changeset 11202:f6e1bb859eb5

8219539: Cherry pick GTK WebKit 2.22.6 changes Reviewed-by: mbilla, kcr
author arajkumar
date Sun, 24 Feb 2019 13:23:28 +0530
parents 0ee0cd385816
children 5ee37427d89a
files modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/InByIdStatus.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PropertyCondition.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSFunction.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObject.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObject.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObjectInlines.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/LiteralParser.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/LiteralParser.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/PropertyDescriptor.cpp modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/PropertySlot.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/ScopedArguments.h modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/VM.h modules/javafx.web/src/main/native/Source/WTF/wtf/Gigacage.cpp modules/javafx.web/src/main/native/Source/WTF/wtf/Gigacage.h modules/javafx.web/src/main/native/Source/WTF/wtf/WorkQueue.cpp modules/javafx.web/src/main/native/Source/WebCore/Modules/fetch/FetchResponse.cpp modules/javafx.web/src/main/native/Source/WebCore/Sources.txt modules/javafx.web/src/main/native/Source/WebCore/bindings/js/JSMicrotaskCallback.h modules/javafx.web/src/main/native/Source/WebCore/bindings/js/JSSVGViewSpecCustom.cpp modules/javafx.web/src/main/native/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm modules/javafx.web/src/main/native/Source/WebCore/html/URLUtils.h modules/javafx.web/src/main/native/Source/WebCore/loader/DocumentLoader.cpp 
modules/javafx.web/src/main/native/Source/WebCore/page/Frame.cpp modules/javafx.web/src/main/native/Source/WebCore/page/FrameView.cpp modules/javafx.web/src/main/native/Source/WebCore/page/PrintContext.cpp modules/javafx.web/src/main/native/Source/WebCore/page/PrintContext.h modules/javafx.web/src/main/native/Source/WebCore/page/scrolling/ScrollingThread.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/ScrollAnimationKinetic.cpp modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/glx/GLContextGLX.cpp modules/javafx.web/src/main/native/Source/WebCore/svg/SVGElement.h modules/javafx.web/src/main/native/Source/WebCore/svg/SVGPathElement.h modules/javafx.web/src/main/native/Source/WebCore/svg/SVGViewSpec.cpp modules/javafx.web/src/main/native/Source/WebCore/svg/SVGViewSpec.h modules/javafx.web/src/main/native/Source/WebCore/svg/SVGViewSpec.idl modules/javafx.web/src/main/native/Source/WebCore/svg/properties/SVGAttributeOwnerProxy.cpp modules/javafx.web/src/main/native/Source/WebCore/svg/properties/SVGAttributeOwnerProxy.h modules/javafx.web/src/main/native/Source/WebCore/svg/properties/SVGAttributeOwnerProxyImpl.h modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/BAssert.h modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/Gigacage.cpp modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/Gigacage.h modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/HeapKind.h
diffstat 44 files changed, 378 insertions(+), 124 deletions(-) [+]
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -73,7 +73,7 @@
         PropertyOffset offset = structure->getConcurrently(uid, attributes);
         if (!isValidOffset(offset))
             return GetByIdStatus(NoInformation, false);
-        if (attributes & PropertyAttribute::CustomAccessor)
+        if (attributes & PropertyAttribute::CustomAccessorOrValue)
             return GetByIdStatus(NoInformation, false);
 
         return GetByIdStatus(Simple, false, GetByIdVariant(StructureSet(structure), offset));
@@ -168,7 +168,7 @@
         variant.m_offset = structure->getConcurrently(uid, attributes);
         if (!isValidOffset(variant.m_offset))
             return GetByIdStatus(JSC::slowVersion(summary));
-        if (attributes & PropertyAttribute::CustomAccessor)
+        if (attributes & PropertyAttribute::CustomAccessorOrValue)
             return GetByIdStatus(JSC::slowVersion(summary));
 
         variant.m_structureSet.add(structure);
@@ -367,7 +367,7 @@
             return GetByIdStatus(TakesSlowPath); // It's probably a prototype lookup. Give up on life for now, even though we could totally be way smarter about it.
         if (attributes & PropertyAttribute::Accessor)
             return GetByIdStatus(MakesCalls); // We could be smarter here, like strength-reducing this to a Call.
-        if (attributes & PropertyAttribute::CustomAccessor)
+        if (attributes & PropertyAttribute::CustomAccessorOrValue)
             return GetByIdStatus(TakesSlowPath);
 
         if (!result.appendVariant(GetByIdVariant(structure, offset)))
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/InByIdStatus.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/InByIdStatus.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -139,7 +139,7 @@
         variant.m_offset = structure->getConcurrently(uid, attributes);
         if (!isValidOffset(variant.m_offset))
             return InByIdStatus(TakesSlowPath);
-        if (attributes & PropertyAttribute::CustomAccessor)
+        if (attributes & PropertyAttribute::CustomAccessorOrValue)
             return InByIdStatus(TakesSlowPath);
 
         variant.m_structureSet.add(structure);
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PropertyCondition.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PropertyCondition.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -161,7 +161,7 @@
         unsigned currentAttributes;
         PropertyOffset currentOffset = structure->getConcurrently(uid(), currentAttributes);
         if (currentOffset != invalidOffset) {
-            if (currentAttributes & (PropertyAttribute::ReadOnly | PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor)) {
+            if (currentAttributes & (PropertyAttribute::ReadOnly | PropertyAttribute::Accessor | PropertyAttribute::CustomAccessorOrValue)) {
                 if (PropertyConditionInternal::verbose) {
                     dataLog(
                         "Invalid because we expected not to have a setter, but we have one at offset ",
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -305,7 +305,7 @@
         unsigned attributes;
         PropertyOffset offset = structure->getConcurrently(uid, attributes);
         if (isValidOffset(offset)) {
-            if (attributes & PropertyAttribute::CustomAccessor)
+            if (attributes & PropertyAttribute::CustomAccessorOrValue)
                 return PutByIdStatus(MakesCalls);
 
             if (attributes & (PropertyAttribute::Accessor | PropertyAttribute::ReadOnly))
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSFunction.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSFunction.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -645,7 +645,7 @@
     unsigned attributes;
     // This function may be called when the mutator isn't running and we are lazily generating a stack trace.
     PropertyOffset offset = structure->getConcurrently(vm.propertyNames->displayName.impl(), attributes);
-    if (offset != invalidOffset && !(attributes & (PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor))) {
+    if (offset != invalidOffset && !(attributes & (PropertyAttribute::Accessor | PropertyAttribute::CustomAccessorOrValue))) {
         JSValue displayName = object->getDirect(offset);
         if (displayName && displayName.isString())
             return asString(displayName)->tryGetValue();
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObject.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObject.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -1866,9 +1866,15 @@
     return putDirectNonIndexAccessor(exec->vm(), propertyName, accessor, attributes);
 }
 
+// FIXME: Introduce a JSObject::putDirectCustomValue() method instead of using
+// JSObject::putDirectCustomAccessor() to put CustomValues.
+// https://bugs.webkit.org/show_bug.cgi?id=192576
 bool JSObject::putDirectCustomAccessor(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
 {
     ASSERT(!parseIndex(propertyName));
+    ASSERT(value.isCustomGetterSetter());
+    if (!(attributes & PropertyAttribute::CustomAccessor))
+        attributes |= PropertyAttribute::CustomValue;
 
     PutPropertySlot slot(this);
     bool result = putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, value, attributes, slot);
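Review bot: The new contract of putDirectCustomAccessor — `value` must be a CustomGetterSetter, and attributes lacking CustomAccessor are silently widened with CustomValue on L99-L100 — is enforced only by a debug ASSERT and is not written down anywhere a caller would look. That attribute bit is what later code relies on to know the stored cell is a CustomGetterSetter (fillCustomGetterPropertySlot asserts CustomAccessorOrValue, and PropertyDescriptor masks CustomValue off so JS sees a plain value), so a one-line why above the `if` would help: `// A CustomGetterSetter stored without CustomAccessor is a CustomValue: JS observes it as a plain data property, but the structure must still record that the slot holds a CustomGetterSetter.` The FIXME already covers the naming; the function body continues below the hunk.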
@@ -1884,6 +1890,7 @@
 
 bool JSObject::putDirectNonIndexAccessor(VM& vm, PropertyName propertyName, GetterSetter* accessor, unsigned attributes)
 {
+    ASSERT(attributes & PropertyAttribute::Accessor);
     PutPropertySlot slot(this);
     bool result = putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, accessor, attributes, slot);
 
@@ -3000,6 +3007,7 @@
 bool JSObject::putDirectIndexSlowOrBeyondVectorLength(ExecState* exec, unsigned i, JSValue value, unsigned attributes, PutDirectIndexMode mode)
 {
     VM& vm = exec->vm();
+    ASSERT(!value.isCustomGetterSetter());
 
     if (!canDoFastPutDirectIndex(vm, this)) {
         PropertyDescriptor descriptor;
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObject.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObject.h	Sun Feb 24 13:23:28 2019 +0530
@@ -217,6 +217,7 @@
     // otherwise, it creates a property with the provided attributes. Semantically, this is performing defineOwnProperty.
     bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value, unsigned attributes, PutDirectIndexMode mode)
     {
+        ASSERT(!value.isCustomGetterSetter());
         auto canSetIndexQuicklyForPutDirect = [&] () -> bool {
             switch (indexingMode()) {
             case ALL_BLANK_INDEXING_TYPES:
@@ -1374,6 +1375,7 @@
 
 ALWAYS_INLINE void JSObject::fillCustomGetterPropertySlot(VM& vm, PropertySlot& slot, CustomGetterSetter* customGetterSetter, unsigned attributes, Structure* structure)
 {
+    ASSERT(attributes & PropertyAttribute::CustomAccessorOrValue);
     if (customGetterSetter->inherits<DOMAttributeGetterSetter>(vm)) {
         auto* domAttribute = jsCast<DOMAttributeGetterSetter*>(customGetterSetter);
         if (structure->isUncacheableDictionary())
@@ -1499,7 +1501,7 @@
 inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
 {
     ASSERT(!value.isGetterSetter() && !(attributes & PropertyAttribute::Accessor));
-    ASSERT(!value.isCustomGetterSetter());
+    ASSERT(!value.isCustomGetterSetter() && !(attributes & PropertyAttribute::CustomAccessorOrValue));
     PutPropertySlot slot(this);
     return putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, value, attributes, slot);
 }
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObjectInlines.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSObjectInlines.h	Sun Feb 24 13:23:28 2019 +0530
@@ -279,6 +279,7 @@
 {
     ASSERT(value);
     ASSERT(value.isGetterSetter() == !!(attributes & PropertyAttribute::Accessor));
+    ASSERT(value.isCustomGetterSetter() == !!(attributes & PropertyAttribute::CustomAccessorOrValue));
     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
     ASSERT(!parseIndex(propertyName));
 
@@ -297,7 +298,7 @@
             putDirect(vm, offset, value);
             structure->didReplaceProperty(offset);
 
-            if ((attributes & PropertyAttribute::Accessor) != (currentAttributes & PropertyAttribute::Accessor) || (attributes & PropertyAttribute::CustomAccessor) != (currentAttributes & PropertyAttribute::CustomAccessor)) {
+            if ((attributes & PropertyAttribute::Accessor) != (currentAttributes & PropertyAttribute::Accessor) || (attributes & PropertyAttribute::CustomAccessorOrValue) != (currentAttributes & PropertyAttribute::CustomAccessorOrValue)) {
                 ASSERT(!(attributes & PropertyAttribute::ReadOnly));
                 setStructure(vm, Structure::attributeChangeTransition(vm, structure, propertyName, attributes));
             } else
@@ -360,7 +361,7 @@
 
         putDirect(vm, offset, value);
 
-        if ((attributes & PropertyAttribute::Accessor) != (currentAttributes & PropertyAttribute::Accessor) || (attributes & PropertyAttribute::CustomAccessor) != (currentAttributes & PropertyAttribute::CustomAccessor)) {
+        if ((attributes & PropertyAttribute::Accessor) != (currentAttributes & PropertyAttribute::Accessor) || (attributes & PropertyAttribute::CustomAccessorOrValue) != (currentAttributes & PropertyAttribute::CustomAccessorOrValue)) {
             ASSERT(!(attributes & PropertyAttribute::ReadOnly));
             setStructure(vm, Structure::attributeChangeTransition(vm, structure, propertyName, attributes));
         } else
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h	Sun Feb 24 13:23:28 2019 +0530
@@ -135,8 +135,9 @@
     bool sawPolyProto;
     bool successfullyNormalizedChain = normalizePrototypeChain(exec, base, sawPolyProto) != InvalidPrototypeChain;
 
-    enumerator = JSPropertyNameEnumerator::create(vm, structure, indexedLength, numberStructureProperties, WTFMove(propertyNames));
-    if (!indexedLength && successfullyNormalizedChain && base->structure(vm) == structure) {
+    Structure* structureAfterGettingPropertyNames = base->structure(vm);
+    enumerator = JSPropertyNameEnumerator::create(vm, structureAfterGettingPropertyNames, indexedLength, numberStructureProperties, WTFMove(propertyNames));
+    if (!indexedLength && successfullyNormalizedChain && structureAfterGettingPropertyNames == structure) {
         enumerator->setCachedPrototypeChain(vm, structure->prototypeChain(exec, base));
         if (structure->canCachePropertyNameEnumerator())
             structure->setCachedPropertyNameEnumerator(vm, enumerator);
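Review bot: Nothing in the hunk says why the enumerator is now built from `base->structure(vm)` re-read on L183 rather than the `structure` captured earlier, and the guard on L185 only makes sense with that reason stated. Presumably collecting the property names can run script or otherwise transition the object's structure, so an enumerator created for the stale structure would describe a layout the object no longer has — confirm against the code above the hunk. Suggested comment above L183: `// Getting the property names may have transitioned the object's structure; build the enumerator for the current one, and only cache it when nothing changed.` The enclosing function starts before the hunk.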
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/LiteralParser.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/LiteralParser.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -37,6 +37,7 @@
 #include "StrongInlines.h"
 #include <wtf/ASCIICType.h>
 #include <wtf/dtoa.h>
+#include <wtf/text/StringConcatenate.h>
 
 namespace JSC {
 
@@ -515,7 +516,7 @@
             return tokenType;
         }
     }
-    m_lexErrorMessage = String::format("Unrecognized token '%c'", *m_ptr);
+    m_lexErrorMessage = makeString("Unrecognized token '", StringView { m_ptr, 1 }, '\'');
     return TokError;
 }
 
@@ -673,7 +674,7 @@
                     } // uNNNN == 5 characters
                     for (int i = 1; i < 5; i++) {
                         if (!isASCIIHexDigit(m_ptr[i])) {
-                            m_lexErrorMessage = String::format("\"\\%s\" is not a valid unicode escape", String(m_ptr, 5).ascii().data());
+                            m_lexErrorMessage = makeString("\"\\", StringView { m_ptr, 5 }, "\" is not a valid unicode escape");
                             return TokError;
                         }
                     }
@@ -687,7 +688,7 @@
                         m_ptr++;
                         break;
                     }
-                    m_lexErrorMessage = String::format("Invalid escape character %c", *m_ptr);
+                    m_lexErrorMessage = makeString("Invalid escape character ", StringView { m_ptr, 1 });
                     return TokError;
             }
         }
@@ -995,9 +996,9 @@
                     case TokIdentifier: {
                         typename Lexer::LiteralParserTokenPtr token = m_lexer.currentToken();
                         if (token->stringIs8Bit)
-                            m_parseErrorMessage = String::format("Unexpected identifier \"%s\"", String(token->stringToken8, token->stringLength).ascii().data());
+                            m_parseErrorMessage = makeString("Unexpected identifier \"", StringView { token->stringToken8, token->stringLength }, '"');
                         else
-                            m_parseErrorMessage = String::format("Unexpected identifier \"%s\"", String(token->stringToken16, token->stringLength).ascii().data());
+                            m_parseErrorMessage = makeString("Unexpected identifier \"", StringView { token->stringToken16, token->stringLength }, '"');
                         return JSValue();
                     }
                     case TokColon:
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/LiteralParser.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/LiteralParser.h	Sun Feb 24 13:23:28 2019 +0530
@@ -102,9 +102,9 @@
     String getErrorMessage()
     {
         if (!m_lexer.getErrorMessage().isEmpty())
-            return String::format("JSON Parse error: %s", m_lexer.getErrorMessage().ascii().data());
+            return "JSON Parse error: " + m_lexer.getErrorMessage();
         if (!m_parseErrorMessage.isEmpty())
-            return String::format("JSON Parse error: %s", m_parseErrorMessage.ascii().data());
+            return "JSON Parse error: " + m_parseErrorMessage;
         return "JSON Parse error: Unable to parse JSON string"_s;
     }
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/PropertyDescriptor.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/PropertyDescriptor.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -109,7 +109,13 @@
 {
     ASSERT(value);
 
-    m_attributes = attributes;
+    // We need to mask off the PropertyAttribute::CustomValue bit because
+    // PropertyDescriptor::attributesEqual() does an equivalent test on
+    // m_attributes, and a property that has a CustomValue should be indistinguishable
+    // from a property that has a normal value as far as JS code is concerned.
+    // PropertyAttribute does not need knowledge of the underlying implementation
+    // actually being a CustomValue. So, we'll just mask it off up front here.
+    m_attributes = attributes & ~PropertyAttribute::CustomValue;
     if (value.isGetterSetter()) {
         m_attributes &= ~PropertyAttribute::ReadOnly; // FIXME: we should be able to ASSERT this!
 
@@ -125,6 +131,7 @@
 
 void PropertyDescriptor::setCustomDescriptor(unsigned attributes)
 {
+    ASSERT(!(attributes & PropertyAttribute::CustomValue));
     m_attributes = attributes | PropertyAttribute::Accessor | PropertyAttribute::CustomAccessor;
     m_attributes &= ~PropertyAttribute::ReadOnly;
     m_seenAttributes = EnumerablePresent | ConfigurablePresent;
@@ -136,6 +143,7 @@
 void PropertyDescriptor::setAccessorDescriptor(GetterSetter* accessor, unsigned attributes)
 {
     ASSERT(attributes & PropertyAttribute::Accessor);
+    ASSERT(!(attributes & PropertyAttribute::CustomValue));
     attributes &= ~PropertyAttribute::ReadOnly; // FIXME: we should be able to ASSERT this!
 
     m_attributes = attributes;
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/PropertySlot.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/PropertySlot.h	Sun Feb 24 13:23:28 2019 +0530
@@ -43,6 +43,8 @@
     DontDelete        = 1 << 3,  // property can't be deleted
     Accessor          = 1 << 4,  // property is a getter/setter
     CustomAccessor    = 1 << 5,
+    CustomValue       = 1 << 6,
+    CustomAccessorOrValue = CustomAccessor | CustomValue,
 
     // Things that are used by static hashtables are not in the attributes byte in PropertyMapEntry.
     Function          = 1 << 8,  // property is a function - only used by static hashtables
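Review bot: The two new enumerators on L291-L292 are the only entries in this block without a trailing comment, and `CustomValue` is the one whose meaning is least obvious from its name. From its uses elsewhere in this changeset (PropertyDescriptor::setDescriptor masks it off so the property looks like a normal value; JSObject::putDirectCustomAccessor sets it when a CustomGetterSetter is stored without CustomAccessor), something like `CustomValue       = 1 << 6,  // slot holds a CustomGetterSetter but is observed by JS as a plain data property` and `CustomAccessorOrValue = CustomAccessor | CustomValue,  // slot holds a CustomGetterSetter of either kind` would state the invariant where readers look for it. Bit 6 is still inside the attributes byte that the following comment refers to, so that layout note stays valid.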
@@ -299,6 +301,7 @@
     void setCustomGetterSetter(JSObject* slotBase, unsigned attributes, CustomGetterSetter* getterSetter)
     {
         ASSERT(attributes == attributesForStructure(attributes));
+        ASSERT(attributes & PropertyAttribute::CustomAccessor);
 
         disableCaching();
 
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/ScopedArguments.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/ScopedArguments.h	Sun Feb 24 13:23:28 2019 +0530
@@ -74,8 +74,13 @@
     uint32_t length(ExecState* exec) const
     {
         VM& vm = exec->vm();
-        if (UNLIKELY(storageHeader().overrodeThings))
-            return get(exec, vm.propertyNames->length).toUInt32(exec);
+        auto scope = DECLARE_THROW_SCOPE(vm);
+        if (UNLIKELY(storageHeader().overrodeThings)) {
+            auto value = get(exec, vm.propertyNames->length);
+            RETURN_IF_EXCEPTION(scope, 0);
+            scope.release();
+            return value.toUInt32(exec);
+        }
         return internalLength();
     }
 
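Review bot: length() now returns 0 when the `get()` on L314 throws, and that sentinel is indistinguishable from a genuine zero length, so every caller must check for a pending exception after the call; nothing at the declaration says so. Suggest a comment on the signature: `// Returns 0 with an exception pending if an overridden length getter throws; callers must check the exception state.` Note also that `toUInt32(exec)` on L317 can presumably run script and throw after `scope.release()`, which is the usual tail-call pattern but means the 0 sentinel is not the only exceptional exit.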
--- a/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/VM.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/JavaScriptCore/runtime/VM.h	Sun Feb 24 13:23:28 2019 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -344,6 +344,8 @@
     ALWAYS_INLINE CompleteSubspace& gigacageAuxiliarySpace(Gigacage::Kind kind)
     {
         switch (kind) {
+        case Gigacage::ReservedForFlagsAndNotABasePtr:
+            RELEASE_ASSERT_NOT_REACHED();
         case Gigacage::Primitive:
             return primitiveGigacageAuxiliarySpace;
         case Gigacage::JSValue:
--- a/modules/javafx.web/src/main/native/Source/WTF/wtf/Gigacage.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WTF/wtf/Gigacage.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -41,9 +41,10 @@
     return FastMalloc::tryMalloc(size);
 }
 
-void* tryAllocateZeroedVirtualPages(Kind, size_t size)
+void* tryAllocateZeroedVirtualPages(Kind, size_t requestedSize)
 {
-    size = roundUpToMultipleOf(WTF::pageSize(), size);
+    size_t size = roundUpToMultipleOf(WTF::pageSize(), requestedSize);
+    RELEASE_ASSERT(size >= requestedSize);
     void* result = OSAllocator::reserveAndCommit(size);
 #if !ASSERT_DISABLED
     if (result) {
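Review bot: The new `RELEASE_ASSERT(size >= requestedSize)` on L351 is the important part of this hunk and deserves a one-line why, because it reads like a tautology: rounding `requestedSize` up to a page multiple can wrap to a small value when the request is within a page of SIZE_MAX, and without the check reserveAndCommit would hand back a mapping smaller than what the caller asked for. Suggest: `// roundUpToMultipleOf() can wrap for sizes near SIZE_MAX; never hand back a mapping smaller than requested.` The rest of the function (the debug-only zero check) continues below the hunk.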
--- a/modules/javafx.web/src/main/native/Source/WTF/wtf/Gigacage.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WTF/wtf/Gigacage.h	Sun Feb 24 13:23:28 2019 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -40,15 +40,20 @@
 namespace Gigacage {
 
 struct BasePtrs {
+    uintptr_t reservedForFlags;
     void* primitive;
     void* jsValue;
 };
 
 enum Kind {
+    ReservedForFlagsAndNotABasePtr = 0,
     Primitive,
     JSValue,
 };
 
+static_assert(offsetof(BasePtrs, primitive) == Kind::Primitive * sizeof(void*), "");
+static_assert(offsetof(BasePtrs, jsValue) == Kind::JSValue * sizeof(void*), "");
+
 inline void ensureGigacage() { }
 inline void disablePrimitiveGigacage() { }
 inline bool shouldBeEnabled() { return false; }
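Review bot: The static_asserts on L379-L380 pin `primitive` and `jsValue` to their Kind indices but leave the new slot unchecked; adding `static_assert(offsetof(BasePtrs, reservedForFlags) == Kind::ReservedForFlagsAndNotABasePtr * sizeof(void*), "");` makes the "Kind indexes BasePtrs" layout explicit for all three members (the existing two already imply `sizeof(uintptr_t) == sizeof(void*)`). `offsetof` needs `<cstddef>`; the include block is above the hunk, so check it is there. The `reservedForFlags` member and the `ReservedForFlagsAndNotABasePtr` kind also lack a comment saying who owns the flags word, and the bmalloc Gigacage.h in this changeset presumably mirrors this layout and should carry the same note.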
@@ -65,6 +70,8 @@
 ALWAYS_INLINE const char* name(Kind kind)
 {
     switch (kind) {
+    case ReservedForFlagsAndNotABasePtr:
+        RELEASE_ASSERT_NOT_REACHED();
     case Primitive:
         return "Primitive";
     case JSValue:
@@ -77,6 +84,8 @@
 ALWAYS_INLINE void*& basePtr(BasePtrs& basePtrs, Kind kind)
 {
     switch (kind) {
+    case ReservedForFlagsAndNotABasePtr:
+        RELEASE_ASSERT_NOT_REACHED();
     case Primitive:
         return basePtrs.primitive;
     case JSValue:
--- a/modules/javafx.web/src/main/native/Source/WTF/wtf/WorkQueue.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WTF/wtf/WorkQueue.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -75,7 +75,7 @@
 
             m_workers.reserveInitialCapacity(threadCount);
             for (unsigned i = 0; i < threadCount; ++i) {
-                m_workers.append(Thread::create(String::format("ThreadPool Worker %u", i).utf8().data(), [this] {
+                m_workers.append(Thread::create("ThreadPool Worker", [this] {
                     threadBody();
                 }));
             }
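Review bot: The worker threads now all carry the same name, so the per-worker index that `%u` used to add is gone from debuggers and profilers, and the hunk gives no reason. If the motivation is that Thread::create keeps the `const char*` it is given (so the old `String::format(...).utf8().data()` pointed into a temporary destroyed at the end of the statement), that is a real dangling-pointer fix worth recording: `// Thread::create retains the name pointer, so it must outlive the thread: use a literal, not a formatted temporary.` — confirm against Thread::create before adopting the wording.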
--- a/modules/javafx.web/src/main/native/Source/WebCore/Modules/fetch/FetchResponse.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/Modules/fetch/FetchResponse.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -205,7 +205,7 @@
 const String& FetchResponse::url() const
 {
     if (m_responseURL.isNull()) {
-        URL url = m_internalResponse.url();
+        URL url = filteredResponse().url();
         url.removeFragmentIdentifier();
         m_responseURL = url.string();
     }
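Review bot: Switching url() from `m_internalResponse.url()` to `filteredResponse().url()` is a visibility change — for a filtered (e.g. opaque or redirect-filtered) response the internal response's URL can reveal where a cross-origin request actually ended up, while the filtered response is what the page is allowed to observe — but nothing in the code says so. Suggest a comment on L421: `// Use the filtered response: the internal response's URL may expose cross-origin redirect targets the page must not see.` Also note that `m_responseURL` caches the first answer; if the filtering of this response can change after the cache is populated (can't tell from here), the cached value would go stale — confirm.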
--- a/modules/javafx.web/src/main/native/Source/WebCore/Sources.txt	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/Sources.txt	Sun Feb 24 13:23:28 2019 +0530
@@ -439,6 +439,7 @@
 bindings/js/JSRemoteDOMWindowBase.cpp
 bindings/js/JSRemoteDOMWindowCustom.cpp
 bindings/js/JSSVGPathSegCustom.cpp
+bindings/js/JSSVGViewSpecCustom.cpp
 bindings/js/JSStyleSheetCustom.cpp
 bindings/js/JSServiceWorkerClientCustom.cpp
 bindings/js/JSServiceWorkerGlobalScopeCustom.cpp
@@ -2280,6 +2281,7 @@
 
 svg/properties/SVGAnimatedPathSegListPropertyTearOff.cpp
 svg/properties/SVGAnimatedProperty.cpp
+svg/properties/SVGAttributeOwnerProxy.cpp
 
 workers/AbstractWorker.cpp
 workers/DedicatedWorkerGlobalScope.cpp
--- a/modules/javafx.web/src/main/native/Source/WebCore/bindings/js/JSMicrotaskCallback.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/bindings/js/JSMicrotaskCallback.h	Sun Feb 24 13:23:28 2019 +0530
@@ -27,6 +27,7 @@
 #pragma once
 
 #include "JSExecState.h"
+#include <JavaScriptCore/VM.h>
 
 namespace WebCore {
 
@@ -40,8 +41,8 @@
     void call()
     {
         auto protectedThis { makeRef(*this) };
-        VM& vm = m_globalObject->vm();
-        JSLockHolder lock(vm);
+        JSC::VM& vm = m_globalObject->vm();
+        JSC::JSLockHolder lock(vm);
         auto scope = DECLARE_THROW_SCOPE(vm);
         JSExecState::runTask(m_globalObject->globalExec(), m_task);
         scope.assertNoException();
@@ -54,7 +55,7 @@
     {
     }
 
-    Strong<JSDOMGlobalObject> m_globalObject;
+    JSC::Strong<JSDOMGlobalObject> m_globalObject;
     Ref<JSC::Microtask> m_task;
 };
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/javafx.web/src/main/native/Source/WebCore/bindings/js/JSSVGViewSpecCustom.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSSVGViewSpec.h"
+
+#include "JSNode.h"
+
+namespace WebCore {
+
+void JSSVGViewSpec::visitAdditionalChildren(JSC::SlotVisitor& visitor)
+{
+    ASSERT(wrapped().contextElementConcurrently().get());
+    visitor.addOpaqueRoot(root(wrapped().contextElementConcurrently().get()));
+}
+
+}
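Review bot: `wrapped().contextElementConcurrently()` is evaluated twice in visitAdditionalChildren (L510 and L511); if it returns a fresh smart pointer or reads a weak reference each time, the value the ASSERT checked is not necessarily the one passed to `root()`, and in release builds the ASSERT is gone entirely. Fetching it once keeps the check and the use on the same object: `auto contextElement = wrapped().contextElementConcurrently();` / `ASSERT(contextElement);` / `visitor.addOpaqueRoot(root(contextElement.get()));`. The "Concurrently" suffix suggests this runs on a GC thread, which makes the single read more important — confirm what the accessor returns.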
--- a/modules/javafx.web/src/main/native/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm	Sun Feb 24 13:23:28 2019 +0530
@@ -4445,7 +4445,7 @@
         } else {
             push(@implContent, "    JSValue constructor = ${className}Constructor::create(state->vm(), ${className}Constructor::createStructure(state->vm(), *prototype->globalObject(), prototype->globalObject()->objectPrototype()), *jsCast<JSDOMGlobalObject*>(prototype->globalObject()));\n");
             push(@implContent, "    // Shadowing constructor property to ensure reusing the same constructor object\n");
-            push(@implContent, "    prototype->putDirect(vm, vm.propertyNames->constructor, constructor, JSC::PropertyAttribute::DontEnum | JSC::PropertyAttribute::ReadOnly);\n");
+            push(@implContent, "    prototype->putDirect(vm, vm.propertyNames->constructor, constructor, static_cast<unsigned>(JSC::PropertyAttribute::DontEnum));\n");
             push(@implContent, "    return JSValue::encode(constructor);\n");
         }
         push(@implContent, "}\n\n");
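Review bot: The generated `putDirect` on L522 drops `ReadOnly`, so the shadowing `constructor` property becomes writable, and the emitted comment ("Shadowing constructor property to ensure reusing the same constructor object") no longer explains the attribute choice. If this is to match the ordinary `prototype.constructor` shape (writable, non-enumerable, configurable) or to satisfy the ReadOnly-related assertions in JSObjectInlines.h in this changeset, say which in the emitted comment, e.g. `// Shadowing constructor property to ensure reusing the same constructor object; writable + DontEnum matches an ordinary prototype.constructor.` — confirm the intent before adopting the wording.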
--- a/modules/javafx.web/src/main/native/Source/WebCore/html/URLUtils.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/html/URLUtils.h	Sun Feb 24 13:23:28 2019 +0530
@@ -90,6 +90,8 @@
 template <typename T>
 String URLUtils<T>::protocol() const
 {
+    if (protocolIsJavaScript(href()))
+        return "javascript:"_s;
     return makeString(href().protocol(), ':');
 }
 
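Review bot: The new special case on L532-L533 returns a fixed `"javascript:"` before the generic `makeString(href().protocol(), ':')`, and nothing says what was wrong with the generic path for javascript: URLs. Presumably such hrefs do not always parse into a URL whose protocol() is "javascript" (the parsed scheme may be empty or differ), so callers that branch on protocol() were getting an inconsistent answer — confirm against protocolIsJavaScript and the URL parser. Suggested comment above L532: `// javascript: hrefs may not parse to a URL with a usable scheme; report the scheme explicitly so callers see a consistent value.`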
--- a/modules/javafx.web/src/main/native/Source/WebCore/loader/DocumentLoader.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/loader/DocumentLoader.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -434,6 +434,8 @@
     if (!m_mainDocumentError.isNull())
         return;
     clearMainResourceLoader();
+    if (!frameLoader())
+        return;
     if (!frameLoader()->stateMachine().creatingInitialEmptyDocument())
         frameLoader()->checkLoadComplete();
 
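Review bot: After the new null check on L543, `frameLoader()` is still called twice more on L545-L546, and the hunk does not say when it can be null at this point (a frame detached while `clearMainResourceLoader()` ran, presumably). Caching the pointer makes the guard and the uses agree: `auto* loader = frameLoader();` / `if (!loader) return;` and then `loader` in place of the remaining `frameLoader()` calls. A short comment naming the detach case on the guard would also help; the enclosing function starts above the hunk.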
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/Frame.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/Frame.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -676,22 +676,23 @@
 
 void Frame::setPrinting(bool printing, const FloatSize& pageSize, const FloatSize& originalPageSize, float maximumShrinkRatio, AdjustViewSizeOrNot shouldAdjustViewSize)
 {
+    if (!view())
+        return;
     // In setting printing, we should not validate resources already cached for the document.
     // See https://bugs.webkit.org/show_bug.cgi?id=43704
     ResourceCacheValidationSuppressor validationSuppressor(m_doc->cachedResourceLoader());
 
     m_doc->setPrinting(printing);
-    if (auto* frameView = view()) {
-        frameView->adjustMediaTypeForPrinting(printing);
+    auto& frameView = *view();
+    frameView.adjustMediaTypeForPrinting(printing);
 
         m_doc->styleScope().didChangeStyleSheetEnvironment();
         if (shouldUsePrintingLayout())
-            frameView->forceLayoutForPagination(pageSize, originalPageSize, maximumShrinkRatio, shouldAdjustViewSize);
+        frameView.forceLayoutForPagination(pageSize, originalPageSize, maximumShrinkRatio, shouldAdjustViewSize);
         else {
-            frameView->forceLayout();
+        frameView.forceLayout();
             if (shouldAdjustViewSize == AdjustViewSize)
-                frameView->adjustViewSize();
-        }
+            frameView.adjustViewSize();
     }
 
     // Subframes of the one we're printing don't lay out to the page size.
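Review bot: The context lines that used to sit inside `if (auto* frameView = view()) { ... }` keep their old eight-space indentation (`m_doc->styleScope().didChangeStyleSheetEnvironment();`, `if (shouldUsePrintingLayout())`, `else {`, `if (shouldAdjustViewSize == AdjustViewSize)`) while the rewritten lines around them are at four spaces, so the new body of `setPrinting` mixes two indentation levels in one block; re-indent them to their new nesting. Separately, `auto& frameView = *view();` re-reads the view after `m_doc->setPrinting(printing)`; if setting the document's printing state can ever detach the view, that reference is formed from null, and if it cannot, hoisting the line up next to the `if (!view()) return;` guard makes that explicit. The function continues past the end of this hunk.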
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/FrameView.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/FrameView.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -4438,22 +4438,29 @@
 
 void FrameView::forceLayoutForPagination(const FloatSize& pageSize, const FloatSize& originalPageSize, float maximumShrinkFactor, AdjustViewSizeOrNot shouldAdjustViewSize)
 {
+    if (!renderView())
+        return;
+
+    Ref<FrameView> protectedThis(*this);
+    auto& renderView = *this->renderView();
+
     // Dumping externalRepresentation(frame().renderer()).ascii() is a good trick to see
     // the state of things before and after the layout
-    if (RenderView* renderView = this->renderView()) {
-        float pageLogicalWidth = renderView->style().isHorizontalWritingMode() ? pageSize.width() : pageSize.height();
-        float pageLogicalHeight = renderView->style().isHorizontalWritingMode() ? pageSize.height() : pageSize.width();
-
-        renderView->setPageLogicalSize({ floor(pageLogicalWidth), floor(pageLogicalHeight) });
-        renderView->setNeedsLayoutAndPrefWidthsRecalc();
+    float pageLogicalWidth = renderView.style().isHorizontalWritingMode() ? pageSize.width() : pageSize.height();
+    float pageLogicalHeight = renderView.style().isHorizontalWritingMode() ? pageSize.height() : pageSize.width();
+
+    renderView.setPageLogicalSize({ floor(pageLogicalWidth), floor(pageLogicalHeight) });
+    renderView.setNeedsLayoutAndPrefWidthsRecalc();
         forceLayout();
+    if (hasOneRef())
+        return;
 
         // If we don't fit in the given page width, we'll lay out again. If we don't fit in the
         // page width when shrunk, we will lay out at maximum shrink and clip extra content.
         // FIXME: We are assuming a shrink-to-fit printing implementation.  A cropping
         // implementation should not do this!
-        bool horizontalWritingMode = renderView->style().isHorizontalWritingMode();
-        const LayoutRect& documentRect = renderView->documentRect();
+    bool horizontalWritingMode = renderView.style().isHorizontalWritingMode();
+    const LayoutRect& documentRect = renderView.documentRect();
         LayoutUnit docLogicalWidth = horizontalWritingMode ? documentRect.width() : documentRect.height();
         if (docLogicalWidth > pageLogicalWidth) {
             int expectedPageWidth = std::min<float>(documentRect.width(), pageSize.width() * maximumShrinkFactor);
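Review bot: The `if (hasOneRef()) return;` after `forceLayout()` has no comment, and the reason it works is subtle: `protectedThis` holds exactly one ref, so `hasOneRef()` is true only when layout dropped every other owner, presumably because the frame tore this view down. I would write that down: `// protectedThis is the only ref left: layout destroyed our frame, so do not touch renderView.` Note also that `renderView` is a reference captured before `forceLayout()`; the guard covers the FrameView being destroyed, but if layout can destroy or replace the RenderView while this FrameView survives, the reference dangles — if that is possible, re-fetch `this->renderView()` after each forced layout instead. `forceLayoutForPagination` continues into the next hunk.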
@@ -4462,24 +4469,25 @@
             pageLogicalWidth = horizontalWritingMode ? maxPageSize.width() : maxPageSize.height();
             pageLogicalHeight = horizontalWritingMode ? maxPageSize.height() : maxPageSize.width();
 
-            renderView->setPageLogicalSize({ floor(pageLogicalWidth), floor(pageLogicalHeight) });
-            renderView->setNeedsLayoutAndPrefWidthsRecalc();
+        renderView.setPageLogicalSize({ floor(pageLogicalWidth), floor(pageLogicalHeight) });
+        renderView.setNeedsLayoutAndPrefWidthsRecalc();
             forceLayout();
-
-            const LayoutRect& updatedDocumentRect = renderView->documentRect();
+        if (hasOneRef())
+            return;
+
+        const LayoutRect& updatedDocumentRect = renderView.documentRect();
             LayoutUnit docLogicalHeight = horizontalWritingMode ? updatedDocumentRect.height() : updatedDocumentRect.width();
             LayoutUnit docLogicalTop = horizontalWritingMode ? updatedDocumentRect.y() : updatedDocumentRect.x();
             LayoutUnit docLogicalRight = horizontalWritingMode ? updatedDocumentRect.maxX() : updatedDocumentRect.maxY();
-            LayoutUnit clippedLogicalLeft = 0;
-            if (!renderView->style().isLeftToRightDirection())
+        LayoutUnit clippedLogicalLeft;
+        if (!renderView.style().isLeftToRightDirection())
                 clippedLogicalLeft = docLogicalRight - pageLogicalWidth;
             LayoutRect overflow(clippedLogicalLeft, docLogicalTop, pageLogicalWidth, docLogicalHeight);
 
             if (!horizontalWritingMode)
                 overflow = overflow.transposedRect();
-            renderView->clearLayoutOverflow();
-            renderView->addLayoutOverflow(overflow); // This is how we clip in case we overflow again.
-        }
+        renderView.clearLayoutOverflow();
+        renderView.addLayoutOverflow(overflow); // This is how we clip in case we overflow again.
     }
 
     if (shouldAdjustViewSize)
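Review bot: The context lines in this hunk still carry the indentation of the removed `if (RenderView* renderView = ...)` block — `forceLayout();`, the three `LayoutUnit docLogical...` declarations, `clippedLogicalLeft = docLogicalRight - pageLogicalWidth;`, `LayoutRect overflow(...)` and the `if (!horizontalWritingMode)` pair — while the rewritten lines beside them were moved left, so the new file alternates between two indentation levels inside one block. Re-indent those lines to match the surrounding rewritten code; the enclosing function begins in the previous hunk.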
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/PrintContext.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/PrintContext.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -34,7 +34,7 @@
 namespace WebCore {
 
 PrintContext::PrintContext(Frame* frame)
-    : m_frame(frame)
+    : FrameDestructionObserver(frame)
 {
 }
 
@@ -46,10 +46,14 @@
 
 void PrintContext::computePageRects(const FloatRect& printRect, float headerHeight, float footerHeight, float userScaleFactor, float& outPageHeight, bool allowHorizontalTiling)
 {
+    if (!frame())
+        return;
+
+    auto& frame = *this->frame();
     m_pageRects.clear();
     outPageHeight = 0;
 
-    if (!m_frame->document() || !m_frame->view() || !m_frame->document()->renderView())
+    if (!frame.document() || !frame.view() || !frame.document()->renderView())
         return;
 
     if (userScaleFactor <= 0) {
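Review bot: The added `if (!frame()) return;` runs before `m_pageRects.clear();` and `outPageHeight = 0;`, so when the frame is gone the caller's `outPageHeight` out-parameter is never written and page rects from a previous call survive, whereas every other early exit in `computePageRects` happens after both resets. Move the guard below those two lines, or fold it into the existing check: `if (!frame() || !frame()->document() || !frame()->view() || !frame()->document()->renderView()) return;`. The function continues past this hunk.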
@@ -57,9 +61,9 @@
         return;
     }
 
-    RenderView* view = m_frame->document()->renderView();
+    RenderView* view = frame.document()->renderView();
     const IntRect& documentRect = view->documentRect();
-    FloatSize pageSize = m_frame->resizePageRectsKeepingRatio(FloatSize(printRect.width(), printRect.height()), FloatSize(documentRect.width(), documentRect.height()));
+    FloatSize pageSize = frame.resizePageRectsKeepingRatio(FloatSize(printRect.width(), printRect.height()), FloatSize(documentRect.width(), documentRect.height()));
     float pageWidth = pageSize.width();
     float pageHeight = pageSize.height();
 
@@ -82,10 +86,14 @@
 
 void PrintContext::computePageRectsWithPageSizeInternal(const FloatSize& pageSizeInPixels, bool allowInlineDirectionTiling)
 {
-    if (!m_frame->document() || !m_frame->view() || !m_frame->document()->renderView())
+    if (!frame())
         return;
 
-    RenderView* view = m_frame->document()->renderView();
+    auto& frame = *this->frame();
+    if (!frame.document() || !frame.view() || !frame.document()->renderView())
+        return;
+
+    RenderView* view = frame.document()->renderView();
 
     IntRect docRect = view->documentRect();
 
@@ -151,26 +159,34 @@
 
 void PrintContext::begin(float width, float height)
 {
+    if (!frame())
+        return;
+
+    auto& frame = *this->frame();
     // This function can be called multiple times to adjust printing parameters without going back to screen mode.
     m_isPrinting = true;
 
     FloatSize originalPageSize = FloatSize(width, height);
-    FloatSize minLayoutSize = m_frame->resizePageRectsKeepingRatio(originalPageSize, FloatSize(width * minimumShrinkFactor(), height * minimumShrinkFactor()));
+    FloatSize minLayoutSize = frame.resizePageRectsKeepingRatio(originalPageSize, FloatSize(width * minimumShrinkFactor(), height * minimumShrinkFactor()));
 
     // This changes layout, so callers need to make sure that they don't paint to screen while in printing mode.
-    m_frame->setPrinting(true, minLayoutSize, originalPageSize, maximumShrinkFactor() / minimumShrinkFactor(), AdjustViewSize);
+    frame.setPrinting(true, minLayoutSize, originalPageSize, maximumShrinkFactor() / minimumShrinkFactor(), AdjustViewSize);
 }
 
 float PrintContext::computeAutomaticScaleFactor(const FloatSize& availablePaperSize)
 {
-    if (!m_frame->view())
+    if (!frame())
+        return 1;
+
+    auto& frame = *this->frame();
+    if (!frame.view())
         return 1;
 
     bool useViewWidth = true;
-    if (m_frame->document() && m_frame->document()->renderView())
-        useViewWidth = m_frame->document()->renderView()->style().isHorizontalWritingMode();
+    if (frame.document() && frame.document()->renderView())
+        useViewWidth = frame.document()->renderView()->style().isHorizontalWritingMode();
 
-    float viewLogicalWidth = useViewWidth ? m_frame->view()->contentsWidth() : m_frame->view()->contentsHeight();
+    float viewLogicalWidth = useViewWidth ? frame.view()->contentsWidth() : frame.view()->contentsHeight();
     if (viewLogicalWidth < 1)
         return 1;
 
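Review bot: In `computeAutomaticScaleFactor` the new frame guard and the existing view guard are two consecutive checks returning the same value; merging them reads better and avoids the intermediate reference: `if (!frame() || !frame()->view()) return 1;`. In `begin()`, the early return leaves `m_isPrinting` false, which is only consistent with the `ASSERT(m_isPrinting)` in `end()` because `end()` also bails on a null frame in a later hunk of this patch; a short comment such as `// Frame already destroyed; nothing to lay out.` above the return would record that dependency. `computeAutomaticScaleFactor` continues past the end of this hunk.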
@@ -181,6 +197,10 @@
 
 void PrintContext::spoolPage(GraphicsContext& ctx, int pageNumber, float width)
 {
+    if (!frame())
+        return;
+
+    auto& frame = *this->frame();
     // FIXME: Not correct for vertical text.
     IntRect pageRect = m_pageRects[pageNumber];
     float scale = width / pageRect.width();
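Review bot: The new guard in `spoolPage` checks only `frame()`, but the function goes on (in the next hunk) to dereference `frame.view()` and `*frame.document()`, both of which can be null while the frame itself is alive, and `m_pageRects[pageNumber]` is indexed with a caller-supplied `int` that nothing compares against `m_pageRects.size()`. I would widen the guard: `if (!frame() || !frame()->view() || !frame()->document() || pageNumber < 0 || static_cast<size_t>(pageNumber) >= m_pageRects.size()) return;`. Whether `Vector::operator[]` bounds-checks in release builds I cannot tell from here, so treat the index check as defensive.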
@@ -189,27 +209,35 @@
     ctx.scale(scale);
     ctx.translate(-pageRect.x(), -pageRect.y());
     ctx.clip(pageRect);
-    m_frame->view()->paintContents(ctx, pageRect);
-    outputLinkedDestinations(ctx, *m_frame->document(), pageRect);
+    frame.view()->paintContents(ctx, pageRect);
+    outputLinkedDestinations(ctx, *frame.document(), pageRect);
     ctx.restore();
 }
 
 void PrintContext::spoolRect(GraphicsContext& ctx, const IntRect& rect)
 {
+    if (!frame())
+        return;
+
+    auto& frame = *this->frame();
     // FIXME: Not correct for vertical text.
     ctx.save();
     ctx.translate(-rect.x(), -rect.y());
     ctx.clip(rect);
-    m_frame->view()->paintContents(ctx, rect);
-    outputLinkedDestinations(ctx, *m_frame->document(), rect);
+    frame.view()->paintContents(ctx, rect);
+    outputLinkedDestinations(ctx, *frame.document(), rect);
     ctx.restore();
 }
 
 void PrintContext::end()
 {
+    if (!frame())
+        return;
+
+    auto& frame = *this->frame();
     ASSERT(m_isPrinting);
     m_isPrinting = false;
-    m_frame->setPrinting(false, FloatSize(), FloatSize(), 0, AdjustViewSize);
+    frame.setPrinting(false, FloatSize(), FloatSize(), 0, AdjustViewSize);
     m_linkedDestinations = nullptr;
 }
 
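Review bot: `end()` now returns before resetting any state when the frame is gone, so `m_isPrinting` stays true and `m_linkedDestinations` is kept alive for the rest of the PrintContext's lifetime even though printing is over. Only the `setPrinting` call needs the frame; keep the resets unconditional: `m_isPrinting = false;`, then `if (frame()) frame()->setPrinting(false, FloatSize(), FloatSize(), 0, AdjustViewSize);`, then `m_linkedDestinations = nullptr;`. `spoolRect` has the same gap as `spoolPage`: it guards `frame()` but still dereferences `frame.view()` and `*frame.document()` unchecked.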
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/PrintContext.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/PrintContext.h	Sun Feb 24 13:23:28 2019 +0530
@@ -20,6 +20,7 @@
 
 #pragma once
 
+#include "FrameDestructionObserver.h"
 #include <wtf/Forward.h>
 #include <wtf/HashMap.h>
 #include <wtf/Vector.h>
@@ -36,13 +37,11 @@
 class IntRect;
 class Node;
 
-class PrintContext {
+class PrintContext : public FrameDestructionObserver {
 public:
     WEBCORE_EXPORT explicit PrintContext(Frame*);
     WEBCORE_EXPORT ~PrintContext();
 
-    Frame* frame() const { return m_frame; }
-
     // Break up a page into rects without relayout.
     // FIXME: This means that CSS page breaks won't be on page boundary if the size is different than what was passed to begin(). That's probably not always desirable.
     // FIXME: Header and footer height should be applied before layout, not after.
@@ -96,7 +95,6 @@
     static constexpr float maximumShrinkFactor() { return 2; }
 
 protected:
-    Frame* m_frame;
     Vector<IntRect> m_pageRects;
 
 private:
--- a/modules/javafx.web/src/main/native/Source/WebCore/page/scrolling/ScrollingThread.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/page/scrolling/ScrollingThread.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -72,24 +72,21 @@
 
 void ScrollingThread::createThreadIfNeeded()
 {
-    if (m_thread)
-        return;
-
     // Wait for the thread to initialize the run loop.
-    {
         std::unique_lock<Lock> lock(m_initializeRunLoopMutex);
 
+    if (!m_thread) {
         m_thread = Thread::create("WebCore: Scrolling", [this] {
             WTF::Thread::setCurrentThreadIsUserInteractive();
             initializeRunLoop();
         });
+    }
 
 #if PLATFORM(COCOA)
         m_initializeRunLoopConditionVariable.wait(lock, [this]{ return m_threadRunLoop; });
 #else
         m_initializeRunLoopConditionVariable.wait(lock, [this]{ return m_runLoop; });
 #endif
-    }
 }
 
 void ScrollingThread::dispatchFunctionsFromScrollingThread()
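Review bot: The lines kept from the removed inner scope — `std::unique_lock<Lock> lock(m_initializeRunLoopMutex);` and the two `m_initializeRunLoopConditionVariable.wait(...)` calls — still sit at eight spaces while the new `if (!m_thread)` block beside them is at four, so the body of `createThreadIfNeeded` is inconsistently indented; re-indent them. The behavioural point of the change, that every caller now takes the lock and waits instead of returning as soon as `m_thread` is non-null, deserves a comment because a future reader may reinstate the fast path: `// Every caller waits: a second caller racing thread start could otherwise see m_thread set while the run loop is still null.` I am inferring that race from the shape of the change rather than from a visible bug report.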
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/ScrollAnimationKinetic.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/ScrollAnimationKinetic.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -89,12 +89,14 @@
     m_velocity = -decelFriction * m_coef2 * exponentialPart;
 
     if (m_position < m_lower) {
+        m_velocity = m_lower - m_position;
         m_position = m_lower;
-        m_velocity = 0;
     } else if (m_position > m_upper) {
+        m_velocity = m_upper - m_position;
         m_position = m_upper;
-        m_velocity = 0;
-    } else if (fabs(m_velocity) < 1 || (lastTime && fabs(m_position - lastPosition) < 1)) {
+    }
+
+    if (fabs(m_velocity) < 1 || (lastTime && fabs(m_position - lastPosition) < 1)) {
         m_position = round(m_position);
         m_velocity = 0;
     }
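Review bot: The clamp branches now assign a position delta (`m_lower - m_position`, `m_upper - m_position`) to `m_velocity`, and nothing in the hunk says why a velocity equal to the overshoot distance is wanted in place of the previous zero; the following `fabs(m_velocity) < 1` test then snaps only small overshoots to rest. If the intent is to let the animation settle back from an overshoot over subsequent frames, say so: `// Overshot the bounds: carry the overshoot back as velocity so the next frames settle onto the edge instead of stopping dead.` If the value is instead consumed by a caller as a bounce amount, name that caller in the comment. The enclosing function starts outside this hunk.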
--- a/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/glx/GLContextGLX.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/platform/graphics/glx/GLContextGLX.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -114,8 +114,24 @@
     return glXCreateContextAttribsARB(display, config, sharingContext, GL_TRUE, nullptr);
 }
 
+static bool compatibleVisuals(XVisualInfo* a, XVisualInfo* b)
+{
+    return a->c_class == b->c_class
+        && a->depth == b->depth
+        && a->red_mask == b->red_mask
+        && a->green_mask == b->green_mask
+        && a->blue_mask == b->blue_mask
+        && a->colormap_size == b->colormap_size
+        && a->bits_per_rgb == b->bits_per_rgb;
+}
+
 std::unique_ptr<GLContextGLX> GLContextGLX::createWindowContext(GLNativeWindowType window, PlatformDisplay& platformDisplay, GLXContext sharingContext)
 {
+    // In order to create the GLContext, we need to select a GLXFBConfig that has depth and stencil
+    // buffers that is compatible with the Visual used to create the window. To do this, we request
+    // all the GLXFBConfigs that have the features we need and compare their XVisualInfo to check whether
+    // they are compatible with the window one. Then we try to create the GLContext with each of those
+    // configs until we succeed, and finally fallback to the window config if nothing else works.
     Display* display = downcast<PlatformDisplayX11>(platformDisplay).native();
     XWindowAttributes attributes;
     if (!XGetWindowAttributes(display, static_cast<Window>(window), &attributes))
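Review bot: `compatibleVisuals` takes two mutable raw pointers but only reads through them; make that explicit with `static bool compatibleVisuals(const XVisualInfo* a, const XVisualInfo* b)` (or references once both arguments are known non-null at the call site). A one-line comment on why `visualid` itself is deliberately not compared — presumably because a different visual with an identical pixel layout is acceptable for the window — would save the next reader a trip to the caller. `createWindowContext` begins here and continues into the next hunk.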
@@ -125,27 +141,66 @@
     visualInfo.visualid = XVisualIDFromVisual(attributes.visual);
 
     int numConfigs = 0;
-    GLXFBConfig config = nullptr;
+    GLXFBConfig windowConfig = nullptr;
     XUniquePtr<GLXFBConfig> configs(glXGetFBConfigs(display, DefaultScreen(display), &numConfigs));
     for (int i = 0; i < numConfigs; i++) {
         XUniquePtr<XVisualInfo> glxVisualInfo(glXGetVisualFromFBConfig(display, configs.get()[i]));
         if (!glxVisualInfo)
             continue;
-
         if (glxVisualInfo.get()->visualid == visualInfo.visualid) {
-            config = configs.get()[i];
+            windowConfig = configs.get()[i];
             break;
         }
     }
-    ASSERT(config);
+    ASSERT(windowConfig);
+    XUniquePtr<XVisualInfo> windowVisualInfo(glXGetVisualFromFBConfig(display, windowConfig));
 
+    static const int fbConfigAttributes[] = {
+        GLX_DRAWABLE_TYPE, GLX_WINDOW_BIT,
+        GLX_RENDER_TYPE, GLX_RGBA_BIT,
+        GLX_X_RENDERABLE, GL_TRUE,
+        GLX_RED_SIZE, 1,
+        GLX_GREEN_SIZE, 1,
+        GLX_BLUE_SIZE, 1,
+        GLX_ALPHA_SIZE, 1,
+        GLX_DEPTH_SIZE, 1,
+        GLX_STENCIL_SIZE, 1,
+        GLX_DOUBLEBUFFER, GL_TRUE,
+        GLX_CONFIG_CAVEAT, GLX_NONE,
+#ifdef GLX_FRAMEBUFFER_SRGB_CAPABLE_EXT
+        // Discard sRGB configs if any sRGB extension is installed.
+        GLX_FRAMEBUFFER_SRGB_CAPABLE_EXT, GL_FALSE,
+#endif
+        0
+    };
+    configs.reset(glXChooseFBConfig(display, DefaultScreen(display), fbConfigAttributes, &numConfigs));
     XUniqueGLXContext context;
+    for (int i = 0; i < numConfigs; i++) {
+        XUniquePtr<XVisualInfo> configVisualInfo(glXGetVisualFromFBConfig(display, configs.get()[i]));
+        if (!configVisualInfo)
+            continue;
+        if (compatibleVisuals(windowVisualInfo.get(), configVisualInfo.get())) {
+            // Try to create a context with this config. Use the trapper in case we get an XError.
+            XErrorTrapper trapper(display, XErrorTrapper::Policy::Ignore);
+            if (hasGLXARBCreateContextExtension(display))
+                context.reset(createGLXARBContext(display, configs.get()[i], sharingContext));
+            else {
+                // Legacy OpenGL version.
+                context.reset(glXCreateContext(display, configVisualInfo.get(), sharingContext, True));
+            }
+
+            if (context)
+                return std::unique_ptr<GLContextGLX>(new GLContextGLX(platformDisplay, WTFMove(context), window));
+        }
+    }
+
+    // Fallback to the config used by the window. We don't probably have the buffers we need in
+    // this config and that will cause artifacts, but it's better than not rendering anything.
     if (hasGLXARBCreateContextExtension(display))
-        context.reset(createGLXARBContext(display, config, sharingContext));
+        context.reset(createGLXARBContext(display, windowConfig, sharingContext));
     else {
         // Legacy OpenGL version.
-        XUniquePtr<XVisualInfo> visualInfoList(glXGetVisualFromFBConfig(display, config));
-        context.reset(glXCreateContext(display, visualInfoList.get(), sharingContext, True));
+        context.reset(glXCreateContext(display, windowVisualInfo.get(), sharingContext, True));
     }
 
     if (!context)
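Review bot: `ASSERT(windowConfig)` is debug-only, yet in release the new code goes on to call `glXGetVisualFromFBConfig(display, windowConfig)` with a possibly null config and then passes `windowVisualInfo.get()` into `compatibleVisuals`, which dereferences it with no check — a window whose visual matches no GLXFBConfig turns a debug assertion into a null dereference. The function returns a `std::unique_ptr`, so an explicit failure path costs one line each: `if (!windowConfig) return nullptr;` after the first loop and `if (!windowVisualInfo) return nullptr;` before the candidate loop. That also keeps the legacy `glXCreateContext(display, windowVisualInfo.get(), ...)` fallback from receiving a null visual. The function continues past the end of this hunk.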
--- a/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGElement.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGElement.h	Sun Feb 24 13:23:28 2019 +0530
@@ -31,6 +31,7 @@
 #include "StyledElement.h"
 #include <wtf/HashMap.h>
 #include <wtf/HashSet.h>
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
 
@@ -45,7 +46,7 @@
 
 void mapAttributeToCSSProperty(HashMap<AtomicStringImpl*, CSSPropertyID>* propertyNameToIdMap, const QualifiedName& attrName);
 
-class SVGElement : public StyledElement, public SVGLangSpace {
+class SVGElement : public StyledElement, public SVGLangSpace, public CanMakeWeakPtr<SVGElement> {
     WTF_MAKE_ISO_ALLOCATED(SVGElement);
 public:
     bool isOutermostSVGSVGElement() const;
--- a/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGPathElement.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGPathElement.h	Sun Feb 24 13:23:28 2019 +0530
@@ -55,7 +55,7 @@
 class SVGPathSegList;
 class SVGPoint;
 
-class SVGPathElement final : public SVGGeometryElement, public SVGExternalResourcesRequired, public CanMakeWeakPtr<SVGPathElement> {
+class SVGPathElement final : public SVGGeometryElement, public SVGExternalResourcesRequired {
     WTF_MAKE_ISO_ALLOCATED(SVGPathElement);
 public:
     static Ref<SVGPathElement> create(const QualifiedName&, Document&);
--- a/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGViewSpec.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGViewSpec.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -34,7 +34,7 @@
 
 SVGViewSpec::SVGViewSpec(SVGElement& contextElement)
     : SVGFitToViewBox(&contextElement, PropertyIsReadOnly)
-    , m_contextElement(&contextElement)
+    , m_contextElement(makeWeakPtr(contextElement))
     , m_attributeOwnerProxy(*this, contextElement)
 {
     registerAttributes();
--- a/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGViewSpec.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGViewSpec.h	Sun Feb 24 13:23:28 2019 +0530
@@ -49,6 +49,8 @@
     RefPtr<SVGTransformList> transform();
     SVGTransformListValues transformValue() const { return m_transform.value(); }
 
+    const WeakPtr<SVGElement>& contextElementConcurrently() const { return m_contextElement; }
+
 private:
     explicit SVGViewSpec(SVGElement&);
 
@@ -58,7 +60,7 @@
     static AttributeOwnerProxy::AttributeRegistry& attributeRegistry() { return AttributeOwnerProxy::attributeRegistry(); }
     static bool isKnownAttribute(const QualifiedName& attributeName) { return AttributeOwnerProxy::isKnownAttribute(attributeName); }
 
-    SVGElement* m_contextElement;
+    WeakPtr<SVGElement> m_contextElement;
     String m_viewTargetString;
     AttributeOwnerProxy m_attributeOwnerProxy;
     SVGAnimatedTransformListAttribute m_transform;
--- a/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGViewSpec.idl	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/svg/SVGViewSpec.idl	Sun Feb 24 13:23:28 2019 +0530
@@ -28,6 +28,7 @@
 // It would require that any of those classes would be RefCounted, and we want to avoid that.
 [
     ImplementationLacksVTable,
+    JSCustomMarkFunction,
     JSGenerateToJSObject,
 ] interface SVGViewSpec {
     readonly attribute SVGTransformList transform;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/javafx.web/src/main/native/Source/WebCore/svg/properties/SVGAttributeOwnerProxy.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2018 Apple Inc.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "config.h"
+#include "SVGAttributeOwnerProxy.h"
+
+namespace WebCore {
+
+SVGAttributeOwnerProxy::SVGAttributeOwnerProxy(SVGElement& element)
+    : m_element(makeWeakPtr(element))
+{
+}
+
+SVGElement& SVGAttributeOwnerProxy::element() const
+{
+    return *m_element;
+}
+
+}
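Review bot: `#pragma once` at the top of a `.cpp` file is meaningless — it is an include guard for headers — and, placed ahead of `#include "config.h"`, it also breaks the WebKit convention that config.h is the first line of every source file; delete the `#pragma once` line. `element()` then dereferences the `WeakPtr` unconditionally, so once the owning `SVGElement` dies every caller receives a reference formed from null, and the switch to `WeakPtr` only buys something if that precondition is stated and checked: `ASSERT(m_element); return *m_element;` with a comment that the proxy must only be used while the element is alive.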
--- a/modules/javafx.web/src/main/native/Source/WebCore/svg/properties/SVGAttributeOwnerProxy.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/svg/properties/SVGAttributeOwnerProxy.h	Sun Feb 24 13:23:28 2019 +0530
@@ -26,6 +26,7 @@
 #pragma once
 
 #include "SVGAnimatedPropertyType.h"
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
 
@@ -35,14 +36,11 @@
 
 class SVGAttributeOwnerProxy {
 public:
-    SVGAttributeOwnerProxy(SVGElement& element)
-        : m_element(element)
-    {
-    }
+    SVGAttributeOwnerProxy(SVGElement&);
 
     virtual ~SVGAttributeOwnerProxy() = default;
 
-    SVGElement& element() const { return m_element; }
+    SVGElement& element() const;
 
     virtual void synchronizeAttributes() const = 0;
     virtual void synchronizeAttribute(const QualifiedName&) const = 0;
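Review bot: `element()` now returns a reference backed by a `WeakPtr`, yet the header says nothing about what happens once the `SVGElement` is gone, which is the only situation the `WeakPtr` change adds; the interface needs a lifetime comment: `// The proxy does not keep the element alive; element() must only be called while the owning SVGElement still exists.` If the ownership model is that the proxy is a member of, or otherwise outlived by, that element — I am inferring that from the constructor taking `SVGElement&` — record it on the constructor too. The class body continues in the next hunk.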
@@ -54,7 +52,7 @@
     virtual Vector<RefPtr<SVGAnimatedProperty>> lookupOrCreateAnimatedProperties(const QualifiedName&) const = 0;
 
 protected:
-    SVGElement& m_element;
+    WeakPtr<SVGElement> m_element;
 };
 
 }
--- a/modules/javafx.web/src/main/native/Source/WebCore/svg/properties/SVGAttributeOwnerProxyImpl.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/WebCore/svg/properties/SVGAttributeOwnerProxyImpl.h	Sun Feb 24 13:23:28 2019 +0530
@@ -68,12 +68,12 @@
 private:
     void synchronizeAttributes() const override
     {
-        attributeRegistry().synchronizeAttributes(m_owner, m_element);
+        attributeRegistry().synchronizeAttributes(m_owner, *m_element);
     }
 
     void synchronizeAttribute(const QualifiedName& attributeName) const override
     {
-        attributeRegistry().synchronizeAttribute(m_owner, m_element, attributeName);
+        attributeRegistry().synchronizeAttribute(m_owner, *m_element, attributeName);
     }
 
     Vector<AnimatedPropertyType> animatedTypes(const QualifiedName& attributeName) const override
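Review bot: The overrides dereference `*m_element` directly instead of going through the base-class `element()` accessor that this same patch turns into an out-of-line function, so the `WeakPtr` is unwrapped in six places (this hunk and the next) with no single point at which liveness could be asserted; use `element()` here, e.g. `attributeRegistry().synchronizeAttributes(m_owner, element());`, so any precondition check lives in one place. This is a consistency point rather than a behaviour change — both spellings dereference the same pointer. The class body is cut by the hunk boundaries.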
@@ -83,17 +83,17 @@
 
     RefPtr<SVGAnimatedProperty> lookupOrCreateAnimatedProperty(const SVGAttribute& attribute) const override
     {
-        return attributeRegistry().lookupOrCreateAnimatedProperty(m_owner, m_element, attribute, m_animatedState);
+        return attributeRegistry().lookupOrCreateAnimatedProperty(m_owner, *m_element, attribute, m_animatedState);
     }
 
     RefPtr<SVGAnimatedProperty> lookupAnimatedProperty(const SVGAttribute& attribute) const override
     {
-        return attributeRegistry().lookupAnimatedProperty(m_owner, m_element, attribute);
+        return attributeRegistry().lookupAnimatedProperty(m_owner, *m_element, attribute);
     }
 
     Vector<RefPtr<SVGAnimatedProperty>> lookupOrCreateAnimatedProperties(const QualifiedName& attributeName) const override
     {
-        return attributeRegistry().lookupOrCreateAnimatedProperties(m_owner, m_element, attributeName, m_animatedState);
+        return attributeRegistry().lookupOrCreateAnimatedProperties(m_owner, *m_element, attributeName, m_animatedState);
     }
 
     OwnerType& m_owner;
--- a/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/BAssert.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/BAssert.h	Sun Feb 24 13:23:28 2019 +0530
@@ -81,6 +81,7 @@
 } while (0)
 
 #define RELEASE_BASSERT(x) BASSERT_IMPL(x)
+#define RELEASE_BASSERT_NOT_REACHED() BCRASH()
 
 #if BUSE(OS_LOG)
 #define BMALLOC_LOGGING_PREFIX "bmalloc: "
--- a/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/Gigacage.cpp	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/Gigacage.cpp	Sun Feb 24 13:23:28 2019 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -42,14 +42,16 @@
 // If this were less than 32GB, those OOB accesses could reach outside of the cage.
 #define GIGACAGE_RUNWAY (32llu * 1024 * 1024 * 1024)
 
+// Note: g_gigacageBasePtrs[0] is reserved for storing the wasEnabled flag.
+// The first gigacageBasePtr will start at g_gigacageBasePtrs[sizeof(void*)].
+// This is done so that the wasEnabled flag will also be protected along with the
+// gigacageBasePtrs.
 alignas(GIGACAGE_BASE_PTRS_SIZE) char g_gigacageBasePtrs[GIGACAGE_BASE_PTRS_SIZE];
 
 using namespace bmalloc;
 
 namespace Gigacage {
 
-bool g_wasEnabled;
-
 namespace {
 
 bool s_isDisablingPrimitiveGigacageDisabled;
@@ -99,6 +101,21 @@
     Vector<Callback> callbacks;
 };
 
+#if GIGACAGE_ENABLED
+size_t runwaySize(Kind kind)
+{
+    switch (kind) {
+    case Kind::ReservedForFlagsAndNotABasePtr:
+        RELEASE_BASSERT_NOT_REACHED();
+    case Kind::Primitive:
+        return static_cast<size_t>(GIGACAGE_RUNWAY);
+    case Kind::JSValue:
+        return static_cast<size_t>(0);
+    }
+    return static_cast<size_t>(0);
+}
+#endif
+
 } // anonymous namespace
 
 void ensureGigacage()
@@ -113,7 +130,7 @@
 
             Kind shuffledKinds[numKinds];
             for (unsigned i = 0; i < numKinds; ++i)
-                shuffledKinds[i] = static_cast<Kind>(i);
+                shuffledKinds[i] = static_cast<Kind>(i + 1); // + 1 to skip Kind::ReservedForFlagsAndNotABasePtr.
 
             // We just go ahead and assume that 64 bits is enough randomness. That's trivially true right
             // now, but would stop being true if we went crazy with gigacages. Based on my math, 21 is the
@@ -140,9 +157,9 @@
 
             for (Kind kind : shuffledKinds) {
                 totalSize = bump(kind, alignTo(kind, totalSize));
+                totalSize += runwaySize(kind);
                 maxAlignment = std::max(maxAlignment, alignment(kind));
             }
-            totalSize += GIGACAGE_RUNWAY;
 
             // FIXME: Randomize where this goes.
             // https://bugs.webkit.org/show_bug.cgi?id=175245
@@ -155,23 +172,22 @@
                 BCRASH();
             }
 
-            if (GIGACAGE_RUNWAY > 0) {
-                char* runway = reinterpret_cast<char*>(base) + totalSize - GIGACAGE_RUNWAY;
-                // Make OOB accesses into the runway crash.
-                vmRevokePermissions(runway, GIGACAGE_RUNWAY);
-            }
-
-            vmDeallocatePhysicalPages(base, totalSize);
-
             size_t nextCage = 0;
             for (Kind kind : shuffledKinds) {
                 nextCage = alignTo(kind, nextCage);
                 basePtr(kind) = reinterpret_cast<char*>(base) + nextCage;
                 nextCage = bump(kind, nextCage);
+                if (runwaySize(kind) > 0) {
+                    char* runway = reinterpret_cast<char*>(base) + nextCage;
+                    // Make OOB accesses into the runway crash.
+                    vmRevokePermissions(runway, runwaySize(kind));
+                    nextCage += runwaySize(kind);
+                }
             }
 
+            vmDeallocatePhysicalPages(base, totalSize);
+            setWasEnabled();
             protectGigacageBasePtrs();
-            g_wasEnabled = true;
         });
 #endif // GIGACAGE_ENABLED
 }
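Review bot: `setWasEnabled()` must run before `protectGigacageBasePtrs()`, because the flag now lives at `g_gigacageBasePtrs[0]` inside the page that call makes read-only (the comment added at the top of this file says so), but the ordering is load-bearing and unstated at the point of use; add `// Must precede protectGigacageBasePtrs(): the flag shares the protected page with the base pointers.` above `setWasEnabled();`. `vmDeallocatePhysicalPages(base, totalSize)` is also now issued after `vmRevokePermissions` on the runways, so it spans regions that are already inaccessible; if the underlying decommit can fail on such pages on some platform its result should be checked rather than assumed, which I cannot tell from here. The enclosing `ensureGigacage` starts outside this hunk.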
@@ -224,6 +240,9 @@
 
 static void primitiveGigacageDisabled(void*)
 {
+    if (GIGACAGE_ALLOCATION_CAN_FAIL && !wasEnabled())
+        return;
+
     static bool s_false;
     fprintf(stderr, "FATAL: Primitive gigacage disabled, but we don't want that in this process.\n");
     if (!s_false)
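Review bot: The new early return silently turns `primitiveGigacageDisabled` into a no-op when the cage was never set up, while the rest of the function prints a FATAL and crashes, so the reasoning deserves a line: `// The cage was never reserved (allocation was allowed to fail), so there is nothing to protect and disabling is harmless.` Worth confirming that reading `wasEnabled()` here is ordered against the write in `ensureGigacage()` if this callback can run on another thread; the flag is a plain `char` with no synchronisation of its own, so I am assuming whatever once-guard `ensureGigacage()` uses provides the happens-before. The function continues past the end of this hunk.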
--- a/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/Gigacage.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/Gigacage.h	Sun Feb 24 13:23:28 2019 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -75,19 +75,24 @@
 
 namespace Gigacage {
 
-extern BEXPORT bool g_wasEnabled;
-BINLINE bool wasEnabled() { return g_wasEnabled; }
+BINLINE bool wasEnabled() { return g_gigacageBasePtrs[0]; }
+BINLINE void setWasEnabled() { g_gigacageBasePtrs[0] = true; }
 
 struct BasePtrs {
+    uintptr_t reservedForFlags;
     void* primitive;
     void* jsValue;
 };
 
 enum Kind {
+    ReservedForFlagsAndNotABasePtr = 0,
     Primitive,
     JSValue,
 };
 
+static_assert(offsetof(BasePtrs, primitive) == Kind::Primitive * sizeof(void*), "");
+static_assert(offsetof(BasePtrs, jsValue) == Kind::JSValue * sizeof(void*), "");
+
 static constexpr unsigned numKinds = 2;
 
 BEXPORT void ensureGigacage();
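Review bot: `numKinds` stays at 2 while `Kind` now has three enumerators with `ReservedForFlagsAndNotABasePtr == 0`, and the hunk adds no static_assert or comment tying the two together; any loop elsewhere that materialises kinds as `static_cast<Kind>(i)` for `i < numKinds` would now start at the reserved slot and hit the new `RELEASE_BASSERT_NOT_REACHED()` cases (I cannot see from this hunk whether such a loop exists). Suggest documenting the invariant at the constant: `// Number of real cages. Kind 0 is the flags slot in g_gigacageBasePtrs, not a cage; never enumerate from 0.` and adding `static_assert(offsetof(BasePtrs, reservedForFlags) == 0, "");` next to the two existing offset asserts so the flag really is at the index `wasEnabled()`/`setWasEnabled()` touch. `setWasEnabled()` writes the literal `true` into `g_gigacageBasePtrs[0]`; a one-line comment that this byte is deliberately aliased with `BasePtrs::reservedForFlags` would save the next reader a trip to Gigacage.cpp.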
@@ -107,6 +112,8 @@
 BINLINE const char* name(Kind kind)
 {
     switch (kind) {
+    case ReservedForFlagsAndNotABasePtr:
+        RELEASE_BASSERT_NOT_REACHED();
     case Primitive:
         return "Primitive";
     case JSValue:
@@ -119,6 +126,8 @@
 BINLINE void*& basePtr(BasePtrs& basePtrs, Kind kind)
 {
     switch (kind) {
+    case ReservedForFlagsAndNotABasePtr:
+        RELEASE_BASSERT_NOT_REACHED();
     case Primitive:
         return basePtrs.primitive;
     case JSValue:
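Review bot: In basePtr() the reserved arm relies on `RELEASE_BASSERT_NOT_REACHED()` never returning; if it does (for instance in a build where the crash macro is compiled out), control falls through into `case Primitive` and the function hands back a reference to `basePtrs.primitive` for a kind that is explicitly not a base pointer. Since this function returns a mutable reference into the protected base-pointer block, the fallthrough deserves to be explicit rather than implicit: add `BFALLTHROUGH();`/`[[fallthrough]];` if the file already uses such a macro, or a `// never reached` comment, after the assert. Consider also a `static_assert(offsetof(BasePtrs, reservedForFlags) == 0, "")` alongside the two existing ones so the flag word cannot silently drift away from index 0.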
@@ -146,6 +155,8 @@
 BINLINE size_t size(Kind kind)
 {
     switch (kind) {
+    case ReservedForFlagsAndNotABasePtr:
+        RELEASE_BASSERT_NOT_REACHED();
     case Primitive:
         return static_cast<size_t>(PRIMITIVE_GIGACAGE_SIZE);
     case JSValue:
--- a/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/HeapKind.h	Fri Feb 22 15:36:53 2019 +0530
+++ b/modules/javafx.web/src/main/native/Source/bmalloc/bmalloc/HeapKind.h	Sun Feb 24 13:23:28 2019 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -70,6 +70,8 @@
 BINLINE HeapKind heapKind(Gigacage::Kind kind)
 {
     switch (kind) {
+    case Gigacage::ReservedForFlagsAndNotABasePtr:
+        RELEASE_BASSERT_NOT_REACHED();
     case Gigacage::Primitive:
         return HeapKind::PrimitiveGigacage;
     case Gigacage::JSValue:
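Review bot: heapKind() now has a `case Gigacage::ReservedForFlagsAndNotABasePtr:` arm that ends in `RELEASE_BASSERT_NOT_REACHED()` with no `return` or fallthrough marker, so a build that does not treat the crash macro as noreturn will warn about the implicit drop into `case Gigacage::Primitive`, and a reader cannot tell whether mapping the reserved slot to `HeapKind::PrimitiveGigacage` is intentional. Suggest `RELEASE_BASSERT_NOT_REACHED(); // not a cage; never reached` or an explicit return after the assert. I cannot see the macro's definition from this hunk, so this may already be a noreturn in bmalloc's BAssert.h.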