changeset 11030:bf4a59920c38 11+24

8209049: Cherry pick GTK WebKit 2.20.4 changes Reviewed-by: kcr, mbilla
author arajkumar
date Thu, 16 Aug 2018 09:11:58 +0530
parents 834a2d62dea8
children 9bbbcd7d185f c97fa2cc59b0
files modules/javafx.web/src/main/java/com/sun/javafx/webkit/prism/WCMediaPlayerImpl.java modules/javafx.web/src/main/native/Source/JavaScriptCore/CMakeLists.txt modules/javafx.web/src/main/native/Source/JavaScriptCore/builtins/BuiltinNames.h modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.h modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/Watchpoint.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/Watchpoint.h modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGClobberize.h modules/javafx.web/src/main/native/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/CommonSlowPaths.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSFunction.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObject.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObject.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObject.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObjectInlines.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/StringConstructor.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/Structure.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/Structure.h modules/javafx.web/src/main/native/Source/WTF/wtf/Bag.h modules/javafx.web/src/main/native/Source/WTF/wtf/text/StringBuilderJSON.cpp modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/AudioContext.cpp modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/AudioContext.h modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/MediaElementAudioSourceNode.cpp modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/MediaElementAudioSourceNode.h modules/javafx.web/src/main/native/Source/WebCore/html/BaseButtonInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/BaseCheckableInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/BaseChooserOnlyDateAndTimeInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/BaseClickableWithKeyInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/BaseDateAndTimeInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/BaseTextInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/CheckboxInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/ColorInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/DateInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/DateTimeInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/DateTimeLocalInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/EmailInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/FileInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/HTMLButtonElement.cpp modules/javafx.web/src/main/native/Source/WebCore/html/HTMLFormElement.cpp modules/javafx.web/src/main/native/Source/WebCore/html/HTMLInputElement.cpp modules/javafx.web/src/main/native/Source/WebCore/html/HTMLInputElement.h modules/javafx.web/src/main/native/Source/WebCore/html/HiddenInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/ImageInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/InputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/InputType.h modules/javafx.web/src/main/native/Source/WebCore/html/MonthInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/NumberInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/RadioInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/RangeInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/ResetInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/SearchInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/SubmitInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/TextFieldInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/TimeInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/URLInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/WeekInputType.cpp modules/javafx.web/src/main/native/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp modules/javafx.web/src/main/native/Source/WebCore/html/canvas/WebGLRenderingContextBase.h modules/javafx.web/src/main/native/Source/WebCore/platform/ScrollView.h modules/javafx.web/src/main/native/Source/WebCore/platform/Widget.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/Widget.h modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.h modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h
diffstat 73 files changed, 906 insertions(+), 451 deletions(-) [+]
line wrap: on
line diff
--- a/modules/javafx.web/src/main/java/com/sun/javafx/webkit/prism/WCMediaPlayerImpl.java	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/java/com/sun/javafx/webkit/prism/WCMediaPlayerImpl.java	Thu Aug 16 09:11:58 2018 +0530
@@ -28,6 +28,7 @@
 import java.net.URI;
 import java.util.List;
 
+import com.sun.javafx.logging.PlatformLogger;
 import com.sun.javafx.media.PrismMediaFrameHandler;
 import com.sun.media.jfxmedia.Media;
 import com.sun.media.jfxmedia.MediaManager;
@@ -125,7 +126,9 @@
                 p = MediaManager.getPlayer(locator);
             } catch (Exception ex) {
                 log.warning("CreateThread ERROR: {0}", ex.toString());
-                ex.printStackTrace(System.out);
+                if (log.isLoggable(PlatformLogger.Level.FINE)) {
+                    ex.printStackTrace(System.out);
+                }
                 onError(this, 0, ex.getMessage());
                 return;
             }
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/CMakeLists.txt	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/CMakeLists.txt	Thu Aug 16 09:11:58 2018 +0530
@@ -247,6 +247,7 @@
     ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/LLIntDesiredOffsets.h ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/Bytecodes.h ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/BytecodeStructs.h
 )
 target_link_libraries(LLIntOffsetsExtractor WTF)
+add_dependencies(LLIntOffsetsExtractor JavaScriptCoreForwardingHeaders)
 
 # The build system will execute asm.rb every time LLIntOffsetsExtractor's mtime is newer than
 # LLIntAssembly.h's mtime. The problem we have here is: asm.rb has some built-in optimization
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/builtins/BuiltinNames.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/builtins/BuiltinNames.h	Thu Aug 16 09:11:58 2018 +0530
@@ -83,6 +83,7 @@
     macro(typedArrayGetOriginalConstructor) \
     macro(typedArraySubarrayCreate) \
     macro(BuiltinLog) \
+    macro(BuiltinDescribe) \
     macro(homeObject) \
     macro(templateRegistryKey) \
     macro(enqueueJob) \
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1241,9 +1241,7 @@
     for (size_t size = propertyAccessInstructions.size(), i = 0; i < size; ++i) {
         Instruction* curInstruction = &instructions()[propertyAccessInstructions[i]];
         switch (Interpreter::getOpcodeID(curInstruction[0])) {
-        case op_get_by_id:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset: {
+        case op_get_by_id: {
             StructureID oldStructureID = curInstruction[4].u.structureID;
             if (!oldStructureID || Heap::isMarked(vm.heap.structureIDTable().get(oldStructureID)))
                 break;
@@ -1282,6 +1280,8 @@
         // We need to add optimizations for op_resolve_scope_for_hoisting_func_decl_in_eval to do link time scope resolution.
         case op_resolve_scope_for_hoisting_func_decl_in_eval:
             break;
+        case op_get_by_id_proto_load:
+        case op_get_by_id_unset:
         case op_get_array_length:
             break;
         case op_to_this:
@@ -1339,8 +1339,27 @@
 
     // We can't just remove all the sets when we clear the caches since we might have created a watchpoint set
     // then cleared the cache without GCing in between.
-    m_llintGetByIdWatchpointMap.removeIf([](const StructureWatchpointMap::KeyValuePairType& pair) -> bool {
-        return !Heap::isMarked(pair.key);
+    m_llintGetByIdWatchpointMap.removeIf([&] (const StructureWatchpointMap::KeyValuePairType& pair) -> bool {
+        auto clear = [&] () {
+            Instruction* instruction = std::get<1>(pair.key);
+            OpcodeID opcode = Interpreter::getOpcodeID(*instruction);
+            if (opcode == op_get_by_id_proto_load || opcode == op_get_by_id_unset) {
+                if (Options::verboseOSR())
+                    dataLogF("Clearing LLInt property access.\n");
+                clearLLIntGetByIdCache(instruction);
+            }
+            return true;
+        };
+
+        if (!Heap::isMarked(std::get<0>(pair.key)))
+            return clear();
+
+        for (const LLIntPrototypeLoadAdaptiveStructureWatchpoint* watchpoint : pair.value) {
+            if (!watchpoint->key().isStillLive())
+                return clear();
+        }
+
+        return false;
     });
 
     for (unsigned i = 0; i < m_llintCallLinkInfos.size(); ++i) {
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/CodeBlock.h	Thu Aug 16 09:11:58 2018 +0530
@@ -625,7 +625,7 @@
         return m_llintExecuteCounter;
     }
 
-    typedef HashMap<Structure*, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>> StructureWatchpointMap;
+    typedef HashMap<std::tuple<Structure*, Instruction*>, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>> StructureWatchpointMap;
     StructureWatchpointMap& llintGetByIdWatchpointMap() { return m_llintGetByIdWatchpointMap; }
 
     // Functions for controlling when tiered compilation kicks in. This
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h	Thu Aug 16 09:11:58 2018 +0530
@@ -33,16 +33,19 @@
 
 class LLIntPrototypeLoadAdaptiveStructureWatchpoint : public Watchpoint {
 public:
+    LLIntPrototypeLoadAdaptiveStructureWatchpoint() = default;
     LLIntPrototypeLoadAdaptiveStructureWatchpoint(const ObjectPropertyCondition&, Instruction*);
 
     void install();
 
+    const ObjectPropertyCondition& key() const { return m_key; }
+
 protected:
     void fireInternal(const FireDetail&) override;
 
 private:
     ObjectPropertyCondition m_key;
-    Instruction* m_getByIdInstruction;
+    Instruction* m_getByIdInstruction { nullptr };
 };
 
 } // namespace JSC
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.h	Thu Aug 16 09:11:58 2018 +0530
@@ -68,6 +68,7 @@
 
     bool isValidAndWatchable() const;
 
+    size_t size() const { return m_data ? m_data->vector.size() : 0; }
     bool isEmpty() const
     {
         return !m_data;
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/Watchpoint.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/Watchpoint.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -92,6 +92,16 @@
     WTF::storeStoreFence();
 }
 
+void WatchpointSet::fireAllSlow(VM&, DeferredWatchpointFire* deferredWatchpoints)
+{
+    ASSERT(state() == IsWatched);
+
+    WTF::storeStoreFence();
+    deferredWatchpoints->takeWatchpointsToFire(this);
+    m_state = IsInvalidated; // Do after moving watchpoints to deferredWatchpoints so deferredWatchpoints gets our current state.
+    WTF::storeStoreFence();
+}
+
 void WatchpointSet::fireAllSlow(VM& vm, const char* reason)
 {
     fireAllSlow(vm, StringFireDetail(reason));
@@ -133,6 +143,15 @@
     }
 }
 
+void WatchpointSet::take(WatchpointSet* other)
+{
+    ASSERT(state() == ClearWatchpoint);
+    m_set.takeFrom(other->m_set);
+    m_setIsNotEmpty = other->m_setIsNotEmpty;
+    m_state = other->m_state;
+    other->m_setIsNotEmpty = false;
+}
+
 void InlineWatchpointSet::add(Watchpoint* watchpoint)
 {
     inflate()->add(watchpoint);
@@ -159,5 +178,28 @@
     fat()->deref();
 }
 
+DeferredWatchpointFire::DeferredWatchpointFire(VM& vm)
+    : m_vm(vm)
+    , m_watchpointsToFire(ClearWatchpoint)
+{
+}
+
+DeferredWatchpointFire::~DeferredWatchpointFire()
+{
+}
+
+void DeferredWatchpointFire::fireAll()
+{
+    if (m_watchpointsToFire.state() == IsWatched)
+        m_watchpointsToFire.fireAll(m_vm, *this);
+}
+
+void DeferredWatchpointFire::takeWatchpointsToFire(WatchpointSet* watchpointsToFire)
+{
+    ASSERT(m_watchpointsToFire.state() == ClearWatchpoint);
+    ASSERT(watchpointsToFire->state() == IsWatched);
+    m_watchpointsToFire.take(watchpointsToFire);
+}
+
 } // namespace JSC
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/Watchpoint.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/Watchpoint.h	Thu Aug 16 09:11:58 2018 +0530
@@ -68,9 +68,7 @@
     WTF_MAKE_NONCOPYABLE(Watchpoint);
     WTF_MAKE_FAST_ALLOCATED;
 public:
-    Watchpoint()
-    {
-    }
+    Watchpoint() = default;
 
     virtual ~Watchpoint();
 
@@ -89,10 +87,12 @@
 };
 
 class InlineWatchpointSet;
+class DeferredWatchpointFire;
 class VM;
 
 class WatchpointSet : public ThreadSafeRefCounted<WatchpointSet> {
     friend class LLIntOffsetsExtractor;
+    friend class DeferredWatchpointFire;
 public:
     JS_EXPORT_PRIVATE WatchpointSet(WatchpointState);
 
@@ -159,6 +159,13 @@
         fireAllSlow(vm, detail);
     }
 
+    void fireAll(VM& vm, DeferredWatchpointFire* deferredWatchpoints)
+    {
+        if (LIKELY(m_state != IsWatched))
+            return;
+        fireAllSlow(vm, deferredWatchpoints);
+    }
+
     void fireAll(VM& vm, const char* reason)
     {
         if (LIKELY(m_state != IsWatched))
@@ -201,10 +208,12 @@
     int8_t* addressOfSetIsNotEmpty() { return &m_setIsNotEmpty; }
 
     JS_EXPORT_PRIVATE void fireAllSlow(VM&, const FireDetail&); // Call only if you've checked isWatched.
+    JS_EXPORT_PRIVATE void fireAllSlow(VM&, DeferredWatchpointFire* deferredWatchpoints);
     JS_EXPORT_PRIVATE void fireAllSlow(VM&, const char* reason); // Ditto.
 
 private:
     void fireAllWatchpoints(VM&, const FireDetail&);
+    void take(WatchpointSet* other);
 
     friend class InlineWatchpointSet;
 
@@ -308,6 +317,18 @@
         WTF::storeStoreFence();
     }
 
+    void fireAll(VM& vm, DeferredWatchpointFire* deferred)
+    {
+        if (isFat()) {
+            fat()->fireAll(vm, deferred);
+            return;
+        }
+        if (decodeState(m_data) == ClearWatchpoint)
+            return;
+        m_data = encodeState(IsInvalidated);
+        WTF::storeStoreFence();
+    }
+
     void invalidate(VM& vm, const FireDetail& detail)
     {
         if (isFat())
@@ -435,4 +456,19 @@
     uintptr_t m_data;
 };
 
+class DeferredWatchpointFire : public FireDetail {
+    WTF_MAKE_NONCOPYABLE(DeferredWatchpointFire);
+public:
+    JS_EXPORT_PRIVATE DeferredWatchpointFire(VM&);
+    JS_EXPORT_PRIVATE ~DeferredWatchpointFire();
+
+    JS_EXPORT_PRIVATE void takeWatchpointsToFire(WatchpointSet*);
+    JS_EXPORT_PRIVATE void fireAll();
+
+    void dump(PrintStream& out) const override = 0;
+private:
+    VM& m_vm;
+    WatchpointSet m_watchpointsToFire;
+};
+
 } // namespace JSC
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Cameron Zwarich <cwzwarich@uwaterloo.ca>
  * Copyright (C) 2012 Igalia, S.L.
  *
@@ -3114,6 +3114,16 @@
     }
 }
 
+void BytecodeGenerator::preserveTDZStack(BytecodeGenerator::PreservedTDZStack& preservedStack)
+{
+    preservedStack.m_preservedTDZStack = m_TDZStack;
+}
+
+void BytecodeGenerator::restoreTDZStack(const BytecodeGenerator::PreservedTDZStack& preservedStack)
+{
+    m_TDZStack = preservedStack.m_preservedTDZStack;
+}
+
 RegisterID* BytecodeGenerator::emitNewObject(RegisterID* dst)
 {
     size_t begin = instructions().size();
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h	Thu Aug 16 09:11:58 2018 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Cameron Zwarich <cwzwarich@uwaterloo.ca>
  * Copyright (C) 2012 Igalia, S.L.
  *
@@ -1090,6 +1090,13 @@
         void initializeArrowFunctionContextScopeIfNeeded(SymbolTable* functionSymbolTable = nullptr, bool canReuseLexicalEnvironment = false);
         bool needsDerivedConstructorInArrowFunctionLexicalEnvironment();
 
+        enum class TDZNecessityLevel {
+            NotNeeded,
+            Optimize,
+            DoNotOptimize
+        };
+        typedef HashMap<RefPtr<UniquedStringImpl>, TDZNecessityLevel, IdentifierRepHash> TDZMap;
+
     public:
         JSString* addStringConstant(const Identifier&);
         JSValue addBigIntConstant(const Identifier&, uint8_t radix);
@@ -1099,6 +1106,15 @@
 
         RegisterID* emitThrowExpressionTooDeepException();
 
+        class PreservedTDZStack {
+        private:
+            Vector<TDZMap> m_preservedTDZStack;
+            friend class BytecodeGenerator;
+        };
+
+        void preserveTDZStack(PreservedTDZStack&);
+        void restoreTDZStack(const PreservedTDZStack&);
+
     private:
         Vector<UnlinkedInstruction, 0, UnsafeVectorOverflow> m_instructions;
 
@@ -1111,12 +1127,7 @@
             int m_symbolTableConstantIndex;
         };
         Vector<LexicalScopeStackEntry> m_lexicalScopeStack;
-        enum class TDZNecessityLevel {
-            NotNeeded,
-            Optimize,
-            DoNotOptimize
-        };
-        typedef HashMap<RefPtr<UniquedStringImpl>, TDZNecessityLevel, IdentifierRepHash> TDZMap;
+
         Vector<TDZMap> m_TDZStack;
         std::optional<size_t> m_varScopeLexicalScopeStackIndex;
         void pushTDZVariables(const VariableEnvironment&, TDZCheckOptimization, TDZRequirement);
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -3006,6 +3006,9 @@
 
     enumerator = generator.emitGetPropertyEnumerator(generator.newTemporary(), base.get());
 
+    BytecodeGenerator::PreservedTDZStack preservedTDZStack;
+    generator.preserveTDZStack(preservedTDZStack);
+
     // Indexed property loop.
     {
         Ref<LabelScope> scope = generator.newLabelScope(LabelScope::Loop);
@@ -3045,6 +3048,7 @@
         generator.emitJump(end.get());
         generator.emitLabel(loopEnd.get());
     }
+    generator.restoreTDZStack(preservedTDZStack);
 
     // Structure property loop.
     {
@@ -3085,6 +3089,7 @@
         generator.emitJump(end.get());
         generator.emitLabel(loopEnd.get());
     }
+    generator.restoreTDZStack(preservedTDZStack);
 
     // Generic property loop.
     {
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h	Thu Aug 16 09:11:58 2018 +0530
@@ -1967,10 +1967,8 @@
     case RegExpExec:
     case RegExpExecNonGlobalOrSticky:
         if (node->op() == RegExpExec) {
-            if (node->child2().useKind() == RegExpObjectUse
-                && node->child3().useKind() == StringUse) {
-                // This doesn't clobber the world since there are no conversions to perform.
-            } else
+            // Even if we've proven known input types as RegExpObject and String,
+            // accessing lastIndex is effectful if it's a global regexp.
                 clobberWorld(node->origin.semantic, clobberLimit);
         }
 
@@ -1991,10 +1989,8 @@
         break;
 
     case RegExpTest:
-        if (node->child2().useKind() == RegExpObjectUse
-            && node->child3().useKind() == StringUse) {
-            // This doesn't clobber the world since there are no conversions to perform.
-        } else
+        // Even if we've proven known input types as RegExpObject and String,
+        // accessing lastIndex is effectful if it's a global regexp.
             clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).setType(SpecBoolean);
         break;
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGClobberize.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/dfg/DFGClobberize.h	Thu Aug 16 09:11:58 2018 +0530
@@ -1488,18 +1488,18 @@
 
     case RegExpExec:
     case RegExpTest:
+        // Even if we've proven known input types as RegExpObject and String,
+        // accessing lastIndex is effectful if it's a global regexp.
+        read(World);
+        write(Heap);
+        return;
+
     case RegExpMatchFast:
-        if (node->child2().useKind() == RegExpObjectUse
-            && node->child3().useKind() == StringUse) {
             read(RegExpState);
             read(RegExpObject_lastIndex);
             write(RegExpState);
             write(RegExpObject_lastIndex);
             return;
-        }
-        read(World);
-        write(Heap);
-        return;
 
     case RegExpExecNonGlobalOrSticky:
         read(RegExpState);
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -5274,7 +5274,7 @@
             LValue arrayLength = lowInt32(m_node->child1());
             LBasicBlock loopStart = m_out.newBlock();
             JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
-            RegisteredStructure structure = m_graph.registerStructure(globalObject->restParameterStructure());
+            RegisteredStructure structure = m_graph.registerStructure(globalObject->originalRestParameterStructure());
             ArrayValues arrayValues = allocateUninitializedContiguousJSArray(arrayLength, structure);
             LValue array = arrayValues.array;
             LValue butterfly = arrayValues.butterfly;
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -671,15 +671,18 @@
 
     PropertyOffset offset = invalidOffset;
     CodeBlock::StructureWatchpointMap& watchpointMap = codeBlock->llintGetByIdWatchpointMap();
-    auto result = watchpointMap.add(structure, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>());
+    Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint> watchpoints;
     for (ObjectPropertyCondition condition : conditions) {
         if (!condition.isWatchable())
             return;
         if (condition.condition().kind() == PropertyCondition::Presence)
             offset = condition.condition().offset();
-        result.iterator->value.add(condition, pc)->install();
+        watchpoints.add(condition, pc)->install();
     }
+
     ASSERT((offset == invalidOffset) == slot.isUnset());
+    auto result = watchpointMap.add(std::make_tuple(structure, pc), WTFMove(watchpoints));
+    ASSERT_UNUSED(result, result.isNewEntry);
 
     ConcurrentJSLocker locker(codeBlock->m_lock);
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/CommonSlowPaths.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/CommonSlowPaths.h	Thu Aug 16 09:11:58 2018 +0530
@@ -158,7 +158,7 @@
         scope->structure()->didCachePropertyReplacement(vm, slot.cachedOffset());
 
         ConcurrentJSLocker locker(codeBlock->m_lock);
-        pc[5].u.structure.set(vm, codeBlock, scope->structure());
+        pc[5].u.structure.set(vm, codeBlock, scope->structure(vm));
         pc[6].u.operand = slot.cachedOffset();
     }
 }
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSFunction.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSFunction.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -364,9 +364,34 @@
     // Firefox returns null for native code callers, so we match that behavior.
     if (function->isHostOrBuiltinFunction())
         return JSValue::encode(jsNull());
+    SourceParseMode parseMode = function->jsExecutable()->parseMode();
+    switch (parseMode) {
+    case SourceParseMode::GeneratorBodyMode:
+    case SourceParseMode::AsyncGeneratorBodyMode:
+        return JSValue::encode(throwTypeError(exec, scope, ASCIILiteral("Function.caller used to retrieve generator body")));
+    case SourceParseMode::AsyncFunctionBodyMode:
+    case SourceParseMode::AsyncArrowFunctionBodyMode:
+        return JSValue::encode(throwTypeError(exec, scope, ASCIILiteral("Function.caller used to retrieve async function body")));
+    case SourceParseMode::NormalFunctionMode:
+    case SourceParseMode::GeneratorWrapperFunctionMode:
+    case SourceParseMode::GetterMode:
+    case SourceParseMode::SetterMode:
+    case SourceParseMode::MethodMode:
+    case SourceParseMode::ArrowFunctionMode:
+    case SourceParseMode::AsyncFunctionMode:
+    case SourceParseMode::AsyncMethodMode:
+    case SourceParseMode::AsyncArrowFunctionMode:
+    case SourceParseMode::ProgramMode:
+    case SourceParseMode::ModuleAnalyzeMode:
+    case SourceParseMode::ModuleEvaluateMode:
+    case SourceParseMode::AsyncGeneratorWrapperFunctionMode:
+    case SourceParseMode::AsyncGeneratorWrapperMethodMode:
+    case SourceParseMode::GeneratorWrapperMethodMode:
     if (!function->jsExecutable()->isStrictMode())
         return JSValue::encode(caller);
     return JSValue::encode(throwTypeError(exec, scope, ASCIILiteral("Function.caller used to retrieve strict caller")));
+    }
+    RELEASE_ASSERT_NOT_REACHED();
 }
 
 bool JSFunction::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObject.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObject.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -773,6 +773,7 @@
         putDirectWithoutTransition(vm, vm.propertyNames->Loader, m_moduleLoader.get(), static_cast<unsigned>(PropertyAttribute::DontEnum));
 
     JSFunction* builtinLog = JSFunction::create(vm, this, 1, vm.propertyNames->emptyIdentifier.string(), globalFuncBuiltinLog);
+    JSFunction* builtinDescribe = JSFunction::create(vm, this, 1, vm.propertyNames->emptyIdentifier.string(), globalFuncBuiltinDescribe);
 
     JSFunction* privateFuncAbs = JSFunction::create(vm, this, 0, String(), mathProtoFuncAbs, AbsIntrinsic);
     JSFunction* privateFuncFloor = JSFunction::create(vm, this, 0, String(), mathProtoFuncFloor, FloorIntrinsic);
@@ -863,6 +864,7 @@
         GlobalPropertyInfo(vm.propertyNames->builtinNames().hasInstanceBoundFunctionPrivateName(), privateFuncHasInstanceBoundFunction, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().instanceOfPrivateName(), privateFuncInstanceOf, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().BuiltinLogPrivateName(), builtinLog, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->builtinNames().BuiltinDescribePrivateName(), builtinDescribe, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().NumberPrivateName(), numberConstructor, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().RegExpPrivateName(), m_regExpConstructor.get(), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().StringPrivateName(), stringConstructor, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObject.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObject.h	Thu Aug 16 09:11:58 2018 +0530
@@ -667,6 +667,7 @@
     Structure* proxyRevokeStructure() const { return m_proxyRevokeStructure.get(); }
     Structure* moduleLoaderStructure() const { return m_moduleLoaderStructure.get(); }
     Structure* restParameterStructure() const { return arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous); }
+    Structure* originalRestParameterStructure() const { return originalArrayStructureForIndexingType(ArrayWithContiguous); }
 #if ENABLE(WEBASSEMBLY)
     Structure* webAssemblyModuleRecordStructure() const { return m_webAssemblyModuleRecordStructure.get(); }
     Structure* webAssemblyFunctionStructure() const { return m_webAssemblyFunctionStructure.get(); }
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -774,6 +774,11 @@
     return JSValue::encode(jsUndefined());
 }
 
+EncodedJSValue JSC_HOST_CALL globalFuncBuiltinDescribe(ExecState* exec)
+{
+    return JSValue::encode(jsString(exec, toString(exec->argument(0))));
+}
+
 EncodedJSValue JSC_HOST_CALL globalFuncImportModule(ExecState* exec)
 {
     VM& vm = exec->vm();
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h	Thu Aug 16 09:11:58 2018 +0530
@@ -52,6 +52,7 @@
 EncodedJSValue JSC_HOST_CALL globalFuncProtoSetter(ExecState*);
 EncodedJSValue JSC_HOST_CALL globalFuncHostPromiseRejectionTracker(ExecState*);
 EncodedJSValue JSC_HOST_CALL globalFuncBuiltinLog(ExecState*);
+EncodedJSValue JSC_HOST_CALL globalFuncBuiltinDescribe(ExecState*);
 EncodedJSValue JSC_HOST_CALL globalFuncImportModule(ExecState*);
 EncodedJSValue JSC_HOST_CALL globalFuncPropertyIsEnumerable(ExecState*);
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObject.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObject.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1652,7 +1652,7 @@
         prototype.asCell()->didBecomePrototype();
 
     if (structure(vm)->hasMonoProto()) {
-        DeferredStructureTransitionWatchpointFire deferred;
+        DeferredStructureTransitionWatchpointFire deferred(vm, structure(vm));
         Structure* newStructure = Structure::changePrototypeTransition(vm, structure(vm), prototype, deferred);
         setStructure(vm, newStructure);
     } else
@@ -3543,7 +3543,7 @@
 
 void JSObject::convertToDictionary(VM& vm)
 {
-    DeferredStructureTransitionWatchpointFire deferredWatchpointFire;
+    DeferredStructureTransitionWatchpointFire deferredWatchpointFire(vm, structure(vm));
     setStructure(
         vm, Structure::toCacheableDictionaryTransition(vm, structure(vm), &deferredWatchpointFire));
 }
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObjectInlines.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObjectInlines.h	Thu Aug 16 09:11:58 2018 +0530
@@ -287,12 +287,13 @@
 
             putDirect(vm, offset, value);
             structure->didReplaceProperty(offset);
-            slot.setExistingProperty(this, offset);
 
             if ((attributes & PropertyAttribute::Accessor) != (currentAttributes & PropertyAttribute::Accessor) || (attributes & PropertyAttribute::CustomAccessor) != (currentAttributes & PropertyAttribute::CustomAccessor)) {
                 ASSERT(!(attributes & PropertyAttribute::ReadOnly));
                 setStructure(vm, Structure::attributeChangeTransition(vm, structure, propertyName, attributes));
-            }
+            } else
+                slot.setExistingProperty(this, offset);
+
             return true;
         }
 
@@ -344,13 +345,14 @@
                 vm, propertyName, value, slot.context() == PutPropertySlot::PutById);
         }
 
-        slot.setExistingProperty(this, offset);
         putDirect(vm, offset, value);
 
         if ((attributes & PropertyAttribute::Accessor) != (currentAttributes & PropertyAttribute::Accessor) || (attributes & PropertyAttribute::CustomAccessor) != (currentAttributes & PropertyAttribute::CustomAccessor)) {
             ASSERT(!(attributes & PropertyAttribute::ReadOnly));
             setStructure(vm, Structure::attributeChangeTransition(vm, structure, propertyName, attributes));
-        }
+        } else
+            slot.setExistingProperty(this, offset);
+
         return true;
     }
 
@@ -360,7 +362,7 @@
     // We want the structure transition watchpoint to fire after this object has switched
     // structure. This allows adaptive watchpoints to observe if the new structure is the one
     // we want.
-    DeferredStructureTransitionWatchpointFire deferredWatchpointFire;
+    DeferredStructureTransitionWatchpointFire deferredWatchpointFire(vm, structure);
 
     newStructure = Structure::addNewPropertyTransition(
         vm, structure, propertyName, attributes, offset, slot.context(), &deferredWatchpointFire);
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/StringConstructor.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/StringConstructor.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -77,9 +77,9 @@
 
     unsigned length = exec->argumentCount();
     if (LIKELY(length == 1)) {
+        scope.release();
         unsigned code = exec->uncheckedArgument(0).toUInt32(exec);
-        RETURN_IF_EXCEPTION(scope, encodedJSValue());
-        scope.release();
+        // Not checking for an exception here is ok because jsSingleCharacterString will just fetch an unused string if there's an exception.
         return JSValue::encode(jsSingleCharacterString(exec, code));
     }
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/Structure.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/Structure.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1035,22 +1035,20 @@
     out.print("Structure transition from ", *m_structure);
 }
 
-DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire()
-    : m_structure(nullptr)
+DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire(VM& vm, Structure* structure)
+    : DeferredWatchpointFire(vm)
+    , m_structure(structure)
 {
 }
 
 DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire()
 {
-    if (m_structure)
-        m_structure->transitionWatchpointSet().fireAll(*m_structure->vm(), StructureFireDetail(m_structure));
+    fireAll();
 }
 
-void DeferredStructureTransitionWatchpointFire::add(const Structure* structure)
+void DeferredStructureTransitionWatchpointFire::dump(PrintStream& out) const
 {
-    RELEASE_ASSERT(!m_structure);
-    RELEASE_ASSERT(structure);
-    m_structure = structure;
+    out.print("Structure transition from ", *m_structure);
 }
 
 void Structure::didTransitionFromThisStructure(DeferredStructureTransitionWatchpointFire* deferred) const
@@ -1061,9 +1059,10 @@
     if (m_transitionWatchpointSet.isBeingWatched())
         const_cast<Structure*>(this)->setTransitionWatchpointIsLikelyToBeFired(true);
 
-    if (deferred)
-        deferred->add(this);
-    else
+    if (deferred) {
+        ASSERT(deferred->structure() == this);
+        m_transitionWatchpointSet.fireAll(*vm(), deferred);
+    } else
         m_transitionWatchpointSet.fireAll(*vm(), StructureFireDetail(this));
 }
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/Structure.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/Structure.h	Thu Aug 16 09:11:58 2018 +0530
@@ -110,13 +110,15 @@
     const Structure* m_structure;
 };
 
-class DeferredStructureTransitionWatchpointFire {
+class DeferredStructureTransitionWatchpointFire : public DeferredWatchpointFire {
     WTF_MAKE_NONCOPYABLE(DeferredStructureTransitionWatchpointFire);
 public:
-    JS_EXPORT_PRIVATE DeferredStructureTransitionWatchpointFire();
+    JS_EXPORT_PRIVATE DeferredStructureTransitionWatchpointFire(VM&, Structure*);
     JS_EXPORT_PRIVATE ~DeferredStructureTransitionWatchpointFire();
 
-    void add(const Structure*);
+    void dump(PrintStream& out) const override;
+
+    const Structure* structure() const { return m_structure; }
 
 private:
     const Structure* m_structure;
--- a/modules/javafx.web/src/main/native/Source/WTF/wtf/Bag.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WTF/wtf/Bag.h	Thu Aug 16 09:11:58 2018 +0530
@@ -139,12 +139,20 @@
         return result;
     }
 
-    iterator end() { return iterator(); }
+    const iterator begin() const
+    {
+        iterator result;
+        result.m_node = unwrappedHead();
+        return result;
+    }
+
+
+    iterator end() const { return iterator(); }
 
     bool isEmpty() const { return !m_head; }
 
 private:
-    Node* unwrappedHead() { return PtrTraits::unwrap(m_head); }
+    Node* unwrappedHead() const { return PtrTraits::unwrap(m_head); }
 
     typename PtrTraits::StorageType m_head { nullptr };
 };
--- a/modules/javafx.web/src/main/native/Source/WTF/wtf/text/StringBuilderJSON.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WTF/wtf/text/StringBuilderJSON.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -91,6 +91,10 @@
     // https://bugs.webkit.org/show_bug.cgi?id=176086
     allocationSize = std::max(allocationSize, roundUpToPowerOfTwo(allocationSize));
 
+    // Allocating this much will definitely fail.
+    if (allocationSize >= 0x80000000)
+        return false;
+
     if (is8Bit() && !string.is8Bit())
         allocateBufferUpConvert(m_bufferCharacters8, allocationSize);
     else
--- a/modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/AudioContext.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/AudioContext.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -393,6 +393,17 @@
     }
 }
 
+bool AudioContext::wouldTaintOrigin(const URL& url) const
+{
+    if (url.protocolIsData())
+        return false;
+
+    if (auto* document = this->document())
+        return !document->securityOrigin().canRequest(url);
+
+    return false;
+}
+
 ExceptionOr<Ref<AudioBuffer>> AudioContext::createBuffer(unsigned numberOfChannels, size_t numberOfFrames, float sampleRate)
 {
     auto audioBuffer = AudioBuffer::create(numberOfChannels, numberOfFrames, sampleRate);
--- a/modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/AudioContext.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/AudioContext.h	Thu Aug 16 09:11:58 2018 +0530
@@ -71,6 +71,7 @@
 class PannerNode;
 class PeriodicWave;
 class ScriptProcessorNode;
+class URL;
 class WaveShaperNode;
 
 // AudioContext is the cornerstone of the web audio API and all AudioNodes are created from it.
@@ -118,6 +119,8 @@
     enum class State { Suspended, Running, Interrupted, Closed };
     State state() const;
 
+    bool wouldTaintOrigin(const URL&) const;
+
     // The AudioNode create methods are called on the main thread (from JavaScript).
     Ref<AudioBufferSourceNode> createBufferSource();
 #if ENABLE(VIDEO)
--- a/modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/MediaElementAudioSourceNode.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/MediaElementAudioSourceNode.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -67,6 +67,8 @@
 
 void MediaElementAudioSourceNode::setFormat(size_t numberOfChannels, float sourceSampleRate)
 {
+    m_muted = wouldTaintOrigin();
+
     if (numberOfChannels != m_sourceNumberOfChannels || sourceSampleRate != m_sourceSampleRate) {
         if (!numberOfChannels || numberOfChannels > AudioContext::maxNumberOfChannels() || sourceSampleRate < minSampleRate || sourceSampleRate > maxSampleRate) {
             // process() will generate silence for these uninitialized values.
@@ -100,11 +102,22 @@
     }
 }
 
+bool MediaElementAudioSourceNode::wouldTaintOrigin()
+{
+    if (!m_mediaElement->hasSingleSecurityOrigin())
+        return true;
+
+    if (m_mediaElement->player() && m_mediaElement->player()->didPassCORSAccessCheck())
+        return false;
+
+    return context().wouldTaintOrigin(m_mediaElement->currentSrc());
+}
+
 void MediaElementAudioSourceNode::process(size_t numberOfFrames)
 {
     AudioBus* outputBus = output(0)->bus();
 
-    if (!m_sourceNumberOfChannels || !m_sourceSampleRate) {
+    if (m_muted || !m_sourceNumberOfChannels || !m_sourceSampleRate) {
         outputBus->zero();
         return;
     }
--- a/modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/MediaElementAudioSourceNode.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/Modules/webaudio/MediaElementAudioSourceNode.h	Thu Aug 16 09:11:58 2018 +0530
@@ -64,11 +64,14 @@
     // As an audio source, we will never propagate silence.
     bool propagatesSilence() const override { return false; }
 
+    bool wouldTaintOrigin();
+
     Ref<HTMLMediaElement> m_mediaElement;
     Lock m_processMutex;
 
     unsigned m_sourceNumberOfChannels;
     double m_sourceSampleRate;
+    bool m_muted { false };
 
     std::unique_ptr<MultiChannelResampler> m_multiChannelResampler;
 };
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/BaseButtonInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/BaseButtonInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -53,7 +53,8 @@
 
 RenderPtr<RenderElement> BaseButtonInputType::createInputRenderer(RenderStyle&& style)
 {
-    return createRenderer<RenderButton>(element(), WTFMove(style));
+    ASSERT(element());
+    return createRenderer<RenderButton>(*element(), WTFMove(style));
 }
 
 bool BaseButtonInputType::storesValueSeparateFromAttribute()
@@ -63,7 +64,8 @@
 
 void BaseButtonInputType::setValue(const String& sanitizedValue, bool, TextFieldEventBehavior)
 {
-    element().setAttributeWithoutSynchronization(valueAttr, sanitizedValue);
+    ASSERT(element());
+    element()->setAttributeWithoutSynchronization(valueAttr, sanitizedValue);
 }
 
 } // namespace WebCore
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/BaseCheckableInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/BaseCheckableInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -45,19 +45,22 @@
 
 FormControlState BaseCheckableInputType::saveFormControlState() const
 {
-    return { element().checked() ? ASCIILiteral("on") : ASCIILiteral("off") };
+    ASSERT(element());
+    return { element()->checked() ? ASCIILiteral("on") : ASCIILiteral("off") };
 }
 
 void BaseCheckableInputType::restoreFormControlState(const FormControlState& state)
 {
-    element().setChecked(state[0] == "on");
+    ASSERT(element());
+    element()->setChecked(state[0] == "on");
 }
 
 bool BaseCheckableInputType::appendFormData(DOMFormData& formData, bool) const
 {
-    if (!element().checked())
+    ASSERT(element());
+    if (!element()->checked())
         return false;
-    formData.append(element().name(), element().value());
+    formData.append(element()->name(), element()->value());
     return true;
 }
 
@@ -65,7 +68,8 @@
 {
     const String& key = event.keyIdentifier();
     if (key == "U+0020") {
-        element().setActive(true, true);
+        ASSERT(element());
+        element()->setActive(true, true);
         // No setDefaultHandled(), because IE dispatches a keypress in this case
         // and the caller will only dispatch a keypress if we don't call setDefaultHandled().
     }
@@ -89,7 +93,8 @@
 {
     InputType::accessKeyAction(sendMouseEvents);
 
-    element().dispatchSimulatedClick(0, sendMouseEvents ? SendMouseUpDownEvents : SendNoEvents);
+    ASSERT(element());
+    element()->dispatchSimulatedClick(0, sendMouseEvents ? SendMouseUpDownEvents : SendNoEvents);
 }
 
 String BaseCheckableInputType::fallbackValue() const
@@ -105,7 +110,8 @@
 
 void BaseCheckableInputType::setValue(const String& sanitizedValue, bool, TextFieldEventBehavior)
 {
-    element().setAttributeWithoutSynchronization(valueAttr, sanitizedValue);
+    ASSERT(element());
+    element()->setAttributeWithoutSynchronization(valueAttr, sanitizedValue);
 }
 
 bool BaseCheckableInputType::isCheckable()
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/BaseChooserOnlyDateAndTimeInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/BaseChooserOnlyDateAndTimeInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -45,15 +45,15 @@
 
 void BaseChooserOnlyDateAndTimeInputType::handleDOMActivateEvent(Event&)
 {
-    if (element().isDisabledOrReadOnly() || !element().renderer() || !UserGestureIndicator::processingUserGesture())
+    if (element()->isDisabledOrReadOnly() || !element()->renderer() || !UserGestureIndicator::processingUserGesture())
         return;
 
     if (m_dateTimeChooser)
         return;
-    if (!element().document().page())
+    if (!element()->document().page())
         return;
     DateTimeChooserParameters parameters;
-    if (!element().setupDateTimeChooserParameters(parameters))
+    if (!element()->setupDateTimeChooserParameters(parameters))
         return;
 }
 
@@ -61,15 +61,15 @@
 {
     static NeverDestroyed<AtomicString> valueContainerPseudo("-webkit-date-and-time-value", AtomicString::ConstructFromLiteral);
 
-    auto valueContainer = HTMLDivElement::create(element().document());
+    auto valueContainer = HTMLDivElement::create(element()->document());
     valueContainer->setPseudo(valueContainerPseudo);
-    element().userAgentShadowRoot()->appendChild(valueContainer);
+    element()->userAgentShadowRoot()->appendChild(valueContainer);
     updateAppearance();
 }
 
 void BaseChooserOnlyDateAndTimeInputType::updateAppearance()
 {
-    RefPtr<Node> node = element().userAgentShadowRoot()->firstChild();
+    RefPtr<Node> node = element()->userAgentShadowRoot()->firstChild();
     if (!is<HTMLElement>(node))
         return;
     String displayValue = visibleValue();
@@ -94,7 +94,7 @@
 
 void BaseChooserOnlyDateAndTimeInputType::didChooseValue(const String& value)
 {
-    element().setValue(value, DispatchInputAndChangeEvent);
+    element()->setValue(value, DispatchInputAndChangeEvent);
 }
 
 void BaseChooserOnlyDateAndTimeInputType::didEndChooser()
@@ -110,12 +110,12 @@
 
 void BaseChooserOnlyDateAndTimeInputType::handleKeydownEvent(KeyboardEvent& event)
 {
-    BaseClickableWithKeyInputType::handleKeydownEvent(element(), event);
+    BaseClickableWithKeyInputType::handleKeydownEvent(*element(), event);
 }
 
 void BaseChooserOnlyDateAndTimeInputType::handleKeypressEvent(KeyboardEvent& event)
 {
-    BaseClickableWithKeyInputType::handleKeypressEvent(element(), event);
+    BaseClickableWithKeyInputType::handleKeypressEvent(*element(), event);
 }
 
 void BaseChooserOnlyDateAndTimeInputType::handleKeyupEvent(KeyboardEvent& event)
@@ -126,12 +126,12 @@
 void BaseChooserOnlyDateAndTimeInputType::accessKeyAction(bool sendMouseEvents)
 {
     BaseDateAndTimeInputType::accessKeyAction(sendMouseEvents);
-    BaseClickableWithKeyInputType::accessKeyAction(element(), sendMouseEvents);
+    BaseClickableWithKeyInputType::accessKeyAction(*element(), sendMouseEvents);
 }
 
 bool BaseChooserOnlyDateAndTimeInputType::isMouseFocusable() const
 {
-    return element().isTextFormControlFocusable();
+    return element()->isTextFormControlFocusable();
 }
 
 }
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/BaseClickableWithKeyInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/BaseClickableWithKeyInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010, 2012 Google Inc. All rights reserved.
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -80,12 +80,14 @@
 
 void BaseClickableWithKeyInputType::handleKeydownEvent(KeyboardEvent& event)
 {
-    handleKeydownEvent(element(), event);
+    ASSERT(element());
+    handleKeydownEvent(*element(), event);
 }
 
 void BaseClickableWithKeyInputType::handleKeypressEvent(KeyboardEvent& event)
 {
-    handleKeypressEvent(element(), event);
+    ASSERT(element());
+    handleKeypressEvent(*element(), event);
 }
 
 void BaseClickableWithKeyInputType::handleKeyupEvent(KeyboardEvent& event)
@@ -96,7 +98,8 @@
 void BaseClickableWithKeyInputType::accessKeyAction(bool sendMouseEvents)
 {
     InputType::accessKeyAction(sendMouseEvents);
-    accessKeyAction(element(), sendMouseEvents);
+    ASSERT(element());
+    accessKeyAction(*element(), sendMouseEvents);
 }
 
 } // namespace WebCore
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/BaseDateAndTimeInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/BaseDateAndTimeInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -58,19 +58,19 @@
 
 ExceptionOr<void> BaseDateAndTimeInputType::setValueAsDate(double value) const
 {
-    element().setValue(serializeWithMilliseconds(value));
+    element()->setValue(serializeWithMilliseconds(value));
     return { };
 }
 
 double BaseDateAndTimeInputType::valueAsDouble() const
 {
-    const Decimal value = parseToNumber(element().value(), Decimal::nan());
+    const Decimal value = parseToNumber(element()->value(), Decimal::nan());
     return value.isFinite() ? value.toDouble() : DateComponents::invalidMilliseconds();
 }
 
 ExceptionOr<void> BaseDateAndTimeInputType::setValueAsDecimal(const Decimal& newValue, TextFieldEventBehavior eventBehavior) const
 {
-    element().setValue(serialize(newValue), eventBehavior);
+    element()->setValue(serialize(newValue), eventBehavior);
     return { };
 }
 
@@ -81,7 +81,7 @@
 
 bool BaseDateAndTimeInputType::typeMismatch() const
 {
-    return typeMismatchFor(element().value());
+    return typeMismatchFor(element()->value());
 }
 
 Decimal BaseDateAndTimeInputType::defaultValueForStepUp() const
@@ -98,7 +98,8 @@
 
 void BaseDateAndTimeInputType::minOrMaxAttributeChanged()
 {
-    element().invalidateStyleForSubtree();
+    if (auto* element = this->element())
+        element->invalidateStyleForSubtree();
 }
 
 Decimal BaseDateAndTimeInputType::parseToNumber(const String& source, const Decimal& defaultValue) const
@@ -134,7 +135,7 @@
 String BaseDateAndTimeInputType::serializeWithComponents(const DateComponents& date) const
 {
     Decimal step;
-    if (!element().getAllowedValueStep(&step))
+    if (!element()->getAllowedValueStep(&step))
         return date.toString();
     if (step.remainder(msecPerMinute).isZero())
         return date.toString(DateComponents::None);
@@ -154,13 +155,13 @@
     if (!parseToDateComponents(proposedValue, &date))
         return proposedValue;
 
-    String localized = element().locale().formatDateTime(date);
+    String localized = element()->locale().formatDateTime(date);
     return localized.isEmpty() ? proposedValue : localized;
 }
 
 String BaseDateAndTimeInputType::visibleValue() const
 {
-    return localizeValue(element().value());
+    return localizeValue(element()->value());
 }
 
 String BaseDateAndTimeInputType::sanitizeValue(const String& proposedValue) const
@@ -180,13 +181,13 @@
 
 bool BaseDateAndTimeInputType::valueMissing(const String& value) const
 {
-    return element().isRequired() && value.isEmpty();
+    return element()->isRequired() && value.isEmpty();
 }
 
 #if PLATFORM(IOS)
 bool BaseDateAndTimeInputType::isKeyboardFocusable(KeyboardEvent&) const
 {
-    return !element().isReadOnly() && element().isTextFormControlFocusable();
+    return !element()->isReadOnly() && element()->isTextFormControlFocusable();
 }
 #endif
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/BaseTextInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/BaseTextInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -3,6 +3,7 @@
  *
  * Copyright (C) 2009 Michelangelo De Simone <micdesim@gmail.com>
  * Copyright (C) 2010 Google Inc. All rights reserved.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -39,7 +40,8 @@
 
 bool BaseTextInputType::patternMismatch(const String& value) const
 {
-    const AtomicString& rawPattern = element().attributeWithoutSynchronization(patternAttr);
+    ASSERT(element());
+    const AtomicString& rawPattern = element()->attributeWithoutSynchronization(patternAttr);
     if (rawPattern.isNull() || value.isEmpty() || !JSC::Yarr::RegularExpression(rawPattern).isValid())
         return false;
     String pattern = "^(?:" + rawPattern + ")$";
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/CheckboxInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/CheckboxInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -46,7 +46,8 @@
 
 bool CheckboxInputType::valueMissing(const String&) const
 {
-    return element().isRequired() && !element().checked();
+    ASSERT(element());
+    return element()->isRequired() && !element()->checked();
 }
 
 String CheckboxInputType::valueMissingText() const
@@ -64,23 +65,26 @@
 
 void CheckboxInputType::willDispatchClick(InputElementClickState& state)
 {
+    ASSERT(element());
+
     // An event handler can use preventDefault or "return false" to reverse the checking we do here.
     // The InputElementClickState object contains what we need to undo what we did here in didDispatchClick.
 
-    state.checked = element().checked();
-    state.indeterminate = element().indeterminate();
+    state.checked = element()->checked();
+    state.indeterminate = element()->indeterminate();
 
     if (state.indeterminate)
-        element().setIndeterminate(false);
+        element()->setIndeterminate(false);
 
-    element().setChecked(!state.checked, DispatchChangeEvent);
+    element()->setChecked(!state.checked, DispatchChangeEvent);
 }
 
 void CheckboxInputType::didDispatchClick(Event& event, const InputElementClickState& state)
 {
     if (event.defaultPrevented() || event.defaultHandled()) {
-        element().setIndeterminate(state.indeterminate);
-        element().setChecked(state.checked);
+        ASSERT(element());
+        element()->setIndeterminate(state.indeterminate);
+        element()->setChecked(state.checked);
     }
 
     // The work we did in willDispatchClick was default handling.
@@ -99,7 +103,8 @@
 
 bool CheckboxInputType::shouldAppearIndeterminate() const
 {
-    return element().indeterminate();
+    ASSERT(element());
+    return element()->indeterminate();
 }
 
 } // namespace WebCore
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/ColorInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/ColorInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -111,20 +111,22 @@
 
 Color ColorInputType::valueAsColor() const
 {
-    return parseSimpleColorValue(element().value()).value();
+    ASSERT(element());
+    return parseSimpleColorValue(element()->value()).value();
 }
 
 void ColorInputType::createShadowSubtree()
 {
-    ASSERT(element().shadowRoot());
+    ASSERT(element());
+    ASSERT(element()->shadowRoot());
 
-    Document& document = element().document();
+    Document& document = element()->document();
     auto wrapperElement = HTMLDivElement::create(document);
     wrapperElement->setPseudo(AtomicString("-webkit-color-swatch-wrapper", AtomicString::ConstructFromLiteral));
     auto colorSwatch = HTMLDivElement::create(document);
     colorSwatch->setPseudo(AtomicString("-webkit-color-swatch", AtomicString::ConstructFromLiteral));
     wrapperElement->appendChild(colorSwatch);
-    element().userAgentShadowRoot()->appendChild(wrapperElement);
+    element()->userAgentShadowRoot()->appendChild(wrapperElement);
 
     updateColorSwatch();
 }
@@ -143,7 +145,8 @@
 
 void ColorInputType::handleDOMActivateEvent(Event& event)
 {
-    if (element().isDisabledFormControl() || !element().renderer())
+    ASSERT(element());
+    if (element()->isDisabledFormControl() || !element()->renderer())
         return;
 
     if (!UserGestureIndicator::processingUserGesture())
@@ -181,12 +184,13 @@
 
 void ColorInputType::didChooseColor(const Color& color)
 {
-    if (element().isDisabledFormControl() || color == valueAsColor())
+    ASSERT(element());
+    if (element()->isDisabledFormControl() || color == valueAsColor())
         return;
     EventQueueScope scope;
-    element().setValueFromRenderer(color.serialized());
+    element()->setValueFromRenderer(color.serialized());
     updateColorSwatch();
-    element().dispatchFormControlChangeEvent();
+    element()->dispatchFormControlChangeEvent();
 }
 
 void ColorInputType::didEndChooser()
@@ -206,12 +210,14 @@
     if (!colorSwatch)
         return;
 
-    colorSwatch->setInlineStyleProperty(CSSPropertyBackgroundColor, element().value(), false);
+    ASSERT(element());
+    colorSwatch->setInlineStyleProperty(CSSPropertyBackgroundColor, element()->value(), false);
 }
 
 HTMLElement* ColorInputType::shadowColorSwatch() const
 {
-    RefPtr<ShadowRoot> shadow = element().userAgentShadowRoot();
+    ASSERT(element());
+    RefPtr<ShadowRoot> shadow = element()->userAgentShadowRoot();
     if (!shadow)
         return nullptr;
 
@@ -224,9 +230,10 @@
 
 IntRect ColorInputType::elementRectRelativeToRootView() const
 {
-    if (!element().renderer())
+    ASSERT(element());
+    if (!element()->renderer())
         return IntRect();
-    return element().document().view()->contentsToRootView(element().renderer()->absoluteBoundingBoxRect());
+    return element()->document().view()->contentsToRootView(element()->renderer()->absoluteBoundingBoxRect());
 }
 
 Color ColorInputType::currentColor()
@@ -237,7 +244,8 @@
 bool ColorInputType::shouldShowSuggestions() const
 {
 #if ENABLE(DATALIST_ELEMENT)
-    return element().hasAttributeWithoutSynchronization(listAttr);
+    ASSERT(element());
+    return element()->hasAttributeWithoutSynchronization(listAttr);
 #else
     return false;
 #endif
@@ -247,7 +255,8 @@
 {
     Vector<Color> suggestions;
 #if ENABLE(DATALIST_ELEMENT)
-    if (auto dataList = element().dataList()) {
+    ASSERT(element());
+    if (auto dataList = element()->dataList()) {
         Ref<HTMLCollection> options = dataList->options();
         unsigned length = options->length();
         suggestions.reserveInitialCapacity(length);
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/DateInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/DateInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -64,10 +64,10 @@
 {
     static NeverDestroyed<const StepRange::StepDescription> stepDescription(dateDefaultStep, dateDefaultStepBase, dateStepScaleFactor, StepRange::ParsedStepValueShouldBeInteger);
 
-    const Decimal stepBase = parseToNumber(element().attributeWithoutSynchronization(minAttr), 0);
-    const Decimal minimum = parseToNumber(element().attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumDate()));
-    const Decimal maximum = parseToNumber(element().attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumDate()));
-    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element().attributeWithoutSynchronization(stepAttr));
+    const Decimal stepBase = parseToNumber(element()->attributeWithoutSynchronization(minAttr), 0);
+    const Decimal minimum = parseToNumber(element()->attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumDate()));
+    const Decimal maximum = parseToNumber(element()->attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumDate()));
+    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element()->attributeWithoutSynchronization(stepAttr));
     return StepRange(stepBase, RangeLimitations::Valid, minimum, maximum, step, stepDescription);
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/DateTimeInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/DateTimeInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -65,10 +65,10 @@
 {
     static NeverDestroyed<const StepRange::StepDescription> stepDescription(dateTimeDefaultStep, dateTimeDefaultStepBase, dateTimeStepScaleFactor, StepRange::ScaledStepValueShouldBeInteger);
 
-    const Decimal stepBase = parseToNumber(element().attributeWithoutSynchronization(minAttr), 0);
-    const Decimal minimum = parseToNumber(element().attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumDateTime()));
-    const Decimal maximum = parseToNumber(element().attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumDateTime()));
-    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element().attributeWithoutSynchronization(stepAttr));
+    const Decimal stepBase = parseToNumber(element()->attributeWithoutSynchronization(minAttr), 0);
+    const Decimal minimum = parseToNumber(element()->attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumDateTime()));
+    const Decimal maximum = parseToNumber(element()->attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumDateTime()));
+    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element()->attributeWithoutSynchronization(stepAttr));
     return StepRange(stepBase, RangeLimitations::Valid, minimum, maximum, step, stepDescription);
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/DateTimeLocalInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/DateTimeLocalInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -72,10 +72,10 @@
 {
     static NeverDestroyed<const StepRange::StepDescription> stepDescription(dateTimeLocalDefaultStep, dateTimeLocalDefaultStepBase, dateTimeLocalStepScaleFactor, StepRange::ScaledStepValueShouldBeInteger);
 
-    const Decimal stepBase = parseToNumber(element().attributeWithoutSynchronization(minAttr), 0);
-    const Decimal minimum = parseToNumber(element().attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumDateTime()));
-    const Decimal maximum = parseToNumber(element().attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumDateTime()));
-    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element().attributeWithoutSynchronization(stepAttr));
+    const Decimal stepBase = parseToNumber(element()->attributeWithoutSynchronization(minAttr), 0);
+    const Decimal minimum = parseToNumber(element()->attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumDateTime()));
+    const Decimal maximum = parseToNumber(element()->attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumDateTime()));
+    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element()->attributeWithoutSynchronization(stepAttr));
     return StepRange(stepBase, RangeLimitations::Valid, minimum, maximum, step, stepDescription);
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/EmailInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/EmailInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -3,6 +3,7 @@
  *
  * Copyright (C) 2009 Michelangelo De Simone <micdesim@gmail.com>
  * Copyright (C) 2010 Google Inc. All rights reserved.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Library General Public
@@ -58,9 +59,10 @@
 
 bool EmailInputType::typeMismatchFor(const String& value) const
 {
+    ASSERT(element());
     if (value.isEmpty())
         return false;
-    if (!element().multiple())
+    if (!element()->multiple())
         return !isValidEmailAddress(value);
     Vector<String> addresses;
     value.split(',', true, addresses);
@@ -73,12 +75,14 @@
 
 bool EmailInputType::typeMismatch() const
 {
-    return typeMismatchFor(element().value());
+    ASSERT(element());
+    return typeMismatchFor(element()->value());
 }
 
 String EmailInputType::typeMismatchText() const
 {
-    return element().multiple() ? validationMessageTypeMismatchForMultipleEmailText() : validationMessageTypeMismatchForEmailText();
+    ASSERT(element());
+    return element()->multiple() ? validationMessageTypeMismatchForMultipleEmailText() : validationMessageTypeMismatchForEmailText();
 }
 
 bool EmailInputType::isEmailField() const
@@ -94,7 +98,8 @@
 String EmailInputType::sanitizeValue(const String& proposedValue) const
 {
     String noLineBreakValue = proposedValue.removeCharacters(isHTMLLineBreak);
-    if (!element().multiple())
+    ASSERT(element());
+    if (!element()->multiple())
         return stripLeadingAndTrailingHTMLSpaces(noLineBreakValue);
     Vector<String> addresses;
     noLineBreakValue.split(',', true, addresses);
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/FileInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/FileInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -151,10 +151,11 @@
 
 bool FileInputType::appendFormData(DOMFormData& formData, bool multipart) const
 {
-    auto fileList = makeRefPtr(element().files());
+    ASSERT(element());
+    auto fileList = makeRefPtr(element()->files());
     ASSERT(fileList);
 
-    auto name = element().name();
+    auto name = element()->name();
 
     if (!multipart) {
         // Send only the basenames.
@@ -184,17 +185,20 @@
 
 bool FileInputType::valueMissing(const String& value) const
 {
-    return element().isRequired() && value.isEmpty();
+    ASSERT(element());
+    return element()->isRequired() && value.isEmpty();
 }
 
 String FileInputType::valueMissingText() const
 {
-    return element().multiple() ? validationMessageValueMissingForMultipleFileText() : validationMessageValueMissingForFileText();
+    ASSERT(element());
+    return element()->multiple() ? validationMessageValueMissingForMultipleFileText() : validationMessageValueMissingForFileText();
 }
 
 void FileInputType::handleDOMActivateEvent(Event& event)
 {
-    auto& input = element();
+    ASSERT(element());
+    auto& input = *element();
 
     if (input.isDisabledFormControl())
         return;
@@ -221,7 +225,8 @@
 
 RenderPtr<RenderElement> FileInputType::createInputRenderer(RenderStyle&& style)
 {
-    return createRenderer<RenderFileUploadControl>(element(), WTFMove(style));
+    ASSERT(element());
+    return createRenderer<RenderFileUploadControl>(*element(), WTFMove(style));
 }
 
 bool FileInputType::canSetStringValue() const
@@ -265,7 +270,8 @@
     // FIXME: Should we clear the file list, or replace it with a new empty one here? This is observable from JavaScript through custom properties.
     m_fileList->clear();
     m_icon = nullptr;
-    element().invalidateStyleForSubtree();
+    ASSERT(element());
+    element()->invalidateStyleForSubtree();
 }
 
 bool FileInputType::isFileUpload() const
@@ -275,32 +281,33 @@
 
 void FileInputType::createShadowSubtree()
 {
-    ASSERT(element().shadowRoot());
-    element().userAgentShadowRoot()->appendChild(element().multiple() ? UploadButtonElement::createForMultiple(element().document()): UploadButtonElement::create(element().document()));
+    ASSERT(element());
+    ASSERT(element()->shadowRoot());
+    element()->userAgentShadowRoot()->appendChild(element()->multiple() ? UploadButtonElement::createForMultiple(element()->document()): UploadButtonElement::create(element()->document()));
 }
 
 void FileInputType::disabledAttributeChanged()
 {
-    ASSERT(element().shadowRoot());
+    ASSERT(element());
+    ASSERT(element()->shadowRoot());
 
-    auto root = element().userAgentShadowRoot();
+    auto root = element()->userAgentShadowRoot();
     if (!root)
         return;
 
     if (auto button = makeRefPtr(childrenOfType<UploadButtonElement>(*root).first()))
-        button->setBooleanAttribute(disabledAttr, element().isDisabledFormControl());
+        button->setBooleanAttribute(disabledAttr, element()->isDisabledFormControl());
 }
 
 void FileInputType::multipleAttributeChanged()
 {
-    ASSERT(element().shadowRoot());
-
-    auto root = element().userAgentShadowRoot();
-    if (!root)
-        return;
-
+    if (auto* element = this->element()) {
+        ASSERT(element->shadowRoot());
+        if (auto root = element->userAgentShadowRoot()) {
     if (auto button = makeRefPtr(childrenOfType<UploadButtonElement>(*root).first()))
-        button->setValue(element().multiple() ? fileButtonChooseMultipleFilesLabel() : fileButtonChooseFileLabel());
+                button->setValue(element->multiple() ? fileButtonChooseMultipleFilesLabel() : fileButtonChooseFileLabel());
+        }
+    }
 }
 
 void FileInputType::requestIcon(const Vector<String>& paths)
@@ -337,7 +344,8 @@
 {
     if (!RuntimeEnabledFeatures::sharedFeatures().directoryUploadEnabled())
         return false;
-    return element().hasAttributeWithoutSynchronization(webkitdirectoryAttr);
+    ASSERT(element());
+    return element()->hasAttributeWithoutSynchronization(webkitdirectoryAttr);
 }
 
 void FileInputType::setFiles(RefPtr<FileList>&& files)
@@ -350,7 +358,8 @@
     if (!files)
         return;
 
-    Ref<HTMLInputElement> input(element());
+    ASSERT(element());
+    Ref<HTMLInputElement> protectedInputElement(*element());
 
     unsigned length = files->length();
 
@@ -368,8 +377,8 @@
 
     m_fileList = files.releaseNonNull();
 
-    input->setFormControlValueMatchesRenderer(true);
-    input->updateValidity();
+    protectedInputElement->setFormControlValueMatchesRenderer(true);
+    protectedInputElement->updateValidity();
 
     if (shouldRequestIcon == RequestIcon::Yes) {
         Vector<String> paths;
@@ -379,15 +388,15 @@
         requestIcon(paths);
     }
 
-    if (input->renderer())
-        input->renderer()->repaint();
+    if (protectedInputElement->renderer())
+        protectedInputElement->renderer()->repaint();
 
     if (pathsChanged) {
         // This call may cause destruction of this instance.
         // input instance is safe since it is ref-counted.
-        input->dispatchChangeEvent();
+        protectedInputElement->dispatchChangeEvent();
     }
-    input->setChangedSinceLastFormControlChangeEvent(false);
+    protectedInputElement->setChangedSinceLastFormControlChangeEvent(false);
 }
 
 void FileInputType::filesChosen(const Vector<FileChooserFileInfo>& paths, const String& displayString, Icon* icon)
@@ -420,8 +429,9 @@
         return;
 
     m_icon = WTFMove(icon);
-    if (element().renderer())
-        element().renderer()->repaint();
+    ASSERT(element());
+    if (auto* renderer = element()->renderer())
+        renderer->repaint();
 }
 
 #if ENABLE(DRAG_SUPPORT)
@@ -431,7 +441,8 @@
     if (paths.isEmpty())
         return false;
 
-    if (element().hasAttributeWithoutSynchronization(multipleAttr)) {
+    ASSERT(element());
+    if (element()->hasAttributeWithoutSynchronization(multipleAttr)) {
         Vector<FileChooserFileInfo> files;
         files.reserveInitialCapacity(paths.size());
         for (auto& path : paths)
@@ -454,7 +465,8 @@
 {
     unsigned listSize = m_fileList->length();
     if (!listSize) {
-        if (element().multiple())
+        ASSERT(element());
+        if (element()->multiple())
             return fileButtonNoFilesSelectedLabel();
         return fileButtonNoFileSelectedLabel();
     }
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLButtonElement.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLButtonElement.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -2,7 +2,7 @@
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004, 2005, 2006, 2007, 2010, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2018 Apple Inc. All rights reserved.
  *           (C) 2006 Alexey Proskuryakov (ap@nypop.com)
  * Copyright (C) 2007 Samuel Weinig (sam@webkit.org)
  *
@@ -32,6 +32,7 @@
 #include "HTMLNames.h"
 #include "KeyboardEvent.h"
 #include "RenderButton.h"
+#include <wtf/SetForScope.h>
 #include <wtf/StdLibExtras.h>
 
 namespace WebCore {
@@ -115,14 +116,24 @@
 void HTMLButtonElement::defaultEventHandler(Event& event)
 {
     if (event.type() == eventNames().DOMActivateEvent && !isDisabledFormControl()) {
-        if (form() && m_type == SUBMIT) {
-            m_isActivatedSubmit = true;
-            form()->prepareForSubmission(event);
-            event.setDefaultHandled();
-            m_isActivatedSubmit = false; // Do this in case submission was canceled.
+        RefPtr<HTMLFormElement> protectedForm(form());
+
+        if (protectedForm) {
+            // Update layout before processing form actions in case the style changes
+            // the Form or button relationships.
+            document().updateLayoutIgnorePendingStylesheets();
+
+            if (auto currentForm = form()) {
+                if (m_type == SUBMIT) {
+                    SetForScope<bool> activatedSubmitState(m_isActivatedSubmit, true);
+                    currentForm->prepareForSubmission(event);
         }
-        if (form() && m_type == RESET) {
-            form()->reset();
+
+                if (m_type == RESET)
+                    currentForm->reset();
+            }
+
+            if (m_type == SUBMIT || m_type == RESET)
             event.setDefaultHandled();
         }
     }
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLFormElement.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLFormElement.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -219,9 +219,9 @@
     // Because the form has invalid controls, we abort the form submission and
     // show a validation message on a focusable form control.
 
-    // Needs to update layout now because we'd like to call isFocusable(), which
-    // has !renderer()->needsLayout() assertion.
-    document().updateLayoutIgnorePendingStylesheets();
+    // Make sure layout is up-to-date in case we call isFocusable() (which
+    // has !renderer()->needsLayout() assertion).
+    ASSERT(!document().view() || !document().view()->needsLayout());
 
     Ref<HTMLFormElement> protectedThis(*this);
 
@@ -740,6 +740,12 @@
 
 bool HTMLFormElement::reportValidity()
 {
+    Ref<HTMLFormElement> protectedThis(*this);
+
+    // Update layout before processing form actions in case the style changes
+    // the Form or button relationships.
+    document().updateLayoutIgnorePendingStylesheets();
+
     return validateInteractively();
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLInputElement.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLInputElement.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -97,7 +97,6 @@
 HTMLInputElement::HTMLInputElement(const QualifiedName& tagName, Document& document, HTMLFormElement* form, bool createdByParser)
     : HTMLTextFormControlElement(tagName, document, form)
     , m_size(defaultSize)
-    , m_maxResults(-1)
     , m_isChecked(false)
     , m_reflectsCheckedAttribute(true)
     , m_isIndeterminate(false)
@@ -120,10 +119,12 @@
     , m_hasTouchEventHandler(false)
 #endif
     , m_isSpellcheckDisabledExceptTextReplacement(false)
+{
     // m_inputType is lazily created when constructed by the parser to avoid constructing unnecessarily a text inputType and
     // its shadow subtree, just to destroy them when the |type| attribute gets set by the parser to something else than 'text'.
-    , m_inputType(createdByParser ? nullptr : InputType::createText(*this))
-{
+    if (!createdByParser)
+        m_inputType = InputType::createText(*this);
+
     ASSERT(hasTagName(inputTag));
     setHasCustomStyleResolveCallbacks();
 }
@@ -146,7 +147,8 @@
 
 void HTMLInputElement::didAddUserAgentShadowRoot(ShadowRoot&)
 {
-    m_inputType->createShadowSubtree();
+    Ref<InputType> protectedInputType(*m_inputType);
+    protectedInputType->createShadowSubtree();
     updateInnerTextElementEditability();
 }
 
@@ -612,7 +614,8 @@
 
 void HTMLInputElement::accessKeyAction(bool sendMouseEvents)
 {
-    m_inputType->accessKeyAction(sendMouseEvents);
+    Ref<InputType> protectedInputType(*m_inputType);
+    protectedInputType->accessKeyAction(sendMouseEvents);
 }
 
 bool HTMLInputElement::isPresentationAttribute(const QualifiedName& name) const
@@ -669,6 +672,7 @@
 void HTMLInputElement::parseAttribute(const QualifiedName& name, const AtomicString& value)
 {
     ASSERT(m_inputType);
+    Ref<InputType> protectedInputType(*m_inputType);
 
     if (name == nameAttr) {
         removeFromRadioButtonGroup();
@@ -876,6 +880,7 @@
 
 bool HTMLInputElement::appendFormData(DOMFormData& formData, bool multipart)
 {
+    Ref<InputType> protectedInputType(*m_inputType);
     return m_inputType->isFormDataAppendable() && m_inputType->appendFormData(formData, multipart);
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLInputElement.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/HTMLInputElement.h	Thu Aug 16 09:11:58 2018 +0530
@@ -28,6 +28,7 @@
 #include "HTMLTextFormControlElement.h"
 #include "StepRange.h"
 #include <memory>
+#include <wtf/WeakPtr.h>
 
 #if PLATFORM(IOS)
 #include "DateComponents.h"
@@ -341,6 +342,8 @@
 
     ExceptionOr<void> setSelectionRangeForBindings(int start, int end, const String& direction);
 
+    auto& weakPtrFactory() const { return m_weakFactory; }
+
 protected:
     HTMLInputElement(const QualifiedName&, Document&, HTMLFormElement*, bool createdByParser);
 
@@ -446,7 +449,7 @@
     AtomicString m_name;
     String m_valueIfDirty;
     unsigned m_size;
-    short m_maxResults;
+    short m_maxResults { -1 };
     bool m_isChecked : 1;
     bool m_reflectsCheckedAttribute : 1;
     bool m_isIndeterminate : 1;
@@ -469,7 +472,7 @@
     bool m_hasTouchEventHandler : 1;
 #endif
     bool m_isSpellcheckDisabledExceptTextReplacement : 1;
-    std::unique_ptr<InputType> m_inputType;
+    RefPtr<InputType> m_inputType;
     // The ImageLoader must be owned by this element because the loader code assumes
     // that it lives as long as its owning element lives. If we move the loader into
     // the ImageInput object we may delete the loader while this element lives on.
@@ -477,6 +480,7 @@
 #if ENABLE(DATALIST_ELEMENT)
     std::unique_ptr<ListAttributeTargetObserver> m_listAttributeTargetObserver;
 #endif
+    WeakPtrFactory<HTMLInputElement> m_weakFactory;
 };
 
 }
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/HiddenInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/HiddenInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -52,12 +52,14 @@
 {
     // valueAttributeWasUpdatedAfterParsing() never be true for form controls create by createElement() or cloneNode().
     // It's OK for now because we restore values only to form controls created by parsing.
-    return element().valueAttributeWasUpdatedAfterParsing() ? FormControlState { { element().value() } } : FormControlState { };
+    ASSERT(element());
+    return element()->valueAttributeWasUpdatedAfterParsing() ? FormControlState { { element()->value() } } : FormControlState { };
 }
 
 void HiddenInputType::restoreFormControlState(const FormControlState& state)
 {
-    element().setAttributeWithoutSynchronization(valueAttr, state[0]);
+    ASSERT(element());
+    element()->setAttributeWithoutSynchronization(valueAttr, state[0]);
 }
 
 bool HiddenInputType::supportsValidation() const
@@ -87,7 +89,8 @@
 
 void HiddenInputType::setValue(const String& sanitizedValue, bool, TextFieldEventBehavior)
 {
-    element().setAttributeWithoutSynchronization(valueAttr, sanitizedValue);
+    ASSERT(element());
+    element()->setAttributeWithoutSynchronization(valueAttr, sanitizedValue);
 }
 
 bool HiddenInputType::isHiddenType() const
@@ -97,7 +100,8 @@
 
 bool HiddenInputType::appendFormData(DOMFormData& formData, bool isMultipartForm) const
 {
-    auto name = element().name();
+    ASSERT(element());
+    auto name = element()->name();
 
     if (equalIgnoringASCIICase(name, "_charset_")) {
         formData.append(name, String { formData.encoding().name() });
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/ImageInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/ImageInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -56,10 +56,11 @@
 
 bool ImageInputType::appendFormData(DOMFormData& formData, bool) const
 {
-    if (!element().isActivatedSubmit())
+    ASSERT(element());
+    if (!element()->isActivatedSubmit())
         return false;
 
-    auto& name = element().name();
+    auto& name = element()->name();
     if (name.isEmpty()) {
         formData.append(ASCIILiteral("x"), String::number(m_clickLocation.x()));
         formData.append(ASCIILiteral("y"), String::number(m_clickLocation.y()));
@@ -69,7 +70,7 @@
     formData.append(makeString(name, ".x"), String::number(m_clickLocation.x()));
     formData.append(makeString(name, ".y"), String::number(m_clickLocation.y()));
 
-    auto value = element().value();
+    auto value = element()->value();
     if (!value.isEmpty())
         formData.append(name, value);
 
@@ -83,10 +84,14 @@
 
 void ImageInputType::handleDOMActivateEvent(Event& event)
 {
-    Ref<HTMLInputElement> element(this->element());
-    if (element->isDisabledFormControl() || !element->form())
+    ASSERT(element());
+    Ref<HTMLInputElement> protectedElement(*element());
+    if (protectedElement->isDisabledFormControl() || !protectedElement->form())
         return;
-    element->setActivatedSubmit(true);
+
+    Ref<HTMLFormElement> protectedForm(*protectedElement->form());
+
+    protectedElement->setActivatedSubmit(true);
 
     m_clickLocation = IntPoint();
     if (event.underlyingEvent()) {
@@ -98,42 +103,49 @@
         }
     }
 
-    element->form()->prepareForSubmission(event); // Event handlers can run.
-    element->setActivatedSubmit(false);
+    // Update layout before processing form actions in case the style changes
+    // the Form or button relationships.
+    protectedElement->document().updateLayoutIgnorePendingStylesheets();
+
+    if (auto currentForm = protectedElement->form())
+        currentForm->prepareForSubmission(event); // Event handlers can run.
+
+    protectedElement->setActivatedSubmit(false);
     event.setDefaultHandled();
 }
 
 RenderPtr<RenderElement> ImageInputType::createInputRenderer(RenderStyle&& style)
 {
-    return createRenderer<RenderImage>(element(), WTFMove(style));
+    ASSERT(element());
+    return createRenderer<RenderImage>(*element(), WTFMove(style));
 }
 
 void ImageInputType::altAttributeChanged()
 {
-    if (!is<RenderImage>(element().renderer()))
-        return;
-
-    auto* renderer = downcast<RenderImage>(element().renderer());
-    if (!renderer)
-        return;
-    renderer->updateAltText();
+    if (auto* element = this->element()) {
+        auto* renderer = element->renderer();
+        if (is<RenderImage>(renderer))
+            downcast<RenderImage>(*renderer).updateAltText();
+    }
 }
 
 void ImageInputType::srcAttributeChanged()
 {
-    if (!element().renderer())
-        return;
-    element().ensureImageLoader().updateFromElementIgnoringPreviousError();
+    if (auto* element = this->element()) {
+        if (element->renderer())
+            element->ensureImageLoader().updateFromElementIgnoringPreviousError();
+    }
 }
 
 void ImageInputType::attach()
 {
     BaseButtonInputType::attach();
 
-    HTMLImageLoader& imageLoader = element().ensureImageLoader();
+    ASSERT(element());
+    HTMLImageLoader& imageLoader = element()->ensureImageLoader();
     imageLoader.updateFromElement();
 
-    auto* renderer = downcast<RenderImage>(element().renderer());
+    auto* renderer = downcast<RenderImage>(element()->renderer());
     if (!renderer)
         return;
 
@@ -176,7 +188,8 @@
 
 unsigned ImageInputType::height() const
 {
-    Ref<HTMLInputElement> element(this->element());
+    ASSERT(element());
+    Ref<HTMLInputElement> element(*this->element());
 
     element->document().updateLayout();
 
@@ -197,7 +210,8 @@
 
 unsigned ImageInputType::width() const
 {
-    Ref<HTMLInputElement> element(this->element());
+    ASSERT(element());
+    Ref<HTMLInputElement> element(*this->element());
 
     element->document().updateLayout();
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/InputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/InputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -2,7 +2,7 @@
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2018 Apple Inc. All rights reserved.
  *           (C) 2006 Alexey Proskuryakov (ap@nypop.com)
  * Copyright (C) 2007 Samuel Weinig (sam@webkit.org)
  * Copyright (C) 2009, 2010, 2011, 2012 Google Inc. All rights reserved.
@@ -85,13 +85,13 @@
 
 typedef bool (RuntimeEnabledFeatures::*InputTypeConditionalFunction)() const;
 typedef const AtomicString& (*InputTypeNameFunction)();
-typedef std::unique_ptr<InputType> (*InputTypeFactoryFunction)(HTMLInputElement&);
+typedef Ref<InputType> (*InputTypeFactoryFunction)(HTMLInputElement&);
 typedef HashMap<AtomicString, InputTypeFactoryFunction, ASCIICaseInsensitiveHash> InputTypeFactoryMap;
 
 template<class T>
-static std::unique_ptr<InputType> createInputType(HTMLInputElement& element)
+static Ref<InputType> createInputType(HTMLInputElement& element)
 {
-    return std::make_unique<T>(element);
+    return adoptRef(*new T(element));
 }
 
 static InputTypeFactoryMap createInputTypeFactoryMap()
@@ -149,19 +149,19 @@
     return map;
 }
 
-std::unique_ptr<InputType> InputType::create(HTMLInputElement& element, const AtomicString& typeName)
+Ref<InputType> InputType::create(HTMLInputElement& element, const AtomicString& typeName)
 {
     if (!typeName.isEmpty()) {
         static const auto factoryMap = makeNeverDestroyed(createInputTypeFactoryMap());
         if (auto factory = factoryMap.get().get(typeName))
             return factory(element);
     }
-    return std::make_unique<TextInputType>(element);
+    return adoptRef(*new TextInputType(element));
 }
 
-std::unique_ptr<InputType> InputType::createText(HTMLInputElement& element)
+Ref<InputType> InputType::createText(HTMLInputElement& element)
 {
-    return std::make_unique<TextInputType>(element);
+    return adoptRef(*new TextInputType(element));
 }
 
 InputType::~InputType() = default;
@@ -193,27 +193,31 @@
 
 FormControlState InputType::saveFormControlState() const
 {
-    auto currentValue = element().value();
-    if (currentValue == element().defaultValue())
+    ASSERT(element());
+    auto currentValue = element()->value();
+    if (currentValue == element()->defaultValue())
         return { };
     return { { currentValue } };
 }
 
 void InputType::restoreFormControlState(const FormControlState& state)
 {
-    element().setValue(state[0]);
+    ASSERT(element());
+    element()->setValue(state[0]);
 }
 
 bool InputType::isFormDataAppendable() const
 {
+    ASSERT(element());
     // There is no form data unless there's a name for non-image types.
-    return !element().name().isEmpty();
+    return !element()->name().isEmpty();
 }
 
 bool InputType::appendFormData(DOMFormData& formData, bool) const
 {
+    ASSERT(element());
     // Always successful.
-    formData.append(element().name(), element().value());
+    formData.append(element()->name(), element()->value());
     return true;
 }
 
@@ -319,7 +323,8 @@
 
 bool InputType::sizeShouldIncludeDecoration(int, int& preferredSize) const
 {
-    preferredSize = element().size();
+    ASSERT(element());
+    preferredSize = element()->size();
     return false;
 }
 
@@ -390,7 +395,8 @@
 
 String InputType::validationMessage() const
 {
-    String value = element().value();
+    ASSERT(element());
+    String value = element()->value();
 
     // The order of the following checks is meaningful. e.g. We'd like to show the
     // badInput message even if the control has other validation errors.
@@ -406,11 +412,11 @@
     if (patternMismatch(value))
         return validationMessagePatternMismatchText();
 
-    if (element().tooShort())
-        return validationMessageTooShortText(numGraphemeClusters(value), element().minLength());
+    if (element()->tooShort())
+        return validationMessageTooShortText(numGraphemeClusters(value), element()->minLength());
 
-    if (element().tooLong())
-        return validationMessageTooLongText(numGraphemeClusters(value), element().effectiveMaxLength());
+    if (element()->tooLong())
+        return validationMessageTooLongText(numGraphemeClusters(value), element()->effectiveMaxLength());
 
     if (!isSteppable())
         return emptyString();
@@ -480,12 +486,14 @@
 
 RenderPtr<RenderElement> InputType::createInputRenderer(RenderStyle&& style)
 {
-    return RenderPtr<RenderElement>(RenderElement::createFor(element(), WTFMove(style)));
+    ASSERT(element());
+    return RenderPtr<RenderElement>(RenderElement::createFor(*element(), WTFMove(style)));
 }
 
 void InputType::blur()
 {
-    element().defaultBlur();
+    ASSERT(element());
+    element()->defaultBlur();
 }
 
 void InputType::createShadowSubtree()
@@ -494,7 +502,8 @@
 
 void InputType::destroyShadowSubtree()
 {
-    RefPtr<ShadowRoot> root = element().userAgentShadowRoot();
+    ASSERT(element());
+    RefPtr<ShadowRoot> root = element()->userAgentShadowRoot();
     if (!root)
         return;
 
@@ -533,14 +542,16 @@
 
 void InputType::dispatchSimulatedClickIfActive(KeyboardEvent& event) const
 {
-    if (element().active())
-        element().dispatchSimulatedClick(&event);
+    ASSERT(element());
+    if (element()->active())
+        element()->dispatchSimulatedClick(&event);
     event.setDefaultHandled();
 }
 
 Chrome* InputType::chrome() const
 {
-    if (Page* page = element().document().page())
+    ASSERT(element());
+    if (Page* page = element()->document().page())
         return &page->chrome();
     return nullptr;
 }
@@ -557,12 +568,14 @@
 
 bool InputType::isKeyboardFocusable(KeyboardEvent& event) const
 {
-    return !element().isReadOnly() && element().isTextFormControlKeyboardFocusable(event);
+    ASSERT(element());
+    return !element()->isReadOnly() && element()->isTextFormControlKeyboardFocusable(event);
 }
 
 bool InputType::isMouseFocusable() const
 {
-    return element().isTextFormControlMouseFocusable();
+    ASSERT(element());
+    return element()->isTextFormControlMouseFocusable();
 }
 
 bool InputType::shouldUseInputMethod() const
@@ -580,7 +593,8 @@
 
 void InputType::accessKeyAction(bool)
 {
-    element().focus(false);
+    ASSERT(element());
+    element()->focus(false);
 }
 
 void InputType::addSearchResult()
@@ -671,17 +685,20 @@
 
 void InputType::setValue(const String& sanitizedValue, bool valueChanged, TextFieldEventBehavior eventBehavior)
 {
-    element().setValueInternal(sanitizedValue, eventBehavior);
-    element().invalidateStyleForSubtree();
+    ASSERT(element());
+    element()->setValueInternal(sanitizedValue, eventBehavior);
+    element()->invalidateStyleForSubtree();
     if (!valueChanged)
         return;
+
     switch (eventBehavior) {
     case DispatchChangeEvent:
-        element().dispatchFormControlChangeEvent();
+        element()->dispatchFormControlChangeEvent();
         break;
     case DispatchInputAndChangeEvent:
-        element().dispatchFormControlInputEvent();
-        element().dispatchFormControlChangeEvent();
+        element()->dispatchFormControlInputEvent();
+        if (auto element = this->element())
+            element->dispatchFormControlChangeEvent();
         break;
     case DispatchNoEvent:
         break;
@@ -708,7 +725,8 @@
 
 String InputType::visibleValue() const
 {
-    return element().value();
+    ASSERT(element());
+    return element()->value();
 }
 
 bool InputType::isEmptyValue() const
@@ -984,7 +1002,8 @@
     if (!stepRange.hasStep())
         return Exception { InvalidStateError };
 
-    const Decimal current = parseToNumberOrNaN(element().value());
+    ASSERT(element());
+    const Decimal current = parseToNumberOrNaN(element()->value());
     if (!current.isFinite())
         return Exception { InvalidStateError };
     Decimal newValue = current + stepRange.step() * count;
@@ -997,7 +1016,7 @@
     if (newValue < stepRange.minimum())
         newValue = stepRange.minimum();
 
-    if (!equalLettersIgnoringASCIICase(element().attributeWithoutSynchronization(stepAttr), "any"))
+    if (!equalLettersIgnoringASCIICase(element()->attributeWithoutSynchronization(stepAttr), "any"))
         newValue = stepRange.alignValueForStep(current, newValue);
 
     if (newValue - stepRange.maximum() > acceptableErrorValue)
@@ -1009,8 +1028,8 @@
     if (result.hasException())
         return result;
 
-    if (AXObjectCache* cache = element().document().existingAXObjectCache())
-        cache->postNotification(&element(), AXObjectCache::AXValueChanged);
+    if (AXObjectCache* cache = element()->document().existingAXObjectCache())
+        cache->postNotification(element(), AXObjectCache::AXValueChanged);
 
     return result;
 }
@@ -1097,7 +1116,8 @@
     else
         sign = 0;
 
-    String currentStringValue = element().value();
+    ASSERT(element());
+    String currentStringValue = element()->value();
     Decimal current = parseToNumberOrNaN(currentStringValue);
     if (!current.isFinite()) {
         current = defaultValueForStepUp();
@@ -1111,7 +1131,7 @@
     if ((sign > 0 && current < stepRange.minimum()) || (sign < 0 && current > stepRange.maximum()))
         setValueAsDecimal(sign > 0 ? stepRange.minimum() : stepRange.maximum(), DispatchInputAndChangeEvent);
     else {
-        if (stepMismatch(element().value())) {
+        if (stepMismatch(element()->value())) {
             ASSERT(!step.isZero());
             const Decimal base = stepRange.stepBase();
             Decimal newValue;
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/InputType.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/InputType.h	Thu Aug 16 09:11:58 2018 +0530
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
- * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2012 Samsung Electronics. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37,6 +37,7 @@
 #include "StepRange.h"
 #include <wtf/FastMalloc.h>
 #include <wtf/Forward.h>
+#include <wtf/RefCounted.h>
 #include <wtf/RefPtr.h>
 
 #if PLATFORM(IOS)
@@ -68,12 +69,12 @@
 // An InputType object represents the type-specific part of an HTMLInputElement.
 // Do not expose instances of InputType and classes derived from it to classes
 // other than HTMLInputElement.
-class InputType {
+class InputType : public RefCounted<InputType> {
     WTF_MAKE_FAST_ALLOCATED;
 
 public:
-    static std::unique_ptr<InputType> create(HTMLInputElement&, const AtomicString&);
-    static std::unique_ptr<InputType> createText(HTMLInputElement&);
+    static Ref<InputType> create(HTMLInputElement&, const AtomicString&);
+    static Ref<InputType> createText(HTMLInputElement&);
     virtual ~InputType();
 
     static bool themeSupportsDataListUI(InputType*);
@@ -309,8 +310,9 @@
     virtual String displayString() const;
 
 protected:
-    explicit InputType(HTMLInputElement& element) : m_element(element) { }
-    HTMLInputElement& element() const { return m_element; }
+    explicit InputType(HTMLInputElement& element)
+        : m_element(makeWeakPtr(element)) { }
+    HTMLInputElement* element() const { return m_element.get(); }
     Chrome* chrome() const;
     Decimal parseToNumberOrNaN(const String&) const;
 
@@ -319,7 +321,7 @@
     ExceptionOr<void> applyStep(int count, AnyStepHandling, TextFieldEventBehavior);
 
     // Raw pointer because the HTMLInputElement object owns this InputType object.
-    HTMLInputElement& m_element;
+    WeakPtr<HTMLInputElement> m_element;
 };
 
 } // namespace WebCore
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/MonthInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/MonthInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -61,7 +61,7 @@
 double MonthInputType::valueAsDate() const
 {
     DateComponents date;
-    if (!parseToDateComponents(element().value(), &date))
+    if (!parseToDateComponents(element()->value(), &date))
         return DateComponents::invalidMilliseconds();
     double msec = date.millisecondsSinceEpoch();
     ASSERT(std::isfinite(msec));
@@ -93,10 +93,10 @@
 {
     static NeverDestroyed<const StepRange::StepDescription> stepDescription(monthDefaultStep, monthDefaultStepBase, monthStepScaleFactor, StepRange::ParsedStepValueShouldBeInteger);
 
-    const Decimal stepBase = parseToNumber(element().attributeWithoutSynchronization(minAttr), Decimal::fromDouble(monthDefaultStepBase));
-    const Decimal minimum = parseToNumber(element().attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumMonth()));
-    const Decimal maximum = parseToNumber(element().attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumMonth()));
-    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element().attributeWithoutSynchronization(stepAttr));
+    const Decimal stepBase = parseToNumber(element()->attributeWithoutSynchronization(minAttr), Decimal::fromDouble(monthDefaultStepBase));
+    const Decimal minimum = parseToNumber(element()->attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumMonth()));
+    const Decimal maximum = parseToNumber(element()->attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumMonth()));
+    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element()->attributeWithoutSynchronization(stepAttr));
     return StepRange(stepBase, RangeLimitations::Valid, minimum, maximum, step, stepDescription);
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/NumberInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/NumberInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -93,14 +93,16 @@
 
 void NumberInputType::setValue(const String& sanitizedValue, bool valueChanged, TextFieldEventBehavior eventBehavior)
 {
-    if (!valueChanged && sanitizedValue.isEmpty() && !element().innerTextValue().isEmpty())
+    ASSERT(element());
+    if (!valueChanged && sanitizedValue.isEmpty() && !element()->innerTextValue().isEmpty())
         updateInnerTextValue();
     TextFieldInputType::setValue(sanitizedValue, valueChanged, eventBehavior);
 }
 
 double NumberInputType::valueAsDouble() const
 {
-    return parseToDoubleForNumberType(element().value());
+    ASSERT(element());
+    return parseToDoubleForNumberType(element()->value());
 }
 
 ExceptionOr<void> NumberInputType::setValueAsDouble(double newValue, TextFieldEventBehavior eventBehavior) const
@@ -109,7 +111,8 @@
     const double floatMax = std::numeric_limits<float>::max();
     if (newValue < -floatMax || newValue > floatMax)
         return Exception { InvalidStateError };
-    element().setValue(serializeForNumberType(newValue), eventBehavior);
+    ASSERT(element());
+    element()->setValue(serializeForNumberType(newValue), eventBehavior);
     return { };
 }
 
@@ -119,7 +122,8 @@
     const Decimal floatMax = Decimal::fromDouble(std::numeric_limits<float>::max());
     if (newValue < -floatMax || newValue > floatMax)
         return Exception { InvalidStateError };
-    element().setValue(serializeForNumberType(newValue), eventBehavior);
+    ASSERT(element());
+    element()->setValue(serializeForNumberType(newValue), eventBehavior);
     return { };
 }
 
@@ -130,17 +134,20 @@
 
 bool NumberInputType::typeMismatch() const
 {
-    ASSERT(!typeMismatchFor(element().value()));
+    ASSERT(element());
+    ASSERT(!typeMismatchFor(element()->value()));
     return false;
 }
 
 StepRange NumberInputType::createStepRange(AnyStepHandling anyStepHandling) const
 {
     static NeverDestroyed<const StepRange::StepDescription> stepDescription(numberDefaultStep, numberDefaultStepBase, numberStepScaleFactor);
-    const Decimal stepBase = parseToDecimalForNumberType(element().attributeWithoutSynchronization(minAttr), numberDefaultStepBase);
+
+    ASSERT(element());
+    const Decimal stepBase = parseToDecimalForNumberType(element()->attributeWithoutSynchronization(minAttr), numberDefaultStepBase);
     // FIXME: We should use numeric_limits<double>::max for number input type.
     const Decimal floatMax = Decimal::fromDouble(std::numeric_limits<float>::max());
-    const Element& element = this->element();
+    const Element& element = *this->element();
 
     RangeLimitations rangeLimitations = RangeLimitations::Invalid;
     auto extractBound = [&] (const QualifiedName& attributeName, const Decimal& defaultValue) -> Decimal {
@@ -163,15 +170,16 @@
 {
     preferredSize = defaultSize;
 
-    auto& stepString = element().attributeWithoutSynchronization(stepAttr);
+    ASSERT(element());
+    auto& stepString = element()->attributeWithoutSynchronization(stepAttr);
     if (equalLettersIgnoringASCIICase(stepString, "any"))
         return false;
 
-    const Decimal minimum = parseToDecimalForNumberType(element().attributeWithoutSynchronization(minAttr));
+    const Decimal minimum = parseToDecimalForNumberType(element()->attributeWithoutSynchronization(minAttr));
     if (!minimum.isFinite())
         return false;
 
-    const Decimal maximum = parseToDecimalForNumberType(element().attributeWithoutSynchronization(maxAttr));
+    const Decimal maximum = parseToDecimalForNumberType(element()->attributeWithoutSynchronization(maxAttr));
     if (!maximum.isFinite())
         return false;
 
@@ -187,8 +195,10 @@
 
 float NumberInputType::decorationWidth() const
 {
+    ASSERT(element());
+
     float width = 0;
-    RefPtr<HTMLElement> spinButton = element().innerSpinButtonElement();
+    RefPtr<HTMLElement> spinButton = element()->innerSpinButtonElement();
     if (RenderBox* spinRenderer = spinButton ? spinButton->renderBox() : 0) {
         width += spinRenderer->borderAndPaddingLogicalWidth();
         // Since the width of spinRenderer is not calculated yet, spinRenderer->logicalWidth() returns 0.
@@ -234,12 +244,14 @@
     // We don't localize scientific notations.
     if (proposedValue.find(isE) != notFound)
         return proposedValue;
-    return element().locale().convertToLocalizedNumber(proposedValue);
+    ASSERT(element());
+    return element()->locale().convertToLocalizedNumber(proposedValue);
 }
 
 String NumberInputType::visibleValue() const
 {
-    return localizeValue(element().value());
+    ASSERT(element());
+    return localizeValue(element()->value());
 }
 
 String NumberInputType::convertFromVisibleValue(const String& visibleValue) const
@@ -249,7 +261,8 @@
     // We don't localize scientific notations.
     if (visibleValue.find(isE) != notFound)
         return visibleValue;
-    return element().locale().convertFromLocalizedNumber(visibleValue);
+    ASSERT(element());
+    return element()->locale().convertFromLocalizedNumber(visibleValue);
 }
 
 String NumberInputType::sanitizeValue(const String& proposedValue) const
@@ -261,7 +274,8 @@
 
 bool NumberInputType::hasBadInput() const
 {
-    String standardValue = convertFromVisibleValue(element().innerTextValue());
+    ASSERT(element());
+    String standardValue = convertFromVisibleValue(element()->innerTextValue());
     return !standardValue.isEmpty() && !std::isfinite(parseToDoubleForNumberType(standardValue));
 }
 
@@ -282,19 +296,21 @@
 
 void NumberInputType::minOrMaxAttributeChanged()
 {
-    InputType::minOrMaxAttributeChanged();
-    HTMLInputElement& element = this->element();
-    element.invalidateStyleForSubtree();
-    if (RenderObject* renderer = element.renderer())
+    if (auto* element = this->element()) {
+        element->invalidateStyleForSubtree();
+        if (auto* renderer = element->renderer())
         renderer->setNeedsLayoutAndPrefWidthsRecalc();
+    }
 }
 
 void NumberInputType::stepAttributeChanged()
 {
     InputType::stepAttributeChanged();
 
-    if (element().renderer())
-        element().renderer()->setNeedsLayoutAndPrefWidthsRecalc();
+    if (auto* element = this->element()) {
+        if (auto* renderer = element->renderer())
+            renderer->setNeedsLayoutAndPrefWidthsRecalc();
+    }
 }
 
 } // namespace WebCore
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/RadioInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/RadioInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2011, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2005-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2010 Google Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -44,7 +44,8 @@
 
 bool RadioInputType::valueMissing(const String&) const
 {
-    return element().isInRequiredRadioButtonGroup() && !element().checkedRadioButtonForGroup();
+    ASSERT(element());
+    return element()->isInRequiredRadioButtonGroup() && !element()->checkedRadioButtonForGroup();
 }
 
 String RadioInputType::valueMissingText() const
@@ -66,18 +67,19 @@
     if (key != "Up" && key != "Down" && key != "Left" && key != "Right")
         return;
 
+    ASSERT(element());
     // Left and up mean "previous radio button".
     // Right and down mean "next radio button".
     // Tested in WinIE, and even for RTL, left still means previous radio button (and so moves
     // to the right).  Seems strange, but we'll match it.
     // However, when using Spatial Navigation, we need to be able to navigate without changing the selection.
-    if (isSpatialNavigationEnabled(element().document().frame()))
+    if (isSpatialNavigationEnabled(element()->document().frame()))
         return;
     bool forward = (key == "Down" || key == "Right");
 
     // We can only stay within the form's children if the form hasn't been demoted to a leaf because
     // of malformed HTML.
-    RefPtr<Node> node = &element();
+    RefPtr<Node> node = element();
     while ((node = (forward ? NodeTraversal::next(*node) : NodeTraversal::previous(*node)))) {
         // Once we encounter a form element, we know we're through.
         if (is<HTMLFormElement>(*node))
@@ -86,10 +88,10 @@
         if (!is<HTMLInputElement>(*node))
             continue;
         RefPtr<HTMLInputElement> inputElement = downcast<HTMLInputElement>(node.get());
-        if (inputElement->form() != element().form())
+        if (inputElement->form() != element()->form())
             break;
-        if (inputElement->isRadioButton() && inputElement->name() == element().name() && inputElement->isFocusable()) {
-            element().document().setFocusedElement(inputElement.get());
+        if (inputElement->isRadioButton() && inputElement->name() == element()->name() && inputElement->isFocusable()) {
+            element()->document().setFocusedElement(inputElement.get());
             inputElement->dispatchSimulatedClick(&event, SendNoEvents, DoNotShowPressedLook);
             event.setDefaultHandled();
             return;
@@ -102,9 +104,11 @@
     const String& key = event.keyIdentifier();
     if (key != "U+0020")
         return;
+
+    ASSERT(element());
     // If an unselected radio is tabbed into (because the entire group has nothing
     // checked, or because of some explicit .focus() call), then allow space to check it.
-    if (element().checked())
+    if (element()->checked())
         return;
     dispatchSimulatedClickIfActive(event);
 }
@@ -114,32 +118,35 @@
     if (!InputType::isKeyboardFocusable(event))
         return false;
 
+    ASSERT(element());
     // When using Spatial Navigation, every radio button should be focusable.
-    if (isSpatialNavigationEnabled(element().document().frame()))
+    if (isSpatialNavigationEnabled(element()->document().frame()))
         return true;
 
     // Never allow keyboard tabbing to leave you in the same radio group.  Always
     // skip any other elements in the group.
-    RefPtr<Element> currentFocusedNode = element().document().focusedElement();
+    RefPtr<Element> currentFocusedNode = element()->document().focusedElement();
     if (is<HTMLInputElement>(currentFocusedNode)) {
         HTMLInputElement& focusedInput = downcast<HTMLInputElement>(*currentFocusedNode);
-        if (focusedInput.isRadioButton() && focusedInput.form() == element().form() && focusedInput.name() == element().name())
+        if (focusedInput.isRadioButton() && focusedInput.form() == element()->form() && focusedInput.name() == element()->name())
             return false;
     }
 
     // Allow keyboard focus if we're checked or if nothing in the group is checked.
-    return element().checked() || !element().checkedRadioButtonForGroup();
+    return element()->checked() || !element()->checkedRadioButtonForGroup();
 }
 
 bool RadioInputType::shouldSendChangeEventAfterCheckedChanged()
 {
     // Don't send a change event for a radio button that's getting unchecked.
     // This was done to match the behavior of other browsers.
-    return element().checked();
+    ASSERT(element());
+    return element()->checked();
 }
 
 void RadioInputType::willDispatchClick(InputElementClickState& state)
 {
+    ASSERT(element());
     // An event handler can use preventDefault or "return false" to reverse the selection we do here.
     // The InputElementClickState object contains what we need to undo what we did here in didDispatchClick.
 
@@ -147,10 +154,10 @@
     // Therefore if nothing is currently selected, we won't allow the upcoming action to be "undone", since
     // we want some object in the radio group to actually get selected.
 
-    state.checked = element().checked();
-    state.checkedRadioButton = element().checkedRadioButtonForGroup();
+    state.checked = element()->checked();
+    state.checkedRadioButton = element()->checkedRadioButtonForGroup();
 
-    element().setChecked(true, DispatchChangeEvent);
+    element()->setChecked(true, DispatchChangeEvent);
 }
 
 void RadioInputType::didDispatchClick(Event& event, const InputElementClickState& state)
@@ -159,7 +166,8 @@
         // Restore the original selected radio button if possible.
         // Make sure it is still a radio button and only do the restoration if it still belongs to our group.
         auto& button = state.checkedRadioButton;
-        if (button && button->isRadioButton() && button->form() == element().form() && button->name() == element().name())
+        ASSERT(element());
+        if (button && button->isRadioButton() && button->form() == element()->form() && button->name() == element()->name())
             button->setChecked(true);
     }
 
@@ -174,7 +182,8 @@
 
 bool RadioInputType::matchesIndeterminatePseudoClass() const
 {
-    const HTMLInputElement& element = this->element();
+    ASSERT(element());
+    const HTMLInputElement& element = *this->element();
     if (const RadioButtonGroups* radioButtonGroups = element.radioButtonGroups())
         return !radioButtonGroups->hasCheckedButton(&element);
     return !element.checked();
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/RangeInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/RangeInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -92,12 +92,14 @@
 
 double RangeInputType::valueAsDouble() const
 {
-    return parseToDoubleForNumberType(element().value());
+    ASSERT(element());
+    return parseToDoubleForNumberType(element()->value());
 }
 
 ExceptionOr<void> RangeInputType::setValueAsDecimal(const Decimal& newValue, TextFieldEventBehavior eventBehavior) const
 {
-    element().setValue(serialize(newValue), eventBehavior);
+    ASSERT(element());
+    element()->setValue(serialize(newValue), eventBehavior);
     return { };
 }
 
@@ -115,16 +117,17 @@
 {
     static NeverDestroyed<const StepRange::StepDescription> stepDescription(rangeDefaultStep, rangeDefaultStepBase, rangeStepScaleFactor);
 
-    const Decimal minimum = parseToNumber(element().attributeWithoutSynchronization(minAttr), rangeDefaultMinimum);
-    const Decimal maximum = ensureMaximum(parseToNumber(element().attributeWithoutSynchronization(maxAttr), rangeDefaultMaximum), minimum, rangeDefaultMaximum);
+    ASSERT(element());
+    const Decimal minimum = parseToNumber(element()->attributeWithoutSynchronization(minAttr), rangeDefaultMinimum);
+    const Decimal maximum = ensureMaximum(parseToNumber(element()->attributeWithoutSynchronization(maxAttr), rangeDefaultMaximum), minimum, rangeDefaultMaximum);
 
-    const AtomicString& precisionValue = element().attributeWithoutSynchronization(precisionAttr);
+    const AtomicString& precisionValue = element()->attributeWithoutSynchronization(precisionAttr);
     if (!precisionValue.isNull()) {
         const Decimal step = equalLettersIgnoringASCIICase(precisionValue, "float") ? Decimal::nan() : 1;
         return StepRange(minimum, RangeLimitations::Valid, minimum, maximum, step, stepDescription);
     }
 
-    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element().attributeWithoutSynchronization(stepAttr));
+    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element()->attributeWithoutSynchronization(stepAttr));
     return StepRange(minimum, RangeLimitations::Valid, minimum, maximum, step, stepDescription);
 }
 
@@ -137,14 +140,15 @@
 
 void RangeInputType::handleMouseDownEvent(MouseEvent& event)
 {
-    if (element().isDisabledFormControl())
+    ASSERT(element());
+    if (element()->isDisabledFormControl())
         return;
 
     if (event.button() != LeftButton || !is<Node>(event.target()))
         return;
-    ASSERT(element().shadowRoot());
+    ASSERT(element()->shadowRoot());
     auto& targetNode = downcast<Node>(*event.target());
-    if (&targetNode != &element() && !targetNode.isDescendantOf(element().userAgentShadowRoot().get()))
+    if (&targetNode != element() && !targetNode.isDescendantOf(element()->userAgentShadowRoot().get()))
         return;
     auto& thumb = typedSliderThumbElement();
     if (&targetNode == &thumb)
@@ -160,7 +164,8 @@
 #if PLATFORM(IOS)
     typedSliderThumbElement().handleTouchEvent(event);
 #elif ENABLE(TOUCH_SLIDER)
-    if (element().isDisabledFormControl())
+    ASSERT(element());
+    if (element()->isDisabledFormControl())
         return;
 
     if (event.type() == eventNames().touchendEvent) {
@@ -193,12 +198,13 @@
 
 void RangeInputType::handleKeydownEvent(KeyboardEvent& event)
 {
-    if (element().isDisabledFormControl())
+    ASSERT(element());
+    if (element()->isDisabledFormControl())
         return;
 
     const String& key = event.keyIdentifier();
 
-    const Decimal current = parseToNumberOrNaN(element().value());
+    const Decimal current = parseToNumberOrNaN(element()->value());
     ASSERT(current.isFinite());
 
     StepRange stepRange(createStepRange(RejectAny));
@@ -206,12 +212,12 @@
 
     // FIXME: We can't use stepUp() for the step value "any". So, we increase
     // or decrease the value by 1/100 of the value range. Is it reasonable?
-    const Decimal step = equalLettersIgnoringASCIICase(element().attributeWithoutSynchronization(stepAttr), "any") ? (stepRange.maximum() - stepRange.minimum()) / 100 : stepRange.step();
+    const Decimal step = equalLettersIgnoringASCIICase(element()->attributeWithoutSynchronization(stepAttr), "any") ? (stepRange.maximum() - stepRange.minimum()) / 100 : stepRange.step();
     const Decimal bigStep = std::max((stepRange.maximum() - stepRange.minimum()) / 10, step);
 
     bool isVertical = false;
-    if (element().renderer()) {
-        ControlPart part = element().renderer()->style().appearance();
+    if (auto* renderer = element()->renderer()) {
+        ControlPart part = renderer->style().appearance();
         isVertical = part == SliderVerticalPart || part == MediaVolumeSliderPart;
     }
 
@@ -241,8 +247,8 @@
         EventQueueScope scope;
         setValueAsDecimal(newValue, DispatchInputAndChangeEvent);
 
-        if (AXObjectCache* cache = element().document().existingAXObjectCache())
-            cache->postNotification(&element(), AXObjectCache::AXValueChanged);
+        if (AXObjectCache* cache = element()->document().existingAXObjectCache())
+            cache->postNotification(element(), AXObjectCache::AXValueChanged);
     }
 
     event.setDefaultHandled();
@@ -250,25 +256,27 @@
 
 void RangeInputType::createShadowSubtree()
 {
-    ASSERT(element().userAgentShadowRoot());
+    ASSERT(element());
+    ASSERT(element()->userAgentShadowRoot());
 
-    Document& document = element().document();
+    Document& document = element()->document();
     auto track = HTMLDivElement::create(document);
     track->setPseudo(AtomicString("-webkit-slider-runnable-track", AtomicString::ConstructFromLiteral));
     track->appendChild(SliderThumbElement::create(document));
     auto container = SliderContainerElement::create(document);
     container->appendChild(track);
-    element().userAgentShadowRoot()->appendChild(container);
+    element()->userAgentShadowRoot()->appendChild(container);
 }
 
 HTMLElement* RangeInputType::sliderTrackElement() const
 {
-    ASSERT(element().userAgentShadowRoot());
-    ASSERT(element().userAgentShadowRoot()->firstChild()); // container
-    ASSERT(element().userAgentShadowRoot()->firstChild()->isHTMLElement());
-    ASSERT(element().userAgentShadowRoot()->firstChild()->firstChild()); // track
+    ASSERT(element());
+    ASSERT(element()->userAgentShadowRoot());
+    ASSERT(element()->userAgentShadowRoot()->firstChild()); // container
+    ASSERT(element()->userAgentShadowRoot()->firstChild()->isHTMLElement());
+    ASSERT(element()->userAgentShadowRoot()->firstChild()->firstChild()); // track
 
-    RefPtr<ShadowRoot> root = element().userAgentShadowRoot();
+    RefPtr<ShadowRoot> root = element()->userAgentShadowRoot();
     if (!root)
         return nullptr;
 
@@ -294,7 +302,8 @@
 
 RenderPtr<RenderElement> RangeInputType::createInputRenderer(RenderStyle&& style)
 {
-    return createRenderer<RenderSlider>(element(), WTFMove(style));
+    ASSERT(element());
+    return createRenderer<RenderSlider>(*element(), WTFMove(style));
 }
 
 Decimal RangeInputType::parseToNumber(const String& src, const Decimal& defaultValue) const
@@ -314,7 +323,8 @@
 {
     InputType::accessKeyAction(sendMouseEvents);
 
-    element().dispatchSimulatedClick(0, sendMouseEvents ? SendMouseUpDownEvents : SendNoEvents);
+    ASSERT(element());
+    element()->dispatchSimulatedClick(0, sendMouseEvents ? SendMouseUpDownEvents : SendNoEvents);
 }
 
 void RangeInputType::minOrMaxAttributeChanged()
@@ -322,9 +332,10 @@
     InputType::minOrMaxAttributeChanged();
 
     // Sanitize the value.
-    if (element().hasDirtyValue())
-        element().setValue(element().value());
-
+    if (auto* element = this->element()) {
+        if (element->hasDirtyValue())
+            element->setValue(element->value());
+    }
     typedSliderThumbElement().setPositionFromValue();
 }
 
@@ -335,8 +346,10 @@
     if (!valueChanged)
         return;
 
-    if (eventBehavior == DispatchNoEvent)
-        element().setTextAsOfLastFormControlChangeEvent(value);
+    if (eventBehavior == DispatchNoEvent) {
+        ASSERT(element());
+        element()->setTextAsOfLastFormControlChangeEvent(value);
+    }
 
     typedSliderThumbElement().setPositionFromValue();
 }
@@ -373,7 +386,8 @@
         return;
     m_tickMarkValues.clear();
     m_tickMarkValuesDirty = false;
-    auto dataList = element().dataList();
+    ASSERT(element());
+    auto dataList = element()->dataList();
     if (!dataList)
         return;
     Ref<HTMLCollection> options = dataList->options();
@@ -382,7 +396,7 @@
         RefPtr<Node> node = options->item(i);
         HTMLOptionElement& optionElement = downcast<HTMLOptionElement>(*node);
         String optionValue = optionElement.value();
-        if (!element().isValidValue(optionValue))
+        if (!element()->isValidValue(optionValue))
             continue;
         m_tickMarkValues.append(parseToNumber(optionValue, Decimal::nan()));
     }
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/ResetInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/ResetInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -52,9 +52,10 @@
 
 void ResetInputType::handleDOMActivateEvent(Event& event)
 {
-    if (element().isDisabledFormControl() || !element().form())
+    ASSERT(element());
+    if (element()->isDisabledFormControl() || !element()->form())
         return;
-    element().form()->reset();
+    element()->form()->reset();
     event.setDefaultHandled();
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/SearchInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/SearchInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -60,8 +60,9 @@
     // Normally we've got the correct renderer by the time we get here. However when the input type changes
     // we don't update the associated renderers until after the next tree update, so we could actually end up here
     // with a mismatched renderer (e.g. through form submission).
-    if (is<RenderSearchField>(element().renderer()))
-        downcast<RenderSearchField>(*element().renderer()).addSearchResult();
+    ASSERT(element());
+    if (is<RenderSearchField>(element()->renderer()))
+        downcast<RenderSearchField>(*element()->renderer()).addSearchResult();
 #endif
 }
 
@@ -77,13 +78,16 @@
 
 void SearchInputType::maxResultsAttributeChanged()
 {
-    if (m_resultsButton)
-        updateResultButtonPseudoType(*m_resultsButton, element().maxResults());
+    if (m_resultsButton) {
+        if (auto* element = this->element())
+            updateResultButtonPseudoType(*m_resultsButton, element->maxResults());
+    }
 }
 
 RenderPtr<RenderElement> SearchInputType::createInputRenderer(RenderStyle&& style)
 {
-    return createRenderer<RenderSearchField>(element(), WTFMove(style));
+    ASSERT(element());
+    return createRenderer<RenderSearchField>(*element(), WTFMove(style));
 }
 
 const AtomicString& SearchInputType::formControlType() const
@@ -112,11 +116,12 @@
     ASSERT(container);
     ASSERT(textWrapper);
 
-    m_resultsButton = SearchFieldResultsButtonElement::create(element().document());
-    updateResultButtonPseudoType(*m_resultsButton, element().maxResults());
+    ASSERT(element());
+    m_resultsButton = SearchFieldResultsButtonElement::create(element()->document());
+    updateResultButtonPseudoType(*m_resultsButton, element()->maxResults());
     container->insertBefore(*m_resultsButton, textWrapper.get());
 
-    m_cancelButton = SearchFieldCancelButtonElement::create(element().document());
+    m_cancelButton = SearchFieldCancelButtonElement::create(element()->document());
     container->insertBefore(*m_cancelButton, textWrapper->nextSibling());
 }
 
@@ -132,16 +137,17 @@
 
 void SearchInputType::handleKeydownEvent(KeyboardEvent& event)
 {
-    if (element().isDisabledOrReadOnly()) {
+    ASSERT(element());
+    if (element()->isDisabledOrReadOnly()) {
         TextFieldInputType::handleKeydownEvent(event);
         return;
     }
 
     const String& key = event.keyIdentifier();
     if (key == "U+001B") {
-        Ref<HTMLInputElement> input(this->element());
-        input->setValueForUser(emptyString());
-        input->onSearch();
+        Ref<HTMLInputElement> protectedInputElement(*element());
+        protectedInputElement->setValueForUser(emptyString());
+        protectedInputElement->onSearch();
         event.setDefaultHandled();
         return;
     }
@@ -157,8 +163,9 @@
 
 void SearchInputType::startSearchEventTimer()
 {
-    ASSERT(element().renderer());
-    unsigned length = element().innerTextValue().length();
+    ASSERT(element());
+    ASSERT(element()->renderer());
+    unsigned length = element()->innerTextValue().length();
 
     if (!length) {
         m_searchEventTimer.startOneShot(0_ms);
@@ -177,18 +184,21 @@
 
 void SearchInputType::searchEventTimerFired()
 {
-    element().onSearch();
+    ASSERT(element());
+    element()->onSearch();
 }
 
 bool SearchInputType::searchEventsShouldBeDispatched() const
 {
-    return element().hasAttributeWithoutSynchronization(incrementalAttr);
+    ASSERT(element());
+    return element()->hasAttributeWithoutSynchronization(incrementalAttr);
 }
 
 void SearchInputType::didSetValueByUserEdit()
 {
-    if (m_cancelButton && is<RenderSearchField>(element().renderer()))
-        downcast<RenderSearchField>(*element().renderer()).updateCancelButtonVisibility();
+    ASSERT(element());
+    if (m_cancelButton && is<RenderSearchField>(element()->renderer()))
+        downcast<RenderSearchField>(*element()->renderer()).updateCancelButtonVisibility();
     // If the incremental attribute is set, then dispatch the search event
     if (searchEventsShouldBeDispatched())
         startSearchEventTimer();
@@ -198,7 +208,8 @@
 
 bool SearchInputType::sizeShouldIncludeDecoration(int, int& preferredSize) const
 {
-    preferredSize = element().size();
+    ASSERT(element());
+    preferredSize = element()->size();
     return true;
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/SubmitInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/SubmitInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -48,9 +48,10 @@
 
 bool SubmitInputType::appendFormData(DOMFormData& formData, bool) const
 {
-    if (!element().isActivatedSubmit())
+    ASSERT(element());
+    if (!element()->isActivatedSubmit())
         return false;
-    formData.append(element().name(), element().valueWithDefault());
+    formData.append(element()->name(), element()->valueWithDefault());
     return true;
 }
 
@@ -61,12 +62,21 @@
 
 void SubmitInputType::handleDOMActivateEvent(Event& event)
 {
-    Ref<HTMLInputElement> element(this->element());
-    if (element->isDisabledFormControl() || !element->form())
+    ASSERT(element());
+    Ref<HTMLInputElement> protectedElement(*element());
+    if (protectedElement->isDisabledFormControl() || !protectedElement->form())
         return;
-    element->setActivatedSubmit(true);
-    element->form()->prepareForSubmission(event); // Event handlers can run.
-    element->setActivatedSubmit(false);
+
+    Ref<HTMLFormElement> protectedForm(*protectedElement->form());
+
+    // Update layout before processing form actions in case the style changes
+    // the Form or button relationships.
+    protectedElement->document().updateLayoutIgnorePendingStylesheets();
+
+    protectedElement->setActivatedSubmit(true);
+    if (auto currentForm = protectedElement->form())
+        currentForm->prepareForSubmission(event); // Event handlers can run.
+    protectedElement->setActivatedSubmit(false);
     event.setDefaultHandled();
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/TextFieldInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/TextFieldInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -75,16 +75,18 @@
 
 bool TextFieldInputType::isKeyboardFocusable(KeyboardEvent&) const
 {
+    ASSERT(element());
 #if PLATFORM(IOS)
-    if (element().isReadOnly())
+    if (element()->isReadOnly())
         return false;
 #endif
-    return element().isTextFormControlFocusable();
+    return element()->isTextFormControlFocusable();
 }
 
 bool TextFieldInputType::isMouseFocusable() const
 {
-    return element().isTextFormControlFocusable();
+    ASSERT(element());
+    return element()->isTextFormControlFocusable();
 }
 
 bool TextFieldInputType::isTextField() const
@@ -106,14 +108,17 @@
 
 bool TextFieldInputType::valueMissing(const String& value) const
 {
-    return element().isRequired() && value.isEmpty();
+    ASSERT(element());
+    return element()->isRequired() && value.isEmpty();
 }
 
 void TextFieldInputType::setValue(const String& sanitizedValue, bool valueChanged, TextFieldEventBehavior eventBehavior)
 {
+    ASSERT(element());
+
     // Grab this input element to keep reference even if JS event handler
     // changes input type.
-    Ref<HTMLInputElement> input(element());
+    Ref<HTMLInputElement> input(*element());
 
     // We don't ask InputType::setValue to dispatch events because
     // TextFieldInputType dispatches events different way from InputType.
@@ -158,17 +163,19 @@
 
 void TextFieldInputType::handleKeydownEvent(KeyboardEvent& event)
 {
-    if (!element().focused())
+    ASSERT(element());
+    if (!element()->focused())
         return;
-    RefPtr<Frame> frame = element().document().frame();
-    if (!frame || !frame->editor().doTextFieldCommandFromEvent(&element(), &event))
+    RefPtr<Frame> frame = element()->document().frame();
+    if (!frame || !frame->editor().doTextFieldCommandFromEvent(element(), &event))
         return;
     event.setDefaultHandled();
 }
 
 void TextFieldInputType::handleKeydownEventForSpinButton(KeyboardEvent& event)
 {
-    if (element().isDisabledOrReadOnly())
+    ASSERT(element());
+    if (element()->isDisabledOrReadOnly())
         return;
     const String& key = event.keyIdentifier();
     if (key == "Up")
@@ -192,13 +199,16 @@
     bool isBlurEvent = event.type() == eventNames().blurEvent;
     if (isFocusEvent || isBlurEvent)
         capsLockStateMayHaveChanged();
-    if (event.isMouseEvent() || isFocusEvent || isBlurEvent)
-        element().forwardEvent(event);
+    if (event.isMouseEvent() || isFocusEvent || isBlurEvent) {
+        ASSERT(element());
+        element()->forwardEvent(event);
+    }
 }
 
 void TextFieldInputType::elementDidBlur()
 {
-    auto* renderer = element().renderer();
+    ASSERT(element());
+    auto* renderer = element()->renderer();
     if (!renderer)
         return;
 
@@ -217,15 +227,17 @@
 
 void TextFieldInputType::handleFocusEvent(Node* oldFocusedNode, FocusDirection)
 {
-    ASSERT_UNUSED(oldFocusedNode, oldFocusedNode != &element());
-    if (RefPtr<Frame> frame = element().document().frame())
-        frame->editor().textFieldDidBeginEditing(&element());
+    ASSERT(element());
+    ASSERT_UNUSED(oldFocusedNode, oldFocusedNode != element());
+    if (RefPtr<Frame> frame = element()->document().frame())
+        frame->editor().textFieldDidBeginEditing(element());
 }
 
 void TextFieldInputType::handleBlurEvent()
 {
     InputType::handleBlurEvent();
-    element().endEditing();
+    ASSERT(element());
+    element()->endEditing();
 }
 
 bool TextFieldInputType::shouldSubmitImplicitly(Event& event)
@@ -236,7 +248,8 @@
 
 RenderPtr<RenderElement> TextFieldInputType::createInputRenderer(RenderStyle&& style)
 {
-    return createRenderer<RenderTextControlSingleLine>(element(), WTFMove(style));
+    ASSERT(element());
+    return createRenderer<RenderTextControlSingleLine>(*element(), WTFMove(style));
 }
 
 bool TextFieldInputType::needsContainer() const
@@ -246,17 +259,20 @@
 
 bool TextFieldInputType::shouldHaveSpinButton() const
 {
-    return RenderTheme::singleton().shouldHaveSpinButton(element());
+    ASSERT(element());
+    return RenderTheme::singleton().shouldHaveSpinButton(*element());
 }
 
 bool TextFieldInputType::shouldHaveCapsLockIndicator() const
 {
-    return RenderTheme::singleton().shouldHaveCapsLockIndicator(element());
+    ASSERT(element());
+    return RenderTheme::singleton().shouldHaveCapsLockIndicator(*element());
 }
 
 void TextFieldInputType::createShadowSubtree()
 {
-    ASSERT(element().shadowRoot());
+    ASSERT(element());
+    ASSERT(element()->shadowRoot());
 
     ASSERT(!m_innerText);
     ASSERT(!m_innerBlock);
@@ -264,7 +280,7 @@
     ASSERT(!m_capsLockIndicator);
     ASSERT(!m_autoFillButton);
 
-    Document& document = element().document();
+    Document& document = element()->document();
     bool shouldHaveSpinButton = this->shouldHaveSpinButton();
     bool shouldHaveCapsLockIndicator = this->shouldHaveCapsLockIndicator();
     bool createsContainer = shouldHaveSpinButton || shouldHaveCapsLockIndicator || needsContainer();
@@ -272,7 +288,7 @@
     m_innerText = TextControlInnerTextElement::create(document);
 
     if (!createsContainer) {
-        element().userAgentShadowRoot()->appendChild(*m_innerText);
+        element()->userAgentShadowRoot()->appendChild(*m_innerText);
         updatePlaceholderText();
         return;
     }
@@ -350,8 +366,10 @@
 
 void TextFieldInputType::attributeChanged(const QualifiedName& attributeName)
 {
-    if (attributeName == valueAttr || attributeName == placeholderAttr)
+    if (attributeName == valueAttr || attributeName == placeholderAttr) {
+        if (element())
         updateInnerTextValue();
+    }
 }
 
 void TextFieldInputType::disabledAttributeChanged()
@@ -474,12 +492,13 @@
 
 void TextFieldInputType::handleBeforeTextInsertedEvent(BeforeTextInsertedEvent& event)
 {
+    ASSERT(element());
     // Make sure that the text to be inserted will not violate the maxLength.
 
     // We use RenderTextControlSingleLine::text() instead of InputElement::value()
     // because they can be mismatched by sanitizeValue() in
     // HTMLInputElement::subtreeHasChanged() in some cases.
-    String innerText = element().innerTextValue();
+    String innerText = element()->innerTextValue();
     unsigned oldLength = numGraphemeClusters(innerText);
 
     // selectionLength represents the selection length of this text field to be
@@ -488,18 +507,18 @@
     // selection length. The selection is the source of text drag-and-drop in
     // that case, and nothing in the text field will be removed.
     unsigned selectionLength = 0;
-    if (element().focused()) {
-        ASSERT(enclosingTextFormControl(element().document().frame()->selection().selection().start()) == &element());
-        int selectionStart = element().selectionStart();
-        ASSERT(selectionStart <= element().selectionEnd());
-        int selectionCodeUnitCount = element().selectionEnd() - selectionStart;
+    if (element()->focused()) {
+        ASSERT(enclosingTextFormControl(element()->document().frame()->selection().selection().start()) == element());
+        int selectionStart = element()->selectionStart();
+        ASSERT(selectionStart <= element()->selectionEnd());
+        int selectionCodeUnitCount = element()->selectionEnd() - selectionStart;
         selectionLength = selectionCodeUnitCount ? numGraphemeClusters(StringView(innerText).substring(selectionStart, selectionCodeUnitCount)) : 0;
     }
     ASSERT(oldLength >= selectionLength);
 
     // Selected characters will be removed by the next text event.
     unsigned baseLength = oldLength - selectionLength;
-    unsigned maxLength = isTextType() ? element().effectiveMaxLength() : HTMLInputElement::maxEffectiveLength;
+    unsigned maxLength = isTextType() ? element()->effectiveMaxLength() : HTMLInputElement::maxEffectiveLength;
     unsigned appendableLength = maxLength > baseLength ? maxLength - baseLength : 0;
 
     // Truncate the inserted text to avoid violating the maxLength and other constraints.
@@ -523,7 +542,8 @@
 {
     if (!supportsPlaceholder())
         return;
-    String placeholderText = element().strippedPlaceholder();
+    ASSERT(element());
+    String placeholderText = element()->strippedPlaceholder();
     if (placeholderText.isEmpty()) {
         if (m_placeholder) {
             m_placeholder->parentNode()->removeChild(*m_placeholder);
@@ -532,8 +552,8 @@
         return;
     }
     if (!m_placeholder) {
-        m_placeholder = TextControlPlaceholderElement::create(element().document());
-        element().userAgentShadowRoot()->insertBefore(*m_placeholder, m_container ? m_container.get() : innerTextElement().get());
+        m_placeholder = TextControlPlaceholderElement::create(element()->document());
+        element()->userAgentShadowRoot()->insertBefore(*m_placeholder, m_container ? m_container.get() : innerTextElement().get());
     }
     m_placeholder->setInnerText(placeholderText);
 }
@@ -541,9 +561,10 @@
 bool TextFieldInputType::appendFormData(DOMFormData& formData, bool multipart) const
 {
     InputType::appendFormData(formData, multipart);
-    auto& dirnameAttrValue = element().attributeWithoutSynchronization(dirnameAttr);
+    ASSERT(element());
+    auto& dirnameAttrValue = element()->attributeWithoutSynchronization(dirnameAttr);
     if (!dirnameAttrValue.isNull())
-        formData.append(dirnameAttrValue, element().directionForFormData());
+        formData.append(dirnameAttrValue, element()->directionForFormData());
     return true;
 }
 
@@ -554,7 +575,8 @@
 
 void TextFieldInputType::subtreeHasChanged()
 {
-    element().setChangedSinceLastFormControlChangeEvent(true);
+    ASSERT(element());
+    element()->setChangedSinceLastFormControlChangeEvent(true);
 
     // We don't need to call sanitizeUserInputValue() function here because
     // HTMLInputElement::handleBeforeTextInsertedEvent() has already called
@@ -566,23 +588,24 @@
     // user input in order to retain parity between what's in the model and
     // what's on the screen. Otherwise, we retain the sanitization process for
     // backward compatibility. https://bugs.webkit.org/show_bug.cgi?id=150346
-    String innerText = convertFromVisibleValue(element().innerTextValue());
+    String innerText = convertFromVisibleValue(element()->innerTextValue());
     if (!supportsSelectionAPI())
         innerText = sanitizeValue(innerText);
-    element().setValueFromRenderer(innerText);
-    element().updatePlaceholderVisibility();
+    element()->setValueFromRenderer(innerText);
+    element()->updatePlaceholderVisibility();
     // Recalc for :invalid change.
-    element().invalidateStyleForSubtree();
+    element()->invalidateStyleForSubtree();
 
     didSetValueByUserEdit();
 }
 
 void TextFieldInputType::didSetValueByUserEdit()
 {
-    if (!element().focused())
+    ASSERT(element());
+    if (!element()->focused())
         return;
-    if (RefPtr<Frame> frame = element().document().frame())
-        frame->editor().textDidChangeInTextField(&element());
+    if (RefPtr<Frame> frame = element()->document().frame())
+        frame->editor().textDidChangeInTextField(element());
 }
 
 void TextFieldInputType::spinButtonStepDown()
@@ -597,40 +620,45 @@
 
 void TextFieldInputType::updateInnerTextValue()
 {
-    if (!element().formControlValueMatchesRenderer()) {
+    ASSERT(element());
+    if (!element()->formControlValueMatchesRenderer()) {
         // Update the renderer value if the formControlValueMatchesRenderer() flag is false.
         // It protects an unacceptable renderer value from being overwritten with the DOM value.
-        element().setInnerTextValue(visibleValue());
-        element().updatePlaceholderVisibility();
+        element()->setInnerTextValue(visibleValue());
+        element()->updatePlaceholderVisibility();
     }
 }
 
 void TextFieldInputType::focusAndSelectSpinButtonOwner()
 {
-    Ref<HTMLInputElement> input(element());
+    ASSERT(element());
+    Ref<HTMLInputElement> input(*element());
     input->focus();
     input->select();
 }
 
 bool TextFieldInputType::shouldSpinButtonRespondToMouseEvents()
 {
-    return !element().isDisabledOrReadOnly();
+    ASSERT(element());
+    return !element()->isDisabledOrReadOnly();
 }
 
 bool TextFieldInputType::shouldSpinButtonRespondToWheelEvents()
 {
-    return shouldSpinButtonRespondToMouseEvents() && element().focused();
+    ASSERT(element());
+    return shouldSpinButtonRespondToMouseEvents() && element()->focused();
 }
 
 bool TextFieldInputType::shouldDrawCapsLockIndicator() const
 {
-    if (element().document().focusedElement() != &element())
+    ASSERT(element());
+    if (element()->document().focusedElement() != element())
         return false;
 
-    if (element().isDisabledOrReadOnly())
+    if (element()->isDisabledOrReadOnly())
         return false;
 
-    RefPtr<Frame> frame = element().document().frame();
+    RefPtr<Frame> frame = element()->document().frame();
     if (!frame)
         return false;
 
@@ -651,30 +679,33 @@
 
 bool TextFieldInputType::shouldDrawAutoFillButton() const
 {
-    return !element().isDisabledOrReadOnly() && element().autoFillButtonType() != AutoFillButtonType::None;
+    ASSERT(element());
+    return !element()->isDisabledOrReadOnly() && element()->autoFillButtonType() != AutoFillButtonType::None;
 }
 
 void TextFieldInputType::autoFillButtonElementWasClicked()
 {
-    Page* page = element().document().page();
+    ASSERT(element());
+    Page* page = element()->document().page();
     if (!page)
         return;
 
-    page->chrome().client().handleAutoFillButtonClick(element());
+    page->chrome().client().handleAutoFillButtonClick(*element());
 }
 
 void TextFieldInputType::createContainer()
 {
     ASSERT(!m_container);
+    ASSERT(element());
 
-    m_container = TextControlInnerContainer::create(element().document());
+    m_container = TextControlInnerContainer::create(element()->document());
     m_container->setPseudo(AtomicString("-webkit-textfield-decoration-container", AtomicString::ConstructFromLiteral));
 
-    m_innerBlock = TextControlInnerElement::create(element().document());
+    m_innerBlock = TextControlInnerElement::create(element()->document());
     m_innerBlock->appendChild(*m_innerText);
     m_container->appendChild(*m_innerBlock);
 
-    element().userAgentShadowRoot()->appendChild(*m_container);
+    element()->userAgentShadowRoot()->appendChild(*m_container);
 }
 
 void TextFieldInputType::createAutoFillButton(AutoFillButtonType autoFillButtonType)
@@ -684,7 +715,8 @@
     if (autoFillButtonType == AutoFillButtonType::None)
         return;
 
-    m_autoFillButton = AutoFillButtonElement::create(element().document(), *this);
+    ASSERT(element());
+    m_autoFillButton = AutoFillButtonElement::create(element()->document(), *this);
     m_autoFillButton->setPseudo(autoFillButtonTypeToAutoFillButtonPseudoClassName(autoFillButtonType));
     m_autoFillButton->setAttributeWithoutSynchronization(roleAttr, AtomicString("button", AtomicString::ConstructFromLiteral));
     m_autoFillButton->setAttributeWithoutSynchronization(aria_labelAttr, autoFillButtonTypeToAccessibilityLabel(autoFillButtonType));
@@ -698,7 +730,8 @@
         if (!m_container)
             createContainer();
 
-        AutoFillButtonType autoFillButtonType = element().autoFillButtonType();
+        ASSERT(element());
+        AutoFillButtonType autoFillButtonType = element()->autoFillButtonType();
         if (!m_autoFillButton)
             createAutoFillButton(autoFillButtonType);
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/TimeInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/TimeInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -80,10 +80,10 @@
 {
     static NeverDestroyed<const StepRange::StepDescription> stepDescription(timeDefaultStep, timeDefaultStepBase, timeStepScaleFactor, StepRange::ScaledStepValueShouldBeInteger);
 
-    const Decimal stepBase = parseToNumber(element().attributeWithoutSynchronization(minAttr), 0);
-    const Decimal minimum = parseToNumber(element().attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumTime()));
-    const Decimal maximum = parseToNumber(element().attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumTime()));
-    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element().attributeWithoutSynchronization(stepAttr));
+    const Decimal stepBase = parseToNumber(element()->attributeWithoutSynchronization(minAttr), 0);
+    const Decimal minimum = parseToNumber(element()->attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumTime()));
+    const Decimal maximum = parseToNumber(element()->attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumTime()));
+    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element()->attributeWithoutSynchronization(stepAttr));
     return StepRange(stepBase, RangeLimitations::Valid, minimum, maximum, step, stepDescription);
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/URLInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/URLInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
@@ -51,7 +52,8 @@
 
 bool URLInputType::typeMismatch() const
 {
-    return typeMismatchFor(element().value());
+    ASSERT(element());
+    return typeMismatchFor(element()->value());
 }
 
 String URLInputType::typeMismatchText() const
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/WeekInputType.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/WeekInputType.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -59,10 +59,10 @@
 {
     static NeverDestroyed<const StepRange::StepDescription> stepDescription(weekDefaultStep, weekDefaultStepBase, weekStepScaleFactor, StepRange::ParsedStepValueShouldBeInteger);
 
-    const Decimal stepBase = parseToNumber(element().attributeWithoutSynchronization(minAttr), weekDefaultStepBase);
-    const Decimal minimum = parseToNumber(element().attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumWeek()));
-    const Decimal maximum = parseToNumber(element().attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumWeek()));
-    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element().attributeWithoutSynchronization(stepAttr));
+    const Decimal stepBase = parseToNumber(element()->attributeWithoutSynchronization(minAttr), weekDefaultStepBase);
+    const Decimal minimum = parseToNumber(element()->attributeWithoutSynchronization(minAttr), Decimal::fromDouble(DateComponents::minimumWeek()));
+    const Decimal maximum = parseToNumber(element()->attributeWithoutSynchronization(maxAttr), Decimal::fromDouble(DateComponents::maximumWeek()));
+    const Decimal step = StepRange::parseStep(anyStepHandling, stepDescription, element()->attributeWithoutSynchronization(stepAttr));
     return StepRange(stepBase, RangeLimitations::Valid, minimum, maximum, step, stepDescription);
 }
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -5746,6 +5746,8 @@
         if (m_context->getError() != GraphicsContext3D::NO_ERROR) {
             // We were unable to create a buffer.
             m_vertexAttrib0UsedBefore = false;
+            m_vertexAttrib0BufferSize = 0;
+            m_forceAttrib0BufferRefill = true;
             return std::nullopt;
         }
         m_vertexAttrib0BufferSize = bufferDataSize;
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/canvas/WebGLRenderingContextBase.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/canvas/WebGLRenderingContextBase.h	Thu Aug 16 09:11:58 2018 +0530
@@ -488,10 +488,10 @@
     Vector<VertexAttribValue> m_vertexAttribValue;
     unsigned m_maxVertexAttribs;
     RefPtr<WebGLBuffer> m_vertexAttrib0Buffer;
-    long m_vertexAttrib0BufferSize;
+    long m_vertexAttrib0BufferSize { 0 };
     GC3Dfloat m_vertexAttrib0BufferValue[4];
-    bool m_forceAttrib0BufferRefill;
-    bool m_vertexAttrib0UsedBefore;
+    bool m_forceAttrib0BufferRefill { true };
+    bool m_vertexAttrib0UsedBefore { false };
 
     RefPtr<WebGLProgram> m_currentProgram;
     RefPtr<WebGLFramebuffer> m_framebufferBinding;
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/ScrollView.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/ScrollView.h	Thu Aug 16 09:11:58 2018 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2009 Holger Hans Peter Freyther
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33,6 +33,7 @@
 #include "ScrollTypes.h"
 #include "Widget.h"
 #include <wtf/HashSet.h>
+#include <wtf/WeakPtr.h>
 
 #if PLATFORM(IOS)
 
@@ -371,6 +372,8 @@
     void setAllowsUnclampedScrollPositionForTesting(bool allowsUnclampedScrollPosition) { m_allowsUnclampedScrollPosition = allowsUnclampedScrollPosition; }
     bool allowsUnclampedScrollPosition() const { return m_allowsUnclampedScrollPosition; }
 
+    auto& weakPtrFactory() const { return m_weakPtrFactory; }
+
 protected:
     ScrollView();
 
@@ -457,6 +460,8 @@
 
     IntPoint m_panScrollIconPoint;
 
+    WeakPtrFactory<ScrollView> m_weakPtrFactory;
+
     bool m_horizontalScrollbarLock { false };
     bool m_verticalScrollbarLock { false };
 
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/Widget.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/Widget.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2006, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -34,7 +34,6 @@
 
 void Widget::init(PlatformWidget widget)
 {
-    m_parent = 0;
     m_selfVisible = false;
     m_parentVisible = false;
     m_widget = widget;
@@ -47,7 +46,7 @@
     ASSERT(!view || !m_parent);
     if (!view || !view->isVisible())
         setParentVisible(false);
-    m_parent = view;
+    m_parent = view ? makeWeakPtr(*view) : nullptr;
     if (view && view->isVisible())
         setParentVisible(true);
 }
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/Widget.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/Widget.h	Thu Aug 16 09:11:58 2018 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2016 Apple Inc.  All rights reserved.
+ * Copyright (C) 2004-2018 Apple Inc.  All rights reserved.
  * Copyright (C) 2008 Collabora Ltd.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -145,7 +145,7 @@
 
     WEBCORE_EXPORT void removeFromParent();
     WEBCORE_EXPORT virtual void setParent(ScrollView* view);
-    ScrollView* parent() const { return m_parent; }
+    ScrollView* parent() const { return m_parent.get(); }
     FrameView* root() const;
 
     virtual void handleEvent(Event&) { }
@@ -209,7 +209,7 @@
     static IntPoint convertFromContainingWindowToRoot(const Widget* rootWidget, const IntPoint&);
 
 private:
-    ScrollView* m_parent;
+    WeakPtr<ScrollView> m_parent;
 #if !PLATFORM(COCOA)
     PlatformWidget m_widget;
 #else
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.h	Thu Aug 16 09:11:58 2018 +0530
@@ -117,7 +117,6 @@
     void setRepaintCount(int);
     void setContentsLayer(TextureMapperPlatformLayer*);
     void setAnimations(const TextureMapperAnimations&);
-    const TextureMapperAnimations& animations() const { return m_animations; }
     void setFixedToViewport(bool);
     bool fixedToViewport() const { return m_fixedToViewport; }
     void setBackingStore(RefPtr<TextureMapperBackingStore>&&);
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp	Thu Aug 16 09:11:58 2018 +0530
@@ -171,24 +171,28 @@
 void CoordinatedGraphicsLayer::addChild(GraphicsLayer* layer)
 {
     GraphicsLayer::addChild(layer);
+    downcast<CoordinatedGraphicsLayer>(*layer).setCoordinatorIncludingSubLayersIfNeeded(m_coordinator);
     didChangeChildren();
 }
 
 void CoordinatedGraphicsLayer::addChildAtIndex(GraphicsLayer* layer, int index)
 {
     GraphicsLayer::addChildAtIndex(layer, index);
+    downcast<CoordinatedGraphicsLayer>(*layer).setCoordinatorIncludingSubLayersIfNeeded(m_coordinator);
     didChangeChildren();
 }
 
 void CoordinatedGraphicsLayer::addChildAbove(GraphicsLayer* layer, GraphicsLayer* sibling)
 {
     GraphicsLayer::addChildAbove(layer, sibling);
+    downcast<CoordinatedGraphicsLayer>(*layer).setCoordinatorIncludingSubLayersIfNeeded(m_coordinator);
     didChangeChildren();
 }
 
 void CoordinatedGraphicsLayer::addChildBelow(GraphicsLayer* layer, GraphicsLayer* sibling)
 {
     GraphicsLayer::addChildBelow(layer, sibling);
+    downcast<CoordinatedGraphicsLayer>(*layer).setCoordinatorIncludingSubLayersIfNeeded(m_coordinator);
     didChangeChildren();
 }
 
@@ -197,6 +201,7 @@
     bool ok = GraphicsLayer::replaceChild(oldChild, newChild);
     if (!ok)
         return false;
+    downcast<CoordinatedGraphicsLayer>(*newChild).setCoordinatorIncludingSubLayersIfNeeded(m_coordinator);
     didChangeChildren();
     return true;
 }
@@ -1017,6 +1022,33 @@
     m_coordinator = coordinator;
 }
 
+void CoordinatedGraphicsLayer::setCoordinatorIncludingSubLayersIfNeeded(CoordinatedGraphicsLayerClient* coordinator)
+{
+    if (m_coordinator == coordinator)
+        return;
+
+    // If the coordinators are different it means that we are attaching a layer that was created by a different
+    // CompositingCoordinator than the current one. This happens because the layer was taken out of the tree
+    // and then added back after AC was disabled and enabled again. We need to set the new coordinator to the
+    // layer and its children.
+    //
+    // During each layer flush, the state stores the values that have changed since the previous one, and these
+    // are updated once in the scene. When adding CoordinatedGraphicsLayers back to the tree, the fields that
+    // are not updated during the next flush won't be sent to the scene, so they won't be updated there and the
+    // rendering will fail.
+    //
+    // For example the drawsContent flag. This is set when the layer is created and is not updated anymore (unless
+    // the content changes). When the layer is added back to the tree, the state won't reflect any change in the
+    // flag value, so the scene won't update it and the layer won't be rendered.
+    //
+    // We need to update here the layer changeMask so the scene gets all the current values.
+    m_layerState.changeMask = UINT_MAX;
+
+    coordinator->attachLayer(this);
+    for (auto& child : children())
+        downcast<CoordinatedGraphicsLayer>(*child).setCoordinatorIncludingSubLayersIfNeeded(coordinator);
+}
+
 void CoordinatedGraphicsLayer::setNeedsVisibleRectAdjustment()
 {
     if (shouldHaveBackingStore())
@@ -1108,8 +1140,7 @@
 
 bool CoordinatedGraphicsLayer::shouldHaveBackingStore() const
 {
-    return drawsContent() && contentsAreVisible() && !m_size.isEmpty()
-        && (!!opacity() || m_animations.hasActiveAnimationsOfType(AnimatedPropertyOpacity));
+    return drawsContent() && contentsAreVisible() && !m_size.isEmpty();
 }
 
 bool CoordinatedGraphicsLayer::selfOrAncestorHasActiveTransformAnimation() const
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h	Wed Aug 15 11:56:19 2018 -0700
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.h	Thu Aug 16 09:11:58 2018 +0530
@@ -52,6 +52,7 @@
     virtual FloatRect visibleContentsRect() const = 0;
     virtual Ref<CoordinatedImageBacking> createImageBackingIfNeeded(Image&) = 0;
     virtual void detachLayer(CoordinatedGraphicsLayer*) = 0;
+    virtual void attachLayer(CoordinatedGraphicsLayer*) = 0;
     virtual Ref<Nicosia::Buffer> getCoordinatedBuffer(const IntSize&, Nicosia::Buffer::Flags, uint32_t&, IntRect&) = 0;
     virtual Nicosia::PaintingEngine& paintingEngine() = 0;
 
@@ -138,6 +139,7 @@
     void removeTile(uint32_t tileID) override;
 
     void setCoordinator(CoordinatedGraphicsLayerClient*);
+    void setCoordinatorIncludingSubLayersIfNeeded(CoordinatedGraphicsLayerClient*);
 
     void setNeedsVisibleRectAdjustment();
     void purgeBackingStores();