changeset 11292:26dc4201fad2 14+0

8227079: Cherry pick GTK WebKit 2.24.3 changes Reviewed-by: kcr, jvos
author arajkumar
date Fri, 05 Jul 2019 13:58:27 +0530
parents 23d82463559b
children 35b27c59007c 4c6d39fc63ef
files modules/javafx.web/src/main/native/Source/JavaScriptCore/assembler/ARM64Assembler.h modules/javafx.web/src/main/native/Source/JavaScriptCore/assembler/PerfLog.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.h modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PolymorphicAccess.h modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGCommonData.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGCommonData.h modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/interpreter/CallFrame.h modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/ArrayPrototype.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/RegExp.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/RegExpInlines.h modules/javafx.web/src/main/native/Source/JavaScriptCore/wasm/WasmBinding.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/yarr/RegularExpression.cpp 
modules/javafx.web/src/main/native/Source/JavaScriptCore/yarr/YarrInterpreter.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/yarr/YarrInterpreter.h modules/javafx.web/src/main/native/Source/WTF/wtf/generic/MemoryFootprintGeneric.cpp modules/javafx.web/src/main/native/Source/WebCore/accessibility/AXObjectCache.cpp modules/javafx.web/src/main/native/Source/WebCore/accessibility/AccessibilityObject.cpp modules/javafx.web/src/main/native/Source/WebCore/accessibility/AccessibilityRenderObject.cpp modules/javafx.web/src/main/native/Source/WebCore/css/CSSComputedStyleDeclaration.cpp modules/javafx.web/src/main/native/Source/WebCore/css/CSSComputedStyleDeclaration.h modules/javafx.web/src/main/native/Source/WebCore/css/RuleSet.cpp modules/javafx.web/src/main/native/Source/WebCore/css/SVGCSSComputedStyleDeclaration.cpp modules/javafx.web/src/main/native/Source/WebCore/dom/Document.cpp modules/javafx.web/src/main/native/Source/WebCore/dom/Document.h modules/javafx.web/src/main/native/Source/WebCore/dom/TreeScope.cpp modules/javafx.web/src/main/native/Source/WebCore/editing/Editing.cpp modules/javafx.web/src/main/native/Source/WebCore/editing/FrameSelection.cpp modules/javafx.web/src/main/native/Source/WebCore/editing/TypingCommand.cpp modules/javafx.web/src/main/native/Source/WebCore/editing/markup.cpp modules/javafx.web/src/main/native/Source/WebCore/editing/markup.h modules/javafx.web/src/main/native/Source/WebCore/html/HTMLLabelElement.cpp modules/javafx.web/src/main/native/Source/WebCore/html/HTMLPlugInElement.cpp modules/javafx.web/src/main/native/Source/WebCore/html/HTMLTextAreaElement.cpp modules/javafx.web/src/main/native/Source/WebCore/html/ImageDocument.cpp modules/javafx.web/src/main/native/Source/WebCore/html/MediaElementSession.cpp modules/javafx.web/src/main/native/Source/WebCore/loader/DocumentWriter.cpp modules/javafx.web/src/main/native/Source/WebCore/loader/FrameLoader.cpp modules/javafx.web/src/main/native/Source/WebCore/loader/FrameLoader.h 
modules/javafx.web/src/main/native/Source/WebCore/page/DOMWindow.cpp modules/javafx.web/src/main/native/Source/WebCore/page/DragController.cpp modules/javafx.web/src/main/native/Source/WebCore/page/EventHandler.cpp modules/javafx.web/src/main/native/Source/WebCore/page/FrameView.cpp modules/javafx.web/src/main/native/Source/WebCore/page/FrameViewLayoutContext.cpp modules/javafx.web/src/main/native/Source/WebCore/page/PrintContext.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/nicosia/NicosiaAnimatedBackingStoreClient.h modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.h modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/opengl/Extensions3DOpenGLES.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperAnimation.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperAnimation.h modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.h modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h modules/javafx.web/src/main/native/Source/WebCore/platform/image-decoders/ScalableImageDecoder.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/text/TextCodec.cpp modules/javafx.web/src/main/native/Source/WebCore/rendering/RenderView.cpp modules/javafx.web/src/main/native/Source/WebCore/rendering/RenderView.h modules/javafx.web/src/main/native/Source/WebCore/rendering/RenderWidget.cpp modules/javafx.web/src/main/native/Source/WebCore/testing/Internals.cpp modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/AvailableMemory.cpp 
modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/AvailableMemory.h modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/bmalloc.h
diffstat 73 files changed, 874 insertions(+), 334 deletions(-) [+]
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/assembler/ARM64Assembler.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/assembler/ARM64Assembler.h	Fri Jul 05 13:58:27 2019 +0530
@@ -458,11 +458,11 @@
             struct RealTypes {
                 int64_t m_from;
                 int64_t m_to;
+                RegisterID m_compareRegister;
                 JumpType m_type : 8;
                 JumpLinkType m_linkType : 8;
                 Condition m_condition : 4;
                 unsigned m_bitNumber : 6;
-                RegisterID m_compareRegister : 6;
                 bool m_is64Bit : 1;
             } realTypes;
             struct CopyTypes {
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/assembler/PerfLog.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/assembler/PerfLog.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -28,6 +28,7 @@
 
 #if ENABLE(ASSEMBLER) && OS(LINUX)
 
+#include <array>
 #include <elf.h>
 #include <fcntl.h>
 #include <mutex>
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1691,20 +1691,20 @@
     return HandlerInfo::handlerForIndex(m_rareData->m_exceptionHandlers, index, requiredHandler);
 }
 
-CallSiteIndex CodeBlock::newExceptionHandlingCallSiteIndex(CallSiteIndex originalCallSite)
+DisposableCallSiteIndex CodeBlock::newExceptionHandlingCallSiteIndex(CallSiteIndex originalCallSite)
 {
 #if ENABLE(DFG_JIT)
     RELEASE_ASSERT(JITCode::isOptimizingJIT(jitType()));
     RELEASE_ASSERT(canGetCodeOrigin(originalCallSite));
     ASSERT(!!handlerForIndex(originalCallSite.bits()));
     CodeOrigin originalOrigin = codeOrigin(originalCallSite);
-    return m_jitCode->dfgCommon()->addUniqueCallSiteIndex(originalOrigin);
+    return m_jitCode->dfgCommon()->addDisposableCallSiteIndex(originalOrigin);
 #else
     // We never create new on-the-fly exception handling
     // call sites outside the DFG/FTL inline caches.
     UNUSED_PARAM(originalCallSite);
     RELEASE_ASSERT_NOT_REACHED();
-    return CallSiteIndex(0u);
+    return DisposableCallSiteIndex(0u);
 #endif
 }
 
@@ -1774,7 +1774,7 @@
     }
 }
 
-void CodeBlock::removeExceptionHandlerForCallSite(CallSiteIndex callSiteIndex)
+void CodeBlock::removeExceptionHandlerForCallSite(DisposableCallSiteIndex callSiteIndex)
 {
     RELEASE_ASSERT(m_rareData);
     Vector<HandlerInfo>& exceptionHandlers = m_rareData->m_exceptionHandlers;
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.h	Fri Jul 05 13:58:27 2019 +0530
@@ -239,7 +239,7 @@
 
     HandlerInfo* handlerForBytecodeOffset(unsigned bytecodeOffset, RequiredHandler = RequiredHandler::AnyHandler);
     HandlerInfo* handlerForIndex(unsigned, RequiredHandler = RequiredHandler::AnyHandler);
-    void removeExceptionHandlerForCallSite(CallSiteIndex);
+    void removeExceptionHandlerForCallSite(DisposableCallSiteIndex);
     unsigned lineNumberForBytecodeOffset(unsigned bytecodeOffset);
     unsigned columnNumberForBytecodeOffset(unsigned bytecodeOffset);
     void expressionRangeForBytecodeOffset(unsigned bytecodeOffset, int& divot,
@@ -862,7 +862,7 @@
         m_rareData->m_exceptionHandlers.append(handler);
     }
 
-    CallSiteIndex newExceptionHandlingCallSiteIndex(CallSiteIndex originalCallSite);
+    DisposableCallSiteIndex newExceptionHandlingCallSiteIndex(CallSiteIndex originalCallSite);
 
     void ensureCatchLivenessIsComputedForBytecodeOffset(InstructionStream::Offset bytecodeOffset);
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -163,6 +163,14 @@
     return m_callSiteIndex;
 }
 
+DisposableCallSiteIndex AccessGenerationState::callSiteIndexForExceptionHandling()
+{
+    RELEASE_ASSERT(m_calculatedRegistersForCallAndExceptionHandling);
+    RELEASE_ASSERT(m_needsToRestoreRegistersIfException);
+    RELEASE_ASSERT(m_calculatedCallSiteIndex);
+    return DisposableCallSiteIndex::fromCallSiteIndex(m_callSiteIndex);
+}
+
 const HandlerInfo& AccessGenerationState::originalExceptionHandler()
 {
     if (!m_calculatedRegistersForCallAndExceptionHandling)
@@ -535,7 +543,7 @@
     failure.append(jit.jump());
 
     CodeBlock* codeBlockThatOwnsExceptionHandlers = nullptr;
-    CallSiteIndex callSiteIndexForExceptionHandling;
+    DisposableCallSiteIndex callSiteIndexForExceptionHandling;
     if (state.needsToRestoreRegistersIfException() && hasJSGetterSetterCall) {
         // Emit the exception handler.
         // Note that this code is only reachable when doing genericUnwind from a pure JS getter/setter .
@@ -557,7 +565,7 @@
         CCallHelpers::Jump jumpToOSRExitExceptionHandler = jit.jump();
 
         HandlerInfo oldHandler = state.originalExceptionHandler();
-        CallSiteIndex newExceptionHandlingCallSite = state.callSiteIndexForExceptionHandling();
+        DisposableCallSiteIndex newExceptionHandlingCallSite = state.callSiteIndexForExceptionHandling();
         jit.addLinkTask(
             [=] (LinkBuffer& linkBuffer) {
                 linkBuffer.link(jumpToOSRExitExceptionHandler, oldHandler.nativeCode);
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PolymorphicAccess.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PolymorphicAccess.h	Fri Jul 05 13:58:27 2019 +0530
@@ -241,13 +241,7 @@
     const RegisterSet& liveRegistersForCall();
 
     CallSiteIndex callSiteIndexForExceptionHandlingOrOriginal();
-    CallSiteIndex callSiteIndexForExceptionHandling()
-    {
-        RELEASE_ASSERT(m_calculatedRegistersForCallAndExceptionHandling);
-        RELEASE_ASSERT(m_needsToRestoreRegistersIfException);
-        RELEASE_ASSERT(m_calculatedCallSiteIndex);
-        return m_callSiteIndex;
-    }
+    DisposableCallSiteIndex callSiteIndexForExceptionHandling();
 
     const HandlerInfo& originalExceptionHandler();
 
@@ -271,7 +265,7 @@
 
     RegisterSet m_liveRegistersToPreserveAtExceptionHandlingCallSite;
     RegisterSet m_liveRegistersForCall;
-    CallSiteIndex m_callSiteIndex { CallSiteIndex(std::numeric_limits<unsigned>::max()) };
+    CallSiteIndex m_callSiteIndex;
     SpillState m_spillStateForJSGetterSetter;
     bool m_calculatedRegistersForCallAndExceptionHandling : 1;
     bool m_needsToRestoreRegistersIfException : 1;
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -3980,7 +3980,7 @@
         generator.emitNode(superclass.get(), m_classHeritage);
     }
 
-    RefPtr<RegisterID> constructor;
+    RefPtr<RegisterID> constructor = generator.tempDestination(dst);
     bool needsHomeObject = false;
 
     if (m_constructorExpression) {
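Review bot: Nothing in the new code says why the constructor is now built in `generator.tempDestination(dst)` and only moved into `generator.finalDestination(...)` at the end (see also the hunks at -3988 and -4048). Presumably `dst` can be a register that expressions evaluated later in the class body still read, so writing it early was observable. A one-line comment above the declaration, such as `// Build the constructor in a temporary: dst may alias a register that class-body expressions below still read.`, would stop a later cleanup from folding the temporary away again. The enclosing function starts and ends outside this hunk, so the exact reason should be confirmed against the upstream change before wording the comment.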
@@ -3988,10 +3988,10 @@
         FunctionMetadataNode* metadata = static_cast<FuncExprNode*>(m_constructorExpression)->metadata();
         metadata->setEcmaName(ecmaName());
         metadata->setClassSource(m_classSource);
-        constructor = generator.emitNode(dst, m_constructorExpression);
+        constructor = generator.emitNode(constructor.get(), m_constructorExpression);
         needsHomeObject = m_classHeritage || metadata->superBinding() == SuperBinding::Needed;
     } else
-        constructor = generator.emitNewDefaultConstructor(generator.finalDestination(dst), m_classHeritage ? ConstructorKind::Extends : ConstructorKind::Base, m_name, ecmaName(), m_classSource);
+        constructor = generator.emitNewDefaultConstructor(constructor.get(), m_classHeritage ? ConstructorKind::Extends : ConstructorKind::Base, m_name, ecmaName(), m_classSource);
 
     const auto& propertyNames = generator.propertyNames();
     RefPtr<RegisterID> prototype = generator.emitNewObject(generator.newTemporary());
@@ -4048,7 +4048,7 @@
         generator.popLexicalScope(this);
     }
 
-    return generator.move(dst, constructor.get());
+    return generator.move(generator.finalDestination(dst, constructor.get()), constructor.get());
 }
 
 // ------------------------------ ImportDeclarationNode -----------------------
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h	Fri Jul 05 13:58:27 2019 +0530
@@ -433,13 +433,13 @@
                 setConstant(node, JSValue(a ^ b));
                 break;
             case BitRShift:
-                setConstant(node, JSValue(a >> static_cast<uint32_t>(b)));
+                setConstant(node, JSValue(a >> (static_cast<uint32_t>(b) & 0x1f)));
                 break;
             case BitLShift:
-                setConstant(node, JSValue(a << static_cast<uint32_t>(b)));
+                setConstant(node, JSValue(a << (static_cast<uint32_t>(b) & 0x1f)));
                 break;
             case BitURShift:
-                setConstant(node, JSValue(static_cast<uint32_t>(a) >> static_cast<uint32_t>(b)));
+                setConstant(node, JSValue(static_cast<int32_t>(static_cast<uint32_t>(a) >> (static_cast<uint32_t>(b) & 0x1f))));
                 break;
             default:
                 RELEASE_ASSERT_NOT_REACHED();
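Review bot: The `BitLShift` fold still shifts `a` itself, so if `a` is a signed 32-bit value (its declaration is outside this hunk), a negative or overflowing operand is undefined behaviour before C++20 even with the count now masked. The `BitURShift` line already shows the safe pattern of shifting the unsigned representation and casting back: `setConstant(node, JSValue(static_cast<int32_t>(static_cast<uint32_t>(a) << (static_cast<uint32_t>(b) & 0x1f))));`. A short comment that `& 0x1f` mirrors the language's shift-count rule would also help, because a constant folder that disagrees with the generated code is the kind of mismatch this change is closing.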
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -756,11 +756,11 @@
                         InlineCallFrame* inlineCallFrame = candidate->origin.semantic.inlineCallFrame;
                         index += numberOfArgumentsToSkip;
 
-                        bool safeToGetStack;
+                        bool safeToGetStack = index >= numberOfArgumentsToSkip;
                         if (inlineCallFrame)
-                            safeToGetStack = index < inlineCallFrame->argumentCountIncludingThis - 1;
+                            safeToGetStack &= index < inlineCallFrame->argumentCountIncludingThis - 1;
                         else {
-                            safeToGetStack =
+                            safeToGetStack &=
                                 index < static_cast<unsigned>(codeBlock()->numParameters()) - 1;
                         }
                         if (safeToGetStack) {
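Review bot: The new initialiser `index >= numberOfArgumentsToSkip` is a wraparound check on the `index += numberOfArgumentsToSkip` two lines above it, but nothing says so, and it is only correct if `index` is unsigned (its declaration is outside the hunk). I would add `// index + numberOfArgumentsToSkip may wrap; a wrapped sum is smaller than the addend, so it must not be treated as in range.` above the declaration. The added `m_out.below(indexToCheck, numberOfArgumentsToSkip)` term in the FTLLowerDFGToB3.cpp hunk at -4254 encodes the same condition and has no comment either.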
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGCommonData.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGCommonData.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -61,9 +61,6 @@
 
 CallSiteIndex CommonData::addUniqueCallSiteIndex(CodeOrigin codeOrigin)
 {
-    if (callSiteIndexFreeList.size())
-        return CallSiteIndex(callSiteIndexFreeList.takeAny());
-
     codeOrigins.append(codeOrigin);
     unsigned index = codeOrigins.size() - 1;
     ASSERT(codeOrigins[index] == codeOrigin);
@@ -76,10 +73,26 @@
     return CallSiteIndex(codeOrigins.size() - 1);
 }
 
-void CommonData::removeCallSiteIndex(CallSiteIndex callSite)
+DisposableCallSiteIndex CommonData::addDisposableCallSiteIndex(CodeOrigin codeOrigin)
+{
+    if (callSiteIndexFreeList.size()) {
+        unsigned index = callSiteIndexFreeList.takeAny();
+        codeOrigins[index] = codeOrigin;
+        return DisposableCallSiteIndex(index);
+    }
+
+    codeOrigins.append(codeOrigin);
+    unsigned index = codeOrigins.size() - 1;
+    ASSERT(codeOrigins[index] == codeOrigin);
+    return DisposableCallSiteIndex(index);
+}
+
+
+void CommonData::removeDisposableCallSiteIndex(DisposableCallSiteIndex callSite)
 {
     RELEASE_ASSERT(callSite.bits() < codeOrigins.size());
     callSiteIndexFreeList.add(callSite.bits());
+    codeOrigins[callSite.bits()] = CodeOrigin();
 }
 
 void CommonData::shrinkToFit()
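Review bot: `removeDisposableCallSiteIndex` bounds-checks the index but does not detect a second release of the same index, because the result of `callSiteIndexFreeList.add(...)` is ignored. Assuming the free list is a WTF `HashSet` (its declaration is outside the hunk), `auto result = callSiteIndexFreeList.add(callSite.bits()); RELEASE_ASSERT(result.isNewEntry);` would turn a double release into an immediate failure. Without it, a double release silently clears `codeOrigins[...]` a second time, possibly after the slot was handed out again. On the reuse path of `addDisposableCallSiteIndex`, `ASSERT(codeOrigins[index] == CodeOrigin());` before the overwrite would check the matching invariant that a free-listed slot is empty. The doubled blank line before `removeDisposableCallSiteIndex` can go as well.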
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGCommonData.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGCommonData.h	Fri Jul 05 13:58:27 2019 +0530
@@ -83,7 +83,9 @@
     CallSiteIndex addCodeOrigin(CodeOrigin);
     CallSiteIndex addUniqueCallSiteIndex(CodeOrigin);
     CallSiteIndex lastCallSite() const;
-    void removeCallSiteIndex(CallSiteIndex);
+
+    DisposableCallSiteIndex addDisposableCallSiteIndex(CodeOrigin);
+    void removeDisposableCallSiteIndex(DisposableCallSiteIndex);
 
     void shrinkToFit();
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -8186,17 +8186,18 @@
         }
     }
 
-
     GPRTemporary temp3(this);
     GPRReg tempValue = temp3.gpr();
+
     {
+        // We need to keep the source array alive at least until after we're done
+        // with anything that can GC (e.g. allocating the result array below).
         SpeculateCellOperand cell(this, m_jit.graph().varArgChild(node, 0));
+
         m_jit.load8(MacroAssembler::Address(cell.gpr(), JSCell::indexingTypeAndMiscOffset()), tempValue);
         // We can ignore the writability of the cell since we won't write to the source.
         m_jit.and32(TrustedImm32(AllWritableArrayTypesAndHistory), tempValue);
-    }
-
-    {
+
         JSValueRegsTemporary emptyValue(this);
         JSValueRegs emptyValueRegs = emptyValue.regs();
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -4254,13 +4254,15 @@
 
         LValue numberOfArgs = m_out.sub(numberOfArgsIncludingThis, m_out.int32One);
         LValue indexToCheck = originalIndex;
+        LValue numberOfArgumentsToSkip = m_out.int32Zero;
         if (m_node->numberOfArgumentsToSkip()) {
-            CheckValue* check = m_out.speculateAdd(indexToCheck, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
+            numberOfArgumentsToSkip = m_out.constInt32(m_node->numberOfArgumentsToSkip());
+            CheckValue* check = m_out.speculateAdd(indexToCheck, numberOfArgumentsToSkip);
             blessSpeculation(check, Overflow, noValue(), nullptr, m_origin);
             indexToCheck = check;
         }
 
-        LValue isOutOfBounds = m_out.aboveOrEqual(indexToCheck, numberOfArgs);
+        LValue isOutOfBounds = m_out.bitOr(m_out.aboveOrEqual(indexToCheck, numberOfArgs), m_out.below(indexToCheck, numberOfArgumentsToSkip));
         LBasicBlock continuation = nullptr;
         LBasicBlock lastNext = nullptr;
         ValueFromBlock slowResult;
@@ -4907,6 +4909,7 @@
     {
         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
 
+        LValue sourceArray = lowCell(m_graph.varArgChild(m_node, 0));
         LValue sourceStorage = lowStorage(m_graph.varArgChild(m_node, m_node->numChildren() - 1));
         LValue inputLength = m_out.load32(sourceStorage, m_heaps.Butterfly_publicLength);
 
@@ -4932,7 +4935,7 @@
 
         ArrayValues arrayResult;
         {
-            LValue indexingType = m_out.load8ZeroExt32(lowCell(m_graph.varArgChild(m_node, 0)), m_heaps.JSCell_indexingTypeAndMisc);
+            LValue indexingType = m_out.load8ZeroExt32(sourceArray, m_heaps.JSCell_indexingTypeAndMisc);
             // We can ignore the writability of the cell since we won't write to the source.
             indexingType = m_out.bitAnd(indexingType, m_out.constInt32(AllWritableArrayTypesAndHistory));
             // When we emit an ArraySlice, we dominate the use of the array by a CheckStructure
@@ -4947,6 +4950,9 @@
             arrayResult = allocateJSArray(resultLength, resultLength, structure, indexingType, false, false);
         }
 
+        // Keep the sourceArray alive at least until after anything that can GC.
+        keepAlive(sourceArray);
+
         LBasicBlock loop = m_out.newBlock();
         LBasicBlock continuation = m_out.newBlock();
 
@@ -16995,6 +17001,15 @@
         return true;
     }
 
+    void keepAlive(LValue value)
+    {
+        PatchpointValue* patchpoint = m_out.patchpoint(Void);
+        patchpoint->effects = Effects::none();
+        patchpoint->effects.writesLocalState = true;
+        patchpoint->append(value, ValueRep::ColdAny);
+        patchpoint->setGenerator([=] (CCallHelpers&, const StackmapGenerationParams&) { });
+    }
+
     void addWeakReference(JSCell* target)
     {
         m_graph.m_plan.weakReferences().addLazily(target);
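Review bot: `keepAlive` is added without a comment, and its correctness rests on details that are easy to undo: the generator lambda is intentionally empty, and `writesLocalState = true` is presumably what stops the patchpoint from being eliminated or moved. I would add a comment above the helper saying that it emits no machine code, that it exists only to extend the liveness of `value` to the point of the call so the object stays reachable across anything that can GC, and that the effects must not be reduced to `Effects::none()`. The call added in the hunk at -4947 depends on the patchpoint staying after `allocateJSArray`, which is worth stating there too.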
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -170,8 +170,9 @@
     YarrPattern pattern(patternString, JSC::RegExpFlags::FlagMultiline, error);
     ASSERT(!hasError(error));
     BumpPointerAllocator regexAllocator;
-    auto bytecodePattern = byteCompile(pattern, &regexAllocator);
-    ASSERT(bytecodePattern);
+    JSC::Yarr::ErrorCode ignoredErrorCode = JSC::Yarr::ErrorCode::NoError;
+    auto bytecodePattern = byteCompile(pattern, &regexAllocator, ignoredErrorCode);
+    RELEASE_ASSERT(bytecodePattern);
 
     ASSERT(pattern.m_numSubpatterns == 1);
     std::array<unsigned, 4> matches;
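Review bot: A failed `byteCompile` now terminates the process through `RELEASE_ASSERT(bytecodePattern)`, and the reason is dropped in `ignoredErrorCode`. The RegExp.cpp hunks in this same commit treat the identical null result as a recoverable `ParseError`. The preceding `ASSERT(!hasError(error))` is a debug-only assertion, so in a release build a pattern that failed to parse would also reach this line. If `patternString` can ever be influenced by inspected content rather than being a fixed literal (the caller and the function's return type are outside the hunk), it would be safer to return the function's "no match" value when `hasError(error) || !bytecodePattern` instead of asserting.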
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/interpreter/CallFrame.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/interpreter/CallFrame.h	Fri Jul 05 13:58:27 2019 +0530
@@ -43,11 +43,9 @@
 
     typedef ExecState CallFrame;
 
-    struct CallSiteIndex {
-        CallSiteIndex()
-            : m_bits(UINT_MAX)
-        {
-        }
+    class CallSiteIndex {
+    public:
+        CallSiteIndex() = default;
 
         explicit CallSiteIndex(uint32_t bits)
             : m_bits(bits)
@@ -64,7 +62,22 @@
         inline uint32_t bits() const { return m_bits; }
 
     private:
-        uint32_t m_bits;
+        uint32_t m_bits { UINT_MAX };
+    };
+
+    class DisposableCallSiteIndex : public CallSiteIndex {
+    public:
+        DisposableCallSiteIndex() = default;
+
+        explicit DisposableCallSiteIndex(uint32_t bits)
+            : CallSiteIndex(bits)
+        {
+        }
+
+        static DisposableCallSiteIndex fromCallSiteIndex(CallSiteIndex callSiteIndex)
+        {
+            return DisposableCallSiteIndex(callSiteIndex.bits());
+        }
     };
 
     // arm64_32 expects caller frame and return pc to use 8 bytes
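Review bot: `DisposableCallSiteIndex` is introduced without any comment, and `fromCallSiteIndex` is a public, unchecked relabelling. Any `CallSiteIndex` can be converted and later passed to `removeDisposableCallSiteIndex`, which could put a slot that is still referenced onto the free list. I would document the class, e.g. `// A CallSiteIndex whose CodeOrigin slot goes back to a free list and may be reused; only indices obtained from addDisposableCallSiteIndex() should carry this type.`, and state on `fromCallSiteIndex` that the caller must already know the index was allocated as disposable. The only use visible in this commit is `AccessGenerationState::callSiteIndexForExceptionHandling()`, which is guarded by three `RELEASE_ASSERT`s. Making the factory private with that class as a friend would keep the conversion confined to that one audited place.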
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -102,7 +102,7 @@
 
 GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler(
     const MacroAssemblerCodeRef<JITStubRoutinePtrTag>& code, VM& vm,  const JSCell* owner, const Vector<JSCell*>& cells,
-    CodeBlock* codeBlockForExceptionHandlers, CallSiteIndex exceptionHandlerCallSiteIndex)
+    CodeBlock* codeBlockForExceptionHandlers, DisposableCallSiteIndex exceptionHandlerCallSiteIndex)
     : MarkingGCAwareJITStubRoutine(code, vm, owner, cells)
     , m_codeBlockWithExceptionHandler(codeBlockForExceptionHandlers)
     , m_exceptionHandlerCallSiteIndex(exceptionHandlerCallSiteIndex)
@@ -120,7 +120,7 @@
 {
 #if ENABLE(DFG_JIT)
     if (m_codeBlockWithExceptionHandler) {
-        m_codeBlockWithExceptionHandler->jitCode()->dfgCommon()->removeCallSiteIndex(m_exceptionHandlerCallSiteIndex);
+        m_codeBlockWithExceptionHandler->jitCode()->dfgCommon()->removeDisposableCallSiteIndex(m_exceptionHandlerCallSiteIndex);
         m_codeBlockWithExceptionHandler->removeExceptionHandlerForCallSite(m_exceptionHandlerCallSiteIndex);
         m_codeBlockWithExceptionHandler = nullptr;
     }
@@ -137,7 +137,7 @@
     bool makesCalls,
     const Vector<JSCell*>& cells,
     CodeBlock* codeBlockForExceptionHandlers,
-    CallSiteIndex exceptionHandlerCallSiteIndex)
+    DisposableCallSiteIndex exceptionHandlerCallSiteIndex)
 {
     if (!makesCalls)
         return adoptRef(*new JITStubRoutine(code));
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h	Fri Jul 05 13:58:27 2019 +0530
@@ -89,19 +89,19 @@
 
 // The stub has exception handlers in it. So it clears itself from exception
 // handling table when it dies. It also frees space in CodeOrigin table
-// for new exception handlers to use the same CallSiteIndex.
+// for new exception handlers to use the same DisposableCallSiteIndex.
 class GCAwareJITStubRoutineWithExceptionHandler : public MarkingGCAwareJITStubRoutine {
 public:
     typedef GCAwareJITStubRoutine Base;
 
-    GCAwareJITStubRoutineWithExceptionHandler(const MacroAssemblerCodeRef<JITStubRoutinePtrTag>&, VM&, const JSCell* owner, const Vector<JSCell*>&, CodeBlock*, CallSiteIndex);
+    GCAwareJITStubRoutineWithExceptionHandler(const MacroAssemblerCodeRef<JITStubRoutinePtrTag>&, VM&, const JSCell* owner, const Vector<JSCell*>&, CodeBlock*, DisposableCallSiteIndex);
 
     void aboutToDie() override;
     void observeZeroRefCount() override;
 
 private:
     CodeBlock* m_codeBlockWithExceptionHandler;
-    CallSiteIndex m_exceptionHandlerCallSiteIndex;
+    DisposableCallSiteIndex m_exceptionHandlerCallSiteIndex;
 };
 
 // Helper for easily creating a GC-aware JIT stub routine. For the varargs,
@@ -126,7 +126,7 @@
 Ref<JITStubRoutine> createJITStubRoutine(
     const MacroAssemblerCodeRef<JITStubRoutinePtrTag>&, VM&, const JSCell* owner, bool makesCalls,
     const Vector<JSCell*>& = { },
-    CodeBlock* codeBlockForExceptionHandlers = nullptr, CallSiteIndex exceptionHandlingCallSiteIndex = CallSiteIndex(std::numeric_limits<unsigned>::max()));
+    CodeBlock* codeBlockForExceptionHandlers = nullptr, DisposableCallSiteIndex exceptionHandlingCallSiteIndex = DisposableCallSiteIndex());
 
 } // namespace JSC
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h	Fri Jul 05 13:58:27 2019 +0530
@@ -35,11 +35,10 @@
 
 namespace JSC {
 
+class CallSiteIndex;
 class CodeBlock;
 class StructureStubInfo;
 
-struct CallSiteIndex;
-
 enum class AccessType : int8_t;
 
 class JITInlineCacheGenerator {
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/ArrayPrototype.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/ArrayPrototype.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1004,6 +1004,10 @@
         RETURN_IF_EXCEPTION(scope, { });
     }
 
+    // Document that we need to keep the source array alive until after anything
+    // that can GC (e.g. allocating the result array).
+    thisObj->use();
+
     unsigned n = 0;
     for (unsigned k = begin; k < end; k++, n++) {
         JSValue v = getProperty(exec, thisObj, k);
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/RegExp.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/RegExp.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -262,9 +262,9 @@
 }
 
 
-static std::unique_ptr<Yarr::BytecodePattern> byteCodeCompilePattern(VM* vm, Yarr::YarrPattern& pattern)
+static std::unique_ptr<Yarr::BytecodePattern> byteCodeCompilePattern(VM* vm, Yarr::YarrPattern& pattern, Yarr::ErrorCode& errorCode)
 {
-    return Yarr::byteCompile(pattern, &vm->m_regExpAllocator, &vm->m_regExpAllocatorLock);
+    return Yarr::byteCompile(pattern, &vm->m_regExpAllocator, errorCode, &vm->m_regExpAllocatorLock);
 }
 
 void RegExp::byteCodeCompileIfNecessary(VM* vm)
@@ -282,7 +282,11 @@
     }
     ASSERT(m_numSubpatterns == pattern.m_numSubpatterns);
 
-    m_regExpBytecode = byteCodeCompilePattern(vm, pattern);
+    m_regExpBytecode = byteCodeCompilePattern(vm, pattern, m_constructionErrorCode);
+    if (!m_regExpBytecode) {
+        m_state = ParseError;
+        return;
+    }
 }
 
 void RegExp::compile(VM* vm, Yarr::YarrCharSize charSize)
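Review bot: `m_state = ParseError` is set on a null result without checking that `m_constructionErrorCode` was actually written by `byteCompile`. The throw path in RegExpInlines.h consults that code (`hasHardError(m_constructionErrorCode)`), so a null return that leaves it at `NoError` would raise an error built from a non-error code. Adding `ASSERT(Yarr::hasError(m_constructionErrorCode));` inside the `if` would catch that. The same four-line block is repeated in the hunks at -322 and -379, and in each the `return;` is the last statement of the function, so one small private helper that assigns `m_regExpBytecode` and sets the state would keep the three paths from drifting. This hunk starts inside `byteCodeCompileIfNecessary`, whose beginning is not shown.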
@@ -322,7 +326,11 @@
         dataLog("Can't JIT this regular expression: \"", m_patternString, "\"\n");
 
     m_state = ByteCode;
-    m_regExpBytecode = byteCodeCompilePattern(vm, pattern);
+    m_regExpBytecode = byteCodeCompilePattern(vm, pattern, m_constructionErrorCode);
+    if (!m_regExpBytecode) {
+        m_state = ParseError;
+        return;
+    }
 }
 
 int RegExp::match(VM& vm, const String& s, unsigned startOffset, Vector<int>& ovector)
@@ -379,7 +387,11 @@
         dataLog("Can't JIT this regular expression: \"", m_patternString, "\"\n");
 
     m_state = ByteCode;
-    m_regExpBytecode = byteCodeCompilePattern(vm, pattern);
+    m_regExpBytecode = byteCodeCompilePattern(vm, pattern, m_constructionErrorCode);
+    if (!m_regExpBytecode) {
+        m_state = ParseError;
+        return;
+    }
 }
 
 MatchResult RegExp::match(VM& vm, const String& s, unsigned startOffset)
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/RegExpInlines.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/RegExpInlines.h	Fri Jul 05 13:58:27 2019 +0530
@@ -139,14 +139,17 @@
 
     compileIfNecessary(vm, s.is8Bit() ? Yarr::Char8 : Yarr::Char16);
 
-    if (m_state == ParseError) {
+    auto throwError = [&] {
         auto throwScope = DECLARE_THROW_SCOPE(vm);
         ExecState* exec = vm.topCallFrame;
         throwScope.throwException(exec, errorToThrow(exec));
         if (!hasHardError(m_constructionErrorCode))
             reset();
         return -1;
-    }
+    };
+
+    if (m_state == ParseError)
+        return throwError();
 
     int offsetVectorSize = (m_numSubpatterns + 1) * 2;
     ovector.resize(offsetVectorSize);
@@ -175,6 +178,8 @@
         if (result == Yarr::JSRegExpJITCodeFailure) {
             // JIT'ed code couldn't handle expression, so punt back to the interpreter.
             byteCodeCompileIfNecessary(&vm);
+            if (m_state == ParseError)
+                return throwError();
             result = Yarr::interpret(m_regExpBytecode.get(), s, startOffset, reinterpret_cast<unsigned*>(offsetVector));
         }
 
@@ -263,14 +268,17 @@
 
     compileIfNecessaryMatchOnly(vm, s.is8Bit() ? Yarr::Char8 : Yarr::Char16);
 
-    if (m_state == ParseError) {
+    auto throwError = [&] {
         auto throwScope = DECLARE_THROW_SCOPE(vm);
         ExecState* exec = vm.topCallFrame;
         throwScope.throwException(exec, errorToThrow(exec));
         if (!hasHardError(m_constructionErrorCode))
             reset();
         return MatchResult::failed();
-    }
+    };
+
+    if (m_state == ParseError)
+        return throwError();
 
 #if ENABLE(YARR_JIT)
     MatchResult result;
@@ -302,6 +310,8 @@
 
         // JIT'ed code couldn't handle expression, so punt back to the interpreter.
         byteCodeCompileIfNecessary(&vm);
+        if (m_state == ParseError)
+            return throwError();
     }
 #endif
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/wasm/WasmBinding.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/wasm/WasmBinding.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -31,6 +31,7 @@
 #include "CCallHelpers.h"
 #include "JSCInlines.h"
 #include "LinkBuffer.h"
+#include "WasmCallingConvention.h"
 #include "WasmInstance.h"
 
 namespace JSC { namespace Wasm {
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/yarr/RegularExpression.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/yarr/RegularExpression.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -74,7 +74,7 @@
 
         m_numSubpatterns = pattern.m_numSubpatterns;
 
-        return JSC::Yarr::byteCompile(pattern, &m_regexAllocator);
+        return JSC::Yarr::byteCompile(pattern, &m_regexAllocator, m_constructionErrorCode);
     }
 
     BumpPointerAllocator m_regexAllocator;
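Review bot: `JSC::Yarr::byteCompile` can now return null and report the reason through `m_constructionErrorCode`, but nothing in this hunk shows the consumer of the compiled pattern handling a null result. The `RegExp.cpp` hunks set `m_state = ParseError` for the same case. Here the enclosing function and the code that later hands the pattern to `interpret` are outside the hunk, so it should be confirmed that the match path checks the pointer or the error code first, and a null check added in front of the `interpret` call if it does not.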
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/yarr/YarrInterpreter.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/yarr/YarrInterpreter.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1673,13 +1673,15 @@
     ByteCompiler(YarrPattern& pattern)
         : m_pattern(pattern)
     {
-        m_currentAlternativeIndex = 0;
     }
 
-    std::unique_ptr<BytecodePattern> compile(BumpPointerAllocator* allocator, ConcurrentJSLock* lock)
+    std::unique_ptr<BytecodePattern> compile(BumpPointerAllocator* allocator, ConcurrentJSLock* lock, ErrorCode& errorCode)
     {
         regexBegin(m_pattern.m_numSubpatterns, m_pattern.m_body->m_callFrameSize, m_pattern.m_body->m_alternatives[0]->onceThrough());
-        emitDisjunction(m_pattern.m_body);
+        if (auto error = emitDisjunction(m_pattern.m_body, 0, 0)) {
+            errorCode = error.value();
+            return nullptr;
+        }
         regexEnd();
 
 #ifndef NDEBUG
@@ -1734,9 +1736,9 @@
     {
         m_bodyDisjunction->terms.append(ByteTerm(characterClass, invert, inputPosition));
 
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].atom.quantityMaxCount = quantityMaxCount.unsafeGet();
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].atom.quantityType = quantityType;
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = frameLocation;
+        m_bodyDisjunction->terms.last().atom.quantityMaxCount = quantityMaxCount.unsafeGet();
+        m_bodyDisjunction->terms.last().atom.quantityType = quantityType;
+        m_bodyDisjunction->terms.last().frameLocation = frameLocation;
     }
 
     void atomBackReference(unsigned subpatternId, unsigned inputPosition, unsigned frameLocation, Checked<unsigned> quantityMaxCount, QuantifierType quantityType)
@@ -1745,19 +1747,19 @@
 
         m_bodyDisjunction->terms.append(ByteTerm::BackReference(subpatternId, inputPosition));
 
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].atom.quantityMaxCount = quantityMaxCount.unsafeGet();
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].atom.quantityType = quantityType;
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = frameLocation;
+        m_bodyDisjunction->terms.last().atom.quantityMaxCount = quantityMaxCount.unsafeGet();
+        m_bodyDisjunction->terms.last().atom.quantityType = quantityType;
+        m_bodyDisjunction->terms.last().frameLocation = frameLocation;
     }
 
     void atomParenthesesOnceBegin(unsigned subpatternId, bool capture, unsigned inputPosition, unsigned frameLocation, unsigned alternativeFrameLocation)
     {
-        int beginTerm = m_bodyDisjunction->terms.size();
+        unsigned beginTerm = m_bodyDisjunction->terms.size();
 
         m_bodyDisjunction->terms.append(ByteTerm(ByteTerm::TypeParenthesesSubpatternOnceBegin, subpatternId, capture, false, inputPosition));
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = frameLocation;
+        m_bodyDisjunction->terms.last().frameLocation = frameLocation;
         m_bodyDisjunction->terms.append(ByteTerm::AlternativeBegin());
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = alternativeFrameLocation;
+        m_bodyDisjunction->terms.last().frameLocation = alternativeFrameLocation;
 
         m_parenthesesStack.append(ParenthesesStackEntry(beginTerm, m_currentAlternativeIndex));
         m_currentAlternativeIndex = beginTerm + 1;
@@ -1765,12 +1767,12 @@
 
     void atomParenthesesTerminalBegin(unsigned subpatternId, bool capture, unsigned inputPosition, unsigned frameLocation, unsigned alternativeFrameLocation)
     {
-        int beginTerm = m_bodyDisjunction->terms.size();
+        unsigned beginTerm = m_bodyDisjunction->terms.size();
 
         m_bodyDisjunction->terms.append(ByteTerm(ByteTerm::TypeParenthesesSubpatternTerminalBegin, subpatternId, capture, false, inputPosition));
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = frameLocation;
+        m_bodyDisjunction->terms.last().frameLocation = frameLocation;
         m_bodyDisjunction->terms.append(ByteTerm::AlternativeBegin());
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = alternativeFrameLocation;
+        m_bodyDisjunction->terms.last().frameLocation = alternativeFrameLocation;
 
         m_parenthesesStack.append(ParenthesesStackEntry(beginTerm, m_currentAlternativeIndex));
         m_currentAlternativeIndex = beginTerm + 1;
@@ -1782,12 +1784,12 @@
         // then fix this up at the end! - simplifying this should make it much clearer.
         // https://bugs.webkit.org/show_bug.cgi?id=50136
 
-        int beginTerm = m_bodyDisjunction->terms.size();
+        unsigned beginTerm = m_bodyDisjunction->terms.size();
 
         m_bodyDisjunction->terms.append(ByteTerm(ByteTerm::TypeParenthesesSubpatternOnceBegin, subpatternId, capture, false, inputPosition));
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = frameLocation;
+        m_bodyDisjunction->terms.last().frameLocation = frameLocation;
         m_bodyDisjunction->terms.append(ByteTerm::AlternativeBegin());
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = alternativeFrameLocation;
+        m_bodyDisjunction->terms.last().frameLocation = alternativeFrameLocation;
 
         m_parenthesesStack.append(ParenthesesStackEntry(beginTerm, m_currentAlternativeIndex));
         m_currentAlternativeIndex = beginTerm + 1;
@@ -1795,12 +1797,12 @@
 
     void atomParentheticalAssertionBegin(unsigned subpatternId, bool invert, unsigned frameLocation, unsigned alternativeFrameLocation)
     {
-        int beginTerm = m_bodyDisjunction->terms.size();
+        unsigned beginTerm = m_bodyDisjunction->terms.size();
 
         m_bodyDisjunction->terms.append(ByteTerm(ByteTerm::TypeParentheticalAssertionBegin, subpatternId, false, invert, 0));
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = frameLocation;
+        m_bodyDisjunction->terms.last().frameLocation = frameLocation;
         m_bodyDisjunction->terms.append(ByteTerm::AlternativeBegin());
-        m_bodyDisjunction->terms[m_bodyDisjunction->terms.size() - 1].frameLocation = alternativeFrameLocation;
+        m_bodyDisjunction->terms.last().frameLocation = alternativeFrameLocation;
 
         m_parenthesesStack.append(ParenthesesStackEntry(beginTerm, m_currentAlternativeIndex));
         m_currentAlternativeIndex = beginTerm + 1;
@@ -1836,10 +1838,9 @@
     unsigned popParenthesesStack()
     {
         ASSERT(m_parenthesesStack.size());
-        int stackEnd = m_parenthesesStack.size() - 1;
-        unsigned beginTerm = m_parenthesesStack[stackEnd].beginTerm;
-        m_currentAlternativeIndex = m_parenthesesStack[stackEnd].savedAlternativeIndex;
-        m_parenthesesStack.shrink(stackEnd);
+        unsigned beginTerm = m_parenthesesStack.last().beginTerm;
+        m_currentAlternativeIndex = m_parenthesesStack.last().savedAlternativeIndex;
+        m_parenthesesStack.removeLast();
 
         ASSERT(beginTerm < m_bodyDisjunction->terms.size());
         ASSERT(m_currentAlternativeIndex < m_bodyDisjunction->terms.size());
@@ -1847,11 +1848,11 @@
         return beginTerm;
     }
 
-    void closeAlternative(int beginTerm)
+    void closeAlternative(unsigned beginTerm)
     {
-        int origBeginTerm = beginTerm;
+        unsigned origBeginTerm = beginTerm;
         ASSERT(m_bodyDisjunction->terms[beginTerm].type == ByteTerm::TypeAlternativeBegin);
-        int endIndex = m_bodyDisjunction->terms.size();
+        unsigned endIndex = m_bodyDisjunction->terms.size();
 
         unsigned frameLocation = m_bodyDisjunction->terms[beginTerm].frameLocation;
 
@@ -1874,10 +1875,10 @@
 
     void closeBodyAlternative()
     {
-        int beginTerm = 0;
-        int origBeginTerm = 0;
+        unsigned beginTerm = 0;
+        unsigned origBeginTerm = 0;
         ASSERT(m_bodyDisjunction->terms[beginTerm].type == ByteTerm::TypeBodyAlternativeBegin);
-        int endIndex = m_bodyDisjunction->terms.size();
+        unsigned endIndex = m_bodyDisjunction->terms.size();
 
         unsigned frameLocation = m_bodyDisjunction->terms[beginTerm].frameLocation;
 
@@ -1992,7 +1993,7 @@
 
     void alternativeBodyDisjunction(bool onceThrough)
     {
-        int newAlternativeIndex = m_bodyDisjunction->terms.size();
+        unsigned newAlternativeIndex = m_bodyDisjunction->terms.size();
         m_bodyDisjunction->terms[m_currentAlternativeIndex].alternative.next = newAlternativeIndex - m_currentAlternativeIndex;
         m_bodyDisjunction->terms.append(ByteTerm::BodyAlternativeDisjunction(onceThrough));
 
@@ -2001,17 +2002,17 @@
 
     void alternativeDisjunction()
     {
-        int newAlternativeIndex = m_bodyDisjunction->terms.size();
+        unsigned newAlternativeIndex = m_bodyDisjunction->terms.size();
         m_bodyDisjunction->terms[m_currentAlternativeIndex].alternative.next = newAlternativeIndex - m_currentAlternativeIndex;
         m_bodyDisjunction->terms.append(ByteTerm::AlternativeDisjunction());
 
         m_currentAlternativeIndex = newAlternativeIndex;
     }
 
-    void emitDisjunction(PatternDisjunction* disjunction, unsigned inputCountAlreadyChecked = 0, unsigned parenthesesInputCountAlreadyChecked = 0)
+    Optional<ErrorCode> WARN_UNUSED_RETURN emitDisjunction(PatternDisjunction* disjunction, Checked<unsigned, RecordOverflow> inputCountAlreadyChecked, unsigned parenthesesInputCountAlreadyChecked)
     {
         for (unsigned alt = 0; alt < disjunction->m_alternatives.size(); ++alt) {
-            unsigned currentCountAlreadyChecked = inputCountAlreadyChecked;
+            auto currentCountAlreadyChecked = inputCountAlreadyChecked;
 
             PatternAlternative* alternative = disjunction->m_alternatives[alt].get();
 
@@ -2029,32 +2030,34 @@
             if (countToCheck) {
                 checkInput(countToCheck);
                 currentCountAlreadyChecked += countToCheck;
+                if (currentCountAlreadyChecked.hasOverflowed())
+                    return ErrorCode::OffsetTooLarge;
             }
 
             for (auto& term : alternative->m_terms) {
                 switch (term.type) {
                 case PatternTerm::TypeAssertionBOL:
-                    assertionBOL(currentCountAlreadyChecked - term.inputPosition);
+                    assertionBOL((currentCountAlreadyChecked - term.inputPosition).unsafeGet());
                     break;
 
                 case PatternTerm::TypeAssertionEOL:
-                    assertionEOL(currentCountAlreadyChecked - term.inputPosition);
+                    assertionEOL((currentCountAlreadyChecked - term.inputPosition).unsafeGet());
                     break;
 
                 case PatternTerm::TypeAssertionWordBoundary:
-                    assertionWordBoundary(term.invert(), currentCountAlreadyChecked - term.inputPosition);
+                    assertionWordBoundary(term.invert(), (currentCountAlreadyChecked - term.inputPosition).unsafeGet());
                     break;
 
                 case PatternTerm::TypePatternCharacter:
-                    atomPatternCharacter(term.patternCharacter, currentCountAlreadyChecked - term.inputPosition, term.frameLocation, term.quantityMaxCount, term.quantityType);
+                    atomPatternCharacter(term.patternCharacter, (currentCountAlreadyChecked - term.inputPosition).unsafeGet(), term.frameLocation, term.quantityMaxCount, term.quantityType);
                     break;
 
                 case PatternTerm::TypeCharacterClass:
-                    atomCharacterClass(term.characterClass, term.invert(), currentCountAlreadyChecked- term.inputPosition, term.frameLocation, term.quantityMaxCount, term.quantityType);
+                    atomCharacterClass(term.characterClass, term.invert(), (currentCountAlreadyChecked - term.inputPosition).unsafeGet(), term.frameLocation, term.quantityMaxCount, term.quantityType);
                     break;
 
                 case PatternTerm::TypeBackReference:
-                    atomBackReference(term.backReferenceSubpatternId, currentCountAlreadyChecked - term.inputPosition, term.frameLocation, term.quantityMaxCount, term.quantityType);
+                    atomBackReference(term.backReferenceSubpatternId, (currentCountAlreadyChecked - term.inputPosition).unsafeGet(), term.frameLocation, term.quantityMaxCount, term.quantityType);
                         break;
 
                 case PatternTerm::TypeForwardReference:
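Review bot: Every `(currentCountAlreadyChecked - term.inputPosition).unsafeGet()` in this hunk reads the difference without consulting its overflow record, so an underflow (`term.inputPosition` larger than the checked count) still yields a wrapped offset that is passed to the assertion and atom emitters. Only the `+=` above is followed by `hasOverflowed()`. The same pattern recurs in the next two hunks, where the `ASSERT(currentCountAlreadyChecked >= term.inputPosition)` lines that used to state the invariant are removed. Computing the difference once per term and rejecting it, `auto offset = currentCountAlreadyChecked - term.inputPosition;` followed by `if (offset.hasOverflowed()) return ErrorCode::OffsetTooLarge;`, would make the subtraction as strict as the addition. Whether the pattern parser already guarantees the ordering is not visible here, and the function begins and ends outside this hunk.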
@@ -2069,22 +2072,22 @@
                             disjunctionAlreadyCheckedCount = term.parentheses.disjunction->m_minimumSize;
                         else
                             alternativeFrameLocation += YarrStackSpaceForBackTrackInfoParenthesesOnce;
-                        ASSERT(currentCountAlreadyChecked >= term.inputPosition);
-                        unsigned delegateEndInputOffset = currentCountAlreadyChecked - term.inputPosition;
+                        unsigned delegateEndInputOffset = (currentCountAlreadyChecked - term.inputPosition).unsafeGet();
                         atomParenthesesOnceBegin(term.parentheses.subpatternId, term.capture(), disjunctionAlreadyCheckedCount + delegateEndInputOffset, term.frameLocation, alternativeFrameLocation);
-                        emitDisjunction(term.parentheses.disjunction, currentCountAlreadyChecked, disjunctionAlreadyCheckedCount);
+                        if (auto error = emitDisjunction(term.parentheses.disjunction, currentCountAlreadyChecked, disjunctionAlreadyCheckedCount))
+                            return error;
                         atomParenthesesOnceEnd(delegateEndInputOffset, term.frameLocation, term.quantityMinCount, term.quantityMaxCount, term.quantityType);
                     } else if (term.parentheses.isTerminal) {
-                        ASSERT(currentCountAlreadyChecked >= term.inputPosition);
-                        unsigned delegateEndInputOffset = currentCountAlreadyChecked - term.inputPosition;
+                        unsigned delegateEndInputOffset = (currentCountAlreadyChecked - term.inputPosition).unsafeGet();
                         atomParenthesesTerminalBegin(term.parentheses.subpatternId, term.capture(), disjunctionAlreadyCheckedCount + delegateEndInputOffset, term.frameLocation, term.frameLocation + YarrStackSpaceForBackTrackInfoParenthesesTerminal);
-                        emitDisjunction(term.parentheses.disjunction, currentCountAlreadyChecked, disjunctionAlreadyCheckedCount);
+                        if (auto error = emitDisjunction(term.parentheses.disjunction, currentCountAlreadyChecked, disjunctionAlreadyCheckedCount))
+                            return error;
                         atomParenthesesTerminalEnd(delegateEndInputOffset, term.frameLocation, term.quantityMinCount, term.quantityMaxCount, term.quantityType);
                     } else {
-                        ASSERT(currentCountAlreadyChecked >= term.inputPosition);
-                        unsigned delegateEndInputOffset = currentCountAlreadyChecked - term.inputPosition;
+                        unsigned delegateEndInputOffset = (currentCountAlreadyChecked - term.inputPosition).unsafeGet();
                         atomParenthesesSubpatternBegin(term.parentheses.subpatternId, term.capture(), disjunctionAlreadyCheckedCount + delegateEndInputOffset, term.frameLocation, 0);
-                        emitDisjunction(term.parentheses.disjunction, currentCountAlreadyChecked, 0);
+                        if (auto error = emitDisjunction(term.parentheses.disjunction, currentCountAlreadyChecked, 0))
+                            return error;
                         atomParenthesesSubpatternEnd(term.parentheses.lastSubpatternId, delegateEndInputOffset, term.frameLocation, term.quantityMinCount, term.quantityMaxCount, term.quantityType, term.parentheses.disjunction->m_callFrameSize);
                     }
                     break;
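Review bot: `disjunctionAlreadyCheckedCount + delegateEndInputOffset` is formed as a plain `unsigned` sum in all three branches, so the input position passed to the `atomParentheses*Begin` calls can wrap even though `currentCountAlreadyChecked` itself is now a `Checked` value. The declaration of `disjunctionAlreadyCheckedCount` is outside the hunk. If it is an ordinary `unsigned`, forming the sum as `Checked<unsigned, RecordOverflow>` and returning `ErrorCode::OffsetTooLarge` when `hasOverflowed()` is set would hold this offset to the same rule as the others.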
@@ -2092,22 +2095,25 @@
 
                 case PatternTerm::TypeParentheticalAssertion: {
                     unsigned alternativeFrameLocation = term.frameLocation + YarrStackSpaceForBackTrackInfoParentheticalAssertion;
-
-                    ASSERT(currentCountAlreadyChecked >= term.inputPosition);
-                    unsigned positiveInputOffset = currentCountAlreadyChecked - term.inputPosition;
+                    unsigned positiveInputOffset = (currentCountAlreadyChecked - term.inputPosition).unsafeGet();
                     unsigned uncheckAmount = 0;
                     if (positiveInputOffset > term.parentheses.disjunction->m_minimumSize) {
                         uncheckAmount = positiveInputOffset - term.parentheses.disjunction->m_minimumSize;
                         uncheckInput(uncheckAmount);
                         currentCountAlreadyChecked -= uncheckAmount;
+                        if (currentCountAlreadyChecked.hasOverflowed())
+                            return ErrorCode::OffsetTooLarge;
                     }
 
                     atomParentheticalAssertionBegin(term.parentheses.subpatternId, term.invert(), term.frameLocation, alternativeFrameLocation);
-                    emitDisjunction(term.parentheses.disjunction, currentCountAlreadyChecked, positiveInputOffset - uncheckAmount);
+                    if (auto error = emitDisjunction(term.parentheses.disjunction, currentCountAlreadyChecked, positiveInputOffset - uncheckAmount))
+                        return error;
                     atomParentheticalAssertionEnd(0, term.frameLocation, term.quantityMaxCount, term.quantityType);
                     if (uncheckAmount) {
                         checkInput(uncheckAmount);
                         currentCountAlreadyChecked += uncheckAmount;
+                        if (currentCountAlreadyChecked.hasOverflowed())
+                            return ErrorCode::OffsetTooLarge;
                     }
                     break;
                 }
@@ -2118,6 +2124,7 @@
                 }
             }
         }
+        return WTF::nullopt;
     }
 #ifndef NDEBUG
     void dumpDisjunction(ByteDisjunction* disjunction, unsigned nesting = 0)
@@ -2383,14 +2390,14 @@
 private:
     YarrPattern& m_pattern;
     std::unique_ptr<ByteDisjunction> m_bodyDisjunction;
-    unsigned m_currentAlternativeIndex;
+    unsigned m_currentAlternativeIndex { 0 };
     Vector<ParenthesesStackEntry> m_parenthesesStack;
     Vector<std::unique_ptr<ByteDisjunction>> m_allParenthesesInfo;
 };
 
-std::unique_ptr<BytecodePattern> byteCompile(YarrPattern& pattern, BumpPointerAllocator* allocator, ConcurrentJSLock* lock)
+std::unique_ptr<BytecodePattern> byteCompile(YarrPattern& pattern, BumpPointerAllocator* allocator, ErrorCode& errorCode, ConcurrentJSLock* lock)
 {
-    return ByteCompiler(pattern).compile(allocator, lock);
+    return ByteCompiler(pattern).compile(allocator, lock, errorCode);
 }
 
 unsigned interpret(BytecodePattern* bytecode, const String& input, unsigned start, unsigned* output)
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/yarr/YarrInterpreter.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/yarr/YarrInterpreter.h	Fri Jul 05 13:58:27 2019 +0530
@@ -26,6 +26,7 @@
 #pragma once
 
 #include "ConcurrentJSLock.h"
+#include "YarrErrorCode.h"
 #include "YarrPattern.h"
 
 namespace WTF {
@@ -388,7 +389,7 @@
     Vector<std::unique_ptr<CharacterClass>> m_userCharacterClasses;
 };
 
-JS_EXPORT_PRIVATE std::unique_ptr<BytecodePattern> byteCompile(YarrPattern&, BumpPointerAllocator*, ConcurrentJSLock* = nullptr);
+JS_EXPORT_PRIVATE std::unique_ptr<BytecodePattern> byteCompile(YarrPattern&, BumpPointerAllocator*, ErrorCode&, ConcurrentJSLock* = nullptr);
 JS_EXPORT_PRIVATE unsigned interpret(BytecodePattern*, const String& input, unsigned start, unsigned* output);
 unsigned interpret(BytecodePattern*, const LChar* input, unsigned length, unsigned start, unsigned* output);
 unsigned interpret(BytecodePattern*, const UChar* input, unsigned length, unsigned start, unsigned* output);
--- a/modules/javafx.web/src/main/native/Source/WTF/wtf/generic/MemoryFootprintGeneric.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WTF/wtf/generic/MemoryFootprintGeneric.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -26,11 +26,19 @@
 #include "config.h"
 #include <wtf/MemoryFootprint.h>
 
+#if !(defined(USE_SYSTEM_MALLOC) && USE_SYSTEM_MALLOC) && OS(LINUX)
+#include <bmalloc/bmalloc.h>
+#endif
+
 namespace WTF {
 
 size_t memoryFootprint()
 {
+#if !(defined(USE_SYSTEM_MALLOC) && USE_SYSTEM_MALLOC) && OS(LINUX)
+    return bmalloc::api::memoryFootprint();
+#else
     return 0;
+#endif
 }
 
 } // namespace WTF
--- a/modules/javafx.web/src/main/native/Source/WebCore/accessibility/AXObjectCache.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/accessibility/AXObjectCache.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -594,6 +594,8 @@
     if (!inCanvasSubtree && !isHidden && !insideMeterElement)
         return nullptr;
 
+    auto protectedNode = makeRef(*node);
+
     // Fallback content is only focusable as long as the canvas is displayed and visible.
     // Update the style before Element::isFocusable() gets called.
     if (inCanvasSubtree)
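Review bot: `makeRef(*node)` dereferences `node` with no null check in this hunk and no comment saying what the extra reference protects. If `node` can be null at this point (the earlier part of the function is outside the hunk), the guard has to come before this line. Otherwise a one-line comment is enough, for example `// The style update below may run code that drops the last reference; keep the node alive across it.`, with the wording confirmed against what the style update can actually trigger.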
--- a/modules/javafx.web/src/main/native/Source/WebCore/accessibility/AccessibilityObject.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/accessibility/AccessibilityObject.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -974,7 +974,7 @@
     if (document) {
         HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::Active | HitTestRequest::AccessibilityHitTest);
         HitTestResult hitTestResult(clickPoint());
-        document->renderView()->hitTest(request, hitTestResult);
+        document->hitTest(request, hitTestResult);
         if (auto* innerNode = hitTestResult.innerNode()) {
             if (auto* shadowHost = innerNode->shadowHost())
                 hitTestElement = shadowHost;
--- a/modules/javafx.web/src/main/native/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/accessibility/AccessibilityRenderObject.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1,5 +1,5 @@
 /*
-* Copyright (C) 2008 Apple Inc. All rights reserved.
+* Copyright (C) 2008-2019 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -1558,9 +1558,10 @@
         HTMLTextFormControlElement& textControl = downcast<RenderTextControl>(*m_renderer).textFormControlElement();
         textControl.setSelectionRange(range.start, range.start + range.length);
     } else {
-        ASSERT(node());
-        VisiblePosition start = visiblePositionForIndexUsingCharacterIterator(*node(), range.start);
-        VisiblePosition end = visiblePositionForIndexUsingCharacterIterator(*node(), range.start + range.length);
+        auto node = this->node();
+        ASSERT(node);
+        VisiblePosition start = visiblePositionForIndexUsingCharacterIterator(*node, range.start);
+        VisiblePosition end = visiblePositionForIndexUsingCharacterIterator(*node, range.start + range.length);
         m_renderer->frame().selection().setSelection(VisibleSelection(start, end), FrameSelection::defaultSetSelectionOptions(UserTriggered));
     }
 
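Review bot: `ASSERT(node)` is compiled out of release builds, so a null result from `node()` is still dereferenced by `*node` on the next line; the change only avoids calling `node()` several times. If a null node is reachable here, `if (!node) return;` in place of the assert would fail safely, provided nothing after the `else` block (outside the hunk) still has to run. Also, `auto node` presumably deduces a raw pointer, so it does not keep the node alive across the first `visiblePositionForIndexUsingCharacterIterator` call; writing `auto*` would make that explicit to the reader.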
@@ -2157,7 +2158,7 @@
         HitTestRequest request(HitTestRequest::ReadOnly |
                                HitTestRequest::Active);
         HitTestResult result(ourpoint);
-        renderView->hitTest(request, result);
+        renderView->document().hitTest(request, result);
         innerNode = result.innerNode();
         if (!innerNode)
             return VisiblePosition();
@@ -2363,6 +2364,9 @@
 
     m_renderer->document().updateLayout();
 
+    if (!m_renderer || !m_renderer->hasLayer())
+        return nullptr;
+
     RenderLayer* layer = downcast<RenderBox>(*m_renderer).layer();
 
     HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::Active | HitTestRequest::AccessibilityHitTest);
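Review bot: The added re-check has no comment explaining why `m_renderer` can be null on the line right after it was dereferenced for `updateLayout()`. A reader will otherwise take it for dead code, so something like `// updateLayout() can destroy the renderer or its layer; re-validate before the downcast.` should sit above the `if`. `hasLayer()` does not by itself establish that the renderer is a `RenderBox`, so the type check that the `downcast` relies on (presumably earlier in the function, outside the hunk) should be confirmed to still hold here.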
--- a/modules/javafx.web/src/main/native/Source/WebCore/css/CSSComputedStyleDeclaration.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/css/CSSComputedStyleDeclaration.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004 Zack Rusin <zack@kde.org>
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
  * Copyright (C) 2007 Alexey Proskuryakov <ap@webkit.org>
  * Copyright (C) 2007 Nicholas Shanks <webkit@nickshanks.com>
  * Copyright (C) 2011 Sencha, Inc. All rights reserved.
@@ -4214,7 +4214,7 @@
         case CSSPropertyKerning:
         case CSSPropertyTextAnchor:
         case CSSPropertyVectorEffect:
-            return svgPropertyValue(propertyID, DoNotUpdateLayout);
+            return svgPropertyValue(propertyID);
         case CSSPropertyCustom:
             ASSERT_NOT_REACHED();
             return nullptr;
--- a/modules/javafx.web/src/main/native/Source/WebCore/css/CSSComputedStyleDeclaration.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/css/CSSComputedStyleDeclaration.h	Fri Jul 05 13:58:27 2019 +0530
@@ -87,7 +87,7 @@
     // no pseudo-element.
     RenderElement* styledRenderer() const;
 
-    RefPtr<CSSValue> svgPropertyValue(CSSPropertyID, EUpdateLayout);
+    RefPtr<CSSValue> svgPropertyValue(CSSPropertyID);
     Ref<CSSValue> adjustSVGPaintForCurrentColor(SVGPaintType, const String& url, const Color&, const Color& currentColor) const;
     static Ref<CSSValue> valueForShadow(const ShadowData*, CSSPropertyID, const RenderStyle&, AdjustPixelValuesForComputedStyle = AdjustPixelValues);
     Ref<CSSPrimitiveValue> currentColorOrValidColor(const RenderStyle*, const Color&) const;
--- a/modules/javafx.web/src/main/native/Source/WebCore/css/RuleSet.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/css/RuleSet.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -144,6 +144,14 @@
 #endif
         if (component->match() == CSSSelector::PseudoElement && component->pseudoElementType() == CSSSelector::PseudoElementMarker)
             return PropertyWhitelistMarker;
+
+        if (const auto* selectorList = selector->selectorList()) {
+            for (const auto* subSelector = selectorList->first(); subSelector; subSelector = CSSSelectorList::next(subSelector)) {
+                auto whitelistType = determinePropertyWhitelistType(subSelector);
+                if (whitelistType != PropertyWhitelistNone)
+                    return whitelistType;
+            }
+        }
     }
     return PropertyWhitelistNone;
 }
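Review bot: The new block reads `selector->selectorList()`, while the checks above it test `component`, which suggests the enclosing loop (its header is outside the hunk) walks `component` along the chain that starts at `selector`. If so, the nested list of the head selector is re-walked on every iteration and a selector list attached to any later component is never inspected, so a `PseudoElementMarker` nested there would fall through to `PropertyWhitelistNone` and not get the restricted property set. `if (const auto* selectorList = component->selectorList()) {` looks like the intended line.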
--- a/modules/javafx.web/src/main/native/Source/WebCore/css/SVGCSSComputedStyleDeclaration.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/css/SVGCSSComputedStyleDeclaration.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1,6 +1,7 @@
 /*
     Copyright (C) 2007 Eric Seidel <eric@webkit.org>
     Copyright (C) 2007 Alexey Proskuryakov <ap@webkit.org>
+    Copyright (C) 2019 Apple Inc. All rights reserved.
 
     This library is free software; you can redistribute it and/or
     modify it under the terms of the GNU Library General Public
@@ -81,15 +82,11 @@
     return CSSPrimitiveValue::create(color);
 }
 
-RefPtr<CSSValue> ComputedStyleExtractor::svgPropertyValue(CSSPropertyID propertyID, EUpdateLayout updateLayout)
+RefPtr<CSSValue> ComputedStyleExtractor::svgPropertyValue(CSSPropertyID propertyID)
 {
     if (!m_element)
         return nullptr;
 
-    // Make sure our layout is up to date before we allow a query on these attributes.
-    if (updateLayout)
-        m_element->document().updateLayout();
-
     auto* style = m_element->computedStyle();
     if (!style)
         return nullptr;
--- a/modules/javafx.web/src/main/native/Source/WebCore/dom/Document.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/dom/Document.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -183,6 +183,7 @@
 #include "ScriptSourceCode.h"
 #include "ScriptState.h"
 #include "ScriptedAnimationController.h"
+#include "ScrollbarTheme.h"
 #include "ScrollingCoordinator.h"
 #include "SecurityOrigin.h"
 #include "SecurityOriginData.h"
@@ -339,6 +340,26 @@
 
 unsigned ScriptDisallowedScope::LayoutAssertionDisableScope::s_layoutAssertionDisableCount = 0;
 
+struct FrameFlatteningLayoutDisallower {
+    FrameFlatteningLayoutDisallower(FrameView& frameView)
+        : m_frameView(frameView)
+        , m_disallowLayout(frameView.effectiveFrameFlattening() != FrameFlattening::Disabled)
+    {
+        if (m_disallowLayout)
+            m_frameView.startDisallowingLayout();
+    }
+
+    ~FrameFlatteningLayoutDisallower()
+    {
+        if (m_disallowLayout)
+            m_frameView.endDisallowingLayout();
+    }
+
+private:
+    FrameView& m_frameView;
+    bool m_disallowLayout { false };
+};
+
 // DOM Level 2 says (letters added):
 //
 // a) Name start characters must have one of the categories Ll, Lu, Lo, Lt, Nl.
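Review bot: `FrameFlatteningLayoutDisallower` is copyable and its one-argument constructor is implicit, so an accidental copy would call `endDisallowingLayout()` twice for a single `startDisallowingLayout()`. Marking the constructor `explicit` and adding `FrameFlatteningLayoutDisallower(const FrameFlatteningLayoutDisallower&) = delete;` keeps the start/end calls paired. Because the guard stores a `FrameView&`, a one-line comment that the caller must keep the view alive for the guard's lifetime would also help.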
@@ -1821,7 +1842,7 @@
 
 void Document::scheduleStyleRecalc()
 {
-    ASSERT(!m_renderView || !m_renderView->inHitTesting());
+    ASSERT(!m_renderView || !inHitTesting());
 
     if (m_styleRecalcTimer.isActive() || pageCacheState() != NotInPageCache)
         return;
@@ -3798,7 +3819,7 @@
         return MouseEventWithHitTestResults(event, HitTestResult(LayoutPoint()));
 
     HitTestResult result(documentPoint);
-    renderView()->hitTest(request, result);
+    hitTest(request, result);
 
     if (!request.readOnly())
         updateHoverActiveState(request, result.targetElement());
@@ -4330,8 +4351,8 @@
             }
             if (focusWidget)
                 focusWidget->setFocus(true);
-            else
-                view()->setFocus(true);
+            else if (auto* frameView = view())
+                frameView->setFocus(true);
         }
     }
 
@@ -5583,6 +5604,11 @@
         if (transformSourceDocument() || !processingInstruction->sheet())
             return;
 
+        // If the Document has already been detached from the frame, or the frame is currently in the process of
+        // changing to a new document, don't attempt to create a new Document from the XSLT.
+        if (!frame() || frame()->documentIsBeingReplaced())
+            return;
+
         auto processor = XSLTProcessor::create();
         processor->setXSLStyleSheet(downcast<XSLStyleSheet>(processingInstruction->sheet()));
         String resultMIMEType;
@@ -6014,11 +6040,14 @@
     setSecurityOriginPolicy(ownerFrame->document()->securityOriginPolicy());
 }
 
-bool Document::shouldInheritContentSecurityPolicyFromOwner() const
+// FIXME: The current criterion is stricter than <https://www.w3.org/TR/CSP3/#security-inherit-csp> (Editor's Draft, 28 February 2019).
+bool Document::shouldInheritContentSecurityPolicy() const
 {
     ASSERT(m_frame);
     if (SecurityPolicy::shouldInheritSecurityOriginFromOwner(m_url))
         return true;
+    if (m_url.protocolIsData() || m_url.protocolIsBlob())
+        return true;
     if (!isPluginDocument())
         return false;
     if (m_frame->tree().parent())
@@ -6029,7 +6058,7 @@
     return openerFrame->document()->securityOrigin().canAccess(securityOrigin());
 }
 
-void Document::initContentSecurityPolicy()
+void Document::initContentSecurityPolicy(ContentSecurityPolicy* previousPolicy)
 {
     // 1. Inherit Upgrade Insecure Requests
     Frame* parentFrame = m_frame->tree().parent();
@@ -6037,19 +6066,27 @@
         contentSecurityPolicy()->copyUpgradeInsecureRequestStateFrom(*parentFrame->document()->contentSecurityPolicy());
 
     // 2. Inherit Content Security Policy (without copying Upgrade Insecure Requests state).
-    if (!shouldInheritContentSecurityPolicyFromOwner())
-        return;
+    if (!shouldInheritContentSecurityPolicy())
+        return;
+    ContentSecurityPolicy* ownerPolicy = nullptr;
+    if (previousPolicy && (m_url.protocolIsData() || m_url.protocolIsBlob()))
+        ownerPolicy = previousPolicy;
+    if (!ownerPolicy) {
     Frame* ownerFrame = parentFrame;
     if (!ownerFrame)
         ownerFrame = m_frame->loader().opener();
-    if (!ownerFrame)
-        return;
-    // FIXME: The CSP 3 spec. implies that only plugin documents delivered with a local scheme (e.g. blob, file, data)
-    // should inherit a policy.
+        if (ownerFrame)
+            ownerPolicy = ownerFrame->document()->contentSecurityPolicy();
+    }
+    if (!ownerPolicy)
+        return;
+    // FIXME: We are stricter than the CSP 3 spec. with regards to plugins: we prefer to inherit the full policy unless the plugin
+    // document is opened in a new window. The CSP 3 spec. implies that only plugin documents delivered with a local scheme (e.g. blob,
+    // file, data) should inherit a policy.
     if (isPluginDocument() && m_frame->loader().opener())
-        contentSecurityPolicy()->createPolicyForPluginDocumentFrom(*ownerFrame->document()->contentSecurityPolicy());
+        contentSecurityPolicy()->createPolicyForPluginDocumentFrom(*ownerPolicy);
     else
-        contentSecurityPolicy()->copyStateFrom(ownerFrame->document()->contentSecurityPolicy());
+        contentSecurityPolicy()->copyStateFrom(ownerPolicy);
 }
 
 bool Document::isContextThread() const
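Review bot: The three lines starting at `Frame* ownerFrame = parentFrame;` now sit inside the new `if (!ownerPolicy) {` block but keep their old indentation, which makes the choice of policy source easy to misread in code that decides which Content Security Policy a document inherits; re-indent them with the block. The scheme test `m_url.protocolIsData() || m_url.protocolIsBlob()` is spelled out both here and in `shouldInheritContentSecurityPolicy()`, so a small private helper would stop the two from drifting apart. `previousPolicy` is a raw pointer, and a comment such as `// previousPolicy is borrowed; the caller keeps the previous Document alive for this call.` would record the lifetime assumption. The function starts outside this hunk.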
@@ -8690,6 +8727,45 @@
     detachFromFrame();
 }
 
+bool Document::hitTest(const HitTestRequest& request, HitTestResult& result)
+{
+    return hitTest(request, result.hitTestLocation(), result);
+}
+
+bool Document::hitTest(const HitTestRequest& request, const HitTestLocation& location, HitTestResult& result)
+{
+    Ref<Document> protectedThis(*this);
+    updateLayout();
+    if (!renderView())
+        return false;
+
+#if !ASSERT_DISABLED
+    SetForScope<bool> hitTestRestorer { m_inHitTesting, true };
+#endif
+
+    auto& frameView = renderView()->frameView();
+    Ref<FrameView> protector(frameView);
+
+    FrameFlatteningLayoutDisallower disallower(frameView);
+
+    bool resultLayer = renderView()->layer()->hitTest(request, location, result);
+
+    // ScrollView scrollbars are not the same as RenderLayer scrollbars tested by RenderLayer::hitTestOverflowControls,
+    // so we need to test ScrollView scrollbars separately here. In case of using overlay scrollbars, the layer hit test
+    // will always work so we need to check the ScrollView scrollbars in that case too.
+    if (!resultLayer || ScrollbarTheme::theme().usesOverlayScrollbars()) {
+        // FIXME: Consider if this test should be done unconditionally.
+        if (request.allowsFrameScrollbars()) {
+            IntPoint windowPoint = frameView.contentsToWindow(location.roundedPoint());
+            if (auto* frameScrollbar = frameView.scrollbarAtPoint(windowPoint)) {
+                result.setScrollbar(frameScrollbar);
+                return true;
+            }
+        }
+    }
+    return resultLayer;
+}
+
 #if ENABLE(CSS_PAINTING_API)
 Worklet& Document::ensurePaintWorklet()
 {
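Review bot: Neither `Document::hitTest` overload has a comment saying that the call runs `updateLayout()` first and may therefore invalidate frame, view or renderer pointers the caller fetched beforehand. The function guards itself with `protectedThis` and the `FrameView` protector, but callers get no hint. A comment such as `// Updates layout first; callers must re-validate or ref-protect any view/renderer pointers held across this call.` would make the contract explicit. Separately, `renderView()->layer()` is dereferenced without a check; if a RenderView can exist without a layer at this point, guard it the way `renderView()` is guarded.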
--- a/modules/javafx.web/src/main/native/Source/WebCore/dom/Document.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/dom/Document.h	Fri Jul 05 13:58:27 2019 +0530
@@ -134,6 +134,7 @@
 class HTMLMediaElement;
 class HTMLPictureElement;
 class HTMLScriptElement;
+class HitTestLocation;
 class HitTestRequest;
 class HitTestResult;
 class ImageBitmapRenderingContext;
@@ -1131,7 +1132,7 @@
     HashSet<SVGUseElement*> const svgUseElements() const { return m_svgUseElements; }
 
     void initSecurityContext();
-    void initContentSecurityPolicy();
+    void initContentSecurityPolicy(ContentSecurityPolicy* previousPolicy);
 
     void updateURLForPushOrReplaceState(const URL&);
     void statePopped(Ref<SerializedScriptValue>&&);
@@ -1522,6 +1523,12 @@
 
     void frameWasDisconnectedFromOwner();
 
+    WEBCORE_EXPORT bool hitTest(const HitTestRequest&, HitTestResult&);
+    bool hitTest(const HitTestRequest&, const HitTestLocation&, HitTestResult&);
+#if !ASSERT_DISABLED
+    bool inHitTesting() const { return m_inHitTesting; }
+#endif
+
 protected:
     enum ConstructionFlags { Synthesized = 1, NonRenderedPlaceholder = 1 << 1 };
     Document(Frame*, const URL&, unsigned = DefaultDocumentClass, unsigned constructionFlags = 0);
@@ -1537,7 +1544,7 @@
     friend class IgnoreOpensDuringUnloadCountIncrementer;
     friend class IgnoreDestructiveWriteCountIncrementer;
 
-    bool shouldInheritContentSecurityPolicyFromOwner() const;
+    bool shouldInheritContentSecurityPolicy() const;
 
     void updateTitleElement(Element& changingTitleElement);
     void willDetachPage() final;
@@ -2019,6 +2026,9 @@
 
     bool m_areDeviceMotionAndOrientationUpdatesSuspended { false };
     bool m_userDidInteractWithPage { false };
+#if !ASSERT_DISABLED
+    bool m_inHitTesting { false };
+#endif
 
 #if ENABLE(TELEPHONE_NUMBER_DETECTION)
     bool m_isTelephoneNumberParsingAllowed { true };
--- a/modules/javafx.web/src/main/native/Source/WebCore/dom/TreeScope.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/dom/TreeScope.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -356,11 +356,9 @@
         return nullptr;
 
     HitTestResult result(absolutePoint.value());
-    documentScope().renderView()->hitTest(HitTestRequest(), result);
-
+    documentScope().hitTest(HitTestRequest(), result);
     if (localPoint)
         *localPoint = result.localPoint();
-
     return result.innerNode();
 }
 
@@ -403,7 +401,7 @@
         | HitTestRequest::CollectMultipleElements
         | HitTestRequest::IncludeAllElementsUnderPoint);
     HitTestResult result(absolutePoint.value());
-    documentScope().renderView()->hitTest(request, result);
+    documentScope().hitTest(request, result);
 
     Node* lastNode = nullptr;
     for (const auto& listBasedNode : result.listBasedTestResult()) {
--- a/modules/javafx.web/src/main/native/Source/WebCore/editing/Editing.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/editing/Editing.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1121,6 +1121,17 @@
     range->selectNodeContents(node);
     CharacterIterator it(range.get());
     it.advance(index - 1);
+
+    if (!it.atEnd() && it.text()[0] == '\n') {
+        // FIXME: workaround for collapsed range (where only start position is correct) emitted for some emitted newlines (see rdar://5192593)
+        auto range = it.range();
+        if (range->startPosition() == range->endPosition()) {
+            it.advance(1);
+            if (!it.atEnd())
+                return VisiblePosition(it.range()->startPosition());
+        }
+    }
+
     return { it.atEnd() ? range->endPosition() : it.range()->endPosition(), UPSTREAM };
 }
 
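Review bot: The inner `auto range = it.range();` shadows the outer `range` that was passed to `selectNodeContents(node)` and is read again in the final `return`, so the `range->` uses inside the new block refer to a different object than the ones around it. Renaming the inner variable removes the ambiguity, e.g. `auto iteratorRange = it.range();` followed by `if (iteratorRange->startPosition() == iteratorRange->endPosition()) {`. The enclosing function starts outside the hunk.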
--- a/modules/javafx.web/src/main/native/Source/WebCore/editing/FrameSelection.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/editing/FrameSelection.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1879,12 +1879,12 @@
     if (!isRange())
         return false;
 
-    RenderView* renderView = m_frame->contentRenderer();
-    if (!renderView)
+    auto* document = m_frame->document();
+    if (!document)
         return false;
 
     HitTestResult result(point);
-    renderView->hitTest(HitTestRequest(), result);
+    document->hitTest(HitTestRequest(), result);
     Node* innerNode = result.innerNode();
     if (!innerNode || !innerNode->renderer())
         return false;
--- a/modules/javafx.web/src/main/native/Source/WebCore/editing/TypingCommand.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/editing/TypingCommand.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2008, 2016 Apple Inc.  All rights reserved.
+ * Copyright (C) 2005-2019 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -551,6 +551,8 @@
 
     applyCommandToComposite(WTFMove(command), endingSelection());
 
+    Frame& frame = this->frame();
+    Ref<Frame> protector(frame);
     typingAddedToOpenCommand(InsertText);
 }
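Review bot: The added `Frame& frame = this->frame();` / `Ref<Frame> protector(frame);` pair has no comment explaining what `typingAddedToOpenCommand` can do that makes the frame need protecting. The same two lines are repeated in the three following hunks (`InsertLineBreak`, `InsertParagraphSeparator`, `InsertParagraphSeparatorInQuotedContent`). The local reference is not used otherwise, so `Ref<Frame> protector(frame());` with a comment like `// typingAddedToOpenCommand may run code that releases the frame; keep it alive.` would be shorter; the author should confirm the reason, since it is not visible here. Taking the protector once inside `typingAddedToOpenCommand` would avoid the four copies, if its body allows that.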
 
@@ -563,6 +565,9 @@
         return;
 
     applyCommandToComposite(InsertLineBreakCommand::create(document()));
+
+    Frame& frame = this->frame();
+    Ref<Frame> protector(frame);
     typingAddedToOpenCommand(InsertLineBreak);
 }
 
@@ -583,6 +588,9 @@
         return;
 
     applyCommandToComposite(InsertParagraphSeparatorCommand::create(document(), false, false, EditAction::TypingInsertParagraph));
+
+    Frame& frame = this->frame();
+    Ref<Frame> protector(frame);
     typingAddedToOpenCommand(InsertParagraphSeparator);
 }
 
@@ -607,6 +615,9 @@
     }
 
     applyCommandToComposite(BreakBlockquoteCommand::create(document()));
+
+    Frame& frame = this->frame();
+    Ref<Frame> protector(frame);
     typingAddedToOpenCommand(InsertParagraphSeparatorInQuotedContent);
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/editing/markup.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/editing/markup.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1114,12 +1114,16 @@
     string.replace("\r\n", "\n");
     string.replace('\r', '\n');
 
+    auto createHTMLBRElement = [&document]() {
+        auto element = HTMLBRElement::create(document);
+        element->setAttributeWithoutSynchronization(classAttr, AppleInterchangeNewline);
+        return element;
+    };
+
     if (contextPreservesNewline(context)) {
         fragment->appendChild(document.createTextNode(string));
         if (string.endsWith('\n')) {
-            auto element = HTMLBRElement::create(document);
-            element->setAttributeWithoutSynchronization(classAttr, AppleInterchangeNewline);
-            fragment->appendChild(element);
+            fragment->appendChild(createHTMLBRElement());
         }
         return fragment;
     }
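Review bot: The lambda name `createHTMLBRElement` reads like a plain `<br>` factory, but it also sets `classAttr` to `AppleInterchangeNewline`. A later hunk in this file still calls `HTMLBRElement::create(document)` directly for the ordinary line-break case, so the two are easy to confuse. A name that carries the distinction, e.g. `createInterchangeNewline`, would prevent the special element from being used where a plain one is meant.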
@@ -1130,6 +1134,12 @@
         return fragment;
     }
 
+    if (string.length() == 1 && string[0] == '\n') {
+        // This is a single newline char, thus just create one HTMLBRElement.
+        fragment->appendChild(createHTMLBRElement());
+        return fragment;
+    }
+
     // Break string into paragraphs. Extra line breaks turn into empty paragraphs.
     Node* blockNode = enclosingBlock(context.firstNode());
     Element* block = downcast<Element>(blockNode);
@@ -1148,8 +1158,7 @@
         RefPtr<Element> element;
         if (s.isEmpty() && i + 1 == numLines) {
             // For last line, use the "magic BR" rather than a P.
-            element = HTMLBRElement::create(document);
-            element->setAttributeWithoutSynchronization(classAttr, AppleInterchangeNewline);
+            element = createHTMLBRElement();
         } else if (useLineBreak) {
             element = HTMLBRElement::create(document);
             fillContainerFromString(fragment, s);
--- a/modules/javafx.web/src/main/native/Source/WebCore/editing/markup.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/editing/markup.h	Fri Jul 05 13:58:27 2019 +0530
@@ -26,6 +26,7 @@
 #pragma once
 
 #include "ExceptionOr.h"
+#include "FloatSize.h"
 #include "FragmentScriptingPermission.h"
 #include "HTMLInterchange.h"
 #include <wtf/Forward.h>
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLLabelElement.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLLabelElement.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -2,7 +2,7 @@
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
  *           (C) 2006 Alexey Proskuryakov (ap@nypop.com)
  *
  * This library is free software; you can redistribute it and/or
@@ -149,6 +149,7 @@
 
 void HTMLLabelElement::focus(bool restorePreviousSelection, FocusDirection direction)
 {
+    Ref<HTMLLabelElement> protectedThis(*this);
     if (document().haveStylesheetsLoaded()) {
         document().updateLayout();
         if (isFocusable()) {
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLPlugInElement.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLPlugInElement.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -464,27 +464,27 @@
     HitTestLocation location = LayoutPoint(x + width / 2, y + height / 2);
     ASSERT(!renderView->needsLayout());
     ASSERT(!renderView->document().needsStyleRecalc());
-    bool hit = renderView->hitTest(request, location, result);
+    bool hit = topDocument->hitTest(request, location, result);
     if (!hit || result.innerNode() != &pluginRenderer.frameOwnerElement())
         return true;
 
     location = LayoutPoint(x, y);
-    hit = renderView->hitTest(request, location, result);
+    hit = topDocument->hitTest(request, location, result);
     if (!hit || result.innerNode() != &pluginRenderer.frameOwnerElement())
         return true;
 
     location = LayoutPoint(x + width, y);
-    hit = renderView->hitTest(request, location, result);
+    hit = topDocument->hitTest(request, location, result);
     if (!hit || result.innerNode() != &pluginRenderer.frameOwnerElement())
         return true;
 
     location = LayoutPoint(x + width, y + height);
-    hit = renderView->hitTest(request, location, result);
+    hit = topDocument->hitTest(request, location, result);
     if (!hit || result.innerNode() != &pluginRenderer.frameOwnerElement())
         return true;
 
     location = LayoutPoint(x, y + height);
-    hit = renderView->hitTest(request, location, result);
+    hit = topDocument->hitTest(request, location, result);
     if (!hit || result.innerNode() != &pluginRenderer.frameOwnerElement())
         return true;
     return false;
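Review bot: The five probe blocks differ only in the point tested, and each repeats the same `topDocument->hitTest(...)` call and owner-element comparison; a loop over the five points would keep the check in one place. The asserts above still inspect `renderView` although the test now goes through `topDocument`, which is worth a second look. The function starts outside the hunk, so the declarations of `x`, `y`, `width`, `height`, `request` and `result` are assumed unchanged.

```cpp
    // … unchanged: asserts on renderView …
    const LayoutPoint probePoints[] = {
        LayoutPoint(x + width / 2, y + height / 2),
        LayoutPoint(x, y),
        LayoutPoint(x + width, y),
        LayoutPoint(x + width, y + height),
        LayoutPoint(x, y + height),
    };
    for (const auto& probePoint : probePoints) {
        HitTestLocation location = probePoint;
        if (!topDocument->hitTest(request, location, result) || result.innerNode() != &pluginRenderer.frameOwnerElement())
            return true;
    }
    return false;
```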
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLTextAreaElement.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLTextAreaElement.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -2,7 +2,7 @@
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
  *           (C) 2006 Alexey Proskuryakov (ap@nypop.com)
  * Copyright (C) 2007 Samuel Weinig (sam@webkit.org)
  *
@@ -223,6 +223,7 @@
     if (name().isEmpty())
         return false;
 
+    Ref<HTMLTextAreaElement> protectedThis(*this);
     document().updateLayout();
 
     formData.append(name(), m_wrap == HardWrap ? valueWithHardLineBreaks() : value());
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/ImageDocument.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/ImageDocument.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2008, 2010, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -398,6 +398,9 @@
 
         updateLayout();
 
+        if (!view())
+            return;
+
         float scale = this->scale();
 
         IntSize viewportSize = view()->visibleSize();
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/MediaElementSession.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/MediaElementSession.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -854,8 +854,6 @@
     if (!shouldHitTestMainFrame)
         return true;
 
-    RenderView& mainRenderView = *mainFrame.view()->renderView();
-
     // Hit test the area of the main frame where the element appears, to determine if the element is being obscured.
     IntRect rectRelativeToView = element.clientRect();
     ScrollPosition scrollPosition = mainFrame.view()->documentScrollPositionRelativeToViewOrigin();
@@ -864,7 +862,9 @@
     HitTestResult result(rectRelativeToTopDocument.center());
 
     // Elements which are obscured by other elements cannot be main content.
-    mainRenderView.hitTest(request, result);
+    if (!mainFrame.document())
+        return false;
+    mainFrame.document()->hitTest(request, result);
     result.setToNonUserAgentShadowAncestor();
     RefPtr<Element> hitElement = result.targetElement();
     if (hitElement != &element)
--- a/modules/javafx.web/src/main/native/Source/WebCore/loader/DocumentWriter.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/loader/DocumentWriter.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -142,13 +142,11 @@
     else
         document->createDOMWindow();
 
-    // Per <http://www.w3.org/TR/upgrade-insecure-requests/>, we need to retain an ongoing set of upgraded
-    // requests in new navigation contexts. Although this information is present when we construct the
-    // Document object, it is discard in the subsequent 'clear' statements below. So, we must capture it
-    // so we can restore it.
-    HashSet<SecurityOriginData> insecureNavigationRequestsToUpgrade;
-    if (auto* existingDocument = m_frame->document())
-        insecureNavigationRequestsToUpgrade = existingDocument->contentSecurityPolicy()->takeNavigationRequestsToUpgrade();
+    // Temporarily extend the lifetime of the existing document so that FrameLoader::clear() doesn't destroy it as
+    // we need to retain its ongoing set of upgraded requests in new navigation contexts per <http://www.w3.org/TR/upgrade-insecure-requests/>
+    // and we may also need to inherit its Content Security Policy in FrameLoader::didBeginDocument().
+    RefPtr<Document> existingDocument = m_frame->document();
+    auto* previousContentSecurityPolicy = existingDocument ? existingDocument->contentSecurityPolicy() : nullptr;
 
     m_frame->loader().clear(document.ptr(), !shouldReuseDefaultView, !shouldReuseDefaultView);
     clear();
@@ -164,7 +162,8 @@
     m_frame->loader().setOutgoingReferrer(url);
     m_frame->setDocument(document.copyRef());
 
-    document->contentSecurityPolicy()->setInsecureNavigationRequestsToUpgrade(WTFMove(insecureNavigationRequestsToUpgrade));
+    if (previousContentSecurityPolicy)
+        document->contentSecurityPolicy()->setInsecureNavigationRequestsToUpgrade(previousContentSecurityPolicy->takeNavigationRequestsToUpgrade());
 
     if (m_decoder)
         document->setDecoder(m_decoder.get());
@@ -174,7 +173,7 @@
         document->setStrictMixedContentMode(ownerDocument->isStrictMixedContentMode());
     }
 
-    m_frame->loader().didBeginDocument(dispatch);
+    m_frame->loader().didBeginDocument(dispatch, previousContentSecurityPolicy);
 
     document->implicitOpen();
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/loader/FrameLoader.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/loader/FrameLoader.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -717,7 +717,7 @@
     m_outgoingReferrer = url.strippedForUseAsReferrer();
 }
 
-void FrameLoader::didBeginDocument(bool dispatch)
+void FrameLoader::didBeginDocument(bool dispatch, ContentSecurityPolicy* previousPolicy)
 {
     m_needsClear = true;
     m_isComplete = false;
@@ -733,7 +733,7 @@
         dispatchDidClearWindowObjectsInAllWorlds();
 
     updateFirstPartyForCookies();
-    m_frame.document()->initContentSecurityPolicy();
+    m_frame.document()->initContentSecurityPolicy(previousPolicy);
 
     const Settings& settings = m_frame.settings();
     m_frame.document()->cachedResourceLoader().setImagesEnabled(settings.areImagesEnabled());
@@ -3691,6 +3691,8 @@
 {
     RELEASE_LOG_IF_ALLOWED("loadDifferentDocumentItem: frame load started (frame = %p, main = %d)", &m_frame, m_frame.isMainFrame());
 
+    Ref<Frame> protectedFrame(m_frame);
+
     // History items should not be reported to the parent.
     m_shouldReportResourceTimingToParentFrame = false;
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/loader/FrameLoader.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/loader/FrameLoader.h	Fri Jul 05 13:58:27 2019 +0530
@@ -230,7 +230,7 @@
     void didExplicitOpen();
 
     // Callbacks from DocumentWriter
-    void didBeginDocument(bool dispatchWindowObjectAvailable);
+    void didBeginDocument(bool dispatchWindowObjectAvailable, ContentSecurityPolicy* previousPolicy);
 
     void receivedFirstData();
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/DOMWindow.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/DOMWindow.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1237,14 +1237,17 @@
 
 int DOMWindow::innerHeight() const
 {
+    if (!frame())
+        return 0;
+
+    // Force enough layout in the parent document to ensure that the FrameView has been resized.
+    if (auto* frameElement = this->frameElement())
+        frameElement->document().updateLayoutIfDimensionsOutOfDate(*frameElement, HeightDimensionsCheck);
+
     auto* frame = this->frame();
     if (!frame)
         return 0;
 
-    // Force enough layout in the parent document to ensure that the FrameView has been resized.
-    if (auto* frameElement = this->frameElement())
-        frameElement->document().updateLayoutIfDimensionsOutOfDate(*frameElement, HeightDimensionsCheck);
-
     FrameView* view = frame->view();
     if (!view)
         return 0;
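Review bot: `frame()` is now checked twice in `innerHeight()`, before and after `updateLayoutIfDimensionsOutOfDate`, but nothing says why, so the second check looks redundant and risks being removed in a later cleanup. A comment above `auto* frame = this->frame();` such as `// Layout may have detached the frame; fetch it again.` would match the `// Layout may have affected the current frame:` comment this commit adds to `scrollX()` and `scrollY()`. The same applies to the `innerWidth()` hunk that follows.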
@@ -1254,14 +1257,17 @@
 
 int DOMWindow::innerWidth() const
 {
+    if (!frame())
+        return 0;
+
+    // Force enough layout in the parent document to ensure that the FrameView has been resized.
+    if (auto* frameElement = this->frameElement())
+        frameElement->document().updateLayoutIfDimensionsOutOfDate(*frameElement, WidthDimensionsCheck);
+
     auto* frame = this->frame();
     if (!frame)
         return 0;
 
-    // Force enough layout in the parent document to ensure that the FrameView has been resized.
-    if (auto* frameElement = this->frameElement())
-        frameElement->document().updateLayoutIfDimensionsOutOfDate(*frameElement, WidthDimensionsCheck);
-
     FrameView* view = frame->view();
     if (!view)
         return 0;
@@ -1311,7 +1317,16 @@
 
     frame->document()->updateLayoutIgnorePendingStylesheets();
 
-    return view->mapFromLayoutToCSSUnits(view->contentsScrollPosition().x());
+    // Layout may have affected the current frame:
+    auto* frameAfterLayout = this->frame();
+    if (!frameAfterLayout)
+        return 0;
+
+    FrameView* viewAfterLayout = frameAfterLayout->view();
+    if (!viewAfterLayout)
+        return 0;
+
+    return viewAfterLayout->mapFromLayoutToCSSUnits(viewAfterLayout->contentsScrollPosition().x());
 }
 
 int DOMWindow::scrollY() const
@@ -1330,7 +1345,16 @@
 
     frame->document()->updateLayoutIgnorePendingStylesheets();
 
-    return view->mapFromLayoutToCSSUnits(view->contentsScrollPosition().y());
+    // Layout may have affected the current frame:
+    auto* frameAfterLayout = this->frame();
+    if (!frameAfterLayout)
+        return 0;
+
+    FrameView* viewAfterLayout = frameAfterLayout->view();
+    if (!viewAfterLayout)
+        return 0;
+
+    return viewAfterLayout->mapFromLayoutToCSSUnits(viewAfterLayout->contentsScrollPosition().y());
 }
 
 bool DOMWindow::closed() const
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/DragController.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/DragController.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -366,7 +366,7 @@
     LayoutPoint point(p.x() * zoomFactor, p.y() * zoomFactor);
 
     HitTestResult result(point);
-    documentUnderMouse->renderView()->hitTest(HitTestRequest(), result);
+    documentUnderMouse->hitTest(HitTestRequest(), result);
 
     auto* node = result.innerNode();
     if (!node)
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/EventHandler.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/EventHandler.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -884,7 +884,7 @@
 
     if (m_selectionInitiationState != ExtendedSelection) {
         HitTestResult result(m_mouseDownPos);
-        m_frame.document()->renderView()->hitTest(HitTestRequest(), result);
+        m_frame.document()->hitTest(HitTestRequest(), result);
 
         updateSelectionForMouseDrag(result);
     }
@@ -897,8 +897,8 @@
     // This is a pre-flight check of whether the event might lead to a drag being started.  Be careful
     // that its logic needs to stay in sync with handleMouseMoveEvent() and the way we setMouseDownMayStartDrag
     // in handleMousePressEvent
-    RenderView* renderView = m_frame.contentRenderer();
-    if (!renderView)
+    auto* document = m_frame.document();
+    if (!document)
         return false;
 
     if (event.button() != LeftButton || event.clickCount() != 1)
@@ -917,7 +917,7 @@
     updateDragSourceActionsAllowed();
     HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::DisallowUserAgentShadowContent);
     HitTestResult result(view->windowToContents(event.position()));
-    renderView->hitTest(request, result);
+    document->hitTest(request, result);
     DragState state;
     Element* targetElement = result.targetElement();
     return targetElement && page->dragController().draggableElement(&m_frame, targetElement, result.roundedPointInInnerNodeFrame(), state);
@@ -928,13 +928,13 @@
     FrameView* view = m_frame.view();
     if (!view)
         return;
-    RenderView* renderView = m_frame.contentRenderer();
-    if (!renderView)
+    auto* document = m_frame.document();
+    if (!document)
         return;
 
     HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::Active | HitTestRequest::Move | HitTestRequest::DisallowUserAgentShadowContent);
     HitTestResult result(view->windowToContents(m_lastKnownMousePosition));
-    renderView->hitTest(request, result);
+    document->hitTest(request, result);
     updateSelectionForMouseDrag(result);
 }
 
@@ -1176,13 +1176,13 @@
         frameView->updateLayoutAndStyleIfNeededRecursive();
 
     HitTestResult result(point, nonNegativePaddingHeight, nonNegativePaddingWidth, nonNegativePaddingHeight, nonNegativePaddingWidth);
-    RenderView* renderView = m_frame.contentRenderer();
-    if (!renderView)
+    auto* document = m_frame.document();
+    if (!document)
         return result;
 
     // hitTestResultAtPoint is specifically used to hitTest into all frames, thus it always allows child frame content.
     HitTestRequest request(hitType | HitTestRequest::AllowChildFrameContent);
-    renderView->hitTest(request, result);
+    document->hitTest(request, result);
     if (!request.readOnly())
         m_frame.document()->updateHoverActiveState(request, result.targetElement());
 
@@ -1378,8 +1378,8 @@
     if (!view)
         return;
 
-    RenderView* renderView = view->renderView();
-    if (!renderView)
+    auto* document = m_frame.document();
+    if (!document)
         return;
 
     if (!view->shouldSetCursor())
@@ -1393,7 +1393,7 @@
 
     HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::AllowFrameScrollbars);
     HitTestResult result(view->windowToContents(m_lastKnownMousePosition));
-    renderView->hitTest(request, result);
+    document->hitTest(request, result);
 
     updateCursor(*view, result, shiftKey);
 }
@@ -2642,10 +2642,10 @@
 
 bool EventHandler::isInsideScrollbar(const IntPoint& windowPoint) const
 {
-    if (RenderView* renderView = m_frame.contentRenderer()) {
+    if (auto* document = m_frame.document()) {
         HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::DisallowUserAgentShadowContent);
         HitTestResult result(windowPoint);
-        renderView->hitTest(request, result);
+        document->hitTest(request, result);
         return result.scrollbar();
     }
 
@@ -2761,8 +2761,8 @@
 
 bool EventHandler::handleWheelEvent(const PlatformWheelEvent& event)
 {
-    RenderView* renderView = m_frame.contentRenderer();
-    if (!renderView)
+    auto* document = m_frame.document();
+    if (!document)
         return false;
 
     Ref<Frame> protectedFrame(m_frame);
@@ -2784,7 +2784,7 @@
 
     HitTestRequest request;
     HitTestResult result(view->windowToContents(event.position()));
-    renderView->hitTest(request, result);
+    document->hitTest(request, result);
 
     RefPtr<Element> element = result.targetElement();
     RefPtr<ContainerNode> scrollableContainer;
@@ -3096,12 +3096,12 @@
 
     Ref<Frame> protectedFrame(m_frame);
 
-    if (RenderView* renderView = m_frame.contentRenderer()) {
+    if (auto* document = m_frame.document()) {
         if (FrameView* view = m_frame.view()) {
             HitTestRequest request(HitTestRequest::Move | HitTestRequest::DisallowUserAgentShadowContent);
             HitTestResult result(view->windowToContents(m_lastKnownMousePosition));
-            renderView->hitTest(request, result);
-            m_frame.document()->updateHoverActiveState(request, result.targetElement());
+            document->hitTest(request, result);
+            document->updateHoverActiveState(request, result.targetElement());
         }
     }
 }
@@ -3660,7 +3660,7 @@
         // try to find an element that wants to be dragged
         HitTestRequest request(HitTestRequest::ReadOnly | HitTestRequest::DisallowUserAgentShadowContent);
         HitTestResult result(m_mouseDownPos);
-        m_frame.contentRenderer()->hitTest(request, result);
+        m_frame.document()->hitTest(request, result);
         if (m_frame.page())
             dragState().source = m_frame.page()->dragController().draggableElement(&m_frame, result.targetElement(), m_mouseDownPos, dragState());
 
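Review bot: `m_frame.document()` is dereferenced with no null check on the changed line, whereas the other call sites converted in this file take `auto* document = m_frame.document()` and bail out when it is null. The hunk at `@@ -4035,7 +4035,7 @@` has the same shape with `frame->document()->hitTest(...)`. Both enclosing functions start outside their hunks, so an earlier guard may already cover this. If not, `if (auto* document = m_frame.document()) document->hitTest(request, result);` would match the rest of the change.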
@@ -4035,7 +4035,7 @@
         if (!rect.contains(roundedIntPoint(point)))
             return result;
     }
-    frame->contentRenderer()->hitTest(HitTestRequest(hitType), result);
+    frame->document()->hitTest(HitTestRequest(hitType), result);
     return result;
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/FrameView.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/FrameView.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -3,7 +3,7 @@
  *                     1999 Lars Knoll <knoll@kde.org>
  *                     1999 Antti Koivisto <koivisto@kde.org>
  *                     2000 Dirk Mueller <mueller@kde.org>
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
  *           (C) 2006 Graham Dennis (graham.dennis@gmail.com)
  *           (C) 2006 Alexey Proskuryakov (ap@nypop.com)
  * Copyright (C) 2009 Google Inc. All rights reserved.
@@ -3512,6 +3512,7 @@
         setHorizontalScrollbarLock(false);
         setScrollbarModes(horizonalScrollbarMode, verticalScrollbarMode, true, true);
     }
+    Ref<FrameView> protectedThis(*this);
     // All the resizing above may have invalidated style (for example if viewport units are being used).
     document->updateStyleIfNeeded();
     // FIXME: Use the final layout's result as the content size (webkit.org/b/173561).
@@ -4889,8 +4890,11 @@
 
 String FrameView::trackedRepaintRectsAsText() const
 {
-    if (frame().document())
-        frame().document()->updateLayout();
+    Frame& frame = this->frame();
+    Ref<Frame> protector(frame);
+
+    if (auto* document = frame.document())
+        document->updateLayout();
 
     TextStream ts;
     if (!m_trackedRepaintRects.isEmpty()) {
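Review bot: Only the `Frame` is kept alive across `updateLayout()`, yet the function goes on to read `m_trackedRepaintRects`, which is a member of this `FrameView`. Whether holding the frame also guarantees the view survives layout is not visible in this hunk. The `@@ -3512,6 +3512,7 @@` hunk above protects the view itself with `Ref<FrameView> protectedThis(*this);`. Either a protector on the view or a one-line comment stating that the frame keeps its view alive here would settle it. The local is also named `protector`, where the PrintContext hunks use `protectedFrame`.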
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/FrameViewLayoutContext.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/FrameViewLayoutContext.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -321,7 +321,7 @@
     }
 
     if (auto* renderView = this->renderView()) {
-        ASSERT(!renderView->inHitTesting());
+        ASSERT(!frame().document()->inHitTesting());
         renderView->setNeedsLayout();
         scheduleLayout();
     }
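Review bot: The new assertion reaches the document through `frame().document()`, a pointer that is dereferenced unchecked, although a non-null `renderView` is already in hand on the line above. `RenderView` is constructed from a `Document&`, so `ASSERT(!renderView->document().inHitTesting());` would express the same check without the nullable hop. This affects debug builds only, but it keeps the assertion from becoming the crash site when the frame has no document.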
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/PrintContext.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/PrintContext.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2007 Alp Toker <alp@atoker.com>
- * Copyright (C) 2007, 2016 Apple Inc.
+ * Copyright (C) 2007-2019 Apple Inc.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -316,6 +316,8 @@
     ASSERT(frame);
     ASSERT(frame->document());
 
+    Ref<Frame> protectedFrame(*frame);
+
     auto& document = *frame->document();
     PrintContext printContext(frame);
     printContext.begin(800); // Any width is OK here.
@@ -371,6 +373,8 @@
 
 int PrintContext::numberOfPages(Frame& frame, const FloatSize& pageSizeInPixels)
 {
+    Ref<Frame> protectedFrame(frame);
+
     PrintContext printContext(&frame);
     if (!printContext.beginAndComputePageRectsWithPageSize(frame, pageSizeInPixels))
         return -1;
@@ -380,6 +384,8 @@
 
 void PrintContext::spoolAllPagesWithBoundaries(Frame& frame, GraphicsContext& graphicsContext, const FloatSize& pageSizeInPixels)
 {
+    Ref<Frame> protectedFrame(frame);
+
     PrintContext printContext(&frame);
     if (!printContext.beginAndComputePageRectsWithPageSize(frame, pageSizeInPixels))
         return;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/nicosia/NicosiaAnimatedBackingStoreClient.h	Fri Jul 05 13:58:27 2019 +0530
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2019 Metrological Group B.V.
+ * Copyright (C) 2019 Igalia S.L.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ *    copyright notice, this list of conditions and the following
+ *    disclaimer in the documentation and/or other materials provided
+ *    with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#if USE(COORDINATED_GRAPHICS)
+
+#include <wtf/ThreadSafeRefCounted.h>
+
+namespace WebCore {
+class TransformationMatrix;
+}
+
+namespace Nicosia {
+
+class AnimatedBackingStoreClient : public ThreadSafeRefCounted<AnimatedBackingStoreClient> {
+public:
+    enum class Type {
+        Coordinated
+    };
+
+    explicit AnimatedBackingStoreClient(Type type)
+        : m_type(type)
+    {
+    }
+
+    Type type() const { return m_type; }
+    virtual ~AnimatedBackingStoreClient() = default;
+    virtual void requestBackingStoreUpdateIfNeeded(const WebCore::TransformationMatrix&) = 0;
+
+private:
+    Type m_type;
+};
+
+} // namespace Nicosia
+
+#define SPECIALIZE_TYPE_TRAITS_ANIMATEDBACKINGSTORECLIENT(ToValueTypeName, predicate) \
+SPECIALIZE_TYPE_TRAITS_BEGIN(ToValueTypeName) \
+    static bool isType(const Nicosia::AnimatedBackingStoreClient& client) { return client.predicate; } \
+SPECIALIZE_TYPE_TRAITS_END()
+
+#endif // USE(COORDINATED_GRAPHICS)
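Review bot: `requestBackingStoreUpdateIfNeeded` has no comment saying which thread calls it, and the one implementation added in this commit (in CoordinatedGraphicsLayer.cpp) asserts `!isMainThread()`. I would add above the pure virtual: `// Called off the main thread; implementations must not touch main-thread-only state directly.` The macro at the end of the header expands `SPECIALIZE_TYPE_TRAITS_BEGIN`/`SPECIALIZE_TYPE_TRAITS_END`, but only `<wtf/ThreadSafeRefCounted.h>` is included. Adding `#include <wtf/TypeCasts.h>` would make the header self-contained.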
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.h	Fri Jul 05 13:58:27 2019 +0530
@@ -34,6 +34,7 @@
 #include "FloatPoint3D.h"
 #include "FloatRect.h"
 #include "FloatSize.h"
+#include "NicosiaAnimatedBackingStoreClient.h"
 #include "TextureMapperAnimation.h"
 #include "TransformationMatrix.h"
 #include <wtf/Function.h>
@@ -110,6 +111,7 @@
                     bool contentLayerChanged : 1;
                     bool backingStoreChanged : 1;
                     bool imageBackingChanged : 1;
+                    bool animatedBackingStoreClientChanged : 1;
                     bool repaintCounterChanged : 1;
                     bool debugBorderChanged : 1;
                 };
@@ -162,6 +164,7 @@
         RefPtr<ContentLayer> contentLayer;
         RefPtr<BackingStore> backingStore;
         RefPtr<ImageBacking> imageBacking;
+        RefPtr<AnimatedBackingStoreClient> animatedBackingStoreClient;
 
         struct RepaintCounter {
             unsigned count { 0 };
@@ -240,6 +243,8 @@
             staging.contentLayer = pending.contentLayer;
         if (pending.delta.imageBackingChanged)
             staging.imageBacking = pending.imageBacking;
+        if (pending.delta.animatedBackingStoreClientChanged)
+            staging.animatedBackingStoreClient = pending.animatedBackingStoreClient;
 
         pending.delta = { };
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/opengl/Extensions3DOpenGLES.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/opengl/Extensions3DOpenGLES.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -167,9 +167,6 @@
 
 void Extensions3DOpenGLES::bindVertexArrayOES(Platform3DObject array)
 {
-    if (!array)
-        return;
-
     m_context->makeContextCurrent();
     if (m_glBindVertexArrayOES)
         m_glBindVertexArrayOES(array);
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperAnimation.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperAnimation.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -239,6 +239,19 @@
     }
 }
 
+void TextureMapperAnimation::applyKeepingInternalState(ApplicationResult& applicationResults, MonotonicTime time)
+{
+    MonotonicTime oldLastRefreshedTime = m_lastRefreshedTime;
+    Seconds oldTotalRunningTime = m_totalRunningTime;
+    AnimationState oldState = m_state;
+
+    apply(applicationResults, time);
+
+    m_lastRefreshedTime = oldLastRefreshedTime;
+    m_totalRunningTime = oldTotalRunningTime;
+    m_state = oldState;
+}
+
 void TextureMapperAnimation::pause(Seconds time)
 {
     m_state = AnimationState::Paused;
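Review bot: `applyKeepingInternalState` has no comment, and its correctness depends on the three saved members being everything `apply()` mutates, which this hunk does not show. A comment would make that coupling explicit for whoever next adds state to `apply()`: `// Evaluates the animation at |time|, then restores m_lastRefreshedTime, m_totalRunningTime and m_state; keep this list in sync with what apply() modifies.` The container overload added in the `@@ -338,6 +351,12 @@` hunk only forwards to this one and needs no separate comment.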
@@ -338,6 +351,12 @@
         animation.apply(applicationResults, time);
 }
 
+void TextureMapperAnimations::applyKeepingInternalState(TextureMapperAnimation::ApplicationResult& applicationResults, MonotonicTime time)
+{
+    for (auto& animation : m_animations)
+        animation.applyKeepingInternalState(applicationResults, time);
+}
+
 bool TextureMapperAnimations::hasActiveAnimationsOfType(AnimatedPropertyID type) const
 {
     return std::any_of(m_animations.begin(), m_animations.end(),
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperAnimation.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperAnimation.h	Fri Jul 05 13:58:27 2019 +0530
@@ -44,6 +44,7 @@
     WEBCORE_EXPORT TextureMapperAnimation(const TextureMapperAnimation&);
 
     void apply(ApplicationResult&, MonotonicTime);
+    void applyKeepingInternalState(ApplicationResult&, MonotonicTime);
     void pause(Seconds);
     void resume();
     bool isActive() const;
@@ -81,6 +82,7 @@
     void resume();
 
     void apply(TextureMapperAnimation::ApplicationResult&, MonotonicTime);
+    void applyKeepingInternalState(TextureMapperAnimation::ApplicationResult&, MonotonicTime);
 
     bool isEmpty() const { return m_animations.isEmpty(); }
     size_t size() const { return m_animations.size(); }
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -78,6 +78,28 @@
             m_layerTransforms.combinedForChildren = m_layerTransforms.combinedForChildren.to2dTransform();
         m_layerTransforms.combinedForChildren.multiply(m_state.childrenTransform);
         m_layerTransforms.combinedForChildren.translate3d(-originX, -originY, -m_state.anchorPoint.z());
+
+#if USE(COORDINATED_GRAPHICS)
+        // Compute transforms for the future as well.
+        TransformationMatrix futureParentTransform;
+        if (m_parent)
+            futureParentTransform = m_parent->m_layerTransforms.futureCombinedForChildren;
+        else if (m_effectTarget)
+            futureParentTransform = m_effectTarget->m_layerTransforms.futureCombined;
+
+        m_layerTransforms.futureCombined = futureParentTransform;
+        m_layerTransforms.futureCombined
+            .translate3d(originX + m_state.pos.x(), originY + m_state.pos.y(), m_state.anchorPoint.z())
+            .multiply(m_layerTransforms.futureLocalTransform);
+
+        m_layerTransforms.futureCombinedForChildren = m_layerTransforms.futureCombined;
+        m_layerTransforms.futureCombined.translate3d(-originX, -originY, -m_state.anchorPoint.z());
+
+        if (!m_state.preserves3D)
+            m_layerTransforms.futureCombinedForChildren = m_layerTransforms.futureCombinedForChildren.to2dTransform();
+        m_layerTransforms.futureCombinedForChildren.multiply(m_state.childrenTransform);
+        m_layerTransforms.futureCombinedForChildren.translate3d(-originX, -originY, -m_state.anchorPoint.z());
+#endif
     }
 
     m_state.visible = m_state.backfaceVisibility || !m_layerTransforms.combined.isBackFaceVisible();
@@ -97,6 +119,11 @@
     // Reorder children if needed on the way back up.
     if (m_state.preserves3D)
         sortByZOrder(m_children);
+
+#if USE(COORDINATED_GRAPHICS)
+    if (m_backingStore && m_animatedBackingStoreClient)
+        m_animatedBackingStoreClient->requestBackingStoreUpdateIfNeeded(m_layerTransforms.futureCombined);
+#endif
 }
 
 void TextureMapperLayer::paint()
@@ -623,6 +650,13 @@
     m_backingStore = backingStore;
 }
 
+#if USE(COORDINATED_GRAPHICS)
+void TextureMapperLayer::setAnimatedBackingStoreClient(Nicosia::AnimatedBackingStoreClient* client)
+{
+    m_animatedBackingStoreClient = client;
+}
+#endif
+
 bool TextureMapperLayer::descendantsOrSelfHaveRunningAnimations() const
 {
     if (m_animations.hasRunningAnimations())
@@ -651,6 +685,13 @@
     m_currentOpacity = applicationResults.opacity.valueOr(m_state.opacity);
     m_currentFilters = applicationResults.filters.valueOr(m_state.filters);
 
+#if USE(COORDINATED_GRAPHICS)
+    // Calculate localTransform 50ms in the future.
+    TextureMapperAnimation::ApplicationResult futureApplicationResults;
+    m_animations.applyKeepingInternalState(futureApplicationResults, time + 50_ms);
+    m_layerTransforms.futureLocalTransform = futureApplicationResults.transform.valueOr(m_layerTransforms.localTransform);
+#endif
+
     return applicationResults.hasRunningAnimations;
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.h	Fri Jul 05 13:58:27 2019 +0530
@@ -27,6 +27,10 @@
 #include "TextureMapperBackingStore.h"
 #include <wtf/WeakPtr.h>
 
+#if USE(COORDINATED_GRAPHICS)
+#include "NicosiaAnimatedBackingStoreClient.h"
+#endif
+
 namespace WebCore {
 
 class GraphicsLayer;
@@ -88,6 +92,9 @@
     void setContentsLayer(TextureMapperPlatformLayer*);
     void setAnimations(const TextureMapperAnimations&);
     void setBackingStore(TextureMapperBackingStore*);
+#if USE(COORDINATED_GRAPHICS)
+    void setAnimatedBackingStoreClient(Nicosia::AnimatedBackingStoreClient*);
+#endif
 
     bool applyAnimationsRecursively(MonotonicTime);
     bool syncAnimations(MonotonicTime);
@@ -197,12 +204,19 @@
     TextureMapper* m_textureMapper { nullptr };
     TextureMapperAnimations m_animations;
     uint32_t m_id { 0 };
+#if USE(COORDINATED_GRAPHICS)
+    RefPtr<Nicosia::AnimatedBackingStoreClient> m_animatedBackingStoreClient;
+#endif
 
     struct {
         TransformationMatrix localTransform;
-
         TransformationMatrix combined;
         TransformationMatrix combinedForChildren;
+#if USE(COORDINATED_GRAPHICS)
+        TransformationMatrix futureLocalTransform;
+        TransformationMatrix futureCombined;
+        TransformationMatrix futureCombinedForChildren;
+#endif
     } m_layerTransforms;
 };
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -149,6 +149,8 @@
     }
     ASSERT(!m_nicosia.imageBacking);
     ASSERT(!m_nicosia.backingStore);
+    if (m_animatedBackingStoreHost)
+        m_animatedBackingStoreHost->layerWillBeDestroyed();
     willBeDestroyed();
 }
 
@@ -631,6 +633,87 @@
 #endif
 }
 
+static void clampToContentsRectIfRectIsInfinite(FloatRect& rect, const FloatSize& contentsSize)
+{
+    if (rect.width() >= LayoutUnit::nearlyMax() || rect.width() <= LayoutUnit::nearlyMin()) {
+        rect.setX(0);
+        rect.setWidth(contentsSize.width());
+    }
+
+    if (rect.height() >= LayoutUnit::nearlyMax() || rect.height() <= LayoutUnit::nearlyMin()) {
+        rect.setY(0);
+        rect.setHeight(contentsSize.height());
+    }
+}
+
+class CoordinatedAnimatedBackingStoreClient final : public Nicosia::AnimatedBackingStoreClient {
+public:
+    static Ref<CoordinatedAnimatedBackingStoreClient> create(RefPtr<CoordinatedGraphicsLayer::AnimatedBackingStoreHost>&& host, const FloatRect& visibleRect, const FloatRect& coverRect, const FloatSize& size, float contentsScale)
+    {
+        return adoptRef(*new CoordinatedAnimatedBackingStoreClient(WTFMove(host), visibleRect, coverRect, size, contentsScale));
+    }
+
+    ~CoordinatedAnimatedBackingStoreClient() = default;
+
+    void setCoverRect(const IntRect& rect) { m_coverRect = rect; }
+    void requestBackingStoreUpdateIfNeeded(const TransformationMatrix& transform) final
+    {
+        ASSERT(!isMainThread());
+
+        // Calculate the contents rectangle of the layer in backingStore coordinates.
+        FloatRect contentsRect = { { 0, 0 }, m_size };
+        contentsRect.scale(m_contentsScale);
+
+        // If the area covered by tiles (the coverRect, already in backingStore coordinates) covers the whole
+        // layer contents then we don't need to do anything.
+        if (m_coverRect.contains(contentsRect))
+            return;
+
+        // Non-invertible layers are not visible.
+        if (!transform.isInvertible())
+            return;
+
+        // Calculate the inverse of the layer transformation. The inverse transform will have the inverse of the
+        // scaleFactor applied, so we need to scale it back.
+        TransformationMatrix inverse = transform.inverse().valueOr(TransformationMatrix()).scale(m_contentsScale);
+
+        // Apply the inverse transform to the visible rectangle, so we have the visible rectangle in layer coordinates.
+        FloatRect rect = inverse.clampedBoundsOfProjectedQuad(FloatQuad(m_visibleRect));
+        clampToContentsRectIfRectIsInfinite(rect, m_size);
+        FloatRect transformedVisibleRect = enclosingIntRect(rect);
+
+        // Convert the calculated visible rectangle to backingStore coordinates.
+        transformedVisibleRect.scale(m_contentsScale);
+
+        // Restrict the calculated visible rect to the contents rectangle of the layer.
+        transformedVisibleRect.intersect(contentsRect);
+
+        // If the coverRect doesn't contain the calculated visible rectangle we need to request a backingStore
+        // update to render more tiles.
+        if (!m_coverRect.contains(transformedVisibleRect)) {
+            callOnMainThread([protectedHost = m_host.copyRef()]() {
+                protectedHost->requestBackingStoreUpdate();
+            });
+        }
+    }
+
+private:
+    CoordinatedAnimatedBackingStoreClient(RefPtr<CoordinatedGraphicsLayer::AnimatedBackingStoreHost>&& host, const FloatRect& visibleRect, const FloatRect& coverRect, const FloatSize& size, float contentsScale)
+        : Nicosia::AnimatedBackingStoreClient(Type::Coordinated)
+        , m_host(WTFMove(host))
+        , m_visibleRect(visibleRect)
+        , m_coverRect(coverRect)
+        , m_size(size)
+        , m_contentsScale(contentsScale)
+    { }
+
+    RefPtr<CoordinatedGraphicsLayer::AnimatedBackingStoreHost> m_host;
+    FloatRect m_visibleRect;
+    FloatRect m_coverRect;
+    FloatSize m_size;
+    float m_contentsScale;
+};
+
 void CoordinatedGraphicsLayer::flushCompositingStateForThisLayerOnly()
 {
     // Whether it kicked or not, we don't need this timer running anymore.
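Review bot: `m_coverRect` is written by `setCoverRect()` and read in `requestBackingStoreUpdateIfNeeded()`, which asserts `!isMainThread()`, and the class has no lock or atomic around it. `setCoverRect()` is called from the `@@ -914,6 +1005,11 @@` hunk, which appears to be the layer-flush path, so this is an unsynchronized cross-thread access unless the client is published to the compositor only after that call. A `Lock` member taken on both sides would close it, e.g. `void setCoverRect(const IntRect& rect) { LockHolder locker(m_coverRectLock); m_coverRect = rect; }`, with the reader copying the rect into a local under the same lock. Separately, `m_host` is never null at the visible call site and could be a `Ref<>`, which removes the unchecked `protectedHost->` dereference in the lambda.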
@@ -666,6 +749,19 @@
         m_nicosia.delta.backingStoreChanged = true;
     }
 
+    if (hasActiveTransformAnimation && m_nicosia.backingStore) {
+        // The layer has a backingStore and a transformation animation. This means that we need to add an
+        // AnimatedBackingStoreClient to check whether we need to update the backingStore due to the animation.
+        // At this point we don't know the area covered by tiles available, so we just pass an empty rectangle
+        // for that. The call to updateContentBuffers will calculate the tile coverage and set the appropriate
+        // rectangle to the client.
+        if (!m_animatedBackingStoreHost)
+            m_animatedBackingStoreHost = AnimatedBackingStoreHost::create(*this);
+        m_nicosia.animatedBackingStoreClient = CoordinatedAnimatedBackingStoreClient::create(m_animatedBackingStoreHost.copyRef(), m_coordinator->visibleContentsRect(), { }, m_size, effectiveContentsScale());
+    }
+    // Each layer flush changes the AnimatedBackingStoreClient, being it null or a real one.
+    m_nicosia.delta.animatedBackingStoreClientChanged = true;
+
     // Determine image backing presence according to the composited image source.
     if (m_compositedNativeImagePtr) {
         ASSERT(m_compositedImage);
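Review bot: Nothing in this hunk resets `m_nicosia.animatedBackingStoreClient` when the condition is false, although the comment says each flush sets it to "null or a real one". If no reset exists earlier in the function (it starts outside the hunk), a client created for an animation that has since ended would be re-published on every flush with a stale visible rect, and would keep posting update requests. An explicit `else m_nicosia.animatedBackingStoreClient = nullptr;` after the `if` block would make the code match the comment.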
@@ -787,6 +883,8 @@
                     state.contentLayer = m_nicosia.contentLayer;
                 if (localDelta.imageBackingChanged)
                     state.imageBacking = m_nicosia.imageBacking;
+                if (localDelta.animatedBackingStoreClientChanged)
+                    state.animatedBackingStoreClient = m_nicosia.animatedBackingStoreClient;
             });
         m_nicosia.performLayerSync = !!m_nicosia.delta.value;
         m_nicosia.delta = { };
@@ -817,19 +915,6 @@
     return selfOrAncestorHaveNonAffineTransforms() ? 1 : deviceScaleFactor() * pageScaleFactor();
 }
 
-static void clampToContentsRectIfRectIsInfinite(FloatRect& rect, const FloatSize& contentsSize)
-{
-    if (rect.width() >= LayoutUnit::nearlyMax() || rect.width() <= LayoutUnit::nearlyMin()) {
-        rect.setX(0);
-        rect.setWidth(contentsSize.width());
-    }
-
-    if (rect.height() >= LayoutUnit::nearlyMax() || rect.height() <= LayoutUnit::nearlyMin()) {
-        rect.setY(0);
-        rect.setHeight(contentsSize.height());
-    }
-}
-
 IntRect CoordinatedGraphicsLayer::transformedVisibleRect()
 {
     // Non-invertible layers are not visible.
@@ -845,6 +930,12 @@
     return enclosingIntRect(rect);
 }
 
+void CoordinatedGraphicsLayer::requestBackingStoreUpdate()
+{
+    setNeedsVisibleRectAdjustment();
+    notifyFlushRequired();
+}
+
 void CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers()
 {
     if (CoordinatedGraphicsLayer* mask = downcast<CoordinatedGraphicsLayer>(maskLayer()))
@@ -914,6 +1005,11 @@
         layerState.mainBackingStore->createTilesIfNeeded(transformedVisibleRect(), IntRect(0, 0, m_size.width(), m_size.height()));
     }
 
+    if (is<CoordinatedAnimatedBackingStoreClient>(m_nicosia.animatedBackingStoreClient)) {
+        // Determine the coverRect and set it to the client.
+        downcast<CoordinatedAnimatedBackingStoreClient>(*m_nicosia.animatedBackingStoreClient).setCoverRect(layerState.mainBackingStore->coverRect());
+    }
+
     ASSERT(m_coordinator && m_coordinator->isFlushingLayerChanges());
 
     // With all the affected tiles created and/or invalidated, we can finally paint them.
@@ -1208,4 +1304,6 @@
 
 } // namespace WebCore
 
+SPECIALIZE_TYPE_TRAITS_ANIMATEDBACKINGSTORECLIENT(WebCore::CoordinatedAnimatedBackingStoreClient, type() == Nicosia::AnimatedBackingStoreClient::Type::Coordinated)
+
 #endif // USE(COORDINATED_GRAPHICS)
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h	Fri Jul 05 13:58:27 2019 +0530
@@ -29,6 +29,7 @@
 #include "GraphicsLayerTransform.h"
 #include "Image.h"
 #include "IntSize.h"
+#include "NicosiaAnimatedBackingStoreClient.h"
 #include "NicosiaBuffer.h"
 #include "NicosiaPlatformLayer.h"
 #include "TextureMapperAnimation.h"
@@ -124,6 +125,30 @@
 
     const RefPtr<Nicosia::CompositionLayer>& compositionLayer() const;
 
+    class AnimatedBackingStoreHost : public ThreadSafeRefCounted<AnimatedBackingStoreHost> {
+    public:
+        static Ref<AnimatedBackingStoreHost> create(CoordinatedGraphicsLayer& layer)
+        {
+            return adoptRef(*new AnimatedBackingStoreHost(layer));
+        }
+
+        void requestBackingStoreUpdate()
+        {
+            if (m_layer)
+                m_layer->requestBackingStoreUpdate();
+        }
+
+        void layerWillBeDestroyed() { m_layer = nullptr; }
+    private:
+        explicit AnimatedBackingStoreHost(CoordinatedGraphicsLayer& layer)
+            : m_layer(&layer)
+        { }
+
+        CoordinatedGraphicsLayer* m_layer;
+    };
+
+    void requestBackingStoreUpdate();
+
 private:
     bool isCoordinatedGraphicsLayer() const;
 
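Review bot: `m_layer` is a raw pointer inside a `ThreadSafeRefCounted` class, and nothing asserts that `requestBackingStoreUpdate()` and `layerWillBeDestroyed()` run on the same thread. In this commit both appear to be main-thread calls: the client posts through `callOnMainThread`, and the layer destructor clears the pointer. An `ASSERT(isMainThread());` at the top of each would document that invariant and catch a future caller that breaks it. The header may need `<wtf/MainThread.h>` for that. A short comment on the class saying the host outlives the layer and is detached in the layer's destructor would also help.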
@@ -199,7 +224,10 @@
         RefPtr<Nicosia::BackingStore> backingStore;
         RefPtr<Nicosia::ContentLayer> contentLayer;
         RefPtr<Nicosia::ImageBacking> imageBacking;
+        RefPtr<Nicosia::AnimatedBackingStoreClient> animatedBackingStoreClient;
     } m_nicosia;
+
+    RefPtr<AnimatedBackingStoreHost> m_animatedBackingStoreHost;
 };
 
 } // namespace WebCore
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/image-decoders/ScalableImageDecoder.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/image-decoders/ScalableImageDecoder.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -196,11 +196,11 @@
 bool ScalableImageDecoder::frameIsCompleteAtIndex(size_t index) const
 {
     LockHolder lockHolder(m_mutex);
-    // FIXME(176089): asking whether enough data has been appended for a decode
-    // operation to succeed should not require decoding the entire frame.
-    // This function should be implementable in a way that allows const.
-    auto* buffer = const_cast<ScalableImageDecoder*>(this)->frameBufferAtIndex(index);
-    return buffer && buffer->isComplete();
+    if (index >= m_frameBufferCache.size())
+        return false;
+
+    auto& frame = m_frameBufferCache[index];
+    return frame.isComplete();
 }
 
 bool ScalableImageDecoder::frameHasAlphaAtIndex(size_t index) const
@@ -208,9 +208,11 @@
     LockHolder lockHolder(m_mutex);
     if (m_frameBufferCache.size() <= index)
         return true;
-    if (m_frameBufferCache[index].isComplete())
-        return m_frameBufferCache[index].hasAlpha();
+
+    auto& frame = m_frameBufferCache[index];
+    if (!frame.isComplete())
     return true;
+    return frame.hasAlpha();
 }
 
 unsigned ScalableImageDecoder::frameBytesAtIndex(size_t index, SubsamplingLevel) const
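Review bot: The `return true;` that now belongs to `if (!frame.isComplete())` is left at the indentation of the `if` itself, because it is an unchanged context line from the old fall-through return. It reads as an unconditional return followed by dead code. It should be re-indented one level: `if (!frame.isComplete())` followed by `        return true;`. The bounds check here is also still written `m_frameBufferCache.size() <= index`, while the two sibling functions changed in this file use `index >= m_frameBufferCache.size()`. The read-only `auto& frame` locals in all three could be `const auto&`.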
@@ -225,20 +227,24 @@
 Seconds ScalableImageDecoder::frameDurationAtIndex(size_t index) const
 {
     LockHolder lockHolder(m_mutex);
-    // FIXME(176089): asking for the duration of a sub-image should not require decoding
-    // the entire frame. This function should be implementable in a way that
-    // allows const.
-    auto* buffer = const_cast<ScalableImageDecoder*>(this)->frameBufferAtIndex(index);
-    if (!buffer || buffer->isInvalid())
+    if (index >= m_frameBufferCache.size())
         return 0_s;
 
+    // Returning 0_s in case of an incomplete frame can break display of animated image formats.
+    // We pick up the decoded duration if it's available, otherwise the default 0_s value is
+    // adjusted below.
+    Seconds duration = 0_s;
+    auto& frame = m_frameBufferCache[index];
+    if (frame.isComplete())
+        duration = frame.duration();
+
     // Many annoying ads specify a 0 duration to make an image flash as quickly as possible.
     // We follow Firefox's behavior and use a duration of 100 ms for any frames that specify
     // a duration of <= 10 ms. See <rdar://problem/7689300> and <http://webkit.org/b/36082>
     // for more information.
-    if (buffer->duration() < 11_ms)
+    if (duration < 11_ms)
         return 100_ms;
-    return buffer->duration();
+    return duration;
 }
 
 NativeImagePtr ScalableImageDecoder::createFrameImageAtIndex(size_t index, SubsamplingLevel, const DecodingOptions&)
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/text/TextCodec.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/text/TextCodec.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -28,6 +28,7 @@
 #include "TextCodec.h"
 
 #include <array>
+#include <cstdio>
 
 namespace WebCore {
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/rendering/RenderView.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/rendering/RenderView.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -49,7 +49,6 @@
 #include "RenderQuote.h"
 #include "RenderTreeBuilder.h"
 #include "RenderWidget.h"
-#include "ScrollbarTheme.h"
 #include "Settings.h"
 #include "StyleInheritedData.h"
 #include "TransformState.h"
@@ -61,26 +60,6 @@
 
 WTF_MAKE_ISO_ALLOCATED_IMPL(RenderView);
 
-struct FrameFlatteningLayoutDisallower {
-    FrameFlatteningLayoutDisallower(FrameView& frameView)
-        : m_frameView(frameView)
-        , m_disallowLayout(frameView.effectiveFrameFlattening() != FrameFlattening::Disabled)
-    {
-        if (m_disallowLayout)
-            m_frameView.startDisallowingLayout();
-    }
-
-    ~FrameFlatteningLayoutDisallower()
-    {
-        if (m_disallowLayout)
-            m_frameView.endDisallowingLayout();
-    }
-
-private:
-    FrameView& m_frameView;
-    bool m_disallowLayout { false };
-};
-
 RenderView::RenderView(Document& document, RenderStyle&& style)
     : RenderBlockFlow(document, WTFMove(style))
     , m_frameView(*document.view())
@@ -137,40 +116,6 @@
     m_renderersNeedingLazyRepaint.clear();
 }
 
-bool RenderView::hitTest(const HitTestRequest& request, HitTestResult& result)
-{
-    return hitTest(request, result.hitTestLocation(), result);
-}
-
-bool RenderView::hitTest(const HitTestRequest& request, const HitTestLocation& location, HitTestResult& result)
-{
-    document().updateLayout();
-
-#if !ASSERT_DISABLED
-    SetForScope<bool> hitTestRestorer { m_inHitTesting, true };
-#endif
-
-    FrameFlatteningLayoutDisallower disallower(frameView());
-
-    bool resultLayer = layer()->hitTest(request, location, result);
-
-    // ScrollView scrollbars are not the same as RenderLayer scrollbars tested by RenderLayer::hitTestOverflowControls,
-    // so we need to test ScrollView scrollbars separately here. In case of using overlay scrollbars, the layer hit test
-    // will always work so we need to check the ScrollView scrollbars in that case too.
-    if (!resultLayer || ScrollbarTheme::theme().usesOverlayScrollbars()) {
-        // FIXME: Consider if this test should be done unconditionally.
-        if (request.allowsFrameScrollbars()) {
-            IntPoint windowPoint = frameView().contentsToWindow(location.roundedPoint());
-            if (Scrollbar* frameScrollbar = frameView().scrollbarAtPoint(windowPoint)) {
-                result.setScrollbar(frameScrollbar);
-                return true;
-            }
-        }
-    }
-
-    return resultLayer;
-}
-
 RenderBox::LogicalExtentComputedValues RenderView::computeLogicalHeight(LayoutUnit logicalHeight, LayoutUnit) const
 {
     return { !shouldUsePrintingLayout() ? LayoutUnit(viewLogicalHeight()) : logicalHeight, 0_lu, ComputedMarginValues() };
--- a/modules/javafx.web/src/main/native/Source/WebCore/rendering/RenderView.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/rendering/RenderView.h	Fri Jul 05 13:58:27 2019 +0530
@@ -43,9 +43,6 @@
     RenderView(Document&, RenderStyle&&);
     virtual ~RenderView();
 
-    WEBCORE_EXPORT bool hitTest(const HitTestRequest&, HitTestResult&);
-    bool hitTest(const HitTestRequest&, const HitTestLocation&, HitTestResult&);
-
     const char* renderName() const override { return "RenderView"; }
 
     bool requiresLayer() const override { return true; }
@@ -194,10 +191,6 @@
     const HashSet<const RenderBox*>& boxesWithScrollSnapPositions() { return m_boxesWithScrollSnapPositions; }
 #endif
 
-#if !ASSERT_DISABLED
-    bool inHitTesting() const { return m_inHitTesting; }
-#endif
-
 protected:
     void mapLocalToContainer(const RenderLayerModelObject* repaintContainer, TransformState&, MapCoordinatesFlags, bool* wasFixed) const override;
     const RenderObject* pushMappingToContainer(const RenderLayerModelObject* ancestorToStopAt, RenderGeometryMap&) const override;
@@ -253,9 +246,6 @@
     bool m_hasSoftwareFilters { false };
     bool m_usesFirstLineRules { false };
     bool m_usesFirstLetterRules { false };
-#if !ASSERT_DISABLED
-    bool m_inHitTesting { false };
-#endif
 
     HashMap<RenderElement*, Vector<CachedImage*>> m_renderersWithPausedImageAnimation;
     HashSet<RenderElement*> m_visibleInViewportRenderers;
--- a/modules/javafx.web/src/main/native/Source/WebCore/rendering/RenderWidget.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/rendering/RenderWidget.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -364,7 +364,6 @@
 {
     if (request.allowsChildFrameContent() && is<FrameView>(widget()) && downcast<FrameView>(*widget()).renderView()) {
         FrameView& childFrameView = downcast<FrameView>(*widget());
-        RenderView& childRoot = *childFrameView.renderView();
 
         LayoutPoint adjustedLocation = accumulatedOffset + location();
         LayoutPoint contentOffset = LayoutPoint(borderLeft() + paddingLeft(), borderTop() + paddingTop()) - toIntSize(childFrameView.scrollPosition());
@@ -372,7 +371,10 @@
         HitTestRequest newHitTestRequest(request.type() | HitTestRequest::ChildFrameHitTest);
         HitTestResult childFrameResult(newHitTestLocation);
 
-        bool isInsideChildFrame = childRoot.hitTest(newHitTestRequest, newHitTestLocation, childFrameResult);
+        auto* document = childFrameView.frame().document();
+        if (!document)
+            return false;
+        bool isInsideChildFrame = document->hitTest(newHitTestRequest, newHitTestLocation, childFrameResult);
 
         if (request.resultIsElementList())
             result.append(childFrameResult, request);
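Review bot: The new `if (!document) return false;` leaves the whole function instead of only skipping the child-frame test, so whatever follows the enclosing `if` block is not reached for a child frame without a document. That code is outside this hunk; presumably it is the widget's own hit test. If that fall-through is wanted, guard only the child test, for example `if (auto* document = childFrameView.frame().document()) {` around the `hitTest` call and the result handling. Since the enclosing condition already requires `renderView()` to be non-null, a one-line comment saying when such a frame can still lack a document would help the next reader judge whether the branch is reachable.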
--- a/modules/javafx.web/src/main/native/Source/WebCore/testing/Internals.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/testing/Internals.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -2083,7 +2083,7 @@
         return nullptr;
 
     HitTestResult result(point, topPadding, rightPadding, bottomPadding, leftPadding);
-    renderView->hitTest(request, result);
+    document.hitTest(request, result);
     const HitTestResult::NodeSet& nodeSet = result.listBasedTestResult();
     Vector<Ref<Node>> matches;
     matches.reserveInitialCapacity(nodeSet.size());
--- a/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/AvailableMemory.cpp	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/AvailableMemory.cpp	Fri Jul 05 13:58:27 2019 +0530
@@ -43,6 +43,10 @@
 #import <mach/mach_error.h>
 #import <math.h>
 #elif BOS(UNIX)
+#if BOS(LINUX)
+#include <algorithm>
+#include <fcntl.h>
+#endif
 #include <unistd.h>
 #endif
 
@@ -88,6 +92,62 @@
 }
 #endif
 
+#if BOS(LINUX)
+struct LinuxMemory {
+    static const LinuxMemory& singleton()
+    {
+        static LinuxMemory s_singleton;
+        static std::once_flag s_onceFlag;
+        std::call_once(s_onceFlag,
+            [] {
+                long numPages = sysconf(_SC_PHYS_PAGES);
+                s_singleton.pageSize = sysconf(_SC_PAGE_SIZE);
+                if (numPages == -1 || s_singleton.pageSize == -1)
+                    s_singleton.availableMemory = availableMemoryGuess;
+                else
+                    s_singleton.availableMemory = numPages * s_singleton.pageSize;
+
+                s_singleton.statmFd = open("/proc/self/statm", O_RDONLY | O_CLOEXEC);
+            });
+        return s_singleton;
+    }
+
+    size_t footprint() const
+    {
+        if (statmFd == -1)
+            return 0;
+
+        std::array<char, 256> statmBuffer;
+        ssize_t numBytes = pread(statmFd, statmBuffer.data(), statmBuffer.size(), 0);
+        if (numBytes <= 0)
+            return 0;
+
+        std::array<char, 32> rssBuffer;
+        {
+            auto begin = std::find(statmBuffer.begin(), statmBuffer.end(), ' ');
+            if (begin == statmBuffer.end())
+                return 0;
+
+            std::advance(begin, 1);
+            auto end = std::find(begin, statmBuffer.end(), ' ');
+            if (end == statmBuffer.end())
+                return 0;
+
+            auto last = std::copy_n(begin, std::min<size_t>(31, std::distance(begin, end)), rssBuffer.begin());
+            *last = '\0';
+        }
+
+        unsigned long dirtyPages = strtoul(rssBuffer.data(), nullptr, 10);
+        return dirtyPages * pageSize;
+    }
+
+    long pageSize { 0 };
+    size_t availableMemory { 0 };
+
+    int statmFd { -1 };
+};
+#endif
+
 static size_t computeAvailableMemory()
 {
 #if BOS(DARWIN)
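Review bot: In `footprint()`, both `std::find` calls search up to `statmBuffer.end()` although `pread` filled only `numBytes` of the 256-byte buffer, so a short or unexpectedly formatted read lets the search run over uninitialized stack bytes and parse them as the RSS field. Bound the search by the bytes actually read, as in the excerpt below. The local `dirtyPages` holds the value copied into `rssBuffer`, so a name like `residentPages` would describe it better. The block also uses `std::array`, `std::call_once` and `strtoul`, while the include hunk of this file adds only `<algorithm>` and `<fcntl.h>`; presumably `<array>`, `<mutex>` and `<cstdlib>` are already included outside the visible hunks, which is worth confirming.

```cpp
        ssize_t numBytes = pread(statmFd, statmBuffer.data(), statmBuffer.size(), 0);
        // … unchanged: numBytes <= 0 check, rssBuffer declaration …
            auto dataEnd = statmBuffer.begin() + numBytes;
            auto begin = std::find(statmBuffer.begin(), dataEnd, ' ');
            if (begin == dataEnd)
                return 0;
            // … unchanged: advance past the separator …
            auto end = std::find(begin, dataEnd, ' ');
            if (end == dataEnd)
                return 0;
            // … unchanged: copy into rssBuffer, strtoul, multiply by pageSize …
```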
@@ -100,6 +160,8 @@
     // Round up the memory size to a multiple of 128MB because max_mem may not be exactly 512MB
     // (for example) and we have code that depends on those boundaries.
     return ((sizeAccordingToKernel + multiple - 1) / multiple) * multiple;
+#elif BOS(LINUX)
+    return LinuxMemory::singleton().availableMemory;
 #elif BOS(UNIX)
     long pages = sysconf(_SC_PHYS_PAGES);
     long pageSize = sysconf(_SC_PAGE_SIZE);
@@ -121,9 +183,10 @@
     return availableMemory;
 }
 
-#if BPLATFORM(IOS_FAMILY)
+#if BPLATFORM(IOS_FAMILY) || BOS(LINUX)
 MemoryStatus memoryStatus()
 {
+#if BPLATFORM(IOS_FAMILY)
     task_vm_info_data_t vmInfo;
     mach_msg_type_number_t vmSize = TASK_VM_INFO_COUNT;
 
@@ -132,8 +195,13 @@
         memoryFootprint = static_cast<size_t>(vmInfo.phys_footprint);
 
     double percentInUse = static_cast<double>(memoryFootprint) / static_cast<double>(availableMemory());
+#elif BOS(LINUX)
+    auto& memory = LinuxMemory::singleton();
+    size_t memoryFootprint = memory.footprint();
+    double percentInUse = static_cast<double>(memoryFootprint) / static_cast<double>(memory.availableMemory);
+#endif
+
     double percentAvailableMemoryInUse = std::min(percentInUse, 1.0);
-
     return MemoryStatus(memoryFootprint, percentAvailableMemoryInUse);
 }
 #endif
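Review bot: The Linux branch cannot tell a failed footprint read from an idle process. `LinuxMemory::footprint()` returns 0 when `/proc/self/statm` could not be opened or parsed, so `percentInUse` becomes 0 and memory pressure is never reported where procfs is unavailable, for instance in a restricted sandbox or container. If that is the intended fallback, say so at the call, e.g. `// footprint() is 0 if /proc/self/statm is unreadable; pressure is then never signalled.` The branch also divides by `memory.availableMemory` directly while the iOS branch goes through `availableMemory()`; if the two can ever differ, using the accessor in both would keep them consistent.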
--- a/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/AvailableMemory.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/AvailableMemory.h	Fri Jul 05 13:58:27 2019 +0530
@@ -32,7 +32,7 @@
 
 size_t availableMemory();
 
-#if BPLATFORM(IOS_FAMILY)
+#if BPLATFORM(IOS_FAMILY) || BOS(LINUX)
 struct MemoryStatus {
     MemoryStatus(size_t memoryFootprint, double percentAvailableMemoryInUse)
         : memoryFootprint(memoryFootprint)
@@ -61,7 +61,7 @@
 
 inline bool isUnderMemoryPressure()
 {
-#if BPLATFORM(IOS_FAMILY)
+#if BPLATFORM(IOS_FAMILY) || BOS(LINUX)
     return percentAvailableMemoryInUse() > memoryPressureThreshold;
 #else
     return false;
--- a/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/bmalloc.h	Wed Jul 03 12:05:09 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/bmalloc.h	Fri Jul 05 13:58:27 2019 +0530
@@ -111,7 +111,7 @@
     return bmalloc::availableMemory();
 }
 
-#if BPLATFORM(IOS_FAMILY)
+#if BPLATFORM(IOS_FAMILY) || BOS(LINUX)
 inline size_t memoryFootprint()
 {
     return bmalloc::memoryFootprint();