animations] KeyframeEffect.pseudoElement does not return a valid string when targeting ::marker or ::first-letter (r269623)
Only stretch the percent height <body> when it is the document element's child (r293647)
REGRESSION(r290770): element.scrollIntoViewIfNeeded() scrolls to top even when element is already in viewport (r293642)
Incorrect aspect ratio size (r287023)
Use double division (r274646)

Apr 29, 2022
============
Leverage the known length of an ASCIILiteral when comparing it to a String / AtomString (r293588)

Apr 28, 2022
============
Store StyleScope during CSSStyleSheet Creation (r293232)
REGRESSION (r276882): Shadow trees may use stale style information after inline stylesheet is mutated via CSSOM (r281700)
Remove the Timer from Style::Scope (r272370 + r280112 rolled out)
REGRESSION (maybe r276882): custom properties not available on host on initial paint (r278478)
REGRESSION(r276882): Style not invalidated correctly for media queries in shadow trees that share style (r278346)
Share style resolvers between author shadow trees with identical style (r276882)
Make HashMap and HashSet work with Refs (r202002 + r202111 + r202136 rolled out + r202254 complete revisited)
We should be able to use std::tuples as keys in HashMap (r212969 + r212992)
Provide implementation for WTF::DefaultHash<bool> (r179061)
Outsets for referenced SVG filters are always zero (r251119)

Apr 27, 2022
============
Simplify RenderLayer filter code (r235630)
Applying a filter on an SVG element, which is larger than 4096 pixels, causes this element to be rendered shifted to the left (r183960)
Applying a filter on an SVG element, which is larger than 4096 pixels, causes this element to be rendered shifted to the left (r183956)
Subpixel rendering: Buttons in default media controls shift vertically when controls fade in or out. (r169615)
-webkit-filter prevents rendering at retina scale (r168577)
[core] FEGaussianBlur: use IntSize to simplify member function interface (r166214)
Use edgeMode=duplicate for blurring on filter() function (r154954)
[skia] Implement reference (url) filters on composited layers. (r133608 partial)
[CSS Shaders] CustomFilterOperation should be converted to ValidatedCustomFilterOperation before using it (r133242)
::first-letter does not work if used only in shadow content (r293497)

Apr 26, 2022
============
Refactored script content removal in the fragment parser for clarity and speed (r146264 complete revisited)
scripts in formaction should be stripped upon paste (r124520)
anchor.relList.supports("opener") should return true (r284745)
Add support for SVGAElement's rel / relList attributes (r264789)
XLinkNames namespace is required before the 'href' attribute of SVG animate elements (r249216)
Visited link hash should be computed only once (r244642)
Allow href attribute without xlink on SVG elements (r234683 partial)
Rename computeSharedStringHash() overload taking a URL to computedVisitedLinkHash() (r222767)
Add support for DOMTokenList.supports() (r206561)
[iOS][WK2] Prefetch DNS hostnames on tap highlight (r168339 partial)
[iOS] Upstream WebCore/svg changes (r160668)
Refactored script content removal in the fragment parser for clarity and speed (r146264 partial)

Apr 25, 2022
============
Rename FilterEffectRenderer to CSSFilter (r235586)

Apr 22, 2022
============
Remove PassRefPtr use from "rendering" directory, other improvements (r210469 partial)
Use OwnPtr in the RenderLayerFilterInfo map (r155047)

Apr 21, 2022
============
Make WidgetHierarchyUpdatesSuspensionScope cheaper if it has nothing to do (r289692)
Release Assert @ WebCore::RenderTreeBuilder::RenderTreeBuilder (r262835 + r262877)

Apr 20, 2022
============
REGRESSION (r281913): Map toolbar flickers when dragging the map on https://gis.ee/ (r293126)
Remove unnecessary call to enclosingClippingScopes() (r249047)
Layers painting into shared backing need to contribute to overlap (r245502 complete revisited)
user-select: none shouldn't affect editability (r293028)
Rename RenderStyle::userSelectIncludingInert to RenderStyle::effectiveUserSelect (r290305)

Apr 19, 2022
============
Rename URL::copy() to URL::isolatedCopy() to match String. (r183901)
XMLHttpRequest / XMLHttpRequestUpload should inherit XMLHttpRequestEventTarget (r196599)
Move some functions from RenderBlockFlow to RenderDeprecatedFlexbox (r268986)
Deploy more child renderer iterators in RenderBlockFlow. (r161278)
Clean up Element::isFocusableWithoutResolvingFullStyle() (r293011)
Remove Node::deprecatedIsInert (r290554)

Apr 18, 2022
============
XMLHttpRequest.responseXML url should be the HTTP response URL (r251542)
XMLHttpRequest has the wrong fallback encoding (r244377)
Align XMLHttpRequest's open() / send() / abort() with the latest specification (r230066)
XMLHttpRequest: do not sniff text/html, and do not sniff XML when responseType is set to "text" (r223217)
XMLHttpRequest's responseXML should be annotated with [Exposed=Window] (r222690)
CSP: Block XHR when calling XMLHttpRequest.send() and throw network error. (r199221)
Harden JSObject::setPrototypeOf. (r292950)
Implement polymorphic prototypes (r222827 partial revisited)
REGRESSION(r245586): static assertion failed: Match result and EncodedMatchResult should be the same size (r246792)
[YARR] Properly handle RegExp's that require large ParenContext space (r245815)
Cleanup Yarr regexp code around paren contexts. (r245586)
Parent Mismatch (r292911)
Take top layers into account in addLayers/removeLayers (r292596)

Apr 14, 2022
============
NeverDestroyed<String>(ASCIILiteral(...)) is not thread safe. (r216217 partial revisited)
[web-animations] REGRESSION(r291527): assertion hit during teardown of document with CSS Animations (r292858)
Dialog element only animates once (r289498 + r289682 rolled out + r291282 + r291318 rolled out + r291527)
Move AnimationTimeline methods related to Styleable to Styleable (r275346)
Remove the Silently argument to WebAnimation::cancel() (r275280)
Release assert in compareAnimationsByCompositeOrder (r275228)
REGRESSION (r292043): [ Mac ] fast/block/positioning/fixed-container-with-relative-parent.html is a flaky image failure (r292817 + r292834 rolled out + r292855)

Apr 13, 2022
============
Remove ImplicitAddress (r283970)

Apr 12, 2022
============
Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction (r160587 complete revisited)
[JSC] Reduce use of unnecessary cryptographicallyRandom numbers (r292714 partial)
Clarify that some UUID routines are dedicated to UUID v4 (r288950 partial)
[SVG2]: Add auto behavior for rx and ry to the SVG <ellipse> and<rect> elements (r250103 + r250147)
Turn r/rx/ry to presentation attributes (r172647)
  => [New Parser] css3test.com 52% 1740/3393 788 features (All except CSS 2.2), 58% 2265/3918 910 features (All)
StyleResolver state should store user agent appearance style as RenderStyle (r252255)
[css-lists] Implement list-style-type: <string> (r252076 + r252336 rolled out)
Move static StyleResolver functions to Style namespace (r153906 partial revisited)

Apr 08, 2022
============
Iterate over copy of animated properties in WebCore::WebAnimation::commitStyles (r292560)
[web-animations] REGRESSION (r287881): loading performance for diply.com regressed (r292561)
[css-logical] [css-transitions] Resolve logic properties when compiling the list of transition properties (r289167)
[CSS transition] can't use CSS logical properties in transition syntax (r289161)
[JSC] Fire structure transition watchpoint in Structure::finishCreation instead of Structure constructor (r292594 partial)
Resolve ::first-line style eagerly (r290867) (248098@main)
Introduce SelectorMatchingState and move SelectorFilter there (r285630)

Apr 07, 2022
============
Simplify pseudo element resolution (r290779)
Render tree updates for Text node content mutations should happen during rendering update (r276287)
Remove added element from Style::Update root set (r273680)
Selection API: Introduce LiveRangeSelectionEnabled, off by default (r267220 partial)
CharacterData.data setter optimization is not spec-compliant and is observable (r204316)
[JSC] Substring resolving should check 8bit / 16bit again (r292484)

Apr 06, 2022
============
CSS parser "consume declaration" algorithm does not handle whitespace correctly (r279358)
Remove some @apply leftover code (r292455 partial)

Apr 04, 2022
============
Don't dispatch "focusin" / "focusout" events if there are no listeners (r287802)
Remove obsolete DOM Level 2 "DOMFocusIn" / "DOMFocusOut" events (r287787)
Document::addListenerTypeIfNeeded should not call pthread_get_specific 14 times (r292277)
Remove unused Document::ListenerType enumerators (r288584)
Remove unused DOMAttrModified from EventsNames and Document::ListenerType (r129551)

Apr 03, 2022
============
[Ruby] Statically positioned out-of-flow block boxes are mispositioned (r292226)

Apr 02, 2022
============
Change GraphicsContext image-drawing functions to take references (r191049 partial)

Apr 01, 2022
============
Add RenderGrid parameter to resolveGridPositionsFromStyle (r292221)

Mar 31, 2022
============
Add HashTranslator for ASCIILiteral for faster lookup in HashMaps / HashSets (r292106)

Mar 30, 2022
============
Replace TCSpinLock with a new WTF::SpinLock based on WTF::Atomic. (r181485)
WebCore::LegacyRootInlineBox::lineSnapAdjustment should bail out on grid line height < 1 (r292054)
Always use the compiler's CAS implementation and get rid of ENABLE(COMPARE_AND_SWAP) (r190103)
Remove atomicIncrement/atomicDecrement (r162777)

Mar 29, 2022
============
RenderText::width should call FontCascade directly on single space characters (r292043)
Percentage word spacing doesn't incorporate synthetic bold expansion (r289007)
Speed up Element::removedFromAncestor() (r291981 partial)
The lazy symbolObjectStructure should be realized before we allocate a SymbolObject. (r292009)
Check for re-entrancy in stopForBackForwardCache (r292002)
Bail out early in stopForUserCancel (r289203)
Provisional / scheduled loads in subframes should not prevent a page from entering the back/forward cache (r250686)
Ping loads should not prevent page caching (r248265)
RELEASE_ASSERT hit in CachedFrame constructor (r246187)
REGRESSION (r195605): ASSERTION FAILED: !NoEventDispatchAssertion::isEventDispatchForbidden() (r198924)

Mar 28, 2022
============
Lazily allocate backing store for grid columns. (r291952)
[css-grid] Rename SmallestTrackStart to ExplicitGridStart (r264403)

Mar 25, 2022
============
Reduce EventListenerVector's minimum capacity from 16 to 2 (r291866)
[css-cascade] Fix 'revert' on low-priority properties (r291260)
REGRESSION (Safari 15.4): Nonce from link isn't used when loading style sheet (r291816)

Mar 24, 2022
============
[MotionMark - Multiply] Web process spends ~1% of total samples in PropertyCascade::resolveDirectionAndWritingMode (r266689)
Tatechuyoko in ruby sits too high (r192639)
tate-chu-yoko should shrink to fit when it exceeds the available width. (r192269)
Some style changes cause tatechuyoko to be drawn off center (r192169)
Devirtualize RenderText::width (r291793)
Fonts lie about being monospaced (r266118)
Remove TextRun::setCharactersLength() and TextRun::charactersLength() (r222637)
Ruby base ending in tatechuyoko forces a line break before the tatechuyoko (r192042)

Mar 23, 2022
============
No breakpoints hit on github.com, and some are invalid (r291746)
Style::Builder should not depend on StyleResolver (r251916)
Introduce Style::Builder (r251864)
Rename StyleBuilder to Style::BuilderGenerated (r251841)
Fix CSS cascade regarding logical properties (r291546 + r291690 rolled out)

Mar 22, 2022
============
Move style building state to a class of its own (r251796)
[JSC] ReferenceError when using extra parens in class fields (r291577)

Mar 21, 2022
============
Optimize EventTarget::visitJSEventListeners() (r291538)

Mar 19, 2022
============
Optimize AtomHTMLToken::initializeAttributes() (r291508)
Avoid extra pointer dereference in EventListenerMap::m_entries (r291495)
document.open() event listener removal is not immediate (r231248)

Mar 18, 2022
============
Make scrolling to the focused element async (r227664)
ASSERT(m_column != unsetColumnIndex) in RenderTable::cellBefore (r257720)

Mar 17, 2022
============
REGRESSION (iOS 15.4 / r287669): Mobile app stopped working due to CSS / angular animation (r291420)
Render tree updates for Text node content mutations should happen during rendering update (r276287 rolled out)
  -> Crash in HTML UI history when clicked item.
Render tree updates for Text node content mutations should happen during rendering update (r273621 + r275657 rolled out + r276287)
Rename scheduleTimedRenderingUpdate() to scheduleRenderingUpdate() everywhere (r268049)
Remove Page::scheduleImmediateRenderingUpdate() (r268034)
Use the "triggerRenderingUpdate" terminology in ChromeClient (r268028)
ChromeClient::needsImmediateRenderingUpdate() only existing to work around a WebKit1 bug (r268022)
Remove FrameView::scheduleRenderingUpdate() (r258511)

Mar 16, 2022
============
Sign MacroAssembler::jumpsToLink (r269020)
[GTK][WPE][JSCOnly] compile error when -DWTF_CPU_ARM64_CORTEXA53=ON set for arm64 (r260680)
Dialog element only animates once (r291282 + r291318 rolled out)
null ptr deref in RenderTreeBuilder::Block::attachIgnoringContinuation (r289060) (246767@main)
REGRESSION(r271515): ::marker fired at wrong time (r272927)
REGRESSION(r269813): PLT5 regressed by 0.5% (r271515)
Support animations on more pseudo-elements (r269813)

Mar 15, 2022
============
background-clip:text doesn't work with display:flex (r291303)
Factor style resolver context arguments into a struct (r284693)
Animated pseudo element style resolved against wrong parent style (r275277)
Don't create a scroll corner without renderer (r291238)
Remove scrollbars explicitly when destroying render tree (r283868)

Mar 14, 2022
============
Use LineLayoutTraversal for RenderText functions (r250390)

Mar 13, 2022
============
Remove Simple Line Layout (r267565)
[LFC][Integration] Fix compositing/masks/compositing-clip-path-change-no-repaint.html (r254041)

Mar 11, 2022
============
Attempt to fix failing tests following r235615 (r235621)
Document is leaking on haaretz.co.il due to an async script (r291127)
Assertion when encountering U_OTHER_NEUTRAL in createBidiRunsForLine at end of run (r253068)
Destroy linebox tree from ComplexLineLayout destructor (r252891)
Only construct ComplexLineLayout when needed (r248528)
Factor complex line layout path out from RenderBlockFlow (r248517)
Remove redundant inline text boxes for empty combined text (r235615)
RenderRubyRun should not mark child renderers dirty at the end of layout. (r207275)
Remove statusWithDirection static function from RenderBlockLineLayout (r160279)

Mar 10, 2022
============
[css-lists] css/css-lists/inherit-overwrites.html and css/css-lists/li-counter-increment-computed-style.html are unique failures (r291054)

Mar 09, 2022
============
Content disappears on mouse over. (r200220)
REGRESSION (r251015): Hitting return before a space deletes text after the insertion position (r253750)
Position::upstream/downstream should not need to call ensureLineBoxes (r251015)
[:has() pseudo-class] Basic support (r281295)

Mar 08, 2022
============
Home link on weather.gov is not working (r290849)
Make "true" count as truthy in window.open()'s boolean features (r290899)
Support "noreferrer" for window.open() (r243705)
Passing noopener=NOOPENER to window.open() should cause the new window to not have an opener (r236802 + r237002 rolled out)
Implement the "noopener" feature for window.open() (r214251)
Use WTF::Optional in WindowFeatures (r188386)

Mar 07, 2022
============
Release_Assert | WebCore::Document::addTopLayerElement() (r290878)
Remove non-standard display:block UA stylesheet rule for <layer> (r290870)
Optimize the padding in StyleRareInheritedData (r290861)

Mar 04, 2022
============
Top layers should not be moved (r290832)
A text node longer than 65,535 characters following another text node is invisible in a scrolling context (r290782)

Mar 03, 2022
============
When appending a Windows drive letter to a file URL, remove any path we may have copied from the base URL (r267964)
Fix UTF-8 encoding in URL parsing (r267963)
Add extra slash after empty host copied from base URL if path is also empty (r267933)
Copy host from base file URL (r267896)
Update URL fragment percent encode set (r266399)
Make host parser fail on ^ (r261764)
Reduce size of WebCore::URL (r233742 + r233755 rolled out + r233789)
REGRESSION (r290512): imported/blink/fast/table/crash-output-element-as-column-group.html asserts sometimes (r290773)
Treat empty intersection correctly in RenderLayer::getRectToExpose (r290770)
[css] Implement 'text-decoration' as a shorthand. (r290756 + r290772 rolled out)
[web-animations] setting the composite property on a keyframe effect should invalidate the target style (r290741)
Outline-width with transition don't animate correctly (r290735)

Mar 02, 2022
============
Remove TrailingFloatsRootInlineBox (r278407)
Migrate layout ascents and descents to LayoutUnits instead of ints (r275502)
REGRESSION (r273129): Text contents in <span> with opacity not repainting/updating when sibling element has "will-change: transform" (r290645)
Scrolling on https://www.apple.com/ipad-air/ can jitter on certain sections (r273129)
[Fullscreen] Do not create composited layers for renderers unless they are part of the fullscreen subtree. (r234291)
REGRESSION(r285232) https://alvaromontoro.github.io/almond.css/demo/ looks wrong in Safari, ok in Chrome and Firefox (r290706)
Use static position relative to parent for abs-pos items within nested grids. (r290674)
[web-animations] ::placeholder should not be a valid pseudo-element for a KeyframeEffect target (r290662)
[web-animations] web-animations/interfaces/Animatable/getAnimations-iframe.html is a unique failure (r290644)
[css-grid] Properly handle static positions of abspos inside grid items (r240333)

Mar 01, 2022
============
Explicitly disable style sharing for form controls (r290640)
Handle perpendicular containing blocks when computing available logical height. (r290634)
Handle widow relayout differently (r290615)
[css-writing-modes] Fix absolutely positioning with orthogonal writing modes (r281995)
Composited layer that painted into composited ancestor is not repainted after moving (r157108)

Feb 28, 2022
============
[web-animations] web-animations/interfaces/KeyframeEffect/processing-a-keyframes-argument-001.html is a unique failure (r290584)
Compute correct containing block override size for items that are subgridden in one dimension only. (r290577 + r290579 rolled out)
[web-animations] web-animations/timing-model/animations/setting-the-timeline-of-an-animation.html is a unique failure (r290573)
[Tables] Incorrect table sizing when colgroup comes after tbody (r290512)

Feb 25, 2022
============
REGRESSION(r239915): [FreeType] White space skipped when rendering plain text with noto CJK font (r245095)
Web Animations JS API does not support "inherit" CSS values for keyframes (r272904)
RELEASE_ASSERT(!renderer()); in WebCore::Node::~Node() + 479 (Node.cpp:366) (r290430, 247737@main)

Feb 24, 2022
============
Remove pixelSnapped* functions from RenderBoxModelObject/RenderBox. (r188433)
Subpixel layout: Remove unused pixel snapping functions. (r173073)
REGRESSION(r268615): certain animations break when moving from one to display to another or resizing the window (r268932)
Support accelerated animation of individual transform CSS properties (r268615)
Call transition and animation callbacks on non-composited renderers too. (r243112)
Move animation and transition functions from RenderBoxModelObject to RenderElement (r243103)

Feb 23, 2022
============
Style::Resolver::styleForKeyframe() should take in the parent style (r272898)

Feb 22, 2022
============
[JSC] Add explicit exception check after appendWithoutSideEffects (r290265)
Stop propagating inertness through iframes in Node::deprecatedIsInert() (r290197)
REGRESSION (r263506): timing of CSS Animation on https://animate.style is incorrect (r266241)

Feb 17, 2022
============
Crash under KeyframeEffect::setTarget() (r273752)
Implement <forgiving-selector-list> for :is/:where (r268741)
Share style resolvers between author shadow trees without style sheets (r276836)
Refcount Style::Resolver (r276588)
SVG SMIL restart="never" does not behave correctly (r290010, 247396@main)
Revert r275772: inflated FloatSize memory layout unnecessarily (r289999)

Feb 16, 2022
============
[Cocoa] Reduce uses of CGFonts (r204858)
Remove useless RenderBlockFlow overrides. (r227672)
[CSS Shapes] Remove some leftover shape-inside code (r167283)
Skip positioned objects and line break boxes as they have no affect on width (r289859)
Do not update the fragmented flow state while internally mutating the render tree (r289814)
No need to update the list marker number during internal move (e.g. result of anonymous collapsing) (r275478)
Possible nullptr dereference when applying pagination to viewport (r209951)
REGRESSION: SVG clip-path doesn't work on root <svg> (r204872)
Crash in RenderTableSection::setCellLogicalWidths (r126251)

Feb 15, 2022
============
Pass in IsComposed flag to Event constructors (r235331)
MouseEvent's coordinates should be 0 for simulated clicks (r207544)
Refine SimulatedMouseEvent to support Event.isTrusted (r196598)
AXPress event coordinates are always sent as (0, 0) (r160032)
Fix crash with deeply nested async overflow scroll (r289776)
REGRESSION (r271584): Hovering slowly over and out of "Top 100" items on liberation.fr does not restore animated state (r271930)
Optimize :hover/:active style invalidation for deep trees and descendant selectors (r271584)
Update hover state in composed tree (r238404)
mouseenter and mouseleave events don't get dispatched even when there is a capturing event listener for a slot ancestor (r235865)
Text nodes assigned to a linked slot are not clickable (r206605)

Feb 14, 2022
============
Suppress style invalidation when matching :checked (r289693)
Look up InputTypeFactoryMap with an ASCII lowercase string instead of using a ASCIICaseInsensitiveHash (r289691)
Keep promise in scope when calling DeferredPromise::reject (r289640)
:focus-visible with click on radio/checkbox labels is broken (r289521)
[selectors] :focus-visible not matching on accessKey focus after focusing something via mouse (r287563)
[:has() pseudo-class] Support :disabled and :enabled pseudo-class invalidation (r287445)
[:has() pseudo-class] :has() selector invalidation issue with toggling :checked (r287363)
[selectors] :focus-visible should stop matching after blur (r286415)
[selectors] Using a modifier key on an element makes it stop matching :focus-visible (r276698)
REGRESSION (r276264): Reproducible crash in WebCore::UserActionElementSet::clearFlags (r276628)
Move selectedOptions cache invalidation timing (r276547)
[selectors] Script focus and :focus-visible (r276264)
[selectors] :focus-visible matches body after keyboard event (r274365)
autofocus of text input should not select text (r269587)
label element with tabindex >= 0 is not focusable (r210267)

Feb 11, 2022
============
Crash in in WebCore::CSSStyleSheet::didMutateRules (r289567)
[:has() pseudo-class] Nullptr crash with non-function :has (r289526)
compositing/masks/compositing-clip-path-mask-change.html is failing for ports using TextureMapper (r289497)
Register strings in CSSTokenizer created from preprocessing (r289493)
Allow :is/:where after all pseudo elements (r285054)
runtime error: signed integer overflow: 268435455 * 16 cannot be represented in type 'int' (r275048)
querySelector("#\u0000") should match an element with ID U+FFFD (rt259773)
Rename StringBuilder::append(UChar32) to StringBuilder::appendCharacter(UChar32) to avoid accidental change in behavior when replacing append with flexibleAppend (r248659)
Abstract the logic for appending a UChar32 onto StringBuilder (r140731)

Feb 09, 2022
============
Make HTMLToken::beginStartTag tag an 8 bit character (r289410)

Feb 08, 2022
============
Updating grid gap value does not recalculate styles (r289241)

Feb 07, 2022
============
Object literal doesn't properly resolve name clash between an accessor and a constant property (r289166)

Feb 04, 2022
============
testair sometimes crashes due to races in initialization of ARC4RandomNumberGenerator (r232227)

Feb 03, 2022
============
Incorrect KeyframesEffect generated for background (r289048)

Feb 02, 2022
============
Refactor KeyframesRuleMap to use AtomString for the key (r288907)

Jan 28, 2022
============
Node.replaceChild()'s pre-replacement validations are not done in the right order (r249821)
appendChild should throw when inserting an ancestor of a template into its content adopted to another document (r243233)
Reparenting during a mutation event inside appendChild could result in a circular DOM tree (r243175)

Jan 27, 2022
============
Optimization in Node.replaceChild() is not spec-compliant (r204326)
a.replaceChild(a, a) should throw a HierarchyRequestError (r204237)
Update Node::appendChild() / replaceChild() / removeChild() / insertBefore() to take references instead of pointers (r200696 partial revisited)
Node.replaceChild() does not behave according to the specification (r190233)
Rewrite Range::insertNode() as per the latest DOM specification (r190229 + r190243)
Node.appendChild(null) / replaceChild(null, null) / removeChild(null) / insertBefore(null, ref) should throw a TypeError (r189576 partial revisited)
HTMLTableElement.tHead / tFoot / caption should be nullable (r189537)
Optimization in Node.insertBefore() is not spec-compliant (r204368)
Optimization in Node::appendChild() is not spec-compliant (r204322)
Update Node::appendChild() / replaceChild() / removeChild() / insertBefore() to take references instead of pointers (r200696 partial)
Node.appendChild(null) / replaceChild(null, null) / removeChild(null) / insertBefore(null, ref) should throw a TypeError (r189576 partial)

Jan 26, 2022
============
Avoid repeated is<MutableStyleProperties>() checks in StyleProperties (r175067)
Specialize propertyCount() in StylePropertySet subclasses. (r148404)

Jan 25, 2022
============
[Hardening] Have the Ref<> destructor null out its pointer (r278132)
WebProcessPool should store Vector<Ref<WebProcessProxy>> instead of Vector<RefPtr> (r275916 partial)
Remove PassRef.h after r177259 (r203907)
Replace PassRef with Ref/Ref&& across the board. (r177259)
[css-grid] Fix grid shorthand expansion of initial values (r288544)

Jan 24, 2022
============
Node.appendChild(null) / replaceChild(null, null) / removeChild(null) / insertBefore(null, ref) should throw a TypeError (r189576 partial)
Pasting multiple lines into a textarea can introduce extra new lines (r154252)

Jan 21, 2022
============
Parameter to Node.compareDocumentPosition() should be mandatory and non-nullable (r203601)
Drop [UsePointersEvenForNonNullableObjectArguments] from Node (r200197)
Improve Node pre-insertion validation when the parent is a Document (r189682)

Jan 20, 2022
============
<dialog> with transformed ancestor asserts under RenderGeometryMap (r288267)
[JSC] Fix YarrJIT backtrackCharacterClassNonGreedy breakpoint (r288224)
Null check m_progressTracker in clearProvisionalLoad (r288215)
Clean up some code around RenderElement::addLayers() (r288127)
Make a function that returns the ordered list of top layer RenderLayers (r288059)

Jan 19, 2022
============
[css-flexbox] Add support for intrinsic sizes to the flex shorthand (r288184)
Remove the legacy animation code (r267188)

Jan 18, 2022
============
[css-flexbox] Add support for intrinsic sizes in flex-basis (r288113)
Treat width: intrinsic as non definite (r278275)
REGRESSION: CSS animations inside an embedded SVG image do not animate (r259830)
[Web Animations] Animation with a single keyframe is not accelerated (r261756)
transition-property is not computed correctly when transition-duration is set to "inherit" (r259720)
Remove use of PseudoElement in ComputedStyleExtractor (r287987)
Accelerated animations on ::backdrop shouldn't affect <dialog> (backdrop-animate-002.html fails) (r284313 partial)

Jan 17, 2022
============
Crash may occur under ComputedStyleExtractor::propertyValue() (r288101)

Jan 14, 2022
============
[css-grid] Fix rounding of distributed free space to flexible tracks (r287977)

Jan 13, 2022
============
[css-flexbox] Incorrect height of flex items with aspect-ratio whenever the cross axis intrinsic size is larger than the viewport (r287976)
Correctly dirty z-order lists when showing a modal dialog (r287939)
css/css-transitions/pseudo-elements-002.html WPT is a failure (r287926)

Jan 12, 2022
============
Interpolation during animation of two empty transform lists should always yield "none" (r287917)
css/css-transitions/KeyframeEffect-setKeyframes.tentative.html is a failure (part 2) (r287896)
css/css-transitions/KeyframeEffect-setKeyframes.tentative.html is a failure (r287881)
[Web Animations] reversing factor should be computed before canceling the previous transition (r287548)
[Web Animations] getKeyframes() should handle multiple 0% and 100% keyframes (r287524)
[Web Animations] getKeyframes() should ensure that all properties are present on 0% and 100% keyframes (r287518)
[Web Animations] getKeyframes() should return an empty object when there are no animatable properties in @keyframes rule (r287517)
[Web Animations] setKeyframes does not preserve animation's current offset (r274165)
Protect DocumentLoader when a reference to its members is used. (r287914)

Jan 11, 2022
============
Some css-transforms tests assert in debug (r287875)
null ptr deref in WebCore::LayoutIntegration::LineLayout::collectOverflow() (r287867)
will-change: position should not create a containing block for position: fixed elements (r277579)
Create a containing block when relevant properties are set in the current element will-change (r276627)
will-change: transform should affect nested position:fixed (r276377)
ASSERTION FAILED in RenderLayer::updateClipRects (r287847)
REGRESSION(r287683): <dialog> elements inside clipped/overflowed elements are no longer shown (r287845)
Incorrect clipping across compositing boundary. (r239661)

Jan 10, 2022
============
translate() function in transform property should remove trailing 0 value when parsing (r287822)
nullptr deref in ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatLeft>::updateOffsetIfNeeded (r287771)
Transitions without an explicit property-name should not be considered (r287764)
Ensure that the top layer is always anchored to the RenderView (r287683)
computed style for transition longhand properties is wrong (r287678)

Jan 07, 2022
============
REGRESSION(r239915): css3/font-feature-font-face-local.html failing on WPE (r240848)
REGRESSION(r239915): about 130 test failures on WPE (r240231)
[FreeType] Cache the zero-width space glyph in GlyphPage::fill() (r240034)
[FreeType] Support emoji modifiers (r239915)

Jan 06, 2022
============
Drop unnecessary data member in WorkerThreadableLoader (r287692)
Text-decoration color not changing back after input blur with outline removed (r287674)
Refactor computed style code for transition-property and the transition shorthand (r287669)
REGRESSION (r269146): ASSERTION FAILED: didNeedLayout || logicalHeight() == oldHeight in WebCore::RenderBlockFlow::ensureLineBoxes (r269188)
RenderBlock hit testing should ignore PseudoElements (r138317)
  => [New Parser] css3test.com 52% 1745 tests out of 3397 total for 791 features

Jan 05, 2022
============
Change offsetParent to match spec change (r287610)
Unreviewed, reverting r285915. (r287609)
CSS `transform` property  should take into account transform reference box (r287606)
WPT test css/css-transitions/parsing/transition-shorthand.html has failures (r287602)
Refactor code creating css values and lists for animation and transition properties (r287537)
Support the "animation" shorthand property in the computed style (r287535)
"animation" shorthand should list all longhand values when serializing (r287534)

Jan 04, 2022
============
[Web Animations] calling setKeyframes() on a running CSS Transition has no immediate effect (r287549)
REGRESSION(Containment) nullptr deref in RenderBox::styleDidChange (r287417)
[REGRESSION][[css-flexbox] child elements are shrunk to fit into container after r286206 (r287355)
<dialog> should generate implied end tags (r287309)
Don't include SVGImageForContainers in allCachedSVGImages (r287286)
[css-flexbox] Pre-layout orthogonal children to compute the preferred logical width (r287263)
null ptr deref in WebCore::findPlaceForCounter (r287194)
[JSC][32bit] Fix undefined behavior causing miscompilation with clang 13 on ARM (r287235)

Dec 16, 2021
============
[JSC] Generated code size reductions for baseline JIT (all architectures) (r286424 partial)
[JSC] Add branchTest16 operation (r286020 partial)
Flexbox ignores margins of absolute positioned children when `align-items: flex-end` or `justify-content: flex-end` (r287128)
[css-flexbox] Add support for left & right css-align-3 positional alignment properties (r282078)
[css-flexbox] Add initial support for css-align-3 positional alignment properties (r281840)
Fix SVG resource invalidation logic causing incorrect layout state. (r287076)

Dec 15, 2021
============
[ macOS iOS ] REGRESSION(r261600?): imported/w3c/web-platform-tests/html/dom/reflection-embedded.html & imported/w3c/web-platform-tests/html/dom/reflection-forms.html are flaky failures (r262231)
Implement @isConstructor bytecode intrinsic and bytecode for that (r261600)
[JSC] Align upon the name isCallable instead of isFunction (r260848)
[JSC] Clearly distinguish isConstructor from getConstructData (r260735)
[JSC] isCallable is redundant with isFunction (r260722)
Introduce OpIsCallable bytecode and intrinsic (r265907)
[JSC] Pass VM& parameter as much as possible (r232337 partial)
[css-flexbox] Absolutely positioned children should be aligned using the margin box (r287064)
Fix that height is calculated incorrectly when using display:table, box-sizing:border-box and padding. (r287063)

Dec 14, 2021
============
JIT call inline caches should cache calls to objects with getCallData/getConstructData traps (r224487 partial)
Null pointer crash in FetchResponse::clone (r287017)
FetchResponse::clone should use the relevant realm for the cloned response (r286970)

Dec 13, 2021
============
[css-writing-modes] Use the correct margins in computeInlinePreferredLogicalWidths in orthogonal flows (r286952)
Get rid of ThreadRestrictionVerifier (r161999)
`transform-origin` on SVG elements does not take into account the transform reference box origin (r286942)
nullptr deref in ComputeFloatOffsetForLineLayoutAdapter<FloatingObject::FloatLeft>::updateOffsetIfNeeded (r286866)

Dec 10, 2021
============
Stack-overflow crash in WebCore::RenderBox::computeLogicalHeight() (r286827)

Dec 09, 2021
============
[css-flexbox] `gap` does not work correctly when `flex-direction: column-reverse` is applied (r286654)
'border-radius shorthand is getting expanded in WebKit (r286652)

Dec 08, 2021
============
TypedArray prototype set should go down the fast path when using non clamped integer types of the same byte size (r286639)
Assertion after removing stylesheet with loading @import rule (r286599)

Dec 06, 2021
============
CSS animation sorting may crash due to AnimationList copy upon CSS Animation removal (r286532)

Dec 03, 2021
============
html/semantics/forms/constraints/form-validation-validity-valid.html WPT test is failing (r286482)
html/semantics/forms/constraints/input-number-validity-dynamic-value-no-change.html WPT test is failing (r286444)
validity.valueMissing should not rely on element's disabled state for inputs of type radio/file/checkbox (r286413)
Several WPT tests under html/semantics/forms/constraints are failing due to extraneous willValidate() checks (r286316)
html/semantics/forms/constraints/form-validation-validity-patternMismatch.html WPT test is failing (r286315)
Verify borderRect is Renderable (r286449)
Fix crash in GraphicsContextCG::endTransparencyLayer (r286439 + r286441)
Add a fast path for empty string to setInnerHTML() (r286425)
Reset height definiteness when constructing flex items (r286421)
sticky th or td in table does not stops at specified top (r286417)
Remove isOrphan check in ShadowRoot::setInnerHTML (r235864)

Nov 30, 2021
============
Speed up setting attributes of input elements of type 'text' (r208653)
Remove shadowPseudoId() override from the shadow media controls (r171907)
Specify Shadow DOM Pseudo IDs in Media Element Constructors (r166395)
INPUT_MULTIPLE_FIELDS_UI: Don't update shadow tree by updating any attribute (r146029)
Only handle ident tokens in consumeWillChange (r286220)
Refactor consumeWillChange() to make better use of consumeCustomIdent() (r285492)
Use isValidCustomIdentifier in consumeWillChange (r285487)

Nov 29, 2021
============
RenderTreeUpdater::current() returns null_ptr when mutation is done through Document::resolveStyle. (r226797)
[css-grid] Track sizing algorithm not repeated even if used flex fraction would change (r286148)
Serialize computed style of background shorthand with multiple layers correctly. (r286200)
[css-flexbox] Do not shrink tables bellow their intrinsic sizes (r286207)
[css-flexbox] Add support for replaced elements with intrinsic ratio and no intrinsic size (r286206)

Nov 23, 2021
============
rem in media queries should be calculated using font-size:initial, not root element font-size (r286123)
calc() should not contain 0 values other than percentages (r276052)
calc() simplification for a multiplication should apply the multiplication to each value of an addition (r275793 + r275855 rolled out + r275869)
[css-values-4] Support font-relative lh and rlh unit (r259703)
REGRESSION (r226385?): Crash in com.apple.WebCore: WebCore::MediaQueryEvaluator::evaluate const + 32 (r227082)
ASSERTION FAILED: m_fonts in &WebCore::FontCascade::primaryFont (r207726 complete revisited)
CrashTracer: com.apple.WebKit.WebContent at WebCore: WebCore::MediaQueryEvaluator::evaluate const (r203265)
RenderElement::style() should return const RenderStyle (r200098)
Remove unused RenderTextControl::textBaseStyle(). (r158178)

Nov 22, 2021
============
[MSVC] RenderBlock.cpp(2259): warning C4239: nonstandard extension used: 'initializing': conversion from 'WebCore::Length' to 'WebCore::Length &' (r286118)
Implement tab-size with units (r246193)
  => [New Parser] css3test.com 55% 1695 tests out of 3104 total for 719 features
Nullptr crash in CSSCalcValue::category() via HTMLConverterCaches::floatPropertyValueForNode (r276262 complete revisited)
calc() values resulting from blending mixed type lengths should be simplified (r275763)
Remove the confusing Value struct used for calc results (r253002)
CSSCalcOperation constructor wastes 6KB of Vector capacity on cnn.com (r238089)
Remove PassRefPtr use from the "css" directory, related cleanup (r210215 partial)
calc() serialization doesn't match the spec (r253079)
[css-grid] svg image as grid items should use the overriding logical width/height when defined to compute the logical height/width (r286100)
[css-grid] Images as grid items should use the overridingLogicalHeight when defined to compute the logical width (r280024)
Improve if condition in RenderReplaced::computeReplacedLogicalWidth (r278300)
Take box-sizing into account in replaced element intrinsic sizing (r273753)

Nov 21, 2021
============
Factor child change invalidation into class (r286058 + r286091 rolled out)
DFGByteCodeParser.cpp should avoid resizing the Operands<> of every BasicBlock on every inlining (r286030 + r286083 rolled out)

Nov 19, 2021
============
Handle custom identifiers and strings separately, so we can quote strings correctly consistently (r278540)

Nov 18, 2021
============
Images as grid items should use the overridingLogicalWidth when defined to compute the logical Height (r285998)
Rename customCssText -> customCSSText to match WebKit style (r155060)
SVGLengthValue should use two enums for 'type' and 'mode' instead of one unsigned for 'units' (r249822 partial)
Run the memmove fast path in JSGenericTypedArrayView<Adaptor>::set when using a combination of Uint8 and Uint8Clamped (r285971)
border-radius inline style should serialize with valid syntax (r285915)
[JSC] TypedArray GetArrayLength should not use Reuse (r285978)
Don't allow descriptors to be set to CSS-wide keywords (r280316)
Using CSS wide keywords as a fallback for variable substitution works inconsistently. (r268157)
Crash in match_constness<WebCore::CSSValue, WebCore::CSSPrimitiveValue>::type& WTF::downcast<WebCore::CSSPrimitiveValue, WebCore::CSSValue> -- ASAN (r261208)
Rename CSSCalcPrimitiveValue to CSSCalcPrimitiveValueNode, and CSSCalcOperation to CSSCalcOperationNode (r252971)
Can't change @font-face descriptors from fontFaceRule.style.setProperty() (r251655)
[css-grid] Preserve repeat() notation when serializing declared values (r245798)
Implement page-break-* and -webkit-column-break-* as legacy-shorthands. (r245276)
REGRESSION (Safari 11): custom <font-face> tag crashes a page (r225808)
Converting time, angle and frequency units in CSS calc() function (r178627)

Nov 16, 2021
============
:host::part(foo) selector does not select elements inside shadow roots (r285262)
::slotted element style not invalidated correctly in nested case (r285211)
::slotted shouldn't match an active <slot> (r285209)
Use Style::ScopeOrdinal for finding the right scope for ::part matching (r285202)
Support ::before and ::after pseudo elements after ::slotted (r284973)
Fix ::part(foo):hover (r284865)
Images as grid items should use the overridingLogicalWidth when defined to compute the logical Height (r280078 + r280290 + r282008 + r285857 rolled out)
  => [New Parser] css3test.com 55% 1694 tests out of 3107 total for 719 features
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 GCC8.3.0 with hard float.
    [JIT tests/V8/SunSpider/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016]
    [JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]
Revert r285235 (r285827)
Implement serialization of CSSPropertyGap (r266659 complete revisited)
REGRESSION (r283858): Intense white hover state appears on playback controls on Netflix/YouTube (r284169)
Add support for '-webkit-appearance: auto' (r283858)
Introduce ShadowPseudoIds to store all UA shadow root pseudo-element ids (r283757)
[css-ui] getComputedStyle() must return the specified value for '-webkit-appearance' (r283269)
RTL non-native <select> buttons should have arrows on the left (r200165)

Nov 15, 2021
============
Modal dialogs should make the root element unfocusable (r285791)
Fix mouse selection on modal <dialog> text nodes (r284366)
Replace Node::isInert() with RenderStyle::effectiveInert() (r283105)
Add more inert checks for selection-related functionality (r281930)
Align implementation of PositionIterator::isCandidate() on Position::isCandidate() (r280585)
Elements in a table are incorrectly selected in JavaScript. (r271635)
Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable (r261666)
ASSERTION FAILED: candidate.isCandidate() in WebCore::canonicalizeCandidate (r260207)
Unable to move selection into editable roots with 0 height (r240905)
An element with -webkit-user-select: all should be selected on single click (r152198)
Part2 of: Extend -webkit-user-select with new value "all" (r133224)

Nov 14, 2021
============
[css-flexbox] Add flex-basis: content support (r284440 + r284397 + r284359 + r285045 rolled out + r285709)
  => [New Parser] css3test.com 55% 1693 tests out of 3107 total for 719 features
Prevent fused multiply add during ParseInt (r285788)
[css-flexbox] Improve & simplify the flex-basis computation (r285623)
[aspect-ratio] Treat border/padding correctly for box-sizing: border-box (r276745)
Handle aspect-ratio: auto m/n for replaced elements (r272360)
Fix aspect ratio handling in RenderBox::computeLogicalWidthInFragment (r271223)
In regular block layout, the width of a child's margin box should always be equal to that of its containing block (r222321)
[css-grid] Stretch should grow and shrink items to fit its grid area (r213449 complete revisited)

Nov 13, 2021
============
Unreviewed, revert r284440, r284397, r284359 (r285045)
REGRESSION(r285481): Infinite recursion with cyclic filter reference (r285769)
Remove filterRes parameter from SVG filters (r236447)

Nov 11, 2021
============
Default computed value for "content" should be "none" for ::before and ::after (r285621)
The cssText property for a computed style should return an empty string (r285604)

Nov 10, 2021
============
When inlining NewSymbol in the DFG don't universally call ToString on the input (r285525)
[DFG][FTL] Add NewSymbol (r239142)
[ESNext] Symbol.prototype.description (r235712 complete revisited)
Fix crash in GraphicsContextCG::endTransparencyLayer (r285570)
Wavy decorations don't cover the whole line length (r285567)
[css-grid] update the content-sized grid width before laying out a grid item with block constraints and aspect-ratio (r285497)
[css-grid] WPT test css/css-grid/grid-model/grid-box-sizing-001.html fails (r272302)
Layout overflow is computed incorrectly inside flexbox (breaks sticky positioning) (r271053)
[css-grid] Set available column space before grid items prelayout (r266173)
Scroll position gets reset when overflow:scroll is inside grid (r243687)
[css-grid] Fix grid container sizing under min-content height (r238488)
hasOverflowClip() does not necessarily mean valid layer(). (r191915 complete revisited)
Element within flattened frame may update its scroll state during the layout phase of the wrong RenderView (r169128)

Nov 09, 2021
============
Rendering bug with height: min-content, position: absolute, and box-sizing: border-box (r285495)
Implement nonce-hiding (r285478)
Clicking an HTMLLinkElement should not trigger a navigation (r280479)
Call SVGTRefElement::buildPendingResource in SVGElement::didFinishInsertingNode (r258464)
Add missing call to completionHandler (r256569 partial)
Implement HTMLOrForeignElement (r249212 + r249249)
CSP status-code incorrect for document blocked due to violation of its frame-ancestors directive (r231464)
CSP should be passed the referrer (r231445)
FetchResponse should keep unfiltered ResourceResponse so that it can be used in Service Worker (r225702)
Service Worker fetch should transmit headers to its client (r224344 partial)
[Beacon] Do connect-src CSP check on redirects as well (r220549 partial)
Move dataset attribute from Element to HTMLElement / SVGElement (r204377)
Support activation behavior of link element (r174637)

Nov 08, 2021
============
REGRESSION (r283935): [ macOS wk1 ] imported/w3c/web-platform-tests/html/semantics/interactive-elements/the-dialog-element/dialog-autofocus-multiple-times.html is a flaky failure (r285449)

Nov 06, 2021
============
box-shadow and text-shadow do not yield float values while interpolating (r282768 + r282826 reverted + r284437)
Minor RenderStyle boxShadow cleanup (r269835)

Nov 04, 2021
============
WebDriver Input clear/value commands fails when target is inside shadow dom (r267978 partial)
Remove support for enabling subpixel CSSOM values, it's off by default everywhere and known to be not-compatible with the web (r267970)
Make table's clientWidth/Height include its border sizes. (r250553)
Some refinements for Node and Document (r241932 partial revisited)
offsetLeft and offsetParent should adjust across shadow boundaries (r239313)
Move offsetParent / offsetLeft / offsetTop / offsetWidth / offsetHeight from Element to HTMLElement (r216466)
REGRESSION (r268932): CPU usage higher than expected with sibling elements running WebAnimations (r285256)
border-radius inline style should serialize with valid syntax (r285235)
Return nullopt in aspect-ratio+intrinsic width case (r285232)
Implement serialization of CSSPropertyGap (r266659)
Shrink WebCore::Pair (r233652)

Nov 03, 2021
============
Clean up GraphicsContext use in RenderLayer::paintLayerContents() (r200279)
REGRESSION (r200283): Transform, overflow hidden and filter combination completely hides the element (r209697)
Blur filter escapes an enclosing overflow:hidden (r200283)
Uninitialized variables in RenderLayer (r253466)
Introduce the concept of "opportunistic" stacking contexts (r244509)
Normal-flow-only flex items don't correctly respect z-index (r238058)
RenderLayer tree-related cleanup (r237117)
Remove ClipRects's custom refcounting. (r206661)
RenderLayer::clipRects may return nullptr. (r206639)
ASSERTION FAILED: clipRectsContext.rootLayer == m_clipRectsCache->m_clipRectsRoot[clipRectsType] while loading guardian.co.uk (r206100)
Cleanup RenderLayer::shouldBeNormalFlowOnly (r205970)
ASSERT(!m_zOrderListsDirty) when mousing over web view with incremental rendering suppressed (r185858)
Crash in RenderLayer::rebuildZOrderLists (r285192)
Captcha images render as blank white space (r252353)

Nov 02, 2021
============
REGRESSION (r273003): Animated style may lose original display property value (r274170)
Animated keyframe style needs to go through full style adjuster (r273003)
REGRESSION (r254054): finance.google.com watch list renders initially then disappears for 5+ seconds before reappearing (r258336)
REGRESSION (r252724): Unable to tap on play button on google video 'See the top search trends of 2019' (r254054)
getComputedStyle returns "auto" for zIndex property even after it has been set, on non-positioned elements (r252724)
Animations should only trigger layer recomposite when necessary (r240012)
Simplify isRunningAnimationOnRenderer() (r239985)
Ignore visited background color when deciding if the input renderer needs to be painted natively. (r192389)
ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object (r285123)
Align %TypedArray% constructor behavior with spec (r270552 + r270554 + r270571)
[JSC] Support @@species in ArrayBuffer / SharedArrayBuffer slice (r269574)
Avoid unnecessary repaints when transforms change (r274597)
[Repaint] RenderLayerModelObject::styleWillChange may issue redundant repaint (r266901)

Nov 01, 2021
============
[Repaint] RenderElement::setStyle may issue redundant repaint (r266818)
[Repaint] styleWillChange may call repaint on the same renderer multiple times. (r266803)
opacity should flatten when combined with transform-style: preserve-3d (r285021)
ASSERTION FAILED: accumulation == TransformState::FlattenTransform in WebCore::GraphicsLayerCA::computeVisibleAndCoverageRect (r199847)
Sticky positioning is broken for table rows (r162960 complete revisited)
Move style adjustment code out of StyleResolver and into a class of its own (r252308)
Fix :host invalidation when combined with pseudo classes in descendant position (r285100)
[CSS Shadow Parts] Internal shadow pseudo elements should work with ::part (r250817)

Oct 31, 2021
============
Change some bitwise OR operators to logical OR (r285091)

Oct 30, 2021
============
Port WebAnimation to the HTML5 event loop (r252007 partial revisited)
Invoke callbacks registered by requestIdleCallback (r251050)
Add IDL for requestIdleCallback (r250816)
WTF::Deque should work with move only types (r155898)

Oct 29, 2021
============
if border-radius includes a var(), the value is not readable from .style (r285015)
[Web Animations] Add a supporting object for Document to manage timelines (r260504)
Consolidate detachment of document timeline into Document::commonTeardown. (r258267)
[Web Animations] Ensure CSS Transition and CSS Animation events are queued, sorted and dispatched by their timeline (r256619)
[Web Animations] Make all animation event types inherit from the same base class (r256610)
[Web Animations] Separate setting a timeline's current time from updating its animations (r255260)
Stop active DOM objects in removedLastRef (r253300)
Port WebAnimation to the HTML5 event loop (r252007 partial)
[Web Animations] Add support for AnimationEvent.pseudoElement (r251840)
WebAnimation should never prevent entering the back/forward cache (r251742 partial)

Oct 28, 2021
============
CSS Animations creation and sorting is incorrect and may lead to crash (r284312)
REGRESSION (r267571): black line appears upon navigating back from apple.com shopping bag (r271435)
Reduce the reliance on PseudoElement in the animation code (r267571)
Relative font size values (em) within CSS animations compound (r262946)
Pseudo-elements (::after) in shadow roots don't animate (r262711)
[Web Animations] Refactor animation comparison by composite order in a single utility function (r261470)
Fix animation ordering to make imported/w3c/web-platform-tests/css/css-animations/Element-getAnimations.tentative.html pass (r261217)
Add release asserts to KeyframeEffectStack::ensureEffectsAreSorted() (r259630)
Additional sanity checks in compareAnimationsByCompositeOrder() (r259538)
[Web Animations] REGRESSION: Changing the animation-duration of a CSS Animation may not resume it (r253901)
Assertions in findFirstSlotElement hit when removing two slots with the same name in a single shadow tree (r284969)
Changing the src attribute of the <img> element inside an ImageDocument does not trigger a load (r284901)
Incorrect call to StyledElement::setInlineStyleProperty in ImageDocument::createDocumentStructure (r219479)
REGRESSION(r189555): ImageDocument title no longer includes the size of the image (r210536 + r210556)
[iOS][wk2] Use ImageDocument to display subframe PDFs (r170091)
Clean up Image Document and tweak the layout and viewport (r168327)

Oct 27, 2021
============
Remove AnimationTimeline::animationsForElement() and the CSS Transitions and CSS Animations accessors on ElementAnimationRareData (r267204)
[Web Animations] Add support for `pseudoElement` on `KeyframeEffect` and `KeyframeEffectOptions` (r260139)
[Web Animations] Store an Element / PseudoId pair to define the KeyframeEffect target (r260076 + r268730)
[Web Animations] Crash under `KeyframeEffect::getKeyframes` for a `DeclarativeAnimation` (r259205)
[Web Animations] Changing the delay of an accelerated animation doesn't seek the animation (r255422)
[Web Animations] getKeyframes() doesn't return the right timing function for declarative animations (r251649)
Fix CSS serialization affecting grid-auto-flow (r284876)
[Web Animations] Move Document.getAnimations() to DocumentOrShadowRoot (r259577)
[Web Animations] Add support for the options parameter to getAnimations() (r255149)

Oct 26, 2021
============
Factor PseudoElement creation calls into a single Element::ensurePseudoElement(pseudoId) method (r260088)
::before/::after elements not filling their grid cell when container has display: contents (r251780)
PseudoElement created for any ::before/::after selector regardless of whether a content property exists (r241189)
Enable selector filtering for ::before and ::after pseudo element resolution (r225485)
Serialize :part() argument as identifier (r284863)
Don't forget about the outer selector when matching ::slotted(). (r281692)
Fix nth-child An+B serialization to match the spc (r251647)
[CSS Shadow Parts] Correct interaction with other pseudo elements (r250701)
Text representation of pseudo elements, '::-webkit-distributed', is wrong in CSSSelector::selectorText(). (r147295)
  => [New Parser] css3test.com 55% 1669 tests out of 3061 total for 709 features
Fix issue for transform-origin in SVG (r284853)
[JSC] Fix stale assertion in InternalFunctionAllocationProfile after r284757 (r284852)
[JSC][32bit] Don't speculate Cell on PutByVal (r284788)

Oct 25, 2021
============
[CSS-grid] Need to set prefer width dirty for the child that has constraints to the grid area (r284793)
REGRESSION (r263729): transform transition doesn't restart (r268809)
REGRESSION (r263729): Carousel freezes on "fourth page"/fourth click on right arrow on netflix.com (r265985)
[Web Animations] REGRESSION: Bootstrap Carousel component v4.1 regressed with Web Animations (r263729)
REGRESSION: Delayed updating of the parallax images on pacificvoyages.net/posts (r263464)
[Web Animations] Ensure calling Web Animations APIs override future CSS Animations style properties (r260671)
[Web Animations] Forward-filling animations should not schedule updates while filling (r252944 + r252951 rolled out + r252957)
[Web Animations] Precompute an animation effect's active duration and end time (r251785)
[Web Animations] Setting the style at the last style change event to null should not create an ElementAnimationRareData object (r262897)
Hardware fill-forwards animation and transitions don't interact correctly (r262154)
[Web Animations] ElementAnimationRareData is created too frequently (r258834)
[css-writing-modes] Fix sizing of orthogonal elements with percentage margins (r284773)
[JSC][32bit] Re-enable compileEnumeratorGetByVal fast path (r284700)
  I've also updated the 32 bits version of compileGetByVal to be closer to the 64 bits version.
InternalFunction::createSubclassStructure() should use prototype's global object (r284757)

Oct 22, 2021
============
The intrisic size of picture image inside a template is always zero (r284667)
REGRESSION (r277997): Max-height not applied for image (r280889)
REGRESSION (r277997) Images get stretched with aspect-ratio and max-width: x% (r280631)
Implement width and height attributes on source elements of <picture> (r279108)
Use HTMLDimension to parse different HTML attribute length values (r278765)
Aspect ratio from width and height attribute is not compatible to string with invalid ends (r278689)
Use the parsed width and height attributes as a presentational hint for aspect-ratio CSS property (r277997)
Not computing image aspect ratios from width and height attributes for lazy loaded images (r276521)
Fix max-content on tables with percentage cell widths. (r275462)
"min-content" & "max-content" keywords should behave as initial value in block axis (but WebKit improperly treats them as the content-size) (r273206)
Handle min-width/min-height:auto for aspect-ratio (r272718 revisited complete)
Add [ActiveDOMObject] to IDLs of ActiveDOMObjects (r251040 + r251051 rolled out + r251053 partial)
Add support for HTMLSourceElement.prototype.sizes / HTMLSourceElement.prototype.srcset (r206140)
Make WebGLRenderingContext inherit from ActiveDOMObject (r139142)

Oct 21, 2021
============
Computed style for the translate CSS property should use px for the z value (r276551)
Updating an individual transform CSS property has no visual change when composited (r268547)
transform-origin is applied on top of invidivual CSS transform properties on composited layers (r268444)
CSS transform computed style should not reflect individual transform properties (r268263)
Add support for non-accelerated animation of individual transform properties (r268173)
  => [New Parser] css3test.com 55% 1669 tests out of 3061 total for 709 features
Add non-animated support for the CSS rotate property (r267985)
Add non-animated support for the CSS scale property (r267958)
Add non-animated support for the CSS translate property (r267887 + r267898 rolled out + r267937)
SVGTransformListValues wastes 127KB of Vector capacity on nytimes.com (r232942)
[Web Animations] Animated transform styles are ignored when calling getComputedStyle() (r229889)
Eliminate "FractionConversion" from CSSPrimitiveValue::convertToLength (r171871)
CSS3 calc: working with translate and scale transforms (r138833)
Fix percentages on orthogonal replaced children (r284548)
Don't use intrinsic width if our container's width is zero (r223389)
We should watch isHavingABadTime if we read from the structureCache (r284576)

Oct 20, 2021
============
Don't re-evaluate viewport dependent media queries if the viewport doesn't change (r284536)
[css-flexbox] Add flex-basis: content support (r284440)
canDoFastSpread should also check that the Structure is from the global object we're watching (r284506)
Regression(r284336): [ iOS 15 ] system-preview/badge.html is image failing (r284490)
Origin of opaque blob: URLs ends up as empty string (r284478)

Oct 19, 2021
============
AnimationTimeline should not have multiple HashMaps with raw Element* keys (r258316)
[Web Animations] Support multiple CSS Animations with the same name in animation-name (r255076)
[Web Animations] Make AnimationList ref-counted (r254991)
[css-flexbox] Do not clamp flex base size with {min|max}-{height|width} (r284397)
[css-flexbox] Improve & simplify the flex-basis computation (r284359)
[css-flexbox] Do not compute the min-max sizes of flex items twice (r278865)
Cleanup RenderFlexibleBox (r274284)
REGRESSION (r191336): RenderFlexibleBox::adjustChildSizeForMinAndMax crashes in std::optional<>::value() (r235590)
background-clip:text doesn't paint correctly for inline box spanning multiple lines (r284380)

Oct 18, 2021
============
REGRESSION (r270850): Reference clip path clips in the wrong place when inside non-visible overflow (r284336)
Zooming browser does not properly scale SVG clip paths (r281736)
REGRESSION (r259137): Clip-path rendering regression when element contains transformed child (r270850)
Hovering over countries at https://covidinc.io/ shows bizarre rendering artifacts (r259137)
[css-masking] Black backdrop on -webkit-clip-path on SVG root (r234136)

Oct 16, 2021
============
Make sure child layers of top layer elements are rendered and correctly z-ordered (top-layer-stacking.html fails) (r284314)
REGRESSION (r276370): Elements with animated transform property might not properly rendered (r284247)

Oct 15, 2021
============
[Web Animations] Implement Animation.commitStyles() (r252966)
[LayoutState cleanup] Remove explicit pop from LayoutState (r224653)
[LayoutState cleanup] Remove conditional push from RenderTableSection::calcRowLogicalHeight (r224641)
[LayoutState cleanup] LayouState::m_lineGrid should be a weak pointer (r224632)
Fix grid-auto-repeat-dynamic-003.html (r284235)
Don't run focusing steps on disconnected or inert <dialog> (r284174)

Oct 14, 2021
============
Remove useless isConnected() check from HTMLDialogElement::close() (r284149)
Implement <dialog> focusing steps (r284116)
Implement new autofocus behavior (r283935)
Reset m_isModal flag when removing <dialog> from document (r283631)
Make inert nodes invisible to hit testing (r283079)
Implement inert attribute behind feature flag (r281490)
Initial implementation of inert subtrees (r281309)
REGRESSION (Safari 14): Menu items jump around on codelearn.cat (r278428)
REGRESSION (r270849): Button content fails to render on apple.com "Blood Oxygen"/"ECG" (r275607)
Toggling pointer-events on body does not re-enable scrolling on child (r270339 + r270363 rolled out + r270849)
Detach frame from document when entering page cache (r212173 + r212174)
Crash when navigating back to a page in PacheCache when one of its frames has been removed (r211254)
Ensure navigation only allowed for documents not in the page cache (r210474 + r211256 rolled out)

Oct 13, 2021
============
MessagePort messages sent in iframe unload event not received (r284101)
Make "overflow: overlay" a synonym for "overflow: auto" (r236341)
Remove overflow: -webkit-marquee (r198255)
overflow:scroll should not leave space for a scroll corner with overlay scrollbars (r173668)
Fix spec-correctness when inlining __proto__ intrinsic using get_by_id_with_this (r284036)
Correctly interpolate stroke-dasharray in the discrete case (r276643)

Oct 12, 2021
============
Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser (r283862)
RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp* (r283818)
[JSC] Implement RegExp Match Indices proposal (r273086 + r273160)
Refactor clz/ctz and fix getLSBSet. (r243418 partial)

Oct 07, 2021
============
[Performance] Optimize RenderLayer::establishesTopLayer (r283441)
Top layer: handle display: contents and non out-of-flow position values (r281252)
Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser (r283623)
Prune code after ForceOSRExit (r243176)
We can't remove code after ForceOSRExit until after FixupPhase (r242989)
Fix serialization of CSSMediaRule (r283637)
Ensure that the top layer is always anchored to the RenderView (r283634 + 283672 rolled out)
Re-generalize top layer element concept (r281793)
removeFromTopLayer shouldn't be called in every removal of an element (r281548)

Oct 06, 2021
============
Move cancel dialog task to `defaultKeyboardEventHandler`. (r281492)
Implement top layer rendering bits (r281296)
Check for dialog existence in top layer in HTMLDialogElement::showModal & close (r281014)
Implement support for <dialog> element cancel event (r280703)
<dialog> element: do not perform close() method steps when removing open attribute. (r279950)
Make topLayerElements() use Ref instead of RefPtr (r279783)
Add topLayerElements() and activeModalDialog() to Document (r279780)
Use setBooleanAttribute instead of setAttributeWithoutSynchronization(X, Y ? emptyAtom() : nullAtom()); (r279643)
Add modal dialog UA styles (r279414)
Support -internal- prefix for pseudo classes and rename :-webkit-direct-focus to :-internal-direct-focus (r279408)
Implement support for <dialog> element close event (r279406)
Add basic <dialog> element UA styles (r278003)
Very basic <dialog> show/close support (r253880)
Add a runtime-disabled dialog element skeleton (r247527)
Remove code behind ENABLE(DIALOG_ELEMENT) (r154835)
Don't pass DontBuildStrings to next token after parsing an empty parameter list (r283600)
Incorrect Length constructor used after blending negative Length (r283568)
Unsupported blending of mixed length types leads to nullptr deref when accessing m_value.calc in CSSPrimitiveValue::primitiveType() (r283562)
radial-gradient does not accept calc values that combine length and percent (r283561)
Blend using calc() when necessary (r276138)
Blending lengths of different types should be allowed outside of the [0-1] range (r274353)

Oct 05, 2021
============
IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this (r283512)

Oct 04, 2021
============
WebCore::Length incorrectly uses memcpy() for copy constructors/operator and IPC encoding/decoding (r283470 partial)
Incorrect preferred width computation when trimmable leading whitespace is present (r283481)
[css-grid] Accommodate spanning items crossing flexible tracks (r283439)
[css-grid] Replace the use of -1 with WTF::nullopt (r274477)
[css-grid] Do not allow negative heights (r273470 + r273492 rolled out)
[css-grid] max-height percentages are wrongly resolved for replaced grid items (r272309)
[css-grid] Prevent FindUsedFlexFraction from iterating items twice (r269509)
[css-grid] Clear the override width for computing percent margins (r261841 + r262809 rolled out + r267503)
[css-grid] Improve performance of track sizing algorithm for spanning items (r256826)
[css-grid] Always consider baseline shim for the minimum contribution (r243218)
[css-grid] Apply automatic minimum size clamping to spanning items too (r228661)
[css-grid] Spanning Grid item has too much space at the bottom / is too high (r227288)
[css-grid] Automatic minimum size is not clamped if min track sizing function is auto (r225776)

Oct 01, 2021
============
The DFG/FTL need to be aware that Proxy's can produce "function" for typeof and might be callable (r283332)
[css-grid]  Transfer sizes from the aspect-ratio while resolving min-length for auto repetitions (r283321)
Remove OpIsObjectOrNull from ClassExprNode::emitBytecode() (r265744)

Sep 30, 2021
============
DFG strength reduction on % operator should handle an INT_MIN divisor. (r283300)
Thin hairline gap displayed for subpixel sized inset box-shadows (r283258)
Remove rounding logic in RenderGeometryMap::mapContainer (r276629)
[css-grid] Set hasIntrinsicWidth & hasIntrinsicHeight properties for SVG element's intrinsic size (r275772)
ASSERTION FAILED: roundedIntPoint(LayoutPoint(rendererMappedResult)) == result in WebCore::RenderGeometryMap::mapToContainer (r257046)

Sep 29, 2021
============
Pagination mode: Increase the amount of recursions allowed by RenderTable::layout() (r274627)
Support aspect-ratio on <body> in quirks mode (r272193)
Angled gradient backgrounds in body render vertically when body height is 0 (r236636)
CounterMaps should hold a unique_ptr of CounterMap. (r235537)
Paginated mode: Infinite recursion in RenderTable::layout (r219394)
REGRESSION(r214712): Infinite recursion in RenderTable::layout in paginated mode (r218721)
<table>: Including <caption>, <thead> or <tbody> causes clipping across page breaks (r214712)

Sep 28, 2021
============
Render: properly update body's background image (r179871 + r188190 rolled out)
REGRESSION: Fixed background on ColterReed.com scrolls (r149949)
RenderLayer::scrollTo() should call FrameLoaderClient::didChangeScrollOffset() (r143825 + r146185 rolled out + r146260)
Fix overlay scrollbar painting in compositing layers (r135029)
The CSS 'columns' property when set on the <body> element makes short columns (r209719)
ASSERTION FAILED: !newRelayoutRoot.container() || !newRelayoutRoot.container()->needsLayout() in WebCore::FrameView::scheduleRelayoutOfSubtree (r195069)
[New Multicolumn] Column set drawing under horizontal scrollbar. (r167617)
REGRESSION (r227011): fast/frames/hidpi-position-iframe-on-device-pixel.html times out (r227379)
Can't scroll iframe after toggling it to display:none and back (r227011)

Sep 24, 2021
============
[RenderTreeUpdater] NULL ptr deref in updateRenderTree (r283030)

Sep 23, 2021
============
RenderBox is a RenderElement which can have image updates from style changes. (r282880)

Sep 22, 2021
============
REGRESSION(r282129): Double clicking margin of a block inside a <span> may select a wrong block (r282816)

Sep 21, 2021
============
[css-grid] When the max is less than the min in minmax(), the max will be floored by the min (r282804)
[css-grid] FlexType is not applicable to min track sizing (r282801)
[css-grid] Fix auto repeat with multiple tracks and gutters (r261949)
[css-grid] Use max size to compute auto repeat tracks (r245279)

Sep 20, 2021
============
Fix computed style for transform-origin on SVG boxes (r282379)
Perpective origin should be relative to the reference box (r261575)
[clip-path] Implement support for margin-box as reference box and box shape (r233886)
[SVG] Fix CSS transform handling when zoomed (r166967)
user-select: none cursor turns to I-beam on mouse dragging (r156635 + r167688 rolled out)

Sep 17, 2021
============
font-weight should always serialize as a number (r282545)
Test variation font ranges in the CSS Font Loading API (r214433)

Sep 16, 2021
============
[css-grid] Overflow should be computed with the actual logical bottom (r282463)
[css-flexbox] Implement row-gap and column-gap for flex layout (r267829)
offsetLeft on display:inline element in vertical-rl parent can return a negative number (r282447)
Cull inline culling (r282223)
RenderInline offsetTop/Left should not switch to legacy layout (r282202 partial)
Disable inline culling (r282129)
[LFC][RenderTreeDump] Expand RenderInline 0 height quirk logic to previous/next siblings (r271773)
[_WKActivatedElementInfo image] is often empty (r171284)

Sep 15, 2021
============
Fix button-min-width.html (r282440)
imported/w3c/web-platform-tests/css/css-sizing/image-min-max-content-intrinsic-size-change* tests fail (r282438)
URLs in CSS variables must be resolved against the base URL of the stylesheet, not the document (r282403)
Tighten up CSSPendingSubstitutionValue (r257697)
Opacity should always serialize as a number (r251828)
Serialization of custom props in longhand should be "" not value of shorthand (r214383)
  => [New Parser] css3test.com 58% 1650 tests out of 2983 total for 676 features

Sep 14, 2021
============
[css-flexbox] percent children don't resolve against the flex basis on a fully inflexible item with fixed flex-basis (r276634)
[css-flexbox] max-height percentages are wrongly resolved for replaced grid items in nested percentage flexboxes (r275758)
Fix replaced element definiteness as a grid-item (r274099)
[css-flex] Don't skip flexboxes with auto height for percentage computations in quirks mode (r266716)
REGRESSION (r262124): Twitter videos go blank after exiting fullscreen (r263389)
[css-grid] calling correct offset function for RTL for out of flow child (r282340)

Sep 10, 2021
============
changing border size on rows with border-collapse not redrawing (r282266)
Eagerly resolve slot elements to simply the code in SlotAssignment (r281878 + r282120)

Sep 09, 2021
============
Interoperability issue in margin collapsing with overflow:hidden elements (r282085)
Do not let RenderFragmentContainers create new formatting contexts (r282083)

Sep 06, 2021
============
Ensure fragmented flow state invalidation even when the cached fragmented flow is not present. (r282047)
[JSC] Yarr::ByteTerm sometimes leaves fields uninitialized (r282023)
Absolutely positioned and negative z-index div with canvas child gets drawn with wrong stacking order (r281913)
resetFlowThreadContainingBlockAndChildInfoIncludingDescendants should not ignore RenderElement subtrees. (r216549)

Sep 01, 2021
============
visualWordPosition should operate on a clean tree (r281847)
REGRESSION (r272900): wpt.fyi loading performance is very slow (regressed, and slower than other browsers) (r281813)
REGRESSION (r275756): Accelerated animations freeze when invalidating layout with shadow dom (r281128, 240582@main)
[Web Animations] Refactor cancelDeclarativeAnimationsForElement and willDestroyRendererForElement on AnimationTimeline (r258842)
Accelerated animations freeze on render tree rebuild (r255663)

Aug 31, 2021
============
DoubleToStringConverter::ToExponential() should null terminate its string. (r250636)

Aug 27, 2021
============
Float32Arrays.sort() return undefined when length < 2 (r281686)
[css-grid] Fix min/max widths of grid affected by ancestor (r273435 + r273606 rolled out + r275754 + r281662 rolled out)

Aug 24, 2021
============
Sticky position should not use transformed position to compute sticky offset. (r281446)
position: sticky with display: inline-block (r281185)

Aug 20, 2021
============
document.hasFocus() returns true for unfocused pages (r281228)

Aug 16, 2021
============
Remove shadow related SVG functionality (r281064)
Remove support for -webkit-svg-shadow (r238071)

Aug 13, 2021
============
Fix bounds checks for WhitespaceCache string lengths (r281008)

Aug 12, 2021
============
Move resolving direction and writing mode to PropertyCascade (r251644)
Move StyleResolver::applyProperty to PropertyCascade (r251636)
Build cascade in PropertyCascade constructor (r251632)
Support iterating over an OptionSet and checking if it is empty (r197788)

Aug 11, 2021
============
Move more cascade related code from StyleResolver to PropertyCascade (r251611)
Update CSS Properties and Values API to use new cycle fallback behaviour (r239365)

Aug 10, 2021
============
Move property cascade out of StyleResolver (r251540)
[JSC] super-Latin1 white space and line terminator after regular expression literal misinterpreted as flags (r280825)

Aug 09, 2021
============
Remove some 16bits conversion. (r150985)
Do not bloat HTMLTokenizer with a giant inline InputStreamPreprocessor::peek (r150105)
Fold MarkupTokenizerBase into HTMLTokenizer now that it is the only subclass (r142535)
Make WebVTTTokenizer stop inheriting from MarkupTokenizerBase (r142497)
Modernize and streamline HTMLToken and AtomicHTMLToken (r177952 + r177962 + r177968)
Cache recently atomized all-whitespace strings for use by the HTML parser (r280772)
Increase inline size of HTMLToken::Attribute::value (r280771)
Remove the size of DataVector in HTMLToken (r150912)

Aug 06, 2021
============
REGRESSION (r274038): Keyframe animation with top/left with percentages fails to animate (r280721)
Improve blending of Length and other Length-related types (r274038)
Adjust progress parameter before calling blend() for discrete interpolations (r273896)
border-image-slice blending does not account for the fill keyword (r273625)
Improve blending of LengthBox values (r273623)
Length blending should allow for a ValueRange parameter (r273603)
CSS properties that disallow negative values should not animate to negative values (r273001)
[Web Animations] Interpolation between lengths with an "auto" value should be discrete (r233892)

Aug 06, 2021
============
Comparing styles with large but identical custom property maps is slow (r266717)
CSS Custom Properties API Should Support syntax="*" and "<length>", and handle cycles properly (r237697)
Remove an unused member and constructor parameter from CSSPropertyParser (r215058)
  => [New Parser] css3test.com 58% 1650 tests out of 2973 total for 675 features

Aug 05, 2021
============
Registered custom properties should support syntax parameter for <length> and * (r237347 + r237570 rolled out)
Properly determine if css custom property values are computationally independent (r236895)
Registered custom properties should allow inheritance to be controlled (r236828)
Implement initialValue support for CSS Custom Properties and Values API (r236379)

Aug 04, 2021
============
Implement CSS Custom Properties and Values Skeleton (r236273)

Aug 03, 2021
============
Use WeakPtr instead of manual raw pointer management in URLSearchParams (r280594)
Check that shadow root is connected in invalidateStyleAfterStyleSheetChange (r280586)
REGRESSION (r273072): Images do not layout correctly on walmart.com/grocery (r280530)
[css-flexbox] Improve computation of intrinsic sizes of flex items with aspect ratio (r279286)
[css-flexbox] Do not clamp flex base size with {min|max}-{height|width} (r279271 + r279657 rolled out)
[css-flexbox] Cleanup OverridingSizesScope RAII class (r279274)
[css-flexbox] Move flex item preferred width computation specifics to RenderFlexibleBox class (r279268)
[css-flexbox] Sanitize the aspect ratio handling code (r278450)
[css-flex] Refactoring of code retrieving main/cross size lengths from children (r273242)
Improve readability in RenderFlexibleBox::childIntrinsicLogicalWidth (r272846)

Jul 29, 2021
============
Crash in ApplyStyleCommand::applyRelativeFontStyleChange (r280381)

Jul 28, 2021
============
Refactor MASM probe CPUState to use arrays for register storage. (r219740 partial)
4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
   This is inconsistent with how every other CPU architecture implements
   lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
   updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
   
Jul 28, 2021
============
[ARM] Disable Inline Caching on ARMv7 traditional until proper fix (r203272)
[ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0 (r218519 + r218527)
[ARM] Disable Inline Caching on ARMv7 traditional until proper fix (r204025)
[ARM] Build broken on armv7hl after r235517 (r236315)
[ARM] MacroAssembler generating incorrect code on ARM32 Traditional (r173179)
[arm] Use specific PatchableJump implementation for CPU(ARM_TRADITIONAL). (r158915);
[Qt][ARM] REGRESSION(r130826): It made 33 JSC test and 466 layout tests crash (r135717 complete revisited)
Add moveDoubleToInts and moveIntsToDouble to MacroAssemblerARM (r130872 complete revisited)
Buildfix after r125541 (r125704 complete revisited)
[Qt][ARM]ARMAssembler needs buildfix afert r123417 (r123735 complete revisited)
REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)' (r231011)
[arm] Fix lots of crashes because of 4th argument register trampling (r158208 complete revisited)
revertBranchPtrWithPatch is incorrect on ARM traditional (r143346)

Jul 23, 2021
============
Unreviewed, reverting 280130. (r280213)

Jul 22, 2021
============
REGRESSION(r209495): materiauxlaverdure.com fails to load (r218446)
CSS.supports("font-variation-settings", "'wght' 500") erroneously returns false (r208321)
Implement `CSS.escape` as per CSSOM (r204952)
window.CSS should be a constructor with static functions (r199112)
[JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants (r234090)

Jul 21, 2021
============
Missing layouts when using simplified layout with OOF positioned elements (r280130)
[RenderTreeBuilder] Update the fragmented status of the renderer when it becomes in-flow (r279996)
[JSC] invalidParameterInstanceofSourceAppender should care direct call of Symbol.hasInstance (r280097)
DFG's parseIntResult() should check for negative zero. (r280060)
FetchBodySource/FetchBodyOwner cleanup (r280005)

Jul 13, 2021
============
[YARR] Interpreter incorrectly matches non-BMP characters with multiple . w/dotAll flag (r274945)
[YARR] Properly handle surrogates when matching back references (r250568 complete revisited)
[JSC] Perform check again when we found non-BMP characters (r249926 complete revisited)
REGRESSION (r243642): Crash in reddit.com page (r243967)
REGRESSION (r243642): com.apple.JavaScriptCore crash in JSC::RegExpObject::execInline (r243839)
[YARR] Precompute BMP / non-BMP status when constructing character classes (r243642 complete revisited)
[YARR] Allow for Unicode named capture group identifiers in non-Unicode regular expressions (r260033)
Add support in named capture group identifiers for direct surrogate pairs (r259262)
Invalid numeric and named references should be early syntax errors (r259026)

Jul 12, 2021
============
[ESNExt] String.prototype.matchAll (r246567)
String.prototype.matchAll should throw on non-global regex (r251483)
Fix missing exception check in replaceUsingStringSearch(). (r252767)
replaceUsingStringSearch() should not use CachedCall with host functions. (r252766)
Fix broken String.prototype.replace() and replaceAll(). (r252758)
Implement String.prototype.replaceAll (r252683 + r252721 + r252753 rolled out + r252754 rolled in)
:link and :visited pseudo-class selectors should not match <link> elements (r279818)
document.readyState should be "complete" after calling DOMParser.parseFromString() (r279803 + r279808 rolled out + r279814)
Continue to consult InlineAccess's Structure even after switching to a stub IC (r279813)

Jul 09, 2021
============
RegExp.prototype[Symbol.replace] does not support named capture groups (r254195)
[JSC] DFG strength reduction should define "groups" for RegExp constant-folded result (r252514)
RegExpBuiltinExec should create "groups" property unconditionally (r252374)
Shadow host stops rendering after removing a slot, updating style, then its assigned node (r279721)

Jul 08, 2021
============
[WPE] Fieldset elements can incorrectly get treated as opaque with async scrolling overflow areas enabled (r279640)

Jul 06, 2021
============
[FreeType] Simple and complex paths are not applied consistently (r224223)
[FreeType] Complex text is enabled too often after r221909 (r222077)

Jun 30, 2021
============
[iOS] Upstream JavaScriptCore support for ARM64 (r157474 complete revisited)
Sign m_offset in AssemblerLabel (r272191)
[ARM64] Do not fail branchConvertDoubleToInt32 when the result is zero and not negative zero (r184414)
[JSC] JIT::assertStackPointerOffset() crashes on ARM64 (r171705)
REGRESSION(159395) Fix branch8(, AbsoluteAddress, ) in ARM64 MacroAssembler (r159653 revisited)
Add MacroAssembler::patchableBranch64 and fix ARM64's patchableBranchPtr (r188135 complete revisited)
Unreviewed, another ARM64 build fix. (r157621)
GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64 (r165362)

Jun 29, 2021
============
Workaround for Cortex-A53 erratum 843419 (r184170)
Workaround for Cortex-A53 erratum 835769 (r175514)
ARM64: Update getHostCallReturnValue() to use architected frame pointer register (r159466)
[ARM64] GCC generates wrong code with -O2 flag in WTF::weakCompareAndSwap (r166234)

Jun 28, 2021
============
ARM64 moveConditionallyDouble() for DoubleNotEqualAndOrdered is wrong. (r259556)
Fix some issues in the ARM64 moveConditionallyAfterFloatingPointCompare() and moveDoubleConditionallyAfterFloatingPointCompare(). (r258038)
[JSC][ARM64] Fix branchTest32/64 taking an immediate as mask (r204009)
[JSC] Get the JavaScriptCore framework to build on ARM64 with B3 enabled (r194388 partial)
Fix flakey dfg-int8array.js and dfg-int16array.js tests for ARM64 (r182091)
Take care of some ARM64 test failures (r169092)
REGRESSION(r167591): ARM64 and ARM traditional builds broken (r167599)
ARM64 rshift64 should be an arithmetic shift (r164663)
ARM64: Crash in JIT code due to improper reuse of cached memory temp register (r160056)
aarch64: JSC::ARM64Assembler::LinkRecord::<unnamed union>::RealTypes::m_compareRegister is too small to hold all values of JSC::ARM64Assembler::RegisterID {aka enum JSC::ARM64Registers::RegisterID} (r246151)
[JSC] ZeroExtend and SignExtend use incorrect addressing on ARM64 (r196544)
ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister. (r194707 revisited + r194711)
[JSC] Get more of testb3 to pass on ARM64 (r194635)
[JSC] Build B3 by default on iOS ARM64 (r194530)
Fix JSC::ARM64Assembler::LinkRecord::RealTypes (r172578)
REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices (r167782)
[ARM64] Fix assembler build issues and add cacheFlush support for Linux (r165961)

Jun 23, 2021
============
[RenderTreeBuilder] ASSERTION FAILED: m_renderer in FloatingObject::renderer() (r279142)
Make rendererIsEverNeeded check less strict (r279118)
[Web Animations] Stop creating CSS Animations for <noscript> elements (r254201)

Jun 21, 2021
============
Crash in WebCore::SlotAssignment::assignedNodesForSlot (r279010)
REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor (r277373)

Jun 15, 2021
============
logged in GitHub issue pages have bad layout for "Notifications Customize" link (r278864)
Enable <summary> to be a flex container (r278280)

Jun 14, 2021
============
[Datalist] Display prefix-matched suggestions first (r235490)
Dismiss HTML form validation popover when pressing Escape key (r211653)
Make sure HTML validation bubble gets dismissed when its associated element's frame gets detached (r210939)
Make sure HTML validation bubble's state is updated after layout (r209901)
Compute document marker rects at use time instead of paint time (r190363 complete revisited)
ShortCircuitReadModifyResolveNode can't emit a value into its result until after it emits a TDZ check. (r278819)
EventSource.constructor throws an exception when the url param is an empty string (r278763)

Jun 11, 2021
============
Drop unnecessary call to StringView::toStringWithoutCopying() in shouldTreatAsPotentiallyTrustworthy() (r278749)
URL::host should return a StringView to reduce allocations (r232198)
Add URL::hostAndPort() (r208945)
Fix StringView misplaced implementations after r181525 and r181558 (r181717)

Jun 10, 2021
============
Function.toString() should also copy the source code Functions that are class definitions. (r236713)
Simplify the CachedScript ASCII optimization. (r194529)
jsc CLI tool crashes on EOF. (r194409)
CachedScript could have a copy-free path for all-ASCII scripts. (r194017)
FixupPhase should be more eager to demote bit math to untyped (r200958)
Polymorphic operand types for DFG and FTL bit operators. (r194113 complete revisited)
Factoring out common DFG code for bitwise and shift operators. (r193795)
REGRESSION: [Mac wk1] imported/w3c/web-platform-tests/mathml/presentation-markup/scripts/underover-parameters-3.html is a flakey failure (r255414)
document.fonts.ready is resolved too quickly (r249295)

Jun 09, 2021
============
[Flexbox] FlexItem stays invisible after initial layout (r278659)
Short circuit read modify write nodes emit byte code that uses the wrong locals (r278578)
[ESNext] Implement logical assignment operators (r260119)
Ripping out broken Baseline JIT rare case profiling. (r277758)
Missing arithMode for ArithAbs and ArithNegate in DFGClobberize (r258452 complete revisited)
DFG JIT: compileMathIC produces incorrect machine code (r233716)
[JSC] op_negate should with any type (r207369)

Jun 08, 2021
============
[JSC] Shrink the Math inline caches some more (r206392)
[JSC] Use an inline cache to generate op_negate (r206289 + r206297)
Sub should be a Math IC (r203979)
Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly (r205364)
JITMathIC was misusing maxJumpReplacementSize (r205283)
MathICs should be able to emit only a jump along the inline path when they don't have any type data (r203786)
op_mul/ArithMul(Untyped,Untyped) should be an IC (r203693)
REGRESSION(r203537): It made many tests crash on ARMv7 Linux platforms (r203615)
[ARM] Unreviewed EABI buildfix after r203537. (r203595)
op_add/ValueAdd should be an IC in all JIT tiers (r203537)

Jun 07, 2021
============
Diff aspect-ratio property values correct (r278524)
aspect-ratio not recomputed on hover (r275377)

Jun 04, 2021
============
[RenderTreeBuilder] Reset the "children inline" state when merging anonymous table boxes (r276872)
Remove redundant RenderObject::isInFlowRenderFragmentedFlow (r276718)
Remove unused RenderObject::isOutOfFlowRenderFragmentedFlow (r276707)
[RenderTreeBuilder] Multi-column spanners are not part of the enclosing multi-column renderer's subtree (r276464)
Ignore column spanner property for the inner part of a text control. (r276419)
[RenderTreeBuilder] Do not try to collapse anonymous blocks when cleaning up the first-letter subtree (r276137)
[RenderTreeBuilder] Cleanup the inline tree when moving subtrees (r275761 + r275852 rolled out + r276014)
Ignore non-null lastQuote ASSERT when continuation is broken (r275606)
[RenderTreeBuilder] Do not merge anonymous table cells with mismatching children types (r275278)
[RenderTreeBuilder] Anonymous table cell collapsing should also cleanup the inline tree (r275205)
[Multicolumn] Do not try to re-validate a multicol spanner when the renderer is moved internally (r275133)
[RenderTreeBuilder] No need to update the counters when the renderer is moved internally (r275126)
[RenderTreeBuilder] Do not try to normalize the tree while destroying the multicolumn flow (r275067)
Collapse newly adjacent anonymous table cells when a table cell is detached from between them. (r275059)
[New Multicolumn] Assertion failure in huge-column-count.html (r167720 + r167721 rolled out + r167723)
[RenderTreeBuilder] ASSERTION FAILED: ancestor->style().columnSpan() != ColumnSpan::All || !isValidColumnSpanner(fragmentedFlow, *ancestor) in WebCore::isValidColumnSpanner (r276637)
[RenderTreeBuilder] Subtree moving should clear the floats on all the descendants (r276549)
Anonymous table rows do not collapse if there are any other non-anonymous table row siblings. (r274739)
Do not collapse the anonymous block when it is a candidate container for the list marker (r274437)
RenderLineBreak should stay inline level box even when display property says otherwise. (r274398)
Cleanup references to float and out-of-flow renderers before destroying them. (r274278)
[Multi-column] Adjust the flow state of the descendants when going from not-inside-flow to inside-flow (r274212)
Clean up the text boxes when the associated text renderer is detached from the tree (r274211)
[RenderTreeBuilder] Invalidate beforeChild when parent changes to RubyBase (r274039)
[RenderTreeBuilder] Readjust the first child when it is the multicolumn container (r274035)
Render tree updates for Text node content mutations should happen during rendering update (r273621 + r275657 rolled out)
[Multicol] set the childrenInline flag on the RenderBlockFlow properly (r271394)
[css-multicol] Restore placeholders on multicolumn children position changes. (r271357)
[css-multicol] Update fragment flow state on element insertion when element position changes (r271356)
[css-multicol] Do not attach <legend> to <fieldset> multicolumn containers (r271130)
Multicolumn children becoming in-flow elements should be inserted into the multicolumn flow (r270580)
RenderTreeBuilderBlock using an incorrect anonymous parent to attach a new renderer (r269954)

Jun 03, 2021
============
[Multicol] Reset the childrenInline state on the RenderBlockFlow when destroying the multicolumn context (r263435)
Release Assert @ WebCore::RenderTreeBuilder::RenderTreeBuilder (r262524 + r262651 rolled out + r262743)
ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder (r262095)
Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when parent and beforeChild are siblings (r262093)
Don't put out-of-flow boxes in anonymous flex/grid items (r262061)
[css-grid] Don't create renderers for whitespace nodes (r262033)
Do not clear selection/repaint when the renderer gets moved during tree normalization. (r261675)
Use more WeakPtr in RenderTreeBuilder::FirstLetter (r259798)
[MultiColumn] Call RenderTreeBuilder::multiColumnDescendantInserted only when the enclosing fragmented flow has changed (r259334)
[Tables] Infinite recursion in RenderTreeBuilder::attach (r259296)
[RenderTreeBuilder] Destroy the child first in RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers (r259160)
Nullptr crash in InlineTextBox::emphasisMarkExistsAndIsAbove (r259158 + r259232 rolled out)
[MultiColumn] Ignore spanner boxes inside <legend> (r258666)
[Tree building] Reset the fragmented flow status before calling child.willBeRemovedFromTree. (r258466)
[Tree building] Block::attachIgnoringContinuation should allow inline tables as before child container (r258455)
Nullptr crash in RenderStyle::isFlippedBlocksWritingMode when fragment flow gains a new in-flow descendant (r257129)
Crash in RenderTreeBuilder::Table::findOrCreateParentForChild with multicol spanner (r256089)
Null Ptr Deref READ @ WebCore::RenderMultiColumnFlow::lastMultiColumnSet const (r255113)
Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when an element is inserted before legend under multi-column layout. (r255083)
fast/css/first-letter-and-float-crash.html asserts under ComplexLineLayout::createLineBoxes (r254976)
RenderTreeBuilder::Block::attachIgnoringContinuation should handle inline-block anonymous containers. (r254484)
Nullptr crash in WebCore::RenderTreeBuilder::attach (r253806)
CrashOnOverflow in WebCore::RenderTable::cellBefore(WebCore::RenderTableCell const*) (r278219)
Do not collapse the anonymous block when it is a candidate container for the list marker (r274437)
Do not mix inline and block level boxes. (r245158)
Do not insert the first-letter anonymous container until after we've constructed the first-letter renderer. (r243331)
Do not collapse the soon-to-be-parent anon block when we shuffle around the marker item renderer. (r238119)
RenderSVGInline has to be inline always regardless of its css display value (r233056)
RenderBox::parent/firstChild/nextSibling/previousSiblingBox() functions should type check. (r230004)
[RenderTreeBuilder] Move styleDidChange mutation logic to RenderTreeUpdater (r229200)
[RenderTreeBuilder] Move RenderFullScreen::createPlaceholder to RenderTreeBuilder (r228949)
ASSERTION FAILED: !object || !isRuby(object->parent()) || is<RenderRubyRun>(*object) || (object->isInline() && (object->isBeforeContent() || object->isAfterContent())) || (object->isAnonymous() && is<RenderBlock>(*object) && object->style().display() == D (r251799)
Anonymous block collapsing can destroy the renderer's parent. (r232920 complete revisited)
Folding anonymous blocks should not result in deleting content. (r230313)
[RenderTreeBuilder] Add WARN_UNUSED_RETURN to detach() (r228948)
[RenderTreeBuilder] Rename insertChild() -> attach(), takeChild() -> detach() and removeAndDestroy() -> destroy() (r228938)
[RenderTreeBuilder] Move RenderObject::insertedInto() mutation logic to RenderTreeBuilder (r228914)
[RenderTreeBuilder] Move RenderView::willBeRemoved() mutation logic to RenderTreeBuilder (r228889)
Make RenderPtr a type alias of std::unique_ptr (r222740 partial)
[css-grid] Crash on debug changing the style of a positioned element (r238888)
Do not reuse generated inline renderer for the first letter. (r233055)
[RenderTreeBuilder] ::willBeRemoved() does not need RenderTreeBuilder anymore. (r228908)
[RenderTreeBuilder] Move RenderBoxModelObject::willBeRemoved() mutation logic to RenderTreeBuilder (r228899)
[RenderTreeBuilder] Move RenderTextFragment::willBeRemoved() mutation logic to RenderTreeBuilder (r228884)
[RenderTreeBuilder] Move RenderFullScreen::willBeRemoved() mutation logic to RenderTreeBuilder (r228862)
[RenderTreeBuilder] Move RenderListItem::willBeRemoved() mutation logic to RenderTreeBuilder (r228858)
[RenderTreeBuilder] Rename RenderTreeBuilder::removeAndDestroyChild() -> removeAndDestroy() (r228704)
[RenderTreeBuilder] Remove redundant RenderObject::removeFromParentAndDestroy (r228701)
[RenderTreeBuilder] Move RenderElement::removeAndDestroyChild() to RenderTreeBuilder (r228683)

Jun 02, 2021
============
[RenderTreeBuilder] Cleanup RenderTreeBuilder (r228595)
[RenderTreeBuilder] Move RenderBoxModelObject::moveChild*() to RenderTreeBuilder (r228593)
[RenderTreeBuilder] Move RenderElement::insertChildInternal() to RenderTreeBuilder (r228588)
[RenderTreeBuilder] Move RenderBlock/RenderInline::addChildIgnoringContinuation() to RenderTreeBuilder (r228578)
[RenderTreeBuilder] Move RenderElement::addChild() to RenderTreeBuilder (r228566)
[RenderTreeBuilder] Move RenderBlock/RenderBlockFlow::addChild() to RenderTreeBuilder (r228559)
[RenderTreeBuilder] parent.Render*::addChild() cleanup (r228550)
[RenderTreeBuilder] Move RenderMenuList::addChild() to RenderTreeBuilder (r228547)
[RenderTreeBuilder] Move RenderTableRow::addChild() to RenderTreeBuilder (r228542)
[RenderTreeBuilder] Move RenderTableSection::addChild() to RenderTreeBuilder (r228530)
[RenderTreeBuilder] Move RenderTable::addChild() to RenderTreeBuilder (r228529)
[RenderTreeBuilder] Move RenderInline/RenderGrid::addChild() to RenderTreeBuilder (r228520)
Don't use RenderTreeBuilder::current() in RenderTreeUpdater (r230823)
RenderTreeBuilder::splitAnonymousBoxesAroundChild should take multicolumn spanners into account. (r229474)
[RenderTreeBuilder] Move RenderMathMLFenced::addChild() to RenderTreeBuilder (r228503)
[RenderTreeBuilder] Move RenderSVG*::addChild() to RenderTreeBuilder (r228492)
[RenderTreeBuilder] Remove redundant RenderTreeBuilder methods (r228465)
[RenderTreeBuilder] Move RenderElement::takeChild() to RenderTreeBuilder (r228464)
[RenderTreeBuilder] Move RenderBlock::takeChild() to RenderTreeBuilder (r228441)
[RenderTreeBuilder] Move RenderBlockFlow::takeChild() to RenderTreeBuilder (r228432)
[RenderTreeBuilder] Move RenderSVG*::takeChild() to RenderTreeBuilder (r228429)
[RenderTreeBuilder] Move RenderGrid::takeChild() to RenderTreeBuilder (r228428)
[RenderTreeBuilder] Move RenderButton::takeChild() to RenderTreeBuilder (r228423)
[RenderTreeBuilder] Move RenderMenuList::takeChild() to RenderTreeBuilder (r228414)
[RenderTreeBuilder] Introduce RenderTreebuilder::takeChild (r228400)
Anonymous block collapsing can destroy the renderer's parent. (r232920)
[RenderTreeBuilder] Make RenderTreeBuilder::* classes WTF_MAKE_FAST_ALLOCATED (r228954)
[RenderTreeBuilder] Move RenderBlock::dropAnonymousBoxChild to RenderTreeBuilder (r228391)
[RenderTreeBuilder] Move RenderBlock::takeChild mutation to a RenderTreeBuilder (r228365)
[RenderTreeBuilder] Move RenderRubyRun::takeChild mutation to a RenderTreeBuilder (r228345)
[RenderTreeBuilder] Move RenderRubyAsInline/AsBlock::takeChild mutation to a RenderTreeBuilder (r228339)
[RenderTreeBuilder] Introduce RenderTreeBuilder to willBeDestoryed/removeFromParentAndDestroy (r228337)

Jun 01, 2021
============
[RenderTreeBuilder] Move multicolumn descendant/sibling removal logic to RenderTreeBuilder (r228327)
[RenderTreeBuilder] Move multicolumn spanner mutation logic to RenderTreeBuilder (r228320)
[RenderTreeBuilder] Introduce RenderTreeBuilder to moveChild(ren)To() functions (r228284)
[RenderTreeBuilder] REGRESSION(r228238) Detach renderer before destroying its subtree. (r228606)
[RenderTreeBuilder] Do not use RenderTreeBuilder::current() in RenderRubyRun::takeChild (r228289)
[RenderTreeBuilder] Move RenderElement::removeAnonymousWrappersForInlinesIfNecessary to RenderTreeBuilder (r228274)
[RenderTreeBuilder] Remove RenderElement::destroyLeftoverChildren. (r228238)
[RenderTreeBuilder] Move RenderBlock::removeLeftoverAnonymousBlock to RenderTreeBuilder (r228224)
Add assert verifying all renderers get destroyed (r222863 + r222867)
[RenderTreeBuilder] Move RenderRubyRun::rubyBaseSafe to RenderTreeBuilder::Ruby (r227980)
[RenderTreeBuilder] Introduce RenderTreeBuilder to takeChild() (r227977)
[RenderTreeBuilder] Move RenderTableRow::collapseAndDestroyAnonymousSiblingRows to RenderTreeBuilder (r227963)
[RenderTreeBuilder] Move RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers to RenderTreeBuilder. (r227928)
[RenderTreeBuilder] Move RenderMultiColumnFlow::resolveMovedChild to RenderTreeBuilder. (r227903)
[RenderTreeBuilder] Move RenderRubyRun::rubyBaseSafe to RenderTreeBuilder::Ruby (r227856)
[RenderTreeBuilder] Move childBecameNonInline to RenderTreeBuilder (r227791)
[RenderTreeBuilder] Move RenderRuby's moveChildren logic to RenderTreeBuilder (r226714)
Move update image calls to RenderElement::styleDidChange. (r208571)

May 31, 2021
============
[RenderTreeBuilder] Move RenderElement addChild mutation logic to RenderTreeBuilder (r226660)
[RenderTreeBuilder] Move MathML addChild logic to RenderTreeBuilder (r226654)
[RenderTreeBuilder] Move RenderTable* addChild mutation logic to RenderTreeBuilder (r226634)
[RenderTreeBuilder] Transition Render*::addChild() calls to RenderTreeBuilder::insertChildToRender*() (r226632)
[RenderTreeBuilder] Move SVG addChild logic to RenderTreeBuilder (r226568)
Modernize RenderSVGText::locateRenderSVGTextAncestor(). (r163285)
[RenderTreeBuilder] Move RenderBlockFlow addChild logic to RenderTreeBuilder (r226537)
[RenderTreeBuilder] Move RenderInline addChild logic to RenderTreeBuilder (r226520)
[RenderTreeBuilder] Move RenderBlock addChild logic to RenderTreeBuilder (r226516)
::first-letter incorrectly selects grapheme pairs (r226614 + r227691)
RenderTreeUpdater::GeneratedContent should hold a weak reference to RenderQuote. (r226309)
[RenderTreeBuilder] Move RenderMenuList::addChild() tree mutation to RenderTreeBuilder (r226273)
[RenderTreeBuilder] Move RenderButton::addChild() tree mutation to RenderTreeBuilder (r226265)
[RenderTreeBuilder] Move RenderRubyAsInline::addChild mutation to a RenderTreeBuilder (r226246)
[RenderTreeBuilder] Move RenderRubyAsBlock::addChild mutation to a RenderTreeBuilder (r226240)
[RenderTreeBuilder] Move repeating code to RenderTreeBuilder::insertInternal (r226237)
[RenderTreeBuilder] Move ruby mutation code to a dedicated class. (r226221)
Centering text inside a button set to display flex and justify-content: center is impossible (r213173)
Use WeakPtr for RenderTreePosition::m_nextSibling (r226488)
[RenderTreeBuilder] Move finding-the-parent/creating-wrapper logic from RenderTable::addChild to RenderTreeBuilder (r226181)
Move list and multicolumn building code from RenderTreeUpdater to RenderTreeBuilder (r226179)
Move first-letter building code to RenderTreeBuilder (r226168)
[RenderTreeBuilder] Move finding-the-parent/creating-wrapper logic from RenderTableSection::addChild to RenderTreeBuilder (r226140)
[RenderTreeBuilder] Move finding-the-parent/creating-wrapper logic from RenderTableRow::addChild to RenderTreeBuilder (r226127)
Move render tree updating related files under rendering/updating/ (r226013)
Introduce RenderTreeBuilder (r225969 + r225994 rolled out + r226007)

May 28, 2021
============
REGRESSION(r230914) Selecting text on this apple.com page makes it vanish (r231178)
[Win] Crash under WebCore::SimpleLineLayout::generateLineBoxTree (r230995)
[Simple line layout] Generate inline boxtree using simple line layout runs. (r230914)
iBooks: Overlapping/missing content at beginning/end of paragraph. (r219742)
Initialize a new layout state while bailing out of simple line layout only when needed. (r216001)
Text gets cut off when bailing out of simple line layout with widows. (r215861)
Simple line layout: Add top level pagination support. (r213639)
Simple line layout: Re-adjust paginated lines when block height changes. (r212986)
Simple line layout: Set the pagination strut on the flow when the first line does not fit the page. (r212854)
Simple line layout: ensureLineBoxes for paginated content. (r212843)
Simple line layout: Add support for pagination. (r212468)
Migrate BidiRunList and BidiRun to automatic memory management (r198970 + r199015)
  => [New Parser] css3test.com 58% 1636 tests out of 2954 total for 672 features

May 27, 2021
============
[CSS Font Loading] Fonts are erroneously invisible when the policy says they should be visible (r223576)
Add "display" to FontFace Javascript object (r222949)
Implement font-display loading behaviors (r222926 + r222969)
Parse font-display (r220725 complete revisited)
Don't hang onto expired resources without validation headers in memory cache (r278119 rolled out)
  -> crash in pruneDeadResourcesToSize
Don't hang onto expired resources without validation headers in memory cache (r278119)
Infinite recursion via CachedResource::~CachedResource (r241121)
Loading of multipart response was cancelled because of content policy set in WebFrameLoaderClient::dispatchDecidePolicyForResponse (r230489)
Unreviewed, reverting r278028. (r278125)

May 26, 2021
============
Move 'style' from Element to HTMLElement / SVGElement and make it settable (r216426)
Cache style declaration CSSOM wrappers directly on MutableStylePropertySet. (r152935)
Only MutableStylePropertySets should be able to have CSSOM wrappers. (r148410)
References from CSSStyleDeclaration to CSSValues should be weak (r230737 rolled in)
[WebIDL] Remove the need for the side map of DeprecatedCSSOMValue roots (r219744)
Rename Element::style() to Element::cssomStyle() (r196430)
Remove DeprecatedCSSOMValue::equals (r226382)
[CSS Values] Make separate wrapper classes for the deprecated CSS Values OM (r209969)

May 25, 2021
============
Introduce remote variants of Frame / DOMWindow classes (r230613)
CrashOnOverflow in WebCore::RenderTable::cellBefore(WebCore::RenderTableCell const*) (r278028)
media/restore-from-page-cache.html causes NoEventDispatchAssertion::isEventAllowedInMainThread() assertion failure (r214392)
Add support for prefers-color-scheme media query (r237156)

May 21, 2021
============
[css-flexbox] Wrong height of an empty table inside an orthogonal flex parent (r277777)
[iOS] Multiple select appearance doesn't update when selecting or deselecting rows in the picker view (r230055)
Drop select.remove() / options.remove() overloads taking an option element in parameter (r213607)
Update HTMLSelectElement::recalcListItems() to ignore nested optgroup elements (r207276)
validity assertion fails after removing a child of an <optgroup> element (r204186)
Remove UsePointersEvenForNonNullableObjectArguments from HTMLSelectElement (r199334)
HTMLSelectElement add() should support adding group of options element (HTMLOptGroupElement). (r177629)

May 20, 2021
============
Calculated width percent loses the floating point and cause line wrap (r277738)
Fix flex-aspect-ratio-002+004.html (r277717)

May 19, 2021
============
REGRESSION (r249160): Deleting newline after pasting text ending in a newline results in a discontinuity (r260528)
Rename LineLayoutInterface to LineLayoutTraversal (r250343)
Refcount simple line layout (r250234)
Implement Position::upstream and Position::downstream with line layout iterator (r250132)
Move code for traversing reversed text boxes from TextIterator to TextBoxIterator (r249943)
InlineTextBox::end() should return first-past-end offset (r249160)
Fix LogicalSelectionOffsetCaches to work with detached render tree. (r203045)
Selection cache produces invalid result when ancestor has float element. (r185665)
The containing block for a fixed renderer has to be a type of RenderBlock (r277698)
RenderElement::containingBlockForAbsolutePosition may call RenderObject::containingBlock recursively (r272931)
styleDidChange functions should all check for nullptr oldStyle (r266930)
RenderObject::containingBlock() cleanup. (r204667)

May 18, 2021
============
Eliminate separate simple line layout path from TextIterator (r249895)
[Simple line layout] Add support for line layout box generation with multiple text renderers. (r231384)
Difficult to scroll calcalist.co.il webpage, scrolling gets 'stuck' (r277650)
StructureRareData::m_replacementWatchpointSets should not be a pointer to a pointer (r277620)
REGRESSION (r271119): Object methods defined with shorthand notation cannot access "caller" in non-strict mode (r277613)
Reduce use of dmb ish on ARM64 (r277117 partial)
Reduce size of HashMap and HashSet (r255611)
Structure::previousID() races with Structure::allocateRareData() (r201590)

May 17, 2021
============
Implement layout system independent text box iterator (r249084)
Subpixel rendering: Inline box decoration rounds to integral. (r170875)
  => [New Parser] css3test.com 58% 1635 tests out of 2954 total for 672 features
InlineBox should not hold a reference to RenderObject (r275943)
Subpixel layout: Switch inlines' baseline positioning from int to LayoutUnit. (r275413)
Tables with vertical-lr writing-mode doesn't apply correctly vertical-align: baseline (r238441)

May 15, 2021
============
Wrong static position for out-of-flow positioned element with different writing-mode than its containing block (r277497)

May 14, 2021
============
Ensure scrollable transformed elements that are themselves within scrollable elements don't ignore border-radius (r277462)
[css-flexbox] Flex item construction may affect sibling flex item height computation (r277222 + r277297 rolled out + r277435)

May 13, 2021
============
ConservativeRoots triggers page demand on Speedometer (r277346 + r277381 rolled out + r277388)
ASSERTION FAILED: m_clients.contains(&client) in CSSFontFace::removeClient via CSSSegmentedFontFace::~CSSSegmentedFontFace() (r277378)

May 12, 2021
============
Long hang when loading a cnn.com page on iOS (r247195)
Layer flashing and poor perf during scrolling of message list on gmail.com and hotmail.com - overlap testing needs to constrained to clipping scopes (r245602)
Avoid a recursive descendants layer walk sometimes (r245375)
Clean up code related to compositing overlap map maintenance (r245373)
Clean up RenderLayerCompositor::computeCompositingRequirements() and traverseUnchangedSubtree() (r245371)
Move RenderLayerCompositor's OverlapMap to its own file (r245326)
Absolute in stacking-context scroller jiggles when scrolled (r243309)
Sometimes unable to scroll fixed div when the body is scrollable (r192193)
Layer z-ordering is incorrect when scrolling on page witih position:fixed (r187271)
Text disappears shortly after page load on Nexus 7 site. (r185019)
RenderObject: Inline isBody() and isHR(). (r159793)
Function.prototype.toString triggers page demand on Speedometer (r277347 partial)
ConservativeRoots triggers page demand on Speedometer (r277346)

May 11, 2021
============
Page::m_isInWindow is uninitialized (r143979)
Clarify isInWindow vs. isVisible path through to RenderLayerCompositor (r143428)
REGRESSION (r238090): animation on https://www.robotodyssey.online gets stuck; site broken (r244752)
REGRESSION (iOS 12.2): CSS perspective property value can only be set correctly once (r244612)
REGRESSION (r238266): Exchange 2013 Outlook Web Access displays partially blank page when creating new e-mail (r243786)
REGRESSION (r241788>): ASSERTION FAILED: !m_normalFlowListDirty in TestWebKitAPI.WebKit.ResizeReversePaginatedWebView test (r241830)
REGRESSION (r238090): Toggling visibility on the <html> element can result in a blank web view (r241788)
REGRESSION (r238090): After showing the Find banner or tab bar, hit tests are vertically offset (or painting is not offset) (r239601)
REGRESSION (r238090): CAPCHA UI jumps to the wrong location (r239150)
REGRESSION (r238090): position:fixed sidebar on https://www.w3.org/TR/SVG2/coords.html does not stay fixed (r238840 + r238855 rolled out + r238876)
Optimize composited iframe layer hookup (r238337)
REGRESSION (r238090) Composited iframes that resize from zero don't show (r238269)
Overlay with -webkit-overflow-scrolling:touch doesn't become scrollable after added text makes it taller (r238266)
REGRESSION(r238090): Composited iframe contents disappear after switching tabs in Safari (r238229)
Transform of composited layer not updated when layer also needs repaint (r238170)
Make compositing updates incremental (r238090)
When navigating back to a page, compositing layers may not use accelerated drawing (r224796)
Remove the WK1-only code path for independently composited iframes (r183943)
Don't call RenderLayerCompositor::needsToBeComposited() so many times (r181247)
Overflow regions sometimes repaint incorrectly after going into or coming out of compositing mode (r125104)

May 10, 2021
============
Remove the 'CompositingChildrenOnly' flag which was always on (r224712)
Clean up RenderLayer z-order traversal code (r222373)
Simplify compositing layer updating (r222254 + r222285 rolled out)
Move composite bounds calculation to RenderLayerBacking. (r171073)
Remove redundant repaintCompositedLayers() parameter and its dependencies. (r170590)
RenderLayerBacking should have RenderLayer& backpointer. (r157378)
Canvas and DOM go out of sync (r144674)
Add RenderLayer::enclosingStackingContainer (r141159)
SVGGeometryElement.getPointAtLength should clamp its argument to [0, length] (r251877)
Make all SVG shape interfaces inherit from SVGGeometryElement (r231955)
Implement SVGGeometryElement's isPointInFill and isPointInStroke (r231739)
Introduce SVGGeometryElement interface (r230829)
Templatize SVGAnimatedType (r229417)
SVGAnimatedListPropertyTearOff::synchronizeWrappersIfNeeded() should do nothing if the property is not animating (r226457)
[SVG] Detach list wrappers before resetting the base value. (r226065)
Convert resetAnimValToBaseVal take a reference to a SVGAnimatedType (r193809)
Refine and simplify some color-related code (r190003)
Crash when appending an SVG <use> element dynamically which has animated SVG <path> element (r186541)

May 07, 2021
============
Add SVGPropertyTraits::fromString() to all the SVG animated types (r228721)
[SVG] Moving more special casing of SVG out of the bindings - SVG lists (r208863)

May 06, 2021
============
Fix missing exception check in objectConstructorGetOwnPropertyDescriptors(). (r277092)
[SVG] Moving more special casing of SVG out of the bindings - SVGNumber/SVGPoint/SVGRect/SVGLength/SVGTransform/SVGMatrix (r208705)
<Error>: CGContextSetLineDash: invalid dash array: at least one element must be non-zero (r207030)
DOMWindow properties may get GC'd before their Window object (r248155)
Deploy smart pointers in RadioButtonGroups and RadioButtonGroup (r251110)
Radio button groups are not scoped by shadow boundaries (r250708)
Rename CheckedRadioButtons into RadioButtonGroups (r201659)
AX: Consolidate radio button group member code with that in HTMLElement derivatives (r198997)

May 05, 2021
============
Re-order the tests in RenderLayerCompositor::requiresCompositingLayer() for performance (r220381)
Bug 164702: WebContent crash due to checked unsigned overflow in WebCore: WebCore::RenderLayerCompositor::requiresCompositingLayer const + 1104 (r208691)
Reduce the side-effects of animations turning off overlap testing (r181515 + r181521)
In RenderLayerCompositor, track layer bounds and the haveComputedBounds flag together in a struct (r181245)
Convert the compositing overlap map to use LayoutRects (r179771)
Drop unnecessary overlapMap null checks in computeCompositingRequirements() (r174658)
Improve performance of the RenderLayerCompositor::OverlapMap (r167407)
Remove non-overlap testing code in RenderLayerCompositor (r148765)
REGRESSION (179771): zooming on facebook images covers image (r185093)
Blob contentType with charset renders html as plain text (r276986)
ASSERTION FAILED: contentSize >= 0 in WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax (r276971)
Fix syntax error message for AUTOPLUSPLUS token. (r276942)

May 04, 2021
============
RenderGeometryMap should know about individual transform properties (r276370)
Assertion in RenderGeometryMap::mapToContainer with LayoutUnit overflow. (r178009)
RenderLayer::renderer() should return a reference. (r154587)
Crash in WebCore::nextBoundary() (r276940)

May 03, 2021
============
Nullopt in RenderFlexibleBox::layoutFlexItems in RenderFlexibleBox::layoutBlock via RenderMultiColumnFlow::layout (r276835)
Expand on shouldComputeLogicalWidthFromAspectRatioAndInsets return logic (r275402)
Fix table-element-001.html (r274467)
Apply transferred min/max sizes for intrinsic sizing (r274287)
Support aspect-ratio in intrinsic sizing (r274068)
Fix flex-aspect-ratio-009.html (r273952)
Support aspect-ratio on flexbox items (r273193)
Make auto && <ratio> use content box-sizing (r272569)
Make shouldComputeLogicalWidthFromAspectRatioAndInsets writing mode aware (r272363)
Improve percentage height in shouldComputeLogicalWidthFromAspectRatio (r272992)
Fix logic error in shouldComputeLogicalHeightFromAspectRatio (r272049)
Handle zero aspect-ratio width/height (r271948)
Refactor computePreferredLogicalWidths (r271934)
Handle min-width/min-height:auto for aspect-ratio (r272718)
Support transferred min/max block size for aspect-ratio (r271554 + r271648)
Take aspect-ratio into account for percentage resolution (r271293 + r271375)
Support aspect-ratio on positioned elements (r271061)
Support aspect-ratio on replaced elements (r270618)
Support aspect-ratio on non-replaced elements (r270551)
[css-flexbox] WebKit doesn't preserve aspect ratio when computing cross size of flexed images in auto-height flex container (r270288)
[css-flex] Remove flexbox's specific computePreferredLogicalWidths() (r267183)
[CSS Regions] Region's float parent doesn't size according to region size but to content node size (r148943)
Flexboxes incorrectly add the scrollbar width to the intrinsic width of fixed-width items (r139351 complete revisited)
  => [New Parser] css3test.com 58% 1634 tests out of 2952 total for 671 features
getPropertyValue for url path doesn't return the "#" character (r276888 + r276894)
[css-flex] Implement section 9.8 Definite and Indefinite Sizes case 1 (r270578 + r272755 rolled out + r273072)
[css-flex] RenderFlexibleBox::computeMainSizeFromAspectRatioUsing() must obbey box-sizing (r270617)
Remove -webkit-aspect-ratio support (r269820)
Parse aspect-ratio CSS property (r269641)
[css-flexbox] min-height:auto not updated after an image loads when the image has a specified height and width. (r265858)
[css-flexbox] Apply aspect ratios when computing flex-basis (r265855)
Changing canvas height immediately after page load does not relayout canvas (r201889)

May 01, 2021
============
[css-logical] Fix logical shorthands with var() (r276837)

Apr 30, 2021
============
Avoid null deref after inserting a text field with a list attribute (r259402)
[Datalist] Add button to TextFieldInputs with a datalist (r234281 + r234289 rolled out + r234898)
[Datalist] Allow TextFieldInputType to show and hide suggestions (r232640)
Refactoring: Move the content of HTMLInputElement::subtreeHasChanged to TextFieldInputType (r135675)
Correct input[type=number] value sanitization for user-input (r135598)
[SVG] Start moving special casing of SVG out of the bindings - SVGPreserveAspectRatio (r208581)
[SVG] Start moving special casing of SVG out of the bindings - SVGAngle (r208480)
[SVG2] Implement marker orient='auto-start-reverse' (r197738)
Fix animation of orient attribute on marker element (r175525)
Floating object are not removed from the initial containing block (r276816)

Apr 29, 2021
============
imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html hits assertion (r235956 complete revisited)
Replace some stack raw pointers with RefPtrs within WebCore/html (r223644 partial revisited)
Remove SpinButtonElement::shadowPseudoId (r171832)
A Spin button should release mouse event capturing when a modal dialog opens (r134886)

Apr 28, 2021
============
Store InputType in a Ref before calling setValueAsDecimal (r275807)
input[type=number] does not increment/decrement integers with trailing decimal characters (r191940)
Do not dispatch change event twice in single step action (r164367)
:in-range & :out-of-range CSS pseudo-classes shouldn't match disabled or readonly inputs (r202159)
:in-range & :out-of-range CSS pseudo-classes shouldn't match inputs without range limitations (r202143)
REGRESSION(r215946): Can't reference a table cell in Google spreadsheet (r217576)
The rects returned by Element/Range.getClientRects() should not be rounded (r216817)
Stop using legacy ClientRect / ClientRectList in Internals (r215956)
Range.getClientRects() / getBoundingClientRect() should return DOMRect types (r215946)
Element.getBoundingClientRect() / getClientRects() should return a DOMRect types (r215892)
Move PostResolutionCallbackDisabler to resolveComputedStyle (r273415)
[selectors] :focus should match inside the focus event (r271146)
%TypedArray%.prototype.sort() should not use a regular array as a temp buffer. (r276612)

Apr 27, 2021
============
INPUT_MULTIPLE_FIELDS_UI: Should not move focus if the element already has focus (r141887)
INPUT_MULTIPLE_FIELDS_UI: Focus order is not controllable by tabIndex attribute on <input> (r141835)
Click on a label element won't select input[type=date] (r141395)
REGRESSION (r257839): Broken focus when 'display' changes in an attribute selector (r271446)
REGRESSION (r257839): Miscomputed style due to computed 'rem' value in matched declaration cache (r269384)
REGRESSION (r257839): Can't add a memo when transferring funds in First Tech Credit Union App (r267345)
REGRESSION (r257839): clickpay.com - password placeholder text cannot be replaced (r266887 + r266899)
REGRESSION (257846) Crash on maps.google.com under Element::isVisibleWithoutResolvingFullStyle (r258172)
Avoid full style resolution on Element::focus() (r257839 + r257846)
Facebook post with lots of comments has cut off scrollbar, and can't scroll fully to the bottom (sticky) (r266156)
[selectors4] :focus-within should use the flat tree (r215719)
REGRESSION (233281): fast/dom/location-new-window-no-crash.html and some other tests are timing out (r233341)
Don't invoke post resolution callbacks when resolving computed style (r233281)
Focusing a shadow host which delegates focus should skip inner shadow hosts which delegate focus (r252537)
Make elements of zero width or height focusable (r226823)
Don't resolve an extra computed style for getComputedStyle in a display: none subtree. (r219138)
Add support for @href attribute in MathML (r203104)
Additional refinement in MathMLSelectElement toggle implementation (r160771)

Apr 26, 2021
============
wpt/css/css-images/gradient/color-stops-parsing.html crashes (r251437)
Division by zero in CSSGradientValue::addStops() (r148859)
Add the support for ShadowRoot.delegateFocus (r251043)
Prevent cross-site top-level navigations from third-party iframes (r239742 partial)
Some test cases in accessibility/mac/selection-notification-focus-change.html fail (r227983 partial)
Start on dictionary support for IDL, getting enough to work for one dictionary (r200448 revisited)

Apr 24, 2021
============
[YARR Interpreter] Improper backtrack of parentheses with non-zero based greedy quantifiers (r276527)

Apr 23, 2021
============
Node flags should be an OptionSet (r266776 partial revisited)
REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange (r276010)
[selectors] Move :focus-viisble & :focus-within flags from Node to UserActionElementSet (r274173)
"precustomized" state of custom elements can become HTMLUnknownElement (r273935 partial)
[selectors] :focus-visible implementation (r273812 partial)

Apr 22, 2021
============
Descendant style relations are sometimes reset when they shouldn't (r275825)
Incorrect computed style in pseudo-elements with display: contents (r225049)
Wrong getComputedStyle behavior for pseudo-elements for layout-dependent properties. (r221501)
Introduce ValidationMessageClient (r128394)
Replace every use of Node::offsetInCharacters() by Node::isCharacterDataNode() (r236607)

Apr 21, 2021
============
Node flags should be an OptionSet (r266776 partial)
Stop using live ranges in DocumentMarkerController (r259575 partial)
Nullptr crash in CSSCalcValue::category() via HTMLConverterCaches::floatPropertyValueForNode (r276262)
MutationObserverRegistration should be ref counted (r267175 + r267779 + r268695 rolled out)
Simplify OptionSet::set (r266812)
Having an iframe as a descendent node shouldn't require ElementRareData (r266769)
Move Node::hasName() to Element. (r151071 + r151072)

Apr 20, 2021
============
Speed up HTMLInputElement validation (r208577)
Add support for input.minLength / textArea.minLength (r205524 + r206357)
Align HTMLInputElement.maxLength with the specification (r197458)
Remove unneeded extra memory allocation and indirection for ValidityState (r157352)
REGRESSION(r135836): Invalid user input for input[type=number] should be cleared by input.value="" (r139151)
Implement ValidityState::badInput (r135836)
Layout broken after cloning and re-inserting a table with a misplaced <form> (r130422)
[CSS Parser] Simplify background-position-x/y style mapping (r208146)
[CSS Parser] Fix background-position parsing (r207556)
Move all remaining flags from ElementRareData to Node to reduce the frequency (r266714)
Make tabIndex IDL attribute reflect its content attribute (r249237)
Split tabIndex computation for DOM and the rest of WebCore (r248784)
Element focus appearance update should be either immediate or a post-layout task (r221464)
Node: Use FINAL instead of the non-virtual shadowing hack. (r149974)
Remove unused method and de-virtualize others in Element.h (r149718)

Apr 19, 2021
============
Store all styling flags in m_rendererWithStyleFlags (r266578)
slotchange event doesn't get fired when inserting, removing, or renaming slot elements (r235650)
Changes to slot children should trigger slotchange (r235458)
Unify the node removal code in ContainerNode and expand the coverage of NoEventDispatchAssertion (r223788)
Release assert with <img usemap> in shadow tree (r239905)
Release assert when removing element with a map element in the shadow tree (r239877)
Release assert in TreeScopeOrderedMap::remove via HTMLImageElement::removedFromAncestor (r231621)
Using image map inside a shadow tree results hits a release assert in DocumentOrderedMap::add (r231329)
Remove Unicode case-insensitive matching for usemap="" (r209810)
Assert failure in isCloneInShadowTreeOfSVGUseElement (r275543 complete revisited)

Apr 18, 2021
============
SVG use element inside a shadow tree cannot reference an element in the same tree (r238524)
Modernize SVGURIReference::targetElementFromIRIString (r238452)
Do refactor in collectGradientAttributes() and renderStyleForLengthResolve() (r162385)
SVG radialGradient should support 'fr' for focal radius (just like Canvas) (r130599)

Apr 17, 2021
============
Crash in removeSymbolElementsFromSubtree() (r273809 + r273822 rolled out + r273868)
ASSERT fires when removing a disallowed clone from the shadow tree without reseting its corresponding element (r244276)
<g> wrapping <symbol> causes display of hidden <symbol> (r197194)
  => [New Parser] css3test.com 58% 1595 tests out of 2895 total for 657 features

Apr 16, 2021
============
Assert failure in isCloneInShadowTreeOfSVGUseElement (r275543 partial rolled out)
Crash happens when calling removeEventListener for an SVG element which has an instance inside a <defs> element of shadow tree (r187504)
[ macOS ] svg/custom/textPath-change-id-pattern.svg is flakey failing (r259031)
Dynamic changes in the style attributes of an SVGElement do no affect the <use> instances (r240305)
Replace some stack raw pointers with RefPtrs within WebCore/svg (r224615 partial)
window proxy of detached iframe doesn't respect updates to global values (r273901 partial)
Reflect.preventExtensions should not throw if called on WindowProxy or Location (r270702)
Trying to set toString / valueOf on a cross-origin Location object should throw a SecurityError (r253418)
window.navigator should not become null after the window loses its browsing context (r237185)
Window's properties such as 'location' should not become null when it loses its browsing context (r237105)
Object.preventExtensions() on a Location object should throw a TypeError (r211778)
Object.defineProperty() should throw cross-origin (r205358)
[[Delete]] should throw for cross-origin Window / Location objects (r205200)
Empty value is added in codePointsFromString in CSSFontFaceSet::matchingFacesExcludingPreinstalledFonts (r276015)
Assert failure in isCloneInShadowTreeOfSVGUseElement (r275543)
ASSERTION FAILED: m_wrapper on fast/events/scoped/editing-commands.html (r262016)
MutationRecord doesn't keep JS wrappers of target, addedNodes, and removedNodes alive (r236850)
GC can collect JS wrappers of nodes in the mutation records waiting to be delivered (r236781 + r236799 rolled out + r236801)
ASAN failure in ~GCReachableRef() (r236693)
imported/w3c/web-platform-tests/shadow-dom/slotchange.html is a flaky failure (r236440)
Custom elements in a reaction queue can lose its JS wrapper and become HTMLUnknownElement (r236376 partial)
Make HashMap and HashSet work with Refs (r202002 partial)

Apr 15, 2021
============
Have DOMWindowProperty get is frame from its associated DOMWindow (r236917)
Some tests to verify forbidden frame navigation time out (r218835)
Remove AffectedByDrag style flag (r258416)
REGRESSION (r258321): CSS rules using :first-of-type are applied to any/all siblings in a group under certain circumstances (r271367)
CSS Selector an-plus-b serialization is incorrect (r267812)
Remove unused affectedBy style flags (r258388)
Accurate style invalidation for user action pseudo classes (r258321)
focus pseudo class should match a shadow host whose shadow tree contains the focused element (r250788)
Support dynamic pseudo-classes on elements with display: contents (r238097)
Avoid indirect load in ContainerNode::hasOneChild() (r275997)

Apr 14, 2021
============
Store WeakPtr<Frame> instead of Frame* (r269435 + r269439 + r269565)
Teardown shadow root renderers on SlotAssignment::didChangeSlot (r275756)
Cancel image loader events after first dispatch (r274357)
REGRESSION(r272900): Nullptr crash in ComposedTreeIterator::traverseNextInShadowTree() via ShadowRoot::hostChildElementDidChange (r274064)
Teardown shadow root renderers on hostChildElementDidChange (r272900)
Don't update form control elements validity status if they are detached from the document. (r272843)
A newly inserted element doesn't get assigned to a named slot if slot assignments had already happened (r250709)
[css-grid] Incorrect track sizing when using relative sized items in 'auto' column tracks (r274596 + r274741 rolled out + r275908)
ASSERTION FAILED: !m_needExceptionCheck in CloneSerializer::serialize with postMessage({g:42}) (r275882)
[css-flexbox] CDC COVID Vaccine Tracker: Safari garbles data table (r275873)
RenderFlexibleBox::m_hasDefiniteHeight should not need to be mutable (r275796)
[css-flex] Make {main|cross}SizeForPercentageResolution() return booleans instead of actual sizes (r274708)
[css-flexbox] Fix mainAxisLengthIsDefinite for orthogonal items with percentage sizes (r273958)
Change order in RenderBlock::availableLogicalHeightForPercentageComputation (r273647)
REGRESSION (r266695): twitch.tv: when in fullscreen, WebKit continually does 350ms layouts. Firefox and Chrome do not (r273264)
[css-flexbox] REGRESSION(r266695): content inside a `<button>` inside a flex container has a height of `0` without a declared `min-height` (r272054)
REGRESSION(r268666) Incorrect vertical position inside grid items with padding (r271436)
[css-flex] Images as flex items should use the overridingLogicalWidth when defined to compute the logical height (r270116)
[css-flex] Images as flex items should use the overridingLogicalHeight when defined to compute the logical width (r270073)
[css-flex] Better naming from some methods (r269840)
[css-grid] Percentage height on replaced item with scrollbar (r269717)
[css-flexbox] Indefinite flex-basis percentage should cause height to be ignored (r267086)
Sanitize the usage of override sizes (r268666)
[css-flex] Allow indefinite size flex items to be definite wrt resolving percentages inside them (r266696)
[css-flexbox] min-height: auto not applied to nested flexboxes. (r266695)
[css-flexbox] Only update the intrinsic height if we don't have override height (r265497)
[css-flexbox] Don't include scrollbar extents when computing sizes for percentage resolution (r263794)
[css-flex] Remove death code paths when evaluating percentage resolution (r263792)
[css-flex] Allow indefinite size flex items to be definite wrt resolving percentages inside them (r263399 + r264775 rolled out)
[css-flex] Allow indefinite size flex items to be definite wrt resolving percentages inside them (r262124 + r263018 rolled out)
[css-flexbox] Tables as flex items should obey the flex container sizing (r262378)
Fix table sizing when 'max-width' is used (r261924)
Do not cache definite height against perpendicular flex items. (r260055)

Apr 13, 2021
============
Make it possible to create a WeakPtr to Node and use it store assigned nodes in SlotAssignment (r266212)

Apr 11, 2021
============
Copy-constructed Vectors should not have excess capacity (r275658)

Apr 09, 2021
============
GCThreadSharedData is just a bad way of saying Heap (r190151)

Apr 08, 2021
============
Bloom filter should support longer hashes (r182363)
Add non-counting bloom filter class (r182321)
Wasted vector capacity under CSSFontFace::setUnicodeRange() (r275638)
Wasted vector capacity under RuleFeatureSet::collectFeatures() (r275637)
Reduce Vector<> wasted capacity in some RuleSet code (r275633 + r279242 rolled out + r280638 rolled in)
Wasted vector capacity in StyleRuleKeyframes (r275610)
Wasted vector capacity in StyleSheetContents (r275609)
CloneDeserializer should use ArrayBuffer::tryCreate (r275508)
Wasted vector capacity in SVGPathByteStream (r275483)
Wasted vector capacity in CSSVariableData (r275481)
Shrink the Vector<> of keyframe values (r275479)

Apr 07, 2021
============
Fix spelling of evaluteDynamicMediaQueryRules (r263140)
CSS Rules with the same selector from several large stylesheets are applied in the wrong order (r255671)
O(n^2) behavior in media query resolution (r263092)
REGRESSION (r262618): Very slow typing in a github issue (r262960)
REGRESSION (r253875?): Element styles incorrect after media query evaluation changes (r262618)
Invalidate only affected elements after media query evaluation changes (r253820 + r253844 rolled out + r253875)
Resolve dynamic media queries without reconstructing RuleSets (r253616)
  => [New Parser] css3test.com 58% 1593 tests out of 2882 total for 656 features
REGRESSION(r228313): Membuster | macOS | All Devices | 1.5 MB (r228453)
Move compiled selectors to StyleRule (r228313)
Remove the CSS @host rule. (r163359)

Apr 06, 2021
============
Media queries in img sizes attribute don't evaluate dynamically (r252828)
REGRESSION (r251930): Flaky WK1 crash in printing/pseudo-class-outside-page.html (r252079)
Collect all documents before iterating in Page::forEachDocument (r252013)
Integrate media query evaluation into HTML5 event loop (r251322 + r251605 rolled out + r251930)
REGRESSION (r244182) [WK1]: Page updates should always scheduleCompositingLayerFlush() immediately (r246231)
REGRESSION (r244182): RenderingUpdate should not be scheduled for invisible pages (r244837)
Rename "forced style recalc" to "full style rebuild" (r239057)
Semantic colors don't update when accessibility Increase Contrast mode is enabled. (r233612 + r233642 rolled out + r233670 partial)
Merge didMoveOnscreen / page visibility to isVisible (r161223 partial)
A change in system environment should force all CSS properties to be recomputed. (r149839)
Wasted vector capacity in CSSSegmentedFontFace (r275488)
DFG arity fixup nodes should exit to the caller's call opcode (r275472)

Apr 05, 2021
============
@media rules ignored in user agent style sheet html.css (r224495)
Remove the StyleResolver-specific evaluate function in MediaQueryEvaluator (r265321)
MediaQueryEvaluator shouldn't know about style resolver (r252736)
REGRESSION (r237878): css-dark-mode/supported-color-schemes.html is failing on Mojave (r237906)
<picture> container doesn't update when prefers-color-scheme media query changes (r237878)
REGRESSION (r220112): reCAPTCHA images render off screen on Twitch.tv app Log In or Sign Up (r230933)
REGRESSION(r224535): Can't write reviews in the App Store (r227343)
Dynamic media queries don't update in shadow tree stylesheets (r224535)
REGRESSION (r217197): New Yorker website hangs for a long time on load, lots of blank tiles (r220112)
matchMedia('print').addListener() fires in WK1 but never in WK2 when printing (breaks printing Google maps, QuickLooks) (r217197)
AX: "(inverted-colors)" media query only matches on page reload; should match on change (r208915)
Move RuleData to a file of its own (r252629)
REGRESSION (r168119): Album flipping animation doesnt work (r172183)
Don't always make backing store for -webkit-backface-visibility:hidden (r168119)
Initial letter does not paginate properly. (r214110)
[CSS Regions] Monolithic elements should not affect the layout of the content outside its region (r167018)
FloatingObject m_paginationStrut should be LayoutUnit (r163631)

Apr 03, 2021
============
Remove CSS regions related fields from RenderStyle (r222435)

Apr 02, 2021
============
Remove RenderNamedFlowFragment (r222335)
Remove RenderNamedFlowThread and FlowThreadController (r222263)
Disable per-region boxes for multicolumn (r214126)
[CSS Regions] The height of a scrollable element flowed inside a scrollable region is not computed correctly (r165964)

Apr 01, 2021
============
Subselectors not searched when determining property whitelist for selector (r245664)
Remove DOM and styling support for CSS Regions (r222259)
Destroy the associated renderer subtree when display: contents node is deleted. (r217794)
Style invalidation cleanups (r253949 partial)
Make RuleSet refcounted (r253935)
Move Vector HashTraits to HashTraits.h to fix GCC build (r253864)
Allow Vectors as hash keys (r253775)
Optimize Style::Invalidator for multiple RuleSet case (r253717)
Style::Invalidator should be able to invalidate using multiple RuleSets in one pass (r253690)
Turn static DocumentRuleSets::s_isInvalidatingStyleWithRuleSets assertion bit into a member (r250092)
Add release assert against InvalidationRuleSet mutation during invalidation (r248297)
UBSan: JSC::Parser<LexerType>::parseProperty(): runtime error: load of value nnn, which is not a valid value for type 'bool' (r275343)
[JSC] get / set for object literal and class should not be escaped (r270487)

Mar 31, 2021
============
Empty property sets should not mark MatchedProperties uncacheable (r252339)
[CSS Shadow Parts] :part rules should be able to override style attribute (r251285 complete revisited)
[CSS Shadow Parts] Fix style invalidation with class selector and ::before and ::after (r250861)
[CSS Shadow Parts] Implement style invalidation (r250821)
[JSC] Remove warnings about unnecessary operator= for ARMv7Assembler LinkRecord (r275285)
[css-logical] Reject unitless length quirk in 'inset' shorthand (r240588)
[css-logical] Implement flow-relative inset properties (r240334)
[css-logical] Implement flow-relative margin, padding and border shorthands (r238244 + r238262 rolled out + r240251 + r240310)
Fix 'border' serialization with both common and uncommon values (r236278)

Mar 30, 2021
============
JSCell constructor needs to ensure that the passed in structure is still alive. (r263523)
Ensure that GlobalPropertyInfo is allocated on the stack. (r275212 partial)
[JIT] Require value registers explicitly on emitValueProfilingSite (r270711)
[JIT] Value profile stores wrong value in BaselineJIT for some operations (r270431 partial)
Implement "line-break: anywhere" (r245275)
line should not be broken before the first space after a word (r244748)

Mar 29, 2021
============
Implement white-space:break-spaces value (r244036)
Clean up Marquee-related enums (r226666)
FetchResponse::BodyLoader should not be movable (r247087)
Cache API should return Abort error in case of putting an aborted fetch (r244515)
Align Element.insertAdjacentHTML() with the specification (r206308)
Remove equalIgnoringCase since all callers really wanted equalIgnoringASCIICase (r195743)
Reduce use of equalIgnoringCase to just ignore ASCII case (r195452)
Use HTTPHeaderName in more places (r170023)
"application/x-mimearchive" should be included in finding remoteWebArchive while document loading (r151962)

Mar 27, 2021
============
Dirty layout for floating children of inline on full layout (r275130)
Remove support for -apple-trailing-word (r243819)
A single leading space is not considered as a word break even when word-break: break-all is set (r243437)

Mar 25, 2021
============
[JSC] JSCustomGetterFunction/JSCustomSetterFunction should use Identifier for their field (r274817 rolled out)
  => Crash caused by possible heap-use-after-free.
[CSS Parser] Fix named color parsing (r207539)
bindings/js/JSEventListener.cpp:281:91: runtime error: reference binding to null pointer of type 'WebCore::ScriptExecutionContext' (r274996)
Fix interpolation of the border-spacing property (r274978)
Select CSS properties animating as float should not allow negative values (r274142)
[css-flexbox] flex-basis not animatable (r268792)
[css-flexbox] flex-shrink property should be animatable (r268718)
[css-flexbox] flex-grow property should be animatable (r268516)
Make RenderStyle copy-on-write a bit less. (r197680)
Subpixel layout: Enable vertical/horizontal subpixel spacing for tables. (r197450)
[JSC] JSCustomGetterFunction/JSCustomSetterFunction should use Identifier for their field (r274817 partial)
  => Use JSString to simlify destruction.
 
Mar 24, 2021
============
r271034 added code in constant folding phase that's unreachable given current invariants of our ICs and PutByIdStatus (r274942)
Update MessageEvent to stop using legacy [ConstructorTemplate=Event] (r207016 complete revisited)
Remove support for array types in IDLs (r204336)
Move charCode / keyCode / which attributes from UIEvent to KeyboardEvent (r209895)
Update generated bindings code so that dictionary structures no longer need explicit constructors (r206974 partial)
Update KeyboardEvent to stop using legacy [ConstructorTemplate=Event] (r206971)
KeyboardEvent.getModifierState() should support "CapsLock" modifier (r206828)
Implement KeyboardEvent.code from the UI Event spec (r206803)
Add support for KeyboardEvent.isComposing attribute (r206796)
Add support for KeyboardEvent.key attribute (r206750)
Add support for KeyboardEvent.getModifierState() operation (r206725)
Add support for KeyboardEvent.repeat attribute (r206724)
PlatformEvent::m_modifiers should be an OptionSet (r206450)
Define DOM_KEY_LOCATION_* constants on KeyboardEvent (r153955)
Add support for KeyboardEvent.location attribute (r153905)
[JSC] Rope string equal operation should first check length (r274935)

Mar 23, 2021
============
Support for resolving highlight pseudo element style (r253210)
Fix inspector/css test assertions after r253158 (r253176 partial)
Add CSS parser support for the highlight pseudoelement (r253158)
[CSS Shadow Parts] Allow exporting single part with multiple names using exportparts attribute (r250902)
[CSS Shadow Parts] Support 'exportparts' attribute (r250712)
[CSS Shadow Parts] Support multiple arguments for ::part() (r250643)
[CSS Shadow Parts] Basic ::part() pseudo element support (r250628)
[CSS Shadow Parts] Parse 'part' attribute (r250584)
Remove PseudoElementUserAgentCustom. (r235652)
  => [New Parser] css3test.com 55% 1570 tests out of 2882 total for 656 features
RenderStyle:diff() was inadvertently doing deep compares of StyleRareNonInheritedData etc (r220383 complete revisited)
Remove PassRefPtr from more of "platform" (r210758 partial)
LiteralParser shouldn't make error messages of length ~2^31 (r274813)
[JSC] JSCustomGetterFunction/JSCustomSetterFunction should use Identifier for their field (r274817 partial)
[YARR] Interpreter incorrectly matches non-BMP characters with multiple . (r274806)
[JSC] Intl.Locale should not assume is8Bit (r274784)
[ECMA-402] Implement Intl.Locale (r261215 partial)

Mar 22, 2021
============
HTMLSelectElement::typeAheadFind depends on implementation dependent behavior (r130717)
Better type ahead for DateTimeSymbolicFieldElement (r136111 + r136113 rolled out + r136205 partial)
Change ProxyObject.[[Get]] not to use custom accessor (r201703 partial revisited)
  => Insert missing exception checks for getPropertySlot.
  
Mar 19, 2021
============
Create MediaQueryParserContext to provide additional context for the evaluation of media queries (r229654 complete revisited)
Remove support for >> descendant combinator syntax (r221788)
  => [New Parser] css3test.com 55% 1570 tests out of 2882 total for 656 features
Unprefix -webkit-sticky (r244353)
transformCanLikelyUseFastPath() can read off the end of a string (r221488)
Add a fast path for rotate() and rotateZ() transform parsing (r220382)
WebKit uses Alphabetic Baseline when "-webkit-text-orientation" is "mixed" in Vertical Writing Mode (r258990)

Mar 18, 2021
============
Allow RenderStyles marked unique in matched properties cache (r201086 complete revisited)
Invalidate RenderTreePosition's next sibling with display:contents (r274630)
Do not collapse ruby's internal anonymous blocks (r274576)
Create MediaQueryParserContext to provide additional context for the evaluation of media queries (r229654)

Mar 14, 2021
============
Remove RenderObject::canHaveRegionStyle since nothing uses it (r146533)
GCSegmentedArray's size() and isEmpty() methods should be const. (r274400)

Mar 13, 2021
============
[JSC] Make JSON.parse faster by using table for fast string parsing (r272570)

Mar 12, 2021
============
Avoid constructing the string "all" repeatedly in MediaQueryParser (r232173)
brightness() filter should default to 1, and not allow negative values (r231033)
Support calc() in webkit-gradient and cross-fade (r230816)
[css-conditional] The one-string version of CSS.supports should be wrapped in implied parentheses. (r217844)
Unprefix unicode-bidi CSS values (r216418)
Be less strict about closing blocks in attribute and functional pseudo-element selectors. (r243691)
FontFace constructor throws an exception when there is a name which starts with a number (r243637 complete revisited)
CSS variables don't work for colors in "border" property (r239516)
CSSGradientValue's color stops vector wastes 12KB on theverge.com (r233241 complete revisited)
StyleRuleMedia wastes 158KB of Vector capacity on cnn.com (r232899 complete revisited)
MediaQuerySet wastes a lot of vector capacity (r232898)
Implement line clamp for mail. (r227577 + r234215 rolled out)
tab-size: 0px asserts (r224193)
SizesAttributeParser::SizesAttributeParser triggers layout (r223895)
Support min() and max() in calc() (r222190 complete revisited)
[css-grid] grid shorthand should not reset the gutter properties (r221668 complete revisited)
Align quirky number parsing with other browsers (r219642)
Support calc() in font-variation-settings and font-feature-settings (r217267)

Mar 11, 2021
============
Remove bogus assert for :not. (r215513)
[css-grid] Clamp the number of autorepeat tracks (r214604)
imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/sizes/parse-a-sizes-attribute.html is unreliable (r213711)
Parsing -webkit-hyphenate-character uses confusingly named consumeLocale() (r213561)
[JSC] Shrink Structure (r257201 partial)
REGRESSION (r248807): Objects stored in ElementRareData are leaked (r249076 + r249198)
Don't use union to store NodeRareData* and RenderObject* (r248807)
Rename ChildrenAffectedByActive to StyleAffectedByActive (r202607)
Inline Node's rare data getters. (r170828)
Get rid of Node::createRareData (r139839)

Mar 10, 2021
============
AX: add "alt" as an overriding synonym of "-webkit-alt" (now in the CSS4 spec) (r175654)
AX: Implement CSS -webkit-alt property (text alternative for generated content pseudo-elements ::before and ::after) (r159591)
  => [New Parser] css3test.com 55% 1570 tests out of 2879 total for 656 features
JSC Crash in makeString() while creating Error object. (r274181)
Styles should not show background-repeat-x/y, or -webkit-mask-repeat-x/y (r211289)

Mar 09, 2021
============
Implement CSS `display: flow-root` (modern clearfix) (r245494)
Parse calc() in CSS media queries (r227295)
Revert r210882, removing support for background-repeat-x/y (r211149 complete revisited)
Avoid triggering rebuilds for minor changes of CSSProperties.json (r210493 + r210495 + r210506 rolled out)
REGRESSION (r252161): Animation of box-shadow with border-radius set is flashy (r261334)
REGRESSION (r252161): box-shadow with inset and rounded borders is clipped (r252689)
Box-shadow spread radius does not transition or animate correctly with CSS Transitions & Animations (r252161)
Remove flex and bison build dependencies; commit generated XPath parser (r209883)
[Cocoa] Implement font-synthesis: small-caps (r209875)
[CSS Parser] Rename StyleKeyframe to StyleRuleKeyframe (r209838)
[CSS Parser] Rename CSSPrimitiveValue::UnitTypes to CSSPrimitiveValue::UnitType (r209758)
[CSS Parser] Move CSSParserValues.h/.cpp to CSSParserSelector.h/.cpp (r209671)

Mar 08, 2021
============
[CSS Easing 1] implement `jump-*` step positions (r261046)
[Web Animations] Expose getKeyframes() and parsing of remaining keyframe properties (r227441)
REGRESSION (209396): Apple Pay buttons do not render (r212558)
[CSS Parser] Make intercap property values serialize correctly (r212131)
Don't do range checking for calc() at parse time (r252983)
Move CSSUnitType enum to its own file (r252393)
Convert CSSPrimitiveValue::UnitType to an enum class, and cleanup (r252392)
imported/w3c/web-platform-tests/css/css-values/calc-positive-fraction-001.html fails (r251580)

Mar 05, 2021
============
[CSS Parser] Remove WebkitCSSTransformValue (r209805)
[CSS Parser] Make CSSFunctionValue derive from CSSValueList (r209788)
[CSS Parser] Eliminate SVGPaint and SVGColor (r209777)

Mar 04, 2021
============
[css-logical] Implement flow-relative margin, padding, border and sizing properties (r234798)
REGRESSION(r259585) Text decoration color with value currentColor miscomputed in some cases (r265198)
CSS Variables: Color on specific `border` properties does not work. (r262627)
'currentcolor' doesn't need setHasExplicitlyInheritedProperties marking anymore (r259585 complete revisited)
Implement the css-color-4 behavior for inheritance of currentColor (r259532)
Add support for spreadMethod=reflect and repeat on SVG gradients (for CoreGraphics platforms) (r236024)
Incorrect rendering on boostmobile FAQ page (r201666)

Mar 03, 2021
============
Ranges for variation font properties are not enforced (r214507)
font variation properties don't need to accept numbers (r214419)
Update CSSFontSelector's matching algorithm to understand ranges (r213436 complete revisited)
CSSStyleRule.style / CSSPageRule.style / CSSKeyframeRule.style should be settable (r217917)
Rename WebKitCSSKeyframe(s)Rule into CSSKeyframe(s)Rule (r176157)

Mar 02, 2021
============
Unprefix CSS cursor values grab and grabbing (r215146)
[CSS Parser] Remove the pseudoclass/element hacks (r209670)
[CSS Parser] Remove the old CSS Parser (r209666)
[CSS Parser] Consolidate string/ident/url serialization functions (r209495)
Fix a couple of mistakes in CSSParserValue memory management (r201608)
CSSGrammar.y:1742.31-34: warning: unused value: $3 (r195612)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179539 complete revisited)
Get rid of invalidSelectorVector, use Bison's error recovery instead (r179485)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179476 complete revisited)
REGRESSION (r173698): Leaks of selector lists in CSS parsing (r179258 complete revisited)
Fix type clash warning in supports_error rule of CSSGrammar. (r175415)
Update the CSS Grammar selector names to get closer to the latest terminology (r173011 complete revisited)
REGRESSION: CSS not() selector does not work when it appears after or within @supports (r172833)
[Feature Queries] Feature Query CSS Grammar Productions Should Return a Value (r171008)
Add support for HTMLImageElement's sizes attribute (r170576 complete revisited)
Split CSS Selectors pseudo class and pseudo elements (r166883 complete revisited)
[CSS Grid Layout] Update named <grid-line> syntax to the last version of the specs (r166157 complete revisited)
REGRESSION (r155536): Broken error recovery in @media at-rule (r160779)
Another CSS parser leak fix (r156224)
Fix a couple more CSS leaks (r156178)
Fix a couple mistakes in my recent CSS grammar leak patch (r156141)
Fix leaks in CSS parser caused by overwriting owned raw pointers with 0 (r156138)
Rework CSS parser, eliminating "floating" concept and using %destructor (r155536 complete revisited)

Mar 02, 2021
============
Unreachable code hit in WebCore::Shape::createShape (r256192)
Add support for the Q unit (r251662 complete revisited)
wpt/css/css-images/gradient/color-stops-parsing.html fails (r251474)
CSS ellipse() doesn't accept single <shape-radius> (r250653)
Handle calc() expressions in gradient color stops (r239571)
Parsing support for text-underline-offset and text-decoration-thickness (r237835 complete revisited)
Support Images Module Level 4's double-position gradient color stop syntax (r236155)
[CSS3 Media Queries] Aspect ratio value re-parsed when media query expression is evaluated (r131037)
REGRESSION: Object.defineProperties triggering a setter (r273717)

Mar 01, 2021
============
[CSS selectors] :is() / :where() should not allow pseudo-elements at parse-time (r260338)
[CSS selectors] Support :where() pseudo class (r260319 complete revisited)
transform-box: content-box, stroke-box missing (r251081 + r251084 rolled out + r251252 complete revisited)
font-weight: 1000 is not parsed successfully (r244817)
[css-masking] Update clip-path box mapping to unified box (r233302 complete revisited)
Support transform-box to switch sizing box in SVG (r217236 complete revisited)
Unprefix -webkit-min-content, -webkit-max-content and -webkit-fit-content (r213831 complete revisited)
  => [New Parser] css3test.com 49% 1510 tests out of 2879 total for 656 features
[SVG2] fill-opacity, stroke-opacity, stop-opacity and flood-opacity doe not support percentage (r251696)
Implement stroke-color CSS property. (r215261 complete revisited)
Support css-color-4 rgb functions (r239574 complete revisited)
Update HSL/HSLA parsing to match CSS Color 4 (r230861)
Properties that take <position> should not accept 3 values (r251668)
Parse font-display (r220725 partial revisited)
[css-ui] Implement caret-color support (r220706 complete revisited)
flex-basis should be 0% (not 0px) when omitted (r213305)
Unprefix -webkit-line-break (r213094)
background-repeat-x doesn't work (r210882 + r211149 roled out + r211164 rolled out)
[CSS Parser] Enhance fast path translate transforms to allow percentages (r209783)
[CSS Parser] Eliminate the Scope class and fold it into CSSTokenizer (r209466)
[CSS Parser] Support setting of custom properties from the CSS OM (r209370)

Feb 28, 2021
============
[CSS Parser] Add strict checking for right parens to selector functions like :matches, :not etc. (r209566)
[CSS Parser] REGRESSION: Values of 0 should not be allowed for -webkit-aspect-ratio (r209541)
[CSS Parser] Turn back on a bunch of layout tests (r209460)
[CSS Parser] Reject invalid hex colors on the fast path (r209389)
[CSS Parser] Allow calc in SVG attributes (r209387)
[CSS Parser] Properly reject large numeric values (r209383)
[CSS Parser] shape-rendering supports crispEdges rather than crisp-edges (r209371)
[CSS Parser] Support glyph-orientation-horizontal and glyph-orientation-vertical (r209351)
[CSS Parser] Make sure the transform fast path uses WebKitCSSTransformValue (r209341)
[CSS Parser] The page-break-* properties are only keyword props for old parser. (r209320)
[CSS Parser] Eliminate in-place lowercasing in the parser. (r209314 complete revisited)
[CSS Parser] Add parseValue support to new parser. Use new parser for UA sheet too if useNewParser is set. (r209318)
[CSS Parser] Support Dashboard Regions (r209302)
[CSS Parser] Need to set edit flags properly when user-modify/select are used. (r209265)
[CSS Parser] Hook up InspectorStyleSheet to the new CSS parser. (r208886)
[CSS Parser] Add @supports, @keyframe and media query parsing options (r208847)
[CSS Parser] calcs on column-width that resolve to 0 should be discarded (r209368)
[CSS Parser] Fix calc() with -webkit-line-clamp (r209338)
[CSS Parser] Support -webkit-text-decoration (r209335)
[CSS Parser] Support the 'alphabetic' keyword for text-underline-position (r209329)
[CSS Parser] Fix rx and ry parsing (r209324)
[CSS Parser] Properly fail on bad values for -webkit-clip-path (r209321)
[CSS Parser] Don't use CSS_PARSER_INTEGER unit for resolved integer calcs. (r209319)
[CSS Parser] Remove line numbers from StyleRule. (r209304 complete revisited)
[CSS Parser] Make sure the z-component of transform-origin can be implicit (r209258)
[CSS Parser] Fix :any/:host to allow pseudo-elements. Support -webkit-border-radius. (r209255)
[CSS Parser] Add support for the SVG 'kerning' property (r209248)
[CSS Parser] Support the -webkit-letterpress value for text-decoration (r209245)
[CSS Parser] Make sure margin and font set the implicit flag properly (r209239)
[CSS Parser] Make sure the templatized consumeIdent uses CSSValuePool (r209238)
[CSS Parser] Fix font-variant parsing  (r209237)
[CSS Parser] Fix animation property parsing (r209236)
[CSS Parser] Only allow a single font-family in @font-face (r209217)
[CSS Parser] Support -webkit-overflow-scrolling: touch (r209205)
[CSS Parser] Fix font-variant parsing (r209199)
[CSS Parser] Fix columns shorthand parsing (r209148)
[CSS Parser] Make sure -webkit-background-size coalesces identical values. (r209142)
[CSS Parser] Fix ::cue parsing (r209085)
Avoid ref-count churn in ShadowParseContext::commitColor() (r209079)
Avoid ref-count churn in CSSParser::ValueWithCalculation::setCalculation() (r209078)
[CSS Parser] Fix parsing of "all" in transitions (r209075)
[CSS Parser] Fix @page rule parsing (r209072)
[CSS Parser] Fix bugs in the @supports parser (r209021)
[CSS Parser] Filters and Reflections Fixes (r209006)
[CSS Parser] flex-basis should be pixel units not percentages. (r209003)
[CSS Parser] Support -webkit-animation-trigger (r209000 + r236750 removed)
[CSS Parser] Support font-variation-settings (r208892)
[CSS Parser] Fix font-synthesis and text-decoration-skip parsing (r208733)
[CSS Parser] Support the font-synthesis property (r208706)
Handle filter() image type in new CSS Parser (r208700)

Feb 27, 2021
============
[CSS Parser] Support percentages in word-spacing (r208697)
[CSS Parser] Support all the correct blend modes (r208636)
[CSS Parser] Add support for paths as basic shapes. (r208620)
[CSS Parser] Support margin-box in shape parsing. (r208618)
[CSS Parser] Add support for -webkit-mask-source-type (r208617)
[CSS Parser] Support the spring animation timing function (r208615)
[CSS Parser] Fix time unit parsing (r208608)
[CSS Parser] Fix basic shape parsing (r208599)
[CSS Parser] Fix SVG markers and colors (r208594)
[CSS Parser] Support -webkit-svg-shadow (r208590)
[CSS Parser] Fix grid layout parsing (r208478)
[CSS Parser] Clean up new parser's grid layout ifdefs/runtime checking (r208301)
Filter functions grayscale/invert/opacity/sepia should clamp values over 100%, not fail (r208294)
[CSS Parser] Support scroll-snap-* properties (r208291)
[CSS Parser] Support the shadow DOM (r208180 + r208198 rolled out + r208267)
[CSS Parser] Support -webkit-named-image (r208169)
[CSS Parser] Make sure to fail on :role(a,b) and :dir(a,b) (r208166)
Support bezier paths in clip-path property (r191551)
Give subclasses of CSSImageGeneratorValue a consistent image() return type (r191082)
Provide a way for web developers to draw a Theme-specific Wireless Playback icon (r185731 partial)

Feb 26, 2021
============
Parse color() function (r208116)
New CSS Parser should use Colors not RGBA32s (r208060)
[CSS Parser] Allow unitless values on background-size in quirks mode (r208165)
[CSS Parser] Fully support prefixed background-size and box-shadows (r208157)
[CSS Parser] Get rid of CSSCustomIdentValue::creates (r208152)
[CSS Parser] Support unprefixed cross-fade (r208147)
[CSS Parser] Miscellaneous bug fixes (r208142)
[CSS Parser] Fix nth-child serialization (r208133)
[CSS Parser] Support unprefixed image-sets (r208125)
[CSS Parser] Add font-variant-* keyword property support (r208120)
[CSS Parser] Fix text-emphasis-position parsing (r208119)
[CSS Parser] Disable -webkit-text-size-adjust when the context says to. (r208115)
[CSS Parser] Match old parser's image-rendering values (r208114)
[CSS Parser] Support -webkit-text value for background-clip and -webkit-background-clip (r208113)
[CSS Parser] Support -webkit-aspect-ratio (r208111)
[CSS Parser] Support the caps lock indicator appearance (r208110)
[CSS Parser] Support the alt property (r208109)
[CSS Parser] Add support for -webkit-hyphenate-limit-* properties (r208108)
[CSS Parser] Fix transform-origin and perspective-origin to parse as shorthands (r208107)
[CSS Parser] Support -webkit-background-composite (r208103)
border-image-outset doesn't handle float values (r273478)
[CSS Parser] Clean up the two types of descendant relations in CSSSelector (r208130 complete revisited)
[CSS Parser] Allow unknown properties in will-change (r208088)
[CSS Parser] Fix font-family parsing inside @font-face (r208076)
[CSS Parser] Support hanging-punctuation (r208073)
[CSS Parser] Support initial-letter (r208069)
[CSS Parser] Support bopomofo Ruby (r208065)
[CSS Parser] Add support for -webkit-canvas images (r208064)
[CSS Parser] Clean up gradient parsing (r208062)
Allow new CSS parser to handle insertRule, etc via parseRule (r208059)
[CSS Parser] Support the marquee properties (r208055)
[CSS Parser] Miscellaneous bug fixes (r208051)
[CSS Parser] Add support for a reference box to -webkit-clip-path (r208029)
[CSS Parser] Get functional pseudos parsing (r207900)
[CSS Parser] Improvements to selector parsing (r207854)
Remove CSSCharsetRule from the CSS OM (r207767)
Enable selectors level 4's :lang() by default (r181197)
Always serialize :lang()'s arguments to strings (r180558)
Language ranges containing asterisks must be quoted as strings (r180413)
Canonicalization of :lang() should preserve the :lang()'s arguments representations (r178532 + r178583 rolled out + r178675)
Allow strings as argument to :lang() (r177745 + r178198)
Extend :lang()'s selector checker to handle ranges with '*' properly and perform matching within the ASCII range (r177333)
Implement parser for :lang pseudo class selector arguments that contain wildcard '*' subtags (r176902 + r176983)
Add selector checker for :lang pseudo class in Selectors level 4 (r176313)
Add initial parsing functionality of :lang pseudo class in Selectors Level 4. (r175446 + r175447)
CSS JIT: add support for the :lang() pseudo class (r170001)

Feb 25, 2021
============
[CSS Parser] Fix :lang argument parsing (r207783 + r207790 rolled out)
[CSS Parser] Fix -webkit-box-reflect parsing (r207759)
[CSS Parser] Unprefix -webkit-writing-mode (r207757 complete revisited)
[CSS Parser] Support horizontal-bt writing mode (r207682)
[CSS Parser] Add support for -webkit-line-box-contain (r207679)
[CSS Parser] Add support for @-webkit-region rules (r207677)
[CSS Parser] Fix compound selector parsing. (r207536)
[CSS Parser] Make sure to handle prefixed transform-style (r207638)
[CSS Parser] Fix region, column and page break parsing (r207629)
[CSS Parser] Support -webkit-border-fit (r207567)
[CSS Parser] class and id parsing need to be case-insensitive in HTML quirks mode (r207565)
[CSS Parser] Fix -webkit-mask-box-image parsing (r207549)
[CSS Parser] Enable basic parser testing. (r207513)
Update Alignment shorthands to the spec now that they are not ambiguous (r230848 complete revisited)
Remove GridLayout runtime flag (r229531)
[css-align] Implement the new behavior of 'legacy' for justify-items (r228319 complete revisitted)
[css-align] The 'baseline' value must be invalid for the 'justify-content' property (r227786 complete revisited)
[css-align] 'left' and 'right' should parse as invalid in block/cross-axis alignment (r227432 complete revisited)
[css-align] 'overflow' keyword must precede the self-position and content-position value (r227297 complete revisited)
[css-align] Implement the place-self shorthand (r216829 complete revisited)
[css-align] Implement the place-items shorthand (r214966 complete revisited)
[css-align] Adapt place-content alignment shorthand to the new baseline syntax (r214852 complete revisited)
[css-align] Adapt content-alignment properties to the new baseline syntax (r214624 complete revisited)
[css-align] Adapt self-alignment properties to the new baseline syntax (r214564 complete revisited)
[css-align] Implement the place-content shorthand (r213230 complete revisited)
  => css3test.com 51% 1520 tests out of 2853 total for 646 features
Don't spin up a CalcParser if the current token is not a function token (r239575)
[css-grid] Rename gutter properties to remove "grid-" prefix (r228095 complete revisited)
[css-multicol] Support percentages in column-gap (r227676 complete revisited)
font-style needs a new CSSValue to make CSSRule.cssText work correctly (r214359 complete revisited)
font shorthand should accept variation values (r214324)
Parsing font descriptors inside @font-face needs to accept ranges (r213528 complete revisited)
Expand font-weight and font-stretch to take any number (r213464 complete revisited)
Implement font-stretch for installed fonts (r213267 complete revisited)
REGRESSION: font shorthand parsing is broken (r209526 + r209531)
[CSS Parser] Allow @font-face src descriptor's format function to contain identifiers (r208093)
[CSS Parser] Fix crash when parsing -webkit-margin-collapse (r207636)
[CSS Parser] Fix font family parsing and add CSS region property parsing (r207622)
[CSS Parser] Fix transform parsing (r207543 + r207548)
[CSS Parser] Get all the properties turned on (r207479 + r207507)
Serialized declaration for background-size/-webkit-mask-size should preserve identical values instead of coalescing them (r186687)
Support variables inside -webkit-box-reflect CSS property. (r140642)

Feb 24, 2021
============
Variation fonts: Make sure that feature detection and preprocessor macros are right (r214546)
[CSS Parser] Get CSSPropertyParserHelpers.cpp compiling (r206043)
[CSS Parser] Get CSSParserFastPaths.cpp compiling (r206007 + r206022)
[CSS Parser] Make stylesheets parse using the new parser if the setting is enabled (r205984)
[css-grid] Implement fit-content track size (r205966 + r205972 rolled out + r205977 complete revisited)
Switch CSSParser to use CSSParserFastPaths::isKeywordPropertyID() (r205926)
Null check ArrayBufferView RefPtr (r273373)
[YARR JIT] Crash on overflow when compiling /(a{1000000000}b{1000000000}|c{1000000000}|)d{1000000000}e{1000000000}/.test(); (r273371)
Rename parseColorParameters and clean up conditional (r205924)
[CSS Parser] Enable the new sizes parser by default (r205905)
Remove Chrome app-specific CSS property -webkit-app-region (r205889)

Feb 23, 2021
============
[CSS Parser] Implement CSS variables (r208006 complete revisited)
[CSS Parser] Unify CSSCustomPropertyValue and CSSCustomPropertyDeclaration (r207903)
[CSS Parser] Add CSS Variable Parsing support (r205869)
Writing-mode-dependent properties don't apply if their value is a variable (r201875)
Remove CSS keyword properties from CSSParser::parseValue(CSSPropertyID, bool) (r205868)
Organize CSS keyword properties in WebCore::isKeywordPropertyID() (r205867)
[CSS Parser] Add support for the parsing of the HTML sizes attribute (r205821)
[CSS Parser] Add the main parser implementation (r205790)
ASSERTION FAILED: result in WebCore::CSSParser::parseURI (r206736)
[CSS Parser] Add support for new CSS selector parsing (r205660 complete revisited)
Add CSSAtRule id info for new parser (r205550)
Add CSSSelectorList::isValid(). (r140677)

Feb 22, 2021
============
Add support for media query parsing using new CSS Parser (r205368)
Initial landing of CSS Parser Tokenization (and files to support that). Not used yet. (r205103)
Add pref for enabling new CSS parsing and move parser files into subdirectory. (r204852)
Media queries and platform screen modernization and streamlining (r201441 partial)
[JSC] JSInternalPromise::then can fail if execution is terminated (r273222)

Feb 21, 2021
============
Add support for midpoint to CSS gradients (r174191)
[Forms] Make HTMLInputElement::blur()/focus() override-able by input type (r126963 + r126965 rolled out + r126966)

Feb 21, 2021
============
Include the 'text' color keyword as a system color. (r230056)
[css-ui] Implement caret-color support (r220706 partial revisited)
  => css3test.com 50% 1518 tests out of 2853 total for 646 features

Feb 20, 2021
============
[css-ui] Implement caret-color support (r220706 partial)
'currentcolor' doesn't need setHasExplicitlyInheritedProperties marking anymore (r259585 partial)
Avoid unnecessary full style resolution in getComputedStyle for non-inherited properties (r207755)

Feb 19, 2021
============
Tighten ComputedStyleExtractor to use Element instead of Node (r207686)
CSSComputedStyleDeclaration::length should recalculate styles if needed to provide the correct value (r202382)
Add a fast path in TransformationMatrix::mapRect(const FloatRect&) for affine transformations (r266619)
Make TransformationMatrix::inverse() faster in the case of affine transformation matrices (r266513)
Optimize the implementation of TransformationMatrix::rotate(double) (r266353)
Clean up TransformationMatrix implementation (r234433)
Use of uninitialised memory in TransformationMatrx::blend4() (r205197)
decompose4 return value is unchecked, leading to potentially uninitialized data. (r202068 + r202115 + r202128 + r202195 rolled out)

Feb 18, 2021
============
ASSERTION FAILED: hasLayer() in RenderLayer::enclosingOverflowClipLayer (r254086)
REGRESSION(r244906): Crash in WebCore::positionOffsetValue (r247256)
Resolve the percentage values of inset properties against proper box. (r244906)
Resolve inset properties to computed style when there is overconstraintment (r236979)
Improve behavior of position:sticky on zoomed pages (r170690)
Prepare for position:sticky support inside accelerated overflow-scroll with WK2 (r169408)
Remove redundant isComposited() function and replace hasLayer() && layer()->isComposited() with RenderObject::isComposited(). (r190627)
Allow some LayoutPoint and LayoutSize conversions to be inlined (r152175 complete revisited)
Avoid calling the virtual isBlockFlow() in RenderBox::computeRectForRepaint() (r135034 complete revisited)
Remove CSS Animation Triggers (r236750 revisited)
Inline ~Color and Color::isExtended() (r220378 partial)
AnimationController::scrollWasUpdated() shows up in scrolling profiles on pages that don't use scroll triggers (r183295)
CSS Animations with triggers should map scroll position to duration (r181778 + r182371)
Implement Scroll Container Animation Triggers (r181655)
RenderBox::updateShapeOutsideInfoAfterStyleChange shows up on profiles (r164471)
Make FillLayer::hasImage() inline (r249236)
Minor optimization in InlineFlowBox::paintBoxDecorations() (r249170)
Only run the node comparison code in FrameSelection::respondToNodeModification() for range selections (r239971)
Minor optimization to RenderText::setRenderedText() (r239911)
applyTextTransform() should take a const RenderStyle&. (r158181)
text-transform: lowercase is not lang-dependent (Turkish languages : tr,az) (r156948)
Use a RenderObject bit for isRenderFlowThread() (r182431)
Animated GIFs fail to play in multi-column layout (r213523)
REGRESSION: [CSS Regions] Content flowed directly into the flow thread that ends up in the second region is not properly repainted (r169120)
[CSSRegions] Incorrect background paint on positioned element hover (r167489)
[New Multicolumn] Column sets below spanners don't repaint properly. (r167439)
Flexbox sizing logic triggers full repaint on the flex items. (r252716)

Feb 17, 2021
============
Remove m_reversedOrderIteratorForHitTesting (r270388)
[css-flexbox] WebKit mistakenly lets pointer events (click/hover/etc) pass through flex items, if they have negative margin (r263659)
Unable to place the caret at the end of the first line, when followed by a block, in the vertical writing mode. (r138169)
When invalidating the clients of an SVG resource we should not go beyond the RenderSVGRoot (r264364)
Additional cleanup from "Hit test with clipPath referencing parent element causes infinite recursion" (r259751)
Hit test with clipPath referencing parent element causes infinite recursion (r259722)
Hit test with clipPath referencing parent element causes infinite recursion (r257616)
[css-masking] Fully support -webkit-clip-path on SVG elements (r233835)
operationNewArrayWithSize should call tryCreate instead of create (r272938)

Feb 16, 2021
============
Implement document.elementsFromPoint (r219961)
DisallowUserAgentShadowContent moves out of non-UA shadow roots (r219551)
Align Document.elementFromPoint() with the CSSOM specification (r213646)
ASSERTION FAILURE: !result.innerNode() || (request.resultIsElementList() && result.listBasedTestResult().size()) in RenderLayer::hitTestContents() (r258508)
Fix hit testing on display:block <svg> elements (r206591)
[New Multicolumn] fast/multicol/hit-test-* layout tests all fail (r167817)
[New Multicolumn] Selection gets confused when the mouse is in the column gaps. (r167404)
AX: Make SVG Group containers accessible elements (r147802)
Avoid running the outline painting phase if no renderers have outlines (r249309)
Devirtualize RenderBox::visualOverflowRect() (r249222)
Have RenderSVGBlock compute visual overflow just like everyone else (r249203)
Merge SVGRenderBlock::styleWillChange() into styleDidChange(). (r157833)
Insufficient viewport repaints when FrameView::paintsEntireContents (r152584)

Feb 15, 2021
============
Get rid of the unused 'immediate' parameters from repaint related functions (r164594)
Proxy's [[GetOwnProperty]] should complete trap result descriptor before validation (r272838)

Feb 14, 2021
============
Subpixel rendering: Use floorf/roundf/fabs in device snapping helpers. (r163278)
Floored and truncated rounded confused. (r125167 partial revisited)

Feb 13, 2021
============
Subpixel positioned iframe's repaint area calculation problem. (r189026)
Subpixel rendering: Transforms on non-compositing layers leave bits behind when the box boundaries changes. (r172373)
Subpixel rendering: WK1: Wrong repaint rect is calculated when layer has non-compositing transform. (r167538)
Remove IntRect::pixelSnapped* and its enclosingRect since they are no longer used (r151425)

Feb 12, 2021
============
Subpixel rendering: Wrong cliprect on absolute positioned elements. (r165113)
SetIntegrityLevel should call [[DefineOwnProperty]] with partial descriptor (r272747)

Feb 11, 2021
============
Don't crash when reparsing an arrow function and the parsing invariant is broken (r272663)
Get rid of didFinishParsing and make parseInner return its results (r255047)

Feb 10, 2021
============
Filter attribute selectors with selector filter (r229090)
Use selector filter when invalidating descendants (r228729)
Prefer ids and classes over tag names in selector filter (r225596)
Remove duplicates from selector filter hashes (r225482)
Style::Change should be enum class (r267191)
[JSC] Introduce JSArrayIterator (r254252 partial)
[JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl (r249547 partial)

Feb 09, 2021
============
font-style needs a new CSSValue to make CSSRule.cssText work correctly (r214359)
Parsing font descriptors inside @font-face needs to accept ranges (r213528)
Avoid using CSSOM style declarations in HTML editing. (r150960)
Take ComputedStyleExtractor for a spin. (r150945)
Get rid of Position::computedStyle (r150954)
Mail hangs when resizing the font size of a large RTL text (r137370)
Previous elements with lang= can affect fonts selected for subsequent elements (r221408 complete revisited)
Font features specified in @font-face blocks don't apply to local() families (r196969)
Give String and AtomicString an existingHash() function (r192920)
Move locale information into FontDescription (r187626 + r188025 + r190701 + r190746 rolled out + r190754 rolled out + r192290)
Remove support for screen font substitution (r179368)
local(Helvetica) in src descriptor prevent fallback (r132969)
  => css3test.com 50% 1515 tests out of 2852 total for 645 features
REGRESSION (r264574): Unchecked JS exception in validateAndApplyPropertyDescriptor() (r272466)

Feb 08, 2021
============
Unify font-variant-* with font-variant shorthand (r192819 + r192843 rolled out + r192992)
FontCascade::typesettingFeatures() is not privy to font-variant-* nor font-feature-settings (r191331)
Split TypesettingFeatures into kerning and ligatures bools (r191014)
Unprefix font-kerning (r190999)
  => css3test.com 50% 1515 tests out of 2852 total for 645 features
font-variant-* properties in @font-face declarations should be honored (r191968 + r192367)
Nullptr crash in WebCore::FontFamilySpecificationCoreText::fontRanges (r256077)
[Cocoa] [Font Features] Implement font-variant-* (r190192 + r190402)
Make FontDescriptionKey sensitive to FontFeatureSettings (r188088)
Font feature settings comparisons are order-dependent and case-dependent (r188056)
  => css3test.com 50% 1510 tests out of 2852 total for 645 features
Unreviewed post-review fixup after r213464 (r213502)
[Mac] [iOS] Implement font-synthesis CSS property (r183494)
Implement parsing support for font-synthesis CSS property (r183304)
Consolidate one-line flag-related header files into TextFlags.h (r183442)
  => css3test.com 49% 1471 tests out of 2852 total for 645 features

Feb 07, 2021
============
Expand font-weight and font-stretch to take any number (r213464)
Migrate font-stretch to use fixed-point values (r213341)
Match spec for font-weight: bolder|lighter (r175043)
  => css3test.com 49% 1466 tests out of 2852 total for 645 features

Feb 05, 2021
============
Implement the "all" CSS property. (r191178)
  => css3test.com 49% 1458 tests out of 2852 total for 645 features
Generate matchingShorthandsForLonghand() implementation from CSSPropertyNames.in (r178638)
Generate shorthandForProperty() implementation from CSSPropertyNames.in (r178626)
[JSC] globalFuncCopyDataProperties should not perform GC-sensitive operation in the middle of Structure::forEachProperty (r272428 + r272430)
Remove 'font' shorthand property special casing (r179100 complete revisited)
Generate StylePropertyShorthand.* from CSSPropertyNames.in (r178586)
Unfriend StyleResolver and StyleBuilderCustom (r178123)
Move 'font' CSS property to the new StyleBuilder (r178101)
[CSS Parser] Unprefix -webkit-writing-mode (r207757 complete revisited)
Get rid of custom StyleBuilder code for 'line-height' CSS property (r178512)
Drop legacy SVGCSSStyleSelector.cpp (r178251)
Move more SVG CSS properties to the new StyleBuilder (r178246)
The initial value of "transform-box" should be "view-box" (r261752)
transform-box: content-box, stroke-box missing (r251081 + r251084 rolled out + r251252)
[css-masking] Update clip-path box mapping to unified box (r233302)
-webkit-clip-path wrong offset for clipPath references (r233287)
http://victordarras.fr/cssgame/ doesn't work in Safari. (r195397)
Get rid of legacy StyleBuilder switch in StyleResolver.cpp (r178228)
Move 'content' CSS property to the new StyleBuilder (r178022)
Move the 'alt' CSS property to the new StyleBuilder (r178017)
Move '-webkit-text-size-adjust' CSS property to the new StyleBuilder (r178016)
Setting '-webkit-filter' to 'brightness(calc(10% * 2))' does not work (r178010)
Crash when setting 'alt' CSS property to inherit or initial (r176161)
[CSS Shapes] Can't select content within the area of the floating box when clip-path is applied (r168463)
Missing box doesn't use border-box as reference box for clip-path (r164380)
Add a CSSProperty::isDirectionAwareProperty() helper. (r160070)
  => css3test.com 48% 1454 tests out of 2852 total for 645 features

Feb 04, 2021
============
Move 'kerning' / 'paint-order' / 'stroke-dasharray' SVG CSS properties to the new StyleBuilder (r178237)
Add support for SVG CSS Properties to the new StyleBuilder (r178189)
Move '-webkit-font-feature-settings' CSS property to the new StyleBuilder (r178149)
Move '-webkit-filter' / '-webkit-backdrop-filter' to the new StyleBuilder (r177953)
Get rid of some unnecessary custom StyleBuilder code (r177915)
  => css3test.com 48% 1454 tests out of 2852 total for 645 features

Feb 04, 2021
============
[JSC] Implement Object.entries in C++ (r272364)
[JSC] Insert PhantomLocal just before SetLocal for |this| to ensure liveness (r272349)
Completion value of a finally block should not be ignored if completion is abrupt (r272243)

Feb 03, 2021
============
Fix clang static analyzer warning in StyleBuilderConverter.h (r237557)
[CSS Parser] Enhance grid-auto-flow parsing to allow dense first. (r208031)
Make 'TypeName' parameter unnecessary in CSSPropertyNames.in (r178434 + r178454)
[CSS Grid Layout] Remove the usage of Length(Undefined) in GridLength (r180140 complete revisited)
Move the CSS Grid properties to the new StyleBuilder (r177872)
[CSS Grid Layout] Remove stack from grid-auto-flow syntax (r177858)
Kill the DeprecatedStyleBuilder (r177869)
Move 'webkit-mask-image' CSS property to the new StyleBuilder (r178020 + r186392)
Remove -webkit-mask-attachment (r136080)
Implement font-stretch for installed fonts (r213267 partial revisited)
Move 'font-size' CSS property to the new StyleBuilder (r177866)
Fix initial / inherit support for '-webkit-perspective-origin' CSS property (r177616)
Move 'text-emphasis-style' CSS property to the new StyleBuilder (r176861)
Move 'clip' CSS property to the new StyleBuilder (r176383)
getPropertyValue for -webkit-text-stroke returns null, should compute the shorthand value (r144732)
Turn -webkit-text-emphasis into a shorthand property (r135374)
Move font-related CSS properties to the new StyleBuilder (r177828)
Move '-webkit-font-variant-ligature' CSS property to the new StyleBuilder (r177827)
  => css3test.com 48% 1454 tests out of 2852 total for 645 features

Feb 02, 2021
============
Add copy constructor and assignment operator to Ref<> (r261467)
Move animation / transition CSS properties to the new StyleBuilder (r177821)
Animations in an AnimationList are never null (r155119)
Support Vector<Ref<T>>. (r154997)
Move color CSS properties to the new StyleBuilder (r177687)
Implement stroke-width CSS property. (r213634 complete revisited)
Move "Auto" CSS properties to the new StyleBuilder (r177630)
Clean up StyleBuilderCustom and DeprecatedStyleBuilder (r177572)
Move 'font-weight' CSS property to the new StyleBuilder (r177503)
Move 'cursor' CSS property to the new StyleBuilder (r177414)
Move 'counter-increment' / 'counter-reset' to the new StyleBuilder (r177274)
Move 'webkit-aspect-ratio' CSS property to the new StyleBuilder (r176813)
Move 'outline-style' CSS property to the new StyleBuilder (r176359)
Move 'list-style-image' CSS property to the new StyleBuilder (r177489)
[CSS Shapes] Fix StyleBuilder code to use CSSValueNone to match spec and other code (r177289)
Move '-webkit-text-decoration-skip' to the new StyleBuilder (r177282)
Remove isSpecifiedFont boolean from FontDescription (r176789 + r176790 rolled out)
Move 'display' CSS property to the new StyleBuilder (r176721)
Move 'font-family' CSS property to the new StyleBuilder (r176657)
Move 'text-shadow' / 'box-shadow' / '-webkit-box-shadow' to the new StyleBuilder (r176621)
Transform StyleBuilderCustom into a class and mark it as a friend of RenderStyle (r176593)
Move the '-webkit-initial-letter', '-webkit-line-box-contain' and '-webkit-text-stroke-width' CSS properties to the new StyleBuilder (r176571)
Move the '-webkit-box-reflext' CSS property to the new StyleBuilder (r176524)
Properties in CSSPropertyNames.in should use the new StyleBuilder by default (r176491)
Move static StyleResolver functions to Style namespace (r153906 partial)
Clamp font sizes to valid range in RenderStyle::setFontSize (r138821)
  => css3test.com 48% 1454 tests out of 2852 total for 645 features

Feb 02, 2021
============
[JSC] TypedArray#fill should be implemented in C++ (r272187)
Lazily create m_windowCloseWatchpoints so we don't mistakenly think we have a frame when re-associating a document to a given cached frame (r272174)
%TypedArray%#slice shouldn't care about source buffer detachment if there's nothing to copy (r270371)

Feb 01, 2021
============
Asan false positive: stack use after scope under WebCore::ApplyPropertyBorderImageModifier in WebCore::Length::Length(WebCore::Length&&) (r233405)
Move the 'quotes' CSS property to the new StyleBuilder (r176369)
Move more CSS properties to the new StyleBuilder (r176202 + r176490)
Move 'vertical-align' CSS property to the new StyleBuilder (r176168)
Move 'image-resolution' CSS property to the new StyleBuilder (r176111)
Move 'border-image-*' / '-webkit-mask-box-image-*' CSS properties to the new StyleBuilder (r175997)
Move '-webkit-marquee-speed' CSS property to the new StyleBuilder (r175932)
Move 'size' CSS property to the new StyleBuilder (r175659)
  => css3test.com 48% 1454 tests out of 2852 total for 645 features

Feb 01, 2021
============
Null dereference loading Blink layout test fast/css/background-repeat-null-y-crash.html (r191938)
Move 'resize' CSS property to the new StyleBuilder (r175817)
Move 'text-indent' CSS property to the new StyleBuilder (r175815)
Move 'webkit-clip-path' CSS property to the new StyleBuilder (r175760)
Move text-align CSS property to the new StyleBuilder (r175625)
Move -webkit-text-emphasis-position to the new StyleBuilder (r175581)
Support modern range loops over CSSValueList (r175487 + r175490)
Move -webkit-shape-outside to the new StyleBuilder (r175481)
CSSValueList should assert that no null values are added to it. (r165717)
Remove Vector::prepend (r149583)
Making -webkit-image-set() the first value of background property causes crash. (r141701)
webkit-image-set() function not showing up when computing background property (r126611)
  => css3test.com 48% 1446 tests out of 2852 total for 645 features

Feb 01, 2021
============
[css-align] 'overflow' keyword must precede the self-position and content-position value (r227297 partial revisited)
[css-align] Adapt self-alignment properties to the new baseline syntax (r214564 partial revisited)
Implement stroke-width CSS property. (r213634 partial revisited)
[CSS Box Alignment] Upgrade justify-content parsing to CSS3 Box Alignment spec. (r183748 complete revisited)
[CSS Box Alignment] Unifying alignment data in a single class (r183591) (r183591 complete revisited)
[CSS Grid Layout] Implement justify-self and justify-item css properties. (r182613 complete revisited)
[CSS Grid Layout] Upgrade align-self and align-items parsing to CSS 3 (r182147 complete revisited)
Move the '-webkit-locale', '-webkit-text-orientation', '-webkit-writing-mode', '-webkit-justify-self' and '-webkit-perspective' CSS properties to the new StyleBuilder (r176584)
Move 'zoom' CSS property to the new StyleBuilder (r175467)
Move "direction" CSS property to the new StyleBuilder (r175458)
  => css3test.com 48% 1445 tests out of 2852 total for 645 features

Jan 31, 2021
============
Move string-typed properties to the new StyleBuilder (r175464)
Move the -webkit-transform property to the new StyleBuilder (r175454)
StyleBuilder: Stop using custom code for -webkit-hyphenate-limit-lines (r175445)
Move -webkit-marquee-increment property to the new StyleBuilder (r175439)
Move border-image-source / -webkit-mask-box-image-source to the new StyleBuilder (r175405)
Move -webkit-border-image / -webkit-mask-box-image to the new StyleBuilder (r175381 + r176455)
Move text decoration CSS properties to the new StyleBuilder (r175250)
Move radius CSS properties to the new StyleBuilder (r175222 + r175228)
Move ComputeLength CSS properties to the new StyleBuilder (r175169)
Move remaining Length-type properties to the new StyleBuilder (r175137)
Move remaining marquee applying code to StyleBuilder (r147350)
Move "Number" CSS properties to the new StyleBuilder (r175267)
Move Length-type CSS properties from DeprecatedStyleBuilder to the new Style Builder (r175123)
[CSS3-Text] Cosmetics on RenderBlockFlow::textAlignmentForLine (r172607)
[CSS3-Text] Add rendering support for the none value of text-justify property (r172524)
[CSS3-Text] Adjust text-justify implementation to the latest spec (r171677)
[CSS3] Add rendering support for -webkit-text-align-last (r162213)
[CSS3] Parsing the property, text-justify. (r148070)
Add initial support for generating the StyleBuilder from CSSPropertyNames.in (r175052)
[CSS] Rename the enum, from "ETextAlignLast" to "TextAlignLast" (r139734)

Jan 30, 2021
============
Fix Debug build error 'comparison is always true due to limited range of data type [-Werror=type-limits]' (r181475)
Shrink the CSSPropertyID enum type (r181320 complete revisited)
Intermittent WebCore build failures - CSSPropertyNames.gperf: No keywords in input file! calling gperf failed: 256 at WebCore/css/makeprop.pl line 901 (r178537)
[CSS Exclusions] Remove exclusions parsing support (r166618)
[CSS Exclusions] remove unused -webkit-wrap property (r149623)
getPropertyValue for -webkit-columns returns null, should compute the shorthand value (r144730)
getComputedStyle not implemented for -webkit-columns shorthand (r144647)
getComputedStyle not implemented for -webkit-column-rule shorthand (r144485)
getPropertyValue for -webkit-column-rule returns null, should compute the shorthand value (r144146)
getPropertyValue for -webkit-margin-collapse returns null, should compute the shorthand value (r144145)
getPropertyValue for -webkit-marquee returns null, should compute the shorthand value (r144144)

Jan 29, 2021
============
[iOS] Upstream WebCore/css changes (r161286 partial)
Wheel Event Not Fired For `body,html { height:100% }` (r200247)
Sideways 'wobble' when scrolling with trackpad on Mavericks (r163180)
Horizontal rubber-banding without a horizontal scrollbar is distracting (r160397)
Improve scrolling behavior in iTunes (r154535)
Vertical overlay scrollbar in iframes fades in and out rapidly when you scroll in a circle (r149066)
Get rid of m_useLatchedWheelEventNode (r126556)
DocumentMarkerController should not invoke ensureLineBoxes during TextIterator traversal (r250034)
Text markers don't paint on simple lines (r169199)

Jan 28, 2021
============
REGRESSION(r217695): Offscreen/overflowed items not being rendered while translating in-frame (r218735)
REGRESSION (r204552): Yelp carousel animation is not smooth. (r206483 + r206611 rolled out + r206662)
REGRESSION (r204552): Athlete search on Strava gives bad rendering. (r206188)
Subpixel rendering: Cleanup RenderLayerBacking::updateGeometry. (r204552)
The backdrop-filter property does not respect border-radius (r201785)
-webkit-clip-path clips incorrectly if the element bounds go beyond the top edge of the page (r185851)
Subpixel rendering: Clip-path does not work properly on subpixel positions. (r185343)
Use borderBoxRect instead of contentBoxRect for backdrop filter. (r185192)
Backdrop filter is pulling in content from behind the window. (r185124)
Make clip-path work on <video>, <canvas> etc. (r180882)
[iOS WK2] Assert in ScrollingTreeOverflowScrollingNodeIOS::updateAfterChildren() on tab switching (r179604 partial)
Border-radius clipping on a stacking context causes descendants to not render (r179369)
Filters aren't applied to elements in columns after the first (r178380)
Fix Border-radius clipping issue on a composited descendants (r178029)
REGRESSION (r169972): fix issue when removing masks from compositing layers (r170203)
Masks disappear when layers become tiled (r169972)
Column rules not respecting scroll offsets. (r167820)
Invalid cast in WebCore::RenderLayer::setupClipPath (r167079)
WebKit ignores column-rules wider than column-gap (r142770 complete revisited)
CSS filters which reference SVG filters fail to respect the "color-interpolation-filters" of the filter (r231473)
Null dereference loading Blink layout test svg/filters/display-none-filter-primitive.html (r191403)
column-rule-style: outset/inset doesn't work (r189916)
feDisplacementMap filter gets color space wrong (r144110)
feFlood incorrectly applied color-interpolation-filters (r143267)
Clean up use of flags in localToContainer-type functions (r181505)
Selection gaps don't repaint correctly with transforms (r148258)

Jan 27, 2021
============
Remove scrolledContentOffset() from rendering code (r200671)
Change RenderLayer::scrollTo() to take a ScrollPosition (r194478)
More scrollOffset/scrollPosition disambiguation, in RenderLayer (r194466)
Have offsetFromContainer() / offsetFromAncestorContainer() take a RenderElement& (r174722)
[New Multicolumn] Multiple tests assert in RenderGeometryMap (r167982)
[CSS Regions] The background of children of scrollable elements flowed into regions is not properly scrolled (r166259)
StickyPositionContraints should not need to change to account for a RenderLayer's scrollOffset (r152998)
Fix scrollRectToVisible in the presence of transforms (r140202)
Clarify that scrollPositionChangedViaPlatformWidget takes offsets (r194463)
Change ScrollView::scrollTo() to take a ScrollPosition (r194457)

Jan 26, 2021
============
Move 'dir' attribute from HTMLDocument to Document (r203761)
Document.body should return the first child of the html element that is either a body / frameset element (r202881)
Document.body should return the first body / frameset child of the html element (r189354)
REGRESSION(r179166): Crash when accessing document.dir on a document with no elements (r179971)
HTMLElement.dir should only return known values (r179181)
Introduce Document::body() for call sites interested in the <body> element (r179172)
Document.dir should reflect the 'dir' attribute of the root html element (r179166)
ASSERTION FAILED: !frame().document()->inRenderTreeUpdate() in WebCore::FrameView::layout(bool) (r216253)
Avoid repaints for invisible animations on tumblr.com/search/aww (r215507)
Allow the page to render before <link> stylesheet tags in body (r213633 + r213701 rolled out + r213712 + r214333 rolled out + r214435)
v2: WebContent crash due to RELEASE_ASSERT(!m_inLoadPendingImages) in StyleResolver::~StyleResolver() (r203172)
Rename Document::body() to Document::bodyOrFrameset() for clarity (r179157)
Rename insertedInto and removedFrom to insertedIntoAncestor and removedFromAncestor (r223802)
REGRESSION (r270874): Some React Native apps are reported broken on iOS (r271873)

Jan 25, 2021
============
REGRESSION(r225868): Release assert when removing an SVGUseElement from Document::m_svgUseElements (r231267)
Release assert in ScriptController::canExecuteScripts via CachedSVGFont::ensureCustomFontData during (r230983)
Update the SVG use element's shadow trees explicitly before the style recall (r225868)
Assert that no script is executed during style recalc (r224011 + r224131 rolled out + r224159)
Add an argument indicating the type of removal to Node::removedFrom (r223685)
Add an argument indicating the type of insertion to Node::insertedInto (r223628)
getElementById can return a wrong elemnt when a matching element is removed during beforeload event (r216978)
SVG animations are not paused when their <svg> element is removed from the document (r214327)
Store form control list with RefPtr (r150946)
sectionRowIndex must return -1 when its parent is not a table, tbody, thead, or tfoot (r190337)

Jan 24, 2021
============
Replace debug assertion with release one in Frame::setView() (r213521)

Jan 23, 2021
============
Avoid duplicate calculations in RenderBlock::computePreferredLogicalWidths (r271758)
width: max-content with box-sizing: border-box should leave space for padding (Twitter date hover overflow) (r271003)
Always min-width should win over max-width. (r245966)
Make table collapsed borders subpixel aware. (r197627)
Unexpected content wrapping at http://email.osh.com/H/2/v100000152474feb8ec7c1a1f4bbe5c7c0/HTML (r195740)
Subpixel layout: Convert RenderTable* and AutoTableLayout to use LayoutUnit. (r191623)
Vertical border spacing is doubled between table row groups (r159747)
"border-collapse: collapse;" for table removes part of its border (was: Border disappears when close to some elements) (r157579)
marquee special-case in RenderBlock is not needed (r139203)
Fix the collapsing border code to handle mixed directionality at the row level (r133439)

Jan 22, 2021
============
Ensure animations that lose their effect don't schedule an animation update (r256623)
REGRESSION(r252455): imported/w3c/web-platform-tests/dom/events/Event-dispatch-on-disabled-elements.html fails on iOS and WK1 (r252911)
[Web Animations] Retargeted transitions targeting accelerated properties do not stop the original transition (r252455 + r252526 rolled out + r252527 rolled in)
Web Inspector: Timelines: add a timeline that shows information about any recorded CSS animation/transition (r251959 partial)
[Web Animations] JS wrapper may be deleted while animation is yet to dispatch its finish event (r244031)
[Web Animations] JS wrapper may be deleted while animation is yet to dispatch its finish event (r243346 + r243561 rolled out + r243868 + r243917 rolled out)
updateCSSTransitionsForElementAndProperty should clone RenderStyles (r257640)
[Web Animations] Style changes due to Web Animations should not trigger CSS Transitions (r256627)
[Web Animations] Use a keyframe effect stack to resolve animations on an element (r252253)
ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key) on animations/keyframe-autoclose-brace.html (r255552)
[Web Animations] Optimize blending for CSS Transitions (r251706 + r251789)
[Web Animations] Only process CSS properties affected by a given CSS transition (r251543)
Fix clang static analyzer warnings: Branch condition evaluates to a garbage value (r233267)
Rename isExpandedShorthand() to isShorthandCSSProperty() for clarity (r179227)
text-emphasis-position CSS property doesn't recognize 'left' and 'right' (r162135)
Crash in debug build with imported/w3c/web-platform-tests/web-animations/timing-model/timelines/update-and-send-events-replacement.html (r250737)
[Web Animations] Implement replaced animations (r250603 + r250607 rolled out + r250617)

Jan 20, 2021
============
[Web Animations] Compute animation effect timing properties in batch (r239723)
WebAnimations API doesn't properly apply keyframe easings to transforms (r260360)
Crash in KeyframeEffect::getAnimatedStyle (r258260)
[Web Animations] The easing property for a CSSTransition effect is always "linear" (r251657)
[css-multicol] OOM with 1px height columns (r271644)

Jan 19, 2021
============
Positioned SVG not sized correctly (r214010)
Node::document() should return a reference. (r154877)
RenderObject::document() should return a reference. (r154580)

Jan 18, 2021
============
Document should store its RenderView in a RenderPtr. (r161151)
Remove Document::m_savedRenderView pointer. (r159246)
RenderObject::frame() should return a reference. (r154554)
RenderObject::view() should return a reference. (r154546)
FrameView::frame() should return a reference. (r154184)
FrameView should have an isMainFrameView() (r154116)
Remove unused code from Frame class destructor (r146815)
Removed some dead code in the page cache (r144953)
Autoreleased cached pages slow down the PLT by 2% (r144884)
RenderLayer::compositor() should return a reference. (r154549)
RenderView::compositor() should return a reference. (r154504)
REGRESSION (r187593): Scroll position jumps when selecting text in an iframe (r194405)
Minor cleanup in RenderBox::canBeProgramaticallyScrolled() (r194404)
Selecting in an iframe can cause main page scrolling (r187593)
REGRESSION (r181879): Scrolling order on pages with focused iframe is broken. (r185201)
Scroll latching logic can get stuck in 'scrollable="no"' iframes (r181879)
Scrolling allowed when overflow:hidden (seen on Acid2) (r154722 complete revisited)
Text dragging can scroll overflow:hidden boxes (r154382)
Post-r130226 Cleanup: Comment a complicated if statement and make it a helper. (r130700)
iframes with scrolling=no can't scroll to anchors (r130226)
Momentum scrolling ends at the wrong place when a scrolling overflow element has a non-zero border (r238576)
Add explicit conversions between scrollOffset and scrollPostion, and use them in a few places (r194448 + r194486)
Remove pixelSnapped* functions from RenderBoxModelObject/RenderBox. (r188433 partial)
Rubber-banding in overflow:scroll regions does not work correctly with direction:rtl (r172945 + r172965)
[iOS WK2] Fix touch-scrollable elements with overflow:scroll on just one axis, and RTL scrolling (r170541)
[JSC] GenericArguments<Type>::defineOwnProperty's assumption about error is not correct (r271570)
[JSC] Add some more exception checks in globalFuncCopyDataProperties (r271568)
Align [[DefineOwnProperty]] method of mapped arguments object with the spec (r270664)

Jan 17, 2021
============
Inspector highlights clipped at the bottom on the page in WK1 views with contentInsets (r171951 + r171952)
[iOS][WK2] Add support for minimal-ui viewports (r169245)
Implement contentInset for Mac WebKit2 (r166017)
Avoid spurious "all repaint" layouts when scrolling WebViews on Retina displays (r153810)

Jan 16, 2021
============
Viewport units are wrong when scaled in 2-up mode, cause content to hop around on apple.com/music (r185966)
Viewport units should not dirty style just before we do layout (r180848)
Clarify some resizing terminology in ScrollView/FrameView (r180615)
Use an enum for scrollbar style (r180607)
[iOS WK1] CSS viewport units use the wrong viewport size in WebKit1 (r171567)
[iOS WebKit2] Implement CSS viewport units (r167616)
Generalize unobscured rect to all ports (r165404)
Make visibleContentRect() return actualVisibleContentRect() on iOS most of the time (r162663 + r162697 + r162994 + r174199)
Scrollbar corner can be drawn outside containing frame (r173046)
Merge Document::viewportSize() logic into RenderView::viewportSize(). (r154556)
Clean up the boolean argument to visibleContentRect (r143295)
Make ScrollView::paint() clip by visibleContentRect (r142045 + r142136)
FrameView: Store scroll corner renderer in a RenderPtr. (r161197)
Make page scale shrink FrameView in applyPageScaleInCompositor mode (r141053)
Invalidate non-composited content host when page scale factor changes (r135439)

Jan 15, 2021
============
[CSS Regions] Rename region-overflow to region-fragment (r151394)
Rename "scrollOffsetForFixedPosition" and related functions to refer to scrollPosition (r194442)
Remove ScrollView::scrollOffset() in preparation for scrollOffset vs. scrollPosition clarification (r194438)
Simplify isOverlayScrollbar() logic (r194184)
Provide contentsToView() and viewToContents() functions on ScrollView, and use them (r183510)
REGRESSION (topContentInset): Searching through Facebook Messenger's chat causes  (r168763)
WK2: coordinate mapping for frames does not work when the page is scrolled. (r163989)
iframe and scrollbar with "overflow:auto" should support autoscroll with mousedrag (r156257 + r156259 rolled out + r156297)
Content inside frames and scrollbars in overflow areas hit-tests incorrectly when the WKView has a header (r148643)
FindBanner matches are offset when the WKView has a header or footer (r148137)
Correct coordinated scrolling for RTL iframe and overflow:scroll (r146399)
Subpixel rendering: Composited layer with subpixel gap does not get painted properly when its position changes. (r185152)
CSS animations in filling-forwards state shouldn't force compositing. (r185097)
[CSS Regions] Assertion failure and null dereference crash when using animations and regions (r173806)
[CSSRegions] Assertion failure hit testing a region-based multicolumn in a region (r171745)
The scrolledContentOffset method should handle the hasOverflowClip check (r165537)
[CSS Regions] Hit-testing is not working properly inside scrollable regions (r165388)
[CSS Regions] Scrollable regions (r165130)
Fix assertions when doing a full repaint of compositing layers (r137841)
Fix repaint issues when resizing a window with centered content, for platforms with a tile cache (r137811)
Text selection in text area in auto scroll mode goes wrong. (r125648)
[JSC] Correctly handle escaped keyword identifiers (r271509)
SpeculativeJIT::compileGetEnumerableLength should not use GPRFlushedCallResult (r271490)
[JSC] Accept escaped keywords for class and object property names (r270481)

Jan 14, 2021
============
[css-grid] Fix 'align-content' in grid containers with small content area (r265020)
[css-flexbox] align-content should apply even when there's just a single line (r262716)
REGRESSION(r263035): stress/get-prototype-of.js broken on s390x (r263546)
Add DFG/FTL fast path for GetPrototypeOf based on OverridesGetPrototype flag (r263470)
super should not depend on __proto__ (r263035)
Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view (r241784 + r241785 rolled out + r241787 partial)
[JSC] __proto__ getter should be fast (r223523 + r223584 rolled out + r223594)
Concurrent GC should be stable enough to land enabled (r209570 partial)

Jan 13, 2021
============
[ESNext] super accesses broken on arrow functions defined as class field (r271420)
[JSC] Enable public class fields (r258071)
[JSC] Computed function properties compute their keys twice (r256846 complete revisited)
[JSC] Add support for public class fields (r254653)
[css-flex][css-grid] Fix synthesized baseline (r244213)
[css-grid] Handle indefinite percentages in fit-content() (r241746)
[css-grid] Implement Baseline Alignment for grid items (r238457)
[css-grid] Refactoring to make more explicit the orthogonal items' pre-layout logic (r238114)
CSS grid elements with justify-content: space-around have extra whitespace, sometimes a lot (r237884)
[css-grid] Update behavior of percentage row tracks and gutters (r234687)
[css-grid] Ignore collapsed tracks on content-distribution alignment (r217345)
[JSC] Class name 'await' is valid in sync context (r271432)
[JSC] Class names must be lexed as strict mode code (r271423)

Jan 12, 2021
============
Fix computeMarginLogicalSizeForChild to check auto margins in the right axis (r261907)
Fix marginLogicalSizeForChild to check auto margins in the right axis (r261894)
[css-grid] Implement alignment for absolute positioned grid items (r225805)
[LayoutState cleanup] Remove explicit LayoutStateMaintainer::pop calls. (r224546)
RenderBlock::simplifiedLayout should pop LayoutStateMaintainer when early returns. (r188485)
Make LayoutState not arena-allocated. (r157336)
Make isTableRow() an inline function (r262132)
[css-grid] Display issues with child with max-width (r225163)
[css-grid] Refactoring and new namespace with grid related utility functions (r225104)
[css-grid] Margin wrong applied when stretching an orthogonal item in fixed size track (r217705)
[css-grid] Add support for orthogonal positioned grid items (r217486)
[css-grid] Fix behavior of positioned items without specific dimensions (r217411)
[css-grid] Handle alignment with orthogonal flows (r203771)
Stop traversing at the container block when computing RTL inline static distance. (r200492)
Incorrect position: fixed; rendering when child of position:relative/sticky. (r194710)
Baseline of number inputs not right. (r217418)
Vertical writing doesn't work with form controls. (r145391)

Jan 11, 2021
============
Implement @copyDataProperties in C++ to optimize object rest / spread (r271343)
  => Passed stress DFG (executionCounterIncrementForEntry=150, executionCounterIncrementForLoop=10) on ARMv7 GCC6.2.0 with hard float.
    [JIT tests]

Jan 11, 2021
============
for/in over a Proxy should not call [[GetOwnProperty]] trap twice per property (r271305)
[JSC] Simplify get*PropertyNames() methods and EnumerationMode (r271269)
Proxy's "ownKeys" trap result should not be sorted (r267040)
Index properties on cross origin Window objects should be enumerable (r224464 complete revisited)
JSCallee unnecessarily overrides a bunch of things in the method table. (r181765 complete revisited)

Jan 09, 2021
============
[JSC] Special property caching should check Structure's cacheability (r266715 partial)

Jan 08, 2021
============
[JSC] New expression and value function call should reserve function register if arguments include assignments (r271265)

Jan 07, 2021
============
OSR availability validation should run for any node with exitOK (r266242 partial)
DFG should not use or preserve Phantoms during transformations (r183497 partial revisited)
  Workaround SunSpider Math Cordic error on some ARMv7 platforms
  JetStream2 Octane error
  https://www.cbc.ca/ crash
  => Passed stress DFG (executionCounterIncrementForEntry=150, executionCounterIncrementForLoop=10) on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Jan 06, 2021
============
We should have a DFG intrinsic for the construct case of the Object constructor (r271164)

Jan 05, 2021
============
Improve error message for uninitialized |this| in derived constructor (r271120)
propertyNameEnumerator must check it can still take the fast path after getGenericPropertyNames (r271144)
Don't throw if `function.caller` is a non-strict / generator / async function (r271119)

Jan 04, 2021
============
[JSC] Remove unnecessary mov bytecodes when performing simple object pattern destructuring to variables (r271121)
JSFunction::deleteProperty() fails to delete a non-existent "prototype" property (r271117)
Add support for globalThis (r239464)

Dec 30, 2020
============
[CSS selectors] Support :where() pseudo class (r260319)
[CSS Selectors 4] Add support for `:is()` with the same logic for the existing `:matches()` (r259261 complete revisited)
The CSS specificity of :host() pseudo-classes is wrong (r265812)

Dec 23, 2020
============
Crash in DOMSelection::getRangeAt() (r270983)
Null Ptr Deref @ WebCore::Node::Treescope (r256764)
Don't update selection when calling setSelectionRange on a disconnected input element (r256207)
is<HTMLTextFormControlElement> reports the input type. (r225837)
innerText->renderBox() can be null in HTMLTextFormControlElement::setSelectionRange (r224296)
Handle synchronous layout when setting a selection range (r212023)

Dec 21, 2020
============
DFG should make sure replacement watchpoint is fired before folding to PutByOffset (r271034)

Dec 18, 2020
============
Implement Math.hypot (r165795)
Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength. (r220219)
Cleanup of DFG and Baseline JIT debugging code (r145933)

Dec 16, 2020
============
[DFG] Unify bunch of DFG 32bit code into 64bit code (r226261 complete revisited)
  => Passed DFG on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/html5test/css3test/EPG Guide/Factory Demo/EBench 2004/V8/SunSpider/Speedometer/arewefastyet]

Dec 16, 2020
============
Non-enumerable property fails to shadow inherited enumerable property from for-in (r270874)
[DFG] Unify bunch of DFG 32bit code into 64bit code (r226261 partial revisited)

Dec 15, 2020
============
REGRESSION(r225913): about 30 JSC test failures on ARMv7 (r226616 revisited)

Dec 14, 2020
============
:host() pseudo-selector reported as :host in CSSStyleRule (r266245)
Little cleanup of the default stylesheet (r176711 revisted)

Dec 11, 2020
============
Spread's effects are modeled incorrectly both in AI and in Clobberize (r227229)
JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object (r215777 partial)
JSC: operationSpreadGeneric uses the wrong global object for the builtin function and slow_path_spread consults the wrong global object to prove if the iterator protocol is unobservable (r211070)
We should have a more concise way of determining when we're varargs calling a function using rest parameters (r208584 + r208592 rolled out + r208637 partial revisited)
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Dec 11, 2020
============
[JSC] Use JSFixedArray directly when using call_varargs (r215720 + r215761)
We should have a more concise way of determining when we're varargs calling a function using rest parameters (r208584 + r208592 rolled out + r208637 partial revisited)

Dec 09, 2020
============
When border-radius is present, inset/outset/groove/ridge border color changes. (r178613)

Dec 08, 2020
============
Remove GraphicsContext::drawConvexPolygon() and GraphicsContext::clipConvexPolygon() (r195170 partial)
Wrong getComputedStyle result for pseudo-elements in display: none subtrees. (r221542)
Improve some other cases of context-sensitive inlining (r199093 partial revisited)

Dec 07, 2020
============
CachedCall::call() should be faster (r231741)
[JSC] Array.prototype.toString should not get "join" function each time (r248906)

Dec 02, 2020
============
Update Alignment shorthands to the spec now that they are not ambiguous (r230848 partial)
[css-align] Implement the new behavior of 'legacy' for justify-items (r228319 partial revisited)
[css-align] 'overflow' keyword must precede the self-position and content-position value (r227297 partial)
[css-align][css-flex][css-grid] 'auto' values of align-self and justify-self must not be resolved (r219315)
Use the parent box style to adjust RenderStyle for alignment. (r217536)
[css-align] The 'baseline' value must be invalid for the 'justify-content' property (r227786 partial)

Dec 01, 2020
============
[css-grid] Rename gutter properties to remove "grid-" prefix (r228095)
[css-grid] grid shorthand should not reset the gutter properties (r221668)
[css-grid] grid shorthand must reset gap properties to their initial values (r195529 complete revisited)
[css-multicol] Support percentages in column-gap (r227676)
[css-align] Implement the place-self shorthand (r216829 partial)
[css-align] Implement the new behavior of 'legacy' for justify-items (r228319 partial)
[css-align] 'left' and 'right' should parse as invalid in block/cross-axis alignment (r227432 partial)
[css-align] Implement the place-items shorthand (r214966 partial)
Rename "Region" to "Fragment" for RenderRegion and associated classes/methods. (r222556 partial revisited)
[css-flexbox] ChildIntrinsicLogicalWidth should use fit-content, not max-content (r262411)
[css-grid] Avoid clearing the overrideContainingBlockWidth if possible (r223955)
space-evenly misbehaves with flexbox (r216536)

Nov 30, 2020
============
[css-align] Adapt place-content alignment shorthand to the new baseline syntax (r214852 partial)
[css-align] Adapt content-alignment properties to the new baseline syntax (r214624 partial)
[css-align][css-grid] Overflow alignment value 'true' renamed to 'unsafe' (r194104)
Missing 'specification' section in the place-content shorthand (r213247)
[css-align] Implement the place-content shorthand (r213230 partial)
[css-grid] Use transferred size over content size for automatic minimum size (r221910)
[css-grid] Logical margin incorrectly applied during the tracks sizing algorithm of auto tracks (r217709)
[css-grid] Remove Blink-specific code for handling orthogonal grid items (r216574)
[css-grid] Remove most of the usage of SizingOperation (r215800)
[css-grid] Constrain by min|max-height on auto repeat computation (r207457)
[css-grid] Fix auto repeat tracks computation with definite min sizes (r229897)
REGRESSION(r221931): Row stretch doesn't work for grid container with min-height (r225741)
[css-grid] Small refactoring adding RenderGrid::contentAlignment() (r222441)
[css-grid] fit-content() tracks shouldn't stretch (r222440)
[css-grid] Stretching auto tracks should be done as part of the track sizing algorithm (r221931)
[css-align] Adapt self-alignment properties to the new baseline syntax (r214564)
Flex layout triggers excessive layout on height percentage descendants (r252620)

Nov 27, 2020
============
Block layout invalidation logic triggers excessive layout on height percentage descendants (r252562)
SVG root is skipped while marking percentage height descendants dirty. (r229849)
Flex child does not get repainted when it is inserted back to the render tree. (r230349 complete revisited)
Correct spacing regression on inter-element complex path shaping on some fonts (r211382)
ASSERTION FAILED: run->m_stop > 0 in *WebCore::RenderBlockFlow::computeInlineDirectionPositionsForSegment (r210601)
ASSERTION FAILED: opportunitiesInRun <= expansionOpportunityCount in WebCore::computeExpansionForJustifiedText (r205186)
REGRESSION(r182286): Tatechuyoko following ruby is drawn too far to the right (r192120)
Disallow ruby base from having leading or trailing expansions (r182286)
Support forcing expansion opportunities at the beginning and ending of a run (r182236)
Justified ruby can cause lines to grow beyond their container (r180278)
Ruby does not preserve expansion opportunities from enclosing context (r177377)
Inline ruby does not get justified correctly (r174489)
Ruby base oddly justify its text when the text is ideograph and it contains <br> on Mac. (r163469)
Design mode should not affect UA shadow trees (r217046)
Update the SearchFieldResultsButtonElement shadow Pseudo Id when HTMLInputElement's maxResults change (r171972)
REGRESSION (r155957): Invalid cast in WebCore::RenderNamedFlowThread::getRanges (r171105 complete revisited)
[CSSRegions] Region's behaviour not updated when becoming valid from invalid (r166781)
[CSSRegions] Crash while repainting an invalid region (r161054)
[CSSRegions] Crash when trying to select content from invalid region (r160979 complete revisited)
2.5% regression on page cycler moz (r153788 complete revisited)
Move :before and :after into the DOM (r131004 + r131012 + r131016 + r131042 + r131043 + r131050 rolled out)
Remove transient state regarding uknown pseudoelements from SelectorChecker. (r128329 complete revisited)
Remove RefPtr from HTMLProgressElement::m_value (r125985)
Remove RefPtr from SearchInputType::m_resultsButton and SearchInputType::m_cancelButton (r125984)
Remove RefPtr from DateInputType::m_pickerElement (r125886)

Nov 26, 2020
============
Multi-hop reference cycles not detected. (r189954)
Crash when setting 'alt' CSS property to inherit or initial (r176161)
ScriptController needs to SetForScope m_sourceURL after Refing its Frame (r264319 partial)
Correct document lifecycle while processing commands (r246890)
SVGUseElement::findTarget should return nullptr when there is a cycle (r239402)
Infinite loop if a <use> element references its ancestor and the DOMNodeInserted event handler of one its ancestor's descents updates the document style (r233366)
Ref element keys in CSSAnimationControllerPrivate (r222557)
Kill the presentation attribute cache. (r210826)
Nested calls to setDocument can omit firing 'unload' events (r210122)
Color bleeding with rounded rectangles on high dpi displays (r139137)
Route main resource loads through the memory cache. (r137333 + r137344 + r137364 + r137377 + r137424 rolled out)
Circular reference between Document and MediaQueryMatcher. (r135709 complete revisited)
Page background color bleeds through inner edge of div border with rounded edges (r135625 complete revisited)
[Platform] There are memory leak in LocaleICU (r129191)
Fix build with icu 65.1 (r250747)
Use refs for ResourceLoaders, No change in behavior except a fixed memory leak in WebKit1. (r203064 partial)  
Fix some leaks found by the leak bot (r179473 partial revisited)
WebCore icon database appears to leak sudden termination assertions (r161995)
REGRESSION(r155228): Call to DragData::asFragment() nullifies PassRefPtr<Range> in documentFragmentFromDragData (r155785)
Many textarea tests leak documents because Document::removeFocusNavigationNodeOfSubtree() can trigger a Document retain cycle (r235863)
Clean up code related to Document node removal (r235830)
For keyboard users, activating a fragment URL should transfer focus and caret to the destination (r201832)

Nov 25, 2020
============
Leaf EventTarget subclasses should be FINAL. (r156719)
Crash in DOMWindowExtension::suspendForPageCache (r241848)
ActiveDOMObject::hasPendingActivity() should stop preventing wrapper collection after ActiveDOMObject::stop() has been called (r259419 partial revisited)
Retain cycle between CSSFontSelector -> CSSFontFaceSet -> CSSFontFace -> CSSFontSelector (r257639 complete revisited)

Nov 20, 2020
============
Apply FINAL to the RenderObject hierarchy. (r149955 + r149967 rolled out + r150294 + r150312 rolled out + r153380)
Add FINAL decorators to the InlineBox class hierarchy. (r149110)

Nov 19, 2020
============
Style resolution spin due to calc() values always comparing inequal (seen on arstechnica.com) (r225141)
Support min() and max() in calc() (r222190)
Support transitions/animations of background-position with right/bottom-relative values (r206713 + r206894 rolled out + r213603)

Nov 17, 2020
============
[JSC] SourceProviderCacheItem should be small (r241201)
RenderTreeNeedsLayoutChecker asserts with imported/w3c/web-platform-tests/css/css-position/position-absolute-crash-chrome-005.html (r258380)
Remove positioned descendants when RenderBlock is no longer a containing block. (r201984)
Cleanup RenderObject::container() (r201201)
containingBlockFor*Position functions should take the renderer instead of the parent. (r200953)
Cleanup RenderObject::containingBlock. (r200781)
Absolute positioned element is not placed properly when parent becomes the containing block. (r200736)
RenderImage::repaintOrMarkForLayout fails when the renderer is detached. (r198701)
Clean up absolute positioned map properly. (r194016)
Move some code from LogicalSelectionOffsetCaches into RenderElement (r181654)
Crash in WebCore::LogicalSelectionOffsetCaches::LogicalSelectionOffsetCaches (r160819)
Avoid synchronous layout in window.scrollTo(0,0) when already at (0,0) (r170063)
[iOS WK2] Make window.scroll() and window.scrollBy() work (r167503 revisited)
ASSERT(time.isFinite()) in SVGSMILElement::createInstanceTimesFromSyncbase (r162459)
Avoid layout in window.scroll{Y,X} when at topmost/leftmost position. (r157006)

Nov 15, 2020
============
Main frame scrollbars not updated on hovering when using overlay scrollbars (r195591)
Legacy style scrollbars do not change color when you mouse over them if you are scrolled (r194155)
HitTestRequest::AllowFrameScrollbars does not test main frame scrollbar (r148188)
REGRESSION(r143727): Clicking / selecting inside an <embed> is broken (r145098)
Multiple Layout Test crashes (ASSERT) on chromium linux debug after r143727 (r143744 + r143747)
Multiple Layout Test crashes (ASSERT) on chromium linux debug after r143727 (r143730)
Allow child-frame content in hit-tests. (r143727)
HitTestResult should not be a HitTestLocation (r135710)
Disambiguate innerNodeFramePoint and mainFramePoint (r135405)
Widget's position change should not initiate layout, only when its size changes. (r158727)
Remove unused RenderWidget::notifyWidget(). (r158693)
Remove RenderWidget::viewCleared(). (r158655)
Do not call setFrameRect on Widget unless its boundaries changed. (r158651)
Merge RenderPart into RenderWidget. (r155591)
Lots of unnecessary DidLayout notifications when scrolling zoomed page with iframes (r143990)
[chromium] pepper plugins sometimes are shifted by 1 pixel (r126042)

Nov 13, 2020
============
Tidied up the Vector<T> move constructor (r157606)
Fix the performance regressions introduced by r152418 (r152438 complete revisited)
A lot of code duplication within StringImpl 'equal' functions (r152418 complete revisited)
ARM_NEON Inline Assembly for copyLCharsFromUCharSource() inefficient for aligned destinations (r142336)
Add an optimized version of copyLCharsFromUCharSource for ARM (r133100)
bitwise_cast: allow const destination type (r205577 complete revisited)
bitwise_cast infinite loops if called from the default constructor in ToType (r205362 complete revisited)
bitwise_cast uses inactive member of union (r205066 revisited)
becu.org: Placeholder text "Search" is cut off (r258906)

Nov 12, 2020
============
Optimize RenderStyle::diff() and clean up the code (r236677 complete revisited)
RenderLayer::removeOnlyThisLayer() should not call updateLayerPositions() (r236632)
[CSS Blending] Changing isolation CSS property should not trigger repaint in RenderStyle::changeRequiresLayerRepaint (r168465)
Remove client-drawn highlights (-webkit-highlight, WebHTMLHighlighter) (r163717)
Removed dead code from a very old iteration of CSS counters. (r126119)
Fixed position element is truncated if moved onscreen by a transform (r182743)

Nov 11, 2020
============
Get rid of RefCountedCustomAllocated (r162074)
Use post-branch store for RefCountedBase::derefBase (r149053)
[Refactoring] Tidy NDEBUG optioning in RefCountedBase. (r130365)
Cancelling one frame's load cancels load in other frames that have the same URL as well (r206062)
CSS parser does not support -webkit-mask-size for -webkit-mask shorthand (r136072)
Always parse pasted fragments as HTML even on XHTML pages (r132211)
Remove parent pointer from StyleSheetContents and StyleRuleImport (r126717 + 127123 + r128637 rolled out)

Nov 10, 2020
============
[JSC] Repatch should construct CallCases and CasesValue at the same time (r249310)

Nov 09, 2020
============
Delete Node::boundingBox() (r177035 + r177301)
v2: WebContent crash due to RELEASE_ASSERT(!m_inLoadPendingImages) in StyleResolver::~StyleResolver() (r203172 complete revisited)
REGRESSION (r160908): Unable to unset bold while entering text (r170296 complete revisited)
Hiding a focused element should unfocus it and fire a blur event (r156252 + r169244 rolled out)
Rename Node::getRect/getPixelSnappedRect and remove ContainerNode::getRect (r128006 + r128009 complete revisited + r128644)
Bad cast with toRenderBox in WebCore::RenderView::repaintViewRectangle (r165826)
Crash due to infinite recursion via FrameSelection::updateAppearanceAfterLayout (r218451)
ShadowRoot should have its own node flag (r235780 complete revisited)
Use a dedicated node flag to identify a Document node (r217875 + r217904)
ShadowRoot should have its own node flag (r235780)
Rename HasCustomCallbacks to HasCustomStyleCallbacks (r143089 revisited complete)

Nov 07, 2020
============
Reduce the size of Node::deref by eliminating an explicit parentNode check (r243037 + r243075 rolled out + r243122 + r243686)
Storing a Node in Ref/RefPtr inside its destructor results in double delete (r242964)

Nov 06, 2020
============
imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html hits assertion (r235956 revisited)
Document should not be mutated under SMILTimeContainer::updateAnimations() (r232941)
Crash in addChildNodesToDeletionQueue (r224199)
Avoid style resolution when clearing focused element. (r222164 + r222166 rolled out + r222167)
Avoid style recomputation when forwarding a focus event to an text field's input type (r222114)
Move MatchResult and related types out of StyleResolver (r251532)
ElementRuleCollector function signature cleanups (r251289)
[CSS Shadow Parts] :part rules should be able to override style attribute (r251285 partial)
Node::ref/deref should be const (r250768)
Allow RefPtrs of const RefCounted types (r203257)

Nov 05, 2020
============
DocumentTimeline / CSSTransition objects are leaking on CNN.com (r258826 + r258858)
Add move constructor / assignment operator to ListHashSet (r203304 + r203306 rolled out + r203325)
Use LazyNeverDestroyed instead of DEFINE_GLOBAL for QualifiedName (r220131)
Use LazyNeverDestroyed instead of DEFINE_GLOBAL for MediaFeatureNames (r220090)
Media queries and platform screen modernization and streamlining (r201441 partial)
Remove CSSPropertySourceData emptyCSSPropertySourceData (r150539)
color-index media feature not supported (r148431)
Use initialization from literal for MediaFeatureNames (r144656)
Return early in SelectorChecker::checkOne() if selector.isAttributeSelector() is true (r173646 revisited)
Remove unnecessary null checks in SelectorChecker::checkOne(). (r151210 revisited)

Nov 04, 2020
============
localToAbsolute() does incorrect conversion for elements inside position:fixed with zooming (r209297)
Fix failing tests following r254091 (r254160)
Precision of getClientRects(), getBoundingClientRect() differs depending whether simple line layout or line box layout is used (r254091)
REGRESSION (r212693): getClientRects(), getBoundingClientRect() for range that spans multi-lines differs depending on whether text is selected (r253893)
Range getBoundingClientRect returning zero rect on simple text node with <br> before it (r245534)
getBoundingClientRect always returns empty rect on a collapsed range (r243635)
Simple line layout: Implement absoluteQuadsForRange. (r212693)
Fix checkingLogicalHeight initialization in Document::updateLayoutIfDimensionsOutOfDate() (r184114)
Improve the offsetWidth/Height layout optimization (r181898 + r181909 + r181928 rolled out + r182022)

Nov 03, 2020
============
RELEASE_ASSERT(!m_document.isResolvingTreeStyle()) in com.apple.WebKit.WebContent at WebCore: WebCore::StyleResolver::~StyleResolver (r241018)
Add more assertions to find root cause for release assert hit in StyleResolver (r240037)
Media query with :host inside a custom elements doesn't get updated on window resize (r224864)
Use DOM element iterators more, and more consistently (r257188 partial)

Nov 02, 2020
============
[CSS Selectors] Selectors Level 4 specificity calculation for pseudo classes (r260024 + r260060 rolled out + r260069)
[CSS Selectors 4] Add support for `:is()` with the same logic for the existing `:matches()` (r259261)
:matches() doesn't combine correctly with pseudo elements (r255059)
Little cleanup of the default stylesheet (r176711)

Oct 31, 2020
============
Remove initial layout throttler (r257862)

Oct 28, 2020
============
Remove the use of "Immediate" in JIT function names. (r190230 partial revisited)
inc/dec behave incorrectly operating on a resolved const (r127544 revisited)

Oct 27, 2020
============
[DFG] Introduces fused compare and jump (r229957)
Baseline op_jtrue emits an insane amount of code (r232444)

Oct 24, 2020
============
[Qt] Enable tiled shadow blur for inset box shadows (r145366 revisited for Cairo)

Oct 23, 2020
============
Frame's composited content is visible when the frame has visibility: hidden. (r217472)
segfault in RenderLayerCompositor when the iframe's position attribute is changed and it embeds <object>. (r153003)
position:sticky should stick for the enclosing overflow ancestor (r150395)
Don't create compositing layers for sticky position unless using the ScrollingCoordinator (r148998)
[cairo] memory corruption with putImageData and accelerated canvas. (r153961 complete revisited)
Micro-optimize AtomicHTMLToken::initializeAttributes() (r208812)
AtomicHTMLToken should not be heap allocated or RefCounted (r145248)
Remove two unnecessary mallocs from the main-thread-parser code path (r144544 complete revisited)
Remove HTMLTokenTypes header (and split out AtomicHTMLToken.h from HTMLToken.h) (r142641)
Fold MarkupTokenBase into HTMLToken now that it has no other subclasses (r142522)
Move WebVTTToken off of MarkupTokenBase (r142484)
Fix TextDocumentParser to play nice with threading (r142363)
Remove DocType support from MarkupTokenBase now that NEW_XML is gone (r140569)
AtomicMarkupTokenBase must die (r140403)
ENABLE(NEW_XML) isn't used by anyone and no one is actively working on it (r140399)
Move constructTreeFromHTMLToken into HTMLDocumentParser (r139523)
Optimize parseHTMLInteger() (r197255 complete revisited)
[Reflected] IDL attributes of integer types should use HTML rules for parsing integers (r197014)
Fix srcset related bugs (r164929 + rr164934 + r164936 rolled out + r164949 complete revisited)
Deduplicate shortish Text node strings during tree construction. (r159764 + r159909 rolled out)
Optimize strings copies in srcset parser (r156902 complete revisited)
REGRESSION (r156140): Srcset tests are frequently crashing (r156183 complete revisited)
Remove URL decoding in srcset handling (r156140 complete revisited)
[JSC] Fix argument order for double and/or ops on ARMv7 (r268918)

Oct 22, 2020
============
Let the compiler generate QualifiedName copy constructor and assignment operator (r203298)
QualifiedName should use RefPtr<QualifiedNameImpl> internally. (r170816)

Oct 21, 2020
============
Release assert in ~Node due to render element of pseudo element not getting removed in time (r268782)
Don't use raw pointers in ShadowRoot. (r259353)
WK1: arbitrary JS execution while tearing down renderers in Element::addShadowRoot (r254700)
Rename NoEventDispatchAssertion to ScriptDisallowedScope (r226251)
Eliminate isMainThread() checks in most call sites of NoEventDispatchAssertion (r224356)
Assert that NoEventDispatchAssertion is not in the stack when executing a script (r224290)
[FrameView::layout cleanup] Make m_subtreeLayoutRoot weak. (r223853)
[FrameView::layout cleanup] Subtree should read subtreeLayout. (r223569)
Protect FrameView during style calculations (r223313)
Tear down existing renderers when adding a shadow root. (r212024)
Make sure we don't mishandle HTMLFrameOwnerElement lifecycle (r200216)
Merge ScriptControllerBase into ScriptController (r156615)
Remove Page::javaScriptURLsAreAllowed setting. (r132023)
[JSC] Update RegExp UCD to version 13.0 (r268773)

Oct 20, 2020
============
onnegotiationneeded should only be called once (r215321)
Activate WebRTC data channel tests for WK1 (r215239)
MediaStream id should be equal to msid (r215238)
MediaStreamTrack id should be preserved by PeerConnection (r215144)
Fix memory leak in CreateSessionDescriptionObserver::OnSuccess (r214689 + r214700)
Clean up RTCDataChannel (r214627)
%TypedArray%#sort helper functions should be globalPrivate (r268715)
Ensure %TypedArray% essential internal methods adhere to spec (r268640)
pluginElementCustomGetOwnPropertySlot() should support VMInquiry requests. (r264895)

Oct 19, 2020
============
test262: test/language/expressions/conditional/in-branch-1.js (r268688)
Stop RTCDataChannel when closing page (r214485 + r214500 rolled out + r214508)
Support RTCPeerConnectionState (r214293 revisited)
LibWebRTCProvider should allow setting encoder and decoder factories (r214525)
Activate release libwebrtc logging when WebRTC log channel is on (r214445)
Tighten RTCDatachannel creation and parameter getters (r214421)
Add support for RTCRtpReceiver/RTCRtpSender getParameters (r214420)
Further optimize checkWebRTCAvailability (r214418)
Add support for qpSum in WebRTC stats (r214368)
Add libwebrtc backend support for RTCRtpSender::replaceTrack (r214357)
Add support for DataChannel and MediaStreamTrack stats (r214350)
Remove custom binding for MediaDevices (r209864 partial)

Oct 16, 2020
============
Drop [NoInterfaceObject] from RTCDTMFSender and RTCStatsReport (r217194)
Value for iterator property is wrong for maplike interfaces (r217188)
Rename RTCIceCandidateEvent to RTCPeerConnectionIceEvent (r214330)
[WebRTC] Update libwebrtc source code (r213418)
[WebRTC] Support modern RTCStatsReport (r213108)
[JSC] Shrink sizeof(UnlinkedFunctionExecutable) more (r245288)
Web Inspector: Generator functions should have a displayable name when shown in stack traces (r208885)

Oct 15, 2020
============
Use @putByValDirect instead of Array.prototype.@push in built-ins (r268489 partial + r268528)
Fix framesEncoded/framesDecoded RTC stats (r214348)
Add logging in case libwebrtc.dylib cannot be opened (r214312)
Support RTCPeerConnectionState (r214293)
Clean up RTCSdpType, RTC enums and headers (r214212)
Add a WebRTC specific compile flag (r198492 partial)
Add iceCandidatePoolSize to RTCConfiguration (r214209)
Stop sending media data as soon as peer connection is closed (r214134)
Implement incoming webrtc data based on tracksCurr (r214132)
Remove uses of Dictionary in WebRTC IDL files (r209695)
Remove RTCRtpTransceiver.setDirection (r239391)
Flatten RTC enum naming (r214030)
Clean up RTCPeerConnection IDL (r213992)
Make RealtimeMediaSource::type an enum class (r213884)
[MediaStream] Minor cleanup (r205929 partial)
Split platform-independent logic in AVCaptureDeviceManager out into a new class (r192838)

Oct 14, 2020
============
Move libwebrtc backend to using tracks (r213736)
Use BlockPtr::fromCallable in WorkQueue::dispatch and WorkQueue::dispatchAfter (r205325)
Support PeerConnectionStates::BundlePolicy::MaxBundle when setting rtc configuration (r213613)
Expose WebRTC current/pending description getters (r213520)
Use default configuration for libwebrtc peerconnection (r213494)
Don't call libwebrtc functions if libwebrtc.dylib doesn't exist while testing (r213234)
LibWebRTCProvider should check existence of libwebrtc.dylib (r213190)
[WebRTC] Limit libwebrtc logging in Debug build (r213167)
[WebRTC] Fix remote audio rendering (r213080)
[WebRTC] Outgoing video quality is poor (r212931)
[WebRTC] Disable libwebrtc stderr logging in release mode (r212847)
[WebRTC] ICE candidates should be filtered according a policy (r212745)
[WebRTC] Fix some memory leaks in libwebrtc binding code (r212644 + r212661)
[WebRTC] Add support for libwebrtc negotiation needed event (r212338)
[WebRTC] Remove obsolete WebRTC stats API (r212329)
[WebRTC] Implement description getters for libwebrtc RTCPeerConnection (r212315)
[WebRTC] Creating RTCPeerConnection with libwebrtc backend is crashing on rwt (r212269)
[MediaStream Mac] Stop using AVSampleBufferAudioRenderer (r211728)
HTMLVideoElement frames do not update on iOS when src is a MediaStream blob (r203423 + r203459 rolled out + r203739)
[MediaStream] Implement MediaStreamTrack.getSettings() (r192954)
[MediaStream] Reflect media stream tracks as HTMLMediaElement tracks (r192365)
Use AtomicString arguments in TrackPrivateBaseClient callbacks (r164106)
Add "id" attribute to TextTrack (r158760)

Oct 13, 2020
============
[WebRTC] Implement Outgoing libwebrtc audio source support (r212144)
Fix i386 libwebrtc build (r211981)
Configure MockRealtimeAudioSourceMac to generate stereo audio (r211959)
RTCPeerConnection constructor can take null as input (r211886)
[WebRTC] LibWebRTCEndpoint should not own objects that should be destroyed on the main thread (r211837)
[Mac] Add an audio stream description class (r211437)
RTCPeerConnection methods can take dictionaries as input (r211436)
[WebRTC] getStats does not support legacy callback (r211404)
[WebRTC] Add a libwebrtc AudioModule specific to WebKit (r211439 + r211458)
[WebRTC] Add support for libwebrtc data channel (r211371)
[WebRTC] Use MediaEndPointPeerConnection if not using libwebrtc (r211286)
[WebRTC] Implement WebRTC PeerConnection backend based on libwebrtc (r211255)
[WebRTC] Add a LibWebRTC mock for testing (r211253)
Fixing typos in r211161 (r211171)
[WebRTC] Introduce libwebrtc abstraction for WK1/WK2 implementations (r211161)
__proto__ in object literal should perform [[SetPrototypeOf]] directly (r266264)
Invalid early error for object literal method named "__proto__" (r266117)
Array.prototype.sort's sortBucketSort accesses an array in an invalid way that can lead to incorrect results with indexed properties on the prototype chain (r268375)
OpToPropertyKey only accepts temporary for destination (r268374)
Implementation of the class "extends" clause incorrectly uses __proto__ for setting prototypes (r266106)

Oct 12, 2020
============
[JSC] arguments.callee should become ThrowTypeError if function has non simple parameter list (r268323)

Oct 09, 2020
============
libwebrtc (r218296)
 
Oct 08, 2020
============
Add support for canvas.toBlob (r213344 + r213378 rolled out + r213412 + r213437 + r213491 + r213508)
[WebIDL] PutForwards is not implemented to spec as illustrated by the WPT WebIDL/ecmascript-binding/put-forwards.html (r217895)

Oct 07, 2020
============
Update ANGLE to b11e2483742db884bd0af41f78f528240577356b. (r186169 + r186330)
[WebGL] Error messages should use source code labels, not internal mangled symbols. (r161889(

Oct 06, 2020
============
Use OwnPtr instead of deleteAllValues in KeyframeValueList (r149661)
Use OwnPtr instead of deleteAllValues in SVGResourcesCache (r149684)
Use OwnPtr instead of deleteAllValues in DocumentMarkerController (r149654)
Use unique_ptr instead of deleteAllValues in FloatingObject code (r156319)
ListHashSet::removeLast should only remove one element. (r156305)
ListHashSet should work with move-only types (r156294)
[GTK] GL_MAX_VARYING_FLOATS is not defined in OpenGL ES 2 (r181323)
Check for varying packing restrictions per program instead of per shader. (r173527 + r173539)
[WebGL] Check for global variable precision mismatch between vertex and fragment shaders. (r160567)
[GTK] Support WEBGL_draw_buffers extension. (r164525)
Rename EXT_draw_buffers to WEBGL_draw_buffers (r164477)
Check WEBGL_draw_buffers requirements before exposing the extension (r146694)
EXT_draw_buffers needs implementation (r144358 + r144459)
Support ANGLE_instanced_arrays for GLES backend. (r164026)
Support ANGLE_instanced_arrays for linux (r163858)
[WebGL] Implement ANGLE_instanced_arrays (r162565 + r162600)
[WebGL] validateRenderingState method name change (r153742)
Roll ANGLE to r1833 (r143742 revisited)
Add support for OES_vertex_array_object in chromium (r129275)
Do not create a shape object outside of the layout context (r245361)
Animation stops with object-fit:contain on an animated 2d canvas (r234187 + r234203 rolled out + r234343)
putImageData leaves visible artifacts on retina display (r198958)
[CSS Shapes] Refactor getExcludedIntervals since only one LineSegment is ever returned (r172357)
[CSS Shapes] line height grows around polygon and incorrectly causes text to wrap to next line (r168778)
[CSS Shapes] shape-outside polygon fails when first vertex is 0,0 (r167931)
[CSS Shapes] Simplify Polygon implementation (r166790)
[CSS Shapes] Empty polygons with non-zero shape-padding cause an ASSERT crash (r159291)
[CSS Shapes] Winding rule polygon issues (r155865)
[CSS Exclusions] polygon shape-inside layout fails (r148582)
[Chromium] Animation updates fail when using a canvas as a CSS backround-image style with -webkit-canvas (r136262)
vw/vh units used as font/line-height values don't scale with the viewport (r169407 complete revisited)
[CSS Shapes] Shapes do not resolve dimensions specified in viewport units (r168481 complete revisited)
%TypedArray%.from must do mapping and putting in lockstep (r268037)

Oct 05, 2020
============
Refactor ShapeOutsideInfo so it isn't mutated for each line (r172529)
[CSS Shapes] Stacked floats with shape-outside should allow inline content to interact with the non-outermost float (r162217)
Header is blank on https://nader.org (r260905)
Fix computeFloatVisibleRectInContainer to handle non-SVG object parent (r254458)
Nullptr crash if SVG element if element parent becomes document node (r253521)
`width: 1%` on nested table cell causes its table to hog horizontal space (r201234)
Removed the custom allocator for PODRedBlackTree (r176431)
Amazon.com Additional Information links aren't clickable (r192854)
RenderBlockFlow::addFloatsToNewParent should check if float is already added to the object list. (r214588)
RenderBlockFlow::moveFloatsTo does not move floats. (r210145)
Cleanup inline boxes when list marker gets blockified (r242943)
Remove RenderElement::s_noLongerAffectsParentBlock (r229137)
Remove RenderElement::s_affectsParentBlock (r229091)
Merge RenderListMarker::styleWillChange() into styleDidChange(). (r157722)

Oct 02, 2020
============
[JSC] String.protoytpe.toLocaleLowerCase's availableLocales HashSet is inefficient (r264293)
The SVG fragment identifier is not respected if it is a part of an HTTP URL (r221377)
SVG preserveAspectRatio=none is not honored. (r163453)
ASSERTION FAILED: url.containsOnlyASCII() in WebCore::checkEncodedString() when parsing an invalid CSS cursor URL (r206744)
REGRESSION(r184779): Possible read-after-free in JavaScriptCore/dfg/DFGClobberize.h (r189046)
Allow DFGClobberize to return non-node constants that must be later created (r184776 revisited FTL JIT)
Explore increasing max JSString::m_length to UINT_MAX. (r221192)
Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround. (r185768 revisited)
LazyNode comparison can return incorrect results when comparing an empty value (r184927)
[JSC] Define Array#sort's implementation functions as globalPrivate (r267827)
Update Array.prototype.sort to be consistent with tightened spec (r267514)

Oct 01, 2020
============
[JSC] ModuleEnvironment do not have JSGlobalLexicalEnvironment as its upper scope (r259835)
Unreviewed, fix initial global lexical binding epoch (r240329)
[JSC] Invalidate old scope operations using global lexical binding epoch (r240220 + r240248 rolled out + r240254)
[JSC] Global lexical bindings can shadow global variables if it is `configurable = true` (r239879 + r239898)

Oct 01, 2020
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Sep 30, 2020
============
[JSC] Speculate children first in DFG NewArray (r265405 complete revisited)
HasIndexedProperty should know about sane chain (r258901 + r258952)
Remove invalid assertion in DFG's compileNewArray(). (r252247)
[JSC] Add branchIfNaN and branchIfNotNaN (r236734)
FTL should pin the tag registers at inline caches (r199675)
Add a stack overflow check in Yarr::ByteCompiler::emitDisjunction(). (r252239)
JSC test crash: stress/dont-strength-reduce-regexp-with-compile-error.js.default (r243237)
[YARR] Add diagnosis for YarrJIT failures (r227469)
Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire  which churns 65KB of memory (r232738)
Don't do index masking or poisoning for DirectArguments (r230266)
JSObject shouldn't do index masking (r230144)
Strings and Vectors shouldn't do index masking (r230130)
REGRESSION(r225913): about 30 JSC test failures on ARMv7 (r226616)
REGRESSION(r225913): about 30 JSC test failures on ARMv7 (r226298)
Fix assertion in JSObject's structure setting methods (r225933 + r225943)
JSObjects should have a mask for loading indexed properties (r225913 complete revisited)
DOMMatrix and DOMMatrixReadOnly should be available in workers (r221512)
Implement DOMMatrix2DInit for setTransform()/addPath() (r221462)
[canvas] Add more constructors to Path (r141624)
Restrict WebSockets header parsing according to RFC6455 and RFC7230. Based on Lamarque V. Souza's original patch. (r198561)

Sep 29, 2020
============
RegExp.prototype[@@search] should use SameValue (r260312)
[JSC] Add SameValue DFG node (r231224 + r231284)
We don't model regexp effects properly (r231145 complete revisited)
DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace (r199075 complete revisited)
DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace (r199075 partial revisited)
Add a slice intrinsic to the DFG/FTL (r210476 + r210518 rolled out + r210695 complete revisited)

Sep 28, 2020
============
[JSC] isRope jump in StringSlice should not jump over register allocations (r244058 partial)
[DFG][FTL] Introduce StringSlice (r224276)
[DFG][FTL] Make ArraySlice(0) code tight (r229742)
ArraySlice needs to keep the source array alive. (r246740 complete revisited)
Add a slice intrinsic to the DFG/FTL (r210476 + r210518 rolled out + r210695 complete revisited)
[JSC] Remove getTypedArrayImpl (r233721)
[JSC] Move slowDownAndWasteMemory function to JSArrayBufferView (r233467)

Sep 27, 2020
============
Disambiguate the OverridesGetPropertyNames structure flag (r262827)
Index properties on cross origin Window objects should be enumerable (r224464)
Regression(r219659): Can no longer log into ifttt.com using Google account (r224287)
Make cross-origin properties enumerable (r219659)
Symbols exposed on cross-origin Window / Location objects should be configurable (r211772)
REGRESSION(r205136): {}.toString.call(crossOriginWindow) should not throw (r211504)

Sep 26, 2020
============
%TypedArray%.{from, of} no longer perform AllocateTypedArray (r267603)
DataView instances should not have own "byteLength" and "byteOffset" properties (r267564)

Sep 25, 2020
============
[JSC] Add missing detached buffer errors for DataView (r266529)
Don't use AtomicString in HTTPHeaderMap (r170029 + r170038)
URTBF after r169943 and r169946. (r169966)
Add a HTTPHeaderMap::get overload that takes an HTTPHeaderName (r169946)
Add a HTTPHeaderMap::set overload that takes a HTTPHeaderName (r169943)
Add a HTTPHeaderMap::find overload that takes a HTTPHeaderName (r169941)
Add overloads of HTTPHeaderMap::find and remove that take enums (r169937)
Move header value merging to HTTPHeaderMap (r169906)
HTTPHeaderMap should not derive from HashMap (r169679)
Add addHTTPHeaderField() method to ResourceResponse (r142902)
tryGetById should be supported by the DFG/FTL (r199279 complete revisited)
TryGetById clobberize rules are wrong. (r264643)
%TypedArray%.prototype.toLocaleString must make conscious use of @toString (r267559)
%TypedArray%.prototype.sort must throw if comparator is defined and uncallable (r267554)
%TypedArray%.prototype.{map, filter} should perform TypedArraySpeciesCreate correctly (r267549)

Sep 24, 2020
============
[JSC] Exception verification crash on operationArrayIndexOfValueInt32OrContiguous (r243835)
[JSC] havingABadTimeWatchpoint is not required in Array#indexOf optimization (r237447)
[DFG] More ArrayIndexOf fixups for various types (r218525 partial)
[DFG] Add ArrayIndexOf intrinsic (r218084 + r218113 + r218312)
TemplateObject passed to template literal tags are not always identical for the same source location. (r244978 + r245026 rolled out + r245040)

Sep 24, 2020
============
%TypedArray%.prototype.fill must only evaluate its argument once (r267522)
%ArrayIteratorPrototype%.next must check for detached buffers (r267519)
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Sep 23, 2020
============
[JSC] add DFG/FTL support for op_to_property_key (r254801 complete revisited)
  slowPathCall spills registers excluding result registers, so result registers can not reuse other registers.
Save three bytes per CStringBuffer object (r154565)
Computed Properties with increment sometimes produces incorrect results (r257034 complete revisited)
[JSC] Computed function properties compute their keys twice (r256846 partial)
[JSC] add DFG/FTL support for op_to_property_key (r254801 partial)
Coerce computed property before adding to |excludedList| (r267440)

Sep 22, 2020
============
REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable (r234580)
[JSC] cache TaggedTemplate arrays by callsite rather than by contents (r228422)
[JSC] Rename ANDEQUAL to BITANDEQUAL (etc.) throughout frontend (r259096)
[JSC] Ensure x?.y ?? z is fast (r249117)
Update double-conversion to the latest version (r242048)
[WTF] Make double-conversion's cache data constant and drop double_conversion::initialize() (r219124)
[ESNext] Implement optional chaining (r248829)
Exception message for expressions with multiple bracket accesses is inconsistent / incorrect (r207326 complete revisited)
[JSC] Proxy should be trapped if base value is primitive (r267348)

Sep 21, 2020
============
Drop legacy canvas.probablySupportsContext() (r205554)
First parameter to canvas.getContext() / probablySupportsContext() should be mandatory (r203845)
CanvasRenderingContext2D should not have a CanvasRenderingContext parent interface (r204745 + r204748 rolled out + r204839 + r205360)
Support unprefixed WebGL context creation (r157138)
Expose HTMLCanvasElement supportsContext (r151298 + r155137)
Fix crash accessing RenderView's layer's backing when not composited (r140073)
Regression(183998): Disqus comments take a very long time to load (r186195)
Throttle RequestAnimationFrame in subframes that are outside the viewport (r183985 + r183990 rolled out + r183998)
Throttle timers that change the style of elements outside the viewport (r176212 + r176282 + r176496 + r177964 + r185269 rolled out)
ScriptedAnimationController::setThrottled should extend MinimumAnimationInterval (r150159 + r150162)
Process suppression should throttle scripted animations (r150156)
DOMMatrix/DOMMatrixReadOnly validation is incorrect for NaN values (r221545)
Add CanvasRenderingContext2D::getTransform (r219619)
Add support for CanvasRenderingContext2D.resetTransform() (r204878)
Generate bindings code for EventTarget.addEventListener() / removeEventListener() (r201305)

Sep 19, 2020
============
DFG should ensure there are PhantomLocals for the taken block of op_jneq_ptr (r267255)

Sep 18, 2020
============
Add support for structured serialization of CSS Geometry types (r218644)
Implement serializer = { attribute } (r207378 + r207394)
ClientRect properties should be on the prototype (r203702)
[Freetype] Doesn't support coloured fonts (r221909 partial revisited)
Implement DOMQuad (r218458)
[Win] Compile errors in Document::updateTitleElement. (r221684)
Fix a few minor problems found while working toward removing unneeded calls to updateStyle (r221603 + r221626 rolled out + r221661)
document.title setter can't throw. (r205106)
Fix null handling of several Document attributes (r203487)
Setting document.title reuses <title>'s textnode child (r203047)
Document.title setter does not work for SVG documents (r202895)
Setting document.title when there is no title and no head element should no nothing (r189555)
Rename Node::childNodeCount() to countChildNodes() and avoid inefficient uses (r173606 complete revisited)
[JSC] Async generator default-export is not handled (r267199)
[JSC] Update JSModuleNamespaceObject::defineOwnProperty (r267196)
Support export namespace `export * as ns` (r267186)

Sep 17, 2020
============
REGRESSiON (r226492): Crash under Element::absoluteEventBounds() on a SVGPathElement which has not been laid out yet (r227697)
ASSERTION FAILED: m_layoutPhase == InPostLayerPositionsUpdatedAfterLayout || m_layoutPhase == OutsideLayout (r217588)
Move RenderView::shouldDisableLayoutStateForSubtree to SubtreeLayoutStateMaintainer. (r203751)
Disconnect LayoutStateDisabler logic and RenderView pointer. (r188322)
WebKit1 Clients Are Not Reliably Repainted (r181587)
Layers need to be already updated before we call adjustViewSize (r178661)
Rename FrameView's repaintFixedElementsAfterScrolling and updateFixedElementsAfterScrolling (r159238)
Delegated scrolling: Assertion on attempt to show a CSS sticky element (r140262)
Pages with position:fixed elements should still be able to scroll on the scrolling thread (r133536 partial)
ScrollView::setScrollPosition is overridden by FrameView, but is not virtual (r130123)
Disabled SVG shapes should not be hit (r252069)
REGRESSION (r220717): Assertion fires when animating an SVG rounded corner rect till it collapses (r243845)
The none smooth stroke applied to an SVG shape breaks its hit testing (r220717)
REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout (r185567 rolled out, black bar on top of https://web.basemark.com/ SVG test 10/20)
getBBox() returns (0,0) when width or height is zero. (r169522)
AX: IOS: crash while navigating with SVG (r152105)
RenderSVGRoot should check the renderers inside its visualOverflowRect for hit testing if the overflow is visible (r222934)
Unreviewed, suppress GCC warnings (r227478)
Implement DOMMatrixReadOnly.transformPoint() (r217767)
Implement DOMMatrix's fromFloat32Array / fromFloat64Array & toFloat32Array / toFloat64Array (r217764)
Implement DOMPointReadOnly.matrixTransform() (r217763)
Implement DOMRect/DOMRectReadOnly (r207438)
Add version of drawFocusIfNeeded that take a Path2D parameter. (r173652)
Add support for drawFocusIfNeeded (r168476)
DOMMatrix.invertSelf() returns garbage values for a non-invertible matrix (r233628)
Implement DOMMatrix / DOMMatrixReadOnly (r216959)
Align WebKitCSSMatrix stringifier with spec for DOMMatrix (r216881)
Support the deprecated dictionary constructor for DOMPointReadOnly and DOMPoint (r209677)
Implement DOMPoint/DOMPointReadOnly (r207420)
Use Optional for matrix inverses (r192900)
Don't call CGPathAddPath with invalid CGAffineTransform objects (r166989)
[JSC] Optimize Promise#finally by avoiding creating multiple environments (r267184)
Don't IC a null custom accessor/value setter (r267163)

Sep 16, 2020
============
Update custom line breaking iterators to the latest version of Unicode (r212235)
Rename MidpointState to WhitespaceCollapsingState (r199149)
Hangable punctuation measurement using the wrong indices. (r199777)
Implement the allow-end value of the hanging-punctuation CSS property. (r198683)
Don't hyphenate the last word in a paragraph of text. (r199818)
Add support for the "last" value of hanging-punctuation (r197519)
Add support for the "first" value of the hanging-punctuation property. (r197464)
Implement hanging-punctuation property parsing. (r196075)
Text is misplaced when custom font does not have space glyph. (r184150)
When kerning is enabled, word spacing is doubly accounted for in RenderText::computePreferredLogicalWidths (r129068)
HashTable based classes leak a lot (r172167 + r172378)
False-positive leaks from FastMalloc. (r153635)
Remove RefPtrHashMap (r174268 rolled out, possible memory leak during load test, code size is larger)
CustomFunctionEquivalence PropertyCondition needs to check if the structure has the property (r267113)

Sep 15, 2020
============
Binding NULL pointer to reference in WebCore::RenderObject (r204620)
Migrate line breaking code from ints to Optional<unsigned>s (r204531)
Soft hyphen is not shown when it is placed at the end of an inline element (r196782)
Implement -apple-trailing-word: -apple-partially-balanced (r181013)
SVG clip-path references can clip out later content (r212038)
[REGRESSION] word-spacing property is incorrectly applied (r222605)
Arguments called in wrong order (r209924 partial)
text-align: justify and word-spacing combine to overflow column (r209910)
Include tab character as a word end for kerning (r149891)
Width of last of consecutive tabs may be incorrect with "white-space: pre-wrap" (r148358)
Enable font measurement optimization for Chromium-mac when there are no font-feature-settings. (r147156)
Only add wordspacing when kerning to actual word ends (r146083)
Tests failure on Chromium Mac after r130821 (r131000)
SVG elements should inherit the root's flow thread state. (r210035)
RenderObject::flowThreadState should follow containing block instead of parent. (r208661)
Mark CanvasPath operations' parameters as mandatory when they should be (r204669)
Add 'edgeMode' attribute to SVGFEGaussianBlur (r154948)
More event handler improvements (r181507 partial revisited)
BytecodeParser should GetLocal op_ret's value even if it's unused by the caller (r267062)
Don't assume byte code operands are uint32 JSValues (r267017)
Element::parseAttribute() should take name & value as separate arguments. (r135069)

Sep 14, 2020
============
Remove unneeded SVG code, including most isSupportedAttribute functions (r182121 + r182256)
More event handler improvements (r181507 partial)
Streamline and simplify SVGSVGElement and related classes (r179982)
SVGPathElement should cache the built-up Path of its non animating pathByteStream() (r223804)
Make sure HTTPHeaderMap gets a move constructor / assignment operator (r201994)
Use references and more const in SVGPathUtilities (r190844)
Remove RefPtrHashMap (r174268)
Fix bugs related to setting reflected floating point DOM attributes (r223035)
Move all classes in the HTML directory from ExceptionCode to Exception (r208096 partial)
Use fastGetAttribute() / setAttributeWithoutSynchronization() when possible (r203302 partial)
GenericHashTraits::peek() is producing copies of passed-in temporary values (r172895)
Remove passIn and passOut from HashTraits (r157049)
RefPtrHashMap should work with move only types (r156056)
Make Vector::takeLast work with move-only types (and optimize for types where move is faster) (r167348)
Make Vector::insert work for move-only types (r157074)
Implement Vector::append for move-only types (r155541)
Make Vector::uncheckedAppend work with move-only types (r155152)
VectorMover should use std::move (r155258)

Sep 11, 2020
============
Crash in CSSImageGeneratorValue and RenderScrollbar (r160618 complete revisited)
Caching of generated images in CSS should be smarter. (r149886)
Promise.prototype.finally should perform PromiseResolve (r266896 partial)
[JSC] Optimize Promise runtime functions (r251671 partial)

Sep 10, 2020
============
RenderStyle should not be reference counted (r199964 complete revisited)
Crash in CSSImageGeneratorValue and RenderScrollbar (r160618 partial)
Scrollbar width is not applied when element hidden (r155323)
RenderStyle should not be reference counted (r199964 partial revisited)
Placeholder style mechanism leaks CSSFontSelector for first Document styled. (r210240)

Sep 09, 2020
============
REGRESSION(r156846): Crashes with guard malloc (r200031 complete revisited)
Don't emitDirectBinding() if there is a [...rest] element binding (r266778)
QuickLook resources are cache-replaced with their original binary data causing ASSERT(m_data->size() == newBuffer->size()) in CachedResource.cpp (r171993)
Implementors of CachedResource subclasses should be forced to decide if encoded data can be replaced. (r149079)
Avoid CSSPrimitiveValue allocation when parsing sizes (r184208)
Calculate source-size length as a float (r183984)
Fix sizes crash and add invalid value tests. (r183948)
[Win] Build fix after r179476. (r179487)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179476 partial revisited)
Rework CSS parser, eliminating "floating" concept and using %destructor (r155536 partial revisited)

Sep 08, 2020
============
Remove "gopher" from list of special schemes in URLParser (r249941)
When parsing an IPv4 address, wait until after deciding it is indeed an IPv4 address before reporting syntax violations (r247269)
Remove invalid assertion in URLParser::domainToASCII (r247268)
URLParser should reserialize IPv6 addresses that end with a colon (r247267)
URLParser::parseIPv6Host should properly parse 0's around compression (r245983)
URLParser::parseHostAndPort should not allow non-port characters after an ipv6 host (r245982)
URLs with mismatched surrogate pairs in the host should fail to parse (r236528)
uidna_nameToASCII only needs a buffer capacity of 64 (r236527)
Remove NavigatorContentUtils in WebCore/Modules (r243433)
Forbid < and > in URL hosts (r226469)
Clean up old URL parser remnants (r224823)
ASSERTION FAILED: internalValuesConsistent(m_url) in WebCore::URLParser::URLParser (r224202)
Missing break in URLParser (r221677)
Unreviewed, add comment warning that some flags have been copied into Epiphany (r221195)
Deleting last URLSearchParams key should remove trailing ? in associated URL (r219458)
Reduce URL size (r219338)
REGRESSION(r215096) Queries of URLs with non-special schemes should not percent-encode single quotes (r219024 + r219073 rolled out + r219076)
URLSearchParams should be reflective (r215940)
WebKit should percent encode single quotes in query strings (r215096)
[URLParser] Fix file URLs that are just file:// and a Windows drive letter (r213546)
Fix URLs relative to file URLs with paths beginning with Windows drive letters (r213469)
[URLParser] Fix file: as a relative file URL (r213384)
Non-special relative URLs should not ignore extra slashes (r212977)
.. should not remove windows drive letters in paths of file URLs (r212953)
Remove old URL parser (r212508)
Special URLs without a host are invalid (r212470)
URLs with an invalid IPv4 address should be invalid (r212279)
Rename RegisterProtocolHandler API to NavigatorContentUtils (r126735)
Percent should be allowed in non-special URL hosts (r212249)
URLParser: implement forbidden host code points for non-special URLs (r211638)
URLParser: Fix parsing invalid IPv4 addresses with non-ASCII characters (r211621)
URLParser should fail to parse percent-encoded invalid UTF-8 sequences (r211067)
Make URLs with non-special schemes and a query or fragment but no slash after the host more compatible (r211058)
REGRESSION (URL parser): Relative URLs arent resolved correctly when the base URL is an applewebdata: URL (r209572)
Support IDN2008 with UTS #46 instead of IDN2003 (r208902)
REGRESSION (r207162): [debug] loader/stateobjects LayoutTests timing out (r208815)
URLParser should not consider path of URLs with no host to start at the first slash after the colon (r208508)
Move isDefaultPortForProtocol from URLParser.cpp back to URL.cpp (r208407)
Percent-encode non-ASCII code points in hosts of URLs with unrecognized schemes (r208239)
Partially revert 207805 after resolution in URL spec issue 87 (r208087)
URLParser should not try to interpret host of URLs with unrecognized schemes as IPv4 address (r208086)
URLParser should match old URL::parse with %2E in path (r207795 + r207803 rolled out + r207805)
Hosts of URLs with non-special schemes should be case-sensitive, and non-ASCII characters in such hosts should be punycode-encoded (r207321)
Disable URLParser for non-Safari iOS and Mac apps for now (r207305)
Fix out-of-bounds reading in URLParser when parsing improperly percent-encoded values (r207273)
Mail needs nonspecial URLs to keep case in host and not have slash after host (r207268)
URLParser should percent-encode non-ASCII and non-printable characters in fragment (r207152)
Non-special URL fragments should percent-encode non-ASCII characters (r206942)
Disable URLParser logs by default in all builds (r206924)
URLParser: Non-ASCII characters in Non-UTF-8 encoded queries of relative URLs with ws, wss, or nonspecial schemes should be UTF-8 encoded (r206887)
Skip tabs and newlines between end of query and beginning of fragment in non-UTF-8-encoded URLs (r206879)
URLParser should parse file URLs with ports consistently (r206878)
URLParser should parse IPv4 addresses as the last two pieces of an IPv6 address (r206842)
URLParser should correctly strip unnecessary 0's in IPv6 addresses (r206819)
UTF-8 encode queries of nonspecial and websocket schemes (r206818)
URLParser: query-only URLs relative to file URLs should just add a query (r206784)
URLParser should match URL::parse and other browsers when parsing a URL containing only scheme:// (r206783)
URLParser should strip tabs at all locations (r206758)
URLParser: fragment-only URLs relative to file URLs should just add a fragment (r206749)
URLParser: empty relative URLs should not copy fragment from the base URL (r206735)
Fix off-by-one error in URLParser::parseIPv4Host (r206650)
URLParser: parsing a URL with an empty host and a colon should fail (r206649)
URLParser: handle syntax violations in non-UTF-8 encoded queries (r206648)
Fix syntax violation handling in IPv4 address parsing (r206617)
URLParser should correctly parse ports with leading 0's (r206614 + r206615)
URLParser: make parsing invalid IPv4 addresses more robust and correct (r206609)
URLParser: IPv6 addresses followed by a colon are invalid (r206608)
URLParser should fail to parse unclosed IPv6 addresses (r206593)
URLParser should ignore tabs at all possible locations (r206592)
URLParser should properly handle unexpected periods and overflows in IPv4 addresses (r206554)
URLParser should ignore tabs in authority (r206549)
URLParser should ignore extra slashes after scheme:// and handle a missing slash after the port (r206548)
URLParser should correctly canonicalize uppercase IPv6 addresses (r206547)
Inline critical functions in URLParser (r206485)
Correctly parse URLs with the first tab in the fragment (r206480)
URLParser: Handle windows drive letters after two slashes in relative URLs according to spec (r206477)
URLs with @ in the user should only search for the last @ until the end of the authority and host (r206475)

Sep 04, 2020
============
Implement URLParser::syntaxViolation (r206457)
-Wtautological-compare triggered in URLParser::internalValuesConsistent (r206385)
Refactor URLParser (r206337)
Refactor URLParser (r206334)
Refactor URLParser (r206329)
Remove URLParser serialized template (r206323)
URLParser should match URL::parse when parsing data urls with slashes in them (r206235)
URLParser should fail when parsing invalid relative URLs with no schemes (r206231)
Optimize URLParser (r206223)
URLParser: Correctly parse URLs that are just nonspecialscheme:/ (r206219)
URLParser: correctly parse relative URLs that are just one character (r206218)
Optimize URLParser (r206198)
Reduce allocations in URLParser (r206177)
URLParser: uidna_IDNToASCII_56 is deprecated (r206169)
Align URLParser with web platform tests when parsing non-special relative URLs ending in AuthorityOrHost state (r206162)
URLParser should allow '@' in user (r206159)
URLParser: Fix parsing relative URLs with one slash after the scheme: (r206158)
Fix Windows file URL quirks in URLParser (r206157)
URLParser can read memory out of bounds (r206126)
URLParser should parse serialized valid URLs faster than unknown input (r206125)
Remove unnecessary String allocations in URLParser (r206076)
Inline functions in URLParser (r206075)
Use Vector<LChar> instead of StringBuilder for the ASCII parts of URLParser (r206044)
URLParser should percent encode the user and password according to spec (r206036)
Fix more edge cases in URLParser (r206035)
Use character class table in URLParser (r205990)
URLParser should parse URLs with non-special schemes (r205749 complete revisited)
URLParser: Check for invalid characters in the host (r205988)
Use efficient iterators in URLParser (r205986)
Array.prototype.push should always perform [[Set]] in strict mode (r266581)

Sep 03, 2020
============
The width of an empty or nullptr TextRun should be zero (r235721 partial)
WTF::StringView::split should have an allowEmptyEntries flag (r234122)
Add WebCore::protocolIsJavaScript(StringView) (r215949)
Text might wrap when its preferred logical width is used for sizing the containing block. (r213008)
StringView.split() should use an iterator design pattern instead of allocating a Vector (r211087)
Add runtime flag for using URLParser (r205266)
Perform IDNA encoding on parameters for setHostAndPort and setHost (r201850)
Revert accidental behavior change from previous patch. (r195952)
Cut down on calls to String::lower; mostly replace with convertToASCIILowercase (r195951 partial)
AI does not correctly model the clobber case of ArithClz32 (r224349)
[JSC] Make ArithClz32 work with Cell arguments (r205511)
[JSC] Implement Math.clz32(), remove Number.clz() (r183358 complete revisited)
ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp (r266496)

Sep 02, 2020
============
ASSERTION FAILED: newLogicalTop >= logicalTop in WebCore::RenderBlockFlow::getClearDelta (r210534 no more infinite loop at https://www.suntory.co.jp/)
REGRESSION(r159166?): fast/block/float/float-with-fractional-height-vertical-lr.html, fast/block/float/float-with-fractional-height.html are failing (r160715)
ASSERTION FAILED: rangesIntersect(m_renderer.pixelSnappedLogicalTopForFloat(floatingObject), m_renderer.pixelSnappedLogicalBottomForFloat(floatingObject), m_lineTop, m_lineBottom)  (r159324)
Make the placed floats tree use LayoutUnit instead of int (r159166)
RenderBlockFlow::nextFloatLogicalBottomBelow should not use ShapeOutsideFloatOffsetMode (r158954)
Refactor logical left/right offset for line methods (r158855 + r158856)
Allow RenderStyles marked unique in matched properties cache (r201086)
[New Multicolumn] Writing mode changes on the <html> and RenderView need to be propagated to column sets and flow thread children of those renderers. (r170304)
[New Multicolumn] REGRESSION: Column set styles don't update when zooming etc. (r167429)
Make RenderStyle's non-inherited flags more human friendly (r221459 + r221467 + r221469)
Resolving direction and writing mode properties should not mutate document (r195560)
Style resolver initialization cleanups (r195465 partial)
Support break-after, break-before and break-inside. (r195892)

Sep 01, 2020
============
Document.createElementNS() / createAttributeNS() parameters should be mandatory (r203441)
createElementNS and createAttributeNS should treat undefined namespaceURI as null string (r195152)
createElement should not lowercase non-ASCII characters (r195091)
createElementNS handles element name 'xmlns' correctly. (r161464)
Shrink factory functions (r155801 partial)
Devirtualize some things on Document. (r149959)
RenderStyle should not be reference counted (r199964 partial revisited)
Clicking the search icon on ae.com hangs the web content process (r248909)
Text insertion cursor disappears after pressing enter (r215094)

Aug 31, 2020
============
Make StyleRareNonInheritedData::mask and StyleBackgroundData::background DataRefs (r266344)
Speculative fixes for crashing in viewportChangeAffectedPicture (r195606)
Picture element needs to respond to dynamic viewport changes. (r193859)
The stress GC bot crashes in JavaScriptCore beneath ShadowChicken::update and Inspector::jsToInspectorValue (r209847 partial)
optional sequence values not handled correctly by binding generator (r209303 partial + r209310)
Simplify SerializedScriptValue, MessagePortArray and ArrayBufferArray to ease generation (r207505 partial)
First parameter to MessagePort / DedicatedWorkerGlobalScope.postMessage() should be mandatory (r201835)
Remove webkitPostMessage (r128658 + r138646)

Aug 29, 2020
============
[WebIDL] Remove custom bindings for HTMLDocument (r218437)
[Web IDL] Drop webkit-specific extended attributes that are no longer useful (r207519)
Move 'embeds' / 'plugins'/ 'scripts' attributes from HTMLDocument to Document (r204450)
CrashTracer beneath JSC::MarkedBlock::specializedSweep (r202590)
Drop obsolete HTMLDocument.width / height attributes (r195160)
REGRESSION (r174985-174986): Site display disappears (r175706 revisited)
bgColor, setBgColor, alinkColor, setAlinkColor, and etc... on HTMLBodyElement are useless (r160072)

Aug 28, 2020
============
Rename callerDOMWindow()/CallerDocument to incumbentDOMWindow()/IncumbentDocument (r215904)
[JSC] setLength in Array#push could get very large length (r266257)

Aug 27, 2020
============
Merge putLength() into setLength() (r266215)
Make isIndex use MAX_ARRAY_INDEX (r266213)
We can't cast toLength result to unsigned (r260990)
[WebIDL] Re-implement GetOwnPropertySlot[ByIndex] generation to more closely follow WebIDL (r218126 complete revisited)
Regression: HTMLOptionsCollection's named properties have precedence over indexed properties (r202478)

Aug 26, 2020
============
[WebIDL] Re-implement GetOwnPropertySlot[ByIndex] generation to more closely follow WebIDL (r218126 partial revisited)
[WebIDL] Autogenerate named getters (r210667 complete revisited)

Aug 25, 2020
============
DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser should not pretend that it's a constant as that breaks OSR exit liveness tracking (r180989 complete revisited)

Aug 20, 2020
============
Invalid flags in a RegExp literal should be an early SyntaxError (r242699)

Aug 20, 2020
============
  => Passed stress DFG (executionCounterIncrementForEntry=45, executionCounterIncrementForLoop=3) on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Aug 19, 2020
============
Implement self.queueMicrotask in Workers (r234588)
Add support for microtasks in workers (r234586)
[JSC] Do not use asArrayModes() with Structures because it discards TypedArray information (r239951)
fourthTier: Have fewer Arrayify's (r153264 complete revisited)

Aug 18, 2020
============
[JSC] Should not pass Exception to JSPromise::reject (r264052 complete revisited)
globalFuncImportModule() should return a promise when it clears exceptions. (r238391 complete revisited)
[JSC] Remove ModuleLoaderPrototype (r230900)
Update ModuleLoader code by using the latest builtin primitives (r209848)
builtins should be able to use async/await (r239774)
[WebAssembly][Modules] Prototype wasm import (r230697 + r230720 + r230724 + r230741 rolled out + r230759)
Fix incorrect handling of try-finally completion values. (r242591 + r242614)
CompactVariableMap::Handle's copy operator= leaks the previous data (r242613)
Cache CompactVariableMap::Handle instead of VariableEnvironment for UnlinkedFunctionExecutable (r241938 partial)
Cache the results of BytecodeGenerator::getVariablesUnderTDZ (r241571)

Aug 17, 2020
============
[ARM64] static_cast<int32_t>() in BinaryOpNode::emitBytecode() prevents op_unsigned emission (r223745)
Reland "Add Above/Below comparisons for UInt32 patterns" (r223318)
Support compiling catch in the DFG (r221196 partial)
Make Number.isInteger an intrinsic (r228968)

Aug 14, 2020
============
[ARMv7][JSC] Conservative GC is not considering `r7` as a root (r265692)
[ECMA-402] WebKit Intl does not allow calendar and numberingSystem options (r259941)
Intl.DateTimeFormat returns resolvedOptions in the wrong order (r251815)
Callers of JSString::getIndex should check for OOM exceptions (r239227)
Enable Intl.PluralRules and Intl.NumberFormatToParts by default (r247247)
Add self.queueMicrotask(f) on DOMWindow (r234491)
REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching (r224843)
[JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d (r224623)

Aug 13, 2020
============
[INTL] Intl constructor lengths should be configurable (r234202)
[INTL] Improve spec & test262 compliance for Intl APIs (r231740)
[INTL] Implement Intl.PluralRules (r231047)
[JSC] Clean up ArraySpeciesCreate (r247173 + r247175)
stress/const-semantics.js fails a dfg-eager / ftl-eager run with an ASAN release build. (r240449 partial revisited)
JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG) (r234260)
DFG::forAllKilledOperands() could use a faster bitvector scan in the same-inline-stack fast path (r205810)
FastBitVector should have efficient and easy-to-use vector-vector operations (r205794)
Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable (r232742)
Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable (r226655 + r230928 rolled out)
When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts (r228031)
DFG should always flush `this` (r227431 complete revisited)
When inserting Unreachable in byte code parser we need to flush all the right things (r226811)

Aug 12, 2020
============
InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format (r238511 complete revisited)
InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format (r232134 complete revisited)
InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time (r231660)
DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA (r231522)
Speed up AbstractInterpreter::executeEdges (r231607)
[DFG][FTL] regExpMatchFast should be handled (r226775)

Aug 11, 2020
============
[DFG] Support ArrayPush with multiple args (r222563 + r222565 + r222581 + r222658 rolled out + r222675)

Aug 11, 2020
============
DFG AI should have O(1) clobbering (r231471 complete revisited)
  => Passed stress DFG (executionCounterIncrementForEntry=75, executionCounterIncrementForLoop=5) on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Aug 10, 2020
============
[JSC] Speed up InPlaceAbstractState::endBasicBlock() (r204130)
DFG plays fast and loose with the shadow values of a Phi (r208364 + r208367 rolled out + r208373)
[JSC] Revert most of r203808 (r204393)
[JSC] Improve the memory locality of DFG Node's AbstractValues (r204112)
[JSC] Use the same data structures for DFG and Air Liveness Analysis (r203921)
[JSC] DFG::Node should not have its own allocator (r203808)
DFG::FixupPhase should use the lambda form of m_graph.doToChildren() rather than the old macro (r188886)
[JSC] Speculate children first in DFG NewArray (r265405 partial)
[DFG] More aggressive removal of duplicate 32bit DFG code (r230150 partial revisited)
AbortSignal does not always emit the abort signal (r250727)
[JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition (r232907)

Aug 07, 2020
============
RegExp sticky not matching alternates correctly, ignoring lastIndex requirement (r265373)
YARR: Coalesce constructed character classes (r225683 + r225771)

Aug 06, 2020
============
ASCIICType refinements (r191874)

Aug 05, 2020
============
[JSC] Add fast path for String#localeCompare (r251736)
DFG should be able to constant fold Object.create() with a constant prototype operand (r244313)
[JSC] Object.create should have intrinsic (r232442)
[JSC] Generator should not create JSLexicalEnvironment if it is not necessary (r243127)
[JSC] Clean up BytecodeLivenessAnalysis (r221551)

Aug 04, 2020
============
Merging an IC variant may lead to the IC status containing overlapping structure sets (r238411)
[YARR] Align allocation size in BumpPointerAllocator with sizeof(void*) (r234916)
Implement JSSourceCode to propagate SourceCode in module pipeline (r210537 + r210557 rolled out + r210573)

Jul 31, 2020
============
[INTL] Language tags are not canonicalized (r234127)
[INTL] Allow "unknown" formatToParts types (r234477)
[INTL] Implement hourCycle in DateTimeFormat (r234475)
Add support for Intl NumberFormat formatToParts (r231867)
Unhandled enumeration values in IntlDateTimeFormat.cpp (r215792)
[INTL] Implement Intl.DateTimeFormat.prototype.formatToParts (r215520 + r215526 rolled + r215616)
Intl.Collator uses POSIX locale (detected by js/intl-collator.html on iOS Simulator) (r197261)

Jul 30, 2020
============
Error should compute .stack and friends lazily (r221836 complete revisited)

Jul 30, 2020
============
Web Process crash when starting the web inspector after r174025. (r174856 + r181817 revisited)
Ensure that inline assembly Thunk functions don't conflict with the section designations of the compiler (r174503)
Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste (r173799)
[x86] moveDoubleToInts() does not clobber its source register anymore (r173580)
[MIPS] branch32WithPatch missing (r173461 revisited)
  => Passed stress DFG on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Jul 30, 2020
============
REGRESSION (r168868): eBay 'see all' links fail due to different JS bindings conversion behavior. (r171014)
Subpixel layout: Legacy Element.offset* client* return values are invalid in certain cases. (r169346)
Subpixel layout: Change Element.offset* client* scroll* return type to double. (r168868 + r169417)
[iOS WK2] Make window.scroll() and window.scrollBy() work (r167503)
Merge HTMLBodyElement::didNotifySubtreeInsertions into HTMLBodyElement::insertedInto (r156072)
offsetWidth/height incorrect for images when zoomed (r139537 + r139573 rolled out + r139659)
Change native call frames to use the scope from their Callee instead of their caller's scope (r174996 revisited X86_64)

Jul 29, 2020
============
JSArray::shiftCountWithArrayStorage is wrong when an array has holes (r237129 complete revisited)
Make JSString values from literals in a single consistent style (r253865)
[JSC] Reflect object should have toStringTag with "Reflect" (r265034)
[JSC] Add hasCustomGetterSetterProperties to canAccessPropertiesQuicklyForEnumeration (r265030)
Refactoring to simplify some code in DatePrototype.cpp. (r175080)
Change native call frames to use the scope from their Callee instead of their caller's scope (r174996 revisited ARMv7)

Jul 28, 2020
============
AST Nodes should keep track of their end offset (r175396 complete revisited)
[WTF] Add WTF::unalignedLoad and WTF::unalignedStore (r235018)

Jul 27, 2020
============
Replace CompactJITCodeMap with JITCodeMap. (r230549 + r230550)

Jul 27, 2020
============
  => Passed stress DFG on ARMv7 GCC6.2.0 with hard float.
  	foreGCOnEveryAllocation 1024KB
	JITCode 16384KB
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Jul 24, 2020
============
Update scope related slow path code to use scope register added to opcodes (r175762 revisited)
ClosureCallStubRoutine no longer needs codeOrigin (r178693 revisited)
Basic block start offsets should never be larger than end offsets in the control flow profiler (r178692 revisited)
PropertyTable keys should be AtomicStringImpl. (r176583 revisited)
Fix an alignment issue with operationPushCatchScope on ARMv7 (r175766)
BytecodeGenerator shouldn't expose all of its member variables (r178882)
Change Heap::m_compiledCode to use a Vector (r178884 revisited)
Remove a few duplicate propagation steps from the DFG's PredictionPropagation phase (r179817 revisited)
Remove useless declarations and a stale comment from DFGByteCodeParser.h (r179816)
Remove DFGNode::hasArithNodeFlags() (r179814)
ExitSiteData saying m_takesSlowPath shouldn't mean early returning takesSlowPath() since for the non-LLInt case we later set m_couldTakeSlowPath,
  which is more precise (r179241)
op_call_varargs should only load the length once (r179887)
[JSC] Arrow function |this| resolution should not be trapped by with-scope (r264809)

Jul 23, 2020
============
Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier (r179873 complete revisited)
Fix a typo in Parser error message (r181831 revisited)
Update Map/Set to treat -0 and 0 as the same value (r181556 revisited)
The bool returning form of BytecodeGenerator::addVar() can be removed (r180711 revisited)
Remove unused activationCount and allTheThingsCount variable declarations. (r180527)
Remove BytecodeGenerator's numberMap, it is dead code (r180332)
Crash in JSC::Interpreter::execute (r183067)
HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols (r183022 revisited)
[ES6] Fix name enumeration of static functions for Symbol constructor (r182967 revisited)
[ES6] Implement Array.prototype.values (r182668 revisited)
ES6: Iterator toString names should be consistent (r182647 revisited)
Avoid using hardcoded values for JSValue::Int32Tag, if possible. (r182151 revisited)
parse doesn't initialize the 16-bit version of the JSC parser with defaultConstructorKind (r182102)
Function.prototype.toString should not decompile the AST (r182043 revisited)
Make ExecState::vm() branchless in release builds. (r183753)
FTL should fully support Switch (it currently lacks the SwitchString variant) (r183525)
Map#forEach does not pass "map" argument to callback. (r183374 revisited)
Set#forEach does not pass "key" or "set" arguments to callback. (r183371 revisited)
Inline @Array / @Object callsites (r184868)
String.prototype.charCodeAt() should use StringView. (r184866 revisited)
CPS rethreading should really get rid of GetLocals (r184755 complete revisited)
Give JSString a StringView getter and start using it. (r184575 revisited)
Better optimize 'if' with ternaries conditional tests. (r184542)
Add a Int-or-Boolean speculation to Branch (r184510)
MapDataImpl::add() shouldn't do the same hash lookup twice. (r184009 + r184153 rolled out)
FTL SwitchString slow case creates duplicate switch cases (r183825 revisited)
Remove ArrayNode::m_optional (r264750)
Remove emitIsUndefined() from ClassExprNode::emitBytecode() (r264748)

Jul 22, 2020
============
Remove JS Promise constructor unused piece of code (r187349)
DFG::DesiredWatchpoints should accept WatchpointSetType's that aren't necessarily pointers (r186706 revisited)
Gardening: fix build for EWS bots. (r185773)
Inlining in the DFG trashes ByteCodeParser::m_currentInstruction for the calling function (r185627)
jsSubstring() should support creating substrings from substrings. (r185486 revisited)
DFG ASSERTION FAILED: !iterate() on stress/singleton-scope-then-overwrite.js.ftl-eager (r185427)
[JSC] JSString::getIndex() should avoid reifying substrings. (r185368)
[JSC] String.prototype.indexOf() should use StringView. (r185367 revisited)
SideState should be a distinct abstract heap from Heap and Stack (r185215)
Any exit from any JIT due to profiling for an inline cache should force all future compilations to be wary (r185103)
[iOS8][ARMv7(s)] Optimized Object.create in 'use strict' context sometimes breaks. (r184960 complete revisited)	
[JSC] Shrink sizeof(RegExp) (r243408)
RegExpCache::finalize should not delete code (r188397)
Remove UnspecifiedBoolType from JSC (r188040 revisited)
Clean up the naming for AST expression generation. (r187760 revisited)
stress/math-pow-with-constants.js fails in cloop (r187497 revisited)

Jul 21, 2020
============
[ES6] Implement Reflect.get (r188532 revisited)
[JSC] Reduce the memory usage of BytecodeLivenessAnalysis (r188849 complete revisited)
[JSC] Static hash tables should be 100% compile-time constant. (r188824)
Static property hashtable should only lookup with non-symbol key (r183715)
Provide a way to distinguish a nested lexical block from a function's lexical block (r194251 complete revisited)
ValueRecovery should distinguish between doubles in an FPR and JSValues in an FPR (r189192 complete revisited)
[JSC] Get rid of DFG's MergeMode (r189138)
JavaScriptCore fails to build using GCC 5 (r189133)
Callee can be incorrectly overridden when it's captured (r188926 complete revisited)
[ES6] JSON.stringify should ignore object properties that have symbol values and convert the symbol values in array to null (r189162)
CodeBlocks should strongly visit their OSR exit targets (r189554 revisited)
GC should be able to discover new strong CodeBlock references during marking (r189516 + r189524 rolled out + r189553 rolled in revisited)
GC stack scan should include ABI red zone. (r189517)
CodeBlock should have a more explicit "strongly referenced" state (r189257 revisited)
Interpreter::unwind() shouldn't be responsible for filtering out uncatchable exceptions (r189920)
Remove unused StructureRareData::m_cachedGenericPropertyNameEnumerator. (r191200)
Simplify WeakBlock visit and reap phases (r191015)
REGRESSION: ASSERT (impl->isAtomic()) @ facebook.com (r190991)

Jul 20, 2020
============
JIT snippet generator JumpLists should be returned as references. (r192632 revisited)
Layout Test js/intl-collator.html is crashing on win 7 debug (r192092 revisited)
[JSC] Default parameter part should be retrieved by op_get_argument opcode instead of changing arity (r214029 revisited)
[ES6] Add support for rest parameters (r192671 complete revisited)
We should not employ the snippet code in the DFG if no OSR exit was previously encountered. (r194040 revisited)
[CSP] eval() is not blocked for stringified literals (r193939)
Redefining a property should not change its insertion index (Object.keys order) (r264574)
emitIsUndefined() should not special-case [[IsHTMLDDA]] objects (r264504)
Fixed regression due to r264507: Math.{min|max} inequality test should use DoubleNotEqualOrUnordered instead DoubleNotEqualAndOrdered. (r264575)
Math.max() can yield the wrong result for max(0, -0). (r264507)
Add "AndOrdered" to the names of ordered DoubleConditions. (r258063)

Jul 17, 2020
============
Exits from exceptions shouldn't jettison code (r195831)
runtimeTypeForValue should protect against seeing TDZ value (r196300 revisited)
Visiting a WeakBlock should report bytes visited, since we reported them allocated. (r196251)
MIPS: support Signed cond in branchTest32() (r199261)
[JSC] Remove hint from SlowCaseEntry (r198264)
[JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG (r197994 + r198024 rolled out)
[ES6] RegExp sticky flag should be ignored in String.match when global flag is given (r197963 revisited)
[JSC] Simplify the overflow check of ArithAbs (r197688 revisited)
[JSC] Remove a superfluous Move in front of every double unboxing (r197654)
RegExpExec/RegExpTest should not unconditionally speculate cell (r197492 complete revisited)	
SIGSEGV in Proxy [[Get]] and [[Set]] recursion (r197457 revisited)
Simplify some StringBuilder appends (r197438)
Reduce direct callers of Structure::findStructuresAndMapForMaterialization (r197210 revisited)
arrayProtoFuncConcat doesn't check for an exception after allocating an array (r197011 revisited)
Remove unused SymbolTable::createNameScopeTable (r196808)
Parser::parseVariableDeclarationList should null check the node before attempting to create a new CommaExpr (r196587)
Implement IntegerHasher (r188557 revisited)
Minimize collisions when hashing pairs (r128657)

Jul 16, 2020
============
JSC test stress/arrowfunction-lexical-bind-superproperty.js failing (r199129 revisited)
[JSC] CFA's valuesAtHead should be a list, not a map (r198935 revisited)
Revert rewrite const as var workaround (r198932 revisited)
We don't properly optimize TDZ checks when we declare a let variable without an initializer (r198803 revisited)
[ES6] Allow undefined/null for Symbol.search and Symbol.match (r198581 revisited)
Rationalize the makeSpaceForCCall stuff (r199166)
We should support delete in the DFG (r199683 complete revisited)
[ES6] Use @isObject to check Object Type instead of using instanceof (r199647)
isJSArray should use ArrayType rather than the ClassInfo (r199513 revisited)
Unreviewed undo change from ArrayClass to ArrayWithUndecided, which was not intedend to land with r199397. (r199402 revisited)
Remove NewArrowFunction from DFG IR (r199300 revisited)
Rename ArrayMode::supportsLength to supportsSelfLength (r199203)
Handle out of memory error while creating an error message in the literal parser. (r264379)
%TypedArray%.prototype.{indexOf,lastIndexOf} are not spec-perfect (r263944)
[JSC] Fix build break since r199866. (r199868 + r199870)
JSC virtual call thunk shouldn't do a structure->classInfo lookup (r199861 complete revisited)
[JSC] Small cleanup of RegisterAtOffsetList (r199758)
[JSC] el(Greek) characters' upper-case conversion is locale-sensitive (r262992)
[JSC] JSValue::toThis should not throw exception (r262388)
Do more speculation that a GetByVal/PutByVal will have an int32 index based on data from ArrayProfile (r261842)
[JSC] getFunctionRealm should not use recursion (r261773)
Move @isConstructor checks from fast paths of Array.from and Array.of (r260610)
Proxy.revocable should not have [[Construct]] slot (r260654)
Remove revoked Proxy checks from ProxyCreate (r260621)
Putting "memory" back to ensureStillAliveHere (r259558)
ensureStillAliveHere can take the value in any location (r259554)
[JSC] canonicalizeLocaleList should gracefully throw OOM error if input + error message is too large (r259481)
[JSC] TypedArray#subarray should throw OOM error gracefully (r259478)
TypedArrays should more gracefully handle OOM during slowDownAndWasteMemory (r259069)

Jul 15, 2020
============
Intl.NumberFormat.prototype.format must preserve sign of -0 (r259370)
[JSC] DFGArrayMode::alreadyChecked should have NonArray check when ArrayMode is NonArray+SlowPutArrayStorage (r259264)
RegExp.prototype.exec must always access lastIndex (r259246 partial)
Event listeners registered with 'once' option may get garbage collected too soon (r259009)
Octal escapes should be max 3 digits and syntax errors in Unicode patterns (r259546)
Catch parameters must not be lexically redeclared (r258861)
Quantifiers after lookahead assertions should be syntax errors in Unicode patterns only (r255689)
\0 identity escapes should be syntax errors in Unicode patterns only (r255584)
Non-alphabetical \c escapes should be syntax errors in Unicode patterns only (r255544)
Unmatched ] or } brackets should be syntax errors in Unicode patterns only (r255505)

Jul 15, 2020
============
Placate exception check validator in GenericArguments<Type>::put(). (r256202)
Remove own toString from NativeError prototype (r254842)
Reduce the code generated by DFGSlowPathGenerator.h (r254712)
JSArrayBufferView.h: Multiplication result converted to larger type (r254218)
JavaScript: Invalid date parse for ISO 8601 strings when no timezone given (r254038)
Fix bad exception assertion in ExceptionHelpers.cpp's createError(). (r253515)
methodOfGettingAValueProfileFor should return argument value profiles even when node and operandNode are the same origin (r253350)
Fix a broken assertion in GetByStatus::computeForStubInfoWithoutExitSiteFeedback(). (r253136)
[JSC][MIPS] CallFrame is being clobbered on InternalFunction execution (r252975 revisited)
JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut() should fire its watchpoint as the last step. (r252160)
[JSC] StrictModeTypeErrorFunction is no longer used (r240246)
  => Passed stress DFG on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Jul 14, 2020
============
ArraySlice needs to keep the source array alive. (r246740 partial)
[JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number (r250536)
Syntax checker should report duplicate __proto__ properties (r250098)
constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM. (r249164)
[ESNext] Support hashbang. (r248826)
DateConversion::formatDateTime incorrectly formats negative years (r248738)
[[Set]] isn't correct with respect to the spec and Proxy (r252019)
Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive (r248494)
Three checks are missing in Proxy internal methods (r247811)
[JSC] Make DFG Local CSE and AI conservative for huge basic block (r247703)
[JSC] Make CSE's ImpureData faster when dealing with large blocks (r198376 + r198490 + r204352)

Jul 13, 2020
============
[JSC] ClassExpr should not store result in the middle of evaluation (r246708)
Remove extra check in RegExp @matchSlow (r246692)
We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp (r244136)
Add more overflow check book-keeping for MarkedArgumentBuffer. (r224784)
Unreviewed, rolling out r243665. (r243955)
[JSC] Add exception checks before and after viewWithUnderlyingString (r263905 partial)
[JSC] Add exception checks in JSStringBuilder and Array#join (r263889)
Placate exception check validation in DFG's operationHasGenericProperty(). (r249225)
Add missing exception check in canonicalizeLocaleList (r249020)
[JSC] Add missing exception checks revealed by newly added exception checks, follow-up after r243081 (r243128)
[JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC (r242991 + r242999 complete revisited)
Intl.DateTimeFormat should obey 2-digit hour (r243512)
Add missing exception checks and book-keeping for exception check validation. (r222617 complete revisited)
The GC should be optionally concurrent and disabled by default (r208720 partial revisited)

Jul 12, 2020
============
Fix all ExceptionScope verification failures in JavaScriptCore. (r221849 complete revisited)
Fix missing exception checks in Interpreter.cpp. (r214005 complete revisited)
Add missing exception checks detected by running marathon.js. (r212779 complete revisited)
RegExpObject::exec/match should handle errors gracefully. (r208698 complete revisited)
Added RETURN_IF_EXCEPTION() macro and use it for exception checks. (r206386)

Jul 10, 2020
============
Fixup uses KnownInt32 incorrectly in some nodes (r242954 complete revisited)
blocksInPreOrder and blocksInPostOrder should reserve the right capacity for their result vector (r242802 revisited)
Stack overflow crash in JSC::JSObject::hasInstance. (r242667)
Unreviewed, follow-up after r242568 (r242655)
op_check_tdz does not def its argument (r242649)
JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes. (r240040)
[JSC] Optimize Object.prototype.toString (r239612 + r240327 rolled out)
Error message for `-x ** y` contains a typo. (r239370)
PropertyAttribute needs a CustomValue bit. (r239062 complete revisited)

Jul 09, 2020
============
ErrorInstance::finishCreation() puts "message" twice, with different attributes (r264160)
globalFuncImportModule() should return a promise when it clears exceptions. (r238391 partial)
All users of ArrayBuffer should agree on the same max size (r238326)
KnownCellUse should also have SpecCellCheck as its type filter (r238297)
AI does not clear Phantom allocation nodes. (r237244)
YARR: Update UCS canonicalization tables for Unicode 11 (r235333)
YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag (r235238)
Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero (r234777)
[JSC] A bit performance improvement for Object.assign by cleaning up code (r234058)

Jul 08, 2020
============
CodeBlock::baselineVersion() should account for executables with purged codeBlocks. (r233893)
[JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets (r233862)
Change the reoptimization backoff base to 1.3 from 2 (r233714 + r233762 rolled out)
InstanceOf IC should do generic if the prototype is not an object. (r233427 revisited)
JSArray has some object scanning races (r201553)
Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled (r232718)
generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype (r232562)
[JSC] Should not pass Exception to JSPromise::reject (r264052 partial)

Jul 07, 2020
============
[JSC] Move species watchpoint installation from ArrayPrototype to JSGlobalObject (r242902)
Initialize the ArraySpecies watchpoint as Clear and transition to IsWatched once slice is called for the first time (r210745)
Add a slice intrinsic to the DFG/FTL (r210476 + r210518 rolled out + r210695 partial)
Throwing an exception in the DFG/FTL should not cause a jettison (r221472)
[JSC] Remove dead non-ICU locale Date code since we are always using ICU version (r263250)
[JSC] Remove finalizer in AsyncFromSyncIteratorPrototype (r240823)
TypedArray constructor with string shouldn't throw (r218082 complete revisited)

Jul 06, 2020
============
[DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase (r232002)
Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance (r231882)
defaultConstructorSourceCode needs to makeSource every time it's called (r231930 revisited)
[INTL] Handle error in defineProperty for supported locales length (r231772)
[JSC] Make return types of construction functions tight (r231688)
DFG AI doesn't need to merge valuesAtTail - it can just assign them (r231467 revisited)
Remove the prototype caching for get_by_id in the LLInt (r231316 + r231332 + r231719 rolled out)
[MIPS] Implement and16 and store16 for MacroAssemblerMIPS (r231240)
[ARM] Implement and16 and store16 for MacroAssemblerARMv7 (r231237)
IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u' (r231196)
ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit (r231193)

Jul 06, 2020
============
PutStackSinkingPhase should know that KillStack means ConflictingFlush (r230725)
We should not trash the stack pointer on OSR entry. (r230175 revisited)
Raise the for-call inlining threshold to 190 to fix JetStream/richards regression (r230145)
DFG should know that CreateThis can be effectful (r229987 complete revisited)
[JSC] Drop op_put_by_index (r229852)
[DFG][FTL] Add vectorLengthHint for NewArray (r229743)
Unreviewed, fix obsolete ASSERT (r229570)
[DFG] AI should convert CreateThis to NewObject if the prototype object is proved (r229520 revisited)
Don't waste memory for error.stack (r228366 + r228538 rolled out)
  => Passed stress DFG on ARMv7 GCC6.2.0 with hard float.
    [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/Speedometer/arewefastyet/Kraken/Dromaeo/JetStream2 (runWasm = false in JetStreamDriver.js)]

Jul 05, 2020
============
[JSC] Implement trimStart and trimEnd (r227779)
We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects. (r227692)
Rename some local vars from type to typedArrayType for greater clarity. (r227636)
DFG should always flush `this` (r227431 partial)
Each variant of a polymorphic inlined call should be exitOK at the top of the block (r226881)
Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction) (r226426)
[JSC] IntlCollator and IntlNumberFormat has static fields with same name (r226283)

Jul 03, 2020
============
CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient (r225315)
[JSC] Remove JSStringBuilder (r225150)
[JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field (r225130)
Allow for more efficient use of GenericTypedArrayView (r225084 + r225106)
REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216) (r224915)
AccessCase::generateImpl() should exclude the result register when restoring registers after a call. (r224539 revisited)

Jul 03, 2020
============
[JSC] ScriptFetcher should be notified directly from module pipeline (r223744 + r223750 + r223751 + r223777 rolled out)
Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation (r223724)
Update JavaScriptCore/ucd/CaseFolding.txt to Unicode database 10.0 (r223197)
  => Passed [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/JetStream2 (runWasm = false in JetStreamDriver.js)/Speedometer/arewefastyet/Kraken/Dromaeo] on ARMv7 GCC6.2.0 with hard float.

Jul 03, 2020
============
Enable RegExp JIT for match only Unicode RegExp's (r223010)
Only add prototypes to the PrototypeMap if they're not already present (r222929 + r222939 rolled out)
ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64 (r222724)
We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags (r222071)
[DFG] NewArrayWithSize(size)'s size does not care negative zero (r221807)
Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit (r221317 + r221341 rolled out)

Jul 02, 2020
============
[JSC] Create JSSet constructor that accepts it's size as parameter (r220500)
Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js. (r220432)
ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently. (r220012)
Butterfly storage need not be initialized for indexing type Undecided. (r219636 + r227435 rolled out)
Remove Reflect.enumerate (r218784)
eval virtual call is incorrect in the baseline JIT (r218673 revisited)
[JSC] Add fast path for Object.assign (r218415)
[JSC] Update RegExp.prototype.[@@search]] implementation according to the latest spec (r218051)
[JSC] Provide better type information of toLength and tighten bytecode (r217530)
Prevent async methods named 'function' (r217478 + r217578 + r217629 rolled out)
Add missing exception check. (r217157 complete revisited)
WorkerThread::stop() should call scheduleExecutionTermination() last. (r216635 + r216638 rolled out + r216677 + r216707 rolled out)
JSInjectedScriptHost should get a copy of the boundArgs (r216561)
Move trivial String prototype functions to JS builtins (r216301)
[INTL] Support dashed values in unicode locale extensions (r216122)
Deep nesting is leading to ReferenceError for hoisted function (r215977)
[INTL] Implement the caseFirst option for Intl.Collator (r215921)
test262: test262/test/language/statements/for-of/dstr-array-elem-init-fn-name-arrow.js (r215687)
test262: test262/test/built-ins/Number/prototype/toPrecision/nan.js (r215679)
test262: test262/test/built-ins/Number/parseFloat.js (r215673)
X86-64 Assembler doesn't handle xchg with byte register src (r215618)
[INTL] Implement Intl.DateTimeFormat.prototype.formatToParts (r215520 + r215526 rolled out)
[DFG] Use Phantom for base instead of getter when inlining intrinsic getter (r215466)
test262: test262/test/language/expressions/tagged-template/template-object.js (r215401 revisited)
[JSC] use ExpressionErrorClassifier for AwaitExpression operand (r215370)
test262: test262/test/built-ins/NativeErrors/EvalError/proto.js (r215312)
[JSC] Use jsNontrivialString agressively for ToString(Int52) (r214345)
[JSC][DFG] Make addShouldSpeculateAnyInt more conservative to avoid regression caused by Double <-> Int52 conversions (r214323)
[JSC] Add JSPromiseDeferred::reject(ExecState*, Exception*) interface (r214218)
[JSC] Remove unnecessary condition from needsDerivedConstructorInArrowFunctionLexicalEnvironment in BytecodeGenerator.cpp (r214138)
The new array with spread operation needs to check for length overflows. (r214071 revisited)
Switch back to ISO 4217 for Intl CurrencyDigits data (r214020)
BytecodeGenerator should use the same function to determine if it needs to store the DerivedConstructor in an ArrowFunction lexical environment. (r213966)
[X86_64] Smaller code for xchg_rr when one register is accumulator. (r165365)

Jul 01, 2020
============
JSON.stringify() should throw OOM on StringBuilder overflows. (r239355)
Currency digits calculation in Intl.NumberFormat should call out to ICU (r213447)
Weak should not use jsCast in its accessors (r212442)
Expose Symbol.toPrimitive / valueOf on Location instances (r212378)
[JSC] Implement (Shared)ArrayBuffer.prototype.byteLength (r212196)
Static Analyzer: Value stored to 'prev' is never read (r211675)

Jun 30, 2020
============
We need to clear cached structures when having a bad time (r229161 complete revisited)
Add support for global (r210052 + r210570 rolled out)
Rename finallyActionRegister to completionTypeRegister and only store int JSValues in it. (r209974 + r210007 rolled out)
De-duplicate finally blocks. (r209952 + r210010 rolled out)
TypeInfo::OutOfLineTypeFlags should be 16 bits in size. (r209162)
[JSC] Do not need to use defineProperty to define methods for object literals (r206082)
DFGByteCodeParser should be able to infer a property is unset from the Baseline inline cache. (r202093)
Fix exception scope verification failures in runtime/Weak* files. (r209023)
Fix exception scope verification failures in runtime/String* files. (r209022)
Fix exception scope verification failures in miscellaneous files. (r209018)
Fix exception scope verification failures in runtime/Error* files. (r208952)
Fix exception scope verification failures in ConstructData.cpp. (r208937)
Fix missing exception checks in DFGOperations.cpp. (r208913 complete revisited)
REGRESSION (r208711-r208722): ASSERTION FAILED: hasInlineStorage() (r208734)
[JSC] Avoid cloned arguments allocation in ArrayPrototype methods (r208524 complete revisited)
String.prototype.replace() should throw an OutOfMemoryError when using too much memory. (r207861)
Remove redundant argument count check (r207852)
Reduce special handling for typed arrays in JSDOMConvert.h (r207791)
[JSC] throw TypeError when constructing dynamically created JSGeneratorFunction (r207618)
JSON.parse should not modify frozen objects. (r207341 complete revisited)	
Improve JSC use of Strings after the UString->String change (r127505 partial)
implement dynamic scope accesses in the DFG/FTL (r199699 complete revisited)
  => function-name-scope when stressing DFG JIT
Initialize functions too early in an eval (r215986)

Jun 29, 2020
============
Follow up fix to GetMapBucket and MapHash speculating on child node types. (r206767)
GetMapBucket node should speculate on the type of its 'key' child (r206763)
MapHash should speculate on the type of its child node (r206746)
[ES6] Align attributes of Generator related properties to spec (r206711)
test262: Various Constructors length properties should be configurable (r206018)

Jun 29, 2020
============
[INTL] some valid language tags cause errors in Intl constructors (r205568)
Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h (r205522)
[JSC] Some arith nodes are too pessimistic with the types supported on the fast path (r205216)
  => Passed [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/JetStream2 (runWasm = false in JetStreamDriver.js)/Speedometer/arewefastyet/Kraken/Dromaeo] on ARMv7 GCC6.2.0 with hard float.

Jun 29, 2020
============
js/regress/put-by-id-transition-with-indexing-header.html and svg/carto.net/window.svg fail in debug after r204854 (r204901 + r204902 rolled out)
2016] Allow assignment in for-in head in not-strict mode (r204895)
[ES6] Module namespace object's Symbol.iterator method should only accept module namespace objects (r204848 revisited)
[DFG] Should not fixup AnyIntUse in 32_64 (r204697 + r204698 rolled out + r204699 revisited)
Assertion failure when accessing TDZ variable in catch through eval (r204182)
Implement nested rest destructuring w.r.t the ES7 spec (r204078)
TypedArray super constructor has some incompatabilities (r203937)
Refactor DFG::Node::hasLocal() to accessesStack() (r203923)
ARM64: Fused left shift with a right shift can create NaNs from integers (r203851)
[JSC] Fix a bunch of use-after-free of DFG::Node (r203802 revisited)
BytecodeBasicBlock::addSuccessor should check if the  successor already exists (r263619)
The second argument for Function.prototype.apply should be array-like or null/undefined. (r203790)
CrashOnOverflow in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (r203452 complete revisited)
[JSC] Change some parameters based on a random search (r203318 + r203329 rolled out)
ASSERTION FAILED: : this != replacement() (r203239)
StackVisitor::unwindToMachineCodeBlockFrame() may unwind past a VM entry frame when catching an exception and the frame has inlined tail calls (r202847)
[JSC] String.prototype[Symbol.iterator] needs a name (r202956)

Jun 28, 2020
============
[ES6]. Implement Annex B.3.3 function hoisting rules for eval (r215476 + r215779 rolled out + r215984)
RELEASE_ASSERT(!thisObject) in ObjCCallbackFunctionImpl::call when calling JSExport ObjC Constructor without operator new (r202846)
[ES6] Disallow var assignments in for-in loops (r198928 + r198985 + r202865 rolled out)
Function.prototype.caller shouldn't return generator bodies (r230662)
[JSC] __lookupGetter__ and __lookupSetter__ should not ignore exceptions (r202796)
BytecodeGenerator::getVariablesUnderTDZ is too conservative (r202795)
We don't emit TDZ checks for call_eval (r202654)
Assertion failure or crash when accessing let-variable in TDZ with eval with a function in it that returns let variable (r202602)
Fix bad assert in StructureRareData::setObjectToStringValue (r202528)
[JSC] Move calling convention flags to WTF (r202092)
Rare failure in stress/v8-deltablue-strict.js.ftl-eager (r201900 complete revisited)
[JSC] Change some parameters based on a random search (r201836 + r201845 + r201848 + r201866 rolled out)
We should be able to lookup symbols by identifier in builtins (r201825 complete revisited)
Need an exception check after constructEmptyArray(). (r201787 partial revisited)
Try to use StringView when comparing JSStrings for equality. (r184860 + r184983 rolled out)

Jun 26, 2020
============
[JSC] Drop "replace" from JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET (r201544 revisited)
REGRESSION: JSBench spends a lot of time transitioning to/from dictionary (r201436 + r201445 rolled out + r201573 complete revisited)	
[ARM] Fix the Wcast-align warning in LinkBuffer.cpp (r201380)
LLInt should be able to cache prototype loads for values in GetById (r201363 + r201456 + r201532 rolled out + 201617 revisited)
We can cache lookups to JSScope::abstractResolve inside CodeBlock::finishCreation (r201359 + r201531 rolled out)
String template don't handle let initialization properly inside eval (r201293)
JSC: DFG::SpeculativeJIT::compile special case for MIPS for PutByValWithThis (r201170 revisited)
JSC should detect the right default locale even when it's not embedded in WebCore (r201066)
REGRESSION(r200208): It made 2 JSC stress tests fail on x86 (r200996)
Modernize Intl constructors; using InternalFunction::createSubclassStructure (r200928)
DFG/FTL have a few bugs in their reasoning about the scope (r200906 revisited)
Crash beneath ObjCCallbackFunctionImpl::call (r200610)
Improve the grammar of some error messages 'a argument list' => 'an argument list' (r200429)
Speed up JSGlobalObject initialization by making some properties lazy (r200383 + r200406 + r200416 rolled out)
[JSC][ARMv7S] Arithmetic module results change when tiering up to DFG (r200277)
[INTL] Intl Constructors not web compatible with Object.create usage (r197925)
Make RegExp.prototype.test spec compliant. (r200272 complete revisited)
DFG backends shouldn't emit type checks at KnownBlah edges (r200096 complete revisited)
[JSC] Constant folding of UInt32ToNumber is incorrect (r200071)
by a different copy of the CRT library is a potential cause for heap corruption. (r200068)
Allow builtin JS functions to be intrinsics (r198798)
NodeFilter.SHOW_ALL has wrong value on 32-bit (r189184)

Jun 25, 2020
============
The ||= operator (and similar ones) should produce valid bytecode even if the right side is a static error (r262995)
WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed (r213648)
The GC should be optionally concurrent and disabled by default (r208720 partial revisited)

Jun 24, 2020
============
Document.createNodeIterator(null) / Document.createTreeWalker(null) should throw a TypeError (r189765)
[WebIDL] Remove special casing for RegExp which is no longer required by the spec (r219061)
Passing a number as the pixel parameter to texImage2D() doesn't thrown an exception (r207634)
[WebIDL] Enable strict type checking for nullable attribute setters of wrapper types (r203949)
[WebIDL] Enable strict type checking for operations' nullable parameters of wrapper types (r203941)
Parameter to table.deleteRow() / body.deleteRow() should be mandatory (r203840)
Fix null handling for several HTMLTableElement attributes (r203529)
Optimize [StrictTypeChecking] on IDL operations (r200583)
AudioBufferSourceNode.buffer should be nullable (r199751)

Jun 23, 2020
============
Non-standard Error properties should not be enumerable (r250436)
Error instances should not strongly hold onto StackFrames (r232314 complete revisited)
Simplify Interpreter::StackFrame. (r201830)
Exception is a JSCell, not a JSObject. (r242596)
We need to disableCaching() in ErrorInstance when we materialize properties (r225768)
ErrorInstance and Exception need destroy methods (r222186)
Error should compute .stack and friends lazily (r221836 partial revisited)
Add support for Error.stackTraceLimit. (r214289)
Make custom Error properties (line, column, sourceURL) configurable and writable (r204663)

Jun 22, 2020
============
Error should compute .stack and friends lazily (r221836 partial)
[JSC] Use reifying system for "name" property of builtin JSFunction (r221327 + r221404 rolled out + r221417 complete revisited)
Promise built-in functions should be anonymous non-constructors (r263222 partial)
[JSC] Anonymous built-in functions should have empty string for a name (r252520 partial + r252547)
[JSC] Promise resolve/reject functions should be created more efficiently (r249650 partial)
DFG code should not reify the names of builtin functions with private names (r246553 partial)
[JSC] Fix "name" and "length" of Proxy revoke function (r221475)
[JSC] Use reifying system for "name" property of builtin JSFunction (r221327 + r221404 rolled out + r221417 partial)

Jun 20, 2020
============
GetMethod isn't performed properly on iterators (r262567)
IteratorClose should suppress GetMethod errors (r262165)
AsyncFromSyncIterator methods should not pass absent values (r260915)
Typed array constructor behaves differently when length is not passed or when undefined is passed (r263315)
test262: DataView with explicit undefined byteLength should be the same as it not being present (r208640 revisited)
test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex) (r208564 revisited)

Jun 19, 2020
============
HTMLFormElement should use WeakPtr to keep track of its FormNamedItem (r259513)
HTMLFormElement should use WeakPtr to keep track of its associated elements (r259393)
fieldset.elements should return an HTMLCollection instead of an HTMLFormControlsCollection (r236778)
Side effects while restting form elements (r209990)
Audit RenderObject casts and fix problems and style issues found (r201588 partial)
cssFloat missing in CSSPropertyDeclaration.prototype (r222559)
REGRESSION (204441): newsplex.com map does not load (r208674)
getElementsByTagName() should take a qualifiedName in parameter (r204441)
Named / Indexed properties should be configurable (r204045 revisited)
HTMLCollection's named getter should only do 'name' attribute matching for HTMLElements (r204034)
[WebIDL/DOM] Remove need for custom bindings for HTMLAllCollection and bring up to spec (r216851 partial revisited)
TypedArray.prototype.set is incorrect with primitives (r263216)

Jun 18, 2020
============
[WebIDL/DOM] Remove need for custom bindings for HTMLAllCollection and bring up to spec (r216851 partial revisited)
Drop custom bindings code for HTMLFormControlsCollection's named property getter (r216669 complete revisited)
DOMException should not have its own toString() (r219663)
DOMException should be constructible (r204219)
DOMException should be exposed to workers (r201918)
[WebIDL] Re-implement GetOwnPropertySlot[ByIndex] generation to more closely follow WebIDL (r218126 partial)
[WebIDL] Replace some custom bindings code in JSCSSStyleDeclarationCustom.cpp with named getters/setters (r219622 partial)

Jun 17, 2020
============
MessageEvent's source property should be a (DOMWindow or MessagePort)? rather than a EventTarget? (r207381 partial)
Construct URLSearchParams from array or object (r210946)
[Binding] Use unchekcedArgument if argumentCount is already checked (r206338)
Implement URLSearchParams's sort() (r210915)
HTMLAreaElement should have a stringifier (r204871)

Jun 16, 2020
============
[JSC] GetterSetter should be JSCell, not JSObject (r250878 + r250932 rolled out + r251088)
[JSC] Give up IC when unknown structure transition happens (r255365 revisited)
Deferred firing of structure transition watchpoints is racy (r231518)
Expand JSObject::defineOwnIndexedProperty() fast path for existing properties (r263070)
Make crossOriginObject.then undefined for promises (r236661)
Add initial support for 'Cross-Origin-Options' HTTP response header (r231622 + r236623 rolled out)
Speculatively change iteration protocall to use the same next function (r222421)

Jun 15, 2020
============
Assertion failure (!needsLayout()) loading inkedmag.com (r183732)
Small cleanup in BitmapImage (r183716)
Window's [[OwnPropertyKeys]] is wrong for cross origin windows (r219355 + r219363)
Align [[OwnPropertyKeys]] with the HTML specification for cross-origin Window / Location objects (r211756)
Fix enumeration of properties cross origin (r206233)
Align cross-Origin Object.getOwnPropertyNames() with the HTML specification (r205409)
We should call visitChildren on Base not the exact typename (r233085 partial)
Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType (r231198)

Jun 14, 2020
============
First parameter to SVGDocument.createEvent() should be mandatory (r203821)
Fix null handling of SVGAngle/SVGLength.valueAsString attribute (r203531)

Jun 13, 2020
============
[WebIDL] Move plugin object customization into the generator (r219302 partial revisited)
Can't use Object.defineProperty() to add an item to a DOMStringMap or Storage (r217773)
Drop custom bindings code for HTMLSelectElement.remove() (r204064)

Jun 12, 2020
============
Simplify overloads for HTMLSelectElement.add() / HTMLOptionsCollection.add() (r204133)
[WebIDL/DOM] Remove need for custom bindings for HTMLAllCollection and bring up to spec (r216851 partial)
Drop custom bindings code for HTMLFormControlsCollection's named property getter (r216669 partial)
[WebIDL] Remove custom bindings for HTMLInputElement, HTMLFrameElement, HTMLMediaElement and HTMLOptionsCollection (r210780)
select.options may return too many option elements (r207181)
Drop custom bindings code for HTMLOptionsCollection.remove() (r204063)
Fix the HTMLSelectElement.prototype.remove() method (r156869)
[WebIDL] Generate named property deleters (r217585)
WorkerGlobalScope's indexedDB property should be on the prototype, not the instance (r208613)
DOMStringMap reports properties as non-enumerable (r208083)
Storage interface's attributes / operations should be enumerable (r195760)
Remove double hashing from DatasetDOMStringMap::deleteItem (r164176)
Clean up JSDOMStringMap::deleteProperty (r164125)
Get rid of IsWorkerGlobalScope and ExtendsDOMGlobalObject extended attributes (r152168)
Object.getOwnPropertyNames() on NamedNodeMap fails to return named properties (r204115)
Align NamedNodeMap with the specification (r203731)
[JSC] Remove custom mark function for NamedNodeMap. (r143118)
Do not convert to String->AtomicString for NamedNodeMap (r141300)

Jun 11, 2020
============
[WebIDL] Autogenerate named getters (r210667 partial revisited)
[WebIDL] Autogenerate named getters (r210667 partial)
Crash under SchemeRegistry::shouldTreatURLSchemeAsLocal(WTF::String const&) (r228972 complete revisited)
Rename "potentionally trustworthy" to "potentially trustworthy" (r221334)
Consider allow gUM to be called from localhost without https (r220805)
Implement W3C Secure Contexts Draft Specification (r218196)
Implement W3C Secure Contexts Draft Specification (r218028 + r218037)
Implement W3C Secure Contexts Draft Specification (r218027)
Bindings: Support runtime-enabled features in specific worlds (r217146)
Bindings: Require value for extended attributes EnabledAtRuntime and EnabledForWorld (r217066)
Add an experimental API to find elements across shadow boundaries (r208878 partial)
atob() / btoa() API should be exposed to workers (r201898)
[WebIDL] Add support for [EnabledAtRuntime] attributes on non-global objects (r199188)
Enable GAMEPAD in the Mac build, but disabled at runtime. (r170400 partial)
Introduce WindowTimers IDL interface (r151908)

Jun 10, 2020
============
Error thrown during "acceptNode" lookup is overridden (r248708)
Refactoring: make MediaTime the primary time type for audiovisual times. (r173318 partial 2)
Setting playback rate on video with media controller is not ignored. (r168996)
Remove unnecessary PlatformTimeRanges::create() (r180532)
[MSE] http/tests/media/media-source/mediasource-config-change-mp4-v-bitrate.html failing after r173318 (r173454)
[MSE] media/media-source tests broken after r173318 (r173439)
Refactoring: make MediaTime the primary time type for audiovisual times. (r173318 partial)
Update PlatformTimeRanges to use MediaTime rather than doubles for time values. (r169565)
Fix TimeRanges layering violations (r164498)
It should be possible to run the full version of V8v7/crypto with the FTL and call IC's (r160980)

Jun 09, 2020
============
[JSC] JITThunk should be HashSet<Weak<NativeExecutable>> with appropriate GC weakness handling (r256779)
Remove dead ENABLE(CUSTOM_ELEMENTS) code. (r157363)
Custom Elements: "readyCallback" lifecycle callback should be called. (r146534 + r146565 + r146572 rolled out + r146583)
NamedFlowCollection getters should follow the same pattern as HTMLCollection (r152466 + r152569 rolled out)
JSString should remember AtomicString (r151978 + r152613 rolled out)
MediaStream: Implement MediaDevices.getSupportedConstraints (r192602)
[MediaStream] VideoTrack should respond to MediaStreamTrack state changes (r192503)
[MediaStream] A RealtimeMediaSource should begin producing data automatically (r192028)
REGRESSION(r170336): Crash in HTMLMediaElement::seekTimerFired() (r170367)
HTMLMediaElement seek algorithm should allow cancelling previous seeks. (r170336)
Add HTMLMediaElement behavior and attribute value restrictions for MediaStream (r191909)
[MediaStream] Play MediaStream through media element and rendered to canvas (r191721)
Ended event should work also when playback rate is negative (r158965)
[JSC] ToThis omission in DFGByteCodeParser is wrong (r240106)
[DFG] Remove ToThis more aggressively (r222143)

Jun 08, 2020
============
[WTF] Newly added AtomicStringImpl should use BufferInternal static string if StringImpl is static (r219510 + r219521 rolled out + r219725)
Leverage Substring to create new AtomicStringImpl for StaticStringImpl and SymbolImpl (r210230)
[JSC] Drop MapBase (r217192)
HashMapImpl should take into account m_deleteCount in its load factor and it should be able to rehash the table to be smaller (r205842)
MapHash should do constant folding when it has a constant argument and its legal to hash that value (r205819)
[CSS Parser] Miscellaneous bug fixes (r208051 partial)
Add support for the object-position CSS property (r197618)
Add parsing support for object-position (r197617)
Use more concrete types for parsing positions (r196851)
[CSS MultiColumn] Parse "columns: auto <length>" shorthand property value properly (r182270)

Jun 08, 2020
============
Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate(). (r215885 complete revisited)
  => Passed [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/JetStream2 (runWasm = false in JetStreamDriver.js)/Speedometer/arewefastyet/Kraken/Dromaeo] on ARMv7 GCC6.2.0 with hard float.

Jun 07, 2020
============
Fix the argument type of RenderView::resumePausedImageAnimationsIfNeeded() (r242936)

Jun 05, 2020
============
[JSC] Report extra memory allocation from PropertyTable (r262600)
The GC should be optionally concurrent and disabled by default (r208720 partial)
Harden against layout passes triggered when iterating through HTMLFormElement::associatedElements (r227479)
Remove unused HTMLFormControlsCollection::namedItem() (r192122)
CrashTracer: com.apple.WebKit.WebContent at WebCore: WebCore::Document::updateStyleIfNeeded (r227841 + r227846)
animations-paused-in-background-page.html and animated-svg-image-removed-from-document-paused.html fail after r218284 (r218311)
Crash in WebCore::RenderStyle::colorIncludingFallback. (r218284)
REGRESSION (214503): Webkit crash under RenderElement::repaintForPausedImageAnimationsIfNeeded() when scrolling giphy pages (r215700)
Animated SVG images are not paused when outside viewport (r214503)
Directly-composited animated GIFs never resume once scrolled offscreen (r194706)
REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout (r185567)

Jun 04, 2020
============
Prevent reentrancy FrameLoader::dispatchUnloadEvents() (r249762)
It should not be possible to trigger a load while in the middle of restoring a page in PageCache (r247025 partial)
Disallow navigations when page cache updates the current document of the frame (r235121)
Layout Test fast/events/beforeunload-dom-manipulation-crash.html is crashing (r227731 + r227743 rolled out + r227948)
REGRESSION(r214194): Safari leaves a popup window open opened during before unload (r219039)
REGRESSION(r214194): Safari leaves a popup window open opened during before unload (r219008)
Prevent new navigations during document unload (r214365)
Prevent new navigations from onbeforeunload handler (r214194)
Avoid synchronous style recalc in dispatchUnloadEvents(). (r211336)
Document.open / Document.write should be prevented while the document is being unloaded (r195496)
alert, confirm, prompt, showModalDialog should be forbidden during page close and navigation (r192270)
Pages should not be able to abuse users inside beforeunload handlers. (r152941)
String overflow when using StringBuilder in JSC::createError (r242910)
Add didBecomePrototype() calls to global context prototypes (r246808)
Structure::create should call didBecomePrototype() (r246714 + r246780 rolled out + r246801)
[JSC] Implement "well-formed JSON.stringify" proposal (r239537)
Handle more JSON stringify OOM (r230863)
[JSC] Use table based approach for JSON.stringify's Quote (r221330)
Roll out StringBuilder changes from the previous patch. (r209173)
Streamline and speed up tokenizer and segmented string classes (r209058 + r209074 + r209120 rolled out + r209129 partial)
Avoid synchronous style recalc in Document.activeElement (r176294)

Jun 03, 2020
============
Further refinement to list item and counter code after "list-item" counter fix (r226675)
Special list-item counter starts from an incorrect number for ::before and ::after (r226613)
Add some missing longhand properties to CSSComputedStyleDeclaration and fix default values (r210449)
Support CSS Shapes Level 1 without a prefix (r207630)
Clip-path transitions sometimes trigger endless animation timers (r190879)
Minor improvements to RenderListItem (r176032)
Add ShapeValue.cpp and move ShapeValue::isImageValid() there (r169904)
Cleanup HTMLOListElement<->RenderListItem bridge (r149405)
Counter still gets incremented when counter-increment is set to none (r147930)
Crash in WebCore::HTMLDocumentParser::insert (r259378)
Post too much text to iFrame could crash webkit (r237909)
XSSAuditor doesn't need a copy of the original document's body. (r145348)
XSSAuditor doesn't need a copy of the original document URL. (r145331)
Continue making XSSAuditor thread safe: Remove dependency on parser's Document URL (r141633)
Continue making XSSAuditor thread safe: Remove dependencies on m_parser from init() (r141605)
CounterNode::resetRenderers is so inefficient. (r207374)
[css-grid] Dynamically setting "position: absolute" in a grid item doesn't trigger a relayout of that element (r262481)
Renaming of overrides in LayoutBox (r231757)

Jun 01, 2020
============
Remove all use of Deprecated::ScriptValue in generated bindings (r199704 partial)
Modern IDB: A few cursor tests are flaky because JS wrappers are GC'ed. (r194967 partial)
Unable to sign in leetcode. (r241137)
[WebIDL] Split-up and cleanup Fetch IDL files in preparation for removing unnecessary js builtins (r220006)
Stop using WebCore::Dictionary in bindings for Fetch (r209231)
[Web IDL] Add support for 'any' type in dictionaries (r204216 revisited)
WorkerGlobalScope attributes / operations should be on the prototype (r201876)
DedicatedWorkerGlobalScope prototype chain is incorrect (r201852)
[WebIDL] Add support for Promise<> attributes (r220433 partial revisited)

May 30, 2020
============
test262: test262/test/built-ins/Object/getOwnPropertyNames/15.2.3.4-4-44.js (r215400)

May 29, 2020
============
JSC should have InstanceOf inline caching (r231961)
  => Passed [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/JetStream2 (runWasm = false in JetStreamDriver.js)/Speedometer/Kraken/Dromaeo] on ARMv7 GCC6.2.0 with hard float.

May 28, 2020
============
WebRTC: RTCPeerConnection constructor argument should be optional (r210017)
Move updateSignalingState to PeerConnectionBackend (r208703)
Refresh RTCDataChannel abstract infrastructure (r208694)
RTCRtpTransceiver should have Ref of sender and receiver (r208683)
[WebRTC] white-list turns urls from the RTCConfiguration (r208525)
[WebRTC] Introduce asynchronous backend for other RTCPeerConnection API (r208445)
[WebRTC] Introduce asynchronous backend createOffer API (r208379)
RTCOfferAnswerOptions does not need to be refcounted (r208141)
[Bindings] "length" value of overloaded operations may be wrong (r203831)
Correct dictionary bindings handling of optional, null, and undefined (r200555 revisited)

May 27, 2020
============
MediaEndpoint::generateDtlsInfo is not needed (r208100 + r208223 rolled out)
Expose RTCPeerConnection unprefixed (r208057)
PeerMediaDescription does not need to be refcounted (r208043)
MediaPayload does not need to be refcounted (r207952)
IceCandidate does not need to be refcounted (r207897)
WebRTC: The RTCTrackEventInit dictionary needs required members (r207895)
MediaEndpointConfiguration does not need to be refcounted (r207818)
WebRTC: The MediaStreamTrackEvent init dictionary needs a required track member (r207588)
WebRTC: Implement MediaEndpointPeerConnection::stop() (r207552)
Update MediaStream events to stop using legacy [ConstructorTemplate=Event] (r207175)
WebRTC: Make MediaEndpointPeerConnection handle remotely assigned mids correctly (r207052)
WebRTC: Misc gardening: Use typedefs consistently and remove unused code (r206908)
WebRTC: Add support for the iceconnectionstatechange event in MediaEndpointPeerConnection (r206868)
WebRTC: Add support for the icecandidate event in MediaEndpointPeerConnection (r206856)
Add WebIDL special operation support: serializer (r206514)
Shield WebRTC JS built-ins from user scripts (r202810)
WebRTC: Implement MediaEndpointPeerConnection::setConfiguration() (r202671)
WebRTC: ice-char can not contain '=' characters for credentials (r202628)
REGRESSION(r202337) [WebRTC] Crash when loading html5test.com (r202624)
WebRTC: Robustify 'this' type check in RTCPeerConnection JS built-ins (r202565)
WebRTC: Align 'update ICE connection/gathering state' steps with the WebRTC 1.0 specification (r202378)
WebRTC: Add support for RTCPeerConnection legacy MediaStream-based API (r202376)
Use enum class instead of string-based enums in RTC code (r200304)
WebRTC: Add support for the negotiationneeded event in MediaEndpointPeerConnection (r202339)
WebRTC: Replace RTCPeerConnection custom constructor with a JS built-in constructor (r202337)
WebRTC: Remove unused MediaEndpointClient::gotRemoteSource function (r202293)
WebRTC: RTCIceCandidate init dictionary don't handle explicit null or undefined values correctly (r202267)
WebRTC: Check type of this in RTCPeerConnection JS built-in functions (r202130)
WebRTC: (Refactor) Align the structure of RTCPeerConnection.idl with the header file (r202109)
WebRTC: RTCPeerConnection::addTrack() should throw InvalidAccessError instead of InvalidModificationError. (r202049)
WebRTC: Imlement MediaEndpointPeerConnection::addIceCandidate() (r202048)
WebRTC: Add media setup test where media is set up in one direction at a time (r202043)
The vector of mediastreams should be passed via a reference to RTCPeerConnection::addTrack() (r202039)
WebRTC: Imlement MediaEndpointPeerConnection::replaceTrack() (r202026)
WebRTC: Imlement MediaEndpointPeerConnection::createAnswer() (r201920)
WebRTC: Imlement MediaEndpointPeerConnection::setRemoteDescription() (r201851)
WebRTC: Imlement MediaEndpointPeerConnection::setLocalDescription() (r201798)
WebRTC: Refactor: Use captures with initializers in MediaEndpointPeerConnection::createOffer() (r201794)
WebRTC: Update MediaEndpointPeerConnection::createOffer() to use the transceiver set (r201728)
WebRTC: Update RTCPeerConnection.addTrack() to create (or reuse) an RTCRtpTransceiver (r201601)
WebRTC: Add RTCRtpTransceiver interface and RTCPeerConnection.addTransceiver() (r201549)
WebRTC: Update RTCPeerConnection overloaded legacy operations to return a Promise (r201455)
WebRTC: RTCSessionDescription: Make attributes readonly (and remove custom binding) (r201420)
WebRTC: RTCIceCandidate: Make attributes readonly (and update constructor arg) (r201350)
WebRTC: RTCIceCandidate don't need a custom bindings (r200144)
[Readable Streams API] Fix filling of descriptor from queue (r226005)
[Readable Streams API] Align queue with spec for ReadableStreamDefaultController (r223279 complete revisited)
[JSC] Use @toNumber in builtins (r220566)
[Readable Streams API] Implement ReadableStreamBYOBReader read() (r218701)
[Readable Streams API] Align respondInClosedState with spec (r217279)
[Readable Streams API] Implement ReadableStreamBYOBReader releaseLock() (r216926)
[Readable Streams API] Implement ReadableStreamBYOBReader cancel() (r216686)
[Readable Streams API] Enable creation of ReadableStreamBYOBReader (r216513)
[Readable Streams API] Implement cloneArrayBuffer in WebCore (r214663 + r214713 rolled out + r215322))
[Readable Streams API] Implement ReadableStreamBYOBRequest respondWithNewView() (r215043)
[Readable Streams API] Implement ReadableStreamBYOBRequest respond() (readable stream state) (r214265)
[Readable Streams API] Implement ReadableStreamBYOBRequest respond() (closed stream state) (r213770)
[Readable Streams API] Add ReadableStreamBYOBRequest view getter (r212748)
[Readable Streams API] Add ReadableByteStreamController byobRequest attribute (r212656)
[Streams API] ReadableStream generic reader constructor does not need to call ReadableStream getReader (r210862)
[Streams API] Align getReader() with spec (r205248)

May 26, 2020
============
[Readable Streams API] Implement canCloseOrEnqueue (r223044)
[Fetch API] Cloning an opaque response should not assert (r222561)
[WebIDL] Cleanup XMLHttpRequest's bindings (r212181)
[WebIDL] Add support for ByteString (r208876)
Get rid of custom bindings code for XMLHttpRequest.open() (r203470)
Update XMLHttpRequest to use enum class instead of string for enumeration (r200300)
WebRTC: Update RTCIceCandidate (r198325)
WebRTC: Implement MediaEndpointPeerConnection::createOffer() (r197702)
WebRTC: Add MediaEndpoint interface (WebRTC backend abstraction) (r197053)
WebRTC: RTCPeerConnection: Sort out responsibilities of close() and stop() (r197020)
WebRTC: Add addReceiver() function to PeerConnectionBackendClient interface (r197019)
The parser doesn't properly protect against global variable references in builtins (r196525 revisited partial)
WebRTC: Add support for RTCRtpSender.replaceTrack() (r194968)
WebRTC: Update RTCPeerConnection.add/removeTrack() and add test (r194918)
Binding and builtin generators should lowercase RTCXX as rtcXX and not rTCXX (r193948)
[XHR] Ensure response return null when error flag is set for blob and arraybuffer (r163527)
Stop throwing DOM exceptions in internal 'XMLHttpRequest' response getters (r154800)
use XMLHttpRequestResponseType enumeration in XMLHttpRequest.idl (r147172)

May 25, 2020
============
The parser doesn't properly protect against global variable references in builtins (r196525 revisited partial)
webkitGetUserMedia built-in should use @then and not then (r194554)
JSC Builtins should use safe array methods (r193899 partial revisited)
WebRTC: Initial testing of updated RTCPeerConnection API (r192675)
WebRTC: Initial testing of updated RTCPeerConnection API (r192575)
WebRTC: Update RTCPeerConnection API and introduce PeerConnectionBackend (r192464)
WebRTC: Add event names needed by updated RTCPeerConnection (r190713)
Get MEDIA_STREAM compiling on OSX (r155057 partial)
Add bindings generator support to add a native JS function to both a 'name' and a private '@name' slot (r202275 partial revisited)
Remove DOMPromiseWithCallback (r192746)
Move webkitGetUserMedia to JS Builtin (r191949)
Use ImplementedAs for MediaDevices.getUserMediaFromJS (r191547)
Binding generator should allow generating private JS functions (r191287 complete revisited)
REGRESSION(r190262): User media unit test failures after r190262 (r190362)
Clean up user media request internal API (r190262)
[MediaStream Mac] implement WebAudioSourceProvider (r190115)
[MediaStream] Clean up MediaStream private interfaces (r190072)
Linking WebKit2 to be able to grab media sources from a UID (r187282)
Fix a crash in the webaudio source provider when the audio track is going away. (r159931)

May 24, 2020
============
Array.prototype.splice doesn't set "length" of returned object (r262088)

May 23, 2020
============
Implement RegExp Unicode property escapes (r223081)

May 22, 2020
============
UserMediaClientMock leaks every test run (r190061)
Cleanup code that finds and loads a media engine (r190020)
[MediaStream] new load method for MediaStreamPrivate objects (r181153)
Incomplete braced quantifiers should be banned in Unicode patterns only (r255452)
Invalid ranges in character classes should be banned in unicode patterns (r255134)
String.prototype.replace() incorrectly handles named references on RegExp w/o named groups (r254088)
Add OOM detection to StringPrototype's substituteBackreferences(). (r238143)
Correctly detect string overflow when using the 'Function' constructor. (r231197 + r231310 rolled out + r237577)
Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX. (r236804)
Test262 failure with Named Capture Groups - using a reference before the group is defined (r235882)
[JSC] Fix CachedCall's argument count if RegExp has named captures (r232092)
appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards (r230026)
Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek() (r222600)
Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern. (r222586)
String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp (r221949)
Add support for RegExp named capture groups (r221769)
[JSC] Implement String.prototype.concat in JS builtins (r217648 complete revisited)
Change Intl prototypes to plain objects (r215349)
Use @isUndefinedOrNull instead of abstract equality with null (r262017)
RegExp.prototype[@@replace] relies on globals and doesn't perform ToLength (r259029)
[JSC] GetSubstitution is performed incorrectly via RegExp.prototype[@@replace] (r252836)

May 21, 2020
============
[MediaStream] Finish implementing MediaDevices.enumerateDevices (r189982)
Implementing enumerateDevices (r188493)
[JSC] Implement String.prototype.concat in JS builtins (r217648)
Array.prototype.concat is incorrect with objects whose "length" exceeds 2 ** 32 - 1 (r261987)
Array.prototype.concat fast path checks should not be observable (r261430)
arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array. (r234269)
[JSC] Fix Array.prototype.concat fast case when single argument is Proxy (r232261)
[JSC] Clean up ArraySpeciesCreate (r228012 + r228102 rolled out)
Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy (r217149)
arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided (r217135)
JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too. (r215451)
Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it. (r214374 complete revisited)
Array concat operation should check for length overflows. (r214079)
Fix max length check in ArrayPrototype.js' concatSlowPath(). (r212019)
Array.prototype.concat should not modify frozen objects. (r207178 complete revisited)
concatAppendOne should allocate using the indexing type of the array if it cannot merge (r203798)
appendMemcpy might fail in concatAppendOne (r203033)
Add support for Symbol.isConcatSpreadable (round 2) (r202125 complete revisited)
DFG Validation fails when performing a concatenation with only a single entry (r202015)

May 20, 2020
============
[Web IDL] Specify default values for optional parameters of type 'long' / 'unrestricted double' (r200087)
[Web IDL] Specify default values for boolean parameters (r199976)
Update some AudioContext create() method names to latest Web Audio spec (r132125)
'compatMode' property should be on Document, not HTMLDocument (r204451)
Fix null handling of HTMLMediaElement.mediaGroup (r203463)
Parameter to named property getter should be mandatory (r203797)
Fix null handling of HTMLSelectElement.value attribute (r203456)
Fix null handling of SVGScriptElement.type attribute (r203444)
Fix null handling of several HTMLDocument attributes (r203443)
input.formEnctype / formMethod and button.formEnctype / formMethod / type should treat null as "null" (r203394)
HTMLElement / SVGElement should implement GlobalEventHandlers, not Element (r202539)
[Web IDL] Specify default values for optional parameters of type 'DOMString' (r200192)
focus() / blur() should be on HTMLElement / SVGElement, not Element (r197875)
Update DOMException name: InvalidStateError (r134648 revisited)
Update DOMException name: IndexSizeError (r134613 revisited)
fast/forms/file/input-file-write-files.html should cover correct setting value (r132599)
Implement setRangeText() on text controls (r131969)
JSModuleNamespace object should have IC (r212712 + r212717 rolled out + r212818)
[JSC] Update module namespace object according to the latest ECMA262 (r212430)
[ES6] JSModuleNamespaceObject's Symbol.iterator function should have name (r204160)
StaticHashSetNodeList is unnecessary (r149262)
[ Mac wk1 Debug ] imported/w3c/web-platform-tests/fetch/api/basic/stream-safe-creation.any.html  is flaky crashing with alerts
  - WTFCrashWithInfo - SC::JSObject::get(JSC::JSGlobalObject*, JSC::PropertyName) (r261857)

May 19, 2020
============
STP TypedArray.subarray 5x slowdown compared to 9.1 (r203037 + r203046 rolled out + r203076)
We should have a DFG intrinsic that checks if a value is a TypedArrayView (r202363)
Binding generator should generate names for JSBuiltins partial interface methods using ImplementedBy value (r191288)
HTMLMediaElement registers wrong ScriptExecutionContext with its ActiveDOMObject parent class (r241130 partial)
Pass Document instead of ScriptExecutionContext to non-worker constructors (r177864)
Comment should be consructable. (r161867)
Support css-color-4 rgb functions (r239574 partial)
The bison grammar for @supports should return 0 in case of an error (r149376)
[JSC] Introduce op_get_by_id_direct (r230376 complete revisited + r230379)

May 18, 2020
============
[ESNext] Async iteration - Implement Async Generator - runtime (r221080 revisited)

May 17, 2020
============
[ES6] Add @@toStringTag to GeneratorFunction (r199459)
[es6] Arrow function syntax. Fix tests after 149338 landing (r193603 revisited)

May 16, 2020
============
for-await-of has bad error message if used in non-async function (r248711)
[JSC] Generator and AsyncGeneratorMethod's prototype is incorrect (r233855)
ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async) (r229162)
Assertion used to determine if something is an async generator is wrong (r226305)
Async iteration should only fetch the next method once and add feature flag (r224787)
[ESNext] Async iteration - Implement Async Generator - optimization (r222425)
[ESNext] Async iteration - Implement async iteration statement: for-await-of (r221358)
[ESNext] Async iteration - Implement Async Generator - runtime (r221080)
[ES6] GeneratorFunction (a.k.a. GeneratorWrapperFunction)'s prototype object does not have constructor property (r206738)
Generators violate bytecode liveness validation (r202689 revisited)

May 15, 2020
============
op_get_by_id_with_this should use inline caching (r213019 + r213088 rolled out + r213467)
[JSC] Handle new_async_func / new_async_func_exp in DFG / FTL (r208704)
[ESNext] Trailing commas in function parameters. (r201488 + r201566 rolled out + r201725)

May 15, 2020
============
GetArrayLength should be "blessed" during Fixup phase in the DFG (r261712)
  => Passed [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/EPG Guide/Factory Demo/EBench 2004|2013|2016/
    V8/SunSpider/JetStream/JetStream2 (runWasm = false in JetStreamDriver.js)/Speedometer/Kraken/Dromaeo] on ARMv7 GCC6.2.0 with hard float.

May 15, 2020
============
GetByVal and PutByVal runtime operations shouldn't fall off a performance cliff when the property is an integer boxed as a double (r261731)
Undecided Arrays shouldn't need to be OriginalArray to covert to GetArrayLength (r261725)

May 14, 2020
============
[ES6] Handle new_generator_func / new_generator_func_exp in DFG / FTL (r194135 + r194141 rolled out + r194216)
[JSC] Add a new byte code op_define_property instead of calling defineProperty (r206778 + r206790 + r206808)
REGRESSION(r224053): Crash in WebCore::Node::moveTreeToNewScope (r224325)
DidMoveToNewDocumentAssertionScope shouldn't be necessary (r224053)
didMoveToNewDocument doesn't get called on an Attr inside a shadow tree (r218083)
Move TreeScope::adoptIfNeeded to Node and rename it to setTreeScopeRecursively (r217972)
The tree scope of an Attr node inside a shadow tree does not updated upon detach. (r217957)
Simplify DocumentType handling. (r154961)
Merge TreeScopeAdopter into TreeScope (r217876)
CrashTracer: [USER] com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::ExtensionStyleSheets::pageUserSheet + 14 (r208967)
Attr.ownerDocument should change if its parent's owner did (r139958)

May 13, 2020
============
Add support for the Q unit (r251662 partial)
Percentages are calculated wrong in SVG transform CSS property (r217776)
Support transform-box to switch sizing box in SVG (r217236)
StyleSheetContents::wrapperInsertRule() can create rules that overflow RuleData's selector index (r187133)
Turn r/rx/ry to presentation attributes (r172642)
Turn cx/cy to presentation attributes (r172641)
Turn x/y to presentation attributes (r171591)
Refactor calculation of hasRx and hasRy values in SVGPathData (r162537)

May 12, 2020
============
Teach DFGFixupPhase.cpp that the current scope is always a cell (r220890)
We are too conservative about the effects of PushWithScope (r220783)
Support the 'with' keyword in FTL. (r220778)
[ES6] Add DFG/FTL support for accessor put operations (r191500 + r191529 rolled out + r191621)
Remove FeatureObserver. (r164822)
Rename Document::m_selfOnlyRefCount to m_referencingNodeCount (r164242)
Update Document.createEvent for recent DOM specification changes (r223023)
PopStateEvent should not be cancelable by default (r232610)
Rename *Event::create* which creates events for bindings to *Event::createForBindings* and cleanup corresponding paths (r196400)
Implement DOM3 wheel event (r154673 complete revisited)
Update Document's event listener type bitfield when adopting a Node (r148072)
Implement WheelEvent::deltaMode (r141826)
Rename WheelEvent::Granularity to WheelEvent::DeltaMode (r141394)
Implement WheelEvent constructor (r141318)
Implement MouseEvent constructor (r140657)

May 11, 2020
============
Update CustomEvent to stop using legacy [ConstructorTemplate=Event] (r206964)
document.createEvent("popstateevent") should create a PopStateEvent (r205138)
Reduce the number of events that can be created by Document.createEvent (r193957)
Make DOMImplementation::hasFeature() behave according to specification (r153901)
Handle IDLPromise<> properly (r216501 partial revisited)
Support for promise rejection events (unhandledrejection) (r215916 complete revisited)
Make sure Event keeps its current target element alive (r212029)
[New Multicolumn] Column rules don't respect the specified stacking order. (r167463)

May 10, 2020
============
ASSERTION FAILED: !m_valueOrException under FontFaceSet::completedLoading loading a Serious Eats page (r221948)
Fix double resolve assertion in FontFaceSet seen while running tests (r221835)
[WebIDL] Add support for Promise<> attributes (r220433 partial)

May 09, 2020
============
Handle IDLPromise<> properly (r216501 partial)

May 08, 2020
============
Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit (r222115 partial)
Add testing tool to lie to the DFG about profiles (r220735)
DFG ByVal nodes with ArrayModes should clobberTop until Fixup phase runs. (r261260 + r261293 rolled out + r261313 partial)
Follow-up after String.codePointAt optimization (r250004)
[JSC] Add StringCodePointAt intrinsic (r249780)
Use more references in JS wrappers related code (r200934 partial)
An XMLDocument interface should be exposed on the global Window object (r195520)
[WK2] Add support for text document viewport configuration (r163654)
Remove PlaceholderDocument (r161207)
Devirtualize Document class type checking (r149705)

May 07, 2020
============
Add a SecurityOriginPolicy class (r177661)
Remove m_securityOrigin from XMLHttpRequest (r149853)
[Web Animations] Remove the redundant m_scheduledMicrotask from WebAnimation (r239270)
It should be possible to dispatch events on documents that do not have a browsing context (r206462)
DOMImplementation.createHTMLDocument("") should append an empty Text Node to the title Element (r195491)
Remove ContextFeatures. (r155938)
createHTMLDocument() should not create a title element if the title argument is left out (r130203)
RenderMultiColumnFlow::fragmentedFlowDescendantInserted should not destroy incoming newDescendant (r225506)
Move inlineElementContinuation function to RenderBoxModelObject and rename to inlineContinuation (r224600)
There is no such thing as block element continuation (r224561)
ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly. (r217429 revisited)
  -> number-to-string-with-radix-watchpoint
DFG ByVal nodes with ArrayModes should clobberTop until Fixup phase runs. (r261260)
[JSC] Improve our bound function implementation (r253867 partial)
  1. Rename CallFrameSlot::argumentCount to CallFrameSlot::argumentCountIncludingThis.

May 06, 2020
============
Remove Element::isInlineElementContinuation (r224583)
Remove RenderBlock::isAnonymousBlockContinuation() (r224563)
Remove redundant RenderObject::virtualContinuation (r223072)
ASSERTION FAILED: !flow->layer() && !flow->isInlineElementContinuation() in WebCore::RenderBlock::addContinuationWithOutline (r205277)
Stop isEmpty() from leaking out of SVG. (r203660)
Use RenderObject::firstChildSlow() / lastChildSlow() less (r174542 partial)
Remove empty continuations in RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers (r224332)
Remove empty continuations in RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers (r224273 + r224278 + r224279 rolled out + r224327))
Destroy all unneeded anonymous wrappers in RenderObject::removeFromParentAndDestroyCleaningUpAnonymousWrappers() (r224177)
Stay inside the continuation while searching for a candidate ancestor for insertion. (r214059)
[Clean RenderTree] LayoutTests/imported/blink/fast/table/crash-bad-child-table-continuation.html fails. (r207310)
Make inline continuation style change logic consistent. (r182835)
Inline continuation code should not take anonymous containing wrapper granted. (r182051)
REGRESSION: fast/css/relative-positioned-block-nested-with-inline-parent-multiple-descendant-blocks-dynamic.html broken (r166745)
Rename "FlowThread" to "FragmentedFlow" (r222575 partial)
Rename "Region" to "Fragment" for RenderRegion and associated classes/methods. (r222556 partial)
requestAnimationFrame should execute before the next frame (r242624 + r242643 + r242688 + r242714 rolled out + r244182 partial)
[Web Animations] Don't schedule animation frames or update style while an accelerated animation is running (r238128 complete revisited)
[Web Animations] REGRESSION: transition added immediately after element creation doesn't work (r234250)
[Web Animations] Throttle animations when lowPowerMode is on (r230579 partial)
Speed up move of vectors of POD types that have an inline buffer (r201314)

May 05, 2020
============
[Web Animations] Ensure we don't update an animation's finished state twice when updating animations (r239269)
REGRESSION (r233268): contents of an animated element inside overflow:hidden disappear (r239222)
[Web Animations] Don't schedule animation frames or update style while an accelerated animation is running (r238128 partial revisited)
[Web Animations] Don't reset pending tasks when setting a null effect (r237856)
[Web Animations] Implement getTiming() and updateTiming() (r237853)
Structure::flattenDictionary() should clear unused property slots. (r243069)
[JSC] Owner of watchpoints should validate at GC finalizing phase (r243032 + r243071 + r243420 rolled out + r243560)
UserMediaRequest should supply IDs of devices selected by user (r188385)
Need to add stubs to enumerateDevices (r188356)
[EFL] http/tests/media/media-stream/disconnected-frame-already.html is crashing after r185903 (r187737)
Remove duplicate vectors inside of UserMediaRequest (r187435)
Bridged passing lists of devices between the UIProcess and the WebProcess (r187258)
Need the ability to give only best source UIDs to UserMedia request (r187168)
Remove revealing getVideoTracks() and getAudioTracks() (r187164)
Exposing webkitMediaStream as MediaStream (r186697)
Expose MediaStream methods to be used in the MediaStream Engine (r186640)
Implementing platform-specific section of enumerateDevices (r186608)
Make MediaStream conform to its private client like MediaSource does (r186565)
WebRTC: Navigator.webkitGetUserMedia() requires three arguments (r185820)
Patch (r176011)

May 04, 2020
============
AccessCase::canReplace should allow a Getter to replace an IntrinsicGetter (r258573)
Cleanup RenderTable*::createAnonymous* (r203708)
Enable fieldsets to be flexboxes, grids and multicolumn. (r213379 + r213423 rolled out + r213455)
[CSS Grid Layout] Add scrollbar width in intrinsic logical widths computation (r184446)
Fix typo in RenderBox::instrinsicScrollbarLogicalWidth() (r184339)
Tighten RenderCounter typing (r172730)
Element's renderer factory should return RenderPtrs. (r161181)
Improve the performance of RenderDeprecatedFlexibleBox. (r149597)
Add methods to CounterDirectives to clean up StyleBuilder and RenderCounter. (r127826)
Clean up spanners before creating nested column context (r225255)
Always invoke RenderObject::insertedIntoTree/willBeRemovedFromTree (r224933)
Create inline wrappers for before/after pseudo elements that have display:contents (r223898)
Support ::before/::after pseudo elements with display:contents (r223810)
Move more multicolumn render tree mutation code to RenderTreeUpdater::MultiColumn (r222920)
Move multicolumn flow clear to RenderTreeUpdater (r222911)
RenderMultiColumnFlow::m_beingEvacuated is redundant. (r222874)
Move some RenderObject member functions to RenderElement. (r175211)
Inconsistent section grid could lead to CrashOnOverflow (r225960)
Viewport unit values affected by Comand-+ zoom (r225277)

May 03, 2020
============
[JSC] Remove unused Heap::getConservativeRegisterRoots(). (r189515)
CStack Branch: CodeBlocks aren't being marked by garbage collector (r160931)
Set the activeLength of all ScratchBuffers to zero when exiting the VM (r232490)
Create a more generic way for VMEntryScope to notify those interested that it will be destroyed (r172324)
fast/profiler tests ASSERTing after moving recompileAllJSFunctions off a timer (r162720)
Introducing VMEntryScope to update the VM stack limit. (r159605 partial)

May 02, 2020
============
[JSC] Default parameter part should be retrieved by op_get_argument opcode instead of changing arity (r214029 + r214040 + r214041)
We don't properly propagate non-simple-parameter-list when parsing a setter (r206590)
test262: Function length should be number of parameters before parameters with default values (r206268)
test262: Should be a SyntaxError for duplicate parameter names in function with default parameters (r205969)

May 01, 2020
============
[JSC] Remove one indirection in JSObject::toStringName (r239557)
WebRTC: Update the MediaStream API (r186081)
Building MediaDeviceInfo for enumerateDevices (r185940)
Fix Ref to deref before assignment, add tests for this to RefPtr, Ref, Function (r218496)
Refactor UserMediaRequest to share more codes between MediaDevices.getUserMedia and legacy webkitGetUserMedia (r185903)
MediaDevices.getUserMedia should migrate from callbacks to DOMPromise (r185873)
MediaDevices.getUserMedia should put promises in resolve/reject state synchronously (r185191)
MediaDevices.getUserMedia should reject promise instead of throwing exceptions (r184984)
MediaDevices possesses a vtable despite using ImplementationLacksVTable IDL attribute (r182342)
WebRTC: Add support for Promise-based MediaDevices.getUserMedia() (r182275)

Apr 30, 2020
============
Crash when submitting form in a document with null encoding (r158868)
Have MediaStream::getAudioTracks(), MediaStream::getVideoTracks() return const references (r184067)
WebRTC: Remove AudioStreamTrack and VideoStreamTrack (removed in spec) (r182627)
Rename MediaStreamCenter to RealtimeMediaSourceCenter (r181371)
Rename MediaStreamSource to RealtimeMediaSource (r181152)
[Mac][MediaStream] clean up bit rot (r175066)
[MediaStream] Add getTracks() support to MediaStream. (r169743)
[MediaStream] 'get' prefix is missing for capabilities and constraints. (r169648)
RTCDtmfSender default values need to be updated. (r168966)
alidation for getUserMedia() errorCallback is missing. (r168842)
[MediaStream] MediaStream.addTrack Should not check for active state. (r168679)
[MediaStream] Rename NavigatorMediaStream as NavigatorUserMedia. (r168576)
[MediaStream] .ended shouldn't be part of MediaStream IDL (r167868)
[MediaStream] Implement MediaStream active attribute (r167750)
Add platform implementation for RTCOfferAnswerOptions and RTCOfferOptions (r166325)
[WebRTC] Moving RTCConfiguration and RTCIceServer to Modules/mediastream (r166003)
Improving webkitGetUserMedia error handling and error messages (r165915)
[WebRTC] Fix layering violation in RTCStatsRequest (r165858)
Unnecessary ImplementationLacksVTable IDL attribute used for RTCConfiguration, RTCIceServer (r165614)
[WebRTC] Adding getConfiguration method to RTCPeerConnection (r165255)
[WebRTC] Updating RTCPeerConnection.idl (r165248)
[WebRTC] Updating RTCIceServer to match spec (r165247)
[WebRTC] Updating createOffer and createAnswer methods to match WebRTC editor's draft of 01/27/2014 (r165226)
[WebRTC] Removing MediaConstraints argument from RTCPeerConnection addStream, updateIce methods and constructor (r164839)
[WebRTC] Validating RTCConfiguration according to the spec (r164602)
[WebRTC] Updating RTCConfiguration to match WebRTC editor's draft of 01/27/2014 (r164372)
Checking RTCPeerConnection signalingState before setting local/remoteDescription (r160663)
Adding RTCPeerConnectionErrorCallback (r160553)
Removing MediaStreamVector typedef (r165834)
Only supplement Page with UserMediaController once (r165733)
[WebRTC] Throw SYNTAX_ERROR when maxRetransmits and maxRetransmitTime are both set in RTCDataChannelInit (r165321)
[MediaStream] Firing negotiationneeded event upon track add/remove on MediaStream (r160181)
[MediaStream API] HTMLMediaElement should be able to use MediaStream as source (r159797)
MediaStreamRegistry should store MediaStreams instead of MediaStreamPrivates (r159767)
Modifying RTCIceCandidate object construction to match the spec (r159349)
Modifying RTCSessionDescription object construction to match the spec (r159230)
Checking for TypeError in RTCPeerConnection object creation (r158964)
Changing MediaStreamDescriptor to MediaStreamPrivate (r158849)
Removing MediaStreamTrackVector and MediaStreamSourceVector typedefs (r158480)
Removing unnecessary early returns in addTrack, removeTrack and removeRemoteSource methods (r158470)
Explicitly initialize RefCounted base class in MediaStreamTrack's constructors (r158442)
Adding addRemoteTrack and removeRemoteTrack functions to MediaStreamDescriptor and MediaStream (r158438)
Simplifying MediaStream and MediStreamDescriptor creation (r158337)

Apr 29, 2020
============
[Mac MediaStream] implement AVFoundation backed MediaStreamSource (r158220)
Adding platform implementation of MediaStreamTrack (r158018)
[MediaStream API] allow a stream source to be shared (r157958)
MediaStreamTrack now tracks its own state (r157733)
[MediaStream API] update MediaStream object to match spec (r157273)
U_STRING_NOT_TERMINATED_WARNING ICU must be handled when using the output buffer as a C string (r260882 partial)
Improve normalization code, including moving from unorm.h to unorm2.h (r243049 partial)
Remove copy of ICU headers from WebKit (r219103 + r219104 rolled out + r219155 partial)
[JSC] String.prototype.normalize should have a length of zero (r202916)
Change the last RefPtr::get() to release() in String.prototype.normalize (r196547)
Use StringView::upconvertedCharacters() to make a 16-bit copy in String.prototype.normalize (r192146)
[ES6] Implement String.prototype.normalize (r191235)
Create MediaStream object with ended attribute set if all tracks that are being used on its creation are ended (r157268)
[MediaStream API] update MediaStreamTrack object to match spec (r157068)
Fixing mediastream debug build (r157723)
URLMediaStream is unguarded by ENABLE(MEDIA_STREAM) (r157041 revisited)
MediaStreamTrack can't be FINAL (r157030)
Storing a reference to MediaStreamTrack in RTCStatsRequest (r156574)
[MediaStream API] update SourceInfo object to match spec (r156554)
[MediaStream] make MediaStream testable (r156522)
[MediaStream API] implement VideoStreamTrack and AudioStreamTrack (r156488)
[MediaStream] Cleanup platform interface (r156473)

Apr 28, 2020
============
MediaStream API: update NavigatorUserMediaError object to match spec (r156108)
MediaStream API: Changing the device enumeration to be async (r155992)
MediaStream API: Adding an async RTCPeerConnection::addIceCandidate (r155954)
MediaStream API: Storing the constraints in MediaStreamSource (r155881)
MediaStream API: Update RTCDataChannel (r155794)
MediaStream API: Update RTCDataChannel to match the specification (r155792)
[MediaStream] remove MediaStream.label (r155789)
[MediaStream API] Updating NavigatorUserMediaError to match the spec (r155579)
MediaStream API: Remove LocalMediaStream (r155573)
Split MediaStreamDescriptor.h and MediaStreamComponent.h into .h and .cpp (r155477)
Cleanup AudioSourceNode.idl from WebKit build. (r150924)
AudioDestination::create() needs extra device identification information for live/local input streams (r143781)
Implement MediaStreamSource::setAudioFormat() (r138895)
Add basic implementation for MediaStreamAudioDestinationNode (r135985)
MediaStream API: Add ExtraData capability to MediaStreamSource (r124362)
Implement Object.fromEntries (r235589)
Structured cloning a Symbol should throw (r227969)
[JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray (r222017)

Apr 27, 2020
============
Make MediaStream objects ScriptWrappable (r155478)
MediaStream API: Enhance MediaStreamDescriptor add/remove component (r155434)
MediaStream API: Stop means stop (r155364)
MediaStream API: Moving Add/Remove track from WebMediaStreamCenterClient to WebMediaStream (r155362)
Adding username to RTCIceServer (r155346)
MediaStream should fire ended event when all tracks are ended (r155249)
[MediaStream]: Remove ``>= 0'' assertion from a size_t variable (r151863)
MediaStream API: Finalize the RTCPeerConnection states (r146582)
Expose the Type field of an RTCStatsReport (r146509)
Mediastream.ended should return true when all tracks were removed. (r146046)
MediaStream API: Allow local and remote descriptions to be accessed after close (r144808)
MediaStream API: Add the getStreamById method on RTCPeerConnection (r144748)
MediaStream API: Implement DTMF support in RTCPeerConnection (r141984)
MediaStream API: local addTrack() and removeTrack() operations should not fire events. (r144610)
MediaStream API: RTCDataChannel triggers a use-after-free (r142887)
Fix and test for missing return statement (r142289)
MediaStream API: A MediaStreamComponent should be able to return the MediaStreamDescriptor it belongs to (r141151)
Implement MediaStreamEvent constructor (r140305)
MediaStream API: Update MediaStreamTrack::readyState to match specification (r139618 + r139696 rolled out + r139849)
MediaStream API: Rename the [add|remove]Track callbacks to [add|remove]RemoteTrack for clarity (r139775)
MediaStream API: Fixing crashing bug in MediaStream (r139732)
MediaStream API: Update the track accessors on MediaStream to match the latest specification (r139611)
MediaStream API: Change MediaStream::readyState to an boolean attribute called ended. (r139598)
MediaStream API: Adding the new id attribute to MediaStream and MediaStreamTrack (r139352)
Allow live/local audio input to be enabled only when needed (r139262)
MediaStream API: Update the MediaStream constructor (r138354)
MediaStream API: Change the data channel descriptor pattern to a handler pattern (r137441)
Don't invert a matrix for every channel of every pixel of an FETurbulence filter (r224996)
Apply feTurbulence spec change to fix zero length vector generation (r179171)
Assertion failure under FEImage::determineAbsolutePaintRect() (r167295)
Rewrite multithreaded filter job dispatching (r129796)
Remove Local/Remote and RTCStatsElement from WebRTCStats API (r146364)
Implemented new API for RTCStatsReport object. (r145279)
MediaStream API: Add a missing state to RTCPeerConnection (r138738 revisited)
Name enumerator function for GetStats RTCStatsElement (r135500)
MediaStream API: Make sure that MediaConstraints only has optional and mandatory at the top level (r134245)
MediaStream API: Schedule the RTCDataChannel events to be triggered at idle state (r134207)
MediaStream API: Rename owner to client in MediaStreamDescriptor (r131914)
Implement the Selector argument to RTCPeerConnection.getStats (r131584)
Change PeerConnection getStats function to single value local / remote (r130768)
Change RTCPeerConnection GetStats to use Date timestamp format (r130377 + r130380 rolled out + r130383)
MediaStream API: RTCPeerConnection should send down its handler via the FrameLoaderClient directly after creation. (r130270)
Add data passing to the GetStats interface of RTCPeerConnection (r130260)
Implement the GetStats interface on PeerConnection (r129654 + r129672 rolled out + r129908)
MediaStream API: Enhance MediaConstraints to make it easier to get the constraint data (r129764)
MediaStream API: Update getUserMedia to match the latest specification (r129517 + r129532 rolled out + r129749)

Apr 26, 2020
============
Crash in RenderTableCol::willBeRemovedFromTree() (r255971)

Apr 25, 2020
============
[JSC] Adhocly created CallLinkInfo in GetterSetterAccess should be owned by GCAwareJITStubRoutine (r253361)
GetByID IC is wrongly unwrapping the global proxy this value for getter/setters. (r209442 revisited)

Apr 24, 2020
============
[chromium] MediaStream API: Add missing WebRTCPeerConnectionHandlerClient::didAddRemoteDataChannel (r134970)
MediaStream API: Extend UserMediaRequest with a ownerDocument method (r129145)
MediaStream API: Rename the RTCIceServer uri parameter to url. (r128982)

Apr 24, 2020
============
Baseline JIT should not require its input to be constant-propagated (r196273 complete revisited)
Gardening: fix broken 32-bit JSC tests.  Just need to assign a scratch register. (r194131)
Polymorphic operand types for DFG and FTL bit operators. (r194113 partial)
Misc. small fixes in snippet related code. (r194042 partial)
Removed some dead code, and simplified some code in the baseline JIT. (r193998)
Snippefy shift operators for the baseline JIT. (r193788)
Rename JITBitwiseBinaryOpGenerator to JITBitBinaryOpGenerator. (r193633)
Snippefy bitwise operators for the baseline JIT. (r193471)
  => Passed [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/JetStream2/Speedometer/Kraken/Dromaeo/EPG Guide/Factory Demo] on ARMv7 GCC6.2.0 with hard float.

Apr 24, 2020
============
Don't cache self customs on dictionaries (r253810 complete revisited)
Canonicalize how we prepare the prototype chain for inline caching (r251085 complete revisited)
Inline caching is wrong for custom accessors and custom values (r250540)
[JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase (r233644)
JSC should know how to cache custom getter accesses on the prototype chain (r231283)
JSC should be able to cache custom setter calls on the prototype chain (r231250)
Refactor AbsenceOfSetter to AbsenceOfSetEffects (r218218)

Apr 23, 2020
============
MediaStream API: Change the MediaStreamTrackList track added/removed signaling (r127485)
AudioContext::createMediaStreamSource() must create a provider for local MediaStreams (r125456)
Create a MediaSource object. (r124953 revisited)
Allow AudioDestination to support local/live audio input (r124264)
Add stub implementation for MediaStreamAudioSourceNode (r124255 revisited)
Snippefy op_negate for the baseline JIT. (r194363)

Apr 23, 2020
============
[JSC] Remove a useless "Move" from baseline-JIT op_mul's fast path (r197685)
Baseline JIT should not require its input to be constant-propagated (r196273 partial revisited)
Refactor the op_add, op_sub, and op_mul snippets to use the SnippetOperand class. (r192842)
Snippefy op_mul for the baseline JIT. (r192600)
  => Passed [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/JetStream2/Speedometer/Kraken/Dromaeo/EPG Guide/Factory Demo] on ARMv7 GCC6.2.0 with hard float.

Apr 23, 2020
============
The baseline JIT crashes when compiling "(1,1)/1" (r201301)
[JSC] Commute FDiv-by-constant into FMul-by-reciprocal when it is safe (r199866)
Snippefy op_div for the baseline JIT. (r192836)
[JSC] Implement Math.clz32(), remove Number.clz() (r183358 partial)
Remove some unnecessary jumps in snippet code. (r192599)
Refactoring: move branchMul32's imm arg to the 3rd argument to be consistent. (r192535)
Fix some inefficiencies in the baseline usage of JITAddGenerator. (r191978)
Snippefy op_add for the baseline JIT. (r191905)
[DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag (r226434 + r226440 rolled out)
JITSubGenerator::generateFastPath() does not need to be inlined. (r191713)
Update FTL to support UntypedUse operands for op_sub. (r191683 partial)
Factoring out op_sub baseline code generation into JITSubGenerator. (r190649)

Apr 22, 2020
============
[DFG] Convert ValueAdd(Int32, String) => MakeRope(ToString(Int32), String) (r215472)
Polymorphic operands in operators coerces downstream values to double. (r200606 complete revisited)
[JSC] Get rid of NonNegZeroDouble, it is broken (r200502 complete revisited)
DFG and FTL should be resilient against cases where both snippet operands are constant. (r193793)
Use the JITAddGenerator snippet in the DFG. (r192531 complete revisited)
[ARM] Remove redefined macro after r200606 (r201161)
Polymorphic operands in operators coerces downstream values to double. (r200606 partial revisited)
[JSC] Get rid of NonNegZeroDouble, it is broken (r200502 partial revisited)
Profiling should detect when multiplication overflows but does not create negative zero. (r194613 + r194669)

Apr 21, 2020
============
constructObjectFromPropertyDescriptor() is incorrect with partial descriptors (r260447)
Check Structure attributes in Object.assign exhaustively (r260434)
Replace SpecialFastCase profiles with ResultProfiles. (r194294)
Bytecode dumping should show rare case profiles (r137878 revisited)
Polymorphic operand types for DFG and FTL div. (r193781)
Polymorphic operand types for DFG and FTL mul. (r192993)
Teach DFG that ArithSub can now clobber the heap (and other things). (r192949)
Use JITSubGenerator to support UntypedUse operands for op_sub in the DFG. (r191224 + r191241)
We should only expect a RareCaseProfile to exist if the rare case actually exists. (r190213)
[mips] Add new or32 implementation after r194613 (r194763)

Apr 20, 2020
============
Bindings that override getOwnPropertySlotByIndex need to say they MayHaveIndexedAccessors (r259355)
Drop superfluous iterator property setting in addValueIterableMethods() (r217187)
DOMTokenList should be iterable (r203728)
Improvements to Intl code (r196887)
Use JSValue::toWTFString instead of calling toString(exec) and value(exec) (r209801)
REGRESSION: [iOS 13?] TestWebKitAPI.SharedBufferTest.tryCreateArrayBufferLargeSegments is failing (r251089)
Unreviewed, fix debug by removing an assertion that is not correct anymore. (r189496)
AccessCase should strongly visit its dependencies while on stack (r250184)

Apr 18, 2020
============
Don't use int offsets in StructureStubInfo (r236584)
isCacheableArrayLength should return true for undecided arrays (r231375)
Convert Document from ExceptionCode to Exception (r208144 partial)
TypedArray constructor with string shouldn't throw (r218082 revisited)

Apr 17, 2020
============
[INTL] Implement DateTime Format Functions (r194395)
REGRESSION(r194387): Crash on github.com in IntlDateTimeFormat::resolvedOptions in C locale (r206295)
[JSC] Date.toGMTString should be the Date.toUTCString function (r202752)
[INTL] Call Typed Array elements toLocaleString with locale and options (r234207)
[INTL] Use @thisNumberValue instead of `instanceof @Number` (r199725)
Date.prototype.toLocaleDateString uses overridable Object.create (r198711)
[INTL] Implement Number Format Functions (r196850)
[INTL] Implement Intl.NumberFormat.prototype.resolvedOptions () (r196434)
[INTL] Implement Date.prototype.toLocaleTimeString in ECMA-402 (r195381)
[INTL] Implement Date.prototype.toLocaleDateString in ECMA-402 (r195330)
[INTL] Implement Date.prototype.toLocaleString in ECMA-402 (r195138)
[INTL] Implement Intl.DateTimeFormat.prototype.resolvedOptions () (r194387)
[INTL] Implement Collator Compare Functions (r194253)
[INTL] Implement Intl.Collator.prototype.resolvedOptions () (r191406)
Use asString instead of toWTFString, toString, or getString when we already checked isString (r209906 partial)
Make UCharIterator createIterator(StringView) visible to other classes (r194041)

Apr 16, 2020
============
DFG should be able to constant-fold strings (r197833 partial revisited)
Replace some stack raw pointers with RefPtrs within WebCore/dom (r222993 revisited)
createElementNS() should now throw only InvalidCharacterError, not NamespaceError (r215701)
We should prevent load of subframes inserted during FrameTree deconstruction (r213311 + r213369)
RenderView needs to be updated when FrameView changes (r212554)
Disconnect shadow children of root when detaching a frame (r211999)
Crash inside moveOutOfAllShadowRoots (r201736 partial revisited)
Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions. (r235827)
DFGArrayModes needs to know more about CoW arrays (r232376 partial)

Apr 16, 2020
============
  => Passed [JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/JetStream2/Speedometer/Kraken/Dromaeo/EPG Guide/Factory Demo] on ARMv7 GCC6.2.0 with hard float.

Apr 15, 2020
============
Gardening: ARMv7 build fix. (r235557)
InlineAccess should do StringLength (r235517 complete revisited)
InlineAccess::sizeForLengthAccess() is wrong on some platforms because it should also consider "length" not being array length (r202866)
We should be able to generate more types of ICs inline (r202214 complete revisited + r202818)

Apr 14, 2020
============
[JSC] Remove reifyPropertyNameIfNeeded (r231902 + r231957 + r231976)
[JSC] Optimize Object.assign by single transition acceleration (r225840)
test262: test262/test/annexB/language/expressions/object/__proto__-fn-name.js (r215165)

Apr 13, 2020
============
Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash (r234022)
Invoking Object.prototype.__proto__ accessors directly should throw a TypeError. (r207518)
ActiveDOMObject::hasPendingActivity() should stop preventing wrapper collection after ActiveDOMObject::stop() has been called (r259419 partial)
MediaDevices should be collectable as soon as its document is stopped (r235438 partial)
Cannot Object.seal() or Object.freeze() global "this" (r215072)
{}.toString.call(crossOriginWindow) should return "[object Object]" (r211600)
Object.preventExtensions(window) should throw a TypeError (r205404)
Object.preventExtensions() should throw cross-origin (r205359)
Regression(r204923): It should be possible to set 'Location.href' cross origin (r205154)
Location.toString() should be enumerable (r204953)
It should not be possible to access Location attributes cross origin (r204923)
Attribute getters should not require an explicit 'this' value for Window properties (r196303)
The rhs in `ReadModifyResolveNode` should be evaluated before throwing an exception if the lhs is read-only (r259905)
Proxy's [[OwnPropertyKeys]] is correct only in PropertyNameMode::StringsAndSymbols (r254205)
createListFromArrayLike should throw if value is not an object (r245675)
Fix exception scope verification failures in ProxyConstructor.cpp and ProxyObject.cpp. (r209080)

Apr 12, 2020
============
Refactor AccessCase to be more like B3Value (r212453 complete revisited)
GetByID IC is wrongly unwrapping the global proxy this value for getter/setters. (r209442)
ServiceWorkerGlobalScope prototype chain should be immutable (r225566 partial)
[JSC] Module namespace object behaves like immutable prototype exotic object (r209662)
Introduce the concept of Immutable Prototype Exotic Objects to comply with the spec. (r209424 complete revisited)
[ES6] Module namespace object should not allow unset IC (r204248 complete revisited)

Apr 10, 2020
============
Don't emit the rhs twice in `AssignResolveNode` (r259841)
ProxyObject::defineOwnProperty() should conditionally throw on falsy trap result (r259822)
getOwnPropertyDescriptor() is incorrect with Proxy of exotic object (r259800)

Apr 08, 2020
============
'\u' should throw an early SyntaxError exception, but instead evaluates to 'u' (r259536)
[JSC] Add inherits<T>(VM&) leveraging JSCast fast path (r229410 partial)

Apr 07, 2020
============
[JSC] jsSubstring should resolve rope before calling JSRopeString::create (r243081 partial)
[JSC] We should have more WithoutTransition functions which are usable for JSGlobalObject initialization (r242650 partial)
Try ripping out inferred types because it might be a performance improvement (r240023)
Enforce invariant that GetterSetter objects are invariant. (r232211 + r232231)
A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception (r230102 + r230105 rolled out)
JSC should infer property types (r190076 partial)
Allow deleteById to be cached in the DFG (r259583 partial)
  This also fixes a bug where we were checking the neutering status of typed arrays for named properties when we should
  only check for indexed properties.
TypedArray's [[DefineOwnProperty]] is incorrect with partial descriptors (r259444)
TypeArrays should not store properties that are canonical numeric indices (r244806 + r244816 rolled out + r244950)

Apr 06, 2020
============
JavaScript identifier grammar supports unescaped astral symbols, but JSC doesnt (r258531)
Legacy numeric literals should not permit separators or BigInt (r247845)
[ESNext] Implement nullish coalescing (r247819)
[ESNext] Implement support for Numeric Separators (r245634 + r245648 rolled out + r245655 + r245697)
Web Inspector: Test RuntimeAgent.parse, detecting if a script parse error is recoverable (r189371)
We should be able to generate more types of ICs inline (r202214 partial)
Parser needs to restore unary stack state when backtracking (r255440 complete revisited)
tryGetById should be supported by the DFG/FTL (r199279 complete revisited)
[JSC] Generate TemplateObjects at linking time (r214931)
Lift template escape sequence restrictions in tagged templates (r211319)

Apr 05, 2020
============
tryGetById should be supported by the DFG/FTL (r199279 partial revisited)
Refactor AccessCase to be more like B3Value (r212453 partial)
We should have a way of profiling when a get_by_id is pure and to emit a PureGetById in the DFG/FTL (r208117 + r208160 + r208588 rolled out))

Apr 04, 2020
============
[JSC] Move InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero to out of line type info flags (r207625)
Reduce thresholds that control the maximum IC stub size. (r200480)
Check to see how the perf bots react to megamorphic load being disabled. (r199685)
[JSC] Bugfix for intrinsic getters with dictionary structures. (r194400)
Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties. (r191215 complete revisited)

Apr 03, 2020
============
TryGetById should have a ValueProfile so that it can predict its output type (r204992 complete revisited)
We should support the ability to do a non-effectful getById (r199170 complete revisited)
Add "explicit operator bool" to ScratchRegisterAllocator::PreservedState (r194158)
Introducing ScratchRegisterAllocator::PreservedState. (r194126)
32-bit JSC stress/multi-put-by-offset-multiple-transitions.js failing (r199132 revisited)
Debug JSC test failure: stress/multi-put-by-offset-reallocation-butterfly-cse.js.ftl-no-cjit-small-pool (r199275)
References from code to Structures should be stronger than weak (r200405 complete revisited)
Clients of PolymorphicAccess::addCases shouldn't have to malloc (r201657)
PolymorphicAccess should try to generate a stub only once (r199566)
PolymorphicAccess::regenerate() shouldn't have to clone non-generated AccessCases (r199508)
Add IC support for arguments.length (r199240)
PolymorphicAccess should buffer AccessCases before regenerating (r199382)

Apr 02, 2020
============
PolymorphicAccess should have a MegamorphicLoad case (r199069 complete revisited)
Rationalize the handling of PutById transitions a bit (r199162)
PolymorphicAccess should have a MegamorphicLoad case (r199069 partial)

Apr 02, 2020
============
Clean up how we reason about the states of AccessCases (r199297)
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/JetStream2/Speedometer/Kraken/Dromaeo/EPG Guide/Factory Demo on ARMv7 GCC6.2.0 with hard float.

Apr 01, 2020
============
r190735 Caused us to maybe trample the base's tag-GPR on 32-bit inline cache when the cache allocates a scratch register and then jumps to the slow path (r191594)
Inline caches should handle out-of-line offsets out-of-line (r190672)
Don't cache self customs on dictionaries (r253810 partial)
Canonicalize how we prepare the prototype chain for inline caching (r251085 partial)
REGRESSION(r189585): run-perf-tests Speedometer fails with a console error (r189658)
There should be one stub hanging off an inline cache that contains code for all of the cases,
  rather than forming a linked list consisting of one stub per case (r189586 complete revisited)
  
Apr 01, 2020
============
[mips] Implemented missing branch patching methods. (r194715)
PolymorphicAccess should remember that it checked an ObjectPropertyCondition with a check on some structure (r190215)
PolymorphicAccess adds sizeof(CallerFrameAndPC) rather than subtracting it when calculating stack height (r199837)
Inline cache repatching should be throttled if it happens a lot (r190561 complete revisited)

Mar 31, 2020
============
Remove std::random_shuffle (r231347)
BinarySwitch should be faster on average (r179490)
[JSC] Introduce op_get_by_id_direct (r230376 partial)
Promise callbacks should be called at microtask checkpoints (r193286 complete revisited)
index out of bound in bytecodebasicblock (r217840)
Remove never changing IndexedDB RuntimeEnabledFeature (r201013 partial)
Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings (r199017 complete revisited)

Mar 30, 2020
============
Assertion hit in DocumentOrderedMap::get while removing a form element (r226095)
IsInShadowTreeFlag does not get updated for a non-container node (r218044)
IsInShadowTreeFlag does not get updated for a non-container node (r217926 revisited complete)
De-template ContainerNodeAlgorithms (r189945)
Turn ChildNodeInsertion/RemovalNotifier classes into functions (r189896)
Load stylesheets in link elements inside a connected shadow tree (r208302 + r208356 rolled out + r208403)
[Web Animations] transform property is always "none" for getKeyframes() output of a CSS Animation (r251839)
Assert that Node::insertedInto doesn't fire an event (r223458)
GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight()  (r200091)
Simplify relationship between Attr and Element now that Attr is childless (r216632)
Clean up Attr.idl (r216256)
Drop legacy Attributes.isId attribute (r211395)
Attr.prefix / Element.prefix attribute should be readonly (r204648)
Move prefix / namespaceURI / localName attributes from Node to Attr / Element (r204624)
Attr.value should not be nullable (r199392)

Mar 29, 2020
============
Rename Node::childNodeCount() to countChildNodes() and avoid inefficient uses (r173606 partial)
Drop [CEReactions] from CharacterData operations (r216474)
Attr Nodes should not have children (r216259)
Relax the event firing ASSERT for Attr changes (r215787)
Drop XPATH_NAMESPACE_NODE from Node::NodeType enum (r190210)
Optimize Range's lengthOfContentsInNode() for DocumentType Nodes (r190208)
Drop support for legacy EntityReference DOM Node type (r190120)
Drop support for Entity Node type (r189971)
Delete Notation because we don't use it (r177297)

Mar 28, 2020
============
Fix build: using integer absolute value function 'abs' when argument is of floating point type (r165683)
Get rid of the bizarre Darwin/x86-only MacroAssembler::shouldBlindForSpecificArch(uintptr_t) overload (r158981)
Get rid of Qt code from JavaScriptCore (r156780 partial)

Mar 27, 2020
============
[ESnext] Implement Object Spread (r219443)
[ESnext] Implement Object Rest - Implementing Object Rest Destructuring (r213697 + r214038 + r216891 rolled out + r218861)
[Next] Async iteration - Implement Async Generator - parser (r220323)

Mar 26, 2020
============
[JSC] fix order of evaluation for ClassDefinitionEvaluation (r229608)
test262: test262/test/language/computed-property-names/class/static/getter-prototype.js (r215689)
[JSC] Make SourceParseMode small (r233860 ervisited)
test262: test262/test/language/expressions/object/method-definition/early-errors-object-method-duplicate-parameters.js (r215723)
test262: test262/test/language/expressions/generators/yield-as-label.js (r215674 + r215680 rolled out + r215682)
[Web Animations] Update the API to allow the "auto" composite value (r237855)
[JSC] Correct a->an in error messages and API docblocks (r248833)

Mar 25, 2020
============
`async` should be able to be used as an imported binding name (r223022 + r223062 rolled out + r223124)
[JSC] It should be possible create a label named let when parsing Statement in non strict mode (r213850)
First line box in paragraph using initial-letter overflows. (r191195)
Remove BreakingContext's friendship from RenderBlockFlow (r160073)
Nested isolates can cause an infinite loop when laying out bidi runs (r189832)
GraphicsContext::drawBidiText()'s BidiResolver should not have isolated runs (r189829)
\b escapes inside character classes should be valid in Unicode patterns (r258976)
Introduce @tryGetByIdWithWellKnownSymbol instead of repurposing @tryGetById itself (r258968)

Mar 24, 2020
============
[JSC] Perform check again when we found non-BMP characters (r249926 partial)
[YARR] Precompute BMP / non-BMP status when constructing character classes (r243642 partial)
[YARR] Properly handle surrogates when matching back references (r250568 partial)
Unreviewed, address Yusuke's feedback on r258801. (r258865)

Mar 23, 2020
============
DOMTokenLists value and stringifier should not return parsed tokens (r206560)
DOMTokenList.value should be a stringifier attribute (r204970)
Add support for DOMTokenList.replace() (r204161)
Regression(r199360): assertion hit in Element::fastGetAttribute() (r199378)
Lazily update tokens in DOMTokenList when the associated attribute value changes (r199360)
DOMTokenList.add() / remove() should run the update steps even if tokens were not modified (r190078)
Favicons are not always loaded. (r183015)
Streamline icon-related code, mostly unused (r182351 + r182352)
Add force parameter to DOMTokenList.toggle (r131408)
CSS Selectors: fix attribute case-insensitive matching of Contain and List (r181845)
Merge AttributedDOMTokenList into DOMTokenList (r199298)
DOMTokenList.contains() should not throw (r199296)
Regression(r175947): Caused assertions in debug builds (r175968 revisited)
Minor tweaks to HTMLCollection (r175947 revisited)
Crashes in HTMLFormElement::submit. (r167569)
Video element's width and height content attributes should not influence intrinsic width and height (r160734)
REGRESSION(r154586): Past names map should only be used when named item is empty (r154765 revisited)
Elements in a node list of the form element's name getter should not be added to the past names map (r154662 revisited)
hasObservableSideEffectsForRegExpSplit doesn't check for @@match override (r258801 partial)

Mar 22, 2020
============
RegExp.prototype[@@replace] doesn't coerce result index to integer (r258783)
Missing arithMode for ArithAbs and ArithNegate in DFGClobberize (r258452 partial)
Bound functions should pass correct NewTarget value (r258410)

Mar 12, 2020
============
[Web Animations] Repeated animations on pseudo elements will fail to run after a while (r257138)
[Web Animations] Removing an element should only cancel its declarative animations (r250335)
Web Inspector: Crash in http/tests/inspector/network/resource-response-source-memory-cache-revalidate-expired-only.html (r237468)
[Web Animations] Update the API to implement Animation.updatePlaybackRate() (r237854)
[Web Animations] Update the Web Animations API to remove all the ReadOnly interfaces (r237852)
[media-source] web-platform-test/media-source/mediasource-remove.html test failing (r206001 partial)
[MSE] Implement support for SourceBuffer.remove() (r166423 complete revisited)
Nullptr crash accessing Document in GenericEventQueue::dispatchOneEvent() (r233496 + r233571 + r234177 rolled out + r234374 complete revisited)
[macOS] Flaky Crash under EventTarget::fireEventListeners on imported/blink/paint/deprecatedpaintlayer/non-self-painting-layer-overrides-visibility.html (r216084)
Rename ActiveDOMObject/DOMWindow PageCacheSuspension code to support more reasons for suspension (r192848 partial)
Rename ActiveDOMObject::canSuspend() to canSuspendForPageCache() for clarity (r182544 partial)
Use GenericEventQueue in TrackListBase and reduce code duplication with scheduleTrackEvent() (r159950)

Mar 11, 2020
============
Throws incorrectly a syntax error when declaring a top level catch variable the same as a parameter (r258279)
Nullptr crash accessing Document in GenericEventQueue::dispatchOneEvent() (r233496 + r233571 + r234177 rolled out + r234374 partial)
Media elements should not be paused right away when removed from the document (r200431)
Document / DOMWindow objects get leaked on CNN.com due to CSSTransitions (r257235)
Fix crash due to uninitialized currentStyle in CSSTransition (r256427)
[Web Animations] Ensure all timelines are detached from their document (r255953 + r256017)
[Web Animations] Update all DocumentTimeline objects when updating animations (r255141)
[Web Animations] Unflake web-animations/timing-model/animations/updating-the-finished-state.html WPT test (r250303)
DumpRenderTree crashes under WebAnimation::isRelevant when running imported/mozilla/css-transitions/test_document-get-animations.html in GuardMalloc (r243263)
[Web Animations] transitions/remove-transition-style.html crashes with GuardMalloc on (r237868)
[Web Animations] Make document.getAnimations() return declarative animations in the correct order (r237726)

Mar 10, 2020
============
[WTF] Try using 75% load factor for HashTable (r255889 + r256011 rolled out + r256093 + r256194 + r256203)
HashTable::removeIf always shrinks the hash table by half even if there is nothing left (r244289 + r244489)
[Web Animations] Implement the update animations and send events procedure (r237587)
[Web Animations] Move the logic of Document::getAnimations() to DocumentTimeline (r237499)
[Web Animations] Move bindings methods requiring style flush from CSSAnimation to DeclarativeAnimation (r237498)
@putByValDirect does not perform [[DefineOwnProperty]] correctly (r258170)

Mar 08, 2020
============
JSON.stringify should call replacer on deleted properties (r258049 + r258081)

Mar 07, 2020
============
[Web Animations] Remove useless internals methods (r237474)
[Web Animations] REGRESSION (r236809): crash under AnimationTimeline::updateCSSAnimationsForElement() (r236871)
[Web Animations] REGRESSION: setting 'animation-name: none' after a 'fill: forwards' animation has completed does not revert to the unanimated style (r236809)

Mar 05, 2020
============
DocumentTimeline / CSSTransition objects are leaking on CNN.com (r257417)
[Win] Animations tests are crashing in debug mode. (r202738)
Multiple selectors break keyframes animation (r201818)
[Web Animations] Make WPT test at interfaces/KeyframeEffect/processing-a-keyframes-argument-001.html pass reliably (r233729 + r233730 + r233731)

Mar 04, 2020
============
DeclarativeAnimation should suspend, resume, & stop m_eventQueue (r234049)
[Web Animations] Make WPT test at interfaces/DocumentTimeline/constructor.html pass reliably (r233667)
Improve behavior of media elements in page cache. (r187031)
Leaving a streaming movie by going "Back" keeps playing the audio (r166722)
[Web Animations] Add an ASSERT() to check the contract that a CSSTransition has a valid effect in setTimingProperties() (r234166)
[Web Animations] Crash when setting an animation style on an existing animation that had its effect set to null (r234165)
[Web Animations] Querying the current time of a finished CSSAnimation after removing its target leads to a crash (r234109)
Ensure timingFunctionForKeyframeAtIndex() can be used from setAnimatedPropertiesInStyle(). (r233903)
[Web Animations] Correct handle repetition of composite and easing values (r233676)
[Web Animations] Support overlapping keyframes (r233666)
[Web Animations] Make WPT test at interfaces/KeyframeEffect/processing-a-keyframes-argument-002.html pass reliably (r233588)
[Web Animations] Make WPT test at interfaces/Animation/finish.html pass reliably (r233585)
[Web Animations] Make WPT test at interfaces/Animation/finished.html pass reliably (r233584)
[Web Animations] The ready promise should initially be resolved (r233519)
[Web Animations] Make WPT test at timing-model/timelines/timelines.html pass reliably (r233500)
REGRESSION (r232186): Hardware-accelerated CSS animations using steps() timing function no longer work (r233462)
[Web Animations] Crash in KeyframeEffectReadOnly::applyPendingAcceleratedActions() (r233429)
[Web Animations] Handle relative length units (r232255)
[Web Animations] Enable seeking for hardware animations (r230574)
Ensure DocumentTimeline is kept alive until the VM::whenIdle callback is called (r234007)
[Web Animations] Make WPT test at timing-model/timelines/document-timelines.html pass reliably (r233394)
[Web Animations] Make imported/mozilla/css-animations/test_animation-pausing.html pass reliably (r233141)
Unify code paths for manually deleting all code (r188792 + r188810 rolled out + r188846 rolled in partial)

Mar 03, 2020
============
Unprefix -webkit-cross-fade() (r200888)
CrashTracer: com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::CachedResource::addClientToSet + 27 (r199561)
Support interpolation between cross-fade() images (r155100)
[Web Animations] Make imported/mozilla/css-animations/test_animation-starttime.html pass reliably (r233325)
[Web Animations] Ensure animations are updated prior to requestAnimationFrame callbacks (r233140 + r233170)
[Web Animations] Make imported/mozilla/css-animations/test_animation-ready.html pass reliably (r233051)
[Web Animations] Make imported/mozilla/css-animations/test_pseudoElement-get-animations.html pass reliably (r233004)
[Web Animations] Make imported/mozilla/css-animations/test_animation-playstate.html pass reliably (r232978)
[Web Animations] Implement "Starting of transitions" section from CSS Transitions (r232946)
Crash in WebCore::WebAnimation::timeToNextRequiredTick when running imported/w3c/web-platform-tests/web-animations/interfaces/Animatable/animate-no-browsing-context.html (r233430)

Mar 02, 2020
============
[Web Animations] Crash accessing CSSAnimation::bindingsCurrentTime when effect has been set to null (r234161)
[Web Animations] A number of tests report an incorrect computed offset (r233632)
Crash in WebAnimation::runPendingPlayTask (r233196)
[Web Animations] Make imported/mozilla/css-transitions/test_animation-cancel.html pass reliably (r232960)
[Web Animations] CSS Animations should take precedence over CSS Transitions (r232868)
[Web Animations] Test webanimations/css-animations.html is crashing (r232241)
[Web Animations] Fix a host of small CSS Animations and CSS Transitions issues (r230595)
Layout Test animations/needs-layout.html is a flaky Image Failure. (r230703 complete revisited)
[Web Animations] Ensure we never return -0 through the API (r230667)
[Web Animations] Animations do not naturally get a finish event (r230665)
decompose4 return value is unchecked, leading to potentially uninitialized data. (r202068 + r202115 + r202128 + r202195 rolled out)
Very fuzzy layers under non-decompasable matrices (r168227)
Provide 2D Matrix decomposition for animation (r156553)
Improve the performance of rect transform (r135038)
[Web Animations] Only cancel declarative animations upon element removal (r230594 complete revisited)
[Web Animations] CSSTransition objects should have fill: backwards to allow seeking prior to start time (r230112)
[Web Animations] Correctly obtain the timing function for a given keyframe (r230100)
CSSKeyframesRule::findRule() and deleteRule() should delete the last matching rule, not the first (r179197)
[Web Animations] Using a Web Animation leaks the Document (r233349 + r233361 rolled out + r233583 complete revisited)
[Web Animations] Make imported/mozilla/css-animations/test_animation-currenttime.html pass reliably (r229983)
[Web Animations] Make imported/mozilla/css-animations/test_event-dispatch.html pass reliably (r229864)
[Web Animations] Dispatch DOM events for CSS Transitions and CSS Animations implemented as Web Animations (r229818)
Move onanimation* EventHandlers to GlobalEventHandlers (r216540)
ontransitionend eventHandler should be in GlobalEventHandlers (r216510)

Feb 28, 2020
============
Interpolate between CSS filter() and cached images (r155240)
Animate CSS Image filter() function (r154906)

Feb 27, 2020
============
[JSC] Identifier validity should be based on ID_Start / ID_Continue properties (r239559)

Feb 26, 2020
============
StructureStubInfo should be able to reset itself without going through CodeBlock (r189323)
We are using valueProfileForBytecodeOffset when there may not be a value profile (r221018)

Feb 25, 2020
============
Fixup uses KnownInt32 incorrectly in some nodes (r242954 partial revisited)
MIPS+Armv7 builds are broken since r229391 (r229772 partial)
Add storeFence support for ARMv7 (r209392)
ARMv7Assembler: suppress a -Wnarrowing warning when compiling with GCC (r200742)
[JSC] Put the x86 Assembler on a binary diet (r198708 partial)
[JSC] Do not generate an Add when adding a zero immediate to something (r192409 + r196152 rolled out)
[JSC][x86] Improve the compare functions when comparing with zero (r189136 + r189148 rolled out)
[ARM] Typo fix after r176083 (r179187)
Use 16bits instructions for push/pop on ARMv7 when possible (r170950)
Restore the assertion changed with 170839 (r170909)
[ARMv7] Use 16 bits instructions for push/pop when possible (r170839)
Making more sophisticated cache flush on ARM Linux platform (r145505)
JIT::updateTopCallframe() in the baseline JIT should use PC instead of PC+1 (r204840)
We should inline operationConvertJSValueToBoolean into JIT code (r205675)
JSStringRef should define JSChar without platform checks (r206734)
Document the native format of JSChar type (r202069)

Feb 21, 2020
============
Computed Properties with increment sometimes produces incorrect results (r257034 partial)

Feb 20, 2020
============
Arrow functions do not infer name from computed property but normal functions do (r206610)
test262: class and function names should be inferred in assignment (r206599)

Feb 18, 2020
============
Remove nonArgGPR1 for ARMv7 and ARM64 (unused) (r256718 rolled out)

Feb 17, 2020
============
Remove nonArgGPR1 for ARMv7 and ARM64 (unused) (r256718)
Inline cache repatching should be throttled if it happens a lot (r190561 partial)
Structure::get should instantiate DeferGC only when materializing property map (r169822 revisited)
Speed up jsStringWithCache() through WeakGCMap inlining. (r167577 complete revisited)
Slap ALWAYS_INLINE on Element attribute lookup things. (r167545 revisited)
Array.prototype.concat should allocate output storage only once. (r167249 revisited)
Rename equalNonNull to equal and make it take const StringImpl& instead (r163398)
Remove 2 bad branches from StringHash::equal() and CaseFoldingHash::equal() (r146702 complete revisited)

Feb 16, 2020
============
Null pointer crash in DocumentOrderedMap::getElementById via FormAssociatedElement::findAssociatedForm (r238912)
Form control may be associated with the wrong HTML Form element after form id change (r183436)
Implement CSS Image filter() function (r154133)
Fix rubber-band effect on non-scrollable pages (r141514)
[EFL][WK2] Never create WebCore scrollbars for EFL/WK2 (r138378)
Make RenderLayerCompositor::requiresCompositingForScrollableFrame scrollbars agnostic (r138183)
v3: WebContent crash due to RELEASE_ASSERT in WebCore: WebCore::StyleResolver::styleForElement (r205701)
REGRESSION(r199964): Animation on pseudo elements doesn't trigger if first frame matches the current style (r200347)
Let RenderImage construct its RenderImageResource. (r162356)
Remove Style::PendingResources (r205421)
Reverse ownership relation of StyleCachedImage and CSSImageValue (r205344 + r205346 rolled out + r205419)
Remove StylePendingImage (r205181)

Feb 15, 2020
============
Remove StyleCachedImageSet (r204560)
[CSS Shapes] Add parsing support for gradients (r167518)
ShapeOutside should use same origin credentials mode (r227635)
Factor pending CSS resources into a struct (r202656)
REGRESSION: ASSERTION FAILED: FontCache::singleton().generation() == m_generation (r253633)
REGRESSION (r219145): Toggling layer borders on a static document no longer works immediately (r226521)
Style::Scope::flushPendingUpdate() can replace the entire document in XSLTProcessor::createDocumentFromSource (r223999 + r224116 rolled out + r224146))
Low memory notification shouldn't cause style recalc (r219145)
Document style resolvers should share user rulesets (r216069 + r216071 rolled out + r216083)
REGRESSION (r207669): FileMaker Pro Help pages do not render correctly (r214830)
Handle recursive calls to ProcessingInstruction::checkStyleSheet (r214360 + r214369 rolled out + r214378)
Differentiate between pending head and body stylesheets in Style::Scope (r213515)
Allow render tree building before loading stylesheet elements (r213446)
REGRESSION(r207669): Crash after mutating selector text (r212737 + r212788 rolled out + r212828)
Execute pending scripts asynchronously after stylesheet loads complete (r212463 + r212556 rolled out + r212614 complete revisited)
REGRESSION (r207717): DumpRenderTree crashed in com.apple.WebCore: WebCore::Style::Scope::flushPendingUpdate + 16 (r208378)
REGRESSION (r207669): Crash under media controls shadow root construction (r208370)
imported/mozilla/svg/paint-order-01.svg and imported/mozilla/svg/paint-order-02.svg are flaky failures (r208327)
REGRESSION(r207669): Dromaeo/jslib-style-jquery.html regressed >20% (r207717)
Style resolver should be updated lazily (r207669)
Reading border radius from style property returns in wrong order. (r145172)
Mouseup event does not fire on Scroll Bar (r143560)
[CSS Parser] Eliminate in-place lowercasing in the parser. (r209314 partial)

Feb 14, 2020
============
Use getElementById for attribute matching if the attribute name is html's id (r203439)
Micro-optimize element descendant iterator. (r165822 complete revisited)

Feb 11, 2020
============
Use WeakPtr instead of storing raw pointers in WebSocket code (r243252)
[Fetch API] SubresourceLoader::checkRedirectionCrossOriginAccessControl should not always assert in SameOrigin mode (r204172)
Content Blocker cannot block WebSocket connections (r204127)
Anchor element 'ping' property should only apply to http/https destinations (r199900)

Feb 10, 2020
============
Missing exception check in GenericArguments<Type>::deletePropertyByIndex(). (r256198)
Optimize Style::determineChange() (r256102)
[Web Animations] Crash under AnimationTimeline::cancelOrRemoveDeclarativeAnimation() (r234848)
[Web Animations] Crash when setting "animation: none" after clearing an animation's effect (r234163)
Flaky crash in AnimationTimeline::cancelOrRemoveDeclarativeAnimation (r234017)
[Web Animations] Make imported/mozilla/css-transitions/test_element-get-animations.html pass reliably (r233010)

Feb 07, 2020
============
CSSGradientValue's color stops vector wastes 12KB on theverge.com (r233241)
REGRESSION (r172832): Poor 2-finger scrolling performance at theverge.com articles  (r173275)
RenderStyle: Pack Color members tighter in substructures. (r134224 + r134242 rolled out)

Feb 06, 2020
============
REGRESSION(r235917): 2% regression in Dromaeo CSS selector on MacBookPro11,4 (r236228 partial)
:first-child, :last-child, :nth-child, and :nth-of-type don't work on shadow root's children (r235917)
Don't invalidate descendants for nth pseudo classes unless needed (r229537)
Don't invalidate descendants for sibling combinators unless needed (r229372)

Feb 05, 2020
============
checkForSiblingStyleChanges should use internal versions of the invalidation functions (r229368)
Cache hasComplexSelectorsForStyleAttribute bit (r229332)
Add ChildrenAffectedByForwardPositionalRules bit for nth-child pseudo class marking (r229307)
Don't invalidate all children when doing insertion/deletion in presence of backward positional selectors (r229288)
Do sibling invalidation on mutation (r228497)
Only resolve attribute-derived style once per shared ElementAttributeData. (r133286 + r133451 rolled out)
Enable optimized stylesheet updates in shadow trees (r206990)
Rename StyleInvalidationAnalysis to Style::Invalidator (r216117)
Use invalidation rulesets for attribute selectors (r228285)
embed element without src and type attributes should represent nothing (r192132)
Invalidate style for sibling combinators accurately on class change (r227956)
Avoid traversing too much when doing class change invalidation (r227787)
Shadow DOM: Toggling class in `.class ::slotted(*)` does not trigger style recalc (r208610)
Invalidate current element style on class change accurately (r226703 + r226718)
Factor common code in Style::*ChangeInvalidation into helper functions (r220204)
Optimize style invalidation after class attribute change (r196383 revisited)
SimpleLineLayout::FlowContents wastes 54KB of Vector capacity on nytimes.com (r233530 + r233682 rolled out + r233728)
AutoTableLayout wastes 52KB of Vector capacity on nytimes.com (r233148)
AnimationList wastes 60KB of vector capacity (r233020 complete revisited)
ContentSecurityPolicySourceList wastes 51KB of Vector capacity on cnn.com (r233019)
CSSFontFace wastes 59KB of Vector capacity on nytimes.com (r233014)
SVGTransformListValues wastes 127KB of Vector capacity on nytimes.com (r232942 partial)
CachedRawResource wastes 57K of Vector capacity (r232897)
Give SVGTransformList some inline vector capacity (r193609)
[Content Extensions] Use less memory for CombinedURLFilters. (r183499 partial)

Feb 04, 2020
============
AnimationList wastes 60KB of vector capacity (r233020 partial)
[Web Animations] Implement more CSSPropertyBlendingClient methods (r230033 + r230043 rolled out + r230068)
[Web Animations] Correctly handle timing functions specified by CSS Animations and CSS Transitions (r229981)
Parsing and Style Resolution of Container-based Animation Triggers (r181602 + r236750 removed)
[Web Animations] infinite repeat counts aren't reflected for CSS Animations (r229891)
[Web Animations] Support "transition: all" for CSS Transitions as Web Animations (r229888)
[Web Animations] Update the timing model when pending tasks schedule changes (r229771)
REGRESSION (Safari 10.1): When 'transition' contains -ms-transform, transform-origin is also transitioned (r216204)
[Web Animations] Using a Web Animation leaks the Document (r233349 + r233361 rolled out + r233583 partial revisited)
[ASan / StressGC] DumpRenderTree crashed in com.apple.WebCore: WebCore::EventTarget::ref + 16 (r232596)
Layout Test animations/needs-layout.html is a flaky Image Failure. (r230703 partial)

Feb 03, 2020
============
[Web Animations] WebAnimation objects never get destroyed (r232185 complete revisited)
[Web Animations] Ensure animationcancel and transitioncancel events are dispatched (r229829)
[Web Animations] Implement CSS Animations and CSS Transitions as Web Animations (r229530)
[Web Animations] Add a new CSSTransition subclass of WebAnimation (r229340)
[Web Animations] Add a new CSSAnimation subclass of WebAnimation (r229327)
imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes (r227649 complete revisited)
[JSC] Retry module fetching if previous request fails (r224662)
[Web Animations] Correct implementation of pending tasks and promises (r229069)
[Web Animations] Implement the procedure to set the target effect of an animation (r229059)
[Web Animations] Update the playState implementation (r229058)
[Web Animations] Implement the procedure to set the start time (r229040)
[Web Animations] Ensure setting the hold time invalidates the timing model (r229030)
[Web Animations] Make KeyframeEffect target nullable and read-write (r228717)
[Web Animations] Decouple parsing JS keyframes and computing blending keyframes (r228710)
[Web Animations] Ensure that changing the timing model updates styles synchronously (r228537)
[JSC] Perform module specifier validation at parsing time (r223331)
Support integrity="" on module scripts (r223237)
Merge CachedModuleScript and LoadableModuleScript (r211313)

Feb 01, 2020
============
[JSC] Introduce import.meta (r222895)
[JSC] Drop Instantiate hook in ES6 module loader (r223173)
Update ModuleLoader code by using the latest builtin primitives (r209848)

Jan 31, 2020
============
[JSC] Invalid AssignmentTargetType should be an early error. (r245406)
The parser is failing to record the token location of new in new.target. (r242193 complete revisited)
[JSC] Reduce size of SourceProvider (r240228)
import.meta should not be assignable (r223232)
[JSC] speed up parsing of async functions (r208933)

Jan 30, 2020
============
Fix handling of attributes prior to compiling shader (r168112)
[WebGL] Return filtered results for getProgramParameter for ACTIVE_ATTRIBUTES and ACTIVE_UNIFORMS (r161605)
Implement symbol name hashing for WebGL shaders (r156352)
Shaders that fail to compile should be marked as such (r156205)
[WebGL] conformance/textures/texture-size.html is failing on Apple Mountain Lion (r132265)
[WebGL] [On Mac] queried attributes and uniforms need to return the original variable name, not the mapped name. (r130985)
GraphicsContext3D::compileShader is using incorrect string length in GraphicsContext3DOpenGLCommon.cpp (r129547 revisited)
Fix build of GraphicsContext3DOpenGLCommon.cpp with MSVC (r127934)
[WebGL] OES_vertex_array_object is not correctly un/binding or deleting (r126088)
[WebGL] Add support for EXT_robustness (r125349)
[Web Animations] Support the copy constructors for KeyframeEffectReadOnly and KeyframeEffect (r228412)
[Web Animations] Store all parsed keyframe input information in a single structure (r228702)
[Web Animations] Accept null composite modes in keyframes (r228694)
[Web Animations] Refactor AnimationEffect and KeyframeEffect into AnimationEffectReadOnly, KeyframeEffectReadOnly and KeyframeEffect (r228333)
[JSC] Give up IC when unknown structure transition happens (r255365)

Jan 29, 2020
============
Redeclaration of var over let/const/class should be a syntax error. (r239354)
[JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time (r223894)
[WebGL] Resizing and entering/exiting full screen draws garbage (r162105)
[WebGL] Be safer about toggling OpenGL state by using a scoped object to control setting lifetime. (r161389 + r161428 + r161693)
[WebGL] Blit operation from Multisample FBO to rendering FBO must ignore GL_SCISSOR test (r161297)
[WebGL] glScissor test is not accounted for when generating internal rendering textures. (r161285)

Jan 28, 2020
============
[WebGL] Allow ANGLE to initialize unused varyings (r164574)
Hook into some shader symbol logic following the ANGLE update in r159533. (r160223)
[WebGL] Make sure we satisfy uniform and varying packing restrictions. (r160199)
.: [EFL][GLES] OpenGL should be an optional (r158351)
[WebGL] program should not be able to link if a bad shader is attached (r156971)
Finish updating ANGLE. (r168115)
Updated ANGLE. (r168055)
Use compile flag SH_UNFOLD_SHORT_CIRCUIT when compiling shaders. (r159590)
Update ANGLE sources. (r159533)
Use mapped name in attribute location binding (r156351)
Add temporary typedef to ANGLEWebKitBridge to support incompatible API upgrade (r142567)
[WebGL] getUniformLocation fails for uniform array name without array brackets (r131952)
[WebGL] [Mac] only the mapped symbol for the first element of a uniform/attribute array is stored. (r131105)
[CSS Shaders] Do not clamp indirect array indices during CSS Shaders ANGLE validation pass (r136430)
Removed the custom allocator for ListHashSet nodes (176290)
REGRESSION(r225650): The scores of MotionMark tests Multiply and Leaves dropped by 8% (r226721 + r226880 rolled out + r227147)
Move security origin filtering for getMatchedCSSRules out of StyleResolver (r225650)
Support ::marker pseudo-element (r220207)
Remove PassRefPtr from "loader" directory of WebCore (r210845 partial)
[Web Animations] Distinguish between an omitted and a null timeline argument to the Animation constructor (r227714)
[CSS Parser] Remove line numbers from StyleRule. (r209304 + r215059)
Crash in WebCore::HTMLMediaElement::detachMediaSource() (r255161 + r255165 rolled out + r255170)
[media-source] Fix imported/w3c/web-platform-tests/media-source/mediasource-avtracks.html (r206127 + r206211)

Jan 27, 2020
============
Remove the frames() timing function (r236998)
[Web Animations] Always expose "composite" in output of getKeyframes() (r228312)
[Web Animations] Expose the reverse() method (r227623)
[Web Animations] Account for provided easings when computing progress and resolving keyframe effect values (r227622)
[Web Animations] Compute the progress and currentIteration properties on getComputedTiming() (r227534)
Add support for the frames() timing function (r226886 + r236998 removed)
Refactor timing function solving code (r226645)
Add experimental support for spring based CSS animations (r201706 + r201715 rolled out + r201759)

Jan 24, 2020
============
[Web Animations] Expose getKeyframes() and parsing of remaining keyframe properties (r227428)
Provide a method to obtain a CSS value from a RenderStyle by CSSPropertyID (r226627)
Web Inspector: ResourceScriptMapping should no steal scripts from other mappings. (r129485)
Web Inspector: Create JavaScriptSources based on network resources. (r127427 + r127429 rolled out + r127454)
Web Inspector: Minor ResourceScriptMapping polish. (r127005)
Web Inspector: Extract StylesSourceMapping from StylesUISourceCodeProvider. (r127002)
[Web Animations] Expose timing properties (delay, endDelay, fill, iterationStart, iterations, direction) and getComputedTiming() (r227208)
Web Inspector: Selector's raw start position in its line is considered to be 0 when computing UILocation (r144434 partial)
Web Inspector: Implement CSS reload upon related SASS resource saving (r132321)
Web Inspector: Invalid Regex in SASSSourceMapping/didRequestContent, breaks Support for Sass experiment (r131883)
Web Inspector: Turn workspace into a container of UiSourceCodes put in different projects. (r126999)
Web Inspector: Extract StylesUISourceCodeProvider to separate file. (r126979)
Web Inspector: toolbar causes 8 reflows upon opening (r126001)
Web Inspector: load network panel lazily (r125980)
Web Inspector: implement reusable progress bar (r124878)
Web Inspector: simplify handling of status bar items (r123770)

Jan 23, 2020
============
[iOS WebGL] Float texture extension has a slightly different name (r169654)
Implement OES texture half float linear (r161688)
[WebGL] Expose texture_float_linear and texture_half_float to getSupportedExtensions (r161616)
[WebGL] Implement OES texture float linear (r160030)
GenerateIsReachable=ImplContext is confusing (r157486)
Conformance Test 1.0.3 (Beta) function: bufferData undefined value failed. (r145334)
Compute WebGL context attributes from DrawingBuffer when it is used (r145159)
[WebGL] Support for texImage2D of type HALF_FLOAT_OES with ArrayBufferView. (r144535)
Insufficient validation when uploading depth textures to WebGL (r144241)
Printing WebGL canvases in Chrome uses stale data after first print (r143545)
WEBGL_compressed_texture_s3tc extension can be enabled even when not supported (r142545)
Avoid unnecessary format conversion for tex{Sub}Image2D() for ImageData of WebGL (r140595)
Implement OES_element_index_uint / WEBKIT_OES_element_index_uint (r131780)
Add warning for unrenderable textures (r131261)
Web Inspector: Get rid of frontendReused logic on front-end. (r126584)
Web Inspector: load scripts panel lazily (r126012 + r126162)
Web Inspector: prepare scripts panel to be lazily loaded (r126009)
Web Inspector: make profiles panel a lazily loaded module. (r125922 + r125942 rolled out + r125966)
Loading code on demand (upon the panel access). (r125897 + r125960 rolled out + r125965)
Web Inspector: support --line-numbers mapping for SASS (r124026)
Web Inspector: SASS source mapping straw man (behind experiment) (r123768)
StyleResolver: Have "list of matched rules" API vend internal types instead of CSSOM wrappers. (r149532)

Jan 22, 2020
============
[ARMv7] Assembler is generating wrong instruction for ldr r2, [r3, #7] (r254943)
Document.createElement(localName) does not handle correctly missing or null parameter (r189842 revisited)
new Event() without parameter should throw (r189827)
Click on node assigned to slot in button's shadow cause loss of button focus (r238393)
Move Range from ExceptionCode to ExceptionOr (r208479 partial)
EventHandler functions that need to guarantee event handler lifetime need to use Ref<Frame> (r206941)
Give RuleFeatures::classesMatchingAncestors some inline capacity. (r201697)
Rename HitTestRequest DisallowShadowContent to DisallowUserAgentShadowContent (r200540)
Clicking a scrollbar unfocuses the current activeElement (r136642)

Jan 21, 2020
============
[Web Animations] Avoid querying the current time multiple time when resolving the play state (r227615)
[Web Animations] Implement Element.animate() (r226289)
CSSGradientValue should check whether gradientLength is zero or not. (r190597)
Reference cycles during SVG dependency invalidation (r190592)
CTTE: SVGResourcesCache should only allow RenderElements. (r173325)
RenderSVGResource::removeClientFromCache() should take RenderElement&. (r163295)
Invalidation of some SVG filter attributes on HTML content doesn't work (r138835)

Jan 20, 2020
============
Overlapping text on all CSS fonts specs (r223688)
RenderStyle should not be reference counted (r199964 partial)
[Web Animations] Complete support for keyframe animations (r226234 complete revisited)
Conversion to sequence<T> is broken for iterable objects (r204500)
Add a helper class for enumerating elements in an iterable object (r204438)

Jan 19, 2020
============
JSON.parse should lookup prototype chains during revival (r254757)

Jan 18, 2020
============
Crash with long selector list (r165921)
CSS selector list splitting should be by component, not by selector. (r152788)
Optimized querySelector(All) when selector contains #id (r164924 complete revisited)
Hardening against CSSSelector double frees (r192758)
Plug leak in CSSSelectorList::deleteSelectors(). (r150316)
Simplify CSSSelectorList creation/adoption. (r149528)

Jan 17, 2020
============
[Web Animations] Complete support for keyframe animations (r226234 partial)
[Web Animations] Bring timeline and currentTime setters closer to compliance (r225928)
[Web Animations] Implement the cancel() method on Animation (r225927)
[Web Animations] Implement the finish() method on Animation (r225917)
[Web Animations] Implement the play() and pause() methods on Animation (r225909)
[Web Animations] Implement the "updating the finished state" procedure (r225862)
[Web Animations] Expose promises on Animation interface (r225812)
[Web Animations] Implement the playState property on Animation (r225807)
[Web Animations] Enqueue and dispatch animation events (r225790)
[Web Animations] Implement AnimationPlaybackEvent and AnimationPlaybackEventInit (r225745 + r225749 + r225750)
AX: Audio and Video attachments are not output to VoiceOver (r158743)
AX: Items the img aria role aren't inserting an object replacement character (r152388)

Jan 16, 2020
============
operationToObject() should check for a null errorMessage. (r254687)
Object.preventExtensions should throw if not successful (r254626)
Possible null dereference under EventHandler::dispatchMouseEvent() (r203082)
It's confusing that return values of 'bool Node::dispatchEvent(...)' and 'bool Node::dispatchMouseEvent(..)' have the opposite meanings. (r135650)
Simplify event dispatch code and make it a bit more consistent (r224459 partial)
Make setting Event's cancelBubble to false a no-op (r210254)
Add support for BeforeUnloadEvent interface (r155367)
[Web Animations] Using a Web Animation leaks the Document (r233349 + r233361 rolled out + r233583 partial)
[Web Animations] WebAnimation objects never get destroyed (r232185 partial)
[Web Animations] Only cancel declarative animations upon element removal (r230594 partial)
[Web Animations] Correctly cancel animations when a parent gets a "display: none" style or when an element is removed (r229890)
ComposedTreeIterator does not traverse all slotted children if the traversal root is a slot element. (r216431)
Rename "FlowThread" to "FragmentedFlow" (r222575 partial)

Jan 15, 2020
============
[Web Animations] Expose the id property on Animation (r226697)
[Web Animations] Allow getComputedStyle() to return animated values for accelerated animations (r225133)
[Web Animations] Perform accelerated animations when possible (r225128)
[Web Animations] Adopt KeyframeList in KeyframeEffect (r225099)
Don't call RenderElement::setStyle when nothing changes (r226809)
Rename recalcStyle to resolveStyle and clean up the signature (r213266)
[Web Animations] Force a stacking context during animations that animate properties that will force a stacking context (r224968)
[Web Animations] Allow KeyframeEffect to support CSS property animation blending (r224957)
Rename AnimationBase::isTransformFunctionListValid() (r187461)
Don't eliminate whitespace renderer if the previous sibling is a text renderer (r224773)
display:contents should work with dynamic table mutations (r224360)
Remove unnecessary whitespace invalidation logic from RenderTreeUpdater (r224034)
WebContent process crashes while loading https://www.classicspecs.com (r226413 complete revisited)
Text nodes with display:contents parent should render as if they were wrapped in an unstyled <span> (r223514)
Add isContinuation bit (r223127)
[Web Animations] Make KeyframeEffect target nullable and read-write (r228437 + r228439 + r228440 + r228446 rolled out)
[Web Animations] Express time in milliseconds through the API (r224939)
Clean up KeyframeEffect (r224934)
REGRESSION: Stack overflow in RenderBlockFlow::layoutBlock after increasing the font size to max in some RTL vertical books. (r219190)
Setup cloned continuation renderer properly. (r198753)
RenderObject::destroy() should only be invoked after renderer has been removed from the tree (r223131 complete revisited)
Assertion failure in RenderMultiColumnSet::requiresBalancing() on fast/multicol/spanner-crash-when-adding-summary.html (r227570)
Remember previous child renderer during render tree update (r223848)
Support ::before/::after pseudo elements on elements with display:contents (r223748)
REGRESSION (r223604): Setting :before/after pseudo element on <noscript> asserts (r227145)
Resolve ::before and ::after pseudo elements during style resolution (r223500 + r223579 rolled out + r223604)
Always update display: contents styles in RenderTreeUpdater. (r222168)
Remove RenderObject::requiresForcedStyleRecalcPropagation (r209986)
Make Style::Update const in RenderTreeUpdater (r209802)
Text renderer updates should be done by RenderTreeUpdater (r220523)

Jan 14, 2020
============
Factor :before/:after render tree mutations into a RenderTreeUpdater helper class (r220956)
Remove RenderQuote collection from RenderView (r220594)
RenderQuote should not mutate render tree (r220447)
Transform misplaces element 50% of the time (r217075)
[Web Animations] Implement basic to-from animations (r224897 complete revisited)
REGRESSION (r222040): Crash navigating out of gfycat.com url (r222554)
REGRESSION (222040): Google Maps Street View CrashTracer: [USER] com.apple.WebKit.WebContent.Development (r222501)
  at com.apple.WebCore: WebCore::PropertyWrapperAcceleratedTransform::blend const + 92
Computing animated style should not require renderers (r222040 + r222104 rolled out + r222129)
AnimationBase should ref the element (r222098)
Make more of the CSS animation system internals element based (r221980)
AnimationBase should point to Element instead of RenderElement (r221941)
Remove RenderElement::isCSSAnimating boolean (r221916)
Large negative animation-delays may not work depending on machine uptime (r215352)
Drop the render tree for documents in the page cache. (r210226)
Animation followed by transition doesn't always fire transitionend event (r209675)
REGRESSION (r208025) GraphicsContext state stack assertions loading webkit.org (r208314 + r208319)
If an animation's keyframes affect stacking context properties, create stacking context while the animation is running (r208025)
Replace redundant prepareForDestruction() call with RELEASE_ASSERT in Document::removedLastRef. (r206299)
It is possible for Document::m_frame pointer to become stale (r205786)
prepareForDestruction() always needs to be called before destroying the Document object. (r202769)
Toggling animation-play-state can re-start a finished animation (r200047)
Unify code paths leading to render tree teardown. (r156270)

Jan 13, 2020
============
Transitions and animations do not apply to CSS ::before and ::after pseudo-elements (r138632)
[Web Animations] Implement basic to-from animations (r224897 partial)
[CSS Parser] Add support for new CSS selector parsing (r205660 partial)
operator==(Vector, Vector) should work with different inline capacities (r251432)
[Web Animations] Implement getAnimations() (r224705 + r224709 rolled out + r224760)
[JSC] Allow indexed module namespace object fields (r213453)
[mac-wk1] LayoutTest media/modern-media-controls/tracks-support/tracks-support-click-track-in-panel.html is a flaky timeout (r211501)
HashMap::ensure() should return an AddResult like all the other add-like functions. (r197123)
Add an ensure function on HashMap that takes a key and a function to make the lazy value initialization idiom easier (r196716)
Progress on web timing. (r168647)
[Win] Crash when scrolling page with images. (r152228)
[JSC] Consistently use "var" in builtin JS (r254418)
Object.keys should throw if called on module namespace object with uninitialized binding (r254390)

Jan 10, 2020
============
requestFrameAnimation() callback timestamp should be very close to Performance.now() (r202399)
[Web Timing] Fix flaky test. (r185434)
Restore old semantics to webkitRequestAnimationFrame callbacks (r139509)
Expose high-resolution on requestAnimationFrame callback (r131131)
[Web Animations] Schedule animations registered on the document timeline (r224472)
[Web Animations] Support AnimationEffect parameter in Animation constructor and read-write timeline property (r224242)
[Web Animations] Expose the playbackRate property on Animation (r224181)
[Web Animations] Expose the currentTime property on Animation (r224163 + r224164)
[Web Animations] Expose the currentTime property on AnimationTimeline (r224128)
[Web Animations] Use Seconds vs. MonotonicTime to represent times (r224127)
[Web Animations] Add basic timing and target properties (r223883)
[Web Animations] Add animations to the timeline (r223825)
[Web Animations] Provide basic timeline and animation interfaces (r223779)
JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names. (r239392)
[JSC] JSPropertyNameEnumerator could be destructorless. (r192416 + r192443 + r192453 rolled out + r192536 + r192722 + r192743 + r192766 rolled out)

Jan 09, 2020
============
will-change should trigger stacking context based purely on properties (r190667)
will-change: backface-visibility should not cause stacking context (r188604)
will-change should sometimes trigger compositing (r188530)
Have will-change create stacking context when necessary (r188514)

Jan 08, 2020
============
Always use matched declarations cache fully when parent inherited style matches (r252344)
Don't always recalc the style of display: contents elements. (r218318 + r218345 rolled out + r220202)
[CSSRegions]Incorrect layout for multicol element transformed into region (r173424)
Delete dead SVG Font code (r198074)

Jan 07, 2020
============
Crash calling webSocket.close() from onError handler for blocked web socket. (r187556)

Jan 07, 2020
============
implement dynamic scope accesses in the DFG/FTL (r199699 complete revisited)
  => function-name-scope when stressing DFG JIT

Jan 07, 2020
============
Use the rare data's RenderStyle for display: contents. (r217599)
Dynamically applied :empty pseudo class with display:none does not get unapplied (r214290)
Proxy's [[OwnPropertyKeys]] is incorrect in DontEnumPropertiesMode::Exclude (r254070)

Jan 06, 2020
============
Factor RenderMultiColumnFlowThread construction and destruction into RenderTreeUpdater helper (r221409)
RenderMultiColumnFlowThread - Avoid render tree mutation during layout (r221379)
Do not create multicolumn context for certain type of renderers. (r209546)
ASSERTION FAILED: flowThread->regionInRange(region, startRegion, endRegion) in WebCore::RenderBox::borderBoxRectInRegion (r209259)
Composited negative z-index elements are hidden behind the body sometimes (r208981)
Rename RenderObject::isRoot() to isDocumentElementRenderer() (r190834)
Garbage pixels on enphaseenergy.com site (r190818)
REGRESSION (r173283-r173296): Amazon.com front page has no caret in the search field (r185666)
RenderLayer::currentTransform computes a pixel snapped rect it doesn't use. (r183887)
[CSS Blending] The composited layers isolated by the page group should blend with the default white background color. (r173867)
JSON.parse should initialize wrapper object with [[DefineOwnProperty]] (r254037)
DFG and FTL should support op_call_eval (r203364 partial revisited)
Wrong value recovery for DFG try/catch with a getter that throws during an IC miss (r191930 complete revisited)
DFG should use PhantomLocal instead of Flush as liveness preservation mechanism in LiveCatchVariablesPreservationPhase (r190261)

Jan 03, 2020
============
DFG should not use or preserve Phantoms during transformations (r183497 partial revisited)
  SunSpider Math Cordic error on some ARMv7 platforms
  https://www.cbc.ca/ crash

Jan 03, 2020
============
[JSC] Use emitDumbVirtualCall in 32bit JIT (r223892)
Unreviewed, update the exponentiation expression error message (r203664)
FTL should generate code to call slow paths lazily (r190860 partial)
Support the with keyword in DFG (r220724)
GetArrayMask should support constant folding (r228693 revisited)
imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes (r227649 revisited)
We should not allow Function.caller to be used on native functions (r212009)
Add a micro-benchmark for checking that accessing a variable within a 'with' block does not automatically prevent type prediction. (r221084)
ArraySlice needs to keep the source array alive. (r246740)
Structure::willStoreValueSlow needs to keep the property table alive until the end (r213773)
AI rule for PutById can only observe transitions when it watches the condition (r253991)

Jan 02, 2020
============
@putByValDirect in Array.of and Array.from overwrites non-writable/configurable properties (r210457)
REGRESSION(215272): microbenchmark/seal-and-do-work and microbenchmark/freeze-and-do-work are 27x slower (r215471)
Implement Object.isFrozen() and Object.isSealed() per ECMA spec (r215272)
ASSERTION FAILED: "!scope.exception()" with Object.isSealed/isFrozen and uninitialized module bindings (r212710)

Jan 02, 2020
============
DFG should not use or preserve Phantoms during transformations (r183497 complete revisited)
  Workaround SunSpider Math Cordic error on some ARMv7 platforms

Jan 02, 2020
============
Unreviewed, fix debug failures due to missing exception checks (r253869)
It should be easier to reify lazy property names (r224927)
Promise resolve and reject function should have length = 1 (r220324)
JSFunction::put() should not allow caching of lazily reified properties. (r208018 complete revisited)
JSBoundFunction should lazily generate its name string (r204321)

Dec 20, 2019
============
[JSC] DFG should respect node's strict flag (r244067 complete revisited)

Dec 20, 2019
============
implement dynamic scope accesses in the DFG/FTL (r199699 partial rolled out)
  => function-name-scope when stressing DFG JIT

Dec 20, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/JetStream2/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Dec 20, 2019
============
Don't cache self customs on dictionaries (r253810 partial)

Dec 19, 2019
============
DFG should not use or preserve Phantoms during transformations (r183497 partial revisited)
  SunSpider Math Cordic error on some ARMv7 platforms
  
Dec 19, 2019
============
CopiedBlock should be 8kB (r199567 + r199572 rolled out)
VarargsForwardingPhase should only consider MovHints that have the candidate as a child (r183492 revisited)
DFG should insert Phantoms late using BytecodeKills and block-local OSR availability (r183207 complete revisited)
Harden DFGForAllKills (r182857 revisited)

Dec 18, 2019
============
Ensure transparency layers are properly ended when only painting root background (r253692)
Shrink Vectors with inline capacity. (r153514)
NinePieceImage: Avoid unnecessary duplication of default data in assignment operator. (r125708 revisited)
Reduce the size of empty NinePieceImage objects. (r125465 revisited)
[JSC] 8Bit JSRopeString can contain 16Bit string in its rope (r253648)

Dec 17, 2019
============
[JSC] Remove ArrayBufferNeuteringWatchpointSet (r253576)
WebAssembly API: test with neutered inputs (r217052 partial)
Structure should have a bloom filter of seen identifiers (r253517)
fourthTier: Create an equivalent of Structure::get() that can work from a compilation thread (r153128 partial)
Only use 16 VFP registers if !CPU(ARM_NEON). (r220871)
Speed up TransformationMatrix::multiply() on modern ARM (r133653)
FontFaceSet binding does not handle null correctly (r199216)

Dec 16, 2019
============
HTMLInputElement::defaultEventHandler() shouldn't force style updates. (r165773)
[Forms] Set SpinButtonElement free from HTMLInputElement (r125997)
[Forms] Move wheel event handler to spin button class (r125522)
Minimize the amount of memcpy done for allocating Error stacks. (r201976)
Refactor common code between GetCatchHandlerFunctor and UnwindFunctor (r190004)

Dec 13, 2019
============
Protect lifetime of frame and frameView objects (r253463)
Focusing a new frame (via window.focus()) should blur the active element in the current frame (r143299)
Fix missing exception in JSValue::toWTFStringSlowCase(). (r253458)
Fix missing exception check in JSON Stringifier's gap function. (r253441)
DFG and FTL expects String.prototype to not qualify for StringObjectUse. (r253432)

Dec 12, 2019
============
Remove 14 more unnecessary uses of UsePointersEvenForNonNullableObjectArguments (r199231)
Use filterRootId in SelectorQuery even if CSS JIT is not enabled (r181699)
Implement Element.closest() API (r174324)
filterRootById accidentally clears inAdjacentChain flag (r173688)
SelectorQuery failing RightMostWithIdMatch are compiling their selectors for each execution (r165001)
Optimized querySelector(All) when selector contains #id (r164924 partial)
Move insertAdjacent*() API from HTMLElement to Element (r204150)
Improve IDL support for object arguments that are neither optional nor nullable (r199265)
Remove unneeded UsePointersEvenForNonNullableObjectArguments from event classes (r199224)
Remove unneeded UsePointersEvenForNonNullableObjectArguments in WebKitCSSMatrix.idl (r198994)
Binding generator should allow passing DOM objects parameters as references (r198833)
HTML*ListElement wrappers have custom getOwnPropertySlot()s for no good reason. (r169709 revisited)

Dec 11, 2019
============
Optimize [StrictTypeChecking] on IDL attributes (r200393)
Remove unused C++ DOM event handler attribute functions (r181169)
window.name leaks information across domains (r209076)

Dec 10, 2019
============
Fix null handling for several HTMLBodyElement attributes (r203525)
CSP: Check inline event handlers on each run, not only the first (r198541)
Make JavaScript binding get and set legacy event listener attributes directly (r181001 + r181003 + r181024 rolled out + r181156)
Actually only generate tables for History and Location. (r169792 + r169796 + r169800 + r169810)
Make atob() throw an InvalidCharacterError on excess padding characters (r153904)
Make atob() / btoa() argument non optional (r152859)
REGRESSION (r231456): Colloquy is broken (r232424)
Stop using an iframe's id as fallback if its name attribute is not set (r231331 + r231367 rolled out + r231456)
Revalidate URL after events that could trigger navigations (r212350)
Regression(r191652): Colloquy doesnt render any chat content (r192016)
Ensure attached frame count doesn't exceed the maximum allowed frames (r174922)
Move URL-checking code into Frame (r135503)
Rename Page::frameCount() to subframeCount(), and related (r129707)

Dec 09, 2019
============
Changing details.open should cause a toggle event to be fired asynchronously (r207514)
EventHandler IDL attributes should be enumerable (r195778)
Getting / Setting property on prototype object must throw TypeError (r195695)
Organize event handlers a bit (r184616 partial)
More event handler improvements (r181507 partial)
Some event handler fixes (r181358)
REGRESSION (r154769): Wrong <title> taken as a tooltip for SVG element. (r178459)
[SVG2] Share "on"- event attributes with HTMLElement (r168358)
Add HTMLNames::classAttr has a regular name in SVGElement::isAnimatableAttribute (r163510)
Shrink the function that builds the event listener attribute name map (r155769)
Add child and descendant const iterators (r154769 revisited)
feImage fails if referenced node contains radialGradient declaration (r154713)
Object.prototype.isPrototypeOf() should check if the passed in value is a non-object first. (r253264)
Remove ChromeClient::paintCustomOverhangArea (r159224)

Dec 06, 2019
============
RenderFlowThread's containing block cache should be invalidated before calling styleDidChange. (r208605)
RenderFlowThread::removeLineRegionInfo shouldn't call HashMap::contains before HashMap::remove (r208597 revisited)
RenderElement::invalidateFlowThreadContainingBlockIncludingDescendants should be on RenderBlock. (r208555)
RenderFlowThread state reset cleanup. (r208414)
Tighten region style map to use RenderElement instead of RenderObject (r206049)
[JSC] Clean up baseline slow path (r223823)
Simplify JIT::emit_op_mod() (r189444)

Dec 05, 2019
============
Move RenderNamedFlowThread nextRendererForElement logic to RenderTreeUpdater. (r208470)
Use after free in WebCore::RenderNamedFlowFragment::restoreRegionObjectsOriginalStyle (r180767)
[CSSRegions] Use RenderStyle::hasFlowInto when needed (r166696)
Nullptr crash in RenderLayoutState::pageLogicalHeight const via RenderGrid::computeIntrinsicLogicalWidths inside RenderMarquee::updateMarqueePosition (r253139)
Crash in WebCore::RenderStyle::overflowX with display:contents (r224394)
:active and :hover states may not be updated across slots (r210564)
When the mouse is upped after dragged out of shadowDOM, it should lose :active. (r166277)
:active style is not cleared when its display property is set to none before mouse released. (r165037)
[JSC] AI should convert IsCellWithType to constant when Structure set is finite (r252416 + r253124 rolled out + r253144)

Dec 04, 2019
============
Fix missing exception check in ArrayPrototype's fastJoin(). (r253137)
REGRESSION(r200964): Tab focus navigation is broken on results.en.voyages-sncf.com (r208922)
Focus ordering should respect slot elements (r200964)
FKA: No way to get focus from DOM to shadow DOM components (Was: HTML5 media controls not keyboard accessible) (r200520)
Only skip stretchy operators when determining the stretch height. (r164538 revisited)
Remove the not-much-used isShadowHost function from Element.h (r157355)
TreeScope::rootNode() should return a ContainerNode. (r150713)
[Forms] Move multiple fields related functions to BaseDateAndTimeInputType from TimeInputType (r129729)
[Forms] Shift+Tab should focus the last field of multiple fields time input UI (r127226)
[ShadowDOM] Shadow elements in the input element should be focusable. (r126842)
normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same (r244760)

Dec 03, 2019
============
Option() named constructor is not per spec (r217168)
Tear down descendant renderers when <slot>'s display value is set to no "contents". (r214232)
HTML Link elements should load data URLs as same origin (r211926)
Un-expose DOMSettableTokenList (r204242)
Moving focus by tab could erroneously focus a non-focusable shadow host (r200712)
Refactor FocusController::findFocusableElementRecursively (r200576)
AX: Add support for CSS4 :focus-within pseudo (r202358)
Element with maximum tabIndex cannot be returned by nextElementWithGreaterTabIndex() (r197835)
Stop clamping HTMLElement.tabIndex to the range of a short (r197726)
Contents inside a shadow host with a negative tabindex should not be tab focusable (r197439)
Use more references in FocusNavigationScope (r197055)
Move FocusNavigationScope into FocusController.cpp (r197021)
Merge DOMTokenList and DOMSettableTokenList (r196123)
HTMLIFrameElement.sandbox should be a DOMSettableTokenList (r191388)
Remove NodeRenderingTraversal (r191186)
HTMLOutputElement.htmlFor should be settable (r190134 + r190138 rolled out + r190168 + r190173 rolled out + r190189)
Remove isInCanvasSubtree bit (r172487)
AX: tabindex support in SVG2 (r168313)
SVG elements always have custom style resolve callbacks. (r154414)
REGRESSION (r154254): fast/frames/frameset-frameborder-inheritance.html failing on Apple MountainLion Debug WK1 (Tests) (r154326)
.: Remove support for HTML5 MicroData (r153772 partial)
FocusController should operate on Elements internally. (r150869)
Move hasNonEmptyBoundingBox from Node to HTMLAnchorElement (r150783)
Move Node::supportsFocus() to Element. (r150710)
Move Node::tabIndex() to Element. (r150707)
Move Node::focusDelegate() to Element. (r150697)
HTMLOutputElement::htmlFor should be readonly (r141063)
platform/mac/accessibility/progressbar.html fails on Mac WK1 and WK2 (r139723)
AX: Should be able to tab to focus a link in a canvas subtree (r126908)
DOM4: classList should be defined on Element and not on HTMLElement (r125092)
PropertySlot should not have Customs have a PropertyOffset of zero (r253026)

Dec 02, 2019
============
Use AtomicString in RuleSet and RuleFeature (r214255)
RenderVideo should always update the intrinsic size before layout. (r199856)
Fix CSS Selector's tag name matching when mixing HTML and XML (r179132)
Remove unused methods from MediaPlayerClient (r173719)
Move querySelector from Node to ContainerNode and use references instead of pointers (r157354)
Make use of Node::ownerDocument a compile time error (r154264)
Remove unnecessary uses of Element::ownerDocument (r154225)
Crash on display-contents-replaced-001.html (r217549)
slot doesn't work as a flex container (r208743)
Merge Element::ShadowRootMode and ShadowRoot::Mode enumerations (r208001)
[css-grid] Add support for percentage gaps (r215463)
Get rid of JIT::compilePutDirectOffset (r190681)
JIT::emitGetGlobalProperty/emitPutGlobalProperty are only called from one place (r190675)
JIT::compileGetDirectOffset is useless (r190673)

Nov 29, 2019
============
[Fetch API] Request constructor should provide exception messages (r206954)
[Fetch API] Implement abortable fetch (r239644)
FetchResponse should close its stream when loading finishes (r233994 + r234003 rolled out + r234045)
imported/w3c/web-platform-tests/service-workers/service-worker/fetch-event-respond-with-response-body-with-invalid-chunk.https.html is flaky (r228199)
Opaque being-loaded responses should clone their body (r227581)
REGRESSION (r224684): User-agent seen by page does not change when modified by the develop menu options after reloading. (r232323)
The referer header is not set after redirect (r230208)
Implement https://fetch.spec.whatwg.org/#main-fetch default referrer policy setting (r226397)
Allow XHR to override the User-Agent header. (r224684)
StringView could use a function to strip leading/trailing characters without allocation (r220982)

Nov 28, 2019
============
[Fetch] Extracting a body of type Blob should not set Content-Type to the empty string (r226162)
Replace JS builtin implementation of the FetchResponse constructor with a C++ one (r221806)
[Armv7] Linkbuffer: executableOffsetFor() fails for location 2 (r233015 revisited)
LinkBuffer should not keep a reference to the MacroAssembler (r170876 partial)
Inline caching in the FTL on ARM64 should "work" (r164673 partial)

Nov 27, 2019
============
Align FetchResponse and FetchRequest body handling (r221772)
Support caching of Response with a ReadableStream body (r221704)
[Fetch API] Add support for consuming a Request ReadableStream body (r221504)
[CSS] The parser should not get rid of empty namespace specification in front of element name selectors (r204591)
DOMQuad.p1 / p2 / p3 / p4 should behave as [SameObject] (r223448)
fourthTier: Change JSStack to grow from high to low addresses (r155711 revisited)

Nov 26, 2019
============
Remove Document::elementSheet() (r206753)
Remove addSubresourceStyleURLs functions (r206603)
Stop using valueToStringWithNullCheck() in JSCSSStyleDeclaration::putDelegate() (r203475)
Throttle timers that change the style of elements outside the viewport (r176212 partial)
Reduce the overhead of updating the AssemblerBuffer (r171123)
It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful (r164548)
Add some missing functions to MacroAssembler (r160680)
Fix the ARM64 build after recent JavaScriptCore changes (r159261)
[mips] Fix build for MIPS platforms. (r158670)
Fix CPU(ARM_TRADITIONAL) build after r157690. (r158205)
REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool. (r157796)
Restructure LinkBuffer to allow for alternate allocation strategies (r157690 + r157699)

Nov 24, 2019
============
References from CSSStyleDeclaration to CSSValues should be weak (r230737 rolled out)

Nov 22, 2019
============
REGRESSION(STP): rgb() with calc() containing variables doesn't work (r216188)

Nov 21, 2019
============
Make -webkit-transition-* and -webkit-animation-* properties be pure aliases of the unprefixed ones (r205809)
Reapply fixes for webkit.org/b/159450 and webkit.org/b/157569 (r204052)
REGRESSION (r202950): Image zoom animations are broken at medium.com (159861) (r203380)
REGRESSION(r200769): animations are no longer overridden (r202950)
Correctly handle prefixed and unprefixed variants in CSSStyleDeclaration (r200769)
Copy and paste can strip !important CSS rules due to a bug in mergeStyleFromRules (r149167)

Nov 20, 2019
============
Cannot unset transition with important (r231995)
Align CSSStyleDeclaration with the specification (r203744)
CSSStyleDeclaration.setProperty() should be able to unset "important" on a property (r203460)
Align CSSStyleDeclaration.setProperty() with the specification (r203437)
Setting an inline style property to "" shouldn't cause style recalc unless the property was present. (r149059)

Nov 19, 2019
============
[CSS Parser] Implement CSS variables (r208006 partial)
Use random() instead of begin() to limit cache sizes (r237463)
HashMap should support selecting a random entry (r237419)
querySelector() / querySelectorAll() should always throw a SyntaxError when failing to parse selector string (r204522)
createFontFaceValue() should be smarter about overgrown cache. (r158478)
[Mac] Drain the CSSValuePool on memory pressure. (r136866)

Nov 18, 2019
============
ctx.font = "" asserts in CSS parser (r251270)
Add support for Request body stream cloning (r221437)
Move consume promise from FetchBody to FetchBodyConsumer (r221427)

Nov 15, 2019
============
Add support for FetchRequest.body (r221329 + r221395)
[Cache API] Add support for being loaded responses (r220948 partial)
Add support for ReadableStream storage in FetchBody (r221201)
JSInternalPromiseDeferred should inherit JSPromiseDeferred (r189577)
Use toLength() and getIndexQuickly() in JSON.stringify (r252464)
Fix a couple of mistakes in CSSParserValue memory management (r201608)
Fix type clash warning in supports_error rule of CSSGrammar. (r175415)

Nov 14, 2019
============
Regression(r236862): Crash under DOMWindowExtension::willDetachGlobalObjectFromFrame() (r236888)
A Document / Window should lose its browsing context as soon as its iframe is removed from the document (r236862)
Have DOMWindow get its frame from its document (r236965)
DumpRenderTree crashed in com.apple.WebCore: WebCore::DOMWindow::resetDOMWindowProperties + 607 (r204631)
Pages frequently fail to enter the back/forward cache due to frames with a quick redirect coming (r251019 + r251029)
ResourceLoader::cancel() shouldn't synchronously fire load event on document (r232419 + r232433)

Nov 13, 2019
============
Merge TreeShared into Node. (r183009 + r183174 + r183183)
ASSERTION FAILED: !m_adoptionIsRequired in void WebCore::TreeShared<NodeType>::ref() (r154099 + r154121)

Nov 12, 2019
============
Remove support for X-Frame-Options in `<meta>` (r199605)
XSS Auditor should navigate to empty substitute data on full page block (r194927)
X-Frame-Options headers not respected when loading from application cache. (r184598)
REGRESSION (r167856): adobe.com no longer able to launch Create Cloud app using a URL with a custom scheme (r172697 + r172699 rolled out + r172709)
REGRESSION (r167856): Unable to log into HSBC app (r170120)
Webpages can trigger loads with invalid URLs (r167856)
Hash navigation doesn't affect history when the page is retrieved from appcache (r155099)
[Fetch API] Response should keep all ResourceResponse information (r220320)
Web Inspector: Cross Origin importScripts() scripts lack source URL, causes issues with Inspector showing Resource (r210279)

Nov 11, 2019
============
[Readable Streams API] Align queue with spec for ReadableStreamDefaultController (r223279 partial)
[Readable Streams API] Align respondInClosedState with spec (r217279)
[Readable Streams API] Align getDesiredSize with spec (r217044)

Nov 08, 2019
============
[Readable Streams API] Implement ReadableByteStreamController enqueue() (r211779)
[Readable Streams API] Implement ReadableByteStreamController pull() (r211484)
[Readable Streams API] Fix test in readableByteStreamCallPullIfNeeded (r210060)
[Readable Streams API] Implement readableByteStreamControllerCallPullIfNeeded() (r210027)
[Readable Streams API] Implement ReadableByteStreamController cancel internal method (r209915)
[Readable Streams API] Implement ReadableByteStreamController desiredSize (r209649)
[Readable Streams API] Implement ReadableByteStreamController close() (r208790)
[Readable Streams API] Implement ByteStreamController error() (r208382 + r208422 rolled out + r208434 rolled in)
Refactor post-attach and HTMLObjectElement-related code (r166144 + r166680 rolled out + r166853 complete revisited + r168580)
[[HasProperty]] result of Proxy in prototype chain is ignored (r252158 rolled out + r252191)

Nov 07, 2019
============
Refactor post-attach and HTMLObjectElement-related code (r166144 + r166680 rolled out + r166853 partial + r168580)
REGRESSION(r220052): ASSERTION FAILED: !frame().isMainFrame() || !needsStyleRecalcOrLayout()  in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() (r221139 + r221173 rolled out + r221423)
REGRESSION(r220052): http/tests/appcache/deferred-events-delete-while-raising-timer.html is crashing. (r220750)
Remove code in HTMLObjectElement attribute parsing that forces style resolution and layout (r220052)
REGRESSION (r158617): Find on Page can get stuck in a loop when the search string occurs in an <input> in a <fieldset> (r167210 partial)
<applet> plugins are instantiated post-attach (instead of post-layout like for object and embed) (r153013)

Nov 05, 2019
============
[JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison (r243966)
CodeBlock::jettison() should disallow repatching its own calls (r243626 rolled in)

Nov 04, 2019
============
Setting any of the <object> element plugin controlling attributes does not have any affect. (r180683 + r180966 rolled out + r181168)
Slotted nodes ignore transition (r209065)
Rename setNeedsStyleRecalc to invalidateStyle (r207458)
Setter on style element's textContent or cssText doesn't trigger style recalc (r206404)
Invalidate style for newly added nodes in Node::insertedInto (r201416)
Page does not update when <link> media attribute changes to no longer apply to page (r189060)
Replace Element::didAffectSelector() by setNeedsStyleRecalc() (r175212)
Update the <link>'s link status (r174878)
HTMLLinkElement should resolve resource URLs when resources will be fetched (r147291)
Elements must be reattached when inserted/removed from top layer (r139402 + r140080 rolled out + r140931)
[[HasProperty]] result of Proxy in prototype chain is ignored (r251940)

Nov 01, 2019
============
ASSERTION FAILED: hasOverflowingCell == this->hasOverflowingCell() in WebCore::RenderTableSection::computeOverflowFromCells (r204860)
REGRESSION(r147019): Page has extra space (r153832)
Growing a position:absolute element in a position:relative one in a table does not update scrollHeight (r147019)
JSArrayBuffer should have its own JSType (r234468)
We should be able to jsDynamicCast from JSType when possible (r228500 partial)
RenderTable should not hold a collection of raw pointers to RenderTableCaption (r223018)
RenderTable should not hold a collection of raw pointers to RenderTableCol (r223009)
RenderTable should not hold section raw pointers (r222953)
COL element in table has 0 for offsetWidth (r164504)
cell width / offsetTop incorrect (r154702)
Make rendering tables with <colgroups> twice as fast by avoiding walking the DOM for colgroups 4 times for each cell (r132764)

Oct 31, 2019
============
JSCell::classInfo() shouldn't have a bunch of mitigations for being called during destruction (r210821 + r210824 rolled out + r210829)
JSCallbackObject<JSGlobalObject> should not destroy its JSCallbackObjectData before all its finalizers have been called. (r181806)

Oct 30, 2019
============
Get to Structures more efficiently in JSCell::methodTable(). (r165078)
Add some hardening to methodTable() (r141190)
[JSC] Introduce @putByIdDirectPrivate (r230459)
Support for promise rejection events (unhandledrejection) (r215916 partial)
[JSC] Merge PromiseReactions (r209455)

Oct 29, 2019
============
[Readable Streams API] Enable creation of ReadableByteStreamController (r208276)

Oct 28, 2019
============
Object.getOwnPropertyNames() does not return named properties (r190280)

Oct 27, 2019
============
Crash in HTMLCollection::updateNamedElementCache (r238880)
document.getElementsByTagName should return an HTMLCollection (r188809)
Drop NodeListBase class (r188753)
HTMLCollection caches incorrect length if item(0) is called before length on an empty collection (r182125 revisited)
Speculative fix for a fast\dom\html-collections-named-getter failing only in Debug builds. (r173703)
Use an AtomicString as key for caching ClassNodeList objects (r173648)
appendChild shouldn't invalidate LiveNodeLists and HTMLCollections if they don't have valid caches (r165103 revisited)

Oct 26, 2019
============
getElementsByClassName() should return an HTMLCollection (r188735)

Oct 25, 2019
============
Refactor HTMLCollection to be as fast as CachedLiveNodeList (r188508 + r188513 rolled out + r188520)
Minor tweaks to HTMLCollection (r175947)
Rename LiveNodeLists / HTMLCollections's nodeMatches() to elementMatches() (r173649)
Named element cache can become invalid during HTMLCollection::updateNamedElementCache() (r168322)
HTMLCollection::updateNamedElementCach iterates over items twice (r167028)
LiveNodeLists should use ElementDescendantIterator (r166460)

Oct 24, 2019
============
[WebIDL] Remove JS builtin bindings for FetchRequest, DOMWindowFetch and WorkerGlobalScopeFetch (r220050)
[Fetch API] Refactor FetchHeaders initialization with iterators (r197026)

Oct 23, 2019
============
Expose Event / EventTarget properties on WorkerGlobalScope (r201791)
window.EventTarget should exist (r189660)
Parameter to HTMLCollection.item() / namedItem() should be mandatory (r203624)
Fix warnings in IDLParser.pm (r190111)
The following properties should exist on the global object: AudioTrackList, AudioTrack, VideoTrackList, VideoTrack (r196621)
Iterator of Array.keys() returns object in wrong order (r233740)
URLSearchParams / Headers objects @@iterator is not as per Web IDL spec (r217166)
JavaScript for-of does not work on a lot of collection types (e.g. HTMLCollection) (r211024)
Remove support for value iterators from JSDOMIterator (r203234)
DOM value iterable interfaces should use Array prototype methods (r203222)
Speedup array iterators (r200422 + r200428 + r200499)
Map#entries and Map#keys error for non-Maps is swapped (r183402)
Set#keys !== Set#values (r183320)
Fix missing exception check in JSON Stringifier. (r251403)
Post increment/decrement should only call ToNumber once (r251371)
DOMIterators should be assigned a correct prototype (r203235)
Iterable interfaces should have their related prototype @@iterator property writable (r202583)
NodeList should be iterable (r200619 + r202303 rolled out + r202305 + r202306 + r202307)
Ensure DOM iterators remain done (r200678 + r202302 rolled out)
Rename JSKeyValueIterator as JSDOMIterator (r200411 complete revisited)
Binding generator should support key value iterable (r196900 complete revisited)
[Web IDL] 'length' property is wrong for variadic operations (r190621)

Oct 21, 2019
============
[WebIDL] Remove JS builtin bindings for FetchHeaders (r220039)
[Fetch API] TypeError when called with body === {} (r218677)
[Fetch API] Pass directly FetchRequest fetch options to ThreadableLoader (r204014)
Crash when uploading huge files to YouTube or Google Drive (r184443)
Update FileReaderLoader to allow specifying a range and reading as a blob. (r143706 + r143733)
[Resource Timing] XMLHttpRequests should have initiator type 'xmlhttprequest' (r139513)
Report CSS as initiator instead of elements, except body (r136256)
Remove the concept of initiatorDocument from CachedResourceRequest (r135452)
Add initiator to CachedResourceRequest. (r134442 + r134446 rolled out + r134930)

Oct 18, 2019
============
Implement Subresource Integrity (SRI) (r216553 partial)
Implement Subresource Integrity (SRI) (r216347)
Split cryptographic digest computation and parsing out of CSP code so it can be reused (r215646 partial)
[Fetch API] Improve resource loading console logging (r209917 partial)
Set Response.blob() type correctly when body is a ReadableStream. (r216073)
[Fetch API] fetch fails when undefined is passed as headers (r212162)
Reject fetch promise in case of ReadableStream upload (r210860)
[Fetch API] Update content-type in case of form data (r210853)
Change HTTPHeaderValues from a struct to a namespace (r207046)
Add a place for common HTTP Header values (r206901)
XMLHttpRequest always defaults Content-Type to application/xml, while it should depend on data type (r173254)
FetchBody should use UTF8Encoding to encode text data (r206636)
DumpRenderTree crashed in com.apple.WebCore: WTF::Optional<WebCore::FetchBodyOwner::BlobLoader>::operator bool const + 12 (r206633)
[Fetch API] Blob type should be correctly set in case of empty body (r205250)
[Fetch API] Body mix-in text() should decode data as UTF-8 (r205188)
[Fetch API] Activate CSP checks (r204164)
Add missing checks after calls to the sameValue() JSValue comparator. (r251274)
RegExpObject's collectMatches should not be using JSArray::push to fill in its match results. (r238270)
Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers. (r237877)
Add missing exception check in RegExpObjectInlines.h's collectMatches. (r233161)
Fix missing exception check in RegExpObject::matchGlobal(). (r228388)
Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH. (r217869 complete revisited)
Fix exception scope verification failures in runtime/RegExp* files. (r209101)
regExpProtoFuncSplitFast should OOM before it swaps (r201467)
Bogus uses of regexp matching should realize that they will OOM before they start swapping (r201451)

Oct 17, 2019
============
GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap (r251271)
Add support for DOM aborting (https://dom.spec.whatwg.org/#aborting-ongoing-activities) (r222692)
[Web IDL] Add support for [SameObject] extended attribute (r207319 + r207355 rolled out)
Remove CSS Custom Filters code and tests (r162644)
Implement css-conditional's CSS.supports() (r142739)
Handle error recovery in @supports (r142640)
Implement CSSSupportsRule (r139866)
Re-virtualize CSSRule. (r135465)
Shader translator needs option to clamp uniform array accesses in vertex shaders (r131933)
Implement css3-conditional's @supports rule (r131783)
Attribute and Uniform variable names need translation in shader (r130417)
[CSS Shaders] Remove direct texture access via u_texture (r128334)
[CSS Shaders] Implement normal blend mode and source-atop compositing mode (r127217)
[CSS Shaders] Use CSS transform parsing code within CSS Shader (r127046)
[WebGL] Mac/ATI/AMD systems need to translate built-in GLSL functions (r126342)
[CSS Shaders] Add blend mode and composite op to compiled program cache key (r125331)
[CSS Shaders] Reuse precompiled shaders across elements (r124897)

Oct 16, 2019
============
[WeakPtr] RenderListMarker::m_listItem should be a WeakPtr (r242921)
InputType should not interact with an HTMLInputElement is no longer associated with (r234744)
FragmentInterval, FragmentIntervalTree and FragmentSearchAdapter should hold not hold raw pointers to renderers. (r233696)
Move scheduleSetNeedsStyleRecalc to HTMLFrameOwnerElement (r160928)
operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string. (r251178)

Oct 15, 2019
============
Clean up register naming (r189293 complete revisited)
[DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers (r231472 complete revisited)
[JSC] Remove per-host-function CTI stub in 32bit environment (r223813)
[jsc][mips] fix JIT::emit_op_log_shadow_chicken_prologue/_tail (r201713)
[mips] Fix regT2 and regT3 trampling in MacroAssembler (r195182)
Clean up register naming (r189293 partial revisited)

Oct 11, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/JetStream2/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Oct 11, 2019
============
[ESNext] Symbol.prototype.description (r235712 partial)
[JSC] Add Symbol.prototype.description getter (r232404)

Oct 10, 2019
============
[ShadowDOM] Add support for Node.getRootNode(options) (r206285)
Add support for Node.isConnected (r202870)
Crash under WebCore::EventTarget::fireEventListeners (r228574)
Use a strong reference when calling callOnMainThread to schedule events in AudioScheduledSourceNode. (r210748)
Make JavaScript binding get and set legacy event listener attributes directly (r181156 partial)
Avoid unwanted thread hops in ScriptProcessorNode when 'onaudioprocess' listener is not set. (r151558)
Support the 'onended' EventListener property for AudioBufferSourceNode and OscillatorNode. (r150905)
webaudio: clean-up. Replace AudioContext::m_document member with ContextDestructionObserver::scriptExecutionContext(). (r135116 + r135144 rolled out + r135156)
Unreviewed, roll out r250878 (r250932)
RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect (r218828)
[ES6] RegExp.prototype.@@replace should use @isObject instead of `instanceof` for object guard (r200239)
[ES] Implement RegExp.prototype.@@replace and use it for String.prototype.replace (r200117)

Oct 09, 2019
============
MutationObserver should accept attributeFilter, attributeOldValue, and characterDataOldValue on their own (r189271)
ASSERTION FAILED: m_op == CompareStrictEq in JSC::DFG::Node::convertToCompareEqPtr(JSC::DFG::FrozenValue *, JSC::DFG::Edge) (r243448)
[Datalist] fast/forms/datalist/datalist-child-validation.html crashes with a debug assertion in isValidFormControlElement() (r242309)
Only attach Attributes to a given element one time (r214510)
REGRESSION (r179497): Crash inside setAttributeNode (r212214)
The :enabled/:disabled selectors should only match elements that can be disabled. (r205050)
ASSERTION FAILED: m_isValid == valid() in WebCore::HTMLFormControlElement::isValidFormControlElement (r198451)
Clean up attribute handling: part 2 - attributeNode (r179497)
Support for :enabled selector on Anchor & Area elements (r171671 + r174064)
Add a few pseudo type to the selector compiler through function calls (r163853)
[JSC] GetterSetter should be JSCell, not JSObject (r250878)
JSON.parse incorrectly handles array proxies (r250860)
AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset (r246210)
JSON.parse throws incorrect exception when called w/o arguments (r246162)
The GetterSetter structure needs a globalObject. (r200177)
We should support the ability to do a non-effectful getById (r199170 partial revisited)

Oct 08, 2019
============
assignedNodes should include fallback contents when flattened option is set (r206534)
Add support for ShadowRoot.mode attribute (r204543)
Change HTMLSlotElement::assignedNodes to take a IDL dictionary instead of a WebCore::Dictionary (r200557)
Rename getAssignedNodes to assignedNodes and support flattened option (r200285)
Rename HTMLSlotElement.getDistributedNodes to getAssignedNodes (r195681)
RenderTreeNeedsLayoutChecker fails with absolutely positioned svg and <use> (r229782)
Invalidate scrollbars when custom scrollbar style changes dynamically. (r168230)
Web Inspector: Occasional crash under WebCore::CSSStyleSheet::item called from Inspector (r241567)
NULL Reference Error in ElementRuleCollector (r204220)

Oct 07, 2019
============
GoogleMaps transit schedule explorer comes up blank initially (r202104)
REGRESSION (r199640): position:absolute generated content inherits text-decoration from its element (r200302)
Element::idForStyleResolution() is a foot-gun (r199844)
Element should be const in StyleResolver (r199640)
CSSCursorImageValue shouldn't mutate element during style resolution (r199625)
Make Element const in ElementRuleCollector (r197779 partial)
Add version number for default stylesheet (r196555)
NodeList should not have a named getter (r188829 complete revisited)
Make CSSDefaultStyleSheets::ensureDefaultStyleSheetsForElement() faster (r175427)
Remove view source code (r164254)
leaks seen in fast/css/variables tests (r201690)
-webkit-image-set doesn't work inside CSS variables (r199884)

Oct 04, 2019
============
Fix inspector with variables enabled and enable inspector variables tests by default. (r126118)
Indexing CSSStyleDeclaration object with out-of-range index should return undefined (r200358)
Font size computed style is innaccurate (r197160 + r197215 rolled out + r197811)

Oct 04, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Oct 04, 2019
============
RegisterSet should use a Bitmap instead of a BitVector so that it never allocates memory and is trivial to copy (r203365)
restoreCalleeSavesFromVMCalleeSavesBuffer should use the scratch register (r194772)
[ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516 (r182634)
FTL unwind parsing should handle ARM64 (r164326)
Bitmap's WordType should be a template parameter (r155640)

Oct 03, 2019
============
FTL should use stackmap register liveness (r167187)
ScratchRegisterAllocator::preserveReusedRegistersByPushing() should allow room for C helper calls and keep sp properly aligned. (r189103)
StringImpl utf8 conversion should not fail silently. (r232089)
Add the unprefixed version of the pseudo element ::placeholder (r202066)
We shouldn't recurse into the parser when gathering metadata about various function offsets (r233377 partial + r233383)
test262: Completion values for control flow do not match the spec (r218512 + r218957 rolled out + r221622)
[JSC] linkPolymorphicCall now does GC (r244711)
Implement CSS Variables. (r191128)

Oct 02, 2019
============
CSSParserVariable leaks seen on leaks bots (r191825)
Keep the already-parsed list of terms in custom property values so that we don't have to re-parse them later when doing variable resolution. (r190231)
Add support for CSS Custom Properties (in preparation for implementing CSS Variables). (r190209)
Extract computeRenderStyleForProperty and nodeOrItsAncestorNeedsStyleRecalc from ComputedStyleExtractor::propertyValue (r152938)
Move computed style extraction out of CSSComputedStyleDeclaration. (r150901)

Oct 01, 2019
============
Implement the CSS4 'revert' keyword. (r191252)
ASSERT in imported/blink/fast/block/float/overhanging-float-crashes-when-sibling-becomes-formatting-context.html (r191201)
Patch parseKeywordValue to accept "unset" so that it goes down the faster parsing path. (r191155)
Add support for the CSS 'unset' keyword. (r191151)
When no background-size is specified on the 2nd background layer, it takes the first instead of the initial value (r179413)
Demote 'line-height' to a low priority property. (r179119)
Add support for SVG CSS Properties to the new StyleBuilder (r178189 partial)

Sep 30, 2019
============
No-Cors check should take into account same-origin (r250515)
fetch redirect is incompatible with "no-cors" mode (r227270)
Remove CachedResource::passesSameOriginPolicyCheck (r207753)
Refactor CachedResourceLoader::canRequest (r206203)
Revert use of  SVG <mask> elements for -webkit-mask-image (r186180 + r186390 rolled out)
Revert use of  SVG <mask> elements for -webkit-mask-image (r176798, r177494) (r186391, r186392 rolled out)
When redirecting to data URL use HTTP response for same origin policy checks (r184434)
[Content Filtering] Tell the filter about requests and redirects (r182369)
Drop ResourceLoadPriorityUnresolved resource load priority and use Optional<> instead (r179584)
[JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&` (r250479 partial)
Date.UTC should not return NaN with only Year param (r234763)
test262: test262/test/built-ins/Array/S15.4.3_A2.2.js (r215234)
Fix exception scope verification failures in DateConstructor.cpp and DatePrototype.cpp. (r208935)
[ES6] Date.prototype should be a plain object (r194603 + r194615 rolled out + r194636)
Date creation should share a little code (r191393)

Sep 27, 2019
============
[First-letter] Use WeakPtr for the first-letter insertion point. (r249954)
Use WeakPtr for JSLazyEventListener::m_originalNode for safety (r244926)
Make WeakPtr<Element> possible and deploy it in form associated elements code (r243929 + r243941 rolled out + r243954)
Modernize SlotAssignment (r235483)
REGRESSION(r231291): InputType should hold a WeakPtr to its HTMLInputElement (r232496)
Use RetainPtr for form input type (r231291)
Break Document::m_associatedFormControls reference cycle. (r215465)
Remove PassRefPtr use from the "html" directory, other improvements (r210319 partial)
Use 'childOfType' template when retrieving Shadow DOM elements (r209130 + r209140 rolled out + r209145 partial)
Don't associate form-associated elements with forms in other trees. (r203373 + r203374 rolled out + r203383)
Image should not be re-registered if m_form already exists. This leads to an assertion failure. (r194617)
form.elements should reflect the element ordering after the HTML tree builder algorithm (r193840)
The code to look for an ancestor form element is duplicated in three different places (r154801)
Add client callbacks to notify of changes of associated from controls (r146672)
Add WeakHashSet (r242387)

Sep 26, 2019
============
Move StyleResolver ownership from Document/ShadowRoot to Style::Scope (r206951)
Initial letters should clear one another. (r173281)
Rename AuthorStyleSheets to Style::Scope (r206917)
Mutating styleSheet in shadow tree doesn't update the style (r206880)
AuthorStyleSheets shouldn't trigger synchronous style resolutions (r206361)
Remove AuthorStyleSheets::m_hadActiveLoadingStylesheet bit (r206167)
MatchedPropertiesCacheItem wastes 388KB of vector capacity on nytimes.com (r233173)
Move stylesheet change logic from Document to AuthorStyleSheets (r206311 + r206312 rolled out + r206351)
Document::styleResolverChanged simplification (r206230)
Web Inspector: Crash inspecting styles of element with mutated stylesheet (r180005)
Do not reenter Document from its destructor (r156444)
Tie the life of DocumentStyleSheetCollection and Document together (r156422 revisited)
Inactive style sheets should not trigger style recalc when loaded. (r153494)
Web Inspector: Page with @import and :last-child in an edited stylesheet will crash (r127000)
DOM mutation against including <link> shouldn't trigger pending HTML parser. (r125988)

Sep 25, 2019
============
Fix an edge case where HTMLFormElement::removeFormElement is invoked twice with the same element (r242917)
Invalidate the shadow subtree style when slotted pseudo rules are present. (r217708)
Updating class name of a shadow host does not update the style applied by descendants of :host() (r216761)
::after and ::before don't work on :host (r209535)
keyframes do not work when defined inside a style in a shadowRoot (r209352)
Updating class name doesn't update the slotted content's style (r208616)
slotted() pseudo does not work with ID selector (r208390)
[CSS Parser] Clean up the two types of descendant relations in CSSSelector (r208130 partial)
Support scoped style for user agent shadow trees (r207280)
Stop copying author shadow pseudo rules into shadow tree style resolver (r207077)
Can't style descendants in shadow tree using the :host pseudo class (r204724)
:default CSS pseudo-class should match checkboxes+radios with a `checked` attribute (r202245)
Updating class name of a shadow host does not update the style applied by :host() (r202227)
:indeterminate pseudo-class should match radios whose group has no checked radio (r202197)
Resolve !important properties from different shadow trees in a single pass. (r201075)
Shadow DOM: :host() From The First Shadow Context Should Not Style All Shadow Context (r199060)
Factor id mutation style invalidation code into a class (r196636)
REGRESSION(r183706): HTMLImageElement sometimes fails to register as document named item. (r186461)
Reproducible crash removing name attribute from <img> node (r183706)
Add the alternative syntax for CSS Selector's descendant combinator (">>") (r178592)

Sep 24, 2019
============
imported/w3c/web-platform-tests/shadow-dom/form-control-form-attribute.html hits assertion (r225956)
Submitting a form can cause HTMLFormElement's associated elements vector to be mutated during iteration (r222005)
imported/w3c/web-platform-tests/html/semantics/forms/form-control-infrastructure/form_attribute.html is crashing (r217524)
Make TreeScope::rootNode return a reference (r164251)
Don't try to dispatch resize events for SVG images (r157010)
NoEventDispatchAssertion in ContainerNode::removeChildren is too strict (r139964 revisited)
Continuation map should not hold a raw pointer (r223003)
RenderMathMLFenced should not hold a raw pointer to RenderMathMLFencedOperator (r222922)
Subpixel rendering: RenderBox's content clipping should clip on device pixel boundary. (r169862)
Array methods should throw TypeError upon attempting to modify a string (r250275)
Stop storing raw pointers to Documents (r243459)
[HTMLTemplateElement] Allow <template> content to be inspected (r139132)

Sep 23, 2019
============
Very flashy scrolling on http://quellish.tumblr.com page (r198498)
Newly added float should trigger full layout on the block. (r233767)
RootInlineBox should not hold a collection of raw pointers to RenderBox (r223004)
Replace some stack raw pointers with RefPtrs within WebCore/dom (r222993)
RootInlineBox should not hold a raw pointer to RenderObject (r222990)
RenderButton should not hold raw pointers to its direct children. (r222932)
RenderFragmentContainerRange should not hold raw pointers. (r222847)
RenderMenuList should not hold raw pointers (r222814)
Remove bogus assertions in updateNameForTreeScope and updateNameForDocument (r159566)
Node::document() should return a reference. (r154877 partial)
Validity of a radio button is not updated correctly when it is detached from an invalid radio group (r137565)

Sep 20, 2019
============
Shadow DOM: RenderTreePosition miscomputed when display:contents value changes (r201393)
Shadow DOM: Implement display: contents for slots (r199151 + r199152 rolled out + r199154)

Sep 20, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Sep 20, 2019
============
DFG should not use or preserve Phantoms during transformations (r183497 complete revisited)
Harden how the compiler references GC objects (r211237 partial revisited)
DFG should insert Phantoms late using BytecodeKills and block-local OSR availability (r183207 partial revisited)

Sep 19, 2019
============
Crash when passing Symbol to NPAPI plugin objects (r185369)
Scrolling does not work when the mouse down is handled by a node (r197784)
DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph" (r173072)
DFG::StrCat isn't really effectful (r189075 revisited)
js/dom/stack-trace.html fails with eager compilation (r184260 partial)
DFG ref count calculation should be reusable (r173626)
[ftlopt] Constant folding and strength reduction should work in SSA (r169949)
TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT (r250065)
Phantom insertion phase may disagree with arguments forwarding about live ranges (r250058)

Sep 18, 2019
============
REGRESSION (r245249): ASSERTION FAILED: !m_needExceptionCheck seen with stress/proxy-delete.js and stress/proxy-property-descriptor.js (r245311)
JSObject::getOwnPropertyDescriptor is missing an exception check (r245249 partial revisited)
ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter (r244862 + r244872 rolled out)
Stack overflow crashes with deep or cyclic proxy prototype chains (r201495 partial revisited)
[JSC] CheckArray+NonArray is not filtering out Array in AI (r249976)
CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage (r249959)
[FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage (r228726)
Support GetArrayLength on ArrayStorage in the FTL (r228421 revisited)

Sep 17, 2019
============
[JSC] Object.assign for final objects should be faster (r231687)
REGRESSION(r203368): broke some test262 tests (r204093)
Object.preventExtensions/seal/freeze makes code much slower (r203368)
Structure should be able to tell you if it had ever been a dictionary (r189596)

Sep 16, 2019
============
[JSC] Add missing syntax errors for await in function parameter default expressions (r249925)
JSObject::putInlineSlow should not ignore "__proto__" for Proxy (r249911)
Move id attribute to parent Element interface (r154057)
REGRESSION(r236862): early frame decoupling leaves JSC ArrayBuffer objects lingering (r243104)
Pointer lock causes abandoned documents (r239469)
Crash when pointer lock element is removed before pointer lock allowed arrives. (r216209)
Page should be able to request pointer lock without user gesture if it relinquished it without a user gesture (r211249)
[pointer-lock] Cursor should become visible when exiting pointer-lock via ESC key. (r209394 + r209464)
Implement basic pointer lock behavior for WebKit and WebKit2. (r207689)
Remove webkit prefix from pointer lock. (r170585)
Sandbox-blocked pointer lock should log to the console. (r138722)
webkitPointerLockElement returns null when pointer lock request is pending. (r127606)
Remove old Pointer Lock API. (r124535)
Block pointer lock for sandboxed iframes. (r124368)
webkitRequestPointerLock and webkitExitPointerLock limited to the same document of an active Pointer lock. (r124301)
Date.prototype.toJSON does not execute steps 1-2 (r249861)
Implement dynamic-import for WebCore (r211280)

Sep 13, 2019
============
[JSC] export JSC::importModule API for WebCore dynamic import (r211018)
dynamic import is ambiguous with import declaration at module code (r211017)
[JSC] Specifying same module entry point multiple times cause TypeError (r209172)
Fix modules tests after r206653 handle breakpoint locations in import/export statements (r206671)
Implement InlineClassicScript (r210627)
Images and scripts should be said as clean based on CachedResource::isCORSSameOrigin (r206995)
CachedXSLStylesheet does not need to be updated according Origin/Fetch mode (r206902)
Clean CSS stylesheets should be accessible from JavaScript (r205455)
[JSC] Don't sanitize window.onerror information on crossorigin-enabled scripts (r135009)
JSC crashes due to stack overflow while building RegExp (r249777)
[JSC] Tweak LiteralParser to improve lexing performance (r231761)
Remove duplicate error() impls in CachedResource subclasses (r127695)

Sep 12, 2019
============
[JSC] Remove repeated iteration of ElementNode (r229993)
[JSC] Use JSFixedArray for op_new_array_buffer (r225385)
We should have a more concise way of determining when we're varargs calling a function using rest parameters (r208584 + r208592 rolled out + r208637 partial)
[JSC] Prototype dynamic-import (r210522 + r210535)
[JSC] Drop translate phase in module loader (r209500)

Sep 12, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Sep 12, 2019
============
[DFG] Remove duplicate 32bit code more (r230517 partial revisited + r230520 revisited)
REGRESSION(r226269): 60 JSC test failures on ARMv7 (r226294 revisited)
[DFG] Cleaning up and unifying 32bit code more (r226269 partial revisited)
[DFG] Unify bunch of DFG 32bit code into 64bit code (r226261 partial revisited)
[JSC][MIPS][DFG] Use x86 generic HasOwnProperty (r215038)
Make HasOwnProperty faster (r206136 revisited + r206149 + r206207)

Sep 12, 2019
============
JSC should use a shadow stack version of CHICKEN so that debuggers have the option of retrieving tail-deleted frames (r199076 partial)
  => Some code was forgetting to use NativeCallFrameTracer (fixed new-typed-array-cse-effects failure).
  
Sep 11, 2019
============
InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format (r238511 partial)
InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format (r232134 partial)

Sep 10, 2019
============
[DFG] Drop unknown use of CheckCell's child2 to work ObjectAllocationSinking for Array iterator object (r215459 + r215460)
DFG should really support varargs (r180279 partial)

Sep 09, 2019
============
Harden how the compiler references GC objects (r211237 partial)
Constructor returning null should construct an object instead of null (r180587 partial revisited)

Sep 08, 2019
============
DFG AI should have O(1) clobbering (r231471 partial)
Creating a new blank document in icloud pages causes an AI error: (r184318 complete revisited)
TypeOf should return SpecStringIdent and the DFG should know this (r183548 complete revisited)
Crash in DFGFrozenValue (r180505)

Sep 07, 2019
============
Math.round() produces wrong result for value prior to 0.5 (r249597)

Sep 06, 2019
============
[FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage) (r229053)
[DFG] PutByVal with Array::Generic is too generic (r221793)
[DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported (r221783)

Sep 05, 2019
============
mergeOSREntryValue is wrong when the incoming value does not match up with the flush format (r244287)
REGRESSION(186691): OSR entry is broken on loop headers that have no live variables (r187028)
DFG fragile frozen values are fundamentally broken (r186691 partial)
Potential null dereferencing on a detached positioned renderer. (r202177)
Outline does not clip when ancestor has overflow: hidden and requires layer. (r196244)
LayerFragment should be able to intersect with ClipRect. (r178534)
[CSS Regions] Regions auto-height and absolute positioning bug (r151554 revisited)
REGRESSION (r217522): "Show My Relationship" link in familysearch.org does not work. (r219151)
getComputedStyle returns percentage values for left / right / top / bottom (r217522)

Sep 04, 2019
============
implement dynamic scope accesses in the DFG/FTL (r199699 complete reivisted)
PropertyCondition::isValidValueForAttributes() should also consider deleted values. (r233114)
AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself (r196497)
DFG::freezeFragile should register the frozen value's structure (r186215 partial revisited)

Sep 03, 2019
============
[DOMJIT] Add initial CheckDOM and CallDOM implementations (r206846 partial)
ClonedArguments need to also support haveABadTime mode. (r208377 complete revisited)
[JSC] Remove BytecodeGenerator::emitPopScope (r249418)
[JSC] Generate new.target register only when it is used (r249337)

Aug 30, 2019
============
ObjectPropertyCondition should have a isStillValidAssumingImpurePropertyWatchpoint function (r201610)
Prototype structure transition should be a deferred transition (r223161)
DFG and FTL should support op_call_eval (r203364 partial)
Remove AllocationProfileWatchpoint node (r183073)

Aug 30, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Aug 30, 2019
============
PropertyAttribute needs a CustomValue bit. (r239062 partial revisited)
Fix missing edge cases with JSGlobalObjects having a bad time. (r237469 complete revisited)
Give the heap object iterators the ability to return early. (r183124)

Aug 30, 2019
============
Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value (r248798)
Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list. (r227434)
  => new-typed-array-cse-effects success with <debugDFGJIT>1</debugDFGJIT>
  
Aug 29, 2019
============
[ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function (r171389 revisited)
[JSC] Remove unused JSTypes (r226311)

Aug 28, 2019
============
Propagate the source origin as much as possible (r210149)
Break reference cycle in ErrorEvent by using JSValueInWrappedObject (r234789)
Event improvements (r228260 partial)
ErrorEvent / ProgressEvent should be exposed to workers (r201926)
Fix memory issues related to preload eviction. (r211673)
Avoid evicting link preload resources when parsing is done. (r211649)
Add event support for link preload. (r205269)

Aug 27, 2019
============
Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node. (r208560 complete revisited)
[JSC] Use is_cell_with_type for @isRegExpObject, @isMap, and @isSet (r206104 complete revisited)
Make JSMap and JSSet faster (r205504 + r205507 rolled out + r205520 + r205523)
RenderFlowThread::removeLineRegionInfo shouldn't call HashMap::contains before HashMap::remove (r208597)
Bidi-Isolate inlines break layout with collapsed whitespace (r186686)
Use outermost containing isolate when constructing bidi runs (r166650)
Fixing several incorrect assumptions with handling isolated inlines. (r162957)
Since MidpointState is a class, it should behave like a class (r162472)
Move space-ignoring inline functions into MidpointState (r160074 + 160076)
Rename InlineIterator::m_obj and make it private (r159860)
Clean up BidiRun a little bit. (r158834)
Fix nested unicode-bidi: isolate (r155554)
Bidi-Isolated inlines can cause subsequent content to not be rendered (r142793)

Aug 24, 2019
============
Do not mutate RenderText content during layout. (r222214 + r222217 + r222218 rolled out + r222221)

Aug 23, 2019
============
Percentage constrained images shrinking inside blocks inside nested flex boxes (r213748)
REGRESSION: Block no longer shrinks to preferred width in this flex box layout (r213480)
Update flexbox to Blink's tip of tree (r213149 complete revisited)
ASSERTION FAILED: contentSize >= 0 in WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax (r192513)
ASSERTION FAILED: m_isEngaged in WTF::Optional::value (r192413)
fast/flexbox/auto-height-with-flex.html failing only on release builds. (r150278)
Update flexbox to Blink's tip of tree (r213149 partial)
Do not destroy the RenderNamedFlowFragment as leftover anonymous block. (r210120)

Aug 22, 2019
============
import(arg) crashes when ToString(arg) throws (r214143)
Decouple module loading initiator from ScriptElement (r210585)
Gracefully handle inaccessible font face data (r245190)
Script modules should be able to import data urls (r217760)
data:// URL behavior of XHR does not match spec (r205113)
Add the support for nomodule attribute on script element (r211078)
[ES6] Integrate ES6 Modules into WebCore (r208788 revisited)

Aug 21, 2019
============
[ES6] Integrate ES6 Modules into WebCore (r208788)
document.currentScript should be null when running a script inside a shadow tree (r208660)
[JSC] Error prototypes are called on remote scripts. (r202460)
Layers should be destroyed by RenderLayerModelObject (r223139)
[Repaint from Layout Removal] Move layer repaint rects into a map (r220479)
Removing unnecessary friend classes in RenderObject: LayoutRepainter, RenderSVGContainer (r135779)
RenderMultiColumnSpannerPlaceholder should not hold raw pointers. (r222845)
Use WeakPtr in RenderFullScreen (r222831)
Remove ChromeClient::fullScreenRendererChanged(). (r161203)
Nullptr deref in WebCore::RenderTableCaption::containingBlockLogicalWidthForContent (r225402)
RenderObject::destroy() should only be invoked after renderer has been removed from the tree (r223131 partial)
Use WeakPtr for first-letter memory management (r222691)
Potential nullptr dereference in RenderLayer::updateLayerPosition() (r210760)
Crash in WebCore::RenderElement::containingBlockForObjectInFlow (r197716 partial revisited)
RenderBlock shouldn't need a pre-destructor hook. (r175640)
Move RenderBlock::beingDestroyed() to RenderObject. (r175242)

Aug 20, 2019
============
lowering get_by_val to GetById inside bytecode parser should check for BadType exit kind (r226254)
[JSC] Add initiator parameter to module pipeline (r205278)
Make JSMap and JSSet faster (r205504 + r205507 rolled out + r205520 partial)
ValueAdd should be constant folded if the operands are constant String,Primitive or Primitive,String (r207060 complete revisited)
JSC::Symbol should be hash-consed (r203895)
DFGBytecodeParser should not declare that a node won't clobberExit if DFGFixupPhase can later declare it does clobberExit (r241968)
GetByVal to GetById conversion in the DFG is incorrect for getters with control flow (r207500)
Webkit jsc Crash in RegExp::matchInline (this=<optimized out> (r248857)
REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow (r228481)
YARR: JIT RegExps with greedy parenthesized sub patterns (r225695 + r225861 rolled out + 225930)
[JSC] Add MacroAssembler::getEffectiveAddress in all platforms (r225271)

Aug 19, 2019
============
Proxy constructor should throw if handler is revoked Proxy (r248880)
Date.prototype.toJSON throws if toISOString returns an object (r248876)
[JSC] Avoid code bloating for iteration if block does not have "break" (r220852)
[JSC] LabelScopePtr is not necessary (r215972)
WTF::Bag should be non-copyable (r195339)
SegmentedVector::append() should take in rvalue reference, forward it to Vector::uncheckedAppend() (r164377)
Null pointer crash when loading module with unresolved import also as a script file (r213452)
[JSC] linking and evaluating the modules are done in a sync manner (r205276)
[ES6] Add ModuleLoaderPrototype and move methods to it (r204330)
[JSC] Use is_cell_with_type for @isRegExpObject, @isMap, and @isSet (r206104 partial)
[JSC] Use bytecode intrinsic to expose Module's loading status to builtin JS (r202261)
isAsyncGeneratorMethodParseMode() should check for SourceParseMode::AsyncGeneratorWrapperMethodMode. (r235662)
output of toString() of Generator is wrong (r235514)
[JSC] Drop isEnvironmentRecord type info flag and use JSType information instead (r207652)
JSGlobalLexicalEnvironment needs a toThis implementation (r202664)
CodeBlock destructor should clear all of its watchpoints. (r248800)
SIGSEGV in JSC::BytecodeGenerator::addStringConstant (r243948 partial + r244028 rolled out + r244038 rolled in)
[JSC] DFG ToNumber should support Boolean in fixup (r248825)
More missing exception checks in string comparison operators. (r248802)

Aug 18, 2019
============
[ES] Add support finally to Promise (r219989 revisited)

Aug 17, 2019
============
[JSC] Add `typeof value === "symbol"` handling to bytecode compiler (r206147)

Aug 16, 2019
============
ProxyObject should not be allow to access its target's private properties. (r248709 + r248786 rolled out + r248796)
[JSC] Promise.prototype.finally should accept non-promise objects (r248793)
Promise constructor should check argument before [[Construct]] (r248787)
[ES] Add support finally to Promise (r219989)
[JSC][LLInt] Introduce is_cell_with_type (r206098)
[DFG] Introduce IsCellWithType node and unify IsJSArray, IsRegExpObject and newly added IsProxyObject (r206065)
[DFG] Introduce ArrayUse (r206047)
ES6: Implement RegExp.prototype[@@search]. (r199502 + r199511 + r199514 rolled out + r199748 complete revisited)
Make SpeculatedType a 64-bit integer (r205107)
Remove DFGNode::predictHeap() (r180545)
More missing exception checks in String.prototype. (r248716)
test262: test262/test/language/global-code/new.target-arrow.js (r215395)
[JSC] Tweak ES6 generator function to allow inlining (r224141)
[DFG][FTL] Implement ES6 Generators in DFG / FTL (r204994 complete revisited)

Aug 15, 2019
============
ProxyObject should not be allow to access its target's private properties. (r248709)
Missing exception check in string compare. (r248694)
Optimize RenderStyle::diff() and clean up the code (r236677 partial)
REGRESSION: Parts of the route/route options windows are invisible at maps.google.com (r172656)
[DFG][FTL] Implement ES6 Generators in DFG / FTL (r204994 partial)
move should only emit the move if it's actually needed (r232399 complete revisited)

Aug 14, 2019
============
Move more code out from RenderObject (r205927)
REGRESSION(r201040): Repainting of moving overflow:hidden objects is broken. (r201529)
Optimize layer repaint rect computation and painting. (r201040)
Paint artifacts when hovering on http://jsfiddle.net/Sherbrow/T87Mn/ (r190658)
[iOS WK2] WKWebViews in Facebook app start off black (r186107)
REGRESSION (r183794): Garbage tiles when body background switches to fixed (r184371)
Fix assertions in WK1 tests after r183777. (r183794)
display:none iframes cause repeated compositing flushing (r183777)
Fix updating of tiled backing opaquenss when the page background color changes (r183775)
border-image with 'fill' keyword does not fill the middle area unless the border width is greater than zero. (r182197)
Crashes under RenderLayer::hitTestLayer under determinePrimarySnapshottedPlugIn() (r180063)
Doing a navigation on a non-opaque WKWebView can result in an empty layer tree (r173344)
border-radius should not force layer backing store (r173295)
Support transparent WKWebViews (r170935)
Don't make an overhang shadow layer when the WKView has a transparent background (r143656)
Standardize on "flush" terminology for compositing layer flushing/syncing (r130400)
[JSC] Add "jump if (not) undefined or null" bytecode ops (r248426)
Array.prototype.flat/flatMap have a minor bug in ArraySpeciesCreate (r239761)

Aug 13, 2019
============
REGRESSION (r163560): ASSERTION FAILED: childrenInline() in WebCore::RenderSVGText::layout (r165836)
REGRESSION (r163560): Always treat SVG <tspan> and <textPath> as display inline (r164368)
Remove display:run-in support. (r163560)
RenderBlock::clone() should return RenderPtr. (r161337)
RenderInline::clone() should return RenderPtr. (r161335)
Use smart pointers for creating, adding and removing renderers (r222679)
[css-grid] Crash on debug removing a positioned child (r214039)
Use anonymous table row for new child at RenderTableRow::addChild() if available. (r207547)
Continuations with anonymous wrappers inside misplaces child renderers. (r192275)
Leak of SVGFontFaceElement when RenderStyle holds onto a FontRances which uses it (r243483 complete revisited)

Aug 12, 2019
============
Font Loading API specifies font is loaded but sizing of font after load reports inconsistent values (r216079)
Clear Node renderer pointer when destroying RenderObject (r224336)
Update CSSFontSelector's matching algorithm to understand ranges (r213436)
Do not assume that hypen's width can be computed using the simplified text measure codepath. (r233537)
Safari doesn't load newest The Order of the Stick comic. (r217848)
Simple line layout: Nested block with pseudo first-line parent should bail out of simple line layout. (r194461)
Be more defensive at renderer type checking when initializing flow segments. (r185531 revisited)
Shrink RenderBlock. (r179454 partial)
High number of cache miss on localTimeOffset (r248363)
String(new Date(Mar 30 2014 01:00:00)) is wrong in CET (r175078)

Aug 11, 2019
============
Assertion failures and crashes with missing TDZ checks for catch-node bindings. (r203315)
JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray (r248271)
GetterSetter type confusion during DFG compilation (r248149)

Jul 26, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Jul 25, 2019
============
REGRESSION(r178180): Membuster regressed ~4% (r178853)
StyleRuleMedia wastes 158KB of Vector capacity on cnn.com (r232899 partial)
DocumentRuleSets::collectFeatures() should shrink-to-fit. (r204241)
Shrink MediaQuerySets to fit after parsing. (r204006)
TrailingObjects shouldn't shrink vector capacity in a loop (r152905 revisited)
RenderImage can be destroyed even before setting the style on it. (r225872)
Followup (r220289): RenderImageResourceStyleImage code clean up (r220934)
RenderImageResourceStyleImage::image() should return the nullImage() if the image is not available (r220048 + r220073 rolled out + r220289)
Debug ASSERT: WebCore::RenderImageResource::shutdown (r217012)
SVG elements don't blend correctly into HTML (r202022)
Garbage is displayed when root svg element has mix-blend-mode set (r195724)
Apply more unique_ptr to line box management. (r158718)
RenderListItem should not hold raw pointers to RenderListMarker. (r222936)
Fix memory leaks in RenderMultiColumnFlow (r222710)
Move code out of renderer destructors into willBeDestroyed() (r214173)
Subtree layout code should use RenderElement. (r188163)
REGRESSION (r160259): text-combine glyphs are not rendered (r169011)
Save original text for RenderText to a map (r160259)

Jul 24, 2019
============
REGRESSION (r220646): RenderTreePosition::computeNextSibling hits assertion with certain first-letter mutations (r225014)
First letter text renderer should be anonymous (r224324)
Move first-letter renderer mutation code out of RenderBlock and into RenderTreeUpdater (r220795)
[Render Tree Mutation] First letter should not mutate the render tree while in layout. (r220646)
Remove getMutableCachedPseudoStyle (r208797)
Do not update selection rect on dirty lineboxes. (r207804)
Resolve beforeChild's render tree position before calling addChildIgnoringContinuation. (r211337)
Style resolution for explicitly inherited properties is inefficient (r201159)
ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext (r217577)
[JSC] always wrap AwaitExpression operand in a new Promise (r209113)
[DFG][FTL] Implement ES6 Generators in DFG / FTL (r204994 partial)
Factor render tree mutation code from RenderListItem to RenderTreeUpdater (r220916)
RenderListItem - Avoid render tree mutation during layout (r220858)
ASSERTION FAILED: !beforeChild->isRubyRun() in WebCore::RenderRubyAsBlock::addChild (r209617)
Remove FIRST_LINE_INHERITED fake pseudo style (r208998)

Jul 23, 2019
============
Safari 10 /11 problem with if (!await get(something)). (r223043)
"this" missing after await in async arrow function (r210925)
Calling async arrow function which is in a class's member function will cause error (r210558)

Jul 22, 2019
============
[DFG][FTL] Implement ES6 Generators in DFG / FTL (r204994 partial)
DocumentThreadableLoader should report an error when getting a null CachedResource (r204163 revisited)

Jul 21, 2019
============
WebContent process crashes while loading https://www.classicspecs.com (r226413 partial)
Move destroyLeftoverChildren call to RenderObject::destroy (r224976)
FloatingObjects/FloatingObject classes should hold weak references to renderers (r225748)
Add WeakPtr support to RenderObject. (r222653)
WeakPtrFactory should allow downcasting (r222633 revisited)
FloatingObject should not hold a raw pointer to RootInlineBox. (r222292)
Switch multicolumn's spanner map from raw over to weak pointers. (r222008)
Make RepaintRegionAccumulator hold a WeakPtr to its root RenderView (r213897)

Jul 20, 2019
============
FloatingObject::unsafeClone should not copy m_originatingLine (r163651)
RenderView::availableLogicalHeight() should be self-contained. (r154689)

Jul 19, 2019
============
[JSC] do not reference AwaitExpression Promises in async function Promise chain (r208726)
[JSC] implement runtime for async functions (r208052 complete revisited)
[JSC] implement runtime for async functions (r208052 partial)
[JSC] implement async functions proposal (r201481 + r201523 + r201542 rolled out)
[ES7] yield star should not return if the inner iterator.throw returns { done: true } (r199652)
[JSC] report unexpected token when "async" is followed by identifier (r209350)
[JSC] forbid lexical redeclaration of generator formal parameters (r208016)
[JSC] disallow references to `await` in AsyncFunction formal parameters (r207628)
[JSC] forbid "use strict" directive in generator functions with non-simple parameters (r207569)
[ES6] Modules' `export default function/class` should be declaration (r204842)
[ES6] Module should not allow HTML comments (r204714 revisited)
[ES6] Module binding can be exported by multiple names (r203953)
It should be a syntax error to have a 'use strict' directive inside a function that has a non-simple parameter list (r203263)
[ES6] Namespace object re-export should be handled as local export (r201085)
[ES6] Cache the resolution result in JSModuleRecord (r189747)
[ES6] Implement ModuleNamespaceObject (r189429)

Jul 18, 2019
============
[JSC] Implement parsing of Async Functions (r206333)
Remove the circular reference between TextTrack and TextTrackCue (r132681 revisited)
XHR should only fire an abort event if the cancellation was requested by the client (r220731 revisited)
Heap-use-after-free in WebCore::RenderObject::isDescendantOf (r140206 + r140225 rolled out + r140435 + r140439 rolled out)
Regression(r129944): Heap-use-after-free in WebCore::computeNonFastScrollableRegion (r139365)
Crash re-entering Document layout with frame flattening enabled (r129944)
Anonymous table objects: Collapse anonymous table rows. (r191119)
display: table-cell; bug when resizing window (r190893)
table element may get larger when its contents are recreated (r147871)
Make RenderObject destruction during detach a top-down operation (r131539 + r132591 + 139664 + 142500)
REGRESSION (r156355) Links / interactive elements inside nested tables are unclickable (r156404)
Tighten table rendering code (r156355)
Remove XMLHttpRequestException (r195588)
Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer (r150544)
Heap-use-after-free in WebCore::DeleteButtonController::enable (r142642)
REGRESSION (r207372) Visibility property is not inherited when used in an animation (r216591 + r216619 rolled out + r216631)
100% CPU on homedepot.com page (r207372)

Jul 17, 2019
============
Add support for Element.getAttributeNames() (r203852)
Make parameters to Element.getElementsBy*() operations mandatory (r203547)
Make parameters mandatory for attribute-related API on Element (r203546)
Element's attribute NS API should treat defined undefined namespace as null (r189893)
Element.getAttributeNS() should return null if the attribute does not exist (r189825)
Add a nicer way to iterate over all the attributes of an element (r162394 partial)
Re-inline some hot ElementData functions. (r156227)
REGRESSION(r216944): Fallback fonts erroneously visible when the primary font is loading (r220003)
REGRESSION(r216944): Font loads can cause Chinese characters to draw as .notdef (r219221)
REGRESSION(r212513): LastResort is platform-dependent, so its semantics should not be required to perform font loading correctly. (r216944)
Migrate Font constructor from bools to enums (r216896)
font-weight in @font-face can cause a font to be downloaded even when it's not used (r212513)
Canvas does not draw any text if the font is not fully loaded yet (r135888)

Jul 16, 2019
============
A Possible Issue of Object.create method (r247471)
Remove fonts from CSSFontFaceSet safely (r238222)
[CSS Font Loading] FontFaceSet.load() promises don't always fire (r208889)
Honor the second argument to FontFaceSet.load and FontFaceSet.check (r203092)
Implement grapheme cluster iterator on StringView (r203078)
Implement operator== and operator!= for Optional<> (r199107)
Value assignment operator of Optional should be stricter (r182254)
Make WTF::Optional work with msvc 2013 (r178372)
Add copy/move constructors and assignment operators to WTF::Optional (r170202)
DOM/textarea-edit.html spends 35% of time in numGraphemeClusters (r130818)
[CSS Font Loading] FontFace.load() promises don't always fire (r208976)
Deleting a CSSOM style rule invalidates any previously-added FontFaces (r201887 + r201906 rolled out + r201971 + r202085)
Extend CSSFontSelector's lifetime to be longer than the Document's lifetime (r197434 + r197436 + r197456 rolled out + r201799)

Jul 15, 2019
============
WeakPtr breaks vtables when upcasting to base classes (r245857 + r245863 rolled out + r245868 partial)
REGRESSION(r200601): Crash when using local() and unicode-range in @font-face blocks (r200803)
Web Font is downloaded even when all the characters in the document are outside its unicode-range (r200601)
Parse font-display (r220725 partial)

Jul 14, 2019
============
Support ArrayBufferViews in the CSS Font Loading API (r200921)
Some JIT/DFG operations need NativeCallFrameTracers (r199617 revisited complete)

Jul 13, 2019
============
@font-face rules with invalid primary fonts never download their secondary fonts (r218157 + r218264 rolled out + r218733 complete revisited)
Text not visible while external font downloading (r201676)

Jul 12, 2019
============
[Font Loading] The callback passed to document.fonts.ready should always be called (r203002)
Rework FontFace promise attribute handling (r200546 complete revisited)
Optimize join of large empty arrays (r247296)
FontFace constructor throws an exception when there is a name which starts with a number (r243637)
[Font Loading] Allow empty strings in FontFace constructor (r201421)
SVGColor custom text format is different from the CSS color custom text format (r189646)
Remove 'font' shorthand property special casing (r179100)
Unfriend StyleResolver and StyleBuilderCustom (r178123)
Documents can be destroyed before their CSSFontFaceSet is destroyed (r243828)
Free FontFaceSets may include fonts that were never actually added to them (r225414)
[Font Loading] ASSERT if calling FontFace.loaded twice with a garbage collection between them (r201394)
Rework FontFace promise attribute handling (r200546 partial)
[Font Loading] Crash when a single load request causes multiple fonts to fail loading (r197804)
[Font Loading] Split CSSFontSelector into a FontFaceSet implementation and the rest of the class (r196954)

Jul 11, 2019
============
[Font Loading] Implement FontFaceSet (r196747 + r196784)
Implement FontLoader interface (r145787 revisited)

Jul 10, 2019
============
Font selection should not consult font-variant property (r192732)
NamedFlowCollection should be a ContextDestructionObserver (r142223)
[Font Loading] Implement FontFace JavaScript object (r196604)
[CSS Font Loading] Implement CSSFontFace Boilerplate (r196510)
Image should clear its ImageObserver* when CachedImage releases the last reference to its RefCounted<ImageObserver> (r218003 + r218031 rolled out + r218038)
Crash when getting font bounding rect (r205031)
@font-face related cleanup (r188853 partial)
Remove dead ENABLE(FONT_LOAD_EVENTS) code (r217293)
Remove dead FontLoader code (r197016)

Jul 09, 2019
============
slotchange event should be fired at the end of microtask (r201858)
REGRESSION (r193286): Promise chain no longer prevent UI refresh (r211913)
Crash under WebCore::MutationObserver::deliverAllMutations() (r200062)
Add a microtask abstraction (r180911 + r180914 rolled out + r180996)
Potential infinite recursion in isFrameFamiliarWith(Frame&, Frame&) (r239600)
Restrict browsing context lookup by name to frames that are related to one another (r237112)
_blank / _self / _parent / _top browsing context names should be case-insensitive (r214944)
Bypass pop-up blocker from cross-origin or sandboxed frame (r210112)
Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185 (r183781)
REGRESSION (r142755): window.open creates an invisible window when width and height are 0 (r153913)
Disallow a window to focus itself via javascript URLs or using target _self (r149936 revisited)
[Qt] window.open passes height and width parameters even if not defined in a page (r142755)
ASSERTION FAILED: canHaveChildren() || canHaveGeneratedChildren() in WebCore::RenderElement::insertChildInternal (r195146)
Make Document::postTask() safe to call from a background thread (r247239)
Give Document a strongly typed identifier instead of a uint64_t (r225184)

Jul 08, 2019
============
AffectsNextSibling style relation marking is inefficient (r199583)
[Mutation Observers] prevent delivery while recipient context is suspended (r138754)

Jul 07, 2019
============
event.composedPath() does not include window (r208641)
Import w3c shadow DOM tests and fix one assertion (r206463)
Crash under eventTargetRespectingTargetRules() (r201571)
event.target shouldn't be retargeted as the event bubbles into a slot (r200464)
Crash in render tree after dynamically mutating the slot value (r212028)
Details element doesn't work correctly when mutating content between closing and opening (r212027)
slotchange event should bubble and dispatched once (r208817)
Node.prototype.rootNode is not Web compatible (r200297)
Rename Node.treeRoot to rootNode and turn it on by default (r197887)
Add Node.treeRoot (r195682)
Element.slot should be marked as [Unscopable] (r216228)
Evaluating window named element may return wrong result (r210508)
[Web IDL] Add support for [Unscopable] extended attribute (r204234)
Refactor to make JSMainThreadExecState's constructor and destructor private. (r166943)
switch(String) needs to check for exceptions when resolving the string (r247194)

Jul 06, 2019
============
Hardening: Prevent FrameLoader crash due to SetForScope (r245464)
[WK2] fast/parser/document-open-in-unload.html makes the following test crash (r233414)
Turn off offset*/scroll* optimization for input elements with shadow content (r229505)
Abandon the current load once the provisional loader detaches from the frame (r216120)
Remove PassRefPtr from "page" directory of WebCore, also deploy references (r211033 partial)
  (WebCore::FrameTree::removeChild): Use move instead of trickier swap.
WebContent crash under WebCore::CachedResource::load in WebCore::FrameLoader::outgoingReferrer const (r209817)
Postpone mutation events before invoke Editor::Command command(Document*, const String&, bool). (r191066)
Fix crash due to unexpected Node deletion during MutationObserver registration book-keeping (r153447)

Jul 05, 2019
============
Add an owning smart pointer for RenderObjects and start using it. (r161115)
Some refinements for Node and Document (r241932 partial)
document.webkitFullscreenElement leaks elements inside a shadow tree (r209628)
document.caretRangeFromPoint doesn't retarget the resultant Range correctly. (r209486)
ShadowRoot interface should have elementFromPoint (r206795)
ToT WebKit doesn't show tooltip on perf dashboard's summary page (r200923)
Web Inspector: Inspect Element and Element Selection searching should work with Shadow DOM Nodes (r200539)
Drop [UsePointersEvenForNonNullableObjectArguments] from Document (r199871)
REGRESSION(r177048) 11 failures on layout tests fast/selectors. (r177074)
Computed style for clip is wrong with respect to auto (r174543 + r174554)
Move nodeFromPoint() back to Document where it belongs (r173857)
Provide a default argument for the most commonly used HitTestRequest variant (r173766)
Move focus management API from HTMLDocument to Document (r166668 partial)
Hit testing should use ancestorInThisScope to get the non-shadow ancestor (r145448)
Convert deprecatedShadowAncestorNode() to shadowHost() in Editor.cpp (r141225)
[Shadow DOM] Selecting a node to another node in ShadowDOM fires 'click' event unexpectedly (r140944)
shadowAncestorNode() should be renamed to deprecatedShadowAncestorNode() (r140541)
FrameSelection should use shadowHost instead of shadowAncestorNode (r140381)
Cursor stops blinking after clicking on scrollbar (r139939)
When a selected node in nested ShadowDOM is deleted, selection have wrong range. (r139401)
[Chromium/Mac] Don't send an onclick event from a ctrl-click (r138380)
Implement ShadowRoot::elementFromPoint (r138379)
Incorrect rect-based hit-test result when hit-test region includes culled inlines (r135841)
Remove shadowAncestorNode() from VisibleSelection (r131559)
[Refactoring] DOMSelection should not use shadowAncestorNode (r130124)
TreeScope should not use node->shadowAncetorNode() (r130121)
Move region from HitTestResult to HitTestPoint. (r123754)

Jul 04, 2019
============
Outline should contribute to visual overflow. (r196222)
Recompute maximum outline size only when outline changes. (r189242)
Make outline: auto repaint rect inflate more explicit. (r188744)
outline-style: auto leaves bits behind on strava's flyby view. (r188658)
Cleanup outline-style: auto painting. (r188652)
Outline with auto style leaves bits behind when the the box is moved. (r188577)
Merged anonymous blocks should invalidate simple line layout path. (r184577)
Free up some bits in RenderObject by moving rarely used bits into a side table (r182373)
Move continuation teardown from subclasses to RenderBoxModelObject. (r175210)
Make RenderBlockRareData be in a hashtable instead of being a member variable. (r159150)
Reduce the size of RenderBlockFlow by making its rare data inherit from RenderBlockRareData (r159034)
Manage line-grid RootInlineBox with unique_ptr. (r158398)
Regression(r237903) Speedometer 2 is 1-2% regressed on iOS (r244277)
Thick overlines and line-throughs grow in the wrong direction (r238838 + r238860 rolled out + r239357)
Positioned text underline can look like a strike-through (r237955 complete revisited + r238075)
Implement text-underline-offset and text-decoration-thickness (r237903)
Clean up text decoration drawing code (r237844 partial)
Improve wavy underline rendering (r215802)
Move 'text-shadow' check from RenderStyle::changeRequiresLayout() to changeAffectsVisualOverflow() (r176998)
Text decorations do not contribute to visual overflow (r168750 + r168883 rolled out + r169089)

Jul 03, 2019
============
The destructor of CSSAnimationControllerPrivate must explicitly clear the composite animations (r247121)
Parsing support for text-underline-offset and text-decoration-thickness (r237835 partial)
Cascading order for !important properties in ::slotted and ::host rules is incorrect (r201073)
Implement functional :host() pseudo class (r199268 + r199274 rolled out + r199291)
Exception from For..of loop assignment eliminates TDZ checks in subsequent code (r247088)
Frozen Arrays length assignment should throw in strict mode (r247065)
for-in loops should preserve and restore the TDZ stack for each of its internal loops. (r232219)

Jul 02, 2019
============
PostResolutionCallbackDisabler can resume pending requests while a ResourceLoadSuspender is alive (r203450 partial)
WebContent crash due to RELEASE_ASSERT(!m_inLoadPendingImages) in StyleResolver::~StyleResolver() (r202716)
Remove code in HTMLObjectElement attribute parsing that forces style resolution and layout (r166144 + r166680 rolled out)
Missing render tree position invalidation when tearing down renderers for display:contents subtree (r214501)
CrashTracer: com.apple.WebKit.WebContent at WebCore: WebCore::Node::invalidateStyle (r211730)
No need to set setFlowThreadState on RenderText in createTextRenderer. (r208487)
:hover CSS pseudo-class sometimes keeps matching ever after mouse has left the element (r202324)
::slotted doesn't work in nested shadow trees (r197316)
Crash in WebCore::Node::getFlag (r175809)
Remove nodeIsDetachedFromDocument and visualWordMovementEnabled in FrameSelection (r160067 + r160068)
Get rid of the toHTMLElement helper for casting FormAssociatedElement to HTMLElement (r157357)
contenteditable justify commands applied to next paragraph as well (r156764)
FormAssociatedElement shouldn't create out-of-tree FormAttributeTargetObserver (r153661)
Handle the XPath / (root) operator correctly for nodes that aren't attached to the document. (r125631 + r126621)
Render tree teardown should be iterative (r199056)
Mark the dedicated root linebox for trailing floats in empty inlines dirty. (r210369)
REGRESSION (r202931): breaks release builds with ASSERT_WITH_SECURITY_IMPLICATION for fuzzing (r203031)
REGRESSION (r199054): CrashTracer: [USER] parseWebKit at WebCore: WebCore::RenderBlockFlow::checkFloatsInCleanLine + 107 (r202931)
Add RenderDescendantIterator to traverse a RenderObject's descendants (r200994)
Use RenderTreeUpdater for text node mutations (r199054)
Avoid double traversal in RenderTreeUpdater for slot roots (r199004)
REGRESSION(r179706): Caused memory corruption on some tests (Requested by _ap_ on #webkit). (r179750)
Crash due to failing to dirty a removed text node's line box (r179706)
Generalize dirtying of parent's line boxes when taking a renderer out of tree. (r175352 + r176974 rolled out)

Jun 30, 2019
============
Missing quotation mark when <q> gets reparented. (r206821)
Do not destroy RenderQuote's text fragment child when quotation mark string is changing. (r179691)
RenderQuote shouldn't need a pre-destructor hook. (r175528)
ASSERT_WITH_SECURITY_IMPLICATION in WebCore::InlineTextBox::paint (r162972)
RenderQuote has giant function for language to quotes map (r149833)
Store the quotes in the same allocation as the QuotesData object (r149707)
Begin unraveling the mess that is QuotesData (r149700)
Function parameter quotePair can be passed by reference (r149080)

Jun 28, 2019
============
REGRESSION (r198990): Cannot edit content inside <details> in wysiwyg editor (r209756)
Regression (198943): <marquee> shouldn't wrap text (r216973)
REGRESSION(r198943): drop-down menu navigation on fiddlevideo.com doesn't appear on iOS, works on OS X (r203985 partial)
REGRESSION (r198943): Transitions don't work if they animate display property (r200381)
Tighten ComposedTreeAncestorIterator to return Elements (r198992 complete revisited)
Shadow DOM: Slot style is not computed (r198990 + r200633)
Separate render tree updating from style resolve (r198828 + r198847 rolled out + r198943)
Calling FrameView::viewportContentsChanged() after style recalcs is too expensive (r185118)
Regression: Scrolling on popsci.com spends too much time in FrameView::viewportsContentsChanged() (r182773)
Document::recalcStyle() shouldn't call viewportContentsChanged() if there is a pending layout (r181133)
Add utility method on FrameView that resumes animated images and unthrottles DOM timers (r178013)
[CSSRegions] Rename inNamedFlow flag to isNamedFlowContentNode flag (r166354)
Assertion Failure in WebCore::RenderLayerCompositor::updateCompositingLayers (r139229)
Assert in RenderGeometryMap::mapToContainer (r139146)
RenderGeometryMap asserts when loading http://en.softonic.com/mac (r133544)

Jun 27, 2019
============
Unprefix text-decoration CSS3 properties (r238002)
Positioned text underline can look like a strike-through (r237955 partial)
Dotted underlines that skip descenders are invisible (r237948)
Strikethrough positions are erroneously snapped twice (r205519)
ASSERTION FAILED: y2 >= y1 in WebCore::RenderElement::drawLineForBoxSide (r198597)
ASSERTION FAILED: x2 >= x1 in WebCore::RenderElement::drawLineForBoxSide (r194418)
ASSERTION FAILED: !rect.isEmpty() in WebCore::GraphicsContext::drawRect (r194002)
[cairo] Solid stroke of lines with thickness less than 1 pixel broken after r191658 (r193743)
[Cairo] SolidStroke broken in drawLine after r191658 (r192574)
[Cairo] Incorrect dashed and dotted border painting after r177686. (r191658)
Incorrect dashed and dotted border painting. (r177658 + r177678 rolled out + r177686)
[GTK] Add support for text-decoration-skip (r177078 partial)
Dashed/dotted borders do not paint. (r172797)
Subpixel rendering: Border thickness and length flooring can result empty borders due to losing precision during multiple float <-> LayoutUnit conversions. (r172326)
Do not paint border image when the border rect is empty. (r167694)
Space between double underlines does not scale with font size (r165016)
Subpixel rendering: Add subpixel support to border type of double, groove, ridge, inset and outset. (r164888)
Implement text-decoration-skip: auto (r164115)
[css3-text] Support -webkit-text-decoration-skip: objects (r164061)
text-decoration-skip: ink does not work with line wraps (r161608 partial)
Faster implementation of text-decoration-skip: ink (r160951 partial)
Initial implementation of text-decoration-skip ink (r158467)
Parsing support for -webkit-text-decoration-skip: ink (r158127)
Remove GraphicsContext::strokeArc(), which is unused. (r149566)
[css3-text] Add support for text-decoration-color (r145785)
speciesConstruct needs to throw if the result is a DataView (r246851)

Jun 26, 2019
============
[32bit JSC tests]  stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing (r233806 partial)
Create ById IC for ByVal operation only when the specific Id comes more than once (r188878)
Introduce put_by_id like IC into put_by_val when the given name is String or Symbol (r188696 + r189820)
Baseline GetByVal and PutByVal for cache ID stubs need to handle exceptions (r204362)
Introduce get_by_id like IC into get_by_val when the given name is String or Symbol (r188105 + r188201 rolled out + r188299)

Jun 25, 2019
============
Add Array.prototype.{flat,flatMap} to unscopables (r246765)
[JSC] Rename Array#flatten to flat (r232226)
[JSC] Implement Array.prototype.flatMap and Array.prototype.flatten (r228266)
[jsc] MacroAssemblerMIPS: implement the branchPtr(RelationalCondition, BaseIndex, RegisterID) overload. (r214213)
HasOwnPropertyCache needs to ref the UniquedStringImpls it sees (r207186 + 207213 + r207425)
HasOwnPropertyCache flattening dictionaries is causing insane memory usage with the uBlock Safari extension (r206885)
Make HasOwnProperty faster (r206136 + r206149 + r206207)
Switching on symbols should be fast (r203491)
Introduce SymbolUse optimization into CompareEq and CompareStrictEq (r190414)

Jun 24, 2019
============
Make Document a FrameDestructionObserver (r209787)
Underlines are too thick when zoomed in (r164741)
Position and thickness of underline as text size changes (r163921)
[JSC] Strict, Sloppy and Arrow functions should have different classInfo (r246709)
Function object should convert params to string before throw a parsing error (r235582)
Builtins and host functions should get their own structures. (r233426)
Don't use JSFunction's allocation profile when getting the prototype can be effectful (r228725)
Arrow functions need their own structure because they have different properties than sloppy functions (r225891)
Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties (r225845)
Strict and sloppy functions shouldn't share structure (r225273)
Function constructor needs to follow the spec and validate parameters and body independently (r218845)
Fix exception scope verification failures in FunctionConstructor.cpp. (r208956)
[JSC] ES6 Method functions should not have prototype (r207461)
[ES6] GeneratorFunction constructor should instantiate generator function (r206710)
ES6: Classes: Should be allowed to create a static method with name "arguments" (r205856)
REGRESSION(r200694): %ThrowTypeError% is not unique (r201619)
Improve error messages for accessing arguments.callee and similar getters in strict mode (r200694)

Jun 21, 2019
============
Fix SVG animations which set rx or ry attributes (r162438)
Computed style of fill/stroke properties incorrect on references (r154628)
SVG stroke-dasharray is not animatable (r153754 + r153757 + r153764)
[CSS Parser] Support the 'alphabetic' keyword for text-underline-position (r209329)
A composition underline is placed to wrong position in RTL (r202250 partial)
-webkit-text-underline-position: under; does not work in ToT (r198858)
Hovering link on http://help.apple.com/appletv/#/ does not show text underline. (r194775)
Underlines too close in vertical Chinese text. (r185256)
[Mac] [iOS] Underlines are too low (r168599)
getPropertyValue for -webkit-text-stroke returns null, should compute the shorthand value (r144732 revisited)
REGRESSION (r224780): Text stroke not applied to video captions. (r227141)
The css properties stroke-width/stroke-color and -webkit-text-stroke-width/-webkit-text-stroke-color should not be mixed. (r224780)
Round-tripping stroke-width styles through getComputedStyle cause the text to gain a stroke. (r219755)
The CSS property -webkit-text-stroke is not applied on captions. (r211637)
m_disconnectedFrame can be null in DOMWindowExtension::willDestroyGlobalObjectInCachedFrame() (r246529)
Implement stroke-color CSS property. (r215261 partial)
Implement stroke-width CSS property. (r213634 partial)
Get rid of two silly static null Strings (r144432)

Jun 20, 2019
============
REGRESSION(r202953): Clicking on input[type=file] doesn't open a file picker (r203187)
Add slotchange event (r198115)
Share style by sharing RenderStyle substructures not the object itself (r198584)
Implement ::slotted pseudo element (r197165)
Reduce pointless malloc traffic in ElementRuleCollector. (r190842)
Implement :host pseudo class (r190680)
Unify the various serialization of selector list (r177313)
Add parsing support for the extended :nth-last-child(An+B of selector-list) defined (r175848)
Frame::rectForSelection shouldn't instantiate FrameSelection (r163920)
Optimize `resolve` method lookup in Promise static methods (r246620)
Implement Promise.allSettled (r245869)
[ES6] Promise.{all,race} no longer use @@species (r203052)
Nullptr deref in WebCore::Node::computeEditability (r223028)
REGRESSION(r180867): Tabbing to login field on iCloud.com doesn't have highlight for text (r185398)
isContentEditable shouldn't trigger synchronous style recalc in most cases (r180867)
Node::hasEditableStyle and isEditablePosition have too many options (r180809)
Carets in GMail and iCloud compositions are the foreground text color (r175152)
Text caret changes to color of text in Mail and Notes (r173246)
REGRESSION(r164133): Selection disappears after scrolling on nytimes.com (r171718)
DataDetectorUI doesn't update with resize (r168664)
REGRESSION (r164133): Selection doesn't paint when scrolling some pages (r167845)
Preserve selection end positions in directionOfSelection (r166457)
FrameSelection::textWasReplaced and setSelectedRange shouldn't trigger synchronous layout (r164319 + r164322)
computeSelectionStart and computeSelectionEnd shouldn't trigger synchronous layout (r164180)
setSelection should not synchronously trigger layout (r164133)
HTMLTextFormControlElement::setSelectionRange shouldn't use VisiblePosition (r163825 complete revisited)
Split UserTriggered into FireSelectEvent and RevealSelection for selection options (r163721)
Merge updateSelectionCachesIfSelectionIsInsideTextFormControl into setSelectionWithoutUpdatingAppearance (r163692)
FrameSelection's destructor shouldn't notify accessibility (r163689)
EventHandler::handleMouseReleaseEvent shouldn't call updateSelectionCachesIfSelectionIsInsideTextFormControl and selectFrameElementInParentIfFullySelected (r163056)
Rename notifyRendererOfSelectionChange (r163012)
CSS: Null-pointer dereference with negative 'orphans' value. (r160766)
Potential crash in RenderView::selectionBounds and RenderView::repaintSelection (r160065)
Text selected with double-click gets unselected after DOM modification (r158186)
Caret should respect text background color (r152612)
webkit fails IETC column-width-negative-001.htm (r138746 revisited)
REGRESSION(r133820?): SimplifyMarkupTest API test asserts (r138303)
CSSParser crases, when no context is available, and the value is a valid keyword (r138141 revisited)
SimplifyMarkupCommand takes a disproportionally long time to run when there are many nodes to remove (r133820)
Part 1 of: Extend -webkit-user-select with a new value "all" (r125330)

Jun 19, 2019
============
ElementRuleCollector should not mutate document and style (r197764)
Computed style should work correctly with slotted elements that have display:none (r191204 + r191229 rolled out + r191262)
Document.title does not behave according to specification (r189680)
Select validation does not correctly work when handling change event (r188672)
Move pseudo-style code from RenderObject to RenderElement. (r176365)
Abandoned select option is reselected when shift selecting new options (r175263)
Only set title on SVG documents (r169118)
Input ::selection pseudo class does not work leading to hidden selection (r169024)
Remove boolean argument from Element::setChildrenAffectBy* methods (r161037)
Eliminate awkward virtualComputedStyle construction (r160536)
ASSERTION FAILED: isHTMLTitleElement(m_titleElement.get()) in WebCore::Document::setTitle (r158682)
[Shadow DOM] Specifying scrollbar style of an element having RenderLayer in ShadowDOM does not work. (r140287)
[Shadow] TITLE elements in Shadow DOM should not affect document.title attribute (r138130)
MaybeParseAsGeneratorForScope sometimes loses track of its scope ref (r246549)
ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..."
  for function redeclaration with async function module export (r217755)
Clarify SyntaxErrors around yield and unskip tests (r204111)

Jun 18, 2019
============
Resolve style iteratively (r196864)
Style sharing check for fullscreen element seems bogus. (r219147)
Calling importNode on shadow root causes a crash (r196998 complete revisited)
Factor style sharing code out of StyleResolver (r196031)
Fix style sharing with the "type" and "readonly" attributes (r176864)
Remove remaining uses of NODE_TYPE_CASTS() from html/ (r174067 partial)
Make HTMLProgressElement::isDeterminate private (r146953)
Rename HTMLInputElement::isIndeterminate to Element::shouldAppearIndeterminate (r146860)
:before/:after pseudo elements do not always apply to the proper element (r143300)
Add canvas to set of elements that do not allow style sharing in order to provoke RenderLayer creation (r129934)

Jun 17, 2019
============
Remove "rem" unit optimization for document element font size changes (r206641)
Correct delayed load event handling (r245056 + r245142)
Execute pending scripts asynchronously after stylesheet loads complete (r212463 + r212556 rolled out + 212614 partial)
An assertion failure inside removeChildren (r212354)
Remove the remaining threaded parser code (r162258)
http/tests/misc/object-image-error.html asserts (r160920)
Fix crashing plugin tests caused by a logic error in the previous patch. (r154255)
Plug-in unavailability indicator should not be displayed if a blocked plugin's indicator is clipped (r153017)
Threaded HTML parser hits ASSERTION FAILED: this == frameLoader()->activeDocumentLoader() (r144370 + r144413 rolled out)
Threaded HTML Parser fails fast/dom/HTMLAnchorElement/anchor-no-multiple-windows.html in debug (r144240)
Threaded HTML parser hits ASSERTION FAILED: this == frameLoader()->activeDocumentLoader() (r144232)
REGRESSION(r143664, r143681): http/tests/security/feed-urls-from-remote.html fails (r143695 + r143719 rolled out + r143753)
LayoutTests/fast/encoding/parser-tests-*.html timeout with threaded HTML parser (r143664 + r143681)
Nodes should not have attributes property (r143663)
Load event fires too early with threaded HTML parser (take 2) (r142555 complete revisited)
document.write during window.onload can trigger DumpRenderTree to dump the render tree (r142492)
Load event fires too early with threaded HTML parser (r142378)

Jun 14, 2019
============
Add helper funtion for checking pointer equivalency and use it (r191017)
Allow composited clip-path to be updated without a layer repaint (r181164)
Yarr bytecode compilation failure should be gracefully handled (r246408)
Running out of stack space not properly handled in RegExp::compile() and its callers (r237753 + r237757 rolled out + r237763)
We don't throw SyntaxErrors for runtime generated regular expressions with errors (r231939)
[YARR] Yarr should return ErrorCode instead of error messages (const char*) (r226128)

Jun 13, 2019
============
Range.detach() / NodeIterator.detach() should be no-ops as per the latest DOM specification (r189182)
Default value for createNodeIterator() / createTreeWalker()'s whatToShow parameter should be 0xFFFFFFFF (r188711)
Rename Node::childNode(index) to traverseToChildAt(index) for clarity (r173684 partial)
Fix Range.insertNode when the inserted node is in the same container as the Range (r159620)
Fix out-of-date offset in selection range code in range.surroundContents (r158738)
Assertion failure in Range::processContentsBetweenOffsets (r157431)
Fix a crash in Range::processContents(). (r152707)
Range.getClientRects() should not include rects for partially selected elements (r148898)
Move transformFriendlyBoundingBox out of Range (r126074)
[JSC] Support optional catch binding (r220068)
[image-decoders] Make ImageDecoder::size() lazily decode the image if needed to return a valid size (r202800 partial)
REGRESSION(r198782, r201043): [image-decoders] Flickering with some animated gif (r202616 partial)

Jun 12, 2019
============
[Cairo] Handle the blend mode in GraphicsContext::drawPattern (r214100)
[CSS Masking] Implement luminance masking (r156391)
Object.getPrototypeOf(NodeFilter) should be Function.prototype, not Object.prototype (r211970)
Regression(r189230): DOM Callbacks may use wrong global object (r210468)
[[Prototype]] property of an interface object for a callback interface must be the Object.prototype object (r204126)
NodeFilter should be a callback interface (r189230)
JSCallbackData::invokeCallback() should return the Exception to the caller (r189140)
JSC should throw if proxy set returns falsish in strict mode context (r246346)
Error message for non-callable Proxy `construct` trap is misleading (r246333)
AI BitURShift's result should not be unsigned (r246332)

Jun 11, 2019
============
Rename FontGlyphs to FontCascadeFonts (r180294)
Rename SimpleFontData to Font (r178940)
Rename SimpleFontData::AdditionalFontData to SimpleFontData::SVGData (r177975)
Rename Font to FontCascade (r178510)
REGRESSION (r177876): store.apple.com profile and cart icons are missing (r186809 + r186816 rolled out + r186827 revisited)
Cleanup and simplification of SVG path-related classes (r190849)
SVG error parsing empty path (r154896)

Jun 10, 2019
============
textPath layout performance improvement. (r182828 partial)
Add 'float FloatPoint::slopeAngleRadians()' (r138800)
[ftlopt] Infer immutable object properties (r170855 complete revisited)

Jun 9, 2019
============
@font-face rules with invalid primary fonts never download their secondary fonts (r218157 + r218264 rolled out + r218733 complete revisted)
Subclass CachedFont for SVG fonts (r176276 revisited)

Jun 07, 2019
============
Get rid of UnicodeRange.h/cpp, using ICU instead (r162780)
SVG: hit testing region for <text> elements is incorrect (r192020)
Clear SVGInlineTextBox fragments when the text changes. (r166420)

Jun 06, 2019
============
Do not convert GlyphBufferAdvance to FloatSize (r195596)
SVGGlyphToPathTranslator ASSERTs when encountering a missing glyph in an SVG font (r169872)
REGRESSION: missing underline under CJK text (r169715)
Fix the !ENABLE(SVG_FONTS) build (r165611)
text-decoration-skip: ink does not skip over SVG fonts (r164842)

Jun 05, 2019
============
[SVG -> OTF Converter] Crash when trying to re-convert a previously-failed font conversion (r199014)
Range.insersectsNode(node) is supposed to return true if node.parent is null (r189225)
[Win] [SVG -> OTF Converter] All uses of a font except the first one are invisible (r196835)
Change the type of SVGToOTFFontConverter::m_weight to be not a char (r229328)
Delete incorrect version of clampTo() function from SVGToOTFFontConversion.cpp (r229202)
[SVG -> OTF Font Converter] Fonts advances are not internally consistent inside the generated font file (r208888)
[Cocoa] REGRESSION(r184899): Ascent adjustments are applied to web fonts (r201228)
SVGToOTFFontConversion.cpp does not compile with libstdc++ 4.8 (r197298)
[Win] [SVG -> OTF Converter] SVG fonts drawn into ImageBuffers are invisible (r196559)
[EFL][GTK] Fix ENABLE(SVG_OTF_CONVERTER) build (r196481)
GCC buildfix in Source/WebCore/svg/SVGToOTFFontConversion.cpp (r196469)
[SVG -> OTF Converter] Parsing failures cause use of incomplete fonts (r194839)
[SVG -> OTF Converter] Force UnitsPerEm to 1000 (r192930)
Crash when using an SVG font with > 390 glyphs (r190375)
[SVG -> OTF Converter] Crash when converting Arabic fonts (r187685)
[SVG -> OTF Converter] Remove unnecessary hacks (r185100)
[Win] [SVG -> OTF Converter] Support the SVG -> OTF Font Converter (r182423)
Work around a Cocoa font parsing bug (r181278)
Test horiz-origin-x and horiz-origin-y in SVG fonts (r181167)
[iOS] SVG fonts are garbled (r181155)
[Win] Build fix after r178760. (r178762)
[SVG -> OTF Converter] Glyphs get clipped weirdly (r178647)
[SVG -> OTF Converter] Implement ligatures (r178249)
[SVG -> OTF Converter] Make Placeholder a move-only type (r177688)
[SVG -> OTF Converter] Make placeholders more robust (r177620)
[SVG -> OTF Converter] Arabic forms are not substituted correctly (r174325)
[SVG -> OTF Converter] Support non-BMP codepoints (r174279 + r174372)
Tweak and tighten SVG font converter (r174063)
SVG -> OTF converter bug gardening (r174011)
Implement 'vhea', 'vmtx', and 'kern' tables in SVG -> OTF converter (r173852)
Text laid out with the SVG -> OTF font converter does not have the same metrics as with the SVG font code path (r173739)
Initial implementation of SVG to OTF font converter (r173521)
[iOS] [OSX] Don't transcode WOFF on platforms that support it natively (r171375)
Allow mmap encoded data replacement for WOFF fonts. (r162897)
Remove code duplications in createFontCustomPlatformData() (r158623)
Once a custom font is cached to disk, it starts failing to render until the page is refreshed. (r149070)
Accept request header values should be more tightly checked after r232572 in case of CORS load (r232728)
HTTP Header values validation is too strict (r232572)
Switch to a blacklist model for restricted Accept headers in simple CORS requests (r210077)
Allow commas in Accept, Accept-Language, and Content-Language request headers for simple CORS (r209510)
Tighten XMLHttpRequest setRequestHeader value check (r174920)

Jun 04, 2019
============
Fonts forced to use non synthetic italics might be laid out with the incorrect baseline (r172504 revisited)
Subpixel rendering: Empty rects should remain empty after integrally enclosing them. (r168575)
Synthesized vertical italics on rotated glyphs are transformed incorrectly (r151693 revisited)
Asserts when textPath is used with no path (r140429)
SVG Font kerning can take an early out if the font has no kerning information (r171955)
Uncomplicate some of SVGTextRunRenderingContext. (r157960)
Remove unnecessary save/restore in SVGTextRunRenderingContext (r133897)
Object bounding box wrong for some paths (r217772)
SVG content renders in incorrect vertical position when padding-left is not specified (r201604)
Replace 2 uses of updateLogicalHeight with computeLogicalHeight (r130686)
Support kerning with SVG web fonts (r156393 + r156399)
[sub-pixel] Rounding error in table cell height calculation causes unnecessary scrollbar (r145242 revisited)
Image.__proto__ should be Function.prototype, not HTMLElement.prototype (r236769)
[JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect (r246040)
Replace scoped flag in Event by composed flag (r202953)
REGRESSION (198056): Unable to use edit buttons on WordPress (r200580)
Add Event.deepPath() and Event.scoped (r198056)
Extract EventPath.h/cpp out of EventDispatcher.cpp (r197924)
WebKit should expose the DOM 4 Event.isTrusted property (r196520)
dispatchEvent() should throw an InvalidStateError if the event's initialized flag is not set (r189386 + r189419 rolled out + r189452)
Remove two unused SVGDocument functions. (r167798)
Clean up dispatchEvent overrides and overloads (r138674)

Jun 03, 2019
============
Input elements don't work inside shadow tree (r206403)
ComposedTreeIterator may crash when first child of shadow root is a comment node (r199097)
ComposedTreeIterator fails to traverse slots if root is shadow host (r198087)
ComposedTreeIterator may traverse slotted nodes multiple times (r197553)
ComposedTreeIterator traverses normal children for elements with empty shadow root (r196833)
Fix the !(ENABLE(SHADOW_DOM) || ENABLE(DETAILS_ELEMENT)) after r196281 (r196422)
Fix the !(ENABLE(SHADOW_DOM) || ENABLE(DETAILS_ELEMENT)) after r196281 (r196365)
Try to fix Yosemite build. (r196282)
Implement ComposedTreeIterator in terms of ElementAndTextDescendantIterator (r196281)
Tighten ComposedTreeAncestorIterator to return Elements (r198992 partial)
Implement iterator for traversing composed ancestors (r191112 + r191127)
Inserting a child to a slot assigned node doesn't trigger repaint (r190530)
Implement the matching for :nth-last-child(An+B of selector-list) (r176084 complete revisited)
[CSSRegions] Respect renderer creation constraints when element is part of named flow (r151204)

May 31, 2019
============
Japanese fonts in vertical text should support synthesized italics (r214848)
REGRESSION (r190983): Non-element, non-text nodes should not be distributed to slots (r192763)
Implement iterator for traversing composed DOM (r190983)
ShadowRoot with leading or trailing white space cause a crash (r190585)
Create RenderRubyText for <rt> only when the parent renderer is a RenderRuby. (r183160)
Move render ruby initialization logic from RenderElement::createFor() to *::createElementRenderer() (r183129)
Catch up ruby and its tag omission rule changes in HTML5 CR Feb 2014 (r167437)

May 30, 2019
============
REGRESSION (r167689): Hovering file name in a file input causes a crash (r167840)
[GTK] Bump freetype version to 2.8.0 (r221670 partial revisited)
[FreeType] Add support for the USE_TYPO_METRICS flag (r191378)
Update flexbox to Blink's tip of tree (r213149 partial)
DOMWindow::dispatchEvent() does not reset the event's dispatch flag (r224125)
Event handlers should not be called in frameless documents (r218242)
document.createEvent("popstateevent") should create a PopStateEvent (r205138 partial)
Protect FrameView from being destroyed in Document::recalcStyle() (r185403)
Laili restaurant menu page does not display full menu (r217943)
Available height is wrong for positioned elements with "box-sizing: border-box" (r225101)
Remove InsertionPoint and ContentDistributor (r190845)
REGRESSION(r210226): fast/history/back-from-page-with-focused-iframe.html crashes under GuardMalloc (r210246)
ASSERTION FAILED: !isUnreachableNode(m_target.get()) when hovering over any input element (r190340)
relatedNode should be retargeted respecting slots (r190288)
Make event dispatching respect slotting (r190214)
REGRESSION (r157328): popover to check into flight ba.com dismisses instantly when focusing form (r167689)
HTML-page with <object type="image/svg+xml" data="foo.svg"> often is blank (r225791)
WebKit should unset event propagation flags after dispatch (r204630)
Event fired on a detached node does not bubble up (r190153)
Crash in EventDispatcher::dispatchEvent entering a location on Google Maps (r185232)
Comment in ScopedEventQueue::dispatchEvent is unnecessarily verbose (r157933)
Reintroduce PassRefPtr<Event> copy in ScopedEventQueue::dispatchEvent (r157401)
Extract an iterator/resolver class from calculateAdjustedNodes (r157331)
Dramatically simplify calculateAdjustedNodes (r157328)
Make EventPath private to EventDispatcher.cpp (r157294)
EventContext should be used only in EventDispatcher.cpp (r157288)
Remove EventRetargeter.h/cpp (r157282)
Make all functions of EventDispatcher static (r157250)
Move the rest of EventRetargeter functions to EventPath (r157242)
REGRESSION(r157210): Crashes in WebCore::ScopedEventQueue::dispatchEvent for platforms using GCC (r157219)
Make EventDispatcher::dispatch comprehensible (r157210 + r157214)
Remove the code erroneously in the previous commit. (r157153)

May 29, 2019
============
Remove PassRefPtr use from the "dom" directory, related cleanup (r210216 partial)
EventDispatchMediator is goner (r157203 + r157245)
Remove MouseEventDispatchMediator (r157196)
Remove all subclasses of EventDispatchMediator except MouseEventDispatchMediator (r157195)
Rename EventRetargeter::adjustForRelatedTarget to EventPath::setRelatedTarget (r157177)
Make buildRelatedNodeMap and findRelatedNode static to EventRetargeter.cpp (r157083)
Make an event object clonable to support an event propagation across seamless iframes. (r126256)
JITOperations putByVal should mark negative array indices as out-of-bounds (r245813)
ByValInfo should not use integer offsets. (r236587)
DFG::OSRExit::m_patchableCodeOffset should not be an int (r236585)
DFG::OSREntry::m_machineCodeOffset should be a CodeLocation. (r236576)

May 28, 2019
============
Turn EventPath into a real class (r157152 + r157158)
Get rid of Node::preDispatchEventHandler and Node::postDispatchEventHandler (r156825 + r156826)
Cleanup Document::dispatchFullScreenChangeOrErrorEvent (r156733)
Simplify the loop in EventRetargeter::calculateEventPath (r157127)
Use references in EventRetargeter::calculateEventPath and EventRetargeter::eventTargetRespectingTargetRules (r157123)
EventDispatchBehavior is unnecessary (r157085)
Remove EventPathWalker. (r156390)
ASSERTION FAILED: !node || node->isShadowRoot() in WebCore::EventRetargeter::eventTargetRespectingTargetRules (r154289)
[Shadow DOM] Change the order of event dispatching at AT_TARGET phase. (r147371)
[Shadow Dom]: Non Bubbling events in ShadowDOM dispatch in an incorrect order (r145873)
Calculate EventPath in EventDispatcher's constructor. (r143426)
Make EventDispatcher take an Event object in its constructor. (r143145 + r143244 rolled out + r143303)
Extend EventDispatcher::dispatchSimulatedClick to allow sending a mouseover event (r135690)
Factor Event retargeting code. (r142957)
[Shadow] Stop 'load' and 'error' events at shadow boundaries (r125744)
REGRESSION (r190430): WTFCrashWithSecurityImplication in:void SVGRootInlineBox::layoutCharactersInTextBoxes() (r196669)
REGRESSION(r190430): Assertion failure in Text::~Text() (r195727)
Inserting or removing slot elements can cause a crash (r190008)

May 27, 2019
============
REGRESSION (r190840): crash inside details element's slotNameFunction (r198090)
Rewrite HTMLDetailsElement using HTMLSlotElement (r190840 + r191289)
Update style/layout when a slot is added or removed (r190323)
invalidateSlotAssignments should trigger style recalc (r190109)
The binding for getDistributedNodes unnecessarily makes a vector of nodes (r190093)
JITOperations getByVal should mark negative array indices as out-of-bounds (r245769)
Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain (r228720)
[INTL] Implement String.prototype.localeCompare in ECMA-402 (r194328 + r194332 rolled out + r194394 + r198171 rolled out + r199967)
[INTL] Implement String.prototype.toLocaleUpperCase in ECMA-402 (r193679)
[INTL] Implement String.prototype.toLocaleLowerCase in ECMA-402 (r193611)
[INTL] Implement Number.prototype.toLocaleString in ECMA-402 (r193493)

May 24, 2019
============
Slot elements should support fallback contents (r190430)
HTMLSlotElement should render its assigned nodes (r190084)
Add HTMLSlotElement, Element.slot, and NonDocumentTypeChildNode.assignedSlot (r189950)
We should only make rope strings when concatenating strings long enough. (r241230 + r241255 rolled out + r241493)
DFG::OSREntry should not perform arity check (r245710)

May 23, 2019
============
Optimize Canvas fill and drawImage with SourceIn, DestinationIn, SourceOut, and DestinationAtop using transparencyLayer. (r167248)
Canvas strokeText and fillText with SourceIn, DestinationIn, SourceOut, DestinationAtop and Copy have errors (r166840)
Canvas stroke and strokeRect with SourceIn, DestinationIn, SourceOut, DestinationAtop and Copy have errors (r166836)
Zero size gradient should paint nothing on canvas (r141612)
Proposal: Add support for even-odd fill and clip to Canvas (r140352)
Update GraphicsContext to support winding rule in clip operator for Cairo (r140091)
Update GraphicsContext to support winding rule in clip operator for Core Graphics (r139967)
REGRESSION(r233495) [cairo] drawGlyphsShadow should use the fast path for zero blur-radius (r233556)
[cairo] Doesn't paint box-shadow with zero blur-radius (r233495)
[Cairo] Use one-time ShadowBlur objects when performing shadowing (r227051)
[Cairo] Contain shadow blur requirement state in a separate object (r226509)
[Cairo] Canvas: Path::clear should clear its transform (r226443)
[Cairo] Remove GraphicsContext::mustUseShadowBlur() (r224754)
Don't clear PropertyNameArray in Proxy code (r245643)
[JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames() (r243943 + r244020 rolled out + r244330)
[JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys (r243933)
[JSC] Fix Array allocation in Object.keys (r221970)
[JSC] Optimize Object.keys by using careful array allocation (r221853)
[JSC] fix RETURN_IF_EXCEPTION() placement in ownPropertyKeys() (r215810)
[JSC] Object.keys() must discard property names with no PropertyDescriptor (r215799)

May 21, 2019
============
[GTK] Bump freetype version to 2.8.0 (r221670 partial)
Remove feature: CSS variables (r159842 complete revisited)
[CSS] Minor cleanups in CSS variables handling (r150302)
[CSS] CSS Variables are case-sensitive (r150207)
Make CSS variable names case-insensitive. (r131313)

May 20, 2019
============
Canvas methods clip/fill/stroke should not except 0 argument (r165976)
Refactor Path to Path2D and remove currentPath (r165651)

May 17, 2019
============
Nested template contents are not cloned by document.importNode (r177372)
implement op_get_rest_length so that we can allocate the rest array with the right size from the start (r192814)
op_throw_static_error's use of its first operand should be reflected in DFG BytecodeUseDef as well. (r216459)
[WebCore][JSC] Use new @throwTypeError and @throwRangeError intrinsics (r206870 partial revisited)

May 15, 2019
============
[WebIDL] Move plugin object customization into the generator (r219302 partial)

May 14, 2019
============
Expose CloseEvent and CustomEvent to workers (r234799)
WebSocket::didReceiveMessage() may construct a SecurityOrigin object on a non-main thread (r230042 + r230305 rolled out)
WebSocketChannel should ensure its client is live when calling it in error case (r225469)
The setter of binaryType attribute in WebSocket should raise the exception. (r198482)
Crashes in SocketStreamHandleBase::close (r184005)
"nullable" sequence support is incomplete (i.e. sequence<NativeType>?) (r170015)
Sec-WebSocket-Extensions header field must not appear more than once in an HTTP response. (r149120)
WebSocket: Return type of send() should be void if hybi-10 protocol is chosen (r148968)
Add User-Agent header in opening handshake headers. (r144037)
Improve WebSocketChannel connection failure console messages. (r135981)
Remove the custom WebSocket::send for both V8 and JSC (r134386)
[WebSocket] WebSocketInflater should handle BFINAL = 1 blocks (r131395)
[WebSocket] Add "Cache-Control: no-cache" to handshake request (r131155)
[WebSocket] Setting wrong value to binaryType should not raise exception (r130019)
WebSocket.send() should accept ArrayBufferView (r124846)
JSObject::getOwnPropertyDescriptor is missing an exception check (r245249 partial)
Allow setting the prototype of cross-origin objects, as long as they don't change (r214135)
Symbols exposed on cross-origin Window / Location objects should be configurable (r211772)

May 13, 2019
============
[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values (r202413 + r202435 rolled out + r202680 complete)
[JSC] Add truncate operation (rounding to zero) (r198981)
[JSC] String substring operation should return ropes consistently (r245194)

May 10, 2019
============
OfflineAudioDestinationNode::startRendering leaks OfflineAudioDestinationNode if offlineRender exists early (r244145)
DFG should know that CreateThis can be effectful (r229987 partial revisited)
[JSC] Introduce @toObject (r224280 + r224335)
[JSC] Clean up Object.entries implementation (r218790)
[JSC] Object.values should be implemented in C++ (r218697)
[JSC] Implement Object.assign in C++ (r218348)
[JSC] Speedup Object.assign for slow case by using propertyIsEnumerable (r217191)
[ES2016] Implement Object.entries (r204419)
[ES2016] Implement Object.values (r204358)
parseStatementListItem needs a stack overflow check (r245152)

May 09, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.8.2.

May 09, 2019
============
Invalid DFG JIT genereation in high CPU usage state (r245071)

May 08, 2019
============
preflight checker should add a console message when preflight load is blocked (r231056)
DocumentThreadableLoader should send credentials after redirections and preflight if fetch option credentials is include (r229907)
Service Worker fetch should filter HTTP headers that are added by CachedResourceLoader/CachedResource (r225574 partial)
Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language (r209261)
WebCore::ResourceErrorBase::setType is crashing (r206524)
[Fetch API] Referrer and Origin header should not be considered as safe request headers (r206009)
ASSERT(revalidatingResource.inCache()) in MemoryCache when reloading tumblr.com (r185070)
[WTF] HashTable's rehash is not compatible to Ref<T> and ASan (r205836)
[WTF] HashTable's rehash is not compatible to Ref<T> and ASan (r205694)
Remove needsDestruction from vector and hash traits (r156507 partial)
[WTF] Add the move constructor, move assignment operator for HashTable (r170995 + r170999 rolled out + r171262)
Remove the hash table mover (r156496 + r156524 + r156526)
Replace WTF::move with WTFMove (r194496)
Rename WTF_MOVE to WTFMove (r194469)
Use of WTF::move prevents clang's move diagnostics from warning about several classes of mistakes (r194451)
Stop moving local objects in return statements (r194428 partial)
Add WTF::move() (r170774)
Add Accept-Encoding: identity to Range requests (r232571)
X-Frame-Options: SAMEORIGIN needs to check all ancestor frames (r231730)
[WTF] StringBuilder should set correct m_is8Bit flag when merging (r244429)
Correct JSON parser to address unterminated escape character (r245028)
JSC: A bug in BytecodeGenerator::emitEqualityOpImpl (r245047)

May 07, 2019
============
[JSC] We should check OOM for description string of Symbol (r244996)
REGRESSION(r180726): Removing an empty line at the end of textarea clears the entire texture (r181465)
isEditablePosition and related functions shouldn't move position out of table (r180726)

May 06, 2019
============
isEditablePosition shouldn't trigger synchronous layout (r164387)
Cleanup the interface of FrameSelection (r163739)
Remove inline member functions of FrameSelection that access m_selection (r163232 + r163233)
Frame::selection() should return a reference (r154286)

May 03, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.8.2.

May 02, 2019
============
HashMap should work with move-only keys (r155963)

May 01, 2019
============
Keyboard input should be disabled in the preview popover (r176753)
Transform is sometimes left in a bad state after an animation (r244800)
Mouseenter/-leave not triggered when element under cursor is moved/removed (r155519 + r155548 rolled out)
display:inline's hover behavior is not applied to ::before and ::after pseudo elements (r139739)
Images in feed on ebay.com jiggle when one is hovered (r198374)
[JSC][DFG] Propagate AnyIntAsDouble information carefully to utilize it in fixup (r214296)
[JSC] Clean up stringGetByValStubGenerator (r232106)
Add MacroAssembler::patchableBranch64 and fix ARM64's patchableBranchPtr (r188135 partial)
Introduce get_by_id like IC into get_by_val when the given name is String or Symbol (r188105 + r188201 rolled out)

Apr 30, 2019
============
JITStubRoutineSet wastes 180KB of HashTable capacity on can.com (r244745)

Apr 26, 2019
============
REGRESSION(r212218): Assertion failures in and after parserRemoveChild (r212621)
parserRemoveChild should unload subframes (r212218)
HTMLConstructionSiteTask::Insert should never be called on a node with a parent (r212140)
REGRESSION (r201471): Keyboard remains visible when swiping back on twitter.com (r207486)
REGRESSION(r201471): FormClient.textFieldDidEndEditing is no longer called when a text field is removed (r202578)
Crash in TreeScope::focusedElement (r201471)
Make adoption agency use the task queue (r163579)
Notify nodes removal to Range/Selection after dispatching blur and mutation event (r158739)
Remove Node::aboutToUnload and be more explicit about what it was for (r134806)

Apr 25, 2019
============
Add support for HTMLMediaElement.fastSeek() (r159208 revisited)
Do not assert when CharacterData representing an Attr fires events (r214915)
Adopting a child node of a script element can run script (r211965 + r211966)
Disconnect child frames iteratively (r161567)
document.currentScript must be null when we're executing a script inside a shadow tree (r200327)
Only HTML spaces should be stripped from a <script>'s 'for' / 'event' attributes (r191349)
Script element with an empty for or event attributes should not execute (r191270)
script.text shouldn't include text from non-direct children of the script element (r190730)
Remove some optimizations made obsolete by use of StringBuilder (r154241)
Add support for document.currentScript (r151951)

Apr 24, 2019
============
Repeated background images have the wrong position when using bottom/right-relative background-position (r196960)
Animations should use double for key values, not floats (r154909)

Apr 23, 2019
============
White edge on animating panel on http://rokkosunnyvale.com (r184395)
REGRESSION (r172417, r184065): Multiple rendering issues with fixed attached background-image (r187116)
background-position sometimes doesn't work properly with background-attachment: fixed (r184065)
Subpixel layout: Cleanup snapSizeToPixel/snapSizeToDevicePixel. (r173049)
Subpixel layout: Rename LayoutRect's device pixel snapping functions. (r173047)
Fixed backgrounds don't paint in blurred inset areas (r172291 + r172332 rolled out + r172417)
REGRESSION (r180582): background-attachment: local; does not scroll the background image when scrolling the the element's contents (r186299)
Cleanup BackgroundImageGeometry class. (r180644)
Remove unused BackgroundImageGeometry::m_destOrigin (r180582)
RenderBoxModelObject::calculateBackgroundImageGeometry should return BackgroundImageGeometry. (r180581)
[CSS Blending] Webkit-blend-mode fails for accelerated parent with overflow:hidden (r168314)
[CSS Blending] Blend mode property is propagated to multiple GraphicLayers (r166526)
Remove unused RenderLayerBacking::hasContentsLayer(). (r183849)
Subpixel rendering: Animating HTML elements leaves trails when embedded to a subpxiel positioned iframe. (r177412)
Remove redundant GraphicsContext::drawImage() function. (r169484)
Garbage when rubber-banding at the right edge of a page zoomed to non-integral scale. (r169161)
Subpixel rendering: WK1: Trail of cruft in redraw during animations. (r167129)
Web Inspector: Breakpoint in gutter has clipped / broken border image. (r167090)
Subpixel rendering: Make border images device pixel aware. (r166925)
Subpixel rendering: Make GraphicsContext::drawTiledImage* functions float based. (r166644)
Subpixel rendering: RenderBox is positioned off by one when non-compositing transform is present. (r166060)
Subpixel rendering: Pass FloatSize boxsize to transform animations to support device pixel sizing. (r165354)
Every scroll causes additional layer tree work because of flatteningLayer->removeFromParent(); (r154018)
Don't remove contents layer from its parent unless necessary (r153805)
Force elements with perspective or preserve-3d to disallow direct composited backgrounds (r153681)
REGRESSION(r152227) Images with compositing layer don't show up unless the containing window is resized. (r152986)
Avoid calling RenderLayerBacking::resetContentsRect() if possible (r152227)
Draw intermediate snapshots if possible (r144017)
Don't unconditionally repaint compositing layers when their size changes (r137526)
Source/WebCore: REGRESSION (r137215): WebKit stretches and shrinks a part of screen on scroll (r137248)
Don't unconditionally repaint compositing layers when their size changes (r137215)
r132427 changed the tiling behavior of tiled layer TileCaches as well as the page tile cache (r132504)

Apr 22, 2019
============
Black line across screen on Adobe Illustrator detail page (non-retina only) (r180661)
Switch BackgroundImageGeometry's m_phase from LayoutPoint to LayoutSize. (r180580)
FrameView::paintContents() is not called for composited content (r166015 + r166018)
Repeating background images should continue into margin tiles (r162098)
Margin tiles are not repainted when background color changes (r161570)
call to setNeedsLayout during RenderVideo::paintReplaced (r132398)
When paged-x/y is specified on the root, columnGap is ignored, and garbage pixels are likely (r126840)
Subpixel rendering: Make GraphicsContext::drawImageBuffer* functions float based. (r166455)
If you set a tiled cross-faded-image or a tiled gradient as a background layer, -webkit-background-blend-mode doesn't work. (r162442)
[CSS Background Blending] Background layer with -webkit-cross-fade doesn't blend (r162348)
GradientImage should be called GradientImage (r156226)
[CSS Background Blending] Gradients don't blend with any of the layers behind. (r151547)
Add platform support for -webkit-background-blend-mode to CG context (r143046)
GraphicsContext::drawImageBuffer is inefficient (r142123)
inconsistency in drawImage with target rect negative dimensions. (r139911)
Improve the logic for compositing backing store avoidance (r173293)
Subpixel rendering: Adjust cliprect with devicePixelFractionFromRenderer() before painting. (r171165)
Subpixel rendering: Zero sized compositing container's content positioned off by one device pixel. (r171100)
Make sure childContainmentLayer is parented (r166339)
Subpixel rendering: Incorrect repaint rect cuts off content's right edge after move. (r165050)
REGRESSION(r164412): Pixel cracks when zooming in to any web content. (r164532)

Apr 18, 2019
============
Subpixel layout: remove roundedLayoutPoint/roundedLayoutSize functions. (r172948)
Subpixel rendering: Device pixel round accumulated subpixel value when the RenderLayer with transform paints its content. (r165127 revisited)
Subpixel layout: Clean up LayoutPoint class. (r163973)
Remove LayoutTypes abstraction (r133779)
Floored and truncated rounded confused. (r125167 partial revisited)
Ambiguous naming: Do not call replacedContentRect()'s return value paint rect. (r179488)
Subpixel layout: Rename LayoutSize's device pixel snapping functions. (r173037)
[CSS Blending]The background images set on the root element will blend on an initial white backdrop. (r170841)
REGRESSION (r166784): Gradient at background of iCloud login page doesnt go all the way to the bottom (r167637)
Subpixel rendering: Move background images to device pixel boundaries. (r166784)
Subpixel rendering: Transition class CSSImageGeneratorValue/class StyleImage (and its dependencies) from IntSize to FloatSize to enable subpixel sized (generated)images. (r166642)
Subpixel rendering: Make <img> positioning subpixel aware. (r166100)
Subpixel rendering: Transition class Image (and its dependencies) from int to float to enable subpixel positioned/sized images. (r166582)
Subpixel rendering: Fix bleed avoidance subpixel calculation. (r164556)
-webkit-cross-fade paints SVGs at full opacity during cross-fade (r157045)
Remove platform/graphic's Generator (r150053)
[subpixel] Change intrinsicSize to LayoutUnit (r133172)

Apr 17, 2019
============
Update the background blending implementation to match the changes done in the spec. (r150503)
[Cairo] fillRectWithColor with Color::transparent doesn't perform anything (r135737)
REGRESSION: Hit testing of composited elements is broken in new multicolumn layout. (r169651)
[iOS] WKPDFView should have a page indicator (r169290)
REGRESSION (174986): CSS clip property is ignored when border-radius is present. (r176432)
REGRESSION: Google Search (mobile) video thumbnails are too large. (r174986)
REGRESSION (r163382): Overflow hidden for inner elements breaks blurring (r172146)
Subpixel rendering: InlineTextBox mistakenly rounds offset value before painting. (r172008 complete revisited)
Subpixel rendering: Region painting needs to take subpixel accumulation into account. (r171896)
Subpixel rendering: Embedded non-compositing rotate transform paints to wrong position. (r171210)
Subpixel rendering: icloud.com password arrow has clipped circle at some window sizes. (r170877 + r171000)
Subpixel rendering: Background clipping with subpixel behaves differently when composited. (r170563)
Make offset from ancestor computation explicit by moving it to the callers. (r170282)
[iOS] Fixed items are sometimes clipped after rubber-banding (r168670)
Some fixed position elements disappear in WK2 on iOS (r163157)
Left sidebar on cubic-bezier.com flickers (r158934)
Non-painting fixed elements should not cause repaints on scroll (r147120)
Rubberband scrolling on news.google.com causes text to blink repeatedly (r141221)
Should update compositing state when an out-of-view fixed position element becomes in-view (r140593)
Allow position:sticky elements to be moved by the scrolling thread (r138076 partial)

Apr 16, 2019
============
Subpixel rendering: Make webkit-box-shadow painting subpixel aware. (r169257)
Subpixel rendering: RenderLayer's clipping should snap to device pixel boundaries. (r167562)
[GTK][WPE] border-radius with non visible border doesn't work on images that have their own RenderLayer (r219445)
[CSS Filters] When applying an SVG filter on a composited image using CSS the image is rendered without the filter (r196571)
[DFG] Remove duplicate 32bit code more (r230517 partial revisited)
Subpixel rendering: border-radius painting falls back to rectangle at subpixel positions. (r165670 + r165671)
Subpixel rendering: Make border-radius painting device pixel aware. (r165065)

Apr 15, 2019
============
Subpixel rendering: Make GraphicsLayer::fillRect FloatRoundedRect based and cleanup dependencies. (r165055)
Box-shadow displayed improperly with border-radius. (r145044)
border-radius with box-shadow is not rendered correctly (r139256)
box-shadow creates incorrect shadow when border-radius is too large (r125304)
Composited frames incorrectly get requestAnimationFrame throttled (r225554)
[New Multicolumn] Elements with rounded corners and overflow:hidden do not properly clip their content (r170566)
Fall out of simple image layer optimization if the image has EXIF rotation (r153797)
Allow ports to decide whether an image should be directly composited (r134147)
Remove special case for transparent SVG root layers (r169368)
<svg> with opacity and compositing double-applies its opacity (r168651)
[GTK] [EFL] Enable tiled shadow blur for the inset shadows. (r153898)
Add platform support for -webkit-background-blend-mode to CG context with background color (r149010)
[Qt] Create ShadowBlur on demand. (r147750)
Content of replaced elements should be trimmed to the content edge curve. (r131557)

Apr 12, 2019
============
Subpixel rendering: Rounded rect gets non-renderable at certain subpixel size. (r171640)
Assertion failed: CGPathAddRoundedRect asserts on non-renderable rounded rectangle. (r170458)
Transition layer offsets from LayoutPoint to LayoutSize. (r170273)
Introduce RenderLayer::offsetFromAncestorLayer() to make convertToLayerCoords() calls with (r170220)
Subpixel rendering: Pixelsnapping empty rounded rect results in NaN radii width/height. (r169716)
Subpixel rendering: border-radius painting falls back to rectangle when the snapped rounded rect becomes non-renderable. (r169620)
REGRESSSION(r168528) Subpixel rendering: Selection rect is not positioned properly when SVG text is selected. (r168687)
REGRESSION (r168095): 1-pixel gap between adjacent selection inlines (r168528)
Subpixel rendering: Inline text selection painting should not snap to integral CSS pixel position. (r168095)
[JSC] op_has_indexed_property should not assume subscript part is Uint32 (r244211)

Apr 11, 2019
============
[Compositor] Do not disable overlap testing for layers in front of 3D transformed layers (r139794)
Element is displayed behind a composited layer when clipping is used on a previous element (r139493)
[CSS Blending] Replacing Unisolated with NotIsolated in variables and methods names (r168468)
[CSS Blending] Blending doesn't work if the parent stacking context is not a self painting layer (r168462)
Incomplete body painting when using blend modes (r167796)
Subpixel rendering: RenderLayer's size is set using enclosingRect() which can result in cruft. (r167582)
[CSS Blending] Isolation descendant dependent flags are not updated correctly (r167424)
[CSS Blending] Compositing requirements for blending are not computed correctly (r166634)
[CSS Blending] Blending operation is not isolated when setting z-index on parent from javascript (r165970)
[CSS Blending] An element having -webkit-mix-blend-mode should only blend with the contents of the parent stacking context (r164579)
[CSS Element Blending] Implement the software path of -webkit-blend-mode with Core Graphics. (r163955)
Add support for blendmode to Core Animation layer. (r161628)
[Cairo] Incorrectly determining height in GraphicsContext::roundToDevicePixels() (r213219)
Subpixel rendering: roundToDevicePixel() snaps to wrong value. (r185916)
Subpixel layout: Remove LayoutUnit's kEffectiveFixedPointDenominator. (r173135)
Subpixel layout: Rename LayoutPoint's device pixel snapping functions. (r173044)
Remove ENABLE(SUBPIXEL_LAYOUT). (r172758)
Subpixel rendering: Non-compositing transforms with subpixel coordinates paint to wrong position. (r169309)
Contents of directly composited image layers are sometimes missing (r167529)
A TrailingObject's endpoint might get decremented twice (r166412)
InlineIterator position (unsigned int) variable can wrap around (r166245)
Subpixel rendering: Nested layers with subpixel accumulation paint to wrong position. (r165540 + r165581 rolled out + r165963)
Subpixel rendering: Transform origin is miscalculated when RenderLayer's (r165892)
Fix bug that caused pages with fixed backgrounds to not be fast scrollable (r140233)
Allow fixed background layers to be moved by the ScrollingCoordinator (r140223)

Apr 10, 2019
============
Remove ScrollView::clipsRepaints() which was only used by Chromium (r220781)
Change scrollOffsetForFixedPosition() to do LayoutUnit math (r165484)
Subpixel rendering: Simple compositing container layer (isSimpleContainerCompositingLayer) paints to wrong position. (r165341)
Subpixel rendering: Setting content to opaque on m_graphicsLayer depends on subpixel accumulation. (r165190)
Enable device pixel repaint rect tracking. (r165094)
[mac] Stop using DrawingAreaImpl on PLATFORM(MAC)  (r156793)
[CSS Background] repeat: round should round the number of tiles to the nearest natural number (r156322)
[CSS Masking/Background] Position property should be ignored when using repeat: space (r156097)
compositing/geometry/bounds-ignores-hidden-dynamic.html has incorrect initial rendering (r154470)
Painting of fixed background images is wrong in composited layers (r151623)
REGRESSION (r178156): CSS Parser incorrectly rejects valid calc() in padding-right property (r183765)
ASSERTION FAILED: !valueWithCalculation.calculation() in WebCore::CSSParser::validateCalculationUnit (r178156 revisited)
Assert should never be reached hit in WebCore::CSSCalcPrimitiveValue::doubleValue (r178102)
Crash when creating CSSCalcBinaryOperation (r177089)
Inset box-shadows fail to round around corners when border-radius is set in vh/vw units. (r156466)
CSS Unit vh, vw, vmin and vmax in box-shadow are not applied. (r156318)
Shadows don't support viewport units (r153948)

Apr 09, 2019
============
ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get (r244069)
[JSC] DFG should respect node's strict flag (r244067 partial)
[JSC] to_index_string should not assume incoming value is Uint32 (r244057)
Do value profiling in to_this (r226436)
get_by_id_with_this does not trigger a to_this in caller. (r202710)
We need to to_this when an inner arrow function uses 'this' (r202693)

Apr 08, 2019
============
REGRESSION (r164449): Subpixel rendering: http://www.apple.com/iphone-6/ "Faster wireless." image displays vertical black line on 1x displays at specific window width. (r183950)
Subpixel rendering: Enable compositing RenderLayer painting on device pixel position. (r164449)
Rename 'IntSize toSize(const IntPoint&)' to 'toIntSize' (r139045)
SIGSEGV in JSC::BytecodeGenerator::addStringConstant (r243948 partial)
test262: test262/test/annexB/language/comments/multi-line-html-close.js (r215235)
[JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern (r243959)

Apr 05, 2019
============
[JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode (r243925)

Apr 04, 2019
============
NULL ptr in WebCore::RefCountedPropertyWrapper<WebCore::ClipPathOperation>::blend (r155105)
ScrollingStateNodes should be referenced via IDs on RenderLayerBacking (r130783)
Add rudimentary support for move-only types as values in HashMap (r155621 rolled in)
HashSet should work with move only types (r155577 rolled in)
[JSC] don't crash when arguments to `new Function()` produce unexpected AST (r207684)

Apr 03, 2019
============
Subpixel rendering: Make GraphicsLayer's offsetFromRenderer subpixel position based. (r164415)
Subpixel rendering: Make GraphicsLayer::paintGraphicsLayerContents()'s cliprect FloatRect based. (r164412)
Subpixel rendering: Switch repaint rect from IntRect to LayoutRect to be able to repaint on device pixel boundaries. (r163944)
Subpixel rendering: Make GraphicsLayerClient::paintContents's clip rect subpixel based. (r163931)
REGRESSION (r155660): box-shadow causes overlay scrollbars to be in the wrong position when element is composited (85647) (r159082)
Video with object-fit: cover can spill outside the box (r154921)
Unnecessary use of Layout types in GraphicsLayer::paintGraphicsLayerContents (r151319)
Dropdowns on http://www.exploratorium.edu don't show anything (r149969)
Implement coordinated scrollbar for subframes and overflow:scroll (r144024 + r144799 + r144823)
Elements that dynamically become fixed sometimes jump to the top left on scrolling (r141330)
Some ScrollingCordinator-related cleanup in RenderLayerBacking (r139802)
Use toSize() to convert from Int/FloatPoint to Int/FloatSize (r139037 complete revisited)
Pages with position:fixed elements should still be able to scroll on the scrolling thread -and corresponding- (r133536 partial)

Apr 03, 2019
============
  => Passed JIT tests/ACID3/ACID2/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.8.2.

Apr 03, 2019
============
Weak should have a move constructor and move assignment operator (r156469 rolled in)
OwnPtr: Use copy/move-and-swap for assignment operators (r155526 rolled in)
Clang doesn't optimize away undefined OwnPtr copy constructor (r128203 rolled in)
RadioNodeList should be exposed on Window (r148869)
Use toSize() to convert from Int/FloatPoint to Int/FloatSize (r139037 partial)
CodeBlock::jettison() should disallow repatching its own calls (r243626 rolled out)

Apr 02, 2019
============
Vector with inline capacity should work with non-PODs (r164185 complete revisited)
VectorBuffer::swap doesn't need to use std::swap_ranges (r155542)
More WTF/Alignment.h removal (r155484 partial)
Shrink baseline size of WTF::Vector on 64-bit by switching to unsigned capacity and size. (r148891)
Remove Vector::dataSlot(), it has no implementation (r143254)
Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) constructor explicit (r183065)

Apr 01, 2019
============
Assertion failure in Range::nodeWillBeRemoved (r162492)
Weak should have a move constructor and move assignment operator (r156469 rolled out)
It should be an error to use adoptPtr with RefCounted subclasses (r149341)
Clang doesn't optimize away undefined OwnPtr copy constructor (r128203 rolled out)
Subpixel rendering: InlineTextBox mistakenly rounds offset value before painting. (r172008 partial)
Fix assertion failure with simple line layout debug borders enabled. (r169041)
Subpixel rendering: Simple line layout should not round to integral position while painting. (r166456)
Subpixel rendering: Change RenderBoxModelObject's border functions' signature to support subpixel border painting. (r163171)
Subpixel Layout: SimpleLineLayout needs more position rounding to match InlineFlowBox layout. (r162553)
Subpixel layout: RenderInline is not centered when child RenderTextControl's innerTextRenderer needs bias centering. (r162791)
Subpixel layout: setSimpleLineLayoutEnabled() produces different layout when line position has CSS px fractions. (r162340)
Reuse floating point formatting of TextStream in [SVG]RenderTreeAsText.cpp (r128564)
[iOS][WebKit2] Mark layer contents as being opaque if they are (r165863)
At some scales, opaque compositing layers have garbage pixels around the edges (r159463)
[Sub pixel layout] RTL cells with padding wraps (r139807)
REGRESSION(SUBPIXEL_LAYOUT): el.offsetWidth < el.clientWidth for elements of a certain size (r139013)
Assertion failed in JSC::createError (r243665)
JSC::createError should clear exception thrown by errorDescriptionForValue (r243335)
JSC::createError needs to check for OOM in errorDescriptionForValue (r243246)
String overflow in JSC::createError results in ASSERT in WTF::makeString (r239375)

Mar 31, 2019
============
Add rudimentary support for move-only types as values in HashMap (r155621 rolled out)
Remove redundant calls to ceilToFloat in RenderBlock::computeInlinePreferredLogicalWidths (r151445 + r151446)
LayoutUnit::epsilon shouldn't be necessary to place floats (r143357 revisited)
Float imprecision causes incorrect wrapping in LineLayout with subpixel layout (r124295 revisited)

Mar 30, 2019
============
Ruby overhang uses ints instead of floats (r177398)
[Subpixel] Use floats instead of ints for text justification expansion (r174233)
Unexpected word wrapping for wrapped content then raw content. (r156536 + r157100 rolled out)
Background images can incorrectly repeat with sub-pixel layout (r132731)
[Chromium] SVG repaint issues (r132377)

Mar 29, 2019
============
CodeBlock::jettison() should disallow repatching its own calls (r243626)
Reduce LayoutRect::infiniteRect() usage. (r178541)
Subpixel rendering: Make PaintInfo layout unit aware. (r162732)
Add {IntRect, FloatRect}::infiniteRect() and ::isInfinite() (r161381)
REGRESSION(SUBPIXEL_LAYOUT) Composited layers can cause one pixel shifts (r154009)
Make WorkerThread lifetime much more predictable. (r225343)
NavigatorBase::onLine() accesses NetworkStateNotifier's singleton in a worker thread (r224321 partial)
BreakingContext::handleReplaced() should use replacedBox instead of m_current.renderer(). (r218989)

Mar 28, 2019
============
Remove two unnecessary mallocs from the main-thread-parser code path (r144544)
XSSAuditor should use threadSafeMatch when relevant. (r144425)
Continue making XSSAuditor thread safe: Remove unsafe AtomicString compares (r141686)
Cut down on calls to String::lower; mostly replace with convertToASCIILowercase (r195951 partial)
HashSet should work with move only types (r155577 rolled out)
ASSERTION FAILED: layoutState->m_renderer == this in WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage (r209158)

Mar 27, 2019
============
Leak of SVGFontFaceElement when RenderStyle holds onto a FontRances which uses it (r243483 partial)
Correct handling of isolatedWorld in event handling (r215486)
Refactor LazyEventListener creation to separate Element and Document cases (r196888)

Mar 26, 2019
============
Overwriting an attribute event listener can lead to wrong event listener firing order (r206889)
Use FocusEvent.relatedTarget in {FocusIn,FocusOut,Focus,Blur}EventDispatchMediator. (r142719)
Factor EventContext and introduces MouseOrFocusEventContext. (r142575)
{FocusIn,FocusOut,Focus,Blur}EventDispatchMediator should be in FocusEvent.cpp (r142329)
Support a relatedTarget attribute on focus/blur events (r142240)
Implement FocusEvent constructor (r142205)
WebKit's focus events are UIEvents (instead of FocusEvent) and thus don't expose .relatedTarget (r142072)
Implement pseudoElement attribute on transition DOM events. (r141119)
Event dispatch: Avoid heap allocations in ensureEventAncestors() typical case. (r137680)
Event's relatedTarget re-targeting does not occur for manually fired mouse events created by event.initMouseEvent(). (r136918)

Mar 25, 2019
============
DOMTokenList update steps for classList don't follow the spec (r189632)
Add relList to the anchor, area and link elements (r175028)
Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf(). (r243391)
Fix missing exception check in genericTypedArrayViewProtoFuncSet(). (r211246)
Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files. (r209031)
%TypedArray%.prototype.indexOf is coercing non-integers or non-floats to numbers wrongly (r203297)
ECMAScript 2016: %TypedArray%.prototype.includes implementation (r203037 + r203046 rolled out + r203107)

Mar 22, 2019
============
Cancel pending script loads when service worker is being terminated (r226398 partial)
[Fetch API] isRedirected should be conveyed in workers (r203153)
fourthTier: get rid of op_call_put_result (r153200 partial revisited)
[WebIDL] Remove custom binding for the named Image constructor (r209987 rolled in)
[Web IDL] Specify default values for optional parameters of type 'unsigned long' (r200110)
Drop Dictionary from CanUseWTFOptionalForParameter() (r200099)
[Web IDL] Specify default values for optional parameters of TypedArray types (r200088)

Mar 21, 2019
============
JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap (r243299)
Rename RenderStyle::fontSize() to RenderStyle::computedFontPixelSize() (r219544)
HTML <sub> and <sup> elements do not work in some 64-bit builds (r172317)
<marquee> element forces itself to be at least 1em high, regardless of 'height' declaration (r130541)
Devirtualize FontData (r178388)
FontCache should only deal with SimpleFontData (r178180)
Add SPI for telling WebKit to prefer pictograph glyphs over monochrome ones (r157265)
CSSSegmentedFontFace does not need to be reference counted (r196388)
DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty (r243278)
typeOfDoubleSum is wrong for when NaN can be produced (r243277)
GetCallee does not report the correct type in AI (r243268)

Mar 20, 2019
============
CSSSegmentedFontFace::fontRanges() does not handle duplicate fonts correctly (r188114)
[WebCore] Clean up script loading code in XML (r208840)
A 'load' event should be fired on the shadow host directly, not on an inner image element of shadow dom subtree. (r125727)
Align the event listener firing code with the latest DOM Specification and simplify it (r204459)
Implement DOM3 wheel event (r154673 partial)
Enable DOM class create functions to take parameters in case of JSBuiltinConstructor (r197642 partial)
Remove the inline capacity of Operands (r243088)

Mar 19, 2019
============
Setting URL.search to '' results in a stringified URL ending in '?' (r217004)
URL hash setter does not remove fragment identifier if argument is an empty string (r202176)
Clean up some edge cases of URL parsing. (r149925)
<object data="<some data URL>"> MIME types aren't case-insensitive (r149466)
[Web IDL] Drop support for legacy [ConstructorConditional=*] (r207279)
[Web IDL] interface objects should be Function objects (r196392 complete revisited)
WebIDL generator should support the possibility for C++ classes to have a JS Builtin constructor (r194100 complete revisited)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 complete revisited)
Finalize bug 149952 patch (r191238)
Binding generator should use templated JSXXConstructor (r191176 + r191316)
Rationalize JSXXConstructor class definition (r190785 + r190803)

Mar 18, 2019
============
[JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC (r242991 partial + r242999 partial)
[JSC] Add a JSONStringify overload that receives a JSValue space (r236660)
Unreviewed, check scope after performing getPropertySlot in JSON.stringify (r233987)
JSON.stringify should emit non own properties if second array argument includes (r233924)
[JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks (r233918)
[JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable (r233917)
[JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function (r231839)
ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread() (r242955)
Fixup uses KnownInt32 incorrectly in some nodes (r242954 partial)
DFG liveness can't skip tail caller inline frames (r242945)

Mar 08, 2019
============
Setting Window.opener to null should disown its opener (r226842)
Drop custom bindings code now window.open() (r216615)
Drop custom bindings code for Window.location setter (r216534)
Refactor / Clean up DOMWindow.idl (r216479 partial)
[JSC] Remove merging must handle values into proven types in CFA (r242627)
[JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL (r242626)

Mar 07, 2019
============
We need to clear cached structures when having a bad time (r229161 partial)
BytecodeGenerator::m_finallyDepth should be unsigned. (r210119)
BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump. (r212640)
De-duplicate finally blocks. (r210116)
Rename BytecodeGenerator's ControlFlowContext to ControlFlowScope. (r209728)
Implement font-stretch for installed fonts (r213267 partial)
SegmentedVector should waste less memory. (r185663)
[JSC] AI should not propagate AbstractValue relying on constant folding phase (r242568)

Mar 06, 2019
============
[JSC] Should check exception for JSString::toExistingAtomicString (r242500)

Mar 05, 2019
============
Expose crypto.getRandomValues to Web Workers (r204481)
window.Crypto is missing (r199159)
Document should be constructable (r164036 + r164099)
Treat some CSS properties as keyword properties (r205888)
Remove webkit prefix from CSS columns. (r175421)
Stop pretending to support <string> for text-align. (r153389)
Add support for the column-fill property (r157458)
Rename WorkerContext to WorkerGlobalScope (r152080)

Mar 04, 2019
============
Remove the unused *Executable::unlinkCalls() and CodeBlock::unlinkCalls() (r188972)

Mar 04, 2019
============
Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js (r218414 complete revisited)
Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate(). (r215885 partial revisited)
IntlObject should not be using JSArray::initializeIndex(). (r214637)
IntlObject uses JSArray::tryCreateUninitialized in an unsafe way (r211043)
Property setters should not be called for bound arguments list entries. (r210563)
[INTL] Implement Intl.getCanonicalLocales (r206837)
Speed up Function.prototype.bind a bit by making it a builtin (r205848)
Speed up bound functions a bit (r199946 partial)
  => Passed JIT tests and CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Mar 01, 2019
============
GC constraint solving should be parallel (r225524 partial - SlotVisitor m_opaqueRoots should use PtrHashSet)
WorkerGlobalScope's self, location and navigator attributes should not be replaceable (r200375)
Remove [NoInterfaceObject] from WorkerGlobalScope (r152100 complete revisited)
Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions (r179791 partial)
Add removeFirst(value) / removeAll(value) methods to WTF::Vector (r179599 partial)
CSSValueList should never contain null values. (r172536)
Drop the [EventTarget] WebKit-specific IDL extended attribute (r196568)

Feb 28, 2019
============
Binding generator should support interfaces with CustomConstructor and NoInterfaceObject (r184872 + r184886 rolled out + r184953)
Merge [NoInterfaceObject] and [OmitConstructor] extended attributes (r151207)
[ES7] Introduce exponentiation expression (r203499)
[WebIDL] Remove custom binding for the named Image constructor (r209987 rolled out)
Modern IDB: Lots of IDB bindings cleanup (including making IDBVersionChangeEvent constructible). (r199750)
Remove old WebKit Animation API code (r137243)
The parser is failing to record the token location of new in new.target. (r242193 partial)

Feb 27, 2019
============
[WebIDL] Remove custom binding for the named Image constructor (r209987)
Exposing webkitMediaStream as MediaStream (r186697)
Remove custom code for webkitAudioContext global constructor getter (r150663 + r151832)
Have IDL interface names match their global constructor (r150509)
Get rid of Custom code for Audio global constructor (r150311)
Get rid of [CustomGetter] for global named constructors (r150283)
[IDL] Extend support for [EnabledAtRuntime] attributes / operations to all global objects, not just Window (r199103 complete revisited)
Add support for [EnabledAtRuntime] operations on DOMWindow (r199096)
Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings (r199017 partial revisited)
Add [EnabledAtRuntime] extended attribute support for global constructors (r150276)
[WebIDL] Another bindings cleanup pass, this time focusing on attributes (r217507 partial)
EventTarget should visit the JSEventListeners using visitAdditionalChildren (r211238)
CodeGeneratorJS's InstanceNeedsVisitChildren should not return true just because a class is / extends EventTarget. (r217642)
Window's named properties should be exposed on a WindowProperties object in its prototype (r203935 + r204166 rolled out + r204179)
[[GetPrototypeOf]] should be a fully virtual method in the method table (r197648 complete revisited)
REGRESSION (r196563): Images not loading on https://klim.co.nz/blog/paypal-sans-design-information/ (r196961)
Regression(r196563): It is no longer possible to call window.addEventListener without an explicit 'this' (r196588)
Window and WorkerGlobalScope should inherit EventTarget (r196563)
Move generate prototype and constructor classes into the generated implementation files (r170167 partial)

Feb 26, 2019
============
Fast path for casting JSValue to JSDocument*. (r178758)
Remove overrides of visitChildren() that do not add any functionality. (r217645 partial)
Drop WorkerGlobalScope's custom GetOwnPropertySlot() implementation (r200814)
[JSC] Add @throwXXXError bytecode intrinsic (r206853 partial revisited)
stringProtoFuncRepeatCharacter will return `null` when it should not (r206573)
Make builtin TypeErrors consistent (r203393 partial revisited)
padStart/padEnd with Infinity produces unexpected result (r202966)
Unexpected "Out of memory" error for "x".repeat(-1) (r202954)
DFGByteCodeParsing does not handle calling the Object constructor with no arguments correctly (r202487)
Add support for Symbol.isConcatSpreadable (round 2) (r202125 partial)
[JSC] re-implement String#padStart and String#padEnd in JavaScript (r200210)
[JSC] implement spec changes for String#padStart and String#padEnd (r200194)
[JSC] Implement String.prototype.repeat in builtins JS (r198838)
[JSC] fix divide-by-zero in String.prototype.padStart/padEnd (r198695)
[JSC] implement String.prototype.padStart() and String.prototype.padEnd() proposal (r198674)
[JSC] Repeat string created from Array.prototype.join() take too much memory (r242081)

Feb 25, 2019
============
[JSC] SmallStringsStorage is unnecessary (r241954 + r241955)
EdenCollections unnecessarily visit SmallStrings (r178984)
Enhanced GC logging (r166837 partial)
JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState. (r236369 complete revisited)

Feb 25, 2019
============
Add an exception check and some assertions in StringPrototype.cpp. (r241991 partial)
[ES6] Add support for Symbol.isConcatSpreadable. (r198808 + r198844 rolled out + r199128 + r199164 rolled out + r199397 + r200149 rolled out + r200426 rolled in + r201049 rolled out)
  => Passed JIT tests and CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Feb 22, 2019
============
[JSC] Use new extra memory reporting in PropertyTable (r?)
[JSC] PropertyTable should report extra memory for its m_index and m_deletedOffsets (r?)
[JSC] Use new extra memory reporting in SparseArrayMap (r236900)
Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add(). (r214857)
Refactored the JSC::Heap extra cost API for clarity and to make some known bugs more obvious (r181407 partial revisited)
[JSC] Array.prototype[Symbol.unscopables] should have the "includes" property (r202943)
ArrayPrototype.map builtin declares a var it does not use (r218674)
Array.prototype.concat should not modify frozen objects. (r207178 partial)
Make @Array(size) a bytecode intrinsic (r204597)
[ES6] Module namespace object should not allow unset IC (r204248)

Feb 21, 2019
============
Indexing an object with an integer that is not a supported property index should not call the named property getter (r191587)
Rename JSDOMWrapper to JSDOMObject and JSDOMWrapperWithImplementation to JSDOMWrapper (r191060)
Refactor binding generator to factor JS DOM class m_impl handling (r190403)
Simplify DOM wrapper destruction, don't deref() in finalizers. (r183523)
Build break since r172093 (r172128)
Make NodeList.length inline-cacheable by JSC. (r167181)
JS DOM wrappers' impl() functions should return references. (r157215)
[JSC] Replace $implClassName with $interfaceName in CodeGeneratorJS.pm (r135256)
REGRESSION(r205374): <li> content inside <ul> should mid-word wrap when word-break: break-word is present. (r215660)
ASSERTION FAILED: !m_committedWidth in WebCore::LineWidth::fitBelowFloats (r205374)
IndexedDB: Assertion failure with open() within upgradeneeded (r133776)
IndexedDB: Pending call cleanup (r129076)

Feb 20, 2019
============
[ListItems] Render tree should be all clean by the end of FrameView::layout(). (r206765)
Add support for the initial-letter CSS property to first-letter (r173217)
Refactor LineLayoutState's float box handling. (r207219)
A floating element within <li> overlaps with the marker (r210239)
Do not position detached list item marker. (r210001)
Use IndentTextOrNot instead of passing isFirstLine/shouldIndentText as bool. (r197462)
Background of an absolutely positioned inline element inside text-indented parent is positioned statically. (r197030)
RenderListItem resets its marker's style on style change even if the diff is StyleDifferenceEqual (r180090)
Clarify RenderListMarker ownership model. (r175505)
ASSERTION FAILED: listNode in WebCore::RenderListItem::updateListMarkerNumbers (r171917)
InlineTextBox's m_len can be an unsigned (rather than an unsigned short) (r170413 + r170947 rolled out)
REGRESSION (r133351, sub-pixel layout): Right-to-left block with text-overflow: ellipsis truncates prematurely (breaks facebook.com Hebrew UI) (r169048 complete revisited)
Crash in RenderBlock::addChildIgnoringAnonymousColumnBlocks. (r166078)
RenderListItem should store its marker in a RenderPtr. (r161183)
Remove unused arithmetic operation in RenderListItem (r151154)
Tighten TextIterator::handleTextNode run-renderer mapping logic. (r217019)
Simple line layout: Use pre-computed simple line runs to produce innerText content. (r182325 complete revisited)
innerText setter inserts empty text node if value starts with newline (r214136)
TextFieldInputType::handleBeforeTextInsertedEvent shouldn't use plainText (r164329)
ASSERTION FAILED: comparePositions(newEnd, newStart) >= 0 in WebCore::ApplyStyleCommand::updateStartEnd (r164104)

Feb 19, 2019
============
Navigating to www.apple.com hits assertion in WebCore::TextIteratorCopyableText::set() (r183835)
REGRESSION (r165385): Crash when applying autocorrection exceeds maximum text area length. (r178462)
Internals should always cause a layout before calling into TextIterator (r155378)
EllipsisBox ctor's isVertical parameter should read isHorizontal. (r203681)
CTTE: EllipsisBox owner renderer is always a RenderBlock. (r155827)
The ellipsis in a text overflow should not avoid floats (r150602 + r151836 rolled out)
REGRESSION (r138196): Regions with text-overflow: ellipsis; are being ellipsized unnecessarily (r138543)
[Regression] text-overflow ellipsis clips content when zoomed (r138196)
paragraphs with different directionality in textarea with unicode-bidi: plaintext are aligned the same (r164867)
Hittest finds the truncated text instead of the floating input, when the input is clicked. (r151894)
Ellipsis text is placed to wrong position, when the truncated text is fully cut off in RTL direction. (r150065)
Text overflow ellipsis wrong color when using webkit-text-fill-color (r144542)
text-overflow:ellipsis is not applied when the block contains nested blocks (r143754)
Redundant ellipsis box triggers ASSERT_WITH_SECURITY_IMPLICATION in InlineBox::parent(). (r217079 + r217092 rolled out + r217164)
Manage EllipsisBox objects with unique_ptr. (r158346)
Rename InlineBox::remove() to removeFromParent (r157367)
JSGlobalLexicalEnvironment leaks SegmentedVector due to lack of destructor. (r201494)
ArrayPrototype should have a destroy function (r196155)
[ARM] Fix crash with sampling profiler (r241756)
[JSC] JSWrapperObject should not be destructible (r241649)
RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved (r241634)
[JSC] CodeBlock::jettison should clear related watchpoints (r241613)
[JSC] Date.setYear() misses timeClip() (r202683)

Feb 15, 2019
============
IndexedDB: Explicitly send null/undefined/integers to frontend IDBCallbacks (r131661)
IndexedDB: Pass type of error causing abort to IDBTransaction::onAbort (r131371)
Use separate style resolver for user agent shadow trees (r190347 revisited partial)
Implement scoped styling for shadow DOM (r190256)
REGRESSION(r154268): Some stylesheet media attribute tests failing (r154284)
Rename StyleElement to InlineStyleSheetOwner and stop inheriting from it (r154271)
Clean up StyleElement (r154268)
Use TextNodeTraversal for getting sheet text in StyleElement (r154242)
Use 'childOfType' template when retrieving Shadow DOM elements (r209145 partial)
IndexedDB: Remove IDBUpgradeNeededEvent, merge with IDBVersionChangeEvent (r140741 + r140934 rolled out + r141013 rolled in)
IndexedDB: Remove IDBVersionChangeRequest (r140602)
IndexedDB: Implement IndexedDB bindings for JSC (r136686 + r140908)
IndexedDB: Remove IDBDatabase.setVersion API (r135904)
IndexedDB: Obtain ScriptState from IDL binding generator (r135471)
IndexedDB: Complex series of opens/deleteDatabase fails an ASSERT (r135226)
IndexedDB: Propagate DOMRequestState to IndexedDB binding utility functions (r134989)
Add DOMRequestState to maintain world/ScriptExecutionContext state (r134632)
IndexedDB: Cursor property value identities should be preserved (r132401)
IndexedDB: Hidden indexing events are visible to script via bubbling/capture (r131967)
IndexedDB: Refactor IDBDatabaseBackendImpl to use IDBDatabaseMetadata (r131832)
IndexedDB: Closing connection in upgradeneeded should result in error event (r131668)
IndexedDB: remove autogenerated objectStore/index id code (r130708)
IndexedDB: promote objectstore/index backend ids to the frontend (r130428)
IndexedDB: Don't wedge if page reloads with pending upgradeneeded (r130199)
IndexedDB: Use ScriptValue instead of SerializedScriptValue for get/openCursor (r128789)
IndexedDB: Calling close() during upgradeneeded handler should fire error at open request (r128674)
IndexedDB: Use ScriptValue instead of SerializedScriptValue when possible (r128379)
IndexedDB: The |source| property of IDBFactory.open() request should be null (r128370)
IndexedDB: Large integer versions not persisted correctly (r127685)
IndexedDB: Throw TypeError for invalid version parameters (r127049)

Feb 14, 2019
============
IndexedDB: Consolidate two-phase connection to avoid race conditions (r128533)
IndexedDB: Move onSuccess(IDBDatabaseBackendInterface) to IDBOpenDBRequest (r126461)
IndexedDB should respect SchemeRegistry's database access setting. (r172603)
IndexedDB: Enforce unsigned long/unsigned long long ranges (r131658)
IndexedDB: fire upgradeneeded even without an explicit integer version (r129037)
IndexedDB: revert int version when version change transaction aborts (r126366)
IndexedDB: Fire error at request when abort is called in upgradeneeded (r126239)
IndexedDB: Frontend and plumbing for integer versions (r125850)
Neutered ArrayBuffers are not properly serialized (r208628 + r208629)

Feb 12, 2019
============
TryGetById should have a ValueProfile so that it can predict its output type (r204992 partial)
Nodes that rely on being dominated by CheckInBounds should have a child edge to it (r241228)
[DFG] Remove duplicate 32bit code more (r230517 partial)
DFG should not use or preserve Phantoms during transformations (r183497 partial)
Remove String::deprecatedCharacters (r166120 complete)
Stop using getCharactersWithUpconvert in JavaScriptCore (r163727)
text-transform: capitalize shouldn't upconvert (r151422)
String::append() should handle two 8 bit strings without converting both to 16 bits (r134677)
String::remove will convert an 8 bit string to a 16 bit string (r130404)
Remove String::deprecatedCharacters (r166120 partial)
Remove some 16bits conversion. (r150985)
Make TextCodecICU not depend on TextEncoding (r149924)
Use Vector instead of StringBuilder for CSSPreloadScanner's buffers (r148772)
StyledMarkupAccumulator::appendText() should not allocate an intermediary StringBuilder (r148770)

Feb 11, 2019
============
TextIterator: Use StringView and references rather than pointers (r165385)
Copying (createMarkup) wrapping text results in space between wrapped lines stripped. (r164047)
Change TextIterator to use StringView, preparing to wean it from deprecatedCharacters (r163712)
nextBoundary and previousBoundary are very slow when there is a password field (r159619)
Moving word boundaries backwards fails when there is a text node starting with an apostrophe (r149058)
canonicalizedTitle() shouldn't convert 8 bit title strings to 16 bit (r133631)
Add 8 bit patch to Document::isValidName() for the non ASCII case (r131403 + r131418 rolled out + r131425)
Remove all uses of deprecatedCharacters from JavaScriptCore (r165703)
Make HexNumber functions return 8-bit strings (r143265)
OpaqueJSString doesn't optimally handle 8 bit strings (r130344 + r130413 + r130931)
[JSC] String.fromCharCode's slow path always generates 16bit string (r241233)
We should only make rope strings when concatenating strings long enough. (r241230 + rr241255 rolled out)
Remove unneeded exception check from String.fromCharCode (r231171)
Fix exception scope verification failures in CommonSlowPaths.cpp/h. (r208936 revisited)
String.prototype.toLowerCase should be a DFG/FTL intrinsic (r206804 revisited)
Finish auditing call sites of upper() and lower(), eliminate many, and rename the functions (r196223 partial)
Remove most uses of deprecatedCharacter in WTF (r165721 + r165772 rolled out + r165792)

Feb 08, 2019
============
XMLHttpRequest should use reportExtraMemoryAllocated/reportExtraMemoryVisited instead of deprecatedReportExtraMemory (r236999)

Feb 07, 2019
============
Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths (r139470 revisited)
Heap-use-after-free in WebCore::Document::implicitClose (r138918 revisited)
REGRESSION(r123636): Heap-use-after-free in StyleResolver::collectMatchingRules. (r124089 revisited)
[JSC] Use BufferInternal single character StringImpl for SmallStrings (r241117)

Feb 06, 2019
============
[Win] StaticStringImpl in HTMLNames.cpp aren't constructed (r216566)
Force StaticStringImpl constructor to use the constexpr versions of StringImplShape constructors. (r216512)

Feb 06, 2019
============
We should support the ability to do a non-effectful getById (r199170 partial revisited)
  => Passed JIT tests and CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.
  
Feb 05, 2019
============
Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached. (r204305 complete revisited)
Event and EventTarget interfaces don't need to be store as AtomicStrings (r156241)

Feb 04, 2019
============
[DFG] Cleaning up and unifying 32bit code more (r226269 partial revisited)
[DFG] Add JSValueRegsFlushedCallResult (r226260 partial)
SpeculativeJIT::compileTryGetById needs to pass in NeedsToSpill along both the cell speculation and untyped speculation path (r207697)
Crash using @tryGetById in DFG (r200048)
tryGetById should be supported by the DFG/FTL (r199279 partial)

Jan 30, 2019
============
Limit thread name appropriately (r210313)
self.hasOwnProperty() does not work inside Web workers (r201808)
ValueRecovery::recover() should purify NaN values it recovers. (r240681)
[JSC] allow duplicate property names returned from Proxy ownKeys() trap (r198531 complete revisited)
Object.getOwnPropertySymbols on large list takes very long (r187355 revisited)
Introduce UniquedStringImpl and SymbolImpl to separate symbolic strings from AtomicStringImpl (r184828)
PropertyNameArray should use a Vector when there are few entries. (r184120 revisited)
Remove unused things from PropertyNameArray. (r184050 revisited)

Jan 29, 2019
============
Tons of FastMalloc leaks reported by leaks of objects that have already been deallocated (r153455)
Fix cast-align warnings in FastMalloc.cpp (r152349)
Harden FastMalloc against partial pointer overflows (r148587)
Add cookies to FastMalloc spans (r143996 + r144001)
Moar hardening (r143400 + r143424 rolled out + r143488)
Harden FastMalloc (again) (r142536)
releaseFastMallocFreeMemory doesn't adjust free counts for scavenger (r89716 revisited)
Safari often freezes when clicking "Return free memory" in Caches dialog (r87157 revisited)
[ARM] Check for negative zero instead of just zero (r240650)

Jan 28, 2019
============
Crash in JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper (r144346)
Further harden FastMalloc (r138398)
Harden pointers in FastMalloc's singly linked list implementation (r138293)
Removed incorrect pthread_mutex_trylock code in an ASSERT in TCMalloc_PageHeap::signalScavenger. This branch is used by the Webkit GTK code. (r131066)
NeverDestroyed<String>(ASCIILiteral(...)) is not thread safe. (r216217 partial revisited)
test262: test262/test/built-ins/Date/prototype/Symbol.toPrimitive/name.js (r215399)
Heap-use-after-free read of size 4 in JavaScriptCore: WTF::StringImpl::isSymbol() (StringImpl.h:496) (r185109 complete revisited)

Jan 25, 2019
============
StorageTracker::deleteOrigin being called off the main thread (ASSERTs in inspector/test-harness-trivially-works.html test) (r174014)
refCount() of a StringImpl could be zero if it's static; in that case we shouldn't report extra memory cost (r154145)
NeverDestroyed<String>(ASCIILiteral(...)) is not thread safe. (r216217 partial revisited)
WorkerRunLoop::Task::performTask() needs to null check context->script() before use. (r216953)
WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution(). (r216801 + r216826 rolled out + r216876)
watchdog m_didFire state erroneously retained. (r189008 partial)
ASSERT(!childItemWithTarget(child->target())) is hit in HistoryItem::addChildItem() (r231450)
Exceptions logged to the JS console should use toString(). (r203334)
Update DOMCoreException to use the description in toString(). (r203333 partial)
Update SVGException to use the description in toString(). (r203328)
Change toString() behavior for exceptions constructed with "createWithDescriptionAsMessage". (r203309 + r203310)

Jan 24, 2019
============
NeverDestroyed<String>(ASCIILiteral(...)) is not thread safe. (r216217 partial)
Use StaticStringImpl instead of StaticASCIILiteral (r210227)
Introduce StringImpl::StaticStringImpl with constexpr constructor (r209179)
SerializedScriptValue should use a compact encoding for 8-bit strings. (r190838)

Jan 23, 2019
============
origin spoofing possible (HTTP Origin, postMessage event.origin) due to inappropriate URL escape sequence decoding (r167480)
SerializedScriptValue may move Identifiers between worlds (r165339)
Add uint8_t specialization for WebCore::writeLittleEndian() (r161903)
Remove some duplicate checks from SerializedScriptValue (r160250)
Blob constructor accepts a sequence (array-like object) as first arg. (r159275)
Set MessageEvent.source to the newly created port for shared workers' connect events (r155959)
Remove special case for MessagePortArray from bindings generator (r150580)
Remove custom code for MessageEvent.ports getter (r150249)
transition-delay and transition-duration return incorrect values when querying using the computed style. (r139070)
WebSocket's MessageEvent.origin attribute is an empty string (r135587)
[JSC] SerializedScriptValue::create() should throw a DataCloneError if input is an unsupported object (r126067)
Returns inconsistent types for el.style.property and el.style.getPropertyValue('color') (r187813)
Support unprefixed animation property names (r176050)
MessagePort should remove its listeners when being closed (r229614)
Recursive MessagePort.postMessage() calls causes tab to become unresponsive (r212609)
ASAN Crash running LayoutTests/inspector/worker tests (r215528)

Jan 22, 2019
============
DataCloneError exception is not thrown when postMessage's second parameter is the source port or the target port. (r160309)
MessagePort::disentangle() takes an ExceptionCode argument without any need (r146130)
fast/events/message-port-clone.html hits ASSERT in Debug (usually in later tests) (r127380)
window.postMessage() / MessagePort.postMessage() throw wrong exception for invalid ports argument (r126286)
Assertion failure in MessagePort::contextDestroyed in http/tests/security/MessagePort/event-listener-context.html, usually attributed to later tests. (r226202)
ScriptExecutionContext::processMessagePortMessagesSoon() should only post task when necessary (r208829)
ScriptExecutionContext::stopActiveDOMObjects iterates a hash map that can change during iteration (for multiple reasons, including GC) (r167579 complete revisited)
Remove upcastPointer from ActiveDOMObject constructor (r146537)
Crash under SchemeRegistry::shouldTreatURLSchemeAsLocal(WTF::String const&) (r228972 partial)
Bad optional access in WebCore::ContentSecurityPolicySource::portMatches (r233036)
CSP: Allow HTTPS URL to match HTTP source expression (r209821)
URL::port should return Optional<uint16_t> (r207769)
Don't run SecurityOrigin's port through URLParser (r207033)
Remove equalIgnoringCase since all callers really wanted equalIgnoringASCIICase (r195743 partial)

Jan 21, 2019
============
Make it possible to call ContentSecurityPolicy::upgradeInsecureRequestIfNeeded() from non-main threads (r230017)
REGRESSION (r209608): Cross-origin plugin document opened in child window blocked by parent window CSP when object-src 'none' is set (r217054)
ASSERTION FAILED: m_normalWorld->hasOneRef() under WorkerThread::stop (r212698)
[CSP] Policy of window opener not applied to about:blank window (r209608)
Cleanup: Remove an extraneous copy of SecurityOrigin (r206122)
[Fetch API] Fetch API should strip fragment and credentials from URLs used as referrer (r204224 complete revisited)
Regression(r199087): window.focus() / window.close() can no longer be called by a Window's opener (r202761)
Get rid of StringCapture. (r201594)
MessageEvent.source window is incorrect once window has been reified (r199087 complete revisited)
Introduce CallWith=Document in binding generator (r198102 partial)
Fix various cases of incorrect cross-thread capture of non-thread-safe RefCounted (r175792)
Add StringCapture helper for thread-safe lambda capture (r174660)
IndexedDB: Remove speculative dispatchEvent crash fix now that root cause is addressed (r141351)
Prevent race condition during Worker shutdown (r140483 complete revisited)
IndexedDB: Prevent crash dereferencing null if script context has stopped (r140027)
`const location = "foo"` throws in a worker (r214145)
Proxy is not allowed in the global prototype chain. (r209149)
Fix exception scope verification failures in *Executable.cpp files. (r208950 partial)
ES6: Implement HasRestrictedGlobalProperty when checking for global lexical tier conflicts (r202734)
JSC should have an option to allow global const redeclarations (r200121)
MovHint must merge NodeBytecodeUsesAsValue for its child (r240223)

Jan 18, 2019
============
MainThreadBridge needs an isolatedCopy() of SecurityOrigin (r206074)
http/tests/fetch/fetch-in-worker-crash.html is sometimes crashing (r204085)
Fix AtomicString regression caused by r201603. (r201637 partial revisited)
The compiler should always register a structure when it adds its transitionWatchPointSet. (r223614)
ScriptExecutionContext::stopActiveDOMObjects iterates a hash map that can change during iteration (for multiple reasons, including GC) (r167579 partial revisited)
DatabaseContext should implement ThreadSafeRefCounted. (r141320)
Change DatabaseContext lookup to be thread-safe. (r141166)
Removed the need for the ProposedDatabase mechanism. (r139078)
Initial refactoring of database functionality into the manager and server. (r138085)
Re-landing patch for "Introducing the DatabaseStrategy and database servers". (r137767 + r137784 rolled out + r137795)
Encapsulate externally used webdatabase APIs in DatabaseManager. (r137520)
[JSC] Do not check isValid() in op_new_regexp (r226209)
[DFG][FTL] NewRegexp shoud be fast (r226134)
[WebCore][JSC] Use new @throwTypeError and @throwRangeError intrinsics (r206870 partial)
[JSC] Add @throwXXXError bytecode intrinsic (r206853 partial revisited)
StringImpl isolatedCopy unnecessarily copies text-segment character data (r138194)
StringObjectUse should not be a structure check for the original string object structure (r240114)
Unreviewed, fix some FIXMEs and add some new ones, based on things we've learned from some recent OSR exit work. (r189070)
REGRESSION(r184260): arguments elimination has stopped working because of Check(UntypedUse:) from SSAConversionPhase (r184288)

Jan 17, 2019
============
IndexedDB: IDB*::keyPath should return IDBKeyPath, not IDBAny (r125730)
IndexedDB: Pass cursor continue results back in callback (r125568)
IndexedDB: new enums and openCursor stub (r125084)
IndexedDB: Size the Vector in encodeInt/encodeVarInt/encodeString (r124865)
[JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String) (r240024)
ToThis constant folding in DFG is incorrect when the structure indicates that toThis is overridden (r202936)
ToThis should be able to be eliminated in Constant Folding (r200325)
DFG::safeToExecute() cases for GetByOffset/PutByOffset don't handle clobbered structure abstract values correctly (r187487)

Jan 15, 2019
============
IndexedDB: Rename methods and remove dead code from IDBBackingStore (r133858)
IndexedDB: Prepare for IDBBackingStore merge by renaming IDBLevelDBBackingStore.cpp (r133825)
IndexedDB: Remove "current transaction" concept from backing store (r129066)
IndexedDB: IDBObjectStore.count() is slow (r128217)
IndexedDB: generate index keys for existing data in createIndex in front end (r125728)
IndexedDB: add tracing to IDBLevelDBBackingStore (r125627)
IndexedDB: Make leveldb store integer versions and migrate old schemas (r124858)
SVG bindings are improperly being generated with "fastGetAttribute" (r160578)
Bindings generation tests are failing (r152886)
Simplify SVG animated type handling in the JSC bindings generator (r152845)
CodeGen: Make [Reflect] use getIdAttribute and getNameAttribute (r138297)

Jan 14, 2019
============
We need to clear cached structures when having a bad time (r229141)
Refactor layout functions to avoid using flexbox in MathML (r202934)
Phrasing content should be accepted in <mo> elements (r202572)
Remove anonymous in renderName for all MathML renderers but RenderMathMLOperator (r202569)
Refactor RenderMathMLOperator and RenderMathMLToken to avoid using anonymous renderers. (r202420)
Implement RenderMathMLOperator::layoutBlock (r202284)
Bug 130345 - Refine childShouldCreateRenderer for MathML elements (r166065)
Fix handling of <annotation> in MathMLTextElement. (r165739)
Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time (r187214 rolled in)

Jan 14, 2019
============
Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time (r187214 rolled out)
  => defer().then does not work correctly under DFG JIT.

Jan 12, 2019
============
CachedScript cloning does not clone encodedSize (r210546)
Cloned CachedResource should not have an empty response (r209961)

Jan 11, 2019
============
Remove ColorSpaceDeviceRGB and most users of the obsolete deviceRGB colorspace (r225797)
Add Display P3 ColorSpace (r207366)
Use the MathOperator to handle some non-stretchy operators (r202271)
Refactor RenderMathMLRoot layout function to avoid using flexbox (r202168)
Refactor RenderMathMLMenclose. (r199980)
Fix two coding mistakes in MathMLInlineContainerElement::childrenChanged (r199497)
Remove ColorSpace argument to all the drawing calls (r192140)
Use ColorSpaceSRGB for image buffers everywhere (r192138)
Remove -webkit-color-correction CSS property (r188202)
Use constants from wtf/MathExtras.h (r175261)
Menclose with no notation attribute does not display anything. (r163543)

Jan 10, 2019
============
speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar. (r238923)
TypeOf should return SpecStringIdent and the DFG should know this (r183548 complete revisited)
JetStream should have a more rational story for jitter-oriented latency tests (r185425 + r185618)
Simplify things like CompareEq(@x,@x) (r187213)
Strict Equality on objects should only check that one of the two sides is an object. (r185920)
Leak of VectorBufferBase.m_buffer (16-64 bytes) under JSC::CompactVariableEnvironment in com.apple.WebKit.WebContent running layout tests (r239755)
Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them (r231477)

Jan 09, 2019
============
MathOperator: Add fallback mechanisms for stretching and mirroring radical symbols (r202161)
Add separate MathOperator for selection/measuring/drawing of stretchy operators (r202156)
RenderMathOperator: Move calculation of preferred width into MathOperator (r201881)
Introduce MathOperator::Type (r201862)
Regression: Event#stopPropagation() does not halt bubbling for webkitTransitionEnd (r150239)
Don't run transitions to or from undefined Lengths (r205659)
REGRESSION (r193610): Drop down menu doesnt expand at allofbach.com (r200622)
Don't run transitions to/from 'auto' values (r200360)
Make Length, LengthSize and LengthPoint blending not use member functions (r200343)
Negative animation-delay is treated as 0s (r200042)
REGRESSION (r187121): Can't get to the main content of the page at https://theintercept.com/drone-papers/ (r193610)
REGRESSION (r187121): Delayed instantaneous animations not honouring ' forwards' fill-mode (r191540)
REGRESSION (r187121): Multiple-keyframe animations not honouring ' forwards' fill-mode (r191502)
Safari mis-applies "animation-fill-mode: forwards" when using fractional iteration count (r187121)
Support unprefixed animation event types (r176423)
Make RenderLayerBacking get the timingFunction of the correct animation. (r167472)
A completed fill-forwards animation should not disable overlap testing (r165977)
Avoid unnecessary vector copy in AnimationController event dispatch. (r157704)
Allow new transitions to run even when controller is suspended (r153396)
Dereference null pointer crash in Length::decrementCalculatedRef() (r152825)
Animations do not restart after exiting page cache (r150862)
Animations and Transitions should not start when globally suspended (r149576)

Jan 08, 2019
============
Unprefix -webkit-min-content, -webkit-max-content and -webkit-fit-content (r213831)
[CSS Parser] Fix grid layout parsing (r208478 partial)
[CSS Parser] Get all the properties turned on (r207479 partial)
Do not attempt to compute min/max width. (r200486)
[css-grid] Move the track sizing algorithm to its own class (r212823)
[css-grid] Changing the argument on fit-content() doesn't cause the grid to be relayout (r207343)
[css-grid] Fix intrinsic maximums resolution with fit-content and auto (r207288)
[css-grid] grid-auto-flow|row should take a <track-size>+ (r203716)
[css-grid] Disallow repeat() in grid-template shorthand (r202972)
[css-grid] Move Grid class out of RenderGrid (r211283)
Safari (WebKit) doesn't wrap element within flex when width comes below min-width (r209068)
Should never be reached failure in WebCore::RenderFlexibleBox::alignChildren (r205102)

Jan 07, 2019
============
[css-grid] Implementing baseline positioning for grid containers (r210792)
[css-grid] Make the grid sizing data persistent through layouts (r210669)
[css-grid] Isolate instrinsic size computation from layout (r210211)
[css-grid] Move Grid into GridSizingData (r210197)
[css-grid] Pass Grid as argument to items' placement methods (r209601)
[css-grid] Move more attributes from RenderGrid to the new Grid class (r209180)

Dec 20, 2018
============
REGRESSION(r177637) [HarfBuzz][GTK][EFL] It made 3 performance tests crash and +24 layout tests crashes/failures (r178115 revisited)
Generic font code should not know about SVG font missing glyph (r177637 revisited)

Dec 19, 2018
============
Force display: block on ::-webkit-media-controls. (r192252)
min-width/height should default to auto for flexbox items (r189567 complete revisited)
REGRESSION (r150516): Media controls are messed up on right-to-left webpages (r154529)
[Mac] Captions menu isn't internationalized, doesn't use rtl layout for rtl languages (r150516)
Closed caption lines overlap (r149438)
Mac: Incorrect rendering of <audio> controls (r145588)
Convert media controls from DeprecatedFlexibleBox to FlexibleBox (r142947)
Regression(r143542): -webkit-align-items: center with overflow: auto/scroll has extra bottom padding (r145736)
Small code cleanup in RenderFlexibleBox (r145457)
Incorrect rendering for flex boxes with percentage height in a table cell (r143542)
[New Multicolumn] fast/multicol/fixed-column-percent-logical-height-orthogonal-writing-mode.html fails (r167727)
Make sure to skip the RenderMultiColumnFlowThread when resolving percentage heights inside columns against containing blocks. (r167353)
[css-grid] Remove Blink-specific code for handling orthogonal grid items (r216574)
[css-grid] Move attributes from RenderGrid to the new Grid class (r208995)
[css-grid] Convert grid representation into a class (r208973)
[css-grid] Isolate size of internal representation from actual grid size (r208962)
[css-grid] ASSERTION FAILED: !m_gridIsDirty in WebCore::RenderGrid::gridRowCount (r208586)
[css-grid] Fix fr tracks sizing under min|max-size constraints (r208531)
[css-grid] Content Alignment broken with indefinite sized grid container (r207663)
[css-grid] Different width of grid container between initial load and refresh (r207460)
[css-grid] Remove the x2 computation of row sizes with indefinite heights (r206253)
[css-grid] repeat() syntax should take a <track-list> argument (r203717)
[css-grid] Positioned items can be placed on the implicit grid (r201545)
[css-grid] Fix static position for positioned grid items (r200572)

Dec 18, 2018
============
[css-grid] Implement fit-content track size (r205966 + r205972 rolled out + r205977)
[css-grid] Update <fixed-size> syntax (r201399)
[css-grid] Stretch alignment doesn't work for orthogonal flows (r204734)
[css-grid] Implement repeat(auto-fit) (r203680)
[css-grid] Handle min-content/max-content with orthogonal flows (r203252)
[css-grid] Fix alignment with content distribution (r200181)
[css-grid] Fix percentage tracks' size computation in grids with gutters (r198486)
ASSERTION FAILED: freeSpace >= 0 in WebCore::RenderGrid::computeTrackSizesForDirection (r192741)
Selector checker should not mutate document and style (r195293 complete revisited)
CSS JIT: finish :nth-last-child() (r180206 partial)
Add the dynamic specificity of the selector list argument when matching :nth-child() and :nth-last-child() (r176623)
Web Inspector: do not show invalid specificity for dynamic cases of :matches() (r176436)
Add the initial implementation of dynamic specificity for :matches() (r176307)
Compute the selector specificity as we match simple selectors (r176152)
Implement the matching for :nth-last-child(An+B of selector-list) (r176084 partial)
Make the Selector's specificity part of Selector matching (r175772 + r175773)
When computing the specificity of selectors, use saturated arithmetic per component (r175576)
Fix the specificity of the extended :not() selector (r175453)
Block of text is missing in iBooks sample books. (r219291)
REGRESSION (r173698): Leaks of selector lists in CSS parsing (r179258 partial)
CSS4 Selectors: Add the pseudo class :any-link (r175301)
CSS Selectors Level 4: Implement :matches in SelectorChecker (r174811)
Update :nth-child(An+B of selector-list) to the latest specification (r174613)
Add the baseline implementation of :not(selectorList) (r174535)
Web Inspector: Highlighted selectors in Rules sidebar break with selectors that contain nested selector lists (r174379)
CSS Selectors Level 4: Add parsing for :matches (r174259)
Add the baseline implementation of :nth-child(An+B of selector-list) (r173853)
Add parsing for :nth-child(An+B of selector) (r173698)
CSS value in whitespace-separated list attribute selector (~=) mishandles tab/newline/etc. (r173697)

Dec 17, 2018
============
[css-grid] Do not recursively call layout during auto repeat computation (r205114)
[css-grid] Const-ify track sizing algorithm (r203220)
[css-grid] Inline size is never indefinite during layout (r202974)
[css-grid] Empty grid without explicit tracks shouldn't have any size (r201510 complete revisited)
[css-grid] Simplify grid track sizes parsing (r201373 + r201378 rolled out + r201382)
[css-grid] Refactor populateGridPositions() (r201379)
[css-grid] Fix behavior of flexible track breadths (r201325)
[css-grid] Show auto-repeat line names in ComputedStyle (r200821)
[css-grid] Implement auto-repeat computation (r200618)
[css-grid] Add support for position resolution with auto-repeat tracks (r200368)
Null pointer dereference in JSC::WriteBarrierBase() (r239256)
LiteralParser has a bunch of uses of String::format with untrusted data (r239248)
[css-grid] grid shorthand should not reset the gutter properties (r221668)
[css-grid] The 'grid' shorthand has a new syntax. (r206161)
[css-grid] Unprefix CSS Grid Layout properties (r200510)
[css-grid] Store auto-repeat information in style (r200182)
[css-grid] Add parsing support for <auto-repeat> syntax (r199343)
[css-grid] Fix order of grid shorthands in CSSPropertyNames.in (r197511)
[css-grid] Swap the order of columns/rows in grid-gap shorthand (r197022)
[css-grid] Rows track sizes are optional in grid-template shorthand (r196978)
[css-grid] Swap columns and rows in grid-template shorthand (r196934)
[css-grid] Swap columns and rows in grid shorthand (r196906)
[css-grid] grid shorthand must reset gap properties to their initial values (r195529)
[CSS Grid Layout] Switch from parenthesis to brackets for grid line names (r185147)
[CSS Grid Layout] Mark grid shorthands as layout dependent (r183913)
[CSS Grid Layout] Crash at CSSParser::parseGridTemplateRowsAndAreas (r173615)
Update the CSS Grammar selector names to get closer to the latest terminology (r173011 partial)
[CSS Grid Layout] Update named <grid-line> syntax to the last version of the specs (r166157 complete revisited)

Dec 14, 2018
============
Move selection and drawing of stretchy operators into a separate MathOperator class (r201854)
Shrink MathMLOperatorDictionary::dictionary table (r175221)
Skipping {}, () and [] blocks while error recovering in CSS (r151510)
Add CSS parsing recovery to functions (r151488)
Autoclose braces and parentheses at the end of style sheet (r151424)
Refactor CALCFUNCTION rules in the CSS grammar (r151395)
Allow nesting of at-rules (r139594)
[CSS Regions] @region rules inside media queries are ignored (r138854)
Add a missing exception check. (r239198)
CSSValueList: Reserve the exact amount of space needed when constructing from CSS parser. (r125968)

Dec 13, 2018
============
RenderTextControlSingleLine shouldn't mutate placeholder element inline style (r197637)
REGRESSION (r172826): Password field placeholder text is missing if placeholder attribute precedes type attribute (r176082)
Reduce style marking when using the pseudo class :placeholder-shown (r172933)
CSS: Implement the :placeholder-shown pseudo-class from Selectors Level 4 (r172826)
OOM Assertion failure in JSON.stringify. (r202173)
StringBuilder::appendQuotedJSONString doesn't properly protect against the math it's doing. Make the math fit the assertion. (r201121)
Remove String(RefPtr<StringImpl>) constructor (r155115)
Make StringBuilder::toAtomicString() consistent with StringBuilder::toString() for strings of length zero (r141917)
StringBuilder::append(UChar) with an 8 bit quantity shouldn't change the contents to 16 bits (r133726)
StringBuilder::append(StringBuilder&) doesn't take into account the bit size of the argument string (r131250 revisited)
Make it easier to append a literal to StringBuilder (r125936)

Dec 12, 2018
============
Slider thumb style should not depend on renderers (r197502)
Text control shadow element style shouldn't depend on renderers (r197401)
Use scope stack instead of nested TreeResolvers for shadow trees (r196215)
Inner text element should not use -webkit-user-modify (r164526)
m_ancestorDisabledState should never be unknown (r164475)
fieldset:disabled fieldset > legend:first-child input should be disabled (r164407)
fieldset:disabled > legend:first-child legend input should not be disabled (r164403)
[css-grid] CRASH when getting the computed style of a grid with only absolutely positioned children (r201919)
[css-grid] Empty grid without explicit tracks shouldn't have any size (r201510 partial)
RenderMathMLOperator: refactor management of stretchy data and italic correction (r200569)
RenderMathMLOperator refactoring: introduce getBaseGlyph and remove parameter from getDisplayStyleLargeOperator (r200185 + r200186 rolled out + r200187)
[css-grid] Fix grid-template-columns|rows computed style with content alignment (r199981)
[css-grid] Use the margin box for non-auto minimum sizes (r199728)
[css-grid] Fix positioned items with content alignment (r199657)
[css-grid] Add method to translate RTL coordinates (r199655)
[css-grid] Fix positioned items with grid gaps (r199223)
[css-grid] Content box incorrectly used as non-auto min-height (r199153)
[css-grid] Fix positioned children in RTL (r199098)
[css-grid] Refactor positioned children code (r198834)
[css-grid] Remove unneeded lines in offsetAndBreadthForPositionedChild() (r198732)
[css-grid] Rename GridSpan properties (r198399)
[css-grid] Fix placement for unknown named grid lines (r197930)
[css-grid] Allow to place positioned grid items on the padding (r197857)
[css-grid] Fix auto-track sizing with min-size:auto and specific sizes (r197854)
Multiple refactors in RenderMathMLOperator (r174678 complete revisited)
[regression] background colors do not apply to <mo> elements. (r166170)

Dec 11, 2018
============
String(Vector) behaves differently from String(vector.data(), vector.size()) for vectors with inline capacity in the size=0 case (r142894)
REGRESSION(r142712): attribute values show up as "(null)" instead of null with the threaded parser (r142863)
Fix HTMLToken::Attribute member naming and update callsites to use Vector-based String functions (r142712)
Teach more WTF string classes about vectors with inline capacity (r142689 revisited)
@font-face rules with invalid primary fonts never download their secondary fonts (r218157 + r218264 rolled out + r218733 partial)
[Font Loading] Crash during font download failure after garbage collection (r201358)
PropertyAttribute needs a CustomValue bit. (r239062 partial)
Error instances should not strongly hold onto StackFrames (r232314 partial)

Dec 10, 2018
============
Support size_t multiplication and division operators on LayoutUnit (r138952)
[css-grid] Pass GridSizingData instead of columnTracks to track sizing methods (r199341)
[css-grid] Rename GridCoordinate to GridArea (r198210)
[css-grid] Rename GridResolvedPosition to GridPositionsResolver (r198207)
[css-grid] Initial support for implicit grid before explicit grid (r197850)
[css-grid] Simplify method to resolve auto-placed items (r197501)
[css-grid] Get rid of GridResolvedPosition (r197400)
Setting up OrderIterator shouldn't require an extra Vector (r167879 + r167942 + 168067 rolled out + r169372)
[css-grid] Avoid duplicated calls to resolution code (r196983)
[css-grid] GridSpan refactoring (r196691)
[css-grid] Store lines instead of tracks in GridResolvedPosition (r195808)
[CSS Grid Layout] Remove old FIXME in RenderGrid::placeItemsOnGrid() (r180500)
REGRESSION(r194143): Float width incorrectly calculated on Wikipedia (r194558)
Fix computation of min|max-content contribution of non-replaced blocks (r194143)
[css-grid] Stretch should grow and shrink items to fit its grid area (r213449 partial)
[css-grid] Fix intrinsic size computation with flexible sized tracks (r205960)
[css-grid][css-align] justify-self stretch is not applied for img elements (r195284 complete revisited)
[css-grid] Fix height computation of grid items with borders (r194030)
[css-grid] Fix height computation of grid items with borders inside fr tracks (r193413)
[CSS Grid Layout] inline margins not honored when not using stretch in row-axis alignment (r192573 complete revisited)
[css-grid] Fix alignment with gutters and negative free spaces (r192512)
[css-grid] Refactor cachedGridCoordinate() to cachedGridSpan() (r192156)
[css-grid] Improve grid container sizing with size constraints and intrinsic sizes (r192154)
[css-grid] Fix availableLogicalSpace computation with non-zero baseSize flex tracks (r191385)
[css-grid] Include freeSpace in GridSizingData struct (r190784)
[css-grid] Remove unneeded calls to compute(Content)LogicalWidth(Height) (r190783)
[css-grid] Percentages of indefinite sizes to be resolved as auto (r190721)
[CSS Grid Layout] Modify grid item height doesn't work (r190665)
min-width/height should default to auto for grid items (r189708)
ASSERTION FAILED: growthShare > 0 in WebCore::RenderGrid::distributeSpaceToTracks (r175314)

Dec 07, 2018
============
Floating box is misplaced after content change. (r191610)
[CSSRegions] Incorrect layout of a region pseudo children (r162508)
Update flexbox to Blink's tip of tree (r213149 partial)
Rename Length::isPercent() and Length::isPercentNotCalculated(). (r184055 complete revisited)
Fix viewport units in Media Queries (r183404)
ASSERTION NOT REACHED because RenderStyle::setWordSpacing() does not handle a Length value of type 'Calculated'. (r175363)
Clamp wordSpacing percentage value. (r175197)
Minor refactor in CSSComputedStyleDeclaration (r173421 partail)
vw/vh units used as font/line-height values don't scale with the viewport (r169407 complete revisited)
REGRESSION (r166860): ASSERTION FAILED: !isCalculated() on fast/css/image-set-value-not-removed-crash.html (r167192)
Fix assertions triggered by CSS calc changes in r166860 (r166920)
Rework CSS calc logic, fixing some reference count mistakes in Length (r166860)
ASSERTION FAILED: v.isFixed() in WebCore::RenderStyle::setWordSpacing (r162588)
Add HashMap::isValidKey and HashSet::isValidValue (r143071)

Dec 06, 2018
============
[css-grid] Remove unused GridResolvedPosition constructor (r192414)
[css-grid] Grid placement conflict handling (r192153)
[css-grid] Support positioned grid children (r192054)
Graphics corruption after Find on some pages (r178490)
Calling clearSelection on a detached RenderObject leads to segfault. (r178231 revisited)
RenderBox shouldn't need a pre-destructor hook. (r175580)
[css3-text] text-decoration-line now accepts "blink" as valid value (r150136)
[css] text-decoration:none no longer valid (r134156)
[css] Text decoration's "blink" not valid when CSS3_TEXT is enabled (r134078)
[css3-text] Add suport for -webkit-text-decoration-line (r125205)
[css-grid] Implement grid gutters (r190663)
intrinsic size keywords don't work for heights (r185908 complete revisited)
Div having contentEditable and display:grid cannot be edited if it is empty. (r180050 + r180213)
Div having contentEditable and display:flex cannot be edited if it is empty. (r179944)
Using calc() in repeat() for -webkit-grid-template-rows does not work (r177947)
Get rid of error-prone ReleaseParsedCalcValueCondition argument in CSSParser (r177623 + r177628)
Crash when setting 'flex' CSS property to 'calc(2 * 3) calc(2 * 3)' (r176674)
Crash when setting 'column-span' CSS property to 'calc(2 * 3)' (r176671)
Crash when setting 'z-index' / 'flex-shrink' CSS properties to a calculated value (r176301)
Crash when setting 'order' CSS property to a calculated value (r176171)
Assertion hit when setting a very large value to 'border-width' / 'font-size' CSS properties (r176170)
[CSS Grid Layout] Handle min/max height in the grid element (r166923)
[CSS Shapes] Simplify the parsing of width arguments for Inset shapes (r166909)
ASSERTION FAILED: std::isfinite(num) in WebCore::CSSPrimitiveValue::CSSPrimitiveValue (r166114)
[CSS Shapes] Adjust inset sizing syntax to the latest specification (r162989)
[CSS Shapes] Remove restriction of negative values for inset parameters (r162871)
Remove feature: CSS variables (r159842 partial)
Replace isolate || bidi-override by isolate-override (r126072)
[CSS Grid Layout]  Using automatic (instead of min-content) minimums for 'auto' tracks (r189911)

Dec 05, 2018
============
[CSS Box Alignment] New CSS Value 'normal' for Self Alignment (r201498 complete revisited)
[CSS Box Alignment] New CSS Value 'normal' for Content Alignment (r197503 complete revisited)
[CSS Grid Layout] inline margins not honored when not using stretch in row-axis alignment (r192573 partial revisited)
[CSS Grid Layout] Don't need to reset auto-margins during grid items layout (r190633)
[CSS Grid Layout] Support for Content Alignment in grid layout (r190484 complete revisited)
[CSS Grid Layout] Flex tracks sizing alg must handle 0fr values (r190308)
[CSS Grid Layout] Using {row, column}-axis terms in alignment related logic (r189806)
[CSS Grid Layout] Layout is wrong for flex factor sum between 0 and 1 (r189208)
[CSS Grid Layout] auto-margins alignment does not work for heights (r189169)
[CSS Grid Layout] Do not stretch always grid items with auto width (r188582 + r188823))
[CSS Grid Layout] Grid item's auto-margins are not applied correctly (r186682)
[CSS Grid Layout] Performance optimization: avoid computing overflow alignment if not needed (r185874)
[CSS Grid Layout] Setting height on a grid item doesn't have any effect (r185327)
[CSS Grid Layout] Relayout whenever Box Alignment properties change (r189910)
[CSS Grid Layout] Fix grid-template-areas parsing to avoid spaces (r185492 + r185499 rolled out + r185520)
[CSS Grid Layout] Support dots sequences in grid-template-areas (r185246)
[CSS Grid Layout] Simplify the interface of GridResolvedPosition (r185059)
[CSS Grid Layout] Support "sparse" in auto-placed items locked to a row/column (r180567)
[CSS Grid Layout] Support sparse in auto-placement algorithm (r171082 + r171102)
[CSS Box Alignment] New CSS Value 'normal' for Self Alignment (r201498 partial)
[CSS Box Alignment] New CSS Value 'normal' for Content Alignment (r197503 partial)
[css-grid][css-align] justify-self stretch is not applied for img elements (r195284 partial)
[CSS Grid Layout] inline margins not honored when not using stretch in row-axis alignment (r192573 partial)
[CSS Grid Layout] Support for Content Alignment in grid layout (r190484 partial)
[CSS Box Alignment] Upgrade align-content parsing to CSS3 Box Alignment spec (r183805)
[CSS Box Alignment] Upgrade justify-content parsing to CSS3 Box Alignment spec. (r183748)
[CSS Grid Layout] overflow-position keyword for align and justify properties. (r183660)
[CSS Grid Layout] Support for the justify-self and justify-items in grid layout (r183399 complete revisited)
[CSS Grid Layout] Support for align-self and align-items in grid layout (r183370 + r183394)
Rename hasOverride{Height,Width}() to hasOverrideLogicalContent{Height,Width}() (r183100)
[CSS Grid Layout] Support marking/unmarking tracks as infinitely growable (r182704 + r182726)
[CSS Grid Layout] Fix raw function pointer usages (r182628)
[CSS Grid Layout] Update track sizes after distributing extra space (r182472)
'true' isn't a valid value for justify-self (r174999)

Dec 04, 2018
============
Referrer policy should be inherited from creator (r223697)
Improve our support for referrer policies (r220208)
Always update the referrer header in CachedResource (r173398 revisited)
[CSS Box Alignment] Unifying alignment data in a single class (r183591)
[CSS Grid Layout] Support for the justify-self and justify-items in grid layout (r183399 partial)
Small removal of useless code for MathML token elements (r200938)
More improvements and explanations regarding resetting CSS properties on the <math> element (r199869)
Use OpenType MATH fonts by default (r199773)
[regression] foreign content not displayed in MathML (r165702)
childShouldCreateRenderer should return false for the mspace element (r163626)
CSS direction must be reset to ltr on <math> element. (r159035)
Refactor RenderMathMLScripts layout to avoid using flexbox (r199665)
RenderMathMLOperator: Add helper function to retrieve italic correction (r199548)
Crash under WebCore::PageConsoleClient::addMessage attempting to log insecure content message in ImageDocument (r185781)
Console log sometimes prefixed with line number (r178648)
Multiple refactors in RenderMathMLOperator (r174678 partial)
PageConsole::addMessage should automatically determine column number alongside line number (r160374)

Dec 03, 2018
============
Crashes in PageConsole::addMessage (r166551 revisited complete)
Layout Test http/tests/security/canvas-remote-read-remote-image-redirect.html is flaky (r156130)
Web Inspector: ConsoleMessage should include line and column number where possible (r149125 partial revisited)
Web Inspector: split Console into two entities, a web-facing bound object and page console. (r146208)
CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.WebCore: WebCore::FrameLoader::subresourceCachePolicy const + 11 (r185301)
Rename fastHasAttribute to hasAttributeWithoutSynchronization (r203337)
Rename fastGetAttribute to attributeWithoutSynchronization (r203324)

Nov 30, 2018
============
Refactor RenderMathMLFraction layout to avoid using flexbox (r199295)
CTTE: RenderMathMLFraction always has a MathMLInlineContainerElement. (r157791)
Get rid of RepatchBuffer and replace it with static functions (r189288 + r189342)
RepatchBuffer should be stateless (r189278)

Nov 29, 2018
============
Simplify call linking (r187505)
Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC (r181990 partial)
REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall (r191530)
Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo (r185932)
If a call has ever taken the virtual slow path, make sure that the DFG knows this (r185099)
Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24 (r185084)
Polymorphic call inlining should be based on polymorphic call inline caching rather than logging (r179357 + r179392 rolled out + r179478)
Move DFGBinarySwitch out of the DFG so that all of the JITs can use it (r179223)
Ensure that RenderMathMLOperator::stretchTo functions are called with stretchy operators that have the correct direction (r199544)
Refactor RenderMathMLUnderOver layout functions to avoid using flexbox (r199293)
Bad position of large operators inside an munderover element (r193829)
Changes in the stretchy attribute do not update rendering (r174677)
RenderMathMLUnderOver adds spacing to the child operator indefinitely when resizing the window. (r174540)

Nov 28, 2018
============
[JSC] Drop ArityCheckData (r223891 partial)
Wrong value recovery for DFG try/catch with a getter that throws during an IC miss (r191930 partial)
Each *ById inline cache in the FTL must have its own CallSiteIndex (r190885 partial)
Implement try/catch in the DFG. (r189938 + r189952 + r189956 + r189961 rolled out + r189995)
Add support for Callee-Saves registers (r189575 partial)
rename callFrameForThrow to callFrameForCatch (r189775)
Node::origin should always be set, and the dead zone due to SSA Phis can just use exitOK=false (r189013)
Node::origin should be able to tell you if it's OK to exit (r188979)
DFG::InsertionSet should be tolerant of occasional out-of-order insertions (r188879)

Nov 27, 2018
============
Refactor RenderMathMLRow layout functions to avoid using flexbox (r198998)
Reset CSS spacing rules on the <math> element. (r198952)
Use out-of-band messaging for RenderBox::firstLineBaseline() and RenderBox::inlineBlockBaseline() (r181398)
Assertion failure in WebCore::FlexBoxIterator::next() (r167093)
[MathML] Baseline wrong for fractions or munder/mover with padding (r130097)
[Readable Streams API] Cleanup patch, fix small inconsistencies (r207337)
[Readable Streams API] Implement generic reader functions (r206912 revisited)
CachedResourceLoader should set headers of the HTTP request prior checking for the cache (r207817)
Add protocolIsInHTTPFamily for strings and use it where appropriate (r162555)
Never send a non-http(s) referrer header even with a referrer policy (r162351)

Nov 26, 2018
============
Cached CSS image resources don't show up after reloading (r184315)
Get rid of "CachePolicyCache" cache policy (r181766)
Remove ENABLE(PARSED_STYLE_SHEET_CACHING) and make it always-on. (r149140)
Regression(r176212): Broke app switching on iCloud.com (r185269 partial)
Regression(r176212): Carousel on mbusa.com is choppy (r177964 partial)
Regression(r163928): Animated images are not resumed on window resizing (r177927)
REGRESSION (r163928): Animated GIFs are not resumed when translated into view using -webkit-transform (r177360)
http://omfgdogs.info/ only animates when you resize the window (r177135)
Speculative fix for assertion "frame().view() == this" (r177107)
REGRESSION (r172854): Web Viewer in FileMaker does not render a Base64 encoded animated-GIF (r176384)
Throttle timers that change the style of elements outside the viewport (r176212 partial)
Animated GIFs scrolled out of view still cause titlebar blur to update, on tumblr.com page (r172854)
REGRESSION: Animated GIF inside compositing layer never resumes animation when scrolled back into view (r168424)
GIF animations should be suspended when outside of viewport (r163928)

Nov 23, 2018
============
svg/as-image/svg-image-with-data-uri-use-data-uri.svg is flaky after r207754 (r209914)
REGRESSION(r207753-207755): ASSERTION FAILED: m_parsedStyleSheetCache->isInMemoryCache() (r207967 + r208200 rolled out + r208279)
REGRESSION (r207754): LayoutTest http/tests/security/svg-image-with-css-cross-domain.html is a flaky failure (r208102)
ASSERTION FAILED: canvas()->securityOrigin()->toString() == cachedImage.origin()->toString() (r207754)
CachedResourceLoader should not need to remove fragment identifier (r207459)
Remove CachedResourceRequest::mutableResourceRequest (r207281)
[Fetch API] Support Request cache mode (r207086)
[Fetch API] Memory cache should not bypass redirect mode (r206994)
ASSERTION FAILED: m_origin || m_type == CachedResource::MainResource (r206370)
CachedResourceRequest should store a SecurityOrigin (r206255)
CachedFont do not need to be updated according Origin/Fetch mode (r206017)
CachedResource should efficiently construct its ResourceRequest (r206016)
Link loader should use FetchOptions::mode according its crossOrigin attribute (r206010)
Remove CredentialRequest ResourceLoaderOptions (r202815)
Don't reuse memory cache entries with different charset (r194898)
CachedResources should hang on to stripped fragment identifiers (r137604)
Set the Response.blob() type based on the content-type header value. (r216353)
ScriptElement should use FetchOptions::mode according its crossOrigin attribute (r205854)
TextTrackLoader should use FetchOptions::mode according its crossOrigin attribute (r205750)
CachedResourceLoader is not taking into account fetch options to use or not cached resources (r205450 + r205464 rolled out + r205473)
[Fetch API] Fetch API should be able to load data URL in Same Origin mode (r205265)
Synchronous preflight should check for successful responses (r203943)
Remove ClientCredentialPolicy cross-origin option from ResourceLoaderOptions (r203720)
Synchronous preflight checker should set loading options to not use credentials (r202779)
[WK2] Authentication dialog is displayed for cross-origin XHR (r173516)

Nov 22, 2018
============
Improve error message for Access-Control-Allow-Origin violation due to misconfigured server (r217069)
Safari sends empty "Access-Control-Request-Headers" in preflight request (r214254)
CORS: Fix the handling of redirected request containing Origin null. (r195100)
Remove unsafe uses of AtomicallyInitializedStatic (r161812 partial)

Nov 21, 2018
============
Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister(). (r215351)
HashTraits<RefPtr<P> >::peek should consider empty value (r149739)
Avoid unnecessary arguments copying inside GenericHashTraits methods (r149738)
HashTraits<RefPtr<P> >::PeekType should be raw pointer for better performance (r149665)

Nov 20, 2018
============
DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals. (r204360 complete revisited)
ScriptRunner should be driven by PendingScript rather than ScriptElement (r205652 + r205653 rolled out + r205695)
Add HashSet::takeAny (r167592)
Add HashSet::take (r155580)
Change HashTraits<RefPtr<P> >::PassOutType to PassRefPtr for better performance (r149602 revisited)
Introduce abstract class LoadableScript for classic script and module graph (r205581)

Nov 19, 2018
============
ASSERTION FAILED: hasParserBlockingScript() seen with js/dom/modules/module-will-fire-beforeload.html (r209791)
A function named canTakeNextToken executing blocking scripts is misleading (r197040)
Make PendingScript as ref-counted (r205218)
CrashTracer: WebProcess at com.apple.WebCore: WebCore::toScriptElementIfPossible + 4 (r183178)
WebProgressTracker updates progress too frequently (r170464)
Loads started soon after main frame completion should be considered part of the main load (r162637)
Possible crash in ProgressTracker::progressHeartbeatTimerFired(Timer<ProgressTracker>*) (r159986)
Possible crash in ProgressTracker::progressHeartbeatTimerFired(Timer<ProgressTracker>*) (r159974)
HarfBuzzFace::CacheEntry should use 32-bit values in its HashMap (r238363)
SVGUseElement follow-up improvements (r179980 + r179991)

Nov 18, 2018
============
Remove the SVG instance tree (r179810)
Remove SVGElementInstanceList, m_instanceUnderMouse, DUMP_INSTANCE_TREE, DUMP_SHADOW_TREE (r178715)

Nov 16, 2018
============
[Win] Fix debug build after r179807. (r179916)
Make SVGUseElement work without creating any SVGElementInstance objects (r179807)
Stop dispatching events to with SVGElementInstance objects as their targets (r179467 + r179471 rolled out + 179785)
Move InstanceInvalidationGuard/UpdateBlocker to SVGElement from SVGElementInstance (r179548 + r179555 rolled out + r179695)
Make SVGElement::instancesForElement point to elements in the shadow tree, not SVGElementInstance objects (r179260)
[SVG] Accept HTML and MathML namespaces as valid requiredExtensions (r161629 + r161653 rolled out + r162083)
Tighten up the type bounds for SVGPropertyInfo callback parameters (r145830)
RegExp operations should not take fast patch if lastIndex is not numeric. (r238267)

Nov 15, 2018
============
REGRESSION (r179101): SVGUseElement::expandUseElementsInShadowTree has an object lifetime mistake (r179163)
Streamline SVGUseElement shadow tree handling and make it use SVGElementInstance less (r179101)
Remove SVGUseElement.instanceRoot and all tests that depend on it (r179391)
Only when the SVG is inline and only when a shape is referenced before it is defined, this shape will not be drawn. (r177576)
Avoid unnecessary HashSet copies when calling collectInstancesForSVGElement (r166586 + r166590)
Rename ElementDescendantIterator to TypedElementDescendantIterator. (r165805)
REGRESSION(r191731): SVGPatternElement can only reference another SVGPatternElement in the same SVG document (r222304)
Reference cycle between SVGPathElement and SVGPathSegWithContext leaks Document (r194964 complete revisited)
If ImageLoader's loadEventSender or errorEventSender fires after document is detached, the document will be leaked. (r139209 complete revisited)
svg/W3C-SVG-1.1/render-groups-03-t.svg and some other SVG tests leak documents (r235862)
References from CSSStyleDeclaration to CSSValues should be weak (r230737)
NULL WeakPtr should not malloc! (r222752)
WeakPtrFactory should populate m_ref lazily. (r222422)

Nov 14, 2018
============
[JSC] Do not allocate unnecessary UTF-8 string for encodeXXX functions (r201756 complete revisited)
Make converting JSString to StringView idiomatically safe (r186037 complete revisited)
[JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). (r184613 + r184618 rolled out)
ProxyObject should check for VMInquiry and return early before throwing a stack overflow exception (r238163)
Need an exception check after constructEmptyArray(). (r201787 partial revisited)

Nov 13, 2018
============
DFG::ByteCodeParser should attempt constant folding on loads from structures that are DFG-watchable (r188357)
DFG::ByteCodeParser shouldn't call tryGetConstantProperty() with some StructureSet (r188292 complete)
[JSC] Unify Math.pow() accross all tiers (r200208 complete)
flattenDictionaryStruture needs to zero inline storage. (r233048)
[JSC] Implement Object.assign in C++ (r218348 partial)

Nov 12, 2018
============
implement dynamic scope accesses in the DFG/FTL (r199699 partial)
[JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG (r199342 partial)
Rare case profiling should actually work (r180137)

Nov 09, 2018
============
FTL should be able to do polymorphic call inlining (r172940 + r172961 rolled out + r173069)
[ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure (r169795 partial)
U+180E is no longer a whitespace character (r238004)

Nov 08, 2018
============
MediaStream API: update MediaStreamTrackEvent object to match spec (r156135)
Remove remaining custom getters for WorkerContext constructor attributes (r151223)

Nov 06, 2018
============
CallLinkStatus should trust BadCell exit sites whenever there is no stub (r195877)
CallLinkInfo inside StructureStubInfo should not use polymorphic stubs (r189493)
Refactor CallLinkInfo from a struct to a class (r185930)
CallLinkStatus should return takesSlowPath if the GC often cleared the IC (r185161)

Nov 05, 2018
============
GC should safepoint the DFG worklist in a smarter way rather than just waiting for everything to complete (r163691 partial)
[ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure (r169795 partial)
StorageAccessData should be referenced in a sensible way (r173793)

Nov 02, 2018
============
[ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function (r171389 + r171508)

Nov 02, 2018
============
REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash (r172737 complete revisited)
[ftlopt] Infer immutable object properties (r170855 complete revisited)
[ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them (r170375)
[ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets (r170275)
  => Passed JIT tests and CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.
   
Nov 02, 2018
============
Fix missing edge cases with JSGlobalObjects having a bad time. (r237469 partial)
   
Nov 01, 2018
============
Custom GetterSetterAccessCase does not use the correct slotBase when making call (r222671 complete)
Dictionary property access should be fast (r201562 complete)
DFG::ByteCodeParser needs to null check the result of presenceLike() (r196446)
Caching of properties on objects that have named property getters is sometimes incorrect (r192693 complete)
DFG should have adaptive structure watchpoints (r187780 complete revisited)
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton (r170141 complete revisited)
[ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for,
  whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants (r169950)
  => Passed JIT tests and CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Nov 01, 2018
============
ObjectPropertyConditionSet::mergedWith does not produce a minimal intersection. (r190283)
Unreviewed, fix Windows. (r187783)
Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time (r187214)

Oct 31, 2018
============
r176455: ASSERT(!m_vector.isEmpty()) in IntendedStructureChain.cpp(143) (r176506)
[ftlopt] Phantoms in SSA form should be aggressively hoisted (r171495 complete revisited)
[ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to (r170672)
DFG SSA stack accesses shouldn't speak of VariableAccessDatas (r180691)
[ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base (r170090)

Oct 30, 2018
============
[ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base (r169902)

Oct 29, 2018
============
Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com (r176624)

Oct 29, 2018
============
[JSC] Do not construct Simple GetByIdStatus against self-custom-accessor case (r206844 complete revisited)
WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading (r191937)
The JIT should cache property lookup misses. (r175846 complete revisited + r175849 + r175880 revisited)
r171362 accidentally increased the size of InlineCallFrame. (r172853)
[ftlopt] DFG bytecode parser should turn GetById with nothing but a Getter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to (r169143)
  => Passed JIT tests and CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo on ARMv7 GCC4.9 with hard float.
  
Oct 29, 2018
============
[ftlopt] Factor out how CallLinkStatus uses exit site data (r169014)
[ftlopt] InlineCallFrame::isCall should be an enumeration (r169005)
Token misspelled "tocken" in error message string (r231142)
Early error on ANY operator before new.target (r220481)
[JSC] add additional bit to JSTokenType bitfield (r209293)
Arrow functions should not allow duplicate parameter names (r206647)
JS parser incorrectly handles invalid utf8 in error messages. (r201624)
JavascriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool) (r187763 revisited)
Function bodies should always include braces (r181673 revisited)
Parser statementDepth accounting needs to account for when a function body excludes its braces. (r170034 revisited)

Oct 26, 2018
============
Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes (r181817 complete revisited)
[ftlopt] Phantoms in SSA form should be aggressively hoisted (r171495 partial revisited)
[ftlopt] Reduce the GC's influence on optimization decisions (r170571 complete)
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton (r170141 partial revisited)
[ftlopt] AI should be able track structure sets larger than 1 (r169588 complete revisited)
It should be OK to store new fields into objects that have no prototypes (r167563)
Support caching of custom setters (r165208 complete revisited)
More FTL ARM fixes (r165129)
FTL should do polymorphic PutById inlining (r164620)
  => Passed JIT tests and CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo on ARMv7 GCC4.9 with hard float.

Oct 26, 2018
============
GetById and PutById profiling should be more precise about it takes slow path (r185160)
FTL should do polyvariant PutById inlining (r162849)
FTL should do polyvariant GetById inlining (r162811)

Oct 25, 2018
============
Unreviewed, fix a goofy assertion to fix debug. (r166952)

Oct 24, 2018
============
Eliminate construct methods from NullGetterFunction and NullSetterFunction classes (r178855)
REGRESSION(178696): Sporadic crashes while garbage collecting (r178728)
A "cached" null setter should throw a TypeException when called in strict mode and doesn't (r178696)
DFG Tries using an inner object's getter/setter when one hasn't been defined (r177030 + r177055)
[ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant (r171153)
[ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise (r170383)

Oct 23, 2018
============
adoptNode() changes css class to lowercase for document loaded with XHR responseType = "document" (r203018 + r203043)
GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything (r164066 + r164071 rolled out)

Oct 22, 2018
============
32-bit JSC test failure: stress/instanceof-late-constant-folding.js (r204209)

Oct 19, 2018
============
[ftlopt] Phantoms in SSA form should be aggressively hoisted (r171495 partial revisited)
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton (r170141 partial revisited)
FTL should inline polymorphic heap accesses (r164207 complete + r164216)
FTL should inline polymorphic heap accesses (r164207 partial + r164216)
Too much repainting on scrolling with fixed backgrounds (r182669)
Differentiate between composited scrolling, and async scrolling (r182345)
Scrollbars are left in the wrong position when resizing a fixed layout view (r182307 revisited)
Even when in fixed layout mode, some platforms need to do layout after a viewport change (r163182 + r163188 rolled out + r163216)
Call FrameView::contentsResized() when setting fixed layout size (r140869 + r141015 rolled out + r141450 revisited)
Enable/disable composited scrolling based on overflow (r127620)
Register scrolling layers with ScrollingCoordinator (r127480)
delete expression should not throw without a reference (r237259)

Oct 18, 2018
============
[DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped) (r221328)
DFG should really support jneq_ptr (r203361)
Improve some other cases of context-sensitive inlining (r199093 partial)
{Map,Set}.prototype.forEach should be visible as own properties (r196274)

Oct 18, 2018
============
PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear (r232384)
DFG AI and clobberize should agree with each other (r230488 revisited complete)
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton (r170141 partial)
  => Passed JIT tests.
  
Oct 18, 2018
============
The parser should not emit a ApplyFunctionCallDotNode for Reflect.apply. (r237241)

Oct 17, 2018
============
Dynamic background color changes do not update until a layout is forced (r190816)
Avoid repaints when changing transform on an element with multiple background images (r181710)
Use unique_ptr for FillLayer::m_next (r167208)
Avoid unnecessary copy-on-write in FillLayer style application. (r159782)
FontDescription copies should share families list, not duplicate it. (r159279)
Avoid unnecessarily padding the FontDescription families vector. (r159185)
getComputedStyle(x).lineHeight is affected by zooming (r158714)
Merge SVG renderers' styleWillChange() into styleDidChange(). (r157787)
[CSS Background Blending] Specifying background-image and background-color with opaque image doesn't trigger blending. (r153702)
RefCountedArray needs a size based constructor (r146964)
TransformState::move should not round offset to int (r142638)
Push pixel snapping logic into TransformState (r137847)
Remove unnecessary mode identifiers added in r131111 (r131231)
[Sub pixel layout] Fast-path iframe scrolling can picks up an extra pixel (r130811 + r130824 rolled out + r131111)
REGRESSION: transition doesnt always override transition-property (r128656 revisited)
Prevent overflows in FractionalLayoutUnit (r127933)

Oct 16, 2018
============
[JSC] JSON.stringify can accept call-with-no-arguments (r237095)
[JSC] Remove LocalScope (r226407)
Fix exception scope verification failures in JSONObject.cpp. (r208966)
[ES6] Make JSON.stringify ES6 compatible (r198150)
Speed up the Stringifier::toJSON() fast case (r187537)
JSArray::shiftCountWithArrayStorage is wrong when an array has holes (r237129)

Oct 15, 2018
============
Fix exception scope verification failures in CommonSlowPaths.cpp/h. (r208936)
GetByValWithThis: fix opInfo in DFG creation (r205361)
Missing exception check in JSObject::hasInstance (r219451 complete)
We should throw a SecurityError when denying access to cross-origin Window properties (r211504)
Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp. (r209020)
Object.freeze() and seal() should throw if [[PreventExtensions]]() fails. (r206948)
createError() and JSObject::calculatedClassName() should not throw any exceptions. (r206476)
We should throw a SecurityError when denying access to cross-origin Window properties (r205136)
Calling crossOriginWindow.toString() should not be allowed (r205037)
Trying to access cross-origin Location properties should throw a SecurityError (r205026)
Completes native binding descriptors with native getters and potentially setters. (r185889 + r185902 + r186202 rolled out)

Oct 12, 2018
============
InlineTextBox::paintDocumentMarker() does not need to special case painting of grammar and dictation alternatives (r221212)
Compute document marker rects at use time instead of paint time (r190363)
Scrolling a overflow: scroll region makes find overlay holes stick to the edge of the region (r190254)
Holes for find matches that span multiple lines are completely wrong (r188527)
Kill toRenderedDocumentMarker() by using tighter typing (r174876)

Oct 11, 2018
============
[Win] Application name in user agent string is truncated. (r161983)
Simplify StringTypeAdapter templates (r174234 + r174255)
Inline QualifiedName::toString() method (r208710)
Prevent hit tests from being performed on an invalid render tree (r208003)
Remove LayoutUnit::operator unsigned(). (r201114)
RenderLayer::hitTestList could mutate the list of candidate layers. (r200971 + r201384)
Frame flattening: Hit-testing an iframe could end up destroying the associated inline tree context. (r186165)
Hit test returns incorrect results when performed in paginated content over the page gaps. (r179027)
Ensure that layout is up-to-date before hit-testing via RenderView (r173865)
Ensure that layout is up-to-date before hit testing (r172969)
Code cleanup: change FrameView::doLayoutWithFrameFlattening() to make it more explicit. (r159231)

Oct 10, 2018
============
InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values (r231468 + r231492 rolled out + r231514)
URLParser: Add fast path for hosts containing no non-ASCII or percent characters (r205922)
URLParser: Add fast path for utf8 encoding queries (r205918)
URLParser: Correctly ignore spaces before relative URLs with no scheme (r205846)
URLParser: Fix relative URLs containing only fragments (r205835)
URLParser: Correctly handle relative URLs that are just a scheme and a colon (r205833)
Remove trailing control characters and spaces before parsing a URL (r205824)
Fix more URLParser quirks (r205813)
Optimize URLParser performance (r205812)
URLParser: Keep track of cannot-be-a-base-url according to spec (r205782)
URLParser should convert ASCII hosts to lowercase (r205774)
Text replacement candidates don't always overwrite the entire original string (r205768)
URLParser: Handle \ in path according to spec (r205752)
URLParser should parse URLs with non-special schemes (r205749 partial)
Ensure StringView lifetime is correct inside InlineTextBox (r204276)
Remove BufferForAppendingHyphen (r170561)

Oct 09, 2018
============
[JSC] TinyPtrSet::deleteListIfNecessary() no longer needs to test for reservedValue (r204354)
[JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter (r204065)
[JSC] Get rid of NodePointerTraits (r188850)
The tiny set magic in StructureSet should be available in WTF (r185324 + r185325 + r185433)
[ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered() (r170376)
[JSC] Avoid creating ProgramExecutable in checkSyntax (r236904)

Oct 05, 2018
============
[JSC] Optimize Kraken stringify (r209858)
parseHTMLInteger() should take a StringView in parameter (r205787)
Align meta element http-equiv="refresh" parsing with the HTML specification (r205400)
Follow-up fixes after r205030. (r205095)
HTMLAreaElement's coords attributes parsing does not comply with the HTML specification (r205030)
Speed up StringBuilder::appendQuotedJSONString() (r187484)
Shrink SVGPathStringBuilder (r156024)
Make SVGTransform::valueAsString use StringBuilder (r155968 + r155982))
[WIN] Use GetTimeZoneInformation() for getting the timezone name (r125004)
Unify JSC date and time formating functions (r124817)

Oct 04, 2018
============
Do not measure large chunk of text repeatedly during mid-word breaking. (r215666)
Remove hasStaticPropertyTable (part 5: done!) (r202218)
Remove hasStaticPropertyTable (part 3: JSLocation::putDelegate) (r202032)
Remove hasStaticPropertyTable (part 4: JSHTMLDocument & JSStorage) (r202031)
Remove hasStaticPropertyTable (part 3: JSLocation::putDelegate) (r202030)
Remove hasStaticPropertyTable (part 2: JSPluginElement) (r202029)
Remove hasStaticPropertyTable (part 1: DOM bindings) (r202028)
JSObject::reifyAllStaticProperties cleanup (r201853 complete)
Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead. (r201719)
Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead. (r201702)
Static table property lookup should not require getOwnPropertySlot override. (r201448)
[JSC][32bit] stress/tagged-templates-template-object.js fails in debug (r200541)
ToThis should have a fast path based on type info flags (r199686)
[JSC] Symbol structure has unnecessary flags (r196107)
Remove OverridesHasInstance from TypeInfoFlags (r194369)

Oct 03, 2018
============
Fix 32-bit OverridesHasInstance in the DFG. (r204176)
ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell() (r204140 partial)
Unreviewed, roll out r202268 as it looks like it was a ~50% regression on Dromaeo DOM Core (r202281)
Don't eagerly reify DOM Prototype properties (r202268)
Refactor showModalDialog handling in JSDOMWindowCustom (r201638)
OverridesHasInstance constant folding is wrong (r197370)
Folding of OverridesHasInstance DFG nodes shoud happen in constant folding not fixup (r197196)

Oct 02, 2018
============
StringView operator==(char*) should check the length of the string (r233660)
StringView should have an explicit m_is8Bit field. (r203834)
equal(StringView, StringView) for strings should have a fast path for pointer equality (r201738)
PropertyTable::skipDeletedEntries() should guard against iterating past the table end. (r233625)
Use the default hash value for Symbolized StringImpl (r183624)
Partial Information Leakage in Hash Table implementations (PrivateName) (r155563)
[JSC] Use fastJoin in Array#toString (r223834)
Callers of JSString::unsafeView() should check exceptions (r216699)
Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString. (r208767 complete)
Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions. (r208699)
[JSC] Help clang generate better code on arrayProtoFuncToString() (r198256)
[INTL] Implement Array.prototype.toLocaleString in ECMA-402 (r195431)
Fixed assertion in JSStringJoiner::join() (regression from r185899). (r185909)
Make Array.join work directly on substrings without reifying them (r185899 complete)

Oct 01, 2018
============
[ES6] Implement Symbol.for and Symbol.keyFor (r182915 + r182921)
Fix cast-align warning in StringImpl.h (r176805)
Store StringImpl substring backpointers as tail data (r163416)
Get rid of StringImpl::m_buffer (r163396)
Fix Windows build. (r163349)
StringImpl::tailOffset() should return the offset right after m_hashAndFlags (r163347)
More tail pointer consolidation (r163341)
Consolidate StringImpl tail handling into two functions (r163326)

Oct 01, 2018
============
test262: TypedArray constructors length should be 3 and configurable (r205932)
r199812 broke test262 (r201105)
Make RegExp.prototype.test spec compliant. (r200272 partial)
Align RegExp[@@match] with other @@ methods (r199812)
Re-landing: ES6: Implement RegExp.prototype[@@search]. (r199748 partial)
  => Passed JIT tests.
  
Oct 01, 2018
============
[ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null,
  so that if we constant-infer an accessor slot then we immediately get the function constant for free (r170729)
Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp. (r209011)
Array.prototype.slice should not modify frozen objects. (r207226 complete)
Change ArrayPrototype.cpp's putLength() and setLength() to take a VM& so that we can use vm.propertyNames. (r207036 complete)
Rename the StrictModeReadonlyPropertyWriteError string to ReadonlyPropertyWriteError. (r207023)
test262: Array.prototype.slice should always set length (r205910)

Sep 28, 2018
============
[JSC] make Object.getOwnPropertyDescriptors() work with non-JSObject types (r196042)
[JSC] Implement Object.getOwnPropertyDescriptors() proposal (r196040)
Harden JSObject::getOwnPropertyDescriptor() (r209869)
Follow up fix to Implement Proxy.[[GetOwnProperty]] (r196775)
Use a profile to store allocation structures for subclasses of InternalFunctions (r194863 complete)

Sep 27, 2018
============
JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData (r196959 complete)
We should zero unused property storage when rebalancing array storage. (r236514)
We should support the ability to do a non-effectful getById (r199170 partial)
We should support the ability to do a non-effectful getById (r199073 + r199084 rolled out + r199104 + r199108 rolled out)
Clean up JavaScriptCore/builtins (r182118)

Sep 26, 2018
============
Unreviewed, add scope verification handling (r236505)
[JSC] Optimize Array#lastIndexOf (r236496)
We should be able to lookup symbols by identifier in builtins (r201825 partial revisited)
ES6: Implement String.prototype.split and RegExp.prototype[@@split]. (r199393 + r199400 rolled out + r199502 + r199514 rolled out + r199731)
String.prototype.match() should be calling internal function RegExpCreate. (r199144)
RegExp constructor should use Symbol.match and other properties (r199106)
Misc. JavaScriptCore built-ins cleanups (r198713)
ES6: Implement IsRegExp function and use where needed in String.prototype.* methods (r198652)
Create private builtin helper advanceStringIndexUnicode() for use by RegExp builtins (r198647)
[ES6] Add Proxy based tests for RegExp.prototype[@@match] (r198625)
[ES6] Greedy unicode RegExp's don't properly backtrack past non BMP characters (r198624 complete)
[ES6] Implement RegExp.prototype[@@match] (r198554)
ES6 spec requires that RegExpPrototype not be a RegExp object. (r198447)
[ES6] Allow RegExp constructor to take pattern from an existing RegExp with new flags (r197962)
[ES6] Make ToPropertyDescriptor spec compliant (r197960)

Sep 25, 2018
============
The Array species constructor watchpoints should be created the first time they are needed rather than on creation (r202067)
Promise.prototype.then should use Symbol.species to construct the return Promise (r197428)
Symbol.species accessors on builtin constructors should be configurable (r196414)
Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects (r236437)
JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState. (r236369 partial)
Proxy's [[Get]] passes incorrect receiver (r217093)
JavaScript for-of does not work on a lot of collection types (e.g. HTMLCollection) (r211024 partial)
Introduce the concept of Immutable Prototype Exotic Objects to comply with the spec. (r209424)
[JSC] Avoid cloned arguments allocation in ArrayPrototype methods (r208524 partial revisited)
Align cross-origin proto getter / setter behavior with the specification (r205297 + r205301 rolled out)
Array.prototype.map builtin should go on the fast path when constructor===@Array (r204488 complete)
Make builtin TypeErrors consistent (r203393 partial revisited)
[JSC] Array.prototype.includes uses ToInt32 instead of ToInteger on the index argument (r202926)
[JSC] The prototype cycle checks throws the wrong error type (r202832)
[JSC] StringObject.{put, defineOwnProperty} should realize indexed properties (r197684)
[JSC] Iterating over a Set/Map is too slow (r194838)
Fix grammar issue in TypeError attempting to change an unconfigurable property (r186584)
Reflect nits for r184863 (r184871)
[ES6] Implement Array.prototype.copyWithin (r184863)
Array#findIndex/find should not skip holes (r184848)
Rename createIterResultObject as createIteratorResultObject (r184586)
Array.prototype methods must use ToLength (r184582 partial revisited)
ES7: Implement Array.prototype.includes (r181871)
Array.prototype.find and findIndex should skip holes (r169162)
Implement Array.prototype.find() (r167797)

Sep 21, 2018
============
Fix the debug build after r202667 (r202673)
[JSC] Minor TypedArray fixes (r202667)
[JSC] Fix small issues of TypedArray prototype (r202631)
[JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array (r231572)
%TypedArray%.prototype.slice needs to check that the source and destination have not been detached. (r204868)
Array.prototype.map builtin should go on the fast path when constructor===@Array (r204488 partial)
Array.prototype native functions' species constructors should work with proxies (r198589)
Array prototype JS builtins should support Symbol.species (r197536 complete)
Use Symbol.species in the builtin TypedArray.prototype functions (r196950)
JSC Builtins should use safe array methods (r193899 partial revisited)
Add regression tests for TypedArray.prototype functions' error messages. (r191300)
Unreviewed. Fix typo in TypeError messages in TypedArray.prototype.forEach/filter. (r191225)
[JSC] Optimize Array#indexOf in C++ runtime (r236240)
JSArray::canFastCopy() should fail if the source and destination arrays are the same. (r222598)
Object properties are undefined in super.call() but not in this.call() (r223175)
ArrayBuffer constructor needs to create subclass structures before its buffer (r218452)
Fix toStringName for Proxies and add support for normal instances (r205131)
toString called on proxies returns incorrect tag (r205023)

Sep 20, 2018
============
constructGenericTypedArrayViewWithArguments() is missing an exception check. (r221711)
Put does not properly consult the prototype chain (r216309)
Fix missing exception checks in Interpreter.cpp. (r214005 partial revisited)
Change ProxyObject.[[Get]] not to use custom accessor (r201703)
Proxy.ownKeys should no longer throw an exception when duplicate keys are returned and the target is non-extensible (r201672)
Stack overflow crashes with deep or cyclic proxy prototype chains (r201495 partial revisited)
Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver (r201322)
REGRESSION (r205670): ASSERTION FAILED: methodTable(vm)->toThis(this, exec, NotStrictMode) == this (r205939)
Align proto getter / setter behavior with other browsers (r205354 + r205372 rolled out + r205670)
ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__" (r205535)
Assertion failure when returning incomplete property descriptor from proxy trap. (r202124)
Fix typos in our error messages and remove some trailing periods (r198813)
[JSC] allow duplicate property names returned from Proxy ownKeys() trap (r198531 complete)
[ES6] Reflect.set with receiver (r198270)
[ES6] Implement Proxy.[[GetPrototypeOf]] (r197711)
[[GetPrototypeOf]] should be a fully virtual method in the method table (r197645 + r97646 rolled out + r197648)
PutProperytSlot should inform the IC about the property before effects. (r224416)
[ES6] Implement Reflect.set without receiver support (r198023)
Location.reload should not be writable (r197576)
[Unforgeable] operations should not be writable as per Web IDL (r196770)
Drop [NotDeletable] from QuickTimePluginReplacement.postEvent() (r190234)
Unify symbolTableGet and Put in JSLexicalEnvironment and JSSymbolTableObject (r189525)

Sep 19, 2018
============
Assertion failure for bound function with custom prototype and Reflect.construct (r200319)
ES6 spec requires that ErrorPrototype not be an Error object. (r198469)
ArrayPrototype methods should use JSValue::toLength for non-Arrays. (r218449 complete)
Web Inspector: Reflect.toString() should be [object Object] not [object Reflect] (r200355)
[ES6] Support Reflect.construct (r197614)
Ensure that ForInContexts are invalidated if their loop local is over-written. (r236161)
Refactor some ForInContext code for better encapsulation. (r236018)
[JSC] has_generic_property never accepts non-String (r217887)

Sep 18, 2018
============
[FreeType] Use FastMalloc for FreeType (r226635)
[ES6] Instanceof isn't spec compliant when the RHS is a Proxy with a target that is a function (r197970)
[FreeType] Enable BCI on webfonts (r219422)

Sep 17, 2018
============
Add proper JSON.stringify support for Proxy when the target is an array (r197918 complete)
Array.isArray support for Proxy (r197899)
[ES6] Implement revocable proxies (r197732)
Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate(). (r214684)
Fix Array.prototype.splice ES6 compliance. (r207322 + r207344 rolled out)
Rename variables in arrayProtoFuncSplice() to match names in the spec. (r207241)
some paths in Array.prototype.splice don't account for the array not having certain indexed properties (r203087 complete)

Sep 17, 2018
============
[ES6] Add support for Symbol.hasInstance (r193974 + r194007 + r194036 rolled out + r194248 + r194262)
  => Passed JIT tests.

Sep 14, 2018
============
JSGenericTypedArrayView::set() should check for exceptions. (r207906)
Crashes with detached ArrayBuffers (r203199 + r203200 rolled out + r203204 complete)
DataView should use an accessor for its length and buffer properties (r198435)
Native Typed Array functions should use Symbol.species (r197192)
Fix typo in "use strict" in TypedArray builtins (r191777)

Sep 13, 2018
============
Cannot call initializeIndex() if we didn't create the array using tryCreateUninitialized() (r196437)
Array.prototype native functions should use Symbol.species to construct the result (r195878)
WebKit must support all JavaScript MIME types in HTML5 spec (r191268)
[ES6] Add Symbol.species properties to the relevant constructors (r195460)
Fix some issues with TypedArrays (r191190 + r191193 rolled out + r191212 complete)
ES6 Fix TypedArray constructors. (r191059)
Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties. (r191215 partial)

Sep 12, 2018
============
TypedArrays need more isNeutered checks. (r202982 complete)
TypedArray.prototype.slice should not throw if no arguments are provided (r201364)
[ES6] Fix various issues with TypedArrays. (r195360 complete)
[ES6] Add TypedArray.prototype functionality. (r189064 + r189085 rolled out + r190367 + r190385 rolled out + r190429)
Octane/regexp's Exec function should benefit from array length accessor inlining (r197542)
[JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix (r229855)
[DFG][FTL] Efficiently execute number#toString() (r221601)

Sep 11, 2018
============
canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints (r201584)
DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0' (r227716)
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t (r226937 + r227004 rolled out + r227271 partial)
[JSC] Optimize Number.prototype.toString on Int32 / Int52 / Double (r214219)
Assertion failed under operationToLowerCase with a rope with zero length (r207377)
String.prototype.toLowerCase should be a DFG/FTL intrinsic (r206804)
[ES6] Implement Proxy.[[SetPrototypeOf]] (r197544)
Add Proxy tests for exceptions that depend on an object being non-extensible and having configurable properties (r197539)
[ES6] Implement Proxy.[[DefineOwnProperty]] (r197533)
[[SetPrototypeOf]] isn't properly implemented everywhere (r197512)
clean up JSObject::isExtensibleInline and JSObject::setPrototypeOfInline, and rename setPrototypeOf to setPrototype (r197484)
[ES6] Implement Proxy.[[IsExtensible]] (r197420)
[ES6] Implement Proxy.[[PreventExtensions]] (r197418)
X.[[SetPrototypeOf]](Y) should succeed if X.[[Prototype]] is already Y even if X is not extensible (r188384 complete)

Sep 10, 2018
============
[DFG] DFG should handle String#toString (r235790)
[Intl] Change the return type of canonicalizeLocaleList() from JSArray* to Vector<String> (r190591)
[INTL] Implement supportedLocalesOf on Intl Constructors (r189811)
Implement basic types for ECMAScript Internationalization API (r187575)
Implement ECMAScript Internationalization API (r186161)
LLInt get/put inline caches shouldn't use tons of opcodes (r189766)
[[SetPrototypeOf]] should be a fully virtual method in ClassInfo::methodTable (r197467)
Assertion failure for super() call in direct eval in method function (r200409)
EvalCodeCache should not give up in strict mode and other cases (r208404)
Lets rename codeOriginIndex to callSiteIndex and get rid of CallFrame::Location. (r188932)

Sep 07, 2018
============
Web Inspector: Stepping highlight for dot/bracket expressions in if statements highlights subset of the expression (r207312)
ThisTDZMode is no longer needed (r201328)
Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive (r180518 partial)
Removed unused sourceOffset from JSTokenLocation. (r153071)
[JSC] Clean up StructureStubClearingWatchpoint (r235776)
Stack overflow error for deeply nested classes. (r203286)
WatchpointsOnStructureStubInfo doesn't need to be reference counted (r189328)

Sep 06, 2018
============
Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter (r235765)
ES6: Reusing function name as a parameter name shouldn't throw Syntax Error (r201892)

Sep 06, 2018
============
Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached. (r204305 partial)
We don't have to parse a function's parameters every time if the function is in the source provider cache (r200038)
  => Passed JIT tests.
  
Sep 06, 2018
============
Use of arguments in arrow function is slow (r213165 complete revisited)
arrow function lexical environment should reuse the same environment as the function's lexical environment where possible (r201176)
Assertion failure for direct eval in non-class method (r200856)
Add a couple UNLIKELY macros in parseMemberExpression (r199755)
[ES6] Class syntax. Access to new.target inside of the eval should not lead to SyntaxError (r198980)

Sep 05, 2018
============
REGRESSION: date-format-tofte.js is super slow (r208427)
Sloppy mode: We don't properly hoist functions names "arguments" when we have a non-simple parameter list (r212021)
Rename BytecodeGenerator's m_symbolTableStack to m_lexicalScopeStack. (r209723)
Lets do less locking of symbol tables in the BytecodeGenerator where we don't have race conditions (r199848)
Super property access in base class constructor doesn't work (r210958)
The parser doesn't properly parse "super" when default parameter is an arrow function. (r202074)
Remove some unnecessary RefPtrs in the parser (r199845)
[ES6] Arrow function syntax. Update syntax error text 'super is only valid inside functions' to more suitable (r198472)
JSBench regression: CodeBlock linking always copies the symbol table (r201221)
Make the type profiler work with lexical scoping and add tests (r187524 partial)

Sep 04, 2018
============
Class contructor and methods shouldn't have "arguments" and "caller" (r200321)
Web Inspector: ES6: Provide a better view for Classes in the console (r182047 partial)
synthesizePrototype() and friends need to be followed by exception checks (or equivalent). (r197794 revisited)

Aug 31, 2018
============
[ES6] Make GetProperty(.) inside ArrayPrototype.cpp spec compatible. (r198360)
[ES6] Getters and Setters should be prefixed appropriately (r198348 partial)
Clean up register naming (r189293 partial)
  => Passed JIT tests.
  
Aug 31, 2018
============
Add missing exception check in arrayProtoFuncLastIndexOf(). (r235540)
Add some missing exception checks in JSRopeString::resolveRopeToAtomicString(). (r235491)

Aug 29, 2018
============
[ES6] Reflect.set with receiver (r198270 partial)
Implement Function.name support for getters/setters and inferring name of function properties. (r197817)
GetByIdWithThis/GetByValWithThis should have ValueProfiles so that they can predict their result types (r205321)
Remove the use of "Immediate" in JIT function names. (r190230 partial)
[DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers (r231472 partial)
[ES6] Arrow function. Issue in access to this after eval('super()') within constructor (r216329)
BytecodeGenerator ".call" and ".apply" is exponential in nesting depth (r215453 revisited)
Getter and setter on super are called with wrong "this" object (r200586)
[ES6][ES7] Drop Constructability of generator function (r194435)
Insert exception check around toPropertyKey call (r182057 complete)

Aug 28, 2018
============
calling super() a second time in a constructor should throw (r199712 + r199724 rolled out + r200083 + r200084 rolled out + r200102)
Speed up case folding for 8-bit strings (r160954)
[ES6] Support subclassing Function. (r195070)
[ES6] Support subclassing the String builtin object (r194998)
Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays (r194869)
Assertion failure for exception in "prototype" property getter and Reflect.construct (r200257)
  
Aug 27, 2018
============
Debug assertion failure while loading http://kangax.github.io/compat-table/es6/. (r196986)
InternalFunction::createSubclassStructure doesn't take into account that get() might throw (r196966)
WTF::StringImpl::copyChars segfaults when built with GCC 7 (r219182)
Crash in WTF::StringBuilder::append() (r164408)
Remove 'static' specifier from free inline functions in StringImpl.h (r164175)
plainText() is O(N^2) (r152306)
[JSC] Object constructor need to be aware of new.target (r200421 complete)
Remove redundant StringImpl substring creation function. (r194509)
Constructed object's global object should be the global object of the constructor. (r212015 complete)
global lexical environment variables are not accessible through functions created using the function constructor (r201628)
Use a profile to store allocation structures for subclasses of InternalFunctions (r194863 partial)
[ES6] Boolean, Number, Map, RegExp, and Set should be subclassable (r194643)
[ES6] Arrays should be subclassable. (r194612)
Optimized equal() functions in StringImpl.h are not ASan compatible (r179644 revisited)
Fix undefined behavior in WTF::equal() in StringImpl.h for i386/x86_64 (r165681 revisited + r165706 revisited)

Aug 24, 2018
============
Promise constructor should throw when not called with "new" (r191276)
Atomics.h has incorrect GCC test for ext/atomicity.h when using LSB compilers (r125010)
constructArray() should always allocate the requested length. (r233722)
constructArray() should set m_numValuesInVector to the specified length. (r233167)
unshift should zero unused property storage (r233121)
constructArray variants should take the slow path for subclasses of Array (r232977)
Initial implementation of annex b.3.3 behavior was incorrect (r199179)
Implement Annex B.3.3 function hoisting rules for function code (r198989)

Aug 23, 2018
============
Scopes that are not under TDZ should still push their variables onto the TDZ stack so that lifting TDZ doesn't bypass that scope (r202778)
Method names should not appear in the lexical scope of the method's body. (r198332)
Add support for setting Function.name from computed properties. (r198288)
Need to distinguish between Symbol() and Symbol(""). (r198168)
Give Unique StringImpls a meaningful data pointer (r160453)
Try to create AtomicString as 8 bit where possible (r132739)

Aug 22, 2018
============
The DFG CFGSimplification phase shouldnt jettison a block when its the target of both branch directions. (r235177)
ES6 Function.name inferred from property names of literal objects can break some websites. (r200423)
Implement Function.name and Function#toString for ES6 class. (r198042)
Accept 8 and 4 value hex colors (#RRGGBBAA) (r192023)
Use __sync_add_and_fetch instead of __gnu_cxx::__exchange_and_add (r139553)
ES6: Implement lexical scoping for function definitions in strict mode (r197915)
BytecodeGenerator::pushLexicalScopeInternal and pushLexicalScope should use enums instead of bools (r194304)
calculatedDisplayName() and friends actually need a VM& and not a ExecState/CallFrame. (r201766)
FunctionExecutable::ecmaName() should not be based on inferredName(). (r197867 complete)
Implement Function.name support for getters/setters and inferring name of function properties. (r197815)
NativeExecutable should have a name field (r195000)
Web Inspector: Scope details sidebar should label objects with constructor names (r180173)
Make JSFunction.name allocation fully lazy. (r197308)
[JSC] Should not rotate constant with 64 (r234852 + r235021 rolled out + r235160)

Aug 21, 2018
============
[ES6] Recognize calls in tail position (r189336 + r189376)
Function with default parameter values that are arrow functions that capture this isn't working (r201122)
Web Inspector: JSContext inspection should report exceptions in the console (r164824 partial)
Web Inspector: JSContext inspection should report exceptions in the console (r164486 + r164491 rolled out + r164507 + r164554 rolled out)
Web Inspector: Autogenerate stack traces and line numbers when possible. (r136377 + r136386 rolled out + r136657)
Web Inspector: Remove unused ConsoleMessage constructor. (r135107)
Web Inspector: Associate console messages with the requests that caused them. (r132918)
[JSC] op_new_arrow_func_exp is no longer necessary (r201487)
Remove unused m_writtenVariables from the parser and related bits (r199768)
Fix a crash when assigning an object to document.location (r166090 revisited)

Aug 20, 2018
============
Function.name and Function.length should be configurable. (r197205)
[ES6] Implement ES6 arrow function syntax. Prototype of arrow function should be undefined (r189341)
intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point (r235007)
[JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion (r234855)
[DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants (r234853)
[JSC] Should not rotate constant with 64 (r234852 + r235021 rolled out)
We should have different JSTypes for JSGlobalLexicalEnvironment and JSLexicalEnvironment and JSModuleEnvironment (r198228)
[ES6] Catch parameter should accept BindingPattern (r195439)
Fix asm operand type for weakCompareAndSwap on ARM_THUMB2 (r133796)
Fix for WTF fails to compile in thumb mode when llint is enabled. (r128557)
atomicDecrement() never reach 0 on Android so no deref() will be called (r124115)
set WTF_USE_LOCKFREE_THREADSAFEREFCOUNTED for chromium android (r123875)

Aug 11, 2018
============
parsing arrow function expressions slows down the parser by 8% lets recoup some loss (r198927)

Aug 10, 2018
============
We don't need a manual stack for an RAII object when the machine's stack will do just fine (r199787)
Runaway WebContent process CPU & memory @ foxnews.com (r201589)
[ES6] Arrow function syntax. Arrow function should support the destructuring parameters. (r195178)
Assertion failure for destructuring assignment with new.target and unary operator (r200293 complete)
Misleading error message: "At least one digit must occur after a decimal point" (r187506)
SyntaxChecker assertion is trapped with computed property name and getter (r181807)
Array.prototype.sort should call @toLength instead of ">>> 0" (r234728)
Array.prototype.sort should throw TypeError if param is a not callable object (r234716)
super should be available in object literals (r199927)
We incorrectly parse arrow function expressions (r199352)
FunctionExecutable::ecmaName() should not be based on inferredName(). (r197867 partial)
keywords ("super", "delete", etc) should be valid method names (r194881)
[JSC] support CoverInitializedName in nested AssignmentPatterns (r192919)
[ES6] Implement computed accessors (r189504)

Aug 09, 2018
============
ES6 class syntax should allow computed name method (r188498)
JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path) (r227898)
[ES6] Class expression should have lexical environment that has itself as an imutable binding (r191030 + r191037 rolled out + r191110)
[ES6] Class method should not declare any variables to upper scope. (r191086)
ES6: Should not allow duplicate basic __proto__ properties in Object Literals (r184640)
ES6: Allow duplicate property names (r184324 revisited)
Implement SmallPtrSet and integrate it into the Parser (r198375 + r198579)

Aug 08, 2018
============
[ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class (r194835)
Assertion failure for super() call in arrow function default parameters (r200824)
REGRESSION(r192914): 10% regression on Sunspider's date-format-tofte (r198778)
Invoking super()/super inside of the eval should not lead to SyntaxError (r198324)
How we load new.target in arrow functions is broken (r197928)
[ES6] Arrow function syntax. Lexical bind super inside of the arrow function in generator. (r197554)
[ES6] Arrow function. Some not used byte code is emited (r197410)
[ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function. (r197033 + rr197043 rolled out + r197296)
[ES6] Arrow function syntax. Using 'super' in arrow function that declared out of the class should lead to Syntax error (r196261)
Provide a way to distinguish a nested lexical block from a function's lexical block (r194251)
[ES6] Implement LLInt/Baseline Support for ES6 Generators and enable this feature (r192914 + r192935 rolled out + r192937)
Super use should be recorded in per-function scope (r192695)
Bytecodegenerator emits crappy code for returns in a lexical scope. (r187991)
Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions (r187014)
Function bodies should always include braces (r181673)

Aug 07, 2018
============
Clean up ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keep minimal set of them (r191946)
[ES6] Add ScriptElement::determineScriptType (r204221)
[ES6] Implement ES6 Module loader hook stubs in WebCore (r190272)
Add module loader "resolve" hook for local file system to test the loader in JSC shell (r189071)

Aug 03, 2018
============
[ES6] Arrow function syntax. Arrow function specific features. Lexical bind "super" (r194449)
Unexpected exception assigning to this._property inside arrow function (r194340)
[ES6] Arrow function syntax. Arrow function specific features. Lexical bind "arguments" (r195581)
[ES6] we have an incorrect syntax error when a callee of a function expression has the same name as a top-level lexical declaration (r196545)
[ES6] Support Generator Syntax (r191875)
[ES6] Add more fine-grained APIs and additional hooks to control module loader from WebCore (r189941)
[ES6] Instantiate Module Environment bindings and execute module (r189339)

Aug 02, 2018
============
[ES6] Introduce ModuleProgramExecutable families and compile Module code to bytecode (r189201)
[JSC] Make some classes non JSDestructibleObject (r196108)
[ES6] Implement Module execution and Loader's ready / link phase (r189088)
New map and set modification tests in r181922 fails (r181968)
REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor (r181922)
Integrate MapData into JSMap and JSSet (r181458)
Serialization of MapData object provides unsafe access to internal types (r176803)
Support structured clone of Map and Set (r155008)

Aug 01, 2018
============
[ES6] Return JSInternalPromise as result of evaluateModule (r188894)
[ES6] prototyping module loader in JSC shell (r188752)
Exception message for expressions with multiple bracket accesses is inconsistent / incorrect (r207326)
[JSC] fix error message for eval/arguments CoverInitializedName in strict code (r194153)
[ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment (r193766)
Web Inspector: arrow function names are never inferred, call frames are labeled (anonymous function) (r190066)

Jul 31, 2018
============
[JSC] Make get_by_val & string "499" to number 499 (r217199 revisited complete)
[JSC] add missing RequireObjectCoercible() step in destructuring (r192899)
[JSC] support Computed Property Names in destructuring Patterns (r192768)
ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier" (r187119)
[Baseline] Remove a hack for DCE removal of NewFunction (r232182 revisited)
[ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment (r192876 + r192882 rolled out + r193584 + r193606 rolled out)
New tests introduced in r188545 fail on 32 bit ARM (r190063)
[ES6] Implement ES6 arrow function syntax. Arrow function specific features. Lexical bind of this (r188545)
Inline JSFunction allocation in DFG (r182959)
Crash in operationNewFunction when scrolling on Google+ (r177871)
[ES6] Drop WeakMap#clear (r185041)
[ES6] Implement WeakSet (r182994)
MapData and WeakMapData don't need to be objects (r155558)
Support WeakMap (r155473)

Jul 30, 2018
============
[ES6] Implement ES6 arrow function syntax. Arrow function specific features. Lexical bind of this (r188545 partial)
Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode (r188417)
[ES6] Add ES6 Modules preparsing phase to collect the dependencies (r188355)
[ES6] Support Module Syntax (r187890)

Jul 27, 2018
============
The parser doesn't properly protect against global variable references in builtins (r196525 revisited partial)

Jul 27, 2018
============
Spread operator should be allowed when not the first argument of parameter list (r196734)
  => Passed JIT tests.

Jul 26, 2018
============
Use NakedPtr<Exception>& to return exception results. (r185608)
window.onerror should pass the ErrorEvent's 'error' property as the 5th argument to the event handler (r202023 revisited)
WebCore::reportException() needs to be able to accept a raw thrown value in addition to Exception objects. (r185487)
Interpreter::unwind shouldn't be responsible for assigning the correct scope. (r188136 + r188144)
Returned Exception* values need to be initialized to nullptr when no exceptions are thrown. (r185286)
finally blocks should not set the exception stack trace when re-throwing the exception. (r185259)
Add the ability to tell between Catch and Finally blocks. (r185083)

Jul 25, 2018
============
[JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code (r194107)
[JSC] Fix AssignmentElement parsing (r192661)
Relax builtin JS restriction about try-catch (r186260)
Strict mode destructuring assignment crashes the parser. (r166216)
OSR entry into DFG has problems with lexical scoping (r203356)
Destructuring parameters are evaluated in the wrong scope (r198206)
Remove our notion of having a single activation register (r195862)

Jul 24, 2018
============
baseline JIT should emit better code for UnresolvedProperty in resolve_scope/get_from_scope/put_to_scope (r189501)
JSC allows invalid var declarations when the declared name is the same as a let/const variable (r190188)
some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct (r202588 revisited)
JSC should detect singleton functions (r182759 complete revisited)
VariableEnvironmentNode should inherit from ParserArenaDeletable because VariableEnvironment's must have their destructors run (r190014)
[JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling (r223824 partial revisited)

Jul 23, 2018
============
put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object (r228193 complete revisited)
[JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling (r223824 partial)
Factoring out op_sub baseline code generation into JITSubGenerator. (r190649 partial)
baseline JIT should emit better code for UnresolvedProperty in resolve_scope/get_from_scope/put_to_scope (r189501 partial)
Block scoped variables should be visible across scripts (r189279)
DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray (r234075)
CompareEq should be using KnownOtherUse instead of OtherUse (r234060)
Let's rename FunctionBodyNode (r188219)
ES6 class syntax should use block scoping (r187680)

Jul 20, 2018
============
functions that use try/catch will allocate a top level JSLexicalEnvironment even when it is not necessary (r189819)
Callee can be incorrectly overridden when it's captured (r188926 complete revisited)
Replace JSFunctionNameScope with JSLexicalEnvironment for the function name scope. (r187969)
Implement catch scope using lexical scoping constructs introduced with "let" scoping patch (r187515)
There is a bug when default parameter values are mixed with destructuring parameter values (r192436 + r192586 + r192597 rolled out + r192603))
Added a comment explaining that all "addVar()"s should happen before emitting bytecode for a function's default parameter expressions (r187437)
[ES6] Add support for default parameters (r187351)
DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable (r187111)
"let" scoping introduced incoherent story about symbol table cloning (r187033)
[ES6] Add support for block scope const (r187012)
[ES6] Support rest element in destructuring assignments (r185981)
[ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern (r185853)
[ES6] Destructuring assignment need to accept iterables (r185791)
JSC should detect singleton functions (r182759 partial)
functionProtoFuncToString should not rely on typeProfilingEndOffset() (r190096)
Function.prototype.toString is incorrect for ArrowFunction (r188928)
Function parameters should be parsed in the same parser arena as the function body (r186903 + r186906 rolled out + r186959)
Setter should have a single formal parameter, Getter no parameters (r181929)
ES6: Object Literal Methods toString is missing method name (r181901)
Function.prototype.toString should not decompile the AST (r181810)

Jul 19, 2018
============
CSP: 'blob:' URLs should not match 'self' in CSP source expression lists. (r196528)
lexical scoping is broken with respect to "break" and "continue" (r186996 + r186997 rolled out + r187003)
[ES6] implement block scoping to enable 'let' (r186860)
JSC's parser should follow the ES6 spec with respect to parsing Declarations (r186379)

Jul 18, 2018
============
class methods should be non-enumerable (r183316)

Jul 17, 2018
============
performProxyCall should toThis the value passed to its handler (r233110)
[[IsExtensible]] should be a virtual method in the method table (r197412)
[[PreventExtensions]] should be a virtual method in the method table. (r197391)
Global functions should be initialized as JSFunctions in byte code (r183789 + r183790 rolled out + r183972)
FunctionBodyNode should known where its parameters started (r181818)
Breakpoint doesn't fire in this HTML5 game (r178232)
Check whether font is nonnull for GlyphData instead of calling GlyphData::isValid() (r203280 partial)
[CSS Grid Layout] Upgrade align-self and align-items parsing to CSS 3 (r176218 + r176258 rolled out + r182147 complete)
[iOS] Some MathML tests crash in RenderMathMLOperator::advanceForGlyph() or boundsForGlyph() (r180792)
Draw radicals with glyphs for better rendering (r169939 + r169945 rolled out + r169963 + r169965 rolled out + r170005 + r170006)
Rename "Deconstruction" to "Destructuring" throughout JSC (r186246)
[ES6] support default values in deconstruction parameter nodes (r185699)
MathML operators not stretched horizontally (r169607)
[MathML] Use of floating point floor/ceil on LayoutUnits seems wrong (r157135)

Jul 16, 2018
============
Use size variants and glyph assembly from the MATH data. (r169305)
Operator stretching: read the Open Type MATH table (r166640)
Operator stretching: expose a math data API (r166633)
[JSC] Private symbols should not be trapped by proxy handler (r197383)
[ES6] Implement Proxy.[[Set]] (r197136)
Migrate the MathML stretchy code from UChar to Glyph. (r165608)
[MathML] The double bar vertical delimiter does not stretch properly (r159219)
[MathML] Poor spacing around delimiters in MathML Torture Test 14 (r159007)
[MathML] Center of stretched curly bracket not always vertically centered (r158931)
Invisible Operators should not add space. (r165464)
Implement MathML spacing around operators . (r165461)
Improve renderer classes for MathML Token elements. (r165436)
Add support for minsize/maxsize attributes. (r164700)
Implement asymmetric/symmetric stretching of vertical operators. (r164537)
Large stretch size error for MathML operators. (r164534 + r164535 rolled out + r164536)
Do not draw multi-characters <mi> in italic. (r163553)
Ensure inferred mrows for msqrt, mstyle, merror, mphantom and math. (r160711)
RenderMathMLFenced should pass around operators in tighter types. (r159011)
CTTE: RenderMathMLFenced always has a MathMLInlineContainerElement. (r157593)
MathML padding overrides only need to be on RenderMathMLRoot (r140032)
[MathML] Implement <mtd> rowspan and columnspan attributes (r129695)

Jul 13, 2018
============
Implement the MathML Operator Dictionary. (r164418)
Add support for menclose element (r162933)
Map the dir attribute to the CSS direction property. (r159504)
REGRESSION(r157408): Crashes in RenderFullScreen::wrapRenderer(). (r157415)
Pass Document directly to anonymous renderer constructors. (r157408)
[MathML] Implement the subscriptshift and superscriptshift attributes (r156036)
Remove RenderObject::clearNode(). (r155807)
Remove support for anonymous deprecated flexboxes. (r155689)

Jul 12, 2018
============
Remove unused FragmentationDisabler class. (r159022)
[MathML] Remove RenderTree modification during layout and refactor the StretchyOp code (r156930 + r156937 + r156947 rolled out + r157070)
[CSS Regions] Crash when MathML used in CSS Regions (r144744)
[MathML] Timeouts on linux after r132264 (r132365)
[MathML] Symbol font uses greek letters for roman ones on linux and Windows (r132264)
[Cocoa] Text shadow sometimes clipped unexpectedly (r200807 partial revisited)
[Simple line layout] Incorrect repaint rect with vertically shrinking content and bottom-padding. (r225379)

Jul 11, 2018
============
[GTK] Unnecessary extern functions in FontPlatformDataFreeType.cpp (r206373)
[GTK] Bad text rendering since r101343 (r102748 revisited)
[GTK] Improve FontMetrics accuracy (r101343 revisited)
[FreeType] Vertical CJK glyphs should not be rendered with synthetic oblique (r183878)
[Freetype] Add support for the font-synthesis property (r183673)
[FreeType] REGRESSION(r180563): Introduced crashes (r180675)
[GTK] Fonts loaded via @font-face look bad (r180563)
[GTK] REGRESSION: FreeType backend does not respect XSettings font settings after r68558 (r69786 revisited)
[Cairo] FreeType fonts should obey FontConfig hinting/anti-aliasing settings (r68558 revisited)
hasOwnProperty returns true for out of bounds property index on TypedArray (r233718)
Change the reoptimization backoff base to 1.3 from 2 (r233714)
YARR: . doesn't match non-BMP Unicode characters in some cases (r233690)
Enable moving fixed character class terms after fixed character terms for BMP only character classes (r221167)

Jul 10, 2018
============
Tatechuyoko text is not vertically centered in its vertical advance (r192259)
text-combine needs to center text within the vertical space using glyph bounds (r175236)
Ruby text is incorrectly positioned when its writing-mode is changed to vertical after layout is done (r145451)
[JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock (r233657)
NewRegexp should not prevent inlining (r204958)

Jul 09, 2018
============
ProgramExecutable may be collected as we checkSyntax on it (r233540)
Regular expressions with ".?" expressions at the start and the end match the entire string (r233453)
RegExp.exec returns wrong value with a long integer quantifier (r233451)
test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs (r222336)
Add support for RegExp "dotAll" flag (r221160)
REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137 (r221111)
Implement Unicode RegExp support in the YARR JIT (r221052)
Update treatment of invoking RegExp.prototype methods on RegExp.prototype. (r199545)
ES6's throwing of TypeErrors on access of RegExp.prototype flag properties breaks websites. (r198698)

Jun 27, 2018
============
Invalid innerTextRenderer in RenderTextControlSingleLine::styleDidChange() (r229393)
Add newTarget accessor to JS constructor written in C++ (r187142)
[CSS Grid Layout] Wrong computed style for named grid lines in implicit tracks (r183739)
[CSS Grid Layout] Implement justify-self and justify-item css properties. (r182613)
[CSS Grid Layout] Resolved value of grid-template-* must include every track listed (r173156)
[JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr (r233252)
eval() is wrong about the LiteralParser never throwing any exceptions. (r233242)
JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow (r196849)
[ES6] Add support for rest parameters (r192671 partial)
[CSS Grid Layout] grid-template-areas should accept none value (r183850)
  => Passed JIT tests.

Jun 26, 2018
============
[ES6] Implement Proxy.[[Delete]] (r197042)
[ES6] Implement Proxy.[[Construct]] (r196868)
[ES6] Implement Proxy.[[Call]] (r196836)
Unreviewed, relax limitation in operationCreateThis (r194436)
[CSS Grid Layout] Upgrade align-self and align-items parsing to CSS 3 (r176218 + r176258 rolled out + r182147)
[CSS Grid Layout] Properly support for z-index on grid items (r170474)
ContentData equals() methods are not inline-able (r163936)
Convert RenderFullScreen to use the non-deprecated flexbox (r140705)
Remove StyleContentType since it's not used anymore (r131684)

Jun 25, 2018
============
[JSC] Private symbols should not be trapped by proxy handler (r197383 partial)
ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot (r197295)
Make JSObject::getMethod have fewer branches (r196999)
JSGlobalObject doesn't visit ProxyObjectStructure during GC (r196967)
Implement Proxy.[[HasProperty]] (r196789)
Proxy's don't properly handle Symbols as PropertyKeys. (r196785)
Implement Proxy.[[GetOwnProperty]] (r196772)
Implement Proxy [[Get]] (r196722 complete)
Improve JSObject::put performance (r194175)
Some JSValue::get() micro-optimzations. (r169815)
Streamline JSValue::get(). (r165090)

Jun 22, 2018
============
[CSS Grid Layout] Implement justify-self css property (r171010)
[CSS Parser] Unprefix -webkit-writing-mode (r207757)
Implement parsing for CSS will-change (r188512)
Code clean up for extracting information from the mix of WritingMode and TextDirection (r184962)
[CSS Grid Layout] <string> not allowed in grid-{area | row | column} syntax (166712)
[CSS Masking] Add -webkit-mask-source-type property, with auto, alpha and luminance values (r154174)
CSSParser::parseFontFamily should allow the keyword "default" as part of a font name (r149360)
Implement 'mask-type' for <mask> (r129018)

Jun 21, 2018
============
CSS canvas color parsing accepts invalid color identifiers (r170933)
REGRESSION (r168685): css calc() expression fails (r170544)
ASSERTION FAILED: leftCategory != CalcOther && rightCategory != CalcOther in WebCore::CSSCalcBinaryOperation::createSimplified (r168685)
Fix WebKit build error when SVG is disabled(broken since r154174) (r154203)
[SVG2] Add support for the buffered-rendering hint (r147348)
REGRESSION (r189567): The top of Facebook's messenger.com looks visually broken (r199877 + r199883 rolled out + r199895 complete)
min-width/height should default to auto for flexbox items (r189567 revisited)
Update Grid Layout to use fewer magic -1s (r189037)
Use Optionals in RenderBox height computations (r188873 revisited)
intrinsic size keywords don't work for heights (r185908 partial)
[CSS Grid Layout] LayoutBox::hasDefiniteLogicalHeight() should consider abspos boxes as definite (r183385)
[CSS Grid Layout] Columns set in percentages collapse to auto width (r182780)
ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken (r172036)
Fixing calc() parameter parsing in cubic-bezier functions (r172033)
[CSS Shapes] polygon y-value calc() args serialize incorrectly (r166813)
display:table with padding and/or borders in border-box calculates height incorrectly (r164674)
[CSS Grid Layout] ASSERTION FAILED !track.growthLimitIsInfinite() in RenderGrid::computeUsedBreadthOfGridTracks (r181141)
[CSS Grid Layout] Tracks growing beyond limits when they should not (r180623)
[CSS Grid Layout] Invalid initialization of track sizes with non spanning grid items (r179987 + r180003 rolled out + r180142)
[CSS Grid Layout] Remove the usage of Length(Undefined) in GridLength (r180140)
[CSS Grid Layout] Tracks' growth limits must be >= base sizes (r179824)
[CSS Grid Layout] Skip items spanning flex tracks when sizing content based tracks (r178895)
[CSS Grid Layout] Fix the handling of infinity in track growth limits (r174006)
[CSS Grid Layout] Size tracks using a list of all items sorted by span (r178893)
[CSS Grid Layout] Wrong arguments passed to computeNormalizedFractionBreadth (r178701)
ASSERTION FAILED: !gridWasPopulated() in WebCore::RenderGrid::placeItemsOnGrid (r174946)
[CSS Grid Layout] Pass the valid set of tracks to grow beyond growth limits (r174643)
[CSS Grid Layout] Do not grow tracks when the growth factor is 0 (r173868)
[CSS Grid Layout] Sort items by span when resolving content-based track sizing functions (r173620)
[Armv7] Linkbuffer: executableOffsetFor() fails for location 2 (r233015)

Jun 20, 2018
============
[CSS Grid Layout] Tracks shrink sometimes with indefinite remaining space (r178577 + r178582 rolled out + r178642)
[CSS Grid Layout] Replace the usage of size_t by unsigned (r176390)
Set the end position on the placeholder BidiRun properly. (r202251)
Japanese text in Google search is rendered too low and clipped (r169780)
HTMLTextAreaElement no longer needs custom style resolve callbacks. (r155419)
Remove HTMLTextFormControl::fixPlaceholderRenderer (r155408)
defining line height affects height of text box (r155324)
REGRESSION(r147602): Search text field doesn't render selection when it has some :focus rules (r151695 revisited)
Input value/placeholder is not redrawn when the input height grows (r147602 revisited)
Refactoring: Clean up placeholder attribute usage (r136928)
AuthorShadowDOM support for textarea element. (r127108)
Remove RefPtr from HTMLTextAreaElement::m_placeholder (r126567)
flattenDictionaryStructure needs to zero properties that have been compressed away (r233001)
DirectArguments::create needs to initialize to undefined instead of the empty value (r233000)
Simple line path does not respect visibility:hidden (r159385)
Element Traversal is not just Elements anymore (r184034 revisited)

Jun 19, 2018
============
Simple line layout: Use float types wherever possible to match line tree. (r189030 revisited)
StyleRule*::properties() should return const references. (r153880)
Refactoring CSS grammar (r150804)
Invalid block doesn't make declaration invalid (r150803)
Web Inspector: Enable CSS logging (r150791)
Reducing CSS code duplication in declaration list error recovery (r150682)
Fixing invalid block recovery in some declaration list. (r150672)
Changing typing style with font size delta overrides the previous font size delta (r147661)
REGRESSION (r146588): Cannot correctly display Chinese SNS Renren (r147028)
Web Inspector: Report more CSS errors (r146588)
Web Inspector: Track CSS error location information. (r146452)
Web Inspector: Plumbing CSS warnings (r146353)
[Refactoring] rename StyleRuleBlock -> StyleRuleGroup (r140316)

Jun 18, 2018
============
[CSS Grid Layout] Limit the size of explicit/implicit grid (r175930)
ASSERTION FAILED: !trackSizes.isEmpty() in WebCore::createGridTrackList (r172904)
[CSS Grid Layout] Interaction between auto-placement and column / row spanning (r170531)
[CSS Grid Layout] Add GridSpan::iterator (r170182)
Only define MAX_GRID_TRACK_REPETITIONS if CSS_GRID_LAYOUT is enabled. (r168873)
[CSS Grid Layout] Clamping the number of repetitions in repeat() (r168108)
[CSS Grid Layout] Handle percentages of indefinite sizes in minmax() and grid-auto-* (r174057)
[CSS Grid Layout] Update grid-auto-flow to the new syntax (r170996)
[CSS Grid Layout] Introduce an explicit type for resolved grid positions (r169934)
[CSS Grid Layout] Simplify the named grid lines resolution algorithm (r169744)
[CSS Grid Layout] Implementation of the "grid" shorthand. (r169349)
REGRESSION(r167799): ASSERTION in parseGridTemplateShorthand in fast/css-grid-layout/grid-template-shorthand-get-set.html (r167821)
REGRESSION(r167799): Breaks debug build (r167806)
[CSS Grid Layout] Implementation of the grid-template shorthand. (r167799)
[CSS Shapes] CRASH with calc() value args in inset round (r166726)
[CSS Grid Layout] getComputedStyle() must return the specified value for positioning properties (r166299)
[CSS Grid Layout] Update named <grid-line> syntax to the last version of the specs (r166157 partial)
[CSS Grid Layout] the "grid-template-areas" is not identified as computable property. (r165613)
[CSS Grid layout] Initial position in span not correctly computed sometimes (r165612)
[CSS Grid Layout] Percentages of indefinite sizes should compute to auto (r165048)
[CSS Grid Layout] Fix positioning grid items using named grid lines/areas (r164869)
[CSS Grid Layout] handle undefined RemainingSpace in computeUsedBreadthOfGridTracks algorithm (r164609)
[CSS Grid Layout] Support calc() breadth size type (r163888)
[CSS Grid Layout] getComputedStyle() not using author's order when showing named grid lines (r165742)
[CSS Grid Layout] Fix missing layout in flexible and content sized columns (r164214)
[CSS Grid Layout] Rename named areas property (r164035)
[CSS Grid Layout] Rename grid-definition-{columns|rows} to match the new syntax (r163625)
[CSS Grid Layout] getComputedStyle() is wrong for grid-definition-{columns|rows} (r163547)
[CSS Grid Layout] Do log(n) search in the named line vectors when positioning named line spans. (r163166)
[CSS Grid Layout] minmax() should be a CSSFunction instead of a CSSValueList (r163013)
[CSS Grid Layout] Fix the preferred logical widths code to work with spanning grid items (r160633)
[CSS Grid Layout] Fix positioning of grid items with margins (r159809)
[CSS Grid Layout] Support grid-definition-{rows|columns} repeat() syntax (r159808)
[CSS Grid Layout] Cache several vectors to avoid malloc/free churn (r159741)
[CSS Grid Layout] Improve content-sized track layout (r159685)
[CSS Grid Layout] Run the content-sized tracks sizing algorithm only when required (r159684)

Jun 15, 2018
============
[CSS Grid Layout] CSSParser should reject <track-list> without a <track-size> (r158839)
[CSS Grid Layout] Add support for named grid areas (r158744)
[CSS Grid Layout] Fix handling of 'inherit' and 'initial' for grid lines (r158838)
[CSS Grid Layout] Add support for order inside grid items (r158115 complete)
[CSS Grid Layout] Implement support for <flex> (r157393 + r157397)
[CSS Grid Layout] 2 span positions are not resolved correctly (r157389)
[CSS Grid Layout] Implement support for grid-template (r157211)
[CSS Grid Layout] Support 'auto' sized grid items (r141317)
[CSS Grid Layout] Implement CSS parsing and handling for min-content and max-content (r137478)
Remove newBlockInsideInlineModel and anonymous inline block (r221456)
Anonymous table objects: inline parent box requires inline-table child. (r191011)
WebCore::RenderBlock::determineStartPosition crash (r135684)
Node.nodeName should not be nullable (r200271)
[CSS Grid Layout] Implement the grid-area shorthand (r156638)
[CSS Grid Layout] Resolve named grid lines (r155181)
[CSS Grid Layout] Add parsing for named grid lines (r154996)
[CSS Grid Layout] Handle 'span' positions during layout (r154753)
[CSS Grid Layout] Fix grid position resolution (r154731)
[CSS Grid Layout] infinity should be defined as a negative value (r154730)
[CSS Grid Layout] Align our grid-line handling with the updated specification (r154044)
[CSS Grid Layout] Allow defining named grid lines on the grid element (r153752)
[CSS Grid Layout] Add support for parsing <grid-line> that includes a 'span' (r153748)
[CSS Grid Layout] Rename grid placement properties (r153746)
[CSS Grid Layout] Rename grid-{rows|columns} to grid-definition-{rows|columns} (r152479)
clearLayoutOverflow should never be called before calling layer()->updateScrollInfoAfterLayout(). (r151146 + r151178 rolled out)
webkit fails IETC grid-column-002 (r147430)
[CSS Grid Layout] content-sized row tracks with percentage logical height grid items don't resolve properly (r146697)
[CSS Grid Layout] Properly layout spanning grid items with minmax grid tracks (r146482)
[CSS Grid Layout] OOB access in RenderGrid with a grid item with negative position index (r146470)
[CSS Grid Layout] Support default grid items sizing (r146467)
[CSS Grid Layout] Improper repainting when grid item change their position (r146371)
[CSS Grid Layout] Add parsing for grid-auto-{row|column} (r146274)
[CSS Grid Layout] resolveContentBasedTrackSizingFunctions should iterate over the grid items not the grid tracks (r145840)
[CSS Grid Layout] Refactor GridCoordinate to hold GridSpans (r145762)
[CSS Grid Layout] Handle min-width / max-width on the grid element (r145758)
[CSS Grid Layout] Handle spanning grid items over specified grid tracks (r145378)
[CSS Grid Layout] Resolve grid-{end|after} integer against the end|after edge (r145297)
[CSS Grid Layout] Handle 2 positions with one 'auto' properly (r145240)

Jun 14, 2018
============
Cleanup: Use consistent naming in CSSParser when dealing with the forward slash operator. (r137345 complete)
[CSS3 Backgrounds and Borders] Remove CSS3_BACKGROUND feature flag. (r137166)
Enable CSS3 position offset for CSS Masking. (r137007)
Improve r136754 by hardening checks of expected values for background-position. (r136966)
REGRESSION (r136683): css3/calc/background-position-parsing.html failing on EFL Linux 64-bit Debug WK2 (r136754)
[CSS3 Backgrounds and Borders] Allow the CSS3 background position offset for background shorthand. (r136683)
[CSS3 Backgrounds and Borders] Implement new CSS3 background-position parsing. (r135632)
[CSS Grid Layout] Fix StyleGridData::operator== (r146098)
[CSS Grid Layout] Extend our grammar to support 2 positions for grid-{row|column} (r145029)
[CSS Grid Layout] Add parsing for grid-{end|after} (r144762)
[CSS Grid Layout] Add parsing for grid-{start|before} (r144681)
[CSS Grid Layout] Refactor RenderStyle's grid position storage in preparation to supporting spanning (r143941 + r144092 rolled out)
[CSS Grid Layout] Implement grid growth during auto placement (r143621)
[CSS Grid Layout] Implement the auto-placement algorithm without grid growth (r143535)
[CSS Grid Layout] Refactor the code in preparation of auto placement support (r143397)
[CSS Grid Layout] Add parsing for grid-auto-flow (r141787 + r141872)
Cleanup: Use consistent naming in CSSParser when dealing with the forward slash operator. (r137345 partial)
Add an helper function in CSSParser to check for '/' character. (r136525)
Don't let the CSSValuePool's font family cache grow unbounded. (r179141)
Leverage CSSValuePool's font family cache in CSSComputedStyleDeclaration (r179017)
RenderGrid::computedUsedBreadthOfGridTracks can read past m_grid's size (r143331)
[CSS Grid Layout] Refactor grid position resolution code to support an internal grid representation (r143268)
Implement RenderGrid::computeIntrinsicLogicalWidths (r143043)
[CSS Grid Layout] Add an internal 2D grid representation to RenderGrid (r142898)
[CSS Grid Layout] Adding or removing grid items doesn't properly recompute the track sizes (r142798)
[CSS Grid Layout] Grid item's logical height is not properly recomputed after -webkit-grid-column / -webkit-grid-row changes (r141963)
[CSS Grid Layout] computePreferredLogicalWidths doesn't handle minmax tracks (r141616)
[CSS Grid Layout] Support implicit rows and columns (r141505)
[CSS Grid Layout] Make resolveContentBasedTrackSizingFunctionsForItems reuse distributeSpaceToTracks (r141163)
Share code between the different min-content / max-content code paths (r140894)
[CSS Grid Layout] Add support for max-content (r140583)
[CSS Grid Layout] Add support for min-content (r140198)
[CSS Grid Layout] Updating -webkit-grid-rows or -webkit-grid-columns doesn't work as expected (r140045 complete)
CFGSimplificationPhase should de-dupe jettisonedBlocks (r232800)
Do not reparent floating object until after intruding/overhanging dependency is cleared. (r214023)
Infinite recursion crash in WebCore::RenderBlockFlow::layoutBlock (r204980 partial)
Float with media query positioned incorrectly after window resize. (r194645)
Use Optionals in RenderBox height computations (r188873 revisited)
vw/vh units used as font/line-height values don't scale with the viewport (r169407 revisited)
[CSS Regions] Infinite loop when computing widows (r156881)
[CTTE] RenderGrid is never anonymous. (r155687)
[CTTE] RenderListItem is never anonymous. (r155684)
Cleanup visibility of some computePreferredLogicalWidths calls (r139772 + r139783)
[CSS Grid Layout] Implement grid items sizing for fixed minmax grid tracks (r139025)
[CSS Grid Layout] Include paddings and borders into the grid element's logical height / width (r137560)
[CSS Grid Layout] Implement CSS parsing and handling for <track-minmax> (r136588)
[CSS Grid Layout] Support paddings and margins on grid items (r136465)
[CSS Grid Layout] Support <percentage> and viewport-relative breadth sizes (r136432)
[CSS Grid Layout] Align the grid track code with the specification's production rules (r136294)
[CSS Grid Layout] track sizing functions should have their own type (r136150)
Computed grid items' positions shouldn't be using Length (r135164)

Jun 13, 2018
============
Fix childrenInline() check in markAllDescendantsWithFloatsForLayout() (r201186)
markAllDescendantsWithFloatsForLayout should not drill into blocks with inline children. It was sufficient to mark ourselves as needing layout. (r201088)
Add ASSERT_WITH_SECURITY_IMPLICATION when a float box is referenced by multiple RootInlineBoxes. (r199113)
ASSERTION FAILED: !floatingObject->originatingLine() in WebCore::RenderBlockFlow::linkToEndLineIfNeeded (r199101)
Remove invalid float from RootInlineBox. (r175345)
Clear sibling floats while splitting inline flow (r167166)
Crash when merging ruby bases that contain floats (r164323)
Deploy more child renderer iterators in RenderBlockFlow. (r161278 partial)
RenderGrid children should always be RenderBoxes (r126071)
[New Block-Inside-Inline Model] Do not attempt to re-run margin collapsing on the block sequence. (r202146)
[New Block-Inside-Inline Model] Implement margin collapsing across contiguous anonymous inline blocks. (r189817)
Assertion failure in WebCore::BidiRun::BidiRun() (r184653)
BreakingContext cleanup (r180944)
[CSS Regions] Block incorrectly sized when containing an unsplittable box (r169110)
Move a few more functions from RenderBlock to RenderBlockFlow (r161316)
Move LineBreaker functions to LineBreaker.cpp (r161314)
[New Block-Inside-Inline Model] Implement the correct paint order for blocks inside inlines. (r182279)
Flex and grid items should be painted as inline-blocks (r181691)
[CSS Grid Layout] Add support for order inside grid items (r158115 partial)
Use a Vector instead of HashSet to computed the orderValues in RenderFlexibleBox (r157916 + r157934 rolled out + r157999)
Change the terminology used by rendering code when painting a given node and its children from "paintingRoot" to "subtreePaintRoot" (r150355)
CSS Flexbox: dynamically applied align-items doesn't affect item alignment (r144104)
Make order iterator member stack allocated in RenderFlexibleBox (r138235)

Jun 12, 2018
============
Remove <iframe seamless> support. (r163427)
ASSERTION FAILED: !object || object->isBox(), Bad cast in RenderBox::computeLogicalHeight (r142816)
Remove RenderIFrame::updateLogicalHeight and RenderIFrame::updateLogicalWidth (r129046)
Remove the spanner placeholder from m_spannerMap when the placeholder object gets transferred to a descendant flow. (r187564)
REGRESSION(r174761) Dangling spanner pointer in RenderMultiColumnSpannerPlaceholder. (r180328)
Simplify ASSERT in lastRubyRun(). (r180081)
REGRESSION (r174761): Invalid cast in WebCore::lastRubyRun / WebCore::RenderRubyAsBlock::addChild (r180064)
REGRESSION (r168046): Crash in WebCore::InlineBox::renderer / WebCore::RenderFlowThread::checkLinesConsistency (r179877)
[CSSRegions] Assert failure in RenderBlock::locateFlowThreadContainingBlock when showing the render tree debug info (r178496)
ASSERTION FAILED: rareData->m_flowThreadContainingBlock.value() == RenderBox::locateFlowThreadContainingBlock() in WebCore::RenderBlock::locateFlowThreadContainingBlock (r178025)
ASSERTION  FAILED in WebCore::RenderFlowThread::getRegionRangeForBox (r174761)
REGRESSION (r168046): Incorrect handling of object information in WebCore::RenderFlowThread::removeLineRegionInfo (r170291)
[CSS Regions] Add ASSERT to make sure using the flowThread cache does not return incorrect results (r168837 + r168844 rolled out + r168971)
[CSS Regions] Reduce the RenderRegion invasiveness in rendering code (r168899 + r168905 rolled out + r168967)
[CSS Regions] Assertion failure in some cases with inline blocks (r168791)
[CSS Regions] ASSERT when hovering over region (r168263)
[New Multicolumn] Enable new multi-column mode (r168046 revisited)
[CSS Regions] Fix getClientRects() for content nodes (r167930)
[CSS Regions] Rename objectShouldPaintInFlowRegion to something more clear (r167810)
[CSS Regions] Hit testing doesn't work in video (r167215)
[CSS Regions] Include region range information when printing the render tree (r166715)
[CSS Regions] Regions don't paint correctly in new-multicol elements (r164481)
[CSS Regions] visibility: hidden on a region should hide its content (r164103)
[CSS Regions] Hit-testing goes through clipped layer in fast/regions/overflow-first-and-last-regions-in-container-hidden.html (r162064)
Allow ShadowContents in HitTests by default. (r146961)
Simplify hitTestResultAtPoint and nodesFromRect APIs (r142977)
Move AllowShadowContent flag to HitTestRequest (r127421)

Jun 11, 2018
============
RenderElement::removeChild() doesn't need a return value. (r176478)
ASSERTION FAILED: !object || !object->parent()->isRuby() || is<RenderRubyRun>(*object) || (object->isInline() && (object->isBeforeContent() || object->isAfterContent())) || (object->isAnonymous() && ... ) in WebCore::isAnonymousRubyInlineBlock (r175807)
Descendant ends up in wrong flow thread with nested columns and spans. (r175641)
Remove a multicolumn ASSERT and replace with a guard. (r174126)
REGRESSION (r168046): Confused column spans when combined with dynamic animations (r174085)
Bad cast in isValidColumnSpanner. (r173845)
ASSERT in RenderMultiColumnSet::requiresBalancing. (r173843)
REGRESSION (r168046): Incorrect layout for multicol spanners when moving from one thread to another (r170010)
REGRESSION (r168046): Incorrect handling of multicol spanner (r169385)
[CSS Shapes] Negative raster shape height leads to crash (r178054)
ArityFixup should adjust SP first on 32-bit platforms too (r232568)
Array.prototype.sort should also allow a null comparator (r216169 + r232666 rolled out)
ArityFixup should adjust SP first (r211479)
Disconnecting a HTMLObjectElement does not always unload its content document (r214599)
[CSS Shapes] Image lifetime is not properly handled for gradient shapes (r169606)
[CSS Shapes] off-by-one error in Shape::createRasterShape() (r167938)
[CSS Shapes] shape-margin in percentage units always computes to 0px (r166787)
Merge ShapeInfo & ShapeOutsideInfo now that ShapeInsideInfo is no more (r166752)
[CSS Shapes] Simplify RasterShape implementation (r166522)
[CSS Shapes] clamp RasterShape shapeMargin to reference box size (r166019)

Jun 08, 2018
============
[CSS Shapes][css clip-path] rounded corner calculation for box shapes is wrong (r166383)
[CSS Shapes] Remove no-longer-used shape-inside geometry code (r166316)
[CSS Shapes] Simplify RectangleShape implementation (r160802)
[CSS Shapes] Remove shape-inside support (r166301)
LayoutBox is a terrible name (r165843)
[CSS Shapes] Image valued shape-outside shapes should update the layout after the image has been loaded (r157414 revisited)
FunctionRareData::m_objectAllocationProfileWatchpoint is racy (r232598)
Subpixel rendering: REGRESSION (r163272): Fixed positioned pseudo content leaves trails while scrolling. (r177243)
[New multicolumn] Spin in RenderMultiColumnSet::repaintFlowThreadContent() (r168882)
[CSS Shapes] Remove deprecated shapes (r165472 + f165474)
[CSS Shapes] inset corner radii are not flipped for vertical writing modes (r165429)
[CSS Shapes] SVG Image valued shape fails if root element's size is relative (r165387)
[CSS Shapes] inset does not properly clamp large corner radii (r165261)
[CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension (r164743)
Rename border/padding/margin width/height to horizontal/vertical extent on RenderBoxModelObject (r164441)
[CSS Shapes] Rounded Insets Let Content Overlap Shape (r163585)
Subpixel rendering: Enable subpixel positioning/sizing/hairline border painting. (r163272)
Subpixel rendering: Introduce device pixel snapping helper functions. (r163265 + r163348)
Floor thickness and length after switching from int to float. (r163264)
Subpixel rendering: Make BorderEdge/RoundedRect::Radii LayoutUnit aware. (r163262)
Subpixel rendering: Change BorderData's width from unsigned to float to enable subpixel border painting. (r163152)
Have kFixedPointDenominator be constant across ports (r138026)

Jun 07, 2018
============
[CSS Shapes] shape-outside does not properly handle different writing modes (r164363)
[CSS Shapes] Rename shapeSize and others to make ShapeInfo and friends easier to understand (r164006)
[CSS Shapes] ShapeOutsideInfo needs to use the parent's writing mode when calculating offsets (r160243)
[css shapes] Fix support for shape-outside on a float with padding (r158584)
[CSS Shapes] New positioning model: Shape cropped to margin box (r157236)
Move float logical location/dimension methods to RenderBlockFlow (r157197 complete)
[CSS Shapes] Lines that don't intersect shape-outside should ignore both left and right margins (r157192)
[css-shapes] shape-outside does not properly handle the container and the float having different writing modes (r156806)
[CSS Shapes] Move ShapeInsideInfo::updateSegmentsForLine implementations into the cpp (r156798)
[CSS Shapes] Rename shapeContainingBlockHeight to shapeContainingBlockLogicalHeight (r155655)

Jun 07, 2018
============
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 complete)
  => Passed JIT tests.

Jun 07, 2018
============
A crash reproducible in Path::isEmpty() under RenderSVGShape::paint() (r195411)
RenderSVGResourceContainer clients are always RenderElement. (r163279)
-webkit-svg-shadow radius changes don't cause children's boundaries to be recomputed (r137393)
RenderSVGResourceContainer does not clear cached data on removal (r135719)
Use m_everHadLayout in RenderObject::checkForRepaintDuringLayout() (r125160)
[DFG] Compare operations do not respect negative zeros (r232567)
Reland "Add Above/Below comparisons for UInt32 patterns" (r222518 + r222523 rolled out + r222564 + r222689 rolled out + r223318 partial)
Renaming SpecInt32, SpecInt52, MachineInt to SpecInt32Only, SpecInt52Only, AnyInt. (r200034)
Add some comments to describe the DFG UseKind representations. (r176425)
[JSC] IndexedDB: Exceptions not thrown for non-cloneable values (r147382)

Jun 06, 2018
============
[CSS Shapes] Remove outside-shape CSS value (r166786)
border-box clip-paths jump around when outline changes (r164336)
-webkit-clip-path should support fill, stroke, view-box keywords (r163764)
Create clipping path from <box> value (r163205)
[CSS Shapes] Image valued shape can fail (r163186)
[CSS Shapes] Preserve box-shape order when serializing shape values (r162475)
[CSS Shapes] Move CSSPrimitiveValue <-> LayoutBox Conversion to CSSPrimitiveValueMappings (r162001)
[CSS Shapes] Shape images are now <image> types, not just URIs (r161980 + rr162055)
Make clipping path from basic-shapes relative to <box> value (r161669)
[CSS Shapes] Change parseBasicShape to return a CSSPrimitiveValue (r161667)
[CSS Shapes] Change default value from 'auto' to 'none' (r161436)
[CSS Shapes] shape-outside animation does not handle 'auto' well (r160623)
StylePendingImage needs to correctly manage the CSSValue pointer lifetime (r160479 complete)
[CSS Shapes] Image valued shape-outside that extends vertically into the margin-box is top-clipped (r158967 + r159065)
[CSS Shapes] Image shape-outside with vertical gaps is handled incorrectly (r158898)
SVGRenderingContext should wrap a RenderElement. (r157945)
CSS cursor property should support webkit-image-set (r136919 complete)
[CSS Shapes] large corner radius combined with 0 radius does not wrap properly (r166966)
[CSS Shapes] Image valued shape size and position should conform to the spec (r162659)
[CSS Shapes] Basic shapes' computed position should be a horizontal and vertical offset (r162210)
[CSS Shapes] First line gets incorrectly adjusted in shape-inside due to rounding (r161604)
[CSS Shapes] Factor the ReferenceBox type out of BasicShapes (r161569)
[CSS Shapes] shape-outside layout incorrect when line spans rounded box rounded corners (r161434)
[CSS Shapes] Simplify FloatRoundedRect, BoxShape construction (r161260)
[CSS Shapes] Simplify the BoxShape implementation (r160814)
[CSS Shapes] Add support for the computing the included intervals for a BoxShape (r160644)
[CSS Shapes] Determining if a line is inside of a shape should only happen in one place (r159205)
[CSS Shapes] image valued shape element margin can cause an ASSERT fail (r158596)
[CSS Shapes] Improve the performance of image valued shapes with large shape-margins (r157574)
[CSS Shapes] Support the shape-image-threshold property (r156852)
[CSS Shapes] add shape-margin support for image valued shapes (r156838)
[CSS Shapes] Implement the shape-image-threshold property (r156814)
Bad ASSERT() in RasterShapeIntervals::firstIncludedIntervalY() (r155965)
[CSS Shapes] Improve the performance of image valued shapes (r155583)
[CSS Shapes] Heap-buffer-overflow in WebCore::ShapeInterval<float>::subtractShapeIntervals (r155354)
[CSS Shapes] Revise the ShapeInterval set operations' implementation (r155043)
[CSS Shapes] Redefine the ShapeIntervals class as a template (r154904)
[CSS Shapes] Complete RasterShape::firstIncludedIntervalLogicalTop() (r154349)

Jun 04, 2018
============
Support <box> values computed style for 'clip-path' property (r161209)
[CSS Shapes] Implement interpolation between keywords in basic shapes (r160770)
[CSS Shapes] Layout using [<box> || <shape>] value (r159792)
[CSS Shapes] When the <box> value is set, derive radii from border-radius (r159702)
[CSS Shapes] Parse [<box> || <shape>] values (r159526 complete)
Remove always true syncXHRInDocumentsEnabled setting (r211081 partial)
[Win] Remove workarounds for fixed bugs in fmod and pow. (r195011 partial)
[CSS Shapes] Support inset for shape-outside (r160130)
[CSS Shapes] Remove explicit numbering from BasicShape::Type and CSSBasicShape::Type enums (r160126)
[css shapes] layout for new ellipse syntax (r160007 + r160009)
[css shapes] Layout support for new circle shape syntax (r159979 complete)
[CSS Shapes] Support inset parsing (r159968)
[CSS Shapes] Support for shape-margin in BoxShape (r159787)
Factorize the creation of primitive values with a pair into a function. (r134937)
[CSS Regions] 1-2% performance regression in html5-full-render after r168286 (r168534)
[CSSRegions] Slider displayed wrong in regions (r168286)
We missed the case where attachLine was called when we already had an inline box wrapper. (r167387)
[CSSRegions] Crash when video in region exits fullscreen (r167001)
[CSSRegions] An unsplittable box is always displayed in a single region (r165893)
[CSSRegions] Compute region ranges for children of inline blocks (r165890)
[CSSRegions] Compute region ranges for inline replaced elements (r164290)
Use tighter InlineBox subtypes in some places. (r158842)
Generate type casting helpers for line boxes and use them. (r158832)
InlineBox: Make paint() and nodeAtPoint() pure virtuals. (r158812)
Nothing should return std::unique_ptr<InlineBox>. (r158811)
Add InlineElementBox and stop instantiating InlineBox directly. (r158736)
Replace InlineBox::destroy() with regular virtual destruction. (r158343)
[CSS Regions] Content that has overflow: scroll cannot be scrolled by dragging the scroll thumbs with the mouse (r150881)
fast/dom/HTMLImageElement/image-alt-text.html and fast/dom/HTMLInputElement/input-image-alt-text.html are failing (r147492)
move should only emit the move if it's actually needed (r232399 partial)

Jun 01, 2018
============
[CSS Regions] Scrolling regions with the mouse wheel only works properly if hovering over the region's padding (r165377)
[CSS Regions] Move specific named flow methods from RenderRegion to RenderNamedFlowFragment (r164275)
[CSS Regions] The box decorations of an element overflowing a region should be clipped at the border box, not the content box (r164231)
[CSS Regions] Overflow above the first region is not properly painted for regions with padding (r163873)
REGRESSION (r163018): Cant scroll in <select> lists (r163329)
[CSSRegions] Unable to scroll a scrollable container for regions using mouse wheel (r163018)
[CSSRegions]Do not compute region range for a box unless the parent has one (r165720)
[CSS Regions] Move named-flow specific method decorationsClipRectForBoxInRegion to RenderNamedFlowThread (r164837)
[CSS Regions] Remove unused method in RenderFlowThread (r163957)
[CSS Regions] Positioned elements in regions get clipped if they fall outside the region (r160721)
The overflow border of a relatively positioned element inside a region is not painted (r160014)
Variables can resolve to the wrong value when elements differ in nothing but inherited variable value (r197300)
REGRESSION (r168046): Invalid layout in multicol (r169425)
REGRESSION (r168046): Invalid layout in WebCore::RenderBox::containingBlockLogicalWidthForPositioned (r169160)
Invalid information remaining in lineToRegion map of RenderFlowThread. (r168621)
Begin Removal of Old Multi-Column Code. (r168380)
REGRESSION (new multi-column): WebKit2.ResizeReversePaginatedWebView fails on debug bots (r168113)
[New Multicolumn] Implement support for compositing (r167965)
Store the containing region map inside the flow thread (r167871 + r167895 rolled out + r167928)
[New Multicolumn] Add support for offsetLeft and offsetTop. (r167808)
[New Multicolumn] Crasher when clearing out a flow thread in multicolumn layout. (r167718)
[New Multicolumn] Pagination mode messed up with non-inline axis and reversed direction. (r167597)
REGRESSION (r163194-r163227): Garbage tiles in overflow of RTL page with background image (r166895)
[CSSRegions] Use RenderRegion::isValid() before using a region (r166867)
Wrong layout while animating content in regions (r166495)
[CSSRegions] Inline-block child of content node incorrectly clipped (r165615)
[CSSRegions] Add helper method for region clipping flow content (r164419)
Clean up PLATFORM(IOS) code related to the custom fixed position layout rect (r162462)
Map RootInlineBox to containing region via bit+hashmap. (r161909)
overflowchanged event could cause a crash (r160847)
[CSSRegions] Incorrect repaint of fixed element with transformed parent (r160717 + r160720 rolled out)
Fix hit testing for divs with a hierarchy of css transformed and non-transformed elements (r160699)
[CSS Regions] Use hasOverflowClip() in RenderRegion (r159682)
Fix hover area for divs with css transforms (r159626)
Kill InlineFlowBox::rendererLineBoxes(). (r159049)
Bring the LineFragmentationData back to RootInlineBox. (r159044)
Use RenderAncestorIterator in a couple of places. (r158611 partial)
Rename deleteLineBoxTree to deleteLines (r157824)
[CSS Regions] Widows don't work if the first line in a region is aligned with the top of the region (r157120)
FrameView::scheduleEvent() is over-engineered. (r155315)
Fix compositing layers in columns (r154795)

May 31, 2018
============
REGRESSION (r168046): [New Multicolumn] Selection into and out of column-span elements doesn't work (r168121)
REGRESSION (r168046): [New Multicolumn] LeftToRight-rl.html (and all the other reversed/block-axis pagination tests) fail (r168088)
REGRESSION (r168046): [New Multicolumn] Painting order is wrong for columns and fixed positioned elements (r168076)
[New Multicolumn] Enable new multi-column mode (r168046)
[New Multicolumn] ASSERTs in fast/dynamic/continuation-detach-crash.html (r168043)
[New Multicolumn] Make RenderFlowThreads into selection roots. (127270)
[New Multicolumn] Client rects don't work with column spans. (r167764)
[New Multicolumn] Make sure columnTranslationForOffset has the same column-span-aware (r167677)
[New Multicolumn] Nested columns not working at all. (r167714 complete)
[New Multicolumn] Add support for column-span:all (r167335)
[New Multicolumn] Child top margin sometimes ignored for column balancing (r166938)
[New Multicolumn] getClientRects returns wrong rectangle (r165991)
[CSSRegions] ASSERTION FAILED: !m_regionsInvalidated in RenderFlowThread::regionAtBlockOffset (r164858)
RenderNamedFlowThread should only support RenderElement children. (r163969)
Remove unused RenderNamedFlowThread::previousRendererForNode(). (r163925)
[New Multicolumn] Nested columns not working at all. (r167714 partial)
[New Multicolumn] columnNumberForOffset is not patched for new multicolumn code yet. (r167444)
[New Multicolumn] Add support for block progression axis and reverse direction (r162892)
[New Multicolumn] Transformed objects inside fragmented transparent objects don't render (r144529)
[New Multicolumn] Make columns work with line grids (r163878)
Remove repaint throttling (r162839)
XML fragment parsing algorithm doesn't use the context element's default namespace URI (r160024)
Move RenderBlock functions only used by RenderBlockFlow to RenderBlockFlow (r158121)
REGRESSION: Crash in XMLDocumentParser::startElementNs (r157470)
REGRESSION(r222090): [HarfBuzz] Arabic shaping is broken except for first word in line (r224015 partial)

May 30, 2018
============
Rendering flexbox children across columns (r215041 + r215067 rolled out + r215320)
[CSS Regions] Strange layout for content with region breaks (r165873)
[New Multicolumn] -webkit-column-break-inside:avoid doesn't work (r164649)
[New Multicolumn] fast/multicol/multicol-with-child-renderLayer-for-input.html puts the textfield in the wrong place (r167663)
[New Multicolumn] Change the axis property to be a boolean like other isInline checks (r162822)
[New Multicolumn] Don't destroy all the renderers when a multi-column block stops being multi-column (and vice versa) (r162726)
[New Multicolumn] Eliminate RenderMultiColumnBlock (r162712)
Improve multicol intrinsic width calculation (r154714)
Fix the iOS build following <http://trac.webkit.org/changeset/160236> (r161028)
[iOS] Upstream WebCore/rendering changes (r160236)
RenderWidget doesn't need to cache a FrameView pointer. (r155817)
Take document height into account when determining when it is considered visually non-empy (r152401)
Null check m_frame in maximum and minimumScrollPosition (r153349)
OSX: ePub: Unable to select text in vertical Japanese book (r152911)
Tons of crashes on bots after r152425 (r152434)
Fix r152265: FrameView's pagination mode is only one of two, and the logic was totally wrong (r152433)
[wk2] Add API to lock the scroll position at the top or bottom of the page (r152425 partial)
Maximum scroll position can be negative in some cases (r152265)
Convert ScrollableArea ASSERT_NOT_REACHED virtuals (r126444)
Add support for making a web site become paginated using overflow: paged-x | paged-y and corresponding- (r126343)

May 29, 2018
============
Refactor of rebuildFloatingObjectSetFromIntrudingFloats function after r176957. (r177021)
[CSS Grid Layout] Grid items must set a new formatting context. (r176957)
[CSSRegions] Region box incorrectly overlaps floating box (r169639)
[CSS Regions] Don't relayout when updating the region range unless necessary (r168836)
[New Multicolumn] Column balancing is slow on float-multicol.html (r167602)
[New Multicolumn] Table cells and list items need to work as multicolumn blocks. (r162702)
REGRESSION (143483): overflow:hidden doesn't quash big repaints from text-indent: -9999px (r155546)
Floats should not overhang from flex items (r150029)
[New Multicolumn] RenderMultiColumnFlowThreads should establish a BFC. (r143486)
No caret on empty contenteditable element with negative text-indent (r143483)

May 28, 2018
============
isAnonymousInlineBlock() should exclude any ruby content. (r194638)
[New Block-Inside-Inline Model] Floats need to be allowed to intrude into anonymous inline-blocks. (r182241)
REGRESSION (r176262): Invalid cast in WebCore`WebCore::RootInlineBox::selectionTop (r180038)
REGRESSION (r167210): Invalid cast in WebCore::RenderBlock::blockSelectionGaps (r176295)
Improve Ruby selection (getting rid of overlap and improving gap filling) (r176262)
Selection gap painting is ugly for ruby bases. (r175260)
Rename RenderBlockFlow::clearFloats and RenderBlockFlow::newLine to be more accurate (r164440)
REGRESSION (r169407): Calls to RenderStyle::getRoundedBorderFor() in computeRoundedRectForBoxShape() still include RenderView pointer (r173348)
Cursor doesn't change back to pointer when leaving the Safari window (r167700)
Subpixel rendering: Make RoundedRect layout unit aware. (r163156)
[CSS Shapes] Add BoxShape and FloatRoundingRect classes (r159583)
[CSS Shapes] Refactor RectangleShape (r159513)
RenderView::frameView() should return a reference. (r154488 partial)
ASSERT(m_frame->view() == this) fails (r154045)
Layout should force a StyleResolver rebuild if there isn't one at all. (r153595)
Don't check for @media rules affected by viewport changes in every layout. (r149313 + r149377 + r152568 rolled out)
activating a focused link to an in-page fragment ID should transfer focus to the target of the link when possible (r148481)
Updating mouse cursor on style changes without emitting fake mousemove event (r147739)
Call FrameView::contentsResized() when setting fixed layout size (r140869 + r141015 rolled out + r141450)
Avoid filling a rounded rect when radii are zero (r140279 partial)
Don't dispatch fake mousemove events when we don't know where the cursor is (r137539)
No tests for changing mouse cursors (r134144 + r134183 rolled out + r134803)
[chromium] Restrict link highlights to targets that display a hand-cursor (r132945)
Refactoring: move EventHandler::targetNode into HitTestResult (r125715)

May 25, 2018
============
Remove slow repaint object from FrameView when style changes. (r225052)
[iOS WK2] background-attachment:fixed behaves very poorly (r168726)
Fix various crashes on sites with fixed backgrounds (r151934)
Body background with background-attachment:fixed stays in place during rubber-banding (r138757)
Synchronous media query callbacks on nested frames could produced a detached FrameView. (r218228)
REGRESSION(r203415): ASSERTION FAILED: !m_layoutRoot->container() || !m_layoutRoot->container()->needsLayout() (r203425)
theguardian.co.uk crossword puzzles are sometimes not displaying text (r203415)
Delay HTMLFormControlElement::focus() call until after layout is finished. (r198238)
ASSERT(frame().view() == this) assertion hit in FrameView::windowClipRect() on Windows bots (r182807)
Optimize offsetWidth and offsetHeight to avoid doing layouts. (r181396)
HTMLPlugInElement::isUserObservable() is causing layout (r174040)
Don't dispatch 'beforeload' event inside FrameView::layout() (r168668 + r168843 rolled out + r169475 rolled in)
REGRESSION(r162947): Document::topDocument() returns an incorrect reference for cached Documents (r164718)
REGRESSION (r162947): Repaint test results are different between WK1 and WK2 (r163021)
REGRESSION (r162947): css3/flexbox/multiline-justify-content.html and css3/flexbox/position-absolute-child.html are timing out (r163019)
REGRESSION(r162837): 5% regression on html5-full-render and 3% regression in DoYouEvenBench (r162947)
Remove repaint throttling (r162837)
FrameView destructor is worried about being retained by a renderer. (r158625)
Restore two-pass mechanism for FrameView::updateEmbeddedObjects(). (r155798)
Assertion while scrolling news.google.com (r154672)
REGRESSION (r147797): Animations slideshows of images on www.thesuperficial.com are slow (r149105)
Throttle compositing layer flushes in subframes (r148013)
Throttle compositing layer flushes during page loading (r147797)
Positioned children of an overflow:visible container should ignore scroll offset when updating layer position (r139669)
Don't update layer positions on scrolling if we're in the middle of layout (r135091)
Autoresize should work even if turned on while the page is loading. (r133790)
RenderMarquee causes ASSERTION FAILED: enclosingIntRect(rendererMappedResult) == enclosingIntRect(FloatQuad(result).boundingBox()) (r129294)
Repaints should not be deferred after initial page load is complete (r127388)
[CSS Shapes] Dynamically created element with image valued shape-outside doesn't update automatically (r163458)
[CSS Shapes] Image valued shape-outside shapes should update the layout after the image has been loaded (r157414)
[CSS Shapes] Shape Outside should relayout when set dynamically (r156905)
[Baseline] Remove a hack for DCE removal of NewFunction (r232182)

May 24, 2018
============
MathML: ASSERTION FAILED: !isPreferredLogicalHeightDirty() in RenderMathMLBlock::preferredLogicalHeight() const (r154475)
RenderListMarker::computePreferredLogicalWidth should not be public (r139891)
Flex child does not get repainted when it is inserted back to the render tree. (r230349)
Move HTMLElement's children property to ParentNode (r184420)
<input>.labels is empty if type changes from text->hidden->checkbox (r212522)
REGRESSION(r165103): labels list doesn't get invalidated when other lists are invalidated at document level (r206975)
HTMLCollection caches incorrect length if item(0) is called before length on an empty collection (r182125)
Speculative fix for a fast\dom\html-collections-named-getter failing only in Debug builds. (r173703)
ASSERT in Document::unregisterCollection reloading apple.com (r172210)
Document::unregisterNodeListforInvalidation() and Document::unregisterCollection() have incorrect assertions (r171261)
Remove NodeListRootType flag (r166407)
Remove LiveNodeList::Type (r166377)
Remove some unnecessary branches from LiveNodeList traversal (r166369)
appendChild shouldn't invalidate LiveNodeLists and HTMLCollections if they don't have valid caches (r165103)
Text can wrap between hyphens and commas (r232103)
Do not layout images when we only need the overflow information. (r230480)
JSC ignores the extra memory cost of HTMLCollection after a major GC (r164853 complete)
Extract named items caches in HTMLCollection as a class (r164772)
Add very basic image control rendering (r164457 partial)

May 22, 2018
============
Avoid unnecessary HTML Collection invalidations for id and name attribute changes (r164707)
REGRESSION (r158774): Iteration over element children is broken (r159389)
HTMLCollection should use CollectionIndexCache (r158774)
Add ElementTraversal::next/previousSibling (r153942 partial)
Factor index cache for NodeLists and HTMLCollections to a class (r158698)
op_in should mark if it sees out of bounds accesses (r231990)
Add missing exception check. (r231983)
[DFG][FTL] operationHasIndexedProperty does not consider negative int32_t (r225342 revisited)
[JSC] op_in should have ArrayProfile (r211908)
[ES6] for...in iteration doesn't comply with the specification (r197144)

May 18, 2018
============
Move array position caching out from HTMLCollection (r158758)
Build fix after r154515. (r154532)
Reduce use of Node in HTMLTableRowsCollection, and use modern traversal idiom (r154515 partial)
Bail out of simple line layout when hyphen needs a fallback font. (r216438)
REGRESSION (r211531): Text flow changes and overlaps other text after double-click selecting paragraph (r225497)
Simple line layout: Extend webkit-hyphenate-limit-lines to cover subsequent words. (r214072)
Simple line layout: Adjust hyphenation constrains based on the normal line layout line-breaking logic. (r213944)
Simple line layout: Do not measure runs with trailing whitespace when kerning and ligatures are off. (r212271)
Simple line layout: Use simplified text measuring when possible. (r211738)
Simple line layout: Move TextFragmentIterator::runWidth to ::textWidth. (r211531)
Back TextRun with a StringView (r174228)

May 17, 2018
============
Simple line layout: Do not use invalid m_lastNonWhitespaceFragment while removing trailing whitespace. (r213534)
Simple line layout: Removing adjacent trailing whitespace runs should not crash. (r211647)
Simple line layout: Do not assert on zero length/width trailing whitespace. (r211466)
Split mixed font GlyphPage functionality to separate class (r189539)
[Simple line layout] Cache run resolver. (r231529 partial)
Simple line layout: Bail out from Simple Line Layout when the primary font is insufficient. (r211661)
Simple line layout: Collect fragments in LineState only when needed for post-processing. (r211456)
Simple line layout: Small tweaks to improve performance. (r211394)
Simple line layout: PerformanceTests/Layout/simple-line-layout-innertext.html regressed at r211108 (r211353)
Simple line layout: Do not bail out on -webkit-line-box-contain: block glyphs unless text overflows vertically. (r211292)
Simple line layout: Add support for -webkit-hyphenate-limit-lines (r211228)
Simple line layout: Add support for -webkit-hyphenate-limit-after and -webkit-hyphenate-limit-before (r211222)
Simple line layout: Add support for hyphen: auto. (r211108)
Simple line layout: Extend coverage for justified content. (r210948)
Text highlight causes Yoon Gothic webfont to reflow. (r210456)
TextFragmentIterator::runWidth does not need typename CharacterType<> anymore. (r210433)
ASSERTION FAILED: !simpleLineLayout() in WebCore::RenderText::collectSelectionRectsForLineBoxes (r193947)
Simple line layout: Add text-indent support. (r192688)
Simple line layout: Glitch selecting long text. (r189870)
Simple line layout: Use float types wherever possible to match line tree. (r189030)
[CSS3] Add support for the word-break:keep-all CSS property (r185729)
DFG models InstanceOf incorrectly (r231871)
Regression(r189881): release assertion hit in toJS(ExecState*, JSDOMGlobalObject*, DocumentFragment*) (r189949)
Add ShadowRoot interface and Element.prototype.attachShadow (r189841)
ContentDistribution should be only used for details elements (r189824)
ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::get(); update form association after subtree insertion (r189469)
Rename ShadowRoot::hostElement to shadowRoot::host to match the latest spec (r189243)
Rename ShadowRoot::hostElement to shadowRoot::host to match the latest spec (r189239 complete)
DOM4: prepend, append, before, after & replace (r186803)
Give Node::didNotifySubtreeInsertions() a better name (r185813)
REGRESSION (r168921): SVG elements may be unnecessarily rebuilt (r173738)
ASSERT_NOT_REACHED() in DocumentOrderedMap::get() when removing SVG subtree (r168921)
SVG element may reference arbitrary DOM element before running its insertion logic (r168915)
DocumentFragment should be constructable. (r162062)
Remove ScopeContentDistribution (r150480)
Remove ShadowRoot's previous/next ShadowRoot pointers. (r149560)
[Shadow] offsetParent should never return nodes in user agent Shadow DOM to script (r146037)
Clean up interface to ShadowRoot (r141311)

May 16, 2018
============
HTMLCollection should not be NodeList (r158663)
Dubious cast from HTMLCollection to HTMLAllCollection (r141556)
Assertion hit on redfin.com: ASSERTION FAILED: collection->length() > 1 (r210284)
Fix release builds with security assertion after r190007. (r190097)
REGRESSION(r150187): updateIdForTreeScope may not be called inside shadow trees (r190007)
ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::getElementById (r185435)
NodeList has issues with Symbol and empty string (r183589 complete)
Optimize constructing JSC::Identifier from AtomicString. (r176622)
PropertyName's internal string is always atomic. (r171838)
Don't attempt to update id or name for nodes that are already removed (r169007)
jsDocumentPrototypeFunctionGetElementById should not create an AtomicString for the function argument (r164505)
Add more assertions with security implications in DocumentOrderedMap (r159489 complete)
use after free in WebCore::DocumentOrderedMap::remove / WebCore::TreeScope::removeElementById (r159481 complete)
FocusController::advanceFocus spends a lot of time in HTMLMapElement::imageElement (r156925 + r156929 + r156950)
CTTE: StaticNodeLists often contain only Elements, we shouldn't store them as Vector<RefPtr<Node>> in those cases (r156251)
Inline SelectorQuery's execution traits (r154562)
Don't bother using a Vector for the ouput of querySelector, just return the first element found (r154370)
REGRESSION(r150187): Safari fails to render allrecipe.com comment popups (r154037)
Encapsulate access to documentNamedItemMap and windowNamedItemMap (r153970)
REGRESSION(r149652): accessing items in .children via id doesn't work when element is not rooted in DOM tree (r151821)
Split SelectorDataList::executeSingleTagNameSelectorData() into the 4 kinds of traversal (r151470)
Fix the element type in the selector checkers (r151467)
Add special tree walking for the single tag or class CSS query selectors (r151365)
Split the 3 paths of SelectorDataList::execute() into 3 separate functions (r151359)
DocumentOrderedMap doesn't need to have two HashMaps (r150187)
REGRESSION (r149652): Videos do not play on cnn.com, just black box (r149881)
Unify ways to cache named item in HTMLCollections (r149652)
HTML parser should queue MutationRecords for its operations (r142204)
ShadowRoot.getElementById() returns a deleted element (r138123 + r138129 rolled out + r138131 rolled in)
treeScopeOfParent doesn't return the TreeScope of the parent (r131739)

May 15, 2018
============
Add Support for the semantics element. (r161430)
Add support for maction@toggle (r160631)
Map the dir attribute to the CSS direction property. (r159680)
Avoid redundant isElementNode() checks in Traversal<HTML*Element> / Traversal<SVG*Element> (r173622)
Remove unnecessary overloads taking a ContainerNode in Element Traversal (r173609)
Make LiveNodeListBase use Elements instead of Nodes (r158587)
LiveNodeLists should have non-null ContainerNode as root (r158540)
ChildNodeList should not be LiveNodeList (r158536)
Invalid cast in WebCore::toRenderMathMLBlock (r158198 revisited)
Implement the mmultiscripts tag (r155797)
REGRESSION: Assertion failure !collection->hasExactlyOneItem() in WebCore::namedItemGetter (r154441)
Incorrect calculated width for mspace. (r152840)
Move Node::isFocusable() to Element. (r150709)
Remove Document::getFocusableNodes(). (r150699)
Move Node::isKeyboardFocusable() to Element. (r150687)
Bad spacing inside MathML formulas when text-indent is specified (r150264)
Use ElementTraversal in LiveNodeListBase (r138195)
[mathml] Improve performance of nested sup or sub elements (r136409)
HTMLCollection on Document should be stored on NodeListsNodeData like other HTMLCollections and LiveNodeLists (r135893)
Rename DynamicNodeList to LiveNodeList (r135671)
REGRESSION(r135493): HTMLCollection and DynamicNodeList have two vtable pointers (r135667 complete)
Get rid of HTMLCollectionCacheBase (r135534)
Web Inspector: NMI add instrumentation to DynamicNodeList classes hierarchy. (r135493)
CollectionType and DynamicNodeList::NodeListType should be merged (r135476)
Fix another typo. I need to checking that type() != NodeListCollectionType, (r135327)
Fix typos. Apparently XCode failed to text-replace earlier when it was busy making a snapshot :( (r135323)
HTMLCollection's cache should not be invalidated when id or name attributes are changed (r135321)
REGRESSION(r125159): ASSERTION FAILED: m_listsInvalidatedAtDocument.contains(list) in Document::unregisterNodeListCache. (r125334)
Microdata: PropertyNodeList cache should be invalidated on id attribute change. (r125159)
Microdata: HTMLPropertiesCollection does not contain all properties when item is not attached to the DOM tree. (r125157)
Allow plugins to decide whether they are keyboard focusable (r124954)

May 11, 2018
============
Graphical elements inside mphantom should not be visible. (r153088)
Add Support for mspace element (r152235)
Implement parsing of MathML lengths. (r152140)
MathML line fraction needs to parse number values (r151323)
Remove isPluginElement hack in Document::setFocusedNode() (r149101)
document.activeElement should not return a non-focusable element (r142234)
Optimize hasTagName when called on an HTMLElement (r165544 + r165560 + r165562 + r165563 + r165568 rolled out + r165699)
Invalid cast in WebCore::toRenderMathMLBlock (r158198 partial)
Tighten up logic in HTMLTableRowsCollection (r154288)
Unable to focus on embedded plugins such as Flash via javascript focus() (r147591)
MathML preferred widths should not depend on layout information (r140880 + r140923 rolled out)
Copying text with ruby inserts new lines around rt elements (r137477)

May 10, 2018
============
Decouple the percent height and positioned descendants maps. (r202123)
ASSERTION FAILED: !newRelayoutRoot.container() || is<RenderView>(newRelayoutRoot.container()) || !newRelayoutRoot.container()->needsLayout() while loading sohu.com (r206343)
Cleanup RenderBlock::removePositionedObjects (r201985)
Add convenience methods to use ListHashSet for a LRU cache (r137188)
innerHTML should always add a mutation record for removing all children (r195263)
Removing text node does not remove its associated markers (r180139)
Missing support for innerHTML on SVGElement (r176630 + r176713)
Add TextNodeTraversal (r154240)
Minimize virtual function calls in MarkupAccumulator (r173783)
Regression(r206240): XMLSerializer.serializeToString() does not properly escape '<' / '>' in attribute values (r215648)
Fix serialization of HTML void elements when they have children (r206266)
Fix serialization of HTML Element attributes (r206240)
Optimize MarkupAccumulator::appendText() (r173754)
Clean up MarkupAccumulator::appendCharactersReplacingEntities (r163854)
XMLSerializer escapes < > & correctly inside <script> and <style> tags. (r159326)
XMLSerializer-attribute-namespace-prefix-conflicts can't produce reliable results (r154932)
Namespace prefix is blindly followed when serializing (r154779)
XMLSerializer should reset default namespace when necessary (r153508)
[Mac] REGRESSION(r152685): svg/custom/xlink-prefix-in-attributes.html failed unexpectedly (r152785)
XMLSerializer doesn't include namespaces on nodes in HTML documents (r152685)

May 09, 2018
============
Make RenderBlock::insertInto/RemoveFromTrackedRendererMaps functions static. (r202044)
Bopomofo ruby in Dictionary.app is written horizontally (when it should be written vertically) (r201677)
Heap-use-after-free in WebCore::RenderBlock::insertIntoTrackedRendererMaps (r138908)
Specifying a longhand property should not serialize to a shorthand property (r200357)
Add proper support for letter-spacing to bopomofo Ruby (r172874)
Implement rudimentary Bopomofo Ruby support (ruby-position:inter-character) (r172861)
a fractional value of the css letter-spacing property is not rendered as expected (r161521)
REGRESSION(r222843): [HarfBuzz] Combining enclosed keycap not correctly handled (r229165 partial)

May 08, 2018
============
REGRESSION(r221909): Failing fast/text/international/iso-8859-8.html (r222792)
REGRESSION(r221974): [Harfbuzz] Test fast/text/international/hebrew-selection.html is failing since r221974 (r222141)
[Harfbuzz] Test fast/text/complex-text-selection.html is failing since r222090 (r222132)
[Harbuzz] Test fast/text/international/harfbuzz-runs-with-no-glyph.html is crashing (r222126)
[Harfbuzz] Material icons not rendered correctly when using the web font (r222090)
[Harfbuzz] Fix incorrect font rendering when selecting texts in pages which specifies text-rendering: optimizeLegibility (r222086)
[Harfbuzz] Wrong offset returned by HarfBuzzShaper::offsetForPosition() when target point is at the middle of a character (r222020)
[HarfBuzz] Wrong offset returned by HarfBuzzShaper::offsetForPosition in some cases (r221974)
[HarfBuzz] Decomposed Vietnamese characters are rendered incorrectly (r219504 + r220746 rolled out + r220797)
[HarfBuzz] HarfBuzzShaper should not assume numGlyphs is greater than 0 (r208675)

May 07, 2018
============
ASSERTION FAILED: childrenInline() in WebCore::RenderBlockFlow::hasLines (r204908)
Crash in WebCore::RenderElement::containingBlockForObjectInFlow (r197716 partial)
[New Block-Inside-Inline Model] Self-collapsing block check needs to account for anonymous inline blocks (r189594)
REGRESSION (r159345): The hover state for links in the top navigation of Yahoo.com doesn't work (r167870 revisited)
[CSS Regions] Fix painting when the composited region has overflow:hidden (r162115)
[CSS Regions] position: fixed is computed relative to the first region, not the viewport (r154973)
inline-block baseline not computed correctly for vertical-lr (r227947)
Inline block children do not have correct baselines if their children are also block elements (r181387)
REGRESSION(r176978): Inline-blocks with overflowing contents have ascents that are too large (r181292 revisited)
REGRESSION (Simple Line Layout): Inline block baselines computed incorrectly (r174370)
Scroll size is not recalculated when absolute left of child is updated (r165602)

May 04, 2018
============
Simple line layout: Paginated content is not painted properly when font overflows line height. (r213779 partial)
ASSERTION FAILED: !m_trailingWhitespaceWidth in WebCore::SimpleLineLayout::LineState::removeTrailingWhitespace (r208170)
Text on compositing layer with negative letter-spacing is truncated. (r199516)
Simple line layout: Text with stroke width is not positioned correctly. (r194462)
REGRESSION: Inline-block baseline is wrong when zero-width replaced child is present (r189540)
In some situations, partial layouts of floating elements produce incorrect results. (r166428)
End of line whitespace should collapse with white-space:pre-wrap; overflow-wrap:break-word in all cases (r159071)
RenderBlockFlow should only expose its line boxes as RootInlineBox. (r158730)
[CSS Regions] Overset computation is incorrect in some cases (r164988)
[CSSRegions] Move regions auto-size code into RenderNamedFlowFragment (r161553)
[CSS Regions] Anonymous nested regions (r157567 revisited complete)
Remove redundant helper from RenderRegion. (r151887)
[CSS Regions] Move overset compute code from flow thread to named flow thread (r151843)
[CSS Regions] Add new regionOversetChange event (r151777)

May 03, 2018
============
Simple line layout: Leading whitespace followed by a <br> produces an extra linebreak. (r216861)
Text overlaps on http://www.duden.de/rechtschreibung/Acre (r216440)
Simple line layout: FlowContents::segmentIndexForRunSlow skips empty runs. (r215124)
Simple line layout: Hittest always returns the first renderer in the block. (r215054)
Simple line layout: Implement positionForPoint. (r212615)
REGRESSION (197987): Ingredient lists on smittenkitchen.com are full justified instead of left justified. (r199156)
Simple line layout: Add text-align: justify support. (r197987)
[CSS Regions] Overflow selection doesn't work properly (r167803)
[CSS Regions] Use the named-flow-specific object RenderNamedFlowFragment instead of the generic RenderRegion whenever possible (r164482)
REGRESSION (r159609): Images are corrupted when hovering over buttons @ github.com (r163382)
[CSS Regions] Implement visual overflow for first & last regions (r159337 + r159347 rolled out + r159609)
[CSSRegions] Move region styling code into RenderNamedFlowFragment (r159553)
[CSS Regions] Selection focusNode set to the "region" block, instead of the "source" block (r159057)
[CSS Regions] The layers from the flow thread should be collected under the regions' layers. (r156451 + r156478 rolled out + rr157725)
ASSERTION FAILED: !m_visibleDescendantStatusDirty on twitter (r154417)
Propagate writing-mode from the first region to the flow thread (r154221)
[CSSRegions] ASSERTION FAILED: roundedIntPoint(rendererMappedResult) == roundedIntPoint(result) in RenderGeometryMap::mapToContainer (r151396)
[CSS Regions] Hit testing is broken for absolutely positioned regions that have overflow: hidden (r149168)
[New Multicolumn] Make sure region styling works for columns inside regions. (r144633)
Introduce the "stacking container" concept. (r140620)
SVG Fragment is not rendered if it is the css background image of an HTML element (r185395)
SVG fragment identifier rendering issue (r184874)
Respect SVG fragment identifiers in <img> src attribute (r164983)
Respect SVG fragment identifiers in <img> src attribute (r164804)
Text-decoration-style: dashed / dotted rendered as solid (r201777)
Remove unused shouldAntialias parameter from GraphicsContext::computeLineBoundsAndAntialiasingModeForText() (r194731)
Wrong text-decoration-style used for underlines. (r180273)
text-underline-position:under has multiple correctness issues (r180150)
text-underline-position: under is broken (r179883)
fast/css3-text/css3-text-decoration/text-decoration-thickness.html fails on GTK (r166902)
Space between double underlines does not scale with font size (r165120)
Draw all underline segments in a particular run in the same call (r162150)
Underline bounds cannot be queried before underline itself is drawn (r158392)
[css] Update ETextDecorations enum to TextDecorations (r150525)
Improve -webkit-text-underline-position memory usage. (r150258)
[css3-text] Add platform support for "wavy" text decoration style (r147170)
Avoid repeated calls to decorationColor on RenderObject::getTextDecorationColors (r136617)
[css3-text] Add rendering support for -webkit-text-decoration-style (r132076)
[css3-text] Add parsing support for -webkit-text-decoration-style (r126054)

May 02, 2018
============
Simple line layout: Add support for non-breaking space character. (r210985)
Simple line layout: Clear needs layout flag even when only overflow is getting recomputed. (r208214)
Simple line layout:: Add text-decoration support. (r194500)
text-decoration: line-through is mispositioned when text has overline/underline too. (r194465)
Move InlineTextBox's text decoration painting to its own class. (r194447)
Continuously repainting large parts of Huffington Post. (r177128)
-webkit-text-underline-position should not be inherited (r150366 + r150941)
[css3-text] Add rendering support for -webkit-text-underline-position (r146104)
[css3-text] Add partial parsing support for text-underline-position property from CSS3 Text (r145450)
Optimize fetching the Node for never-anonymous renderers. (r156155)
[CTTE] Tighten RenderTextControl element typing. (r155671)
[CTTE] RenderTextControlMultiLine's element is always a HTMLTextAreaElement. (r155667)
[CTTE] RenderButton always has a HTMLFormControlElement. (r155678)
Optimize RenderElement::rendererForRootBackground() a bit (r177193)
Purge remaining ENABLE(SHADOW_DOM) cruft. (r164131)
Micro-optimize RenderBoxModelObject::computedCSSPadding(). (r162238)
Text should be constructable. (r161876)
Text::renderer() should return RenderText (r157373)
Optimize RenderLayerCompositor's OverlapMap (r152806)
[Shadow] Provide an api of insertionParent(). (r146555)
Remove duplicate code in RenderBoxModelObject::computedCSSPadding* (r141669 + r141670 rolled out + r141775)
RoboHornetPro spends ~25% of total test time in WebCore::Region::Shape methods (r132990)

May 01, 2018
============
Split SimpleLineLayout::canUseFor into canUseForStyle and canUseForFontAndText. (r192526)
[JSC] Remove arity fixup check if the number of parameters is 1 (r231160)
Simple line layout: Add support for word-break property. (r194965)
Simple line layout: Add letter-spacing support. (r192564)
Simple line layout: Text jumps sometimes on naughty strings page (r189058)
REGRESSION(r175617): Some text doesn't render on internationalculinarycenter.com (r184219)
Simple line layout: support text-transform: lowercase|uppercase|capitalize (r175617)
Simple line layout: Ignore -webkit-flow-*content while collecting text content for innerText. (r184825)
Simple line layout: Wrong text offsetting when range does not start from the first renderer. (r183413)
Simple line layout: Add <br> support. (r182536 + r182542 rolled out + r182620)
Find results on simple lines are not marked correctly (r165002)
CTTE: RenderBR always has an HTMLElement. (r156054)
Avoid using RenderBR internally in RenderMenuList. (r156040)
Simple line layout(regression): Calling innerText on RenderFlow with multiple children is slow. (r182604)
Simple line layout: Use pre-computed simple line runs to produce innerText content. (r182325)
Remove TextIterator argumentless constructor (r146796)
Simple line layout: Web process spins endlessly below layoutSimpleLines. (r183576)
TextFragment#start() is always >= 0 since its type is unsigned (r181727)
Simple line layout: Use Vector<>::const_iterator instead of custom FlowContents::Iterator. (r181698)
Simple line layout: Change FlowContents::segmentForPosition() to segmentForRun(). (r181697)
Simple line layout: Split fragments on renderer boundary on the fly. (r181667 + r181682 + r181683 + r181685 rolled out + r181692)
Simple line layout: Merge TextFragmentIterator::findNextBreakablePosition() and TextFragmentIterator::findNextNonWhitespacePosition(). (r181268 + r181284 rolled out + r181325)
Simple line layout should not be limited to RenderText. (r181290)
Simple line layout: Use FlowContents::Segment::text instead of renderer when possible. (r178754)
Simple line layout: Rename FlowContentsIterator to TextFragmentIterator. (r179534)
Simple line layout: use std::upper_bound in splitFragmentToFitLine() (r179510)
Regression(r179438) Simple line layout: ASSERTION at SimpleLineLayout::FlowContentsIterator::runWidth(). (r179444)
Simple line layout: Improve FlowContentsIterator::TextFragment's encapsulation. (r179438)
Simple line layout: Make LineState fragment handling simpler. (r179435)

Apr 30, 2018
============
Simple line layout: Drop uncommitted/committed terms from LineState. (r179309)
Simple line layout: Refactor line wrapping logic. (r179048)
Simple line layout: Move FlowContents iterator interface to FlowContentsIterator. (r179284)
Simple line layout: Make FlowContents an iterator class. (r179185)
Simple line layout: Use only FlowContents::nextTextFragment() to read fragments from the text flow. (r179047)
Simple line layout: Move leading whitespace handling from removeTrailingWhitespace() to initializeNewLine(). (r178983)
Simple line layout: Make trailing whitespace handling more explicit. (r178939)
Simple line layout: Move nextTextFragment() to FlowContents class. (r178862)
Simple line layout: Remove redundant style.preserveNewline check when collapsing trailing whitespace. (r178729)
Simple line layout: Refactor TextFragment class. (r178407)
Simple line layout: Refactor SimpleLineLayout::nextFragment(). (r178396)
We don't model regexp effects properly (r231145)
DFG/FTL should inline accesses to RegExpObject::m_lastIndex (r197549)
The put_by_id IC store barrier contract should benefit transition over replace (r189492)
Insert store barriers late so that IR transformations don't have to worry about them (r184445 partial revisited)
Avoid double hash table lookup in SpaceSplitStringData::create() (r175602)
Cut down on double hashing and code needlessly using hash table iterators (r154967)
Fix double hash lookup in DocumentEventQueue::cancelEvent(). (r150969)
Unload event listeners should prevent Safari from insta-killing the web process on last tab close. (r149971)

Apr 27, 2018
============
[New Block-Inside-Inline Model] Anonymous inline-blocks should size as though they are block-level. (r182195)
[New Block-Inside-Inline Model] Make sure line breaks occur before and after the anonymous inline-block. (r182188)
Japanese line breaking rules need to be respected before and after Ruby. (r179366)
Add support to -webkit-line-break property for CSS3 Text line-break property values and semantics. (r176473)
Do not insert positioned renderers to multiple gPositionedDescendantsMap. (r193773)
Overhanging float sets are not cleaned up properly when floating renderer is destroyed. (r184885)
Transform-style should not kill position:fixed (r177200)
vw/vh units used as font/line-height values don't scale with the viewport (r169407 revisited)
[CSS Regions] Extend the RenderRegionRange class to include overflow information + apply the layout overflow (r155026)
[CSS Regions] RenderRegions should have a RenderLayer+Backing when they contain a Composited RenderLayer (r154072 revisited)
[CSS Regions] Propagate overflow from the flow thread to the first and last region (r153814)
[CSS-Regions] OverrideLogicalHeight used by both regions and flexbox (r152281)
Layout info should never be cleared before delayed scroll information updates. (r151360)
[CSSRegions] getBoundingClientRect wrong for inline content nodes (r151309)
[CSS Regions] REGRESSION Incorrect layer clipping inside flow thread (r151202)
clearLayoutOverflow should never be called before calling layer()->updateScrollInfoAfterLayout(). (r151146 + r151178 rolled out)
[New Multicolumn] Fix overflow computation for column blocks. (r143546)
Scroll offset of flex items lost during relayout (r129975)
getComputedStyle returns wrong value for CSS3 2D transformations (r126443)

Apr 26, 2018
============
[MIPS] Fix branch offsets in branchNeg32 (r231044)

Apr 25, 2018
============
'mouseenter' mouse compat event not fired when listeners for touch events (r164495)
Move mouse event dispatch from Node to Element. (r156761)
Make hoverAncestor() a RenderElement concept. (r156338 revisted)
MouseEnter and MouseLeave may be emitted on Document nodes (r155351)
MouseLeave not always emitted when cursor leaves subframe (r155348)
Hover doesn't work for block elements inside a href element (r152907)
[CSS Regions] Mouse over an element does not trigger :hover state for parent when the element is flowed in a region (r150868)
Mouseenter and mouseleave events not supported (r149173)
Add the event handler content attributes that are defined in the spec to HTMLElement (r147205)
fromCharCode is missing some exception checks (r230980)
Make tests for renderer base types non-virtual (r156738)
REGRESSION (r160806): CSS zoom property doesn't work on anything inside anchors. (r171692)
Hide Document::renderer() (r155344)
Document's renderer is always a RenderView. (r154676)
Document::setFocusedNode() should be setFocusedElement(). (r150796)
FocusController::setFocusedNode() should be setFocusedElement(). (r150712)
Move Node::isMouseFocusable() to Element. (r150692)

Apr 24, 2018
============
Use RenderElement instead of RenderObject in many places (r156622 revisited)
Beat FrameView with the FINAL stick. (r155283)
Tatechuyoko shrink-to-fit breaks after changing color, background-color or text-decoration (r192388)
Leverage the new RenderElement::m_isCSSAnimating flag in more places (r174804)
Introduce an isCSSAnimated flag on RenderElement for performance (r174703)
Tighten animation-driven restyle to operate on Element only. (r157856)
Fix some inefficiencies in AnimationController's composite animation map. (r151218)

Apr 23, 2018
============
Move LineLayoutState.h into rendering/line (r159386)
REGRESSION(r157851): trailing space inside an editable region could be erroneously collapsed (r161404)
Remove code now unnecessary after r159575 (r159758 revisited)
Move BreakingContext and LineBreaker into their own files (r159354)
Move LineWidth.{h,cpp} into rendering/line (r149569)
Refactor LineBreaker::nextSegmentBreak, add BreakingContext that holds all its state (r157851)
[css3-text] Rendering -webkit-each-line value for text-indent from css3-text (r147513)
InlineIterator needs to be updated when RenderCombineText shrinks at a line break (r147504)
Add descriptive names for different addMidpoint use cases (r143812)
Remove RenderText::updateText (r143380)
RenderQuote should not mark renderers as needing layout during layout (r143060)
Expand list of supported languages for RenderQuote to match WHATWG spec (r125476)
CSS quotes output quotes when depth is negative (r125448)
Reimplement RenderQuote placement algorithm (r125220)
Built in quotes don't use lang attribute (r124518)
[Cocoa] Improve performance of glyph advance metrics gathering (r205703)
Honor bidi unicode codepoints (r202083)
Remove GlyphPage::mayUseMixedFontsWhenFilling (r189466)
Remove unneeded offset and length arguments from glyph page filling functions (r189465)
[OS X] Remove support for composite fonts (r188566 + r188569)
Support the ch unit from css3-values (r142904)

Apr 22, 2018
============
RenderSVGResource shouldn't trigger relayout during render tree teardown. (r155055)

Apr 20, 2018
============
FrameView shouldn't keep dangling pointers into dead render trees. (r210777)
REGRESSION (r177876): store.apple.com profile and cart icons are missing (r186809 + r186816 rolled out + r186827)
REGRESSION (r177876): 35% regression in Parser/html5-full-render (r177979 + r177984)
Resolve mirroring and variant in Font instead of FontGlyphs (r177957)
Remove GlyphPageTree (r177876 + r177878 + r177881)
Remove FontData::containsCharacters (r177847)
Assertion failure in GlyphPage::setGlyphDataForIndex: (!glyph || fontData == m_fontDataForAllGlyphs) (r150085)
REGRESSION (r194426): First email field is not autofilled on amazon.com (r194823)

Apr 19, 2018
============
Editor::updateMarkersForWordsAffectedByEditing(bool) shouldn't compute start and end of words when there are nor markers (r153734)
[New Block-Inside-Inline Model] Create anonymous inline blocks to hold blocks-inside-inlines. (r182146)
Add a pref to enable the new block-inside-inline model (r181959)
Use after free in WebCore::RenderObject::nextSibling / WebCore::RenderBoxModelObject::moveChildrenTo (r168448 revisited)
Hold a reference to firstSuccessfulSubmitButton in HTMLFormElement::submit (r166236)
Bad cast with toRenderBoxModelObject in RenderBlock::updateFirstLetter() (r157768)
Quirksmode: CSS1: WebKit fails dynamic :first-letter test (r156742 + r161137 rolled out)
Tighten typing in inline rendering (r156618)
Clean up code for getting first line style (r156608)
Clean up some uses of first/lastChildSlow (r156377)
CTTE: RenderNamedFlowThread and FlowThreadController should operate on Elements, not Nodes (r156250)
[CSSRegions] Failed to retrieve named flow ranges for content with inline svg (r156082)
REGRESSION(r127163): Respect clearance set on ancestors when placing floats (r154399 + r154404 rolled out)
RenderBoxModelObject::firstLetterRemainingText should be a RenderTextFragment*. (r153688)
Refactor shouldAddBorderPaddingMargin() (r150642)
REGRESSION(r148121): Empty Span does not get a linebox when it's in an anonymous block (r149897)
An inline element with an absolutely positioned child does not correctly calculate/render padding and margin (r148453)
Empty inline continuations should only get lineboxes if the padding applies to their side of the inline (r148121)
Restore pre-r118852 behavior for EllipsisBox::nodeAtPoint() (r142335)
MutationRecord addedNodes/removedNodes should never be null (r136996)
[CSS Regions] Destroying a render named flow thread without unregistering left-over content nodes triggered an assertion. (r127472)
Fix access to m_markupBox in WebCore::EllipsisBox::paint (r125635)

Apr 18, 2018
============
Unsupported emoji are invisible (r208894)
REGRESSION(r177637) [HarfBuzz][GTK][EFL] It made 3 performance tests crash and +24 layout tests crashes/failures (r178115)
Generic font code should not know about SVG font missing glyph (r177637)
FontGlyphs::glyphDataAndPageForCharacter cleanups (r177229)
A put is not an ExistingProperty put when we transition a structure because of an attributes change (r230740)
Laying out a TextRun using an SVG font is O(n^2) (r173349 + r173476)
RenderBlockFlow::layoutRunsAndFloatsInRange is O(n^2) for runs of inlines without any text (r225110)
Contents of composited overflow-scroll are missing when newly added (r224715)
RenderSVGModelObject::checkIntersection triggers layout (r223947)
RenderSVGModelObject::checkIntersection triggers layout (r223882)
getIntersectionList always returns empty NodeList until layout is complete (r211905)
REGRESSION(r53318): background-repeat: space with gradients doesn't render correctly (r191048)
Remove Image::spaceSize() and ImageBuffer::spaceSize() (r190910 + r190914)
SVG root element accepts background color but fails to repaint it (r168674)
ASSERTION FAILED: object->style()->overflowX() == object->style()->overflowY() (r168543)
[CSS Masking] -webkit-mask-repeat: space does not work (r154875)
mask-repeat: round bug (r153582)
SVG objects are misplaced when SVG root has CSS transform. (r151265)
Fix body background image geometry calculation (r145726)
[CSS3 Backgrounds and Borders] Implement CSS3 background-position offsets rendering. (r136378 + r136380)

Apr 17, 2018
============
CachedImage: ensure clients overrides imageChanged instead of notifyFinished (r179340 + r179344 + r181412 rolled out)
Re-use existing RenderStyle local in textWidth(). (r158476)
RenderText should cache RenderStyle in locals more. (r157448)
REGRESSION: Lines jump up and down while typing Chinese or Japanese (r151327)
Simple line layout: Reset LineState when starting a new line. (r178964)
[CSS Shapes] content inside second shape area when two floats interact (r178192)
Fix r176527. Iterate through the text renderers. (r176534)
SimpleLineLayout::canUseFor() should iterate through RenderTexts to check if their content is eligible for simple line layout. (r176527)
Don't dereference end() in SimpleLineLayout::RunResolver::rangeForRenderer (r177852)
Simple line layout: Add 16bit support. (r177219)
Simple line layout: Rename TextFragment::mustBreak to TextFragment::isLineBreak (r176531)
Avoid String concatenation with line break iterator (r176528)
Use segment vector for FlowContents (r176510)
Make locale part of the SimpleLineLayout::FlowContent::Style (r176507)
REGRESSION(r175259) Simple line layout text measuring behavior changed. (r176470)
Simple line layout: Introduce text fragment continuation. (r176396 + r176397 + r176401)
Simple line layout: Add renderer based rect collecting to RunResolver. (r176317)
RenderTextFragment: Tighten first-letter logic. (r158551)
Add a child renderer iterator. (r158495)
Simple line layout: Rename FlowContentIterator and move implementation to SimpleLineLayoutFlowContents.cpp (r176235)
Simple line layout: Move simple line layout RunResolver and LineResolver implementation to SimpleLineLayoutResolver.cpp (r176123)
REGRESSION(r175601): Assertion failures in SimpleLineLayout (r175620)
Simple line layout: Abstract out content iteration and text handling in general. (r175601)
Simple line layout: Cleanup line initialization and line closing. (r175565)
Speed up line parsing for simple line layout. (r175259)
ASSERTION FAILED: underlyingStringIsValid() (r174451)
Stop using deprecatedCharacters in WebCore/platform/win (r166063)
REGRESSION(r215347): NAS4Free Pop-down menus fail to appear (r218925)
Don't invalidate composition for style changes in non-composited layers (r215347)
Support bezier paths in clip-path property (r191551 partial)
Move more inlines from RenderObject to RenderElement. (r161088)
Move a couple of inlines from RenderObject to RenderElement. (r160596)
Move RenderObject::repaintAfterLayoutIfNeeded() to RenderElement. (r160590)
Use RenderElement instead of RenderObject in many places (r156622 partial)
Move rendererForRootBackground() to RenderElement. (r156310)
-webkit-background-clip:text produces artifacts when applied to the body and the browser is resized (r133686)
REGRESSION(r159345): Lines are clipped between pages when printing web content from Safari (r170805)
REGRESSION(r167870): Crash in simple line layout code with :after (r169189)
REGRESSION (r159345): The hover state for links in the top navigation of Yahoo.com doesn't work (r167870)
Text autosizing does not determine line count correctly for simple line layout (r166171)
Hovering over text using simple line path should not cause switch to line boxes (r159345)

Apr 16, 2018
============
Null dereference loading Blink layout test http/tests/misc/detach-during-notifyDone.html (r192844)
Text with simple line layout not getting pushed below float when there is not enough space for it (r168598)
Re-enable simple line layout on non-Mac platforms (r163537)
CSS word-spacing property does not obey percentages (r161696)
REGRESSION (r159560): Text clips on tile border if line-height < font-size (r168624)
Simple line layout should support floats (r159579)
Don't paint simple text runs outside the paint rect (r159560)
Factor simple line creation loop to function (r159194)
Support overflow-wrap:break-word on simple line path (r159192)
Text on simple lines sometimes paints one pixel off (r159105)
Use start/end instead of textOffset/textLength for simple text runs (r159032)
Implement white-space property on simple line layout path (r159030)
Templated LChar/UChar paths for simple line layout (r158918)
Add debug settings for simple line layout (r158279)

Apr 13, 2018
============
Remove a redundant repaint when a layer becomes composited (r181513)
Should never be reached failure in WebCore::RenderElement::clearLayoutRootIfNeeded (r194426)
Crash when subtree layout is set on FrameView while auto size mode is enabled. (r192133)
Do not crash when the descendant frame tree is destroyed during layout. (r185484)
Make WidgetHierarchyUpdatesSuspensionScope use swap instead of copy (r150872)

Apr 12, 2018
============
Avoid compositing updates after style recalcs which have no compositing implications (r183710)
Eliminate styleDidChange with StyleDifferenceEqual when updates are actually necessary (r183461)
Eliminate styleDidChange with StyleDifferenceEqual when updates are actually necessary (r183454)
Some compositing logic cleanup (r174356)
Refactor conditions for setCompositingLayersNeedRebuild in RenderLayer::styleChanged (r146213)
Devirtualize RenderElement::setStyle(). (r160906)
StyledElement::attributeChanged shouldn't do any work when the attribute value didn't change (r208485)
REGRESSION (r196383): Drop down CSS menus not working on cnet.com, apmex.com (r203976)
REGRESSION (r196629): Safari can get into a state where switching Reader theme doesn't apply to the webpage (r201332)
REGRESSION(r196629): Messages text size only changes for sending text, conversation text size does not change (r199099)
Optimize style invalidations for attribute selectors (r196629)
Add parsing support for CSS Selector L4's case-insensitive attribute (r179819)
Handle unprefixed @keyframes rule (r176368)
Element::attributeChanged shouldn't do any work when attribute value didn't change (r164856 + r165044)
[CSS Regions] Fix WHITESPACE issues in the CSS grammar. (r157720)
Rework CSS parser, eliminating "floating" concept and using %destructor (r155536 partial)
Element: Modernize attribute storage accessor functions. (r153826)
Set Attr.ownerDocument in Element#setAttributeNode() (r151998)
Allow no space between "background-position:" dimensions (r150972)
Removing Attr can delete a wrong Attribute in ElementData (r150072 + r150297)
ElementData should use 'unsigned' attribute indices. (r149061)
Speed up ElementData::getAttributeItem(), which is hot. (r148961)
Attr: Simplify modification callbacks. (r143834 + r147144)

Apr 11, 2018
============
REGRESSION(r196383): Automatic shrink-to-fit of RuleSet no longer works. (r211335)
REGRESSION (196383): Class change invalidation does not handle :not correctly (r198216)
Factor class change style invalidation code into a class (r196560)
Optimize style invalidation after class attribute change (r196383)
The SVGDocument of an SVGImage should not perform any additional actions when the SVGImage is being destroyed (r177441)
Elements with class names automatically get unique ElementData. (r159104)
setAttributeNode() does not set the new value to an existing attribute if specified attribute is in a different case. (r154881 + r154991 rolled out + r155093)
Crash in WTF::RefPtr<WebCore::SpaceSplitStringData>::operator UnspecifiedBoolType (r153835)
Enable selector filtering for shadow trees (r194762)
Factor free standing tree style resolve functions into a class (r194691)
Assertion failure in RenderTreePosition::computeNextSibling (r192608)
Don't create renderers for children of shadow host (r190006)
Style invalidation affecting siblings does not work with inline-style changes (r189836)
Give pseudo elements the correct specificity (r175715)
Remove the code guarded by STYLE_SCOPED (r156683)
Figure out if node is focusable without requiring renderer (r160966)
DFG AI and clobberize should agree with each other (r230488 partial)
REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq (r230485)
Avoid setting style twice for generated image content. (r159989)
Fix 4 asserting SVG tests after r158097. (r158100)
Tone down overzealous assertion from r158097. (r158099)
Renderers should receive their style at construction. (r158097)
Move setPseudoStyle() to RenderImage (from RenderElement.) (r157371)

Apr 10, 2018
============
SearchInputType could end up with a mismatched renderer. (r216159)
Avoid synchronous style recalc when mutating a Node inside FrameSelection. (r176201)
CSS filter on a compositing layer should not cause unncessary backing store allocation (r173294)
Make inherited style and parent renderer references (r172599)
<embed> videos flashes constantly while playing inline on iPad, making it unwatchable (r171702)
Remove unnecessary style invalidation in RenderTextControl::styleDidChange(). (r170033)
Assertion failure, !node || node->isElementNode(), in WebCore::RenderBlock::clone() (r167092)
Crash after mutating after pseudo style (r166706)
REGRESSION (r161195): Acid2 regression tests frequently fail (r161484)
Crash when mutating SVG text with transform (r161630)
Document abandons its EventTargetData. (r201466)
Remove selector filter update calls from Element child parsing callbacks (r194596)
Support style isolation in shadow trees (r189987 revisited complete)
Don't recurse into non-rendered subtrees when computing style (r172517 revisited complete)
Pass inherited style only when resolving tree style (r172409)
Crash in Web Content Process under ~PDFDocument under clearTouchEventListeners at topDocument() (r171647)
[CSSRegions] Crash when cloning a region child with a content node child (r166353)
Render tree construction is O(N^2) in number of siblings (r166303)
Invalidate sibling text node style when needed instead of attaching synchronously (r166173)
Don't call to willBeDeletedFrom(Document&) when destructing document (r164369)
CTTE: RenderNamedFlowThread and FlowThreadController should operate on Elements, not Nodes (r156250)
Refactoring: Fold Document::focusedNodeRemoved into Document::removeFocusedNodeOfSubtree (r151980)
Turn TreeScope::focusedNode() into focusedElement(). (r150733)
Document::adoptNode for multiple fields time input UI should not crash (r129448)
Move StyleChange enum into a separate file (r194584)
Don't recurse into non-rendered subtrees when computing style (r172517 revisited complete)
Don't use NodeRenderingTraversal for pseudo elements (r165465)
Remove public attachRenderTree (r161205)
Remove reattachRenderTree (r161199)
Do less synchronous render tree construction (r161195)
Remove attachChild (r161142)
XML document builder should create render tree asynchronously (r161140)
Remove Node::attached() (r161127)
Dodge more work during render tree teardown. (r155955)
Rename needsShadowTreeWalker (r155303)
Remove ComposedShadowTreeWalker (r155292)
Separate forward and backward paths in ComposedShadowTreeWalker (r155287)
Remove unnecessary sibling text renderers after attach (r155253)
Set "render tree being torn down" flag a bit earlier. (r155089)
REGRESSION (r154581): Some plugin tests failing in debug bots (r154613)
ComposedShadowTreeWalker shouldn't be exposed to non-ShadowDOM classes (r139325)

Apr 09, 2018
============
IsInShadowTreeFlag does not get updated for a non-container node (r217926 partial)
REGRESSION(160908): vube.com video won't play after going into and out of fullscreen (r170638)
REGRESSION (r160908): Unable to unset bold while entering text (r170296 partial)
REGRESSION (r160908): Safari doesn't draw rotated images properly first time (r167598)
Move document life time management from TreeScope to Document (r164195)
Create render tree lazily (r160908)
Add more assertions with security implications in DocumentOrderedMap (r159489 partial)
SMIL timers can still fire after the containing document has been torn down (r158627)
Document::destroyRenderTree() shouldn't do anything but. (r156274)
Destroying a Document's render tree shouldn't make it impossible to recreate. (r155874)
Devirtualize Document::detach(). (r155849)
Use a better name than m_invertibleCTM (r155752)
According to DOM4, all DocType nodes should have a document (r154840)
Kill updateStyleForAllDocuments() (r153872)
Listening touch events on ShadowRoot can crash. (r146853)
Range::isPointInRange incorrectly throws WRONG_DOCUMENT_ERR (r124506)
Move pseudo element construction out from Element (r160138)
Call createTextRenderersForSiblingsAfterAttachIfNeeded only for the attach root (r155116)
Use Element& in StyleResolveTree (r154903 partial)
Remove AttachContext (r154873)
Tighten before/after pseudo element accessors (r154541)
Remove StyleResolver::State::m_parentNode (r165542 revisited complete)
Remove NodeRenderingContext (r154809)
Move element renderer creation out of NodeRenderingContext (r154806)
Make NodeRenderingContext::parentRenderer and nextRenderer top layer aware (r139154)

Apr 08, 2018
============
Rename ShadowRoot::hostElement to shadowRoot::host to match the latest spec (r189239 partial)
REGRESSION (r154232): Crash on the japantimes.co.jp (r154320)
PseudoElement is abusing parent node pointer (r154232)
Parent pointer and shadow root host pointer should not be shared (r154165)
Move functions from NodeRareData to ElementRareData and other classes (r139681)
[Shadow DOM] ShadowRoot.getElementById() should work outside document. (r137731)
ShadowRoot needs guardRef() and guardDeref() (r144735)
Element: Avoid unrelated attribute synchronization on other attribute access. (r143112 revisited)
[Refactoring] Replace Node's Document pointer with a TreeScope pointer (138735)
REGRESSION(r133492): Heap-use-after-free in WebCore::Element::normalizeAttributes (r137341)
Decouple Attr logic from ElementAttributeData. (r133492)

Apr 07, 2018
============
Share attach loops between Elements and ShadowRoots (r154746)
Make Element::attach standalone function (r154257 + r154323 + r155779))
Remove ElementShadow (r154106)
Shadow DOM styles appear to be over-eagerly shared (r144031)
Rename AncestorChainWalker. (r143422)
WheelEvent should not target text nodes. (r143148)
[Shadow DOM] Refactoring: invalidateParentDistributionIfNecessary() calls are too intrusive (r139064)
Changing pseudoClass (:indeterminate) should cause distribution (r134418 + r134432 + r134938)
Cannot select the AuthorShadowDOM inner element of an img element (r125397)
No need for notifyChromeClientWheelEventHandlerCountChanged in Frame (r154575)
Make Element::attach non-virtual (r154254)
Crash in DumpRenderTree at com.apple.WebCore: WebCore::CaptionUserPreferences::captionPreferencesChanged + 185 (r145826 partial)
Rename HasCustomCallbacks to HasCustomStyleCallbacks (r143089)
[Mac] Track language selection should be sticky (r142580 partial)
Video element image loader must persist after element detach. (r125052)

Apr 06, 2018
============
Don't use NodeRenderingContext when attaching text renderers (r154738 complete)
Always resolve style from root (r161208)
Don't use NodeRenderingContext when attaching text renderers (r154738 partial)
Missing null-check of parent renderer in WebCore::HTMLEmbedElement::rendererIsNeeded() (r154698)
Missing null-check in HTMLFormElement::rendererIsNeeded() (r154476)
Replace NodeRenderingContext with Node* as childShouldCreateRenderer() argument (r154361 + r154365 + r154371)
Replace NodeRenderingContext with RenderStyle& as shouldCreateRenderer() argument (r154358 + r155887)
Remove NodeRenderingTraversal::ParentDetails (r154327)
Move some Document recalcStyle code to StyleResolveTree (r153938)
Avoid calling nextRenderer() in some cases (r153530)
before/after generated content is not working with HTMLSummaryElement and HTMLDetailsElement. (r151351)
[Mac] svg/custom/text-use-click-crash.xhtml added by r139029 hits assertion in enclosingTextFormControl (r139999)
[Refactoring] HTMLTextFormControlElement should use shadowHost instead of shadowAncestorNode (r139962)
[Shadow DOM]: reset-style-inheritance doesn't work for insertion point (r137112)
Merge EditingText into Text (r135529)
HTMLTextFormControlElement calls setInlineStyleProperty with the wrong parameters. (r130897)

Apr 05, 2018
============
REGRESSION (r172591): Can no longer style <optgroup> with colors (LayoutTests/fast/forms/select/optgroup-rendering.html) (r184675)
Remove nonRendererStyle (r172591)
[MIPS] Optimize generated JIT code for branches (r230310)
ASSERTION FAILED: !currBox->needsLayout() in WebCore::RenderBlock::checkPositionedObjectsNeedLayout (r205479)
ASSERTION FAILED: !currBox->needsLayout() loading bing maps (and apple.com/music and nytimes) (r187502)
ASSERTION FAILED: !length.isUndefined() in WebCore::GridLength::GridLength (r180669)
ASSERTION FAILED: !lengthOrPercentageValue.isUndefined() in WebCore::ApplyPropertyTextIndent::applyValue (r178067)
Remove <iframe seamless> support. (r163427 partial)
Remove redundant check for "firstLine" in RenderBlock::lineHeight() (r213923)
ASSERTION FAILED: m_fonts in &WebCore::FontCascade::primaryFont (r207726 partial)
Use separate style resolver for user agent shadow trees (r190347 partial)
Support style isolation in shadow trees (r189987 partial)
ElementRuleCollector: group the shadow tree code (r171835)
Move document life time management from TreeScope to Document (r164195 partial)
RenderObject::view() should return a reference. (r154546 partial)
Let Document keep its RenderView during render tree detach. (r154542)
[Shadow DOM] Kill ShadowRoot constructor (r137870)
REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain (r230287)
Split author style code out from DocumentStyleSheetCollection (r190169)
Remove "document has no sibling rules" optimization. (r176388)

Apr 04, 2018
============
MIPS: add missing implementations of load8SignedExtendTo32() (r212419)
Remove "document has no ::before and/or ::after rules" optimization. (r176373)
[MIPS] Optimize JIT code generated by methods with TrustedImm32 operand (r230164)
[JSC] The implementation of 8 bit operation in MacroAssembler should care about uint8_t / int8_t (r208450 partial revisited)
Selector checker should not mutate document and style (r195293 partial)
CSS4 Selectors: Add multiple pseudo elements support to :matches (r175889)
Style invalidation does not work for adjacent node updates (r172880)
The style is not updated correctly when the pseudo class :empty is applied on anything but the rightmost element (r172721)
CSS JIT: Implement Pseudo Element (r171588)
Make RenderStyle's non inherited flags more JSC friendly (r166465 + r166468 + r166469)
Clean up RenderStyle creation (r165578)
Implement :scope for element.querySelector[All]() (r145691)
Remove unbaked support for :scope pseudo-class. (r129408)
Merge CheckingContexts from SelectorCompiler and SelectorChecker (r173457)
Pass CSSSelector pointers around as const after parsing stage. (r140530)
CSS general sibling selectors does not work without CSS JIT (r189560)
Removing an HTML element spends a lot of time in adjustDirectionalityIfNeededAfterChildrenChanged (r178571)
Roll out r165076. (r177048)
Remove the style marking from :nth-child() (r173910)
Fix style invalidation of elements with multiple siblings dependencies (r173229)
Don't recurse into non-rendered subtrees when computing style (r172517 partial)
Don't recurse into non-rendered subtrees when computing style (r172494 + 172505)
Subtrees with :first-child and :last-child are not invalidated when siblings are added/removed (r170121 revisited complete)
Devirtualize isHTMLUnknownElement(). (r166839)
Add a Document::updateStyleIfNeededForNode(Node&). (r165076)
Turn some not-so-rare ElementRareData bits into Node flags. (r159191)
Keep SVGElementRareData in an SVGElement member instead of a hashmap. (r156819)
Clean up ContainerNode::childrenChanged (r154957)
Don't force layout when querying a fixed or non-box margin/padding property (r153347)
Extract computeRenderStyleForProperty and nodeOrItsAncestorNeedsStyleRecalc from ComputedStyleExtractor::propertyValue (r152938)
REGRESSION: ChildrenAffectedBy flags lost between siblings which have child elements sharing style (r141093)
Rename ContainerNode::parserAddChild "parserAppendChild" for consistency (r129164)

Apr 03, 2018
============
Return early in SelectorChecker::checkOne() if selector.isAttributeSelector() is true (r173646)
Unify the modes style resolution modes SharingRules and StyleInvalidation (r172679)
Simplify the StyleInvalidation mode of rule collection (r172024 revisited)
Regression(r169547): Crash in WebCore::styleForFirstLetter() while loading http://thenextweb.com/apple/2014/02/21/apple-confirms-acquired-testflight-creator-burstly/ (r169599)
Make pseudo element matching for style resolution more JIT friendly (r169547)
Start cleaning the API of SelectorChecker (r156189)
Split SelectorChecker's fast-checking logic into its own class. (r143686)
Move HTML Attribute case-sensitivity logic out of SelectorChecker to HTMLDocument. (r140832)
CSS: Refactor :visited handling in SelectorChecker (r173138)
CSS: Fix :visited behavior for SubSelectors (r171675)
CSS: Generalize CSS First Letter treatment (r171138)
Remove an useless check from SelectorChecker (r171058)
Fix the quirks mode selector matching of the pseudo classes :hover and :active (r169360)
Upgrade to SelectorFailsAllSiblings when Child selector is failed. (r166808)
Remove a contradiction from SelectorChecker (r156380)
Add a special case for SelectorDataList::execute when there is only one selector (r150944)
Use ElementTraversal in SelectorDataList::execute (r150099)
SelectorQuery should not ever use ResolvingStyle mode. (r144140)
SelectorChecker should not know about SelectorCheckerFastPath. (r143858)
REGRESSION(r130089): Scrollbar thumb no longer re-rendered on hover (r143819 revisited)
Kill transitive effects of SelectorChecker::checkOneSelector. (r130089 revisited)
Rename the CSSSelector PseudoType to PseudoClassType (r167571)
Split CSS Selectors pseudo class and pseudo elements (r166883 partial)
Move the PseudoPageClass types out of the pseudo element/class mix (r166863)
Update the code related to SelectorPseudoTypeMap to reflect its new purpose (r166447)
Pseudo type cleanup part 2: split pseudo elements parsing (r166094)
Fix a bunch of mistakes in the parsing of ::cue( and ::cue (r165579)
Start splitting CSS Selectors's pseudo types (r165402)
Remove unused CSSSelector::isCustomPseudoType(). (r149565)
class="cue" is getting some default style (r141806)

Apr 02, 2018
============
Some improvements to RuleSet shrinking. (r178580)
CSS Rule features are ignored for nested CSS Selector lists (r175018)
Simplify the StyleInvalidation mode of rule collection (r172024)
Remove SelectorCheckerFastPath from the style resolution algorithm (r171059)
Partition the CSS rules based on the most specific filter of the rightmost fragment (r171020)
CSS JIT: Ensure resolvingMode size is 1 byte (r170832)
CSS JIT: compile the first-child pseudo class (r166537 partial)
Remove leftover cruft from scoped stylesheet implementation. (r163559)
Reoptimize free-standing :focus/link/visited/-webkit-any-link selectors. (r149838)
`currentColor` computes to the same colour on all elements, even if 'color' is inherited differently (r182130)
Updating attributes on HTML elements do not invalidate the style correctly unless the attribute name is lowercase in the stylesheet (r173012)
[Forms] We should share RenderStyle object for optgroup and option element (r172597)
Two small refinements to matched properties cache. (r160829)
CSS: Fall back to cache-less cascade when encountering explicitly inherited value. (r160820)
Incorrect repeated background-size behavior in keyframes (r191589)
Crash under WebCore::invalidateStyleRecursively (r184615)
Crash when using 'em' units to specify font-size inside animation keyframe. (r171785)
REGRESSION (r160806): Incorrect cascade order of prefixed and non-prefixed variants of CSS properties box-shadow and background-{clip, origin, size} (r165587)
Add missing &. (r163594)
Check selectors exactly when invalidating style (r163592)
ElementRuleCollector should not use StyleResolver::State (r163475)
Remove StyleScopeResolver (r163263)
Remove the CSS selector profiler. (r162084)
REGRESSION(r160806): line-height is not applied when only present in :link style. (r161814)
Use CascadedProperties for page and keyframe style resolution as well. (r160852)
CascadedProperties: Deferred properties should have inline capacity. (r160830)
CascadedProperties should use a bitset to track property presence. (r160828)
Don't waste cycles on zeroing every CascadedProperties::Property. (r160817)
CSS: Add a property cascading pass to style application. (r160806)
Clean up more <style scoped> from style resolution (r156788)
Move the SharingRules mode outside of SelectorChecker (r156187)
Web Inspector: [REGRESSION] Forced :visited pseudoclass has no effect on A elements (r140331)
Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live (r230115)
Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType (r230101)
ArrayMode should not try to get the DFG to think it can convert TypedArrays (r230078)

Mar 29, 2018
============
Remove ElementRuleCollector's m_behaviorAtBoundary (r154297)
[Refactoring] Implement RuleCollector (r145510)
[Shadow DOM]: scoped styles are not applied in the cascade order. (r137708)
Group parameters (firstRuleIndex and lastRuleIndex) into a parameter object, RuleRange. (r140643)
Group all request parameters which are used to match CSS Rules into a parameter object. (r139817)
Split each RuleSet and feature out from StyleResolver into its own class. (r142573)
Split default style-sheet statics out from StyleResolver into its own class (r141713)
Let SVG images not taint canvases except when containing foreignObjects (r195614)
Add Traversal<ElementType> template (r154481)
Allow SVG images to be drawn into canvas without tainting. (r153876)

Mar 28, 2018
============
Factor stylesheet invalidation analysis code into a class (r132009)
Don't invalidate style unnecessarily when setting inline style cssText (r198284)
Reduce the overhead of updating the animatable style on ARMv7 (r169790)
Continuations casting issue. (r166736 revisited)
Mutating rules returned by getMatchedCSSRules can result in crash (r165821)
Move m_style to RenderElement (r156527)
Don't do document style recalc unless there's a RenderView. (r154927)
[cairo] Typo in determining fixed width fonts (r69776 revisited)

Mar 27, 2018
============
Remove the prefix for CSS Transforms (r181824 + r181825 + r181832)
[GTK] Support FontPlatformData::isFixedPitch for custom fonts (r69137 revisited)
DFG should know that CreateThis can be effectful (r229987 partial)
Stop returning GlyphPage from various Font functions (r177490)
Remove genericFamily enum from FontDescription (r176751)
FontGenericFamilies should not be ref-counted. (r157455)
Separate generic font family settings to a class (r150962)
Tighten FontGlyphs::glyphDataAndPageForCharacter to take FontDescription (r150762)
Avoid creating background layers on pages with a fixed background, but no image (r140648)
[CSS Grid Layout] Updating -webkit-grid-rows or -webkit-grid-columns doesn't work as expected (r140045 partial)
StyleResolver should not set NaN to font size (r136074)
Some CSS properties are not handled on StyleResolver::applyProperty (r134357)

Mar 26, 2018
============
REGRESSION(r158214): It made zillion tests crash on GTK and EFL (r158265)
Use left/right instead of left/width for simple text runs (r158225)
Make SimpleLineLayout::Layout a variable size object (r158214)
Multiple runs per line on simple line path (r158196)
Prepare simple line layout to support multiple runs per line (r158107)

Mar 23, 2018
============
[Qt] Animated opacity does not trigger accelerated compositing (r149123)

Mar 22, 2018
============
Remove misleadingly-named Font::isSVGFont() (r170871)
Simple line layout crashes with SVG fonts (r158860)
Decorated text sometimes does not draw its decorations (r158379)
[Texmap] Update a dirty region which is not covered with keepRect. (r148094)
[CSS] Expand -webkit-line-break value space (r132942)
CSS 3 'overflow-wrap' property implementation (r127737)
Text bounding box computation for simple line layout is wrong (r167568)
Re-enable simple line layout for GTK (r158102)
Enable center and right text alignment for simple lines (r158098)
fast/frames/seamless/seamless-nested-crash.html asserts on wk2 only (r158085)
Faster way for simple line layout to check if text has fallback fonts (r158012)
REGRESSION(r157950): It made many tests assert on Windows, EFL, GTK (r158007)
Non-SVG build broken after r157950 (r157998)
Cache line layout path (r157985)
Try to fix build without CSS_SHAPES. (r157952)
Simple line layout (r157950)
REGRESSION (Safari 5.1 - 6): Cannot correctly display Traditional Mongolian Script (r124654)
SVGImage::drawPatternForContainer creates a buffer without respecting the destination's acceleration setting (r173143 partial)
Remove deep copy of ImageBuffer in tiled SVG backgrounds (r143692)
Fix scaling of tiled SVG backgrounds on high-dpi displays (r143257 revisited)
Incorrect embedded SVG image sizing on first load (r132069)

Mar 21, 2018
============
Rename some line box functions to be just about lines (r157810)
ASSERTION FAILED: generatingElement() in WebCore::RenderNamedFlowFragment::regionOversetState (r171476)
[CSS Regions] Possible performance regression after r157567 (r157793)
[CSSRegions] Use RenderStyle::hasFlowFrom when needed (r157779)
[CSS Regions] Anonymous nested regions (r157567 partial)
[CSSRegions] Regions with overflow: hidden should paint over positioned sibling (r157129)
[CSSRegions] Computed z-Index should return 0 instead of auto for a region (r157121)
[CSSRegions] Regions as stacking contexts should paint over positioned sibling (r156891)
Replace node() calls with generatingNode() for RenderRegion code (r155109)
[CSSRegions] Pseudo-elements as regions should not be exposed to JS (r154982)
[CSS Regions] ::before and ::after pseudo-elements are not displayed for regions (r151647)
[CSS Regions] Regions don't create a stacking context for their contents (r151475)
[CSS Regions] Layers inside the RenderFlowThread should be collected by the layer of RenderView (r151339)
[CSSRegions] Prevent unnecessary copy of LayoutRect objects (r150761)
[CSSRegions] Consolidate use of RenderRegion::isValid (r147082)
Generated should not be supported for things with a shadow (r132269 + r132529 + 132696 + r132753)

Mar 20, 2018
============
[CSS Regions] Null dereference applying animation with CSS regions (r163531 partial)
[CoordGfx] Regression from r135212: big layers with transform animations sometime fail to render tiles (r142979 partial)
Coordinated Graphics: crash in TiledBackingStore::adjustForContentsRect (r141833)
REGRESSION(134048): TiledBackingStore must create tiles when the contents rect is changed. (r135366)
Coordinated Graphics: Remove a backing store of GraphicsLayer when the layer is far from the viewport. (r134048)
[Qt] Decide when to apply a scrolled position to the viewport based on the rect covered by the tiles (r130031)
[DFG][FTL] Profile array vector length for array allocation (r222380 + r222382 rolled out + r222384)

Mar 19, 2018
============
Move setting of some layout bits to RenderElement (r156816 + r156822 rolled out + r156876)
Move more style change code from RenderObject to RenderElement (r156325)
Move style change analysis code to RenderElement (r156312)
Rename RenderObject::first/lastChild to RenderObject::first/lastChildSlow (r156285)
Move layer hierarchy functions from RenderObject to RenderElement (r156190)
SVG relayout problem when displayed with different image box heights (r152178)
Fixed backgrounds in composited layers not repainted on scrolling (r151624 complete revisited)
webkit-backface-visibility on a parent element stops background-position from updating (r151622)
Fix assertion in the getComputedStyle-background-shorthand.html test (r150547)
New Flickr doesn't get fast scrolling but should (r150529)
REGRESSION (142152): ensure we skip past out-of-flow objects when detecting whitespace to ignore after leading empty inlines (r148223)
REGRESSION(r142152): Text wraps in menu (r147662 + r147667 + r147850 + r147939)
Padding applied twice for empty generated RenderInlines (r147505 revisited)
CSS 2.1 failure: floats-149 fails (r142152)
Improve "bad parent" and "bad child list" assertions in line boxes (r160837)
Move code for finding rendered character offset to RenderTextLineBoxes (r157517)
Move test for contained caret offset to RenderTextLineBoxes (r157514)
Make absoluteQuads/Rects functions return Vectors (r157366)

Mar 16, 2018
============
Remove strange CharacterData::dataImpl function (r178157)
Move absoluteRects/Quads to RenderTextLineBoxes (r157362)
Move positionForPoint to RenderTextLineBoxes (r157349)
Move line dirtying code to RenderTextLineBoxes (r157346)
Move more code to RenderTextLineBoxes (r157345)
Factor line box code from RenderText to a class (r157340)
Replace RenderText::renderedTextLength with hasRenderedText (r157338)
Repaint borders and outlines on pseudo content changes (r156619)
[CTTE] RenderText is always anonymous or associated with Text node (r156090)
CTTE: RenderSVGInlineText always has a Text node. (r155837)
CTTE: RenderCombineText always has a Text node. (r155845)
Changes in text-only properties shouldn't cause repaints unless there is actually text. (r150259)
Test if non-immediate descendants obscure background (r146955)
Don't compute background obscuration on every repaint (r146279)
Change hasAlpha to isKnownToBeOpaque and correct the return value for SVG images. (r141637)
REGRESSION (r135628-135632): Double box shadow failure to render (r141160)
Use render box background over border draw strategy in cases with background-image (r137473)
Fix occlusion culling logic to handle css background layer clipping (r136326)
Adding occlusion detection to reduce overdraw in RenderBox background rendering (r135629)

Mar 09, 2018
============
Window's pageXOffset / pageYOffset attributes should be replaceable (r206109)
Safari not handling undefined global variables with same name as element Id correctly. (r229451)

Mar 08, 2018
============
Upgrade-Insecure-Request state is improperly retained between navigations (r204521)
CSP: object-src and plugin-types directives are not respected for plugin replacements (r203611 partial)
CSP: Content Security Policy directive, upgrade-insecure-requests (UIR) (r201753)
[CSP] Violation report may be sent to wrong domain on frame-ancestors violation (r206278)
CSP: Improve support for multiple policies to more closely conform to the CSP Level 2 spec. (r203434 partial)
Fold setCellLogicalWidths logic into RenderTableSection layout (r131465)
Make RenderTable columns() and columnPositions() return a const reference (r131366)
Make no-column table-layout cases a little faster with inlining (r130698)

Mar 07, 2018
============
HTML `pattern` attribute should set `u` flag for regular expressions (r229363)
Ignore invalid regular expressions for input[pattern]. (r149151)
matchingShorthandsForLonghand builds map using a giant function (r155352 revisited)
[css3-text] Parsing -webkit-hanging value for text-indent from css3-text (r148414)
[css3-text] Parsing -webkit-each-line value for text-indent from css3-text (r146408)
[CSS3] Parsing the property, text-align-last. (r134190)
[Chromium] Use OpenTypeVerticalData on Linux (r129273)
Remove special-case flooring of baselinePosition for replaced elements in InlineFlowBox::placeBoxesInBlockDirection (r131503)
Revert rounding change in RenderTable::paintObject (r131358 revisited)
[Sub pixel layout] Change RenderBox to not round logicalTop/Left for RenderReplaced (r131202)
Remove the now-unneeded invalidations in RenderTable::removeCaption (r127139)
Crash in RenderTable::removeCaption (r126833)
Remove RenderTable::removeChild (r126495)
Lots of time spent querying table cell borders, when there are none. (r182235)
RenderTableRow should check if it has access to its ancestor chain. (r180190)
ROLLOUT: r153510: Broke Table borders on Wikipedia (r169814)
REGRESSION (r154622): Borders disappear when hovering over cells in table (r169532)
REGRESSION (r162334): RenderTableCol::styleDidChange uses out-of-date table information (r165837)
Col width is not honored when dynamically updated and it would make table narrower (r162334)
Avoid painting every non-edge collapsed border twice over (r154622)
In RenderTableCell::paintCollapsedBorders() check surrounding cells using physical rather than logical direction (r154389)
Dotted borders render w/ artifacts and sometimes as solid lines (r153510)

Mar 06, 2018
============
Implement TextDecoder and TextEncoder (r208872)
[mips] GPRInfo::toArgumentRegister missing (r194709)
Update CSSProperties.json with correct fill-and-stroke status, and other cleanup (r215151 partial)
Implement stroke-miterlimit. (r214787)
[FreeType] ASSERTION FAILED: !lookupForWriting(Extractor::extract(entry)).second in FontCache::getVerticalData() (r200237 partial revisited)
Add support for CSS properties paint-order, stroke-linecap, and stroke-linejoin in text rendering. (r212808 partial)
Apply SVG styles paint-order, stroke-linejoin, and stroke-linecap on DOM text. (r212562)
calc() doesn't work for SVG CSS properties (r172711)
Removed some allocation and cruft from the parser (r177001 + r177010)

Mar 05, 2018
============
Removed the concept of ParserArenaRefCounted (r176825)
Split out FunctionNode from FunctionBodyNode (r176822)
The parser should generate AST nodes the var declarations with no initializers (r172717)
Crash in uninitialized deconstructing variable. (r179682)
Reduce the mass templatizing of the JS parser (r160383 complete revisited)
ASSERTION FAILED: !m_bodyLoader (r212257)
[Fetch API] Use ReadableStream pull to transfer binary data to stream when application needs it (r206857)
[Fetch API] ReadableStream should be errored with TypeError values (r206770)

Mar 02, 2018
============
[FreeType] ASSERTION FAILED: !lookupForWriting(Extractor::extract(entry)).second in FontCache::getVerticalData() (r200237 partial)

Mar 01, 2018
============
[GTK] Glyphs in vertical text tests are rotated 90 degrees clockwise (r158848 complete revisited)
Make OpenTypeVerticalData be ref-counted (r134871)
FontVerticalDataCache should allow zero as a key value (r130968)
OpenTypeVerticalData issue with DroidSansFallback.ttf on chromium-android and chromium-linux (r130570)
OPENTYPE_VERTICAL support for Chromium Win (r126907)
Cache support for OpenTypeVerticalData (r124397 complete revisited)

Feb 27, 2018
============
Directional single quotation marks are not rotated in vertical text (r176903)
Correct range used for Emoji checks. (r155951)

Feb 26, 2018
============
[DFG][FTL] Support Array::DirectArguments with OutOfBounds (r224818)
Constructor calls set this too early (r217062 complete revisited)
Fix exception scope verification failures in GenericArgumentsInlines.h. (r214085)
Use of arguments in arrow function is slow (r213165 partial)
ScopedArguments is using the wrong owner object for a write barrier. (r204612)
SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector. (r186643)
JIT bug - fails when inspector closed, works when open (r185566)
  => Passed JIT tests.

Feb 23, 2018
============
Creating a new blank document in icloud pages causes an AI error: (r184318 complete revisited)
[JSC] Avoid cloned arguments allocation in ArrayPrototype methods (r208524 partial)
Add argument_count bytecode for concat (r201668)

Feb 22, 2018
============
putDirectIndex does not properly do defineOwnProperty (r216279 complete revisited)
Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate(). (r215885 partial revisited)
[JSC] Drop arguments.caller (r208867)
ClonedArguments need to also support haveABadTime mode. (r208377 partial revisited)
Bad ASSERT in ClonedArguments::createByCopyingFrom() (r206836)
We should be able to eliminate cloned arguments objects that use the length property (r198154)
Leak of mallocs under StructureSet::OutOfLineList::create (r173787)

Feb 22, 2018
============
[JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case (r185240 complete revisited)
REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes. (r182167)
DFG IR should refer to FunctionExecutables directly and not via the CodeBlock (r180993 complete)
  => Passed JIT tests.

Feb 21, 2018
============
GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments (r219433)
Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js (r218414 partial)
putDirectIndex does not properly do defineOwnProperty (r216279 partial revisited)
[test262] Fixing mapped arguments object property test case (r210146)
ClonedArguments need to also support haveABadTime mode. (r208377 partial)
We allow assignments to const variables when in a for-in/for-of loop (r204586 complete revisited)
DFG JIT bug in typeof constant folding where the input to typeof is an object or function (r198902 revisited)
Callee can be incorrectly overridden when it's captured (r188926 partial revisited)
DFG Is<Blah> versions of TypeOf should fold based on proven input type (r183629 revisited)
DFG should insert Phantoms late using BytecodeKills and block-local OSR availability (r183207 partial revisited)
[ES6] Use specific functions for @@iterator functions (r182911 revisited)
PutClosureVar CSE def() rule has a wrong base (r182213)
Deconstruction parameters are bound too late (r182109)
ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor (r182100)
If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments. (r182023)
Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them. (r182004)
Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it right, so this just makes 32-bit do the same. (r182001)
Unreviewed, VC found a bug. This fixes the bug. (r181998)
Heap variables shouldn't end up in the stack frame (r181993 complete)
Bytecode liveness analysis should have more lambdas and fewer sets (r181467)
DFG IR should refer to FunctionExecutables directly and not via the CodeBlock (r180993 partial)
BytecodeGenerator::constLocal() behaves identically to BytecodeGenerator::local() for the purposes of its one caller (r180723)
Varargs frame set-up should be factored out for use by other JITs (r179862 partial)
Keep only captured symbols in CodeBlock symbol tables. (r163337 partial)

Feb 14, 2018
============
[ES6] implement block scoping to enable 'let' (r186860 partial)
ClonedArguments should not materialize its special properties unless they are being changed or deleted (r196644)
In strict mode, `Object.keys(arguments)` includes "length" (r187017)
Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren(). (r185277)
Heap variables shouldn't end up in the stack frame (r181993 partial)
putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present (r228454)
[YarrJIT][ARM] We need to save r8 as it is the initial start register (r228436)

Feb 13, 2018
============
The error handler of ReadableJSStream should own stream object (r189196 revisited)
Make JSCells have 32-bit Structure pointers (r164764 partial)

Feb 13, 2018
============
Heap variables shouldn't end up in the stack frame (r181993 partial)
  => Passed JIT tests.

Feb 12, 2018
============
SVGCSSParser: m_implicitShorthand value is not reset after adding the shorthand property (r207471)
REGRESSION(r221292): svg/animations/animateTransform-pattern-transform.html crashes with security assertion (r226993)
[SVG] Leak in SVGAnimatedListPropertyTearOff (r221292)
[SVG] Leak in SVGAnimatedListPropertyTearOff (r219193 + r219217 rolled out + r219257 + r219264 rolled out + r219325 + r219327 rolled out + r219334 + r220484 rolled out)
REGRESSION: GuardMallloc crash in SVGListPropertyTearOff<SVGPointList>::processIncomingListItemWrapper (r197967 complete revisited)
WeakPtr functions crash when created with default constructor (r178615 partial)

Feb 09, 2018
============
put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object (r228193 partial)
REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy (r196367)
REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy (r195965)
Allow CachedResourceLoader clients to opt out of the MemoryCache. (r195770 revisited)
Cannot abort multiple XHR POSTs made to same url (r140174)
Refactor client removal in CachedResource::switchClientsToRevalidatedResource (r138958)
Failure to dispatch delegate callbacks if resource load fails synchronously (r126325 + r126373)
REGRESSION (r146540?): Crashes in storage/indexeddb/factory-basics-workers.html, storage/indexeddb/transaction-error.html (r146629)
IndexedDB: Ensure script wrappers can be collected after context is stopped (r146540)
IndexedDB: database connections don't close after versionchange transaction aborts (r142513)
[V8] IndexedDB: Minor GC can collect IDBDatabase wrapper with versionchange handler (r142483)
IndexedDB: IDBTransaction should manage lifetime of IDBRequests (r139518)
IndexedDB: Simplify transaction timers and event tracking (r135927)
IndexedDB: Move control of transaction completion to front end (r135332)
IndexedDB: Indexing tests are flaky-crashing (r134838)
IndexedDB: Indexing tests are flaky-crashing (r134685)

Feb 08, 2018
============
  => Passed JIT tests.

Feb 08, 2018
============
Do not paint border image when the border rect is empty. (r167694)
ASSERTION FAILED: x2 >= x1 in WebCore::RenderObject::drawLineForBoxSide (r167351)
box-shadows get truncated with a combination of transforms and clip: (affects Google Maps) (r164252)
Fix context save/restore mistake spotted in SVGInlineTextBox::paintTextWithShadows (r163286)
[Cocoa] Text shadow sometimes clipped unexpectedly (r200807 partial)
Repaint rect too small on elements with shadows (r148049)
When blocking localStorage, Firefox throws a security exception on access, and maybe so should we (r132183)

Feb 06, 2018
============
Fix bugs in 32-bit Structure implementation. (r165325 partial revisited)
It should be possible to jettison JIT stub routines even if they are currently running (r122166 revisited)
Global stringStructure caches its prototype chain, abandoning a web page (r97291 revisited)

Feb 05, 2018
============
RegExpMatchesArray doesn't know how to have a bad time (r197641 revisited)
The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell (r197622 revisitedd)
DFG should be able to compile StringReplace (r197520 revisited)
  => Passed JIT tests.

Feb 01, 2018
============
[DFG] Cleaning up and unifying 32bit code more (r226269 partial)
[DFG] Unify bunch of DFG 32bit code into 64bit code (r226261 partial)
ParseInt intrinsic in DFG backend doesn't properly flush its operands (r215387 revisited)
DFG::Node::convertToConstant needs to clear the varargs flags (r227053 revisited)

Jan 31, 2018
============
[Web IDL] interface objects should be Function objects (r196392 partially rolled out)

Jan 31, 2018
============
Unreviewed, register symbol structure to fix Debug build (r190927)
DFG::ByteCodeParser shouldn't call tryGetConstantProperty() with some StructureSet (r188292 partial revisited)
Structures used for tryGetConstantProperty() should be registered first (r188067 revisited)
DFG::freezeFragile should register the frozen value's structure (r186215 partial)
  => Passed JIT tests.
  
Jan 31, 2018
============
REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash (r172737 partial revisited)
[ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them (r170375)

Jan 30, 2018
============
[JSC] Relax line terminators in String to make JSON subset of JS (r227775)
Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate(). (r215885 partial)
Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it. (r214374 partial revisited)
Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks. (r214313)
JSArray::tryCreateUninitialized should be called JSArray::tryCreateForInitializationPrivate (r211110)
  => Passed JIT tests.

Jan 29, 2018
============
REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode() (r227742)
[JSC] Add primitive String support to compare operators (r199867)
Avoid backing store allocation with some combinations of replaced elements, masking and visibility:hidden (r173184)
Non-composited child RenderLayers cause allocation of unncessary backing store (r173181)
Adding a mask on a simple color compositing layer removes the content (r170306)
Images missing sometimes with composited clipping layers (r169053)
Direct pattern compositing breaks when no-repeat is set on a large layer (r150685)
WebProcess is crashing on http://achicu.github.io/css-presentation when direct pattern compositing is enabled (r150643)
Garbage at the top of http://www.technologyreview.com after scrolling (r149084)
Allow direct compositing of background images (r148172)
Fix debug assertion being triggered because we may access dirty normalFlowList. (r142815)
RenderLayer hasVisibleContent() has inconsistent semantics causing disappearing composited layers (r142012)
position:fixed that doesn't render any content should not force compositing (r141039)
[DFG] Remove GetLocalUnlinked (r225149)
Heap variables shouldn't end up in the stack frame (r181993 partial)

Jan 26, 2018
============
Relax builtin JS restriction about try-catch (r186260)

Jan 26, 2018
============
putDirectIndex does not properly do defineOwnProperty (r216279 partial revisited)
defineProperty on a index of a TypedArray should throw if configurable (r203096)
DFG call codegen should resolve the callee operand as late as possible (r179851)
  => Passed JIT tests.
  
Jan 25, 2018
============
Do all closed variable access through the local lexical object (r174226 revisited)
Don't use GPRResult unless you're flushing registers and making a runtime function call (r174090 revisited)

Jan 24, 2018
============
Insert store barriers late so that IR transformations don't have to worry about them (r184445 partial)
REGRESSION (r174025): Invalid cast in JSC::asString (r174121)
DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell (r174025 partial revisited)
DFG should have a separate StoreBarrier node (r160796 partial revisited)
PutGlobalVar should reference the global object it's storing into (r184367)
PutGlobalVar shouldn't have an unconditional store barrier (r183852)
RenderTableCell can't access its parent while in detached state. (r180174)
DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace (r189075 revisited)
[JSC] Use (x + x) instead of (x * 2) when possible (r188519)

Jan 23, 2018
============
DFG abstract interpreter needs to properly model effects of some Math ops (r227341)
[JSC] op_negate should with any type (r207369 partial)
DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid (r179863)
Immediate crash when setting JS breakpoint (r179015)
Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand. (r178143)
Add the lexicalEnvironment as an operand to op_get_argument_by_val. (r178106)
Add the lexicalEnvironment as an operand to op_create_arguments. (r178008)
REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html (r174359 revisited)
AI for CreateArguments should pass through non-SpecEmpty input values (r161574 revisited)
fourthTier: AbstractValue methods that deal with watchpoints should have access to Graph, so that in debug mode, Graph can track the history of watchpoint states and detect races (r153129 revisited)
  => Passed JIT tests.

Jan 19, 2018
============
Octane/regexp's Exec function should benefit from array length accessor inlining (r197542 rolled out)

Jan 18, 2018
============
DFG should inline binary string concatenations (i.e. ValueAdd with string children) (r146164 revisited)
DFG should hoist structure checks (r124404 revisited)
Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure (r222590 revisited)
JSObject::reifyAllStaticProperties cleanup (r201853 partial revisited)
DFG should have some obvious mitigations against watching structures that are unprofitable to watch (r186986 revisited)
Merge r170436 from ftlopt. (r171660 partial)
[ftlopt] Infer immutable object properties (r170855 partial revisited)
Structure bit fields should have a consistent format (r170436)
Move structureHasRareData out of TypeInfo (r169903)

Jan 17, 2018
============
The Abstract Interpreter needs to change similar to clobberize() in r224366 (r224426)
DFG needs to handle code motion of code in for..in loop bodies (r224366)
DFG::Node::convertToConstant needs to clear the varargs flags (r227053)
DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three (r179840)

Jan 16, 2018
============
DFG::StrCat isn't really effectful (r189075 revisited)
Introduce SymbolType into SpeculativeTypes (r184340)
TypeOf should be fast (r183724 complete revisited)
Move all of the branchIs<type> helpers from SpeculativeJIT into AssemblyHelpers (r183656 partial)
The CleanUp after LICM is erroneously removing a Check (r225966)
ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender() (r215852)
Minor fix to idx bounds check after 185954 (r185959)
REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689) (r185954)

Jan 15, 2018
============
Local CSE wrongly CSEs array accesses with different result types. (r215748)
DFG should not use or preserve Phantoms during transformations (r183497 partial)
[ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children (r171152)

Jan 15, 2018
============
[FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage (r217202 revisited)
cloberrize() is wrong for ArithRound because it doesn't account for the arith mode (r184541 complete revisited)
Constructor returning null should construct an object instead of null (r180587 partial revisited)
[ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects (r171106 partial revisited)
HashMap should have removeIf() (r171049)
[ftlopt] DFG::clobberize should be blind to the effects of GC (r169188)
  => Passed JIT tests.

Jan 12, 2018
============
IndexedDB: Free up resources used by completed cursors earlier (r129038)
IndexedDB: IDBRequest can be destructed during abort (r126361)
[JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case (r185240 partial revisited)

Jan 11, 2018
============
cloberrize() is wrong for ArithRound because it doesn't account for the arith mode (r184541 partial revisited)
[ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects (r171106 partial)
[JSC] Make the rounding-related nodes support any type (r205931 + r205974 rolled out + r206134)
[JSC] Improve ArithAbs with polymorphic input (r205112)
[JSC] Clean up the abstract interpreter for cos/sin/sqrt/fround/log (r204995)
[JSC] Make ArithLog works with any type (r204881)
[JSC] Make Math.cos() and Math.sin() work with any argument type (r204849)
[JSC] ArithSqrt should work with any argument type (r204670)
DFG abstract heaps should respect the difference between heap and stack (r180656)
ArithSqrt should not be conditional on supportsFloatingPointSqrt (r180085)
Eliminate Scope slot from JavaScript CallFrame (r178856 partial)
Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions (r172665 partial)
Our for-in caching is wrong when we add indexed properties on things in the prototype chain (r226767)
Fix exception handling for the baseline JIT. (r160656 partial revisited)
Fix Use details for op_create_arguments. (r177994)
Fix Use details for op_create_lexical_environment and op_create_arguments. (r177981)

Jan 10, 2018
============
Crash in operationNewFunction when scrolling on Google+ (r177871)
DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser should not pretend that it's a constant as that breaks OSR exit liveness tracking (r180989 partial revisited)
BytecodeGenerator shouldn't emit op_resolve_scope as a roundabout way of returning the scopeRegister (r180875)
Eliminate Scope slot from JavaScript CallFrame (r178856 partial)
Crash in JSScope::resolve() on tools.ups.com (r178629 revisited)
Fix broken build after r177146. (r177149)
REGRESSION: Use of undefined CallFrame::ScopeChain value (r177146)
Remove GetMyScope node from DFG (r176625)
Allocate local ScopeChain register (r176479)
Fix exception handling for the baseline JIT. (r160656 partial)
Use scope register when processing op_resolve_scope in LLInt and Baseline JIT (r175998)
Update scope related slow path code to use scope register added to opcodes (r175509 + r175512 rolled out + r175762)
Repatch code is passing the wrong args to lookupExceptionHandler. (r163274)
reentrant-caching sometimes fails with LLInt disabled (r162089)

Jan 09, 2018
============
ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter (r226650)
Change CallFrame::globalThisValue() to not use CallFrame::scope() (r176700)
Add scope operand to op_create_lexical_environment (r175845)
Change CallFrame::lexicalGlobalObject() to use Callee instead of JSScope (r175118)
Change CallFrame to use Callee instead of JSScope to implement vm() (r173706)
Create a JSCallee for GlobalExec object (r173636)
Remove unused CodeBlock::createActivation(). (r162845)
Reduce the precision of "high" resolution time to 1ms (r226495 partial)
performance.now() should truncate to 100us (r209462)
Make NetworkLoadTiming use double for higher precision in Resource Timing (r204736 partial)
Make the C Loop LLINT work with callToJavaScript. (r160186 partial)

Jan 08, 2018
============
Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions (r226489)
Add scope operand to op_new_func* byte codes (r176109)

Dec 22, 2017
============
GetPropertyEnumerator in DFG/FTL should not unconditionally speculate cell (r226208)

Dec 20, 2017
============
Typing is slow in Gmail on iPads (r185287)
REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()) (r203416)
Iterator loops over key twice after delete (r190923)
[JSC] JSPropertyNameEnumerator's property name vector should be sized-to-fit. (r185380)
DFG HasStructureProperty codegen should use one fewer registers (r174091)
Don't use GPRResult unless you're flushing registers and making a runtime function call (r174090 revisited)

Dec 19, 2017
============
Handle cases in StackVisitor::Frame::existingArguments() when lexicalEnvironment and/or unmodifiedArgumentsRegister is not set up yet (r175967)

Dec 19, 2017
============
Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin (r221470)
Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node. (r208560 partial)
Polymorphic operands in operators coerces downstream values to double. (r200606 partial)
[JSC] Get rid of NonNegZeroDouble, it is broken (r200502 partial)
  => Passed JIT tests.

Dec 19, 2017
============
Our for-in optimization in the bytecode generator does its static analysis incorrectly (r217438 revisited)

Dec 18, 2017
============
Math.min()/Math.max() with no arguments is lowered incorrectly in the BytecodeParser (r208496 revisited)
[DFG][FTL][B3] Support floor and ceil (r197380 partial revisited)
[JSC] Make the NegZero backward propagated flags of ArithMod stricter (r184220 revisited)
DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers. (r217156 + r217169 rolled out + r217179)
[DFG] Convert ValueAdd(Int32, String) => MakeRope(ToString(Int32), String) (r215472 rolled out)
Eliminate two large sources of temporary StringImpl objects. (r201645 revisited)
TypedArrays need more isNeutered checks. (r202982 partial)
[JSC] Optimize more cases of something-compared-to-null/undefined (r188624 revisited) 
Add "get scope" byte code (r175508)
Make Executable::clearCode() actually clear all of the entrypoints (r168459 partial)
Fix bugs in 32-bit Structure implementation. (r165325 partial revisited)
Don't speculate on ToThis if we already know that arg0 has a questionable record with structure checks (r163513 revisited)
op_to_this shouldn't use value profiling (r156468 revisited)

Dec 16, 2017
============
DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser should not pretend that it's a constant as that breaks OSR exit liveness tracking (r180989 partial revisited)
Change DFG to use scope operand for op_resolve_scope (r176005 rolled in)
Fix bugs in 32-bit Structure implementation. (r165325 partial revisited)

Dec 15, 2017
============
Change DFG to use scope operand for op_resolve_scope (r176005 rolled out)
Remove op_get_callee, it's unused (r180917)

Dec 14, 2017
============
r9 is volatile on ARMv7 for iOS 3 and up. (r180516)
[ARM] Add the necessary setupArgumentsWithExecState after bug141915 (r180515)
Scopes should always be created with a previously-created symbol table rather than creating one on the fly (r180514)
Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it (r180506)
Callee can be incorrectly overridden when it's captured (r188926 partial revisited)

Dec 13, 2017
============
Add scope operand to op_resolve_scope (r175471)
Add scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope (r175426)
Fixed the Inspector to be able to properly distinguish between scope types. (r174216 partial)
[ftlopt] Infer immutable object properties (r170855 partial revisited)
Functions should have initialization precedence over arguments. (r181353)
Simplified name scope creation for function expressions (r163321)
Code cache stores bogus var references for functions in eval code (r149836 revisited)

Dec 12, 2017
============
DFG inlining should be hardened for the no-result case (r217050)
Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object (r205205)
[JSC] Object.getOwnPropertyDescriptors should not add undefined props to result (r203747)
http://kangax.github.io/compat-table/esnext/ crashes reliably. (r198080 revisited)
Turn off Internal Function inlining in the DFG for super calls. (r194565)
Overflow propagation broken in BTT and RTL writing-modes (r167706)

Dec 11, 2017
============
Constructor calls set this too early (r217062 partial)
DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit. (r182745 partial)
Kraken/stanford-crypto-pbkdf2.js sometimes crashes with an OSR assertion in FTL (r202141)
AbstractValue should use the result type to filter structures (r199391)
[DFG] Drop unnecessary proved type branch in ToPrimitive (r197164 revisited)
REGRESSION(r180595): same-callee profiling no longer works (r184328 revisited)
Use "this" instead of "callee" to get the constructor (r180595 revisited)
<1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput') (r163789 revisited)

Dec 09, 2017
============
DFG should insert Phantoms late using BytecodeKills and block-local OSR availability (r183207 partial revisited)
REGRESSION (r174226): Header on huffingtonpost.com is too large (r178591 revisited)
Get rid of JSLexicalEnvironment::argumentsGetter (r180529)
REGRESSION(r178591): 20% regression in Octane box2d (r179202)
BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope. (r178926 revisited)
REGRESSION (r174226): Header on huffingtonpost.com is too large (r178591)
REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked (r177578)
slow_path_get_direct_pname() needs to be hardened against a constant baseValue. (r175724 revisited)
Various arguments optimisations in codegen fail to account for arguments being in lexical record (r174821)
Use a single allocation for the Arguments object (r174795 revisited)
REGRESSION(r174025): remote inspector crashes frequently when executing inspector frontend's JavaScript (r174749 revisited)
Make sure arguments tearoff is performed through the environment record if necessary (r174478)
Remove op_new_captured_func (r174401)
REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html (r174359)
tearoff_arguments should always refer to the unmodified arguments register (r174294)
Do all closed variable access through the local lexical object (r174226)
REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms. (r172838)
Stop implicitly skipping a function's own activation when walking the scope chain (r172808)
Update scope resolution to assume that the parent activation is always there (r172598)

Dec 08, 2017
============
Rename activation to be more in line with spec language (r173517)
Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec (r173490)
[JSC] "return this" in a constructor does not need a branch on isObject(this) (r200992)
[JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL (r197155)
REGRESSION(r180595): same-callee profiling no longer works (r184123 + r184152 + r184328 revisited)
Stores to local captured variables should be intercepted (r159943 revisited)

Dec 07, 2017
============
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 revisited)

Dec 06, 2017
============
[JSC] Don't reference the properties of @Reflect directly (r198192)
[ES6] Make Object.assign spec compliant (r198052)
[ES6] Implement Reflect.getOwnPropertyDescriptor (r188529)
Origin header is not included in CORS requests for preloaded cross-origin resources (r201930 partial)
Initial Link preload support (r199650 partial)
Allow CachedResourceLoader clients to opt out of the MemoryCache. (r195770)
Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround. (r185768)

Dec 05, 2017
============
Fix all ExceptionScope verification failures in JavaScriptCore. (r221849 partial revisited)
ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *) (r203012)
Avoid duplicate computations of ExecState::vm(). (r221822 partial)
Make FunctionRareData allocation thread-safe (r183212 partial)

Dec 04, 2017
============
We should be able to lookup symbols by identifier in builtins (r201825 partial revisited)
REGRESSION(r194394): >2x slow-down on CDjs (r198171)
[ES6] Implement @@search (r196498)
[INTL] Implement String.prototype.localeCompare in ECMA-402 (r194394)
[Fetch] Align Accept header default values with fetch spec (r206206)
JavaScriptCore: missing exception checks in Math functions that take more than one argument (r225443)
Having a bad time needs to handle ArrayClass indexing type as well (r225423)
test262: Unexpected passes after r222617 and r222618. (r222638)
Add missing exception checks and book-keeping for exception check validation. (r222617 partial)
Missing exception check in JSObject::hasInstance (r219451 partial)
Add missing exception check. (r217157 partial)
Fix missing exception checks in Interpreter.cpp. (r214005 partial)
Fix missing exception checks in DFGOperations.cpp. (r208913 partial)
JSFunction::put() should not allow caching of lazily reified properties. (r208018 partial revisited)
StringView should have find(StringView, start). (r184867)
Don't hold on to parameterBindingNodes forever (r167964 + r168107 rolled out)

Dec 03, 2017
============
ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly. (r217429 partial)
Add missing exception checks detected by running marathon.js. (r212779 revisited)
some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct (r202588 revisited)
AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself (r196497)
[ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore. (r170724)

Dec 01, 2017
============
DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks (r188764 revisited)
Crash on SES selftest page when loading the page while WebInspector is open (r196760)
re-inline ObjectAllocationProfile::initializeProfile (r223727)
Remove FetchBody::m_isEmpty (r206737)
[ES6] Add support for Symbol.toPrimitive (r197531 revisited)
DFG should have adaptive structure watchpoints (r187780 partial)
[DFG][FTL] operationHasIndexedProperty does not consider negative int32_t (r225342)
test262: test262/test/built-ins/isNaN/toprimitive-not-callable-throws.js (r215402)
[ES6] Add support for Symbol.toPrimitive (r197531 partial revisited)

Nov 30, 2017
============
Avoid 2 times name iteration in Object.assign (r187363)
Implement `Object.assign` (r183199)
Object.getOwnPropertySymbols on large list takes very long (r187355)
Remove unused things from PropertyNameArray. (r184050)
Implement `Object.is` (r183006)
[JSC] allow duplicate property names returned from Proxy ownKeys() trap (r198531 partial)
[ES6] Implement Reflect.enumerate (r187483)
Rename PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols (r187440)
Unreviewed, fix the debug build due to touching the non-declared variable in ASSERT (r187409)
[ES6] Implement Reflect.ownKeys (r187408 revisited)
Introducing construct ability into JS executables (r187205 revisited)
[ES6] Introduce %IteratorPrototype% and drop all XXXIteratorConstructor (r185577)
Implement ES6 Object.getOwnPropertySymbols (r182343)
Upgrade ES6 Iterator interfaces (r181077 revisited)
REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated (r181891)

Nov 29, 2017
============
Remove JSPropertyNameIterator (r171614)
Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure (r222590 revisited)
Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under slow_path_get_direct_pname (r216593)
We allow assignments to const variables when in a for-in/for-of loop (r204586 partial)
We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols (r203793)
We should not crash there is a finally inside a for-in loop (r202608)
REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result (r172962)
REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests. (r172959)
REGRESSION(r172401): for-in optimization no longer works at all (r172794)
Re-landing r172401 with fixed test. (r172413)
for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests (r172216)
We are missing places where we invalidate the for-in context (r219209)
Our for-in optimization in the bytecode generator does its static analysis incorrectly (r217438)
HasIndexedProperty clobberize rule is wrong for Array::ForceOSRExit (r206955)
[JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case (r185240 revisited)
Clean up EnumerationMode to easily extend (r182280)
Refactor our current implementation of for-in (r171605)
AST incorrectly conflates readable and writable locations (r166243)

Nov 28, 2017
============
Custom GetterSetterAccessCase does not use the correct slotBase when making call (r222671 partial)
DFG doesn't properly handle a property that is change to read only in a prototype (r218203)
[Re-landing] CachedCall should let GC know to keep its arguments alive. (r212618 + r212665 rolled out + r216292 partial)
REGRESSION (r206221): [USER] com.apple.WebKit.WebContent.Development at com.apple.JavaScriptCore: vmEntryToJavaScript + 299 (r206359)
Object.getOwnPropertyDescriptor() does not work correctly cross origin (r206221)
assignments in for-in/for-of header not allowed (r198144)
Assignment to new.target should be an early error (r197947)
Prevent cross-origin access to Location.assign() / Location.reload() (r197263)
Implement Proxy [[Get]] (r196722 partial)
Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset (r195462)
	
Nov 27, 2017
============
Regression(r191815): 5.3% regression on Dromaeo JS Library Benchmark (r192321 partial revisited)
Regression(r191815): 5.3% regression on Dromaeo JS Library Benchmark (r192321 rolled out)
[ES6] Add support for toStringTag (r191864 revisited)
String#startsWith/endsWith/includes don't handle Infinity position/endPosition args correctly (r183694)
Implement String.codePointAt() (r183141)
String.prototype.startsWith/endsWith/includes have wrong length in r182673 (r182872)
Regression(r173761): ASSERTION FAILED: !is8Bit() in StringImpl::characters16() (r181105)
Implement ES6 StringIterator (r181084)
Investigate the character type of repeated string instead of checking is8Bit flag (r178098)
Implement ES6 String.prototype.repeat(count) (r177978)
String includes methods perform toString on searchString before toInt32 on a offset (r177856)
Rename String.prototype.contains to String.prototype.includes (r176404)
Simple ES6 feature:String prototype additions (r173761)

Nov 25, 2017
============
ES6: Classes: Program level class statement throws exception in strict mode (r181973 complete)
ES6 Classes: Extends should accept an expression without parenthesis (r181724)
Support spread operand in |new| expressions (r166392 revisited)
Built-in functions should know that they use strict mode (r181664)

Nov 24, 2017
============
Crash for non-static super property call in derived class constructor (r200191)
[ES6] Support subclassing Function. (r195070 rolled out)
ES6: Classes: Program level class statement throws exception in strict mode (r181973 partial)
Revert changes in bug#160417 about extending `null` not being a derived class (r204058 revisited + r218581)
Extending undefined in class syntax should throw a TypeError (r183759)
eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor (r182198)
update a class extending null w.r.t the ES7 spec (r204058)
Upgrade Map, Set and WeakMap constructor interface (r181333)

Nov 23, 2017
============
[[Set]] should be properly executed in JS builtins (r183117)
calling methods off super in a class constructor should check for TDZ (r196361)
[ES6] Class parser does not allow methods named set and get. (r188018)
Introducing construct ability into JS executables (r187205 revisited)
ToT WebKit crashes while loading ES6 compatibility table (r183912)
new super should be a syntax error (r183757)
Class syntax should allow string and numeric identifiers for method names (r183709)
Class body ending with a semicolon throws a SyntaxError (r183383)
ES6 class syntax should allow static setters and getters (r182218)
Support spread operand in |new| expressions (r166392)
ES6 classes: When a class extends B, super() invokes B.prototype.constructor() instead of B() (r190847)
Extending null should set __proto__ to null (r182171)
ES6: Classes: Program level class statement throws exception in strict mode (r181973 partial)
Improve error messages in JSC (r181889 partial)
Create activations eagerly (r172594)
Add support for the new.target syntax. (r187108)
WebContent Crash when instantiating class with Type Profiling enabled (r182050)
ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance (r181924)
parseClass should popScope after pushScope (r181503)

Nov 22, 2017
============
Add support for default constructor (r181611)

Nov 21, 2017
============
[Fetch API] Fetch ReadableStream should only clone the second branch (r208039)
[Readable Streams API] Implement generic reader functions (r206912)
[Readable Streams API] Align function names with spec (r206814)
[Streams API] Align cancelReadableStream() with spec (r206508)
[Fetch API] Remove ReadableStreamSource firstReadCallback (r206423)
Reduce number of Structures created at startup. (r195528 revisited)
[ES6] Use specific functions for @@iterator functions (r182911)
Completed iterator can be revived by adding more than one new entry to the target object (r172707)
Implement Set iterators (r159031)
Add Map Iterators (r159008)
Support iteration of the Arguments object (r158793 revisited)
REGRESSION(r180595): same-callee profiling no longer works (r184123 + r184152 rolled out + r184328)
Use "this" instead of "callee" to get the constructor (r180595)

Nov 20, 2017
============
"this" should be in TDZ until super is called in the constructor of a derived class (r181466)
[JSC] Generate put_by_val_direct for indexed identifiers instead of put_by_id with direct postfix (r184859 revisited)
Getter or setter method named "prototype" or "constrcutor" should throw SyntaxError (r183382)
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r182452 revisited)
"static" should not be a reserved keyword in non-strict mode even when ES6 class is enabled (r181419)
ES6: Object Literal Extensions - Methods (r181183 revisited)
__proto__ shorthand property should not modify prototype in Object Literal construction (r181179)
Implement ES6 class syntax without inheritance support (r179371)
Add a build flag for ES6 class syntax (r178954)
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r178894 + r178928 rolled out)
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r178751 + r178756 rolled out)
Reduce the mass templatizing of the JS parser (r160383 partial)
[Fetch API] Add support for URLSearchParams body (r206632)
Iterating over URLSearchParams does not work (r210593)
Fix occasional using uninitialized memory crashes after r206168. (r206179)
Make URLSearchParams spec-compliant (r206168)
Implement URLSearchParams (r205893)
Simplify valueToUSVString (r204228)
[Web IDL] Add support for USVString type (r204215)
autocapitalize attribute should not use [TreatNullAs=LegacyNullString] (r203427)
form.enctype / encoding / method should treat null as "null" string (r203401)
JSDOMIterator forEach should support second optional parameter (r202334)
Rename JSKeyValueIterator as JSDOMIterator (r200411 partial)
Drop [TreatNullAs=EmptyString] from URL interface attributes (r197507)
Drop [TreatNullAs=LegacyNullString] from HTMLBaseElement.href (r197494)
Refactor DOM Iterator next signature (r196973)
Binding generator should support key value iterable (r196900 partial)
Remove DOMWrapped parameter from JSKeyValueIterator (r196170 partial)
Give StringView a utf8() API. (r184617)

Nov 17, 2017
============
Introducing construct ability into JS executables (r187205)
Make Builtin functions non constructible (r182995)
Class constructor should throw TypeError when "called" (r181490)
Calling super() in a base class results in a crash (r181404)
Support extends and super keywords (r181293)
test262: @isConstructor incorrectly thinks Math.cos is a constructor (r207347)
URLParser: Handle \ in paths of special URLs according to spec (r205684)
URLParser: Parsing empty URLs with a base URL should return the base URL (r205679)
URLParser failures should preserve the original input string (r205678)
URLParser should parse URLs with a user but no password (r205677)
URLParser should parse ports after IPv4 and IPv6 hosts (r205669 + r205671)
URLParser should correctly handle \ in path (r205668)
URLParser should handle URLs with empty authority (r205667)
Re-land r205580 after r205649 fixed the test failures (r205650)
Add range check in URLParser's serializeIPv6 (r205649)
Implement relative file urls and begin implementing character encoding in URLParser (r205493)
URLParser should parse file URLs (r205390)
Avoid unneeded string copy when parsing URL hosts (r205318)
URLParser should handle . and .. in URL paths (r205312)
Implement IPv6 parsing in URLParser (r205273)
URLParser should handle relative URLs that start with // (r205194)
URLParser should parse about:blank (r205147)
API test URLParserTest.ParserFailures failing ASSERT_NOT_REACHED (r205128)
URLParser should parse relative URLs (r205097)
[ES6] newPromiseCapabilities should check the given argument is constructor (r205027)
URLParser should parse IPv4 addresses (r204701)
URLParser should parse URLs without credentials (r204544)
Make URLParser work with URLs missing URL parts (r204431)
Initial URLParser implementation (r204417)
Add URLParser stub (r204380)
Addressing post-review comments after r203119 (r203208)
Relax ordering requirements on StringView::CodePoints iterator (r203119)
[JSC] Array.from() and Array.of() try to build objects even if "this" is not a constructor (r203101)
We should be able to lookup symbols by identifier in builtins (r201825 partial)
ES6: Implement String.prototype.split and RegExp.prototype[@@split]. (r199393 + r199502 partial)
JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData (r196959 partial)
[ES6] Array.from need to accept iterables (r183357)
[ES6] Enable Symbol in web pages (r182653 partial)
Support modern for loops over StringViews (r174271)
Function.bind itself is too slow (r167272 + r167297)
Rewrite Function.bind as a builtin (r167020 + r167165 + r167199 + r167313 + r167251)

Nov 16, 2017
============
JSRopeString::RopeBuilder::append() should check for overflows. (r224055 revisited)
Fix exception scope verification failures in runtime/Operations.cpp/h. (r209030)
Error description code should be able to handle Symbol values. (r208410)
Improve Symbol() to string coercion error message (r200402)
Regression(r191815): 5.3% regression on Dromaeo JS Library Benchmark (r192321 partial)
[ES6] Implement Symbol.unscopables (r182225)

Nov 15, 2017
============
We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments. (r224735)
REGRESSION (r197531): JavaScriptCore ASan build fails due to weak external symbol (r197590)
[ES6] Add support for Symbol.toPrimitive (r197531 partial)
NodeList has issues with Symbol and empty string (r183589 revisited)
[ES6] Add support for toStringTag (r191815 + r191821 + r191863 + r191864)
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 revisited)
Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters (r182577)
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 revisited)
Insert exception check around toPropertyKey call (r182057 partial)
REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83 (r181814 revisited)
Implement ES6 Symbol (r179429)
Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint (r178224)
Crash beneath operationTearOffActivation running this JS compression demo (r165999 partial)
Small cleanup of empty string (r165906)

Nov 14, 2017
============
removing FetchBoyd::m_type (r206708)
The memory consumption of DFG::BasicBlock can be easily reduced a bit (r224689)
[Streams API] Align internal structure of ReadableStream with spec (r205289)
[Fetch API] Response bodyUsed should check for its body disturbed state (r205251)
[Fetch API] Response cloning should structureClone when teeing Response stream (r205117)
[Fetch API] Ensure response cloning works when data is loading (r205110)
Array#reduce and reduceRight don't follow ToLength (r185038)
ES6: Implement Math.sign() (r171278)
iOS 8 beta 2 ES6 'Set' clear() broken (r170517)
Simple ES6 feature:Array.prototype.fill (r167380)
Partial Information Leakage in Hash Table implementations (PrivateName) (r155560)
XHR should only fire an abort event if the cancellation was requested by the client (r220731)
[Fetch API] Add support for BufferSource bodies (r205115)
[Fetch API] Opaque responses should not have any body (r205082)
Implement redirect support post CORS-preflight (r204795)
cross-origin requests redirected fail or drop author requested headers (r204693 complete revisited)
DocumentThreadableLoader should pass the fetch mode to underlying loader code (r204117)
Remove didFailAccessControlCheck ThreadableLoaderClient callback (r202542)
Remove didFailRedirectCheck ThreadableLoaderClient callback (r202480)
Introduce ResourceErrorBase::type (r201856)
Port blocking bypass issue using 307 redirect (r194666)
Report error when main resource is blocked by content blocker (r190611 partial)
Implement Number.prototype.clz() (r165047)

Nov 13, 2017
============
[Fetch API] Add support to ReferrerPolicy (r204019)
Add basic caching for Document.cookie API (r174190)
Regression(r201805): Crash with <use> resource that has Vary header (r202985)
WebKit memory cache doesn't respect Vary header (r201800 + r201801 + r201805)
Respect cache-control directives in request (r182059)
Add support for sessions to MemoryCache. (r165013 + r165027 + r165117 partial)
Do not reuse cache entries with conditional headers (r200326)
Make SessionID use intHash (r194213)
Cached "Expires" header is not updated upon successful resource revalidation (r182157)
Move CacheValidation to platform (182064)
Do not attempt to revalidate cached main resource on back/forward navigation (r178012 revisited)
Rename WebContext to WebProcessPool (r177692 partial)
Notify Settings object when its Page object goes away. (r175348)
Create SessionID value-style class for session IDs. (r164726)
REGRESSION(r158333): http/tests/xmlhttprequest/response-encoding.html and xmlhttprequest-overridemimetype-content-type-header.html are failing (r158362)
Revalidation header blacklisting should be case-insensitive. (r155203)
Entity-header extension headers honored on 304 responses. (r142068)
Update Fetch to use enum class instead of string for enumerations (r200313)
Strip out Referer header when requesting subresources or following links for documents with "Content-Disposition: attachment" (r193983 + r193995 + r194001)
Do not enforce "content-disposition: attachment" sandbox restrictions on a MediaDocument (r188062)
Do not enforce "content-disposition: attachment" sandbox restrictions on a MediaDocument (r188051)
[iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment (r186982)
Add preference to disable all http-equiv. (r186232)
Add API to disable meta refreshes. (r183632)
Referrer Policy: Update <meta name="referrer"> values to match the spec (r174640)
Update meta-referrer behavior for invalid policies (r164866)
[iOS] Upstream WebCore/dom changes (r160679 partial)
REGRESSION (r141981): Crash when closing a Google Docs document (r148310)
Take referrer policy into account when clearing the referrer header (r141981)

Nov 10, 2017
============
Response.blob() does not set the content-type based on the header value. (r215814 + r215842 rolled out)
cross-origin requests redirected fail or drop author requested headers (r204693)
[Fetch API] Fetch promises should not reject or resolve when ActiveDOMObjects are being stopped (r204020)
CrossOrigin preflight checker should compute the right Access-Control-Request-Headers value (r203899)
Compute fetch response type in case of cross-origin requests (r203815)
Remove RequestOriginPolicy from ResourceLoaderOptions (r202821)

Nov 09, 2017
============
[Fetch API] Activate credentials mode (r203900)
CSP: Ignore paths in CSP matching after redirects (r199612)
CSP: Move logic for reporting a violation from ContentSecurityPolicyDirectiveList to ContentSecurityPolicy (r198657)
CSP: Simplify logic for checking policies (r198613 partial)
CSP: Make violation console messages concise and consistent (r198591)
CSP: Should only execute <script> or apply <style> if its hash appears in all policies (r198551)
CSP: Enable plugin-types directive by default (r197038)
CSP: Enable form-action directive by default (r196892)
CSP: ws: and wss: blocked with connect-src * (r209789)
Cleanup: Remove the need to pass reporting status to ContentSecurityPolicy functions (r198379)
Pass SecurityOrigin as references in CORS check code (r202674 partial)
CSP: Content Security Policy should allow '*' to match the originating page's scheme (r202155)
Fix AtomicString regression caused by r201603. (r201637 partial)
Overhaul cross-thread use of ResourceRequest, ResourceResponse, and ResourceError. (r201603 partial)
CSP: Nested browsing context created for <object> or <embed> should respect object-src directive (r199527)
REGRESSION (r197724): <object>/<embed> with no URL does not match source * (r198936)
REGRESSION (r197724): [GTK] Web Inspector: Images being blocked by CSP 2.0 (r198201 + r198334 rolled out)
CSP: Implement frame-ancestors directive (r197972)
CSP: Source '*' should not match URLs with schemes blob, data, or filesystem (r197724)
CSP: Make SecurityPolicyViolationEvent more closely conform to CSP spec and enable it by default (r197118)
CSP: Enable base-uri directive by default (r197007)
CSP: Violation report should include column number (r196877)
CSP: Violation report should include HTTP status code and effective-directive of protected resource (r196876)
CSP: report-url directive should be ignored when contained in a policy defined via a meta element (r196875)
CSP: sandbox directive should be ignored when contained in a policy defined via a meta element (r196874)
CSP: 'sandbox' should be ignored in report-only mode (r196582)
CSP: Implement child-src directive (r196526)
Rename *Event::create* which creates events for bindings to *Event::createForBindings* and cleanup corresponding paths (r196400 partial)
Content Security Policy error message when frame load is blocked does not read well (r185912)
CSP 1.1: Remove 'type' parameter from CSPDirectiveList::checkSourceAndReportViolation. (r147346)
CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports. (r146758 revisited)
Cleanup: Tiny nits in ContentSecurityPolicy::reportViolation. (r146755)
CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur. (r146520 revisited)
CSP 1.1: Add 'effective-directive' to violation reports. (r146137)
CSP logging: Be more developer-friendly when 'default-src' is violated. (r129572)
CSP reports should send an empty "blocked-uri" rather than nothing. (r129168)
CSP reports should send an empty 'referrer' rather than nothing. (r129150)

Nov 08, 2017
============
Make ResourceLoaderOptions derive from FetchOptions (r202741 revisited)
Remove ThreadableLoaderOptions origin (r202614)
Pack ResourceError harder. (r161955)
CSP connect-src directive should block redirects (r196283)
REGRESSION (r182866): repeated prompts for password on internal Apple website using workers (r186592)
ThreadableLoaderOptions::isolatedCopy() doesn't produce a copy that is safe for sending to another thread (r184657)
No thread safety when passing ThreadableLoaderOptions from a worker thread (r182866)
CSP: Allow Web Workers initiated from an isolated world to bypass the main world Content Security Policy (r196242)
Fix null pointer dereference in WebSocket::connect() (r190588)
Remove support for SharedWorkers (r178310 partial)
REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self' (r200030 partial)
CSP: Support checking content security policy without a script execution context (r196012)
CSP 1.1: Schemeless source expressions match HTTPS resources on HTTP sites. (r146141)
CSP: Throw a warning when a '*-report-only' header doesn't contain a 'report-uri' directive. (r144566)
Pause inspector when inline scripts are blocked by Content Security Policy. (r128703)
JSC should throw a more descriptive exception when blocking 'eval' via CSP. (r128670)

Nov 07, 2017
============
We should trigger a console warning when we encounter invalid sandbox flags. (r134766)
crossorigin element resource loading should check HTTP redirection (r198395)
CSP: Use the served CSP header for dedicated workers (r195948)
CSP 1.1: Support CSP 1.1 directives on the unprefixed header. (r144571)
[Fetch API] Request construction failure should not set "bodyUsed" (r205253)
[Fetch API] Add support for fetch mode, in particular cors (r203732)
Remove crossOriginRequestPolicy from ThreadableLoaderOptions (r203490)
Make ResourceLoaderOptions derive from FetchOptions (r202741 partial)
CrossOriginPreflightChecker should call DocumentThreadableLoader preflightFailure instead of didFailLoading (r202336)
CORS preflight with a non-200 response should be a preflight failure (r202162)
Move preflight check code outside of DocumentThreadableLoader (r201924 partial)

Nov 06, 2017
============
[Fetch API] Blob type should be set from Response/Request contentType header (r205076)
[Fetch API] Response.blob should not assert in case the created blob is empty (r204171)
[Fetch API] Fetching with a FormData body should reject until it is implemented (r204225)
[ES6] Implement Reflect.defineProperty (r188361)
[ES6] Implement Reflect.has (r188264)
[ES6] Implement Reflect.getPrototypeOf and Reflect.setPrototypeOf (r188262)
[ES6] Implement Reflect.preventExtensions (r187479)
[ES6] Implement Reflect.isExtensible (r187410)
[ES6] Implement Reflect.ownKeys (r187408)
[ES6] Implement Reflect.apply (r187407)
[ES6] Add Reflect namespace and add Reflect.deleteProperty (r187401)
ES6: Implement Object.setPrototypeOf (r184642)
POST request on a blob resource should return a "network error" instead of HTTP 500 response (r201557)
Builtins that should not rely on iteration do. (r196949)
Memcache migth not be pruned when it should for https pages (r170504)
Crash in WebCore::SubresourceLoader::releaseResources when connection fails (r150867 revisited)
CORS preflight broken with NetworkProcess (r142936)
Remove incorrect ASSERT for m_error in CachedResource (r137028 revisited)
Remove some CachedResource::Status's in favor of looking at CachedResource::m_error (r133130)
Fix weird use of KURL's protocolIs (r130586)
Avoid ASSERT(m_workerContext->isSharedWorkerContext()) in WorkerScriptController::initScript() (r125120)

Nov 03, 2017
============
[Fetch API] Request should be created with any HeadersInit data (r203641 + r203642 rolled out + r203675)
Generate WebCore builtin wrapper files (r202975 partial)
Remove forEach use from Fetch Headers builtin constructor (r198889)
[Fetch API] Fetching with a FormData body should reject until it is implemented (r204225 partial)
[Fetch API] Fetch API should strip fragment and credentials from URLs used as referrer (r204224)
Fetch Response built-ins should use @makeThisTypeError (r203961)
[Streams API] Replace ReadableStreamController by ReadableStreamDefaultController (r203818)
[Streams API] Use makeThisTypeError in ReadableStreamDefaultReader.js (r203814)
[Streams API] Replace ReadableStreamReader by ReadableStreamDefaultReader (r203772)
[Fetch API] Response constructor should be able to take a ReadableStream as body (r203719 + r203726 rolled out + r203767)
JS Built-ins should throw this-error messages consistently with binding generated code (r203766)
[Fetch API] Add a JS builtin to implement https://fetch.spec.whatwg.org/#concept-headers-fill (r203445)
[Streams API] Make ReadableStream properties not enumerable (r203402)
[Fetch API] Request and Response url getter should use URL serialization (r203221)
Make use of PrivateIdentifier to simplify Fetch Headers built-in checks (r203029)
[Fetch API] Response constructor should throw in case of bad reason phrase (r202910)
[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values (r202680 partial)

Nov 02, 2017
============
[Fetch API] Fetch response stream should enqueue Uint8Array (r203637)
Use a private property to implement FetchResponse.body getter (r203632)
FetchResponse should return a ReadableStream even if disturbed (r200235)
[Fetch API] Response should not become disturbed on the ReadableStream creation (r203162)
[Fetch API] Response.redirect should throw a RangeError in case of bad status code (r202909)
Binding generator should generate accessors for constructors safely accessed from JS builtin (r202551)
Add bindings generator support to add a native JS function to both a 'name' and a private '@name' slot (r202275 partial)
[Fetch API] Implement Fetch redirect mode (r201324)
[IDL] Extend support for [EnabledAtRuntime] attributes / operations to all global objects, not just Window (r199103 partial)
Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings (r199017 partial)
The parser doesn't properly protect against global variable references in builtins (r196525 revisited partial)
[Fetch API] Consume HTTP data as a ReadableStream (r199641)
[Streams API] Refactor builtin internals to prepare support for streams API in worker (r194960)

Nov 01, 2017
============
[Streams API] ReadableStream should throw a RangeError in case of NaN highWaterMark (r203347)
[Streams API] Expose ReadableStream and relatives to Worker (r194033 + r194391 + r195101)
[Streams API] In RS during enqueuing error should be reported only if readable (r194391)
[Streams API] Directly use @then as much as possible (r194035)
JSC Builtins should use safe array methods (r193899 partial)
[Streams API] pipeThrough test failing (r193832)
[Streams API] pull function of tee should call readFromReadableStreamReader directly (r192879)
[Streams API] Clean-up JS built-in code using arrow functions (r192878)
[Streams API] teeReadableStream should not directly use stream.getReader() (r192877)
[Streams API] streams should not directly use Number and related methods (r192874)
[Streams API] Remove use of @catch for exposed promises (r192865)
[Streams API] Implement pipeTo method in readable Stream (r192765)
[Streams API] Implement IsReadableStreamDisturbed according to spec (r192621)
[Streams API] Update the implementation up to spec of Nov 11 2015 (r192466)
[Streams API] Remove bind usage (r192309)
[Streams API] Fix style issues (r192246)
[Streams API] Activate assertions (r192160 partial)
[Streams API] Shield promises when prototype is replaced from a promise (r192207)
[Streams API] Shield implementation from mangling then and catch promise methods (r192157)
[Streams API] Shield implementation from user mangling Promise.reject and resolve methods (r192057)
[Streams API] Shield streams against user replacing the Promise constructor (r192021)
[Streams API] Vended promise capabilities should not need @resolve/@reject fields (r191956)
[Streams API] Rework promises to use @newPromiseCapability (r191950)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 partial revisited)
Disable outdated WritableStream API (r215429 partial)
ASSERTION FAILED: promise.inherits(JSPromise::info()) (r205729 revisited)
[Streams API] Turn WS states into integers and fix state initialization (r191730)
Builtins generator should emit ENABLE(FEATURE) guards based on @conditional annotation (r191687 partial)
Audit WebCore builtins for user overridable code (r198776)
The parser doesn't properly protect against global variable references in builtins (r196525 partial)
[Streams API] Add write method to writable stream (r191669)
[Streams API] Add close method to writable stream (r191622)
[Streams API] Implement abort method on writable streams (r191584)
[Streams API] Add writable stream attributes (r191446)
[Streams API] Construct a writable stream (r191383)
[Streams API] Rework some readable stream internals that can be common to writable streams (r191335)
[Streams API] Add skeleton for initial WritableStream support (r191283)
Add InternalPromise to use Promises safely in the internals (r188681)
Introduce non-user-observable Promise functions to use Promises internally (r188603)
Remove CompoundType and LeafType (r170129)

Oct 31, 2017
============
[Streams API] Implement ReadableStream tee (r191285)
[JSC] Introduce BytecodeIntrinsic constant rep like @undefined (r196022 partial)
Automate WebCore JS builtins generation and build system (r190794 partial)
Migrate streams API to JS Builtins (r190608)
[Streams API] Add support for private WebCore JS builtins functions (r190401)
Fixing several incorrect assumptions with handling isolated inlines. (r162956)
[CSS Shapes] Match adjustLogicalLineTopAndLogicalHeightIfNeeded's implementation with Blink's (r157820)
[CSS Shapes] Use the floatingObject's logical coordinates to determine its size in computeLogicalLocationForFloat (r157318)
[CSS Shapes] Clip shape-outside to the bottom of the margin box (r157186)
[CSS Shapes] Support block content with inline content around floats in shape-inside (r156846)
Properly handle bottom margin on float with shape-outside (r156346)
Redrawing issue with inserting new inline element between existing inline elements (r136513)

Oct 30, 2017
============
[Streams API] Create ByteLengthQueuingStrategy object as per spec (r190394)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 revisited)
Remove the need for DOMClass in case of JSBuiltinConstructor WebIDL (r190239 revisited)
[Streams API] Add support for JS builtins constructor (r190198)
[Streams API] Implement ReadableStream pipeThrough (r190155)
Shrink RenderInline. (r159038)
[CSS Shapes] Modify updateSegmentsForShapes function to use logical coordinates (r156364)
Move logicalHeightForLine out of LineWidth.h (r156197)
Move LineWidth out of RenderBlockLineLayout (r155565)
Simplify the ShapeOutsideInfo and ShapeInfo interfaces (r156176)
Fix handling of top margin on float with shape-outside (r156106 revisited)
[CSS Shapes] Use the float height to determine position in shape-inside (r156022)
LayoutUnit::epsilon shouldn't be necessary to place floats (r143375)
[CSS Exclusions] Floats should respect shape-inside on exclusions (r137920)
REGRESSION (r155854 - r155967) block with margin-left adjacent to floated block causes text of subsequent blocks to overlap the floated block. (r156075)
[ARMv7] Fix initial start register support in YarrJIT (r224172)
Remove code now unnecessary after r159575 (r159758)
Move float logical location/dimension methods to RenderBlockFlow (r157197)

Oct 28, 2017
============
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 5) (r157705 complete)
Get rid of static map for marking ancestor line boxes dirty (r156639)
Focus ring for a child layer is incorrectly offset by ancestor composited layer's position (r144350)
Remove RenderBlock::paintEllipsisBoxes (r126335)

Oct 27, 2017
============
[Streams API] Update implementation with the latest spec (r188580)
[Streams API] ReadableStreamReader closed promise should use CachedAttribute (r188209)
[Streams API] Create CountQueuingStrategy object as per spec (r188127)
Create [CustomBinding] extended IDL attribute (r188119)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 4) (r157683)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 3) (r157677)
Crash in RenderTable::calcBorderEnd (r127206)
Remove RenderTableSection::removeChild (r126590)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 2) (r157674)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 1) (r157662)
[Streams API] Templating ReadableJSStream (r186740)
[Streams API] Remove ReadableStreamReader.read() custom binding (r186414)
[Streams API] Implement ReadableStream js source "'cancel" callback (r185872)
Move line grid functionality from RenderBlock into RenderBlockFlow. (r156557)
IteratorClose should be called when jumping over the target for-of loop (r182226)

Oct 26, 2017
============
JSRopeString::RopeBuilder::append() should check for overflows. (r224055 partial)
REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum (r224072)
REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match (r222601 rolled in)
Nested parenthesized regular expressions with non-zero minimum counts appear to hang and use lots of memory (r210837 rolled in)
  Regression on http://peacekeeper.futuremark.com/
  /:((?:[\w\u00c0-\uFFFF\-]|\\.)+)(?:\((['"]?)((?:\([^\)]+\)|[^\(\)]*)+)\2\))?/.exec(":contains('Sega')")
Fix all ExceptionScope verification failures in JavaScriptCore. (r221849 partial)
[Streams API] Remove ReadableStream custom constructor (r186323)
Don't force CharacterData to override getOwnPropertySlot. (r169829)

Oct 25, 2017
============
RenderLayerModelObject shouldn't need a pre-destructor hook. (r175475 revisited)
Remove RenderObjectChildList (r156278)
Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects. (r142760 revisited)
[Streams API] Remove ReadableStream and Reader cancel() custom binding (r186257)
[Streams API] Remove ReadableStreamController.enqueue() custom binding (r186231)
[Streams API] Synced bad strategy test with reference implementation (r186112)
Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue (r186076)
[Streams API] Add support for chunks with customized sizes (r186044)
Use FINAL instead of virtualChildren trick in render tree classes (r155802)
Support captions when PLUGIN_PROXY_FOR_VIDEO (r132842)
[mips] fix offsets of branches that have to go over a jump (r223916)
REGRESSION(r127163): Respect clearance set on ancestors when placing floats (r159575 revisited)
Move m_floatingObjects to RenderBlockFlow from RenderBlock (r157144)
[CSS Regions] Activate all regions to have layers, as CSS Regions create a new stacking context (r156767)
Fix handling of top margin on float with shape-outside (r156106)
Make FloatingObjects own it's FloatingObject instances (r155906)
Move Floats out of RenderBlock (r155391)
FloatingObjects should manage cleaning it's line box tree pointers itself (r155065)
[CSS Regions] RenderRegions should have a RenderLayer+Backing when they contain a Composited RenderLayer (r154072)
[CSS Shapes] Clear overflowing line's segments in pushShapeContentOverflowBelowTheContentBox (r152906)

Oct 24, 2017
============
Move logical(Left|Right)FloatOffsetForLine methods into FloatingObjects (r155368)
Move logical dimension getters/setters to FloatingObject from RenderBlock (r155050)
Code cleanup: rename FloatIntervalSearchAdapter and remove unnecessary inlines (r154758)
Optimize FloatIntervalSearchAdapter::collectIfNeeded (r154641)
[CSS Shapes] New positioning model: Borders (r153058)
[CSS Shapes] Port refactoring of shape-outside code from Blink (r152794)
REGRESSION: fast/border/border-fit-2.html needs updating (r145139)
border-fit-adjust should happen at layout time rather than paint time (r145100)
Fix some baseline flexbox alignment (r132104 revisited)
[Streams API] Finish pulling must always be done asynchronously as it is the expected promise behavior (according to the spec) (r186113)
[Streams API] ReadableStreamReader.closed should use DOMPromise (r186109 complete)
[Streams API]Remove ReadableStreamController.close custom binding (r186043)
[Streams API] Implement ReadableStreamController.desiredSize property (r186024)
[Streams API] Implement HighWaterMark (r185953)
Move ExceptionCodeDescription.h into the files that actually need it (r171285)
IndexedDB: Remove IDBDatabaseException.idl (r136869)
Remove IDBDatabaseException (r135424)

Oct 23, 2017
============
[Streams API] Implement ReadableStream cancel (abstract part) (r185826)
ASSERTION FAILED: typesettingFeatures & (Kerning | Ligatures) in WebCore::applyFontTransforms (r189557 partial)
Cache glyph widths to GlyphPages (r180752 + r180779 rolled out + r181492 + r181597 rolled out)
Emphasis mark is printed after inline-block with justify (r137786)
Layout Test fast/text/justify-ideograph-leading-expansion.html is failing an assertion chromium mac (r131405 revisited)
[Streams API] Remove ReadableStream.getReader() custom binding (r186111)
[Streams API] Implement ReadableStreamReader.releaseLock (r185697)
[Streams API] ReadableJSStream should handle promises returned by JS source pull callback (r185648)
[Streams API] Implement ReadableStream locked property (r185641)
[Streams API] ReadableJSStream should handle promises returned by JS source start callback (r185406 + r185467 + r185537)

Oct 20, 2017
============
Cleanup: Add convenience function URL::procotolIsBlob() (r197706 partial)
CSP is enforced for eval in report-only mode on first page load (r175771)
CSP: 'eval()' is blocked in report-only mode. (r145268)
[Streams API] Implement pulling of a source by a ReadableStream (r185406)
DeferredWrapper should clear its JS strong references once its promise is resolved/rejected (r185404 partial)
[Streams API] ReadableJSStream should handle JS source getters that throw (r185356)
[Streams API] ReadableStream should store callbacks as a Deque (r185260)
[Streams API] Implement ReadableStreamController enqueue (r185197)
[Streams API] ReadableStreamReader::closed() should be called once by binding code (r185149)
[Streams API] Remove ReadableStreamReader closed promise internal slot (r184723)
[Streams API] ReadableJSStream does not need a ReadableStreamSource (r185196)
[Streams API] Implement ReadableStreamReader read method in closed and errored state (r185114)
[Streams API] Implement ReadableStreamController constructor (r185039)
[Streams API] ReadableStreamReader should not be exposed (r184955)
[Streams API] Migrate closed promise handling from ReadableStreamReader to ReadableStream (r184585)
[Streams API] Delegate ReadableStreamReader reference counting to ReadableStream (r184444)
Stringifier::appendStringifiedValue() is missing an exception check. (r223731)
JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX. (r207849)
[Streams API] ReadableStreamReader.closed should use DOMPromise (r186109 partial)
[Streams API] ReadableStream reader should not be disposable when having pending promises (r184159)
[Streams API] Refactor ReadableStreamReader close promise callback cleaning (r184048)
[Streams API] ReadableStream constructor start function should be able to error the stream (r183991)
Move ReadableStreamJSSource.h/.cpp to ReadableJSStream.h/.cpp (r183866)
streams/readable-stream.html is very flaky (r183803)
[Streams API] Refactor ReadableJSStream and ReadableStreamJSSource (r183744)
[Streams API] ReadableStream constructor start function should be able to close the stream (r183395)

Oct 19, 2017
============
Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString. (r208767 partial revisited)
Isolated worlds should respect Content Security Policy; User Agent Shadow DOM should be exempt from Content Security Policy (r186395)
Isolated worlds should respect Content Security Policy; User Agent Shadow DOM should be exempt from Content Security Policy (r186388)
Scripts running in isolated world should not subject to a page's CSP about 'eval'. (r181925)
[CSS Shapes] CORS-enabled fetch for shape image values (r158044)
[CSS Shapes] Floats with shape-outside aren't painting in the correct order (r155244)
[CSS Shapes] Add support for shape-outside image values (r154152)
[CSS Shapes] New positioning model: basic support for rectangle shape-outside (r152122)
[CSS Shapes] limit shape image values to same origin (r151878)
Rename 'KURL::elidedString' and inspector's 'String.prototype.trimMiddle' for clarity. (r150957 partial)
[JSC] Script run from an isolated world should bypass a page's CSP (r148076 revisited)
[CSS Exclusions] Properly position multiple stacked floats with non rectangular shape outside (r148056)
[CSS Exclusions] shape outside segments not properly calculated for ellipses (r147250)
CSP: 'frame-src' should block redirects to invalid sources. (r138818)
CSP: XHR from an isolated world should bypass a page's policy. (r138817)
Unblock SVG external references (r133538)
Script run from an isolated world should bypass a page's CSP. (r133006)
Fix a typo that caused SVG external resources to be blocked on platforms other than Chromium. (r132869)
Block SVG external references pending a security review (r132849)
[Streams API] Implement ReadableStreamController (r183107)
[Streams API] Support the start function parameter in ReadableStream constructor (r182591)
[Streams API] Collecting a ReadableStreamReader should not unlock its stream (r182344)
[Streams API] Split ReadableStream/Reader implementation according source type (JS vs native) (r182309)
Get rid of outdated raises() from Web IDL (r151336 partial)
RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified. (r223645)
[Streams API] Implement a barebone ReadableStreamReader interface (r182180)

Oct 18, 2017
============
[Streams API] Error storage should be moved from source to stream/reader (r182140)
[Streams API] Update ReadableStream API according new version of the specification (r181736)
ReadableStream does not not need to pass itself as callback parameter (r181262)
[Streams API] Reading ReadableStream ready and closed attributes should not always create a new promise (r180599)
[Streams API] Implement a barebone ReadableStream interface (r179687)

Oct 17, 2017
============
Add reflected nonce attribute to HTML Link element IDL (r209644)
CSP: Fix parsing of 'host/path' source expressions (r196655)
CSP: Disallow an empty host in a host-source source expression (r196653)
CSP: 'none' should take effect only if no other source expression is present. (r139085)
CSP 1.0: Warn when old-style directives encountered. (r133193)
CSP source expressions should support paths at file-level granularity. (r131317)
'self' in a CSP directive should match blob: and filesystem: URLs. (r126785)
Trailing spaces in CSP source lists should not generate console warnings. (r126488)
Tighten up parsing the 'script-nonce' CSP directive value. (r125614)
Content Security Policy directives that begin with an invalid character should log a console warning. (r125195)
CSP: Implement support for inline script and inline style hashes (r197940)
Move CryptoDigest to WebCore/platform (r197575)

Oct 16, 2017
============
CSP: Implement support for script and style nonces (r197944)
Isolated worlds should respect Content Security Policy; User Agent Shadow DOM should be exempt from Content Security Policy (r186388 partial)
CSP: Remove SecurityPolicy script interface (r197142)
CSP 1.1: Experiment with 'base-uri' directive. (r146886)
CSP: Extract helper classes into their own files (r196350)
Move ContentSecurityPolicy.{cpp, h} to its own directory (r195711)
CSP: Drop 'script-nonce' directive. (r171150)
Refactor CSPDirective to support non-sourcelist types. (r125817)
Prefer 'Content-Security-Policy' to 'X-WebKit-CSP'. (r133329)
Implement the canonical "Content-Security-Policy" header. (r133095)
WebKit Doesn't Recognize Content-Language HTTP Header (r131794)
CSP paths: Ignore invalid path components, rather than dropping the source completely. (r129525)
ArrayPrototype methods should use JSValue::toLength for non-Arrays. (r218449 partial revisited)
Array.prototype.slice should not modify frozen objects. (r207226 partial)
Need an exception check after constructEmptyArray(). (r201787 partial)
Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated (r200387 revisited)
crossorigin element resource loading should check HTTP redirection (r198395)
Fix problems with cross-origin redirects (r195010)
50% time on Dromaeo Selector * benchmark spent allocating oversized backing stores (but not in Chrome) (r163057 revisited)
REGRESSION: We see authentication challenge sheets for favicon requests. (r149303 partial)
Don't include ResourceHandle.h in ResourceLoaderOptions.h (r143838)
Synchronous XMLHTTPRequests need to go to the NetworkProcess. (r139935 partial)
Support X-XSS-Protection: report=URL header syntax in XSSAuditor. (r133323 revisited)
Warn when CSP headers don't separate directives with ';'. (r131413)
Support paths in Content Security Policy directives. (r129143)
Warn authors about CSP directives ignored due to non-ASCII values. (r128042)
Invalid Content Security Policy sources should generate console warnings. (r125213)
Until CSP fully supports paths, we should log a warning if we encounter a source with a path. (r125047)
Refactor console logging out of CSPDirectiveList into ContentSecurityPolicy (r125021)

Oct 13, 2017
============
Speculative fix for: Crash in DocumentThreadableLoader::redirectReceived. (r212330 + r212335)
[Fetch API] Rename 'origin-only' referrer policy to 'origin' (r202323)
Replace CaseFoldingHash with ASCIICaseInsensitiveHash (r195928 partial)
http/tests/security/xss-DENIED-xsl-document-redirect.xml fails with NetworkProcess (r168498 + r168504 rolled out + r169243)
Set the original resource's response even on a 304 (r138202)

Oct 12, 2017
============
Rename [GlobalContext] extended attribute to [Exposed] and align with WebIDL (r199587 revisited)
Crashes in setTextForIterator (r162511)
[Fetch API] Add basic loading of resources for Workers (r198891)
[Fetch API] Move isDisturbed handling to FetchBodyOwner (r198890)
[Fetch API] Add basic loading of resources (r198665)
Stop hardcoding knowledge about blob protocol in ResourceHandle (r143569)
[Fetch API] Add support for iterating over Headers (r196128)

Oct 11, 2017
============
[Fetch] Use @isArray instead of `instanceof @Array` (r199654)
[Fetch API] response-consume.html is crashing on Mac WK1 Debug builds (r198326)
[Fetch API] FetchLoader should check for empty bodies (r198151)
[Fetch API] Implement data resolution for blob stored in Body (r198133 + r198134)
Array prototype JS builtins should support Symbol.species (r197536 partial)
[Fetch API] Use DeferredWrapper directly in FetchBody promise handling (r198005)
[Fetch API] Commonalize handling of FetchBody by FetchRequest and FetchResponse (r197778)
[Fetch API] Implement fetch skeleton (r197748)
Refactor FetchBody constructors (r197347)
[Fetch API] Make FetchRequest and FetchResponse ActiveDOMObject (r197744)
WebIDL generator should support the possibility for C++ classes to have a JS Builtin constructor (r194100 partial)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 partial)
JSBuiltinConstructor must always add builtin header (r190610)
Improve binding of JSBuiltinConstructor classes (r190314)
Remove the need for DOMClass in case of JSBuiltinConstructor WebIDL (r190239 partial)
Array.of should work with other constructors (r184942)

Oct 10, 2017
============
[Fetch API] Support Request and Response blob() when body data is a blob (r197396)
Blob content type normalization. (r148105)
[JSC] Introduce BytecodeIntrinsic constant rep like @undefined (r196022 partial)
[Fetch API] Implement Fetch API Response (r197049)
We don't need to clearEmptyObjectStructureForPrototype because JSGlobalObject* is part of the cache's key (r223123)
Octane/splay can leak memory due to stray pointers on the stack when run from the command line (r223024 partial)
[Fetch API] Implement Fetch API Request (r195954)
HTMLElement::nodeName should not upper case non-ASCII characters (r195501)
Element.tagName should be upper-case for HTML elements in HTML documents (r189618)

Oct 06, 2017
============
[Fetch API] Implement Fetch API Request (r195954 partial)
Stop using String::deprecatedCharacters to call WTF::Collator (r163792)
Avoid integer overflow in DFGStrengthReduction.cpp (r222981)
Audit WebCore builtins for user overridable code (r198776 partial)
[ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and => (r186047)
[ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. (r185989 + r185996)
AST Nodes should keep track of their end offset (r175396 partial)
Consolidate out arguments of parseFunctionInfo into a struct (r178888)
WTF should have a similar function as equalLettersIgnoringASCIICase to match beginning of strings (r198019)
Custom protocol loading through AVFoundation does not support byte-range requests. (r195764 partial)
[Fetch API] Implement Fetch API Headers (r195530)
XHR.setRequestHeader should remove trailing and leading whitespaces from the header value (r188333)
Small refactoring before implementation of the ES6 arrow function. (r184313 + r184317 rolled out + r184349)
CSS: fix the case-insensitive matching of the attribute selectors Begin, End and Hyphen (r181525)
Add a script that generates a gperf hash for HTTP header names (r169826)
Code duplication between HTTPParsers and HTTPValidation (r146908)

Oct 05, 2017
============
REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match (r222601 rolled out)
Nested parenthesized regular expressions with non-zero minimum counts appear to hang and use lots of memory (r210837 patially rolled out)
  Regression on http://peacekeeper.futuremark.com/
  /:((?:[\w\u00c0-\uFFFF\-]|\\.)+)(?:\((['"]?)((?:\([^\)]+\)|[^\(\)]*)+)\2\))?/.exec(":contains('Sega')")
  
Oct 04, 2017
============
RegExp's  anchored with .* with \g flag can return wrong match start for strings with multiple matches (r219031)
test262: test262/test/annexB/language/literals/regexp/identity-escape.js (r215161)
REGRESSION (r200946): Improper backtracking from last alternative in sticky patterns (r202597)
RegExp /y flag incorrect handling of mixed-length alternation (r200946)
[ES6] Implement Unicode code point escapes (r183552)
[ES6] Implement String.fromCodePoint (r183315)
test262: test262/test/language/literals/regexp/u-dec-esc.js (r215311)
Some bad unicode regex escapes aren't flagged as errors (r203202)
ES6 Change: Unify handling of RegExp CharacterClassEscapes \w and \W and Word Asserts \b and \B (r202490)
RegExp unicode parsing reads an extra character before failing (r201714)
Some tests fail with ES6 `u` (Unicode) flag for regular expressions (r199523)
[ES6] Quantified unicode regular expressions do not work for counts greater than 1 (r198866)
[ES6] Greedy unicode RegExp's don't properly backtrack past non BMP characters (r198624 partial)
[ES6] Make RegExp.prototype.toString spec compliant (r197999)
[ES6] Regular Expression canonicalization tables for Unicode need to be updated to use Unicode CaseFolding.txt (r197781)
[ES6] Make Unicode RegExp pattern parsing conform to the spec (r197534)
[ES6] Add support for Unicode regular expressions (r197426)
Fix minor ES6 compliance issue in RegExp.prototype.toString and optimize performance a little (r185528)
ASSERTION FAILED: s.length() > 1 on LayoutTests/js/regexp-flags.html (r185440)
Implement RegExp.prototype.flags (r185432)
Element.matches()'s argument is not supposed to be optional (r174334)
Clear the Selector Query caches on memory pressure (r168243)
Add Element.matches, the standard name for webkitMatchesSelector (r167631)
Unify the three call sites of SelectorQueryCache (r164854)
Inline SelectorQuery::matches, SelectorQuery::queryAll, SelectorQuery::queryFirst (r148984)
Stop passing around SelectorChecker in SelectorQuery, now that it's stack-allocated. (r143152)
[Refactoring] Make m_selectorChecker in StyleResolver an on-stack object. (r142591)
Move pointer to Document up from SelectorChecker to StyleResolver. (r138571)
Move visited link-checking (and caching) code out of SelectorChecker. (r138515)

Oct 03, 2017
============
Avoid unnecessary null checks in toJS() when the implementation returns a reference or Ref<> (r200775 partial)
Improve binding of JSBuiltinConstructor classes (r190314 partial)
Many DOM objects have InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero for no reason. (r171956)
Fast-path for casting JS wrappers to JSElement. (r166765 revisited)
Fast-path for casting JS wrappers to JSNode. (r166760 revisited)
CodeGeneratorJS.pm should generate "isFiringEventListeners()" check in isReachableFromOpaqueRoots() (r148700)
Add more type validation to debug builds (r148257 partial)
An [ActiveDOMObject] IDL attribute should be inherited (r140938)
Add missing exception check for the custom-get-set-inline-caching-one-level-up-proto-chain.js (r222744)
SegmentedString's copy ctor should copy all fields (r142514)
Implement MouseEvent constructor (r140657 partial)

Oct 02, 2017
============
[Web IDL] interfaces should inherit EventTarget instead of duplicating the EventTarget API (r196466 + r196476)
Generate Element casting helper functions (r173804 partial)
Fast-path for casting JS wrappers to JSElement. (r166765)
Fast-path for casting JS wrappers to JSNode. (r166760)
CREATE_DOM_WRAPPER doesn't need the ExecState. (r166128)
JSC bindings should use the passed-in global object for wrapper caching. (r165914)
[InexedDB] Interfaces inheriting from EventTarget should generate JSC (un)wrapping functions (r156701 partial)
IndexedDB IDL Refactoring. (r156590 partial)
Update AbstractWorker, Worker and SharedWorker to match the specification (r151956)
Rename CodeGenerator::IsSubType() to CodeGenerator::InheritsInterface() (r140884)
[Web IDL] interface objects should be Function objects (r196392 partial)
Get rid of multiple inheritance support from the bindings generators (r152725)
Remove ElementTimeControl and expose SVGAnimationElement (r152543)
Stop inheriting SVGFilterPrimitiveStandardAttributes in SVG (r152350)

Sep 29, 2017
============
Debugger may dereference m_currentCallFrame even after the VM has gone idle (r199249)
Move breakpoint (and exception break) functionality into JSC::Debugger. (r158937 partial)
MediaFragmentURIParser::parseFragments shouldn't upconvert 8-bit string (r152673)
HTMLTextFormControlElement::valueWithHardLineBreaks shouldn't upconvert 8-bit string (r152616)
parseHTMLInteger shouldn't upconvert 8-bit string (r152610 revisited)
setUpStaticFunctionSlot does not handle Builtin|Accessor properties (r202033)
reifyAllStaticProperties makes two copies of every string (r201225)
Add support for WebIDL JSBuiltin attributes (r190305)
JSC property attributes should fit in a byte (r189160)
In CodeGeneratorJS.pm we should rename $dataNode to $interface (r135231)
ASSERTION FAILED: character != kEndOfFileMarker in WebCore::HTMLTokenizer::bufferCharacter (r178128)
Stop using deprecatedCharacters in HTMLTreeBuilder (r165724 + r165734)
xmlDocPtrForString shouldn't upconvert 8-bit string (r152667)
HTML/XML parser helper unconsumeCharacters() can push back 8 bit text as 16 bit text (r135802)
Reduce use of deprecatedCharacters in WebCore (r165848)
Turn on ENABLE(8BIT_TEXTRUN) for everyone. (r163478)
Use deprecatedCharacters in a few more places (non-Mac-build sites found by EWS) (r163257)
Crash calling is8Bit() in visitedLinkHash() (r133337)
visitedHashLink() converts 8 bit URLs and attributes to 16 bits. (r133334)
Add String version of visitedLinkHash() to properly handle 8-bit URL Strings. (r131955)

Sep 28, 2017
============
Window should have its 'constructor' property on the prototype (r196690)
SVGTextLayoutAttributesBuilder shouldn't use RenderText::deprecatedCharacters() (r163248)
JSObject::reifyAllStaticProperties cleanup (r201853 partial)
REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match (r222601)
Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure (r222590 partial)
Nested parenthesized regular expressions with non-zero minimum counts appear to hang and use lots of memory (r210837)
Correct dictionary bindings handling of optional, null, and undefined (r200555 revisited)
Make some bindings improvements, with smaller code size for error message generation (r166864)
Improve dom error messages (r165640 partial)

Sep 27, 2017
============
Remove removeDirect (r201834)
JSGlobalObject::addFunction should call deleteProperty rather than removeDirect (r201654)
Regression(r196648): window.showModalDialog is no longer undefined if the client does not allow showing modal dialog (r196706)
JSDOMWindow::put should not do the same thing twice (r196702)
JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot (r196678)
JSDOMWindow::getOwnPropertySlot should not search photo chain (r196676)
[Web IDL] Operations should be on the instance for global objects or if [Unforgeable] (r196648)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 partial)
replaceable own properties seem to ignore replacement after property caching (r201428 revisited)
window.history / window.navigator should not be replaceable (r196797 revisited)
Do security checks early in JSDOMWindow::put*() (r196628)
Organize, deduplicate & comment JSDOMWindowCustom getOwnPropertySlot (r196583)
Separate out !allowsAccess path in JSDOMWindowCustom getOwnPropertySlot (r196494)
Prevent cross-origin access to window.history (r196227)
Clean up access checks in JSHistoryCustom.cpp (r182284)
JSDOMWindow should not claim HasImpureGetOwnPropertySlot (r168914 revisited)

Sep 26, 2017
============
REGRESSION (196374): deleting a global property is expensive (r201315)
Attributes on the Window instance should be configurable unless [Unforgeable] (r196374)
Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties. (r191215 partial)
Introduce getter definition into static hash tables and use it for getters in RegExp.prototype. (r185370)
RegExp.prototype.toString Should Produce an 8 bit JSString if possible. (r133333)
XMLHttpRequest properties should be on the prototype (r190123)
DOM attributes on prototypes should be configurable (r190104)
Object.defineProperty() should maintain existing getter / setter if not overridden in the new descriptor (r203004)
JSBoundSlotBaseFunction no longer binds slot base (r202027)
SES selftest page crashes on nightly r196694 (r196723)
GetValueFunc/PutValueFunc should not take both slotBase and thisValue (r196331 + r196368)
Instance property getters / setters cannot be called on another instance of the same type (r196200)
Object.getOwnPropertyDescriptor() returns incomplete descriptor for instance properties (r196145)
object.__lookupGetter__() / object.__lookupSetter__() does not work for native bindings (r196004)
Native Bindings Descriptors are Incomplete (r196001)
[JS Bindings] prototype.constructor should be writable (r195907)
Getting / Setting property on prototype object must throw TypeError (r195695)
Avoid double hash lookup in our JS bindings named property getter code (r188663)
Improve the JavaScript bindings of DatasetDOMStringMap (r163239 + r163251)
Make DOMStringMap a typedef of DatasetDOMStringMap (r162821)
Start removing custom implementations of getOwnPropertyDescriptor (r154300 revisited)

Sep 25, 2017
============
HTMLOptionsCollection's namedItem and name getter should return the first item (r149126 revisited)
[Regression] After r142831  collection-null-like-arguments.html layout test failing (r142846)
HTMLCollections namedItem() methods should return null than undefined for empty collections. (r142831)
There should be one stub hanging off an inline cache that contains code for all of the cases, rather than forming a linked list consisting of one stub per case (r189586 partial)
Make writes to RegExpObject.lastIndex cacheable. (r175416)
REGRESSION(r135493): HTMLCollection and DynamicNodeList have two vtable pointers (r135667 partial)
ScriptController::updateDocument ASSERT mutating map while iterating map (r171505)
Assert in JSC::Heap::unprotect when closing facebook.com web site (r149188)
Delete checks for impossible conditions in V8DOMWindowShell (r126817)

Sep 22, 2017
============
Remove String::deprecatedCharacters (r166120 partial)
TextBreakIterator's should support Latin-1 for all iterator types (Part 3) (r162184)
TextBreakIterator's should support Latin-1 for all iterator types (Part 2) (r162109)
TextBreakIterator's should support Latin-1 for all iterator types (Part 1) (r161844)
Optimize RenderText::offsetNext for 8 bit strings (r150922)
REGRESSION (r147588): Line breaks occur in the middle of Hebrew words at haaertz.co.il and other websites (r148791)
HTMLFontElement font size parsing should directly handle 8 bit strings (r136068)
TextIterator unnecessarily converts 8 bit strings to 16 bits (r135972)
Grapheme cluster functions can be simplified for 8 bit Strings (r135805)
listMarkerText() should create 8 bit strings when possible (r135641)
HTML integer parsing functions don't natively handle 8 bit strings (r135495)
HTML Attributes names and values should be created as 8 bit string where possible (r134116)
MarkupAccumulator should optimally handle 8 bit Strings (r130795)
ApplicationCacheStorage does not optimally handle 8 bit strings (r129786)
Fix the uses of String::operator+=() for Mac (r127574)
Create CSS color output string on 8 bits (r126186)
Append the unit in place when generating the text value of a CSSPrimitiveValue (r125221)
Call deprecatedCharacters instead of characters at more call sites (r162784)
Add deprecatedCharacters as a synonym for characters and convert most call sites (r161851 partial)
Add a new String::charactersWithNullTermination() function that returns a vector (r152142)
Remove call to deprecatedCharactersWithNullTermination() in WebGL code (r152137)
StringImpl::findIgnoringCase() and reverseFindIgnoringCase() don't optimally handle a mix of 8 and 16 bit strings (r131655 + r132159)
StringImpl::reverseFind() with a single match character isn't optimal for mixed 8/16 bit cases (r131524)
WTFString::show doesn't dump non-ASCII characters in a readable manner (r128682 + r128684 + r128908)

Sep 20, 2017
============
Caching of properties on objects that have named property getters is sometimes incorrect (r192693 revisited)
The JIT should cache property lookup misses. (r175846 partial + r175849 + r175880 revisited)

Sep 19, 2017
============
Update parseHTMLNonNegativeInteger() to return an unsigned value (r205663 partial)
HTMLImageElement.width / height attributes should be unsigned (r205655)
[WebIDL] Extend new overload resolution algorithm support to constructors (r204043)
Have parseHTMLInteger() / parseHTMLNonNegativeInteger() use WTF::Optional (r197389 partial + r197449 partial)
Binding generator should allow generating private JS functions (r191287 partial)
Fix license and copyrights of WebCore js binding builtin files (r190993 partial)
[Streams API] Add support for JS builtins constructor (r190198 partial)
Automate WebCore JS builtins generation and build system (r190794 partial)
A WebIDL callback interface is allowed to have constants (r189063)
[WebIDL] All interface objects must have a property named "name" (r188258)
The 'prototype' property on interface objects should not be enumerable (r188252)
Static hash tables no longer need to be coupled with a VM. (r171824 revisited)
Remove static tables for bindings that use eager reification (r170256)
Get rid of [ConstructorParameters] extended attributes (r150292)

Sep 18, 2017
============
[Fetch API] Implement Fetch API Headers (r195530 partial)
Migrate streams API to JS Builtins (r190608 partial)
[Streams API] Add support for private WebCore JS builtins functions (r190401 partial)
Move 'length' property to the prototype (r196423)
Deprecate StringImpl::charactersWithNullTermination (r152069)
Avoids stack recursion when indexed propertyNames defined using Object.defineProperty are deleted. (r194399)
NodeList has issues with Symbol and empty string (r183589 partial)
Move properties that use custom bindings to the prototype (r195969)
Move more 'constructor' properties to the prototype (r195904)
[Streams API] Implement ReadableStream pipeThrough (r190155 partial)
[cmake] Fix generate-js-builtins related incremental build issue (r183738)

Sep 15, 2017
============
Make JSCells have 32-bit Structure pointers (r164764 partial)

Sep 14, 2017
============
Move attributes to the prototype for List types / and types with indexed/named property getters (r195798)
Caching of properties on objects that have named property getters is sometimes incorrect (r192693 partial)
NodeList should not have a named getter (r188829 partial revisited)
Make our bindings' GetOwnPropertySlot() behave according to specification (r188590)
Accessing HTMLCollection.length is slow (r188523)
Always inline toJS() for NodeList. (r166520)
Improve the bindings of NodeList's name accessor (r162801)
NodeList.item() does not behave according to specification (r154012)
Regression(r196648): http://w3c-test.org/html/dom/interfaces.html redirects at the end of the test (r196742)
Regression(r190023): fast/dom/navigation-with-sideeffects-crash.html is crashing (r190034)
Get rid of custom bindings for HTMLLinkElement.sizes setter (r190030)
[Web IDL] Add support for [PutForwards=XXX] IDL extended attribute (r190023)
Get rid of most custom bindings for Location.idl (r190017)
Get rid of custom bindings for Document.location getter (r190015)
[GTK] Implement sizes attribute for link tag (r177143)
[GObject] StrictTypeChecking extended attribute fails for methods with sequence<T>. (r171181)
Use & instead of | in the value of [CallWith] (r152154)
Web Inspector: Move call stack generation out of bindings. (r134931)

Sep 13, 2017
============
[Web IDL] Fix overload resolution when the distinguishing argument is a Window (r206587)
Fix the !ENABLE(ES6_TEMPLATE_LITERAL_SYNTAX) build after r184337 (r184713)
REGRESSION (r184337): [EFL] unresolved reference errors in ARM builds (r184352)
REGRESSION (r184337): ASSERT failed in debug builds for tagged templates (r184347)
Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked (r154038)
Kill [StrictTypeChecking] IDL extended attribute (r204033 partial)
[WebIDL] Implement overload resolution algorithm (r204028)
Enable strict type checking for Window dictionary members (r203950)
Optimize function and interface object length computation in bindings generator (r149177)
'length' property of DOM bindings functions returns wrong value (r148997)
[V8] Generate wrapper methods for custom methods (r142849)

Sep 12, 2017
============
Implement EventListenerOptions argument to addEventListener (r201730 + r201734 + r201735 + r201743 + r201757 partial revisited)
Avoid redundant isUndefined() check for parameters that are both optional and nullable in overloads (r201681)
[WebIDL] 'undefined' should be an acceptable value for nullable parameters (r201627)
Change IDBObjectStore.createIndex to take an IDL dictionary (r200699 partial)
REGRESSION (r178097): HTMLSelectElement.add(option, undefined) prepends option to the list of options; should append to the end of the list of options (r186275)
REGRESSION (r178097): JavaScript TypeError after clicking on compose button in Yahoo Mail (r186265)
HTMLSelectElement and HTMLOptionsCollection add() method should support index as second argument. (r178097)
CodeGeneratorJS.pm doesn't need to add spaces between consecutive closing template brackets (r165242)
Don't throw on infinity or NaN index in HTMLOptionsCollection.add() (r146283)
Distinguish Web IDL callback interfaces from Web IDL callback functions (r188994)
Remove support for DOMFileSystem (r156692 partial)
Remove web intents code (r142549 partial)
Add support for callback interfaces using other callback names than "handleEvent" (r188913)
Start on dictionary support for IDL, getting enough to work for one dictionary (r200448 partial revisited)
Unreviewed, fix PropertyName::isNull() that was introduced in r188994. (r189154)
Get rid of custom bindings for RequestAnimationFrameCallback.handleEvent() (r188905)
Cleanup MediaQueryListListener (r153925 + r154020 + r154035 revisited)
Remove support for [PassThisToCallback] extended attribute (r152490)
Remove a redundant virtual call to hostWindow() in FrameView::invalidateRect() (r151628)

Sep 11, 2017
============
Modern IDB: Support IDBDatabase.transaction() (and transaction scheduling in general). (r191722 partial)
IndexedDB IDL Refactoring. (r156590 partial)
WebIDL: overloaded methods prevent number -> string conversion (r131063)
IndexedDB: IDBRequest leaks if IDBCursor closes and no further events fired (r127518 revisited)
IndexedDB: IDBRequest can be GCd during event dispatch (r126254 revisited)
IndexedDB: Remove IDBRequest::finishCursor() and plumbing (r124842)

Sep 08, 2017
============
[CSS Regions] Improve implementation of elements in region being flowed to another flow thread (r152320)
[CSS Regions] Elements in a region should be assignable to a named flow (r147756 + r147983 + r148865)
[CSS Regions] Remove m_flowThread from NodeRenderingContext (r148605)
[CSS Regions] Don't apply region flow to fullscreen video playing (r138755)
[CSSRegions] Pseudo-elements should not be directly collected into a named flow (r137836)
Remove Node::attach() and ContainerNode::attach() (r154047)
ENABLE(NEW_XML) isn't used by anyone and no one is actively working on it (r140399)
REGRESSION (r151839): Subframe keeps getting mousemove events with the same coordinates after hiding a hovered element. (r167684)
Remove unused attachChildrenLazily method and make attach/detachChildren private (r152197)
Improve the reattaching process while applying the :hover style (r151839)
Document::setHoveredNode() should be setHoveredElement(). (r150752)
Rename from parentOrHost* to parentOrShadowHost* in Node.h. (r141524)

Sep 07, 2017
============
REGRESSION (r137006): TileCache flashes to linen, rather than the background color, when scrolling fast (r137800 revisited)
REGRESSION (r137006): CSS clip on solid color composited div broken (r137250)
Use background color for GraphicsLayers when applicable (r137006 + r137039 rolled out)

Aug 31, 2017
============
semicolon is being interpreted as an = in the LiteralParser (r221400)

Aug 17, 2017
============
Part 2: Assertion failure in WebCore::PseudoElement::didRecalcStyle() (r162820)
Skip CachedImage::CreateImage if we don't have image data (r139484 revisited)
Clear pending container size requests as early as possible (r138976)
Heap-use-after-free in WebCore::StyleCachedImageSet::cssValue (r136560 revisited)
REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a deleted CachedImageClient (r129962)
Crash in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) (r159790)

Aug 16, 2017
============
Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142 (r208953)
Hasher::addCharacters() should be able to handle zero length strings. (r208958)
StringHasher functions require alignment that call sites do not all guarantee (r144552)
Style tweaks to StringHasher.h (r143280)
Remove redundant use of inline keyword in StringHasher.h (r143116)
Extend StringHasher to take a stream of characters (r136695)
Remove HandleSet::m_nextToFinalize (r165490)

Aug 15, 2017
============
Region based multicol: support explicit column breaks (r162366)
[CSS Shapes] Parse [<box> || <shape>] values (r159526 partial revisited)
[CSS Shapes] Accept the new <box> value for shape-outside (r159307)
[CSS Exclusions] Minimal support for using an image to define a shape (r154081 revisited)
[CSS Exclusions] Add CSS parsing support for image URI shape-inside and shape-outside values (r150387 revisited)
[CSS Shapes] Remove unnecessarily complex template from ShapeInfo classes (r155627)
[CSS Shapes] Turn shape's logicalwidth/height into a LayoutSize (r155626)
[CSS Exclusions] Minimal support for using an image to define a shape (r154081)
[CSS Shapes] inset-rectangle support for shape-outside (r151116)
[CSS Shapes] Support parsing inset-rectangle shapes (r150904)
[CSS Exclusions] ExclusionShape bounding box methods should return LayoutRects (r149226)
[CSS Exclusions] refactor shape-outside code to use isFloatingWithShapeOutside() helper method (r147495)
[css exclusions] overflow:hidden undoes shape-outside offsets (r147463)
[CSS Exclusions] shape-outside on floats for circle and ellipse shapes (r145982)
CSS cursor property should support webkit-image-set (r136919 partial)

Aug 14, 2017
============
[CSS Exclusions] Improve ExclusionPolygon smart pointer safety (r149003)
[CSS Exclusions] Zoom causes shape-inside to fail when shape-padding is specified (r148139)
[CSS Exclusions] Add support for the simple case of shape-margin polygonal shape-outside (r147831)
[CSS Exclusions] shape-outside on floats fails to respect shape-margin's vertical extent (r147384)
[CSS Exclusions] Add support for the simple case of padding a polygonal shape-inside (r147111)
[CSS Exclusions] Removed ExclusionShape dead code (r147597)
[CSS Exclusions] Refactor the ExclusionPolygon class to enable storing multiple boundaries (r145411)
[CSS Exclusions] Enable shape-inside rectangle support for shape-padding (r144258)
[CSS Exclusions] ExclusionPolygon reflex vertices should constrain the first fit location. (r142805)
[CSS Exclusions] Ignore ExclusionPolygon edges above minLogicalIntervalTop (r142187)
[CSS Exclusions] Add support for computing first included interval position for polygons (r140606)
[CSS Exclusions] The ExclusionPolygon classes should allow more than one type of "Edge" class (r138802)
[CSS Exclusions] shape-inside layout fails to adjust first line correctly for writing-mode: vertical-rl (r138043)
[CSS Exclusions] Update wrap-margin/padding to shape-margin/padding (r134433)
[CSS Exclusions] Polygon with horizontal bottom edges returns incorrect segments (r133968)
[CSS Exclusions] Store ExclusionPolygonEdge vertices in clockwise order (r133682)
[CSS Exclusions] Polygon edges should span colinear vertices (r133490)
[CSS Exclusions] Multiple segment polygon layout does not get all segments (r132971)
[CSS Exclusions] Add ExclusionShape::shapeBoundingBox() method (r131768)
[CSS Exclusions] Handle special case "empty" shapes (r131766)
[CSS Shapes] Shape's content gets extra left offset when left-border is positive on the content box (r155002 complete)
[CSS Shapes] Remove lineOverflowsFromShapeInside boolean from RenderBlock::layoutRunsAndFloatsInRange function (r151703)
[CSS Shapes] Consider bottom borders when calculating the position of the overflow (r151652)
[CSS Shapes][CSS Regions] Respect bottom positioned shapes and content adjustment inside shapes (r151570)
[CSS Shapes] Rename updateLineBoundariesForExclusions to updateShapeAndSegmentsForCurrentLine (r151295)
[CSS Regions][CSS Exclusions] Multiple regions with shape-insides should respect positioned shapes and overflow (r150478)
[CSS Regions][CSS Exclusions] shape-inside on regions should respect positioned shapes and overflow (r150375)
[CSS Regions][CSS Exclusions] Shape-inside on regions should respect region borders and paddings (r150027)
[CSS Exclusions] shape-inside overflow should be pushed to the outside of the content box (r148975)
[CSS Exclusions] Implement empty segments for multiple-segment shape-insides (r148781)
[CSS Exclusions][CSS Regions] Block children do not layout inline content correctly in a region with shape-inside set (r147155)
[CSS Grid Layout] Before / start paddings and borders are not accounted for when placing the grid items (r147140)
[CSSRegions] Crash reflowing content in variable width regions (r146192)
On HarfbuzzNG ports, Arabic TATWEEL is not joined. (r141124)
[CSS Exclusions] Block children have incorrect offset when shape-inside element lays out below other elements (r132685)
Spread expressions are not fair game for direct binding (r196323)

Aug 11, 2017
============
Move the line widow functions out of RenderBlock and into RenderBlockFlow. (r155964)
[CSS Shapes] Shape's content gets extra left offset when left-border is positive on the content box (r155002 partial)
[CSS Regions] Compute correct region ranges for boxes (r153990 + r153993 + r154248)
ASSERTION FAILED: layoutState->m_renderer == this in WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage (r152768 revisited)
[CSS Regions] In a region chain with auto-height regions, lines get their length based only on the first region (r152572)
[CSS Regions] fast/regions/seamless-iframe-flowed-into-regions.html asserts (r151992)
Column balancing support in the region based multicol implementation (r151545)
[CSS Regions] Remove the offsetFromLogicalTopOfFirstPage parameter from layout functions (r150743)
[CSSRegions] Fix offsetLeft / offsetTop for elements inside named flow (r150383)
Reproducible crash in RenderBoxModelObject::adjustedPositionRelativeToOffsetParent() (r149653)
RenderObject::offsetParent should return Element* (r147395)
[CSSRegions]: Crash accessing offsetParent for contentNodes inside a flow thread (r146856)
Widows and orphans test4 fails if isolated (r140007)
Merge getLineAtIndex into RenderBlock::lineAtIndex (r139135)
[CSSRegions] RenderFlowThread::renderRegionForLine should use a faster search method (r147620)
[CSS Regions] Nested auto-height regions don't layout correctly (r147426)
[CSSRegions] Clean-up RenderFlowThread::updateRegionsFlowThreadPortionRect (r147411)
[CSSRegions] RenderFlowThread should keep a count of auto height regions (r140948)
[CSS Regions] min-max height will not trigger a relayout when set on a region with auto-height (r140400)
[CSS Regions] regionlayoutupdate event fires continuously (r136346)
[CSS Regions] Auto-height regions will not calculate the height correctly when the content changes dynamically (r136039)
[CSSRegions]Former auto-height regions should not ignore their defined height (r133146)
[CSS Regions] Content flows incorrectly in autoheight regions with min/max-height set (r140014)
[New Multicolumn] Add minimum column height tracking and forced break tracking to column sets. (r136146)
[CSSRegions] Incorrect computed height for content with region-break-before (r134395)

Aug 10, 2017
============
Add computeLogicalHeight override methods to RenderView and RenderMultiColumnSet (r131351)
[CSS Regions] Create a separate list for the invalid regions (r130918)
Layout Test fast/repaint/japanese-rl-selection-repaint-in-regions.html is failing after r126304 (r126961)
Crash in WebCore::RenderBlock::removeChild (r126304)
[CSS Regions] Add the NamedFlow.getRegions() API (r124772)
Checking if frame is complete and access duration doesn't need a decode (r151957 + r152531)
Simply GIFImageReader error handling (r147392)
GIFImageReader to count frames and decode in one pass (r146237)
More cleanup in GIFImageReader (r144961)
GIFImageReader to read from source data directly (r143936 + r143972 rolled out + r144100)
Fix code style violations in GIFImageReader.{cc|h} (r142528)

Aug 09, 2017
============
Fix a few missed renames from Exclusions -> Shapes (r151750)
Add some UNUSED_PARAMs to RenderBlock.cpp so that it builds properly if CSS_EXCLUSIONS is disabled. (r151662 partial)
[CSS Shapes][CSS Exclusions] Split CSS Exclusions and CSS Shapes code (r151402 partial)
[CSS Exclusions][CSS Shapes] Split CSS Exclusions & Shapes compile & runtime flags (r151247 partial)
[css exclusions] Clean up ExclusionShapeInsideInfo dynamic removal code (r151237)
[CSS Exclusions] Add CSS parsing support for image URI shape-inside and shape-outside values (r150387)
[CSS Exclusions] Increasing padding does not correctly layout child blocks (r148120)

Aug 08, 2017
============
[css exclusions] Dynamically removing shape-inside should cause relayout of child blocks' inline content (r147758)
[css exclusions] Move ExclusionShapeInsideInfo into RenderBlockRareData (r144520 + r144561 + r145610)
[CSS Exclusions] Enable shape-inside support for ellipses (r143420)
[CSS Exclusions] Enable shape-inside support for circles (r143010)
[CSS Exclusions] Blocks should not re-use their parent's ExclusionShapeInsideInfo (r138040)
Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily. (r181297 revisited)
VM::lastCachedString should be a Strong, not a Weak. (r170898)
Fast path for jsStringWithCache() when asked for the same string repeatedly. (r170857)
Fast path for jsStringWithCache() when asked for the same string repeatedly. (r170818)
Micro-optimize the way we hand NodeLists to JSC. (r167589)
Speed up jsStringWithCache() through WeakGCMap inlining. (r167577 partial)
Attempt to make it more clear what FloatIntervalSearchAdaptor::collectIfNeeded is doing (r154494 revisited)
ASSERTION FAILED: node->parentNode(), Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo (r151117 revisited)
Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo (r150084 revisited)
[CSS Exclusions] shape-outside on floats for polygon shapes (r144776)
[CSS Exclusions] Support outside-shape layout for shape-inside property (r143225)
Make outside-shape the default value for shape-inside (r142893)
[CSS Exclusions] Handle shape-outside changing a float's overhang behavior (r142527)
[CSS Exclusions] shape-outside on floats for rectangle shapes positioning (r140365)
GetOwnProperty of TypedArray indexed fields is wrongly configurable (r220377)

Aug 04, 2017
============
[CSS Filters] Using negative drop-shadow radius values has slow performance (r146762)

Aug 03, 2017
============
[New Multicolumn] Autogenerate regions for columns. (r144773)
[New Multicolumn] Remove unneeded layout method in RenderMultiColumnFlowThread. (r143606)
[New Multicolumn] Resize RenderMultiColumnSets around their columns. (r143506)
[New Multicolumn] Column gap is computed incorrectly. (r143484)
[CSS Regions] Assertion in RenderFlowThread::removeRenderBoxRegionInfo (r143322)
[New Multicolumn] Add requiresBalancing booleans to track which column sets need to rebalance. (r136886)
Added WTF::StackStats mechanism. (r131938 partial)
Wrong blur radius for filter: drop-shadow() (r208058)
Skip trying to paint overlay scrollbars when there are none or they are clipped out (r181695)
drop-shadow filter with overflow:hidden child misbehaves. (r150775)
Hoist several chunks of code at the top of RenderLayer::paintLayerContents() onto new functions (r150349)
border-radius clipping a canvas does not always clip (r149504)
RenderView should bail out of paintBoxDecorations() when painting with a different renderer (r148521)
Fix painting phases for composited scrolling (r145067)
[CSS Filters] Refactor filter outsets into a class (r142823)
[CSS Filters] brightness() function doesn't work as specified (r139770)
Zoomed-in scrolling is very slow when deviceScaleFactor > 1 (r134348)
Store a visible rect in GraphicsLayers, and optionally dump it in layerTreeAsText (r130927)
[CSS Shaders] Cached validated programs are destroyed and recreated when there is only one custom filter animating (r128387)
[CSS Filters] Filters should render using sRGB until the specification says how it works (r126927)

Aug 02, 2017
============
REGRESSION (r143070): Overflow:scroll content does not get clipped properly when the parent box has CSS3 filter on. (r151110)
[CSS Filters] RenderLayerCompositor::addToOverlapMap should take into account the filters outsets (ie. blur and drop-shadow) (r139330)
REGRESSION(r144318) 1-7% perf. regression on SVG/SvgHitTesting (r144484)
[New Multicolumn] Rewrite the painting/stacking model to be spec compliant. (r144318 + r144377)
[Safari] Crash with opacity + drop shadow filter + child element extending beyond filter outsets (r143655)
drop-shadow filter with overflow:hidden child misbehaves (r143070)
resize property doesn't work on iframes (r140749)
[CSS Filters] CSS opacity property clips filter outsets (r140702)
RenderLayer minor clean-up: replace raw pointers with OwnPtrs. (r135605)
Reduce the crazy number of parameters to RenderLayer painting member functions (r134311 + r134330 revisited)
[New Multicolumn] Implement column repainting. (r127297)
[New Multicolumn] Refactor flow thread repainting. (r127280)
CSS Masking and CSS Filters applied in wrong order (r126084)

Aug 01, 2017
============
Make it possible for the root background to be painted into its own GraphicsLayer (r140068)
Allow PaintInfo to carry all PaintBehavior flags (r139908 + r140066)
Add the ability for a RenderLayerBacking to have a layer that renders backgrounds. (r139815)
Rename RenderLayerBacking's m_containmentLayer to m_childContainmentLayer to better describe its purpose (r139797)
Allow tiled WKViews to have transparent backgrounds (r139750)
REGRESSION (r137006): TileCache flashes to linen, rather than the background color, when scrolling fast (r137800)
Disambiguate "background color" and "contents as solid color" on GraphicsLayer (r137798)
Use background color for GraphicsLayers when applicable (r137051 revisited)
Ensure that scrollbar layers show debug borders (r134843)
Fix layer borders to cleaning appear and disappear on switching (r133517)
GraphicsLayer visible rect computation needs to use the current animating transform (r131626)
Some GraphicsLayer cleanup to separate the concepts of using a tile cache, and being the main tile cache layer (r130676)
When using SVG as an image, we should load datauri images when these images are not in the image cache. (r179626 revisited)
REGRESSION(151586): multipart/x-mixed-replace images are broken (r152207)
Avoid unnecessary data copies when loading subresources with DoNotBufferData option (r151586)
ResourceLoader::resourceData() should not return a PassRefPtr (r151277)
ImageDocuments leak their world. (r197765 + r197780 rolled out + r197856)

Jul 31, 2017
============
Out-of-view fixed position check should not be affected by page scale at all on Mac (r143641)
Fixed elements sometimes marked out-of-view if you have rubber-banded too far, affects flickr.com (r140758)
Sticky-position elements can jump around/hide on rubber-banding (r140229 partial)
Fix position:-webkit-sticky behavior when zoomed (r138036)
Out-of-view check of fixed position element in frame is incorrect when page is scaled (r137697)
Fixed position out-of-view check is incorrect when page is scaled (r137399)
[EFL][Qt][WK2] Fixed position elements are not always fixed (r136452)
Parcel up logic related to sticky positioning into a Constraints class that will later be used for threaded scrolling (r127795)
Handle sticky that overflows its container (r126943)

Jul 26, 2017
============
REGRESSION (r142520?): Space no longer scrolls the page (r142561 partial)
REGRESSION (r133807): Sticky-position review bar on bugzilla review page is jumpy (r142520 partial)
ASSERT loading Acid3 test in run-safari --debug (r135050) (r137690)
When animating mask-postion on a composited layer, element renders incorrectly (r136433)
Fixed position elements that are out of view still end up forcing non-threaded scrolling (r133807)
[New Multicolumn] Implement hit testing for columns. (r127037)
[New Multicolumn] Correctly track whether or not a layer is paginated. (r143757)
[New Multicolumn] Make layers paint properly in columns. (r143467)
Reduce the crazy number of parameters to RenderLayer clip-rect functions (r135060)

Jul 25, 2017
============
Remove Broken CompareEq constant folding phase. (r219895)
Give purity hints to compiler to avoid penalizing repeated calls to some functions. (r156246 revisited)
REGRESSION (r155607): Javascript site does not load visually on panerabread.com (r157296 revisited)
REGRESSION (r132516): Javascript menu text incorrectly disappearing and reappearing (r155607 revisited)
Avoid calling isSimpleContainerCompositingLayer() an extra time (r152213)
ASSERTION FAILED: m_clipRectsCache->m_respectingOverflowClip[clipRectsType] == (clipRectsContext.respectOverflowClip == RespectOverflowClip) in RenderLayer. (r144639)
[New Multicolumn] REGRESSION: RenderMultiColumnSets broken by the RenderRegion -> RenderBlock subclassing. (r143395)
[CSS Regions] RenderRegion should inherit from RenderBlock (r142984 revisited)
Use background color for GraphicsLayers when applicable (r137051)
Avoid calling calculateLayerBounds() and convertToLayerCoords() more than once per layer paint (r134356)
Change calculateLayerBounds() from a static function to a member function (r134355)
[New Multicolumn] Implement column contents painting. (r127008)
Add support for compositing the contents of overflow:scroll areas (r126663)
[New Multicolumn] Make column rules paint properly. (r126177 revisited)
Avoid backing store on layers created for CoreAnimation plugins (r125101)

Jul 24, 2017
============
[New Multicolumn] Change inRenderFlowThread to follow containing block chain (r144497)
[New Multicolumn] Change flow thread containment to be a state. (r144461)
[CSS Regions] Region overset property is not properly computed when there is a region break (r144178)
[CSS Regions][Mac] fast/regions/full-screen-video-from-region.html hits an assertion in RenderFlowThread::removeRenderBoxRegionInfo (r142982)
[CSS Regions] Selecting text through nested regions causes weird and unclearable selection (r139197)
[CSS Regions] Remove the sanitize mechanism from LineFragmentationData (r136908)
[CSS Regions] Blocks don't relayout children if the width of a region changes (r136793)
[CSS Regions] Add Region info for RootLineBoxes and pack the pagination data (r135750)
Make convertToLayerCoords iterative, rather than recursive (r135080)
[CSSRegions] Add support for auto-height regions with region-breaks (r132602)
DFG Node for throw_static_error is incorrectly named as "ThrowReferenceError". This patch renames it to "ThrowStaticError". (r206853 partial)

Jul 21, 2017
============
Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable (r219702 partial)
[JSC] Reduce the memory usage of BytecodeLivenessAnalysis (r188849 partial)
Fix keyTimes list length of from/to/by animations. (r172706)
Make seamless iframes paginate properly in their enclosing document's pagination context. (r143256)
[CSSRegions] Assertion failure in Node::detach (!renderer || renderer->inRenderFlowThread()) (r141982)
Crash caused by incomplete cleanup of regions information for anonymous block (r139596)
[CSS Regions] Crash when using hover and first-letter inside a flow-thread (r136045)
[CSS Regions] InRenderFlowThread returns false in the first setStyle (r136037)
[CSS Regions] Elements using transforms are not repainted correctly when rendered in a region (r135921 + 136054)
[CSSRegions]Crash when moving anonymous block children inside a named flow (r126459)

Jul 20, 2017
============
[CSSRegions][CSSOM] Implement Element.getRegionFlowRanges (r128416 complete)
[css exclusions] setting shape-inside on a parent does not relayout child blocks' inline content (r144487)
[CSS Regions] Region boxes should respect -shape-inside CSS property (r143766)
[CSS Exclusions] shape-inside does not properly handle padding or border (r142164)
[CSS Exclusions] Refactor ExclusionShapeInsideInfo to more general ExclusionShapeInfo (r140978)
[CSS Exclusions] Add helper functions for converting floats to LayoutUnits (r137914)
[CSS Exclusions] Add support for computing the first included interval position. (r136857)
[CSS Exclusions] Layout of the first shape-inside line can be incorrect (r133475)
[CSS Exclusions] Points on the bottom and right edges of an exclusion shape should be classified as "outside" (r132127)
[CSSRegions][CSSOM] Implement Element.getRegionFlowRanges (r128416 partial)

Jul 19, 2017
============
Emoji sequences do not render properly. (r180191)
Backdrop Filter should repaint when changed via script (r198963)
[filters2] Support for backdrop-filter (r175716)
DataRef<T> should use Ref<T> internally. (r157568 partial)
Setting -webkit-filter: in :active selector causes failure to redraw (r154430)

Jul 18, 2017
============
Remove WebKitCSSFilterValue to make Hyatt happy (r208253)
Harden FilterOperation type casting (r166741)
REGRESSION(r161967): Crash in WebCore::CachedSVGDocumentReference::load (r162643)
Remove unnecessary WebkitCSSSVGDocumentValue (r162051)
Make CachedSVGDocument independent of CSS Filters (r161967)
Start refactoring Filter code to reuse CachedSVGDocument for clipPath (r160973)
Crashes due to NULL dereference beneath WebCore::StyleResolver::loadPendingSVGDocuments and related functions (r151875)
Remove the clone() method from FilterOperation (and subclasses). (r124213)

Jul 13, 2017
============
Support CSS filters without webkit prefix (r188647)

Jul 12, 2017
============
Wrong radix used in Unicode Escape in invalid character error message (r219396)
Vector-effect updates require a re-layout (r163618)
ASSERTION FAILED: stroke->opacity != other->stroke->opacity in WebCore::SVGRenderStyle::diff (r153914)
Fix slider thumb event handling to use local, not absolute coordinates (r154832)
input[type=range]: Fix a crash by changing input type in 'input' event handler (r154308)
Dragging to edge should always snap to min/max. (r147070)
Fix some crashes in render sliders (r144790)
Remove hidden limiter div in the input slider shadow DOM (r135913)
REGRESSION(r126132): MediaSlider and MediaVolumeSlider thumbs don't match mouse when dragged (r127553)
Tick marks don't match thumb when applying padding or border to input type=range (r127140)
REGRESSION(r126132): thumb doesn't match click position for rtl input type=range (r126539)
Clicking input type=range with padding or border sets wrong value (r126132)
Make SegmentedVector Noncopyable (r145401 revisited)
Add CString operators for comparison with const char* (r143049)

Jul 11, 2017
============
Change custom getter signature to make the base reference an object pointer (r163496 revisited)
HTMLOptionsCollection's namedItem and name getter should return the first item (r149126)
[JSC] REGRESSION(r135093): A form control with name=length overrides length property on form.elements (r139278 revisited)
Use ownerNode() instead of base() in HTMLCollection (r136850)
Make namedItem return a node list only in HTMLFormControlsCollection and HTMLOptionsCollection (r135093)
[V8][JSC] HTMLOptionsCollection::length needs not to be [Custom] (r134248)
[HarfBuzz][Cairo] harfBuzzGetGlyph is slow and hot (r141908)

Jul 10, 2017
============
[JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator (r219285)
[ES6] Implement tagged templates (r184337)
Lexer::scanRegExp, create 8 bit pattern and flag Identifiers from 16 bit source when possible (r133668)
hitTestResultAtPoint does two hit-tests if called on non main frame (r134253)
\n\r is not the same as \r\n. (r219263)

Jul 07, 2017
============
[Web IDL] Specify default values for optional parameters of type 'float' / 'unrestricted float' (r200058 revisited)
The 2D Canvas functions fillText()/strokeText() should display nothing when maxWidth is less then or equal to zero (r142754)
[SVG] Leak in SVGAnimatedListPropertyTearOff (r219257)

Jul 05, 2017
============
Repaint issue with vertical text in an out of flow container. (r201635 + r201704)
RenderObject::computeRectForRepaint/computeFloatRectForRepaint should return the computed rectangle. (r190685)
Incomplete repaint of input elements in writing-mode overflow (r151761)
Allow painting outside overflow clip in accelerated scrolling layers (r134456)
Refactor paint overflow clipping (r128478)
Setting overflow:hidden does not always repaint clipped content. (r151549 + r151685 rolled out + r201407)
SVG foreign objects do not inherit the container coordinates system if they are repainted. (r175847)

Jul 04, 2017
============
ASSERTION FAILED: layoutState->m_renderer == this in WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage (r152768)
Incomplete repaint of input elements in writing-mode overflow (r151761 partial)
Float block's logical top margin is illegal in vertical writing mode. (r139040)
[CSS Regions]Content overflowing last region displayed wrong (r138785)
[CSS Exclusions] ExclusionShape inlines should use isFlippedBlocksWritingMode() (r136647)
Crash due to intruding float not removed after writing mode changed. (r136253)
[CSSRegions]Region overset property is incorectly computed when content has negative letter spacing and is flowed near to the edge of a region (r125610)
[CSSRegions]regionOverset is computed as "overset" even though the region is not the last in the chain (r125600)
DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status (219111)
[ftlopt] GC should notify us if it resets to_this (r170382)
[JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT (r219043)

Jun 30, 2017
============
[GTK] Glyphs in vertical text tests are rotated 90 degrees clockwise (r158848 partial)
Full width semicolon is wrong in vertical text. (r158697)
RegExpCachedResult::setInput should reify left and right contexts (r219001)
Reduce the number of instructions needed to record the last regexp result (r197730)
Array.prototype.join should do overflow checks on string joins. (r206281)
[JSC] Array.prototype.join() fails some conformance tests (r203147 complete)
JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls (r198592 complete)
[ES6] Make Array.prototype.reverse spec compatible. (r198294 revisited)
Optimize Array.join and Array.reverse for high speed array types (r185942 complete + r185943)
Oscillator node should throw exception if type is assigned an invalid value (r125460)
Creating "basic waveform" Oscillator nodes is not efficient (r125122)
Passing invalid values to OfflineAudioContext's constructor should not crash. (r179565)

Jun 29, 2017
============
Calculating postCapacity in unshiftCountSlowCase is wrong (r218977)
RenderWidget::setWidgetGeometry() can end up destroying *this*. (r183788 revisited)
Get rid of ref-counting on RenderWidget. (r155796 revisited)
Background doesn't fully repaint when body has margins. (r153701 revisited)
ASSERTION FAILED: m_repaintRect == renderer()->clippedOverflowRectForRepaint(renderer()->containerForRepaint()) after r135816 (r147759 revisited)
Temporarily disable assertions related to clip rect computation in RenderLayer (r141278)
Optimize layer updates after scrolling (r135746)
Eliminate ancestor tree walk computing outlineBoundsForRepaint() when updating layer positions (r135025)
Don't use temporary clip rects when hit testing (r134737)
Save one call to containerForRepaint() when updating layer positions (r134174)
Fix build warning in RenderLayer.cpp caused by r133628 (r133683)
Fix RenderGeometryMap assertion when layers are scrolled during layout (r133628)
Overflow regions sometimes repaint incorrectly after going into or coming out of compositing mode (r125086)
ASSERT(!m_zOrderListsDirty) when mousing over web view with incremental rendering suppressed (r185858)
Don't say there are dirty overlay scrollbars when they are clipped out (r135064)
Make Document::renderer faster by using the cached ptr for RenderView (r133711)
box-shadow causes overlay scrollbars to be in the wrong position when element is composited (r127943)
REGRESSION (r149928): CanvasStyle::operator= leaks everything (r156099)
Make CanvasStyle a plain object instead of an RefCounted object (r149928)
Make CanvasStyle's CMYKAValues allocated on the heap and move the pointer in the union. (r149710)
We should not ref() the RefPtr twice in CanvasStyle (r149706)
Move CanvasGradient and CanvasPattern in the union of CanvasStyle (r149696)

Jun 28, 2017
============
Don't pass a paintingRoot when painting from RenderLayerBacking (r134642 revisited)
Accumulate sub-pixel offsets through layers and transforms (r125794)
Refactor transform painting/hit testing code in RenderLayer. (r144226)
[Sub-pixel layout] incorrect rendering when painting sub-layers as their own root (r130322)
Fix filter dirty rect regression from r134311 (r134330)
Reduce the crazy number of parameters to RenderLayer painting member functions (r134311)
Remove the use of GraphicsContextStateSaver from RenderLayer::paintLayerByApplyingTransform (r193390)
CheckedArithmetic's operator bool() and operator==() is broken. (r185755 + r185764)

Jun 26, 2017
============
Crash in JSC::Lexer<unsigned char>::setCode (r218819)
Crash running webaudio/panner-loop.html (r192281)
ASSERTION FAILED: !m_renderingAutomaticPullNodes.size() (r146362)
Add rudimentary support for move-only types as values in HashMap (r155621)
HashSet should work with move only types (r155577)
Add move semantics to RefPtr (r149184 + r151670)
WTF::OwnPtr should behave similarly with the rest of WTF smart pointers (r155527)
OwnPtr: Use copy/move-and-swap for assignment operators (r155526)
Weak should have a move constructor and move assignment operator (r156469)
Clang doesn't optimize away undefined OwnPtr copy constructor (r128203)

Jun 23, 2017
============
[Qt] Add support for tiled shadow blur (r145810)
[Qt] Enable tiled shadow blur for inset box shadows (r145366)
[JSC] Use the way number constants are written to help type speculation (r180813 partial revisited)
The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation (r218729)
ValueRep(DoubleRep(@v)) can not simply convert to @v (r218728)

Jun 22, 2017
============
[CSS Exclusions] shape-outside on floats for rectangle shapes height/width (r137930)
Floored and truncated rounded confused. (r125167 partial)
hb_face_t instances should not depend on FontPlatformData (r131432)
Initial advance of text runs should be taken into account (r148956 partial)
[GTK] Bring Harfbuzz-ng support to Gtk (r137146 partial)
Fonts fast code path is used for partial runs with kerning and ligatures, but shouldnt be (r132178)
REGRESSION(130231): Causes 3 complex font test failures on EFL / Harfbuzz+Freetype (r131058 + r131073)
Reversing a GlyphBuffer needlessly queries its size multiple times (r130531)
Clean up makeFontCascadeCacheKey() (r187615 + r190232 + r190242)
Remove support for screen font substitution (r179368 partial)
Remove GlyphPageTree (r177876 partial)
  nonCJKGlyphOrientation matters for glyph selection too and needs to be part of the FontDescription cache key.
Avoid calling AtomicString::lower() in makeFontGlyphsCacheKey (r156139 + r156142)
Share FontGlyphs (r150897 + r150899)

Jun 21, 2017
============
SoftBank Emoji are not transformed by shaping when in a run of their own (r185175 + r185176)
Crash in CGContextShowGlyphsWithAdvances when passing kCGFontIndexInvalid (r182192 + r190891)
[Mac] Some ligatures are applied across different fronts (r148283)
REGRESSION (r131365): WidthIterator::advance() is needlessly passed a GlyphBuffer in many cases (r131410)
WebCore part of <rdar://problem/12470680> Fonts fast code path doesnt support kerning and ligatures (r131365 + r131374 + r131375)
Move more style recalc code to StyleResolveTree.cpp (r153816)
[Vertical Writing Mode] Rename "vertical-right" CSS value to match spec (r191935)
Font description not synchronized correctly on orientation affecting property changes (r138299)
[EFL] Fix build warning in StyleResolver.cpp using gcc 4.7.2 (r136952)

Jun 20, 2017
============
Character orientation should follow UTR50 specs for vertical layout. (r145854)
Some characters are not rotated properly in vertical text (r138986)
Font::glyphDataAndPageForCharacter doesn't account for text orientation when using systemFallback on a cold cache. (r130443 + r130779 + r130803)
Support text-orientation: sideways-right (and sideways when it maps to sideways-right) (r136640)
Remove unused macro HANDLE_INHERIT_AND_INITIAL_WITH_VALUE in StyleResolver.cpp (r134861)
Remove HANDLE_INHERIT_AND_INITIAL_AND_PRIMITIVE macro in StyleResolver. (r131968)
Move handling of CSSPropertyPointerEvents from StyleResolver into StyleBuilder. (r131586)
Move handling of CSSPropertyWebkitLineClamp from StyleResolver into StyleBuilder. (r131677)
Handle CSSPropertyOpacity in StyleBuilder. (r131443)
The parser should allocate all pieces of the AST (r176754)
[Chromium] Improve vertical text rendering of HarfBuzzShaper (Re-land) (r131126)
HarfBuzzShaper::shape() should return false when it adds no glyph to GlyphBuffer (r132051)
[Chromium] Introduce caches for HarfBuzzShaper (r130231)
[Chromium] Improve glyph selection of HarfBuzzShaper (r129175)

Jun 19, 2017
============
[JSC] Use the way number constants are written to help type speculation (r180813 partial, crash in BytecodeGenerator::addConstantValue)
[JSC] Make StringRecursionChecker faster in the simple cases without any recursion (r184447)
ArrayPrototype methods should use JSValue::toLength for non-Arrays. (r218449 partial)

Jun 16, 2017
============
RenderLayer: Check SVG bit instead of element namespace in isTransparent(). (r157360)
Make hoverAncestor() a RenderElement concept. (r156338 partial)
Make RenderObject::parent() return RenderElement (r156151)
Make createRenderer() return RenderElement (r156147)
Rename createRenderObject() to createRenderer(). (r161153 partial)

Jun 15, 2017
============
[Cocoa] Unify FontPlatformData's hashing and equality operators (r211029)

Jun 14, 2017
============
0.0 should really be 0.0 (r189929)
js/regress/is-string-fold-tricky.html and js/regress/is-string-fold.html are crashing (r183650 revisited)
[JSC] Use the way number constants are written to help type speculation (r180813 partial)
Add support for 8 bit TextRuns on Chromium Linux & Mac (r144646)
[harfbuzz] Crash in harfbuzz related code (r143337)
Crash when selecting a HarfBuzz text run with SVG fonts included (r142928)
REGRESSION (r125578): word-wrapping in absolute position with nbsp, word-spacing and custom font (r135884)
[Chromium] Arabic digits should appear left-to-right (r133983)
[Chromium] Unicode combining diacritical aren't always combined on Linux (r133550)
[Chromium] Improve glyph positioning of HarfBuzzShaper (r129074)
[Chromium] HarfBuzzShaper should take into account combining characters (r129050)
[Chromium] Don't treat tab as spaces for word-end in HarfBuzzShaper (r128965)
REGRESSION (r125578): The monospace code path in RenderText::widthFromCache disagrees with Font::width on word spacing (r128693)
REGRESSION (r125578): Word spacing not applied to newline and tab characters that are treated as spaces (r128692)
REGRESSION(r125578): fast/regex/unicodeCaseInsensitive.html crash on Linux Debug Chromium (r126310)
CSS 2.1 failure: Word-spacing affects each space and non-breaking space (r125430 + r125437 rolled out + r125578)
[chromium] Enable kerning on Android (r125189)
[Cairo] Add complex font drawing using HarfbuzzNG (r124454)
Avoid Assertion Failure in HarfBuzzRun::characterIndexForXPosition (r124111)
[Chromium] HarfBuzzShaper can't handle segmented text run (r123991)
[Cairo] Add complex font drawing using HarfbuzzNG (r123864)

Jun 13, 2017
============
ASSERT_NOT_REACHED() is touched in WebCore::minimumValueForLength (r205056)
Simplify and inline minimumValueForLength() (r201401)
Subpixel rendering: Pixel crack in breadcrumbs at devforums.apple.com. (r170646)
REGRESSION (r167937): Do not use effective zoom factor while resolving media query's min-, max-(device)width/height values. (r169779)
vw/vh units used as font/line-height values don't scale with the viewport (r169407)
[iOS][WK2] Add support for minimal-ui viewports (r169245 partial)
Add valueForLength/minimumValueForLength wrappers to RenderElement. (r156166)
Bad cast in RenderBlock::splitBlocks. (r142922)
ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderListItem::positionListMarker (r142657)
Heap-buffer-overflow in WebCore::RenderBlock::clone. (r138988)
We incorrectly allow escaped characters in keyword tokens (r218111)
Arrow functions with concise bodies cannot return regular expressions (r207798)
[JSC] Fix the Template Raw Value of \ (escape) + LineTerminatorSequence (r203028)
fix "ASSERTION FAILED: currentOffset() >= currentLineStartOffset()" (r202768)
Drop the escaped reserved words as identifiers compatibility measure (r185414 + r185419 rolled out + r185437)
ES6: Add binary and octal literal support (r181497)
JSC Lexer is allowing octals 08 and 09 in strict mode functions (r172380)
Fix error messages for incorrect hex literals (r170079)
REGRESSION (r158586): callToJavaScript needs to save return PC to Sentinel frame (r159346 partial revisited)

Jun 09, 2017
============
TypeOf should be fast (r183724 complete)

Jun 08, 2017
============
ValueAdd should be constant folded if the operands are constant String,Primitive or Primitive,String (r207060 partial)
  Enable number optimization.
  
Jun 07, 2017
============
Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH. (r217869 partial)
ValueAdd should be constant folded if the operands are constant String,Primitive or Primitive,String (r207060 partial)
  Disable number optimization.

Jun 06, 2017
============
Scrollbar style resolution arguments should not passed via statics. (r143848)
Create WebCore/style and move StyleResolveTree there (r153785)
Move style recalculation out from Element (r153783)
Strengthen typing of detaching an Element from Document's :active chain. (r150744)

Jun 02, 2017
============
:hover style not applied on hover if its display property is different from original style's (r151282)

Jun 01, 2017
============
-webkit-margin-collapse: separate doesn't work correctly for before margins (r143617)
Changing position:relative to position:static results in mis-positioned div (r135670)

May 31, 2017
============
ASSERT repaintContainer->hasLayer() in WebCore::RenderObject::repaintUsingContainer (r179776 revisited)
Absolute position div without width specified does not reflow its text when it is moved (and computed width changes) (r146308)
<button> ignores margin-bottom. (r149407)
RelevantRepaintedObjects heuristic should ensure there is some coverage in the bottom half of the relevant view rect (r144395)
Border changes on tables with collapsed borders doesn't relayout table cells (r143377)
DidHitRelevantRepaintedObjectsAreaThreshold should not use the viewRect since that varies (r137959)
DidHitRelevantRepaintedObjectsAreaThreshold LayoutMilestone fires too early on some pages with iframes (r137224)
margin-top/bottom has no effect for child nodes of flex items (r132164)

May 30, 2017
============
Refactoring: Replace Element::disabled and isEnabledFormControl with isDisabledFormControl (r147135)
Rename HTMLFormControlElement::readOnly to isReadOnly (r146977)
Disabled file input box stops a certain other div from being rendered (r136915)

May 29, 2017
============
Refactoring: Pull Node::disabled() and Node::isInert() down to Element. (r146744)
Implement inert subtrees needed for modal <dialog> (r145340)
formenctype to have empty string as default value. (r141947)
formMethod to have empty string as default value and 'get' as invalid. (r141405)
Element::areAuthorShadowsAllowed should be private (r141277)
Remove all ShadowRoots during ElementShadow destruction (r141162)
Move ElementShadow creation to ElementRareData (r141132)
Clean up interface to ElementShadow (r141083)
Move hasAuthorShadowRoot to Element (r141005)
Node::containingShadowRoot should be constant time (r139273)

May 28, 2017
============
GTK+ and Qt build fix after r139833. (r139838 revisited)
NodeRareData doesn't need to have a vtable pointer (r139833 revisited)

May 26, 2017
============
Automatically handle suspend and resume of post attach callbacks (r136574)
Text nodes in shadow roots don't inherit style properly (r137418 revisited)
Replace NodeRareData hash map with a union on m_renderer (r133372 revisited)
Remove setRenderStyle in favor of callbacks on HTMLOptionElement and HTMLOptGroupElement (r132684)

May 25, 2017
============
Avoid computing style twice when element has no existing style (r148970)
Abspos Inline block not positioned correctly in text-aligned container (r140570)
Assertion parent->inDocument() failed in WebCore::PseudoElement::PseudoElement (r140452)
[FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage (r217202)
CSS Unit vmax and vmin in border-width not handled. (r156091)
CSS Unit vw in border-width maps to 0px. (r155624)
Implement 'vmax' from CSS3 values and units (r142021)
column-count: 0 should not prevent margin-collapse through (r130997)
Remove "orphaned units" quirk (r130668)

May 24, 2017
============
REGRESSION (r121599): incorrect border scaling when zoomed (r139798)
REGRESSION (r167937): Do not use effective zoom factor while resolving media query's min-, max-(device)width/height values. (r169779 partial)
CSS3 calc: expressions with 'em' units do not zoom correctly. (r127557)
CFGSimplificationPhase should not merge a block with itself (r217287)
Remove HTMLContentElement (r156381)
Remove stub HTMLContentElement (r150483)
Remove ContentDistribution (r150464)
Simplify Shadow DOM distribution code (r150430)
Remove unneeded counters from ScopeContentDistribution. (r150010)
Remove SelectRuleFeatureSet (r149708 revisited)
Remove more code that was only needed for younger/older shadow trees (r149628)
Remove concept of younger and older shadow trees (r149549)
Remove HTMLShadowElement (r149525)
Shadow DOM removal: Get rid of ContentSelectorQuery (r149507)
Remove TextFieldDecoration feature (r149015)
remoeveAllEventListeners() should be called to shadow trees (r146882)
Remove willAddAuthorShadowRoot and replace with alwaysCreateUserAgentShadowRoot (r141292)
Move ShadowRoot creation into ElementShadow (r141218)
Refactor ShadowRoot exception handling (r141175)
Distribution state becomes inconsistent with content/shadow reprojection (r140299)
[Shadow DOM] Refactoring: InsertionPoint could simplify its subclass hooks (r139400)
[Shadow DOM] Distribution related code on ElementShadow should be minimized. (r139269)
[Shadow DOM]: crash in WebCore::ElementShadow::setValidityUndetermined (r138923)
[Shadow] HTMLContentElement::getDistributedNodes() doesn't work correctly if not in document tree. (r137552)
[Shadow DOM] Implement HTMLShadowElement::olderShadowRoot (r137429)
Content element does not expose distributedNodes property. (r131701)
Needs internal API to return distributed nodes for InsertionPoint (r130926)
A shadow element in ShadowDOM of a button element does not work. (r126248)

May 23, 2017
============
We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter (r217200)
[JSC] Make get_by_val & string "499" to number 499 (r217199 partial)

May 19, 2017
============
[Shadow DOM] Distribution related code on ShadowRoot should be minimized. (r139128)
[Bindings] Simplify [RequiresExistingAtomicString] IDL extended attribute handling (r200562 partial)

May 17, 2017
============
[DFG] Constant Folding Phase should convert MakeRope("", String) => Identity(String) (r216948)

May 16, 2017
============
HTMLMediaElement: WebKitMediaKeys member name should be prefixed (r212289)
Improve URL length handling (r208861)
Ensure sufficient buffer for worst-case URL encoding (r208765)
strncpy may leave unterminated string in WebCore::URL::init (r208753)
URLs containing tabs or newlines are parsed incorrectly (r201740)
fast/loader/opaque-base-url.html crashing during mac and ios debug tests (r199199 + r199202)
URLs that start with http:/// and https:/// lose two slashes when parsed, causing assertion failure and inconsistent behavior (r174712)
<input type="search"> doesn't correctly handle the "size" attribute (r153647)
KURL creates duplicate strings when completing data: URIs. (r152951)

May 15, 2017
============
Move "using software CSS filters" optimization flag to RenderView. (r155301)
Remove [NoInterfaceObject] from TreeWalker (r151200)
Remove [NoInterfaceObject] from XPathExpression and NodeIterator (r151182)
Remove [NoInterfaceObject] from FileReaderSync and WorkerLocation (r150586 + r150590)
Remove [NoInterfaceObject] from several WebAudio IDL interfaces (r149920)
JSObject for ChannelSplitterNode and ChannelMergerNode are not created. (r142848)
Incorrect color space conversion for FEImage (r138250)
feImage should not be allowed to self reference (r132856)
An feImage that tries to render itself should be stopped (r131488)
Rename some AudioNodes (r131486)
WebKit+SVG does not support color-interpolation-filters or draw filters in correct colorspace (r125462)

May 12, 2017
============
Upgrade ES6 Iterator interfaces (r181077 partial)
[MSE] Implement Append Window support. (r178172 partial)
[MSE] Add support for SourceBuffer.mode. (r177225 partial)

May 11, 2017
============
[media-source] Support MediaSource.setLiveSeekableRanges() (r206146)
DFG should know how to speculate StringOrOther (r197649)
DFG+FTL should generate efficient code for branching on a string's boolean value. (r183495)
[Fetch API] Add support for iterating over Headers (r196128 partial)
Upgrade ES6 Iterator interfaces (r181077 partial)

May 10, 2017
============
[EME] Implement MediaKeySession::load() (r212110)
[EME] Implement MediaKeySession::sessionClosed() (r212109)
[EME] Implement MediaKeySession::updateKeyStatuses(), MediaKeyStatusMap (r212107)
Binding generator should make mutable CachedAttribute member fields (r190398)

May 09, 2017
============
[EME] MediaKeys::setServerCertificate() must resolve with 'false' when certificates aren't supported (r212356)
[EME] Implement MediaKeySession::remove() (r211857)
[EME] Implement MediaKeySession::close() (r211856)
[EME] Alias CDMInstance enums to the specification-defined enums (r211855)
putDirectIndex does not properly do defineOwnProperty (r216279 partial)
defineProperty on a index of a TypedArray should throw if configurable (r203096)

May 08, 2017
============
[EME] Implement MediaKeySession::update() (r211550)
Don't setOutOfBounds in JIT code for PutByVal, since the C++ slow path already does it (r190682)
[EME] InitDataRegistry should use base64url encoding and decoding for keyids (r211429)
MediaKeySession: use existing 'message' event name (r210798)
Add support for MediaKeys.generateRequest(). (r210555)

May 05, 2017
============
Add support for MediaKeys.createSession(). (r210552)
Add support for MediaKeys.setServerCertificate() (r210549)
Add support for MediaKeySystemAccess.createMediaKeys() (r210445)
Sync DOM exception types with WebIDL and update promise rejections (r201080)
Modern IDB: storage/indexeddb/exceptions.html fails. (r193428 partial)
[Streams API] Remove ReadableStreamController.enqueue() custom binding (r186231 partial)
Remove historical enums from ExceptionCode.h (r135277)
stress/call-apply-exponential-bytecode-size.js.no-llint failing on 32-bit debug for OOM on executable memory (r216180)

May 04, 2017
============
Different behaviour with the .sort(callback) method (unlike Firefox & Chrome) (r216137)
Handle non-function, non-undefined comparator in Array.prototype.sort (r207235)
Make builtin TypeErrors consistent (r203393 partial)
REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower (r185067)
REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower (r184926)
REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower (r184917)
Add implementation for navigator.requestMediaKeySystemAccess() (r209964 complete)
Allow session storage for third-party origins even if third-party data access is blocked. (r150490)
Change approach to third-party blocking for LocalStorage (r149326)
Allow blocking of IndexedDB in third-party contexts (r141418)
IDBFactory::webkitGetDatabaseNames should raise DOMExceptions. (r141090)
Extend third-party storage blocking API to optionally allow blocking all storage (r127956)
Allow blocking of Web SQL databases in third-party web workers (r126365)
Allow blocking of Web SQL databases in third-party documents (r125736)
Allow blocking of third-party localStorage and sessionStorage (r125335)
Add API for enabling blanket third-party data blocking (r124647)

May 03, 2017
============
Add implementation for navigator.requestMediaKeySystemAccess() (r209964 partial)
[Web IDL] Add support for having string enumerations in their own IDL file (r207937 partial)

May 02, 2017
============
Remove an overloaded strokeRect in <canvas> (r150137)
[Web IDL] Add support for [TreatNullAs=EmptyString] and use it (r197353)
Add username / password attributes to HTMLAnchorElement / HTMLAreaElement (r196890)
CharacterData::setData doesn't need ExceptionCode as an out argument (r195264)
URL::setUser and URL::setPass don't percent encode (r179933)
Attribute text in HTMLAnchorElement should behave as per specification. (r176213)
Adopt URLUtils interface and template in HTMLAnchorElement and HTMLAreaElement (r163699 + r163309)
Implement (most of) URL API (r163299)
[DOM4] Have ProcessingInstruction inherit CharacterData (r155340)
Factor URL decomposition methods (from URLUtils interface) into a base template (r123653)
Make atob() / btoa() argument non optional (r152859)
Web Inspector: Console: "time" and "timeEnd" should have same number of required arguments (r133881)
Add replaceWithLiteral() method to WTF::String (r133731)
HTMLBaseElement href attribute binding returns wrong URL (r132071)
[Web IDL] Specify default values for optional parameters of type 'float' / 'unrestricted float' (r200058 partial)
[Web IDL] Specify default values for parameters of type 'unsigned short' (r200037)
Autogenerated IDBFactory.open() does the wrong thing if you pass an explicit 'undefined' as the second argument (r199970)
[WebIDL] Drop [Default] WebKit-IDL extended attribute (r199969 partial)
[Web IDL] Mark DOMString parameters as nullable when they should be (r197156)
Drop [TreatReturnedNullStringAs=Undefined] WebKit-specific IDL attribute (r197139)
Drop [TreatReturnedNullStringAs=Null] WebKit-specific IDL attribute (r197060)
HTMLScriptElement.crossOrigin / HTMLImageElement.crossOrigin should only return known values (r196894)
Use Optional instead of isNull out argument for nullable getters (r192839)
[WebIDL] Specify default parameter values where it is useful (r190021)
Drop non-standard [IsIndex] WebKit IDL extended attribute (r189770)
CharacterData API parameters should not be optional (r189676)
Range API should throw a TypeError for null Node parameters (r189240)
Range.compareBoundaryPoints() should throw a NotSupportedError for invalid compareHow values (r189062)
NodeList should not have a named getter (r188829 partial)
constants are always typed to 'int' (r166413 revisited)
Don't synchronize attributes in reflect setters when we don't need to (r165046)
Range should be constructable. (r162601)
[Replaceable] attributes must be readonly (r149660)
Stop using "in" keyword in IDL files (r149368 partial)
[V8] HTMLDocument.all should have [Replaceable] (r144591)
Rename NATIVE_TYPE_ERR to TypeError (r134646)
Replaceable attributes should also have readonly (r132667)

Apr 27, 2017
============
Canvas fillText and measureText handle ideographic spaces differently (r155596)
[EME] Add no-op Web-facing APIs (r208539 partial)
[CodeGeneratorJS] Support enums for standalone dictionaries (r207768)
Update MessageEvent to stop using legacy [ConstructorTemplate=Event] (r207016 partial)
Change Notification constructor to take an IDL dictionary instead of a WebCore::Dictionary (r200607 partial)
Correct dictionary bindings handling of optional, null, and undefined (r200555)
[WebIDL] Drop [Default] WebKit-IDL extended attribute (r199969 partial)
Fix LayoutTests/canvas/philip/tests/2d.text.draw.space.collapse.nonspace.html (r125575)

Apr 25, 2017
============
Array.prototype.slice() should ensure that end >= begin. (r215768)
[Web IDL] Generated bindings include the wrong header when ImplementedAs is used on a dictionary (r207243)
Add support for ClipboardEvent (r206963 complete)
[Web IDL] Add support for dictionary members of dictionary types (r204589)
[Web IDL] We should resolve typedefs for dictionary members (r204273)
Add support for wrapper types in dictionaries (r204143)
Drop Dictionary from CanUseWTFOptionalForParameter() (r200099)
Fix CodeGenerator.pm to only write files if the generated content has changed (r167384 + r167474)
StrictTypeChecking extended attribute fails for methods with sequence<T> (r156157)
CodeGeneratorJS doesn't generate header includes for sequence<type> (r155718)
Clean up AddIncludesForType in JSC bindings generators (r151283)
Implement support for nullable types in the bindings generator (r145907)
Remove CodeGenerator::StripModule (r134849)

Apr 24, 2017
============
[WebIDL] Add support for having dictionaries in their own IDL file (r206877 partial)
[Bindings] Declare dictionary / enumeration template specializations in the header (r206812 partial)
Add the ability to override the implementation name of IDL enums and dictionaries (r204978)
cache parsed interfaces in CodeGenerator.pm (r147037)
[Bindings] Simplify [RequiresExistingAtomicString] IDL extended attribute handling (r200562)
Drop some unnecessary exception checking in the generated bindings (r200374)
Follow-up fix for: JavaScript bindings are unnecessarily checking for impossible empty JSValue arguments (r185377 revisited)
JavaScript bindings are unnecessarily checking for impossible empty JSValue arguments (r185373)
Use Vector instead of custom linked list for font families (r150716)
Move font-family applying code to StyleBuilder (r146014)
CanvasRenderingContext2D::setFont() is slow. (r137630)
Incorrect value of CSSStyleDeclaration#length when a shorthand property is inherit or initial (r135848 revisited)
Font value should be parsed as a individual property (r128076)
style->fontMetrics() should be available when setting line-height (r126959)
Relative units are not set when the canvas has not parent (r125663)
CanvasRenderContext2D::font() does not re-serialize the font (r125450)
CanvasRenderContext2D::setFont() should ignore inherited properties and default keyword value (r125118)

Apr 21, 2017
============
[Web IDL] Add support for dictionary inheritance (r206776)
Bindings do not throw a TypeError if a required dictionary member is missing (r206766 partial)
Add support for dictionary members of non nullable wrapper types (r204497)
Implement EventListenerOptions argument to addEventListener (r201757 partial)
[WebIDL] Add support for dictionary members of integer types (r200920)
[Bindings] Add convert<>() template specializations for integer types (r200556)
Streamline and remove unused bindings generation code (r200299 partial)
Next step on dictionary bindings, along with other bindings refinements (r200547 partial)
Clean up converting from JSValue to float / double in the bindings generator (r200528)
Enhance IDL compiler so it supports unrestricted float and double (r168302)
Look into possibilities of typedef in webkit idl files (r142865 revisited)
[JSC][FTL] FTL should support Arrayify (r215600 partial)
Start on dictionary support for IDL, getting enough to work for one dictionary (r200448 partial)
[WebIDL] Add support for default parameter values (r189957)
Follow-up fix for: JavaScript bindings are unnecessarily checking for impossible empty JSValue arguments (r185377)
Replace "Optional" extended attribute by proper Web IDL "optional" keyword (r149356)

Apr 20, 2017
============
Increase large animation cutoff (r215557 partial)
Add support for delete by value to the DFG (r200459 revisited)
[DFG] Convert ValueAdd(Int32, String) => MakeRope(ToString(Int32), String) (r215472)
[JSC] PredictionPropagation should not be in the top 5 heaviest phases (r199933)
Use the JITAddGenerator snippet in the DFG. (r192531 partial)

Apr 19, 2017
============
[Streams API] streams should not directly use Number and related methods (r192874 partial)
Math.{max, min}() must not return after first NaN value (r164819)
Follow up to debug build stack overflow in test after r215453 (r215474)

Apr 18, 2017
============
Crash when font completes downloading after calling 2D canvas setText() multiple times (r189421)
Function.prototype.apply has a bad time with the spread operator (r164738)
BytecodeGenerator ".call" and ".apply" is exponential in nesting depth (r215453 partial)
Array.concat should be fast for integer or double arrays (r186358 + r186363)
Force debug builds to do bounds checks on contiguous property storage (r141154)

Apr 17, 2017
============
Start on dictionary support for IDL, getting enough to work for one dictionary (r200448 partial)
test262: test262/test/built-ins/Object/prototype/toLocaleString/primitive_this_value.js (r215405)
Settings a reflected DOMString attribute to null should set it to the "null" string rather than the empty string (r195700)
EnforceRange doesn't enforce range of a short (r158521)
Cleanup MediaQueryListListener (r154035)
Support byte and octet types in bindings generators (r151563)
Get rid of [Callback] IDL extended attribute for parameters (r149257)
javascriptcore bindings do not check exception after calling valueToStringWithNullCheck (r147038)
[JSC] Implement EnforceRange IDL attribute for integer conversions (r146430)
[JSC] MAYBE_MISSING_PARAMETER(..., DefaultIsNullString) macro is redundant (r143304)
Add 'any' type to V8 bindings as a synonym for DOMObject (r128248)
ParseInt intrinsic in DFG backend doesn't properly flush its operands (r215387)
Intrinsicify parseInt (r212939)
Get rid of SVGPoint special case from the bindings generator (r152780)

Apr 13, 2017
============
SVG pattern data deleted while in use (r136250)
Horizontal and vertical lines are clipped completely if clip-path is included in the tag but the referenced element is defined later. (r180643)
Stop using deleteAllValues in SVG code (r155547)
[SVG] Cached filter results are not invalidated on repaint rect change (r142955)
Incorrect pattern scaling (r131974)
SVG Pattern pixelated on inline SVG with CSS transforms (r145541)

Apr 11, 2017
============
[Refactoring] Remove WebCore::isInsertionPoint(Node*) (r135251)
[Refactoring] Use isActiveInsertionPoint() instead of isInsertionPoint() (r132791)

Apr 10, 2017
============
[Fetch API] Headers should be combine with ',' and not ', ' (r206014 partial)

Apr 09, 2017
============
[HTMLTemplateElement] prevent the parser from removing nodes from the content when the foster agency is processing formatting elements (r141327)
parserAppendChild and parserInsertBefore should ensure that child nodes are in the same document (r141198)
REGRESSION(r140101): caused debug asserts in fast/forms/associated-element-crash.html and html5lib/run-template.html (r140537)
Ensure the parser adopts foster-parented children into the document of their parent. (r140101)
Properly process <template> end tags when in TemplateContentsMode (r138315)
[HTMLTemplateElement] Prevent first-level recursive <template> from resetting the implied context (r138059)
DOMImplementation.createDocument should call appendChild rather than parserAppendChild to add docType and documentElement (r136717)
HTML parser fails to propertly close 4 identical nested formatting elements (r128373)

Apr 07, 2017
============
Crash in flexbox when removing absolutely positioned children (r134683)
The parser doesn't properly protect against global variable references in builtins (r196525 partial)
Start on dictionary support for IDL, getting enough to work for one dictionary (r200448 partial)
Move IDL extended attributes to their correct location (r151714)

Apr 06, 2017
============
Eagerly reify DOM prototype attributes (r169703 revisited)
Indexed getters should return values directly on the PropertySlot. (r169668 revisited)
Make DOM properties exposed as instance properties use the base object instead of |this| (r169433)
JSDOMWindow should not claim HasImpureGetOwnPropertySlot (r168914 revisited)
Make some bindings improvements, with smaller code size for error message generation (r166864 partial)
Push DOM attributes into the prototype chain (r163562 revisitied)
Remove "numeric index getter" stuff from bindings code generator. (r167175)
Simplify bindings codegen for adding getOwnPropertySlot overrides (r160786 revisited)
Support latest Web IDL indexed property getters (r151499)
Support latest Web IDL named property getters (r151434)
Add initial support for [Unforgeable] IDL extended attribute (r189873)
JSC bindings generator should generate deletable JSC functions (r159100)
Remove the OperationsNotDeletable attribute from most of the WebIDL interfaces (r159061 partial)
[CSS Regions] Elements in a region should be assignable to a named flow (r147756 + r147983)

Apr 05, 2017
============
Move attributes to the instance for most interfaces that have "Error" in their name (r197874)
Added ClientRect as an interface that requires attributes on instance for compatibility. (r179406)
replaceable own properties seem to ignore replacement after property caching (r201428)
XHR should keep attributes on instance (r170534)
Navigator object needs to have properties directly on the instance object (r169260)
Can't make a booking at virginamerica.com (r168385)
Push DOM attributes into the prototype chain (r163562)
Simplify bindings codegen for adding getOwnPropertySlot overrides (r160786)
Get rid of IsWorkerGlobalScope and ExtendsDOMGlobalObject extended attributes (r152168 partial)
[JSC] REGRESSION(r135093): A form control with name=length overrides length property on form.elements (r139278)
DOM bindings should not be using a reference type to point to a temporary object (r183648)
window.history / window.navigator should not be replaceable (r196797)
Rename BarInfo to BarProp and remove [NoInterfaceObject] (r150045)

Apr 04, 2017
============
Ensure that all the smart pointer types in WTF clear their pointer before deref (r184316 partial)
Fix small leak in Collator (r179245)
Null pointer crash in String::append(UChar). (r166414)
Remove String::deprecatedCharacters (r166120 partial)
Avoid code duplication inside String::append() (r152289)
Remove 2 bad branches from StringHash::equal() and CaseFoldingHash::equal() (r146702 partial)

Apr 03, 2017
============
Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add(). (r214837 partial)
REGRESSION (r189567): Elements with aspect ratios not handled correctly inside flexbox. (201516)
REGRESSION (r189567): The top of Facebook's messenger.com looks visually broken (r199895 partial)
ASSERTION FAILED: computeMainAxisExtentForChild(child, MainOrPreferredSize, mainSize) in WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax (r191336)
min-width/height should default to auto for flexbox items (r189536 + r189538 + r189541 rolled out + r189567 partial)
Use Optionals in RenderBox height computations (r188873 partial)
Rename Length::isPercent() and Length::isPercentNotCalculated(). (r184055 partial)
Flexitems no longer default min-width to min-content (r147261)
Object with numerical keys with gaps gets filled by NaN values (r214714)
[ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed (r182189)
DFG can call PutByValDirect for generic arrays (r178370 partial)
Holes are not copied properly when Arrays change shape to ArrayStorage type. (r175249 + r175258 rolled out)
Simplified some JSObject methods for converting arrays to ArrayStorage shape. (r175240)

Mar 31, 2017
============
First step in using "enum class" instead of "String" for enumerations in DOM (r200288)
IDL parser should remove a leading "_" from identifier names (r156808)
do not use string reference for enum support in CodeGeneratorJS.pm (r146292)
Add IDL 'enum' support to CodeGeneratorJS.pm (r146161)
Drop width / height shorthands code from StylePropertyShorthand. (r178746)
Use inline capacity for StylePropertyShorthand Vectors. (r201559 revisited)
matchingShorthandsForLonghand builds map using a giant function (r155352)
Unprefix the flexbox CSS properties (r173579 partial)
Unprefix the flexbox CSS properties (r173572)
Remove the (dead) code for handling shorthands in StyleResolver / StyleBuilder (r144912)
String.prototype.replace incorrectly applies "special replacement parameters" when passed a function (r214662)

Mar 30, 2017
============
REGRESSION (r147261): Audio controls background not displayed after loading audio file (r149237)
Improve DeferredWrapper code (r206252 partial)
max-height property not respected in case of tables (r135891)
Specified width CSS tables should not include border and padding as part of that width. (r134265)
Remove stretchesToMinIntrinsicLogicalWidth (r143479)
Adapt inline SVG sizing behavior to Firefox and Blink (r168350 revisited)
Positioned, replaced elements with intrinsic width keywords compute the wrong width (r143539 revisited)
Intrinsic and preferred widths on replaced elements are wrong in many cases (r142931 revisited)
Remove unnecessary setNeedsLayoutAndPrefWidthsRecalc from RenderTable (r139680)
table not aligned in center column and seems shrunk because of float:right (table-layout: fixed and width: 100%) (r134017)
Table layout does not need to explicitly call computePreferredLogicalWidths (r140047)
RenderListItem does not need to override computePreferredLogicalWidth (r139693)
Recalculate borders at the beginning of table layout (r145104)
ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderTableSection::layout (r144837)
Increase the max preferred width of tables to 1000000 (r143801)
Negative text indents can break RenderBlock's inline maximum preferred width calculation (r142042)
Accumulating LayoutUnits with floats for determining block preferred width can lead to wrapping (r125591 + r125632)
REGRESSION (r146272): layout issues for flex boxes that have -webkit-flex-wrap: wrap (r146684 revisited)
Make intrinsic size keywords on flexboxes work (r146272)
Intrinsic width keyword values don't work for tables (r145424)
Inline min/maxInstrinsicLogicalWidth functions (r144816 revisited)
Add computeInstrinsicLogicalWidths functions to TableLayout subclasses (r143762)
Clean up computePreferredLogicalWidths functions in TableLayout subclasses (r143683)

Mar 29, 2017
============
Switching between two SVG images with no intrinsic sizes causes them to get the default SVG size instead of the container size. (r181720 revisited)
Twitter avatar moves when hovering/unhovering the "follow" button. (r176619)
REGRESSION: united.com has overlapping elements and is broken by flex box changes. (r150087)
Text flow broken in elements with vertical align top/bottom and inline elements taller than line-height (r149929 + r149930)
Float at exact multiple of line-height affects too many lines (r148523)
Auto height column flexboxes with border and padding are too short (r145937)
incorrect flexbox relayout with overflow, padding and absolute positioning (r138770 revisited)
Use always the order iterator from data member in RenderFlexibleBox (r136938)
Reduce the children repaints when moved multiple times during the layout (r136656)
While absolute positioning is put before the first flexitem, flexitems will move to a new line. (r133906)
Crash due to column span under button element (r133717)
Setting width of a flexitem causes the adjacent flex item to be displayed poorly. (r132395)
Implement absolutely positioned flex items (r129154)
Refactor duplicate code into RenderFlexibleBox::mainAxisContentExtent (r128494)
flex item sized incorrectly in a column flexbox with height set via top/bottom (r128383)
logicalLeftSelectionGap and logicalRightSelectionGap call availableLogicalWidth() multiple times (r149007 + r149009 + r149065 revisited)
Make loops in RenderObject::containingBlock homogeneous in their forms to simplify (r148759 + r148777 revisited)
Selection code spends a lot of time in InlineTextBox::localSelectionRect (r147008 revisited)
Make intrinsic size keywords on flexboxes work (r146272 revisited)
REGRESSION: WebKit does not render selection in non-first ruby text nodes. (r140613)
Nested fixed position element not staying with parent (r140024 + r140208 + r149640 revisited)
REGRESSION(r111439): Focus ring is rendered incorrectly in fast/inline/continuation-outlines-with-layers.html (r139223)
Unreviewed, rolling out r137632. (r138974)
REGRESSION(r136947): Made two tests fail on all platforms (Requested by tonikitoo-ll on #webkit). (r136954)
Regression r130057: Improper preferred width calculation when an inline replaced object, wrapped in an inline flow, follows some text. (r133292 revisited)
Regression r130057: incorrect block pref width for alternating InlineFlow and inline Replaced (r131359 revisited)
Deprecated flexboxes subtract scrollbar width/height twice (r130549)
RenderBlock incorrectly calculates pref width when a replaced object follows a RenderInline with width (r130057 revisited)
REGRESSION: hit test doesn't take iframe scroll position into account (r128462 revisited)
REGRESSION(r122501): replaced elements with percent width are wrongly size when inserted inside an auto-table layout (r128389 revisited)
Make RenderBox::computeLogicalWidthInRegion const (r127914 revisited)
Make computePositionedLogicalWidth and computePositionedLogicalWidthReplaced const (r127812 revisited)
Add a const version of RenderBox::computeLogicalHeight (r127549 revisited)
REGRESSION(r120832): RenderLayer::clampScrollOffset doesn't properly clamp (r127520 revisited)
Allow child-frame content in hit-tests. (r127457 revisited)
Make computeBlockDirectionMargins const (r127346 revisited)
Make RenderBox::computeInlineDirectionMargins const (r127157 revisited)
REGRESSION (r94492): Unstable layout of static block inside text-align: center div (r126911 revisited)
Make RenderBox::computePositionedLogicalHeight const (r126802 revisited)
Regression(r118248): Replaced element not layout (r125810 revisited)
REGRESSION (r109851): Video controls do not render (r125597)
REGRESSION(r117339): cell in block-level table in inline-block are aligned with their last line box (r125229 revisited)
REGRESSION (r123171): <svg> element with intrinsic size and max-width gets sized incorrectly (r125050 revisited)
Custom promise-returning functions should not throw if callee has not the expected type (r206011)
JS Built-ins should throw this-error messages consistently with binding generated code (r203766 partial)
Rename [GlobalContext] extended attribute to [Exposed] and align with WebIDL (r199587)
[JSC] Introduce @isObject bytecode intrinsic and use it instead of JS implemented one (r196276)
[ES6] Implement the latest Promise spec in JS (r186298)
Array.prototype methods must use ToLength (r184582 partial)
[ES6] Implement String.raw (r184287)
Add backed intrinsics to private functions exposed with private symbols in global object (r183785)
Introduce bytecode intrinsics (r182997)
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 partial)
Upgrade ES6 Iterator interfaces (r181077 partial)
Promise: Drop Promise.cast (r173681)

Mar 28, 2017
============
Rework FontFace promise attribute handling (r200546 partial)
ASSERTION FAILED: promise.inherits(JSPromise::info()) (r205729)
Avoid using strong reference in JSDOMPromises DeferredWrapper (r205257 partial)
Properly generate static functions that return Promises (r199012)
Promise-returning functions should reject promises if the callee is not of the expected type (r186312)
[Streams API] Remove ReadableStream and Reader cancel() custom binding (r186257 partial)
Improve JSDOMPromise callPromiseFunction naming (r185919)
Bindings generator should generate code to catch exception and reject promises for Promise-based APIs (r185739)
Bindings generator should generate code for Promise-based APIs (r185493)
JS binding generator should create a member variable for each Promise attribute of an interface (r184643 + r188334)
Notify Settings object when its Page object goes away. (r175347)

Mar 27, 2017
============
Refactor AudioContext implementation to enable automatic binding generation of promise-based methods (r185407 partial)
[EME] Add no-op Web-facing APIs (r208539 partial)
DeferredWrapper should clear its JS strong references once its promise is resolved/rejected (r185404 revisited)
AudioContext resume/close/suspend should reject promises with a DOM exception in lieu of throwing exceptions (r184651 partial)
AudioContext should resolve promises with jsUndefined() and not jsNull() (r184588)
[Streams API] ReadableStream constructor start function should be able to error the stream (r183991 partial)
[Streams API] ReadableStream constructor start function should be able to close the stream (r183395 partial)
[iOS] When Web Audio is interrupted by a phone call, it cannot be restarted. (r182141 partial)
[Streams API] Reading ReadableStream ready and closed attributes should not always create a new promise (r180559)
Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it. (r214374 partial)

Mar 24, 2017
============
[WebIDL] Support BufferSource (r207462)
Streamline and remove unused bindings generation code (r200299 partial)
Document should always have a Settings. (r211964)
Simplify some Settings access where we have a Frame in reach. (r154531)
Update WebKitMediaKeyMessageEvent / WebKitMediaKeyNeededEvent to stop using legacy [ConstructorTemplate=Event] (r207277 partial)
Array.prototype.splice behaves incorrectly when the VM is "having a bad time". (r214334)
[JSC] Use jsNontrivialString for Number toString operations (r214272)
Add support for ClipboardEvent (r206963 partial)

Mar 23, 2017
============
ENABLE_LEGACY_ENCRYPTED_MEDIA interfaces should have a hard-coded WebKit prefix (r206983 partial)
Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily. (r181297 revisited)
IndexedDB should use mostly ScriptWrappable DOM objects (r134040)

Mar 22, 2017
============
JITThunks keeps finalized Weaks around, pinning WeakBlocks. (r181250)
Extend create_hash_table to specify Intrinsic (r211306)

Mar 21, 2017
============
min-width/max-width of min-content/max-content don't work correctly if width is specified (r147245 revisited)
[DFG] ToString operation should have fixup for primitives to say this node does not have side effects (r214028)
[ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString (r182433)

Mar 20, 2017
============
First parameter to HTMLMediaElement.canPlayType() should be mandatory (r203806)
JSC: BindingNode::bindValue doesn't increase the scope's reference count. (r213742)

Mar 09, 2017
============
[Qt] Animations jump when the page is suspended (r132907)
Rename box-sizing applying methods to be more clear about just applying box-sizing. (r128130)
Add two missing variable initializers to RenderFlowThread (r126762)
Initialized m_hasNonEmptyList to fix a valgrind uninitialized read (r126727)
Bad rendering of web page because of image's height is set to 100% (r136347)
RenderBox::computeLogicalClientHeight is incorrectly named (r128371 fixed merge)
Convert <select> to new-flexbox (r145959)

Mar 08, 2017
============
Incorrect layout for blocks containing ideographs with -webkit-linebox-contain: glyphs, font, inline-box. (r149450)
Adapt inline SVG sizing behavior to Firefox and Blink (r168350 revisited)	
Move height/width implementation for use element from RenderSVGViewportContainer to SVGUseElement (r179069)
Vertical writing mode can overflow fixed size grandparent container (r138838)
Support proper <percent> / calc() resolution for grid items (r135965)
RenderGrid should have a function to resolve grid position (r134935)
SVGFitToViewBox::viewBoxToViewTransform() has to count for zero physical width and height before calling SVGPreserveAspectRatio::getCTM() (r183026)
SVG: Fix viewBox animations on shapes with non-scaling-stroke. (r149102)
[SVG] Suppress painting when an empty viewBox is specified (r146495)
SVGViewSpec fails when corresponding element has been removed (r140049 + r140056 rolled out + r140975)
[svg] Remove unnecessary rounding in SVGRootInlineBox::layoutRootBox (r140728)
Remove never-implemented CSS3 text decoration-related properties (r213567)
CSS3's vh attribute is not adjusting while browser resizes (r141492)

Mar 07, 2017
============
Ensure we compute the height of replaced elements to 'auto' when appropriate. (r170895)
When computing the percentage of the logical height, use the logical top and bottom (r147453)
RenderBlock minor clean-up: replace raw pointers with OwnPtrs. (r136288)
Source/WebCore: Track block's positioned objects like percent-height descendants (r125351 + r125353)
Move forward declaration of bindings static functions into their implementation files (r170042 partial)
Available height should respect min and max height (r139548)
When a block's height is determined by min-height/max-height, children with percentage heights are sized incorrectly (r138668)
Positioned replaced elements should resolve vertical margins against their containing block's logical width (r137695)
RenderBox::computePercentageLogicalHeight should use containingBlockLogicalWidthForContent (r135741)
image not displayed in flexbox (r130714)
[chromium] REGRESSION: Incorrect preferred width calculation for table cells (r129529)
Replace RenderMeter::updateLogicalHeight to RenderMeter::computeLogicalHeight (r129409)
Flexitem margins should be based on content width, not width (r128486)
RenderBox::computeLogicalClientHeight is incorrectly named (r128371)
Pass the logical height and logical top into RenderBox::computeLogicalHeight (r128238 revisited)
Make RenderBox::computeLogicalWidthInRegion const (r127914 revisited)
Add a const version of RenderBox::computeLogicalHeight (r127549)
Fix cross-direction stretch for replaced elements in column flexbox (r126503)
Flexbox doesn't need to compute logical height for stretched items in row flow (r126468)
Fix cross-direction stretch for replaced elements in row flexbox (r126257)
implement display: -webkit-inline-flex (r125262)
percentage margins + flex incorrectly overflows the flexbox (r124987)
Need to Remove Anonymous Wrappers When All Children Become Inline (r150527)
Support for CSS widows and orphans (r137200)

Mar 06, 2017
============
hasOverflowClip() does not necessarily mean valid layer(). (r191915 partial)
REGRESSION (r147373): Auto-sizing doesn't always respect minimum width changes (r147664)
Autosize should use documentRect height instead of scrollHeight (r147373)
REGRESSION(r176978): Inline-blocks with overflowing contents have ascents that are too large (r181292 partial)
REGRESSION (r179168): Characters overlap after resizing the font on the copy-pasted Japanese text (r186191)
The computed value of line-height:normal is incorrect (r179168)
Inline elements whose parents have small line-height are laid out too low (r176978)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 5) (r157705 partial)
Wrong linebox height, when block element parent has vertical-align property defined. (r152793)
REGRESSION(r140907) - Backport blink r149612 to fix vertical-align and rowspan issue (r149585)
REGRESSION(r140907): Incorrect baseline on cells after updating vertical-align (r149553)
REGRESSION(r140907): Incorrect baseline for cells with media content during load (r145305)
Split the intrinsic padding update code out of RenderTableSection::layoutRows (r130454)
Subpixel rendering: Buttons in default media controls shift vertically when controls fade in or out. (r169615)
RenderIFrame should display its name correctly in DRT output. (r159017)
Fix orphan needsLayout state in RenderTextControlSingleLine (r154036)
A placeholder renderer should not be taken to imply the existence of a text renderer in single line text controls (r146038)
Convert old flexbox uses in html.css to new flexbox (non-<select>) (r145977 + r146103)
RenderTextControlSingleLine should not assume that its text element has a renderer (r145239 + r145877)
Empty <button>s should collapse; empty <input type="button"> should not collapse (r144096)
Overflow can be cleared just before it is computed (r143627)
input element with placeholder text and width set to 100% on focus causes overflow even after losing focus (r143475)
REGRESSION(r120616): Cell's logical height wrongly computed with vertical-align: baseline and rowspan (r140907)
Fix enclosingLayoutRect calls in InlineFlowBox.h (r133903)
Fix margin box ascent computation in flexbox (r130553)
AutoTableLayout truncates preferred widths for cells when it needs to ceil them to contain the contents (r125694)
JSC: FunctionParameters are memory hungry. (r140947)
JSC: SourceProviderCache is memory hungry (r140945).
CodeBlock: Give m_putToBaseOperations an inline capacity (r132307)
[mac] REGRESSION (r122215): Animated GIF outside the viewport doesn't play when scrolled into view (merged r130573).
Figure out the exact space needed for parameter identifiers and use reserveInitialCapacity() (r129773).

Mar 03, 2017
============
Shrank the SourceProvider cache (r143279)

Mar 02, 2017
============
[Freetype] Properly support synthetic oblique in vertical text (r183680)
[GTK] Glyphs in vertical text tests are rotated 90 degrees clockwise (r158848 partial)
Cache support for OpenTypeVerticalData (r124397 partial)

Mar 01, 2017
============
Eliminate two large sources of temporary StringImpl objects. (r201645 revisited)
Static hash tables no longer need to be coupled with a VM. (r171824)
Constructors should eagerly reify their properties too (r169954)
Don't create a HashTable for JSObjects that use eager reification (r169789)

Feb 28, 2017
============
[iOS] Crash during font loading when injected bundle cancels load (r197570)
SVGResources should use HashSet<AtomicString> instead of HashSet<AtomicStringImpl*> (r130780)
SVG TextRuns do not always get RenderingContexts (r169400)
Fixing the !ENABLE(SVG_FONTS) build (r164485)

Feb 27, 2017
============
SVG: <altglpyh> for a surrogate pair character in a ligature fails (r138316)
[css shapes] Parse new ellipse shape syntax (r159954 revisited)
[css shapes] Parse new circle shape syntax (r159585 revisited)
[CSS Exclusions] The radius of a circle should be computed based on the shorter available dimension (r146938)
REGRESSION(r121789): Text not wrapping in presence of floating objects (r137331 revisited)
[CSS Exclusions] Enable shape-inside for multiple-segment polygons (r136729)
[CSS Exclusions] Support outside-shape value on shape-inside (r135314)
Support animation of basic shape 'polygon' (r134736)
Cleanup BasicShape blending check (r134679)
[CSS Exclusions] Basic shapes on 'shape-inside' should be animatable (r134678)
BasicShapes 'circle', 'rectangle', 'ellipse' should be animatable with themselves (r134352)
[CSS Exclusions] Add support for polygonal shapes (r130687)
[CSS Exclusions] Rename WrapShapeInfo to ExclusionShapeInfo (r129689)
[CSS Exclusions] shape-inside line segment layout should be based on line position and height (r129590)
[CSS Exclusions] Enable css exclusions for multiple blocks per element (r129530)
[CSS Exclusions] ExclusionShape API should use logical coordinates for input/output (r129411)
[CSS Exclusions] Enable shape-inside for percentage lengths based on logical height (r128786)
Typo in RenderStyle::isFlippedLinesWritingMode(), small refactoring possible (r128508)
[CSS Exlusions] add support for the basic shapes (r128083)
[CSS Exclusions] Enable shape-inside for simple rectangles (r126605)
CSS 2.1 failure: 'Text-indent' only affects a line if it is the first formatted line of an element (r125202)

Feb 24, 2017
============
Support <box> values parsing on 'clip-path' property (r161067)
[CSS Shapes] Parse [<box> || <shape>] values (r159526 partial + r161086)
Repaint issues with -webkit-svg-shadow used on a container (r133834)
SpeculativeJIT::compilePutByValForIntTypedArray should only do the constant-folding optimization when the constant passes the type check (r212909)
Ensure that the end of the last invalidation point does not extend beyond the end of the buffer. (r212908)

Feb 23, 2017
============
-webkit-clip-path property should just reference clipPath (r132682)
-webkit-clip-path should parse IRIs (r130592)
Add ClipPathOperation for -webkit-clip-path organization (r128700)

Feb 22, 2017
============
RenderLayerCompositor destructor is fragile (r152121)
Cache timer heap pointer to timers (r142652)
Add more missing exception checks detected by running marathon.js. (r212791)
Add missing exception checks detected by running marathon.js. (r212779 partial)	
Give scripts 'high' load priority (r211334)

Feb 21, 2017
============
JavaScriptCore should discard baseline code after some time (r189889 partial)

Feb 16, 2017
============
Parse a function expression as a primary expression (r179159)

Feb 15, 2017
============
The JIT should cache property lookup misses. (r175846 partial + r175849 + r175880 rolled in)
  Does not cause slow down https://www.youtube.com/tv browse-to-play	
Removed the global parser arena (r176756)
	
Feb 13, 2017
============
Inserting a JS generated keyframe animation shouldn't trigger a whole document style recalc (r156912)
Inserting multiple rules into an empty style sheet should avoid style recalc if possible. (r153829)
Inserting a rule into an empty style sheet shouldn't trigger style recalc unless necessary. (r153699)
Don't create Document's selector query cache just to invalidate it. (r151925)
Shrink WatchpointSet. (r161554)
REGRESSION(r130643): ASSERTION FAILED: result.iterator != end() below PluginDatabase::add (r132302)
Lower minimum table size of WTF::HashTable to reduce memory usage. (r130419 + r130436 rolled out + r130643)
Using float/double as WTF hash table key is unreliable. (r130639)
Deque: Free internal buffer in clear(). (r144630)
Vector should consult allocator about ideal size when choosing capacity. (r141716)
Vector::shrinkToFit should use realloc when suitable. (r127186 + r131623)

Feb 12, 2017
============
Constructed object's global object should be the global object of the constructor. (r212015)

Feb 10, 2017
============
Add ScriptWrappable to more WebCore classes which are commonly JS-wrapped (r135058)
Deploy ScriptWrappable to more always-wrapped objects (r135001)	
Clear the JSString cache when under memory pressure. (r168235)
Node::compareDocumentPosition leaks memory structure (r164920)
Deduplicate Document::encoding(). (r163184)
Jettison all StyleResolver data on memory pressure. (r160370)	
compareDocumentPosition() should report PRECEDING or FOLLOWING information even if nodes are disconnected (r153660)
compareDocumentPosition reports disconnected nodes as following each other (r143239)
RenderText::isAllCollapsibleWhitespace() shouldn't upconvert string to 16-bit. (r142529)	
RenderStyle should use copy-on-write inheritance for NinePieceImage. (r142404 revisited)
RenderText: Access characters through m_text instead of caching data pointers separately. (r142398)

Feb 09, 2017
============
Rename JSDOMWrapper.impl to JSDOMWrapper.wrapped (r191887 partial)
Refactor ImageLoader's setting of CachedImage (r181849)  

Feb 08, 2017
============
Stop image from displaying when src attribute is removed or emptied (r181897)
Assertion failure in WebCore::PseudoElement::didRecalcStyle() (r162679 partial + r166304)
Blocking a resource via Content Security Policy should trigger an Error event. (r126194 revisited)
[NoInterfaceObject] extended attribute should be removed for several interfaces (r149845)

Jan 31, 2017
============
The JIT should cache property lookup misses. (r175846 partial + r175849 + r175880)

Jan 25, 2017
============
[JSC] Optimize Number#toString with Int52 (r211128)	

Jan 24, 2017
============
[Shadow DOM][Refactoring] HTMLContentElement,HTMLShadowElement::m_registeredWithShadowRoot should be moved to InsertionPoint (r137233 complete)
[Shadow] ShadowRoot should cache InsertionPointList. (r136098)
[Shadow] Move Distribution stuffs from ShadowRoot (r136081)
Disable adding an AuthorShadowRoot to replaced elements. (r128856)
[Shadow DOM] Unpolished elements should reject author shadows (r128323)
[Shadow DOM][Refactoring] Element subclasses should have a way to reject author shadows. (r127811)
ShadowRoot insertion point change aborts css transition (r126789)

Jan 23, 2017
============
JSC: Simplify interface between throw and catch handler (r160213 partial)
[WK2] didRemoveFrameFromHierarchy callback doesn't fire for subframes when evicting from PageCache. (r206922)

Jan 20, 2017
============
REGRESSION(r127163): Respect clearance set on ancestors when placing floats (r159575 revisited)
Move all collapsing margin code out of RenderBlock and into RenderBlockFlow. (r155555)
Move layoutBlock and layoutBlockChildren into RenderBlockFlow (r155377 + r155390)
Merge handleSpecialChild into layoutBlockChildren (r143290)
Remove RenderWordBreak (r156038)
Get rid of isBlockFlowFlexBoxOrGrid(). (r155366)
Add new RenderBlockFlow class. (r155211 revisited)
[CSSRegions] No other SVG elements except the SVGRoot must have RegionInfo objects attached (r152293)
Flexbox should ignore firstLetter pseudo element. (r143993)
Convert buttons from DeprecatedFlexBox to nondeprecated FlexibleBox (r143643 + r144706 + r145265)
CSSRegions: crash positioned object with inline containing block in flow thread (r143312)
Flexbox should ignore firstLine pseudo element. (r143042)
Cannot click an element at 2nd line or more inside inline-block in vertical writing mode. (r138080)
Rename RenderObject::firstLineStyleSlowCase() to a more appropriate cachedFirstLineStyle() (r130694)
:first-line pseudo selector ignoring words created from :before (r130616)
JSCell::classInfo() belongs in JSCellInlines.h. (r171888)

Jan 19, 2017
============
Make the Web Inspector console work in strict mode with JavaScriptCore. (r146937)
Reserve capacity for StringBuilder in unescape (r210735 + r210752 rolled out + r210766)

Jan 18, 2017
============
REGRESSION(r152313): Inline-block element doesn't wrap properly (r176287 partial)
Rename InlineBox::isText() (r156025)
Add isTextOrBR() and use it (r155975)
RenderBR should not be RenderText (r155957 + r168364 + r171105 partial)
Move text caret rect computation to root inline box (r155949)
REGRESSION(r152313): Links in certain twitter postings don't warp correctly on page (r153061)
empty inlines should not affect line-wrapping (r152313)
Ignoring padding-right of inline elements in containers with undefined width (r151855)
Refactor adding a line break (r151922)
Remove unnecessary check in RenderBlockLineLayout::nextSegmentBreak() (r151919)
REGRESSION (r148367): Facebook and Twitter icons at macworld.com are stacked vertically, obscuring Twitter one (r151613)
Whitespace between inlines with nowrap and a shrink-to-fit parent gets a line-break when it shouldn't (r151518)
Breaking Float: floated block level element following inline element in floated container breaks to next line (r148622)
Call directly RenderBlock::deleteLineBoxTree (r148468)
Whitespace between nowrap elements ignored after collapsed trailing space in a text run (r148367)
Whitespace in particular source code changes rendering; does not in Firefox (r148027)
Padding applied twice for empty generated RenderInlines (r147505)
When we set word-wrap: break-word and xml:space="preserve" to svg text element, the text is collapsed. (r145215)
Inline Containing Only Collapsed Whitespace Not Getting a Linebox (r140693)
Crash in WebCore::InlineBox::deleteLine (r138654)

Jan 16, 2017
============
Move :active chain participation state from Node to Element. (r150722)
Move "active" state logic from Node to Element. (r150715)
Move Node::dispatchSimulatedClick() to Element. (r150714)
Begin moving "focus" state logic from Node to Element. (r150686)
Move "hover" state logic from Node to Element. (r150684)
ContainerNode::setActive should not sleep for 100ms on platforms that do not implement synchronous repaint(true) semantics (r144795)
Remove redundant code in Document::updateHoverActiveState. (r144741)
Dynamically styling ShadowDom content on a node distributed to another shadow insertion point fails. (r126275)

Jan 13, 2017
============
Implement run-in remove child cases. (r150155)
Add covariant RenderElement* Element::renderer() (r156144 + r156181)
[Freetype] Some text in Planet GNOME renders in the wrong place (r96378 revisited)

Jan 12, 2017
============
Remove JSInlineGetOwnPropertySlot attribute as it is no longer necessary (r160775)
Add RenderElement (r156102 complete)
Add RenderObject bit for isBR(). (r155962)	
Remove the quirk margin bits from RenderObject and put them back in RenderBlock. (r144344)
Refactor logic for relaying out children out of RenderBlock::styleDidChange (r143950)
Padding and border changes don't trigger the relayout of children in some cases. (r143284)
Padding and border changes doesn't trigger relayout of children (r142889 + r142962 rolled out + r143092)
Re-layout child blocks when border/padding of the box-sizing:border-box parent is updated (r140854)

Jan 11, 2017
============
Fix an out-of-bound read decoding WebP animation frames (r156137)
Add animation support for WebP images Animation support was added to WebP in v0.3.0. (blink r153187 + r153588 + r153598)
Re-read the frame buffer.getAddr(0,0) address every time through the decode() routine (partial decodes) (blink r148528)
Remove libqcms support (r197171)
Turn width/height to presentation attributes (r171341)	
Shrink SVGElement::cssPropertyIdForSVGAttributeName and cssPropertyToTypeMap (r155969)
Element: Devirtualize attribute synchronization functions. (r143114)    
	
Jan 10, 2017
============
REGRESSION (Safari 10 / r189445): WKWebView and WebView no longer allow async XMLHttpRequest timeout to exceed 60 seconds (r208101)
REGRESSION(r204163): Web Inspector: Page crashes when Inspector tries to load insecure SourceMap (r209784 partial)
DocumentThreadableLoader should report an error when getting a null CachedResource (r204163)
XHR abort() event firing does not match spec (r192361)
Removing XHR_TIMEOUT guard (r190025)
Correct DOMWindow handling during FrameLoader::clear (r210288)
Crashes in PageConsole::addMessage (r166551 partial)
Delete Frame::domWindow() and Frame::existingDOMWindow() (r125615)
REGRESSION(r162744): wsj.com paints white (r162763)
Update style asynchronously after style sheet load (r162744)
Document::updateHoverActiveState() should allow for deferred style recalcs (r155071)
Removing a <link> element with an empty stylesheet shouldn't trigger style recalc. (r153672)
Removing an empty style sheet shouldn't trigger style recalc. (r153641)
Unset :hover in inner documents (r148672 partial)
Move side-effects on hover/active state out of hit-testing (r145126)
Make sure that clearOwnerNode also clears StyleResolver references (via didMutate). (r144713)
Document::setActiveNode() should be Document::setActiveElement() (r139199)
Document::m_activeNode should be always an Element. (r139029)
IsActiveFlag, IsHoverFlag, InActiveChainFlag can be unified. (r137277)

Jan 09, 2017
============
Bindings: Remove special cases for DOMString[] (r139641)
Add support for generic types in arrays and sequences to the code generators (r136507 complete)
IndexedDB: Use sequence<> instead of DOMString[] in IDL (r134342)
Wrap CSS length conversion arguments in an object (r167937)
[shadow] styleForText should consider the case where parent node has no style (r146967)
Crash at RenderStyle::inheritFrom reported by fuzzer (r145885)
Text nodes in shadow roots don't inherit style properly (r137418)
Remove SVGShadowText class (r135544)
REGRESSION (Safari 6 - ToT): Incorrectly assumes that RenderStyle data can be shared (r153608 + r153634 rolled out + r167716)
Stop throwing away the Document's StyleResolver on a timer. (r166740)

Jan 06, 2017
============
Crash in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients (r166628)
Invalid cast in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients() (r165206)
Build broken when svg is disabled. (r140845)
Merge RenderObjectChildList::appendChildNode and insertChildNode (r139940)
CSS url() filters with forward references don't work (r136975 + r137463 rolled out + r138823)
REGRESSION (r135455): Compilation without SVG enabled broken (r135583)
Make CachedSVGDocumentReference independent of FilterOperation (r135455)
Change ReferenceFilterOperations to reference (own) the data passed to them. (r132528)
Regression (r145601): out-of-bounds read in line breaking / new width cache (r146954)
Add a single character cache to WidthCache (r145601)
Optimized kerning and ligatures using caching (r133921)	    

Jan 05, 2017
============    
Cleaned up the Font class in preparation for optimizing kerning and ligatures (r133534)	
Encapsulate FontGlyphs (r150730)
Tighten FontGlyphs interfaces to take FontDescription instead of Font (r150747)
Rename FontFallbackList to FontGlyphs (r150727)
SVG classes cause layering violations in platform Font code (r133290)

Jan 04, 2017
============
Move BindingSecurity stuff under JSDOMBinding umbrella. (r158997)
	
Jan 03, 2017
============
[SVG2] support paint-order presentation attribute (r165595)
Regression(r182517): WebSocket::suspend() causes error event to be fired (r182901)
Open WebSockets should not prevent a page from entering PageCache (r182517)
Web Core: Websocket state should be set to closed in didReceiveMessage call back. (r173642)	
[WebSocket] Ignore incoming message in CLOSING state (r148019)
[WebSocket] send() and close() should not throw an exception for an unpaired surrogate but use the replacement character (r134515)

Dec 16, 2016
============
RenderView does not need to override computePreferredLogicalWidth (r139749)
Move updateHoverActiveState to Document. (r128468)
Rename HitTestPoint and pointInContainer (r126859)
Remove extraneous includes (HTMLElement, SVGElement, GlyphBuffer, Clipboard) (r127752 partial)	
[SVG2] Merge SVGStyledElement and SVGElement (r154462)
Reduce number of header includes in SVG (r152553 revisited)
Introduce DECLARE_FORWARDING_ATTRIBUTE_EVENT_LISTENER() macro (r152451)

Dec 15, 2016
============
Have SVGTextContentElement inherit SVGGraphicsElement (r152404 + r152409)
Move SVGTests attributes parsing to SVGGraphicsElement (r152343)
Remove SVGStyledLocatableElement class (r152299)
Try to fix the build after r128006. (r128009)
Introduce SVGGraphicsElement IDL interface (r152167)
BytecodeBasicBlock::computeImpl() should not keep iterating blocks if all jump targets have already been found. (r209820)

Dec 14, 2016
============
Add getElementById to DocumentFragment (r184435)
Introduce ParentNode.idl / NonDocumentTypeChildNode.idl (r184042)
Element Traversal is not just Elements anymore (r184034)
Merge SVGLangSpace into SVGElement (r152156 + r152157)
Update SVG interfaces to stop inheriting from SVGURIReference and SVGTests (r152120)
Automatically generate WorkerContext constructor attributes (r151169)
Stop inheriting SVGExternalResourcesRequired, SVGFitToViewBox and SVGZoomAndPan (r151988)	
Get rid of multiple inheritence for SVGViewElement interface (r151985)
Refactor SVGSVGElement to inherit from SVGStyledTransformableElement (r140267)

Dec 13, 2016
============
Web Inspector: console.time() should use performance.now() (r126276)
Replace currentTime() with monotonicallyIncreasingTime() in WebCore (r154706)
Replace currentTime() with monotonicallyIncreasingTime() in WebCore (r154201)
HTMLParserScheduler gets into an inconsistent state when suspended for reasons other than WillDeferLoading (r153407)
Active DOM object resumption should match reason for suspending (r150560)

Dec 12, 2016
============
Implement KeyboardEvent constructor (r141346)
Implement UIEvent constructor (r140493)
Inline JSCell::toObject() (r209636)

Dec 09, 2016
============
Implement OfflineAudioContext constructor (r137516)
[GTK] Generated files are regenerated always (r149887)
touching any idl rebuilds all derived sources (r151675)
Add support for [NoInterfaceObject] Web IDL extended attribute (r149796 + r149805)
Add support for Web IDL callback interfaces to the bindings generator (r149113)
Unprefix IndexedDB (r129385)
VoidCallback should not be a special snowflake (r125745)

Dec 07, 2016
============
Merge SVGStylable into SVGStyledElement (r140265)
Commented IDL implements statements should not impact code generation (r151912)
Move IDL implements statements to IDL files that implement the interface (r151896)
[Win] IDLParser.pm fails to parse OESTextureHalfFloat and causes a build failure (r144575)
Look into possibilities of typedef in webkit idl files (r142865)
[V8] Add IDL 'enum' support to CodeGeneratorV8.pm (r141360)
Add support for generic types in arrays and sequences to the code generators (r136507 partial)
Remove 'module' from IDL parser (r135547)
[WebKit IDL] remove all module from idl files. (r131145)
PureNaN: fix typo (r209429)
YARR uses mixture of int and unsigned values to index into subject string (r203206)

Dec 06, 2016
============
Null dereference in Performance::Performance(WebCore::Frame*) (r192582)
Reduce resolution of performance.now. (r186208)
Record the reference time when Performance is constructed. (r183795)
performance.now can crash if accessed from a window that has navigated (r179937)
Implement WebIDL implements (r151740 partial)
Add support for [NoInterfaceObject] Web IDL extended attribute (r149796 partial)
Add support for Web IDL partial interfaces to the bindings generator (r149170 partial)
Speed up supplemental dependency computation (r139331)
[chromium] don't write additional idl files to a gyp temp file (r137519)
[WebKit IDL] move extended attributes to left of interface, exception... (r131172)

Dec 05, 2016
============
unprefix window.performance.webkitNow() (r131106)
DOM4 remove method (r129400)
Remove IDLStructure.pm (r135129)
Rename idlDocument::classes to idlDocument::interfaces in the IDL parser (r135203)
ASSERTION FAILED: animatedTypes[0].properties.size() == 1 in WebCore::SVGAnimatedTypeAnimator::constructFromBaseValue. (r177166)
Automatically generate template specializations for most Elements (r174050 partial)
Introduce toSVGAnimateElement(), and use it (r154266)
Reduce number of header includes in SVG (r152553)
Crash in WebCore::RenderListItem::updateMarkerLocation (r124783 revisited)
		
Dec 02, 2016
============
Merge HTMLBodyElement::didNotifySubtreeInsertions into HTMLBodyElement::insertedInto (r156072)
Consider all ancestors not just parentElement when disconnecting frames (r140856)
Assert the connectedSubframeCount is consistent and fix over counting (r140807)
Track subframe count to avoid traversing the tree when there's no subframes (r140090)
ContainerNodeAlgorithm::notifyInsertedIntoDocument is not used (r137564)
Disable frame loading instead of throwing exceptions on subtree modifications in ChildFrameDisconnector (r134528)
Make Frames and HTMLFrameOwnerElement less friendly (r134350)
Skip frame owner disconnect when there's no frames (r133933)
InsertionShouldCallDidNotifyDescendantInsertions should be merged to InsertionShouldCallDidNotifySubtreeInsertions (r126136)
DOM mutation against including <link> shouldn't trigger pending HTML parser. (r125988)
Prevent inconsistent firstChild during document destruction (r142899)
Replace documentFragmentIsShadowRoot with isTreeScope (r138404)	
ContentDistributor and ShadowRootContentDistributionData should use RefPtr to hold elements. (r137717 partial)
ASSERT(!m_inRemovedLastRefFunction) in Element::addShadowRoot while destroying a document (r169708)

Dec 01, 2016
============
[Shadow DOM] registering InsertionPoints to ShadowRoot should work out of a document. (r137421)	
[Shadow DOM][Refactoring] HTMLContentElement,HTMLShadowElement::m_registeredWithShadowRoot should be moved to InsertionPoint (r137233 partial)
Node::compareDocumentPosition returns wrong value for a node in the different shadow tree. (r136087)
Shrink ShadowRoot and TreeScope. (r135939 partial)
[Shadow] Attaching children of a shadow host takes O(N^2) where N is the number of host children (r135689)
[Shadow DOM][V8] Assertion failure when shadow host is reclaimed before ShadowRoot (r135456)
[Refactoring] Remove shadowPseudoId() and use setPseudo() in <progress> ElementShadow. (r135249)
Prevent creation of detached frames in ShadowRoot (r134775)
[Refactoring] Remove shadowPseudoId() and use setPseudo() in <meter> ElementShadow. (r134420)
Don't update style when attaching in HTMLMeterElement (r134196)
[Refactoring] Remove shadowPseudoId() and use setPseudo() in HTMLKeygenElement (r134189)
[Refactoring] Remove shadowPseudoId() and use pseudo() instead in TextTrackCue (r134020)
[Shadow] Style should update when 'pseudo' attribute is dynamically updated (r133769)
[Shadow] ShadowRoot type is not set correctly. (r133443)
[Shadow] ShadowRoot should have a method to return ShadowRootType. (r133435)
[Refactoring] Move initial style setting for ProgressValueElement from attach method to createShadowSubtree method in HTMLProgressElement. (r133124)
The shadow element is not reprojected to a nested ShadowRoot. (r132760 revisited)
The order of resolving distribution in tree composition is wrong. (r132237)
Assertion failed at WebCore::toInsertionPoint / WebCore::ContentDistributor::distribute (r132176)
Refactoring around ContainerNode::attachChildren (r132168)
[Shadow] ASSERT triggered when we try reprojecting fallback elements. (r132047)   
Web Inspector: Shadow DOM: Node removal doesn't reflect. (r132024)
Elements assigned to <shadow> should not be reprojected. (r131910)
REGRESSION(r131464): Null-pointer crash in StyleResolver::styleForElement (r131758)
Assertion failure at TreeScopeAdopter::moveNodeToNewDocument() (r131709)
Make ContentSelectorQuery work when siblings are passed explicitly. (r131068 revisited)
Move parent pointer from TreeShared to subclass (r139751)	
Crash when accessing an item in SVGTransformList and then removing a previous item from this list. (r180129)	
SVGAnimateElementBase::calculateAnimatedValue() asserts when reinserting an SVG animating element within the same animation limits (r183085)
Should never be reached failure in WebCore::floatValueForLength (r205392)
SVG SMIL animations run at less than 60fps (r200171)
CSS and SVG animations should run at 60fps (r200164)
Fix ASSERTION FAILED in WebCore::SVGLengthContext::determineViewport (r160774)
Use OwnPtr instead of deleteAllValues in SVGAttributeToPropertyMap (r149632)
	
Nov 30, 2016
============
REGRESSION: GuardMallloc crash in SVGListPropertyTearOff<SVGPointList>::processIncomingListItemWrapper (r197967 partial)
ASSERTION FAILED: resultAnimationElement->m_animatedType (r147581)
SVG text path referencing parent text infinite loops (r146515)
Assertion faulire in SVGAnimatedPath. (r146083)
SVGDocumentExtensions should use OwnPtr for pending resource maps. (r145333)
Crash in SVGViewSpec::viewTarget (r145013)
SVG pattern to pattern reference does not work if first pattern has a child node (r144948)
Crash when accessing an item in SVGLengthList and then replacing it with a previous item in the list. (r180128)
Prevent crash in animated transform lists (r143859)
Stop starting animations when leaving a page (r143640)
[SVG] Update of element referenced by multiple 'use' nodes is absurdly slow (r143498)
Fix 'slice' aspect ratio calculation (r143389)
Sanitize m_keyTimes for paced value animations (r142365)
Refactoring: The name ContainerNode::removeChildren and ContainerNde::removeAllChilren() is confusing (r140784)
Invalidated SVG shadow tree should be always detached. (r140520)
[SVG] Suppress resource rebuilding for unattached and shadow elements (r139457)
fastAttributeLookupAllowed: classAttr is only animatable by SVG styled elements (r138296)
Clear m_timeContainer on SVGSMILElement removal. (r137701)
SVG <use> element inside an svg-as-image fails (r136845)
Stale SVGUseElement reference in CachedResource::checkNotify() (r136541)
Crash when mixing layers, foreignObjects and SVG hidden containers (r133521)
SVG as an image may recreate the renderer on zoom (r133155)
Prevent NaN offset values in ElementTimeControl. (r132724)
Fix a operator ordering bug in SVGSMILElement::calculateAnimationPercentAndRepeat (r132715)
Recursively detach SVGElementInstances (r130855)
SVGAttributeHashTranslator does not need to copy QualifiedName in the common case (r130456)
Remove overzealous assert in SVGElement::localAttributeToPropertyMap (r130011)
<use> not working when the SVG doc is embedded as <object> data (r128702)
getScreenCTM returns different values depending on zoom (r128309)
Roll out r126056 and r126626 (r126693)
ASSERTION FAILED: !attached() in WebCore::Node::attach() (r126657)
Refactor SVGMaskElement to inherit from StyledElement (r125971)
[SVG] load events shouldn't be fired during Node::insrtedInto() (r125147)

Nov 29, 2016
============
Cache calcMode() value for SVG animations. (r132755)
Fix target element handling in SVGSMILElement. (r137509)
Unify SVG's animation and target tracking systems. (r136906)	
mpath elements do not clear resource lists before destruction (r134851)
Cache animationMode() in SVG animations. (r133074)
Let SVGElements have pending resources. (r132847)
Prevent animation when CSS attributeType is invalid. (r130777)
Refactor SMILTimeContainer to maintain animation information instead of recalculating it every frame (r129670)
Source/WebCore: Remove unnecessary codepaths in SMILTimeContainer::updateAnimations (r128131)
ASSERTion failure when SVG element is removed from document and readded (r127474)

Nov 28, 2016
============
[JSC] DFG should support relational comparisons of Number and Other (r199639 revisited)  
Allow for Int52Rep to see things other than Int32, and make this testable (r171096 complete)
mandreel throws a checksum error on 32-bit x86. (r166440 similar, use SegmentedVector which does not move)
Infer constant global variables (r159545 revisited)  
[ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state (r170092)

Nov 25, 2016
============
Allow for Int52Rep to see things other than Int32, and make this testable (r171096 partial)
Non-speculative Branch should be fast in the FTL (r185002 partial)
Creating a new blank document in icloud pages causes an AI error: (r184318 partial)
[JSC] DFG should support relational comparisons of Number and Other (r199639 revisited)  
Infer constant global variables (r159545 revisited)

Nov 24, 2016
============
DFG::StrCat isn't really effectful (r189075 revisited)
Introduce SymbolType into SpeculativeTypes (r184340 revisited)
Constructor returning null should construct an object instead of null (r180587 partial revisited)
[ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values (r170016)
DFG::ByteCodeParser shouldn't call tryGetConstantProperty() with some StructureSet (r188292 partial)
  if it isn't checking that the base has a structure in that StructureSet
Structures used for tryGetConstantProperty() should be registered first (r188067)
TypeOf should return SpecStringIdent and the DFG should know this (r183548 partial revisited)
[ftlopt] AI should be able track structure sets larger than 1 (r169588 partial + r171381)
Rename hasFastArrayStorage to be more appropriate (r166292)
FTL should inline polymorphic heap accesses (r164207 partial)	
[ftlopt] A StructureSet with one element should only require one word and no allocation (r169148)

Nov 22, 2016
============
ES6: Implement Array.from() (r180370)
ES6: Support Array.of construction (r178662)
Number.parseInt is not === global parseInt in nightly r182673 (r182938)
Number.parseInt in nightly r182673 has wrong length (r182863)
Simple ES6 feature: Number constructor extras (r174049 + r174066)
FTL should use cvttsd2si directly for double-to-int32 conversions (r160205 revisited)	
[JSC] On x86, improve the selection of which value are selected for the UseDef part of commutative operations (r196513 partial)
[JSC] Add Float support to B3 (r193683 partial)	
B3 should have a Select opcode (r192699 partial)
Add conditional moves to the MacroAssembler (r192131)
Make the CSS JIT compile for ARM64 (r167557 partial)
[x86] Improve code generation of byte test (r165009)
Add an utility class to simplify generating function calls (r160881)
Change Set 154207 causes wrong register to be used for 32 bit tests (r154298)
[JSC] x86: improve code generation for xxxTest32 (r154207)

Nov 21, 2016
============
Constant folding of typed array properties should be handled by AI rather than strength reduction (r182498 revisited)
Remove unneeded moving of ESP to ECX in callToJavaScript for COMPILER(MSVC) (r158857)
DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks (r188764 partial)
DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser (r180989 partial)
  should not pretend that it's a constant as that breaks OSR exit liveness tracking	
DFG should have a separate StoreBarrier node (r160796 partial revisited)	
JSC should have property butterflies (r128400 revisited)

Nov 18, 2016
============
[ftlopt] DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling (r168780 revisited)
  coverage due to variable constant inference and the better prediction modeling of typed array GetByVals

Nov 16, 2016
============
BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope. (r178926 partial)
REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked (r177578 partial)
op_captured_mov and op_new_captured_func in UnlinkedCodeBlocks should use the IdentifierMap instead of the strings directly (r162390 partial)
Infer constant closure variables (r160109)
DFG should have a separate StoreBarrier node (r160796 partial)
Instead of watchpointing activation allocation, we should watchpoint entry into functions that have captured variables (r159942)
Infer one-time scopes (r159834 + r159836)
Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString. (r208767 partial)

Nov 15, 2016
============
Unsafe JavaScript attempt errors are ludicrously verbose and annoying (r145692)
REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly. (r168443 partial)	
Restructure global variable constant inference so that it could work for any kind of symbol table variable (r159798)
[MIPS] Build fails since r159545. (r159635)
Fix CPU(ARM_TRADITIONAL) build after r159545. (r159571)
[armv7][arm64] Speculative build fix after r159545. (r159564)
Infer constant global variables (r159545)

Nov 14, 2016
============
RegExpObject::exec/match should handle errors gracefully. (r208698 partial)
[ftlopt] Infer immutable object properties (r170855 partial)   
Extract URL that doesn't inherit a parent's SecurityOrigin out into a constant. (r147526 revisited)
XSSAuditor should block pages by redirecting to a sandboxed data: URL. (r143644)
document.referrer leakage with XSS Auditor page block (r142063)
XSS blocker false positive when page contains <iframe src=""> (r133249)
XSSAuditor must replace form action with about:blank when reflected action detected. (r132511)
XSSAuditor too tolerant of injected data: URLs from other "hostless" schemes. (r126120)
Follow-up fix to r208639. (r208643)
test262: DataView with explicit undefined byteLength should be the same as it not being present (r208640)
test262: DataView get methods should allow for missing offset, set methods should allow for missing value (r208639)

Nov 11, 2016
============
Document.URL / Document.documentURI should return "about:blank" instead of empty string / null (r195485)
X-Frame-Options: Blocked frames should not inherit their parent's SecurityOrigin. (r147530)
Extract URL that doesn't inherit a parent's SecurityOrigin out into a constant. (r147526)
Begin to make XSSAuditor thread aware (r141494)
Support X-XSS-Protection: report=URL header syntax in XSSAuditor. (r133323)
Source/WebCore: Malformed X-XSS-Protection headers not reported. (r133066)
DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed (r180160 partial)
REGRESSION (r149749): Video becomes invisible when it starts playing at newyorkbygehry.com (r149989)
test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex) (r208564)
[ARM] Unreviewed buildfix after r208450. (r208533)
     
Nov 10, 2016
============
[JSC] The implementation of 8 bit operation in MacroAssembler should care about uint8_t / int8_t (r208450 partial)
[JSC] Mask TrustedImm32 to 8bit in MacroAssembler for 8bit operations (r203331)
MIPS: add MacroAssemblerMIPS::store8(TrustedImm32,ImplicitAddress) (r199372)
[JSC] Improve codegen of Compare and Test (r197652 partial)     
REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values (r201254)
DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace (r199075 partial)
load8Signed() and load16Signed() should be renamed to avoid confusion (r182098)
CStack Branch: Get ARM working (r162705 partial)
REGRESSION (r159395): Error compiling for ARMv7 (r159521 revisited)
Math.min()/Math.max() with no arguments is lowered incorrectly in the BytecodeParser (r208496)	 

Nov 09, 2016
============
Start fixing the handling of Element's attributes when they contain non-ASCII characters (r179323)
selectors should match attribute name with case sensitivity based on element & document type (r153631)
Move attributeNameMatches from SelectorChecker to its proper place on Attribute. (r140235)
Class name matching should use ASCII case-insensitive matching, not Unicode case folding (r169358)
Simplify and clean SpaceSplitString (r154780 + r154782)
Clean ClassList and DOMSettableTokenList (r154707)
Remove DOMSettableTokenList's overload of add() and remove() (r154667)
REGRESSION (r153005): Crash in SpaceSplitString::spaceSplitStringContainsValue on Facebook (r153685)
Do not allocate 2 AtomicString just to do a comparison in HTMLAnchorElement::setRel() (r153005)
Removed a using declaration to avoid name conflicts (r146273)
Make ClassList::reset's purpose obvious and don't keep quirks string when not needed (r138691)
Fix issue with ClassList which was hitting an assert in debug mode (r129798)
DOM4: Add support for rest parameters to DOMTokenList (r129779)

Nov 08, 2016
============
document.createEvent("eventname") should do a case-insensitive match on the event name (r189282)
Add String literal overloads to equalIgnoringASCIICase() (r184341)
Change the exact attribute matching to be ASCII case-insensitive (r181512 partial)
Remove a bunch of redundant checks for empty string in StringImpl (r153686)
String::lower() - Skip to slow path on the first failure (r153007)
Little cleaning of StringImpl::lower() and StringImpl::upper() for ARM (r152881 + r152883)
Improve StringImpl::constructInternal() method (r152595)
Remove code duplication from StringImpl create()/reallocate() methods (r152415)
Add 8 bit handling to SpaceSplitString (r128694)
Unreviewed, rolling out r133841. (r133848)
Unreviewed, rolling out r133428 and r133749 (r133841)
[Shadow] Use setPseudo() instead of setShadowPseudoId(). (r133749 partial)
[Shadow] Implement custom pseudo-elements styling (r133428)
	
Nov 07, 2016
============
Fix a bunch of mistakes in the parsing of ::cue( and ::cue (r165579)
Some media/track tests fail or assert on Mac (r150260 partial)
TextTrack's .cues not ordered correctly when two cues have the same .startTime (r136843)
Occasional crash in WebCore::RenderVTTCue::initializeLayoutParameters (r203737)
onload callback for <track> element attached to <video> does not fire (r138766 revisited)
[Chromium] Layout Test media/track/track-cue-rendering-snap-to-lines-not-set.html is flaky (r127176 revisited)
Not all properties apply to the '::cue' pseudo-element (r145397 + r145504 + r145404)		
[Track] Closed Caption button shouldn't be visible if all the track resources have failed loading (r141531)
Adding a text track should not make controls visible (r140862 revisited)
media/video-controls-captions.html fails after fixing https://bugs.webkit.org/show_bug.cgi?id=105536 (r139326)
HTMLMediaElement::configureTextTracks should configure all text tracks (r135202)
Allow ports to override text track rendering style (r132349)
Create a toggle button for closed captions. (r127035)

Nov 04, 2016
============
REGRESSION(r140231): media track layout tests crashing (r141529)
Whitelist should also work for the WebVTT ::cue element without an argument (r140505)	
The ASCII decoding for non ASCII character is incorrect if this character comes after going through (r178099)
Cue line-height property shouldn't be inherited from the video element (r144814)
WebVTT <i>, <b> and <u> elements should have default styles (r141817)
Support language WebVTT Nodes (r140877)
Implement :past pseudo class for the WebVTT ::cue pseudo element (r140707)	
Remove a TextTrack.h include from the Element.h and move WebVTT related stuff outside the Element (r140231)
Implement matching by the voice attribute for WebVTT ::cue pseudo element (r139803)
Implement ID selector matching for the WebVTT ::cue pseudo element (r139714)
Implement element type selectors for the WebVTT ::cue pseudo class (r139692)
Asking for a value profile prediction should be defensive against not finding a value profile (r208326 partial)	
Make Settings ref-counted (and let Frame keep a ref!) (r154219)

Nov 03, 2016
============
Web Inspector: Resume button in element inspector -> scripts has tooltip 'pause script execution' (r131181)
Web Inspector: Fix compilation errors (r133288 partial)
Web Inspector: Output code evaluated in the console the same as console.log (r133150)	
Fix an exception when hovering native functions while paused in the debugger. (r149829)
Make 'this' evaluate to the correct object when paused in the Debugger. (r147356)
Web Inspector: prevent crash, add required error string value (r141891)	
Web Inspector: adds isOwnProperty to remote protocol (r132902)
Web Inspector: relies on current Function.prototype.bind in the frame (r131178)
Web Inspector: expose object internal properties such as PrimitiveValue or BoundThis (r130398)
Web Inspector: TypeError in ConsoleMessage.js (r131019)
Web Inspector: move completions calculation into RuntimeModel (part 1) (r130119)
Web Inspector: rename JavaScriptContextManager to RuntimeModel for consistency. (r127417)
Web Inspector: get rid of context execution id fallback. (r127412)
Web Inspector: make ConsoleView listen to the JavaScriptContextManager (r126709)	
Web Inspector: make ui component compile (r126579)	
Web Inspector: hovering over an image link in Timeline popup kills popup (r125882)
Web Inspector: render arrays as dir in case they were logged into console prior to the front-end opening. (r125284)
Web Inspector: follow up to r125174 - fix subtype use. (r125186)
Web Inspector: generate preview for the objects dumped into the console upon logging. (r125174)
WebKit nullptr dereference Archive Subframe (r208292)

Nov 02, 2016
============
Web Inspector: do not use InspectorInstrumentation::hasFrontends() check when collecting stacks (r130021)

Nov 01, 2016
============
Make the Web Inspector console work in strict mode with JavaScriptCore. (r146840)
Replace 'DOMObject' with 'any' (r142935)
Web Inspector: fix closure compilation warnings caused by setVariableValue change (r142888)
Web Inspector: support JavaScript variable mutation in protocol and V8 bindings (r142114)
Repatch should save and restore all used registers - not just temp ones - when making a call (r165414)
Unreviewed, remove unintended change. (r165405)
Out-line ScratchRegisterAllocator (r165401)
Clarify how we deal with "special" registers (r165293 partial)
Crash in JIT code while watching a video @ storyboard.tumblr.com (r165021)
lr is a special register on ARM64 (r164238)
Fix RegisterSet::calleeSaveRegisters() by making it correct on ARM64 (r164237)
RegisterSet::calleeSaveRegisters() should know about ARM64 (r164233)
Switch FTL GetById/PutById IC's over to using AnyRegCC (r159039 partial)
FTL should be able to do some simple inline caches using LLVM patchpoints (r157872 partial)	
StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries (r157707)
Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union (r157696)
Rename RegisterSet to TempRegisterSet (r157693)
[JSC] JSON.stringify should handle Proxy which is non JSArray but isArray is true (r208123)
JSON.parse should not modify frozen objects. (r207341 partial)	
Add proper JSON.stringify support for Proxy when the target is an array (r197918 partial)

Oct 31, 2016
============
Clean up WebVTTNodeType code (r139639)
Styling disappears from the cue that's being styled by ::cue pseudo element (r139562)
CC Button doesn't always show up (r139547)
[Track] Rendering crash (r138966)
Crash when setting 'transition-delay' CSS property to a calculated value (r176458)
Implement :future pseudo class for the WebVTT ::cue pseudo element (r138784)
Allow ports to override text track rendering style (r132349 partial)
Follow WebVTT line breaking rules (r138282)
Implement matching cue by the class name with ::cue pseudo element (r137955)
Convert m_selectorVector back to a stack allocated m_reusableSelectorVector (r134693)
[Shadow] Pseudo custom-elements should start with 'x-'. (r133715)
Convert CSSParser's m_reusableSelectorVector to OwnPtr and rename to m_selectorVector. (r125252)
Sign in front of keyframe selector causes stylesheet parsing to abort (r130007)
Make it possible to use CSS Variables inside Calc expressions. (r127220)
Get rid of "parser" type casts in CSSGrammar.y (r124241)
Pre-process CSSGrammar.y before running through bison. (r131477)
Avoid eagerly creating the JSActivation when the debugger is attached. (r163223 revisited)  
  
Oct 29, 2016
============
String(new Date(2010,10,1)) is wrong in KRAT, YAKT (r150833 revisited)	

Oct 28, 2016
============
Refactor Media Control Elements to remove code duplication. (r136613)
Fullscreen movie controls behave incorrectly when clicked (and dragged) (r131781)
REGRESSION(r136615): Incorrect style sharing in view-source documents. (r136722)
Style sharing: Allow sharing between elements with classes not referenced by any selectors. (r136615)
Style sharing: Remove O(n^2) presentation attribute checks that never found anything anyway. (r135542)
Style sharing: Compare class lists via SpaceSplitString instead of string comparison. (r135445)
StyleResolver: No need to compare "cellpadding" attributes when evaluating style sharing candidates. (r135068)
StyleResolver: Only input elements need equal "readonly" attribute for style sharing. (r134984)
StyleResolver: Optimize sharing candidate evaluation for elements with shared attribute data. (r134962)
JSFunction::put() should not allow caching of lazily reified properties. (r208018 partial)

Oct 27, 2016
============
ASSERT removing then adding a <track> element (r151796)
onload callback for <track> element attached to <video> does not fire (r138766)
Captions menu doesn't update to track changes (r136978)	
HTMLMediaElement's .textTracks property does not reflect <track> element (r136131)
Make track list control active (r135934)
Support list of tracks in caption media controls (r134507)

Oct 26, 2016
============
Implement general ::cue pseudo element for the <video> (r136991)	
Clean up the inheritance tree under the MediaControls Class. (r134488)
Web Inspector: [REGRESSION] Breakpoints are not always shown in breakpoints sidebar pane. (r129775)
Web Inspector: DefaultTextEditor throws exception sometimes. (r129641)
Web Inspector: don't allow exception in front-end when expanding function scope (r129361)
Web Inspector: [REGRESSION] Content is not available for dynamically loaded script sometimes. (r127902)
Web Inspector: Incorrect property override computation when !important is involved (r126737)
Web Inspector: Breakpoints are not correctly restored on reload. (r125767)
Web Inspector: CodeMirrorTextEditor doesn't clear execution line (r125650)
Web Inspector: remove commitEditing from the text editor delegate. (r125438)
Web Inspector: improve large array logging experience (r125165)
Web Inspector: store last evaluation result in $_ (r125033)
Web Inspector: show whitespace nodes if they are the only tag's children. (r125014)
Web Inspector: [regression r121673] restore link between the command and the result. (r124867)
Web Inspector: WebInspector.linkifyStringAsFragment gives wrong typeof lineNumber (r124792)
Web Inspector: Fix protocol version check. (r124453)
Web Inspector: Move formatting support from JavaScriptSource to UISourceCode. (r123852)
Web Inspector: Render breakpoint gutter markers and execution line in CodeMirrorTextEditor (r125599)
Web Inspector: get rid of beforeTextChanged (r125426)

Oct 25, 2016
============
Web Inspector: InspectorBackend.loadFromJSONIfNeeded should take the JSON url as argument (r128287)	 
Web Inspector: Make textModel private to textEditor (r124584)
JSONParse should not crash with null Strings (r207785)

Oct 24, 2016
============
Need earlier cell test (r167832)
Split sizing of VarArgs frames from loading arguments for the frame (r160244)
REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms (r164880)
Whoops, include all of last patch. (r164836)
Slow cases for function.apply and function.call should not require vm re-entry (r164835)	
Spread operator has a bad time when applied to call function (r164630)
[JS] Convert Promise.prototype.catch to be a built-in (r164396 + r164416)	
Web Inspector: Relative URL Link Tooltips do not respect <base> (r129477)
Web Inspector: Use and process the actual ScriptId in the protocol EventListener object (r129105)
fixing inspector/elements/iframe-load-event.html broken by r126572. (r126576)
Web Inspector: resolve URLs upon creation, get rid of populateHrefContextMenu (r126572)
Web Inspector: extract ParsedURL into a separate file. (r126426)
Web Inspector: replace the Web Inspector editor with CodeMirror (r125201)
Web Inspector: Create and interface for TextEditor (r124638)

Oct 21, 2016
============
Shink attribute event listener code (r156231)
Web Inspector: for event listener provide handler function value in protocol and in UI (r142627)

Oct 20, 2016
============
HTMLMediaElement should not throw an exception from setCurrentTime or fastSeek. (r159363)

Oct 19, 2016
============
Remove bogus global internal functions for properties and prototype retrieval (r192024)
REGRESSION(r183570): jslib-traverse-jquery is 22% slower (r183749)
It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array. (r183570)    
Implement ES6 StringIterator (r181084 partial)

Oct 18, 2016
============
Implement a few more Array prototype functions in JS (r164139)
CurrentTime on mediaController is set as 0 when playback is completed. (r190114)
Setting playback rate on Media Controller modifies current time. (r164365)
Add support for the 'unpause()' method on MediaController. (r136295)
no timeupdate events emitted for media controller (r125337)
Make it possible to implement JS builtins in JS (r163960 complete)

Oct 17, 2016
============
ASSERT_NOT_REACHED when using spread inside an array literal with Function.prototype.apply (r205944)
Improve JSC Parser error messages (r158014)	
Add a StringTypeAdapter for ASCIILiteral (r141342)
JS Lexer and Parser should be more informative when they encounter errors (r148849)
Unify JSC Parser's error and error message (r148167)
Move macros from Parser.h to Parser.cpp (r131236)

Oct 15, 2016
============
Tests with infinite recursion frequently crash (r177460)
	
Oct 14, 2016
============
JSMainThreadExecState::call() should clear exceptions before returning. (r167142 partial)	
MutationCallback should be a WebIDL 'callback', not a [Callback] interface (r145379)
Web Inspector:  The JS code injected by worker inspector shouldn't be evaluated through JSMainThreadExecState (r129476)
Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks (r166135)
test262: Failure with RegExp.prototype.compile when pattern is undefined (r207334)
Add WTF::NeverDestroyed and start using it in WTF (r150450 + r150451)

Oct 13, 2016
============
FTL should be able to do call ICs (r160893 partial)
StyledElement: Make handling the "style" attribute a litte faster. (r135101)
Support caching of custom setters (r165208 complete)
FTL should do polyvariant Call/Construct inlining (r162788 partial)
IC status classes should directly query exit site information (r162424)
fourthTier: Race between LLInt->Baseline tier-up and DFG reading Baseline profiling data (r153176)

Oct 12, 2016
============
Update JS whitespace definition for changes in Unicode 6.3 (r163325)
JSC Parser: Shrink BindingNode. (r162393)

Oct 11, 2016
============
r159210 added a period where there previously wasn't one, breaking >100 tests (r159216)
REGRESSION (r158014): Many webpages throw stack overflow exceptions on iOS (because Parser::parseMemberExpression uses ~130K more stack) (r159210)
Fix minor (unobservable) bug in ArrayIterator::next() (r158940)
IC code should handle the call frame register not being the callFrameRegister (r158820 revisited)
ValueAdd should be constant folded if the operands are constant String,Primitive or Primitive,String (r207060 partial)
DFG should be able to constant-fold strings (r197833 partial)
Change ArrayPrototype.cpp's putLength() and setLength() to take a VM& so that we can use vm.propertyNames. (r207036 partial)

Oct 07, 2016
============
Crash in virtualForThunkGenerator generated code on ARM64 (r159427 revisited)
Fixed callFrameRegister differences between arm traditional (r11) and arm Thumb2 (r7) in GPRInfo.h. (r159276 partial/revisited)
REGRESSION(r158883): Fix crashes for ARM architecture. (r158926)
REGRESSION(r158883): Fix crashes for MIPS architecture. (r158925)		
Change CallFrameRegister to architected frame pointer register (r158883 partial)
Change ctiTrampoline into a thunk (r158751 + r158858 + r158916)
fourthTier: DFG::ByteCodeParser doesn't need ExecState* (r153144)

Oct 06, 2016
============
REGRESSION(r158586): plugins/refcount-leaks.html fails (r158648)
Eliminate HostCall bit from JSC Stack CallerFrame (r158586)
DebuggerCallFrame::evaluateWithCallFrame() should not execute a null executable. (r162752)
Change ScriptDebugServer to use DebuggerCallFrame instead of JavaScriptCallFrame. (r156936)
Web Inspector: Breakpoint Actions (r155132)
Web Inspector: Breakpoints should have Automatically Continue Option (r154910)
Web Inspector: Column Breakpoint not working, may be off by 1 (r154681)
Web Inspector: The front-end should provide the position in original source file when set a breakpoint (r130615)
[JSC] Do not construct Simple GetByIdStatus against self-custom-accessor case (r206844 partial)
Continue hangs when performing for-of over arguments (r165306)	
Support iteration of the Arguments object (r158793)  
  
Oct 05, 2016
============
ARM64 CRASH: Improper offset in getHostCallReturnValue() to access callerFrame in CallFrame (r159428)
REGRESSION(r158315): Fix register mixup in JIT::compileOpCall. (r158672)
Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI . (r158315)
FunctionExecutable::isCompiling() is weird and wrong. (r185379)
[ES6] Implement ES6 template literals (r183373 + r183559)
JS Lexer and Parser should be more informative when they encounter errors (r148849 partial)

Oct 04, 2016
============
Don't branch when accessing the callee (r183935)
Merge mips and arm/sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions. (r159995)
Uninitialized member causes crash when DFG JIT is not enabled. (r157930)
Remove unused stuff in JIT stubs. (r157795)
Remove excess reserved space in ctiTrampoline frames for X86 and X86_64. (r157650)
Unreviewed, speculative ARM64 build fix. (r157619)
Pass VM instead of JSGlobalObject to JSONObject constructor. (r157614)
Removed the JITStackFrame struct (r157612)
Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks (r157609)
Removed restoreArgumentReference (another use of JITStackFrame) (r157604)
Remove JITStubCall.h (r157603)
Removed a use of JITSTACKFRAME_ARGS_INDEX (r157592)
Change emit_op_catch to use another method to materialize VM (r157591)
Eliminate emitGetJITStubArg() - dead code (r157590)
Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h. (r157588)
Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction() (r157586)	

Oct 03, 2016
============
Try to fix the Windows (32-bit) build. (r128122)
Web Inspector: Stepping through `a(); b(); c();` it is unclear where we are and what is about to execute (r206654)
Get rid of the regT* definitions in JSInterfaceJIT.h. (r158901 revisited)
transition void cti_op_* methods to JIT operations. (r157457 complete + r157467)
[arm][mips] Fix crash in dfg-arrayify-elimination layout jsc test. (r159748)
Transition void cti_op_tear_off* methods to JIT operations for 32 bit. (r157521)
[sh4] Some calls don't match sh4 ABI. (r157475)
transition void cti_op_* methods to JIT operations. (r157457 partial + r157467)     	
Change JSC debug hooks to pass a CallFrame* instead of a DebuggerCallFrame. (r156374)	   
Change debug hooks to pass sourceID and position info via the DebuggerCallFrame. (r155622)	   
	   
Sep 30, 2016
============
Change native function call stubs to use JIT operations instead of ctiVMHandleException (r157636 partial)	
Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks (r157609)
Transition cti_op_throw and cti_vm_throw to a JIT operation (r157581)    
transition void cti_op_* methods to JIT operations. (r157457 partial)    
Follow up patch to: [ES6] bound functions .name property should be "bound " + the target function's name (r196243)
[ES6] bound functions .name property should be "bound " + the target function's name (r196033)
Spread operator should be performing direct "puts" and not triggering setters (r157656 revisited)

Sep 29, 2016
============
Implement ES6 spread operator (r157545)

Sep 28, 2016
============
Move ElementTraversal to ElementTraversal.h (r153939)

Sep 27, 2016
============
A label element not in a document should not label an element in a document (r191497)
Use DOM ordering for list counts (r148863)
REGRESSION(r137406): Text inside an empty optgroup prevents subsequent options from appearing (r139038)
REGRESSION(r137406): NodeTraversal changes causing large renderer crash (r137642)
Add Element-specific traversal functions (r137406)
Fix non-root SVG viewport under zoom (r143144)
Factor node traversal into standalone functions (r137221 + r137227 + r137236)	
Invalidate SVG width on width attribute changes. (r136424)
Microdata: item with itemprop attribute should not include the item itself in the HTMLPropertiesCollection. (r125348)
	
Sep 26, 2016
============
getComputedStyle() doesn't report intermediate values during a transition of a pseudo element (r142215)	
Remove RenderObjectChildList::beforePseudoElementRenderer and afterPseudoElementRenderer (r138909)	
REGRESSION(r136948): inspector/styles/import-pseudoclass-crash.html hits an assertion (r137303)
Web Inspector: the "Sources" column is always empty in CSS selector profiles (r136948)
Remove StyleResolver::State::m_parentNode (r165542 revisited)
Style recalculation takes too long when adding whitespace text nodes (r144526 revisited)
Default element styles are not always collected for sharing detection (r141844 partial)
Split CSSOMWrapper data and functions out from StyleResolver into its own class. (r141373)
documentElement should not always get a renderer (r136331)	
Move childrenAffectedBy bits from RenderStyle to Element (r136001 revisited)
Make renderer construction less generic (r135668)
Remove unnecessary ternaries in createRendererIfNeeded (r135432)
Replace NodeRendererFactory class with a function (r135419)
Merge checks for creating renderers into shouldCreateRenderer (r135290)
Remove unneeded null check in NodeRendererFactory::createRendererIfNeeded (r135252)
No isChildAllowed checked when adding RenderFullScreen as the child. (r124491)
[CSS Regions] RenderRegion should inherit from RenderBlock (r142984)
[CSS Regions] Absolutely positioned regions do not expand to fill their container (r135851)
[CSSRegions]Add support for auto-height regions (without region-breaks) (r131348)
Replace 2 uses of updateLogicalHeight with computeLogicalHeight (r129427)
[CSSRegions]Flag auto-height regions (r128861)
[CSS Regions] Auto width is not working for Regions (r128155)
[New Multicolumn] Implement unforced breaking in the new column layout. (r127267)
[New Multicolumn] Rename methods to prepare for proper pagination of columns (r127051)
[New Multicolumn] Rename some flow thread methods and region methods/members to make them (r126895)
[New Multicolumn] Plumbing to prepare for contents painting and hit testing implementation. (r126602)
[New Multicolumn] Make column rules paint properly. (r126177)
Never notify of insertedIntoTree during document destruction. (r126107)
CSSRegions: Crash when using style in region for removed element. (r125376)
[CSS Regions] region-overflow: break still renders the content that does not fit in the last region. (r125271)
CSSRegions: Crash when attaching a region to the removed named flow (r125192)
[CSS Regions] Rename regionOverflow to regionOverset (r124771)

Sep 23, 2016
============
Absolutely positioned non-replaced elements should resolve vertical margins against their containing block's logical width (r136646)
Make RenderView anonymous (r155370)
Harden RenderBox::canBeScrolledAndHasScrollableArea logic https://bugs.webkit.org/show_bug.cgi?id=104373 (r154383)
[CSSRegions] RenderFlowThread should not be created as a Document renderer (r147414)
Rework bug 97927 to not depend on RenderLayer::allowsScrolling (r136947)
ASSERT in RenderLayer::hitTestContents can fire (r133330)
REGRESSION (r128837): mathml/presentation/subsup.xhtml became flaky (r133221)
[MathML] Improve some addChild methods (r132735)
Navigator object needs to have properties directly on the instance object (r129260)	
[MathML] Increase visual space around fraction parts, italic variables, and operators (r129146)
Convert MathML to use flexboxes (r128837)
mathml.css: Add more { white-space: nowrap } declarations (r127769)
REGRESSION (r124512): Failures in MathML Presentation tests on GTK and EFL (r126862)
Streamline mathml.css (r126713)
Remove { vertical-align: baseline } declarations from mathml.css (r126698)
MathML: nested square root symbols have varying descenders (r124512)	
	
Sep 22, 2016
============
Add new RenderBlockFlow class. (r155211)
Move isBlockFlowElement and related functions out of the Node class into editing code (r150782)
Crash in Node::enclosingBlockFlowElement() (r147388)
Make renderer constructors take Element where possible (r140244)
TextIterator takes O(n^2) to iterate over n empty blocks (r126164)
XHR timeouts should not fire if there is an immediate network error. (r192175)
[Content Extensions] Make blocked async XHR call onerror (r191077)
XHR2 timeout property should allow late updates (r189445)
	
Sep 21, 2016
============
Remove the JSC::OverridesVisitChildren flag. (r171939)	
Don't de-allocate FunctionRareData (r183113)
REGRESSION (r182899): icloud.com crashes (r183069)
Extract the allocation profile from JSFunction into a rare object (r182899)
Percentage min/max width replaced element may incorrectly rendered (r138332)
Bound functions should use the prototype of the function being bound (r196956)
[JSC] Some setters for components of Date do not timeClip() their result (r201586)

Sep 20, 2016
============
Undefined behavior: Left shift negative number (r206151)
window.atob() should ignore spaces in input (r195694)
Decode data URLs in web process (r188820 partial)
Implement base64url encoding from RFC 4648 (r158628)
Make atob() throw an InvalidCharacterError on excess padding characters (r153904)
Remove obsolete code for deleting CodeBlocks (r189888 partial)
Some renaming to clarify CodeBlock and UnlinkedCodeBlock (r188884 partial)
Periodic code deletion should delete RegExp code (r188401)
Standardize on the phrase "delete code" (r188394)
Re-land r188339, since Alex fixed it in r188341 by landing the WebCore half. (r188351)
Unreviewed build fix after r188339. (r188341)
Empty parse cache when receiving a low memory warning (r136773 partial)

Sep 19, 2016
============
text-overflow: ellipsis is broken by text-align: right and padding-left (r187380)
REGRESSION (r133351, sub-pixel layout): Right-to-left block with text-overflow: ellipsis truncates prematurely (breaks facebook.com Hebrew UI) (r169048)
Table with percentage column widths doesn't scale to fill the entire width of a table containing it (r133037)
Replace calls to updateLogicalHeight with calls to computeLogicalHeight (r131971)
REGRESSION(r128517): Percentage heights in quirks mode collapse when printing (r141459)	
REGRESSION (r128633): td changes size during re-layout of table although it shouldn't (r135578)
getComputedStyle perspective-origin is based on the wrong bounding box (r130277)
Simplify some code in RenderBox::computePercentageLogicalHeight (r128633)
percentage heights in quirks mode with auto-sized body are computed incorrectly (r128517)
percentage widths rendered wrong in vertical writing mode with orthogonal parent (r128375)
Refactor computePercentageLogicalHeight to simplify the logic a bit (r128215)
Fix RenderBox::availableHeight to subtract scrollbars in the right places (r127915)
Delete some dead code in RenderBox::computePercentageLogicalHeight (r125938)
percentage height/width values in quirks mode are incorrectly resolved in flexbox children (r125055)
need tests to ensure flexboxes play nicely with box-sizing (r124793)
Constrain replaced element layout to from-intrinsic aspect ratio if specified (r164265)
Update aspect-ratio property to have constraining keywords (r163840)
Percentage width replaced element incorrectly rendered when intrinsic size changed (r137960)
Use computeLogical* methods instead of updateLogical* methods in RenderImage (r130806)
image not displayed in flexbox (r130714)

Sep 16, 2016
============
REGRESSION (r181720): Unnecessary layout triggered any time animated GIF advances to a new frame (r185310)
Switching between two SVG images with no intrinsic sizes causes them to get the default SVG size instead of the container size. (r181720)
incorrect flexbox relayout with overflow, padding and absolute positioning (r138770)
REGRESSION(r121789): Text not wrapping in presence of floating objects (r137331)
Flex boxes (both old and new) don't handle max-height images correctly. (r151997)
Set relayoutChildren to 'true' only if size change happens in Table (r177782)
getComputedStyle().width wrong after text changed (r152005)
REGRESSION(r136324): Flexbox should relayout flex children when width changes (r141290)
REGRESSION(r136324): flex items with percent heights not resizing (r138037)
Avoid a second layout of flex items in layoutAndPlaceChildren() (r136324)

Sep 15, 2016
============
min-width/max-width of min-content/max-content don't work correctly if width is specified (r147275)
CSSParser does not allow the absence of whitespace between "and" and "expression" (r139316)
Max width of a floated container with floated children calculated incorrectly (r138899)
YARR doesn't check for invalid flags for literal regular expressions (r205937)
[ES6] Implement RegExp sticky flag and related functionality (r197869)	
Web Inspector: [REGRESSION] [Styles] Rule disappears if edited selector does not affect selected node (r136488)
Web Inspector: [Styles] Retain selector case as written in the source code (r136370)
Web Inspector: [Styles] For group selectors, transmit their segments with the "matches" flag (r129470)	
Web Inspector: [REGRESSION] Cmd-Shift-C doesn't enable element inspection mode when inspector hidden (r129348)	
Web Inspector: Group selectors to highlight matched selector in the Styles pane of Elements Panel (r128746)
Web Inspector: [Styles] Styles not updated when there is a heavy stream of DOM updates (r128407)
Web Inspector: build Elements, Resources, Timeline, Audits and Console panels lazily. (r125871)

Sep 14, 2016
============
AutoTableLayout applies min-width redundantly with RenderTable (r143555)
REGRESION(r130774): preferred width of tables does not take max-width into account (r140479)
max-width property is does not overriding the width properties for css tables(display:table) (r130774)
Attempt to fix the build after r165542 (r165561)
REGRESSION(r165542): printing/page-rule-selection.html failing (r165557)
Remove StyleResolver::State::m_parentNode (r165542)
[Refactoring] Remove elementParentStyle from SelectorCheckerContext (r140531)
Make StyleResolver::applyProperty use isInherit in CSSPropertyWebkitMarquee instead of calculating equivalent in-place. (r135760)
DFG NewArrayBuffer node should watch for "have a bad time" state change. (r205882)
[JSC] Use GetArrayLength for JSArray.length even when the array type is undecided (r205830)

Sep 12, 2016
============
REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled. (r180083 rolled out, crash)	
Don't create StyleResolvers just to invalidate them. (r149392)
Crash in WebCore::ElementRuleCollector::collectMatchingRulesForList (r147928)
Continuations casting issue. (r166736)
REGRESSION (r121551) Incorrect handling of invalid media query list. (r153822)	
Regression r130057: Improper preferred width calculation when an inline replaced object, wrapped in an inline flow, follows some text. (r133292)
CSS Style is not recalculated when media attribute of style element is changed (r130816)
http/tests/w3c/dom/nodes/Element-matches.html is flaky (r189198 + r189205 rolled out + r189252)
Preloads should be cleared when JavaScript cancels loading prematurely. (r143789)
Make hasOwnProperty ALWAYS_INLINE (r205753)

Sep 09, 2016
============
Possible dangling CachedResourceClient of StyleRuleImport and XSLImportRule (r154889)

Sep 08, 2016
============
Move StylePropertySet internal storage access helpers to subclass. (r148406)
Move property setting/removing functions to MutableStylePropertySet. (r148403)	
Move addParsedProperty/addParsedProperties to MutableStylePropertySet. (r148400)
CSSParser should return ImmutableStylePropertySets. (r148399)
Move parseDeclaration() and clear() to MutableStylePropertySet. (r148397)
Move CSSOM classes to using MutableStylePropertySet over StylePropertySet. (r148396)	
Rename/tweak some StylePropertySet/CSSStyleDeclaration copying functions. (r148365)    
Remove unused method CSSStyleDeclaration::makeMutable(). (r148359)    
StyledElement: Don't expose a mutable direct interface to the inline style. (r143868)
StyledElement: Tweak signature of collectStyleForPresentationAttribute(). (r143843 partial)

Sep 07, 2016
============
Use inline capacity for StylePropertyShorthand Vectors. (r201559 partial)	
Reduce CSSProperty's StylePropertyMetadata memory footprint by half when used inside a ImmutableStylePropertySet. (r153581 + r153650)	
	
Sep 06, 2016
============
Implement 'round' and 'space' values for border-image (r191590)
Fix warning in makeprop.pl (r156400)
Make the table static const. (r155550)
Support ruby-position: {before, after} (r137359)
Transition call and construct JITStubs to CCallHelper functions (r157164)
CSSProperty::isInheritedProperty is large (r155511 + r156228)

Sep 02, 2016
============
[CSS Blending] Remove the -webkit- prefix for mix-blend-mode and isolation CSS properties (r167448)	
[CSS Blending] Parse and implement the -webkit-isolation CSS property. (r164795)
[CSS Blending] Refactor -webkit-blend-mode to -webkit-mix-blend-mode (r164480)
[CSS Background Blending] Unprefix the -webkit-background-blend-mode property (r163633)
Remove ENABLE_CSS_COMPOSITING guards around -webkit-background-blend mode related code. (r152083)
Add support for parsing of -webkit-background-blend-mode (r142168)
Turn Compositing on by default in WebKit build (r130460)
Add support for blendmode to webkit rendering engine (r127162)
parse CSS attribute -webkit-blend-mode (r126105)
[CSS Shaders] Parse mix function (r124820)

Sep 01, 2016
============
When using SVG as an image, we should load datauri images when these images are not in the image cache. (r179626)
Fix crashes due to failed ImageBuffer allocation (r151525)
Object.getPrototypeOf() should return null cross-origin (205258)

Aug 31, 2016
============
Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time (r204162 partial)
[CSS Shapes] shape-outside: ellipse(50% 50% at) causes crash (r165835 complete)
[CSS Shapes] CSS parser accepts trailing position arguments (r165655 complete)	
[css shapes] Parse new ellipse shape syntax (r159954 partial)
Cleanup usage of CSSPropertyID and CSSValueID inside WebKit. (r151783)
Make sure to use CSSValueID and CSSPropertyID rather than integers (r151754)
CSS3 Multicolumn: column-span should accept value 'none' (instead of '1') (r136053)
Fix CSSParserValue::createCSSValue() for viewport based units. (r126828)

Aug 26, 2016
============
[CSS Shapes] shape-outside: ellipse(50% 50% at) causes crash (r165835 partial)
[CSS Shapes] CSS parser accepts trailing position arguments (r165655 partial)
[css shapes] Layout support for new circle shape syntax (r159979 partial)
[css shapes] Parse new circle shape syntax (r159585 partial)
Crash on shape-outside when using calc() (r156586)
REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled. (r180083)
Unreviewed, another ARM64 build fix. (r157621)

Aug 25, 2016
============
Don't set z-index: 0 on lots of elements with -webkit-overflow-scrolling: touch (r152335)
-webkit-clip-path is applied on elements that are not descendant of the container (r129215)
BasicShapePolygon::path takes width instead of height for boundary calculation (r132257)
Use -webkit-clip-path shapes to clip HTML elements (r127608)
-webkit-clip-path does not apply origin for polygon() (r127548)
Use -webkit-clip-path shapes to clip SVG elements (r127383)
Add support for blendmode to webkit rendering engine (r127162)
z-index should work without position on flexitems (r125693)
Introduce new CSS property for clip-path (r127327 + 127371)

Aug 24, 2016
============
No LLInt Test Failure: jsc-layout-tests.yaml/js/script-tests/object-literal-duplicate-properties.js.layout-no-llint (r184647)
strict mode eval should not fire the var injection watch point (r204861)
ASSERTION FAILED: : line >= firstLine in BytecodeGenerator::emitExpressionInfo. (r204422)
Assertion failure for destructuring assignment with new.target and unary operator (r200293 partial)
Current implementation of Parser::createSavePoint is a foot gun (r195484 partial)
Support unprefixed deconstructing assignment (r159139)
Refactor parser rollback logic (r158074)

Aug 23, 2016
============
Source and stack information should get appended only to native errors (r182495)

Aug 19, 2016
============
Fix problems with divot and lineStart mismatches. (r153477)
Remove an invalid assertion in the DFG backend's GetById emitter. (r204570)
ScriptExecutionContext log exception should include a column number (r149131)
Web Inspector: ConsoleMessage should include line and column number where possible (r149125 partial)    

Aug 18, 2016
============
We allow assignments to const variables when in a for-in/for-of loop (r204596 partial)
Fix 30% JSBench regression (caused by adding column numbers to stack traces). (r152494)
StackFrame::column() returning bogus value (r148720)
Unify the many and varied stack trace mechanisms, and make the result sane. (r147858 complete)
Fix O(n^2) op_debug bytecode charPosition to column computation. (r146552)
Fixed a potential bug in MarkedArgumentBuffer. (r204572)

Aug 16, 2016
============
Fix incorrect debugger column number value. (r146318)	   
Make JSValue::strictEqual() handle failures to resolve JSRopeStrings. (r204485)
[Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid() (r204495)

Aug 15, 2016
============
Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier (r179873 partial)
Deconstruction object pattern node emits the wrong start/end text positions (r173026 partial/revisited)
Web Inspector: [JSC] implement setting breakpoints by line:column (r124729)

Aug 11, 2016
============
DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals. (r204360 partial)

Aug 10, 2016
============
JavaScriptCore should discard optimized code after some time (r189620 partial)
Watchpoints should be allocated with FastMalloc (r186705 partial)
Add InvalidationPoints to the DFG and use them for all watchpoints (r158304 revisited)

Aug 09, 2016
============
CodeBlock::jettison() should be implicit (r154986)
Reduce parser overhead in JSC (r133688 partial)
ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren(). (r204261)

Aug 08, 2016
============
various math operations don't properly check for an exception after calling toNumber() on the lhs (r204206 partial)
compilePutByValForIntTypedArray() has a slow path in the middle of its processing (r204204)

Aug 06, 2016
============
Assertion failure in WebCore::FrameLoader::stopLoading() running fast/events tests (r191688)
Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations. (r178363)
JSC virtual call thunk shouldn't do a structure->classInfo lookup (r199861 partial)
virtualForWithFunction() should not throw an exception with a partially initialized frame. (r164472)   
Transition call and construct JITStubs to CCallHelper functions (r157164 partial)   

Aug 05, 2016
============
CodeBlock::prepareForExecution() is silly (r154833 partial + r154838)
CodeBlock compilation and installation should be simplified and rationalized (r154824 partial) 
fourthTier: Executable and CodeBlock should be aware of DFG::Plans that complete asynchronously (r153165 partial)    

Aug 03, 2016
============
Assertion failure while setting the length of an ArrayClass array. (r203952)
Undefined Behavior in JSValue cast from NaN (r203925)

Jul 29, 2016
============
ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string. (r203853)

Jul 28, 2016
============
[ARM] Typo fix after r121885 (r203817)
Sticky positioning is broken for table rows (r162960)
Use-after-free in SliderThumbElement::dragFrom (r158724)
Use-after-free in CompositeEditCommand::cloneParagraphUnderNewElement (r148908)
Potential use after free in ApplyStyleCommand::splitAncestorsWithUnicodeBidi (r148497)

Jul 27, 2016
============
Heap-use-after-free in WebCore::LiveNodeListBase::invalidateCache (r140103)
HTMLCollection should use the same storage as DynamicNodeList (r135429 + r135431 + r135438)
Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement (r138537)
Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo (r137632)
Heap-use-after-free in WebCore::RenderLayer::paintList [MathML] (r136554)
REGRESSION(r127163): Respect clearance set on ancestors when placing floats (r159575)
Implement the -webkit-margin-collapse properties correct rendering (r142974)
REGRESSION(r136967): Combination of float and clear yields to bad layout (r142659)	
Misaligned logo on www.nzherald.co.nz possibly due to negative margin-top (r140358)
REGRESSION(r136967): margin-top + overflow:hidden causes incorrect layout for internal floated elements (r139337)
REGRESSION(r127163): Content is offset to the right at rea.ru (r136967)
Regression(r127163): Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer (r127509)
CSS 2.1 failure: margin-collapse-clear-012 fails (r127163)
[WebSocket] Receiving a large message is really slow (r129239)
REGRESSION (r123848): Heap-use-after-free in WebCore::CachedResource::didAddClient. (r125292)
Gather the duplicated timer code into CachedResource. (r123848)
Re-order variables in BidiRun and LayoutState (r133713)
WebSocket crash when a connection is closed from server side (r173848)
Crashes in WebSocketChannel::processFrame when processing a ping (r147938)
Simulated events instances do not all have the same underlying event (r134995)
Regression(r132681): Heap-use-after-free in WebCore::RenderTextTrackCue::layout (r133609)
Fix use-after free when using a variable to specify a -webkit-filter. (r129189)
use after free in WebCore::FileReader::doAbort (r127082)

Jul 25, 2016
============
Do not restart the matched properties cache timer if active (r141280)	
Top layer fails for inline elements (r140075)
StyleResolver: Garbage collect the matched properties cache on a timer. (r131388 revisited)

Jul 22, 2016
============
Crashes with detached ArrayBuffers (r203204 partial/rework)
Use moveDoubleToInts in SpecializedThunkJIT::returnDouble for non-X86 JSVALUE32_64 ports. (r159873)

Jul 21, 2016
============
CrashOnOverflow in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (r203452 partial)
[JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr (r201412 partial)
Remove JSDependentRetained.h and V8DependentRetained.h (r136815)

Jul 20, 2016
============
Crash under WebCore::DOMWindow::dispatchMessageEventWithOriginCheck attempting to log console message (r185712)
Don't crash when SerializedScriptValue deserialization fails (r164008)
Use-after-free in ApplyStyleCommand::removeInlineStyle (r153102)
Use-after-free in RadioInputType::handleKeydownEvent (r151986)	
Use-after-free in DOMSelection::containsNode (r150498)
Potential use-after-free of Frame (r149780)
Heap-use-after-free in WebCore::InlineFlowBox::deleteLine (r147765 + r149641)
Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for MessageEvent (r140891)
Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent (r140886)
Regression(r107058): Use-after-free in SerializedScriptValue::deserialize (r140748)
NativeToJSValue is harcoding the $thisValue in some strings (r201419)
heap use-after-free at WebCore::TimerBase::heapPopMin() (r200986)	
Use after free in WebCore::RenderObject::nextSibling / WebCore::RenderBoxModelObject::moveChildrenTo (r168448)
IndexedDB: Add clear() method to JSC ScriptValue (r134689)	
	
Jul 19, 2016
============
Progressive JPEG outputScanlines() calls should handle failure (r167381)
Crash when removing children of a MathMLSelectElement (r188014 partial)	
Add an MathMLSelectElement class to implement <maction> and <semantics>. (r160005)
DeferredWrapper should clear its JS strong references once its promise is resolved/rejected (r185404 partial)
EventListenerMap: Use Vector instead of HashMap as backend. (r128002)
ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp (r203376)
Crash in WebCore::NotificationCenter::stop() (r181256)
Crash in WebCore::NotificationCenter::stop() (r181219)
[WTF] Add OwnArrayPtr vectortraits template (r151093)
Give AtomicString SimpleClassVectorTraits. (r127973)
	
Jul 15, 2016
============
JSONObject Walker::walk must save array length before processing array elements. (r203229)
[mips] Handle properly unaligned halfword load (r203226)
ShareableElementData should use zero-length array for storage. (r143726)
ElementData: Move leafy things out of the base class. (r143014, rolled in r144010)
Stronger ElementData pointer typing. (r142826)
The style resolution cache applies properties incorrectly whenever direction != ltr (r173906)
REGRESSION (r159218): FrameView::layout() should destroy TemporaryChange<LayoutPhase> before destroying Ref<FrameView> (r165396)
ASSERTION FAILED: m_repaintRect == renderer().clippedOverflowRectForRepaint(renderer().containerForRepaint()) after r135816 (r159218 partial)
getAttribute does not behave correctly for mixed-case attributes on HTML elements (r148614)	    
ASSERTION FAILED: m_repaintRect == renderer()->clippedOverflowRectForRepaint(renderer()->containerForRepaint()) after r135816 (r147759)
REGRESSION(r143076): Crash when calling removeNamedItem or removeNamedItemNS with a non-existent attribute of newly created element. (r143115)
Element: Avoid unrelated attribute synchronization on other attribute access. (r143112)	    
Calling DOM Element.attributes shouldn't force creation of ElementData. (r143076)	    
Remove Element::getAttributeItem() overload that returned a mutable Attribute*. (r142827)
Better names for ElementAttributeData & subclasses. (r142791)
Remove Element::ensureAttributeData(). (r142741)
Keep ElementAttributeData sharing cache open for a while after document parsing finishes. (r136334)
Node: Move AreSVGAttributesValidFlag to ElementAttributeData. (r135816)
Node: Remove IsSynchronizingSVGAttributesFlag. (r135793)
Make it possible for elements with different tag names to share attribute data. (r135421)
Exploit shared attribute data to avoid parsing identical "style" attributes. (r135021)
Short-circuit Element::hasEquivalentAttributes() if elements share attribute data. (r134947)
Only resolve presentation attribute style once per shared ElementAttributeData. (r134664)
Move inline style logic from ElementAttributeData to StyledElement. (r134539)
Rename AttributeStyle => PresentationAttributeStyle across WebCore. (r134322)
removeAttribute('style') not working in certain circumstances (r133581)
Remove Page::javaScriptURLsAreAllowed setting. (r132023 partial)
Enable ElementAttributeData sharing for non-HTML elements. (r129318)

Jul 14, 2016
============
Adapt inline SVG sizing behavior to Firefox and Blink (r168350 partial)	
REGRESSION (r146272): layout issues for flex boxes that have -webkit-flex-wrap: wrap (r146684)
Positioned, replaced elements with intrinsic width keywords compute the wrong width (r143539)
Make intrinsic width values work for positioned elements (r143476)    
Intrinsic and preferred widths on replaced elements are wrong in many cases (r142931)
Fixed width overrides intrinsic min-width/max-width for text inputs and listboxes (r139536)
Setting width overrides intrinsic min-width/max-width on flexboxes and their subclasses (r139535)
Flexboxes incorrectly add the scrollbar width to the intrinsic width of fixed-width items (r139351)
intrinsic min-widths don't override width for file upload controls (r139329)	
min-content gets the wrong value if min-width is set on some form controls (r139216)
REGRESSION(r143102): Ignore table cell's height attribute when checking if containing block has auto height. (r147199)
REGRESSION(r143102): iframe with percentage height within table with anonymous cell fails. (r147021)
percentage top value of position:relative element not calculated using parent's min-height unless height set (r143102)
Crashes with detached ArrayBuffers (r203204 partial)

Jul 13, 2016
============
[JSC] Array.prototype.join() fails some conformance tests (r203131 + r203143 rolled out + r203147 partial)
Stack overflow crashes with deep or cyclic proxy prototype chains (r201495 partial)
JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls (r198592 partial)
Make converting JSString to StringView idiomatically safe (r186037 partial)
Optimize Array.join and Array.reverse for high speed array types (r185942 partial + r185943)
Fix Array.concat with RuntimeArray (regression from my last patch) (r185904)
Add AtomicString::number and use it (r156965 partial)

Jul 12, 2016
============
REGRESSION (r125912): Crashes in worker tests (r125946)
some paths in Array.prototype.splice don't account for the array not having certain indexed properties (r203087 partial)

Jul 11, 2016
============
Streamline cached wrapper lookup for Nodes in the normal world. (r166823)
Loading <object> from WebArchive crashes (r169472)
[ftlopt] Reduce the GC's influence on optimization decisions (r170571 partial)
We may add a ReadOnly property without setting the corresponding bit on Structure (r203015)

Jul 07, 2016
============
Kill some of the last vestiges of the C++ interpreter's PICs (r164092)	
[ARMv7] REGRESSION(r197655): ASSERTION FAILED: (cond == Zero) || (cond == NonZero) (r202899)
our parsing for "use strict" is wrong when we first parse other directives that are not "use strict" but are located in a place where "use strict" would be valid (r202828)
[JSC] RegExp.compile is not returning the regexp when it succeed (r202770)
__defineGetter__/__defineSetter__ should throw exceptions (r181868 + r183535 rolled out + r202755)
missing exception checks in arrayProtoFuncReverse (r202714)
Setters are just getters that take an extra argument and don't return a value (r166908 partial)

Jul 06, 2016
============
JSDOMWindow should not claim HasImpureGetOwnPropertySlot (r168914)	
Inline caching for proxies clobbers baseGPR too early (r168861)

Jun 30, 2016
============
Eagerly reify DOM prototype attributes (r169703 + r169705 + r169707)
Destructuring variable declaration is missing a validation of the syntax of a sub production when there is a rhs (r202648)

Jun 29, 2016
============
Repatch should support setters and plant calls to them directly (r166945 partial)	
some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct (r202588 partial)
Change CallFrame to use Callee instead of JSScope to implement vm() (r173706 partial)
Repatch should plant calls to getters directly rather than through a C helper (r166263 partial)
More scaffolding for a stub routine to have a stub recursively embedded inside it (r166218)
CREATE_DOM_WRAPPER doesn't need the ExecState. (r166128 partial)
	
Jun 28, 2016
============
Inline caching should try to flatten uncacheable dictionaries (r169853 revisited)
JSDOMWindow should have a WatchpointSet to fire on window close (r168548)
JSProxies should be cacheable (r167963)
Support caching of custom setters (r165208 partial + r165217)	
PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint (r164971)	
	
Jun 27, 2016
============
[JSC] Object constructor need to be aware of new.target (r200421 partial)
Put functions need to take a base object and a this value, and perform type checks on |this| (r162741)	
Generic JSObject::put should handle static properties in the classinfo hierarchy (r162740)	
REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit (r165912 partial)
GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList (r165459)
OOM Assertion failure in Array.prototype.toString (r202415)
Math.random should have an intrinsic thunk and it should be later handled as a DFG Node (r194087)
Make 32bit pass the correct this value to custom getters (r163549)
Change custom getter signature to make the base reference an object pointer (r163496)	
REGRESSION (r163011-r163031): Web Inspector: Latest nightly crashes when showing the Web Inspector (r163342)
Avoid indirect function calls for custom getters (r160688)

Jun 24, 2016
============
REGRESSION(r192855): Math.random() always produces the same first 7 decimal points the first two invocations (r201053)

Jun 23, 2016
============
Move subframe name getter lookup later in JSDOMWindow::getOwnPropertySlot (r168902 revisited)	
Simplify tryCacheGetById (r167922 revisited)
Cache getters and custom accessors on the prototype chain (r160670)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 revisited)
IC code should handle the call frame register not being the callFrameRegister (r158820 partial + r158830)	

Jun 22, 2016
============
Refactor PutPropertySlot to be aware of custom properties (r161220)
Fix resource leak of unclosed file descriptor. (r172113)
Worker threads leak WeakBlocks (as seen on leaks bot) (r183938)
Modern IDB: storage/indexeddb/structured-clone.html crashes. (r194625 partial)
Indexed getters should return values directly on the PropertySlot. (r169668)
Move the JSString cache from DOMWrapperWorld to VM. (r167605)
WeakMap reference w/ DOM element as key does not survive long enough. (r185023 rolled in, not related to document leaks on http://www.cnn.com and others)
Only generate isObservable() when IDL specifies GenerateIsReachable (r159648)
Don't generate a wasteful isObservable check in isReachableFromOpaqueRoots (r157438)	
Remove redundant Document::getElementById (r157444)
Add the NotDeletable, OperationsNotDeletable IDL attributes (r156831)
toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined (r166415)	
Change CodeGeneratorJS.pm special cases for "DOMWindow" to be general purpose (r166404)	
Stop throwing when attempting to read instance properties directly from the prototype (r163890)
Make DOM attributes appear to be faux accessor properties (r163035 + r163056)	
Global constructors exposed in worker environment have wrong attributes (r150664)
CodeGeneratorJS.pm should generate "isFiringEventListeners()" check in isReachableFromOpaqueRoots() (r148700)
Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in code generators (r140892)
Remove GenerateModule() from all code generators (r135085)	
REGRESSION (r133633): ASSERTION FAILED: m_wrapper || !m_jsFunction (r135063)
[V8] Remove IsSubType() from CodeGeneratorV8.pm (r134940)
ScriptWrappable should work for more than just Node (r133633)

Jun 21, 2016
============
DOM bindings should use thisValue for attributes (r160879)	
Refactor CodeGeneratorJS - Move attribute function creation out of getOwnPropertyName guard (r160793)
Refactor static getter function prototype to include thisValue in addition to the base object (r160208)
	   
Jun 20, 2016
============   
MessageEvent.source window is incorrect once window has been reified (r199087 partial)	   
REGRESSION (174847): can't view NHK(Japan's national public broadcasting organization)s news pages (r178966)
JSXMLHttpRequest::visitAdditionalChildren does not need to explicitly mark m_response (r187736)
Fix toJSDOMWindow() in the case of an object that has the actual JS DOM window in its prototype chain. (r187165)
Don't create cached functions for HTMLDocument.write*() (r174985 + r175706)
Don't create cached functions that access lexicalGlobalObject() (r174847 + r174918))
Move subframe name getter lookup later in JSDOMWindow::getOwnPropertySlot (r168902)
ASSERTION FAILED: "!m_isolatedWorld->isNormal() || m_wrapper || !m_jsFunction" in svg/custom/use-instanceRoot-event-listeners.xhtml (r167794)
JS wrappers should have strongly typed impl() functions. (r156419)
[JSC] Generate visitChildren() for uncustomized EventTarget interfaces (r136482)
A mistake in WebCore::JavaScriptCallFrame::evaluate which will cause assert failed (r132573)
Assertion going back to results.html page from an image diff result (r126090)
Remove hack that allowed plug-ins to always take over certain image formats (r190826)
Plugin create can end up destroying its renderer. (r186666)
Roll out changes not part of the patch reviewed for Bug 132089 (r167852)
Frame and page lifetime fixes in WebCore::createWindow (r167851)
RenderEmbeddedObject shouldn't know about fallback content. (r158657 partial)
Fix crash in http/tests/plugins/plugin-document-has-focus (r125543)
REGRESSION (r188820): fast/dom/HTMLObjectElement/object-as-frame.html is flaky (r189164)
loadSubframe can return null in SubframeLoader::loadOrRedirectSubframe (r163599)	
	
Jun 16, 2016
============
ImageDocuments leak their world. (r197856 rolled out, document leaks on http://www.cnn.com and others)	
	
Jun 15, 2016
============
Remove SelectRuleFeatureSet (r149708)
ASSERT when loading github.com (r199607)
Calling importNode on shadow root causes a crash (r196998 partial)
Form elements should match :valid and :invalid based on their associated elements (r177664)
Fix two bad function names of HTMLFormControlElement (r176250)
Implement :valid and :invalid matching for the fieldset element (r176174)
Lazily create HTMLInputElement's inputType and shadow subtree (r176069)

Jun 14, 2016
============
Elements must be reattached when inserted/removed from top layer (r140931)
Don't allocate rare data on every Element on removal (r140638)
setIsInTopLayer is not really a setter (r136575)
Remove unneeded optimization in Element::isInTopLayer (r135270)
REGRESSION(r133214): Don't invalidate style when adding classes that don't match rules (r162843)
Store ShadowRootType inside the bitfield (r141075)
[Shadow DOM]: ShadowRoot has wrong nodeName attribute (r139198)
NodeRenderingContext is slow due to ComposedShadowTreeWalker (r137715)
[Shadow DOM] Implement Element::shadowRoot with prefix (r136924)
ShadowRoot should recalcStyle for itself (r136675)
[Refactoring] HasSelectorForClassStyleFunctor in Element.cpp seems verbose (r135967)
Changing id, className, or attribute should invalidate distribution (r135174)
[Refactoring] Create SelectRuleFeatureSet for collecting RuleFeatureSet for select attribute (r134219)
[Shadow] ElementShadow should have RuleFeatureSet for select attribute selectors. (r134184)
[Refactoring] Expose collectFeaturesFromSelector from RuleSet.cpp (r134008)
[Shadow] ShadowRoot should know the existence of elements having ElementShadow. (r133575)	
LayoutTest fast/dom/shadow/shadowroot-type.html is failing on Windows (r133548)
[Shadow] ShadowRoot should be able to know the existence of <content> (r133392)	
The shadow element is not reprojected to a nested ShadowRoot. (r132760)
[Shadow]: removing styles in shadow dom subtree causes crash. (r132621)
[Shadow] Fallback content should also be reprojection. (r132174)
[Meta] [Shadow] contenteditable attribute for distributed nodes. (r131464)
[Shadow DOM] Insertion points need resetStyleInheritance (r131136)
[Refactoring] ContentDistributor::distributeSelectionsTo should not change ContentDistribution pool. (r128956)
[Scoped Style] NodeRareData::m_numberOfScopedHTMLStyleChildren could be replaced with a node flag. (r128331)
Rename ContentDistributor::distributeShadowChildrenTo to distributeNodeChildrenTo. (r126824)
Crash in WebCore::RenderBlock::willBeDestroyed (r138850)
REGRESSION(137336): Generated run-ins are not placed correctly (r137528)
Switch to new PseudoElement based :before and :after (r137336)	
[CSS Regions] Fix content node renderers ordering inside the named flow thread (r136107)
Clean up loop in NodeRenderingContext::nextRenderer and previousRenderer (r135237)
RenderLayerModelObject shouldn't need a pre-destructor hook. (r175475)
Fix functions calling to RenderObject superclass to call RenderElement instead (r156255)	
Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects. (r142760)

Jun 13, 2016
============
Free one bit in RenderObject (r138113)
Move RenderView::setFixedPositionedObjectsNeedLayout to FrameView (r127783)
Regression: Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath (r127497 partial)
If both left and right (or top and bottom) are specified for sticky, use left (or top) (r126812)
Implement sticky positioning (r126774 + r126919 + r127301)
Garbage texture data with composited table row (r190820)
CSS clip property should make layers non-opaque (r170307)
Garbage at the top of http://www.technologyreview.com after scrolling (r149084)
Refactor layer-related logic out of RenderBoxModelObject (r130081)
FrameView: Remove code for disabling repaints. (r156977)
Separate SVG image size and container size (r146227)
Account for transform in SVG background images (r143541)
Replace SVG bitmap cache with directly-rendered SVG (r142765)
Track scale and zoom together when drawing SVG images (r141303)
Canvas drawImage() should draw SVG at the correct scale. (r126094)
[JSC] Inline JSC::toInt32 to improve kraken (r201964 + r201966)
The backend should be happy to compile Unreachable even if AI didn't prove it to be unreachable (r201936)

Jun 10, 2016
============
PingHandle delete's itself but pointer is still used by handleDataURL (r198143)
Permanent redirects should have long implicit cache lifetime (r184837)
Assertion hit DOMTimer::updateTimerIntervalIfNecessary() (r175655 partial)
Simplify treeScope and setTreeScope (r136328)
StylePendingImage needs to correctly manage the CSSValue pointer lifetime (r160479 partial)
SVG-as-image: Throw out cached bitmap renderings after they sit unused for some time. (r139236)
Make sure we don't mishandle HTMLFrameOwnerElement lifecycle (r200216)
Micro-optimize JSNodeOwner::isReachableFromOpaqueRoots(). (r164900)
Remove custom finalizer for Node JS wrappers. (r157230)
Simplify and optimize ChildListMutationScope (r129280 + r129288)
ImageLoader can't be cleared when video element poster attribute removed. (r128654)
Rare failure in stress/v8-deltablue-strict.js.ftl-eager (r201900 partial)
Fix passing null / undefined as NodeFilter parameter for createNodeIterator() / createTreeWalker() (r188745)
Remove leak of objects between isolated worlds on custom events, message events, and pop state events. (r186955)
CustomEvent: Allow taking in a serialized value during initialization. (r134120)

Jun 08, 2016
============
MediaStream API: Update RTCPeerConnections stream accessors to match the latest specification (r141871)
MediaStream API: Deleting all files relating to the deprecated PeerConnection00 (r134084)
[Shadow DOM] Kill ShadowRoot constructor (r137408)
Element.pseudo property should be prefixed (r136913)
[Shadow DOM] Element.createShadowRoot() should be prefixed. (r136092)
[Shadow DOM] Implement Element::createShadowRoot() (r135693)
[Shadow] attribute pseudo should return empty string instead of null when nothing is specified. (r135236)
[Shadow] Element should have getter and setter of attribute 'pseudo' (r133268)
Support re-projection for Shadow DOM. (r131070)  
XMLHttpRequest: status and statusText throw DOM Exception 11 when the state is UNSENT or OPENED. (r165229)
XMLHttpRequest performs too many copies for ArrayBuffer results (r163444)    
Have XHR.getResponseHeader() return null and XHR.getAllResponseHeader() return the empty string in initial ready states (r163022)
XHR.response is null when requesting empty file as arraybuffer (r158333)
Reuse of XMLHttpRequests causes character corruption in response text (r153553)
InvalidationPointInjectionPhase creates bogus InvalidationPoints that may even be inserted when it's not OK to exit (r201776)

Jun 07, 2016
============
[JSC] Do not allocate unnecessary UTF-8 string for encodeXXX functions (r201756 partial)
Stub out WebSpeech synthesis (r139918)
Add support for :read-write/:read-only matching editable content (r173441 + r173559)
Update the current matching of :read-only and :read-write to the latest spec (r173328)
[Mac] media/track/audio-track.html is flakey (r176024)
Crash in GenericEventQueue::timerFired since the owner of GenericEventQueue is deleted during dispatching events. (r124843)
octal and binary parsing is wrong for some programs (r201737)
rootRenderer in FrameView is really RenderView (r142647 partial)
Handle createShadowSubtree inside of ensureUserAgentShadowRoot (r141066)
Move ensureUserAgentShadowRoot to Element (r141002)
Adding a text track should not make controls visible (r140862 partial)
Refactor ValidationMessage class (r128254)
AuthorShadowDOM for meter element (r125659)                                   
Remove Element::ensureShadowRoot (r125007)	
AuthorShadowDOM for progress element (r124754)

Jun 06, 2016
============
:read-write pseudo-class should not be applied on <input type="text" disabled> (r156387)
[jsc][mips] Implement absDouble() (r201716)
Crash under JSObject::getOwnPropertyDescriptor() (r201712)
Refactoring: Rename Element::shouldMatchReadOnlySelector and shouldMatchReadWriteSelector (r137284)
Refactoring: Introduce HTMLFormControlElement::isDisabledOrReadOnly (r137124)
:read-only selector should match to date/time input types (r135829)
[WK2] Support download attribute feature (r198893)
JSON.stringify replacer function calls with numeric array indices (r201674)

Jun 03, 2016
============
Large array shouldn't be slow (r183787 partial)	
Eliminate two large sources of temporary StringImpl objects. (r201645)
Hang when calling setCurrentTime on SVG with cyclic animation dependency chain (r147434)
REGRESSION: JSBench spends a lot of time transitioning to/from dictionary (r201436 + r201445 rolled out + r201573 partial)	
		
Jun 02, 2016
============
CachedResource leak in validation code (r188358)	
Memory leak for a protected Element having pending events in ImageLoader. (r186267)
Crash when ImageLoader deletes Element inside SVGImageElement (r144825)
CachedResource::clearLoader() should self-destruct if nothing else retains the CachedResource. (r180068)
Memory leaks with autoLoadImages off (r171036)
REGRESSION(r150867): FrameView auto-sizing + delegate denied image load may cause StyleResolver to re-enter itself. (r153072)
Crash in WebCore::SubresourceLoader::releaseResources when connection fails (r150867)
Fix memory leaks in platform/image-encoders/JPEGImageEncoder.cpp (r158280)
Avoid Node references from AXObjectCache from leaking (r154859 partial)
Don't keep unassociated elements in the past names map (r154761)
JSHTMLFormElement::canGetItemsForName needlessly allocates a Vector (r154586)
id of iframe incorrectly sets window name (r191652)
Dictionary property access should be fast (r201562 partial)
		
Jun 01, 2016
============
Calling SVGAnimatedPropertyTearOff::animationEnded() will crash if the SVG property is not animating (r199598)
Reference cycle between SVGPathElement and SVGPathSegWithContext leaks Document (r194964 partial)
SVGPropertyTearOffs should detachChildren before deleting its value. (r165053)
Prevent infinite loop in SVG use cycle detection (r145216)
ASSERT triggered in SVGTRefTargetEventListener::handleEvent() (r126205)

May 31, 2016
============
Exploitable crash happens when an SVG contains an indirect resource inheritance cycle (r191731 + r191746 + r191748)
Clean up SVGPatternElement::collectPatternAttributes (r162792)
Cyclic resources were not detected if the reference had deep containers (r189953)
REGRESSION (r196268): Many assertion failures and crashes on SVG path animation tests when JS garbage collection happens quickly (r197125)
REGRESSION(r196268): WTFCrashWithSecurityImplication on SVG path animation tests (r196670)
REGRESSION(r181345): SVG polyline and polygon leak page (r196268)

May 30, 2016
============
Log which ActiveDOMObject(s) can't be suspended for PageCache. (r178223 partial)
MediaStream API: Update the RTCPeerConnection states to match the latest specification (r140310)
MediaStream API: Update RTCPeerConnection states to match the latest editors draft (r134900 + r134805 + r134810 rolled out + r134976)
MediaStream API: Don't trigger any object deletion during RTCPeerConnection::stop (r134093)
Source/WebCore: MediaStream API: Make sure all events are dispatched asynchronously (r132420)
MediaStream API: Fix the incorrectly spelled RTCPeerConnection::onnegotiationneeded callback (r129397)
MediaStream API: add RTCPeerConnection::onnegotiationneeded (r128166)
MediaStream API: add RTCPeerConnection::createAnswer (r127906)
MediaStream API: Add the local and remote description functionality to RTCPeerConnection (r127612 + 127660 + 127664 + 127679 rolled out + r127766)
MediaStream API: Add the async createOffer functionality to RTCPeerConnection (r127501)
MediaStream API: Add MediaStream management to RTCPeerConnection (r127365)
MediaStream API: Introduce RTCSessionDescription (r126333)

May 27, 2016
============
MediaStream API: Implement RTCDataChannel (r131372)
MediaStream API: Add Ice-related functionality to RTCPeerConnection (r127425)
MediaStream API: Introduce MediaConstraints (r127165)
MediaStream API: Add readyState functionality to RTCPeerConnection (r126586)
MediaStream API: Introduce RTCIceCandidate (r126328)
MediaStream API: Add RTCPeerConnectionHandler infrastructure (r124460)
MediaStream API: Move RTCConfiguration to its proper place (r124421)
Introduce a minimal RTCPeerConnection together with Dictionary changes (r124193)
time element should use HTMLTimeElement interface (r190106)	
Implement the HTML <main> element. (r140341)	
HTMLTreeBuilder::furthestBlockForFormattingElement should belong to HTMLElementStack (r126355)
Move causesFosterParenting() to HTMLStackItem (r124537)
Avoid downloading the wrong image for <picture> elements. (r195132 partial)
Fix the !ENABLE(VIDEO) build after r192953 for <picture> element introduction (r194278)
Implement the picture element. (r192953)

May 26, 2016
============
[Cairo] Implement Path::addPath (r183088)
[Cairo] Implement Path::addEllipse (r180881)
Add support for canvas ellipse method (r180790)
Implement method addPath for Path2D (r165910)
Quadratic and bezier curves with coincident endpoints rendered incorrectly (r141500)
Change navigator.webkitGamepads[] to navigator.webkitGetGamepads() (r123937)
[canvas] Implement currentPath to get and set the current path of the context (r141456)
Implement Canvas Path object (r140604)
Make timerNestingLevel threadsafe (r173133)
DOMTimer::m_nestingLevel is prone to overflow (r173132)
DOMTimer may be deleted during timer fire (r172963)
Numeric identifiers of events are not guaranteed to be unique (r142909)
Numeric identifiers of events should not be globally sequential (r135478)

May 25, 2016
============
REGRESSION (r153406): DOM intervals are not properly restarted when resumed (r153531)        
Make SuspendableTimer safer (r153406)
EventSource: Loss of reconnect time precision due to integer division (r149436)
EventSource: Synchronous loader callback not handled properly (r149098)
cloneNode(true) does not clone nested template elements' contents (r177314)
Remove the unused deletion UI feature (r175647)
Implement Document.cloneNode() (r160330)
cloneChildNodes looks for deleteButtonController in each level of recursion (r149127)
Turn avoidIntersectionWithNode into Editor member functions to encapsulate delete button controller (r142705)
Crash in ContainerNode::cloneChildNodes. (r142533)
Implement the new stacking layer needed by the Fullscreen API and the new <dialog> element (r135242)
Vertically center non-anchored <dialog> elements (r127681)

May 24, 2016
============
Use isDocumentFragment() instead of comparing nodeType() with Node::DOCUMENT_FRAGMENT_NODE (r161024)
Clear TemplateContentDocumentFragment::m_host when HTMLTemplateElement is destroyed (r159596)
[HTMLTemplateElement] When adopting a template element, also adopt its content into the appropriate document (r138756)	
[HTMLTemplateElement] Disallow cycles within template content (r138730)	
HTMLTemplateElement.innerHTML should be parsed into the template contents owner document (r137021)
[HTMLTemplateElement] make content readonly and cloneNode(deep) clone content (r136903)
Add infrastructure for :before and :after in DOM (r136744)	
parser* methods in ContainerNode should not support DocumentFragment (r136584)
Implement HTMLTemplateElement (r136467 + r136480)	
Corrupted DOM tree during appendChild/insertBefore (r136405)
checkAcceptChild() needs fewer virtual calls (r136076)	
[Refactoring] NodeFlags::IsShadowRootFlag should be Node::IsDocumentFragmentFlag (r135833)
[Refactoring] Some Node::isDescendant calls can be replaced with Node::contains() (r135695)
Frame element doesn't always unload its child frame. (r127534)
JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference (r201235 + r201266)

May 20, 2016
============
Add new JSDependentRetained that allows keeping a JSObject alive as long as another is alive (r128249)
IndexedDB: IDBRequest leaks if IDBCursor closes and no further events fired (r127518)
IndexedDB: IDBRequest can be GCd during event dispatch (r126254)
IndexedDB: intversion-long-queue.html fails an assert (r125231)
Layout Test storage/indexeddb/intversion-omit-parameter.html is flaky (r124974)
[JSC] MutationObservers should not create circular, leaky references (r141296)
[JSC] MutationObserver wrapper should not be collected while still observing (r135337)	
MutationObserver wrapper should not be collected while still observing (r135228)
CSP 1.1: Rename SecurityPolicyViolationEvent::sourceURL to ::sourceFile. (r146763)
CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports. (r146758)
Prefer 'KURL(ParsedURLString, String)' when dealing with known-good data. (r146580)
CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur. (r146520)
CSP 1.1: Stub out SecurityPolicyViolationEvent interface. (r146305)	
CSP 1.1: Experiment with adding line numbers to violation reports. (r138834)
Implement the form-action Content Security Policy directive. (r125772)
Implement the plugin-types Content Security Policy directive. (r125531)	

May 19, 2016
============
Add support for delete by value to the DFG (r200459 partial)	
Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated (r200387)

May 18, 2016
============
CPS rethreading should really get rid of GetLocals (r184755 partial)
Objects with numeric properties intermittently get a phantom 'length' property (r182058)
FTL should support GetById(Untyped:) (r163119 partial)
[JSC] SetLocal without exit do not need phantoms (r200898)
[JSC] Improve codegen of Compare and Test (r197652 partial)

May 17, 2016
============
ValueRecovery should distinguish between doubles in an FPR and JSValues in an FPR (r189192 partial)
Math.imul has wrong length in Safari 8.0.4 (r182868)
Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations (r181841)
DFG::NodeOrigin should have a flag determining if exiting is OK right now (r188771 partial)
Add some assertions about the CFG in the loop pre-header creation phase (r184646 partial)
ARMv7 compare32() should not use TST to do CMP's job. (r166716)	

May 16, 2016
============
[Win] Crash when enabling DFG JIT. (r168535 partial)
REGRESSION(r158315): Fix register mixup in JIT::compileOpCall. (r158672)
CRASH in operationCreateDirectArgumentsDuringExit() (r183307)	
Crash when attempting to perform array iteration on a non-array with numeric keys not initialized. (r175243)
Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes (r181817 complete)

May 16, 2016
============
Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the posibility of a descriptor that doesn't have a value (r196490)
Error construction for inlined operations should not use the inliner's CodeBlock (r196302)
Remove unnecessary SpecialFastCaseProfiles. (r190435)
[JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used (r200896)	
Runaway malloc memory usage in this simple JSC program (r200884)

May 13, 2016
============
cloberrize() is wrong for ArithRound because it doesn't account for the arith mode (r184541 partial)
js/regress/is-string-fold-tricky.html and js/regress/is-string-fold.html are crashing (r183650)
SpeculativeJIT::emitAllocateArguments() should be a bit faster, and shouldn't do destructor initialization (r180909)
FTL should support StringFromCharCode (r196642 partial)
The StringFromCharCode DFG intrinsic should support untyped operands. (r194996)
Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently. (r194983)
Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters (r166142 complete)
Add extra space to op_call and related opcodes (r164503)
REGRESSION (r163027?): CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.JavaScriptCore: JSC::ArrayProfile::computeUpdatedPrediction + 4 (r163241)
DFG should allow inlining of op_call_varargs calls (r162739)

May 12, 2016
============
ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister. (r194707)
DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure). (r193653)	
REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash (r172737 partial)
[JSC] Make sure StringRange is passed to Vector by register (r200743)	
TypedArray.prototype.slice should use the byteLength of passed array for memmove (r200667)
Implement SmallPtrSet and integrate it into the Parser (r198375 partial)
synthesizePrototype() and friends need to be followed by exception checks (or equivalent). (r197794 partial)   
JSSymbolTableObject::deleteProperty() crashes deleting Symbols (r196051)

May 10, 2016
============
Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes (r181817 partial)
the toInt32 operation inside DFGSpeculativeJIT.cpp can't throw so we shouldn't emit an exceptionCheck after it. (r190128)
DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks (r188764 partial)
Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads (r199052)
Merge arm and sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions. (r159871)
JavaScript parser bug (r158425)
Implement basic ES6 Math functions (r158401)

May 09, 2016
============
Need ability to fuzz exception throwing (r171213 partial)

May 06, 2016
============
[JSC] In DFG, an OSR Exit on SetLocal can trash its child node (r200498)
VarargsForwardingPhase should use bytecode liveness in addition to other uses to determine the last point that a candidate is used (r183406 partial)

May 05, 2016
============
We shouldn't crash if DFG AI proved that something was unreachable on one run but then decided not to prove it on another run (r200468)	
Add support for delete by value to the DFG (r200459 partial)

May 04, 2016
============
References from code to Structures should be stronger than weak (r200405 partial)

May 03, 2016
============
[JSC] Unify Math.pow() accross all tiers (r200208 partial)
[JSC] Add an implementation of pow() taking an integer exponent to B3 (r193989 partial)
[JSC] Improve how DFG zero Floating Point registers (r192183 partial + r192946 partial + r197687 + r197731 + r199626)

Apr 29, 2016
============
JSON.stringify shouldn't use generic get() to access Array.length (r184107)
Micro-optimize JSON serialization of string primitives. (r184006)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179539 partial)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179476 partial)
Add support for HTMLImageElement's sizes attribute (r170576 complete)
[JSC] GetByVal on Undecided use its children before its OSR Exit (r200133)
[JSC] Add support for GetByVal on arrays of Undecided shape (r188432 partial)

Apr 28, 2016
============
DFG del_by_id support forgets to set() (r199801)
We should support delete in the DFG (r199683 partial)
Reveal array bounds checks in DFG IR (r160347 partial)

Apr 27, 2016
============
Properly clear m_logicallyLastRun to remove use-after-free possibility (r164876)
DFG backends shouldn't emit type checks at KnownBlah edges (r200096 partial)

Apr 26, 2016
============
[JSC] Optimize JSON.parse string fast path (r199968)
[JSC] Optimize number parsing and string parsing in LiteralParser (r199941)
Animations sometimes fail to start (r187535 partial)
Animate clip rect() between different Length types (r149288)
REGRESSION(r111639): delayed animation start can be postponed (r144935)
Fix potential crash when canceling animations on renderers with no node (r136293)

Apr 25, 2016
============
[JSC] Improve how B3 lowers Add() and Sub() on x86 (r193804 partial)
[GTK] Fonts loaded via @font-face look bad (r180563 partial)
[Freetype] Cannot use characters outside the BMP (r141122 partial)
javascript jit bug affecting Google Maps. (r199935)
[JSC] Integer Multiply of a number by itself does not need negative zero support (r199894)

Apr 24, 2016
============
Fix mixed use of booleans in JPEGImageDecoder.cpp (r166490)
Fix JPEG decoding faiure when IMAGE_DECODER_DOWN_SAMPLING is enabled (r131075)

Apr 21, 2016
============
[JSC] DFG should not generate two jumps when the target of DoubleBranch is the next block (r199796)
[JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG (r199792)
[JSC] Use 3 operands Add in more places (r197653)

Apr 20, 2016
============
r161364 caused JSC tests regression on non-DFG builds (e.g. C Loop and Windows). (r161446)
Get rid of ENABLE(VALUE_PROFILER). It's on all the time now. (r161364)

Apr 19, 2016
============
REGRESSION(r173188): Text inserted when trying to delete a word from the Twitter message box. (r176824 revisited)	
[JSC] Fix some overhead affecting small codegen (r199710)	
Use a better RNG for Math.random() (r192855 partial)

Apr 18, 2016
============
[JSC] DFG should support relational comparisons of Number and Other (r199639)
[JSC] FRound/Negate can produce an impure NaN out of a pure NaN (r199638)
Some JIT/DFG operations need NativeCallFrameTracers (r199617 partial)

Apr 15, 2016
============
CopiedBlock should be 64kB (r199589)
CopiedBlock should be 8kB (r199567 + r199572 rolled out)
CopiedBlock should be 16kB (r199016 + r199032 rolled out + r199125 rolled int + r199145 rolled out)

Apr 13, 2016
============
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179539 partial)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179476 partial)
Add support for HTMLImageElement's sizes attribute (r170576 partial)

Apr 12, 2016
============
Elements whose contents start with an astral Unicode symbol disappear when CSS `::first-letter` is applied to them (r172513)
Align srcset parser with recent spec changes (r169637)	
	
Apr 11, 2016
============
Refactor the srcset parser into its own file (r169573)	
Use srcset's pixel density to determine intrinsic size (r163415)
Update HTMLPreloadScanner to handle img srcset (r153733)
srcset algorithm breaks base64 src attributes (r153627)
Implement img element's srcset attribute (r153624)
Add the default video poster if it doesn't exist in video tag (r145750)
[JSC] Optimize more cases of something-compared-to-null/undefined (r188624) 
 
Apr 08, 2016
============
DFG should have a KnownBooleanUse for cases where we are required to know that the child is a boolean and it's not OK to speculate (r188747 partial)
[JSC] Improve DFG's Int32 ArithMul if one operand is a constant (r197655)
Fix CPU(ARM_TRADITIONAL) build after r159039. (r159055)
It should be easy to disable blinding on a per-architecture basis (r158975)
[mips] Fix build for MIPS platforms. (r158670 partial)
Build break on ARMv7 after r157209 (r157784)
Unreviewed, speculative ARM build fix. (r157618)

Apr 07, 2016
============
CopiedBlock should be 16kB (r199016 rolled out)
[JSC] UInt32ToNumber should be NodeMustGenerate (r199148)

Apr 05, 2016
============
Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads (r199052)

Apr 04, 2016
============
Decouple font creation from font loading (r196322 + r196335 + r196376 + r196576)
Cleanup in font loading code (r194923)
The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell (r197622)

Apr 01, 2016
============
[Font Loading] General cleanup (r195523)
Allow targetting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER) (r178292 + r178294 + r178628)
Subclass CachedFont for SVG fonts (r176264 + r176267 rolled out + r176276 + r176410)
FontPlatformData has unnecessary m_textOrientation member (r136520)
DFG JIT bug in typeof constant folding where the input to typeof is an object or function (r198902)

Mar 31, 2016
============
Remove broken cache from CSSFontFaceSource (r195567)

Mar 29, 2016
============
Optimize ColorMatrix filter (r13661)
Simulated mouse events should return an accurate offset (r135065)
beginElement() does not observe updated animation attributes (r125608)
EventDispatcher::dispatchSimulatedClick should not reuse the same EventDispatcher instance. (r125133)
Don't re-use the same EventDispatcher instance to dispatch events. (r124975)
[JSC] ArithSub should not propagate "UsesAsOther" (r198770)
Subtrees with :first-child and :last-child are not invalidated when siblings are added/removed (r170121 partial)
(display: block)input range's thumb disappears when moved. (r186981)	
MediaControls::show() should make controls opaque (r138902)
Reset the slider thumb location before every layout of the slider container (r135388)
Dynamically added elements do not get re-projected. (r131615)
Fix crash in WebCore::MediaControlPanelElement::makeTransparent() (r131505)
input[type=range] as a flex item renders thumb at wrong position (r131497)	
Replace RenderListBox::updateLogicalHeight with RenderListBox::computeLogicalHeight (r129174)
Pass the logical height and logical top into RenderBox::computeLogicalHeight (r128238)
Rename computeLogicalHeight to updateLogicalHeight (r128201)
Rename computeLogicalWidth to updateLogicalWidth (r128110)
Add OVERRIDE to computeLogical{Width,Height} overrides (r127937)
Fullscreen/normal volume sliders don't stay in sync (r125590)

Mar 28, 2016
============
RegExp.prototype.test should be an intrinsic again (r198705)
putByIndexBeyondVectorLengthWithoutAttributes should not crash if it can't ensureLength (r198676)

Mar 24, 2016
============
REGRESSION (r125592): Reproducible crash in DOMWindow::open when a delegate closes the new window in decidePolicyForNavigationAction (r149589)
REGRESSION (r125592): Crash in Console::addMessage, under InjectedBundle::reportException (r125912)
DOMWindow::document() should not reach through Frame (r125592)
Make PNGImageDecoder::rowAvailable auto-vectorizable (r150252)
[Qt] RGB -> BGR is wrong on big endian (r141886)
Seam occurred between pieces of ShadowBlur on floating point zoom (r133836)

Mar 23, 2016
============
[JSC] correctly handle indexed properties in Object.getOwnPropertyDescriptors (r198572)
REGRESSION(r197543): Use-after-free on storage/indexeddb/transaction-abort-private.html (r198565)
JSArrayBuffers should be collected less aggressively (r197543 complete)

Mar 22, 2016
============
ANGLE doesn't build with bison 3.0 (r154109)
[ANGLE] Fix the build with gcc 4.7 (r127747)
[CSS Shaders] [ANGLE] RenameFunction::RenameFunction may store references to temporary string (r126625)

Mar 21, 2016
============
Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time (r198478 partial)
[ES6] Make Array.prototype.reverse spec compatible. (r198294)
Asynchronously call onerror when a content blocker blocks ascript element's load (r192983)
Various assertion failures occur when executing script in the midst of DOM insertion (r185769)
WebCore::ScriptRunner::timerFired() is reported to crash. (r139942)

Mar 10, 2016
============
Improve CSSPrimitiveValue::customCSSText for ARMv7 (r169731 + r169734)
ASSERTION FAILED: !value || (value->isPrimitiveValue()) in WebCore::StyleProperties::getLayeredShorthandValue. (r160010)
Fix the parsing and re-serialization of :lang pseudo class selector when it has multiple arguments with same value (r176535)
CSS attribute selectors cause unnecessary style recalc when setting attribute to same value. (r149047)
Make HTMLLegendElement.form behave according to specification (r134510)
Improve console error messages when 'document.domain' blocks cross-origin script access. (r128208)
Source/WebCore: Clarify the cause of console warnings generated by "cross-origin" access to sandboxed iframes. (r128070)
Regexp matching should incur less call overhead (r197796)
createRegExpMatchesArray should allocate substrings more quickly (r197729)

Mar 09, 2016
============
WeakBlock::visit() should check for a WeakHandleOwner before consulting mark bits. (r197774)

Mar 08, 2016
============
DFG should be able to compile StringReplace (r197520)
FTL should simplify StringReplace with an empty replacement string (r197416 partial)
RegExp.prototype.exec() should call into Yarr at most once (r197715)
RegExpMatchesArray doesn't know how to have a bad time (r197641 partial)
The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell (r197622)
Turn String.prototype.replace into an intrinsic (r197408)

Mar 07, 2016
============
[JSC] RegExp#lastIndex should handle writable attribute when defining in defineOwnProperty path (r197640)
[JSC] Improve the call site of string comparison in some hot path (r167220)

Mar 04, 2016
============
JSArrayBuffers should be collected less aggressively (r197543 partial)
Octane/regexp's Exec function should benefit from array length accessor inlining (r197542)
Per CSSOM, computed rect() function values must be comma separated (r163686)
Fix three bugs in the equals() implementations for css gradients. (r157598)
Implement CSSValue::equals(const CSSValue&) to optimise CSSValue comparison (r142444 + r142457 + r142472)
cssText for cursor property doesn't include hotspot (r132966)	
Ensure variables are resolved for specialized CSS primitive value types. (r129579)
Setting inline style to the same value it already has triggers a style recalc (r183017)
StylePropertySet::getPropertyShorthand() should return a String. (r149157)
getComputedStyle returns truncated value for margin-right (r142824)
getComputedStyle returns "left" instead of "none" for "float" on abspos elements (r140993)
The "outline-offset" property is not found in the computed style property list (r139321)	
Implement CSS computed style value for transition shorthand (r139200)
Querying transition-timing-function value on the computed style does not return keywords when it should. (r138728)
Prep work for: Implement sticky positioning (r126520)
Share the StringImpl the CSS property names (r125934)
Move CSS's propertyNameStrings[] to from the header to the cpp file (r125368)

Mar 03, 2016
============
transition properties can't be found in CSSStyleDeclaration (r144626)
createAttribute/setAttributeNode does not properly normalize case (r144595)
Accept 'allowfullscreen' in addition to 'webkitallowfullscreen'. (r143533)
[WEBGL] Rename WEBKIT_WEBGL_depth_texture to WEBGL_depth_texture. (r141922)
[WEBGL] Rename WEBKIT_WEBGL_compressed_texture_s3tc to WEBGL_compressed_texture_s3tc (r141846)
[WEBGL] Rename WEBKIT_WEBGL_lose_context to WEBGL_lose_context. (r141845)
RegExpExec/RegExpTest should not unconditionally speculate cell (r197492 partial)	
FTL should be able to run everything in Octane/regexp (r197357 partial)
RegExpPrototype should check for exceptions after calling toString and doing so should not be expensive (r197485)
Enable unprefixed CSS transitions by default. (r141578)
Canvas support for isPointInStroke (r141141)
Allow construction of unprefixed transition DOM events. (r140448)
CSS3 calc: unprefix implementation (r140300)
PseudoElement should never dispatch events (r138832)
Implement CSS parsing for CSS transitions unprefixed. (r138184)	
Add infrastructure for :before and :after in DOM (r136744)	
Use virtual dispatch to create ContentData renderers (r131666)
Clean up ContentData operator overloads (r131565)

Mar 02, 2016
============
SpeculatedType should be easier to edit (r197374)
isUntypedSpeculationForArithmetic is wrong. (r194560)
FTL should simplify StringReplace with an empty replacement string (r197416 partial)
[JSC] Simplify ArithMod(ArithMod(x, const1), const2) if const2 >= const1 (r197445)

Mar 01, 2016
============
Regression(r139836): Crash in WTF::equalIgnoringCase (r140848)
Add ontransitionend attribute on HTML elements. (r140010)
Update CSS3 gradient support to the latest spec version and unprefix. (r139836)
Switch the gradient drawing code to use bearing angles (r137669)
Deprecate prefixed linear-gradient and radial-gradient functions (r137206)
Unprefixed transitionend event doesn't seem to be implemented, which breaks many sites (r139762)
StyleRareNonInheritedData::contentDataEquivalent only looks at the first ContentData (r131685)
webkit fails IETC namespaces/prefix-007.xml (r125371)
Unprefix window.webkitURL (r125149)
[DFG][FTL][B3] Support floor and ceil (r197380 partial)

Feb 29, 2016
============
[RequestAnimationFrame] Remove vendor prefix (r131214)
[DFG] Drop unnecessary proved type branch in ToPrimitive (r197164)

Feb 24, 2016
============
Background size width specified in viewport percentage units not working (r142645)

Feb 23, 2016
============
setSelectionRange should set selection without validation (r164316)
setSelectionRange shouldn't directly instantiate VisibleSelection (r164194)
setSelectionRange shouldn't trigger a synchronous layout to check focusability when text field is already focused (r164156)
HTMLTextFormControlElement::setSelectionRange shouldn't use VisiblePosition (r163825 partial)
CTTE: Tighten up type usage around InputType::innerTextElement() (r157694)
Unduplicate the code to convert between VisiblePosition and index (r154868 partial)	
Caret is incorrectly painted for a contenteditable <div> containing a <br> in vertical writing mode (r139166)
REGRESSION(r129186): Pressing enter at the end of a line deletes the line (r129814)
Prevent reading stale data from InlineTextBoxes (r129186)

Feb 20, 2016
============
Properly reset deleted count when clearing HashTables. (r183504)
Avoid copying a hash table bucket when inserting causes a rehash (r155571)

Feb 19, 2016
============
ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier" (r187119)
AtomicString::HashAndUTF8CharactersTranslator::equal() doesn't optimally handle 8 bit strings (r131652)
Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion (r196810)
JSString resolution of substrings should use StringImpl sharing optimization. (r196761)

Feb 18, 2016
============
Background doesn't fully repaint when body has margins. (r153701)
Fix test assertion after r151624 (r151629)
Fixed backgrounds in composited layers not repainted on scrolling (r151624 partial)	
Parent box with background-size auto and gradient image does not get properly repainted when child box is resized. (r148203)
Gradient background does not get repainted when child box is expanded. (r147303)
Late-loading stylesheets can cause composited layers to be blank (r136277)
Introduce a will-be-removed-from-tree notification in RenderObject (r126048)
Add a was-inserted-into-tree notification to RenderObject (r125737)
Callers of JSString::value() should check for exceptions thereafter. (r196745 partial)
[JSC] Remove the overflow check on ArithAbs when possible (r196726 partial)	
StringPrototype functions should check for exceptions after calling JSString::value(). (r196721)

Feb 17, 2016
============
Remove more of the UNINTERRUPTED_SEQUENCE thing (r157500)
Get rid of the UNINTERRUPTED_SEQUENCE thing (r157481)
Transition *switch* and *scope* JITStubs to JIT operations. (r157439)    
Separate out array iteration intrinsics (r157420)
Transition misc cti_op_* JITStubs to JIT operations. (r157404)

Feb 16, 2016
============
[ARMv7] stress/op_rshift.js and stress/op_urshift.js are failing. (r196591)	
JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse map based on MAX_STORAGE_VECTOR_INDEX (r196524)

Feb 12, 2016
============
Implement ES6 class syntax without inheritance support (r179371 partial)

Feb 11, 2016
============
Unreviewed, rolling out r195375. (r195398)
X.[[SetPrototypeOf]](Y) should succeed if X.[[Prototype]] is already Y even if X is not extensible (r188384 partial)
Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes. (r177657)
Add operator==(PropertyName, const char*) (r174997)
Avoid going through ExecState for VM when we already have it (in some places.) (r164925)
JSObject::findPropertyHashEntry() should take VM instead of ExecState. (r164904)
[JSC] Generate put_by_val_direct for indexed identifiers instead of put_by_id with direct postfix (r184859)
ES6: Allow duplicate property names (r184324)
Computed Property names should allow only AssignmentExpressions not any Expression (r181829)
ES6: Object Literal Extensions - Methods (r181183)

Feb 10, 2016
============
Parser should detect error before calls to parseAssignmentExpression() (r196258)
Object.getOwnPropertyDescriptor() does not work on sub-frame's window (r196220)
PropertyListNode::emitNode duplicates the code to put a constant property (r178918)
Fix build after r157457 for architecture with 4 argument registers. (r157467)
[ARM] Add the missing setupArgumentsWithExecState functions after r185240 (r185323)
[JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case (r185240 partial)

Feb 09, 2016
============
Don't set up the callsite to operationGetByValDefault when the optimization is already done (r187750 revisited)
ES6: Object Literal Extensions - Shorthand Properties (Identifiers) (r181121)
Optimize own property GetByVals with rope string subscripts. (r173188 revisited)
Optimize GetByVal when subscript is a rope string. (r168335 revisited)
Transition remaining op_get* JITStubs to JIT operations. (r157559)	    

Feb 08, 2016
============
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r182452 revisited)
[sh4][mips][arm] Fix crashes in JSC (32-bit only). (r157797)
Support computed property names in object literals (r157724)
Spread operator should be performing direct "puts" and not triggering setters (r157656 revisited)
Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4. (r157566)
transition void cti_op_put_by_val* stubs to JIT operations (r157546)
Fix J_JITOperation_EAapJ call for MIPS and ARM EABI. (r157633)
Fix potential register trampling in JIT since r157313. (r157339)
Transition op_new_* JITStubs to JIT operations. (r157313)
String.match should defend against matches that would crash the VM (r196240)
Further improve ArrayIterator performance (r157267)
transition cti_op_* methods returning int to JIT operations. (r157266)	

Feb 06, 2016
============
Arrayify for a typed array shouldn't create a monster (r196179)

Feb 05, 2016
============
[iOS8][ARMv7(s)] Optimized Object.create in 'use strict' context sometimes breaks. (r184960 partial revisited)	
Baseline JIT and DFG IC code generation should be unified and rationalized (r157685)
Fix build failure for architectures with 4 argument registers. (r157668)
A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs (r157660)
Get rid of the StructureStubInfo::patch union (r157489)
Baseline JIT should use the DFG GetById IC (r157480)

Feb 04, 2016
============
[arm] Add missing setupArgumentsWithExecState() prototypes to fix build. (r157800)
[sh4] Fixes after r157404 and r157411. (r157427)
Baseline JIT should use the DFG's PutById IC (r157411)
Fix potential register trampling in JIT since r157313. (r157339)
Transition call and construct JITStubs to CCallHelper functions (r157164 partial)	
[EFL] Add ARM64 build support (r166232)
[iOS] Upstream JavaScriptCore support for ARM64 (r157474 partial)

Feb 03, 2016
============
[Win] JavaScript JIT crash (with DFG enabled). (r159593)
Crash in virtualForThunkGenerator generated code on ARM64 (r159427 partial)		

Feb 02, 2016
============
Fixed callFrameRegister differences between arm traditional (r11) and arm Thumb2 (r7) in GPRInfo.h. (r159276 partial)
[mips] Make regTx registers match between JSInterfaceJIT and GPRInfo. (r158677)
Get rid of the regT* definitions in JSInterfaceJIT.h. (r158901)	
Text-combine erroneously draws vertically after non-layout-causing style change (r182609)
Don't mutate style in RenderCombineText (r156500)
text-combine: horizontal does not work properly for some fonts. (r149474)
Combined text reverts to full-width font after a style change (r131077)
Pass VM instead of ExecState to JSGenericTypedArrayViewPrototype. (r157301)	
Pass VM instead of ExecState to JSNotAnObject constructor. (r157082)	
text-combine doesnt use third- and quarter-width variants when used with @font-face (r131005)

Feb 01, 2016
============
Should not predict OtherObj for ToThis with primitive types under strict mode (r195938)

Jan 29, 2016
============
Transition stack check JITStubs to CCallHelper functions (r157050)
Fix compilation of DateMath.cpp with MSVC (r158520)
Cut down on use of String::number (r156964)
Add callOperation to Baseline JIT (r156896)
Avoid upconverting strings in various places in WebCore (r152611 partial)
Make sure to call release() on our smart pointers when we should. (r150255)
CSS parser: Add error recovery while parsing @-webkit-keyframes key values. (r149106)

Jan 28, 2016
============
Make LLINT exception stack unwinding consistent with the JIT. (r156818)
Make Baseline JIT exception handling work like the DFG JIT (r156810)
Optimized VM access from C++ code (r156802)
Pass VM instead of ExecState to ObjectPrototype constructor. (r156680)
Pass VM instead of JSGlobalObject to MathObject constructor. (r156679)
Pass VM instead of JSGlobalObject to RegExp constructor. (r156668)
Refactor code for finding x86 scratch register. (r156617)
Fix compilation for COMPILER(MSVC) && !CPU(X86) after r156490. (r156654)
Unreviewed. Speculative build fix on ARMv7 Thumb2 after r156490. (r156637)
Move DFG inline caching logic into jit/ (r156490)
[sh4] JSValue* exception is unused since r70703 in JITStackFrame. (r156477)
WeakGCMap should not inherit from HashMap (r156476)
Move KeyValuePairTraits inside HashMap (r156438)
Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com (r156371 partial)
Remove the notion that a CallFrame can have a pointer to an InlineCallFrame, since that doesn't happen anymore (r156239)
Fixed Win64 build after r156184. (r156559)
Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them (r156184 partial)

Jan 27, 2016
============
Rename OperationInProgress to HeapOperation and move it out of Heap.h into its own header (r156050)
MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList (r155891 partial)
Extend the SaneChain optimization to Contiguous arrays (r184032)
Sane chain and string watchpoints should be set in FixupPhase or the backend rather than WatchpointCollectionPhase (r183897)
Constant folding of typed array properties should be handled by AI rather than strength reduction (r182498 partial)
Rename IntegerBranch/IntegerCompare to Int32Branch/Int32Compare. (r155783)
Rename SpeculativeJIT::integerResult() to int32Result(). (r155745)
Make Array.join work directly on substrings without reifying them (r185899 partial)

Jan 26, 2016
============
Reduce number of Structures created at startup. (r195528 partial)	
[JSC] Speed up new array construction in Array.prototype.splice(). (r184767)

Jan 22, 2016
============
Avoid a couple of zero-sized fastMalloc calls (r155734)
Unreviewed, fix mispelling (Specualte -> Speculate) that I introduced in an earlier patch. (r155644)
Rename initInteger() to initInt32() (r155595)
Rename IntegerOperand to Int32Operand and fillInteger() to fillInt32(). (r155594)
Remove needsDataFormatConversion because it is unused. (r155578)
Rename fillSpeculateInt to fillSpeculateInt32. (r155576)
Propagate the Int48 stuff into the prediction propagator. (r155499)
Atomicize HTMLAnchorElement.hash before passing it to JS. (r152743)
JSDOMWindowShell leaks on pages with media elements (r171481 partial)
REGRESSION: Crash under Heap::reportExtraMemoryAllocatedSlowCase for media element (r181453 partial)
Element::focus() should acquire the ownership of Frame. (r192433)	
Generated frame tree names should be kept reasonably long. (r190752)
Memory corruption in WebGLRenderingContext::simulateVertexAttrib0 (r186380 + r186384)
GraphicsContext state stack wasting lots of memory when empty. (r185396)	
Memory cache live resources repeatedly purged during painting (r183261)
Replace currentTime() with monotonicallyIncreasingTime() in WebCore (r154706 partial)

Jan 21, 2016
============
Fix bug in TypedArray.prototype.set and add tests (r195416)
[ES6] Fix various issues with TypedArrays. (r195360 partial)
TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation. (r195375)
We should say Int32 when we mean Int32. Saying Integer is just weird. (r155482)
Clearing MarkedBlock::m_newlyAllocated should be separate from MarkedBlock::clearMarks (r155316)
Stop using fastNew/fastDelete in JavaScriptCore (r155219)
CodeBlock memory cost reporting should be rationalized (r155021) 
Change local variable register allocation to start at offset -1 (r158237 revisited)
Web Inspector: [JSC] Caught exception is treated as uncaught (r155471)
Renamed StackIterator to StackVisitor. (r155081)	  
Refining the StackIterator callback interface. (r155075)
Converting StackIterator to a callback interface. (r155013)

Jan 20, 2016
============
Make JSValue bool conversion less dangerous (r154902)
CodeBlock's magic for scaling tier-up thresholds should be more reusable (r154837)
VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT) (r154817)

Jan 15, 2016
============
Streamline PropertyTable for lookup-only access. (r165440 revisited)
REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception. (r169221)
Refactoring Exception throws. (r154797)

Jan 14, 2016
============
Don't leak registers for redeclared variables (r154466 partial)
Remove putDirectVirtual (r154461)
Error.stack should not be enumerable (r154460)
Remove putDirectVirtual (r154459)
Clarify var/const/function declaration (r154434 partial)
Users of Heap::deprecatedReportExtraMemory should switch to reportExtraMemoryAllocated+reportExtraMemoryVisited (r181415)
Many users of Heap::reportExtraMemory* are wrong, causing lots of memory growth (r181411 partial)
Refactored the JSC::Heap extra cost API for clarity and to make some known bugs more obvious (r181407 partial)
JSC ignores the extra memory cost of HTMLCollection after a major GC (r164853 partial)
Automate generation of toJS function for classes that need to report extra memory usage (r148648)
PropertyDescriptor argument to define methods should be const (r154422)
	This should never be modified, and this way we can use rvalues.
Compress DFG stack layout (r156984 revisited)
Never use ReturnPC for exception handling and quit using exception check indices as a lame replica of the CodeOrigin index (r156300 revisited)
Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML (r154351)

Jan 13, 2016
============
Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML (r154245)
Remove some code duplication. (r154143)
accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3. (r154139)
remove some unnecessary periods from exceptions. (r154132)
Remove bogus assertion. (r154108)
[WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places (r154032)
Delay Arguments creation in strict mode (r153763)
Give the error object's stack property accessor attributes. (r153679)
Have vm's exceptionStack match java's vm's exceptionStack. (r153669)
fourthTier: Refactor JITStubs.cpp to move CPU specific parts out into their own files. (r153160)

Jan 12, 2016
============
[mips] Max value of immediate arg of logical ops is 0xffff (r194764)
Use a single allocation for the Arguments object (r174795 partial)

Jan 11, 2016
============
JSActivation::symbolTablePut() should invalidate variable watchpoints (r170766)
Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray (r167729 revisited)
fourthTier: Change JSStack to grow from high to low addresses (r155711 revisited)
Out of bounds read in IdentifierArena::makeIdentifier (r178311)
Unreviewed, fix uninitialized property leading to an assert. (r187794)
Made Object.prototype.__proto__ native getter and setter check that this object not null or undefined (r183275)
SparseArrayEntry's write barrier owner should be the SparseArrayValueMap. (r183128 GGC)

Jan 07, 2016
============
Removed fastMallocForbid / fastMallocAllow (r179319)
Don't set up the callsite to operationGetByValDefault when the optimization is already done (r187750 partial)
[mips] Fix branchTruncateDoubleToUint32 implementation in macro assembler (r194641)
[mips] Fix or32 implementation in macro assembler (r194640)
[mips] Add missing branchAdd32 implementation in macro assembler (r194639)

Jan 06, 2016
============
[JSC] Should not emit get_by_id for indexed property access (r194021)

Jan 05, 2016
============
Add webp image color profile support (r147048)
libwebp-0.2.0: handle alpha channel if present (r125869)
Fixes operationPutByIds such that they check that the put didn't (r176979 + r176997 rolled out + r177083 for baseline JIT)
  change the structure of the object who's property access is being cached.

Dec 22, 2015
============
Don't optimize variadic closure calls (r164119)
Fixes operationPutByIdOptimizes such that they check that the put didn't (r178441 for baseline JIT)	
DFG::StrCat isn't really effectful (r189075)
DFG string concatenation shouldn't be playing fast and loose with effects and OSR exit (r188825)
Introduce SymbolType into SpeculativeTypes (r184340 partial)
REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash (r172737 partial)
[JSC] StructureTransitionTable should eagerly deallocate single-transition WeakImpls. (r188978)	

Dec 21, 2015
============
Having a bad time has a really awful time when it runs at the same time as the JIT (r193470)
It's best for the DFG to always have some guess of basic block frequency (r192529)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 DFG/baseline JIT revisited).
	Missing tryRepatchIn.	

Dec 18, 2015
============
Rename DFG's compileAdd to compileArithAdd. (r192000)
DoubleRep fails to convert SpecBoolean values. (r191290)
speculateRealNumber() should early exit if you're already a real number, not if you're already a real double. (r185267)
Simplify unboxing of double JSValues known to be not NaN and not Int32 (r185239)
[JSC] Add undefined->double conversion to DoubleRep (r184933)
Add SpecBoolInt32 type that means "I'm an int and I'm either 0 or 1" (r184540)
REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests (r167452)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 baseline JIT revisited).

Dec 17, 2015
============
TypeOf should return SpecStringIdent and the DFG should know this (r183548 partial)
	breaks dfg-use-function-as-variable-merge-structure

Dec 16, 2015
============
Fixes inline cache fast path accessing nonexistant getters. (r176676 for baseline JIT)	
	
Dec 15, 2015
============
REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit (r165912 partial)
JS benchmarks crash with a bus error on 32-bit x86. (r165559 partial)
Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:) (r165842)
Revive SABI (aka shouldAlwaysBeInlined) (r164490)
AI folding of IsObjectOrNull is broken for non-object types that may be null (r186702)
DFG Is<Blah> versions of TypeOf should fold based on proven input type (r183629)
Constructor returning null should construct an object instead of null (r180587 partial)
Removed op_ret_object_or_this (r179372)

Dec 14, 2015
============
Spam static branch prediction hints on JS bindings. (r165079)
Crash beneath DFG JIT code @ video.disney.com (r167112)
Debugger created JSActivations should account for CodeBlock::framePointerOffsetToGetActivationRegisters(). (r163322)
Saying "jitType() == JITCode::DFGJIT" is almost never correct. (r163247 partial)
Change slow path result to take a void* instead of a ExecState*. (r160665)
Ensure that arity fixups honor stack alignment requirements. (r159706 partial)
Using emitResolveScope & emitGetFromScope with 'this' that is TDZ lead to segfault in DFG (r192078)
Fix endless OSR exits when creating a rope that contains an object that ToPrimitive's to a number. (r192034)
DFG string concatenation shouldn't be playing fast and loose with effects and OSR exit (r188825 partial)
Makes compileArithSub in the DFG ensure that the constant is an int32. (r186819)
DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear (r185941)
CPS rethreading phase's flush detector flushes way too many SetLocals (r184128)
Math.abs() returns negative (r183692)
[JSC] Add support for typed arrays to the Array profiling (r183450)
Rationalize DFG DCE handling of nodes that perform checks that propagate through AI (r183401)
Rename HardPhantom to MustGenerate. (r183201)
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r182452)
Return Optional<uint32_t> from PropertyName::asIndex (r182406)
Clean up OSRExit's considerAddingAsFrequentExitSite() (r180257)
It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band (r179756)
Don't use GPRResult unless you're flushing registers and making a runtime function call (r174090 partial)
[REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR (r171662)
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 partial)

Dec 13, 2015
============
Fix build warning (uninitialized variable) in DFGFixupPhase.cpp (r168540)
DFG AI assertions about not having to do type checks at the point of a Known use kind are unsound (r189219)
Various array access corner cases should take OSR exit feedback (r180703)  
MultiGetByOffset should be marked NodeMustGenerate (r179536 removed)
Fix bugs in 32-bit Structure implementation. (r165325 partial)
Vector with inline capacity should work with non-PODs (r164185 partial)
Do bytecode validation as part of testing (r159825)

Dec 11, 2015
============
[DFG] Avoid OSR exit in the middle of string concatenation (r185728)
TypeOf should return SpecStringIdent and the DFG should know this (r183548 partial)
Fixes operationPutByIds such that they check that the put didn't (r176979 + r176997 rolled out + r177083)
Arrayify neglects to inform the clobberizer that it might fire watchpoints (r169428)
ARM64: Hang running pdfjs test, suspect DFG generated code for "in" (r160493)

Dec 10, 2015
============
mandreel throws a checksum error on 32-bit x86. (r166440 similar, use SegmentedVector which does not move)
Remove CodeBlock's notion of adding identifiers entirely (r153967)
Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them (r153963)
StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments (r180237)

Dec 09, 2015
============
[GTK] Clean up compiler optimizations flags for libWTF, libJSC (r160996)
Fix typo in YARR at BOL check (r174012)
YARR: Put UCS2 canonicalization tables in read-only memory. (r156043)
Merge CharacterClassTable into CharacterClass (r148259)

Dec 07, 2015
============
Object::{freeze, seal} perform preventExtensionsTransition twice (r192858)				
JSC::SlotVisitor should not be a hot mess (r190563 complete)	
	
Dec 04, 2015
============
Callee can be incorrectly overridden when it's captured (r188926 partial)
YarrPatternConstructor::containsCapturingTerms() should not assume that its terms.size() is greater than 0. (r191364)
The JSONP parser incorrectly parsers -0 as +0. (r188085)

Dec 03, 2015
============
JSC::SlotVisitor should not be a hot mess (r190563 partial)
	More hash cons removal.	
new Date(NaN).toJSON() must return null instead of throwing a TypeError (r187016)
FunctionCallBracketNode should store the base value to the temporary when subscript has assignment (r183955)
Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined. (r165680)
JSActivation constructor should use NotNull placement new. (r159813)

Dec 02, 2015
============
JSC::SlotVisitor should not be a hot mess (r190563 partial)
	More hash cons removal.	

Dec 01, 2015
============
DFG should have some obvious mitigations against watching structures that are unprofitable to watch (r186986)
Fix some issues with TypedArrays (r191212 partial)
Numeric setter on prototype doesn't get called. (r188269)

Nov 30, 2015
============
SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index (r187464)
Fixes operationPutByIdOptimizes such that they check that the put didn't (r178441)
Change Heap::m_compiledCode to use a Vector (r178884)
shiftCountWithArrayStorage should exit to slow path if the object has a sparse map. (r177245)
Change how 32-bit JSValues check if they are a Boolean (r174260)
REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty (r170386)
Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot. (r169831)
Templatize GC's destructor invocation for dtor type. (r169284)
JSDOMWindow should disable property caching after a certain point (r168558)

Nov 25, 2015
============
REGRESSION (r125251): wrapper lifetimes of SVGElementInstance are incorrect (r178633)
[JSC] Copy non-index properties of arrays in SerializedScriptValue (r138964)
DFG optimizations don't handle neutered arrays properly (r153613)
REGRESSION(r190882): Concatenating a character array and an empty string is broken. (r191069)
"A + B" with strings shouldn't copy if A or B is empty. (r190882)
[JSC] jsSubstring() should have a fast path for 0..baseLength "substrings." (r185659)
Heap-use-after-free read of size 4 in JavaScriptCore: WTF::StringImpl::isSymbol() (StringImpl.h:496) (r185109 partial)
Optimize serialization of quoted JSON strings. (r183961 + r183977 rolled out + r183988)
Add way to dump cache meta data to file (r180894)
Optimize WeakBlock's "reap" and "visit" operations. (r183769)	
Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely. (r182347)
MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects (r133358 revisited)
Optimize own property GetByVals with rope string subscripts. (r173188)
Inline (C++) GetByVal with numeric indices more aggressively. (r167842)     
     
Nov 24, 2015
============
Global HashTables contain references to atomic StringImpls (r169740)
Remove String::deprecatedCharacters (r166120 partial)
Harden executeConstruct against incorrect return types from host functions (r154011)
GenerateHashValue should be usable outside CodeGeneratorJS.pm (r146253)
Implement ES6 Symbol (r179429 partial)
Merge AtomicString, Identifier (r165982)
Initialize AtomicStringTable in WTFThreadData's constructor (r151663)

Nov 23, 2015
============
Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers (r179746)
ASSERTION FAILED in Parser: dst != localReg (r166240)
Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer. (r166107)
compileMakeRope does not emit necessary bounds checks (r167336)
	
Nov 19, 2015
============
GC should compute stack bounds and dump registers at the earliest opportunity. (r181060)
Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection (r178364)	
JSTypeInfo should have an inline type flag to indicate of getCallData() has been overridden (r183575)
Evict IsEnvironmentRecord from inline type flags (r183557)		
JSObject and JSArray code shouldn't have to tiptoe around garbage collection (r154471)
Object.prototype.toString() should use cached strings for null/undefined. (r169316)
	
Nov 18, 2015
============
Math.imul gives wrong results (r164461)
Exception in global setter doesn't unwind correctly (r154429)
Cleaning errorDescriptionForValue after r154839 (r154892)
	
Nov 16, 2015
============	
Investigate HashTable::HashTable(const HashTable&) and HashTable::operator=(const HashTable&) performance for hash-based static analyses (r187733)
JSArray::setLength() should reallocate instead of zero-filling if the reallocation would be small enough. (r184407)
Clear ScratchBuffer::m_lastLayerSize when clearing the scratch buffer. (r161014)
	
Nov 13, 2015
============	
Short-circuit repaints with empty rects (r175395)
Simplify bounds computation for the RenderView's layer (r135059)
Don't pass a paintingRoot when painting from RenderLayerBacking (r134642)
	
Nov 11, 2015
============	
DFG and FTL should know that comparing anything to Misc is cheap and easy (r165406)

Nov 10, 2015
============
http/tests/security/sandboxed-iframe-invalid.html is flaky on Mac (r153973)
Sometimes Gmail cannot load messages, particularly on refresh ("...the application ran into an unexpected error...") (r172275)
Active DOM objects stopped twice (r150741)
Optimize RenderLayer::intersectsDamageRect() slightly (r182116)
Poor performance on IE's Chalkboard benchmark. (r179335)
Speed up SVG sprites by only painting the source rect in SVGImage::draw (r152020)
RuleData should ref the StyleRule (r168835)
Optimize StylePropertiesSet::findPropertyIndex() to improve CSS properties performance (r164995)
Out-of-line InspectorValues create() methods. (r156131)
[JSC] Pre-bake final Structure for RegExp matches arrays. (r185597)

Nov 09, 2015
============
Simplified IndexingType's hasAnyArrayStorage(). (r175172)
Call to enclosingFilterLayer() in RenderObject::containerForRepaint() is expensive (r134619)
Invalid values for media query features are not handled (r130995)
REGRESSION(r135082): Restore the ability to insert author level style sheets from script (r136878)
When calling DocumentStyleSheetCollection::addUserSheet, pass in a user sheet (r135316)
REGRESSION(r129644): User StyleSheet not applying (r135082)
Move seamless stylesheet collecting to DocumentStyleSheetCollection (r132787)
Maintain a list of active CSS stylesheets (r131929)
Optimize stylesheet insertions (r129644)
Make SVGPathSegList.appendItem O(1) instead of O(n) (r128729)	
	
Nov 06, 2015
============
Add a DFG node for the Pow Intrinsics (r180098 + 180102)
DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null) (r165085 + r165098 rolled out + r165099)
	
Nov 05, 2015
============
Structure should initialize its previousID in its constructor. (r169695)
EmptyUnique strings are Identifiers/Atomic (r165946)		
Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234. (r169758)
MarkedBlock::allocateBlock will have the wrong allocation size when (sizeof(MarkedBlock) + bytes) is divisible by WTF::pageSize() (r189012)
If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated,
	and maybe it should see the object of interest in the transitioned-to state (r186776)	
Watchpoints should be removed from their owning WatchpointSet before they are fired (r186745)
Rename WatchpointSet::notifyWrite() should be renamed to WatchpointSet::fireAll() (r159528)
ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument (r165522)

Nov 04, 2015
============
DFG should insert Phantoms late using BytecodeKills and block-local OSR availability (r183207 partial)	
Nodes should have an optional epoch field (r183162)
[ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously (r170890)
DFG should allow Phantoms after terminals (r183094)

Nov 03, 2015
============
Spread operator should be performing direct "puts" and not triggering setters (r157656)
FTL should have an explicit notion of bytecode liveness (r159394)
Liveness analysis should take less memory in CodeBlock when it is unused (r159141)
CodeBlocks should be able to determine bytecode liveness (r159136)	
Eliminate a branch in FastBitVector setAndCheck, make it vectorizable. (r156792)
mayExit() is wrong about Branch nodes with ObjectOrOtherUse: they can exit. (r183310)
Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well. (r183095)
MovHint should be a strong use (r183072)	
REGRESSION (r172129): Vine pages load as blank (r173534)
[ftlopt] Phantoms in SSA form should be aggressively hoisted (r171495 partial)
[ftlopt] Phantom simplification should be in its own phase (r170907)	
	
Nov 02, 2015
============
DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format (r182827)
Set the semantic origin of delayed SetLocal to the Bytecode that originated it (r180546)
CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays. (r176972)
WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com. (r176399)
Apparently we've had a hole in arguments capture all along (r174790)
CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences (r170604)
[ftlopt] Fold constant Phis (r170064)
[ftlopt] Structure::dfgShouldWatchIfPossible() is unsound (r169753)
jsSubstring() should be lazy (r168635)
Convert ASSERT in inlineFunctionForCapabilityLevel to early return (r170011)
Prediction propagator should make sure everyone knows that a variable that is in an argument position (r169787)
	where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
JSCallee unnecessarily overrides a bunch of things in the method table. (r181765)
Add JSCallee to program and eval CallFrames (r173600)
Unreviewed build fix for CLOOP build. (r173576)
Remove unneeded declarations from JSCallee.h (r173567)
Move JSScope out of JSFunction into separate JSCallee class (r173541)
DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (r171190 revisited)       

Oct 30, 2015
============
REGRESSION(r179477): arguments simplification no longer works (r179504)
Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child (r179477)
[ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase (r170929)	
[ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase (r170060 partial)		
[ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it (r170017)		
Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch (r171689)
Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep (r170555)
DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell (r174025 partial)
Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing (r169354)
Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization) (r167418)

Oct 29, 2015
============
Sink NaN sanitization to uses and remove it when it's unnecessary (r167416)	
Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging (r167394)	
Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child (r179477)
OSR exit should know about Int52 and Double constants (r167612)
DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's (r167325)	
FTL should use cvttsd2si directly for double-to-int32 conversions (r160205 revisited)

Oct 28, 2015
============
DFG prediction propagation should agree with fixup phase over the return type of GetByVal (r169145)
DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays (r169447)
Prediction propagator should correctly model Int52s flowing through arguments (r167455)
DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush (r166276)
Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something (r166136)
  as having a Int32 register format if it's a non-Int32 constant
Constants folded by DFG::ByteCodeParser should not be dead. (r166095)
FTL should support ToPrimitive and the DFG should fold it correctly (r164243)
<1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput') (r163789)
ASSERT in speculateMachineInt on 32-bit platforms (r163391)
internal-js-tests.yaml/Octane/stress-tests/pdfjs.js.default: (r158646 + r158653)
ASSERTION FAILED: m_state.forNode(child).m_futurePossibleStructure.isSubsetOf(StructureSet(structure)) at DFGConstantFoldingPhase.cpp:249
Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget (r163946)	

Oct 27, 2015
============
DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled (r167182)	
Get rid of DFG forward exiting (r161126)
DFG PhantomArguments shouldn't rely on a dead Phi graph (r161072 complete)
DFG: Add JIT support for  LogicalNot(String/StringIdent) (r157329)
Unreviewed, 32-bit build fix. (r164208)
DFG::prepareOSREntry should be nice to the stack (r164205 partial)
Finally fix some obvious Bartlett bugs (r159826 complete)
CodeBlock::m_numCalleeRegisters shouldn't also mean frame size, frame size needed for exit, or any other unrelated things (r159721)		
CodeBlock::m_numCalleeRegisters need to honor native stack alignment. (r159670)
Change local variable register allocation to start at offset -1 (r158237)		
Remove JITStackFrame references in the C Loop LLINT. (r157576)		
REGRESSION(r155711): js/stack-overflow-arrity-catch.html is crashing on non-Mac platforms (r156046)
StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal. (r166064)
Get rid of InlineStart so that I don't have to implement it in FTL (r158116)
Fix register allocation inside control flow in GetByVal String (r158687)
Compress DFG stack layout (r156984)
REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT (r153789)

Oct 26, 2015
============
URTBF after r171946 to fix non-Apple builds. (r171949)
CodeBlock fails to visit the Executables of its InlineCallFrames (r171946)
Never use ReturnPC for exception handling and quit using exception check indices as a lame replica of the CodeOrigin index (r156300)
Deoptimize deoptimization: make DFGOSRExitCompiler64.cpp more hackable (r155820)
DFG::GenerationInfo init/fill methods shouldn't duplicate a bunch of logic (r155645)
	
Oct 23, 2015
============
SetLocal for a FlushedArguments should not claim that the dataFormat is DataFormatJS (r161411)
Argument flush formats should not be presumed to be JSValue since 'this' is weird (r168051)
Arguments objects shouldn't need a destructor (r167641 revisted)
Inline allocate Arguments objects in the DFG (r167591 revisted)
ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in (r157035 revisited)
Compress DFG stack layout (r156984 partial)
[arm] Inverted src and dest FP registers in DFG speculative JIT when using hardfp. (r157173)
FTL: Optimize IsString(@2<String>) -> JSConst(true) + Phantom() (r157059)	
	
Oct 22, 2015
============			
DFG PhantomArguments shouldn't rely on a dead Phi graph (r161072 partial) 
ObjectAllocationProfile is racy and the DFG should be cool with that (r160038)	
Finally fix some obvious Bartlett bugs (r159826 partial)	
FTL should support AllocatePropertyStorage (r158983)	
Variable event stream (for DFG OSR exit) should be explicit about where on the stack a SetLocal put a value (r156747)
Fix 32-bit builds after r163471 (r163473)
Can no longer run OctaneV2 in browser, crashes in speculationFromCell (r163471)
The DFG should use always DFG::Graph methods for determining where special registers are (r156817)	
SpeculativeJIT::m_arguments/m_variables are vestiges of a time long gone (r156723)
Get rid of the AlreadyInJSStack recoveries since they are totally redundant with the DisplacedInJSStack recoveries (r156677)  		
Get rid of SetMyScope/SetCallee; use normal variables for the scope and callee of inlined call frames of closures (r156594)

Oct 21, 2015
============
The DFG should be able to tier-up and OSR enter into the FTL (r155023 partial)	  
fourthTier: It should be easy to figure out which blocks nodes belong to (r153293)	
	
Oct 20, 2015
============
fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, (r153291)
DFG CheckArray(String) should just be a Phantom(String:) (r158644)
fourthTier: String GetByVal out-of-bounds handling is so wrong (r153286)  
fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds (r153244)
Simplify CSE's treatment of NodeRelevantToOSR (r160407)
CSE should work in SSA (r160328)
Stores to local captured variables should be intercepted (r159943)	
	
Oct 16, 2015
============
fourthTier: DFG should have an SSA form for use by FTL (r153274 partial)	
	
Oct 14, 2015
============
String.prototype.charAt() should use StringView. (r184865)

Oct 13, 2015
============
DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling coverage
  due to variable constant inference and the better prediction modeling of typed array GetByVals (r168780)
indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack (r164851)
Array.concat() should work on runtime arrays too. (r171390)
Refactor ArrayPrototype to use getLength() and putLength() utility functions. (r171328)  
Array.prototype.concat should allocate output storage only once. (r167255)
Add ExecState::uncheckedArgument and use where possible to shrink a bit (r156240)
Use emptyString instead of String("") (r153546)
String.prototype.split() should create efficient substrings. (r184346)
Updated split such that it does not include the empty end of input string match. (r178860)
[JSC] Add a node for Math.log() (r181035)
	
Oct 09, 2015
============
[JSC] Make the NegZero backward propagated flags of ArithMod stricter (r184220)
[JSC] Add basic DFG/FTL support for Math.round (r183963)	
DFG should insert Phantoms when it uses conversion nodes (r161683)
Hoist and combine array bounds checks (r164059)

Oct 08, 2015
============
[GTK][ARM] javascriptcore compilation is broken (r154287)
Concurrent compilation thread should not trigger WriteBarriers (r154162)
FTL should have an inefficient but correct implementation of GetById (r157409 partial)
Prohibit GC while sweeping (r181486)

Oct 07, 2015
============
operationCreateArguments could cause a GC during OSR exit (r169973)
CodeBlock: Un-segment some Vectors. (r159097)
arguments[-1] should have well-defined behavior (r179538)

Oct 06, 2015
============
CStack Branch: Change the disabling of DFG OSR entry to be based on an option (r160499)
Rationalize DFG DCE (r161218)
	
Oct 05, 2015
============
sunspider-1.0/math-spectral-norm.js.dfg-eager occasionally fails with Trap 5 (i.e int $3) (r157327)   
DFG::Int32Operand and fillInt32() should go away and all uses should be replaced with SpeculateInt32Operand (r155662)
GPRTemporary's reuse constructor should be templatized to reduce code duplication,
  and the bool to denote tag or payload should be replaced with an enum (r155643)
Inlining should work in debug mode (i.e. Executable::newCodeBlock() should call recordParse()) (r155889)
VariableAccessData::flushFormat() should be the universal way of deciding how to speculate on stores to locals and how locals are formatted (r155564)	
change usage of calculateUTCOffset()/calculateDSTOffset  to calculateLocalTimeOffset (r154315)
String(new Date(2010,10,1)) is wrong in KRAT, YAKT (r150833)
Replace WTF::getCurrentLocalTime() with GregorianDateTime::setToCurrentLocalTime() (r124365)	
Add function to calculate the day in year from a date (r124095)
	
Oct 01, 2015
============
DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s (r168172)
Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit. (r167341)
Make room for additional types in SpeculatedType.h (r167111)	
FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees (r166030)
AI for CreateArguments should pass through non-SpecEmpty input values (161574)
DFG: ConstProp the pattern ValueToInt32(Bool(x)) -> Int32(x) (r156830)
DFG should support Int52 for local variables (r156047)  
Array.slice should have a fast path like Array.splice (r184217)
JSArray::shiftCountWith* could be more efficient (r169121)

Sep 30, 2015
============
[JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). (r184501)	
Special-case Int32 values in JSON.stringify(). (r183928)
Fixes inline cache fast path accessing nonexistant getters. (r176676)
	
Sep 29, 2015
============
Get rid of CodeBlock::RareData::callReturnIndexVector and most of the evil that it introduced (r156247)
Interpreter::unwind() has no need for the bytecodeOffset (r156242)
Fix P_DFGOperation_EJS call for MIPS and ARM EABI. (r154442)
Fix V_DFGOperation_EJPP signature in DFG. (r154388)
fourthTier: DFG should't exit just because it GetByVal'd a big character (r153241)

Sep 28, 2015
============
DFG AI assumes that ToThis can never return non-object if it is passed an object,
  and operationToThis will get the wrong value of isStrictMode() if there's inlining (r155730)

Sep 25, 2015
============
fourthTier: CFA should consider live-at-head for clobbering and dumping (r153280)  
fourthTier: Rationalize Node::replacement (r153278)  
fourthTier: add option to disable OSR entry in loops (r153263)
	
Sep 24, 2015
============
Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html (r158341 complete)

Sep 23, 2015
============
DFG fixup phase should be responsible for inserting ValueToInt32's as needed and
  it should use Phantom to keep the original values alive in case of OSR exit (r161465)
RegExp::match() should set m_state to ByteCode if compilation fails. (r186920)	
WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276 (r185770)	
[JSC] When inserting a NaN into a Int32 array, we convert it to DoubleArray then to ContiguousArray (r183291)
Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9 (r168983)
Reproducible crash when using Map (affects Web Inspector) (r158875)

Sep 22, 2015
============
[JSC] Add support for overloaded constructors (r138138)
[JSC] Refactoring CodeGeneratorJS.pm to simplify adding support for overloaded constructors (r138008)
Remove the V8 custom code for WebSockets constructor (r134221)
DOM URL is flaky when workers are used (r132973)
Remove unused regular expressions from IDLStructure.pm (r129769)
Follow-up to r129723 to once more allow parsing of scoped names in IDL files. (r129737)
Move IDL extended attributes to the location specified in WebIDL (r129723)
Support constructor-type attribute in idls other than DOMWindow. (r128655)
[MSE] Move PublicURLManager shutdown logic so ActiveDOMObjects associated with public URLs won't leak. (r164091)	

Sep 16, 2015
============
Code cleanup after r132165 (r132373)
HTML Parser should produce 8 bit strings for doctype, comment and tagName tokens (r132165)
Update RenderText to use String instead of UChar* for text (r131311 complete)
HTML Parser should produce 8bit substrings for inline style and script elements (r125846)

Sep 15, 2015
============
Move definition of nested classes that inherit enclosing class outside class definition. (r147345)
Clean up Vector.h (r131659)

Sep 11, 2015
============
Improve the SourceProvider hierarchy (r128542)

Sep 10, 2015
============
Heap-use-after-free in bool WebCore::SelectorChecker::checkOneSelector. (r139100)
Heap-use-after-free in DocumentLoader::stopLoading (r138926)
Heap-use-after-free in WebCore::XMLDocumentParser::doEnd (r138863)
[JSC] static methods with Callback should not have this pointer (r144101)
EventSource should support CORS (r138083)
[WebKitIDL] Optional dictionary types should have default values of empty dictionary (r132698)

Sep 09, 2015
============
Remove FontTranscoder (r156657)
REGRESSION (r130851): With kerning enabled, a white-space: pre-wrap inline starting with tab+space has the wrong width (r136034)
floated element with negative margin causes text wrap bug (r131998)
Only measure text once instead of twice when performing line layout. (r130812 + r130820 rolled out + r130851)
Change FractionalLayoutUnit denominator to 64 to reduce precision loss when converting to floating point (r129656)
REGRESSION (r129176): Incorrect line breaking when kerning occurs between a space and the following character (r129284)
Yank an unneccessary if added in r125810. (r126100)

Sep 04, 2015
============
Update RenderText to use String instead of UChar* for text (r131311)
REGRESSION (r126763): css1/pseudo/firstline.html fails when using the complex text code path (r128713)
Regression(r126763): Heap-use-after-free in WebCore::nextBreakablePosition (r127381)
Unreviewed Mac Chromium build fix after r126763. (r126770)
Improve line breaking performance for complex text (r126763)	
Split ICU UText providers out into their own files (r161817)	
Element boundaries prevent Japanese line break opportunities (r147588)		
Generalize prior line break context state and names. (r147506)
Line breaking opportunities at the end of a text node are missed (r145338)	
Line layout (but not pref widths) double-counts word spacing when between inlines (r143520)	
Add 8-bit path to RenderBlock::handleTrailingSpaces() (r131776)
Unreviewed speculative build fix for clang. (r129698)	

Sep 03, 2015
============
Add Latin-1 Line Break Iterator to TextBreakIteratorICU.cpp (r129662)
Remove all uses of deprecatedCharacters from WebKit2 (r165692)
Add support for null StringViews (r161785)
Add WTF::StringView and use it for grammar checking (r161518)
Improve the find word boundary performance (r160526)	
Rename TextBreakIteratorWinCE to TextBreakIteratorWchar (r141156)
HTMLConstructionSite::insertTextNode isn't optimized for 8 bit strings (r130190)
Part 1 of removing PlatformString.h, move remaining functions to new homes (r127525)

Sep 02, 2015
============	
ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in
  jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit (r157035 complete)  
fourthTier: Change JSStack to grow from high to low addresses (r155711)
Change virtual register function arguments from unsigned to int (r155418)

Sep 01, 2015
============
Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters (r166142 partial)	
Add local to/from operand helpers similar to argument to/from operand2 (r155415)
There should be one "invalid" virtual register constant (r155420)
Un-inline the Node constructor (r173643)
Un-inline Element constructor (r173605)
Inline JSDOMWrapper subclasses' finishCreation(). (r166411)
HTMLEntityTable could use char to reduce binary size (r155559)
Prune dead code for Web Inspector memory instrumentation. (r164637)
Web Inspector: Remove stale optional native memory instrumentation protocol params (r158356)
Web Inspector: Remove Memory Distribution and Memory Snapshots Panels (r149807)
Remove the memory instrumentation code (r148921)
Rolling out my r123067 and r123572 (r124773)
Pass presentational attribute StylePropertySets by const pointer where possible. (r124760)	

Aug 28, 2015
============	
ExtJS breaks with modern Array.prototype.values API due to use of with() (r159063)	
Source/WebCore: Clean up the speech recognintion API (r146601)
Speech Recognition API: Change the error code to a string on SpeechRecognitionError (r136846)
Speech Recognition API: Update SpeechRecognitionEvent to match the specification (r136392)
Speech JavaScript API: Add SpeechRecognition.interimResults attribute (r130308)
Speech JavaScript API: Remove resultdeleted event (r130307)
Speech JavaScript API: Throw exception for start() when already started (r124225)

Aug 27, 2015
============
JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses (r165121)
DFG PutByVal on typed arrays should detect OutOfBounds sooner (r163418)	
FTL PutByVal should have a complete story for OOB (r161945)	

Aug 21, 2015
============
Review feedback followup for r185003. (r185018)
WebSQL default functions can bypass authorizer. (r185003)
Enhance SQL journal_mode setting code to be less likely to log an error. (r158906)	
Use SQLite journal mode WAL (WriteAheadLogging) (r158865)
Do not allocate SQLiteDatabase's m_openErrorMessage until its needed (r125992)

Aug 20, 2015
============
Add Canvas blend modes to Cairo (r139804)
Add canvas blending modes using Core Graphics (r138334)
Extend platform layer so it can pass blend modes to the compositing calls (r136993 + r136999 rolled out + r137011)
Extend JavaScript support for blending in canvas (r136337)
Implement canvas v5 line dash feature (r128116)
Unprefix Page Visibility API (r150695)
Remove page visibility hidden histograms (r131391)

Aug 19, 2015
============
Deconstruction object pattern node emits the wrong start/end text positions (r173026 partial)
Convert for-of iteration to in-band signalling so we can trivially avoid unnecessary object allocation (r157150)
Support for-of syntax (r156910)
REGRESSION(158384) ARMv7 point checks too restrictive for native calls to traditional ARM code (r159532)
Remove CachedTranscendentalFunction because caching math functions is an ugly idea (r158384)
[JS] Should be able to create a promise by calling the Promise constructor as a function (r161538)
[JS] Implement Promise.all() (r161365)
[JS] Implement Promise.race() (r161330)
Pass VM instead of JSGlobalObject to function constructors. (r156624)	
Pass VM instead of JSGlobalObject to ArrayPrototype constructor. (r156621)
Pass VM instead of ExecState to simple builtin constructors. (r156620)

Aug 17, 2015
============
Improve CSSParser::setupParser() since the prefix/suffix are literals (r133387)
Deploy ASCIILiteral hotness throughout WebCore (r126968)
Deploy ASCIILiteral and StringBuilder in more places in WebCore

Aug 13, 2015
============
Pass VM instead of ExecState to JSFunction constructors. (r156602)
GetterSetter construction should take a VM instead of ExecState. (r156521)
Pass VM instead of ExecState to StringObject constructor. (r156998)
Pass VM instead of ExecState to JSDateMath functions. (r156540)
Pass VM instead of ExecState to many finishCreation() functions. (r156498)

Aug 12, 2015
============
Implement prefixed-destructuring assignment (r156514 patial)
Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers (r172381)
Fix a number of problems with destructuring of arguments (r158051)

Aug 11, 2015
============
Reinstate intialiser syntax in for-in loops (r165682)
Implement prefixed-destructuring assignment (r156785)
Try to kill initialiser expression in for-in statements (r155724)		
PropertyNameArray should use a Vector when there are few entries. (r184120)	
Pass VM instead of ExecState to JSCell::fastGetOwnProperty(). (r163755)
Map.forEach crashes on deleted values (r158929)
Support for-of syntax (r156910 partial without parser change)
Implement Array key, value and entries iterators (r156791)	
MapData has some issues (r155487)
Make it simpler to introduce new data types to the global object (r155177)
Implement ES6 Set class (r154916)
Fix build break after r154861 (r154864)
Fix issues found by MSVC (which also happily fixes an unintentional pessimisation) (r154862)
Implement ES6 Map object (r154861)
Create a specialized pair for use in HashMap iterators (r123667)

Aug 10, 2015
============
Minor VM* -> VM& cleanups in HashTable and Keywords. (r157836)

Aug 07, 2015
============
Streamline PropertyTable for lookup-only access. (r165440)
URI encoding/escaping should use efficient string building instead of calling snprintf(). (r182370)	
REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests (r182643)
Optimize String::fromUTF8 for ASCII (r151556)
String::fromUTF8() should take advantage of the ASCII check in convertUTF8ToUTF16() (r134981)
convertUTF8ToUTF16() Should Check for ASCII Input (r131836)
[JSC] Remove RageConvert array conversion (r183615)

Aug 05, 2015
============
Buildfix. Fix warning after r153887: (r153892)
ASSERT_NOT_REACHED() touched in WebCore::SVGAnimatedStringAnimator::addAnimatedTypes (r153887)
ASSERT_NOT_REACHED was touched in WebCore::SVGAnimatedType::valueAsString (r153433)	
REGRESSION(r138263): Don't use fastGetAttribute for HTMLNames::classAttr because it breaks on SVGElement (r138277)
CodeGen: Make [Reflect] use fastGetAttribute and fastHasAttribute (r138263)
Allow lazy initialization of SVG XML animated properties. (r131631)

Aug 04, 2015
============
Use SVGImage instead of cached image when drawing without a render tree. (r126977)
Remove incorrect getBBox() code (r126056)
Fix resource leak in FillLayersPropertyWrapper object member (r171960)
Use CSSParserSelector::appendTagHistory() from CSS grammar. (r150337)
Ads on theverge.com cause repaints when hovered, even though content doesn't visibly change. (r150318)

Jul 31, 2015
============
GlyphPage: ALWAYS_INLINE all performance-relevant getters. (r143707)
GlyphPage: Bake per-glyph font data array into same allocation as GlyphPage. (r143601)
REGRESSION(r143125): ~5% performance hit on Chromium's intl2 page cycler. (r143137)
Optimize GlyphPage for case where all glyphs are available in the same font. (r143125)	
SVGPathStringSource should not up-convert 8-bit strings to UTF-16 (r140985)

Jul 30, 2015
============
Throw away StyleResolvers that haven't been used for a long time. (r136956)
HTMLOptionElement: Remove two unused members. (r135810)
RenderStyle: Move 'list-style-image' to rare inherited data. (r135788)
Tighten vector in ResourceRequestBase::setResponseContentDispositionEncodingFallbackArray(). (r134208)
Don't detach from shared ElementAttributeData when overwriting attribute with identical value. (r134163)	
REGRESSION (r125239): classList contains() doesn't work after element was moved from strict mode document to quirks mode document (r134102)
setAttributeNode and friends should not have optional argument (r133944)
REGRESSION(r131104): Heap-use-after-free in WebCore::Element::attributeChanged (r132141)
ElementAttributeData shouldn't be managing Element's callbacks. (r131104)
ElementAttributeData: tighten member packing on 64-bit. (r130870)
Remove unused ElementAttributeData::removeAttribute() overload. (r125973)
HTMLElement.classList cannot remove classnames with uppercase characters (r125239)
Shrink EventTargetData by making firingEventListeners vector optional. (r131620)	
332kB below DocumentEventQueue::create() on Membuster3. (r129776)
4.95MB below RenderBlock::insertIntoTrackedRendererMaps() on Membuster3. (r129682)

Jul 29, 2015
============
REGRESSION (r127277): CSS URIs with multi-byte Unicode escape sequences fail to parse (r145924)	
471kB below StyleSheetContents::parserAppendRule() on Membuster3. (r129907)
flex-grow should be 1 when omitted from flex shorthand (r129414)
equal() in CSSParser.cpp should check the length of characters (r127508)
Fix the Debug builds after r127277 (r127303)
CSS Parser should directly parse 8 bit source strings (r127277)	
CSSParser: Move enumeration to a common place (StylePropertyShorthand) (r126491)
Handle variables in CSSParser::parseValidPrimitive(), preventing null return value. (r124833)
More fixes for String::operator+=() on Mac (r127639)	
Replace more instances of += with StringBuilder (r127224)
Replace uses of WTF::String::operator+= with StringBuilder (r127112)
CSSComputedStyleDeclaration::cssText() should use StringBuilder (r125367)	
itemType.add should treat \t as a space. (r125257)

Jul 28, 2015
============
canvas/philip/tests/2d.fillStyle.parse.invalid.rgba-6.html fails (r126192)
Crash in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode (r136619)
CSSStyleDeclaration.cssText should not contain extraneous whitespace in final delimiter (r126656)

Jul 27, 2015
============
Do not add CSSPropertyBorderImage shorthand part of the property list when parsing CSS border property (r144908)
ASSERT_NOT_REACHED in StylePropertySet::fontValue when accessing font style property through JS after setting style font size. (r139313)
Incorrect value of CSSStyleDeclaration#length when a shorthand property is inherit or initial (r135848)
removeAttribute('style') not working in certain circumstances (r133581)
Fix StylePropertySet/ElementAttributeData custom allocation in debug builds. (r133160)
Update average StylePropertySet size estimation. (r133148)	
Pack immutable StylePropertySets harder on 64-bit. (r133138)	
StylePropertySet: Convert more logic to use PropertyReference. (r132952)
Don't expose implementation details of StylePropertySet storage. (r132786)

Jul 24, 2015
============
REGRESSION(r134408): Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement(). (r134779)
Exploit ElementAttributeData sharing in Node.cloneNode. (r134408)		
Shrink immutable ElementAttributeData and StylePropertySet by one pointer each. (r132288)

Jul 22, 2015
============
REGRESSION: Rapid memory growth calling DOM APIs with large strings. (r131209)
GlyphPageTreeNode should use HashMap<OwnPtr>. (r130850)
REGRESSION (r130584): Crashes in JSC::MarkedAllocator::allocateSlowCase, failing fast/dom/gc-dom-tree-lifetime.html (r130611)
If Node X is reachable from JavaScript, all Nodes in the same tree should be kept alive (r130587)
If Node X is reachable from JavaScript, all Nodes in the same tree should be kept alive (r130584)
IndexedDB: Memory leak when deleting object stores with indexes (r130335)

Jul 20, 2015
============
StylePropertySet: Use subclasses to manage varying object layouts. (r129543)
Share inline style between cloned Nodes (copy on write.) (r127375)
Simplify cloning of inline style (below Node.cloneNode) (r126872)
Simplify CSSOM style declaration's grabbing at internals. (r124779)
Make MarkedBlock and WeakBlock 4x smaller. (r182878 partial)

Jul 17, 2015
============
REGRESSION(r128239): Mutable ElementAttributeData leak their Attribute vectors. (r129323)
ElementAttributeData: Use subclasses to manage varying object layouts. (r128239)
HTMLTokenizer should use the latest EfficientStrings hotness (r127899)
Make CSSPrimitiveValue::cleanup() handle all UnitTypes, fixing memory leak in the process. (r127838)	
Element: Share code between setAttributeNode() and other attribute setters. (r127126)
Use initialization from literal for HTML Input type names (r125991)
Remove the static Strings used for outputting values of CSS_ATTR, CSS_COUNTER, CSS_RECT (r125990)
Remove some of the tautologies in DFGRepatch function naming. (r156124)
Unreviewed assertion fix. (r175372)
CodeBlock: Size m_callLinkInfos and m_byValInfos to fit earlier. (r162284)
[JSC] InlineCallFrame::arguments should be sized-to-fit. (r185409)
[JSC] Polymorphic{Get,Put}ByIdList::addAccess() should optimize for size, not speed. (r185381)

Jul 10, 2015
============
HTMLInputElement can delete an ImageLoader while it's still needed (r145423)		
Do the DecimalNumber to String conversion on 8 bits (r125357)	
Incorrect Date returned between March 1, 2034 and February 28, 2100. (r165667)
Document is never released if an image's src attribute is changed to a url blocked by content-security-policy. (r141667 partial)
One more unreviewed Windows buildfix after r140097. (r140140)
Unreviewed Windows buildfix after r140097. (r140138)
Revert r122824 for a while (r140097)

Jul 09, 2015
============
Clear failed image loads when an <img> is adopted into a different document (r138724)	
Document will never be released when an Image is created inside unload event listener (r137615)
Incorrect rendering of borders on <col> with span > 1 (r131671)
Crash in ContainerNode::removeAllChildren() (r131670)
1.18MB below RenderTableSection::setCachedCollapsedBorderValue() on Membuster3. (r130718)	
Remove isStartColumn in the border collapsing code (r129136)	
The collapsing border code needs direction-aware border getters (r129078)

Jul 08, 2015
============
RenderWidget::setWidgetGeometry() can end up destroying *this*. (r183788)

Jul 07, 2015
============
Kill RenderArena. (r158461)
Take BidiRuns out of the arena. (r158453)
Take line boxes out of the arena. (r158321)
Let Page::renderTreeSize() be the number of renderers. (r158310)
Take RenderObjects out of the arena. (r157535)
Make LayoutState not arena-allocated. (r157336)
Make RenderLayer not arena-allocated. (r157333)
Get rid of ref-counting on RenderWidget. (r155796)
Renderer is recreated unexpectedly after detach in HTMLInputElement (r141228)
There are a few of wrong removeAllChildren() call (r140659)
suspend/resumeWidgetHierarchyUpdates should be a RAII object (r129406)

Jul 06, 2015
============
jsSubstring() should be lazy (r171362)
RegExp matches arrays should use contiguous indexing. (r183438 + r183446 rolled out + r183458)
Use plain JSArray for RegExp matches instead of a lazily populated custom object. (r175365)
Allocate the whole RegExpMatchesArray backing store up front. (r172618)
Don't allocate a StringImpl for every Number JSValue in JSON.stringify(). (r183874)

Jun 24, 2015
============
Potential use-after-free after neutering AudioBuffer's underlying ArrayBuffer. (r152038)

Jun 23, 2015
============
Heap-buffer-overflow in WebCore::AudioBufferSourceNode::process (r141851)
Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine (r140069)
Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree (r139788)
Regression(r119759): Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse (r139551)
Heap-buffer-overflow in WebCore::TextTrackCueList::add (r133610)
Protect against resource deletion during iteration in MemoryCache::pruneDeadResourcesToSize (r133469)
Crash on accessing a removed layout root in FrameView::scheduleRelayout. (r125315)
Document should be a FontSelectorClient. (r179025)
Hang CSSFontSelector off Document instead of StyleResolver. (r179012)
CanvasRenderingContext2D should update the computed style while setting the font (r173591)

Jun 22, 2015
============
Crash when setting 'font' CSS property to 'calc(2 * 3)' (r176454)
Lists styled with SVG fonts are not rendered as expected (r169591)
use after free in WebCore::DocumentOrderedMap::remove / WebCore::TreeScope::removeElementById (r159481)
Bad cast from CSSInitialValue to CSSValueList (r156222)
fast/frames/seamless/seamless-custom-font-pruning-crash.html asserts (r153796)
ASSERTION FAILED: m_purgePreventCount when clicking text with emphasis marks (r147317)
Variant of non-primary fell-back SVGFont causes crash. (r146129)
CanvasRenderingContext2D::setFont argument may reference destroyed object (r139144)
Fixing memory read after free in CanvasRenderingContext2D::accessFont (r138994)
SVGTextRunRenderingContext changes font data in the glyph page, but it shouldn't (r130999)

Jun 11, 2015
============
Main resource loaded via 304 response becomes empty if reloaded by user (r183555)

May 26, 2015
============
Creating a large MarkedBlock sometimes results in more than one cell in the block (r184019)		
DFGAllocator should use bmalloc's aligned allocator. (r181758)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r181215)
Fix crashes seen on the the 32-bit buildbots after my last patch. (r181177)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r181157)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r179407)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r179361)	
	
May 25, 2015
============
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r179348)  
Refactor MarkStackArray to allow more than JSCells to be stored (r163414)	
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r181210)	
Fix crashes seen on the the Windows buildbots after my last patch. (r181180)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r179500)  

May 19, 2015
============
Fix thread safety issue in AudioParamTimeline (r132259)
Repeated use of decodeAudioData() causes leak (r148566)
webaudio: leak: AudioContext objects are leaking. They retain 36mb of shared data. (r135152)
Ensure that AudioNode deletion is synchronized with a stable state of the rendering graph (r133239)

May 12, 2015
============
[XHR] Abort method execution when m_loader->cancel() in internalAbort() caused reentry (r174684)
XMLHttpRequest Content-Type should be taken from Blob type (r136893)
Improve ContentTypeParser, so that it could be used to validate mime type according to RFC (135176)
[XMLHttpRequest] overrideMimeType(mime) does not update the response's "Content-Type" header (r130158)
Assume allocator success in Vector unless using try* functions. (r156117)

May 11, 2015
============
(try)append and insert operations don't need new operator for PODs (r164097)

May 05, 2015
============
XMLHttpRequestProgressEventThrottle shouldn't throttle / defer progress events if there are no listeners (r174235)
Dispatch a progress event before dispatching abort, error or timeout event (r161891 + r161894 + r161896)
Correctly set XHR loadend attributes (loaded and total). (r161668)
On request error, always fire events on the XMLHttpRequestUpload before the XMLHttpRequest (r154004)
XMLHttpRequestProgressEventThrottle::resume() always schedules timer even when unnecessary (r142538)

Apr 29, 2015
============
AudioBufferSourceNode stop attribute shouldn't throw exception in finished state. (r165716)

Apr 23, 2015
============
Take block execution count estimates into account when voting double (r167600 partial)
Crash beneath operationTearOffActivation running this JS compression demo (r165995)
DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints (r164459)
REGRESSION (r164417): ASSERTION FAILED: isBranch() in X86 32 bit build (r164445)
DFG should have a way of carrying and preserving conditional branch weights (r164417)
fourthTier: Add a phase to create loop pre-headers (r153279)
fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block" (r153277)
fourthTier: NaturalLoops + Profiler = Crash (r153272)
fourthTier: DFG should know how to find natural loops (r153257)

Apr 22, 2015
============
start/stop method for AudioBufferSourceNodes and OscillatorNodes can take no args (r176311)
window.crypto doesn't preserve custom properties (r157417)
window.crypto.getRandomValues should return the input ArrayBufferView (r138298)
Update DOMException name: QuotaExceededError (r135149)
Update DOMException name: TypeMismatchError (r134954)
Many DOMWindowProperties would benefit from being ScriptWrappable (r134188)
crypto.getRandomValues should throw an exception when given a big array (r126953)

Apr 21, 2015
============
V8 regexp spends most of its time in operationGetById (r165797)
Add one-deep cache to opaque roots hashset. (r165796)

Apr 20, 2015
============
Take block execution count estimates into account when voting double (r167600 partial)
DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (r171190)
Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode (r178365)

Apr 15, 2015
============
Fix null-pointer deref in DocumentLoader::responseReceived() (r151812)
X-Frame-Options: Blocked resources should fire load events. (r147164)

Apr 14, 2015
============
FrameProgressTracker expects Page to not have detached (r175277)
FrameLoader::checkCompleted can hit the "ref'ing while destroyed" assertion (r167790)
Crash in WebCore::FrameLoader::checkCompleted() (r143514)
Shrink-to-fit the ResourceResponse vector after loading completes. (r133970)
fast/loader/document-destruction-within-unload.html causes assertion failures on mac and qt. (r127347)
ProgressTracker never completes if iframe detached during parsing (r125829 + r125858 rolled out + r126483 + r126507 rolled out + r127087)

Apr 13, 2015
============
Drawing text in an SVG font causes load events to be fired. (r173028)
Don't GC img elements blocked by CSP until error events fire. (r128730)

Apr 10, 2015
============
Load event fires too early with threaded HTML parser (take 2) (r142555 partial)
load event shouldn't fired during node insertion traversals. (r126131)
Crash in URL::protocol() after appcache load fails (r178937)
Do not attempt to revalidate cached main resource on back/forward navigation (r178012)
SVG loaded through html <img> can't request to load any external resources. (r175074)

Apr 09, 2015
============
Sometimes Gmail cannot load messages, particularly on refresh ("...the application ran into an unexpected error...") (r172275)
REGRESSION (r130783): Scrolling is broken going back to a cached page from a page that still has outstanding subresources. (r153649)
widthMediaFeatureEval ends up with null FrameView during iframe unload. (r151702)
REGRESSION (r151088): Crash navigating away from non-loaded main resources with non-loaded scripts. (r151335)
Webkit crashes while loading content from Application Cache. (r151099)
Going "back" to a cached page from a page with a main resource error breaks scrolling, amongst other issues. (r151088)
Fix double hash lookup in DocumentLoader::removeSubresourceLoader(). (r150967)
We need to clear main resource when detaching DocumentLoader from the frame. (r150613)
Crash in convertMainResourceLoadToDownload when downloading file by option-return (r150609)
ASSERT d->m_defersLoading != defers on detik.com and drive.google.com (r147228)
Threaded HTML Parser fails fast/dom/HTMLAnchorElement/anchor-no-multiple-windows.html in debug (r144240)
JavaScript identifier incorrectly parsed if the prefix before an escape sequence is a keyword (r178427)
ASSERTION FAILED: !hasError() in JSC::Parser<LexerType>::createSavePoint(). (r162006)
Support the "json" responseType and JSON response entity in XHR (r154992)
Watchdog timer should be lazily allocated (r169139)
JSArray::sortNumeric should handle ArrayWithUndecided (r182567)

Apr 08, 2015
============
@media queries do not take zooming into account (r145233)

Apr 02, 2015
============
Prevent crash when track is deleted during video element deletion. (r149749)
Heap-use-after-free in WebCore::RenderTextTrackCue::layout (r141127)
Heap-use-after-free in WebCore::TextTrackCue::isActive (r140834)

Apr 01, 2015
============
REGRESSION: Crash under JITCompiler::link while loading Gmail (r154419)

Mar 31, 2015
============
[EME] MediaKey APIs should be prefixed. (r153867)

Mar 30, 2015
============
Merge API shims and JSLock (r165074 partial)
JSDOMPromise methods should acquire VM lock before calling into JS. (r164679)
Update Promises to the https://github.com/domenic/promises-unwrapping spec (r161241)
[Gtk] Build is failing after r158317 (r158345)
Add a way to fulfill promises from DOM code (r158317)
WebKit crashes when trying to send a msg via 'today's birthdays' dialogue box on Facebook (r155495)
Add support for Promises (r154629)

Mar 26, 2015
============
Web Inspector: deny access from injected script to nodes from document with another origin (r138228)
Web Inspector: Calling getEventListeners() on element with malformed javascript event listeners crashes (r125654)
Web Inspector: do not use window's eval in InjectedScript (r126168)

Mar 24, 2015
============
Regression: failing RegExp tests on 32 bit architectures. (r161562)

Mar 23, 2015
============
Web Inspector: show internal properties in inspector frontend (r134914)

Mar 20, 2015
============
Web Inspector: [Regression] Search across all sources is broken. (r141091)
Web Inspector: [Regression] Search all sources should not search across service projects. (r140966)
Web Inspector: never expand global scope automatically (r131171)
Web Inspector: [regression] Settings panel fails to open. (r126253)

Mar 19, 2015
============
Web Inspector: display function scope in UI (r124876)

Mar 16, 2015
============
Update custom setter implementations to perform type checks (r161009)

Mar 12, 2015
============
BuiltinExecutables keeps finalized Weaks around, pinning WeakBlocks. (r181248)
Prevent builtin js named with C++ reserved words from breaking the build (r164346)
Make it possible to implement JS builtins in JS (r163960 partial)
Store DOM constants directly in the JS object rather than jumping through a custom accessor (r169979)

Mar 11, 2015
============
Eagerly reify DOM prototype attributes (r169703 partial)

Mar 05, 2015
============
Fix the non-DFG build. (r156233)
Get rid of IsInlinedCodeTag and its associated methods since it's unused (r156229)

Mar 03, 2015
============
Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray (r167729)
Arguments objects shouldn't need a destructor (r167641)

Mar 02, 2015
============
Inline allocate Arguments objects in the DFG (r167591)

Feb 25, 2015
============
Extend the coverage of the Custom Allocation Framework in WebCore (r128572)

Feb 19, 2015
============
fourthTier: Arity fixup should be done while on same stack (r153232)
fourthTier: ASSERT that commonly used not-thread-safe methods in the runtime are not being called during compilation (r153134)

Feb 18, 2015
============
Also made sure that CodeBlock::CodeBlock initializes all of its fields; it was previously missing the initialization of m_capabilityLevelState. (r153227)

Feb 12, 2015
============
Gardening: fixed broken non-DFG build. (r154827)
Change StackIterator to not require writes to the JS stack. (r154821)
fourthTier: DFG tries to ref/deref StringImpls in a ton of places (r153142)

Feb 11, 2015
============
fourthTier: DFG should support op_in and it should use patching to make it fast (r153225)
Naming convention on createInvalidParamError is incorrect. (r152784)
Restoring use of StackIterator instead of Interpreter::getStacktrace(). (r153825)
Moved ErrorConstructor and NativeErrorConstructor helper functions into the Interpreter class. (r153823)
Unreviewed build fix after r153218. (r153329)
[Qt] Build fix after FTL. (r153322)
Unreviewed buildfix after FTL upstream.. (r153314)
Unreviewed buildfix after FTL upstream for non C++11 builds. (r153299)
fourthTier: Resurrect the CLoop LLINT on the FTL branch. (r153273)
fourthTier: Introducing the StackIterator class. (r153218)

Feb 10, 2015
============
fourthTier: Fix some minor issues in the DFG's profiling of heap accesses (r153204)
fourthTier: Remove CodeOrigin::valueProfileOffset since it was only needed for op_call_put_result. (r153202)
fourthTier: Remove finalDestinationOrIgnored since it isn't called anymore. (r153201)

Feb 05, 2015
============
fourthTier: Remove Interpreter::retrieveLastCaller().

Feb 03, 2015
============
fourthTier: CodeBlock should be RefCounted (r153147)

Feb 02, 2015
============
Unify the many and varied stack trace mechanisms, and make the result sane. (r147858 partial)
Reduce parser overhead in JSC (r133688 partial)
Eager stack trace for error objects. (r153457)
It should be easy to add new nodes that do OSR forward rewiring in both DFG and FTL (r155793)
fourthTier: Landing the initial FTL logic in a single commit to avoid spurious broken builds. (r153121)

Jan 29, 2015
============
Web Inspector: [JSC] implement setting breakpoints by line:column (r124406 partial)
Don't need a JSNameScope for the callee name just for the debugger. (r163210)
pushFinallyContext saves wrong m_labelScopes size (r161437)
get_callee and to_this aren't properly cleared during finalizeUnconditionally (r156787)
Avoid eagerly creating the JSActivation when the debugger is attached. (r163223 partial)
Web Inspector shouldn't artificially allocate the arguments object in functions that don't use it (r155657)

Jan 28, 2015
============
Removed a JSC-specific hack from the web inspector (r126720)

Add platform implementation of remote web inspector server for GTK port. (r134600 partial)

Jan 23, 2015
============
fourthTier: WatchpointSet should make racy uses easier to reason about (r153131 complete)

Jan 22, 2015
============
Web Inspector: Get rid of Inspector/BindingVisitors.h (r161382)
Remove the memory instrumentation code (r148921)
Web Inspector: move StringImpl size calculation to StringImpl (r124006)
Switch statements that skip the baseline JIT should work (r167646)
fourthTier: DFG should support switch_string (r153248)
fourthTier: There should only be one table of SimpleJumpTables (r153237)

Jan 21, 2015
============
fourthTier: FTL should support SwitchChar (r153235 partial)
One more buildfix after FTL upstream. (r153308)
fourthTier: DFG should have switch_char (r153234 partial)
fourthTier: String::utf8() should also be available as StringImpl::utf8() so that you don't have to ref() a StringImpl just to get its utf8() (r153135)
WTFString::utf8() should have a mode of conversion to use replacement character (r134173)
fourthTier: FTL should support Switch (r153230 partial)
fourthTier: Add CFG simplification for Switch (r153229)
DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT (r153540)
fourthTier: DFG should support op_switch_imm (r153228)

Jan 20, 2015
============
Marking should be generational (r161615 partial when GGC is enabled)
JSObject and JSArray code shouldn't have to tiptoe around garbage collection (r154471 when GGC is enabled)
Remove JSObject::propertyIsEnumerable (r154405)
Remove getOwnPropertyDescriptor trap (r154373)
Remove use of GOPD from JSFunction::defineProperty (r154340)
Remove getPropertyDescriptor (r154337)
Remove some dead code following getOwnPropertyDescriptor cleanup (r154336)
Remove custom getOwnPropertyDescriptor for JSProxy (r154334)
Remove custom getOwnPropertyDescriptor for global objects (r154313)
Rename DataFormatInteger to DataFormatInt32. (r155575)
DFG 32Bit: Crash loading "Classic" site @ translate.google.com (r154303)
Start removing custom implementations of getOwnPropertyDescriptor (r154300)

Jan 16, 2015
============
Add attributes field to PropertySlot (r154253)

Jan 16, 2015
============
operationOptimize() should defer the GC for a while. (r169094)
Inline the trivial parts of GC deferral. (r165355)
DFG::operationTypeOf() needs to set the VM::topCallFrame. (r163426)
Don't GC while in the OSR-triggered jettison code (r155457)
DFGOperations doesn't use NativeCallFrameTracer in enough places (r128898)

AI for GetLocal should match the DFG backend, and in this case, the best way to do that
  is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone (r167433 partial)
  
Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias (r166281)
CodeBlock fails to visit the Executables of its InlineCallFrames (r171946)
Flattening dictionaries with oversize backing stores can cause crashes (r171092)
Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
  when WebKit is compiled with fcatch-undefined-behavior (r166217)
Rename/refactor setButterfly/setStructure (r154426)

Jan 15, 2015
============
Add the notion of ConstantStoragePointer to DFG IR (r160295 partial)
Fold typedArray.length if typedArray is constant (r160292)
Fold constant typed arrays (r160150)
Clobberize phase forgets to indicate that it writes GCState for several node types (r156192)
DFG should inline typedArray.byteOffset (r154305)
fourthTier: Reenable the DFG optimization fixpoint now that it's profitable to do so with concurrent compilation (r153214)

Jan 14, 2015
============
CodeBlock::jettison() shouldn't call baselineVersion() (r158507)
OSR exit profiling should be robust against all code being cleared (r158459)
Add InvalidationPoints to the DFG and use them for all watchpoints (r158304 partial)
OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo (r158141)
Speculative Windows build fix. (r153537)
fourthTier: Small strings shouldn't get GC'd (r153240)

Jan 13, 2015
============
Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction (r160587 partial)
DFG CheckArray(NonArray) should prove that the child isn't an array (r158773 partial)

Jan 12, 2015
============
[Win] Javascript crash with DFG JIT enabled. (r158057)
ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in
  jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit (r157035)
Deoptimize 32-bit deoptimization (r156564)
fourthTier: 32-bit CallFrame::Location should use Instruction* for BytecodeLocation, not bytecodeOffset. (r153212 partial)
fourthTier: The DFG JIT should populate frame bytecodeOffsets on OSR exit. (r153207)
fourthTier: get rid of op_call_put_result (r153200 partial)
fourthTier: DFG should provide utilities for common OSR exit tasks (r153119)
Constants folded by DFG::ByteCodeParser should not be dead. (r166095)
fourthTier: put DFG data into a DFG::JITCode, and put common DFG and FTL data into something accessible from both DFG::JITCode and FTL::JITCode (r153116)
fourthTier: Everyone should know about the FTL (r153115)
fourthTier: JITCode should abstract exactly how the JIT code is structured and where it was allocated (r153113)

Jan 08, 2015
============
Source/WebCore: [MSE] http/tests/media/media-source/mediasource-remove.html is failing (r170932 partial)
[MSE] http/tests/media/media-source/mediasource-append-buffer.html is failing (r170543)

Jan 07, 2015
============
[EME] MediaKeySession resources persist across page reloads (r175332)
[EME] REGRESSION(??): test media/encrypted-media/encrypted-media-v2-syntax.html is failing (r173520)
[EME] Call suspendIfNeeded() in the MediaKeySession create() method to avoid an ASSERT. (r168533)
[EME] Crash when passing a NULL initData to MediaKeys.createSession() (r166721)
[EME] Extend the lifetime of MediaKeySession. (r165643)

Jan 05, 2015
============
fourthTier: don't insert ForceOSRExits except for inadequate coverage (r153215 partial)
fourthTier: CFA should defend against results seeming inconsistent due to a watchpoint firing during compilation (r153130)

Jan 02, 2015
============
REGRESSION(r153215): New iCloud site crashes (r156211)
Don't GC while OSR compiling (r155995)
Crash during exception unwinding (r154290)
32 bit portion of load validation logic (r153339)
fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing (r153285)
fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure (r153284 partial)
Heap-use-after-free in WebCore::AudioNodeInput::updateInternalBus (r144417)
Get rid of forward exit in GetByVal on Uint32Array (r160394 partial)
fourthTier: CheckArray should call the right version of filterArrayModes (r153270)
fourthTier: DFG CFA should know when it hits a contradiction (r153213)

Dec 22, 2014
============
XMLHttpRequest should support attribute responseURL as per latest XHR spec. (r175053)

Dec 19, 2014
============
32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state (r153793)
fourthTier: It should be possible to query WatchpointSets, and add Watchpoints, even if the compiler is running in another thread (r153124 partial)
Require use of AudioBus::create() to avoid ref-counting issues (r149817)
Heap-use-after-free in WebCore::AudioNodeOutput::pull (r149778)
Implement channel up-mixing and down-mixing rules (r144235)
Enhance AudioBus copyFrom() and sumFrom() to be able to handle discrete and speakers up and down-mixing (r143094)
Add Web Audio support for deprecated/legacy APIs (r129260)

Dec 18, 2014
============
Assigning to a readonly global results in DFG byte code parse failure (r154120)
new Int32Array(new ArrayBuffer(100), 1, 1) shouldn't throw an error that says "RangeError: Byte offset and length out of range of buffer" (r171323)
Incorrect behavior when mutating a typed array during set. (r165989)
ASSERT in MarkedAllocator::allocateSlowCase is wrong (r155056)
Remove incorrect ASSERT from CopyVisitor::visitItem (r154407)
[DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind. (r154141)
[Windows] Unreviewed build fix after r15417. (r154137)

Dec 17, 2014
============
JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses (r165121)
[JSC] Revise typed array implementations to match ECMAScript and WebGL Specification (r161789)
Implement ArrayBuffer.isView (r160876)
JSArrayBufferViews of length 0 allocate 0 CopiedSpace bytes, which is invalid (r158583)
Use CheckStructure for checking the types of typed arrays whenever possible (r156017)
FTL should support typed array GetByVal and related ops (r155260)
DFG should inline new typedArray() (r154403)
REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse (r154261)
DFG should optimize typedArray.byteLength (r154218)
FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions (r154569)
Incorrect TypedArray#set behavior (r154518)
Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView (r154408)
Unreviewed, fix 32-bit build. (r154129)
Typed arrays should be rewritten (r154127)
Copied space should be able to handle more than one copied backing store per JSCell (r153720)
fourthTier: Count external memory usage towards heap footprint (r153247)
It should be possible to hijack IndexingHeader for things other than lengths (r153104)

Dec 16, 2014
============
Move TypedArray implementation into JSC (r153728)
Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access (r154157)
fourthTier: The Math object should not be polymorphic (r153223)

Dec 15, 2014
============
fourthTier: GC's put_by_id transition fixpoint should converge more quickly (r153243)
Reduce parser overhead in JSC (r133688 partial)
Introduce a SpecInt48 type and be more careful about what we mean by "Top" (r155480)
SpecType should have SpecInt48AsDouble (r155466)
fourthTier: Have fewer Arrayify's (r153264)
fourthTier: DFG should optimize identifier string equality (r153245)
ASSERT in compileArithNegate on pdfjs (r161438)
Make the different flavors of integer arithmetic more explicit, and don't rely on (possibly stale) results of
	the backwards propagator to decide integer arithmetic semantics (r161399)
Get rid of forward exit on DoubleAsInt32 (r160411)
Optimize away OR with zero - a common ASM.js pattern. (r159783)
DFG should use the (x & 0x7fffffff) trick for doing overflow and neg-zero checks on negation in one go (r156016)
Int32ToDouble should be predicted SpecInt48 and predictions should have nothing to do with constant folding (r155567)
Be explicit about backwards propagation properties that care about escaping to bytecode, as opposed to just escaping within DFG code. (r155497)

Dec 12, 2014
============
op_to_this shouldn't use value profiling (r156468)
op_get_callee shouldn't use value profiling (r156376)
Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them (r156184 partial)
For JSVALUE32_64, maxOffsetRelativeToPatchedStorage() doesn't compute the maximum negative offset (r143994)
Static size inference for JavaScript objects (r141050)

Dec 11, 2014
============
STRH can store values with the wrong offset (r176151)
ARMv7(s) Assembler: LDRH with immediate offset is loading from the wrong offset (r176083)
[Win] Enum type with value zero is compatible with void*, potential cause of crashes. (r168729)
ASSERTION FAILED: isUInt16() on ARMv7 after r113253. (r164433)
FTL should use cvttsd2si directly for double-to-int32 conversions (r160205)
Baseline JIT calls to CommonSlowPaths shouldn't restore the last result (r159973)
fourthTier: Add another temp register regT4 to JSInterfaceJIT (r153231)


Dec 09, 2014
============
Eliminate unused JITStub function declarations (r156858)
Wrong for SlowPathCall to load callFrame reg from vm.topCallFrame after call (r155399)
REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark. (r154839)
Build fix attempt after r154156. (r154159)
REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException (r154173)
Fix crash when performing activation tearoff. (r154156)
Build fix for ARM MSVC after r153222 and r153648. (r153745)
REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath. (r153659)
REGRESSION: ARM still crashes after change set r153612. (r153648)
REGRESSION(r153612): It made jsc and layout tests crash (r153646)
REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer (r153612)
[Windows] Speculative build fix. (r153360)
fourthTier: The baseline jit and LLint should use common slow paths (r153222)

Fix more fallout from failed attempts at div/mod DFG strength reductions (r159736)
Generated color wheel displays incorrectly (regressed in r155567) (r158556)
fourthTier: FTL should support ArithAbs (r153198)

Dec 08, 2014
============
Trap 5 (most likely int $3) in jsc-layout-tests.yaml/js/script-tests/integer-division-neg2tothe32-by-neg1.js.layout-dfg-eager-no-cjit (r157043)
fourthTier: DFG ArithMod should have the !nodeUsedAsNumber optimizations that ArithDiv has (r153187)
fourthTier: clean up ArithDiv/ArithMod in the DFG (r153186)
Simplify WatchpointSet state tracking (r159395)
Refine DFG+FTL inlining and compilation limits (r164558 partial)
fourthTier: add heuristics to reduce the likelihood of a trivially inlineable function being independently compiled by the concurrent JIT (r153180)

Dec 05, 2014
============
The GetById->GetByOffset AI-based optimization should actually do things (r158114)

Dec 04, 2014
============
Don't speculate on ToThis if we already know that arg0 has a questionable record with structure checks (r163513)
DFG doesn't properly keep scope alive for op_put_to_scope (r156003)

Dec 02, 2014
============
Generate put_by_id for bracket assignment with constant string subscript. (r176079)
Generate get_by_id for bracket access with constant string subscript. (r176035)
REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings. (r172727)
Always inline JSValue::get() and Structure::get(). (r169823)

Dec 01, 2014
============
put_to_scope[5] should not point to the structure if it's a variable access, but it should point to the WatchpointSet (r159462)
fourthTier: StringObjectUse uses structures, and CSE should know that (r153287)
fourthTier: Re-worked non-local variable resolution (r153221)

- This revealed a bug where the CFA was modeling CheckStructure on a node that had (r153213)
  a known singleton m_futurePossibleStructure set somewhat differently than the
  constant folder. If the CheckStructure was checking a structure set with two or
  more structures in it, it would not filter the abstract value. But the constant
  folder would turn this into a watchpoint on the singleton structure, thereby
  filtering the value. This discrepancy meant that we wouldn't realize the
  contradiction until the backend, and the AbstractState::bail() method asserts that
  we always realize contradictions in the constant folder.

Nov 27, 2014
============
Remove unnecessary indirection to non-local variable access operations (r142769)

Nov 26, 2014
============
FixupPhase should always call fixEdge() exactly once for every edge (r155593)
FixupPhase's setUseKindAndUnboxBlahbittyblah and fixDoubleEdge methods should be merged and given intuitive names (r155590 partial)
2) The constant folder has a long standing bug! It will fold a node to a constant if (r157327)
   the AI proved it to be a constant. But it's possible that the original node also
   proved things about the constant's structure. In that case "folding" to a
   JSConstant actually loses information since JSConstant doesn't guarantee anything
   about a constant's structure. There are various things we could do here to ensure
   that a folded constant's structure doesn't change, and that if it does, we
   deoptimize the code. But for now we can just make this sound by disabling folding
   in this pathological case.
   
Remove ConstantFoldingPhase's weirdo compile-time optimization (r159074)
fourthTier: NodeExitsForward shouldn't be duplicated in NodeType (r153292 partial)
fourthTier: DFG should do a high-level LICM before going to FTL (r153295 partial)
fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex (r153267 partial)
fourthTier: DFG should support op_switch_imm (r153228 partial)

Nov 25, 2014
============
DFG PhantomArguments shouldn't rely on a dead Phi graph (r161072 partial)
- ClobberSet::add was failing to switch Super entries to Direct entries in some cases. (r153295)
- DFGClobberize.cpp needed to #include "Operations.h".
fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop (r153269)
fourthTier: DFG should be able to query Structure without modifying it (r153120)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 baseline JIT).
fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access (r153281)
fourthTier: isContravenedByStructure is backwards (r153220)
fourthTier: Type check hoisting phase has a dead if statement (r153219)
fourthTier: CheckArrays should be hoisted (r153167)
fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes (r153271)
fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t (r153265)
fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals (r153249)
fourthTier: DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray (r153210)
fourthTier: Clean up AbstractValue (r153208)
fourthTier: AbstractValue methods that deal with watchpoints should have access to Graph, so that in debug mode, Graph can track the history of watchpoint states and detect races (r153129)
fourthTier: DFG should better abstract floating point arguments (r153118)
fourthTier: DFG should better abstract arguments (r153117)
fourthTier: DFG should abstract out how it does forward exits, and that code should be simplified (r153114)

Nov 24, 2014
============
This also fixes a long-standing performance bug where the JSObject slow paths would (r160347)
always create contiguous storage, rather than type-specialized storage, when doing a
"storage creating" storage, like:        
    var o = {};
    o[0] = 42;

Nov 21, 2014
============
Implement object-fit CSS property (r154858)
ASSERT in FrameLoader::shouldInterruptLoadForXFrameOptions (r164435)
X-Frame-Options: Multiple headers are ignored completely. (r147086)
X-Frame-Options should accept ALLOWALL as a valid value. (r144105)
Bring back eager resolution of function scoped variables (r14500 partial)

Nov 20, 2014
============
r157411 fails run-javascriptcore-tests when run with Baseline JIT (r157541)
Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot (r168510 partial)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 partial)
Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary (r157556)
fourthTier: DFG should have its own notion of StructureChain, and it should be possible to validate it after compilation finishes (r153146)
Get rid of the lastResultRegister optimization in the baseline JIT (r159091)

Nov 19, 2014
============
fourthTier: get rid of op_call_put_result (r153200)
fourthTier: LLInt shouldn't store an offset call PC during op_call-like calls (r153199)

Nov 18, 2014
============
fourthTier: rationalize DFG::CapabilityLevel and DFGCapabilities.[h|cpp] (r153179)

Nov 17, 2014
============
fourthTier: DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray (r153210 partial)
fourthTier: observeUseKindOnNode doesn't contain a case for KnownCellUse (r153164)
fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write (r153294)
CodeBlock DFG entry list isn't getting shrunk-to-fit after linking. (r152882)
CodeBlock::m_argumentValueProfiles wastes a lot of memory. (r152848)
[JSC]: Fix maybe-uninitialized gcc 4.8 warning in DFGSpeculativeJIT.cpp (r152280)

Nov 14, 2014
============
Initialize a char* that needs to be initialized. (r169665)
Stop using deprecatedCharactersWithNullTermination in SQLite code (r152134)
WebSQL forces 16-bit strings (r151248)
SQLResultSet.rowsAffected not cleared (r130891)

Nov 13, 2014
============
PropertySlot::setValue is ambiguous (r154113)
Remove no-arguments constructor to PropertySlot (r153677)
Remove no-arguments constructor to PropertySlot (r153673)
More cleanup in PropertySlot (r153556)
Some cleanup in JSValue::get (r153532)
String.prototype.trim removes U+200B from strings. (r167951)
Unreviewed, ARMv7 build fix after r167336. (r167354)
compileMakeRope does not emit necessary bounds checks (r167336)

Nov 12, 2014
============
REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG (r155201 partial)
Some cleanup in PropertySlot (r153454)
fourthTier: Rationalized 'this' conversion, includes subsequent FTL branch fixes (r153145 partial)
REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't! (r157830)
Made AudioNode an EventTarget (r150810)

Nov 11, 2014
============
CachedResourceLoader should check redirections to reuse or not cached resources (r173173)
ASSERTION FAILED: m_history->provisionalItem() == m_requestedHistoryItem.get() when navigating to an uncached subframe (r154306)
REGRESSION (r150169): Images from file: URLs display after a delay even though they were preloaded by JavaScript (r150863)
Resources from non-HTTP schemes should not be cached indefinitely (r150169)

Nov 10, 2014
============
Update all float attributes in HTMLMediaElement to double (r148099 partial)
[WTF] Media time should not have a constructor which accepts a single int or float. (r159443 complete)
[MSE] Add MediaSource extensions to AudioTrack, VideoTrack, and TextTrack (r158821 partial)
[WTF] Media time should not have a constructor which accepts a single int or float. (r159443 partial)
[WTF] Add a multiplication operator (and a few others) to MediaTime (r157992)
Extend the coverage of the Custom Allocation Framework in WTF and in JavaScriptCore (r127484)
Support a rational time class for use by media elements. (r123878)
[MSE] Add support for VideoPlaybackMetrics. (r160336)
[MSE] Add MediaSource extensions to AudioTrack, VideoTrack, and TextTrack (r158821 partial)
High res times should start at 0 (r131001)
[MSE] Refactor MediaSourceBase back into MediaSource (r160258 partial)

Oct 27, 2014
============
WebGL shouldn't allocate a "length" Identifier just to move some numbers around (r149249)

Oct 24, 2014
============
[EME] setMediaKeys function as defined in the EME specification does not work (r153851)

Oct 23, 2014
============
[EME] Implement MediaKeys.isTypeSupported() (r153838)

Oct 21, 2014
============
[MSE] Bring SourceBuffer.append up to the most recent spec. (r158928 partial)
[MSE] Add a SourceBufferPrivateClient interface for platform -> html communication. (r158606)
[MSE] Make MediaSourcePrivate, SourceBufferPrivate classes RefCounted. (r158270)

Oct 17, 2014
============
Fix TimeRanges::intersectWith (r160749)

Oct 16, 2014
============
[MSE] Remove legacy Media Source APIs (WebKitMediaSource, WebKitSourceBuffer, WebKitSourceBufferList) (r158288)
[MSE] Fix runtime errors caused by mediasource IDL attributes. (r158040)
URLMediaSource.idl and URLMediaStream.idl are wrong (r157054)
Conditional support in bindings code generator for overloaded functions (r157048)
[MSE] Throw exception when setting timestampOffset while 'updating' state is set. (r156058)
Merge blink MediaSource changes since fork. (r156049 partial)
Remove MediaSource 'ended' to 'open' transition when seeking. (r137480)
Add support for MediaSource::isTypeSupported() (r146360)

Oct 15, 2014
============
Factor SourceBuffer methods out of MediaSourcePrivate & WebMediaSource into SourceBufferPrivate & WebSourceBuffer respectively. (r144328)
Fix SourceBufferList so SourceBuffer.append() calls are always rejected after the MediaSource is closed. (r144203)
Update MediaSource to allow append() calls in "ended" state. (r137332)
Fire suspend event whenever network state is set to NETWORK_IDLE. (r125054)
Factor MediaSource methods out of MediaPlayer & MediaPlayerPrivate and into a new MediaSourcePrivate interface. (r143826)
Resource leak related to gstreamer and videos (r153937)
Potential use-after-free with an event fired at a HTMLMediaElement which is currently being deleted (r151600)
Use-after-free in media player handling (r135906)

Oct 10, 2014
============
[EME] setMediaKeys function as defined in the EME specification does not work (r153851)
Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement (r144859 + r144896 rolled out + r145162)

Oct 09, 2014
============
EME: Add a CDMPrivate implementation using AVFoundation. (r143258)
Add a CDMClient class which allows the CDM to query for the currently attached MediaPlayer. (r143072)
EME: replace MediaKeySession.addKey() -> update() (r142918)
Bring WebKit up to speed with latest Encrypted Media spec. (r142327)

Oct 08, 2014
============
Fix cast-align warnings in JavaScriptCore/heap/HandleBlockInlines.h (r152225)
Remove String::deprecatedCharactersWithNullTermination() and related code (r152201)
Add a new String::charactersWithNullTermination() function that returns a vector (r152142)
Stop using deprecatedCharactersWithNullTermination in SQLite code (r152134)
Add JSStringCreateWithCharactersNoCopy SPI (r152052)
Remove minimum window size for PagePopup (r124753)
Fix layoutMod in fractional layout units. (r124745)
http/tests/inspector/indexeddb/database-structure.html start to crash after r124675 (r130198)
Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration(). (r124723)
Don't reuse cached stylesheet with failed or canceled resource loads (r124720)
REGRESSION (tiled drawing): Pages scroll bars flash with each character you type in a textarea (affects Wikipedia and YouTube) (r124714)
HTMLMediaElement may fire the seeked event before currentTime reaches the seek time (r124713)
CSS 2.1 failure: overflow-applies-to-001 fails (r124697)
Disabling eval changes the timing of DidCreateScriptContext (r124689)
[SVG] Tref target event listener cleanup (r124681)
IndexedDB: Core upgradeneeded logic (r124540 + r124545 rolled out + r124675)
Implement computePreferredLogicalWidths on RenderGrid (r124671)
Switch mapLocalToContainer to use a flag instead of boolean parameters (r124662)

Oct 07, 2014
============
[JSC] Test262 15.5.4.9_3 test is failing (r151159)
Incorrect assertion in DFG::Graph::uncheckedActivationRegisterFor() (r151045)

Oct 02, 2014
============
RefCountedArray needs to use vector initialisers for its backing store (r150160)
Improve stringProtoFuncLastIndexOf for the prefix case (r150042)
Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase (r149911)	
Stop using WTF::deleteAllValues in JavaScriptCore (r149633)
Build with GCC 4.8 fails because of -Wmaybe-uninitialized (r149622)
Removed op_ensure_property_exists (r149418)

Sep 25, 2014
============
Unify the data access of StringImpl members from JavaScriptCore (r149344)
Cleaned up pre/post inc/dec in bytecode (r149247)
Filled out more cases of branch folding in bytecode when emitting expressions into a branching context (r149236)
       
Sep 24, 2014
============
Crash when a clip path referencing a clip path changes documents (r124631)
Crash in Notification when setting a non-object as an event listener (91881) (r124626)
Delete text from password does nothing. (r124586)
Make order of attribute/method in HTMLTrackElement.idl as same as specification (r124562)
Fix crashes for <input> and <textarea> with display:run-in. (r124556)

Sep 18, 2014
============
regression(r124510) webintents/web-intents-obj-constructor.html is crashing (r125513)
Regression(r124564): Wrong inlineChildrenBlock->hasLayer() computed in RenderBlock::removeChild. (r124580)
Unreviewed r124536 followup, fix the assertion error on Chromium. (r124577)
Crash due to layer not removed from parent for anonymous block. (r124564)
Read tag names and attributes from the saved tokens in HTMLTreeBuilder::callTheAdoptionAgency(AtomicHTMLToken*) (r124536)
A few objects aren't being safely protected from GC in all cases (r124510)
DOM4: className should be defined on Element and not on HTMLElement (r124499)

Sep 08, 2014
============
Do not dispatch modification events in SVG attribute synchronization (r124485)
Check if the last table element's parent node is an element when determining the foster parent element. (r124465)
Move number localization code in LocaleICU.cpp to new class (r124459)
Alignment issue for readTime in PluginDatabase.cpp (r124441)
CSSRegions: Crash when reattaching a region to a named flow. (r124425)

Sep 03, 2014
============
REGRESSION(r102741): [Forms] In selects, when disabled, browser skips first option if not in optgroup, then selects first option in optgroup (r124416)
Chromium Android build fix after r124402. Initialize the out variables as suggested by the compiler. (r124411)
The elements in Shadow DOM of input should not be modifiable. (r124407)
IndexedDB: ObjectStoreMetaDataKey::m_metaDataType should use byte type (r124402)
Read tag names and attributes from the saved tokens in HTMLElementStack (r124379)
CSP should correctly block plugin resources rendered in PluginDocuments. (r124371)
SVG animation not working for elements inserted after parsing is finished (r124369)
IndexedDB: IDBCursor.continue(key) does not throw for key "behind" cursor (r124361)
Read tag names and attributes from the saved tokens in HTMLFormattingElementList::closestElementInScopeWithName(const AtomicString&) (r124357)
IndexedDB: inject index keys on cursor/objectstore/index get success handlers (r123843)

Aug 27, 2014
============
REGRESSION (r139343): WebKit crashes when canceling a load inside webView:resource:didFinishLoadingFromDataSource: (r154115)
We should clear mainResource in DocumentLoader::cancelMainResourceLoad. (r150150)
FrameLoaderClient::assignIdentifierToInitialRequest() not called for the main resource when loaded from the memory cache (r148182)
Make a bunch of DocumentLoader functions private (r147336)
REGRESSION (r146239): Reproducible crash in WebCore::DocumentLoader::responseReceived. (r146626)
Merge MainResourceLoader into DocumentLoader (r146449)
REGRESSION(r146223): chromium asserts/crashes in DocumentLoader (r146267)
Merge MainResourceLoader's SubstituteData loading + others into DocumentLoader (r146239)
Merge MainResourceLoader::responseReceived into DocumentLoader (r146216)
Merge MainResourceLoader::willSendRequest into DocumentLoader (r145973)
Hide MainResourceLoader from the outside world (r145914)
Rename FrameLoaderClient::download to convertMainResourceLoadToDownload (r137845)
Warn when parsing an invalid X-Frame-Options header. (r133868)
Move mixed content logic out of FrameLoader (r131704)

Aug 26, 2014
============
Loader cleanup : Simplify FrameLoader/DocumentLoader setupForReplace() (r130651)

Address review feedback I forgot to address in r148929 (r148932)
REGRESSION (r141136): Wiki "Random article" function very broken. (r148929)
Returning NULL from willSendRequest should cancel a load from the memory cache (r147829)
REGRESSION(r137607): Redirecting a post to a get then reloading triggers resubmit warning (r145735)
Merge MainResourceLoader's didFinishLoading and dataReceived into DocumentLoader (r145734)
REGRESSION: Reloading a local file doesn't pick up changes (r142707)
REGRESSION(r141136): Apple's internal PLT test suite doesn't finish (r142024)
Cached main resources report a zero identifer on 304s (r141615)
REGRESSION (r138962): Fails to show "confirm form resubmission", hangs browser (r141462)
Apple's internal PLT test suite doesn't finish after r141136 (r141306)
.: Enable reuse of cached main resources (r141136)
Preserve container size requests across image loads (r140722)
ResourceHandle::willLoadFromCache is evil (r138962)
Rename shouldBufferData to dataBufferingPolicy (r138285)
Queue container size requests while images are loading. (r137981)

REGRESSION (r137607): Loading of archives as substitute data is broken (r141811)
Replace unnecessary null-checks with an assert in MainResourceLoader::continueAfterNavigationPolicy. (r139350)
REGRESSION(r138222): WebDocumentLoaderMac-related leaks seen on Leaks bot (r139343)
REGRESSION(r138222?): [Mac WK1] http/tests/appcache/main-resource-redirect.html asserts in WebFrameLoaderClient::dispatchDidFinishLoading (r139150)
REGRESSION (r138222?): Assertion failure on appcache/main-resource-redirect.html (r138782)
[Qt]REGRESSION(r138222): It made fast/forms/number/number-spinbutton-click-in-iframe.html crash (r138258)
REGRESSION(r137607): resource load client callbacks are not called for the main resource when loading HTML string (r138222)
REGRESSION(r137607): PluginDocument loads consume huge amounts of memory (r138174)
REGRESSION (r137607): Cannot download files, stuck in Preparing to download (r138012)
Route main resource loads through the memory cache. (r137607)
Make MainResourceLoader not use m_frame directly. (r136412)
Move empty loading to DocumentLoader, simplify FrameLoader::init() (r136031)
Add a main resource type to the memory cache (r132520)
Crash in WebCore::SubresourceLoader::willSendRequest. (r132287)
Add timeout support to XMLHttpRequest (r132252)
Refactor CachedResourceLoader: add CachedResourceRequest (r132157)
Reorder some functions in SubresourceLoader to permit main resources (r131919)
Move ResourceRequest construction out of SubresourceLoader (r131660)
Re-order CachedRawResource::data() to set m_data earlier (r131467)
Switch ResourceLoader::resourceData() from SharedBuffer to ResourceBuffer (r131085)
Switch over CachedResource::data() from taking a SharedBuffer to taking a ResourceBuffer. (r130983)
Switch CachedResource over from SharedBuffer to a new ResourceBuffer (r130947)
Make CachedResourceLoader RefCounted and have both Document and DocumentLoader hold RefPtrs. This is in preparation for caching main resources. (r130817)
Reland "Add in-place reload behavior to ImagesEnabled setting" with optimizations (r129462)
ResourceErrorBase needs to identify timeouts (r127495)
@import url("#foo") causes stack overflow (r125852)
Remove StyleSheetContents::m_finalURL  (r125805)

Aug 21, 2014
============
fourthTier: SpeculativeJIT::checkArray should use the correct ExitKind (r153157)
DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing (r158608)
DFG optimizes out strict mode arguments tear off (r154217)
DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray,
  and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants (r153778)
DFG is not enforcing correct ordering of ToString conversion in MakeRope (r153615)
	
Aug 20, 2014
============
HTMLTreeBuilder passes a wrong token when pushing the head element (r124353)
[CSS Regions] The regionLayoutUpdate event should be dispatched on the NamedFlow object (r124350)
CSS 2.1 failure: margin-collapse-012 fails (r124347)
[CSS] Add selectors for multiple fields time input UI. (r124314)
Make HTMLConstructionSite::createHTMLElement(AtomicHTMLToken*) private. (r124310)
ColorInputType::typeMismatchFor is returning the opposite bool (r124299)
-webkit-flex-flow does not work with inherit/initial values (r124297)
Float imprecision causes incorrect wrapping in LineLayout with subpixel layout (r124295)
Refactor EventDispatcher::dispatchEvent() so that we can call each phase (Caputure, Target and Bubbling) of event dispatching separately. (r124291)
-webkit-order should take an integer, not a number (r124276)
Stop masking 8 bits off of the visited link hash. We need all the bits! (r124268 revisited)
Read tag names and attributes from the saved tokens in HTMLTreeBuilder::processEndTag(AtomicHTMLToken*) (r124262)
FractionalLayoutUnit minor math bugs (r124253)

Aug 19, 2014
============
AudioPannerNode should raise exception when distanceModel is set incorrectly (r124237)
[CSS Shaders] CSS parser rejects parameter names that are also CSS keywords (r124233)
Caret position is wrong when a editable container has word-wrap:normal set (r124231)
xmlserializer strips xlink from xlink:html svg image tag (r124210)
Slider ticks are drawn at wrong positions (r124198)
Older ShadowDOM is still rendered when a new ShadowDOM is added when they don't have any InsertionPoints. (r124196)
Inspector crashes when trying to inspect a page with CSS region styling (r124186)
Change Element::isReadOnlyFormControl to Element::shouldMatchReadOnlySelector/shouldMatchReadWriteSelector or HTMLFormControlElement::readOnly (r124180)
There is no way to tell whether an element can be activated or not (r124022)
REGRESSION(r124168): Null crash in RenderLayer::createScrollbar (r129955)
Crash in RenderTableCell::borderTop() due to custom scrollbars after r124168 (r126591)
Remove overflow: scroll handling in block flow layout methods (r124168)
fillWithEmptyClients method should also initialize chromeClient with EmptyChromeClient (r124162)

Aug 18, 2014
============
Make QuotesData use a Vector of pairs (r124157)
Node::replaceChild() can create bad DOM topology with MutationEvent, Part 2 (r125237)
Node::replaceChild() can create bad DOM topology with MutationEvent (r124156)
[Forms] Get rid of Element::isReadOnlyFormControl other than CSS related (r124146)
Regression(r124135): SVG tests crashing on ports using Cairo (r124212)
Unreviewed crash fix after r124135. (r124181)
Grid Demo spends 1.5% of total time allocating Path objects in RenderBoxModelObject::paintBorderSides (r124135)
Crash at WebCore::PluginData::pluginFileForMimeType const + 38 (r134903)
Plugin diagnostic logging should send plugin file basename instead of MIME type. (r134083)
Crash in WebCore::logPluginRequest + 183 (r126921)
Crash in logging code if MIME type is null (r124102)
new flexbox should ignore float set on flexitems (r124064)
ASSERTION FAILED: !rect.isEmpty()  : void WebCore::GraphicsContext::drawRect(const WebCore::IntRect &) (r124044)
[Bindings]Remove custom JS/V8 bindings for WebSocket::close() using [Clamp] (r124034)
Prohibit having AuthorShadowDOM of input or textarea element for a while and having a flag to enable it in Internals. (r124027)
Wheel events on a page with frames are not handled in fixed layout (r124024)
Remove an useless member variable, m_shouldPreventDispatch, from EventDispatcher. (r124019)
Remove an unused member variable, m_originalTarget, from EventDispatcher. (r124014)

Aug 15, 2014
============
Remove unnecessary code which set event's target from EventDispatcher::dispatchEvent. (r124009)
Fix removing invalid values from color input suggestions (r123997)
getChannelData should raise exception when index is more than numberOfChannels. (r123996)
forward-delete in the last cell of a table moves the caret after the table (r123995)
Remove unused method HTMLConstructionSiteTask::take(HTMLConstructionSiteTask&) (r123992)
Hit testing in the gap between pages returns incorrect results in flipped blocks writing modes (r123990)
RenderBlock::offsetForContents() is wrong in flipped blocks writing modes (r123977)
Size changes on a layer with negative z-index children don't repaint correctly (r123972)
Ignore visibility:hidden elements when computing compositing layer bounds (r123971)
[V8] Optimize Element::getAttributeNS() by replacing String with AtomicString (r123944)
Reset the set of "seen" plugins when the main frame load is committed. (r123942)
execCommand copies the backgroung-color of the enclosing element to the element being edited. (r123940)
Plugins should not be allowed to override standard properties/attributes in non-standard worlds (r123936)
Add diagnostic logging for plugins-per-page. (r123930)
Build warning in CSSPrimitiveValueMappings.h when CSS_STICKY_POSITION is disabled (r123928)
Search cancel button is hard to activate with a tap gesture even if touch adjustment is enabled. (r123919)
Animated SVGs do not clear previous frame completely in hidpi mode. (r123914)
Fix COMPILE_ASSERT for InlineFlowBox growing (r123913)
-webkit-background-clip:text is blurry in WebKit 1 apps when deviceScaleFactor > 1 (r123912)

Aug 13, 2014
============
REGRESSION: flexbox content-size fails to exclude scrollbar (r124278)
flex-wrap: wrap not wrapping for % sized items in column flow (r123909)
Show the unavailable plug-in indicator for Java applets as well (r123907)
CSP directives containing invalid characters should log an error. (r123899)

Aug 12, 2014
============
Improve touch adjustment for targetting small controls. (r123889)
Microdata: Remove toJs() and toV8Object() custom methods from JSHTMLElementCustom.cpp and V8HTMLElementCustom.cpp respectively. (r123880)
Initialize the Event Names' string from read only memory (r124616)
REGRESSION (r123837): Full screen transition is broken at apple.com (r148065)
Make transitions work between different Length types (r123837)
Blocks with reverse column progression dont have layout overflow for overflowing columns (r123835)
De-virtualize WrapShape classes (r123830)
Reloading substitute-data/alternate html string for unreachableURL will add an item to the back-forward-history for each reload (r123823)

Aug 11, 2014
============
[WebGL] Initial size of canvas can be larger than MAX_VIEWPORT_DIMS. (r123816)
[Qt] Build fix for Qt after r123811 (r123838)
HTMLAppletElement should inherit from HTMLPlugInImageElement (r123811)
Use the constant count of Tags/Attributes names instead of getting the size when obtaining the tags/attributes (r123804)
Guard Prerenderer against inserting prerenders into detached documents. (r123798)
Outline is always painted on the first table row regardless of the row it's set on (r123793)
Href attribute with javascript protocol is stripped when content is pasted into a XML doucment (r123788)
<svg> element with no intrinsic size and max-width gets sized incorrectly (r123785)
Add diagnostic messages when media and plugins load or fail to load. (r123780)
Unreviewed, rolling out r123525. (r123794)
Unreviewed, rolling out r123159, r123165, r123168, r123492, and r123650. (r123779)
Add a ChromeClient method to send diagnostic logging messages from WebCore to the client. (r123778)
Move region from HitTestResult to HitTestPoint. (r123754)
[WebGL] ANGLEWebKitBridge should support ESSL platforms (r123749)
Add a MediaPlayer API to retrieve the description of the current media engine. (r123747)
Web Inspector: Edits of styles declared after invalid selector are not applied (r123746)
[WebGL] GraphicsContext3D::readPixels has extraneous code from GraphicsContext3D::readPixelsIMG (r123745)
MediaStream API: Remove DeprecatedPeerConnection (r123724)
CSP 1.1: Implement the Content Security Policy script interface. (r123722) 
Fix null ptr deref in CSSParser::storeVariableDeclaration(). (r123714)
Add UserAgentShadowDOM to FormControlElement just before adding AuthorShadowDOM (r123713)
Repalce "int" with "long" from WebCore/*.idls (r123705)
The elements in ShadowDOM of meter or progress should not be modifiable. (r123704)
[WebGL] fast/canvas/webgl/framebuffer-object-attachment.html fails on certain platforms (r123699)
IndexedDB: IDBTransaction::abort() should throw DOMException (r123698)
Regression: r123696 made css3/flexbox tests failing (r123783)
flexitems can overflow the flexbox due to rounding (r123696)
[Forms] Move HTMLInputElement::updateInnerTextValue to InputType class (r123687)
In flipped blocks, a point on the top edge of a text box is considered outside the box (and vice versa) (r123988)
In flipped blocks, a point on the top edge of a box is considered outside the box (and vice versa) (r123980)
In flipped lines writing modes, hit testing at the beginning of a column may return a result from the previous column (r123973)
Hit testing near a column break can return a result from an adjacent column when there is leading (r123904)
Hit testing in one column or in the gap between cloumns along the block axis can return a result from the wrong column (r123684)
IndexedDB: Make db.version return an integer if appropriate (r123683)
Read tag names and attributes from the saved tokens in HTMLTreeBuilder::resetInsertionModeAppropriately. (r123671)
It is invalid when both numberOfInputChannels and numberOfOutputChannels to be zero in JavaScriptAudioNode. (r123662)

Aug 06, 2014
============ 
Fix potential bug in lookup logic (r149496)

Aug 05, 2014
============ 
Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0 (r154630)
DFG should CSE MakeRope (r153242)
DFG string concatenation optimizations might emit speculative nodes after emitting nodes that kill the original inputs (r153075)

Aug 01, 2014
============ 
MakeRope fixup shouldn't lead to an Identity without kids (r152742)
Optimize addStrackTraceIfNecessary to be faster in the case when it's not necessary (r152606)	
Going to google.com/trends causes a crash (r151709 complete)
Function names on Object.prototype should be common identifiers (r151605)	
Remove LiteralIdentifierTable (r151578)	
JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com (r151273 complete)
We broke (-2^31/-1)|0 in the DFG (r150694)
We broke !(0/0) (r150659) 
fourthTier: Get rid of StructureStubInfo::bytecodeIndex (r153205)

Jul 30, 2014
============
JSString::toAtomicString() should return AtomicString. (r168384)
fourthTier: all cached put_by_id transitions, even ones that weren't inlined by the DFG, should be propagated by the GC (r153206)
IndexingTypes should use hex (r149304)
Add support for Math.imul (r149159)
PreciseJumpTargets should treat loop_hint as a jump target (r149154) 
Fix problems with processing negative zero on DFG. (r149152)
Stack guards are too conservative (r149146)	
Stack guards are too conservative (r149136)	
Add watchdog timer polling for the DFG. (r149089)
Special thunks for math functions should work on ARMv7 (r149082)

Jul 29, 2014
============
JSC Assertion tests failures on MIPS. (r151228)		
Filled out more cases of branch folding in the DFG (r149041 + r149050)
Global constructors should be configurable and not enumerable (r149001)
Simplify the baseline JIT loop hint call site. (r148989) 
Fix a typo in MacroAssemblerARMv7.h. (r148942)
Change baseline JIT watchdog timer check to use the proper fast slow path infrastructure. (r148893 + r148899)
Improve StringImpl code density for older ARM hardware (r148857)
Refactor identical inline functions in JSVALUE64 and JSVALUE32_64 sections out into the common section. (r148820)
Rename JSStringJoiner::build() to join() (r148767)

Jul 28, 2014
============
Use StringJoiner to create the JSString of arrayProtoFuncToString (r148721)
Interpreter entry points should throw the TerminatedExecutionException from the caller frame. (r148709)
DFG: Negative size for new Array() interpreted as large unsigned int (r148130 + r148207)
Adds fromCharCode intrinsic support. (r147985)	
DFG should be able to inline string equality comparisons (r147965)
REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests (r147933)
Use Vector::reserveInitialCapacity() when possible in JavaScriptCore runtime (r147887)
Inspector should display information about non-object exceptions (r147872)
Stop pretending that statements return a value (r147677)

Jul 25, 2014
============
Simplified bytecode generation by merging prefix and postfix nodes (r147658)
a = data[a]++; sets the wrong key in data (r127676)
Bug, assignment within subscript of prefix/postfix increment of bracket access (r127666)
Merge prefix/postfix nodes (r127654)
Remove an unused variable from the ARMv7 Assembler (r147316)
fix a comment. While thinking about TBAA for array accesses (r147290)
Move Region into its own header (r147282)
Simplified bytecode generation by unforking "condition context" codegen (r147234)
Simplified the bytecode by removing op_jmp_scopes (r147184)
Removed a dead field. (r147054 + r147055)

Jul 24, 2014
============
Removed some dead code in the DFG bytecode parser (r147053)
JIT and DFG should NaN-check loads from Float32 arrays (r147047)
DFG should use CheckStructure for typed array checks whenever possible (r146996)
REGRESSION: Sometimes, operations on proven strings ignore changes to the string prototype (r146947)
Fix unused parameter warnings in JITInlines.h (r146869)
opaqueJSClassData should be cached on JSGlobalObject, not the JSGlobalData (r146682)
Leak bots erroneously report JSC::WatchpointSet as leaking (r146568)
JSC profiler should have an at-a-glance report of the success of DFG optimization (r146548)
Heap::collect shouldn't be responsible for sweeping (r161429)
fourthTier: DFG should be able to run on a separate thread (r153169 partial)
"" + x where x is not a string should be optimized by the DFG to some manner of ToString conversion (r146400)
It's called "Hash Consing" not "Hash Consting" (r146383)	
DFG implementation of op_strcat should inline rope allocations. (r146382)
RELEASE_ASSERT fires in exception handler lookup (r146255)

Jul 21, 2014
============
MacroAssemblerARM should use xor to swap registers instead of move (r150748)
Added missing assert condition for PositiveOrZero in ARM branch32(). (r150449)
Remove code duplicates from MacroAssemblerARM (r148134)
REGRESSION(r146089): It broke 20 sputnik tests on ARM traditional and Thumb2 (r146309)
DFG should optimize StringObject.length and StringOrStringObject.length (r146247)
Implement and32 on ARMv7 and ARM traditional platforms (r146195)
DFG ToString generic cases should work correctly (r146179)
DFG should inline binary string concatenations (i.e. ValueAdd with string children) (r146164)
JSC_NATIVE_FUNCTION() takes an identifier for the name and then uses #name, which is unsafe if name was already #define'd to something else (r146157)
DFG string conversions and allocations should be inlined (r146089)

Jul 18, 2014
============
ObjectPrototype properties should be eagerly created rather than lazily via static tables (r146071)
Add runtime check for improper register allocations in DFG (r145931)
Remove the SegmentedVector inline segment to shrink CodeBlock by 6X (r151755)

Jul 17, 2014
============
Change most call sites to call ICU directly instead of through WTF::Unicode (r157330)

Jul 16, 2014
============
Harden JSStringJoiner (r145594)
DFG generic array access cases should not be guarded by CheckStructure even of the profiling tells us that it could be (r145578)
SpeculativeJIT should use OwnPtr<SlowPathGenerator>. (r145329)
Crash in SpeculativeJIT::fillSpeculateIntInternal<false> on http://bellard.org/jslinux (r146263)	
DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination (r144973 complete)
Pack Structure members better. (r144957)	

Jul 15, 2014
============
Unused Structure property tables waste 14MB on Membuster. (144910)
Get rid of the invert argument to SpeculativeJIT::jumpSlowForUnwantedArrayMode (r144886)
Add simple vector traits for JSC::Identifier. (r144641)
Add casts in DFGGPRInfo.h to suppress warnings (r144365)	
Potential crash in YARR JIT generated code when building 64 bit (r144083)
DFG backend Branch handling has duplicate code and dead code (r143276)
Remove support for bytecode comments, since it doesn't build, and hasn't been used in a while. (r143122)
Structure should be more methodical about the relationship between m_offset and m_propertyTable (r143097)
Yarr: Use OwnPtr to make pattern/disjunction/character-class ownership clearer. (r143018)
JSC asserting with long parameter list functions in debug mode on ARM traditional (r142616)
Structure::m_outOfLineCapacity is unnecessary (r141295)
Added TriState to WTF and started using it in one place (r141588)
Structure should have a StructureRareData field to save space (r141651)
Structure::m_enumerationCache should be moved to StructureRareData (r141681)
Structure::m_outOfLineCapacity is unnecessary (r141916)
Don't also clone StructureRareData when cloning Structure. (r145947)

Jul 11, 2014
============
ConvertThis should be turned into Identity based on predictions in Fixup, rather than based on proofs in ConstantFolding (r145052)
The DFG fixpoint is not strictly profitable, and should be straight-lined (r145143)
DFG doesn't support to_jsnumber (r149162)
DFG CFA should leave behind information in Edge that says if the Edge's type check is proven to succeed (r144340)
[JSC] Fix sign comparison warning/error after r144340. (r144452)
It should be easy to determine if a DFG node exits forward or backward when doing type checks (r144362)
Rename MovHint to MovHintEvent so I can create a NodeType called MovHint (r144477)
DFG DCE might eliminate checks unsoundly (r144862)
Unreviewed, fix an incorrect comment. The comment was a holdover from a work-in-progress version of this code. (r144864)
DFG should not check if nodes are shouldGenerate prior to DCE (r144939)
DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way (r145145)
Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData (r146268)	
DFG bytecode parser is too aggressive about getting rid of GetLocals on captured variables (r145828)

Jul 10, 2014
============
DFG FixupPhase should have one common hook for knowing if a node is ever being speculated a certain way (r143817)
The DFG special case checks for isCreatedThisArgument are fragile (r143955)
The DFG backend's and OSR's decision to unbox a variable should be based on whether it's used in a typed context (r144131)
REGRESSION(r144131): It made fast/js/regress/string-repeat-arith.html assert on 32 bit (r146945)
DFG overflow check elimination is too smart for its own good (r145489 complete)
Fix problems with processing negative zero on DFG. (r149152 partial)
DFG should not change its mind about what type speculations a node does, by encoding the checks in the NodeType, UseKind, and ArrayMode (r143654)
Fix a typo that broke the 32 bit build. (r143679)
REGRESSION(r143654): some fast/js test crashes on 32 bit build (r143800)
DFG::Edge should have more bits for UseKind, and DFG::Allocator should be simpler (r143958)
REGRESSION(r143654): some jquery test asserts on 32 bit debug build (r144005)
DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live (r144486)	
32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean (r149128)
DFG assumes that NewFunction will never pass its input through (r152813)
DFG CompareEq optimization should be retuned (r142636)
DFG::ByteCodeParser should do surgical constant folding to reduce load on the optimization fixpoint (r142162)

Jul 09, 2014
============
DFG should allow phases to break Phi's and then have one phase to rebuild them (r142377 partial)
Remove dead code for ValueToNumber from the DFG. (r143165)
Remove DFG::SpeculativeJIT::isStrictInt32(), since it's not called from anywhere. (r143167)
Remove DFG::SpeculativeJIT::isKnownNumeric(), since it's not called from anywhere. (r143168)
DFG::SpeculativeJIT::isKnownXYZ methods should use CFA rather than other things (r143242)
Get rid of DFG::DoubleOperand and simplify ValueToInt32 (r143241 complete)
DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding (r142515)	
Add 8 bit string data path to TextRun (r127801)
Added 8 bit path to WidthIterator::advance() (r128504)
Specialize nextBreakablePosition depending on breakNBSP (r127974)

Jul 08, 2014
============
Build fix with newer bison 2.6. (r124099)

Jul 07, 2014
============
Use immutable StylePropertySets for element inline style declarations. (r126524)	
REGRESSION(r126524): Heap-buffer-overflow in WebCore::StylePropertySet::copyPropertiesFrom (r126755)

Jul 04, 2014
============
Simplify ContainerNode::removeChildren (r149386)
ContainerNode::removeChildren should first detach the children then remove them (r148754)

Jun 27, 2014
============
Be a little more conservative about emitting table-based switches (r141222)	
DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability (r141544)

Jun 26, 2014
============
DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node* (r141069 partial)

Jun 24, 2014
============
Optimize JSRopeString for resolving directly to AtomicString. (r168256 + r168267 + r168329)
Optimize PutByVal when subscript is a rope string. (r168300)
Optimize GetByVal when subscript is a rope string. (r168335 partial)
8.8% spent in Object.prototype.hasOwnProperty() on sbperftest. (r168549)

Jun 19, 2014
============
Convert HTML parser to handle 8-bit resources without converting to UChar* (r123560 + r123635 + r123679 + r123943 + r124679)
Stop masking 8 bits off of the visited link hash. We need all the bits! (r124268)

Jun 17, 2014
============
WebCore::findAtomicString(PropertyName) always convert the name to 16bits (r125356)
Add ability to create AtomicString using LChar* buffer and length (r125958)	
Store CString data in the CStringBuffer to avoid the double indirection (r126191)
WTF Threading leaks kernel objects on platforms that use pthreads (r126208)
Even up WTF::String to CString functions (r126780 + r127093)
AtomicString(ASCIILiteral) should not compile (r127233)
16 bit JSRopeString up converts an 8 bit fibers to 16 bits during resolution (r127809)
StringBuilder::toAtomicString() can create an 16 bit string with 8 bit contents (r127821)	
equalIgnoringCase of two StringImpls doesn't handle 8 bit strings (r127887)
StringImpl::find(StringImpl*) doesn't handle cases where search and match strings are different bitness (r127928)
Fix for WTF fails to compile in thumb mode when llint is enabled. (r128557)

Jun 13, 2014
============
webkitsourceopen event doesn't always fire (r132115)
Remove image decoding in some BitmapImage metadata functions (r125154)
Report frame bytes by platform ImageDecoder (r126892)
Don't attempt to destroy decoded frame if a BitmapImage doesn't have encoded raw data. (r156681)

Jun 12, 2014
============
GetById->GetByOffset and PutById->PutByOffset folding should mark haveStructures since it may result in structure transition watchpoints (r158680)

Jun 11, 2014
============
Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only) (r145417)
JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com (r151273 partial)
fourthTier: Structure transition table keys don't have to ref their StringImpl's (r153141)
fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled (r153159)

Jun 10, 2014
============
ScriptExecutionContext::stopActiveDOMObjects iterates a hash map that can change during iteration (for multiple reasons, including GC) (r167579 partial)
REGRESSION: Crash when opening a message on Gmail (r153381 partial)
Fix assertion during detach of SVG wrappers without baseVal (r124733)		
Generalize DocumentWeakReference into WTF::WeakPtr (r139780)
Clear SVGPathSeg role on removal. (r143454)	
Use [ImplementedAs] instead of special casing in the bindings generators (r152844)
Fix lifetime handling of SVGPropertyTearOffs (r164917)

Jun 09, 2014
============
Skip SVG repaint tracking when parent container transforms (r133786)
Prevent skipped repaints for children of inner SVG elements (r141645)
[SVG] OOB access in SVGListProperty::replaceItemValues() (r142759)
444kB below CSSParser::parseDeprecatedGradient() on Membuster3. (r129996)
349kB below SelectorDataList::initialize() on Membuster3. (r130088)
Give CSSValueList backing vector an inline capacity. (r130292)
1.18MB below RenderTableSection::setCachedCollapsedBorderValue() on Membuster3. (r130718)
Avoid doing work in RenderBox::outlineBoundsForRepaint() when the repaintContainer is this (r152212)
Remove redundant check for negative values when using WebCore::Color::alpha() (r126452)
Support for background-clip:content-box and padding-box with border-radius (r131402)
Boxes with rounded corners and thin borders are too slow to draw (r134631)
REGRESSION (r134631) of border-radius percentage with border pixel (r144196)

Jun 06, 2014
============
changing -webkit-order should change the paint order of flex items (r123842)
flexbox should avoid floats (r124279)
flexbox does wrong baseline item alignment in columns (r130110)
inline-flex baseline is sometimes wrong (r130405)
Fix some baseline flexbox alignment (r132104)
Change baselinePosition and maxAscent/maxDescent to int (r132112 partial)

Jun 05, 2014
============
DFG overflow check elimination is too smart for its own good (r145489 partial)

Jun 03, 2014
============
fourthTier: DFG GetById patching shouldn't distinguish between self lists and proto lists (r153217)

May 30, 2014
============
releaseExecutableMemory() should canonicalize cell liveness data before it scans the GC roots. (r148616)
	
May 29, 2014
============
RegExpMatchesArray should not call [[put]] (r154612)
Setting a large numeric property on an object causes it to allocate a huge backing store (r153374 + r154633)

May 27, 2014
============
I pity da foo' who's converting numbers to strings (r131258)	
JSC should have property butterflies (r128400 complete)
fourthTier: It should be possible to query WatchpointSets, and add Watchpoints, even if the compiler is running in another thread (r153124 partial)
fourthTier: WatchpointSet should make racy uses easier to reason about (r153131 partial)
Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html (r158341 partial)	
[ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure (r170728)
Rename WatchpointSet::notifyWrite() should be renamed to WatchpointSet::fireAll() (r159528 partial)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 partial)	
Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingL (r136060)
Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent (r136062)

May 23, 2014
============
PropertyNameArray::m_shouldCache is only assigned and never used (r123989)
get_by_pname can become confused when iterating over objects with static properties (r147570)
JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (r148036)
JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (r148142)

May 22, 2014
============
Pack create_hash_table tables better. (r156009)
Reduce memory use for static property maps (r165603 partial + r165606)

May 21, 2014
============
fourthTier: The DFG JIT should populate frame bytecodeOffsets on OSR exit. (r153207 partial)
fourthTier: Disambiguate between CallFrame bytecodeOffset and codeOriginIndex. (r153209)
fourthTier: CallFrame::trueCallFrame() should populate the bytecodeOffset field when reifying inlined frames. (r153211)
fourthTier: 32-bit CallFrame::Location should use Instruction* for BytecodeLocation, not bytecodeOffset. (r153212)
Unify Number to StringImpl conversion (r126658 + r127991)
Unify the many and varied stack trace mechanisms, and make the result sane. (r147858 partial)
JSC: Fix interpreter misbehavior in builds with JIT disabled (r149134)

May 13, 2014
============
DFG::SpeculativeJIT::compileInt32ToDouble() has an unnecessary case for constant operands (r143562)
DFG CFA should not do liveness pruning (r144401)        
DFG CSE phase shouldn't rely on ref count of nodes, since it doesn't have to (r144481)
DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live (r144486)
DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination (r144973 partial)
The DFG fixpoint is not strictly profitable, and should be straight-lined (r145143 partial)
Incorrect behavior on emscripten-compiled cube2hash (r154344)
DFG should have a precise view of jump targets (r141931)
Simplified the bytecode by removing op_loop and op_loop_if_* (r147190)
PreciseJumpTargets should treat loop_hint as a jump target (r149154)
get_callee and to_this aren't properly cleared during finalizeUnconditionally (r156787)

May 13, 2014
============
EFL: Unsafe branch detected in compilePutByValForFloatTypedArray() (r146174)
ASSERTION FAILED: isUInt32() in jsc-layout-tests.yaml/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js.layout-dfg-eager-no-cjit (r157047)
DFG doesn't support to_jsnumber (r149162 partial)	
Potentially unsafe register allocations in DFG code generation (r146100 partial)	
REGRESSION r153221: Crash when opening Facebook.com (r153410)

May 12, 2014
============
DFG assumes that NewFunction will never pass its input through (r152813 + r152818)
REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute (r141168)	
DFG TypeOf implementation should have its backend code aligned to what the CFA does (r142508)
NonStringCell and Object are practically the same thing for the purpose of speculation (r142530)
DFG CFA doesn't filter precisely enough for CompareStrictEq (r142679)
Renamed SpecObjectMask to SpecObject. (r142695)
DFG LogicalNot/Branch peephole removal and inversion ignores the possibility of things exiting (r142779)
ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types (r142780)
ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types (r142800)
Change another use of (SpecCell & ~SpecString) to SpecObject. (r142804)
DFG AbstractState should filter operands to NewArray more precisely (r143024)
DFG Phantom node should be honest about the fact that it can exit (r144373)
DFG prediction propagation phase should not rerun forward propagation if double voting has already converged (r145491)
DFG CFA filters CheckFunction in a really weird way, and assumes that the function's structure won't change (r149016)

May 09, 2014
============
DFG folding of PutById to SimpleReplace should consider the specialized function case (r146653)
Fix some minor issues in the DFG's profiling of heap accesses (r146669)

May 08, 2014
============
Minimize collisions when hashing pairs (r128650)

May 07, 2014
============
Do the DecimalNumber to String conversion on 8 bits (r125357 partial)
Add ECMAScript Number to String conversion to WTF::String (r126781)
Replace JSC::UString by WTF::String (r127191)
Ambiguous operator[]  after r127191 on some compiler (r127212)
Build fix for WinCE after r127191. (r127248)
jsStringWithCache shouldn't call StringImpl::characters() for single character strings (r128244 + r128247)

May 06, 2014
============
Pass full target idl file path to CodeGenerator as a constructor argument. (r128010)

May 05, 2014
============
The generic bindings shouldn't use templates (r124492)
BindingSecurityBase serves no purpose and should be removed (r124515)
JSC should use BindingState to determine the activeDOMWindow (r124835)
BindingSecurity::shouldAllowAccessToFrame shouldn't use a raw boolean parameter (r124847)
Rewire the same-origin checks for the JavaScriptCore bindings through BindingSecurity (r125126)
Implement JSDOMWindow*::allowsAccessFrom* in terms of BindingSecurity (r126165)
REGRESSION(r125126): It made fast/events/keyevent-iframe-removed-crash.html assert (r128513)
Move m_element checks out of canShareStyle into locateSharedStyle (r133315 + r133324)
Support constructor-type static readonly attribute for CodeGenerator. (r123800)	
constructing TypedArray from another TypedArray is slow (r123819)
use createUninitialized when creating TypedArray from another array (r123935)
[Clamp] support in binding generator. (r123962)
TypedArray set method is slow when called with another typed array (r124483)
The generic bindings shouldn't use templates (r124492)
[JSC] Remove custom JSBindings for constructArrayBufferView() (r124755)
Microdata: itemType[index] must be undefined for out-of-range index. (r124859)
[V8] Remove custom toV8() calls for TypedArray. (r124872)
Remove All Custom binding code for TypedArray. (r125042)
SVGElementInstance should have EventTarget on the prototype chain (r125251)
Moving the common code from CodegeneratorJS/V8.pm to Codegenerator.pm (r125261)
[V8] Remove [TreatReturnedNullAs=False] (r125484)
Source/WebCore: Check argument count in the dispatch function for overloaded functions (r126562)

May 02, 2014
============
Disable some unsound DFG DCE (r144219)

May 01, 2014
============
Attempt to rationalize and simplify WTF::binarySearch (r137709)	
The JITThunks class should be in its own file, and doing so should not break the build (r139541 partial)
Track inheritance structures in a side table, instead of using a private name in each prototype (r140259 + r140278 + r140284)
Fix DateMath.cpp to compile with -Wshorten-64-to-32 (r140437)
Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures (r140608)
DFG::JITCompiler::getSpeculation() methods are badly named and superfluous (r140719)
DFG variable event stream shouldn't use NodeIndex (r140904)
DFG should not forget that it had proved something to be a constant during a merge just because it's merging against the empty value (r139688)
DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1 (r139835)
Refactor isPowerOf2() and add getLSBSet() (r140186)
Weak GC maps should be easier to use (r140194 + r140199 + r140211)

Apr 30, 2014
============
DFG should backwards-propagate NodeUsedAsValue for Phantom (r139068)
Support op_typeof in the DFG (r139145)
Rename propertyOffsetFor => offsetForPropertyNumber (r139481)
Fixed some bogus PropertyOffset ASSERTs (r139482)
Removed an unused version of getDirectLocation (r139488)
Simplify slow case profiling (r138924)
Rationalize closure call heuristics and profiling (r139021)
Unreviewed, it should be possible to build JSC on ARM. (r139004)
Special thunks for math functions should work on ARMv7 (r149082)
NativeExecutable cache needs to use both call and construct functions for key (r152573 + r152577 + r152600)
DFG should inline closure calls (r138921 partial)	        
REGRESSION (r138921): Crash in JSC::Arguments::create (r139109)

Apr 29, 2014
============
Rationalize exit site profiling for calls (r138871)
DFG::ByteCodeCache serves little or no purpose ever since we decided to keep bytecode around permanently (r138763)
DFG inliner should not use the callee's bytecode variable for resolving references to the callee in inlined code (r138641)
DFG should not use the InlineCallFrame's callee when it could have used the executable istead (r138651)
DFG inlining machinery should be robust against the inline callee varying while the executable stays the same (r138669)
CallLinkStatus should be aware of closure calls, and the DFG bytecode parser should use that as its sole internal notion of how to optimize calls (r138737)
DFG initrinsic handling should ensure that we backwards propagate the fact that all operands may escape (r139098 complete)
Baseline JIT should have closure call caching (r138609 + r138610 + r138612)
JITThunks should be in its own file (r138465)
All JIT stubs should go through the getCTIStub API (r138516 + r138522)
JIT: Change uninitialized pointer value -1 to constant (r138308)
DFG Arrayify slow path should be out-of-line (r138399)
Constant fold !{number} in the parser (r137988)
DFG speculation checks that take JumpList should consolidate OSRExits (r138276 partial)
Rename Profiler to LegacyProfiler (r136572)
Profiler should say things about OSR exits (r137175 partial)
Rationalize array profiling for out-of-bounds and hole cases (r137937 partial)

Apr 28, 2014
============
Crash in InlineFlowBox::deleteLine. (r124888)
Crash in WebCore::Document::fullScreenChangeDelayTimerFired (r129270)
Fullscreen element should not share styles with it's siblings. (r139824)
RenderFullScreen needs to clear override sizes when exiting full screen (r145241)
Swap both the error and change event queue before processing fullscreen events (r146787)
REGRESSION: ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes (r150531)

Apr 25, 2014
============
Calculating the size of the Heap should not require walking over it (r155317)
CopiedSpace::startedCopying should not call MarkedSpace::capacity (r155406)

Apr 24, 2014
============
Generalize JSGlobalThis as JSProxy (r129685)	
Proxy the global this in JSC (r129711)
Proxy the global this in JSC (r129719)
Delayed structure sweep can leak structures without bound (r130303 partial)
Proxies should set InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero (138107)
tryCacheGetByID sets StructureStubInfo accessType to an incorrect value (r147816)
Fixed ASSERTION FAILED: callFrame == vm->topCallFrame in JSC::Interpreter::addStackTraceIfNecessary (r152871 partial)
Baseline JIT gives erroneous error message that an object is not a constructor though it expects a function (r154204)
DFG is too aggressive eliding overflow checks for additions involving large constants (r137980)
Data flow paths that carry non-numbers, non-undefined, non-null values
  should not cause subtractions and arithmetic additions (i.e. ++) to speculate double (r138915)  
Phantom(GetLocal) should be treated as relevant to OSR (139528)
If you use Phantom to force something to be live across an OSR exit, you should put it after the OSR exit (r139540)
DFG phases that store per-node information should store it in Node itself rather than using a secondary vector (r139586)
DFG Node::ref() and Node::deref() should not return bool, and should have postfixRef variants (r140030)
Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html (140221)
Inserting a node into the DFG graph should not require five lines of code (r140275)
Convert CSE phase to not rely too much on NodeIndex (r140504)
REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken (r141301)
Strange bug in DFG OSR in JSC (r142544)
Replace RELEASE_ASSERT with ASSERT in CodeBlock:: bytecodeOffsetForCallAtIndex (r152314)
JIT::updateTopCallFrame doesn't update the CallFrame's bytecodeOffset if bytecodeOffset == 0 (r153097)

Apr 23, 2014
============
Exception stack unwinding doesn't handle inline callframes correctly (r147670)
Make stack tracing more robust (r149205)
JSC Stack walking logic craches in the face of inlined functions triggering VM re-entry (r149404 complete)
Optimise more cases of op_typeof (r136297)
DFG CSE should not keep alive things that aren't relevant to OSR (r136360)
Incorrect inequality for checking whether a statement is within bounds of a handler (r136927)
DFG ArrayPush/Pop should not pass their second child as the index for blessArrayOperation() (r137110)	
Implement add64 for ARM traditional assembler after r136601 (r137426)
DFG SetLocal should use forwardSpeculationCheck instead of its own half-baked version of same (r135923)
REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms (r143314 complete)
DFG should be able to cache closure calls (part 1/2) (r135330 + r135555 + r135610 + r146396 + r146429)
DFG should be able to cache closure calls (part 2/2) (r135336)
DFG should be able to cache closure calls (r135341)
Don't blind all the things. (r135757 + r135759)
JavaScript fails to handle String.replace() with large replacement string (r135794)
Substitute "allSeparators8Bit" for "allSeperators8Bit" in JSC::jsSpliceSubstringsWithSeparators() (r135800)
put_to_base should emit a Phantom for "value" across the ForceOSRExit (r141962)
	Otherwise, the OSR exit compiler could clobber it, which would lead to badness.	
JSC Stack walking logic craches in the face of inlined functions triggering VM re-entry (r149404 partial)
Structure should be able to easily tell if the prototype chain might intercept a store (r134813)
Remove methodCallDummy since it is not used anymore. (r134856)
DFG should copy propagate trivially no-op ConvertThis (r134896)
Given a PutById or GetById with a proven structure, the DFG should be able to emit a PutByOffset or GetByOffset instead (r135041)
DFG constant folding phase should say 'changed = true' whenever it changes the graph (r135079 complete)
JSC should have more logging in structure-related code (r135097 + r135099 + r135103)
Remove support for ARMv7 errata from the jump code (r135247)

Apr 22, 2014
============
JSEventListener should not access m_jsFunction when its wrapper is gone. (r134495)	
Make an assertion in JSEventListener::jsFunction() more useful. (r134508)
Replace (typeof(x) != <"object", "undefined", ...>) with !(typeof(x) == <"object",..>).
  Later is_object, is_<...>  bytecode operation will be used. (r134634)
Fixed regressions due to adding JSEventListener::m_wrapper null checks. (r134666)
Don't access Node& after adding nodes to the graph. (r134682)
Change JSEventListener::m_jsFunction to be a weak ref. (r134697)	
Make JSEventListener more robust in the event of the compiled handler being released. (r141348)
The act of getting the callee during 'this' construction should be explicit in bytecode (r134361)
op_get_callee should have value profiling (r134381)
JSFunction and its descendants should be destructible (r134460)
DFG CreateThis should be able to statically account for the structure of the object it creates,
  if profiling indicates that this structure is always the same (r134555)
DFG should not emit function checks if we've already proved that the operand is that exact function (r134313)
Patching of jumps to stubs should use jump replacement rather than branch destination overwrite (r134332 + r134358 + r134383 + r134608)
Uninitialized fields in class JSLock (r134430)

Apr 21, 2014
============
It should be possible to JIT compile get_by_vals and put_by_vals even if the DFG is disabled. (r133985)
DFG should know that int == null is always false (r133990)
DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is
  proven to have a non-masquerading structure then it always evaluates to true (r134164)
DFG should optimize out the NaN check on loads from double arrays if the array prototype chain is having a great time (r134168)
JSC should scale the optimization threshold for a code block according to the cost of compiling it (r137094 partial)
SunSpider/date-format-tofte shouldn't compile each of the tiny worthless eval's only to OSR exit in the prologue every time (r138074)
Removed getDirectLocation and offsetForLocation and all their uses (r139491)

Apr 17, 2014
============
ArrayPrototype should start out with a blank indexing type (r134081)
Fix assertion failure in JSObject::tryGetIndexQuickly() (r134193)
Read-only properties created with putDirect() should tell the structure that there are read-only properties (r134695)
If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized (r139094)
Get rid of DFG::DoubleOperand and simplify ValueToInt32 (r143241 partial)
REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms (r143314 partial)
Incorrect type speculation reported by ToPrimitive (r153674)
DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit
  should not try to coerce integer constants to double constants (r153778 partial)	
Fixed crash in V8 benchmark suite in ARM,softp,EABI environment. (r155675 + r155705)	
Aligned argument signatures of setupArgumentsWithExecState are missing on MIPS. (r155884)	
(un)shiftCountWithAnyIndexingType will start over in the middle of copying if it sees a hole (r156214)
DFG CheckArray(NonArray) should prove that the child isn't an array (r158773 partial)	
[JSC] HTML extensions to String.prototype should escape " as &quot; in argument values (r133966)
DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context (r136372)
JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn..., and should never be called when the 'this' is not an object (r138201 complete)
DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize (r139949)
Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty (r143269)
Flattening a dictionary can cause CopiedSpace corruption (r154366 complete)

Apr 16, 2014
============
JSC should infer when indexed storage contains only integers or doubles (133953 + r134051 + r134071)
If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this (r134151)
JSObject::copyButterfly doesn't handle undecided indexing types correctly (r135756)
DFGArrayMode::fromObserved is too liberal when it sees different Array and NonArray shapes (r149834)
Rationalize and clean up DFG handling of scoped accesses (r136276)
DFG should inline code blocks that use scoped variable access (r136546)
Don't OSR exit just because a string is a rope (r137247)
glsl-function-atan.html WebGL conformance test fails after (r132991)
Prototype chain caching should check that the path from the base object to the slot base involves prototype hops only (r133546)
DFG should not fall down to patchable GetById just because a prototype had things added to it (r133567)

Apr 15, 2014
============
Removed
MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects (r133358)

Apr 10, 2014
============
MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects (r133358)
WeakBlocks should be HeapBlocks (r133812)
MarkStackArray should use the BlockAllocator instead of the MarkStackSegmentAllocator (r134080)
Copying phase should use work lists (r136077)
Butterfly::growArrayRight shouldn't be called on null Butterfly objects (r137961)
Restrictions on oversize CopiedBlock allocations should be relaxed (r138067)
r134080 causes heap problem on linux systems where PAGESIZE != 4096 (r140195)	
Add more assertions to the property storage use in arrays (r141029 partial)
fourthTier: It should be possible to record heap operations (both FastMalloc and JSC GC) (r153189 partial)
hasIndexingHeader should be a property of the Structure, not just the IndexingType (r153657)
hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure (r153691)
Flattening a dictionary can cause CopiedSpace corruption (r154366 partial)

Apr 10, 2014
============
instanceof should not get the prototype for non-default HasInstance (r129281)
Remove redundant argument to op_instanceof (r129287)	
broke early boyer in bug#97382 (r129292)

Apr 09, 2014
============
Baseline array profiling should be less accurate, and DFG OSR exit should update array profiles on CheckArray and CheckStructure failure (r131868)
Unreviewed fix after r131868. (r131874)
DFG should have some facility for recognizing redundant CheckArrays and Arrayifies (r131982)
DFG::Array::Undecided should be called DFG::Array::SelectUsingPredictions (r132162)
DFG NewArrayBuffer node should keep its data in a structure on the side to free up one of the opInfos (r132499)
DFG Arrayify elimination should replace it with GetButterfly rather than Phantom (r132554)
DFG::Array::Mode needs to be cleaned up (r132745)
OSR exit compilation should defend against argument recoveries from code blocks that are no longer on the inline stack (r132749)
DFG should be able to emit effectful structure checks (r132759)
DFG optimized string access code should be enabled (r133135)
DFG::Node::converToStructureTransitionWatchpoint should take kindly to ArrayifyToStructure (r133363)
DFG constant folding phase should say 'changed = true' whenever it changes the graph (r135079)
Strange results calculating a square root in a loop (r136989)
javascript integer overflow (r137951)	
DFG is too aggressive with eliding overflow checks in loops (r137963)
DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode incorrectly checks for non-array array storage when
  it should be checking for array array storage (r138086)
DFG shouldn't emit CheckStructure on array accesses if exit profiling tells it not to (r138300)
DFG should not elide CheckStructure if it's needed to perform a cell check (r138862)
DFG should trust array profiling over value profiling (r138890)
Python implementation reports "MemoryError" instead of doing things (r139687)
ArrayMode should not consider SpecOther when refining the base (r146887)
DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray (r151284)
DFG new Array() inlining could get confused about global objects (r154304)

Apr 08, 2014
============
Bytecode should not have responsibility for determining how to perform non-local resolves (r131822)
REGRESSION (r131793-r131826): Crash going to wikifonia.org (r132546)
Forward OSR calculation is wrong in the presence of multiple SetLocals, or a mix of SetLocals and Phantoms (r132701)
Remove GlobalObject constant register that is typically unused (r133255)
ASSERT problem on MIPS (r133950)	
DFG inlines Resolves that it doesn't know how to handle correctly (r143553)
Need ExpressionRangeInfo before ResolveForPuts in strict mode.(r153074)
Use load64 instead of loadPtr to load a JSValue on JSVALUE64 platforms (r135738)	

Apr 02, 2014
============
[Refactoring] Introduce a traversal strategy in SelectorChecker (r130459)
Minimize the recent template explosion in SelectorChecker. (r131002)
Make ContentSelectorQuery work when siblings are passed explicitly. (r131068)
Optimzie SelectorCheckingContext memory layout (r131156)
Get rid of StyleResolver state related to unknown pseudo-elements. (r132754)
[Shadow] Using isUnknownPseudoElement() for shadow pseudo id seems confusing (r133577)
HTMLContentElement should preserve parsed CSSSelectorList (r133992)
Move childrenAffectedBy bits from RenderStyle to Element (136001)
Split fast-rejection filter logic off SelectorChecker. (138432)
The word "selector" is somewhat redundant redundantly used in SelectorChecker. (r139406)
CSS: Make tag sub-selectors standalone CSSSelectors. (r140371)
Shadow DOM removal: Make SelectorChecker non-generic (r149498)

Apr 01, 2014
============
2% of all samples running grid demo show up in StyleResolver::canShareStyleWithElement, 20% of those due to getAttribute instead of fastGetAttribute (r123730)
StyleResolver::canShareStyleWithElement does not need to use getAttribute for classAttr in the non-SVG case (r124260)
CSS: Shrink RuleData by storing selector as index rather than pointer. (r125294)
Remove unnecessary null checks from pseudoStyleForElement and adjustRenderStyle (r125384)
Changing class attribute is not reflected in the classList property (r126349)
Distributed nodes should not share styles. (r126442)
Share immutable ElementAttributeData between elements with identical attributes. (r127438)
Element::classAttributeChanged should use characters8/16 to find first non-whitespace (r128363)
REGRESSION(r127438): Google Docs to renders text too small. (r128697)
[Shadow] ShadowRoot should know whether <shadow> in its treescope (r130177)
[Refactoring] Some classes in StyleResolver.cpp/h could have its own file. (r130465)
[Refactoring] Scoped Style related code should have its own class (r130732)
[Shadow DOM] should be able to be available without <style scoped> (r130987)
Avoid unnecessary style recalcs on id attribute mutation. (r132516)
[Shadow DOM] Needs @host rule for ShadowDOM styling (r132618)
Avoid unnecessary style recalcs on class attribute mutation (r132941)
Remove stray calls to mutableAttributeData() (r133021)
REGRESSION (r132941): attribute modification 10% performance regression (r133214)
Implement ::cue() pseudo element property whitelist (r140173)
Make RuleData support up to 8191 selectors (r145034)
REGRESSION(r125294): A style rule with more than 8192 selectors can cause style corruption. (r152453)
REGRESSION (r132516): Javascript menu text incorrectly disappearing and reappearing (r155607)
REGRESSION (r155607): Javascript site does not load visually on panerabread.com (r157296)
REGRESSION(r133214): Don't invalidate style when adding classes that don't match rules (r162843)

Apr 01, 2014
============

Optimize ChildNode{Insertion,Removal}Notifier::notify() by lazily taking a snapshot of child nodes (merged r124990 + r125006).
in a column flexbox, input overflows the box when stretched (merged r131481).

Mar 31, 2014
============
Simplify subtree relayout scheduling a bit. (merged r155046)
ASSERTION FAILED: node->parentNode(), Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo (r151117)
Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo (r150084)
RenderStyle should use copy-on-write inheritance for NinePieceImage. (merged r142404)

Rolled out svn13880 [Make precise size classes more precise (merged r141192)],
  > low JS memory when loading UX.
  
Refactor WrapShape to Shape/BasicShape (r127132 + r127155)
[CSS Exclusions] Rename RenderStyle::wrapShapeInside/Outside to shapeInside/Outside (r129787)
Remove needless virtual calls and inline RenderStyle::logical* to make table layout faster (r130560)	
4.68MB below RenderStyle::filter() on Membuster3. (r133926)
RenderTable::paintBoxDecorations sometimes draws box-shadow twice. (r143690)
Basic child obscuration test for backgrounds (r145680)
Compute image background size when testing for background visibility (r145786)
Mark GraphicsLayers as opaque when possible (r146531)
RenderBox::backgroundIsKnownToBeOpaqueInRect may be wrong for theme-painted elements (r147127)	
Layers with opacity and blur filters are reported as opaque to the compositor (r148117)
Garbage down left side of nytimes.com page (if subscriber) (r149914)
REGRESSION (r143626): Element shows as garbage in image gallery (r149915)
REGRESSION (r145680): No box shadow rendered on element with positioned child that obscures it (r149918)	
Graphics buffer issue with clip-path and fixed positioned element (r164232)

============
Make RenderBox::computePositionedLogicalHeight const (r126802)
Dont use a node reference after appending to the graph (merged r139264).
Get rid of method_check (merged r133564)
DFG OSR exit doesn't know which virtual register to use for the last result register for post_inc and post_dec (merged r144137)
There should not be blind spots in array length array profiling (merged r132757)
GetByVal on Arguments does the wrong size load when checking the Arguments object length (merged r153500)
32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean (merged r149128)
Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article (merged r145150)
Make precise size classes more precise (merged r141192)
Baseline JIT should use structure watchpoints whenever possible (merged r133430).
DFG shouldn't treat the 'this' argument as being captured if a code block uses arguments (merged r139136)
JIT::privateCompileGetByVal should use the uint8ClampedArrayDescriptor for compiling accesses to Uint8ClampedArrays (merged r133359).
Split EventTargetData out of NodeRareData to reduce memory use. (merged r130000)

Shrink ElementRareData by moving bool flags to NodeRareData. (merged r130278)
Shrink the size of NodeRareData by moving pointers into separate objects (merged r137003)
Remove NodeListsNodeData when it's no longer needed (merged r140070)
RenderBlock minor clean-up: replace raw pointers with OwnPtrs. (merged r136288)
Improve performance of RenderBoxModelObject::paintTranslucentBorderSides() (merged r135167).
Crash in FrameLoader::stopLoading. (merged r135303).
Fix: CachedResourceLoader::requestSVGDocument was passing an URL as charset (merged r131782),
RenderLayer subtrees without any self-painting layer shouldn't be walked during hit testing (merged r131665)

Move default DOM Timer values into Settings (merged r132538)
DOMImplementation should use ScriptWrappable (merged r133657).
Build fix after r134191. Turns out that FrameView::performPostLayoutTasks calls FrameSelection::updateAppearance (merged r134197)
Make caret repainting container-aware (merged r139282)
Disabled input/textarea doesn't trigger selection change (merged r140936)
REGRESSION (r139282): Caret repainting is broken for text-align: center'd <input> (merged r141243)
Stale FrameSelection in removed iframe causes crash (merged r144400)
Uninflate caret rect. (merged r149223)
Avoid caret repaints if we're not showing carets anyway. (merged r150396)
Robustify repaint of previous caret node when moving FrameSelection. (merged r150482)
Fix document leak when selection is created inside the document (merged r153366)

REGRESSION(r139282): Old caret sometimes gets "stuck" (not repainted) in contenteditable elements. (merged r153815)
Crash in WebCore::RenderLayer::normalFlowList (merged r133840 + r133939 + r134191)
Clean up confused use of Document::renderer and renderView (merged r133813).
Revert rounding change in RenderTable::paintObject (merged r131358)
Track block's positioned objects like percent-height descendants (merged r125351 + r125353).

Remove HTMLMediaElement.startTime (merged r158112)
  > It was replaced with initialTime in August 2010.
Remove HTMLMediaElement.initialTime (merged r158527)
  > It was dropped from spec in April 2012.

Keyboard caret movement in textarea with RTL Override Character can make tab unresponsive (merged r137213).
Copying collection shouldn't require O(live bytes) memory overhead (merged r131213 + r131215 + r131244 + r131791)
JSC should dump object size inference statistics (merged r129586)
JSC should have a zombie mode (merged r127829)

Contiguous array allocation should always be inlined (merged r131249 + r131251).
DFG should inline code blocks that use new_array_buffer (merged 131087)
Add LLINT and baseline JIT support for timing out scripts (merged r148639),
  > Introduces the new Watchdog class which is used to track script
  > execution time, and initiate script termination if needed.
Removed bitrotted TimeoutChecker code (merged r148119),
  > This mechanism hasn't worked for a while.

Cache flush problem on ARMv7 JSC (merged r145194)
Structure check hoisting phase doesn't know about the side-effecting nature of Arrayify (merged r129553)
  > regression r128957 (break UX animation).
Deleting the classic interpreter and cleaning up some build options (merged r129453).
Array profiling has convergence issues (merged r128790).
Fixed DFG JIT build with ARMv7 assembler,
  > Fix problems with processing negative zero on DFG (partially merged r149152).
Unreviewed, fix ARM build (merged r129274).
Rolled out svn13719 (crash when starting browser with DFG JIT)
  > Array profiling has convergence issues (merged r128790).
Array profiling has convergence issues (merged r128790).

Make global const initialisation explicit in the bytecode (merged r128534).
Fix interpreter build (merged r128611).

Feb 27, 2014
============
JSC should have property butterflies (merged r128400),
  > CodeGeneratorJS.pm is causing random crash when merged putByIndex and getOwnPropertySlotByIndex.
r128425 Testing whether indexing type is ArrayWithArrayStorage should not compare against ArrayWithArrayStorage
r128541 DFG: Dead GetButterfly's shouldn't be subject to CSE
r128428 [Qt][Win] REGRESSION(r128400): It broke the build
r128667 bbc homepage crashes immediately
r128680 All of the things in SparseArrayValueMap should be out-of-line
r128706 JSObject.cpp and JSArray.cpp have inconsistent tests for the invalid array index case
r128802 If a prototype has indexed setters and its instances have indexed storage, then all put_by_val's should have a bad time
r128816 We don't have a bad enough time if an object's prototype chain crosses global objects
r128928 REGRESSION(r128802): It made some JS tests crash
r129065 REGRESSION(r128802): It made some JS tests crash
r129272 REGRESSION (r128400): Opening Google Web Fonts page hangs or crashes
r129317 Sorting a non-array creates propreties (spec-violation)
r129432 JSArray::putByIndex asserts with readonly property on prototype
r129457 SerializedScriptValue isn't aware of indexed storage, but should be
r129458 Bug in numeric accessors on global environment
r129461 Regression, freeze applied to numeric properties of non-array objects
r129548 Regression: put beyond vector length prefers prototype setters to sparse properties
r129574 JSC bindings appear to sometimes ignore the possibility of arrays being in sparse mode
r129588 DFG ArrayPush, ArrayPop don't handle clobbering or having a bad time correctly
r130228 REGRESSION(r128400): ASSERT (crash in release) @ app.asana.com
r154346 REGRESSION (r128400): BBC4 website not displaying pictures

Feb 27, 2014
============
JSC should have property butterflies (partially merged r128400),
  > CodeGeneratorJS.pm is causing random crash when merged putByIndex and getOwnPropertySlotByIndex.

Render unto #ifdef's that which belong to them (merged r127199)
Removed a JSC-specific hack from the web inspector (merged r126720).
ThreadRestrictionVerifier should be opt-in, not opt-out (merged r126379)
Refactored the interpreter and JIT so they don't dictate closure layout (merged r129156).
Fixed CallFrameClosure::resetCallFrame() to use the valid range of argument index values. (merged r129827)
We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array (merged r129577).
Nested try/finally should not confuse the finally unpopper in BytecodeGenerator::emitComplexJumpScopes (merged r129440).
ValueToInt32 bool case does bad things to registers (merged r129435).
PutScopedVar should not be marked as clobbering the world (merged r129325)
Don't allocate a backing store just for a function's name (merged r128265)
Refactored the arguments object so it doesn't dictate closure layout (merged r128832).
BlockAllocator should use regions as its VM allocation abstraction (merged r131132).

JSActivation should inline allocate its registers, and eliminate 'arguments' registers in the common case (merged r128260)

Combine MarkStack and SlotVisitor into single class (merged r128084)
Separate MarkStackThreadSharedData from MarkStack (merged r126354)

Added large allocation support to MarkedSpace (merged r128141)
Rename forEachCell to forEachLiveCell (merged r128498)
Remove the Zapped BlockState (merged r128563)
Delayed structure sweep can leak structures without bound (merged r130303)

====r128141====
I expanded the imprecise size classes to cover up to 32KB, then added
an mmap-based allocator for everything bigger. There's a lot of tuning
we could do in these size classes, but currently they're almost
completely unused, so I haven't done any tuning.

Subtle point: the large allocator is a degenerate case of our free list
logic. Its list only ever contains zero or one items.

====r128498====
forEachCell actually only iterates over live cells. We should rename it to 
reflect what it actually does. This is also helpful because we want to add a new 
forEachCell that actually does iterate each and every cell in a MarkedBlock 
regardless of whether or not it is live.

====r128563====
The Zapped block state is rather confusing. It indicates that a block is in one of two different states that we
can't tell the difference between:

1) I have run all destructors of things that are zapped, and I have not allocated any more objects. This block
   is ready for reclaiming if you so choose.
2) I have run all the destructors of things that are zapped, but I have allocated more stuff since then, so it
   is not safe to reclaim this block.

This state adds a lot of complexity to our state transition model for MarkedBlocks. We should get rid of it.
We can replace this state by making sure mark bits represent all of the liveness information we need when running
our conservative stack scan. Instead of zapping the free list when canonicalizing cell liveness data prior to
a conservative scan, we can instead mark all objects in the block except for those in the free list. This should
incur no performance penalty since we're doing it on a very small O(1) number of blocks at the beginning of the collection.

For the time being we still need to use zapping to determine whether we have run an object's destructor or not.

Delayed structure sweep can leak structures without bound (r130303)

Going to google.com/trends causes a crash (merged r151709).

If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame,
  then it should give up and return 0 and all callers should be robust against this (merged r147798)
JSC Stack walking logic craches in the face of inlined functions triggering VM re-entry (merged r149404).
DFG register allocation should be greedy rather than round-robin (merged r134182).

Remove m_classInfo from JSCell (merged r128146)
Structure check hoisting fails to consider the possibility of conflicting checks on the source of the first assignment to the hoisted variable (merged r128699).
Refactored op_tear_off* to support activations that don't allocate space for 'arguments' (merged r128096)
Object.prototype.__define{G,S}etter__ with non-callable second parameter should throw TypeError instead of SyntaxError (merged r127930).

Named functions should not allocate scope objects for their names (merged r127810).
Remove use of JSCell::classInfoOffset() from tryCacheGetByID (merged r127648)
Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator (merged r127625)
DFG GetByVal for JSArrays shouldn't OSR exit every time that the index is out of bound (merged r127536).
Remove uses of ClassInfo from SpeculativeJIT::compileObjectOrOtherLogicalNot (merged r127479).
Refactored scope chain opcodes to support optimization for named function expressions (merged r127393 + r127394 + r127408)
JSArray::putDirectIndex should by default behave like JSObject::putDirect (merged r127349).
Remove use of ClassInfo in SpeculativeJIT::emitBranch (merged r127343).
Shrink activation objects by half (merged r127293+).
Use one object instead of two for closures, eliminating ScopeChainNode (merged r127202).
Remove uses of ClassInfo in StrictEq and CompareEq in the DFG (merged r127189)
Fix broken classic intrpreter build. (merged r127179)
Build warning : -Wsign-compare on DFGByteCodeParser.cpp (merged r127167)
Remove use of ClassInfo from compileGetByValOnArguments and compileGetArgumentsLength (merged r127090).

PutById uses DataLabel32, not DataLabelCompact (merged r127066)
ExecutableAllocator should be destructed after Heap (merged r127034)

Introduced JSWithScope, making all scope objects subclasses of JSScope (merged r127010)
Added JSScope::objectInScope(), and refactored callers to use it (merged r126962 + r126990)
Refactored and consolidated variable resolution functions (merged r126893 + rr126897 + r126906).
Remove use of ClassInfo from SpeculativeJIT::compileGetByValOnArguments (merged r126815).
Remove uses of TypedArray ClassInfo from SpeculativeJIT::checkArgumentTypes (merged r126804).
fix for builds without VALUE_PROFILING. I had forgotten that shouldEmitProfiling() (merged r126723).
  is designed to return true if DFG_JIT is disabled. I should be using canBeOptimized() instead.
Don't allocate space for arguments and call frame if arguments aren't captured (merged r126722).
Finally inlining should correctly track the catch context (merged r126718).
Array type checks and storage accesses should be uniformly represented and available to CSE (merged r126715).

op_call should have ArrayProfiling for the benefit of array intrinsics (merged r126692)
Change behavior of MasqueradesAsUndefined to better accommodate DFG changes (merged r126494 + r150569)
Serialization of JavaScript values does not appear to respect new HTML5 Structured Clone semantics (merged r126464).
JSC GC object copying APIs should allow for greater flexibility (merged r123690).
Structure check hoisting should abstain if the OSR entry's must-handle value for the respective variable has a different structure (merged r126826).
Array accesses should remember what kind of array they are predicted to access (merged r126387).
The relationship between abstract values and structure transition watchpoints should be rationalized (merged r125999)
DFG is still too pessimistic about what constitutes a side-effect on array accesses (merged r125959).
Structure check hoisting should be less expensive (merged r125823).
Array checks should use the structure, not the class info (merged r125637 + r127778)
DFG::StructureCheckHoistingPhase keeps a Node& around for too long (merged r124655).
50% time on Dromaeo Selector * benchmark spent allocating oversized backing stores (but not in Chrome) (merged r163057),
Remove all uses of ClassInfo for JSStrings in JIT code (merged r124476).
DFG should hoist structure checks (merged r124404 + r124420 + r124555 + r128544)
DFG should distinguish between PutByVal's that clobber the world and ones that don't (merged r124398)
C++ code should get ClassInfo from the Structure (merged r124355).
Structures should be swept after all other objects (merged r124265 + 124352)
Removed some public data and casting from the Heap (merged r124250 & relevant changes).
Removed some public data and casting from the Heap (merged r124250 & relevant changes).
Remove 2 bad branches from StringHash::equal() and CaseFoldingHash::equal() (merged r146702).

SVGElement destructor can use invalid iterator (merged r149306).

Allocate Structures in a separate part of the Heap (merged r123813)
Split functionality of MarkedAllocator::m_currentBlock (merged r123931)

Always null check cells before marking (merged r126624);
Removed the NULL checks from visitChildren functions (merged r126721);

[arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build. (merged r160911);
OSR exit compiler should emit code for resetting the execution counter that matches the logic of ExecutionCounter.cpp (merged r137505).
A patchable GetById right after a watchpoint should have the appropriate nop padding (merged r126214).
MIPS DFG implementation (merged r143247);
CALLFRAME_OFFSET and EXCEPTION_OFFSET are same in ctiTrampoline on ARM Thumb2 (Neither of these values need to be stored. At all) (merged r127944);

There are a few of wrong removeAllChildren() call (merged r140659)
Renderer is recreated unexpectedly after detach in HTMLInputElement (merged r141228)

Refactored the DFG to make fewer assumptions about variable capture (merged r128544).
IncrementalSweeper should not sweep/free Zapped blocks (merged r128262)
DFG misses arguments tear-off for function.arguments if 'arguments' is used (merged r128111)
Refactored callee access in the DFG to support it in the general case (merged r127643)
DFG JIT doesn't work properly on ARM hardfp (merged r127561).
The redundant phi elimination phase is not used and should be removed (merged r126689).
fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html crashes on 32-bit (merged r126081 & r126082).
The current state of the call frame should be taken into account in the DFG for both predictions and proofs (merged r125982)
DFG CSE should be more honest about when it changed the IR (merged r125964).
DFG OSR exit profiling has unusual oversights (merged r124230)
ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes (merged r124555)
Crashes in dfgBuildPutByIdList when clicking on just about anything on Google Maps (merged r124678).
DFG handling of get_by_id should always inject a ForceOSRExit node if there is no prediction (merged r124667).
JSC ARM traditional failing on Octane NavierStokes test (merged r149601),
  > SunSpider 1.0.2 is working with DFG JIT, but on cnn.com, still missing bottom part.
Build fix for 32-bit after r123682 (merged r123708)
Remove JSObject::m_inheritorID (merged r123682).

Stop starting animations when leaving a page (merged r143640)

Supporting text track (not working)
  > merged r126372 (Display a TextTrackCue when snap-to-lines flag is set);

Abandoned Memory: SVGFontElement and Corresponding SVGDocument Never Deconstructed (merged r140698).
Update DOMException name to match the spec and Firefox (merged r134435 and more).

Fixed document leak related to web worker (statusbar)
  Merged r140483 Prevent race condition during Worker shutdown;
  Changed MessageQueue appendAndKill to process all remaining tasks, then kill itself (signal run loop exit);

Cache continuation() in a local to avoid repeat hash lookups (merged r156334).


--------Not Merged--------

Nullptr crash due to display:block ruby and continuations (279005@main)
[IFC][Ruby] Anonymous bases should have white-space:nowrap (272285@main)
[IFC][Ruby] Return correct accessibility roles (272111@main)
[IFC][Ruby] Force unicode-bidi to correct value (271839@main)
[IFC][Ruby] Support annotation without base (271056@main)
Basic support for CSS based Ruby in IFC (267937@main)

Unreviewed, reverting r270860. (r270861)
Unreviewed, reverting r269320, r269341, r269502, and r269576. (r270860)
[JSC] Add TimeZone range cache over ICU TimeZone API (r269576)
[JSC] Obtain default timezone ID from cached icu::TimeZone (r269341)
REGRESSION (r254038): Simple.com money transfer UI is very laggy (multiple seconds per keypress) (r269320)
  => Require ICU >= 69.1

Regression(r291141) Flashing when hovering photos on nytimes.com (251802@main)
Main document is leaking on haaretz.co.il due to lazy image loading (r291141 complete revisited)
Fix crash in image-loading-lazy-slow.html WPT test (r266720)
Lazy load images using base url at parse time (r257054)
Main implementation for lazy image loading (r251637 + r251708 rolled out + r256786)

[BigInt] Simplify boolean context evaluation by leveraging JSString::offsetOfLength() == JSBigInt::offsetOfLength() (r239099)

[JSC] Reduce # of registers used in RegExpTestInline to allow using unlinked DFG in x64 (r291515)
[JSC] YarrJIT inlining should be disabled when we have DotStarEnclosure (r289450)
[JSC][32bit] Fix regexp crash on ARMv7 (r288400 + r288401 rolled out + r288476 complete revisited)
Inline RegExp.test JIT code in DFG and FTL (r285651)

compileEnumeratorHasProperty uses flushRegisters incorrectly (r281473, 240852@main)
Emit HasOwnPropertyFunctionCallDotNode for "Reflect" identifiers (r264397)
[JSC] for-in should allocate new temporary register for base (r262354)
hasOwnProperty inside structure property for-in loop should use an opcode like has_structure_property but for hasOwnProperty (r262233)
in_by_val inside structure property for-in loop should use an opcode like has_structure_property but for "in" (r262083)

CheckIsConstant should not use BadCache exit kind (r263054)
Fix CheckIsConstant for non-constant values and checking for empty (r260377)
Redesign how we do for-of iteration for JSArrays (r260323 complete revisited)

Delete IC incorrectly caches for proxies (r259357)
Inline Cache delete by id/val (r257399)

[JSC] ShrinkToFit some vectors kept by JIT data structures (r255541 complete revisited)
  -> Sony EPG Guide does not work correctly with DFG JIT.

[JSC] @hasOwnLengthProperty returns wrong value if "length" is attempted to be modified (r257784)
[JSC] Improve our bound function implementation (r253867)

A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile (r224603)

Inlining of a function that ends in op_unreachable crashes (r226362)
Avoid allocating useless landingBlocks in DFGByteCodeParser::handleInlining() (r223159)
Refactor the inliner to simplify block linking (r223086)
Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit (r222115 complete revisited)
It should be valid to exit before each set when doing arity fixup when inlining (r222060)
[JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed (r222035)

[JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&` (r250479 complete revisited)
[JSC] jsSubstring should resolve rope before calling JSRopeString::create (r243081 complete revisited)
op_switch_char broken for rope strings after JSRopeString layout rewrite (r242519)
[JSC] sizeof(JSString) should be 16 (r242252)

The GC should be optionally concurrent and disabled by default (r208720 partial)

[JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr (r201412 complete revisited)

[JSC] AI should check the given constant's array type when folding GetByVal into constant (r239964)
[JSC] Optimize Object.keys by caching own keys results in StructureRareData (r239153 + r239154 + r239155 + r239231 rolled out + r239324)
DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType. (r237325)
need to didFoldClobberWorld when we constant fold GetByVal (r234128)
[DFG] Fold GetByVal if the indexed value is non configurable and non writable (r234089)
[DFG] Fold GetByVal if Array is CoW (r234066)
DFGArrayModes needs to know more about CoW arrays (r232376 complete revisited)
We should have a CoW storage for NewArrayBuffer arrays. (r232070)

REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes (r242838)
YARR: JIT RegExps with back references (r235636)

[EME] MediaKeySession: handle MediaKeys association through a WeakPtr (r221816)
[EME] HTMLMediaElement: basic implementations of 'Attempt to Decrypt', 'Attempt to Resume Playback If Necessary' (r220962)
[EME] MediaKeySession has to initiate playback resume on HTMLMediaElement (r220905)

Implement createImageBitmap(HTMLVideoElement) (r228092)
[GTK] Use fallible allocation in ImageBuffer::ImageBuffer(). (r224681)

REGRESSION(r215211): [GTK] Several webgl related tests are failing (r215924)
REGRESSION(r215211): [GTK] Lots of image related tests are timing out, causing the test bot to exit early (r215227)
REGRESSION(r215211): [GTK] Lots of image related tests are crashing, causing the test bot to exit early (r215224)
CachedImage should stop decoding images when unknown type is detected (r215211)

REGRESSION (r206481): Don't assume frameCount() is larger than or equal to the size of the image frame cache (r217392)
[Cairo] GraphicsContext3D::ImageExtractor fails to extract images (r207332)
REGRESSION(r206481): ASSERTION FAILED: isDecoderAvailable() (r206526)
Move caching the ImageFrame from BitmapImage to ImageSource (r206481 + r206502)

[WebIDL] Add support for Promise<> attributes (r220433 complete revisited)
[WebIDL] Add proper parsing for Promises (r208474)

Concurrent GC should be stable enough to land enabled (r209570 partial)

Disable SharedArrayBuffers from Web API (r226386)
JSC should support SharedArrayBuffer (r208209)

REGRESSION (r174226): Header on huffingtonpost.com is too large (r178591 revisited)
operationCreateArguments could cause a GC during OSR exit (r169973 revisited)
FTL should support PhantomArguments (r164923)

DFGGraph::m_doubleConstantMap will not map 0 values correctly. (r170109)
mandreel throws a checksum error on 32-bit x86. (r166440)

REGRESSION(r164205): WebKit crash @StructureIDTable::get. (r167532)
DFG::prepareOSREntry should be nice to the stack (r164205)

Implementing caching transition puts that need to reallocate with indexing storage (r199209)
Crash making a tail call from a getter to a host function (r191765 + r191835)
GCAwareJITStubRoutineWithExceptionHandler has a stale CodeBlock pointer in its destructor (r191350)
C calls in PolymorphicAccess shouldn't assume that the top of the stack looks like a JSC JIT frame and enable *ByIdFlush in FTL (r191404)
We were creating a GCAwareJITStubRoutineWithExceptionHandler when we didn't actually have an exception handler in the CodeBlock's exception handler table (r191016)
We should be able to inline getter/setter calls inside an inline cache even when the SpillRegistersMode is NeedsToSpill (r190735 + r193423)
Repatch should support setters and plant calls to them directly (r166945 complete)
Setters are just getters that take an extra argument and don't return a value (r166908)
Fix 32-bit getter call alignment. (r166266)
Repatch should plant calls to getters directly rather than through a C helper (r166263)	
Need to align sp before calling operationLoadVarargs on 32-bit platforms. (r164397)
Repatch code is passing the wrong args to lookupExceptionHandler. (r163274)
Merge the jsCStack branch (r163027)	

REGRESSION(r242841): Fix conservative DFG OSR entry validation to accept values which will be stored in AnyInt / Double flush formats (r242990)
[JSC] OSR entry should respect abstract values in addition to flush formats (r242841)
[JSC] Remove merging must handle values into proven types in CFA (r242627)
[JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases (r242192)
DFG CFA should pick the right time to inject OSR entry data (r231665)

convertToRegExpMatchFastGlobal must use KnownString as the child use kind (r235538)
[FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag (r229514)
[DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky (r227107)

[JSC] DFG terminal's liveness should respect caller's opcodeID (r252789)
Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH. (r243280)
We should have a more concise way of determining when we're varargs calling a function using rest parameters (r208584 + r208592 rolled out + r208637 partial revisited)

DFG fragile frozen values are fundamentally broken (r186691)

Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time (r204162)
Restore CodeBlock jettison code Geoff accidentally removed (r192401 + r192450 rolled out + r195550 + r195576 rolled out)
CodeBlock should be a GC object (r190827 + r191291)
CodeBlock should be a GC object (r190450 + r19045 out + r190522 in + r190546 out + r190589 in + r190606 out + r190694 in + r190809 out)

JavaScriptCore should discard optimized code after some time (r189620)

[JSC] Drop ArityCheckData (r223891)
Add support for Callee-Saves registers (r189575 complete revisited)

DFG should not use or preserve Phantoms during transformations (r183497 complete revisited)
  Workaround SunSpider Math Cordic error on some ARMv7 platforms
  https://www.cbc.ca/ crash

Don't segregate heap objects based on Structure immortality. (r182747)

we should emit op_watchdog after op_enter (r193842)
Add op_watchdog opcode that is generated when VM has a watchdog (r193649)
Rename Watchdog::didFire to Watchdog::shouldTerminate because that's what didFire really meant (r193636)
Watchdog timer callback should release the lock before deref'ing the watchdog. (r189172)
watchdog m_didFire state erroneously retained. (r189009)
Add support for CheckWatchdogTimer as slow path in DFG and FTL. (r188649)
Implementation JavaScript watchdog using WTF::WorkQueue. (r188329)
Rename some variables in the JSC watchdog implementation. (r188147)

Blob URL changes after loading it (r280824 complete revisited)
imported/w3c/web-platform-tests/webmessaging/broadcastchannel/blobs.html is a flaky failure since implementing BlobChannel (r280547 complete revisited)
Revoking Blob URL after calling XMLHttpRequest::open() causes the XHR to fail (r279881 complete revisited)
REGRESSION (async policy delegate): Revoking an object URL immediately after triggering download breaks file download (r231714)

[Web Animations] Accelerated animations don't respect a positive delay value (r234279)
REGRESSION: hardware-accelerated animation fails on inline element (r233164)
[Web Animations] Ensure elements overlapping with elements animating also get composited (r230578)

Crash in worker tests handling the m_stoppedCallback. (r224941)

Instantiate WebKit plug-ins at layout time, instead of at style resolution time (r204320)

Update TextTrack API to current spec (r163649)

REGRESSION(r222843): [HarfBuzz] Combining enclosed keycap not correctly handled (r229165)
REGRESSION(r222090): [HarfBuzz] Arabic shaping is broken except for first word in line (r224015)
[HarfBuzz] ComplexTextRun should initialize direction from the harfbuzz buffer (r224007)
[Harfbuzz] Implement ComplexTextController on top of HarfBuzz (r222843)

Allow creation of ExtendedColors and make Color immutable (r207442)
Add preliminary support for extended colors to WebCore::Color (r207265)

REGRESSION(r173441): [GTK] All buttons appear insensitive (r173559)
REGRESSION (r166422): All RenderBox objects grew 104 bytes from adding repaint timers. (r168993)
Scrollbars do not update properly when topContentInset changes dynamically (r167911)
topContentInset does not play well with fullscreen elements (r167630 partial)
Support form controls that may need incremental redraw (r166422)

LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it) (r232461)
DFG and FTL should support op_call_eval (r203364 complete revisited)
Support compiling catch in the DFG (r221119 + r221176 rolled out + r221196 complete revisited + r221210)

JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation (r225239)
We should be able to eliminate rest parameter allocations (r208208 + r208224 rolled out + r208235)
Inline store loop for CopyRest in DFG and FTL for certain array modes (r204439)

[JSC] adjustFrameAndStackInOSRExitCompilerThunk() can trash values in FTL (r195707)
OSR exits that are exception handlers should emit less code eagerly in the thunk generator, and instead,
  should defer as much code generation as possible to be lazily generated in the exit itself (r193485)

CopyBarrier must be avoided for slow TypedArrays (r191221)
GC should have a Baker barrier for concurrent copying (r190896)

Fix bugs in 32-bit Structure implementation. (r165325 complete revisited)
Make JSCells have 32-bit Structure pointers (r164764 partial - V8 benchmark is much slower)

Refactoring: make MediaTime the primary time type for audiovisual times. (r173318 complete revisited)

Consider throttling DOM timers in iframes outside the viewport (r185012 + r185602)

Remove all use of Deprecated::ScriptValue in generated bindings (r199704 revisited)
Get rid of IDBAny (r199668)
Merge IDBDatabaseBackendInterface and IDBDatabaseBackendImpl (r158992)
IndexedDB IDL Refactoring. (r156590)
IndexedDB: Use WeakPtr for Factory-to-BackingStore reference (r145166 + r145180 rolled out + r145238)
IndexedDB: Avoid ScriptValue copies in IDBAny (r144517)
IndexedDB: Pass metadata in to IDBOpenDBRequest.onUpgradeNeeded/onSuccess (r141142)
IndexedDB: Move TaskType enum to IDBDatabaseBackendInterface (r140850 + r140935 rolled out + r141013 rolled in)
IndexedDB: Remove dependency on IDBKey type from IDLs (r140457)
IndexedDB: Combine openConnection and openConnectionWithVersion (r138400)
IndexedDB: Implement custom bindings for parsing options (r138081)
IndexedDB: propagate transaction_ids through open/upgradeneeded (r136992)
IndexedDB: Abort transactions because of leveldb errors part 4 (r136897)
IndexedDB: Stub out transaction-backend methods (r136714)

======MediaStream======
Remove all custom bindings from media streams, using dictionaries instead (r209959)

Support canvas captureStream (r213598)
[MediaStream] delete CaptureDeviceInfo struct (r212418)
[MediaStream] Restructure MediaConstraints classes (r206445)
[MediaStream] Minor cleanup (r205929 complete revisited)
[MediaStream] cleanup MediaConstraints (r204595)
Implement parsing of Media Constraints for getUserMedia algorithm in Media Capture and Streaming Spec (r204516)
WebRTC: Misc MediaStreamEvent fixes: Update build flag and remove PassRefPtr usage (r202625)
REGRESSION (r197114): Crash in WebCore::MediaDevicesRequest::didCompletePermissionCheck (r198160)
getUserMedia requests from the main frame should be treated the same as requests from an iframe with the same origin (r198082)
[MediaStream] push media stream state to the UI process (r197929)
[MediaStream] MediaDeviceInfo deviceId and groupId must be unique to the page's origin (r197114)
WebCoreJSBuiltins do not use to do conditional include (r195533 + r195535 rolled out + r195584)
[MediaStream] MediaDeviceInfo.label must be empty in some situations (r194397)
[MediaStream] MediaStreamTrackPrivate.source should be a reference (r194371)
[MediaStream] Expose media capture devices persistent permissions to WebCore (r193944)
[MediaStream] Rename UserMediaClient and UserMediaController methods (r193764)
[MediaStream] Update MediaStreamTrack.getCapabilities (r193389)

======WebRTC======
WebCore::LibWebRTCMediaEndpoint::gatherStatsForLogging is crashing (r218428)
[WebIDL] Replace general inclusion of JSDOMConvert.h with inclusion of individual converter files to reduce unnecessary inclusion (r218342)
libwebrtc (r218296 complete revisited)
getReceivers() should return transceivers that have only an active receiver (r218182)
Filter SDP from ICE candidates in case of local ICE candidate filtering (r218168)
Add WebRTC stats logging (r217888)
Add support for Certificate and IceCandidatePair stats (r217583)
RealtimeOutgoingVideoSource should not rotate muted frames (r217562)
WebRTC stats should be in milliseconds (r217519)
Compile error, include file is not found. (r216912)
Only ever initialize LibWebRTCProvider's staticFactoryAndThreads() factories once. (r216884)
Name WebRTC Threads (r216682)
Refresh webrtc WPT tests (r216537)
TURNS gathering is not working properly (r216436)
TURNS gathering is not working properly (r216285)
[LibWebRTC] Set explicitly logging level in debug mode (r216092)
LayoutTest webrtc/datachannel/basic.html is a flaky crash (r215832)
com.apple.WebCore: non-virtual thunk to WebCore::LibWebRTCDataChannelHandler::OnBufferedAmountChange + 39 (r215658)
RTCPeerConnection is stopping its backend twice sometimes (r215558)
[Mac] Allow customizing H264 encoder (r215548)
RTCOfferOptions iceRestart should be supported (r215501)
[Cocoa] Move isNullFunctionPointer down into WTF (r215424)
Add an external libwebrtc encoder factory in WebCore (r215411)
Remove RTCSignalingState::Closed (r215327)

======Custom Element======
Custom element constructor doesn't use HTMLElement in new.target's realm (r234957)
Update the semantics of defined-ness of custom elements per spec changes (r205416)
Move QualifiedName from CustomElementInfo to JSCustomElementInterface (r197612)
Add basic support for attributeChanged lifecycle callback (r197611)
Update defineCustomElement according to the spec rewrite (r197602)
Disallow custom elements inside a window-less documents (r197528)
Make HTML parser construct custom elements (r197463)
document.createElement should be able to create a custom element (r195538)
Add document.defineCustomElement (r195087)

Web Inspector: Selector's raw start position in its line is considered to be 0 when computing UILocation (r144434 complete revisited)
Web Inspector: Move workspace specific code from FileMapping to workspace. (r143448)
Web Inspector: Implement tracking of active stylesheets in the frontend (r142975 + r143333 rolled out)
Web Inspector: Implement position-based sourcemapping for stylesheets (r142445)
Web Inspector: [REGRESSION] SASSSourceMapping broken: _bindUISourceCode method is absent (r140405)
Web Inspector: Introduce file mapping allowing to map network loaded scripts and stylesheets to file system files. (r139860)
Web Inspector: Introduce UISourceCode.originURL(). (r139859)
Web Inspector: Workspace should support several projects and should not have temporary UISourceCodes. (r139454)
Web Inspector: Introduce uri as a UISourceCode unique identifier in workspace. (r138536)
Web Inspector: Introduce workspace provider as a content providing backend for project. (r132348)
Web Inspector: Remove resource() getter from UISourceCode. (r129626)
