| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Change-Id: Ibb796c6802e757b1d9b40f58205cfbe4da95fcd4
|
|\
| |
| |
| |
| |
| |
| |
| |
| | |
fix exploitable memory corruption in RenderBoxModelObject
Merge commit '7c8c1ab35fc21fce4eaa3455d70b040a845b7eb6'
* commit '7c8c1ab35fc21fce4eaa3455d70b040a845b7eb6':
Cherry-pick WebKit change 61921 to fix exploitable memory corruption in RenderBoxModelObject
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
memory corruption in RenderBoxModelObject
Merge commit 'e9ee2d864ded6c57c02ebc2ff6e41a0711d099d3' into gingerbread-plus-aosp
* commit 'e9ee2d864ded6c57c02ebc2ff6e41a0711d099d3':
Cherry-pick WebKit change 61921 to fix exploitable memory corruption in RenderBoxModelObject
|
| | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
corruption in RenderBoxModelObject
Merge commit 'a42794783dfec7f142845611dc0f20bfe2657c49' into gingerbread
* commit 'a42794783dfec7f142845611dc0f20bfe2657c49':
Cherry-pick WebKit change 61921 to fix exploitable memory corruption in RenderBoxModelObject
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
RenderBoxModelObject
Bug: 2895569
Change-Id: Iea09dc4fdc35e68ccad36deed2132f02e3778e34
|
|\ \ \ \
| |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
fix an exploitable crash when focus is changed
Merge commit '373399bd97b28edc9ee0b6fafdce24cd3becc42c'
* commit '373399bd97b28edc9ee0b6fafdce24cd3becc42c':
Cherry-pick WebKit change 60984 to fix an exploitable crash when focus is changed
|
| |\ \ \
| | |/ /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
exploitable crash when focus is changed
Merge commit '7162fe0e3c5886b6c35f42c5cd9d9e83aa3785cf' into gingerbread-plus-aosp
* commit '7162fe0e3c5886b6c35f42c5cd9d9e83aa3785cf':
Cherry-pick WebKit change 60984 to fix an exploitable crash when focus is changed
|
| | |\ \
| | | |/
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
when focus is changed
Merge commit '2b6ea0299b0340ff815b7beab6e7491ff5e4d6c0' into gingerbread
* commit '2b6ea0299b0340ff815b7beab6e7491ff5e4d6c0':
Cherry-pick WebKit change 60984 to fix an exploitable crash when focus is changed
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
changed
Bug: 2895569
Change-Id: I76f48ca7d6ddee996127254c5f1f00e355318527
|
|\ \ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This is part 1 of 2. This CL moves all response actions to the correct thread. A later CL will move all request actions.
Parts of CL https://android-git.corp.google.com/g/#change,58486 are here since I don't want to loose that functionality.
This will be rewritten as the next part of this CL, and is in WebRequest.cpp function WebRequest::start().
Change-Id: I476dc40ae722ecd83d56c482dbe7df726b3844b0
|
|\ \ \ \ \ |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Change-Id: I08ccbef18a53660fd9c22e1e2160be7de1733db1
|
|\ \ \ \ \ \
| |_|/ / / /
|/| | / / /
| | |/ / /
| |/| | | |
Change-Id: I39ea3d77358e89ee6e5202d08ad18329a17c6989
|
| |\ \ \ \
| | | |/ /
| | |/| |
| | | | |
| | | | |
| | | | |
| | | | | |
Merge commit '71b088a040027130a502f60e6f953c08a194b11e' into gingerbread-plus-aosp
* commit '71b088a040027130a502f60e6f953c08a194b11e':
Tracking merge of dalvik-dev to gingerbread
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
git cherry-pick --no-commit a2350cae81d07b024de06d0508f8cbd317dad3b7
Change-Id: I52ae486a58ed5bdc79390525179092a5a930c0e7
|
|\ \ \ \ \ |
|
| | |_|/ /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Setting the proxy to 0 was not too smart as it crashes when used. The ProxyService::CreateNull is for a usercase like ours where we basicly don't want a proxy.
Also changed the includes in this file to be correct for files from other libraries.
Change-Id: I7b8ccadf01cdeb10cc141e07bea7dbb57bb80073
|
|\ \ \ \ \
| | | | | |
| | | | | |
| | | | | | |
r64264"
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
See https://android-git.corp.google.com/g/#change,59749
Change-Id: I0ea44ef95fcd8035adc27a32fb75e7c19f23c975
|
|\ \ \ \ \ \
| |/ / / / /
| | / / / /
| |/ / / /
|/| | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This class acts simply as a proxy to the real or mock client, which is owned by
the WebView. DEVICE_ORIENTATION is eabled on Android, so we must implement the
client before we pull in http://trac.webkit.org/changeset/64356, which calls
DeviceOrientationClient::setController() from the Page constructor.
Change-Id: Ie21957249e5bef7a58c51205732f4fb1b82fbbd3
|
|\ \ \ \ \ |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Change-Id: Ie984365f5bc35305ec1c2899be25a791ad354ef1
|
| |/ / / /
|/| | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Cherry pick of webkit.org r64638.
Change-Id: I50ea47544af219cc04717a060d4b70f478a40877
|
|\ \ \ \ \
| |/ / / / |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
A loader will not be deleted before the WebRequest has called didFinishLoading() now, so there is no longer a need for this.
There was also a problem with that list. If a loader got deleted and a new one created with the same pointer value the deleted one could be mistaken for the new one.
Change-Id: I856519e751f6f1d15cfbd426a2cd2ba71315850b
|
| | | | |
| | | | |
| | | | |
| | | | | |
Change-Id: I03f3535b7764f420c4bd89981d9cdbe9ac0d0a8b
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The expected result for fast/dom/DeviceOrientation/window-property-expected is now the jsc output. Removing the old file from the android expected output.
Webkit CL that changed the expected from v8 to jsc:
http://trac.webkit.org/changeset/64125/trunk/LayoutTests/fast/dom/DeviceOrientation/window-property-expected.txt
Change-Id: Idc040906b80dd90c26b115f8c97d6d2e3b35a1b7
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
GraphicsContext.h
Change introduced here: http://trac.webkit.org/changeset/63864/trunk/WebCore/platform/graphics/GraphicsContext.h
Change-Id: I471797fff394396ec375db10c3bcb4e9c00feb3e
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Introduced here: http://trac.webkit.org/changeset/64196/trunk/WebCore/rendering/SVGResourcesCycleSolver.cpp
Partially upstreamed as the file has changed upstream after the merge, and the newer version doesn't have both places where guards were needed.
Upstream bug: https://bugs.webkit.org/show_bug.cgi?id=43338
Upstream CL: http://trac.webkit.org/changeset/64465/trunk/WebCore/rendering/SVGResourcesCycleSolver.cpp
Upstream change after merge where we have guards: http://trac.webkit.org/changeset/64440/trunk/WebCore/rendering/SVGResourcesCycleSolver.cpp
Change-Id: Iaab4595ded78485c81d6f61a726a5bd0f48c5621
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Introduced here: http://trac.webkit.org/changeset/63891/trunk/WebCore/bindings/v8/ScriptValue.cpp
The JSC version is guarded.
This change has been upstreamed, and this is the bug:
https://bugs.webkit.org/show_bug.cgi?id=43345
And the webkit CL:
http://trac.webkit.org/changeset/64464/trunk/WebCore/bindings/v8/ScriptValue.cpp
Change-Id: Ic1e5b7a7352a9f290210776f2f1ce220952c6725
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
http://trac.webkit.org/changeset/63994/trunk/WebCore/rendering/RenderTableSection.h
Change-Id: I52787b9723791822d9c95ef52d7a81c23c2aeca7
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
http://trac.webkit.org/changeset/64208
Change-Id: If0c6a616bd9eb1f1c90041f9c83d1770d8acd9bd
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
SecurityOrigin::registerURLSchemeAsLocal got moved to a new class.
http://trac.webkit.org/changeset/63863
Change-Id: If1baa94d90506a9de321ad3303545e133ee446e9
|
| | | | |
| | | | |
| | | | |
| | | | | |
Change-Id: Ie4783363cff9eb7f70d6bbfec1a6237b5f5a72b5
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Tracs of the changes:
WebCore/html/HTMLDocumentParser.cpp
http://trac.webkit.org/changeset/63998/trunk/WebCore/html/HTMLDocumentParser.cpp
WebCore/page/EventHandler.cpp
WebCore/page/EventHandler.h
http://trac.webkit.org/changeset/63888
WebCore/page/Page.cpp
http://trac.webkit.org/changeset/64208
WebCore/page/Settings.cpp
WebCore/page/Settings.h
http://trac.webkit.org/changeset/64110
WebCore/rendering/RenderLayerCompositor.h
http://trac.webkit.org/changeset/64054/trunk/WebCore/rendering/RenderLayerCompositor.h
WebCore/rendering/RenderTableSection.cpp
http://trac.webkit.org/changeset/63994/trunk/WebCore/rendering/RenderTableSection.cpp
WebCore/rendering/break_lines.cpp
http://trac.webkit.org/changeset/64207
Change-Id: I34167b43899ee5066e33b40867cd569ce53f9207
|
| | | | |
| | | | |
| | | | |
| | | | | |
Change-Id: Ic42bef02efef8217a0f84c47176a9c617c28d1f1
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
EventHandler:
* Added IgnoreClipping in order to touch nodes that are clipped
out.
android_graphics:
* Remember the absolute bounds of the node for invals.
RenderBox:
* Fix a compiler warning.
RenderLayer:
* Do not record the entire layer contents unless the scroll
dimensions are larger than the client dimensions.
* Change isSelfPaintingLayer to check for an overflow clip
instead of the scrollable dimensions since it can be too
early to check at this point.
RenderLayerCompositor:
* Same as RenderLayer for checking the overflow clip.
WebViewCore:
* Scroll the containing layer to the node bounds and offset the
mouse position if scrolled. Once the mouse event is processed,
restore the layer to 0,0.
CacheBuilder:
* The body position is no longer used.
* Do not clip out nodes if the layer is scrollable.
CachedFrame:
* Add unadjustBounds to restore adjusted bounds to their original
position (fixed position elements).
* Call unadjustBounds when a node has been found. This new set of
bounds is passed over to WebViewCore to handle clicks.
* Reject empty node bounds.
CachedLayer:
* Document adjustBounds and add unadjustBounds. Add in the scroll
position to the node bounds.
CachedRoot:
* Unadjust the mouse bounds.
WebView:
* Unadjust the mouse bounds and use the absolute bounds of the ring
during inval.
Bug: 1566791
Change-Id: Ia55f2cbb61869087176d3ff61882e40324614c6a
|
|\ \ \ \ \ |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
The original data in this file comes from FileFilter class in the old Dump Render Tree and was extracted from there on 30/07/2010
Change-Id: Ibc1101d08123ffaff51b765e5333d1b96c5ab02f
|
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This reverts commit 0ed6485271097ecf1b4cf4e790f9cfdbb57d921c.
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This allows web pages to have fine-grain control over the appearance
of the rings drawn around nodes.
Generated links (email, addresses, phone numbers) are no longer
given unique colors. To preserve this feature, a separate change
could add an HTML extension similar to vlink to provide the cursor
ring defintions for theses links. The mechanism implemented below
isn't appropriate since these links don't necessarily correspond to
single DOM nodes or other DOM elements.
------------
CSS examples
------------
The CSS to specify the ring looks like:
-webkit-ring-fill-color:rgba(0,0,255,0.4);
-webkit-ring-inner-width:2 px;
-webkit-ring-outer-width:3.5 px;
-webkit-ring-outset: 8 px;
-webkit-ring-pressed-inner-color:rgba(0,0,255,0.8);
-webkit-ring-pressed-outer-color:rgba(0,0,127,0.3);
-webkit-ring-radius: 10 px;
-webkit-ring-selected-inner-color:rgba(63,63,255,0.8);
-webkit-ring-selected-outer-color:rgba(63,63,127,0.3);
and may be alternately defined with a property shortcut:
-webkit-ring:rgba(255,0,0,0.4) 5px 7px
rgba(255,0,0,0.8) rgba(127,0,0,0.3) 20px
rgba(255,63,63,0.8) rgba(127,63,63,0.3);
--------------------
Property definitions
--------------------
A vertical cross-section of the ring corresponds to these
parameters as shown:
______
R / ___O_ R = corner radius
/ / __I_ o I = inner ring
/ / / _O_ ^ O = outer ring
| | | / F | F = fill
|O|I|O| L o = outset
| | | \_F_ | L = original link
\ \ \__O_ V
\ \___I_ o
R \____O_
The fill color specifies what to draw inside the ring
when the link is followed. The fill area consists of the
original link area the outset.
The inner and outer widths specify the stoke width of the inner
and outer rings, respectively. The widths may be specified in
fractional pixels. The implementation captures 4 bits of the
fraction.
The outset specifies the distance from the edge of the original
link to the rings' center. Both rings are drawn at the same center
location.
The radius specifies the curvature of the corners at the center
of the rings.
-------------
Data lifetime
-------------
The selected colors specify the colors of the inner and outer
rings when the trackball or D-pad hovers over the link. The
pressed colors specify the colors of the rings when the
trackball center is pressed or the link is tapped.
The CSS data is recorded in the RenderStyle when the DOM
is parsed. The widths are scaled up by 16 to preserve the fraction.
When the nav cache is built, the CSS style information is
recorded in the CachedColor class. Only unique style sets
are recorded; many CachedNode instances can share the same
CachedColor instance.
When the cursor ring is drawn, the CachedColor is
retrieved by getting the index from the CachedNode, and
looking up the entry in the CachedFrame. The widths are
scaled down by 16 since Lengths are stored by the webkit as
integers.
----------
File Edits
----------
WebCore/Android.derived.mk
- Build the CSS data property tables by concatentating
Android specific data and optionally SVG data.
WebCore/config.h
- Add switch for these rings. This switch is meant
as a convenience for finding the code in WebKit
that was added to enable this feature. Since the
old code in DrawCursor has been removed, it does
not revert to the old behavior if the switch is
turned off.
WebCore/css/AndroidCSSPropertyNames.in
- The new ring properties, plus an old one we
added before.
WebCore/css/CSSComputedStyleDeclaration.cpp
WebCore/css/CSSMutableStyleDeclaration.cpp
WebCore/css/CSSParser.cpp
WebCore/css/CSSStyleSelector.cpp
- I can guess what these functions are for as
well as anyone, but I really don't know. Do
I need all of them? Do I need to modify
Mutable at all?
WebCore/css/CSSPropertyNames.in
- Moved Android addition to AndroidCSSPropertyNames.in
WebCore/platform/graphics/Color.h
- Added initial color values here.
WebCore/platform/graphics/android/android_graphics.*
- This draws the cursor ring. The code that draws
'synthetic' links has been discarded.
WebCore/rendering/style/RenderStyle.h
- Functions to get, set, and initialize the style
data.
WebCore/rendering/style/StyleRareInheritedData.*
- The storage for the style data and an equivalence
function.
WebKit/Android.mk
- Added CachedColor to the build.
WebKit/android/nav/CacheBuilder.cpp
- Record the color from the DOM into the cache.
WebKit/android/nav/CachedColor.*
- Store the cached color info.
WebKit/android/nav/CachedFrame.*
- Where the array of colors is stored.
WebKit/android/nav/CachedNode.*
- Where the index to the colors is stored.
Change-Id: Ia3a931f41d6545e47678e245aafe7c84d4658f94
http://b/2603197
|
|\ \ \ \ \ \ |
|
| | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | | |
issue: 2841402
Change-Id: Ia147b39f84be91a92dd4f491e8d3de263df4244b
|
|\ \ \ \ \ \
| |_|/ / / /
|/| | | | | |
|
| |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The original webkit change is:
http://trac.webkit.org/changeset/64087
Change-Id: Ide7141ffec0a8a37f333c06bddabe3703d79af54
|
|\ \ \ \ \ |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Ported the webkit fixes from http://trac.webkit.org/changeset/62965.
Harfbuzz does not do mirroring, so we iterate each character
in the string and mirror it if needed before passing the
string to harfbuzz for shaping.
Change-Id: Ifee1035f96e4e82a5a2641b57dd839cec3427b59
|
| |/ / / /
|/| | | |
| | | | |
| | | | | |
Change-Id: I31e3786742f0ae05c9f6c8ab23b4dbd0c790dfc5
|