Updated WebKit to ad96ca2f9b57271da4ea7432022ac686ee0981c2

Integrated changes:

|| <https://webkit.org/b/37760> || FrameView's layout root can be detached by style recalc ||
|| <https://webkit.org/b/38922> || innerHTML decompilation issues in textarea ||
|| <https://webkit.org/b/36878> || REGRESSION: Trailing colon on hostnames (with no port specified) causes "Not allowed to use restricted network port" ||
|| <https://webkit.org/b/37781> || [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR ||
|| <https://webkit.org/b/36502> || Cross-origin bypass: iFrame.src can be set to a JavaScript URL via nodeValue or textContent ||
|| <https://webkit.org/b/28697> || WebKit crash on WebCore::Node::nodeIndex() ||
|| <https://webkit.org/b/37031> || Cross-origin bypass: Javascript URL can be set as iframe.src via multiple DOM aliases ||
|| <https://webkit.org/b/36522> || [Qt] Rename QWebSettings::XSSAuditorEnabled to XSSAuditingEnabled ||
|| <https://webkit.org/b/38583> || Use of stale pointers whilst normalizing DOM nodes with mutation event handlers that modify element attributes ||
|| <https://webkit.org/b/41412> || [Qt] Canvas arcTo() should draw straight line to p1 if p0, p1 and p2 are collinear ||
|| <https://webkit.org/b/39878> || [Qt]: REGRESSION(r58703): QWebSettings::JavascriptCanAccessClipboard has wrong case in "Javascript" part. ||
|| <https://webkit.org/b/26824> || focus() behavior permits keystrokes to be redirected across domains ||
|| <https://webkit.org/b/39508> || Crash in WebCore::toAlphabetic() while running MangleMe ||
|| <https://webkit.org/b/36571> || WebKit should treat port numbers outside of the valid range as being blacklisted ||
|| <https://webkit.org/b/38497> || Make sure that http URLs always have a host in SecurityOrigin ||
|| <https://webkit.org/b/38626> || ZDI-CAN-765: CSS Charset Text Transformation Vulnerability ||
|| <https://webkit.org/b/36838> || Cross-origin image theft via SVGs as a canvas pattern ||
|| <https://webkit.org/b/27751> || [sg:high] Copying text to the system clipboard can be done in any context ||
|| <https://webkit.org/b/36843> || REGRESSION (r47291): XHR allows arbitrary XSRF across domains ||
|| <https://webkit.org/b/37230> || REGRESSION (4.0.5): Safari asks for credentials all the time when authenticating to Windows IIS Server ||
|| <https://webkit.org/b/37618> || Memory Corruption with Drag-Drop item from a purged document. ||
|| <https://webkit.org/b/38260> || Frame.src allows javascript URLs with starting spaces ||
|| <https://webkit.org/b/38261> || Table layout crash bug ||

11 files changed, 100 insertions, 29 deletions

diff --git a/src/3rdparty/webkit/WebCore/dom/Attr.idl b/src/3rdparty/webkit/WebCore/dom/Attr.idl
index af84478..3c73bc0 100644
--- a/src/3rdparty/webkit/WebCore/dom/Attr.idl
+++ b/src/3rdparty/webkit/WebCore/dom/Attr.idl
@@ -28,7 +28,9 @@ module core {
         // DOM Level 1
 
         readonly attribute [ConvertNullStringTo=Null] DOMString name;
+
         readonly attribute boolean specified;
+
                  attribute [ConvertNullStringTo=Null, ConvertNullToNullString, CustomSetter] DOMString value 
                      setter raises(DOMException);
 
diff --git a/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp b/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
index fb2852f..c17489a 100644
--- a/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/ContainerNode.cpp
@@ -292,19 +292,32 @@ void ContainerNode::willRemove()
     Node::willRemove();
 }
 
-static ExceptionCode willRemoveChild(Node *child)
+static void willRemoveChild(Node* child)
 {
-    ExceptionCode ec = 0;
+    // update auxiliary doc info (e.g. iterators) to note that node is being removed
+    child->document()->nodeWillBeRemoved(child);
+    child->document()->incDOMTreeVersion();
 
     // fire removed from document mutation events.
     dispatchChildRemovalEvents(child);
-    if (ec)
-        return ec;
 
     if (child->attached())
         child->willRemove();
-    
-    return 0;
+}
+
+static void willRemoveChildren(ContainerNode* container)
+{
+    container->document()->nodeChildrenWillBeRemoved(container);
+    container->document()->incDOMTreeVersion();
+
+    // FIXME: Adding new children from event handlers can cause an infinite loop here.
+    for (RefPtr<Node> child = container->firstChild(); child; child = child->nextSibling()) {
+        // fire removed from document mutation events.
+        dispatchChildRemovalEvents(child.get());
+
+        if (child->attached())
+            child->willRemove();
+    }
 }
 
 bool ContainerNode::removeChild(Node* oldChild, ExceptionCode& ec)
@@ -328,10 +341,7 @@ bool ContainerNode::removeChild(Node* oldChild, ExceptionCode& ec)
     }
 
     RefPtr<Node> child = oldChild;
-
-    ec = willRemoveChild(child.get());
-    if (ec)
-        return false;
+    willRemoveChild(child.get());
 
     // Mutation events might have moved this child into a different parent.
     if (child->parentNode() != this) {
@@ -399,14 +409,12 @@ bool ContainerNode::removeChildren()
         return false;
 
     // The container node can be removed from event handlers.
-    RefPtr<Node> protect(this);
-    
+    RefPtr<ContainerNode> protect(this);
+
     // Do any prep work needed before actually starting to detach
     // and remove... e.g. stop loading frames, fire unload events.
-    // FIXME: Adding new children from event handlers can cause an infinite loop here.
-    for (RefPtr<Node> n = m_firstChild; n; n = n->nextSibling())
-        willRemoveChild(n.get());
-    
+    willRemoveChildren(protect.get());
+
     // exclude this node when looking for removed focusedNode since only children will be removed
     document()->removeFocusedNodeOfSubtree(this, true);
 
@@ -936,6 +944,8 @@ static void dispatchChildInsertionEvents(Node* child)
 
 static void dispatchChildRemovalEvents(Node* child)
 {
+    ASSERT(!eventDispatchForbidden());
+
 #if ENABLE(INSPECTOR)    
     if (Page* page = child->document()->page()) {
         if (InspectorController* inspectorController = page->inspectorController())
@@ -946,11 +956,6 @@ static void dispatchChildRemovalEvents(Node* child)
     RefPtr<Node> c = child;
     RefPtr<Document> document = child->document();
 
-    // update auxiliary doc info (e.g. iterators) to note that node is being removed
-    document->nodeWillBeRemoved(child);
-
-    document->incDOMTreeVersion();
-
     // dispatch pre-removal mutation events
     if (c->parentNode() && document->hasListenerType(Document::DOMNODEREMOVED_LISTENER))
         c->dispatchEvent(MutationEvent::create(eventNames().DOMNodeRemovedEvent, true, c->parentNode()));
diff --git a/src/3rdparty/webkit/WebCore/dom/Document.cpp b/src/3rdparty/webkit/WebCore/dom/Document.cpp
index 545819d..9803cf5 100644
--- a/src/3rdparty/webkit/WebCore/dom/Document.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Document.cpp
@@ -2957,6 +2957,28 @@ void Document::nodeChildrenChanged(ContainerNode* container)
     }
 }
 
+void Document::nodeChildrenWillBeRemoved(ContainerNode* container)
+{
+    if (!disableRangeMutation(page())) {
+        HashSet<Range*>::const_iterator end = m_ranges.end();
+        for (HashSet<Range*>::const_iterator it = m_ranges.begin(); it != end; ++it)
+            (*it)->nodeChildrenWillBeRemoved(container);
+    }
+
+    HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = m_nodeIterators.end();
+    for (HashSet<NodeIterator*>::const_iterator it = m_nodeIterators.begin(); it != nodeIteratorsEnd; ++it) {
+        for (Node* n = container->firstChild(); n; n = n->nextSibling())
+            (*it)->nodeWillBeRemoved(n);
+    }
+
+    if (Frame* frame = this->frame()) {
+        for (Node* n = container->firstChild(); n; n = n->nextSibling()) {
+            frame->selection()->nodeWillBeRemoved(n);
+            frame->dragCaretController()->nodeWillBeRemoved(n);
+        }
+    }
+}
+
 void Document::nodeWillBeRemoved(Node* n)
 {
     HashSet<NodeIterator*>::const_iterator nodeIteratorsEnd = m_nodeIterators.end();
diff --git a/src/3rdparty/webkit/WebCore/dom/Document.h b/src/3rdparty/webkit/WebCore/dom/Document.h
index 44cdf0d..68927f4 100644
--- a/src/3rdparty/webkit/WebCore/dom/Document.h
+++ b/src/3rdparty/webkit/WebCore/dom/Document.h
@@ -616,6 +616,9 @@ public:
     void detachRange(Range*);
 
     void nodeChildrenChanged(ContainerNode*);
+    // nodeChildrenWillBeRemoved is used when removing all node children at once.
+    void nodeChildrenWillBeRemoved(ContainerNode*);
+    // nodeWillBeRemoved is only safe when removing one node at a time.
     void nodeWillBeRemoved(Node*);
 
     void textInserted(Node*, unsigned offset, unsigned length);
diff --git a/src/3rdparty/webkit/WebCore/dom/Element.cpp b/src/3rdparty/webkit/WebCore/dom/Element.cpp
index 6bd512d..a02bb4c 100644
--- a/src/3rdparty/webkit/WebCore/dom/Element.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Element.cpp
@@ -937,7 +937,7 @@ void Element::recalcStyle(StyleChange change)
                 newStyle->setChildrenAffectedByDirectAdjacentRules();
         }
 
-        if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get())) {
+        if (ch != NoChange || pseudoStyleCacheIsInvalid(currentStyle.get(), newStyle.get()) || change == Force && renderer() && renderer()->requiresForcedStyleRecalcPropagation()) {
             setRenderStyle(newStyle);
         } else if (needsStyleRecalc() && (styleChangeType() != SyntheticStyleChange) && (document()->usesSiblingRules() || document()->usesDescendantRules())) {
             // Although no change occurred, we use the new style so that the cousin style sharing code won't get
@@ -1429,9 +1429,15 @@ void Element::normalizeAttributes()
     NamedNodeMap* attrs = attributes(true);
     if (!attrs)
         return;
-    unsigned numAttrs = attrs->length();
-    for (unsigned i = 0; i < numAttrs; i++) {
-        if (Attr* attr = attrs->attributeItem(i)->attr())
+
+    if (attrs->isEmpty())
+        return;
+
+    Vector<RefPtr<Attribute> > attributeVector;
+    attrs->copyAttributesToVector(attributeVector);
+    size_t numAttrs = attributeVector.size();
+    for (size_t i = 0; i < numAttrs; ++i) {
+        if (Attr* attr = attributeVector[i]->attr())
             attr->normalize();
     }
 }
diff --git a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp
index d8a6ba8..ee979cf 100644
--- a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.cpp
@@ -172,6 +172,11 @@ PassRefPtr<Node> NamedNodeMap::item(unsigned index) const
     return m_attributes[index]->createAttrIfNeeded(m_element);
 }
 
+void NamedNodeMap::copyAttributesToVector(Vector<RefPtr<Attribute> >& copy)
+{
+    copy = m_attributes;
+}
+
 Attribute* NamedNodeMap::getAttributeItemSlowCase(const String& name, bool shouldIgnoreAttributeCase) const
 {
     unsigned len = length();
diff --git a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h
index d5136b5..e292576 100644
--- a/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h
+++ b/src/3rdparty/webkit/WebCore/dom/NamedAttrMap.h
@@ -72,6 +72,8 @@ public:
     Attribute* attributeItem(unsigned index) const { return m_attributes[index].get(); }
     Attribute* getAttributeItem(const QualifiedName&) const;
 
+    void copyAttributesToVector(Vector<RefPtr<Attribute> >&);
+
     void shrinkToLength() { m_attributes.shrinkCapacity(length()); }
     void reserveInitialCapacity(unsigned capacity) { m_attributes.reserveInitialCapacity(capacity); }
 
diff --git a/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl b/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl
index 4d36577..7bfbf23 100644
--- a/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl
+++ b/src/3rdparty/webkit/WebCore/dom/NamedNodeMap.idl
@@ -28,7 +28,7 @@ module core {
 
         Node getNamedItem(in DOMString name);
 
-        Node setNamedItem(in Node node)
+        [Custom] Node setNamedItem(in Node node)
             raises(DOMException);
 
         Node removeNamedItem(in DOMString name)
@@ -46,7 +46,7 @@ module core {
             // FIXME: the implementation does take an exceptioncode parameter.
             /*raises(DOMException)*/;
 
-        Node setNamedItemNS(in Node node)
+        [Custom] Node setNamedItemNS(in Node node)
             raises(DOMException);
 
         [OldStyleObjC] Node removeNamedItemNS(in [ConvertNullToNullString] DOMString namespaceURI, 
diff --git a/src/3rdparty/webkit/WebCore/dom/Node.idl b/src/3rdparty/webkit/WebCore/dom/Node.idl
index 0489316..22d9a85 100644
--- a/src/3rdparty/webkit/WebCore/dom/Node.idl
+++ b/src/3rdparty/webkit/WebCore/dom/Node.idl
@@ -51,7 +51,7 @@ module core {
         readonly attribute [ConvertNullStringTo=Null] DOMString        nodeName;
 
                  // FIXME: the spec says this can also raise on retrieval.
-                 attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString        nodeValue
+                 attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString        nodeValue
                      setter raises(DOMException);
 
         readonly attribute unsigned short   nodeType;
@@ -96,7 +96,7 @@ module core {
         readonly attribute [ConvertNullStringTo=Null] DOMString       baseURI;
 
                  // FIXME: the spec says this can also raise on retrieval.
-                 attribute [ConvertNullStringTo=Null, ConvertNullToNullString] DOMString       textContent
+                 attribute [CustomSetter, ConvertNullStringTo=Null, ConvertNullToNullString] DOMString       textContent
                      setter raises(DOMException);
 
         boolean            isSameNode(in Node other);
diff --git a/src/3rdparty/webkit/WebCore/dom/Range.cpp b/src/3rdparty/webkit/WebCore/dom/Range.cpp
index 52d1785..689b590 100644
--- a/src/3rdparty/webkit/WebCore/dom/Range.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Range.cpp
@@ -1716,6 +1716,31 @@ void Range::nodeChildrenChanged(ContainerNode* container)
     boundaryNodeChildrenChanged(m_end, container);
 }
 
+static inline void boundaryNodeChildrenWillBeRemoved(RangeBoundaryPoint& boundary, ContainerNode* container)
+{
+    for (Node* nodeToBeRemoved = container->firstChild(); nodeToBeRemoved; nodeToBeRemoved = nodeToBeRemoved->nextSibling()) {
+        if (boundary.childBefore() == nodeToBeRemoved) {
+            boundary.setToStartOfNode(container);
+            return;
+        }
+
+        for (Node* n = boundary.container(); n; n = n->parentNode()) {
+            if (n == nodeToBeRemoved) {
+                boundary.setToStartOfNode(container);
+                return;
+            }
+        }
+    }
+}
+
+void Range::nodeChildrenWillBeRemoved(ContainerNode* container)
+{
+    ASSERT(container);
+    ASSERT(container->document() == m_ownerDocument);
+    boundaryNodeChildrenWillBeRemoved(m_start, container);
+    boundaryNodeChildrenWillBeRemoved(m_end, container);
+}
+
 static inline void boundaryNodeWillBeRemoved(RangeBoundaryPoint& boundary, Node* nodeToBeRemoved)
 {
     if (boundary.childBefore() == nodeToBeRemoved) {
diff --git a/src/3rdparty/webkit/WebCore/dom/Range.h b/src/3rdparty/webkit/WebCore/dom/Range.h
index fd0f66a..bfddd32 100644
--- a/src/3rdparty/webkit/WebCore/dom/Range.h
+++ b/src/3rdparty/webkit/WebCore/dom/Range.h
@@ -111,6 +111,7 @@ public:
     void textQuads(Vector<FloatQuad>&, bool useSelectionHeight = false);
 
     void nodeChildrenChanged(ContainerNode*);
+    void nodeChildrenWillBeRemoved(ContainerNode*);
     void nodeWillBeRemoved(Node*);
 
     void textInserted(Node*, unsigned offset, unsigned length);