Merge branch 'stable' into release

Change-Id: Ifdbfff78833ca658ad6d10dd829289fc0a430e6d

9 files changed, 127 insertions, 55 deletions

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index e9ddd3906..4e661d971 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,23 @@
+2012-12-17  Jonathan Liu  <net147@gmail.com>
+
+        Fix Math.pow implementation with MinGW-w64
+        https://bugs.webkit.org/show_bug.cgi?id=105087
+
+        Reviewed by Simon Hausmann.
+
+        The MinGW-w64 runtime has different behaviour for pow()
+        compared to other C runtimes. This results in the following
+        test262 tests failing with the latest MinGW-w64 runtime:
+        - S15.8.2.13_A14
+        - S15.8.2.13_A16
+        - S15.8.2.13_A20
+        - S15.8.2.13_A22
+
+        Handle the special cases that are different with MinGW-w64.
+
+        * runtime/MathObject.cpp:
+        (JSC::mathPow):
+
 2012-12-07  Jonathan Liu  <net147@gmail.com>
 
         Add missing forward declaration for JSC::ArrayAllocationProfile
diff --git a/Source/JavaScriptCore/runtime/JSDestructibleObject.h b/Source/JavaScriptCore/runtime/JSDestructibleObject.h
index b8479be62..efbe2b4f6 100644
--- a/Source/JavaScriptCore/runtime/JSDestructibleObject.h
+++ b/Source/JavaScriptCore/runtime/JSDestructibleObject.h
@@ -3,41 +3,4 @@
 
 #include "JSObject.h"
 
-namespace JSC {
-
-struct ClassInfo;
-
-class JSDestructibleObject : public JSNonFinalObject {
-public:
-    typedef JSNonFinalObject Base;
-
-    static const bool needsDestruction = true;
-
-    const ClassInfo* classInfo() const { return m_classInfo; }
-
-protected:
-    JSDestructibleObject(JSGlobalData& globalData, Structure* structure, Butterfly* butterfly = 0)
-        : JSNonFinalObject(globalData, structure, butterfly)
-        , m_classInfo(structure->classInfo())
-    {
-        ASSERT(m_classInfo);
-    }
-
-private:
-    const ClassInfo* m_classInfo;
-};
-
-inline const ClassInfo* JSCell::classInfo() const
-{
-    if (MarkedBlock::blockFor(this)->destructorType() == MarkedBlock::Normal)
-        return static_cast<const JSDestructibleObject*>(this)->classInfo();
-#if ENABLE(GC_VALIDATION)
-    return m_structure.unvalidatedGet()->classInfo();
-#else
-    return m_structure->classInfo();
-#endif
-}
-
-} // namespace JSC
-
 #endif
diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h
index 4f7f4700b..957ba8227 100644
--- a/Source/JavaScriptCore/runtime/JSObject.h
+++ b/Source/JavaScriptCore/runtime/JSObject.h
@@ -1560,6 +1560,37 @@ inline int offsetRelativeToBase(PropertyOffset offset)
 
 COMPILE_ASSERT(!(sizeof(JSObject) % sizeof(WriteBarrierBase<Unknown>)), JSObject_inline_storage_has_correct_alignment);
 
+class JSDestructibleObject : public JSNonFinalObject {
+public:
+    typedef JSNonFinalObject Base;
+
+    static const bool needsDestruction = true;
+
+    const ClassInfo* classInfo() const { return m_classInfo; }
+
+protected:
+    JSDestructibleObject(JSGlobalData& globalData, Structure* structure, Butterfly* butterfly = 0)
+        : JSNonFinalObject(globalData, structure, butterfly)
+        , m_classInfo(structure->classInfo())
+    {
+        ASSERT(m_classInfo);
+    }
+
+private:
+    const ClassInfo* m_classInfo;
+};
+
+inline const ClassInfo* JSCell::classInfo() const
+{
+    if (MarkedBlock::blockFor(this)->destructorType() == MarkedBlock::Normal)
+        return static_cast<const JSDestructibleObject*>(this)->classInfo();
+#if ENABLE(GC_VALIDATION)
+    return m_structure.unvalidatedGet()->classInfo();
+#else
+    return m_structure->classInfo();
+#endif
+}
+
 } // namespace JSC
 
 #endif // JSObject_h
diff --git a/Source/JavaScriptCore/runtime/MathObject.cpp b/Source/JavaScriptCore/runtime/MathObject.cpp
index 7634487ad..f939b8dd4 100644
--- a/Source/JavaScriptCore/runtime/MathObject.cpp
+++ b/Source/JavaScriptCore/runtime/MathObject.cpp
@@ -232,6 +232,22 @@ static ALWAYS_INLINE double mathPow(double x, double y)
 
 ALWAYS_INLINE double mathPow(double x, double y)
 {
+#if COMPILER(MINGW64)
+    // MinGW-w64 has a custom implementation for pow.
+    // This handles certain special cases that are different.
+    if ((x == 0.0 || isinf(x)) && isfinite(y)) {
+        double f;
+        if (modf(y, &f) != 0.0)
+            return ((x == 0.0) ^ (y > 0.0)) ? std::numeric_limits<double>::infinity() : 0.0;
+    }
+
+    if (x == 2.0) {
+        int yInt = static_cast<int>(y);
+        if (y == yInt)
+            return ldexp(1.0, yInt);
+    }
+#endif
+
     return pow(x, y);
 }
 
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index db002064a..7b3d70b5a 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,49 @@
+2012-12-19  Simon Hausmann  <simon.hausmann@digia.com>, Jedrzej Nowacki <jedrzej.nowacki@digia.com>
+
+        [Qt] JS bridge does not transmit QVariants anymore in Qt5
+        https://bugs.webkit.org/show_bug.cgi?id=104540
+
+        Reviewed by Kenneth Rohde Christiansen.
+
+        A data corruption exists in the QObject bridge when calling slots that
+        take a QVariant.
+
+        The calling convention for slots is that the void* parameter array must
+        contain pointers to the actually required destination argument type. If
+        a function takes an int for example, the corresponding entry in the
+        void* parameter array must be a pointer to an int that the moc
+        generated code then can "safely" cast to an int* and dereference.
+        Similarly if the function takes a QVariant it must be a pointer to a
+        QVariant.
+
+        We implement this calling convention by constructing QVariants of the
+        requested parameter types and passing the value of data() into the
+        void* parameter array. This works fine for all types except if the
+        requested type is a QVariant. In that case data() will _not_ return a
+        pointer that can later be safely casted to a QVariant pointer and
+        dereferenced. Instead we must use the address of our variant to ensure
+        a working cast.
+
+        Our auto tests cover this case, but they worked by accident because the
+        provided pointer when casted to a QVariant happens to have the correct
+        type id that doesn't produce the warning seen in the test case of the
+        provided example and the unit test just copies the QVariant and thus
+        pointer.
+
+        * bridge/qt/qt_runtime.cpp:
+        (JSC::Bindings::QtMethodMatchType::typeId): Replace string based meta
+        type id determination of QVariant with a quicker table lookup.
+        (JSC::Bindings::findMethodIndex): Remember the chosen (requested) types
+        and pass the pointer to the QVariant instead of its data() pointer if
+        requested.
+        (JSC::Bindings::QtRuntimeMethod::call): Fixed determination of whether
+        we need to convert a return value or not solely based on the return
+        type _specified_ in the meta method instead of the variant value
+        returned. The latter is not sufficient because a slot can return an
+        invalid variant, which is not the same as returning void. This was
+        triggered by an unit test that accidentally passed due to this memory
+        corruption in the first place.
+
 2012-12-12  Csaba Osztrogonác  <ossy@webkit.org>
 
         [Qt] Unreviewed typo fix after r137446.
diff --git a/Source/WebCore/bridge/qt/qt_runtime.cpp b/Source/WebCore/bridge/qt/qt_runtime.cpp
index 951fa1cde..131239533 100644
--- a/Source/WebCore/bridge/qt/qt_runtime.cpp
+++ b/Source/WebCore/bridge/qt/qt_runtime.cpp
@@ -893,7 +893,7 @@ private:
 QMetaType::Type QtMethodMatchType::typeId() const
 {
     if (isVariant())
-        return (QMetaType::Type) QMetaType::type("QVariant");
+        return (QMetaType::Type) qMetaTypeId<QVariant>();
     return (QMetaType::Type) (isMetaEnum() ? QMetaType::Int : m_typeId);
 }
 
@@ -1086,6 +1086,7 @@ static int findMethodIndex(JSContextRef context,
                 && (matchDistance == 0)) {
                 // perfect match, use this one
                 chosenIndex = index;
+                chosenTypes = types;
                 break;
             }
             QtMethodMatchData currentMatch(matchDistance, index, types, args);
@@ -1163,6 +1164,7 @@ static int findMethodIndex(JSContextRef context,
             setException(context, exception, message);
         } else {
             chosenIndex = bestMatch.index;
+            chosenTypes = bestMatch.types;
             args = bestMatch.args;
         }
     }
@@ -1173,7 +1175,10 @@ static int findMethodIndex(JSContextRef context,
         vars.resize(args.count());
         for (i=0; i < args.count(); i++) {
             vars[i] = args[i];
-            vvars[i] = vars[i].data();
+            if (chosenTypes[i].isVariant())
+                vvars[i] = &vars[i];
+            else
+                vvars[i] = vars[i].data();
         }
     }
 
@@ -1238,14 +1243,15 @@ JSValueRef QtRuntimeMethod::call(JSContextRef context, JSObjectRef function, JSO
 
     QVarLengthArray<QVariant, 10> vargs;
     void* qargs[11];
+    const QMetaObject* metaObject = obj->metaObject();
 
-    int methodIndex = findMethodIndex(context, obj->metaObject(), d->m_identifier,  argumentCount, arguments,
+    int methodIndex = findMethodIndex(context, metaObject, d->m_identifier,  argumentCount, arguments,
                                       (d->m_flags & AllowPrivate), vargs, (void **)qargs, exception);
 
     if (QMetaObject::metacall(obj, QMetaObject::InvokeMetaMethod, methodIndex, qargs) >= 0)
         return JSValueMakeUndefined(context);
 
-    if (vargs.size() > 0 && vargs[0].isValid())
+    if (vargs.size() > 0 && metaObject->method(methodIndex).returnType() != QMetaType::Void)
         return convertQVariantToValue(context, d->m_instance->rootObject(), vargs[0], exception);
 
     return JSValueMakeUndefined(context);
diff --git a/Source/WebKit/qt/docs/webkitsnippets/qtwebkit_build_snippet.qdoc b/Source/WebKit/qt/docs/webkitsnippets/qtwebkit_build_snippet.qdoc
index d4fc2bd85..69814b023 100644
--- a/Source/WebKit/qt/docs/webkitsnippets/qtwebkit_build_snippet.qdoc
+++ b/Source/WebKit/qt/docs/webkitsnippets/qtwebkit_build_snippet.qdoc
@@ -1,8 +1,8 @@
 //! [0]
-QT += webkit
+QT += webkitwidgets
 //! [0]
 
 
 //! [1]
-#include <QtWebKit>
+#include <QtWebKitWidgets>
 //! [1]
diff --git a/Source/WebKit2/UIProcess/PageViewportController.cpp b/Source/WebKit2/UIProcess/PageViewportController.cpp
index e56869f23..8d4bc0176 100644
--- a/Source/WebKit2/UIProcess/PageViewportController.cpp
+++ b/Source/WebKit2/UIProcess/PageViewportController.cpp
@@ -234,6 +234,8 @@ void PageViewportController::didChangeViewportAttributes(const WebCore::Viewport
 
     if (updateMinimumScaleToFit(true))
         m_client->didChangeViewportAttributes();
+
+    syncVisibleContents();
 }
 
 WebCore::FloatSize PageViewportController::viewportSizeInContentsCoordinates() const
diff --git a/Source/WebKit2/WebProcess/WebPage/WebPage.cpp b/Source/WebKit2/WebProcess/WebPage/WebPage.cpp
index 3e20c830d..3c256ec84 100644
--- a/Source/WebKit2/WebProcess/WebPage/WebPage.cpp
+++ b/Source/WebKit2/WebProcess/WebPage/WebPage.cpp
@@ -1027,18 +1027,6 @@ void WebPage::sendViewportAttributesChanged()
     ViewportAttributes attr = computeViewportAttributes(m_page->viewportArguments(), minimumLayoutFallbackWidth, deviceWidth, deviceHeight, m_page->deviceScaleFactor(), m_viewportSize);
     attr.initialScale = m_page->viewportArguments().zoom; // Resets auto (-1) if no value was set by user.
 
-    // Keep the current position, update size only.
-    // For the new loads position is already reset to (0,0).
-    FrameView* view = m_page->mainFrame()->view();
-    IntPoint contentFixedOrigin = view->fixedVisibleContentRect().location();
-
-    // Put the width and height to the viewport width and height. In css units however.
-    // FIXME: This should be in scaled units but this currently affects viewport attributes calculation.
-    IntSize contentFixedSize = m_viewportSize;
-    contentFixedSize.scale(1 / m_page->deviceScaleFactor());
-
-    setFixedVisibleContentRect(IntRect(contentFixedOrigin, contentFixedSize));
-
     // This also takes care of the relayout.
     setFixedLayoutSize(roundedIntSize(attr.layoutSize));