diff --git a/accessible/src/atk/nsAccessibleWrap.cpp b/accessible/src/atk/nsAccessibleWrap.cpp
index 0311f1c0c9d..fb0b9e6ecec 100644
--- a/accessible/src/atk/nsAccessibleWrap.cpp
+++ b/accessible/src/atk/nsAccessibleWrap.cpp
@@ -976,9 +976,11 @@ refRelationSetCB(AtkObject *aAtkObj)
     while ((tempAcc = rel.Next()))
       targets.AppendElement(nsAccessibleWrap::GetAtkObject(tempAcc));
 
-    atkRelation = atk_relation_new(targets.Elements(), targets.Length(), atkType);
-    atk_relation_set_add(relation_set, atkRelation);
-    g_object_unref(atkRelation);
+    if (targets.Length()) {
+      atkRelation = atk_relation_new(targets.Elements(), targets.Length(), atkType);
+      atk_relation_set_add(relation_set, atkRelation);
+      g_object_unref(atkRelation);
+    }
   }
 
   return relation_set;
diff --git a/browser/base/content/sanitize.js b/browser/base/content/sanitize.js
index 0e8f3b73c2f..54bf72f131c 100644
--- a/browser/base/content/sanitize.js
+++ b/browser/base/content/sanitize.js
@@ -156,10 +156,9 @@ Sanitizer.prototype = {
         }
 
         // Clear plugin data.
-        let ph = Cc["@mozilla.org/plugin/host;1"].getService(Ci.nsIPluginHost);
         const phInterface = Ci.nsIPluginHost;
         const FLAG_CLEAR_ALL = phInterface.FLAG_CLEAR_ALL;
-        ph.QueryInterface(phInterface);
+        let ph = Cc["@mozilla.org/plugin/host;1"].getService(phInterface);
 
         // Determine age range in seconds. (-1 means clear all.) We don't know
         // that this.range[1] is actually now, so we compute age range based
@@ -195,13 +194,13 @@ Sanitizer.prototype = {
         } catch (e) {}
 
       },
-      
+
       get canClear()
       {
         return true;
       }
     },
-    
+
     offlineApps: {
       clear: function ()
       {
diff --git a/browser/base/content/syncAddDevice.xul b/browser/base/content/syncAddDevice.xul
index 2c4b3636930..0dfc8fd5eba 100644
--- a/browser/base/content/syncAddDevice.xul
+++ b/browser/base/content/syncAddDevice.xul
@@ -120,20 +120,20 @@
               label=" "
               onpageshow="gSyncAddDevice.onPageShow();">
     <description>
-      &addDevice.dialog.syncKey.label;
+      &addDevice.dialog.recoveryKey.label;
     </description>
     <spacer/>
 
     <groupbox>
-      <label value="&syncKeyEntry.label;"
-             accesskey="&syncKeyEntry.accesskey;"
+      <label value="&recoveryKeyEntry.label;"
+             accesskey="&recoveryKeyEntry.accesskey;"
              control="weavePassphrase"/>
       <textbox id="weavePassphrase"
                readonly="true"/>
     </groupbox>
 
     <groupbox align="center">
-      <description>&syncKeyBackup.description;</description>
+      <description>&recoveryKeyBackup.description;</description>
       <hbox>
         <button id="printSyncKeyButton"
                 label="&button.syncKeyBackup.print.label;"
diff --git a/browser/base/content/syncGenericChange.js b/browser/base/content/syncGenericChange.js
index 90ab64197fd..0449cbadd3d 100644
--- a/browser/base/content/syncGenericChange.js
+++ b/browser/base/content/syncGenericChange.js
@@ -92,15 +92,15 @@ let Change = {
         document.getElementById("textBox1Row").hidden = true;
         document.getElementById("textBox2Row").hidden = true;
         document.getElementById("passphraseLabel").value
-          = this._str("new.synckey.label");
+          = this._str("new.recoverykey.label");
         document.getElementById("passphraseSpacer").hidden = false;
 
         if (this._updatingPassphrase) {
           document.getElementById("passphraseHelpBox").hidden = false;
-          document.title = this._str("new.synckey.title");
-          introText.textContent = this._str("new.synckey2.introText");
+          document.title = this._str("new.recoverykey.title");
+          introText.textContent = this._str("new.recoverykey.introText");
           this._dialog.getButton("finish").label
-            = this._str("new.synckey.acceptButton");
+            = this._str("new.recoverykey.acceptButton");
         }
         else {
           document.getElementById("generatePassphraseButton").hidden = false;
@@ -111,11 +111,11 @@ let Change = {
              pp = Weave.Utils.hyphenatePassphrase(pp);
           this._passphraseBox.value = pp;
           this._passphraseBox.focus();
-          document.title = this._str("change.synckey2.title");
+          document.title = this._str("change.recoverykey.title");
           introText.textContent = this._str("change.synckey.introText2");
-          warningText.textContent = this._str("change.synckey2.warningText");
+          warningText.textContent = this._str("change.recoverykey.warningText");
           this._dialog.getButton("finish").label
-            = this._str("change.synckey.acceptButton");
+            = this._str("change.recoverykey.acceptButton");
           if (this._duringSetup) {
             this._dialog.getButton("finish").disabled = false;
           }
@@ -137,7 +137,7 @@ let Change = {
         else {
           document.title = this._str("change.password.title");
           box2label.value = this._str("new.password.confirm");
-          introText.textContent = this._str("change.password2.introText");
+          introText.textContent = this._str("change.password3.introText");
           warningText.textContent = this._str("change.password.warningText");
           this._dialog.getButton("finish").label
             = this._str("change.password.acceptButton");
@@ -195,7 +195,7 @@ let Change = {
     if (this._updatingPassphrase) {
       Weave.Service.passphrase = pp;
       if (Weave.Service.login()) {
-        this._updateStatus("change.synckey2.success", "success");
+        this._updateStatus("change.recoverykey.success", "success");
         Weave.Service.persistLogin();
       }
       else {
@@ -203,12 +203,12 @@ let Change = {
       }
     }
     else {
-      this._updateStatus("change.synckey.label", "active");
+      this._updateStatus("change.recoverykey.label", "active");
 
       if (Weave.Service.changePassphrase(pp))
-        this._updateStatus("change.synckey2.success", "success");
+        this._updateStatus("change.recoverykey.success", "success");
       else
-        this._updateStatus("change.synckey2.error", "error");
+        this._updateStatus("change.recoverykey.error", "error");
     }
 
     return false;
diff --git a/browser/base/content/syncGenericChange.xul b/browser/base/content/syncGenericChange.xul
index 9cccc1e0351..2980ce6ef4f 100644
--- a/browser/base/content/syncGenericChange.xul
+++ b/browser/base/content/syncGenericChange.xul
@@ -138,7 +138,7 @@
     <vbox id="passphraseHelpBox"
           hidden="true">
       <description>
-        &existingSyncKey.description;
+        &existingRecoveryKey.description;
         <label class="text-link"
                href="https://services.mozilla.com/sync/help/manual-setup">
           &addDevice.showMeHow.label;
diff --git a/browser/base/content/syncSetup.xul b/browser/base/content/syncSetup.xul
index ba56674df3f..25191eb55a6 100644
--- a/browser/base/content/syncSetup.xul
+++ b/browser/base/content/syncSetup.xul
@@ -196,17 +196,17 @@
     </grid>
   </wizardpage>
 
-  <wizardpage label="&setup.newSyncKeyPage.title.label;"
+  <wizardpage label="&setup.newRecoveryKeyPage.title.label;"
               onextra1="gSyncSetup.onSyncOptions()"
               onpageshow="gSyncSetup.onPageShow();">
     <description>
-      &setup.newSyncKeyPage.description.label;
+      &setup.newRecoveryKeyPage.description.label;
     </description>
     <spacer/>
 
     <groupbox>
-      <label value="&syncKeyEntry.label;"
-             accesskey="&syncKeyEntry.accesskey;"
+      <label value="&recoveryKeyEntry.label;"
+             accesskey="&recoveryKeyEntry.accesskey;"
              control="weavePassphrase"/>
       <textbox id="weavePassphrase"
                readonly="true"
@@ -214,7 +214,7 @@
     </groupbox>
 
     <groupbox align="center">
-      <description>&syncKeyBackup.description;</description>
+      <description>&recoveryKeyBackup.description;</description>
       <hbox>
         <button id="printSyncKeyButton"
                 label="&button.syncKeyBackup.print.label;"
@@ -351,8 +351,8 @@
 
     <groupbox>
       <label id="existingPassphraseLabel"
-             value="&signIn.syncKey.label;"
-             accesskey="&signIn.syncKey.accesskey;"
+             value="&signIn.recoveryKey.label;"
+             accesskey="&signIn.recoveryKey.accesskey;"
              control="existingPassphrase"/>
       <textbox id="existingPassphrase"
                oninput="gSyncSetup.checkFields()"/>
@@ -370,7 +370,7 @@
 
     <vbox id="passphraseHelpBox">
       <description>
-        &existingSyncKey.description;
+        &existingRecoveryKey.description;
         <label class="text-link"
                href="https://services.mozilla.com/sync/help/manual-setup">
           &addDevice.showMeHow.label;
diff --git a/browser/base/content/syncUtils.js b/browser/base/content/syncUtils.js
index 30af40579a4..99695e4d6db 100644
--- a/browser/base/content/syncUtils.js
+++ b/browser/base/content/syncUtils.js
@@ -193,8 +193,8 @@ let gSyncUtils = {
    * @param elid : ID of the form element containing the passphrase.
    */
   passphraseSave: function(elid) {
-    let dialogTitle = this.bundle.GetStringFromName("save.synckey.title");
-    let defaultSaveName = this.bundle.GetStringFromName("save.default.label");
+    let dialogTitle = this.bundle.GetStringFromName("save.recoverykey.title");
+    let defaultSaveName = this.bundle.GetStringFromName("save.recoverykey.defaultfilename");
     this._preparePPiframe(elid, function(iframe) {
       let filepicker = Cc["@mozilla.org/filepicker;1"]
                          .createInstance(Ci.nsIFilePicker);
@@ -243,7 +243,7 @@ let gSyncUtils = {
     else if (val1 && val1 == Weave.Service.password)
       error = "change.password.pwSameAsPassword";
     else if (val1 && val1 == Weave.Service.passphrase)
-      error = "change.password.pwSameAsSyncKey";
+      error = "change.password.pwSameAsRecoveryKey";
     else if (val1 && val2) {
       if (val1 == val2 && val1.length >= Weave.MIN_PASS_LENGTH)
         valid = true;
diff --git a/browser/base/content/test/browser_sanitizeDialog.js b/browser/base/content/test/browser_sanitizeDialog.js
index 325e6b0a6da..a1842ab14dd 100644
--- a/browser/base/content/test/browser_sanitizeDialog.js
+++ b/browser/base/content/test/browser_sanitizeDialog.js
@@ -56,8 +56,6 @@ Cc["@mozilla.org/moz/jssubscript-loader;1"].
 
 const dm = Cc["@mozilla.org/download-manager;1"].
            getService(Ci.nsIDownloadManager);
-const bhist = Cc["@mozilla.org/browser/global-history;2"].
-              getService(Ci.nsIBrowserHistory);
 const formhist = Cc["@mozilla.org/satchel/form-history;1"].
                  getService(Ci.nsIFormHistory2);
 
@@ -583,7 +581,7 @@ WindowHelper.prototype = {
           try {
             if (wh.onunload)
               wh.onunload();
-            doNextTest();
+            waitForAsyncUpdates(doNextTest);
           }
           catch (exc) {
             win.close();
@@ -698,10 +696,11 @@ function addFormEntryWithMinutesAgo(aMinutesAgo) {
  */
 function addHistoryWithMinutesAgo(aMinutesAgo) {
   let pURI = makeURI("http://" + aMinutesAgo + "-minutes-ago.com/");
-  bhist.addPageWithDetails(pURI,
-                           aMinutesAgo + " minutes ago",
-                           now_uSec - (aMinutesAgo * 60 * 1000 * 1000));
-  is(bhist.isVisited(pURI), true,
+  PlacesUtils.bhistory
+             .addPageWithDetails(pURI,
+                                 aMinutesAgo + " minutes ago",
+                                 now_uSec - (aMinutesAgo * 60 * 1000 * 1000));
+  is(PlacesUtils.bhistory.isVisited(pURI), true,
      "Sanity check: history visit " + pURI.spec +
      " should exist after creating it");
   return pURI;
@@ -711,11 +710,45 @@ function addHistoryWithMinutesAgo(aMinutesAgo) {
  * Removes all history visits, downloads, and form entries.
  */
 function blankSlate() {
-  bhist.removeAllPages();
+  PlacesUtils.bhistory.removeAllPages();
   dm.cleanUp();
   formhist.removeAllEntries();
 }
 
+/**
+ * Waits for all pending async statements on the default connection, before
+ * proceeding with aCallback.
+ *
+ * @param aCallback
+ *        Function to be called when done.
+ * @param aScope
+ *        Scope for the callback.
+ * @param aArguments
+ *        Arguments array for the callback.
+ *
+ * @note The result is achieved by asynchronously executing a query requiring
+ *       a write lock.  Since all statements on the same connection are
+ *       serialized, the end of this write operation means that all writes are
+ *       complete.  Note that WAL makes so that writers don't block readers, but
+ *       this is a problem only across different connections.
+ */
+function waitForAsyncUpdates(aCallback, aScope, aArguments)
+{
+  let scope = aScope || this;
+  let args = aArguments || [];
+  let db = PlacesUtils.history.QueryInterface(Ci.nsPIPlacesDatabase)
+                              .DBConnection;
+  db.createAsyncStatement("BEGIN EXCLUSIVE").executeAsync();
+  db.createAsyncStatement("COMMIT").executeAsync({
+    handleResult: function() {},
+    handleError: function() {},
+    handleCompletion: function(aReason)
+    {
+      aCallback.apply(scope, args);
+    }
+  });
+}
+
 /**
  * Ensures that the given pref is the expected value.
  *
@@ -758,7 +791,7 @@ function downloadExists(aID)
 function doNextTest() {
   if (gAllTests.length <= gCurrTest) {
     blankSlate();
-    finish();
+    waitForAsyncUpdates(finish);
   }
   else {
     let ct = gCurrTest;
@@ -810,7 +843,7 @@ function ensureFormEntriesClearedState(aFormEntries, aShouldBeCleared) {
 function ensureHistoryClearedState(aURIs, aShouldBeCleared) {
   let niceStr = aShouldBeCleared ? "no longer" : "still";
   aURIs.forEach(function (aURI) {
-    is(bhist.isVisited(aURI), !aShouldBeCleared,
+    is(PlacesUtils.bhistory.isVisited(aURI), !aShouldBeCleared,
        "history visit " + aURI.spec + " should " + niceStr + " exist");
   });
 }
@@ -836,5 +869,5 @@ function test() {
   blankSlate();
   waitForExplicitFinish();
   // Kick off all the tests in the gAllTests array.
-  doNextTest();
+  waitForAsyncUpdates(doNextTest);
 }
diff --git a/browser/base/content/test/browser_sanitizeDialog_treeView.js b/browser/base/content/test/browser_sanitizeDialog_treeView.js
index df566034f84..f3dc6d7f249 100644
--- a/browser/base/content/test/browser_sanitizeDialog_treeView.js
+++ b/browser/base/content/test/browser_sanitizeDialog_treeView.js
@@ -55,8 +55,6 @@ Cc["@mozilla.org/moz/jssubscript-loader;1"].
 
 const dm = Cc["@mozilla.org/download-manager;1"].
            getService(Ci.nsIDownloadManager);
-const bhist = Cc["@mozilla.org/browser/global-history;2"].
-              getService(Ci.nsIBrowserHistory);
 const formhist = Cc["@mozilla.org/satchel/form-history;1"].
                  getService(Ci.nsIFormHistory2);
 
@@ -502,10 +500,11 @@ function addFormEntryWithMinutesAgo(aMinutesAgo) {
  */
 function addHistoryWithMinutesAgo(aMinutesAgo) {
   let pURI = makeURI("http://" + aMinutesAgo + "-minutes-ago.com/");
-  bhist.addPageWithDetails(pURI,
-                           aMinutesAgo + " minutes ago",
-                           now_uSec - (aMinutesAgo * 60 * 1000 * 1000));
-  is(bhist.isVisited(pURI), true,
+  PlacesUtils.bhistory
+             .addPageWithDetails(pURI,
+                                 aMinutesAgo + " minutes ago",
+                                 now_uSec - (aMinutesAgo * 60 * 1000 * 1000));
+  is(PlacesUtils.bhistory.isVisited(pURI), true,
      "Sanity check: history visit " + pURI.spec +
      " should exist after creating it");
   return pURI;
@@ -515,11 +514,45 @@ function addHistoryWithMinutesAgo(aMinutesAgo) {
  * Removes all history visits, downloads, and form entries.
  */
 function blankSlate() {
-  bhist.removeAllPages();
+  PlacesUtils.bhistory.removeAllPages();
   dm.cleanUp();
   formhist.removeAllEntries();
 }
 
+/**
+ * Waits for all pending async statements on the default connection, before
+ * proceeding with aCallback.
+ *
+ * @param aCallback
+ *        Function to be called when done.
+ * @param aScope
+ *        Scope for the callback.
+ * @param aArguments
+ *        Arguments array for the callback.
+ *
+ * @note The result is achieved by asynchronously executing a query requiring
+ *       a write lock.  Since all statements on the same connection are
+ *       serialized, the end of this write operation means that all writes are
+ *       complete.  Note that WAL makes so that writers don't block readers, but
+ *       this is a problem only across different connections.
+ */
+function waitForAsyncUpdates(aCallback, aScope, aArguments)
+{
+  let scope = aScope || this;
+  let args = aArguments || [];
+  let db = PlacesUtils.history.QueryInterface(Ci.nsPIPlacesDatabase)
+                              .DBConnection;
+  db.createAsyncStatement("BEGIN EXCLUSIVE").executeAsync();
+  db.createAsyncStatement("COMMIT").executeAsync({
+    handleResult: function() {},
+    handleError: function() {},
+    handleCompletion: function(aReason)
+    {
+      aCallback.apply(scope, args);
+    }
+  });
+}
+
 /**
  * Checks to see if the download with the specified ID exists.
  *
@@ -548,7 +581,7 @@ function downloadExists(aID)
 function doNextTest() {
   if (gAllTests.length <= gCurrTest) {
     blankSlate();
-    finish();
+    waitForAsyncUpdates(finish);
   }
   else {
     let ct = gCurrTest;
@@ -600,7 +633,7 @@ function ensureFormEntriesClearedState(aFormEntries, aShouldBeCleared) {
 function ensureHistoryClearedState(aURIs, aShouldBeCleared) {
   let niceStr = aShouldBeCleared ? "no longer" : "still";
   aURIs.forEach(function (aURI) {
-    is(bhist.isVisited(aURI), !aShouldBeCleared,
+    is(PlacesUtils.bhistory.isVisited(aURI), !aShouldBeCleared,
        "history visit " + aURI.spec + " should " + niceStr + " exist");
   });
 }
@@ -625,7 +658,7 @@ function openWindow(aOnloadCallback) {
         // ok()/is() do...
         try {
           aOnloadCallback(win);
-          doNextTest();
+          waitForAsyncUpdates(doNextTest);
         }
         catch (exc) {
           win.close();
@@ -649,5 +682,5 @@ function test() {
   blankSlate();
   waitForExplicitFinish();
   // Kick off all the tests in the gAllTests array.
-  doNextTest();
+  waitForAsyncUpdates(doNextTest);
 }
diff --git a/browser/components/places/tests/browser/browser_bookmarksProperties.js b/browser/components/places/tests/browser/browser_bookmarksProperties.js
index f5987f6fdc1..0a96d23d329 100644
--- a/browser/components/places/tests/browser/browser_bookmarksProperties.js
+++ b/browser/components/places/tests/browser/browser_bookmarksProperties.js
@@ -536,7 +536,7 @@ function runNextTest() {
     gCurrentTest.cleanup();
     info("End of test: " + gCurrentTest.desc);
     gCurrentTest = null;
-    executeSoon(runNextTest);
+    waitForAsyncUpdates(runNextTest);
     return;
   }
 
diff --git a/browser/components/places/tests/browser/browser_library_infoBox.js b/browser/components/places/tests/browser/browser_library_infoBox.js
index 6194169f75c..25954318135 100644
--- a/browser/components/places/tests/browser/browser_library_infoBox.js
+++ b/browser/components/places/tests/browser/browser_library_infoBox.js
@@ -146,8 +146,7 @@ gTests.push({
 
     menuNode.containerOpen = false;
 
-    bhist.removeAllPages();
-    nextTest();
+    waitForClearHistory(nextTest);
   }
 });
 
diff --git a/browser/components/places/tests/browser/head.js b/browser/components/places/tests/browser/head.js
index d7838594aa7..3fb34e0e645 100644
--- a/browser/components/places/tests/browser/head.js
+++ b/browser/components/places/tests/browser/head.js
@@ -29,6 +29,13 @@ function openLibrary(callback, aLeftPaneRoot) {
   return library;
 }
 
+/**
+ * Waits for completion of a clear history operation, before
+ * proceeding with aCallback.
+ *
+ * @param aCallback
+ *        Function to be called when done.
+ */
 function waitForClearHistory(aCallback) {
   Services.obs.addObserver(function observeCH(aSubject, aTopic, aData) {
     Services.obs.removeObserver(observeCH, PlacesUtils.TOPIC_EXPIRATION_FINISHED);
@@ -36,3 +43,37 @@ function waitForClearHistory(aCallback) {
   }, PlacesUtils.TOPIC_EXPIRATION_FINISHED, false);
   PlacesUtils.bhistory.removeAllPages();
 }
+
+/**
+ * Waits for all pending async statements on the default connection, before
+ * proceeding with aCallback.
+ *
+ * @param aCallback
+ *        Function to be called when done.
+ * @param aScope
+ *        Scope for the callback.
+ * @param aArguments
+ *        Arguments array for the callback.
+ *
+ * @note The result is achieved by asynchronously executing a query requiring
+ *       a write lock.  Since all statements on the same connection are
+ *       serialized, the end of this write operation means that all writes are
+ *       complete.  Note that WAL makes so that writers don't block readers, but
+ *       this is a problem only across different connections.
+ */
+function waitForAsyncUpdates(aCallback, aScope, aArguments)
+{
+  let scope = aScope || this;
+  let args = aArguments || [];
+  let db = PlacesUtils.history.QueryInterface(Ci.nsPIPlacesDatabase)
+                              .DBConnection;
+  db.createAsyncStatement("BEGIN EXCLUSIVE").executeAsync();
+  db.createAsyncStatement("COMMIT").executeAsync({
+    handleResult: function() {},
+    handleError: function() {},
+    handleCompletion: function(aReason)
+    {
+      aCallback.apply(scope, args);
+    }
+  });
+}
diff --git a/browser/components/privatebrowsing/src/nsPrivateBrowsingService.js b/browser/components/privatebrowsing/src/nsPrivateBrowsingService.js
index 484482f24b1..5a5617fe9a8 100644
--- a/browser/components/privatebrowsing/src/nsPrivateBrowsingService.js
+++ b/browser/components/privatebrowsing/src/nsPrivateBrowsingService.js
@@ -619,11 +619,9 @@ PrivateBrowsingService.prototype = {
     }
 
     // Plugin data
-    let (ph = Cc["@mozilla.org/plugin/host;1"].getService(Ci.nsIPluginHost)) {
-      const phInterface = Ci.nsIPluginHost;
-      const FLAG_CLEAR_ALL = phInterface.FLAG_CLEAR_ALL;
-      ph.QueryInterface(phInterface);
-
+    const phInterface = Ci.nsIPluginHost;
+    const FLAG_CLEAR_ALL = phInterface.FLAG_CLEAR_ALL;
+    let (ph = Cc["@mozilla.org/plugin/host;1"].getService(phInterface)) {
       let tags = ph.getPluginTags();
       for (let i = 0; i < tags.length; i++) {
         try {
diff --git a/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_placestitle.js b/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_placestitle.js
index f4194ddb72f..f7d9845a084 100644
--- a/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_placestitle.js
+++ b/browser/components/privatebrowsing/test/browser/browser_privatebrowsing_placestitle.js
@@ -42,34 +42,21 @@ function test() {
   // initialization
   let pb = Cc["@mozilla.org/privatebrowsing;1"].
            getService(Ci.nsIPrivateBrowsingService);
-  let bhist = Cc["@mozilla.org/browser/global-history;2"].
-              getService(Ci.nsIBrowserHistory);
-  let histsvc = Cc["@mozilla.org/browser/nav-history-service;1"].
-                getService(Ci.nsINavHistoryService).
-                QueryInterface(Ci.nsPIPlacesDatabase);
   let cm = Cc["@mozilla.org/cookiemanager;1"].
            getService(Ci.nsICookieManager);
   waitForExplicitFinish();
 
   const TEST_URL = "http://mochi.test:8888/browser/browser/components/privatebrowsing/test/browser/title.sjs";
 
-  function cleanup() {
-    // delete all history items
-    bhist.removeAllPages();
+  function waitForCleanup(aCallback) {
     // delete all cookies
     cm.removeAll();
+    // delete all history items
+    waitForClearHistory(aCallback);
   }
-  cleanup();
 
   let observer = {
     pass: 1,
-    onBeginUpdateBatch: function() {
-    },
-    onEndUpdateBatch: function() {
-    },
-    onVisit: function(aURI, aVisitID, aTime, aSessionId, aReferringId,
-                      aTransitionType, _added) {
-    },
     onTitleChanged: function(aURI, aPageTitle) {
       if (aURI.spec != TEST_URL)
         return;
@@ -80,8 +67,9 @@ function test() {
         break;
       case 2: // the second time that the page is loaded
         is(aPageTitle, "Cookie", "The page should be loaded with a cookie for the second time");
-        cleanup();
-        gBrowser.selectedTab = gBrowser.addTab(TEST_URL);
+        waitForCleanup(function () {
+          gBrowser.selectedTab = gBrowser.addTab(TEST_URL);
+        });
         break;
       case 3: // before entering the private browsing mode
         is(aPageTitle, "No Cookie", "The page should be loaded without any cookie again");
@@ -89,37 +77,33 @@ function test() {
         pb.privateBrowsingEnabled = true;
         gBrowser.selectedTab = gBrowser.addTab(TEST_URL);
         executeSoon(function() {
-          histsvc.removeObserver(observer);
+          PlacesUtils.history.removeObserver(observer);
           pb.privateBrowsingEnabled = false;
-          while (gBrowser.browsers.length > 1)
+          while (gBrowser.browsers.length > 1) {
             gBrowser.removeCurrentTab();
-          cleanup();
-          finish();
+          }
+          waitForCleanup(finish);
         });
         break;
       default:
         ok(false, "Unexpected pass: " + (this.pass - 1));
       }
     },
-    onBeforeDeleteURI: function(aURI) {
-    },
-    onDeleteURI: function(aURI) {
-    },
-    onClearHistory: function() {
-    },
-    onPageChanged: function(aURI, aWhat, aValue) {
-    },
-    onDeleteVisits: function() {
-    },
-    QueryInterface: function(iid) {
-      if (iid.equals(Ci.nsINavHistoryObserver) ||
-          iid.equals(Ci.nsISupports)) {
-        return this;
-      }
-      throw Cr.NS_ERROR_NO_INTERFACE;
-    }
-  };
-  histsvc.addObserver(observer, false);
 
-  gBrowser.selectedTab = gBrowser.addTab(TEST_URL);
+    onBeginUpdateBatch: function () {},
+    onEndUpdateBatch: function () {},
+    onVisit: function () {},
+    onBeforeDeleteURI: function () {},
+    onDeleteURI: function () {},
+    onClearHistory: function () {},
+    onPageChanged: function () {},
+    onDeleteVisits: function() {},
+
+    QueryInterface: XPCOMUtils.generateQI([Ci.nsINavHistoryObserver])
+  };
+  PlacesUtils.history.addObserver(observer, false);
+
+  waitForCleanup(function () {
+    gBrowser.selectedTab = gBrowser.addTab(TEST_URL);
+  });
 }
diff --git a/browser/components/privatebrowsing/test/browser/head.js b/browser/components/privatebrowsing/test/browser/head.js
index 3ac83cf5156..ea935fe7267 100644
--- a/browser/components/privatebrowsing/test/browser/head.js
+++ b/browser/components/privatebrowsing/test/browser/head.js
@@ -9,3 +9,17 @@ registerCleanupFunction(function() {
   } catch(e) {}
 });
 
+/**
+ * Waits for completion of a clear history operation, before
+ * proceeding with aCallback.
+ *
+ * @param aCallback
+ *        Function to be called when done.
+ */
+function waitForClearHistory(aCallback) {
+  Services.obs.addObserver(function observeCH(aSubject, aTopic, aData) {
+    Services.obs.removeObserver(observeCH, PlacesUtils.TOPIC_EXPIRATION_FINISHED);
+    aCallback();
+  }, PlacesUtils.TOPIC_EXPIRATION_FINISHED, false);
+  PlacesUtils.bhistory.removeAllPages();
+}
diff --git a/browser/locales/en-US/chrome/browser/syncGenericChange.properties b/browser/locales/en-US/chrome/browser/syncGenericChange.properties
index 32310a307a7..ecd8a1a323a 100644
--- a/browser/locales/en-US/chrome/browser/syncGenericChange.properties
+++ b/browser/locales/en-US/chrome/browser/syncGenericChange.properties
@@ -1,25 +1,24 @@
-# LOCALIZATION NOTE (change.password.title): This (and associated change.password/passphrase) are used when the user elects to change their password.
+#LOCALIZATION NOTE (change.password.title): This (and associated change.password/passphrase) are used when the user elects to change their password.
 change.password.title = Change your Password
 change.password.acceptButton = Change Password
 change.password.status.active = Changing your password…
 change.password.status.success = Your password has been changed.
 change.password.status.error = There was an error changing your password.
 
-change.password2.introText = Your password must be at least 8 characters long.  It cannot be the same as either your user name or your Sync Key.
+change.password3.introText = Your password must be at least 8 characters long.  It cannot be the same as either your user name or your Recovery Key.
 change.password.warningText = Note: All of your other devices will be unable to connect to your account once you change this password.
 
-change.synckey2.title = My Sync Key
-change.synckey.acceptButton = Change Sync Key
-change.synckey.label = Changing Sync Key and uploading local data, please wait…
-change.synckey2.error = There was an error while changing your Sync Key!
-change.synckey2.success = Your Sync Key was successfully changed!
+change.recoverykey.title = My Recovery Key
+change.recoverykey.acceptButton = Change Recovery Key
+change.recoverykey.label = Changing Recovery Key and uploading local data, please wait…
+change.recoverykey.error = There was an error while changing your Recovery Key!
+change.recoverykey.success = Your Recovery Key was successfully changed!
 
-change.synckey.introText = Firefox Cares About Your Privacy
 change.synckey.introText2 = To ensure your total privacy, all of your data is encrypted prior to being uploaded. The key to decrypt your data is not uploaded.
-# LOCALIZATION NOTE (change.synckey2.warningText) "Sync" should match &syncBrand.shortName.label; from syncBrand.dtd
-change.synckey2.warningText = Note: Changing this will erase all data stored on the Sync server and upload new data secured by this Sync Key. Your other devices will not sync until the new Sync Key is entered for that device.
+# LOCALIZATION NOTE (change.recoverykey.warningText) "Sync" should match &syncBrand.shortName.label; from syncBrand.dtd
+change.recoverykey.warningText = Note: Changing this will erase all data stored on the Sync server and upload new data secured by this Recovery Key. Your other devices will not sync until the new Recovery Key is entered for that device.
 
-new.synckey.label = Your Sync Key
+new.recoverykey.label = Your Recovery Key
 
 # LOCALIZATION NOTE (new.password.title): This (and associated new.password/passphrase) are used on a second computer when it detects that your password or passphrase has been changed on a different device.
 new.password.title            = Update Password
@@ -29,7 +28,6 @@ new.password.confirm          = Confirm your new password
 new.password.acceptButton     = Update Password
 new.password.status.incorrect = Password incorrect, please try again.
 
-new.synckey.title          = Update Sync Key
-new.synckey2.introText       = Your Sync Key was changed using another device, please enter your updated Sync Key.
-new.synckey.acceptButton     = Update Sync Key
-new.synckey.status.incorrect = Sync Key incorrect, please try again.
+new.recoverykey.title          = Update Recovery Key
+new.recoverykey.introText      = Your Recovery Key was changed using another device, please enter your updated Recovery Key.
+new.recoverykey.acceptButton     = Update Recovery Key
diff --git a/browser/locales/en-US/chrome/browser/syncSetup.dtd b/browser/locales/en-US/chrome/browser/syncSetup.dtd
index 4454fea47db..d7b37f59ba6 100644
--- a/browser/locales/en-US/chrome/browser/syncSetup.dtd
+++ b/browser/locales/en-US/chrome/browser/syncSetup.dtd
@@ -19,8 +19,8 @@
 <!ENTITY signIn.account2.accesskey  "A">
 <!ENTITY signIn.password.label      "Password">
 <!ENTITY signIn.password.accesskey  "P">
-<!ENTITY signIn.syncKey.label       "Sync Key">
-<!ENTITY signIn.syncKey.accesskey   "K">
+<!ENTITY signIn.recoveryKey.label       "Recovery Key">
+<!ENTITY signIn.recoveryKey.accesskey   "K">
 
 <!-- New Account Page 1: Basic Account Info -->
 <!ENTITY setup.newAccountDetailsPage.title.label "Account Details">
@@ -41,12 +41,12 @@
 <!ENTITY setup.tosAgree2.accesskey  "">
 
 <!-- New Account Page 2: Sync Key -->
-<!ENTITY setup.newSyncKeyPage.title.label "&brandShortName; Cares About Your Privacy">
-<!ENTITY setup.newSyncKeyPage.description.label "To ensure your total privacy, all of your data is encrypted prior to being uploaded. The Sync Key which is necessary to decrypt your data is not uploaded.">
-<!ENTITY syncKeyEntry.label        "Your Sync Key">
-<!ENTITY syncKeyEntry.accesskey    "K">
+<!ENTITY setup.newRecoveryKeyPage.title.label "&brandShortName; Cares About Your Privacy">
+<!ENTITY setup.newRecoveryKeyPage.description.label "To ensure your total privacy, all of your data is encrypted prior to being uploaded. The Recovery Key which is necessary to decrypt your data is not uploaded.">
+<!ENTITY recoveryKeyEntry.label        "Your Recovery Key">
+<!ENTITY recoveryKeyEntry.accesskey    "K">
 <!ENTITY syncGenerateNewKey.label  "Generate a new key">
-<!ENTITY syncKeyBackup.description "Your Sync Key is required to access &syncBrand.fullName.label; on other machines. Please create a backup copy. We cannot help you recover your Sync Key.">
+<!ENTITY recoveryKeyBackup.description "Your Recovery Key is required to access &syncBrand.fullName.label; on other machines. Please create a backup copy. We cannot help you recover your Recovery Key.">
 
 <!ENTITY button.syncKeyBackup.print.label     "Print…">
 <!ENTITY button.syncKeyBackup.print.accesskey "P">
@@ -65,12 +65,12 @@
 <!ENTITY addDevice.dialog.enterCode.label   "Enter the code that the device provides:">
 <!ENTITY addDevice.dialog.tryAgain.label    "Please try again.">
 <!ENTITY addDevice.dialog.successful.label  "The device has been successfully added. The initial synchronization can take several minutes and will finish in the background.">
-<!ENTITY addDevice.dialog.syncKey.label     "To activate your device you will need to enter your Sync Key. Please print or save this key and take it with you.">
+<!ENTITY addDevice.dialog.recoveryKey.label     "To activate your device you will need to enter your Recovery Key. Please print or save this key and take it with you.">
 <!ENTITY addDevice.dialog.connected.label   "Device Connected">
 
 <!-- Existing Account Page 2: Manual Login -->
 <!ENTITY setup.signInPage.title.label "Sign In">
-<!ENTITY existingSyncKey.description "You can get a copy of your Sync Key by going to &syncBrand.shortName.label; Options on your other device, and selecting  &#x0022;My Sync Key&#x0022; under &#x0022;Manage Account&#x0022;.">
+<!ENTITY existingRecoveryKey.description "You can get a copy of your Recovery Key by going to &syncBrand.shortName.label; Options on your other device, and selecting  &#x0022;My Recovery Key&#x0022; under &#x0022;Manage Account&#x0022;.">
 <!ENTITY verifying.label              "Verifying…">
 <!ENTITY resetPassword.label          "Reset Password">
 <!ENTITY resetSyncKey.label           "I have lost my other device.">
diff --git a/browser/locales/en-US/chrome/browser/syncSetup.properties b/browser/locales/en-US/chrome/browser/syncSetup.properties
index e29b2acdecd..89b9c510b3a 100644
--- a/browser/locales/en-US/chrome/browser/syncSetup.properties
+++ b/browser/locales/en-US/chrome/browser/syncSetup.properties
@@ -29,8 +29,8 @@ historyDaysCount.label      = #1 day of history;#1 days of history
 # #1 is the number of passwords (was %S for a short while, use #1 instead, even if both work)
 passwordsCount.label        = #1 password;#1 passwords
 
-save.synckey.title = Save Sync Key
-save.default.label = Firefox Sync Key.html
+save.recoverykey.title = Save Recovery Key
+save.recoverykey.defaultfilename = Firefox Recovery Key.html
 
 newAccount.action.label = Firefox Sync is now set up to automatically sync all of your browser data.
 newAccount.change.label = You can choose exactly what to sync by selecting Sync Options below.
diff --git a/browser/themes/gnomestripe/browser/browser.css b/browser/themes/gnomestripe/browser/browser.css
index 2f59976c62c..366267c60eb 100644
--- a/browser/themes/gnomestripe/browser/browser.css
+++ b/browser/themes/gnomestripe/browser/browser.css
@@ -603,18 +603,37 @@ toolbar[mode="full"] .toolbarbutton-1 > .toolbarbutton-menubutton-button {
 
 #forward-button {
   list-style-image: url("moz-icon://stock/gtk-go-forward-ltr?size=toolbar");
+  -moz-transition: 250ms ease-out;
 }
-#forward-button[disabled="true"] {
-  list-style-image: url("moz-icon://stock/gtk-go-forward-ltr?size=toolbar&state=disabled");
-}
-
 #forward-button:-moz-locale-dir(rtl) {
   list-style-image: url("moz-icon://stock/gtk-go-forward-rtl?size=toolbar");
 }
-#forward-button[disabled="true"]:-moz-locale-dir(rtl) {
+
+toolbar:not([mode=icons]) #forward-button[disabled="true"] {
+  list-style-image: url("moz-icon://stock/gtk-go-forward-ltr?size=toolbar&state=disabled");
+}
+toolbar:not([mode=icons]) #forward-button[disabled="true"]:-moz-locale-dir(rtl) {
   list-style-image: url("moz-icon://stock/gtk-go-forward-rtl?size=toolbar&state=disabled");
 }
 
+toolbar[mode=icons] #forward-button[disabled="true"] {
+  -moz-transform: scale(0);
+  opacity: 0;
+  pointer-events: none;
+}
+toolbar[mode=icons] #forward-button[disabled="true"]:-moz-locale-dir(ltr) {
+  margin-left: -36px;
+}
+toolbar[mode=icons] #forward-button[disabled="true"]:-moz-locale-dir(rtl) {
+  margin-right: -36px;
+}
+toolbar[mode=icons][iconsize=small] #forward-button[disabled="true"]:-moz-locale-dir(ltr) {
+  margin-left: -28px;
+}
+toolbar[mode=icons][iconsize=small] #forward-button[disabled="true"]:-moz-locale-dir(rtl) {
+  margin-right: -28px;
+}
+
 #reload-button {
   list-style-image: url("moz-icon://stock/gtk-refresh?size=toolbar");
 }
@@ -786,7 +805,7 @@ toolbar[iconsize="small"] #forward-button {
 .unified-nav-forward[_moz-menuactive] {
   list-style-image: url("moz-icon://stock/gtk-go-forward-ltr?size=menu") !important;
 }
-toolbar[iconsize="small"] #forward-button[disabled="true"] {
+toolbar[iconsize="small"]:not([mode=icons]) #forward-button[disabled="true"] {
   list-style-image: url("moz-icon://stock/gtk-go-forward-ltr?size=menu&state=disabled");
 }
 
@@ -796,7 +815,7 @@ toolbar[iconsize="small"] #forward-button:-moz-locale-dir(rtl) {
 .unified-nav-forward[_moz-menuactive]:-moz-locale-dir(rtl) {
   list-style-image: url("moz-icon://stock/gtk-go-forward-rtl?size=menu") !important;
 }
-toolbar[iconsize="small"] #forward-button[disabled="true"]:-moz-locale-dir(rtl) {
+toolbar[iconsize="small"]:not([mode=icons]) #forward-button[disabled="true"]:-moz-locale-dir(rtl) {
   list-style-image: url("moz-icon://stock/gtk-go-forward-rtl?size=menu&state=disabled");
 }
 
diff --git a/browser/themes/pinstripe/browser/browser.css b/browser/themes/pinstripe/browser/browser.css
index 1cec29a8209..06b03962ddc 100644
--- a/browser/themes/pinstripe/browser/browser.css
+++ b/browser/themes/pinstripe/browser/browser.css
@@ -482,6 +482,7 @@ toolbar[mode="icons"] #forward-button:-moz-locale-dir(rtl):-moz-lwtheme {
   padding: 4px 5px 5px 3px;
   margin-bottom: -1px;
   background: url(chrome://browser/skin/keyhole-circle.png) 0 0 no-repeat;
+  border-radius: 0;
 }
 
 #navigator-toolbox[iconsize="large"][mode="icons"] > #nav-bar #back-button:-moz-window-inactive:not(:-moz-lwtheme) {
diff --git a/browser/themes/pinstripe/browser/keyhole-circle-lion.png b/browser/themes/pinstripe/browser/keyhole-circle-lion.png
index f164d498c35..8c4cb3ba212 100644
Binary files a/browser/themes/pinstripe/browser/keyhole-circle-lion.png and b/browser/themes/pinstripe/browser/keyhole-circle-lion.png differ
diff --git a/build/macosx/mozconfig.leopard b/build/macosx/mozconfig.leopard
index 78dfb6f4bb4..2756f1d2ebc 100644
--- a/build/macosx/mozconfig.leopard
+++ b/build/macosx/mozconfig.leopard
@@ -10,4 +10,6 @@ fi
 CC="$CC -arch i386"
 CXX="$CXX -arch i386"
 
+# Note, the version (10) is used by libffi's configure.
+ac_add_options --target=i386-apple-darwin10
 ac_add_options --with-macos-sdk=/Developer/SDKs/MacOSX10.5.sdk
diff --git a/build/macosx/universal/mozconfig.common b/build/macosx/universal/mozconfig.common
index c0a123fec23..1b65dc8b80f 100644
--- a/build/macosx/universal/mozconfig.common
+++ b/build/macosx/universal/mozconfig.common
@@ -38,10 +38,10 @@ mk_add_options MOZ_UNIFY_BDATE=1
 
 mk_add_options MOZ_POSTFLIGHT_ALL+=build/macosx/universal/flight.mk
 
-DARWIN_VERSION=`uname -r`
-ac_add_app_options ppc  --target=powerpc-apple-darwin$DARWIN_VERSION
-ac_add_app_options i386 --target=i386-apple-darwin$DARWIN_VERSION
-ac_add_app_options x86_64 --target=x86_64-apple-darwin$DARWIN_VERSION
+# Note, the version (10) is used by libffi's configure.
+ac_add_app_options ppc  --target=powerpc-apple-darwin10
+ac_add_app_options i386 --target=i386-apple-darwin10
+ac_add_app_options x86_64 --target=x86_64-apple-darwin10
 
 ac_add_app_options ppc --with-macos-sdk=/Developer/SDKs/MacOSX10.5.sdk
 ac_add_app_options i386 --with-macos-sdk=/Developer/SDKs/MacOSX10.5.sdk
diff --git a/build/mobile/devicemanagerADB.py b/build/mobile/devicemanagerADB.py
index f98fcbd4bc4..7a82b0082d2 100644
--- a/build/mobile/devicemanagerADB.py
+++ b/build/mobile/devicemanagerADB.py
@@ -2,6 +2,7 @@ import subprocess
 from devicemanager import DeviceManager, DMError
 import re
 import os
+import sys
 
 class DeviceManagerADB(DeviceManager):
 
@@ -11,6 +12,7 @@ class DeviceManagerADB(DeviceManager):
     self.retrylimit = retrylimit
     self.retries = 0
     self._sock = None
+    self.useRunAs = False
     if packageName == None:
       if os.getenv('USER'):
         packageName = 'org.mozilla.fennec_' + os.getenv('USER')
@@ -22,14 +24,11 @@ class DeviceManagerADB(DeviceManager):
     # Initialization code that may fail: Catch exceptions here to allow
     # successful initialization even if, for example, adb is not installed.
     try:
-      root = self.getDeviceRoot()
-      self.verifyPackage(packageName)
-      self.tmpDir = root + "/tmp"
-      if (not self.dirExists(self.tmpDir)):
-        self.mkDir(self.tmpDir)
+      self.verifyADB()
+      self.verifyRunAs(packageName)
     except:
+      self.useRunAs = False
       self.packageName = None
-      self.tmpDir = None
     try:
       # a test to see if we have root privs
       files = self.listFiles("/data/data")
@@ -51,7 +50,7 @@ class DeviceManagerADB(DeviceManager):
     try:
       if (os.name == "nt"):
         destname = destname.replace('\\', '/')
-      if (self.packageName):
+      if (self.useRunAs):
         remoteTmpFile = self.tmpDir + "/" + os.path.basename(localname)
         self.checkCmd(["push", os.path.realpath(localname), remoteTmpFile])
         self.checkCmdAs(["shell", "cp", remoteTmpFile, destname])
@@ -498,7 +497,7 @@ class DeviceManagerADB(DeviceManager):
     return subprocess.check_call(args)
 
   def checkCmdAs(self, args):
-    if (self.packageName):
+    if (self.useRunAs):
       args.insert(1, "run-as")
       args.insert(2, self.packageName)
     return self.checkCmd(args)
@@ -518,13 +517,44 @@ class DeviceManagerADB(DeviceManager):
       self.checkCmdAs(["shell", "chmod", "777", remoteDir.strip()])
       print "chmod " + remoteDir.strip()
 
-  def verifyPackage(self, packageName):
-    # If a valid package name is specified, it will be used for certain
-    # file operations, so that pushed files and directories are created
-    # by the uid associated with the package.
-    self.packageName = None
-    if (packageName):
-      data = self.runCmd(["shell", "run-as", packageName, "pwd"]).stdout.read()
-      if (not re.search('is unknown', data)):
+  def verifyADB(self):
+    # Check to see if adb itself can be executed.
+    try:
+      self.runCmd(["version"])
+    except Exception as (ex):
+      print "unable to execute ADB: ensure Android SDK is installed and adb is in your $PATH"
+    
+  def isCpAvailable(self):
+    # Some Android systems may not have a cp command installed,
+    # or it may not be executable by the user. 
+    data = self.runCmd(["shell", "cp"]).stdout.read()
+    if (re.search('Usage', data)):
+      return True
+    else:
+      print "unable to execute 'cp' on device; consider installing busybox from Android Market"
+      return False
+
+  def verifyRunAs(self, packageName):
+    # If a valid package name is available, and certain other
+    # conditions are met, devicemanagerADB can execute file operations
+    # via the "run-as" command, so that pushed files and directories 
+    # are created by the uid associated with the package, more closely
+    # echoing conditions encountered by Fennec at run time.
+    # Check to see if run-as can be used here, by verifying a 
+    # file copy via run-as.
+    self.useRunAs = False
+    devroot = self.getDeviceRoot()
+    if (packageName and self.isCpAvailable() and devroot):
+      self.tmpDir = devroot + "/tmp"
+      if (not self.dirExists(self.tmpDir)):
+        self.mkDir(self.tmpDir)
+      self.checkCmd(["shell", "run-as", packageName, "mkdir", devroot + "/sanity"])
+      self.checkCmd(["push", os.path.abspath(sys.argv[0]), self.tmpDir + "/tmpfile"])
+      self.checkCmd(["shell", "run-as", packageName, "cp", self.tmpDir + "/tmpfile", devroot + "/sanity"])
+      if (self.fileExists(devroot + "/sanity/tmpfile")):
+        print "will execute commands via run-as " + packageName
         self.packageName = packageName
-        print "package set: " + self.packageName
+        self.useRunAs = True
+      self.checkCmd(["shell", "rm", devroot + "/tmp/tmpfile"])
+      self.checkCmd(["shell", "run-as", packageName, "rm", "-r", devroot + "/sanity"])
+      
diff --git a/config/autoconf.mk.in b/config/autoconf.mk.in
index 01f88cb1296..d1de275ab42 100644
--- a/config/autoconf.mk.in
+++ b/config/autoconf.mk.in
@@ -43,7 +43,6 @@ USE_AUTOCONF 	= 1
 MOZILLA_CLIENT	= 1
 target          = @target@
 ac_configure_args = @ac_configure_args@
-BUILD_MODULES	= @BUILD_MODULES@
 MOZILLA_VERSION = @MOZILLA_VERSION@
 FIREFOX_VERSION	= @FIREFOX_VERSION@
 
diff --git a/config/nsinstall_win.c b/config/nsinstall_win.c
index d9b723b2c7c..1c1623f82fa 100644
--- a/config/nsinstall_win.c
+++ b/config/nsinstall_win.c
@@ -41,6 +41,38 @@ static BOOL sh_DoCopy(wchar_t *srcFileName, DWORD srcFileAttributes,
 #define ARRAY_LEN(a) (sizeof(a) / sizeof(a[0]))
 #define STR_LEN(a) (ARRAY_LEN(a) - 1)
 
+#ifdef __MINGW32__
+
+/* MingW currently does not implement a wide version of the
+   startup routines.  Workaround is to implement something like
+   it ourselves. */
+
+#include <shellapi.h>
+
+int wmain(int argc, WCHAR **argv);
+
+int main(int argc, char **argv)
+{
+    int result;
+    wchar_t *commandLine = GetCommandLineW();
+    int argcw = 0;
+    wchar_t **_argvw = CommandLineToArgvW( commandLine, &argcw );
+    wchar_t *argvw[argcw + 1];
+    int i;
+    if (!_argvw)
+        return 127;
+    /* CommandLineToArgvW doesn't output the ending NULL so
+       we have to manually add it on */
+    for ( i = 0; i < argcw; i++ )
+        argvw[i] = _argvw[i];
+    argvw[argcw] = NULL;
+
+    result = wmain(argcw, argvw);
+    LocalFree(_argvw);
+    return result;
+}
+#endif /* __MINGW32__ */
+
 /* changes all forward slashes in token to backslashes */
 void changeForwardSlashesToBackSlashes ( wchar_t *arg )
 {
diff --git a/config/rules.mk b/config/rules.mk
index d2bf49060f8..59cee5577e4 100644
--- a/config/rules.mk
+++ b/config/rules.mk
@@ -1153,8 +1153,9 @@ ifdef HAVE_DTRACE
 ifndef XP_MACOSX
 ifdef DTRACE_PROBE_OBJ
 ifndef DTRACE_LIB_DEPENDENT
-$(DTRACE_PROBE_OBJ):
-	dtrace -G -C -s $(MOZILLA_DTRACE_SRC) -o $(DTRACE_PROBE_OBJ)
+NON_DTRACE_OBJS := $(filter-out $(DTRACE_PROBE_OBJ),$(OBJS))
+$(DTRACE_PROBE_OBJ): $(NON_DTRACE_OBJS)
+	dtrace -G -C -s $(MOZILLA_DTRACE_SRC) -o $(DTRACE_PROBE_OBJ) $(NON_DTRACE_OBJS)
 endif
 endif
 endif
@@ -1550,9 +1551,6 @@ export:: FORCE
 	@echo; sleep 2; false
 endif
 
-$(IDL_DIR)::
-	$(NSINSTALL) -D $@
-
 # generate .h files from into $(XPIDL_GEN_DIR), then export to $(DIST)/include;
 # warn against overriding existing .h file. 
 $(XPIDL_GEN_DIR)/.done:
@@ -1623,14 +1621,8 @@ endif # XPIDLSRCS
 
 
 
-#
 # General rules for exporting idl files.
-#
-# WORK-AROUND ONLY, for mozilla/tools/module-deps/bootstrap.pl build.
-# Bug to fix idl dependency problems w/o this extra build pass is
-#   http://bugzilla.mozilla.org/show_bug.cgi?id=145777
-#
-$(IDL_DIR)::
+$(IDL_DIR):
 	$(NSINSTALL) -D $@
 
 export-idl:: $(SUBMAKEFILES) $(MAKE_DIRS)
@@ -2097,7 +2089,6 @@ showhost:
 	@echo "HOST_LIBRARY       = $(HOST_LIBRARY)"
 
 showbuildmods::
-	@echo "Build Modules	= $(BUILD_MODULES)"
 	@echo "Module dirs	= $(BUILD_MODULE_DIRS)"
 
 documentation:
diff --git a/configure.in b/configure.in
index d4e3c8b2d8e..93806e05ff0 100644
--- a/configure.in
+++ b/configure.in
@@ -970,7 +970,6 @@ if test -n "$_WIN32_MSVC"; then
     AC_DEFINE(HAVE_IO_H)
     AC_DEFINE(HAVE_SETBUF)
     AC_DEFINE(HAVE_ISATTY)
-    AC_DEFINE(HAVE_STDCALL)
 fi
 
 fi # COMPILE_ENVIRONMENT
@@ -2492,6 +2491,8 @@ ia64*-hpux*)
         if test -n "$GNU_CC"; then
             CFLAGS="$CFLAGS -mstackrealign"
             CXXFLAGS="$CXXFLAGS -mstackrealign"
+        else
+            AC_DEFINE(HAVE_STDCALL)
         fi
 
         MOZ_CHECK_HEADERS(mmintrin.h)
@@ -5185,7 +5186,7 @@ incorrect])
        MOZ_QT_CFLAGS="$MOZ_QT_CFLAGS $_QTMOBILITY_CFLAGS"
        MOZ_QT_LIBS="$MOZ_QT_LIBS $_QTMOBILITY_LIBS"
     else
-       AC_CHECK_LIB(QtSensors QtFeedback QtLocation, main, [
+       AC_CHECK_LIB(QtSensors, main, [
           MOZ_ENABLE_QTMOBILITY=1
           MOZ_QT_CFLAGS="$MOZ_QT_CFLAGS -I/usr/include/qt4/QtMobility"
           MOZ_QT_CFLAGS="$MOZ_QT_CFLAGS -I/usr/include/qt4/QtSensors"
diff --git a/content/base/public/nsIFrameMessageManager.idl b/content/base/public/nsIFrameMessageManager.idl
index 9cbbf16d570..2977298e31d 100644
--- a/content/base/public/nsIFrameMessageManager.idl
+++ b/content/base/public/nsIFrameMessageManager.idl
@@ -125,10 +125,10 @@ interface nsITreeItemFrameMessageManager : nsIFrameMessageManager
   nsITreeItemFrameMessageManager getChildAt(in unsigned long aIndex);
 };
 
-[scriptable, uuid(23e6ef7b-8cc5-4e8b-9391-453440a3b858)]
+[scriptable, uuid(9e5c0526-aa4c-49f0-afbb-57f489cd9b59)]
 interface nsIChromeFrameMessageManager : nsITreeItemFrameMessageManager
 {
-  /*
+  /**
    * Load a script in the (remote) frame. aURL must be the absolute URL.
    * data: URLs are also supported. For example data:,dump("foo\n");
    * If aAllowDelayedLoad is true, script will be loaded when the
@@ -136,5 +136,10 @@ interface nsIChromeFrameMessageManager : nsITreeItemFrameMessageManager
    * only if the frame is already available.
    */
   void loadFrameScript(in AString aURL, in boolean aAllowDelayedLoad);
+
+  /**
+   * Removes aURL from the list of scripts which support delayed load.
+   */
+  void removeDelayedFrameScript(in AString aURL);
 };
 
diff --git a/content/base/src/nsDocument.cpp b/content/base/src/nsDocument.cpp
index 9cf806b669c..501503d20a4 100644
--- a/content/base/src/nsDocument.cpp
+++ b/content/base/src/nsDocument.cpp
@@ -6125,7 +6125,7 @@ nsDocument::AdoptNode(nsIDOMNode *aAdoptedNode, nsIDOMNode **aResult)
       } while ((doc = doc->GetParentDocument()));
 
       // Remove from parent.
-      nsINode* parent = adoptedNode->GetNodeParent();
+      nsCOMPtr<nsINode> parent = adoptedNode->GetNodeParent();
       if (parent) {
         rv = parent->RemoveChildAt(parent->IndexOf(adoptedNode), PR_TRUE);
         NS_ENSURE_SUCCESS(rv, rv);
diff --git a/content/base/src/nsFrameMessageManager.cpp b/content/base/src/nsFrameMessageManager.cpp
index a922b45208b..9c0e9b57d29 100644
--- a/content/base/src/nsFrameMessageManager.cpp
+++ b/content/base/src/nsFrameMessageManager.cpp
@@ -177,6 +177,13 @@ nsFrameMessageManager::LoadFrameScript(const nsAString& aURL,
   return NS_OK;
 }
 
+NS_IMETHODIMP
+nsFrameMessageManager::RemoveDelayedFrameScript(const nsAString& aURL)
+{
+  mPendingScripts.RemoveElement(aURL);
+  return NS_OK;
+}
+
 static JSBool
 JSONCreator(const jschar* aBuf, uint32 aLen, void* aData)
 {
diff --git a/content/base/src/nsGenericElement.cpp b/content/base/src/nsGenericElement.cpp
index 61ef8cd7679..74dc85e9bd3 100644
--- a/content/base/src/nsGenericElement.cpp
+++ b/content/base/src/nsGenericElement.cpp
@@ -620,7 +620,7 @@ nsINode::Normalize()
     }
 
     // Remove node
-    nsINode* parent = node->GetNodeParent();
+    nsCOMPtr<nsINode> parent = node->GetNodeParent();
     NS_ASSERTION(parent || hasRemoveListeners,
                  "Should always have a parent unless "
                  "mutation events messed us up");
@@ -3945,7 +3945,7 @@ nsINode::ReplaceOrInsertBefore(PRBool aReplace, nsINode* aNewChild,
   }
 
   // Remove the new child from the old parent if one exists
-  nsINode* oldParent = newContent->GetNodeParent();
+  nsCOMPtr<nsINode> oldParent = newContent->GetNodeParent();
   if (oldParent) {
     PRInt32 removeIndex = oldParent->IndexOf(newContent);
     if (removeIndex < 0) {
diff --git a/content/base/test/chrome/file_bug549682.xul b/content/base/test/chrome/file_bug549682.xul
index bac5b7bfe26..dd33d0643c9 100644
--- a/content/base/test/chrome/file_bug549682.xul
+++ b/content/base/test/chrome/file_bug549682.xul
@@ -67,6 +67,16 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=549682
     global.addMessageListener("sync", globalListener);
     global.addMessageListener("global-sync", globalListener);
     global.loadFrameScript("data:,sendSyncMessage('global-sync', { data: 1234 });", true);
+    var toBeRemovedScript = "data:,sendAsyncMessage('toberemoved', { data: 2345 })";
+    var c = 0;
+    messageManager.addMessageListener("toberemoved", function() {
+      ++c;
+      opener.wrappedJSObject.is(c, 1, "Should be called only once!");
+    });
+    // This loads the script in the existing <browser>
+    messageManager.loadFrameScript(toBeRemovedScript, true);
+    // But it won't be loaded in the dynamically created <browser>
+    messageManager.removeDelayedFrameScript(toBeRemovedScript);
 
     var oldValue = globalListenerCallCount;
     var b = document.createElement("browser");
diff --git a/content/html/content/src/nsHTMLInputElement.cpp b/content/html/content/src/nsHTMLInputElement.cpp
index d51b0e8ba0b..57e8ab340e5 100644
--- a/content/html/content/src/nsHTMLInputElement.cpp
+++ b/content/html/content/src/nsHTMLInputElement.cpp
@@ -2510,12 +2510,12 @@ nsHTMLInputElement::SanitizeValue(nsAString& aValue)
     case NS_FORM_INPUT_SEARCH:
     case NS_FORM_INPUT_TEL:
     case NS_FORM_INPUT_PASSWORD:
-    case NS_FORM_INPUT_EMAIL:
       {
         PRUnichar crlf[] = { PRUnichar('\r'), PRUnichar('\n'), 0 };
         aValue.StripChars(crlf);
       }
       break;
+    case NS_FORM_INPUT_EMAIL:
     case NS_FORM_INPUT_URL:
       {
         PRUnichar crlf[] = { PRUnichar('\r'), PRUnichar('\n'), 0 };
diff --git a/content/html/content/test/forms/test_input_email.html b/content/html/content/test/forms/test_input_email.html
index 9c33886c1be..8b2b2fe7bd4 100644
--- a/content/html/content/test/forms/test_input_email.html
+++ b/content/html/content/test/forms/test_input_email.html
@@ -75,8 +75,12 @@ var email = document.forms[0].elements[0];
 var values = [
   [ '', true ], // The empty string shouldn't be considered as invalid.
   [ 'foo@bar.com', true ],
-  [ ' foo@bar.com', false ],
-  [ 'foo@bar.com ', false ],
+  [ ' foo@bar.com', true ],
+  [ 'foo@bar.com ', true ],
+  [ '\r\n foo@bar.com', true ],
+  [ 'foo@bar.com \n\r', true ],
+  [ '\n\n \r\rfoo@bar.com\n\n   \r\r', true ],
+  [ '\n\r \n\rfoo@bar.com\n\r   \n\r', true ],
   [ 'tulip', false ],
   // Some checks on the user part of the address.
   [ '@bar.com', false ],
@@ -163,7 +167,7 @@ values.push(["foo@bar.com" + legalCharacters, true]);
 // Add domain illegal characters.
 illegalCharacters = "()<>[]:;@\\,!#$%&'*+/=?^_`{|}~ \t";
 for each (c in illegalCharacters) {
-  values.push(['foo@foo.bar' + c, false]);
+  values.push(['foo@foo.ba' + c + 'r', false]);
 }
 
 values.forEach(function([value, valid]) {
diff --git a/content/html/content/test/test_bug549475.html b/content/html/content/test/test_bug549475.html
index 6e383cf12ab..54618c33439 100644
--- a/content/html/content/test/test_bug549475.html
+++ b/content/html/content/test/test_bug549475.html
@@ -47,9 +47,9 @@ function sanitizeValue(aType, aValue)
     case "password":
     case "search":
     case "tel":
-    case "email":
       return aValue.replace(/[\n\r]/g, "");
     case "url":
+    case "email":
       return aValue.replace(/[\n\r]/g, "").replace(/^\s+|\s+$/g, "");
     case "date":
     case "month":
diff --git a/content/media/test/test_replay_metadata.html b/content/media/test/test_replay_metadata.html
index c002e6ba679..b0c7e0b48e0 100644
--- a/content/media/test/test_replay_metadata.html
+++ b/content/media/test/test_replay_metadata.html
@@ -32,7 +32,6 @@ function seekStarted(evt) {
 function seekEnded(evt) {
   var v = evt.target;
   v._gotSeekEnded = true;
-  v.play();
 }
 
 function loadedData(evt) {
diff --git a/content/smil/crashtests/650732-1.svg b/content/smil/crashtests/650732-1.svg
new file mode 100644
index 00000000000..95be31c16af
--- /dev/null
+++ b/content/smil/crashtests/650732-1.svg
@@ -0,0 +1,46 @@
+<svg xmlns="http://www.w3.org/2000/svg" class="reftest-wait">
+  <rect fill="green" width="100" height="100">
+    <set id="a" attributeName="fill" to="blue"
+      begin="6s" end="986s"/>
+    <set id="b" attributeName="fill" to="orange"
+      begin="a.begin+69.3s;b.begin+700s" dur="700s" end="a.end"/>
+    <set id="c" attributeName="fill" to="yellow"
+      begin="0s;b.begin+700s"/>
+  </rect>
+  <script type="text/javascript">
+<![CDATA[
+const max_attempts = 100;
+var   attempts = 0;
+function attemptCrash()
+{
+  remove();
+  add();
+  if (++attempts >= max_attempts) {
+    document.documentElement.removeAttribute("class");
+  } else {
+    setTimeout(attemptCrash, 0);
+  }
+}
+function add()
+{
+  const svgns = "http://www.w3.org/2000/svg";
+  var elem = document.createElementNS(svgns, "set");
+  elem.setAttribute("id", "b");
+  elem.setAttribute("attributeName", "fill");
+  elem.setAttribute("to", "orange");
+  elem.setAttribute("begin", "a.begin+69.3s;b.begin+700s");
+  elem.setAttribute("dur", "700s");
+  elem.setAttribute("end", "a.end");
+  rect = document.getElementsByTagNameNS(svgns, "rect")[0];
+  rect.appendChild(elem);
+}
+function remove()
+{
+  var elem = document.getElementById('b');
+  elem.parentNode.removeChild(elem);
+  elem = null;
+}
+window.addEventListener("load", attemptCrash, false);
+]]>
+ </script>
+</svg>
diff --git a/content/smil/crashtests/crashtests.list b/content/smil/crashtests/crashtests.list
index 8975b1b37ba..631dfb9403d 100644
--- a/content/smil/crashtests/crashtests.list
+++ b/content/smil/crashtests/crashtests.list
@@ -34,6 +34,7 @@ load 608295-1.html
 load 611927-1.svg
 load 615002-1.svg
 load 615872-1.svg
+load 650732-1.svg
 load 665334-1.svg
 load 669225-1.svg
 load 670313-1.svg
diff --git a/content/smil/nsSMILCSSProperty.cpp b/content/smil/nsSMILCSSProperty.cpp
index 2242d9dade7..dce56c18bb6 100644
--- a/content/smil/nsSMILCSSProperty.cpp
+++ b/content/smil/nsSMILCSSProperty.cpp
@@ -146,8 +146,14 @@ nsSMILCSSProperty::GetBaseValue() const
 
   // (4) Populate our nsSMILValue from the computed style
   if (didGetComputedVal) {
+    // When we parse animation values we check if they are context-sensitive or
+    // not so that we don't cache animation values whose meaning may change.
+    // For base values however this is unnecessary since on each sample the
+    // compositor will fetch the (computed) base value and compare it against
+    // the cached (computed) value and detect changes for us.
     nsSMILCSSValueType::ValueFromString(mPropID, mElement,
-                                        computedStyleVal, baseValue);
+                                        computedStyleVal, baseValue,
+                                        nsnull);
   }
   return baseValue;
 }
@@ -160,22 +166,17 @@ nsSMILCSSProperty::ValueFromString(const nsAString& aStr,
 {
   NS_ENSURE_TRUE(IsPropertyAnimatable(mPropID), NS_ERROR_FAILURE);
 
-  nsSMILCSSValueType::ValueFromString(mPropID, mElement, aStr, aValue);
-  if (aValue.IsNull()) {
-    return NS_ERROR_FAILURE;
+  nsSMILCSSValueType::ValueFromString(mPropID, mElement, aStr, aValue,
+      &aPreventCachingOfSandwich);
+
+  // XXX Due to bug 536660 (or at least that seems to be the most likely
+  // culprit), when we have animation setting display:none on a <use> element,
+  // if we DON'T set the property every sample, chaos ensues.
+  if (!aPreventCachingOfSandwich && mPropID == eCSSProperty_display) {
+    aPreventCachingOfSandwich = PR_TRUE;
   }
 
-  // XXXdholbert: For simplicity, just assume that all CSS values have to
-  // reparsed every sample. This prevents us from doing the "nothing's changed
-  // so don't recompose" optimization (bug 533291) for CSS properties & mapped
-  // attributes.  If it ends up being expensive to always recompose those, we
-  // can be a little smarter here.  We really only need to set
-  // aPreventCachingOfSandwich to true for "inherit" & "currentColor" (whose
-  // values could change at any time), for length-valued types (particularly
-  // those with em/ex/percent units, since their conversion ratios can change
-  // at any time), and for any value for 'font-family'.
-  aPreventCachingOfSandwich = PR_TRUE;
-  return NS_OK;
+  return aValue.IsNull() ? NS_ERROR_FAILURE : NS_OK;
 }
 
 nsresult
diff --git a/content/smil/nsSMILCSSValueType.cpp b/content/smil/nsSMILCSSValueType.cpp
index 719e76b7dc3..85100e844ee 100644
--- a/content/smil/nsSMILCSSValueType.cpp
+++ b/content/smil/nsSMILCSSValueType.cpp
@@ -371,7 +371,8 @@ ValueFromStringHelper(nsCSSProperty aPropID,
                       Element* aTargetElement,
                       nsPresContext* aPresContext,
                       const nsAString& aString,
-                      nsStyleAnimation::Value& aStyleAnimValue)
+                      nsStyleAnimation::Value& aStyleAnimValue,
+                      PRBool* aIsContextSensitive)
 {
   // If value is negative, we'll strip off the "-" so the CSS parser won't
   // barf, and then manually make the parsed value negative.
@@ -386,7 +387,8 @@ ValueFromStringHelper(nsCSSProperty aPropID,
   }
   nsDependentSubstring subString(aString, subStringBegin);
   if (!nsStyleAnimation::ComputeValue(aPropID, aTargetElement, subString,
-                                      PR_TRUE, aStyleAnimValue)) {
+                                      PR_TRUE, aStyleAnimValue,
+                                      aIsContextSensitive)) {
     return PR_FALSE;
   }
   if (isNegative) {
@@ -409,7 +411,8 @@ void
 nsSMILCSSValueType::ValueFromString(nsCSSProperty aPropID,
                                     Element* aTargetElement,
                                     const nsAString& aString,
-                                    nsSMILValue& aValue)
+                                    nsSMILValue& aValue,
+                                    PRBool* aIsContextSensitive)
 {
   NS_ABORT_IF_FALSE(aValue.IsNull(), "Outparam should be null-typed");
   nsPresContext* presContext = GetPresContextForElement(aTargetElement);
@@ -420,7 +423,7 @@ nsSMILCSSValueType::ValueFromString(nsCSSProperty aPropID,
 
   nsStyleAnimation::Value parsedValue;
   if (ValueFromStringHelper(aPropID, aTargetElement, presContext,
-                            aString, parsedValue)) {
+                            aString, parsedValue, aIsContextSensitive)) {
     sSingleton.Init(aValue);
     aValue.mU.mPtr = new ValueWrapper(aPropID, parsedValue, presContext);
   }
diff --git a/content/smil/nsSMILCSSValueType.h b/content/smil/nsSMILCSSValueType.h
index 399b6292778..c5546140ca3 100644
--- a/content/smil/nsSMILCSSValueType.h
+++ b/content/smil/nsSMILCSSValueType.h
@@ -100,13 +100,20 @@ public:
    * @param       aString         The string to be parsed as a CSS value.
    * @param [out] aValue          The nsSMILValue to be populated. Should
    *                              initially be null-typed.
+   * @param [out] aIsContextSensitive Set to PR_TRUE if |aString| may produce
+   *                                  a different |aValue| depending on other
+   *                                  CSS properties on |aTargetElement|
+   *                                  or its ancestors (e.g. 'inherit).
+   *                                  PR_FALSE otherwise. May be nsnull.
+   *                                  Not set if the method fails.
    * @pre  aValue.IsNull()
    * @post aValue.IsNull() || aValue.mType == nsSMILCSSValueType::sSingleton
    */
   static void ValueFromString(nsCSSProperty aPropID,
                               Element* aTargetElement,
                               const nsAString& aString,
-                              nsSMILValue& aValue);
+                              nsSMILValue& aValue,
+                              PRBool* aIsContextSensitive);
 
   /**
    * Creates a string representation of the given nsSMILValue.
diff --git a/content/smil/nsSMILMappedAttribute.cpp b/content/smil/nsSMILMappedAttribute.cpp
index dc1042b9b2b..751771749de 100644
--- a/content/smil/nsSMILMappedAttribute.cpp
+++ b/content/smil/nsSMILMappedAttribute.cpp
@@ -67,15 +67,9 @@ nsSMILMappedAttribute::ValueFromString(const nsAString& aStr,
 {
   NS_ENSURE_TRUE(IsPropertyAnimatable(mPropID), NS_ERROR_FAILURE);
 
-  nsSMILCSSValueType::ValueFromString(mPropID, mElement, aStr, aValue);
-  if (aValue.IsNull()) {
-    return NS_ERROR_FAILURE;
-  }
-
-  // XXXdholbert: For simplicity, just assume that all CSS values have to
-  // reparsed every sample. See note in nsSMILCSSProperty::ValueFromString.
-  aPreventCachingOfSandwich = PR_TRUE;
-  return NS_OK;
+  nsSMILCSSValueType::ValueFromString(mPropID, mElement, aStr, aValue,
+                                      &aPreventCachingOfSandwich);
+  return aValue.IsNull() ? NS_ERROR_FAILURE : NS_OK;
 }
 
 nsSMILValue
@@ -87,8 +81,12 @@ nsSMILMappedAttribute::GetBaseValue() const
                                      baseStringValue);
   nsSMILValue baseValue;
   if (success) {
+    // For base values, we don't need to worry whether the value returned is
+    // context-sensitive or not since the compositor will take care of comparing
+    // the returned (computed) base value and its cached value and determining
+    // if an update is required or not.
     nsSMILCSSValueType::ValueFromString(mPropID, mElement,
-                                        baseStringValue, baseValue);
+                                        baseStringValue, baseValue, nsnull);
   } else {
     // Attribute is unset -- use computed value.
     // FIRST: Temporarily clear animated value, to make sure it doesn't pollute
diff --git a/content/smil/test/test_smilChangeAfterFrozen.xhtml b/content/smil/test/test_smilChangeAfterFrozen.xhtml
index 3ae1994898d..7ffc3423a89 100644
--- a/content/smil/test/test_smilChangeAfterFrozen.xhtml
+++ b/content/smil/test/test_smilChangeAfterFrozen.xhtml
@@ -8,7 +8,10 @@
 <body>
 <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=533291">Mozilla Bug 533291</a>
 <p id="display"></p>
-<div id="content" style="display: none">
+<!-- Bug 628848: The following should be display: none but we currently don't
+     handle percentage lengths properly when the whole fragment is display: none
+     -->
+<div id="content" style="visibility: hidden">
 <svg id="svg" xmlns="http://www.w3.org/2000/svg" width="120px" height="120px"
      onload="this.pauseAnimations()">
   <g id="circleParent">
@@ -19,68 +22,99 @@
 <pre id="test">
 <script class="testbody" type="text/javascript">
 <![CDATA[
-/** Test for SMIL fill modes **/
+/** Test for SMIL values that are context-sensitive **/
+
+/* See bugs 533291 and 562815.
+   
+   The format of each test is basically:
+   1) create some animated and frozen state
+   2) test the animated values
+   3) change the context
+   4) test that context-sensitive animation values have changed
+
+   Ideally, after changing the context (3), the animated state would instantly
+   update. However, this is not currently the case for many situations.
+
+     For CSS properties we have bug 545282 - In animations involving 'inherit'
+     / 'currentColor', changes to inherited value / 'color' don't show up in
+     animated value immediately
+
+     For SVG lengths we have bug 508206 - Relative units used in
+     animation don't update immediately
+
+     (There are a few of todo_is's in the following tests so that if those bugs
+     are ever resolved we'll know to update this test case accordingly.)
+
+   So in between (3) and (4) we force a sample. This is currently done by
+   calling SVGSVGElement.setCurrentTime with the same current time which has the
+   side effect of forcing a sample.
+
+   What we *are* testing is that we're not too zealous with caching animation
+   values whilst in the frozen state. Normally we'd say, "Hey, we're frozen,
+   let's just use the same animation result as last time" but for some
+   context-sensitive animation values that doesn't work.
+*/
 
 /* Global Variables */
 const SVGNS = "http://www.w3.org/2000/svg";
+
+// Animation parameters -- not used for <set> animation
 const ANIM_DUR = "4s";
 const TIME_ANIM_END = "4";
 const TIME_AFTER_ANIM_END = "5";
 
-// SETTIMEOUT_INTERVAL: This value just needs to be at least as large as
-// nsSMILAnimationController::kTimerInterval, so we can queue up a callback
-// for this far in the future and be assured that an animation sample will
-// have happened before the callback fires (because we presumably already
-// have an animation sample in the setTimeout queue, with a lower timeout
-// value than this).
-// NOTE: We only need to use timeouts here because of Bug 545282.
-const SETTIMEOUT_INTERVAL = 60;
-
-const gTestArray =
-  [ testBaseValueChange,
-    testCurrentColorChange,
-    testCurrentColorChangeUsingStyle,
-    testInheritChange,
-    testInheritChangeUsingStyle
-   ];
-
-// Index of current test in gTestArray
-var gNextTestIndex = 0;
-
 const gSvg = document.getElementById("svg");
 const gCircle = document.getElementById("circle");
 const gCircleParent = document.getElementById("circleParent");
 
-
 SimpleTest.waitForExplicitFinish();
 
 // MAIN FUNCTION
 // -------------
 
-function main() {
+function main()
+{
   ok(gSvg.animationsPaused(), "should be paused by <svg> load handler");
   is(gSvg.getCurrentTime(), 0, "should be paused at 0 in <svg> load handler");
 
-  if (gNextTestIndex != 0) {
-    ok(false, "expecting to start at first test in array.");
+  const tests =
+    [ testBaseValueChange,
+      testCurrentColorChange,
+      testCurrentColorChangeUsingStyle,
+      testCurrentColorChangeOnFallback,
+      testInheritChange,
+      testInheritChangeUsingStyle,
+      testEmUnitChangeOnProp,
+      testEmUnitChangeOnPropBase,
+      testEmUnitChangeOnLength,
+      testPercentUnitChangeOnProp,
+      testPercentUnitChangeOnLength,
+      testRelativeFontSize,
+      testRelativeFontWeight,
+      testRelativeFont,
+      testCalcFontSize,
+      testDashArray,
+      testClip
+     ];
+
+  while (tests.length) {
+    tests.shift()();
   }
-  // Kick off first test.  (It will kick off the one after it, and so on.)
-  runNextTest();
+  SimpleTest.finish();
 }
 
 // HELPER FUNCTIONS
 // ----------------
-function createAnimFromTo(attrName, fromVal, toVal) {
-  var anim = document.createElementNS(SVGNS,"animate");
+function createAnimSetTo(attrName, toVal)
+{
+  var anim = document.createElementNS(SVGNS,"set");
   anim.setAttribute("attributeName", attrName);
-  anim.setAttribute("dur", ANIM_DUR);
-  anim.setAttribute("begin", "0s");
-  anim.setAttribute("from", fromVal);
   anim.setAttribute("to", toVal);
-  anim.setAttribute("fill", "freeze");
   return gCircle.appendChild(anim);
 }
-function createAnimBy(attrName, byVal) {
+
+function createAnimBy(attrName, byVal)
+{
   var anim = document.createElementNS(SVGNS,"animate");
   anim.setAttribute("attributeName", attrName);
   anim.setAttribute("dur", ANIM_DUR);
@@ -90,6 +124,18 @@ function createAnimBy(attrName, byVal) {
   return gCircle.appendChild(anim);
 }
 
+function createAnimFromTo(attrName, fromVal, toVal)
+{
+  var anim = document.createElementNS(SVGNS,"animate");
+  anim.setAttribute("attributeName", attrName);
+  anim.setAttribute("dur", ANIM_DUR);
+  anim.setAttribute("begin","0s");
+  anim.setAttribute("from", fromVal);
+  anim.setAttribute("to", toVal);
+  anim.setAttribute("fill", "freeze");
+  return gCircle.appendChild(anim);
+}
+
 // Common setup code for each test function: seek to 0, and make sure
 // the previous test cleaned up its animations.
 function setupTest() {
@@ -99,17 +145,6 @@ function setupTest() {
   }
 }
 
-function runNextTest() {
-  if (gNextTestIndex == gTestArray.length) {
-    // No tests left! we're done.
-    SimpleTest.finish();
-    return;
-  }
-
-  // Call next test (and increment next-test index)
-  gTestArray[gNextTestIndex++]();
-}
-
 // THE TESTS
 // ---------
 
@@ -130,106 +165,400 @@ function testBaseValueChange()
      "Checking animated cx after anim ends & after changing base val");
 
   anim.parentNode.removeChild(anim); // clean up
-  runNextTest();
 }
 
 function testCurrentColorChange()
 {
   gCircle.setAttribute("color", "red"); // At first: currentColor=red
-  var anim = createAnimFromTo("fill", "yellow", "currentColor");
+  var anim = createAnimSetTo("fill", "currentColor");
 
-  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+  gSvg.setCurrentTime(0); // trigger synchronous sample
   is(SMILUtil.getComputedStyleSimple(gCircle, "fill"), "rgb(255, 0, 0)",
-     "Checking animated fill=currentColor after anim ends");
+     "Checking animated fill=currentColor after animating");
 
   gCircle.setAttribute("color", "lime"); // Change: currentColor=lime
-  setTimeout(testCurrentColorChange_final, SETTIMEOUT_INTERVAL);
-}
-
-function testCurrentColorChange_final()
-{
+  // Bug 545282: We should really detect this change and update immediately but
+  // currently we don't until we get sampled again
+  todo_is(SMILUtil.getComputedStyleSimple(gCircle, "fill"), "rgb(0, 255, 0)",
+     "Checking animated fill=currentColor after updating context but before " +
+     "sampling");
+  gSvg.setCurrentTime(0);
   is(SMILUtil.getComputedStyleSimple(gCircle, "fill"), "rgb(0, 255, 0)",
-     "Checking animated fill=currentColor after anim ends and 'color' changes");
+     "Checking animated fill=currentColor after updating context");
 
   // Clean up
   gCircle.removeAttribute("color");
-  gCircle.firstChild.parentNode.removeChild(gCircle.firstChild);
-
-  // Kick off next test
-  runNextTest();
+  gCircle.removeChild(gCircle.firstChild);
 }
 
 function testCurrentColorChangeUsingStyle()
 {
   setupTest();
   gCircle.setAttribute("style", "color: red"); // At first: currentColor=red
-  var anim = createAnimFromTo("fill", "yellow", "currentColor");
+  var anim = createAnimSetTo("fill", "currentColor");
 
-  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+  gSvg.setCurrentTime(0);
   is(SMILUtil.getComputedStyleSimple(gCircle, "fill"), "rgb(255, 0, 0)",
-     "Checking animated fill=currentColor after anim ends (using style attr)");
+     "Checking animated fill=currentColor after animating (using style attr)");
 
   gCircle.setAttribute("style", "color: lime"); // Change: currentColor=lime
-  setTimeout(testCurrentColorChangeUsingStyle_final, SETTIMEOUT_INTERVAL);
-}
-
-function testCurrentColorChangeUsingStyle_final()
-{
+  gSvg.setCurrentTime(0);
   is(SMILUtil.getComputedStyleSimple(gCircle, "fill"), "rgb(0, 255, 0)",
-     "Checking animated fill=currentColor after anim ends and 'color' changes "
+     "Checking animated fill=currentColor after updating context "
      + "(using style attr)");
 
   // Clean up
   gCircle.removeAttribute("style");
-  gCircle.firstChild.parentNode.removeChild(gCircle.firstChild);
-  runNextTest();
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function getFallbackColor(pServerStr)
+{
+  return pServerStr.substr(pServerStr.indexOf(" ")+1);
+}
+
+function testCurrentColorChangeOnFallback()
+{
+  setupTest();
+  gCircle.setAttribute("color", "red"); // At first: currentColor=red
+  var anim = createAnimSetTo("fill", "url(#missingGrad) currentColor");
+
+  gSvg.setCurrentTime(0);
+  var fallback =
+    getFallbackColor(SMILUtil.getComputedStyleSimple(gCircle, "fill"));
+  is(fallback, "rgb(255, 0, 0)",
+     "Checking animated fallback fill=currentColor after animating");
+
+  gCircle.setAttribute("color", "lime"); // Change: currentColor=lime
+  gSvg.setCurrentTime(0);
+  fallback = getFallbackColor(SMILUtil.getComputedStyleSimple(gCircle, "fill"));
+  is(fallback, "rgb(0, 255, 0)",
+     "Checking animated fallback fill=currentColor after updating context");
+
+  gCircle.removeAttribute("style");
+  gCircle.removeChild(gCircle.firstChild);
 }
 
 function testInheritChange()
 {
   setupTest();
   gCircleParent.setAttribute("fill", "red"); // At first: inherit=red
-  var anim = createAnimFromTo("fill", "yellow", "inherit");
+  var anim = createAnimSetTo("fill", "inherit");
 
-  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+  gSvg.setCurrentTime(0);
   is(SMILUtil.getComputedStyleSimple(gCircle, "fill"), "rgb(255, 0, 0)",
-     "Checking animated fill=inherit after anim ends");
+     "Checking animated fill=inherit after animating");
 
   gCircleParent.setAttribute("fill", "lime"); // Change: inherit=lime
-  setTimeout(testInheritChange_final, SETTIMEOUT_INTERVAL);
-}
-
-function testInheritChange_final() {
+  gSvg.setCurrentTime(0);
   is(SMILUtil.getComputedStyleSimple(gCircle, "fill"), "rgb(0, 255, 0)",
-     "Checking animated fill=inherit after anim ends and parent val changes");
+     "Checking animated fill=inherit after updating context");
 
   gCircleParent.removeAttribute("fill");
-  gCircle.firstChild.parentNode.removeChild(gCircle.firstChild);
-  runNextTest();
+  gCircle.removeChild(gCircle.firstChild);
 }
 
 function testInheritChangeUsingStyle()
 {
   setupTest();
   gCircleParent.setAttribute("style", "fill: red"); // At first: inherit=red
-  var anim = createAnimFromTo("fill", "yellow", "inherit");
+  var anim = createAnimSetTo("fill", "inherit");
 
-  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+  gSvg.setCurrentTime(0);
   is(SMILUtil.getComputedStyleSimple(gCircle, "fill"), "rgb(255, 0, 0)",
-     "Checking animated fill=inherit after anim ends (using style attr)");
+     "Checking animated fill=inherit after animating (using style attr)");
 
   gCircleParent.setAttribute("style", "fill: lime"); // Change: inherit=lime
-  setTimeout(testInheritChangeUsingStyle_final, SETTIMEOUT_INTERVAL);
-}
-
-function testInheritChangeUsingStyle_final() {
+  gSvg.setCurrentTime(0);
   is(SMILUtil.getComputedStyleSimple(gCircle, "fill"), "rgb(0, 255, 0)",
-     "Checking animated fill=inherit after anim ends and parent val changes "
+     "Checking animated fill=inherit after updating context "
      + "(using style attr)");
 
   gCircleParent.removeAttribute("style");
-  gCircle.firstChild.parentNode.removeChild(gCircle.firstChild);
-  runNextTest();
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testEmUnitChangeOnProp()
+{
+  setupTest();
+  gCircleParent.setAttribute("font-size", "10px"); // At first: font-size: 10px
+  var anim = createAnimSetTo("font-size", "2em");
+
+  gSvg.setCurrentTime(0);
+  is(SMILUtil.getComputedStyleSimple(gCircle, "font-size"), "20px",
+     "Checking animated font-size=2em after animating ends");
+
+  gCircleParent.setAttribute("font-size", "20px"); // Change: font-size: 20px
+  gSvg.setCurrentTime(0);
+  is(SMILUtil.getComputedStyleSimple(gCircle, "font-size"), "40px",
+     "Checking animated font-size=2em after updating context");
+
+  gCircleParent.removeAttribute("font-size");
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testEmUnitChangeOnPropBase()
+{
+  // Test the case where the base value for our animation sandwich is
+  // context-sensitive.
+  // Currently, this is taken care of by the compositor which keeps a cached
+  // base value and compares it with the current base value. This test then just
+  // serves as a regression test in case the compositor's behaviour changes.
+  setupTest();
+  gSvg.setAttribute("font-size", "10px"); // At first: font-size: 10px
+  gCircleParent.setAttribute("font-size", "1em"); // Base: 10px
+  var anim = createAnimBy("font-size", "10px");
+
+  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+  is(SMILUtil.getComputedStyleSimple(gCircle, "font-size"), "20px",
+     "Checking animated font-size=20px after anim ends");
+
+  gSvg.setAttribute("font-size", "20px"); // Change: font-size: 20px
+  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+  is(SMILUtil.getComputedStyleSimple(gCircle, "font-size"), "30px",
+     "Checking animated font-size=30px after updating context");
+
+  gCircleParent.removeAttribute("font-size");
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testEmUnitChangeOnLength()
+{
+  setupTest();
+  gCircleParent.setAttribute("font-size", "10px"); // At first: font-size: 10px
+  var anim = createAnimSetTo("cx", "2em");
+
+  gSvg.setCurrentTime(0);
+  is(gCircle.cx.animVal.value, 20,
+     "Checking animated length=2em after animating");
+
+  gCircleParent.setAttribute("font-size", "20px"); // Change: font-size: 20px
+  // Bug 508206: We should really detect this change and update immediately but
+  // currently we don't until we get sampled again
+  todo_is(gCircle.cx.animVal.value, 40,
+     "Checking animated length=2em after updating context but before sampling");
+
+  gSvg.setCurrentTime(0);
+  is(gCircle.cx.animVal.value, 40,
+     "Checking animated length=2em after updating context and after " +
+     "resampling");
+
+  gCircleParent.removeAttribute("font-size");
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testPercentUnitChangeOnProp()
+{
+  setupTest();
+  gCircleParent.setAttribute("font-size", "10px"); // At first: font-size: 10px
+  var anim = createAnimSetTo("font-size", "150%");
+
+  gSvg.setCurrentTime(0);
+  is(SMILUtil.getComputedStyleSimple(gCircle, "font-size"), "15px",
+     "Checking animated font-size=150% after animating");
+
+  gCircleParent.setAttribute("font-size", "20px"); // Change: font-size: 20px
+  gSvg.setCurrentTime(0);
+  is(SMILUtil.getComputedStyleSimple(gCircle, "font-size"), "30px",
+     "Checking animated font-size=150% after updating context");
+
+  gCircleParent.removeAttribute("font-size");
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testPercentUnitChangeOnLength()
+{
+  setupTest();
+  var oldHeight = gSvg.getAttribute("height");
+  gSvg.setAttribute("height", "100px"); // At first: viewport height: 100px
+  var anim = createAnimSetTo("cy", "100%");
+
+  gSvg.setCurrentTime(0); // Force synchronous sample so animation takes effect
+  // Due to bug 627594 (SVGLength.value for percent value lengths doesn't
+  // reflect updated viewport until reflow) the following will fail.
+  // Check that it does indeed fail so that when that bug is fixed this test
+  // can be updated.
+  todo_is(gCircle.cy.animVal.value, 100,
+     "Checking animated length=100% after animating but before reflow");
+  gSvg.forceRedraw();
+  // Even after doing a reflow though we'll still fail due to bug 508206
+  // (Relative units used in animation don't update immediately)
+  todo_is(gCircle.cy.animVal.value, 100,
+     "Checking animated length=100% after animating but before resampling");
+  gSvg.setCurrentTime(0);
+  // Now we should be up to date
+  is(gCircle.cy.animVal.value, 100,
+     "Checking animated length=100% after animating");
+
+  gSvg.setAttribute("height", "50px"); // Change: height: 50px
+  gSvg.forceRedraw(); // Bug 627594
+  gSvg.setCurrentTime(0); // Bug 508206
+  is(gCircle.cy.animVal.value, 50,
+     "Checking animated length=100% after updating context");
+
+  gSvg.setAttribute("height", oldHeight);
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testRelativeFontSize()
+{
+  setupTest();
+  gCircleParent.setAttribute("font-size", "10px"); // At first: font-size: 10px
+  var anim = createAnimSetTo("font-size", "larger");
+
+  gSvg.setCurrentTime(0);
+  var fsize = parseInt(SMILUtil.getComputedStyleSimple(gCircle, "font-size"));
+  // CSS 2 suggests a scaling factor of 1.2 so we should be looking at something
+  // around about 12 or so
+  ok(fsize > 10 && fsize < 20,
+    "Checking animated font-size > 10px after animating");
+
+  gCircleParent.setAttribute("font-size", "20px"); // Change: font-size: 20px
+  gSvg.setCurrentTime(0);
+  fsize = parseInt(SMILUtil.getComputedStyleSimple(gCircle, "font-size"));
+  ok(fsize > 20, "Checking animated font-size > 20px after updating context");
+
+  gCircleParent.removeAttribute("font-size");
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testRelativeFontWeight()
+{
+  setupTest();
+  gCircleParent.setAttribute("font-weight", "100"); // At first: font-weight 100
+  var anim = createAnimSetTo("font-weight", "bolder");
+  // CSS 2: 'bolder': Specifies the next weight that is assigned to a font
+  // that is darker than the inherited one. If there is no such weight, it
+  // simply results in the next darker numerical value (and the font remains
+  // unchanged), unless the inherited value was '900', in which case the
+  // resulting weight is also '900'.
+
+  gSvg.setCurrentTime(0);
+  var weight =
+    parseInt(SMILUtil.getComputedStyleSimple(gCircle, "font-weight"));
+  ok(weight > 100, "Checking animated font-weight > 100 after animating");
+
+  gCircleParent.setAttribute("font-weight", "800"); // Change: font-weight 800
+  gSvg.setCurrentTime(0);
+  weight = parseInt(SMILUtil.getComputedStyleSimple(gCircle, "font-weight"));
+  is(weight, 900,
+     "Checking animated font-weight = 900 after updating context");
+
+  gCircleParent.removeAttribute("font-weight");
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testRelativeFont()
+{
+  // Test a relative font-size as part of a 'font' spec since the code path
+  // is different in this case
+  // It turns out that, due to the way we store shorthand font properties, we
+  // don't need to worry about marking such values as context-sensitive since we
+  // seem to store them in their relative form. If, however, we change the way
+  // we store shorthand font properties in the future, this will serve as
+  // a useful regression test.
+  setupTest();
+  gCircleParent.setAttribute("font-size", "10px"); // At first: font-size: 10px
+  // We must be sure to set every part of the shorthand property to some
+  // non-context sensitive value because we want to test that even if only the
+  // font-size is relative we will update it appropriately.
+  var anim =
+    createAnimSetTo("font", "normal normal bold larger/normal sans-serif");
+
+  gSvg.setCurrentTime(0);
+  var fsize = parseInt(SMILUtil.getComputedStyleSimple(gCircle, "font-size"));
+  ok(fsize > 10 && fsize < 20,
+    "Checking size of shorthand 'font' > 10px after animating");
+
+  gCircleParent.setAttribute("font-size", "20px"); // Change: font-size: 20px
+  gSvg.setCurrentTime(0);
+  fsize  = parseInt(SMILUtil.getComputedStyleSimple(gCircle, "font-size"));
+  ok(fsize > 20,
+     "Checking size of shorthand 'font' > 20px after updating context");
+
+  gCircleParent.removeAttribute("font-size");
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testCalcFontSize()
+{
+  setupTest();
+  gCircleParent.setAttribute("font-size", "10px"); // At first: font-size: 10px
+  var anim = createAnimSetTo("font-size", "-moz-calc(110% + 0.1em)");
+
+  gSvg.setCurrentTime(0);
+  var fsize = parseInt(SMILUtil.getComputedStyleSimple(gCircle, "font-size"));
+  // Font size should be 1.1 * 10px + 0.1 * 10px = 12
+  is(fsize, 12, "Checking animated calc font-size == 12px after animating");
+
+  gCircleParent.setAttribute("font-size", "20px"); // Change: font-size: 20px
+  gSvg.setCurrentTime(0);
+  fsize = parseInt(SMILUtil.getComputedStyleSimple(gCircle, "font-size"));
+  is(fsize, 24, "Checking animated calc font-size == 24px after updating " +
+                "context");
+
+  gCircleParent.removeAttribute("font-size");
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testDashArray()
+{
+  // stroke dasharrays don't currently convert units--but if someone ever fixes
+  // that, hopefully this test will fail and remind us not to cache percentage
+  // values in that case
+  setupTest();
+  var oldHeight = gSvg.getAttribute("height");
+  var oldWidth  = gSvg.getAttribute("width");
+  gSvg.setAttribute("height", "100px"); // At first: viewport: 100x100px
+  gSvg.setAttribute("width",  "100px");
+  var anim = createAnimFromTo("stroke-dasharray", "0 5", "0 50%");
+
+  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+
+  // Now we should be up to date
+  is(SMILUtil.getComputedStyleSimple(gCircle, "stroke-dasharray"), "0, 50%",
+     "Checking animated stroke-dasharray after animating");
+
+  gSvg.setAttribute("height", "50px"); // Change viewport: 50x50px
+  gSvg.setAttribute("width",  "50px");
+  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+  is(SMILUtil.getComputedStyleSimple(gCircle, "stroke-dasharray"), "0, 50%",
+     "Checking animated stroke-dasharray after updating context");
+
+  gSvg.setAttribute("height", oldHeight);
+  gSvg.setAttribute("width",  oldWidth);
+  gCircle.removeChild(gCircle.firstChild);
+}
+
+function testClip()
+{
+  setupTest();
+  gCircleParent.setAttribute("font-size", "20px"); // At first: font-size: 20px
+
+  // The clip property only applies to elements that establish a new
+  // viewport so we need to create a nested svg and add animation to that
+  var nestedSVG = document.createElementNS(SVGNS, "svg");
+  nestedSVG.setAttribute("clip", "rect(0px 0px 0px 0px)");
+  gCircleParent.appendChild(nestedSVG);
+
+  var anim = createAnimSetTo("clip", "rect(1em 1em 1em 1em)");
+  // createAnimSetTo will make the animation a child of gCircle so we need to
+  // move it so it targets nestedSVG instead
+  nestedSVG.appendChild(anim);
+
+  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+  is(SMILUtil.getComputedStyleSimple(nestedSVG, "clip"),
+     "rect(20px, 20px, 20px, 20px)",
+     "Checking animated clip rect after animating");
+
+  gCircleParent.setAttribute("font-size", "10px"); // Change: font-size: 10px
+  gSvg.setCurrentTime(TIME_AFTER_ANIM_END);
+  is(SMILUtil.getComputedStyleSimple(nestedSVG, "clip"),
+     "rect(10px, 10px, 10px, 10px)",
+     "Checking animated clip rect after updating context");
+
+  gCircleParent.removeAttribute("font-size");
+  gCircleParent.removeChild(nestedSVG);
 }
 
 window.addEventListener("load", main, false);
diff --git a/content/svg/content/test/Makefile.in b/content/svg/content/test/Makefile.in
index d0dd1331c79..d6a1d4e6c2f 100644
--- a/content/svg/content/test/Makefile.in
+++ b/content/svg/content/test/Makefile.in
@@ -57,7 +57,6 @@ _TEST_FILES = \
 		a_href_helper_04.svg \
 		test_animLengthObjectIdentity.xhtml \
 		test_animLengthReadonly.xhtml \
-		test_animLengthRelativeUnits.xhtml \
 		test_animLengthUnits.xhtml \
 		test_bbox.xhtml \
 		test_bbox-with-invalid-viewBox.xhtml \
diff --git a/content/svg/content/test/test_animLengthRelativeUnits.xhtml b/content/svg/content/test/test_animLengthRelativeUnits.xhtml
deleted file mode 100644
index 4bcf243953a..00000000000
--- a/content/svg/content/test/test_animLengthRelativeUnits.xhtml
+++ /dev/null
@@ -1,80 +0,0 @@
-<html xmlns="http://www.w3.org/1999/xhtml">
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=508206
--->
-<head>
-  <title>Test for liveness of relative units in animation</title>
-  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
-</head>
-<body>
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=508206">Mozilla Bug 508206</a>
-<p id="display"></p>
-<!-- XXX The following should be display: none but that's broken by bug 413975
-     where we don't handle percentage lengths when the whole fragment is
-     display: none properly. -->
-<div id="content" style="visibility: hidden">
-<svg id="svg" xmlns="http://www.w3.org/2000/svg" width="100px" height="100px"
-     onload="this.pauseAnimations()">
-  <g font-size="10px">
-    <circle cx="0" cy="0" r="15" fill="blue" id="circle">
-      <animate attributeName="cx" from="0" to="10em" dur="10s" begin="0s"
-        fill="freeze" id="animate"/>
-      <animate attributeName="cy" from="0" to="100%" dur="10s" begin="0s"
-        fill="freeze"/>
-    </circle>
-  </g>
-</svg>
-</div>
-<pre id="test">
-<script class="testbody" type="text/javascript">
-<![CDATA[
-/** Test liveness of relative units of animated lengths **/
-
-/* Global Variables */
-const svgns="http://www.w3.org/2000/svg";
-var svg = document.getElementById("svg");
-var circle = document.getElementById('circle');
-
-SimpleTest.waitForExplicitFinish();
-
-function main() {
-  ok(svg.animationsPaused(), "should be paused by <svg> load handler");
-  is(svg.getCurrentTime(), 0, "should be paused at 0 in <svg> load handler");
-
-  // Sample mid-way through the animation
-  svg.setCurrentTime(5);
-
-  // (1) Check values mid-way
-  is(circle.cx.animVal.value, 50,
-    "(1) Unexpected animVal for cx before changing base length");
-  is(circle.cy.animVal.value, 50,
-    "(1) Unexpected animVal for cy before changing base length");
-
-  // (2) Change the frame of reference and check values are updated immediately
-
-  // Change font-size
-  circle.parentNode.setAttribute('font-size', '5px');
-  todo_is(circle.cx.animVal.value, 25,
-    "(2) Unexpected animVal for cx after changing parent font-size");
-
-  // Change the viewport size
-  svg.setAttribute('height', '50px');
-  todo_is(circle.cy.animVal.value, 25,
-    "(2) Unexpected animVal for cy after changing containing viewport size");
-
-  SimpleTest.finish();
-}
-
-var animate = document.getElementById('animate');
-if (animate && animate.targetElement) {
-  window.addEventListener("load", main, false);
-} else {
-  ok(true); // Skip tests but don't report 'todo' either
-  SimpleTest.finish();
-}
-]]>
-</script>
-</pre>
-</body>
-</html>
diff --git a/content/xbl/src/nsXBLDocumentInfo.cpp b/content/xbl/src/nsXBLDocumentInfo.cpp
index 375285c1cc1..e6e1a842fa7 100644
--- a/content/xbl/src/nsXBLDocumentInfo.cpp
+++ b/content/xbl/src/nsXBLDocumentInfo.cpp
@@ -429,7 +429,7 @@ static PRBool IsChromeURI(nsIURI* aURI)
 
 /* Implementation file */
 
-static PRIntn
+static PRBool
 TraverseProtos(nsHashKey *aKey, void *aData, void* aClosure)
 {
   nsCycleCollectionTraversalCallback *cb = 
@@ -439,7 +439,7 @@ TraverseProtos(nsHashKey *aKey, void *aData, void* aClosure)
   return kHashEnumerateNext;
 }
 
-static PRIntn
+static PRBool
 UnlinkProtoJSObjects(nsHashKey *aKey, void *aData, void* aClosure)
 {
   nsXBLPrototypeBinding *proto = static_cast<nsXBLPrototypeBinding*>(aData);
@@ -453,7 +453,7 @@ struct ProtoTracer
   void *mClosure;
 };
 
-static PRIntn
+static PRBool
 TraceProtos(nsHashKey *aKey, void *aData, void* aClosure)
 {
   ProtoTracer* closure = static_cast<ProtoTracer*>(aClosure);
diff --git a/content/xbl/src/nsXBLPrototypeBinding.cpp b/content/xbl/src/nsXBLPrototypeBinding.cpp
index a1932ed790f..b75318e4829 100644
--- a/content/xbl/src/nsXBLPrototypeBinding.cpp
+++ b/content/xbl/src/nsXBLPrototypeBinding.cpp
@@ -328,7 +328,7 @@ PRBool nsXBLPrototypeBinding::CompareBindingURI(nsIURI* aURI) const
   return equal;
 }
 
-static PRIntn
+static PRBool
 TraverseInsertionPoint(nsHashKey* aKey, void* aData, void* aClosure)
 {
   nsCycleCollectionTraversalCallback &cb = 
@@ -1213,7 +1213,7 @@ nsXBLPrototypeBinding::ConstructInsertionTable(nsIContent* aContent)
   PRInt32 i;
   for (i = 0; i < count; i++) {
     nsIContent* child = childrenElements[i];
-    nsIContent* parent = child->GetParent(); 
+    nsCOMPtr<nsIContent> parent = child->GetParent(); 
 
     // Create an XBL insertion point entry.
     nsXBLInsertionPointEntry* xblIns = nsXBLInsertionPointEntry::Create(parent);
diff --git a/content/xul/document/src/nsXULDocument.cpp b/content/xul/document/src/nsXULDocument.cpp
index eadcd29d1d6..f468fde1400 100644
--- a/content/xul/document/src/nsXULDocument.cpp
+++ b/content/xul/document/src/nsXULDocument.cpp
@@ -4047,7 +4047,8 @@ nsXULDocument::OverlayForwardReference::Merge(nsIContent* aTargetNode,
         if (attr == nsGkAtoms::removeelement &&
             value.EqualsLiteral("true")) {
 
-            rv = RemoveElement(aTargetNode->GetParent(), aTargetNode);
+            nsCOMPtr<nsIContent> parent = aTargetNode->GetParent();
+            rv = RemoveElement(parent, aTargetNode);
             if (NS_FAILED(rv)) return rv;
 
             return NS_OK;
diff --git a/content/xul/templates/src/nsXULContentBuilder.cpp b/content/xul/templates/src/nsXULContentBuilder.cpp
index 774a71cdbca..8ae82bf6d7d 100644
--- a/content/xul/templates/src/nsXULContentBuilder.cpp
+++ b/content/xul/templates/src/nsXULContentBuilder.cpp
@@ -1324,7 +1324,7 @@ nsXULContentBuilder::RemoveGeneratedContent(nsIContent* aElement)
     while (0 != (count = ungenerated.Length())) {
         // Pull the next "ungenerated" element off the queue.
         PRUint32 last = count - 1;
-        nsIContent* element = ungenerated[last];
+        nsCOMPtr<nsIContent> element = ungenerated[last];
         ungenerated.RemoveElementAt(last);
 
         PRUint32 i = element->GetChildCount();
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 6b7aeea814f..19c63664db0 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -723,11 +723,11 @@ nsDocShell::nsDocShell():
     mChildOffset(0),
     mBusyFlags(BUSY_FLAGS_NONE),
     mAppType(nsIDocShell::APP_TYPE_UNKNOWN),
+    mLoadType(0),
     mMarginWidth(-1),
     mMarginHeight(-1),
     mItemType(typeContent),
     mPreviousTransIndex(-1),
-    mLoadType(0),
     mLoadedTransIndex(-1),
     mCreated(PR_FALSE),
     mAllowSubframes(PR_TRUE),
@@ -8452,13 +8452,13 @@ nsDocShell::InternalLoad(nsIURI * aURI,
             GetCurScrollPos(ScrollOrientation_X, &cx);
             GetCurScrollPos(ScrollOrientation_Y, &cy);
 
-            // We scroll whenever we're not doing a history load.  Note that
-            // sometimes we might scroll even if we don't fire a hashchange
-            // event!  See bug 653741.
-            if (!aSHEntry) {
-                rv = ScrollToAnchor(curHash, newHash, aLoadType);
-                NS_ENSURE_SUCCESS(rv, rv);
-            }
+            // ScrollToAnchor doesn't necessarily cause us to scroll the window;
+            // the function decides whether a scroll is appropriate based on the
+            // arguments it receives.  But even if we don't end up scrolling,
+            // ScrollToAnchor performs other important tasks, such as informing
+            // the presShell that we have a new hash.  See bug 680257.
+            rv = ScrollToAnchor(curHash, newHash, aLoadType);
+            NS_ENSURE_SUCCESS(rv, rv);
 
             mLoadType = aLoadType;
             mURIResultedInDocument = PR_TRUE;
diff --git a/docshell/test/Makefile.in b/docshell/test/Makefile.in
index f6e2fc101ef..e8ce5c3e5ab 100644
--- a/docshell/test/Makefile.in
+++ b/docshell/test/Makefile.in
@@ -120,6 +120,8 @@ _TEST_FILES = \
 		file_bug669671.sjs \
 		test_bug675587.html \
 		test_bfcache_plus_hash.html \
+		test_bug680257.html \
+		file_bug680257.html \
 		$(NULL)
 
 ifeq ($(MOZ_WIDGET_TOOLKIT),cocoa)
diff --git a/docshell/test/file_bug680257.html b/docshell/test/file_bug680257.html
new file mode 100644
index 00000000000..ff480e96a56
--- /dev/null
+++ b/docshell/test/file_bug680257.html
@@ -0,0 +1,16 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <style type='text/css'>
+    a        { color: black; }
+    a:target { color: red; }
+  </style>
+</head>
+
+<body onload='(opener || parent).popupLoaded()'>
+
+<a id='a' href='#a'>link</a>
+<a id='b' href='#b'>link2</a>
+
+</body>
+</html>
diff --git a/docshell/test/test_bug680257.html b/docshell/test/test_bug680257.html
new file mode 100644
index 00000000000..bf7c32d1180
--- /dev/null
+++ b/docshell/test/test_bug680257.html
@@ -0,0 +1,59 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=680257
+-->
+<head>
+  <title>Test for Bug 680257</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=680257">Mozilla Bug 680257</a>
+
+<script type="application/javascript;version=1.7">
+
+SimpleTest.waitForExplicitFinish();
+
+var popup = window.open('file_bug680257.html');
+
+// The popup will call into popupLoaded() once it loads.
+function popupLoaded() {
+  // runTests() needs to be called from outside popupLoaded's onload handler.
+  // Otherwise, the navigations we do in runTests won't create new SHEntries.
+  SimpleTest.executeSoon(runTests);
+}
+
+function runTests() {
+  checkPopupLinkStyle(false, 'Initial');
+
+  popup.location.hash = 'a';
+  checkPopupLinkStyle(true, 'After setting hash');
+
+  popup.history.back();
+  checkPopupLinkStyle(false, 'After going back');
+
+  popup.history.forward();
+  checkPopupLinkStyle(true, 'After going forward');
+
+  popup.close();
+  SimpleTest.finish();
+}
+
+function checkPopupLinkStyle(isTarget, desc) {
+  var link = popup.document.getElementById('a');
+  var style = popup.getComputedStyle(link);
+  var color = style.getPropertyValue('color');
+
+  // Color is red if isTarget, black otherwise.
+  if (isTarget) {
+    is(color, 'rgb(255, 0, 0)', desc);
+  }
+  else {
+    is(color, 'rgb(0, 0, 0)', desc);
+  }
+}
+
+</script>
+</body>
+</html>
diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp
index 822eba5e8f1..979e73f116b 100644
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -8220,19 +8220,21 @@ NS_IMETHODIMP
 nsGlobalWindow::GetMozIndexedDB(nsIIDBFactory** _retval)
 {
   if (!mIndexedDB) {
-    nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil =
-      do_GetService(THIRDPARTYUTIL_CONTRACTID);
-    NS_ENSURE_TRUE(thirdPartyUtil, NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR);
+    if (!IsChromeWindow()) {
+      nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil =
+        do_GetService(THIRDPARTYUTIL_CONTRACTID);
+      NS_ENSURE_TRUE(thirdPartyUtil, NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR);
 
-    PRBool isThirdParty;
-    nsresult rv = thirdPartyUtil->IsThirdPartyWindow(this, nsnull,
-                                                     &isThirdParty);
-    NS_ENSURE_SUCCESS(rv, NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR);
+      PRBool isThirdParty;
+      nsresult rv = thirdPartyUtil->IsThirdPartyWindow(this, nsnull,
+                                                       &isThirdParty);
+      NS_ENSURE_SUCCESS(rv, NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR);
 
-    if (isThirdParty) {
-      NS_WARNING("IndexedDB is not permitted in a third-party window.");
-      *_retval = nsnull;
-      return NS_OK;
+      if (isThirdParty) {
+        NS_WARNING("IndexedDB is not permitted in a third-party window.");
+        *_retval = nsnull;
+        return NS_OK;
+      }
     }
 
     mIndexedDB = indexedDB::IDBFactory::Create(this);
diff --git a/dom/interfaces/css/nsIDOMCSS2Properties.idl b/dom/interfaces/css/nsIDOMCSS2Properties.idl
index d34a97920d4..f3b4c6cf036 100644
--- a/dom/interfaces/css/nsIDOMCSS2Properties.idl
+++ b/dom/interfaces/css/nsIDOMCSS2Properties.idl
@@ -51,7 +51,7 @@
  * http://www.w3.org/TR/DOM-Level-2-Style
  */
 
-[builtinclass, scriptable, uuid(10f43750-b379-11e0-aff2-0800200c9a66)]
+[builtinclass, scriptable, uuid(286466f1-4246-4574-afdb-2f8a03ad7cc8)]
 interface nsIDOMCSS2Properties : nsISupports
 {
            attribute DOMString        background;
@@ -657,6 +657,9 @@ interface nsIDOMCSS2Properties : nsISupports
            attribute DOMString        MozBorderImage;
                                         // raises(DOMException) on setting
 
+           attribute DOMString        MozColumns;
+                                        // raises(DOMException) on setting
+
            attribute DOMString        MozColumnRule;
                                         // raises(DOMException) on setting
 
diff --git a/dom/interfaces/events/nsIDOMMessageEvent.idl b/dom/interfaces/events/nsIDOMMessageEvent.idl
index 8bae70876d2..2981b864083 100644
--- a/dom/interfaces/events/nsIDOMMessageEvent.idl
+++ b/dom/interfaces/events/nsIDOMMessageEvent.idl
@@ -45,7 +45,7 @@
  * For more information on this interface, please see
  * http://www.whatwg.org/specs/web-apps/current-work/#messageevent
  */
-[scriptable, uuid(dc8ec5c6-ebf2-4f95-be99-cd13e3c0d0c6)]
+[scriptable, uuid(9ac4fa26-4d19-4f4e-807e-b30cd0dbe56a)]
 interface nsIDOMMessageEvent : nsIDOMEvent
 {
   /**
diff --git a/dom/plugins/base/nsPluginInstanceOwner.cpp b/dom/plugins/base/nsPluginInstanceOwner.cpp
index f09136328d3..6d529df1f75 100644
--- a/dom/plugins/base/nsPluginInstanceOwner.cpp
+++ b/dom/plugins/base/nsPluginInstanceOwner.cpp
@@ -1877,17 +1877,12 @@ nsPluginInstanceOwner::HandleEvent(nsIDOMEvent* aEvent)
     nsCOMPtr<nsIPrivateDOMEvent> privateEvent(do_QueryInterface(aEvent));
     if (privateEvent) {
       nsEvent* ievent = privateEvent->GetInternalNSEvent();
-      if (ievent && NS_IS_TRUSTED_EVENT(ievent) &&
-          (ievent->message == NS_DRAGDROP_ENTER || ievent->message == NS_DRAGDROP_OVER)) {
-        // set the allowed effect to none here. The plugin should set it if necessary
-        nsCOMPtr<nsIDOMDataTransfer> dataTransfer;
-        dragEvent->GetDataTransfer(getter_AddRefs(dataTransfer));
-        if (dataTransfer)
-          dataTransfer->SetEffectAllowed(NS_LITERAL_STRING("none"));
+      if ((ievent && NS_IS_TRUSTED_EVENT(ievent)) &&
+           ievent->message != NS_DRAGDROP_ENTER && ievent->message != NS_DRAGDROP_OVER) {
+        aEvent->PreventDefault();
       }
 
       // Let the plugin handle drag events.
-      aEvent->PreventDefault();
       aEvent->StopPropagation();
     }
   }
diff --git a/dom/system/unix/QTMLocationProvider.cpp b/dom/system/unix/QTMLocationProvider.cpp
index 712bf5b50da..74e2f473bcc 100644
--- a/dom/system/unix/QTMLocationProvider.cpp
+++ b/dom/system/unix/QTMLocationProvider.cpp
@@ -37,7 +37,7 @@
 
 #include "QTMLocationProvider.h"
 #include "nsGeoPosition.h"
-#include <QFeedbackEffect>
+
 using namespace QtMobility;
 
 using namespace mozilla;
diff --git a/editor/composer/src/nsEditorSpellCheck.cpp b/editor/composer/src/nsEditorSpellCheck.cpp
index 8b278f143a9..ad4bc1675ec 100644
--- a/editor/composer/src/nsEditorSpellCheck.cpp
+++ b/editor/composer/src/nsEditorSpellCheck.cpp
@@ -53,8 +53,13 @@
 #include "nsIHTMLEditor.h"
 
 #include "nsIComponentManager.h"
+#include "nsIContentPrefService.h"
+#include "nsIObserverService.h"
 #include "nsServiceManagerUtils.h"
 #include "nsIChromeRegistry.h"
+#include "nsIPrivateBrowsingService.h"
+#include "nsIContentURIGrouper.h"
+#include "nsNetCID.h"
 #include "nsString.h"
 #include "nsReadableUtils.h"
 #include "nsITextServicesFilter.h"
@@ -80,6 +85,216 @@ class UpdateDictionnaryHolder {
     }
 };
 
+#define CPS_PREF_NAME NS_LITERAL_STRING("spellcheck.lang")
+
+class LastDictionary : public nsIObserver, public nsSupportsWeakReference {
+public:
+  NS_DECL_ISUPPORTS
+  NS_DECL_NSIOBSERVER
+
+  LastDictionary();
+
+  /**
+   * Store current dictionary for editor document url. Use content pref
+   * service. Or, if in private mode, store this information in memory.
+   */
+  NS_IMETHOD StoreCurrentDictionary(nsIEditor* aEditor, const nsAString& aDictionary);
+
+  /**
+   * Get last stored current dictionary for editor document url.
+   */
+  NS_IMETHOD FetchLastDictionary(nsIEditor* aEditor, nsAString& aDictionary);
+
+  /**
+   * Forget last current dictionary stored for editor document url.
+   */
+  NS_IMETHOD ClearCurrentDictionary(nsIEditor* aEditor);
+
+  /**
+   * get uri of editor's document.
+   *
+   */
+  static nsresult GetDocumentURI(nsIEditor* aEditor, nsIURI * *aURI);
+
+  PRBool mInPrivateBrowsing;
+
+  // During private browsing, dictionaries are stored in memory
+  nsDataHashtable<nsStringHashKey, nsString> mMemoryStorage;
+};
+
+NS_IMPL_ISUPPORTS2(LastDictionary, nsIObserver, nsISupportsWeakReference)
+
+LastDictionary::LastDictionary():
+  mInPrivateBrowsing(PR_FALSE)
+{  
+  nsCOMPtr<nsIPrivateBrowsingService> pbService =
+    do_GetService(NS_PRIVATE_BROWSING_SERVICE_CONTRACTID);
+  if (pbService) {
+    pbService->GetPrivateBrowsingEnabled(&mInPrivateBrowsing);
+    mMemoryStorage.Init();
+  }
+}
+
+// static
+nsresult
+LastDictionary::GetDocumentURI(nsIEditor* aEditor, nsIURI * *aURI)
+{
+  NS_ENSURE_ARG_POINTER(aEditor);
+  NS_ENSURE_ARG_POINTER(aURI);
+
+  nsCOMPtr<nsIDOMDocument> domDoc;
+  aEditor->GetDocument(getter_AddRefs(domDoc));
+  NS_ENSURE_TRUE(domDoc, NS_ERROR_FAILURE);
+
+  nsCOMPtr<nsIDocument> doc = do_QueryInterface(domDoc);
+  NS_ENSURE_TRUE(doc, NS_ERROR_FAILURE);
+
+  nsCOMPtr<nsIURI> docUri = doc->GetDocumentURI();
+  NS_ENSURE_TRUE(docUri, NS_ERROR_FAILURE);
+
+  *aURI = docUri;
+  NS_ADDREF(*aURI);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+LastDictionary::FetchLastDictionary(nsIEditor* aEditor, nsAString& aDictionary)
+{
+  NS_ENSURE_ARG_POINTER(aEditor);
+
+  nsresult rv;
+
+  nsCOMPtr<nsIURI> docUri;
+  rv = GetDocumentURI(aEditor, getter_AddRefs(docUri));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  if (mInPrivateBrowsing) {
+    nsCOMPtr<nsIContentURIGrouper> hostnameGrouperService =
+      do_GetService(NS_HOSTNAME_GROUPER_SERVICE_CONTRACTID);
+    NS_ENSURE_TRUE(hostnameGrouperService, NS_ERROR_NOT_AVAILABLE);
+    nsString group;
+    hostnameGrouperService->Group(docUri, group);
+    nsAutoString lastDict;
+    if (mMemoryStorage.Get(group, &lastDict)) {
+      aDictionary.Assign(lastDict);
+    } else {
+      aDictionary.Truncate();
+    }
+    return NS_OK;
+  }
+
+  nsCOMPtr<nsIContentPrefService> contentPrefService =
+    do_GetService(NS_CONTENT_PREF_SERVICE_CONTRACTID);
+  NS_ENSURE_TRUE(contentPrefService, NS_ERROR_NOT_AVAILABLE);
+
+  nsCOMPtr<nsIWritableVariant> uri = do_CreateInstance(NS_VARIANT_CONTRACTID);
+  NS_ENSURE_TRUE(uri, NS_ERROR_OUT_OF_MEMORY);
+  uri->SetAsISupports(docUri);
+
+  PRBool hasPref;
+  if (NS_SUCCEEDED(contentPrefService->HasPref(uri, CPS_PREF_NAME, &hasPref)) && hasPref) {
+    nsCOMPtr<nsIVariant> pref;
+    contentPrefService->GetPref(uri, CPS_PREF_NAME, nsnull, getter_AddRefs(pref));
+    pref->GetAsAString(aDictionary);
+  } else {
+    aDictionary.Truncate();
+  }
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+LastDictionary::StoreCurrentDictionary(nsIEditor* aEditor, const nsAString& aDictionary)
+{
+  NS_ENSURE_ARG_POINTER(aEditor);
+
+  nsresult rv;
+
+  nsCOMPtr<nsIURI> docUri;
+  rv = GetDocumentURI(aEditor, getter_AddRefs(docUri));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+ if (mInPrivateBrowsing) {
+    nsCOMPtr<nsIContentURIGrouper> hostnameGrouperService =
+      do_GetService(NS_HOSTNAME_GROUPER_SERVICE_CONTRACTID);
+    NS_ENSURE_TRUE(hostnameGrouperService, NS_ERROR_NOT_AVAILABLE);
+    nsString group;
+    hostnameGrouperService->Group(docUri, group);
+
+    if (mMemoryStorage.Put(group, nsString(aDictionary))) {
+      return NS_OK;
+    } else {
+      return NS_ERROR_FAILURE;
+    }
+  }
+
+  nsCOMPtr<nsIWritableVariant> uri = do_CreateInstance(NS_VARIANT_CONTRACTID);
+  NS_ENSURE_TRUE(uri, NS_ERROR_OUT_OF_MEMORY);
+  uri->SetAsISupports(docUri);
+
+  nsCOMPtr<nsIWritableVariant> prefValue = do_CreateInstance(NS_VARIANT_CONTRACTID);
+  NS_ENSURE_TRUE(prefValue, NS_ERROR_OUT_OF_MEMORY);
+  prefValue->SetAsAString(aDictionary);
+
+  nsCOMPtr<nsIContentPrefService> contentPrefService =
+    do_GetService(NS_CONTENT_PREF_SERVICE_CONTRACTID);
+  NS_ENSURE_TRUE(contentPrefService, NS_ERROR_NOT_INITIALIZED);
+
+  return contentPrefService->SetPref(uri, CPS_PREF_NAME, prefValue);
+}
+
+NS_IMETHODIMP
+LastDictionary::ClearCurrentDictionary(nsIEditor* aEditor)
+{
+  NS_ENSURE_ARG_POINTER(aEditor);
+
+  nsresult rv;
+
+  nsCOMPtr<nsIURI> docUri;
+  rv = GetDocumentURI(aEditor, getter_AddRefs(docUri));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsCOMPtr<nsIContentURIGrouper> hostnameGrouperService =
+      do_GetService(NS_HOSTNAME_GROUPER_SERVICE_CONTRACTID);
+  NS_ENSURE_TRUE(hostnameGrouperService, NS_ERROR_NOT_AVAILABLE);
+
+  nsString group;
+  hostnameGrouperService->Group(docUri, group);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  if (mMemoryStorage.IsInitialized()) {
+    mMemoryStorage.Remove(group);
+  }
+
+  nsCOMPtr<nsIWritableVariant> uri = do_CreateInstance(NS_VARIANT_CONTRACTID);
+  NS_ENSURE_TRUE(uri, NS_ERROR_OUT_OF_MEMORY);
+  uri->SetAsISupports(docUri);
+
+  nsCOMPtr<nsIContentPrefService> contentPrefService =
+    do_GetService(NS_CONTENT_PREF_SERVICE_CONTRACTID);
+  NS_ENSURE_TRUE(contentPrefService, NS_ERROR_NOT_INITIALIZED);
+
+  return contentPrefService->RemovePref(uri, CPS_PREF_NAME);
+}
+
+NS_IMETHODIMP
+LastDictionary::Observe(nsISupports *aSubject, char const *aTopic, PRUnichar const *aData)
+{
+  if (strcmp(aTopic, NS_PRIVATE_BROWSING_SWITCH_TOPIC) == 0) {
+    if (NS_LITERAL_STRING(NS_PRIVATE_BROWSING_ENTER).Equals(aData)) {
+      mInPrivateBrowsing = PR_TRUE;
+    } else if (NS_LITERAL_STRING(NS_PRIVATE_BROWSING_LEAVE).Equals(aData)) {
+      mInPrivateBrowsing = PR_FALSE;
+      if (mMemoryStorage.IsInitialized()) {
+        mMemoryStorage.Clear();
+      }
+    }
+  } 
+  return NS_OK;
+}
+
+LastDictionary* nsEditorSpellCheck::gDictionaryStore = nsnull;
+
 NS_IMPL_CYCLE_COLLECTING_ADDREF(nsEditorSpellCheck)
 NS_IMPL_CYCLE_COLLECTING_RELEASE(nsEditorSpellCheck)
 
@@ -89,15 +304,16 @@ NS_INTERFACE_MAP_BEGIN(nsEditorSpellCheck)
   NS_INTERFACE_MAP_ENTRIES_CYCLE_COLLECTION(nsEditorSpellCheck)
 NS_INTERFACE_MAP_END
 
-NS_IMPL_CYCLE_COLLECTION_2(nsEditorSpellCheck,
+NS_IMPL_CYCLE_COLLECTION_3(nsEditorSpellCheck,
+                           mEditor,
                            mSpellChecker,
                            mTxtSrvFilter)
 
 nsEditorSpellCheck::nsEditorSpellCheck()
   : mSuggestedWordIndex(0)
   , mDictionaryIndex(0)
+  , mEditor(nsnull)
   , mUpdateDictionaryRunning(PR_FALSE)
-  , mDictWasSetManually(PR_FALSE)
 {
 }
 
@@ -135,8 +351,24 @@ nsEditorSpellCheck::CanSpellCheck(PRBool* _retval)
 NS_IMETHODIMP    
 nsEditorSpellCheck::InitSpellChecker(nsIEditor* aEditor, PRBool aEnableSelectionChecking)
 {
+  NS_ENSURE_TRUE(aEditor, NS_ERROR_NULL_POINTER);
+  mEditor = aEditor;
+
   nsresult rv;
 
+  if (!gDictionaryStore) {
+    gDictionaryStore = new LastDictionary();
+    if (gDictionaryStore) {
+      NS_ADDREF(gDictionaryStore);
+      nsCOMPtr<nsIObserverService> observerService =
+        mozilla::services::GetObserverService();
+      if (observerService) {
+        observerService->AddObserver(gDictionaryStore, NS_PRIVATE_BROWSING_SWITCH_TOPIC, PR_TRUE);
+      }
+    }
+  }
+
+
   // We can spell check with any editor type
   nsCOMPtr<nsITextServicesDocument>tsDoc =
      do_CreateInstance("@mozilla.org/textservices/textservicesdocument;1", &rv);
@@ -208,7 +440,7 @@ nsEditorSpellCheck::InitSpellChecker(nsIEditor* aEditor, PRBool aEnableSelection
 
   // do not fail if UpdateCurrentDictionary fails because this method may
   // succeed later.
-  UpdateCurrentDictionary(aEditor);
+  UpdateCurrentDictionary();
   return NS_OK;
 }
 
@@ -391,7 +623,29 @@ nsEditorSpellCheck::SetCurrentDictionary(const nsAString& aDictionary)
   NS_ENSURE_TRUE(mSpellChecker, NS_ERROR_NOT_INITIALIZED);
 
   if (!mUpdateDictionaryRunning) {
-    mDictWasSetManually = PR_TRUE;
+
+    nsDefaultStringComparator comparator;
+    nsAutoString langCode;
+    PRInt32 dashIdx = aDictionary.FindChar('-');
+    if (dashIdx != -1) {
+      langCode.Assign(Substring(aDictionary, 0, dashIdx));
+    } else {
+      langCode.Assign(aDictionary);
+    }
+
+    if (mPreferredLang.IsEmpty() || !nsStyleUtil::DashMatchCompare(mPreferredLang, langCode, comparator)) {
+      // When user sets dictionary manually, we store this value associated
+      // with editor url.
+      gDictionaryStore->StoreCurrentDictionary(mEditor, aDictionary);
+    } else {
+      // If user sets a dictionary matching (even partially), lang defined by
+      // document, we consider content pref has been canceled, and we clear it.
+      gDictionaryStore->ClearCurrentDictionary(mEditor);
+    }
+
+    // Also store it in as a preference. It will be used as a default value
+    // when everything else fails.
+    Preferences::SetString("spellchecker.dictionary", aDictionary);
   }
   return mSpellChecker->SetCurrentDictionary(aDictionary);
 }
@@ -409,21 +663,6 @@ nsEditorSpellCheck::UninitSpellChecker()
   return NS_OK;
 }
 
-// Save the last set dictionary to the user's preferences.
-NS_IMETHODIMP
-nsEditorSpellCheck::SaveDefaultDictionary()
-{
-  if (!mDictWasSetManually) {
-    return NS_OK;
-  }
-
-  nsAutoString dictName;
-  nsresult rv = GetCurrentDictionary(dictName);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  return Preferences::SetString("spellchecker.dictionary", dictName);
-}
-
 
 /* void setFilter (in nsITextServicesFilter filter); */
 NS_IMETHODIMP 
@@ -442,45 +681,51 @@ nsEditorSpellCheck::DeleteSuggestedWordList()
 }
 
 NS_IMETHODIMP
-nsEditorSpellCheck::UpdateCurrentDictionary(nsIEditor* aEditor)
+nsEditorSpellCheck::UpdateCurrentDictionary()
 {
-  if (mDictWasSetManually) { // user has set dictionary manually; we better not change it.
-    return NS_OK;
-  }
-
   nsresult rv;
 
   UpdateDictionnaryHolder holder(this);
 
-  // Tell the spellchecker what dictionary to use:
-  nsAutoString dictName;
-
-  // First, try to get language with html5 algorithm
-  nsAutoString editorLang;
-
+  // Get language with html5 algorithm
   nsCOMPtr<nsIContent> rootContent;
-
-  nsCOMPtr<nsIHTMLEditor> htmlEditor = do_QueryInterface(aEditor);
+  nsCOMPtr<nsIHTMLEditor> htmlEditor = do_QueryInterface(mEditor);
   if (htmlEditor) {
     rootContent = htmlEditor->GetActiveEditingHost();
   } else {
     nsCOMPtr<nsIDOMElement> rootElement;
-    rv = aEditor->GetRootElement(getter_AddRefs(rootElement));
+    rv = mEditor->GetRootElement(getter_AddRefs(rootElement));
     NS_ENSURE_SUCCESS(rv, rv);
     rootContent = do_QueryInterface(rootElement);
   }
   NS_ENSURE_TRUE(rootContent, NS_ERROR_FAILURE);
 
-  rootContent->GetLang(editorLang);
+  mPreferredLang.Truncate();
+  rootContent->GetLang(mPreferredLang);
 
-  if (editorLang.IsEmpty()) {
-    nsCOMPtr<nsIDocument> doc = rootContent->GetCurrentDoc();
-    NS_ENSURE_TRUE(doc, NS_ERROR_FAILURE);
-    doc->GetContentLanguage(editorLang);
+  // Tell the spellchecker what dictionary to use:
+
+  // First try to get dictionary from content prefs. If we have one, do not got
+  // further. Use this exact dictionary.
+  nsAutoString dictName;
+  rv = gDictionaryStore->FetchLastDictionary(mEditor, dictName);
+  if (NS_SUCCEEDED(rv) && !dictName.IsEmpty()) {
+    if (NS_FAILED(SetCurrentDictionary(dictName))) { 
+      // may be dictionary was uninstalled ?
+      gDictionaryStore->ClearCurrentDictionary(mEditor);
+    }
+    return NS_OK;
   }
 
-  if (!editorLang.IsEmpty()) {
-    dictName.Assign(editorLang);
+  if (mPreferredLang.IsEmpty()) {
+    nsCOMPtr<nsIDocument> doc = rootContent->GetCurrentDoc();
+    NS_ENSURE_TRUE(doc, NS_ERROR_FAILURE);
+    doc->GetContentLanguage(mPreferredLang);
+  }
+
+  // Then, try to use language computed from element
+  if (!mPreferredLang.IsEmpty()) {
+    dictName.Assign(mPreferredLang);
   }
 
   // otherwise, get language from preferences
@@ -543,7 +788,7 @@ nsEditorSpellCheck::UpdateCurrentDictionary(nsIEditor* aEditor)
   // If we have not set dictionary, and the editable element doesn't have a
   // lang attribute, we try to get a dictionary. First try, en-US. If it does
   // not work, pick the first one.
-  if (editorLang.IsEmpty()) {
+  if (mPreferredLang.IsEmpty()) {
     nsAutoString currentDictionary;
     rv = GetCurrentDictionary(currentDictionary);
     if (NS_FAILED(rv) || currentDictionary.IsEmpty()) {
@@ -567,3 +812,8 @@ nsEditorSpellCheck::UpdateCurrentDictionary(nsIEditor* aEditor)
 
   return NS_OK;
 }
+
+void 
+nsEditorSpellCheck::ShutDown() {
+  NS_IF_RELEASE(gDictionaryStore);
+}
diff --git a/editor/composer/src/nsEditorSpellCheck.h b/editor/composer/src/nsEditorSpellCheck.h
index 094ae5467b8..f4fe764a320 100644
--- a/editor/composer/src/nsEditorSpellCheck.h
+++ b/editor/composer/src/nsEditorSpellCheck.h
@@ -43,8 +43,12 @@
 
 #include "nsIEditorSpellCheck.h"
 #include "nsISpellChecker.h"
+#include "nsIObserver.h"
+#include "nsIURI.h"
+#include "nsWeakReference.h"
 #include "nsCOMPtr.h"
 #include "nsCycleCollectionParticipant.h"
+#include "nsDataHashtable.h"
 
 #define NS_EDITORSPELLCHECK_CID                     \
 { /* {75656ad9-bd13-4c5d-939a-ec6351eea0cc} */        \
@@ -52,6 +56,8 @@
     { 0x93, 0x9a, 0xec, 0x63, 0x51, 0xee, 0xa0, 0xcc }\
 }
 
+class LastDictionary;
+
 class nsEditorSpellCheck : public nsIEditorSpellCheck
 {
 public:
@@ -64,6 +70,10 @@ public:
   /* Declare all methods in the nsIEditorSpellCheck interface */
   NS_DECL_NSIEDITORSPELLCHECK
 
+  static LastDictionary* gDictionaryStore;
+
+  static void ShutDown();
+
 protected:
   nsCOMPtr<nsISpellChecker> mSpellChecker;
 
@@ -78,9 +88,11 @@ protected:
   nsresult       DeleteSuggestedWordList();
 
   nsCOMPtr<nsITextServicesFilter> mTxtSrvFilter;
+  nsCOMPtr<nsIEditor> mEditor;
+
+  nsString mPreferredLang;
 
   PRPackedBool mUpdateDictionaryRunning;
-  PRPackedBool mDictWasSetManually;
 
 public:
   void BeginUpdateDictionary() { mUpdateDictionaryRunning = PR_TRUE ;}
diff --git a/editor/composer/test/Makefile.in b/editor/composer/test/Makefile.in
index d7dffb7d5c4..46274d28fef 100644
--- a/editor/composer/test/Makefile.in
+++ b/editor/composer/test/Makefile.in
@@ -49,11 +49,13 @@ _TEST_FILES = \
 		test_bug384147.html \
 		test_bug389350.html \
 		test_bug519928.html \
+		bug678842_subframe.html \
 		$(NULL)
 
 _CHROME_TEST_FILES = \
 		test_bug434998.xul \
 		test_bug338427.html \
+		test_bug678842.html \
 		$(NULL)
 
 libs:: $(_TEST_FILES)
diff --git a/editor/composer/test/bug678842_subframe.html b/editor/composer/test/bug678842_subframe.html
new file mode 100644
index 00000000000..39d578ee41d
--- /dev/null
+++ b/editor/composer/test/bug678842_subframe.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+</head>
+<body>
+<textarea id="textarea" lang="testing-XXX"></textarea>
+</body>
+</html>
diff --git a/editor/composer/test/test_bug678842.html b/editor/composer/test/test_bug678842.html
new file mode 100644
index 00000000000..778e12551cc
--- /dev/null
+++ b/editor/composer/test/test_bug678842.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=678842
+-->
+<head>
+  <title>Test for Bug 678842</title>
+  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
+</head>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=678842">Mozilla Bug 678842</a>
+<p id="display"></p>
+<iframe id="content"></iframe>
+  
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 678842 **/
+SimpleTest.waitForExplicitFinish();
+var content = document.getElementById('content');
+// load a subframe containing an editor with a defined unknown lang. At first
+// load, it will set dictionary to en-US. At second load, it will return current
+// dictionary. So, we can check, dictionary is correctly remembered between
+// loads.
+
+var firstLoad = true;
+
+var loadListener = function(evt) {
+  var doc = evt.target.contentDocument;
+  var elem = doc.getElementById('textarea');
+  var editor = elem.QueryInterface(Components.interfaces.nsIDOMNSEditableElement).editor;
+  editor.setSpellcheckUserOverride(true);
+  var inlineSpellChecker = editor.getInlineSpellChecker(true);
+  var spellchecker = inlineSpellChecker.spellChecker;
+  var currentDictonary = "";
+  try {
+    currentDictonary = spellchecker.GetCurrentDictionary();
+  } catch(e) {}
+
+  if (!currentDictonary) {
+    spellchecker.SetCurrentDictionary('en-US');
+  }
+
+  if (firstLoad) {
+    firstLoad = false;
+    is (currentDictonary, "", "unexpected lang " + currentDictonary);
+    content.src = 'http://mochi.test:8888/tests/editor/composer/test/bug678842_subframe.html?firstload=false';
+  } else {
+    is (currentDictonary, "en-US", "unexpected lang " + currentDictonary + " instead of en-US");
+    content.removeEventListener('load', loadListener, false);
+    SimpleTest.finish();
+  }
+}
+
+content.addEventListener('load', loadListener, false);
+
+content.src = 'http://mochi.test:8888/tests/editor/composer/test/bug678842_subframe.html?firstload=true';
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/editor/idl/nsIEditorSpellCheck.idl b/editor/idl/nsIEditorSpellCheck.idl
index b39dafb7de0..f06eabff715 100644
--- a/editor/idl/nsIEditorSpellCheck.idl
+++ b/editor/idl/nsIEditorSpellCheck.idl
@@ -41,7 +41,7 @@
 interface nsIEditor;
 interface nsITextServicesFilter;
 
-[scriptable, uuid(3da0ce96-7d3a-48d0-80b7-2d90dab09747)]
+[scriptable, uuid(af84da62-588f-409f-847d-feecc991bd93)]
 interface nsIEditorSpellCheck : nsISupports
 {
 
@@ -150,14 +150,6 @@ interface nsIEditorSpellCheck : nsISupports
    */
   void          SetCurrentDictionary(in AString dictionary);
 
-  /**
-   * Call to save the currently selected dictionary as the default. The
-   * function UninitSpellChecker will also do this, but that function may not
-   * be called in some situations. This function allows the caller to force the
-   * default right now.
-   */
-  void          saveDefaultDictionary();
-
   /**
    * Call this to free up the spell checking object. It will also save the
    * current selected language as the default for future use.
@@ -192,6 +184,6 @@ interface nsIEditorSpellCheck : nsISupports
    * Update the dictionary in use to be sure it corresponds to what the editor
    * needs.
    */
-  void          UpdateCurrentDictionary(in nsIEditor editor);
+  void          UpdateCurrentDictionary();
 
 };
diff --git a/editor/libeditor/html/nsHTMLEditRules.cpp b/editor/libeditor/html/nsHTMLEditRules.cpp
index df93229bcdb..689a7e58617 100644
--- a/editor/libeditor/html/nsHTMLEditRules.cpp
+++ b/editor/libeditor/html/nsHTMLEditRules.cpp
@@ -3730,7 +3730,11 @@ nsHTMLEditRules::WillCSSIndent(nsISelection *aSelection, PRBool *aCancel, PRBool
       else {
         if (!curQuote)
         {
+          // First, check that our element can contain a div.
           NS_NAMED_LITERAL_STRING(divquoteType, "div");
+          if (!mEditor->CanContainTag(curParent, divquoteType))
+            return NS_OK; // cancelled
+
           res = SplitAsNeeded(&divquoteType, address_of(curParent), &offset);
           NS_ENSURE_SUCCESS(res, res);
           res = mHTMLEditor->CreateNode(divquoteType, curParent, offset, getter_AddRefs(curQuote));
@@ -3957,6 +3961,10 @@ nsHTMLEditRules::WillHTMLIndent(nsISelection *aSelection, PRBool *aCancel, PRBoo
         
         if (!curQuote) 
         {
+          // First, check that our element can contain a blockquote.
+          if (!mEditor->CanContainTag(curParent, quoteType))
+            return NS_OK; // cancelled
+
           res = SplitAsNeeded(&quoteType, address_of(curParent), &offset);
           NS_ENSURE_SUCCESS(res, res);
           res = mHTMLEditor->CreateNode(quoteType, curParent, offset, getter_AddRefs(curQuote));
@@ -4089,10 +4097,10 @@ nsHTMLEditRules::WillOutdent(nsISelection *aSelection, PRBool *aCancel, PRBool *
       nsCOMPtr<nsIDOMNode> n = curNode;
       nsCOMPtr<nsIDOMNode> tmp;
       curBlockQuoteIsIndentedWithCSS = PR_FALSE;
-      // keep looking up the hierarchy as long as we don't hit the body or a table element
-      // (other than an entire table)
-      while (!nsTextEditUtils::IsBody(n) &&   
-             (nsHTMLEditUtils::IsTable(n) || !nsHTMLEditUtils::IsTableElement(n)))
+      // keep looking up the hierarchy as long as we don't hit the body or the
+      // active editing host or a table element (other than an entire table)
+      while (!nsTextEditUtils::IsBody(n) && mHTMLEditor->IsNodeInActiveEditor(n)
+          && (nsHTMLEditUtils::IsTable(n) || !nsHTMLEditUtils::IsTableElement(n)))
       {
         n->GetParentNode(getter_AddRefs(tmp));
         if (!tmp) {
@@ -4785,7 +4793,11 @@ nsHTMLEditRules::WillAlign(nsISelection *aSelection,
     // or if this node doesn't go in div we used earlier.
     if (!curDiv || transitionList[i])
     {
+      // First, check that our element can contain a div.
       NS_NAMED_LITERAL_STRING(divType, "div");
+      if (!mEditor->CanContainTag(curParent, divType))
+        return NS_OK; // cancelled
+
       res = SplitAsNeeded(&divType, address_of(curParent), &offset);
       NS_ENSURE_SUCCESS(res, res);
       res = mHTMLEditor->CreateNode(divType, curParent, offset, getter_AddRefs(curDiv));
@@ -4795,9 +4807,9 @@ nsHTMLEditRules::WillAlign(nsISelection *aSelection,
       // set up the alignment on the div
       nsCOMPtr<nsIDOMElement> divElem = do_QueryInterface(curDiv);
       res = AlignBlock(divElem, alignType, PR_TRUE);
-//      nsAutoString attr(NS_LITERAL_STRING("align"));
-//      res = mHTMLEditor->SetAttribute(divElem, attr, *alignType);
-//      NS_ENSURE_SUCCESS(res, res);
+      //nsAutoString attr(NS_LITERAL_STRING("align"));
+      //res = mHTMLEditor->SetAttribute(divElem, attr, *alignType);
+      //NS_ENSURE_SUCCESS(res, res);
       // curDiv is now the correct thing to put curNode in
     }
 
@@ -5598,9 +5610,13 @@ nsHTMLEditRules::GetPromotedPoint(RulesEndpoint aWhere, nsIDOMNode *aNode, PRInt
       // Don't walk past the editable section. Note that we need to check
       // before walking up to a parent because we need to return the parent
       // object, so the parent itself might not be in the editable area, but
-      // it's OK.
-      if (!mHTMLEditor->IsNodeInActiveEditor(node) &&
-          !mHTMLEditor->IsNodeInActiveEditor(parent)) {
+      // it's OK if we're not performing a block-level action.
+      PRBool blockLevelAction = (actionID == nsHTMLEditor::kOpIndent)
+                             || (actionID == nsHTMLEditor::kOpOutdent)
+                             || (actionID == nsHTMLEditor::kOpAlign)
+                             || (actionID == nsHTMLEditor::kOpMakeBasicBlock);
+      if (!mHTMLEditor->IsNodeInActiveEditor(parent) &&
+          (blockLevelAction || !mHTMLEditor->IsNodeInActiveEditor(node))) {
         break;
       }
 
@@ -8935,8 +8951,17 @@ nsHTMLEditRules::RelativeChangeIndentationOfElementNode(nsIDOMNode *aNode, PRInt
     }
     else {
       mHTMLEditor->mHTMLCSSUtils->RemoveCSSProperty(element, marginProperty, value, PR_FALSE);
-      if (nsHTMLEditUtils::IsDiv(aNode)) {
-        // we deal with a DIV ; let's see if it is useless and if we can remove it
+      // remove unnecessary DIV blocks:
+      // we could skip this section but that would cause a FAIL in
+      // editor/libeditor/html/tests/browserscope/richtext.html, which expects
+      // to unapply a CSS "indent" (<div style="margin-left: 40px;">) by
+      // removing the DIV container instead of just removing the CSS property.
+      nsCOMPtr<nsINode> node = do_QueryInterface(aNode);
+      if (nsHTMLEditUtils::IsDiv(aNode)
+          && (node != mHTMLEditor->GetActiveEditingHost())
+          && mHTMLEditor->IsNodeInActiveEditor(aNode)) {
+        // we deal with an editable DIV;
+        // let's see if it is useless and if we can remove it
         nsCOMPtr<nsIDOMNamedNodeMap> attributeList;
         res = element->GetAttributes(getter_AddRefs(attributeList));
         NS_ENSURE_SUCCESS(res, res);
diff --git a/editor/libeditor/html/tests/Makefile.in b/editor/libeditor/html/tests/Makefile.in
index b9c9526fa16..6f72aa83471 100644
--- a/editor/libeditor/html/tests/Makefile.in
+++ b/editor/libeditor/html/tests/Makefile.in
@@ -86,6 +86,7 @@ _TEST_FILES = \
 		test_bug668599.html \
 		test_bug674861.html \
 		test_bug676401.html \
+		test_bug677752.html \
 		test_CF_HTML_clipboard.html \
 		test_contenteditable_focus.html \
 		test_htmleditor_keyevent_handling.html \
diff --git a/editor/libeditor/html/tests/browserscope/lib/richtext2/currentStatus.js b/editor/libeditor/html/tests/browserscope/lib/richtext2/currentStatus.js
index 00eab5b9428..5aeea117f7a 100644
--- a/editor/libeditor/html/tests/browserscope/lib/richtext2/currentStatus.js
+++ b/editor/libeditor/html/tests/browserscope/lib/richtext2/currentStatus.js
@@ -4479,11 +4479,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><blockquote>`foo[bar]baz´</blockquote></body>"
         },
         "div": {
-          "valscore": 0,
-          "selscore": 0,
-          "valresult": 2,
-          "selresult": 3,
-          "output": "EXECUTION EXCEPTION: [Exception... \"Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMHTMLDocument.execCommand]\"  nsresult: \"0x80004005 (NS_ERROR_FAILURE)\"  location: \"JS frame :: http://mochi.test:8888/tests/editor/libeditor/html/tests/browserscope/lib/richtext2/richtext2/static/js/run.js :: runSingleTest :: line 143\"  data: no]"
+          "valscore": 1,
+          "selscore": 1,
+          "valresult": 8,
+          "selresult": 5,
+          "output": "<blockquote>`foo[bar]baz´</blockquote>",
+          "innerHTML": "<blockquote>`foo[bar]baz´</blockquote>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><blockquote>`foo[bar]baz´</blockquote></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><blockquote>`foo[bar]baz´</blockquote></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><blockquote>`foo[bar]baz´</blockquote></div>CAN<br>ARY</body>"
         }
       },
       "FB:BQ_BR.BR-1_SM": {
@@ -4510,11 +4514,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><blockquote>`fo[o´<br>`bar´<br>`b]az´</blockquote></body>"
         },
         "div": {
-          "valscore": 0,
-          "selscore": 0,
-          "valresult": 2,
-          "selresult": 3,
-          "output": "EXECUTION EXCEPTION: [Exception... \"Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMHTMLDocument.execCommand]\"  nsresult: \"0x80004005 (NS_ERROR_FAILURE)\"  location: \"JS frame :: http://mochi.test:8888/tests/editor/libeditor/html/tests/browserscope/lib/richtext2/richtext2/static/js/run.js :: runSingleTest :: line 143\"  data: no]"
+          "valscore": 1,
+          "selscore": 1,
+          "valresult": 8,
+          "selresult": 5,
+          "output": "<blockquote>`fo[o´<br>`bar´<br>`b]az´</blockquote>",
+          "innerHTML": "<blockquote>`fo[o´<br>`bar´<br>`b]az´</blockquote>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><blockquote>`fo[o´<br>`bar´<br>`b]az´</blockquote></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><blockquote>`fo[o´<br>`bar´<br>`b]az´</blockquote></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><blockquote>`fo[o´<br>`bar´<br>`b]az´</blockquote></div>CAN<br>ARY</body>"
         }
       },
       "BC:blue_TEXT-1_SI": {
@@ -4856,11 +4864,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><blockquote>`foo[bar]baz´</blockquote></body>"
         },
         "div": {
-          "valscore": 0,
-          "selscore": 0,
-          "valresult": 2,
-          "selresult": 3,
-          "output": "EXECUTION EXCEPTION: [Exception... \"Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMHTMLDocument.execCommand]\"  nsresult: \"0x80004005 (NS_ERROR_FAILURE)\"  location: \"JS frame :: http://mochi.test:8888/tests/editor/libeditor/html/tests/browserscope/lib/richtext2/richtext2/static/js/run.js :: runSingleTest :: line 143\"  data: no]"
+          "valscore": 1,
+          "selscore": 1,
+          "valresult": 8,
+          "selresult": 5,
+          "output": "<blockquote>`foo[bar]baz´</blockquote>",
+          "innerHTML": "<blockquote>`foo[bar]baz´</blockquote>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><blockquote>`foo[bar]baz´</blockquote></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><blockquote>`foo[bar]baz´</blockquote></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><blockquote>`foo[bar]baz´</blockquote></div>CAN<br>ARY</body>"
         }
       },
       "JC_TEXT-1_SC": {
@@ -4887,15 +4899,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><div align=\"center\">`foo^bar´</div></body>"
         },
         "div": {
-          "valscore": 0,
+          "valscore": 1,
           "selscore": 1,
-          "valresult": 7,
+          "valresult": 8,
           "selresult": 5,
-          "output": "<div xmlns=\"http://www.w3.org/1999/xhtml\" align=\"center\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>",
-          "innerHTML": "`foo^bar´",
-          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" align=\"center\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>",
-          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\" align=\"center\">`foo^bar´</div>CAN<br>ARY",
-          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div align=\"center\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>CAN<br>ARY</body>"
+          "output": "<div align=\"center\">`foo^bar´</div>",
+          "innerHTML": "<div align=\"center\">`foo^bar´</div>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><div align=\"center\">`foo^bar´</div></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><div align=\"center\">`foo^bar´</div></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><div align=\"center\">`foo^bar´</div></div>CAN<br>ARY</body>"
         }
       },
       "JF_TEXT-1_SC": {
@@ -4922,15 +4934,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><div align=\"justify\">`foo^bar´</div></body>"
         },
         "div": {
-          "valscore": 0,
+          "valscore": 1,
           "selscore": 1,
-          "valresult": 7,
+          "valresult": 8,
           "selresult": 5,
-          "output": "<div xmlns=\"http://www.w3.org/1999/xhtml\" align=\"justify\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>",
-          "innerHTML": "`foo^bar´",
-          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" align=\"justify\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>",
-          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\" align=\"justify\">`foo^bar´</div>CAN<br>ARY",
-          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div align=\"justify\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>CAN<br>ARY</body>"
+          "output": "<div align=\"justify\">`foo^bar´</div>",
+          "innerHTML": "<div align=\"justify\">`foo^bar´</div>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><div align=\"justify\">`foo^bar´</div></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><div align=\"justify\">`foo^bar´</div></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><div align=\"justify\">`foo^bar´</div></div>CAN<br>ARY</body>"
         }
       },
       "JL_TEXT-1_SC": {
@@ -4957,15 +4969,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><div align=\"left\">`foo^bar´</div></body>"
         },
         "div": {
-          "valscore": 0,
+          "valscore": 1,
           "selscore": 1,
-          "valresult": 7,
+          "valresult": 8,
           "selresult": 5,
-          "output": "<div xmlns=\"http://www.w3.org/1999/xhtml\" align=\"left\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>",
-          "innerHTML": "`foo^bar´",
-          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" align=\"left\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>",
-          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\" align=\"left\">`foo^bar´</div>CAN<br>ARY",
-          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div align=\"left\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>CAN<br>ARY</body>"
+          "output": "<div align=\"left\">`foo^bar´</div>",
+          "innerHTML": "<div align=\"left\">`foo^bar´</div>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><div align=\"left\">`foo^bar´</div></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><div align=\"left\">`foo^bar´</div></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><div align=\"left\">`foo^bar´</div></div>CAN<br>ARY</body>"
         }
       },
       "JR_TEXT-1_SC": {
@@ -4992,15 +5004,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><div align=\"right\">`foo^bar´</div></body>"
         },
         "div": {
-          "valscore": 0,
+          "valscore": 1,
           "selscore": 1,
-          "valresult": 7,
+          "valresult": 8,
           "selresult": 5,
-          "output": "<div xmlns=\"http://www.w3.org/1999/xhtml\" align=\"right\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>",
-          "innerHTML": "`foo^bar´",
-          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" align=\"right\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>",
-          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\" align=\"right\">`foo^bar´</div>CAN<br>ARY",
-          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div align=\"right\" contenteditable=\"true\" id=\"editor-div\">`foo^bar´</div>CAN<br>ARY</body>"
+          "output": "<div align=\"right\">`foo^bar´</div>",
+          "innerHTML": "<div align=\"right\">`foo^bar´</div>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><div align=\"right\">`foo^bar´</div></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><div align=\"right\">`foo^bar´</div></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><div align=\"right\">`foo^bar´</div></div>CAN<br>ARY</body>"
         }
       },
       "H:H1_TEXT-1_SC": {
@@ -5556,15 +5568,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><div style=\"margin-left: 40px;\">`foo[bar]baz´</div></body>"
         },
         "div": {
-          "valscore": 0,
+          "valscore": 1,
           "selscore": 1,
-          "valresult": 7,
+          "valresult": 8,
           "selresult": 5,
-          "output": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"margin-left: 40px;\">`foo[bar]baz´</div>",
-          "innerHTML": "`foo[bar]baz´",
-          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"margin-left: 40px;\">`foo[bar]baz´</div>",
-          "bodyInnerHTML": "CAN<br>ARY<div style=\"margin-left: 40px;\" id=\"editor-div\" contenteditable=\"true\">`foo[bar]baz´</div>CAN<br>ARY",
-          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\" style=\"margin-left: 40px;\">`foo[bar]baz´</div>CAN<br>ARY</body>"
+          "output": "<div style=\"margin-left: 40px;\">`foo[bar]baz´</div>",
+          "innerHTML": "<div style=\"margin-left: 40px;\">`foo[bar]baz´</div>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><div style=\"margin-left: 40px;\">`foo[bar]baz´</div></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><div style=\"margin-left: 40px;\">`foo[bar]baz´</div></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><div style=\"margin-left: 40px;\">`foo[bar]baz´</div></div>CAN<br>ARY</body>"
         }
       },
       "JC_TEXT-1_SC": {
@@ -5591,15 +5603,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><div style=\"text-align: center;\">`foo^bar´</div></body>"
         },
         "div": {
-          "valscore": 0,
+          "valscore": 1,
           "selscore": 1,
-          "valresult": 7,
+          "valresult": 8,
           "selresult": 5,
-          "output": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"text-align: center;\">`foo^bar´</div>",
-          "innerHTML": "`foo^bar´",
-          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"text-align: center;\">`foo^bar´</div>",
-          "bodyInnerHTML": "CAN<br>ARY<div style=\"text-align: center;\" id=\"editor-div\" contenteditable=\"true\">`foo^bar´</div>CAN<br>ARY",
-          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\" style=\"text-align: center;\">`foo^bar´</div>CAN<br>ARY</body>"
+          "output": "<div style=\"text-align: center;\">`foo^bar´</div>",
+          "innerHTML": "<div style=\"text-align: center;\">`foo^bar´</div>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><div style=\"text-align: center;\">`foo^bar´</div></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><div style=\"text-align: center;\">`foo^bar´</div></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><div style=\"text-align: center;\">`foo^bar´</div></div>CAN<br>ARY</body>"
         }
       },
       "JF_TEXT-1_SC": {
@@ -5626,15 +5638,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><div style=\"text-align: justify;\">`foo^bar´</div></body>"
         },
         "div": {
-          "valscore": 0,
+          "valscore": 1,
           "selscore": 1,
-          "valresult": 7,
+          "valresult": 8,
           "selresult": 5,
-          "output": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"text-align: justify;\">`foo^bar´</div>",
-          "innerHTML": "`foo^bar´",
-          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"text-align: justify;\">`foo^bar´</div>",
-          "bodyInnerHTML": "CAN<br>ARY<div style=\"text-align: justify;\" id=\"editor-div\" contenteditable=\"true\">`foo^bar´</div>CAN<br>ARY",
-          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\" style=\"text-align: justify;\">`foo^bar´</div>CAN<br>ARY</body>"
+          "output": "<div style=\"text-align: justify;\">`foo^bar´</div>",
+          "innerHTML": "<div style=\"text-align: justify;\">`foo^bar´</div>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><div style=\"text-align: justify;\">`foo^bar´</div></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><div style=\"text-align: justify;\">`foo^bar´</div></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><div style=\"text-align: justify;\">`foo^bar´</div></div>CAN<br>ARY</body>"
         }
       },
       "JL_TEXT-1_SC": {
@@ -5661,15 +5673,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><div style=\"text-align: left;\">`foo^bar´</div></body>"
         },
         "div": {
-          "valscore": 0,
+          "valscore": 1,
           "selscore": 1,
-          "valresult": 7,
+          "valresult": 8,
           "selresult": 5,
-          "output": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"text-align: left;\">`foo^bar´</div>",
-          "innerHTML": "`foo^bar´",
-          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"text-align: left;\">`foo^bar´</div>",
-          "bodyInnerHTML": "CAN<br>ARY<div style=\"text-align: left;\" id=\"editor-div\" contenteditable=\"true\">`foo^bar´</div>CAN<br>ARY",
-          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\" style=\"text-align: left;\">`foo^bar´</div>CAN<br>ARY</body>"
+          "output": "<div style=\"text-align: left;\">`foo^bar´</div>",
+          "innerHTML": "<div style=\"text-align: left;\">`foo^bar´</div>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><div style=\"text-align: left;\">`foo^bar´</div></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><div style=\"text-align: left;\">`foo^bar´</div></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><div style=\"text-align: left;\">`foo^bar´</div></div>CAN<br>ARY</body>"
         }
       },
       "JR_TEXT-1_SC": {
@@ -5696,15 +5708,15 @@ const TEST_RESULTS = {
           "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\"><div style=\"text-align: right;\">`foo^bar´</div></body>"
         },
         "div": {
-          "valscore": 0,
+          "valscore": 1,
           "selscore": 1,
-          "valresult": 7,
+          "valresult": 8,
           "selresult": 5,
-          "output": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"text-align: right;\">`foo^bar´</div>",
-          "innerHTML": "`foo^bar´",
-          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\" style=\"text-align: right;\">`foo^bar´</div>",
-          "bodyInnerHTML": "CAN<br>ARY<div style=\"text-align: right;\" id=\"editor-div\" contenteditable=\"true\">`foo^bar´</div>CAN<br>ARY",
-          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\" style=\"text-align: right;\">`foo^bar´</div>CAN<br>ARY</body>"
+          "output": "<div style=\"text-align: right;\">`foo^bar´</div>",
+          "innerHTML": "<div style=\"text-align: right;\">`foo^bar´</div>",
+          "outerHTML": "<div xmlns=\"http://www.w3.org/1999/xhtml\" contenteditable=\"true\" id=\"editor-div\"><div style=\"text-align: right;\">`foo^bar´</div></div>",
+          "bodyInnerHTML": "CAN<br>ARY<div id=\"editor-div\" contenteditable=\"true\"><div style=\"text-align: right;\">`foo^bar´</div></div>CAN<br>ARY",
+          "bodyOuterHTML": "<body xmlns=\"http://www.w3.org/1999/xhtml\">CAN<br>ARY<div contenteditable=\"true\" id=\"editor-div\"><div style=\"text-align: right;\">`foo^bar´</div></div>CAN<br>ARY</body>"
         }
       }
     }
diff --git a/editor/libeditor/html/tests/test_bug414526.html b/editor/libeditor/html/tests/test_bug414526.html
index 2022a2a410a..499ee7d10c1 100644
--- a/editor/libeditor/html/tests/test_bug414526.html
+++ b/editor/libeditor/html/tests/test_bug414526.html
@@ -42,6 +42,8 @@ function runTests()
     selection.collapseToEnd();
   }
 
+  /* TestCase #1
+   */
   const kTestCase1 =
     "<p id=\"editor1\" contenteditable=\"true\">editor1</p>" +
     "<p id=\"editor2\" contenteditable=\"true\">editor2</p>" +
@@ -50,7 +52,7 @@ function runTests()
     "non-editable text" +
     "<p id=\"editor5\" contenteditable=\"true\">editor5</p>";
 
-  const kTestCase1_editor3_specialcase =
+  const kTestCase1_editor3_deleteAtStart =
     "<p id=\"editor1\" contenteditable=\"true\">editor1</p>" +
     "<p id=\"editor2\" contenteditable=\"true\">editor2</p>" +
     "<div id=\"editor3\" contenteditable=\"true\"><div>ditor3</div></div>" +
@@ -58,6 +60,14 @@ function runTests()
     "non-editable text" +
     "<p id=\"editor5\" contenteditable=\"true\">editor5</p>";
 
+  const kTestCase1_editor3_backspaceAtEnd =
+    "<p id=\"editor1\" contenteditable=\"true\">editor1</p>" +
+    "<p id=\"editor2\" contenteditable=\"true\">editor2</p>" +
+    "<div id=\"editor3\" contenteditable=\"true\"><div>editor</div></div>" +
+    "<p id=\"editor4\" contenteditable=\"true\">editor4</p>" +
+    "non-editable text" +
+    "<p id=\"editor5\" contenteditable=\"true\">editor5</p>";
+
   container.innerHTML = kTestCase1;
 
   var editor1 = document.getElementById("editor1");
@@ -66,6 +76,9 @@ function runTests()
   var editor4 = document.getElementById("editor4");
   var editor5 = document.getElementById("editor5");
 
+  /* TestCase #1:
+   * pressing backspace key at start should not change the content.
+   */
   editor2.focus();
   moveCaretToStartOf(editor2);
   synthesizeKey("VK_BACK_SPACE", { });
@@ -94,6 +107,9 @@ function runTests()
      "Pressing backspace key at start of editor5 changes the content");
   reset();
 
+  /* TestCase #1:
+   * pressing delete key at end should not change the content.
+   */
   editor1.focus();
   moveCaretToEndOf(editor1);
   synthesizeKey("VK_DELETE", { });
@@ -127,14 +143,28 @@ function runTests()
      "Pressing delete key at end of editor4 changes the content");
   reset();
 
-  // Cases when the caret is not on text node.
+  /* TestCase #1: cases when the caret is not on text node.
+   *   - pressing delete key at start should remove the first character
+   *   - pressing backspace key at end should remove the first character
+   * and the adjacent blocks should not be changed.
+   */
   editor3.focus();
   moveCaretToStartOf(editor3);
   synthesizeKey("VK_DELETE", { });
-  is(container.innerHTML, kTestCase1_editor3_specialcase,
-     "Pressing delete key at end of editor3 changes the content");
+  is(container.innerHTML, kTestCase1_editor3_deleteAtStart,
+     "Pressing delete key at start of editor3 changes adjacent elements"
+     + " and/or does not remove the first character.");
   reset();
 
+  // Backspace doesn't work here yet.
+  editor3.focus();
+  moveCaretToEndOf(editor3);
+  synthesizeKey("VK_BACK_SPACE", { });
+  todo_is(container.innerHTML, kTestCase1_editor3_backspaceAtEnd,
+          "Pressing backspace key at end of editor3 changes adjacent elements"
+          + " and/or does not remove the last character.");
+  reset();
+  //  We can still check that adjacent elements are not affected.
   editor3.focus();
   moveCaretToEndOf(editor3);
   synthesizeKey("VK_BACK_SPACE", { });
@@ -142,6 +172,9 @@ function runTests()
      "Pressing backspace key at end of editor3 changes the content");
   reset();
 
+  /* TestCase #2:
+   * two adjacent editable <span> in a table cell.
+   */
   const kTestCase2 = "<table><tbody><tr><td><span id=\"editor1\" contenteditable=\"true\">test</span>" +
     "<span id=\"editor2\" contenteditable=\"true\">test</span></td></tr></tbody></table>";
 
@@ -163,6 +196,9 @@ function runTests()
      "Pressing delete key at the end of editor1 changes the content for kTestCase2");
   reset();
 
+  /* TestCase #3:
+   * editable <span> in two adjacent table cells.
+   */
   const kTestCase3 = "<table><tbody><tr><td><span id=\"editor1\" contenteditable=\"true\">test</span></td>" +
     "<td><span id=\"editor2\" contenteditable=\"true\">test</span></td></tr></tbody></table>";
 
@@ -184,6 +220,9 @@ function runTests()
      "Pressing delete key at the end of editor1 changes the content for kTestCase3");
   reset();
 
+  /* TestCase #4:
+   * editable <div> in two adjacent table cells.
+   */
   const kTestCase4 = "<table><tbody><tr><td><div id=\"editor1\" contenteditable=\"true\">test</div></td>" +
     "<td><div id=\"editor2\" contenteditable=\"true\">test</div></td></tr></tbody></table>";
 
diff --git a/editor/libeditor/html/tests/test_bug677752.html b/editor/libeditor/html/tests/test_bug677752.html
new file mode 100644
index 00000000000..8809c1ead4e
--- /dev/null
+++ b/editor/libeditor/html/tests/test_bug677752.html
@@ -0,0 +1,107 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=677752
+-->
+<head>
+  <title>Test for Bug 677752</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=677752">Mozilla Bug 677752</a>
+<p id="display"></p>
+<div id="content">
+  <section contenteditable> foo bar </section>
+  <div contenteditable> foo bar </div>
+  <p contenteditable> foo bar </p>
+</div>
+
+<pre id="test">
+<script type="application/javascript">
+
+/** Test for Bug 677752 **/
+SimpleTest.waitForExplicitFinish();
+SimpleTest.waitForFocus(runTests);
+
+function selectEditor(aEditor) {
+  aEditor.focus();
+  var selection = window.getSelection();
+  selection.selectAllChildren(aEditor);
+  selection.collapseToStart();
+}
+
+function runTests() {
+  var editor, node, initialHTML;
+  document.execCommand('styleWithCSS', false, true);
+
+  // editable <section>
+  editor = document.querySelector("section[contenteditable]");
+  initialHTML = editor.innerHTML;
+  selectEditor(editor);
+  // editable <section>: justify
+  document.execCommand("justifyright", false, null);
+  node = editor.querySelector("*");
+  is(node.nodeName.toLowerCase(), "div", "'justifyright' should create a <div> in the editable <section>.");
+  is(node.style.textAlign,      "right", "'justifyright' should create a 'text-align: right' CSS rule.");
+  document.execCommand("undo", false, null);
+  // editable <section>: indent
+  document.execCommand("indent", false, null);
+  node = editor.querySelector("*");
+  is(node.nodeName.toLowerCase(), "div", "'indent' should create a <div> in the editable <section>.");
+  is(node.style.marginLeft,      "40px", "'indent' should create a 'margin-left: 40px' CSS rule.");
+  // editable <section>: undo with outdent
+  // this should remove the whole <div> but only removing the CSS rule would be acceptable, too
+  document.execCommand("outdent", false, null);
+  is(editor.innerHTML, initialHTML, "'outdent' should undo the 'indent' action.");
+  // editable <section>: outdent again
+  document.execCommand("outdent", false, null);
+  is(editor.innerHTML, initialHTML, "another 'outdent' should not modify the <section> element.");
+
+  // editable <div>
+  editor = document.querySelector("div[contenteditable]");
+  initialHTML = editor.innerHTML;
+  selectEditor(editor);
+  // editable <div>: justify
+  document.execCommand("justifyright", false, null);
+  node = editor.querySelector("*");
+  is(node.nodeName.toLowerCase(), "div", "'justifyright' should create a <div> in the editable <div>.");
+  is(node.style.textAlign,      "right", "'justifyright' should create a 'text-align: right' CSS rule.");
+  document.execCommand("undo", false, null);
+  // editable <div>: indent
+  document.execCommand("indent", false, null);
+  node = editor.querySelector("*");
+  is(node.nodeName.toLowerCase(), "div", "'indent' should create a <div> in the editable <div>.");
+  is(node.style.marginLeft,      "40px", "'indent' should create a 'margin-left: 40px' CSS rule.");
+  // editable <div>: undo with outdent
+  // this should remove the whole <div> but only removing the CSS rule would be acceptable, too
+  document.execCommand("outdent", false, null);
+  is(editor.innerHTML, initialHTML, "'outdent' should undo the 'indent' action.");
+  // editable <div>: outdent again
+  document.execCommand("outdent", false, null);
+  is(editor.innerHTML, initialHTML, "another 'outdent' should not modify the <div> element.");
+
+  // editable <p>
+  // all block-level commands should be ignored (<p><div/></p> is not valid)
+  editor = document.querySelector("p[contenteditable]");
+  initialHTML = editor.innerHTML;
+  selectEditor(editor);
+  // editable <p>: justify
+  document.execCommand("justifyright", false, null);
+  is(editor.innerHTML, initialHTML, "'justifyright' should have no effect on <p>.");
+  // editable <p>: indent
+  document.execCommand("indent", false, null);
+  is(editor.innerHTML, initialHTML, "'indent' should have no effect on <p>.");
+  // editable <p>: outdent
+  document.execCommand("outdent", false, null);
+  is(editor.innerHTML, initialHTML, "'outdent' should have no effect on <p>.");
+
+  // done
+  SimpleTest.finish();
+}
+
+</script>
+</pre>
+</body>
+</html>
diff --git a/editor/libeditor/html/tests/test_htmleditor_keyevent_handling.html b/editor/libeditor/html/tests/test_htmleditor_keyevent_handling.html
index 4140073a93b..e0ebacd97c2 100644
--- a/editor/libeditor/html/tests/test_htmleditor_keyevent_handling.html
+++ b/editor/libeditor/html/tests/test_htmleditor_keyevent_handling.html
@@ -325,12 +325,10 @@ function runTests()
     synthesizeKey("VK_TAB", { shiftKey: true });
     check(aDescription + "Shift+Tab after Tab on UL",
           true, true, !aIsTabbable && !aIsReadonly && !aIsPlaintext);
-    // XXX why do we fail to outdent on non-tabbable HTML editor?
     is(aElement.innerHTML,
-       aIsReadonly || aIsTabbable ?
+       aIsReadonly || aIsTabbable || (!aIsPlaintext) ?
          "<ul><li id=\"target\">ul list item</li></ul>" :
-         aIsPlaintext ? "<ul><li id=\"target\">ul list item\t</li></ul>" :
-           "<ul><ul><li id=\"target\">ul list item</li></ul></ul>",
+         "<ul><li id=\"target\">ul list item\t</li></ul>",
        aDescription + "Shift+Tab after Tab on UL");
     is(fm.focusedElement, aElement,
        aDescription + "focus moved unexpectedly (Shift+Tab after Tab on UL)");
@@ -340,10 +338,8 @@ function runTests()
     check(aDescription + "Shift+Tab on UL",
           true, true, !aIsTabbable && !aIsReadonly && !aIsPlaintext);
     is(aElement.innerHTML,
-       aIsReadonly || aIsTabbable ?
-         "<ul><li id=\"target\">ul list item</li></ul>" :
-         aIsPlaintext ? "<ul><li id=\"target\">ul list item</li></ul>" :
-           "<ul><li id=\"target\">ul list item</li></ul>",
+       aIsReadonly || aIsTabbable || aIsPlaintext ?
+         "<ul><li id=\"target\">ul list item</li></ul>" : "ul list item",
        aDescription + "Shift+Tab on UL");
     is(fm.focusedElement, aElement,
        aDescription + "focus moved unexpectedly (Shift+Tab on UL)");
@@ -389,12 +385,10 @@ function runTests()
     synthesizeKey("VK_TAB", { shiftKey: true });
     check(aDescription + "Shift+Tab after Tab on OL",
           true, true, !aIsTabbable && !aIsReadonly && !aIsPlaintext);
-    // XXX why do we fail to outdent on non-tabbable HTML editor?
     is(aElement.innerHTML,
-       aIsReadonly || aIsTabbable ?
+       aIsReadonly || aIsTabbable || (!aIsPlaintext) ?
          "<ol><li id=\"target\">ol list item</li></ol>" :
-         aIsPlaintext ? "<ol><li id=\"target\">ol list item\t</li></ol>" :
-           "<ol><ol><li id=\"target\">ol list item</li></ol></ol>",
+         "<ol><li id=\"target\">ol list item\t</li></ol>",
        aDescription + "Shift+Tab after Tab on OL");
     is(fm.focusedElement, aElement,
        aDescription + "focus moved unexpectedly (Shift+Tab after Tab on OL)");
@@ -404,10 +398,8 @@ function runTests()
     check(aDescription + "Shift+Tab on OL",
           true, true, !aIsTabbable && !aIsReadonly && !aIsPlaintext);
     is(aElement.innerHTML,
-       aIsReadonly || aIsTabbable ?
-         "<ol><li id=\"target\">ol list item</li></ol>" :
-         aIsPlaintext ? "<ol><li id=\"target\">ol list item</li></ol>" :
-           "<ol><li id=\"target\">ol list item</li></ol>",
+       aIsReadonly || aIsTabbable || aIsPlaintext ?
+         "<ol><li id=\"target\">ol list item</li></ol>" : "ol list item",
        aDescription + "Shfit+Tab on OL");
     is(fm.focusedElement, aElement,
        aDescription + "focus moved unexpectedly (Shift+Tab on OL)");
diff --git a/embedding/android/GeckoSurfaceView.java b/embedding/android/GeckoSurfaceView.java
index f53d1a84b4f..b8a49477efc 100644
--- a/embedding/android/GeckoSurfaceView.java
+++ b/embedding/android/GeckoSurfaceView.java
@@ -169,8 +169,30 @@ class GeckoSurfaceView
     }
 
     public void surfaceChanged(SurfaceHolder holder, int format, int width, int height) {
+
+        // Force exactly one frame to render
+        // because the surface change is only seen after we
+        // have swapped the back buffer.
+        // The buffer size only changes after the next swap buffer.
+        // We need to make sure the Gecko's view resize when Android's 
+        // buffer resizes.
+        if (mDrawMode == DRAW_GLES_2) {
+            // When we get a surfaceChange event, we have 0 to n paint events 
+            // waiting in the Gecko event queue. We will make the first
+            // succeed and the abort the others.
+            mDrawSingleFrame = true;
+            if (!mInDrawing) { 
+                // Queue at least one paint event in case none are queued.
+                GeckoAppShell.scheduleRedraw();
+            }
+            GeckoAppShell.geckoEventSync();
+            mDrawSingleFrame = false;
+            mAbortDraw = false;
+        }
+
         if (mShowingSplashScreen)
             drawSplashScreen(holder, width, height);
+
         mSurfaceLock.lock();
 
         try {
@@ -221,6 +243,12 @@ class GeckoSurfaceView
             }
         } finally {
             mSurfaceLock.unlock();
+            if (mDrawMode == DRAW_GLES_2) {
+                // Force a frame to be drawn before the surfaceChange returns,
+                // otherwise we get artifacts.
+                GeckoAppShell.scheduleRedraw();
+                GeckoAppShell.geckoEventSync();
+            }
         }
 
         Object syncDrawObject = null;
@@ -254,7 +282,12 @@ class GeckoSurfaceView
         mSoftwareBufferCopy = null;
         mSoftwareBitmap = null;
         GeckoEvent e = new GeckoEvent(GeckoEvent.SURFACE_DESTROYED);
-        GeckoAppShell.sendEventToGecko(e);
+        if (mDrawMode == DRAW_GLES_2) {
+            // Ensure GL cleanup occurs before we return.
+            GeckoAppShell.sendEventToGeckoSync(e);
+        } else {
+            GeckoAppShell.sendEventToGecko(e);
+        }
     }
 
     public Bitmap getSoftwareDrawBitmap() {
@@ -293,6 +326,10 @@ class GeckoSurfaceView
     public static final int DRAW_ERROR = 0;
     public static final int DRAW_GLES_2 = 1;
     public static final int DRAW_2D = 2;
+    // Drawing is disable when the surface buffer
+    // has changed size but we haven't yet processed the
+    // resize event.
+    public static final int DRAW_DISABLED = 3;
 
     public int beginDrawing() {
         if (mInDrawing) {
@@ -300,6 +337,12 @@ class GeckoSurfaceView
             return DRAW_ERROR;
         }
 
+        // Once we drawn our first frame after resize we can ignore
+        // the other draw events until we handle the resize events.
+        if (mAbortDraw) {
+            return DRAW_DISABLED;
+        }
+
         /* Grab the lock, which we'll hold while we're drawing.
          * It gets released in endDrawing(), and is also used in surfaceChanged
          * to make sure that we don't change our surface details while
@@ -330,6 +373,9 @@ class GeckoSurfaceView
             return;
         }
 
+       if (mDrawSingleFrame)
+            mAbortDraw = true;
+
         try {
             if (!mSurfaceValid) {
                 Log.e(LOG_FILE_NAME, "endDrawing with false mSurfaceValid");
@@ -657,6 +703,10 @@ class GeckoSurfaceView
     // Are we actively between beginDrawing/endDrawing?
     boolean mInDrawing;
 
+    // Used to finish the current buffer before changing the surface size
+    boolean mDrawSingleFrame = false;
+    boolean mAbortDraw = false;
+
     // Are we waiting for a buffer to draw in surfaceChanged?
     boolean mSyncDraw;
 
diff --git a/extensions/pref/system-pref/src/gconf/nsSystemPrefService.cpp b/extensions/pref/system-pref/src/gconf/nsSystemPrefService.cpp
index e8e4d0ff6cf..07e8242a73c 100644
--- a/extensions/pref/system-pref/src/gconf/nsSystemPrefService.cpp
+++ b/extensions/pref/system-pref/src/gconf/nsSystemPrefService.cpp
@@ -285,7 +285,7 @@ NS_IMETHODIMP nsSystemPrefService::GetBoolPref(const char *aPrefName, PRBool *_r
 }
 
 /* void setBoolPref (in string aPrefName, in long aValue); */
-NS_IMETHODIMP nsSystemPrefService::SetBoolPref(const char *aPrefName, PRInt32 aValue)
+NS_IMETHODIMP nsSystemPrefService::SetBoolPref(const char *aPrefName, PRBool aValue)
 {
     return NS_ERROR_NOT_IMPLEMENTED;
 }
diff --git a/extensions/spellcheck/src/mozInlineSpellChecker.cpp b/extensions/spellcheck/src/mozInlineSpellChecker.cpp
index 59cf6e5ba04..e159d38e567 100644
--- a/extensions/spellcheck/src/mozInlineSpellChecker.cpp
+++ b/extensions/spellcheck/src/mozInlineSpellChecker.cpp
@@ -1765,8 +1765,7 @@ NS_IMETHODIMP mozInlineSpellChecker::UpdateCurrentDictionary()
     previousDictionary.Truncate();
   }
 
-  nsCOMPtr<nsIEditor> editor (do_QueryReferent(mEditor));
-  nsresult rv = mSpellCheck->UpdateCurrentDictionary(editor);
+  nsresult rv = mSpellCheck->UpdateCurrentDictionary();
 
   nsAutoString currentDictionary;
   if (NS_FAILED(mSpellCheck->GetCurrentDictionary(currentDictionary))) {
diff --git a/extensions/spellcheck/src/mozSpellChecker.cpp b/extensions/spellcheck/src/mozSpellChecker.cpp
index 3ada4c029b5..96832848549 100644
--- a/extensions/spellcheck/src/mozSpellChecker.cpp
+++ b/extensions/spellcheck/src/mozSpellChecker.cpp
@@ -41,10 +41,6 @@
 #include "nsICategoryManager.h"
 #include "nsISupportsPrimitives.h"
 
-// The number 130 more or less comes out of thin air.
-// See https://bugzilla.mozilla.org/show_bug.cgi?id=355178#c78 for a pseudo-rationale.
-#define UNREASONABLE_WORD_LENGTH 130
-
 #define DEFAULT_SPELL_CHECKER "@mozilla.org/spellchecker/engine;1"
 
 NS_IMPL_CYCLE_COLLECTING_ADDREF(mozSpellChecker)
@@ -149,12 +145,6 @@ mozSpellChecker::CheckWord(const nsAString &aWord, PRBool *aIsMisspelled, nsTArr
   if(!mSpellCheckingEngine)
     return NS_ERROR_NULL_POINTER;
 
-  // don't bother to check crazy words
-  if (aWord.Length() > UNREASONABLE_WORD_LENGTH) {
-    *aIsMisspelled = PR_TRUE;
-    return NS_OK;
-  }
-
   *aIsMisspelled = PR_FALSE;
   result = mSpellCheckingEngine->Check(PromiseFlatString(aWord).get(), &correct);
   NS_ENSURE_SUCCESS(result, result);
diff --git a/gfx/2d/DrawTargetD2D.cpp b/gfx/2d/DrawTargetD2D.cpp
index 03394fc6a42..480685813db 100644
--- a/gfx/2d/DrawTargetD2D.cpp
+++ b/gfx/2d/DrawTargetD2D.cpp
@@ -50,19 +50,19 @@
 #endif
 
 typedef HRESULT (WINAPI*D2D1CreateFactoryFunc)(
-    __in D2D1_FACTORY_TYPE factoryType,
-    __in REFIID iid,
-    __in_opt CONST D2D1_FACTORY_OPTIONS *pFactoryOptions,
-    __out void **factory
+    D2D1_FACTORY_TYPE factoryType,
+    REFIID iid,
+    CONST D2D1_FACTORY_OPTIONS *pFactoryOptions,
+    void **factory
 );
 
 typedef HRESULT (WINAPI*D3D10CreateEffectFromMemoryFunc)(
-  __in   void *pData,
-  __in   SIZE_T DataLength,
-  __in   UINT FXFlags,
-  __in   ID3D10Device *pDevice,
-  __in   ID3D10EffectPool *pEffectPool,
-  __out  ID3D10Effect **ppEffect
+    void *pData,
+    SIZE_T DataLength,
+    UINT FXFlags,
+    ID3D10Device *pDevice,
+    ID3D10EffectPool *pEffectPool,
+    ID3D10Effect **ppEffect
 );
 
 using namespace std;
diff --git a/gfx/2d/GradientStopsD2D.h b/gfx/2d/GradientStopsD2D.h
index bdb228c9114..4db16623200 100644
--- a/gfx/2d/GradientStopsD2D.h
+++ b/gfx/2d/GradientStopsD2D.h
@@ -40,7 +40,7 @@
 
 #include "2D.h"
 
-#include <D2D1.h>
+#include <d2d1.h>
 
 namespace mozilla {
 namespace gfx {
diff --git a/gfx/2d/HelpersD2D.h b/gfx/2d/HelpersD2D.h
index c3f013d7eea..7d11d24218a 100644
--- a/gfx/2d/HelpersD2D.h
+++ b/gfx/2d/HelpersD2D.h
@@ -38,7 +38,7 @@
 #ifndef MOZILLA_GFX_HELPERSD2D_H_
 #define MOZILLA_GFX_HELPERSD2D_H_
 
-#include <D2D1.h>
+#include <d2d1.h>
 #include "2D.h"
 
 namespace mozilla {
diff --git a/gfx/2d/PathD2D.h b/gfx/2d/PathD2D.h
index f759902cf96..7eb03820430 100644
--- a/gfx/2d/PathD2D.h
+++ b/gfx/2d/PathD2D.h
@@ -39,7 +39,7 @@
 #define MOZILLA_GFX_PATHD2D_H_
 
 #include "2D.h"
-#include <D2D1.h>
+#include <d2d1.h>
 
 namespace mozilla {
 namespace gfx {
diff --git a/gfx/layers/opengl/ThebesLayerOGL.cpp b/gfx/layers/opengl/ThebesLayerOGL.cpp
index e8b2687cd1e..91fd36c40ee 100644
--- a/gfx/layers/opengl/ThebesLayerOGL.cpp
+++ b/gfx/layers/opengl/ThebesLayerOGL.cpp
@@ -191,96 +191,40 @@ ThebesLayerBufferOGL::RenderTo(const nsIntPoint& aOffset,
       renderRegion = &visibleRegion;
     }
 
+    mTexImage->BeginTileIteration();
+    if (mTexImageOnWhite) {
+      mTexImageOnWhite->BeginTileIteration();
+      NS_ASSERTION(mTexImageOnWhite->GetTileRect() == mTexImage->GetTileRect(), "component alpha textures should be the same size.");
+    }
     nsIntRegion region(*renderRegion);
     nsIntPoint origin = GetOriginOffset();
     region.MoveBy(-origin);           // translate into TexImage space, buffer origin might not be at texture (0,0)
 
-    // Figure out the intersecting draw region
-    nsIntSize texSize = mTexImage->GetSize();
-    nsIntRect textureRect = nsIntRect(0, 0, texSize.width, texSize.height);
-    textureRect.MoveBy(region.GetBounds().TopLeft());
-    nsIntRegion subregion;
-    subregion.And(region, textureRect);
-    if (subregion.IsEmpty())  // Region is empty, nothing to draw
-      return;
-
-    nsIntRegion screenRects;
-    nsIntRegion regionRects;
-
-    // Collect texture/screen coordinates for drawing
-    nsIntRegionRectIterator iter(subregion);
-    while (const nsIntRect* iterRect = iter.Next()) {
-        nsIntRect regionRect = *iterRect;
-        nsIntRect screenRect = regionRect;
-        screenRect.MoveBy(origin);
-
-        screenRects.Or(screenRects, screenRect);
-        regionRects.Or(regionRects, regionRect);
-    }
-
-    mTexImage->BeginTileIteration();
-    if (mTexImageOnWhite) {
-      NS_ASSERTION(mTexImage->GetTileCount() == mTexImageOnWhite->GetTileCount(),
-                   "Tile count mismatch on component alpha texture");
-      mTexImageOnWhite->BeginTileIteration();
-    }
-
-    bool usingTiles = (mTexImage->GetTileCount() > 1);
     do {
-      if (mTexImageOnWhite) {
-        NS_ASSERTION(mTexImageOnWhite->GetTileRect() == mTexImage->GetTileRect(), "component alpha textures should be the same size.");
+      nsIntRect textureRect = mTexImage->GetTileRect();
+      textureRect.MoveBy(region.GetBounds().x, region.GetBounds().y);
+      nsIntRegion subregion(region);
+      subregion.And(region, textureRect); // region this texture is visible in
+      if (subregion.IsEmpty()) {
+        continue;
       }
-
-      nsIntRect tileRect = mTexImage->GetTileRect();
-
       // Bind textures.
       TextureImage::ScopedBindTexture texBind(mTexImage, LOCAL_GL_TEXTURE0);
       TextureImage::ScopedBindTexture texOnWhiteBind(mTexImageOnWhite, LOCAL_GL_TEXTURE1);
 
-      // Draw texture. If we're using tiles, we do repeating manually, as texture
-      // repeat would cause each individual tile to repeat instead of the
-      // compound texture as a whole. This involves drawing at most 4 sections,
-      // 2 for each axis that has texture repeat.
-      for (int y = 0; y < (usingTiles ? 2 : 1); y++) {
-        for (int x = 0; x < (usingTiles ? 2 : 1); x++) {
-          nsIntRect currentTileRect(tileRect);
-          currentTileRect.MoveBy(x * texSize.width, y * texSize.height);
+      nsIntRegionRectIterator iter(subregion);
+      while (const nsIntRect *iterRect = iter.Next()) {
+        nsIntRect regionRect = *iterRect;  // one rectangle of this texture's region
+        // translate into the correct place for this texture sub-region
+        nsIntRect screenRect = regionRect;
+        screenRect.MoveBy(origin);
+        program->SetLayerQuadRect(screenRect);
 
-          nsIntRegionRectIterator screenIter(screenRects);
-          nsIntRegionRectIterator regionIter(regionRects);
-
-          const nsIntRect* screenRect;
-          const nsIntRect* regionRect;
-          while ((screenRect = screenIter.Next()) &&
-                 (regionRect = regionIter.Next())) {
-              nsIntRect tileScreenRect(*screenRect);
-              nsIntRect tileRegionRect(*regionRect);
-
-              // When we're using tiles, find the intersection between the tile
-              // rect and this region rect. Tiling is then handled by the
-              // outer for-loops and modifying the tile rect.
-              if (usingTiles) {
-                  tileScreenRect.MoveBy(-origin);
-                  tileScreenRect = tileScreenRect.Intersect(currentTileRect);
-                  tileScreenRect.MoveBy(origin);
-
-                  if (tileScreenRect.IsEmpty())
-                    continue;
-
-                  tileRegionRect = regionRect->Intersect(currentTileRect);
-                  tileRegionRect.MoveBy(-currentTileRect.TopLeft());
-              }
-
-              program->SetLayerQuadRect(tileScreenRect);
-              aManager->BindAndDrawQuadWithTextureRect(program, tileRegionRect,
-                                                       tileRect.Size(),
-                                                       mTexImage->GetWrapMode());
-          }
-        }
+        regionRect.MoveBy(-mTexImage->GetTileRect().TopLeft()); // get region of tile
+        aManager->BindAndDrawQuadWithTextureRect(program, regionRect,
+                                                 textureRect.Size(),
+                                                 mTexImage->GetWrapMode());
       }
-
-      if (mTexImageOnWhite)
-          mTexImageOnWhite->NextTile();
     } while (mTexImage->NextTile());
   }
 
@@ -847,18 +791,6 @@ ShadowBufferOGL::Upload(gfxASurface* aUpdate, const nsIntRegion& aUpdated,
   nsIntPoint visTopLeft = mLayer->GetVisibleRegion().GetBounds().TopLeft();
   destRegion.MoveBy(-visTopLeft);
 
-  // Correct for rotation
-  destRegion.MoveBy(aRotation);
-  nsIntRect destBounds = destRegion.GetBounds();
-  destRegion.MoveBy((destBounds.x >= size.width) ? -size.width : 0,
-                    (destBounds.y >= size.height) ? -size.height : 0);
-
-  // There's code to make sure that updated regions don't cross rotation
-  // boundaries, so assert here that this is the case
-  NS_ASSERTION(((destBounds.x % size.width) + destBounds.width <= size.width) &&
-               ((destBounds.y % size.height) + destBounds.height <= size.height),
-               "Updated region lies across rotation boundaries!");
-
   // NB: this gfxContext must not escape EndUpdate() below
   mTexImage->DirectUpdate(aUpdate, destRegion);
 
diff --git a/gfx/ots/src/cmap.cc b/gfx/ots/src/cmap.cc
index 591252a6ce9..bedc3b6b90b 100644
--- a/gfx/ots/src/cmap.cc
+++ b/gfx/ots/src/cmap.cc
@@ -488,7 +488,7 @@ bool Parse0514(ots::OpenTypeFile *file,
           return OTS_FAILURE();
         }
         const uint32_t check_value =
-            ranges[j].unicode_value + ranges[i].additional_count;
+            ranges[j].unicode_value + ranges[j].additional_count;
         if (ranges[j].unicode_value == 0 ||
             ranges[j].unicode_value > kUnicodeUpperLimit ||
             check_value > kUVSUpperLimit ||
diff --git a/gfx/src/X11Util.h b/gfx/src/X11Util.h
index 6bc22f4f31d..7be82bc0e2c 100644
--- a/gfx/src/X11Util.h
+++ b/gfx/src/X11Util.h
@@ -126,6 +126,7 @@ private:
  */
 class NS_GFX ScopedXErrorHandler
 {
+public:
     // trivial wrapper around XErrorEvent, just adding ctor initializing by zero.
     struct ErrorEvent
     {
@@ -137,6 +138,8 @@ class NS_GFX ScopedXErrorHandler
         }
     };
 
+private:
+
     // this ScopedXErrorHandler's ErrorEvent object
     ErrorEvent mXError;
 
diff --git a/gfx/thebes/GLContext.cpp b/gfx/thebes/GLContext.cpp
index 443fa8a961f..fcf78f30db3 100644
--- a/gfx/thebes/GLContext.cpp
+++ b/gfx/thebes/GLContext.cpp
@@ -575,8 +575,20 @@ BasicTextureImage::BeginUpdate(nsIntRegion& aRegion)
     NS_ASSERTION(!mUpdateSurface, "BeginUpdate() without EndUpdate()?");
 
     // determine the region the client will need to repaint
-    GetUpdateRegion(aRegion);
-    mUpdateRegion = aRegion;
+    ImageFormat format =
+        (GetContentType() == gfxASurface::CONTENT_COLOR) ?
+        gfxASurface::ImageFormatRGB24 : gfxASurface::ImageFormatARGB32;
+    if (mTextureState != Valid)
+    {
+        // if the texture hasn't been initialized yet, or something important
+        // changed, we need to recreate our backing surface and force the
+        // client to paint everything
+        mUpdateRegion = nsIntRect(nsIntPoint(0, 0), mSize);
+    } else {
+        mUpdateRegion = aRegion;
+    }
+
+    aRegion = mUpdateRegion;
 
     nsIntRect rgnSize = mUpdateRegion.GetBounds();
     if (!nsIntRect(nsIntPoint(0, 0), mSize).Contains(rgnSize)) {
@@ -584,10 +596,7 @@ BasicTextureImage::BeginUpdate(nsIntRegion& aRegion)
         return NULL;
     }
 
-    ImageFormat format =
-        (GetContentType() == gfxASurface::CONTENT_COLOR) ?
-        gfxASurface::ImageFormatRGB24 : gfxASurface::ImageFormatARGB32;
-    mUpdateSurface =
+    mUpdateSurface = 
         GetSurfaceForUpdate(gfxIntSize(rgnSize.width, rgnSize.height), format);
 
     if (!mUpdateSurface || mUpdateSurface->CairoStatus()) {
@@ -600,16 +609,6 @@ BasicTextureImage::BeginUpdate(nsIntRegion& aRegion)
     return mUpdateSurface;
 }
 
-void
-BasicTextureImage::GetUpdateRegion(nsIntRegion& aForRegion)
-{
-  // if the texture hasn't been initialized yet, or something important
-  // changed, we need to recreate our backing surface and force the
-  // client to paint everything
-  if (mTextureState != Valid)
-      aForRegion = nsIntRect(nsIntPoint(0, 0), mSize);
-}
-
 void
 BasicTextureImage::EndUpdate()
 {
@@ -730,9 +729,10 @@ TiledTextureImage::~TiledTextureImage()
 bool 
 TiledTextureImage::DirectUpdate(gfxASurface* aSurf, const nsIntRegion& aRegion, const nsIntPoint& aFrom /* = nsIntPoint(0, 0) */)
 {
+    nsIntRect bounds = aRegion.GetBounds();
     nsIntRegion region;
     if (mTextureState != Valid) {
-        nsIntRect bounds = nsIntRect(0, 0, mSize.width, mSize.height);
+        bounds = nsIntRect(0, 0, mSize.width, mSize.height);
         region = nsIntRegion(bounds);
     } else {
         region = aRegion;
@@ -740,8 +740,8 @@ TiledTextureImage::DirectUpdate(gfxASurface* aSurf, const nsIntRegion& aRegion,
 
     PRBool result = PR_TRUE;
     for (unsigned i = 0; i < mImages.Length(); i++) {
-        int xPos = (i % mColumns) * mTileSize;
-        int yPos = (i / mColumns) * mTileSize;
+        unsigned int xPos = (i % mColumns) * mTileSize;
+        unsigned int yPos = (i / mColumns) * mTileSize;
         nsIntRegion tileRegion;
         tileRegion.And(region, nsIntRect(nsIntPoint(xPos,yPos), mImages[i]->GetSize())); // intersect with tile
         if (tileRegion.IsEmpty())
@@ -757,66 +757,25 @@ TiledTextureImage::DirectUpdate(gfxASurface* aSurf, const nsIntRegion& aRegion,
     return result;
 }
 
-void
-TiledTextureImage::GetUpdateRegion(nsIntRegion& aForRegion)
-{
-    if (mTextureState != Valid) {
-        // if the texture hasn't been initialized yet, or something important
-        // changed, we need to recreate our backing surface and force the
-        // client to paint everything
-        aForRegion = nsIntRect(nsIntPoint(0, 0), mSize);
-        return;
-    }
-
-    nsIntRegion newRegion;
-
-    // We need to query each texture with the region it will be drawing and
-    // set aForRegion to be the combination of all of these regions
-    for (unsigned i = 0; i < mImages.Length(); i++) {
-        int xPos = (i % mColumns) * mTileSize;
-        int yPos = (i / mColumns) * mTileSize;
-        nsIntRect imageRect = nsIntRect(nsIntRect(nsIntPoint(xPos,yPos), mImages[i]->GetSize()));
-
-        if (aForRegion.Intersects(imageRect)) {
-            // Make a copy of the region
-            nsIntRegion subRegion;
-            subRegion.And(aForRegion, imageRect);
-            // Translate it into tile-space
-            subRegion.MoveBy(-xPos, -yPos);
-            // Query region
-            mImages[i]->GetUpdateRegion(subRegion);
-            // Translate back
-            subRegion.MoveBy(xPos, yPos);
-            // Add to the accumulated region
-            newRegion.Or(newRegion, subRegion);
-        }
-    }
-
-    aForRegion = newRegion;
-}
-
 gfxASurface*
 TiledTextureImage::BeginUpdate(nsIntRegion& aRegion)
 {
     NS_ASSERTION(!mInUpdate, "nested update");
     mInUpdate = PR_TRUE;
 
-    // Note, we don't call GetUpdateRegion here as if the updated region is
-    // fully contained in a single tile, we get to avoid iterating through
-    // the tiles again (and a little copying).
     if (mTextureState != Valid)
     {
         // if the texture hasn't been initialized yet, or something important
         // changed, we need to recreate our backing surface and force the
         // client to paint everything
-        aRegion = nsIntRect(nsIntPoint(0, 0), mSize);
+        mUpdateRegion = nsIntRect(nsIntPoint(0, 0), mSize);
+    } else {
+        mUpdateRegion = aRegion;
     }
 
-    nsIntRect bounds = aRegion.GetBounds();
-
     for (unsigned i = 0; i < mImages.Length(); i++) {
-        int xPos = (i % mColumns) * mTileSize;
-        int yPos = (i / mColumns) * mTileSize;
+        unsigned int xPos = (i % mColumns) * mTileSize;
+        unsigned int yPos = (i / mColumns) * mTileSize;
         nsIntRegion imageRegion = nsIntRegion(nsIntRect(nsIntPoint(xPos,yPos), mImages[i]->GetSize()));
 
         // a single Image can handle this update request
@@ -827,10 +786,6 @@ TiledTextureImage::BeginUpdate(nsIntRegion& aRegion)
             nsRefPtr<gfxASurface> surface = mImages[i]->BeginUpdate(aRegion);
             // caller expects container space
             aRegion.MoveBy(xPos, yPos);
-            // Correct the device offset
-            gfxPoint offset = surface->GetDeviceOffset();
-            surface->SetDeviceOffset(gfxPoint(offset.x - xPos,
-                                              offset.y - yPos));
             // we don't have a temp surface
             mUpdateSurface = nsnull;
             // remember which image to EndUpdate
@@ -838,21 +793,15 @@ TiledTextureImage::BeginUpdate(nsIntRegion& aRegion)
             return surface.get();
         }
     }
-
-    // Get the real updated region, taking into account the capabilities of
-    // each TextureImage tile
-    GetUpdateRegion(aRegion);
-    mUpdateRegion = aRegion;
-    bounds = aRegion.GetBounds();
-
     // update covers multiple Images - create a temp surface to paint in
     gfxASurface::gfxImageFormat format =
         (GetContentType() == gfxASurface::CONTENT_COLOR) ?
         gfxASurface::ImageFormatRGB24 : gfxASurface::ImageFormatARGB32;
+
+    nsIntRect bounds = aRegion.GetBounds();
     mUpdateSurface = gfxPlatform::GetPlatform()->
         CreateOffscreenSurface(gfxIntSize(bounds.width, bounds.height), gfxASurface::ContentFromFormat(format));
     mUpdateSurface->SetDeviceOffset(gfxPoint(-bounds.x, -bounds.y));
-
     return mUpdateSurface;
 }
 
@@ -871,10 +820,9 @@ TiledTextureImage::EndUpdate()
 
     // upload tiles from temp surface
     for (unsigned i = 0; i < mImages.Length(); i++) {
-        int xPos = (i % mColumns) * mTileSize;
-        int yPos = (i / mColumns) * mTileSize;
+        unsigned int xPos = (i % mColumns) * mTileSize;
+        unsigned int yPos = (i / mColumns) * mTileSize;
         nsIntRect imageRect = nsIntRect(nsIntPoint(xPos,yPos), mImages[i]->GetSize());
-
         nsIntRegion subregion;
         subregion.And(mUpdateRegion, imageRect);
         if (subregion.IsEmpty())
@@ -894,7 +842,6 @@ TiledTextureImage::EndUpdate()
     mInUpdate = PR_FALSE;
     mShaderType = mImages[0]->GetShaderProgramType();
     mIsRGBFormat = mImages[0]->IsRGB();
-    mTextureState = Valid;
 }
 
 void TiledTextureImage::BeginTileIteration()
@@ -954,11 +901,6 @@ void TiledTextureImage::Resize(const nsIntSize& aSize)
     mTextureState = Allocated;
 }
 
-PRUint32 TiledTextureImage::GetTileCount()
-{
-    return mImages.Length();
-}
-
 PRBool
 GLContext::ResizeOffscreenFBO(const gfxIntSize& aSize)
 {
diff --git a/gfx/thebes/GLContext.h b/gfx/thebes/GLContext.h
index 72e4a4957d4..863f3f444a4 100644
--- a/gfx/thebes/GLContext.h
+++ b/gfx/thebes/GLContext.h
@@ -193,15 +193,6 @@ public:
      * followed by EndUpdate().
      */
     virtual gfxASurface* BeginUpdate(nsIntRegion& aRegion) = 0;
-    /**
-     * Retrieves the region that will require updating, given a
-     * region that needs to be updated. This can be used for
-     * making decisions about updating before calling BeginUpdate().
-     *
-     * |aRegion| is an inout param.
-     */
-    virtual void GetUpdateRegion(nsIntRegion& aForRegion) {
-    };
     /**
      * Finish the active update and synchronize with the server, if
      * necessary.
@@ -227,11 +218,6 @@ public:
     };
 
     virtual GLuint GetTextureID() = 0;
-
-    virtual PRUint32 GetTileCount() {
-        return 1;
-    };
-
     /**
      * Set this TextureImage's size, and ensure a texture has been
      * allocated.  Must not be called between BeginUpdate and EndUpdate.
@@ -362,7 +348,6 @@ public:
     virtual void BindTexture(GLenum aTextureUnit);
 
     virtual gfxASurface* BeginUpdate(nsIntRegion& aRegion);
-    virtual void GetUpdateRegion(nsIntRegion& aForRegion);
     virtual void EndUpdate();
     virtual bool DirectUpdate(gfxASurface* aSurf, const nsIntRegion& aRegion, const nsIntPoint& aFrom = nsIntPoint(0,0));
     virtual GLuint GetTextureID() { return mTexture; };
@@ -407,10 +392,8 @@ public:
     ~TiledTextureImage();
     void DumpDiv();
     virtual gfxASurface* BeginUpdate(nsIntRegion& aRegion);
-    virtual void GetUpdateRegion(nsIntRegion& aForRegion);
     virtual void EndUpdate();
     virtual void Resize(const nsIntSize& aSize);
-    virtual PRUint32 GetTileCount();
     virtual void BeginTileIteration();
     virtual PRBool NextTile();
     virtual nsIntRect GetTileRect();
@@ -569,6 +552,8 @@ public:
 
     virtual void WindowDestroyed() {}
 
+    virtual void ReleaseSurface() {}
+
     void *GetUserData(void *aKey) {
         void *result = nsnull;
         mUserData.Get(aKey, &result);
diff --git a/gfx/thebes/GLContextProviderEGL.cpp b/gfx/thebes/GLContextProviderEGL.cpp
index 3594229d27f..3db398ff8fd 100644
--- a/gfx/thebes/GLContextProviderEGL.cpp
+++ b/gfx/thebes/GLContextProviderEGL.cpp
@@ -695,7 +695,9 @@ public:
 #endif
 
         sEGLLibrary.fDestroyContext(EGL_DISPLAY(), mContext);
-        sEGLLibrary.fDestroySurface(EGL_DISPLAY(), mSurface);
+        if (mSurface) {
+            sEGLLibrary.fDestroySurface(EGL_DISPLAY(), mSurface);
+        }
     }
 
     GLContextType GetContextType() {
@@ -783,7 +785,7 @@ public:
         // Assume that EGL has the same problem as WGL does,
         // where MakeCurrent with an already-current context is
         // still expensive.
-        if (aForce || sEGLLibrary.fGetCurrentContext() != mContext) {
+        if (!mSurface || aForce || sEGLLibrary.fGetCurrentContext() != mContext) {
             if (mGLWidget) {
 #ifdef MOZ_WIDGET_QT
                 static_cast<QGLWidget*>(mGLWidget)->makeCurrent();
@@ -791,6 +793,12 @@ public:
                 succeeded = PR_FALSE;
 #endif
             } else {
+#ifndef MOZ_WIDGET_QT
+                if (!mSurface) {
+                    EGLConfig config = CreateConfig();
+                    mSurface = CreateSurfaceForWindow(NULL, config);
+                }
+#endif
                 succeeded = sEGLLibrary.fMakeCurrent(EGL_DISPLAY(),
                                                      mSurface, mSurface,
                                                      mContext);
@@ -810,8 +818,7 @@ public:
 #else
     virtual PRBool
     RenewSurface() {
-        sEGLLibrary.fDestroySurface(EGL_DISPLAY(), mSurface);
-
+        ReleaseSurface();
         EGLConfig config = CreateConfig();
         mSurface = CreateSurfaceForWindow(NULL, config);
 
@@ -821,6 +828,18 @@ public:
     }
 #endif
 
+#ifndef MOZ_WIDGET_QT
+    virtual void
+    ReleaseSurface() {
+        if (mSurface) {
+            sEGLLibrary.fMakeCurrent(EGL_DISPLAY(), EGL_NO_SURFACE, EGL_NO_SURFACE,
+                                     EGL_NO_CONTEXT);
+            sEGLLibrary.fDestroySurface(EGL_DISPLAY(), mSurface);
+            mSurface = NULL;
+        }
+    }
+#endif
+
     PRBool SetupLookupFunction()
     {
         mLookupFunc = (PlatformLookupFunction)sEGLLibrary.fGetProcAddress;
@@ -840,7 +859,11 @@ public:
 
     PRBool SwapBuffers()
     {
-        return sEGLLibrary.fSwapBuffers(EGL_DISPLAY(), mSurface);
+        if (mSurface) {
+            return sEGLLibrary.fSwapBuffers(EGL_DISPLAY(), mSurface);
+        } else {
+            return PR_FALSE;
+        }
     }
     // GLContext interface - returns Tiled Texture Image in our case
     virtual already_AddRefed<TextureImage>
@@ -1043,7 +1066,9 @@ GLContextEGL::ResizeOffscreen(const gfxIntSize& aNewSize)
 
         SetOffscreenSize(aNewSize, pbsize);
 
-        sEGLLibrary.fDestroySurface(EGL_DISPLAY(), mSurface);
+        if (mSurface) {
+            sEGLLibrary.fDestroySurface(EGL_DISPLAY(), mSurface);
+        }
 
         mSurface = surface;
 
@@ -1207,28 +1232,27 @@ public:
         }
     }
 
-    virtual void GetUpdateRegion(nsIntRegion& aForRegion)
-    {
-        if (mTextureState != Valid) {
-            // if the texture hasn't been initialized yet, force the
-            // client to paint everything
-            aForRegion = nsIntRect(nsIntPoint(0, 0), mSize);
-        } else if (!mBackingSurface) {
-            // We can only draw a rectangle, not subregions due to
-            // the way that our texture upload functions work.  If
-            // needed, we /could/ do multiple texture uploads if we have
-            // non-overlapping rects, but that's a tradeoff.
-            aForRegion = nsIntRegion(mUpdateRect);
-        }
-    }
-
     virtual gfxASurface* BeginUpdate(nsIntRegion& aRegion)
     {
         NS_ASSERTION(!mUpdateSurface, "BeginUpdate() without EndUpdate()?");
 
         // determine the region the client will need to repaint
-        GetUpdateRegion(aRegion);
-        mUpdateRect = aRegion.GetBounds();
+        if (mTextureState != Valid) {
+            // if the texture hasn't been initialized yet, force the
+            // client to paint everything
+            mUpdateRect = nsIntRect(nsIntPoint(0, 0), mSize);
+            //printf_stderr("v Forcing full paint\n");
+            aRegion = nsIntRegion(mUpdateRect);
+        } else {
+            mUpdateRect = aRegion.GetBounds();
+            if (!mBackingSurface) {
+                // We can only draw a rectangle, not subregions due to
+                // the way that our texture upload functions work.  If
+                // needed, we /could/ do multiple texture uploads if we have
+                // non-overlapping rects, but that's a tradeoff.
+                aRegion = nsIntRegion(mUpdateRect);
+            }
+        }
 
         //printf_stderr("BeginUpdate with updateRect [%d %d %d %d]\n", mUpdateRect.x, mUpdateRect.y, mUpdateRect.width, mUpdateRect.height);
         if (!nsIntRect(nsIntPoint(0, 0), mSize).Contains(mUpdateRect)) {
diff --git a/gfx/thebes/GLContextProviderGLX.cpp b/gfx/thebes/GLContextProviderGLX.cpp
index 6763d65a32b..887d06f87db 100644
--- a/gfx/thebes/GLContextProviderGLX.cpp
+++ b/gfx/thebes/GLContextProviderGLX.cpp
@@ -112,65 +112,70 @@ GLXLibrary::EnsureInitialized()
         reporter.SetSuccessful();
     }
 
+    if (PR_GetEnv("MOZ_GLX_DEBUG")) {
+        mDebug = PR_TRUE;
+    }
+
     LibrarySymbolLoader::SymLoadStruct symbols[] = {
         /* functions that were in GLX 1.0 */
-        { (PRFuncPtr*) &xDestroyContext, { "glXDestroyContext", NULL } },
-        { (PRFuncPtr*) &xMakeCurrent, { "glXMakeCurrent", NULL } },
-        { (PRFuncPtr*) &xSwapBuffers, { "glXSwapBuffers", NULL } },
-        { (PRFuncPtr*) &xQueryVersion, { "glXQueryVersion", NULL } },
-        { (PRFuncPtr*) &xGetCurrentContext, { "glXGetCurrentContext", NULL } },
-        { (PRFuncPtr*) &xWaitGL, { "glXWaitGL", NULL } },
+        { (PRFuncPtr*) &xDestroyContextInternal, { "glXDestroyContext", NULL } },
+        { (PRFuncPtr*) &xMakeCurrentInternal, { "glXMakeCurrent", NULL } },
+        { (PRFuncPtr*) &xSwapBuffersInternal, { "glXSwapBuffers", NULL } },
+        { (PRFuncPtr*) &xQueryVersionInternal, { "glXQueryVersion", NULL } },
+        { (PRFuncPtr*) &xGetCurrentContextInternal, { "glXGetCurrentContext", NULL } },
+        { (PRFuncPtr*) &xWaitGLInternal, { "glXWaitGL", NULL } },
+        { (PRFuncPtr*) &xWaitXInternal, { "glXWaitX", NULL } },
         /* functions introduced in GLX 1.1 */
-        { (PRFuncPtr*) &xQueryExtensionsString, { "glXQueryExtensionsString", NULL } },
-        { (PRFuncPtr*) &xGetClientString, { "glXGetClientString", NULL } },
-        { (PRFuncPtr*) &xQueryServerString, { "glXQueryServerString", NULL } },
+        { (PRFuncPtr*) &xQueryExtensionsStringInternal, { "glXQueryExtensionsString", NULL } },
+        { (PRFuncPtr*) &xGetClientStringInternal, { "glXGetClientString", NULL } },
+        { (PRFuncPtr*) &xQueryServerStringInternal, { "glXQueryServerString", NULL } },
         { NULL, { NULL } }
     };
 
     LibrarySymbolLoader::SymLoadStruct symbols13[] = {
         /* functions introduced in GLX 1.3 */
-        { (PRFuncPtr*) &xChooseFBConfig, { "glXChooseFBConfig", NULL } },
-        { (PRFuncPtr*) &xGetFBConfigAttrib, { "glXGetFBConfigAttrib", NULL } },
+        { (PRFuncPtr*) &xChooseFBConfigInternal, { "glXChooseFBConfig", NULL } },
+        { (PRFuncPtr*) &xGetFBConfigAttribInternal, { "glXGetFBConfigAttrib", NULL } },
         // WARNING: xGetFBConfigs not set in symbols13_ext
-        { (PRFuncPtr*) &xGetFBConfigs, { "glXGetFBConfigs", NULL } },
-        { (PRFuncPtr*) &xGetVisualFromFBConfig, { "glXGetVisualFromFBConfig", NULL } },
+        { (PRFuncPtr*) &xGetFBConfigsInternal, { "glXGetFBConfigs", NULL } },
+        { (PRFuncPtr*) &xGetVisualFromFBConfigInternal, { "glXGetVisualFromFBConfig", NULL } },
         // WARNING: symbols13_ext sets xCreateGLXPixmapWithConfig instead
-        { (PRFuncPtr*) &xCreatePixmap, { "glXCreatePixmap", NULL } },
-        { (PRFuncPtr*) &xDestroyPixmap, { "glXDestroyPixmap", NULL } },
-        { (PRFuncPtr*) &xCreateNewContext, { "glXCreateNewContext", NULL } },
+        { (PRFuncPtr*) &xCreatePixmapInternal, { "glXCreatePixmap", NULL } },
+        { (PRFuncPtr*) &xDestroyPixmapInternal, { "glXDestroyPixmap", NULL } },
+        { (PRFuncPtr*) &xCreateNewContextInternal, { "glXCreateNewContext", NULL } },
         { NULL, { NULL } }
     };
 
     LibrarySymbolLoader::SymLoadStruct symbols13_ext[] = {
         /* extension equivalents for functions introduced in GLX 1.3 */
         // GLX_SGIX_fbconfig extension
-        { (PRFuncPtr*) &xChooseFBConfig, { "glXChooseFBConfigSGIX", NULL } },
-        { (PRFuncPtr*) &xGetFBConfigAttrib, { "glXGetFBConfigAttribSGIX", NULL } },
+        { (PRFuncPtr*) &xChooseFBConfigInternal, { "glXChooseFBConfigSGIX", NULL } },
+        { (PRFuncPtr*) &xGetFBConfigAttribInternal, { "glXGetFBConfigAttribSGIX", NULL } },
         // WARNING: no xGetFBConfigs equivalent in extensions
-        { (PRFuncPtr*) &xGetVisualFromFBConfig, { "glXGetVisualFromFBConfig", NULL } },
+        { (PRFuncPtr*) &xGetVisualFromFBConfigInternal, { "glXGetVisualFromFBConfig", NULL } },
         // WARNING: different from symbols13:
-        { (PRFuncPtr*) &xCreateGLXPixmapWithConfig, { "glXCreateGLXPixmapWithConfigSGIX", NULL } },
-        { (PRFuncPtr*) &xDestroyPixmap, { "glXDestroyGLXPixmap", NULL } }, // not from ext
-        { (PRFuncPtr*) &xCreateNewContext, { "glXCreateContextWithConfigSGIX", NULL } },
+        { (PRFuncPtr*) &xCreateGLXPixmapWithConfigInternal, { "glXCreateGLXPixmapWithConfigSGIX", NULL } },
+        { (PRFuncPtr*) &xDestroyPixmapInternal, { "glXDestroyGLXPixmap", NULL } }, // not from ext
+        { (PRFuncPtr*) &xCreateNewContextInternal, { "glXCreateContextWithConfigSGIX", NULL } },
         { NULL, { NULL } }
     };
 
     LibrarySymbolLoader::SymLoadStruct symbols14[] = {
         /* functions introduced in GLX 1.4 */
-        { (PRFuncPtr*) &xGetProcAddress, { "glXGetProcAddress", NULL } },
+        { (PRFuncPtr*) &xGetProcAddressInternal, { "glXGetProcAddress", NULL } },
         { NULL, { NULL } }
     };
 
     LibrarySymbolLoader::SymLoadStruct symbols14_ext[] = {
         /* extension equivalents for functions introduced in GLX 1.4 */
         // GLX_ARB_get_proc_address extension
-        { (PRFuncPtr*) &xGetProcAddress, { "glXGetProcAddressARB", NULL } },
+        { (PRFuncPtr*) &xGetProcAddressInternal, { "glXGetProcAddressARB", NULL } },
         { NULL, { NULL } }
     };
 
     LibrarySymbolLoader::SymLoadStruct symbols_texturefrompixmap[] = {
-        { (PRFuncPtr*) &xBindTexImage, { "glXBindTexImageEXT", NULL } },
-        { (PRFuncPtr*) &xReleaseTexImage, { "glXReleaseTexImageEXT", NULL } },
+        { (PRFuncPtr*) &xBindTexImageInternal, { "glXBindTexImageEXT", NULL } },
+        { (PRFuncPtr*) &xReleaseTexImageInternal, { "glXReleaseTexImageEXT", NULL } },
         { NULL, { NULL } }
     };
 
@@ -235,7 +240,7 @@ GLXLibrary::EnsureInitialized()
 
     if (HasExtension(extensionsStr, "GLX_EXT_texture_from_pixmap") &&
         LibrarySymbolLoader::LoadSymbols(mOGLLibrary, symbols_texturefrompixmap, 
-                                         (LibrarySymbolLoader::PlatformLookupFunction)xGetProcAddress))
+                                         (LibrarySymbolLoader::PlatformLookupFunction)&xGetProcAddress))
     {
         mHasTextureFromPixmap = PR_TRUE;
     } else {
@@ -326,7 +331,7 @@ GLXLibrary::BindTexImage(GLXPixmap aPixmap)
 
     Display *display = DefaultXDisplay();
     // Make sure all X drawing to the surface has finished before binding to a texture.
-    XSync(DefaultXDisplay(), False);
+    xWaitX();
     xBindTexImage(display, aPixmap, GLX_FRONT_LEFT_EXT, NULL);
 }
 
@@ -341,6 +346,289 @@ GLXLibrary::ReleaseTexImage(GLXPixmap aPixmap)
     xReleaseTexImage(display, aPixmap, GLX_FRONT_LEFT_EXT);
 }
 
+#ifdef DEBUG
+
+static int (*sOldErrorHandler)(Display *, XErrorEvent *);
+ScopedXErrorHandler::ErrorEvent sErrorEvent;
+static int GLXErrorHandler(Display *display, XErrorEvent *ev)
+{
+    if (!sErrorEvent.mError.error_code) {
+        sErrorEvent.mError = *ev;
+    }
+    return 0;
+}
+
+void
+GLXLibrary::BeforeGLXCall()
+{
+    if (mDebug) {
+        sOldErrorHandler = XSetErrorHandler(GLXErrorHandler);
+    }
+}
+
+void
+GLXLibrary::AfterGLXCall()
+{
+    if (mDebug) {
+        XSync(DefaultXDisplay(), False);
+        if (sErrorEvent.mError.error_code) {
+            char buffer[2048];
+            XGetErrorText(DefaultXDisplay(), sErrorEvent.mError.error_code, buffer, sizeof(buffer));
+            printf_stderr("X ERROR: %s (%i) - Request: %i.%i, Serial: %i",
+                          buffer,
+                          sErrorEvent.mError.error_code,
+                          sErrorEvent.mError.request_code,
+                          sErrorEvent.mError.minor_code,
+                          sErrorEvent.mError.serial);
+            NS_ABORT();
+        }
+        XSetErrorHandler(sOldErrorHandler);
+    }
+}
+
+#define BEFORE_GLX_CALL do {                     \
+    sGLXLibrary.BeforeGLXCall();                 \
+} while (0)
+    
+#define AFTER_GLX_CALL do {                      \
+    sGLXLibrary.AfterGLXCall();                  \
+} while (0)
+
+#else
+
+#define BEFORE_GLX_CALL do { } while(0)
+#define AFTER_GLX_CALL do { } while(0)
+
+#endif
+    
+void 
+GLXLibrary::xDestroyContext(Display* display, GLXContext context)
+{
+    BEFORE_GLX_CALL;
+    xDestroyContextInternal(display, context);
+    AFTER_GLX_CALL;
+}
+
+Bool 
+GLXLibrary::xMakeCurrent(Display* display, 
+                         GLXDrawable drawable, 
+                         GLXContext context)
+{
+    BEFORE_GLX_CALL;
+    Bool result = xMakeCurrentInternal(display, drawable, context);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+GLXContext 
+GLXLibrary::xGetCurrentContext()
+{
+    BEFORE_GLX_CALL;
+    GLXContext result = xGetCurrentContextInternal();
+    AFTER_GLX_CALL;
+    return result;
+}
+
+/* static */ void* 
+GLXLibrary::xGetProcAddress(const char *procName)
+{
+    BEFORE_GLX_CALL;
+    void* result = sGLXLibrary.xGetProcAddressInternal(procName);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+GLXFBConfig*
+GLXLibrary::xChooseFBConfig(Display* display, 
+                            int screen, 
+                            const int *attrib_list, 
+                            int *nelements)
+{
+    BEFORE_GLX_CALL;
+    GLXFBConfig* result = xChooseFBConfigInternal(display, screen, attrib_list, nelements);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+GLXFBConfig* 
+GLXLibrary::xGetFBConfigs(Display* display, 
+                          int screen, 
+                          int *nelements)
+{
+    BEFORE_GLX_CALL;
+    GLXFBConfig* result = xGetFBConfigsInternal(display, screen, nelements);
+    AFTER_GLX_CALL;
+    return result;
+}
+    
+GLXContext
+GLXLibrary::xCreateNewContext(Display* display, 
+                              GLXFBConfig config, 
+                              int render_type, 
+                              GLXContext share_list, 
+                              Bool direct)
+{
+    BEFORE_GLX_CALL;
+    GLXContext result = xCreateNewContextInternal(display, config, 
+	                                              render_type,
+	                                              share_list, direct);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+XVisualInfo*
+GLXLibrary::xGetVisualFromFBConfig(Display* display, 
+                                   GLXFBConfig config)
+{
+    BEFORE_GLX_CALL;
+    XVisualInfo* result = xGetVisualFromFBConfigInternal(display, config);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+int
+GLXLibrary::xGetFBConfigAttrib(Display *display,
+                               GLXFBConfig config,
+                               int attribute,
+                               int *value)
+{
+    BEFORE_GLX_CALL;
+    int result = xGetFBConfigAttribInternal(display, config,
+                                            attribute, value);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+void
+GLXLibrary::xSwapBuffers(Display *display, GLXDrawable drawable)
+{
+    BEFORE_GLX_CALL;
+    xSwapBuffersInternal(display, drawable);
+    AFTER_GLX_CALL;
+}
+
+const char *
+GLXLibrary::xQueryExtensionsString(Display *display,
+                                   int screen)
+{
+    BEFORE_GLX_CALL;
+    const char *result = xQueryExtensionsStringInternal(display, screen);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+const char *
+GLXLibrary::xGetClientString(Display *display,
+                             int screen)
+{
+    BEFORE_GLX_CALL;
+    const char *result = xGetClientStringInternal(display, screen);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+const char *
+GLXLibrary::xQueryServerString(Display *display,
+                               int screen, int name)
+{
+    BEFORE_GLX_CALL;
+    const char *result = xQueryServerStringInternal(display, screen, name);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+GLXPixmap
+GLXLibrary::xCreatePixmap(Display *display, 
+                          GLXFBConfig config,
+                          Pixmap pixmap,
+                          const int *attrib_list)
+{
+    BEFORE_GLX_CALL;
+    GLXPixmap result = xCreatePixmapInternal(display, config,
+                                             pixmap, attrib_list);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+GLXPixmap
+GLXLibrary::xCreateGLXPixmapWithConfig(Display *display,
+                                       GLXFBConfig config,
+                                       Pixmap pixmap)
+{
+    BEFORE_GLX_CALL;
+    GLXPixmap result = xCreateGLXPixmapWithConfigInternal(display, config, pixmap);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+void
+GLXLibrary::xDestroyPixmap(Display *display, GLXPixmap pixmap)
+{
+    BEFORE_GLX_CALL;
+    xDestroyPixmapInternal(display, pixmap);
+    AFTER_GLX_CALL;
+}
+
+GLXContext
+GLXLibrary::xCreateContext(Display *display,
+                           XVisualInfo *vis,
+                           GLXContext shareList,
+                           Bool direct)
+{
+    BEFORE_GLX_CALL;
+    GLXContext result = xCreateContextInternal(display, vis, shareList, direct);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+Bool
+GLXLibrary::xQueryVersion(Display *display,
+                          int *major,
+                          int *minor)
+{
+    BEFORE_GLX_CALL;
+    Bool result = xQueryVersionInternal(display, major, minor);
+    AFTER_GLX_CALL;
+    return result;
+}
+
+void
+GLXLibrary::xBindTexImage(Display *display,
+                          GLXDrawable drawable,
+                          int buffer,
+                          const int *attrib_list)
+{
+    BEFORE_GLX_CALL;
+    xBindTexImageInternal(display, drawable, buffer, attrib_list);
+    AFTER_GLX_CALL;
+}
+
+void
+GLXLibrary::xReleaseTexImage(Display *display,
+                             GLXDrawable drawable,
+                             int buffer)
+{
+    BEFORE_GLX_CALL;
+    xReleaseTexImageInternal(display, drawable, buffer);
+    AFTER_GLX_CALL;
+}
+
+void 
+GLXLibrary::xWaitGL()
+{
+    BEFORE_GLX_CALL;
+    xWaitGLInternal();
+    AFTER_GLX_CALL;
+}
+
+void
+GLXLibrary::xWaitX()
+{
+    BEFORE_GLX_CALL;
+    xWaitXInternal();
+    AFTER_GLX_CALL;
+}
+
 GLXLibrary sGLXLibrary;
 
 class GLContextGLX : public GLContext
@@ -466,7 +754,7 @@ TRY_AGAIN_NO_SHARING:
 
     PRBool SetupLookupFunction()
     {
-        mLookupFunc = (PlatformLookupFunction)sGLXLibrary.xGetProcAddress;
+        mLookupFunc = (PlatformLookupFunction)&GLXLibrary::xGetProcAddress;
         return PR_TRUE;
     }
 
@@ -1050,3 +1338,4 @@ GLContextProviderGLX::Shutdown()
 
 } /* namespace gl */
 } /* namespace mozilla */
+
diff --git a/gfx/thebes/GLXLibrary.h b/gfx/thebes/GLXLibrary.h
index c6199b94e07..3ed67d100bf 100644
--- a/gfx/thebes/GLXLibrary.h
+++ b/gfx/thebes/GLXLibrary.h
@@ -49,93 +49,64 @@ class GLXLibrary
 {
 public:
     GLXLibrary() : mInitialized(PR_FALSE), mTriedInitializing(PR_FALSE),
-                   mHasTextureFromPixmap(PR_FALSE), mOGLLibrary(nsnull) {}
+                   mHasTextureFromPixmap(PR_FALSE), mDebug(PR_FALSE),
+                   mOGLLibrary(nsnull) {}
 
-    typedef void (GLAPIENTRY * PFNGLXDESTROYCONTEXTPROC) (Display*,
-                                                          GLXContext);
-    PFNGLXDESTROYCONTEXTPROC xDestroyContext;
-    typedef Bool (GLAPIENTRY * PFNGLXMAKECURRENTPROC) (Display*,
-                                                       GLXDrawable,
-                                                       GLXContext);
-    PFNGLXMAKECURRENTPROC xMakeCurrent;
-    typedef GLXContext (GLAPIENTRY * PFNGLXGETCURRENTCONTEXT) ();
-    PFNGLXGETCURRENTCONTEXT xGetCurrentContext;
-    typedef void* (GLAPIENTRY * PFNGLXGETPROCADDRESSPROC) (const char *);
-    PFNGLXGETPROCADDRESSPROC xGetProcAddress;
-    typedef GLXFBConfig* (GLAPIENTRY * PFNGLXCHOOSEFBCONFIG) (Display *,
-                                                              int,
-                                                              const int *,
-                                                              int *);
-    PFNGLXCHOOSEFBCONFIG xChooseFBConfig;
-    typedef GLXFBConfig* (GLAPIENTRY * PFNGLXGETFBCONFIGS) (Display *,
-                                                            int,
-                                                            int *);
-    PFNGLXGETFBCONFIGS xGetFBConfigs;
-    typedef GLXContext (GLAPIENTRY * PFNGLXCREATENEWCONTEXT) (Display *,
-                                                              GLXFBConfig,
-                                                              int,
-                                                              GLXContext,
-                                                              Bool);
-    PFNGLXCREATENEWCONTEXT xCreateNewContext;
-    typedef XVisualInfo* (GLAPIENTRY * PFNGLXGETVISUALFROMFBCONFIG) (Display *,
-                                                                     GLXFBConfig);
-    PFNGLXGETVISUALFROMFBCONFIG xGetVisualFromFBConfig;
-    typedef int (GLAPIENTRY * PFNGLXGETFBCONFIGATTRIB) (Display *, 
-                                                        GLXFBConfig,
-                                                        int,
-                                                        int *);
-    PFNGLXGETFBCONFIGATTRIB xGetFBConfigAttrib;
-
-    typedef void (GLAPIENTRY * PFNGLXSWAPBUFFERS) (Display *,
-                                                   GLXDrawable);
-    PFNGLXSWAPBUFFERS xSwapBuffers;
-    typedef const char * (GLAPIENTRY * PFNGLXQUERYEXTENSIONSSTRING) (Display *,
-                                                                     int);
-    PFNGLXQUERYEXTENSIONSSTRING xQueryExtensionsString;
-    typedef const char * (GLAPIENTRY * PFNGLXGETCLIENTSTRING) (Display *,
-                                                               int);
-    PFNGLXGETCLIENTSTRING xGetClientString;
-    typedef const char * (GLAPIENTRY * PFNGLXQUERYSERVERSTRING) (Display *,
-                                                                 int,
-                                                                 int);
-    PFNGLXQUERYSERVERSTRING xQueryServerString;
-
-    typedef GLXPixmap (GLAPIENTRY * PFNGLXCREATEPIXMAP) (Display *,
-                                                         GLXFBConfig,
-                                                         Pixmap,
-                                                         const int *);
-    PFNGLXCREATEPIXMAP xCreatePixmap;
-    typedef GLXPixmap (GLAPIENTRY * PFNGLXCREATEGLXPIXMAPWITHCONFIG)
-                                                        (Display *,
-                                                         GLXFBConfig,
-                                                         Pixmap);
-    PFNGLXCREATEGLXPIXMAPWITHCONFIG xCreateGLXPixmapWithConfig;
-    typedef void (GLAPIENTRY * PFNGLXDESTROYPIXMAP) (Display *,
-                                                     GLXPixmap);
-    PFNGLXDESTROYPIXMAP xDestroyPixmap;
-    typedef GLXContext (GLAPIENTRY * PFNGLXCREATECONTEXT) (Display *,
-                                                           XVisualInfo *,
-                                                           GLXContext,
-                                                           Bool);
-    PFNGLXCREATECONTEXT xCreateContext;
-    typedef Bool (GLAPIENTRY * PFNGLXQUERYVERSION) (Display *,
-                                                    int *,
-                                                    int *);
-    PFNGLXQUERYVERSION xQueryVersion;
-
-    typedef void (GLAPIENTRY * PFNGLXBINDTEXIMAGE) (Display *,
-                                                    GLXDrawable,
-                                                    int,
-                                                    const int *);
-    PFNGLXBINDTEXIMAGE xBindTexImage;
-
-    typedef void (GLAPIENTRY * PFNGLXRELEASETEXIMAGE) (Display *,
-                                                       GLXDrawable,
-                                                       int);
-    PFNGLXRELEASETEXIMAGE xReleaseTexImage;
-
-    typedef void (GLAPIENTRY * PFNGLXWAITGL) ();
-    PFNGLXWAITGL xWaitGL;
+    void xDestroyContext(Display* display, GLXContext context);
+    Bool xMakeCurrent(Display* display, 
+                      GLXDrawable drawable, 
+                      GLXContext context);
+    GLXContext xGetCurrentContext();
+    static void* xGetProcAddress(const char *procName);
+    GLXFBConfig* xChooseFBConfig(Display* display, 
+                                 int screen, 
+                                 const int *attrib_list, 
+                                 int *nelements);
+    GLXFBConfig* xGetFBConfigs(Display* display, 
+                               int screen, 
+                               int *nelements);
+    GLXContext xCreateNewContext(Display* display, 
+                                 GLXFBConfig config, 
+                                 int render_type, 
+                                 GLXContext share_list, 
+                                 Bool direct);
+    XVisualInfo* xGetVisualFromFBConfig(Display* display, 
+                                        GLXFBConfig config);
+    int xGetFBConfigAttrib(Display *display,
+                           GLXFBConfig config,
+                           int attribute,
+                           int *value);
+    void xSwapBuffers(Display *display, GLXDrawable drawable);
+    const char * xQueryExtensionsString(Display *display,
+                                        int screen);
+    const char * xGetClientString(Display *display,
+                                  int screen);
+    const char * xQueryServerString(Display *display,
+                                    int screen, int name);
+    GLXPixmap xCreatePixmap(Display *display, 
+                            GLXFBConfig config,
+                            Pixmap pixmap,
+                            const int *attrib_list);
+    GLXPixmap xCreateGLXPixmapWithConfig(Display *display,
+                                         GLXFBConfig config,
+                                         Pixmap pixmap);
+    void xDestroyPixmap(Display *display, GLXPixmap pixmap);
+    GLXContext xCreateContext(Display *display,
+                              XVisualInfo *vis,
+                              GLXContext shareList,
+                              Bool direct);
+    Bool xQueryVersion(Display *display,
+                       int *major,
+                       int *minor);
+    void xBindTexImage(Display *display,
+                       GLXDrawable drawable,
+                       int buffer,
+                       const int *attrib_list);
+    void xReleaseTexImage(Display *display,
+                          GLXDrawable drawable,
+                          int buffer);
+    void xWaitGL();
+    void xWaitX();
 
     PRBool EnsureInitialized();
 
@@ -148,9 +119,105 @@ public:
     PRBool SupportsTextureFromPixmap(gfxASurface* aSurface);
 
 private:
+    
+    typedef void (GLAPIENTRY * PFNGLXDESTROYCONTEXTPROC) (Display*,
+                                                          GLXContext);
+    PFNGLXDESTROYCONTEXTPROC xDestroyContextInternal;
+    typedef Bool (GLAPIENTRY * PFNGLXMAKECURRENTPROC) (Display*,
+                                                       GLXDrawable,
+                                                       GLXContext);
+    PFNGLXMAKECURRENTPROC xMakeCurrentInternal;
+    typedef GLXContext (GLAPIENTRY * PFNGLXGETCURRENTCONTEXT) ();
+    PFNGLXGETCURRENTCONTEXT xGetCurrentContextInternal;
+    typedef void* (GLAPIENTRY * PFNGLXGETPROCADDRESSPROC) (const char *);
+    PFNGLXGETPROCADDRESSPROC xGetProcAddressInternal;
+    typedef GLXFBConfig* (GLAPIENTRY * PFNGLXCHOOSEFBCONFIG) (Display *,
+                                                              int,
+                                                              const int *,
+                                                              int *);
+    PFNGLXCHOOSEFBCONFIG xChooseFBConfigInternal;
+    typedef GLXFBConfig* (GLAPIENTRY * PFNGLXGETFBCONFIGS) (Display *,
+                                                            int,
+                                                            int *);
+    PFNGLXGETFBCONFIGS xGetFBConfigsInternal;
+    typedef GLXContext (GLAPIENTRY * PFNGLXCREATENEWCONTEXT) (Display *,
+                                                              GLXFBConfig,
+                                                              int,
+                                                              GLXContext,
+                                                              Bool);
+    PFNGLXCREATENEWCONTEXT xCreateNewContextInternal;
+    typedef XVisualInfo* (GLAPIENTRY * PFNGLXGETVISUALFROMFBCONFIG) (Display *,
+                                                                     GLXFBConfig);
+    PFNGLXGETVISUALFROMFBCONFIG xGetVisualFromFBConfigInternal;
+    typedef int (GLAPIENTRY * PFNGLXGETFBCONFIGATTRIB) (Display *, 
+                                                        GLXFBConfig,
+                                                        int,
+                                                        int *);
+    PFNGLXGETFBCONFIGATTRIB xGetFBConfigAttribInternal;
+
+    typedef void (GLAPIENTRY * PFNGLXSWAPBUFFERS) (Display *,
+                                                   GLXDrawable);
+    PFNGLXSWAPBUFFERS xSwapBuffersInternal;
+    typedef const char * (GLAPIENTRY * PFNGLXQUERYEXTENSIONSSTRING) (Display *,
+                                                                     int);
+    PFNGLXQUERYEXTENSIONSSTRING xQueryExtensionsStringInternal;
+    typedef const char * (GLAPIENTRY * PFNGLXGETCLIENTSTRING) (Display *,
+                                                               int);
+    PFNGLXGETCLIENTSTRING xGetClientStringInternal;
+    typedef const char * (GLAPIENTRY * PFNGLXQUERYSERVERSTRING) (Display *,
+                                                                 int,
+                                                                 int);
+    PFNGLXQUERYSERVERSTRING xQueryServerStringInternal;
+
+    typedef GLXPixmap (GLAPIENTRY * PFNGLXCREATEPIXMAP) (Display *,
+                                                         GLXFBConfig,
+                                                         Pixmap,
+                                                         const int *);
+    PFNGLXCREATEPIXMAP xCreatePixmapInternal;
+    typedef GLXPixmap (GLAPIENTRY * PFNGLXCREATEGLXPIXMAPWITHCONFIG)
+                                                        (Display *,
+                                                         GLXFBConfig,
+                                                         Pixmap);
+    PFNGLXCREATEGLXPIXMAPWITHCONFIG xCreateGLXPixmapWithConfigInternal;
+    typedef void (GLAPIENTRY * PFNGLXDESTROYPIXMAP) (Display *,
+                                                     GLXPixmap);
+    PFNGLXDESTROYPIXMAP xDestroyPixmapInternal;
+    typedef GLXContext (GLAPIENTRY * PFNGLXCREATECONTEXT) (Display *,
+                                                           XVisualInfo *,
+                                                           GLXContext,
+                                                           Bool);
+    PFNGLXCREATECONTEXT xCreateContextInternal;
+    typedef Bool (GLAPIENTRY * PFNGLXQUERYVERSION) (Display *,
+                                                    int *,
+                                                    int *);
+    PFNGLXQUERYVERSION xQueryVersionInternal;
+
+    typedef void (GLAPIENTRY * PFNGLXBINDTEXIMAGE) (Display *,
+                                                    GLXDrawable,
+                                                    int,
+                                                    const int *);
+    PFNGLXBINDTEXIMAGE xBindTexImageInternal;
+
+    typedef void (GLAPIENTRY * PFNGLXRELEASETEXIMAGE) (Display *,
+                                                       GLXDrawable,
+                                                       int);
+    PFNGLXRELEASETEXIMAGE xReleaseTexImageInternal;
+
+    typedef void (GLAPIENTRY * PFNGLXWAITGL) ();
+    PFNGLXWAITGL xWaitGLInternal;
+    
+    typedef void (GLAPIENTRY * PFNGLXWAITX) ();
+    PFNGLXWAITGL xWaitXInternal;
+
+#ifdef DEBUG
+    void BeforeGLXCall();
+    void AfterGLXCall();
+#endif
+
     PRBool mInitialized;
     PRBool mTriedInitializing;
     PRBool mHasTextureFromPixmap;
+    PRBool mDebug;
     PRLibrary *mOGLLibrary;
 };
 
diff --git a/ipc/chromium/chromium-config.mk b/ipc/chromium/chromium-config.mk
index 784fb3f7a6c..227b5b64cfa 100644
--- a/ipc/chromium/chromium-config.mk
+++ b/ipc/chromium/chromium-config.mk
@@ -48,7 +48,6 @@ EXTRA_DEPS += $(topsrcdir)/ipc/chromium/chromium-config.mk
 
 DEFINES += \
   -DEXCLUDE_SKIA_DEPENDENCIES \
-  -DCHROMIUM_MOZILLA_BUILD \
   $(NULL)
 
 LOCAL_INCLUDES += \
diff --git a/ipc/chromium/src/base/at_exit.cc b/ipc/chromium/src/base/at_exit.cc
index b5ab77e4305..f6319fbc30a 100644
--- a/ipc/chromium/src/base/at_exit.cc
+++ b/ipc/chromium/src/base/at_exit.cc
@@ -64,11 +64,9 @@ void AtExitManager::ProcessCallbacksNow() {
   }
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 // static
 bool AtExitManager::AlreadyRegistered() {
   return !!g_top_manager;
 }
-#endif
 
 }  // namespace base
diff --git a/ipc/chromium/src/base/at_exit.h b/ipc/chromium/src/base/at_exit.h
index 90347a12337..be226acecbd 100644
--- a/ipc/chromium/src/base/at_exit.h
+++ b/ipc/chromium/src/base/at_exit.h
@@ -51,9 +51,7 @@ class AtExitManager {
   // is possible to register new callbacks after calling this function.
   static void ProcessCallbacksNow();
 
-#ifdef CHROMIUM_MOZILLA_BUILD
   static bool AlreadyRegistered();
-#endif
 
  private:
   struct CallbackAndParam {
diff --git a/ipc/chromium/src/base/atomicops_internals_x86_gcc.h b/ipc/chromium/src/base/atomicops_internals_x86_gcc.h
index fda502939ff..020e7b72b13 100644
--- a/ipc/chromium/src/base/atomicops_internals_x86_gcc.h
+++ b/ipc/chromium/src/base/atomicops_internals_x86_gcc.h
@@ -196,7 +196,6 @@ inline void NoBarrier_Store(volatile Atomic64* ptr, Atomic64 value) {
   *ptr = value;
 }
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 inline Atomic64 Acquire_CompareAndSwap(volatile Atomic64* ptr,
                                        Atomic64 old_value,
                                        Atomic64 new_value) {
@@ -207,7 +206,6 @@ inline Atomic64 Acquire_CompareAndSwap(volatile Atomic64* ptr,
   }
   return x;
 }
-#endif
 
 inline void Acquire_Store(volatile Atomic64* ptr, Atomic64 value) {
   *ptr = value;
diff --git a/ipc/chromium/src/base/base_switches.h b/ipc/chromium/src/base/base_switches.h
index 25a60ffe884..bc679111aba 100644
--- a/ipc/chromium/src/base/base_switches.h
+++ b/ipc/chromium/src/base/base_switches.h
@@ -7,7 +7,7 @@
 #ifndef BASE_BASE_SWITCHES_H_
 #define BASE_BASE_SWITCHES_H_
 
-#if defined(CHROMIUM_MOZILLA_BUILD) && defined(COMPILER_MSVC)
+#if defined(COMPILER_MSVC)
 #include <string.h>
 #endif
 
diff --git a/ipc/chromium/src/base/basictypes.h b/ipc/chromium/src/base/basictypes.h
index dd2595c8fa9..5ae0f430336 100644
--- a/ipc/chromium/src/base/basictypes.h
+++ b/ipc/chromium/src/base/basictypes.h
@@ -5,8 +5,6 @@
 #ifndef BASE_BASICTYPES_H_
 #define BASE_BASICTYPES_H_
 
-#ifdef CHROMIUM_MOZILLA_BUILD
-
 // Chromium includes a prtypes.h also, but it has been modified to include
 // their build_config.h as well. We can therefore test for both to determine
 // if someone screws up the include order.
@@ -41,8 +39,6 @@
 #define _WIN32
 #endif
 
-#endif // CHROMIUM_MOZILLA_BUILD
-
 #include <limits.h>         // So we can set the bounds of our types
 #include <stddef.h>         // For size_t
 #include <string.h>         // for memcpy
@@ -63,7 +59,7 @@ typedef short               int16;
 #define _INT32
 typedef int                 int32;
 #endif
-#if !(defined(CHROMIUM_MOZILLA_BUILD) && defined(PROTYPES_H))
+#ifndef PROTYPES_H
 typedef long long           int64;
 #endif
 
@@ -81,7 +77,7 @@ typedef unsigned short     uint16;
 #define _UINT32
 typedef unsigned int       uint32;
 #endif
-#if !(defined(CHROMIUM_MOZILLA_BUILD) && defined(PROTYPES_H))
+#ifndef PROTYPES_H
 typedef unsigned long long uint64;
 #endif
 
@@ -104,7 +100,6 @@ const  int32 kint32max  = (( int32) 0x7FFFFFFF);
 const  int64 kint64min  = (( int64) GG_LONGLONG(0x8000000000000000));
 const  int64 kint64max  = (( int64) GG_LONGLONG(0x7FFFFFFFFFFFFFFF));
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 // Platform- and hardware-dependent printf specifiers
 #  if defined(OS_POSIX)
 #    define __STDC_FORMAT_MACROS 1
@@ -120,7 +115,6 @@ const  int64 kint64max  = (( int64) GG_LONGLONG(0x7FFFFFFFFFFFFFFF));
 #    define PRIu64L L"I64u"
 #    define PRIx64L L"I64x"
 #  endif
-#endif  // defined(CHROMIUM_MOZILLA_BUILD)
 
 // A macro to disallow the copy constructor and operator= functions
 // This should be used in the private: declarations for a class
diff --git a/ipc/chromium/src/base/command_line.h b/ipc/chromium/src/base/command_line.h
index ed86e622c10..24a106bbc2c 100644
--- a/ipc/chromium/src/base/command_line.h
+++ b/ipc/chromium/src/base/command_line.h
@@ -65,11 +65,9 @@ class CommandLine {
     return current_process_commandline_;
   }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
   static bool IsInitialized() {
     return !!current_process_commandline_;
   }
-#endif
 
   // Returns true if this command line contains the given switch.
   // (Switch names are case-insensitive.)
diff --git a/ipc/chromium/src/base/debug_util_posix.cc b/ipc/chromium/src/base/debug_util_posix.cc
index ed9ad4f4ea2..900148745e8 100644
--- a/ipc/chromium/src/base/debug_util_posix.cc
+++ b/ipc/chromium/src/base/debug_util_posix.cc
@@ -144,25 +144,5 @@ void StackTrace::PrintBacktrace() {
 }
 
 void StackTrace::OutputToStream(std::ostream* os) {
-#ifdef CHROMIUM_MOZILLA_BUILD
   return;
-#else
-  scoped_ptr_malloc<char*> trace_symbols(
-      backtrace_symbols(&trace_[0], trace_.size()));
-
-  // If we can't retrieve the symbols, print an error and just dump the raw
-  // addresses.
-  if (trace_symbols.get() == NULL) {
-    (*os) << "Unable get symbols for backtrace (" << strerror(errno)
-          << "). Dumping raw addresses in trace:\n";
-    for (size_t i = 0; i < trace_.size(); ++i) {
-      (*os) << "\t" << trace_[i] << "\n";
-    }
-  } else {
-    (*os) << "Backtrace:\n";
-    for (size_t i = 0; i < trace_.size(); ++i) {
-      (*os) << "\t" << trace_symbols.get()[i] << "\n";
-    }
-  }
-#endif
 }
diff --git a/ipc/chromium/src/base/histogram.cc b/ipc/chromium/src/base/histogram.cc
index 5cd8b4fc034..06e264ae849 100644
--- a/ipc/chromium/src/base/histogram.cc
+++ b/ipc/chromium/src/base/histogram.cc
@@ -21,13 +21,11 @@
 
 namespace base {
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 #define DVLOG(x) LOG(ERROR)
 #define CHECK_GT DCHECK_GT
 #define CHECK_LT DCHECK_LT
 typedef ::Lock Lock;
 typedef ::AutoLock AutoLock;
-#endif
 
 // Static table of checksums for all possible 8 bit bytes.
 const uint32 Histogram::kCrcTable[256] = {0x0, 0x77073096L, 0xee0e612cL,
diff --git a/ipc/chromium/src/base/histogram.h b/ipc/chromium/src/base/histogram.h
index 840b0918597..0b5e77e361e 100644
--- a/ipc/chromium/src/base/histogram.h
+++ b/ipc/chromium/src/base/histogram.h
@@ -45,11 +45,6 @@
 #include <string>
 #include <vector>
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
-#define BASE_API
-#else
-#include "base/base_api.h"
-#endif
 #include "testing/gtest/include/gtest/gtest_prod.h"
 #include "base/time.h"
 #include "base/lock.h"
@@ -264,7 +259,7 @@ class CustomHistogram;
 class Histogram;
 class LinearHistogram;
 
-class BASE_API Histogram {
+class Histogram {
  public:
   typedef int Sample;  // Used for samples (and ranges of samples).
   typedef int Count;  // Used to count samples in a bucket.
@@ -323,7 +318,7 @@ class BASE_API Histogram {
   //----------------------------------------------------------------------------
   // Statistic values, developed over the life of the histogram.
 
-  class BASE_API SampleSet {
+  class SampleSet {
    public:
     explicit SampleSet();
     ~SampleSet();
@@ -582,7 +577,7 @@ class BASE_API Histogram {
 
 // LinearHistogram is a more traditional histogram, with evenly spaced
 // buckets.
-class BASE_API LinearHistogram : public Histogram {
+class LinearHistogram : public Histogram {
  public:
   virtual ~LinearHistogram();
 
@@ -638,7 +633,7 @@ class BASE_API LinearHistogram : public Histogram {
 //------------------------------------------------------------------------------
 
 // BooleanHistogram is a histogram for booleans.
-class BASE_API BooleanHistogram : public LinearHistogram {
+class BooleanHistogram : public LinearHistogram {
  public:
   static Histogram* FactoryGet(const std::string& name, Flags flags);
 
@@ -655,7 +650,7 @@ class BASE_API BooleanHistogram : public LinearHistogram {
 //------------------------------------------------------------------------------
 
 // CustomHistogram is a histogram for a set of custom integers.
-class BASE_API CustomHistogram : public Histogram {
+class CustomHistogram : public Histogram {
  public:
 
   static Histogram* FactoryGet(const std::string& name,
@@ -681,7 +676,7 @@ class BASE_API CustomHistogram : public Histogram {
 // general place for histograms to register, and supports a global API for
 // accessing (i.e., dumping, or graphing) the data in all the histograms.
 
-class BASE_API StatisticsRecorder {
+class StatisticsRecorder {
  public:
   typedef std::vector<Histogram*> Histograms;
 
diff --git a/ipc/chromium/src/base/id_map.h b/ipc/chromium/src/base/id_map.h
index 3dfecc02c24..ae724265f47 100644
--- a/ipc/chromium/src/base/id_map.h
+++ b/ipc/chromium/src/base/id_map.h
@@ -72,7 +72,6 @@ class IDMap {
     return data_.empty();
   }
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
   void Clear() {
     data_.clear();
   }
@@ -84,7 +83,6 @@ class IDMap {
         return true;
     return false;
   }
-#endif
 
   T* Lookup(int32 id) const {
     const_iterator i = data_.find(id);
diff --git a/ipc/chromium/src/base/logging.cc b/ipc/chromium/src/base/logging.cc
index 33d4ca4cad6..2b8d180bddf 100644
--- a/ipc/chromium/src/base/logging.cc
+++ b/ipc/chromium/src/base/logging.cc
@@ -3,9 +3,6 @@
 // found in the LICENSE file.
 
 #include "base/logging.h"
-
-#ifdef CHROMIUM_MOZILLA_BUILD
-
 #include "prmem.h"
 #include "prprf.h"
 #include "base/string_util.h"
@@ -106,570 +103,3 @@ operator<<(mozilla::Logger& log, void* p)
   log.printf("%p", p);
   return log;
 }
-
-#else
-
-#if defined(OS_WIN)
-#include <windows.h>
-typedef HANDLE FileHandle;
-typedef HANDLE MutexHandle;
-#elif defined(OS_MACOSX)
-#include <CoreFoundation/CoreFoundation.h>
-#include <mach/mach.h>
-#include <mach/mach_time.h>
-#include <mach-o/dyld.h>
-#elif defined(OS_LINUX)
-#include <sys/syscall.h>
-#include <time.h>
-#endif
-
-#if defined(OS_POSIX)
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#define MAX_PATH PATH_MAX
-typedef FILE* FileHandle;
-typedef pthread_mutex_t* MutexHandle;
-#endif
-
-#include <ctime>
-#include <iomanip>
-#include <cstring>
-#include <algorithm>
-
-#include "base/base_switches.h"
-#include "base/command_line.h"
-#include "base/debug_util.h"
-#include "base/lock_impl.h"
-#include "base/string_piece.h"
-#include "base/string_util.h"
-#include "base/sys_string_conversions.h"
-
-namespace logging {
-
-bool g_enable_dcheck = false;
-
-const char* const log_severity_names[LOG_NUM_SEVERITIES] = {
-  "INFO", "WARNING", "ERROR", "ERROR_REPORT", "FATAL" };
-
-int min_log_level = 0;
-LogLockingState lock_log_file = LOCK_LOG_FILE;
-
-// The default set here for logging_destination will only be used if
-// InitLogging is not called.  On Windows, use a file next to the exe;
-// on POSIX platforms, where it may not even be possible to locate the
-// executable on disk, use stderr.
-#if defined(OS_WIN)
-LoggingDestination logging_destination = LOG_ONLY_TO_FILE;
-#elif defined(OS_POSIX)
-LoggingDestination logging_destination = LOG_ONLY_TO_SYSTEM_DEBUG_LOG;
-#endif
-
-const int kMaxFilteredLogLevel = LOG_WARNING;
-std::string* log_filter_prefix;
-
-// For LOG_ERROR and above, always print to stderr.
-const int kAlwaysPrintErrorLevel = LOG_ERROR;
-
-// Which log file to use? This is initialized by InitLogging or
-// will be lazily initialized to the default value when it is
-// first needed.
-#if defined(OS_WIN)
-typedef wchar_t PathChar;
-typedef std::wstring PathString;
-#else
-typedef char PathChar;
-typedef std::string PathString;
-#endif
-PathString* log_file_name = NULL;
-
-// this file is lazily opened and the handle may be NULL
-FileHandle log_file = NULL;
-
-// what should be prepended to each message?
-bool log_process_id = false;
-bool log_thread_id = false;
-bool log_timestamp = true;
-bool log_tickcount = false;
-
-// An assert handler override specified by the client to be called instead of
-// the debug message dialog and process termination.
-LogAssertHandlerFunction log_assert_handler = NULL;
-// An report handler override specified by the client to be called instead of
-// the debug message dialog.
-LogReportHandlerFunction log_report_handler = NULL;
-
-// The lock is used if log file locking is false. It helps us avoid problems
-// with multiple threads writing to the log file at the same time.  Use
-// LockImpl directly instead of using Lock, because Lock makes logging calls.
-static LockImpl* log_lock = NULL;
-
-// When we don't use a lock, we are using a global mutex. We need to do this
-// because LockFileEx is not thread safe.
-#if defined(OS_WIN)
-MutexHandle log_mutex = NULL;
-#elif defined(OS_POSIX)
-pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;
-#endif
-
-// Helper functions to wrap platform differences.
-
-int32 CurrentProcessId() {
-#if defined(OS_WIN)
-  return GetCurrentProcessId();
-#elif defined(OS_POSIX)
-  return getpid();
-#endif
-}
-
-int32 CurrentThreadId() {
-#if defined(OS_WIN)
-  return GetCurrentThreadId();
-#elif defined(OS_MACOSX)
-  return mach_thread_self();
-#elif defined(OS_LINUX)
-  return syscall(__NR_gettid);
-#endif
-}
-
-uint64 TickCount() {
-#if defined(OS_WIN)
-  return GetTickCount();
-#elif defined(OS_MACOSX)
-  return mach_absolute_time();
-#elif defined(OS_LINUX)
-  struct timespec ts;
-  clock_gettime(CLOCK_MONOTONIC, &ts);
-
-  uint64 absolute_micro =
-    static_cast<int64>(ts.tv_sec) * 1000000 +
-    static_cast<int64>(ts.tv_nsec) / 1000;
-
-  return absolute_micro;
-#endif
-}
-
-void CloseFile(FileHandle log) {
-#if defined(OS_WIN)
-  CloseHandle(log);
-#else
-  fclose(log);
-#endif
-}
-
-void DeleteFilePath(const PathString& log_name) {
-#if defined(OS_WIN)
-  DeleteFile(log_name.c_str());
-#else
-  unlink(log_name.c_str());
-#endif
-}
-
-// Called by logging functions to ensure that debug_file is initialized
-// and can be used for writing. Returns false if the file could not be
-// initialized. debug_file will be NULL in this case.
-bool InitializeLogFileHandle() {
-  if (log_file)
-    return true;
-
-  if (!log_file_name) {
-    // Nobody has called InitLogging to specify a debug log file, so here we
-    // initialize the log file name to a default.
-#if defined(OS_WIN)
-    // On Windows we use the same path as the exe.
-    wchar_t module_name[MAX_PATH];
-    GetModuleFileName(NULL, module_name, MAX_PATH);
-    log_file_name = new std::wstring(module_name);
-    std::wstring::size_type last_backslash =
-        log_file_name->rfind('\\', log_file_name->size());
-    if (last_backslash != std::wstring::npos)
-      log_file_name->erase(last_backslash + 1);
-    *log_file_name += L"debug.log";
-#elif defined(OS_POSIX)
-    // On other platforms we just use the current directory.
-    log_file_name = new std::string("debug.log");
-#endif
-  }
-
-  if (logging_destination == LOG_ONLY_TO_FILE ||
-      logging_destination == LOG_TO_BOTH_FILE_AND_SYSTEM_DEBUG_LOG) {
-#if defined(OS_WIN)
-    log_file = CreateFile(log_file_name->c_str(), GENERIC_WRITE,
-                          FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
-                          OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
-    if (log_file == INVALID_HANDLE_VALUE || log_file == NULL) {
-      // try the current directory
-      log_file = CreateFile(L".\\debug.log", GENERIC_WRITE,
-                            FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
-                            OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
-      if (log_file == INVALID_HANDLE_VALUE || log_file == NULL) {
-        log_file = NULL;
-        return false;
-      }
-    }
-    SetFilePointer(log_file, 0, 0, FILE_END);
-#elif defined(OS_POSIX)
-    log_file = fopen(log_file_name->c_str(), "a");
-    if (log_file == NULL)
-      return false;
-#endif
-  }
-
-  return true;
-}
-
-void InitLogMutex() {
-#if defined(OS_WIN)
-  if (!log_mutex) {
-    // \ is not a legal character in mutex names so we replace \ with /
-    std::wstring safe_name(*log_file_name);
-    std::replace(safe_name.begin(), safe_name.end(), '\\', '/');
-    std::wstring t(L"Global\\");
-    t.append(safe_name);
-    log_mutex = ::CreateMutex(NULL, FALSE, t.c_str());
-  }
-#elif defined(OS_POSIX)
-  // statically initialized
-#endif
-}
-
-void InitLogging(const PathChar* new_log_file, LoggingDestination logging_dest,
-                 LogLockingState lock_log, OldFileDeletionState delete_old) {
-  g_enable_dcheck =
-      CommandLine::ForCurrentProcess()->HasSwitch(switches::kEnableDCHECK);
-
-  if (log_file) {
-    // calling InitLogging twice or after some log call has already opened the
-    // default log file will re-initialize to the new options
-    CloseFile(log_file);
-    log_file = NULL;
-  }
-
-  lock_log_file = lock_log;
-  logging_destination = logging_dest;
-
-  // ignore file options if logging is disabled or only to system
-  if (logging_destination == LOG_NONE ||
-      logging_destination == LOG_ONLY_TO_SYSTEM_DEBUG_LOG)
-    return;
-
-  if (!log_file_name)
-    log_file_name = new PathString();
-  *log_file_name = new_log_file;
-  if (delete_old == DELETE_OLD_LOG_FILE)
-    DeleteFilePath(*log_file_name);
-
-  if (lock_log_file == LOCK_LOG_FILE) {
-    InitLogMutex();
-  } else if (!log_lock) {
-    log_lock = new LockImpl();
-  }
-
-  InitializeLogFileHandle();
-}
-
-void SetMinLogLevel(int level) {
-  min_log_level = level;
-}
-
-int GetMinLogLevel() {
-  return min_log_level;
-}
-
-void SetLogFilterPrefix(const char* filter)  {
-  if (log_filter_prefix) {
-    delete log_filter_prefix;
-    log_filter_prefix = NULL;
-  }
-
-  if (filter)
-    log_filter_prefix = new std::string(filter);
-}
-
-void SetLogItems(bool enable_process_id, bool enable_thread_id,
-                 bool enable_timestamp, bool enable_tickcount) {
-  log_process_id = enable_process_id;
-  log_thread_id = enable_thread_id;
-  log_timestamp = enable_timestamp;
-  log_tickcount = enable_tickcount;
-}
-
-void SetLogAssertHandler(LogAssertHandlerFunction handler) {
-  log_assert_handler = handler;
-}
-
-void SetLogReportHandler(LogReportHandlerFunction handler) {
-  log_report_handler = handler;
-}
-
-// Displays a message box to the user with the error message in it. For
-// Windows programs, it's possible that the message loop is messed up on
-// a fatal error, and creating a MessageBox will cause that message loop
-// to be run. Instead, we try to spawn another process that displays its
-// command line. We look for "Debug Message.exe" in the same directory as
-// the application. If it exists, we use it, otherwise, we use a regular
-// message box.
-void DisplayDebugMessage(const std::string& str) {
-  if (str.empty())
-    return;
-
-#if defined(OS_WIN)
-  // look for the debug dialog program next to our application
-  wchar_t prog_name[MAX_PATH];
-  GetModuleFileNameW(NULL, prog_name, MAX_PATH);
-  wchar_t* backslash = wcsrchr(prog_name, '\\');
-  if (backslash)
-    backslash[1] = 0;
-  wcscat_s(prog_name, MAX_PATH, L"debug_message.exe");
-
-  std::wstring cmdline = base::SysUTF8ToWide(str);
-  if (cmdline.empty())
-    return;
-
-  STARTUPINFO startup_info;
-  memset(&startup_info, 0, sizeof(startup_info));
-  startup_info.cb = sizeof(startup_info);
-
-  PROCESS_INFORMATION process_info;
-  if (CreateProcessW(prog_name, &cmdline[0], NULL, NULL, false, 0, NULL,
-                     NULL, &startup_info, &process_info)) {
-    WaitForSingleObject(process_info.hProcess, INFINITE);
-    CloseHandle(process_info.hThread);
-    CloseHandle(process_info.hProcess);
-  } else {
-    // debug process broken, let's just do a message box
-    MessageBoxW(NULL, &cmdline[0], L"Fatal error",
-                MB_OK | MB_ICONHAND | MB_TOPMOST);
-  }
-#else
-  fprintf(stderr, "%s\n", str.c_str());
-#endif
-}
-
-#if defined(OS_WIN)
-LogMessage::SaveLastError::SaveLastError() : last_error_(::GetLastError()) {
-}
-
-LogMessage::SaveLastError::~SaveLastError() {
-  ::SetLastError(last_error_);
-}
-#endif  // defined(OS_WIN)
-
-LogMessage::LogMessage(const char* file, int line, LogSeverity severity,
-                       int ctr)
-    : severity_(severity) {
-  Init(file, line);
-}
-
-LogMessage::LogMessage(const char* file, int line, const CheckOpString& result)
-    : severity_(LOG_FATAL) {
-  Init(file, line);
-  stream_ << "Check failed: " << (*result.str_);
-}
-
-LogMessage::LogMessage(const char* file, int line, LogSeverity severity,
-                       const CheckOpString& result)
-    : severity_(severity) {
-  Init(file, line);
-  stream_ << "Check failed: " << (*result.str_);
-}
-
-LogMessage::LogMessage(const char* file, int line)
-     : severity_(LOG_INFO) {
-  Init(file, line);
-}
-
-LogMessage::LogMessage(const char* file, int line, LogSeverity severity)
-    : severity_(severity) {
-  Init(file, line);
-}
-
-// writes the common header info to the stream
-void LogMessage::Init(const char* file, int line) {
-  // log only the filename
-  const char* last_slash = strrchr(file, '\\');
-  if (last_slash)
-    file = last_slash + 1;
-
-  // TODO(darin): It might be nice if the columns were fixed width.
-
-  stream_ <<  '[';
-  if (log_process_id)
-    stream_ << CurrentProcessId() << ':';
-  if (log_thread_id)
-    stream_ << CurrentThreadId() << ':';
-  if (log_timestamp) {
-     time_t t = time(NULL);
-#if _MSC_VER >= 1400
-    struct tm local_time = {0};
-    localtime_s(&local_time, &t);
-    struct tm* tm_time = &local_time;
-#else
-    struct tm* tm_time = localtime(&t);
-#endif
-    stream_ << std::setfill('0')
-            << std::setw(2) << 1 + tm_time->tm_mon
-            << std::setw(2) << tm_time->tm_mday
-            << '/'
-            << std::setw(2) << tm_time->tm_hour
-            << std::setw(2) << tm_time->tm_min
-            << std::setw(2) << tm_time->tm_sec
-            << ':';
-  }
-  if (log_tickcount)
-    stream_ << TickCount() << ':';
-  stream_ << log_severity_names[severity_] << ":" << file <<
-             "(" << line << ")] ";
-
-  message_start_ = stream_.tellp();
-}
-
-LogMessage::~LogMessage() {
-  // TODO(brettw) modify the macros so that nothing is executed when the log
-  // level is too high.
-  if (severity_ < min_log_level)
-    return;
-
-  std::string str_newline(stream_.str());
-#if defined(OS_WIN)
-  str_newline.append("\r\n");
-#else
-  str_newline.append("\n");
-#endif
-
-  if (log_filter_prefix && severity_ <= kMaxFilteredLogLevel &&
-      str_newline.compare(message_start_, log_filter_prefix->size(),
-                          log_filter_prefix->data()) != 0) {
-    return;
-  }
-
-  if (logging_destination == LOG_ONLY_TO_SYSTEM_DEBUG_LOG ||
-      logging_destination == LOG_TO_BOTH_FILE_AND_SYSTEM_DEBUG_LOG) {
-#if defined(OS_WIN)
-    OutputDebugStringA(str_newline.c_str());
-    if (severity_ >= kAlwaysPrintErrorLevel)
-#endif
-    // TODO(erikkay): this interferes with the layout tests since it grabs
-    // stderr and stdout and diffs them against known data. Our info and warn
-    // logs add noise to that.  Ideally, the layout tests would set the log
-    // level to ignore anything below error.  When that happens, we should
-    // take this fprintf out of the #else so that Windows users can benefit
-    // from the output when running tests from the command-line.  In the
-    // meantime, we leave this in for Mac and Linux, but until this is fixed
-    // they won't be able to pass any layout tests that have info or warn logs.
-    // See http://b/1343647
-    fprintf(stderr, "%s", str_newline.c_str());
-  } else if (severity_ >= kAlwaysPrintErrorLevel) {
-    // When we're only outputting to a log file, above a certain log level, we
-    // should still output to stderr so that we can better detect and diagnose
-    // problems with unit tests, especially on the buildbots.
-    fprintf(stderr, "%s", str_newline.c_str());
-  }
-
-  // write to log file
-  if (logging_destination != LOG_NONE &&
-      logging_destination != LOG_ONLY_TO_SYSTEM_DEBUG_LOG &&
-      InitializeLogFileHandle()) {
-    // We can have multiple threads and/or processes, so try to prevent them
-    // from clobbering each other's writes.
-    if (lock_log_file == LOCK_LOG_FILE) {
-      // Ensure that the mutex is initialized in case the client app did not
-      // call InitLogging. This is not thread safe. See below.
-      InitLogMutex();
-
-#if defined(OS_WIN)
-      DWORD r = ::WaitForSingleObject(log_mutex, INFINITE);
-      DCHECK(r != WAIT_ABANDONED);
-#elif defined(OS_POSIX)
-      pthread_mutex_lock(&log_mutex);
-#endif
-    } else {
-      // use the lock
-      if (!log_lock) {
-        // The client app did not call InitLogging, and so the lock has not
-        // been created. We do this on demand, but if two threads try to do
-        // this at the same time, there will be a race condition to create
-        // the lock. This is why InitLogging should be called from the main
-        // thread at the beginning of execution.
-        log_lock = new LockImpl();
-      }
-      log_lock->Lock();
-    }
-
-#if defined(OS_WIN)
-    SetFilePointer(log_file, 0, 0, SEEK_END);
-    DWORD num_written;
-    WriteFile(log_file,
-              static_cast<const void*>(str_newline.c_str()),
-              static_cast<DWORD>(str_newline.length()),
-              &num_written,
-              NULL);
-#else
-    fprintf(log_file, "%s", str_newline.c_str());
-#endif
-
-    if (lock_log_file == LOCK_LOG_FILE) {
-#if defined(OS_WIN)
-      ReleaseMutex(log_mutex);
-#elif defined(OS_POSIX)
-      pthread_mutex_unlock(&log_mutex);
-#endif
-    } else {
-      log_lock->Unlock();
-    }
-  }
-
-  if (severity_ == LOG_FATAL) {
-    // display a message or break into the debugger on a fatal error
-    if (DebugUtil::BeingDebugged()) {
-      DebugUtil::BreakDebugger();
-    } else {
-#ifndef NDEBUG
-      // Dump a stack trace on a fatal.
-      StackTrace trace;
-      stream_ << "\n";  // Newline to separate from log message.
-      trace.OutputToStream(&stream_);
-#endif
-
-      if (log_assert_handler) {
-        // make a copy of the string for the handler out of paranoia
-        log_assert_handler(std::string(stream_.str()));
-      } else {
-        // Don't use the string with the newline, get a fresh version to send to
-        // the debug message process. We also don't display assertions to the
-        // user in release mode. The enduser can't do anything with this
-        // information, and displaying message boxes when the application is
-        // hosed can cause additional problems.
-#ifndef NDEBUG
-        DisplayDebugMessage(stream_.str());
-#endif
-        // Crash the process to generate a dump.
-        DebugUtil::BreakDebugger();
-      }
-    }
-  } else if (severity_ == LOG_ERROR_REPORT) {
-    // We are here only if the user runs with --enable-dcheck in release mode.
-    if (log_report_handler) {
-      log_report_handler(std::string(stream_.str()));
-    } else {
-      DisplayDebugMessage(stream_.str());
-    }
-  }
-}
-
-void CloseLogFile() {
-  if (!log_file)
-    return;
-
-  CloseFile(log_file);
-  log_file = NULL;
-}
-
-}  // namespace logging
-
-std::ostream& operator<<(std::ostream& out, const wchar_t* wstr) {
-  return out << base::SysWideToUTF8(std::wstring(wstr));
-}
-
-#endif // CHROMIUM_MOZILLA_BUILD
diff --git a/ipc/chromium/src/base/logging.h b/ipc/chromium/src/base/logging.h
index d5f78d66f12..660590f364b 100644
--- a/ipc/chromium/src/base/logging.h
+++ b/ipc/chromium/src/base/logging.h
@@ -9,9 +9,6 @@
 #include <cstring>
 
 #include "base/basictypes.h"
-
-#ifdef CHROMIUM_MOZILLA_BUILD
-
 #include "prlog.h"
 
 // Replace the Chromium logging code with NSPR-based logging code and
@@ -123,640 +120,4 @@ const mozilla::EmptyLog& operator <<(const mozilla::EmptyLog& log, const T&)
 #endif
 #define assert DLOG_ASSERT
 
-#else
-
-#include <sstream>
-
-//
-// Optional message capabilities
-// -----------------------------
-// Assertion failed messages and fatal errors are displayed in a dialog box
-// before the application exits. However, running this UI creates a message
-// loop, which causes application messages to be processed and potentially
-// dispatched to existing application windows. Since the application is in a
-// bad state when this assertion dialog is displayed, these messages may not
-// get processed and hang the dialog, or the application might go crazy.
-//
-// Therefore, it can be beneficial to display the error dialog in a separate
-// process from the main application. When the logging system needs to display
-// a fatal error dialog box, it will look for a program called
-// "DebugMessage.exe" in the same directory as the application executable. It
-// will run this application with the message as the command line, and will
-// not include the name of the application as is traditional for easier
-// parsing.
-//
-// The code for DebugMessage.exe is only one line. In WinMain, do:
-//   MessageBox(NULL, GetCommandLineW(), L"Fatal Error", 0);
-//
-// If DebugMessage.exe is not found, the logging code will use a normal
-// MessageBox, potentially causing the problems discussed above.
-
-
-// Instructions
-// ------------
-//
-// Make a bunch of macros for logging.  The way to log things is to stream
-// things to LOG(<a particular severity level>).  E.g.,
-//
-//   LOG(INFO) << "Found " << num_cookies << " cookies";
-//
-// You can also do conditional logging:
-//
-//   LOG_IF(INFO, num_cookies > 10) << "Got lots of cookies";
-//
-// The above will cause log messages to be output on the 1st, 11th, 21st, ...
-// times it is executed.  Note that the special COUNTER value is used to
-// identify which repetition is happening.
-//
-// The CHECK(condition) macro is active in both debug and release builds and
-// effectively performs a LOG(FATAL) which terminates the process and
-// generates a crashdump unless a debugger is attached.
-//
-// There are also "debug mode" logging macros like the ones above:
-//
-//   DLOG(INFO) << "Found cookies";
-//
-//   DLOG_IF(INFO, num_cookies > 10) << "Got lots of cookies";
-//
-// All "debug mode" logging is compiled away to nothing for non-debug mode
-// compiles.  LOG_IF and development flags also work well together
-// because the code can be compiled away sometimes.
-//
-// We also have
-//
-//   LOG_ASSERT(assertion);
-//   DLOG_ASSERT(assertion);
-//
-// which is syntactic sugar for {,D}LOG_IF(FATAL, assert fails) << assertion;
-//
-// We also override the standard 'assert' to use 'DLOG_ASSERT'.
-//
-// The supported severity levels for macros that allow you to specify one
-// are (in increasing order of severity) INFO, WARNING, ERROR, ERROR_REPORT,
-// and FATAL.
-//
-// Very important: logging a message at the FATAL severity level causes
-// the program to terminate (after the message is logged).
-//
-// Note the special severity of ERROR_REPORT only available/relevant in normal
-// mode, which displays error dialog without terminating the program. There is
-// no error dialog for severity ERROR or below in normal mode.
-//
-// There is also the special severity of DFATAL, which logs FATAL in
-// debug mode, ERROR_REPORT in normal mode.
-
-namespace logging {
-
-// Where to record logging output? A flat file and/or system debug log via
-// OutputDebugString. Defaults on Windows to LOG_ONLY_TO_FILE, and on
-// POSIX to LOG_ONLY_TO_SYSTEM_DEBUG_LOG (aka stderr).
-enum LoggingDestination { LOG_NONE,
-                          LOG_ONLY_TO_FILE,
-                          LOG_ONLY_TO_SYSTEM_DEBUG_LOG,
-                          LOG_TO_BOTH_FILE_AND_SYSTEM_DEBUG_LOG };
-
-// Indicates that the log file should be locked when being written to.
-// Often, there is no locking, which is fine for a single threaded program.
-// If logging is being done from multiple threads or there can be more than
-// one process doing the logging, the file should be locked during writes to
-// make each log outut atomic. Other writers will block.
-//
-// All processes writing to the log file must have their locking set for it to
-// work properly. Defaults to DONT_LOCK_LOG_FILE.
-enum LogLockingState { LOCK_LOG_FILE, DONT_LOCK_LOG_FILE };
-
-// On startup, should we delete or append to an existing log file (if any)?
-// Defaults to APPEND_TO_OLD_LOG_FILE.
-enum OldFileDeletionState { DELETE_OLD_LOG_FILE, APPEND_TO_OLD_LOG_FILE };
-
-// Sets the log file name and other global logging state. Calling this function
-// is recommended, and is normally done at the beginning of application init.
-// If you don't call it, all the flags will be initialized to their default
-// values, and there is a race condition that may leak a critical section
-// object if two threads try to do the first log at the same time.
-// See the definition of the enums above for descriptions and default values.
-//
-// The default log file is initialized to "debug.log" in the application
-// directory. You probably don't want this, especially since the program
-// directory may not be writable on an enduser's system.
-#if defined(OS_WIN)
-void InitLogging(const wchar_t* log_file, LoggingDestination logging_dest,
-                 LogLockingState lock_log, OldFileDeletionState delete_old);
-#elif defined(OS_POSIX)
-// TODO(avi): do we want to do a unification of character types here?
-void InitLogging(const char* log_file, LoggingDestination logging_dest,
-                 LogLockingState lock_log, OldFileDeletionState delete_old);
-#endif
-
-// Sets the log level. Anything at or above this level will be written to the
-// log file/displayed to the user (if applicable). Anything below this level
-// will be silently ignored. The log level defaults to 0 (everything is logged)
-// if this function is not called.
-void SetMinLogLevel(int level);
-
-// Gets the current log level.
-int GetMinLogLevel();
-
-// Sets the log filter prefix.  Any log message below LOG_ERROR severity that
-// doesn't start with this prefix with be silently ignored.  The filter defaults
-// to NULL (everything is logged) if this function is not called.  Messages
-// with severity of LOG_ERROR or higher will not be filtered.
-void SetLogFilterPrefix(const char* filter);
-
-// Sets the common items you want to be prepended to each log message.
-// process and thread IDs default to off, the timestamp defaults to on.
-// If this function is not called, logging defaults to writing the timestamp
-// only.
-void SetLogItems(bool enable_process_id, bool enable_thread_id,
-                 bool enable_timestamp, bool enable_tickcount);
-
-// Sets the Log Assert Handler that will be used to notify of check failures.
-// The default handler shows a dialog box and then terminate the process,
-// however clients can use this function to override with their own handling
-// (e.g. a silent one for Unit Tests)
-typedef void (*LogAssertHandlerFunction)(const std::string& str);
-void SetLogAssertHandler(LogAssertHandlerFunction handler);
-// Sets the Log Report Handler that will be used to notify of check failures
-// in non-debug mode. The default handler shows a dialog box and continues
-// the execution, however clients can use this function to override with their
-// own handling.
-typedef void (*LogReportHandlerFunction)(const std::string& str);
-void SetLogReportHandler(LogReportHandlerFunction handler);
-
-typedef int LogSeverity;
-const LogSeverity LOG_INFO = 0;
-const LogSeverity LOG_WARNING = 1;
-const LogSeverity LOG_ERROR = 2;
-const LogSeverity LOG_ERROR_REPORT = 3;
-const LogSeverity LOG_FATAL = 4;
-const LogSeverity LOG_NUM_SEVERITIES = 5;
-
-// LOG_DFATAL_LEVEL is LOG_FATAL in debug mode, ERROR_REPORT in normal mode
-#ifdef NDEBUG
-const LogSeverity LOG_DFATAL_LEVEL = LOG_ERROR_REPORT;
-#else
-const LogSeverity LOG_DFATAL_LEVEL = LOG_FATAL;
-#endif
-
-// A few definitions of macros that don't generate much code. These are used
-// by LOG() and LOG_IF, etc. Since these are used all over our code, it's
-// better to have compact code for these operations.
-#define COMPACT_GOOGLE_LOG_INFO \
-  logging::LogMessage(__FILE__, __LINE__)
-#define COMPACT_GOOGLE_LOG_WARNING \
-  logging::LogMessage(__FILE__, __LINE__, logging::LOG_WARNING)
-#define COMPACT_GOOGLE_LOG_ERROR \
-  logging::LogMessage(__FILE__, __LINE__, logging::LOG_ERROR)
-#define COMPACT_GOOGLE_LOG_ERROR_REPORT \
-  logging::LogMessage(__FILE__, __LINE__, logging::LOG_ERROR_REPORT)
-#define COMPACT_GOOGLE_LOG_FATAL \
-  logging::LogMessage(__FILE__, __LINE__, logging::LOG_FATAL)
-#define COMPACT_GOOGLE_LOG_DFATAL \
-  logging::LogMessage(__FILE__, __LINE__, logging::LOG_DFATAL_LEVEL)
-
-// wingdi.h defines ERROR to be 0. When we call LOG(ERROR), it gets
-// substituted with 0, and it expands to COMPACT_GOOGLE_LOG_0. To allow us
-// to keep using this syntax, we define this macro to do the same thing
-// as COMPACT_GOOGLE_LOG_ERROR, and also define ERROR the same way that
-// the Windows SDK does for consistency.
-#define ERROR 0
-#define COMPACT_GOOGLE_LOG_0 \
-  logging::LogMessage(__FILE__, __LINE__, logging::LOG_ERROR)
-
-// We use the preprocessor's merging operator, "##", so that, e.g.,
-// LOG(INFO) becomes the token COMPACT_GOOGLE_LOG_INFO.  There's some funny
-// subtle difference between ostream member streaming functions (e.g.,
-// ostream::operator<<(int) and ostream non-member streaming functions
-// (e.g., ::operator<<(ostream&, string&): it turns out that it's
-// impossible to stream something like a string directly to an unnamed
-// ostream. We employ a neat hack by calling the stream() member
-// function of LogMessage which seems to avoid the problem.
-
-#define LOG(severity) COMPACT_GOOGLE_LOG_ ## severity.stream()
-#define SYSLOG(severity) LOG(severity)
-
-#define LOG_IF(severity, condition) \
-  !(condition) ? (void) 0 : logging::LogMessageVoidify() & LOG(severity)
-#define SYSLOG_IF(severity, condition) LOG_IF(severity, condition)
-
-#define LOG_ASSERT(condition)  \
-  LOG_IF(FATAL, !(condition)) << "Assert failed: " #condition ". "
-#define SYSLOG_ASSERT(condition) \
-  SYSLOG_IF(FATAL, !(condition)) << "Assert failed: " #condition ". "
-
-// CHECK dies with a fatal error if condition is not true.  It is *not*
-// controlled by NDEBUG, so the check will be executed regardless of
-// compilation mode.
-#define CHECK(condition) \
-  LOG_IF(FATAL, !(condition)) << "Check failed: " #condition ". "
-
-// A container for a string pointer which can be evaluated to a bool -
-// true iff the pointer is NULL.
-struct CheckOpString {
-  CheckOpString(std::string* str) : str_(str) { }
-  // No destructor: if str_ is non-NULL, we're about to LOG(FATAL),
-  // so there's no point in cleaning up str_.
-  operator bool() const { return str_ != NULL; }
-  std::string* str_;
-};
-
-// Build the error message string.  This is separate from the "Impl"
-// function template because it is not performance critical and so can
-// be out of line, while the "Impl" code should be inline.
-template<class t1, class t2>
-std::string* MakeCheckOpString(const t1& v1, const t2& v2, const char* names) {
-  std::ostringstream ss;
-  ss << names << " (" << v1 << " vs. " << v2 << ")";
-  std::string* msg = new std::string(ss.str());
-  return msg;
-}
-
-extern std::string* MakeCheckOpStringIntInt(int v1, int v2, const char* names);
-
-template<int, int>
-std::string* MakeCheckOpString(const int& v1,
-                               const int& v2,
-                               const char* names) {
-  return MakeCheckOpStringIntInt(v1, v2, names);
-}
-
-// Plus some debug-logging macros that get compiled to nothing for production
-//
-// DEBUG_MODE is for uses like
-//   if (DEBUG_MODE) foo.CheckThatFoo();
-// instead of
-//   #ifndef NDEBUG
-//     foo.CheckThatFoo();
-//   #endif
-
-#ifdef OFFICIAL_BUILD
-// We want to have optimized code for an official build so we remove DLOGS and
-// DCHECK from the executable.
-
-#define DLOG(severity) \
-  true ? (void) 0 : logging::LogMessageVoidify() & LOG(severity)
-
-#define DLOG_IF(severity, condition) \
-  true ? (void) 0 : logging::LogMessageVoidify() & LOG(severity)
-
-#define DLOG_ASSERT(condition) \
-  true ? (void) 0 : LOG_ASSERT(condition)
-
-enum { DEBUG_MODE = 0 };
-
-// This macro can be followed by a sequence of stream parameters in
-// non-debug mode. The DCHECK and friends macros use this so that
-// the expanded expression DCHECK(foo) << "asdf" is still syntactically
-// valid, even though the expression will get optimized away.
-// In order to avoid variable unused warnings for code that only uses a
-// variable in a CHECK, we make sure to use the macro arguments.
-#define NDEBUG_EAT_STREAM_PARAMETERS \
-  logging::LogMessage(__FILE__, __LINE__).stream()
-
-#define DCHECK(condition) \
-  while (false && (condition)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_EQ(val1, val2) \
-  while (false && (val1) == (val2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_NE(val1, val2) \
-  while (false && (val1) == (val2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_LE(val1, val2) \
-  while (false && (val1) == (val2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_LT(val1, val2) \
-  while (false && (val1) == (val2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_GE(val1, val2) \
-  while (false && (val1) == (val2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_GT(val1, val2) \
-  while (false && (val1) == (val2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_STREQ(str1, str2) \
-  while (false && (str1) == (str2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_STRCASEEQ(str1, str2) \
-  while (false && (str1) == (str2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_STRNE(str1, str2) \
-  while (false && (str1) == (str2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_STRCASENE(str1, str2) \
-  while (false && (str1) == (str2)) NDEBUG_EAT_STREAM_PARAMETERS
-
-#else
-#ifndef NDEBUG
-// On a regular debug build, we want to have DCHECKS and DLOGS enabled.
-
-#define DLOG(severity) LOG(severity)
-#define DLOG_IF(severity, condition) LOG_IF(severity, condition)
-#define DLOG_ASSERT(condition) LOG_ASSERT(condition)
-
-// debug-only checking.  not executed in NDEBUG mode.
-enum { DEBUG_MODE = 1 };
-#define DCHECK(condition) \
-  LOG_IF(FATAL, !(condition)) << "Check failed: " #condition ". "
-
-// Helper macro for binary operators.
-// Don't use this macro directly in your code, use DCHECK_EQ et al below.
-#define DCHECK_OP(name, op, val1, val2)  \
-  if (logging::CheckOpString _result = \
-      logging::Check##name##Impl((val1), (val2), #val1 " " #op " " #val2)) \
-    logging::LogMessage(__FILE__, __LINE__, _result).stream()
-
-// Helper functions for string comparisons.
-// To avoid bloat, the definitions are in logging.cc.
-#define DECLARE_DCHECK_STROP_IMPL(func, expected) \
-  std::string* Check##func##expected##Impl(const char* s1, \
-                                           const char* s2, \
-                                           const char* names);
-DECLARE_DCHECK_STROP_IMPL(strcmp, true)
-DECLARE_DCHECK_STROP_IMPL(strcmp, false)
-DECLARE_DCHECK_STROP_IMPL(_stricmp, true)
-DECLARE_DCHECK_STROP_IMPL(_stricmp, false)
-#undef DECLARE_DCHECK_STROP_IMPL
-
-// Helper macro for string comparisons.
-// Don't use this macro directly in your code, use CHECK_STREQ et al below.
-#define DCHECK_STROP(func, op, expected, s1, s2) \
-  while (CheckOpString _result = \
-      logging::Check##func##expected##Impl((s1), (s2), \
-                                           #s1 " " #op " " #s2)) \
-    LOG(FATAL) << *_result.str_
-
-// String (char*) equality/inequality checks.
-// CASE versions are case-insensitive.
-//
-// Note that "s1" and "s2" may be temporary strings which are destroyed
-// by the compiler at the end of the current "full expression"
-// (e.g. DCHECK_STREQ(Foo().c_str(), Bar().c_str())).
-
-#define DCHECK_STREQ(s1, s2) DCHECK_STROP(strcmp, ==, true, s1, s2)
-#define DCHECK_STRNE(s1, s2) DCHECK_STROP(strcmp, !=, false, s1, s2)
-#define DCHECK_STRCASEEQ(s1, s2) DCHECK_STROP(_stricmp, ==, true, s1, s2)
-#define DCHECK_STRCASENE(s1, s2) DCHECK_STROP(_stricmp, !=, false, s1, s2)
-
-#define DCHECK_INDEX(I,A) DCHECK(I < (sizeof(A)/sizeof(A[0])))
-#define DCHECK_BOUND(B,A) DCHECK(B <= (sizeof(A)/sizeof(A[0])))
-
-#else  // NDEBUG
-// On a regular release build we want to be able to enable DCHECKS through the
-// command line.
-#define DLOG(severity) \
-  true ? (void) 0 : logging::LogMessageVoidify() & LOG(severity)
-
-#define DLOG_IF(severity, condition) \
-  true ? (void) 0 : logging::LogMessageVoidify() & LOG(severity)
-
-#define DLOG_ASSERT(condition) \
-  true ? (void) 0 : LOG_ASSERT(condition)
-
-enum { DEBUG_MODE = 0 };
-
-// This macro can be followed by a sequence of stream parameters in
-// non-debug mode. The DCHECK and friends macros use this so that
-// the expanded expression DCHECK(foo) << "asdf" is still syntactically
-// valid, even though the expression will get optimized away.
-#define NDEBUG_EAT_STREAM_PARAMETERS \
-  logging::LogMessage(__FILE__, __LINE__).stream()
-
-// Set to true in InitLogging when we want to enable the dchecks in release.
-extern bool g_enable_dcheck;
-#define DCHECK(condition) \
-    !logging::g_enable_dcheck ? void (0) : \
-        LOG_IF(ERROR_REPORT, !(condition)) << "Check failed: " #condition ". "
-
-// Helper macro for binary operators.
-// Don't use this macro directly in your code, use DCHECK_EQ et al below.
-#define DCHECK_OP(name, op, val1, val2)  \
-  if (logging::g_enable_dcheck) \
-    if (logging::CheckOpString _result = \
-        logging::Check##name##Impl((val1), (val2), #val1 " " #op " " #val2)) \
-      logging::LogMessage(__FILE__, __LINE__, logging::LOG_ERROR_REPORT, \
-                          _result).stream()
-
-#define DCHECK_STREQ(str1, str2) \
-  while (false) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_STRCASEEQ(str1, str2) \
-  while (false) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_STRNE(str1, str2) \
-  while (false) NDEBUG_EAT_STREAM_PARAMETERS
-
-#define DCHECK_STRCASENE(str1, str2) \
-  while (false) NDEBUG_EAT_STREAM_PARAMETERS
-
-#endif  // NDEBUG
-
-// Helper functions for DCHECK_OP macro.
-// The (int, int) specialization works around the issue that the compiler
-// will not instantiate the template version of the function on values of
-// unnamed enum type - see comment below.
-#define DEFINE_DCHECK_OP_IMPL(name, op) \
-  template <class t1, class t2> \
-  inline std::string* Check##name##Impl(const t1& v1, const t2& v2, \
-                                        const char* names) { \
-    if (v1 op v2) return NULL; \
-    else return MakeCheckOpString(v1, v2, names); \
-  } \
-  inline std::string* Check##name##Impl(int v1, int v2, const char* names) { \
-    if (v1 op v2) return NULL; \
-    else return MakeCheckOpString(v1, v2, names); \
-  }
-DEFINE_DCHECK_OP_IMPL(EQ, ==)
-DEFINE_DCHECK_OP_IMPL(NE, !=)
-DEFINE_DCHECK_OP_IMPL(LE, <=)
-DEFINE_DCHECK_OP_IMPL(LT, < )
-DEFINE_DCHECK_OP_IMPL(GE, >=)
-DEFINE_DCHECK_OP_IMPL(GT, > )
-#undef DEFINE_DCHECK_OP_IMPL
-
-// Equality/Inequality checks - compare two values, and log a LOG_FATAL message
-// including the two values when the result is not as expected.  The values
-// must have operator<<(ostream, ...) defined.
-//
-// You may append to the error message like so:
-//   DCHECK_NE(1, 2) << ": The world must be ending!";
-//
-// We are very careful to ensure that each argument is evaluated exactly
-// once, and that anything which is legal to pass as a function argument is
-// legal here.  In particular, the arguments may be temporary expressions
-// which will end up being destroyed at the end of the apparent statement,
-// for example:
-//   DCHECK_EQ(string("abc")[1], 'b');
-//
-// WARNING: These may not compile correctly if one of the arguments is a pointer
-// and the other is NULL. To work around this, simply static_cast NULL to the
-// type of the desired pointer.
-
-#define DCHECK_EQ(val1, val2) DCHECK_OP(EQ, ==, val1, val2)
-#define DCHECK_NE(val1, val2) DCHECK_OP(NE, !=, val1, val2)
-#define DCHECK_LE(val1, val2) DCHECK_OP(LE, <=, val1, val2)
-#define DCHECK_LT(val1, val2) DCHECK_OP(LT, < , val1, val2)
-#define DCHECK_GE(val1, val2) DCHECK_OP(GE, >=, val1, val2)
-#define DCHECK_GT(val1, val2) DCHECK_OP(GT, > , val1, val2)
-
-#endif  // OFFICIAL_BUILD
-
-#define NOTREACHED() DCHECK(false)
-
-// Redefine the standard assert to use our nice log files
-#undef assert
-#define assert(x) DLOG_ASSERT(x)
-
-// This class more or less represents a particular log message.  You
-// create an instance of LogMessage and then stream stuff to it.
-// When you finish streaming to it, ~LogMessage is called and the
-// full message gets streamed to the appropriate destination.
-//
-// You shouldn't actually use LogMessage's constructor to log things,
-// though.  You should use the LOG() macro (and variants thereof)
-// above.
-class LogMessage {
- public:
-  LogMessage(const char* file, int line, LogSeverity severity, int ctr);
-
-  // Two special constructors that generate reduced amounts of code at
-  // LOG call sites for common cases.
-  //
-  // Used for LOG(INFO): Implied are:
-  // severity = LOG_INFO, ctr = 0
-  //
-  // Using this constructor instead of the more complex constructor above
-  // saves a couple of bytes per call site.
-  LogMessage(const char* file, int line);
-
-  // Used for LOG(severity) where severity != INFO.  Implied
-  // are: ctr = 0
-  //
-  // Using this constructor instead of the more complex constructor above
-  // saves a couple of bytes per call site.
-  LogMessage(const char* file, int line, LogSeverity severity);
-
-  // A special constructor used for check failures.
-  // Implied severity = LOG_FATAL
-  LogMessage(const char* file, int line, const CheckOpString& result);
-
-  // A special constructor used for check failures, with the option to
-  // specify severity.
-  LogMessage(const char* file, int line, LogSeverity severity,
-             const CheckOpString& result);
-
-  ~LogMessage();
-
-  std::ostream& stream() { return stream_; }
-
- private:
-  void Init(const char* file, int line);
-
-  LogSeverity severity_;
-  std::ostringstream stream_;
-  size_t message_start_;  // Offset of the start of the message (past prefix
-                          // info).
-#if defined(OS_WIN)
-  // Stores the current value of GetLastError in the constructor and restores
-  // it in the destructor by calling SetLastError.
-  // This is useful since the LogMessage class uses a lot of Win32 calls
-  // that will lose the value of GLE and the code that called the log function
-  // will have lost the thread error value when the log call returns.
-  class SaveLastError {
-   public:
-    SaveLastError();
-    ~SaveLastError();
-
-    unsigned long get_error() const { return last_error_; }
-
-   protected:
-    unsigned long last_error_;
-  };
-
-  SaveLastError last_error_;
-#endif
-
-  DISALLOW_COPY_AND_ASSIGN(LogMessage);
-};
-
-// A non-macro interface to the log facility; (useful
-// when the logging level is not a compile-time constant).
-inline void LogAtLevel(int const log_level, std::string const &msg) {
-  LogMessage(__FILE__, __LINE__, log_level).stream() << msg;
-}
-
-// This class is used to explicitly ignore values in the conditional
-// logging macros.  This avoids compiler warnings like "value computed
-// is not used" and "statement has no effect".
-class LogMessageVoidify {
- public:
-  LogMessageVoidify() { }
-  // This has to be an operator with a precedence lower than << but
-  // higher than ?:
-  void operator&(std::ostream&) { }
-};
-
-// Closes the log file explicitly if open.
-// NOTE: Since the log file is opened as necessary by the action of logging
-//       statements, there's no guarantee that it will stay closed
-//       after this call.
-void CloseLogFile();
-
-}  // namespace logging
-
-// These functions are provided as a convenience for logging, which is where we
-// use streams (it is against Google style to use streams in other places). It
-// is designed to allow you to emit non-ASCII Unicode strings to the log file,
-// which is normally ASCII. It is relatively slow, so try not to use it for
-// common cases. Non-ASCII characters will be converted to UTF-8 by these
-// operators.
-std::ostream& operator<<(std::ostream& out, const wchar_t* wstr);
-inline std::ostream& operator<<(std::ostream& out, const std::wstring& wstr) {
-  return out << wstr.c_str();
-}
-
-// The NOTIMPLEMENTED() macro annotates codepaths which have
-// not been implemented yet.
-//
-// The implementation of this macro is controlled by NOTIMPLEMENTED_POLICY:
-//   0 -- Do nothing (stripped by compiler)
-//   1 -- Warn at compile time
-//   2 -- Fail at compile time
-//   3 -- Fail at runtime (DCHECK)
-//   4 -- [default] LOG(ERROR) at runtime
-//   5 -- LOG(ERROR) at runtime, only once per call-site
-
-#ifndef NOTIMPLEMENTED_POLICY
-// Select default policy: LOG(ERROR)
-#define NOTIMPLEMENTED_POLICY 4
-#endif
-
-#if defined(COMPILER_GCC)
-// On Linux, with GCC, we can use __PRETTY_FUNCTION__ to get the demangled name
-// of the current function in the NOTIMPLEMENTED message.
-#define NOTIMPLEMENTED_MSG "Not implemented reached in " << __PRETTY_FUNCTION__
-#else
-#define NOTIMPLEMENTED_MSG "NOT IMPLEMENTED"
-#endif
-
-#if NOTIMPLEMENTED_POLICY == 0
-#define NOTIMPLEMENTED() ;
-#elif NOTIMPLEMENTED_POLICY == 1
-// TODO, figure out how to generate a warning
-#define NOTIMPLEMENTED() COMPILE_ASSERT(false, NOT_IMPLEMENTED)
-#elif NOTIMPLEMENTED_POLICY == 2
-#define NOTIMPLEMENTED() COMPILE_ASSERT(false, NOT_IMPLEMENTED)
-#elif NOTIMPLEMENTED_POLICY == 3
-#define NOTIMPLEMENTED() NOTREACHED()
-#elif NOTIMPLEMENTED_POLICY == 4
-#define NOTIMPLEMENTED() LOG(ERROR) << NOTIMPLEMENTED_MSG
-#elif NOTIMPLEMENTED_POLICY == 5
-#define NOTIMPLEMENTED() do {\
-  static int count = 0;\
-  LOG_IF(ERROR, 0 == count++) << NOTIMPLEMENTED_MSG;\
-} while(0)
-#endif
-
-#endif // CHROMIUM_MOZILLA_BUILD
-
 #endif  // BASE_LOGGING_H_
diff --git a/ipc/chromium/src/base/message_loop.cc b/ipc/chromium/src/base/message_loop.cc
index 857fe892e95..7f2b444a220 100644
--- a/ipc/chromium/src/base/message_loop.cc
+++ b/ipc/chromium/src/base/message_loop.cc
@@ -31,9 +31,7 @@
 #include "base/message_pump_android.h"
 #endif
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 #include "MessagePump.h"
-#endif
 
 using base::Time;
 using base::TimeDelta;
@@ -98,8 +96,6 @@ MessageLoop::MessageLoop(Type type)
       next_sequence_num_(0) {
   DCHECK(!current()) << "should only have one message loop per thread";
   lazy_tls_ptr.Pointer()->Set(this);
-
-#ifdef CHROMIUM_MOZILLA_BUILD
   if (type_ == TYPE_MOZILLA_UI) {
     pump_ = new mozilla::ipc::MessagePump();
     return;
@@ -108,7 +104,7 @@ MessageLoop::MessageLoop(Type type)
     pump_ = new mozilla::ipc::MessagePumpForChildProcess();
     return;
   }
-#endif
+
 #if defined(OS_WIN)
   // TODO(rvargas): Get rid of the OS guards.
   if (type_ == TYPE_DEFAULT) {
@@ -209,15 +205,6 @@ void MessageLoop::RunHandler() {
 
 void MessageLoop::RunInternal() {
   DCHECK(this == current());
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  StartHistogrammer();
-#if defined(OS_WIN)
-  if (state_->dispatcher) {
-    pump_win()->RunWithDispatcher(this, state_->dispatcher);
-    return;
-  }
-#endif
-#endif
   pump_->Run(this);
 }
 
@@ -291,16 +278,7 @@ void MessageLoop::PostTask_Helper(
   scoped_refptr<base::MessagePump> pump;
   {
     AutoLock locked(incoming_queue_lock_);
-
-#ifdef CHROMIUM_MOZILLA_BUILD
     incoming_queue_.push(pending_task);
-#else
-    bool was_empty = incoming_queue_.empty();
-    incoming_queue_.push(pending_task);
-    if (!was_empty)
-      return;  // Someone else should have started the sub-pump.
-#endif
-
     pump = pump_;
   }
   // Since the incoming_queue_ may contain a task that destroys this message
@@ -317,11 +295,7 @@ void MessageLoop::SetNestableTasksAllowed(bool allowed) {
     if (!nestable_tasks_allowed_)
       return;
     // Start the native pump if we are not already pumping.
-#ifndef CHROMIUM_MOZILLA_BUILD
-    pump_->ScheduleWork();
-#else
     pump_->ScheduleWorkForNestedLoop();
-#endif
   }
 }
 
@@ -341,7 +315,6 @@ void MessageLoop::RunTask(Task* task) {
   // Execute the task and assume the worst: It is probably not reentrant.
   nestable_tasks_allowed_ = false;
 
-  HistogramEvent(kTaskRunEvent);
   task->Run();
   delete task;
 
@@ -533,76 +506,6 @@ bool MessageLoop::PendingTask::operator<(const PendingTask& other) const {
   return (sequence_num - other.sequence_num) > 0;
 }
 
-//------------------------------------------------------------------------------
-// Method and data for histogramming events and actions taken by each instance
-// on each thread.
-
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-// static
-bool MessageLoop::enable_histogrammer_ = false;
-#endif
-
-// static
-void MessageLoop::EnableHistogrammer(bool enable) {
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  enable_histogrammer_ = enable;
-#endif
-}
-
-void MessageLoop::StartHistogrammer() {
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  if (enable_histogrammer_ && !message_histogram_.get()
-      && base::StatisticsRecorder::IsActive()) {
-    DCHECK(!thread_name_.empty());
-    message_histogram_.reset(static_cast<base::LinearHistogram*>(
-                             base::LinearHistogram::FactoryGet(("MsgLoop:" + thread_name_).c_str(),
-                                                               kLeastNonZeroMessageId,
-                                                               kMaxMessageId,
-                                                               kNumberOfDistinctMessagesDisplayed,
-                                                               base::Histogram::kNoFlags)));
-    message_histogram_->SetFlags(message_histogram_->kHexRangePrintingFlag);
-    message_histogram_->SetRangeDescriptions(event_descriptions_);
-  }
-#endif
-}
-
-void MessageLoop::HistogramEvent(int event) {
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  if (message_histogram_.get())
-    message_histogram_->Add(event);
-#endif
-}
-
-// Provide a macro that takes an expression (such as a constant, or macro
-// constant) and creates a pair to initalize an array of pairs.  In this case,
-// our pair consists of the expressions value, and the "stringized" version
-// of the expression (i.e., the exrpression put in quotes).  For example, if
-// we have:
-//    #define FOO 2
-//    #define BAR 5
-// then the following:
-//    VALUE_TO_NUMBER_AND_NAME(FOO + BAR)
-// will expand to:
-//   {7, "FOO + BAR"}
-// We use the resulting array as an argument to our histogram, which reads the
-// number as a bucket identifier, and proceeds to use the corresponding name
-// in the pair (i.e., the quoted string) when printing out a histogram.
-#define VALUE_TO_NUMBER_AND_NAME(name) {name, #name},
-
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-// static
-const base::LinearHistogram::DescriptionPair MessageLoop::event_descriptions_[] = {
-  // Provide some pretty print capability in our histogram for our internal
-  // messages.
-
-  // A few events we handle (kindred to messages), and used to profile actions.
-  VALUE_TO_NUMBER_AND_NAME(kTaskRunEvent)
-  VALUE_TO_NUMBER_AND_NAME(kTimerEvent)
-
-  {-1, NULL}  // The list must be null terminated, per API to histogram.
-};
-#endif
-
 //------------------------------------------------------------------------------
 // MessageLoopForUI
 
@@ -662,7 +565,6 @@ bool MessageLoopForIO::WatchFileDescriptor(int fd,
       delegate);
 }
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 bool
 MessageLoopForIO::CatchSignal(int sig,
                               SignalEvent* sigevent,
@@ -670,6 +572,5 @@ MessageLoopForIO::CatchSignal(int sig,
 {
   return pump_libevent()->CatchSignal(sig, sigevent, delegate);
 }
-#endif  // defined(CHROMIUM_MOZILLA_BUILD)
 
 #endif
diff --git a/ipc/chromium/src/base/message_loop.h b/ipc/chromium/src/base/message_loop.h
index 22eaef788a5..f736a636139 100644
--- a/ipc/chromium/src/base/message_loop.h
+++ b/ipc/chromium/src/base/message_loop.h
@@ -10,12 +10,8 @@
 #include <string>
 #include <vector>
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 #include <map>
 #include "base/lock.h"
-#else
-#include "base/histogram.h"
-#endif
 #include "base/message_pump.h"
 #include "base/observer_list.h"
 #include "base/ref_counted.h"
@@ -31,7 +27,6 @@
 #include "base/message_pump_libevent.h"
 #endif
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 namespace mozilla {
 namespace ipc {
 
@@ -39,7 +34,6 @@ class DoWorkRunnable;
 
 } /* namespace ipc */
 } /* namespace mozilla */
-#endif
 
 // A MessageLoop is used to process events for a particular thread.  There is
 // at most one MessageLoop instance per thread.
@@ -73,13 +67,9 @@ class DoWorkRunnable;
 //
 class MessageLoop : public base::MessagePump::Delegate {
 
-#ifdef CHROMIUM_MOZILLA_BUILD
   friend class mozilla::ipc::DoWorkRunnable;
-#endif
 
 public:
-  static void EnableHistogrammer(bool enable_histogrammer);
-
   // A DestructionObserver is notified when the current MessageLoop is being
   // destroyed.  These obsevers are notified prior to MessageLoop::current()
   // being changed to return NULL.  This gives interested parties the chance to
@@ -212,11 +202,9 @@ public:
   enum Type {
     TYPE_DEFAULT,
     TYPE_UI,
-    TYPE_IO
-#ifdef CHROMIUM_MOZILLA_BUILD
-    , TYPE_MOZILLA_CHILD
-    , TYPE_MOZILLA_UI
-#endif
+    TYPE_IO,
+    TYPE_MOZILLA_CHILD,
+    TYPE_MOZILLA_UI
   };
 
   // Normally, it is not necessary to instantiate a MessageLoop.  Instead, it
@@ -381,20 +369,6 @@ public:
   virtual bool DoDelayedWork(base::Time* next_delayed_work_time);
   virtual bool DoIdleWork();
 
-  // Start recording histogram info about events and action IF it was enabled
-  // and IF the statistics recorder can accept a registration of our histogram.
-  void StartHistogrammer();
-
-  // Add occurence of event to our histogram, so that we can see what is being
-  // done in a specific MessageLoop instance (i.e., specific thread).
-  // If message_histogram_ is NULL, this is a no-op.
-  void HistogramEvent(int event);
-
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  static const base::LinearHistogram::DescriptionPair event_descriptions_[];
-  static bool enable_histogrammer_;
-#endif
-
   Type type_;
 
   // A list of tasks that need to be processed by this instance.  Note that
@@ -420,10 +394,7 @@ public:
   bool exception_restoration_;
 
   std::string thread_name_;
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  // A profiling histogram showing the counts of various messages and events.
-  scoped_ptr<base::LinearHistogram> message_histogram_;
-#endif
+
   // A null terminated list which creates an incoming_queue of tasks that are
   // aquired under a mutex for processing on this instance's thread. These tasks
   // have not yet been sorted out into items for our work_queue_ vs items that
@@ -463,14 +434,10 @@ class MessageLoopForUI : public MessageLoop {
     MessageLoop* loop = MessageLoop::current();
     if (!loop)
       return NULL;
-#ifdef CHROMIUM_MOZILLA_BUILD
     Type type = loop->type();
     DCHECK(type == MessageLoop::TYPE_UI ||
            type == MessageLoop::TYPE_MOZILLA_UI ||
            type == MessageLoop::TYPE_MOZILLA_CHILD);
-#else
-    DCHECK_EQ(MessageLoop::TYPE_UI, loop->type());
-#endif
     return static_cast<MessageLoopForUI*>(loop);
   }
 
@@ -551,13 +518,11 @@ class MessageLoopForIO : public MessageLoop {
                            FileDescriptorWatcher *controller,
                            Watcher *delegate);
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
   typedef base::MessagePumpLibevent::SignalEvent SignalEvent;
   typedef base::MessagePumpLibevent::SignalWatcher SignalWatcher;
   bool CatchSignal(int sig,
                    SignalEvent* sigevent,
                    SignalWatcher* delegate);
-#endif  // defined(CHROMIUM_MOZILLA_BUILD)
 
 #endif  // defined(OS_POSIX)
 };
diff --git a/ipc/chromium/src/base/message_pump.h b/ipc/chromium/src/base/message_pump.h
index 077829013c4..46bb3c49251 100644
--- a/ipc/chromium/src/base/message_pump.h
+++ b/ipc/chromium/src/base/message_pump.h
@@ -111,7 +111,6 @@ class MessagePump : public RefCountedThreadSafe<MessagePump> {
   // until it returns a value of false.
   virtual void ScheduleWork() = 0;
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
   // This method may only called from the thread that called Run.
   //
   // Ensure that DoWork will be called if a nested loop is entered.
@@ -119,7 +118,6 @@ class MessagePump : public RefCountedThreadSafe<MessagePump> {
   // "reasonably soon", this method can be a no-op to avoid expensive
   // atomic tests and/or syscalls required for ScheduleWork().
   virtual void ScheduleWorkForNestedLoop() { ScheduleWork(); };
-#endif  // defined(CHROMIUM_MOZILLA_BUILD)
 
   // Schedule a DoDelayedWork callback to happen at the specified time,
   // cancelling any pending DoDelayedWork callback.  This method may only be
diff --git a/ipc/chromium/src/base/message_pump_default.h b/ipc/chromium/src/base/message_pump_default.h
index b9f8cd06c83..78cb8d1f42f 100644
--- a/ipc/chromium/src/base/message_pump_default.h
+++ b/ipc/chromium/src/base/message_pump_default.h
@@ -22,11 +22,7 @@ class MessagePumpDefault : public MessagePump {
   virtual void ScheduleWork();
   virtual void ScheduleDelayedWork(const Time& delayed_work_time);
 
-#ifdef CHROMIUM_MOZILLA_BUILD
  protected:
-#else
- private:
-#endif
   // This flag is set to false when Run should return.
   bool keep_running_;
 
@@ -36,9 +32,7 @@ class MessagePumpDefault : public MessagePump {
   // The time at which we should call DoDelayedWork.
   Time delayed_work_time_;
 
-#ifdef CHROMIUM_MOZILLA_BUILD
  private:
-#endif
   DISALLOW_COPY_AND_ASSIGN(MessagePumpDefault);
 };
 
diff --git a/ipc/chromium/src/base/message_pump_libevent.cc b/ipc/chromium/src/base/message_pump_libevent.cc
index b537988e483..6194f79da3f 100644
--- a/ipc/chromium/src/base/message_pump_libevent.cc
+++ b/ipc/chromium/src/base/message_pump_libevent.cc
@@ -212,7 +212,6 @@ void MessagePumpLibevent::OnLibeventNotification(int fd, short flags,
 }
 
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 MessagePumpLibevent::SignalEvent::SignalEvent() :
   event_(NULL)
 {
@@ -293,7 +292,6 @@ MessagePumpLibevent::OnLibeventSignalNotification(int sig, short flags,
   DCHECK(context);
   reinterpret_cast<SignalWatcher*>(context)->OnSignal(sig);
 }
-#endif  // defined(CHROMIUM_MOZILLA_BUILD)
 
 
 // Reentrant!
diff --git a/ipc/chromium/src/base/message_pump_libevent.h b/ipc/chromium/src/base/message_pump_libevent.h
index 7013e299e78..6b108449930 100644
--- a/ipc/chromium/src/base/message_pump_libevent.h
+++ b/ipc/chromium/src/base/message_pump_libevent.h
@@ -85,7 +85,6 @@ class MessagePumpLibevent : public MessagePump {
                            Watcher *delegate);
 
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
   // This is analagous to FileDescriptorWatcher above, which really is
   // just a wrapper around libevent's |struct event|.  This class acts
   // as a sort of "scoped event watcher" in that it guarantees that
@@ -129,7 +128,6 @@ class MessagePumpLibevent : public MessagePump {
   bool CatchSignal(int sig,
                    SignalEvent* sigevent,
                    SignalWatcher* delegate);
-#endif  // defined(CHROMIUM_MOZILLA_BUILD)
 
 
   // MessagePump methods:
@@ -160,11 +158,9 @@ class MessagePumpLibevent : public MessagePump {
   static void OnLibeventNotification(int fd, short flags,
                                      void* context);
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
   // Called by libevent upon receiving a signal
   static void OnLibeventSignalNotification(int sig, short flags,
                                            void* context);
-#endif
 
   // Unix pipe used to implement ScheduleWork()
   // ... callback; called by libevent inside Run() when pipe is ready to read
diff --git a/ipc/chromium/src/base/pickle.cc b/ipc/chromium/src/base/pickle.cc
index da4245790a7..25be5ed90e3 100644
--- a/ipc/chromium/src/base/pickle.cc
+++ b/ipc/chromium/src/base/pickle.cc
@@ -15,11 +15,7 @@
 const int Pickle::kPayloadUnit = 64;
 
 // We mark a read only pickle with a special capacity_.
-#ifdef CHROMIUM_MOZILLA_BUILD
 static const uint32 kCapacityReadOnly = (uint32) -1;
-#else
-static const size_t kCapacityReadOnly = (size_t) -1;
-#endif
 
 // Payload is uint32 aligned.
 
@@ -37,11 +33,7 @@ Pickle::Pickle(int header_size)
       header_size_(AlignInt(header_size, sizeof(uint32))),
       capacity_(0),
       variable_buffer_offset_(0) {
-#ifdef CHROMIUM_MOZILLA_BUILD
   DCHECK(static_cast<uint32>(header_size) >= sizeof(Header));
-#else
-  DCHECK(static_cast<size_t>(header_size) >= sizeof(Header));
-#endif
   DCHECK(header_size <= kPayloadUnit);
   Resize(kPayloadUnit);
   header_->payload_size = 0;
@@ -61,11 +53,7 @@ Pickle::Pickle(const Pickle& other)
       header_size_(other.header_size_),
       capacity_(0),
       variable_buffer_offset_(other.variable_buffer_offset_) {
-#ifdef CHROMIUM_MOZILLA_BUILD
   uint32 payload_size = header_size_ + other.header_->payload_size;
-#else
-  size_t payload_size = header_size_ + other.header_->payload_size;
-#endif
   bool resized = Resize(payload_size);
   CHECK(resized);  // Realloc failed.
   memcpy(header_, other.header_, payload_size);
@@ -399,21 +387,12 @@ bool Pickle::ReadData(void** iter, const char** data, int* length) const {
   return ReadBytes(iter, data, *length);
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 char* Pickle::BeginWrite(uint32 length) {
-#else
-char* Pickle::BeginWrite(size_t length) {
-#endif
   // write at a uint32-aligned offset from the beginning of the header
   uint32 offset = AlignInt(header_->payload_size, sizeof(uint32));
-
-#ifdef CHROMIUM_MOZILLA_BUILD
   uint32 new_size = offset + AlignInt(length, sizeof(uint32));
   uint32 needed_size = header_size_ + new_size;
-#else
-  size_t new_size = offset + length;
-  size_t needed_size = header_size_ + new_size;
-#endif
+
   if (needed_size > capacity_ && !Resize(std::max(capacity_ * 2, needed_size)))
     return NULL;
 
@@ -509,11 +488,7 @@ void Pickle::TrimWriteData(int new_length) {
   *cur_length = new_length;
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 bool Pickle::Resize(uint32 new_capacity) {
-#else
-bool Pickle::Resize(size_t new_capacity) {
-#endif
   new_capacity = AlignInt(new_capacity, kPayloadUnit);
 
   void* p = realloc(header_, new_capacity);
@@ -526,19 +501,11 @@ bool Pickle::Resize(size_t new_capacity) {
 }
 
 // static
-#ifdef CHROMIUM_MOZILLA_BUILD
 const char* Pickle::FindNext(uint32 header_size,
-#else
-const char* Pickle::FindNext(size_t header_size,
-#endif
                              const char* start,
                              const char* end) {
   DCHECK(header_size == AlignInt(header_size, sizeof(uint32)));
-#ifdef CHROMIUM_MOZILLA_BUILD
   DCHECK(header_size <= static_cast<uint32>(kPayloadUnit));
-#else
-  DCHECK(header_size <= static_cast<size_t>(kPayloadUnit));
-#endif
 
   const Header* hdr = reinterpret_cast<const Header*>(start);
   const char* payload_base = start + header_size;
diff --git a/ipc/chromium/src/base/pickle.h b/ipc/chromium/src/base/pickle.h
index 3cef8ff29c1..8206706ee7e 100644
--- a/ipc/chromium/src/base/pickle.h
+++ b/ipc/chromium/src/base/pickle.h
@@ -170,11 +170,9 @@ class Pickle {
   // not been changed.
   void TrimWriteData(int length);
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
   void EndRead(void* iter) const {
     DCHECK(iter == end_of_payload());
   }
-#endif
 
   // Payload follows after allocation of Header (header size is customizable).
   struct Header {
@@ -207,11 +205,7 @@ class Pickle {
   }
 
  protected:
-#ifdef CHROMIUM_MOZILLA_BUILD
   uint32 payload_size() const { return header_->payload_size; }
-#else
-  size_t payload_size() const { return header_->payload_size; }
-#endif
 
   char* payload() {
     return reinterpret_cast<char*>(header_) + header_size_;
@@ -229,11 +223,7 @@ class Pickle {
     return payload() + payload_size();
   }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
   uint32 capacity() const {
-#else
-  size_t capacity() const {
-#endif
     return capacity_;
   }
 
@@ -241,11 +231,7 @@ class Pickle {
   // location that the data should be written at is returned, or NULL if there
   // was an error. Call EndWrite with the returned offset and the given length
   // to pad out for the next write.
-#ifdef CHROMIUM_MOZILLA_BUILD
   char* BeginWrite(uint32 length);
-#else
-  char* BeginWrite(size_t length);
-#endif
 
   // Completes the write operation by padding the data with NULL bytes until it
   // is padded. Should be paired with BeginWrite, but it does not necessarily
@@ -256,18 +242,10 @@ class Pickle {
   // the header: new_capacity = sizeof(Header) + desired_payload_capacity.
   // A realloc() failure will cause a Resize failure... and caller should check
   // the return result for true (i.e., successful resizing).
-#ifdef CHROMIUM_MOZILLA_BUILD
   bool Resize(uint32 new_capacity);
-#else
-  bool Resize(size_t new_capacity);
-#endif
 
   // Aligns 'i' by rounding it up to the next multiple of 'alignment'
-#ifdef CHROMIUM_MOZILLA_BUILD
   static uint32 AlignInt(uint32 i, int alignment) {
-#else
-  static size_t AlignInt(size_t i, int alignment) {
-#endif
     return i + (alignment - (i % alignment)) % alignment;
   }
 
@@ -280,11 +258,7 @@ class Pickle {
 
   // Find the end of the pickled data that starts at range_start.  Returns NULL
   // if the entire Pickle is not found in the given data range.
-#ifdef CHROMIUM_MOZILLA_BUILD
   static const char* FindNext(uint32 header_size,
-#else
-  static const char* FindNext(size_t header_size,
-#endif
                               const char* range_start,
                               const char* range_end);
 
@@ -293,17 +267,9 @@ class Pickle {
 
  private:
   Header* header_;
-#ifdef CHROMIUM_MOZILLA_BUILD
   uint32 header_size_;
   uint32 capacity_;
   uint32 variable_buffer_offset_;
-#else
-  size_t header_size_;  // Supports extra data between header and payload.
-  // Allocation size of payload (or -1 if allocation is const).
-  size_t capacity_;
-  size_t variable_buffer_offset_;  // IF non-zero, then offset to a buffer.
-#endif
-
   FRIEND_TEST(PickleTest, Resize);
   FRIEND_TEST(PickleTest, FindNext);
   FRIEND_TEST(PickleTest, IteratorHasRoom);
diff --git a/ipc/chromium/src/base/port.h b/ipc/chromium/src/base/port.h
index 0fc530dd34b..573f5f07bcb 100644
--- a/ipc/chromium/src/base/port.h
+++ b/ipc/chromium/src/base/port.h
@@ -40,16 +40,7 @@ namespace base {
 // for this purpose.  MSVC does not provide va_copy, so define an
 // implementation here.  It is not guaranteed that assignment is a copy, so the
 // StringUtil.VariableArgsFunc unit test tests this capability.
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-inline void va_copy(va_list& a, va_list& b) {
-#if defined(COMPILER_GCC)
-  ::va_copy(a, b);
-#elif defined(COMPILER_MSVC)
-  a = b;
-#endif
-}
 
-#else
 // The C standard says that va_copy is a "macro", not a function.  Trying to 
 // use va_list as ref args to a function, as above, breaks some machines.
 #  if defined(COMPILER_GCC)
@@ -60,8 +51,6 @@ inline void va_copy(va_list& a, va_list& b) {
 #    error No va_copy for your compiler
 #  endif
 
-#endif
-
 }  // namespace base
 
 // Define an OS-neutral wrapper for shared library entry points
diff --git a/ipc/chromium/src/base/process_util_linux.cc b/ipc/chromium/src/base/process_util_linux.cc
index 71f0f2fb800..08c0043c08d 100644
--- a/ipc/chromium/src/base/process_util_linux.cc
+++ b/ipc/chromium/src/base/process_util_linux.cc
@@ -32,20 +32,16 @@ static mozilla::EnvironmentLog gProcessLog("MOZ_PROCESS_LOG");
 
 namespace base {
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 bool LaunchApp(const std::vector<std::string>& argv,
                const file_handle_mapping_vector& fds_to_remap,
                bool wait, ProcessHandle* process_handle) {
   return LaunchApp(argv, fds_to_remap, environment_map(),
                    wait, process_handle);
 }
-#endif
 
 bool LaunchApp(const std::vector<std::string>& argv,
                const file_handle_mapping_vector& fds_to_remap,
-#if defined(CHROMIUM_MOZILLA_BUILD)
                const environment_map& env_vars_to_set,
-#endif
                bool wait, ProcessHandle* process_handle,
                ProcessArchitecture arch) {
   pid_t pid = fork();
@@ -64,23 +60,19 @@ bool LaunchApp(const std::vector<std::string>& argv,
 
     CloseSuperfluousFds(fd_shuffle);
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
     for (environment_map::const_iterator it = env_vars_to_set.begin();
          it != env_vars_to_set.end(); ++it) {
       if (setenv(it->first.c_str(), it->second.c_str(), 1/*overwrite*/))
         exit(127);
     }
-#endif
 
     scoped_array<char*> argv_cstr(new char*[argv.size() + 1]);
     for (size_t i = 0; i < argv.size(); i++)
       argv_cstr[i] = const_cast<char*>(argv[i].c_str());
     argv_cstr[argv.size()] = NULL;
     execvp(argv_cstr[0], argv_cstr.get());
-#if defined(CHROMIUM_MOZILLA_BUILD)
     // if we get here, we're in serious trouble and should complain loudly
     DLOG(ERROR) << "FAILED TO exec() CHILD PROCESS, path: " << argv_cstr[0];
-#endif
     exit(127);
   } else {
     gProcessLog.print("==> process %d launched child process %d\n",
diff --git a/ipc/chromium/src/base/process_util_win.cc b/ipc/chromium/src/base/process_util_win.cc
index 151ab0ff8ca..bb3fa3d25d5 100644
--- a/ipc/chromium/src/base/process_util_win.cc
+++ b/ipc/chromium/src/base/process_util_win.cc
@@ -321,36 +321,6 @@ bool DidProcessCrash(bool* child_exited, ProcessHandle handle) {
     return false;
   }
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-  // All other exit codes indicate crashes.
-
-  // TODO(jar): Remove histogramming code when UMA stats are consistent with
-  // other crash metrics.
-  // Histogram the low order 3 nibbles for UMA
-  const int kLeastValue = 0;
-  const int kMaxValue = 0xFFF;
-  const int kBucketCount = kMaxValue - kLeastValue + 1;
-  static LinearHistogram least_significant_histogram("ExitCodes.LSNibbles",
-      kLeastValue + 1, kMaxValue, kBucketCount);
-  least_significant_histogram.SetFlags(kUmaTargetedHistogramFlag |
-                                       LinearHistogram::kHexRangePrintingFlag);
-  least_significant_histogram.Add(exitcode & 0xFFF);
-
-  // Histogram the high order 3 nibbles
-  static LinearHistogram most_significant_histogram("ExitCodes.MSNibbles",
-      kLeastValue + 1, kMaxValue, kBucketCount);
-  most_significant_histogram.SetFlags(kUmaTargetedHistogramFlag |
-                                      LinearHistogram::kHexRangePrintingFlag);
-  // Avoid passing in negative numbers by shifting data into low end of dword.
-  most_significant_histogram.Add((exitcode >> 20) & 0xFFF);
-
-  // Histogram the middle order 2 nibbles
-  static LinearHistogram mid_significant_histogram("ExitCodes.MidNibbles",
-      1, 0xFF, 0x100);
-  mid_significant_histogram.SetFlags(kUmaTargetedHistogramFlag |
-                                      LinearHistogram::kHexRangePrintingFlag);
-  mid_significant_histogram.Add((exitcode >> 12) & 0xFF);
-#endif
   return true;
 }
 
diff --git a/ipc/chromium/src/base/shared_memory.h b/ipc/chromium/src/base/shared_memory.h
index 1046916c6b9..3072a1e696c 100644
--- a/ipc/chromium/src/base/shared_memory.h
+++ b/ipc/chromium/src/base/shared_memory.h
@@ -67,11 +67,7 @@ class SharedMemory {
   // opens the existing shared memory and ignores the size parameter.
   // If name is the empty string, use a unique name.
   // Returns true on success, false on failure.
-#ifdef CHROMIUM_MOZILLA_BUILD
   bool Create(const std::string& name, bool read_only, bool open_existing,
-#else
-  bool Create(const std::wstring& name, bool read_only, bool open_existing,
-#endif
               size_t size);
 
   // Deletes resources associated with a shared memory segment based on name.
diff --git a/ipc/chromium/src/base/shared_memory_posix.cc b/ipc/chromium/src/base/shared_memory_posix.cc
index 3a265501ef8..d00cff73877 100644
--- a/ipc/chromium/src/base/shared_memory_posix.cc
+++ b/ipc/chromium/src/base/shared_memory_posix.cc
@@ -70,17 +70,11 @@ SharedMemoryHandle SharedMemory::NULLHandle() {
   return SharedMemoryHandle();
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 bool SharedMemory::Create(const std::string &cname, bool read_only,
-#else
-bool SharedMemory::Create(const std::wstring &name, bool read_only,
-#endif
                           bool open_existing, size_t size) {
   read_only_ = read_only;
 
-#ifdef CHROMIUM_MOZILLA_BUILD
   std::wstring name = UTF8ToWide(cname);
-#endif
 
   int posix_flags = 0;
   posix_flags |= read_only ? O_RDONLY : O_RDWR;
diff --git a/ipc/chromium/src/base/shared_memory_win.cc b/ipc/chromium/src/base/shared_memory_win.cc
index d657dddf60d..de0c684f72c 100644
--- a/ipc/chromium/src/base/shared_memory_win.cc
+++ b/ipc/chromium/src/base/shared_memory_win.cc
@@ -6,9 +6,7 @@
 
 #include "base/logging.h"
 #include "base/win_util.h"
-#ifdef CHROMIUM_MOZILLA_BUILD
-#  include "base/string_util.h"
-#endif
+#include "base/string_util.h"
 
 namespace base {
 
@@ -58,18 +56,10 @@ SharedMemoryHandle SharedMemory::NULLHandle() {
   return NULL;
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 bool SharedMemory::Create(const std::string &cname, bool read_only,
-#else
-bool SharedMemory::Create(const std::wstring &name, bool read_only,
-#endif
                           bool open_existing, size_t size) {
   DCHECK(mapped_file_ == NULL);
-
-#ifdef CHROMIUM_MOZILLA_BUILD
   std::wstring name = UTF8ToWide(cname);
-#endif
-
   name_ = name;
   read_only_ = read_only;
   mapped_file_ = CreateFileMapping(INVALID_HANDLE_VALUE, NULL,
diff --git a/ipc/chromium/src/base/stats_table.cc b/ipc/chromium/src/base/stats_table.cc
index 9edc2cef3c2..b2bf976676b 100644
--- a/ipc/chromium/src/base/stats_table.cc
+++ b/ipc/chromium/src/base/stats_table.cc
@@ -170,12 +170,7 @@ StatsTablePrivate* StatsTablePrivate::New(const std::string& name,
                                           int max_threads,
                                           int max_counters) {
   scoped_ptr<StatsTablePrivate> priv(new StatsTablePrivate());
-#ifdef CHROMIUM_MOZILLA_BUILD
-  if (!priv->shared_memory_.Create(name, false, true,
-#else
-  if (!priv->shared_memory_.Create(base::SysUTF8ToWide(name), false, true,
-#endif
-                                   size))
+  if (!priv->shared_memory_.Create(name, false, true, size))
     return NULL;
   if (!priv->shared_memory_.Map(size))
     return NULL;
diff --git a/ipc/chromium/src/base/string16.cc b/ipc/chromium/src/base/string16.cc
index 285b6b37c7f..baea961c8b5 100644
--- a/ipc/chromium/src/base/string16.cc
+++ b/ipc/chromium/src/base/string16.cc
@@ -69,10 +69,4 @@ char16* c16memset(char16* s, char16 c, size_t n) {
 
 template class std::basic_string<char16, base::string16_char_traits>;
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-std::ostream& operator<<(std::ostream& out, const string16& str) {
-  return out << UTF16ToUTF8(str);
-}
-#endif
-
 #endif  // WCHAR_T_IS_UTF32
diff --git a/ipc/chromium/src/base/string_util.cc b/ipc/chromium/src/base/string_util.cc
index 51609e2935f..63dd36cc345 100644
--- a/ipc/chromium/src/base/string_util.cc
+++ b/ipc/chromium/src/base/string_util.cc
@@ -23,9 +23,6 @@
 #include "base/basictypes.h"
 #include "base/logging.h"
 #include "base/singleton.h"
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "base/third_party/dmg_fp/dmg_fp.h"
-#endif
 
 namespace {
 
@@ -249,47 +246,6 @@ class HexString16ToLongTraits {
   }
 };
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-class StringToDoubleTraits {
- public:
-  typedef std::string string_type;
-  typedef double value_type;
-  static inline value_type convert_func(const string_type::value_type* str,
-                                        string_type::value_type** endptr) {
-    return dmg_fp::strtod(str, endptr);
-  }
-  static inline bool valid_func(const string_type& str) {
-    return !str.empty() && !isspace(str[0]);
-  }
-};
-
-class String16ToDoubleTraits {
- public:
-  typedef string16 string_type;
-  typedef double value_type;
-  static inline value_type convert_func(const string_type::value_type* str,
-                                        string_type::value_type** endptr) {
-    // Because dmg_fp::strtod does not like char16, we convert it to ASCII.
-    // In theory, this should be safe, but it's possible that 16-bit chars
-    // might get ignored by accident causing something to be parsed when it
-    // shouldn't.
-    std::string ascii_string = UTF16ToASCII(string16(str));
-    char* ascii_end = NULL;
-    value_type ret = dmg_fp::strtod(ascii_string.c_str(), &ascii_end);
-    if (ascii_string.c_str() + ascii_string.length() == ascii_end) {
-      // Put endptr at end of input string, so it's not recognized as an error.
-      *endptr =
-          const_cast<string_type::value_type*>(str) + ascii_string.length();
-    }
-
-    return ret;
-  }
-  static inline bool valid_func(const string_type& str) {
-    return !str.empty() && !iswspace(str[0]);
-  }
-};
-#endif
-
 }  // namespace
 
 
@@ -335,9 +291,7 @@ bool IsWprintfFormatPortable(const wchar_t* format) {
 
 }  // namespace base
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 namespace base {
-#endif
 
 const std::string& EmptyString() {
   return Singleton<EmptyStrings>::get()->s;
@@ -351,9 +305,7 @@ const string16& EmptyString16() {
   return Singleton<EmptyStrings>::get()->s16;
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 }
-#endif
 
 const wchar_t kWhitespaceWide[] = {
   0x0009,  // <control-0009> to <control-000D>
@@ -765,11 +717,7 @@ bool StartsWith(const std::wstring& str,
     if (search.size() > str.size())
       return false;
     return std::equal(search.begin(), search.end(), str.begin(),
-#if defined(CHROMIUM_MOZILLA_BUILD)
                       chromium_CaseInsensitiveCompare<wchar_t>());
-#else
-                      CaseInsensitiveCompare<wchar_t>());
-#endif
   }
 }
 
@@ -944,11 +892,7 @@ static void StringAppendVT(StringType* dst,
   typename StringType::value_type stack_buf[1024];
 
   va_list backup_ap;
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  base::va_copy(backup_ap, ap);
-#else
   base_va_copy(backup_ap, ap);
-#endif	// !defined(CHROMIUM_MOZILLA_BUILD)
 
 #if !defined(OS_WIN)
   errno = 0;
@@ -995,11 +939,7 @@ static void StringAppendVT(StringType* dst,
     std::vector<typename StringType::value_type> mem_buf(mem_length);
 
     // Restore the va_list before we use it again.
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-    base::va_copy(backup_ap, ap);
-#else
     base_va_copy(backup_ap, ap);
-#endif	// !defined(CHROMIUM_MOZILLA_BUILD)
 
     result = vsnprintfT(&mem_buf[0], mem_length, format, ap);
     va_end(backup_ap);
@@ -1111,19 +1051,6 @@ std::wstring Uint64ToWString(uint64 value) {
       IntToString(value);
 }
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-std::string DoubleToString(double value) {
-  // According to g_fmt.cc, it is sufficient to declare a buffer of size 32.
-  char buffer[32];
-  dmg_fp::g_fmt(buffer, value);
-  return std::string(buffer);
-}
-
-std::wstring DoubleToWString(double value) {
-  return ASCIIToWide(DoubleToString(value));
-}
-#endif
-
 void StringAppendV(std::string* dst, const char* format, va_list ap) {
   StringAppendVT(dst, format, ap);
 }
@@ -1495,7 +1422,7 @@ bool MatchPattern(const std::string& eval, const std::string& pattern) {
 
 // XXX Sigh.
 
-#if !defined(ARCH_CPU_64_BITS) || !defined(CHROMIUM_MOZILLA_BUILD)
+#if !defined(ARCH_CPU_64_BITS)
 bool StringToInt(const std::string& input, int* output) {
   COMPILE_ASSERT(sizeof(int) == sizeof(long), cannot_strtol_to_int);
   return StringToNumber<StringToLongTraits>(input,
@@ -1528,7 +1455,7 @@ bool StringToInt(const string16& input, int* output) {
   *output = static_cast<int>(tmp);
   return true;
 }
-#endif //  !defined(ARCH_CPU_64_BITS) || !defined(CHROMIUM_MOZILLA_BUILD)
+#endif //  !defined(ARCH_CPU_64_BITS)
 
 bool StringToInt64(const std::string& input, int64* output) {
   return StringToNumber<StringToInt64Traits>(input, output);
@@ -1538,7 +1465,7 @@ bool StringToInt64(const string16& input, int64* output) {
   return StringToNumber<String16ToInt64Traits>(input, output);
 }
 
-#if !defined(ARCH_CPU_64_BITS) || !defined(CHROMIUM_MOZILLA_BUILD)
+#if !defined(ARCH_CPU_64_BITS)
 bool HexStringToInt(const std::string& input, int* output) {
   COMPILE_ASSERT(sizeof(int) == sizeof(long), cannot_strtol_to_int);
   return StringToNumber<HexStringToLongTraits>(input,
@@ -1572,7 +1499,7 @@ bool HexStringToInt(const string16& input, int* output) {
   return true;
 }
 
-#endif // !defined(ARCH_CPU_64_BITS) || !defined(CHROMIUM_MOZILLA_BUILD)
+#endif // !defined(ARCH_CPU_64_BITS)
 
 namespace {
 
@@ -1652,28 +1579,6 @@ int HexStringToInt(const string16& value) {
   return result;
 }
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-bool StringToDouble(const std::string& input, double* output) {
-  return StringToNumber<StringToDoubleTraits>(input, output);
-}
-
-bool StringToDouble(const string16& input, double* output) {
-  return StringToNumber<String16ToDoubleTraits>(input, output);
-}
-
-double StringToDouble(const std::string& value) {
-  double result;
-  StringToDouble(value, &result);
-  return result;
-}
-
-double StringToDouble(const string16& value) {
-  double result;
-  StringToDouble(value, &result);
-  return result;
-}
-#endif
-
 // The following code is compatible with the OpenBSD lcpy interface.  See:
 //   http://www.gratisoft.us/todd/papers/strlcpy.html
 //   ftp://ftp.openbsd.org/pub/OpenBSD/src/lib/libc/string/{wcs,str}lcpy.c
diff --git a/ipc/chromium/src/base/string_util.h b/ipc/chromium/src/base/string_util.h
index d280187081b..9736aaf2eda 100644
--- a/ipc/chromium/src/base/string_util.h
+++ b/ipc/chromium/src/base/string_util.h
@@ -108,9 +108,7 @@ bool IsWprintfFormatPortable(const wchar_t* format);
 #error Define string operations appropriately for your platform
 #endif
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 namespace base {
-#endif
 // Returns a reference to a globally unique empty string that functions can
 // return.  Use this to avoid static construction of strings, not to replace
 // any and all uses of "std::string()" as nicer-looking sugar.
@@ -118,9 +116,7 @@ namespace base {
 const std::string& EmptyString();
 const std::wstring& EmptyWString();
 const string16& EmptyString16();
-#ifdef CHROMIUM_MOZILLA_BUILD
 }
-#endif
 
 extern const wchar_t kWhitespaceWide[];
 extern const char kWhitespaceASCII[];
@@ -509,11 +505,7 @@ inline typename string_type::value_type* WriteInto(string_type* str,
 
 // Function objects to aid in comparing/searching strings.
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 template<typename Char> struct chromium_CaseInsensitiveCompare {
-#else
-template<typename Char> struct CaseInsensitiveCompare {
-#endif
  public:
   bool operator()(Char x, Char y) const {
     return tolower(x) == tolower(y);
diff --git a/ipc/chromium/src/base/third_party/nspr/prtime.h b/ipc/chromium/src/base/third_party/nspr/prtime.h
index 8026aabb19f..df72e6ff7c0 100644
--- a/ipc/chromium/src/base/third_party/nspr/prtime.h
+++ b/ipc/chromium/src/base/third_party/nspr/prtime.h
@@ -55,13 +55,7 @@
 #include "base/logging.h"
 #include "base/third_party/nspr/prtypes.h"
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 PR_BEGIN_EXTERN_C
-#endif
-
-#ifndef CHROMIUM_MOZILLA_BUILD
-#define PR_ASSERT DCHECK
-#endif
 
 #define LL_I2L(l, i)    ((l) = (PRInt64)(i))
 #define LL_MUL(r, a, b) ((r) = (a) * (b))
@@ -171,9 +165,7 @@ typedef struct PRExplodedTime {
 
 typedef PRTimeParameters (PR_CALLBACK *PRTimeParamFn)(const PRExplodedTime *gmt);
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 PR_END_EXTERN_C
-#endif
 
 namespace nspr {
 
diff --git a/ipc/chromium/src/build/build_config.h b/ipc/chromium/src/build/build_config.h
index f7293d9b11b..1e04497ef63 100644
--- a/ipc/chromium/src/build/build_config.h
+++ b/ipc/chromium/src/build/build_config.h
@@ -65,26 +65,10 @@
 #endif
 
 // Type detection for wchar_t.
-#ifndef CHROMIUM_MOZILLA_BUILD
-
-#if defined(OS_WIN)
-#define WCHAR_T_IS_UTF16
-#elif defined(OS_POSIX) && defined(COMPILER_GCC) && \
-    defined(__WCHAR_MAX__) && \
-    (__WCHAR_MAX__ == 0x7fffffff || __WCHAR_MAX__ == 0xffffffff)
-#define WCHAR_T_IS_UTF32
-#else
-#error Please add support for your compiler in build/build_config.h
-#endif
-
-#else // CHROMIUM_MOZILLA_BUILD
-
 #if defined(OS_WIN)
 #define WCHAR_T_IS_UTF16
 #else
 #define WCHAR_T_IS_UTF32
 #endif
 
-#endif // CHROMIUM_MOZILLA_BUILD
-
 #endif  // BUILD_BUILD_CONFIG_H_
diff --git a/ipc/chromium/src/chrome/common/child_process_host.cc b/ipc/chromium/src/chrome/common/child_process_host.cc
index d52074bdfc7..5f2c5b06a32 100644
--- a/ipc/chromium/src/chrome/common/child_process_host.cc
+++ b/ipc/chromium/src/chrome/common/child_process_host.cc
@@ -10,19 +10,12 @@
 #include "base/process_util.h"
 #include "base/singleton.h"
 #include "base/waitable_event.h"
-#ifdef CHROMIUM_MOZILLA_BUILD
 #include "mozilla/ipc/ProcessChild.h"
 #include "mozilla/ipc/BrowserProcessSubThread.h"
 typedef mozilla::ipc::BrowserProcessSubThread ChromeThread;
-#else
-#include "chrome/browser/chrome_thread.h"
-#endif
 #include "chrome/common/ipc_logging.h"
 #include "chrome/common/notification_service.h"
 #include "chrome/common/notification_type.h"
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "chrome/common/plugin_messages.h"
-#endif
 #include "chrome/common/process_watcher.h"
 #include "chrome/common/result_codes.h"
 
@@ -57,11 +50,7 @@ class ChildNotificationTask : public Task {
 ChildProcessHost::ChildProcessHost(
     ProcessType type, ResourceDispatcherHost* resource_dispatcher_host)
     :
-#ifdef CHROMIUM_MOZILLA_BUILD
       ChildProcessInfo(type),
-#else
-      Receiver(type),
-#endif
       ALLOW_THIS_IN_INITIALIZER_LIST(listener_(this)),
       resource_dispatcher_host_(resource_dispatcher_host),
       opening_channel_(false),
@@ -120,16 +109,12 @@ bool ChildProcessHost::Send(IPC::Message* msg) {
 }
 
 void ChildProcessHost::Notify(NotificationType type) {
-#ifdef CHROMIUM_MOZILLA_BUILD
   MessageLoop* loop = ChromeThread::GetMessageLoop(ChromeThread::IO);
   if (!loop)
       loop = mozilla::ipc::ProcessChild::message_loop();
   if (!loop)
       loop = MessageLoop::current();
   loop->PostTask(
-#else
-  resource_dispatcher_host_->ui_loop()->PostTask(
-#endif
       FROM_HERE, new ChildNotificationTask(type, this));
 }
 
@@ -147,10 +132,6 @@ void ChildProcessHost::OnWaitableEventSignaled(base::WaitableEvent *event) {
   // Notify in the main loop of the disconnection.
   Notify(NotificationType::CHILD_PROCESS_HOST_DISCONNECTED);
 #endif
-
-#ifndef CHROMIUM_MOZILLA_BUILD
-  delete this;
-#endif
 }
 
 ChildProcessHost::ListenerHook::ListenerHook(ChildProcessHost* host)
@@ -171,27 +152,10 @@ void ChildProcessHost::ListenerHook::OnMessageReceived(
 #endif
 
   bool msg_is_ok = true;
-#ifdef CHROMIUM_MOZILLA_BUILD
   bool handled = false;
-#else
-  bool handled = host_->resource_dispatcher_host_->OnMessageReceived(
-      msg, host_, &msg_is_ok);
-#endif
 
   if (!handled) {
-#ifdef CHROMIUM_MOZILLA_BUILD
-    if (0) {
-#else
-    if (msg.type() == PluginProcessHostMsg_ShutdownRequest::ID) {
-      // Must remove the process from the list now, in case it gets used for a
-      // new instance before our watcher tells us that the process terminated.
-      Singleton<ChildProcessList>::get()->remove(host_);
-      if (host_->CanShutdown())
-        host_->Send(new PluginProcessMsg_Shutdown());
-#endif
-    } else {
       host_->OnMessageReceived(msg);
-    }
   }
 
   if (!msg_is_ok)
@@ -206,9 +170,6 @@ void ChildProcessHost::ListenerHook::OnMessageReceived(
 void ChildProcessHost::ListenerHook::OnChannelConnected(int32 peer_pid) {
   host_->opening_channel_ = false;
   host_->OnChannelConnected(peer_pid);
-#ifndef CHROMIUM_MOZILLA_BUILD
-  host_->Send(new PluginProcessMsg_AskBeforeShutdown());
-#endif
 
   // Notify in the main loop of the connection.
   host_->Notify(NotificationType::CHILD_PROCESS_HOST_CONNECTED);
@@ -221,21 +182,11 @@ void ChildProcessHost::ListenerHook::OnChannelError() {
 
 
 ChildProcessHost::Iterator::Iterator() : all_(true) {
-#ifndef CHROMIUM_MOZILLA_BUILD
-  DCHECK(MessageLoop::current() ==
-      ChromeThread::GetMessageLoop(ChromeThread::IO)) <<
-          "ChildProcessInfo::Iterator must be used on the IO thread.";
-#endif
   iterator_ = Singleton<ChildProcessList>::get()->begin();
 }
 
 ChildProcessHost::Iterator::Iterator(ProcessType type)
     : all_(false), type_(type) {
-#ifndef CHROMIUM_MOZILLA_BUILD
-  DCHECK(MessageLoop::current() ==
-      ChromeThread::GetMessageLoop(ChromeThread::IO)) <<
-          "ChildProcessInfo::Iterator must be used on the IO thread.";
-#endif
   iterator_ = Singleton<ChildProcessList>::get()->begin();
   if (!Done() && (*iterator_)->type() != type_)
     ++(*this);
diff --git a/ipc/chromium/src/chrome/common/child_process_host.h b/ipc/chromium/src/chrome/common/child_process_host.h
index 8baad836112..54319b73c73 100644
--- a/ipc/chromium/src/chrome/common/child_process_host.h
+++ b/ipc/chromium/src/chrome/common/child_process_host.h
@@ -12,11 +12,7 @@
 #include "base/basictypes.h"
 #include "base/scoped_ptr.h"
 #include "base/waitable_event_watcher.h"
-#ifdef CHROMIUM_MOZILLA_BUILD
 class ResourceDispatcherHost;
-#else
-#include "chrome/browser/renderer_host/resource_dispatcher_host.h"
-#endif
 #include "chrome/common/child_process_info.h"
 #include "chrome/common/ipc_channel.h"
 
@@ -25,12 +21,8 @@ class NotificationType;
 // Plugins/workers and other child processes that live on the IO thread should
 // derive from this class.
 class ChildProcessHost :
-#ifdef CHROMIUM_MOZILLA_BUILD
                          public IPC::Message::Sender,
                          public ChildProcessInfo,
-#else
-                         public ResourceDispatcherHost::Receiver,
-#endif
                          public base::WaitableEventWatcher::Delegate,
                          public IPC::Channel::Listener {
  public:
@@ -84,28 +76,20 @@ class ChildProcessHost :
   bool opening_channel() { return opening_channel_; }
   const std::wstring& channel_id() { return channel_id_; }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
   base::WaitableEvent* GetProcessEvent() { return process_event_.get(); }
-#endif
 
   const IPC::Channel& channel() const { return *channel_; }
-#ifdef CHROMIUM_MOZILLA_BUILD
   IPC::Channel* channelp() const { return channel_.get(); }
-#endif
 
  private:
   // Sends the given notification to the notification service on the UI thread.
   void Notify(NotificationType type);
 
-#ifdef CHROMIUM_MOZILLA_BUILD
  protected:
-#endif
   // WaitableEventWatcher::Delegate implementation:
   virtual void OnWaitableEventSignaled(base::WaitableEvent *event);
-#ifdef CHROMIUM_MOZILLA_BUILD
- private:
-#endif
 
+ private:
   // By using an internal class as the IPC::Channel::Listener, we can intercept
   // OnMessageReceived/OnChannelConnected and do our own processing before
   // calling the subclass' implementation.
diff --git a/ipc/chromium/src/chrome/common/child_process_info.cc b/ipc/chromium/src/chrome/common/child_process_info.cc
index bd1ebff0e0f..2f2c1238afa 100644
--- a/ipc/chromium/src/chrome/common/child_process_info.cc
+++ b/ipc/chromium/src/chrome/common/child_process_info.cc
@@ -6,16 +6,10 @@
 
 #include <limits>
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "app/l10n_util.h"
-#endif
 #include "base/logging.h"
 #include "base/process_util.h"
 #include "base/rand_util.h"
 #include "base/string_util.h"
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "grit/generated_resources.h"
-#endif
 
 std::wstring ChildProcessInfo::GetTypeNameInEnglish(
     ChildProcessInfo::ProcessType type) {
@@ -36,30 +30,7 @@ std::wstring ChildProcessInfo::GetTypeNameInEnglish(
 }
 
 std::wstring ChildProcessInfo::GetLocalizedTitle() const {
-#ifdef CHROMIUM_MOZILLA_BUILD
   return name_;
-#else
-  std::wstring title = name_;
-  if (type_ == ChildProcessInfo::PLUGIN_PROCESS && title.empty())
-    title = l10n_util::GetString(IDS_TASK_MANAGER_UNKNOWN_PLUGIN_NAME);
-
-  int message_id;
-  if (type_ == ChildProcessInfo::PLUGIN_PROCESS) {
-    message_id = IDS_TASK_MANAGER_PLUGIN_PREFIX;
-  } else if (type_ == ChildProcessInfo::WORKER_PROCESS) {
-    message_id = IDS_TASK_MANAGER_WORKER_PREFIX;
-  } else {
-    DCHECK(false) << "Need localized name for child process type.";
-    return title;
-  }
-
-  // Explicitly mark name as LTR if there is no strong RTL character,
-  // to avoid the wrong concatenation result similar to "!Yahoo! Mail: the
-  // best web-based Email: NIGULP", in which "NIGULP" stands for the Hebrew
-  // or Arabic word for "plugin".
-  l10n_util::AdjustStringForLocaleDirection(title, &title);
-  return l10n_util::GetStringF(message_id, title);
-#endif
 }
 
 ChildProcessInfo::ChildProcessInfo(ProcessType type) {
diff --git a/ipc/chromium/src/chrome/common/child_thread.cc b/ipc/chromium/src/chrome/common/child_thread.cc
index 27ffc063aff..73daf663373 100644
--- a/ipc/chromium/src/chrome/common/child_thread.cc
+++ b/ipc/chromium/src/chrome/common/child_thread.cc
@@ -9,10 +9,6 @@
 #include "chrome/common/child_process.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/ipc_logging.h"
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "chrome/common/plugin_messages.h"
-#include "webkit/glue/webkit_glue.h"
-#endif
 
 // V8 needs a 1MB stack size.
 const size_t ChildThread::kV8StackSize = 1024 * 1024;
@@ -25,14 +21,6 @@ ChildThread::ChildThread(Thread::Options options)
   DCHECK(owner_loop_);
   channel_name_ = CommandLine::ForCurrentProcess()->GetSwitchValue(
       switches::kProcessChannelID);
-
-  if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kUserAgent)) {
-#ifndef CHROMIUM_MOZILLA_BUILD
-    webkit_glue::SetUserAgent(WideToUTF8(
-        CommandLine::ForCurrentProcess()->GetSwitchValue(
-            switches::kUserAgent)));
-#endif
-  }
 }
 
 ChildThread::~ChildThread() {
@@ -68,22 +56,6 @@ void ChildThread::RemoveRoute(int32 routing_id) {
 }
 
 void ChildThread::OnMessageReceived(const IPC::Message& msg) {
-#ifndef CHROMIUM_MOZILLA_BUILD
-  // Resource responses are sent to the resource dispatcher.
-  if (resource_dispatcher_->OnMessageReceived(msg))
-    return;
-
-  if (msg.type() == PluginProcessMsg_AskBeforeShutdown::ID) {
-    check_with_browser_before_shutdown_ = true;
-    return;
-  }
-
-  if (msg.type() == PluginProcessMsg_Shutdown::ID) {
-    owner_loop_->PostTask(FROM_HERE, new MessageLoop::QuitTask());
-    return;
-  }
-#endif
-
   if (msg.routing_id() == MSG_ROUTING_CONTROL) {
     OnControlMessageReceived(msg);
   } else {
@@ -96,23 +68,13 @@ ChildThread* ChildThread::current() {
 }
 
 void ChildThread::Init() {
-#ifndef CHROMIUM_MOZILLA_BUILD
-  channel_.reset(new IPC::SyncChannel(channel_name_,
-      IPC::Channel::MODE_CLIENT, this, NULL, owner_loop_, true,
-      ChildProcess::current()->GetShutDownEvent()));
-#else
   channel_.reset(new IPC::Channel(channel_name_,
                                   IPC::Channel::MODE_CLIENT,
                                   this));
-#endif
 
 #ifdef IPC_MESSAGE_LOG_ENABLED
   IPC::Logging::current()->SetIPCSender(this);
 #endif
-
-#ifndef CHROMIUM_MOZILLA_BUILD
-  resource_dispatcher_.reset(new ResourceDispatcher(this));
-#endif
 }
 
 void ChildThread::CleanUp() {
@@ -122,9 +84,6 @@ void ChildThread::CleanUp() {
   // Need to destruct the SyncChannel to the browser before we go away because
   // it caches a pointer to this thread.
   channel_.reset();
-#ifndef CHROMIUM_MOZILLA_BUILD
-  resource_dispatcher_.reset();
-#endif
 }
 
 void ChildThread::OnProcessFinalRelease() {
@@ -132,12 +91,4 @@ void ChildThread::OnProcessFinalRelease() {
     owner_loop_->PostTask(FROM_HERE, new MessageLoop::QuitTask());
     return;
   }
-
-#ifndef CHROMIUM_MOZILLA_BUILD
-  // The child process shutdown sequence is a request response based mechanism,
-  // where we send out an initial feeler request to the child process host
-  // instance in the browser to verify if it's ok to shutdown the child process.
-  // The browser then sends back a response if it's ok to shutdown.
-  Send(new PluginProcessHostMsg_ShutdownRequest);
-#endif
 }
diff --git a/ipc/chromium/src/chrome/common/child_thread.h b/ipc/chromium/src/chrome/common/child_thread.h
index 97a74ba1a75..aeafc09f3f4 100644
--- a/ipc/chromium/src/chrome/common/child_thread.h
+++ b/ipc/chromium/src/chrome/common/child_thread.h
@@ -9,11 +9,7 @@
 #include "chrome/common/ipc_sync_channel.h"
 #include "chrome/common/message_router.h"
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 class ResourceDispatcher;
-#else
-#include "chrome/common/resource_dispatcher.h"
-#endif
 
 // Child processes's background thread should derive from this class.
 class ChildThread : public IPC::Channel::Listener,
@@ -33,12 +29,6 @@ class ChildThread : public IPC::Channel::Listener,
 
   MessageLoop* owner_loop() { return owner_loop_; }
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-  ResourceDispatcher* resource_dispatcher() {
-    return resource_dispatcher_.get();
-  }
-#endif
-
  protected:
   friend class ChildProcess;
 
@@ -60,11 +50,7 @@ class ChildThread : public IPC::Channel::Listener,
   // Returns the one child thread.
   static ChildThread* current();
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-  IPC::SyncChannel* channel() { return channel_.get(); }
-#else
   IPC::Channel* channel() { return channel_.get(); }
-#endif
 
   // Thread implementation.
   virtual void Init();
@@ -79,11 +65,7 @@ class ChildThread : public IPC::Channel::Listener,
   MessageLoop* owner_loop_;
 
   std::wstring channel_name_;
-#ifndef CHROMIUM_MOZILLA_BUILD
-  scoped_ptr<IPC::SyncChannel> channel_;
-#else
   scoped_ptr<IPC::Channel> channel_;
-#endif
 
   // Used only on the background render thread to implement message routing
   // functionality to the consumers of the ChildThread.
@@ -91,12 +73,6 @@ class ChildThread : public IPC::Channel::Listener,
 
   Thread::Options options_;
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-  // Handles resource loads for this process.
-  // NOTE: this object lives on the owner thread.
-  scoped_ptr<ResourceDispatcher> resource_dispatcher_;
-#endif
-
   // If true, checks with the browser process before shutdown.  This avoids race
   // conditions if the process refcount is 0 but there's an IPC message inflight
   // that would addref it.
diff --git a/ipc/chromium/src/chrome/common/chrome_paths.cc b/ipc/chromium/src/chrome/common/chrome_paths.cc
index 241430697bc..ce36c14ced7 100644
--- a/ipc/chromium/src/chrome/common/chrome_paths.cc
+++ b/ipc/chromium/src/chrome/common/chrome_paths.cc
@@ -32,187 +32,6 @@ bool GetGearsPluginPathFromCommandLine(FilePath* path) {
 }
 
 bool PathProvider(int key, FilePath* result) {
-#ifndef CHROMIUM_MOZILLA_BUILD
-  // Some keys are just aliases...
-  switch (key) {
-    case chrome::DIR_APP:
-      return PathService::Get(base::DIR_MODULE, result);
-    case chrome::DIR_LOGS:
-#ifndef NDEBUG
-      return PathService::Get(chrome::DIR_USER_DATA, result);
-#else
-      return PathService::Get(base::DIR_EXE, result);
-#endif
-    case chrome::FILE_RESOURCE_MODULE:
-      return PathService::Get(base::FILE_MODULE, result);
-  }
-
-  // Assume that we will not need to create the directory if it does not exist.
-  // This flag can be set to true for the cases where we want to create it.
-  bool create_dir = false;
-
-  FilePath cur;
-  switch (key) {
-    case chrome::DIR_USER_DATA:
-      if (!GetDefaultUserDataDirectory(&cur))
-        return false;
-      create_dir = true;
-      break;
-    case chrome::DIR_USER_DOCUMENTS:
-      if (!GetUserDocumentsDirectory(&cur))
-        return false;
-      create_dir = true;
-      break;
-    case chrome::DIR_DEFAULT_DOWNLOADS:
-      if (!GetUserDownloadsDirectory(&cur))
-        return false;
-      break;
-    case chrome::DIR_CRASH_DUMPS:
-      // The crash reports are always stored relative to the default user data
-      // directory.  This avoids the problem of having to re-initialize the
-      // exception handler after parsing command line options, which may
-      // override the location of the app's profile directory.
-      if (!GetDefaultUserDataDirectory(&cur))
-        return false;
-      cur = cur.Append(FILE_PATH_LITERAL("Crash Reports"));
-      create_dir = true;
-      break;
-    case chrome::DIR_USER_DESKTOP:
-      if (!GetUserDesktop(&cur))
-        return false;
-      break;
-    case chrome::DIR_RESOURCES:
-      if (!PathService::Get(chrome::DIR_APP, &cur))
-        return false;
-      cur = cur.Append(FILE_PATH_LITERAL("resources"));
-      create_dir = true;
-      break;
-    case chrome::DIR_INSPECTOR:
-      if (!PathService::Get(chrome::DIR_APP, &cur))
-        return false;
-      cur = cur.Append(FILE_PATH_LITERAL("resources"));
-      cur = cur.Append(FILE_PATH_LITERAL("inspector"));
-      break;
-    case chrome::DIR_THEMES:
-      if (!PathService::Get(chrome::DIR_APP, &cur))
-        return false;
-      cur = cur.Append(FILE_PATH_LITERAL("themes"));
-      create_dir = true;
-      break;
-    case chrome::DIR_LOCALES:
-      if (!PathService::Get(chrome::DIR_APP, &cur))
-        return false;
-#if defined(OS_MACOSX)
-      // On Mac, locale files are in Contents/Resources, a sibling of the
-      // App dir.
-      cur = cur.DirName();
-      cur = cur.Append(FILE_PATH_LITERAL("Resources"));
-#else
-      cur = cur.Append(FILE_PATH_LITERAL("locales"));
-#endif
-      create_dir = true;
-      break;
-    case chrome::DIR_APP_DICTIONARIES:
-#if defined(OS_LINUX)
-      // We can't write into the EXE dir on Linux, so keep dictionaries
-      // alongside the safe browsing database in the user data dir.
-      if (!PathService::Get(chrome::DIR_USER_DATA, &cur))
-        return false;
-#else
-      if (!PathService::Get(base::DIR_EXE, &cur))
-        return false;
-#endif
-      cur = cur.Append(FILE_PATH_LITERAL("Dictionaries"));
-      create_dir = true;
-      break;
-    case chrome::FILE_LOCAL_STATE:
-      if (!PathService::Get(chrome::DIR_USER_DATA, &cur))
-        return false;
-#ifdef CHROMIUM_MOZILLA_BUILD
-      cur = cur.Append(FILE_PATH_LITERAL("Local State"));
-#else
-      cur = cur.Append(chrome::kLocalStateFilename);
-#endif
-      break;
-    case chrome::FILE_RECORDED_SCRIPT:
-      if (!PathService::Get(chrome::DIR_USER_DATA, &cur))
-        return false;
-      cur = cur.Append(FILE_PATH_LITERAL("script.log"));
-      break;
-    case chrome::FILE_GEARS_PLUGIN:
-      if (!GetGearsPluginPathFromCommandLine(&cur)) {
-#if defined(OS_WIN)
-        // Search for gears.dll alongside chrome.dll first.  This new model
-        // allows us to package gears.dll with the Chrome installer and update
-        // it while Chrome is running.
-        if (!PathService::Get(base::DIR_MODULE, &cur))
-          return false;
-        cur = cur.Append(FILE_PATH_LITERAL("gears.dll"));
-
-        if (!file_util::PathExists(cur)) {
-          if (!PathService::Get(base::DIR_EXE, &cur))
-            return false;
-          cur = cur.Append(FILE_PATH_LITERAL("plugins"));
-          cur = cur.Append(FILE_PATH_LITERAL("gears"));
-          cur = cur.Append(FILE_PATH_LITERAL("gears.dll"));
-        }
-#else
-        // No gears.dll on non-Windows systems.
-        return false;
-#endif
-      }
-      break;
-    // The following are only valid in the development environment, and
-    // will fail if executed from an installed executable (because the
-    // generated path won't exist).
-    case chrome::DIR_TEST_DATA:
-      if (!PathService::Get(base::DIR_SOURCE_ROOT, &cur))
-        return false;
-      cur = cur.Append(FILE_PATH_LITERAL("chrome"));
-      cur = cur.Append(FILE_PATH_LITERAL("test"));
-      cur = cur.Append(FILE_PATH_LITERAL("data"));
-      if (!file_util::PathExists(cur))  // we don't want to create this
-        return false;
-      break;
-    case chrome::DIR_TEST_TOOLS:
-      if (!PathService::Get(base::DIR_SOURCE_ROOT, &cur))
-        return false;
-      cur = cur.Append(FILE_PATH_LITERAL("chrome"));
-      cur = cur.Append(FILE_PATH_LITERAL("tools"));
-      cur = cur.Append(FILE_PATH_LITERAL("test"));
-      if (!file_util::PathExists(cur))  // we don't want to create this
-        return false;
-      break;
-    case chrome::FILE_PYTHON_RUNTIME:
-      if (!PathService::Get(base::DIR_SOURCE_ROOT, &cur))
-        return false;
-      cur = cur.Append(FILE_PATH_LITERAL("third_party"));
-      cur = cur.Append(FILE_PATH_LITERAL("python_24"));
-      cur = cur.Append(FILE_PATH_LITERAL("python.exe"));
-      if (!file_util::PathExists(cur))  // we don't want to create this
-        return false;
-      break;
-    case chrome::FILE_TEST_SERVER:
-      if (!PathService::Get(base::DIR_SOURCE_ROOT, &cur))
-        return false;
-      cur = cur.Append(FILE_PATH_LITERAL("net"));
-      cur = cur.Append(FILE_PATH_LITERAL("tools"));
-      cur = cur.Append(FILE_PATH_LITERAL("test"));
-      cur = cur.Append(FILE_PATH_LITERAL("testserver"));
-      cur = cur.Append(FILE_PATH_LITERAL("testserver.py"));
-      if (!file_util::PathExists(cur))  // we don't want to create this
-        return false;
-      break;
-    default:
-      return false;
-  }
-
-  if (create_dir && !file_util::PathExists(cur) &&
-      !file_util::CreateDirectory(cur))
-    return false;
-
-  *result = cur;
-#endif
   return true;
 }
 
diff --git a/ipc/chromium/src/chrome/common/chrome_paths_linux.cc b/ipc/chromium/src/chrome/common/chrome_paths_linux.cc
index 8737d89f408..7426a5fd119 100644
--- a/ipc/chromium/src/chrome/common/chrome_paths_linux.cc
+++ b/ipc/chromium/src/chrome/common/chrome_paths_linux.cc
@@ -9,9 +9,6 @@
 
 #include "base/file_path.h"
 #include "base/path_service.h"
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "chrome/third_party/xdg_user_dirs/xdg_user_dir_lookup.h"
-#endif // ifndef CHROMIUM_MOZILLA_BUILD
 
 namespace {
 
@@ -36,14 +33,6 @@ FilePath GetHomeDir() {
 // Wrapper around xdg_user_dir_lookup() from
 // src/chrome/third_party/xdg-user-dirs
 FilePath GetXDGUserDirectory(const char* env_name, const char* fallback_dir) {
-#ifndef CHROMIUM_MOZILLA_BUILD
-  char* xdg_dir = xdg_user_dir_lookup(env_name);
-  if (xdg_dir) {
-    FilePath rv(xdg_dir);
-    free(xdg_dir);
-    return rv;
-  }
-#endif // ifndef CHROMIUM_MOZILLA_BUILD
   return GetHomeDir().Append(fallback_dir);
 }
 
diff --git a/ipc/chromium/src/chrome/common/env_vars.h b/ipc/chromium/src/chrome/common/env_vars.h
index 9252e114406..ebfd2ee870d 100644
--- a/ipc/chromium/src/chrome/common/env_vars.h
+++ b/ipc/chromium/src/chrome/common/env_vars.h
@@ -7,7 +7,7 @@
 #ifndef CHROME_COMMON_ENV_VARS_H__
 #define CHROME_COMMON_ENV_VARS_H__
 
-#if defined(CHROMIUM_MOZILLA_BUILD) && defined(COMPILER_MSVC)
+#if defined(COMPILER_MSVC)
 #include <string.h>
 #endif
 
diff --git a/ipc/chromium/src/chrome/common/ipc_channel.h b/ipc/chromium/src/chrome/common/ipc_channel.h
index 4932578fdfe..cdf81581ad7 100644
--- a/ipc/chromium/src/chrome/common/ipc_channel.h
+++ b/ipc/chromium/src/chrome/common/ipc_channel.h
@@ -59,7 +59,6 @@ class Channel : public Message::Sender {
   //
   Channel(const std::wstring& channel_id, Mode mode, Listener* listener);
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
   // XXX it would nice not to have yet more platform-specific code in
   // here but it's just not worth the trouble.
 # if defined(OS_POSIX)
@@ -71,7 +70,6 @@ class Channel : public Message::Sender {
   Channel(const std::wstring& channel_id, void* server_pipe,
 	  Mode mode, Listener* listener);
 # endif
-#endif
 
   ~Channel();
 
@@ -86,11 +84,7 @@ class Channel : public Message::Sender {
   void Close();
 
   // Modify the Channel's listener.
-#ifdef CHROMIUM_MOZILLA_BUILD
   Listener* set_listener(Listener* listener);
-#else
-  void set_listener(Listener* listener);
-#endif
 
   // Send a message over the Channel to the listener on the other end.
   //
@@ -114,15 +108,11 @@ class Channel : public Message::Sender {
   // socketpair() in which case this method returns -1 for both parameters.
   void GetClientFileDescriptorMapping(int *src_fd, int *dest_fd) const;
 
-# if defined(CHROMIUM_MOZILLA_BUILD)
   // Return the server side of the socketpair.
   int GetServerFileDescriptor() const;
-# endif
 #elif defined(OS_WIN)
-# if defined(CHROMIUM_MOZILLA_BUILD)
   // Return the server pipe handle.
   void* GetServerPipeHandle() const;
-# endif
 #endif  // defined(OS_POSIX)
 
  private:
diff --git a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
index 14a12a05c7f..15a0e2e7f8d 100644
--- a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
+++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
@@ -238,7 +238,6 @@ bool ClientConnectToFifo(const std::string &pipe_name, int* client_socket) {
   return true;
 }
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 bool SetCloseOnExec(int fd) {
   int flags = fcntl(fd, F_GETFD);
   if (flags == -1)
@@ -250,7 +249,6 @@ bool SetCloseOnExec(int fd) {
 
   return true;
 }
-#endif
 
 }  // namespace
 //------------------------------------------------------------------------------
@@ -327,14 +325,12 @@ bool Channel::ChannelImpl::CreatePipe(const std::wstring& channel_id,
         return false;
       }
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
       if (!SetCloseOnExec(pipe_fds[0]) ||
           !SetCloseOnExec(pipe_fds[1])) {
         HANDLE_EINTR(close(pipe_fds[0]));
         HANDLE_EINTR(close(pipe_fds[1]));
         return false;
       }
-#endif
 
       pipe_ = pipe_fds[0];
       client_pipe_ = pipe_fds[1];
@@ -688,9 +684,6 @@ bool Channel::ChannelImpl::ProcessOutgoingMessages() {
 }
 
 bool Channel::ChannelImpl::Send(Message* message) {
-#ifndef CHROMIUM_MOZILLA_BUILD
-  chrome::Counters::ipc_send_counter().Increment();
-#endif
 #ifdef IPC_MESSAGE_DEBUG_EXTRA
   DLOG(INFO) << "sending message @" << message << " on channel @" << this
              << " with type " << message->type()
@@ -824,11 +817,9 @@ Channel::Channel(const std::wstring& channel_id, Mode mode,
     : channel_impl_(new ChannelImpl(channel_id, mode, listener)) {
 }
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 Channel::Channel(int fd, Mode mode, Listener* listener)
     : channel_impl_(new ChannelImpl(fd, mode, listener)) {
 }
-#endif
 
 Channel::~Channel() {
   delete channel_impl_;
@@ -842,15 +833,9 @@ void Channel::Close() {
   channel_impl_->Close();
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 Channel::Listener* Channel::set_listener(Listener* listener) {
   return channel_impl_->set_listener(listener);
 }
-#else
-void Channel::set_listener(Listener* listener) {
-  channel_impl_->set_listener(listener);
-}
-#endif
 
 bool Channel::Send(Message* message) {
   return channel_impl_->Send(message);
@@ -860,10 +845,8 @@ void Channel::GetClientFileDescriptorMapping(int *src_fd, int *dest_fd) const {
   return channel_impl_->GetClientFileDescriptorMapping(src_fd, dest_fd);
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 int Channel::GetServerFileDescriptor() const {
   return channel_impl_->GetServerFileDescriptor();
 }
-#endif
 
 }  // namespace IPC
diff --git a/ipc/chromium/src/chrome/common/ipc_channel_posix.h b/ipc/chromium/src/chrome/common/ipc_channel_posix.h
index 4fd14670e21..dc21a113ede 100644
--- a/ipc/chromium/src/chrome/common/ipc_channel_posix.h
+++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.h
@@ -28,23 +28,17 @@ class Channel::ChannelImpl : public MessageLoopForIO::Watcher {
   ~ChannelImpl() { Close(); }
   bool Connect();
   void Close();
-#ifdef CHROMIUM_MOZILLA_BUILD
   Listener* set_listener(Listener* listener) {
     Listener* old = listener_;
     listener_ = listener;
     return old;
   }
-#else
-  void set_listener(Listener* listener) { listener_ = listener; }
-#endif
   bool Send(Message* message);
   void GetClientFileDescriptorMapping(int *src_fd, int *dest_fd) const;
-#ifdef CHROMIUM_MOZILLA_BUILD
   int GetServerFileDescriptor() const {
     DCHECK(mode_ == MODE_SERVER);
     return pipe_;
   }
-#endif
 
  private:
   void Init(Mode mode, Listener* listener);
diff --git a/ipc/chromium/src/chrome/common/ipc_channel_win.cc b/ipc/chromium/src/chrome/common/ipc_channel_win.cc
index 6a1edfff9c6..85ad6b42db3 100644
--- a/ipc/chromium/src/chrome/common/ipc_channel_win.cc
+++ b/ipc/chromium/src/chrome/common/ipc_channel_win.cc
@@ -45,7 +45,6 @@ Channel::ChannelImpl::ChannelImpl(const std::wstring& channel_id, Mode mode,
   }
 }
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
 Channel::ChannelImpl::ChannelImpl(const std::wstring& channel_id,
                                   HANDLE server_pipe,
                                   Mode mode, Listener* listener)
@@ -74,7 +73,6 @@ void Channel::ChannelImpl::Init(Mode mode, Listener* listener) {
 HANDLE Channel::ChannelImpl::GetServerPipeHandle() const {
   return pipe_;
 }
-#endif
 
 void Channel::ChannelImpl::Close() {
   if (thread_check_.get()) {
@@ -94,19 +92,10 @@ void Channel::ChannelImpl::Close() {
     pipe_ = INVALID_HANDLE_VALUE;
   }
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-  // Make sure all IO has completed.
-  base::Time start = base::Time::Now();
-#endif
   while (input_state_.is_pending || output_state_.is_pending) {
     MessageLoopForIO::current()->WaitForIOCompletion(INFINITE, this);
   }
-#ifndef CHROMIUM_MOZILLA_BUILD
-  if (waited) {
-    // We want to see if we block the message loop for too long.
-    UMA_HISTOGRAM_TIMES("AsyncIO.IPCChannelClose", base::Time::Now() - start);
-  }
-#endif
+
   while (!output_queue_.empty()) {
     Message* m = output_queue_.front();
     output_queue_.pop();
@@ -211,10 +200,6 @@ bool Channel::ChannelImpl::EnqueueHelloMessage() {
 }
 
 bool Channel::ChannelImpl::Connect() {
-#ifndef CHROMIUM_MOZILLA_BUILD
-  DLOG(WARNING) << "Connect called twice";
-#endif
-
   if (!thread_check_.get())
     thread_check_.reset(new NonThreadSafe());
 
@@ -459,12 +444,10 @@ Channel::Channel(const std::wstring& channel_id, Mode mode,
     : channel_impl_(new ChannelImpl(channel_id, mode, listener)) {
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 Channel::Channel(const std::wstring& channel_id, void* server_pipe,
                  Mode mode, Listener* listener)
    : channel_impl_(new ChannelImpl(channel_id, server_pipe, mode, listener)) {
 }
-#endif
 
 Channel::~Channel() {
   delete channel_impl_;
@@ -478,7 +461,6 @@ void Channel::Close() {
   channel_impl_->Close();
 }
 
-#ifdef CHROMIUM_MOZILLA_BUILD
 void* Channel::GetServerPipeHandle() const {
   return channel_impl_->GetServerPipeHandle();
 }
@@ -486,11 +468,6 @@ void* Channel::GetServerPipeHandle() const {
 Channel::Listener* Channel::set_listener(Listener* listener) {
   return channel_impl_->set_listener(listener);
 }
-#else
-void Channel::set_listener(Listener* listener) {
-  channel_impl_->set_listener(listener);
-}
-#endif
 
 bool Channel::Send(Message* message) {
   return channel_impl_->Send(message);
diff --git a/ipc/chromium/src/chrome/common/ipc_channel_win.h b/ipc/chromium/src/chrome/common/ipc_channel_win.h
index 398d5aff0c5..7593d5c4fd8 100644
--- a/ipc/chromium/src/chrome/common/ipc_channel_win.h
+++ b/ipc/chromium/src/chrome/common/ipc_channel_win.h
@@ -29,17 +29,12 @@ class Channel::ChannelImpl : public MessageLoopForIO::IOHandler {
   }
   bool Connect();
   void Close();
-#ifdef CHROMIUM_MOZILLA_BUILD
   HANDLE GetServerPipeHandle() const;
-
   Listener* set_listener(Listener* listener) {
     Listener* old = listener_;
     listener_ = listener;
     return old;
   }
-#else
-  void set_listener(Listener* listener) { listener_ = listener; }
-#endif
   bool Send(Message* message);
  private:
   void Init(Mode mode, Listener* listener);
diff --git a/ipc/chromium/src/chrome/common/ipc_logging.cc b/ipc/chromium/src/chrome/common/ipc_logging.cc
index e3c84881953..4a198aa90f2 100644
--- a/ipc/chromium/src/chrome/common/ipc_logging.cc
+++ b/ipc/chromium/src/chrome/common/ipc_logging.cc
@@ -23,21 +23,6 @@
 #include "chrome/common/ipc_sync_message.h"
 #include "chrome/common/ipc_message_utils.h"
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-// This include list should contain all _messages.h header files so that they
-// can get *MsgLog function etc. This makes ipc logs much more informative.
-#include "chrome/common/render_messages.h"
-#include "chrome/test/automation/automation_messages.h"
-
-#if defined(OS_WIN)
-// Pulling this file in Mac/Linux causes a lot of binaries to need to bring in
-// WebKit and all the dependencies, which results in a very large number of
-// linker errors.
-#include "chrome/common/plugin_messages.h"
-#endif
-
-#endif
-
 #if defined(OS_POSIX)
 #include "base/string_util.h"
 #include <unistd.h>
@@ -101,10 +86,6 @@ Logging::Logging()
       CreateEvent(NULL, TRUE, FALSE, event_name.c_str())));
 
   RegisterWaitForEvent(true);
-#elif (!defined(CHROMIUM_MOZILLA_BUILD) && defined(OS_POSIX))
-  if (getenv("CHROME_IPC_LOGGING"))
-    enabled_ = true;
-  SetLoggerFunctions(g_log_function_mapping);
 #endif
 
   MessageLoop::current()->AddDestructionObserver(this);
diff --git a/ipc/chromium/src/chrome/common/ipc_message.cc b/ipc/chromium/src/chrome/common/ipc_message.cc
index ebde76d5408..65db523526e 100644
--- a/ipc/chromium/src/chrome/common/ipc_message.cc
+++ b/ipc/chromium/src/chrome/common/ipc_message.cc
@@ -27,12 +27,8 @@ Message::Message()
   InitLoggingVariables();
 }
 
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-Message::Message(int32 routing_id, msgid_t type, PriorityValue priority)
-#else
 Message::Message(int32 routing_id, msgid_t type, PriorityValue priority,
                  const char* const name)
-#endif
     : Pickle(sizeof(Header)) {
   header()->routing = routing_id;
   header()->type = type;
@@ -40,14 +36,10 @@ Message::Message(int32 routing_id, msgid_t type, PriorityValue priority,
 #if defined(OS_POSIX)
   header()->num_fds = 0;
 #endif
-#if defined(CHROMIUM_MOZILLA_BUILD)
   header()->rpc_remote_stack_depth_guess = static_cast<uint32>(-1);
   header()->rpc_local_stack_depth = static_cast<uint32>(-1);
   header()->seqno = 0;
   InitLoggingVariables(name);
-#else
-  InitLoggingVariables();
-#endif
 }
 
 Message::Message(const char* data, int data_len) : Pickle(data, data_len) {
@@ -55,22 +47,14 @@ Message::Message(const char* data, int data_len) : Pickle(data, data_len) {
 }
 
 Message::Message(const Message& other) : Pickle(other) {
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  InitLoggingVariables();
-#else
   InitLoggingVariables(other.name_);
-#endif
 #if defined(OS_POSIX)
   file_descriptor_set_ = other.file_descriptor_set_;
 #endif
 }
 
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-void Message::InitLoggingVariables() {
-#else
 void Message::InitLoggingVariables(const char* const name) {
   name_ = name;
-#endif
 #ifdef IPC_MESSAGE_LOG_ENABLED
   received_time_ = 0;
   dont_log_ = false;
@@ -80,9 +64,7 @@ void Message::InitLoggingVariables(const char* const name) {
 
 Message& Message::operator=(const Message& other) {
   *static_cast<Pickle*>(this) = other;
-#if defined(CHROMIUM_MOZILLA_BUILD)
   InitLoggingVariables(other.name_);
-#endif
 #if defined(OS_POSIX)
   file_descriptor_set_ = other.file_descriptor_set_;
 #endif
diff --git a/ipc/chromium/src/chrome/common/ipc_message.h b/ipc/chromium/src/chrome/common/ipc_message.h
index 5cff4742d22..b8c51503609 100644
--- a/ipc/chromium/src/chrome/common/ipc_message.h
+++ b/ipc/chromium/src/chrome/common/ipc_message.h
@@ -18,10 +18,6 @@
 #include "base/ref_counted.h"
 #endif
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
-#define IPC_MESSAGE_ENABLE_RPC
-#endif
-
 namespace base {
 class FileDescriptor;
 }
@@ -38,11 +34,7 @@ struct LogData;
 
 class Message : public Pickle {
  public:
-#if defined(CHROMIUM_MOZILLA_BUILD)
   typedef uint32 msgid_t;
-#else
-  typedef uint16 msgid_t;
-#endif
 
   // Implemented by objects that can send IPC messages across a channel.
   class Sender {
@@ -68,12 +60,8 @@ class Message : public Pickle {
 
   // Initialize a message with a user-defined type, priority value, and
   // destination WebView ID.
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  Message(int32 routing_id, msgid_t type, PriorityValue priority);
-#else
   Message(int32 routing_id, msgid_t type, PriorityValue priority,
           const char* const name="???");
-#endif
 
   // Initializes a message from a const block of data.  The data is not copied;
   // instead the data is merely referenced by this message.  Only const methods
@@ -92,12 +80,10 @@ class Message : public Pickle {
     return (header()->flags & SYNC_BIT) != 0;
   }
 
-#if defined(IPC_MESSAGE_ENABLE_RPC)
   // True if this is a synchronous message.
   bool is_rpc() const {
     return (header()->flags & RPC_BIT) != 0;
   }
-#endif
 
   // Set this on a reply to a synchronous message.
   void set_reply() {
@@ -151,7 +137,6 @@ class Message : public Pickle {
     header()->routing = new_id;
   }
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
   uint32 rpc_remote_stack_depth_guess() const {
     return header()->rpc_remote_stack_depth_guess;
   }
@@ -185,7 +170,6 @@ class Message : public Pickle {
   void set_name(const char* const name) {
     name_ = name;
   }
-#endif
 
   template<class T>
   static bool Dispatch(const Message* msg, T* obj, void (T::*func)()) {
@@ -254,9 +238,6 @@ class Message : public Pickle {
   bool dont_log() const { return dont_log_; }
 #endif
 
-#if !defined(CHROMIUM_MOZILLA_BUILD)
- protected:
-#endif
   friend class Channel;
   friend class MessageReplyDeserializer;
   friend class SyncMessage;
@@ -265,13 +246,11 @@ class Message : public Pickle {
     header()->flags |= SYNC_BIT;
   }
 
-#if defined(IPC_MESSAGE_ENABLE_RPC)
   void set_rpc() {
     header()->flags |= RPC_BIT;
   }
-#endif
 
-#if defined(CHROMIUM_MOZILLA_BUILD) && !defined(OS_MACOSX)
+#if !defined(OS_MACOSX)
  protected:
 #endif
 
@@ -284,31 +263,23 @@ class Message : public Pickle {
     UNBLOCK_BIT     = 0x0020,
     PUMPING_MSGS_BIT= 0x0040,
     HAS_SENT_TIME_BIT = 0x0080,
-#if defined(IPC_MESSAGE_ENABLE_RPC)
     RPC_BIT        = 0x0100,
-#endif
   };
 
 #pragma pack(push, 2)
   struct Header : Pickle::Header {
     int32 routing;  // ID of the view that this message is destined for
     msgid_t type;   // specifies the user-defined message type
-#if defined(CHROMIUM_MOZILLA_BUILD)
     uint32 flags;   // specifies control flags for the message
-#else
-    uint16 flags;   // specifies control flags for the message
-#endif
 #if defined(OS_POSIX)
     uint32 num_fds; // the number of descriptors included with this message
 #endif
-#if defined(CHROMIUM_MOZILLA_BUILD)
     // For RPC messages, a guess at what the *other* side's stack depth is.
     uint32 rpc_remote_stack_depth_guess;
     // The actual local stack depth.
     uint32 rpc_local_stack_depth;
     // Sequence number
     int32 seqno;
-#endif
   };
 #pragma pack(pop)
 
@@ -319,11 +290,7 @@ class Message : public Pickle {
     return headerT<Header>();
   }
 
-#if !defined(CHROMIUM_MOZILLA_BUILD)
-  void InitLoggingVariables();
-#else
   void InitLoggingVariables(const char* const name="???");
-#endif
 
 #if defined(OS_POSIX)
   // The set of file descriptors associated with this message.
@@ -341,9 +308,7 @@ class Message : public Pickle {
   }
 #endif
 
-#if defined(CHROMIUM_MOZILLA_BUILD)
   const char* name_;
-#endif
 
 #ifdef IPC_MESSAGE_LOG_ENABLED
   // Used for logging.
diff --git a/ipc/chromium/src/chrome/common/ipc_message_macros.h b/ipc/chromium/src/chrome/common/ipc_message_macros.h
index 1935ea366b5..c05b31eb3c0 100644
--- a/ipc/chromium/src/chrome/common/ipc_message_macros.h
+++ b/ipc/chromium/src/chrome/common/ipc_message_macros.h
@@ -40,12 +40,7 @@
 //     ViewHostMsg_SyncMessageName::WriteReplyParams(reply_msg, out1, out2);
 //     Send(reply_msg);
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "IPC/IPCMessageUtils.h"
-#else
 #include "chrome/common/ipc_message_utils.h"
-#endif
-
 
 #ifndef MESSAGES_INTERNAL_FILE
 #error This file should only be included by X_messages.h, which needs to define MESSAGES_INTERNAL_FILE first.
diff --git a/ipc/chromium/src/chrome/common/ipc_message_utils.cc b/ipc/chromium/src/chrome/common/ipc_message_utils.cc
index 2ea2d3165b8..bba016fe665 100644
--- a/ipc/chromium/src/chrome/common/ipc_message_utils.cc
+++ b/ipc/chromium/src/chrome/common/ipc_message_utils.cc
@@ -5,15 +5,9 @@
 #include "chrome/common/ipc_message_utils.h"
 
 #include "base/gfx/rect.h"
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "googleurl/src/gurl.h"
-#endif
 #ifndef EXCLUDE_SKIA_DEPENDENCIES
 #include "SkBitmap.h"
 #endif
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "webkit/glue/dom_operations.h"
-#endif
 
 namespace IPC {
 
@@ -100,132 +94,4 @@ void ParamTraits<SkBitmap>::Log(const SkBitmap& p, std::wstring* l) {
 
 #endif  // EXCLUDE_SKIA_DEPENDENCIES
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-void ParamTraits<GURL>::Write(Message* m, const GURL& p) {
-  m->WriteString(p.possibly_invalid_spec());
-  // TODO(brettw) bug 684583: Add encoding for query params.
-}
-
-bool ParamTraits<GURL>::Read(const Message* m, void** iter, GURL* p) {
-  std::string s;
-  if (!m->ReadString(iter, &s)) {
-    *p = GURL();
-    return false;
-  }
-  *p = GURL(s);
-  return true;
-}
-
-void ParamTraits<GURL>::Log(const GURL& p, std::wstring* l) {
-  l->append(UTF8ToWide(p.spec()));
-}
-
-void ParamTraits<gfx::Point>::Write(Message* m, const gfx::Point& p) {
-  m->WriteInt(p.x());
-  m->WriteInt(p.y());
-}
-
-bool ParamTraits<gfx::Point>::Read(const Message* m, void** iter,
-                                   gfx::Point* r) {
-  int x, y;
-  if (!m->ReadInt(iter, &x) ||
-      !m->ReadInt(iter, &y))
-    return false;
-  r->set_x(x);
-  r->set_y(y);
-  return true;
-}
-
-void ParamTraits<gfx::Point>::Log(const gfx::Point& p, std::wstring* l) {
-  l->append(StringPrintf(L"(%d, %d)", p.x(), p.y()));
-}
-
-
-void ParamTraits<gfx::Rect>::Write(Message* m, const gfx::Rect& p) {
-  m->WriteInt(p.x());
-  m->WriteInt(p.y());
-  m->WriteInt(p.width());
-  m->WriteInt(p.height());
-}
-
-bool ParamTraits<gfx::Rect>::Read(const Message* m, void** iter, gfx::Rect* r) {
-  int x, y, w, h;
-  if (!m->ReadInt(iter, &x) ||
-      !m->ReadInt(iter, &y) ||
-      !m->ReadInt(iter, &w) ||
-      !m->ReadInt(iter, &h))
-    return false;
-  r->set_x(x);
-  r->set_y(y);
-  r->set_width(w);
-  r->set_height(h);
-  return true;
-}
-
-void ParamTraits<gfx::Rect>::Log(const gfx::Rect& p, std::wstring* l) {
-  l->append(StringPrintf(L"(%d, %d, %d, %d)", p.x(), p.y(),
-                         p.width(), p.height()));
-}
-
-
-void ParamTraits<gfx::Size>::Write(Message* m, const gfx::Size& p) {
-  m->WriteInt(p.width());
-  m->WriteInt(p.height());
-}
-
-bool ParamTraits<gfx::Size>::Read(const Message* m, void** iter, gfx::Size* r) {
-  int w, h;
-  if (!m->ReadInt(iter, &w) ||
-      !m->ReadInt(iter, &h))
-    return false;
-  r->set_width(w);
-  r->set_height(h);
-  return true;
-}
-
-void ParamTraits<gfx::Size>::Log(const gfx::Size& p, std::wstring* l) {
-  l->append(StringPrintf(L"(%d, %d)", p.width(), p.height()));
-}
-
-void ParamTraits<webkit_glue::WebApplicationInfo>::Write(
-    Message* m, const webkit_glue::WebApplicationInfo& p) {
-  WriteParam(m, p.title);
-  WriteParam(m, p.description);
-  WriteParam(m, p.app_url);
-  WriteParam(m, p.icons.size());
-  for (size_t i = 0; i < p.icons.size(); ++i) {
-    WriteParam(m, p.icons[i].url);
-    WriteParam(m, p.icons[i].width);
-    WriteParam(m, p.icons[i].height);
-  }
-}
-
-bool ParamTraits<webkit_glue::WebApplicationInfo>::Read(
-    const Message* m, void** iter, webkit_glue::WebApplicationInfo* r) {
-  size_t icon_count;
-  bool result =
-    ReadParam(m, iter, &r->title) &&
-    ReadParam(m, iter, &r->description) &&
-    ReadParam(m, iter, &r->app_url) &&
-    ReadParam(m, iter, &icon_count);
-  if (!result)
-    return false;
-  for (size_t i = 0; i < icon_count && result; ++i) {
-    param_type::IconInfo icon_info;
-    result =
-        ReadParam(m, iter, &icon_info.url) &&
-        ReadParam(m, iter, &icon_info.width) &&
-        ReadParam(m, iter, &icon_info.height);
-    r->icons.push_back(icon_info);
-  }
-  return result;
-}
-
-void ParamTraits<webkit_glue::WebApplicationInfo>::Log(
-    const webkit_glue::WebApplicationInfo& p, std::wstring* l) {
-  l->append(L"<WebApplicationInfo>");
-}
-
-#endif // CHROMIUM_MOZILLA_BUILD
-
 }  // namespace IPC
diff --git a/ipc/chromium/src/chrome/common/ipc_message_utils.h b/ipc/chromium/src/chrome/common/ipc_message_utils.h
index 3c50df9f0f0..9154b2fc6ae 100644
--- a/ipc/chromium/src/chrome/common/ipc_message_utils.h
+++ b/ipc/chromium/src/chrome/common/ipc_message_utils.h
@@ -20,56 +20,6 @@
 #include "chrome/common/ipc_sync_message.h"
 #include "chrome/common/thumbnail_score.h"
 #include "chrome/common/transport_dib.h"
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "webkit/glue/webcursor.h"
-#include "webkit/glue/window_open_disposition.h"
-
-// Forward declarations.
-class GURL;
-class SkBitmap;
-
-namespace gfx {
-class Point;
-class Rect;
-class Size;
-}  // namespace gfx
-
-namespace webkit_glue {
-struct WebApplicationInfo;
-}  // namespace webkit_glue
-
-// Used by IPC_BEGIN_MESSAGES so that each message class starts from a unique
-// base.  Messages have unique IDs across channels in order for the IPC logging
-// code to figure out the message class from its ID.
-enum IPCMessageStart {
-  // By using a start value of 0 for automation messages, we keep backward
-  // compatibility with old builds.
-  AutomationMsgStart = 0,
-  ViewMsgStart,
-  ViewHostMsgStart,
-  PluginProcessMsgStart,
-  PluginProcessHostMsgStart,
-  PluginMsgStart,
-  PluginHostMsgStart,
-  NPObjectMsgStart,
-  TestMsgStart,
-  DevToolsAgentMsgStart,
-  DevToolsClientMsgStart,
-  WorkerProcessMsgStart,
-  WorkerProcessHostMsgStart,
-  WorkerMsgStart,
-  WorkerHostMsgStart,
-  // NOTE: When you add a new message class, also update
-  // IPCStatusView::IPCStatusView to ensure logging works.
-  // NOTE: this enum is used by IPC_MESSAGE_MACRO to generate a unique message
-  // id.  Only 4 bits are used for the message type, so if this enum needs more
-  // than 16 entries, that code needs to be updated.
-  LastMsgIndex
-};
-
-COMPILE_ASSERT(LastMsgIndex <= 16, need_to_update_IPC_MESSAGE_MACRO);
-
-#endif /* CHROMIUM_MOZILLA_BUILD */
 
 namespace IPC {
 
@@ -219,7 +169,7 @@ struct ParamTraits<unsigned long> {
   }
 };
 
-#if !(defined(OS_MACOSX) || defined(OS_WIN) || (defined(CHROMIUM_MOZILLA_BUILD) && defined(OS_LINUX) && defined(ARCH_CPU_64_BITS)))
+#if !(defined(OS_MACOSX) || defined(OS_WIN) || (defined(OS_LINUX) && defined(ARCH_CPU_64_BITS)))
 // There size_t is a synonym for |unsigned long| ...
 template <>
 struct ParamTraits<size_t> {
@@ -272,7 +222,7 @@ struct ParamTraits<uint32> {
 };
 #endif  // defined(OS_MACOSX)
 
-#if !(defined(CHROMIUM_MOZILLA_BUILD) && defined(OS_LINUX) && defined(ARCH_CPU_64_BITS))
+#if !(defined(OS_LINUX) && defined(ARCH_CPU_64_BITS))
 // int64 is |long int| on 64-bit systems, uint64 is |unsigned long|
 template <>
 struct ParamTraits<int64> {
@@ -284,11 +234,7 @@ struct ParamTraits<int64> {
     return m->ReadInt64(iter, r);
   }
   static void Log(const param_type& p, std::wstring* l) {
-#ifndef CHROMIUM_MOZILLA_BUILD
-    l->append(StringPrintf(L"%I64d", p));
-#else
     l->append(StringPrintf(L"%" PRId64L, p));
-#endif // ifndef CHROMIUM_MOZILLA_BUILD
   }
 };
 
@@ -302,14 +248,10 @@ struct ParamTraits<uint64> {
     return m->ReadInt64(iter, reinterpret_cast<int64*>(r));
   }
   static void Log(const param_type& p, std::wstring* l) {
-#ifndef CHROMIUM_MOZILLA_BUILD
-    l->append(StringPrintf(L"%I64u", p));
-#else
     l->append(StringPrintf(L"%" PRIu64L, p));
-#endif // ifndef CHROMIUM_MOZILLA_BUILD
   }
 };
-#endif // if !(defined(CHROMIUM_MOZILLA_BUILD) && defined(OS_LINUX) && defined(ARCH_CPU_64_BITS))
+#endif // if !(defined(OS_LINUX) && defined(ARCH_CPU_64_BITS))
 
 template <>
 struct ParamTraits<double> {
@@ -335,32 +277,6 @@ struct ParamTraits<double> {
   }
 };
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-template <>
-struct ParamTraits<wchar_t> {
-  typedef wchar_t param_type;
-  static void Write(Message* m, const param_type& p) {
-    m->WriteData(reinterpret_cast<const char*>(&p), sizeof(param_type));
-  }
-  static bool Read(const Message* m, void** iter, param_type* r) {
-    const char *data;
-    int data_size = 0;
-    bool result = m->ReadData(iter, &data, &data_size);
-    if (result && data_size == sizeof(param_type)) {
-      memcpy(r, data, sizeof(param_type));
-    } else {
-      result = false;
-      NOTREACHED();
-    }
-
-    return result;
-  }
-  static void Log(const param_type& p, std::wstring* l) {
-    l->append(StringPrintf(L"%lc", p));
-  }
-};
-#endif /* CHROMIUM_MOZILLA_BUILD */
-
 template <>
 struct ParamTraits<base::Time> {
   typedef base::Time param_type;
@@ -426,20 +342,6 @@ struct ParamTraits<MSG> {
 };
 #endif  // defined(OS_WIN)
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-template <>
-struct ParamTraits<SkBitmap> {
-  typedef SkBitmap param_type;
-  static void Write(Message* m, const param_type& p);
-
-  // Note: This function expects parameter |r| to be of type &SkBitmap since
-  // r->SetConfig() and r->SetPixels() are called.
-  static bool Read(const Message* m, void** iter, param_type* r);
-
-  static void Log(const param_type& p, std::wstring* l);
-};
-#endif /* CHROMIUM_MOZILLA_BUILD */
-
 template <>
 struct ParamTraits<std::string> {
   typedef std::string param_type;
@@ -609,16 +511,6 @@ struct ParamTraits<string16> {
 };
 #endif
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-template <>
-struct ParamTraits<GURL> {
-  typedef GURL param_type;
-  static void Write(Message* m, const param_type& p);
-  static bool Read(const Message* m, void** iter, param_type* p);
-  static void Log(const param_type& p, std::wstring* l);
-};
-#endif /* CHROMIUM_MOZILLA_BUILD */
-
 // and, a few more useful types...
 #if defined(OS_WIN)
 template <>
@@ -717,32 +609,6 @@ struct ParamTraits<FilePath> {
   }
 };
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-template <>
-struct ParamTraits<gfx::Point> {
-  typedef gfx::Point param_type;
-  static void Write(Message* m, const param_type& p);
-  static bool Read(const Message* m, void** iter, param_type* r);
-  static void Log(const param_type& p, std::wstring* l);
-};
-
-template <>
-struct ParamTraits<gfx::Rect> {
-  typedef gfx::Rect param_type;
-  static void Write(Message* m, const param_type& p);
-  static bool Read(const Message* m, void** iter, param_type* r);
-  static void Log(const param_type& p, std::wstring* l);
-};
-
-template <>
-struct ParamTraits<gfx::Size> {
-  typedef gfx::Size param_type;
-  static void Write(Message* m, const param_type& p);
-  static bool Read(const Message* m, void** iter, param_type* r);
-  static void Log(const param_type& p, std::wstring* l);
-};
-#endif /* CHROMIUM_MOZILLA_BUILD */
-
 #if defined(OS_POSIX)
 // FileDescriptors may be serialised over IPC channels on POSIX. On the
 // receiving side, the FileDescriptor is a valid duplicate of the file
@@ -825,25 +691,6 @@ struct ParamTraits<ThumbnailScore> {
   }
 };
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-template <>
-struct ParamTraits<WindowOpenDisposition> {
-  typedef WindowOpenDisposition param_type;
-  static void Write(Message* m, const param_type& p) {
-    m->WriteInt(p);
-  }
-  static bool Read(const Message* m, void** iter, param_type* r) {
-    int temp;
-    bool res = m->ReadInt(iter, &temp);
-    *r = static_cast<WindowOpenDisposition>(temp);
-    return res;
-  }
-  static void Log(const param_type& p, std::wstring* l) {
-    l->append(StringPrintf(L"%d", p));
-  }
-};
-#endif
-
 #if defined(OS_WIN)
 template <>
 struct ParamTraits<XFORM> {
@@ -870,22 +717,6 @@ struct ParamTraits<XFORM> {
 };
 #endif  // defined(OS_WIN)
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-template <>
-struct ParamTraits<WebCursor> {
-  typedef WebCursor param_type;
-  static void Write(Message* m, const param_type& p) {
-    p.Serialize(m);
-  }
-  static bool Read(const Message* m, void** iter, param_type* r) {
-    return r->Deserialize(m, iter);
-  }
-  static void Log(const param_type& p, std::wstring* l) {
-    l->append(L"<WebCursor>");
-  }
-};
-#endif
-
 struct LogData {
   std::wstring channel;
   int32 routing_id;
@@ -932,16 +763,6 @@ struct ParamTraits<LogData> {
   }
 };
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-template <>
-struct ParamTraits<webkit_glue::WebApplicationInfo> {
-  typedef webkit_glue::WebApplicationInfo param_type;
-  static void Write(Message* m, const param_type& p);
-  static bool Read(const Message* m, void** iter, param_type* r);
-  static void Log(const param_type& p, std::wstring* l);
-};
-#endif /* CHROMIUM_MOZILLA_BUILD */
-
 #if defined(OS_WIN)
 template<>
 struct ParamTraits<TransportDIB::Id> {
diff --git a/ipc/chromium/src/chrome/common/message_router.cc b/ipc/chromium/src/chrome/common/message_router.cc
index f205291b062..4b0703e5bde 100644
--- a/ipc/chromium/src/chrome/common/message_router.cc
+++ b/ipc/chromium/src/chrome/common/message_router.cc
@@ -3,9 +3,6 @@
 // found in the LICENSE file.
 
 #include "chrome/common/message_router.h"
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "chrome/common/render_messages.h"
-#endif
 
 void MessageRouter::OnControlMessageReceived(const IPC::Message& msg) {
   NOTREACHED() <<
diff --git a/ipc/chromium/src/chrome/common/platform_util_mac.mm b/ipc/chromium/src/chrome/common/platform_util_mac.mm
index 1269a8634e8..2b63648b55c 100644
--- a/ipc/chromium/src/chrome/common/platform_util_mac.mm
+++ b/ipc/chromium/src/chrome/common/platform_util_mac.mm
@@ -6,16 +6,9 @@
 
 #import <Cocoa/Cocoa.h>
 
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "app/l10n_util.h"
-#endif
 #include "base/file_path.h"
 #include "base/logging.h"
 #include "base/sys_string_conversions.h"
-#ifndef CHROMIUM_MOZILLA_BUILD
-#include "chrome/browser/cocoa/tab_window_controller.h"
-#include "grit/generated_resources.h"
-#endif
 
 namespace platform_util {
 
@@ -30,22 +23,8 @@ gfx::NativeWindow GetTopLevel(gfx::NativeView view) {
 }
 
 string16 GetWindowTitle(gfx::NativeWindow window) {
-#ifdef CHROMIUM_MOZILLA_BUILD
   std::string str("Untitled");
   return string16(str.begin(), str.end());
-#else
-  NSString* title = nil;
-  if ([[window delegate] isKindOfClass:[TabWindowController class]])
-    title = [[window delegate] selectedTabTitle];
-  else
-    title = [window title];
-  // If we don't yet have a title, use "Untitled".
-  if (![title length])
-    return WideToUTF16(l10n_util::GetString(
-        IDS_BROWSER_WINDOW_MAC_TAB_UNTITLED));
-
-  return base::SysNSStringToUTF16(title);
-#endif
 }
 
 bool IsWindowActive(gfx::NativeWindow window) {
diff --git a/ipc/chromium/src/chrome/common/process_watcher.h b/ipc/chromium/src/chrome/common/process_watcher.h
index 8a86fc2150d..b4ea20e270a 100644
--- a/ipc/chromium/src/chrome/common/process_watcher.h
+++ b/ipc/chromium/src/chrome/common/process_watcher.h
@@ -24,9 +24,7 @@ class ProcessWatcher {
   // and SYNCHRONIZE permissions.
   //
   static void EnsureProcessTerminated(base::ProcessHandle process_handle
-#if defined(CHROMIUM_MOZILLA_BUILD)
                                       , bool force=true
-#endif
   );
 
  private:
diff --git a/ipc/chromium/src/chrome/common/process_watcher_win.cc b/ipc/chromium/src/chrome/common/process_watcher_win.cc
index 5c4fab42592..d4222ec162f 100644
--- a/ipc/chromium/src/chrome/common/process_watcher_win.cc
+++ b/ipc/chromium/src/chrome/common/process_watcher_win.cc
@@ -79,19 +79,15 @@ class TimerExpiredTask : public Task, public base::ObjectWatcher::Delegate {
 
 // static
 void ProcessWatcher::EnsureProcessTerminated(base::ProcessHandle process
-#ifdef CHROMIUM_MOZILLA_BUILD
 					     , bool force
-#endif
 ) {
   DCHECK(process != GetCurrentProcess());
 
-#ifdef CHROMIUM_MOZILLA_BUILD
   if (!force) {
     WaitForSingleObject(process, INFINITE);
     CloseHandle(process);
     return;
   }
-#endif
 
   // If already signaled, then we are done!
   if (WaitForSingleObject(process, 0) == WAIT_OBJECT_0) {
diff --git a/ipc/chromium/src/chrome/common/transport_dib_mac.cc b/ipc/chromium/src/chrome/common/transport_dib_mac.cc
index 7399b022f6c..9febfb3dc91 100644
--- a/ipc/chromium/src/chrome/common/transport_dib_mac.cc
+++ b/ipc/chromium/src/chrome/common/transport_dib_mac.cc
@@ -25,11 +25,7 @@ TransportDIB::~TransportDIB() {
 // static
 TransportDIB* TransportDIB::Create(size_t size, uint32 sequence_num) {
   TransportDIB* dib = new TransportDIB;
-#ifdef CHROMIUM_MOZILLA_BUILD
   if (!dib->shared_memory_.Create("", false /* read write */,
-#else
-  if (!dib->shared_memory_.Create(L"", false /* read write */,
-#endif
                                   false /* do not open existing */, size)) {
     delete dib;
     return NULL;
diff --git a/ipc/chromium/src/chrome/common/transport_dib_win.cc b/ipc/chromium/src/chrome/common/transport_dib_win.cc
index aea34491323..e32f0d0ef16 100644
--- a/ipc/chromium/src/chrome/common/transport_dib_win.cc
+++ b/ipc/chromium/src/chrome/common/transport_dib_win.cc
@@ -27,11 +27,7 @@ TransportDIB* TransportDIB::Create(size_t size, uint32 sequence_num) {
 
   TransportDIB* dib = new TransportDIB;
 
-#ifdef CHROMIUM_MOZILLA_BUILD
   if (!dib->shared_memory_.Create("", false /* read write */,
-#else
-  if (!dib->shared_memory_.Create(L"", false /* read write */,
-#endif
                                   true /* open existing */, size)) {
     delete dib;
     return NULL;
diff --git a/js/src/Makefile.in b/js/src/Makefile.in
index 4bfcdb7007e..391ff9f826a 100644
--- a/js/src/Makefile.in
+++ b/js/src/Makefile.in
@@ -77,6 +77,36 @@ GRE_MODULE	    = 1
 
 LIBS		= $(NSPR_LIBS) 
 
+ifdef GNU_CXX
+ifdef INTEL_CXX
+# icc gets special optimize flags
+ifdef MOZ_PROFILE_GENERATE
+MODULE_OPTIMIZE_FLAGS = -O0
+else
+MODULE_OPTIMIZE_FLAGS = -O2 -ip
+endif
+else # not INTEL_CXX
+
+MODULE_OPTIMIZE_FLAGS = -O3 -fstrict-aliasing -fno-stack-protector
+
+# We normally want -fomit-frame-pointer, but we want an explicit
+# -fno-omit-frame-pointer if we're using a sampling profiler.
+ifndef MOZ_PROFILING
+MODULE_OPTIMIZE_FLAGS += -fomit-frame-pointer
+else
+MODULE_OPTIMIZE_FLAGS += -fno-omit-frame-pointer
+endif
+
+endif
+else # not GNU_CXX
+ifeq ($(OS_ARCH),SunOS)
+MODULE_OPTIMIZE_FLAGS = -xO4
+endif
+ifeq ($(OS_ARCH),WINNT)
+MODULE_OPTIMIZE_FLAGS = -O2
+endif
+endif
+
 ifeq ($(OS_ARCH),WINNT)
 NO_PROFILE_GUIDED_OPTIMIZE = 1
 endif
@@ -408,6 +438,9 @@ else
 ###############################################
 # BEGIN include sources for the Nitro assembler
 #
+
+ENABLE_YARR_JIT = 1
+
 VPATH += 	$(srcdir)/assembler \
 		$(srcdir)/assembler/wtf \
 		$(srcdir)/assembler/jit \
@@ -1051,7 +1084,11 @@ endif
 # Needed to "configure" it correctly.  Unfortunately these
 # flags wind up being applied to all code in js/src, not just
 # the code in js/src/assembler.
-CXXFLAGS += -DUSE_SYSTEM_MALLOC=1 -DENABLE_ASSEMBLER=1 -DENABLE_JIT=1
+CXXFLAGS += -DUSE_SYSTEM_MALLOC=1 -DENABLE_ASSEMBLER=1
+
+ifneq (,$(ENABLE_YARR_JIT)$(ENABLE_TRACEJIT)$(ENABLE_METHODJIT))
+CXXFLAGS +=  -DENABLE_JIT=1
+endif
 
 INCLUDES +=	-I$(srcdir)/assembler -I$(srcdir)/yarr
 
diff --git a/js/src/assembler/wtf/Platform.h b/js/src/assembler/wtf/Platform.h
index e5d3a78ae2f..00f897143a1 100644
--- a/js/src/assembler/wtf/Platform.h
+++ b/js/src/assembler/wtf/Platform.h
@@ -1026,9 +1026,9 @@
 #define ENABLE_JIT 0
 #endif
 
-/* The JIT is enabled by default on all x86, x64-64, ARM & MIPS platforms. */
+/* The JIT is enabled by default on all x86, x64-64, ARM platforms. */
 #if !defined(ENABLE_JIT) \
-    && (WTF_CPU_X86 || WTF_CPU_X86_64 || WTF_CPU_ARM || WTF_CPU_MIPS || WTF_CPU_SPARC32) \
+    && (WTF_CPU_X86 || WTF_CPU_X86_64 || WTF_CPU_ARM || WTF_CPU_SPARC32) \
     && (WTF_OS_DARWIN || !WTF_COMPILER_GCC || GCC_VERSION_AT_LEAST(4, 1, 0)) \
     && !WTF_OS_WINCE
 #define ENABLE_JIT 1
diff --git a/js/src/config/autoconf.mk.in b/js/src/config/autoconf.mk.in
index 97ba0c24c35..c43c0c21fb3 100644
--- a/js/src/config/autoconf.mk.in
+++ b/js/src/config/autoconf.mk.in
@@ -43,7 +43,6 @@ USE_AUTOCONF 	= 1
 MOZILLA_CLIENT	= 1
 target          = @target@
 ac_configure_args = @ac_configure_args@
-BUILD_MODULES	= @BUILD_MODULES@
 MOZILLA_VERSION = @MOZILLA_VERSION@
 
 MOZ_BUILD_APP = @MOZ_BUILD_APP@
diff --git a/js/src/config/nsinstall_win.c b/js/src/config/nsinstall_win.c
index d9b723b2c7c..1c1623f82fa 100644
--- a/js/src/config/nsinstall_win.c
+++ b/js/src/config/nsinstall_win.c
@@ -41,6 +41,38 @@ static BOOL sh_DoCopy(wchar_t *srcFileName, DWORD srcFileAttributes,
 #define ARRAY_LEN(a) (sizeof(a) / sizeof(a[0]))
 #define STR_LEN(a) (ARRAY_LEN(a) - 1)
 
+#ifdef __MINGW32__
+
+/* MingW currently does not implement a wide version of the
+   startup routines.  Workaround is to implement something like
+   it ourselves. */
+
+#include <shellapi.h>
+
+int wmain(int argc, WCHAR **argv);
+
+int main(int argc, char **argv)
+{
+    int result;
+    wchar_t *commandLine = GetCommandLineW();
+    int argcw = 0;
+    wchar_t **_argvw = CommandLineToArgvW( commandLine, &argcw );
+    wchar_t *argvw[argcw + 1];
+    int i;
+    if (!_argvw)
+        return 127;
+    /* CommandLineToArgvW doesn't output the ending NULL so
+       we have to manually add it on */
+    for ( i = 0; i < argcw; i++ )
+        argvw[i] = _argvw[i];
+    argvw[argcw] = NULL;
+
+    result = wmain(argcw, argvw);
+    LocalFree(_argvw);
+    return result;
+}
+#endif /* __MINGW32__ */
+
 /* changes all forward slashes in token to backslashes */
 void changeForwardSlashesToBackSlashes ( wchar_t *arg )
 {
diff --git a/js/src/config/rules.mk b/js/src/config/rules.mk
index d2bf49060f8..59cee5577e4 100644
--- a/js/src/config/rules.mk
+++ b/js/src/config/rules.mk
@@ -1153,8 +1153,9 @@ ifdef HAVE_DTRACE
 ifndef XP_MACOSX
 ifdef DTRACE_PROBE_OBJ
 ifndef DTRACE_LIB_DEPENDENT
-$(DTRACE_PROBE_OBJ):
-	dtrace -G -C -s $(MOZILLA_DTRACE_SRC) -o $(DTRACE_PROBE_OBJ)
+NON_DTRACE_OBJS := $(filter-out $(DTRACE_PROBE_OBJ),$(OBJS))
+$(DTRACE_PROBE_OBJ): $(NON_DTRACE_OBJS)
+	dtrace -G -C -s $(MOZILLA_DTRACE_SRC) -o $(DTRACE_PROBE_OBJ) $(NON_DTRACE_OBJS)
 endif
 endif
 endif
@@ -1550,9 +1551,6 @@ export:: FORCE
 	@echo; sleep 2; false
 endif
 
-$(IDL_DIR)::
-	$(NSINSTALL) -D $@
-
 # generate .h files from into $(XPIDL_GEN_DIR), then export to $(DIST)/include;
 # warn against overriding existing .h file. 
 $(XPIDL_GEN_DIR)/.done:
@@ -1623,14 +1621,8 @@ endif # XPIDLSRCS
 
 
 
-#
 # General rules for exporting idl files.
-#
-# WORK-AROUND ONLY, for mozilla/tools/module-deps/bootstrap.pl build.
-# Bug to fix idl dependency problems w/o this extra build pass is
-#   http://bugzilla.mozilla.org/show_bug.cgi?id=145777
-#
-$(IDL_DIR)::
+$(IDL_DIR):
 	$(NSINSTALL) -D $@
 
 export-idl:: $(SUBMAKEFILES) $(MAKE_DIRS)
@@ -2097,7 +2089,6 @@ showhost:
 	@echo "HOST_LIBRARY       = $(HOST_LIBRARY)"
 
 showbuildmods::
-	@echo "Build Modules	= $(BUILD_MODULES)"
 	@echo "Module dirs	= $(BUILD_MODULE_DIRS)"
 
 documentation:
diff --git a/js/src/configure.in b/js/src/configure.in
index 1ec0dc55f55..6ecc40d4a69 100644
--- a/js/src/configure.in
+++ b/js/src/configure.in
@@ -1994,14 +1994,11 @@ case "$target" in
 *-darwin*) 
     MKSHLIB='$(CXX) $(CXXFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -o $@'
     MKCSHLIB='$(CC) $(CFLAGS) $(DSO_PIC_CFLAGS) $(DSO_LDOPTS) -o $@'
-
-    MOZ_OPTIMIZE_FLAGS="-O3  -fstrict-aliasing -fno-stack-protector"
-    # We normally want -fomit-frame-pointer, but we want an explicit
-    # -fno-omit-frame-pointer if we're using a sampling profiler.
+    # If we're building with --enable-profiling, we need a frame pointer.
     if test -z "$MOZ_PROFILING"; then
-        MOZ_OPTIMIZE_FLAGS="$MOZ_OPTIMIZE_FLAGS -fomit-frame-pointer"
+        MOZ_OPTIMIZE_FLAGS="-O3 -fomit-frame-pointer"
     else
-        MOZ_OPTIMIZE_FLAGS="$MOZ_OPTIMIZE_FLAGS -fno-omit-frame-pointer"
+        MOZ_OPTIMIZE_FLAGS="-O3 -fno-omit-frame-pointer"
     fi
     _PEDANTIC=
     CFLAGS="$CFLAGS -fpascal-strings -fno-common"
diff --git a/js/src/jsfun.cpp b/js/src/jsfun.cpp
index 704a8d7af6a..66ec82e91f0 100644
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -2482,6 +2482,7 @@ js_CloneFunctionObject(JSContext *cx, JSFunction *fun, JSObject *parent,
             JS_ASSERT(script->compartment != cx->compartment);
             JS_OPT_ASSERT(script->ownerObject == fun);
 
+            cfun->u.i.script = NULL;
             JSScript *cscript = js_CloneScript(cx, script);
             if (!cscript)
                 return NULL;
diff --git a/js/src/methodjit/PolyIC.cpp b/js/src/methodjit/PolyIC.cpp
index 17e1a9ba96b..341d6bab59e 100644
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@@ -2221,8 +2221,8 @@ GetElementIC::attachGetProp(JSContext *cx, JSObject *obj, const Value &v, jsid i
     CodeLocationLabel cs = buffer.finalize();
 #if DEBUG
     char *chars = DeflateString(cx, v.toString()->getChars(cx), v.toString()->length());
-    JaegerSpew(JSpew_PICs, "generated %s stub at %p for atom 0x%lx (\"%s\") shape 0x%x (%s: %d)\n",
-               js_CodeName[op], cs.executableAddress(), (unsigned long) JSID_TO_ATOM(id), chars,
+    JaegerSpew(JSpew_PICs, "generated %s stub at %p for atom %p (\"%s\") shape 0x%x (%s: %d)\n",
+               js_CodeName[op], cs.executableAddress(), (void*)JSID_TO_ATOM(id), chars,
                holder->shape(), cx->fp()->script()->filename, CurrentLine(cx));
     cx->free_(chars);
 #endif
diff --git a/js/src/nanojit-import-rev b/js/src/nanojit-import-rev
index 082e06bde0c..e31ef8208af 100644
--- a/js/src/nanojit-import-rev
+++ b/js/src/nanojit-import-rev
@@ -1 +1 @@
-4cc8b8ebd44b989e08935ed8ffae7e9cb4eb4ae9
+55c10227eece4a02b593997eda3dedef39af7beb
diff --git a/js/src/nanojit/NativeARM.cpp b/js/src/nanojit/NativeARM.cpp
index d504c0b3e05..5b956cffe83 100644
--- a/js/src/nanojit/NativeARM.cpp
+++ b/js/src/nanojit/NativeARM.cpp
@@ -129,10 +129,16 @@ Assembler::CountLeadingZeroes(uint32_t data)
         // On Android gcc compiler, the clz instruction is not supported with a
         // target smaller than armv7, despite it being legal for armv5+.
             "   .arch armv7-a\n"
+        // Force the object to be tagged as armv4t to avoid it bumping the final
+        // binary target.
+            "   .object_arch armv4t\n"
 #elif (NJ_COMPILER_ARM_ARCH < 5)
         // Targetting armv5t allows a toolchain with armv4t target to still build
         // with clz, and clz to be used when appropriate at runtime.
             "   .arch armv5t\n"
+        // Force the object file to be tagged as armv4t to avoid it bumping the
+        // final binary target.
+            "   .object_arch armv4t\n"
 #endif
             "   clz     %0, %1  \n"
             :   "=r"    (leading_zeroes)
diff --git a/js/src/nanojit/NativeMIPS.cpp b/js/src/nanojit/NativeMIPS.cpp
index cccf9c45354..0f2587cec6d 100644
--- a/js/src/nanojit/NativeMIPS.cpp
+++ b/js/src/nanojit/NativeMIPS.cpp
@@ -119,11 +119,11 @@ namespace nanojit
     }
 
     static inline Register mswregpair(Register r) {
-        return Register(r + (isLittleEndian() ? 1 : 0));
+        return isLittleEndian() ? r+1 : r;
     }
 
     static inline Register lswregpair(Register r) {
-        return Register(r + (isLittleEndian() ? 0 : 1));
+        return isLittleEndian() ? r : r+1;
     }
 
 // These variables affect the code generator
@@ -278,7 +278,7 @@ namespace nanojit
     {
 #if !PEDANTIC
         if (isS16(dr)) {
-            LDST(op, rt, dr, rbase);
+            LDSTGPR(op, rt, dr, rbase);
             return;
         }
 #endif
@@ -286,7 +286,7 @@ namespace nanojit
         // lui AT,hi(d)
         // addu AT,rbase
         // ldst rt,lo(d)(AT)
-        LDST(op, rt, lo(dr), AT);
+        LDSTGPR(op, rt, lo(dr), AT);
         ADDU(AT, AT, rbase);
         LUI(AT, hi(dr));
     }
@@ -296,21 +296,21 @@ namespace nanojit
 #if !PEDANTIC
         if (isS16(dr) && isS16(dr+4)) {
             if (IsGpReg(r)) {
-                LDST(store ? OP_SW : OP_LW, r+1, dr+4, rbase);
-                LDST(store ? OP_SW : OP_LW, r,   dr, rbase);
+                LDSTGPR(store ? OP_SW : OP_LW, r+1, dr+4, rbase);
+                LDSTGPR(store ? OP_SW : OP_LW, r,   dr,   rbase);
             }
             else {
                 NanoAssert(cpu_has_fpu);
                 // NanoAssert((dr & 7) == 0);
                 if (cpu_has_lsdc1 && ((dr & 7) == 0)) {
                     // lsdc1 $fr,dr($rbase)
-                    LDST(store ? OP_SDC1 : OP_LDC1, r, dr, rbase);
+                    LDSTFPR(store ? OP_SDC1 : OP_LDC1, r, dr, rbase);
                 }
                 else {
                     // lswc1 $fr,  dr+LSWOFF($rbase)
                     // lswc1 $fr+1,dr+MSWOFF($rbase)
-                    LDST(store ? OP_SWC1 : OP_LWC1, r+1, dr+mswoff(), rbase);
-                    LDST(store ? OP_SWC1 : OP_LWC1, r,   dr+lswoff(), rbase);
+                    LDSTFPR(store ? OP_SWC1 : OP_LWC1, r+1, dr+mswoff(), rbase);
+                    LDSTFPR(store ? OP_SWC1 : OP_LWC1, r,   dr+lswoff(), rbase);
                 }
                 return;
             }
@@ -322,8 +322,8 @@ namespace nanojit
             // addu  $at,$rbase
             // ldsw  $r,  %lo(d)($at)
             // ldst  $r+1,%lo(d+4)($at)
-            LDST(store ? OP_SW : OP_LW, r+1, lo(dr+4), AT);
-            LDST(store ? OP_SW : OP_LW, r,   lo(dr), AT);
+            LDSTGPR(store ? OP_SW : OP_LW, r+1, lo(dr+4), AT);
+            LDSTGPR(store ? OP_SW : OP_LW, r,   lo(dr), AT);
             ADDU(AT, AT, rbase);
             LUI(AT, hi(dr));
         }
@@ -342,7 +342,7 @@ namespace nanojit
                 // lui    $at,%hi(dr)
                 // addu   $at,$rbase
                 // lsdc1  $r,%lo(dr)($at)
-                LDST(store ? OP_SDC1 : OP_LDC1, r, lo(dr), AT);
+                LDSTFPR(store ? OP_SDC1 : OP_LDC1, r, lo(dr), AT);
                 ADDU(AT, AT, rbase);
                 LUI(AT, hi(dr));
             }
@@ -351,8 +351,8 @@ namespace nanojit
                 // addu  $at,$rbase
                 // lswc1 $r,  %lo(d+LSWOFF)($at)
                 // lswc1 $r+1,%lo(d+MSWOFF)($at)
-                LDST(store ? OP_SWC1 : OP_LWC1, r+1, lo(dr+mswoff()), AT);
-                LDST(store ? OP_SWC1 : OP_LWC1, r,   lo(dr+lswoff()), AT);
+                LDSTFPR(store ? OP_SWC1 : OP_LWC1, r+1, lo(dr+mswoff()), AT);
+                LDSTFPR(store ? OP_SWC1 : OP_LWC1, r,   lo(dr+lswoff()), AT);
                 ADDU(AT, AT, rbase);
                 LUI(AT, hi(dr));
             }
@@ -481,8 +481,8 @@ namespace nanojit
         // where we are
         if (stkd & 4) {
             if (stkd < 16) {
-                r = Register(r + 1);
-                fr = Register(fr + 1);
+                r = r + 1;
+                fr = fr + 1;
             }
             stkd += 4;
         }
@@ -496,11 +496,11 @@ namespace nanojit
                 // Move it to the integer pair
                 Register fpupair = arg->getReg();
                 Register intpair = fr;
-                MFC1(mswregpair(intpair), Register(fpupair + 1));  // Odd fpu register contains sign,expt,manthi
-                MFC1(lswregpair(intpair), fpupair);                // Even fpu register contains mantlo
+                MFC1(mswregpair(intpair), fpupair+1); // Odd fpu register contains sign,expt,manthi
+                MFC1(lswregpair(intpair), fpupair);   // Even fpu register contains mantlo
             }
-            r = Register(r + 2);
-            fr = Register(fr + 2);
+            r = r + 2;
+            fr = fr + 2;
         }
         else
             asm_stkarg(arg, stkd);
@@ -1412,20 +1412,20 @@ namespace nanojit
                 else {
                     //  [linkedinstructions]
                     //  bxxx trampoline
-                    //   lui $at,%hi(targ)
+                    //   lui $ra,%hi(targ)
                     //  ...
                     // trampoline:
-                    //  addiu $at,%lo(targ)
-                    //  jr $at
+                    //  addiu $ra,%lo(targ)
+                    //  jr $ra
                     //   nop
 
                     underrunProtect(5 * 4);             // keep bxx and trampoline together
 
-                    LUI(AT,hi(uint32_t(targ)));         // delay slot
+                    LUI(RA,hi(uint32_t(targ)));         // delay slot
 
                     // NB trampoline code is emitted in the correct order
-                    trampADDIU(AT, AT, lo(uint32_t(targ)));
-                    trampJR(AT);
+                    trampADDIU(RA, RA, lo(uint32_t(targ)));
+                    trampJR(RA);
                     trampNOP();                         // trampoline delay slot
 
                 }
@@ -1588,7 +1588,7 @@ namespace nanojit
                 else
                     BEQ(AT, ZERO, btarg);
                 patch = _nIns;
-                SLT(AT, rb, ra);
+                SLTU(AT, rb, ra);
                 break;
             case LIR_geui:
                 if (branchOnFalse)
@@ -1634,17 +1634,31 @@ namespace nanojit
     void Assembler::asm_j(NIns * const targ, bool bdelay)
     {
         if (targ == NULL) {
+            // target is unknown - asm_bxx wiill generate tramopline code
             NanoAssert(bdelay);
             (void) asm_bxx(false, LIR_eqi, ZERO, ZERO, targ);
         }
-        else {
-            NanoAssert(SEG(targ) == SEG(_nIns));
+        else if (SEG(targ) == SEG(_nIns)) {
+            // target is known and in same segment
             if (bdelay) {
                 underrunProtect(2*4);    // j + delay
                 NOP();
             }
             J(targ);
         }
+        else {
+            // target is known but in different segment
+            // generate register jump using $ra
+            // lui $ra,%hi(targ)
+            // ori $ra,%lo(targ) # will be omitted if (targ & 0xffff)==0
+            // jr $ra
+            //  [nop]
+            underrunProtect(4*4); // worst case to prevent underrunProtect from reinvoking asm_j
+            if (bdelay)
+                NOP();
+            JR(RA);
+            asm_li(RA, (uint32_t)targ);
+        }
         TAG("asm_j(targ=%p) bdelay=%d", targ);
     }
 
@@ -1697,8 +1711,8 @@ namespace nanojit
             NanoAssert(ty == ARGTYPE_I || ty == ARGTYPE_UI);
             if (stkd < 16) {
                 asm_regarg(ty, arg, r);
-                fr = Register(fr + 1);
-                r = Register(r + 1);
+                fr = fr + 1;
+                r = r + 1;
             }
             else
                 asm_stkarg(arg, stkd);
@@ -1775,7 +1789,6 @@ namespace nanojit
     Register
     Assembler::nRegisterAllocFromSet(RegisterMask set)
     {
-        Register i;
         int n;
 
         // note, deliberate truncation of 64->32 bits
@@ -1783,18 +1796,19 @@ namespace nanojit
             // gp reg
             n = ffs(int(set));
             NanoAssert(n != 0);
-            i = Register(n - 1);
+            n = n - 1;
         }
         else {
             // fp reg
             NanoAssert(cpu_has_fpu);
             n = ffs(int(set >> 32));
             NanoAssert(n != 0);
-            i = Register(32 + n - 1);
+            n = 32 + n - 1;
         }
-        _allocator.free &= ~rmask(i);
-        TAG("nRegisterAllocFromSet(set=%016llx) => %s", set, gpn(i));
-        return i;
+        Register r = { n };
+        _allocator.free &= ~rmask(r);
+        TAG("nRegisterAllocFromSet(set=%016llx) => %s", set, gpn(r));
+        return r;
     }
 
     void
@@ -1836,9 +1850,9 @@ namespace nanojit
                     // ori $at,target & 0xffff
                     // jr $at
                     //  nop
-                    branch[1] = U_FORMAT(OP_LUI,0,AT,hi(uint32_t(target)));
-                    tramp[0] = U_FORMAT(OP_ADDIU,AT,AT,lo(uint32_t(target)));
-                    tramp[1] = R_FORMAT(OP_SPECIAL,AT,0,0,0,SPECIAL_JR);
+                    branch[1] = U_FORMAT(OP_LUI, 0, GPR(AT), hi(uint32_t(target)));
+                    tramp[0] = U_FORMAT(OP_ADDIU, GPR(AT), GPR(AT), lo(uint32_t(target)));
+                    tramp[1] = R_FORMAT(OP_SPECIAL, GPR(AT), 0, 0, 0, SPECIAL_JR);
                 }
             }
         }
@@ -1874,7 +1888,6 @@ namespace nanojit
             if (!_epilogue)
                 _epilogue = genEpilogue();
             GuardRecord *lr = guard->record();
-            // FIXME: _epilogue may be in another segment
             // lui    $v0,%hi(lr)
             // j      _epilogue
             //  addiu $v0,%lo(lr)
@@ -1966,11 +1979,11 @@ namespace nanojit
     {
         /*
          * Use a non standard fp because we don't know the final framesize until now
-         * addiu  $sp,-FRAMESIZE
+         * addiu   $sp,-FRAMESIZE
          * sw      $ra,RA_OFFSET($sp)
          * sw      $fp,FP_OFFSET($sp)
-         * move   $fp,$sp
-         * addu      $sp,-stackNeeded
+         * move    $fp,$sp
+         * addu    $sp,-stackNeeded
          */
 
         uint32_t stackNeeded = max_out_args + STACK_GRANULARITY * _activation.stackSlotsNeeded();
@@ -1989,7 +2002,8 @@ namespace nanojit
 
         MOVE(FP, SP);
         SW(FP, FP_OFFSET, SP);
-        SW(RA, RA_OFFSET, SP);        // No need to save for leaf functions
+        underrunProtect(2 * 4);         // code page switch could change $ra
+        SW(RA, RA_OFFSET, SP);
         ADDIU(SP, SP, -FRAMESIZE);
 
         TAG("genPrologue()");
@@ -2002,16 +2016,16 @@ namespace nanojit
     {
         /*
          * move    $sp,$fp
-         * lw      $ra,RA_OFFSET($sp)
          * lw      $fp,FP_OFFSET($sp)
+         * lw      $ra,RA_OFFSET($sp)
          * j       $ra
          * addiu   $sp,FRAMESIZE
          */
-        underrunProtect(2*4);   // j $ra; addiu $sp,FRAMESIZE
+        underrunProtect(3*4);   // lw $ra,RA_OFFSET($sp);j $ra; addiu $sp,FRAMESIZE
         ADDIU(SP, SP, FRAMESIZE);
         JR(RA);
-        LW(FP, FP_OFFSET, SP);
         LW(RA, RA_OFFSET, SP);
+        LW(FP, FP_OFFSET, SP);
         MOVE(SP, FP);
 
         TAG("genEpilogue()");
diff --git a/js/src/nanojit/NativeMIPS.h b/js/src/nanojit/NativeMIPS.h
index df158b82a96..12e747dcc12 100644
--- a/js/src/nanojit/NativeMIPS.h
+++ b/js/src/nanojit/NativeMIPS.h
@@ -40,6 +40,8 @@
 #ifndef __nanojit_NativeMIPS__
 #define __nanojit_NativeMIPS__
 
+#include "NativeCommon.h"
+
 #include "../vprof/vprof.h"
 #ifdef PERFM
 #define DOPROF
@@ -66,9 +68,9 @@ namespace nanojit
 
     typedef uint32_t NIns;                // REQ: Instruction count
     typedef uint64_t RegisterMask;        // REQ: Large enough to hold LastRegNum-FirstRegNum bits
-#define _rmask_(r)        (1LL<<(r))
+#define _rmask_(r)      (1LL<<(r))
+#define REGMASK(r)      _rmask_(REGNUM(r))
 
-    typedef uint32_t Register;            // REQ: Register identifiers
     // Register numbers for Native code generator
     static const Register
         ZERO = { 0 },
@@ -163,13 +165,10 @@ namespace nanojit
 
         deprecated_UnknownReg = { 127 };    // XXX: remove eventually, see bug 538924
 
-    static const uint32_t FirstRegNum = ZERO;
-    static const uint32_t LastRegNum = F31;
+    static const uint32_t FirstRegNum = 0; // R0
+    static const uint32_t LastRegNum = 63; // F31
 }
 
-#define NJ_USE_UINT32_REGISTER 1
-#include "NativeCommon.h"
-
 namespace nanojit {
     // REQ: register names
     verbose_only(extern const char* regNames[];)
@@ -190,47 +189,65 @@ namespace nanojit {
     // REQ: Callee saved registers
     const RegisterMask SavedRegs =
 #ifdef FPCALLEESAVED
-                    _rmask_(FS0) | _rmask_(FS1) | _rmask_(FS2) |
-                    _rmask_(FS3) | _rmask_(FS4) | _rmask_(FS5) |
+        REGMASK(FS0) | REGMASK(FS1) | REGMASK(FS2) |
+        REGMASK(FS3) | REGMASK(FS4) | REGMASK(FS5) |
 #endif
-                    _rmask_(S0) | _rmask_(S1) | _rmask_(S2) | _rmask_(S3) |
-                    _rmask_(S4) | _rmask_(S5) | _rmask_(S6) | _rmask_(S7);
+        REGMASK(S0) | REGMASK(S1) | REGMASK(S2) | REGMASK(S3) |
+        REGMASK(S4) | REGMASK(S5) | REGMASK(S6) | REGMASK(S7);
 
     // REQ: General purpose registers
     static const RegisterMask GpRegs =
-                    _rmask_(V0) | _rmask_(V1) |
-                    _rmask_(A0) | _rmask_(A1) | _rmask_(A2) | _rmask_(A3) |
-                    _rmask_(S0) | _rmask_(S1) | _rmask_(S2) | _rmask_(S3) |
-                    _rmask_(S4) | _rmask_(S5) | _rmask_(S6) | _rmask_(S7) |
-                    _rmask_(T0) | _rmask_(T1) | _rmask_(T2) | _rmask_(T3) |
-                    _rmask_(T4) | _rmask_(T5) | _rmask_(T6) | _rmask_(T7) |
-                    _rmask_(T8) | _rmask_(T9);
+        REGMASK(V0) | REGMASK(V1) |
+        REGMASK(A0) | REGMASK(A1) | REGMASK(A2) | REGMASK(A3) |
+        REGMASK(S0) | REGMASK(S1) | REGMASK(S2) | REGMASK(S3) |
+        REGMASK(S4) | REGMASK(S5) | REGMASK(S6) | REGMASK(S7) |
+        REGMASK(T0) | REGMASK(T1) | REGMASK(T2) | REGMASK(T3) |
+        REGMASK(T4) | REGMASK(T5) | REGMASK(T6) | REGMASK(T7) |
+        REGMASK(T8) | REGMASK(T9);
 
     // REQ: Floating point registers
     static const RegisterMask FpRegs =
 #ifdef FPCALLEESAVED
-                    _rmask_(FS0) | _rmask_(FS1) | _rmask_(FS2) |
-                    _rmask_(FS3) | _rmask_(FS4) | _rmask_(FS5) |
+        REGMASK(FS0) | REGMASK(FS1) | REGMASK(FS2) |
+        REGMASK(FS3) | REGMASK(FS4) | REGMASK(FS5) |
 #endif
-                    _rmask_(FV0) | _rmask_(FV1) |
-                    _rmask_(FA0) | _rmask_(FA1) |
-                    _rmask_(FT0) | _rmask_(FT1) | _rmask_(FT2) |
-                    _rmask_(FT3) | _rmask_(FT4) | _rmask_(FT5);
-
-    static const RegisterMask AllowableFlagRegs = GpRegs;        // REQ: Registers that can hold flag results FIXME
-
-    static inline bool IsFpReg(Register r)
-    {
-        return (_rmask_(r) & FpRegs) != 0;
-    }
+        REGMASK(FV0) | REGMASK(FV1) |
+        REGMASK(FA0) | REGMASK(FA1) |
+        REGMASK(FT0) | REGMASK(FT1) | REGMASK(FT2) |
+        REGMASK(FT3) | REGMASK(FT4) | REGMASK(FT5);
 
     static inline bool IsGpReg(Register r)
     {
-        return (_rmask_(r) & GpRegs) != 0;
+        return (REGMASK(r) & GpRegs) != 0;
     }
 
-#define GPR(r) ((r)&31)
-#define FPR(r) ((r)&31)
+    static inline bool IsFpReg(Register r)
+    {
+        return (REGMASK(r) & FpRegs) != 0;
+    }
+
+    static inline bool IsGPR(Register r)
+    {
+        return (r >= ZERO && r <= RA);
+    }
+
+    static inline bool IsFPR(Register r)
+    {
+        return (r >= F0 && r <= F31);
+
+    }
+
+    static inline uint32_t GPR(Register r)
+    {
+        NanoAssertMsg(IsGPR(r), "Not GPR");
+        return REGNUM(r)&31;
+    }
+
+    static inline uint32_t FPR(Register r)
+    {
+        NanoAssertMsg(IsFPR(r), "Not FPR");
+        return REGNUM(r)&31;
+    }
 
 // REQ: Platform specific declarations to include in Stats structure
 #define DECLARE_PLATFORM_STATS()
@@ -412,19 +429,22 @@ namespace nanojit {
 // Parameters are in instruction order
 
 #define R_FORMAT(op, rs, rt, rd, re, func)                              \
-    (((op)<<26)|(GPR(rs)<<21)|(GPR(rt)<<16)|(GPR(rd)<<11)|((re)<<6)|(func))
+    (((op)<<26)|((rs)<<21)|((rt)<<16)|((rd)<<11)|((re)<<6)|(func))
 
 #define I_FORMAT(op, rs, rt, simm)                              \
-    (((op)<<26)|(GPR(rs)<<21)|(GPR(rt)<<16)|((simm)&0xffff))
+    (((op)<<26)|((rs)<<21)|((rt)<<16)|((simm)&0xffff))
 
 #define J_FORMAT(op, index)                     \
     (((op)<<26)|(index))
 
 #define U_FORMAT(op, rs, rt, uimm)                              \
-    (((op)<<26)|(GPR(rs)<<21)|(GPR(rt)<<16)|((uimm)&0xffff))
+    (((op)<<26)|((rs)<<21)|((rt)<<16)|((uimm)&0xffff))
 
 #define F_FORMAT(op, ffmt, ft, fs, fd, func)                            \
-    (((op)<<26)|((ffmt)<<21)|(FPR(ft)<<16)|(FPR(fs)<<11)|(FPR(fd)<<6)|(func))
+    (((op)<<26)|((ffmt)<<21)|((ft)<<16)|((fs)<<11)|((fd)<<6)|(func))
+
+#define X_FORMAT(op, base, index, fs, fd, func)                            \
+    (((op)<<26)|((base)<<21)|((index)<<16)|((fs)<<11)|((fd)<<6)|(func))
 
 #define oname(op) Assembler::oname[op]
 #define cname(cond) Assembler::cname[cond]
@@ -433,34 +453,34 @@ namespace nanojit {
 
 #define BOFFSET(targ)    (uint32_t(targ - (_nIns+1)))
 
-#define LDST(op, rt, offset, base)                                      \
-    do { count_misc(); EMIT(I_FORMAT(op, base, rt, offset),             \
+#define LDSTGPR(op, rt, offset, base)                                      \
+    do { count_misc(); EMIT(I_FORMAT(op, GPR(base), GPR(rt), offset),   \
                             "%s %s, %d(%s)", oname[op], gpn(rt), offset, gpn(base)); } while (0)
 
-#define BX(op, rs, rt, targ)                                            \
-    do { count_br(); EMIT(I_FORMAT(op, rs, rt, BOFFSET(targ)),          \
-                          "%s %s, %s, %p", oname[op], gpn(rt), gpn(rs), targ); } while (0)
+#define LDSTFPR(op, ft, offset, base)                                      \
+    do { count_misc(); EMIT(I_FORMAT(op, GPR(base), FPR(ft), offset),   \
+                            "%s %s, %d(%s)", oname[op], fpn(ft), offset, gpn(base)); } while (0)
 
 // MIPS instructions
 // Parameters are in "assembler" order
 #define ADDIU(rt, rs, simm)                                             \
-    do { count_alu(); EMIT(I_FORMAT(OP_ADDIU, rs, rt, simm),            \
+    do { count_alu(); EMIT(I_FORMAT(OP_ADDIU, GPR(rs), GPR(rt), simm),  \
                            "addiu %s, %s, %d", gpn(rt), gpn(rs), simm); } while (0)
 
 #define trampADDIU(rt, rs, simm)                                        \
-    do { count_alu(); TRAMP(I_FORMAT(OP_ADDIU, rs, rt, simm),           \
+    do { count_alu(); TRAMP(I_FORMAT(OP_ADDIU, GPR(rs), GPR(rt), simm), \
                             "addiu %s, %s, %d", gpn(rt), gpn(rs), simm); } while (0)
 
 #define ADDU(rd, rs, rt)                                                \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_ADDU), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_ADDU), \
                            "addu %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define AND(rd, rs, rt)                                                 \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_AND), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_AND), \
                            "and %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define ANDI(rt, rs, uimm)                                              \
-    do { count_alu(); EMIT(U_FORMAT(OP_ANDI, rs, rt, uimm),             \
+    do { count_alu(); EMIT(U_FORMAT(OP_ANDI, GPR(rs), GPR(rt), uimm),   \
                            "andi %s, %s, 0x%x", gpn(rt), gpn(rs), ((uimm)&0xffff)); } while (0)
 
 #define BC1F(targ)                                                      \
@@ -471,13 +491,33 @@ namespace nanojit {
     do { count_br(); EMIT(I_FORMAT(OP_COP1, COP1_BC, 1, BOFFSET(targ)), \
                           "bc1t %p", targ); } while (0)
 
-#define B(targ)                 BX(OP_BEQ, ZERO, ZERO, targ)
-#define BEQ(rs, rt, targ)       BX(OP_BEQ, rs, rt, targ)
-#define BNE(rs, rt, targ)       BX(OP_BNE, rs, rt, targ)
-#define BLEZ(rs, targ)          BX(OP_BLEZ, rs, ZERO, targ)
-#define BGTZ(rs, targ)          BX(OP_BGTZ, rs, ZERO, targ)
-#define BGEZ(rs, targ)          BX(OP_REGIMM, rs, REGIMM_BGEZ, targ)
-#define BLTZ(rs, targ)          BX(OP_REGIMM, rs, REGIMM_BLTZ, targ)
+#define B(targ)                                                         \
+        do { count_br(); EMIT(I_FORMAT(OP_BEQ, GPR(ZERO), GPR(ZERO), BOFFSET(targ)), \
+                          "b %p", targ); } while (0)
+
+#define BEQ(rs, rt, targ)                                               \
+    do { count_br(); EMIT(I_FORMAT(OP_BEQ, GPR(rs), GPR(rt), BOFFSET(targ)), \
+                          "%s %s, %s, %p", oname[OP_BEQ], gpn(rs), gpn(rt), targ); } while (0)
+
+#define BNE(rs, rt, targ)                                               \
+    do { count_br(); EMIT(I_FORMAT(OP_BNE, GPR(rs), GPR(rt), BOFFSET(targ)), \
+                          "%s %s, %s, %p", oname[OP_BNE], gpn(rs), gpn(rt), targ); } while (0)
+
+#define BLEZ(rs, targ)                                                  \
+    do { count_br(); EMIT(I_FORMAT(OP_BLEZ, GPR(rs), 0, BOFFSET(targ)), \
+                          "%s %s, %p", oname[OP_BLEZ], gpn(rs), targ); } while (0)
+
+#define BGTZ(rs, targ)                                                  \
+    do { count_br(); EMIT(I_FORMAT(OP_BGTZ, GPR(rs), 0, BOFFSET(targ)), \
+                          "%s %s, %p", oname[OP_BGTZ], gpn(rs), targ); } while (0)
+
+#define BGEZ(rs, targ)                                                  \
+    do { count_br(); EMIT(I_FORMAT(OP_REGIMM, GPR(rs), REGIMM_BGEZ, BOFFSET(targ)), \
+                          "bgez %s, %p", gpn(rs), targ); } while (0)
+
+#define BLTZ(rs, targ)                                                  \
+    do { count_br(); EMIT(I_FORMAT(OP_REGIMM, GPR(rs), REGIMM_BLTZ, BOFFSET(targ)), \
+                          "bltz %s, %p", gpn(rs), targ); } while (0)
 
 #define JINDEX(dest) ((uint32_t(dest)>>2)&0x03ffffff)
 
@@ -494,130 +534,130 @@ namespace nanojit {
                            "jal %p", dest); } while (0)
 
 #define JALR(rs)                                                        \
-    do { count_jmp(); EMIT(R_FORMAT(OP_SPECIAL, rs, 0, RA, 0, SPECIAL_JALR), \
+    do { count_jmp(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), 0, GPR(RA), 0, SPECIAL_JALR), \
                            "jalr %s", gpn(rs)); } while (0)
 
 #define JR(rs)                                                            \
-    do { count_jmp(); EMIT(R_FORMAT(OP_SPECIAL, rs, 0, 0, 0, SPECIAL_JR), \
+    do { count_jmp(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), 0, 0, 0, SPECIAL_JR), \
                            "jr %s", gpn(rs)); } while (0)
 #define trampJR(rs)                                                     \
-    do { count_jmp(); TRAMP(R_FORMAT(OP_SPECIAL, rs, 0, 0, 0, SPECIAL_JR), \
+    do { count_jmp(); TRAMP(R_FORMAT(OP_SPECIAL, GPR(rs), 0, 0, 0, SPECIAL_JR), \
                             "jr %s", gpn(rs)); } while (0)
 
 #define LB(rt, offset, base)                    \
-    LDST(OP_LB, rt, offset, base)
+    LDSTGPR(OP_LB, rt, offset, base)
 
 #define LH(rt, offset, base)                    \
-    LDST(OP_LH, rt, offset, base)
+    LDSTGPR(OP_LH, rt, offset, base)
 
 #define LUI(rt, uimm)                                                   \
-    do { count_alu(); EMIT(U_FORMAT(OP_LUI, 0, rt, uimm),               \
+    do { count_alu(); EMIT(U_FORMAT(OP_LUI, 0, GPR(rt), uimm),          \
                            "lui %s, 0x%x", gpn(rt), ((uimm)&0xffff)); } while (0)
 
 #define LW(rt, offset, base)                    \
-    LDST(OP_LW, rt, offset, base)
+    LDSTGPR(OP_LW, rt, offset, base)
 
 #define MFHI(rd)                                                        \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, 0, rd, 0, SPECIAL_MFHI), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, 0, GPR(rd), 0, SPECIAL_MFHI), \
                            "mfhi %s", gpn(rd)); } while (0)
 
 #define MFLO(rd)                                                        \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, 0, rd, 0, SPECIAL_MFLO), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, 0, GPR(rd), 0, SPECIAL_MFLO), \
                            "mflo %s", gpn(rd)); } while (0)
 
 #define MUL(rd, rs, rt)                                                 \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL2, rs, rt, rd, 0, SPECIAL2_MUL), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL2, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL2_MUL), \
                            "mul %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define MULT(rs, rt)                                                    \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, 0, 0, SPECIAL_MULT), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), 0, 0, SPECIAL_MULT), \
                            "mult %s, %s", gpn(rs), gpn(rt)); } while (0)
 
 #define MOVE(rd, rs)                                                    \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, ZERO, rd, 0, SPECIAL_ADDU), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(ZERO), GPR(rd), 0, SPECIAL_ADDU), \
                            "move %s, %s", gpn(rd), gpn(rs)); } while (0)
 
 #define MOVN(rd, rs, rt)                                                \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_MOVN), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_MOVN), \
                            "movn %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define NEGU(rd, rt)                                                    \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, ZERO, rt, rd, 0, SPECIAL_SUBU), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(ZERO), GPR(rt), GPR(rd), 0, SPECIAL_SUBU), \
                            "negu %s, %s", gpn(rd), gpn(rt)); } while (0)
 
 #define NOP()                                                           \
-    do { count_misc(); EMIT(R_FORMAT(OP_SPECIAL, 0, 0, 0, 0, SPECIAL_SLL), \
+    do { count_misc(); EMIT(R_FORMAT(OP_SPECIAL, GPR(ZERO), GPR(ZERO), GPR(ZERO), 0, SPECIAL_SLL), \
                             "nop"); } while (0)
 
 #define trampNOP()                                                      \
-    do { count_misc(); TRAMP(R_FORMAT(OP_SPECIAL, 0, 0, 0, 0, SPECIAL_SLL), \
+    do { count_misc(); TRAMP(R_FORMAT(OP_SPECIAL, GPR(ZERO), GPR(ZERO), GPR(ZERO), 0, SPECIAL_SLL), \
                              "nop"); } while (0)
 
 #define NOR(rd, rs, rt)                                                 \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_NOR), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_NOR), \
                            "nor %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define NOT(rd, rs)                                                     \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, ZERO, rd, 0, SPECIAL_NOR), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(ZERO), GPR(rd), 0, SPECIAL_NOR), \
                            "not %s, %s", gpn(rd), gpn(rs)); } while (0)
 
 #define OR(rd, rs, rt)                                                  \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_OR), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_OR), \
                            "or %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define ORI(rt, rs, uimm)                                               \
-    do { count_alu(); EMIT(U_FORMAT(OP_ORI, rs, rt, uimm),              \
+    do { count_alu(); EMIT(U_FORMAT(OP_ORI, GPR(rs), GPR(rt), uimm),    \
                            "ori %s, %s, 0x%x", gpn(rt), gpn(rs), ((uimm)&0xffff)); } while (0)
 
 #define SLTIU(rt, rs, simm)                                             \
-    do { count_alu(); EMIT(I_FORMAT(OP_SLTIU, rs, rt, simm),            \
+    do { count_alu(); EMIT(I_FORMAT(OP_SLTIU, GPR(rs), GPR(rt), simm),  \
                            "sltiu %s, %s, %d", gpn(rt), gpn(rs), simm); } while (0)
 
 #define SLT(rd, rs, rt)                                                 \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_SLT), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_SLT), \
                            "slt %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define SLTU(rd, rs, rt)                                                \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_SLTU), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_SLTU), \
                            "sltu %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define SLL(rd, rt, sa)                                                 \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, rt, rd, sa, SPECIAL_SLL), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, GPR(rt), GPR(rd), sa, SPECIAL_SLL), \
                            "sll %s, %s, %d", gpn(rd), gpn(rt), sa); } while (0)
 
 #define SLLV(rd, rt, rs)                                                \
-    do { count_misc(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_SLLV), \
+    do { count_misc(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_SLLV), \
                             "sllv %s, %s, %s", gpn(rd), gpn(rt), gpn(rs)); } while (0)
 
 #define SRA(rd, rt, sa)                                                 \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, rt, rd, sa, SPECIAL_SRA), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, GPR(rt), GPR(rd), sa, SPECIAL_SRA), \
                            "sra %s, %s, %d", gpn(rd), gpn(rt), sa); } while (0)
 
 #define SRAV(rd, rt, rs)                                                \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_SRAV), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_SRAV), \
                            "srav %s, %s, %s", gpn(rd), gpn(rt), gpn(rs)); } while (0)
 
 #define SRL(rd, rt, sa)                                                 \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, rt, rd, sa, SPECIAL_SRL), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, 0, GPR(rt), GPR(rd), sa, SPECIAL_SRL), \
                            "srl %s, %s, %d", gpn(rd), gpn(rt), sa); } while (0)
 
 #define SRLV(rd, rt, rs)                                                \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_SRLV), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_SRLV), \
                            "srlv %s, %s, %s", gpn(rd), gpn(rt), gpn(rs)); } while (0)
 
 #define SUBU(rd, rs, rt)                                                \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_SUBU), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_SUBU), \
                            "subu %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define SW(rt, offset, base)                    \
-    LDST(OP_SW, rt, offset, base)
+    LDSTGPR(OP_SW, rt, offset, base)
 
 #define XOR(rd, rs, rt)                                                 \
-    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, rs, rt, rd, 0, SPECIAL_XOR), \
+    do { count_alu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), GPR(rt), GPR(rd), 0, SPECIAL_XOR), \
                            "xor %s, %s, %s", gpn(rd), gpn(rs), gpn(rt)); } while (0)
 
 #define XORI(rt, rs, uimm)                                              \
-    do { count_alu(); EMIT(U_FORMAT(OP_XORI, rs, rt, uimm),             \
+    do { count_alu(); EMIT(U_FORMAT(OP_XORI, GPR(rs), GPR(rt), uimm),   \
                            "xori %s, %s, 0x%x", gpn(rt), gpn(rs), ((uimm)&0xffff)); } while (0)
 
 
@@ -657,47 +697,47 @@ namespace nanojit {
 #endif
 
 #define FOP_FMT2(ffmt, fd, fs, func, name)                              \
-    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, ffmt, 0, fs, fd, func),    \
+    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, ffmt, FPR(F0), FPR(fs), FPR(fd), func), \
                            "%s.%s %s, %s", name, fname[ffmt], fpn(fd), fpn(fs)); } while (0)
 
 #define FOP_FMT3(ffmt, fd, fs, ft, func, name)                          \
-    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, ffmt, ft, fs, fd, func),   \
+    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, ffmt, FPR(ft), FPR(fs), FPR(fd), func), \
                            "%s.%s %s, %s, %s", name, fname[ffmt], fpn(fd), fpn(fs), fpn(ft)); } while (0)
 
 #define C_COND_FMT(cond, ffmt, fs, ft)                                  \
-    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, ffmt, ft, fs, 0, 0x30|(cond)), \
+    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, ffmt, FPR(ft), FPR(fs), FPR(F0), 0x30|(cond)), \
                            "c.%s.%s %s, %s", cname[cond], fname[ffmt], fpn(fs), fpn(ft)); } while (0)
 
 #define MFC1(rt, fs)                                                    \
-    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, 0, rt, fs, 0, 0),          \
+    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, 0, GPR(rt), FPR(fs), FPR(F0), 0), \
                            "mfc1 %s, %s", gpn(rt), fpn(fs)); } while (0)
 
 #define MTC1(rt, fs)                                                    \
-    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, 4, rt, fs, 0, 0),          \
+    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, 4, GPR(rt), FPR(fs), FPR(F0), 0), \
                            "mtc1 %s, %s", gpn(rt), fpn(fs)); } while (0)
 
 #define MOVF(rd, rs, cc)                                                \
-    do { count_fpu(); EMIT(R_FORMAT(OP_SPECIAL, rs, (cc)<<2, rd, 0, SPECIAL_MOVCI), \
+    do { count_fpu(); EMIT(R_FORMAT(OP_SPECIAL, GPR(rs), (cc)<<2, GPR(rd), 0, SPECIAL_MOVCI), \
                            "movf %s, %s, $fcc%d", gpn(rd), gpn(rs), cc); } while (0)
 
 #define CVT_D_W(fd, fs)                                                 \
-    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, FMT_W, 0, fs, fd, COP1_CVTD), \
+    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, FMT_W, FPR(F0), FPR(fs), FPR(fd), COP1_CVTD), \
                            "cvt.d.w %s, %s", fpn(fd), fpn(fs)); } while (0)
 
 #define TRUNC_W_D(fd, fs)                                               \
-    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, FMT_D, 0, fs, fd, COP1_TRUNCW), \
+    do { count_fpu(); EMIT(F_FORMAT(OP_COP1, FMT_D, FPR(F0), FPR(fs), FPR(fd), COP1_TRUNCW), \
                            "trunc.w.d %s, %s", fpn(fd), fpn(fs)); } while (0)
 
 
-#define LWC1(ft, offset, base)  LDST(OP_LWC1, ft, offset, base)
-#define SWC1(ft, offset, base)  LDST(OP_SWC1, ft, offset, base)
-#define LDC1(ft, offset, base)  LDST(OP_LDC1, ft, offset, base)
-#define SDC1(ft, offset, base)  LDST(OP_SDC1, ft, offset, base)
+#define LWC1(ft, offset, base)  LDSTFPR(OP_LWC1, FPR(ft), offset, GPR(base))
+#define SWC1(ft, offset, base)  LDSTFPR(OP_SWC1, FPR(ft), offset, GPR(base))
+#define LDC1(ft, offset, base)  LDSTFPR(OP_LDC1, FPR(ft), offset, GPR(base))
+#define SDC1(ft, offset, base)  LDSTFPR(OP_SDC1, FPR(ft), offset, GPR(base))
 #define LDXC1(fd, index, base)                                          \
-    do { count_fpu(); EMIT(R_FORMAT(OP_COP1X, base, index, 0, fd, COP1X_LDXC1), \
+    do { count_fpu(); EMIT(X_FORMAT(OP_COP1X, GPR(base), GPR(index), FPR(F0), FPR(fd), COP1X_LDXC1), \
                            "ldxc1 %s, %s(%s)", fpn(fd), gpn(index), gpn(base)); } while (0)
 #define SDXC1(fs, index, base)                                          \
-    do { count_fpu(); EMIT(R_FORMAT(OP_COP1X, base, index, fs, 0, COP1X_SDXC1), \
+    do { count_fpu(); EMIT(X_FORMAT(OP_COP1X, GPR(base), GPR(index), FPR(fs), FPR(F0), COP1X_SDXC1), \
                            "sdxc1 %s, %s(%s)", fpn(fs), gpn(index), gpn(base)); } while (0)
 
 #define C_EQ_D(fs, ft)          C_COND_FMT(COND_EQ, FMT_D, fs, ft)
diff --git a/js/src/nanojit/NativeX64.cpp b/js/src/nanojit/NativeX64.cpp
index 04a72a23b71..18e6ba1321a 100644
--- a/js/src/nanojit/NativeX64.cpp
+++ b/js/src/nanojit/NativeX64.cpp
@@ -2025,6 +2025,7 @@ namespace nanojit
             next = patch+6;
         } else if ((patch[0] == 0xFF) && (patch[1] == 0x25)) {
             // jmp 64bit target
+            // This uses RIP-relative addressing, the 4 bytes after FF 25 is an offset of 0.
             next = patch+6;
             ((int64_t*)next)[0] = int64_t(target);
             return;
diff --git a/js/src/nanojit/nanojit.h b/js/src/nanojit/nanojit.h
index ec5acae47cd..f0c06f0058e 100644
--- a/js/src/nanojit/nanojit.h
+++ b/js/src/nanojit/nanojit.h
@@ -41,6 +41,7 @@
 #define __nanojit_h__
 
 #include "avmplus.h"
+#include "njcpudetect.h"
 
 #ifdef FEATURE_NANOJIT
 
@@ -196,14 +197,14 @@ namespace nanojit
     # pragma intrinsic(_BitScanReverse)
 
     // Returns the index of the most significant bit that is set.
-    static inline int msbSet32(uint32_t x) {
+    static inline unsigned msbSet32(uint32_t x) {
         unsigned long idx;
         _BitScanReverse(&idx, (unsigned long)(x | 1)); // the '| 1' ensures a 0 result when x==0
         return idx;
     }
 
     // Returns the index of the least significant bit that is set.
-    static inline int lsbSet32(uint32_t x) {
+    static inline unsigned lsbSet32(uint32_t x) {
         unsigned long idx;
         _BitScanForward(&idx, (unsigned long)(x | 0x80000000)); // the '| 0x80000000' ensures a 0 result when x==0
         return idx;
@@ -216,25 +217,25 @@ namespace nanojit
     # pragma intrinsic(_BitScanReverse64)
 
     // Returns the index of the most significant bit that is set.
-    static inline int msbSet64(uint64_t x) {
+    static inline unsigned msbSet64(uint64_t x) {
         unsigned long idx;
         _BitScanReverse64(&idx, (unsigned __int64)(x | 1)); // the '| 1' ensures a 0 result when x==0
         return idx;
     }
 
     // Returns the index of the least significant bit that is set.
-    static inline int lsbSet64(uint64_t x) {
+    static inline unsigned lsbSet64(uint64_t x) {
         unsigned long idx;
         _BitScanForward64(&idx, (unsigned __int64)(x | 0x8000000000000000LL)); // the '| 0x80000000' ensures a 0 result when x==0
         return idx;
     }
 #else
     // Returns the index of the most significant bit that is set.
-    static int msbSet64(uint64_t x) {
+    static unsigned msbSet64(uint64_t x) {
         return (x & 0xffffffff00000000LL) ? msbSet32(uint32_t(x >> 32)) + 32 : msbSet32(uint32_t(x));
     }
     // Returns the index of the least significant bit that is set.
-    static int lsbSet64(uint64_t x) {
+    static unsigned lsbSet64(uint64_t x) {
         return (x & 0x00000000ffffffffLL) ? lsbSet32(uint32_t(x)) : lsbSet32(uint32_t(x >> 32)) + 32;
     }
 #endif
@@ -242,29 +243,29 @@ namespace nanojit
 #elif (__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)
 
     // Returns the index of the most significant bit that is set.
-    static inline int msbSet32(uint32_t x) {
+    static inline unsigned msbSet32(uint32_t x) {
         return 31 - __builtin_clz(x | 1);
     }
 
     // Returns the index of the least significant bit that is set.
-    static inline int lsbSet32(uint32_t x) {
+    static inline unsigned lsbSet32(uint32_t x) {
         return __builtin_ctz(x | 0x80000000);
     }
 
     // Returns the index of the most significant bit that is set.
-    static inline int msbSet64(uint64_t x) {
+    static inline unsigned msbSet64(uint64_t x) {
         return 63 - __builtin_clzll(x | 1);
     }
 
     // Returns the index of the least significant bit that is set.
-    static inline int lsbSet64(uint64_t x) {
+    static inline unsigned lsbSet64(uint64_t x) {
         return __builtin_ctzll(x | 0x8000000000000000LL);
     }
 
 #else
 
     // Slow fall-back: return most significant bit set by searching iteratively.
-    static int msbSet32(uint32_t x) {
+    static unsigned msbSet32(uint32_t x) {
         for (int i = 31; i >= 0; i--)
             if ((1 << i) & x)
                 return i;
@@ -272,7 +273,7 @@ namespace nanojit
     }
 
     // Slow fall-back: return least significant bit set by searching iteratively.
-    static int lsbSet32(uint32_t x) {
+    static unsigned lsbSet32(uint32_t x) {
         for (int i = 0; i < 32; i++)
             if ((1 << i) & x)
                 return i;
@@ -280,7 +281,7 @@ namespace nanojit
     }
 
     // Slow fall-back: return most significant bit set by searching iteratively.
-    static int msbSet64(uint64_t x) {
+    static unsigned msbSet64(uint64_t x) {
         for (int i = 63; i >= 0; i--)
             if ((1LL << i) & x)
                 return i;
@@ -288,7 +289,7 @@ namespace nanojit
     }
 
     // Slow fall-back: return least significant bit set by searching iteratively.
-    static int lsbSet64(uint64_t x) {
+    static unsigned lsbSet64(uint64_t x) {
         for (int i = 0; i < 64; i++)
             if ((1LL << i) & x)
                 return i;
diff --git a/js/src/nanojit/njconfig.cpp b/js/src/nanojit/njconfig.cpp
index 54ab9428f28..19b26efcb42 100644
--- a/js/src/nanojit/njconfig.cpp
+++ b/js/src/nanojit/njconfig.cpp
@@ -96,7 +96,7 @@ namespace nanojit
         harden_nop_insertion = false;
 
 #if defined(NANOJIT_ARM)
-        NanoStaticAssert(NJ_COMPILER_ARM_ARCH >= 5 && NJ_COMPILER_ARM_ARCH <= 7);
+        NanoStaticAssert(NJ_COMPILER_ARM_ARCH >= 4 && NJ_COMPILER_ARM_ARCH <= 7);
         arm_arch = NJ_COMPILER_ARM_ARCH;
         arm_vfp = (arm_arch >= 7);
 
diff --git a/js/src/xpconnect/src/Makefile.in b/js/src/xpconnect/src/Makefile.in
index 8a7adaddd93..4118e03265b 100644
--- a/js/src/xpconnect/src/Makefile.in
+++ b/js/src/xpconnect/src/Makefile.in
@@ -46,17 +46,8 @@ include $(DEPTH)/config/autoconf.mk
 
 MODULE		= xpconnect
 
-ifeq (xpconnect, $(findstring xpconnect, $(BUILD_MODULES)))
-LIBRARY_NAME	= xpconnect
-EXPORT_LIBRARY = 1
-SHORT_LIBNAME	= xpconect
-IS_COMPONENT	= 1
-MODULE_NAME	= xpconnect
-GRE_MODULE	= 1
-else
 LIBRARY_NAME    = xpconnect_s
 FORCE_STATIC_LIB = 1
-endif
 LIBXUL_LIBRARY = 1
 EXPORTS = xpcpublic.h
 
diff --git a/layout/base/nsPresShell.cpp b/layout/base/nsPresShell.cpp
index bf48c436d71..4d22b44f078 100644
--- a/layout/base/nsPresShell.cpp
+++ b/layout/base/nsPresShell.cpp
@@ -4813,16 +4813,6 @@ PresShell::FlushPendingNotifications(mozFlushType aType)
       if (rootPresContext) {
         rootPresContext->UpdatePluginGeometry();
       }
-#ifdef DEBUG
-      if (!mIsDestroying) {
-        nsIView* rootView = mViewManager->GetRootView();
-        if (rootView) {
-          nsRect bounds = rootView->GetBounds();
-          NS_ASSERTION(bounds.Size() == mPresContext->GetVisibleArea().Size(),
-                       "root view / pres context visible size mismatch");
-        }
-      }
-#endif
     }
 
     PRUint32 updateFlags = NS_VMREFRESH_NO_SYNC;
@@ -6092,21 +6082,6 @@ PresShell::ProcessSynthMouseMoveEvent(PRBool aFromScroll)
   }
 }
 
-static void DrawThebesLayer(ThebesLayer* aLayer,
-                            gfxContext* aContext,
-                            const nsIntRegion& aRegionToDraw,
-                            const nsIntRegion& aRegionToInvalidate,
-                            void* aCallbackData)
-{
-  PaintParams* params = static_cast<PaintParams*>(aCallbackData);
-  aContext->NewPath();
-  aContext->SetColor(gfxRGBA(params->mBackgroundColor));
-  nsIntRect dirtyRect = aRegionToDraw.GetBounds();
-  aContext->Rectangle(
-    gfxRect(dirtyRect.x, dirtyRect.y, dirtyRect.width, dirtyRect.height));
-  aContext->Fill();
-}
-
 NS_IMETHODIMP
 PresShell::Paint(nsIView*           aViewToPaint,
                  nsIWidget*         aWidgetToPaint,
@@ -6153,11 +6128,9 @@ PresShell::Paint(nsIView*           aViewToPaint,
       if (layerManager->EndEmptyTransaction()) {
         frame->UpdatePaintCountForPaintedPresShells();
         presContext->NotifyDidPaintForSubtree();
-        
         return NS_OK;
       }
     }
-    
 
     frame->RemoveStateBits(NS_FRAME_UPDATE_LAYER_TREE);
   }
@@ -6187,14 +6160,17 @@ PresShell::Paint(nsIView*           aViewToPaint,
     return NS_OK;
   }
 
-  nsRefPtr<ThebesLayer> root = layerManager->CreateThebesLayer();
+  nsRefPtr<ColorLayer> root = layerManager->CreateColorLayer();
   if (root) {
-    root->SetVisibleRegion(aIntDirtyRegion);
+    nsPresContext* pc = GetPresContext();
+    nsIntRect bounds =
+      pc->GetVisibleArea().ToOutsidePixels(pc->AppUnitsPerDevPixel());
+    bgcolor = NS_ComposeColors(bgcolor, mCanvasBackgroundColor);
+    root->SetColor(bgcolor);
+    root->SetVisibleRegion(bounds);
     layerManager->SetRoot(root);
   }
-  bgcolor = NS_ComposeColors(bgcolor, mCanvasBackgroundColor);
-  PaintParams params = { bgcolor };
-  layerManager->EndTransaction(DrawThebesLayer, &params);
+  layerManager->EndTransaction(NULL, NULL);
 
   presContext->NotifyDidPaintForSubtree();
   return NS_OK;
diff --git a/layout/build/nsLayoutStatics.cpp b/layout/build/nsLayoutStatics.cpp
index 81e758730e7..04d3a2c2915 100644
--- a/layout/build/nsLayoutStatics.cpp
+++ b/layout/build/nsLayoutStatics.cpp
@@ -122,6 +122,7 @@
 #include "nsRefreshDriver.h"
 
 #include "nsHyphenationManager.h"
+#include "nsEditorSpellCheck.h"
 #include "nsDOMMemoryReporter.h"
 
 extern void NS_ShutdownChainItemPool();
@@ -358,4 +359,5 @@ nsLayoutStatics::Shutdown()
   nsLayoutUtils::Shutdown();
 
   nsHyphenationManager::Shutdown();
+  nsEditorSpellCheck::ShutDown();
 }
diff --git a/layout/forms/nsProgressFrame.cpp b/layout/forms/nsProgressFrame.cpp
index b8f5d64a18d..14df34d131b 100644
--- a/layout/forms/nsProgressFrame.cpp
+++ b/layout/forms/nsProgressFrame.cpp
@@ -249,6 +249,7 @@ nsProgressFrame::AttributeChanged(PRInt32  aNameSpaceID,
     NS_ASSERTION(barFrame, "The progress frame should have a child with a frame!");
     PresContext()->PresShell()->FrameNeedsReflow(barFrame, nsIPresShell::eResize,
                                                  NS_FRAME_IS_DIRTY);
+    Invalidate(GetVisualOverflowRectRelativeToSelf());
   }
 
   return nsHTMLContainerFrame::AttributeChanged(aNameSpaceID, aAttribute,
@@ -278,6 +279,28 @@ nsProgressFrame::ComputeAutoSize(nsRenderingContext *aRenderingContext,
   return autoSize;
 }
 
+nscoord
+nsProgressFrame::GetMinWidth(nsRenderingContext *aRenderingContext)
+{
+  nsRefPtr<nsFontMetrics> fontMet;
+  NS_ENSURE_SUCCESS(
+      nsLayoutUtils::GetFontMetricsForFrame(this, getter_AddRefs(fontMet)), 0);
+
+  nscoord minWidth = fontMet->Font().size; // 1em
+
+  if (GetStyleDisplay()->mOrient == NS_STYLE_ORIENT_HORIZONTAL) {
+    minWidth *= 10; // 10em
+  }
+
+  return minWidth;
+}
+
+nscoord
+nsProgressFrame::GetPrefWidth(nsRenderingContext *aRenderingContext)
+{
+  return GetMinWidth(aRenderingContext);
+}
+
 bool
 nsProgressFrame::ShouldUseNativeStyle() const
 {
diff --git a/layout/forms/nsProgressFrame.h b/layout/forms/nsProgressFrame.h
index 24c0577c9e0..40ee2ba4dd6 100644
--- a/layout/forms/nsProgressFrame.h
+++ b/layout/forms/nsProgressFrame.h
@@ -84,6 +84,9 @@ public:
                                  nsSize aMargin, nsSize aBorder,
                                  nsSize aPadding, PRBool aShrinkWrap);
 
+  virtual nscoord GetMinWidth(nsRenderingContext *aRenderingContext);
+  virtual nscoord GetPrefWidth(nsRenderingContext *aRenderingContext);
+
   virtual PRBool IsFrameOfType(PRUint32 aFlags) const
   {
     return nsHTMLContainerFrame::IsFrameOfType(aFlags &
diff --git a/layout/generic/nsImageFrame.cpp b/layout/generic/nsImageFrame.cpp
index dd6715bfaa5..48e2a82dfd8 100644
--- a/layout/generic/nsImageFrame.cpp
+++ b/layout/generic/nsImageFrame.cpp
@@ -548,10 +548,10 @@ nsImageFrame::OnStartContainer(imgIRequest *aRequest, imgIContainer *aImage)
     return NS_OK;
   }
   
-  UpdateIntrinsicSize(aImage);
-  UpdateIntrinsicRatio(aImage);
+  PRBool intrinsicSizeChanged = UpdateIntrinsicSize(aImage);
+  intrinsicSizeChanged = UpdateIntrinsicRatio(aImage) || intrinsicSizeChanged;
 
-  if (mState & IMAGE_GOTINITIALREFLOW) {
+  if (intrinsicSizeChanged && (mState & IMAGE_GOTINITIALREFLOW)) {
     // Now we need to reflow if we have an unconstrained size and have
     // already gotten the initial reflow
     if (!(mState & IMAGE_SIZECONSTRAINED)) { 
diff --git a/layout/reftests/border-image/side-scaling-1h-ref.html b/layout/reftests/border-image/side-scaling-1h-ref.html
index 3bf2b64e0d3..d700ca8e042 100644
--- a/layout/reftests/border-image/side-scaling-1h-ref.html
+++ b/layout/reftests/border-image/side-scaling-1h-ref.html
@@ -1,6 +1,6 @@
 <!doctype html>
 <html><head>
-<title>border-image: repeat with zero-height top and bottom
+<title>border-image: repeat with zero-height top and bottom</title>
 <style>
 span {
   display: inline-block;
diff --git a/layout/reftests/border-image/side-scaling-1h.html b/layout/reftests/border-image/side-scaling-1h.html
index 453ab9b7fab..5f4b49f15f3 100644
--- a/layout/reftests/border-image/side-scaling-1h.html
+++ b/layout/reftests/border-image/side-scaling-1h.html
@@ -1,6 +1,6 @@
 <!doctype html>
 <html><head>
-<title>border-image: repeat with zero-height top and bottom
+<title>border-image: repeat with zero-height top and bottom</title>
 <style>
 span {
   display: inline-block;
diff --git a/layout/reftests/border-image/side-scaling-1v-ref.html b/layout/reftests/border-image/side-scaling-1v-ref.html
index 577be6e7af6..65c4d261736 100644
--- a/layout/reftests/border-image/side-scaling-1v-ref.html
+++ b/layout/reftests/border-image/side-scaling-1v-ref.html
@@ -1,6 +1,6 @@
 <!doctype html>
 <html><head>
-<title>border-image: repeat with zero-width left and right
+<title>border-image: repeat with zero-width left and right</title>
 <style>
 span {
   display: inline-block;
diff --git a/layout/reftests/border-image/side-scaling-1v.html b/layout/reftests/border-image/side-scaling-1v.html
index 79e9b3737f8..15c3bcfcf62 100644
--- a/layout/reftests/border-image/side-scaling-1v.html
+++ b/layout/reftests/border-image/side-scaling-1v.html
@@ -1,6 +1,6 @@
 <!doctype html>
 <html><head>
-<title>border-image: repeat with zero-width left and right
+<title>border-image: repeat with zero-width left and right</title>
 <style>
 span {
   display: inline-block;
diff --git a/layout/reftests/forms/progress/block-invalidate-ref.html b/layout/reftests/forms/progress/block-invalidate-ref.html
new file mode 100644
index 00000000000..c06092f7251
--- /dev/null
+++ b/layout/reftests/forms/progress/block-invalidate-ref.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+  <link rel='stylesheet' type='text/css' href='style.css'>
+  <style>
+    progress { display: block; }
+  </style>
+  <body>
+    <progress value='0.5'></progress>
+  </body>
+</html>
diff --git a/layout/reftests/forms/progress/block-invalidate.html b/layout/reftests/forms/progress/block-invalidate.html
new file mode 100644
index 00000000000..47ba03bdac1
--- /dev/null
+++ b/layout/reftests/forms/progress/block-invalidate.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html class='reftest-wait'>
+  <link rel='stylesheet' type='text/css' href='style.css'>
+  <style>
+    progress { display: block; }
+  </style>
+  <script>
+    function loadHandler() {
+      setTimeout(function() {
+        var p = document.getElementsByTagName('progress')[0];
+        p.value = '0.5';
+        document.documentElement.className = '';
+      }, 0);
+    }
+  </script>
+  <body onload="loadHandler();">
+    <progress value='0'></progress>
+  </body>
+</html>
diff --git a/layout/reftests/forms/progress/in-cells-ref.html b/layout/reftests/forms/progress/in-cells-ref.html
new file mode 100644
index 00000000000..5dac7b0fda2
--- /dev/null
+++ b/layout/reftests/forms/progress/in-cells-ref.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+  <link rel='stylesheet' type='text/css' href='style.css'>
+  <style>
+    progress { width: 10em; height: 1em; }
+    progress.vertical { -moz-orient: vertical; width: 1em; height: 10em; }
+  </style>
+  <body>
+    <table>
+      <tr>
+        <td>foo</td>
+        <td><progress value='0.5'></td>
+        <td>bar</td>
+      </tr>
+      <tr>
+        <td>foo</td>
+        <td><progress class='vertical' value='0.5'></td>
+        <td>bar</td>
+      </tr>
+    </table>
+  </body>
+</html>
diff --git a/layout/reftests/forms/progress/in-cells.html b/layout/reftests/forms/progress/in-cells.html
new file mode 100644
index 00000000000..acfad3c6a44
--- /dev/null
+++ b/layout/reftests/forms/progress/in-cells.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+  <link rel='stylesheet' type='text/css' href='style.css'>
+  <style>
+    progress.vertical { -moz-orient: vertical; }
+  </style>
+  <body>
+    <table>
+      <tr>
+        <td>foo</td>
+        <td><progress value='0.5'></td>
+        <td>bar</td>
+      </tr>
+      <tr>
+        <td>foo</td>
+        <td><progress class='vertical' value='0.5'></td>
+        <td>bar</td>
+      </tr>
+    </table>
+  </body>
+</html>
diff --git a/layout/reftests/forms/progress/reftest.list b/layout/reftests/forms/progress/reftest.list
index 76ea026338c..75644cfc039 100644
--- a/layout/reftests/forms/progress/reftest.list
+++ b/layout/reftests/forms/progress/reftest.list
@@ -19,3 +19,7 @@
 # transformations will not behave exactly the same for <progress> and two divs.
 # However, it would be possible to manually check those.
 # == transformations.html transformations-ref.html
+
+# Tests for bugs:
+== block-invalidate.html block-invalidate-ref.html
+== in-cells.html in-cells-ref.html
diff --git a/layout/style/Declaration.cpp b/layout/style/Declaration.cpp
index 291db23e307..c52eb2d7dbc 100644
--- a/layout/style/Declaration.cpp
+++ b/layout/style/Declaration.cpp
@@ -769,6 +769,15 @@ Declaration::GetValue(nsCSSProperty aProperty, nsAString& aValue) const
         AppendValueToString(eCSSProperty_marker_end, aValue);
       break;
     }
+    case eCSSProperty__moz_columns: {
+      // Two values, column-count and column-width, separated by a space.
+      const nsCSSProperty* subprops =
+        nsCSSProps::SubpropertyEntryFor(aProperty);
+      AppendValueToString(subprops[0], aValue);
+      aValue.Append(PRUnichar(' '));
+      AppendValueToString(subprops[1], aValue);
+      break;
+    }
     default:
       NS_ABORT_IF_FALSE(false, "no other shorthands");
       break;
diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index 1dd924e35a6..f72950e63e8 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -492,6 +492,7 @@ protected:
 
   // for 'clip' and '-moz-image-region'
   PRBool ParseRect(nsCSSProperty aPropID);
+  PRBool ParseColumns();
   PRBool ParseContent();
   PRBool ParseCounterData(nsCSSProperty aPropID);
   PRBool ParseCursor();
@@ -5492,6 +5493,8 @@ CSSParserImpl::ParsePropertyByFunction(nsCSSProperty aPropID)
 
   case eCSSProperty_clip:
     return ParseRect(eCSSProperty_clip);
+  case eCSSProperty__moz_columns:
+    return ParseColumns();
   case eCSSProperty__moz_column_rule:
     return ParseBorderSide(kColumnRuleIDs, PR_FALSE);
   case eCSSProperty_content:
@@ -5587,6 +5590,10 @@ CSSParserImpl::ParseSingleValueProperty(nsCSSValue& aValue,
     return ParseVariant(aValue, VARIANT_NONE | VARIANT_INHERIT, nsnull);
   }
 
+  if (aPropID == eCSSPropertyExtra_x_auto_value) {
+    return ParseVariant(aValue, VARIANT_AUTO | VARIANT_INHERIT, nsnull);
+  }
+
   if (aPropID < 0 || aPropID >= eCSSProperty_COUNT_no_shorthands) {
     NS_ABORT_IF_FALSE(PR_FALSE, "not a single value property");
     return PR_FALSE;
@@ -6846,6 +6853,48 @@ CSSParserImpl::ParseRect(nsCSSProperty aPropID)
   return PR_TRUE;
 }
 
+PRBool
+CSSParserImpl::ParseColumns()
+{
+  // We use a similar "fake value" hack to ParseListStyle, because
+  // "auto" is acceptable for both column-count and column-width.
+  // If the fake "auto" value is found, and one of the real values isn't,
+  // that means the fake auto value is meant for the real value we didn't
+  // find.
+  static const nsCSSProperty columnIDs[] = {
+    eCSSPropertyExtra_x_auto_value,
+    eCSSProperty__moz_column_count,
+    eCSSProperty__moz_column_width
+  };
+  const PRInt32 numProps = NS_ARRAY_LENGTH(columnIDs);
+
+  nsCSSValue values[numProps];
+  PRInt32 found = ParseChoice(values, columnIDs, numProps);
+  if (found < 1 || !ExpectEndProperty()) {
+    return PR_FALSE;
+  }
+  if ((found & (1|2|4)) == (1|2|4) &&
+      values[0].GetUnit() ==  eCSSUnit_Auto) {
+    // We filled all 3 values, which is invalid
+    return PR_FALSE;
+  }
+
+  if ((found & 2) == 0) {
+    // Provide auto column-count
+    values[1].SetAutoValue();
+  }
+  if ((found & 4) == 0) {
+    // Provide auto column-width
+    values[2].SetAutoValue();
+  }
+
+  // Start at index 1 to skip the fake auto value.
+  for (PRInt32 index = 1; index < numProps; index++) {
+    AppendValue(columnIDs[index], values[index]);
+  }
+  return PR_TRUE;
+}
+
 #define VARIANT_CONTENT (VARIANT_STRING | VARIANT_URL | VARIANT_COUNTER | VARIANT_ATTR | \
                          VARIANT_KEYWORD)
 PRBool
diff --git a/layout/style/nsCSSPropList.h b/layout/style/nsCSSPropList.h
index bdd1bce579c..7f538c5a7d3 100644
--- a/layout/style/nsCSSPropList.h
+++ b/layout/style/nsCSSPropList.h
@@ -1239,6 +1239,11 @@ CSS_PROP_COLOR(
     nsnull,
     offsetof(nsStyleColor, mColor),
     eStyleAnimType_Color)
+CSS_PROP_SHORTHAND(
+    -moz-columns,
+    _moz_columns,
+    CSS_PROP_DOMPROP_PREFIXED(Columns),
+    CSS_PROPERTY_PARSE_FUNCTION)
 CSS_PROP_COLUMN(
     -moz-column-count,
     _moz_column_count,
diff --git a/layout/style/nsCSSProperty.h b/layout/style/nsCSSProperty.h
index be09eadaf80..043d8ff9de7 100644
--- a/layout/style/nsCSSProperty.h
+++ b/layout/style/nsCSSProperty.h
@@ -76,7 +76,8 @@ enum nsCSSProperty {
   eCSSPropertyExtra_all_properties,
 
   // Extra dummy values for nsCSSParser internal use.
-  eCSSPropertyExtra_x_none_value
+  eCSSPropertyExtra_x_none_value,
+  eCSSPropertyExtra_x_auto_value
 };
 
 // The "descriptors" that can appear in a @font-face rule.
diff --git a/layout/style/nsCSSProps.cpp b/layout/style/nsCSSProps.cpp
index 2116bf2479a..7a1df69f496 100644
--- a/layout/style/nsCSSProps.cpp
+++ b/layout/style/nsCSSProps.cpp
@@ -1968,6 +1968,12 @@ static const nsCSSProperty gOutlineSubpropTable[] = {
   eCSSProperty_UNKNOWN
 };
 
+static const nsCSSProperty gColumnsSubpropTable[] = {
+  eCSSProperty__moz_column_count,
+  eCSSProperty__moz_column_width,
+  eCSSProperty_UNKNOWN
+};
+
 static const nsCSSProperty gColumnRuleSubpropTable[] = {
   // nsCSSDeclaration.cpp outputs the subproperties in this order.
   // It also depends on the color being third.
diff --git a/layout/style/nsFontFaceLoader.cpp b/layout/style/nsFontFaceLoader.cpp
index 4ccb8c24a1a..f62609f2638 100644
--- a/layout/style/nsFontFaceLoader.cpp
+++ b/layout/style/nsFontFaceLoader.cpp
@@ -137,11 +137,10 @@ nsFontFaceLoader::LoadTimerCallback(nsITimer *aTimer, void *aClosure)
   // we allow another timeout period before showing a fallback font.
   if (pe->mLoadingState == gfxProxyFontEntry::LOADING_STARTED) {
     PRInt32 contentLength;
-    loader->mChannel->GetContentLength(&contentLength);
     PRUint32 numBytesRead;
-    loader->mStreamLoader->GetNumBytesRead(&numBytesRead);
-
-    if (contentLength > 0 &&
+    if (NS_SUCCEEDED(loader->mChannel->GetContentLength(&contentLength)) &&
+        contentLength > 0 &&
+        NS_SUCCEEDED(loader->mStreamLoader->GetNumBytesRead(&numBytesRead)) &&
         numBytesRead > 3 * (PRUint32(contentLength) >> 2))
     {
       // More than 3/4 the data has been downloaded, so allow 50% extra
diff --git a/layout/style/nsRuleNode.h b/layout/style/nsRuleNode.h
index f62a88af93e..ca1a04d154b 100644
--- a/layout/style/nsRuleNode.h
+++ b/layout/style/nsRuleNode.h
@@ -744,6 +744,10 @@ public:
     NS_ASSERTION(IsRoot(), "should only be called on root of rule tree");
     return HaveChildren() || mStyleData.mInheritedData || mStyleData.mResetData;
   }
+
+  PRBool NodeHasCachedData(const nsStyleStructID aSID) {
+    return !!mStyleData.GetStyleData(aSID);
+  }
 };
 
 #endif
diff --git a/layout/style/nsStyleAnimation.cpp b/layout/style/nsStyleAnimation.cpp
index a49740ee440..89081e29aab 100644
--- a/layout/style/nsStyleAnimation.cpp
+++ b/layout/style/nsStyleAnimation.cpp
@@ -1926,65 +1926,13 @@ LookupStyleContext(dom::Element* aElement)
   return nsComputedDOMStyle::GetStyleContextForElement(aElement, nsnull, shell);
 }
 
-
-/**
- * Helper function: StyleWithDeclarationAdded
- * Creates a nsStyleRule with the specified property set to the specified
- * value, and returns a nsStyleContext for this rule, as a sibling of the
- * given element's nsStyleContext.
- *
- * If we fail to parse |aSpecifiedValue| for |aProperty|, this method will
- * return nsnull.
- *
- * @param aProperty       The property whose value we're customizing in the
- *                        custom style context.
- * @param aTargetElement  The element whose style context we'll use as a
- *                        sibling for our custom style context.
- * @param aSpecifiedValue The value for |aProperty| in our custom style
- *                        context.
- * @param aUseSVGMode     A flag to indicate whether we should parse
- *                        |aSpecifiedValue| in SVG mode.
- * @return The generated custom nsStyleContext, or nsnull on failure.
- */
-already_AddRefed<nsStyleContext>
-StyleWithDeclarationAdded(nsCSSProperty aProperty,
-                          dom::Element* aTargetElement,
-                          const nsAString& aSpecifiedValue,
-                          PRBool aUseSVGMode)
-{
-  NS_ABORT_IF_FALSE(aTargetElement, "null target element");
-  NS_ABORT_IF_FALSE(aTargetElement->GetCurrentDoc(),
-                    "element needs to be in a document "
-                    "if we're going to look up its style context");
-
-  // Look up style context for our target element
-  nsRefPtr<nsStyleContext> styleContext = LookupStyleContext(aTargetElement);
-  if (!styleContext) {
-    return nsnull;
-  }
-
-  // Parse specified value into a temporary StyleRule
-  nsRefPtr<css::StyleRule> styleRule =
-    BuildStyleRule(aProperty, aTargetElement, aSpecifiedValue, aUseSVGMode);
-  if (!styleRule) {
-    return nsnull;
-  }
-
-  styleRule->RuleMatched();
-
-  // Create a temporary nsStyleContext for the style rule
-  nsCOMArray<nsIStyleRule> ruleArray;
-  ruleArray.AppendObject(styleRule);
-  nsStyleSet* styleSet = styleContext->PresContext()->StyleSet();
-  return styleSet->ResolveStyleByAddingRules(styleContext, ruleArray);
-}
-
 PRBool
 nsStyleAnimation::ComputeValue(nsCSSProperty aProperty,
                                dom::Element* aTargetElement,
                                const nsAString& aSpecifiedValue,
                                PRBool aUseSVGMode,
-                               Value& aComputedValue)
+                               Value& aComputedValue,
+                               PRBool* aIsContextSensitive)
 {
   NS_ABORT_IF_FALSE(aTargetElement, "null target element");
   NS_ABORT_IF_FALSE(aTargetElement->GetCurrentDoc(),
@@ -1995,19 +1943,72 @@ nsStyleAnimation::ComputeValue(nsCSSProperty aProperty,
     nsCSSProps::PropHasFlags(aProperty, CSS_PROPERTY_REPORT_OTHER_NAME)
       ? nsCSSProps::OtherNameFor(aProperty) : aProperty;
 
-  nsRefPtr<nsStyleContext> tmpStyleContext =
-    StyleWithDeclarationAdded(propToParse, aTargetElement,
-                              aSpecifiedValue, aUseSVGMode);
-  if (!tmpStyleContext) {
+  // Parse specified value into a temporary css::StyleRule
+  nsRefPtr<css::StyleRule> styleRule =
+    BuildStyleRule(propToParse, aTargetElement, aSpecifiedValue, aUseSVGMode);
+  if (!styleRule) {
     return PR_FALSE;
   }
 
- if (nsCSSProps::IsShorthand(aProperty) ||
-     nsCSSProps::kAnimTypeTable[aProperty] == eStyleAnimType_None) {
+  if (nsCSSProps::IsShorthand(aProperty) ||
+      nsCSSProps::kAnimTypeTable[aProperty] == eStyleAnimType_None) {
     // Just capture the specified value
     aComputedValue.SetUnparsedStringValue(nsString(aSpecifiedValue));
+    if (aIsContextSensitive) {
+      // Since we're just returning the string as-is, aComputedValue isn't going
+      // to change depending on the context
+      *aIsContextSensitive = PR_FALSE;
+    }
     return PR_TRUE;
   }
+
+  // Look up style context for our target element
+  nsRefPtr<nsStyleContext> styleContext = LookupStyleContext(aTargetElement);
+  if (!styleContext) {
+    return PR_FALSE;
+  }
+  nsStyleSet* styleSet = styleContext->PresContext()->StyleSet();
+
+  nsRefPtr<nsStyleContext> tmpStyleContext;
+  if (aIsContextSensitive) {
+    nsCOMArray<nsIStyleRule> ruleArray;
+    ruleArray.AppendObject(styleSet->InitialStyleRule());
+    ruleArray.AppendObject(styleRule);
+    styleRule->RuleMatched();
+    tmpStyleContext =
+      styleSet->ResolveStyleByAddingRules(styleContext, ruleArray);
+    if (!tmpStyleContext) {
+      return PR_FALSE;
+    }
+
+    // Force walk of rule tree
+    nsStyleStructID sid = nsCSSProps::kSIDTable[aProperty];
+    tmpStyleContext->GetStyleData(sid);
+
+    // If the rule node will have cached style data if the value is not
+    // context-sensitive. So if there's nothing cached, it's not context
+    // sensitive.
+    *aIsContextSensitive =
+      !tmpStyleContext->GetRuleNode()->NodeHasCachedData(sid);
+  }
+
+  // If we're not concerned whether the property is context sensitive then just
+  // add the rule to a new temporary style context alongside the target
+  // element's style context.
+  // Also, if we previously discovered that this property IS context-sensitive
+  // then we need to throw the temporary style context out since the property's
+  // value may have been biased by the 'initial' values supplied.
+  if (!aIsContextSensitive || *aIsContextSensitive) {
+    nsCOMArray<nsIStyleRule> ruleArray;
+    ruleArray.AppendObject(styleRule);
+    styleRule->RuleMatched();
+    tmpStyleContext =
+      styleSet->ResolveStyleByAddingRules(styleContext, ruleArray);
+    if (!tmpStyleContext) {
+      return PR_FALSE;
+    }
+  }
+
   // Extract computed value of our property from the temporary style rule
   return ExtractComputedValue(aProperty, tmpStyleContext, aComputedValue);
 }
diff --git a/layout/style/nsStyleAnimation.h b/layout/style/nsStyleAnimation.h
index e05f482b34a..a09b254d268 100644
--- a/layout/style/nsStyleAnimation.h
+++ b/layout/style/nsStyleAnimation.h
@@ -175,13 +175,22 @@ public:
    * @param aUseSVGMode     A flag to indicate whether we should parse
    *                        |aSpecifiedValue| in SVG mode.
    * @param [out] aComputedValue The resulting computed value.
+   * @param [out] aIsContextSensitive
+   *                        Set to PR_TRUE if |aSpecifiedValue| may produce
+   *                        a different |aComputedValue| depending on other CSS
+   *                        properties on |aTargetElement| or its ancestors.
+   *                        PR_FALSE otherwise.
+   *                        Note that the operation of this method is
+   *                        significantly faster when |aIsContextSensitive| is
+   *                        nsnull.
    * @return PR_TRUE on success, PR_FALSE on failure.
    */
   static PRBool ComputeValue(nsCSSProperty aProperty,
-                             mozilla::dom::Element* aElement,
+                             mozilla::dom::Element* aTargetElement,
                              const nsAString& aSpecifiedValue,
                              PRBool aUseSVGMode,
-                             Value& aComputedValue);
+                             Value& aComputedValue,
+                             PRBool* aIsContextSensitive = nsnull);
 
   /**
    * Creates a specified value for the given computed value.
diff --git a/layout/style/nsStyleSet.cpp b/layout/style/nsStyleSet.cpp
index d5ae1bf202c..23a9ce6391d 100644
--- a/layout/style/nsStyleSet.cpp
+++ b/layout/style/nsStyleSet.cpp
@@ -57,6 +57,7 @@
 #include "nsIContent.h"
 #include "nsIFrame.h"
 #include "nsContentUtils.h"
+#include "nsRuleData.h"
 #include "nsRuleProcessorData.h"
 #include "nsTransitionManager.h"
 #include "nsAnimationManager.h"
@@ -80,6 +81,50 @@ nsEmptyStyleRule::List(FILE* out, PRInt32 aIndent) const
 }
 #endif
 
+NS_IMPL_ISUPPORTS1(nsInitialStyleRule, nsIStyleRule)
+
+/* virtual */ void
+nsInitialStyleRule::MapRuleInfoInto(nsRuleData* aRuleData)
+{
+  // Iterate over the property groups
+  for (nsStyleStructID sid = nsStyleStructID(0);
+       sid < nsStyleStructID_Length; sid = nsStyleStructID(sid + 1)) {
+    if (aRuleData->mSIDs & (1 << sid)) {
+      // Iterate over nsCSSValues within the property group
+      nsCSSValue * const value_start =
+        aRuleData->mValueStorage + aRuleData->mValueOffsets[sid];
+      for (nsCSSValue *value = value_start,
+           *value_end = value + nsCSSProps::PropertyCountInStruct(sid);
+           value != value_end; ++value) {
+        // If MathML is disabled take care not to set MathML properties (or we
+        // will trigger assertions in nsRuleNode)
+        if (sid == eStyleStruct_Font &&
+            !aRuleData->mPresContext->Document()->GetMathMLEnabled()) {
+          size_t index = value - value_start;
+          if (index == nsCSSProps::PropertyIndexInStruct(
+                          eCSSProperty_script_level) ||
+              index == nsCSSProps::PropertyIndexInStruct(
+                          eCSSProperty_script_size_multiplier) ||
+              index == nsCSSProps::PropertyIndexInStruct(
+                          eCSSProperty_script_min_size)) {
+            continue;
+          }
+        }
+        if (value->GetUnit() == eCSSUnit_Null) {
+          value->SetInitialValue();
+        }
+      }
+    }
+  }
+}
+
+#ifdef DEBUG
+/* virtual */ void
+nsInitialStyleRule::List(FILE* out, PRInt32 aIndent) const
+{
+}
+#endif
+
 static const nsStyleSet::sheetType gCSSSheetTypes[] = {
   nsStyleSet::eAgentSheet,
   nsStyleSet::eUserSheet,
@@ -1565,3 +1610,12 @@ nsStyleSet::EnsureUniqueInnerOnCSSSheets()
   }
   return res;
 }
+
+nsIStyleRule*
+nsStyleSet::InitialStyleRule()
+{
+  if (!mInitialStyleRule) {
+    mInitialStyleRule = new nsInitialStyleRule;
+  }
+  return mInitialStyleRule;
+}
diff --git a/layout/style/nsStyleSet.h b/layout/style/nsStyleSet.h
index 030565c70a3..8ca98645756 100644
--- a/layout/style/nsStyleSet.h
+++ b/layout/style/nsStyleSet.h
@@ -74,6 +74,15 @@ class nsEmptyStyleRule : public nsIStyleRule
 #endif
 };
 
+class nsInitialStyleRule : public nsIStyleRule
+{
+  NS_DECL_ISUPPORTS
+  virtual void MapRuleInfoInto(nsRuleData* aRuleData);
+#ifdef DEBUG
+  virtual void List(FILE* out = stdout, PRInt32 aIndent = 0) const;
+#endif
+};
+
 // The style set object is created by the document viewer and ownership is
 // then handed off to the PresShell.  Only the PresShell should delete a
 // style set.
@@ -309,6 +318,8 @@ class nsStyleSet
 
   nsCSSStyleSheet::EnsureUniqueInnerResult EnsureUniqueInnerOnCSSSheets();
 
+  nsIStyleRule* InitialStyleRule();
+
  private:
   // Not to be implemented
   nsStyleSet(const nsStyleSet& aCopy);
@@ -400,6 +411,10 @@ class nsStyleSet
   // apply into different branches of the rule tree.
   nsRefPtr<nsEmptyStyleRule> mFirstLineRule, mFirstLetterRule;
 
+  // Style rule which sets all properties to their initial values for
+  // determining when context-sensitive values are in use.
+  nsRefPtr<nsInitialStyleRule> mInitialStyleRule;
+
   PRUint16 mBatching;
 
   // Old rule trees, which should only be non-empty between
diff --git a/layout/style/test/property_database.js b/layout/style/test/property_database.js
index 66ecd88ae75..2d5fcde568f 100644
--- a/layout/style/test/property_database.js
+++ b/layout/style/test/property_database.js
@@ -472,6 +472,16 @@ var gCSSProperties = {
 		other_values: [ "border-box", "padding-box" ],
 		invalid_values: [ "margin-box", "content", "padding", "border", "margin" ]
 	},
+	"-moz-columns": {
+		domProp: "MozColumns",
+		inherited: false,
+		type: CSS_TYPE_TRUE_SHORTHAND,
+		subproperties: [ "-moz-column-count", "-moz-column-width" ],
+		initial_values: [ "auto", "auto auto" ],
+		other_values: [ "3", "20px", "2 10px", "10px 2", "2 auto", "auto 2", "auto 50px", "50px auto" ],
+		invalid_values: [ "5%", "-1px", "-1", "3 5", "10px 4px", "10 2px 5in", "30px -1",
+		                  "auto 3 5px", "5 auto 20px", "auto auto auto" ]
+	},
 	"-moz-column-count": {
 		domProp: "MozColumnCount",
 		inherited: false,
diff --git a/layout/svg/base/src/nsSVGGlyphFrame.cpp b/layout/svg/base/src/nsSVGGlyphFrame.cpp
index 03896e7737d..7f00f359057 100644
--- a/layout/svg/base/src/nsSVGGlyphFrame.cpp
+++ b/layout/svg/base/src/nsSVGGlyphFrame.cpp
@@ -143,16 +143,16 @@ public:
   }
 
   /**
-   * Returns the index of the next cluster in the string that should be
-   * drawn, or -1 if there is no such cluster.
+   * Returns the index of the next cluster in the string that should be drawn,
+   * or InvalidCluster() (i.e. PRUint32(-1)) if there is no such cluster.
    */
-  PRInt32 NextCluster();
+  PRUint32 NextCluster();
 
   /**
    * Returns the length of the current cluster (usually 1, unless there
    * are combining marks)
    */
-  PRInt32 ClusterLength();
+  PRUint32 ClusterLength();
 
   /**
    * Repeated calls NextCluster until it returns aIndex (i.e. aIndex is the
@@ -160,7 +160,7 @@ public:
    * (because aIndex is before or equal to the current character, or
    * out of bounds, or not drawable).
    */
-  PRBool AdvanceToCharacter(PRInt32 aIndex);
+  PRBool AdvanceToCharacter(PRUint32 aIndex);
 
   /**
    * Resets the iterator to the beginning of the string.
@@ -170,8 +170,8 @@ public:
     // a) If there was a problem creating the iterator (mCurrentChar == -1)
     // b) If we ran off the end of the string (mCurrentChar != -1)
     // We can only reset the mInError flag in case b)
-    if (mCurrentChar != -1) {
-      mCurrentChar = -1;
+    if (mCurrentChar != InvalidCluster()) {
+      mCurrentChar = InvalidCluster();
       mInError = PR_FALSE;
     }
   }
@@ -198,6 +198,13 @@ public:
    */
   CharacterPosition GetPositionData();
 
+  /**
+   * "Invalid" cluster index returned to indicate error state
+   */
+  PRUint32 InvalidCluster() {
+    return PRUint32(-1);
+  }
+
 private:
   PRBool SetupForDirectTextRun(gfxContext *aContext, float aScale);
   void SetupFor(gfxContext *aContext, float aScale);
@@ -207,7 +214,7 @@ private:
   gfxMatrix mInitialMatrix;
   // Textrun advance width from start to mCurrentChar, in appunits
   gfxFloat mCurrentAdvance;
-  PRInt32 mCurrentChar;
+  PRUint32 mCurrentChar;
   float mDrawScale;
   float mMetricsScale;
   PRPackedBool mInError;
@@ -434,8 +441,8 @@ nsSVGGlyphFrame::GetFrameForPoint(const nsPoint &aPoint)
   // Currently we just test the character cells if GetHitTestFlags says we're
   // supposed to be testing either the fill OR the stroke:
 
-  PRInt32 i;
-  while ((i = iter.NextCluster()) >= 0) {
+  PRUint32 i;
+  while ((i = iter.NextCluster()) != iter.InvalidCluster()) {
     gfxTextRun::Metrics metrics =
     mTextRun->MeasureText(i, iter.ClusterLength(),
                           gfxFont::LOOSE_INK_EXTENTS, nsnull, nsnull);
@@ -581,8 +588,8 @@ nsSVGGlyphFrame::AddCharactersToPath(CharacterIterator *aIter,
     return;
   }
 
-  PRInt32 i;
-  while ((i = aIter->NextCluster()) >= 0) {
+  PRUint32 i;
+  while ((i = aIter->NextCluster()) != aIter->InvalidCluster()) {
     aIter->SetupForDrawing(aContext);
     mTextRun->DrawToPath(aContext, gfxPoint(0, 0), i, aIter->ClusterLength(),
                          nsnull, nsnull);
@@ -601,8 +608,8 @@ nsSVGGlyphFrame::AddBoundingBoxesToPath(CharacterIterator *aIter,
     return;
   }
 
-  PRInt32 i;
-  while ((i = aIter->NextCluster()) >= 0) {
+  PRUint32 i;
+  while ((i = aIter->NextCluster()) != aIter->InvalidCluster()) {
     aIter->SetupForMetrics(aContext);
     gfxTextRun::Metrics metrics =
       mTextRun->MeasureText(i, aIter->ClusterLength(),
@@ -621,8 +628,8 @@ nsSVGGlyphFrame::FillCharacters(CharacterIterator *aIter,
     return;
   }
 
-  PRInt32 i;
-  while ((i = aIter->NextCluster()) >= 0) {
+  PRUint32 i;
+  while ((i = aIter->NextCluster()) != aIter->InvalidCluster()) {
     aIter->SetupForDrawing(aContext);
     mTextRun->Draw(aContext, gfxPoint(0, 0), i, aIter->ClusterLength(),
                    nsnull, nsnull);
@@ -1358,11 +1365,11 @@ nsSVGGlyphFrame::GetCharNumAtPosition(nsIDOMSVGPoint *point)
   nsRefPtr<gfxContext> tmpCtx = MakeTmpCtx();
   CharacterIterator iter(this, PR_FALSE);
 
-  PRInt32 i;
+  PRUint32 i;
   PRInt32 last = -1;
   gfxPoint pt(xPos, yPos);
-  while ((i = iter.NextCluster()) >= 0) {
-    PRInt32 limit = i + iter.ClusterLength();
+  while ((i = iter.NextCluster()) != iter.InvalidCluster()) {
+    PRUint32 limit = i + iter.ClusterLength();
     gfxTextRun::Metrics metrics =
       mTextRun->MeasureText(i, limit - i, gfxFont::LOOSE_INK_EXTENTS,
                             nsnull, nsnull);
@@ -1631,8 +1638,10 @@ nsSVGGlyphFrame::EnsureTextRun(float *aDrawScale, float *aMetricsScale,
 
 CharacterIterator::CharacterIterator(nsSVGGlyphFrame *aSource,
         PRBool aForceGlobalTransform)
-  : mSource(aSource), mCurrentAdvance(0), mCurrentChar(-1),
-    mInError(PR_FALSE)
+  : mSource(aSource)
+  , mCurrentAdvance(0)
+  , mCurrentChar(PRUint32(-1))
+  , mInError(PR_FALSE)
 {
   if (!aSource->EnsureTextRun(&mDrawScale, &mMetricsScale,
                               aForceGlobalTransform) ||
@@ -1652,30 +1661,30 @@ CharacterIterator::SetupForDirectTextRun(gfxContext *aContext, float aScale)
   return PR_TRUE;
 }
 
-PRInt32
+PRUint32
 CharacterIterator::NextCluster()
 {
   if (mInError) {
 #ifdef DEBUG
-    if (mCurrentChar != -1) {
-      PRBool pastEnd = (mCurrentChar >= PRInt32(mSource->mTextRun->GetLength()));
+    if (mCurrentChar != InvalidCluster()) {
+      PRBool pastEnd = (mCurrentChar >= mSource->mTextRun->GetLength());
       NS_ABORT_IF_FALSE(pastEnd, "Past the end of CharacterIterator. Missing Reset?");
     }
 #endif
-    return -1;
+    return InvalidCluster();
   }
 
   while (PR_TRUE) {
-    if (mCurrentChar >= 0 &&
+    if (mCurrentChar != InvalidCluster() &&
         (mPositions.IsEmpty() || mPositions[mCurrentChar].draw)) {
       mCurrentAdvance +=
         mSource->mTextRun->GetAdvanceWidth(mCurrentChar, 1, nsnull);
     }
     ++mCurrentChar;
 
-    if (mCurrentChar >= PRInt32(mSource->mTextRun->GetLength())) {
+    if (mCurrentChar >= mSource->mTextRun->GetLength()) {
       mInError = PR_TRUE;
-      return -1;
+      return InvalidCluster();
     }
 
     if (mSource->mTextRun->IsClusterStart(mCurrentChar) &&
@@ -1685,14 +1694,14 @@ CharacterIterator::NextCluster()
   }
 }
 
-PRInt32
+PRUint32
 CharacterIterator::ClusterLength()
 {
   if (mInError) {
     return 0;
   }
 
-  PRInt32 i = mCurrentChar;
+  PRUint32 i = mCurrentChar;
   while (++i < mSource->mTextRun->GetLength()) {
     if (mSource->mTextRun->IsClusterStart(i)) {
       break;
@@ -1702,9 +1711,9 @@ CharacterIterator::ClusterLength()
 }
 
 PRBool
-CharacterIterator::AdvanceToCharacter(PRInt32 aIndex)
+CharacterIterator::AdvanceToCharacter(PRUint32 aIndex)
 {
-  while (NextCluster() != -1) {
+  while (NextCluster() != InvalidCluster()) {
     if (mCurrentChar == aIndex)
       return PR_TRUE;
   }
diff --git a/layout/xul/base/src/nsMenuPopupFrame.cpp b/layout/xul/base/src/nsMenuPopupFrame.cpp
index bf3218cb15d..e610478b90e 100644
--- a/layout/xul/base/src/nsMenuPopupFrame.cpp
+++ b/layout/xul/base/src/nsMenuPopupFrame.cpp
@@ -85,6 +85,7 @@
 #include "nsIScreenManager.h"
 #include "nsIServiceManager.h"
 #include "nsThemeConstants.h"
+#include "nsDisplayList.h"
 #include "mozilla/Preferences.h"
 
 using namespace mozilla;
@@ -124,6 +125,7 @@ nsMenuPopupFrame::nsMenuPopupFrame(nsIPresShell* aShell, nsStyleContext* aContex
   mShouldAutoPosition(PR_TRUE),
   mInContentShell(PR_TRUE),
   mIsMenuLocked(PR_FALSE),
+  mIsDragPopup(PR_FALSE),
   mHFlip(PR_FALSE),
   mVFlip(PR_FALSE)
 {
@@ -176,6 +178,12 @@ nsMenuPopupFrame::Init(nsIContent*      aContent,
     }
   }
 
+  if (mPopupType == ePopupTypePanel &&
+      aContent->AttrValueIs(kNameSpaceID_None, nsGkAtoms::type,
+                            nsGkAtoms::drag, eIgnoreCase)) {
+    mIsDragPopup = PR_TRUE;
+  }
+
   nsCOMPtr<nsISupports> cont = PresContext()->GetContainer();
   nsCOMPtr<nsIDocShellTreeItem> dsti = do_QueryInterface(cont);
   PRInt32 type = -1;
@@ -274,6 +282,7 @@ nsMenuPopupFrame::CreateWidgetForView(nsIView* aView)
   widgetData.clipSiblings = PR_TRUE;
   widgetData.mPopupHint = mPopupType;
   widgetData.mNoAutoHide = IsNoAutoHide();
+  widgetData.mIsDragPopup = mIsDragPopup;
 
   nsAutoString title;
   if (mContent && widgetData.mNoAutoHide) {
@@ -1115,6 +1124,12 @@ nsMenuPopupFrame::SetPopupPosition(nsIFrame* aAnchorFrame, PRBool aIsMove)
   if (!mShouldAutoPosition)
     return NS_OK;
 
+  // If this is due to a move, return early if the popup hasn't been laid out
+  // yet. On Windows, this can happen when using a drag popup before it opens.
+  if (aIsMove && (mPrefSize.width == -1 || mPrefSize.height == -1)) {
+    return NS_OK;
+  }
+
   nsPresContext* presContext = PresContext();
   nsIFrame* rootFrame = presContext->PresShell()->FrameManager()->GetRootFrame();
   NS_ASSERTION(rootFrame->GetView() && GetView() &&
@@ -1768,6 +1783,19 @@ nsMenuPopupFrame::AttachedDismissalListener()
   mConsumeRollupEvent = nsIPopupBoxObject::ROLLUP_DEFAULT;
 }
 
+nsresult
+nsMenuPopupFrame::BuildDisplayList(nsDisplayListBuilder*   aBuilder,
+                                   const nsRect&           aDirtyRect,
+                                   const nsDisplayListSet& aLists)
+{
+  // don't pass events to drag popups
+  if (aBuilder->IsForEventDelivery() && mIsDragPopup) {
+    return NS_OK;
+  }
+
+  return nsBoxFrame::BuildDisplayList(aBuilder, aDirtyRect, aLists);
+}
+
 // helpers /////////////////////////////////////////////////////////////
 
 NS_IMETHODIMP 
diff --git a/layout/xul/base/src/nsMenuPopupFrame.h b/layout/xul/base/src/nsMenuPopupFrame.h
index d4d874f8680..821d0f36716 100644
--- a/layout/xul/base/src/nsMenuPopupFrame.h
+++ b/layout/xul/base/src/nsMenuPopupFrame.h
@@ -240,6 +240,8 @@ public:
   PRBool IsMenu() { return mPopupType == ePopupTypeMenu; }
   PRBool IsOpen() { return mPopupState == ePopupOpen || mPopupState == ePopupOpenAndVisible; }
 
+  PRBool IsDragPopup() { return mIsDragPopup; }
+
   // returns the parent menupopup, if any
   nsMenuFrame* GetParentMenu() {
     nsIFrame* parent = GetParent();
@@ -345,6 +347,9 @@ public:
   // Return the screen coordinates of the popup, or (-1, -1) if anchored.
   nsIntPoint ScreenPosition() const { return nsIntPoint(mScreenXPos, mScreenYPos); }
 
+  NS_IMETHOD BuildDisplayList(nsDisplayListBuilder*   aBuilder,
+                              const nsRect&           aDirtyRect,
+                              const nsDisplayListSet& aLists);
 protected:
 
   // returns the popup's level.
@@ -449,6 +454,7 @@ protected:
   PRPackedBool mShouldAutoPosition; // Should SetPopupPosition be allowed to auto position popup?
   PRPackedBool mInContentShell; // True if the popup is in a content shell
   PRPackedBool mIsMenuLocked; // Should events inside this menu be ignored?
+  PRPackedBool mIsDragPopup; // True if this is a popup used for drag feedback
 
   // the flip modes that were used when the popup was opened
   PRPackedBool mHFlip;
diff --git a/layout/xul/base/src/nsXULPopupManager.cpp b/layout/xul/base/src/nsXULPopupManager.cpp
index 48b17b07ed9..37f6d816ae1 100644
--- a/layout/xul/base/src/nsXULPopupManager.cpp
+++ b/layout/xul/base/src/nsXULPopupManager.cpp
@@ -1402,8 +1402,11 @@ nsXULPopupManager::GetVisiblePopups()
 
   item = mNoHidePanels;
   while (item) {
-    if (item->Frame()->PopupState() == ePopupOpenAndVisible)
+    // skip panels which are not open and visible as well as draggable popups,
+    // as those don't respond to events.
+    if (item->Frame()->PopupState() == ePopupOpenAndVisible && !item->Frame()->IsDragPopup()) {
       popups.AppendElement(static_cast<nsIFrame*>(item->Frame()));
+    }
     item = item->GetParent();
   }
 
diff --git a/mobile/app/mobile.js b/mobile/app/mobile.js
index 0ed920e5c6d..f05a8b9eeb8 100644
--- a/mobile/app/mobile.js
+++ b/mobile/app/mobile.js
@@ -557,6 +557,7 @@ pref("services.sync.prefs.sync.lightweightThemes.isThemeSelected", true);
 pref("services.sync.prefs.sync.lightweightThemes.usedThemes", true);
 pref("services.sync.prefs.sync.network.cookie.cookieBehavior", true);
 pref("services.sync.prefs.sync.permissions.default.image", true);
+pref("services.sync.prefs.sync.privacy.donottrackheader.enabled", true);
 pref("services.sync.prefs.sync.signon.rememberSignons", true);
 #endif
 
diff --git a/mobile/chrome/content/bindings.xml b/mobile/chrome/content/bindings.xml
index 8724f9a0987..53acda40eba 100644
--- a/mobile/chrome/content/bindings.xml
+++ b/mobile/chrome/content/bindings.xml
@@ -1380,6 +1380,9 @@
       <xul:hbox class="remotetabs-throbber-box" flex="1" align="center" pack="center">
         <xul:image src="chrome://browser/skin/images/throbber.png" />
       </xul:hbox>
+      <xul:hbox class="remotetabs-message-box" flex="1" align="center" pack="center">
+        <xul:label xbl:inherits="value=message" align="center" crop="center" flex="1"/>
+      </xul:hbox>
       <xul:richlistbox anonid="child-items" class="remotetabs-list-children" flex="1" batch="25"/>
     </content>
     <implementation>
@@ -1387,6 +1390,7 @@
         <body><![CDATA[
           let self = this;
           this.setAttribute("loading", "true");
+          this.removeAttribute("message");
 
           if (Weave.Service.isLoggedIn) {
             setTimeout(function() self._loadChildren(), 0);
@@ -1394,6 +1398,7 @@
             // Wait until login or setup finishes before loading items.
             let topics = [
               "browser:sync:setup:userabort",
+              "browser:sync:setup:networkerror",
               "weave:service:login:finish",
               "weave:service:login:error"
             ];
@@ -1412,8 +1417,23 @@
           while (children.lastChild)
             children.removeChild(children.lastChild);
 
-          let items = this._getRemoteTabs();
-          children.setItems(items.map(this.createItem));
+          let engine = this._getWeaveEngine();
+
+          // Only load items if the tabs engine is ready. In case
+          // sync fails, WeaveGlue will show an error dialog. If sync
+          // succeeds but has no data to display, a message is presented
+          // in the panel (see "message" attribute).
+          if (engine) {
+            let items = this._getRemoteTabs(engine);
+
+            if (items.length) {
+              children.setItems(items.map(this.createItem));
+            } else {
+              let bundle = Services.strings.createBundle("chrome://browser/locale/sync.properties");
+              this.setAttribute("message", bundle.GetStringFromName("sync.message.notabs"));
+            }
+          }
+
           this.removeAttribute("loading");
         ]]></body>
       </method>
@@ -1424,32 +1444,34 @@
 
       <field name="scrollBoxObject">this._children.scrollBoxObject</field>
 
-      <method name="_getRemoteTabs">
+      <method name="_getWeaveEngine">
         <body><![CDATA[
-          // Don't do anything if the Weave isn't ready
-          if (document.getElementById("cmd_remoteTabs").getAttribute("disabled") == "true")
-            return [];
+          // Return null if the Weave isn't ready
+          if (document.getElementById("cmd_remoteTabs").getAttribute("disabled") ==     "true")
+            return null;
           if (Weave.Status.checkSetup() == Weave.CLIENT_NOT_CONFIGURED)
-            return [];
+            return null;
 
-          // Don't do anything if the tabs engine isn't ready
-          let engine = Weave.Engines.get("tabs");
-          if (!engine)
-            return [];
+          return Weave.Engines.get("tabs");
+        ]]></body>
+      </method>
 
+      <method name="_getRemoteTabs">
+        <parameter name="aEngine"/>
+        <body><![CDATA[
           // Don't bother refetching tabs if we already did so recently
           let lastFetch = Weave.Svc.Prefs.get("lastTabFetch", 0);
           let now = Math.floor(Date.now() / 1000);
           if (now - lastFetch >= Services.prefs.getIntPref("browser.display.remotetabs.timeout")) {
             // Force a sync only for the tabs engine
-            engine.lastModified = null;
-            engine.sync();
+            aEngine.lastModified = null;
+            aEngine.sync();
             Weave.Svc.Prefs.set("lastTabFetch", now);
           };
 
           // Generate the list of tabs
           let tabs = [];
-          for (let [guid, client] in Iterator(engine.getAllClients())) {
+          for (let [guid, client] in Iterator(aEngine.getAllClients())) {
             if (!client.tabs.length)
               continue;
 
diff --git a/mobile/chrome/content/bindings/browser.js b/mobile/chrome/content/bindings/browser.js
index 56ab54af46a..6bd640f8e18 100644
--- a/mobile/chrome/content/bindings/browser.js
+++ b/mobile/chrome/content/bindings/browser.js
@@ -124,10 +124,10 @@ let WebNavigation =  {
   receiveMessage: function(message) {
     switch (message.name) {
       case "WebNavigation:GoBack":
-        this.goBack(message);
+        this.goBack();
         break;
       case "WebNavigation:GoForward":
-        this.goForward(message);
+        this.goForward();
         break;
       case "WebNavigation:GotoIndex":
         this.gotoIndex(message);
@@ -145,11 +145,13 @@ let WebNavigation =  {
   },
 
   goBack: function() {
-    this._webNavigation.goBack();
+    if (this._webNavigation.canGoBack)
+      this._webNavigation.goBack();
   },
 
   goForward: function() {
-    this._webNavigation.goForward();
+    if (this._webNavigation.canGoForward)
+      this._webNavigation.goForward();
   },
 
   gotoIndex: function(message) {
diff --git a/mobile/chrome/content/browser.xul b/mobile/chrome/content/browser.xul
index eb771457177..4f2c28d5a88 100644
--- a/mobile/chrome/content/browser.xul
+++ b/mobile/chrome/content/browser.xul
@@ -572,7 +572,7 @@
             <separator/>
             <textbox id="syncsetup-account" class="prompt-edit" placeholder="&sync.account;" oninput="WeaveGlue.canConnect();"/>
             <textbox id="syncsetup-password" class="prompt-edit" placeholder="&sync.password;" type="password" oninput="WeaveGlue.canConnect();"/>
-            <textbox id="syncsetup-synckey" class="prompt-edit" placeholder="&sync.syncKey;" oninput="WeaveGlue.canConnect();"/>
+            <textbox id="syncsetup-synckey" class="prompt-edit" placeholder="&sync.recoveryKey;" oninput="WeaveGlue.canConnect();"/>
             <separator class="thin"/>
             <button id="syncsetup-usecustomserver" type="checkbox" class="button-checkbox" pack="start" oncommand="WeaveGlue.toggleCustomServer();">
               <image class="button-image-icon"/>
diff --git a/mobile/chrome/content/common-ui.js b/mobile/chrome/content/common-ui.js
index a52aa5ca155..3dd1d571922 100644
--- a/mobile/chrome/content/common-ui.js
+++ b/mobile/chrome/content/common-ui.js
@@ -1490,7 +1490,16 @@ var BadgeHandlers = {
       aPopup.registerBadgeHandler(handlers[i].url, handlers[i]);
   },
 
+  get _pk11DB() {
+    delete this._pk11DB;
+    return this._pk11DB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(Ci.nsIPK11TokenDB);
+  },
+
   getLogin: function(aURL) {
+    let token = this._pk11DB.getInternalKeyToken();
+    if (!token.isLoggedIn())
+      return {username: "", password: ""};
+
     let lm = Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager);
     let logins = lm.findLogins({}, aURL, aURL, null);
     let username = logins.length > 0 ? logins[0].username : "";
diff --git a/mobile/chrome/content/sync.js b/mobile/chrome/content/sync.js
index 07222518681..23e4388e813 100644
--- a/mobile/chrome/content/sync.js
+++ b/mobile/chrome/content/sync.js
@@ -97,6 +97,7 @@ let WeaveGlue = {
     // Services.io.offline is lying to us, so we use the NetworkLinkService instead
     let nls = Cc["@mozilla.org/network/network-link-service;1"].getService(Ci.nsINetworkLinkService);
     if (!nls.isLinkUp) {
+      Services.obs.notifyObservers(null, "browser:sync:setup:networkerror", "");
       Services.prompt.alert(window,
                              this._bundle.GetStringFromName("sync.setup.error.title"),
                              this._bundle.GetStringFromName("sync.setup.error.network"));
@@ -382,8 +383,6 @@ let WeaveGlue = {
   },
 
   observe: function observe(aSubject, aTopic, aData) {
-    let loggedIn = Weave.Service.isLoggedIn;
-
     // Make sure we're online when connecting/syncing
     Util.forceOnline();
 
@@ -400,7 +399,13 @@ let WeaveGlue = {
     let disconnect = this._elements.disconnect;
     let sync = this._elements.sync;
 
-    let syncEnabled = this._elements.autosync.value;
+    let syncEnabled = autosync.value;
+    let loggedIn = Weave.Service.isLoggedIn;
+
+    // Sync may successfully log in after it was temporarily disabled by a
+    // canceled master password entry.  If so, then re-enable it.
+    if (loggedIn && !syncEnabled)
+      syncEnabled = autosync.value = true;
 
     // If Sync is not enabled, hide the connection row visibility
     if (syncEnabled) {
@@ -451,10 +456,18 @@ let WeaveGlue = {
     }
 
     // Show what went wrong with login if necessary
-    if (aTopic == "weave:service:login:error")
-      connect.setAttribute("desc", Weave.Utils.getErrorString(Weave.Status.login));
-    else
+    if (aTopic == "weave:service:login:error") {
+      if (Weave.Status.login == "service.master_password_locked") {
+        // Disable sync temporarily. Sync will try again after a set interval,
+        // or if the user presses the button to enable it again.
+        autosync.value = false;
+        this.toggleSyncEnabled();
+      } else {
+        connect.setAttribute("desc", Weave.Utils.getErrorString(Weave.Status.login));
+      }
+    } else {
       connect.removeAttribute("desc");
+    }
 
     // Init the setup data if we just logged in
     if (!this.setupData && aTopic == "weave:service:login:finish")
diff --git a/mobile/locales/en-US/chrome/sync.dtd b/mobile/locales/en-US/chrome/sync.dtd
index 4b59523f288..213742a29ab 100644
--- a/mobile/locales/en-US/chrome/sync.dtd
+++ b/mobile/locales/en-US/chrome/sync.dtd
@@ -14,7 +14,7 @@
 <!ENTITY sync.setup.manual          "Enter your Sync account information">
 <!ENTITY sync.account               "Account Name">
 <!ENTITY sync.password              "Password">
-<!ENTITY sync.syncKey               "Sync Key">
+<!ENTITY sync.recoveryKey           "Recovery Key">
 <!ENTITY sync.customServer          "Use custom server">
 <!ENTITY sync.serverURL             "Server URL">
 <!ENTITY sync.setup.connect         "Connect">
diff --git a/mobile/locales/en-US/chrome/sync.properties b/mobile/locales/en-US/chrome/sync.properties
index b7201ad0dc0..541ee114465 100644
--- a/mobile/locales/en-US/chrome/sync.properties
+++ b/mobile/locales/en-US/chrome/sync.properties
@@ -25,3 +25,5 @@ sync.setup.error.network=No internet connection available
 sync.setup.error.nodata=%S could not connect to Sync. Would you like to try again?
 sync.setup.tryagain=Try again
 sync.setup.manual=Manual setup
+
+sync.message.notabs=No tabs from your other computers.
diff --git a/mobile/themes/core/browser.css b/mobile/themes/core/browser.css
index d5f4e896743..88811b6981f 100644
--- a/mobile/themes/core/browser.css
+++ b/mobile/themes/core/browser.css
@@ -420,24 +420,34 @@ toolbarbutton.choice-remotetabs {
 }
 
 /* awesomescreen panels ---------------------------------------------------- */
-historylist > hbox.history-throbber-box,
-remotetabslist > hbox.remotetabs-throbber-box {
-  display: none;
-}
-
-.history-throbber-box > image,
-.remotetabs-throbber-box > image {
+.history-throbber-box,
+.remotetabs-throbber-box {
   list-style-image: url("chrome://browser/skin/images/throbber.png");
 }
 
-historylist[loading="true"] > hbox.history-throbber-box,
-remotetabslist[loading="true"] > hbox.remotetabs-throbber-box {
+.remotetabs-message-box {
+  font-size: @font_small@ !important;
+  font-weight: normal;
+  text-align: center;
+  color: grey;
+}
+
+.history-throbber-box,
+.remotetabs-throbber-box,
+.remotetabs-message-box {
+  display: none;
+}
+
+historylist[loading="true"] > .history-throbber-box,
+remotetabslist[loading="true"] > .remotetabs-throbber-box,
+remotetabslist[message] > .remotetabs-message-box {
   background-color: white;
   display: -moz-box;
 }
 
-historylist[loading="true"] > richlistbox.history-list-children,
-remotetabslist[loading="true"] > richlistbox.remotetabs-list-children {
+historylist[loading="true"] > .history-list-children,
+remotetabslist[loading="true"] > .remotetabs-list-children,
+remotetabslist[message] > .remotetabs-list-children {
   visibility: collapse;
 }
 
diff --git a/modules/libjar/nsJARURI.cpp b/modules/libjar/nsJARURI.cpp
index 16a3726c030..17b4eb73b41 100644
--- a/modules/libjar/nsJARURI.cpp
+++ b/modules/libjar/nsJARURI.cpp
@@ -584,19 +584,6 @@ nsJARURI::SetFilePath(const nsACString& filePath)
     return mJAREntry->SetFilePath(filePath);
 }
 
-NS_IMETHODIMP
-nsJARURI::GetParam(nsACString& param)
-{
-    param.Truncate();
-    return NS_OK;
-}
-
-NS_IMETHODIMP
-nsJARURI::SetParam(const nsACString& param)
-{
-    return NS_ERROR_NOT_AVAILABLE;
-}
-
 NS_IMETHODIMP
 nsJARURI::GetQuery(nsACString& query)
 {
diff --git a/modules/libpref/public/nsIPrefBranch.idl b/modules/libpref/public/nsIPrefBranch.idl
index 857455e2c0f..7e00382c540 100644
--- a/modules/libpref/public/nsIPrefBranch.idl
+++ b/modules/libpref/public/nsIPrefBranch.idl
@@ -55,7 +55,7 @@
  * @see nsIPrefService
  */
 
-[scriptable, uuid(e0b6e170-691b-11e0-ae3e-0800200c9a66)]
+[scriptable, uuid(e162bfa0-01bd-4e9f-9843-8fb2efcd6d1f)]
 interface nsIPrefBranch : nsISupports
 {
 
@@ -107,7 +107,7 @@ interface nsIPrefBranch : nsISupports
    *
    * @see getBoolPref
    */
-  void setBoolPref(in string aPrefName, in long aValue);
+  void setBoolPref(in string aPrefName, in boolean aValue);
 
   /**
    * Called to get the state of an individual string preference.
diff --git a/modules/libpref/public/nsIPrefBranch2.idl b/modules/libpref/public/nsIPrefBranch2.idl
index 6205f151469..043bb617400 100644
--- a/modules/libpref/public/nsIPrefBranch2.idl
+++ b/modules/libpref/public/nsIPrefBranch2.idl
@@ -47,7 +47,7 @@ interface nsIObserver;
  *
  * @see nsIPrefBranch
  */
-[scriptable, uuid(784de8e2-e72f-441a-ae74-9d5fdfe13be3)]
+[scriptable, uuid(d9bb54df-daac-4ce6-a70c-95d87b770cd8)]
 interface nsIPrefBranch2 : nsIPrefBranch
 {
   /**
diff --git a/modules/libpref/public/nsIPrefBranchInternal.idl b/modules/libpref/public/nsIPrefBranchInternal.idl
index 4ffb4d5dff1..d475624207c 100644
--- a/modules/libpref/public/nsIPrefBranchInternal.idl
+++ b/modules/libpref/public/nsIPrefBranchInternal.idl
@@ -44,7 +44,7 @@
  * @status NON-FROZEN interface WHICH WILL PROBABLY GO AWAY.
  */
 
-[scriptable, uuid(d1d412d9-15d6-4a6a-9533-b949dc175ff5)]
+[scriptable, uuid(355bd1e9-248a-438b-809d-e0db1b287882)]
 interface nsIPrefBranchInternal : nsIPrefBranch2
 {
 };
diff --git a/modules/libpref/src/init/all.js b/modules/libpref/src/init/all.js
index 6290a348389..15eabb95b3f 100644
--- a/modules/libpref/src/init/all.js
+++ b/modules/libpref/src/init/all.js
@@ -3331,5 +3331,11 @@ pref("network.buffer.cache.size",  32768);
 // Desktop Notification
 pref("notification.feature.enabled", false);
 
+// Alert sliding effect
+pref("alerts.slideIncrement", 1);
+pref("alerts.slideIncrementTime", 10);
+pref("alerts.totalOpenTime", 4000);
+pref("alerts.disableSlidingEffect", false);
+ 
 //3D Transforms
 pref("layout.3d-transforms.enabled, false);
diff --git a/modules/libpref/src/nsPrefBranch.cpp b/modules/libpref/src/nsPrefBranch.cpp
index 4a19cbbb4d1..fe73a4cb95e 100644
--- a/modules/libpref/src/nsPrefBranch.cpp
+++ b/modules/libpref/src/nsPrefBranch.cpp
@@ -164,7 +164,7 @@ NS_IMETHODIMP nsPrefBranch::GetBoolPref(const char *aPrefName, PRBool *_retval)
   return PREF_GetBoolPref(pref, _retval, mIsDefault);
 }
 
-NS_IMETHODIMP nsPrefBranch::SetBoolPref(const char *aPrefName, PRInt32 aValue)
+NS_IMETHODIMP nsPrefBranch::SetBoolPref(const char *aPrefName, PRBool aValue)
 {
   if (GetContentChild()) {
     NS_ERROR("cannot set pref from content process");
diff --git a/modules/libpref/src/prefapi.cpp b/modules/libpref/src/prefapi.cpp
index feb07e1fa07..713cc4b5426 100644
--- a/modules/libpref/src/prefapi.cpp
+++ b/modules/libpref/src/prefapi.cpp
@@ -68,9 +68,6 @@
 #include <os2.h>
 #endif
 
-#define BOGUS_DEFAULT_INT_PREF_VALUE (-5632)
-#define BOGUS_DEFAULT_BOOL_PREF_VALUE (-2)
-
 static void
 clearPrefEntry(PLDHashTable *table, PLDHashEntryHdr *entry)
 {
@@ -298,7 +295,7 @@ nsresult
 PREF_SetBoolPref(const char *pref_name, PRBool value, PRBool set_default)
 {
     PrefValue pref;
-    pref.boolVal = value ? PR_TRUE : PR_FALSE;
+    pref.boolVal = value;
 
     return pref_HashPref(pref_name, pref, PREF_BOOL, set_default);
 }
@@ -339,9 +336,10 @@ pref_savePref(PLDHashTable *table, PLDHashEntryHdr *heh, PRUint32 i, void *arg)
     PrefValue* sourcePref;
 
     if (PREF_HAS_USER_VALUE(pref) &&
-        pref_ValueChanged(pref->defaultPref,
-                          pref->userPref,
-                          (PrefType) PREF_TYPE(pref))) {
+        (pref_ValueChanged(pref->defaultPref,
+                           pref->userPref,
+                           (PrefType) PREF_TYPE(pref)) ||
+         !(pref->flags & PREF_HAS_DEFAULT))) {
         sourcePref = &pref->userPref;
     } else {
         if (argData->saveTypes == SAVE_ALL_AND_DEFAULTS) {
@@ -523,7 +521,7 @@ nsresult PREF_GetIntPref(const char *pref_name,PRInt32 * return_int, PRBool get_
         {
             PRInt32 tempInt = pref->defaultPref.intVal;
             /* check to see if we even had a default */
-            if (tempInt == ((PRInt32) BOGUS_DEFAULT_INT_PREF_VALUE))
+            if (!(pref->flags & PREF_HAS_DEFAULT))
                 return NS_ERROR_UNEXPECTED;
             *return_int = tempInt;
         }
@@ -548,7 +546,7 @@ nsresult PREF_GetBoolPref(const char *pref_name, PRBool * return_value, PRBool g
         {
             PRBool tempBool = pref->defaultPref.boolVal;
             /* check to see if we even had a default */
-            if (tempBool != ((PRBool) BOGUS_DEFAULT_BOOL_PREF_VALUE)) {
+            if (pref->flags & PREF_HAS_DEFAULT) {
                 *return_value = tempBool;
                 rv = NS_OK;
             }
@@ -614,11 +612,7 @@ PREF_ClearUserPref(const char *pref_name)
     {
         pref->flags &= ~PREF_USERSET;
 
-        if ((pref->flags & PREF_INT && 
-             pref->defaultPref.intVal == ((PRInt32) BOGUS_DEFAULT_INT_PREF_VALUE)) ||
-            (pref->flags & PREF_BOOL && 
-             pref->defaultPref.boolVal == ((PRBool) BOGUS_DEFAULT_BOOL_PREF_VALUE)) ||
-            (pref->flags & PREF_STRING && !pref->defaultPref.stringVal)) {
+        if (!(pref->flags & PREF_HAS_DEFAULT)) {
             PL_DHashTableOperate(&gHashTable, pref_name, PL_DHASH_REMOVE);
         }
 
@@ -640,11 +634,7 @@ pref_ClearUserPref(PLDHashTable *table, PLDHashEntryHdr *he, PRUint32,
     {
         pref->flags &= ~PREF_USERSET;
 
-        if ((pref->flags & PREF_INT && 
-             pref->defaultPref.intVal == ((PRInt32) BOGUS_DEFAULT_INT_PREF_VALUE)) ||
-            (pref->flags & PREF_BOOL && 
-             pref->defaultPref.boolVal == ((PRBool) BOGUS_DEFAULT_BOOL_PREF_VALUE)) ||
-            (pref->flags & PREF_STRING && !pref->defaultPref.stringVal)) {
+        if (!(pref->flags & PREF_HAS_DEFAULT)) {
             nextOp = PL_DHASH_REMOVE;
         }
 
@@ -757,15 +747,6 @@ nsresult pref_HashPref(const char *key, PrefValue value, PrefType type, PRBool s
         pref->key = ArenaStrDup(key, &gPrefNameArena);
         memset(&pref->defaultPref, 0, sizeof(pref->defaultPref));
         memset(&pref->userPref, 0, sizeof(pref->userPref));
-
-        /* ugly hack -- define it to a default that no pref will ever
-           default to this should really get fixed right by some out
-           of band data
-        */
-        if (pref->flags & PREF_BOOL)
-            pref->defaultPref.boolVal = (PRBool) BOGUS_DEFAULT_BOOL_PREF_VALUE;
-        if (pref->flags & PREF_INT)
-            pref->defaultPref.intVal = (PRInt32) BOGUS_DEFAULT_INT_PREF_VALUE;
     }
     else if ((((PrefType)(pref->flags)) & PREF_VALUETYPE_MASK) !=
                  (type & PREF_VALUETYPE_MASK))
@@ -779,9 +760,11 @@ nsresult pref_HashPref(const char *key, PrefValue value, PrefType type, PRBool s
     {
         if (!PREF_IS_LOCKED(pref))
         {       /* ?? change of semantics? */
-            if (pref_ValueChanged(pref->defaultPref, value, type))
+            if (pref_ValueChanged(pref->defaultPref, value, type) ||
+                !(pref->flags & PREF_HAS_DEFAULT))
             {
                 pref_SetValue(&pref->defaultPref, value, type);
+                pref->flags |= PREF_HAS_DEFAULT;
                 if (!PREF_HAS_USER_VALUE(pref))
                     valueChanged = PR_TRUE;
             }
@@ -791,7 +774,8 @@ nsresult pref_HashPref(const char *key, PrefValue value, PrefType type, PRBool s
     {
         /* If new value is same as the default value, then un-set the user value.
            Otherwise, set the user value only if it has changed */
-        if ( !pref_ValueChanged(pref->defaultPref, value, type) )
+        if (!pref_ValueChanged(pref->defaultPref, value, type) &&
+            pref->flags & PREF_HAS_DEFAULT)
         {
             if (PREF_HAS_USER_VALUE(pref))
             {
diff --git a/modules/libpref/src/prefapi.h b/modules/libpref/src/prefapi.h
index e8ca98ddeca..b26da25fbda 100644
--- a/modules/libpref/src/prefapi.h
+++ b/modules/libpref/src/prefapi.h
@@ -58,7 +58,7 @@ struct PrefHashEntry : PLDHashEntryHdr
     const char *key;
     PrefValue defaultPref;
     PrefValue userPref;
-    PRUint8   flags;
+    PRUint16  flags;
 };
 
 /*
@@ -84,9 +84,10 @@ void        PREF_CleanupPrefs();
 
 typedef enum { PREF_INVALID = 0,
                PREF_LOCKED = 1, PREF_USERSET = 2, PREF_CONFIG = 4, PREF_REMOTE = 8,
-			   PREF_LILOCAL = 16, PREF_STRING = 32, PREF_INT = 64, PREF_BOOL = 128,
-			   PREF_VALUETYPE_MASK = (PREF_STRING | PREF_INT | PREF_BOOL)
-			  } PrefType;
+               PREF_LILOCAL = 16, PREF_STRING = 32, PREF_INT = 64, PREF_BOOL = 128,
+               PREF_HAS_DEFAULT = 256,
+               PREF_VALUETYPE_MASK = (PREF_STRING | PREF_INT | PREF_BOOL)
+             } PrefType;
 
 /*
 // <font color=blue>
diff --git a/netwerk/base/public/nsIURL.idl b/netwerk/base/public/nsIURL.idl
index 75581c65537..1a9f9fcce5a 100644
--- a/netwerk/base/public/nsIURL.idl
+++ b/netwerk/base/public/nsIURL.idl
@@ -45,7 +45,6 @@
  *
  * http://host/directory/fileBaseName.fileExtension?query
  * http://host/directory/fileBaseName.fileExtension#ref
- * http://host/directory/fileBaseName.fileExtension;param
  *            \          \                       /
  *             \          -----------------------
  *              \                   |          /
@@ -70,13 +69,6 @@ interface nsIURL : nsIURI
      */
     attribute AUTF8String filePath;
 
-    /**
-     * Returns the parameters specified after the ; in the URL. 
-     *
-     * Some characters may be escaped.
-     */
-    attribute AUTF8String param;
-
     /**
      * Returns the query portion (the part after the "?") of the URL.
      * If there isn't one, an empty string is returned.
diff --git a/netwerk/base/public/nsIURLParser.idl b/netwerk/base/public/nsIURLParser.idl
index 11c3e8e9aad..6ddf339dc83 100644
--- a/netwerk/base/public/nsIURLParser.idl
+++ b/netwerk/base/public/nsIURLParser.idl
@@ -95,14 +95,13 @@ interface nsIURLParser : nsISupports
                           out long port);
 
     /**
-     * ParsePath breaks the path string up into its 4 major components: a file path,
-     * a param string, a query string, and a reference string.
+     * ParsePath breaks the path string up into its 3 major components: a file path,
+     * a query string, and a reference string.
      *
-     * path = <filepath>;<param>?<query>#<ref>
+     * path = <filepath>?<query>#<ref>
      */
     void parsePath       (in string path,                  in long pathLen,
                           out unsigned long filepathPos,  out long filepathLen,
-                          out unsigned long paramPos,     out long paramLen,
                           out unsigned long queryPos,     out long queryLen,
                           out unsigned long refPos,       out long refLen);
 
diff --git a/netwerk/base/src/nsStandardURL.cpp b/netwerk/base/src/nsStandardURL.cpp
index ca7d18447a3..99aa30f33d7 100644
--- a/netwerk/base/src/nsStandardURL.cpp
+++ b/netwerk/base/src/nsStandardURL.cpp
@@ -400,7 +400,6 @@ nsStandardURL::Clear()
     mBasename.Reset();
 
     mExtension.Reset();
-    mParam.Reset();
     mQuery.Reset();
     mRef.Reset();
 
@@ -511,16 +510,16 @@ nsStandardURL::BuildNormalizedSpec(const char *spec)
     // buffers for holding escaped url segments (these will remain empty unless
     // escaping is required).
     nsCAutoString encUsername, encPassword, encHost, encDirectory,
-      encBasename, encExtension, encParam, encQuery, encRef;
+      encBasename, encExtension, encQuery, encRef;
     PRBool useEncUsername, useEncPassword, useEncHost, useEncDirectory,
-      useEncBasename, useEncExtension, useEncParam, useEncQuery, useEncRef;
+      useEncBasename, useEncExtension, useEncQuery, useEncRef;
     nsCAutoString portbuf;
 
     //
     // escape each URL segment, if necessary, and calculate approximate normalized
     // spec length.
     //
-    // [scheme://][username[:password]@]host[:port]/path[;param][?query_string][#ref]
+    // [scheme://][username[:password]@]host[:port]/path[?query_string][#ref]
 
     PRUint32 approxLen = 0;
 
@@ -556,9 +555,6 @@ nsStandardURL::BuildNormalizedSpec(const char *spec)
 
         // These next ones *always* add their leading character even if length is 0
         // Handles items like "http://#"
-        // ;param
-        if (mParam.mLen >= 0)
-            approxLen += 1 + encoder.EncodeSegmentCount(spec, mParam,     esc_Param,         encParam,     useEncParam);
         // ?query
         if (mQuery.mLen >= 0)
             approxLen += 1 + queryEncoder.EncodeSegmentCount(spec, mQuery, esc_Query,        encQuery,     useEncQuery);
@@ -678,10 +674,6 @@ nsStandardURL::BuildNormalizedSpec(const char *spec)
         // calculate corrected filepath length
         mFilepath.mLen = i - mFilepath.mPos;
 
-        if (mParam.mLen >= 0) {
-            buf[i++] = ';';
-            i = AppendSegmentToBuf(buf, i, spec, mParam, &encParam, useEncParam);
-        }
         if (mQuery.mLen >= 0) {
             buf[i++] = '?';
             i = AppendSegmentToBuf(buf, i, spec, mQuery, &encQuery, useEncQuery);
@@ -838,13 +830,11 @@ nsStandardURL::ParsePath(const char *spec, PRUint32 pathPos, PRInt32 pathLen)
 
     nsresult rv = mParser->ParsePath(spec + pathPos, pathLen,
                                      &mFilepath.mPos, &mFilepath.mLen,
-                                     &mParam.mPos, &mParam.mLen,
                                      &mQuery.mPos, &mQuery.mLen,
                                      &mRef.mPos, &mRef.mLen);
     if (NS_FAILED(rv)) return rv;
 
     mFilepath.mPos += pathPos;
-    mParam.mPos += pathPos;
     mQuery.mPos += pathPos;
     mRef.mPos += pathPos;
 
@@ -1208,7 +1198,6 @@ nsStandardURL::SetSpec(const nsACString &input)
         LOG((" directory = (%u,%d)\n", mDirectory.mPos, mDirectory.mLen));
         LOG((" basename  = (%u,%d)\n", mBasename.mPos,  mBasename.mLen));
         LOG((" extension = (%u,%d)\n", mExtension.mPos, mExtension.mLen));
-        LOG((" param     = (%u,%d)\n", mParam.mPos,     mParam.mLen));
         LOG((" query     = (%u,%d)\n", mQuery.mPos,     mQuery.mLen));
         LOG((" ref       = (%u,%d)\n", mRef.mPos,       mRef.mLen));
     }
@@ -1633,7 +1622,6 @@ nsStandardURL::SetPath(const nsACString &input)
         // these are no longer defined
         mBasename.mLen = -1;
         mExtension.mLen = -1;
-        mParam.mLen = -1;
         mQuery.mLen = -1;
         mRef.mLen = -1;
     }
@@ -1684,8 +1672,7 @@ nsStandardURL::EqualsInternal(nsIURI *unknownOther,
         !SegmentIs(mQuery, other->mSpec.get(), other->mQuery) ||
         !SegmentIs(mUsername, other->mSpec.get(), other->mUsername) ||
         !SegmentIs(mPassword, other->mSpec.get(), other->mPassword) ||
-        Port() != other->Port() ||
-        !SegmentIs(mParam, other->mSpec.get(), other->mParam)) {
+        Port() != other->Port()) {
         // No need to compare files or other URI parts -- these are different
         // beasties
         *result = PR_FALSE;
@@ -1795,7 +1782,6 @@ nsStandardURL::CloneInternal(nsStandardURL::RefHandlingEnum refHandlingMode,
     clone->mDirectory = mDirectory;
     clone->mBasename = mBasename;
     clone->mExtension = mExtension;
-    clone->mParam = mParam;
     clone->mQuery = mQuery;
     clone->mRef = mRef;
     clone->mOriginCharset = mOriginCharset;
@@ -2020,7 +2006,7 @@ nsStandardURL::GetCommonBaseSpec(nsIURI *uri2, nsACString &aResult)
 
     // backup to just after previous slash so we grab an appropriate path
     // segment such as a directory (not partial segments)
-    // todo:  also check for file matches which include '?', '#', and ';'
+    // todo:  also check for file matches which include '?' and '#'
     while ((thisIndex != startCharPos) && (*(thisIndex-1) != '/'))
         thisIndex--;
 
@@ -2101,7 +2087,7 @@ nsStandardURL::GetRelativeSpec(nsIURI *uri2, nsACString &aResult)
 
     // backup to just after previous slash so we grab an appropriate path
     // segment such as a directory (not partial segments)
-    // todo:  also check for file matches with '#', '?' and ';'
+    // todo:  also check for file matches with '#' and '?'
     while ((*(thatIndex-1) != '/') && (thatIndex != startCharPos))
         thatIndex--;
 
@@ -2135,14 +2121,6 @@ nsStandardURL::GetFilePath(nsACString &result)
     return NS_OK;
 }
 
-// result may contain unescaped UTF-8 characters
-NS_IMETHODIMP
-nsStandardURL::GetParam(nsACString &result)
-{
-    result = Param();
-    return NS_OK;
-}
-
 // result may contain unescaped UTF-8 characters
 NS_IMETHODIMP
 nsStandardURL::GetQuery(nsACString &result)
@@ -2263,8 +2241,8 @@ nsStandardURL::SetFilePath(const nsACString &input)
     }
     else if (mPath.mLen > 1) {
         mSpec.Cut(mPath.mPos + 1, mFilepath.mLen - 1);
-        // left shift param, query, and ref
-        ShiftFromParam(1 - mFilepath.mLen);
+        // left shift query, and ref
+        ShiftFromQuery(1 - mFilepath.mLen);
         // these contain only a '/'
         mPath.mLen = 1;
         mDirectory.mLen = 1;
@@ -2276,13 +2254,6 @@ nsStandardURL::SetFilePath(const nsACString &input)
     return NS_OK;
 }
 
-NS_IMETHODIMP
-nsStandardURL::SetParam(const nsACString &input)
-{
-    NS_NOTYETIMPLEMENTED("");
-    return NS_ERROR_NOT_IMPLEMENTED;
-}
-
 NS_IMETHODIMP
 nsStandardURL::SetQuery(const nsACString &input)
 {
@@ -2503,7 +2474,7 @@ nsStandardURL::SetFileName(const nsACString &input)
         }
     }
     if (shift) {
-        ShiftFromParam(shift);
+        ShiftFromQuery(shift);
         mFilepath.mLen += shift;
         mPath.mLen += shift;
     }
@@ -2800,9 +2771,6 @@ nsStandardURL::Read(nsIObjectInputStream *stream)
     rv = ReadSegment(stream, mExtension);
     if (NS_FAILED(rv)) return rv;
 
-    rv = ReadSegment(stream, mParam);
-    if (NS_FAILED(rv)) return rv;
-
     rv = ReadSegment(stream, mQuery);
     if (NS_FAILED(rv)) return rv;
 
@@ -2889,9 +2857,6 @@ nsStandardURL::Write(nsIObjectOutputStream *stream)
     rv = WriteSegment(stream, mExtension);
     if (NS_FAILED(rv)) return rv;
 
-    rv = WriteSegment(stream, mParam);
-    if (NS_FAILED(rv)) return rv;
-
     rv = WriteSegment(stream, mQuery);
     if (NS_FAILED(rv)) return rv;
 
@@ -2964,7 +2929,6 @@ nsStandardURL::Read(const IPC::Message *aMsg, void **aIter)
         !ReadSegment(aMsg, aIter, mDirectory) ||
         !ReadSegment(aMsg, aIter, mBasename) ||
         !ReadSegment(aMsg, aIter, mExtension) ||
-        !ReadSegment(aMsg, aIter, mParam) ||
         !ReadSegment(aMsg, aIter, mQuery) ||
         !ReadSegment(aMsg, aIter, mRef) ||
         !ReadParam(aMsg, aIter, &mOriginCharset) ||
@@ -3005,7 +2969,6 @@ nsStandardURL::Write(IPC::Message *aMsg)
     WriteSegment(aMsg, mDirectory);
     WriteSegment(aMsg, mBasename);
     WriteSegment(aMsg, mExtension);
-    WriteSegment(aMsg, mParam);
     WriteSegment(aMsg, mQuery);
     WriteSegment(aMsg, mRef);
     WriteParam(aMsg, mOriginCharset);
diff --git a/netwerk/base/src/nsStandardURL.h b/netwerk/base/src/nsStandardURL.h
index 5d27cc2245c..b144d522c42 100644
--- a/netwerk/base/src/nsStandardURL.h
+++ b/netwerk/base/src/nsStandardURL.h
@@ -223,7 +223,6 @@ private:
     const nsDependentCSubstring Filename(); // see below
     const nsDependentCSubstring Basename()  { return Segment(mBasename); }
     const nsDependentCSubstring Extension() { return Segment(mExtension); }
-    const nsDependentCSubstring Param()     { return Segment(mParam); }
     const nsDependentCSubstring Query()     { return Segment(mQuery); }
     const nsDependentCSubstring Ref()       { return Segment(mRef); }
 
@@ -236,8 +235,7 @@ private:
     void ShiftFromFilepath(PRInt32 diff)  { mFilepath.mPos += diff; ShiftFromDirectory(diff); }
     void ShiftFromDirectory(PRInt32 diff) { mDirectory.mPos += diff; ShiftFromBasename(diff); }
     void ShiftFromBasename(PRInt32 diff)  { mBasename.mPos += diff; ShiftFromExtension(diff); }
-    void ShiftFromExtension(PRInt32 diff) { mExtension.mPos += diff; ShiftFromParam(diff); }
-    void ShiftFromParam(PRInt32 diff)     { mParam.mPos += diff; ShiftFromQuery(diff); }
+    void ShiftFromExtension(PRInt32 diff) { mExtension.mPos += diff; ShiftFromQuery(diff); }
     void ShiftFromQuery(PRInt32 diff)     { mQuery.mPos += diff; ShiftFromRef(diff); }
     void ShiftFromRef(PRInt32 diff)       { mRef.mPos += diff; }
 
@@ -267,7 +265,6 @@ private:
     URLSegment mDirectory;
     URLSegment mBasename;
     URLSegment mExtension;
-    URLSegment mParam;
     URLSegment mQuery;
     URLSegment mRef;
 
diff --git a/netwerk/base/src/nsURLHelper.cpp b/netwerk/base/src/nsURLHelper.cpp
index 3d6a54c0f3e..224756e1e6a 100644
--- a/netwerk/base/src/nsURLHelper.cpp
+++ b/netwerk/base/src/nsURLHelper.cpp
@@ -221,7 +221,6 @@ net_ParseFileURL(const nsACString &inURL,
     // invoke the parser to extract filepath from the path
     rv = parser->ParsePath(url + pathPos, pathLen,
                            &filepathPos, &filepathLen,
-                           nsnull, nsnull,  // don't care about param
                            nsnull, nsnull,  // don't care about query
                            nsnull, nsnull); // don't care about ref
     if (NS_FAILED(rv)) return rv;
@@ -451,7 +450,6 @@ net_ResolveRelativePath(const nsACString &relativePath,
         switch (c) {
           case '\0':
           case '#':
-          case ';':
           case '?':
             stop = PR_TRUE;
             // fall through...
diff --git a/netwerk/base/src/nsURLParsers.cpp b/netwerk/base/src/nsURLParsers.cpp
index 9ade45ce1e5..82be7e91192 100644
--- a/netwerk/base/src/nsURLParsers.cpp
+++ b/netwerk/base/src/nsURLParsers.cpp
@@ -117,7 +117,6 @@ nsBaseURLParser::ParseURL(const char *spec, PRInt32 specLen,
             case '/': // start of filepath
             case '?': // start of query
             case '#': // start of ref
-            case ';': // start of param
                 if (!slash)
                     slash = p;
                 break;
@@ -240,7 +239,6 @@ nsBaseURLParser::ParseServerInfo(const char *serverinfo, PRInt32 serverinfoLen,
 NS_IMETHODIMP
 nsBaseURLParser::ParsePath(const char *path, PRInt32 pathLen,
                            PRUint32 *filepathPos, PRInt32 *filepathLen,
-                           PRUint32 *paramPos, PRInt32 *paramLen,
                            PRUint32 *queryPos, PRInt32 *queryLen,
                            PRUint32 *refPos, PRInt32 *refLen)
 {
@@ -249,7 +247,7 @@ nsBaseURLParser::ParsePath(const char *path, PRInt32 pathLen,
     if (pathLen < 0)
         pathLen = strlen(path);
 
-    // path = [/]<segment1>/<segment2>/<...>/<segmentN>;<param>?<query>#<ref>
+    // path = [/]<segment1>/<segment2>/<...>/<segmentN>?<query>#<ref>
 
     // XXX PL_strnpbrk would be nice, but it's buggy
 
@@ -283,8 +281,6 @@ nsBaseURLParser::ParsePath(const char *path, PRInt32 pathLen,
     else
         SET_RESULT(ref, 0, -1);
 
-    // search backwards for param
-    const char *param_beg = 0;
     const char *end;
     if (query_beg)
         end = query_beg - 1;
@@ -292,20 +288,6 @@ nsBaseURLParser::ParsePath(const char *path, PRInt32 pathLen,
         end = ref_beg - 1;
     else
         end = path + pathLen;
-    for (p = end - 1; p >= path && *p != '/'; --p) {
-        if (*p == ';') {
-            // found param
-            param_beg = p + 1;
-        }
-    }
-
-    if (param_beg) {
-        // found <filepath>;<param>
-        SET_RESULT(param, param_beg - path, end - param_beg);
-        end = param_beg - 1;
-    }
-    else
-        SET_RESULT(param, 0, -1);
 
     // an empty file path is no file path
     if (end != path)
@@ -437,7 +419,7 @@ nsNoAuthURLParser::ParseAfterScheme(const char *spec, PRInt32 specLen,
 #endif
                 // Ignore apparent authority; path is everything after it
                 for (p = spec + 2; p < spec + specLen; ++p) {
-                    if (*p == '/' || *p == '?' || *p == '#' || *p == ';')
+                    if (*p == '/' || *p == '?' || *p == '#')
                         break;
                 }
             }
@@ -667,7 +649,7 @@ nsAuthURLParser::ParseAfterScheme(const char *spec, PRInt32 specLen,
     const char *end = spec + specLen;
     const char *p;
     for (p = spec + nslash; p < end; ++p) {
-        if (*p == '/' || *p == '?' || *p == '#' || *p == ';')
+        if (*p == '/' || *p == '?' || *p == '#')
             break;
     }
     if (p < end) {
diff --git a/netwerk/cache/nsCacheMetaData.cpp b/netwerk/cache/nsCacheMetaData.cpp
index 6c77d2985f3..ae013afdb15 100644
--- a/netwerk/cache/nsCacheMetaData.cpp
+++ b/netwerk/cache/nsCacheMetaData.cpp
@@ -51,12 +51,14 @@ nsCacheMetaData::GetElement(const char * key)
     while (data < limit) {
         // Point to the value part
         const char * value = data + strlen(data) + 1;
+        NS_ABORT_IF_FALSE(value < limit, "Cache Metadata corrupted");
         if (strcmp(data, key) == 0)
             return value;
 
         // Skip value part
         data = value + strlen(value) + 1;
     }
+    NS_ABORT_IF_FALSE(data == limit, "Metadata corrupted");
     return nsnull;
 }
 
@@ -131,6 +133,23 @@ nsresult
 nsCacheMetaData::UnflattenMetaData(const char * data, PRUint32 size)
 {
     if (data && size) {
+        // Check if the metadata ends with a zero byte.
+        if (data[size-1] != '\0') {
+            NS_ERROR("Cache MetaData is not null terminated");
+            return NS_ERROR_ILLEGAL_VALUE;
+        }
+        // Check that there are an even number of zero bytes
+        // to match the pattern { key \0 value \0 }
+        PRBool odd = PR_FALSE;
+        for (int i = 0; i < size; i++) {
+            if (data[i] == '\0') 
+                odd = !odd;
+        }
+        if (odd) {
+            NS_ERROR("Cache MetaData is malformed");
+            return NS_ERROR_ILLEGAL_VALUE;
+        }
+
         nsresult rv = EnsureBuffer(size);
         NS_ENSURE_SUCCESS(rv, rv);
 
@@ -150,6 +169,7 @@ nsCacheMetaData::VisitElements(nsICacheMetaDataVisitor * visitor)
         const char * key = data;
         // Skip key part
         data += strlen(data) + 1;
+        NS_ABORT_IF_FALSE(data < limit, "Metadata corrupted");
         PRBool keepGoing;
         nsresult rv = visitor->VisitMetaDataElement(key, data, &keepGoing);
         if (NS_FAILED(rv) || !keepGoing)
@@ -158,6 +178,7 @@ nsCacheMetaData::VisitElements(nsICacheMetaDataVisitor * visitor)
         // Skip value part
         data += strlen(data) + 1;
     }
+    NS_ABORT_IF_FALSE(data == limit, "Metadata corrupted");
     return NS_OK;
 }
 
diff --git a/netwerk/cache/nsDiskCacheMap.cpp b/netwerk/cache/nsDiskCacheMap.cpp
index b8741e8ef4e..c564e238b92 100644
--- a/netwerk/cache/nsDiskCacheMap.cpp
+++ b/netwerk/cache/nsDiskCacheMap.cpp
@@ -234,7 +234,10 @@ nsDiskCacheMap::FlushHeader()
     if (sizeof(nsDiskCacheHeader) != bytesWritten) {
         return NS_ERROR_UNEXPECTED;
     }
-    
+
+    PRStatus err = PR_Sync(mMapFD);
+    if (err != PR_SUCCESS) return NS_ERROR_UNEXPECTED;
+
     return NS_OK;
 }
 
diff --git a/netwerk/protocol/http/HttpChannelChild.cpp b/netwerk/protocol/http/HttpChannelChild.cpp
index 1931e6b054f..385f07e4a19 100644
--- a/netwerk/protocol/http/HttpChannelChild.cpp
+++ b/netwerk/protocol/http/HttpChannelChild.cpp
@@ -144,6 +144,48 @@ HttpChannelChild::ReleaseIPDLReference()
   Release();
 }
 
+class AssociateApplicationCacheEvent : public ChannelEvent
+{
+  public:
+    AssociateApplicationCacheEvent(HttpChannelChild* child,
+                                   const nsCString &groupID,
+                                   const nsCString &clientID)
+    : mChild(child)
+    , groupID(groupID)
+    , clientID(clientID) {}
+
+    void Run() { mChild->AssociateApplicationCache(groupID, clientID); }
+  private:
+    HttpChannelChild* mChild;
+    nsCString groupID;
+    nsCString clientID;
+};
+
+bool
+HttpChannelChild::RecvAssociateApplicationCache(const nsCString &groupID,
+                                                const nsCString &clientID)
+{
+  if (mEventQ.ShouldEnqueue()) {
+    mEventQ.Enqueue(new AssociateApplicationCacheEvent(this, groupID, clientID));
+  } else {
+    AssociateApplicationCache(groupID, clientID);
+  }
+  return true;
+}
+
+void
+HttpChannelChild::AssociateApplicationCache(const nsCString &groupID,
+                                            const nsCString &clientID)
+{
+  nsresult rv;
+  mApplicationCache = do_CreateInstance(NS_APPLICATIONCACHE_CONTRACTID, &rv);
+  if (NS_FAILED(rv))
+    return;
+
+  mLoadedFromApplicationCache = PR_TRUE;
+  mApplicationCache->InitAsHandle(groupID, clientID);
+}
+
 class StartRequestEvent : public ChannelEvent
 {
  public:
@@ -192,21 +234,6 @@ class StartRequestEvent : public ChannelEvent
   PRNetAddr mPeerAddr;
 };
 
-bool
-HttpChannelChild::RecvAssociateApplicationCache(const nsCString &groupID,
-                                                const nsCString &clientID)
-{
-  nsresult rv;
-  mApplicationCache = do_CreateInstance(
-    NS_APPLICATIONCACHE_CONTRACTID, &rv);
-  if (NS_FAILED(rv))
-    return true;
-
-  mLoadedFromApplicationCache = PR_TRUE;
-  mApplicationCache->InitAsHandle(groupID, clientID);
-  return true;
-}
-
 bool 
 HttpChannelChild::RecvOnStartRequest(const nsHttpResponseHead& responseHead,
                                      const PRBool& useResponseHead,
diff --git a/netwerk/protocol/http/HttpChannelChild.h b/netwerk/protocol/http/HttpChannelChild.h
index c4424eb86bf..6ea23192f2b 100644
--- a/netwerk/protocol/http/HttpChannelChild.h
+++ b/netwerk/protocol/http/HttpChannelChild.h
@@ -173,6 +173,8 @@ private:
   bool mKeptAlive;
   ChannelEventQueue mEventQ;
 
+  void AssociateApplicationCache(const nsCString &groupID,
+                                 const nsCString &clientID);
   void OnStartRequest(const nsHttpResponseHead& responseHead,
                       const PRBool& useResponseHead,
                       const RequestHeaderTuples& requestHeaders,
@@ -204,6 +206,7 @@ private:
   // Called asynchronously from Resume: continues any pending calls into client.
   void CompleteResume();
 
+  friend class AssociateApplicationCacheEvent;
   friend class StartRequestEvent;
   friend class StopRequestEvent;
   friend class TransportAndDataEvent;
diff --git a/netwerk/test/TestURLParser.cpp b/netwerk/test/TestURLParser.cpp
index 854f79e493c..0f589b61386 100644
--- a/netwerk/test/TestURLParser.cpp
+++ b/netwerk/test/TestURLParser.cpp
@@ -70,18 +70,16 @@ parse_path(nsIURLParser *urlParser, char *path, PRInt32 pathLen)
 {
     PRINT_FIELD(path);
 
-    PRUint32 filePos, paramPos, queryPos, refPos;
-    PRInt32 fileLen, paramLen, queryLen, refLen;
+    PRUint32 filePos, queryPos, refPos;
+    PRInt32 fileLen, queryLen, refLen;
 
     urlParser->ParsePath(path, pathLen,
                          &filePos, &fileLen,
-                         &paramPos, &paramLen,
                          &queryPos, &queryLen,
                          &refPos, &refLen);
 
     if (fileLen != -1)
         parse_file_path(urlParser, path + filePos, fileLen);
-    PRINT_SUBFIELD(path, param);
     PRINT_SUBFIELD(path, query);
     PRINT_SUBFIELD(path, ref);
 }
diff --git a/netwerk/test/unit/test_bug429347.js b/netwerk/test/unit/test_bug429347.js
index 16635814984..7eabd14cee7 100644
--- a/netwerk/test/unit/test_bug429347.js
+++ b/netwerk/test/unit/test_bug429347.js
@@ -14,9 +14,12 @@ function run_test() {
   uri2.spec = "http://example.com/?bar";
   do_check_true(uri1.equals(uri2));
 
+  // see https://bugzilla.mozilla.org/show_bug.cgi?id=665706
+  // ";" is not parsed as special anymore and thus ends up
+  // in the authority component (see RFC 3986)
   uri1.spec = "http://example.com;bar";
   uri2.spec = "http://example.com/;bar";
-  do_check_true(uri1.equals(uri2));
+  do_check_false(uri1.equals(uri2));
 
   uri1.spec = "http://example.com#";
   uri2.spec = "http://example.com/#";
@@ -26,9 +29,12 @@ function run_test() {
   uri2.spec = "http://example.com/?";
   do_check_true(uri1.equals(uri2));
 
+  // see https://bugzilla.mozilla.org/show_bug.cgi?id=665706
+  // ";" is not parsed as special anymore and thus ends up
+  // in the authority component (see RFC 3986)
   uri1.spec = "http://example.com;";
   uri2.spec = "http://example.com/;";
-  do_check_true(uri1.equals(uri2));
+  do_check_false(uri1.equals(uri2));
 
   uri1.spec = "http://example.com";
   uri2.spec = "http://example.com/";
diff --git a/netwerk/test/urltest.cpp b/netwerk/test/urltest.cpp
index b4ecc122615..298974a1ba0 100644
--- a/netwerk/test/urltest.cpp
+++ b/netwerk/test/urltest.cpp
@@ -137,8 +137,9 @@ nsresult writeoutto(const char* i_pURL, char** o_Result, PRInt32 urlFactory = UR
         rv = tURL->GetFileExtension(temp);
         output += RESULT();
         output += ',';
-        rv = tURL->GetParam(temp);
-        output += RESULT();
+        // removed with https://bugzilla.mozilla.org/show_bug.cgi?id=665706
+        // rv = tURL->GetParam(temp); 
+        // output += RESULT();
         output += ',';
         rv = tURL->GetQuery(temp);
         output += RESULT();
diff --git a/other-licenses/android/linker.c b/other-licenses/android/linker.c
index 35535929c46..297733cd87d 100644
--- a/other-licenses/android/linker.c
+++ b/other-licenses/android/linker.c
@@ -1954,9 +1954,13 @@ __asm__ (
     /* Jump to the resolved function. */
     "bx ip\n"
 );
+#else
+#define ANDROID_NO_RUNTIME_RELOC
 #endif
 
+#ifndef ANDROID_NO_RUNTIME_RELOC
 static void runtime_reloc() __attribute__((used));
+#endif
 
 static int link_image(soinfo *si, unsigned wr_offset)
 {
@@ -2201,16 +2205,23 @@ static int link_image(soinfo *si, unsigned wr_offset)
         }
     }
 
+#ifndef ANDROID_NO_RUNTIME_RELOC
     /* Initialize GOT[1] and GOT[2], which are used by the PLT trampoline */
     Elf32_Addr *got = (Elf32_Addr *)si->plt_got;
     got[1] = (Elf32_Addr) si;
     got[2] = (Elf32_Addr) runtime_reloc;
+#endif
 
     if(si->plt_rel) {
         DEBUG("[ %5d relocating %s plt ]\n", pid, si->name );
+#ifdef ANDROID_NO_RUNTIME_RELOC
+        if(reloc_library(si, si->plt_rel, si->plt_rel_count))
+            goto fail;
+#else
         /* Relocate PLT GOT */
         for (d = got + 3; d < got + 3 + si->plt_rel_count; d++)
             *d += si->base;
+#endif
     }
     if(si->rel) {
         DEBUG("[ %5d relocating %s ]\n", pid, si->name );
@@ -2221,9 +2232,14 @@ static int link_image(soinfo *si, unsigned wr_offset)
 #ifdef ANDROID_SH_LINKER
     if(si->plt_rela) {
         DEBUG("[ %5d relocating %s plt ]\n", pid, si->name );
+#ifdef ANDROID_NO_RUNTIME_RELOC
+        if(reloc_library_a(si, si->plt_rela, si->plt_rela_count))
+            goto fail;
+#else
         /* Relocate PLT GOT */
         for (d = got + 3; d < got + 3 + si->plt_rela_count; d++)
             *d += si->base;
+#endif
     }
     if(si->rela) {
         DEBUG("[ %5d relocating %s ]\n", pid, si->name );
diff --git a/parser/html/nsHtml5TreeOperation.cpp b/parser/html/nsHtml5TreeOperation.cpp
index 1c382bb4fc9..e9dfadcc6a9 100644
--- a/parser/html/nsHtml5TreeOperation.cpp
+++ b/parser/html/nsHtml5TreeOperation.cpp
@@ -140,7 +140,7 @@ nsHtml5TreeOperation::~nsHtml5TreeOperation()
 
 nsresult
 nsHtml5TreeOperation::AppendTextToTextNode(const PRUnichar* aBuffer,
-                                           PRInt32 aLength,
+                                           PRUint32 aLength,
                                            nsIContent* aTextNode,
                                            nsHtml5TreeOpExecutor* aBuilder)
 {
@@ -172,7 +172,7 @@ nsHtml5TreeOperation::AppendTextToTextNode(const PRUnichar* aBuffer,
 
 nsresult
 nsHtml5TreeOperation::AppendText(const PRUnichar* aBuffer,
-                                 PRInt32 aLength,
+                                 PRUint32 aLength,
                                  nsIContent* aParent,
                                  nsHtml5TreeOpExecutor* aBuilder)
 {
@@ -280,7 +280,7 @@ nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor* aBuilder,
     case eTreeOpDetach: {
       nsIContent* node = *(mOne.node);
       aBuilder->FlushPendingAppendNotifications();
-      nsIContent* parent = node->GetParent();
+      nsCOMPtr<nsIContent> parent = node->GetParent();
       if (parent) {
         nsHtml5OtherDocUpdate update(parent->GetOwnerDoc(),
                                      aBuilder->GetDocument());
@@ -292,7 +292,7 @@ nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor* aBuilder,
       return rv;
     }
     case eTreeOpAppendChildrenToNewParent: {
-      nsIContent* node = *(mOne.node);
+      nsCOMPtr<nsIContent> node = *(mOne.node);
       nsIContent* parent = *(mTwo.node);
       aBuilder->FlushPendingAppendNotifications();
 
@@ -496,7 +496,7 @@ nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor* aBuilder,
     case eTreeOpAppendText: {
       nsIContent* parent = *mOne.node;
       PRUnichar* buffer = mTwo.unicharPtr;
-      PRInt32 length = mInt;
+      PRUint32 length = mInt;
       return AppendText(buffer, length, parent, aBuilder);
     }
     case eTreeOpAppendIsindexPrompt: {
@@ -518,7 +518,7 @@ nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor* aBuilder,
     case eTreeOpFosterParentText: {
       nsIContent* stackParent = *mOne.node;
       PRUnichar* buffer = mTwo.unicharPtr;
-      PRInt32 length = mInt;
+      PRUint32 length = mInt;
       nsIContent* table = *mThree.node;
       
       nsIContent* foster = table->GetParent();
diff --git a/parser/html/nsHtml5TreeOperation.h b/parser/html/nsHtml5TreeOperation.h
index 575c9974e69..5c724724df6 100644
--- a/parser/html/nsHtml5TreeOperation.h
+++ b/parser/html/nsHtml5TreeOperation.h
@@ -317,12 +317,12 @@ class nsHtml5TreeOperation {
   private:
 
     nsresult AppendTextToTextNode(const PRUnichar* aBuffer,
-                                  PRInt32 aLength,
+                                  PRUint32 aLength,
                                   nsIContent* aTextNode,
                                   nsHtml5TreeOpExecutor* aBuilder);
 
     nsresult AppendText(const PRUnichar* aBuffer,
-                        PRInt32 aLength,
+                        PRUint32 aLength,
                         nsIContent* aParent,
                         nsHtml5TreeOpExecutor* aBuilder);
 
diff --git a/security/manager/ssl/src/nsCertTree.cpp b/security/manager/ssl/src/nsCertTree.cpp
index 56973cf97ff..a0205fbc46f 100644
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -65,6 +65,7 @@ extern PRLogModuleInfo* gPIPNSSLog;
 NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate)
 
 static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
+static NS_DEFINE_CID(kCertOverrideCID, NS_CERTOVERRIDE_CID);
 
 // treeArrayElStr
 //
@@ -198,6 +199,11 @@ nsCertTree::nsCertTree() : mTreeArray(NULL)
   mCompareCache.ops = nsnull;
   mNSSComponent = do_GetService(kNSSComponentCID);
   mOverrideService = do_GetService("@mozilla.org/security/certoverride;1");
+  // Might be a different service if someone is overriding the contract
+  nsCOMPtr<nsICertOverrideService> origCertOverride =
+    do_GetService(kCertOverrideCID);
+  mOriginalOverrideService =
+    static_cast<nsCertOverrideService*>(origCertOverride.get());
   mCellText = nsnull;
 }
 
@@ -485,9 +491,7 @@ nsCertTree::GetCertsByTypeFromCertList(CERTCertList *aCertList,
   if (!aCertList)
     return NS_ERROR_FAILURE;
 
-  nsCertOverrideService *cos = 
-    reinterpret_cast<nsCertOverrideService*>(mOverrideService.get());
-  if (!cos)
+  if (!mOriginalOverrideService)
     return NS_ERROR_FAILURE;
 
   nsTHashtable<nsCStringHashKey> allHostPortOverrideKeys;
@@ -495,9 +499,10 @@ nsCertTree::GetCertsByTypeFromCertList(CERTCertList *aCertList,
     return NS_ERROR_OUT_OF_MEMORY;
 
   if (aWantedType == nsIX509Cert::SERVER_CERT) {
-    cos->EnumerateCertOverrides(nsnull, 
-                                CollectAllHostPortOverridesCallback, 
-                                &allHostPortOverrideKeys);
+    mOriginalOverrideService->
+      EnumerateCertOverrides(nsnull, 
+                             CollectAllHostPortOverridesCallback, 
+                             &allHostPortOverrideKeys);
   }
 
   CERTCertListNode *node;
@@ -637,7 +642,7 @@ nsCertTree::GetCertsByTypeFromCertList(CERTCertList *aCertList,
         ++count;
         ++InsertPosition;
       }
-      if (addOverrides && cos) {
+      if (addOverrides) {
         nsCertAndArrayAndPositionAndCounterAndTracker cap;
         cap.certai = certai;
         cap.array = &mDispInfo;
@@ -645,7 +650,8 @@ nsCertTree::GetCertsByTypeFromCertList(CERTCertList *aCertList,
         cap.counter = 0;
         cap.tracker = &allHostPortOverrideKeys;
 
-        cos->EnumerateCertOverrides(pipCert, MatchingCertOverridesCallback, &cap);
+        mOriginalOverrideService->
+          EnumerateCertOverrides(pipCert, MatchingCertOverridesCallback, &cap);
         count += cap.counter;
       }
     }
@@ -657,7 +663,8 @@ nsCertTree::GetCertsByTypeFromCertList(CERTCertList *aCertList,
     cap.position = 0;
     cap.counter = 0;
     cap.tracker = &allHostPortOverrideKeys;
-    cos->EnumerateCertOverrides(nsnull, AddRemaningHostPortOverridesCallback, &cap);
+    mOriginalOverrideService->
+      EnumerateCertOverrides(nsnull, AddRemaningHostPortOverridesCallback, &cap);
   }
 
   return NS_OK;
diff --git a/security/manager/ssl/src/nsCertTree.h b/security/manager/ssl/src/nsCertTree.h
index d2fe5774aab..3edff75d236 100644
--- a/security/manager/ssl/src/nsCertTree.h
+++ b/security/manager/ssl/src/nsCertTree.h
@@ -155,6 +155,7 @@ private:
   PLDHashTable mCompareCache;
   nsCOMPtr<nsINSSComponent> mNSSComponent;
   nsCOMPtr<nsICertOverrideService> mOverrideService;
+  nsRefPtr<nsCertOverrideService> mOriginalOverrideService;
 
   treeArrayEl *GetThreadDescAtIndex(PRInt32 _index);
   already_AddRefed<nsIX509Cert> 
diff --git a/services/sync/locales/en-US/errors.properties b/services/sync/locales/en-US/errors.properties
index 0aab6848cd5..80e52db8017 100644
--- a/services/sync/locales/en-US/errors.properties
+++ b/services/sync/locales/en-US/errors.properties
@@ -1,9 +1,9 @@
 error.login.reason.network      = Failed to connect to the server
-error.login.reason.synckey      = Wrong Sync Key
+error.login.reason.recoverykey  = Wrong Recovery Key
 error.login.reason.account      = Incorrect account name or password
 error.login.reason.no_username  = Missing account name
 error.login.reason.no_password2 = Missing password
-error.login.reason.no_synckey   = No saved Sync Key to use
+error.login.reason.no_recoverykey= No saved Recovery Key to use
 error.login.reason.server       = Server incorrectly configured
 
 error.sync.failed_partial     = One or more data types could not be synced
@@ -14,13 +14,7 @@ weak-password   = Use a stronger password
 # this is the fallback, if we hit an error we didn't bother to localize
 error.reason.unknown          = Unknown error
 
-change.synckey.sameAsSyncKey    = The new Sync Key cannot be the same as your Sync Key
-change.synckey.sameAsPassword   = The Sync Key cannot be the same as your password
-change.synckey.sameAsUsername   = The Sync Key cannot be the same as your user name
-change.synckey.sameAsEmail      = The Sync Key cannot be the same as your email address
-change.synckey.tooShort         = The Sync Key entered is too short
-
-change.password.pwSameAsSyncKey      = Password can't match your Sync Key
+change.password.pwSameAsRecoveryKey  = Password can't match your Recovery Key
 change.password.pwSameAsPassword     = Password can't match current password
 change.password.pwSameAsUsername     = Password can't match your user name
 change.password.pwSameAsEmail        = Password can't match your email address
diff --git a/services/sync/modules/async.js b/services/sync/modules/async.js
index 5a023a74138..7179807c6da 100644
--- a/services/sync/modules/async.js
+++ b/services/sync/modules/async.js
@@ -300,7 +300,7 @@ let Async = {
       let row;
       while ((row = results.getNextRow()) != null) {
         let item = {};
-        for each (name in this.names) {
+        for each (let name in this.names) {
           item[name] = row.getResultByName(name);
         }
         this.results.push(item);
diff --git a/services/sync/modules/constants.js b/services/sync/modules/constants.js
index 5d41fa0ede7..f7154833739 100644
--- a/services/sync/modules/constants.js
+++ b/services/sync/modules/constants.js
@@ -147,10 +147,10 @@ ENGINE_SUCCEEDED:                      "success.engine",
 // login failure status codes:
 LOGIN_FAILED_NO_USERNAME:              "error.login.reason.no_username",
 LOGIN_FAILED_NO_PASSWORD:              "error.login.reason.no_password2",
-LOGIN_FAILED_NO_PASSPHRASE:            "error.login.reason.no_synckey",
+LOGIN_FAILED_NO_PASSPHRASE:            "error.login.reason.no_recoverykey",
 LOGIN_FAILED_NETWORK_ERROR:            "error.login.reason.network",
 LOGIN_FAILED_SERVER_ERROR:             "error.login.reason.server",
-LOGIN_FAILED_INVALID_PASSPHRASE:       "error.login.reason.synckey",
+LOGIN_FAILED_INVALID_PASSPHRASE:       "error.login.reason.recoverykey",
 LOGIN_FAILED_LOGIN_REJECTED:           "error.login.reason.account",
 
 // sync failure status codes
diff --git a/services/sync/modules/engines.js b/services/sync/modules/engines.js
index 37afa6b285a..e2ca563e25e 100644
--- a/services/sync/modules/engines.js
+++ b/services/sync/modules/engines.js
@@ -622,8 +622,9 @@ SyncEngine.prototype = {
       // Mark all items to be uploaded, but treat them as changed from long ago
       this._log.debug("First sync, uploading all items");
       this._modified = {};
-      for (let id in this._store.getAllIDs())
+      for (let id in this._store.getAllIDs()) {
         this._modified[id] = 0;
+      }
     }
     // Clear the tracker now. If the sync fails we'll add the ones we failed
     // to upload back.
@@ -631,7 +632,7 @@ SyncEngine.prototype = {
  
     // Array of just the IDs from this._modified. This is what we iterate over
     // so we can modify this._modified during the iteration.
-    this._modifiedIDs = [id for (id in this._modified)];
+    this._modifiedIDs = Object.keys(this._modified);
     this._log.info(this._modifiedIDs.length +
                    " outgoing items pre-reconciliation");
 
@@ -652,7 +653,7 @@ SyncEngine.prototype = {
       batchSize = MOBILE_BATCH_SIZE;
     }
     newitems.newer = this.lastSync;
-    newitems.full = true;
+    newitems.full  = true;
     newitems.limit = batchSize;
     
     // applied    => number of items that should be applied.
@@ -1002,7 +1003,7 @@ SyncEngine.prototype = {
         if (modified > this.lastSync)
           this.lastSync = modified;
 
-        let failed_ids = [id for (id in resp.obj.failed)];
+        let failed_ids = Object.keys(resp.obj.failed);
         if (failed_ids.length)
           this._log.debug("Records that will be uploaded again because "
                           + "the server couldn't store them: "
@@ -1079,8 +1080,8 @@ SyncEngine.prototype = {
     for (let [id, when] in Iterator(this._modified)) {
       this._tracker.addChangedID(id, when);
     }
-    delete this._modified;
-    delete this._modifiedIDs;
+    this._modified    = {};
+    this._modifiedIDs = [];
   },
 
   _sync: function SyncEngine__sync() {
diff --git a/services/sync/modules/engines/bookmarks.js b/services/sync/modules/engines/bookmarks.js
index 4c8b75b833d..b6cb08413d1 100644
--- a/services/sync/modules/engines/bookmarks.js
+++ b/services/sync/modules/engines/bookmarks.js
@@ -113,8 +113,9 @@ PlacesItem.prototype = {
   _logName: "Sync.Record.PlacesItem",
 };
 
-Utils.deferGetSet(PlacesItem, "cleartext", ["hasDupe", "parentid", "parentName",
-                                            "type"]);
+Utils.deferGetSet(PlacesItem,
+                  "cleartext",
+                  ["hasDupe", "parentid", "parentName", "type"]);
 
 function Bookmark(collection, id, type) {
   PlacesItem.call(this, collection, id, type || "bookmark");
@@ -124,8 +125,10 @@ Bookmark.prototype = {
   _logName: "Sync.Record.Bookmark",
 };
 
-Utils.deferGetSet(Bookmark, "cleartext", ["title", "bmkUri", "description",
-  "loadInSidebar", "tags", "keyword"]);
+Utils.deferGetSet(Bookmark,
+                  "cleartext",
+                  ["title", "bmkUri", "description",
+                   "loadInSidebar", "tags", "keyword"]);
 
 function BookmarkQuery(collection, id) {
   Bookmark.call(this, collection, id, "query");
@@ -135,8 +138,9 @@ BookmarkQuery.prototype = {
   _logName: "Sync.Record.BookmarkQuery",
 };
 
-Utils.deferGetSet(BookmarkQuery, "cleartext", ["folderName",
-                                               "queryId"]);
+Utils.deferGetSet(BookmarkQuery,
+                  "cleartext",
+                  ["folderName", "queryId"]);
 
 function BookmarkFolder(collection, id, type) {
   PlacesItem.call(this, collection, id, type || "folder");
@@ -170,14 +174,6 @@ BookmarkSeparator.prototype = {
 Utils.deferGetSet(BookmarkSeparator, "cleartext", "pos");
 
 
-function archiveBookmarks() {
-  // Some nightly builds of 3.7 don't have this function
-  try {
-    PlacesUtils.archiveBookmarksFile(null, true);
-  }
-  catch(ex) {}
-}
-
 let kSpecialIds = {
 
   // Special IDs. Note that mobile can attempt to create a record on
@@ -389,8 +385,9 @@ BookmarksEngine.prototype = {
     SyncEngine.prototype._syncStartup.call(this);
 
     // For first-syncs, make a backup for the user to restore
-    if (this.lastSync == 0)
-      archiveBookmarks();
+    if (this.lastSync == 0) {
+      PlacesUtils.archiveBookmarksFile(null, true);
+    }
 
     this.__defineGetter__("_guidMap", function() {
       // Create a mapping of folder titles and separator positions to GUID.
@@ -1174,7 +1171,7 @@ BookmarksStore.prototype = {
     if (record.parentid == "toolbar")
       index += 150;
 
-    // Add in the bookmark's frecency if we have something
+    // Add in the bookmark's frecency if we have something.
     if (record.bmkUri != null) {
       this._frecencyStm.params.url = record.bmkUri;
       let result = Async.querySpinningly(this._frecencyStm, this._frecencyCols);
@@ -1217,10 +1214,10 @@ BookmarksStore.prototype = {
   },
 
   _tagURI: function BStore_tagURI(bmkURI, tags) {
-    // Filter out any null/undefined/empty tags
+    // Filter out any null/undefined/empty tags.
     tags = tags.filter(function(t) t);
 
-    // Temporarily tag a dummy uri to preserve tag ids when untagging
+    // Temporarily tag a dummy URI to preserve tag ids when untagging.
     let dummyURI = Utils.makeURI("about:weave#BStore_tagURI");
     PlacesUtils.tagging.tagURI(dummyURI, tags);
     PlacesUtils.tagging.untagURI(bmkURI, null);
@@ -1239,8 +1236,8 @@ BookmarksStore.prototype = {
   },
 
   wipe: function BStore_wipe() {
-    // Save a backup before clearing out all bookmarks
-    archiveBookmarks();
+    // Save a backup before clearing out all bookmarks.
+    PlacesUtils.archiveBookmarksFile(null, true);
 
     for each (let guid in kSpecialIds.guids)
       if (guid != "places") {
@@ -1310,10 +1307,10 @@ BookmarksTracker.prototype = {
   ]),
 
   /**
-   * Add a bookmark guid to be uploaded and bump up the sync score
+   * Add a bookmark GUID to be uploaded and bump up the sync score.
    *
    * @param itemGuid
-   *        Guid of the bookmark to upload
+   *        GUID of the bookmark to upload.
    */
   _add: function BMT__add(itemId, guid) {
     guid = kSpecialIds.specialGUIDForId(itemId) || guid;
@@ -1321,14 +1318,14 @@ BookmarksTracker.prototype = {
       this._upScore();
   },
 
-  /* Every add/remove/change will trigger a sync for MULTI_DEVICE */
+  /* Every add/remove/change will trigger a sync for MULTI_DEVICE. */
   _upScore: function BMT__upScore() {
     this.score += SCORE_INCREMENT_XLARGE;
   },
 
   /**
    * Determine if a change should be ignored: we're ignoring everything or the
-   * folder is for livemarks
+   * folder is for livemarks.
    *
    * @param itemId
    *        Item under consideration to ignore
diff --git a/services/sync/modules/engines/clients.js b/services/sync/modules/engines/clients.js
index 4786dfaff3b..9da992ccedd 100644
--- a/services/sync/modules/engines/clients.js
+++ b/services/sync/modules/engines/clients.js
@@ -199,7 +199,8 @@ ClientEngine.prototype = {
     resetEngine: { args: 1, desc: "Clear temporary local data for engine" },
     wipeAll:     { args: 0, desc: "Delete all client data for all engines" },
     wipeEngine:  { args: 1, desc: "Delete all client data for engine" },
-    logout:      { args: 0, desc: "Log out client" }
+    logout:      { args: 0, desc: "Log out client" },
+    displayURI:  { args: 2, desc: "Instruct a client to display a URI" }
   },
 
   /**
@@ -284,6 +285,9 @@ ClientEngine.prototype = {
           case "logout":
             Weave.Service.logout();
             return false;
+          case "displayURI":
+            this._handleDisplayURI(args[0], args[1]);
+            break;
           default:
             this._log.debug("Received an unknown command: " + command);
             break;
@@ -330,6 +334,52 @@ ClientEngine.prototype = {
         this._sendCommandToClient(command, args, id);
       }
     }
+  },
+
+  /**
+   * Send a URI to another client for display.
+   *
+   * A side effect is the score is increased dramatically to incur an
+   * immediate sync.
+   *
+   * If an unknown client ID is specified, sendCommand() will throw an
+   * Error object.
+   *
+   * @param uri
+   *        URI (as a string) to send and display on the remote client
+   * @param clientId
+   *        ID of client to send the command to. If not defined, will be sent
+   *        to all remote clients.
+   */
+  sendURIToClientForDisplay: function sendURIToClientForDisplay(uri, clientId) {
+    this._log.info("Sending URI to client: " + uri + " -> " + clientId);
+    this.sendCommand("displayURI", [uri, this.syncID], clientId);
+
+    Clients._tracker.score += SCORE_INCREMENT_XLARGE;
+  },
+
+  /**
+   * Handle a single received 'displayURI' command.
+   *
+   * Interested parties should observe the "weave:engine:clients:display-uri"
+   * topic. The callback will receive an object as the subject parameter with
+   * the following keys:
+   *
+   *   uri       URI (string) that is requested for display
+   *   clientId  ID of client that sent the command
+   *
+   * The 'data' parameter to the callback will not be defined.
+   *
+   * @param uri
+   *        String URI that was received
+   * @param clientId
+   *        ID of client that sent URI
+   */
+  _handleDisplayURI: function _handleDisplayURI(uri, clientId) {
+    this._log.info("Received a URI for display: " + uri + " from " + clientId);
+
+    let subject = { uri: uri, client: clientId };
+    Svc.Obs.notify("weave:engine:clients:display-uri", subject);
   }
 };
 
diff --git a/services/sync/modules/engines/forms.js b/services/sync/modules/engines/forms.js
index 62661bb8a2a..76a2a992f46 100644
--- a/services/sync/modules/engines/forms.js
+++ b/services/sync/modules/engines/forms.js
@@ -64,36 +64,79 @@ Utils.deferGetSet(FormRec, "cleartext", ["name", "value"]);
 
 let FormWrapper = {
   _log: Log4Moz.repository.getLogger("Sync.Engine.Forms"),
-    
-  getAllEntries: function getAllEntries() {
-    // Sort by (lastUsed - minLast) / (maxLast - minLast) * timesUsed / maxTimes
-    let query = Svc.Form.DBConnection.createAsyncStatement(
+
+  _getEntryCols: ["name", "value"],
+  _guidCols:     ["guid"],
+
+  _stmts: {},
+  _getStmt: function _getStmt(query) {
+    if (query in this._stmts) {
+      return this._stmts[query];
+    }
+
+    this._log.trace("Creating SQL statement: " + query);
+    let db = Svc.Form.DBConnection;
+    return this._stmts[query] = db.createAsyncStatement(query);
+  },
+
+  get _getAllEntriesStmt() {
+    const query =
       "SELECT fieldname name, value FROM moz_formhistory " +
       "ORDER BY 1.0 * (lastUsed - (SELECT lastUsed FROM moz_formhistory ORDER BY lastUsed ASC LIMIT 1)) / " +
         "((SELECT lastUsed FROM moz_formhistory ORDER BY lastUsed DESC LIMIT 1) - (SELECT lastUsed FROM moz_formhistory ORDER BY lastUsed ASC LIMIT 1)) * " +
         "timesUsed / (SELECT timesUsed FROM moz_formhistory ORDER BY timesUsed DESC LIMIT 1) DESC " +
-      "LIMIT 500");
-    return Async.querySpinningly(query, ["name", "value"]);
+      "LIMIT 500";
+    return this._getStmt(query);
+  },
+
+  get _getEntryStmt() {
+    const query = "SELECT fieldname name, value FROM moz_formhistory " +
+                  "WHERE guid = :guid";
+    return this._getStmt(query);
+  },
+
+  get _getGUIDStmt() {
+    const query = "SELECT guid FROM moz_formhistory " +
+                  "WHERE fieldname = :name AND value = :value";
+    return this._getStmt(query);
+  },
+
+  get _setGUIDStmt() {
+    const query = "UPDATE moz_formhistory SET guid = :guid " +
+                  "WHERE fieldname = :name AND value = :value";
+    return this._getStmt(query);
+  },
+
+  get _hasGUIDStmt() {
+    const query = "SELECT guid FROM moz_formhistory WHERE guid = :guid LIMIT 1";
+    return this._getStmt(query);
+  },
+
+  get _replaceGUIDStmt() {
+    const query = "UPDATE moz_formhistory SET guid = :newGUID " +
+                  "WHERE guid = :oldGUID";
+    return this._getStmt(query);
+  },
+
+  getAllEntries: function getAllEntries() {
+    return Async.querySpinningly(this._getAllEntriesStmt, this._getEntryCols);
   },
 
   getEntry: function getEntry(guid) {
-    let query = Svc.Form.DBConnection.createAsyncStatement(
-      "SELECT fieldname name, value FROM moz_formhistory WHERE guid = :guid");
-    query.params.guid = guid;
-    return Async.querySpinningly(query, ["name", "value"])[0];
+    let stmt = this._getEntryStmt;
+    stmt.params.guid = guid;
+    return Async.querySpinningly(stmt, this._getEntryCols)[0];
   },
 
   getGUID: function getGUID(name, value) {
-    // Query for the provided entry
-    let getQuery = Svc.Form.DBConnection.createAsyncStatement(
-      "SELECT guid FROM moz_formhistory " +
-      "WHERE fieldname = :name AND value = :value");
-    getQuery.params.name = name;
-    getQuery.params.value = value;
+    // Query for the provided entry.
+    let getStmt = this._getGUIDStmt;
+    getStmt.params.name = name;
+    getStmt.params.value = value;
+
+    // Give the GUID if we found one.
+    let item = Async.querySpinningly(getStmt, this._guidCols)[0];
 
-    // Give the guid if we found one
-    let item = Async.querySpinningly(getQuery, ["guid"])[0];
-    
     if (!item) {
       // Shouldn't happen, but Bug 597400...
       // Might as well just return.
@@ -102,36 +145,33 @@ let FormWrapper = {
                       JSON.stringify(value) + ") => " + item);
       return null;
     }
-    
-    if (item.guid != null)
-      return item.guid;
 
-    // We need to create a guid for this entry
-    let setQuery = Svc.Form.DBConnection.createAsyncStatement(
-      "UPDATE moz_formhistory SET guid = :guid " +
-      "WHERE fieldname = :name AND value = :value");
+    if (item.guid != null) {
+      return item.guid;
+    }
+
+    // We need to create a GUID for this entry.
+    let setStmt = this._setGUIDStmt;
     let guid = Utils.makeGUID();
-    setQuery.params.guid = guid;
-    setQuery.params.name = name;
-    setQuery.params.value = value;
-    Async.querySpinningly(setQuery);
+    setStmt.params.guid = guid;
+    setStmt.params.name = name;
+    setStmt.params.value = value;
+    Async.querySpinningly(setStmt);
 
     return guid;
   },
 
   hasGUID: function hasGUID(guid) {
-    let query = Svc.Form.DBConnection.createAsyncStatement(
-      "SELECT guid FROM moz_formhistory WHERE guid = :guid LIMIT 1");
-    query.params.guid = guid;
-    return Async.querySpinningly(query, ["guid"]).length == 1;
+    let stmt = this._hasGUIDStmt;
+    stmt.params.guid = guid;
+    return Async.querySpinningly(stmt, this._guidCols).length == 1;
   },
 
   replaceGUID: function replaceGUID(oldGUID, newGUID) {
-    let query = Svc.Form.DBConnection.createAsyncStatement(
-      "UPDATE moz_formhistory SET guid = :newGUID WHERE guid = :oldGUID");
-    query.params.oldGUID = oldGUID;
-    query.params.newGUID = newGUID;
-    Async.querySpinningly(query);
+    let stmt = this._replaceGUIDStmt;
+    stmt.params.oldGUID = oldGUID;
+    stmt.params.newGUID = newGUID;
+    Async.querySpinningly(stmt);
   }
 
 };
@@ -149,8 +189,9 @@ FormEngine.prototype = {
   get prefName() "history",
 
   _findDupe: function _findDupe(item) {
-    if (Svc.Form.entryExists(item.name, item.value))
+    if (Svc.Form.entryExists(item.name, item.value)) {
       return FormWrapper.getGUID(item.name, item.value);
+    }
   }
 };
 
@@ -173,8 +214,9 @@ FormStore.prototype = {
 
   getAllIDs: function FormStore_getAllIDs() {
     let guids = {};
-    for each (let {name, value} in FormWrapper.getAllEntries())
+    for each (let {name, value} in FormWrapper.getAllEntries()) {
       guids[FormWrapper.getGUID(name, value)] = true;
+    }
     return guids;
   },
 
@@ -192,9 +234,9 @@ FormStore.prototype = {
     if (entry != null) {
       record.name = entry.name;
       record.value = entry.value;
-    }
-    else
+    } else {
       record.deleted = true;
+    }
     return record;
   },
 
@@ -208,8 +250,9 @@ FormStore.prototype = {
 
     // Just skip remove requests for things already gone
     let entry = FormWrapper.getEntry(record.id);
-    if (entry == null)
+    if (entry == null) {
       return;
+    }
 
     Svc.Form.removeEntry(entry.name, entry.value);
   },
@@ -281,8 +324,9 @@ FormTracker.prototype = {
   },
 
   notify: function FormTracker_notify(formElement, aWindow, actionURI) {
-    if (this.ignoreAll)
+    if (this.ignoreAll) {
       return;
+    }
 
     this._log.trace("Form submission notification for " + actionURI.spec);
 
@@ -309,8 +353,9 @@ FormTracker.prototype = {
 
       // Grab the name for debugging, but check if empty when satchel would
       let name = el.name;
-      if (name === "")
+      if (name === "") {
         name = el.id;
+      }
 
       if (!(el instanceof Ci.nsIDOMHTMLInputElement)) {
         this._log.trace(name + " is not a DOMHTMLInputElement: " + el);
diff --git a/services/sync/modules/engines/history.js b/services/sync/modules/engines/history.js
index 6686bd1c2b5..2b1ad0eeecd 100644
--- a/services/sync/modules/engines/history.js
+++ b/services/sync/modules/engines/history.js
@@ -46,7 +46,6 @@ const Cu = Components.utils;
 const Cr = Components.results;
 
 const HISTORY_TTL = 5184000; // 60 days
-const TOPIC_UPDATEPLACES_COMPLETE = "places-updatePlaces-complete";
 
 Cu.import("resource://gre/modules/XPCOMUtils.jsm");
 Cu.import("resource://services-sync/constants.js");
@@ -162,6 +161,7 @@ HistoryStore.prototype = {
 
   get _visitStm() {
     return this._getStmt(
+      "/* do not warn (bug 599936) */ " +
       "SELECT visit_type type, visit_date date " +
       "FROM moz_historyvisits " +
       "WHERE place_id = (SELECT id FROM moz_places WHERE url = :url) " +
@@ -253,20 +253,15 @@ HistoryStore.prototype = {
       return failed;
     }
 
-    let cb = Async.makeSyncCallback();
     let updatePlacesCallback = { 
       handleResult: function handleResult() {},
       handleError: function handleError(resultCode, placeInfo) {
         failed.push(placeInfo.guid);
-      }
+      },
+      handleCompletion: Async.makeSyncCallback()
     };
-    let onComplete = function onComplete(subject, topic, data) {
-      Svc.Obs.remove(TOPIC_UPDATEPLACES_COMPLETE, onComplete);
-      cb();
-    };
-    Svc.Obs.add(TOPIC_UPDATEPLACES_COMPLETE, onComplete);
     this._asyncHistory.updatePlaces(records, updatePlacesCallback);
-    Async.waitForSyncCallback(cb);
+    Async.waitForSyncCallback(updatePlacesCallback.handleCompletion);
     return failed;
   },
 
diff --git a/services/sync/modules/policies.js b/services/sync/modules/policies.js
index e203acaa817..49d6b8b3b2b 100644
--- a/services/sync/modules/policies.js
+++ b/services/sync/modules/policies.js
@@ -236,7 +236,7 @@ let SyncScheduler = {
   },
 
   calculateScore: function calculateScore() {
-    var engines = Engines.getEnabled();
+    let engines = [Clients].concat(Engines.getEnabled());
     for (let i = 0;i < engines.length;i++) {
       this._log.trace(engines[i].name + ": score: " + engines[i].score);
       this.globalScore += engines[i].score;
diff --git a/services/sync/modules/service.js b/services/sync/modules/service.js
index f07dfd6e9b1..43aa1a5b89d 100644
--- a/services/sync/modules/service.js
+++ b/services/sync/modules/service.js
@@ -1577,7 +1577,7 @@ WeaveSvc.prototype = {
     }
 
     // Any remaining engines were either enabled locally or disabled remotely.
-    for each (engineName in enabled) {
+    for each (let engineName in enabled) {
       let engine = Engines.get(engineName);
       if (Svc.Prefs.get("engineStatusChanged." + engine.prefName, false)) {
         this._log.trace("The " + engineName + " engine was enabled locally.");
diff --git a/services/sync/modules/util.js b/services/sync/modules/util.js
index 59a52b1403e..b4948b1afe2 100644
--- a/services/sync/modules/util.js
+++ b/services/sync/modules/util.js
@@ -556,10 +556,6 @@ let Utils = {
     return T.slice(0, len);
   },
 
-  byteArrayToString: function byteArrayToString(bytes) {
-    return [String.fromCharCode(byte) for each (byte in bytes)].join("");
-  },
-  
   /**
    * PBKDF2 implementation in Javascript.
    * 
diff --git a/services/sync/tests/unit/head_helpers.js b/services/sync/tests/unit/head_helpers.js
index 6748c4ed40f..40cc91ae11a 100644
--- a/services/sync/tests/unit/head_helpers.js
+++ b/services/sync/tests/unit/head_helpers.js
@@ -204,6 +204,14 @@ function generateNewKeys(collections) {
   CollectionKeys.setContents(wbo.cleartext, modified);
 }
 
+function do_check_empty(obj) {
+  do_check_attribute_count(obj, 0);
+}
+
+function do_check_attribute_count(obj, c) {
+  do_check_eq(c, Object.keys(obj).length);
+}
+
 function do_check_throws(aFunc, aResult, aStack)
 {
   if (!aStack) {
diff --git a/services/sync/tests/unit/test_bookmark_tracker.js b/services/sync/tests/unit/test_bookmark_tracker.js
index 0f744f7323a..4e76c9d15b0 100644
--- a/services/sync/tests/unit/test_bookmark_tracker.js
+++ b/services/sync/tests/unit/test_bookmark_tracker.js
@@ -12,7 +12,7 @@ store.wipe();
 function test_tracking() {
   _("Verify we've got an empty tracker to work with.");
   let tracker = engine._tracker;
-  do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+  do_check_empty(tracker.changedIDs);
 
   let folder = PlacesUtils.bookmarks.createFolder(
     PlacesUtils.bookmarks.bookmarksMenuFolder,
@@ -26,7 +26,7 @@ function test_tracking() {
   try {
     _("Create bookmark. Won't show because we haven't started tracking yet");
     createBmk();
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
 
     _("Tell the tracker to start tracking changes.");
@@ -34,13 +34,13 @@ function test_tracking() {
     createBmk();
     // We expect two changed items because the containing folder
     // changed as well (new child).
-    do_check_eq([id for (id in tracker.changedIDs)].length, 2);
+    do_check_attribute_count(tracker.changedIDs, 2);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
 
     _("Notifying twice won't do any harm.");
     Svc.Obs.notify("weave:engine:start-tracking");
     createBmk();
-    do_check_eq([id for (id in tracker.changedIDs)].length, 3);
+    do_check_attribute_count(tracker.changedIDs, 3);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 4);
 
     _("Let's stop tracking again.");
@@ -48,13 +48,13 @@ function test_tracking() {
     tracker.resetScore();
     Svc.Obs.notify("weave:engine:stop-tracking");
     createBmk();
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
 
     _("Notifying twice won't do any harm.");
     Svc.Obs.notify("weave:engine:stop-tracking");
     createBmk();
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
 
   } finally {
@@ -72,7 +72,7 @@ function test_onItemChanged() {
 
   _("Verify we've got an empty tracker to work with.");
   let tracker = engine._tracker;
-  do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+  do_check_empty(tracker.changedIDs);
   do_check_eq(tracker.score, 0);
 
   try {
@@ -107,7 +107,7 @@ function test_onItemChanged() {
 function test_onItemMoved() {
   _("Verify we've got an empty tracker to work with.");
   let tracker = engine._tracker;
-  do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+  do_check_empty(tracker.changedIDs);
   do_check_eq(tracker.score, 0);
 
   try {
diff --git a/services/sync/tests/unit/test_clients_engine.js b/services/sync/tests/unit/test_clients_engine.js
index be77cb458ec..8f731d00009 100644
--- a/services/sync/tests/unit/test_clients_engine.js
+++ b/services/sync/tests/unit/test_clients_engine.js
@@ -449,6 +449,87 @@ add_test(function test_command_sync() {
   }
 });
 
+add_test(function test_send_uri_to_client_for_display() {
+  _("Ensure sendURIToClientForDisplay() sends command properly.");
+
+  let tracker = Clients._tracker;
+  let store = Clients._store;
+
+  let remoteId = Utils.makeGUID();
+  let rec = new ClientsRec("clients", remoteId);
+  rec.name = "remote";
+  store.create(rec);
+  let remoteRecord = store.createRecord(remoteId, "clients");
+
+  tracker.clearChangedIDs();
+  let initialScore = tracker.score;
+
+  let uri = "http://www.mozilla.org/";
+  Clients.sendURIToClientForDisplay(uri, remoteId);
+
+  let newRecord = store._remoteClients[remoteId];
+
+  do_check_neq(newRecord, undefined);
+  do_check_eq(newRecord.commands.length, 1);
+
+  let command = newRecord.commands[0];
+  do_check_eq(command.command, "displayURI");
+  do_check_eq(command.args.length, 2);
+  do_check_eq(command.args[0], uri);
+
+  do_check_true(tracker.score > initialScore);
+  do_check_true(tracker.score - initialScore >= SCORE_INCREMENT_XLARGE);
+
+  _("Ensure unknown client IDs result in exception.");
+  let unknownId = Utils.makeGUID();
+  let error;
+
+  try {
+    Clients.sendURIToClientForDisplay(uri, unknownId);
+  } catch (ex) {
+    error = ex;
+  }
+
+  do_check_eq(error.message.indexOf("Unknown remote client ID: "), 0);
+
+  run_next_test();
+});
+
+add_test(function test_receive_display_uri() {
+  _("Ensure processing of received 'displayURI' commands works.");
+
+  // We don't set up WBOs and perform syncing because other tests verify
+  // the command API works as advertised. This saves us a little work.
+
+  let uri = "http://www.mozilla.org/";
+  let remoteId = Utils.makeGUID();
+
+  let command = {
+    command: "displayURI",
+    args: [uri, remoteId],
+  };
+
+  Clients.localCommands = [command];
+
+  // Received 'displayURI' command should result in the topic defined below
+  // being called.
+  let ev = "weave:engine:clients:display-uri";
+
+  let handler = function(subject, data) {
+    Svc.Obs.remove(ev, handler);
+
+    do_check_eq(subject.uri, uri);
+    do_check_eq(subject.client, remoteId);
+    do_check_eq(data, null);
+
+    run_next_test();
+  };
+
+  Svc.Obs.add(ev, handler);
+
+  do_check_true(Clients.processIncomingCommands());
+});
+
 function run_test() {
   initTestLogging("Trace");
   Log4Moz.repository.getLogger("Sync.Engine.Clients").level = Log4Moz.Level.Trace;
diff --git a/services/sync/tests/unit/test_forms_tracker.js b/services/sync/tests/unit/test_forms_tracker.js
index 9a39816df8a..5506fcb6af4 100644
--- a/services/sync/tests/unit/test_forms_tracker.js
+++ b/services/sync/tests/unit/test_forms_tracker.js
@@ -5,35 +5,35 @@ Cu.import("resource://services-sync/log4moz.js");
 function run_test() {
   _("Verify we've got an empty tracker to work with.");
   let tracker = new FormEngine()._tracker;
-  do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+  do_check_empty(tracker.changedIDs);
   Log4Moz.repository.rootLogger.addAppender(new Log4Moz.DumpAppender());
 
   try {
     _("Create an entry. Won't show because we haven't started tracking yet");
     Svc.Form.addEntry("name", "John Doe");
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
 
     _("Tell the tracker to start tracking changes.");
     Svc.Obs.notify("weave:engine:start-tracking");
     Svc.Form.removeEntry("name", "John Doe");
     Svc.Form.addEntry("email", "john@doe.com");
-    do_check_eq([id for (id in tracker.changedIDs)].length, 2);
+    do_check_attribute_count(tracker.changedIDs, 2);
 
     _("Notifying twice won't do any harm.");
     Svc.Obs.notify("weave:engine:start-tracking");
     Svc.Form.addEntry("address", "Memory Lane");
-    do_check_eq([id for (id in tracker.changedIDs)].length, 3);
+    do_check_attribute_count(tracker.changedIDs, 3);
 
     _("Let's stop tracking again.");
     tracker.clearChangedIDs();
     Svc.Obs.notify("weave:engine:stop-tracking");
     Svc.Form.removeEntry("address", "Memory Lane");
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
 
     _("Notifying twice won't do any harm.");
     Svc.Obs.notify("weave:engine:stop-tracking");
     Svc.Form.removeEntry("email", "john@doe.com");
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
   
     _("Test error detection.");
     // This throws an exception without the fix for Bug 597400.
diff --git a/services/sync/tests/unit/test_history_store.js b/services/sync/tests/unit/test_history_store.js
index 2a54f017650..a4423a74882 100644
--- a/services/sync/tests/unit/test_history_store.js
+++ b/services/sync/tests/unit/test_history_store.js
@@ -78,14 +78,14 @@ function run_test() {
 
 add_test(function test_store() {
   _("Verify that we've got an empty store to work with.");
-  do_check_eq([id for (id in store.getAllIDs())].length, 0);
+  do_check_empty(store.getAllIDs());
 
   _("Let's create an entry in the database.");
   fxuri = Utils.makeURI("http://getfirefox.com/");
    PlacesUtils.history.addPageWithDetails(fxuri, "Get Firefox!", TIMESTAMP1);
 
   _("Verify that the entry exists.");
-  let ids = [id for (id in store.getAllIDs())];
+  let ids = Object.keys(store.getAllIDs());
   do_check_eq(ids.length, 1);
   fxguid = ids[0];
   do_check_true(store.itemExists(fxguid));
@@ -127,7 +127,7 @@ add_test(function test_store_create() {
   tbguid = Utils.makeGUID();
   tburi = Utils.makeURI("http://getthunderbird.com");
   onNextTitleChanged(ensureThrows(function() {
-    do_check_eq([id for (id in store.getAllIDs())].length, 2);
+    do_check_attribute_count(store.getAllIDs(), 2);
     let queryres = queryHistoryVisits(tburi);
     do_check_eq(queryres.length, 1);
     do_check_eq(queryres[0].time, TIMESTAMP3);
@@ -154,7 +154,7 @@ add_test(function test_null_title() {
      visits: [{date: TIMESTAMP3,
                type: Ci.nsINavHistoryService.TRANSITION_TYPED}]}
   ]);
-  do_check_eq([id for (id in store.getAllIDs())].length, 3);
+  do_check_attribute_count(store.getAllIDs(), 3);
   let queryres = queryHistoryVisits(resuri);
   do_check_eq(queryres.length, 1);
   do_check_eq(queryres[0].time, TIMESTAMP3);
@@ -168,7 +168,7 @@ add_test(function test_invalid_records() {
     + "VALUES ('invalid-uri', 'Invalid URI', '.', 1, " + TIMESTAMP3 + ")";
   let stmt = PlacesUtils.history.DBConnection.createAsyncStatement(query);
   let result = Async.querySpinningly(stmt);
-  do_check_eq([id for (id in store.getAllIDs())].length, 4);
+  do_check_attribute_count(store.getAllIDs(), 4);
 
   _("Make sure we report records with invalid URIs.");
   let invalid_uri_guid = Utils.makeGUID();
@@ -255,7 +255,7 @@ add_test(function test_remove() {
 
   _("Make sure wipe works.");
   store.wipe();
-  do_check_eq([id for (id in store.getAllIDs())].length, 0);
+  do_check_empty(store.getAllIDs());
   queryres = queryHistoryVisits(fxuri);
   do_check_eq(queryres.length, 0);
   queryres = queryHistoryVisits(tburi);
diff --git a/services/sync/tests/unit/test_history_tracker.js b/services/sync/tests/unit/test_history_tracker.js
index 322565d466a..faae58ec0b0 100644
--- a/services/sync/tests/unit/test_history_tracker.js
+++ b/services/sync/tests/unit/test_history_tracker.js
@@ -34,7 +34,7 @@ function run_test() {
 
 add_test(function test_empty() {
   _("Verify we've got an empty tracker to work with.");
-  do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+  do_check_empty(tracker.changedIDs);
   do_check_eq(tracker.score, 0);
   run_next_test();
 });
@@ -43,7 +43,7 @@ add_test(function test_not_tracking(next) {
   _("Create history item. Won't show because we haven't started tracking yet");
   addVisit();
   Utils.nextTick(function() {
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
     run_next_test();
   });
@@ -52,7 +52,7 @@ add_test(function test_not_tracking(next) {
 add_test(function test_start_tracking() {
   _("Tell the tracker to start tracking changes.");
   onScoreUpdated(function() {
-    do_check_eq([id for (id in tracker.changedIDs)].length, 1);
+    do_check_attribute_count(tracker.changedIDs, 1);
     do_check_eq(tracker.score, SCORE_INCREMENT_SMALL);
     run_next_test();
   });
@@ -63,7 +63,7 @@ add_test(function test_start_tracking() {
 add_test(function test_start_tracking_twice() {
   _("Notifying twice won't do any harm.");
   onScoreUpdated(function() {
-    do_check_eq([id for (id in tracker.changedIDs)].length, 2);
+    do_check_attribute_count(tracker.changedIDs, 2);
     do_check_eq(tracker.score, 2 * SCORE_INCREMENT_SMALL);
     run_next_test();
   });
@@ -79,7 +79,7 @@ add_test(function test_track_delete() {
 
   onScoreUpdated(function() {
     do_check_true(guid in tracker.changedIDs);
-    do_check_eq([id for (id in tracker.changedIDs)].length, 3);
+    do_check_attribute_count(tracker.changedIDs, 3);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE + 2 * SCORE_INCREMENT_SMALL);
     run_next_test();
   });
@@ -101,7 +101,7 @@ add_test(function test_dont_track_expiration() {
   onScoreUpdated(function() {
     do_check_false(guidToExpire in tracker.changedIDs);
     do_check_true(guidToRemove in tracker.changedIDs);
-    do_check_eq([id for (id in tracker.changedIDs)].length, 1);
+    do_check_attribute_count(tracker.changedIDs, 1);
     run_next_test();
   });
 
@@ -125,7 +125,7 @@ add_test(function test_stop_tracking() {
   Svc.Obs.notify("weave:engine:stop-tracking");
   addVisit();
   Utils.nextTick(function() {
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
     run_next_test();
   });
 });
@@ -135,7 +135,7 @@ add_test(function test_stop_tracking_twice() {
   Svc.Obs.notify("weave:engine:stop-tracking");
   addVisit();
   Utils.nextTick(function() {
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
     run_next_test();
   });
 });
diff --git a/services/sync/tests/unit/test_password_tracker.js b/services/sync/tests/unit/test_password_tracker.js
index 661ca5756c0..699dd5064e7 100644
--- a/services/sync/tests/unit/test_password_tracker.js
+++ b/services/sync/tests/unit/test_password_tracker.js
@@ -11,7 +11,7 @@ function test_tracking() {
 
   _("Verify we've got an empty tracker to work with.");
   let tracker = engine._tracker;
-  do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+  do_check_empty(tracker.changedIDs);
 
   function createPassword() {
     _("RECORD NUM: " + recordNum);
@@ -30,19 +30,19 @@ function test_tracking() {
   try {
     _("Create a password record. Won't show because we haven't started tracking yet");
     createPassword();
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
 
     _("Tell the tracker to start tracking changes.");
     Svc.Obs.notify("weave:engine:start-tracking");
     createPassword();
-    do_check_eq([id for (id in tracker.changedIDs)].length, 1);
+    do_check_attribute_count(tracker.changedIDs, 1);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
 
     _("Notifying twice won't do any harm.");
     Svc.Obs.notify("weave:engine:start-tracking");
     createPassword();
-    do_check_eq([id for (id in tracker.changedIDs)].length, 2);
+    do_check_attribute_count(tracker.changedIDs, 2);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
 
     _("Let's stop tracking again.");
@@ -50,13 +50,13 @@ function test_tracking() {
     tracker.resetScore();
     Svc.Obs.notify("weave:engine:stop-tracking");
     createPassword();
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
 
     _("Notifying twice won't do any harm.");
     Svc.Obs.notify("weave:engine:stop-tracking");
     createPassword();
-    do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
 
   } finally {
@@ -71,7 +71,7 @@ function test_tracking() {
 function test_onWipe() {
   _("Verify we've got an empty tracker to work with.");
   let tracker = engine._tracker;
-  do_check_eq([id for (id in tracker.changedIDs)].length, 0);
+  do_check_empty(tracker.changedIDs);
   do_check_eq(tracker.score, 0);
 
   try {
diff --git a/services/sync/tests/unit/test_prefs_store.js b/services/sync/tests/unit/test_prefs_store.js
index 3e954ee877f..c29c6995e71 100644
--- a/services/sync/tests/unit/test_prefs_store.js
+++ b/services/sync/tests/unit/test_prefs_store.js
@@ -36,7 +36,7 @@ function run_test() {
 
     _("The GUID corresponds to XUL App ID.");
     let allIDs = store.getAllIDs();
-    let ids = [id for (id in allIDs)];
+    let ids = Object.keys(allIDs);
     do_check_eq(ids.length, 1);
     do_check_eq(ids[0], PREFS_GUID);
     do_check_true(allIDs[PREFS_GUID], true);
diff --git a/services/sync/tests/unit/test_prefs_tracker.js b/services/sync/tests/unit/test_prefs_tracker.js
index 0b1aeab47bb..d0353d16543 100644
--- a/services/sync/tests/unit/test_prefs_tracker.js
+++ b/services/sync/tests/unit/test_prefs_tracker.js
@@ -20,7 +20,7 @@ function run_test() {
 
     _("Engine's getChangedID() just returns the one GUID we have.");
     let changedIDs = engine.getChangedIDs();
-    let ids = [id for (id in changedIDs)];
+    let ids = Object.keys(changedIDs);
     do_check_eq(ids.length, 1);
     do_check_eq(ids[0], Utils.encodeBase64url(Services.appinfo.ID));
 
@@ -28,7 +28,7 @@ function run_test() {
     do_check_false(tracker.modified);
 
     _("No modified state, so no changed IDs.");
-    do_check_eq([id for (id in engine.getChangedIDs())].length, 0);
+    do_check_empty(engine.getChangedIDs());
 
     _("Initial score is 0");
     do_check_eq(tracker.score, 0);
diff --git a/services/sync/tests/unit/test_score_triggers.js b/services/sync/tests/unit/test_score_triggers.js
index 89001fd71c7..b0aead4c2e7 100644
--- a/services/sync/tests/unit/test_score_triggers.js
+++ b/services/sync/tests/unit/test_score_triggers.js
@@ -2,6 +2,7 @@
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 Cu.import("resource://services-sync/engines.js");
+Cu.import("resource://services-sync/engines/clients.js");
 Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/policies.js");
 
@@ -95,3 +96,25 @@ add_test(function test_sync_triggered() {
   tracker.score += SCORE_INCREMENT_XLARGE;
 });
 
+add_test(function test_clients_engine_sync_triggered() {
+  _("Ensure that client engine score changes trigger a sync.");
+
+  // The clients engine is not registered like other engines. Therefore,
+  // it needs special treatment throughout the code. Here, we verify the
+  // global score tracker gives it that treatment. See bug 676042 for more.
+
+  let server = sync_httpd_setup();
+  setUp();
+  Service.login();
+
+  const TOPIC = "weave:service:sync:finish";
+  Svc.Obs.add(TOPIC, function onSyncFinish() {
+    Svc.Obs.remove(TOPIC, onSyncFinish);
+    _("Sync due to clients engine change completed.");
+    server.stop(run_next_test);
+  });
+
+  SyncScheduler.syncThreshold = MULTI_DEVICE_THRESHOLD;
+  Clients._tracker.score += SCORE_INCREMENT_XLARGE;
+});
+
diff --git a/services/sync/tests/unit/test_syncengine_sync.js b/services/sync/tests/unit/test_syncengine_sync.js
index 51a89c7393e..5300ad5b5a6 100644
--- a/services/sync/tests/unit/test_syncengine_sync.js
+++ b/services/sync/tests/unit/test_syncengine_sync.js
@@ -402,7 +402,7 @@ add_test(function test_processIncoming_mobile_batchSize() {
     _("On a mobile client, we get new records from the server in batches of 50.");
     engine._syncStartup();
     engine._processIncoming();
-    do_check_eq([id for (id in engine._store.items)].length, 234);
+    do_check_attribute_count(engine._store.items, 234);
     do_check_true('record-no-0' in engine._store.items);
     do_check_true('record-no-49' in engine._store.items);
     do_check_true('record-no-50' in engine._store.items);
@@ -473,7 +473,7 @@ add_test(function test_processIncoming_store_toFetch() {
 
     // Confirm initial environment
     do_check_eq(engine.lastSync, 0);
-    do_check_eq([id for (id in engine._store.items)].length, 0);
+    do_check_empty(engine._store.items);
 
     let error;
     try {
@@ -484,7 +484,7 @@ add_test(function test_processIncoming_store_toFetch() {
     do_check_true(!!error);
 
     // Only the first two batches have been applied.
-    do_check_eq([id for (id in engine._store.items)].length,
+    do_check_eq(Object.keys(engine._store.items).length,
                 MOBILE_BATCH_SIZE * 2);
 
     // The third batch is stuck in toFetch. lastSync has been moved forward to
@@ -602,14 +602,13 @@ add_test(function test_processIncoming_applyIncomingBatchSize_smaller() {
   try {
 
     // Confirm initial environment
-    do_check_eq([id for (id in engine._store.items)].length, 0);
+    do_check_empty(engine._store.items);
 
     engine._syncStartup();
     engine._processIncoming();
 
     // Records have been applied and the expected failures have failed.
-    do_check_eq([id for (id in engine._store.items)].length,
-                APPLY_BATCH_SIZE - 1 - 2);
+    do_check_attribute_count(engine._store.items, APPLY_BATCH_SIZE - 1 - 2);
     do_check_eq(engine.toFetch.length, 0);
     do_check_eq(engine.previousFailed.length, 2);
     do_check_eq(engine.previousFailed[0], "record-no-0");
@@ -658,15 +657,14 @@ add_test(function test_processIncoming_applyIncomingBatchSize_multiple() {
   try {
 
     // Confirm initial environment
-    do_check_eq([id for (id in engine._store.items)].length, 0);
+    do_check_empty(engine._store.items);
 
     engine._syncStartup();
     engine._processIncoming();
 
     // Records have been applied in 3 batches.
     do_check_eq(batchCalls, 3);
-    do_check_eq([id for (id in engine._store.items)].length,
-                APPLY_BATCH_SIZE * 3);
+    do_check_attribute_count(engine._store.items, APPLY_BATCH_SIZE * 3);
 
   } finally {
     cleanAndGo(server);
@@ -712,7 +710,7 @@ add_test(function test_processIncoming_notify_count() {
     do_check_eq(engine.lastSync, 0);
     do_check_eq(engine.toFetch.length, 0);
     do_check_eq(engine.previousFailed.length, 0);
-    do_check_eq([id for (id in engine._store.items)].length, 0);
+    do_check_empty(engine._store.items);
 
     let called = 0;
     let counts;
@@ -728,7 +726,7 @@ add_test(function test_processIncoming_notify_count() {
     engine._processIncoming();
     
     // Confirm failures.
-    do_check_eq([id for (id in engine._store.items)].length, 12);
+    do_check_attribute_count(engine._store.items, 12);
     do_check_eq(engine.previousFailed.length, 3);
     do_check_eq(engine.previousFailed[0], "record-no-0");
     do_check_eq(engine.previousFailed[1], "record-no-5");
@@ -744,7 +742,7 @@ add_test(function test_processIncoming_notify_count() {
     engine._processIncoming();
     
     // Confirming removed failures.
-    do_check_eq([id for (id in engine._store.items)].length, 14);
+    do_check_attribute_count(engine._store.items, 14);
     do_check_eq(engine.previousFailed.length, 1);
     do_check_eq(engine.previousFailed[0], "record-no-0");
 
@@ -799,7 +797,7 @@ add_test(function test_processIncoming_previousFailed() {
     do_check_eq(engine.lastSync, 0);
     do_check_eq(engine.toFetch.length, 0);
     do_check_eq(engine.previousFailed.length, 0);
-    do_check_eq([id for (id in engine._store.items)].length, 0);
+    do_check_empty(engine._store.items);
 
     // Initial failed items in previousFailed to be reset.
     let previousFailed = [Utils.makeGUID(), Utils.makeGUID(), Utils.makeGUID()];
@@ -811,7 +809,7 @@ add_test(function test_processIncoming_previousFailed() {
     engine._processIncoming();
 
     // Expected result: 4 sync batches with 2 failures each => 8 failures
-    do_check_eq([id for (id in engine._store.items)].length, 6);
+    do_check_attribute_count(engine._store.items, 6);
     do_check_eq(engine.previousFailed.length, 8);
     do_check_eq(engine.previousFailed[0], "record-no-0");
     do_check_eq(engine.previousFailed[1], "record-no-1");
@@ -827,7 +825,7 @@ add_test(function test_processIncoming_previousFailed() {
 
     // A second sync with the same failed items should not add the same items again.
     // Items that did not fail a second time should no longer be in previousFailed.
-    do_check_eq([id for (id in engine._store.items)].length, 10);
+    do_check_attribute_count(engine._store.items, 10);
     do_check_eq(engine.previousFailed.length, 4);
     do_check_eq(engine.previousFailed[0], "record-no-0");
     do_check_eq(engine.previousFailed[1], "record-no-1");
@@ -854,7 +852,7 @@ add_test(function test_processIncoming_failed_records() {
   // Let's create three and a bit batches worth of server side records.
   let collection = new ServerCollection();
   const NUMBER_OF_RECORDS = MOBILE_BATCH_SIZE * 3 + 5;
-  for (var i = 0; i < NUMBER_OF_RECORDS; i++) {
+  for (let i = 0; i < NUMBER_OF_RECORDS; i++) {
     let id = 'record-no-' + i;
     let payload = encryptPayload({id: id, denomination: "Record No. " + id});
     let wbo = new ServerWBO(id, payload);
@@ -916,7 +914,7 @@ add_test(function test_processIncoming_failed_records() {
     do_check_eq(engine.lastSync, 0);
     do_check_eq(engine.toFetch.length, 0);
     do_check_eq(engine.previousFailed.length, 0);
-    do_check_eq([id for (id in engine._store.items)].length, 0);
+    do_check_empty(engine._store.items);
 
     let observerSubject;
     let observerData;
@@ -930,8 +928,8 @@ add_test(function test_processIncoming_failed_records() {
     engine._processIncoming();
 
     // Ensure that all records but the bogus 4 have been applied.
-    do_check_eq([id for (id in engine._store.items)].length,
-                NUMBER_OF_RECORDS - BOGUS_RECORDS.length);
+    do_check_attribute_count(engine._store.items,
+                             NUMBER_OF_RECORDS - BOGUS_RECORDS.length);
 
     // Ensure that the bogus records will be fetched again on the next sync.
     do_check_eq(engine.previousFailed.length, BOGUS_RECORDS.length);
@@ -1530,7 +1528,7 @@ add_test(function test_syncapplied_observer() {
     engine._syncStartup();
     engine._processIncoming();
 
-    do_check_eq([id for (id in engine._store.items)].length, 10);
+    do_check_attribute_count(engine._store.items, 10);
 
     do_check_eq(numApplyCalls, 1);
     do_check_eq(engine_name, "rotary");
diff --git a/services/sync/tests/unit/test_tab_tracker.js b/services/sync/tests/unit/test_tab_tracker.js
index 11dd4d4f0a6..cf9d5bd6769 100644
--- a/services/sync/tests/unit/test_tab_tracker.js
+++ b/services/sync/tests/unit/test_tab_tracker.js
@@ -47,7 +47,7 @@ function run_test() {
   _("We assume that tabs have changed at startup.");
   let tracker = engine._tracker;
   do_check_true(tracker.modified);
-  do_check_true(Utils.deepEquals([id for (id in engine.getChangedIDs())],
+  do_check_true(Utils.deepEquals(Object.keys(engine.getChangedIDs()),
                                  [Clients.localID]));
 
   let logs;
@@ -91,7 +91,7 @@ function run_test() {
     // Send a fake tab event
     tracker.onTab({type: evttype , originalTarget: evttype});
     do_check_true(tracker.modified);
-    do_check_true(Utils.deepEquals([id for (id in engine.getChangedIDs())],
+    do_check_true(Utils.deepEquals(Object.keys(engine.getChangedIDs()),
                                    [Clients.localID]));
     do_check_eq(logs.length, idx+1);
     do_check_eq(logs[idx].target, evttype);
@@ -105,7 +105,7 @@ function run_test() {
   do_check_false(tracker.modified);
 
   tracker.onTab({type: "pageshow", originalTarget: "pageshow"});
-  do_check_true(Utils.deepEquals([id for (id in engine.getChangedIDs())],
+  do_check_true(Utils.deepEquals(Object.keys(engine.getChangedIDs()),
                                  [Clients.localID]));
   do_check_eq(logs.length, idx); // test that setTabValue isn't called
 }
diff --git a/services/sync/tps/install.rdf b/services/sync/tps/install.rdf
index e8d6dee6639..a62f8f4371a 100644
--- a/services/sync/tps/install.rdf
+++ b/services/sync/tps/install.rdf
@@ -10,7 +10,7 @@
       <Description>
         <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
         <em:minVersion>3.5.0</em:minVersion>
-        <em:maxVersion>8.0.*</em:maxVersion>
+        <em:maxVersion>10.0.*</em:maxVersion>
       </Description>
     </em:targetApplication>
 
diff --git a/testing/tps/setup.py b/testing/tps/setup.py
index b378b493643..3c86e1eafc3 100644
--- a/testing/tps/setup.py
+++ b/testing/tps/setup.py
@@ -43,7 +43,7 @@ version = '0.2.40'
 deps = ['pulsebuildmonitor >= 0.2', 'MozillaPulse == .4', 
         'mozinfo == 0.3.1', 'mozprofile == 0.1a',
         'mozprocess == 0.1a', 'mozrunner == 3.0a', 'mozregression == 0.3',
-        'mozautolog >= 0.2.0']
+        'mozautolog >= 0.2.1']
 
 # we only support python 2.6+ right now
 assert sys.version_info[0] == 2
diff --git a/testing/xpcshell/xpcshell.ini b/testing/xpcshell/xpcshell.ini
index 730cf3029a8..1b01a00a3ea 100644
--- a/testing/xpcshell/xpcshell.ini
+++ b/testing/xpcshell/xpcshell.ini
@@ -5,7 +5,6 @@
 [include:uriloader/exthandler/tests/unit/xpcshell.ini]
 [include:parser/xml/test/unit/xpcshell.ini]
 [include:modules/libpr0n/test/unit/xpcshell.ini]
-[include:modules/plugin/test/unit/xpcshell.ini]
 [include:dom/plugins/test/unit/xpcshell.ini]
 [include:dom/src/json/test/unit/xpcshell.ini]
 [include:dom/tests/unit/xpcshell.ini]
diff --git a/toolkit/components/alerts/mac/mozGrowlDelegate.mm b/toolkit/components/alerts/mac/mozGrowlDelegate.mm
index 1d5f913d765..4cf982c05d6 100644
--- a/toolkit/components/alerts/mac/mozGrowlDelegate.mm
+++ b/toolkit/components/alerts/mac/mozGrowlDelegate.mm
@@ -79,6 +79,10 @@ GetWindowOfObserver(nsIObserver* aObserver)
   NS_ENSURE_SUCCESS(rv, nsnull);
 
   JSAutoRequest ar(cx);
+  JSAutoEnterCompartment ac;
+  if (!ac.enter(cx, obj)) {
+    return nsnull;
+  }
 
   JSObject* global = JS_GetGlobalForObject(cx, obj);
   NS_ENSURE_TRUE(global, nsnull);
diff --git a/toolkit/components/alerts/resources/content/alert.js b/toolkit/components/alerts/resources/content/alert.js
index 95cd631a2e0..8e4dcf36906 100644
--- a/toolkit/components/alerts/resources/content/alert.js
+++ b/toolkit/components/alerts/resources/content/alert.js
@@ -48,7 +48,8 @@ var gSlideIncrement = 1;
 var gSlideTime = 10;
 var gOpenTime = 3000; // total time the alert should stay up once we are done animating.
 var gOrigin = 0; // Default value: alert from bottom right, sliding in vertically.
-
+var gDisableSlideEffect = false;
+ 
 var gAlertListener = null;
 var gAlertTextClickable = false;
 var gAlertCookie = "";
@@ -92,20 +93,14 @@ function prefillAlertInfo()
 
 function onAlertLoad()
 {
-  // Read out our initial settings from prefs.
-  try 
-  {
-    var prefService = Components.classes["@mozilla.org/preferences-service;1"].getService();
-    prefService = prefService.QueryInterface(Components.interfaces.nsIPrefService);
-    var prefBranch = prefService.getBranch(null);
-    gSlideIncrement = prefBranch.getIntPref("alerts.slideIncrement");
-    gSlideTime = prefBranch.getIntPref("alerts.slideIncrementTime");
-    gOpenTime = prefBranch.getIntPref("alerts.totalOpenTime");
-  }
-  catch (ex)
-  {
-  }
-
+  var prefService = Components.classes["@mozilla.org/preferences-service;1"].getService();
+  prefService = prefService.QueryInterface(Components.interfaces.nsIPrefService);
+  var prefBranch = prefService.getBranch(null);
+  gSlideIncrement = prefBranch.getIntPref("alerts.slideIncrement");
+  gSlideTime = prefBranch.getIntPref("alerts.slideIncrementTime");
+  gOpenTime = prefBranch.getIntPref("alerts.totalOpenTime");
+  gDisableSlideEffect = prefBranch.getBoolPref("alerts.disableSlidingEffect");
+ 
   // Make sure that the contents are fixed at the window edge facing the
   // screen's center so that the window looks like "sliding in" and not
   // like "unfolding". The default packing of "start" only works for
@@ -170,6 +165,9 @@ function animate(step)
 {
   gCurrentSize += step;
 
+  if (gFinalSize < gCurrentSize)
+    gCurrentSize = gFinalSize;
+
   if (gOrigin & NS_ALERT_HORIZONTAL)
   {
     if (!(gOrigin & NS_ALERT_LEFT))
@@ -188,7 +186,10 @@ function animateAlert()
 {
   if (gCurrentSize < gFinalSize)
   {
-    animate(gSlideIncrement);
+    if (gDisableSlideEffect)
+      animate(gFinalSize); // We don't begin on zero.
+    else
+      animate(gSlideIncrement);
     setTimeout(animateAlert, gSlideTime);
   }
   else
@@ -197,7 +198,7 @@ function animateAlert()
 
 function animateCloseAlert()
 {
-  if (gCurrentSize > 1)
+  if (gCurrentSize > 1 && !gDisableSlideEffect)
   {
     animate(-gSlideIncrement);
     setTimeout(animateCloseAlert, gSlideTime);
diff --git a/toolkit/components/contentprefs/nsContentPrefService.js b/toolkit/components/contentprefs/nsContentPrefService.js
index a5f417ff171..a56344fec83 100644
--- a/toolkit/components/contentprefs/nsContentPrefService.js
+++ b/toolkit/components/contentprefs/nsContentPrefService.js
@@ -75,8 +75,9 @@ function electrolify(service) {
       // messages. The whitelist contains only those settings that
       // are not at risk for either.
       // We currently whitelist saving/reading the last directory of file
-      // uploads, which is so far the only need we have identified.
-      const NAME_WHITELIST = ["browser.upload.lastDir"];
+      // uploads, and the last current spellchecker dictionary which are so far
+      // the only need we have identified.
+      const NAME_WHITELIST = ["browser.upload.lastDir", "spellcheck.lang"];
       if (NAME_WHITELIST.indexOf(json.name) == -1)
         return { succeeded: false };
 
diff --git a/toolkit/components/places/Helpers.cpp b/toolkit/components/places/Helpers.cpp
index 4572c3086da..29aa466ed61 100644
--- a/toolkit/components/places/Helpers.cpp
+++ b/toolkit/components/places/Helpers.cpp
@@ -377,14 +377,6 @@ GetHiddenState(bool aIsRedirect,
 
 PlacesEvent::PlacesEvent(const char* aTopic)
 : mTopic(aTopic)
-, mDoubleEnqueue(false)
-{
-}
-
-PlacesEvent::PlacesEvent(const char* aTopic,
-                         bool aDoubleEnqueue)
-: mTopic(aTopic)
-, mDoubleEnqueue(aDoubleEnqueue)
 {
 }
 
@@ -405,16 +397,10 @@ PlacesEvent::Complete()
 void
 PlacesEvent::Notify()
 {
-  if (mDoubleEnqueue) {
-    mDoubleEnqueue = false;
-    (void)NS_DispatchToMainThread(this);
-  }
-  else {
-    NS_ASSERTION(NS_IsMainThread(), "Must only be used on the main thread!");
-    nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();
-    if (obs) {
-      (void)obs->NotifyObservers(nsnull, mTopic, nsnull);
-    }
+  NS_ASSERTION(NS_IsMainThread(), "Must only be used on the main thread!");
+  nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();
+  if (obs) {
+    (void)obs->NotifyObservers(nsnull, mTopic, nsnull);
   }
 }
 
diff --git a/toolkit/components/places/Helpers.h b/toolkit/components/places/Helpers.h
index ff692e429ec..6f8de97fd93 100644
--- a/toolkit/components/places/Helpers.h
+++ b/toolkit/components/places/Helpers.h
@@ -298,12 +298,10 @@ public:
   NS_DECL_MOZISTORAGECOMPLETIONCALLBACK
 
   PlacesEvent(const char* aTopic);
-  PlacesEvent(const char* aTopic, bool aDoubleEnqueue);
 protected:
   void Notify();
 
   const char* const mTopic;
-  bool mDoubleEnqueue;
 };
 
 } // namespace places
diff --git a/toolkit/components/places/History.cpp b/toolkit/components/places/History.cpp
index 58f28a2645e..054e96264bf 100644
--- a/toolkit/components/places/History.cpp
+++ b/toolkit/components/places/History.cpp
@@ -63,9 +63,6 @@
 // Initial size for the cache holding visited status observers.
 #define VISIT_OBSERVERS_INITIAL_CACHE_SIZE 128
 
-// Topic used to notify that work in mozIAsyncHistory::updatePlaces is done.
-#define TOPIC_UPDATEPLACES_COMPLETE "places-updatePlaces-complete"
-
 using namespace mozilla::dom;
 using mozilla::unused;
 
@@ -531,14 +528,14 @@ private:
 };
 
 /**
- * Notifies a callback object about completion.
+ * Notifies a callback object when a visit has been handled.
  */
-class NotifyCompletion : public nsRunnable
+class NotifyVisitInfoCallback : public nsRunnable
 {
 public:
-  NotifyCompletion(mozIVisitInfoCallback* aCallback,
-                   const VisitData& aPlace,
-                   nsresult aResult)
+  NotifyVisitInfoCallback(mozIVisitInfoCallback* aCallback,
+                          const VisitData& aPlace,
+                          nsresult aResult)
   : mCallback(aCallback)
   , mPlace(aPlace)
   , mResult(aResult)
@@ -590,6 +587,44 @@ private:
   const nsresult mResult;
 };
 
+/**
+ * Notifies a callback object when the operation is complete.
+ */
+class NotifyCompletion : public nsRunnable
+{
+public:
+  NotifyCompletion(mozIVisitInfoCallback* aCallback)
+  : mCallback(aCallback)
+  {
+    NS_PRECONDITION(aCallback, "Must pass a non-null callback!");
+  }
+
+  NS_IMETHOD Run()
+  {
+    if (NS_IsMainThread()) {
+      (void)mCallback->HandleCompletion();
+    }
+    else {
+      (void)NS_DispatchToMainThread(this);
+
+      // Also dispatch an event to release the reference to the callback after
+      // we have run.
+      nsCOMPtr<nsIThread> mainThread = do_GetMainThread();
+      (void)NS_ProxyRelease(mainThread, mCallback, PR_TRUE);
+    }
+    return NS_OK;
+  }
+
+private:
+  /**
+   * Callers MUST hold a strong reference to this because we may be created
+   * off of the main thread, and therefore cannot call AddRef on this object
+   * (and therefore cannot hold a strong reference to it). If invoked from a
+   * background thread, NotifyCompletion will release the reference to this.
+   */
+  mozIVisitInfoCallback* mCallback;
+};
+
 /**
  * Checks to see if we can add aURI to history, and dispatches an error to
  * aCallback (if provided) if we cannot.
@@ -618,7 +653,7 @@ CanAddURI(nsIURI* aURI,
 
   // We cannot add the URI.  Notify the callback, if we were given one.
   if (aCallback) {
-    // NotifyCompletion does not hold a strong reference to the callback, so we
+    // NotifyVisitInfoCallback does not hold a strong reference to the callback, so we
     // have to manage it by AddRefing now and then releasing it after the event
     // has run.
     NS_ADDREF(aCallback);
@@ -626,11 +661,11 @@ CanAddURI(nsIURI* aURI,
     VisitData place(aURI);
     place.guid = aGUID;
     nsCOMPtr<nsIRunnable> event =
-      new NotifyCompletion(aCallback, place, NS_ERROR_INVALID_ARG);
+      new NotifyVisitInfoCallback(aCallback, place, NS_ERROR_INVALID_ARG);
     (void)NS_DispatchToMainThread(event);
 
     // Also dispatch an event to release our reference to the callback after
-    // NotifyCompletion has run.
+    // NotifyVisitInfoCallback has run.
     nsCOMPtr<nsIThread> mainThread = do_GetMainThread();
     (void)NS_ProxyRelease(mainThread, aCallback, PR_TRUE);
   }
@@ -697,7 +732,7 @@ public:
       nsresult rv = DoDatabaseInserts(known, place, referrer);
       if (mCallback) {
         nsCOMPtr<nsIRunnable> event =
-          new NotifyCompletion(mCallback, place, rv);
+          new NotifyVisitInfoCallback(mCallback, place, rv);
         nsresult rv2 = NS_DispatchToMainThread(event);
         NS_ENSURE_SUCCESS(rv2, rv2);
       }
@@ -1230,16 +1265,16 @@ StoreAndNotifyEmbedVisit(VisitData& aPlace,
   navHistory->registerEmbedVisit(uri, aPlace.visitTime);
 
   if (aCallback) {
-    // NotifyCompletion does not hold a strong reference to the callback, so we
-    // have to manage it by AddRefing now and then releasing it after the event
-    // has run.
+    // NotifyVisitInfoCallback does not hold a strong reference to the callback,
+    // so we have to manage it by AddRefing now and then releasing it after the
+    // event has run.
     NS_ADDREF(aCallback);
     nsCOMPtr<nsIRunnable> event =
-      new NotifyCompletion(aCallback, aPlace, NS_OK);
+      new NotifyVisitInfoCallback(aCallback, aPlace, NS_OK);
     (void)NS_DispatchToMainThread(event);
 
     // Also dispatch an event to release our reference to the callback after
-    // NotifyCompletion has run.
+    // NotifyVisitInfoCallback has run.
     nsCOMPtr<nsIThread> mainThread = do_GetMainThread();
     (void)NS_ProxyRelease(mainThread, aCallback, PR_TRUE);
   }
@@ -1975,14 +2010,22 @@ History::UpdatePlaces(const jsval& aPlaceInfos,
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
-  // Be sure to notify that all of our operations are complete.  This is
-  // double enqueued to make sure that all database notifications and all embed
-  // or canAddURI notifications have finished.
-  nsCOMPtr<nsIEventTarget> backgroundThread = do_GetInterface(dbConn);
-  NS_ENSURE_TRUE(backgroundThread, NS_ERROR_UNEXPECTED);
-  nsRefPtr<PlacesEvent> completeEvent =
-    new PlacesEvent(TOPIC_UPDATEPLACES_COMPLETE, true);
-  (void)backgroundThread->Dispatch(completeEvent, 0);
+  // Be sure to notify that all of our operations are complete.  This
+  // is dispatched to the background thread first and redirected to the
+  // main thread from there to make sure that all database notifications
+  // and all embed or canAddURI notifications have finished.
+  if (aCallback) {
+    // NotifyCompletion does not hold a strong reference to the callback,
+    // so we have to manage it by AddRefing now. NotifyCompletion will
+    // release it for us once it has dispatched the callback to the main
+    // thread.
+    NS_ADDREF(aCallback);
+
+    nsCOMPtr<nsIEventTarget> backgroundThread = do_GetInterface(dbConn);
+    NS_ENSURE_TRUE(backgroundThread, NS_ERROR_UNEXPECTED);
+    nsCOMPtr<nsIRunnable> event = new NotifyCompletion(aCallback);
+    (void)backgroundThread->Dispatch(event, NS_DISPATCH_NORMAL);
+  }
 
   return NS_OK;
 }
diff --git a/toolkit/components/places/mozIAsyncHistory.idl b/toolkit/components/places/mozIAsyncHistory.idl
index ca3a37fbc4c..d868d560b4e 100644
--- a/toolkit/components/places/mozIAsyncHistory.idl
+++ b/toolkit/components/places/mozIAsyncHistory.idl
@@ -122,7 +122,7 @@ interface mozIPlaceInfo : nsISupports
 /**
  * @status EXPERIMENTAL
  */
-[scriptable, uuid(eb0b406f-8f57-4f2b-b0da-8883684b138a)]
+[scriptable, uuid(1f266877-2859-418b-a11b-ec3ae4f4f93d)]
 interface mozIVisitInfoCallback : nsISupports
 {
   /**
@@ -147,6 +147,12 @@ interface mozIVisitInfoCallback : nsISupports
    */
   void handleResult(in mozIPlaceInfo aPlaceInfo);
 
+  /**
+   * Called when the mozIAsyncHistory::updatePlaces has finished processing
+   * all mozIPlaceInfo records.
+   */
+  void handleCompletion();
+
 };
 
 /**
diff --git a/toolkit/components/places/nsNavBookmarks.cpp b/toolkit/components/places/nsNavBookmarks.cpp
index 10aa0c76d0e..c46917ceede 100644
--- a/toolkit/components/places/nsNavBookmarks.cpp
+++ b/toolkit/components/places/nsNavBookmarks.cpp
@@ -67,6 +67,12 @@
 // Threashold to expire old bookmarks if the initial cache size is exceeded.
 #define RECENT_BOOKMARKS_THRESHOLD PRTime((PRInt64)1 * 60 * PR_USEC_PER_SEC)
 
+#define BEGIN_CRITICAL_BOOKMARK_CACHE_SECTION(_itemId_) \
+  mRecentBookmarksCache.RemoveEntry(_itemId_)
+
+#define END_CRITICAL_BOOKMARK_CACHE_SECTION(_itemId_) \
+  MOZ_ASSERT(!mRecentBookmarksCache.GetEntry(_itemId_))
+
 #define TOPIC_PLACES_MAINTENANCE "places-maintenance-finished"
 
 const PRInt32 nsNavBookmarks::kFindURIBookmarksIndex_Id = 0;
@@ -1052,7 +1058,7 @@ nsNavBookmarks::RemoveItem(PRInt64 aItemId)
   NS_ENSURE_ARG(aItemId != mRoot);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, true);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   NOTIFY_OBSERVERS(mCanNotify, mCacheObservers, mObservers,
@@ -1086,6 +1092,8 @@ nsNavBookmarks::RemoveItem(PRInt64 aItemId)
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
+  BEGIN_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   DECLARE_AND_ASSIGN_SCOPED_LAZY_STMT(stmt, mDBRemoveItem);
   rv = stmt->BindInt64ByName(NS_LITERAL_CSTRING("item_id"), bookmark.id);
   NS_ENSURE_SUCCESS(rv, rv);
@@ -1107,6 +1115,8 @@ nsNavBookmarks::RemoveItem(PRInt64 aItemId)
   rv = transaction.Commit();
   NS_ENSURE_SUCCESS(rv, rv);
 
+  END_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   if (!mBatching) {
     ForceWALCheckpoint(mDBConn);
   }
@@ -1501,7 +1511,7 @@ nsNavBookmarks::RemoveFolderChildren(PRInt64 aFolderId)
   NS_ENSURE_ARG_MIN(aFolderId, 1);
 
   BookmarkData folder;
-  nsresult rv = FetchItemInfo(aFolderId, folder, true);
+  nsresult rv = FetchItemInfo(aFolderId, folder);
   NS_ENSURE_SUCCESS(rv, rv);
   NS_ENSURE_ARG(folder.type == TYPE_FOLDER);
 
@@ -1516,9 +1526,6 @@ nsNavBookmarks::RemoveFolderChildren(PRInt64 aFolderId)
   for (PRUint32 i = 0; i < folderChildrenArray.Length(); ++i) {
     BookmarkData& child = folderChildrenArray[i];
 
-    // Invalidate the bookmark cache.
-    mRecentBookmarksCache.RemoveEntry(child.id);
-
     // Notify observers that we are about to remove this child.
     NOTIFY_OBSERVERS(mCanNotify, mCacheObservers, mObservers,
                      nsINavBookmarkObserver,
@@ -1543,6 +1550,8 @@ nsNavBookmarks::RemoveFolderChildren(PRInt64 aFolderId)
         }
       }
     }
+
+    BEGIN_CRITICAL_BOOKMARK_CACHE_SECTION(child.id);
   }
 
   // Delete items from the database now.
@@ -1587,6 +1596,7 @@ nsNavBookmarks::RemoveFolderChildren(PRInt64 aFolderId)
       rv = UpdateKeywordsHashForRemovedBookmark(child.id);
       NS_ENSURE_SUCCESS(rv, rv);
     }
+    END_CRITICAL_BOOKMARK_CACHE_SECTION(child.id);
   }
 
   rv = transaction.Commit();
@@ -1658,7 +1668,7 @@ nsNavBookmarks::MoveItem(PRInt64 aItemId, PRInt64 aNewParent, PRInt32 aIndex)
   mozStorageTransaction transaction(mDBConn, PR_FALSE);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, true);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   // if parent and index are the same, nothing to do
@@ -1739,6 +1749,8 @@ nsNavBookmarks::MoveItem(PRInt64 aItemId, PRInt64 aNewParent, PRInt32 aIndex)
     NS_ENSURE_SUCCESS(rv, rv);
   }
 
+  BEGIN_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   {
     // Update parent and position.
     DECLARE_AND_ASSIGN_SCOPED_LAZY_STMT(stmt, mDBMoveItem);
@@ -1763,6 +1775,8 @@ nsNavBookmarks::MoveItem(PRInt64 aItemId, PRInt64 aNewParent, PRInt32 aIndex)
   rv = transaction.Commit();
   NS_ENSURE_SUCCESS(rv, rv);
 
+  END_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   NOTIFY_OBSERVERS(mCanNotify, mCacheObservers, mObservers,
                    nsINavBookmarkObserver,
                    OnItemMoved(bookmark.id,
@@ -1788,17 +1802,13 @@ nsNavBookmarks::MoveItem(PRInt64 aItemId, PRInt64 aNewParent, PRInt32 aIndex)
 
 nsresult
 nsNavBookmarks::FetchItemInfo(PRInt64 aItemId,
-                              BookmarkData& _bookmark,
-                              bool aInvalidateCache)
+                              BookmarkData& _bookmark)
 {
   // Check if the requested id is in the recent cache and avoid the database
   // lookup if so.  Invalidate the cache after getting data if requested.
   BookmarkKeyClass* key = mRecentBookmarksCache.GetEntry(aItemId);
   if (key) {
     _bookmark = key->bookmark;
-    if (aInvalidateCache) {
-      mRecentBookmarksCache.RemoveEntry(aItemId);
-    }
     return NS_OK;
   }
 
@@ -1864,15 +1874,14 @@ nsNavBookmarks::FetchItemInfo(PRInt64 aItemId,
     _bookmark.grandParentId = -1;
   }
 
-  if (!aInvalidateCache) {
-    // Make space for the new entry.
-    ExpireNonrecentBookmarks(&mRecentBookmarksCache);
-    // Update the recent bookmarks cache.
-    BookmarkKeyClass* key = mRecentBookmarksCache.PutEntry(aItemId);
-    if (key) {
-      key->bookmark = _bookmark;
-    }
+  // Make space for the new entry.
+  ExpireNonrecentBookmarks(&mRecentBookmarksCache);
+  // Update the recent bookmarks cache.
+  key = mRecentBookmarksCache.PutEntry(aItemId);
+  if (key) {
+    key->bookmark = _bookmark;
   }
+
   return NS_OK;
 }
 
@@ -1881,6 +1890,8 @@ nsNavBookmarks::SetItemDateInternal(mozIStorageStatement* aStatement,
                                     PRInt64 aItemId,
                                     PRTime aValue)
 {
+  BEGIN_CRITICAL_BOOKMARK_CACHE_SECTION(aItemId);
+
   NS_ENSURE_STATE(aStatement);
   mozStorageStatementScoper scoper(aStatement);
 
@@ -1892,6 +1903,8 @@ nsNavBookmarks::SetItemDateInternal(mozIStorageStatement* aStatement,
   rv = aStatement->Execute();
   NS_ENSURE_SUCCESS(rv, rv);
 
+  END_CRITICAL_BOOKMARK_CACHE_SECTION(aItemId);
+
   // note, we are not notifying the observers
   // that the item has changed.
 
@@ -1905,7 +1918,7 @@ nsNavBookmarks::SetItemDateAdded(PRInt64 aItemId, PRTime aDateAdded)
   NS_ENSURE_ARG_MIN(aItemId, 1);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, true);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
   bookmark.dateAdded = aDateAdded;
 
@@ -1936,7 +1949,7 @@ nsNavBookmarks::GetItemDateAdded(PRInt64 aItemId, PRTime* _dateAdded)
   NS_ENSURE_ARG_POINTER(_dateAdded);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, false);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   *_dateAdded = bookmark.dateAdded;
@@ -1950,7 +1963,7 @@ nsNavBookmarks::SetItemLastModified(PRInt64 aItemId, PRTime aLastModified)
   NS_ENSURE_ARG_MIN(aItemId, 1);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, true);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
   bookmark.lastModified = aLastModified;
 
@@ -1981,7 +1994,7 @@ nsNavBookmarks::GetItemLastModified(PRInt64 aItemId, PRTime* _lastModified)
   NS_ENSURE_ARG_POINTER(_lastModified);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, false);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   *_lastModified = bookmark.lastModified;
@@ -2086,9 +2099,11 @@ nsNavBookmarks::SetItemTitle(PRInt64 aItemId, const nsACString& aTitle)
   NS_ENSURE_ARG_MIN(aItemId, 1);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, true);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
+  BEGIN_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   DECLARE_AND_ASSIGN_SCOPED_LAZY_STMT(statement, mDBSetItemTitle);
   // Support setting a null title, we support this in insertBookmark.
   if (aTitle.IsVoid()) {
@@ -2109,6 +2124,8 @@ nsNavBookmarks::SetItemTitle(PRInt64 aItemId, const nsACString& aTitle)
   rv = statement->Execute();
   NS_ENSURE_SUCCESS(rv, rv);
 
+  END_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   NOTIFY_OBSERVERS(mCanNotify, mCacheObservers, mObservers,
                    nsINavBookmarkObserver,
                    OnItemChanged(bookmark.id,
@@ -2131,7 +2148,7 @@ nsNavBookmarks::GetItemTitle(PRInt64 aItemId,
   NS_ENSURE_ARG_MIN(aItemId, 1);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, false);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   _title = bookmark.title;
@@ -2147,7 +2164,7 @@ nsNavBookmarks::GetBookmarkURI(PRInt64 aItemId,
   NS_ENSURE_ARG_POINTER(_URI);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, false);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   rv = NS_NewURI(_URI, bookmark.url);
@@ -2164,7 +2181,7 @@ nsNavBookmarks::GetItemType(PRInt64 aItemId, PRUint16* _type)
   NS_ENSURE_ARG_POINTER(_type);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, false);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   *_type = static_cast<PRUint16>(bookmark.type);
@@ -2179,7 +2196,7 @@ nsNavBookmarks::GetFolderType(PRInt64 aItemId,
   NS_ENSURE_ARG_MIN(aItemId, 1);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, false);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   _type = bookmark.serviceCID;
@@ -2193,7 +2210,7 @@ nsNavBookmarks::ResultNodeForContainer(PRInt64 aItemId,
                                        nsNavHistoryResultNode** aNode)
 {
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, false);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (bookmark.type == TYPE_DYNAMIC_CONTAINER) {
@@ -2461,7 +2478,7 @@ nsNavBookmarks::ChangeBookmarkURI(PRInt64 aBookmarkId, nsIURI* aNewURI)
   NS_ENSURE_ARG(aNewURI);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aBookmarkId, bookmark, true);
+  nsresult rv = FetchItemInfo(aBookmarkId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
   NS_ENSURE_ARG(bookmark.type == TYPE_BOOKMARK);
 
@@ -2476,6 +2493,8 @@ nsNavBookmarks::ChangeBookmarkURI(PRInt64 aBookmarkId, nsIURI* aNewURI)
   if (!newPlaceId)
     return NS_ERROR_INVALID_ARG;
 
+  BEGIN_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   DECLARE_AND_ASSIGN_SCOPED_LAZY_STMT(statement, mDBChangeBookmarkURI);
   rv = statement->BindInt64ByName(NS_LITERAL_CSTRING("page_id"), newPlaceId);
   NS_ENSURE_SUCCESS(rv, rv);
@@ -2491,6 +2510,8 @@ nsNavBookmarks::ChangeBookmarkURI(PRInt64 aBookmarkId, nsIURI* aNewURI)
   rv = transaction.Commit();
   NS_ENSURE_SUCCESS(rv, rv);
 
+  END_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   rv = history->UpdateFrecency(newPlaceId);
   NS_ENSURE_SUCCESS(rv, rv);
 
@@ -2525,7 +2546,7 @@ nsNavBookmarks::GetFolderIdForItem(PRInt64 aItemId, PRInt64* _parentId)
   NS_ENSURE_ARG_POINTER(_parentId);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, false);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   // this should not happen, but see bug #400448 for details
@@ -2651,7 +2672,7 @@ nsNavBookmarks::GetItemIndex(PRInt64 aItemId, PRInt32* _index)
   NS_ENSURE_ARG_POINTER(_index);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, false);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   // With respect to the API.
   if (NS_FAILED(rv)) {
     *_index = -1;
@@ -2670,7 +2691,7 @@ nsNavBookmarks::SetItemIndex(PRInt64 aItemId, PRInt32 aNewIndex)
   NS_ENSURE_ARG_MIN(aNewIndex, 0);
 
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, true);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   // Ensure we are not going out of range.
@@ -2683,6 +2704,8 @@ nsNavBookmarks::SetItemIndex(PRInt64 aItemId, PRInt32 aNewIndex)
   // Check the parent's guid is the expected one.
   MOZ_ASSERT(bookmark.parentGuid == folderGuid);
 
+  BEGIN_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   DECLARE_AND_ASSIGN_SCOPED_LAZY_STMT(stmt, mDBSetItemIndex);
   rv = stmt->BindInt64ByName(NS_LITERAL_CSTRING("item_id"), aItemId);
   NS_ENSURE_SUCCESS(rv, rv);
@@ -2692,6 +2715,8 @@ nsNavBookmarks::SetItemIndex(PRInt64 aItemId, PRInt32 aNewIndex)
   rv = stmt->Execute();
   NS_ENSURE_SUCCESS(rv, rv);
 
+  END_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   NOTIFY_OBSERVERS(mCanNotify, mCacheObservers, mObservers,
                    nsINavBookmarkObserver,
                    OnItemMoved(bookmark.id,
@@ -2729,7 +2754,7 @@ nsNavBookmarks::SetKeywordForBookmark(PRInt64 aBookmarkId,
 
   // This also ensures the bookmark is valid.
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aBookmarkId, bookmark, true);
+  nsresult rv = FetchItemInfo(aBookmarkId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   rv = EnsureKeywordsHash();
@@ -2748,6 +2773,8 @@ nsNavBookmarks::SetKeywordForBookmark(PRInt64 aBookmarkId,
   if (keyword.Equals(oldKeyword) || (keyword.IsEmpty() && oldKeyword.IsEmpty()))
     return NS_OK;
 
+  BEGIN_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   mozStorageTransaction transaction(mDBConn, PR_FALSE);
 
   nsCOMPtr<mozIStorageStatement> updateBookmarkStmt;
@@ -2798,6 +2825,8 @@ nsNavBookmarks::SetKeywordForBookmark(PRInt64 aBookmarkId,
   rv = transaction.Commit();
   NS_ENSURE_SUCCESS(rv, rv);
 
+  END_CRITICAL_BOOKMARK_CACHE_SECTION(bookmark.id);
+
   NOTIFY_OBSERVERS(mCanNotify, mCacheObservers, mObservers,
                    nsINavBookmarkObserver,
                    OnItemChanged(bookmark.id,
@@ -3143,7 +3172,7 @@ nsNavBookmarks::OnPageChanged(nsIURI* aURI,
 
       if (queries.Count() == 1 && queries[0]->Folders().Length() == 1) {
         // Fetch missing data.
-        rv = FetchItemInfo(queries[0]->Folders()[0], changeData.bookmark, false);
+        rv = FetchItemInfo(queries[0]->Folders()[0], changeData.bookmark);
         NS_ENSURE_SUCCESS(rv, rv);        
         NotifyItemChanged(changeData);
       }
@@ -3195,7 +3224,7 @@ NS_IMETHODIMP
 nsNavBookmarks::OnItemAnnotationSet(PRInt64 aItemId, const nsACString& aName)
 {
   BookmarkData bookmark;
-  nsresult rv = FetchItemInfo(aItemId, bookmark, true);
+  nsresult rv = FetchItemInfo(aItemId, bookmark);
   NS_ENSURE_SUCCESS(rv, rv);
 
   bookmark.lastModified = PR_Now();
diff --git a/toolkit/components/places/nsNavBookmarks.h b/toolkit/components/places/nsNavBookmarks.h
index 6728f932a4e..472d2e263c7 100644
--- a/toolkit/components/places/nsNavBookmarks.h
+++ b/toolkit/components/places/nsNavBookmarks.h
@@ -228,12 +228,9 @@ public:
    *        Id of the item to fetch information for.
    * @param aBookmark
    *        BookmarkData to store the information.
-   * @param aInvalidateCache
-   *        True if the cache should discard its entry after the fetching.
    */
   nsresult FetchItemInfo(PRInt64 aItemId,
-                         BookmarkData& _bookmark,
-                         bool aInvalidateCache);
+                         BookmarkData& _bookmark);
 
   /**
    * Finalize all internal statements.
@@ -521,7 +518,7 @@ private:
       nsNavBookmarks* bookmarks = nsNavBookmarks::GetBookmarksService();
       NS_ENSURE_TRUE(bookmarks, NS_ERROR_OUT_OF_MEMORY);
       BookmarkData folder;
-      nsresult rv = bookmarks->FetchItemInfo(mID, folder, true);
+      nsresult rv = bookmarks->FetchItemInfo(mID, folder);
       // TODO (Bug 656935): store the BookmarkData struct instead.
       mParent = folder.parentId;
       mIndex = folder.position;
diff --git a/toolkit/components/places/tests/bookmarks/test_675416.js b/toolkit/components/places/tests/bookmarks/test_675416.js
new file mode 100644
index 00000000000..d43097ed2aa
--- /dev/null
+++ b/toolkit/components/places/tests/bookmarks/test_675416.js
@@ -0,0 +1,57 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+function run_test() {
+  /**
+   * Requests information to the service, so that bookmark's data is cached.
+   * @param aItemId
+   *        Id of the bookmark to be cached.
+   */
+  function forceBookmarkCaching(aItemId) {
+    PlacesUtils.bookmarks.getFolderIdForItem(aItemId);
+  }
+
+  let observer = {
+    onBeginUpdateBatch: function() forceBookmarkCaching(itemId1),
+    onEndUpdateBatch: function() forceBookmarkCaching(itemId1),
+    onItemAdded: forceBookmarkCaching,
+    onItemChanged: forceBookmarkCaching,
+    onItemMoved: forceBookmarkCaching,
+    onBeforeItemRemoved: forceBookmarkCaching,
+    onItemRemoved: function(id) {
+      try {
+        forceBookmarkCaching(id);
+        do_throw("trying to fetch a removed bookmark should throw");
+      } catch (ex) {}
+    },
+    onItemVisited: forceBookmarkCaching,
+    QueryInterface: XPCOMUtils.generateQI([Ci.nsINavBookmarkObserver])
+  };
+  PlacesUtils.bookmarks.addObserver(observer, false);
+
+  let folderId1 = PlacesUtils.bookmarks
+                             .createFolder(PlacesUtils.bookmarksMenuFolderId,
+                                           "Bookmarks",
+                                           PlacesUtils.bookmarks.DEFAULT_INDEX);
+  let itemId1 = PlacesUtils.bookmarks
+                           .insertBookmark(folderId1,
+                                           NetUtil.newURI("http:/www.wired.com/wiredscience"),
+                                           PlacesUtils.bookmarks.DEFAULT_INDEX,
+                                           "Wired Science");
+
+  PlacesUtils.bookmarks.removeItem(folderId1);
+
+  let folderId2 = PlacesUtils.bookmarks
+                             .createFolder(PlacesUtils.bookmarksMenuFolderId,
+                                           "Science",
+                                           PlacesUtils.bookmarks.DEFAULT_INDEX);
+  let folderId3 = PlacesUtils.bookmarks
+                             .createFolder(folderId2,
+                                           "Blogs",
+                                           PlacesUtils.bookmarks.DEFAULT_INDEX);
+  // Check title is correctly reported.
+  do_check_eq(PlacesUtils.bookmarks.getItemTitle(folderId3), "Blogs");
+  do_check_eq(PlacesUtils.bookmarks.getItemTitle(folderId2), "Science");
+
+  PlacesUtils.bookmarks.removeObserver(observer, false);
+}
diff --git a/toolkit/components/places/tests/bookmarks/xpcshell.ini b/toolkit/components/places/tests/bookmarks/xpcshell.ini
index 71f18a3bd2e..3cf21c6976a 100644
--- a/toolkit/components/places/tests/bookmarks/xpcshell.ini
+++ b/toolkit/components/places/tests/bookmarks/xpcshell.ini
@@ -31,4 +31,5 @@ tail =
 [test_removeItem.js]
 [test_restore_guids.js]
 [test_savedsearches.js]
+[test_675416.js]
 
diff --git a/toolkit/components/places/tests/browser/Makefile.in b/toolkit/components/places/tests/browser/Makefile.in
index 706106fbf61..81c896bcc9a 100644
--- a/toolkit/components/places/tests/browser/Makefile.in
+++ b/toolkit/components/places/tests/browser/Makefile.in
@@ -46,6 +46,7 @@ include $(DEPTH)/config/autoconf.mk
 include $(topsrcdir)/config/rules.mk
 
 _BROWSER_FILES = \
+	head.js \
 	browser_bug399606.js \
 	browser_visituri.js \
 	browser_visituri_nohistory.js \
diff --git a/toolkit/components/places/tests/browser/browser_bug399606.js b/toolkit/components/places/tests/browser/browser_bug399606.js
index 443490067f0..818df7e1bf5 100644
--- a/toolkit/components/places/tests/browser/browser_bug399606.js
+++ b/toolkit/components/places/tests/browser/browser_bug399606.js
@@ -75,22 +75,6 @@ function test() {
   };
   hs.addObserver(historyObserver, false);
 
-  /**
-   * Clears history invoking callback when done.
-   */
-  function waitForClearHistory(aCallback)
-  {
-    let observer = {
-      observe: function(aSubject, aTopic, aData)
-      {
-        Services.obs.removeObserver(this, PlacesUtils.TOPIC_EXPIRATION_FINISHED);
-        aCallback(aSubject, aTopic, aData);
-      }
-    };
-    Services.obs.addObserver(observer, PlacesUtils.TOPIC_EXPIRATION_FINISHED, false);
-    PlacesUtils.bhistory.removeAllPages();
-  }
-
   function confirm_results() {
     gBrowser.removeCurrentTab();
     hs.removeObserver(historyObserver, false);
diff --git a/toolkit/components/places/tests/browser/browser_settitle.js b/toolkit/components/places/tests/browser/browser_settitle.js
index 7d996131633..30b11267d1c 100644
--- a/toolkit/components/places/tests/browser/browser_settitle.js
+++ b/toolkit/components/places/tests/browser/browser_settitle.js
@@ -46,24 +46,6 @@ function getColumn(table, column, fromColumnName, fromColumnValue)
   }
 }
 
-/**
- * Clears history invoking callback when done.
- */
-function waitForClearHistory(aCallback) {
-  const TOPIC_EXPIRATION_FINISHED = "places-expiration-finished";
-  let observer = {
-    observe: function(aSubject, aTopic, aData) {
-      Services.obs.removeObserver(this, TOPIC_EXPIRATION_FINISHED);
-      aCallback();
-    }
-  };
-  Services.obs.addObserver(observer, TOPIC_EXPIRATION_FINISHED, false);
-
-  let hs = Cc["@mozilla.org/browser/nav-history-service;1"].
-           getService(Ci.nsINavHistoryService);
-  hs.QueryInterface(Ci.nsIBrowserHistory).removeAllPages();
-}
-
 function test()
 {
   // Make sure titles are correctly saved for a URI with the proper
diff --git a/toolkit/components/places/tests/browser/browser_visituri.js b/toolkit/components/places/tests/browser/browser_visituri.js
index 91be553b1f1..566ad0ae664 100644
--- a/toolkit/components/places/tests/browser/browser_visituri.js
+++ b/toolkit/components/places/tests/browser/browser_visituri.js
@@ -63,24 +63,6 @@ function getColumn(table, column, fromColumnName, fromColumnValue)
   }
 }
 
-/**
- * Clears history invoking callback when done.
- */
-function waitForClearHistory(aCallback) {
-  const TOPIC_EXPIRATION_FINISHED = "places-expiration-finished";
-  let observer = {
-    observe: function(aSubject, aTopic, aData) {
-      Services.obs.removeObserver(this, TOPIC_EXPIRATION_FINISHED);
-      aCallback();
-    }
-  };
-  Services.obs.addObserver(observer, TOPIC_EXPIRATION_FINISHED, false);
-
-  let hs = Cc["@mozilla.org/browser/nav-history-service;1"].
-           getService(Ci.nsINavHistoryService);
-  hs.QueryInterface(Ci.nsIBrowserHistory).removeAllPages();
-}
-
 function test()
 {
   // Make sure places visit chains are saved correctly with a redirect
diff --git a/toolkit/components/places/tests/browser/browser_visituri_nohistory.js b/toolkit/components/places/tests/browser/browser_visituri_nohistory.js
index cf036356251..eff04f8dd5f 100644
--- a/toolkit/components/places/tests/browser/browser_visituri_nohistory.js
+++ b/toolkit/components/places/tests/browser/browser_visituri_nohistory.js
@@ -37,22 +37,6 @@ function waitForLoad(callback)
   }, true);
 }
 
-/**
- * Clears history invoking callback when done.
- */
-function waitForClearHistory(aCallback)
-{
-  let observer = {
-    observe: function(aSubject, aTopic, aData)
-    {
-      Services.obs.removeObserver(this, PlacesUtils.TOPIC_EXPIRATION_FINISHED);
-      aCallback(aSubject, aTopic, aData);
-    }
-  };
-  Services.obs.addObserver(observer, PlacesUtils.TOPIC_EXPIRATION_FINISHED, false);
-  PlacesUtils.bhistory.removeAllPages();
-}
-
 function test()
 {
   waitForExplicitFinish();
diff --git a/toolkit/components/places/tests/browser/browser_visituri_privatebrowsing.js b/toolkit/components/places/tests/browser/browser_visituri_privatebrowsing.js
index 4dabd49bc6f..2bb5bac5530 100644
--- a/toolkit/components/places/tests/browser/browser_visituri_privatebrowsing.js
+++ b/toolkit/components/places/tests/browser/browser_visituri_privatebrowsing.js
@@ -37,22 +37,6 @@ function waitForLoad(callback)
   }, true);
 }
 
-/**
- * Clears history invoking callback when done.
- */
-function waitForClearHistory(aCallback)
-{
-  let observer = {
-    observe: function(aSubject, aTopic, aData)
-    {
-      Services.obs.removeObserver(this, PlacesUtils.TOPIC_EXPIRATION_FINISHED);
-      aCallback(aSubject, aTopic, aData);
-    }
-  };
-  Services.obs.addObserver(observer, PlacesUtils.TOPIC_EXPIRATION_FINISHED, false);
-  PlacesUtils.bhistory.removeAllPages();
-}
-
 function test()
 {
   if (!("@mozilla.org/privatebrowsing;1" in Cc)) {
diff --git a/toolkit/components/places/tests/browser/head.js b/toolkit/components/places/tests/browser/head.js
new file mode 100644
index 00000000000..13206abebb4
--- /dev/null
+++ b/toolkit/components/places/tests/browser/head.js
@@ -0,0 +1,12 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+function waitForClearHistory(aCallback) {
+  Services.obs.addObserver(function observeCH(aSubject, aTopic, aData) {
+    Services.obs.removeObserver(observeCH, PlacesUtils.TOPIC_EXPIRATION_FINISHED);
+    aCallback();
+  }, PlacesUtils.TOPIC_EXPIRATION_FINISHED, false);
+  PlacesUtils.bhistory.removeAllPages();
+}
diff --git a/toolkit/components/places/tests/queries/test_containersQueries_sorting.js b/toolkit/components/places/tests/queries/test_containersQueries_sorting.js
index 61da4f446ee..a3eebf8dc89 100644
--- a/toolkit/components/places/tests/queries/test_containersQueries_sorting.js
+++ b/toolkit/components/places/tests/queries/test_containersQueries_sorting.js
@@ -439,9 +439,4 @@ function run_test()
   populateDB(visits);
 
   cartProd([resultTypes, sortingModes], test_query_callback);
-
-  // Cleanup.
-  pages.forEach(function(aPageUrl) tagging.untagURI(uri(aPageUrl), tags));
-  remove_all_bookmarks();
-  bh.removeAllPages();
 }
diff --git a/toolkit/components/places/tests/queries/test_transitions.js b/toolkit/components/places/tests/queries/test_transitions.js
index e9f788928ce..5f65bbb8698 100644
--- a/toolkit/components/places/tests/queries/test_transitions.js
+++ b/toolkit/components/places/tests/queries/test_transitions.js
@@ -151,8 +151,6 @@ function run_test() {
                 Ci.nsINavHistoryService.TRANSITION_DOWNLOAD, false, 0);
   do_check_eq(testDataDownload.length + 1, root.childCount);
   root.containerOpen = false;
-
-  PlacesUtils.bhistory.removeAllPages();
 }
 
 /*
diff --git a/toolkit/components/places/tests/unit/test_486978_sort_by_date_queries.js b/toolkit/components/places/tests/unit/test_486978_sort_by_date_queries.js
index cf9c008d92f..e777874cfa8 100644
--- a/toolkit/components/places/tests/unit/test_486978_sort_by_date_queries.js
+++ b/toolkit/components/places/tests/unit/test_486978_sort_by_date_queries.js
@@ -165,6 +165,4 @@ function run_test() {
   // Kick off tests.
   while (gTests.length)
     (gTests.shift())();
-
-  hs.QueryInterface(Ci.nsIBrowserHistory).removeAllPages();
 }
diff --git a/toolkit/components/places/tests/unit/test_async_history_api.js b/toolkit/components/places/tests/unit/test_async_history_api.js
index a4c006bdd0e..6e9822059a7 100644
--- a/toolkit/components/places/tests/unit/test_async_history_api.js
+++ b/toolkit/components/places/tests/unit/test_async_history_api.js
@@ -17,7 +17,6 @@ XPCOMUtils.defineLazyServiceGetter(this, "gGlobalHistory",
                                    "nsIGlobalHistory2");
 
 const TEST_DOMAIN = "http://mozilla.org/";
-const TOPIC_UPDATEPLACES_COMPLETE = "places-updatePlaces-complete";
 const URI_VISIT_SAVED = "uri-visit-saved";
 const RECENT_EVENT_THRESHOLD = 15 * 60 * 1000000;
 
@@ -742,14 +741,14 @@ function test_place_id_ignored()
   }));
 }
 
-function test_observer_topic_dispatched_when_complete()
+function test_handleCompletion_called_when_complete()
 {
   // We test a normal visit, and embeded visit, and a uri that would fail
   // the canAddURI test to make sure that the notification happens after *all*
   // of them have had a callback.
   let places = [
     { uri: NetUtil.newURI(TEST_DOMAIN +
-                          "test_observer_topic_dispatched_when_complete"),
+                          "test_handleCompletion_called_when_complete"),
       visits: [
         new VisitInfo(),
         new VisitInfo(TRANSITION_EMBED),
@@ -777,20 +776,13 @@ function test_observer_topic_dispatched_when_complete()
     },
     handleError: function handleError(aResultCode, aPlaceInfo) {
       callbackCountFailure++;
-    }
-  });
-
-  let observer = {
-    observe: function(aSubject, aTopic, aData)
-    {
-      do_check_eq(aTopic, TOPIC_UPDATEPLACES_COMPLETE);
+    },
+    handleCompletion: function handleCompletion() {
       do_check_eq(callbackCountSuccess, EXPECTED_COUNT_SUCCESS);
       do_check_eq(callbackCountFailure, EXPECTED_COUNT_FAILURE);
-      Services.obs.removeObserver(observer, TOPIC_UPDATEPLACES_COMPLETE);
       waitForAsyncUpdates(run_next_test);
     },
-  };
-  Services.obs.addObserver(observer, TOPIC_UPDATEPLACES_COMPLETE, false);
+  });
 }
 
 function test_add_visit()
@@ -1300,15 +1292,8 @@ function test_callbacks_not_supplied()
     }
   });
   
-  gHistory.updatePlaces(places, {} );
-  let observer = {
-    observe: function(aSubject, aTopic, aData)
-    {
-      Services.obs.removeObserver(observer, TOPIC_UPDATEPLACES_COMPLETE);
-      waitForAsyncUpdates(run_next_test);
-    },
-  };
-  Services.obs.addObserver(observer, TOPIC_UPDATEPLACES_COMPLETE, false);
+  gHistory.updatePlaces(places, {});
+  waitForAsyncUpdates(run_next_test);
 }
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -1333,7 +1318,7 @@ function test_callbacks_not_supplied()
   test_unstored_sessionId_ignored,
   test_old_referrer_ignored,
   test_place_id_ignored,
-  test_observer_topic_dispatched_when_complete,
+  test_handleCompletion_called_when_complete,
   test_add_visit,
   test_properties_saved,
   test_guid_saved,
diff --git a/toolkit/components/places/tests/unit/test_nsINavHistoryViewer.js b/toolkit/components/places/tests/unit/test_nsINavHistoryViewer.js
index 2170c98322b..03d25a7cd54 100644
--- a/toolkit/components/places/tests/unit/test_nsINavHistoryViewer.js
+++ b/toolkit/components/places/tests/unit/test_nsINavHistoryViewer.js
@@ -132,16 +132,11 @@ var resultObserver = {
 
 var testURI = uri("http://mozilla.com");
 
-// main
 function run_test() {
-  check_history_query();
-  resultObserver.reset();
-  check_bookmarks_query();
-  resultObserver.reset();
-  check_mixed_query();
+  run_next_test();
 }
 
-function check_history_query() {
+add_test(function check_history_query() {
   var options = histsvc.getNewQueryOptions();
   options.sortingMode = options.SORT_BY_DATE_DESCENDING;
   options.resultType = options.RESULTS_AS_VISIT;
@@ -209,9 +204,11 @@ function check_history_query() {
   root.containerOpen = false;
   do_check_eq(resultObserver.closedContainer, resultObserver.openedContainer);
   result.removeObserver(resultObserver);
-}
+  resultObserver.reset();
+  waitForAsyncUpdates(run_next_test);
+});
 
-function check_bookmarks_query() {
+add_test(function check_bookmarks_query() {
   var options = histsvc.getNewQueryOptions();
   var query = histsvc.getNewQuery();
   query.setFolders([bmsvc.bookmarksMenuFolder], 1);
@@ -276,9 +273,11 @@ function check_bookmarks_query() {
   root.containerOpen = false;
   do_check_eq(resultObserver.closedContainer, resultObserver.openedContainer);
   result.removeObserver(resultObserver);
-}
+  resultObserver.reset();
+  waitForAsyncUpdates(run_next_test);
+});
 
-function check_mixed_query() {
+add_test(function check_mixed_query() {
   var options = histsvc.getNewQueryOptions();
   var query = histsvc.getNewQuery();
   query.onlyBookmarked = true;
@@ -309,4 +308,6 @@ function check_mixed_query() {
   root.containerOpen = false;
   do_check_eq(resultObserver.closedContainer, resultObserver.openedContainer);
   result.removeObserver(resultObserver);
-}
+  resultObserver.reset();
+  waitForAsyncUpdates(run_next_test);
+});
diff --git a/toolkit/components/telemetry/Telemetry.cpp b/toolkit/components/telemetry/Telemetry.cpp
index 2bfe11c6c92..dffcffa0707 100644
--- a/toolkit/components/telemetry/Telemetry.cpp
+++ b/toolkit/components/telemetry/Telemetry.cpp
@@ -259,7 +259,7 @@ WrapAndReturnHistogram(Histogram *h, JSContext *cx, jsval *ret)
 }
 
 TelemetryImpl::TelemetryImpl():
-mCanRecord(true)
+mCanRecord(XRE_GetProcessType() == GeckoProcessType_Default)
 {
   mHistogramMap.Init(Telemetry::HistogramCount);
 }
diff --git a/toolkit/components/telemetry/TelemetryHistograms.h b/toolkit/components/telemetry/TelemetryHistograms.h
index 0a7b8691e71..d7187c05f62 100644
--- a/toolkit/components/telemetry/TelemetryHistograms.h
+++ b/toolkit/components/telemetry/TelemetryHistograms.h
@@ -42,6 +42,9 @@
  *    HISTOGRAM(id, minimum, maximum, bucket count, histogram kind,
  *              human-readable description for about:telemetry)
  *
+ * This file is the master list of telemetry histograms reported to Mozilla servers.
+ * The other data reported by telemetry is listed on https://wiki.mozilla.org/Privacy/Reviews/Telemetry/Measurements
+ *
  */
 
 /**
diff --git a/toolkit/content/InlineSpellChecker.jsm b/toolkit/content/InlineSpellChecker.jsm
index 010fbf400db..b946053f1fe 100644
--- a/toolkit/content/InlineSpellChecker.jsm
+++ b/toolkit/content/InlineSpellChecker.jsm
@@ -260,7 +260,6 @@ InlineSpellChecker.prototype = {
       return;
     var spellchecker = this.mInlineSpellChecker.spellChecker;
     spellchecker.SetCurrentDictionary(this.mDictionaryNames[index]);
-    spellchecker.saveDefaultDictionary();
     this.mInlineSpellChecker.spellCheckRange(null); // causes recheck
   },
 
diff --git a/toolkit/xre/nsWindowsDllInterceptor.h b/toolkit/xre/nsWindowsDllInterceptor.h
index 425771c22a9..d1773b5521d 100644
--- a/toolkit/xre/nsWindowsDllInterceptor.h
+++ b/toolkit/xre/nsWindowsDllInterceptor.h
@@ -189,7 +189,6 @@ protected:
 
     int nBytes = 0;
 #if defined(_M_IX86)
-    int nJmp32 = -1;
     while (nBytes < 5) {
       // Understand some simple instructions that might be found in a
       // prologue; we might need to extend this as necessary.
@@ -217,11 +216,6 @@ protected:
       } else if (origBytes[nBytes] == 0x6A) {
         // PUSH imm8
         nBytes += 2;
-      } else if (origBytes[nBytes] == 0xe9) {
-        // JMP rel32
-        nJmp32 = nBytes;
-        // jmp 32bit offset
-        nBytes += 5;
       } else {
         //printf ("Unknown x86 instruction byte 0x%02x, aborting trampoline\n", origBytes[nBytes]);
         return 0;
@@ -355,16 +349,8 @@ protected:
     byteptr_t trampDest = origBytes + nBytes;
 
 #if defined(_M_IX86)
-    if (nJmp32 >= 0) {
-      // Function entry has JMP rel32.  We replace with correct target address.
-      byteptr_t targetAddress =
-        origBytes + nJmp32 + 5 + (*((LONG*)(origBytes+nJmp32+1)));
-      *((intptr_t*)(tramp+nJmp32+1)) =
-        (intptr_t)targetAddress - (intptr_t)(tramp+nJmp32+5);
-    } else {
-      tramp[nBytes] = 0xE9; // jmp
-      *((intptr_t*)(tramp+nBytes+1)) = (intptr_t)trampDest - (intptr_t)(tramp+nBytes+5); // target displacement
-    }
+    tramp[nBytes] = 0xE9; // jmp
+    *((intptr_t*)(tramp+nBytes+1)) = (intptr_t)trampDest - (intptr_t)(tramp+nBytes+5); // target displacement
 #elif defined(_M_X64)
     // If JMP32 opcode found, we don't insert to trampoline jump 
     if (pJmp32 >= 0) {
diff --git a/toolkit/xre/test/win/TestDllInterceptor.cpp b/toolkit/xre/test/win/TestDllInterceptor.cpp
index f696dd5ecd6..222b4531fdf 100644
--- a/toolkit/xre/test/win/TestDllInterceptor.cpp
+++ b/toolkit/xre/test/win/TestDllInterceptor.cpp
@@ -40,10 +40,10 @@
 
 static bool patched_func_called = false;
 
-static BOOL (WINAPI *orig_GetVersionExA)(__inout LPOSVERSIONINFO);
+static BOOL (WINAPI *orig_GetVersionExA)(LPOSVERSIONINFO);
 
 static BOOL WINAPI
-patched_GetVersionExA(__inout LPOSVERSIONINFO lpVersionInfo)
+patched_GetVersionExA(LPOSVERSIONINFO lpVersionInfo)
 {
   patched_func_called = true;
   return orig_GetVersionExA(lpVersionInfo);
@@ -58,7 +58,7 @@ bool osvi_equal(OSVERSIONINFO &info0, OSVERSIONINFO &info1)
           !strncmp(info0.szCSDVersion, info1.szCSDVersion, sizeof(info0.szCSDVersion)));
 }
 
-int wmain()
+int main()
 {
   OSVERSIONINFO info0, info1;
   ZeroMemory(&info0, sizeof(OSVERSIONINFO));
diff --git a/widget/public/nsIDragService.idl b/widget/public/nsIDragService.idl
index ef8c46fbdfd..6863a8814e8 100644
--- a/widget/public/nsIDragService.idl
+++ b/widget/public/nsIDragService.idl
@@ -145,6 +145,8 @@ interface nsIDragService : nsISupports
    */
   void suppress();
   void unsuppress();
+
+  [noscript] void dragMoved(in long aX, in long aY);
 };
 
 
diff --git a/widget/public/nsWidgetInitData.h b/widget/public/nsWidgetInitData.h
index f7fed5bc8b7..858de89f6f9 100644
--- a/widget/public/nsWidgetInitData.h
+++ b/widget/public/nsWidgetInitData.h
@@ -146,6 +146,7 @@ struct nsWidgetInitData {
   PRPackedBool  mUnicode;
   PRPackedBool  mRTL;
   PRPackedBool  mNoAutoHide; // true for noautohide panels
+  PRPackedBool  mIsDragPopup;  // true for drag feedback panels
 };
 
 #endif // nsWidgetInitData_h__
diff --git a/widget/src/android/AndroidJavaWrappers.h b/widget/src/android/AndroidJavaWrappers.h
index 6e5af46b51b..e5130c7c1c2 100644
--- a/widget/src/android/AndroidJavaWrappers.h
+++ b/widget/src/android/AndroidJavaWrappers.h
@@ -163,7 +163,9 @@ public:
 
     enum {
         DRAW_ERROR = 0,
-        DRAW_GLES_2 = 1
+        DRAW_GLES_2 = 1,
+        DRAW_2D = 2,
+        DRAW_DISABLED = 3
     };
 
     int BeginDrawing();
diff --git a/widget/src/android/nsAppShell.cpp b/widget/src/android/nsAppShell.cpp
index 6eedf54f954..969920d6a67 100644
--- a/widget/src/android/nsAppShell.cpp
+++ b/widget/src/android/nsAppShell.cpp
@@ -446,9 +446,28 @@ nsAppShell::PeekNextEvent()
 void
 nsAppShell::PostEvent(AndroidGeckoEvent *ae)
 {
+    if (ae->Type() == AndroidGeckoEvent::ACTIVITY_STOPPING) {
+        PostEvent(new AndroidGeckoEvent(AndroidGeckoEvent::SURFACE_DESTROYED));
+    }
+
     {
         MutexAutoLock lock(mQueueLock);
-        mEventQueue.AppendElement(ae);
+        if (ae->Type() == AndroidGeckoEvent::SURFACE_DESTROYED) {
+            // Give priority to this event, and discard any pending
+            // SURFACE_CREATED events.
+            mEventQueue.InsertElementAt(0, ae);
+            AndroidGeckoEvent *event;
+            for (int i = mEventQueue.Length()-1; i >=1; i--) {
+                event = mEventQueue[i];
+                if (event->Type() == AndroidGeckoEvent::SURFACE_CREATED) {
+                    mEventQueue.RemoveElementAt(i);
+                    delete event;
+                }
+            }
+        } else {
+            mEventQueue.AppendElement(ae);
+        }
+
         if (ae->Type() == AndroidGeckoEvent::DRAW) {
             mNumDraws++;
         }
diff --git a/widget/src/android/nsFilePicker.cpp b/widget/src/android/nsFilePicker.cpp
index a5a7efdf5f6..354178f9e25 100644
--- a/widget/src/android/nsFilePicker.cpp
+++ b/widget/src/android/nsFilePicker.cpp
@@ -45,7 +45,10 @@ NS_IMPL_ISUPPORTS1(nsFilePicker, nsIFilePicker)
 NS_IMETHODIMP nsFilePicker::Init(nsIDOMWindow *parent, const nsAString& title, 
                                  PRInt16 mode)
 {
-    return nsIFilePicker::modeOpen == mode ? NS_OK : NS_ERROR_NOT_IMPLEMENTED;
+    return (mode == nsIFilePicker::modeOpen ||
+            mode == nsIFilePicker::modeOpenMultiple)
+        ? NS_OK
+        : NS_ERROR_NOT_IMPLEMENTED;
 }
 
 NS_IMETHODIMP nsFilePicker::AppendFilter(const nsAString& /*title*/,
diff --git a/widget/src/android/nsWindow.cpp b/widget/src/android/nsWindow.cpp
index 5f9289d957a..3fdf8ef6577 100644
--- a/widget/src/android/nsWindow.cpp
+++ b/widget/src/android/nsWindow.cpp
@@ -128,6 +128,7 @@ static nsTArray<nsWindow*> gTopLevelWindows;
 static nsRefPtr<gl::GLContext> sGLContext;
 static bool sFailedToCreateGLContext = false;
 static bool sValidSurface;
+static bool sSurfaceExists = false;
 
 // Multitouch swipe thresholds in inches
 static const double SWIPE_MAX_PINCH_DELTA_INCHES = 0.4;
@@ -844,9 +845,14 @@ nsWindow::OnGlobalAndroidEvent(AndroidGeckoEvent *ae)
             break;
 
         case AndroidGeckoEvent::SURFACE_CREATED:
+            sSurfaceExists = true;
             break;
 
         case AndroidGeckoEvent::SURFACE_DESTROYED:
+            if (sGLContext && sValidSurface) {
+                sGLContext->ReleaseSurface();
+            }
+            sSurfaceExists = false;
             sValidSurface = false;
             break;
 
@@ -970,6 +976,11 @@ nsWindow::DrawTo(gfxASurface *targetSurface)
 void
 nsWindow::OnDraw(AndroidGeckoEvent *ae)
 {
+  
+    if (!sSurfaceExists) {
+        return;
+    }
+
     if (!IsTopLevel()) {
         ALOG("##### redraw for window %p, which is not a toplevel window -- sending to toplevel!", (void*) this);
         DumpWindows();
@@ -1050,6 +1061,10 @@ nsWindow::OnDraw(AndroidGeckoEvent *ae)
     } else {
         int drawType = sview.BeginDrawing();
 
+        if (drawType == AndroidGeckoSurfaceView::DRAW_DISABLED) {
+            return;
+        }
+
         if (drawType == AndroidGeckoSurfaceView::DRAW_ERROR) {
             ALOG("##### BeginDrawing failed!");
             return;
diff --git a/widget/src/cocoa/nsChildView.mm b/widget/src/cocoa/nsChildView.mm
index 05a50cc1d9f..6cf3a867a5e 100644
--- a/widget/src/cocoa/nsChildView.mm
+++ b/widget/src/cocoa/nsChildView.mm
@@ -4503,6 +4503,23 @@ NSEvent* gLastDragMouseDownEvent = nil;
   return handled;
 }
 
+// NSDraggingSource
+- (void)draggedImage:(NSImage *)anImage movedTo:(NSPoint)aPoint
+{
+  // Get the drag service if it isn't already cached. The drag service
+  // isn't cached when dragging over a different application.
+  nsCOMPtr<nsIDragService> dragService = mDragService;
+  if (!dragService) {
+    dragService = do_GetService(kDragServiceContractID);
+  }
+
+  if (dragService) {
+    NSPoint pnt = [NSEvent mouseLocation];
+    FlipCocoaScreenCoordinate(pnt);
+    dragService->DragMoved(NSToIntRound(pnt.x), NSToIntRound(pnt.y));
+  }
+}
+
 // NSDraggingSource
 - (void)draggedImage:(NSImage *)anImage endedAt:(NSPoint)aPoint operation:(NSDragOperation)operation
 {
diff --git a/widget/src/cocoa/nsCocoaWindow.mm b/widget/src/cocoa/nsCocoaWindow.mm
index 3b0a0db2f97..d745c7c73d9 100644
--- a/widget/src/cocoa/nsCocoaWindow.mm
+++ b/widget/src/cocoa/nsCocoaWindow.mm
@@ -298,8 +298,12 @@ nsresult nsCocoaWindow::Create(nsIWidget *aParent,
                                    mBorderStyle, PR_FALSE);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (mWindowType == eWindowType_popup)
+  if (mWindowType == eWindowType_popup) {
+    if (aInitData->mIsDragPopup) {
+      [mWindow setIgnoresMouseEvents:YES];
+    }
     return CreatePopupContentView(newBounds, aHandleEventFunction, aContext, aAppShell, aToolkit);
+  }
 
   return NS_OK;
 
diff --git a/widget/src/cocoa/nsDragService.mm b/widget/src/cocoa/nsDragService.mm
index 6854a0ec01a..6e8e8e26fcd 100644
--- a/widget/src/cocoa/nsDragService.mm
+++ b/widget/src/cocoa/nsDragService.mm
@@ -302,6 +302,7 @@ nsDragService::InvokeDragSession(nsIDOMNode* aDOMNode, nsISupportsArray* aTransf
   gDraggedTransferables = aTransferableArray;
 
   nsBaseDragService::StartDragSession();
+  nsBaseDragService::OpenDragPopup();
 
   // We need to retain the view and the event during the drag in case either gets destroyed.
   mNativeDragView = [gLastDragView retain];
diff --git a/widget/src/gtk2/nsDragService.cpp b/widget/src/gtk2/nsDragService.cpp
index 8b30efb2256..dd2a9e78a25 100644
--- a/widget/src/gtk2/nsDragService.cpp
+++ b/widget/src/gtk2/nsDragService.cpp
@@ -69,6 +69,7 @@
 #include "nsPresContext.h"
 #include "nsIDocument.h"
 #include "nsISelection.h"
+#include "nsIFrame.h"
 
 // This sets how opaque the drag image is
 #define DRAG_IMAGE_ALPHA_LEVEL 0.5
@@ -1568,20 +1569,41 @@ nsDragService::SourceDataGet(GtkWidget        *aWidget,
 
 void nsDragService::SetDragIcon(GdkDragContext* aContext)
 {
+    if (!mHasImage && !mSelection)
+        return;
+
     nsIntRect dragRect;
     nsPresContext* pc;
     nsRefPtr<gfxASurface> surface;
-    if (mHasImage || mSelection) {
-      DrawDrag(mSourceNode, mSourceRegion, mScreenX, mScreenY,
-               &dragRect, getter_AddRefs(surface), &pc);
+    DrawDrag(mSourceNode, mSourceRegion, mScreenX, mScreenY,
+             &dragRect, getter_AddRefs(surface), &pc);
+    if (!pc)
+        return;
+
+    PRInt32 sx = mScreenX, sy = mScreenY;
+    ConvertToUnscaledDevPixels(pc, &sx, &sy);
+
+    PRInt32 offsetX = sx - dragRect.x;
+    PRInt32 offsetY = sy - dragRect.y;
+
+    // If a popup is set as the drag image, use its widget. Otherwise, use
+    // the surface that DrawDrag created.
+    if (mDragPopup) {
+        GtkWidget* gtkWidget = nsnull;
+        nsIFrame* frame = mDragPopup->GetPrimaryFrame();
+        if (frame) {
+            // DrawDrag ensured that this is a popup frame.
+            nsCOMPtr<nsIWidget> widget = frame->GetNearestWidget();
+            if (widget) {
+                gtkWidget = (GtkWidget *)widget->GetNativeData(NS_NATIVE_SHELLWIDGET);
+                if (gtkWidget) {
+                    OpenDragPopup();
+                    gtk_drag_set_icon_widget(aContext, gtkWidget, offsetX, offsetY);
+                }
+            }
+        }
     }
-
-    if (surface) {
-        PRInt32 sx = mScreenX, sy = mScreenY;
-        ConvertToUnscaledDevPixels(pc, &sx, &sy);
-
-        PRInt32 offsetX = sx - dragRect.x;
-        PRInt32 offsetY = sy - dragRect.y;
+    else if (surface) {
         if (!SetAlphaPixmap(surface, aContext, offsetX, offsetY, dragRect)) {
             GdkPixbuf* dragPixbuf =
               nsImageToPixbuf::SurfaceToPixbuf(surface, dragRect.width, dragRect.height);
diff --git a/widget/src/gtk2/nsWindow.cpp b/widget/src/gtk2/nsWindow.cpp
index 88bde7b4365..a2415ad0ee1 100644
--- a/widget/src/gtk2/nsWindow.cpp
+++ b/widget/src/gtk2/nsWindow.cpp
@@ -4059,16 +4059,21 @@ nsWindow::Create(nsIWidget        *aParent,
             }
 
             GdkWindowTypeHint gtkTypeHint;
-            switch (aInitData->mPopupHint) {
-                case ePopupTypeMenu:
-                    gtkTypeHint = GDK_WINDOW_TYPE_HINT_POPUP_MENU;
-                    break;
-                case ePopupTypeTooltip:
-                    gtkTypeHint = GDK_WINDOW_TYPE_HINT_TOOLTIP;
-                    break;
-                default:
-                    gtkTypeHint = GDK_WINDOW_TYPE_HINT_UTILITY;
-                    break;
+            if (aInitData->mIsDragPopup) {
+                gtkTypeHint = GDK_WINDOW_TYPE_HINT_DND;
+            }
+            else {
+                switch (aInitData->mPopupHint) {
+                    case ePopupTypeMenu:
+                        gtkTypeHint = GDK_WINDOW_TYPE_HINT_POPUP_MENU;
+                        break;
+                    case ePopupTypeTooltip:
+                        gtkTypeHint = GDK_WINDOW_TYPE_HINT_TOOLTIP;
+                        break;
+                    default:
+                        gtkTypeHint = GDK_WINDOW_TYPE_HINT_UTILITY;
+                        break;
+                }
             }
             gtk_window_set_type_hint(GTK_WINDOW(mShell), gtkTypeHint);
 
diff --git a/widget/src/qt/nsDragService.cpp b/widget/src/qt/nsDragService.cpp
index 144230cca32..e9ac4677e95 100644
--- a/widget/src/qt/nsDragService.cpp
+++ b/widget/src/qt/nsDragService.cpp
@@ -302,3 +302,8 @@ nsDragService::Unsuppress()
     return nsBaseDragService::Unsuppress();
 }
 
+NS_IMETHODIMP
+nsDragService::DragMoved(PRInt32 aX, PRInt32 aY)
+{
+    return nsBaseDragService::DragMoved(aX, aY);
+}
diff --git a/widget/src/windows/nsDragService.cpp b/widget/src/windows/nsDragService.cpp
index 62d55356a73..5a7395b102c 100644
--- a/widget/src/windows/nsDragService.cpp
+++ b/widget/src/windows/nsDragService.cpp
@@ -298,11 +298,11 @@ nsDragService::StartInvokingDragSession(IDataObject * aDataObj,
   // XXX not sure why we bother to cache this, it can change during
   // the drag
   mDragAction = aActionType;
-  mDoingDrag  = PR_TRUE;
   mSentLocalDropEvent = PR_FALSE;
 
   // Start dragging
   StartDragSession();
+  OpenDragPopup();
 
   nsRefPtr<IAsyncOperation> pAsyncOp;
   // Offer to do an async drag
diff --git a/widget/src/windows/nsFilePicker.h b/widget/src/windows/nsFilePicker.h
index 58b31c3ff3f..1f669346767 100644
--- a/widget/src/windows/nsFilePicker.h
+++ b/widget/src/windows/nsFilePicker.h
@@ -106,7 +106,7 @@ class AutoRestoreWorkingPath
 public:
   AutoRestoreWorkingPath();
   ~AutoRestoreWorkingPath();
-  inline bool AutoRestoreWorkingPath::HasWorkingPath() const
+  inline bool HasWorkingPath() const
   {
     return mWorkingPath != NULL;
   }
diff --git a/widget/src/windows/nsNativeDragSource.cpp b/widget/src/windows/nsNativeDragSource.cpp
index fa77370c5b9..b444e1f5539 100644
--- a/widget/src/windows/nsNativeDragSource.cpp
+++ b/widget/src/windows/nsNativeDragSource.cpp
@@ -39,6 +39,12 @@
 #include <stdio.h>
 #include "nsISupportsImpl.h"
 #include "nsString.h"
+#include "nsIServiceManager.h"
+#include "nsToolkit.h"
+#include "nsWidgetsCID.h"
+#include "nsIDragService.h"
+
+static NS_DEFINE_IID(kCDragServiceCID,  NS_DRAGSERVICE_CID);
 
 /*
  * class nsNativeDragSource
@@ -94,6 +100,12 @@ nsNativeDragSource::Release(void)
 STDMETHODIMP
 nsNativeDragSource::QueryContinueDrag(BOOL fEsc, DWORD grfKeyState)
 {
+  nsCOMPtr<nsIDragService> dragService = do_GetService(kCDragServiceCID);
+  if (dragService) {
+    DWORD pos = ::GetMessagePos();
+    dragService->DragMoved(GET_X_LPARAM(pos), GET_Y_LPARAM(pos));
+  }
+
   if (fEsc) {
     mUserCancelled = PR_TRUE;
     return DRAGDROP_S_CANCEL;
diff --git a/widget/src/windows/nsWindow.cpp b/widget/src/windows/nsWindow.cpp
index f052fa347ad..a54737c432e 100644
--- a/widget/src/windows/nsWindow.cpp
+++ b/widget/src/windows/nsWindow.cpp
@@ -533,6 +533,11 @@ nsWindow::Create(nsIWidget *aParent,
   if (mWindowType == eWindowType_popup) {
     if (!aParent)
       parent = NULL;
+
+    if (aInitData->mIsDragPopup) {
+      // This flag makes the window transparent to mouse events
+      extendedStyle |= WS_EX_TRANSPARENT;
+    }
   } else if (mWindowType == eWindowType_invisible) {
     // Make sure CreateWindowEx succeeds at creating a toplevel window
     style &= ~0x40000000; // WS_CHILDWINDOW
diff --git a/widget/src/xpwidgets/nsBaseDragService.cpp b/widget/src/xpwidgets/nsBaseDragService.cpp
index dbc41f3ddf1..95736d65345 100644
--- a/widget/src/xpwidgets/nsBaseDragService.cpp
+++ b/widget/src/xpwidgets/nsBaseDragService.cpp
@@ -65,6 +65,8 @@
 #include "nsIViewObserver.h"
 #include "nsRegion.h"
 #include "nsGUIEvent.h"
+#include "nsXULPopupManager.h"
+#include "nsMenuPopupFrame.h"
 #include "mozilla/Preferences.h"
 
 #include "gfxContext.h"
@@ -272,6 +274,7 @@ nsBaseDragService::InvokeDragSessionWithImage(nsIDOMNode* aDOMNode,
   mDataTransfer = aDataTransfer;
   mSelection = nsnull;
   mHasImage = PR_TRUE;
+  mDragPopup = nsnull;
   mImage = aImage;
   mImageX = aImageX;
   mImageY = aImageY;
@@ -299,6 +302,7 @@ nsBaseDragService::InvokeDragSessionWithSelection(nsISelection* aSelection,
   mDataTransfer = aDataTransfer;
   mSelection = aSelection;
   mHasImage = PR_TRUE;
+  mDragPopup = nsnull;
   mImage = nsnull;
   mImageX = 0;
   mImageY = 0;
@@ -347,9 +351,21 @@ nsBaseDragService::StartDragSession()
   mDoingDrag = PR_TRUE;
   // By default dispatch drop also to content.
   mOnlyChromeDrop = PR_FALSE;
+
   return NS_OK;
 }
 
+void
+nsBaseDragService::OpenDragPopup()
+{
+  if (mDragPopup) {
+    nsXULPopupManager* pm = nsXULPopupManager::GetInstance();
+    if (pm) {
+      pm->ShowPopupAtScreen(mDragPopup, mScreenX - mImageX, mScreenY - mImageY, PR_FALSE, nsnull);
+    }
+  }
+}
+
 //-------------------------------------------------------------------------
 NS_IMETHODIMP
 nsBaseDragService::EndDragSession(PRBool aDoneDrag)
@@ -361,6 +377,13 @@ nsBaseDragService::EndDragSession(PRBool aDoneDrag)
   if (aDoneDrag && !mSuppressLevel)
     FireDragEventAtSource(NS_DRAGDROP_END);
 
+  if (mDragPopup) {
+    nsXULPopupManager* pm = nsXULPopupManager::GetInstance();
+    if (pm) {
+      pm->HidePopup(mDragPopup, PR_FALSE, PR_TRUE, PR_FALSE);
+    }
+  }
+
   mDoingDrag = PR_FALSE;
 
   // release the source we've been holding on to.
@@ -370,6 +393,7 @@ nsBaseDragService::EndDragSession(PRBool aDoneDrag)
   mDataTransfer = nsnull;
   mHasImage = PR_FALSE;
   mUserCancelled = PR_FALSE;
+  mDragPopup = nsnull;
   mImage = nsnull;
   mImageX = 0;
   mImageY = 0;
@@ -406,6 +430,23 @@ nsBaseDragService::FireDragEventAtSource(PRUint32 aMsg)
   return NS_OK;
 }
 
+/* This is used by Windows and Mac to update the position of a popup being
+ * used as a drag image during the drag. This isn't used on GTK as it manages
+ * the drag popup itself.
+ */
+NS_IMETHODIMP
+nsBaseDragService::DragMoved(PRInt32 aX, PRInt32 aY)
+{
+  if (mDragPopup) {
+    nsIFrame* frame = mDragPopup->GetPrimaryFrame();
+    if (frame && frame->GetType() == nsGkAtoms::menuPopupFrame) {
+      (static_cast<nsMenuPopupFrame *>(frame))->MoveTo(aX - mImageX, aY - mImageY, PR_TRUE);
+    }
+  }
+
+  return NS_OK;
+}
+
 static nsIPresShell*
 GetPresShellForContent(nsIDOMNode* aDOMNode)
 {
@@ -437,8 +478,8 @@ nsBaseDragService::DrawDrag(nsIDOMNode* aDOMNode,
   // use a default size, in case of an error.
   aScreenDragRect->x = aScreenX - mImageX;
   aScreenDragRect->y = aScreenY - mImageY;
-  aScreenDragRect->width = 20;
-  aScreenDragRect->height = 20;
+  aScreenDragRect->width = 1;
+  aScreenDragRect->height = 1;
 
   // if a drag image was specified, use that, otherwise, use the source node
   nsCOMPtr<nsIDOMNode> dragNode = mImage ? mImage.get() : aDOMNode;
@@ -498,9 +539,9 @@ nsBaseDragService::DrawDrag(nsIDOMNode* aDOMNode,
     return NS_OK;
   }
 
-  // if an custom image was specified, check if it is an image node and draw
+  // if a custom image was specified, check if it is an image node and draw
   // using the source rather than the displayed image. But if mImage isn't
-  // an image, fall through to RenderNode below.
+  // an image or canvas, fall through to RenderNode below.
   if (mImage) {
     nsCOMPtr<nsICanvasElementExternal> canvas = do_QueryInterface(dragNode);
     if (canvas) {
@@ -514,18 +555,31 @@ nsBaseDragService::DrawDrag(nsIDOMNode* aDOMNode,
       return DrawDragForImage(*aPresContext, imageLoader, nsnull, aScreenX,
                               aScreenY, aScreenDragRect, aSurface);
     }
+
+    // If the image is a popup, use that as the image. This allows custom drag
+    // images that can change during the drag, but means that any platform
+    // default image handling won't occur.
+    // XXXndeakin this should be chrome-only
+
+    nsCOMPtr<nsIContent> content = do_QueryInterface(dragNode);
+    nsIFrame* frame = content->GetPrimaryFrame();
+    if (frame && frame->GetType() == nsGkAtoms::menuPopupFrame) {
+      mDragPopup = content;
+    }
   }
 
-  // otherwise, just draw the node
-  nsIntRegion clipRegion;
-  if (aRegion) {
-    aRegion->GetRegion(&clipRegion);
-  }
+  nsRefPtr<gfxASurface> surface;
+  if (!mDragPopup) {
+    // otherwise, just draw the node
+    nsIntRegion clipRegion;
+    if (aRegion) {
+      aRegion->GetRegion(&clipRegion);
+    }
 
-  nsIntPoint pnt(aScreenDragRect->x, aScreenDragRect->y);
-  nsRefPtr<gfxASurface> surface =
-    presShell->RenderNode(dragNode, aRegion ? &clipRegion : nsnull,
-                          pnt, aScreenDragRect);
+    nsIntPoint pnt(aScreenDragRect->x, aScreenDragRect->y);
+    surface = presShell->RenderNode(dragNode, aRegion ? &clipRegion : nsnull,
+                                    pnt, aScreenDragRect);
+  }
 
   // if an image was specified, reposition the drag rectangle to
   // the supplied offset in mImageX and mImageY.
diff --git a/widget/src/xpwidgets/nsBaseDragService.h b/widget/src/xpwidgets/nsBaseDragService.h
index 1711021b24d..5ee75d933e0 100644
--- a/widget/src/xpwidgets/nsBaseDragService.h
+++ b/widget/src/xpwidgets/nsBaseDragService.h
@@ -44,6 +44,7 @@
 #include "nsISupportsArray.h"
 #include "nsIDOMDocument.h"
 #include "nsIDOMDataTransfer.h"
+#include "nsIContent.h"
 #include "nsCOMPtr.h"
 #include "nsPoint.h"
 
@@ -129,6 +130,11 @@ protected:
   ConvertToUnscaledDevPixels(nsPresContext* aPresContext,
                              PRInt32* aScreenX, PRInt32* aScreenY);
 
+  /**
+   * If the drag image is a popup, open the popup when the drag begins.
+   */
+  void OpenDragPopup();
+
   PRPackedBool mCanDrop;
   PRPackedBool mOnlyChromeDrop;
   PRPackedBool mDoingDrag;
@@ -153,6 +159,10 @@ protected:
   // set if a selection is being dragged
   nsCOMPtr<nsISelection> mSelection;
 
+  // set if the image in mImage is a popup. If this case, the popup will be opened
+  // and moved instead of using a drag image.
+  nsCOMPtr<nsIContent> mDragPopup;
+
   // the screen position where drag gesture occurred, used for positioning the
   // drag image when no image is specified. If a value is -1, no event was
   // supplied so the screen position is not known
diff --git a/xpcom/ds/nsHashtable.cpp b/xpcom/ds/nsHashtable.cpp
index e302ef2b8ca..179ad4651af 100644
--- a/xpcom/ds/nsHashtable.cpp
+++ b/xpcom/ds/nsHashtable.cpp
@@ -127,12 +127,8 @@ hashEnumerate(PLDHashTable* table, PLDHashEntryHdr* hdr, PRUint32 i, void *arg)
     _HashEnumerateArgs* thunk = (_HashEnumerateArgs*)arg;
     HTEntry* entry = static_cast<HTEntry*>(hdr);
     
-    switch (thunk->fn(entry->key, entry->value, thunk->arg)) {
-      case kHashEnumerateNext:
+    if (thunk->fn(entry->key, entry->value, thunk->arg))
         return PL_DHASH_NEXT;
-      case kHashEnumerateRemove:
-        return PL_DHASH_REMOVE;
-    }
     return PL_DHASH_STOP;           
 }
 
diff --git a/xpcom/ds/nsHashtable.h b/xpcom/ds/nsHashtable.h
index 6b5a14d13e5..5aa9bf812f7 100644
--- a/xpcom/ds/nsHashtable.h
+++ b/xpcom/ds/nsHashtable.h
@@ -109,11 +109,10 @@ class nsHashKey {
 // Return values for nsHashtableEnumFunc
 enum {
     kHashEnumerateStop      = PR_FALSE,
-    kHashEnumerateNext      = PR_TRUE,
-    kHashEnumerateRemove    = 2
+    kHashEnumerateNext      = PR_TRUE
 };
 
-typedef PRIntn
+typedef PRBool
 (* nsHashtableEnumFunc)(nsHashKey *aKey, void *aData, void* aClosure);
 
 typedef nsresult
@@ -196,8 +195,6 @@ class nsSupportsHashtable
   : private nsHashtable
 {
   public:
-    typedef PRBool (* EnumFunc) (nsHashKey *aKey, void *aData, void* aClosure);
-
     nsSupportsHashtable(PRUint32 aSize = 16, PRBool threadSafe = PR_FALSE)
       : nsHashtable(aSize, threadSafe) {}
     ~nsSupportsHashtable();
@@ -214,7 +211,7 @@ class nsSupportsHashtable
     nsISupports* Get(nsHashKey *aKey);
     PRBool Remove(nsHashKey *aKey, nsISupports **value = nsnull);
     nsHashtable *Clone();
-    void Enumerate(EnumFunc aEnumFunc, void* aClosure = NULL) {
+    void Enumerate(nsHashtableEnumFunc aEnumFunc, void* aClosure = NULL) {
         nsHashtable::Enumerate(aEnumFunc, aClosure);
     }
     void Reset();
diff --git a/xpcom/io/nsEscape.cpp b/xpcom/io/nsEscape.cpp
index 9f9a78dbed6..34e15079aa7 100644
--- a/xpcom/io/nsEscape.cpp
+++ b/xpcom/io/nsEscape.cpp
@@ -353,7 +353,7 @@ const int EscapeChars[256] =
         0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,       /* 0x */
         0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,  	    /* 1x */
         0,1023,   0, 512,1023,   0,1023,   0,1023,1023,1023,1023,1023,1023, 953, 784,       /* 2x   !"#$%&'()*+,-./	 */
-     1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1008, 912,   0,1008,   0, 768,       /* 3x  0123456789:;<=>?	 */
+     1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1008,1008,   0,1008,   0, 768,       /* 3x  0123456789:;<=>?	 */
      1008,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,       /* 4x  @ABCDEFGHIJKLMNO  */
      1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023, 896, 896, 896, 896,1023,       /* 5x  PQRSTUVWXYZ[\]^_	 */
         0,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,1023,       /* 6x  `abcdefghijklmno	 */