
--------

Clean up Int52 code and some bugs in it (r244079)

Disable SharedArrayBuffers from Web API (r226386)
JSC should support SharedArrayBuffer (r208209)

DFGGraph::m_doubleConstantMap will not map 0 values correctly. (r170109)
mandreel throws a checksum error on 32-bit x86. (r166440)

REGRESSION(r164205): WebKit crash @StructureIDTable::get. (r167532)
DFG::prepareOSREntry should be nice to the stack (r164205)

[JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr (r201412)
Need to align sp before calling operationLoadVarargs on 32-bit platforms. (r164397)
Repatch code is passing the wrong args to lookupExceptionHandler. (r163274)
Merge the jsCStack branch (r163027)	

Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable (r226655 + r230928 rolled out + r232742)

REGRESSION(r242841): Fix conservative DFG OSR entry validation to accept values which will be stored in AnyInt / Double flush formats (r242990)
[JSC] OSR entry should respect abstract values in addition to flush formats (r242841)
[JSC] Remove merging must handle values into proven types in CFA (r242627)
[JSC] mustHandleValues for dead bytecode locals should be ignored in DFG phases (r242192)
DFG CFA should pick the right time to inject OSR entry data (r231665)

REGRESSION(186691): OSR entry is broken on loop headers that have no live variables (r187028)
DFG fragile frozen values are fundamentally broken (r186691)

Error instances should not strongly hold onto StackFrames (r232314 complete revisited)
We need to disableCaching() in ErrorInstance when we materialize properties (r225768)
ErrorInstance and Exception need destroy methods (r222186)
Error should compute .stack and friends lazily (r221836)
Simplify Interpreter::StackFrame. (r201830)

Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time (r204162)
Restore CodeBlock jettison code Geoff accidentally removed (r192401 + r192450 rolled out + r195550 + r195576 rolled out)
CodeBlock should be a GC object (r190827 + r191291)

[JSC] Drop ArityCheckData (r223891)
Add support for Callee-Saves registers (r189575)

[DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers (r231472 partial revisited)
[jsc][mips] fix JIT::emit_op_log_shadow_chicken_prologue/_tail (r201713)
[mips] Fix regT2 and regT3 trampling in MacroAssembler (r195182)
Clean up register naming (r189293)

Don't segregate heap objects based on Structure immortality. (r182747)

we should emit op_watchdog after op_enter (r193842)
Add op_watchdog opcode that is generated when VM has a watchdog (r193649)
Rename Watchdog::didFire to Watchdog::shouldTerminate because that's what didFire really meant (r193636)
Watchdog timer callback should release the lock before deref'ing the watchdog. (r189172)
watchdog m_didFire state erroneously retained. (r189009)
Add support for CheckWatchdogTimer as slow path in DFG and FTL. (r188649)
Implementation JavaScript watchdog using WTF::WorkQueue. (r188329)
Rename some variables in the JSC watchdog implementation. (r188147)

Fix a couple of mistakes in CSSParserValue memory management (r201608)
CSSGrammar.y:1742.31-34: warning: unused value: $3 (r195612)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179539 complete revisited)
Get rid of invalidSelectorVector, use Bison's error recovery instead (r179485)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179476 complete revisited)
REGRESSION (r173698): Leaks of selector lists in CSS parsing (r179258 complete revisited)
Fix type clash warning in supports_error rule of CSSGrammar. (r175415)
Update the CSS Grammar selector names to get closer to the latest terminology (r173011 complete revisited)
REGRESSION: CSS not() selector does not work when it appears after or within @supports (r172833)
[Feature Queries] Feature Query CSS Grammar Productions Should Return a Value (r171008)
Add support for HTMLImageElement's sizes attribute (r170576 complete revisited)
Split CSS Selectors pseudo class and pseudo elements (r166883 complete revisited)
[CSS Grid Layout] Update named <grid-line> syntax to the last version of the specs (r166157 complete revisited)
REGRESSION (r155536): Broken error recovery in @media at-rule (r160779)
Another CSS parser leak fix (r156224)
Fix a couple more CSS leaks (r156178)
Fix a couple mistakes in my recent CSS grammar leak patch (r156141)
Fix leaks in CSS parser caused by overwriting owned raw pointers with 0 (r156138)
Rework CSS parser, eliminating "floating" concept and using %destructor (r155536 complete revisited)

REGRESSION(r222843): [HarfBuzz] Combining enclosed keycap not correctly handled (r229165)
REGRESSION(r222090): [HarfBuzz] Arabic shaping is broken except for first word in line (r224015)
[HarfBuzz] ComplexTextRun should initialize direction from the harfbuzz buffer (r224007)
[Harfbuzz] Implement ComplexTextController on top of HarfBuzz (r222843)

Always use the compiler's CAS implementation and get rid of ENABLE(COMPARE_AND_SWAP) (r190103)
8-bit version of weakCompareAndSwap() can cause an infinite loop. (r181305)
Source/WTF/wtf/Atomics.h:300: Error: bad register name `%bpl' (r162137)
[Windows] Provide ASM implemenation of 8-bit compare-and-swap (r153345)

// requires C++11
Remove RefPtrHashMap (r174268)
Remove needsDestruction from vector and hash traits (r156507)

Delete dead SVG Font code (r198074)

--------

REGRESSION (iOS 12.2): Webpage using CoffeeScript crashes (r242838)
YARR: JIT RegExps with back references (r235636)

[YARR] Properly handle RegExp's that require large ParenContext space (r245815)
Cleanup Yarr regexp code around paren contexts. (r245586)
REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow (r228481)
YARR: JIT RegExps with greedy parenthesized sub patterns (r225695 + r225861 rolled out + r225930)

Unreviewed, fix 32bit and scope release (r232017)
JSC should have InstanceOf inline caching (r231961)

[JSC] ToThis omission in DFGByteCodeParser is wrong (r240106)
[DFG] Remove ToThis more aggressively (r222143)

[Win] Crash under WebCore::SimpleLineLayout::generateLineBoxTree (r230995)
[Simple line layout] Generate inline boxtree using simple line layout runs. (r230914)

Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient (r173251)
Web Inspector: Expose the console object in JSContexts to interact with Web Inspector (r165199)

Builtins and host functions should get their own structures. (r233426)
Arrow functions need their own structure because they have different properties than sloppy functions (r225891)
Strict and sloppy functions shouldn't share structure (r225273)

InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format (r238511)
InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format (r232134)
InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time (r231660)

[JSC] Do not use asArrayModes() with Structures because it discards TypedArray information (r239951)
DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType. (r237325)
We should have a CoW storage for NewArrayBuffer arrays. (r232070)

Unreviewed, fix simple goof that was causing 32-bit DFG crashes. (r229545)
Split DirectArguments into JSValueOOB and JSValueStrict parts (r229518)

[JSC] AI should check the given constant's array type when folding GetByVal into constant (r239964)
need to didFoldClobberWorld when we constant fold GetByVal (r234128)
[DFG] Fold GetByVal if the indexed value is non configurable and non writable (r234089)
[DFG] Fold GetByVal if Array is CoW (r234066)

It should be valid to exit before each set when doing arity fixup when inlining (r222060)
[JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed (r222035)

Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX. (r236804)
Explore increasing max JSString::m_length to UINT_MAX. (r221192)

[DFG] Convert ValueAdd(Int32, String) => MakeRope(ToString(Int32), String) (r215472)
Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin (r221470)
Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node. (r208560 partial)
Polymorphic operands in operators coerces downstream values to double. (r200606)
[JSC] Get rid of NonNegZeroDouble, it is broken (r200502)

REGRESSION(r199964): Animation on pseudo elements doesn't trigger if first frame matches the current style (r200347)
REGRESSION(r156846): Crashes with guard malloc (r200031)
RenderStyle should not be reference counted (r199964)

[WebIDL] Add proper parsing for Promises (r208474)

Speculative fixes for crashing in viewportChangeAffectedPicture (r195606)
Picture element needs to respond to dynamic viewport changes. (r193859)
	
REGRESSION(r173441): [GTK] All buttons appear insensitive (r173559)
REGRESSION (r166422): All RenderBox objects grew 104 bytes from adding repaint timers. (r168993)
Scrollbars do not update properly when topContentInset changes dynamically (r167911)
topContentInset does not play well with fullscreen elements (r167630 partial)
Support form controls that may need incremental redraw (r166422)
		
Repatch should support setters and plant calls to them directly (r166945 complete)
JSProxies should be cacheable (r167963 revisited)
Setters are just getters that take an extra argument and don't return a value (r166908)
Fix 32-bit getter call alignment. (r166266)
Repatch should plant calls to getters directly rather than through a C helper (r166263)	
	
Update TextTrack API to current spec (r163649)
	
Implement text-decoration-skip: auto (r164115)
[css3-text] Support -webkit-text-decoration-skip: objects (r164061)
Initial implementation of text-decoration-skip ink (r158467)
Parsing support for -webkit-text-decoration-skip: ink (r158127)

JavaScriptCore should discard optimized code after some time (r189620)

test262: Completion values for control flow do not match the spec (r218512 + r218957 + r221622)

[New Multicolumn] Column rules don't respect the specified stacking order. (r167463)
[New Multicolumn] Add support for column-span:all (r167335)
[New Multicolumn] getClientRects returns wrong rectangle (r165991)

Fix null handling of HTMLMediaElement.mediaGroup (r203423)
[Web IDL] Specify default values for optional parameters of type 'DOMString' (r200192)
Binding generator should generate names for JSBuiltins partial interface methods using ImplementedBy value (r191288)

[JSC] Fix CachedCall's argument count if RegExp has named captures (r232092)
Heap out of bounds read in JSC::Yarr::Parser<JSC::Yarr::SyntaxChecker, unsigned char>::peek() (r222600)
Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern. (r222586)
String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp (r221949)
Add support for RegExp named capture groups (r221769)

Concurrent GC should be stable enough to land enabled (r209570 partial)
[DFG] Introduce IsCellWithType node and unify IsJSArray, IsRegExpObject and newly added IsProxyObject (r206065)
Make JSMap and JSSet faster (r205504 + r205507 rolled out + r205520)
Make SpeculatedType a 64-bit integer (r205107)

ErrorInstance and Exception need destroy methods (r222186 partial)
Error should compute .stack and friends lazily (r221836 partial)
CodeBlock should be a GC object (r190694)

The referer header is not set after redirect (r230208)
Implement https://fetch.spec.whatwg.org/#main-fetch default referrer policy setting (r226397)
[Fetch API] TypeError when called with body === {} (r218677)
[Readable Streams API] Align getDesiredSize with spec (r217044)
[Readable Streams API] Implement ReadableStreamBYOBReader releaseLock() (r216926)
[Readable Streams API] Implement ReadableStreamBYOBReader cancel() (r216686)
[Readable Streams API] Implement ReadableByteStreamController enqueue() (r211779)
[Readable Streams API] Implement readableByteStreamControllerCallPullIfNeeded() (r210027)

Value for iterator property is wrong for maplike interfaces (r217188)
URLSearchParams / Headers objects @@iterator is not as per Web IDL spec (r217166)
JavaScript for-of does not work on a lot of collection types (e.g. HTMLCollection) (r211024)
DOMIterators should be assigned a correct prototype (r203235)
Remove support for value iterators from JSDOMIterator (r203234)
DOM value iterable interfaces should use Array prototype methods (r203222)
Iterable interfaces should have their related prototype @@iterator property writable (r202583)
JSDOMIterator forEach should support second optional parameter (r202334)

Ensure DOM iterators remain done (r200678)
NodeList should be iterable (r200619 + r202302 rolled out + r202303 rolled out + r202305 + r202306 + r202307)

Speedup array iterators (r200422)

REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren(). (r192743)
REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren(). (r192722)
[JSC] JSPropertyNameEnumerator could be destructorless. (r192536)

REGRESSION (r174226): Header on huffingtonpost.com is too large (r178591 revisited)
operationCreateArguments could cause a GC during OSR exit (r169973 revisited)
FTL should support PhantomArguments (r164923)

Teach DFG that ArithSub can now clobber the heap (and other things). (r192949)
Use JITSubGenerator to support UntypedUse operands for op_sub in the DFG. (r191224)

REGRESSION(r225913): about 30 JSC test failures on ARMv7 (r226616)
REGRESSION(r225913): about 30 JSC test failures on ARMv7 (r226298)
JSObjects should have a mask for loading indexed properties (r225913 complete)

CopyBarrier must be avoided for slow TypedArrays (r191221)
GC should have a Baker barrier for concurrent copying (r190896)

Fix bugs in 32-bit Structure implementation. (r165325 complete revisited)
Make JSCells have 32-bit Structure pointers (r164764 partial)

Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties (r225845)
[JSC] Use reifying system for "name" property of builtin JSFunction (r221327 + r221404 + r221417)
JSFunction::put() should not allow caching of lazily reified properties. (r208018 complete revisited)
JSBoundFunction should lazily generate its name string (r204312)

Always invoke RenderObject::insertedIntoTree/willBeRemovedFromTree (r224933)

IsInShadowTreeFlag does not get updated for a non-container node (r218044)
IsInShadowTreeFlag does not get updated for a non-container node (r217926 revisited complete)
Turn ChildNodeInsertion/RemovalNotifier classes into functions (r189896)

Simple line layout: Paginated content is not painted properly when font overflows line height. (r213779)
Selection rects sent to ServicesOverlayController are wrong. (r170758)

Refactor HTMLCollection to be as fast as CachedLiveNodeList (r188520)

The SVG fragment identifier is not respected if it is a part of an HTTP URL (r221377)
REGRESSION (r190883): Error calculating the tile size for an SVG with no intrinsic size but with large floating intrinsic ratio (r192161)
REGRESSION(r184895): border-image should always slice the SVG image to nine pieces when drawing it in the container element (r190883)
REGRESSION (r184895): Vertical border elements ([-webkit]-border-image set to 'repeat') that used to render perfectly are now rendering incorrectly. (r185438)
An SVG with no intrinsic size does not draw correct slices when used as a border-image for an HTML element. (r184895)

REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable (r234580)
[JSC] cache TaggedTemplate arrays by callsite rather than by contents (r228422)

Add the support for nomodule attribute on script element (r211078)
Implement InlineClassicScript (r210627)
Decouple module loading initiator from ScriptElement (r210585)
[ES6] Integrate ES6 Modules into WebCore (r208788)
Introduce abstract class LoadableScript for classic script and module graph (r205581)
[ES6] Implement ModuleNamespaceObject (r189429)

[JSC] Map and Set constructors should have fast path for cloning (r217527)

Function.toString() should also copy the source code Functions that are class definitions. (r236713)
jsc CLI tool crashes on EOF. (r194409)
CachedScript could have a copy-free path for all-ASCII scripts. (r194017)

[JSC] fix order of evaluation for ClassDefinitionEvaluation (r229608)
Web Inspector: Stepping through `a(); b(); c();` it is unclear where we are and what is about to execute (r226054)
Arrow functions need their own structure because they have different properties than sloppy functions (r225891)
Strict and sloppy functions shouldn't share structure (r225273)
[ESnext] Implement Object Rest - Implementing Object Rest Destructuring (r218861)
index out of bound in bytecodebasicblock (r217840)
ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext (r217577)
test262: test262/test/language/expressions/object/method-definition/early-errors-object-method-duplicate-parameters.js (r215723)
[JSC] Default parameter part should be retrieved by op_get_argument opcode instead of changing arity (r214029 + r214040)
"this" missing after await in async arrow function (r210925)
Calling async arrow function which is in a class's member function will cause error (r210558)
[JSC] ES6 Method functions should not have prototype (r207461)
[JSC] Add a new byte code op_define_property instead of calling defineProperty (r206778 + r206790 + r206808)
[JSC] Implement parsing of Async Functions (r206333)
[DFG][FTL] Implement ES6 Generators in DFG / FTL (r204994)

STP TypedArray.subarray 5x slowdown compared to 9.1 (r203037 + r203046 rolled out + r203076)
We should have a DFG intrinsic that checks if a value is a TypedArrayView (r202363)
Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties. (r191215 complete)

Remove old URL parser (r212508)
WebKit should percent encode single quotes in query strings (r215096)
Use efficient iterators in URLParser (r205986)
Add runtime flag for using URLParser (r205266)

Fix missing edge cases with JSGlobalObjects having a bad time. (r237469 complete)

JIT::emitGetGlobalProperty/emitPutGlobalProperty are only called from one place (r190675)

Break reference cycle in ErrorEvent by using JSValueInWrappedObject (r234789)
Event improvements (r228260)

Fix memory leaks in RenderMultiColumnFlow (r222710)

RegExpObject's collectMatches should not be using JSArray::push to fill in its match results. (r238270)
Multiple stress/regexp-compile-oom.js tests are failing on High Sierra Debug and Release JSC testers. (r237877)
Add missing exception check in RegExpObjectInlines.h's collectMatches. (r233161)
Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH. (r217867)
Bogus uses of regexp matching should realize that they will OOM before they start swapping (r201451)

Assertion failure when opening a file with a missing tag closing bracket (r221335)
Streamline and speed up tokenizer and segmented string classes (r209058 + r209120 rolled out + r209129)

[JSC] Speed up InPlaceAbstractState::endBasicBlock() (r204130)

AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset (r246210)
The GetterSetter structure needs a globalObject. (r200177)
We should support the ability to do a non-effectful getById (r199170 complete revisited)

PolymorphicAccess adds sizeof(CallerFrameAndPC) rather than subtracting it when calculating stack height (r199837)
We should be able to inline getter/setter calls inside an inline cache even when the SpillRegistersMode is NeedsToSpill (r190735)
Inline cache repatching should be throttled if it happens a lot (r190561)
PolymorphicAccess should remember that it checked an ObjectPropertyCondition with a check on some structure (r190215)
There should be one stub hanging off an inline cache that contains code for all of the cases, rather than forming a linked list consisting of one stub per case (r189586)

[css-grid] Add support for percentage gaps (r215463)

REGRESSION: Block no longer shrinks to preferred width in this flex box layout (r213480)
Update flexbox to Blink's tip of tree (r213149 complete revisited)

Fix missing edge cases with JSGlobalObjects having a bad time. (r237469 complete revisited)

Unreviewed, fix initial global lexical binding epoch (r240329)
[JSC] Invalidate old scope operations using global lexical binding epoch (r240220 + r240248 rolled out + r240254)
Unreviewed, fix scope check assertions (r239898)
[JSC] Global lexical bindings can shadow global variables if it is `configurable = true` (r239879)

Make SecurityOrigin safe to create and use from any thread (r230205)
Avoid constructing SecurityOrigin objects from non-main threads (r230009)
Crash under SchemeRegistry::shouldTreatURLSchemeAsLocal(WTF::String const&) (r228972 complete revisited)
Rename "potentionally trustworthy" to "potentially trustworthy" (r221334)
Implement W3C Secure Contexts Draft Specification (r218196)
Implement W3C Secure Contexts Draft Specification (r218028)
Implement W3C Secure Contexts Draft Specification (r218027)

Structured cloning a Symbol should throw (r227969)
[JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray (r222017)
[WTF] Newly added AtomicStringImpl should use BufferInternal static string if StringImpl is static (r219510)
Leverage Substring to create new AtomicStringImpl for StaticStringImpl and SymbolImpl (r210230)

[ES] Implement RegExp.prototype.@@replace and use it for String.prototype.replace (r200117)

Crash in worker tests handling the m_stoppedCallback. (r224941)

Heap-use-after-free regression (r146935)
Add client callbacks to notify of changes of associated from controls (r146672)

Merge IDBDatabaseBackendInterface and IDBDatabaseBackendImpl (r158992)
IndexedDB IDL Refactoring. (r156590)
IndexedDB: Use WeakPtr for Factory-to-BackingStore reference (r145166 + r145180 rolled out + r145238)
IndexedDB: Avoid ScriptValue copies in IDBAny (r144517)
IndexedDB: Pass metadata in to IDBOpenDBRequest.onUpgradeNeeded/onSuccess (r141142)
IndexedDB: Move TaskType enum to IDBDatabaseBackendInterface (r140850 + r140935 rolled out + r141013 rolled in)
IndexedDB: Remove dependency on IDBKey type from IDLs (r140457)
IndexedDB: Combine openConnection and openConnectionWithVersion (r138400)
IndexedDB: Implement custom bindings for parsing options (r138081)
IndexedDB: propagate transaction_ids through open/upgradeneeded (r136992)
IndexedDB: Abort transactions because of leveldb errors part 4 (r136897)
IndexedDB: Stub out transaction-backend methods (r136714)

[JSC] havingABadTimeWatchpoint is not required in Array#indexOf optimization (r237447)
Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire  which churns 65KB of memory (r232738)
[DFG] Add ArrayIndexOf intrinsic (r218084)

[JSC] isRope jump in StringSlice should not jump over register allocations (r244058)
Initialize the ArraySpecies watchpoint as Clear and transition to IsWatched once slice is called for the first time (r210745)
Add a slice intrinsic to the DFG/FTL (r210476 + r210518 rolled out + r210695)

Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH. (r243280)
JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object (r215777)
JSC: operationSpreadGeneric uses the wrong global object for the builtin function and slow_path_spread consults the wrong global object to prove if the iterator protocol is unobservable (r211070)
We should have a more concise way of determining when we're varargs calling a function using rest parameters (r208584 + r208592 rolled out + r208637)

arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array. (r234269)
[JSC] Fix Array.prototype.concat fast case when single argument is Proxy (r232261)
[JSC] Clean up ArraySpeciesCreate (r228012 + r228102 rolled out)
Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it. (r214374 complete revisited)
Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy (r217149)
arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided (r217135)
JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too. (r215451)
Array concat operation should check for length overflows. (r214079)
Fix max length check in ArrayPrototype.js' concatSlowPath(). (r212019)
Array.prototype.concat should not modify frozen objects. (r207178 complete revisited)
concatAppendOne should allocate using the indexing type of the array if it cannot merge (r203798)
appendMemcpy might fail in concatAppendOne (r203033)
Add support for Symbol.isConcatSpreadable (round 2) (r202125)

[DFG] Fold GetByVal if the indexed value is non configurable and non writable (r234089)

When inserting Unreachable in byte code parser we need to flush all the right things (r226811)
Inlining of a function that ends in op_unreachable crashes (r226362)

Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings (r199017 complete revisited)

Kill [StrictTypeChecking] IDL extended attribute (r204033)
Drop [StrictTypeChecking] in cases where it is a no-op (r203956)
[WebIDL] Enable strict type checking for nullable attribute setters of wrapper types (r203949)
Generate bindings code for EventTarget.addEventListener() / removeEventListener() (r201305)
Remove unused C++ DOM event handler attribute functions (r181169)
Make JavaScript binding get and set legacy event listener attributes directly (r181156)

Lifetime of HTMLMediaElement is not properly handled in asynchronous actions (r238788)

Invalid flags in a RegExp literal should be an early SyntaxError (r242699)

ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly. (r217429)

[Web IDL] Specify default values for optional parameters of type 'long' / 'unrestricted double' (r200087)
[Web IDL] Specify default values for boolean parameters (r199976)

DOMTokenLists value and stringifier should not return parsed tokens (r206560)
DOMTokenList.value should be a stringifier attribute (r204970)
Add support for DOMTokenList.replace() (r204161)
Regression(r199360): assertion hit in Element::fastGetAttribute() (r199378)
Lazily update tokens in DOMTokenList when the associated attribute value changes (r199360)
Merge AttributedDOMTokenList into DOMTokenList (r199298)
DOMTokenList.contains() should not throw (r199296)
Merge DOMTokenList and DOMSettableTokenList (r196123)

Make HasOwnProperty faster (r206136 + r206149 + r206207)

Add support for CSS Custom Properties (in preparation for implementing CSS Variables). (r190209)

Setter on style element's textContent or cssText doesn't trigger style recalc (r206404)
will-change should sometimes trigger compositing (r188530)

Release assert in ScriptController::canExecuteScripts via CachedSVGFont::ensureCustomFontData during (r230983)
Assert that Node::insertedInto doesn't fire an event (r223458)
Attr Nodes should not have children (r216259)
Relax the event firing ASSERT for Attr changes (r215787)
Give Node::didNotifySubtreeInsertions() a better name (r185813)

HTMLMediaElement seek algorithm should allow cancelling previous seeks. (r170336 + r170367)

Lexer<T>::parseDecimal ought to ASSERT isASCIIDigit (r245697)
[ESNext] Implement support for Numeric Separators (r245655)

JSObject::getOwnPropertyDescriptor is missing an exception check (r245249 complete revisited)
[WebIDL] Move plugin object customization into the generator (r219302 complete revisited)

Binding generator should support key value iterable (r196900)

Baseline GetByVal and PutByVal for cache ID stubs need to handle exceptions (r204362)
Create ById IC for ByVal operation only when the specific Id comes more than once (r188878)
Introduce put_by_id like IC into put_by_val when the given name is String or Symbol (r188696 + r189820)
Introduce get_by_id like IC into get_by_val when the given name is String or Symbol (r188105 + r188201 rolled out + r188299)

Remove unnecessary Structure flags from generated bindings (r170074)
Extract prototype declaration generation into a helper function (r170044)

QuickLook resources are cache-replaced with their original binary data causing ASSERT(m_data->size() == newBuffer->size()) in CachedResource.cpp (r171993)
Implementors of CachedResource subclasses should be forced to decide if encoded data can be replaced. (r149079)

:first-child, :last-child, :nth-child, and :nth-of-type don't work on shadow root's children (r235917)
Don't invalidate descendants for nth pseudo classes unless needed (r229372 + r229537)
checkForSiblingStyleChanges should use internal versions of the invalidation functions (r229368)
Add ChildrenAffectedByForwardPositionalRules bit for nth-child pseudo class marking (r229307)
Invalidate style for sibling combinators accurately on class change (r227956)
slotchange event should bubble and dispatched once (r208817)
event.composedPath() does not include window (r208641)
[CSS Parser] Support the shadow DOM (r208180 + r208198 rolled out + r208267)
[CSS Parser] Clean up the two types of descendant relations in CSSSelector (r208130)
Merge Element::ShadowRootMode and ShadowRoot::Mode enumerations (r208001)
Rename setNeedsStyleRecalc to invalidateStyle (r207458)
The :enabled/:disabled selectors should only match elements that can be disabled. (r205050)
Can't style descendants in shadow tree using the :host pseudo class (r204724)
Add support for ShadowRoot.mode attribute (r204543)
:hover CSS pseudo-class sometimes keeps matching ever after mouse has left the element (r202324)
Add the unprefixed version of the pseudo element ::placeholder (r202066)
slotchange event should be fired at the end of microtask (r201858)
Change HTMLSlotElement::assignedNodes to take a IDL dictionary instead of a WebCore::Dictionary (r200557)

Crash under eventTargetRespectingTargetRules() (r201571)
event.target shouldn't be retargeted as the event bubbles into a slot (r200464)

Shadow DOM: RenderTreePosition miscomputed when display:contents value changes (r201383)
Shadow DOM: Implement display: contents for slots (r199154)
Shadow DOM: Implement display: contents for slots (r199151)

Render tree teardown should be iterative (r199056)

Tighten ComposedTreeAncestorIterator to return Elements (r198992 complete revisited)

Separate render tree updating from style resolve (r198828 + r198847 rolled out + r198943)

Add slotchange event (r198115)

ElementRuleCollector should not mutate document and style (r197764)

Resolve style iteratively (r196864)

Element::idForStyleResolution() is a foot-gun (r199844)
AffectsNextSibling style relation marking is inefficient (r199583)

Share style by sharing RenderStyle substructures not the object itself (r198584)
Factor style sharing code out of StyleResolver (r196031)

CanvasRenderingContext2D should not have a CanvasRenderingContext parent interface (r204839)

Object.getPrototypeOf(NodeFilter) should be Function.prototype, not Object.prototype (r211970)
Regression(r189230): DOM Callbacks may use wrong global object (r210468)
NodeFilter should be a callback interface (r189230)

REGRESSION(r200601): Crash when using local() and unicode-range in @font-face blocks (r200803)
Web Font is downloaded even when all the characters in the document are outside its unicode-range (r200601)
[Font Loading] Crash when a single load request causes multiple fonts to fail loading (r197804)
[Font Loading] Split CSSFontSelector into a FontFaceSet implementation and the rest of the class (r196954)
[Font Loading] Implement FontFaceSet (r196747)
[Font Loading] Implement FontFace JavaScript object (r196604)

Jun 11, 2019
============
REGRESSION (r177876): store.apple.com profile and cart icons are missing (r186809 + r186816 rolled out + r186827 revisited)
Cleanup and simplification of SVG path-related classes (r190849)
SVG error parsing empty path (r154896)

Jun 10, 2019
============
textPath layout performance improvement. (r182828)
Add 'float FloatPoint::slopeAngleRadians()' (r138800)
[ftlopt] Infer immutable object properties (r170855 complete revisited)

Jun 9, 2019
============
@font-face rules with invalid primary fonts never download their secondary fonts (r218157 + r218264 rolled out + r218733 complete revisted)
Subclass CachedFont for SVG fonts (r176276 revisited)

Jun 07, 2019
============
Get rid of UnicodeRange.h/cpp, using ICU instead (r162780)
SVG: hit testing region for <text> elements is incorrect (r192020)
Clear SVGInlineTextBox fragments when the text changes. (r166420)

Jun 06, 2019
============
Do not convert GlyphBufferAdvance to FloatSize (r195596)
SVGGlyphToPathTranslator ASSERTs when encountering a missing glyph in an SVG font (r169872)
REGRESSION: missing underline under CJK text (r169715)
Fix the !ENABLE(SVG_FONTS) build (r165611)
text-decoration-skip: ink does not skip over SVG fonts (r164842)

Jun 05, 2019
============
[SVG -> OTF Converter] Crash when trying to re-convert a previously-failed font conversion (r199014)
Range.insersectsNode(node) is supposed to return true if node.parent is null (r189225)
[Win] [SVG -> OTF Converter] All uses of a font except the first one are invisible (r196835)
Change the type of SVGToOTFFontConverter::m_weight to be not a char (r229328)
Delete incorrect version of clampTo() function from SVGToOTFFontConversion.cpp (r229202)
[SVG -> OTF Font Converter] Fonts advances are not internally consistent inside the generated font file (r208888)
[Cocoa] REGRESSION(r184899): Ascent adjustments are applied to web fonts (r201228)
SVGToOTFFontConversion.cpp does not compile with libstdc++ 4.8 (r197298)
[Win] [SVG -> OTF Converter] SVG fonts drawn into ImageBuffers are invisible (r196559)
[EFL][GTK] Fix ENABLE(SVG_OTF_CONVERTER) build (r196481)
GCC buildfix in Source/WebCore/svg/SVGToOTFFontConversion.cpp (r196469)
[SVG -> OTF Converter] Parsing failures cause use of incomplete fonts (r194839)
[SVG -> OTF Converter] Force UnitsPerEm to 1000 (r192930)
Crash when using an SVG font with > 390 glyphs (r190375)
[SVG -> OTF Converter] Crash when converting Arabic fonts (r187685)
[SVG -> OTF Converter] Remove unnecessary hacks (r185100)
[Win] [SVG -> OTF Converter] Support the SVG -> OTF Font Converter (r182423)
Work around a Cocoa font parsing bug (r181278)
Test horiz-origin-x and horiz-origin-y in SVG fonts (r181167)
[iOS] SVG fonts are garbled (r181155)
[Win] Build fix after r178760. (r178762)
[SVG -> OTF Converter] Glyphs get clipped weirdly (r178647)
[SVG -> OTF Converter] Implement ligatures (r178249)
[SVG -> OTF Converter] Make Placeholder a move-only type (r177688)
[SVG -> OTF Converter] Make placeholders more robust (r177620)
[SVG -> OTF Converter] Arabic forms are not substituted correctly (r174325)
[SVG -> OTF Converter] Support non-BMP codepoints (r174279 + r174372)
Tweak and tighten SVG font converter (r174063)
SVG -> OTF converter bug gardening (r174011)
Implement 'vhea', 'vmtx', and 'kern' tables in SVG -> OTF converter (r173852)
Text laid out with the SVG -> OTF font converter does not have the same metrics as with the SVG font code path (r173739)
Initial implementation of SVG to OTF font converter (r173521)
[iOS] [OSX] Don't transcode WOFF on platforms that support it natively (r171375)
Allow mmap encoded data replacement for WOFF fonts. (r162897)
Remove code duplications in createFontCustomPlatformData() (r158623)
Once a custom font is cached to disk, it starts failing to render until the page is refreshed. (r149070)
Accept request header values should be more tightly checked after r232572 in case of CORS load (r232728)
HTTP Header values validation is too strict (r232572)
Switch to a blacklist model for restricted Accept headers in simple CORS requests (r210077)
Allow commas in Accept, Accept-Language, and Content-Language request headers for simple CORS (r209510)
Tighten XMLHttpRequest setRequestHeader value check (r174920)

Jun 04, 2019
============
Fonts forced to use non synthetic italics might be laid out with the incorrect baseline (r172504 revisited)
Subpixel rendering: Empty rects should remain empty after integrally enclosing them. (r168575)
Synthesized vertical italics on rotated glyphs are transformed incorrectly (r151693 revisited)
Asserts when textPath is used with no path (r140429)
SVG Font kerning can take an early out if the font has no kerning information (r171955)
Uncomplicate some of SVGTextRunRenderingContext. (r157960)
Remove unnecessary save/restore in SVGTextRunRenderingContext (r133897)
Object bounding box wrong for some paths (r217772)
SVG content renders in incorrect vertical position when padding-left is not specified (r201604)
Replace 2 uses of updateLogicalHeight with computeLogicalHeight (r130686)
Support kerning with SVG web fonts (r156393 + r156399)
[sub-pixel] Rounding error in table cell height calculation causes unnecessary scrollbar (r145242 revisited)
Image.__proto__ should be Function.prototype, not HTMLElement.prototype (r236769)
[JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect (r246040)
Replace scoped flag in Event by composed flag (r202953)
REGRESSION (198056): Unable to use edit buttons on WordPress (r200580)
Add Event.deepPath() and Event.scoped (r198056)
Extract EventPath.h/cpp out of EventDispatcher.cpp (r197924)
WebKit should expose the DOM 4 Event.isTrusted property (r196520)
dispatchEvent() should throw an InvalidStateError if the event's initialized flag is not set (r189386 + r189419 rolled out + r189452)
Remove two unused SVGDocument functions. (r167798)
Clean up dispatchEvent overrides and overloads (r138674)

Jun 03, 2019
============
ComposedTreeIterator does not traverse all slotted children if the traversal root is a slot element. (r216431)
Input elements don't work inside shadow tree (r206403)
ComposedTreeIterator may crash when first child of shadow root is a comment node (r199097)
ComposedTreeIterator fails to traverse slots if root is shadow host (r198087)
ComposedTreeIterator may traverse slotted nodes multiple times (r197553)
ComposedTreeIterator traverses normal children for elements with empty shadow root (r196833)
Fix the !(ENABLE(SHADOW_DOM) || ENABLE(DETAILS_ELEMENT)) after r196281 (r196422)
Fix the !(ENABLE(SHADOW_DOM) || ENABLE(DETAILS_ELEMENT)) after r196281 (r196365)
Try to fix Yosemite build. (r196282)
Implement ComposedTreeIterator in terms of ElementAndTextDescendantIterator (r196281)
Tighten ComposedTreeAncestorIterator to return Elements (r198992 partial)
Implement iterator for traversing composed ancestors (r191112 + r191127)
Inserting a child to a slot assigned node doesn't trigger repaint (r190530)
Implement the matching for :nth-last-child(An+B of selector-list) (r176084 complete revisited)
[CSSRegions] Respect renderer creation constraints when element is part of named flow (r151204)

May 31, 2019
============
Japanese fonts in vertical text should support synthesized italics (r214848)
REGRESSION (r190983): Non-element, non-text nodes should not be distributed to slots (r192763)
Implement iterator for traversing composed DOM (r190983)
ShadowRoot with leading or trailing white space cause a crash (r190585)
Create RenderRubyText for <rt> only when the parent renderer is a RenderRuby. (r183160)
Move render ruby initialization logic from RenderElement::createFor() to *::createElementRenderer() (r183129)
Catch up ruby and its tag omission rule changes in HTML5 CR Feb 2014 (r167437)

May 30, 2019
============
REGRESSION (r167689): Hovering file name in a file input causes a crash (r167840)
[GTK] Bump freetype version to 2.8.0 (r221670 partial revisited)
[FreeType] Add support for the USE_TYPO_METRICS flag (r191378)
Update flexbox to Blink's tip of tree (r213149 partial)
DOMWindow::dispatchEvent() does not reset the event's dispatch flag (r224125)
Event handlers should not be called in frameless documents (r218242)
document.createEvent("popstateevent") should create a PopStateEvent (r205138 partial)
Protect FrameView from being destroyed in Document::recalcStyle() (r185403)
Laili restaurant menu page does not display full menu (r217943)
Available height is wrong for positioned elements with "box-sizing: border-box" (r225101)
Remove InsertionPoint and ContentDistributor (r190845)
REGRESSION(r210226): fast/history/back-from-page-with-focused-iframe.html crashes under GuardMalloc (r210246)
ASSERTION FAILED: !isUnreachableNode(m_target.get()) when hovering over any input element (r190340)
relatedNode should be retargeted respecting slots (r190288)
Make event dispatching respect slotting (r190214)
REGRESSION (r157328): popover to check into flight ba.com dismisses instantly when focusing form (r167689)
HTML-page with <object type="image/svg+xml" data="foo.svg"> often is blank (r225791)
WebKit should unset event propagation flags after dispatch (r204630)
Event fired on a detached node does not bubble up (r190153)
Crash in EventDispatcher::dispatchEvent entering a location on Google Maps (r185232)
Comment in ScopedEventQueue::dispatchEvent is unnecessarily verbose (r157933)
Reintroduce PassRefPtr<Event> copy in ScopedEventQueue::dispatchEvent (r157401)
Extract an iterator/resolver class from calculateAdjustedNodes (r157331)
Dramatically simplify calculateAdjustedNodes (r157328)
Make EventPath private to EventDispatcher.cpp (r157294)
EventContext should be used only in EventDispatcher.cpp (r157288)
Remove EventRetargeter.h/cpp (r157282)
Make all functions of EventDispatcher static (r157250)
Move the rest of EventRetargeter functions to EventPath (r157242)
REGRESSION(r157210): Crashes in WebCore::ScopedEventQueue::dispatchEvent for platforms using GCC (r157219)
Make EventDispatcher::dispatch comprehensible (r157210 + r157214)
Remove the code erroneously in the previous commit. (r157153)

May 29, 2019
============
Remove PassRefPtr use from the "dom" directory, related cleanup (r210216 partial)
EventDispatchMediator is goner (r157203 + r157245)
Remove MouseEventDispatchMediator (r157196)
Remove all subclasses of EventDispatchMediator except MouseEventDispatchMediator (r157195)
Rename EventRetargeter::adjustForRelatedTarget to EventPath::setRelatedTarget (r157177)
Make buildRelatedNodeMap and findRelatedNode static to EventRetargeter.cpp (r157083)
Make an event object clonable to support an event propagation across seamless iframes. (r126256)
JITOperations putByVal should mark negative array indices as out-of-bounds (r245813)
ByValInfo should not use integer offsets. (r236587)
DFG::OSRExit::m_patchableCodeOffset should not be an int (r236585)
DFG::OSREntry::m_machineCodeOffset should be a CodeLocation. (r236576)

May 28, 2019
============
Turn EventPath into a real class (r157152 + r157158)
Get rid of Node::preDispatchEventHandler and Node::postDispatchEventHandler (r156825 + r156826)
Cleanup Document::dispatchFullScreenChangeOrErrorEvent (r156733)
Simplify the loop in EventRetargeter::calculateEventPath (r157127)
Use references in EventRetargeter::calculateEventPath and EventRetargeter::eventTargetRespectingTargetRules (r157123)
EventDispatchBehavior is unnecessary (r157085)
Remove EventPathWalker. (r156390)
ASSERTION FAILED: !node || node->isShadowRoot() in WebCore::EventRetargeter::eventTargetRespectingTargetRules (r154289)
[Shadow DOM] Change the order of event dispatching at AT_TARGET phase. (r147371)
[Shadow Dom]: Non Bubbling events in ShadowDOM dispatch in an incorrect order (r145873)
Calculate EventPath in EventDispatcher's constructor. (r143426)
Make EventDispatcher take an Event object in its constructor. (r143145 + r143244 rolled out + r143303)
Extend EventDispatcher::dispatchSimulatedClick to allow sending a mouseover event (r135690)
Factor Event retargeting code. (r142957)
[Shadow] Stop 'load' and 'error' events at shadow boundaries (r125744)
REGRESSION (r190430): WTFCrashWithSecurityImplication in:void SVGRootInlineBox::layoutCharactersInTextBoxes() (r196669)
REGRESSION(r190430): Assertion failure in Text::~Text() (r195727)
Inserting or removing slot elements can cause a crash (r190008)

May 27, 2019
============
REGRESSION (r190840): crash inside details element's slotNameFunction (r198090)
Rewrite HTMLDetailsElement using HTMLSlotElement (r190840 + r191289)
Update style/layout when a slot is added or removed (r190323)
invalidateSlotAssignments should trigger style recalc (r190109)
The binding for getDistributedNodes unnecessarily makes a vector of nodes (r190093)
JITOperations getByVal should mark negative array indices as out-of-bounds (r245769)
Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain (r228720)
[INTL] Implement String.prototype.localeCompare in ECMA-402 (r194328 + r194332 rolled out + r194394 + r198171 rolled out + r199967)
[INTL] Implement String.prototype.toLocaleUpperCase in ECMA-402 (r193679)
[INTL] Implement String.prototype.toLocaleLowerCase in ECMA-402 (r193611)
[INTL] Implement Number.prototype.toLocaleString in ECMA-402 (r193493)

May 24, 2019
============
Slot elements should support fallback contents (r190430)
HTMLSlotElement should render its assigned nodes (r190084)
Add HTMLSlotElement, Element.slot, and NonDocumentTypeChildNode.assignedSlot (r189950)
We should only make rope strings when concatenating strings long enough. (r241230 + r241255 rolled out + r241493)
DFG::OSREntry should not perform arity check (r245710)

May 23, 2019
============
Optimize Canvas fill and drawImage with SourceIn, DestinationIn, SourceOut, and DestinationAtop using transparencyLayer. (r167248)
Canvas strokeText and fillText with SourceIn, DestinationIn, SourceOut, DestinationAtop and Copy have errors (r166840)
Canvas stroke and strokeRect with SourceIn, DestinationIn, SourceOut, DestinationAtop and Copy have errors (r166836)
Zero size gradient should paint nothing on canvas (r141612)
Proposal: Add support for even-odd fill and clip to Canvas (r140352)
Update GraphicsContext to support winding rule in clip operator for Cairo (r140091)
Update GraphicsContext to support winding rule in clip operator for Core Graphics (r139967)
REGRESSION(r233495) [cairo] drawGlyphsShadow should use the fast path for zero blur-radius (r233556)
[cairo] Doesn't paint box-shadow with zero blur-radius (r233495)
[Cairo] Use one-time ShadowBlur objects when performing shadowing (r227051)
[Cairo] Contain shadow blur requirement state in a separate object (r226509)
[Cairo] Canvas: Path::clear should clear its transform (r226443)
[Cairo] Remove GraphicsContext::mustUseShadowBlur() (r224754)
Don't clear PropertyNameArray in Proxy code (r245643)
[JSC] Filter DontEnum properties in ProxyObject::getOwnPropertyNames() (r243943 + r244020 rolled out + r244330)
[JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys (r243933)
[JSC] Fix Array allocation in Object.keys (r221970)
[JSC] Optimize Object.keys by using careful array allocation (r221853)
[JSC] fix RETURN_IF_EXCEPTION() placement in ownPropertyKeys() (r215810)
[JSC] Object.keys() must discard property names with no PropertyDescriptor (r215799)

May 21, 2019
============
[GTK] Bump freetype version to 2.8.0 (r221670 partial)
Remove feature: CSS variables (r159842 complete revisited)
[CSS] Minor cleanups in CSS variables handling (r150302)
[CSS] CSS Variables are case-sensitive (r150207)
Make CSS variable names case-insensitive. (r131313)

May 20, 2019
============
Canvas methods clip/fill/stroke should not except 0 argument (r165976)
Refactor Path to Path2D and remove currentPath (r165651)

May 17, 2019
============
Nested template contents are not cloned by document.importNode (r177372)
implement op_get_rest_length so that we can allocate the rest array with the right size from the start (r192814)
op_throw_static_error's use of its first operand should be reflected in DFG BytecodeUseDef as well. (r216459)
[WebCore][JSC] Use new @throwTypeError and @throwRangeError intrinsics (r206870 partial revisited)

May 15, 2019
============
[WebIDL] Move plugin object customization into the generator (r219302 partial)

May 14, 2019
============
Expose CloseEvent and CustomEvent to workers (r234799)
WebSocket::didReceiveMessage() may construct a SecurityOrigin object on a non-main thread (r230042 + r230305 rolled out)
WebSocketChannel should ensure its client is live when calling it in error case (r225469)
The setter of binaryType attribute in WebSocket should raise the exception. (r198482)
Crashes in SocketStreamHandleBase::close (r184005)
"nullable" sequence support is incomplete (i.e. sequence<NativeType>?) (r170015)
Sec-WebSocket-Extensions header field must not appear more than once in an HTTP response. (r149120)
WebSocket: Return type of send() should be void if hybi-10 protocol is chosen (r148968)
Add User-Agent header in opening handshake headers. (r144037)
Improve WebSocketChannel connection failure console messages. (r135981)
Remove the custom WebSocket::send for both V8 and JSC (r134386)
[WebSocket] WebSocketInflater should handle BFINAL = 1 blocks (r131395)
[WebSocket] Add "Cache-Control: no-cache" to handshake request (r131155)
[WebSocket] Setting wrong value to binaryType should not raise exception (r130019)
WebSocket.send() should accept ArrayBufferView (r124846)
JSObject::getOwnPropertyDescriptor is missing an exception check (r245249 partial)
Allow setting the prototype of cross-origin objects, as long as they don't change (r214135)
Symbols exposed on cross-origin Window / Location objects should be configurable (r211772)

May 13, 2019
============
[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values (r202413 + r202435 rolled out + r202680 complete)
[JSC] Add truncate operation (rounding to zero) (r198981)
[JSC] String substring operation should return ropes consistently (r245194)

May 10, 2019
============
OfflineAudioDestinationNode::startRendering leaks OfflineAudioDestinationNode if offlineRender exists early (r244145)
DFG should know that CreateThis can be effectful (r229987 partial revisited)
[JSC] Introduce @toObject (r224280 + r224335)
[JSC] Clean up Object.entries implementation (r218790)
[JSC] Object.values should be implemented in C++ (r218697)
[JSC] Implement Object.assign in C++ (r218348)
[JSC] Speedup Object.assign for slow case by using propertyIsEnumerable (r217191)
[ES2016] Implement Object.entries (r204419)
[ES2016] Implement Object.values (r204358)
parseStatementListItem needs a stack overflow check (r245152)

May 09, 2019
============
  => Passed JIT tests/ACID3/ACID2/Asteroidbench/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.8.2.

May 09, 2019
============
Invalid DFG JIT genereation in high CPU usage state (r245071)

May 08, 2019
============
preflight checker should add a console message when preflight load is blocked (r231056)
DocumentThreadableLoader should send credentials after redirections and preflight if fetch option credentials is include (r229907)
Service Worker fetch should filter HTTP headers that are added by CachedResourceLoader/CachedResource (r225574 partial)
Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language (r209261)
WebCore::ResourceErrorBase::setType is crashing (r206524)
[Fetch API] Referrer and Origin header should not be considered as safe request headers (r206009)
ASSERT(revalidatingResource.inCache()) in MemoryCache when reloading tumblr.com (r185070)
[WTF] HashTable's rehash is not compatible to Ref<T> and ASan (r205836)
[WTF] HashTable's rehash is not compatible to Ref<T> and ASan (r205694)
Remove needsDestruction from vector and hash traits (r156507 partial)
[WTF] Add the move constructor, move assignment operator for HashTable (r170995 + r170999 rolled out + r171262)
Remove the hash table mover (r156496 + r156524 + r156526)
Replace WTF::move with WTFMove (r194496)
Rename WTF_MOVE to WTFMove (r194469)
Use of WTF::move prevents clang's move diagnostics from warning about several classes of mistakes (r194451)
Stop moving local objects in return statements (r194428 partial)
Add WTF::move() (r170774)
Add Accept-Encoding: identity to Range requests (r232571)
X-Frame-Options: SAMEORIGIN needs to check all ancestor frames (r231730)
[WTF] StringBuilder should set correct m_is8Bit flag when merging (r244429)
Correct JSON parser to address unterminated escape character (r245028)
JSC: A bug in BytecodeGenerator::emitEqualityOpImpl (r245047)

May 07, 2019
============
[JSC] We should check OOM for description string of Symbol (r244996)
REGRESSION(r180726): Removing an empty line at the end of textarea clears the entire texture (r181465)
isEditablePosition and related functions shouldn't move position out of table (r180726)

May 06, 2019
============
isEditablePosition shouldn't trigger synchronous layout (r164387)
Cleanup the interface of FrameSelection (r163739)
Remove inline member functions of FrameSelection that access m_selection (r163232 + r163233)
Frame::selection() should return a reference (r154286)

May 03, 2019
============
  => Passed JIT tests/ACID3/ACID2/Asteroidbench/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.8.2.

May 02, 2019
============
HashMap should work with move-only keys (r155963)

May 01, 2019
============
Keyboard input should be disabled in the preview popover (r176753)
Transform is sometimes left in a bad state after an animation (r244800)
Mouseenter/-leave not triggered when element under cursor is moved/removed (r155519 + r155548 rolled out)
display:inline's hover behavior is not applied to ::before and ::after pseudo elements (r139739)
Images in feed on ebay.com jiggle when one is hovered (r198374)
[JSC][DFG] Propagate AnyIntAsDouble information carefully to utilize it in fixup (r214296)
[JSC] Clean up stringGetByValStubGenerator (r232106)
Add MacroAssembler::patchableBranch64 and fix ARM64's patchableBranchPtr (r188135 partial)
Introduce get_by_id like IC into get_by_val when the given name is String or Symbol (r188105 + r188201 rolled out)

Apr 30, 2019
============
JITStubRoutineSet wastes 180KB of HashTable capacity on can.com (r244745)

Apr 26, 2019
============
REGRESSION(r212218): Assertion failures in and after parserRemoveChild (r212621)
parserRemoveChild should unload subframes (r212218)
HTMLConstructionSiteTask::Insert should never be called on a node with a parent (r212140)
REGRESSION (r201471): Keyboard remains visible when swiping back on twitter.com (r207486)
REGRESSION(r201471): FormClient.textFieldDidEndEditing is no longer called when a text field is removed (r202578)
Crash in TreeScope::focusedElement (r201471)
Make adoption agency use the task queue (r163579)
Notify nodes removal to Range/Selection after dispatching blur and mutation event (r158739)
Remove Node::aboutToUnload and be more explicit about what it was for (r134806)

Apr 25, 2019
============
Add support for HTMLMediaElement.fastSeek() (r159208 revisited)
Do not assert when CharacterData representing an Attr fires events (r214915)
Adopting a child node of a script element can run script (r211965 + r211966)
Disconnect child frames iteratively (r161567)
document.currentScript must be null when we're executing a script inside a shadow tree (r200327)
Only HTML spaces should be stripped from a <script>'s 'for' / 'event' attributes (r191349)
Script element with an empty for or event attributes should not execute (r191270)
script.text shouldn't include text from non-direct children of the script element (r190730)
Remove some optimizations made obsolete by use of StringBuilder (r154241)
Add support for document.currentScript (r151951)

Apr 24, 2019
============
Repeated background images have the wrong position when using bottom/right-relative background-position (r196960)
Animations should use double for key values, not floats (r154909)

Apr 23, 2019
============
White edge on animating panel on http://rokkosunnyvale.com (r184395)
REGRESSION (r172417, r184065): Multiple rendering issues with fixed attached background-image (r187116)
background-position sometimes doesn't work properly with background-attachment: fixed (r184065)
Subpixel layout: Cleanup snapSizeToPixel/snapSizeToDevicePixel. (r173049)
Subpixel layout: Rename LayoutRect's device pixel snapping functions. (r173047)
Fixed backgrounds don't paint in blurred inset areas (r172291 + r172332 rolled out + r172417)
REGRESSION (r180582): background-attachment: local; does not scroll the background image when scrolling the the element's contents (r186299)
Cleanup BackgroundImageGeometry class. (r180644)
Remove unused BackgroundImageGeometry::m_destOrigin (r180582)
RenderBoxModelObject::calculateBackgroundImageGeometry should return BackgroundImageGeometry. (r180581)
[CSS Blending] Webkit-blend-mode fails for accelerated parent with overflow:hidden (r168314)
[CSS Blending] Blend mode property is propagated to multiple GraphicLayers (r166526)
Remove unused RenderLayerBacking::hasContentsLayer(). (r183849)
Subpixel rendering: Animating HTML elements leaves trails when embedded to a subpxiel positioned iframe. (r177412)
Remove redundant GraphicsContext::drawImage() function. (r169484)
Garbage when rubber-banding at the right edge of a page zoomed to non-integral scale. (r169161)
Subpixel rendering: WK1: Trail of cruft in redraw during animations. (r167129)
Web Inspector: Breakpoint in gutter has clipped / broken border image. (r167090)
Subpixel rendering: Make border images device pixel aware. (r166925)
Subpixel rendering: Make GraphicsContext::drawTiledImage* functions float based. (r166644)
Subpixel rendering: RenderBox is positioned off by one when non-compositing transform is present. (r166060)
Subpixel rendering: Pass FloatSize boxsize to transform animations to support device pixel sizing. (r165354)
Every scroll causes additional layer tree work because of flatteningLayer->removeFromParent(); (r154018)
Don't remove contents layer from its parent unless necessary (r153805)
Force elements with perspective or preserve-3d to disallow direct composited backgrounds (r153681)
REGRESSION(r152227) Images with compositing layer don't show up unless the containing window is resized. (r152986)
Avoid calling RenderLayerBacking::resetContentsRect() if possible (r152227)
Draw intermediate snapshots if possible (r144017)
Don't unconditionally repaint compositing layers when their size changes (r137526)
Source/WebCore: REGRESSION (r137215): WebKit stretches and shrinks a part of screen on scroll (r137248)
Don't unconditionally repaint compositing layers when their size changes (r137215)
r132427 changed the tiling behavior of tiled layer TileCaches as well as the page tile cache (r132504)

Apr 22, 2019
============
Black line across screen on Adobe Illustrator detail page (non-retina only) (r180661)
Switch BackgroundImageGeometry's m_phase from LayoutPoint to LayoutSize. (r180580)
FrameView::paintContents() is not called for composited content (r166015 + r166018)
Repeating background images should continue into margin tiles (r162098)
Margin tiles are not repainted when background color changes (r161570)
call to setNeedsLayout during RenderVideo::paintReplaced (r132398)
When paged-x/y is specified on the root, columnGap is ignored, and garbage pixels are likely (r126840)
Subpixel rendering: Make GraphicsContext::drawImageBuffer* functions float based. (r166455)
If you set a tiled cross-faded-image or a tiled gradient as a background layer, -webkit-background-blend-mode doesn't work. (r162442)
[CSS Background Blending] Background layer with -webkit-cross-fade doesn't blend (r162348)
GradientImage should be called GradientImage (r156226)
[CSS Background Blending] Gradients don't blend with any of the layers behind. (r151547)
Add platform support for -webkit-background-blend-mode to CG context (r143046)
GraphicsContext::drawImageBuffer is inefficient (r142123)
inconsistency in drawImage with target rect negative dimensions. (r139911)
Improve the logic for compositing backing store avoidance (r173293)
Subpixel rendering: Adjust cliprect with devicePixelFractionFromRenderer() before painting. (r171165)
Subpixel rendering: Zero sized compositing container's content positioned off by one device pixel. (r171100)
Make sure childContainmentLayer is parented (r166339)
Subpixel rendering: Incorrect repaint rect cuts off content's right edge after move. (r165050)
REGRESSION(r164412): Pixel cracks when zooming in to any web content. (r164532)

Apr 18, 2019
============
Subpixel layout: remove roundedLayoutPoint/roundedLayoutSize functions. (r172948)
Subpixel rendering: Device pixel round accumulated subpixel value when the RenderLayer with transform paints its content. (r165127 revisited)
Subpixel layout: Clean up LayoutPoint class. (r163973)
Remove LayoutTypes abstraction (r133779)
Floored and truncated rounded confused. (r125167 partial revisited)
Ambiguous naming: Do not call replacedContentRect()'s return value paint rect. (r179488)
Subpixel layout: Rename LayoutSize's device pixel snapping functions. (r173037)
[CSS Blending]The background images set on the root element will blend on an initial white backdrop. (r170841)
REGRESSION (r166784): Gradient at background of iCloud login page doesnt go all the way to the bottom (r167637)
Subpixel rendering: Move background images to device pixel boundaries. (r166784)
Subpixel rendering: Transition class CSSImageGeneratorValue/class StyleImage (and its dependencies) from IntSize to FloatSize to enable subpixel sized (generated)images. (r166642)
Subpixel rendering: Make <img> positioning subpixel aware. (r166100)
Subpixel rendering: Transition class Image (and its dependencies) from int to float to enable subpixel positioned/sized images. (r166582)
Subpixel rendering: Fix bleed avoidance subpixel calculation. (r164556)
-webkit-cross-fade paints SVGs at full opacity during cross-fade (r157045)
Remove platform/graphic's Generator (r150053)
[subpixel] Change intrinsicSize to LayoutUnit (r133172)

Apr 17, 2019
============
Update the background blending implementation to match the changes done in the spec. (r150503)
[Cairo] fillRectWithColor with Color::transparent doesn't perform anything (r135737)
REGRESSION: Hit testing of composited elements is broken in new multicolumn layout. (r169651)
[iOS] WKPDFView should have a page indicator (r169290)
REGRESSION (174986): CSS clip property is ignored when border-radius is present. (r176432)
REGRESSION: Google Search (mobile) video thumbnails are too large. (r174986)
REGRESSION (r163382): Overflow hidden for inner elements breaks blurring (r172146)
Subpixel rendering: InlineTextBox mistakenly rounds offset value before painting. (r172008 complete revisited)
Subpixel rendering: Region painting needs to take subpixel accumulation into account. (r171896)
Subpixel rendering: Embedded non-compositing rotate transform paints to wrong position. (r171210)
Subpixel rendering: icloud.com password arrow has clipped circle at some window sizes. (r170877 + r171000)
Subpixel rendering: Background clipping with subpixel behaves differently when composited. (r170563)
Make offset from ancestor computation explicit by moving it to the callers. (r170282)
[iOS] Fixed items are sometimes clipped after rubber-banding (r168670)
Some fixed position elements disappear in WK2 on iOS (r163157)
Left sidebar on cubic-bezier.com flickers (r158934)
Non-painting fixed elements should not cause repaints on scroll (r147120)
Rubberband scrolling on news.google.com causes text to blink repeatedly (r141221)
Should update compositing state when an out-of-view fixed position element becomes in-view (r140593)
Allow position:sticky elements to be moved by the scrolling thread (r138076 partial)

Apr 16, 2019
============
Subpixel rendering: Make webkit-box-shadow painting subpixel aware. (r169257)
Subpixel rendering: RenderLayer's clipping should snap to device pixel boundaries. (r167562)
[GTK][WPE] border-radius with non visible border doesn't work on images that have their own RenderLayer (r219445)
[CSS Filters] When applying an SVG filter on a composited image using CSS the image is rendered without the filter (r196571)
[DFG] Remove duplicate 32bit code more (r230517 partial revisited)
Subpixel rendering: border-radius painting falls back to rectangle at subpixel positions. (r165670 + r165671)
Subpixel rendering: Make border-radius painting device pixel aware. (r165065)

Apr 15, 2019
============
Subpixel rendering: Make GraphicsLayer::fillRect FloatRoundedRect based and cleanup dependencies. (r165055)
Box-shadow displayed improperly with border-radius. (r145044)
border-radius with box-shadow is not rendered correctly (r139256)
box-shadow creates incorrect shadow when border-radius is too large (r125304)
Composited frames incorrectly get requestAnimationFrame throttled (r225554)
[New Multicolumn] Elements with rounded corners and overflow:hidden do not properly clip their content (r170566)
Fall out of simple image layer optimization if the image has EXIF rotation (r153797)
Allow ports to decide whether an image should be directly composited (r134147)
Remove special case for transparent SVG root layers (r169368)
<svg> with opacity and compositing double-applies its opacity (r168651)
[GTK] [EFL] Enable tiled shadow blur for the inset shadows. (r153898)
Add platform support for -webkit-background-blend-mode to CG context with background color (r149010)
[Qt] Create ShadowBlur on demand. (r147750)
Content of replaced elements should be trimmed to the content edge curve. (r131557)

Apr 12, 2019
============
Subpixel rendering: Rounded rect gets non-renderable at certain subpixel size. (r171640)
Assertion failed: CGPathAddRoundedRect asserts on non-renderable rounded rectangle. (r170458)
Transition layer offsets from LayoutPoint to LayoutSize. (r170273)
Introduce RenderLayer::offsetFromAncestorLayer() to make convertToLayerCoords() calls with (r170220)
Subpixel rendering: Pixelsnapping empty rounded rect results in NaN radii width/height. (r169716)
Subpixel rendering: border-radius painting falls back to rectangle when the snapped rounded rect becomes non-renderable. (r169620)
REGRESSSION(r168528) Subpixel rendering: Selection rect is not positioned properly when SVG text is selected. (r168687)
REGRESSION (r168095): 1-pixel gap between adjacent selection inlines (r168528)
Subpixel rendering: Inline text selection painting should not snap to integral CSS pixel position. (r168095)
[JSC] op_has_indexed_property should not assume subscript part is Uint32 (r244211)

Apr 11, 2019
============
[Compositor] Do not disable overlap testing for layers in front of 3D transformed layers (r139794)
Element is displayed behind a composited layer when clipping is used on a previous element (r139493)
[CSS Blending] Replacing Unisolated with NotIsolated in variables and methods names (r168468)
[CSS Blending] Blending doesn't work if the parent stacking context is not a self painting layer (r168462)
Incomplete body painting when using blend modes (r167796)
Subpixel rendering: RenderLayer's size is set using enclosingRect() which can result in cruft. (r167582)
[CSS Blending] Isolation descendant dependent flags are not updated correctly (r167424)
[CSS Blending] Compositing requirements for blending are not computed correctly (r166634)
[CSS Blending] Blending operation is not isolated when setting z-index on parent from javascript (r165970)
[CSS Blending] An element having -webkit-mix-blend-mode should only blend with the contents of the parent stacking context (r164579)
[CSS Element Blending] Implement the software path of -webkit-blend-mode with Core Graphics. (r163955)
Add support for blendmode to Core Animation layer. (r161628)
[Cairo] Incorrectly determining height in GraphicsContext::roundToDevicePixels() (r213219)
Subpixel rendering: roundToDevicePixel() snaps to wrong value. (r185916)
Subpixel layout: Remove LayoutUnit's kEffectiveFixedPointDenominator. (r173135)
Subpixel layout: Rename LayoutPoint's device pixel snapping functions. (r173044)
Remove ENABLE(SUBPIXEL_LAYOUT). (r172758)
Subpixel rendering: Non-compositing transforms with subpixel coordinates paint to wrong position. (r169309)
Contents of directly composited image layers are sometimes missing (r167529)
A TrailingObject's endpoint might get decremented twice (r166412)
InlineIterator position (unsigned int) variable can wrap around (r166245)
Subpixel rendering: Nested layers with subpixel accumulation paint to wrong position. (r165540 + r165581 rolled out + r165963)
Subpixel rendering: Transform origin is miscalculated when RenderLayer's (r165892)
Fix bug that caused pages with fixed backgrounds to not be fast scrollable (r140233)
Allow fixed background layers to be moved by the ScrollingCoordinator (r140223)

Apr 10, 2019
============
Remove ScrollView::clipsRepaints() which was only used by Chromium (r220781)
Change scrollOffsetForFixedPosition() to do LayoutUnit math (r165484)
Subpixel rendering: Simple compositing container layer (isSimpleContainerCompositingLayer) paints to wrong position. (r165341)
Subpixel rendering: Setting content to opaque on m_graphicsLayer depends on subpixel accumulation. (r165190)
Enable device pixel repaint rect tracking. (r165094)
[mac] Stop using DrawingAreaImpl on PLATFORM(MAC)  (r156793)
[CSS Background] repeat: round should round the number of tiles to the nearest natural number (r156322)
[CSS Masking/Background] Position property should be ignored when using repeat: space (r156097)
compositing/geometry/bounds-ignores-hidden-dynamic.html has incorrect initial rendering (r154470)
Painting of fixed background images is wrong in composited layers (r151623)
REGRESSION (r178156): CSS Parser incorrectly rejects valid calc() in padding-right property (r183765)
ASSERTION FAILED: !valueWithCalculation.calculation() in WebCore::CSSParser::validateCalculationUnit (r178156 revisited)
Assert should never be reached hit in WebCore::CSSCalcPrimitiveValue::doubleValue (r178102)
Crash when creating CSSCalcBinaryOperation (r177089)
Inset box-shadows fail to round around corners when border-radius is set in vh/vw units. (r156466)
CSS Unit vh, vw, vmin and vmax in box-shadow are not applied. (r156318)
Shadows don't support viewport units (r153948)

Apr 09, 2019
============
ASSERTION FAILED: !scope.exception() || !hasProperty in JSObject::get (r244069)
[JSC] DFG should respect node's strict flag (r244067 partial)
[JSC] to_index_string should not assume incoming value is Uint32 (r244057)
Do value profiling in to_this (r226436)
get_by_id_with_this does not trigger a to_this in caller. (r202710)
We need to to_this when an inner arrow function uses 'this' (r202693)

Apr 08, 2019
============
REGRESSION (r164449): Subpixel rendering: http://www.apple.com/iphone-6/ "Faster wireless." image displays vertical black line on 1x displays at specific window width. (r183950)
Subpixel rendering: Enable compositing RenderLayer painting on device pixel position. (r164449)
Rename 'IntSize toSize(const IntPoint&)' to 'toIntSize' (r139045)
SIGSEGV in JSC::BytecodeGenerator::addStringConstant (r243948 partial)
test262: test262/test/annexB/language/comments/multi-line-html-close.js (r215235)
[JSC] OSRExit recovery for SpeculativeAdd does not consier "A = A + A" pattern (r243959)

Apr 05, 2019
============
[JSC] makeBoundFunction should not assume incoming "length" value is Int32 because it performs some calculation in bytecode (r243925)

Apr 04, 2019
============
NULL ptr in WebCore::RefCountedPropertyWrapper<WebCore::ClipPathOperation>::blend (r155105)
ScrollingStateNodes should be referenced via IDs on RenderLayerBacking (r130783)
Add rudimentary support for move-only types as values in HashMap (r155621 rolled in)
HashSet should work with move only types (r155577 rolled in)
[JSC] don't crash when arguments to `new Function()` produce unexpected AST (r207684)

Apr 03, 2019
============
Subpixel rendering: Make GraphicsLayer's offsetFromRenderer subpixel position based. (r164415)
Subpixel rendering: Make GraphicsLayer::paintGraphicsLayerContents()'s cliprect FloatRect based. (r164412)
Subpixel rendering: Switch repaint rect from IntRect to LayoutRect to be able to repaint on device pixel boundaries. (r163944)
Subpixel rendering: Make GraphicsLayerClient::paintContents's clip rect subpixel based. (r163931)
REGRESSION (r155660): box-shadow causes overlay scrollbars to be in the wrong position when element is composited (85647) (r159082)
Video with object-fit: cover can spill outside the box (r154921)
Unnecessary use of Layout types in GraphicsLayer::paintGraphicsLayerContents (r151319)
Dropdowns on http://www.exploratorium.edu don't show anything (r149969)
Implement coordinated scrollbar for subframes and overflow:scroll (r144024 + r144799 + r144823)
Elements that dynamically become fixed sometimes jump to the top left on scrolling (r141330)
Some ScrollingCordinator-related cleanup in RenderLayerBacking (r139802)
Use toSize() to convert from Int/FloatPoint to Int/FloatSize (r139037 complete revisited)
Pages with position:fixed elements should still be able to scroll on the scrolling thread -and corresponding- (r133536 partial)

Apr 03, 2019
============
  => Passed JIT tests/ACID3/ACID2/Asteroidbench/CanvasMark/html5test/css3test/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.8.2.

Apr 03, 2019
============
Weak should have a move constructor and move assignment operator (r156469 rolled in)
OwnPtr: Use copy/move-and-swap for assignment operators (r155526 rolled in)
Clang doesn't optimize away undefined OwnPtr copy constructor (r128203 rolled in)
RadioNodeList should be exposed on Window (r148869)
Use toSize() to convert from Int/FloatPoint to Int/FloatSize (r139037 partial)
CodeBlock::jettison() should disallow repatching its own calls (r243626 rolled out)

Apr 02, 2019
============
Vector with inline capacity should work with non-PODs (r164185 complete revisited)
VectorBuffer::swap doesn't need to use std::swap_ranges (r155542)
More WTF/Alignment.h removal (r155484 partial)
Shrink baseline size of WTF::Vector on 64-bit by switching to unsigned capacity and size. (r148891)
Remove Vector::dataSlot(), it has no implementation (r143254)
Make Vector(const Vector<T, otherCapacity, otherOverflowBehaviour>&) constructor explicit (r183065)

Apr 01, 2019
============
Assertion failure in Range::nodeWillBeRemoved (r162492)
Weak should have a move constructor and move assignment operator (r156469 rolled out)
It should be an error to use adoptPtr with RefCounted subclasses (r149341)
Clang doesn't optimize away undefined OwnPtr copy constructor (r128203 rolled out)
Subpixel rendering: InlineTextBox mistakenly rounds offset value before painting. (r172008 partial)
Fix assertion failure with simple line layout debug borders enabled. (r169041)
Subpixel rendering: Simple line layout should not round to integral position while painting. (r166456)
Subpixel rendering: Change RenderBoxModelObject's border functions' signature to support subpixel border painting. (r163171)
Subpixel Layout: SimpleLineLayout needs more position rounding to match InlineFlowBox layout. (r162553)
Subpixel layout: RenderInline is not centered when child RenderTextControl's innerTextRenderer needs bias centering. (r162791)
Subpixel layout: setSimpleLineLayoutEnabled() produces different layout when line position has CSS px fractions. (r162340)
Reuse floating point formatting of TextStream in [SVG]RenderTreeAsText.cpp (r128564)
[iOS][WebKit2] Mark layer contents as being opaque if they are (r165863)
At some scales, opaque compositing layers have garbage pixels around the edges (r159463)
[Sub pixel layout] RTL cells with padding wraps (r139807)
REGRESSION(SUBPIXEL_LAYOUT): el.offsetWidth < el.clientWidth for elements of a certain size (r139013)
Assertion failed in JSC::createError (r243665)
JSC::createError should clear exception thrown by errorDescriptionForValue (r243335)
JSC::createError needs to check for OOM in errorDescriptionForValue (r243246)
String overflow in JSC::createError results in ASSERT in WTF::makeString (r239375)

Mar 31, 2019
============
Add rudimentary support for move-only types as values in HashMap (r155621 rolled out)
Remove redundant calls to ceilToFloat in RenderBlock::computeInlinePreferredLogicalWidths (r151445 + r151446)
LayoutUnit::epsilon shouldn't be necessary to place floats (r143357 revisited)
Float imprecision causes incorrect wrapping in LineLayout with subpixel layout (r124295 revisited)

Mar 30, 2019
============
Ruby overhang uses ints instead of floats (r177398)
[Subpixel] Use floats instead of ints for text justification expansion (r174233)
Unexpected word wrapping for wrapped content then raw content. (r156536 + r157100 rolled out)
Background images can incorrectly repeat with sub-pixel layout (r132731)
[Chromium] SVG repaint issues (r132377)

Mar 29, 2019
============
CodeBlock::jettison() should disallow repatching its own calls (r243626)
Reduce LayoutRect::infiniteRect() usage. (r178541)
Subpixel rendering: Make PaintInfo layout unit aware. (r162732)
Add {IntRect, FloatRect}::infiniteRect() and ::isInfinite() (r161381)
REGRESSION(SUBPIXEL_LAYOUT) Composited layers can cause one pixel shifts (r154009)
Make WorkerThread lifetime much more predictable. (r225343)
NavigatorBase::onLine() accesses NetworkStateNotifier's singleton in a worker thread (r224321 partial)
BreakingContext::handleReplaced() should use replacedBox instead of m_current.renderer(). (r218989)

Mar 28, 2019
============
Remove two unnecessary mallocs from the main-thread-parser code path (r144544)
XSSAuditor should use threadSafeMatch when relevant. (r144425)
Continue making XSSAuditor thread safe: Remove unsafe AtomicString compares (r141686)
Cut down on calls to String::lower; mostly replace with convertToASCIILowercase (r195951 partial)
HashSet should work with move only types (r155577 rolled out)
ASSERTION FAILED: layoutState->m_renderer == this in WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage (r209158)

Mar 27, 2019
============
Leak of SVGFontFaceElement when RenderStyle holds onto a FontRances which uses it (r243483 partial)
Correct handling of isolatedWorld in event handling (r215486)
Refactor LazyEventListener creation to separate Element and Document cases (r196888)

Mar 26, 2019
============
Overwriting an attribute event listener can lead to wrong event listener firing order (r206889)
Use FocusEvent.relatedTarget in {FocusIn,FocusOut,Focus,Blur}EventDispatchMediator. (r142719)
Factor EventContext and introduces MouseOrFocusEventContext. (r142575)
{FocusIn,FocusOut,Focus,Blur}EventDispatchMediator should be in FocusEvent.cpp (r142329)
Support a relatedTarget attribute on focus/blur events (r142240)
Implement FocusEvent constructor (r142205)
WebKit's focus events are UIEvents (instead of FocusEvent) and thus don't expose .relatedTarget (r142072)
Implement pseudoElement attribute on transition DOM events. (r141119)
Event dispatch: Avoid heap allocations in ensureEventAncestors() typical case. (r137680)
Event's relatedTarget re-targeting does not occur for manually fired mouse events created by event.initMouseEvent(). (r136918)

Mar 25, 2019
============
DOMTokenList update steps for classList don't follow the spec (r189632)
Add relList to the anchor, area and link elements (r175028)
Placate exception check validation in genericTypedArrayViewProtoFuncLastIndexOf(). (r243391)
Fix missing exception check in genericTypedArrayViewProtoFuncSet(). (r211246)
Fix exception scope verification failures in runtime/JSGenericTypedArrayView* files. (r209031)
%TypedArray%.prototype.indexOf is coercing non-integers or non-floats to numbers wrongly (r203297)
ECMAScript 2016: %TypedArray%.prototype.includes implementation (r203037 + r203046 rolled out + r203107)

Mar 22, 2019
============
Cancel pending script loads when service worker is being terminated (r226398 partial)
[Fetch API] isRedirected should be conveyed in workers (r203153)
fourthTier: get rid of op_call_put_result (r153200 partial revisited)
[WebIDL] Remove custom binding for the named Image constructor (r209987 rolled in)
[Web IDL] Specify default values for optional parameters of type 'unsigned long' (r200110)
Drop Dictionary from CanUseWTFOptionalForParameter() (r200099)
[Web IDL] Specify default values for optional parameters of TypedArray types (r200088)

Mar 21, 2019
============
JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap (r243299)
Rename RenderStyle::fontSize() to RenderStyle::computedFontPixelSize() (r219544)
HTML <sub> and <sup> elements do not work in some 64-bit builds (r172317)
<marquee> element forces itself to be at least 1em high, regardless of 'height' declaration (r130541)
Devirtualize FontData (r178388)
FontCache should only deal with SimpleFontData (r178180)
Add SPI for telling WebKit to prefer pictograph glyphs over monochrome ones (r157265)
CSSSegmentedFontFace does not need to be reference counted (r196388)
DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty (r243278)
typeOfDoubleSum is wrong for when NaN can be produced (r243277)
GetCallee does not report the correct type in AI (r243268)

Mar 20, 2019
============
CSSSegmentedFontFace::fontRanges() does not handle duplicate fonts correctly (r188114)
[WebCore] Clean up script loading code in XML (r208840)
A 'load' event should be fired on the shadow host directly, not on an inner image element of shadow dom subtree. (r125727)
Align the event listener firing code with the latest DOM Specification and simplify it (r204459)
Implement DOM3 wheel event (r154673 partial)
Enable DOM class create functions to take parameters in case of JSBuiltinConstructor (r197642 partial)
Remove the inline capacity of Operands (r243088)

Mar 19, 2019
============
Setting URL.search to '' results in a stringified URL ending in '?' (r217004)
URL hash setter does not remove fragment identifier if argument is an empty string (r202176)
Clean up some edge cases of URL parsing. (r149925)
<object data="<some data URL>"> MIME types aren't case-insensitive (r149466)
[Web IDL] Drop support for legacy [ConstructorConditional=*] (r207279)
[Web IDL] interface objects should be Function objects (r196392 complete revisited)
WebIDL generator should support the possibility for C++ classes to have a JS Builtin constructor (r194100 complete revisited)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 complete revisited)
Finalize bug 149952 patch (r191238)
Binding generator should use templated JSXXConstructor (r191176 + r191316)
Rationalize JSXXConstructor class definition (r190785 + r190803)

Mar 18, 2019
============
[JSC] Retain PrivateName of Symbol before passing it to operations potentially incurring GC (r242991 partial + r242999 partial)
[JSC] Add a JSONStringify overload that receives a JSValue space (r236660)
Unreviewed, check scope after performing getPropertySlot in JSON.stringify (r233987)
JSON.stringify should emit non own properties if second array argument includes (r233924)
[JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks (r233918)
[JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable (r233917)
[JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function (r231839)
ASSERTION FAILED: regexp->isValid() or ASSERTION FAILED: !isCompilationThread() (r242955)
Fixup uses KnownInt32 incorrectly in some nodes (r242954 partial)
DFG liveness can't skip tail caller inline frames (r242945)

Mar 08, 2019
============
Setting Window.opener to null should disown its opener (r226842)
Drop custom bindings code now window.open() (r216615)
Drop custom bindings code for Window.location setter (r216534)
Refactor / Clean up DOMWindow.idl (r216479 partial)
[JSC] Remove merging must handle values into proven types in CFA (r242627)
[JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL (r242626)

Mar 07, 2019
============
We need to clear cached structures when having a bad time (r229161 partial)
BytecodeGenerator::m_finallyDepth should be unsigned. (r210119)
BytecodeGenerator should not iterate its m_controlFlowScopeStack using a pointer bump. (r212640)
De-duplicate finally blocks. (r210116)
Rename BytecodeGenerator's ControlFlowContext to ControlFlowScope. (r209728)
Implement font-stretch for installed fonts (r213267 partial)
SegmentedVector should waste less memory. (r185663)
[JSC] AI should not propagate AbstractValue relying on constant folding phase (r242568)

Mar 06, 2019
============
[JSC] Should check exception for JSString::toExistingAtomicString (r242500)

Mar 05, 2019
============
Expose crypto.getRandomValues to Web Workers (r204481)
window.Crypto is missing (r199159)
Document should be constructable (r164036 + r164099)
Treat some CSS properties as keyword properties (r205888)
Remove webkit prefix from CSS columns. (r175421)
Stop pretending to support <string> for text-align. (r153389)
Add support for the column-fill property (r157458)
Rename WorkerContext to WorkerGlobalScope (r152080)

Mar 04, 2019
============
Remove the unused *Executable::unlinkCalls() and CodeBlock::unlinkCalls() (r188972)

Mar 04, 2019
============
Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js (r218414 complete revisited)
Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate(). (r215885 partial revisited)
IntlObject should not be using JSArray::initializeIndex(). (r214637)
IntlObject uses JSArray::tryCreateUninitialized in an unsafe way (r211043)
Property setters should not be called for bound arguments list entries. (r210563)
[INTL] Implement Intl.getCanonicalLocales (r206837)
Speed up Function.prototype.bind a bit by making it a builtin (r205848)
Speed up bound functions a bit (r199946 partial)
  => Passed JIT tests and Asteroidbench/CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Mar 01, 2019
============
GC constraint solving should be parallel (r225524 partial - SlotVisitor m_opaqueRoots should use PtrHashSet)
WorkerGlobalScope's self, location and navigator attributes should not be replaceable (r200375)
Remove [NoInterfaceObject] from WorkerGlobalScope (r152100 complete revisited)
Add Vector::removeFirstMatching() / removeAllMatching() methods taking lambda functions (r179791 partial)
Add removeFirst(value) / removeAll(value) methods to WTF::Vector (r179599 partial)
CSSValueList should never contain null values. (r172536)
Drop the [EventTarget] WebKit-specific IDL extended attribute (r196568)

Feb 28, 2019
============
Binding generator should support interfaces with CustomConstructor and NoInterfaceObject (r184872 + r184886 rolled out + r184953)
Merge [NoInterfaceObject] and [OmitConstructor] extended attributes (r151207)
[ES7] Introduce exponentiation expression (r203499)
[WebIDL] Remove custom binding for the named Image constructor (r209987 rolled out)
Modern IDB: Lots of IDB bindings cleanup (including making IDBVersionChangeEvent constructible). (r199750)
Remove old WebKit Animation API code (r137243)
The parser is failing to record the token location of new in new.target. (r242193 partial)

Feb 27, 2019
============
[WebIDL] Remove custom binding for the named Image constructor (r209987)
Exposing webkitMediaStream as MediaStream (r186697)
Remove custom code for webkitAudioContext global constructor getter (r150663 + r151832)
Have IDL interface names match their global constructor (r150509)
Get rid of Custom code for Audio global constructor (r150311)
Get rid of [CustomGetter] for global named constructors (r150283)
[IDL] Extend support for [EnabledAtRuntime] attributes / operations to all global objects, not just Window (r199103 complete revisited)
Add support for [EnabledAtRuntime] operations on DOMWindow (r199096)
Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings (r199017 partial revisited)
Add [EnabledAtRuntime] extended attribute support for global constructors (r150276)
[WebIDL] Another bindings cleanup pass, this time focusing on attributes (r217507 partial)
EventTarget should visit the JSEventListeners using visitAdditionalChildren (r211238)
CodeGeneratorJS's InstanceNeedsVisitChildren should not return true just because a class is / extends EventTarget. (r217642)
Window's named properties should be exposed on a WindowProperties object in its prototype (r203935 + r204166 rolled out + r204179)
[[GetPrototypeOf]] should be a fully virtual method in the method table (r197648 complete revisited)
REGRESSION (r196563): Images not loading on https://klim.co.nz/blog/paypal-sans-design-information/ (r196961)
Regression(r196563): It is no longer possible to call window.addEventListener without an explicit 'this' (r196588)
Window and WorkerGlobalScope should inherit EventTarget (r196563)
Move generate prototype and constructor classes into the generated implementation files (r170167 partial)

Feb 26, 2019
============
Fast path for casting JSValue to JSDocument*. (r178758)
Remove overrides of visitChildren() that do not add any functionality. (r217645 partial)
Drop WorkerGlobalScope's custom GetOwnPropertySlot() implementation (r200814)
[JSC] Add @throwXXXError bytecode intrinsic (r206853 partial revisited)
stringProtoFuncRepeatCharacter will return `null` when it should not (r206573)
Make builtin TypeErrors consistent (r203393 partial revisited)
padStart/padEnd with Infinity produces unexpected result (r202966)
Unexpected "Out of memory" error for "x".repeat(-1) (r202954)
DFGByteCodeParsing does not handle calling the Object constructor with no arguments correctly (r202487)
Add support for Symbol.isConcatSpreadable (round 2) (r202125 partial)
[JSC] re-implement String#padStart and String#padEnd in JavaScript (r200210)
[JSC] implement spec changes for String#padStart and String#padEnd (r200194)
[JSC] Implement String.prototype.repeat in builtins JS (r198838)
[JSC] fix divide-by-zero in String.prototype.padStart/padEnd (r198695)
[JSC] implement String.prototype.padStart() and String.prototype.padEnd() proposal (r198674)
[JSC] Repeat string created from Array.prototype.join() take too much memory (r242081)

Feb 25, 2019
============
[JSC] SmallStringsStorage is unnecessary (r241954 + r241955)
EdenCollections unnecessarily visit SmallStrings (r178984)
Enhanced GC logging (r166837 partial)
JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState. (r236369 complete revisited)

Feb 25, 2019
============
Add an exception check and some assertions in StringPrototype.cpp. (r241991 partial)
[ES6] Add support for Symbol.isConcatSpreadable. (r198808 + r198844 rolled out + r199128 + r199164 rolled out + r199397 + r200149 rolled out)
  => Passed JIT tests and Asteroidbench/CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Feb 22, 2019
============
[JSC] Use new extra memory reporting in PropertyTable (r?)
[JSC] PropertyTable should report extra memory for its m_index and m_deletedOffsets (r?)
[JSC] Use new extra memory reporting in SparseArrayMap (r236900)
Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add(). (r214857)
Refactored the JSC::Heap extra cost API for clarity and to make some known bugs more obvious (r181407 partial revisited)
[JSC] Array.prototype[Symbol.unscopables] should have the "includes" property (r202943)
ArrayPrototype.map builtin declares a var it does not use (r218674)
Array.prototype.concat should not modify frozen objects. (r207178 partial)
Make @Array(size) a bytecode intrinsic (r204597)
[ES6] Module namespace object should not allow unset IC (r204248)

Feb 21, 2019
============
Indexing an object with an integer that is not a supported property index should not call the named property getter (r191587)
Rename JSDOMWrapper to JSDOMObject and JSDOMWrapperWithImplementation to JSDOMWrapper (r191060)
Refactor binding generator to factor JS DOM class m_impl handling (r190403)
Simplify DOM wrapper destruction, don't deref() in finalizers. (r183523)
Build break since r172093 (r172128)
Make NodeList.length inline-cacheable by JSC. (r167181)
JS DOM wrappers' impl() functions should return references. (r157215)
[JSC] Replace $implClassName with $interfaceName in CodeGeneratorJS.pm (r135256)
REGRESSION(r205374): <li> content inside <ul> should mid-word wrap when word-break: break-word is present. (r215660)
ASSERTION FAILED: !m_committedWidth in WebCore::LineWidth::fitBelowFloats (r205374)
IndexedDB: Assertion failure with open() within upgradeneeded (r133776)
IndexedDB: Pending call cleanup (r129076)

Feb 20, 2019
============
[ListItems] Render tree should be all clean by the end of FrameView::layout(). (r206765)
Add support for the initial-letter CSS property to first-letter (r173217)
Refactor LineLayoutState's float box handling. (r207219)
A floating element within <li> overlaps with the marker (r210239)
Do not position detached list item marker. (r210001)
Use IndentTextOrNot instead of passing isFirstLine/shouldIndentText as bool. (r197462)
Background of an absolutely positioned inline element inside text-indented parent is positioned statically. (r197030)
RenderListItem resets its marker's style on style change even if the diff is StyleDifferenceEqual (r180090)
Clarify RenderListMarker ownership model. (r175505)
ASSERTION FAILED: listNode in WebCore::RenderListItem::updateListMarkerNumbers (r171917)
InlineTextBox's m_len can be an unsigned (rather than an unsigned short) (r170413 + r170947 rolled out)
REGRESSION (r133351, sub-pixel layout): Right-to-left block with text-overflow: ellipsis truncates prematurely (breaks facebook.com Hebrew UI) (r169048 complete revisited)
Crash in RenderBlock::addChildIgnoringAnonymousColumnBlocks. (r166078)
RenderListItem should store its marker in a RenderPtr. (r161183)
Remove unused arithmetic operation in RenderListItem (r151154)
Tighten TextIterator::handleTextNode run-renderer mapping logic. (r217019)
Simple line layout: Use pre-computed simple line runs to produce innerText content. (r182325 complete revisited)
innerText setter inserts empty text node if value starts with newline (r214136)
TextFieldInputType::handleBeforeTextInsertedEvent shouldn't use plainText (r164329)
ASSERTION FAILED: comparePositions(newEnd, newStart) >= 0 in WebCore::ApplyStyleCommand::updateStartEnd (r164104)

Feb 19, 2019
============
Navigating to www.apple.com hits assertion in WebCore::TextIteratorCopyableText::set() (r183835)
REGRESSION (r165385): Crash when applying autocorrection exceeds maximum text area length. (r178462)
Internals should always cause a layout before calling into TextIterator (r155378)
EllipsisBox ctor's isVertical parameter should read isHorizontal. (r203681)
CTTE: EllipsisBox owner renderer is always a RenderBlock. (r155827)
The ellipsis in a text overflow should not avoid floats (r150602 + r151836 rolled out)
REGRESSION (r138196): Regions with text-overflow: ellipsis; are being ellipsized unnecessarily (r138543)
[Regression] text-overflow ellipsis clips content when zoomed (r138196)
paragraphs with different directionality in textarea with unicode-bidi: plaintext are aligned the same (r164867)
Hittest finds the truncated text instead of the floating input, when the input is clicked. (r151894)
Ellipsis text is placed to wrong position, when the truncated text is fully cut off in RTL direction. (r150065)
Text overflow ellipsis wrong color when using webkit-text-fill-color (r144542)
text-overflow:ellipsis is not applied when the block contains nested blocks (r143754)
Redundant ellipsis box triggers ASSERT_WITH_SECURITY_IMPLICATION in InlineBox::parent(). (r217079 + r217092 rolled out + r217164)
Manage EllipsisBox objects with unique_ptr. (r158346)
Rename InlineBox::remove() to removeFromParent (r157367)
JSGlobalLexicalEnvironment leaks SegmentedVector due to lack of destructor. (r201494)
ArrayPrototype should have a destroy function (r196155)
[ARM] Fix crash with sampling profiler (r241758)
[JSC] JSWrapperObject should not be destructible (r241649)
RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved (r241634)
[JSC] CodeBlock::jettison should clear related watchpoints (r241613)
[JSC] Date.setYear() misses timeClip() (r202683)

Feb 15, 2019
============
IndexedDB: Explicitly send null/undefined/integers to frontend IDBCallbacks (r131661)
IndexedDB: Pass type of error causing abort to IDBTransaction::onAbort (r131371)
Use separate style resolver for user agent shadow trees (r190347 revisited partial)
Implement scoped styling for shadow DOM (r190256)
REGRESSION(r154268): Some stylesheet media attribute tests failing (r154284)
Rename StyleElement to InlineStyleSheetOwner and stop inheriting from it (r154271)
Clean up StyleElement (r154268)
Use TextNodeTraversal for getting sheet text in StyleElement (r154242)
Use 'childOfType' template when retrieving Shadow DOM elements (r209145 partial)
IndexedDB: Remove IDBUpgradeNeededEvent, merge with IDBVersionChangeEvent (r140741 + r140934 rolled out + r141013 rolled in)
IndexedDB: Remove IDBVersionChangeRequest (r140602)
IndexedDB: Implement IndexedDB bindings for JSC (r136686 + r140908)
IndexedDB: Remove IDBDatabase.setVersion API (r135904)
IndexedDB: Obtain ScriptState from IDL binding generator (r135471)
IndexedDB: Complex series of opens/deleteDatabase fails an ASSERT (r135226)
IndexedDB: Propagate DOMRequestState to IndexedDB binding utility functions (r134989)
Add DOMRequestState to maintain world/ScriptExecutionContext state (r134632)
IndexedDB: Cursor property value identities should be preserved (r132401)
IndexedDB: Hidden indexing events are visible to script via bubbling/capture (r131967)
IndexedDB: Refactor IDBDatabaseBackendImpl to use IDBDatabaseMetadata (r131832)
IndexedDB: Closing connection in upgradeneeded should result in error event (r131668)
IndexedDB: remove autogenerated objectStore/index id code (r130708)
IndexedDB: promote objectstore/index backend ids to the frontend (r130428)
IndexedDB: Don't wedge if page reloads with pending upgradeneeded (r130199)
IndexedDB: Use ScriptValue instead of SerializedScriptValue for get/openCursor (r128789)
IndexedDB: Calling close() during upgradeneeded handler should fire error at open request (r128674)
IndexedDB: Use ScriptValue instead of SerializedScriptValue when possible (r128379)
IndexedDB: The |source| property of IDBFactory.open() request should be null (r128370)
IndexedDB: Large integer versions not persisted correctly (r127685)
IndexedDB: Throw TypeError for invalid version parameters (r127049)

Feb 14, 2019
============
IndexedDB: Consolidate two-phase connection to avoid race conditions (r128533)
IndexedDB: Move onSuccess(IDBDatabaseBackendInterface) to IDBOpenDBRequest (r126461)
IndexedDB should respect SchemeRegistry's database access setting. (r172603)
IndexedDB: Enforce unsigned long/unsigned long long ranges (r131658)
IndexedDB: fire upgradeneeded even without an explicit integer version (r129037)
IndexedDB: revert int version when version change transaction aborts (r126366)
IndexedDB: Fire error at request when abort is called in upgradeneeded (r126239)
IndexedDB: Frontend and plumbing for integer versions (r125850)
Neutered ArrayBuffers are not properly serialized (r208628 + r208629)

Feb 12, 2019
============
TryGetById should have a ValueProfile so that it can predict its output type (r204992 partial)
Nodes that rely on being dominated by CheckInBounds should have a child edge to it (r241228)
[DFG] Remove duplicate 32bit code more (r230517 partial)
DFG should not use or preserve Phantoms during transformations (r183497 partial)
Remove String::deprecatedCharacters (r166120 complete)
Stop using getCharactersWithUpconvert in JavaScriptCore (r163727)
text-transform: capitalize shouldn't upconvert (r151422)
String::append() should handle two 8 bit strings without converting both to 16 bits (r134677)
String::remove will convert an 8 bit string to a 16 bit string (r130404)
Remove String::deprecatedCharacters (r166120 partial)
Remove some 16bits conversion. (r150985)
Make TextCodecICU not depend on TextEncoding (r149924)
Use Vector instead of StringBuilder for CSSPreloadScanner's buffers (r148772)
StyledMarkupAccumulator::appendText() should not allocate an intermediary StringBuilder (r148770)

Feb 11, 2019
============
TextIterator: Use StringView and references rather than pointers (r165385)
Copying (createMarkup) wrapping text results in space between wrapped lines stripped. (r164047)
Change TextIterator to use StringView, preparing to wean it from deprecatedCharacters (r163712)
nextBoundary and previousBoundary are very slow when there is a password field (r159619)
Moving word boundaries backwards fails when there is a text node starting with an apostrophe (r149058)
canonicalizedTitle() shouldn't convert 8 bit title strings to 16 bit (r133631)
Add 8 bit patch to Document::isValidName() for the non ASCII case (r131403 + r131418 rolled out + r131425)
Remove all uses of deprecatedCharacters from JavaScriptCore (r165703)
Make HexNumber functions return 8-bit strings (r143265)
OpaqueJSString doesn't optimally handle 8 bit strings (r130344 + r130413 + r130931)
[JSC] String.fromCharCode's slow path always generates 16bit string (r241233)
We should only make rope strings when concatenating strings long enough. (r241230 + rr241255 rolled out)
Remove unneeded exception check from String.fromCharCode (r231171)
Fix exception scope verification failures in CommonSlowPaths.cpp/h. (r208936 revisited)
String.prototype.toLowerCase should be a DFG/FTL intrinsic (r206804 revisited)
Finish auditing call sites of upper() and lower(), eliminate many, and rename the functions (r196223 partial)
Remove most uses of deprecatedCharacter in WTF (r165721 + r165772 rolled out + r165792)

Feb 08, 2019
============
XMLHttpRequest should use reportExtraMemoryAllocated/reportExtraMemoryVisited instead of deprecatedReportExtraMemory (r236999)

Feb 07, 2019
============
Heap-use-after-free in WebCore::RenderText::computePreferredLogicalWidths (r139470 revisited)
Heap-use-after-free in WebCore::Document::implicitClose (r138918 revisited)
REGRESSION(r123636): Heap-use-after-free in StyleResolver::collectMatchingRules. (r124089 revisited)
[JSC] Use BufferInternal single character StringImpl for SmallStrings (r241117)

Feb 06, 2019
============
[Win] StaticStringImpl in HTMLNames.cpp aren't constructed (r216566)
Force StaticStringImpl constructor to use the constexpr versions of StringImplShape constructors. (r216512)

Feb 06, 2019
============
We should support the ability to do a non-effectful getById (r199170 partial revisited)
  => Passed JIT tests and Asteroidbench/CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.
  
Feb 05, 2019
============
Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached. (r204305 complete revisited)
Event and EventTarget interfaces don't need to be store as AtomicStrings (r156241)

Feb 04, 2019
============
[DFG] Cleaning up and unifying 32bit code more (r226269 partial revisited)
[DFG] Add JSValueRegsFlushedCallResult (r226260 partial)
SpeculativeJIT::compileTryGetById needs to pass in NeedsToSpill along both the cell speculation and untyped speculation path (r207697)
Crash using @tryGetById in DFG (r200048)
tryGetById should be supported by the DFG/FTL (r199279 partial)

Jan 30, 2019
============
Limit thread name appropriately (r210313)
self.hasOwnProperty() does not work inside Web workers (r201808)
ValueRecovery::recover() should purify NaN values it recovers. (r240681)
[JSC] allow duplicate property names returned from Proxy ownKeys() trap (r198531 complete revisited)
Object.getOwnPropertySymbols on large list takes very long (r187355 revisited)
Introduce UniquedStringImpl and SymbolImpl to separate symbolic strings from AtomicStringImpl (r184828)
PropertyNameArray should use a Vector when there are few entries. (r184120 revisited)
Remove unused things from PropertyNameArray. (r184050 revisited)

Jan 29, 2019
============
Tons of FastMalloc leaks reported by leaks of objects that have already been deallocated (r153455)
Fix cast-align warnings in FastMalloc.cpp (r152349)
Harden FastMalloc against partial pointer overflows (r148587)
Add cookies to FastMalloc spans (r143996 + r144001)
Moar hardening (r143400 + r143424 rolled out + r143488)
Harden FastMalloc (again) (r142536)
releaseFastMallocFreeMemory doesn't adjust free counts for scavenger (r89716 revisited)
Safari often freezes when clicking "Return free memory" in Caches dialog (r87157 revisited)
[ARM] Check for negative zero instead of just zero (r240650)

Jan 28, 2019
============
Crash in JSC::MarkedBlock::FreeList JSC::MarkedBlock::sweepHelper (r144346)
Further harden FastMalloc (r138398)
Harden pointers in FastMalloc's singly linked list implementation (r138293)
Removed incorrect pthread_mutex_trylock code in an ASSERT in TCMalloc_PageHeap::signalScavenger. This branch is used by the Webkit GTK code. (r131066)
NeverDestroyed<String>(ASCIILiteral(...)) is not thread safe. (r216217 partial revisited)
test262: test262/test/built-ins/Date/prototype/Symbol.toPrimitive/name.js (r215399)
Heap-use-after-free read of size 4 in JavaScriptCore: WTF::StringImpl::isSymbol() (StringImpl.h:496) (r185109 complete revisited)

Jan 25, 2019
============
StorageTracker::deleteOrigin being called off the main thread (ASSERTs in inspector/test-harness-trivially-works.html test) (r174014)
refCount() of a StringImpl could be zero if it's static; in that case we shouldn't report extra memory cost (r154145)
NeverDestroyed<String>(ASCIILiteral(...)) is not thread safe. (r216217 partial revisited)
WorkerRunLoop::Task::performTask() needs to null check context->script() before use. (r216953)
WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution(). (r216876)
watchdog m_didFire state erroneously retained. (r189008 partial)
ASSERT(!childItemWithTarget(child->target())) is hit in HistoryItem::addChildItem() (r231450)
Exceptions logged to the JS console should use toString(). (r203334)
Update DOMCoreException to use the description in toString(). (r203333 partial)
Update SVGException to use the description in toString(). (r203328)
Change toString() behavior for exceptions constructed with "createWithDescriptionAsMessage". (r203309 + r203310)

Jan 24, 2019
============
NeverDestroyed<String>(ASCIILiteral(...)) is not thread safe. (r216217 partial)
Use StaticStringImpl instead of StaticASCIILiteral (r210227)
Introduce StringImpl::StaticStringImpl with constexpr constructor (r209179)
SerializedScriptValue should use a compact encoding for 8-bit strings. (r190838)

Jan 23, 2019
============
origin spoofing possible (HTTP Origin, postMessage event.origin) due to inappropriate URL escape sequence decoding (r167480)
SerializedScriptValue may move Identifiers between worlds (r165339)
Add uint8_t specialization for WebCore::writeLittleEndian() (r161903)
Remove some duplicate checks from SerializedScriptValue (r160250)
Blob constructor accepts a sequence (array-like object) as first arg. (r159275)
Set MessageEvent.source to the newly created port for shared workers' connect events (r155959)
Remove special case for MessagePortArray from bindings generator (r150580)
Remove custom code for MessageEvent.ports getter (r150249)
transition-delay and transition-duration return incorrect values when querying using the computed style. (r139070)
WebSocket's MessageEvent.origin attribute is an empty string (r135587)
[JSC] SerializedScriptValue::create() should throw a DataCloneError if input is an unsupported object (r126067)
Returns inconsistent types for el.style.property and el.style.getPropertyValue('color') (r187813)
Support unprefixed animation property names (r176050)
MessagePort should remove its listeners when being closed (r229614)
Recursive MessagePort.postMessage() calls causes tab to become unresponsive (r212609)
ASAN Crash running LayoutTests/inspector/worker tests (r215528)

Jan 22, 2019
============
DataCloneError exception is not thrown when postMessage's second parameter is the source port or the target port. (r160309)
MessagePort::disentangle() takes an ExceptionCode argument without any need (r146130)
fast/events/message-port-clone.html hits ASSERT in Debug (usually in later tests) (r127380)
window.postMessage() / MessagePort.postMessage() throw wrong exception for invalid ports argument (r126286)
Assertion failure in MessagePort::contextDestroyed in http/tests/security/MessagePort/event-listener-context.html, usually attributed to later tests. (r226202)
ScriptExecutionContext::processMessagePortMessagesSoon() should only post task when necessary (r208829)
ScriptExecutionContext::stopActiveDOMObjects iterates a hash map that can change during iteration (for multiple reasons, including GC) (r167579 complete revisited)
Remove upcastPointer from ActiveDOMObject constructor (r146537)
Crash under SchemeRegistry::shouldTreatURLSchemeAsLocal(WTF::String const&) (r228972 partial)
Bad optional access in WebCore::ContentSecurityPolicySource::portMatches (r233036)
CSP: Allow HTTPS URL to match HTTP source expression (r209821)
URL::port should return Optional<uint16_t> (r207769)
Don't run SecurityOrigin's port through URLParser (r207033)
Remove equalIgnoringCase since all callers really wanted equalIgnoringASCIICase (r195743 partial)

Jan 21, 2019
============
Make it possible to call ContentSecurityPolicy::upgradeInsecureRequestIfNeeded() from non-main threads (r230017)
REGRESSION (r209608): Cross-origin plugin document opened in child window blocked by parent window CSP when object-src 'none' is set (r217054)
ASSERTION FAILED: m_normalWorld->hasOneRef() under WorkerThread::stop (r212698)
[CSP] Policy of window opener not applied to about:blank window (r209608)
Cleanup: Remove an extraneous copy of SecurityOrigin (r206122)
[Fetch API] Fetch API should strip fragment and credentials from URLs used as referrer (r204224 complete revisited)
Regression(r199087): window.focus() / window.close() can no longer be called by a Window's opener (r202761)
Get rid of StringCapture. (r201594)
MessageEvent.source window is incorrect once window has been reified (r199087 complete revisited)
Introduce CallWith=Document in binding generator (r198102 partial)
Fix various cases of incorrect cross-thread capture of non-thread-safe RefCounted (r175792)
Add StringCapture helper for thread-safe lambda capture (r174660)
IndexedDB: Remove speculative dispatchEvent crash fix now that root cause is addressed (r141351)
Prevent race condition during Worker shutdown (r140483 complete revisited)
IndexedDB: Prevent crash dereferencing null if script context has stopped (r140027)
`const location = "foo"` throws in a worker (r214145)
Proxy is not allowed in the global prototype chain. (r209149)
Fix exception scope verification failures in *Executable.cpp files. (r208950 partial)
ES6: Implement HasRestrictedGlobalProperty when checking for global lexical tier conflicts (r202734)
JSC should have an option to allow global const redeclarations (r200121)
MovHint must merge NodeBytecodeUsesAsValue for its child (r240223)

Jan 18, 2019
============
MainThreadBridge needs an isolatedCopy() of SecurityOrigin (r206074)
http/tests/fetch/fetch-in-worker-crash.html is sometimes crashing (r204085)
Fix AtomicString regression caused by r201603. (r201637 partial revisited)
The compiler should always register a structure when it adds its transitionWatchPointSet. (r223614)
ScriptExecutionContext::stopActiveDOMObjects iterates a hash map that can change during iteration (for multiple reasons, including GC) (r167579 partial revisited)
DatabaseContext should implement ThreadSafeRefCounted. (r141320)
Change DatabaseContext lookup to be thread-safe. (r141166)
Removed the need for the ProposedDatabase mechanism. (r139078)
Initial refactoring of database functionality into the manager and server. (r138085)
Re-landing patch for "Introducing the DatabaseStrategy and database servers". (r137767 + r137784 rolled out + r137795)
Encapsulate externally used webdatabase APIs in DatabaseManager. (r137520)
[JSC] Do not check isValid() in op_new_regexp (r226209)
[DFG][FTL] NewRegexp shoud be fast (r226134)
[WebCore][JSC] Use new @throwTypeError and @throwRangeError intrinsics (r206870 partial)
[JSC] Add @throwXXXError bytecode intrinsic (r206853 partial revisited)
StringImpl isolatedCopy unnecessarily copies text-segment character data (r138194)
StringObjectUse should not be a structure check for the original string object structure (r240114)
Unreviewed, fix some FIXMEs and add some new ones, based on things we've learned from some recent OSR exit work. (r189070)
REGRESSION(r184260): arguments elimination has stopped working because of Check(UntypedUse:) from SSAConversionPhase (r184288)

Jan 17, 2019
============
IndexedDB: IDB*::keyPath should return IDBKeyPath, not IDBAny (r125730)
IndexedDB: Pass cursor continue results back in callback (r125568)
IndexedDB: new enums and openCursor stub (r125084)
IndexedDB: Size the Vector in encodeInt/encodeVarInt/encodeString (r124865)
[JSC] Use KnownStringUse for GetByVal(Array::String) since AI would offer wider type information and offer non-string type after removing Check(String) (r240024)
ToThis constant folding in DFG is incorrect when the structure indicates that toThis is overridden (r202936)
ToThis should be able to be eliminated in Constant Folding (r200325)
DFG::safeToExecute() cases for GetByOffset/PutByOffset don't handle clobbered structure abstract values correctly (r187487)

Jan 15, 2019
============
IndexedDB: Rename methods and remove dead code from IDBBackingStore (r133858)
IndexedDB: Prepare for IDBBackingStore merge by renaming IDBLevelDBBackingStore.cpp (r133825)
IndexedDB: Remove "current transaction" concept from backing store (r129066)
IndexedDB: IDBObjectStore.count() is slow (r128217)
IndexedDB: generate index keys for existing data in createIndex in front end (r125728)
IndexedDB: add tracing to IDBLevelDBBackingStore (r125627)
IndexedDB: Make leveldb store integer versions and migrate old schemas (r124858)
SVG bindings are improperly being generated with "fastGetAttribute" (r160578)
Bindings generation tests are failing (r152886)
Simplify SVG animated type handling in the JSC bindings generator (r152845)
CodeGen: Make [Reflect] use getIdAttribute and getNameAttribute (r138297)

Jan 14, 2019
============
We need to clear cached structures when having a bad time (r229141)
Refactor layout functions to avoid using flexbox in MathML (r202934)
Phrasing content should be accepted in <mo> elements (r202572)
Remove anonymous in renderName for all MathML renderers but RenderMathMLOperator (r202569)
Refactor RenderMathMLOperator and RenderMathMLToken to avoid using anonymous renderers. (r202420)
Implement RenderMathMLOperator::layoutBlock (r202284)
Bug 130345 - Refine childShouldCreateRenderer for MathML elements (r166065)
Fix handling of <annotation> in MathMLTextElement. (r165739)
Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time (r187214 rolled in)
Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time (r187214 rolled out)
  => defer().then does not work correctly under DFG JIT.

Jan 12, 2019
============
CachedScript cloning does not clone encodedSize (r210546)
Cloned CachedResource should not have an empty response (r209961)

Jan 11, 2019
============
Remove ColorSpaceDeviceRGB and most users of the obsolete deviceRGB colorspace (r225797)
Add Display P3 ColorSpace (r207366)
Use the MathOperator to handle some non-stretchy operators (r202271)
Refactor RenderMathMLRoot layout function to avoid using flexbox (r202168)
Refactor RenderMathMLMenclose. (r199980)
Fix two coding mistakes in MathMLInlineContainerElement::childrenChanged (r199497)
Remove ColorSpace argument to all the drawing calls (r192140)
Use ColorSpaceSRGB for image buffers everywhere (r192138)
Remove -webkit-color-correction CSS property (r188202)
Use constants from wtf/MathExtras.h (r175261)
Menclose with no notation attribute does not display anything. (r163543)

Jan 10, 2019
============
speculationFromCell() should speculate non-Identifier strings as SpecString instead of SpecStringVar. (r238923)
TypeOf should return SpecStringIdent and the DFG should know this (r183548 complete revisited)
JetStream should have a more rational story for jitter-oriented latency tests (r185425 + r185618)
Simplify things like CompareEq(@x,@x) (r187213)
Strict Equality on objects should only check that one of the two sides is an object. (r185920)
Leak of VectorBufferBase.m_buffer (16-64 bytes) under JSC::CompactVariableEnvironment in com.apple.WebKit.WebContent running layout tests (r239755)
Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them (r231477)

Jan 09, 2019
============
MathOperator: Add fallback mechanisms for stretching and mirroring radical symbols (r202161)
Add separate MathOperator for selection/measuring/drawing of stretchy operators (r202156)
RenderMathOperator: Move calculation of preferred width into MathOperator (r201881)
Introduce MathOperator::Type (r201862)
Regression: Event#stopPropagation() does not halt bubbling for webkitTransitionEnd (r150239)
Don't run transitions to or from undefined Lengths (r205659)
REGRESSION (r193610): Drop down menu doesnt expand at allofbach.com (r200622)
Don't run transitions to/from 'auto' values (r200360)
Make Length, LengthSize and LengthPoint blending not use member functions (r200343)
Negative animation-delay is treated as 0s (r200042)
REGRESSION (r187121): Can't get to the main content of the page at https://theintercept.com/drone-papers/ (r193610)
REGRESSION (r187121): Delayed instantaneous animations not honouring ' forwards' fill-mode (r191540)
REGRESSION (r187121): Multiple-keyframe animations not honouring ' forwards' fill-mode (r191502)
Safari mis-applies "animation-fill-mode: forwards" when using fractional iteration count (r187121)
Support unprefixed animation event types (r176423)
Make RenderLayerBacking get the timingFunction of the correct animation. (r167472)
A completed fill-forwards animation should not disable overlap testing (r165977)
Avoid unnecessary vector copy in AnimationController event dispatch. (r157704)
Allow new transitions to run even when controller is suspended (r153396)
Dereference null pointer crash in Length::decrementCalculatedRef() (r152825)
Animations do not restart after exiting page cache (r150862)
Animations and Transitions should not start when globally suspended (r149576)

Jan 08, 2019
============
Unprefix -webkit-min-content, -webkit-max-content and -webkit-fit-content (r213831)
[CSS Parser] Fix grid layout parsing (r208478 partial)
[CSS Parser] Get all the properties turned on (r207479 partial)
Do not attempt to compute min/max width. (r200486)
[css-grid] Move the track sizing algorithm to its own class (r212823)
[css-grid] Changing the argument on fit-content() doesn't cause the grid to be relayout (r207343)
[css-grid] Fix intrinsic maximums resolution with fit-content and auto (r207288)
[css-grid] grid-auto-flow|row should take a <track-size>+ (r203716)
[css-grid] Disallow repeat() in grid-template shorthand (r202972)
[css-grid] Move Grid class out of RenderGrid (r211283)
Safari (WebKit) doesn't wrap element within flex when width comes below min-width (r209068)
Should never be reached failure in WebCore::RenderFlexibleBox::alignChildren (r205102)

Jan 07, 2019
============
[css-grid] Implementing baseline positioning for grid containers (r210792)
[css-grid] Make the grid sizing data persistent through layouts (r210669)
[css-grid] Isolate instrinsic size computation from layout (r210211)
[css-grid] Move Grid into GridSizingData (r210197)
[css-grid] Pass Grid as argument to items' placement methods (r209601)
[css-grid] Move more attributes from RenderGrid to the new Grid class (r209180)

Dec 20, 2018
============
REGRESSION(r177637) [HarfBuzz][GTK][EFL] It made 3 performance tests crash and +24 layout tests crashes/failures (r178115 revisited)
Generic font code should not know about SVG font missing glyph (r177637 revisited)

Dec 19, 2018
============
Force display: block on ::-webkit-media-controls. (r192252)
min-width/height should default to auto for flexbox items (r189567 complete revisited)
REGRESSION (r150516): Media controls are messed up on right-to-left webpages (r154529)
[Mac] Captions menu isn't internationalized, doesn't use rtl layout for rtl languages (r150516)
Closed caption lines overlap (r149438)
Mac: Incorrect rendering of <audio> controls (r145588)
Convert media controls from DeprecatedFlexibleBox to FlexibleBox (r142947)
Regression(r143542): -webkit-align-items: center with overflow: auto/scroll has extra bottom padding (r145736)
Small code cleanup in RenderFlexibleBox (r145457)
Incorrect rendering for flex boxes with percentage height in a table cell (r143542)
[New Multicolumn] fast/multicol/fixed-column-percent-logical-height-orthogonal-writing-mode.html fails (r167727)
Make sure to skip the RenderMultiColumnFlowThread when resolving percentage heights inside columns against containing blocks. (r167353)
[css-grid] Remove Blink-specific code for handling orthogonal grid items (r216574)
[css-grid] Move attributes from RenderGrid to the new Grid class (r208995)
[css-grid] Convert grid representation into a class (r208973)
[css-grid] Isolate size of internal representation from actual grid size (r208962)
[css-grid] ASSERTION FAILED: !m_gridIsDirty in WebCore::RenderGrid::gridRowCount (r208586)
[css-grid] Fix fr tracks sizing under min|max-size constraints (r208531)
[css-grid] Content Alignment broken with indefinite sized grid container (r207663)
[css-grid] Different width of grid container between initial load and refresh (r207460)
[css-grid] Remove the x2 computation of row sizes with indefinite heights (r206253)
[css-grid] repeat() syntax should take a <track-list> argument (r203717)
[css-grid] Positioned items can be placed on the implicit grid (r201545)
[css-grid] Fix static position for positioned grid items (r200572)

Dec 18, 2018
============
[css-grid] Implement fit-content track size (r205966 + r205972 rolled out + r205977)
[css-grid] Update <fixed-size> syntax (r201399)
[css-grid] Stretch alignment doesn't work for orthogonal flows (r204734)
[css-grid] Implement repeat(auto-fit) (r203680)
[css-grid] Handle min-content/max-content with orthogonal flows (r203252)
[css-grid] Fix alignment with content distribution (r200181)
[css-grid] Fix percentage tracks' size computation in grids with gutters (r198486)
ASSERTION FAILED: freeSpace >= 0 in WebCore::RenderGrid::computeTrackSizesForDirection (r192741)
Selector checker should not mutate document and style (r195293 complete revisited)
CSS JIT: finish :nth-last-child() (r180206 partial)
Add the dynamic specificity of the selector list argument when matching :nth-child() and :nth-last-child() (r176623)
Web Inspector: do not show invalid specificity for dynamic cases of :matches() (r176436)
Add the initial implementation of dynamic specificity for :matches() (r176307)
Compute the selector specificity as we match simple selectors (r176152)
Implement the matching for :nth-last-child(An+B of selector-list) (r176084 partial)
Make the Selector's specificity part of Selector matching (r175772 + r175773)
When computing the specificity of selectors, use saturated arithmetic per component (r175576)
Fix the specificity of the extended :not() selector (r175453)
Block of text is missing in iBooks sample books. (r219291)
REGRESSION (r173698): Leaks of selector lists in CSS parsing (r179258 partial)
CSS4 Selectors: Add the pseudo class :any-link (r175301)
CSS Selectors Level 4: Implement :matches in SelectorChecker (r174811)
Update :nth-child(An+B of selector-list) to the latest specification (r174613)
Add the baseline implementation of :not(selectorList) (r174535)
Web Inspector: Highlighted selectors in Rules sidebar break with selectors that contain nested selector lists (r174379)
CSS Selectors Level 4: Add parsing for :matches (r174259)
Add the baseline implementation of :nth-child(An+B of selector-list) (r173853)
Add parsing for :nth-child(An+B of selector) (r173698)
CSS value in whitespace-separated list attribute selector (~=) mishandles tab/newline/etc. (r173697)

Dec 17, 2018
============
[css-grid] Do not recursively call layout during auto repeat computation (r205114)
[css-grid] Const-ify track sizing algorithm (r203220)
[css-grid] Inline size is never indefinite during layout (r202974)
[css-grid] Empty grid without explicit tracks shouldn't have any size (r201510 complete revisited)
[css-grid] Simplify grid track sizes parsing (r201373 + r201378 rolled out + r201382)
[css-grid] Refactor populateGridPositions() (r201379)
[css-grid] Fix behavior of flexible track breadths (r201325)
[css-grid] Show auto-repeat line names in ComputedStyle (r200821)
[css-grid] Implement auto-repeat computation (r200618)
[css-grid] Add support for position resolution with auto-repeat tracks (r200368)
Null pointer dereference in JSC::WriteBarrierBase() (r239256)
LiteralParser has a bunch of uses of String::format with untrusted data (r239248)
[css-grid] grid shorthand should not reset the gutter properties (r221668)
[css-grid] The 'grid' shorthand has a new syntax. (r206161)
[css-grid] Unprefix CSS Grid Layout properties (r200510)
[css-grid] Store auto-repeat information in style (r200182)
[css-grid] Add parsing support for <auto-repeat> syntax (r199343)
[css-grid] Fix order of grid shorthands in CSSPropertyNames.in (r197511)
[css-grid] Swap the order of columns/rows in grid-gap shorthand (r197022)
[css-grid] Rows track sizes are optional in grid-template shorthand (r196978)
[css-grid] Swap columns and rows in grid-template shorthand (r196934)
[css-grid] Swap columns and rows in grid shorthand (r196906)
[css-grid] grid shorthand must reset gap properties to their initial values (r195529)
[CSS Grid Layout] Switch from parenthesis to brackets for grid line names (r185147)
[CSS Grid Layout] Mark grid shorthands as layout dependent (r183913)
[CSS Grid Layout] Crash at CSSParser::parseGridTemplateRowsAndAreas (r173615)
Update the CSS Grammar selector names to get closer to the latest terminology (r173011 partial)
[CSS Grid Layout] Update named <grid-line> syntax to the last version of the specs (r166157 complete revisited)

Dec 14, 2018
============
Move selection and drawing of stretchy operators into a separate MathOperator class (r201854)
Shrink MathMLOperatorDictionary::dictionary table (r175221)
Skipping {}, () and [] blocks while error recovering in CSS (r151510)
Add CSS parsing recovery to functions (r151488)
Autoclose braces and parentheses at the end of style sheet (r151424)
Refactor CALCFUNCTION rules in the CSS grammar (r151395)
Allow nesting of at-rules (r139594)
[CSS Regions] @region rules inside media queries are ignored (r138854)
Add a missing exception check. (r239198)
CSSValueList: Reserve the exact amount of space needed when constructing from CSS parser. (r125968)

Dec 13, 2018
============
RenderTextControlSingleLine shouldn't mutate placeholder element inline style (r197637)
REGRESSION (r172826): Password field placeholder text is missing if placeholder attribute precedes type attribute (r176082)
Reduce style marking when using the pseudo class :placeholder-shown (r172933)
CSS: Implement the :placeholder-shown pseudo-class from Selectors Level 4 (r172826)
OOM Assertion failure in JSON.stringify. (r202173)
StringBuilder::appendQuotedJSONString doesn't properly protect against the math it's doing. Make the math fit the assertion. (r201121)
Remove String(RefPtr<StringImpl>) constructor (r155115)
Make StringBuilder::toAtomicString() consistent with StringBuilder::toString() for strings of length zero (r141917)
StringBuilder::append(UChar) with an 8 bit quantity shouldn't change the contents to 16 bits (r133726)
StringBuilder::append(StringBuilder&) doesn't take into account the bit size of the argument string (r131250 revisited)
Make it easier to append a literal to StringBuilder (r125936)

Dec 12, 2018
============
Slider thumb style should not depend on renderers (r197502)
Text control shadow element style shouldn't depend on renderers (r197401)
Use scope stack instead of nested TreeResolvers for shadow trees (r196215)
Inner text element should not use -webkit-user-modify (r164526)
m_ancestorDisabledState should never be unknown (r164475)
fieldset:disabled fieldset > legend:first-child input should be disabled (r164407)
fieldset:disabled > legend:first-child legend input should not be disabled (r164403)
[css-grid] CRASH when getting the computed style of a grid with only absolutely positioned children (r201919)
[css-grid] Empty grid without explicit tracks shouldn't have any size (r201510 partial)
RenderMathMLOperator: refactor management of stretchy data and italic correction (r200569)
RenderMathMLOperator refactoring: introduce getBaseGlyph and remove parameter from getDisplayStyleLargeOperator (r200185 + r200186 rolled out + r200187)
[css-grid] Fix grid-template-columns|rows computed style with content alignment (r199981)
[css-grid] Use the margin box for non-auto minimum sizes (r199728)
[css-grid] Fix positioned items with content alignment (r199657)
[css-grid] Add method to translate RTL coordinates (r199655)
[css-grid] Fix positioned items with grid gaps (r199223)
[css-grid] Content box incorrectly used as non-auto min-height (r199153)
[css-grid] Fix positioned children in RTL (r199098)
[css-grid] Refactor positioned children code (r198834)
[css-grid] Remove unneeded lines in offsetAndBreadthForPositionedChild() (r198732)
[css-grid] Rename GridSpan properties (r198399)
[css-grid] Fix placement for unknown named grid lines (r197930)
[css-grid] Allow to place positioned grid items on the padding (r197857)
[css-grid] Fix auto-track sizing with min-size:auto and specific sizes (r197854)
Multiple refactors in RenderMathMLOperator (r174678 complete revisited)
[regression] background colors do not apply to <mo> elements. (r166170)

Dec 11, 2018
============
String(Vector) behaves differently from String(vector.data(), vector.size()) for vectors with inline capacity in the size=0 case (r142894)
REGRESSION(r142712): attribute values show up as "(null)" instead of null with the threaded parser (r142863)
Fix HTMLToken::Attribute member naming and update callsites to use Vector-based String functions (r142712)
Teach more WTF string classes about vectors with inline capacity (r142689 revisited)
@font-face rules with invalid primary fonts never download their secondary fonts (r218157 + r218264 rolled out + r218733 partial)
[Font Loading] Crash during font download failure after garbage collection (r201358)
PropertyAttribute needs a CustomValue bit. (r239062 partial)
Error instances should not strongly hold onto StackFrames (r232314 partial)

Dec 10, 2018
============
Support size_t multiplication and division operators on LayoutUnit (r138952)
[css-grid] Pass GridSizingData instead of columnTracks to track sizing methods (r199341)
[css-grid] Rename GridCoordinate to GridArea (r198210)
[css-grid] Rename GridResolvedPosition to GridPositionsResolver (r198207)
[css-grid] Initial support for implicit grid before explicit grid (r197850)
[css-grid] Simplify method to resolve auto-placed items (r197501)
[css-grid] Get rid of GridResolvedPosition (r197400)
Setting up OrderIterator shouldn't require an extra Vector (r169372)
[css-grid] Avoid duplicated calls to resolution code (r196983)
[css-grid] GridSpan refactoring (r196691)
[css-grid] Store lines instead of tracks in GridResolvedPosition (r195808)
[CSS Grid Layout] Remove old FIXME in RenderGrid::placeItemsOnGrid() (r180500)
REGRESSION(r194143): Float width incorrectly calculated on Wikipedia (r194558)
Fix computation of min|max-content contribution of non-replaced blocks (r194143)
[css-grid] Stretch should grow and shrink items to fit its grid area (r213449)
[css-grid] Fix intrinsic size computation with flexible sized tracks (r205960)
[css-grid][css-align] justify-self stretch is not applied for img elements (r195284 complete revisited)
[css-grid] Fix height computation of grid items with borders (r194030)
[css-grid] Fix height computation of grid items with borders inside fr tracks (r193413)
[CSS Grid Layout] inline margins not honored when not using stretch in row-axis alignment (r192573 complete revisited)
[css-grid] Fix alignment with gutters and negative free spaces (r192512)
[css-grid] Refactor cachedGridCoordinate() to cachedGridSpan() (r192156)
[css-grid] Improve grid container sizing with size constraints and intrinsic sizes (r192154)
[css-grid] Fix availableLogicalSpace computation with non-zero baseSize flex tracks (r191385)
[css-grid] Include freeSpace in GridSizingData struct (r190784)
[css-grid] Remove unneeded calls to compute(Content)LogicalWidth(Height) (r190783)
[css-grid] Percentages of indefinite sizes to be resolved as auto (r190721)
[CSS Grid Layout] Modify grid item height doesn't work (r190665)
min-width/height should default to auto for grid items (r189708)
ASSERTION FAILED: growthShare > 0 in WebCore::RenderGrid::distributeSpaceToTracks (r175314)

Dec 07, 2018
============
Floating box is misplaced after content change. (r191610)
[CSSRegions] Incorrect layout of a region pseudo children (r162508)
Update flexbox to Blink's tip of tree (r213149 partial)
Rename Length::isPercent() and Length::isPercentNotCalculated(). (r184055 complete revisited)
Fix viewport units in Media Queries (r183404)
ASSERTION NOT REACHED because RenderStyle::setWordSpacing() does not handle a Length value of type 'Calculated'. (r175363)
Clamp wordSpacing percentage value. (r175197)
Minor refactor in CSSComputedStyleDeclaration (r173421 partail)
vw/vh units used as font/line-height values don't scale with the viewport (r169407 complete revisited)
REGRESSION (r166860): ASSERTION FAILED: !isCalculated() on fast/css/image-set-value-not-removed-crash.html (r167192)
Fix assertions triggered by CSS calc changes in r166860 (r166920)
Rework CSS calc logic, fixing some reference count mistakes in Length (r166860)
ASSERTION FAILED: v.isFixed() in WebCore::RenderStyle::setWordSpacing (r162588)
Add HashMap::isValidKey and HashSet::isValidValue (r143071)

Dec 06, 2018
============
[css-grid] Remove unused GridResolvedPosition constructor (r192414)
[css-grid] Grid placement conflict handling (r192153)
[css-grid] Support positioned grid children (r192054)
Graphics corruption after Find on some pages (r178490)
Calling clearSelection on a detached RenderObject leads to segfault. (r178231 revisited)
RenderBox shouldn't need a pre-destructor hook. (r175580)
[css3-text] text-decoration-line now accepts "blink" as valid value (r150136)
[css] text-decoration:none no longer valid (r134156)
[css] Text decoration's "blink" not valid when CSS3_TEXT is enabled (r134078)
[css3-text] Add suport for -webkit-text-decoration-line (r125205)
[css-grid] Implement grid gutters (r190663)
intrinsic size keywords don't work for heights (r185908 complete revisited)
Div having contentEditable and display:grid cannot be edited if it is empty. (r180050 + r180213)
Div having contentEditable and display:flex cannot be edited if it is empty. (r179944)
Using calc() in repeat() for -webkit-grid-template-rows does not work (r177947)
Get rid of error-prone ReleaseParsedCalcValueCondition argument in CSSParser (r177623 + r177628)
Crash when setting 'flex' CSS property to 'calc(2 * 3) calc(2 * 3)' (r176674)
Crash when setting 'column-span' CSS property to 'calc(2 * 3)' (r176671)
Crash when setting 'z-index' / 'flex-shrink' CSS properties to a calculated value (r176301)
Crash when setting 'order' CSS property to a calculated value (r176171)
Assertion hit when setting a very large value to 'border-width' / 'font-size' CSS properties (r176170)
[CSS Grid Layout] Handle min/max height in the grid element (r166923)
[CSS Shapes] Simplify the parsing of width arguments for Inset shapes (r166909)
ASSERTION FAILED: std::isfinite(num) in WebCore::CSSPrimitiveValue::CSSPrimitiveValue (r166114)
[CSS Shapes] Adjust inset sizing syntax to the latest specification (r162989)
[CSS Shapes] Remove restriction of negative values for inset parameters (r162871)
Remove feature: CSS variables (r159842 partial)
Replace isolate || bidi-override by isolate-override (r126072)
[CSS Grid Layout]  Using automatic (instead of min-content) minimums for 'auto' tracks (r189911)

Dec 05, 2018
============
[CSS Box Alignment] New CSS Value 'normal' for Self Alignment (r201498 complete revisited)
[CSS Box Alignment] New CSS Value 'normal' for Content Alignment (r197503 complete revisited)
[CSS Grid Layout] inline margins not honored when not using stretch in row-axis alignment (r192573 partial revisited)
[CSS Grid Layout] Don't need to reset auto-margins during grid items layout (r190633)
[CSS Grid Layout] Support for Content Alignment in grid layout (r190484 complete revisited)
[CSS Grid Layout] Flex tracks sizing alg must handle 0fr values (r190308)
[CSS Grid Layout] Using {row, column}-axis terms in alignment related logic (r198906)
[CSS Grid Layout] Layout is wrong for flex factor sum between 0 and 1 (r189208)
[CSS Grid Layout] auto-margins alignment does not work for heights (r189169)
[CSS Grid Layout] Do not stretch always grid items with auto width (r188582 + r188823))
[CSS Grid Layout] Grid item's auto-margins are not applied correctly (r186682)
[CSS Grid Layout] Performance optimization: avoid computing overflow alignment if not needed (r185874)
[CSS Grid Layout] Setting height on a grid item doesn't have any effect (r185327)
[CSS Grid Layout] Relayout whenever Box Alignment properties change (r189910)
[CSS Grid Layout] Fix grid-template-areas parsing to avoid spaces (r185492 + r185499 rolled out + r185520)
[CSS Grid Layout] Support dots sequences in grid-template-areas (r185246)
[CSS Grid Layout] Simplify the interface of GridResolvedPosition (r185059)
[CSS Grid Layout] Support "sparse" in auto-placed items locked to a row/column (r180567)
[CSS Grid Layout] Support sparse in auto-placement algorithm (r171082 + r171102)
[CSS Box Alignment] New CSS Value 'normal' for Self Alignment (r201498 partial)
[CSS Box Alignment] New CSS Value 'normal' for Content Alignment (r197503 partial)
[css-grid][css-align] justify-self stretch is not applied for img elements (r195284 partial)
[CSS Grid Layout] inline margins not honored when not using stretch in row-axis alignment (r192573 partial)
[CSS Grid Layout] Support for Content Alignment in grid layout (r190484 partial)
[CSS Box Alignment] Upgrade align-content parsing to CSS3 Box Alignment spec (r183805)
[CSS Box Alignment] Upgrade justify-content parsing to CSS3 Box Alignment spec. (r183748)
[CSS Grid Layout] overflow-position keyword for align and justify properties. (r183660)
[CSS Grid Layout] Support for the justify-self and justify-items in grid layout (r183399 complete revisited)
[CSS Grid Layout] Support for align-self and align-items in grid layout (r183370 + r183394)
Rename hasOverride{Height,Width}() to hasOverrideLogicalContent{Height,Width}() (r183100)
[CSS Grid Layout] Support marking/unmarking tracks as infinitely growable (r182704 + r182726)
[CSS Grid Layout] Fix raw function pointer usages (r182628)
[CSS Grid Layout] Update track sizes after distributing extra space (r182472)
'true' isn't a valid value for justify-self (r174999)

Dec 04, 2018
============
Referrer policy should be inherited from creator (r223697)
Improve our support for referrer policies (r220208)
Always update the referrer header in CachedResource (r173398 revisited)
[CSS Box Alignment] Unifying alignment data in a single class (r183591)
[CSS Grid Layout] Support for the justify-self and justify-items in grid layout (r183399 partial)
Small removal of useless code for MathML token elements (r200938)
More improvements and explanations regarding resetting CSS properties on the <math> element (r199869)
Use OpenType MATH fonts by default (r199773)
[regression] foreign content not displayed in MathML (r165702)
childShouldCreateRenderer should return false for the mspace element (r163626)
CSS direction must be reset to ltr on <math> element. (r159035)
Refactor RenderMathMLScripts layout to avoid using flexbox (r199665)
RenderMathMLOperator: Add helper function to retrieve italic correction (r199548)
Crash under WebCore::PageConsoleClient::addMessage attempting to log insecure content message in ImageDocument (r185781)
Console log sometimes prefixed with line number (r178648)
Multiple refactors in RenderMathMLOperator (r174678 partial)
PageConsole::addMessage should automatically determine column number alongside line number (r160374)

Dec 03, 2018
============
Crashes in PageConsole::addMessage (r166551 revisited complete)
Layout Test http/tests/security/canvas-remote-read-remote-image-redirect.html is flaky (r156130)
Web Inspector: ConsoleMessage should include line and column number where possible (r149125 partial revisited)
Web Inspector: split Console into two entities, a web-facing bound object and page console. (r146208)
CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.WebCore: WebCore::FrameLoader::subresourceCachePolicy const + 11 (r185301)
Rename fastHasAttribute to hasAttributeWithoutSynchronization (r203337)
Rename fastGetAttribute to attributeWithoutSynchronization (r203324)

Nov 30, 2018
============
Refactor RenderMathMLFraction layout to avoid using flexbox (r199295)
CTTE: RenderMathMLFraction always has a MathMLInlineContainerElement. (r157791)
Get rid of RepatchBuffer and replace it with static functions (r189288 + r189342)
RepatchBuffer should be stateless (r189278)

Nov 29, 2018
============
Simplify call linking (r187505)
Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC (r181990 partial)
REGRESSION (r179357-r179359): WebContent Crash using AOL Mail @ com.apple.JavascriptCore JSC::linkPolymorphicCall (r191530)
Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo (r185932)
If a call has ever taken the virtual slow path, make sure that the DFG knows this (r185099)
Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24 (r185084)
Polymorphic call inlining should be based on polymorphic call inline caching rather than logging (r179357 + r179392 rolled out + r179478)
Move DFGBinarySwitch out of the DFG so that all of the JITs can use it (r179223)
Ensure that RenderMathMLOperator::stretchTo functions are called with stretchy operators that have the correct direction (r199544)
Refactor RenderMathMLUnderOver layout functions to avoid using flexbox (r199293)
Bad position of large operators inside an munderover element (r193829)
Changes in the stretchy attribute do not update rendering (r174677)
RenderMathMLUnderOver adds spacing to the child operator indefinitely when resizing the window. (r174540)

Nov 28, 2018
============
[JSC] Drop ArityCheckData (r223891 partial)
Wrong value recovery for DFG try/catch with a getter that throws during an IC miss (r191930 partial)
Each *ById inline cache in the FTL must have its own CallSiteIndex (r190885 partial)
Implement try/catch in the DFG. (r189938 + r189952 + r189956 + r189961 rolled out + r189995)
Add support for Callee-Saves registers (r189575 partial)
rename callFrameForThrow to callFrameForCatch (r189775)
Node::origin should always be set, and the dead zone due to SSA Phis can just use exitOK=false (r189013)
Node::origin should be able to tell you if it's OK to exit (r188979)
DFG::InsertionSet should be tolerant of occasional out-of-order insertions (r188879)

Nov 27, 2018
============
Refactor RenderMathMLRow layout functions to avoid using flexbox (r198998)
Reset CSS spacing rules on the <math> element. (r198952)
Use out-of-band messaging for RenderBox::firstLineBaseline() and RenderBox::inlineBlockBaseline() (r181398)
Assertion failure in WebCore::FlexBoxIterator::next() (r167093)
[MathML] Baseline wrong for fractions or munder/mover with padding (r130097)
[Readable Streams API] Cleanup patch, fix small inconsistencies (r207337)
[Readable Streams API] Implement generic reader functions (r206912 revisited)
CachedResourceLoader should set headers of the HTTP request prior checking for the cache (r207817)
Add protocolIsInHTTPFamily for strings and use it where appropriate (r162555)
Never send a non-http(s) referrer header even with a referrer policy (r162351)

Nov 26, 2018
============
Cached CSS image resources don't show up after reloading (r184315)
Get rid of "CachePolicyCache" cache policy (r181766)
Remove ENABLE(PARSED_STYLE_SHEET_CACHING) and make it always-on. (r149140)
Regression(r176212): Broke app switching on iCloud.com (r185269 partial)
Regression(r176212): Carousel on mbusa.com is choppy (r177964 partial)
Regression(r163928): Animated images are not resumed on window resizing (r177927)
REGRESSION (r163928): Animated GIFs are not resumed when translated into view using -webkit-transform (r177360)
http://omfgdogs.info/ only animates when you resize the window (r177135)
Speculative fix for assertion "frame().view() == this" (r177107)
REGRESSION (r172854): Web Viewer in FileMaker does not render a Base64 encoded animated-GIF (r176384)
Throttle timers that change the style of elements outside the viewport (r176212 partial)
Animated GIFs scrolled out of view still cause titlebar blur to update, on tumblr.com page (r172854)
REGRESSION: Animated GIF inside compositing layer never resumes animation when scrolled back into view (r168424)
GIF animations should be suspended when outside of viewport (r163928)

Nov 23, 2018
============
svg/as-image/svg-image-with-data-uri-use-data-uri.svg is flaky after r207754 (r209914)
REGRESSION(r207753-207755): ASSERTION FAILED: m_parsedStyleSheetCache->isInMemoryCache() (r207967 + r208200 rolled out + r208279)
REGRESSION (r207754): LayoutTest http/tests/security/svg-image-with-css-cross-domain.html is a flaky failure (r208102)
ASSERTION FAILED: canvas()->securityOrigin()->toString() == cachedImage.origin()->toString() (r207754)
CachedResourceLoader should not need to remove fragment identifier (r207459)
Remove CachedResourceRequest::mutableResourceRequest (r207281)
[Fetch API] Support Request cache mode (r207086)
[Fetch API] Memory cache should not bypass redirect mode (r206994)
ASSERTION FAILED: m_origin || m_type == CachedResource::MainResource (r206370)
CachedResourceRequest should store a SecurityOrigin (r206255)
CachedFont do not need to be updated according Origin/Fetch mode (r206017)
CachedResource should efficiently construct its ResourceRequest (r206016)
Link loader should use FetchOptions::mode according its crossOrigin attribute (r206010)
Remove CredentialRequest ResourceLoaderOptions (r202815)
Don't reuse memory cache entries with different charset (r194898)
CachedResources should hang on to stripped fragment identifiers (r137604)
Set the Response.blob() type based on the content-type header value. (r216353)
ScriptElement should use FetchOptions::mode according its crossOrigin attribute (r205854)
TextTrackLoader should use FetchOptions::mode according its crossOrigin attribute (r205750)
CachedResourceLoader is not taking into account fetch options to use or not cached resources (r205450 + r205464 rolled out + r205473)
[Fetch API] Fetch API should be able to load data URL in Same Origin mode (r205265)
Synchronous preflight should check for successful responses (r203943)
Remove ClientCredentialPolicy cross-origin option from ResourceLoaderOptions (r203720)
Synchronous preflight checker should set loading options to not use credentials (r202779)
[WK2] Authentication dialog is displayed for cross-origin XHR (r173516)

Nov 22, 2018
============
Improve error message for Access-Control-Allow-Origin violation due to misconfigured server (r217069)
Safari sends empty "Access-Control-Request-Headers" in preflight request (r214254)
CORS: Fix the handling of redirected request containing Origin null. (r195100)
Remove unsafe uses of AtomicallyInitializedStatic (r161812 partial)

Nov 21, 2018
============
Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister(). (r215351)
HashTraits<RefPtr<P> >::peek should consider empty value (r149739)
Avoid unnecessary arguments copying inside GenericHashTraits methods (r149738)
HashTraits<RefPtr<P> >::PeekType should be raw pointer for better performance (r149665)

Nov 20, 2018
============
DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals. (r204360 complete revisited)
ScriptRunner should be driven by PendingScript rather than ScriptElement (r205652 + r205653 rolled out + r205695)
Add HashSet::takeAny (r167592)
Add HashSet::take (r155580)
Change HashTraits<RefPtr<P> >::PassOutType to PassRefPtr for better performance (r149602 revisited)
Introduce abstract class LoadableScript for classic script and module graph (r205581)

Nov 19, 2018
============
ASSERTION FAILED: hasParserBlockingScript() seen with js/dom/modules/module-will-fire-beforeload.html (r209791)
A function named canTakeNextToken executing blocking scripts is misleading (r197040)
Make PendingScript as ref-counted (r205218)
CrashTracer: WebProcess at com.apple.WebCore: WebCore::toScriptElementIfPossible + 4 (r183178)
WebProgressTracker updates progress too frequently (r170464)
Loads started soon after main frame completion should be considered part of the main load (r162637)
Possible crash in ProgressTracker::progressHeartbeatTimerFired(Timer<ProgressTracker>*) (r159986)
Possible crash in ProgressTracker::progressHeartbeatTimerFired(Timer<ProgressTracker>*) (r159974)
HarfBuzzFace::CacheEntry should use 32-bit values in its HashMap (r238363)
SVGUseElement follow-up improvements (r179980 + r179991)

Nov 18, 2018
============
Remove the SVG instance tree (r179810)
Remove SVGElementInstanceList, m_instanceUnderMouse, DUMP_INSTANCE_TREE, DUMP_SHADOW_TREE (r178715)

Nov 16, 2018
============
[Win] Fix debug build after r179807. (r179916)
Make SVGUseElement work without creating any SVGElementInstance objects (r179807)
Stop dispatching events to with SVGElementInstance objects as their targets (r179467 + r179471 rolled out + 179785)
Move InstanceInvalidationGuard/UpdateBlocker to SVGElement from SVGElementInstance (r179548 + r179555 rolled out + r179695)
Make SVGElement::instancesForElement point to elements in the shadow tree, not SVGElementInstance objects (r179260)
[SVG] Accept HTML and MathML namespaces as valid requiredExtensions (r161629 + r161653 rolled out + r162083)
Tighten up the type bounds for SVGPropertyInfo callback parameters (r145830)
RegExp operations should not take fast patch if lastIndex is not numeric. (r238267)

Nov 15, 2018
============
REGRESSION (r179101): SVGUseElement::expandUseElementsInShadowTree has an object lifetime mistake (r179163)
Streamline SVGUseElement shadow tree handling and make it use SVGElementInstance less (r179101)
Remove SVGUseElement.instanceRoot and all tests that depend on it (r179391)
Only when the SVG is inline and only when a shape is referenced before it is defined, this shape will not be drawn. (r177576)
Avoid unnecessary HashSet copies when calling collectInstancesForSVGElement (r166586 + r166590)
Rename ElementDescendantIterator to TypedElementDescendantIterator. (r165805)
REGRESSION(r191731): SVGPatternElement can only reference another SVGPatternElement in the same SVG document (r222304)
Reference cycle between SVGPathElement and SVGPathSegWithContext leaks Document (r194964 complete revisited)
If ImageLoader's loadEventSender or errorEventSender fires after document is detached, the document will be leaked. (r139209 complete revisited)
svg/W3C-SVG-1.1/render-groups-03-t.svg and some other SVG tests leak documents (r235862)
References from CSSStyleDeclaration to CSSValues should be weak (r230737)
NULL WeakPtr should not malloc! (r222752)
WeakPtrFactory should populate m_ref lazily. (r222422)

Nov 14, 2018
============
[JSC] Do not allocate unnecessary UTF-8 string for encodeXXX functions (r201756 complete revisited)
Make converting JSString to StringView idiomatically safe (r186037 complete revisited)
[JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). (r184613 + r184618 rolled out)
ProxyObject should check for VMInquiry and return early before throwing a stack overflow exception (r238163)
Need an exception check after constructEmptyArray(). (r201787 partial revisited)

Nov 13, 2018
============
DFG::ByteCodeParser should attempt constant folding on loads from structures that are DFG-watchable (r188357)
DFG::ByteCodeParser shouldn't call tryGetConstantProperty() with some StructureSet (r188292 complete)
[JSC] Unify Math.pow() accross all tiers (r200208 complete)
flattenDictionaryStruture needs to zero inline storage. (r233048)
[JSC] Implement Object.assign in C++ (r218348 partial)

Nov 12, 2018
============
implement dynamic scope accesses in the DFG/FTL (r199699 partial)
[JSC] addStaticGlobals should emit SymbolTableEntry watchpoints to encourage constant folding in DFG (r199342)
Rare case profiling should actually work (r180137)

Nov 09, 2018
============
FTL should be able to do polymorphic call inlining (r172940 + r172961 rolled out + r173069)
[ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure (r169795 partial)
U+180E is no longer a whitespace character (r238004)

Nov 08, 2018
============
MediaStream API: update MediaStreamTrackEvent object to match spec (r156135)
Remove remaining custom getters for WorkerContext constructor attributes (r151223)

Nov 06, 2018
============
CallLinkStatus should trust BadCell exit sites whenever there is no stub (r195877)
CallLinkInfo inside StructureStubInfo should not use polymorphic stubs (r189493)
Refactor CallLinkInfo from a struct to a class (r185930)
CallLinkStatus should return takesSlowPath if the GC often cleared the IC (r185161)

Nov 05, 2018
============
GC should safepoint the DFG worklist in a smarter way rather than just waiting for everything to complete (r163691 partial)
[ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure (r169795 partial)
StorageAccessData should be referenced in a sensible way (r173793)

Nov 02, 2018
============
[ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function (r171389 + r171508)

Nov 02, 2018
============
REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash (r172737 complete revisited)
[ftlopt] Infer immutable object properties (r170855 complete revisited)
[ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them (r170375)
[ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets (r170275)
  => Passed JIT tests and Asteroidbench/CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.
   
Nov 02, 2018
============
Fix missing edge cases with JSGlobalObjects having a bad time. (r237469 partial)
   
Nov 01, 2018
============
Custom GetterSetterAccessCase does not use the correct slotBase when making call (r222671 complete)
Dictionary property access should be fast (r201562 complete)
DFG::ByteCodeParser needs to null check the result of presenceLike() (r196446)
Caching of properties on objects that have named property getters is sometimes incorrect (r192693 complete)
DFG should have adaptive structure watchpoints (r187780 complete revisited)
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton (r170141 complete revisited)
[ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for,
  whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants (r169950)
  => Passed JIT tests and Asteroidbench/CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo/EPG Guide on ARMv7 GCC4.9 with hard float.

Nov 01, 2018
============
ObjectPropertyConditionSet::mergedWith does not produce a minimal intersection. (r190283)
Unreviewed, fix Windows. (r187783)
Simplify DFG::DesiredIdentifiers and make it possible to turn a UniquedStringImpl* into an identifierNumber at any time (r187214)

Oct 31, 2018
============
r176455: ASSERT(!m_vector.isEmpty()) in IntendedStructureChain.cpp(143) (r176506)
[ftlopt] Phantoms in SSA form should be aggressively hoisted (r171495 complete revisited)
[ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to (r170672)
DFG SSA stack accesses shouldn't speak of VariableAccessDatas (r180691)
[ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base (r170090)

Oct 30, 2018
============
[ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base (r169902)

Oct 29, 2018
============
Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com (r176624)

Oct 29, 2018
============
[JSC] Do not construct Simple GetByIdStatus against self-custom-accessor case (r206844 complete revisited)
WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading (r191937)
The JIT should cache property lookup misses. (r175846 complete revisited + r175849 + r175880 revisited)
r171362 accidentally increased the size of InlineCallFrame. (r172853)
[ftlopt] DFG bytecode parser should turn GetById with nothing but a Getter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to (r169143)
  => Passed JIT tests and Asteroidbench/CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo on ARMv7 GCC4.9 with hard float.
  
Oct 29, 2018
============
[ftlopt] Factor out how CallLinkStatus uses exit site data (r169014)
[ftlopt] InlineCallFrame::isCall should be an enumeration (r169005)
Token misspelled "tocken" in error message string (r231142)
Early error on ANY operator before new.target (r220481)
[JSC] add additional bit to JSTokenType bitfield (r209293)
Arrow functions should not allow duplicate parameter names (r206647)
JS parser incorrectly handles invalid utf8 in error messages. (r201624)
JavascriptCore Crash in JSC::ASTBuilder::Property JSC::Parser<JSC::Lexer<unsigned char> >::parseProperty<JSC::ASTBuilder>(JSC::ASTBuilder&, bool) (r187763 revisited)
Function bodies should always include braces (r181673 revisited)
Parser statementDepth accounting needs to account for when a function body excludes its braces. (r170034 revisited)

Oct 26, 2018
============
Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes (r181817 complete revisited)
[ftlopt] Phantoms in SSA form should be aggressively hoisted (r171495 partial revisited)
[ftlopt] Reduce the GC's influence on optimization decisions (r170571 complete)
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton (r170141 partial revisited)
[ftlopt] AI should be able track structure sets larger than 1 (r169588 complete revisited)
It should be OK to store new fields into objects that have no prototypes (r167563)
Support caching of custom setters (r165208 complete revisited)
More FTL ARM fixes (r165129)
FTL should do polymorphic PutById inlining (r164620)
  => Passed JIT tests and Asteroidbench/CanvasMark/V8/SunSpider/JetStream/Speedometer/Kraken/Dromaeo on ARMv7 GCC4.9 with hard float.

Oct 26, 2018
============
GetById and PutById profiling should be more precise about it takes slow path (r185160)
FTL should do polyvariant PutById inlining (r162849)
FTL should do polyvariant GetById inlining (r162811)

Oct 25, 2018
============
Unreviewed, fix a goofy assertion to fix debug. (r166952)

Oct 24, 2018
============
Eliminate construct methods from NullGetterFunction and NullSetterFunction classes (r178855)
REGRESSION(178696): Sporadic crashes while garbage collecting (r178728)
A "cached" null setter should throw a TypeException when called in strict mode and doesn't (r178696)
DFG Tries using an inner object's getter/setter when one hasn't been defined (r177030 + r177055)
[ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant (r171153)
[ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise (r170383)

Oct 23, 2018
============
adoptNode() changes css class to lowercase for document loaded with XHR responseType = "document" (r203018 + r203043)
GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything (r164066 + r164071 rolled out)

Oct 22, 2018
============
32-bit JSC test failure: stress/instanceof-late-constant-folding.js (r204209)

Oct 19, 2018
============
[ftlopt] Phantoms in SSA form should be aggressively hoisted (r171495 partial revisited)
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton (r170141 partial revisited)
FTL should inline polymorphic heap accesses (r164207 complete + r164216)
FTL should inline polymorphic heap accesses (r164207 partial + r164216)
Too much repainting on scrolling with fixed backgrounds (r182669)
Differentiate between composited scrolling, and async scrolling (r182345)
Scrollbars are left in the wrong position when resizing a fixed layout view (r182307 revisited)
Even when in fixed layout mode, some platforms need to do layout after a viewport change (r163182 + r163188 rolled out + r163216)
Call FrameView::contentsResized() when setting fixed layout size (r140869 + r141015 rolled out + r141450 revisited)
Enable/disable composited scrolling based on overflow (r127620)
Register scrolling layers with ScrollingCoordinator (r127480)
delete expression should not throw without a reference (r237259)

Oct 18, 2018
============
[DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped) (r221328)
DFG should really support jneq_ptr (r203361)
Improve some other cases of context-sensitive inlining (r199093 partial)
{Map,Set}.prototype.forEach should be visible as own properties (r196274)

Oct 18, 2018
============
PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear (r232384)
DFG AI and clobberize should agree with each other (r230488 revisited complete)
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton (r170141 partial)
  => Passed JIT tests.
  
Oct 18, 2018
============
The parser should not emit a ApplyFunctionCallDotNode for Reflect.apply. (r237241)

Oct 17, 2018
============
Dynamic background color changes do not update until a layout is forced (r190816)
Avoid repaints when changing transform on an element with multiple background images (r181710)
Use unique_ptr for FillLayer::m_next (r167208)
Avoid unnecessary copy-on-write in FillLayer style application. (r159782)
FontDescription copies should share families list, not duplicate it. (r159279)
Avoid unnecessarily padding the FontDescription families vector. (r159185)
getComputedStyle(x).lineHeight is affected by zooming (r158714)
Merge SVG renderers' styleWillChange() into styleDidChange(). (r157787)
[CSS Background Blending] Specifying background-image and background-color with opaque image doesn't trigger blending. (r153702)
RefCountedArray needs a size based constructor (r146964)
TransformState::move should not round offset to int (r142638)
Push pixel snapping logic into TransformState (r137847)
Remove unnecessary mode identifiers added in r131111 (r131231)
[Sub pixel layout] Fast-path iframe scrolling can picks up an extra pixel (r130811 + r130824 rolled out + r131111)
REGRESSION: transition doesnt always override transition-property (r128656 revisited)
Prevent overflows in FractionalLayoutUnit (r127933)

Oct 16, 2018
============
[JSC] JSON.stringify can accept call-with-no-arguments (r237095)
[JSC] Remove LocalScope (r226407)
Fix exception scope verification failures in JSONObject.cpp. (r208966)
[ES6] Make JSON.stringify ES6 compatible (r198150)
Speed up the Stringifier::toJSON() fast case (r187537)
JSArray::shiftCountWithArrayStorage is wrong when an array has holes (r237129)

Oct 15, 2018
============
Fix exception scope verification failures in CommonSlowPaths.cpp/h. (r208936)
GetByValWithThis: fix opInfo in DFG creation (r205361)
Missing exception check in JSObject::hasInstance (r219451 complete)
We should throw a SecurityError when denying access to cross-origin Window properties (r211504)
Fix exception scope verification failures in ObjectConstructor.cpp and ObjectPrototype.cpp. (r209020)
Object.freeze() and seal() should throw if [[PreventExtensions]]() fails. (r206948)
createError() and JSObject::calculatedClassName() should not throw any exceptions. (r206476)
We should throw a SecurityError when denying access to cross-origin Window properties (r205136)
Calling crossOriginWindow.toString() should not be allowed (r205037)
Trying to access cross-origin Location properties should throw a SecurityError (r205026)
Completes native binding descriptors with native getters and potentially setters. (r185889 + r185902 + r186202 rolled out)

Oct 12, 2018
============
InlineTextBox::paintDocumentMarker() does not need to special case painting of grammar and dictation alternatives (r221212)
Compute document marker rects at use time instead of paint time (r190363)
Scrolling a overflow: scroll region makes find overlay holes stick to the edge of the region (r190254)
Holes for find matches that span multiple lines are completely wrong (r188527)
Kill toRenderedDocumentMarker() by using tighter typing (r174876)

Oct 11, 2018
============
[Win] Application name in user agent string is truncated. (r161983)
Simplify StringTypeAdapter templates (r174234 + r174255)
Inline QualifiedName::toString() method (r208710)
Prevent hit tests from being performed on an invalid render tree (r208003)
Remove LayoutUnit::operator unsigned(). (r201114)
RenderLayer::hitTestList could mutate the list of candidate layers. (r200971 + r201384)
Frame flattening: Hit-testing an iframe could end up destroying the associated inline tree context. (r186165)
Hit test returns incorrect results when performed in paginated content over the page gaps. (r179027)
Ensure that layout is up-to-date before hit-testing via RenderView (r173865)
Ensure that layout is up-to-date before hit testing (r172969)
Code cleanup: change FrameView::doLayoutWithFrameFlattening() to make it more explicit. (r159231)

Oct 10, 2018
============
InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values (r231468 + r231492 rolled out + r231514)
URLParser: Add fast path for hosts containing no non-ASCII or percent characters (r205922)
URLParser: Add fast path for utf8 encoding queries (r205918)
URLParser: Correctly ignore spaces before relative URLs with no scheme (r205846)
URLParser: Fix relative URLs containing only fragments (r205835)
URLParser: Correctly handle relative URLs that are just a scheme and a colon (r205833)
Remove trailing control characters and spaces before parsing a URL (r205824)
Fix more URLParser quirks (r205813)
Optimize URLParser performance (r205812)
URLParser: Keep track of cannot-be-a-base-url according to spec (r205782)
URLParser should convert ASCII hosts to lowercase (r205774)
Text replacement candidates don't always overwrite the entire original string (r205768)
URLParser: Handle \ in path according to spec (r205752)
URLParser should parse URLs with non-special schemes (r205749)
Ensure StringView lifetime is correct inside InlineTextBox (r204276)
Remove BufferForAppendingHyphen (r170561)

Oct 09, 2018
============
[JSC] TinyPtrSet::deleteListIfNecessary() no longer needs to test for reservedValue (r204354)
[JSC] Simplify the initialization of AbstractValue in the AbstractInterpreter (r204065)
[JSC] Get rid of NodePointerTraits (r188850)
The tiny set magic in StructureSet should be available in WTF (r185324 + r185325 + r185433)
[ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered() (r170376)
[JSC] Avoid creating ProgramExecutable in checkSyntax (r236904)

Oct 05, 2018
============
[JSC] Optimize Kraken stringify (r209858)
parseHTMLInteger() should take a StringView in parameter (r205787)
Align meta element http-equiv="refresh" parsing with the HTML specification (r205400)
Follow-up fixes after r205030. (r205095)
HTMLAreaElement's coords attributes parsing does not comply with the HTML specification (r205030)
Speed up StringBuilder::appendQuotedJSONString() (r187484)
Shrink SVGPathStringBuilder (r156024)
Make SVGTransform::valueAsString use StringBuilder (r155968 + r155982))
[WIN] Use GetTimeZoneInformation() for getting the timezone name (r125004)
Unify JSC date and time formating functions (r124817)

Oct 04, 2018
============
Do not measure large chunk of text repeatedly during mid-word breaking. (r215666)
Remove hasStaticPropertyTable (part 5: done!) (r202218)
Remove hasStaticPropertyTable (part 3: JSLocation::putDelegate) (r202032)
Remove hasStaticPropertyTable (part 4: JSHTMLDocument & JSStorage) (r202031)
Remove hasStaticPropertyTable (part 3: JSLocation::putDelegate) (r202030)
Remove hasStaticPropertyTable (part 2: JSPluginElement) (r202029)
Remove hasStaticPropertyTable (part 1: DOM bindings) (r202028)
JSObject::reifyAllStaticProperties cleanup (r201853 complete)
Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead. (r201719)
Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead. (r201702)
Static table property lookup should not require getOwnPropertySlot override. (r201448)
[JSC][32bit] stress/tagged-templates-template-object.js fails in debug (r200541)
ToThis should have a fast path based on type info flags (r199686)
[JSC] Symbol structure has unnecessary flags (r196107)
Remove OverridesHasInstance from TypeInfoFlags (r194369)

Oct 03, 2018
============
Fix 32-bit OverridesHasInstance in the DFG. (r204176)
ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell() (r204140 partial)
Unreviewed, roll out r202268 as it looks like it was a ~50% regression on Dromaeo DOM Core (r202281)
Don't eagerly reify DOM Prototype properties (r202268)
Refactor showModalDialog handling in JSDOMWindowCustom (r201638)
OverridesHasInstance constant folding is wrong (r197370)
Folding of OverridesHasInstance DFG nodes shoud happen in constant folding not fixup (r197196)

Oct 02, 2018
============
StringView operator==(char*) should check the length of the string (r233660)
StringView should have an explicit m_is8Bit field. (r203834)
equal(StringView, StringView) for strings should have a fast path for pointer equality (r201738)
PropertyTable::skipDeletedEntries() should guard against iterating past the table end. (r233625)
Use the default hash value for Symbolized StringImpl (r183624)
Partial Information Leakage in Hash Table implementations (PrivateName) (r155563)
[JSC] Use fastJoin in Array#toString (r223834)
Callers of JSString::unsafeView() should check exceptions (r216699)
Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString. (r208767 complete)
Some of JSStringView::SafeView methods are not idiomatically safe for JSString to StringView conversions. (r208699)
[JSC] Help clang generate better code on arrayProtoFuncToString() (r198256)
[INTL] Implement Array.prototype.toLocaleString in ECMA-402 (r195431)
Fixed assertion in JSStringJoiner::join() (regression from r185899). (r185909)
Make Array.join work directly on substrings without reifying them (r185899 complete)

Oct 01, 2018
============
[ES6] Implement Symbol.for and Symbol.keyFor (r182915 + r182921)
Fix cast-align warning in StringImpl.h (r176805)
Store StringImpl substring backpointers as tail data (r163416)
Get rid of StringImpl::m_buffer (r163396)
Fix Windows build. (r163349)
StringImpl::tailOffset() should return the offset right after m_hashAndFlags (r163347)
More tail pointer consolidation (r163341)
Consolidate StringImpl tail handling into two functions (r163326)

Oct 01, 2018
============
test262: TypedArray constructors length should be 3 and configurable (r205932)
r199812 broke test262 (r201105)
Make RegExp.prototype.test spec compliant. (r200272 partial)
Align RegExp[@@match] with other @@ methods (r199812)
Re-landing: ES6: Implement RegExp.prototype[@@search]. (r199748 partial)
  => Passed JIT tests.
  
Oct 01, 2018
============
[ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null,
  so that if we constant-infer an accessor slot then we immediately get the function constant for free (r170729)
Fix exception scope verification failures in ArrayConstructor.cpp and ArrayPrototype.cpp. (r209011)
Array.prototype.slice should not modify frozen objects. (r207226 complete)
Change ArrayPrototype.cpp's putLength() and setLength() to take a VM& so that we can use vm.propertyNames. (r207036 complete)
Rename the StrictModeReadonlyPropertyWriteError string to ReadonlyPropertyWriteError. (r207023)
test262: Array.prototype.slice should always set length (r205910)

Sep 28, 2018
============
[JSC] make Object.getOwnPropertyDescriptors() work with non-JSObject types (r196042)
[JSC] Implement Object.getOwnPropertyDescriptors() proposal (r196040)
Harden JSObject::getOwnPropertyDescriptor() (r209869)
Follow up fix to Implement Proxy.[[GetOwnProperty]] (r196775)
Use a profile to store allocation structures for subclasses of InternalFunctions (r194863 complete)

Sep 27, 2018
============
JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData (r196959 complete)
We should zero unused property storage when rebalancing array storage. (r236514)
We should support the ability to do a non-effectful getById (r199170 partial)
We should support the ability to do a non-effectful getById (r199073 + r199084 rolled out + r199104 + r199108 rolled out)
Clean up JavaScriptCore/builtins (r182118)

Sep 26, 2018
============
Unreviewed, add scope verification handling (r236505)
[JSC] Optimize Array#lastIndexOf (r236496)
We should be able to lookup symbols by identifier in builtins (r201825 partial revisited)
ES6: Implement String.prototype.split and RegExp.prototype[@@split]. (r199393 + r199400 rolled out + r199502 + r199514 rolled out + r199731)
String.prototype.match() should be calling internal function RegExpCreate. (r199144)
RegExp constructor should use Symbol.match and other properties (r199106)
Misc. JavaScriptCore built-ins cleanups (r198713)
ES6: Implement IsRegExp function and use where needed in String.prototype.* methods (r198652)
Create private builtin helper advanceStringIndexUnicode() for use by RegExp builtins (r198647)
[ES6] Add Proxy based tests for RegExp.prototype[@@match] (r198625)
[ES6] Greedy unicode RegExp's don't properly backtrack past non BMP characters (r198624 complete)
[ES6] Implement RegExp.prototype[@@match] (r198554)
ES6 spec requires that RegExpPrototype not be a RegExp object. (r198447)
[ES6] Allow RegExp constructor to take pattern from an existing RegExp with new flags (r197962)
[ES6] Make ToPropertyDescriptor spec compliant (r197960)

Sep 25, 2018
============
The Array species constructor watchpoints should be created the first time they are needed rather than on creation (r202067)
Promise.prototype.then should use Symbol.species to construct the return Promise (r197428)
Symbol.species accessors on builtin constructors should be configurable (r196414)
Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects (r236437)
JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState. (r236369 partial)
Proxy's [[Get]] passes incorrect receiver (r217093)
JavaScript for-of does not work on a lot of collection types (e.g. HTMLCollection) (r211024 partial)
Introduce the concept of Immutable Prototype Exotic Objects to comply with the spec. (r209424)
[JSC] Avoid cloned arguments allocation in ArrayPrototype methods (r208524 partial revisited)
Align cross-origin proto getter / setter behavior with the specification (r205297 + r205301 rolled out)
Array.prototype.map builtin should go on the fast path when constructor===@Array (r204488 complete)
Make builtin TypeErrors consistent (r203393 partial revisited)
[JSC] Array.prototype.includes uses ToInt32 instead of ToInteger on the index argument (r202926)
[JSC] The prototype cycle checks throws the wrong error type (r202832)
[JSC] StringObject.{put, defineOwnProperty} should realize indexed properties (r197684)
[JSC] Iterating over a Set/Map is too slow (r194838)
Fix grammar issue in TypeError attempting to change an unconfigurable property (r186584)
Reflect nits for r184863 (r184871)
[ES6] Implement Array.prototype.copyWithin (r184863)
Array#findIndex/find should not skip holes (r184848)
Rename createIterResultObject as createIteratorResultObject (r184586)
Array.prototype methods must use ToLength (r184582 partial revisited)
ES7: Implement Array.prototype.includes (r181871)
Array.prototype.find and findIndex should skip holes (r169162)
Implement Array.prototype.find() (r167797)

Sep 21, 2018
============
Fix the debug build after r202667 (r202673)
[JSC] Minor TypedArray fixes (r202667)
[JSC] Fix small issues of TypedArray prototype (r202631)
[JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array (r231572)
%TypedArray%.prototype.slice needs to check that the source and destination have not been detached. (r204868)
Array.prototype.map builtin should go on the fast path when constructor===@Array (r204488 partial)
Array.prototype native functions' species constructors should work with proxies (r198589)
Array prototype JS builtins should support Symbol.species (r197536 complete)
Use Symbol.species in the builtin TypedArray.prototype functions (r196950)
JSC Builtins should use safe array methods (r193899 partial revisited)
Add regression tests for TypedArray.prototype functions' error messages. (r191300)
Unreviewed. Fix typo in TypeError messages in TypedArray.prototype.forEach/filter. (r191225)
[JSC] Optimize Array#indexOf in C++ runtime (r236240)
JSArray::canFastCopy() should fail if the source and destination arrays are the same. (r222598)
Object properties are undefined in super.call() but not in this.call() (r223175)
ArrayBuffer constructor needs to create subclass structures before its buffer (r218452)
Fix toStringName for Proxies and add support for normal instances (r205131)
toString called on proxies returns incorrect tag (r205023)

Sep 20, 2018
============
constructGenericTypedArrayViewWithArguments() is missing an exception check. (r221711)
Put does not properly consult the prototype chain (r216309)
Fix missing exception checks in Interpreter.cpp. (r214005 partial revisited)
Change ProxyObject.[[Get]] not to use custom accessor (r201703)
Proxy.ownKeys should no longer throw an exception when duplicate keys are returned and the target is non-extensible (r201672)
Stack overflow crashes with deep or cyclic proxy prototype chains (r201495 complete)
Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver (r201322)
REGRESSION (r205670): ASSERTION FAILED: methodTable(vm)->toThis(this, exec, NotStrictMode) == this (r205939)
Align proto getter / setter behavior with other browsers (r205354 + r205372 rolled out + r205670)
ProxyObject's structure should not have ObjectPrototype as its prototype and it should not have special behavior for intercepting "__proto__" (r205535)
Assertion failure when returning incomplete property descriptor from proxy trap. (r202124)
Fix typos in our error messages and remove some trailing periods (r198813)
[JSC] allow duplicate property names returned from Proxy ownKeys() trap (r198531 complete)
[ES6] Reflect.set with receiver (r198270)
[ES6] Implement Proxy.[[GetPrototypeOf]] (r197711)
[[GetPrototypeOf]] should be a fully virtual method in the method table (r197645 + r97646 rolled out + r197648)
PutProperytSlot should inform the IC about the property before effects. (r224416)
[ES6] Implement Reflect.set without receiver support (r198023)
Location.reload should not be writable (r197576)
[Unforgeable] operations should not be writable as per Web IDL (r196770)
Drop [NotDeletable] from QuickTimePluginReplacement.postEvent() (r190234)
Unify symbolTableGet and Put in JSLexicalEnvironment and JSSymbolTableObject (r189525)

Sep 19, 2018
============
Assertion failure for bound function with custom prototype and Reflect.construct (r200319)
ES6 spec requires that ErrorPrototype not be an Error object. (r198469)
ArrayPrototype methods should use JSValue::toLength for non-Arrays. (r218449 complete)
Web Inspector: Reflect.toString() should be [object Object] not [object Reflect] (r200355)
[ES6] Support Reflect.construct (r197614)
Ensure that ForInContexts are invalidated if their loop local is over-written. (r236161)
Refactor some ForInContext code for better encapsulation. (r236018)
[JSC] has_generic_property never accepts non-String (r217887)

Sep 18, 2018
============
[FreeType] Use FastMalloc for FreeType (r226635)
[ES6] Instanceof isn't spec compliant when the RHS is a Proxy with a target that is a function (r197970)
[FreeType] Enable BCI on webfonts (r219422)

Sep 17, 2018
============
Add proper JSON.stringify support for Proxy when the target is an array (r197918 complete)
Array.isArray support for Proxy (r197899)
[ES6] Implement revocable proxies (r197732)
Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate(). (r214684)
Fix Array.prototype.splice ES6 compliance. (r207322 + r207344 rolled out)
Rename variables in arrayProtoFuncSplice() to match names in the spec. (r207241)
some paths in Array.prototype.splice don't account for the array not having certain indexed properties (r203087 complete)

Sep 17, 2018
============
[ES6] Add support for Symbol.hasInstance (r193974 + r194007 + r194036 rolled out + r194248 + r194262)
  => Passed JIT tests.

Sep 14, 2018
============
JSGenericTypedArrayView::set() should check for exceptions. (r207906)
Crashes with detached ArrayBuffers (r203199 + r203200 rolled out + r203204 complete)
DataView should use an accessor for its length and buffer properties (r198435)
Native Typed Array functions should use Symbol.species (r197192)
Fix typo in "use strict" in TypedArray builtins (r191777)

Sep 13, 2018
============
Cannot call initializeIndex() if we didn't create the array using tryCreateUninitialized() (r196437)
Array.prototype native functions should use Symbol.species to construct the result (r195878)
WebKit must support all JavaScript MIME types in HTML5 spec (r191268)
[ES6] Add Symbol.species properties to the relevant constructors (r195460)
Fix some issues with TypedArrays (r191190 + r191193 rolled out + r191212 complete)
ES6 Fix TypedArray constructors. (r191059)
Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties. (r191215 partial)

Sep 12, 2018
============
TypedArrays need more isNeutered checks. (r202982 complete)
TypedArray.prototype.slice should not throw if no arguments are provided (r201364)
[ES6] Fix various issues with TypedArrays. (r195360 complete)
[ES6] Add TypedArray.prototype functionality. (r189064 + r189085 rolled out + r190367 + r190385 rolled out + r190429)
Octane/regexp's Exec function should benefit from array length accessor inlining (r197542)
[JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix (r229855)
[DFG][FTL] Efficiently execute number#toString() (r221601)

Sep 11, 2018
============
canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints (r201584)
DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0' (r227716)
[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t (r227271 partial)
[JSC] Optimize Number.prototype.toString on Int32 / Int52 / Double (r214219)
Assertion failed under operationToLowerCase with a rope with zero length (r207377)
String.prototype.toLowerCase should be a DFG/FTL intrinsic (r206804)
[ES6] Implement Proxy.[[SetPrototypeOf]] (r197544)
Add Proxy tests for exceptions that depend on an object being non-extensible and having configurable properties (r197539)
[ES6] Implement Proxy.[[DefineOwnProperty]] (r197533)
[[SetPrototypeOf]] isn't properly implemented everywhere (r197512)
clean up JSObject::isExtensibleInline and JSObject::setPrototypeOfInline, and rename setPrototypeOf to setPrototype (r197484)
[ES6] Implement Proxy.[[IsExtensible]] (r197420)
[ES6] Implement Proxy.[[PreventExtensions]] (r197418)
X.[[SetPrototypeOf]](Y) should succeed if X.[[Prototype]] is already Y even if X is not extensible (r188384 complete)

Sep 10, 2018
============
[DFG] DFG should handle String#toString (r235790)
[Intl] Change the return type of canonicalizeLocaleList() from JSArray* to Vector<String> (r190591)
[INTL] Implement supportedLocalesOf on Intl Constructors (r189811)
Implement basic types for ECMAScript Internationalization API (r187575)
Implement ECMAScript Internationalization API (r186161)
LLInt get/put inline caches shouldn't use tons of opcodes (r189766)
[[SetPrototypeOf]] should be a fully virtual method in ClassInfo::methodTable (r197467)
Assertion failure for super() call in direct eval in method function (r200409)
EvalCodeCache should not give up in strict mode and other cases (r208404)
Lets rename codeOriginIndex to callSiteIndex and get rid of CallFrame::Location. (r188932)

Sep 07, 2018
============
Web Inspector: Stepping highlight for dot/bracket expressions in if statements highlights subset of the expression (r207312)
ThisTDZMode is no longer needed (r201328)
Adjust the ranges of basic block statements in JSC's control flow profiler to be mutually exclusive (r180518 partial)
Removed unused sourceOffset from JSTokenLocation. (r153071)
[JSC] Clean up StructureStubClearingWatchpoint (r235776)
Stack overflow error for deeply nested classes. (r203286)
WatchpointsOnStructureStubInfo doesn't need to be reference counted (r189328)

Sep 06, 2018
============
Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter (r235765)
ES6: Reusing function name as a parameter name shouldn't throw Syntax Error (r201892)

Sep 06, 2018
============
Parser<LexerType>::parseFunctionInfo() has the wrong info about captured vars when a function is not cached. (r204305 partial)
We don't have to parse a function's parameters every time if the function is in the source provider cache (r200038)
  => Passed JIT tests.
  
Sep 06, 2018
============
Use of arguments in arrow function is slow (r213165 complete revisited)
arrow function lexical environment should reuse the same environment as the function's lexical environment where possible (r201176)
Assertion failure for direct eval in non-class method (r200856)
Add a couple UNLIKELY macros in parseMemberExpression (r199755)
[ES6] Class syntax. Access to new.target inside of the eval should not lead to SyntaxError (r198980)

Sep 05, 2018
============
REGRESSION: date-format-tofte.js is super slow (r208427)
Sloppy mode: We don't properly hoist functions names "arguments" when we have a non-simple parameter list (r212021)
Rename BytecodeGenerator's m_symbolTableStack to m_lexicalScopeStack. (r209723)
Lets do less locking of symbol tables in the BytecodeGenerator where we don't have race conditions (r199848)
Super property access in base class constructor doesn't work (r210958)
The parser doesn't properly parse "super" when default parameter is an arrow function. (r202074)
Remove some unnecessary RefPtrs in the parser (r199845)
[ES6] Arrow function syntax. Update syntax error text 'super is only valid inside functions' to more suitable (r198472)
JSBench regression: CodeBlock linking always copies the symbol table (r201221)
Make the type profiler work with lexical scoping and add tests (r187524 partial)

Sep 04, 2018
============
Class contructor and methods shouldn't have "arguments" and "caller" (r200321)
Web Inspector: ES6: Provide a better view for Classes in the console (r182047 partial)
synthesizePrototype() and friends need to be followed by exception checks (or equivalent). (r197794 revisited)

Aug 31, 2018
============
[ES6] Make GetProperty(.) inside ArrayPrototype.cpp spec compatible. (r198360)
[ES6] Getters and Setters should be prefixed appropriately (r198348 partial)
Clean up register naming (r189293 partial)
  => Passed JIT tests.
  
Aug 31, 2018
============
Add missing exception check in arrayProtoFuncLastIndexOf(). (r235540)
Add some missing exception checks in JSRopeString::resolveRopeToAtomicString(). (r235491)

Aug 29, 2018
============
[ES6] Reflect.set with receiver (r198270 partial)
Implement Function.name support for getters/setters and inferring name of function properties. (r197817)
GetByIdWithThis/GetByValWithThis should have ValueProfiles so that they can predict their result types (r205321)
Remove the use of "Immediate" in JIT function names. (r190230 partial)
[DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers (r231472 partial)
[ES6] Arrow function. Issue in access to this after eval('super()') within constructor (r216329)
BytecodeGenerator ".call" and ".apply" is exponential in nesting depth (r215453 revisited)
Getter and setter on super are called with wrong "this" object (r200586)
[ES6][ES7] Drop Constructability of generator function (r194435)
Insert exception check around toPropertyKey call (r182057 complete)

Aug 28, 2018
============
calling super() a second time in a constructor should throw (r199712 + r199724 rolled out + r200083 + r200084 rolled out + r200102)
Speed up case folding for 8-bit strings (r160954)
[ES6] Support subclassing Function. (r195070)
[ES6] Support subclassing the String builtin object (r194998)
Arrays should use the InternalFunctionAllocationProfile when constructing new Arrays (r194869)
Assertion failure for exception in "prototype" property getter and Reflect.construct (r200257)
  
Aug 27, 2018
============
Debug assertion failure while loading http://kangax.github.io/compat-table/es6/. (r196986)
InternalFunction::createSubclassStructure doesn't take into account that get() might throw (r196966)
WTF::StringImpl::copyChars segfaults when built with GCC 7 (r219182)
Crash in WTF::StringBuilder::append() (r164408)
Remove 'static' specifier from free inline functions in StringImpl.h (r164175)
plainText() is O(N^2) (r152306)
[JSC] Object constructor need to be aware of new.target (r200421 complete)
Remove redundant StringImpl substring creation function. (r194509)
Constructed object's global object should be the global object of the constructor. (r212015 complete)
global lexical environment variables are not accessible through functions created using the function constructor (r201628)
Use a profile to store allocation structures for subclasses of InternalFunctions (r194863 partial)
[ES6] Boolean, Number, Map, RegExp, and Set should be subclassable (r194643)
[ES6] Arrays should be subclassable. (r194612)
Optimized equal() functions in StringImpl.h are not ASan compatible (r179644 revisited)
Fix undefined behavior in WTF::equal() in StringImpl.h for i386/x86_64 (r165681 revisited + r165706 revisited)

Aug 24, 2018
============
Promise constructor should throw when not called with "new" (r191276)
Atomics.h has incorrect GCC test for ext/atomicity.h when using LSB compilers (r125010)
constructArray() should always allocate the requested length. (r233722)
constructArray() should set m_numValuesInVector to the specified length. (r233167)
unshift should zero unused property storage (r233121)
constructArray variants should take the slow path for subclasses of Array (r232977)
Initial implementation of annex b.3.3 behavior was incorrect (r199179)
Implement Annex B.3.3 function hoisting rules for function code (r198989)

Aug 23, 2018
============
Scopes that are not under TDZ should still push their variables onto the TDZ stack so that lifting TDZ doesn't bypass that scope (r202778)
Method names should not appear in the lexical scope of the method's body. (r198332)
Add support for setting Function.name from computed properties. (r198288)
Need to distinguish between Symbol() and Symbol(""). (r198168)
Give Unique StringImpls a meaningful data pointer (r160453)
Try to create AtomicString as 8 bit where possible (r132739)

Aug 22, 2018
============
The DFG CFGSimplification phase shouldnt jettison a block when its the target of both branch directions. (r235177)
ES6 Function.name inferred from property names of literal objects can break some websites. (r200423)
Implement Function.name and Function#toString for ES6 class. (r198042)
Accept 8 and 4 value hex colors (#RRGGBBAA) (r192023)
Use __sync_add_and_fetch instead of __gnu_cxx::__exchange_and_add (r139553)
ES6: Implement lexical scoping for function definitions in strict mode (r197915)
BytecodeGenerator::pushLexicalScopeInternal and pushLexicalScope should use enums instead of bools (r194304)
calculatedDisplayName() and friends actually need a VM& and not a ExecState/CallFrame. (r201766)
FunctionExecutable::ecmaName() should not be based on inferredName(). (r197867 complete)
Implement Function.name support for getters/setters and inferring name of function properties. (r197815)
NativeExecutable should have a name field (r195000)
Web Inspector: Scope details sidebar should label objects with constructor names (r180173)
Make JSFunction.name allocation fully lazy. (r197308)
[JSC] Should not rotate constant with 64 (r235160)

Aug 21, 2018
============
[ES6] Recognize calls in tail position (r189336 + r189376)
Function with default parameter values that are arrow functions that capture this isn't working (r201122)
Web Inspector: JSContext inspection should report exceptions in the console (r164824 partial)
Web Inspector: JSContext inspection should report exceptions in the console (r164486 + r164491 rolled out + r164507 + r164554 rolled out)
Web Inspector: Autogenerate stack traces and line numbers when possible. (r136377 + r136386 rolled out + r136657)
Web Inspector: Remove unused ConsoleMessage constructor. (r135107)
Web Inspector: Associate console messages with the requests that caused them. (r132918)
[JSC] op_new_arrow_func_exp is no longer necessary (r201487)
Remove unused m_writtenVariables from the parser and related bits (r199768)
Fix a crash when assigning an object to document.location (r166090 revisited)

Aug 20, 2018
============
Function.name and Function.length should be configurable. (r197205)
[ES6] Implement ES6 arrow function syntax. Prototype of arrow function should be undefined (r189341)
intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point (r235007)
[JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion (r234855)
[DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants (r234853)
[JSC] Should not rotate constant with 64 (r234852 + r235021 rolled out)
We should have different JSTypes for JSGlobalLexicalEnvironment and JSLexicalEnvironment and JSModuleEnvironment (r198228)
[ES6] Catch parameter should accept BindingPattern (r195439)
Fix asm operand type for weakCompareAndSwap on ARM_THUMB2 (r133796)
Fix for WTF fails to compile in thumb mode when llint is enabled. (r128557)
atomicDecrement() never reach 0 on Android so no deref() will be called (r124115)
set WTF_USE_LOCKFREE_THREADSAFEREFCOUNTED for chromium android (r123875)

Aug 11, 2018
============
parsing arrow function expressions slows down the parser by 8% lets recoup some loss (r198927)

Aug 10, 2018
============
We don't need a manual stack for an RAII object when the machine's stack will do just fine (r199787)
Runaway WebContent process CPU & memory @ foxnews.com (r201589)
[ES6] Arrow function syntax. Arrow function should support the destructuring parameters. (r195178)
Assertion failure for destructuring assignment with new.target and unary operator (r200293 complete)
Misleading error message: "At least one digit must occur after a decimal point" (r187506)
SyntaxChecker assertion is trapped with computed property name and getter (r181807)
Array.prototype.sort should call @toLength instead of ">>> 0" (r234728)
Array.prototype.sort should throw TypeError if param is a not callable object (r234716)
super should be available in object literals (r199927)
We incorrectly parse arrow function expressions (r199352)
FunctionExecutable::ecmaName() should not be based on inferredName(). (r197867 partial)
keywords ("super", "delete", etc) should be valid method names (r194881)
[JSC] support CoverInitializedName in nested AssignmentPatterns (r192919)
[ES6] Implement computed accessors (r189504)

Aug 09, 2018
============
ES6 class syntax should allow computed name method (r188498)
JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path) (r227898)
[ES6] Class expression should have lexical environment that has itself as an imutable binding (r191030 + r191037 rolled out + r191110)
[ES6] Class method should not declare any variables to upper scope. (r191086)
ES6: Should not allow duplicate basic __proto__ properties in Object Literals (r184640)
ES6: Allow duplicate property names (r184324 revisited)
Implement SmallPtrSet and integrate it into the Parser (r198375 + r198579)

Aug 08, 2018
============
[ES6] Arrow function syntax. Get rid of JSArrowFunction and use standard JSFunction class (r194835)
Assertion failure for super() call in arrow function default parameters (r200824)
REGRESSION(r192914): 10% regression on Sunspider's date-format-tofte (r198778)
Invoking super()/super inside of the eval should not lead to SyntaxError (r198324)
How we load new.target in arrow functions is broken (r197928)
[ES6] Arrow function syntax. Lexical bind super inside of the arrow function in generator. (r197554)
[ES6] Arrow function. Some not used byte code is emited (r197410)
[ES6] Arrow function syntax. Emit loading&putting this/super only if they are used in arrow function. (r197033 + rr197043 rolled out + r197296)
[ES6] Arrow function syntax. Using 'super' in arrow function that declared out of the class should lead to Syntax error (r196261)
Provide a way to distinguish a nested lexical block from a function's lexical block (r194251)
[ES6] Implement LLInt/Baseline Support for ES6 Generators and enable this feature (r192914 + r192935 rolled out + r192937)
Super use should be recorded in per-function scope (r192695)
Bytecodegenerator emits crappy code for returns in a lexical scope. (r187991)
Parser::parseFunctionInfo hits RELEASE_ASSERT for Arrow Functions (r187014)
Function bodies should always include braces (r181673)

Aug 07, 2018
============
Clean up ENABLE(ES6_ARROWFUNCTION_SYNTAX) ifdefs and keep minimal set of them (r191946)
[ES6] Add ScriptElement::determineScriptType (r204221)
[ES6] Implement ES6 Module loader hook stubs in WebCore (r190272)
Add module loader "resolve" hook for local file system to test the loader in JSC shell (r189071)

Aug 03, 2018
============
[ES6] Arrow function syntax. Arrow function specific features. Lexical bind "super" (r194449)
Unexpected exception assigning to this._property inside arrow function (r194340)
[ES6] Arrow function syntax. Arrow function specific features. Lexical bind "arguments" (r195581)
[ES6] we have an incorrect syntax error when a callee of a function expression has the same name as a top-level lexical declaration (r196545)
[ES6] Support Generator Syntax (r191875)
[ES6] Add more fine-grained APIs and additional hooks to control module loader from WebCore (r189941)
[ES6] Instantiate Module Environment bindings and execute module (r189339)

Aug 02, 2018
============
[ES6] Introduce ModuleProgramExecutable families and compile Module code to bytecode (r189201)
[JSC] Make some classes non JSDestructibleObject (r196108)
[ES6] Implement Module execution and Loader's ready / link phase (r189088)
New map and set modification tests in r181922 fails (r181968)
REGRESSION (r181458): Heap use-after-free in JSSetIterator destructor (r181922)
Integrate MapData into JSMap and JSSet (r181458)
Serialization of MapData object provides unsafe access to internal types (r176803)
Support structured clone of Map and Set (r155008)

Aug 01, 2018
============
[ES6] Return JSInternalPromise as result of evaluateModule (r188894)
[ES6] prototyping module loader in JSC shell (r188752)
Exception message for expressions with multiple bracket accesses is inconsistent / incorrect (r207326)
[JSC] fix error message for eval/arguments CoverInitializedName in strict code (r194153)
[ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment (r193766)
Web Inspector: arrow function names are never inferred, call frames are labeled (anonymous function) (r190066)

Jul 31, 2018
============
[JSC] Make get_by_val & string "499" to number 499 (r217199 revisited complete)
[JSC] add missing RequireObjectCoercible() step in destructuring (r192899)
[JSC] support Computed Property Names in destructuring Patterns (r192768)
ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier" (r187119)
[Baseline] Remove a hack for DCE removal of NewFunction (r232182 revisited)
[ES6] "super" and "this" should be lexically bound inside an arrow function and should live in a JSLexicalEnvironment (r192876 + r192882 rolled out + r193584 + r193606 rolled out)
New tests introduced in r188545 fail on 32 bit ARM (r190063)
[ES6] Implement ES6 arrow function syntax. Arrow function specific features. Lexical bind of this (r188545)
Inline JSFunction allocation in DFG (r182959)
Crash in operationNewFunction when scrolling on Google+ (r177871)
[ES6] Drop WeakMap#clear (r185041)
[ES6] Implement WeakSet (r182994)
MapData and WeakMapData don't need to be objects (r155558)
Support WeakMap (r155473)

Jul 30, 2018
============
[ES6] Implement ES6 arrow function syntax. Arrow function specific features. Lexical bind of this (r188545 partial)
Unify JSParserCodeType, FunctionParseMode and ModuleParseMode into SourceParseMode (r188417)
[ES6] Add ES6 Modules preparsing phase to collect the dependencies (r188355)
[ES6] Support Module Syntax (r187890)

Jul 27, 2018
============
The parser doesn't properly protect against global variable references in builtins (r196525 revisited partial)

Jul 27, 2018
============
Spread operator should be allowed when not the first argument of parameter list (r196734)
  => Passed JIT tests.

Jul 26, 2018
============
Use NakedPtr<Exception>& to return exception results. (r185608)
window.onerror should pass the ErrorEvent's 'error' property as the 5th argument to the event handler (r202023 revisited)
WebCore::reportException() needs to be able to accept a raw thrown value in addition to Exception objects. (r185487)
Interpreter::unwind shouldn't be responsible for assigning the correct scope. (r188136)
Returned Exception* values need to be initialized to nullptr when no exceptions are thrown. (r185286)
finally blocks should not set the exception stack trace when re-throwing the exception. (r185259)
Add the ability to tell between Catch and Finally blocks. (r185083)

Jul 25, 2018
============
[JSC] SyntaxError if AssignmentElement is `eval` or `arguments` in strict code (r194107)
[JSC] Fix AssignmentElement parsing (r192661)
Relax builtin JS restriction about try-catch (r186260)
Strict mode destructuring assignment crashes the parser. (r166216)
OSR entry into DFG has problems with lexical scoping (r203356)
Destructuring parameters are evaluated in the wrong scope (r198206)
Remove our notion of having a single activation register (r195862)

Jul 24, 2018
============
baseline JIT should emit better code for UnresolvedProperty in resolve_scope/get_from_scope/put_to_scope (r189501)
JSC allows invalid var declarations when the declared name is the same as a let/const variable (r190188)
some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct (r202588 revisited)
JSC should detect singleton functions (r182759 complete revisited)
VariableEnvironmentNode should inherit from ParserArenaDeletable because VariableEnvironment's must have their destructors run (r190014)
[JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling (r223824 partial revisited)

Jul 23, 2018
============
put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object (r228193 complete revisited)
[JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling (r223824 partial)
Factoring out op_sub baseline code generation into JITSubGenerator. (r190649 partial)
baseline JIT should emit better code for UnresolvedProperty in resolve_scope/get_from_scope/put_to_scope (r189501 partial)
Block scoped variables should be visible across scripts (r189279)
DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray (r234075)
CompareEq should be using KnownOtherUse instead of OtherUse (r234060)
Let's rename FunctionBodyNode (r188219)
ES6 class syntax should use block scoping (r187680)

Jul 20, 2018
============
functions that use try/catch will allocate a top level JSLexicalEnvironment even when it is not necessary (r189819)
Callee can be incorrectly overridden when it's captured (r188926 complete revisited)
Replace JSFunctionNameScope with JSLexicalEnvironment for the function name scope. (r187969)
Implement catch scope using lexical scoping constructs introduced with "let" scoping patch (r187515)
There is a bug when default parameter values are mixed with destructuring parameter values (r192436 + r192586 + r192597 rolled out + r192603))
Added a comment explaining that all "addVar()"s should happen before emitting bytecode for a function's default parameter expressions (r187437)
[ES6] Add support for default parameters (r187351)
DestructuringPatternNode and DestructuringAssignmentNode should be ParserArenaFreeable (r187111)
"let" scoping introduced incoherent story about symbol table cloning (r187033)
[ES6] Add support for block scope const (r187012)
[ES6] Support rest element in destructuring assignments (r185981)
[ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern (r185853)
[ES6] Destructuring assignment need to accept iterables (r185791)
JSC should detect singleton functions (r182759 partial)
functionProtoFuncToString should not rely on typeProfilingEndOffset() (r190096)
Function.prototype.toString is incorrect for ArrowFunction (r188928)
Function parameters should be parsed in the same parser arena as the function body (r186959)
Setter should have a single formal parameter, Getter no parameters (r181929)
ES6: Object Literal Methods toString is missing method name (r181901)
Function.prototype.toString should not decompile the AST (r181810)

Jul 19, 2018
============
CSP: 'blob:' URLs should not match 'self' in CSP source expression lists. (r196528)
lexical scoping is broken with respect to "break" and "continue" (r186996 + r186997 rolled out + r187003)
[ES6] implement block scoping to enable 'let' (r186860)
JSC's parser should follow the ES6 spec with respect to parsing Declarations (r186379)

Jul 18, 2018
============
class methods should be non-enumerable (r183316)

Jul 17, 2018
============
performProxyCall should toThis the value passed to its handler (r233110)
[[IsExtensible]] should be a virtual method in the method table (r197412)
[[PreventExtensions]] should be a virtual method in the method table. (r197391)
Global functions should be initialized as JSFunctions in byte code (r183789 + r183790 rolled out + r183972)
FunctionBodyNode should known where its parameters started (r181818)
Breakpoint doesn't fire in this HTML5 game (r178232)
Check whether font is nonnull for GlyphData instead of calling GlyphData::isValid() (r203280 partial)
[CSS Grid Layout] Upgrade align-self and align-items parsing to CSS 3 (r176218 + r176258 rolled out + r182147 complete)
[iOS] Some MathML tests crash in RenderMathMLOperator::advanceForGlyph() or boundsForGlyph() (r180792)
Draw radicals with glyphs for better rendering (r169939 + r169945 rolled out + r169963 + r169965 rolled out + r170005 + r170006)
Rename "Deconstruction" to "Destructuring" throughout JSC (r186246)
[ES6] support default values in deconstruction parameter nodes (r185699)
MathML operators not stretched horizontally (r169607)
[MathML] Use of floating point floor/ceil on LayoutUnits seems wrong (r157135)

Jul 16, 2018
============
Use size variants and glyph assembly from the MATH data. (r169305)
Operator stretching: read the Open Type MATH table (r166640)
Operator stretching: expose a math data API (r166633)
[JSC] Private symbols should not be trapped by proxy handler (r197383)
[ES6] Implement Proxy.[[Set]] (r197136)
Migrate the MathML stretchy code from UChar to Glyph. (r165608)
[MathML] The double bar vertical delimiter does not stretch properly (r159219)
[MathML] Poor spacing around delimiters in MathML Torture Test 14 (r159007)
[MathML] Center of stretched curly bracket not always vertically centered (r158931)
Invisible Operators should not add space. (r165464)
Implement MathML spacing around operators . (r165461)
Improve renderer classes for MathML Token elements. (r165436)
Add support for minsize/maxsize attributes. (r164700)
Implement asymmetric/symmetric stretching of vertical operators. (r164537)
Large stretch size error for MathML operators. (r164534 + r164535 rolled out + r164536)
Do not draw multi-characters <mi> in italic. (r163553)
Ensure inferred mrows for msqrt, mstyle, merror, mphantom and math. (r160711)
RenderMathMLFenced should pass around operators in tighter types. (r159011)
CTTE: RenderMathMLFenced always has a MathMLInlineContainerElement. (r157593)
MathML padding overrides only need to be on RenderMathMLRoot (r140032)
[MathML] Implement <mtd> rowspan and columnspan attributes (r129695)

Jul 13, 2018
============
Implement the MathML Operator Dictionary. (r164418)
Add support for menclose element (r162933)
Map the dir attribute to the CSS direction property. (r159504)
REGRESSION(r157408): Crashes in RenderFullScreen::wrapRenderer(). (r157415)
Pass Document directly to anonymous renderer constructors. (r157408)
[MathML] Implement the subscriptshift and superscriptshift attributes (r156036)
Remove RenderObject::clearNode(). (r155807)
Remove support for anonymous deprecated flexboxes. (r155689)

Jul 12, 2018
============
Remove unused FragmentationDisabler class. (r159022)
[MathML] Remove RenderTree modification during layout and refactor the StretchyOp code (r156930 + r156937 + r156947 rolled out + r157070)
[CSS Regions] Crash when MathML used in CSS Regions (r144744)
[MathML] Timeouts on linux after r132264 (r132265)
[MathML] Symbol font uses greek letters for roman ones on linux and Windows (r132264)
[Cocoa] Text shadow sometimes clipped unexpectedly (r200807 partial revisited)
[Simple line layout] Incorrect repaint rect with vertically shrinking content and bottom-padding. (r225379)

Jul 11, 2018
============
[GTK] Unnecessary extern functions in FontPlatformDataFreeType.cpp (r206373)
[GTK] Bad text rendering since r101343 (r102748 revisited)
[GTK] Improve FontMetrics accuracy (r101343 revisited)
[FreeType] Vertical CJK glyphs should not be rendered with synthetic oblique (r183878)
[Freetype] Add support for the font-synthesis property (r183673)
[FreeType] REGRESSION(r180563): Introduced crashes (r180675)
[GTK] Fonts loaded via @font-face look bad (r180563)
[GTK] REGRESSION: FreeType backend does not respect XSettings font settings after r68558 (r69786 revisited)
[Cairo] FreeType fonts should obey FontConfig hinting/anti-aliasing settings (r68558 revisited)
hasOwnProperty returns true for out of bounds property index on TypedArray (r233718)
Change the reoptimization backoff base to 1.3 from 2 (r233714)
YARR: . doesn't match non-BMP Unicode characters in some cases (r233690)
Enable moving fixed character class terms after fixed character terms for BMP only character classes (r221167)

Jul 10, 2018
============
Tatechuyoko text is not vertically centered in its vertical advance (r192259)
text-combine needs to center text within the vertical space using glyph bounds (r175236)
Ruby text is incorrectly positioned when its writing-mode is changed to vertical after layout is done (r145451)
[JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock (r233657)
NewRegexp should not prevent inlining (r204958)

Jul 09, 2018
============
ProgramExecutable may be collected as we checkSyntax on it (r233540)
Regular expressions with ".?" expressions at the start and the end match the entire string (r233453)
RegExp.exec returns wrong value with a long integer quantifier (r233451)
test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs (r222336)
Add support for RegExp "dotAll" flag (r221160)
REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137 (r221111)
Implement Unicode RegExp support in the YARR JIT (r221052)
Update treatment of invoking RegExp.prototype methods on RegExp.prototype. (r199545)
ES6's throwing of TypeErrors on access of RegExp.prototype flag properties breaks websites. (r198698)

Jun 27, 2018
============
Invalid innerTextRenderer in RenderTextControlSingleLine::styleDidChange() (r229393)
Add newTarget accessor to JS constructor written in C++ (r187142)
[CSS Grid Layout] Wrong computed style for named grid lines in implicit tracks (r183739)
[CSS Grid Layout] Implement justify-self and justify-item css properties. (r182613)
[CSS Grid Layout] Resolved value of grid-template-* must include every track listed (r173156)
[JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr (r233252)
eval() is wrong about the LiteralParser never throwing any exceptions. (r233242)
JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow (r196849)
[ES6] Add support for rest parameters (r192671 partial)
[CSS Grid Layout] grid-template-areas should accept none value (r183850)
  => Passed JIT tests.

Jun 26, 2018
============
[ES6] Implement Proxy.[[Delete]] (r197042)
[ES6] Implement Proxy.[[Construct]] (r196868)
[ES6] Implement Proxy.[[Call]] (r196836)
Unreviewed, relax limitation in operationCreateThis (r194436)
[CSS Grid Layout] Upgrade align-self and align-items parsing to CSS 3 (r176218 + r176258 rolled out + r182147)
[CSS Grid Layout] Properly support for z-index on grid items (r170474)
ContentData equals() methods are not inline-able (r163936)
Convert RenderFullScreen to use the non-deprecated flexbox (r140705)
Remove StyleContentType since it's not used anymore (r131684)

Jun 25, 2018
============
[JSC] Private symbols should not be trapped by proxy handler (r197383 partial)
ProxyObject.[[GetOwnProperty]] is partially broken because it doesn't propagate information back to the slot (r197295)
Make JSObject::getMethod have fewer branches (r196999)
JSGlobalObject doesn't visit ProxyObjectStructure during GC (r196967)
Implement Proxy.[[HasProperty]] (r196789)
Proxy's don't properly handle Symbols as PropertyKeys. (r196785)
Implement Proxy.[[GetOwnProperty]] (r196772)
Implement Proxy [[Get]] (r196722 complete)
Improve JSObject::put performance (r194175)
Some JSValue::get() micro-optimzations. (r169815)
Streamline JSValue::get(). (r165090)

Jun 22, 2018
============
[CSS Grid Layout] Implement justify-self css property (r171010)
[CSS Parser] Unprefix -webkit-writing-mode (r207757)
Implement parsing for CSS will-change (r188512)
Code clean up for extracting information from the mix of WritingMode and TextDirection (r184962)
[CSS Grid Layout] <string> not allowed in grid-{area | row | column} syntax (166712)
[CSS Masking] Add -webkit-mask-source-type property, with auto, alpha and luminance values (r154174)
CSSParser::parseFontFamily should allow the keyword "default" as part of a font name (r149360)
Implement 'mask-type' for <mask> (r129018)

Jun 21, 2018
============
CSS canvas color parsing accepts invalid color identifiers (r170933)
REGRESSION (r168685): css calc() expression fails (r170544)
ASSERTION FAILED: leftCategory != CalcOther && rightCategory != CalcOther in WebCore::CSSCalcBinaryOperation::createSimplified (r168685)
Fix WebKit build error when SVG is disabled(broken since r154174) (r154203)
[SVG2] Add support for the buffered-rendering hint (r147348)
REGRESSION (r189567): The top of Facebook's messenger.com looks visually broken (r199877 + r199883 rolled out + r199895 complete)
min-width/height should default to auto for flexbox items (r189567 revisited)
Update Grid Layout to use fewer magic -1s (r189037)
Use Optionals in RenderBox height computations (r188873 revisited)
intrinsic size keywords don't work for heights (r185908 partial)
[CSS Grid Layout] LayoutBox::hasDefiniteLogicalHeight() should consider abspos boxes as definite (r183385)
[CSS Grid Layout] Columns set in percentages collapse to auto width (r182780)
ASSERTION FAILED: name[0] == '@' && length >= 2 in WebCore::CSSParser::detectAtToken (r172036)
Fixing calc() parameter parsing in cubic-bezier functions (r172033)
[CSS Shapes] polygon y-value calc() args serialize incorrectly (r166813)
display:table with padding and/or borders in border-box calculates height incorrectly (r164674)
[CSS Grid Layout] ASSERTION FAILED !track.growthLimitIsInfinite() in RenderGrid::computeUsedBreadthOfGridTracks (r181141)
[CSS Grid Layout] Tracks growing beyond limits when they should not (r180623)
[CSS Grid Layout] Invalid initialization of track sizes with non spanning grid items (r179987 + r180003 rolled out + r180142)
[CSS Grid Layout] Remove the usage of Length(Undefined) in GridLength (r180140)
[CSS Grid Layout] Tracks' growth limits must be >= base sizes (r179824)
[CSS Grid Layout] Skip items spanning flex tracks when sizing content based tracks (r178895)
[CSS Grid Layout] Fix the handling of infinity in track growth limits (r174006)
[CSS Grid Layout] Size tracks using a list of all items sorted by span (r178893)
[CSS Grid Layout] Wrong arguments passed to computeNormalizedFractionBreadth (r178701)
ASSERTION FAILED: !gridWasPopulated() in WebCore::RenderGrid::placeItemsOnGrid (r174946)
[CSS Grid Layout] Pass the valid set of tracks to grow beyond growth limits (r174643)
[CSS Grid Layout] Do not grow tracks when the growth factor is 0 (r173868)
[CSS Grid Layout] Sort items by span when resolving content-based track sizing functions (r173620)
[Armv7] Linkbuffer: executableOffsetFor() fails for location 2 (r233015)

Jun 20, 2018
============
[CSS Grid Layout] Tracks shrink sometimes with indefinite remaining space (r178577 + r178582 rolled out + r178642)
[CSS Grid Layout] Replace the usage of size_t by unsigned (r176390)
Set the end position on the placeholder BidiRun properly. (r202251)
Japanese text in Google search is rendered too low and clipped (r169780)
HTMLTextAreaElement no longer needs custom style resolve callbacks. (r155419)
Remove HTMLTextFormControl::fixPlaceholderRenderer (r155408)
defining line height affects height of text box (r155324)
REGRESSION(r147602): Search text field doesn't render selection when it has some :focus rules (r151695 revisited)
Input value/placeholder is not redrawn when the input height grows (r147602 revisited)
Refactoring: Clean up placeholder attribute usage (r136928)
AuthorShadowDOM support for textarea element. (r127108)
Remove RefPtr from HTMLTextAreaElement::m_placeholder (r126567)
flattenDictionaryStructure needs to zero properties that have been compressed away (r233001)
DirectArguments::create needs to initialize to undefined instead of the empty value (r233000)
Simple line path does not respect visibility:hidden (r159385)
Element Traversal is not just Elements anymore (r184034 revisited)

Jun 19, 2018
============
Simple line layout: Use float types wherever possible to match line tree. (r189030 revisited)
StyleRule*::properties() should return const references. (r153880)
Refactoring CSS grammar (r150804)
Invalid block doesn't make declaration invalid (r150803)
Web Inspector: Enable CSS logging (r150791)
Reducing CSS code duplication in declaration list error recovery (r150682)
Fixing invalid block recovery in some declaration list. (r150672)
Changing typing style with font size delta overrides the previous font size delta (r147661)
REGRESSION (r146588): Cannot correctly display Chinese SNS Renren (r147028)
Web Inspector: Report more CSS errors (r146588)
Web Inspector: Track CSS error location information. (r146452)
Web Inspector: Plumbing CSS warnings (r146353)
[Refactoring] rename StyleRuleBlock -> StyleRuleGroup (r140316)

Jun 18, 2018
============
[CSS Grid Layout] Limit the size of explicit/implicit grid (r175930)
ASSERTION FAILED: !trackSizes.isEmpty() in WebCore::createGridTrackList (r172904)
[CSS Grid Layout] Interaction between auto-placement and column / row spanning (r170531)
[CSS Grid Layout] Add GridSpan::iterator (r170182)
Only define MAX_GRID_TRACK_REPETITIONS if CSS_GRID_LAYOUT is enabled. (r168873)
[CSS Grid Layout] Clamping the number of repetitions in repeat() (r168108)
[CSS Grid Layout] Handle percentages of indefinite sizes in minmax() and grid-auto-* (r174057)
[CSS Grid Layout] Update grid-auto-flow to the new syntax (r170996)
[CSS Grid Layout] Introduce an explicit type for resolved grid positions (r169934)
[CSS Grid Layout] Simplify the named grid lines resolution algorithm (r169744)
[CSS Grid Layout] Implementation of the "grid" shorthand. (r169349)
REGRESSION(r167799): ASSERTION in parseGridTemplateShorthand in fast/css-grid-layout/grid-template-shorthand-get-set.html (r167821)
REGRESSION(r167799): Breaks debug build (r167806)
[CSS Grid Layout] Implementation of the grid-template shorthand. (r167799)
[CSS Shapes] CRASH with calc() value args in inset round (r166726)
[CSS Grid Layout] getComputedStyle() must return the specified value for positioning properties (r166299)
[CSS Grid Layout] Update named <grid-line> syntax to the last version of the specs (r166157 partial)
[CSS Grid Layout] the "grid-template-areas" is not identified as computable property. (r165613)
[CSS Grid layout] Initial position in span not correctly computed sometimes (r165612)
[CSS Grid Layout] Percentages of indefinite sizes should compute to auto (r165048)
[CSS Grid Layout] Fix positioning grid items using named grid lines/areas (r164869)
[CSS Grid Layout] handle undefined RemainingSpace in computeUsedBreadthOfGridTracks algorithm (r164609)
[CSS Grid Layout] Support calc() breadth size type (r163888)
[CSS Grid Layout] getComputedStyle() not using author's order when showing named grid lines (r165742)
[CSS Grid Layout] Fix missing layout in flexible and content sized columns (r164214)
[CSS Grid Layout] Rename named areas property (r164035)
[CSS Grid Layout] Rename grid-definition-{columns|rows} to match the new syntax (r163625)
[CSS Grid Layout] getComputedStyle() is wrong for grid-definition-{columns|rows} (r163547)
[CSS Grid Layout] Do log(n) search in the named line vectors when positioning named line spans. (r163166)
[CSS Grid Layout] minmax() should be a CSSFunction instead of a CSSValueList (r163013)
[CSS Grid Layout] Fix the preferred logical widths code to work with spanning grid items (r160633)
[CSS Grid Layout] Fix positioning of grid items with margins (r159809)
[CSS Grid Layout] Support grid-definition-{rows|columns} repeat() syntax (r159808)
[CSS Grid Layout] Cache several vectors to avoid malloc/free churn (r159741)
[CSS Grid Layout] Improve content-sized track layout (r159685)
[CSS Grid Layout] Run the content-sized tracks sizing algorithm only when required (r159684)

Jun 15, 2018
============
[CSS Grid Layout] CSSParser should reject <track-list> without a <track-size> (r158839)
[CSS Grid Layout] Add support for named grid areas (r158744)
[CSS Grid Layout] Fix handling of 'inherit' and 'initial' for grid lines (r158838)
[CSS Grid Layout] Add support for order inside grid items (r158115 complete)
[CSS Grid Layout] Implement support for <flex> (r157393 + r157397)
[CSS Grid Layout] 2 span positions are not resolved correctly (r157389)
[CSS Grid Layout] Implement support for grid-template (r157211)
[CSS Grid Layout] Support 'auto' sized grid items (r141317)
[CSS Grid Layout] Implement CSS parsing and handling for min-content and max-content (r137478)
Remove newBlockInsideInlineModel and anonymous inline block (r221456)
Anonymous table objects: inline parent box requires inline-table child. (r191011)
WebCore::RenderBlock::determineStartPosition crash (r135684)
Node.nodeName should not be nullable (r200271)
[CSS Grid Layout] Implement the grid-area shorthand (r156638)
[CSS Grid Layout] Resolve named grid lines (r155181)
[CSS Grid Layout] Add parsing for named grid lines (r154996)
[CSS Grid Layout] Handle 'span' positions during layout (r154753)
[CSS Grid Layout] Fix grid position resolution (r154731)
[CSS Grid Layout] infinity should be defined as a negative value (r154730)
[CSS Grid Layout] Align our grid-line handling with the updated specification (r154044)
[CSS Grid Layout] Allow defining named grid lines on the grid element (r153752)
[CSS Grid Layout] Add support for parsing <grid-line> that includes a 'span' (r153748)
[CSS Grid Layout] Rename grid placement properties (r153746)
[CSS Grid Layout] Rename grid-{rows|columns} to grid-definition-{rows|columns} (r152479)
clearLayoutOverflow should never be called before calling layer()->updateScrollInfoAfterLayout(). (r151146 + r151178 rolled out)
webkit fails IETC grid-column-002 (r147430)
[CSS Grid Layout] content-sized row tracks with percentage logical height grid items don't resolve properly (r146697)
[CSS Grid Layout] Properly layout spanning grid items with minmax grid tracks (r146482)
[CSS Grid Layout] OOB access in RenderGrid with a grid item with negative position index (r146470)
[CSS Grid Layout] Support default grid items sizing (r146467)
[CSS Grid Layout] Improper repainting when grid item change their position (r146371)
[CSS Grid Layout] Add parsing for grid-auto-{row|column} (r146274)
[CSS Grid Layout] resolveContentBasedTrackSizingFunctions should iterate over the grid items not the grid tracks (r145840)
[CSS Grid Layout] Refactor GridCoordinate to hold GridSpans (r145762)
[CSS Grid Layout] Handle min-width / max-width on the grid element (r145758)
[CSS Grid Layout] Handle spanning grid items over specified grid tracks (r145378)
[CSS Grid Layout] Resolve grid-{end|after} integer against the end|after edge (r145297)
[CSS Grid Layout] Handle 2 positions with one 'auto' properly (r145240)

Jun 14, 2018
============
Cleanup: Use consistent naming in CSSParser when dealing with the forward slash operator. (r137345 complete)
[CSS3 Backgrounds and Borders] Remove CSS3_BACKGROUND feature flag. (r137166)
Enable CSS3 position offset for CSS Masking. (r137007)
Improve r136754 by hardening checks of expected values for background-position. (r136966)
REGRESSION (r136683): css3/calc/background-position-parsing.html failing on EFL Linux 64-bit Debug WK2 (r136754)
[CSS3 Backgrounds and Borders] Allow the CSS3 background position offset for background shorthand. (r136683)
[CSS3 Backgrounds and Borders] Implement new CSS3 background-position parsing. (r135632)
[CSS Grid Layout] Fix StyleGridData::operator== (r146098)
[CSS Grid Layout] Extend our grammar to support 2 positions for grid-{row|column} (r145029)
[CSS Grid Layout] Add parsing for grid-{end|after} (r144762)
[CSS Grid Layout] Add parsing for grid-{start|before} (r144681)
[CSS Grid Layout] Refactor RenderStyle's grid position storage in preparation to supporting spanning (r143941 + r144092 rolled out)
[CSS Grid Layout] Implement grid growth during auto placement (r143621)
[CSS Grid Layout] Implement the auto-placement algorithm without grid growth (r143535)
[CSS Grid Layout] Refactor the code in preparation of auto placement support (r143397)
[CSS Grid Layout] Add parsing for grid-auto-flow (r141787 + r141872)
Cleanup: Use consistent naming in CSSParser when dealing with the forward slash operator. (r137345 partial)
Add an helper function in CSSParser to check for '/' character. (r136525)
Don't let the CSSValuePool's font family cache grow unbounded. (r179141)
Leverage CSSValuePool's font family cache in CSSComputedStyleDeclaration (r179017)
RenderGrid::computedUsedBreadthOfGridTracks can read past m_grid's size (r143331)
[CSS Grid Layout] Refactor grid position resolution code to support an internal grid representation (r143268)
Implement RenderGrid::computeIntrinsicLogicalWidths (r143043)
[CSS Grid Layout] Add an internal 2D grid representation to RenderGrid (r142898)
[CSS Grid Layout] Adding or removing grid items doesn't properly recompute the track sizes (r142798)
[CSS Grid Layout] Grid item's logical height is not properly recomputed after -webkit-grid-column / -webkit-grid-row changes (r141963)
[CSS Grid Layout] computePreferredLogicalWidths doesn't handle minmax tracks (r141616)
[CSS Grid Layout] Support implicit rows and columns (r141505)
[CSS Grid Layout] Make resolveContentBasedTrackSizingFunctionsForItems reuse distributeSpaceToTracks (r141163)
Share code between the different min-content / max-content code paths (r140894)
[CSS Grid Layout] Add support for max-content (r140583)
[CSS Grid Layout] Add support for min-content (r140198)
[CSS Grid Layout] Updating -webkit-grid-rows or -webkit-grid-columns doesn't work as expected (r140045 complete)
CFGSimplificationPhase should de-dupe jettisonedBlocks (r232800)
Do not reparent floating object until after intruding/overhanging dependency is cleared. (r214023)
Infinite recursion crash in WebCore::RenderBlockFlow::layoutBlock (r204980 partial)
Float with media query positioned incorrectly after window resize. (r194645)
Use Optionals in RenderBox height computations (r188873 revisited)
vw/vh units used as font/line-height values don't scale with the viewport (r169407 revisited)
[CSS Regions] Infinite loop when computing widows (r156881)
[CTTE] RenderGrid is never anonymous. (r155687)
[CTTE] RenderListItem is never anonymous. (r155684)
Cleanup visibility of some computePreferredLogicalWidths calls (r139772 + r139783)
[CSS Grid Layout] Implement grid items sizing for fixed minmax grid tracks (r139025)
[CSS Grid Layout] Include paddings and borders into the grid element's logical height / width (r137560)
[CSS Grid Layout] Implement CSS parsing and handling for <track-minmax> (r136588)
[CSS Grid Layout] Support paddings and margins on grid items (r136465)
[CSS Grid Layout] Support <percentage> and viewport-relative breadth sizes (r136432)
[CSS Grid Layout] Align the grid track code with the specification's production rules (r136294)
[CSS Grid Layout] track sizing functions should have their own type (r136150)
Computed grid items' positions shouldn't be using Length (r135164)

Jun 13, 2018
============
Fix childrenInline() check in markAllDescendantsWithFloatsForLayout() (r201186)
markAllDescendantsWithFloatsForLayout should not drill into blocks with inline children. It was sufficient to mark ourselves as needing layout. (r201088)
Add ASSERT_WITH_SECURITY_IMPLICATION when a float box is referenced by multiple RootInlineBoxes. (r199113)
ASSERTION FAILED: !floatingObject->originatingLine() in WebCore::RenderBlockFlow::linkToEndLineIfNeeded (r199101)
Remove invalid float from RootInlineBox. (r175345)
Clear sibling floats while splitting inline flow (r167166)
Crash when merging ruby bases that contain floats (r164323)
Deploy more child renderer iterators in RenderBlockFlow. (r161278 partial)
RenderGrid children should always be RenderBoxes (r126071)
[New Block-Inside-Inline Model] Do not attempt to re-run margin collapsing on the block sequence. (r202146)
[New Block-Inside-Inline Model] Implement margin collapsing across contiguous anonymous inline blocks. (r189817)
Assertion failure in WebCore::BidiRun::BidiRun() (r184653)
BreakingContext cleanup (r180944)
[CSS Regions] Block incorrectly sized when containing an unsplittable box (r169110)
Move a few more functions from RenderBlock to RenderBlockFlow (r161316)
Move LineBreaker functions to LineBreaker.cpp (r161314)
[New Block-Inside-Inline Model] Implement the correct paint order for blocks inside inlines. (r182279)
Flex and grid items should be painted as inline-blocks (r181691)
[CSS Grid Layout] Add support for order inside grid items (r158115 partial)
Use a Vector instead of HashSet to computed the orderValues in RenderFlexibleBox (r157916 + r157934 rolled out + r157999)
Change the terminology used by rendering code when painting a given node and its children from "paintingRoot" to "subtreePaintRoot" (r150355)
CSS Flexbox: dynamically applied align-items doesn't affect item alignment (r144104)
Make order iterator member stack allocated in RenderFlexibleBox (r138235)

Jun 12, 2018
============
Remove <iframe seamless> support. (r163427)
ASSERTION FAILED: !object || object->isBox(), Bad cast in RenderBox::computeLogicalHeight (r142816)
Remove RenderIFrame::updateLogicalHeight and RenderIFrame::updateLogicalWidth (r129046)
Remove the spanner placeholder from m_spannerMap when the placeholder object gets transferred to a descendant flow. (r187564)
REGRESSION(r174761) Dangling spanner pointer in RenderMultiColumnSpannerPlaceholder. (r180328)
Simplify ASSERT in lastRubyRun(). (r180081)
REGRESSION (r174761): Invalid cast in WebCore::lastRubyRun / WebCore::RenderRubyAsBlock::addChild (r180064)
REGRESSION (r168046): Crash in WebCore::InlineBox::renderer / WebCore::RenderFlowThread::checkLinesConsistency (r179877)
[CSSRegions] Assert failure in RenderBlock::locateFlowThreadContainingBlock when showing the render tree debug info (r178496)
ASSERTION FAILED: rareData->m_flowThreadContainingBlock.value() == RenderBox::locateFlowThreadContainingBlock() in WebCore::RenderBlock::locateFlowThreadContainingBlock (r178025)
ASSERTION  FAILED in WebCore::RenderFlowThread::getRegionRangeForBox (r174761)
REGRESSION (r168046): Incorrect handling of object information in WebCore::RenderFlowThread::removeLineRegionInfo (r170291)
[CSS Regions] Add ASSERT to make sure using the flowThread cache does not return incorrect results (r168837 + r168844 rolled out + r168971)
[CSS Regions] Reduce the RenderRegion invasiveness in rendering code (r168899 + r168905 rolled out + r168967)
[CSS Regions] Assertion failure in some cases with inline blocks (r168791)
[CSS Regions] ASSERT when hovering over region (r168263)
[New Multicolumn] Enable new multi-column mode (r168046 revisited)
[CSS Regions] Fix getClientRects() for content nodes (r167930)
[CSS Regions] Rename objectShouldPaintInFlowRegion to something more clear (r167810)
[CSS Regions] Hit testing doesn't work in video (r167215)
[CSS Regions] Include region range information when printing the render tree (r166715)
[CSS Regions] Regions don't paint correctly in new-multicol elements (r164481)
[CSS Regions] visibility: hidden on a region should hide its content (r164103)
[CSS Regions] Hit-testing goes through clipped layer in fast/regions/overflow-first-and-last-regions-in-container-hidden.html (r162064)
Allow ShadowContents in HitTests by default. (r146961)
Simplify hitTestResultAtPoint and nodesFromRect APIs (r142977)
Move AllowShadowContent flag to HitTestRequest (r127421)

Jun 11, 2018
============
RenderElement::removeChild() doesn't need a return value. (r176478)
ASSERTION FAILED: !object || !object->parent()->isRuby() || is<RenderRubyRun>(*object) || (object->isInline() && (object->isBeforeContent() || object->isAfterContent())) || (object->isAnonymous() && ... ) in WebCore::isAnonymousRubyInlineBlock (r175807)
Descendant ends up in wrong flow thread with nested columns and spans. (r175641)
Remove a multicolumn ASSERT and replace with a guard. (r174126)
REGRESSION (r168046): Confused column spans when combined with dynamic animations (r174085)
Bad cast in isValidColumnSpanner. (r173845)
ASSERT in RenderMultiColumnSet::requiresBalancing. (r173843)
REGRESSION (r168046): Incorrect layout for multicol spanners when moving from one thread to another (r170010)
REGRESSION (r168046): Incorrect handling of multicol spanner (r169385)
[CSS Shapes] Negative raster shape height leads to crash (r178054)
ArityFixup should adjust SP first on 32-bit platforms too (r232568)
Array.prototype.sort should also allow a null comparator (r216169 + r232666 rolled out)
ArityFixup should adjust SP first (r211479)
Disconnecting a HTMLObjectElement does not always unload its content document (r214599)
[CSS Shapes] Image lifetime is not properly handled for gradient shapes (r169606)
[CSS Shapes] off-by-one error in Shape::createRasterShape() (r167938)
[CSS Shapes] shape-margin in percentage units always computes to 0px (r166787)
Merge ShapeInfo & ShapeOutsideInfo now that ShapeInsideInfo is no more (r166752)
[CSS Shapes] Simplify RasterShape implementation (r166522)
[CSS Shapes] clamp RasterShape shapeMargin to reference box size (r166019)

Jun 08, 2018
============
[CSS Shapes][css clip-path] rounded corner calculation for box shapes is wrong (r166383)
[CSS Shapes] Remove no-longer-used shape-inside geometry code (r166316)
[CSS Shapes] Simplify RectangleShape implementation (r160802)
[CSS Shapes] Remove shape-inside support (r166301)
LayoutBox is a terrible name (r165843)
[CSS Shapes] Image valued shape-outside shapes should update the layout after the image has been loaded (r157414 revisited)
FunctionRareData::m_objectAllocationProfileWatchpoint is racy (r232598)
Subpixel rendering: REGRESSION (r163272): Fixed positioned pseudo content leaves trails while scrolling. (r177243)
[New multicolumn] Spin in RenderMultiColumnSet::repaintFlowThreadContent() (r168882)
[CSS Shapes] Remove deprecated shapes (r165472 + f165474)
[CSS Shapes] inset corner radii are not flipped for vertical writing modes (r165429)
[CSS Shapes] SVG Image valued shape fails if root element's size is relative (r165387)
[CSS Shapes] inset does not properly clamp large corner radii (r165261)
[CSS Shapes] inset and inset-rectangle trigger assert with replaced element and large percentage dimension (r164743)
Rename border/padding/margin width/height to horizontal/vertical extent on RenderBoxModelObject (r164441)
[CSS Shapes] Rounded Insets Let Content Overlap Shape (r163585)
Subpixel rendering: Enable subpixel positioning/sizing/hairline border painting. (r163272)
Subpixel rendering: Introduce device pixel snapping helper functions. (r163265 + r163348)
Floor thickness and length after switching from int to float. (r163264)
Subpixel rendering: Make BorderEdge/RoundedRect::Radii LayoutUnit aware. (r163262)
Subpixel rendering: Change BorderData's width from unsigned to float to enable subpixel border painting. (r163152)
Have kFixedPointDenominator be constant across ports (r138026)

Jun 07, 2018
============
[CSS Shapes] shape-outside does not properly handle different writing modes (r164363)
[CSS Shapes] Rename shapeSize and others to make ShapeInfo and friends easier to understand (r164006)
[CSS Shapes] ShapeOutsideInfo needs to use the parent's writing mode when calculating offsets (r160243)
[css shapes] Fix support for shape-outside on a float with padding (r158584)
[CSS Shapes] New positioning model: Shape cropped to margin box (r157236)
Move float logical location/dimension methods to RenderBlockFlow (r157197 complete)
[CSS Shapes] Lines that don't intersect shape-outside should ignore both left and right margins (r157192)
[css-shapes] shape-outside does not properly handle the container and the float having different writing modes (r156806)
[CSS Shapes] Move ShapeInsideInfo::updateSegmentsForLine implementations into the cpp (r156798)
[CSS Shapes] Rename shapeContainingBlockHeight to shapeContainingBlockLogicalHeight (r155655)

Jun 07, 2018
============
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 complete)
  => Passed JIT tests.

Jun 07, 2018
============
A crash reproducible in Path::isEmpty() under RenderSVGShape::paint() (r195411)
RenderSVGResourceContainer clients are always RenderElement. (r163279)
-webkit-svg-shadow radius changes don't cause children's boundaries to be recomputed (r137393)
RenderSVGResourceContainer does not clear cached data on removal (r135719)
Use m_everHadLayout in RenderObject::checkForRepaintDuringLayout() (r125160)
[DFG] Compare operations do not respect negative zeros (r232567)
Reland "Add Above/Below comparisons for UInt32 patterns" (r222518 + r222523 rolled out + r222564 + r222689 rolled out + r223318 partial)
Renaming SpecInt32, SpecInt52, MachineInt to SpecInt32Only, SpecInt52Only, AnyInt. (r200034)
Add some comments to describe the DFG UseKind representations. (r176425)
[JSC] IndexedDB: Exceptions not thrown for non-cloneable values (r147382)

Jun 06, 2018
============
[CSS Shapes] Remove outside-shape CSS value (r166786)
border-box clip-paths jump around when outline changes (r164336)
-webkit-clip-path should support fill, stroke, view-box keywords (r163764)
Create clipping path from <box> value (r163205)
[CSS Shapes] Image valued shape can fail (r163186)
[CSS Shapes] Preserve box-shape order when serializing shape values (r162475)
[CSS Shapes] Move CSSPrimitiveValue <-> LayoutBox Conversion to CSSPrimitiveValueMappings (r162001)
[CSS Shapes] Shape images are now <image> types, not just URIs (r161980 + rr162055)
Make clipping path from basic-shapes relative to <box> value (r161669)
[CSS Shapes] Change parseBasicShape to return a CSSPrimitiveValue (r161667)
[CSS Shapes] Change default value from 'auto' to 'none' (r161436)
[CSS Shapes] shape-outside animation does not handle 'auto' well (r160623)
StylePendingImage needs to correctly manage the CSSValue pointer lifetime (r160479 complete)
[CSS Shapes] Image valued shape-outside that extends vertically into the margin-box is top-clipped (r158967 + r159065)
[CSS Shapes] Image shape-outside with vertical gaps is handled incorrectly (r158898)
SVGRenderingContext should wrap a RenderElement. (r157945)
CSS cursor property should support webkit-image-set (r136919 complete)
[CSS Shapes] large corner radius combined with 0 radius does not wrap properly (r166966)
[CSS Shapes] Image valued shape size and position should conform to the spec (r162659)
[CSS Shapes] Basic shapes' computed position should be a horizontal and vertical offset (r162210)
[CSS Shapes] First line gets incorrectly adjusted in shape-inside due to rounding (r161604)
[CSS Shapes] Factor the ReferenceBox type out of BasicShapes (r161569)
[CSS Shapes] shape-outside layout incorrect when line spans rounded box rounded corners (r161434)
[CSS Shapes] Simplify FloatRoundedRect, BoxShape construction (r161260)
[CSS Shapes] Simplify the BoxShape implementation (r160814)
[CSS Shapes] Add support for the computing the included intervals for a BoxShape (r160644)
[CSS Shapes] Determining if a line is inside of a shape should only happen in one place (r159205)
[CSS Shapes] image valued shape element margin can cause an ASSERT fail (r158596)
[CSS Shapes] Improve the performance of image valued shapes with large shape-margins (r157574)
[CSS Shapes] Support the shape-image-threshold property (r156852)
[CSS Shapes] add shape-margin support for image valued shapes (r156838)
[CSS Shapes] Implement the shape-image-threshold property (r156814)
Bad ASSERT() in RasterShapeIntervals::firstIncludedIntervalY() (r155965)
[CSS Shapes] Improve the performance of image valued shapes (r155583)
[CSS Shapes] Heap-buffer-overflow in WebCore::ShapeInterval<float>::subtractShapeIntervals (r155354)
[CSS Shapes] Revise the ShapeInterval set operations' implementation (r155043)
[CSS Shapes] Redefine the ShapeIntervals class as a template (r154904)
[CSS Shapes] Complete RasterShape::firstIncludedIntervalLogicalTop() (r154349)

Jun 04, 2018
============
Support <box> values computed style for 'clip-path' property (r161209)
[CSS Shapes] Implement interpolation between keywords in basic shapes (r160770)
[CSS Shapes] Layout using [<box> || <shape>] value (r159792)
[CSS Shapes] When the <box> value is set, derive radii from border-radius (r159702)
[CSS Shapes] Parse [<box> || <shape>] values (r159526 complete)
Remove always true syncXHRInDocumentsEnabled setting (r211081 partial)
[Win] Remove workarounds for fixed bugs in fmod and pow. (r195011 partial)
[CSS Shapes] Support inset for shape-outside (r160130)
[CSS Shapes] Remove explicit numbering from BasicShape::Type and CSSBasicShape::Type enums (r160126)
[css shapes] layout for new ellipse syntax (r160007 + r160009)
[css shapes] Layout support for new circle shape syntax (r159979 complete)
[CSS Shapes] Support inset parsing (r159968)
[CSS Shapes] Support for shape-margin in BoxShape (r159787)
Factorize the creation of primitive values with a pair into a function. (r134937)
[CSS Regions] 1-2% performance regression in html5-full-render after r168286 (r168534)
[CSSRegions] Slider displayed wrong in regions (r168286)
We missed the case where attachLine was called when we already had an inline box wrapper. (r167387)
[CSSRegions] Crash when video in region exits fullscreen (r167001)
[CSSRegions] An unsplittable box is always displayed in a single region (r165893)
[CSSRegions] Compute region ranges for children of inline blocks (r165890)
[CSSRegions] Compute region ranges for inline replaced elements (r164290)
Use tighter InlineBox subtypes in some places. (r158842)
Generate type casting helpers for line boxes and use them. (r158832)
InlineBox: Make paint() and nodeAtPoint() pure virtuals. (r158812)
Nothing should return std::unique_ptr<InlineBox>. (r158811)
Add InlineElementBox and stop instantiating InlineBox directly. (r158736)
Replace InlineBox::destroy() with regular virtual destruction. (r158343)
[CSS Regions] Content that has overflow: scroll cannot be scrolled by dragging the scroll thumbs with the mouse (r150881)
fast/dom/HTMLImageElement/image-alt-text.html and fast/dom/HTMLInputElement/input-image-alt-text.html are failing (r147492)
move should only emit the move if it's actually needed (r232399)

Jun 01, 2018
============
[CSS Regions] Scrolling regions with the mouse wheel only works properly if hovering over the region's padding (r165377)
[CSS Regions] Move specific named flow methods from RenderRegion to RenderNamedFlowFragment (r164275)
[CSS Regions] The box decorations of an element overflowing a region should be clipped at the border box, not the content box (r164231)
[CSS Regions] Overflow above the first region is not properly painted for regions with padding (r163873)
REGRESSION (r163018): Cant scroll in <select> lists (r163329)
[CSSRegions] Unable to scroll a scrollable container for regions using mouse wheel (r163018)
[CSSRegions]Do not compute region range for a box unless the parent has one (r165720)
[CSS Regions] Move named-flow specific method decorationsClipRectForBoxInRegion to RenderNamedFlowThread (r164837)
[CSS Regions] Remove unused method in RenderFlowThread (r163957)
[CSS Regions] Positioned elements in regions get clipped if they fall outside the region (r160721)
The overflow border of a relatively positioned element inside a region is not painted (r160014)
Variables can resolve to the wrong value when elements differ in nothing but inherited variable value (r197300)
REGRESSION (r168046): Invalid layout in multicol (r169425)
REGRESSION (r168046): Invalid layout in WebCore::RenderBox::containingBlockLogicalWidthForPositioned (r169160)
Invalid information remaining in lineToRegion map of RenderFlowThread. (r168621)
Begin Removal of Old Multi-Column Code. (r168380)
REGRESSION (new multi-column): WebKit2.ResizeReversePaginatedWebView fails on debug bots (r168113)
[New Multicolumn] Implement support for compositing (r167965)
Store the containing region map inside the flow thread (r167871 + r167895 rolled out + r167928)
[New Multicolumn] Add support for offsetLeft and offsetTop. (r167808)
[New Multicolumn] Crasher when clearing out a flow thread in multicolumn layout. (r167718)
[New Multicolumn] Pagination mode messed up with non-inline axis and reversed direction. (r167597)
REGRESSION (r163194-r163227): Garbage tiles in overflow of RTL page with background image (r166895)
[CSSRegions] Use RenderRegion::isValid() before using a region (r166867)
Wrong layout while animating content in regions (r166495)
[CSSRegions] Inline-block child of content node incorrectly clipped (r165615)
[CSSRegions] Add helper method for region clipping flow content (r164419)
Clean up PLATFORM(IOS) code related to the custom fixed position layout rect (r162462)
Map RootInlineBox to containing region via bit+hashmap. (r161909)
overflowchanged event could cause a crash (r160847)
[CSSRegions] Incorrect repaint of fixed element with transformed parent (r160717 + r160720 rolled out)
Fix hit testing for divs with a hierarchy of css transformed and non-transformed elements (r160699)
[CSS Regions] Use hasOverflowClip() in RenderRegion (r159682)
Fix hover area for divs with css transforms (r159626)
Kill InlineFlowBox::rendererLineBoxes(). (r159049)
Bring the LineFragmentationData back to RootInlineBox. (r159044)
Use RenderAncestorIterator in a couple of places. (r158611 partial)
Rename deleteLineBoxTree to deleteLines (r157824)
[CSS Regions] Widows don't work if the first line in a region is aligned with the top of the region (r157120)
FrameView::scheduleEvent() is over-engineered. (r155315)
Fix compositing layers in columns (r154795)

May 31, 2018
============
REGRESSION (r168046): [New Multicolumn] Selection into and out of column-span elements doesn't work (r168121)
REGRESSION (r168046): [New Multicolumn] LeftToRight-rl.html (and all the other reversed/block-axis pagination tests) fail (r168088)
REGRESSION (r168046): [New Multicolumn] Painting order is wrong for columns and fixed positioned elements (r168076)
[New Multicolumn] Enable new multi-column mode (r168046)
[New Multicolumn] ASSERTs in fast/dynamic/continuation-detach-crash.html (r168043)
[New Multicolumn] Make RenderFlowThreads into selection roots. (127270)
[New Multicolumn] Client rects don't work with column spans. (r167764)
[New Multicolumn] Make sure columnTranslationForOffset has the same column-span-aware (r167677)
[New Multicolumn] Nested columns not working at all. (r167714 complete)
[New Multicolumn] Add support for column-span:all (r167335)
[New Multicolumn] Child top margin sometimes ignored for column balancing (r166938)
[New Multicolumn] getClientRects returns wrong rectangle (r165991)
[CSSRegions] ASSERTION FAILED: !m_regionsInvalidated in RenderFlowThread::regionAtBlockOffset (r164858)
RenderNamedFlowThread should only support RenderElement children. (r163969)
Remove unused RenderNamedFlowThread::previousRendererForNode(). (r163925)
[New Multicolumn] Nested columns not working at all. (r167714 partial)
[New Multicolumn] columnNumberForOffset is not patched for new multicolumn code yet. (r167444)
[New Multicolumn] Add support for block progression axis and reverse direction (r162892)
[New Multicolumn] Transformed objects inside fragmented transparent objects don't render (r144529)
[New Multicolumn] Make columns work with line grids (r163878)
Remove repaint throttling (r162839)
XML fragment parsing algorithm doesn't use the context element's default namespace URI (r160024)
Move RenderBlock functions only used by RenderBlockFlow to RenderBlockFlow (r158121)
REGRESSION: Crash in XMLDocumentParser::startElementNs (r157470)
REGRESSION(r222090): [HarfBuzz] Arabic shaping is broken except for first word in line (r224015 partial)

May 30, 2018
============
Rendering flexbox children across columns (r215320)
[CSS Regions] Strange layout for content with region breaks (r165873)
[New Multicolumn] -webkit-column-break-inside:avoid doesn't work (r164649)
[New Multicolumn] fast/multicol/multicol-with-child-renderLayer-for-input.html puts the textfield in the wrong place (r167663)
[New Multicolumn] Change the axis property to be a boolean like other isInline checks (r162822)
[New Multicolumn] Don't destroy all the renderers when a multi-column block stops being multi-column (and vice versa) (r162726)
[New Multicolumn] Eliminate RenderMultiColumnBlock (r162712)
Improve multicol intrinsic width calculation (r154714)
Fix the iOS build following <http://trac.webkit.org/changeset/160236> (r161028)
[iOS] Upstream WebCore/rendering changes (r160236)
RenderWidget doesn't need to cache a FrameView pointer. (r155817)
Take document height into account when determining when it is considered visually non-empy (r152401)
Null check m_frame in maximum and minimumScrollPosition (r153349)
OSX: ePub: Unable to select text in vertical Japanese book (r152911)
Tons of crashes on bots after r152425 (r152434)
Fix r152265: FrameView's pagination mode is only one of two, and the logic was totally wrong (r152433)
[wk2] Add API to lock the scroll position at the top or bottom of the page (r152425 partial)
Maximum scroll position can be negative in some cases (r152265)
Convert ScrollableArea ASSERT_NOT_REACHED virtuals (r126444)
Add support for making a web site become paginated using overflow: paged-x | paged-y and corresponding- (r126343)

May 29, 2018
============
Refactor of rebuildFloatingObjectSetFromIntrudingFloats function after r176957. (r177021)
[CSS Grid Layout] Grid items must set a new formatting context. (r176957)
[CSSRegions] Region box incorrectly overlaps floating box (r169639)
[CSS Regions] Don't relayout when updating the region range unless necessary (r168836)
[New Multicolumn] Column balancing is slow on float-multicol.html (r167602)
[New Multicolumn] Table cells and list items need to work as multicolumn blocks. (r162702)
REGRESSION (143483): overflow:hidden doesn't quash big repaints from text-indent: -9999px (r155546)
Floats should not overhang from flex items (r150029)
[New Multicolumn] RenderMultiColumnFlowThreads should establish a BFC. (r143486)
No caret on empty contenteditable element with negative text-indent (r143483)

May 28, 2018
============
isAnonymousInlineBlock() should exclude any ruby content. (r194638)
[New Block-Inside-Inline Model] Floats need to be allowed to intrude into anonymous inline-blocks. (r182241)
REGRESSION (r176262): Invalid cast in WebCore`WebCore::RootInlineBox::selectionTop (r180038)
REGRESSION (r167210): Invalid cast in WebCore::RenderBlock::blockSelectionGaps (r176295)
Improve Ruby selection (getting rid of overlap and improving gap filling) (r176262)
Selection gap painting is ugly for ruby bases. (r175260)
Rename RenderBlockFlow::clearFloats and RenderBlockFlow::newLine to be more accurate (r164440)
REGRESSION (r169407): Calls to RenderStyle::getRoundedBorderFor() in computeRoundedRectForBoxShape() still include RenderView pointer (r173348)
Cursor doesn't change back to pointer when leaving the Safari window (r167700)
Subpixel rendering: Make RoundedRect layout unit aware. (r163156)
[CSS Shapes] Add BoxShape and FloatRoundingRect classes (r159583)
[CSS Shapes] Refactor RectangleShape (r159513)
RenderView::frameView() should return a reference. (r154488 partial)
ASSERT(m_frame->view() == this) fails (r154045)
Layout should force a StyleResolver rebuild if there isn't one at all. (r153595)
Don't check for @media rules affected by viewport changes in every layout. (r149313 + r149377 + r152568 rolled out)
activating a focused link to an in-page fragment ID should transfer focus to the target of the link when possible (r148481)
Updating mouse cursor on style changes without emitting fake mousemove event (r147739)
Call FrameView::contentsResized() when setting fixed layout size (r140869 + r141015 rolled out + r141450)
Avoid filling a rounded rect when radii are zero (r140279 partial)
Don't dispatch fake mousemove events when we don't know where the cursor is (r137539)
No tests for changing mouse cursors (r134144 + r134183 rolled out + r134803)
[chromium] Restrict link highlights to targets that display a hand-cursor (r132945)
Refactoring: move EventHandler::targetNode into HitTestResult (r125715)

May 25, 2018
============
Remove slow repaint object from FrameView when style changes. (r225052)
[iOS WK2] background-attachment:fixed behaves very poorly (r168726)
Fix various crashes on sites with fixed backgrounds (r151934)
Body background with background-attachment:fixed stays in place during rubber-banding (r138757)
Synchronous media query callbacks on nested frames could produced a detached FrameView. (r218228)
REGRESSION(r203415): ASSERTION FAILED: !m_layoutRoot->container() || !m_layoutRoot->container()->needsLayout() (r203425)
theguardian.co.uk crossword puzzles are sometimes not displaying text (r203415)
Delay HTMLFormControlElement::focus() call until after layout is finished. (r198238)
ASSERT(frame().view() == this) assertion hit in FrameView::windowClipRect() on Windows bots (r182807)
Optimize offsetWidth and offsetHeight to avoid doing layouts. (r181396)
HTMLPlugInElement::isUserObservable() is causing layout (r174040)
Don't dispatch 'beforeload' event inside FrameView::layout() (r168668 + r168843 rolled out + r169475 rolled in)
REGRESSION(r162947): Document::topDocument() returns an incorrect reference for cached Documents (r164718)
REGRESSION (r162947): Repaint test results are different between WK1 and WK2 (r163021)
REGRESSION (r162947): css3/flexbox/multiline-justify-content.html and css3/flexbox/position-absolute-child.html are timing out (r163019)
REGRESSION(r162837): 5% regression on html5-full-render and 3% regression in DoYouEvenBench (r162947)
Remove repaint throttling (r162837)
FrameView destructor is worried about being retained by a renderer. (r158625)
Restore two-pass mechanism for FrameView::updateEmbeddedObjects(). (r155798)
Assertion while scrolling news.google.com (r154672)
REGRESSION (r147797): Animations slideshows of images on www.thesuperficial.com are slow (r149105)
Throttle compositing layer flushes in subframes (r148013)
Throttle compositing layer flushes during page loading (r147797)
Positioned children of an overflow:visible container should ignore scroll offset when updating layer position (r139669)
Don't update layer positions on scrolling if we're in the middle of layout (r135091)
Autoresize should work even if turned on while the page is loading. (r133790)
RenderMarquee causes ASSERTION FAILED: enclosingIntRect(rendererMappedResult) == enclosingIntRect(FloatQuad(result).boundingBox()) (r129294)
Repaints should not be deferred after initial page load is complete (r127388)
[CSS Shapes] Dynamically created element with image valued shape-outside doesn't update automatically (r163458)
[CSS Shapes] Image valued shape-outside shapes should update the layout after the image has been loaded (r157414)
[CSS Shapes] Shape Outside should relayout when set dynamically (r156905)
[Baseline] Remove a hack for DCE removal of NewFunction (r232182)

May 24, 2018
============
MathML: ASSERTION FAILED: !isPreferredLogicalHeightDirty() in RenderMathMLBlock::preferredLogicalHeight() const (r154475)
RenderListMarker::computePreferredLogicalWidth should not be public (r139891)
Flex child does not get repainted when it is inserted back to the render tree. (r230349)
Move HTMLElement's children property to ParentNode (r184420)
<input>.labels is empty if type changes from text->hidden->checkbox (r212522)
REGRESSION(r165103): labels list doesn't get invalidated when other lists are invalidated at document level (r206975)
HTMLCollection caches incorrect length if item(0) is called before length on an empty collection (r182125)
Speculative fix for a fast\dom\html-collections-named-getter failing only in Debug builds. (r173703)
ASSERT in Document::unregisterCollection reloading apple.com (r172210)
Document::unregisterNodeListforInvalidation() and Document::unregisterCollection() have incorrect assertions (r171261)
Remove NodeListRootType flag (r166407)
Remove LiveNodeList::Type (r166377)
Remove some unnecessary branches from LiveNodeList traversal (r166369)
appendChild shouldn't invalidate LiveNodeLists and HTMLCollections if they don't have valid caches (r165103)
Text can wrap between hyphens and commas (r232103)
Do not layout images when we only need the overflow information. (r230480)
JSC ignores the extra memory cost of HTMLCollection after a major GC (r164853 complete)
Extract named items caches in HTMLCollection as a class (r164772)
Add very basic image control rendering (r164457 partial)

May 22, 2018
============
Avoid unnecessary HTML Collection invalidations for id and name attribute changes (r164707)
REGRESSION (r158774): Iteration over element children is broken (r159389)
HTMLCollection should use CollectionIndexCache (r158774)
Add ElementTraversal::next/previousSibling (r153942 partial)
Factor index cache for NodeLists and HTMLCollections to a class (r158698)
op_in should mark if it sees out of bounds accesses (r231990)
Add missing exception check. (r231983)
[DFG][FTL] operationHasIndexedProperty does not consider negative int32_t (r225342 revisited)
[JSC] op_in should have ArrayProfile (r211908)
[ES6] for...in iteration doesn't comply with the specification (r197144)

May 18, 2018
============
Move array position caching out from HTMLCollection (r158758)
Build fix after r154515. (r154532)
Reduce use of Node in HTMLTableRowsCollection, and use modern traversal idiom (r154515 partial)
Bail out of simple line layout when hyphen needs a fallback font. (r216438)
REGRESSION (r211531): Text flow changes and overlaps other text after double-click selecting paragraph (r225497)
Simple line layout: Extend webkit-hyphenate-limit-lines to cover subsequent words. (r214072)
Simple line layout: Adjust hyphenation constrains based on the normal line layout line-breaking logic. (r213944)
Simple line layout: Do not measure runs with trailing whitespace when kerning and ligatures are off. (r212271)
Simple line layout: Use simplified text measuring when possible. (r211738)
Simple line layout: Move TextFragmentIterator::runWidth to ::textWidth. (r211531)
Back TextRun with a StringView (r174228)

May 17, 2018
============
Simple line layout: Do not use invalid m_lastNonWhitespaceFragment while removing trailing whitespace. (r213534)
Simple line layout: Removing adjacent trailing whitespace runs should not crash. (r211647)
Simple line layout: Do not assert on zero length/width trailing whitespace. (r211466)
Split mixed font GlyphPage functionality to separate class (r189539)
[Simple line layout] Cache run resolver. (r231529 partial)
Simple line layout: Bail out from Simple Line Layout when the primary font is insufficient. (r211661)
Simple line layout: Collect fragments in LineState only when needed for post-processing. (r211456)
Simple line layout: Small tweaks to improve performance. (r211394)
Simple line layout: PerformanceTests/Layout/simple-line-layout-innertext.html regressed at r211108 (r211353)
Simple line layout: Do not bail out on -webkit-line-box-contain: block glyphs unless text overflows vertically. (r211292)
Simple line layout: Add support for -webkit-hyphenate-limit-lines (r211228)
Simple line layout: Add support for -webkit-hyphenate-limit-after and -webkit-hyphenate-limit-before (r211222)
Simple line layout: Add support for hyphen: auto. (r211108)
Simple line layout: Extend coverage for justified content. (r210948)
Text highlight causes Yoon Gothic webfont to reflow. (r210456)
TextFragmentIterator::runWidth does not need typename CharacterType<> anymore. (r210433)
ASSERTION FAILED: !simpleLineLayout() in WebCore::RenderText::collectSelectionRectsForLineBoxes (r193947)
Simple line layout: Add text-indent support. (r192688)
Simple line layout: Glitch selecting long text. (r189870)
Simple line layout: Use float types wherever possible to match line tree. (r189030)
[CSS3] Add support for the word-break:keep-all CSS property (r185729)
DFG models InstanceOf incorrectly (r231871)
Regression(r189881): release assertion hit in toJS(ExecState*, JSDOMGlobalObject*, DocumentFragment*) (r189949)
Add ShadowRoot interface and Element.prototype.attachShadow (r189841)
ContentDistribution should be only used for details elements (r189824)
ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::get(); update form association after subtree insertion (r189469)
Rename ShadowRoot::hostElement to shadowRoot::host to match the latest spec (r189243)
Rename ShadowRoot::hostElement to shadowRoot::host to match the latest spec (r189239 complete)
DOM4: prepend, append, before, after & replace (r186803)
Give Node::didNotifySubtreeInsertions() a better name (r185813)
REGRESSION (r168921): SVG elements may be unnecessarily rebuilt (r173738)
ASSERT_NOT_REACHED() in DocumentOrderedMap::get() when removing SVG subtree (r168921)
SVG element may reference arbitrary DOM element before running its insertion logic (r168915)
DocumentFragment should be constructable. (r162062)
Remove ScopeContentDistribution (r150480)
Remove ShadowRoot's previous/next ShadowRoot pointers. (r149560)
[Shadow] offsetParent should never return nodes in user agent Shadow DOM to script (r146037)
Clean up interface to ShadowRoot (r141311)

May 16, 2018
============
HTMLCollection should not be NodeList (r158663)
Dubious cast from HTMLCollection to HTMLAllCollection (r141556)
Assertion hit on redfin.com: ASSERTION FAILED: collection->length() > 1 (r210284)
Fix release builds with security assertion after r190007. (r190097)
REGRESSION(r150187): updateIdForTreeScope may not be called inside shadow trees (r190007)
ASSERT_WITH_SECURITY_IMPLICATION in WebCore::DocumentOrderedMap::getElementById (r185435)
NodeList has issues with Symbol and empty string (r183589 complete)
Optimize constructing JSC::Identifier from AtomicString. (r176622)
PropertyName's internal string is always atomic. (r171838)
Don't attempt to update id or name for nodes that are already removed (r169007)
jsDocumentPrototypeFunctionGetElementById should not create an AtomicString for the function argument (r164505)
Add more assertions with security implications in DocumentOrderedMap (r159489 complete)
use after free in WebCore::DocumentOrderedMap::remove / WebCore::TreeScope::removeElementById (r159481 complete)
FocusController::advanceFocus spends a lot of time in HTMLMapElement::imageElement (r156925 + r156929 + r156950)
CTTE: StaticNodeLists often contain only Elements, we shouldn't store them as Vector<RefPtr<Node>> in those cases (r156251)
Inline SelectorQuery's execution traits (r154562)
Don't bother using a Vector for the ouput of querySelector, just return the first element found (r154370)
REGRESSION(r150187): Safari fails to render allrecipe.com comment popups (r154037)
Encapsulate access to documentNamedItemMap and windowNamedItemMap (r153970)
REGRESSION(r149652): accessing items in .children via id doesn't work when element is not rooted in DOM tree (r151821)
Split SelectorDataList::executeSingleTagNameSelectorData() into the 4 kinds of traversal (r151470)
Fix the element type in the selector checkers (r151467)
Add special tree walking for the single tag or class CSS query selectors (r151365)
Split the 3 paths of SelectorDataList::execute() into 3 separate functions (r151359)
DocumentOrderedMap doesn't need to have two HashMaps (r150187)
REGRESSION (r149652): Videos do not play on cnn.com, just black box (r149881)
Unify ways to cache named item in HTMLCollections (r149652)
HTML parser should queue MutationRecords for its operations (r142204)
ShadowRoot.getElementById() returns a deleted element (r138123 + r138129 rolled out + r138131 rolled in)
treeScopeOfParent doesn't return the TreeScope of the parent (r131739)

May 15, 2018
============
Add Support for the semantics element. (r161430)
Add support for maction@toggle (r160631)
Map the dir attribute to the CSS direction property. (r159680)
Avoid redundant isElementNode() checks in Traversal<HTML*Element> / Traversal<SVG*Element> (r173622)
Remove unnecessary overloads taking a ContainerNode in Element Traversal (r173609)
Make LiveNodeListBase use Elements instead of Nodes (r158587)
LiveNodeLists should have non-null ContainerNode as root (r158540)
ChildNodeList should not be LiveNodeList (r158536)
Invalid cast in WebCore::toRenderMathMLBlock (r158198 revisited)
Implement the mmultiscripts tag (r155797)
REGRESSION: Assertion failure !collection->hasExactlyOneItem() in WebCore::namedItemGetter (r154441)
Incorrect calculated width for mspace. (r152840)
Move Node::isFocusable() to Element. (r150709)
Remove Document::getFocusableNodes(). (r150699)
Move Node::isKeyboardFocusable() to Element. (r150687)
Bad spacing inside MathML formulas when text-indent is specified (r150264)
Use ElementTraversal in LiveNodeListBase (r138195)
[mathml] Improve performance of nested sup or sub elements (r136409)
HTMLCollection on Document should be stored on NodeListsNodeData like other HTMLCollections and LiveNodeLists (r135893)
Rename DynamicNodeList to LiveNodeList (r135671)
REGRESSION(r135493): HTMLCollection and DynamicNodeList have two vtable pointers (r135667 complete)
Get rid of HTMLCollectionCacheBase (r135534)
Web Inspector: NMI add instrumentation to DynamicNodeList classes hierarchy. (r135493)
CollectionType and DynamicNodeList::NodeListType should be merged (r135476)
Fix another typo. I need to checking that type() != NodeListCollectionType, (r135327)
Fix typos. Apparently XCode failed to text-replace earlier when it was busy making a snapshot :( (r135323)
HTMLCollection's cache should not be invalidated when id or name attributes are changed (r135321)
REGRESSION(r125159): ASSERTION FAILED: m_listsInvalidatedAtDocument.contains(list) in Document::unregisterNodeListCache. (r125334)
Microdata: PropertyNodeList cache should be invalidated on id attribute change. (r125159)
Microdata: HTMLPropertiesCollection does not contain all properties when item is not attached to the DOM tree. (r125157)
Allow plugins to decide whether they are keyboard focusable (r124954)

May 11, 2018
============
Graphical elements inside mphantom should not be visible. (r153088)
Add Support for mspace element (r152235)
Implement parsing of MathML lengths. (r152140)
MathML line fraction needs to parse number values (r151323)
Remove isPluginElement hack in Document::setFocusedNode() (r149101)
document.activeElement should not return a non-focusable element (r142234)
Optimize hasTagName when called on an HTMLElement (r165544 + r165560 + r165562 + r165563 + r165568 rolled out + r165699)
Invalid cast in WebCore::toRenderMathMLBlock (r158198 partial)
Tighten up logic in HTMLTableRowsCollection (r154288)
Unable to focus on embedded plugins such as Flash via javascript focus() (r147591)
MathML preferred widths should not depend on layout information (r140880 + r140923 rolled out)
Copying text with ruby inserts new lines around rt elements (r137477)

May 10, 2018
============
Decouple the percent height and positioned descendants maps. (r202123)
ASSERTION FAILED: !newRelayoutRoot.container() || is<RenderView>(newRelayoutRoot.container()) || !newRelayoutRoot.container()->needsLayout() while loading sohu.com (r206343)
Cleanup RenderBlock::removePositionedObjects (r201985)
Add convenience methods to use ListHashSet for a LRU cache (r137188)
innerHTML should always add a mutation record for removing all children (r195263)
Removing text node does not remove its associated markers (r180139)
Missing support for innerHTML on SVGElement (r176630 + r176713)
Add TextNodeTraversal (r154240)
Minimize virtual function calls in MarkupAccumulator (r173783)
Regression(r206240): XMLSerializer.serializeToString() does not properly escape '<' / '>' in attribute values (r215648)
Fix serialization of HTML void elements when they have children (r206266)
Fix serialization of HTML Element attributes (r206240)
Optimize MarkupAccumulator::appendText() (r173754)
Clean up MarkupAccumulator::appendCharactersReplacingEntities (r163854)
XMLSerializer escapes < > & correctly inside <script> and <style> tags. (r159326)
XMLSerializer-attribute-namespace-prefix-conflicts can't produce reliable results (r154932)
Namespace prefix is blindly followed when serializing (r154779)
XMLSerializer should reset default namespace when necessary (r153508)
[Mac] REGRESSION(r152685): svg/custom/xlink-prefix-in-attributes.html failed unexpectedly (r152785)
XMLSerializer doesn't include namespaces on nodes in HTML documents (r152685)

May 09, 2018
============
Make RenderBlock::insertInto/RemoveFromTrackedRendererMaps functions static. (r202044)
Bopomofo ruby in Dictionary.app is written horizontally (when it should be written vertically) (r201677)
Heap-use-after-free in WebCore::RenderBlock::insertIntoTrackedRendererMaps (r138908)
Specifying a longhand property should not serialize to a shorthand property (r200357)
Add proper support for letter-spacing to bopomofo Ruby (r172874)
Implement rudimentary Bopomofo Ruby support (ruby-position:inter-character) (r172861)
a fractional value of the css letter-spacing property is not rendered as expected (r161521)
REGRESSION(r222843): [HarfBuzz] Combining enclosed keycap not correctly handled (r229165 partial)

May 08, 2018
============
REGRESSION(r221909): Failing fast/text/international/iso-8859-8.html (r222792)
REGRESSION(r221974): [Harfbuzz] Test fast/text/international/hebrew-selection.html is failing since r221974 (r222141)
[Harfbuzz] Test fast/text/complex-text-selection.html is failing since r222090 (r222132)
[Harbuzz] Test fast/text/international/harfbuzz-runs-with-no-glyph.html is crashing (r222126)
[Harfbuzz] Material icons not rendered correctly when using the web font (r222090)
[Harfbuzz] Fix incorrect font rendering when selecting texts in pages which specifies text-rendering: optimizeLegibility (r222086)
[Harfbuzz] Wrong offset returned by HarfBuzzShaper::offsetForPosition() when target point is at the middle of a character (r222020)
[HarfBuzz] Wrong offset returned by HarfBuzzShaper::offsetForPosition in some cases (r221974)
[HarfBuzz] Decomposed Vietnamese characters are rendered incorrectly (r219504 + r220746 rolled out + r220797)
[HarfBuzz] HarfBuzzShaper should not assume numGlyphs is greater than 0 (r208675)

May 07, 2018
============
ASSERTION FAILED: childrenInline() in WebCore::RenderBlockFlow::hasLines (r204908)
Crash in WebCore::RenderElement::containingBlockForObjectInFlow (r197716 partial)
[New Block-Inside-Inline Model] Self-collapsing block check needs to account for anonymous inline blocks (r189594)
REGRESSION (r159345): The hover state for links in the top navigation of Yahoo.com doesn't work (r167870 revisited)
[CSS Regions] Fix painting when the composited region has overflow:hidden (r162115)
[CSS Regions] position: fixed is computed relative to the first region, not the viewport (r154973)
inline-block baseline not computed correctly for vertical-lr (r227947)
Inline block children do not have correct baselines if their children are also block elements (r181387)
REGRESSION(r176978): Inline-blocks with overflowing contents have ascents that are too large (r181292 revisited)
REGRESSION (Simple Line Layout): Inline block baselines computed incorrectly (r174370)
Scroll size is not recalculated when absolute left of child is updated (r165602)

May 04, 2018
============
Simple line layout: Paginated content is not painted properly when font overflows line height. (r213779 partial)
ASSERTION FAILED: !m_trailingWhitespaceWidth in WebCore::SimpleLineLayout::LineState::removeTrailingWhitespace (r208170)
Text on compositing layer with negative letter-spacing is truncated. (r199516)
Simple line layout: Text with stroke width is not positioned correctly. (r194462)
REGRESSION: Inline-block baseline is wrong when zero-width replaced child is present (r189540)
In some situations, partial layouts of floating elements produce incorrect results. (r166428)
End of line whitespace should collapse with white-space:pre-wrap; overflow-wrap:break-word in all cases (r159071)
RenderBlockFlow should only expose its line boxes as RootInlineBox. (r158730)
[CSS Regions] Overset computation is incorrect in some cases (r164988)
[CSSRegions] Move regions auto-size code into RenderNamedFlowFragment (r161553)
[CSS Regions] Anonymous nested regions (r157567 revisited complete)
Remove redundant helper from RenderRegion. (r151887)
[CSS Regions] Move overset compute code from flow thread to named flow thread (r151843)
[CSS Regions] Add new regionOversetChange event (r151777)

May 03, 2018
============
Simple line layout: Leading whitespace followed by a <br> produces an extra linebreak. (r216861)
Text overlaps on http://www.duden.de/rechtschreibung/Acre (r216440)
Simple line layout: FlowContents::segmentIndexForRunSlow skips empty runs. (r215124)
Simple line layout: Hittest always returns the first renderer in the block. (r215054)
Simple line layout: Implement positionForPoint. (r212615)
REGRESSION (197987): Ingredient lists on smittenkitchen.com are full justified instead of left justified. (r199156)
Simple line layout: Add text-align: justify support. (r197987)
[CSS Regions] Overflow selection doesn't work properly (r167803)
[CSS Regions] Use the named-flow-specific object RenderNamedFlowFragment instead of the generic RenderRegion whenever possible (r164482)
REGRESSION (r159609): Images are corrupted when hovering over buttons @ github.com (r163382)
[CSS Regions] Implement visual overflow for first & last regions (r159337 + r159347 rolled out + r159609)
[CSSRegions] Move region styling code into RenderNamedFlowFragment (r159553)
[CSS Regions] Selection focusNode set to the "region" block, instead of the "source" block (r159057)
[CSS Regions] The layers from the flow thread should be collected under the regions' layers. (r156451 + r156478 rolled out + rr157725)
ASSERTION FAILED: !m_visibleDescendantStatusDirty on twitter (r154417)
Propagate writing-mode from the first region to the flow thread (r154221)
[CSSRegions] ASSERTION FAILED: roundedIntPoint(rendererMappedResult) == roundedIntPoint(result) in RenderGeometryMap::mapToContainer (r151396)
[CSS Regions] Hit testing is broken for absolutely positioned regions that have overflow: hidden (r149168)
[New Multicolumn] Make sure region styling works for columns inside regions. (r144633)
Introduce the "stacking container" concept. (r140620)
SVG Fragment is not rendered if it is the css background image of an HTML element (r185395)
SVG fragment identifier rendering issue (r184874)
Respect SVG fragment identifiers in <img> src attribute (r164983)
Respect SVG fragment identifiers in <img> src attribute (r164804)
Text-decoration-style: dashed / dotted rendered as solid (r201777)
Remove unused shouldAntialias parameter from GraphicsContext::computeLineBoundsAndAntialiasingModeForText() (r194731)
Wrong text-decoration-style used for underlines. (r180273)
text-underline-position:under has multiple correctness issues (r180150)
text-underline-position: under is broken (r179883)
fast/css3-text/css3-text-decoration/text-decoration-thickness.html fails on GTK (r166902)
Space between double underlines does not scale with font size (r165120)
Draw all underline segments in a particular run in the same call (r162150)
Underline bounds cannot be queried before underline itself is drawn (r158392)
[css] Update ETextDecorations enum to TextDecorations (r150525)
Improve -webkit-text-underline-position memory usage. (r150258)
[css3-text] Add platform support for "wavy" text decoration style (r147170)
Avoid repeated calls to decorationColor on RenderObject::getTextDecorationColors (r136617)
[css3-text] Add rendering support for -webkit-text-decoration-style (r132076)
[css3-text] Add parsing support for -webkit-text-decoration-style (r126054)

May 02, 2018
============
Simple line layout: Add support for non-breaking space character. (r210985)
Simple line layout: Clear needs layout flag even when only overflow is getting recomputed. (r208214)
Simple line layout:: Add text-decoration support. (r194500)
text-decoration: line-through is mispositioned when text has overline/underline too. (r194465)
Move InlineTextBox's text decoration painting to its own class. (r194447)
Continuously repainting large parts of Huffington Post. (r177128)
-webkit-text-underline-position should not be inherited (r150366 + r150941)
[css3-text] Add rendering support for -webkit-text-underline-position (r146104)
[css3-text] Add partial parsing support for text-underline-position property from CSS3 Text (r145450)
Optimize fetching the Node for never-anonymous renderers. (r156155)
[CTTE] Tighten RenderTextControl element typing. (r155671)
[CTTE] RenderTextControlMultiLine's element is always a HTMLTextAreaElement. (r155667)
[CTTE] RenderButton always has a HTMLFormControlElement. (r155678)
Optimize RenderElement::rendererForRootBackground() a bit (r177193)
Purge remaining ENABLE(SHADOW_DOM) cruft. (r164131)
Micro-optimize RenderBoxModelObject::computedCSSPadding(). (r162238)
Text should be constructable. (r161876)
Text::renderer() should return RenderText (r157373)
Optimize RenderLayerCompositor's OverlapMap (r152806)
[Shadow] Provide an api of insertionParent(). (r146555)
Remove duplicate code in RenderBoxModelObject::computedCSSPadding* (r141669 + r141670 rolled out + r141775)
RoboHornetPro spends ~25% of total test time in WebCore::Region::Shape methods (r132990)

May 01, 2018
============
Split SimpleLineLayout::canUseFor into canUseForStyle and canUseForFontAndText. (r192526)
[JSC] Remove arity fixup check if the number of parameters is 1 (r231160)
Simple line layout: Add support for word-break property. (r194965)
Simple line layout: Add letter-spacing support. (r192564)
Simple line layout: Text jumps sometimes on naughty strings page (r189058)
REGRESSION(r175617): Some text doesn't render on internationalculinarycenter.com (r184219)
Simple line layout: support text-transform: lowercase|uppercase|capitalize (r175617)
Simple line layout: Ignore -webkit-flow-*content while collecting text content for innerText. (r184825)
Simple line layout: Wrong text offsetting when range does not start from the first renderer. (r183413)
Simple line layout: Add <br> support. (r182536 + r182542 rolled out + r182620)
Find results on simple lines are not marked correctly (r165002)
CTTE: RenderBR always has an HTMLElement. (r156054)
Avoid using RenderBR internally in RenderMenuList. (r156040)
Simple line layout(regression): Calling innerText on RenderFlow with multiple children is slow. (r182604)
Simple line layout: Use pre-computed simple line runs to produce innerText content. (r182325)
Remove TextIterator argumentless constructor (r146796)
Simple line layout: Web process spins endlessly below layoutSimpleLines. (r183576)
TextFragment#start() is always >= 0 since its type is unsigned (r181727)
Simple line layout: Use Vector<>::const_iterator instead of custom FlowContents::Iterator. (r181698)
Simple line layout: Change FlowContents::segmentForPosition() to segmentForRun(). (r181697)
Simple line layout: Split fragments on renderer boundary on the fly. (r181667 + r181682 + r181683 + r181685 rolled out + r181692)
Simple line layout: Merge TextFragmentIterator::findNextBreakablePosition() and TextFragmentIterator::findNextNonWhitespacePosition(). (r181325)
Simple line layout should not be limited to RenderText. (r181290)
Simple line layout: Use FlowContents::Segment::text instead of renderer when possible. (r178754)
Simple line layout: Rename FlowContentsIterator to TextFragmentIterator. (r179534)
Simple line layout: use std::upper_bound in splitFragmentToFitLine() (r179510)
Regression(r179438) Simple line layout: ASSERTION at SimpleLineLayout::FlowContentsIterator::runWidth(). (r179444)
Simple line layout: Improve FlowContentsIterator::TextFragment's encapsulation. (r179438)
Simple line layout: Make LineState fragment handling simpler. (r179435)

Apr 30, 2018
============
Simple line layout: Drop uncommitted/committed terms from LineState. (r179309)
Simple line layout: Refactor line wrapping logic. (r179048)
Simple line layout: Move FlowContents iterator interface to FlowContentsIterator. (r179284)
Simple line layout: Make FlowContents an iterator class. (r179185)
Simple line layout: Use only FlowContents::nextTextFragment() to read fragments from the text flow. (r179047)
Simple line layout: Move leading whitespace handling from removeTrailingWhitespace() to initializeNewLine(). (r178983)
Simple line layout: Make trailing whitespace handling more explicit. (r178939)
Simple line layout: Move nextTextFragment() to FlowContents class. (r178862)
Simple line layout: Remove redundant style.preserveNewline check when collapsing trailing whitespace. (r178729)
Simple line layout: Refactor TextFragment class. (r178407)
Simple line layout: Refactor SimpleLineLayout::nextFragment(). (r178396)
We don't model regexp effects properly (r231145)
DFG/FTL should inline accesses to RegExpObject::m_lastIndex (r197549)
The put_by_id IC store barrier contract should benefit transition over replace (r189492)
Insert store barriers late so that IR transformations don't have to worry about them (r184445 partial revisited)
Avoid double hash table lookup in SpaceSplitStringData::create() (r175602)
Cut down on double hashing and code needlessly using hash table iterators (r154967)
Fix double hash lookup in DocumentEventQueue::cancelEvent(). (r150969)
Unload event listeners should prevent Safari from insta-killing the web process on last tab close. (r149971)

Apr 27, 2018
============
[New Block-Inside-Inline Model] Anonymous inline-blocks should size as though they are block-level. (r182195)
[New Block-Inside-Inline Model] Make sure line breaks occur before and after the anonymous inline-block. (r182188)
Japanese line breaking rules need to be respected before and after Ruby. (r179366)
Add support to -webkit-line-break property for CSS3 Text line-break property values and semantics. (r176473)
Do not insert positioned renderers to multiple gPositionedDescendantsMap. (r193773)
Overhanging float sets are not cleaned up properly when floating renderer is destroyed. (r184885)
Transform-style should not kill position:fixed (r177200)
vw/vh units used as font/line-height values don't scale with the viewport (r169407 revisited)
[CSS Regions] Extend the RenderRegionRange class to include overflow information + apply the layout overflow (r155026)
[CSS Regions] RenderRegions should have a RenderLayer+Backing when they contain a Composited RenderLayer (r154072 revisited)
[CSS Regions] Propagate overflow from the flow thread to the first and last region (r153814)
[CSS-Regions] OverrideLogicalHeight used by both regions and flexbox (r152281)
Layout info should never be cleared before delayed scroll information updates. (r151360)
[CSSRegions] getBoundingClientRect wrong for inline content nodes (r151309)
[CSS Regions] REGRESSION Incorrect layer clipping inside flow thread (r151202)
clearLayoutOverflow should never be called before calling layer()->updateScrollInfoAfterLayout(). (r151146 + r151178 rolled out)
[New Multicolumn] Fix overflow computation for column blocks. (r143546)
Scroll offset of flex items lost during relayout (r129975)
getComputedStyle returns wrong value for CSS3 2D transformations (r126443)

Apr 26, 2018
============
[MIPS] Fix branch offsets in branchNeg32 (r231044)

Apr 25, 2018
============
'mouseenter' mouse compat event not fired when listeners for touch events (r164495)
Move mouse event dispatch from Node to Element. (r156761)
Make hoverAncestor() a RenderElement concept. (r156338 revisted)
MouseEnter and MouseLeave may be emitted on Document nodes (r155351)
MouseLeave not always emitted when cursor leaves subframe (r155348)
Hover doesn't work for block elements inside a href element (r152907)
[CSS Regions] Mouse over an element does not trigger :hover state for parent when the element is flowed in a region (r150868)
Mouseenter and mouseleave events not supported (r149173)
Add the event handler content attributes that are defined in the spec to HTMLElement (r147205)
fromCharCode is missing some exception checks (r230980)
Make tests for renderer base types non-virtual (r156738)
REGRESSION (r160806): CSS zoom property doesn't work on anything inside anchors. (r171692)
Hide Document::renderer() (r155344)
Document's renderer is always a RenderView. (r154676)
Document::setFocusedNode() should be setFocusedElement(). (r150796)
FocusController::setFocusedNode() should be setFocusedElement(). (r150712)
Move Node::isMouseFocusable() to Element. (r150692)

Apr 24, 2018
============
Use RenderElement instead of RenderObject in many places (r156622 revisited)
Beat FrameView with the FINAL stick. (r155283)
Tatechuyoko shrink-to-fit breaks after changing color, background-color or text-decoration (r192388)
Leverage the new RenderElement::m_isCSSAnimating flag in more places (r174804)
Introduce an isCSSAnimated flag on RenderElement for performance (r174703)
Tighten animation-driven restyle to operate on Element only. (r157856)
Fix some inefficiencies in AnimationController's composite animation map. (r151218)

Apr 23, 2018
============
Move LineLayoutState.h into rendering/line (r159386)
REGRESSION(r157851): trailing space inside an editable region could be erroneously collapsed (r161404)
Remove code now unnecessary after r159575 (r159758 revisited)
Move BreakingContext and LineBreaker into their own files (r159354)
Move LineWidth.{h,cpp} into rendering/line (r149569)
Refactor LineBreaker::nextSegmentBreak, add BreakingContext that holds all its state (r157851)
[css3-text] Rendering -webkit-each-line value for text-indent from css3-text (r147513)
InlineIterator needs to be updated when RenderCombineText shrinks at a line break (r147504)
Add descriptive names for different addMidpoint use cases (r143812)
Remove RenderText::updateText (r143380)
RenderQuote should not mark renderers as needing layout during layout (r143060)
Expand list of supported languages for RenderQuote to match WHATWG spec (r125476)
CSS quotes output quotes when depth is negative (r125448)
Reimplement RenderQuote placement algorithm (r125220)
Built in quotes don't use lang attribute (r124518)
[Cocoa] Improve performance of glyph advance metrics gathering (r205703)
Honor bidi unicode codepoints (r202083)
Remove GlyphPage::mayUseMixedFontsWhenFilling (r189466)
Remove unneeded offset and length arguments from glyph page filling functions (r189465)
[OS X] Remove support for composite fonts (r188566 + r188569)
Support the ch unit from css3-values (r142904)

Apr 22, 2018
============
RenderSVGResource shouldn't trigger relayout during render tree teardown. (r155055)

Apr 20, 2018
============
FrameView shouldn't keep dangling pointers into dead render trees. (r210777)
REGRESSION (r177876): store.apple.com profile and cart icons are missing (r186809 + r186816 rolled out + r186827)
REGRESSION (r177876): 35% regression in Parser/html5-full-render (r177979 + r177984)
Resolve mirroring and variant in Font instead of FontGlyphs (r177957)
Remove GlyphPageTree (r177876 + r177878 + r177881)
Remove FontData::containsCharacters (r177847)
Assertion failure in GlyphPage::setGlyphDataForIndex: (!glyph || fontData == m_fontDataForAllGlyphs) (r150085)
REGRESSION (r194426): First email field is not autofilled on amazon.com (r194823)

Apr 19, 2018
============
Editor::updateMarkersForWordsAffectedByEditing(bool) shouldn't compute start and end of words when there are nor markers (r153734)
[New Block-Inside-Inline Model] Create anonymous inline blocks to hold blocks-inside-inlines. (r182146)
Add a pref to enable the new block-inside-inline model (r181959)
Use after free in WebCore::RenderObject::nextSibling / WebCore::RenderBoxModelObject::moveChildrenTo (r168448 revisited)
Hold a reference to firstSuccessfulSubmitButton in HTMLFormElement::submit (r166236)
Bad cast with toRenderBoxModelObject in RenderBlock::updateFirstLetter() (r157768)
Quirksmode: CSS1: WebKit fails dynamic :first-letter test (r156742 + r161137 rolled out)
Tighten typing in inline rendering (r156618)
Clean up code for getting first line style (r156608)
Clean up some uses of first/lastChildSlow (r156377)
CTTE: RenderNamedFlowThread and FlowThreadController should operate on Elements, not Nodes (r156250)
[CSSRegions] Failed to retrieve named flow ranges for content with inline svg (r156082)
REGRESSION(r127163): Respect clearance set on ancestors when placing floats (r154399 + r154404 rolled out)
RenderBoxModelObject::firstLetterRemainingText should be a RenderTextFragment*. (r153688)
Refactor shouldAddBorderPaddingMargin() (r150642)
REGRESSION(r148121): Empty Span does not get a linebox when it's in an anonymous block (r149897)
An inline element with an absolutely positioned child does not correctly calculate/render padding and margin (r148453)
Empty inline continuations should only get lineboxes if the padding applies to their side of the inline (r148121)
Restore pre-r118852 behavior for EllipsisBox::nodeAtPoint() (r142335)
MutationRecord addedNodes/removedNodes should never be null (r136996)
[CSS Regions] Destroying a render named flow thread without unregistering left-over content nodes triggered an assertion. (r127472)
Fix access to m_markupBox in WebCore::EllipsisBox::paint (r125635)

Apr 18, 2018
============
Unsupported emoji are invisible (r208894)
REGRESSION(r177637) [HarfBuzz][GTK][EFL] It made 3 performance tests crash and +24 layout tests crashes/failures (r178115)
Generic font code should not know about SVG font missing glyph (r177637)
FontGlyphs::glyphDataAndPageForCharacter cleanups (r177229)
A put is not an ExistingProperty put when we transition a structure because of an attributes change (r230740)
Laying out a TextRun using an SVG font is O(n^2) (r173349 + r173476)
RenderBlockFlow::layoutRunsAndFloatsInRange is O(n^2) for runs of inlines without any text (r225110)
Contents of composited overflow-scroll are missing when newly added (r224715)
RenderSVGModelObject::checkIntersection triggers layout (r223947)
RenderSVGModelObject::checkIntersection triggers layout (r223882)
getIntersectionList always returns empty NodeList until layout is complete (r211905)
REGRESSION(r53318): background-repeat: space with gradients doesn't render correctly (r191048)
Remove Image::spaceSize() and ImageBuffer::spaceSize() (r190910 + r190914)
SVG root element accepts background color but fails to repaint it (r168674)
ASSERTION FAILED: object->style()->overflowX() == object->style()->overflowY() (r168543)
[CSS Masking] -webkit-mask-repeat: space does not work (r154875)
mask-repeat: round bug (r153582)
SVG objects are misplaced when SVG root has CSS transform. (r151265)
Fix body background image geometry calculation (r145726)
[CSS3 Backgrounds and Borders] Implement CSS3 background-position offsets rendering. (r136378 + r136380)

Apr 17, 2018
============
CachedImage: ensure clients overrides imageChanged instead of notifyFinished (r179340 + r179344 + r181412 rolled out)
Re-use existing RenderStyle local in textWidth(). (r158476)
RenderText should cache RenderStyle in locals more. (r157448)
REGRESSION: Lines jump up and down while typing Chinese or Japanese (r151327)
Simple line layout: Reset LineState when starting a new line. (r178964)
[CSS Shapes] content inside second shape area when two floats interact (r178192)
Fix r176527. Iterate through the text renderers. (r176534)
SimpleLineLayout::canUseFor() should iterate through RenderTexts to check if their content is eligible for simple line layout. (r176527)
Don't dereference end() in SimpleLineLayout::RunResolver::rangeForRenderer (r177852)
Simple line layout: Add 16bit support. (r177219)
Simple line layout: Rename TextFragment::mustBreak to TextFragment::isLineBreak (r176531)
Avoid String concatenation with line break iterator (r176528)
Use segment vector for FlowContents (r176510)
Make locale part of the SimpleLineLayout::FlowContent::Style (r176507)
REGRESSION(r175259) Simple line layout text measuring behavior changed. (r176470)
Simple line layout: Introduce text fragment continuation. (r176396 + r176397 + r176401)
Simple line layout: Add renderer based rect collecting to RunResolver. (r176317)
RenderTextFragment: Tighten first-letter logic. (r158551)
Add a child renderer iterator. (r158495)
Simple line layout: Rename FlowContentIterator and move implementation to SimpleLineLayoutFlowContents.cpp (r176235)
Simple line layout: Move simple line layout RunResolver and LineResolver implementation to SimpleLineLayoutResolver.cpp (r176123)
REGRESSION(r175601): Assertion failures in SimpleLineLayout (r175620)
Simple line layout: Abstract out content iteration and text handling in general. (r175601)
Simple line layout: Cleanup line initialization and line closing. (r175565)
Speed up line parsing for simple line layout. (r175259)
ASSERTION FAILED: underlyingStringIsValid() (r174451)
Stop using deprecatedCharacters in WebCore/platform/win (r166063)
REGRESSION(r215347): NAS4Free Pop-down menus fail to appear (r218925)
Don't invalidate composition for style changes in non-composited layers (r215347)
Support bezier paths in clip-path property (r191551 partial)
Move more inlines from RenderObject to RenderElement. (r161088)
Move a couple of inlines from RenderObject to RenderElement. (r160596)
Move RenderObject::repaintAfterLayoutIfNeeded() to RenderElement. (r160590)
Use RenderElement instead of RenderObject in many places (r156622 partial)
Move rendererForRootBackground() to RenderElement. (r156310)
-webkit-background-clip:text produces artifacts when applied to the body and the browser is resized (r133686)
REGRESSION(r159345): Lines are clipped between pages when printing web content from Safari (r170805)
REGRESSION(r167870): Crash in simple line layout code with :after (r169189)
REGRESSION (r159345): The hover state for links in the top navigation of Yahoo.com doesn't work (r167870)
Text autosizing does not determine line count correctly for simple line layout (r166171)
Hovering over text using simple line path should not cause switch to line boxes (r159345)

Apr 16, 2018
============
Null dereference loading Blink layout test http/tests/misc/detach-during-notifyDone.html (r192844)
Text with simple line layout not getting pushed below float when there is not enough space for it (r168598)
Re-enable simple line layout on non-Mac platforms (r163537)
CSS word-spacing property does not obey percentages (r161696)
REGRESSION (r159560): Text clips on tile border if line-height < font-size (r168624)
Simple line layout should support floats (r159579)
Don't paint simple text runs outside the paint rect (r159560)
Factor simple line creation loop to function (r159194)
Support overflow-wrap:break-word on simple line path (r159192)
Text on simple lines sometimes paints one pixel off (r159105)
Use start/end instead of textOffset/textLength for simple text runs (r159032)
Implement white-space property on simple line layout path (r159030)
Templated LChar/UChar paths for simple line layout (r158918)
Add debug settings for simple line layout (r158279)

Apr 13, 2018
============
Remove a redundant repaint when a layer becomes composited (r181513)
Should never be reached failure in WebCore::RenderElement::clearLayoutRootIfNeeded (r194426)
Crash when subtree layout is set on FrameView while auto size mode is enabled. (r192133)
Do not crash when the descendant frame tree is destroyed during layout. (r185484)
Make WidgetHierarchyUpdatesSuspensionScope use swap instead of copy (r150872)

Apr 12, 2018
============
Avoid compositing updates after style recalcs which have no compositing implications (r183710)
Eliminate styleDidChange with StyleDifferenceEqual when updates are actually necessary (r183461)
Eliminate styleDidChange with StyleDifferenceEqual when updates are actually necessary (r183454)
Some compositing logic cleanup (r174356)
Refactor conditions for setCompositingLayersNeedRebuild in RenderLayer::styleChanged (r146213)
Devirtualize RenderElement::setStyle(). (r160906)
StyledElement::attributeChanged shouldn't do any work when the attribute value didn't change (r208485)
REGRESSION (r196383): Drop down CSS menus not working on cnet.com, apmex.com (r203976)
REGRESSION (r196629): Safari can get into a state where switching Reader theme doesn't apply to the webpage (r201332)
REGRESSION(r196629): Messages text size only changes for sending text, conversation text size does not change (r199099)
Optimize style invalidations for attribute selectors (r196629)
Add parsing support for CSS Selector L4's case-insensitive attribute (r179819)
Handle unprefixed @keyframes rule (r176368)
Element::attributeChanged shouldn't do any work when attribute value didn't change (r164856 + r165044)
[CSS Regions] Fix WHITESPACE issues in the CSS grammar. (r157720)
Rework CSS parser, eliminating "floating" concept and using %destructor (r155536 partial)
Element: Modernize attribute storage accessor functions. (r153826)
Set Attr.ownerDocument in Element#setAttributeNode() (r151998)
Allow no space between "background-position:" dimensions (r150972)
Removing Attr can delete a wrong Attribute in ElementData (r150072 + r150297)
ElementData should use 'unsigned' attribute indices. (r149061)
Speed up ElementData::getAttributeItem(), which is hot. (r148961)
Attr: Simplify modification callbacks. (r143834 + r147144)

Apr 11, 2018
============
REGRESSION(r196383): Automatic shrink-to-fit of RuleSet no longer works. (r211335)
REGRESSION (196383): Class change invalidation does not handle :not correctly (r198216)
Factor class change style invalidation code into a class (r196560)
Optimize style invalidation after class attribute change (r196383)
The SVGDocument of an SVGImage should not perform any additional actions when the SVGImage is being destroyed (r177441)
Elements with class names automatically get unique ElementData. (r159104)
setAttributeNode() does not set the new value to an existing attribute if specified attribute is in a different case. (r154881 + r154991 + r155093)
Crash in WTF::RefPtr<WebCore::SpaceSplitStringData>::operator UnspecifiedBoolType (r153835)
Enable selector filtering for shadow trees (r194762)
Factor free standing tree style resolve functions into a class (r194691)
Assertion failure in RenderTreePosition::computeNextSibling (r192608)
Don't create renderers for children of shadow host (r190006)
Style invalidation affecting siblings does not work with inline-style changes (r189836)
Give pseudo elements the correct specificity (r175715)
Remove the code guarded by STYLE_SCOPED (r156683)
Figure out if node is focusable without requiring renderer (r160966)
DFG AI and clobberize should agree with each other (r230488 partial)
REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq (r230485)
Avoid setting style twice for generated image content. (r159989)
Fix 4 asserting SVG tests after r158097. (r158100)
Tone down overzealous assertion from r158097. (r158099)
Renderers should receive their style at construction. (r158097)
Move setPseudoStyle() to RenderImage (from RenderElement.) (r157371)

Apr 10, 2018
============
SearchInputType could end up with a mismatched renderer. (r216159)
Avoid synchronous style recalc when mutating a Node inside FrameSelection. (r176201)
CSS filter on a compositing layer should not cause unncessary backing store allocation (r173294)
Make inherited style and parent renderer references (r172599)
<embed> videos flashes constantly while playing inline on iPad, making it unwatchable (r171702)
Remove unnecessary style invalidation in RenderTextControl::styleDidChange(). (r170033)
Assertion failure, !node || node->isElementNode(), in WebCore::RenderBlock::clone() (r167092)
Crash after mutating after pseudo style (r166706)
REGRESSION (r161195): Acid2 regression tests frequently fail (r161484)
Crash when mutating SVG text with transform (r161630)
Document abandons its EventTargetData. (r201466)
Remove selector filter update calls from Element child parsing callbacks (r194596)
Support style isolation in shadow trees (r189987 revisited complete)
Don't recurse into non-rendered subtrees when computing style (r172517 revisited complete)
Pass inherited style only when resolving tree style (r172409)
Crash in Web Content Process under ~PDFDocument under clearTouchEventListeners at topDocument() (r171647)
[CSSRegions] Crash when cloning a region child with a content node child (r166353)
Render tree construction is O(N^2) in number of siblings (r166303)
Invalidate sibling text node style when needed instead of attaching synchronously (r166173)
Don't call to willBeDeletedFrom(Document&) when destructing document (r164369)
CTTE: RenderNamedFlowThread and FlowThreadController should operate on Elements, not Nodes (r156250)
Refactoring: Fold Document::focusedNodeRemoved into Document::removeFocusedNodeOfSubtree (r151980)
Turn TreeScope::focusedNode() into focusedElement(). (r150733)
Document::adoptNode for multiple fields time input UI should not crash (r129448)
Move StyleChange enum into a separate file (r194584)
Don't recurse into non-rendered subtrees when computing style (r172517 revisited complete)
Don't use NodeRenderingTraversal for pseudo elements (r165465)
Remove public attachRenderTree (r161205)
Remove reattachRenderTree (r161199)
Do less synchronous render tree construction (r161195)
Remove attachChild (r161142)
XML document builder should create render tree asynchronously (r161140)
Remove Node::attached() (r161127)
Dodge more work during render tree teardown. (r155955)
Rename needsShadowTreeWalker (r155303)
Remove ComposedShadowTreeWalker (r155292)
Separate forward and backward paths in ComposedShadowTreeWalker (r155287)
Remove unnecessary sibling text renderers after attach (r155253)
Set "render tree being torn down" flag a bit earlier. (r155089)
REGRESSION (r154581): Some plugin tests failing in debug bots (r154613)
ComposedShadowTreeWalker shouldn't be exposed to non-ShadowDOM classes (r139325)

Apr 09, 2018
============
IsInShadowTreeFlag does not get updated for a non-container node (r217926 partial)
REGRESSION(160908): vube.com video won't play after going into and out of fullscreen (r170638)
REGRESSION (r160908): Unable to unset bold while entering text (r170296 partial)
REGRESSION (r160908): Safari doesn't draw rotated images properly first time (r167598)
Move document life time management from TreeScope to Document (r164195)
Create render tree lazily (r160908)
Add more assertions with security implications in DocumentOrderedMap (r159489 partial)
SMIL timers can still fire after the containing document has been torn down (r158627)
Document::destroyRenderTree() shouldn't do anything but. (r156274)
Destroying a Document's render tree shouldn't make it impossible to recreate. (r155874)
Devirtualize Document::detach(). (r155849)
Use a better name than m_invertibleCTM (r155752)
According to DOM4, all DocType nodes should have a document (r154840)
Kill updateStyleForAllDocuments() (r153872)
Listening touch events on ShadowRoot can crash. (r146853)
Range::isPointInRange incorrectly throws WRONG_DOCUMENT_ERR (r124506)
Move pseudo element construction out from Element (r160138)
Call createTextRenderersForSiblingsAfterAttachIfNeeded only for the attach root (r155116)
Use Element& in StyleResolveTree (r154903 partial)
Remove AttachContext (r154873)
Tighten before/after pseudo element accessors (r154541)
Remove StyleResolver::State::m_parentNode (r165542 revisited complete)
Remove NodeRenderingContext (r154809)
Move element renderer creation out of NodeRenderingContext (r154806)
Make NodeRenderingContext::parentRenderer and nextRenderer top layer aware (r139154)

Apr 08, 2018
============
Rename ShadowRoot::hostElement to shadowRoot::host to match the latest spec (r189239 partial)
REGRESSION (r154232): Crash on the japantimes.co.jp (r154320)
PseudoElement is abusing parent node pointer (r154232)
Parent pointer and shadow root host pointer should not be shared (r154165)
Move functions from NodeRareData to ElementRareData and other classes (r139681)
[Shadow DOM] ShadowRoot.getElementById() should work outside document. (r137731)
ShadowRoot needs guardRef() and guardDeref() (r144735)
Element: Avoid unrelated attribute synchronization on other attribute access. (r143112 revisited)
[Refactoring] Replace Node's Document pointer with a TreeScope pointer (138735)
REGRESSION(r133492): Heap-use-after-free in WebCore::Element::normalizeAttributes (r137341)
Decouple Attr logic from ElementAttributeData. (r133492)

Apr 07, 2018
============
Share attach loops between Elements and ShadowRoots (r154746)
Make Element::attach standalone function (r154257 + r154323 + r155779))
Remove ElementShadow (r154106)
Shadow DOM styles appear to be over-eagerly shared (r144031)
Rename AncestorChainWalker. (r143422)
WheelEvent should not target text nodes. (r143148)
[Shadow DOM] Refactoring: invalidateParentDistributionIfNecessary() calls are too intrusive (r139064)
Changing pseudoClass (:indeterminate) should cause distribution (r134418 + r134432 + r134938)
Cannot select the AuthorShadowDOM inner element of an img element (r125397)
No need for notifyChromeClientWheelEventHandlerCountChanged in Frame (r154575)
Make Element::attach non-virtual (r154254)
Crash in DumpRenderTree at com.apple.WebCore: WebCore::CaptionUserPreferences::captionPreferencesChanged + 185 (r145826 partial)
Rename HasCustomCallbacks to HasCustomStyleCallbacks (r143089)
[Mac] Track language selection should be sticky (r142580 partial)
Video element image loader must persist after element detach. (r125052)

Apr 06, 2018
============
Don't use NodeRenderingContext when attaching text renderers (r154738 complete)
Always resolve style from root (r161208)
Don't use NodeRenderingContext when attaching text renderers (r154738 partial)
Missing null-check of parent renderer in WebCore::HTMLEmbedElement::rendererIsNeeded() (r154698)
Missing null-check in HTMLFormElement::rendererIsNeeded() (r154476)
Replace NodeRenderingContext with Node* as childShouldCreateRenderer() argument (r154361 + r154365 + r154371)
Replace NodeRenderingContext with RenderStyle& as shouldCreateRenderer() argument (r154358 + r155887)
Remove NodeRenderingTraversal::ParentDetails (r154327)
Move some Document recalcStyle code to StyleResolveTree (r153938)
Avoid calling nextRenderer() in some cases (r153530)
before/after generated content is not working with HTMLSummaryElement and HTMLDetailsElement. (r151351)
[Mac] svg/custom/text-use-click-crash.xhtml added by r139029 hits assertion in enclosingTextFormControl (r139999)
[Refactoring] HTMLTextFormControlElement should use shadowHost instead of shadowAncestorNode (r139962)
[Shadow DOM]: reset-style-inheritance doesn't work for insertion point (r137112)
Merge EditingText into Text (r135529)
HTMLTextFormControlElement calls setInlineStyleProperty with the wrong parameters. (r130897)

Apr 05, 2018
============
REGRESSION (r172591): Can no longer style <optgroup> with colors (LayoutTests/fast/forms/select/optgroup-rendering.html) (r184675)
Remove nonRendererStyle (r172591)
[MIPS] Optimize generated JIT code for branches (r230310)
ASSERTION FAILED: !currBox->needsLayout() in WebCore::RenderBlock::checkPositionedObjectsNeedLayout (r205479)
ASSERTION FAILED: !currBox->needsLayout() loading bing maps (and apple.com/music and nytimes) (r187502)
ASSERTION FAILED: !length.isUndefined() in WebCore::GridLength::GridLength (r180669)
ASSERTION FAILED: !lengthOrPercentageValue.isUndefined() in WebCore::ApplyPropertyTextIndent::applyValue (r178067)
Remove <iframe seamless> support. (r163427 partial)
Remove redundant check for "firstLine" in RenderBlock::lineHeight() (r213923)
ASSERTION FAILED: m_fonts in &WebCore::FontCascade::primaryFont (r207726)
Use separate style resolver for user agent shadow trees (r190347 partial)
Support style isolation in shadow trees (r189987 partial)
ElementRuleCollector: group the shadow tree code (r171835)
Move document life time management from TreeScope to Document (r164195 partial)
RenderObject::view() should return a reference. (r154546 partial)
Let Document keep its RenderView during render tree detach. (r154542)
[Shadow DOM] Kill ShadowRoot constructor (r137870)
REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain (r230287)
Split author style code out from DocumentStyleSheetCollection (r190169)
Remove "document has no sibling rules" optimization. (r176388)

Apr 04, 2018
============
MIPS: add missing implementations of load8SignedExtendTo32() (r212419)
Remove "document has no ::before and/or ::after rules" optimization. (r176373)
[MIPS] Optimize JIT code generated by methods with TrustedImm32 operand (r230164)
[JSC] The implementation of 8 bit operation in MacroAssembler should care about uint8_t / int8_t (r208450 partial revisited)
Selector checker should not mutate document and style (r195293 partial)
CSS4 Selectors: Add multiple pseudo elements support to :matches (r175889)
Style invalidation does not work for adjacent node updates (r172880)
The style is not updated correctly when the pseudo class :empty is applied on anything but the rightmost element (r172721)
CSS JIT: Implement Pseudo Element (r171588)
Make RenderStyle's non inherited flags more JSC friendly (r166465 + r166468 + r166469)
Clean up RenderStyle creation (r165578)
Implement :scope for element.querySelector[All]() (r145691)
Remove unbaked support for :scope pseudo-class. (r129408)
Merge CheckingContexts from SelectorCompiler and SelectorChecker (r173457)
Pass CSSSelector pointers around as const after parsing stage. (r140530)
CSS general sibling selectors does not work without CSS JIT (r189560)
Removing an HTML element spends a lot of time in adjustDirectionalityIfNeededAfterChildrenChanged (r178571)
Roll out r165076. (r177048)
Remove the style marking from :nth-child() (r173910)
Fix style invalidation of elements with multiple siblings dependencies (r173229)
Don't recurse into non-rendered subtrees when computing style (r172517 partial)
Don't recurse into non-rendered subtrees when computing style (r172494 + 172505)
Subtrees with :first-child and :last-child are not invalidated when siblings are added/removed (r170121 revisited complete)
Devirtualize isHTMLUnknownElement(). (r166839)
Add a Document::updateStyleIfNeededForNode(Node&). (r165076)
Turn some not-so-rare ElementRareData bits into Node flags. (r159191)
Keep SVGElementRareData in an SVGElement member instead of a hashmap. (r156819)
Clean up ContainerNode::childrenChanged (r154957)
Don't force layout when querying a fixed or non-box margin/padding property (r153347)
Extract computeRenderStyleForProperty and nodeOrItsAncestorNeedsStyleRecalc from ComputedStyleExtractor::propertyValue (r152938)
REGRESSION: ChildrenAffectedBy flags lost between siblings which have child elements sharing style (r141093)
Rename ContainerNode::parserAddChild "parserAppendChild" for consistency (r129164)

Apr 03, 2018
============
Return early in SelectorChecker::checkOne() if selector.isAttributeSelector() is true (r173646)
Unify the modes style resolution modes SharingRules and StyleInvalidation (r172679)
Simplify the StyleInvalidation mode of rule collection (r172024 revisited)
Regression(r169547): Crash in WebCore::styleForFirstLetter() while loading http://thenextweb.com/apple/2014/02/21/apple-confirms-acquired-testflight-creator-burstly/ (r169599)
Make pseudo element matching for style resolution more JIT friendly (r169547)
Start cleaning the API of SelectorChecker (r156189)
Split SelectorChecker's fast-checking logic into its own class. (r143686)
Move HTML Attribute case-sensitivity logic out of SelectorChecker to HTMLDocument. (r140832)
CSS: Refactor :visited handling in SelectorChecker (r173138)
CSS: Fix :visited behavior for SubSelectors (r171675)
CSS: Generalize CSS First Letter treatment (r171138)
Remove an useless check from SelectorChecker (r171058)
Fix the quirks mode selector matching of the pseudo classes :hover and :active (r169360)
Upgrade to SelectorFailsAllSiblings when Child selector is failed. (r166808)
Remove a contradiction from SelectorChecker (r156380)
Add a special case for SelectorDataList::execute when there is only one selector (r150944)
Use ElementTraversal in SelectorDataList::execute (r150099)
SelectorQuery should not ever use ResolvingStyle mode. (r144140)
SelectorChecker should not know about SelectorCheckerFastPath. (r143858)
REGRESSION(r130089): Scrollbar thumb no longer re-rendered on hover (r143819 revisited)
Kill transitive effects of SelectorChecker::checkOneSelector. (r130089 revisited)
Rename the CSSSelector PseudoType to PseudoClassType (r167571)
Split CSS Selectors pseudo class and pseudo elements (r166883 partial)
Move the PseudoPageClass types out of the pseudo element/class mix (r166863)
Update the code related to SelectorPseudoTypeMap to reflect its new purpose (r166447)
Pseudo type cleanup part 2: split pseudo elements parsing (r166094)
Fix a bunch of mistakes in the parsing of ::cue( and ::cue (r165579)
Start splitting CSS Selectors's pseudo types (r165402)
Remove unused CSSSelector::isCustomPseudoType(). (r149565)
class="cue" is getting some default style (r141806)

Apr 02, 2018
============
Some improvements to RuleSet shrinking. (r178580)
CSS Rule features are ignored for nested CSS Selector lists (r175018)
Simplify the StyleInvalidation mode of rule collection (r172024)
Remove SelectorCheckerFastPath from the style resolution algorithm (r171059)
Partition the CSS rules based on the most specific filter of the rightmost fragment (r171020)
CSS JIT: Ensure resolvingMode size is 1 byte (r170832)
CSS JIT: compile the first-child pseudo class (r166537 partial)
Remove leftover cruft from scoped stylesheet implementation. (r163559)
Reoptimize free-standing :focus/link/visited/-webkit-any-link selectors. (r149838)
`currentColor` computes to the same colour on all elements, even if 'color' is inherited differently (r182130)
Updating attributes on HTML elements do not invalidate the style correctly unless the attribute name is lowercase in the stylesheet (r173012)
[Forms] We should share RenderStyle object for optgroup and option element (r172597)
Two small refinements to matched properties cache. (r160829)
CSS: Fall back to cache-less cascade when encountering explicitly inherited value. (r160820)
Incorrect repeated background-size behavior in keyframes (r191589)
Crash under WebCore::invalidateStyleRecursively (r184615)
Crash when using 'em' units to specify font-size inside animation keyframe. (r171785)
REGRESSION (r160806): Incorrect cascade order of prefixed and non-prefixed variants of CSS properties box-shadow and background-{clip, origin, size} (r165587)
Add missing &. (r163594)
Check selectors exactly when invalidating style (r163592)
ElementRuleCollector should not use StyleResolver::State (r163475)
Remove StyleScopeResolver (r163263)
Remove the CSS selector profiler. (r162084)
REGRESSION(r160806): line-height is not applied when only present in :link style. (r161814)
Use CascadedProperties for page and keyframe style resolution as well. (r160852)
CascadedProperties: Deferred properties should have inline capacity. (r160830)
CascadedProperties should use a bitset to track property presence. (r160828)
Don't waste cycles on zeroing every CascadedProperties::Property. (r160817)
CSS: Add a property cascading pass to style application. (r160806)
Clean up more <style scoped> from style resolution (r156788)
Move the SharingRules mode outside of SelectorChecker (r156187)
Web Inspector: [REGRESSION] Forced :visited pseudoclass has no effect on A elements (r140331)
Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live (r230115)
Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType (r230101)
ArrayMode should not try to get the DFG to think it can convert TypedArrays (r230078)

Mar 29, 2018
============
Remove ElementRuleCollector's m_behaviorAtBoundary (r154297)
[Refactoring] Implement RuleCollector (r145510)
[Shadow DOM]: scoped styles are not applied in the cascade order. (r137708)
Group parameters (firstRuleIndex and lastRuleIndex) into a parameter object, RuleRange. (r140643)
Group all request parameters which are used to match CSS Rules into a parameter object. (r139817)
Split each RuleSet and feature out from StyleResolver into its own class. (r142573)
Split default style-sheet statics out from StyleResolver into its own class (r141713)
Let SVG images not taint canvases except when containing foreignObjects (r195614)
Add Traversal<ElementType> template (r154481)
Allow SVG images to be drawn into canvas without tainting. (r153876)

Mar 28, 2018
============
Factor stylesheet invalidation analysis code into a class (r132009)
Don't invalidate style unnecessarily when setting inline style cssText (r198284)
Reduce the overhead of updating the animatable style on ARMv7 (r169790)
Continuations casting issue. (r166736 revisited)
Mutating rules returned by getMatchedCSSRules can result in crash (r165821)
Move m_style to RenderElement (r156527)
Don't do document style recalc unless there's a RenderView. (r154927)
[cairo] Typo in determining fixed width fonts (r69776 revisited)

Mar 27, 2018
============
Remove the prefix for CSS Transforms (r181824 + r181825 + r181832)
[GTK] Support FontPlatformData::isFixedPitch for custom fonts (r69137 revisited)
DFG should know that CreateThis can be effectful (r229987 partial)
Stop returning GlyphPage from various Font functions (r177490)
Remove genericFamily enum from FontDescription (r176751)
FontGenericFamilies should not be ref-counted. (r157455)
Separate generic font family settings to a class (r150962)
Tighten FontGlyphs::glyphDataAndPageForCharacter to take FontDescription (r150762)
Avoid creating background layers on pages with a fixed background, but no image (r140648)
[CSS Grid Layout] Updating -webkit-grid-rows or -webkit-grid-columns doesn't work as expected (r140045 partial)
StyleResolver should not set NaN to font size (r136074)
Some CSS properties are not handled on StyleResolver::applyProperty (r134357)

Mar 26, 2018
============
REGRESSION(r158214): It made zillion tests crash on GTK and EFL (r158265)
Use left/right instead of left/width for simple text runs (r158225)
Make SimpleLineLayout::Layout a variable size object (r158214)
Multiple runs per line on simple line path (r158196)
Prepare simple line layout to support multiple runs per line (r158107)

Mar 23, 2018
============
[Qt] Animated opacity does not trigger accelerated compositing (r149123)

Mar 22, 2018
============
Remove misleadingly-named Font::isSVGFont() (r170871)
Simple line layout crashes with SVG fonts (r158860)
Decorated text sometimes does not draw its decorations (r158379)
[Texmap] Update a dirty region which is not covered with keepRect. (r148094)
[CSS] Expand -webkit-line-break value space (r132942)
CSS 3 'overflow-wrap' property implementation (r127737)
Text bounding box computation for simple line layout is wrong (r167568)
Re-enable simple line layout for GTK (r158102)
Enable center and right text alignment for simple lines (r158098)
fast/frames/seamless/seamless-nested-crash.html asserts on wk2 only (r158085)
Faster way for simple line layout to check if text has fallback fonts (r158012)
REGRESSION(r157950): It made many tests assert on Windows, EFL, GTK (r158007)
Non-SVG build broken after r157950 (r157998)
Cache line layout path (r157985)
Try to fix build without CSS_SHAPES. (r157952)
Simple line layout (r157950)
REGRESSION (Safari 5.1 - 6): Cannot correctly display Traditional Mongolian Script (r124654)
SVGImage::drawPatternForContainer creates a buffer without respecting the destination's acceleration setting (r173143 partial)
Remove deep copy of ImageBuffer in tiled SVG backgrounds (r143692)
Fix scaling of tiled SVG backgrounds on high-dpi displays (r143257 revisited)
Incorrect embedded SVG image sizing on first load (r132069)

Mar 21, 2018
============
Rename some line box functions to be just about lines (r157810)
ASSERTION FAILED: generatingElement() in WebCore::RenderNamedFlowFragment::regionOversetState (r171476)
[CSS Regions] Possible performance regression after r157567 (r157793)
[CSSRegions] Use RenderStyle::hasFlowFrom when needed (r157779)
[CSS Regions] Anonymous nested regions (r157567 partial)
[CSSRegions] Regions with overflow: hidden should paint over positioned sibling (r157129)
[CSSRegions] Computed z-Index should return 0 instead of auto for a region (r157121)
[CSSRegions] Regions as stacking contexts should paint over positioned sibling (r156891)
Replace node() calls with generatingNode() for RenderRegion code (r155109)
[CSSRegions] Pseudo-elements as regions should not be exposed to JS (r154982)
[CSS Regions] ::before and ::after pseudo-elements are not displayed for regions (r151647)
[CSS Regions] Regions don't create a stacking context for their contents (r151475)
[CSS Regions] Layers inside the RenderFlowThread should be collected by the layer of RenderView (r151339)
[CSSRegions] Prevent unnecessary copy of LayoutRect objects (r150761)
[CSSRegions] Consolidate use of RenderRegion::isValid (r147082)
Generated should not be supported for things with a shadow (r132269 + r132529 + 132696 + r132753)

Mar 20, 2018
============
[CSS Regions] Null dereference applying animation with CSS regions (r163531 partial)
[CoordGfx] Regression from r135212: big layers with transform animations sometime fail to render tiles (r142979 partial)
Coordinated Graphics: crash in TiledBackingStore::adjustForContentsRect (r141833)
REGRESSION(134048): TiledBackingStore must create tiles when the contents rect is changed. (r135366)
Coordinated Graphics: Remove a backing store of GraphicsLayer when the layer is far from the viewport. (r134048)
[Qt] Decide when to apply a scrolled position to the viewport based on the rect covered by the tiles (r130031)
[DFG][FTL] Profile array vector length for array allocation (r222384)

Mar 19, 2018
============
Move setting of some layout bits to RenderElement (r156816 + r156822 rolled out + r156876)
Move more style change code from RenderObject to RenderElement (r156325)
Move style change analysis code to RenderElement (r156312)
Rename RenderObject::first/lastChild to RenderObject::first/lastChildSlow (r156285)
Move layer hierarchy functions from RenderObject to RenderElement (r156190)
SVG relayout problem when displayed with different image box heights (r152178)
Fixed backgrounds in composited layers not repainted on scrolling (r151624 complete revisited)
webkit-backface-visibility on a parent element stops background-position from updating (r151622)
Fix assertion in the getComputedStyle-background-shorthand.html test (r150547)
New Flickr doesn't get fast scrolling but should (r150529)
REGRESSION (142152): ensure we skip past out-of-flow objects when detecting whitespace to ignore after leading empty inlines (r148223)
REGRESSION(r142152): Text wraps in menu (r147662 + r147667 + r147850 + r147939)
Padding applied twice for empty generated RenderInlines (r147505 revisited)
CSS 2.1 failure: floats-149 fails (r142152)
Improve "bad parent" and "bad child list" assertions in line boxes (r160837)
Move code for finding rendered character offset to RenderTextLineBoxes (r157517)
Move test for contained caret offset to RenderTextLineBoxes (r157514)
Make absoluteQuads/Rects functions return Vectors (r157366)

Mar 16, 2018
============
Remove strange CharacterData::dataImpl function (r178157)
Move absoluteRects/Quads to RenderTextLineBoxes (r157362)
Move positionForPoint to RenderTextLineBoxes (r157349)
Move line dirtying code to RenderTextLineBoxes (r157346)
Move more code to RenderTextLineBoxes (r157345)
Factor line box code from RenderText to a class (r157340)
Replace RenderText::renderedTextLength with hasRenderedText (r157338)
Repaint borders and outlines on pseudo content changes (r156619)
[CTTE] RenderText is always anonymous or associated with Text node (r156090)
CTTE: RenderSVGInlineText always has a Text node. (r155837)
CTTE: RenderCombineText always has a Text node. (r155845)
Changes in text-only properties shouldn't cause repaints unless there is actually text. (r150259)
Test if non-immediate descendants obscure background (r146955)
Don't compute background obscuration on every repaint (r146279)
Change hasAlpha to isKnownToBeOpaque and correct the return value for SVG images. (r141637)
REGRESSION (r135628-135632): Double box shadow failure to render (r141160)
Use render box background over border draw strategy in cases with background-image (r137473)
Fix occlusion culling logic to handle css background layer clipping (r136326)
Adding occlusion detection to reduce overdraw in RenderBox background rendering (r135629)

Mar 09, 2018
============
Window's pageXOffset / pageYOffset attributes should be replaceable (r206109)
Safari not handling undefined global variables with same name as element Id correctly. (r229451)

Mar 08, 2018
============
Upgrade-Insecure-Request state is improperly retained between navigations (r204521)
CSP: object-src and plugin-types directives are not respected for plugin replacements (r203611 partial)
CSP: Content Security Policy directive, upgrade-insecure-requests (UIR) (r201753)
[CSP] Violation report may be sent to wrong domain on frame-ancestors violation (r206278)
CSP: Improve support for multiple policies to more closely conform to the CSP Level 2 spec. (r203434 partial)
Fold setCellLogicalWidths logic into RenderTableSection layout (r131465)
Make RenderTable columns() and columnPositions() return a const reference (r131366)
Make no-column table-layout cases a little faster with inlining (r130698)

Mar 07, 2018
============
HTML `pattern` attribute should set `u` flag for regular expressions (r229363)
Ignore invalid regular expressions for input[pattern]. (r149151)
matchingShorthandsForLonghand builds map using a giant function (r155352 revisited)
[css3-text] Parsing -webkit-hanging value for text-indent from css3-text (r148414)
[css3-text] Parsing -webkit-each-line value for text-indent from css3-text (r146408)
[CSS3] Parsing the property, text-align-last. (r134190)
[Chromium] Use OpenTypeVerticalData on Linux (r129273)
Remove special-case flooring of baselinePosition for replaced elements in InlineFlowBox::placeBoxesInBlockDirection (r131503)
Revert rounding change in RenderTable::paintObject (r131358 revisited)
[Sub pixel layout] Change RenderBox to not round logicalTop/Left for RenderReplaced (r131202)
Remove the now-unneeded invalidations in RenderTable::removeCaption (r127139)
Crash in RenderTable::removeCaption (r126833)
Remove RenderTable::removeChild (r126495)
Lots of time spent querying table cell borders, when there are none. (r182235)
RenderTableRow should check if it has access to its ancestor chain. (r180190)
ROLLOUT: r153510: Broke Table borders on Wikipedia (r169814)
REGRESSION (r154622): Borders disappear when hovering over cells in table (r169532)
REGRESSION (r162334): RenderTableCol::styleDidChange uses out-of-date table information (r165837)
Col width is not honored when dynamically updated and it would make table narrower (r162334)
Avoid painting every non-edge collapsed border twice over (r154622)
In RenderTableCell::paintCollapsedBorders() check surrounding cells using physical rather than logical direction (r154389)
Dotted borders render w/ artifacts and sometimes as solid lines (r153510)

Mar 06, 2018
============
Implement TextDecoder and TextEncoder (r208872)
[mips] GPRInfo::toArgumentRegister missing (r194709)
Update CSSProperties.json with correct fill-and-stroke status, and other cleanup (r215151 partial)
Implement stroke-miterlimit. (r214787)
[FreeType] ASSERTION FAILED: !lookupForWriting(Extractor::extract(entry)).second in FontCache::getVerticalData() (r200237 partial revisited)
Add support for CSS properties paint-order, stroke-linecap, and stroke-linejoin in text rendering. (r212808)
Apply SVG styles paint-order, stroke-linejoin, and stroke-linecap on DOM text. (r212562)
calc() doesn't work for SVG CSS properties (r172711)
Removed some allocation and cruft from the parser (r177001 + r177010)

Mar 05, 2018
============
Removed the concept of ParserArenaRefCounted (r176825)
Split out FunctionNode from FunctionBodyNode (r176822)
The parser should generate AST nodes the var declarations with no initializers (r172717)
Crash in uninitialized deconstructing variable. (r179682)
Reduce the mass templatizing of the JS parser (r160383 complete revisited)
ASSERTION FAILED: !m_bodyLoader (r212257)
[Fetch API] Use ReadableStream pull to transfer binary data to stream when application needs it (r206857)
[Fetch API] ReadableStream should be errored with TypeError values (r206770)

Mar 02, 2018
============
[FreeType] ASSERTION FAILED: !lookupForWriting(Extractor::extract(entry)).second in FontCache::getVerticalData() (r200237 partial)

Mar 01, 2018
============
[GTK] Glyphs in vertical text tests are rotated 90 degrees clockwise (r158848 complete revisited)
Make OpenTypeVerticalData be ref-counted (r134871)
FontVerticalDataCache should allow zero as a key value (r130968)
OpenTypeVerticalData issue with DroidSansFallback.ttf on chromium-android and chromium-linux (r130570)
OPENTYPE_VERTICAL support for Chromium Win (r126907)
Cache support for OpenTypeVerticalData (r124397 complete revisited)

Feb 27, 2018
============
Directional single quotation marks are not rotated in vertical text (r176903)
Correct range used for Emoji checks. (r155951)

Feb 26, 2018
============
[DFG][FTL] Support Array::DirectArguments with OutOfBounds (r224818)
Constructor calls set this too early (r217062 complete revisited)
Fix exception scope verification failures in GenericArgumentsInlines.h. (r214085)
Use of arguments in arrow function is slow (r213165 partial)
ScopedArguments is using the wrong owner object for a write barrier. (r204612)
SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector. (r186643)
JIT bug - fails when inspector closed, works when open (r185566)
  => Passed JIT tests.

Feb 23, 2018
============
Creating a new blank document in icloud pages causes an AI error: (r184318 complete revisited)
[JSC] Avoid cloned arguments allocation in ArrayPrototype methods (r208524 partial)
Add argument_count bytecode for concat (r201668)

Feb 22, 2018
============
putDirectIndex does not properly do defineOwnProperty (r216279 complete revisited)
Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate(). (r215885 partial revisited)
[JSC] Drop arguments.caller (r208867)
ClonedArguments need to also support haveABadTime mode. (r208377 complete revisited)
Bad ASSERT in ClonedArguments::createByCopyingFrom() (r206836)
We should be able to eliminate cloned arguments objects that use the length property (r198154)
Leak of mallocs under StructureSet::OutOfLineList::create (r173787)

Feb 22, 2018
============
[JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case (r185240 complete revisited)
REGRESSION (r181993): inspector-protocol/debugger/setBreakpoint-dfg-and-modify-local.html crashes. (r182167)
DFG IR should refer to FunctionExecutables directly and not via the CodeBlock (r180993 complete)
  => Passed JIT tests.

Feb 21, 2018
============
GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments (r219433)
Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js (r218414 partial)
putDirectIndex does not properly do defineOwnProperty (r216279 partial revisited)
[test262] Fixing mapped arguments object property test case (r210146)
ClonedArguments need to also support haveABadTime mode. (r208377 partial)
We allow assignments to const variables when in a for-in/for-of loop (r204586 complete revisited)
DFG JIT bug in typeof constant folding where the input to typeof is an object or function (r198902 revisited)
Callee can be incorrectly overridden when it's captured (r188926 partial revisited)
DFG Is<Blah> versions of TypeOf should fold based on proven input type (r183629 revisited)
DFG should insert Phantoms late using BytecodeKills and block-local OSR availability (r183207 partial revisited)
[ES6] Use specific functions for @@iterator functions (r182911 revisited)
PutClosureVar CSE def() rule has a wrong base (r182213)
Deconstruction parameters are bound too late (r182109)
ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor (r182100)
If we're in code for accessing scoped arguments, we should probably check if the object is a scoped arguments rather than checking if it's a direct arguments. (r182023)
Unreviewed, fixes to silly things. While landing fixes to r181993, I introduced crashes. This fixes them. (r182004)
Unreviewed, fix obvious goof that was causing 32-bit debug crashes. The 64-bit version did it right, so this just makes 32-bit do the same. (r182001)
Unreviewed, VC found a bug. This fixes the bug. (r181998)
Heap variables shouldn't end up in the stack frame (r181993 complete)
Bytecode liveness analysis should have more lambdas and fewer sets (r181467)
DFG IR should refer to FunctionExecutables directly and not via the CodeBlock (r180993 partial)
BytecodeGenerator::constLocal() behaves identically to BytecodeGenerator::local() for the purposes of its one caller (r180723)
Varargs frame set-up should be factored out for use by other JITs (r179862 partial)
Keep only captured symbols in CodeBlock symbol tables. (r163337 partial)

Feb 14, 2018
============
[ES6] implement block scoping to enable 'let' (r186860 partial)
ClonedArguments should not materialize its special properties unless they are being changed or deleted (r196644)
In strict mode, `Object.keys(arguments)` includes "length" (r187017)
Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren(). (r185277)
Heap variables shouldn't end up in the stack frame (r181993 partial)
putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present (r228454)
[YarrJIT][ARM] We need to save r8 as it is the initial start register (r228436)

Feb 13, 2018
============
The error handler of ReadableJSStream should own stream object (r189196 revisited)
Make JSCells have 32-bit Structure pointers (r164764 partial)

Feb 13, 2018
============
Heap variables shouldn't end up in the stack frame (r181993 partial)
  => Passed JIT tests.

Feb 12, 2018
============
SVGCSSParser: m_implicitShorthand value is not reset after adding the shorthand property (r207471)
REGRESSION(r221292): svg/animations/animateTransform-pattern-transform.html crashes with security assertion (r226993)
[SVG] Leak in SVGAnimatedListPropertyTearOff (r221292)
[SVG] Leak in SVGAnimatedListPropertyTearOff (r219193 + r219217 rolled out + r219257 + r219264 rolled out + r219325 + r219327 rolled out + r219334 + r220484 rolled out)
REGRESSION: GuardMallloc crash in SVGListPropertyTearOff<SVGPointList>::processIncomingListItemWrapper (r197967 complete revisited)
WeakPtr functions crash when created with default constructor (r178615 partial)

Feb 09, 2018
============
put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object (r228193 partial)
REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy (r196367)
REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy (r195965)
Allow CachedResourceLoader clients to opt out of the MemoryCache. (r195770 revisited)
Cannot abort multiple XHR POSTs made to same url (r140174)
Refactor client removal in CachedResource::switchClientsToRevalidatedResource (r138958)
Failure to dispatch delegate callbacks if resource load fails synchronously (r126325 + r126373)
REGRESSION (r146540?): Crashes in storage/indexeddb/factory-basics-workers.html, storage/indexeddb/transaction-error.html (r146629)
IndexedDB: Ensure script wrappers can be collected after context is stopped (r146540)
IndexedDB: database connections don't close after versionchange transaction aborts (r142513)
[V8] IndexedDB: Minor GC can collect IDBDatabase wrapper with versionchange handler (r142483)
IndexedDB: IDBTransaction should manage lifetime of IDBRequests (r139518)
IndexedDB: Simplify transaction timers and event tracking (r135927)
IndexedDB: Move control of transaction completion to front end (r135332)
IndexedDB: Indexing tests are flaky-crashing (r134838)
IndexedDB: Indexing tests are flaky-crashing (r134685)

Feb 08, 2018
============
  => Passed JIT tests.

Feb 08, 2018
============
Do not paint border image when the border rect is empty. (r167694)
ASSERTION FAILED: x2 >= x1 in WebCore::RenderObject::drawLineForBoxSide (r167351)
box-shadows get truncated with a combination of transforms and clip: (affects Google Maps) (r164252)
Fix context save/restore mistake spotted in SVGInlineTextBox::paintTextWithShadows (r163286)
[Cocoa] Text shadow sometimes clipped unexpectedly (r200807 partial)
Repaint rect too small on elements with shadows (r148049)
When blocking localStorage, Firefox throws a security exception on access, and maybe so should we (r132183)

Feb 06, 2018
============
Fix bugs in 32-bit Structure implementation. (r165325 partial revisited)
It should be possible to jettison JIT stub routines even if they are currently running (r122166 revisited)
Global stringStructure caches its prototype chain, abandoning a web page (r97291 revisited)

Feb 05, 2018
============
RegExpMatchesArray doesn't know how to have a bad time (r197641 revisited)
The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell (r197622 revisitedd)
DFG should be able to compile StringReplace (r197520 revisited)
  => Passed JIT tests.

Feb 01, 2018
============
[DFG] Cleaning up and unifying 32bit code more (r226269 partial)
[DFG] Unify bunch of DFG 32bit code into 64bit code (r226261 partial)
ParseInt intrinsic in DFG backend doesn't properly flush its operands (r215387 revisited)
DFG::Node::convertToConstant needs to clear the varargs flags (r227053 revisited)

Jan 31, 2018
============
[Web IDL] interface objects should be Function objects (r196392 partially rolled out)

Jan 31, 2018
============
Unreviewed, register symbol structure to fix Debug build (r190927)
DFG::ByteCodeParser shouldn't call tryGetConstantProperty() with some StructureSet (r188292 partial revisited)
Structures used for tryGetConstantProperty() should be registered first (r188067 revisited)
DFG::freezeFragile should register the frozen value's structure (r186215 partial)
  => Passed JIT tests.
  
Jan 31, 2018
============
REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash (r172737 partial revisited)
[ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them (r170375)

Jan 30, 2018
============
[JSC] Relax line terminators in String to make JSON subset of JS (r227775)
Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate(). (r215885 partial)
Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it. (r214374 partial revisited)
Clients of JSArray::tryCreateForInitializationPrivate() should do their own null checks. (r214313)
JSArray::tryCreateUninitialized should be called JSArray::tryCreateForInitializationPrivate (r211110)
  => Passed JIT tests.

Jan 29, 2018
============
REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode() (r227742)
[JSC] Add primitive String support to compare operators (r199867)
Avoid backing store allocation with some combinations of replaced elements, masking and visibility:hidden (r173184)
Non-composited child RenderLayers cause allocation of unncessary backing store (r173181)
Adding a mask on a simple color compositing layer removes the content (r170306)
Images missing sometimes with composited clipping layers (r169053)
Direct pattern compositing breaks when no-repeat is set on a large layer (r150685)
WebProcess is crashing on http://achicu.github.io/css-presentation when direct pattern compositing is enabled (r150643)
Garbage at the top of http://www.technologyreview.com after scrolling (r149084)
Allow direct compositing of background images (r148172)
Fix debug assertion being triggered because we may access dirty normalFlowList. (r142815)
RenderLayer hasVisibleContent() has inconsistent semantics causing disappearing composited layers (r142012)
position:fixed that doesn't render any content should not force compositing (r141039)
[DFG] Remove GetLocalUnlinked (r225149)
Heap variables shouldn't end up in the stack frame (r181993 partial)

Jan 26, 2018
============
Relax builtin JS restriction about try-catch (r186260)

Jan 26, 2018
============
putDirectIndex does not properly do defineOwnProperty (r216279 partial revisited)
defineProperty on a index of a TypedArray should throw if configurable (r203096)
DFG call codegen should resolve the callee operand as late as possible (r179851)
  => Passed JIT tests.
  
Jan 25, 2018
============
Do all closed variable access through the local lexical object (r174226 revisited)
Don't use GPRResult unless you're flushing registers and making a runtime function call (r174090 revisited)

Jan 24, 2018
============
Insert store barriers late so that IR transformations don't have to worry about them (r184445 partial)
REGRESSION (r174025): Invalid cast in JSC::asString (r174121)
DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell (r174025 partial revisited)
DFG should have a separate StoreBarrier node (r160796 partial revisited)
PutGlobalVar should reference the global object it's storing into (r184367)
PutGlobalVar shouldn't have an unconditional store barrier (r183852)
RenderTableCell can't access its parent while in detached state. (r180174)
DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace (r189075 revisited)
[JSC] Use (x + x) instead of (x * 2) when possible (r188519)

Jan 23, 2018
============
DFG abstract interpreter needs to properly model effects of some Math ops (r227341)
[JSC] op_negate should with any type (r207369 partial)
DFG::StackLayoutPhase should always set the scopeRegister to VirtualRegister() because the DFG doesn't do anything to make its value valid (r179863)
Immediate crash when setting JS breakpoint (r179015)
Make the LLINT and Baseline JIT's op_create_arguments and op_get_argument_by_val use their lexicalEnvironment operand. (r178143)
Add the lexicalEnvironment as an operand to op_get_argument_by_val. (r178106)
Add the lexicalEnvironment as an operand to op_create_arguments. (r178008)
REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html (r174359 revisited)
AI for CreateArguments should pass through non-SpecEmpty input values (r161574 revisited)
fourthTier: AbstractValue methods that deal with watchpoints should have access to Graph, so that in debug mode, Graph can track the history of watchpoint states and detect races (r153129 revisited)
  => Passed JIT tests.

Jan 19, 2018
============
Octane/regexp's Exec function should benefit from array length accessor inlining (r197542 rolled out)

Jan 18, 2018
============
DFG should inline binary string concatenations (i.e. ValueAdd with string children) (r146164 revisited)
DFG should hoist structure checks (r124404 revisited)
Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure (r222590 revisited)
JSObject::reifyAllStaticProperties cleanup (r201853 partial revisited)
DFG should have some obvious mitigations against watching structures that are unprofitable to watch (r186986 revisited)
Merge r170436 from ftlopt. (r171660 partial)
[ftlopt] Infer immutable object properties (r170855 partial revisited)
Structure bit fields should have a consistent format (r170436)
Move structureHasRareData out of TypeInfo (r169903)

Jan 17, 2018
============
The Abstract Interpreter needs to change similar to clobberize() in r224366 (r224426)
DFG needs to handle code motion of code in for..in loop bodies (r224366)
DFG::Node::convertToConstant needs to clear the varargs flags (r227053)
DFG should only have two mechanisms for describing effectfulness of nodes; previously there were three (r179840)

Jan 16, 2018
============
DFG::StrCat isn't really effectful (r189075 revisited)
Introduce SymbolType into SpeculativeTypes (r184340)
TypeOf should be fast (r183724 complete revisited)
Move all of the branchIs<type> helpers from SpeculativeJIT into AssemblyHelpers (r183656 partial)
The CleanUp after LICM is erroneously removing a Check (r225966)
ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender() (r215852)
Minor fix to idx bounds check after 185954 (r185959)
REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689) (r185954)

Jan 15, 2018
============
Local CSE wrongly CSEs array accesses with different result types. (r215748)
DFG should not use or preserve Phantoms during transformations (r183497 partial)
[ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children (r171152)

Jan 15, 2018
============
[FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage (r217202 revisited)
cloberrize() is wrong for ArithRound because it doesn't account for the arith mode (r184541 complete revisited)
Constructor returning null should construct an object instead of null (r180587 revisited)
[ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects (r171106 partial revisited)
HashMap should have removeIf() (r171049)
[ftlopt] DFG::clobberize should be blind to the effects of GC (r169188)
  => Passed JIT tests.

Jan 12, 2018
============
IndexedDB: Free up resources used by completed cursors earlier (r129038)
IndexedDB: IDBRequest can be destructed during abort (r126361)
[JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case (r185240 partial revisited)

Jan 11, 2018
============
cloberrize() is wrong for ArithRound because it doesn't account for the arith mode (r184541 partial revisited)
[ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects (r171106 partial)
[JSC] Make the rounding-related nodes support any type (r206134)
[JSC] Improve ArithAbs with polymorphic input (r205112)
[JSC] Clean up the abstract interpreter for cos/sin/sqrt/fround/log (r204995)
[JSC] Make ArithLog works with any type (r204881)
[JSC] Make Math.cos() and Math.sin() work with any argument type (r204849)
[JSC] ArithSqrt should work with any argument type (r204670)
DFG abstract heaps should respect the difference between heap and stack (r180656)
ArithSqrt should not be conditional on supportsFloatingPointSqrt (r180085)
Eliminate Scope slot from JavaScript CallFrame (r178856 partial)
Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions (r172665 partial)
Our for-in caching is wrong when we add indexed properties on things in the prototype chain (r226767)
Fix exception handling for the baseline JIT. (r160656 partial revisited)
Fix Use details for op_create_arguments. (r177994)
Fix Use details for op_create_lexical_environment and op_create_arguments. (r177981)

Jan 10, 2018
============
Crash in operationNewFunction when scrolling on Google+ (r177871)
DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser should not pretend that it's a constant as that breaks OSR exit liveness tracking (r180989 partial revisited)
BytecodeGenerator shouldn't emit op_resolve_scope as a roundabout way of returning the scopeRegister (r180875)
Eliminate Scope slot from JavaScript CallFrame (r178856 partial)
Crash in JSScope::resolve() on tools.ups.com (r178629 revisited)
Fix broken build after r177146. (r177149)
REGRESSION: Use of undefined CallFrame::ScopeChain value (r177146)
Remove GetMyScope node from DFG (r176625)
Allocate local ScopeChain register (r176479)
Fix exception handling for the baseline JIT. (r160656 partial)
Use scope register when processing op_resolve_scope in LLInt and Baseline JIT (r175998)
Update scope related slow path code to use scope register added to opcodes (r175509 + r175512 + r175762)
Repatch code is passing the wrong args to lookupExceptionHandler. (r163274)
reentrant-caching sometimes fails with LLInt disabled (r162089)

Jan 09, 2018
============
ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter (r226650)
Change CallFrame::globalThisValue() to not use CallFrame::scope() (r176700)
Add scope operand to op_create_lexical_environment (r175845)
Change CallFrame::lexicalGlobalObject() to use Callee instead of JSScope (r175118)
Change CallFrame to use Callee instead of JSScope to implement vm() (r173706)
Create a JSCallee for GlobalExec object (r173636)
Remove unused CodeBlock::createActivation(). (r162845)
Reduce the precision of "high" resolution time to 1ms (r226495 partial)
performance.now() should truncate to 100us (r209462)
Make NetworkLoadTiming use double for higher precision in Resource Timing (r204736 partial)
Make the C Loop LLINT work with callToJavaScript. (r160186 partial)

Jan 08, 2018
============
Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions (r226489)
Add scope operand to op_new_func* byte codes (r176109)

Dec 22, 2017
============
GetPropertyEnumerator in DFG/FTL should not unconditionally speculate cell (r226208)

Dec 20, 2017
============
Typing is slow in Gmail on iPads (r185287)
REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()) (r203416)
Iterator loops over key twice after delete (r190923)
[JSC] JSPropertyNameEnumerator's property name vector should be sized-to-fit. (r185380)
DFG HasStructureProperty codegen should use one fewer registers (r174091)
Don't use GPRResult unless you're flushing registers and making a runtime function call (r174090 revisited)

Dec 19, 2017
============
Handle cases in StackVisitor::Frame::existingArguments() when lexicalEnvironment and/or unmodifiedArgumentsRegister is not set up yet (r175967)

Dec 19, 2017
============
Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin (r221470)
Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node. (r208560 partial)
Polymorphic operands in operators coerces downstream values to double. (r200606 partial)
[JSC] Get rid of NonNegZeroDouble, it is broken (r200502 partial)
  => Passed JIT tests.

Dec 19, 2017
============
Our for-in optimization in the bytecode generator does its static analysis incorrectly (r217438 revisited)

Dec 18, 2017
============
Math.min()/Math.max() with no arguments is lowered incorrectly in the BytecodeParser (r208496 revisited)
[DFG][FTL][B3] Support floor and ceil (r197380 partial revisited)
[JSC] Make the NegZero backward propagated flags of ArithMod stricter (r184220 revisited)
DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers. (r217156 + r217169 + r217179)
[DFG] Convert ValueAdd(Int32, String) => MakeRope(ToString(Int32), String) (r215472 rolled out)
Eliminate two large sources of temporary StringImpl objects. (r201645 revisited)
TypedArrays need more isNeutered checks. (r202982 partial)
[JSC] Optimize more cases of something-compared-to-null/undefined (r188624 revisited) 
Add "get scope" byte code (r175508)
Make Executable::clearCode() actually clear all of the entrypoints (r168459 partial)
Fix bugs in 32-bit Structure implementation. (r165325 partial revisited)
Don't speculate on ToThis if we already know that arg0 has a questionable record with structure checks (r163513 revisited)
op_to_this shouldn't use value profiling (r156468 revisited)

Dec 16, 2017
============
DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser should not pretend that it's a constant as that breaks OSR exit liveness tracking (r180989 partial revisited)
Change DFG to use scope operand for op_resolve_scope (r176005 rolled in)
Fix bugs in 32-bit Structure implementation. (r165325 partial revisited)

Dec 15, 2017
============
Change DFG to use scope operand for op_resolve_scope (r176005 rolled out)
Remove op_get_callee, it's unused (r180917)

Dec 14, 2017
============
r9 is volatile on ARMv7 for iOS 3 and up. (r180516)
[ARM] Add the necessary setupArgumentsWithExecState after bug141915 (r180515)
Scopes should always be created with a previously-created symbol table rather than creating one on the fly (r180514)
Function name scope is only created on the function instance that triggered parsing rather than on every function instance that needs it (r180506)
Callee can be incorrectly overridden when it's captured (r188926 partial revisited)

Dec 13, 2017
============
Add scope operand to op_resolve_scope (r175471)
Add scope operand to op_push_with_scope, op_push_name_scope and op_pop_scope (r175426)
Fixed the Inspector to be able to properly distinguish between scope types. (r174216 partial)
[ftlopt] Infer immutable object properties (r170855 partial revisited)
Functions should have initialization precedence over arguments. (r181353)
Simplified name scope creation for function expressions (r163321)
Code cache stores bogus var references for functions in eval code (r149836 revisited)

Dec 12, 2017
============
DFG inlining should be hardened for the no-result case (r217050)
Object.setPrototypeOf() should throw when used on a cross-origin Window / Location object (r205205)
[JSC] Object.getOwnPropertyDescriptors should not add undefined props to result (r203747)
http://kangax.github.io/compat-table/esnext/ crashes reliably. (r198080 revisited)
Turn off Internal Function inlining in the DFG for super calls. (r194565)
Overflow propagation broken in BTT and RTL writing-modes (r167706)

Dec 11, 2017
============
Constructor calls set this too early (r217062 partial)
DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit. (r182745 partial)
Kraken/stanford-crypto-pbkdf2.js sometimes crashes with an OSR assertion in FTL (r202141)
AbstractValue should use the result type to filter structures (r199391)
[DFG] Drop unnecessary proved type branch in ToPrimitive (r197164 revisited)
REGRESSION(r180595): same-callee profiling no longer works (r184328 revisited)
Use "this" instead of "callee" to get the constructor (r180595 revisited)
<1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput') (r163789 revisited)

Dec 09, 2017
============
DFG should insert Phantoms late using BytecodeKills and block-local OSR availability (r183207 partial revisited)
REGRESSION (r174226): Header on huffingtonpost.com is too large (r178591 revisited)
Get rid of JSLexicalEnvironment::argumentsGetter (r180529)
REGRESSION(r178591): 20% regression in Octane box2d (r179202)
BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope. (r178926 revisited)
REGRESSION (r174226): Header on huffingtonpost.com is too large (r178591)
REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked (r177578)
slow_path_get_direct_pname() needs to be hardened against a constant baseValue. (r175724 revisited)
Various arguments optimisations in codegen fail to account for arguments being in lexical record (r174821)
Use a single allocation for the Arguments object (r174795 revisited)
REGRESSION(r174025): remote inspector crashes frequently when executing inspector frontend's JavaScript (r174749 revisited)
Make sure arguments tearoff is performed through the environment record if necessary (r174478)
Remove op_new_captured_func (r174401)
REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html (r174359)
tearoff_arguments should always refer to the unmodified arguments register (r174294)
Do all closed variable access through the local lexical object (r174226)
REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms. (r172838)
Stop implicitly skipping a function's own activation when walking the scope chain (r172808)
Update scope resolution to assume that the parent activation is always there (r172598)

Dec 08, 2017
============
Rename activation to be more in line with spec language (r173517)
Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec (r173490)
[JSC] "return this" in a constructor does not need a branch on isObject(this) (r200992)
[JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL (r197155)
REGRESSION(r180595): same-callee profiling no longer works (r184123 + r184152 + r184328 revisited)
Stores to local captured variables should be intercepted (r159943 revisited)

Dec 07, 2017
============
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 revisited)

Dec 06, 2017
============
[JSC] Don't reference the properties of @Reflect directly (r198192)
[ES6] Make Object.assign spec compliant (r198052)
[ES6] Implement Reflect.getOwnPropertyDescriptor (r188529)
Origin header is not included in CORS requests for preloaded cross-origin resources (r201930 partial)
Initial Link preload support (r199650 partial)
Allow CachedResourceLoader clients to opt out of the MemoryCache. (r195770)
Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround. (r185768)

Dec 05, 2017
============
Fix all ExceptionScope verification failures in JavaScriptCore. (r221849 partial revisited)
ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *) (r203012)
Avoid duplicate computations of ExecState::vm(). (r221822 partial)
Make FunctionRareData allocation thread-safe (r183212 partial)

Dec 04, 2017
============
We should be able to lookup symbols by identifier in builtins (r201825 partial revisited)
REGRESSION(r194394): >2x slow-down on CDjs (r198171)
[ES6] Implement @@search (r196498)
[INTL] Implement String.prototype.localeCompare in ECMA-402 (r194394)
[Fetch] Align Accept header default values with fetch spec (r206206)
JavaScriptCore: missing exception checks in Math functions that take more than one argument (r225443)
Having a bad time needs to handle ArrayClass indexing type as well (r225423)
test262: Unexpected passes after r222617 and r222618. (r222638)
Add missing exception checks and book-keeping for exception check validation. (r222617 partial)
Missing exception check in JSObject::hasInstance (r219451 partial)
Add missing exception check. (r217157 partial)
Fix missing exception checks in Interpreter.cpp. (r214005 partial)
Fix missing exception checks in DFGOperations.cpp. (r208913 partial)
JSFunction::put() should not allow caching of lazily reified properties. (r208018 partial revisited)
StringView should have find(StringView, start). (r184867)
Don't hold on to parameterBindingNodes forever (r167964 + r168107 rolled out)

Dec 03, 2017
============
ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly. (r217429 partial)
Add missing exception checks detected by running marathon.js. (r212779 revisited)
some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct (r202588 revisited)
AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself (r196497)
[ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore. (r170724)

Dec 01, 2017
============
DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks (r188764 revisited)
Crash on SES selftest page when loading the page while WebInspector is open (r196760)
re-inline ObjectAllocationProfile::initializeProfile (r223727)
Remove FetchBody::m_isEmpty (r206737)
[ES6] Add support for Symbol.toPrimitive (r197531 revisited)
DFG should have adaptive structure watchpoints (r187780 partial)
[DFG][FTL] operationHasIndexedProperty does not consider negative int32_t (r225342)
test262: test262/test/built-ins/isNaN/toprimitive-not-callable-throws.js (r215402)
[ES6] Add support for Symbol.toPrimitive (r197531 partial revisited)

Nov 30, 2017
============
Avoid 2 times name iteration in Object.assign (r187363)
Implement `Object.assign` (r183199)
Object.getOwnPropertySymbols on large list takes very long (r187355)
Remove unused things from PropertyNameArray. (r184050)
Implement `Object.is` (r183006)
[JSC] allow duplicate property names returned from Proxy ownKeys() trap (r198531 partial)
[ES6] Implement Reflect.enumerate (r187483)
Rename PropertyNameMode::Both to PropertyNameMode::StringsAndSymbols (r187440)
Unreviewed, fix the debug build due to touching the non-declared variable in ASSERT (r187409)
[ES6] Implement Reflect.ownKeys (r187408 revisited)
Introducing construct ability into JS executables (r187205 revisited)
[ES6] Introduce %IteratorPrototype% and drop all XXXIteratorConstructor (r185577)
Implement ES6 Object.getOwnPropertySymbols (r182343)
Upgrade ES6 Iterator interfaces (r181077 revisited)
REGRESSION (172175-172177): Change in for...in processing causes properties added in loop to be enumerated (r181891)

Nov 29, 2017
============
Remove JSPropertyNameIterator (r171614)
Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure (r222590 revisited)
Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under slow_path_get_direct_pname (r216593)
We allow assignments to const variables when in a for-in/for-of loop (r204586 partial)
We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols (r203793)
We should not crash there is a finally inside a for-in loop (r202608)
REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result (r172962)
REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests. (r172959)
REGRESSION(r172401): for-in optimization no longer works at all (r172794)
Re-landing r172401 with fixed test. (r172413)
for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests (r172216)
We are missing places where we invalidate the for-in context (r219209)
Our for-in optimization in the bytecode generator does its static analysis incorrectly (r217438)
HasIndexedProperty clobberize rule is wrong for Array::ForceOSRExit (r206955)
[JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case (r185240 revisited)
Clean up EnumerationMode to easily extend (r182280)
Refactor our current implementation of for-in (r171605)
AST incorrectly conflates readable and writable locations (r166243)

Nov 28, 2017
============
Custom GetterSetterAccessCase does not use the correct slotBase when making call (r222671 partial)
DFG doesn't properly handle a property that is change to read only in a prototype (r218203)
[Re-landing] CachedCall should let GC know to keep its arguments alive. (r212618 + r212665 + r216292 partial)
REGRESSION (r206221): [USER] com.apple.WebKit.WebContent.Development at com.apple.JavaScriptCore: vmEntryToJavaScript + 299 (r206359)
Object.getOwnPropertyDescriptor() does not work correctly cross origin (r206221)
assignments in for-in/for-of header not allowed (r198144)
Assignment to new.target should be an early error (r197947)
Prevent cross-origin access to Location.assign() / Location.reload() (r197263)
Implement Proxy [[Get]] (r196722 partial)
Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset (r195462)
	
Nov 27, 2017
============
Regression(r191815): 5.3% regression on Dromaeo JS Library Benchmark (r192321 revisited)
Regression(r191815): 5.3% regression on Dromaeo JS Library Benchmark (r192321 rolled out)
[ES6] Add support for toStringTag (r191864 revisited)
String#startsWith/endsWith/includes don't handle Infinity position/endPosition args correctly (r183694)
Implement String.codePointAt() (r183141)
String.prototype.startsWith/endsWith/includes have wrong length in r182673 (r182872)
Regression(r173761): ASSERTION FAILED: !is8Bit() in StringImpl::characters16() (r181105)
Implement ES6 StringIterator (r181084)
Investigate the character type of repeated string instead of checking is8Bit flag (r178098)
Implement ES6 String.prototype.repeat(count) (r177978)
String includes methods perform toString on searchString before toInt32 on a offset (r177856)
Rename String.prototype.contains to String.prototype.includes (r176404)
Simple ES6 feature:String prototype additions (r173761)

Nov 25, 2017
============
ES6: Classes: Program level class statement throws exception in strict mode (r181973 complete)
ES6 Classes: Extends should accept an expression without parenthesis (r181724)
Support spread operand in |new| expressions (r166392 revisited)
Built-in functions should know that they use strict mode (r181664)

Nov 24, 2017
============
Crash for non-static super property call in derived class constructor (r200191)
[ES6] Support subclassing Function. (r195070 rolled out)
ES6: Classes: Program level class statement throws exception in strict mode (r181973 partial)
Revert changes in bug#160417 about extending `null` not being a derived class (r204058 revisited + r218581)
Extending undefined in class syntax should throw a TypeError (r183759)
eval("this.foo") causes a crash if this had not been initialized in a derived class's constructor (r182198)
update a class extending null w.r.t the ES7 spec (r204058)
Upgrade Map, Set and WeakMap constructor interface (r181333)

Nov 23, 2017
============
[[Set]] should be properly executed in JS builtins (r183117)
calling methods off super in a class constructor should check for TDZ (r196361)
[ES6] Class parser does not allow methods named set and get. (r188018)
Introducing construct ability into JS executables (r187205 revisited)
ToT WebKit crashes while loading ES6 compatibility table (r183912)
new super should be a syntax error (r183757)
Class syntax should allow string and numeric identifiers for method names (r183709)
Class body ending with a semicolon throws a SyntaxError (r183383)
ES6 class syntax should allow static setters and getters (r182218)
Support spread operand in |new| expressions (r166392)
ES6 classes: When a class extends B, super() invokes B.prototype.constructor() instead of B() (r190847)
Extending null should set __proto__ to null (r182171)
ES6: Classes: Program level class statement throws exception in strict mode (r181973 partial)
Improve error messages in JSC (r181889 partial)
Create activations eagerly (r172594)
Add support for the new.target syntax. (r187108)
WebContent Crash when instantiating class with Type Profiling enabled (r182050)
ES6: Classes: Early return in sub-class constructor results in returning undefined instead of instance (r181924)
parseClass should popScope after pushScope (r181503)

Nov 22, 2017
============
Add support for default constructor (r181611)

Nov 21, 2017
============
[Fetch API] Fetch ReadableStream should only clone the second branch (r208039)
[Readable Streams API] Implement generic reader functions (r206912)
[Readable Streams API] Align function names with spec (r206814)
[Streams API] Align cancelReadableStream() with spec (r206508)
[Fetch API] Remove ReadableStreamSource firstReadCallback (r206423)
Reduce number of Structures created at startup. (r195528 revisited)
[ES6] Use specific functions for @@iterator functions (r182911)
Completed iterator can be revived by adding more than one new entry to the target object (r172707)
Implement Set iterators (r159031)
Add Map Iterators (r159008)
Support iteration of the Arguments object (r158793 revisited)
REGRESSION(r180595): same-callee profiling no longer works (r184123 + r184152 + r184328)
Use "this" instead of "callee" to get the constructor (r180595)

Nov 20, 2017
============
"this" should be in TDZ until super is called in the constructor of a derived class (r181466)
[JSC] Generate put_by_val_direct for indexed identifiers instead of put_by_id with direct postfix (r184859 revisited)
Getter or setter method named "prototype" or "constrcutor" should throw SyntaxError (r183382)
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r182452 revisited)
"static" should not be a reserved keyword in non-strict mode even when ES6 class is enabled (r181419)
ES6: Object Literal Extensions - Methods (r181183 revisited)
__proto__ shorthand property should not modify prototype in Object Literal construction (r181179)
Implement ES6 class syntax without inheritance support (r179371)
Add a build flag for ES6 class syntax (r178954)
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r178894 + r178928 rolled out)
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r178751 + r178756 rolled out)
Reduce the mass templatizing of the JS parser (r160383 partial)
[Fetch API] Add support for URLSearchParams body (r206632)
Iterating over URLSearchParams does not work (r210593)
Fix occasional using uninitialized memory crashes after r206168. (r206179)
Make URLSearchParams spec-compliant (r206168)
Implement URLSearchParams (r205893)
Simplify valueToUSVString (r204228)
[Web IDL] Add support for USVString type (r204215)
autocapitalize attribute should not use [TreatNullAs=LegacyNullString] (r203427)
form.enctype / encoding / method should treat null as "null" string (r203401)
JSDOMIterator forEach should support second optional parameter (r202334)
Rename JSKeyValueIterator as JSDOMIterator (r200411 partial)
Drop [TreatNullAs=EmptyString] from URL interface attributes (r197507)
Drop [TreatNullAs=LegacyNullString] from HTMLBaseElement.href (r197494)
Refactor DOM Iterator next signature (r196973)
Binding generator should support key value iterable (r196900 partial)
Remove DOMWrapped parameter from JSKeyValueIterator (r196170 partial)
Give StringView a utf8() API. (r184617)

Nov 17, 2017
============
Introducing construct ability into JS executables (r187205)
Make Builtin functions non constructible (r182995)
Class constructor should throw TypeError when "called" (r181490)
Calling super() in a base class results in a crash (r181404)
Support extends and super keywords (r181293)
test262: @isConstructor incorrectly thinks Math.cos is a constructor (r207347)
URLParser: Handle \ in paths of special URLs according to spec (r205684)
URLParser: Parsing empty URLs with a base URL should return the base URL (r205679)
URLParser failures should preserve the original input string (r205678)
URLParser should parse URLs with a user but no password (r205677)
URLParser should parse ports after IPv4 and IPv6 hosts (r205669 + r205671)
URLParser should correctly handle \ in path (r205668)
URLParser should handle URLs with empty authority (r205667)
Re-land r205580 after r205649 fixed the test failures (r205650)
Add range check in URLParser's serializeIPv6 (r205649)
Implement relative file urls and begin implementing character encoding in URLParser (r205493)
URLParser should parse file URLs (r205390)
Avoid unneeded string copy when parsing URL hosts (r205318)
URLParser should handle . and .. in URL paths (r205312)
Implement IPv6 parsing in URLParser (r205273)
URLParser should handle relative URLs that start with // (r205194)
URLParser should parse about:blank (r205147)
API test URLParserTest.ParserFailures failing ASSERT_NOT_REACHED (r205128)
URLParser should parse relative URLs (r205097)
[ES6] newPromiseCapabilities should check the given argument is constructor (r205027)
URLParser should parse IPv4 addresses (r204701)
URLParser should parse URLs without credentials (r204544)
Make URLParser work with URLs missing URL parts (r204431)
Initial URLParser implementation (r204417)
Add URLParser stub (r204380)
Addressing post-review comments after r203119 (r203208)
Relax ordering requirements on StringView::CodePoints iterator (r203119)
[JSC] Array.from() and Array.of() try to build objects even if "this" is not a constructor (r203101)
We should be able to lookup symbols by identifier in builtins (r201825 partial)
ES6: Implement String.prototype.split and RegExp.prototype[@@split]. (r199393 + r199502 partial)
JSValue::isConstructor and JSValue::isFunction should check getConstructData and getCallData (r196959 partial)
[ES6] Array.from need to accept iterables (r183357)
[ES6] Enable Symbol in web pages (r182653 partial)
Support modern for loops over StringViews (r174271)
Function.bind itself is too slow (r167272 + r167297)
Rewrite Function.bind as a builtin (r167020 + r167165 + r167199 + r167313 + r167251)

Nov 16, 2017
============
JSRopeString::RopeBuilder::append() should check for overflows. (r224055 revisited)
Fix exception scope verification failures in runtime/Operations.cpp/h. (r209030)
Error description code should be able to handle Symbol values. (r208410)
Improve Symbol() to string coercion error message (r200402)
Regression(r191815): 5.3% regression on Dromaeo JS Library Benchmark (r192321 partial)
[ES6] Implement Symbol.unscopables (r182225)

Nov 15, 2017
============
We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments. (r224735)
REGRESSION (r197531): JavaScriptCore ASan build fails due to weak external symbol (r197590)
[ES6] Add support for Symbol.toPrimitive (r197531 partial)
NodeList has issues with Symbol and empty string (r183589 revisited)
[ES6] Add support for toStringTag (r191815 + r191821 + r191863 + r191864)
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 revisited)
Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters (r182577)
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 revisited)
Insert exception check around toPropertyKey call (r182057 partial)
REGRESSION (r179429): Potential Use after free in JavaScriptCore`WTF::StringImpl::ref + 83 (r181814 revisited)
Implement ES6 Symbol (r179429)
Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint (r178224)
Crash beneath operationTearOffActivation running this JS compression demo (r165999 partial)
Small cleanup of empty string (r165906)

Nov 14, 2017
============
removing FetchBoyd::m_type (r206708)
The memory consumption of DFG::BasicBlock can be easily reduced a bit (r224689)
[Streams API] Align internal structure of ReadableStream with spec (r205289)
[Fetch API] Response bodyUsed should check for its body disturbed state (r205251)
[Fetch API] Response cloning should structureClone when teeing Response stream (r205117)
[Fetch API] Ensure response cloning works when data is loading (r205110)
Array#reduce and reduceRight don't follow ToLength (r185038)
ES6: Implement Math.sign() (r171278)
iOS 8 beta 2 ES6 'Set' clear() broken (r170517)
Simple ES6 feature:Array.prototype.fill (r167380)
Partial Information Leakage in Hash Table implementations (PrivateName) (r155560)
XHR should only fire an abort event if the cancellation was requested by the client (r220731)
[Fetch API] Add support for BufferSource bodies (r205115)
[Fetch API] Opaque responses should not have any body (r205082)
Implement redirect support post CORS-preflight (r204795)
cross-origin requests redirected fail or drop author requested headers (r204693 revisited)
DocumentThreadableLoader should pass the fetch mode to underlying loader code (r204117)
Remove didFailAccessControlCheck ThreadableLoaderClient callback (r202542)
Remove didFailRedirectCheck ThreadableLoaderClient callback (r202480)
Introduce ResourceErrorBase::type (r201856)
Port blocking bypass issue using 307 redirect (r194666)
Report error when main resource is blocked by content blocker (r190611 partial)
Implement Number.prototype.clz() (r165047)

Nov 13, 2017
============
[Fetch API] Add support to ReferrerPolicy (r204019)
Add basic caching for Document.cookie API (r174190)
Regression(r201805): Crash with <use> resource that has Vary header (r202985)
WebKit memory cache doesn't respect Vary header (r201800 + r201801 + r201805)
Respect cache-control directives in request (r182059)
Add support for sessions to MemoryCache. (r165013 + r165027 + r165117 partial)
Do not reuse cache entries with conditional headers (r200326)
Make SessionID use intHash (r194213)
Cached "Expires" header is not updated upon successful resource revalidation (r182157)
Move CacheValidation to platform (182064)
Do not attempt to revalidate cached main resource on back/forward navigation (r178012 revisited)
Rename WebContext to WebProcessPool (r177692 partial)
Notify Settings object when its Page object goes away. (r175348)
Create SessionID value-style class for session IDs. (r164726)
REGRESSION(r158333): http/tests/xmlhttprequest/response-encoding.html and xmlhttprequest-overridemimetype-content-type-header.html are failing (r158362)
Revalidation header blacklisting should be case-insensitive. (r155203)
Entity-header extension headers honored on 304 responses. (r142068)
Update Fetch to use enum class instead of string for enumerations (r200313)
Strip out Referer header when requesting subresources or following links for documents with "Content-Disposition: attachment" (r193983 + r193995 + r194001)
Do not enforce "content-disposition: attachment" sandbox restrictions on a MediaDocument (r188062)
Do not enforce "content-disposition: attachment" sandbox restrictions on a MediaDocument (r188051)
[iOS] Further tighten the sandbox around pages fetched with Content-Disposition: attachment (r186982)
Add preference to disable all http-equiv. (r186232)
Add API to disable meta refreshes. (r183632)
Referrer Policy: Update <meta name="referrer"> values to match the spec (r174640)
Update meta-referrer behavior for invalid policies (r164866)
[iOS] Upstream WebCore/dom changes (r160679 partial)
REGRESSION (r141981): Crash when closing a Google Docs document (r148310)
Take referrer policy into account when clearing the referrer header (r141981)

Nov 10, 2017
============
Response.blob() does not set the content-type based on the header value. (r215814 + r215842)
cross-origin requests redirected fail or drop author requested headers (r204693)
[Fetch API] Fetch promises should not reject or resolve when ActiveDOMObjects are being stopped (r204020)
CrossOrigin preflight checker should compute the right Access-Control-Request-Headers value (r203899)
Compute fetch response type in case of cross-origin requests (r203815)
Remove RequestOriginPolicy from ResourceLoaderOptions (r202821)

Nov 09, 2017
============
[Fetch API] Activate credentials mode (r203900)
CSP: Ignore paths in CSP matching after redirects (r199612)
CSP: Move logic for reporting a violation from ContentSecurityPolicyDirectiveList to ContentSecurityPolicy (r198657)
CSP: Simplify logic for checking policies (r198613 partial)
CSP: Make violation console messages concise and consistent (r198591)
CSP: Should only execute <script> or apply <style> if its hash appears in all policies (r198551)
CSP: Enable plugin-types directive by default (r197038)
CSP: Enable form-action directive by default (r196892)
CSP: ws: and wss: blocked with connect-src * (r209789)
Cleanup: Remove the need to pass reporting status to ContentSecurityPolicy functions (r198379)
Pass SecurityOrigin as references in CORS check code (r202674 partial)
CSP: Content Security Policy should allow '*' to match the originating page's scheme (r202155)
Fix AtomicString regression caused by r201603. (r201637 partial)
Overhaul cross-thread use of ResourceRequest, ResourceResponse, and ResourceError. (r201603 partial)
CSP: Nested browsing context created for <object> or <embed> should respect object-src directive (r199527)
REGRESSION (r197724): <object>/<embed> with no URL does not match source * (r198936)
REGRESSION (r197724): [GTK] Web Inspector: Images being blocked by CSP 2.0 (r198201 + r198334 rolled out)
CSP: Implement frame-ancestors directive (r197972)
CSP: Source '*' should not match URLs with schemes blob, data, or filesystem (r197724)
CSP: Make SecurityPolicyViolationEvent more closely conform to CSP spec and enable it by default (r197118)
CSP: Enable base-uri directive by default (r197007)
CSP: Violation report should include column number (r196877)
CSP: Violation report should include HTTP status code and effective-directive of protected resource (r196876)
CSP: report-url directive should be ignored when contained in a policy defined via a meta element (r196875)
CSP: sandbox directive should be ignored when contained in a policy defined via a meta element (r196874)
CSP: 'sandbox' should be ignored in report-only mode (r196582)
CSP: Implement child-src directive (r196526)
Rename *Event::create* which creates events for bindings to *Event::createForBindings* and cleanup corresponding paths (r196400 partial)
Content Security Policy error message when frame load is blocked does not read well (r185912)
CSP 1.1: Remove 'type' parameter from CSPDirectiveList::checkSourceAndReportViolation. (r147346)
CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports. (r146758 revisited)
Cleanup: Tiny nits in ContentSecurityPolicy::reportViolation. (r146755)
CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur. (r146520 revisited)
CSP 1.1: Add 'effective-directive' to violation reports. (r146137)
CSP logging: Be more developer-friendly when 'default-src' is violated. (r129572)
CSP reports should send an empty "blocked-uri" rather than nothing. (r129168)
CSP reports should send an empty 'referrer' rather than nothing. (r129150)

Nov 08, 2017
============
Make ResourceLoaderOptions derive from FetchOptions (r202741 revisited)
Remove ThreadableLoaderOptions origin (r202614)
Pack ResourceError harder. (r161955)
CSP connect-src directive should block redirects (r196283)
REGRESSION (r182866): repeated prompts for password on internal Apple website using workers (r186592)
ThreadableLoaderOptions::isolatedCopy() doesn't produce a copy that is safe for sending to another thread (r184657)
No thread safety when passing ThreadableLoaderOptions from a worker thread (r182866)
CSP: Allow Web Workers initiated from an isolated world to bypass the main world Content Security Policy (r196242)
Fix null pointer dereference in WebSocket::connect() (r190588)
Remove support for SharedWorkers (r178310 partial)
REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self' (r200030)
CSP: Support checking content security policy without a script execution context (r196012)
CSP 1.1: Schemeless source expressions match HTTPS resources on HTTP sites. (r146141)
CSP: Throw a warning when a '*-report-only' header doesn't contain a 'report-uri' directive. (r144566)
Pause inspector when inline scripts are blocked by Content Security Policy. (r128703)
JSC should throw a more descriptive exception when blocking 'eval' via CSP. (r128670)

Nov 07, 2017
============
We should trigger a console warning when we encounter invalid sandbox flags. (r134766)
crossorigin element resource loading should check HTTP redirection (r198395)
CSP: Use the served CSP header for dedicated workers (r195948)
CSP 1.1: Support CSP 1.1 directives on the unprefixed header. (r144571)
[Fetch API] Request construction failure should not set "bodyUsed" (r205253)
[Fetch API] Add support for fetch mode, in particular cors (r203732)
Remove crossOriginRequestPolicy from ThreadableLoaderOptions (r203490)
Make ResourceLoaderOptions derive from FetchOptions (r202741 partial)
CrossOriginPreflightChecker should call DocumentThreadableLoader preflightFailure instead of didFailLoading (r202336)
CORS preflight with a non-200 response should be a preflight failure (r202162)
Move preflight check code outside of DocumentThreadableLoader (r201924 partial)

Nov 06, 2017
============
[Fetch API] Blob type should be set from Response/Request contentType header (r205076)
[Fetch API] Response.blob should not assert in case the created blob is empty (r204171)
[Fetch API] Fetching with a FormData body should reject until it is implemented (r204225)
[ES6] Implement Reflect.defineProperty (r188361)
[ES6] Implement Reflect.has (r188264)
[ES6] Implement Reflect.getPrototypeOf and Reflect.setPrototypeOf (r188262)
[ES6] Implement Reflect.preventExtensions (r187479)
[ES6] Implement Reflect.isExtensible (r187410)
[ES6] Implement Reflect.ownKeys (r187408)
[ES6] Implement Reflect.apply (r187407)
[ES6] Add Reflect namespace and add Reflect.deleteProperty (r187401)
ES6: Implement Object.setPrototypeOf (r184642)
POST request on a blob resource should return a "network error" instead of HTTP 500 response (r201557)
Builtins that should not rely on iteration do. (r196949)
Memcache migth not be pruned when it should for https pages (r170504)
Crash in WebCore::SubresourceLoader::releaseResources when connection fails (r150867 revisited)
CORS preflight broken with NetworkProcess (r142936)
Remove incorrect ASSERT for m_error in CachedResource (r137028 revisited)
Remove some CachedResource::Status's in favor of looking at CachedResource::m_error (r133130)
Fix weird use of KURL's protocolIs (r130586)
Avoid ASSERT(m_workerContext->isSharedWorkerContext()) in WorkerScriptController::initScript() (r125120)

Nov 03, 2017
============
[Fetch API] Request should be created with any HeadersInit data (r203641 + r203642 + r203675)
Generate WebCore builtin wrapper files (r202975 partial)
Remove forEach use from Fetch Headers builtin constructor (r198889)
[Fetch API] Fetching with a FormData body should reject until it is implemented (r204225 partial)
[Fetch API] Fetch API should strip fragment and credentials from URLs used as referrer (r204224)
Fetch Response built-ins should use @makeThisTypeError (r203961)
[Streams API] Replace ReadableStreamController by ReadableStreamDefaultController (r203818)
[Streams API] Use makeThisTypeError in ReadableStreamDefaultReader.js (r203814)
[Streams API] Replace ReadableStreamReader by ReadableStreamDefaultReader (r203772)
[Fetch API] Response constructor should be able to take a ReadableStream as body (r203719 + r203726 + r203767)
JS Built-ins should throw this-error messages consistently with binding generated code (r203766)
[Fetch API] Add a JS builtin to implement https://fetch.spec.whatwg.org/#concept-headers-fill (r203445)
[Streams API] Make ReadableStream properties not enumerable (r203402)
[Fetch API] Request and Response url getter should use URL serialization (r203221)
Make use of PrivateIdentifier to simplify Fetch Headers built-in checks (r203029)
[Fetch API] Response constructor should throw in case of bad reason phrase (r202910)
[JSC] Implement isFinite / isNaN in JS and make DFG ToNumber accept non number values (r202680 partial)

Nov 02, 2017
============
[Fetch API] Fetch response stream should enqueue Uint8Array (r203637)
Use a private property to implement FetchResponse.body getter (r203632)
FetchResponse should return a ReadableStream even if disturbed (r200235)
[Fetch API] Response should not become disturbed on the ReadableStream creation (r203162)
[Fetch API] Response.redirect should throw a RangeError in case of bad status code (r202909)
Binding generator should generate accessors for constructors safely accessed from JS builtin (r202551)
Add bindings generator support to add a native JS function to both a 'name' and a private '@name' slot (r202275 partial)
[Fetch API] Implement Fetch redirect mode (r201324)
[IDL] Extend support for [EnabledAtRuntime] attributes / operations to all global objects, not just Window (r199103 partial)
Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings (r199017 partial)
The parser doesn't properly protect against global variable references in builtins (r196525 revisited partial)
[Fetch API] Consume HTTP data as a ReadableStream (r199641)
[Streams API] Refactor builtin internals to prepare support for streams API in worker (r194960)

Nov 01, 2017
============
[Streams API] ReadableStream should throw a RangeError in case of NaN highWaterMark (r203347)
[Streams API] Expose ReadableStream and relatives to Worker (r194033 + r194391 + r195101)
[Streams API] In RS during enqueuing error should be reported only if readable (r194391)
[Streams API] Directly use @then as much as possible (r194035)
JSC Builtins should use safe array methods (r193899 partial)
[Streams API] pipeThrough test failing (r193832)
[Streams API] pull function of tee should call readFromReadableStreamReader directly (r192879)
[Streams API] Clean-up JS built-in code using arrow functions (r192878)
[Streams API] teeReadableStream should not directly use stream.getReader() (r192877)
[Streams API] streams should not directly use Number and related methods (r192874)
[Streams API] Remove use of @catch for exposed promises (r192865)
[Streams API] Implement pipeTo method in readable Stream (r192765)
[Streams API] Implement IsReadableStreamDisturbed according to spec (r192621)
[Streams API] Update the implementation up to spec of Nov 11 2015 (r192466)
[Streams API] Remove bind usage (r192309)
[Streams API] Fix style issues (r192246)
[Streams API] Activate assertions (r192160 partial)
[Streams API] Shield promises when prototype is replaced from a promise (r192207)
[Streams API] Shield implementation from mangling then and catch promise methods (r192157)
[Streams API] Shield implementation from user mangling Promise.reject and resolve methods (r192057)
[Streams API] Shield streams against user replacing the Promise constructor (r192021)
[Streams API] Vended promise capabilities should not need @resolve/@reject fields (r191956)
[Streams API] Rework promises to use @newPromiseCapability (r191950)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 partial revisited)
Disable outdated WritableStream API (r215429 partial)
ASSERTION FAILED: promise.inherits(JSPromise::info()) (r205729 revisited)
[Streams API] Turn WS states into integers and fix state initialization (r191730)
Builtins generator should emit ENABLE(FEATURE) guards based on @conditional annotation (r191687 partial)
Audit WebCore builtins for user overridable code (r198776)
The parser doesn't properly protect against global variable references in builtins (r196525 partial)
[Streams API] Add write method to writable stream (r191669)
[Streams API] Add close method to writable stream (r191622)
[Streams API] Implement abort method on writable streams (r191584)
[Streams API] Add writable stream attributes (r191446)
[Streams API] Construct a writable stream (r191383)
[Streams API] Rework some readable stream internals that can be common to writable streams (r191335)
[Streams API] Add skeleton for initial WritableStream support (r191283)
Add InternalPromise to use Promises safely in the internals (r188681)
Introduce non-user-observable Promise functions to use Promises internally (r188603)
Remove CompoundType and LeafType (r170129)

Oct 31, 2017
============
[Streams API] Implement ReadableStream tee (r191285)
[JSC] Introduce BytecodeIntrinsic constant rep like @undefined (r196022 partial)
Automate WebCore JS builtins generation and build system (r190794 partial)
Migrate streams API to JS Builtins (r190608)
[Streams API] Add support for private WebCore JS builtins functions (r190401)
Fixing several incorrect assumptions with handling isolated inlines. (r162956)
[CSS Shapes] Match adjustLogicalLineTopAndLogicalHeightIfNeeded's implementation with Blink's (r157820)
[CSS Shapes] Use the floatingObject's logical coordinates to determine its size in computeLogicalLocationForFloat (r157318)
[CSS Shapes] Clip shape-outside to the bottom of the margin box (r157186)
[CSS Shapes] Support block content with inline content around floats in shape-inside (r156846)
Properly handle bottom margin on float with shape-outside (r156346)
Redrawing issue with inserting new inline element between existing inline elements (r136513)

Oct 30, 2017
============
[Streams API] Create ByteLengthQueuingStrategy object as per spec (r190394)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 revisited)
Remove the need for DOMClass in case of JSBuiltinConstructor WebIDL (r190239 revisited)
[Streams API] Add support for JS builtins constructor (r190198)
[Streams API] Implement ReadableStream pipeThrough (r190155)
Shrink RenderInline. (r159038)
[CSS Shapes] Modify updateSegmentsForShapes function to use logical coordinates (r156364)
Move logicalHeightForLine out of LineWidth.h (r156197)
Move LineWidth out of RenderBlockLineLayout (r155565)
Simplify the ShapeOutsideInfo and ShapeInfo interfaces (r156176)
Fix handling of top margin on float with shape-outside (r156106 revisited)
[CSS Shapes] Use the float height to determine position in shape-inside (r156022)
LayoutUnit::epsilon shouldn't be necessary to place floats (r143375)
[CSS Exclusions] Floats should respect shape-inside on exclusions (r137920)
REGRESSION (r155854 - r155967) block with margin-left adjacent to floated block causes text of subsequent blocks to overlap the floated block. (r156075)
[ARMv7] Fix initial start register support in YarrJIT (r224172)
Remove code now unnecessary after r159575 (r159758)
Move float logical location/dimension methods to RenderBlockFlow (r157197)

Oct 28, 2017
============
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 5) (r157705 complete)
Get rid of static map for marking ancestor line boxes dirty (r156639)
Focus ring for a child layer is incorrectly offset by ancestor composited layer's position (r144350)
Remove RenderBlock::paintEllipsisBoxes (r126335)

Oct 27, 2017
============
[Streams API] Update implementation with the latest spec (r188580)
[Streams API] ReadableStreamReader closed promise should use CachedAttribute (r188209)
[Streams API] Create CountQueuingStrategy object as per spec (r188127)
Create [CustomBinding] extended IDL attribute (r188119)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 4) (r157683)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 3) (r157677)
Crash in RenderTable::calcBorderEnd (r127206)
Remove RenderTableSection::removeChild (r126590)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 2) (r157674)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 1) (r157662)
[Streams API] Templating ReadableJSStream (r186740)
[Streams API] Remove ReadableStreamReader.read() custom binding (r186414)
[Streams API] Implement ReadableStream js source "'cancel" callback (r185872)
Move line grid functionality from RenderBlock into RenderBlockFlow. (r156557)
IteratorClose should be called when jumping over the target for-of loop (r182226)

Oct 26, 2017
============
JSRopeString::RopeBuilder::append() should check for overflows. (r224055 partial)
REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum (r224072)
REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match (r222601 rolled in)
Nested parenthesized regular expressions with non-zero minimum counts appear to hang and use lots of memory (r210837 rolled in)
  Regression on http://peacekeeper.futuremark.com/
  /:((?:[\w\u00c0-\uFFFF\-]|\\.)+)(?:\((['"]?)((?:\([^\)]+\)|[^\(\)]*)+)\2\))?/.exec(":contains('Sega')")
Fix all ExceptionScope verification failures in JavaScriptCore. (r221849 partial)
[Streams API] Remove ReadableStream custom constructor (r186323)
Don't force CharacterData to override getOwnPropertySlot. (r169829)

Oct 25, 2017
============
RenderLayerModelObject shouldn't need a pre-destructor hook. (r175475 revisited)
Remove RenderObjectChildList (r156278)
Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects. (r142760 revisited)
[Streams API] Remove ReadableStream and Reader cancel() custom binding (r186257)
[Streams API] Remove ReadableStreamController.enqueue() custom binding (r186231)
[Streams API] Synced bad strategy test with reference implementation (r186112)
Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue (r186076)
[Streams API] Add support for chunks with customized sizes (r186044)
Use FINAL instead of virtualChildren trick in render tree classes (r155802)
Support captions when PLUGIN_PROXY_FOR_VIDEO (r132842)
[mips] fix offsets of branches that have to go over a jump (r223916)
REGRESSION(r127163): Respect clearance set on ancestors when placing floats (r159575 revisited)
Move m_floatingObjects to RenderBlockFlow from RenderBlock (r157144)
[CSS Regions] Activate all regions to have layers, as CSS Regions create a new stacking context (r156767)
Fix handling of top margin on float with shape-outside (r156106)
Make FloatingObjects own it's FloatingObject instances (r155906)
Move Floats out of RenderBlock (r155391)
FloatingObjects should manage cleaning it's line box tree pointers itself (r155065)
[CSS Regions] RenderRegions should have a RenderLayer+Backing when they contain a Composited RenderLayer (r154072)
[CSS Shapes] Clear overflowing line's segments in pushShapeContentOverflowBelowTheContentBox (r152906)

Oct 24, 2017
============
Move logical(Left|Right)FloatOffsetForLine methods into FloatingObjects (r155368)
Move logical dimension getters/setters to FloatingObject from RenderBlock (r155050)
Code cleanup: rename FloatIntervalSearchAdapter and remove unnecessary inlines (r154758)
Optimize FloatIntervalSearchAdapter::collectIfNeeded (r154641)
[CSS Shapes] New positioning model: Borders (r153058)
[CSS Shapes] Port refactoring of shape-outside code from Blink (r152794)
REGRESSION: fast/border/border-fit-2.html needs updating (r145139)
border-fit-adjust should happen at layout time rather than paint time (r145100)
Fix some baseline flexbox alignment (r132104 revisited)
[Streams API] Finish pulling must always be done asynchronously as it is the expected promise behavior (according to the spec) (r186113)
[Streams API] ReadableStreamReader.closed should use DOMPromise (r186109 complete)
[Streams API]Remove ReadableStreamController.close custom binding (r186043)
[Streams API] Implement ReadableStreamController.desiredSize property (r186024)
[Streams API] Implement HighWaterMark (r185953)
Move ExceptionCodeDescription.h into the files that actually need it (r171285)
IndexedDB: Remove IDBDatabaseException.idl (r136869)
Remove IDBDatabaseException (r135424)

Oct 23, 2017
============
[Streams API] Implement ReadableStream cancel (abstract part) (r185826)
ASSERTION FAILED: typesettingFeatures & (Kerning | Ligatures) in WebCore::applyFontTransforms (r189557 partial)
Cache glyph widths to GlyphPages (r180752 + r180779 rolled out + r181492 + r181597 rolled out)
Emphasis mark is printed after inline-block with justify (r137786)
Layout Test fast/text/justify-ideograph-leading-expansion.html is failing an assertion chromium mac (r131405 revisited)
[Streams API] Remove ReadableStream.getReader() custom binding (r186111)
[Streams API] Implement ReadableStreamReader.releaseLock (r185697)
[Streams API] ReadableJSStream should handle promises returned by JS source pull callback (r185648)
[Streams API] Implement ReadableStream locked property (r185641)
[Streams API] ReadableJSStream should handle promises returned by JS source start callback (r185406 + r185467 + r185537)

Oct 20, 2017
============
Cleanup: Add convenience function URL::procotolIsBlob() (r197706 partial)
CSP is enforced for eval in report-only mode on first page load (r175771)
CSP: 'eval()' is blocked in report-only mode. (r145268)
[Streams API] Implement pulling of a source by a ReadableStream (r185406)
DeferredWrapper should clear its JS strong references once its promise is resolved/rejected (r185404 partial)
[Streams API] ReadableJSStream should handle JS source getters that throw (r185356)
[Streams API] ReadableStream should store callbacks as a Deque (r185260)
[Streams API] Implement ReadableStreamController enqueue (r185197)
[Streams API] ReadableStreamReader::closed() should be called once by binding code (r185149)
[Streams API] Remove ReadableStreamReader closed promise internal slot (r184723)
[Streams API] ReadableJSStream does not need a ReadableStreamSource (r185196)
[Streams API] Implement ReadableStreamReader read method in closed and errored state (r185114)
[Streams API] Implement ReadableStreamController constructor (r185039)
[Streams API] ReadableStreamReader should not be exposed (r184955)
[Streams API] Migrate closed promise handling from ReadableStreamReader to ReadableStream (r184585)
[Streams API] Delegate ReadableStreamReader reference counting to ReadableStream (r184444)
Stringifier::appendStringifiedValue() is missing an exception check. (r223731)
JSStringJoiner::joinedLength() should limit joined string lengths to INT_MAX. (r207849)
[Streams API] ReadableStreamReader.closed should use DOMPromise (r186109 partial)
[Streams API] ReadableStream reader should not be disposable when having pending promises (r184159)
[Streams API] Refactor ReadableStreamReader close promise callback cleaning (r184048)
[Streams API] ReadableStream constructor start function should be able to error the stream (r183991)
Move ReadableStreamJSSource.h/.cpp to ReadableJSStream.h/.cpp (r183866)
streams/readable-stream.html is very flaky (r183803)
[Streams API] Refactor ReadableJSStream and ReadableStreamJSSource (r183744)
[Streams API] ReadableStream constructor start function should be able to close the stream (r183395)

Oct 19, 2017
============
Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString. (r208767 partial revisited)
Isolated worlds should respect Content Security Policy; User Agent Shadow DOM should be exempt from Content Security Policy (r186395)
Isolated worlds should respect Content Security Policy; User Agent Shadow DOM should be exempt from Content Security Policy (r186388)
Scripts running in isolated world should not subject to a page's CSP about 'eval'. (r181925)
[CSS Shapes] CORS-enabled fetch for shape image values (r158044)
[CSS Shapes] Floats with shape-outside aren't painting in the correct order (r155244)
[CSS Shapes] Add support for shape-outside image values (r154152)
[CSS Shapes] New positioning model: basic support for rectangle shape-outside (r152122)
[CSS Shapes] limit shape image values to same origin (r151878)
Rename 'KURL::elidedString' and inspector's 'String.prototype.trimMiddle' for clarity. (r150957 partial)
[JSC] Script run from an isolated world should bypass a page's CSP (r148076 revisited)
[CSS Exclusions] Properly position multiple stacked floats with non rectangular shape outside (r148056)
[CSS Exclusions] shape outside segments not properly calculated for ellipses (r147250)
CSP: 'frame-src' should block redirects to invalid sources. (r138818)
CSP: XHR from an isolated world should bypass a page's policy. (r138817)
Unblock SVG external references (r133538)
Script run from an isolated world should bypass a page's CSP. (r133006)
Fix a typo that caused SVG external resources to be blocked on platforms other than Chromium. (r132869)
Block SVG external references pending a security review (r132849)
[Streams API] Implement ReadableStreamController (r183107)
[Streams API] Support the start function parameter in ReadableStream constructor (r182591)
[Streams API] Collecting a ReadableStreamReader should not unlock its stream (r182344)
[Streams API] Split ReadableStream/Reader implementation according source type (JS vs native) (r182309)
Get rid of outdated raises() from Web IDL (r151336 partial)
RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified. (r223645)
[Streams API] Implement a barebone ReadableStreamReader interface (r182180)

Oct 18, 2017
============
[Streams API] Error storage should be moved from source to stream/reader (r182140)
[Streams API] Update ReadableStream API according new version of the specification (r181736)
ReadableStream does not not need to pass itself as callback parameter (r181262)
[Streams API] Reading ReadableStream ready and closed attributes should not always create a new promise (r180599)
[Streams API] Implement a barebone ReadableStream interface (r179687)

Oct 17, 2017
============
Add reflected nonce attribute to HTML Link element IDL (r209644)
CSP: Fix parsing of 'host/path' source expressions (r196655)
CSP: Disallow an empty host in a host-source source expression (r196653)
CSP: 'none' should take effect only if no other source expression is present. (r139085)
CSP 1.0: Warn when old-style directives encountered. (r133193)
CSP source expressions should support paths at file-level granularity. (r131317)
'self' in a CSP directive should match blob: and filesystem: URLs. (r126785)
Trailing spaces in CSP source lists should not generate console warnings. (r126488)
Tighten up parsing the 'script-nonce' CSP directive value. (r125614)
Content Security Policy directives that begin with an invalid character should log a console warning. (r125195)
CSP: Implement support for inline script and inline style hashes (r197940)
Move CryptoDigest to WebCore/platform (r197575)

Oct 16, 2017
============
CSP: Implement support for script and style nonces (r197944)
Isolated worlds should respect Content Security Policy; User Agent Shadow DOM should be exempt from Content Security Policy (r186388 partial)
CSP: Remove SecurityPolicy script interface (r197142)
CSP 1.1: Experiment with 'base-uri' directive. (r146886)
CSP: Extract helper classes into their own files (r196350)
Move ContentSecurityPolicy.{cpp, h} to its own directory (r195711)
CSP: Drop 'script-nonce' directive. (r171150)
Refactor CSPDirective to support non-sourcelist types. (r125817)
Prefer 'Content-Security-Policy' to 'X-WebKit-CSP'. (r133329)
Implement the canonical "Content-Security-Policy" header. (r133095)
WebKit Doesn't Recognize Content-Language HTTP Header (r131794)
CSP paths: Ignore invalid path components, rather than dropping the source completely. (r129525)
ArrayPrototype methods should use JSValue::toLength for non-Arrays. (r218449 partial revisited)
Array.prototype.slice should not modify frozen objects. (r207226 partial)
Need an exception check after constructEmptyArray(). (r201787 partial)
Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated (r200387 revisited)
crossorigin element resource loading should check HTTP redirection (r198395)
Fix problems with cross-origin redirects (r195010)
50% time on Dromaeo Selector * benchmark spent allocating oversized backing stores (but not in Chrome) (r163057 revisited)
REGRESSION: We see authentication challenge sheets for favicon requests. (r149303 partial)
Don't include ResourceHandle.h in ResourceLoaderOptions.h (r143838)
Synchronous XMLHTTPRequests need to go to the NetworkProcess. (r139935 partial)
Support X-XSS-Protection: report=URL header syntax in XSSAuditor. (r133323 revisited)
Warn when CSP headers don't separate directives with ';'. (r131413)
Support paths in Content Security Policy directives. (r129143)
Warn authors about CSP directives ignored due to non-ASCII values. (r128042)
Invalid Content Security Policy sources should generate console warnings. (r125213)
Until CSP fully supports paths, we should log a warning if we encounter a source with a path. (r125047)
Refactor console logging out of CSPDirectiveList into ContentSecurityPolicy (r125021)

Oct 13, 2017
============
Speculative fix for: Crash in DocumentThreadableLoader::redirectReceived. (r212330 + r212335)
[Fetch API] Rename 'origin-only' referrer policy to 'origin' (r202323)
Replace CaseFoldingHash with ASCIICaseInsensitiveHash (r195928 partial)
http/tests/security/xss-DENIED-xsl-document-redirect.xml fails with NetworkProcess (r169243)
Set the original resource's response even on a 304 (r138202)

Oct 12, 2017
============
Rename [GlobalContext] extended attribute to [Exposed] and align with WebIDL (r199587 revisited)
Crashes in setTextForIterator (r162511)
[Fetch API] Add basic loading of resources for Workers (r198891)
[Fetch API] Move isDisturbed handling to FetchBodyOwner (r198890)
[Fetch API] Add basic loading of resources (r198665)
Stop hardcoding knowledge about blob protocol in ResourceHandle (r143569)
[Fetch API] Add support for iterating over Headers (r196128)

Oct 11, 2017
============
[Fetch] Use @isArray instead of `instanceof @Array` (r199654)
[Fetch API] response-consume.html is crashing on Mac WK1 Debug builds (r198326)
[Fetch API] FetchLoader should check for empty bodies (r198151)
[Fetch API] Implement data resolution for blob stored in Body (r198133 + r198134)
Array prototype JS builtins should support Symbol.species (r197536 partial)
[Fetch API] Use DeferredWrapper directly in FetchBody promise handling (r198005)
[Fetch API] Commonalize handling of FetchBody by FetchRequest and FetchResponse (r197778)
[Fetch API] Implement fetch skeleton (r197748)
Refactor FetchBody constructors (r197347)
[Fetch API] Make FetchRequest and FetchResponse ActiveDOMObject (r197744)
WebIDL generator should support the possibility for C++ classes to have a JS Builtin constructor (r194100 partial)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 partial)
JSBuiltinConstructor must always add builtin header (r190610)
Improve binding of JSBuiltinConstructor classes (r190314)
Remove the need for DOMClass in case of JSBuiltinConstructor WebIDL (r190239 partial)
Array.of should work with other constructors (r184942)

Oct 10, 2017
============
[Fetch API] Support Request and Response blob() when body data is a blob (r197396)
Blob content type normalization. (r148105)
[JSC] Introduce BytecodeIntrinsic constant rep like @undefined (r196022 partial)
[Fetch API] Implement Fetch API Response (r197049)
We don't need to clearEmptyObjectStructureForPrototype because JSGlobalObject* is part of the cache's key (r223123)
Octane/splay can leak memory due to stray pointers on the stack when run from the command line (r223024 partial)
[Fetch API] Implement Fetch API Request (r195954)
HTMLElement::nodeName should not upper case non-ASCII characters (r195501)
Element.tagName should be upper-case for HTML elements in HTML documents (r189618)

Oct 06, 2017
============
[Fetch API] Implement Fetch API Request (r195954 partial)
Stop using String::deprecatedCharacters to call WTF::Collator (r163792)
Avoid integer overflow in DFGStrengthReduction.cpp (r222981)
Audit WebCore builtins for user overridable code (r198776 partial)
[ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and => (r186047)
[ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. (r185989 + r185996)
AST Nodes should keep track of their end offset (r175396 partial)
Consolidate out arguments of parseFunctionInfo into a struct (r178888)
WTF should have a similar function as equalLettersIgnoringASCIICase to match beginning of strings (r198019)
Custom protocol loading through AVFoundation does not support byte-range requests. (r195764 partial)
[Fetch API] Implement Fetch API Headers (r195530)
XHR.setRequestHeader should remove trailing and leading whitespaces from the header value (r188333)
Small refactoring before implementation of the ES6 arrow function. (r184313 + r184317 + r184349)
CSS: fix the case-insensitive matching of the attribute selectors Begin, End and Hyphen (r181525)
Add a script that generates a gperf hash for HTTP header names (r169826)
Code duplication between HTTPParsers and HTTPValidation (r146908)

Oct 05, 2017
============
REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match (r222601 rolled out)
Nested parenthesized regular expressions with non-zero minimum counts appear to hang and use lots of memory (r210837 patially rolled out)
  Regression on http://peacekeeper.futuremark.com/
  /:((?:[\w\u00c0-\uFFFF\-]|\\.)+)(?:\((['"]?)((?:\([^\)]+\)|[^\(\)]*)+)\2\))?/.exec(":contains('Sega')")
  
Oct 04, 2017
============
RegExp's  anchored with .* with \g flag can return wrong match start for strings with multiple matches (r219031)
test262: test262/test/annexB/language/literals/regexp/identity-escape.js (r215161)
REGRESSION (r200946): Improper backtracking from last alternative in sticky patterns (r202597)
RegExp /y flag incorrect handling of mixed-length alternation (r200946)
[ES6] Implement Unicode code point escapes (r183552)
[ES6] Implement String.fromCodePoint (r183315)
test262: test262/test/language/literals/regexp/u-dec-esc.js (r215311)
Some bad unicode regex escapes aren't flagged as errors (r203202)
ES6 Change: Unify handling of RegExp CharacterClassEscapes \w and \W and Word Asserts \b and \B (r202490)
RegExp unicode parsing reads an extra character before failing (r201714)
Some tests fail with ES6 `u` (Unicode) flag for regular expressions (r199523)
[ES6] Quantified unicode regular expressions do not work for counts greater than 1 (r198866)
[ES6] Greedy unicode RegExp's don't properly backtrack past non BMP characters (r198624 partial)
[ES6] Make RegExp.prototype.toString spec compliant (r197999)
[ES6] Regular Expression canonicalization tables for Unicode need to be updated to use Unicode CaseFolding.txt (r197781)
[ES6] Make Unicode RegExp pattern parsing conform to the spec (r197534)
[ES6] Add support for Unicode regular expressions (r197426)
Fix minor ES6 compliance issue in RegExp.prototype.toString and optimize performance a little (r185528)
ASSERTION FAILED: s.length() > 1 on LayoutTests/js/regexp-flags.html (r185440)
Implement RegExp.prototype.flags (r185432)
Element.matches()'s argument is not supposed to be optional (r174334)
Clear the Selector Query caches on memory pressure (r168243)
Add Element.matches, the standard name for webkitMatchesSelector (r167631)
Unify the three call sites of SelectorQueryCache (r164854)
Inline SelectorQuery::matches, SelectorQuery::queryAll, SelectorQuery::queryFirst (r148984)
Stop passing around SelectorChecker in SelectorQuery, now that it's stack-allocated. (r143152)
[Refactoring] Make m_selectorChecker in StyleResolver an on-stack object. (r142591)
Move pointer to Document up from SelectorChecker to StyleResolver. (r138571)
Move visited link-checking (and caching) code out of SelectorChecker. (r138515)

Oct 03, 2017
============
Avoid unnecessary null checks in toJS() when the implementation returns a reference or Ref<> (r200775 partial)
Improve binding of JSBuiltinConstructor classes (r190314 partial)
Many DOM objects have InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero for no reason. (r171956)
Fast-path for casting JS wrappers to JSElement. (r166765 revisited)
Fast-path for casting JS wrappers to JSNode. (r166760 revisited)
CodeGeneratorJS.pm should generate "isFiringEventListeners()" check in isReachableFromOpaqueRoots() (r148700)
Add more type validation to debug builds (r148257 partial)
An [ActiveDOMObject] IDL attribute should be inherited (r140938)
Add missing exception check for the custom-get-set-inline-caching-one-level-up-proto-chain.js (r222744)
SegmentedString's copy ctor should copy all fields (r142514)
Implement MouseEvent constructor (r140657 partial)

Oct 02, 2017
============
[Web IDL] interfaces should inherit EventTarget instead of duplicating the EventTarget API (r196466 + r196476)
Generate Element casting helper functions (r173804 partial)
Fast-path for casting JS wrappers to JSElement. (r166765)
Fast-path for casting JS wrappers to JSNode. (r166760)
CREATE_DOM_WRAPPER doesn't need the ExecState. (r166128)
JSC bindings should use the passed-in global object for wrapper caching. (r165914)
[InexedDB] Interfaces inheriting from EventTarget should generate JSC (un)wrapping functions (r156701 partial)
IndexedDB IDL Refactoring. (r156590 partial)
Update AbstractWorker, Worker and SharedWorker to match the specification (r151956)
Rename CodeGenerator::IsSubType() to CodeGenerator::InheritsInterface() (r140884)
[Web IDL] interface objects should be Function objects (r196392 partial)
Get rid of multiple inheritance support from the bindings generators (r152725)
Remove ElementTimeControl and expose SVGAnimationElement (r152543)
Stop inheriting SVGFilterPrimitiveStandardAttributes in SVG (r152350)

Sep 29, 2017
============
Debugger may dereference m_currentCallFrame even after the VM has gone idle (r199249)
Move breakpoint (and exception break) functionality into JSC::Debugger. (r158937 partial)
MediaFragmentURIParser::parseFragments shouldn't upconvert 8-bit string (r152673)
HTMLTextFormControlElement::valueWithHardLineBreaks shouldn't upconvert 8-bit string (r152616)
parseHTMLInteger shouldn't upconvert 8-bit string (r152610 revisited)
setUpStaticFunctionSlot does not handle Builtin|Accessor properties (r202033)
reifyAllStaticProperties makes two copies of every string (r201225)
Add support for WebIDL JSBuiltin attributes (r190305)
JSC property attributes should fit in a byte (r189160)
In CodeGeneratorJS.pm we should rename $dataNode to $interface (r135231)
ASSERTION FAILED: character != kEndOfFileMarker in WebCore::HTMLTokenizer::bufferCharacter (r178128)
Stop using deprecatedCharacters in HTMLTreeBuilder (r165724 + r165734)
xmlDocPtrForString shouldn't upconvert 8-bit string (r152667)
HTML/XML parser helper unconsumeCharacters() can push back 8 bit text as 16 bit text (r135802)
Reduce use of deprecatedCharacters in WebCore (r165848)
Turn on ENABLE(8BIT_TEXTRUN) for everyone. (r163478)
Use deprecatedCharacters in a few more places (non-Mac-build sites found by EWS) (r163257)
Crash calling is8Bit() in visitedLinkHash() (r133337)
visitedHashLink() converts 8 bit URLs and attributes to 16 bits. (r133334)
Add String version of visitedLinkHash() to properly handle 8-bit URL Strings. (r131955)

Sep 28, 2017
============
Window should have its 'constructor' property on the prototype (r196690)
SVGTextLayoutAttributesBuilder shouldn't use RenderText::deprecatedCharacters() (r163248)
JSObject::reifyAllStaticProperties cleanup (r201853 partial)
REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match (r222601)
Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure (r222590 partial)
Nested parenthesized regular expressions with non-zero minimum counts appear to hang and use lots of memory (r210837)
Correct dictionary bindings handling of optional, null, and undefined (r200555 revisited)
Make some bindings improvements, with smaller code size for error message generation (r166864)
Improve dom error messages (r165640 partial)

Sep 27, 2017
============
Remove removeDirect (r201834)
JSGlobalObject::addFunction should call deleteProperty rather than removeDirect (r201654)
Regression(r196648): window.showModalDialog is no longer undefined if the client does not allow showing modal dialog (r196706)
JSDOMWindow::put should not do the same thing twice (r196702)
JSDOMWindow::getOwnPropertySlot should just call getStaticPropertySlot (r196678)
JSDOMWindow::getOwnPropertySlot should not search photo chain (r196676)
[Web IDL] Operations should be on the instance for global objects or if [Unforgeable] (r196648)
IDL functions and attributes should be JSBuiltin by default if interface is marked as JSBuiltinConstructor (r191885 partial)
replaceable own properties seem to ignore replacement after property caching (r201428 revisited)
window.history / window.navigator should not be replaceable (r196797 revisited)
Do security checks early in JSDOMWindow::put*() (r196628)
Organize, deduplicate & comment JSDOMWindowCustom getOwnPropertySlot (r196583)
Separate out !allowsAccess path in JSDOMWindowCustom getOwnPropertySlot (r196494)
Prevent cross-origin access to window.history (r196227)
Clean up access checks in JSHistoryCustom.cpp (r182284)
JSDOMWindow should not claim HasImpureGetOwnPropertySlot (r168914 revisited)

Sep 26, 2017
============
REGRESSION (196374): deleting a global property is expensive (r201315)
Attributes on the Window instance should be configurable unless [Unforgeable] (r196374)
Add Intrinsic Getters and use them to fix performance on the getters of TypedArray properties. (r191215 partial)
Introduce getter definition into static hash tables and use it for getters in RegExp.prototype. (r185370)
RegExp.prototype.toString Should Produce an 8 bit JSString if possible. (r133333)
XMLHttpRequest properties should be on the prototype (r190123)
DOM attributes on prototypes should be configurable (r190104)
Object.defineProperty() should maintain existing getter / setter if not overridden in the new descriptor (r203004)
JSBoundSlotBaseFunction no longer binds slot base (r202027)
SES selftest page crashes on nightly r196694 (r196723)
GetValueFunc/PutValueFunc should not take both slotBase and thisValue (r196331 + r196368)
Instance property getters / setters cannot be called on another instance of the same type (r196200)
Object.getOwnPropertyDescriptor() returns incomplete descriptor for instance properties (r196145)
object.__lookupGetter__() / object.__lookupSetter__() does not work for native bindings (r196004)
Native Bindings Descriptors are Incomplete (r196001)
[JS Bindings] prototype.constructor should be writable (r195907)
Getting / Setting property on prototype object must throw TypeError (r195695)
Avoid double hash lookup in our JS bindings named property getter code (r188663)
Improve the JavaScript bindings of DatasetDOMStringMap (r163239 + r163251)
Make DOMStringMap a typedef of DatasetDOMStringMap (r162821)
Start removing custom implementations of getOwnPropertyDescriptor (r154300 revisited)

Sep 25, 2017
============
HTMLOptionsCollection's namedItem and name getter should return the first item (r149126 revisited)
[Regression] After r142831  collection-null-like-arguments.html layout test failing (r142846)
HTMLCollections namedItem() methods should return null than undefined for empty collections. (r142831)
There should be one stub hanging off an inline cache that contains code for all of the cases, rather than forming a linked list consisting of one stub per case (r189586 partial)
Make writes to RegExpObject.lastIndex cacheable. (r175416)
REGRESSION(r135493): HTMLCollection and DynamicNodeList have two vtable pointers (r135667 partial)
ScriptController::updateDocument ASSERT mutating map while iterating map (r171505)
Assert in JSC::Heap::unprotect when closing facebook.com web site (r149188)
Delete checks for impossible conditions in V8DOMWindowShell (r126817)

Sep 22, 2017
============
Remove String::deprecatedCharacters (r166120 partial)
TextBreakIterator's should support Latin-1 for all iterator types (Part 3) (r162184)
TextBreakIterator's should support Latin-1 for all iterator types (Part 2) (r162109)
TextBreakIterator's should support Latin-1 for all iterator types (Part 1) (r161844)
Optimize RenderText::offsetNext for 8 bit strings (r150922)
REGRESSION (r147588): Line breaks occur in the middle of Hebrew words at haaertz.co.il and other websites (r148791)
HTMLFontElement font size parsing should directly handle 8 bit strings (r136068)
TextIterator unnecessarily converts 8 bit strings to 16 bits (r135972)
Grapheme cluster functions can be simplified for 8 bit Strings (r135805)
listMarkerText() should create 8 bit strings when possible (r135641)
HTML integer parsing functions don't natively handle 8 bit strings (r135495)
HTML Attributes names and values should be created as 8 bit string where possible (r134116)
MarkupAccumulator should optimally handle 8 bit Strings (r130795)
ApplicationCacheStorage does not optimally handle 8 bit strings (r129786)
Fix the uses of String::operator+=() for Mac (r127574)
Create CSS color output string on 8 bits (r126186)
Append the unit in place when generating the text value of a CSSPrimitiveValue (r125221)
Call deprecatedCharacters instead of characters at more call sites (r162784)
Add deprecatedCharacters as a synonym for characters and convert most call sites (r161851 partial)
Add a new String::charactersWithNullTermination() function that returns a vector (r152142)
Remove call to deprecatedCharactersWithNullTermination() in WebGL code (r152137)
StringImpl::findIgnoringCase() and reverseFindIgnoringCase() don't optimally handle a mix of 8 and 16 bit strings (r131655 + r132159)
StringImpl::reverseFind() with a single match character isn't optimal for mixed 8/16 bit cases (r131524)
WTFString::show doesn't dump non-ASCII characters in a readable manner (r128682 + r128684 + r128908)

Sep 20, 2017
============
Caching of properties on objects that have named property getters is sometimes incorrect (r192693 revisited)
The JIT should cache property lookup misses. (r175846 partial + r175849 + r175880 revisited)

Sep 19, 2017
============
Update parseHTMLNonNegativeInteger() to return an unsigned value (r205663 partial)
HTMLImageElement.width / height attributes should be unsigned (r205655)
[WebIDL] Extend new overload resolution algorithm support to constructors (r204043)
Have parseHTMLInteger() / parseHTMLNonNegativeInteger() use WTF::Optional (r197389 partial + r197449 partial)
Binding generator should allow generating private JS functions (r191287 partial)
Fix license and copyrights of WebCore js binding builtin files (r190993 partial)
[Streams API] Add support for JS builtins constructor (r190198 partial)
Automate WebCore JS builtins generation and build system (r190794 partial)
A WebIDL callback interface is allowed to have constants (r189063)
[WebIDL] All interface objects must have a property named "name" (r188258)
The 'prototype' property on interface objects should not be enumerable (r188252)
Static hash tables no longer need to be coupled with a VM. (r171824 revisited)
Remove static tables for bindings that use eager reification (r170256)
Get rid of [ConstructorParameters] extended attributes (r150292)

Sep 18, 2017
============
[Fetch API] Implement Fetch API Headers (r195530 partial)
Migrate streams API to JS Builtins (r190608 partial)
[Streams API] Add support for private WebCore JS builtins functions (r190401 partial)
Move 'length' property to the prototype (r196423)
Deprecate StringImpl::charactersWithNullTermination (r152069)
Avoids stack recursion when indexed propertyNames defined using Object.defineProperty are deleted. (r194399)
NodeList has issues with Symbol and empty string (r183589 partial)
Move properties that use custom bindings to the prototype (r195969)
Move more 'constructor' properties to the prototype (r195904)
[Streams API] Implement ReadableStream pipeThrough (r190155 partial)
[cmake] Fix generate-js-builtins related incremental build issue (r183738)

Sep 15, 2017
============
Make JSCells have 32-bit Structure pointers (r164764 partial)

Sep 14, 2017
============
Move attributes to the prototype for List types / and types with indexed/named property getters (r195798)
Caching of properties on objects that have named property getters is sometimes incorrect (r192693 partial)
NodeList should not have a named getter (r188829 revisited)
Make our bindings' GetOwnPropertySlot() behave according to specification (r188590)
Accessing HTMLCollection.length is slow (r188523)
Always inline toJS() for NodeList. (r166520)
Improve the bindings of NodeList's name accessor (r162801)
NodeList.item() does not behave according to specification (r154012)
Regression(r196648): http://w3c-test.org/html/dom/interfaces.html redirects at the end of the test (r196742)
Regression(r190023): fast/dom/navigation-with-sideeffects-crash.html is crashing (r190034)
Get rid of custom bindings for HTMLLinkElement.sizes setter (r190030)
[Web IDL] Add support for [PutForwards=XXX] IDL extended attribute (r190023)
Get rid of most custom bindings for Location.idl (r190017)
Get rid of custom bindings for Document.location getter (r190015)
[GTK] Implement sizes attribute for link tag (r177143)
[GObject] StrictTypeChecking extended attribute fails for methods with sequence<T>. (r171181)
Use & instead of | in the value of [CallWith] (r152154)
Web Inspector: Move call stack generation out of bindings. (r134931)

Sep 13, 2017
============
[Web IDL] Fix overload resolution when the distinguishing argument is a Window (r206587)
Fix the !ENABLE(ES6_TEMPLATE_LITERAL_SYNTAX) build after r184337 (r184713)
REGRESSION (r184337): [EFL] unresolved reference errors in ARM builds (r184352)
REGRESSION (r184337): ASSERT failed in debug builds for tagged templates (r184347)
Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked (r154038)
Kill [StrictTypeChecking] IDL extended attribute (r204033 partial)
[WebIDL] Implement overload resolution algorithm (r204028)
Enable strict type checking for Window dictionary members (r203950)
Optimize function and interface object length computation in bindings generator (r149177)
'length' property of DOM bindings functions returns wrong value (r148997)
[V8] Generate wrapper methods for custom methods (r142849)

Sep 12, 2017
============
Implement EventListenerOptions argument to addEventListener (r201730 + r201734 + r201735 + r201743 + r201757 partial revisited)
Avoid redundant isUndefined() check for parameters that are both optional and nullable in overloads (r201681)
[WebIDL] 'undefined' should be an acceptable value for nullable parameters (r201627)
Change IDBObjectStore.createIndex to take an IDL dictionary (r200699 partial)
REGRESSION (r178097): HTMLSelectElement.add(option, undefined) prepends option to the list of options; should append to the end of the list of options (r186275)
REGRESSION (r178097): JavaScript TypeError after clicking on compose button in Yahoo Mail (r186265)
HTMLSelectElement and HTMLOptionsCollection add() method should support index as second argument. (r178097)
CodeGeneratorJS.pm doesn't need to add spaces between consecutive closing template brackets (r165242)
Don't throw on infinity or NaN index in HTMLOptionsCollection.add() (r146283)
Distinguish Web IDL callback interfaces from Web IDL callback functions (r188994)
Remove support for DOMFileSystem (r156692 partial)
Remove web intents code (r142549 partial)
Add support for callback interfaces using other callback names than "handleEvent" (r188913)
Start on dictionary support for IDL, getting enough to work for one dictionary (r200448 revisited)
Unreviewed, fix PropertyName::isNull() that was introduced in r188994. (r189154)
Get rid of custom bindings for RequestAnimationFrameCallback.handleEvent() (r188905)
Cleanup MediaQueryListListener (r153925 + r154020 + r154035 revisited)
Remove support for [PassThisToCallback] extended attribute (r152490)
Remove a redundant virtual call to hostWindow() in FrameView::invalidateRect() (r151628)

Sep 11, 2017
============
Modern IDB: Support IDBDatabase.transaction() (and transaction scheduling in general). (r191722 partial)
IndexedDB IDL Refactoring. (r156590 partial)
WebIDL: overloaded methods prevent number -> string conversion (r131063)
IndexedDB: IDBRequest leaks if IDBCursor closes and no further events fired (r127518 revisited)
IndexedDB: IDBRequest can be GCd during event dispatch (r126254 revisited)
IndexedDB: Remove IDBRequest::finishCursor() and plumbing (r124842)

Sep 08, 2017
============
[CSS Regions] Improve implementation of elements in region being flowed to another flow thread (r152320)
[CSS Regions] Elements in a region should be assignable to a named flow (r147756 + r147983 + r148865)
[CSS Regions] Remove m_flowThread from NodeRenderingContext (r148605)
[CSS Regions] Don't apply region flow to fullscreen video playing (r138755)
[CSSRegions] Pseudo-elements should not be directly collected into a named flow (r137836)
Remove Node::attach() and ContainerNode::attach() (r154047)
ENABLE(NEW_XML) isn't used by anyone and no one is actively working on it (r140399)
REGRESSION (r151839): Subframe keeps getting mousemove events with the same coordinates after hiding a hovered element. (r167684)
Remove unused attachChildrenLazily method and make attach/detachChildren private (r152197)
Improve the reattaching process while applying the :hover style (r151839)
Document::setHoveredNode() should be setHoveredElement(). (r150752)
Rename from parentOrHost* to parentOrShadowHost* in Node.h. (r141524)

Sep 07, 2017
============
REGRESSION (r137006): TileCache flashes to linen, rather than the background color, when scrolling fast (r137800 revisited)
REGRESSION (r137006): CSS clip on solid color composited div broken (r137250)
Use background color for GraphicsLayers when applicable (r137006 + r137039))

Aug 31, 2017
============
semicolon is being interpreted as an = in the LiteralParser (r221400)

Aug 17, 2017
============
Part 2: Assertion failure in WebCore::PseudoElement::didRecalcStyle() (r162820)
Skip CachedImage::CreateImage if we don't have image data (r139484 revisited)
Clear pending container size requests as early as possible (r138976)
Heap-use-after-free in WebCore::StyleCachedImageSet::cssValue (r136560 revisited)
REGRESSION(r122215) - CachedImage::likelyToBeUsedSoon crashes on accessing a deleted CachedImageClient (r129962)
Crash in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&) (r159790)

Aug 16, 2017
============
Crash in com.apple.JavaScriptCore: WTF::ThreadSpecific<WTF::WTFThreadData, + 142 (r208953)
Hasher::addCharacters() should be able to handle zero length strings. (r208958)
StringHasher functions require alignment that call sites do not all guarantee (r144552)
Style tweaks to StringHasher.h (r143280)
Remove redundant use of inline keyword in StringHasher.h (r143116)
Extend StringHasher to take a stream of characters (r136695)
Remove HandleSet::m_nextToFinalize (r165490)

Aug 15, 2017
============
Region based multicol: support explicit column breaks (r162366)
[CSS Shapes] Parse [<box> || <shape>] values (r159526 partial revisited)
[CSS Shapes] Accept the new <box> value for shape-outside (r159307)
[CSS Exclusions] Minimal support for using an image to define a shape (r154081 revisited)
[CSS Exclusions] Add CSS parsing support for image URI shape-inside and shape-outside values (r150387 revisited)
[CSS Shapes] Remove unnecessarily complex template from ShapeInfo classes (r155627)
[CSS Shapes] Turn shape's logicalwidth/height into a LayoutSize (r155626)
[CSS Exclusions] Minimal support for using an image to define a shape (r154081)
[CSS Shapes] inset-rectangle support for shape-outside (r151116)
[CSS Shapes] Support parsing inset-rectangle shapes (r150904)
[CSS Exclusions] ExclusionShape bounding box methods should return LayoutRects (r149226)
[CSS Exclusions] refactor shape-outside code to use isFloatingWithShapeOutside() helper method (r147495)
[css exclusions] overflow:hidden undoes shape-outside offsets (r147463)
[CSS Exclusions] shape-outside on floats for circle and ellipse shapes (r145982)
CSS cursor property should support webkit-image-set (r136919 partial)

Aug 14, 2017
============
[CSS Exclusions] Improve ExclusionPolygon smart pointer safety (r149003)
[CSS Exclusions] Zoom causes shape-inside to fail when shape-padding is specified (r148139)
[CSS Exclusions] Add support for the simple case of shape-margin polygonal shape-outside (r147831)
[CSS Exclusions] shape-outside on floats fails to respect shape-margin's vertical extent (r147384)
[CSS Exclusions] Add support for the simple case of padding a polygonal shape-inside (r147111)
[CSS Exclusions] Removed ExclusionShape dead code (r147597)
[CSS Exclusions] Refactor the ExclusionPolygon class to enable storing multiple boundaries (r145411)
[CSS Exclusions] Enable shape-inside rectangle support for shape-padding (r144258)
[CSS Exclusions] ExclusionPolygon reflex vertices should constrain the first fit location. (r142805)
[CSS Exclusions] Ignore ExclusionPolygon edges above minLogicalIntervalTop (r142187)
[CSS Exclusions] Add support for computing first included interval position for polygons (r140606)
[CSS Exclusions] The ExclusionPolygon classes should allow more than one type of "Edge" class (r138802)
[CSS Exclusions] shape-inside layout fails to adjust first line correctly for writing-mode: vertical-rl (r138043)
[CSS Exclusions] Update wrap-margin/padding to shape-margin/padding (r134433)
[CSS Exclusions] Polygon with horizontal bottom edges returns incorrect segments (r133968)
[CSS Exclusions] Store ExclusionPolygonEdge vertices in clockwise order (r133682)
[CSS Exclusions] Polygon edges should span colinear vertices (r133490)
[CSS Exclusions] Multiple segment polygon layout does not get all segments (r132971)
[CSS Exclusions] Add ExclusionShape::shapeBoundingBox() method (r131768)
[CSS Exclusions] Handle special case "empty" shapes (r131766)
[CSS Shapes] Shape's content gets extra left offset when left-border is positive on the content box (r155002 complete)
[CSS Shapes] Remove lineOverflowsFromShapeInside boolean from RenderBlock::layoutRunsAndFloatsInRange function (r151703)
[CSS Shapes] Consider bottom borders when calculating the position of the overflow (r151652)
[CSS Shapes][CSS Regions] Respect bottom positioned shapes and content adjustment inside shapes (r151570)
[CSS Shapes] Rename updateLineBoundariesForExclusions to updateShapeAndSegmentsForCurrentLine (r151295)
[CSS Regions][CSS Exclusions] Multiple regions with shape-insides should respect positioned shapes and overflow (r150478)
[CSS Regions][CSS Exclusions] shape-inside on regions should respect positioned shapes and overflow (r150375)
[CSS Regions][CSS Exclusions] Shape-inside on regions should respect region borders and paddings (r150027)
[CSS Exclusions] shape-inside overflow should be pushed to the outside of the content box (r148975)
[CSS Exclusions] Implement empty segments for multiple-segment shape-insides (r148781)
[CSS Exclusions][CSS Regions] Block children do not layout inline content correctly in a region with shape-inside set (r147155)
[CSS Grid Layout] Before / start paddings and borders are not accounted for when placing the grid items (r147140)
[CSSRegions] Crash reflowing content in variable width regions (r146192)
On HarfbuzzNG ports, Arabic TATWEEL is not joined. (r141124)
[CSS Exclusions] Block children have incorrect offset when shape-inside element lays out below other elements (r132685)
Spread expressions are not fair game for direct binding (r196323)

Aug 11, 2017
============
Move the line widow functions out of RenderBlock and into RenderBlockFlow. (r155964)
[CSS Shapes] Shape's content gets extra left offset when left-border is positive on the content box (r155002 partial)
[CSS Regions] Compute correct region ranges for boxes (r153990 + r153993 + r154248)
ASSERTION FAILED: layoutState->m_renderer == this in WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage (r152768 revisited)
[CSS Regions] In a region chain with auto-height regions, lines get their length based only on the first region (r152572)
[CSS Regions] fast/regions/seamless-iframe-flowed-into-regions.html asserts (r151992)
Column balancing support in the region based multicol implementation (r151545)
[CSS Regions] Remove the offsetFromLogicalTopOfFirstPage parameter from layout functions (r150743)
[CSSRegions] Fix offsetLeft / offsetTop for elements inside named flow (r150383)
Reproducible crash in RenderBoxModelObject::adjustedPositionRelativeToOffsetParent() (r149653)
RenderObject::offsetParent should return Element* (r147395)
[CSSRegions]: Crash accessing offsetParent for contentNodes inside a flow thread (r146856)
Widows and orphans test4 fails if isolated (r140007)
Merge getLineAtIndex into RenderBlock::lineAtIndex (r139135)
[CSSRegions] RenderFlowThread::renderRegionForLine should use a faster search method (r147620)
[CSS Regions] Nested auto-height regions don't layout correctly (r147426)
[CSSRegions] Clean-up RenderFlowThread::updateRegionsFlowThreadPortionRect (r147411)
[CSSRegions] RenderFlowThread should keep a count of auto height regions (r140948)
[CSS Regions] min-max height will not trigger a relayout when set on a region with auto-height (r140400)
[CSS Regions] regionlayoutupdate event fires continuously (r136346)
[CSS Regions] Auto-height regions will not calculate the height correctly when the content changes dynamically (r136039)
[CSSRegions]Former auto-height regions should not ignore their defined height (r133146)
[CSS Regions] Content flows incorrectly in autoheight regions with min/max-height set (r140014)
[New Multicolumn] Add minimum column height tracking and forced break tracking to column sets. (r136146)
[CSSRegions] Incorrect computed height for content with region-break-before (r134395)

Aug 10, 2017
============
Add computeLogicalHeight override methods to RenderView and RenderMultiColumnSet (r131351)
[CSS Regions] Create a separate list for the invalid regions (r130918)
Layout Test fast/repaint/japanese-rl-selection-repaint-in-regions.html is failing after r126304 (r126961)
Crash in WebCore::RenderBlock::removeChild (r126304)
[CSS Regions] Add the NamedFlow.getRegions() API (r124772)
Checking if frame is complete and access duration doesn't need a decode (https://chromium.googlesource.com/chromium/blink/+/899a7a4375e3d124a3e740aa368ef733f3ebfa3e)
Simply GIFImageReader error handling (r147392)
GIFImageReader to count frames and decode in one pass (r146237)
More cleanup in GIFImageReader (r144961)
GIFImageReader to read from source data directly (r143936 + r143972 + r144100)
Fix code style violations in GIFImageReader.{cc|h} (r142528)

Aug 09, 2017
============
Fix a few missed renames from Exclusions -> Shapes (r151750)
Add some UNUSED_PARAMs to RenderBlock.cpp so that it builds properly if CSS_EXCLUSIONS is disabled. (r151662 partial)
[CSS Shapes][CSS Exclusions] Split CSS Exclusions and CSS Shapes code (r151402 partial)
[CSS Exclusions][CSS Shapes] Split CSS Exclusions & Shapes compile & runtime flags (r151247 partial)
[css exclusions] Clean up ExclusionShapeInsideInfo dynamic removal code (r151237)
[CSS Exclusions] Add CSS parsing support for image URI shape-inside and shape-outside values (r150387)
[CSS Exclusions] Increasing padding does not correctly layout child blocks (r148120)

Aug 08, 2017
============
[css exclusions] Dynamically removing shape-inside should cause relayout of child blocks' inline content (r147758)
[css exclusions] Move ExclusionShapeInsideInfo into RenderBlockRareData (r144520 + r144561 + r145610)
[CSS Exclusions] Enable shape-inside support for ellipses (r143420)
[CSS Exclusions] Enable shape-inside support for circles (r143010)
[CSS Exclusions] Blocks should not re-use their parent's ExclusionShapeInsideInfo (r138040)
Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily. (r181297 revisited)
VM::lastCachedString should be a Strong, not a Weak. (r170898)
Fast path for jsStringWithCache() when asked for the same string repeatedly. (r170857)
Fast path for jsStringWithCache() when asked for the same string repeatedly. (r170818)
Micro-optimize the way we hand NodeLists to JSC. (r167589)
Speed up jsStringWithCache() through WeakGCMap inlining. (r167577 partial)
Attempt to make it more clear what FloatIntervalSearchAdaptor::collectIfNeeded is doing (r154494 revisited)
ASSERTION FAILED: node->parentNode(), Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo (r151117 revisited)
Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo (r150084 revisited)
[CSS Exclusions] shape-outside on floats for polygon shapes (r144776)
[CSS Exclusions] Support outside-shape layout for shape-inside property (r143225)
Make outside-shape the default value for shape-inside (r142893)
[CSS Exclusions] Handle shape-outside changing a float's overhang behavior (r142527)
[CSS Exclusions] shape-outside on floats for rectangle shapes positioning (r140365)
GetOwnProperty of TypedArray indexed fields is wrongly configurable (r220377)

Aug 04, 2017
============
[CSS Filters] Using negative drop-shadow radius values has slow performance (r146762)

Aug 03, 2017
============
[New Multicolumn] Autogenerate regions for columns. (r144773)
[New Multicolumn] Remove unneeded layout method in RenderMultiColumnFlowThread. (r143606)
[New Multicolumn] Resize RenderMultiColumnSets around their columns. (r143506)
[New Multicolumn] Column gap is computed incorrectly. (r143484)
[CSS Regions] Assertion in RenderFlowThread::removeRenderBoxRegionInfo (r143322)
[New Multicolumn] Add requiresBalancing booleans to track which column sets need to rebalance. (r136886)
Added WTF::StackStats mechanism. (r131938 partial)
Wrong blur radius for filter: drop-shadow() (r208058)
Skip trying to paint overlay scrollbars when there are none or they are clipped out (r181695)
drop-shadow filter with overflow:hidden child misbehaves. (r150775)
Hoist several chunks of code at the top of RenderLayer::paintLayerContents() onto new functions (r150349)
border-radius clipping a canvas does not always clip (r149504)
RenderView should bail out of paintBoxDecorations() when painting with a different renderer (r148521)
Fix painting phases for composited scrolling (r145067)
[CSS Filters] Refactor filter outsets into a class (r142823)
[CSS Filters] brightness() function doesn't work as specified (r139770)
Zoomed-in scrolling is very slow when deviceScaleFactor > 1 (r134348)
Store a visible rect in GraphicsLayers, and optionally dump it in layerTreeAsText (r130927)
[CSS Shaders] Cached validated programs are destroyed and recreated when there is only one custom filter animating (r128387)
[CSS Filters] Filters should render using sRGB until the specification says how it works (r126927)

Aug 02, 2017
============
REGRESSION (r143070): Overflow:scroll content does not get clipped properly when the parent box has CSS3 filter on. (r151110)
[CSS Filters] RenderLayerCompositor::addToOverlapMap should take into account the filters outsets (ie. blur and drop-shadow) (r139330)
REGRESSION(r144318) 1-7% perf. regression on SVG/SvgHitTesting (r144484)
[New Multicolumn] Rewrite the painting/stacking model to be spec compliant. (r144318 + r144377)
[Safari] Crash with opacity + drop shadow filter + child element extending beyond filter outsets (r143655)
drop-shadow filter with overflow:hidden child misbehaves (r143070)
resize property doesn't work on iframes (r140749)
[CSS Filters] CSS opacity property clips filter outsets (r140702)
RenderLayer minor clean-up: replace raw pointers with OwnPtrs. (r135605)
Reduce the crazy number of parameters to RenderLayer painting member functions (r134311 + r134330 revisited)
[New Multicolumn] Implement column repainting. (r127297)
[New Multicolumn] Refactor flow thread repainting. (r127280)
CSS Masking and CSS Filters applied in wrong order (r126084)

Aug 01, 2017
============
Make it possible for the root background to be painted into its own GraphicsLayer (r140068)
Allow PaintInfo to carry all PaintBehavior flags (r139908 + r140066)
Add the ability for a RenderLayerBacking to have a layer that renders backgrounds. (r139815)
Rename RenderLayerBacking's m_containmentLayer to m_childContainmentLayer to better describe its purpose (r139797)
Allow tiled WKViews to have transparent backgrounds (r139750)
REGRESSION (r137006): TileCache flashes to linen, rather than the background color, when scrolling fast (r137800)
Disambiguate "background color" and "contents as solid color" on GraphicsLayer (r137798)
Use background color for GraphicsLayers when applicable (r137051 revisited)
Ensure that scrollbar layers show debug borders (r134843)
Fix layer borders to cleaning appear and disappear on switching (r133517)
GraphicsLayer visible rect computation needs to use the current animating transform (r131626)
Some GraphicsLayer cleanup to separate the concepts of using a tile cache, and being the main tile cache layer (r130676)
When using SVG as an image, we should load datauri images when these images are not in the image cache. (r179626 revisited)
REGRESSION(151586): multipart/x-mixed-replace images are broken (r152207)
Avoid unnecessary data copies when loading subresources with DoNotBufferData option (r151586)
ResourceLoader::resourceData() should not return a PassRefPtr (r151277)
ImageDocuments leak their world. (r197765 + r197780 rolled out + r197856)

Jul 31, 2017
============
Out-of-view fixed position check should not be affected by page scale at all on Mac (r143641)
Fixed elements sometimes marked out-of-view if you have rubber-banded too far, affects flickr.com (r140758)
Sticky-position elements can jump around/hide on rubber-banding (r140229 partial)
Fix position:-webkit-sticky behavior when zoomed (r138036)
Out-of-view check of fixed position element in frame is incorrect when page is scaled (r137697)
Fixed position out-of-view check is incorrect when page is scaled (r137399)
[EFL][Qt][WK2] Fixed position elements are not always fixed (r136452)
Parcel up logic related to sticky positioning into a Constraints class that will later be used for threaded scrolling (r127795)
Handle sticky that overflows its container (r126943)

Jul 26, 2017
============
REGRESSION (r142520?): Space no longer scrolls the page (r142561 partial)
REGRESSION (r133807): Sticky-position review bar on bugzilla review page is jumpy (r142520 partial)
ASSERT loading Acid3 test in run-safari --debug (r135050) (r137690)
When animating mask-postion on a composited layer, element renders incorrectly (r136433)
Fixed position elements that are out of view still end up forcing non-threaded scrolling (r133807)
[New Multicolumn] Implement hit testing for columns. (r127037)
[New Multicolumn] Correctly track whether or not a layer is paginated. (r143757)
[New Multicolumn] Make layers paint properly in columns. (r143467)
Reduce the crazy number of parameters to RenderLayer clip-rect functions (r135060)

Jul 25, 2017
============
Remove Broken CompareEq constant folding phase. (r219895)
Give purity hints to compiler to avoid penalizing repeated calls to some functions. (r156246 revisited)
REGRESSION (r155607): Javascript site does not load visually on panerabread.com (r157296 revisited)
REGRESSION (r132516): Javascript menu text incorrectly disappearing and reappearing (r155607 revisited)
Avoid calling isSimpleContainerCompositingLayer() an extra time (r152213)
ASSERTION FAILED: m_clipRectsCache->m_respectingOverflowClip[clipRectsType] == (clipRectsContext.respectOverflowClip == RespectOverflowClip) in RenderLayer. (r144639)
[New Multicolumn] REGRESSION: RenderMultiColumnSets broken by the RenderRegion -> RenderBlock subclassing. (r143395)
[CSS Regions] RenderRegion should inherit from RenderBlock (r142984 revisited)
Use background color for GraphicsLayers when applicable (r137051)
Avoid calling calculateLayerBounds() and convertToLayerCoords() more than once per layer paint (r134356)
Change calculateLayerBounds() from a static function to a member function (r134355)
[New Multicolumn] Implement column contents painting. (r127008)
Add support for compositing the contents of overflow:scroll areas (r126663)
[New Multicolumn] Make column rules paint properly. (r126177 revisited)
Avoid backing store on layers created for CoreAnimation plugins (r125101)

Jul 24, 2017
============
[New Multicolumn] Change inRenderFlowThread to follow containing block chain (r144497)
[New Multicolumn] Change flow thread containment to be a state. (r144461)
[CSS Regions] Region overset property is not properly computed when there is a region break (r144178)
[CSS Regions][Mac] fast/regions/full-screen-video-from-region.html hits an assertion in RenderFlowThread::removeRenderBoxRegionInfo (r142982)
[CSS Regions] Selecting text through nested regions causes weird and unclearable selection (r139197)
[CSS Regions] Remove the sanitize mechanism from LineFragmentationData (r136908)
[CSS Regions] Blocks don't relayout children if the width of a region changes (r136793)
[CSS Regions] Add Region info for RootLineBoxes and pack the pagination data (r135750)
Make convertToLayerCoords iterative, rather than recursive (r135080)
[CSSRegions] Add support for auto-height regions with region-breaks (r132602)
DFG Node for throw_static_error is incorrectly named as "ThrowReferenceError". This patch renames it to "ThrowStaticError". (r206853 partial)

Jul 21, 2017
============
Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable (r219702 partial)
[JSC] Reduce the memory usage of BytecodeLivenessAnalysis (r188849 partial)
Fix keyTimes list length of from/to/by animations. (r172706)
Make seamless iframes paginate properly in their enclosing document's pagination context. (r143256)
[CSSRegions] Assertion failure in Node::detach (!renderer || renderer->inRenderFlowThread()) (r141982)
Crash caused by incomplete cleanup of regions information for anonymous block (r139596)
[CSS Regions] Crash when using hover and first-letter inside a flow-thread (r136045)
[CSS Regions] InRenderFlowThread returns false in the first setStyle (r136037)
[CSS Regions] Elements using transforms are not repainted correctly when rendered in a region (r135921 + 136054)
[CSSRegions]Crash when moving anonymous block children inside a named flow (r126459)

Jul 20, 2017
============
[CSSRegions][CSSOM] Implement Element.getRegionFlowRanges (r128416 complete)
[css exclusions] setting shape-inside on a parent does not relayout child blocks' inline content (r144487)
[CSS Regions] Region boxes should respect -shape-inside CSS property (r143766)
[CSS Exclusions] shape-inside does not properly handle padding or border (r142164)
[CSS Exclusions] Refactor ExclusionShapeInsideInfo to more general ExclusionShapeInfo (r140978)
[CSS Exclusions] Add helper functions for converting floats to LayoutUnits (r137914)
[CSS Exclusions] Add support for computing the first included interval position. (r136857)
[CSS Exclusions] Layout of the first shape-inside line can be incorrect (r133475)
[CSS Exclusions] Points on the bottom and right edges of an exclusion shape should be classified as "outside" (r132127)
[CSSRegions][CSSOM] Implement Element.getRegionFlowRanges (r128416 partial)

Jul 19, 2017
============
Emoji sequences do not render properly. (r180191)
Backdrop Filter should repaint when changed via script (r198963)
[filters2] Support for backdrop-filter (r175716)
DataRef<T> should use Ref<T> internally. (r157568 partial)
Setting -webkit-filter: in :active selector causes failure to redraw (r154430)

Jul 18, 2017
============
Remove WebKitCSSFilterValue to make Hyatt happy (r208253)
Harden FilterOperation type casting (r166741)
REGRESSION(r161967): Crash in WebCore::CachedSVGDocumentReference::load (r162643)
Remove unnecessary WebkitCSSSVGDocumentValue (r162051)
Make CachedSVGDocument independent of CSS Filters (r161967)
Start refactoring Filter code to reuse CachedSVGDocument for clipPath (r160973)
Crashes due to NULL dereference beneath WebCore::StyleResolver::loadPendingSVGDocuments and related functions (r151875)
Remove the clone() method from FilterOperation (and subclasses). (r124213)

Jul 13, 2017
============
Support CSS filters without webkit prefix (r188647)

Jul 12, 2017
============
Wrong radix used in Unicode Escape in invalid character error message (r219396)
Vector-effect updates require a re-layout (r163618)
ASSERTION FAILED: stroke->opacity != other->stroke->opacity in WebCore::SVGRenderStyle::diff (r153914)
Fix slider thumb event handling to use local, not absolute coordinates (r154832)
input[type=range]: Fix a crash by changing input type in 'input' event handler (r154308)
Dragging to edge should always snap to min/max. (r147070)
Fix some crashes in render sliders (r144790)
Remove hidden limiter div in the input slider shadow DOM (r135913)
REGRESSION(r126132): MediaSlider and MediaVolumeSlider thumbs don't match mouse when dragged (r127553)
Tick marks don't match thumb when applying padding or border to input type=range (r127140)
REGRESSION(r126132): thumb doesn't match click position for rtl input type=range (r126539)
Clicking input type=range with padding or border sets wrong value (r126132)
Make SegmentedVector Noncopyable (r145401 revisited)
Add CString operators for comparison with const char* (r143049)

Jul 11, 2017
============
Change custom getter signature to make the base reference an object pointer (r163496 revisited)
HTMLOptionsCollection's namedItem and name getter should return the first item (r149126)
[JSC] REGRESSION(r135093): A form control with name=length overrides length property on form.elements (r139278 revisited)
Use ownerNode() instead of base() in HTMLCollection (r136850)
Make namedItem return a node list only in HTMLFormControlsCollection and HTMLOptionsCollection (r135093)
[V8][JSC] HTMLOptionsCollection::length needs not to be [Custom] (r134248)
[HarfBuzz][Cairo] harfBuzzGetGlyph is slow and hot (r141908)

Jul 10, 2017
============
[JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator (r219285)
[ES6] Implement tagged templates (r184337)
Lexer::scanRegExp, create 8 bit pattern and flag Identifiers from 16 bit source when possible (r133668)
hitTestResultAtPoint does two hit-tests if called on non main frame (r134253)
\n\r is not the same as \r\n. (r219263)

Jul 07, 2017
============
[Web IDL] Specify default values for optional parameters of type 'float' / 'unrestricted float' (r200058 revisited)
The 2D Canvas functions fillText()/strokeText() should display nothing when maxWidth is less then or equal to zero (r142754)
[SVG] Leak in SVGAnimatedListPropertyTearOff (r219257)

Jul 05, 2017
============
Repaint issue with vertical text in an out of flow container. (r201635 + r201704)
RenderObject::computeRectForRepaint/computeFloatRectForRepaint should return the computed rectangle. (r190685)
Incomplete repaint of input elements in writing-mode overflow (r151761)
Allow painting outside overflow clip in accelerated scrolling layers (r134456)
Refactor paint overflow clipping (r128478)
Setting overflow:hidden does not always repaint clipped content. (r151549 + r151685 + r201407)
SVG foreign objects do not inherit the container coordinates system if they are repainted. (r175847)

Jul 04, 2017
============
ASSERTION FAILED: layoutState->m_renderer == this in WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage (r152768)
Incomplete repaint of input elements in writing-mode overflow (r151761 partial)
Float block's logical top margin is illegal in vertical writing mode. (r139040)
[CSS Regions]Content overflowing last region displayed wrong (r138785)
[CSS Exclusions] ExclusionShape inlines should use isFlippedBlocksWritingMode() (r136647)
Crash due to intruding float not removed after writing mode changed. (r136253)
[CSSRegions]Region overset property is incorectly computed when content has negative letter spacing and is flowed near to the edge of a region (r125610)
[CSSRegions]regionOverset is computed as "overset" even though the region is not the last in the chain (r125600)
DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status (219111)
[ftlopt] GC should notify us if it resets to_this (r170382)
[JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT (r219043)

Jun 30, 2017
============
[GTK] Glyphs in vertical text tests are rotated 90 degrees clockwise (r158848 partial)
Full width semicolon is wrong in vertical text. (r158697)
RegExpCachedResult::setInput should reify left and right contexts (r219001)
Reduce the number of instructions needed to record the last regexp result (r197730)
Array.prototype.join should do overflow checks on string joins. (r206281)
[JSC] Array.prototype.join() fails some conformance tests (r203147 complete)
JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls (r198592 complete)
[ES6] Make Array.prototype.reverse spec compatible. (r198294 revisited)
Optimize Array.join and Array.reverse for high speed array types (r185942 complete + r185943)
Oscillator node should throw exception if type is assigned an invalid value (r125460)
Creating "basic waveform" Oscillator nodes is not efficient (r125122)
Passing invalid values to OfflineAudioContext's constructor should not crash. (r179565)

Jun 29, 2017
============
Calculating postCapacity in unshiftCountSlowCase is wrong (r218977)
RenderWidget::setWidgetGeometry() can end up destroying *this*. (r183788 revisited)
Get rid of ref-counting on RenderWidget. (r155796 revisited)
Background doesn't fully repaint when body has margins. (r153701 revisited)
ASSERTION FAILED: m_repaintRect == renderer()->clippedOverflowRectForRepaint(renderer()->containerForRepaint()) after r135816 (r147759 revisited)
Temporarily disable assertions related to clip rect computation in RenderLayer (r141278)
Optimize layer updates after scrolling (r135746)
Eliminate ancestor tree walk computing outlineBoundsForRepaint() when updating layer positions (r135025)
Don't use temporary clip rects when hit testing (r134737)
Save one call to containerForRepaint() when updating layer positions (r134174)
Fix build warning in RenderLayer.cpp caused by r133628 (r133683)
Fix RenderGeometryMap assertion when layers are scrolled during layout (r133628)
Overflow regions sometimes repaint incorrectly after going into or coming out of compositing mode (r125086)
ASSERT(!m_zOrderListsDirty) when mousing over web view with incremental rendering suppressed (r185858)
Don't say there are dirty overlay scrollbars when they are clipped out (r135064)
Make Document::renderer faster by using the cached ptr for RenderView (r133711)
box-shadow causes overlay scrollbars to be in the wrong position when element is composited (r127943)
REGRESSION (r149928): CanvasStyle::operator= leaks everything (r156099)
Make CanvasStyle a plain object instead of an RefCounted object (r149928)
Make CanvasStyle's CMYKAValues allocated on the heap and move the pointer in the union. (r149710)
We should not ref() the RefPtr twice in CanvasStyle (r149706)
Move CanvasGradient and CanvasPattern in the union of CanvasStyle (r149696)

Jun 28, 2017
============
Don't pass a paintingRoot when painting from RenderLayerBacking (r134642 revisited)
Accumulate sub-pixel offsets through layers and transforms (r125794)
Refactor transform painting/hit testing code in RenderLayer. (r144226)
[Sub-pixel layout] incorrect rendering when painting sub-layers as their own root (r130322)
Fix filter dirty rect regression from r134311 (r134330)
Reduce the crazy number of parameters to RenderLayer painting member functions (r134311)
Remove the use of GraphicsContextStateSaver from RenderLayer::paintLayerByApplyingTransform (r193390)
CheckedArithmetic's operator bool() and operator==() is broken. (r185755 + r185764)

Jun 26, 2017
============
Crash in JSC::Lexer<unsigned char>::setCode (r218819)
Crash running webaudio/panner-loop.html (r192281)
ASSERTION FAILED: !m_renderingAutomaticPullNodes.size() (r146362)
Add rudimentary support for move-only types as values in HashMap (r155621)
HashSet should work with move only types (r155577)
Add move semantics to RefPtr (r149184 + r151670)
WTF::OwnPtr should behave similarly with the rest of WTF smart pointers (r155527)
OwnPtr: Use copy/move-and-swap for assignment operators (r155526)
Weak should have a move constructor and move assignment operator (r156469)
Clang doesn't optimize away undefined OwnPtr copy constructor (r128203)

Jun 23, 2017
============
[Qt] Add support for tiled shadow blur (r145810)
[Qt] Enable tiled shadow blur for inset box shadows (r145366)
[JSC] Use the way number constants are written to help type speculation (r180813 partial revisited)
The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation (r218729)
ValueRep(DoubleRep(@v)) can not simply convert to @v (r218728)

Jun 22, 2017
============
[CSS Exclusions] shape-outside on floats for rectangle shapes height/width (r137930)
Floored and truncated rounded confused. (r125167 partial)
hb_face_t instances should not depend on FontPlatformData (r131432)
Initial advance of text runs should be taken into account (r148956 partial)
[GTK] Bring Harfbuzz-ng support to Gtk (r137146 partial)
Fonts fast code path is used for partial runs with kerning and ligatures, but shouldnt be (r132178)
REGRESSION(130231): Causes 3 complex font test failures on EFL / Harfbuzz+Freetype (r131058 + r131073)
Reversing a GlyphBuffer needlessly queries its size multiple times (r130531)
Clean up makeFontCascadeCacheKey() (r187615 + r190232 + r190242)
Remove support for screen font substitution (r179368 partial)
Remove GlyphPageTree (r177876 partial)
  nonCJKGlyphOrientation matters for glyph selection too and needs to be part of the FontDescription cache key.
Avoid calling AtomicString::lower() in makeFontGlyphsCacheKey (r156139 + r156142)
Share FontGlyphs (r150897 + r150899)

Jun 21, 2017
============
SoftBank Emoji are not transformed by shaping when in a run of their own (r185175 + r185176)
Crash in CGContextShowGlyphsWithAdvances when passing kCGFontIndexInvalid (r182192 + r190891)
[Mac] Some ligatures are applied across different fronts (r148283)
REGRESSION (r131365): WidthIterator::advance() is needlessly passed a GlyphBuffer in many cases (r131410)
WebCore part of <rdar://problem/12470680> Fonts fast code path doesnt support kerning and ligatures (r131365 + r131374 + r131375)
Move more style recalc code to StyleResolveTree.cpp (r153816)
[Vertical Writing Mode] Rename "vertical-right" CSS value to match spec (r191935)
Font description not synchronized correctly on orientation affecting property changes (r138299)
[EFL] Fix build warning in StyleResolver.cpp using gcc 4.7.2 (r136952)

Jun 20, 2017
============
Character orientation should follow UTR50 specs for vertical layout. (r145854)
Some characters are not rotated properly in vertical text (r138986)
Font::glyphDataAndPageForCharacter doesn't account for text orientation when using systemFallback on a cold cache. (r130443 + r130779 + r130803)
Support text-orientation: sideways-right (and sideways when it maps to sideways-right) (r136640)
Remove unused macro HANDLE_INHERIT_AND_INITIAL_WITH_VALUE in StyleResolver.cpp (r134861)
Remove HANDLE_INHERIT_AND_INITIAL_AND_PRIMITIVE macro in StyleResolver. (r131968)
Move handling of CSSPropertyPointerEvents from StyleResolver into StyleBuilder. (r131586)
Move handling of CSSPropertyWebkitLineClamp from StyleResolver into StyleBuilder. (r131677)
Handle CSSPropertyOpacity in StyleBuilder. (r131443)
The parser should allocate all pieces of the AST (r176754)
[Chromium] Improve vertical text rendering of HarfBuzzShaper (Re-land) (r131126)
HarfBuzzShaper::shape() should return false when it adds no glyph to GlyphBuffer (r132051)
[Chromium] Introduce caches for HarfBuzzShaper (r130231)
[Chromium] Improve glyph selection of HarfBuzzShaper (r129175)

Jun 19, 2017
============
[JSC] Use the way number constants are written to help type speculation (r180813 partial, crash in BytecodeGenerator::addConstantValue)
[JSC] Make StringRecursionChecker faster in the simple cases without any recursion (r184447)
ArrayPrototype methods should use JSValue::toLength for non-Arrays. (r218449 partial)

Jun 16, 2017
============
RenderLayer: Check SVG bit instead of element namespace in isTransparent(). (r157360)
Make hoverAncestor() a RenderElement concept. (r156338 partial)
Make RenderObject::parent() return RenderElement (r156151)
Make createRenderer() return RenderElement (r156147)
Rename createRenderObject() to createRenderer(). (r161153 partial)

Jun 15, 2017
============
[Cocoa] Unify FontPlatformData's hashing and equality operators (r211029)

Jun 14, 2017
============
0.0 should really be 0.0 (r189929)
js/regress/is-string-fold-tricky.html and js/regress/is-string-fold.html are crashing (r183650 revisited)
[JSC] Use the way number constants are written to help type speculation (r180813 partial)
Add support for 8 bit TextRuns on Chromium Linux & Mac (r144646)
[harfbuzz] Crash in harfbuzz related code (r143337)
Crash when selecting a HarfBuzz text run with SVG fonts included (r142928)
REGRESSION (r125578): word-wrapping in absolute position with nbsp, word-spacing and custom font (r135884)
[Chromium] Arabic digits should appear left-to-right (r133983)
[Chromium] Unicode combining diacritical aren't always combined on Linux (r133550)
[Chromium] Improve glyph positioning of HarfBuzzShaper (r129074)
[Chromium] HarfBuzzShaper should take into account combining characters (r129050)
[Chromium] Don't treat tab as spaces for word-end in HarfBuzzShaper (r128965)
REGRESSION (r125578): The monospace code path in RenderText::widthFromCache disagrees with Font::width on word spacing (r128693)
REGRESSION (r125578): Word spacing not applied to newline and tab characters that are treated as spaces (r128692)
REGRESSION(r125578): fast/regex/unicodeCaseInsensitive.html crash on Linux Debug Chromium (r126310)
CSS 2.1 failure: Word-spacing affects each space and non-breaking space (r125578)
[chromium] Enable kerning on Android (r125189)
[Cairo] Add complex font drawing using HarfbuzzNG (r124454)
Avoid Assertion Failure in HarfBuzzRun::characterIndexForXPosition (r124111)
[Chromium] HarfBuzzShaper can't handle segmented text run (r123991)
[Cairo] Add complex font drawing using HarfbuzzNG (r123864)

Jun 13, 2017
============
ASSERT_NOT_REACHED() is touched in WebCore::minimumValueForLength (r205056)
Simplify and inline minimumValueForLength() (r201401)
Subpixel rendering: Pixel crack in breadcrumbs at devforums.apple.com. (r170646)
REGRESSION (r167937): Do not use effective zoom factor while resolving media query's min-, max-(device)width/height values. (r169779)
vw/vh units used as font/line-height values don't scale with the viewport (r169407)
[iOS][WK2] Add support for minimal-ui viewports (r169245 partial)
Add valueForLength/minimumValueForLength wrappers to RenderElement. (r156166)
Bad cast in RenderBlock::splitBlocks. (r142922)
ASSERTION FAILED: !object || object->isBox(), UNKNOWN in WebCore::RenderListItem::positionListMarker (r142657)
Heap-buffer-overflow in WebCore::RenderBlock::clone. (r138988)
We incorrectly allow escaped characters in keyword tokens (r218111)
Arrow functions with concise bodies cannot return regular expressions (r207798)
[JSC] Fix the Template Raw Value of \ (escape) + LineTerminatorSequence (r203028)
fix "ASSERTION FAILED: currentOffset() >= currentLineStartOffset()" (r202768)
Drop the escaped reserved words as identifiers compatibility measure (r185414 + r185419 rolled out + r185437)
ES6: Add binary and octal literal support (r181497)
JSC Lexer is allowing octals 08 and 09 in strict mode functions (r172380)
Fix error messages for incorrect hex literals (r170079)
REGRESSION (r158586): callToJavaScript needs to save return PC to Sentinel frame (r159346 partial revisited)

Jun 09, 2017
============
TypeOf should be fast (r183724 complete)

Jun 08, 2017
============
ValueAdd should be constant folded if the operands are constant String,Primitive or Primitive,String (r207060 partial)
  Enable number optimization.
  
Jun 07, 2017
============
Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH. (r217869 partial)
ValueAdd should be constant folded if the operands are constant String,Primitive or Primitive,String (r207060 partial)
  Disable number optimization.

Jun 06, 2017
============
Scrollbar style resolution arguments should not passed via statics. (r143848)
Create WebCore/style and move StyleResolveTree there (r153785)
Move style recalculation out from Element (r153783)
Strengthen typing of detaching an Element from Document's :active chain. (r150744)

Jun 02, 2017
============
:hover style not applied on hover if its display property is different from original style's (r151282)

Jun 01, 2017
============
-webkit-margin-collapse: separate doesn't work correctly for before margins (r143617)
Changing position:relative to position:static results in mis-positioned div (r135670)

May 31, 2017
============
ASSERT repaintContainer->hasLayer() in WebCore::RenderObject::repaintUsingContainer (r179776 revisited)
Absolute position div without width specified does not reflow its text when it is moved (and computed width changes) (r146308)
<button> ignores margin-bottom. (r149407)
RelevantRepaintedObjects heuristic should ensure there is some coverage in the bottom half of the relevant view rect (r144395)
Border changes on tables with collapsed borders doesn't relayout table cells (r143377)
DidHitRelevantRepaintedObjectsAreaThreshold should not use the viewRect since that varies (r137959)
DidHitRelevantRepaintedObjectsAreaThreshold LayoutMilestone fires too early on some pages with iframes (r137224)
margin-top/bottom has no effect for child nodes of flex items (r132164)

May 30, 2017
============
Refactoring: Replace Element::disabled and isEnabledFormControl with isDisabledFormControl (r147135)
Rename HTMLFormControlElement::readOnly to isReadOnly (r146977)
Disabled file input box stops a certain other div from being rendered (r136915)

May 29, 2017
============
Refactoring: Pull Node::disabled() and Node::isInert() down to Element. (r146744)
Implement inert subtrees needed for modal <dialog> (r145340)
formenctype to have empty string as default value. (r141947)
formMethod to have empty string as default value and 'get' as invalid. (r141405)
Element::areAuthorShadowsAllowed should be private (r141277)
Remove all ShadowRoots during ElementShadow destruction (r141162)
Move ElementShadow creation to ElementRareData (r141132)
Clean up interface to ElementShadow (r141083)
Move hasAuthorShadowRoot to Element (r141005)
Node::containingShadowRoot should be constant time (r139273)

May 28, 2017
============
GTK+ and Qt build fix after r139833. (r139838 revisited)
NodeRareData doesn't need to have a vtable pointer (r139833 revisited)

May 26, 2017
============
Automatically handle suspend and resume of post attach callbacks (r136574)
Text nodes in shadow roots don't inherit style properly (r137418 revisited)
Replace NodeRareData hash map with a union on m_renderer (r133372 revisited)
Remove setRenderStyle in favor of callbacks on HTMLOptionElement and HTMLOptGroupElement (r132684)

May 25, 2017
============
Avoid computing style twice when element has no existing style (r148970)
Abspos Inline block not positioned correctly in text-aligned container (r140570)
Assertion parent->inDocument() failed in WebCore::PseudoElement::PseudoElement (r140452)
[FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage (r217202)
CSS Unit vmax and vmin in border-width not handled. (r156091)
CSS Unit vw in border-width maps to 0px. (r155624)
Implement 'vmax' from CSS3 values and units (r142021)
column-count: 0 should not prevent margin-collapse through (r130997)
Remove "orphaned units" quirk (r130668)

May 24, 2017
============
REGRESSION (r121599): incorrect border scaling when zoomed (r139798)
REGRESSION (r167937): Do not use effective zoom factor while resolving media query's min-, max-(device)width/height values. (r169779 partial)
CSS3 calc: expressions with 'em' units do not zoom correctly. (r127557)
CFGSimplificationPhase should not merge a block with itself (r217287)
Remove HTMLContentElement (r156381)
Remove stub HTMLContentElement (r150483)
Remove ContentDistribution (r150464)
Simplify Shadow DOM distribution code (r150430)
Remove unneeded counters from ScopeContentDistribution. (r150010)
Remove SelectRuleFeatureSet (r149708 revisited)
Remove more code that was only needed for younger/older shadow trees (r149628)
Remove concept of younger and older shadow trees (r149549)
Remove HTMLShadowElement (r149525)
Shadow DOM removal: Get rid of ContentSelectorQuery (r149507)
Remove TextFieldDecoration feature (r149015)
remoeveAllEventListeners() should be called to shadow trees (r146882)
Remove willAddAuthorShadowRoot and replace with alwaysCreateUserAgentShadowRoot (r141292)
Move ShadowRoot creation into ElementShadow (r141218)
Refactor ShadowRoot exception handling (r141175)
Distribution state becomes inconsistent with content/shadow reprojection (r140299)
[Shadow DOM] Refactoring: InsertionPoint could simplify its subclass hooks (r139400)
[Shadow DOM] Distribution related code on ElementShadow should be minimized. (r139269)
[Shadow DOM]: crash in WebCore::ElementShadow::setValidityUndetermined (r138923)
[Shadow] HTMLContentElement::getDistributedNodes() doesn't work correctly if not in document tree. (r137552)
[Shadow DOM] Implement HTMLShadowElement::olderShadowRoot (r137429)
Content element does not expose distributedNodes property. (r131701)
Needs internal API to return distributed nodes for InsertionPoint (r130926)
A shadow element in ShadowDOM of a button element does not work. (r126248)

May 23, 2017
============
We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter (r217200)
[JSC] Make get_by_val & string "499" to number 499 (r217199 partial)

May 19, 2017
============
[Shadow DOM] Distribution related code on ShadowRoot should be minimized. (r139128)
[Bindings] Simplify [RequiresExistingAtomicString] IDL extended attribute handling (r200562 partial)

May 17, 2017
============
[DFG] Constant Folding Phase should convert MakeRope("", String) => Identity(String) (r216948)

May 16, 2017
============
HTMLMediaElement: WebKitMediaKeys member name should be prefixed (r212289)
Improve URL length handling (r208861)
Ensure sufficient buffer for worst-case URL encoding (r208765)
strncpy may leave unterminated string in WebCore::URL::init (r208753)
URLs containing tabs or newlines are parsed incorrectly (r201740)
fast/loader/opaque-base-url.html crashing during mac and ios debug tests (r199199 + r199202)
URLs that start with http:/// and https:/// lose two slashes when parsed, causing assertion failure and inconsistent behavior (r174712)
<input type="search"> doesn't correctly handle the "size" attribute (r153647)
KURL creates duplicate strings when completing data: URIs. (r152951)

May 15, 2017
============
Move "using software CSS filters" optimization flag to RenderView. (r155301)
Remove [NoInterfaceObject] from TreeWalker (r151200)
Remove [NoInterfaceObject] from XPathExpression and NodeIterator (r151182)
Remove [NoInterfaceObject] from FileReaderSync and WorkerLocation (r150586 + r150590)
Remove [NoInterfaceObject] from several WebAudio IDL interfaces (r149920)
JSObject for ChannelSplitterNode and ChannelMergerNode are not created. (r142848)
Incorrect color space conversion for FEImage (r138250)
feImage should not be allowed to self reference (r132856)
An feImage that tries to render itself should be stopped (r131488)
Rename some AudioNodes (r131486)
WebKit+SVG does not support color-interpolation-filters or draw filters in correct colorspace (r125462)

May 12, 2017
============
Upgrade ES6 Iterator interfaces (r181077 partial)
[MSE] Implement Append Window support. (r178172 partial)
[MSE] Add support for SourceBuffer.mode. (r177225 partial)

May 11, 2017
============
[media-source] Support MediaSource.setLiveSeekableRanges() (r206146)
DFG should know how to speculate StringOrOther (r197649)
DFG+FTL should generate efficient code for branching on a string's boolean value. (r183495)
[Fetch API] Add support for iterating over Headers (r196128 partial)
Upgrade ES6 Iterator interfaces (r181077 partial)

May 10, 2017
============
[EME] Implement MediaKeySession::load() (r212110)
[EME] Implement MediaKeySession::sessionClosed() (r212109)
[EME] Implement MediaKeySession::updateKeyStatuses(), MediaKeyStatusMap (r212107)
Binding generator should make mutable CachedAttribute member fields (r190398)

May 09, 2017
============
[EME] MediaKeys::setServerCertificate() must resolve with 'false' when certificates aren't supported (r212356)
[EME] Implement MediaKeySession::remove() (r211857)
[EME] Implement MediaKeySession::close() (r211856)
[EME] Alias CDMInstance enums to the specification-defined enums (r211855)
putDirectIndex does not properly do defineOwnProperty (r216279 partial)
defineProperty on a index of a TypedArray should throw if configurable (r203096)

May 08, 2017
============
[EME] Implement MediaKeySession::update() (r211550)
Don't setOutOfBounds in JIT code for PutByVal, since the C++ slow path already does it (r190682)
[EME] InitDataRegistry should use base64url encoding and decoding for keyids (r211429)
MediaKeySession: use existing 'message' event name (r210798)
Add support for MediaKeys.generateRequest(). (r210555)

May 05, 2017
============
Add support for MediaKeys.createSession(). (r210552)
Add support for MediaKeys.setServerCertificate() (r210549)
Add support for MediaKeySystemAccess.createMediaKeys() (r210445)
Sync DOM exception types with WebIDL and update promise rejections (r201080)
Modern IDB: storage/indexeddb/exceptions.html fails. (r193428 partial)
[Streams API] Remove ReadableStreamController.enqueue() custom binding (r186231 partial)
Remove historical enums from ExceptionCode.h (r135277)
stress/call-apply-exponential-bytecode-size.js.no-llint failing on 32-bit debug for OOM on executable memory (r216180)

May 04, 2017
============
Different behaviour with the .sort(callback) method (unlike Firefox & Chrome) (r216137)
Handle non-function, non-undefined comparator in Array.prototype.sort (r207235)
Make builtin TypeErrors consistent (r203393 partial)
REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower (r185067)
REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower (r184926)
REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower (r184917)
Add implementation for navigator.requestMediaKeySystemAccess() (r209964 complete)
Allow session storage for third-party origins even if third-party data access is blocked. (r150490)
Change approach to third-party blocking for LocalStorage (r149326)
Allow blocking of IndexedDB in third-party contexts (r141418)
IDBFactory::webkitGetDatabaseNames should raise DOMExceptions. (r141090)
Extend third-party storage blocking API to optionally allow blocking all storage (r127956)
Allow blocking of Web SQL databases in third-party web workers (r126365)
Allow blocking of Web SQL databases in third-party documents (r125736)
Allow blocking of third-party localStorage and sessionStorage (r125335)
Add API for enabling blanket third-party data blocking (r124647)

May 03, 2017
============
Add implementation for navigator.requestMediaKeySystemAccess() (r209964 partial)
[Web IDL] Add support for having string enumerations in their own IDL file (r207937 partial)

May 02, 2017
============
Remove an overloaded strokeRect in <canvas> (r150137)
[Web IDL] Add support for [TreatNullAs=EmptyString] and use it (r197353)
Add username / password attributes to HTMLAnchorElement / HTMLAreaElement (r196890)
CharacterData::setData doesn't need ExceptionCode as an out argument (r195264)
URL::setUser and URL::setPass don't percent encode (r179933)
Attribute text in HTMLAnchorElement should behave as per specification. (r176213)
Adopt URLUtils interface and template in HTMLAnchorElement and HTMLAreaElement (r163699 + r163309)
Implement (most of) URL API (r163299)
[DOM4] Have ProcessingInstruction inherit CharacterData (r155340)
Factor URL decomposition methods (from URLUtils interface) into a base template (r123653)
Make atob() / btoa() argument non optional (r152859)
Web Inspector: Console: "time" and "timeEnd" should have same number of required arguments (r133881)
Add replaceWithLiteral() method to WTF::String (r133731)
HTMLBaseElement href attribute binding returns wrong URL (r132071)
[Web IDL] Specify default values for optional parameters of type 'float' / 'unrestricted float' (r200058 partial)
[Web IDL] Specify default values for parameters of type 'unsigned short' (r200037)
Autogenerated IDBFactory.open() does the wrong thing if you pass an explicit 'undefined' as the second argument (r199970)
[WebIDL] Drop [Default] WebKit-IDL extended attribute (r199969 partial)
[Web IDL] Mark DOMString parameters as nullable when they should be (r197156)
Drop [TreatReturnedNullStringAs=Undefined] WebKit-specific IDL attribute (r197139)
Drop [TreatReturnedNullStringAs=Null] WebKit-specific IDL attribute (r197060)
HTMLScriptElement.crossOrigin / HTMLImageElement.crossOrigin should only return known values (r196894)
Use Optional instead of isNull out argument for nullable getters (r192839)
[WebIDL] Specify default parameter values where it is useful (r190021)
Drop non-standard [IsIndex] WebKit IDL extended attribute (r189770)
CharacterData API parameters should not be optional (r189676)
Range API should throw a TypeError for null Node parameters (r189240)
Range.compareBoundaryPoints() should throw a NotSupportedError for invalid compareHow values (r189062)
NodeList should not have a named getter (r188829)
constants are always typed to 'int' (r166413 revisited)
Don't synchronize attributes in reflect setters when we don't need to (r165046)
Range should be constructable. (r162601)
[Replaceable] attributes must be readonly (r149660)
Stop using "in" keyword in IDL files (r149368 partial)
[V8] HTMLDocument.all should have [Replaceable] (r144591)
Rename NATIVE_TYPE_ERR to TypeError (r134646)
Replaceable attributes should also have readonly (r132667)

Apr 27, 2017
============
Canvas fillText and measureText handle ideographic spaces differently (r155596)
[EME] Add no-op Web-facing APIs (r208539 partial)
[CodeGeneratorJS] Support enums for standalone dictionaries (r207768)
Update MessageEvent to stop using legacy [ConstructorTemplate=Event] (r207016 partial)
Change Notification constructor to take an IDL dictionary instead of a WebCore::Dictionary (r200607 partial)
Correct dictionary bindings handling of optional, null, and undefined (r200555)
[WebIDL] Drop [Default] WebKit-IDL extended attribute (r199969 partial)
Fix LayoutTests/canvas/philip/tests/2d.text.draw.space.collapse.nonspace.html (r125575)

Apr 25, 2017
============
Array.prototype.slice() should ensure that end >= begin. (r215768)
[Web IDL] Generated bindings include the wrong header when ImplementedAs is used on a dictionary (r207243)
Add support for ClipboardEvent (r206963 complete)
[Web IDL] Add support for dictionary members of dictionary types (r204589)
[Web IDL] We should resolve typedefs for dictionary members (r204273)
Add support for wrapper types in dictionaries (r204143)
Drop Dictionary from CanUseWTFOptionalForParameter() (r200099)
Fix CodeGenerator.pm to only write files if the generated content has changed (r167384 + r167474)
StrictTypeChecking extended attribute fails for methods with sequence<T> (r156157)
CodeGeneratorJS doesn't generate header includes for sequence<type> (r155718)
Clean up AddIncludesForType in JSC bindings generators (r151283)
Implement support for nullable types in the bindings generator (r145907)
Remove CodeGenerator::StripModule (r134849)

Apr 24, 2017
============
[WebIDL] Add support for having dictionaries in their own IDL file (r206877 partial)
[Bindings] Declare dictionary / enumeration template specializations in the header (r206812 partial)
Add the ability to override the implementation name of IDL enums and dictionaries (r204978)
cache parsed interfaces in CodeGenerator.pm (r147037)
[Bindings] Simplify [RequiresExistingAtomicString] IDL extended attribute handling (r200562)
Drop some unnecessary exception checking in the generated bindings (r200374)
Follow-up fix for: JavaScript bindings are unnecessarily checking for impossible empty JSValue arguments (r185377 revisited)
JavaScript bindings are unnecessarily checking for impossible empty JSValue arguments (r185373)
Use Vector instead of custom linked list for font families (r150716)
Move font-family applying code to StyleBuilder (r146014)
CanvasRenderingContext2D::setFont() is slow. (r137630)
Incorrect value of CSSStyleDeclaration#length when a shorthand property is inherit or initial (r135848 revisited)
Font value should be parsed as a individual property (r128076)
style->fontMetrics() should be available when setting line-height (r126959)
Relative units are not set when the canvas has not parent (r125663)
CanvasRenderContext2D::font() does not re-serialize the font (r125450)
CanvasRenderContext2D::setFont() should ignore inherited properties and default keyword value (r125118)

Apr 21, 2017
============
[Web IDL] Add support for dictionary inheritance (r206776)
Bindings do not throw a TypeError if a required dictionary member is missing (r206766 partial)
Add support for dictionary members of non nullable wrapper types (r204497)
Implement EventListenerOptions argument to addEventListener (r201757 partial)
[WebIDL] Add support for dictionary members of integer types (r200920)
[Bindings] Add convert<>() template specializations for integer types (r200556)
Streamline and remove unused bindings generation code (r200299 partial)
Next step on dictionary bindings, along with other bindings refinements (r200547 partial)
Clean up converting from JSValue to float / double in the bindings generator (r200528)
Enhance IDL compiler so it supports unrestricted float and double (r168302)
Look into possibilities of typedef in webkit idl files (r142865 revisited)
[JSC][FTL] FTL should support Arrayify (r215600 partial)
Start on dictionary support for IDL, getting enough to work for one dictionary (r200448 partial)
[WebIDL] Add support for default parameter values (r189957)
Follow-up fix for: JavaScript bindings are unnecessarily checking for impossible empty JSValue arguments (r185377)
Replace "Optional" extended attribute by proper Web IDL "optional" keyword (r149356)

Apr 20, 2017
============
Increase large animation cutoff (r215557 partial)
Add support for delete by value to the DFG (r200459 revisited)
[DFG] Convert ValueAdd(Int32, String) => MakeRope(ToString(Int32), String) (r215472)
[JSC] PredictionPropagation should not be in the top 5 heaviest phases (r199933)
Use the JITAddGenerator snippet in the DFG. (r192531 partial)

Apr 19, 2017
============
[Streams API] streams should not directly use Number and related methods (r192874 partial)
Math.{max, min}() must not return after first NaN value (r164819)
Follow up to debug build stack overflow in test after r215453 (r215474)

Apr 18, 2017
============
Crash when font completes downloading after calling 2D canvas setText() multiple times (r189421)
Function.prototype.apply has a bad time with the spread operator (r164738)
BytecodeGenerator ".call" and ".apply" is exponential in nesting depth (r215453 partial)
Array.concat should be fast for integer or double arrays (r186358 + r186363)
Force debug builds to do bounds checks on contiguous property storage (r141154)

Apr 17, 2017
============
Start on dictionary support for IDL, getting enough to work for one dictionary (r200448 partial)
test262: test262/test/built-ins/Object/prototype/toLocaleString/primitive_this_value.js (r215405)
Settings a reflected DOMString attribute to null should set it to the "null" string rather than the empty string (r195700)
EnforceRange doesn't enforce range of a short (r158521)
Cleanup MediaQueryListListener (r154035)
Support byte and octet types in bindings generators (r151563)
Get rid of [Callback] IDL extended attribute for parameters (r149257)
javascriptcore bindings do not check exception after calling valueToStringWithNullCheck (r147038)
[JSC] Implement EnforceRange IDL attribute for integer conversions (r146430)
[JSC] MAYBE_MISSING_PARAMETER(..., DefaultIsNullString) macro is redundant (r143304)
Add 'any' type to V8 bindings as a synonym for DOMObject (r128248)
ParseInt intrinsic in DFG backend doesn't properly flush its operands (r215387)
Intrinsicify parseInt (r212939)
Get rid of SVGPoint special case from the bindings generator (r152780)

Apr 13, 2017
============
SVG pattern data deleted while in use (r136250)
Horizontal and vertical lines are clipped completely if clip-path is included in the tag but the referenced element is defined later. (r180643)
Stop using deleteAllValues in SVG code (r155547)
[SVG] Cached filter results are not invalidated on repaint rect change (r142955)
Incorrect pattern scaling (r131974)
SVG Pattern pixelated on inline SVG with CSS transforms (r145541)

Apr 11, 2017
============
[Refactoring] Remove WebCore::isInsertionPoint(Node*) (r135251)
[Refactoring] Use isActiveInsertionPoint() instead of isInsertionPoint() (r132791)

Apr 10, 2017
============
[Fetch API] Headers should be combine with ',' and not ', ' (r206014 partial)

Apr 09, 2017
============
[HTMLTemplateElement] prevent the parser from removing nodes from the content when the foster agency is processing formatting elements (r141327)
parserAppendChild and parserInsertBefore should ensure that child nodes are in the same document (r141198)
REGRESSION(r140101): caused debug asserts in fast/forms/associated-element-crash.html and html5lib/run-template.html (r140537)
Ensure the parser adopts foster-parented children into the document of their parent. (r140101)
Properly process <template> end tags when in TemplateContentsMode (r138315)
[HTMLTemplateElement] Prevent first-level recursive <template> from resetting the implied context (r138059)
DOMImplementation.createDocument should call appendChild rather than parserAppendChild to add docType and documentElement (r136717)
HTML parser fails to propertly close 4 identical nested formatting elements (r128373)

Apr 07, 2017
============
Crash in flexbox when removing absolutely positioned children (r134683)
The parser doesn't properly protect against global variable references in builtins (r196525 partial)
Start on dictionary support for IDL, getting enough to work for one dictionary (r200448 partial)
Move IDL extended attributes to their correct location (r151714)

Apr 06, 2017
============
Eagerly reify DOM prototype attributes (r169703 revisited)
Indexed getters should return values directly on the PropertySlot. (r169668 revisited)
Make DOM properties exposed as instance properties use the base object instead of |this| (r169433)
JSDOMWindow should not claim HasImpureGetOwnPropertySlot (r168914 revisited)
Make some bindings improvements, with smaller code size for error message generation (r166864 partial)
Push DOM attributes into the prototype chain (r163562 revisitied)
Remove "numeric index getter" stuff from bindings code generator. (r167175)
Simplify bindings codegen for adding getOwnPropertySlot overrides (r160786 revisited)
Support latest Web IDL indexed property getters (r151499)
Support latest Web IDL named property getters (r151434)
Add initial support for [Unforgeable] IDL extended attribute (r189873)
JSC bindings generator should generate deletable JSC functions (r159100)
Remove the OperationsNotDeletable attribute from most of the WebIDL interfaces (r159061 partial)
[CSS Regions] Elements in a region should be assignable to a named flow (r147756 + r147983)

Apr 05, 2017
============
Move attributes to the instance for most interfaces that have "Error" in their name (r197874)
Added ClientRect as an interface that requires attributes on instance for compatibility. (r179406)
replaceable own properties seem to ignore replacement after property caching (r201428)
XHR should keep attributes on instance (r170534)
Navigator object needs to have properties directly on the instance object (r169260)
Can't make a booking at virginamerica.com (r168385)
Push DOM attributes into the prototype chain (r163562)
Simplify bindings codegen for adding getOwnPropertySlot overrides (r160786)
Get rid of IsWorkerGlobalScope and ExtendsDOMGlobalObject extended attributes (r152168 partial)
[JSC] REGRESSION(r135093): A form control with name=length overrides length property on form.elements (r139278)
DOM bindings should not be using a reference type to point to a temporary object (r183648)
window.history / window.navigator should not be replaceable (r196797)
Rename BarInfo to BarProp and remove [NoInterfaceObject] (r150045)

Apr 04, 2017
============
Ensure that all the smart pointer types in WTF clear their pointer before deref (r184316 partial)
Fix small leak in Collator (r179245)
Null pointer crash in String::append(UChar). (r166414)
Remove String::deprecatedCharacters (r166120 partial)
Avoid code duplication inside String::append() (r152289)
Remove 2 bad branches from StringHash::equal() and CaseFoldingHash::equal() (r146702 partial)

Apr 03, 2017
============
Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add(). (r214837 partial)
REGRESSION (r189567): Elements with aspect ratios not handled correctly inside flexbox. (201516)
REGRESSION (r189567): The top of Facebook's messenger.com looks visually broken (r199895 partial)
ASSERTION FAILED: computeMainAxisExtentForChild(child, MainOrPreferredSize, mainSize) in WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax (r191336)
min-width/height should default to auto for flexbox items (r189536 + r189541 rolled out + r189567 partial)
Use Optionals in RenderBox height computations (r188873 partial)
Rename Length::isPercent() and Length::isPercentNotCalculated(). (r184055 partial)
Flexitems no longer default min-width to min-content (r147261)
Object with numerical keys with gaps gets filled by NaN values (r214714)
[ES6] Object type restrictions on a first parameter of several Object.* functions are relaxed (r182189)
DFG can call PutByValDirect for generic arrays (r178370 partial)
Holes are not copied properly when Arrays change shape to ArrayStorage type. (r175249 + r175258 + r175249 + r175258)
Simplified some JSObject methods for converting arrays to ArrayStorage shape. (r175240)

Mar 31, 2017
============
First step in using "enum class" instead of "String" for enumerations in DOM (r200288)
IDL parser should remove a leading "_" from identifier names (r156808)
do not use string reference for enum support in CodeGeneratorJS.pm (r146292)
Add IDL 'enum' support to CodeGeneratorJS.pm (r146161)
Drop width / height shorthands code from StylePropertyShorthand. (r178746)
Use inline capacity for StylePropertyShorthand Vectors. (r201559 revisited)
matchingShorthandsForLonghand builds map using a giant function (r155352)
Unprefix the flexbox CSS properties (r173579 partial)
Unprefix the flexbox CSS properties (r173572)
Remove the (dead) code for handling shorthands in StyleResolver / StyleBuilder (r144912)
String.prototype.replace incorrectly applies "special replacement parameters" when passed a function (r214662)

Mar 30, 2017
============
REGRESSION (r147261): Audio controls background not displayed after loading audio file (r149237)
Improve DeferredWrapper code (r206252 partial)
max-height property not respected in case of tables (r135891)
Specified width CSS tables should not include border and padding as part of that width. (r134265)
Remove stretchesToMinIntrinsicLogicalWidth (r143479)
Adapt inline SVG sizing behavior to Firefox and Blink (r168350 revisited)
Positioned, replaced elements with intrinsic width keywords compute the wrong width (r143539 revisited)
Intrinsic and preferred widths on replaced elements are wrong in many cases (r142931 revisited)
Remove unnecessary setNeedsLayoutAndPrefWidthsRecalc from RenderTable (r139680)
table not aligned in center column and seems shrunk because of float:right (table-layout: fixed and width: 100%) (r134017)
Table layout does not need to explicitly call computePreferredLogicalWidths (r140047)
RenderListItem does not need to override computePreferredLogicalWidth (r139693)
Recalculate borders at the beginning of table layout (r145104)
ASSERTION FAILED: i < size(), UNKNOWN in WebCore::RenderTableSection::layout (r144837)
Increase the max preferred width of tables to 1000000 (r143801)
Negative text indents can break RenderBlock's inline maximum preferred width calculation (r142042)
Accumulating LayoutUnits with floats for determining block preferred width can lead to wrapping (r125591 + r125632)
REGRESSION (r146272): layout issues for flex boxes that have -webkit-flex-wrap: wrap (r146684 revisited)
Make intrinsic size keywords on flexboxes work (r146272)
Intrinsic width keyword values don't work for tables (r145424)
Inline min/maxInstrinsicLogicalWidth functions (r144816 revisited)
Add computeInstrinsicLogicalWidths functions to TableLayout subclasses (r143762)
Clean up computePreferredLogicalWidths functions in TableLayout subclasses (r143683)

Mar 29, 2017
============
Switching between two SVG images with no intrinsic sizes causes them to get the default SVG size instead of the container size. (r181720 revisited)
Twitter avatar moves when hovering/unhovering the "follow" button. (r176619)
REGRESSION: united.com has overlapping elements and is broken by flex box changes. (r150087)
Text flow broken in elements with vertical align top/bottom and inline elements taller than line-height (r149929 + r149930)
Float at exact multiple of line-height affects too many lines (r148523)
Auto height column flexboxes with border and padding are too short (r145937)
incorrect flexbox relayout with overflow, padding and absolute positioning (r138770 revisited)
Use always the order iterator from data member in RenderFlexibleBox (r136938)
Reduce the children repaints when moved multiple times during the layout (r136656)
While absolute positioning is put before the first flexitem, flexitems will move to a new line. (r133906)
Crash due to column span under button element (r133717)
Setting width of a flexitem causes the adjacent flex item to be displayed poorly. (r132395)
Implement absolutely positioned flex items (r129154)
Refactor duplicate code into RenderFlexibleBox::mainAxisContentExtent (r128494)
flex item sized incorrectly in a column flexbox with height set via top/bottom (r128383)
logicalLeftSelectionGap and logicalRightSelectionGap call availableLogicalWidth() multiple times (r149007 + r149009 + r149065 revisited)
Make loops in RenderObject::containingBlock homogeneous in their forms to simplify (r148759 + r148777 revisited)
Selection code spends a lot of time in InlineTextBox::localSelectionRect (r147008 revisited)
Make intrinsic size keywords on flexboxes work (r146272 revisited)
REGRESSION: WebKit does not render selection in non-first ruby text nodes. (r140613)
Nested fixed position element not staying with parent (r140024 + r140208 + r149640 revisited)
REGRESSION(r111439): Focus ring is rendered incorrectly in fast/inline/continuation-outlines-with-layers.html (r139223)
Unreviewed, rolling out r137632. (r138974)
REGRESSION(r136947): Made two tests fail on all platforms (Requested by tonikitoo-ll on #webkit). (r136954)
Regression r130057: Improper preferred width calculation when an inline replaced object, wrapped in an inline flow, follows some text. (r133292 revisited)
Regression r130057: incorrect block pref width for alternating InlineFlow and inline Replaced (r131359 revisited)
Deprecated flexboxes subtract scrollbar width/height twice (r130549)
RenderBlock incorrectly calculates pref width when a replaced object follows a RenderInline with width (r130057 revisited)
REGRESSION: hit test doesn't take iframe scroll position into account (r128462 revisited)
REGRESSION(r122501): replaced elements with percent width are wrongly size when inserted inside an auto-table layout (r128389 revisited)
Make RenderBox::computeLogicalWidthInRegion const (r127914 revisited)
Make computePositionedLogicalWidth and computePositionedLogicalWidthReplaced const (r127812 revisited)
Add a const version of RenderBox::computeLogicalHeight (r127549 revisited)
REGRESSION(r120832): RenderLayer::clampScrollOffset doesn't properly clamp (r127520 revisited)
Allow child-frame content in hit-tests. (r127457 revisited)
Make computeBlockDirectionMargins const (r127346 revisited)
Make RenderBox::computeInlineDirectionMargins const (r127157 revisited)
REGRESSION (r94492): Unstable layout of static block inside text-align: center div (r126911 revisited)
Make RenderBox::computePositionedLogicalHeight const (r126802 revisited)
Regression(r118248): Replaced element not layout (r125810 revisited)
REGRESSION (r109851): Video controls do not render (r125597)
REGRESSION(r117339): cell in block-level table in inline-block are aligned with their last line box (r125229 revisited)
REGRESSION (r123171): <svg> element with intrinsic size and max-width gets sized incorrectly (r125050 revisited)
Custom promise-returning functions should not throw if callee has not the expected type (r206011)
JS Built-ins should throw this-error messages consistently with binding generated code (r203766 partial)
Rename [GlobalContext] extended attribute to [Exposed] and align with WebIDL (r199587)
[JSC] Introduce @isObject bytecode intrinsic and use it instead of JS implemented one (r196276)
[ES6] Implement the latest Promise spec in JS (r186298)
Array.prototype methods must use ToLength (r184582 partial)
[ES6] Implement String.raw (r184287)
Add backed intrinsics to private functions exposed with private symbols in global object (r183785)
Introduce bytecode intrinsics (r182997)
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 partial)
Upgrade ES6 Iterator interfaces (r181077 partial)
Promise: Drop Promise.cast (r173681)

Mar 28, 2017
============
Rework FontFace promise attribute handling (r200546 partial)
ASSERTION FAILED: promise.inherits(JSPromise::info()) (r205729)
Avoid using strong reference in JSDOMPromises DeferredWrapper (r205257 partial)
Properly generate static functions that return Promises (r199012)
Promise-returning functions should reject promises if the callee is not of the expected type (r186312)
[Streams API] Remove ReadableStream and Reader cancel() custom binding (r186257 partial)
Improve JSDOMPromise callPromiseFunction naming (r185919)
Bindings generator should generate code to catch exception and reject promises for Promise-based APIs (r185739)
Bindings generator should generate code for Promise-based APIs (r185493)
JS binding generator should create a member variable for each Promise attribute of an interface (r184643 + r188334)
Notify Settings object when its Page object goes away. (r175347)

Mar 27, 2017
============
Refactor AudioContext implementation to enable automatic binding generation of promise-based methods (r185407 partial)
[EME] Add no-op Web-facing APIs (r208539 partial)
DeferredWrapper should clear its JS strong references once its promise is resolved/rejected (r185404 revisited)
AudioContext resume/close/suspend should reject promises with a DOM exception in lieu of throwing exceptions (r184651 partial)
AudioContext should resolve promises with jsUndefined() and not jsNull() (r184588)
[Streams API] ReadableStream constructor start function should be able to error the stream (r183991 partial)
[Streams API] ReadableStream constructor start function should be able to close the stream (r183395 partial)
[iOS] When Web Audio is interrupted by a phone call, it cannot be restarted. (r182141 partial)
[Streams API] Reading ReadableStream ready and closed attributes should not always create a new promise (r180559)
Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it. (r214374 partial)

Mar 24, 2017
============
[WebIDL] Support BufferSource (r207462)
Streamline and remove unused bindings generation code (r200299 partial)
Document should always have a Settings. (r211964)
Simplify some Settings access where we have a Frame in reach. (r154531)
Update WebKitMediaKeyMessageEvent / WebKitMediaKeyNeededEvent to stop using legacy [ConstructorTemplate=Event] (r207277 partial)
Array.prototype.splice behaves incorrectly when the VM is "having a bad time". (r214334)
[JSC] Use jsNontrivialString for Number toString operations (r214272)
Add support for ClipboardEvent (r206963 partial)

Mar 23, 2017
============
ENABLE_LEGACY_ENCRYPTED_MEDIA interfaces should have a hard-coded WebKit prefix (r206983 partial)
Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily. (r181297 revisited)
IndexedDB should use mostly ScriptWrappable DOM objects (r134040)

Mar 22, 2017
============
JITThunks keeps finalized Weaks around, pinning WeakBlocks. (r181250)
Extend create_hash_table to specify Intrinsic (r211306)

Mar 21, 2017
============
min-width/max-width of min-content/max-content don't work correctly if width is specified (r147245 revisited)
[DFG] ToString operation should have fixup for primitives to say this node does not have side effects (r214028)
[ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString (r182433)

Mar 20, 2017
============
First parameter to HTMLMediaElement.canPlayType() should be mandatory (r203806)
JSC: BindingNode::bindValue doesn't increase the scope's reference count. (r213742)

Mar 09, 2017
============
[Qt] Animations jump when the page is suspended (r132907)
Rename box-sizing applying methods to be more clear about just applying box-sizing. (r128130)
Add two missing variable initializers to RenderFlowThread (r126762)
Initialized m_hasNonEmptyList to fix a valgrind uninitialized read (r126727)
Bad rendering of web page because of image's height is set to 100% (r136347)
RenderBox::computeLogicalClientHeight is incorrectly named (r128371 fixed merge)
Convert <select> to new-flexbox (r145959)

Mar 08, 2017
============
Incorrect layout for blocks containing ideographs with -webkit-linebox-contain: glyphs, font, inline-box. (r149450)
Adapt inline SVG sizing behavior to Firefox and Blink (r168350 revisited)	
Move height/width implementation for use element from RenderSVGViewportContainer to SVGUseElement (r179069)
Vertical writing mode can overflow fixed size grandparent container (r138838)
Support proper <percent> / calc() resolution for grid items (r135965)
RenderGrid should have a function to resolve grid position (r134935)
SVGFitToViewBox::viewBoxToViewTransform() has to count for zero physical width and height before calling SVGPreserveAspectRatio::getCTM() (r183026)
SVG: Fix viewBox animations on shapes with non-scaling-stroke. (r149102)
[SVG] Suppress painting when an empty viewBox is specified (r146495)
SVGViewSpec fails when corresponding element has been removed (r140975)
[svg] Remove unnecessary rounding in SVGRootInlineBox::layoutRootBox (r140728)
Remove never-implemented CSS3 text decoration-related properties (r213567)
CSS3's vh attribute is not adjusting while browser resizes (r141492)

Mar 07, 2017
============
Ensure we compute the height of replaced elements to 'auto' when appropriate. (r170895)
When computing the percentage of the logical height, use the logical top and bottom (r147453)
RenderBlock minor clean-up: replace raw pointers with OwnPtrs. (r136288)
Source/WebCore: Track block's positioned objects like percent-height descendants (r125351 + r125353)
Move forward declaration of bindings static functions into their implementation files (r170042 partial)
Available height should respect min and max height (r139548)
When a block's height is determined by min-height/max-height, children with percentage heights are sized incorrectly (r138668)
Positioned replaced elements should resolve vertical margins against their containing block's logical width (r137695)
RenderBox::computePercentageLogicalHeight should use containingBlockLogicalWidthForContent (r135741)
image not displayed in flexbox (r130714)
[chromium] REGRESSION: Incorrect preferred width calculation for table cells (r129529)
Replace RenderMeter::updateLogicalHeight to RenderMeter::computeLogicalHeight (r129409)
Flexitem margins should be based on content width, not width (r128486)
RenderBox::computeLogicalClientHeight is incorrectly named (r128371)
Pass the logical height and logical top into RenderBox::computeLogicalHeight (r128238 revisited)
Make RenderBox::computeLogicalWidthInRegion const (r127914 revisited)
Add a const version of RenderBox::computeLogicalHeight (r127549)
Fix cross-direction stretch for replaced elements in column flexbox (r126503)
Flexbox doesn't need to compute logical height for stretched items in row flow (r126468)
Fix cross-direction stretch for replaced elements in row flexbox (r126257)
implement display: -webkit-inline-flex (r125262)
percentage margins + flex incorrectly overflows the flexbox (r124987)
Need to Remove Anonymous Wrappers When All Children Become Inline (r150527)
Support for CSS widows and orphans (r137200)

Mar 06, 2017
============
hasOverflowClip() does not necessarily mean valid layer(). (r191915)
REGRESSION (r147373): Auto-sizing doesn't always respect minimum width changes (r147664)
Autosize should use documentRect height instead of scrollHeight (r147373)
REGRESSION(r176978): Inline-blocks with overflowing contents have ascents that are too large (r181292 partial)
REGRESSION (r179168): Characters overlap after resizing the font on the copy-pasted Japanese text (r186191)
The computed value of line-height:normal is incorrect (r179168)
Inline elements whose parents have small line-height are laid out too low (r176978)
Move m_lineBoxes from RenderBlock to RenderBlockFlow (Part 5) (r157705 partial)
Wrong linebox height, when block element parent has vertical-align property defined. (r152793)
REGRESSION(r140907) - Backport blink r149612 to fix vertical-align and rowspan issue (r149585)
REGRESSION(r140907): Incorrect baseline on cells after updating vertical-align (r149553)
REGRESSION(r140907): Incorrect baseline for cells with media content during load (r145305)
Split the intrinsic padding update code out of RenderTableSection::layoutRows (r130454)
Subpixel rendering: Buttons in default media controls shift vertically when controls fade in or out. (r169615)
RenderIFrame should display its name correctly in DRT output. (r159017)
Fix orphan needsLayout state in RenderTextControlSingleLine (r154036)
A placeholder renderer should not be taken to imply the existence of a text renderer in single line text controls (r146038)
Convert old flexbox uses in html.css to new flexbox (non-<select>) (r145977 + r146103)
RenderTextControlSingleLine should not assume that its text element has a renderer (r145239 + r145877)
Empty <button>s should collapse; empty <input type="button"> should not collapse (r144096)
Overflow can be cleared just before it is computed (r143627)
input element with placeholder text and width set to 100% on focus causes overflow even after losing focus (r143475)
REGRESSION(r120616): Cell's logical height wrongly computed with vertical-align: baseline and rowspan (r140907)
Fix enclosingLayoutRect calls in InlineFlowBox.h (r133903)
Fix margin box ascent computation in flexbox (r130553)
AutoTableLayout truncates preferred widths for cells when it needs to ceil them to contain the contents (r125694)
JSC: FunctionParameters are memory hungry. (r140947)
JSC: SourceProviderCache is memory hungry (r140945).
CodeBlock: Give m_putToBaseOperations an inline capacity (r132307)
[mac] REGRESSION (r122215): Animated GIF outside the viewport doesn't play when scrolled into view (merged r130573).
Figure out the exact space needed for parameter identifiers and use reserveInitialCapacity() (r129773).

Mar 03, 2017
============
Shrank the SourceProvider cache (r143279)

Mar 02, 2017
============
[Freetype] Properly support synthetic oblique in vertical text (r183680)
[GTK] Glyphs in vertical text tests are rotated 90 degrees clockwise (r158848 partial)
Cache support for OpenTypeVerticalData (r124397 partial)

Mar 01, 2017
============
Eliminate two large sources of temporary StringImpl objects. (r201645 revisited)
Static hash tables no longer need to be coupled with a VM. (r171824)
Constructors should eagerly reify their properties too (r169954)
Don't create a HashTable for JSObjects that use eager reification (r169789)

Feb 28, 2017
============
[iOS] Crash during font loading when injected bundle cancels load (r197570)
SVGResources should use HashSet<AtomicString> instead of HashSet<AtomicStringImpl*> (r130780)
SVG TextRuns do not always get RenderingContexts (r169400)
Fixing the !ENABLE(SVG_FONTS) build (r164485)

Feb 27, 2017
============
SVG: <altglpyh> for a surrogate pair character in a ligature fails (r138316)
[css shapes] Parse new ellipse shape syntax (r159954 revisited)
[css shapes] Parse new circle shape syntax (r159585 revisited)
[CSS Exclusions] The radius of a circle should be computed based on the shorter available dimension (r146938)
REGRESSION(r121789): Text not wrapping in presence of floating objects (r137331 revisited)
[CSS Exclusions] Enable shape-inside for multiple-segment polygons (r136729)
[CSS Exclusions] Support outside-shape value on shape-inside (r135314)
Support animation of basic shape 'polygon' (r134736)
Cleanup BasicShape blending check (r134679)
[CSS Exclusions] Basic shapes on 'shape-inside' should be animatable (r134678)
BasicShapes 'circle', 'rectangle', 'ellipse' should be animatable with themselves (r134352)
[CSS Exclusions] Add support for polygonal shapes (r130687)
[CSS Exclusions] Rename WrapShapeInfo to ExclusionShapeInfo (r129689)
[CSS Exclusions] shape-inside line segment layout should be based on line position and height (r129590)
[CSS Exclusions] Enable css exclusions for multiple blocks per element (r129530)
[CSS Exclusions] ExclusionShape API should use logical coordinates for input/output (r129411)
[CSS Exclusions] Enable shape-inside for percentage lengths based on logical height (r128786)
Typo in RenderStyle::isFlippedLinesWritingMode(), small refactoring possible (r128508)
[CSS Exlusions] add support for the basic shapes (r128083)
[CSS Exclusions] Enable shape-inside for simple rectangles (r126605)
CSS 2.1 failure: 'Text-indent' only affects a line if it is the first formatted line of an element (r125202)

Feb 24, 2017
============
Support <box> values parsing on 'clip-path' property (r161067)
[CSS Shapes] Parse [<box> || <shape>] values (r159526 partial + r161086)
Repaint issues with -webkit-svg-shadow used on a container (r133834)
SpeculativeJIT::compilePutByValForIntTypedArray should only do the constant-folding optimization when the constant passes the type check (r212909)
Ensure that the end of the last invalidation point does not extend beyond the end of the buffer. (r212908)

Feb 23, 2017
============
-webkit-clip-path property should just reference clipPath (r132682)
-webkit-clip-path should parse IRIs (r130592)
Add ClipPathOperation for -webkit-clip-path organization (r128700)

Feb 22, 2017
============
RenderLayerCompositor destructor is fragile (r152121)
Cache timer heap pointer to timers (r142652)
Add more missing exception checks detected by running marathon.js. (r212791)
Add missing exception checks detected by running marathon.js. (r212779 partial)	
Give scripts 'high' load priority (r211334)

Feb 21, 2017
============
JavaScriptCore should discard baseline code after some time (r189889 partial)

Feb 16, 2017
============
Parse a function expression as a primary expression (r179159)

Feb 15, 2017
============
The JIT should cache property lookup misses. (r175846 partial + r175849 + r175880 rolled in)
  Does not cause slow down https://www.youtube.com/tv browse-to-play	
Removed the global parser arena (r176756)
	
Feb 13, 2017
============
Inserting a JS generated keyframe animation shouldn't trigger a whole document style recalc (r156912)
Inserting multiple rules into an empty style sheet should avoid style recalc if possible. (r153829)
Inserting a rule into an empty style sheet shouldn't trigger style recalc unless necessary. (r153699)
Don't create Document's selector query cache just to invalidate it. (r151925)
Shrink WatchpointSet. (r161554)
REGRESSION(r130643): ASSERTION FAILED: result.iterator != end() below PluginDatabase::add (r132302)
Lower minimum table size of WTF::HashTable to reduce memory usage. (r130643)
Using float/double as WTF hash table key is unreliable. (r130639)
Deque: Free internal buffer in clear(). (r144630)
Vector should consult allocator about ideal size when choosing capacity. (r141716)
Vector::shrinkToFit should use realloc when suitable. (r127186 + r131623)

Feb 12, 2017
============
Constructed object's global object should be the global object of the constructor. (r212015)

Feb 10, 2017
============
Add ScriptWrappable to more WebCore classes which are commonly JS-wrapped (r135058)
Deploy ScriptWrappable to more always-wrapped objects (r135001)	
Clear the JSString cache when under memory pressure. (r168235)
Node::compareDocumentPosition leaks memory structure (r164920)
Deduplicate Document::encoding(). (r163184)
Jettison all StyleResolver data on memory pressure. (r160370)	
compareDocumentPosition() should report PRECEDING or FOLLOWING information even if nodes are disconnected (r153660)
compareDocumentPosition reports disconnected nodes as following each other (r143239)
RenderText::isAllCollapsibleWhitespace() shouldn't upconvert string to 16-bit. (r142529)	
RenderStyle should use copy-on-write inheritance for NinePieceImage. (r142404 revisited)
RenderText: Access characters through m_text instead of caching data pointers separately. (r142398)

Feb 09, 2017
============
Rename JSDOMWrapper.impl to JSDOMWrapper.wrapped (r191887 partial)
Refactor ImageLoader's setting of CachedImage (r181849)  

Feb 08, 2017
============
Stop image from displaying when src attribute is removed or emptied (r181897)
Assertion failure in WebCore::PseudoElement::didRecalcStyle() (r162679 partial + r166304)
Blocking a resource via Content Security Policy should trigger an Error event. (r126194 revisited)
[NoInterfaceObject] extended attribute should be removed for several interfaces (r149845)

Jan 31, 2017
============
The JIT should cache property lookup misses. (r175846 partial + r175849 + r175880)

Jan 25, 2017
============
[JSC] Optimize Number#toString with Int52 (r211128)	

Jan 24, 2017
============
[Shadow DOM][Refactoring] HTMLContentElement,HTMLShadowElement::m_registeredWithShadowRoot should be moved to InsertionPoint (r137233 complete)
[Shadow] ShadowRoot should cache InsertionPointList. (r136098)
[Shadow] Move Distribution stuffs from ShadowRoot (r136081)
Disable adding an AuthorShadowRoot to replaced elements. (r128856)
[Shadow DOM] Unpolished elements should reject author shadows (r128323)
[Shadow DOM][Refactoring] Element subclasses should have a way to reject author shadows. (r127811)
ShadowRoot insertion point change aborts css transition (r126789)

Jan 23, 2017
============
JSC: Simplify interface between throw and catch handler (r160213 partial)
[WK2] didRemoveFrameFromHierarchy callback doesn't fire for subframes when evicting from PageCache. (r206922)

Jan 20, 2017
============
REGRESSION(r127163): Respect clearance set on ancestors when placing floats (r159575 revisited)
Move all collapsing margin code out of RenderBlock and into RenderBlockFlow. (r155555)
Move layoutBlock and layoutBlockChildren into RenderBlockFlow (r155377 + r155390)
Merge handleSpecialChild into layoutBlockChildren (r143290)
Remove RenderWordBreak (r156038)
Get rid of isBlockFlowFlexBoxOrGrid(). (r155366)
Add new RenderBlockFlow class. (r155211 revisited)
[CSSRegions] No other SVG elements except the SVGRoot must have RegionInfo objects attached (r152293)
Flexbox should ignore firstLetter pseudo element. (r143993)
Convert buttons from DeprecatedFlexBox to nondeprecated FlexibleBox (r143643 + r144706 + r145265)
CSSRegions: crash positioned object with inline containing block in flow thread (r143312)
Flexbox should ignore firstLine pseudo element. (r143042)
Cannot click an element at 2nd line or more inside inline-block in vertical writing mode. (r138080)
Rename RenderObject::firstLineStyleSlowCase() to a more appropriate cachedFirstLineStyle() (r130694)
:first-line pseudo selector ignoring words created from :before (r130616)
JSCell::classInfo() belongs in JSCellInlines.h. (r171888)

Jan 19, 2017
============
Make the Web Inspector console work in strict mode with JavaScriptCore. (r146937)
Reserve capacity for StringBuilder in unescape (r210766)

Jan 18, 2017
============
REGRESSION(r152313): Inline-block element doesn't wrap properly (r176287 partial)
Rename InlineBox::isText() (r156025)
Add isTextOrBR() and use it (r155975)
RenderBR should not be RenderText (r155957 + r168364 + r171105 partial)
Move text caret rect computation to root inline box (r155949)
REGRESSION(r152313): Links in certain twitter postings don't warp correctly on page (r153061)
empty inlines should not affect line-wrapping (r152313)
Ignoring padding-right of inline elements in containers with undefined width (r151855)
Refactor adding a line break (r151922)
Remove unnecessary check in RenderBlockLineLayout::nextSegmentBreak() (r151919)
REGRESSION (r148367): Facebook and Twitter icons at macworld.com are stacked vertically, obscuring Twitter one (r151613)
Whitespace between inlines with nowrap and a shrink-to-fit parent gets a line-break when it shouldn't (r151518)
Breaking Float: floated block level element following inline element in floated container breaks to next line (r148622)
Call directly RenderBlock::deleteLineBoxTree (r148468)
Whitespace between nowrap elements ignored after collapsed trailing space in a text run (r148367)
Whitespace in particular source code changes rendering; does not in Firefox (r148027)
Padding applied twice for empty generated RenderInlines (r147505)
When we set word-wrap: break-word and xml:space="preserve" to svg text element, the text is collapsed. (r145215)
Inline Containing Only Collapsed Whitespace Not Getting a Linebox (r140693)
Crash in WebCore::InlineBox::deleteLine (r138654)

Jan 16, 2017
============
Move :active chain participation state from Node to Element. (r150722)
Move "active" state logic from Node to Element. (r150715)
Move Node::dispatchSimulatedClick() to Element. (r150714)
Begin moving "focus" state logic from Node to Element. (r150686)
Move "hover" state logic from Node to Element. (r150684)
ContainerNode::setActive should not sleep for 100ms on platforms that do not implement synchronous repaint(true) semantics (r144795)
Remove redundant code in Document::updateHoverActiveState. (r144741)
Dynamically styling ShadowDom content on a node distributed to another shadow insertion point fails. (r126275)

Jan 13, 2017
============
Implement run-in remove child cases. (r150155)
Add covariant RenderElement* Element::renderer() (r156144 + r156181)
[Freetype] Some text in Planet GNOME renders in the wrong place (r96378 revisited)

Jan 12, 2017
============
Remove JSInlineGetOwnPropertySlot attribute as it is no longer necessary (r160775)
Add RenderElement (r156102 complete)
Add RenderObject bit for isBR(). (r155962)	
Remove the quirk margin bits from RenderObject and put them back in RenderBlock. (r144344)
Refactor logic for relaying out children out of RenderBlock::styleDidChange (r143950)
Padding and border changes don't trigger the relayout of children in some cases. (r143284)
Padding and border changes doesn't trigger relayout of children (r143092)
Re-layout child blocks when border/padding of the box-sizing:border-box parent is updated (r140854)

Jan 11, 2017
============
Fix an out-of-bound read decoding WebP animation frames (r156137)
Add animation support for WebP images Animation support was added to WebP in v0.3.0. (blink r153187 + r153588 + r153598)
Re-read the frame buffer.getAddr(0,0) address every time through the decode() routine (partial decodes) (blink r148528)
Remove libqcms support (r197171)
Turn width/height to presentation attributes (r171341)	
Shrink SVGElement::cssPropertyIdForSVGAttributeName and cssPropertyToTypeMap (r155969)
Element: Devirtualize attribute synchronization functions. (r143114)    
	
Jan 10, 2017
============
REGRESSION (Safari 10 / r189445): WKWebView and WebView no longer allow async XMLHttpRequest timeout to exceed 60 seconds (r208101)
REGRESSION(r204163): Web Inspector: Page crashes when Inspector tries to load insecure SourceMap (r209784 partial)
DocumentThreadableLoader should report an error when getting a null CachedResource (r204163)
XHR abort() event firing does not match spec (r192361)
Removing XHR_TIMEOUT guard (r190025)
Correct DOMWindow handling during FrameLoader::clear (r210288)
Crashes in PageConsole::addMessage (r166551 partial)
Delete Frame::domWindow() and Frame::existingDOMWindow() (r125615)
REGRESSION(r162744): wsj.com paints white (r162763)
Update style asynchronously after style sheet load (r162744)
Document::updateHoverActiveState() should allow for deferred style recalcs (r155071)
Removing a <link> element with an empty stylesheet shouldn't trigger style recalc. (r153672)
Removing an empty style sheet shouldn't trigger style recalc. (r153641)
Unset :hover in inner documents (r148672 partial)
Move side-effects on hover/active state out of hit-testing (r145126)
Make sure that clearOwnerNode also clears StyleResolver references (via didMutate). (r144713)
Document::setActiveNode() should be Document::setActiveElement() (r139199)
Document::m_activeNode should be always an Element. (r139029)
IsActiveFlag, IsHoverFlag, InActiveChainFlag can be unified. (r137277)

Jan 09, 2017
============
Bindings: Remove special cases for DOMString[] (r139641)
Add support for generic types in arrays and sequences to the code generators (r136507 complete)
IndexedDB: Use sequence<> instead of DOMString[] in IDL (r134342)
Wrap CSS length conversion arguments in an object (r167937)
[shadow] styleForText should consider the case where parent node has no style (r146967)
Crash at RenderStyle::inheritFrom reported by fuzzer (r145885)
Text nodes in shadow roots don't inherit style properly (r137418)
Remove SVGShadowText class (r135544)
REGRESSION (Safari 6 - ToT): Incorrectly assumes that RenderStyle data can be shared (r167716)
Stop throwing away the Document's StyleResolver on a timer. (r166740)

Jan 06, 2017
============
Crash in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients (r166628)
Invalid cast in WebCore::RenderLayer::FilterInfo::updateReferenceFilterClients() (r165206)
Build broken when svg is disabled. (r140845)
Merge RenderObjectChildList::appendChildNode and insertChildNode (r139940)
CSS url() filters with forward references don't work (r136975 + r137463 + r138823)
REGRESSION (r135455): Compilation without SVG enabled broken (r135583)
Make CachedSVGDocumentReference independent of FilterOperation (r135455)
Change ReferenceFilterOperations to reference (own) the data passed to them. (r132528)
Regression (r145601): out-of-bounds read in line breaking / new width cache (r146954)
Add a single character cache to WidthCache (r145601)
Optimized kerning and ligatures using caching (r133921)	    

Jan 05, 2017
============    
Cleaned up the Font class in preparation for optimizing kerning and ligatures (r133534)	
Encapsulate FontGlyphs (r150730)
Tighten FontGlyphs interfaces to take FontDescription instead of Font (r150747)
Rename FontFallbackList to FontGlyphs (r150727)
SVG classes cause layering violations in platform Font code (r133290)

Jan 04, 2017
============
Move BindingSecurity stuff under JSDOMBinding umbrella. (r158997)
	
Jan 03, 2017
============
[SVG2] support paint-order presentation attribute (r165595)
Regression(r182517): WebSocket::suspend() causes error event to be fired (r182901)
Open WebSockets should not prevent a page from entering PageCache (r182517)
Web Core: Websocket state should be set to closed in didReceiveMessage call back. (r173642)	
[WebSocket] Ignore incoming message in CLOSING state (r148019)
[WebSocket] send() and close() should not throw an exception for an unpaired surrogate but use the replacement character (r134515)

Dec 16, 2016
============
RenderView does not need to override computePreferredLogicalWidth (r139749)
Move updateHoverActiveState to Document. (r128468)
Rename HitTestPoint and pointInContainer (r126859)
Remove extraneous includes (HTMLElement, SVGElement, GlyphBuffer, Clipboard) (r127752 partial)	
[SVG2] Merge SVGStyledElement and SVGElement (r154462)
Reduce number of header includes in SVG (r152553 revisited)
Introduce DECLARE_FORWARDING_ATTRIBUTE_EVENT_LISTENER() macro (r152451)

Dec 15, 2016
============
Have SVGTextContentElement inherit SVGGraphicsElement (r152404 + r152409)
Move SVGTests attributes parsing to SVGGraphicsElement (r152343)
Remove SVGStyledLocatableElement class (r152299)
Try to fix the build after r128006. (r128009)
Introduce SVGGraphicsElement IDL interface (r152167)
BytecodeBasicBlock::computeImpl() should not keep iterating blocks if all jump targets have already been found. (r209820)

Dec 14, 2016
============
Add getElementById to DocumentFragment (r184435)
Introduce ParentNode.idl / NonDocumentTypeChildNode.idl (r184042)
Element Traversal is not just Elements anymore (r184034)
Merge SVGLangSpace into SVGElement (r152156 + r152157)
Update SVG interfaces to stop inheriting from SVGURIReference and SVGTests (r152120)
Automatically generate WorkerContext constructor attributes (r151169)
Stop inheriting SVGExternalResourcesRequired, SVGFitToViewBox and SVGZoomAndPan (r151988)	
Get rid of multiple inheritence for SVGViewElement interface (r151985)
Refactor SVGSVGElement to inherit from SVGStyledTransformableElement (r140267)

Dec 13, 2016
============
Web Inspector: console.time() should use performance.now() (r126276)
Replace currentTime() with monotonicallyIncreasingTime() in WebCore (r154706)
Replace currentTime() with monotonicallyIncreasingTime() in WebCore (r154201)
HTMLParserScheduler gets into an inconsistent state when suspended for reasons other than WillDeferLoading (r153407)
Active DOM object resumption should match reason for suspending (r150560)

Dec 12, 2016
============
Implement KeyboardEvent constructor (r141346)
Implement UIEvent constructor (r140493)
Inline JSCell::toObject() (r209636)

Dec 09, 2016
============
Implement OfflineAudioContext constructor (r137516)
[GTK] Generated files are regenerated always (r149887)
touching any idl rebuilds all derived sources (r151675)
Add support for [NoInterfaceObject] Web IDL extended attribute (r149796 + r149805)
Add support for Web IDL callback interfaces to the bindings generator (r149113)
Unprefix IndexedDB (r129385)
VoidCallback should not be a special snowflake (r125745)

Dec 07, 2016
============
Merge SVGStylable into SVGStyledElement (r140265)
Commented IDL implements statements should not impact code generation (r151912)
Move IDL implements statements to IDL files that implement the interface (r151896)
[Win] IDLParser.pm fails to parse OESTextureHalfFloat and causes a build failure (r144575)
Look into possibilities of typedef in webkit idl files (r142865)
[V8] Add IDL 'enum' support to CodeGeneratorV8.pm (r141360)
Add support for generic types in arrays and sequences to the code generators (r136507 partial)
Remove 'module' from IDL parser (r135547)
[WebKit IDL] remove all module from idl files. (r131145)
PureNaN: fix typo (r209429)
YARR uses mixture of int and unsigned values to index into subject string (r203206)

Dec 06, 2016
============
Null dereference in Performance::Performance(WebCore::Frame*) (r192582)
Reduce resolution of performance.now. (r186208)
Record the reference time when Performance is constructed. (r183795)
performance.now can crash if accessed from a window that has navigated (r179937)
Implement WebIDL implements (r151740 partial)
Add support for [NoInterfaceObject] Web IDL extended attribute (r149796 partial)
Add support for Web IDL partial interfaces to the bindings generator (r149170 partial)
Speed up supplemental dependency computation (r139331)
[chromium] don't write additional idl files to a gyp temp file (r137519)
[WebKit IDL] move extended attributes to left of interface, exception... (r131172)

Dec 05, 2016
============
unprefix window.performance.webkitNow() (r131106)
DOM4 remove method (r129400)
Remove IDLStructure.pm (r135129)
Rename idlDocument::classes to idlDocument::interfaces in the IDL parser (r135203)
ASSERTION FAILED: animatedTypes[0].properties.size() == 1 in WebCore::SVGAnimatedTypeAnimator::constructFromBaseValue. (r177166)
Automatically generate template specializations for most Elements (r174050 partial)
Introduce toSVGAnimateElement(), and use it (r154266)
Reduce number of header includes in SVG (r152553)
Crash in WebCore::RenderListItem::updateMarkerLocation (r124783 revisited)
		
Dec 02, 2016
============
Merge HTMLBodyElement::didNotifySubtreeInsertions into HTMLBodyElement::insertedInto (r156072)
Consider all ancestors not just parentElement when disconnecting frames (r140856)
Assert the connectedSubframeCount is consistent and fix over counting (r140807)
Track subframe count to avoid traversing the tree when there's no subframes (r140090)
ContainerNodeAlgorithm::notifyInsertedIntoDocument is not used (r137564)
Disable frame loading instead of throwing exceptions on subtree modifications in ChildFrameDisconnector (r134528)
Make Frames and HTMLFrameOwnerElement less friendly (r134350)
Skip frame owner disconnect when there's no frames (r133933)
InsertionShouldCallDidNotifyDescendantInsertions should be merged to InsertionShouldCallDidNotifySubtreeInsertions (r126136)
DOM mutation against including <link> shouldn't trigger pending HTML parser. (r125988)
Prevent inconsistent firstChild during document destruction (r142899)
Replace documentFragmentIsShadowRoot with isTreeScope (r138404)	
ContentDistributor and ShadowRootContentDistributionData should use RefPtr to hold elements. (r137717 partial)
ASSERT(!m_inRemovedLastRefFunction) in Element::addShadowRoot while destroying a document (r169708)

Dec 01, 2016
============
[Shadow DOM] registering InsertionPoints to ShadowRoot should work out of a document. (r137421)	
[Shadow DOM][Refactoring] HTMLContentElement,HTMLShadowElement::m_registeredWithShadowRoot should be moved to InsertionPoint (r137233 partial)
Node::compareDocumentPosition returns wrong value for a node in the different shadow tree. (r136087)
Shrink ShadowRoot and TreeScope. (r135939 partial)
[Shadow] Attaching children of a shadow host takes O(N^2) where N is the number of host children (r135689)
[Shadow DOM][V8] Assertion failure when shadow host is reclaimed before ShadowRoot (r135456)
[Refactoring] Remove shadowPseudoId() and use setPseudo() in <progress> ElementShadow. (r135249)
Prevent creation of detached frames in ShadowRoot (r134775)
[Refactoring] Remove shadowPseudoId() and use setPseudo() in <meter> ElementShadow. (r134420)
Don't update style when attaching in HTMLMeterElement (r134196)
[Refactoring] Remove shadowPseudoId() and use setPseudo() in HTMLKeygenElement (r134189)
[Refactoring] Remove shadowPseudoId() and use pseudo() instead in TextTrackCue (r134020)
[Shadow] Style should update when 'pseudo' attribute is dynamically updated (r133769)
[Shadow] ShadowRoot type is not set correctly. (r133443)
[Shadow] ShadowRoot should have a method to return ShadowRootType. (r133435)
[Refactoring] Move initial style setting for ProgressValueElement from attach method to createShadowSubtree method in HTMLProgressElement. (r133124)
The shadow element is not reprojected to a nested ShadowRoot. (r132760 revisited)
The order of resolving distribution in tree composition is wrong. (r132237)
Assertion failed at WebCore::toInsertionPoint / WebCore::ContentDistributor::distribute (r132176)
Refactoring around ContainerNode::attachChildren (r132168)
[Shadow] ASSERT triggered when we try reprojecting fallback elements. (r132047)   
Web Inspector: Shadow DOM: Node removal doesn't reflect. (r132024)
Elements assigned to <shadow> should not be reprojected. (r131910)
REGRESSION(r131464): Null-pointer crash in StyleResolver::styleForElement (r131758)
Assertion failure at TreeScopeAdopter::moveNodeToNewDocument() (r131709)
Make ContentSelectorQuery work when siblings are passed explicitly. (r131068 revisited)
Move parent pointer from TreeShared to subclass (r139751)	
Crash when accessing an item in SVGTransformList and then removing a previous item from this list. (r180129)	
SVGAnimateElementBase::calculateAnimatedValue() asserts when reinserting an SVG animating element within the same animation limits (r183085)
Should never be reached failure in WebCore::floatValueForLength (r205392)
SVG SMIL animations run at less than 60fps (r200171)
CSS and SVG animations should run at 60fps (r200164)
Fix ASSERTION FAILED in WebCore::SVGLengthContext::determineViewport (r160774)
Use OwnPtr instead of deleteAllValues in SVGAttributeToPropertyMap (r149632)
	
Nov 30, 2016
============
REGRESSION: GuardMallloc crash in SVGListPropertyTearOff<SVGPointList>::processIncomingListItemWrapper (r197967 partial)
ASSERTION FAILED: resultAnimationElement->m_animatedType (r147581)
SVG text path referencing parent text infinite loops (r146515)
Assertion faulire in SVGAnimatedPath. (r146083)
SVGDocumentExtensions should use OwnPtr for pending resource maps. (r145333)
Crash in SVGViewSpec::viewTarget (r145013)
SVG pattern to pattern reference does not work if first pattern has a child node (r144948)
Crash when accessing an item in SVGLengthList and then replacing it with a previous item in the list. (r180128)
Prevent crash in animated transform lists (r143859)
Stop starting animations when leaving a page (r143640)
[SVG] Update of element referenced by multiple 'use' nodes is absurdly slow (r143498)
Fix 'slice' aspect ratio calculation (r143389)
Sanitize m_keyTimes for paced value animations (r142365)
Refactoring: The name ContainerNode::removeChildren and ContainerNde::removeAllChilren() is confusing (r140784)
Invalidated SVG shadow tree should be always detached. (r140520)
[SVG] Suppress resource rebuilding for unattached and shadow elements (r139457)
fastAttributeLookupAllowed: classAttr is only animatable by SVG styled elements (r138296)
Clear m_timeContainer on SVGSMILElement removal. (r137701)
SVG <use> element inside an svg-as-image fails (r136845)
Stale SVGUseElement reference in CachedResource::checkNotify() (r136541)
Crash when mixing layers, foreignObjects and SVG hidden containers (r133521)
SVG as an image may recreate the renderer on zoom (r133155)
Prevent NaN offset values in ElementTimeControl. (r132724)
Fix a operator ordering bug in SVGSMILElement::calculateAnimationPercentAndRepeat (r132715)
Recursively detach SVGElementInstances (r130855)
SVGAttributeHashTranslator does not need to copy QualifiedName in the common case (r130456)
Remove overzealous assert in SVGElement::localAttributeToPropertyMap (r130011)
<use> not working when the SVG doc is embedded as <object> data (r128702)
getScreenCTM returns different values depending on zoom (r128309)
Roll out r126056 and r126626 (r126693)
ASSERTION FAILED: !attached() in WebCore::Node::attach() (r126657)
Refactor SVGMaskElement to inherit from StyledElement (r125971)
[SVG] load events shouldn't be fired during Node::insrtedInto() (r125147)

Nov 29, 2016
============
Cache calcMode() value for SVG animations. (r132755)
Fix target element handling in SVGSMILElement. (r137509)
Unify SVG's animation and target tracking systems. (r136906)	
mpath elements do not clear resource lists before destruction (r134851)
Cache animationMode() in SVG animations. (r133074)
Let SVGElements have pending resources. (r132847)
Prevent animation when CSS attributeType is invalid. (r130777)
Refactor SMILTimeContainer to maintain animation information instead of recalculating it every frame (r129670)
Source/WebCore: Remove unnecessary codepaths in SMILTimeContainer::updateAnimations (r128131)
ASSERTion failure when SVG element is removed from document and readded (r127474)

Nov 28, 2016
============
[JSC] DFG should support relational comparisons of Number and Other (r199639 revisited)  
Allow for Int52Rep to see things other than Int32, and make this testable (r171096 complete)
mandreel throws a checksum error on 32-bit x86. (r166440 similar, use SegmentedVector which does not move)
Infer constant global variables (r159545 revisited)  
[ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state (r170092)

Nov 25, 2016
============
Allow for Int52Rep to see things other than Int32, and make this testable (r171096 partial)
Non-speculative Branch should be fast in the FTL (r185002 partial)
Creating a new blank document in icloud pages causes an AI error: (r184318 partial)
[JSC] DFG should support relational comparisons of Number and Other (r199639 revisited)  
Infer constant global variables (r159545 revisited)

Nov 24, 2016
============
DFG::StrCat isn't really effectful (r189075 revisited)
Introduce SymbolType into SpeculativeTypes (r184340 revisited)
Constructor returning null should construct an object instead of null (r180587 revisited)
[ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values (r170016)
DFG::ByteCodeParser shouldn't call tryGetConstantProperty() with some StructureSet (r188292 partial)
  if it isn't checking that the base has a structure in that StructureSet
Structures used for tryGetConstantProperty() should be registered first (r188067)
TypeOf should return SpecStringIdent and the DFG should know this (r183548 partial revisited)
[ftlopt] AI should be able track structure sets larger than 1 (r169588 partial + r171381)
Rename hasFastArrayStorage to be more appropriate (r166292)
FTL should inline polymorphic heap accesses (r164207 partial)	
[ftlopt] A StructureSet with one element should only require one word and no allocation (r169148)

Nov 22, 2016
============
ES6: Implement Array.from() (r180370)
ES6: Support Array.of construction (r178662)
Number.parseInt is not === global parseInt in nightly r182673 (r182938)
Number.parseInt in nightly r182673 has wrong length (r182863)
Simple ES6 feature: Number constructor extras (r174049 + r174066)
FTL should use cvttsd2si directly for double-to-int32 conversions (r160205 revisited)	
[JSC] On x86, improve the selection of which value are selected for the UseDef part of commutative operations (r196513 partial)
[JSC] Add Float support to B3 (r193683 partial)	
B3 should have a Select opcode (r192699 partial)
Add conditional moves to the MacroAssembler (r192131)
Make the CSS JIT compile for ARM64 (r167557 partial)
[x86] Improve code generation of byte test (r165009)
Add an utility class to simplify generating function calls (r160881)
Change Set 154207 causes wrong register to be used for 32 bit tests (r154298)
[JSC] x86: improve code generation for xxxTest32 (r154207)

Nov 21, 2016
============
Constant folding of typed array properties should be handled by AI rather than strength reduction (r182498 revisited)
Remove unneeded moving of ESP to ECX in callToJavaScript for COMPILER(MSVC) (r158857)
DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks (r188764 partial)
DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser (r180989 partial)
  should not pretend that it's a constant as that breaks OSR exit liveness tracking	
DFG should have a separate StoreBarrier node (r160796 partial revisited)	
JSC should have property butterflies (r128400 revisited)

Nov 18, 2016
============
[ftlopt] DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling (r168780 revisited)
  coverage due to variable constant inference and the better prediction modeling of typed array GetByVals

Nov 16, 2016
============
BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope. (r178926 partial)
REGRESSION(174226): Captured arguments in a using function compiled by the DFG have the initial value when the closure was invoked (r177578 partial)
op_captured_mov and op_new_captured_func in UnlinkedCodeBlocks should use the IdentifierMap instead of the strings directly (r162390 partial)
Infer constant closure variables (r160109)
DFG should have a separate StoreBarrier node (r160796 partial)
Instead of watchpointing activation allocation, we should watchpoint entry into functions that have captured variables (r159942)
Infer one-time scopes (r159834 + r159836)
Remove JSString::SafeView and replace its uses with StringViewWithUnderlyingString. (r208767 partial)

Nov 15, 2016
============
Unsafe JavaScript attempt errors are ludicrously verbose and annoying (r145692)
REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly. (r168443 partial)	
Restructure global variable constant inference so that it could work for any kind of symbol table variable (r159798)
[MIPS] Build fails since r159545. (r159635)
Fix CPU(ARM_TRADITIONAL) build after r159545. (r159571)
[armv7][arm64] Speculative build fix after r159545. (r159564)
Infer constant global variables (r159545)

Nov 14, 2016
============
RegExpObject::exec/match should handle errors gracefully. (r208698 partial)
[ftlopt] Infer immutable object properties (r170855 partial)   
Extract URL that doesn't inherit a parent's SecurityOrigin out into a constant. (r147526 revisited)
XSSAuditor should block pages by redirecting to a sandboxed data: URL. (r143644)
document.referrer leakage with XSS Auditor page block (r142063)
XSS blocker false positive when page contains <iframe src=""> (r133249)
XSSAuditor must replace form action with about:blank when reflected action detected. (r132511)
XSSAuditor too tolerant of injected data: URLs from other "hostless" schemes. (r126120)
Follow-up fix to r208639. (r208643)
test262: DataView with explicit undefined byteLength should be the same as it not being present (r208640)
test262: DataView get methods should allow for missing offset, set methods should allow for missing value (r208639)

Nov 11, 2016
============
Document.URL / Document.documentURI should return "about:blank" instead of empty string / null (r195485)
X-Frame-Options: Blocked frames should not inherit their parent's SecurityOrigin. (r147530)
Extract URL that doesn't inherit a parent's SecurityOrigin out into a constant. (r147526)
Begin to make XSSAuditor thread aware (r141494)
Support X-XSS-Protection: report=URL header syntax in XSSAuditor. (r133323)
Source/WebCore: Malformed X-XSS-Protection headers not reported. (r133066)
DFG SSA should use GetLocal for arguments, and the GetArgument node type should be removed (r180160 partial)
REGRESSION (r149749): Video becomes invisible when it starts playing at newyorkbygehry.com (r149989)
test262: DataView / TypedArray methods should throw RangeErrors for negative numbers (ToIndex) (r208564)
[ARM] Unreviewed buildfix after r208450. (r208533)
     
Nov 10, 2016
============
[JSC] The implementation of 8 bit operation in MacroAssembler should care about uint8_t / int8_t (r208450 partial)
[JSC] Mask TrustedImm32 to 8bit in MacroAssembler for 8bit operations (r203331)
MIPS: add MacroAssemblerMIPS::store8(TrustedImm32,ImplicitAddress) (r199372)
[JSC] Improve codegen of Compare and Test (r197652 partial)     
REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values (r201254)
DFG and FTL should constant-fold RegExpExec, RegExpTest, and StringReplace (r199075 partial)
load8Signed() and load16Signed() should be renamed to avoid confusion (r182098)
CStack Branch: Get ARM working (r162705 partial)
REGRESSION (r159395): Error compiling for ARMv7 (r159521 revisited)
Math.min()/Math.max() with no arguments is lowered incorrectly in the BytecodeParser (r208496)	 

Nov 09, 2016
============
Start fixing the handling of Element's attributes when they contain non-ASCII characters (r179323)
selectors should match attribute name with case sensitivity based on element & document type (r153631)
Move attributeNameMatches from SelectorChecker to its proper place on Attribute. (r140235)
Class name matching should use ASCII case-insensitive matching, not Unicode case folding (r169358)
Simplify and clean SpaceSplitString (r154780 + r154782)
Clean ClassList and DOMSettableTokenList (r154707)
Remove DOMSettableTokenList's overload of add() and remove() (r154667)
REGRESSION (r153005): Crash in SpaceSplitString::spaceSplitStringContainsValue on Facebook (r153685)
Do not allocate 2 AtomicString just to do a comparison in HTMLAnchorElement::setRel() (r153005)
Removed a using declaration to avoid name conflicts (r146273)
Make ClassList::reset's purpose obvious and don't keep quirks string when not needed (r138691)
Fix issue with ClassList which was hitting an assert in debug mode (r129798)
DOM4: Add support for rest parameters to DOMTokenList (r129779)

Nov 08, 2016
============
document.createEvent("eventname") should do a case-insensitive match on the event name (r189282)
Add String literal overloads to equalIgnoringASCIICase() (r184341)
Change the exact attribute matching to be ASCII case-insensitive (r181512 partial)
Remove a bunch of redundant checks for empty string in StringImpl (r153686)
String::lower() - Skip to slow path on the first failure (r153007)
Little cleaning of StringImpl::lower() and StringImpl::upper() for ARM (r152881 + r152883)
Improve StringImpl::constructInternal() method (r152595)
Remove code duplication from StringImpl create()/reallocate() methods (r152415)
Add 8 bit handling to SpaceSplitString (r128694)
Unreviewed, rolling out r133841. (r133848)
Unreviewed, rolling out r133428 and r133749 (r133841)
[Shadow] Use setPseudo() instead of setShadowPseudoId(). (r133749 partial)
[Shadow] Implement custom pseudo-elements styling (r133428)
	
Nov 07, 2016
============
Fix a bunch of mistakes in the parsing of ::cue( and ::cue (r165579)
Some media/track tests fail or assert on Mac (r150260 partial)
TextTrack's .cues not ordered correctly when two cues have the same .startTime (r136843)
Occasional crash in WebCore::RenderVTTCue::initializeLayoutParameters (r203737)
onload callback for <track> element attached to <video> does not fire (r138766 revisited)
[Chromium] Layout Test media/track/track-cue-rendering-snap-to-lines-not-set.html is flaky (r127176 revisited)
Not all properties apply to the '::cue' pseudo-element (r145397 + r145504 + r145404)		
[Track] Closed Caption button shouldn't be visible if all the track resources have failed loading (r141531)
Adding a text track should not make controls visible (r140862 revisited)
media/video-controls-captions.html fails after fixing https://bugs.webkit.org/show_bug.cgi?id=105536 (r139326)
HTMLMediaElement::configureTextTracks should configure all text tracks (r135202)
Allow ports to override text track rendering style (r132349)
Create a toggle button for closed captions. (r127035)

Nov 04, 2016
============
REGRESSION(r140231): media track layout tests crashing (r141529)
Whitelist should also work for the WebVTT ::cue element without an argument (r140505)	
The ASCII decoding for non ASCII character is incorrect if this character comes after going through (r178099)
Cue line-height property shouldn't be inherited from the video element (r144814)
WebVTT <i>, <b> and <u> elements should have default styles (r141817)
Support language WebVTT Nodes (r140877)
Implement :past pseudo class for the WebVTT ::cue pseudo element (r140707)	
Remove a TextTrack.h include from the Element.h and move WebVTT related stuff outside the Element (r140231)
Implement matching by the voice attribute for WebVTT ::cue pseudo element (r139803)
Implement ID selector matching for the WebVTT ::cue pseudo element (r139714)
Implement element type selectors for the WebVTT ::cue pseudo class (r139692)
Asking for a value profile prediction should be defensive against not finding a value profile (r208326 partial)	
Make Settings ref-counted (and let Frame keep a ref!) (r154219)

Nov 03, 2016
============
Web Inspector: Resume button in element inspector -> scripts has tooltip 'pause script execution' (r131181)
Web Inspector: Fix compilation errors (r133288 partial)
Web Inspector: Output code evaluated in the console the same as console.log (r133150)	
Fix an exception when hovering native functions while paused in the debugger. (r149829)
Make 'this' evaluate to the correct object when paused in the Debugger. (r147356)
Web Inspector: prevent crash, add required error string value (r141891)	
Web Inspector: adds isOwnProperty to remote protocol (r132902)
Web Inspector: relies on current Function.prototype.bind in the frame (r131178)
Web Inspector: expose object internal properties such as PrimitiveValue or BoundThis (r130398)
Web Inspector: TypeError in ConsoleMessage.js (r131019)
Web Inspector: move completions calculation into RuntimeModel (part 1) (r130119)
Web Inspector: rename JavaScriptContextManager to RuntimeModel for consistency. (r127417)
Web Inspector: get rid of context execution id fallback. (r127412)
Web Inspector: make ConsoleView listen to the JavaScriptContextManager (r126709)	
Web Inspector: make ui component compile (r126579)	
Web Inspector: hovering over an image link in Timeline popup kills popup (r125882)
Web Inspector: render arrays as dir in case they were logged into console prior to the front-end opening. (r125284)
Web Inspector: follow up to r125174 - fix subtype use. (r125186)
Web Inspector: generate preview for the objects dumped into the console upon logging. (r125174)
WebKit nullptr dereference Archive Subframe (r208292)

Nov 02, 2016
============
Web Inspector: do not use InspectorInstrumentation::hasFrontends() check when collecting stacks (r130021)

Nov 01, 2016
============
Make the Web Inspector console work in strict mode with JavaScriptCore. (r146840)
Replace 'DOMObject' with 'any' (r142935)
Web Inspector: fix closure compilation warnings caused by setVariableValue change (r142888)
Web Inspector: support JavaScript variable mutation in protocol and V8 bindings (r142114)
Repatch should save and restore all used registers - not just temp ones - when making a call (r165414)
Unreviewed, remove unintended change. (r165405)
Out-line ScratchRegisterAllocator (r165401)
Clarify how we deal with "special" registers (r165293 partial)
Crash in JIT code while watching a video @ storyboard.tumblr.com (r165021)
lr is a special register on ARM64 (r164238)
Fix RegisterSet::calleeSaveRegisters() by making it correct on ARM64 (r164237)
RegisterSet::calleeSaveRegisters() should know about ARM64 (r164233)
Switch FTL GetById/PutById IC's over to using AnyRegCC (r159039 partial)
FTL should be able to do some simple inline caches using LLVM patchpoints (r157872 partial)	
StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries (r157707)
Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union (r157696)
Rename RegisterSet to TempRegisterSet (r157693)
[JSC] JSON.stringify should handle Proxy which is non JSArray but isArray is true (r208123)
JSON.parse should not modify frozen objects. (r207341 partial)	
Add proper JSON.stringify support for Proxy when the target is an array (r197918 partial)

Oct 31, 2016
============
Clean up WebVTTNodeType code (r139639)
Styling disappears from the cue that's being styled by ::cue pseudo element (r139562)
CC Button doesn't always show up (r139547)
[Track] Rendering crash (r138966)
Crash when setting 'transition-delay' CSS property to a calculated value (r176458)
Implement :future pseudo class for the WebVTT ::cue pseudo element (r138784)
Allow ports to override text track rendering style (r132349 partial)
Follow WebVTT line breaking rules (r138282)
Implement matching cue by the class name with ::cue pseudo element (r137955)
Convert m_selectorVector back to a stack allocated m_reusableSelectorVector (r134693)
[Shadow] Pseudo custom-elements should start with 'x-'. (r133715)
Convert CSSParser's m_reusableSelectorVector to OwnPtr and rename to m_selectorVector. (r125252)
Sign in front of keyframe selector causes stylesheet parsing to abort (r130007)
Make it possible to use CSS Variables inside Calc expressions. (r127220)
Get rid of "parser" type casts in CSSGrammar.y (r124241)
Pre-process CSSGrammar.y before running through bison. (r131477)
Avoid eagerly creating the JSActivation when the debugger is attached. (r163223 revisited)  
  
Oct 29, 2016
============
String(new Date(2010,10,1)) is wrong in KRAT, YAKT (r150833 revisited)	

Oct 28, 2016
============
Refactor Media Control Elements to remove code duplication. (r136613)
Fullscreen movie controls behave incorrectly when clicked (and dragged) (r131781)
REGRESSION(r136615): Incorrect style sharing in view-source documents. (r136722)
Style sharing: Allow sharing between elements with classes not referenced by any selectors. (r136615)
Style sharing: Remove O(n^2) presentation attribute checks that never found anything anyway. (r135542)
Style sharing: Compare class lists via SpaceSplitString instead of string comparison. (r135445)
StyleResolver: No need to compare "cellpadding" attributes when evaluating style sharing candidates. (r135068)
StyleResolver: Only input elements need equal "readonly" attribute for style sharing. (r134984)
StyleResolver: Optimize sharing candidate evaluation for elements with shared attribute data. (r134962)
JSFunction::put() should not allow caching of lazily reified properties. (r208018 partial)

Oct 27, 2016
============
ASSERT removing then adding a <track> element (r151796)
onload callback for <track> element attached to <video> does not fire (r138766)
Captions menu doesn't update to track changes (r136978)	
HTMLMediaElement's .textTracks property does not reflect <track> element (r136131)
Make track list control active (r135934)
Support list of tracks in caption media controls (r134507)

Oct 26, 2016
============
Implement general ::cue pseudo element for the <video> (r136991)	
Clean up the inheritance tree under the MediaControls Class. (r134488)
Web Inspector: [REGRESSION] Breakpoints are not always shown in breakpoints sidebar pane. (r129775)
Web Inspector: DefaultTextEditor throws exception sometimes. (r129641)
Web Inspector: don't allow exception in front-end when expanding function scope (r129361)
Web Inspector: [REGRESSION] Content is not available for dynamically loaded script sometimes. (r127902)
Web Inspector: Incorrect property override computation when !important is involved (r126737)
Web Inspector: Breakpoints are not correctly restored on reload. (r125767)
Web Inspector: CodeMirrorTextEditor doesn't clear execution line (r125650)
Web Inspector: remove commitEditing from the text editor delegate. (r125438)
Web Inspector: improve large array logging experience (r125165)
Web Inspector: store last evaluation result in $_ (r125033)
Web Inspector: show whitespace nodes if they are the only tag's children. (r125014)
Web Inspector: [regression r121673] restore link between the command and the result. (r124867)
Web Inspector: WebInspector.linkifyStringAsFragment gives wrong typeof lineNumber (r124792)
Web Inspector: Fix protocol version check. (r124453)
Web Inspector: Move formatting support from JavaScriptSource to UISourceCode. (r123852)
Web Inspector: Render breakpoint gutter markers and execution line in CodeMirrorTextEditor (r125599)
Web Inspector: get rid of beforeTextChanged (r125426)

Oct 25, 2016
============
Web Inspector: InspectorBackend.loadFromJSONIfNeeded should take the JSON url as argument (r128287)	 
Web Inspector: Make textModel private to textEditor (r124584)
JSONParse should not crash with null Strings (r207785)

Oct 24, 2016
============
Need earlier cell test (r167832)
Split sizing of VarArgs frames from loading arguments for the frame (r160244)
REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms (r164880)
Whoops, include all of last patch. (r164836)
Slow cases for function.apply and function.call should not require vm re-entry (r164835)	
Spread operator has a bad time when applied to call function (r164630)
[JS] Convert Promise.prototype.catch to be a built-in (r164396 + r164416)	
Web Inspector: Relative URL Link Tooltips do not respect <base> (r129477)
Web Inspector: Use and process the actual ScriptId in the protocol EventListener object (r129105)
fixing inspector/elements/iframe-load-event.html broken by r126572. (r126576)
Web Inspector: resolve URLs upon creation, get rid of populateHrefContextMenu (r126572)
Web Inspector: extract ParsedURL into a separate file. (r126426)
Web Inspector: replace the Web Inspector editor with CodeMirror (r125201)
Web Inspector: Create and interface for TextEditor (r124638)

Oct 21, 2016
============
Shink attribute event listener code (r156231)
Web Inspector: for event listener provide handler function value in protocol and in UI (r142627)

Oct 20, 2016
============
HTMLMediaElement should not throw an exception from setCurrentTime or fastSeek. (r159363)

Oct 19, 2016
============
Remove bogus global internal functions for properties and prototype retrieval (r192024)
REGRESSION(r183570): jslib-traverse-jquery is 22% slower (r183749)
It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array. (r183570)    
Implement ES6 StringIterator (r181084 partial)

Oct 18, 2016
============
Implement a few more Array prototype functions in JS (r164139)
CurrentTime on mediaController is set as 0 when playback is completed. (r190114)
Setting playback rate on Media Controller modifies current time. (r164365)
Add support for the 'unpause()' method on MediaController. (r136295)
no timeupdate events emitted for media controller (r125337)
Make it possible to implement JS builtins in JS (r163960 complete)

Oct 17, 2016
============
ASSERT_NOT_REACHED when using spread inside an array literal with Function.prototype.apply (r205944)
Improve JSC Parser error messages (r158014)	
Add a StringTypeAdapter for ASCIILiteral (r141342)
JS Lexer and Parser should be more informative when they encounter errors (r148849)
Unify JSC Parser's error and error message (r148167)
Move macros from Parser.h to Parser.cpp (r131236)

Oct 15, 2016
============
Tests with infinite recursion frequently crash (r177460)
	
Oct 14, 2016
============
JSMainThreadExecState::call() should clear exceptions before returning. (r167142 partial)	
MutationCallback should be a WebIDL 'callback', not a [Callback] interface (r145379)
Web Inspector:  The JS code injected by worker inspector shouldn't be evaluated through JSMainThreadExecState (r129476)
Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks (r166135)
test262: Failure with RegExp.prototype.compile when pattern is undefined (r207334)
Add WTF::NeverDestroyed and start using it in WTF (r150450 + r150451)

Oct 13, 2016
============
FTL should be able to do call ICs (r160893 partial)
StyledElement: Make handling the "style" attribute a litte faster. (r135101)
Support caching of custom setters (r165208 complete)
FTL should do polyvariant Call/Construct inlining (r162788 partial)
IC status classes should directly query exit site information (r162424)
fourthTier: Race between LLInt->Baseline tier-up and DFG reading Baseline profiling data (r153176)

Oct 12, 2016
============
Update JS whitespace definition for changes in Unicode 6.3 (r163325)
JSC Parser: Shrink BindingNode. (r162393)

Oct 11, 2016
============
r159210 added a period where there previously wasn't one, breaking >100 tests (r159216)
REGRESSION (r158014): Many webpages throw stack overflow exceptions on iOS (because Parser::parseMemberExpression uses ~130K more stack) (r159210)
Fix minor (unobservable) bug in ArrayIterator::next() (r158940)
IC code should handle the call frame register not being the callFrameRegister (r158820 revisited)
ValueAdd should be constant folded if the operands are constant String,Primitive or Primitive,String (r207060 partial)
DFG should be able to constant-fold strings (r197833 partial)
Change ArrayPrototype.cpp's putLength() and setLength() to take a VM& so that we can use vm.propertyNames. (r207036 partial)

Oct 07, 2016
============
Crash in virtualForThunkGenerator generated code on ARM64 (r159427 revisited)
Fixed callFrameRegister differences between arm traditional (r11) and arm Thumb2 (r7) in GPRInfo.h. (r159276 partial/revisited)
REGRESSION(r158883): Fix crashes for ARM architecture. (r158926)
REGRESSION(r158883): Fix crashes for MIPS architecture. (r158925)		
Change CallFrameRegister to architected frame pointer register (r158883 partial)
Change ctiTrampoline into a thunk (r158751 + r158858 + r158916)
fourthTier: DFG::ByteCodeParser doesn't need ExecState* (r153144)

Oct 06, 2016
============
REGRESSION(r158586): plugins/refcount-leaks.html fails (r158648)
Eliminate HostCall bit from JSC Stack CallerFrame (r158586)
DebuggerCallFrame::evaluateWithCallFrame() should not execute a null executable. (r162752)
Change ScriptDebugServer to use DebuggerCallFrame instead of JavaScriptCallFrame. (r156936)
Web Inspector: Breakpoint Actions (r155132)
Web Inspector: Breakpoints should have Automatically Continue Option (r154910)
Web Inspector: Column Breakpoint not working, may be off by 1 (r154681)
Web Inspector: The front-end should provide the position in original source file when set a breakpoint (r130615)
[JSC] Do not construct Simple GetByIdStatus against self-custom-accessor case (r206844 partial)
Continue hangs when performing for-of over arguments (r165306)	
Support iteration of the Arguments object (r158793)  
  
Oct 05, 2016
============
ARM64 CRASH: Improper offset in getHostCallReturnValue() to access callerFrame in CallFrame (r159428)
REGRESSION(r158315): Fix register mixup in JIT::compileOpCall. (r158672)
Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI . (r158315)
FunctionExecutable::isCompiling() is weird and wrong. (r185379)
[ES6] Implement ES6 template literals (r183373 + r183559)
JS Lexer and Parser should be more informative when they encounter errors (r148849 partial)

Oct 04, 2016
============
Don't branch when accessing the callee (r183935)
Merge mips and arm/sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions. (r159995)
Uninitialized member causes crash when DFG JIT is not enabled. (r157930)
Remove unused stuff in JIT stubs. (r157795)
Remove excess reserved space in ctiTrampoline frames for X86 and X86_64. (r157650)
Unreviewed, speculative ARM64 build fix. (r157619)
Pass VM instead of JSGlobalObject to JSONObject constructor. (r157614)
Removed the JITStackFrame struct (r157612)
Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks (r157609)
Removed restoreArgumentReference (another use of JITStackFrame) (r157604)
Remove JITStubCall.h (r157603)
Removed a use of JITSTACKFRAME_ARGS_INDEX (r157592)
Change emit_op_catch to use another method to materialize VM (r157591)
Eliminate emitGetJITStubArg() - dead code (r157590)
Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h. (r157588)
Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction() (r157586)	

Oct 03, 2016
============
Try to fix the Windows (32-bit) build. (r128122)
Web Inspector: Stepping through `a(); b(); c();` it is unclear where we are and what is about to execute (r206654)
Get rid of the regT* definitions in JSInterfaceJIT.h. (r158901 revisited)
transition void cti_op_* methods to JIT operations. (r157457 complete + r157467)
[arm][mips] Fix crash in dfg-arrayify-elimination layout jsc test. (r159748)
Transition void cti_op_tear_off* methods to JIT operations for 32 bit. (r157521)
[sh4] Some calls don't match sh4 ABI. (r157475)
transition void cti_op_* methods to JIT operations. (r157457 partial + r157467)     	
Change JSC debug hooks to pass a CallFrame* instead of a DebuggerCallFrame. (r156374)	   
Change debug hooks to pass sourceID and position info via the DebuggerCallFrame. (r155622)	   
	   
Sep 30, 2016
============
Change native function call stubs to use JIT operations instead of ctiVMHandleException (r157636 partial)	
Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks (r157609)
Transition cti_op_throw and cti_vm_throw to a JIT operation (r157581)    
transition void cti_op_* methods to JIT operations. (r157457 partial)    
Follow up patch to: [ES6] bound functions .name property should be "bound " + the target function's name (r196243)
[ES6] bound functions .name property should be "bound " + the target function's name (r196033)
Spread operator should be performing direct "puts" and not triggering setters (r157656 revisited)

Sep 29, 2016
============
Implement ES6 spread operator (r157545)

Sep 28, 2016
============
Move ElementTraversal to ElementTraversal.h (r153939)

Sep 27, 2016
============
A label element not in a document should not label an element in a document (r191497)
Use DOM ordering for list counts (r148863)
REGRESSION(r137406): Text inside an empty optgroup prevents subsequent options from appearing (r139038)
REGRESSION(r137406): NodeTraversal changes causing large renderer crash (r137642)
Add Element-specific traversal functions (r137406)
Fix non-root SVG viewport under zoom (r143144)
Factor node traversal into standalone functions (r137221 + r137227 + r137236)	
Invalidate SVG width on width attribute changes. (r136424)
Microdata: item with itemprop attribute should not include the item itself in the HTMLPropertiesCollection. (r125348)
	
Sep 26, 2016
============
getComputedStyle() doesn't report intermediate values during a transition of a pseudo element (r142215)	
Remove RenderObjectChildList::beforePseudoElementRenderer and afterPseudoElementRenderer (r138909)	
REGRESSION(r136948): inspector/styles/import-pseudoclass-crash.html hits an assertion (r137303)
Web Inspector: the "Sources" column is always empty in CSS selector profiles (r136948)
Remove StyleResolver::State::m_parentNode (r165542 revisited)
Style recalculation takes too long when adding whitespace text nodes (r144526 revisited)
Default element styles are not always collected for sharing detection (r141844 partial)
Split CSSOMWrapper data and functions out from StyleResolver into its own class. (r141373)
documentElement should not always get a renderer (r136331)	
Move childrenAffectedBy bits from RenderStyle to Element (r136001 revisited)
Make renderer construction less generic (r135668)
Remove unnecessary ternaries in createRendererIfNeeded (r135432)
Replace NodeRendererFactory class with a function (r135419)
Merge checks for creating renderers into shouldCreateRenderer (r135290)
Remove unneeded null check in NodeRendererFactory::createRendererIfNeeded (r135252)
No isChildAllowed checked when adding RenderFullScreen as the child. (r124491)
[CSS Regions] RenderRegion should inherit from RenderBlock (r142984)
[CSS Regions] Absolutely positioned regions do not expand to fill their container (r135851)
[CSSRegions]Add support for auto-height regions (without region-breaks) (r131348)
Replace 2 uses of updateLogicalHeight with computeLogicalHeight (r129427)
[CSSRegions]Flag auto-height regions (r128861)
[CSS Regions] Auto width is not working for Regions (r128155)
[New Multicolumn] Implement unforced breaking in the new column layout. (r127267)
[New Multicolumn] Rename methods to prepare for proper pagination of columns (r127051)
[New Multicolumn] Rename some flow thread methods and region methods/members to make them (r126895)
[New Multicolumn] Plumbing to prepare for contents painting and hit testing implementation. (r126602)
[New Multicolumn] Make column rules paint properly. (r126177)
Never notify of insertedIntoTree during document destruction. (r126107)
CSSRegions: Crash when using style in region for removed element. (r125376)
[CSS Regions] region-overflow: break still renders the content that does not fit in the last region. (r125271)
CSSRegions: Crash when attaching a region to the removed named flow (r125192)
[CSS Regions] Rename regionOverflow to regionOverset (r124771)

Sep 23, 2016
============
Absolutely positioned non-replaced elements should resolve vertical margins against their containing block's logical width (r136646)
Make RenderView anonymous (r155370)
Harden RenderBox::canBeScrolledAndHasScrollableArea logic https://bugs.webkit.org/show_bug.cgi?id=104373 (r154383)
[CSSRegions] RenderFlowThread should not be created as a Document renderer (r147414)
Rework bug 97927 to not depend on RenderLayer::allowsScrolling (r136947)
ASSERT in RenderLayer::hitTestContents can fire (r133330)
REGRESSION (r128837): mathml/presentation/subsup.xhtml became flaky (r133221)
[MathML] Improve some addChild methods (r132735)
Navigator object needs to have properties directly on the instance object (r129260)	
[MathML] Increase visual space around fraction parts, italic variables, and operators (r129146)
Convert MathML to use flexboxes (r128837)
mathml.css: Add more { white-space: nowrap } declarations (r127769)
REGRESSION (r124512): Failures in MathML Presentation tests on GTK and EFL (r126862)
Streamline mathml.css (r126713)
Remove { vertical-align: baseline } declarations from mathml.css (r126698)
MathML: nested square root symbols have varying descenders (r124512)	
	
Sep 22, 2016
============
Add new RenderBlockFlow class. (r155211)
Move isBlockFlowElement and related functions out of the Node class into editing code (r150782)
Crash in Node::enclosingBlockFlowElement() (r147388)
Make renderer constructors take Element where possible (r140244)
TextIterator takes O(n^2) to iterate over n empty blocks (r126164)
XHR timeouts should not fire if there is an immediate network error. (r192175)
[Content Extensions] Make blocked async XHR call onerror (r191077)
XHR2 timeout property should allow late updates (r189445)
	
Sep 21, 2016
============
Remove the JSC::OverridesVisitChildren flag. (r171939)	
Don't de-allocate FunctionRareData (r183113)
REGRESSION (r182899): icloud.com crashes (r183069)
Extract the allocation profile from JSFunction into a rare object (r182899)
Percentage min/max width replaced element may incorrectly rendered (r138332)
Bound functions should use the prototype of the function being bound (r196956)
[JSC] Some setters for components of Date do not timeClip() their result (r201586)

Sep 20, 2016
============
Undefined behavior: Left shift negative number (r206151)
window.atob() should ignore spaces in input (r195694)
Decode data URLs in web process (r188820 partial)
Implement base64url encoding from RFC 4648 (r158628)
Make atob() throw an InvalidCharacterError on excess padding characters (r153904)
Remove obsolete code for deleting CodeBlocks (r189888 partial)
Some renaming to clarify CodeBlock and UnlinkedCodeBlock (r188884 partial)
Periodic code deletion should delete RegExp code (r188401)
Standardize on the phrase "delete code" (r188394)
Re-land r188339, since Alex fixed it in r188341 by landing the WebCore half. (r188351)
Unreviewed build fix after r188339. (r188341)
Empty parse cache when receiving a low memory warning (r136773 partial)

Sep 19, 2016
============
text-overflow: ellipsis is broken by text-align: right and padding-left (r187380)
REGRESSION (r133351, sub-pixel layout): Right-to-left block with text-overflow: ellipsis truncates prematurely (breaks facebook.com Hebrew UI) (r169048)
Table with percentage column widths doesn't scale to fill the entire width of a table containing it (r133037)
Replace calls to updateLogicalHeight with calls to computeLogicalHeight (r131971)
REGRESSION(r128517): Percentage heights in quirks mode collapse when printing (r141459)	
REGRESSION (r128633): td changes size during re-layout of table although it shouldn't (r135578)
getComputedStyle perspective-origin is based on the wrong bounding box (r130277)
Simplify some code in RenderBox::computePercentageLogicalHeight (r128633)
percentage heights in quirks mode with auto-sized body are computed incorrectly (r128517)
percentage widths rendered wrong in vertical writing mode with orthogonal parent (r128375)
Refactor computePercentageLogicalHeight to simplify the logic a bit (r128215)
Fix RenderBox::availableHeight to subtract scrollbars in the right places (r127915)
Delete some dead code in RenderBox::computePercentageLogicalHeight (r125938)
percentage height/width values in quirks mode are incorrectly resolved in flexbox children (r125055)
need tests to ensure flexboxes play nicely with box-sizing (r124793)
Constrain replaced element layout to from-intrinsic aspect ratio if specified (r164265)
Update aspect-ratio property to have constraining keywords (r163840)
Percentage width replaced element incorrectly rendered when intrinsic size changed (r137960)
Use computeLogical* methods instead of updateLogical* methods in RenderImage (r130806)
image not displayed in flexbox (r130714)

Sep 16, 2016
============
REGRESSION (r181720): Unnecessary layout triggered any time animated GIF advances to a new frame (r185310)
Switching between two SVG images with no intrinsic sizes causes them to get the default SVG size instead of the container size. (r181720)
incorrect flexbox relayout with overflow, padding and absolute positioning (r138770)
REGRESSION(r121789): Text not wrapping in presence of floating objects (r137331)
Flex boxes (both old and new) don't handle max-height images correctly. (r151997)
Set relayoutChildren to 'true' only if size change happens in Table (r177782)
getComputedStyle().width wrong after text changed (r152005)
REGRESSION(r136324): Flexbox should relayout flex children when width changes (r141290)
REGRESSION(r136324): flex items with percent heights not resizing (r138037)
Avoid a second layout of flex items in layoutAndPlaceChildren() (r136324)

Sep 15, 2016
============
min-width/max-width of min-content/max-content don't work correctly if width is specified (r147275)
CSSParser does not allow the absence of whitespace between "and" and "expression" (r139316)
Max width of a floated container with floated children calculated incorrectly (r138899)
YARR doesn't check for invalid flags for literal regular expressions (r205937)
[ES6] Implement RegExp sticky flag and related functionality (r197869)	
Web Inspector: [REGRESSION] [Styles] Rule disappears if edited selector does not affect selected node (r136488)
Web Inspector: [Styles] Retain selector case as written in the source code (r136370)
Web Inspector: [Styles] For group selectors, transmit their segments with the "matches" flag (r129470)	
Web Inspector: [REGRESSION] Cmd-Shift-C doesn't enable element inspection mode when inspector hidden (r129348)	
Web Inspector: Group selectors to highlight matched selector in the Styles pane of Elements Panel (r128746)
Web Inspector: [Styles] Styles not updated when there is a heavy stream of DOM updates (r128407)
Web Inspector: build Elements, Resources, Timeline, Audits and Console panels lazily. (r125871)

Sep 14, 2016
============
AutoTableLayout applies min-width redundantly with RenderTable (r143555)
REGRESION(r130774): preferred width of tables does not take max-width into account (r140479)
max-width property is does not overriding the width properties for css tables(display:table) (r130774)
Attempt to fix the build after r165542 (r165561)
REGRESSION(r165542): printing/page-rule-selection.html failing (r165557)
Remove StyleResolver::State::m_parentNode (r165542)
[Refactoring] Remove elementParentStyle from SelectorCheckerContext (r140531)
Make StyleResolver::applyProperty use isInherit in CSSPropertyWebkitMarquee instead of calculating equivalent in-place. (r135760)
DFG NewArrayBuffer node should watch for "have a bad time" state change. (r205882)
[JSC] Use GetArrayLength for JSArray.length even when the array type is undecided (r205830)

Sep 12, 2016
============
REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled. (r180083 rolled out, crash)	
Don't create StyleResolvers just to invalidate them. (r149392)
Crash in WebCore::ElementRuleCollector::collectMatchingRulesForList (r147928)
Continuations casting issue. (r166736)
REGRESSION (r121551) Incorrect handling of invalid media query list. (r153822)	
Regression r130057: Improper preferred width calculation when an inline replaced object, wrapped in an inline flow, follows some text. (r133292)
CSS Style is not recalculated when media attribute of style element is changed (r130816)
http/tests/w3c/dom/nodes/Element-matches.html is flaky (r189252)
Preloads should be cleared when JavaScript cancels loading prematurely. (r143789)
Make hasOwnProperty ALWAYS_INLINE (r205753)

Sep 09, 2016
============
Possible dangling CachedResourceClient of StyleRuleImport and XSLImportRule (r154889)

Sep 08, 2016
============
Move StylePropertySet internal storage access helpers to subclass. (r148406)
Move property setting/removing functions to MutableStylePropertySet. (r148403)	
Move addParsedProperty/addParsedProperties to MutableStylePropertySet. (r148400)
CSSParser should return ImmutableStylePropertySets. (r148399)
Move parseDeclaration() and clear() to MutableStylePropertySet. (r148397)
Move CSSOM classes to using MutableStylePropertySet over StylePropertySet. (r148396)	
Rename/tweak some StylePropertySet/CSSStyleDeclaration copying functions. (r148365)    
Remove unused method CSSStyleDeclaration::makeMutable(). (r148359)    
StyledElement: Don't expose a mutable direct interface to the inline style. (r143868)
StyledElement: Tweak signature of collectStyleForPresentationAttribute(). (r143843 partial)

Sep 07, 2016
============
Use inline capacity for StylePropertyShorthand Vectors. (r201559 partial)	
Reduce CSSProperty's StylePropertyMetadata memory footprint by half when used inside a ImmutableStylePropertySet. (r153581 + r153650)	
	
Sep 06, 2016
============
Implement 'round' and 'space' values for border-image (r191590)
Fix warning in makeprop.pl (r156400)
Make the table static const. (r155550)
Support ruby-position: {before, after} (r137359)
Transition call and construct JITStubs to CCallHelper functions (r157164)
CSSProperty::isInheritedProperty is large (r155511 + r156228)

Sep 02, 2016
============
[CSS Blending] Remove the -webkit- prefix for mix-blend-mode and isolation CSS properties (r167448)	
[CSS Blending] Parse and implement the -webkit-isolation CSS property. (r164795)
[CSS Blending] Refactor -webkit-blend-mode to -webkit-mix-blend-mode (r164480)
[CSS Background Blending] Unprefix the -webkit-background-blend-mode property (r163633)
Remove ENABLE_CSS_COMPOSITING guards around -webkit-background-blend mode related code. (r152083)
Add support for parsing of -webkit-background-blend-mode (r142168)
Turn Compositing on by default in WebKit build (r130460)
Add support for blendmode to webkit rendering engine (r127162)
parse CSS attribute -webkit-blend-mode (r126105)
[CSS Shaders] Parse mix function (r124820)

Sep 01, 2016
============
When using SVG as an image, we should load datauri images when these images are not in the image cache. (r179626)
Fix crashes due to failed ImageBuffer allocation (r151525)
Object.getPrototypeOf() should return null cross-origin (205258)

Aug 31, 2016
============
Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time (r204162 partial)
[CSS Shapes] shape-outside: ellipse(50% 50% at) causes crash (r165835 complete)
[CSS Shapes] CSS parser accepts trailing position arguments (r165655 complete)	
[css shapes] Parse new ellipse shape syntax (r159954 partial)
Cleanup usage of CSSPropertyID and CSSValueID inside WebKit. (r151783)
Make sure to use CSSValueID and CSSPropertyID rather than integers (r151754)
CSS3 Multicolumn: column-span should accept value 'none' (instead of '1') (r136053)
Fix CSSParserValue::createCSSValue() for viewport based units. (r126828)

Aug 26, 2016
============
[CSS Shapes] shape-outside: ellipse(50% 50% at) causes crash (r165835 partial)
[CSS Shapes] CSS parser accepts trailing position arguments (r165655 partial)
[css shapes] Layout support for new circle shape syntax (r159979 partial)
[css shapes] Parse new circle shape syntax (r159585 partial)
Crash on shape-outside when using calc() (r156586)
REGRESSION(r180060) New js/regress-141098 test crashes when LLInt is disabled. (r180083)
Unreviewed, another ARM64 build fix. (r157621)

Aug 25, 2016
============
Don't set z-index: 0 on lots of elements with -webkit-overflow-scrolling: touch (r152335)
-webkit-clip-path is applied on elements that are not descendant of the container (r129215)
BasicShapePolygon::path takes width instead of height for boundary calculation (r132257)
Use -webkit-clip-path shapes to clip HTML elements (r127608)
-webkit-clip-path does not apply origin for polygon() (r127548)
Use -webkit-clip-path shapes to clip SVG elements (r127383)
Add support for blendmode to webkit rendering engine (r127162)
z-index should work without position on flexitems (r125693)
Introduce new CSS property for clip-path (r127327 + 127371)

Aug 24, 2016
============
No LLInt Test Failure: jsc-layout-tests.yaml/js/script-tests/object-literal-duplicate-properties.js.layout-no-llint (r184647)
strict mode eval should not fire the var injection watch point (r204861)
ASSERTION FAILED: : line >= firstLine in BytecodeGenerator::emitExpressionInfo. (r204422)
Assertion failure for destructuring assignment with new.target and unary operator (r200293 partial)
Current implementation of Parser::createSavePoint is a foot gun (r195484 partial)
Support unprefixed deconstructing assignment (r159139)
Refactor parser rollback logic (r158074)

Aug 23, 2016
============
Source and stack information should get appended only to native errors (r182495)

Aug 19, 2016
============
Fix problems with divot and lineStart mismatches. (r153477)
Remove an invalid assertion in the DFG backend's GetById emitter. (r204570)
ScriptExecutionContext log exception should include a column number (r149131)
Web Inspector: ConsoleMessage should include line and column number where possible (r149125 partial)    

Aug 18, 2016
============
We allow assignments to const variables when in a for-in/for-of loop (r204596 partial)
Fix 30% JSBench regression (caused by adding column numbers to stack traces). (r152494)
StackFrame::column() returning bogus value (r148720)
Unify the many and varied stack trace mechanisms, and make the result sane. (r147858 complete)
Fix O(n^2) op_debug bytecode charPosition to column computation. (r146552)
Fixed a potential bug in MarkedArgumentBuffer. (r204572)

Aug 16, 2016
============
Fix incorrect debugger column number value. (r146318)	   
Make JSValue::strictEqual() handle failures to resolve JSRopeStrings. (r204485)
[Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid() (r204495)

Aug 15, 2016
============
Parser::parseVarDeclarationList gets the wrong JSToken for the last identifier (r179873 partial)
Deconstruction object pattern node emits the wrong start/end text positions (r173026 partial/revisited)
Web Inspector: [JSC] implement setting breakpoints by line:column (r124729)

Aug 11, 2016
============
DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals. (r204360 partial)

Aug 10, 2016
============
JavaScriptCore should discard optimized code after some time (r189620 partial)
Watchpoints should be allocated with FastMalloc (r186705 partial)
Add InvalidationPoints to the DFG and use them for all watchpoints (r158304 revisited)

Aug 09, 2016
============
CodeBlock::jettison() should be implicit (r154986)
Reduce parser overhead in JSC (r133688 partial)
ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren(). (r204261)

Aug 08, 2016
============
various math operations don't properly check for an exception after calling toNumber() on the lhs (r204206 partial)
compilePutByValForIntTypedArray() has a slow path in the middle of its processing (r204204)

Aug 06, 2016
============
Assertion failure in WebCore::FrameLoader::stopLoading() running fast/events tests (r191688)
Element::normalizeAttributes() needs to handle arbitrary JS executing between loop iterations. (r178363)
JSC virtual call thunk shouldn't do a structure->classInfo lookup (r199861 partial)
virtualForWithFunction() should not throw an exception with a partially initialized frame. (r164472)   
Transition call and construct JITStubs to CCallHelper functions (r157164 partial)   

Aug 05, 2016
============
CodeBlock::prepareForExecution() is silly (r154833 partial + r154838)
CodeBlock compilation and installation should be simplified and rationalized (r154824 partial) 
fourthTier: Executable and CodeBlock should be aware of DFG::Plans that complete asynchronously (r153165 partial)    

Aug 03, 2016
============
Assertion failure while setting the length of an ArrayClass array. (r203952)
Undefined Behavior in JSValue cast from NaN (r203925)

Jul 29, 2016
============
ASSERTION FAILED in errorProtoFuncToString() when Error name is a single char string. (r203853)

Jul 28, 2016
============
[ARM] Typo fix after r121885 (r203817)
Sticky positioning is broken for table rows (r162960)
Use-after-free in SliderThumbElement::dragFrom (r158724)
Use-after-free in CompositeEditCommand::cloneParagraphUnderNewElement (r148908)
Potential use after free in ApplyStyleCommand::splitAncestorsWithUnicodeBidi (r148497)

Jul 27, 2016
============
Heap-use-after-free in WebCore::LiveNodeListBase::invalidateCache (r140103)
HTMLCollection should use the same storage as DynamicNodeList (r135429 + r135431 + r135438)
Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement (r138537)
Heap-use-after-free in WebCore::RenderBlock::finishDelayUpdateScrollInfo (r137632)
Heap-use-after-free in WebCore::RenderLayer::paintList [MathML] (r136554)
REGRESSION(r127163): Respect clearance set on ancestors when placing floats (r159575)
Implement the -webkit-margin-collapse properties correct rendering (r142974)
REGRESSION(r136967): Combination of float and clear yields to bad layout (r142659)	
Misaligned logo on www.nzherald.co.nz possibly due to negative margin-top (r140358)
REGRESSION(r136967): margin-top + overflow:hidden causes incorrect layout for internal floated elements (r139337)
REGRESSION(r127163): Content is offset to the right at rea.ru (r136967)
Regression(r127163): Heap-use-after-free in WebCore::RenderBoxModelObject::hasSelfPaintingLayer (r127509)
CSS 2.1 failure: margin-collapse-clear-012 fails (r127163)
[WebSocket] Receiving a large message is really slow (r129239)
REGRESSION (r123848): Heap-use-after-free in WebCore::CachedResource::didAddClient. (r125292)
Gather the duplicated timer code into CachedResource. (r123848)
Re-order variables in BidiRun and LayoutState (r133713)
WebSocket crash when a connection is closed from server side (r173848)
Crashes in WebSocketChannel::processFrame when processing a ping (r147938)
Simulated events instances do not all have the same underlying event (r134995)
Regression(r132681): Heap-use-after-free in WebCore::RenderTextTrackCue::layout (r133609)
Fix use-after free when using a variable to specify a -webkit-filter. (r129189)
use after free in WebCore::FileReader::doAbort (r127082)

Jul 25, 2016
============
Do not restart the matched properties cache timer if active (r141280)	
Top layer fails for inline elements (r140075)
StyleResolver: Garbage collect the matched properties cache on a timer. (r131388 revisited)

Jul 22, 2016
============
Crashes with detached ArrayBuffers (r203204 partial/rework)
Use moveDoubleToInts in SpecializedThunkJIT::returnDouble for non-X86 JSVALUE32_64 ports. (r159873)

Jul 21, 2016
============
CrashOnOverflow in JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets (r203452 partial)
[JSC] RegExp with deeply nested subexpressions overflow the stack in Yarr (r201412 partial)
Remove JSDependentRetained.h and V8DependentRetained.h (r136815)

Jul 20, 2016
============
Crash under WebCore::DOMWindow::dispatchMessageEventWithOriginCheck attempting to log console message (r185712)
Don't crash when SerializedScriptValue deserialization fails (r164008)
Use-after-free in ApplyStyleCommand::removeInlineStyle (r153102)
Use-after-free in RadioInputType::handleKeydownEvent (r151986)	
Use-after-free in DOMSelection::containsNode (r150498)
Potential use-after-free of Frame (r149780)
Heap-use-after-free in WebCore::InlineFlowBox::deleteLine (r147765 + r149641)
Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for MessageEvent (r140891)
Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent (r140886)
Regression(r107058): Use-after-free in SerializedScriptValue::deserialize (r140748)
NativeToJSValue is harcoding the $thisValue in some strings (r201419)
heap use-after-free at WebCore::TimerBase::heapPopMin() (r200986)	
Use after free in WebCore::RenderObject::nextSibling / WebCore::RenderBoxModelObject::moveChildrenTo (r168448)
IndexedDB: Add clear() method to JSC ScriptValue (r134689)	
	
Jul 19, 2016
============
Progressive JPEG outputScanlines() calls should handle failure (r167381)
Crash when removing children of a MathMLSelectElement (r188014 partial)	
Add an MathMLSelectElement class to implement <maction> and <semantics>. (r160005)
DeferredWrapper should clear its JS strong references once its promise is resolved/rejected (r185404 partial)
EventListenerMap: Use Vector instead of HashMap as backend. (r128002)
ASSERTION FAILED: : (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) -- WTF/wtf/DateMath.cpp (r203376)
Crash in WebCore::NotificationCenter::stop() (r181256)
Crash in WebCore::NotificationCenter::stop() (r181219)
[WTF] Add OwnArrayPtr vectortraits template (r151093)
Give AtomicString SimpleClassVectorTraits. (r127973)
	
Jul 15, 2016
============
JSONObject Walker::walk must save array length before processing array elements. (r203229)
[mips] Handle properly unaligned halfword load (r203226)
ShareableElementData should use zero-length array for storage. (r143726)
ElementData: Move leafy things out of the base class. (r143014, rolled in r144010)
Stronger ElementData pointer typing. (r142826)
The style resolution cache applies properties incorrectly whenever direction != ltr (r173906)
REGRESSION (r159218): FrameView::layout() should destroy TemporaryChange<LayoutPhase> before destroying Ref<FrameView> (r165396)
ASSERTION FAILED: m_repaintRect == renderer().clippedOverflowRectForRepaint(renderer().containerForRepaint()) after r135816 (r159218 partial)
getAttribute does not behave correctly for mixed-case attributes on HTML elements (r148614)	    
ASSERTION FAILED: m_repaintRect == renderer()->clippedOverflowRectForRepaint(renderer()->containerForRepaint()) after r135816 (r147759)
REGRESSION(r143076): Crash when calling removeNamedItem or removeNamedItemNS with a non-existent attribute of newly created element. (r143115)
Element: Avoid unrelated attribute synchronization on other attribute access. (r143112)	    
Calling DOM Element.attributes shouldn't force creation of ElementData. (r143076)	    
Remove Element::getAttributeItem() overload that returned a mutable Attribute*. (r142827)
Better names for ElementAttributeData & subclasses. (r142791)
Remove Element::ensureAttributeData(). (r142741)
Keep ElementAttributeData sharing cache open for a while after document parsing finishes. (r136334)
Node: Move AreSVGAttributesValidFlag to ElementAttributeData. (r135816)
Node: Remove IsSynchronizingSVGAttributesFlag. (r135793)
Make it possible for elements with different tag names to share attribute data. (r135421)
Exploit shared attribute data to avoid parsing identical "style" attributes. (r135021)
Short-circuit Element::hasEquivalentAttributes() if elements share attribute data. (r134947)
Only resolve presentation attribute style once per shared ElementAttributeData. (r134664)
Move inline style logic from ElementAttributeData to StyledElement. (r134539)
Rename AttributeStyle => PresentationAttributeStyle across WebCore. (r134322)
removeAttribute('style') not working in certain circumstances (r133581)
Remove Page::javaScriptURLsAreAllowed setting. (r132023 partial)
Enable ElementAttributeData sharing for non-HTML elements. (r129318)

Jul 14, 2016
============
Adapt inline SVG sizing behavior to Firefox and Blink (r168350 partial)	
REGRESSION (r146272): layout issues for flex boxes that have -webkit-flex-wrap: wrap (r146684)
Positioned, replaced elements with intrinsic width keywords compute the wrong width (r143539)
Make intrinsic width values work for positioned elements (r143476)    
Intrinsic and preferred widths on replaced elements are wrong in many cases (r142931)
Fixed width overrides intrinsic min-width/max-width for text inputs and listboxes (r139536)
Setting width overrides intrinsic min-width/max-width on flexboxes and their subclasses (r139535)
Flexboxes incorrectly add the scrollbar width to the intrinsic width of fixed-width items (r139351)
intrinsic min-widths don't override width for file upload controls (r139329)	
min-content gets the wrong value if min-width is set on some form controls (r139216)
REGRESSION(r143102): Ignore table cell's height attribute when checking if containing block has auto height. (r147199)
REGRESSION(r143102): iframe with percentage height within table with anonymous cell fails. (r147021)
percentage top value of position:relative element not calculated using parent's min-height unless height set (r143102)
Crashes with detached ArrayBuffers (r203204 partial)

Jul 13, 2016
============
[JSC] Array.prototype.join() fails some conformance tests (r203147 partial)
Stack overflow crashes with deep or cyclic proxy prototype chains (r201495 partial)
JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls (r198592 partial)
Make converting JSString to StringView idiomatically safe (r186037 partial)
Optimize Array.join and Array.reverse for high speed array types (r185942 partial + r185943)
Fix Array.concat with RuntimeArray (regression from my last patch) (r185904)
Add AtomicString::number and use it (r156965 partial)

Jul 12, 2016
============
REGRESSION (r125912): Crashes in worker tests (r125946)
some paths in Array.prototype.splice don't account for the array not having certain indexed properties (r203087 partial)

Jul 11, 2016
============
Streamline cached wrapper lookup for Nodes in the normal world. (r166823)
Loading <object> from WebArchive crashes (r169472)
[ftlopt] Reduce the GC's influence on optimization decisions (r170571 partial)
We may add a ReadOnly property without setting the corresponding bit on Structure (r203015)

Jul 07, 2016
============
Kill some of the last vestiges of the C++ interpreter's PICs (r164092)	
[ARMv7] REGRESSION(r197655): ASSERTION FAILED: (cond == Zero) || (cond == NonZero) (r202899)
our parsing for "use strict" is wrong when we first parse other directives that are not "use strict" but are located in a place where "use strict" would be valid (r202828)
[JSC] RegExp.compile is not returning the regexp when it succeed (r202770)
__defineGetter__/__defineSetter__ should throw exceptions (r202755)
missing exception checks in arrayProtoFuncReverse (r202714)
Setters are just getters that take an extra argument and don't return a value (r166908 partial)

Jul 06, 2016
============
JSDOMWindow should not claim HasImpureGetOwnPropertySlot (r168914)	
Inline caching for proxies clobbers baseGPR too early (r168861)

Jun 30, 2016
============
Eagerly reify DOM prototype attributes (r169703 + r169705 + r169707)
Destructuring variable declaration is missing a validation of the syntax of a sub production when there is a rhs (r202648)

Jun 29, 2016
============
Repatch should support setters and plant calls to them directly (r166945 partial)	
some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct (r202588 partial)
Change CallFrame to use Callee instead of JSScope to implement vm() (r173706 partial)
Repatch should plant calls to getters directly rather than through a C helper (r166263 partial)
More scaffolding for a stub routine to have a stub recursively embedded inside it (r166218)
CREATE_DOM_WRAPPER doesn't need the ExecState. (r166128 partial)
	
Jun 28, 2016
============
Inline caching should try to flatten uncacheable dictionaries (r169853 revisited)
JSDOMWindow should have a WatchpointSet to fire on window close (r168548)
JSProxies should be cacheable (r167963)
Support caching of custom setters (r165208 partial + r165217)	
PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint (r164971)	
	
Jun 27, 2016
============
[JSC] Object constructor need to be aware of new.target (r200421 partial)
Put functions need to take a base object and a this value, and perform type checks on |this| (r162741)	
Generic JSObject::put should handle static properties in the classinfo hierarchy (r162740)	
REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit (r165912 partial)
GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList (r165459)
OOM Assertion failure in Array.prototype.toString (r202415)
Math.random should have an intrinsic thunk and it should be later handled as a DFG Node (r194087)
Make 32bit pass the correct this value to custom getters (r163549)
Change custom getter signature to make the base reference an object pointer (r163496)	
REGRESSION (r163011-r163031): Web Inspector: Latest nightly crashes when showing the Web Inspector (r163342)
Avoid indirect function calls for custom getters (r160688)

Jun 24, 2016
============
REGRESSION(r192855): Math.random() always produces the same first 7 decimal points the first two invocations (r201053)

Jun 23, 2016
============
Move subframe name getter lookup later in JSDOMWindow::getOwnPropertySlot (r168902 revisited)	
Simplify tryCacheGetById (r167922 revisited)
Cache getters and custom accessors on the prototype chain (r160670)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 revisited)
IC code should handle the call frame register not being the callFrameRegister (r158820 partial + r158830)	

Jun 22, 2016
============
Refactor PutPropertySlot to be aware of custom properties (r161220)
Fix resource leak of unclosed file descriptor. (r172113)
Worker threads leak WeakBlocks (as seen on leaks bot) (r183938)
Modern IDB: storage/indexeddb/structured-clone.html crashes. (r194625 partial)
Indexed getters should return values directly on the PropertySlot. (r169668)
Move the JSString cache from DOMWrapperWorld to VM. (r167605)
WeakMap reference w/ DOM element as key does not survive long enough. (r185023 rolled in, not related to document leaks on http://www.cnn.com and others)
Only generate isObservable() when IDL specifies GenerateIsReachable (r159648)
Don't generate a wasteful isObservable check in isReachableFromOpaqueRoots (r157438)	
Remove redundant Document::getElementById (r157444)
Add the NotDeletable, OperationsNotDeletable IDL attributes (r156831)
toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined (r166415)	
Change CodeGeneratorJS.pm special cases for "DOMWindow" to be general purpose (r166404)	
Stop throwing when attempting to read instance properties directly from the prototype (r163890)
Make DOM attributes appear to be faux accessor properties (r163035 + r163056)	
Global constructors exposed in worker environment have wrong attributes (r150664)
CodeGeneratorJS.pm should generate "isFiringEventListeners()" check in isReachableFromOpaqueRoots() (r148700)
Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in code generators (r140892)
Remove GenerateModule() from all code generators (r135085)	
REGRESSION (r133633): ASSERTION FAILED: m_wrapper || !m_jsFunction (r135063)
[V8] Remove IsSubType() from CodeGeneratorV8.pm (r134940)
ScriptWrappable should work for more than just Node (r133633)

Jun 21, 2016
============
DOM bindings should use thisValue for attributes (r160879)	
Refactor CodeGeneratorJS - Move attribute function creation out of getOwnPropertyName guard (r160793)
Refactor static getter function prototype to include thisValue in addition to the base object (r160208)
	   
Jun 20, 2016
============   
MessageEvent.source window is incorrect once window has been reified (r199087 partial)	   
REGRESSION (174847): can't view NHK(Japan's national public broadcasting organization)s news pages (r178966)
JSXMLHttpRequest::visitAdditionalChildren does not need to explicitly mark m_response (r187736)
Fix toJSDOMWindow() in the case of an object that has the actual JS DOM window in its prototype chain. (r187165)
Don't create cached functions for HTMLDocument.write*() (r174985 + r175706)
Don't create cached functions that access lexicalGlobalObject() (r174847 + r174918))
Move subframe name getter lookup later in JSDOMWindow::getOwnPropertySlot (r168902)
ASSERTION FAILED: "!m_isolatedWorld->isNormal() || m_wrapper || !m_jsFunction" in svg/custom/use-instanceRoot-event-listeners.xhtml (r167794)
JS wrappers should have strongly typed impl() functions. (r156419)
[JSC] Generate visitChildren() for uncustomized EventTarget interfaces (r136482)
A mistake in WebCore::JavaScriptCallFrame::evaluate which will cause assert failed (r132573)
Assertion going back to results.html page from an image diff result (r126090)
Remove hack that allowed plug-ins to always take over certain image formats (r190826)
Plugin create can end up destroying its renderer. (r186666)
Roll out changes not part of the patch reviewed for Bug 132089 (r167852)
Frame and page lifetime fixes in WebCore::createWindow (r167851)
RenderEmbeddedObject shouldn't know about fallback content. (r158657 partial)
Fix crash in http/tests/plugins/plugin-document-has-focus (r125543)
REGRESSION (r188820): fast/dom/HTMLObjectElement/object-as-frame.html is flaky (r189164)
loadSubframe can return null in SubframeLoader::loadOrRedirectSubframe (r163599)	
	
Jun 16, 2016
============
ImageDocuments leak their world. (r197856 rolled out, document leaks on http://www.cnn.com and others)	
	
Jun 15, 2016
============
Remove SelectRuleFeatureSet (r149708)
ASSERT when loading github.com (r199607)
Calling importNode on shadow root causes a crash (r196998 partial)
Form elements should match :valid and :invalid based on their associated elements (r177664)
Fix two bad function names of HTMLFormControlElement (r176250)
Implement :valid and :invalid matching for the fieldset element (r176174)
Lazily create HTMLInputElement's inputType and shadow subtree (r176069)

Jun 14, 2016
============
Elements must be reattached when inserted/removed from top layer (r140931)
Don't allocate rare data on every Element on removal (r140638)
setIsInTopLayer is not really a setter (r136575)
Remove unneeded optimization in Element::isInTopLayer (r135270)
REGRESSION(r133214): Don't invalidate style when adding classes that don't match rules (r162843)
Store ShadowRootType inside the bitfield (r141075)
[Shadow DOM]: ShadowRoot has wrong nodeName attribute (r139198)
NodeRenderingContext is slow due to ComposedShadowTreeWalker (r137715)
[Shadow DOM] Implement Element::shadowRoot with prefix (r136924)
ShadowRoot should recalcStyle for itself (r136675)
[Refactoring] HasSelectorForClassStyleFunctor in Element.cpp seems verbose (r135967)
Changing id, className, or attribute should invalidate distribution (r135174)
[Refactoring] Create SelectRuleFeatureSet for collecting RuleFeatureSet for select attribute (r134219)
[Shadow] ElementShadow should have RuleFeatureSet for select attribute selectors. (r134184)
[Refactoring] Expose collectFeaturesFromSelector from RuleSet.cpp (r134008)
[Shadow] ShadowRoot should know the existence of elements having ElementShadow. (r133575)	
LayoutTest fast/dom/shadow/shadowroot-type.html is failing on Windows (r133548)
[Shadow] ShadowRoot should be able to know the existence of <content> (r133392)	
The shadow element is not reprojected to a nested ShadowRoot. (r132760)
[Shadow]: removing styles in shadow dom subtree causes crash. (r132621)
[Shadow] Fallback content should also be reprojection. (r132174)
[Meta] [Shadow] contenteditable attribute for distributed nodes. (r131464)
[Shadow DOM] Insertion points need resetStyleInheritance (r131136)
[Refactoring] ContentDistributor::distributeSelectionsTo should not change ContentDistribution pool. (r128956)
[Scoped Style] NodeRareData::m_numberOfScopedHTMLStyleChildren could be replaced with a node flag. (r128331)
Rename ContentDistributor::distributeShadowChildrenTo to distributeNodeChildrenTo. (r126824)
Crash in WebCore::RenderBlock::willBeDestroyed (r138850)
REGRESSION(137336): Generated run-ins are not placed correctly (r137528)
Switch to new PseudoElement based :before and :after (r137336)	
[CSS Regions] Fix content node renderers ordering inside the named flow thread (r136107)
Clean up loop in NodeRenderingContext::nextRenderer and previousRenderer (r135237)
RenderLayerModelObject shouldn't need a pre-destructor hook. (r175475)
Fix functions calling to RenderObject superclass to call RenderElement instead (r156255)	
Heap-use-after-free in WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects. (r142760)

Jun 13, 2016
============
Free one bit in RenderObject (r138113)
Move RenderView::setFixedPositionedObjectsNeedLayout to FrameView (r127783)
Regression: Heap-use-after-free in WebCore::FrameView::scrollContentsFastPath (r127497)
If both left and right (or top and bottom) are specified for sticky, use left (or top) (r126812)
Implement sticky positioning (r126774 + r126919 + r127301)
Garbage texture data with composited table row (r190820)
CSS clip property should make layers non-opaque (r170307)
Garbage at the top of http://www.technologyreview.com after scrolling (r149084)
Refactor layer-related logic out of RenderBoxModelObject (r130081)
FrameView: Remove code for disabling repaints. (r156977)
Separate SVG image size and container size (r146227)
Account for transform in SVG background images (r143541)
Replace SVG bitmap cache with directly-rendered SVG (r142765)
Track scale and zoom together when drawing SVG images (r141303)
Canvas drawImage() should draw SVG at the correct scale. (r126094)
[JSC] Inline JSC::toInt32 to improve kraken (r201964 + r201966)
The backend should be happy to compile Unreachable even if AI didn't prove it to be unreachable (r201936)

Jun 10, 2016
============
PingHandle delete's itself but pointer is still used by handleDataURL (r198143)
Permanent redirects should have long implicit cache lifetime (r184837)
Assertion hit DOMTimer::updateTimerIntervalIfNecessary() (r175655 partial)
Simplify treeScope and setTreeScope (r136328)
StylePendingImage needs to correctly manage the CSSValue pointer lifetime (r160479 partial)
SVG-as-image: Throw out cached bitmap renderings after they sit unused for some time. (r139236)
Make sure we don't mishandle HTMLFrameOwnerElement lifecycle (r200216)
Micro-optimize JSNodeOwner::isReachableFromOpaqueRoots(). (r164900)
Remove custom finalizer for Node JS wrappers. (r157230)
Simplify and optimize ChildListMutationScope (r129280 + r129288)
ImageLoader can't be cleared when video element poster attribute removed. (r128654)
Rare failure in stress/v8-deltablue-strict.js.ftl-eager (r201900 partial)
Fix passing null / undefined as NodeFilter parameter for createNodeIterator() / createTreeWalker() (r188745)
Remove leak of objects between isolated worlds on custom events, message events, and pop state events. (r186955)
CustomEvent: Allow taking in a serialized value during initialization. (r134120)

Jun 08, 2016
============
MediaStream API: Update RTCPeerConnections stream accessors to match the latest specification (r141871)
MediaStream API: Deleting all files relating to the deprecated PeerConnection00 (r134084)
[Shadow DOM] Kill ShadowRoot constructor (r137408)
Element.pseudo property should be prefixed (r136913)
[Shadow DOM] Element.createShadowRoot() should be prefixed. (r136092)
[Shadow DOM] Implement Element::createShadowRoot() (r135693)
[Shadow] attribute pseudo should return empty string instead of null when nothing is specified. (r135236)
[Shadow] Element should have getter and setter of attribute 'pseudo' (r133268)
Support re-projection for Shadow DOM. (r131070)  
XMLHttpRequest: status and statusText throw DOM Exception 11 when the state is UNSENT or OPENED. (r165229)
XMLHttpRequest performs too many copies for ArrayBuffer results (r163444)    
Have XHR.getResponseHeader() return null and XHR.getAllResponseHeader() return the empty string in initial ready states (r163022)
XHR.response is null when requesting empty file as arraybuffer (r158333)
Reuse of XMLHttpRequests causes character corruption in response text (r153553)
InvalidationPointInjectionPhase creates bogus InvalidationPoints that may even be inserted when it's not OK to exit (r201776)

Jun 07, 2016
============
[JSC] Do not allocate unnecessary UTF-8 string for encodeXXX functions (r201756 partial)
Stub out WebSpeech synthesis (r139918)
Add support for :read-write/:read-only matching editable content (r173441 + r173559)
Update the current matching of :read-only and :read-write to the latest spec (r173328)
[Mac] media/track/audio-track.html is flakey (r176024)
Crash in GenericEventQueue::timerFired since the owner of GenericEventQueue is deleted during dispatching events. (r124843)
octal and binary parsing is wrong for some programs (r201737)
rootRenderer in FrameView is really RenderView (r142647 partial)
Handle createShadowSubtree inside of ensureUserAgentShadowRoot (r141066)
Move ensureUserAgentShadowRoot to Element (r141002)
Adding a text track should not make controls visible (r140862 partial)
Refactor ValidationMessage class (r128254)
AuthorShadowDOM for meter element (r125659)                                   
Remove Element::ensureShadowRoot (r125007)	
AuthorShadowDOM for progress element (r124754)

Jun 06, 2016
============
:read-write pseudo-class should not be applied on <input type="text" disabled> (r156387)
[jsc][mips] Implement absDouble() (r201716)
Crash under JSObject::getOwnPropertyDescriptor() (r201712)
Refactoring: Rename Element::shouldMatchReadOnlySelector and shouldMatchReadWriteSelector (r137284)
Refactoring: Introduce HTMLFormControlElement::isDisabledOrReadOnly (r137124)
:read-only selector should match to date/time input types (r135829)
[WK2] Support download attribute feature (r198893)
JSON.stringify replacer function calls with numeric array indices (r201674)

Jun 03, 2016
============
Large array shouldn't be slow (r183787 partial)	
Eliminate two large sources of temporary StringImpl objects. (r201645)
Hang when calling setCurrentTime on SVG with cyclic animation dependency chain (r147434)
REGRESSION: JSBench spends a lot of time transitioning to/from dictionary (r201436 + r201445 rolled out + r201573 partial)	
		
Jun 02, 2016
============
CachedResource leak in validation code (r188358)	
Memory leak for a protected Element having pending events in ImageLoader. (r186267)
Crash when ImageLoader deletes Element inside SVGImageElement (r144825)
CachedResource::clearLoader() should self-destruct if nothing else retains the CachedResource. (r180068)
Memory leaks with autoLoadImages off (r171036)
REGRESSION(r150867): FrameView auto-sizing + delegate denied image load may cause StyleResolver to re-enter itself. (r153072)
Crash in WebCore::SubresourceLoader::releaseResources when connection fails (r150867)
Fix memory leaks in platform/image-encoders/JPEGImageEncoder.cpp (r158280)
Avoid Node references from AXObjectCache from leaking (r154859 partial)
Don't keep unassociated elements in the past names map (r154761)
JSHTMLFormElement::canGetItemsForName needlessly allocates a Vector (r154586)
id of iframe incorrectly sets window name (r191652)
Dictionary property access should be fast (r201562 partial)
		
Jun 01, 2016
============
Calling SVGAnimatedPropertyTearOff::animationEnded() will crash if the SVG property is not animating (r199598)
Reference cycle between SVGPathElement and SVGPathSegWithContext leaks Document (r194964 partial)
SVGPropertyTearOffs should detachChildren before deleting its value. (r165053)
Prevent infinite loop in SVG use cycle detection (r145216)
ASSERT triggered in SVGTRefTargetEventListener::handleEvent() (r126205)

May 31, 2016
============
Exploitable crash happens when an SVG contains an indirect resource inheritance cycle (r191731 + r191746 + r191748)
Clean up SVGPatternElement::collectPatternAttributes (r162792)
Cyclic resources were not detected if the reference had deep containers (r189953)
REGRESSION (r196268): Many assertion failures and crashes on SVG path animation tests when JS garbage collection happens quickly (r197125)
REGRESSION(r196268): WTFCrashWithSecurityImplication on SVG path animation tests (r196670)
REGRESSION(r181345): SVG polyline and polygon leak page (r196268)

May 30, 2016
============
Log which ActiveDOMObject(s) can't be suspended for PageCache. (r178223 partial)
MediaStream API: Update the RTCPeerConnection states to match the latest specification (r140310)
MediaStream API: Update RTCPeerConnection states to match the latest editors draft (r134976)
MediaStream API: Don't trigger any object deletion during RTCPeerConnection::stop (r134093)
Source/WebCore: MediaStream API: Make sure all events are dispatched asynchronously (r132420)
MediaStream API: Fix the incorrectly spelled RTCPeerConnection::onnegotiationneeded callback (r129397)
MediaStream API: add RTCPeerConnection::onnegotiationneeded (r128166)
MediaStream API: add RTCPeerConnection::createAnswer (r127906)
MediaStream API: Add the local and remote description functionality to RTCPeerConnection (r127766)
MediaStream API: Add the async createOffer functionality to RTCPeerConnection (r127501)
MediaStream API: Add MediaStream management to RTCPeerConnection (r127365)
MediaStream API: Introduce RTCSessionDescription (r126333)

May 27, 2016
============
MediaStream API: Implement RTCDataChannel (r131372)
MediaStream API: Add Ice-related functionality to RTCPeerConnection (r127425)
MediaStream API: Introduce MediaConstraints (r127165)
MediaStream API: Add readyState functionality to RTCPeerConnection (r126586)
MediaStream API: Introduce RTCIceCandidate (r126328)
MediaStream API: Add RTCPeerConnectionHandler infrastructure (r124460)
MediaStream API: Move RTCConfiguration to its proper place (r124421)
Introduce a minimal RTCPeerConnection together with Dictionary changes (r124193)
time element should use HTMLTimeElement interface (r190106)	
Implement the HTML <main> element. (r140341)	
HTMLTreeBuilder::furthestBlockForFormattingElement should belong to HTMLElementStack (r126355)
Move causesFosterParenting() to HTMLStackItem (r124537)
Avoid downloading the wrong image for <picture> elements. (r195132)
Fix the !ENABLE(VIDEO) build after r192953 for <picture> element introduction (r194278)
Implement the picture element. (r192953)

May 26, 2016
============
[Cairo] Implement Path::addPath (r183088)
[Cairo] Implement Path::addEllipse (r180881)
Add support for canvas ellipse method (r180790)
Implement method addPath for Path2D (r165910)
Quadratic and bezier curves with coincident endpoints rendered incorrectly (r141500)
Change navigator.webkitGamepads[] to navigator.webkitGetGamepads() (r123937)
[canvas] Implement currentPath to get and set the current path of the context (r141456)
Implement Canvas Path object (r140604)
Make timerNestingLevel threadsafe (r173133)
DOMTimer::m_nestingLevel is prone to overflow (r173132)
DOMTimer may be deleted during timer fire (r172963)
Numeric identifiers of events are not guaranteed to be unique (r142909)
Numeric identifiers of events should not be globally sequential (r135478)

May 25, 2016
============
REGRESSION (r153406): DOM intervals are not properly restarted when resumed (r153531)        
Make SuspendableTimer safer (r153406)
EventSource: Loss of reconnect time precision due to integer division (r149436)
EventSource: Synchronous loader callback not handled properly (r149098)
cloneNode(true) does not clone nested template elements' contents (r177314)
Remove the unused deletion UI feature (r175647)
Implement Document.cloneNode() (r160330)
cloneChildNodes looks for deleteButtonController in each level of recursion (r149127)
Turn avoidIntersectionWithNode into Editor member functions to encapsulate delete button controller (r142705)
Crash in ContainerNode::cloneChildNodes. (r142533)
Implement the new stacking layer needed by the Fullscreen API and the new <dialog> element (r135242)
Vertically center non-anchored <dialog> elements (r127681)

May 24, 2016
============
Use isDocumentFragment() instead of comparing nodeType() with Node::DOCUMENT_FRAGMENT_NODE (r161024)
Clear TemplateContentDocumentFragment::m_host when HTMLTemplateElement is destroyed (r159596)
[HTMLTemplateElement] When adopting a template element, also adopt its content into the appropriate document (r138756)	
[HTMLTemplateElement] Disallow cycles within template content (r138730)	
HTMLTemplateElement.innerHTML should be parsed into the template contents owner document (r137021)
[HTMLTemplateElement] make content readonly and cloneNode(deep) clone content (r136903)
Add infrastructure for :before and :after in DOM (r136744)	
parser* methods in ContainerNode should not support DocumentFragment (r136584)
Implement HTMLTemplateElement (r136467 + r136480)	
Corrupted DOM tree during appendChild/insertBefore (r136405)
checkAcceptChild() needs fewer virtual calls (r136076)	
[Refactoring] NodeFlags::IsShadowRootFlag should be Node::IsDocumentFragmentFlag (r135833)
[Refactoring] Some Node::isDescendant calls can be replaced with Node::contains() (r135695)
Frame element doesn't always unload its child frame. (r127534)
JSScope::abstractAccess doesn't need to copy the SymbolTableEntry, it can use it by reference (r201235 + r201266)

May 20, 2016
============
Add new JSDependentRetained that allows keeping a JSObject alive as long as another is alive (r128249)
IndexedDB: IDBRequest leaks if IDBCursor closes and no further events fired (r127518)
IndexedDB: IDBRequest can be GCd during event dispatch (r126254)
IndexedDB: intversion-long-queue.html fails an assert (r125231)
Layout Test storage/indexeddb/intversion-omit-parameter.html is flaky (r124974)
[JSC] MutationObservers should not create circular, leaky references (r141296)
[JSC] MutationObserver wrapper should not be collected while still observing (r135337)	
MutationObserver wrapper should not be collected while still observing (r135228)
CSP 1.1: Rename SecurityPolicyViolationEvent::sourceURL to ::sourceFile. (r146763)
CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports. (r146758)
Prefer 'KURL(ParsedURLString, String)' when dealing with known-good data. (r146580)
CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur. (r146520)
CSP 1.1: Stub out SecurityPolicyViolationEvent interface. (r146305)	
CSP 1.1: Experiment with adding line numbers to violation reports. (r138834)
Implement the form-action Content Security Policy directive. (r125772)
Implement the plugin-types Content Security Policy directive. (r125531)	

May 19, 2016
============
Add support for delete by value to the DFG (r200459 partial)	
Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated (r200387)

May 18, 2016
============
CPS rethreading should really get rid of GetLocals (r184755 partial)
Objects with numeric properties intermittently get a phantom 'length' property (r182058)
FTL should support GetById(Untyped:) (r163119 partial)
[JSC] SetLocal without exit do not need phantoms (r200898)
[JSC] Improve codegen of Compare and Test (r197652 partial)

May 17, 2016
============
ValueRecovery should distinguish between doubles in an FPR and JSValues in an FPR (r189192 partial)
Math.imul has wrong length in Safari 8.0.4 (r182868)
Remove DFG::ValueRecoveryOverride; it's been dead since we removed forward speculations (r181841)
DFG::NodeOrigin should have a flag determining if exiting is OK right now (r188771 partial)
Add some assertions about the CFG in the loop pre-header creation phase (r184646 partial)
ARMv7 compare32() should not use TST to do CMP's job. (r166716)	

May 16, 2016
============
[Win] Crash when enabling DFG JIT. (r168535 partial)
REGRESSION(r158315): Fix register mixup in JIT::compileOpCall. (r158672)
CRASH in operationCreateDirectArgumentsDuringExit() (r183307)	
Crash when attempting to perform array iteration on a non-array with numeric keys not initialized. (r175243)
Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes (r181817 complete)

May 16, 2016
============
Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the posibility of a descriptor that doesn't have a value (r196490)
Error construction for inlined operations should not use the inliner's CodeBlock (r196302)
Remove unnecessary SpecialFastCaseProfiles. (r190435)
[JSC] Emit the loads of emitLoadWithStructureCheck() in the order they are used (r200896)	
Runaway malloc memory usage in this simple JSC program (r200884)

May 13, 2016
============
cloberrize() is wrong for ArithRound because it doesn't account for the arith mode (r184541 partial)
js/regress/is-string-fold-tricky.html and js/regress/is-string-fold.html are crashing (r183650)
SpeculativeJIT::emitAllocateArguments() should be a bit faster, and shouldn't do destructor initialization (r180909)
FTL should support StringFromCharCode (r196642 partial)
The StringFromCharCode DFG intrinsic should support untyped operands. (r194996)
Use DFG Graph::binary/unaryArithShouldSpeculateInt32/MachineInt() functions consistently. (r194983)
Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters (r166142 complete)
Add extra space to op_call and related opcodes (r164503)
REGRESSION (r163027?): CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.JavaScriptCore: JSC::ArrayProfile::computeUpdatedPrediction + 4 (r163241)
DFG should allow inlining of op_call_varargs calls (r162739)

May 12, 2016
============
ARMv7 or32(TrustedImm32, AbsoluteAddress) may have a bug with its use of dataTempRegister. (r194707)
DFG ASSERTION FAILED: m_plan.weakReferences.contains(structure). (r193653)	
REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash (r172737 partial)
[JSC] Make sure StringRange is passed to Vector by register (r200743)	
TypedArray.prototype.slice should use the byteLength of passed array for memmove (r200667)
Implement SmallPtrSet and integrate it into the Parser (r198375 partial)
synthesizePrototype() and friends need to be followed by exception checks (or equivalent). (r197794 partial)   
JSSymbolTableObject::deleteProperty() crashes deleting Symbols (r196051)

May 10, 2016
============
Observably effectful nodes in DFG IR should come last in their bytecode instruction (i.e. forExit section), except for Hint nodes (r181817 partial)
the toInt32 operation inside DFGSpeculativeJIT.cpp can't throw so we shouldn't emit an exceptionCheck after it. (r190128)
DFG callOperations should not implicitly emit an exception check. At callOperation call sites, we should explicitly emit exception checks (r188764 partial)
Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads (r199052)
Merge arm and sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions. (r159871)
JavaScript parser bug (r158425)
Implement basic ES6 Math functions (r158401)

May 09, 2016
============
Need ability to fuzz exception throwing (r171213 partial)

May 06, 2016
============
[JSC] In DFG, an OSR Exit on SetLocal can trash its child node (r200498)
VarargsForwardingPhase should use bytecode liveness in addition to other uses to determine the last point that a candidate is used (r183406 partial)

May 05, 2016
============
We shouldn't crash if DFG AI proved that something was unreachable on one run but then decided not to prove it on another run (r200468)	
Add support for delete by value to the DFG (r200459 partial)

May 04, 2016
============
References from code to Structures should be stronger than weak (r200405 partial)

May 03, 2016
============
[JSC] Unify Math.pow() accross all tiers (r200208 partial)
[JSC] Add an implementation of pow() taking an integer exponent to B3 (r193989 partial)
[JSC] Improve how DFG zero Floating Point registers (r192183 partial + r192946 partial + r197687 + r197731 + r199626)

Apr 29, 2016
============
JSON.stringify shouldn't use generic get() to access Array.length (r184107)
Micro-optimize JSON serialization of string primitives. (r184006)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179539 partial)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179476 partial)
Add support for HTMLImageElement's sizes attribute (r170576 complete)
[JSC] GetByVal on Undecided use its children before its OSR Exit (r200133)
[JSC] Add support for GetByVal on arrays of Undecided shape (r188432 partial)

Apr 28, 2016
============
DFG del_by_id support forgets to set() (r199801)
We should support delete in the DFG (r199683 partial)
Reveal array bounds checks in DFG IR (r160347 partial)

Apr 27, 2016
============
Properly clear m_logicallyLastRun to remove use-after-free possibility (r164876)
DFG backends shouldn't emit type checks at KnownBlah edges (r200096 partial)

Apr 26, 2016
============
[JSC] Optimize JSON.parse string fast path (r199968)
[JSC] Optimize number parsing and string parsing in LiteralParser (r199941)
Animations sometimes fail to start (r187535 partial)
Animate clip rect() between different Length types (r149288)
REGRESSION(r111639): delayed animation start can be postponed (r144935)
Fix potential crash when canceling animations on renderers with no node (r136293)

Apr 25, 2016
============
[JSC] Improve how B3 lowers Add() and Sub() on x86 (r193804 partial)
[GTK] Fonts loaded via @font-face look bad (r180563 partial)
[Freetype] Cannot use characters outside the BMP (r141122 partial)
javascript jit bug affecting Google Maps. (r199935)
[JSC] Integer Multiply of a number by itself does not need negative zero support (r199894)

Apr 24, 2016
============
Fix mixed use of booleans in JPEGImageDecoder.cpp (r166490)
Fix JPEG decoding faiure when IMAGE_DECODER_DOWN_SAMPLING is enabled (r131075)

Apr 21, 2016
============
[JSC] DFG should not generate two jumps when the target of DoubleBranch is the next block (r199796)
[JSC] Add register reuse for ArithAdd of an Int32 and constant in DFG (r199792)
[JSC] Use 3 operands Add in more places (r197653)

Apr 20, 2016
============
r161364 caused JSC tests regression on non-DFG builds (e.g. C Loop and Windows). (r161446)
Get rid of ENABLE(VALUE_PROFILER). It's on all the time now. (r161364)

Apr 19, 2016
============
REGRESSION(r173188): Text inserted when trying to delete a word from the Twitter message box. (r176824 revisited)	
[JSC] Fix some overhead affecting small codegen (r199710)	
Use a better RNG for Math.random() (r192855 partial)

Apr 18, 2016
============
[JSC] DFG should support relational comparisons of Number and Other (r199639)
[JSC] FRound/Negate can produce an impure NaN out of a pure NaN (r199638)
Some JIT/DFG operations need NativeCallFrameTracers (r199617 partial)

Apr 15, 2016
============
CopiedBlock should be 64kB (r199589)

Apr 13, 2016
============
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179539 partial)
REGRESSION (r170576): Storage leaks in parsing of CSS image sizes (r179476 partial)
Add support for HTMLImageElement's sizes attribute (r170576 partial)

Apr 12, 2016
============
Elements whose contents start with an astral Unicode symbol disappear when CSS `::first-letter` is applied to them (r172513)
Align srcset parser with recent spec changes (r169637)	
	
Apr 11, 2016
============
Refactor the srcset parser into its own file (r169573)	
Use srcset's pixel density to determine intrinsic size (r163415)
Update HTMLPreloadScanner to handle img srcset (r153733)
srcset algorithm breaks base64 src attributes (r153627)
Implement img element's srcset attribute (r153624)
Add the default video poster if it doesn't exist in video tag (r145750)
[JSC] Optimize more cases of something-compared-to-null/undefined (r188624) 
 
Apr 08, 2016
============
DFG should have a KnownBooleanUse for cases where we are required to know that the child is a boolean and it's not OK to speculate (r188747 partial)
[JSC] Improve DFG's Int32 ArithMul if one operand is a constant (r197655)
Fix CPU(ARM_TRADITIONAL) build after r159039. (r159055)
It should be easy to disable blinding on a per-architecture basis (r158975)
[mips] Fix build for MIPS platforms. (r158670 partial)
Build break on ARMv7 after r157209 (r157784)
Unreviewed, speculative ARM build fix. (r157618)

Apr 07, 2016
============
CopiedBlock should be 16kB (r199016 rolled out)
[JSC] UInt32ToNumber should be NodeMustGenerate (r199148)

Apr 05, 2016
============
Add missing EABI_32BIT_DUMMY_ARG arguments for some callOperation(J_JITOperation_EGReoJ, ...) overloads (r199052)

Apr 04, 2016
============
Decouple font creation from font loading (r196322 + r196335 + r196376 + r196576)
Cleanup in font loading code (r194923)
The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell (r197622)

Apr 01, 2016
============
[Font Loading] General cleanup (r195523)
Allow targetting the SVG->OTF font converter with ENABLE(SVG_OTF_CONVERTER) (r178292 + r178294 + r178628)
Subclass CachedFont for SVG fonts (r176264 + r176267 rolled out + r176276 + r176410)
FontPlatformData has unnecessary m_textOrientation member (r136520)
DFG JIT bug in typeof constant folding where the input to typeof is an object or function (r198902)

Mar 31, 2016
============
Remove broken cache from CSSFontFaceSource (r195567)

Mar 29, 2016
============
Optimize ColorMatrix filter (r13661)
Simulated mouse events should return an accurate offset (r135065)
beginElement() does not observe updated animation attributes (r125608)
EventDispatcher::dispatchSimulatedClick should not reuse the same EventDispatcher instance. (r125133)
Don't re-use the same EventDispatcher instance to dispatch events. (r124975)
[JSC] ArithSub should not propagate "UsesAsOther" (r198770)
Subtrees with :first-child and :last-child are not invalidated when siblings are added/removed (r170121 partial)
(display: block)input range's thumb disappears when moved. (r186981)	
MediaControls::show() should make controls opaque (r138902)
Reset the slider thumb location before every layout of the slider container (r135388)
Dynamically added elements do not get re-projected. (r131615)
Fix crash in WebCore::MediaControlPanelElement::makeTransparent() (r131505)
input[type=range] as a flex item renders thumb at wrong position (r131497)	
Replace RenderListBox::updateLogicalHeight with RenderListBox::computeLogicalHeight (r129174)
Pass the logical height and logical top into RenderBox::computeLogicalHeight (r128238)
Rename computeLogicalHeight to updateLogicalHeight (r128201)
Rename computeLogicalWidth to updateLogicalWidth (r128110)
Add OVERRIDE to computeLogical{Width,Height} overrides (r127937)
Fullscreen/normal volume sliders don't stay in sync (r125590)

Mar 28, 2016
============
RegExp.prototype.test should be an intrinsic again (r198705)
putByIndexBeyondVectorLengthWithoutAttributes should not crash if it can't ensureLength (r198676)

Mar 24, 2016
============
REGRESSION (r125592): Reproducible crash in DOMWindow::open when a delegate closes the new window in decidePolicyForNavigationAction (r149589)
REGRESSION (r125592): Crash in Console::addMessage, under InjectedBundle::reportException (r125912)
DOMWindow::document() should not reach through Frame (r125592)
Make PNGImageDecoder::rowAvailable auto-vectorizable (r150252)
[Qt] RGB -> BGR is wrong on big endian (r141886)
Seam occurred between pieces of ShadowBlur on floating point zoom (r133836)

Mar 23, 2016
============
[JSC] correctly handle indexed properties in Object.getOwnPropertyDescriptors (r198572)
REGRESSION(r197543): Use-after-free on storage/indexeddb/transaction-abort-private.html (r198565)
JSArrayBuffers should be collected less aggressively (r197543 complete)

Mar 22, 2016
============
ANGLE doesn't build with bison 3.0 (r154109)
[ANGLE] Fix the build with gcc 4.7 (r127747)
[CSS Shaders] [ANGLE] RenameFunction::RenameFunction may store references to temporary string (r126625)

Mar 21, 2016
============
Crash in stress/regexp-matches-array-slow-put.js due to stomping on memory when having bad time (r198478)
[ES6] Make Array.prototype.reverse spec compatible. (r198294)
Asynchronously call onerror when a content blocker blocks ascript element's load (r192983)
Various assertion failures occur when executing script in the midst of DOM insertion (r185769)
WebCore::ScriptRunner::timerFired() is reported to crash. (r139942)

Mar 10, 2016
============
Improve CSSPrimitiveValue::customCSSText for ARMv7 (r169731 + r169734)
ASSERTION FAILED: !value || (value->isPrimitiveValue()) in WebCore::StyleProperties::getLayeredShorthandValue. (r160010)
Fix the parsing and re-serialization of :lang pseudo class selector when it has multiple arguments with same value (r176535)
CSS attribute selectors cause unnecessary style recalc when setting attribute to same value. (r149047)
Make HTMLLegendElement.form behave according to specification (r134510)
Improve console error messages when 'document.domain' blocks cross-origin script access. (r128208)
Source/WebCore: Clarify the cause of console warnings generated by "cross-origin" access to sandboxed iframes. (r128070)
Regexp matching should incur less call overhead (r197796)
createRegExpMatchesArray should allocate substrings more quickly (r197729)

Mar 09, 2016
============
WeakBlock::visit() should check for a WeakHandleOwner before consulting mark bits. (r197774)

Mar 08, 2016
============
DFG should be able to compile StringReplace (r197520)
FTL should simplify StringReplace with an empty replacement string (r197416 partial)
RegExp.prototype.exec() should call into Yarr at most once (r197715)
RegExpMatchesArray doesn't know how to have a bad time (r197641 partial)
The most aggressive form of RegExpTest/RegExpExec should speculate more aggressively than just cell (r197622)
Turn String.prototype.replace into an intrinsic (r197408)

Mar 07, 2016
============
[JSC] RegExp#lastIndex should handle writable attribute when defining in defineOwnProperty path (r197640)
[JSC] Improve the call site of string comparison in some hot path (r167220)

Mar 04, 2016
============
JSArrayBuffers should be collected less aggressively (r197543 partial)
Octane/regexp's Exec function should benefit from array length accessor inlining (r197542)
Per CSSOM, computed rect() function values must be comma separated (r163686)
Fix three bugs in the equals() implementations for css gradients. (r157598)
Implement CSSValue::equals(const CSSValue&) to optimise CSSValue comparison (r142444 + r142457 + r142472)
cssText for cursor property doesn't include hotspot (r132966)	
Ensure variables are resolved for specialized CSS primitive value types. (r129579)
Setting inline style to the same value it already has triggers a style recalc (r183017)
StylePropertySet::getPropertyShorthand() should return a String. (r149157)
getComputedStyle returns truncated value for margin-right (r142824)
getComputedStyle returns "left" instead of "none" for "float" on abspos elements (r140993)
The "outline-offset" property is not found in the computed style property list (r139321)	
Implement CSS computed style value for transition shorthand (r139200)
Querying transition-timing-function value on the computed style does not return keywords when it should. (r138728)
Prep work for: Implement sticky positioning (r126520)
Share the StringImpl the CSS property names (r125934)
Move CSS's propertyNameStrings[] to from the header to the cpp file (r125368)

Mar 03, 2016
============
transition properties can't be found in CSSStyleDeclaration (r144626)
createAttribute/setAttributeNode does not properly normalize case (r144595)
Accept 'allowfullscreen' in addition to 'webkitallowfullscreen'. (r143533)
[WEBGL] Rename WEBKIT_WEBGL_depth_texture to WEBGL_depth_texture. (r141922)
[WEBGL] Rename WEBKIT_WEBGL_compressed_texture_s3tc to WEBGL_compressed_texture_s3tc (r141846)
[WEBGL] Rename WEBKIT_WEBGL_lose_context to WEBGL_lose_context. (r141845)
RegExpExec/RegExpTest should not unconditionally speculate cell (r197492 partial)	
FTL should be able to run everything in Octane/regexp (r197357 partial)
RegExpPrototype should check for exceptions after calling toString and doing so should not be expensive (r197485)
Enable unprefixed CSS transitions by default. (r141578)
Canvas support for isPointInStroke (r141141)
Allow construction of unprefixed transition DOM events. (r140448)
CSS3 calc: unprefix implementation (r140300)
PseudoElement should never dispatch events (r138832)
Implement CSS parsing for CSS transitions unprefixed. (r138184)	
Add infrastructure for :before and :after in DOM (r136744)	
Use virtual dispatch to create ContentData renderers (r131666)
Clean up ContentData operator overloads (r131565)

Mar 02, 2016
============
SpeculatedType should be easier to edit (r197374)
isUntypedSpeculationForArithmetic is wrong. (r194560)
FTL should simplify StringReplace with an empty replacement string (r197416 partial)
[JSC] Simplify ArithMod(ArithMod(x, const1), const2) if const2 >= const1 (r197445)

Mar 01, 2016
============
Regression(r139836): Crash in WTF::equalIgnoringCase (r140848)
Add ontransitionend attribute on HTML elements. (r140010)
Update CSS3 gradient support to the latest spec version and unprefix. (r139836)
Switch the gradient drawing code to use bearing angles (r137669)
Deprecate prefixed linear-gradient and radial-gradient functions (r137206)
Unprefixed transitionend event doesn't seem to be implemented, which breaks many sites (r139762)
StyleRareNonInheritedData::contentDataEquivalent only looks at the first ContentData (r131685)
webkit fails IETC namespaces/prefix-007.xml (r125371)
Unprefix window.webkitURL (r125149)
[DFG][FTL][B3] Support floor and ceil (r197380 partial)

Feb 29, 2016
============
[RequestAnimationFrame] Remove vendor prefix (r131214)
[DFG] Drop unnecessary proved type branch in ToPrimitive (r197164)

Feb 24, 2016
============
Background size width specified in viewport percentage units not working (r142645)

Feb 23, 2016
============
setSelectionRange should set selection without validation (r164316)
setSelectionRange shouldn't directly instantiate VisibleSelection (r164194)
setSelectionRange shouldn't trigger a synchronous layout to check focusability when text field is already focused (r164156)
HTMLTextFormControlElement::setSelectionRange shouldn't use VisiblePosition (r163825 partial)
CTTE: Tighten up type usage around InputType::innerTextElement() (r157694)
Unduplicate the code to convert between VisiblePosition and index (r154868 partial)	
Caret is incorrectly painted for a contenteditable <div> containing a <br> in vertical writing mode (r139166)
REGRESSION(r129186): Pressing enter at the end of a line deletes the line (r129814)
Prevent reading stale data from InlineTextBoxes (r129186)

Feb 20, 2016
============
Properly reset deleted count when clearing HashTables. (r183504)
Avoid copying a hash table bucket when inserting causes a rehash (r155571)

Feb 19, 2016
============
ObjectPatternNode's entry should use "const Identifier&" instead of "Identifier" (r187119)
AtomicString::HashAndUTF8CharactersTranslator::equal() doesn't optimally handle 8 bit strings (r131652)
Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion (r196810)
JSString resolution of substrings should use StringImpl sharing optimization. (r196761)

Feb 18, 2016
============
Background doesn't fully repaint when body has margins. (r153701)
Fix test assertion after r151624 (r151629)
Fixed backgrounds in composited layers not repainted on scrolling (r151624 partial)	
Parent box with background-size auto and gradient image does not get properly repainted when child box is resized. (r148203)
Gradient background does not get repainted when child box is expanded. (r147303)
Late-loading stylesheets can cause composited layers to be blank (r136277)
Introduce a will-be-removed-from-tree notification in RenderObject (r126048)
Add a was-inserted-into-tree notification to RenderObject (r125737)
Callers of JSString::value() should check for exceptions thereafter. (r196745 partial)
[JSC] Remove the overflow check on ArithAbs when possible (r196726 partial)	
StringPrototype functions should check for exceptions after calling JSString::value(). (r196721)

Feb 17, 2016
============
Remove more of the UNINTERRUPTED_SEQUENCE thing (r157500)
Get rid of the UNINTERRUPTED_SEQUENCE thing (r157481)
Transition *switch* and *scope* JITStubs to JIT operations. (r157439)    
Separate out array iteration intrinsics (r157420)
Transition misc cti_op_* JITStubs to JIT operations. (r157404)

Feb 16, 2016
============
[ARMv7] stress/op_rshift.js and stress/op_urshift.js are failing. (r196591)	
JSObject::putByIndexBeyondVectorLengthWithoutAttributes needs to go to the sparse map based on MAX_STORAGE_VECTOR_INDEX (r196524)

Feb 12, 2016
============
Implement ES6 class syntax without inheritance support (r179371 partial)

Feb 11, 2016
============
Unreviewed, rolling out r195375. (r195398)
X.[[SetPrototypeOf]](Y) should succeed if X.[[Prototype]] is already Y even if X is not extensible (r188384 partial)
Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes. (r177657)
Add operator==(PropertyName, const char*) (r174997)
Avoid going through ExecState for VM when we already have it (in some places.) (r164925)
JSObject::findPropertyHashEntry() should take VM instead of ExecState. (r164904)
[JSC] Generate put_by_val_direct for indexed identifiers instead of put_by_id with direct postfix (r184859)
ES6: Allow duplicate property names (r184324)
Computed Property names should allow only AssignmentExpressions not any Expression (r181829)
ES6: Object Literal Extensions - Methods (r181183)

Feb 10, 2016
============
Parser should detect error before calls to parseAssignmentExpression() (r196258)
Object.getOwnPropertyDescriptor() does not work on sub-frame's window (r196220)
PropertyListNode::emitNode duplicates the code to put a constant property (r178918)
Fix build after r157457 for architecture with 4 argument registers. (r157467)
[ARM] Add the missing setupArgumentsWithExecState functions after r185240 (r185323)
[JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case (r185240 partial)

Feb 09, 2016
============
Don't set up the callsite to operationGetByValDefault when the optimization is already done (r187750 revisited)
ES6: Object Literal Extensions - Shorthand Properties (Identifiers) (r181121)
Optimize own property GetByVals with rope string subscripts. (r173188 revisited)
Optimize GetByVal when subscript is a rope string. (r168335 revisited)
Transition remaining op_get* JITStubs to JIT operations. (r157559)	    

Feb 08, 2016
============
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r182452 revisited)
[sh4][mips][arm] Fix crashes in JSC (32-bit only). (r157797)
Support computed property names in object literals (r157724)
Spread operator should be performing direct "puts" and not triggering setters (r157656 revisited)
Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4. (r157566)
transition void cti_op_put_by_val* stubs to JIT operations (r157546)
Fix J_JITOperation_EAapJ call for MIPS and ARM EABI. (r157633)
Fix potential register trampling in JIT since r157313. (r157339)
Transition op_new_* JITStubs to JIT operations. (r157313)
String.match should defend against matches that would crash the VM (r196240)
Further improve ArrayIterator performance (r157267)
transition cti_op_* methods returning int to JIT operations. (r157266)	

Feb 06, 2016
============
Arrayify for a typed array shouldn't create a monster (r196179)

Feb 05, 2016
============
[iOS8][ARMv7(s)] Optimized Object.create in 'use strict' context sometimes breaks. (r184960 partial revisited)	
Baseline JIT and DFG IC code generation should be unified and rationalized (r157685)
Fix build failure for architectures with 4 argument registers. (r157668)
A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs (r157660)
Get rid of the StructureStubInfo::patch union (r157489)
Baseline JIT should use the DFG GetById IC (r157480)

Feb 04, 2016
============
[arm] Add missing setupArgumentsWithExecState() prototypes to fix build. (r157800)
[sh4] Fixes after r157404 and r157411. (r157427)
Baseline JIT should use the DFG's PutById IC (r157411)
Fix potential register trampling in JIT since r157313. (r157339)
Transition call and construct JITStubs to CCallHelper functions (r157164 partial)	
[EFL] Add ARM64 build support (r166232)
[iOS] Upstream JavaScriptCore support for ARM64 (r157474 partial)

Feb 03, 2016
============
[Win] JavaScript JIT crash (with DFG enabled). (r159593)
Crash in virtualForThunkGenerator generated code on ARM64 (r159427 partial)		

Feb 02, 2016
============
Fixed callFrameRegister differences between arm traditional (r11) and arm Thumb2 (r7) in GPRInfo.h. (r159276 partial)
[mips] Make regTx registers match between JSInterfaceJIT and GPRInfo. (r158677)
Get rid of the regT* definitions in JSInterfaceJIT.h. (r158901)	
Text-combine erroneously draws vertically after non-layout-causing style change (r182609)
Don't mutate style in RenderCombineText (r156500)
text-combine: horizontal does not work properly for some fonts. (r149474)
Combined text reverts to full-width font after a style change (r131077)
Pass VM instead of ExecState to JSGenericTypedArrayViewPrototype. (r157301)	
Pass VM instead of ExecState to JSNotAnObject constructor. (r157082)	
text-combine doesnt use third- and quarter-width variants when used with @font-face (r131005)

Feb 01, 2016
============
Should not predict OtherObj for ToThis with primitive types under strict mode (r195938)

Jan 29, 2016
============
Transition stack check JITStubs to CCallHelper functions (r157050)
Fix compilation of DateMath.cpp with MSVC (r158520)
Cut down on use of String::number (r156964)
Add callOperation to Baseline JIT (r156896)
Avoid upconverting strings in various places in WebCore (r152611 partial)
Make sure to call release() on our smart pointers when we should. (r150255)
CSS parser: Add error recovery while parsing @-webkit-keyframes key values. (r149106)

Jan 28, 2016
============
Make LLINT exception stack unwinding consistent with the JIT. (r156818)
Make Baseline JIT exception handling work like the DFG JIT (r156810)
Optimized VM access from C++ code (r156802)
Pass VM instead of ExecState to ObjectPrototype constructor. (r156680)
Pass VM instead of JSGlobalObject to MathObject constructor. (r156679)
Pass VM instead of JSGlobalObject to RegExp constructor. (r156668)
Refactor code for finding x86 scratch register. (r156617)
Fix compilation for COMPILER(MSVC) && !CPU(X86) after r156490. (r156654)
Unreviewed. Speculative build fix on ARMv7 Thumb2 after r156490. (r156637)
Move DFG inline caching logic into jit/ (r156490)
[sh4] JSValue* exception is unused since r70703 in JITStackFrame. (r156477)
WeakGCMap should not inherit from HashMap (r156476)
Move KeyValuePairTraits inside HashMap (r156438)
Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com (r156371 partial)
Remove the notion that a CallFrame can have a pointer to an InlineCallFrame, since that doesn't happen anymore (r156239)
Fixed Win64 build after r156184. (r156559)
Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them (r156184 partial)

Jan 27, 2016
============
Rename OperationInProgress to HeapOperation and move it out of Heap.h into its own header (r156050)
MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList (r155891 partial)
Extend the SaneChain optimization to Contiguous arrays (r184032)
Sane chain and string watchpoints should be set in FixupPhase or the backend rather than WatchpointCollectionPhase (r183897)
Constant folding of typed array properties should be handled by AI rather than strength reduction (r182498 partial)
Rename IntegerBranch/IntegerCompare to Int32Branch/Int32Compare. (r155783)
Rename SpeculativeJIT::integerResult() to int32Result(). (r155745)
Make Array.join work directly on substrings without reifying them (r185899 partial)

Jan 26, 2016
============
Reduce number of Structures created at startup. (r195528 partial)	
[JSC] Speed up new array construction in Array.prototype.splice(). (r184767)

Jan 22, 2016
============
Avoid a couple of zero-sized fastMalloc calls (r155734)
Unreviewed, fix mispelling (Specualte -> Speculate) that I introduced in an earlier patch. (r155644)
Rename initInteger() to initInt32() (r155595)
Rename IntegerOperand to Int32Operand and fillInteger() to fillInt32(). (r155594)
Remove needsDataFormatConversion because it is unused. (r155578)
Rename fillSpeculateInt to fillSpeculateInt32. (r155576)
Propagate the Int48 stuff into the prediction propagator. (r155499)
Atomicize HTMLAnchorElement.hash before passing it to JS. (r152743)
JSDOMWindowShell leaks on pages with media elements (r171481 partial)
REGRESSION: Crash under Heap::reportExtraMemoryAllocatedSlowCase for media element (r181453 partial)
Element::focus() should acquire the ownership of Frame. (r192433)	
Generated frame tree names should be kept reasonably long. (r190752)
Memory corruption in WebGLRenderingContext::simulateVertexAttrib0 (r186380 + r186384)
GraphicsContext state stack wasting lots of memory when empty. (r185396)	
Memory cache live resources repeatedly purged during painting (r183261)
Replace currentTime() with monotonicallyIncreasingTime() in WebCore (r154706 partial)

Jan 21, 2016
============
Fix bug in TypedArray.prototype.set and add tests (r195416)
[ES6] Fix various issues with TypedArrays. (r195360 partial)
TypedArray's .buffer does not return the JSArrayBuffer that was passed to it on creation. (r195375)
We should say Int32 when we mean Int32. Saying Integer is just weird. (r155482)
Clearing MarkedBlock::m_newlyAllocated should be separate from MarkedBlock::clearMarks (r155316)
Stop using fastNew/fastDelete in JavaScriptCore (r155219)
CodeBlock memory cost reporting should be rationalized (r155021) 
Change local variable register allocation to start at offset -1 (r158237 revisited)
Web Inspector: [JSC] Caught exception is treated as uncaught (r155471)
Renamed StackIterator to StackVisitor. (r155081)	  
Refining the StackIterator callback interface. (r155075)
Converting StackIterator to a callback interface. (r155013)

Jan 20, 2016
============
Make JSValue bool conversion less dangerous (r154902)
CodeBlock's magic for scaling tier-up thresholds should be more reusable (r154837)
VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT) (r154817)

Jan 15, 2016
============
Streamline PropertyTable for lookup-only access. (r165440 revisited)
REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception. (r169221)
Refactoring Exception throws. (r154797)

Jan 14, 2016
============
Don't leak registers for redeclared variables (r154466 partial)
Remove putDirectVirtual (r154461)
Error.stack should not be enumerable (r154460)
Remove putDirectVirtual (r154459)
Clarify var/const/function declaration (r154434 partial)
Users of Heap::deprecatedReportExtraMemory should switch to reportExtraMemoryAllocated+reportExtraMemoryVisited (r181415)
Many users of Heap::reportExtraMemory* are wrong, causing lots of memory growth (r181411 partial)
Refactored the JSC::Heap extra cost API for clarity and to make some known bugs more obvious (r181407 partial)
JSC ignores the extra memory cost of HTMLCollection after a major GC (r164853 partial)
Automate generation of toJS function for classes that need to report extra memory usage (r148648)
PropertyDescriptor argument to define methods should be const (r154422)
	This should never be modified, and this way we can use rvalues.
Compress DFG stack layout (r156984 revisited)
Never use ReturnPC for exception handling and quit using exception check indices as a lame replica of the CodeOrigin index (r156300 revisited)
Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML (r154351)

Jan 13, 2016
============
Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML (r154245)
Remove some code duplication. (r154143)
accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3. (r154139)
remove some unnecessary periods from exceptions. (r154132)
Remove bogus assertion. (r154108)
[WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places (r154032)
Delay Arguments creation in strict mode (r153763)
Give the error object's stack property accessor attributes. (r153679)
Have vm's exceptionStack match java's vm's exceptionStack. (r153669)
fourthTier: Refactor JITStubs.cpp to move CPU specific parts out into their own files. (r153160)

Jan 12, 2016
============
[mips] Max value of immediate arg of logical ops is 0xffff (r194764)
Use a single allocation for the Arguments object (r174795 partial)

Jan 11, 2016
============
JSActivation::symbolTablePut() should invalidate variable watchpoints (r170766)
Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray (r167729 revisited)
fourthTier: Change JSStack to grow from high to low addresses (r155711 revisited)
Out of bounds read in IdentifierArena::makeIdentifier (r178311)
Unreviewed, fix uninitialized property leading to an assert. (r187794)
Made Object.prototype.__proto__ native getter and setter check that this object not null or undefined (r183275)
SparseArrayEntry's write barrier owner should be the SparseArrayValueMap. (r183128 GGC)

Jan 07, 2016
============
Removed fastMallocForbid / fastMallocAllow (r179319)
Don't set up the callsite to operationGetByValDefault when the optimization is already done (r187750 partial)
[mips] Fix branchTruncateDoubleToUint32 implementation in macro assembler (r194641)
[mips] Fix or32 implementation in macro assembler (r194640)
[mips] Add missing branchAdd32 implementation in macro assembler (r194639)

Jan 06, 2016
============
[JSC] Should not emit get_by_id for indexed property access (r194021)

Jan 05, 2016
============
Add webp image color profile support (r147048)
libwebp-0.2.0: handle alpha channel if present (r125869)
Fixes operationPutByIds such that they check that the put didn't (r177083 for baseline JIT)
  change the structure of the object who's property access is being cached.

Dec 22, 2015
============
Don't optimize variadic closure calls (r164119)
Fixes operationPutByIdOptimizes such that they check that the put didn't (r178441 for baseline JIT)	
DFG::StrCat isn't really effectful (r189075)
DFG string concatenation shouldn't be playing fast and loose with effects and OSR exit (r188825)
Introduce SymbolType into SpeculativeTypes (r184340 partial)
REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash (r172737 partial)
[JSC] StructureTransitionTable should eagerly deallocate single-transition WeakImpls. (r188978)	

Dec 21, 2015
============
Having a bad time has a really awful time when it runs at the same time as the JIT (r193470)
It's best for the DFG to always have some guess of basic block frequency (r192529)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 DFG/baseline JIT revisited).
	Missing tryRepatchIn.	

Dec 18, 2015
============
Rename DFG's compileAdd to compileArithAdd. (r192000)
DoubleRep fails to convert SpecBoolean values. (r191290)
speculateRealNumber() should early exit if you're already a real number, not if you're already a real double. (r185267)
Simplify unboxing of double JSValues known to be not NaN and not Int32 (r185239)
[JSC] Add undefined->double conversion to DoubleRep (r184933)
Add SpecBoolInt32 type that means "I'm an int and I'm either 0 or 1" (r184540)
REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests (r167452)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 baseline JIT revisited).

Dec 17, 2015
============
TypeOf should return SpecStringIdent and the DFG should know this (r183548 partial)
	breaks dfg-use-function-as-variable-merge-structure

Dec 16, 2015
============
Fixes inline cache fast path accessing nonexistant getters. (r176676 for baseline JIT)	
	
Dec 15, 2015
============
REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit (r165912 partial)
JS benchmarks crash with a bus error on 32-bit x86. (r165559 partial)
Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:) (r165842)
Revive SABI (aka shouldAlwaysBeInlined) (r164490)
AI folding of IsObjectOrNull is broken for non-object types that may be null (r186702)
DFG Is<Blah> versions of TypeOf should fold based on proven input type (r183629)
Constructor returning null should construct an object instead of null (r180587 complete)
Removed op_ret_object_or_this (r179372)

Dec 14, 2015
============
Spam static branch prediction hints on JS bindings. (r165079)
Crash beneath DFG JIT code @ video.disney.com (r167112)
Debugger created JSActivations should account for CodeBlock::framePointerOffsetToGetActivationRegisters(). (r163322)
Saying "jitType() == JITCode::DFGJIT" is almost never correct. (r163247 partial)
Change slow path result to take a void* instead of a ExecState*. (r160665)
Ensure that arity fixups honor stack alignment requirements. (r159706 partial)
Using emitResolveScope & emitGetFromScope with 'this' that is TDZ lead to segfault in DFG (r192078)
Fix endless OSR exits when creating a rope that contains an object that ToPrimitive's to a number. (r192034)
DFG string concatenation shouldn't be playing fast and loose with effects and OSR exit (r188825 partial)
Makes compileArithSub in the DFG ensure that the constant is an int32. (r186819)
DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear (r185941)
CPS rethreading phase's flush detector flushes way too many SetLocals (r184128)
Math.abs() returns negative (r183692)
[JSC] Add support for typed arrays to the Array profiling (r183450)
Rationalize DFG DCE handling of nodes that perform checks that propagate through AI (r183401)
Rename HardPhantom to MustGenerate. (r183201)
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex (r182452)
Return Optional<uint32_t> from PropertyName::asIndex (r182406)
Clean up OSRExit's considerAddingAsFrequentExitSite() (r180257)
Web Process crash when starting the web inspector after r174025. (r174856 removed)
It should be possible to use the DFG SetArgument node to indicate that someone set the value of a local out-of-band (r179756)
Don't use GPRResult unless you're flushing registers and making a runtime function call (r174090 partial)
[REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR (r171662)
Clean up Identifier factories to clarify the meaning of StringImpl* (r182205 partial)

Dec 13, 2015
============
Fix build warning (uninitialized variable) in DFGFixupPhase.cpp (r168540)
DFG AI assertions about not having to do type checks at the point of a Known use kind are unsound (r189219)
Various array access corner cases should take OSR exit feedback (r180703)  
MultiGetByOffset should be marked NodeMustGenerate (r179536 removed)
Fix bugs in 32-bit Structure implementation. (r165325 partial)
Vector with inline capacity should work with non-PODs (r164185 partial)
Do bytecode validation as part of testing (r159825)

Dec 11, 2015
============
[DFG] Avoid OSR exit in the middle of string concatenation (r185728)
TypeOf should return SpecStringIdent and the DFG should know this (r183548 partial)
Fixes operationPutByIds such that they check that the put didn't (r177083)
Arrayify neglects to inform the clobberizer that it might fire watchpoints (r169428)
ARM64: Hang running pdfjs test, suspect DFG generated code for "in" (r160493)

Dec 10, 2015
============
mandreel throws a checksum error on 32-bit x86. (r166440 similar, use SegmentedVector which does not move)
Remove CodeBlock's notion of adding identifiers entirely (r153967)
Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them (r153963)
StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments (r180237)

Dec 09, 2015
============
[GTK] Clean up compiler optimizations flags for libWTF, libJSC (r160996)
Fix typo in YARR at BOL check (r174012)
YARR: Put UCS2 canonicalization tables in read-only memory. (r156043)
Merge CharacterClassTable into CharacterClass (r148259)

Dec 07, 2015
============
Object::{freeze, seal} perform preventExtensionsTransition twice (r192858)				
JSC::SlotVisitor should not be a hot mess (r190563 complete)	
	
Dec 04, 2015
============
Callee can be incorrectly overridden when it's captured (r188926 partial)
YarrPatternConstructor::containsCapturingTerms() should not assume that its terms.size() is greater than 0. (r191364)
The JSONP parser incorrectly parsers -0 as +0. (r188085)

Dec 03, 2015
============
JSC::SlotVisitor should not be a hot mess (r190563 partial)
	More hash cons removal.	
new Date(NaN).toJSON() must return null instead of throwing a TypeError (r187016)
FunctionCallBracketNode should store the base value to the temporary when subscript has assignment (r183955)
Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined. (r165680)
JSActivation constructor should use NotNull placement new. (r159813)

Dec 02, 2015
============
JSC::SlotVisitor should not be a hot mess (r190563 partial)
	More hash cons removal.	

Dec 01, 2015
============
DFG should have some obvious mitigations against watching structures that are unprofitable to watch (r186986)
Fix some issues with TypedArrays (r191212 partial)
Numeric setter on prototype doesn't get called. (r188269)

Nov 30, 2015
============
SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index (r187464)
Fixes operationPutByIdOptimizes such that they check that the put didn't (r178441)
Change Heap::m_compiledCode to use a Vector (r178884)
shiftCountWithArrayStorage should exit to slow path if the object has a sparse map. (r177245)
Change how 32-bit JSValues check if they are a Boolean (r174260)
REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty (r170386)
Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot. (r169831)
Templatize GC's destructor invocation for dtor type. (r169284)
JSDOMWindow should disable property caching after a certain point (r168558)

Nov 25, 2015
============
REGRESSION (r125251): wrapper lifetimes of SVGElementInstance are incorrect (r178633)
[JSC] Copy non-index properties of arrays in SerializedScriptValue (r138964)
DFG optimizations don't handle neutered arrays properly (r153613)
REGRESSION(r190882): Concatenating a character array and an empty string is broken. (r191069)
"A + B" with strings shouldn't copy if A or B is empty. (r190882)
[JSC] jsSubstring() should have a fast path for 0..baseLength "substrings." (r185659)
Heap-use-after-free read of size 4 in JavaScriptCore: WTF::StringImpl::isSymbol() (StringImpl.h:496) (r185109 partial)
Optimize serialization of quoted JSON strings. (r183961 + r183977 rolled out + r183988)
Add way to dump cache meta data to file (r180894)
Optimize WeakBlock's "reap" and "visit" operations. (r183769)	
Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely. (r182347)
MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects (r133358 revisited)
Optimize own property GetByVals with rope string subscripts. (r173188)
Inline (C++) GetByVal with numeric indices more aggressively. (r167842)     
     
Nov 24, 2015
============
Global HashTables contain references to atomic StringImpls (r169740)
Remove String::deprecatedCharacters (r166120 partial)
Harden executeConstruct against incorrect return types from host functions (r154011)
GenerateHashValue should be usable outside CodeGeneratorJS.pm (r146253)
Implement ES6 Symbol (r179429 partial)
Merge AtomicString, Identifier (r165982)
Initialize AtomicStringTable in WTFThreadData's constructor (r151663)

Nov 23, 2015
============
Remove BytecodeGenerator::preserveLastVar() and replace it with a more robust mechanism for preserving non-temporary registers (r179746)
ASSERTION FAILED in Parser: dst != localReg (r166240)
Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer. (r166107)
compileMakeRope does not emit necessary bounds checks (r167336)
	
Nov 19, 2015
============
GC should compute stack bounds and dump registers at the earliest opportunity. (r181060)
Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection (r178364)	
JSTypeInfo should have an inline type flag to indicate of getCallData() has been overridden (r183575)
Evict IsEnvironmentRecord from inline type flags (r183557)		
JSObject and JSArray code shouldn't have to tiptoe around garbage collection (r154471)
Object.prototype.toString() should use cached strings for null/undefined. (r169316)
	
Nov 18, 2015
============
Math.imul gives wrong results (r164461)
Exception in global setter doesn't unwind correctly (r154429)
Cleaning errorDescriptionForValue after r154839 (r154892)
	
Nov 16, 2015
============	
Investigate HashTable::HashTable(const HashTable&) and HashTable::operator=(const HashTable&) performance for hash-based static analyses (r187733)
JSArray::setLength() should reallocate instead of zero-filling if the reallocation would be small enough. (r184407)
Clear ScratchBuffer::m_lastLayerSize when clearing the scratch buffer. (r161014)
	
Nov 13, 2015
============	
Short-circuit repaints with empty rects (r175395)
Simplify bounds computation for the RenderView's layer (r135059)
Don't pass a paintingRoot when painting from RenderLayerBacking (r134642)
	
Nov 11, 2015
============	
DFG and FTL should know that comparing anything to Misc is cheap and easy (r165406)

Nov 10, 2015
============
http/tests/security/sandboxed-iframe-invalid.html is flaky on Mac (r153973)
Sometimes Gmail cannot load messages, particularly on refresh ("...the application ran into an unexpected error...") (r172275)
Active DOM objects stopped twice (r150741)
Optimize RenderLayer::intersectsDamageRect() slightly (r182116)
Poor performance on IE's Chalkboard benchmark. (r179335)
Speed up SVG sprites by only painting the source rect in SVGImage::draw (r152020)
RuleData should ref the StyleRule (r168835)
Optimize StylePropertiesSet::findPropertyIndex() to improve CSS properties performance (r164995)
Out-of-line InspectorValues create() methods. (r156131)
[JSC] Pre-bake final Structure for RegExp matches arrays. (r185597)

Nov 09, 2015
============
Simplified IndexingType's hasAnyArrayStorage(). (r175172)
Call to enclosingFilterLayer() in RenderObject::containerForRepaint() is expensive (r134619)
Invalid values for media query features are not handled (r130995)
REGRESSION(r135082): Restore the ability to insert author level style sheets from script (r136878)
When calling DocumentStyleSheetCollection::addUserSheet, pass in a user sheet (r135316)
REGRESSION(r129644): User StyleSheet not applying (r135082)
Move seamless stylesheet collecting to DocumentStyleSheetCollection (r132787)
Maintain a list of active CSS stylesheets (r131929)
Optimize stylesheet insertions (r129644)
Make SVGPathSegList.appendItem O(1) instead of O(n) (r128729)	
	
Nov 06, 2015
============
Add a DFG node for the Pow Intrinsics (r180098 + 180102)
DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null) (r165099)
	
Nov 05, 2015
============
Structure should initialize its previousID in its constructor. (r169695)
EmptyUnique strings are Identifiers/Atomic (r165946)		
Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234. (r169758)
MarkedBlock::allocateBlock will have the wrong allocation size when (sizeof(MarkedBlock) + bytes) is divisible by WTF::pageSize() (r189012)
If Watchpoint::fire() looks at the state of the world, it should definitely see its set invalidated,
	and maybe it should see the object of interest in the transitioned-to state (r186776)	
Watchpoints should be removed from their owning WatchpointSet before they are fired (r186745)
Rename WatchpointSet::notifyWrite() should be renamed to WatchpointSet::fireAll() (r159528)
ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument (r165522)

Nov 04, 2015
============
DFG should insert Phantoms late using BytecodeKills and block-local OSR availability (r183207 partial)	
Nodes should have an optional epoch field (r183162)
[ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously (r170890)
DFG should allow Phantoms after terminals (r183094)

Nov 03, 2015
============
Spread operator should be performing direct "puts" and not triggering setters (r157656)
FTL should have an explicit notion of bytecode liveness (r159394)
Liveness analysis should take less memory in CodeBlock when it is unused (r159141)
CodeBlocks should be able to determine bytecode liveness (r159136)	
Eliminate a branch in FastBitVector setAndCheck, make it vectorizable. (r156792)
mayExit() is wrong about Branch nodes with ObjectOrOtherUse: they can exit. (r183310)
Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well. (r183095)
MovHint should be a strong use (r183072)	
REGRESSION (r172129): Vine pages load as blank (r173534)
[ftlopt] Phantoms in SSA form should be aggressively hoisted (r171495 partial)
[ftlopt] Phantom simplification should be in its own phase (r170907)	
	
Nov 02, 2015
============
DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format (r182827)
Set the semantic origin of delayed SetLocal to the Bytecode that originated it (r180546)
CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays. (r176972)
WTFCrashWithSecurityImplication under SpeculativeJIT::compile() when loading a page from theblaze.com. (r176399)
Apparently we've had a hole in arguments capture all along (r174790)
CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences (r170604)
[ftlopt] Fold constant Phis (r170064)
[ftlopt] Structure::dfgShouldWatchIfPossible() is unsound (r169753)
jsSubstring() should be lazy (r168635)
Convert ASSERT in inlineFunctionForCapabilityLevel to early return (r170011)
Prediction propagator should make sure everyone knows that a variable that is in an argument position (r169787)
	where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
JSCallee unnecessarily overrides a bunch of things in the method table. (r181765)
Add JSCallee to program and eval CallFrames (r173600)
Unreviewed build fix for CLOOP build. (r173576)
Remove unneeded declarations from JSCallee.h (r173567)
Move JSScope out of JSFunction into separate JSCallee class (r173541)
DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (r171190 revisited)       

Oct 30, 2015
============
REGRESSION(r179477): arguments simplification no longer works (r179504)
Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child (r179477)
[ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase (r170929)	
[ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase (r170060 partial)		
[ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it (r170017)		
Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch (r171689)
Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep (r170555)
DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell (r174025 partial)
Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing (r169354)
Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization) (r167418)

Oct 29, 2015
============
Sink NaN sanitization to uses and remove it when it's unnecessary (r167416)	
Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging (r167394)	
Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child (r179477)
OSR exit should know about Int52 and Double constants (r167612)
DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's (r167325)	
FTL should use cvttsd2si directly for double-to-int32 conversions (r160205 revisited)

Oct 28, 2015
============
DFG prediction propagation should agree with fixup phase over the return type of GetByVal (r169145)
DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays (r169447)
Prediction propagator should correctly model Int52s flowing through arguments (r167455)
DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush (r166276)
Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something (r166136)
  as having a Int32 register format if it's a non-Int32 constant
Constants folded by DFG::ByteCodeParser should not be dead. (r166095)
FTL should support ToPrimitive and the DFG should fold it correctly (r164243)
<1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput') (r163789)
ASSERT in speculateMachineInt on 32-bit platforms (r163391)
internal-js-tests.yaml/Octane/stress-tests/pdfjs.js.default: (r158646 + r158653)
ASSERTION FAILED: m_state.forNode(child).m_futurePossibleStructure.isSubsetOf(StructureSet(structure)) at DFGConstantFoldingPhase.cpp:249
Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget (r163946)	

Oct 27, 2015
============
DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled (r167182)	
Get rid of DFG forward exiting (r161126)
DFG PhantomArguments shouldn't rely on a dead Phi graph (r161072 complete)
DFG: Add JIT support for  LogicalNot(String/StringIdent) (r157329)
Unreviewed, 32-bit build fix. (r164208)
DFG::prepareOSREntry should be nice to the stack (r164205 partial)
Finally fix some obvious Bartlett bugs (r159826 complete)
CodeBlock::m_numCalleeRegisters shouldn't also mean frame size, frame size needed for exit, or any other unrelated things (r159721)		
CodeBlock::m_numCalleeRegisters need to honor native stack alignment. (r159670)
Change local variable register allocation to start at offset -1 (r158237)		
Remove JITStackFrame references in the C Loop LLINT. (r157576)		
REGRESSION(r155711): js/stack-overflow-arrity-catch.html is crashing on non-Mac platforms (r156046)
StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal. (r166064)
Get rid of InlineStart so that I don't have to implement it in FTL (r158116)
Fix register allocation inside control flow in GetByVal String (r158687)
Compress DFG stack layout (r156984)
REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT (r153789)

Oct 26, 2015
============
URTBF after r171946 to fix non-Apple builds. (r171949)
CodeBlock fails to visit the Executables of its InlineCallFrames (r171946)
Never use ReturnPC for exception handling and quit using exception check indices as a lame replica of the CodeOrigin index (r156300)
Deoptimize deoptimization: make DFGOSRExitCompiler64.cpp more hackable (r155820)
DFG::GenerationInfo init/fill methods shouldn't duplicate a bunch of logic (r155645)
	
Oct 23, 2015
============
SetLocal for a FlushedArguments should not claim that the dataFormat is DataFormatJS (r161411)
Argument flush formats should not be presumed to be JSValue since 'this' is weird (r168051)
Arguments objects shouldn't need a destructor (r167641 revisted)
Inline allocate Arguments objects in the DFG (r167591 revisted)
ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in (r157035 revisited)
Compress DFG stack layout (r156984 partial)
[arm] Inverted src and dest FP registers in DFG speculative JIT when using hardfp. (r157173)
FTL: Optimize IsString(@2<String>) -> JSConst(true) + Phantom() (r157059)	
	
Oct 22, 2015
============			
DFG PhantomArguments shouldn't rely on a dead Phi graph (r161072 partial) 
ObjectAllocationProfile is racy and the DFG should be cool with that (r160038)	
Finally fix some obvious Bartlett bugs (r159826 partial)	
FTL should support AllocatePropertyStorage (r158983)	
Variable event stream (for DFG OSR exit) should be explicit about where on the stack a SetLocal put a value (r156747)
Fix 32-bit builds after r163471 (r163473)
Can no longer run OctaneV2 in browser, crashes in speculationFromCell (r163471)
The DFG should use always DFG::Graph methods for determining where special registers are (r156817)	
SpeculativeJIT::m_arguments/m_variables are vestiges of a time long gone (r156723)
Get rid of the AlreadyInJSStack recoveries since they are totally redundant with the DisplacedInJSStack recoveries (r156677)  		
Get rid of SetMyScope/SetCallee; use normal variables for the scope and callee of inlined call frames of closures (r156594)

Oct 21, 2015
============
The DFG should be able to tier-up and OSR enter into the FTL (r155023 partial)	  
fourthTier: It should be easy to figure out which blocks nodes belong to (r153293)	
	
Oct 20, 2015
============
fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, (r153291)
DFG CheckArray(String) should just be a Phantom(String:) (r158644)
fourthTier: String GetByVal out-of-bounds handling is so wrong (r153286)  
fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds (r153244)
Simplify CSE's treatment of NodeRelevantToOSR (r160407)
CSE should work in SSA (r160328)
Stores to local captured variables should be intercepted (r159943)	
	
Oct 16, 2015
============
fourthTier: DFG should have an SSA form for use by FTL (r153274 partial)	
	
Oct 14, 2015
============
String.prototype.charAt() should use StringView. (r184865)

Oct 13, 2015
============
DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling coverage
  due to variable constant inference and the better prediction modeling of typed array GetByVals (r168780)
indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack (r164851)
Array.concat() should work on runtime arrays too. (r171390)
Refactor ArrayPrototype to use getLength() and putLength() utility functions. (r171328)  
Array.prototype.concat should allocate output storage only once. (r167255)
Add ExecState::uncheckedArgument and use where possible to shrink a bit (r156240)
Use emptyString instead of String("") (r153546)
String.prototype.split() should create efficient substrings. (r184346)
Updated split such that it does not include the empty end of input string match. (r178860)
[JSC] Add a node for Math.log() (r181035)
	
Oct 09, 2015
============
[JSC] Make the NegZero backward propagated flags of ArithMod stricter (r184220)
[JSC] Add basic DFG/FTL support for Math.round (r183963)	
DFG should insert Phantoms when it uses conversion nodes (r161683)
Hoist and combine array bounds checks (r164059)

Oct 08, 2015
============
[GTK][ARM] javascriptcore compilation is broken (r154287)
Concurrent compilation thread should not trigger WriteBarriers (r154162)
FTL should have an inefficient but correct implementation of GetById (r157409 partial)
Prohibit GC while sweeping (r181486)

Oct 07, 2015
============
operationCreateArguments could cause a GC during OSR exit (r169973)
CodeBlock: Un-segment some Vectors. (r159097)
arguments[-1] should have well-defined behavior (r179538)

Oct 06, 2015
============
CStack Branch: Change the disabling of DFG OSR entry to be based on an option (r160499)
Rationalize DFG DCE (r161218)
	
Oct 05, 2015
============
sunspider-1.0/math-spectral-norm.js.dfg-eager occasionally fails with Trap 5 (i.e int $3) (r157327)   
DFG::Int32Operand and fillInt32() should go away and all uses should be replaced with SpeculateInt32Operand (r155662)
GPRTemporary's reuse constructor should be templatized to reduce code duplication,
  and the bool to denote tag or payload should be replaced with an enum (r155643)
Inlining should work in debug mode (i.e. Executable::newCodeBlock() should call recordParse()) (r155889)
VariableAccessData::flushFormat() should be the universal way of deciding how to speculate on stores to locals and how locals are formatted (r155564)	
change usage of calculateUTCOffset()/calculateDSTOffset  to calculateLocalTimeOffset (r154315)
String(new Date(2010,10,1)) is wrong in KRAT, YAKT (r150833)
Replace WTF::getCurrentLocalTime() with GregorianDateTime::setToCurrentLocalTime() (r124365)	
Add function to calculate the day in year from a date (r124095)
	
Oct 01, 2015
============
DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s (r168172)
Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit. (r167341)
Make room for additional types in SpeculatedType.h (r167111)	
FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees (r166030)
AI for CreateArguments should pass through non-SpecEmpty input values (161574)
DFG: ConstProp the pattern ValueToInt32(Bool(x)) -> Int32(x) (r156830)
DFG should support Int52 for local variables (r156047)  
Array.slice should have a fast path like Array.splice (r184217)
JSArray::shiftCountWith* could be more efficient (r169121)

Sep 30, 2015
============
[JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). (r184501)	
Special-case Int32 values in JSON.stringify(). (r183928)
Fixes inline cache fast path accessing nonexistant getters. (r176676)
	
Sep 29, 2015
============
Get rid of CodeBlock::RareData::callReturnIndexVector and most of the evil that it introduced (r156247)
Interpreter::unwind() has no need for the bytecodeOffset (r156242)
Fix P_DFGOperation_EJS call for MIPS and ARM EABI. (r154442)
Fix V_DFGOperation_EJPP signature in DFG. (r154388)
fourthTier: DFG should't exit just because it GetByVal'd a big character (r153241)

Sep 28, 2015
============
DFG AI assumes that ToThis can never return non-object if it is passed an object,
  and operationToThis will get the wrong value of isStrictMode() if there's inlining (r155730)

Sep 25, 2015
============
fourthTier: CFA should consider live-at-head for clobbering and dumping (r153280)  
fourthTier: Rationalize Node::replacement (r153278)  
fourthTier: add option to disable OSR entry in loops (r153263)
	
Sep 24, 2015
============
Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html (r158341 complete)

Sep 23, 2015
============
DFG fixup phase should be responsible for inserting ValueToInt32's as needed and
  it should use Phantom to keep the original values alive in case of OSR exit (r161465)
RegExp::match() should set m_state to ByteCode if compilation fails. (r186920)	
WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276 (r185770)	
[JSC] When inserting a NaN into a Int32 array, we convert it to DoubleArray then to ContiguousArray (r183291)
Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9 (r168983)
Reproducible crash when using Map (affects Web Inspector) (r158875)

Sep 22, 2015
============
[JSC] Add support for overloaded constructors (r138138)
[JSC] Refactoring CodeGeneratorJS.pm to simplify adding support for overloaded constructors (r138008)
Remove the V8 custom code for WebSockets constructor (r134221)
DOM URL is flaky when workers are used (r132973)
Remove unused regular expressions from IDLStructure.pm (r129769)
Follow-up to r129723 to once more allow parsing of scoped names in IDL files. (r129737)
Move IDL extended attributes to the location specified in WebIDL (r129723)
Support constructor-type attribute in idls other than DOMWindow. (r128655)
[MSE] Move PublicURLManager shutdown logic so ActiveDOMObjects associated with public URLs won't leak. (r164091)	

Sep 16, 2015
============
Code cleanup after r132165 (r132373)
HTML Parser should produce 8 bit strings for doctype, comment and tagName tokens (r132165)
Update RenderText to use String instead of UChar* for text (r131311 complete)
HTML Parser should produce 8bit substrings for inline style and script elements (r125846)

Sep 15, 2015
============
Move definition of nested classes that inherit enclosing class outside class definition. (r147345)
Clean up Vector.h (r131659)

Sep 11, 2015
============
Improve the SourceProvider hierarchy (r128542)

Sep 10, 2015
============
Heap-use-after-free in bool WebCore::SelectorChecker::checkOneSelector. (r139100)
Heap-use-after-free in DocumentLoader::stopLoading (r138926)
Heap-use-after-free in WebCore::XMLDocumentParser::doEnd (r138863)
[JSC] static methods with Callback should not have this pointer (r144101)
EventSource should support CORS (r138083)
[WebKitIDL] Optional dictionary types should have default values of empty dictionary (r132698)

Sep 09, 2015
============
Remove FontTranscoder (r156657)
REGRESSION (r130851): With kerning enabled, a white-space: pre-wrap inline starting with tab+space has the wrong width (r136034)
floated element with negative margin causes text wrap bug (r131998)
Only measure text once instead of twice when performing line layout. (r130851)
Change FractionalLayoutUnit denominator to 64 to reduce precision loss when converting to floating point (r129656)
REGRESSION (r129176): Incorrect line breaking when kerning occurs between a space and the following character (r129284)
Yank an unneccessary if added in r125810. (r126100)

Sep 04, 2015
============
Update RenderText to use String instead of UChar* for text (r131311)
REGRESSION (r126763): css1/pseudo/firstline.html fails when using the complex text code path (r128713)
Regression(r126763): Heap-use-after-free in WebCore::nextBreakablePosition (r127381)
Unreviewed Mac Chromium build fix after r126763. (r126770)
Improve line breaking performance for complex text (r126763)	
Split ICU UText providers out into their own files (r161817)	
Element boundaries prevent Japanese line break opportunities (r147588)		
Generalize prior line break context state and names. (r147506)
Line breaking opportunities at the end of a text node are missed (r145338)	
Line layout (but not pref widths) double-counts word spacing when between inlines (r143520)	
Add 8-bit path to RenderBlock::handleTrailingSpaces() (r131776)
Unreviewed speculative build fix for clang. (r129698)	

Sep 03, 2015
============
Add Latin-1 Line Break Iterator to TextBreakIteratorICU.cpp (r129662)
Remove all uses of deprecatedCharacters from WebKit2 (r165692)
Add support for null StringViews (r161785)
Add WTF::StringView and use it for grammar checking (r161518)
Improve the find word boundary performance (r160526)	
Rename TextBreakIteratorWinCE to TextBreakIteratorWchar (r141156)
HTMLConstructionSite::insertTextNode isn't optimized for 8 bit strings (r130190)
Part 1 of removing PlatformString.h, move remaining functions to new homes (r127525)

Sep 02, 2015
============	
ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in
  jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit (r157035 complete)  
fourthTier: Change JSStack to grow from high to low addresses (r155711)
Change virtual register function arguments from unsigned to int (r155418)

Sep 01, 2015
============
Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters (r166142 partial)	
Add local to/from operand helpers similar to argument to/from operand2 (r155415)
There should be one "invalid" virtual register constant (r155420)
Un-inline the Node constructor (r173643)
Un-inline Element constructor (r173605)
Inline JSDOMWrapper subclasses' finishCreation(). (r166411)
HTMLEntityTable could use char to reduce binary size (r155559)
Prune dead code for Web Inspector memory instrumentation. (r164637)
Web Inspector: Remove stale optional native memory instrumentation protocol params (r158356)
Web Inspector: Remove Memory Distribution and Memory Snapshots Panels (r149807)
Remove the memory instrumentation code (r148921)
Rolling out my r123067 and r123572 (r124773)
Pass presentational attribute StylePropertySets by const pointer where possible. (r124760)	

Aug 28, 2015
============	
ExtJS breaks with modern Array.prototype.values API due to use of with() (r159063)	
Source/WebCore: Clean up the speech recognintion API (r146601)
Speech Recognition API: Change the error code to a string on SpeechRecognitionError (r136846)
Speech Recognition API: Update SpeechRecognitionEvent to match the specification (r136392)
Speech JavaScript API: Add SpeechRecognition.interimResults attribute (r130308)
Speech JavaScript API: Remove resultdeleted event (r130307)
Speech JavaScript API: Throw exception for start() when already started (r124225)

Aug 27, 2015
============
JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses (r165121)
DFG PutByVal on typed arrays should detect OutOfBounds sooner (r163418)	
FTL PutByVal should have a complete story for OOB (r161945)	

Aug 21, 2015
============
Review feedback followup for r185003. (r185018)
WebSQL default functions can bypass authorizer. (r185003)
Enhance SQL journal_mode setting code to be less likely to log an error. (r158906)	
Use SQLite journal mode WAL (WriteAheadLogging) (r158865)
Do not allocate SQLiteDatabase's m_openErrorMessage until its needed (r125992)

Aug 20, 2015
============
Add Canvas blend modes to Cairo (r139804)
Add canvas blending modes using Core Graphics (r138334)
Extend platform layer so it can pass blend modes to the compositing calls (r137011)
Extend JavaScript support for blending in canvas (r136337)
Implement canvas v5 line dash feature (r128116)
Unprefix Page Visibility API (r150695)
Remove page visibility hidden histograms (r131391)

Aug 19, 2015
============
Deconstruction object pattern node emits the wrong start/end text positions (r173026 partial)
Convert for-of iteration to in-band signalling so we can trivially avoid unnecessary object allocation (r157150)
Support for-of syntax (r156910)
REGRESSION(158384) ARMv7 point checks too restrictive for native calls to traditional ARM code (r159532)
Remove CachedTranscendentalFunction because caching math functions is an ugly idea (r158384)
[JS] Should be able to create a promise by calling the Promise constructor as a function (r161538)
[JS] Implement Promise.all() (r161365)
[JS] Implement Promise.race() (r161330)
Pass VM instead of JSGlobalObject to function constructors. (r156624)	
Pass VM instead of JSGlobalObject to ArrayPrototype constructor. (r156621)
Pass VM instead of ExecState to simple builtin constructors. (r156620)

Aug 17, 2015
============
Improve CSSParser::setupParser() since the prefix/suffix are literals (r133387)
Deploy ASCIILiteral hotness throughout WebCore (r126968)
Deploy ASCIILiteral and StringBuilder in more places in WebCore

Aug 13, 2015
============
Pass VM instead of ExecState to JSFunction constructors. (r156602)
GetterSetter construction should take a VM instead of ExecState. (r156521)
Pass VM instead of ExecState to StringObject constructor. (r156998)
Pass VM instead of ExecState to JSDateMath functions. (r156540)
Pass VM instead of ExecState to many finishCreation() functions. (r156498)

Aug 12, 2015
============
Implement prefixed-destructuring assignment (r156514 patial)
Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers (r172381)
Fix a number of problems with destructuring of arguments (r158051)

Aug 11, 2015
============
Reinstate intialiser syntax in for-in loops (r165682)
Implement prefixed-destructuring assignment (r156785)
Try to kill initialiser expression in for-in statements (r155724)		
PropertyNameArray should use a Vector when there are few entries. (r184120)	
Pass VM instead of ExecState to JSCell::fastGetOwnProperty(). (r163755)
Map.forEach crashes on deleted values (r158929)
Support for-of syntax (r156910 partial without parser change)
Implement Array key, value and entries iterators (r156791)	
MapData has some issues (r155487)
Make it simpler to introduce new data types to the global object (r155177)
Implement ES6 Set class (r154916)
Fix build break after r154861 (r154864)
Fix issues found by MSVC (which also happily fixes an unintentional pessimisation) (r154862)
Implement ES6 Map object (r154861)
Create a specialized pair for use in HashMap iterators (r123667)

Aug 10, 2015
============
Minor VM* -> VM& cleanups in HashTable and Keywords. (r157836)

Aug 07, 2015
============
Streamline PropertyTable for lookup-only access. (r165440)
URI encoding/escaping should use efficient string building instead of calling snprintf(). (r182370)	
REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests (r182643)
Optimize String::fromUTF8 for ASCII (r151556)
String::fromUTF8() should take advantage of the ASCII check in convertUTF8ToUTF16() (r134981)
convertUTF8ToUTF16() Should Check for ASCII Input (r131836)
[JSC] Remove RageConvert array conversion (r183615)

Aug 05, 2015
============
Buildfix. Fix warning after r153887: (r153892)
ASSERT_NOT_REACHED() touched in WebCore::SVGAnimatedStringAnimator::addAnimatedTypes (r153887)
ASSERT_NOT_REACHED was touched in WebCore::SVGAnimatedType::valueAsString (r153433)	
REGRESSION(r138263): Don't use fastGetAttribute for HTMLNames::classAttr because it breaks on SVGElement (r138277)
CodeGen: Make [Reflect] use fastGetAttribute and fastHasAttribute (r138263)
Allow lazy initialization of SVG XML animated properties. (r131631)

Aug 04, 2015
============
Use SVGImage instead of cached image when drawing without a render tree. (r126977)
Remove incorrect getBBox() code (r126056)
Fix resource leak in FillLayersPropertyWrapper object member (r171960)
Use CSSParserSelector::appendTagHistory() from CSS grammar. (r150337)
Ads on theverge.com cause repaints when hovered, even though content doesn't visibly change. (r150318)

Jul 31, 2015
============
GlyphPage: ALWAYS_INLINE all performance-relevant getters. (r143707)
GlyphPage: Bake per-glyph font data array into same allocation as GlyphPage. (r143601)
REGRESSION(r143125): ~5% performance hit on Chromium's intl2 page cycler. (r143137)
Optimize GlyphPage for case where all glyphs are available in the same font. (r143125)	
SVGPathStringSource should not up-convert 8-bit strings to UTF-16 (r140985)

Jul 30, 2015
============
Throw away StyleResolvers that haven't been used for a long time. (r136956)
HTMLOptionElement: Remove two unused members. (r135810)
RenderStyle: Move 'list-style-image' to rare inherited data. (r135788)
Tighten vector in ResourceRequestBase::setResponseContentDispositionEncodingFallbackArray(). (r134208)
Don't detach from shared ElementAttributeData when overwriting attribute with identical value. (r134163)	
REGRESSION (r125239): classList contains() doesn't work after element was moved from strict mode document to quirks mode document (r134102)
setAttributeNode and friends should not have optional argument (r133944)
REGRESSION(r131104): Heap-use-after-free in WebCore::Element::attributeChanged (r132141)
ElementAttributeData shouldn't be managing Element's callbacks. (r131104)
ElementAttributeData: tighten member packing on 64-bit. (r130870)
Remove unused ElementAttributeData::removeAttribute() overload. (r125973)
HTMLElement.classList cannot remove classnames with uppercase characters (r125239)
Shrink EventTargetData by making firingEventListeners vector optional. (r131620)	
332kB below DocumentEventQueue::create() on Membuster3. (r129776)
4.95MB below RenderBlock::insertIntoTrackedRendererMaps() on Membuster3. (r129682)

Jul 29, 2015
============
REGRESSION (r127277): CSS URIs with multi-byte Unicode escape sequences fail to parse (r145924)	
471kB below StyleSheetContents::parserAppendRule() on Membuster3. (r129907)
flex-grow should be 1 when omitted from flex shorthand (r129414)
equal() in CSSParser.cpp should check the length of characters (r127508)
Fix the Debug builds after r127277 (r127303)
CSS Parser should directly parse 8 bit source strings (r127277)	
CSSParser: Move enumeration to a common place (StylePropertyShorthand) (r126491)
Handle variables in CSSParser::parseValidPrimitive(), preventing null return value. (r124833)
More fixes for String::operator+=() on Mac (r127639)	
Replace more instances of += with StringBuilder (r127224)
Replace uses of WTF::String::operator+= with StringBuilder (r127112)
CSSComputedStyleDeclaration::cssText() should use StringBuilder (r125367)	
itemType.add should treat \t as a space. (r125257)

Jul 28, 2015
============
canvas/philip/tests/2d.fillStyle.parse.invalid.rgba-6.html fails (r126192)
Crash in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode (r136619)
CSSStyleDeclaration.cssText should not contain extraneous whitespace in final delimiter (r126656)

Jul 27, 2015
============
Do not add CSSPropertyBorderImage shorthand part of the property list when parsing CSS border property (r144908)
ASSERT_NOT_REACHED in StylePropertySet::fontValue when accessing font style property through JS after setting style font size. (r139313)
Incorrect value of CSSStyleDeclaration#length when a shorthand property is inherit or initial (r135848)
removeAttribute('style') not working in certain circumstances (r133581)
Fix StylePropertySet/ElementAttributeData custom allocation in debug builds. (r133160)
Update average StylePropertySet size estimation. (r133148)	
Pack immutable StylePropertySets harder on 64-bit. (r133138)	
StylePropertySet: Convert more logic to use PropertyReference. (r132952)
Don't expose implementation details of StylePropertySet storage. (r132786)

Jul 24, 2015
============
REGRESSION(r134408): Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement(). (r134779)
Exploit ElementAttributeData sharing in Node.cloneNode. (r134408)		
Shrink immutable ElementAttributeData and StylePropertySet by one pointer each. (r132288)

Jul 22, 2015
============
REGRESSION: Rapid memory growth calling DOM APIs with large strings. (r131209)
GlyphPageTreeNode should use HashMap<OwnPtr>. (r130850)
REGRESSION (r130584): Crashes in JSC::MarkedAllocator::allocateSlowCase, failing fast/dom/gc-dom-tree-lifetime.html (r130611)
If Node X is reachable from JavaScript, all Nodes in the same tree should be kept alive (r130587)
If Node X is reachable from JavaScript, all Nodes in the same tree should be kept alive (r130584)
IndexedDB: Memory leak when deleting object stores with indexes (r130335)

Jul 20, 2015
============
StylePropertySet: Use subclasses to manage varying object layouts. (r129543)
Share inline style between cloned Nodes (copy on write.) (r127375)
Simplify cloning of inline style (below Node.cloneNode) (r126872)
Simplify CSSOM style declaration's grabbing at internals. (r124779)
Make MarkedBlock and WeakBlock 4x smaller. (r182878)

Jul 17, 2015
============
REGRESSION(r128239): Mutable ElementAttributeData leak their Attribute vectors. (r129323)
ElementAttributeData: Use subclasses to manage varying object layouts. (r128239)
HTMLTokenizer should use the latest EfficientStrings hotness (r127899)
Make CSSPrimitiveValue::cleanup() handle all UnitTypes, fixing memory leak in the process. (r127838)	
Element: Share code between setAttributeNode() and other attribute setters. (r127126)
Use initialization from literal for HTML Input type names (r125991)
Remove the static Strings used for outputting values of CSS_ATTR, CSS_COUNTER, CSS_RECT (r125990)
Remove some of the tautologies in DFGRepatch function naming. (r156124)
Unreviewed assertion fix. (r175372)
CodeBlock: Size m_callLinkInfos and m_byValInfos to fit earlier. (r162284)
[JSC] InlineCallFrame::arguments should be sized-to-fit. (r185409)
[JSC] Polymorphic{Get,Put}ByIdList::addAccess() should optimize for size, not speed. (r185381)

Jul 10, 2015
============
HTMLInputElement can delete an ImageLoader while it's still needed (r145423)		
Do the DecimalNumber to String conversion on 8 bits (r125357)	
Incorrect Date returned between March 1, 2034 and February 28, 2100. (r165667)
Document is never released if an image's src attribute is changed to a url blocked by content-security-policy. (r141667)
One more unreviewed Windows buildfix after r140097. (r140140)
Unreviewed Windows buildfix after r140097. (r140138)
Revert r122824 for a while (r140097)

Jul 09, 2015
============
Clear failed image loads when an <img> is adopted into a different document (r138724)	
Document will never be released when an Image is created inside unload event listener (r137615)
Incorrect rendering of borders on <col> with span > 1 (r131671)
Crash in ContainerNode::removeAllChildren() (r131670)
1.18MB below RenderTableSection::setCachedCollapsedBorderValue() on Membuster3. (r130718)	
Remove isStartColumn in the border collapsing code (r129136)	
The collapsing border code needs direction-aware border getters (r129078)

Jul 08, 2015
============
RenderWidget::setWidgetGeometry() can end up destroying *this*. (r183788)

Jul 07, 2015
============
Kill RenderArena. (r158461)
Take BidiRuns out of the arena. (r158453)
Take line boxes out of the arena. (r158321)
Let Page::renderTreeSize() be the number of renderers. (r158310)
Take RenderObjects out of the arena. (r157535)
Make LayoutState not arena-allocated. (r157336)
Make RenderLayer not arena-allocated. (r157333)
Get rid of ref-counting on RenderWidget. (r155796)
Renderer is recreated unexpectedly after detach in HTMLInputElement (r141228)
There are a few of wrong removeAllChildren() call (r140659)
suspend/resumeWidgetHierarchyUpdates should be a RAII object (r129406)

Jul 06, 2015
============
jsSubstring() should be lazy (r171362)
RegExp matches arrays should use contiguous indexing. (r183458)
Use plain JSArray for RegExp matches instead of a lazily populated custom object. (r175365)
Allocate the whole RegExpMatchesArray backing store up front. (r172618)
Don't allocate a StringImpl for every Number JSValue in JSON.stringify(). (r183874)

Jun 24, 2015
============
Potential use-after-free after neutering AudioBuffer's underlying ArrayBuffer. (r152038)

Jun 23, 2015
============
Heap-buffer-overflow in WebCore::AudioBufferSourceNode::process (r141851)
Heap-use-after-free in WebCore::RenderBlock::checkFloatsInCleanLine (r140069)
Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree (r139788)
Regression(r119759): Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse (r139551)
Heap-buffer-overflow in WebCore::TextTrackCueList::add (r133610)
Protect against resource deletion during iteration in MemoryCache::pruneDeadResourcesToSize (r133469)
Crash on accessing a removed layout root in FrameView::scheduleRelayout. (r125315)
Document should be a FontSelectorClient. (r179025)
Hang CSSFontSelector off Document instead of StyleResolver. (r179012)
CanvasRenderingContext2D should update the computed style while setting the font (r173591)

Jun 22, 2015
============
Crash when setting 'font' CSS property to 'calc(2 * 3)' (r176454)
Lists styled with SVG fonts are not rendered as expected (r169591)
use after free in WebCore::DocumentOrderedMap::remove / WebCore::TreeScope::removeElementById (r159481)
Bad cast from CSSInitialValue to CSSValueList (r156222)
fast/frames/seamless/seamless-custom-font-pruning-crash.html asserts (r153796)
ASSERTION FAILED: m_purgePreventCount when clicking text with emphasis marks (r147317)
Variant of non-primary fell-back SVGFont causes crash. (r146129)
CanvasRenderingContext2D::setFont argument may reference destroyed object (r139144)
Fixing memory read after free in CanvasRenderingContext2D::accessFont (r138994)
SVGTextRunRenderingContext changes font data in the glyph page, but it shouldn't (r130999)

Jun 11, 2015
============
Main resource loaded via 304 response becomes empty if reloaded by user (r183555)

May 26, 2015
============
Creating a large MarkedBlock sometimes results in more than one cell in the block (r184019)		
DFGAllocator should use bmalloc's aligned allocator. (r181758)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r181215)
Fix crashes seen on the the 32-bit buildbots after my last patch. (r181177)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r181157)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r179407)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r179361)	
	
May 25, 2015
============
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r179348)  
Refactor MarkStackArray to allow more than JSCells to be stored (r163414)	
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r181210)	
Fix crashes seen on the the Windows buildbots after my last patch. (r181180)
Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages (r179500)  

May 19, 2015
============
Fix thread safety issue in AudioParamTimeline (r132259)
Repeated use of decodeAudioData() causes leak (r148566)
webaudio: leak: AudioContext objects are leaking. They retain 36mb of shared data. (r135152)
Ensure that AudioNode deletion is synchronized with a stable state of the rendering graph (r133239)

May 12, 2015
============
[XHR] Abort method execution when m_loader->cancel() in internalAbort() caused reentry (r174684)
XMLHttpRequest Content-Type should be taken from Blob type (r136893)
Improve ContentTypeParser, so that it could be used to validate mime type according to RFC (135176)
[XMLHttpRequest] overrideMimeType(mime) does not update the response's "Content-Type" header (r130158)
Assume allocator success in Vector unless using try* functions. (r156117)

May 11, 2015
============
(try)append and insert operations don't need new operator for PODs (r164097)

May 05, 2015
============
XMLHttpRequestProgressEventThrottle shouldn't throttle / defer progress events if there are no listeners (r174235)
Dispatch a progress event before dispatching abort, error or timeout event (r161891 + r161894 + r161896)
Correctly set XHR loadend attributes (loaded and total). (r161668)
On request error, always fire events on the XMLHttpRequestUpload before the XMLHttpRequest (r154004)
XMLHttpRequestProgressEventThrottle::resume() always schedules timer even when unnecessary (r142538)

Apr 29, 2015
============
AudioBufferSourceNode stop attribute shouldn't throw exception in finished state. (r165716)

Apr 23, 2015
============
Take block execution count estimates into account when voting double (r167600)
Crash beneath operationTearOffActivation running this JS compression demo (r165995)
DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints (r164459)
REGRESSION (r164417): ASSERTION FAILED: isBranch() in X86 32 bit build (r164445)
DFG should have a way of carrying and preserving conditional branch weights (r164417)
fourthTier: Add a phase to create loop pre-headers (r153279)
fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block" (r153277)
fourthTier: NaturalLoops + Profiler = Crash (r153272)
fourthTier: DFG should know how to find natural loops (r153257)

Apr 22, 2015
============
start/stop method for AudioBufferSourceNodes and OscillatorNodes can take no args (r176311)
window.crypto doesn't preserve custom properties (r157417)
window.crypto.getRandomValues should return the input ArrayBufferView (r138298)
Update DOMException name: QuotaExceededError (r135149)
Update DOMException name: TypeMismatchError (r134954)
Many DOMWindowProperties would benefit from being ScriptWrappable (r134188)
crypto.getRandomValues should throw an exception when given a big array (r126953)

Apr 21, 2015
============
V8 regexp spends most of its time in operationGetById (r165797)
Add one-deep cache to opaque roots hashset. (r165796)

Apr 20, 2015
============
Take block execution count estimates into account when voting double (r167600 partial)
DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (r171190)
Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode (r178365)

Apr 15, 2015
============
Fix null-pointer deref in DocumentLoader::responseReceived() (r151812)
X-Frame-Options: Blocked resources should fire load events. (r147164)

Apr 14, 2015
============
FrameProgressTracker expects Page to not have detached (r175277)
FrameLoader::checkCompleted can hit the "ref'ing while destroyed" assertion (r167790)
Crash in WebCore::FrameLoader::checkCompleted() (r143514)
Shrink-to-fit the ResourceResponse vector after loading completes. (r133970)
fast/loader/document-destruction-within-unload.html causes assertion failures on mac and qt. (r127347)
ProgressTracker never completes if iframe detached during parsing (r125829 + r125858 rolled out + r126483 + r126507 rolled out + r127087)

Apr 13, 2015
============
Drawing text in an SVG font causes load events to be fired. (r173028)
Don't GC img elements blocked by CSP until error events fire. (r128730)

Apr 10, 2015
============
Load event fires too early with threaded HTML parser (take 2) (r142555 partial)
load event shouldn't fired during node insertion traversals. (r126131)
Crash in URL::protocol() after appcache load fails (r178937)
Do not attempt to revalidate cached main resource on back/forward navigation (r178012)
SVG loaded through html <img> can't request to load any external resources. (r175074)

Apr 09, 2015
============
Sometimes Gmail cannot load messages, particularly on refresh ("...the application ran into an unexpected error...") (r172275)
REGRESSION (r130783): Scrolling is broken going back to a cached page from a page that still has outstanding subresources. (r153649)
widthMediaFeatureEval ends up with null FrameView during iframe unload. (r151702)
REGRESSION (r151088): Crash navigating away from non-loaded main resources with non-loaded scripts. (r151335)
Webkit crashes while loading content from Application Cache. (r151099)
Going "back" to a cached page from a page with a main resource error breaks scrolling, amongst other issues. (r151088)
Fix double hash lookup in DocumentLoader::removeSubresourceLoader(). (r150967)
We need to clear main resource when detaching DocumentLoader from the frame. (r150613)
Crash in convertMainResourceLoadToDownload when downloading file by option-return (r150609)
ASSERT d->m_defersLoading != defers on detik.com and drive.google.com (r147228)
Threaded HTML Parser fails fast/dom/HTMLAnchorElement/anchor-no-multiple-windows.html in debug (r144240)
JavaScript identifier incorrectly parsed if the prefix before an escape sequence is a keyword (r178427)
ASSERTION FAILED: !hasError() in JSC::Parser<LexerType>::createSavePoint(). (r162006)
Support the "json" responseType and JSON response entity in XHR (r154992)
Watchdog timer should be lazily allocated (r169139)
JSArray::sortNumeric should handle ArrayWithUndecided (r182567)

Apr 08, 2015
============
@media queries do not take zooming into account (r145233)

Apr 02, 2015
============
Prevent crash when track is deleted during video element deletion. (r149749)
Heap-use-after-free in WebCore::RenderTextTrackCue::layout (r141127)
Heap-use-after-free in WebCore::TextTrackCue::isActive (r140834)

Apr 01, 2015
============
REGRESSION: Crash under JITCompiler::link while loading Gmail (r154419)

Mar 31, 2015
============
[EME] MediaKey APIs should be prefixed. (r153867)

Mar 30, 2015
============
Merge API shims and JSLock (r165074 partial)
JSDOMPromise methods should acquire VM lock before calling into JS. (r164679)
Update Promises to the https://github.com/domenic/promises-unwrapping spec (r161241)
[Gtk] Build is failing after r158317 (r158345)
Add a way to fulfill promises from DOM code (r158317)
WebKit crashes when trying to send a msg via 'today's birthdays' dialogue box on Facebook (r155495)
Add support for Promises (r154629)

Mar 26, 2015
============
Web Inspector: deny access from injected script to nodes from document with another origin (r138228)
Web Inspector: Calling getEventListeners() on element with malformed javascript event listeners crashes (r125654)
Web Inspector: do not use window's eval in InjectedScript (r126168)

Mar 24, 2015
============
Regression: failing RegExp tests on 32 bit architectures. (r161562)

Mar 23, 2015
============
Web Inspector: show internal properties in inspector frontend (r134914)

Mar 20, 2015
============
Web Inspector: [Regression] Search across all sources is broken. (r141091)
Web Inspector: [Regression] Search all sources should not search across service projects. (r140966)
Web Inspector: never expand global scope automatically (r131171)
Web Inspector: [regression] Settings panel fails to open. (r126253)

Mar 19, 2015
============
Web Inspector: display function scope in UI (r124876)

Mar 16, 2015
============
Update custom setter implementations to perform type checks (r161009)

Mar 12, 2015
============
BuiltinExecutables keeps finalized Weaks around, pinning WeakBlocks. (r181248)
Prevent builtin js named with C++ reserved words from breaking the build (r164346)
Make it possible to implement JS builtins in JS (r163960 partial)
Store DOM constants directly in the JS object rather than jumping through a custom accessor (r169979)

Mar 11, 2015
============
Eagerly reify DOM prototype attributes (r169703 partial)

Mar 05, 2015
============
Fix the non-DFG build. (r156233)
Get rid of IsInlinedCodeTag and its associated methods since it's unused (r156229)

Mar 03, 2015
============
Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray (r167729)
Arguments objects shouldn't need a destructor (r167641)

Mar 02, 2015
============
Inline allocate Arguments objects in the DFG (r167591)

Feb 25, 2015
============
Extend the coverage of the Custom Allocation Framework in WebCore (r128572)

Feb 19, 2015
============
fourthTier: Arity fixup should be done while on same stack (r153232)
fourthTier: ASSERT that commonly used not-thread-safe methods in the runtime are not being called during compilation (r153134)

Feb 18, 2015
============
Also made sure that CodeBlock::CodeBlock initializes all of its fields; it was previously missing the initialization of m_capabilityLevelState. (r153227)

Feb 12, 2015
============
Gardening: fixed broken non-DFG build. (r154827)
Change StackIterator to not require writes to the JS stack. (r154821)
fourthTier: DFG tries to ref/deref StringImpls in a ton of places (r153142)

Feb 11, 2015
============
fourthTier: DFG should support op_in and it should use patching to make it fast (r153225)
Naming convention on createInvalidParamError is incorrect. (r152784)
Restoring use of StackIterator instead of Interpreter::getStacktrace(). (r153825)
Moved ErrorConstructor and NativeErrorConstructor helper functions into the Interpreter class. (r153823)
Unreviewed build fix after r153218. (r153329)
[Qt] Build fix after FTL. (r153322)
Unreviewed buildfix after FTL upstream.. (r153314)
Unreviewed buildfix after FTL upstream for non C++11 builds. (r153299)
fourthTier: Resurrect the CLoop LLINT on the FTL branch. (r153273)
fourthTier: Introducing the StackIterator class. (r153218)

Feb 10, 2015
============
fourthTier: Fix some minor issues in the DFG's profiling of heap accesses (r153204)
fourthTier: Remove CodeOrigin::valueProfileOffset since it was only needed for op_call_put_result. (r153202)
fourthTier: Remove finalDestinationOrIgnored since it isn't called anymore. (r153201)

Feb 05, 2015
============
fourthTier: Remove Interpreter::retrieveLastCaller().

Feb 03, 2015
============
fourthTier: CodeBlock should be RefCounted (r153147)

Feb 02, 2015
============
Unify the many and varied stack trace mechanisms, and make the result sane. (r147858 partial)
Reduce parser overhead in JSC (r133688 partial)
Eager stack trace for error objects. (r153457)
It should be easy to add new nodes that do OSR forward rewiring in both DFG and FTL (r155793)
fourthTier: Landing the initial FTL logic in a single commit to avoid spurious broken builds. (r153121)

Jan 29, 2015
============
Web Inspector: [JSC] implement setting breakpoints by line:column (r124406 partial)
Don't need a JSNameScope for the callee name just for the debugger. (r163210)
pushFinallyContext saves wrong m_labelScopes size (r161437)
get_callee and to_this aren't properly cleared during finalizeUnconditionally (r156787)
Avoid eagerly creating the JSActivation when the debugger is attached. (r163223 partial)
Web Inspector shouldn't artificially allocate the arguments object in functions that don't use it (r155657)

Jan 28, 2015
============
Removed a JSC-specific hack from the web inspector (r126720)

Add platform implementation of remote web inspector server for GTK port. (r134600 partial)

Jan 23, 2015
============
fourthTier: WatchpointSet should make racy uses easier to reason about (r153131 complete)

Jan 22, 2015
============
Web Inspector: Get rid of Inspector/BindingVisitors.h (r161382)
Remove the memory instrumentation code (r148921)
Web Inspector: move StringImpl size calculation to StringImpl (r124006)
Switch statements that skip the baseline JIT should work (r167646)
fourthTier: DFG should support switch_string (r153248)
fourthTier: There should only be one table of SimpleJumpTables (r153237)

Jan 21, 2015
============
fourthTier: FTL should support SwitchChar (r153235 partial)
One more buildfix after FTL upstream. (r153308)
fourthTier: DFG should have switch_char (r153234 partial)
fourthTier: String::utf8() should also be available as StringImpl::utf8() so that you don't have to ref() a StringImpl just to get its utf8() (r153135)
WTFString::utf8() should have a mode of conversion to use replacement character (r134173)
fourthTier: FTL should support Switch (r153230 partial)
fourthTier: Add CFG simplification for Switch (r153229)
DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT (r153540)
fourthTier: DFG should support op_switch_imm (r153228)

Jan 20, 2015
============
Marking should be generational (r161615 partial when GGC is enabled)
JSObject and JSArray code shouldn't have to tiptoe around garbage collection (r154471 when GGC is enabled)
Remove JSObject::propertyIsEnumerable (r154405)
Remove getOwnPropertyDescriptor trap (r154373)
Remove use of GOPD from JSFunction::defineProperty (r154340)
Remove getPropertyDescriptor (r154337)
Remove some dead code following getOwnPropertyDescriptor cleanup (r154336)
Remove custom getOwnPropertyDescriptor for JSProxy (r154334)
Remove custom getOwnPropertyDescriptor for global objects (r154313)
Rename DataFormatInteger to DataFormatInt32. (r155575)
DFG 32Bit: Crash loading "Classic" site @ translate.google.com (r154303)
Start removing custom implementations of getOwnPropertyDescriptor (r154300)

Jan 16, 2015
============
Add attributes field to PropertySlot (r154253)

Jan 16, 2015
============
operationOptimize() should defer the GC for a while. (r169094)
Inline the trivial parts of GC deferral. (r165355)
DFG::operationTypeOf() needs to set the VM::topCallFrame. (r163426)
Don't GC while in the OSR-triggered jettison code (r155457)
DFGOperations doesn't use NativeCallFrameTracer in enough places (r128898)

AI for GetLocal should match the DFG backend, and in this case, the best way to do that
  is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone (r167433 partial)
  
Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias (r166281)
CodeBlock fails to visit the Executables of its InlineCallFrames (r171946)
Flattening dictionaries with oversize backing stores can cause crashes (r171092)
Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
  when WebKit is compiled with fcatch-undefined-behavior (r166217)
Rename/refactor setButterfly/setStructure (r154426)

Jan 15, 2015
============
Add the notion of ConstantStoragePointer to DFG IR (r160295 partial)
Fold typedArray.length if typedArray is constant (r160292)
Fold constant typed arrays (r160150)
Clobberize phase forgets to indicate that it writes GCState for several node types (r156192)
DFG should inline typedArray.byteOffset (r154305)
fourthTier: Reenable the DFG optimization fixpoint now that it's profitable to do so with concurrent compilation (r153214)

Jan 14, 2015
============
CodeBlock::jettison() shouldn't call baselineVersion() (r158507)
OSR exit profiling should be robust against all code being cleared (r158459)
Add InvalidationPoints to the DFG and use them for all watchpoints (r158304 partial)
OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo (r158141)
Speculative Windows build fix. (r153537)
fourthTier: Small strings shouldn't get GC'd (r153240)

Jan 13, 2015
============
Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction (r160587 partial)
DFG CheckArray(NonArray) should prove that the child isn't an array (r158773 partial)

Jan 12, 2015
============
[Win] Javascript crash with DFG JIT enabled. (r158057)
ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in
  jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit (r157035)
Deoptimize 32-bit deoptimization (r156564)
fourthTier: 32-bit CallFrame::Location should use Instruction* for BytecodeLocation, not bytecodeOffset. (r153212 partial)
fourthTier: The DFG JIT should populate frame bytecodeOffsets on OSR exit. (r153207)
fourthTier: get rid of op_call_put_result (r153200 partial)
fourthTier: DFG should provide utilities for common OSR exit tasks (r153119)
Constants folded by DFG::ByteCodeParser should not be dead. (r166095)
fourthTier: put DFG data into a DFG::JITCode, and put common DFG and FTL data into something accessible from both DFG::JITCode and FTL::JITCode (r153116)
fourthTier: Everyone should know about the FTL (r153115)
fourthTier: JITCode should abstract exactly how the JIT code is structured and where it was allocated (r153113)

Jan 08, 2015
============
Source/WebCore: [MSE] http/tests/media/media-source/mediasource-remove.html is failing (r170932 partial)
[MSE] http/tests/media/media-source/mediasource-append-buffer.html is failing (r170543)

Jan 07, 2015
============
[EME] MediaKeySession resources persist across page reloads (r175332)
[EME] REGRESSION(??): test media/encrypted-media/encrypted-media-v2-syntax.html is failing (r173520)
[EME] Call suspendIfNeeded() in the MediaKeySession create() method to avoid an ASSERT. (r168533)
[EME] Crash when passing a NULL initData to MediaKeys.createSession() (r166721)
[EME] Extend the lifetime of MediaKeySession. (r165643)

Jan 05, 2015
============
fourthTier: don't insert ForceOSRExits except for inadequate coverage (r153215 partial)
fourthTier: CFA should defend against results seeming inconsistent due to a watchpoint firing during compilation (r153130)

Jan 02, 2015
============
REGRESSION(r153215): New iCloud site crashes (r156211)
Don't GC while OSR compiling (r155995)
Crash during exception unwinding (r154290)
32 bit portion of load validation logic (r153339)
fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing (r153285)
fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure (r153284 partial)
Heap-use-after-free in WebCore::AudioNodeInput::updateInternalBus (r144417)
Get rid of forward exit in GetByVal on Uint32Array (r160394 partial)
fourthTier: CheckArray should call the right version of filterArrayModes (r153270)
fourthTier: DFG CFA should know when it hits a contradiction (r153213)

Dec 22, 2014
============
XMLHttpRequest should support attribute responseURL as per latest XHR spec. (r175053)

Dec 19, 2014
============
32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state (r153793)
fourthTier: It should be possible to query WatchpointSets, and add Watchpoints, even if the compiler is running in another thread (r153124 partial)
Require use of AudioBus::create() to avoid ref-counting issues (r149817)
Heap-use-after-free in WebCore::AudioNodeOutput::pull (r149778)
Implement channel up-mixing and down-mixing rules (r144235)
Enhance AudioBus copyFrom() and sumFrom() to be able to handle discrete and speakers up and down-mixing (r143094)
Add Web Audio support for deprecated/legacy APIs (r129260)

Dec 18, 2014
============
Assigning to a readonly global results in DFG byte code parse failure (r154120)
new Int32Array(new ArrayBuffer(100), 1, 1) shouldn't throw an error that says "RangeError: Byte offset and length out of range of buffer" (r171323)
Incorrect behavior when mutating a typed array during set. (r165989)
ASSERT in MarkedAllocator::allocateSlowCase is wrong (r155056)
Remove incorrect ASSERT from CopyVisitor::visitItem (r154407)
[DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind. (r154141)
[Windows] Unreviewed build fix after r15417. (r154137)

Dec 17, 2014
============
JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses (r165121)
[JSC] Revise typed array implementations to match ECMAScript and WebGL Specification (r161789)
Implement ArrayBuffer.isView (r160876)
JSArrayBufferViews of length 0 allocate 0 CopiedSpace bytes, which is invalid (r158583)
Use CheckStructure for checking the types of typed arrays whenever possible (r156017)
FTL should support typed array GetByVal and related ops (r155260)
DFG should inline new typedArray() (r154403)
REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse (r154261)
DFG should optimize typedArray.byteLength (r154218)
FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions (r154569)
Incorrect TypedArray#set behavior (r154518)
Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView (r154408)
Unreviewed, fix 32-bit build. (r154129)
Typed arrays should be rewritten (r154127)
Copied space should be able to handle more than one copied backing store per JSCell (r153720)
fourthTier: Count external memory usage towards heap footprint (r153247)
It should be possible to hijack IndexingHeader for things other than lengths (r153104)

Dec 16, 2014
============
Move TypedArray implementation into JSC (r153728)
Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access (r154157)
fourthTier: The Math object should not be polymorphic (r153223)

Dec 15, 2014
============
fourthTier: GC's put_by_id transition fixpoint should converge more quickly (r153243)
Reduce parser overhead in JSC (r133688 partial)
Introduce a SpecInt48 type and be more careful about what we mean by "Top" (r155480)
SpecType should have SpecInt48AsDouble (r155466)
fourthTier: Have fewer Arrayify's (r153264)
fourthTier: DFG should optimize identifier string equality (r153245)
ASSERT in compileArithNegate on pdfjs (r161438)
Make the different flavors of integer arithmetic more explicit, and don't rely on (possibly stale) results of
	the backwards propagator to decide integer arithmetic semantics (r161399)
Get rid of forward exit on DoubleAsInt32 (r160411)
Optimize away OR with zero - a common ASM.js pattern. (r159783)
DFG should use the (x & 0x7fffffff) trick for doing overflow and neg-zero checks on negation in one go (r156016)
Int32ToDouble should be predicted SpecInt48 and predictions should have nothing to do with constant folding (r155567)
Be explicit about backwards propagation properties that care about escaping to bytecode, as opposed to just escaping within DFG code. (r155497)

Dec 12, 2014
============
op_to_this shouldn't use value profiling (r156468)
op_get_callee shouldn't use value profiling (r156376)
Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them (r156184 partial)
For JSVALUE32_64, maxOffsetRelativeToPatchedStorage() doesn't compute the maximum negative offset (r143994)
Static size inference for JavaScript objects (r141050)

Dec 11, 2014
============
STRH can store values with the wrong offset (r176151)
ARMv7(s) Assembler: LDRH with immediate offset is loading from the wrong offset (r176083)
[Win] Enum type with value zero is compatible with void*, potential cause of crashes. (r168729)
ASSERTION FAILED: isUInt16() on ARMv7 after r113253. (r164433)
FTL should use cvttsd2si directly for double-to-int32 conversions (r160205)
Baseline JIT calls to CommonSlowPaths shouldn't restore the last result (r159973)
fourthTier: Add another temp register regT4 to JSInterfaceJIT (r153231)


Dec 09, 2014
============
Eliminate unused JITStub function declarations (r156858)
Wrong for SlowPathCall to load callFrame reg from vm.topCallFrame after call (r155399)
REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark. (r154839)
Build fix attempt after r154156. (r154159)
REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException (r154173)
Fix crash when performing activation tearoff. (r154156)
Build fix for ARM MSVC after r153222 and r153648. (r153745)
REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath. (r153659)
REGRESSION: ARM still crashes after change set r153612. (r153648)
REGRESSION(r153612): It made jsc and layout tests crash (r153646)
REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer (r153612)
[Windows] Speculative build fix. (r153360)
fourthTier: The baseline jit and LLint should use common slow paths (r153222)

Fix more fallout from failed attempts at div/mod DFG strength reductions (r159736)
Generated color wheel displays incorrectly (regressed in r155567) (r158556)
fourthTier: FTL should support ArithAbs (r153198)

Dec 08, 2014
============
Trap 5 (most likely int $3) in jsc-layout-tests.yaml/js/script-tests/integer-division-neg2tothe32-by-neg1.js.layout-dfg-eager-no-cjit (r157043)
fourthTier: DFG ArithMod should have the !nodeUsedAsNumber optimizations that ArithDiv has (r153187)
fourthTier: clean up ArithDiv/ArithMod in the DFG (r153186)
Simplify WatchpointSet state tracking (r159395)
Refine DFG+FTL inlining and compilation limits (r164558 partial)
fourthTier: add heuristics to reduce the likelihood of a trivially inlineable function being independently compiled by the concurrent JIT (r153180)

Dec 05, 2014
============
The GetById->GetByOffset AI-based optimization should actually do things (r158114)

Dec 04, 2014
============
Don't speculate on ToThis if we already know that arg0 has a questionable record with structure checks (r163513)
DFG doesn't properly keep scope alive for op_put_to_scope (r156003)

Dec 02, 2014
============
Generate put_by_id for bracket assignment with constant string subscript. (r176079)
Generate get_by_id for bracket access with constant string subscript. (r176035)
REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings. (r172727)
Always inline JSValue::get() and Structure::get(). (r169823)

Dec 01, 2014
============
put_to_scope[5] should not point to the structure if it's a variable access, but it should point to the WatchpointSet (r159462)
fourthTier: StringObjectUse uses structures, and CSE should know that (r153287)
fourthTier: Re-worked non-local variable resolution (r153221)

- This revealed a bug where the CFA was modeling CheckStructure on a node that had (r153213)
  a known singleton m_futurePossibleStructure set somewhat differently than the
  constant folder. If the CheckStructure was checking a structure set with two or
  more structures in it, it would not filter the abstract value. But the constant
  folder would turn this into a watchpoint on the singleton structure, thereby
  filtering the value. This discrepancy meant that we wouldn't realize the
  contradiction until the backend, and the AbstractState::bail() method asserts that
  we always realize contradictions in the constant folder.

Nov 27, 2014
============
Remove unnecessary indirection to non-local variable access operations (r142769)

Nov 26, 2014
============
FixupPhase should always call fixEdge() exactly once for every edge (r155593)
FixupPhase's setUseKindAndUnboxBlahbittyblah and fixDoubleEdge methods should be merged and given intuitive names (r155590 partial)
2) The constant folder has a long standing bug! It will fold a node to a constant if (r157327)
   the AI proved it to be a constant. But it's possible that the original node also
   proved things about the constant's structure. In that case "folding" to a
   JSConstant actually loses information since JSConstant doesn't guarantee anything
   about a constant's structure. There are various things we could do here to ensure
   that a folded constant's structure doesn't change, and that if it does, we
   deoptimize the code. But for now we can just make this sound by disabling folding
   in this pathological case.
   
Remove ConstantFoldingPhase's weirdo compile-time optimization (r159074)
fourthTier: NodeExitsForward shouldn't be duplicated in NodeType (r153292 partial)
fourthTier: DFG should do a high-level LICM before going to FTL (r153295 partial)
fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex (r153267 partial)
fourthTier: DFG should support op_switch_imm (r153228 partial)

Nov 25, 2014
============
DFG PhantomArguments shouldn't rely on a dead Phi graph (r161072 partial)
- ClobberSet::add was failing to switch Super entries to Direct entries in some cases. (r153295)
- DFGClobberize.cpp needed to #include "Operations.h".
fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop (r153269)
fourthTier: DFG should be able to query Structure without modifying it (r153120)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 baseline JIT).
fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access (r153281)
fourthTier: isContravenedByStructure is backwards (r153220)
fourthTier: Type check hoisting phase has a dead if statement (r153219)
fourthTier: CheckArrays should be hoisted (r153167)
fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes (r153271)
fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t (r153265)
fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals (r153249)
fourthTier: DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray (r153210)
fourthTier: Clean up AbstractValue (r153208)
fourthTier: AbstractValue methods that deal with watchpoints should have access to Graph, so that in debug mode, Graph can track the history of watchpoint states and detect races (r153129)
fourthTier: DFG should better abstract floating point arguments (r153118)
fourthTier: DFG should better abstract arguments (r153117)
fourthTier: DFG should abstract out how it does forward exits, and that code should be simplified (r153114)

Nov 24, 2014
============
This also fixes a long-standing performance bug where the JSObject slow paths would (r160347)
always create contiguous storage, rather than type-specialized storage, when doing a
"storage creating" storage, like:        
    var o = {};
    o[0] = 42;

Nov 21, 2014
============
Implement object-fit CSS property (r154858)
ASSERT in FrameLoader::shouldInterruptLoadForXFrameOptions (r164435)
X-Frame-Options: Multiple headers are ignored completely. (r147086)
X-Frame-Options should accept ALLOWALL as a valid value. (r144105)
Bring back eager resolution of function scoped variables (r14500 partial)

Nov 20, 2014
============
r157411 fails run-javascriptcore-tests when run with Baseline JIT (r157541)
Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot (r168510 partial)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 partial)
Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary (r157556)
fourthTier: DFG should have its own notion of StructureChain, and it should be possible to validate it after compilation finishes (r153146)
Get rid of the lastResultRegister optimization in the baseline JIT (r159091)

Nov 19, 2014
============
fourthTier: get rid of op_call_put_result (r153200)
fourthTier: LLInt shouldn't store an offset call PC during op_call-like calls (r153199)

Nov 18, 2014
============
fourthTier: rationalize DFG::CapabilityLevel and DFGCapabilities.[h|cpp] (r153179)

Nov 17, 2014
============
fourthTier: DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray (r153210 partial)
fourthTier: observeUseKindOnNode doesn't contain a case for KnownCellUse (r153164)
fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write (r153294)
CodeBlock DFG entry list isn't getting shrunk-to-fit after linking. (r152882)
CodeBlock::m_argumentValueProfiles wastes a lot of memory. (r152848)
[JSC]: Fix maybe-uninitialized gcc 4.8 warning in DFGSpeculativeJIT.cpp (r152280)

Nov 14, 2014
============
Initialize a char* that needs to be initialized. (r169665)
Stop using deprecatedCharactersWithNullTermination in SQLite code (r152134)
WebSQL forces 16-bit strings (r151248)
SQLResultSet.rowsAffected not cleared (r130891)

Nov 13, 2014
============
PropertySlot::setValue is ambiguous (r154113)
Remove no-arguments constructor to PropertySlot (r153677)
Remove no-arguments constructor to PropertySlot (r153673)
More cleanup in PropertySlot (r153556)
Some cleanup in JSValue::get (r153532)
String.prototype.trim removes U+200B from strings. (r167951)
Unreviewed, ARMv7 build fix after r167336. (r167354)
compileMakeRope does not emit necessary bounds checks (r167336)

Nov 12, 2014
============
REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG (r155201 partial)
Some cleanup in PropertySlot (r153454)
fourthTier: Rationalized 'this' conversion, includes subsequent FTL branch fixes (r153145 partial)
REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't! (r157830)
Made AudioNode an EventTarget (r150810)

Nov 11, 2014
============
CachedResourceLoader should check redirections to reuse or not cached resources (r173173)
ASSERTION FAILED: m_history->provisionalItem() == m_requestedHistoryItem.get() when navigating to an uncached subframe (r154306)
REGRESSION (r150169): Images from file: URLs display after a delay even though they were preloaded by JavaScript (r150863)
Resources from non-HTTP schemes should not be cached indefinitely (r150169)

Nov 10, 2014
============
Update all float attributes in HTMLMediaElement to double (r148099 partial)
[WTF] Media time should not have a constructor which accepts a single int or float. (r159443 complete)
[MSE] Add MediaSource extensions to AudioTrack, VideoTrack, and TextTrack (r158821 partial)
[WTF] Media time should not have a constructor which accepts a single int or float. (r159443 partial)
[WTF] Add a multiplication operator (and a few others) to MediaTime (r157992)
Extend the coverage of the Custom Allocation Framework in WTF and in JavaScriptCore (r127484)
Support a rational time class for use by media elements. (r123878)
[MSE] Add support for VideoPlaybackMetrics. (r160336)
[MSE] Add MediaSource extensions to AudioTrack, VideoTrack, and TextTrack (r158821 partial)
High res times should start at 0 (r131001)
[MSE] Refactor MediaSourceBase back into MediaSource (r160258 partial)

Oct 27, 2014
============
WebGL shouldn't allocate a "length" Identifier just to move some numbers around (r149249)

Oct 24, 2014
============
[EME] setMediaKeys function as defined in the EME specification does not work (r153851)

Oct 23, 2014
============
[EME] Implement MediaKeys.isTypeSupported() (r153838)

Oct 21, 2014
============
[MSE] Bring SourceBuffer.append up to the most recent spec. (r158928 partial)
[MSE] Add a SourceBufferPrivateClient interface for platform -> html communication. (r158606)
[MSE] Make MediaSourcePrivate, SourceBufferPrivate classes RefCounted. (r158270)

Oct 17, 2014
============
Fix TimeRanges::intersectWith (r160749)

Oct 16, 2014
============
[MSE] Remove legacy Media Source APIs (WebKitMediaSource, WebKitSourceBuffer, WebKitSourceBufferList) (r158288)
[MSE] Fix runtime errors caused by mediasource IDL attributes. (r158040)
URLMediaSource.idl and URLMediaStream.idl are wrong (r157054)
Conditional support in bindings code generator for overloaded functions (r157048)
[MSE] Throw exception when setting timestampOffset while 'updating' state is set. (r156058)
Merge blink MediaSource changes since fork. (r156049)
Remove MediaSource 'ended' to 'open' transition when seeking. (r137480)
Add support for MediaSource::isTypeSupported() (r146360)

Oct 15, 2014
============
Factor SourceBuffer methods out of MediaSourcePrivate & WebMediaSource into SourceBufferPrivate & WebSourceBuffer respectively. (r144328)
Fix SourceBufferList so SourceBuffer.append() calls are always rejected after the MediaSource is closed. (r144203)
Update MediaSource to allow append() calls in "ended" state. (r137332)
Fire suspend event whenever network state is set to NETWORK_IDLE. (r125054)
Factor MediaSource methods out of MediaPlayer & MediaPlayerPrivate and into a new MediaSourcePrivate interface. (r143826)
Resource leak related to gstreamer and videos (r153937)
Potential use-after-free with an event fired at a HTMLMediaElement which is currently being deleted (r151600)
Use-after-free in media player handling (r135906)

Oct 10, 2014
============
[EME] setMediaKeys function as defined in the EME specification does not work (r153851)
Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement (r145162)

Oct 09, 2014
============
EME: Add a CDMPrivate implementation using AVFoundation. (r143258)
Add a CDMClient class which allows the CDM to query for the currently attached MediaPlayer. (r143072)
EME: replace MediaKeySession.addKey() -> update() (r142918)
Bring WebKit up to speed with latest Encrypted Media spec. (r142327)

Oct 08, 2014
============
Fix cast-align warnings in JavaScriptCore/heap/HandleBlockInlines.h (r152225)
Remove String::deprecatedCharactersWithNullTermination() and related code (r152201)
Add a new String::charactersWithNullTermination() function that returns a vector (r152142)
Stop using deprecatedCharactersWithNullTermination in SQLite code (r152134)
Add JSStringCreateWithCharactersNoCopy SPI (r152052)
Remove minimum window size for PagePopup (r124753)
Fix layoutMod in fractional layout units. (r124745)
http/tests/inspector/indexeddb/database-structure.html start to crash after r124675 (r130198)
Fix null pointer dereference when CSSParser::sinkFloatingValueList() returns null and is passed to storeVariableDeclaration(). (r124723)
Don't reuse cached stylesheet with failed or canceled resource loads (r124720)
REGRESSION (tiled drawing): Pages scroll bars flash with each character you type in a textarea (affects Wikipedia and YouTube) (r124714)
HTMLMediaElement may fire the seeked event before currentTime reaches the seek time (r124713)
CSS 2.1 failure: overflow-applies-to-001 fails (r124697)
Disabling eval changes the timing of DidCreateScriptContext (r124689)
[SVG] Tref target event listener cleanup (r124681)
IndexedDB: Core upgradeneeded logic (r124540 + r124545 rolled out + r124675)
Implement computePreferredLogicalWidths on RenderGrid (r124671)
Switch mapLocalToContainer to use a flag instead of boolean parameters (r124662)

Oct 07, 2014
============
[JSC] Test262 15.5.4.9_3 test is failing (r151159)
Incorrect assertion in DFG::Graph::uncheckedActivationRegisterFor() (r151045)

Oct 02, 2014
============
RefCountedArray needs to use vector initialisers for its backing store (r150160)
Improve stringProtoFuncLastIndexOf for the prefix case (r150042)
Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase (r149911)	
Stop using WTF::deleteAllValues in JavaScriptCore (r149633)
Build with GCC 4.8 fails because of -Wmaybe-uninitialized (r149622)
Removed op_ensure_property_exists (r149418)

Sep 25, 2014
============
Unify the data access of StringImpl members from JavaScriptCore (r149344)
Cleaned up pre/post inc/dec in bytecode (r149247)
Filled out more cases of branch folding in bytecode when emitting expressions into a branching context (r149236)
       
Sep 24, 2014
============
Crash when a clip path referencing a clip path changes documents (r124631)
Crash in Notification when setting a non-object as an event listener (91881) (r124626)
Delete text from password does nothing. (r124586)
Make order of attribute/method in HTMLTrackElement.idl as same as specification (r124562)
Fix crashes for <input> and <textarea> with display:run-in. (r124556)

Sep 18, 2014
============
regression(r124510) webintents/web-intents-obj-constructor.html is crashing (r125513)
Regression(r124564): Wrong inlineChildrenBlock->hasLayer() computed in RenderBlock::removeChild. (r124580)
Unreviewed r124536 followup, fix the assertion error on Chromium. (r124577)
Crash due to layer not removed from parent for anonymous block. (r124564)
Read tag names and attributes from the saved tokens in HTMLTreeBuilder::callTheAdoptionAgency(AtomicHTMLToken*) (r124536)
A few objects aren't being safely protected from GC in all cases (r124510)
DOM4: className should be defined on Element and not on HTMLElement (r124499)

Sep 08, 2014
============
Do not dispatch modification events in SVG attribute synchronization (r124485)
Check if the last table element's parent node is an element when determining the foster parent element. (r124465)
Move number localization code in LocaleICU.cpp to new class (r124459)
Alignment issue for readTime in PluginDatabase.cpp (r124441)
CSSRegions: Crash when reattaching a region to a named flow. (r124425)

Sep 03, 2014
============
REGRESSION(r102741): [Forms] In selects, when disabled, browser skips first option if not in optgroup, then selects first option in optgroup (r124416)
Chromium Android build fix after r124402. Initialize the out variables as suggested by the compiler. (r124411)
The elements in Shadow DOM of input should not be modifiable. (r124407)
IndexedDB: ObjectStoreMetaDataKey::m_metaDataType should use byte type (r124402)
Read tag names and attributes from the saved tokens in HTMLElementStack (r124379)
CSP should correctly block plugin resources rendered in PluginDocuments. (r124371)
SVG animation not working for elements inserted after parsing is finished (r124369)
IndexedDB: IDBCursor.continue(key) does not throw for key "behind" cursor (r124361)
Read tag names and attributes from the saved tokens in HTMLFormattingElementList::closestElementInScopeWithName(const AtomicString&) (r124357)
IndexedDB: inject index keys on cursor/objectstore/index get success handlers (r123843)

Aug 27, 2014
============
REGRESSION (r139343): WebKit crashes when canceling a load inside webView:resource:didFinishLoadingFromDataSource: (r154115)
We should clear mainResource in DocumentLoader::cancelMainResourceLoad. (r150150)
FrameLoaderClient::assignIdentifierToInitialRequest() not called for the main resource when loaded from the memory cache (r148182)
Make a bunch of DocumentLoader functions private (r147336)
REGRESSION (r146239): Reproducible crash in WebCore::DocumentLoader::responseReceived. (r146626)
Merge MainResourceLoader into DocumentLoader (r146449)
REGRESSION(r146223): chromium asserts/crashes in DocumentLoader (r146267)
Merge MainResourceLoader's SubstituteData loading + others into DocumentLoader (r146239)
Merge MainResourceLoader::responseReceived into DocumentLoader (r146216)
Merge MainResourceLoader::willSendRequest into DocumentLoader (r145973)
Hide MainResourceLoader from the outside world (r145914)
Rename FrameLoaderClient::download to convertMainResourceLoadToDownload (r137845)
Warn when parsing an invalid X-Frame-Options header. (r133868)
Move mixed content logic out of FrameLoader (r131704)

Aug 26, 2014
============
Loader cleanup : Simplify FrameLoader/DocumentLoader setupForReplace() (r130651)

Address review feedback I forgot to address in r148929 (r148932)
REGRESSION (r141136): Wiki "Random article" function very broken. (r148929)
Returning NULL from willSendRequest should cancel a load from the memory cache (r147829)
REGRESSION(r137607): Redirecting a post to a get then reloading triggers resubmit warning (r145735)
Merge MainResourceLoader's didFinishLoading and dataReceived into DocumentLoader (r145734)
REGRESSION: Reloading a local file doesn't pick up changes (r142707)
REGRESSION(r141136): Apple's internal PLT test suite doesn't finish (r142024)
Cached main resources report a zero identifer on 304s (r141615)
REGRESSION (r138962): Fails to show "confirm form resubmission", hangs browser (r141462)
Apple's internal PLT test suite doesn't finish after r141136 (r141306)
.: Enable reuse of cached main resources (r141136)
Preserve container size requests across image loads (r140722)
ResourceHandle::willLoadFromCache is evil (r138962)
Rename shouldBufferData to dataBufferingPolicy (r138285)
Queue container size requests while images are loading. (r137981)

REGRESSION (r137607): Loading of archives as substitute data is broken (r141811)
Replace unnecessary null-checks with an assert in MainResourceLoader::continueAfterNavigationPolicy. (r139350)
REGRESSION(r138222): WebDocumentLoaderMac-related leaks seen on Leaks bot (r139343)
REGRESSION(r138222?): [Mac WK1] http/tests/appcache/main-resource-redirect.html asserts in WebFrameLoaderClient::dispatchDidFinishLoading (r139150)
REGRESSION (r138222?): Assertion failure on appcache/main-resource-redirect.html (r138782)
[Qt]REGRESSION(r138222): It made fast/forms/number/number-spinbutton-click-in-iframe.html crash (r138258)
REGRESSION(r137607): resource load client callbacks are not called for the main resource when loading HTML string (r138222)
REGRESSION(r137607): PluginDocument loads consume huge amounts of memory (r138174)
REGRESSION (r137607): Cannot download files, stuck in Preparing to download (r138012)
Route main resource loads through the memory cache. (r137607)
Make MainResourceLoader not use m_frame directly. (r136412)
Move empty loading to DocumentLoader, simplify FrameLoader::init() (r136031)
Add a main resource type to the memory cache (r132520)
Crash in WebCore::SubresourceLoader::willSendRequest. (r132287)
Add timeout support to XMLHttpRequest (r132252)
Refactor CachedResourceLoader: add CachedResourceRequest (r132157)
Reorder some functions in SubresourceLoader to permit main resources (r131919)
Move ResourceRequest construction out of SubresourceLoader (r131660)
Re-order CachedRawResource::data() to set m_data earlier (r131467)
Switch ResourceLoader::resourceData() from SharedBuffer to ResourceBuffer (r131085)
Switch over CachedResource::data() from taking a SharedBuffer to taking a ResourceBuffer. (r130983)
Switch CachedResource over from SharedBuffer to a new ResourceBuffer (r130947)
Make CachedResourceLoader RefCounted and have both Document and DocumentLoader hold RefPtrs. This is in preparation for caching main resources. (r130817)
Reland "Add in-place reload behavior to ImagesEnabled setting" with optimizations (r129462)
ResourceErrorBase needs to identify timeouts (r127495)
@import url("#foo") causes stack overflow (r125852)
Remove StyleSheetContents::m_finalURL  (r125805)

Aug 21, 2014
============
fourthTier: SpeculativeJIT::checkArray should use the correct ExitKind (r153157)
DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing (r158608)
DFG optimizes out strict mode arguments tear off (r154217)
DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray,
  and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants (r153778)
DFG is not enforcing correct ordering of ToString conversion in MakeRope (r153615)
	
Aug 20, 2014
============
HTMLTreeBuilder passes a wrong token when pushing the head element (r124353)
[CSS Regions] The regionLayoutUpdate event should be dispatched on the NamedFlow object (r124350)
CSS 2.1 failure: margin-collapse-012 fails (r124347)
[CSS] Add selectors for multiple fields time input UI. (r124314)
Make HTMLConstructionSite::createHTMLElement(AtomicHTMLToken*) private. (r124310)
ColorInputType::typeMismatchFor is returning the opposite bool (r124299)
-webkit-flex-flow does not work with inherit/initial values (r124297)
Float imprecision causes incorrect wrapping in LineLayout with subpixel layout (r124295)
Refactor EventDispatcher::dispatchEvent() so that we can call each phase (Caputure, Target and Bubbling) of event dispatching separately. (r124291)
-webkit-order should take an integer, not a number (r124276)
Stop masking 8 bits off of the visited link hash. We need all the bits! (r124268 revisited)
Read tag names and attributes from the saved tokens in HTMLTreeBuilder::processEndTag(AtomicHTMLToken*) (r124262)
FractionalLayoutUnit minor math bugs (r124253)

Aug 19, 2014
============
AudioPannerNode should raise exception when distanceModel is set incorrectly (r124237)
[CSS Shaders] CSS parser rejects parameter names that are also CSS keywords (r124233)
Caret position is wrong when a editable container has word-wrap:normal set (r124231)
xmlserializer strips xlink from xlink:html svg image tag (r124210)
Slider ticks are drawn at wrong positions (r124198)
Older ShadowDOM is still rendered when a new ShadowDOM is added when they don't have any InsertionPoints. (r124196)
Inspector crashes when trying to inspect a page with CSS region styling (r124186)
Change Element::isReadOnlyFormControl to Element::shouldMatchReadOnlySelector/shouldMatchReadWriteSelector or HTMLFormControlElement::readOnly (r124180)
There is no way to tell whether an element can be activated or not (r124022)
REGRESSION(r124168): Null crash in RenderLayer::createScrollbar (r129955)
Crash in RenderTableCell::borderTop() due to custom scrollbars after r124168 (r126591)
Remove overflow: scroll handling in block flow layout methods (r124168)
fillWithEmptyClients method should also initialize chromeClient with EmptyChromeClient (r124162)

Aug 18, 2014
============
Make QuotesData use a Vector of pairs (r124157)
Node::replaceChild() can create bad DOM topology with MutationEvent, Part 2 (r125237)
Node::replaceChild() can create bad DOM topology with MutationEvent (r124156)
[Forms] Get rid of Element::isReadOnlyFormControl other than CSS related (r124146)
Regression(r124135): SVG tests crashing on ports using Cairo (r124212)
Unreviewed crash fix after r124135. (r124181)
Grid Demo spends 1.5% of total time allocating Path objects in RenderBoxModelObject::paintBorderSides (r124135)
Crash at WebCore::PluginData::pluginFileForMimeType const + 38 (r134903)
Plugin diagnostic logging should send plugin file basename instead of MIME type. (r134083)
Crash in WebCore::logPluginRequest + 183 (r126921)
Crash in logging code if MIME type is null (r124102)
new flexbox should ignore float set on flexitems (r124064)
ASSERTION FAILED: !rect.isEmpty()  : void WebCore::GraphicsContext::drawRect(const WebCore::IntRect &) (r124044)
[Bindings]Remove custom JS/V8 bindings for WebSocket::close() using [Clamp] (r124034)
Prohibit having AuthorShadowDOM of input or textarea element for a while and having a flag to enable it in Internals. (r124027)
Wheel events on a page with frames are not handled in fixed layout (r124024)
Remove an useless member variable, m_shouldPreventDispatch, from EventDispatcher. (r124019)
Remove an unused member variable, m_originalTarget, from EventDispatcher. (r124014)

Aug 15, 2014
============
Remove unnecessary code which set event's target from EventDispatcher::dispatchEvent. (r124009)
Fix removing invalid values from color input suggestions (r123997)
getChannelData should raise exception when index is more than numberOfChannels. (r123996)
forward-delete in the last cell of a table moves the caret after the table (r123995)
Remove unused method HTMLConstructionSiteTask::take(HTMLConstructionSiteTask&) (r123992)
Hit testing in the gap between pages returns incorrect results in flipped blocks writing modes (r123990)
RenderBlock::offsetForContents() is wrong in flipped blocks writing modes (r123977)
Size changes on a layer with negative z-index children don't repaint correctly (r123972)
Ignore visibility:hidden elements when computing compositing layer bounds (r123971)
[V8] Optimize Element::getAttributeNS() by replacing String with AtomicString (r123944)
Reset the set of "seen" plugins when the main frame load is committed. (r123942)
execCommand copies the backgroung-color of the enclosing element to the element being edited. (r123940)
Plugins should not be allowed to override standard properties/attributes in non-standard worlds (r123936)
Add diagnostic logging for plugins-per-page. (r123930)
Build warning in CSSPrimitiveValueMappings.h when CSS_STICKY_POSITION is disabled (r123928)
Search cancel button is hard to activate with a tap gesture even if touch adjustment is enabled. (r123919)
Animated SVGs do not clear previous frame completely in hidpi mode. (r123914)
Fix COMPILE_ASSERT for InlineFlowBox growing (r123913)
-webkit-background-clip:text is blurry in WebKit 1 apps when deviceScaleFactor > 1 (r123912)

Aug 13, 2014
============
REGRESSION: flexbox content-size fails to exclude scrollbar (r124278)
flex-wrap: wrap not wrapping for % sized items in column flow (r123909)
Show the unavailable plug-in indicator for Java applets as well (r123907)
CSP directives containing invalid characters should log an error. (r123899)

Aug 12, 2014
============
Improve touch adjustment for targetting small controls. (r123889)
Microdata: Remove toJs() and toV8Object() custom methods from JSHTMLElementCustom.cpp and V8HTMLElementCustom.cpp respectively. (r123880)
Initialize the Event Names' string from read only memory (r124616)
REGRESSION (r123837): Full screen transition is broken at apple.com (r148065)
Make transitions work between different Length types (r123837)
Blocks with reverse column progression dont have layout overflow for overflowing columns (r123835)
De-virtualize WrapShape classes (r123830)
Reloading substitute-data/alternate html string for unreachableURL will add an item to the back-forward-history for each reload (r123823)

Aug 11, 2014
============
[WebGL] Initial size of canvas can be larger than MAX_VIEWPORT_DIMS. (r123816)
[Qt] Build fix for Qt after r123811 (r123838)
HTMLAppletElement should inherit from HTMLPlugInImageElement (r123811)
Use the constant count of Tags/Attributes names instead of getting the size when obtaining the tags/attributes (r123804)
Guard Prerenderer against inserting prerenders into detached documents. (r123798)
Outline is always painted on the first table row regardless of the row it's set on (r123793)
Href attribute with javascript protocol is stripped when content is pasted into a XML doucment (r123788)
<svg> element with no intrinsic size and max-width gets sized incorrectly (r123785)
Add diagnostic messages when media and plugins load or fail to load. (r123780)
Unreviewed, rolling out r123525. (r123794)
Unreviewed, rolling out r123159, r123165, r123168, r123492, and r123650. (r123779)
Add a ChromeClient method to send diagnostic logging messages from WebCore to the client. (r123778)
Move region from HitTestResult to HitTestPoint. (r123754)
[WebGL] ANGLEWebKitBridge should support ESSL platforms (r123749)
Add a MediaPlayer API to retrieve the description of the current media engine. (r123747)
Web Inspector: Edits of styles declared after invalid selector are not applied (r123746)
[WebGL] GraphicsContext3D::readPixels has extraneous code from GraphicsContext3D::readPixelsIMG (r123745)
MediaStream API: Remove DeprecatedPeerConnection (r123724)
CSP 1.1: Implement the Content Security Policy script interface. (r123722) 
Fix null ptr deref in CSSParser::storeVariableDeclaration(). (r123714)
Add UserAgentShadowDOM to FormControlElement just before adding AuthorShadowDOM (r123713)
Repalce "int" with "long" from WebCore/*.idls (r123705)
The elements in ShadowDOM of meter or progress should not be modifiable. (r123704)
[WebGL] fast/canvas/webgl/framebuffer-object-attachment.html fails on certain platforms (r123699)
IndexedDB: IDBTransaction::abort() should throw DOMException (r123698)
Regression: r123696 made css3/flexbox tests failing (r123783)
flexitems can overflow the flexbox due to rounding (r123696)
[Forms] Move HTMLInputElement::updateInnerTextValue to InputType class (r123687)
In flipped blocks, a point on the top edge of a text box is considered outside the box (and vice versa) (r123988)
In flipped blocks, a point on the top edge of a box is considered outside the box (and vice versa) (r123980)
In flipped lines writing modes, hit testing at the beginning of a column may return a result from the previous column (r123973)
Hit testing near a column break can return a result from an adjacent column when there is leading (r123904)
Hit testing in one column or in the gap between cloumns along the block axis can return a result from the wrong column (r123684)
IndexedDB: Make db.version return an integer if appropriate (r123683)
Read tag names and attributes from the saved tokens in HTMLTreeBuilder::resetInsertionModeAppropriately. (r123671)
It is invalid when both numberOfInputChannels and numberOfOutputChannels to be zero in JavaScriptAudioNode. (r123662)

Aug 06, 2014
============ 
Fix potential bug in lookup logic (r149496)

Aug 05, 2014
============ 
Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0 (r154630)
DFG should CSE MakeRope (r153242)
DFG string concatenation optimizations might emit speculative nodes after emitting nodes that kill the original inputs (r153075)

Aug 01, 2014
============ 
MakeRope fixup shouldn't lead to an Identity without kids (r152742)
Optimize addStrackTraceIfNecessary to be faster in the case when it's not necessary (r152606)	
Going to google.com/trends causes a crash (r151709 complete)
Function names on Object.prototype should be common identifiers (r151605)	
Remove LiteralIdentifierTable (r151578)	
JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com (r151273 complete)
We broke (-2^31/-1)|0 in the DFG (r150694)
We broke !(0/0) (r150659) 
fourthTier: Get rid of StructureStubInfo::bytecodeIndex (r153205)

Jul 30, 2014
============
JSString::toAtomicString() should return AtomicString. (r168384)
fourthTier: all cached put_by_id transitions, even ones that weren't inlined by the DFG, should be propagated by the GC (r153206)
IndexingTypes should use hex (r149304)
Add support for Math.imul (r149159)
PreciseJumpTargets should treat loop_hint as a jump target (r149154) 
Fix problems with processing negative zero on DFG. (r149152)
Stack guards are too conservative (r149146)	
Stack guards are too conservative (r149136)	
Add watchdog timer polling for the DFG. (r149089)
Special thunks for math functions should work on ARMv7 (r149082)

Jul 29, 2014
============
JSC Assertion tests failures on MIPS. (r151228)		
Filled out more cases of branch folding in the DFG (r149041 + r149050)
Global constructors should be configurable and not enumerable (r149001)
Simplify the baseline JIT loop hint call site. (r148989) 
Fix a typo in MacroAssemblerARMv7.h. (r148942)
Change baseline JIT watchdog timer check to use the proper fast slow path infrastructure. (r148893 + r148899)
Improve StringImpl code density for older ARM hardware (r148857)
Refactor identical inline functions in JSVALUE64 and JSVALUE32_64 sections out into the common section. (r148820)
Rename JSStringJoiner::build() to join() (r148767)

Jul 28, 2014
============
Use StringJoiner to create the JSString of arrayProtoFuncToString (r148721)
Interpreter entry points should throw the TerminatedExecutionException from the caller frame. (r148709)
DFG: Negative size for new Array() interpreted as large unsigned int (r148130 + r148207)
Adds fromCharCode intrinsic support. (r147985)	
DFG should be able to inline string equality comparisons (r147965)
REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests (r147933)
Use Vector::reserveInitialCapacity() when possible in JavaScriptCore runtime (r147887)
Inspector should display information about non-object exceptions (r147872)
Stop pretending that statements return a value (r147677)

Jul 25, 2014
============
Simplified bytecode generation by merging prefix and postfix nodes (r147658)
a = data[a]++; sets the wrong key in data (r127676)
Bug, assignment within subscript of prefix/postfix increment of bracket access (r127666)
Merge prefix/postfix nodes (r127654)
Remove an unused variable from the ARMv7 Assembler (r147316)
fix a comment. While thinking about TBAA for array accesses (r147290)
Move Region into its own header (r147282)
Simplified bytecode generation by unforking "condition context" codegen (r147234)
Simplified the bytecode by removing op_jmp_scopes (r147184)
Removed a dead field. (r147054 + r147055)

Jul 24, 2014
============
Removed some dead code in the DFG bytecode parser (r147053)
JIT and DFG should NaN-check loads from Float32 arrays (r147047)
DFG should use CheckStructure for typed array checks whenever possible (r146996)
REGRESSION: Sometimes, operations on proven strings ignore changes to the string prototype (r146947)
Fix unused parameter warnings in JITInlines.h (r146869)
opaqueJSClassData should be cached on JSGlobalObject, not the JSGlobalData (r146682)
Leak bots erroneously report JSC::WatchpointSet as leaking (r146568)
JSC profiler should have an at-a-glance report of the success of DFG optimization (r146548)
Heap::collect shouldn't be responsible for sweeping (r161429)
fourthTier: DFG should be able to run on a separate thread (r153169 partial)
"" + x where x is not a string should be optimized by the DFG to some manner of ToString conversion (r146400)
It's called "Hash Consing" not "Hash Consting" (r146383)	
DFG implementation of op_strcat should inline rope allocations. (r146382)
RELEASE_ASSERT fires in exception handler lookup (r146255)

Jul 21, 2014
============
MacroAssemblerARM should use xor to swap registers instead of move (r150748)
Added missing assert condition for PositiveOrZero in ARM branch32(). (r150449)
Remove code duplicates from MacroAssemblerARM (r148134)
REGRESSION(r146089): It broke 20 sputnik tests on ARM traditional and Thumb2 (r146309)
DFG should optimize StringObject.length and StringOrStringObject.length (r146247)
Implement and32 on ARMv7 and ARM traditional platforms (r146195)
DFG ToString generic cases should work correctly (r146179)
DFG should inline binary string concatenations (i.e. ValueAdd with string children) (r146164)
JSC_NATIVE_FUNCTION() takes an identifier for the name and then uses #name, which is unsafe if name was already #define'd to something else (r146157)
DFG string conversions and allocations should be inlined (r146089)

Jul 18, 2014
============
ObjectPrototype properties should be eagerly created rather than lazily via static tables (r146071)
Add runtime check for improper register allocations in DFG (r145931)
Remove the SegmentedVector inline segment to shrink CodeBlock by 6X (r151755)

Jul 17, 2014
============
Change most call sites to call ICU directly instead of through WTF::Unicode (r157330)

Jul 16, 2014
============
Harden JSStringJoiner (r145594)
DFG generic array access cases should not be guarded by CheckStructure even of the profiling tells us that it could be (r145578)
SpeculativeJIT should use OwnPtr<SlowPathGenerator>. (r145329)
Crash in SpeculativeJIT::fillSpeculateIntInternal<false> on http://bellard.org/jslinux (r146263)	
DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination (r144973 complete)
Pack Structure members better. (r144957)	

Jul 15, 2014
============
Unused Structure property tables waste 14MB on Membuster. (144910)
Get rid of the invert argument to SpeculativeJIT::jumpSlowForUnwantedArrayMode (r144886)
Add simple vector traits for JSC::Identifier. (r144641)
Add casts in DFGGPRInfo.h to suppress warnings (r144365)	
Potential crash in YARR JIT generated code when building 64 bit (r144083)
DFG backend Branch handling has duplicate code and dead code (r143276)
Remove support for bytecode comments, since it doesn't build, and hasn't been used in a while. (r143122)
Structure should be more methodical about the relationship between m_offset and m_propertyTable (r143097)
Yarr: Use OwnPtr to make pattern/disjunction/character-class ownership clearer. (r143018)
JSC asserting with long parameter list functions in debug mode on ARM traditional (r142616)
Structure::m_outOfLineCapacity is unnecessary (r141295)
Added TriState to WTF and started using it in one place (r141588)
Structure should have a StructureRareData field to save space (r141651)
Structure::m_enumerationCache should be moved to StructureRareData (r141681)
Structure::m_outOfLineCapacity is unnecessary (r141916)
Don't also clone StructureRareData when cloning Structure. (r145947)

Jul 11, 2014
============
ConvertThis should be turned into Identity based on predictions in Fixup, rather than based on proofs in ConstantFolding (r145052)
The DFG fixpoint is not strictly profitable, and should be straight-lined (r145143)
DFG doesn't support to_jsnumber (r149162)
DFG CFA should leave behind information in Edge that says if the Edge's type check is proven to succeed (r144340)
[JSC] Fix sign comparison warning/error after r144340. (r144452)
It should be easy to determine if a DFG node exits forward or backward when doing type checks (r144362)
Rename MovHint to MovHintEvent so I can create a NodeType called MovHint (r144477)
DFG DCE might eliminate checks unsoundly (r144862)
Unreviewed, fix an incorrect comment. The comment was a holdover from a work-in-progress version of this code. (r144864)
DFG should not check if nodes are shouldGenerate prior to DCE (r144939)
DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way (r145145)
Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData (r146268)	
DFG bytecode parser is too aggressive about getting rid of GetLocals on captured variables (r145828)

Jul 10, 2014
============
DFG FixupPhase should have one common hook for knowing if a node is ever being speculated a certain way (r143817)
The DFG special case checks for isCreatedThisArgument are fragile (r143955)
The DFG backend's and OSR's decision to unbox a variable should be based on whether it's used in a typed context (r144131)
REGRESSION(r144131): It made fast/js/regress/string-repeat-arith.html assert on 32 bit (r146945)
DFG overflow check elimination is too smart for its own good (r145489 complete)
Fix problems with processing negative zero on DFG. (r149152 partial)
DFG should not change its mind about what type speculations a node does, by encoding the checks in the NodeType, UseKind, and ArrayMode (r143654)
Fix a typo that broke the 32 bit build. (r143679)
REGRESSION(r143654): some fast/js test crashes on 32 bit build (r143800)
DFG::Edge should have more bits for UseKind, and DFG::Allocator should be simpler (r143958)
REGRESSION(r143654): some jquery test asserts on 32 bit debug build (r144005)
DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live (r144486)	
32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean (r149128)
DFG assumes that NewFunction will never pass its input through (r152813)
DFG CompareEq optimization should be retuned (r142636)
DFG::ByteCodeParser should do surgical constant folding to reduce load on the optimization fixpoint (r142162)

Jul 09, 2014
============
DFG should allow phases to break Phi's and then have one phase to rebuild them (r142377 partial)
Remove dead code for ValueToNumber from the DFG. (r143165)
Remove DFG::SpeculativeJIT::isStrictInt32(), since it's not called from anywhere. (r143167)
Remove DFG::SpeculativeJIT::isKnownNumeric(), since it's not called from anywhere. (r143168)
DFG::SpeculativeJIT::isKnownXYZ methods should use CFA rather than other things (r143242)
Get rid of DFG::DoubleOperand and simplify ValueToInt32 (r143241 complete)
DFG CompareEq(a, null) and CompareStrictEq(a, const) are unsound with respect to constant folding (r142515)	
Add 8 bit string data path to TextRun (r127801)
Added 8 bit path to WidthIterator::advance() (r128504)
Specialize nextBreakablePosition depending on breakNBSP (r127974)

Jul 08, 2014
============
Build fix with newer bison 2.6. (r124099)

Jul 07, 2014
============
Use immutable StylePropertySets for element inline style declarations. (r126524)	
REGRESSION(r126524): Heap-buffer-overflow in WebCore::StylePropertySet::copyPropertiesFrom (r126755)

Jul 04, 2014
============
Simplify ContainerNode::removeChildren (r149386)
ContainerNode::removeChildren should first detach the children then remove them (r148754)

Jun 27, 2014
============
Be a little more conservative about emitting table-based switches (r141222)	
DFG::CFGSimplificationPhase::keepOperandAlive() conflates liveness and availability (r141544)

Jun 26, 2014
============
DFG should not use a graph that is a vector, Nodes shouldn't move after allocation, and we should always refer to nodes by Node* (r141069 partial)

Jun 24, 2014
============
Optimize JSRopeString for resolving directly to AtomicString. (r168256 + r168267 + r168329)
Optimize PutByVal when subscript is a rope string. (r168300)
Optimize GetByVal when subscript is a rope string. (r168335 partial)
8.8% spent in Object.prototype.hasOwnProperty() on sbperftest. (r168549)

Jun 19, 2014
============
Convert HTML parser to handle 8-bit resources without converting to UChar* (r123560 + r123635 + r123679 + r123943 + r124679)
Stop masking 8 bits off of the visited link hash. We need all the bits! (r124268)

Jun 17, 2014
============
WebCore::findAtomicString(PropertyName) always convert the name to 16bits (r125356)
Add ability to create AtomicString using LChar* buffer and length (r125958)	
Store CString data in the CStringBuffer to avoid the double indirection (r126191)
WTF Threading leaks kernel objects on platforms that use pthreads (r126208)
Even up WTF::String to CString functions (r126780 + r127093)
AtomicString(ASCIILiteral) should not compile (r127233)
16 bit JSRopeString up converts an 8 bit fibers to 16 bits during resolution (r127809)
StringBuilder::toAtomicString() can create an 16 bit string with 8 bit contents (r127821)	
equalIgnoringCase of two StringImpls doesn't handle 8 bit strings (r127887)
StringImpl::find(StringImpl*) doesn't handle cases where search and match strings are different bitness (r127928)
Fix for WTF fails to compile in thumb mode when llint is enabled. (r128557)

Jun 13, 2014
============
webkitsourceopen event doesn't always fire (r132115)
Remove image decoding in some BitmapImage metadata functions (r125154)
Report frame bytes by platform ImageDecoder (r126892)
Don't attempt to destroy decoded frame if a BitmapImage doesn't have encoded raw data. (r156681)

Jun 12, 2014
============
GetById->GetByOffset and PutById->PutByOffset folding should mark haveStructures since it may result in structure transition watchpoints (r158680)

Jun 11, 2014
============
Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only) (r145417)
JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com (r151273 partial)
fourthTier: Structure transition table keys don't have to ref their StringImpl's (r153141)
fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled (r153159)

Jun 10, 2014
============
ScriptExecutionContext::stopActiveDOMObjects iterates a hash map that can change during iteration (for multiple reasons, including GC) (r167579 partial)
REGRESSION: Crash when opening a message on Gmail (r153381 partial)
Fix assertion during detach of SVG wrappers without baseVal (r124733)		
Generalize DocumentWeakReference into WTF::WeakPtr (r139780)
Clear SVGPathSeg role on removal. (r143454)	
Use [ImplementedAs] instead of special casing in the bindings generators (r152844)
Fix lifetime handling of SVGPropertyTearOffs (r164917)

Jun 09, 2014
============
Skip SVG repaint tracking when parent container transforms (r133786)
Prevent skipped repaints for children of inner SVG elements (r141645)
[SVG] OOB access in SVGListProperty::replaceItemValues() (r142759)
444kB below CSSParser::parseDeprecatedGradient() on Membuster3. (r129996)
349kB below SelectorDataList::initialize() on Membuster3. (r130088)
Give CSSValueList backing vector an inline capacity. (r130292)
1.18MB below RenderTableSection::setCachedCollapsedBorderValue() on Membuster3. (r130718)
Avoid doing work in RenderBox::outlineBoundsForRepaint() when the repaintContainer is this (r152212)
Remove redundant check for negative values when using WebCore::Color::alpha() (r126452)
Support for background-clip:content-box and padding-box with border-radius (r131402)
Boxes with rounded corners and thin borders are too slow to draw (r134631)
REGRESSION (r134631) of border-radius percentage with border pixel (r144196)

Jun 06, 2014
============
changing -webkit-order should change the paint order of flex items (r123842)
flexbox should avoid floats (r124279)
flexbox does wrong baseline item alignment in columns (r130110)
inline-flex baseline is sometimes wrong (r130405)
Fix some baseline flexbox alignment (r132104)
Change baselinePosition and maxAscent/maxDescent to int (r132112 partial)

Jun 05, 2014
============
DFG overflow check elimination is too smart for its own good (r145489 partial)

Jun 03, 2014
============
fourthTier: DFG GetById patching shouldn't distinguish between self lists and proto lists (r153217)

May 30, 2014
============
releaseExecutableMemory() should canonicalize cell liveness data before it scans the GC roots. (r148616)
	
May 29, 2014
============
RegExpMatchesArray should not call [[put]] (r154612)
Setting a large numeric property on an object causes it to allocate a huge backing store (r153374 + r154633)

May 27, 2014
============
I pity da foo' who's converting numbers to strings (r131258)	
JSC should have property butterflies (r128400 complete)
fourthTier: It should be possible to query WatchpointSets, and add Watchpoints, even if the compiler is running in another thread (r153124 partial)
fourthTier: WatchpointSet should make racy uses easier to reason about (r153131 partial)
Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html (r158341 partial)	
[ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure (r170728)
Rename WatchpointSet::notifyWrite() should be renamed to WatchpointSet::fireAll() (r159528 partial)
REGRESSION: 2x regression on Dromaeo DOM query tests (r160628 partial)	
Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingL (r136060)
Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent (r136062)

May 23, 2014
============
PropertyNameArray::m_shouldCache is only assigned and never used (r123989)
get_by_pname can become confused when iterating over objects with static properties (r147570)
JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (r148036)
JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (r148142)

May 22, 2014
============
Pack create_hash_table tables better. (r156009)
Reduce memory use for static property maps (r165603 partial + r165606)

May 21, 2014
============
fourthTier: The DFG JIT should populate frame bytecodeOffsets on OSR exit. (r153207 partial)
fourthTier: Disambiguate between CallFrame bytecodeOffset and codeOriginIndex. (r153209)
fourthTier: CallFrame::trueCallFrame() should populate the bytecodeOffset field when reifying inlined frames. (r153211)
fourthTier: 32-bit CallFrame::Location should use Instruction* for BytecodeLocation, not bytecodeOffset. (r153212)
Unify Number to StringImpl conversion (r126658 + r127991)
Unify the many and varied stack trace mechanisms, and make the result sane. (r147858 partial)
JSC: Fix interpreter misbehavior in builds with JIT disabled (r149134)

May 13, 2014
============
DFG::SpeculativeJIT::compileInt32ToDouble() has an unnecessary case for constant operands (r143562)
DFG CFA should not do liveness pruning (r144401)        
DFG CSE phase shouldn't rely on ref count of nodes, since it doesn't have to (r144481)
DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live (r144486)
DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination (r144973 partial)
The DFG fixpoint is not strictly profitable, and should be straight-lined (r145143 partial)
Incorrect behavior on emscripten-compiled cube2hash (r154344)
DFG should have a precise view of jump targets (r141931)
Simplified the bytecode by removing op_loop and op_loop_if_* (r147190)
PreciseJumpTargets should treat loop_hint as a jump target (r149154)
get_callee and to_this aren't properly cleared during finalizeUnconditionally (r156787)

May 13, 2014
============
EFL: Unsafe branch detected in compilePutByValForFloatTypedArray() (r146174)
ASSERTION FAILED: isUInt32() in jsc-layout-tests.yaml/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js.layout-dfg-eager-no-cjit (r157047)
DFG doesn't support to_jsnumber (r149162 partial)	
Potentially unsafe register allocations in DFG code generation (r146100 partial)	
REGRESSION r153221: Crash when opening Facebook.com (r153410)

May 12, 2014
============
DFG assumes that NewFunction will never pass its input through (r152813 + r152818)
REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute (r141168)	
DFG TypeOf implementation should have its backend code aligned to what the CFA does (r142508)
NonStringCell and Object are practically the same thing for the purpose of speculation (r142530)
DFG CFA doesn't filter precisely enough for CompareStrictEq (r142679)
Renamed SpecObjectMask to SpecObject. (r142695)
DFG LogicalNot/Branch peephole removal and inversion ignores the possibility of things exiting (r142779)
ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types (r142780)
ForwardInt32ToDouble is not in DFG::MinifiedNode's list of relevant node types (r142800)
Change another use of (SpecCell & ~SpecString) to SpecObject. (r142804)
DFG AbstractState should filter operands to NewArray more precisely (r143024)
DFG Phantom node should be honest about the fact that it can exit (r144373)
DFG prediction propagation phase should not rerun forward propagation if double voting has already converged (r145491)
DFG CFA filters CheckFunction in a really weird way, and assumes that the function's structure won't change (r149016)

May 09, 2014
============
DFG folding of PutById to SimpleReplace should consider the specialized function case (r146653)
Fix some minor issues in the DFG's profiling of heap accesses (r146669)

May 08, 2014
============
Minimize collisions when hashing pairs (r128650)

May 07, 2014
============
Do the DecimalNumber to String conversion on 8 bits (r125357 partial)
Add ECMAScript Number to String conversion to WTF::String (r126781)
Replace JSC::UString by WTF::String (r127191)
Ambiguous operator[]  after r127191 on some compiler (r127212)
Build fix for WinCE after r127191. (r127248)
jsStringWithCache shouldn't call StringImpl::characters() for single character strings (r128244 + r128247)

May 06, 2014
============
Pass full target idl file path to CodeGenerator as a constructor argument. (r128010)

May 05, 2014
============
The generic bindings shouldn't use templates (r124492)
BindingSecurityBase serves no purpose and should be removed (r124515)
JSC should use BindingState to determine the activeDOMWindow (r124835)
BindingSecurity::shouldAllowAccessToFrame shouldn't use a raw boolean parameter (r124847)
Rewire the same-origin checks for the JavaScriptCore bindings through BindingSecurity (r125126)
Implement JSDOMWindow*::allowsAccessFrom* in terms of BindingSecurity (r126165)
REGRESSION(r125126): It made fast/events/keyevent-iframe-removed-crash.html assert (r128513)
Move m_element checks out of canShareStyle into locateSharedStyle (r133315 + r133324)
Support constructor-type static readonly attribute for CodeGenerator. (r123800)	
constructing TypedArray from another TypedArray is slow (r123819)
use createUninitialized when creating TypedArray from another array (r123935)
[Clamp] support in binding generator. (r123962)
TypedArray set method is slow when called with another typed array (r124483)
The generic bindings shouldn't use templates (r124492)
[JSC] Remove custom JSBindings for constructArrayBufferView() (r124755)
Microdata: itemType[index] must be undefined for out-of-range index. (r124859)
[V8] Remove custom toV8() calls for TypedArray. (r124872)
Remove All Custom binding code for TypedArray. (r125042)
SVGElementInstance should have EventTarget on the prototype chain (r125251)
Moving the common code from CodegeneratorJS/V8.pm to Codegenerator.pm (r125261)
[V8] Remove [TreatReturnedNullAs=False] (r125484)
Source/WebCore: Check argument count in the dispatch function for overloaded functions (r126562)

May 02, 2014
============
Disable some unsound DFG DCE (r144219)

May 01, 2014
============
Attempt to rationalize and simplify WTF::binarySearch (r137709)	
The JITThunks class should be in its own file, and doing so should not break the build (r139541 partial)
Track inheritance structures in a side table, instead of using a private name in each prototype (r140259 + r140278 + r140284)
Fix DateMath.cpp to compile with -Wshorten-64-to-32 (r140437)
Constant folding an access to an uncaptured variable that is captured later in the same basic block shouldn't lead to assertion failures (r140608)
DFG::JITCompiler::getSpeculation() methods are badly named and superfluous (r140719)
DFG variable event stream shouldn't use NodeIndex (r140904)
DFG should not forget that it had proved something to be a constant during a merge just because it's merging against the empty value (r139688)
DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1 (r139835)
Refactor isPowerOf2() and add getLSBSet() (r140186)
Weak GC maps should be easier to use (r140194 + r140199 + r140211)

Apr 30, 2014
============
DFG should backwards-propagate NodeUsedAsValue for Phantom (r139068)
Support op_typeof in the DFG (r139145)
Rename propertyOffsetFor => offsetForPropertyNumber (r139481)
Fixed some bogus PropertyOffset ASSERTs (r139482)
Removed an unused version of getDirectLocation (r139488)
Simplify slow case profiling (r138924)
Rationalize closure call heuristics and profiling (r139021)
Unreviewed, it should be possible to build JSC on ARM. (r139004)
Special thunks for math functions should work on ARMv7 (r149082)
NativeExecutable cache needs to use both call and construct functions for key (r152573 + r152577 + r152600)
DFG should inline closure calls (r138921 partial)	        
REGRESSION (r138921): Crash in JSC::Arguments::create (r139109)

Apr 29, 2014
============
Rationalize exit site profiling for calls (r138871)
DFG::ByteCodeCache serves little or no purpose ever since we decided to keep bytecode around permanently (r138763)
DFG inliner should not use the callee's bytecode variable for resolving references to the callee in inlined code (r138641)
DFG should not use the InlineCallFrame's callee when it could have used the executable istead (r138651)
DFG inlining machinery should be robust against the inline callee varying while the executable stays the same (r138669)
CallLinkStatus should be aware of closure calls, and the DFG bytecode parser should use that as its sole internal notion of how to optimize calls (r138737)
DFG initrinsic handling should ensure that we backwards propagate the fact that all operands may escape (r139098 complete)
Baseline JIT should have closure call caching (r138609 + r138610 + r138612)
JITThunks should be in its own file (r138465)
All JIT stubs should go through the getCTIStub API (r138516 + r138522)
JIT: Change uninitialized pointer value -1 to constant (r138308)
DFG Arrayify slow path should be out-of-line (r138399)
Constant fold !{number} in the parser (r137988)
DFG speculation checks that take JumpList should consolidate OSRExits (r138276 partial)
Rename Profiler to LegacyProfiler (r136572)
Profiler should say things about OSR exits (r137175 partial)
Rationalize array profiling for out-of-bounds and hole cases (r137937 partial)

Apr 28, 2014
============
Crash in InlineFlowBox::deleteLine. (r124888)
Crash in WebCore::Document::fullScreenChangeDelayTimerFired (r129270)
Fullscreen element should not share styles with it's siblings. (r139824)
RenderFullScreen needs to clear override sizes when exiting full screen (r145241)
Swap both the error and change event queue before processing fullscreen events (r146787)
REGRESSION: ASSERTION FAILED: obj->isRenderInline() || obj == this, Bad cast in WebCore::RenderBlock::createLineBoxes (r150531)

Apr 25, 2014
============
Calculating the size of the Heap should not require walking over it (r155317)
CopiedSpace::startedCopying should not call MarkedSpace::capacity (r155406)

Apr 24, 2014
============
Generalize JSGlobalThis as JSProxy (r129685)	
Proxy the global this in JSC (r129711)
Proxy the global this in JSC (r129719)
Delayed structure sweep can leak structures without bound (r130303 partial)
Proxies should set InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero (138107)
tryCacheGetByID sets StructureStubInfo accessType to an incorrect value (r147816)
Fixed ASSERTION FAILED: callFrame == vm->topCallFrame in JSC::Interpreter::addStackTraceIfNecessary (r152871 partial)
Baseline JIT gives erroneous error message that an object is not a constructor though it expects a function (r154204)
DFG is too aggressive eliding overflow checks for additions involving large constants (r137980)
Data flow paths that carry non-numbers, non-undefined, non-null values
  should not cause subtractions and arithmetic additions (i.e. ++) to speculate double (r138915)  
Phantom(GetLocal) should be treated as relevant to OSR (139528)
If you use Phantom to force something to be live across an OSR exit, you should put it after the OSR exit (r139540)
DFG phases that store per-node information should store it in Node itself rather than using a secondary vector (r139586)
DFG Node::ref() and Node::deref() should not return bool, and should have postfixRef variants (r140030)
Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html (140221)
Inserting a node into the DFG graph should not require five lines of code (r140275)
Convert CSE phase to not rely too much on NodeIndex (r140504)
REGRESSION(140504): pure CSE no longer matches things, 10% regression on Kraken (r141301)
Strange bug in DFG OSR in JSC (r142544)
Replace RELEASE_ASSERT with ASSERT in CodeBlock:: bytecodeOffsetForCallAtIndex (r152314)
JIT::updateTopCallFrame doesn't update the CallFrame's bytecodeOffset if bytecodeOffset == 0 (r153097)

Apr 23, 2014
============
Exception stack unwinding doesn't handle inline callframes correctly (r147670)
Make stack tracing more robust (r149205)
JSC Stack walking logic craches in the face of inlined functions triggering VM re-entry (r149404 complete)
Optimise more cases of op_typeof (r136297)
DFG CSE should not keep alive things that aren't relevant to OSR (r136360)
Incorrect inequality for checking whether a statement is within bounds of a handler (r136927)
DFG ArrayPush/Pop should not pass their second child as the index for blessArrayOperation() (r137110)	
Implement add64 for ARM traditional assembler after r136601 (r137426)
DFG SetLocal should use forwardSpeculationCheck instead of its own half-baked version of same (r135923)
REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms (r143314 complete)
DFG should be able to cache closure calls (part 1/2) (r135330 + r135555 + r135610 + r146396 + r146429)
DFG should be able to cache closure calls (part 2/2) (r135336)
DFG should be able to cache closure calls (r135341)
Don't blind all the things. (r135757 + r135759)
JavaScript fails to handle String.replace() with large replacement string (r135794)
Substitute "allSeparators8Bit" for "allSeperators8Bit" in JSC::jsSpliceSubstringsWithSeparators() (r135800)
put_to_base should emit a Phantom for "value" across the ForceOSRExit (r141962)
	Otherwise, the OSR exit compiler could clobber it, which would lead to badness.	
JSC Stack walking logic craches in the face of inlined functions triggering VM re-entry (r149404 partial)
Structure should be able to easily tell if the prototype chain might intercept a store (r134813)
Remove methodCallDummy since it is not used anymore. (r134856)
DFG should copy propagate trivially no-op ConvertThis (r134896)
Given a PutById or GetById with a proven structure, the DFG should be able to emit a PutByOffset or GetByOffset instead (r135041)
DFG constant folding phase should say 'changed = true' whenever it changes the graph (r135079 complete)
JSC should have more logging in structure-related code (r135097 + r135099 + r135103)
Remove support for ARMv7 errata from the jump code (r135247)

Apr 22, 2014
============
JSEventListener should not access m_jsFunction when its wrapper is gone. (r134495)	
Make an assertion in JSEventListener::jsFunction() more useful. (r134508)
Replace (typeof(x) != <"object", "undefined", ...>) with !(typeof(x) == <"object",..>).
  Later is_object, is_<...>  bytecode operation will be used. (r134634)
Fixed regressions due to adding JSEventListener::m_wrapper null checks. (r134666)
Don't access Node& after adding nodes to the graph. (r134682)
Change JSEventListener::m_jsFunction to be a weak ref. (r134697)	
Make JSEventListener more robust in the event of the compiled handler being released. (r141348)
The act of getting the callee during 'this' construction should be explicit in bytecode (r134361)
op_get_callee should have value profiling (r134381)
JSFunction and its descendants should be destructible (r134460)
DFG CreateThis should be able to statically account for the structure of the object it creates,
  if profiling indicates that this structure is always the same (r134555)
DFG should not emit function checks if we've already proved that the operand is that exact function (r134313)
Patching of jumps to stubs should use jump replacement rather than branch destination overwrite (r134332 + r134358 + r134383 + r134608)
Uninitialized fields in class JSLock (r134430)

Apr 21, 2014
============
It should be possible to JIT compile get_by_vals and put_by_vals even if the DFG is disabled. (r133985)
DFG should know that int == null is always false (r133990)
DFG constant folding and CFG simplification should be smart enough to know that if a logical op's operand is
  proven to have a non-masquerading structure then it always evaluates to true (r134164)
DFG should optimize out the NaN check on loads from double arrays if the array prototype chain is having a great time (r134168)
JSC should scale the optimization threshold for a code block according to the cost of compiling it (r137094 partial)
SunSpider/date-format-tofte shouldn't compile each of the tiny worthless eval's only to OSR exit in the prologue every time (r138074)
Removed getDirectLocation and offsetForLocation and all their uses (r139491)

Apr 17, 2014
============
ArrayPrototype should start out with a blank indexing type (r134081)
Fix assertion failure in JSObject::tryGetIndexQuickly() (r134193)
Read-only properties created with putDirect() should tell the structure that there are read-only properties (r134695)
If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized (r139094)
Get rid of DFG::DoubleOperand and simplify ValueToInt32 (r143241 partial)
REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms (r143314 partial)
Incorrect type speculation reported by ToPrimitive (r153674)
DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit
  should not try to coerce integer constants to double constants (r153778 partial)	
Fixed crash in V8 benchmark suite in ARM,softp,EABI environment. (r155675 + r155705)	
Aligned argument signatures of setupArgumentsWithExecState are missing on MIPS. (r155884)	
(un)shiftCountWithAnyIndexingType will start over in the middle of copying if it sees a hole (r156214)
DFG CheckArray(NonArray) should prove that the child isn't an array (r158773 partial)	
[JSC] HTML extensions to String.prototype should escape " as &quot; in argument values (r133966)
DFG should trigger rage conversion from double to contiguous if it sees a GetByVal on Double being used in an integer context (r136372)
JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn..., and should never be called when the 'this' is not an object (r138201 complete)
DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize (r139949)
Structure::flattenDictionaryStructure should compute max offset in a manner that soundly handles the case where the property list becomes empty (r143269)
Flattening a dictionary can cause CopiedSpace corruption (r154366 complete)

Apr 16, 2014
============
JSC should infer when indexed storage contains only integers or doubles (133953 + r134051 + r134071)
If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this (r134151)
JSObject::copyButterfly doesn't handle undecided indexing types correctly (r135756)
DFGArrayMode::fromObserved is too liberal when it sees different Array and NonArray shapes (r149834)
Rationalize and clean up DFG handling of scoped accesses (r136276)
DFG should inline code blocks that use scoped variable access (r136546)
Don't OSR exit just because a string is a rope (r137247)
glsl-function-atan.html WebGL conformance test fails after (r132991)
Prototype chain caching should check that the path from the base object to the slot base involves prototype hops only (r133546)
DFG should not fall down to patchable GetById just because a prototype had things added to it (r133567)

Apr 15, 2014
============
Removed
MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects (r133358)

Apr 10, 2014
============
MarkedBlocks should use something other than the mark bits to indicate liveness for newly allocated objects (r133358)
WeakBlocks should be HeapBlocks (r133812)
MarkStackArray should use the BlockAllocator instead of the MarkStackSegmentAllocator (r134080)
Copying phase should use work lists (r136077)
Butterfly::growArrayRight shouldn't be called on null Butterfly objects (r137961)
Restrictions on oversize CopiedBlock allocations should be relaxed (r138067)
r134080 causes heap problem on linux systems where PAGESIZE != 4096 (r140195)	
Add more assertions to the property storage use in arrays (r141029 partial)
fourthTier: It should be possible to record heap operations (both FastMalloc and JSC GC) (r153189 partial)
hasIndexingHeader should be a property of the Structure, not just the IndexingType (r153657)
hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure (r153691)
Flattening a dictionary can cause CopiedSpace corruption (r154366 partial)

Apr 10, 2014
============
instanceof should not get the prototype for non-default HasInstance (r129281)
Remove redundant argument to op_instanceof (r129287)	
broke early boyer in bug#97382 (r129292)

Apr 09, 2014
============
Baseline array profiling should be less accurate, and DFG OSR exit should update array profiles on CheckArray and CheckStructure failure (r131868)
Unreviewed fix after r131868. (r131874)
DFG should have some facility for recognizing redundant CheckArrays and Arrayifies (r131982)
DFG::Array::Undecided should be called DFG::Array::SelectUsingPredictions (r132162)
DFG NewArrayBuffer node should keep its data in a structure on the side to free up one of the opInfos (r132499)
DFG Arrayify elimination should replace it with GetButterfly rather than Phantom (r132554)
DFG::Array::Mode needs to be cleaned up (r132745)
OSR exit compilation should defend against argument recoveries from code blocks that are no longer on the inline stack (r132749)
DFG should be able to emit effectful structure checks (r132759)
DFG optimized string access code should be enabled (r133135)
DFG::Node::converToStructureTransitionWatchpoint should take kindly to ArrayifyToStructure (r133363)
DFG constant folding phase should say 'changed = true' whenever it changes the graph (r135079)
Strange results calculating a square root in a loop (r136989)
javascript integer overflow (r137951)	
DFG is too aggressive with eliding overflow checks in loops (r137963)
DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode incorrectly checks for non-array array storage when
  it should be checking for array array storage (r138086)
DFG shouldn't emit CheckStructure on array accesses if exit profiling tells it not to (r138300)
DFG should not elide CheckStructure if it's needed to perform a cell check (r138862)
DFG should trust array profiling over value profiling (r138890)
Python implementation reports "MemoryError" instead of doing things (r139687)
ArrayMode should not consider SpecOther when refining the base (r146887)
DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray (r151284)
DFG new Array() inlining could get confused about global objects (r154304)

Apr 08, 2014
============
Bytecode should not have responsibility for determining how to perform non-local resolves (r131822)
REGRESSION (r131793-r131826): Crash going to wikifonia.org (r132546)
Forward OSR calculation is wrong in the presence of multiple SetLocals, or a mix of SetLocals and Phantoms (r132701)
Remove GlobalObject constant register that is typically unused (r133255)
ASSERT problem on MIPS (r133950)	
DFG inlines Resolves that it doesn't know how to handle correctly (r143553)
Need ExpressionRangeInfo before ResolveForPuts in strict mode.(r153074)
Use load64 instead of loadPtr to load a JSValue on JSVALUE64 platforms (r135738)	

Apr 02, 2014
============
[Refactoring] Introduce a traversal strategy in SelectorChecker (r130459)
Minimize the recent template explosion in SelectorChecker. (r131002)
Make ContentSelectorQuery work when siblings are passed explicitly. (r131068)
Optimzie SelectorCheckingContext memory layout (r131156)
Get rid of StyleResolver state related to unknown pseudo-elements. (r132754)
[Shadow] Using isUnknownPseudoElement() for shadow pseudo id seems confusing (r133577)
HTMLContentElement should preserve parsed CSSSelectorList (r133992)
Move childrenAffectedBy bits from RenderStyle to Element (136001)
Split fast-rejection filter logic off SelectorChecker. (138432)
The word "selector" is somewhat redundant redundantly used in SelectorChecker. (r139406)
CSS: Make tag sub-selectors standalone CSSSelectors. (r140371)
Shadow DOM removal: Make SelectorChecker non-generic (r149498)

Apr 01, 2014
============
2% of all samples running grid demo show up in StyleResolver::canShareStyleWithElement, 20% of those due to getAttribute instead of fastGetAttribute (r123730)
StyleResolver::canShareStyleWithElement does not need to use getAttribute for classAttr in the non-SVG case (r124260)
CSS: Shrink RuleData by storing selector as index rather than pointer. (r125294)
Remove unnecessary null checks from pseudoStyleForElement and adjustRenderStyle (r125384)
Changing class attribute is not reflected in the classList property (r126349)
Distributed nodes should not share styles. (r126442)
Share immutable ElementAttributeData between elements with identical attributes. (r127438)
Element::classAttributeChanged should use characters8/16 to find first non-whitespace (r128363)
REGRESSION(r127438): Google Docs to renders text too small. (r128697)
[Shadow] ShadowRoot should know whether <shadow> in its treescope (r130177)
[Refactoring] Some classes in StyleResolver.cpp/h could have its own file. (r130465)
[Refactoring] Scoped Style related code should have its own class (r130732)
[Shadow DOM] should be able to be available without <style scoped> (r130987)
Avoid unnecessary style recalcs on id attribute mutation. (r132516)
[Shadow DOM] Needs @host rule for ShadowDOM styling (r132618)
Avoid unnecessary style recalcs on class attribute mutation (r132941)
Remove stray calls to mutableAttributeData() (r133021)
REGRESSION (r132941): attribute modification 10% performance regression (r133214)
Implement ::cue() pseudo element property whitelist (r140173)
Make RuleData support up to 8191 selectors (r145034)
REGRESSION(r125294): A style rule with more than 8192 selectors can cause style corruption. (r152453)
REGRESSION (r132516): Javascript menu text incorrectly disappearing and reappearing (r155607)
REGRESSION (r155607): Javascript site does not load visually on panerabread.com (r157296)
REGRESSION(r133214): Don't invalidate style when adding classes that don't match rules (r162843)

Apr 01, 2014
============

Optimize ChildNode{Insertion,Removal}Notifier::notify() by lazily taking a snapshot of child nodes (merged r124990 + r125006).
in a column flexbox, input overflows the box when stretched (merged r131481).

Mar 31, 2014
============
Simplify subtree relayout scheduling a bit. (merged r155046)
ASSERTION FAILED: node->parentNode(), Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo (r151117)
Heap-use-after-free in WebCore::RenderBox::exclusionShapeOutsideInfo (r150084)
RenderStyle should use copy-on-write inheritance for NinePieceImage. (merged r142404)

Rolled out svn13880 [Make precise size classes more precise (merged r141192)],
  > low JS memory when loading UX.
  
Refactor WrapShape to Shape/BasicShape (r127132 + r127155)
[CSS Exclusions] Rename RenderStyle::wrapShapeInside/Outside to shapeInside/Outside (r129787)
Remove needless virtual calls and inline RenderStyle::logical* to make table layout faster (r130560)	
4.68MB below RenderStyle::filter() on Membuster3. (r133926)
RenderTable::paintBoxDecorations sometimes draws box-shadow twice. (r143690)
Basic child obscuration test for backgrounds (r145680)
Compute image background size when testing for background visibility (r145786)
Mark GraphicsLayers as opaque when possible (r146531)
RenderBox::backgroundIsKnownToBeOpaqueInRect may be wrong for theme-painted elements (r147127)	
Layers with opacity and blur filters are reported as opaque to the compositor (r148117)
Garbage down left side of nytimes.com page (if subscriber) (r149914)
REGRESSION (r143626): Element shows as garbage in image gallery (r149915)
REGRESSION (r145680): No box shadow rendered on element with positioned child that obscures it (r149918)	
Graphics buffer issue with clip-path and fixed positioned element (r164232)

============
Make RenderBox::computePositionedLogicalHeight const (r126802)
Dont use a node reference after appending to the graph (merged r139264).
Get rid of method_check (merged r133564)
DFG OSR exit doesn't know which virtual register to use for the last result register for post_inc and post_dec (merged r144137)
There should not be blind spots in array length array profiling (merged r132757)
GetByVal on Arguments does the wrong size load when checking the Arguments object length (merged r153500)
32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean (merged r149128)
Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article (merged r145150)
Make precise size classes more precise (merged r141192)
Baseline JIT should use structure watchpoints whenever possible (merged r133430).
DFG shouldn't treat the 'this' argument as being captured if a code block uses arguments (merged r139136)
JIT::privateCompileGetByVal should use the uint8ClampedArrayDescriptor for compiling accesses to Uint8ClampedArrays (merged r133359).
Split EventTargetData out of NodeRareData to reduce memory use. (merged r130000)

Shrink ElementRareData by moving bool flags to NodeRareData. (merged r130278)
Shrink the size of NodeRareData by moving pointers into separate objects (merged r137003)
Remove NodeListsNodeData when it's no longer needed (merged r140070)
RenderBlock minor clean-up: replace raw pointers with OwnPtrs. (merged r136288)
Improve performance of RenderBoxModelObject::paintTranslucentBorderSides() (merged r135167).
Crash in FrameLoader::stopLoading. (merged r135303).
Fix: CachedResourceLoader::requestSVGDocument was passing an URL as charset (merged r131782),
RenderLayer subtrees without any self-painting layer shouldn't be walked during hit testing (merged r131665)

Move default DOM Timer values into Settings (merged r132538)
DOMImplementation should use ScriptWrappable (merged r133657).
Build fix after r134191. Turns out that FrameView::performPostLayoutTasks calls FrameSelection::updateAppearance (merged r134197)
Make caret repainting container-aware (merged r139282)
Disabled input/textarea doesn't trigger selection change (merged r140936)
REGRESSION (r139282): Caret repainting is broken for text-align: center'd <input> (merged r141243)
Stale FrameSelection in removed iframe causes crash (merged r144400)
Uninflate caret rect. (merged r149223)
Avoid caret repaints if we're not showing carets anyway. (merged r150396)
Robustify repaint of previous caret node when moving FrameSelection. (merged r150482)
Fix document leak when selection is created inside the document (merged r153366)

REGRESSION(r139282): Old caret sometimes gets "stuck" (not repainted) in contenteditable elements. (merged r153815)
Crash in WebCore::RenderLayer::normalFlowList (merged r133840 + r133939 + r134191)
Clean up confused use of Document::renderer and renderView (merged r133813).
Revert rounding change in RenderTable::paintObject (merged r131358)
Track block's positioned objects like percent-height descendants (merged r125351 + r125353).

Remove HTMLMediaElement.startTime (merged r158112)
  > It was replaced with initialTime in August 2010.
Remove HTMLMediaElement.initialTime (merged r158527)
  > It was dropped from spec in April 2012.

Keyboard caret movement in textarea with RTL Override Character can make tab unresponsive (merged r137213).
Copying collection shouldn't require O(live bytes) memory overhead (merged r131213 + r131215 + r131244 + r131791)
JSC should dump object size inference statistics (merged r129586)
JSC should have a zombie mode (merged r127829)

Contiguous array allocation should always be inlined (merged r131249 + r131251).
DFG should inline code blocks that use new_array_buffer (merged 131087)
[arm] Fix lots of crashes because of 4th argument register trampling (merged r158208)
Add LLINT and baseline JIT support for timing out scripts (merged r148639),
  > Introduces the new Watchdog class which is used to track script
  > execution time, and initiate script termination if needed.
Removed bitrotted TimeoutChecker code (merged r148119),
  > This mechanism hasn't worked for a while.

Cache flush problem on ARMv7 JSC (merged r145194)
Structure check hoisting phase doesn't know about the side-effecting nature of Arrayify (merged r129553)
  > regression r128957 (break UX animation).
Deleting the classic interpreter and cleaning up some build options (merged r129453).
Array profiling has convergence issues (merged r128790).
Fixed DFG JIT build with ARMv7 assembler,
  > Fix problems with processing negative zero on DFG (partially merged r149152).
Unreviewed, fix ARM build (merged r129274).
Rolled out svn13719 (crash when starting browser with DFG JIT)
  > Array profiling has convergence issues (merged r128790).
Array profiling has convergence issues (merged r128790).

Make global const initialisation explicit in the bytecode (merged r128534).
Fix interpreter build (merged r128611).

Feb 27, 2014
============
JSC should have property butterflies (merged r128400),
  > CodeGeneratorJS.pm is causing random crash when merged putByIndex and getOwnPropertySlotByIndex.
r128425 Testing whether indexing type is ArrayWithArrayStorage should not compare against ArrayWithArrayStorage
r128541 DFG: Dead GetButterfly's shouldn't be subject to CSE
r128428 [Qt][Win] REGRESSION(r128400): It broke the build
r128667 bbc homepage crashes immediately
r128680 All of the things in SparseArrayValueMap should be out-of-line
r128706 JSObject.cpp and JSArray.cpp have inconsistent tests for the invalid array index case
r128802 If a prototype has indexed setters and its instances have indexed storage, then all put_by_val's should have a bad time
r128816 We don't have a bad enough time if an object's prototype chain crosses global objects
r128928 REGRESSION(r128802): It made some JS tests crash
r129065 REGRESSION(r128802): It made some JS tests crash
r129272 REGRESSION (r128400): Opening Google Web Fonts page hangs or crashes
r129317 Sorting a non-array creates propreties (spec-violation)
r129432 JSArray::putByIndex asserts with readonly property on prototype
r129457 SerializedScriptValue isn't aware of indexed storage, but should be
r129458 Bug in numeric accessors on global environment
r129461 Regression, freeze applied to numeric properties of non-array objects
r129548 Regression: put beyond vector length prefers prototype setters to sparse properties
r129574 JSC bindings appear to sometimes ignore the possibility of arrays being in sparse mode
r129588 DFG ArrayPush, ArrayPop don't handle clobbering or having a bad time correctly
r130228 REGRESSION(r128400): ASSERT (crash in release) @ app.asana.com
r154346 REGRESSION (r128400): BBC4 website not displaying pictures

Feb 27, 2014
============
JSC should have property butterflies (partially merged r128400),
  > CodeGeneratorJS.pm is causing random crash when merged putByIndex and getOwnPropertySlotByIndex.

Render unto #ifdef's that which belong to them (merged r127199)
Removed a JSC-specific hack from the web inspector (merged r126720).
ThreadRestrictionVerifier should be opt-in, not opt-out (merged r126379)
Refactored the interpreter and JIT so they don't dictate closure layout (merged r129156).
Fixed CallFrameClosure::resetCallFrame() to use the valid range of argument index values. (merged r129827)
We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array (merged r129577).
Nested try/finally should not confuse the finally unpopper in BytecodeGenerator::emitComplexJumpScopes (merged r129440).
ValueToInt32 bool case does bad things to registers (merged r129435).
PutScopedVar should not be marked as clobbering the world (merged r129325)
Don't allocate a backing store just for a function's name (merged r128265)
Refactored the arguments object so it doesn't dictate closure layout (merged r128832).
BlockAllocator should use regions as its VM allocation abstraction (merged r131132).

JSActivation should inline allocate its registers, and eliminate 'arguments' registers in the common case (merged r128260)

Combine MarkStack and SlotVisitor into single class (merged r128084)
Separate MarkStackThreadSharedData from MarkStack (merged r126354)

Added large allocation support to MarkedSpace (merged r128141)
Rename forEachCell to forEachLiveCell (merged r128498)
Remove the Zapped BlockState (merged r128563)
Delayed structure sweep can leak structures without bound (merged r130303)

====r128141====
I expanded the imprecise size classes to cover up to 32KB, then added
an mmap-based allocator for everything bigger. There's a lot of tuning
we could do in these size classes, but currently they're almost
completely unused, so I haven't done any tuning.

Subtle point: the large allocator is a degenerate case of our free list
logic. Its list only ever contains zero or one items.

====r128498====
forEachCell actually only iterates over live cells. We should rename it to 
reflect what it actually does. This is also helpful because we want to add a new 
forEachCell that actually does iterate each and every cell in a MarkedBlock 
regardless of whether or not it is live.

====r128563====
The Zapped block state is rather confusing. It indicates that a block is in one of two different states that we
can't tell the difference between:

1) I have run all destructors of things that are zapped, and I have not allocated any more objects. This block
   is ready for reclaiming if you so choose.
2) I have run all the destructors of things that are zapped, but I have allocated more stuff since then, so it
   is not safe to reclaim this block.

This state adds a lot of complexity to our state transition model for MarkedBlocks. We should get rid of it.
We can replace this state by making sure mark bits represent all of the liveness information we need when running
our conservative stack scan. Instead of zapping the free list when canonicalizing cell liveness data prior to
a conservative scan, we can instead mark all objects in the block except for those in the free list. This should
incur no performance penalty since we're doing it on a very small O(1) number of blocks at the beginning of the collection.

For the time being we still need to use zapping to determine whether we have run an object's destructor or not.

Delayed structure sweep can leak structures without bound (r130303)

Going to google.com/trends causes a crash (merged r151709).

If CallFrame::trueCallFrame() knows that it's about to read garbage instead of a valid CodeOrigin/InlineCallFrame,
  then it should give up and return 0 and all callers should be robust against this (merged r147798)
JSC Stack walking logic craches in the face of inlined functions triggering VM re-entry (merged r149404).
DFG register allocation should be greedy rather than round-robin (merged r134182).

Remove m_classInfo from JSCell (merged r128146)
Structure check hoisting fails to consider the possibility of conflicting checks on the source of the first assignment to the hoisted variable (merged r128699).
Refactored op_tear_off* to support activations that don't allocate space for 'arguments' (merged r128096)
Object.prototype.__define{G,S}etter__ with non-callable second parameter should throw TypeError instead of SyntaxError (merged r127930).

Named functions should not allocate scope objects for their names (merged r127810).
Remove use of JSCell::classInfoOffset() from tryCacheGetByID (merged r127648)
Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator (merged r127625)
DFG GetByVal for JSArrays shouldn't OSR exit every time that the index is out of bound (merged r127536).
Remove uses of ClassInfo from SpeculativeJIT::compileObjectOrOtherLogicalNot (merged r127479).
Refactored scope chain opcodes to support optimization for named function expressions (merged r127393 + r127394 + r127408)
JSArray::putDirectIndex should by default behave like JSObject::putDirect (merged r127349).
Remove use of ClassInfo in SpeculativeJIT::emitBranch (merged r127343).
Shrink activation objects by half (merged r127293+).
Use one object instead of two for closures, eliminating ScopeChainNode (merged r127202).
Remove uses of ClassInfo in StrictEq and CompareEq in the DFG (merged r127189)
Fix broken classic intrpreter build. (merged r127179)
Build warning : -Wsign-compare on DFGByteCodeParser.cpp (merged r127167)
Remove use of ClassInfo from compileGetByValOnArguments and compileGetArgumentsLength (merged r127090).

PutById uses DataLabel32, not DataLabelCompact (merged r127066)
ExecutableAllocator should be destructed after Heap (merged r127034)

Introduced JSWithScope, making all scope objects subclasses of JSScope (merged r127010)
Added JSScope::objectInScope(), and refactored callers to use it (merged r126962 + r126990)
Refactored and consolidated variable resolution functions (merged r126893 + rr126897 + r126906).
Remove use of ClassInfo from SpeculativeJIT::compileGetByValOnArguments (merged r126815).
Remove uses of TypedArray ClassInfo from SpeculativeJIT::checkArgumentTypes (merged r126804).
fix for builds without VALUE_PROFILING. I had forgotten that shouldEmitProfiling() (merged r126723).
  is designed to return true if DFG_JIT is disabled. I should be using canBeOptimized() instead.
Don't allocate space for arguments and call frame if arguments aren't captured (merged r126722).
Finally inlining should correctly track the catch context (merged r126718).
Array type checks and storage accesses should be uniformly represented and available to CSE (merged r126715).

op_call should have ArrayProfiling for the benefit of array intrinsics (merged r126692)
Change behavior of MasqueradesAsUndefined to better accommodate DFG changes (merged r126494 + r150569)
Serialization of JavaScript values does not appear to respect new HTML5 Structured Clone semantics (merged r126464).
JSC GC object copying APIs should allow for greater flexibility (merged r123690).
Structure check hoisting should abstain if the OSR entry's must-handle value for the respective variable has a different structure (merged r126826).
Array accesses should remember what kind of array they are predicted to access (merged r126387).
The relationship between abstract values and structure transition watchpoints should be rationalized (merged r125999)
DFG is still too pessimistic about what constitutes a side-effect on array accesses (merged r125959).
Structure check hoisting should be less expensive (merged r125823).
Array checks should use the structure, not the class info (merged r125637 + r127778)
DFG::StructureCheckHoistingPhase keeps a Node& around for too long (merged r124655).
50% time on Dromaeo Selector * benchmark spent allocating oversized backing stores (but not in Chrome) (merged r163057),
Remove all uses of ClassInfo for JSStrings in JIT code (merged r124476).
DFG should hoist structure checks (merged r124404 + r124420 + r124555 + r128544)
DFG should distinguish between PutByVal's that clobber the world and ones that don't (merged r124398)
C++ code should get ClassInfo from the Structure (merged r124355).
Structures should be swept after all other objects (merged r124265 + 124352)
Removed some public data and casting from the Heap (merged r124250 & relevant changes).
Removed some public data and casting from the Heap (merged r124250 & relevant changes).
Remove 2 bad branches from StringHash::equal() and CaseFoldingHash::equal() (merged r146702).

SVGElement destructor can use invalid iterator (merged r149306).

Allocate Structures in a separate part of the Heap (merged r123813)
Split functionality of MarkedAllocator::m_currentBlock (merged r123931)

Always null check cells before marking (merged r126624);
Removed the NULL checks from visitChildren functions (merged r126721);

[arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build. (merged r160911);
[arm] Use specific PatchableJump implementation for CPU(ARM_TRADITIONAL). (merged r158915);
OSR exit compiler should emit code for resetting the execution counter that matches the logic of ExecutionCounter.cpp (merged r137505).
A patchable GetById right after a watchpoint should have the appropriate nop padding (merged r126214).
MIPS DFG implementation (merged r143247);
CALLFRAME_OFFSET and EXCEPTION_OFFSET are same in ctiTrampoline on ARM Thumb2 (Neither of these values need to be stored. At all) (merged r127944);

There are a few of wrong removeAllChildren() call (merged r140659)
Renderer is recreated unexpectedly after detach in HTMLInputElement (merged r141228)

Refactored the DFG to make fewer assumptions about variable capture (merged r128544).
IncrementalSweeper should not sweep/free Zapped blocks (merged r128262)
DFG misses arguments tear-off for function.arguments if 'arguments' is used (merged r128111)
Refactored callee access in the DFG to support it in the general case (merged r127643)
DFG JIT doesn't work properly on ARM hardfp (merged r127561).
The redundant phi elimination phase is not used and should be removed (merged r126689).
fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html crashes on 32-bit (merged r126081 & r126082).
The current state of the call frame should be taken into account in the DFG for both predictions and proofs (merged r125982)
DFG CSE should be more honest about when it changed the IR (merged r125964).
DFG OSR exit profiling has unusual oversights (merged r124230)
ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes (merged r124555)
Crashes in dfgBuildPutByIdList when clicking on just about anything on Google Maps (merged r124678).
DFG handling of get_by_id should always inject a ForceOSRExit node if there is no prediction (merged r124667).
JSC ARM traditional failing on Octane NavierStokes test (merged r149601),
  > SunSpider 1.0.2 is working with DFG JIT, but on cnn.com, still missing bottom part.
Build fix for 32-bit after r123682 (merged r123708)
Remove JSObject::m_inheritorID (merged r123682).

Stop starting animations when leaving a page (merged r143640)

Supporting text track (not working)
  > merged r126372 (Display a TextTrackCue when snap-to-lines flag is set);

Abandoned Memory: SVGFontElement and Corresponding SVGDocument Never Deconstructed (merged r140698).
Update DOMException name to match the spec and Firefox (merged r134435 and more).

Fixed document leak related to web worker (statusbar)
  Merged r140483 Prevent race condition during Worker shutdown;
  Changed MessageQueue appendAndKill to process all remaining tasks, then kill itself (signal run loop exit);

Cache continuation() in a local to avoid repeat hash lookups (merged r156334).
