Merge mozilla-central to fx-team

b2g/config/emulator-ics/sources.xml

@@ -12,7 +12,7 @@
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="c273bd6525f7f295539592ce74d5e6b225d53be1"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="7ef494164bcd840dc23c7db106dff0a98f8ff15f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="0a8bdd0f43e2d8fc7d45b3b0d97125834c0ac72f"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="platform_hardware_ril" path="hardware/ril" remote="b2g" revision="eda08beb3ba9a159843c70ffde0f9660ec351eb9"/>

b2g/config/emulator-jb/sources.xml

@@ -11,7 +11,7 @@
   </project>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="fake-libdvm" path="dalvik" remote="b2g" revision="d50ae982b19f42f0b66d08b9eb306be81687869f"/>
-  <project name="gaia" path="gaia" remote="mozillaorg" revision="c273bd6525f7f295539592ce74d5e6b225d53be1"/>
+  <project name="gaia" path="gaia" remote="mozillaorg" revision="7ef494164bcd840dc23c7db106dff0a98f8ff15f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="0a8bdd0f43e2d8fc7d45b3b0d97125834c0ac72f"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="e33ea242b4328fb0d1824c951f379332b5021512"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="788d9ce293a9b44f64536130cf4ad577e8101dbe"/>
@@ -124,7 +124,7 @@
   <project name="platform_external_qemu" path="external/qemu" remote="b2g" revision="8f7c9ac889ae2c778197b4a4c0529d60530f480b"/>
   <project name="platform/external/wpa_supplicant_8" path="external/wpa_supplicant_8" revision="0e56e450367cd802241b27164a2979188242b95f"/>
   <project name="platform_hardware_ril" path="hardware/ril" remote="b2g" revision="2838a77ce4b8c09fa6a46fe25410bb3a4474cbd4"/>
-  <project name="platform_system_nfcd" path="system/nfcd" remote="b2g" revision="5af419c0af0650066c0c58a5e99125b1002a62c5"/>
+  <project name="platform_system_nfcd" path="system/nfcd" remote="b2g" revision="a962b2ed2195038cd566493c3f7968bea9d20189"/>
   <project name="platform/development" path="development" revision="1f18cfe031ce23b7fb838fe3d4379dd802b49e71"/>
   <project name="android-sdk" path="sdk" remote="b2g" revision="8b1365af38c9a653df97349ee53a3f5d64fd590a"/>
 </manifest>

b2g/config/emulator/sources.xml

@@ -12,7 +12,7 @@
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="c273bd6525f7f295539592ce74d5e6b225d53be1"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="7ef494164bcd840dc23c7db106dff0a98f8ff15f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="0a8bdd0f43e2d8fc7d45b3b0d97125834c0ac72f"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="platform_hardware_ril" path="hardware/ril" remote="b2g" revision="eda08beb3ba9a159843c70ffde0f9660ec351eb9"/>

b2g/config/gaia.json

@@ -1,4 +1,4 @@
 {
-    "revision": "5db3ae28ac3a44dd2c08c41732758cdf4e7116f2", 
+    "revision": "25b78e722d958fe667061a2d9e0733d0877607ac", 
     "repo_path": "/integration/gaia-central"
 }

b2g/config/hamachi/sources.xml

@@ -11,7 +11,7 @@
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="c273bd6525f7f295539592ce74d5e6b225d53be1"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="7ef494164bcd840dc23c7db106dff0a98f8ff15f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="0a8bdd0f43e2d8fc7d45b3b0d97125834c0ac72f"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="84f2f2fce22605e17d511ff1767e54770067b5b5"/>

b2g/config/helix/sources.xml

@@ -10,7 +10,7 @@
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="c273bd6525f7f295539592ce74d5e6b225d53be1"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="7ef494164bcd840dc23c7db106dff0a98f8ff15f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="0a8bdd0f43e2d8fc7d45b3b0d97125834c0ac72f"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="84f2f2fce22605e17d511ff1767e54770067b5b5"/>

b2g/config/inari/sources.xml

@@ -12,7 +12,7 @@
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="c273bd6525f7f295539592ce74d5e6b225d53be1"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="7ef494164bcd840dc23c7db106dff0a98f8ff15f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="0a8bdd0f43e2d8fc7d45b3b0d97125834c0ac72f"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="84f2f2fce22605e17d511ff1767e54770067b5b5"/>

b2g/config/leo/sources.xml

@@ -11,7 +11,7 @@
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="c273bd6525f7f295539592ce74d5e6b225d53be1"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="7ef494164bcd840dc23c7db106dff0a98f8ff15f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="0a8bdd0f43e2d8fc7d45b3b0d97125834c0ac72f"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="84f2f2fce22605e17d511ff1767e54770067b5b5"/>

b2g/config/mako/sources.xml

@@ -11,7 +11,7 @@
   </project>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="fake-libdvm" path="dalvik" remote="b2g" revision="d50ae982b19f42f0b66d08b9eb306be81687869f"/>
-  <project name="gaia" path="gaia" remote="mozillaorg" revision="c273bd6525f7f295539592ce74d5e6b225d53be1"/>
+  <project name="gaia" path="gaia" remote="mozillaorg" revision="7ef494164bcd840dc23c7db106dff0a98f8ff15f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="0a8bdd0f43e2d8fc7d45b3b0d97125834c0ac72f"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="e33ea242b4328fb0d1824c951f379332b5021512"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="788d9ce293a9b44f64536130cf4ad577e8101dbe"/>
@@ -121,7 +121,7 @@
   <project name="device-mako" path="device/lge/mako" remote="b2g" revision="78d17f0c117f0c66dd55ee8d5c5dde8ccc93ecba"/>
   <project name="device/generic/armv7-a-neon" path="device/generic/armv7-a-neon" revision="3a9a17613cc685aa232432566ad6cc607eab4ec1"/>
   <project name="device/lge/mako-kernel" path="device/lge/mako-kernel" revision="d1729e53d71d711c8fde25eab8728ff2b9b4df0e"/>
-  <project name="platform_system_nfcd" path="system/nfcd" remote="b2g" revision="5af419c0af0650066c0c58a5e99125b1002a62c5"/>
+  <project name="platform_system_nfcd" path="system/nfcd" remote="b2g" revision="a962b2ed2195038cd566493c3f7968bea9d20189"/>
   <project name="platform/external/libnfc-nci" path="external/libnfc-nci" revision="7d33aaf740bbf6c7c6e9c34a92b371eda311b66b"/>
   <project name="platform/external/wpa_supplicant_8" path="external/wpa_supplicant_8" revision="0e56e450367cd802241b27164a2979188242b95f"/>
   <project name="platform/hardware/broadcom/wlan" path="hardware/broadcom/wlan" revision="0e1929fa3aa38bf9d40e9e953d619fab8164c82e"/>

b2g/config/wasabi/sources.xml

@@ -11,7 +11,7 @@
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="c273bd6525f7f295539592ce74d5e6b225d53be1"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="7ef494164bcd840dc23c7db106dff0a98f8ff15f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="0a8bdd0f43e2d8fc7d45b3b0d97125834c0ac72f"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="84f2f2fce22605e17d511ff1767e54770067b5b5"/>

configure.in

@@ -3689,7 +3689,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.15.5, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.16, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -n "$MOZ_NATIVE_NSS"; then

content/canvas/src/WebGLElementArrayCache.cpp

@@ -134,7 +134,7 @@ struct WebGLElementArrayCacheTree
 
 private:
   WebGLElementArrayCache& mParent;
-  nsTArray<T> mTreeData;
+  FallibleTArray<T> mTreeData;
   size_t mNumLeaves;
   bool mInvalidated;
   size_t mFirstInvalidatedLeaf;

content/canvas/src/WebGLProgram.h

@@ -122,7 +122,7 @@ protected:
     CheckedUint32 mGeneration;
 
     // post-link data
-    nsTArray<bool> mAttribsInUse;
+    FallibleTArray<bool> mAttribsInUse;
     nsAutoPtr<CStringMap> mIdentifierMap, mIdentifierReverseMap;
     nsAutoPtr<CStringToUniformInfoMap> mUniformInfoMap;
     int mAttribMaxNameLength;

dom/bluetooth/bluez/linux/BluetoothDBusService.cpp

@@ -2677,7 +2677,7 @@ public:
       DBUS_TYPE_OBJECT_PATH, &deviceAgentPath,
       DBUS_TYPE_STRING, &capabilities,
       DBUS_TYPE_INVALID);
-    NS_ENSURE_SUCCESS_VOID(success);
+    NS_ENSURE_TRUE_VOID(success);
 
     mRunnable.forget();
 

dom/bluetooth/tests/marionette/head.js

@@ -183,8 +183,10 @@ function waitForManagerEvent(aEventName) {
  * @return A deferred promise.
  */
 function setBluetoothEnabledAndWait(aEnabled) {
-  return setBluetoothEnabled(aEnabled)
-    .then(waitForManagerEvent.bind(null, aEnabled ? "enabled" : "disabled"));
+  return Promise.all([
+    setBluetoothEnabled(aEnabled),
+    waitForManagerEvent(aEnabled ? "enabled" : "disabled"),
+  ]);
 }
 
 /* Get default adapter.
@@ -265,8 +267,10 @@ function startBluetoothTest(aReenable, aTestCaseMain) {
       .then(function() {
         if (needEnable) {
           log("  Enable 'bluetooth.enabled' ...");
-          return setBluetoothEnabledAndWait(true)
-            .then(waitForManagerEvent.bind(null, "adapteradded"));
+          return Promise.all([
+            setBluetoothEnabledAndWait(true),
+            waitForManagerEvent("adapteradded"),
+          ]);
         }
       })
       .then(getDefaultAdapter)

dom/bluetooth/tests/marionette/test_dom_BluetoothManager_enabled.js

@@ -7,14 +7,21 @@
 MARIONETTE_TIMEOUT = 60000;
 MARIONETTE_HEAD_JS = 'head.js';
 
-let enabledEventReceived;
-function onEnabled() {
-  enabledEventReceived = true;
-}
+function waitEitherEnabledOrDisabled() {
+  let deferred = Promise.defer();
 
-let disabledEventReceived;
-function onDisabled() {
-  disabledEventReceived = true;
+  function onEnabledDisabled(aEvent) {
+    bluetoothManager.removeEventListener("enabled", onEnabledDisabled);
+    bluetoothManager.removeEventListener("disabled", onEnabledDisabled);
+
+    ok(true, "Got event " + aEvent.type);
+    deferred.resolve(aEvent.type === "enabled");
+  }
+
+  bluetoothManager.addEventListener("enabled", onEnabledDisabled);
+  bluetoothManager.addEventListener("disabled", onEnabledDisabled);
+
+  return deferred.promise;
 }
 
 function test(aEnabled) {
@@ -22,43 +29,34 @@ function test(aEnabled) {
 
   let deferred = Promise.defer();
 
-  enabledEventReceived = false;
-  disabledEventReceived = false;
+  Promise.all([setBluetoothEnabled(aEnabled),
+               waitEitherEnabledOrDisabled()])
+    .then(function(aResults) {
+      /* aResults is an array of two elements:
+       *   [ <result of setBluetoothEnabled>,
+       *     <result of waitEitherEnabledOrDisabled> ]
+       */
+      log("  Examine results " + JSON.stringify(aResults));
 
-  setBluetoothEnabled(aEnabled).then(function() {
-    log("  Settings set. Waiting 3 seconds and examine results.");
-
-    window.setTimeout(function() {
       is(bluetoothManager.enabled, aEnabled, "bluetoothManager.enabled");
-      is(enabledEventReceived, aEnabled, "enabledEventReceived");
-      is(disabledEventReceived, !aEnabled, "disabledEventReceived");
+      is(aResults[1], aEnabled, "'enabled' event received");
 
-      if (bluetoothManager.enabled === aEnabled &&
-          enabledEventReceived === aEnabled &&
-          disabledEventReceived === !aEnabled) {
+      if (bluetoothManager.enabled === aEnabled && aResults[1] === aEnabled) {
         deferred.resolve();
       } else {
         deferred.reject();
       }
-    }, 3000);
-  });
+    });
 
   return deferred.promise;
 }
 
 startBluetoothTestBase(["settings-read", "settings-write"],
                        function testCaseMain() {
-  bluetoothManager.addEventListener("enabled", onEnabled);
-  bluetoothManager.addEventListener("disabled", onDisabled);
-
   return getBluetoothEnabled()
     .then(function(aEnabled) {
       log("Original 'bluetooth.enabled' is " + aEnabled);
       // Set to !aEnabled and reset back to aEnabled.
       return test(!aEnabled).then(test.bind(null, aEnabled));
-    })
-    .then(function() {
-      bluetoothManager.removeEventListener("enabled", onEnabled);
-      bluetoothManager.removeEventListener("disabled", onDisabled);
     });
 });

dom/ipc/ContentParent.cpp

@@ -1599,25 +1599,25 @@ ContentParent::RecvSetClipboardText(const nsString& text,
     nsCOMPtr<nsISupportsString> dataWrapper =
         do_CreateInstance(NS_SUPPORTS_STRING_CONTRACTID, &rv);
     NS_ENSURE_SUCCESS(rv, true);
-    
+
     rv = dataWrapper->SetData(text);
     NS_ENSURE_SUCCESS(rv, true);
-    
+
     nsCOMPtr<nsITransferable> trans = do_CreateInstance("@mozilla.org/widget/transferable;1", &rv);
     NS_ENSURE_SUCCESS(rv, true);
     trans->Init(nullptr);
-    
+
     // If our data flavor has already been added, this will fail. But we don't care
     trans->AddDataFlavor(kUnicodeMime);
     trans->SetIsPrivateData(isPrivateData);
-    
+
     nsCOMPtr<nsISupports> nsisupportsDataWrapper =
         do_QueryInterface(dataWrapper);
-    
+
     rv = trans->SetTransferData(kUnicodeMime, nsisupportsDataWrapper,
                                 text.Length() * sizeof(char16_t));
     NS_ENSURE_SUCCESS(rv, true);
-    
+
     clipboard->SetData(trans, nullptr, whichClipboard);
     return true;
 }
@@ -1632,43 +1632,44 @@ ContentParent::RecvGetClipboardText(const int32_t& whichClipboard, nsString* tex
     nsCOMPtr<nsITransferable> trans = do_CreateInstance("@mozilla.org/widget/transferable;1", &rv);
     NS_ENSURE_SUCCESS(rv, true);
     trans->Init(nullptr);
-    
+    trans->AddDataFlavor(kUnicodeMime);
+
     clipboard->GetData(trans, whichClipboard);
     nsCOMPtr<nsISupports> tmp;
     uint32_t len;
     rv = trans->GetTransferData(kUnicodeMime, getter_AddRefs(tmp), &len);
     if (NS_FAILED(rv))
-        return false;
+        return true;
 
     nsCOMPtr<nsISupportsString> supportsString = do_QueryInterface(tmp);
     // No support for non-text data
     if (!supportsString)
-        return false;
+        return true;
     supportsString->GetData(*text);
     return true;
 }
 
 bool
-ContentParent::RecvEmptyClipboard()
+ContentParent::RecvEmptyClipboard(const int32_t& whichClipboard)
 {
     nsresult rv;
     nsCOMPtr<nsIClipboard> clipboard(do_GetService(kCClipboardCID, &rv));
     NS_ENSURE_SUCCESS(rv, true);
 
-    clipboard->EmptyClipboard(nsIClipboard::kGlobalClipboard);
+    clipboard->EmptyClipboard(whichClipboard);
 
     return true;
 }
 
 bool
-ContentParent::RecvClipboardHasText(bool* hasText)
+ContentParent::RecvClipboardHasText(const int32_t& whichClipboard, bool* hasText)
 {
     nsresult rv;
     nsCOMPtr<nsIClipboard> clipboard(do_GetService(kCClipboardCID, &rv));
     NS_ENSURE_SUCCESS(rv, true);
 
-    clipboard->HasDataMatchingFlavors(sClipboardTextFlavors, 1, 
-                                      nsIClipboard::kGlobalClipboard, hasText);
+    clipboard->HasDataMatchingFlavors(sClipboardTextFlavors, 1,
+                                      whichClipboard, hasText);
     return true;
 }
 

dom/ipc/ContentParent.h

@@ -408,8 +408,8 @@ private:
                                       const bool& isPrivateData,
                                       const int32_t& whichClipboard) MOZ_OVERRIDE;
     virtual bool RecvGetClipboardText(const int32_t& whichClipboard, nsString* text) MOZ_OVERRIDE;
-    virtual bool RecvEmptyClipboard() MOZ_OVERRIDE;
-    virtual bool RecvClipboardHasText(bool* hasText) MOZ_OVERRIDE;
+    virtual bool RecvEmptyClipboard(const int32_t& whichClipboard) MOZ_OVERRIDE;
+    virtual bool RecvClipboardHasText(const int32_t& whichClipboard, bool* hasText) MOZ_OVERRIDE;
 
     virtual bool RecvGetSystemColors(const uint32_t& colorsCount,
                                      InfallibleTArray<uint32_t>* colors) MOZ_OVERRIDE;

dom/ipc/PContent.ipdl

@@ -439,13 +439,11 @@ parent:
     // nsIPermissionManager messages
     sync ReadPermissions() returns (Permission[] permissions);
 
-    // These clipboard methods are only really used on Android since
-    // the clipboard is not available in the content process.
     SetClipboardText(nsString text, bool isPrivateData, int32_t whichClipboard);
     sync GetClipboardText(int32_t whichClipboard)
         returns (nsString text);
-    EmptyClipboard();
-    sync ClipboardHasText()
+    EmptyClipboard(int32_t whichClipboard);
+    sync ClipboardHasText(int32_t whichClipboard)
         returns (bool hasText);
 
     sync GetSystemColors(uint32_t colorsCount)

editor/libeditor/base/nsEditorEventListener.cpp

@@ -232,6 +232,21 @@ nsEditorEventListener::Disconnect()
     return;
   }
   UninstallFromEditor();
+
+  nsIFocusManager* fm = nsFocusManager::GetFocusManager();
+  if (fm) {
+    nsCOMPtr<nsIDOMElement> domFocus;
+    fm->GetFocusedElement(getter_AddRefs(domFocus));
+    nsCOMPtr<nsINode> focusedElement = do_QueryInterface(domFocus);
+    mozilla::dom::Element* root = mEditor->GetRoot();
+    if (focusedElement && root &&
+        nsContentUtils::ContentIsDescendantOf(focusedElement, root)) {
+      // Reset the Selection ancestor limiter and SelectionController state
+      // that nsEditor::InitializeSelection set up.
+      mEditor->FinalizeSelection();
+    }
+  }
+
   mEditor = nullptr;
 }
 

editor/reftests/969773-ref.html

@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+  <meta charset="utf-8">
+  <title>Contenteditable Selection Test Case</title>
+  <script>
+    function runTests() {
+      var text = document.getElementById("text");
+
+      text.focus();
+
+      setTimeout(function () {
+        document.body.offsetHeight;
+        document.documentElement.removeAttribute('class');
+      }, 0);
+    }
+    document.addEventListener('MozReftestInvalidate', runTests, false);
+  </script>
+</head>
+<body>
+    <div>This is a contenteditable.</div>
+    <div id="text" tabindex="0">This is focusable text</div>
+</body>
+</html>

editor/reftests/969773.html

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+  <meta charset="utf-8">
+  <title>Contenteditable Selection Test Case</title>
+  <script>
+    function runTests() {
+      var editable = document.getElementById("editable");
+      var text = document.getElementById("text");
+
+      editable.focus();
+
+      setTimeout(function () {
+        editable.setAttribute("contenteditable", "false");
+        text.focus();
+        setTimeout(function () {
+          document.body.offsetHeight;
+          document.documentElement.removeAttribute('class');
+        }, 0);
+      }, 0);
+    }
+    document.addEventListener('MozReftestInvalidate', runTests, false);
+  </script>
+</head>
+<body>
+    <div id="editable" contenteditable="true" tabindex="0" spellcheck="false">This is a contenteditable.</div>
+    <div id="text" tabindex="0">This is focusable text</div>
+</body>
+</html>

editor/reftests/reftest.list

@@ -125,3 +125,4 @@ needs-focus == spellcheck-contenteditable-focused-reframe.html spellcheck-conten
 == spellcheck-contenteditable-attr-dynamic-override-inherit.html spellcheck-contenteditable-disabled-ref.html
 == spellcheck-contenteditable-property-dynamic-override.html spellcheck-contenteditable-disabled-ref.html
 == spellcheck-contenteditable-property-dynamic-override-inherit.html spellcheck-contenteditable-disabled-ref.html
+needs-focus == 969773.html 969773-ref.html

gfx/layers/YCbCrImageDataSerializer.cpp

@@ -253,7 +253,7 @@ TemporaryRef<DataSourceSurface>
 YCbCrImageDataDeserializer::ToDataSourceSurface()
 {
   RefPtr<DataSourceSurface> result =
-    Factory::CreateDataSourceSurface(GetYSize(), gfx::SurfaceFormat::R8G8B8X8);
+    Factory::CreateDataSourceSurface(GetYSize(), gfx::SurfaceFormat::B8G8R8X8);
 
   DataSourceSurface::MappedSurface map;
   result->Map(DataSourceSurface::MapType::WRITE, &map);

gfx/layers/client/CanvasClient.cpp

@@ -53,7 +53,7 @@ CanvasClient2D::Update(gfx::IntSize aSize, ClientCanvasLayer* aLayer)
 {
   if (mBuffer &&
       (mBuffer->IsImmutable() || mBuffer->GetSize() != aSize)) {
-    GetForwarder()->AddForceRemovingTexture(mBuffer);
+    GetForwarder()->HoldUntilTransaction(mBuffer);
     mBuffer = nullptr;
   }
 

gfx/layers/client/ClientLayerManager.cpp

@@ -388,7 +388,7 @@ ClientLayerManager::ForwardTransaction(bool aScheduleComposite)
     NS_WARNING("failed to forward Layers transaction");
   }
 
-  mForwarder->ForceRemoveTexturesIfNecessary();
+  mForwarder->RemoveTexturesIfNecessary();
   mPhase = PHASE_NONE;
 
   // this may result in Layers being deleted, which results in

gfx/layers/client/ImageClient.cpp

@@ -103,7 +103,7 @@ void
 ImageClientSingle::FlushAllImages(bool aExceptFront)
 {
   if (!aExceptFront && mFrontBuffer) {
-    GetForwarder()->AddForceRemovingTexture(mFrontBuffer);
+    GetForwarder()->HoldUntilTransaction(mFrontBuffer);
     mFrontBuffer = nullptr;
   }
 }
@@ -112,11 +112,11 @@ void
 ImageClientBuffered::FlushAllImages(bool aExceptFront)
 {
   if (!aExceptFront && mFrontBuffer) {
-    GetForwarder()->AddForceRemovingTexture(mFrontBuffer);
+    GetForwarder()->HoldUntilTransaction(mFrontBuffer);
     mFrontBuffer = nullptr;
   }
   if (mBackBuffer) {
-    GetForwarder()->AddForceRemovingTexture(mBackBuffer);
+    GetForwarder()->HoldUntilTransaction(mBackBuffer);
     mBackBuffer = nullptr;
   }
 }
@@ -140,14 +140,9 @@ ImageClientSingle::UpdateImage(ImageContainer* aContainer,
     // fast path: no need to allocate and/or copy image data
     RefPtr<TextureClient> texture = image->AsSharedImage()->GetTextureClient();
 
-    if (texture->IsSharedWithCompositor()) {
-      // XXX - temporary fix for bug 911941
-      // This will be changed with bug 912907
-      return false;
-    }
 
     if (mFrontBuffer) {
-      GetForwarder()->AddForceRemovingTexture(mFrontBuffer);
+      GetForwarder()->HoldUntilTransaction(mFrontBuffer);
     }
     mFrontBuffer = texture;
     if (!AddTextureClient(texture)) {
@@ -164,7 +159,7 @@ ImageClientSingle::UpdateImage(ImageContainer* aContainer,
     }
 
     if (mFrontBuffer && mFrontBuffer->IsImmutable()) {
-      GetForwarder()->AddForceRemovingTexture(mFrontBuffer);
+      GetForwarder()->HoldUntilTransaction(mFrontBuffer);
       mFrontBuffer = nullptr;
     }
 
@@ -207,7 +202,7 @@ ImageClientSingle::UpdateImage(ImageContainer* aContainer,
     gfx::IntSize size = gfx::IntSize(image->GetSize().width, image->GetSize().height);
 
     if (mFrontBuffer) {
-      GetForwarder()->AddForceRemovingTexture(mFrontBuffer);
+      GetForwarder()->HoldUntilTransaction(mFrontBuffer);
       mFrontBuffer = nullptr;
     }
 
@@ -228,7 +223,7 @@ ImageClientSingle::UpdateImage(ImageContainer* aContainer,
 
     if (mFrontBuffer &&
         (mFrontBuffer->IsImmutable() || mFrontBuffer->GetSize() != size)) {
-      GetForwarder()->AddForceRemovingTexture(mFrontBuffer);
+      GetForwarder()->HoldUntilTransaction(mFrontBuffer);
       mFrontBuffer = nullptr;
     }
 

gfx/layers/client/TextureClient.cpp

@@ -161,8 +161,11 @@ TextureClient::DestroyIPDLActor(PTextureChild* actor)
 bool
 TextureClient::InitIPDLActor(CompositableForwarder* aForwarder)
 {
-  MOZ_ASSERT(!mActor);
   MOZ_ASSERT(aForwarder);
+  if (mActor && mActor->GetForwarder() == aForwarder) {
+    return true;
+  }
+  MOZ_ASSERT(!mActor, "Cannot use a texture on several IPC channels.");
 
   SurfaceDescriptor desc;
   if (!ToSurfaceDescriptor(desc)) {

gfx/layers/ipc/CompositableForwarder.h

@@ -162,13 +162,13 @@ public:
   virtual void RemoveTexture(TextureClient* aTexture) = 0;
 
   /**
-   * Forcibly remove texture data from TextureClient
-   * after a tansaction with Compositor.
+   * Holds a reference to a TextureClient until after the next
+   * compositor transaction, and then drops it.
    */
-  virtual void AddForceRemovingTexture(TextureClient* aClient)
+  virtual void HoldUntilTransaction(TextureClient* aClient)
   {
     if (aClient) {
-      mForceRemovingTextures.AppendElement(aClient);
+      mTexturesToRemove.AppendElement(aClient);
     }
   }
 
@@ -176,12 +176,9 @@ public:
    * Forcibly remove texture data from TextureClient
    * This function needs to be called after a tansaction with Compositor.
    */
-  virtual void ForceRemoveTexturesIfNecessary()
+  virtual void RemoveTexturesIfNecessary()
   {
-    for (uint32_t i = 0; i < mForceRemovingTextures.Length(); i++) {
-       mForceRemovingTextures[i]->ForceRemove();
-    }
-    mForceRemovingTextures.Clear();
+    mTexturesToRemove.Clear();
   }
 
   /**
@@ -244,7 +241,7 @@ public:
 protected:
   TextureFactoryIdentifier mTextureFactoryIdentifier;
   bool mMultiProcess;
-  nsTArray<RefPtr<TextureClient> > mForceRemovingTextures;
+  nsTArray<RefPtr<TextureClient> > mTexturesToRemove;
 };
 
 } // namespace

gfx/layers/ipc/CompositableTransactionParent.cpp

@@ -230,6 +230,11 @@ CompositableParentManager::ReceiveCompositableUpdate(const CompositableOperation
 
       if (IsAsync()) {
         ScheduleComposition(op);
+        // Async layer updates don't trigger invalidation, manually tell the layer
+        // that its content have changed.
+        if (compositable->GetLayer()) {
+          compositable->GetLayer()->SetInvalidRectToVisibleRegion();
+        }
       }
       break;
     }

gfx/layers/ipc/ImageBridgeChild.cpp

@@ -453,15 +453,15 @@ ImageBridgeChild::BeginTransaction()
   mTxn->Begin();
 }
 
-class MOZ_STACK_CLASS AutoForceRemoveTextures
+class MOZ_STACK_CLASS AutoRemoveTextures
 {
 public:
-  AutoForceRemoveTextures(ImageBridgeChild* aImageBridge)
+  AutoRemoveTextures(ImageBridgeChild* aImageBridge)
     : mImageBridge(aImageBridge) {}
 
-  ~AutoForceRemoveTextures()
+  ~AutoRemoveTextures()
   {
-    mImageBridge->ForceRemoveTexturesIfNecessary();
+    mImageBridge->RemoveTexturesIfNecessary();
   }
 private:
   ImageBridgeChild* mImageBridge;
@@ -473,7 +473,7 @@ ImageBridgeChild::EndTransaction()
   MOZ_ASSERT(!mTxn->Finished(), "forgot BeginTransaction?");
 
   AutoEndTransaction _(mTxn);
-  AutoForceRemoveTextures autoForceRemoveTextures(this);
+  AutoRemoveTextures autoRemoveTextures(this);
 
   if (mTxn->IsEmpty()) {
     return;

js/src/builtin/TypedObject.cpp

@@ -1341,6 +1341,7 @@ void
 TypedDatum::attach(TypedDatum &datum, uint32_t offset)
 {
     JS_ASSERT(datum.getReservedSlot(JS_DATUM_SLOT_OWNER).isObject());
+    JS_ASSERT(offset + size() <= datum.size());
 
     // find the location in memory
     uint8_t *mem = datum.typedMem(offset);

js/src/builtin/TypedObject.h

@@ -516,7 +516,12 @@ class TypedDatum : public JSObject
     }
 
     uint8_t *typedMem(size_t offset) const {
-        JS_ASSERT(offset < size());
+        // It seems a bit surprising that one might request an offset
+        // == size(), but it can happen when taking the "address of" a
+        // 0-sized value. (In other words, we maintain the invariant
+        // that `offset + size <= size()` -- this is always checked in
+        // the caller's side.)
+        JS_ASSERT(offset <= size());
         return typedMem() + offset;
     }
 };

js/src/jit-test/tests/TypedObject/bug969159.js

@@ -0,0 +1,9 @@
+// Test access to a 0-sized element (in this case,
+// a zero-length array).
+
+if (!this.hasOwnProperty("TypedObject"))
+  quit();
+
+var AA = TypedObject.uint8.array(0.).array(5);
+var aa = new AA();
+var aa0 = aa[0];

layout/base/ActiveLayerTracker.cpp

@@ -115,7 +115,11 @@ LayerActivityTracker::NotifyExpired(LayerActivity* aObject)
   nsIFrame* f = aObject->mFrame;
   aObject->mFrame = nullptr;
 
-  f->SchedulePaint();
+  // The pres context might have been detached during the delay -
+  // that's fine, just skip the paint.
+  if (f->PresContext()->GetContainerWeak()) {
+    f->SchedulePaint();
+  }
   f->RemoveStateBits(NS_FRAME_HAS_LAYER_ACTIVITY_PROPERTY);
   f->Properties().Delete(LayerActivityProperty());
 }

layout/base/nsPresContext.cpp

@@ -2354,8 +2354,7 @@ nsPresContext::NotifyInvalidation(const nsIntRect& aRect, uint32_t aFlags)
 void
 nsPresContext::NotifyInvalidation(const nsRect& aRect, uint32_t aFlags)
 {
-  // Disabled temporarily for happening too frequently. (bug 967758)
-  //MOZ_ASSERT(GetContainerWeak(), "Invalidation in detached pres context");
+  MOZ_ASSERT(GetContainerWeak(), "Invalidation in detached pres context");
 
   // If there is no paint event listener, then we don't need to fire
   // the asynchronous event. We don't even need to record invalidation.

layout/base/nsPresShell.cpp

@@ -5902,6 +5902,7 @@ PresShell::Paint(nsView*        aViewToPaint,
   }
   if (mNextPaintCompressed) {
     flags |= nsLayoutUtils::PAINT_COMPRESSED;
+    mNextPaintCompressed = false;
   }
 
   if (frame) {

layout/generic/nsFrame.cpp

@@ -4896,8 +4896,7 @@ nsIFrame::SchedulePaint(PaintType aType)
     return;
   }
   
-  // Disabled temporarily for happening too frequently. (bug 967758)
-  //MOZ_ASSERT(pres->GetContainerWeak(), "SchedulePaint in a detached pres context");
+  MOZ_ASSERT(pres->GetContainerWeak(), "SchedulePaint in a detached pres context");
   pres->PresShell()->ScheduleViewManagerFlush(aType == PAINT_DELAYED_COMPRESS ?
                                               nsIPresShell::PAINT_DELAYED_COMPRESS :
                                               nsIPresShell::PAINT_DEFAULT);

layout/style/test/chrome/test_author_specified_style.html

@@ -26,19 +26,27 @@ var properties = [
   "background",             "none repeat scroll 0% 0% "
 ];
 
-var span = document.createElement("span");
-for (var j = 0; j < properties.length; j += 2) {
-  var propertyName = properties[j];
-  var expectedPrefix = properties[j + 1];
-  for (var i = 0; i < values.length; i += 2) {
-    var value = values[i];
-    var expected = values[i + 1];
-    span.setAttribute("style", propertyName + ": " + value);
-    is(span.style.getAuthoredPropertyValue(propertyName), expectedPrefix + expected, "specified " + value);
+function runTest() {
+  var span = document.createElement("span");
+  for (var j = 0; j < properties.length; j += 2) {
+    var propertyName = properties[j];
+    var expectedPrefix = properties[j + 1];
+    for (var i = 0; i < values.length; i += 2) {
+      var value = values[i];
+      var expected = values[i + 1];
+      span.setAttribute("style", propertyName + ": " + value);
+      is(span.style.getAuthoredPropertyValue(propertyName), expectedPrefix + expected, "specified " + value);
+    }
   }
+
+  // also test a custom property
+  span.setAttribute("style", "var-color: rgb(10%,25%,99%)");
+  is(span.style.getAuthoredPropertyValue("var-color"), " rgb(10%,25%,99%)", "specified var-color");
+
+  SimpleTest.finish();
 }
 
-// also test a custom property
-span.setAttribute("style", "var-color: rgb(10%,25%,99%)");
-is(span.style.getAuthoredPropertyValue("var-color"), " rgb(10%,25%,99%)", "specified var-color");
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv({ set: [["layout.css.variables.enabled", true]] },
+                          runTest);
 </script>

layout/style/test/test_value_storage.html

@@ -105,6 +105,7 @@ var gPrereqDeclaration =
 
 function test_property(property)
 {
+  ok(SpecialPowers.getBoolPref("layout.css.variables.enabled"), "pref not set #2");
   var info = gCSSProperties[property];
 
   var test_computed = !("backend_only" in info);
@@ -286,24 +287,30 @@ function test_property(property)
 
 }
 
-// To avoid triggering the slow script dialog, we have to test one
-// property at a time.
-SimpleTest.waitForExplicitFinish();
-SimpleTest.requestLongerTimeout(2);
-var props = [];
-for (var prop in gCSSProperties)
-  props.push(prop);
-props = props.reverse();
-function do_one() {
-  if (props.length == 0) {
-    SimpleTest.finish();
-    return;
+function runTest() {
+  // To avoid triggering the slow script dialog, we have to test one
+  // property at a time.
+  ok(SpecialPowers.getBoolPref("layout.css.variables.enabled"), "pref not set #1");
+  var props = [];
+  for (var prop in gCSSProperties)
+    props.push(prop);
+  props = props.reverse();
+  function do_one() {
+    if (props.length == 0) {
+      SimpleTest.finish();
+      return;
+    }
+    test_property(props.pop());
+    SimpleTest.executeSoon(do_one);
   }
-  test_property(props.pop());
   SimpleTest.executeSoon(do_one);
 }
-SimpleTest.executeSoon(do_one);
 
+SimpleTest.waitForExplicitFinish();
+SimpleTest.requestLongerTimeout(2);
+
+SpecialPowers.pushPrefEnv({ set: [["layout.css.variables.enabled", true]] },
+                          runTest);
 </script>
 </pre>
 </body>

layout/style/test/test_variable_serialization_computed.html

@@ -4,7 +4,7 @@
 <script src="/tests/SimpleTest/SimpleTest.js"></script>
 <link rel="stylesheet" href="/tests/SimpleTest/test.css" type="text/css">
 
-<div style="var-z:an-inherited-value">
+<div>
   <span></span>
 </div>
 
@@ -52,14 +52,25 @@ var values = [
   ["var-a: url(\"http://example.org/\\", "var-a", " url(\"http://example.org/\")"]
 ];
 
-var span = document.querySelector("span");
+function runTest() {
+  var div = document.querySelector("div");
+  var span = document.querySelector("span");
 
-values.forEach(function(entry, i) {
-  var declaration = entry[0];
-  var property = entry[1];
-  var expected = entry[2];
-  span.setAttribute("style", declaration);
-  var cs = getComputedStyle(span, "");
-  is(cs.getPropertyValue(property), expected, "subtest #" + i);
-});
+  div.setAttribute("style", "var-z:an-inherited-value");
+
+  values.forEach(function(entry, i) {
+    var declaration = entry[0];
+    var property = entry[1];
+    var expected = entry[2];
+    span.setAttribute("style", declaration);
+    var cs = getComputedStyle(span, "");
+    is(cs.getPropertyValue(property), expected, "subtest #" + i);
+  });
+
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv({ set: [["layout.css.variables.enabled", true]] },
+                          runTest);
 </script>

layout/style/test/test_variable_serialization_specified.html

@@ -98,11 +98,19 @@ function test_specified_value_serialization(value, expected) {
   decl.removeProperty("margin");
 }
 
-values_with_unchanged_specified_value_serialization.forEach(function(value) {
-  test_specified_value_serialization(value, value);
-});
+function runTest() {
+  values_with_unchanged_specified_value_serialization.forEach(function(value) {
+    test_specified_value_serialization(value, value);
+  });
 
-values_with_changed_specified_value_serialization.forEach(function(pair) {
-  test_specified_value_serialization(pair[0], pair[1]);
-});
+  values_with_changed_specified_value_serialization.forEach(function(pair) {
+    test_specified_value_serialization(pair[0], pair[1]);
+  });
+
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv({ set: [["layout.css.variables.enabled", true]] },
+                          runTest);
 </script>

layout/style/test/test_variables.html

@@ -5,22 +5,21 @@
 <link rel="stylesheet" href="/tests/SimpleTest/test.css" type="text/css">
 
 <style id="test1">
-p { var-a:123!important; }
 </style>
 
 <style id="test2">
-p { var-a: a !important; }
 </style>
 
 <style id="test3">
-p { border-left-style: inset; padding: 1px; var-decoration: line-through; }
 </style>
 
 <script>
 var tests = [
   function() {
     // https://bugzilla.mozilla.org/show_bug.cgi?id=773296#c121
-    var declaration = document.getElementById("test1").sheet.cssRules[0].style;
+    var test1 = document.getElementById("test1");
+    test1.textContent = "p { var-a:123!important; }";
+    var declaration = test1.sheet.cssRules[0].style;
     declaration.cssText;
     declaration.setProperty("color", "black");
     is(declaration.getPropertyValue("var-a"), "123");
@@ -28,16 +27,27 @@ var tests = [
 
   function() {
     // https://bugzilla.mozilla.org/show_bug.cgi?id=773296#c121
-    var declaration = document.getElementById("test2").sheet.cssRules[0].style;
+    var test2 = document.getElementById("test2");
+    test2.textContent = "p { var-a: a !important; }";
+    var declaration = test2.sheet.cssRules[0].style;
     is(declaration.getPropertyPriority("var-a"), "important");
   },
 
   function() {
     // https://bugzilla.mozilla.org/show_bug.cgi?id=955913
-    var declaration = document.getElementById("test3").sheet.cssRules[0].style;
+    var test3 = document.getElementById("test3");
+    test3.textContent = "p { border-left-style: inset; padding: 1px; var-decoration: line-through; }";
+    var declaration = test3.sheet.cssRules[0].style;
     is(declaration[declaration.length - 1], "var-decoration");
   },
 ];
 
-tests.forEach(function(fn) { fn(); });
+function runTest() {
+  tests.forEach(function(fn) { fn(); });
+  SimpleTest.finish();
+}
+
+SimpleTest.waitForExplicitFinish();
+SpecialPowers.pushPrefEnv({ set: [["layout.css.variables.enabled", true ]] },
+                          runTest);
 </script>

media/webrtc/signaling/src/sipcc/core/sdp/sdp_attr_access.c

@@ -12534,7 +12534,7 @@ u16 sdp_attr_get_extmap_id(void *sdp_ptr, u16 level,
     sdp_attr_t  *attr_p;
 
     if (sdp_verify_sdp_ptr(sdp_p) == FALSE) {
-        return (NULL);
+        return 0;
     }
 
     attr_p = sdp_find_attr(sdp_p, level, 0, SDP_ATTR_EXTMAP, inst_num);

python/lldbutils/README.txt

@@ -143,6 +143,23 @@ the "expr -R -- EXPR" command can be used to show its actual member variables.
     nsACString_internal = "text/html"
   }
 
+* nscolor
+
+  nscolors (32-bit RGBA colors) have a type summary that shows the color as
+  one of the CSS 2.1 color keywords, a six digit hex color, an rgba() color,
+  or the "transparent" keyword.
+
+  (lldb) p this
+  (nsTextFrame *) $0 = 0x00000001168245e0
+  (lldb) p *this->StyleColor()
+  (const nsStyleColor) $1 = {
+    mColor = lime
+  }
+  (lldb) expr -R -- *this->StyleColor()
+  (const nsStyleColor) $2 = {
+    mColor = 4278255360
+  }
+
 * nsIAtom
 
   Atoms have a type summary that shows the string value inside the atom.

python/lldbutils/lldbutils/__init__.py

@@ -1,6 +1,6 @@
 import lldb
 
-__all__ = ['content', 'general', 'layout', 'utils']
+__all__ = ['content', 'general', 'gfx', 'layout', 'utils']
 
 def init():
     for name in __all__:

python/lldbutils/lldbutils/gfx.py

@@ -0,0 +1,34 @@
+import lldb
+
+def summarize_nscolor(valobj, internal_dict):
+    colors = {
+        "#800000": "maroon",
+        "#ff0000": "red",
+        "#ffa500": "orange",
+        "#ffff00": "yellow",
+        "#808000": "olive",
+        "#800080": "purple",
+        "#ff00ff": "fuchsia",
+        "#ffffff": "white",
+        "#00ff00": "lime",
+        "#008000": "green",
+        "#000080": "navy",
+        "#0000ff": "blue",
+        "#00ffff": "aqua",
+        "#008080": "teal",
+        "#000000": "black",
+        "#c0c0c0": "silver",
+        "#808080": "gray"
+    }
+    value = valobj.GetValueAsUnsigned(0)
+    if value == 0:
+        return "transparent"
+    if value & 0xff000000 != 0xff000000:
+        return "rgba(%d, %d, %d, %f)" % (value & 0xff, (value >> 8) & 0xff, (value >> 16) & 0xff, ((value >> 24) & 0xff) / 255.0)
+    color = "#%02x%02x%02x" % (value & 0xff, (value >> 8) & 0xff, (value >> 16) & 0xff)
+    if color in colors:
+        return colors[color]
+    return color
+
+def init(debugger):
+    debugger.HandleCommand("type summary add nscolor -v -F lldbutils.gfx.summarize_nscolor")

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_15_5_RC0
+NSS_3_16_BETA1

security/nss/coreconf/config.mk

@@ -166,6 +166,10 @@ ifdef NSS_DISABLE_DBM
 DEFINES += -DNSS_DISABLE_DBM
 endif
 
+ifdef NSS_PKIX_NO_LDAP
+DEFINES += -DNSS_PKIX_NO_LDAP
+endif
+
 # Avoid building object leak test code for optimized library
 ifndef BUILD_OPT
 ifdef PKIX_OBJECT_LEAK_TEST

security/nss/coreconf/coreconf.dep

@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-

security/nss/lib/certhigh/certvfy.c

@@ -506,7 +506,18 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 	    PORT_SetError (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID);
 	    LOG_ERROR_OR_EXIT(log, issuerCert, count+1, pathLengthLimit);
 	}
-	
+
+        /* make sure that the entire chain is within the name space of the
+         * current issuer certificate.
+         */
+        rv = CERT_CompareNameSpace(issuerCert, namesList, certsList,
+                                   arena, &badCert);
+        if (rv != SECSuccess || badCert != NULL) {
+            PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
+            LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
+            goto loser;
+        }
+
 	/* XXX - the error logging may need to go down into CRL stuff at some
 	 * point
 	 */
@@ -628,16 +639,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 	    }
 	}
 
-	/* make sure that the entire chain is within the name space of the 
-	** current issuer certificate.
-	*/
-	rv = CERT_CompareNameSpace(issuerCert, namesList, certsList, 
-	                           arena, &badCert);
-	if (rv != SECSuccess || badCert != NULL) {
-	    PORT_SetError(SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
-            LOG_ERROR_OR_EXIT(log, badCert, count + 1, 0);
-	    goto loser;
-	}
 	/* make sure that the issuer is not self signed.  If it is, then
 	 * stop here to prevent looping.
 	 */

security/nss/lib/ckfw/builtins/nssckbi.h

@@ -45,8 +45,8 @@
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 96
-#define NSS_BUILTINS_LIBRARY_VERSION "1.96"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 97
+#define NSS_BUILTINS_LIBRARY_VERSION "1.97"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

security/nss/lib/freebl/config.mk

@@ -54,9 +54,9 @@ RES     = $(OBJDIR)/$(LIBRARY_NAME).res
 RESNAME = freebl.rc
 
 ifdef NS_USE_GCC
-OS_LIBS += -lshell32
+OS_LIBS += -ladvapi32
 else
-OS_LIBS += shell32.lib
+OS_LIBS += advapi32.lib
 endif
 
 ifdef NS_USE_GCC

security/nss/lib/freebl/rsapkcs.c

@@ -24,16 +24,14 @@
 /*
  * RSA block types
  *
- * The actual values are important -- they are fixed, *not* arbitrary.
- * The explicit value assignments are not needed (because C would give
- * us those same values anyway) but are included as a reminder...
+ * The values of RSA_BlockPrivate and RSA_BlockPublic are fixed.
+ * The value of RSA_BlockRaw isn't fixed by definition, but we are keeping
+ * the value that NSS has been using in the past.
  */
 typedef enum {
-    RSA_BlockUnused = 0,    /* unused */
     RSA_BlockPrivate = 1,   /* pad for a private-key operation */
     RSA_BlockPublic = 2,    /* pad for a public-key operation */
-    RSA_BlockRaw = 4,       /* simply justify the block appropriately */
-    RSA_BlockTotal
+    RSA_BlockRaw = 4        /* simply justify the block appropriately */
 } RSA_BlockType;
 
 /* Needed for RSA-PSS functions */

security/nss/lib/freebl/sysrand.c

@@ -8,7 +8,9 @@
 
 #include "seccomon.h"
 
+#ifndef XP_WIN
 static size_t rng_systemFromNoise(unsigned char *dest, size_t maxLen);
+#endif
 
 #if defined(XP_UNIX) || defined(XP_BEOS)
 #include "unix_rand.c"
@@ -20,6 +22,7 @@ static size_t rng_systemFromNoise(unsigned char *dest, size_t maxLen);
 #include "os2_rand.c"
 #endif
 
+#ifndef XP_WIN
 /*
  * Normal RNG_SystemRNG() isn't available, use the system noise to collect
  * the required amount of entropy.
@@ -43,4 +46,4 @@ rng_systemFromNoise(unsigned char *dest, size_t maxLen)
    }
    return retBytes;
 }
-
+#endif

security/nss/lib/freebl/win_rand.c

@@ -3,24 +3,10 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secrng.h"
-#include "secerr.h"
 
 #ifdef XP_WIN
 #include <windows.h>
-#include <shlobj.h>     /* for CSIDL constants */
 #include <time.h>
-#include <io.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdio.h>
-#include "prio.h"
-#include "prerror.h"
-
-static PRInt32  filesToRead;
-static DWORD    totalFileBytes;
-static DWORD    maxFileBytes	= 250000;	/* 250 thousand */
-static DWORD    dwNumFiles, dwReadEvery, dwFileToRead;
-static PRBool   usedWindowsPRNG;
 
 static BOOL
 CurrentClockTickTime(LPDWORD lpdwHigh, LPDWORD lpdwLow)
@@ -84,168 +70,6 @@ size_t RNG_GetNoise(void *buf, size_t maxbuf)
     return n;
 }
 
-typedef PRInt32 (* Handler)(const PRUnichar *);
-#define MAX_DEPTH 2
-#define MAX_FOLDERS 4
-#define MAX_FILES 1024
-
-static void
-EnumSystemFilesInFolder(Handler func, PRUnichar* szSysDir, int maxDepth) 
-{
-    int                 iContinue;
-    unsigned int        uFolders  = 0;
-    unsigned int        uFiles    = 0;
-    HANDLE              lFindHandle;
-    WIN32_FIND_DATAW    fdData;
-    PRUnichar           szFileName[_MAX_PATH];
-
-    if (maxDepth < 0)
-    	return;
-    // append *.* so we actually look for files.
-    _snwprintf(szFileName, _MAX_PATH, L"%s\\*.*", szSysDir);
-    szFileName[_MAX_PATH - 1] = L'\0';
-
-    lFindHandle = FindFirstFileW(szFileName, &fdData);
-    if (lFindHandle == INVALID_HANDLE_VALUE)
-        return;
-    do {
-	iContinue = 1;
-	if (wcscmp(fdData.cFileName, L".") == 0 ||
-            wcscmp(fdData.cFileName, L"..") == 0) {
-	    // skip "." and ".."
-	} else {
-	    // pass the full pathname to the callback
-	    _snwprintf(szFileName, _MAX_PATH, L"%s\\%s", szSysDir, 
-		       fdData.cFileName);
-	    szFileName[_MAX_PATH - 1] = L'\0';
-	    if (fdData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
-		if (++uFolders <= MAX_FOLDERS)
-		    EnumSystemFilesInFolder(func, szFileName, maxDepth - 1);
-	    } else {
-		iContinue = (++uFiles <= MAX_FILES) && !(*func)(szFileName);
-	    }
-	}
-	if (iContinue)
-	    iContinue = FindNextFileW(lFindHandle, &fdData);
-    } while (iContinue);
-    FindClose(lFindHandle);
-}
-
-static BOOL
-EnumSystemFiles(Handler func)
-{
-    PRUnichar szSysDir[_MAX_PATH];
-    static const int folders[] = {
-    	CSIDL_BITBUCKET,  
-	CSIDL_RECENT,
-	CSIDL_INTERNET_CACHE, 
-	CSIDL_HISTORY,
-	0
-    };
-    int i = 0;
-    if (_MAX_PATH > (i = GetTempPathW(_MAX_PATH, szSysDir))) {
-        if (i > 0 && szSysDir[i-1] == L'\\')
-	    szSysDir[i-1] = L'\0'; // we need to lop off the trailing slash
-        EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
-    }
-    for(i = 0; folders[i]; i++) {
-        DWORD rv = SHGetSpecialFolderPathW(NULL, szSysDir, folders[i], 0);
-        if (szSysDir[0])
-            EnumSystemFilesInFolder(func, szSysDir, MAX_DEPTH);
-        szSysDir[0] =  L'\0';
-    }
-    return PR_TRUE;
-}
-
-static PRInt32
-CountFiles(const PRUnichar *file)
-{
-    dwNumFiles++;
-    return 0;
-}
-
-static int
-ReadSingleFile(const char *filename)
-{
-    PRFileDesc *    file;
-    unsigned char   buffer[1024];
-
-    file = PR_Open(filename, PR_RDONLY, 0);
-    if (file != NULL) {
-	while (PR_Read(file, buffer, sizeof buffer) > 0)
-	    ;
-        PR_Close(file);
-    }
-    return (file != NULL);
-}
-
-static PRInt32
-ReadOneFile(const PRUnichar *szFileName)
-{
-    char narrowFileName[_MAX_PATH];
-
-    if (dwNumFiles == dwFileToRead) {
-	int success = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
-					  narrowFileName, _MAX_PATH, 
-					  NULL, NULL);
-	if (success)
-	    success = ReadSingleFile(narrowFileName);
-    	if (!success)
-	    dwFileToRead++; /* couldn't read this one, read the next one. */
-    }
-    dwNumFiles++;
-    return dwNumFiles > dwFileToRead;
-}
-
-static PRInt32
-ReadFiles(const PRUnichar *szFileName)
-{
-    char narrowFileName[_MAX_PATH];
-
-    if ((dwNumFiles % dwReadEvery) == 0) {
-	++filesToRead;
-    }
-    if (filesToRead) {
-	DWORD prevFileBytes = totalFileBytes;
-	int   iContinue     = WideCharToMultiByte(CP_ACP, 0, szFileName, -1, 
-						  narrowFileName, _MAX_PATH, 
-						  NULL, NULL);
-	if (iContinue) {
-	    RNG_FileForRNG(narrowFileName);
-	}
-	if (prevFileBytes < totalFileBytes) {
-	    --filesToRead;
-	}
-    }
-    dwNumFiles++;
-    return (totalFileBytes >= maxFileBytes);
-}
-
-static void
-ReadSystemFiles(void)
-{
-    // first count the number of files
-    dwNumFiles = 0;
-    if (!EnumSystemFiles(CountFiles))
-        return;
-
-    RNG_RandomUpdate(&dwNumFiles, sizeof(dwNumFiles));
-
-    // now read the first 10 readable files, then 10 or 11 files
-    // spread throughout the system directory
-    filesToRead = 10;
-    if (dwNumFiles == 0)
-        return;
-
-    dwReadEvery = dwNumFiles / 10;
-    if (dwReadEvery == 0)
-        dwReadEvery = 1;  // less than 10 files
-
-    dwNumFiles = 0;
-    totalFileBytes = 0;
-    EnumSystemFiles(ReadFiles);
-}
-
 void RNG_SystemInfoForRNG(void)
 {
     DWORD           dwVal;
@@ -308,91 +132,28 @@ void RNG_SystemInfoForRNG(void)
         RNG_RandomUpdate(&dwNumClusters,  sizeof(dwNumClusters));
     }
 
-    // Skip the potentially slow file scanning if the OS's PRNG worked.
-    if (!usedWindowsPRNG)
-	ReadSystemFiles();
-
-    nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
-    RNG_RandomUpdate(buffer, nBytes);
-}
-
-static void rng_systemJitter(void)
-{   
-    dwNumFiles = 0;
-    EnumSystemFiles(ReadOneFile);
-    dwFileToRead++;
-    if (dwFileToRead >= dwNumFiles) {
-	dwFileToRead = 0;
-    }
-}
-
-
-void RNG_FileForRNG(const char *filename)
-{
-    FILE*           file;
-    int             nBytes;
-    struct stat     stat_buf;
-    unsigned char   buffer[1024];
-
-    /* windows doesn't initialize all the bytes in the stat buf,
-     * so initialize them all here to avoid UMRs.
-     */
-    memset(&stat_buf, 0, sizeof stat_buf);
-
-    if (stat((char *)filename, &stat_buf) < 0)
-        return;
-
-    RNG_RandomUpdate((unsigned char*)&stat_buf, sizeof(stat_buf));
-
-    file = fopen((char *)filename, "r");
-    if (file != NULL) {
-        for (;;) {
-            size_t  bytes = fread(buffer, 1, sizeof(buffer), file);
-
-            if (bytes == 0)
-                break;
-
-            RNG_RandomUpdate(buffer, bytes);
-            totalFileBytes += bytes;
-            if (totalFileBytes > maxFileBytes)
-                break;
-        }
-
-        fclose(file);
-    }
-
     nBytes = RNG_GetNoise(buffer, 20);  // get up to 20 bytes
     RNG_RandomUpdate(buffer, nBytes);
 }
 
 
 /*
- * Windows XP and Windows Server 2003 and later have RtlGenRandom,
- * which must be looked up by the name SystemFunction036.
+ * The RtlGenRandom function is declared in <ntsecapi.h>, but the
+ * declaration is missing a calling convention specifier. So we
+ * declare it manually here.
  */
-typedef BOOLEAN
-(APIENTRY *RtlGenRandomFn)(
+#define RtlGenRandom SystemFunction036
+DECLSPEC_IMPORT BOOLEAN WINAPI RtlGenRandom(
     PVOID RandomBuffer,
     ULONG RandomBufferLength);
 
 size_t RNG_SystemRNG(void *dest, size_t maxLen)
 {
-    HMODULE hModule;
-    RtlGenRandomFn pRtlGenRandom;
     size_t bytes = 0;
 
-    usedWindowsPRNG = PR_FALSE;
-    hModule = LoadLibrary("advapi32.dll");
-    if (hModule == NULL) {
-	return bytes;
-    }
-    pRtlGenRandom = (RtlGenRandomFn)
-	GetProcAddress(hModule, "SystemFunction036");
-    if (pRtlGenRandom && pRtlGenRandom(dest, maxLen)) {
+    if (RtlGenRandom(dest, maxLen)) {
 	bytes = maxLen;
-	usedWindowsPRNG = PR_TRUE;
     }
-    FreeLibrary(hModule);
     return bytes;
 }
 #endif  /* is XP_WIN */

security/nss/lib/libpkix/include/pkix_errorstrings.h

@@ -576,7 +576,9 @@ PKIX_ERRORENTRY(INFOACCESSCREATELISTFAILED,pkix_pl_InfoAccess_CreateList failed,
 PKIX_ERRORENTRY(INFOACCESSGETLOCATIONFAILED,PKIX_PL_InfoAccess_GetLocation failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETLOCATIONTYPEFAILED,PKIX_PL_InfoAccess_GetLocationType failed,0),
 PKIX_ERRORENTRY(INFOACCESSGETMETHODFAILED,PKIX_PL_InfoAccess_GetMethod failed,0),
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_ERRORENTRY(INFOACCESSPARSELOCATIONFAILED,pkix_pl_InfoAccess_ParseLocation failed,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
+#endif
 PKIX_ERRORENTRY(INFOACCESSPARSETOKENSFAILED,pkix_pl_InfoAccess_ParseTokens failed,SEC_ERROR_BAD_INFO_ACCESS_LOCATION),
 PKIX_ERRORENTRY(INITIALIZECHECKERSFAILED,pkix_InitializeCheckers failed,0),
 PKIX_ERRORENTRY(INITIALIZEFAILED,PKIX_PL_Initialize failed,0),

security/nss/lib/libpkix/include/pkix_pl_pki.h

@@ -1269,6 +1269,9 @@ PKIX_PL_Cert_AreCertPoliciesCritical(
  *      Must be non-NULL.
  *  "nameConstraints"
  *      Address of CertNameConstraints that need to be satisfied.
+ *  "treatCommonNameAsDNSName"
+ *      PKIX_TRUE if the subject common name should be considered a dNSName
+ *      when evaluating name constraints.
  *  "plContext"
  *      Platform-specific context pointer.
  * THREAD SAFETY:
@@ -1282,6 +1285,7 @@ PKIX_Error *
 PKIX_PL_Cert_CheckNameConstraints(
         PKIX_PL_Cert *cert,
         PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean treatCommonNameAsDNSName,
         void *plContext);
 
 /*
@@ -1827,7 +1831,9 @@ PKIX_PL_Cert_GetCrlDp(PKIX_PL_Cert *cert,
 
 #define PKIX_INFOACCESS_LOCATION_UNKNOWN 0
 #define PKIX_INFOACCESS_LOCATION_HTTP    1
+#ifndef NSS_PKIX_NO_LDAP
 #define PKIX_INFOACCESS_LOCATION_LDAP    2
+#endif
 
 /*
  * FUNCTION: PKIX_PL_InfoAccess_GetMethod

security/nss/lib/libpkix/include/pkix_sample_modules.h

@@ -117,6 +117,7 @@ PKIX_PL_Pk11CertStore_Create(
         PKIX_CertStore **pPk11CertStore,
         void *plContext);
 
+#ifndef NSS_PKIX_NO_LDAP
 /* PKIX_PL_LdapCertStore
  *
  * A PKIX_PL_LdapCertStore retrieves certificates and CRLs from an LDAP server
@@ -249,6 +250,7 @@ PKIX_PL_LdapCertStore_Create(
         PKIX_PL_LdapClient *client,
         PKIX_CertStore **pCertStore,
         void *plContext);
+#endif /* !NSS_PKIX_NO_LDAP */
 
 /* PKIX_PL_NssContext
  *

security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c

@@ -425,9 +425,13 @@ pkix_CertSelector_Match_NameConstraints(
                 PKIX_COMCERTSELPARAMSGETNAMECONSTRAINTSFAILED);
 
         if (nameConstraints != NULL) {
-
+                /* As only the end-entity certificate should have
+                 * the common name constrained as if it was a dNSName,
+                 * do not constrain the common name when building a
+                 * forward path.
+                 */
                 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
-                    (cert, nameConstraints, plContext),
+                    (cert, nameConstraints, PKIX_FALSE, plContext),
                     PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
         }
 

security/nss/lib/libpkix/pkix/checker/pkix_nameconstraintschecker.c

@@ -167,6 +167,7 @@ pkix_NameConstraintsChecker_Check(
         PKIX_PL_CertNameConstraints *nameConstraints = NULL;
         PKIX_PL_CertNameConstraints *mergedNameConstraints = NULL;
         PKIX_Boolean selfIssued = PKIX_FALSE;
+        PKIX_Boolean lastCert = PKIX_FALSE;
 
         PKIX_ENTER(CERTCHAINCHECKER, "pkix_NameConstraintsChecker_Check");
         PKIX_NULLCHECK_THREE(checker, cert, pNBIOContext);
@@ -178,6 +179,7 @@ pkix_NameConstraintsChecker_Check(
                     PKIX_CERTCHAINCHECKERGETCERTCHAINCHECKERSTATEFAILED);
 
         state->certsRemaining--;
+        lastCert = state->certsRemaining == 0;
 
         /* Get status of self issued */
         PKIX_CHECK(pkix_IsCertSelfIssued(cert, &selfIssued, plContext),
@@ -185,13 +187,14 @@ pkix_NameConstraintsChecker_Check(
 
         /* Check on non self-issued and if so only for last cert */
         if (selfIssued == PKIX_FALSE ||
-            (selfIssued == PKIX_TRUE && state->certsRemaining == 0)) {
+            (selfIssued == PKIX_TRUE && lastCert)) {
                 PKIX_CHECK(PKIX_PL_Cert_CheckNameConstraints
-                    (cert, state->nameConstraints, plContext),
+                    (cert, state->nameConstraints, lastCert,
+                      plContext),
                     PKIX_CERTCHECKNAMECONSTRAINTSFAILED);
         }
 
-        if (state->certsRemaining != 0) {
+        if (!lastCert) {
 
             PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
                     (cert, &nameConstraints, plContext),

security/nss/lib/libpkix/pkix/params/pkix_trustanchor.c

@@ -369,7 +369,11 @@ PKIX_TrustAnchor_CreateWithCert(
 
         anchor->caName = NULL;
         anchor->caPubKey = NULL;
-        anchor->nameConstraints = NULL;
+
+        PKIX_CHECK(PKIX_PL_Cert_GetNameConstraints
+                    (anchor->trustedCert, &anchor->nameConstraints, plContext),
+                    PKIX_CERTGETNAMECONSTRAINTSFAILED);
+
 
         *pAnchor = anchor;
         anchor = NULL;

security/nss/lib/libpkix/pkix/top/pkix_build.h

@@ -11,7 +11,9 @@
 #ifndef _PKIX_BUILD_H
 #define _PKIX_BUILD_H
 #include "pkix_tools.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapt.h"
+#endif
 #include "pkix_ekuchecker.h"
 
 #ifdef __cplusplus

security/nss/lib/libpkix/pkix_pl_nss/module/config.mk

@@ -13,3 +13,23 @@ SHARED_LIBRARY =
 IMPORT_LIBRARY =
 PROGRAM        =
 
+ifdef NSS_PKIX_NO_LDAP
+LDAP_HEADERS =
+LDAP_CSRCS =
+else
+LDAP_HEADERS = \
+	pkix_pl_ldapt.h \
+	pkix_pl_ldapcertstore.h \
+	pkix_pl_ldapresponse.h \
+	pkix_pl_ldaprequest.h \
+	pkix_pl_ldapdefaultclient.h \
+ 	$(NULL)
+ 
+LDAP_CSRCS = \
+	pkix_pl_ldaptemplates.c \
+	pkix_pl_ldapcertstore.c \
+	pkix_pl_ldapresponse.c \
+	pkix_pl_ldaprequest.c \
+	pkix_pl_ldapdefaultclient.c \
+ 	$(NULL)
+endif

security/nss/lib/libpkix/pkix_pl_nss/module/manifest.mn

@@ -12,11 +12,7 @@ PRIVATE_EXPORTS = \
 	pkix_pl_colcertstore.h \
 	pkix_pl_httpcertstore.h \
 	pkix_pl_httpdefaultclient.h \
-	pkix_pl_ldapt.h \
-	pkix_pl_ldapcertstore.h \
-	pkix_pl_ldapresponse.h \
-	pkix_pl_ldaprequest.h \
-	pkix_pl_ldapdefaultclient.h \
+	$(LDAP_HEADERS) \
 	pkix_pl_nsscontext.h \
 	pkix_pl_pk11certstore.h \
 	pkix_pl_socket.h \
@@ -32,11 +28,7 @@ CSRCS = \
 	pkix_pl_colcertstore.c \
 	pkix_pl_httpcertstore.c \
 	pkix_pl_httpdefaultclient.c \
-	pkix_pl_ldaptemplates.c \
-	pkix_pl_ldapcertstore.c \
-	pkix_pl_ldapresponse.c \
-	pkix_pl_ldaprequest.c \
-	pkix_pl_ldapdefaultclient.c \
+	$(LDAP_CSRCS) \
 	pkix_pl_nsscontext.c \
 	pkix_pl_pk11certstore.c \
 	pkix_pl_socket.c \

security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c

@@ -11,6 +11,7 @@
 #include "pkix_pl_aiamgr.h"
 extern PKIX_PL_HashTable *aiaConnectionCache;
 
+#ifndef NSS_PKIX_NO_LDAP
 /* --Virtual-LdapClient-Functions------------------------------------ */
 
 PKIX_Error *
@@ -51,6 +52,7 @@ cleanup:
         PKIX_RETURN(LDAPCLIENT);
 
 }
+#endif /* !NSS_PKIX_NO_LDAP */
 
 /* --Private-AIAMgr-Functions----------------------------------*/
 
@@ -81,7 +83,9 @@ pkix_pl_AIAMgr_Destroy(
         PKIX_DECREF(aiaMgr->aia);
         PKIX_DECREF(aiaMgr->location);
         PKIX_DECREF(aiaMgr->results);
+#ifndef NSS_PKIX_NO_LDAP
         PKIX_DECREF(aiaMgr->client.ldapClient);
+#endif
 
 cleanup:
 
@@ -114,6 +118,7 @@ pkix_pl_AIAMgr_RegisterSelf(void *plContext)
         PKIX_RETURN(AIAMGR);
 }
 
+#ifndef NSS_PKIX_NO_LDAP
 /*
  * FUNCTION: pkix_pl_AiaMgr_FindLDAPClient
  * DESCRIPTION:
@@ -212,6 +217,7 @@ cleanup:
 
         PKIX_RETURN(AIAMGR);
 }
+#endif /* !NSS_PKIX_NO_LDAP */
 
 PKIX_Error *
 pkix_pl_AIAMgr_GetHTTPCerts(
@@ -388,6 +394,7 @@ cleanup:
         PKIX_RETURN(AIAMGR);
 }
 
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_Error *
 pkix_pl_AIAMgr_GetLDAPCerts(
         PKIX_PL_AIAMgr *aiaMgr,
@@ -496,6 +503,7 @@ cleanup:
 
         PKIX_RETURN(AIAMGR);
 }
+#endif /* !NSS_PKIX_NO_LDAP */
 
 /*
  * FUNCTION: PKIX_PL_AIAMgr_Create
@@ -632,10 +640,12 @@ PKIX_PL_AIAMgr_GetAIACerts(
 			PKIX_CHECK(pkix_pl_AIAMgr_GetHTTPCerts
 				(aiaMgr, ia, &nbio, &certs, plContext),
 				PKIX_AIAMGRGETHTTPCERTSFAILED);
+#ifndef NSS_PKIX_NO_LDAP
                 } else if (iaType == PKIX_INFOACCESS_LOCATION_LDAP) {
 			PKIX_CHECK(pkix_pl_AIAMgr_GetLDAPCerts
 				(aiaMgr, ia, &nbio, &certs, plContext),
 				PKIX_AIAMGRGETLDAPCERTSFAILED);
+#endif
                 } else {
                         /* We only support http and ldap requests. */
                         PKIX_DECREF(ia);
@@ -677,7 +687,9 @@ cleanup:
         if (PKIX_ERROR_RECEIVED) {
                 PKIX_DECREF(aiaMgr->aia);
                 PKIX_DECREF(aiaMgr->results);
+#ifndef NSS_PKIX_NO_LDAP
                 PKIX_DECREF(aiaMgr->client.ldapClient);
+#endif
         }
 
         PKIX_DECREF(certs);

security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.h

@@ -27,7 +27,9 @@ struct PKIX_PL_AIAMgrStruct {
         PKIX_PL_GeneralName *location;
         PKIX_List *results;
 	union {
+#ifndef NSS_PKIX_NO_LDAP
 	        PKIX_PL_LdapClient *ldapClient;
+#endif
 		struct {
 		        const SEC_HttpClientFcn *httpClient;
 			SEC_HTTP_SERVER_SESSION serverSession;
@@ -41,6 +43,7 @@ struct PKIX_PL_AIAMgrStruct {
 
 PKIX_Error *pkix_pl_AIAMgr_RegisterSelf(void *plContext);
 
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_Error *PKIX_PL_LdapClient_InitiateRequest(
         PKIX_PL_LdapClient *client,
         LDAPRequestParams *requestParams,
@@ -53,6 +56,7 @@ PKIX_Error *PKIX_PL_LdapClient_ResumeRequest(
         void **pPollDesc,
         PKIX_List **pResponse,
         void *plContext);
+#endif /* !NSS_PKIX_NO_LDAP */
 
 #ifdef __cplusplus
 }

security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c

@@ -3135,6 +3135,7 @@ PKIX_Error *
 PKIX_PL_Cert_CheckNameConstraints(
         PKIX_PL_Cert *cert,
         PKIX_PL_CertNameConstraints *nameConstraints,
+        PKIX_Boolean treatCommonNameAsDNSName,
         void *plContext)
 {
         PKIX_Boolean checkPass = PKIX_TRUE;
@@ -3151,11 +3152,14 @@ PKIX_PL_Cert_CheckNameConstraints(
                         PKIX_ERROR(PKIX_OUTOFMEMORY);
                 }
 
-                /* This NSS call returns both Subject and  Subject Alt Names */
+                /* This NSS call returns Subject Alt Names. If
+                 * treatCommonNameAsDNSName is true, it also returns the
+                 * Subject Common Name
+                 */
                 PKIX_CERT_DEBUG
                     ("\t\tCalling CERT_GetConstrainedCertificateNames\n");
                 nssSubjectNames = CERT_GetConstrainedCertificateNames
-                        (cert->nssCert, arena, PR_TRUE);
+                        (cert->nssCert, arena, treatCommonNameAsDNSName);
 
                 PKIX_CHECK(pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
                         (nssSubjectNames,

security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c

@@ -481,9 +481,11 @@ PKIX_PL_InfoAccess_GetLocationType(
                     PKIX_STRINGGETENCODEDFAILED);
 
                 PKIX_OID_DEBUG("\tCalling PORT_Strcmp).\n");
+#ifndef NSS_PKIX_NO_LDAP
                 if (PORT_Strncmp(location, "ldap:", 5) == 0){
                         type = PKIX_INFOACCESS_LOCATION_LDAP;
                 } else
+#endif
                 if (PORT_Strncmp(location, "http:", 5) == 0){
                         type = PKIX_INFOACCESS_LOCATION_HTTP;
                 }
@@ -499,6 +501,7 @@ cleanup:
         PKIX_RETURN(INFOACCESS);
 }
 
+#ifndef NSS_PKIX_NO_LDAP
 /*
  * FUNCTION: pkix_pl_InfoAccess_ParseTokens
  * DESCRIPTION:
@@ -868,3 +871,4 @@ cleanup:
 
         PKIX_RETURN(INFOACCESS);
 }
+#endif /* !NSS_PKIX_NO_LDAP */

security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.h

@@ -32,6 +32,7 @@ pkix_pl_InfoAccess_CreateList(
         PKIX_List **pAiaList, /* of PKIX_PL_InfoAccess */
         void *plContext);
 
+#ifndef NSS_PKIX_NO_LDAP
 PKIX_Error *
 pkix_pl_InfoAccess_ParseLocation(
         PKIX_PL_GeneralName *generalName,
@@ -39,6 +40,7 @@ pkix_pl_InfoAccess_ParseLocation(
         LDAPRequestParams *request,
         char **pDomainName,
         void *plContext);
+#endif /* !NSS_PKIX_NO_LDAP */
 
 #ifdef __cplusplus
 }

security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_common.h

@@ -38,7 +38,9 @@
 /* private PKIX_PL_NSS system headers */
 #include "pkix_pl_object.h"
 #include "pkix_pl_string.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapt.h"
+#endif /* !NSS_PKIX_NO_LDAP */
 #include "pkix_pl_aiamgr.h"
 #include "pkix_pl_bigint.h"
 #include "pkix_pl_oid.h"
@@ -62,9 +64,11 @@
 #include "pkix_pl_ocspresponse.h"
 #include "pkix_pl_pk11certstore.h"
 #include "pkix_pl_socket.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapcertstore.h"
 #include "pkix_pl_ldaprequest.h"
 #include "pkix_pl_ldapresponse.h"
+#endif /* !NSS_PKIX_NO_LDAP */
 #include "pkix_pl_nsscontext.h"
 #include "pkix_pl_httpcertstore.h"
 #include "pkix_pl_httpdefaultclient.h"

security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c

@@ -204,9 +204,11 @@ PKIX_PL_Initialize(
         pkix_ForwardBuilderState_RegisterSelf(plContext);
         pkix_SignatureCheckerState_RegisterSelf(plContext);
         pkix_NameConstraintsCheckerState_RegisterSelf(plContext);
+#ifndef NSS_PKIX_NO_LDAP
         pkix_pl_LdapRequest_RegisterSelf(plContext);
         pkix_pl_LdapResponse_RegisterSelf(plContext);
         pkix_pl_LdapDefaultClient_RegisterSelf(plContext);
+#endif
         pkix_pl_Socket_RegisterSelf(plContext);
 
         pkix_ResourceLimits_RegisterSelf(plContext); /* 51-59 */

security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.h

@@ -33,10 +33,12 @@
 #include "pkix_pl_crlentry.h"
 #include "pkix_pl_crl.h"
 #include "pkix_pl_colcertstore.h"
+#ifndef NSS_PKIX_NO_LDAP
 #include "pkix_pl_ldapcertstore.h"
 #include "pkix_pl_ldapdefaultclient.h"
 #include "pkix_pl_ldaprequest.h"
 #include "pkix_pl_ldapresponse.h"
+#endif /* !NSS_PKIX_NO_LDAP */
 #include "pkix_pl_socket.h"
 #include "pkix_pl_infoaccess.h"
 #include "pkix_store.h"

security/nss/lib/nss/nss.h

@@ -33,10 +33,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.15.5" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION  "3.16" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR   3
-#define NSS_VMINOR   15
-#define NSS_VPATCH   5
+#define NSS_VMINOR   16
+#define NSS_VPATCH   0
 #define NSS_VBUILD   0
 #define NSS_BETA     PR_TRUE
 

security/nss/lib/softoken/sdb.c

@@ -2012,7 +2012,17 @@ s_open(const char *directory, const char *certPrefix, const char *keyPrefix,
 
     /* how long does it take to test for a non-existant file in our working
      * directory? Allows us to test if we may be on a network file system */
-    accessOps = sdb_measureAccess(directory);
+    accessOps = 1;
+    {
+        char *env;
+        env = PR_GetEnv("NSS_SDB_USE_CACHE");
+        /* If the environment variable is set to yes or no, sdb_init() will
+         * ignore the value of accessOps, and we can skip the measuring.*/
+        if (!env || ((PORT_Strcasecmp(env, "no") != 0) &&
+                     (PORT_Strcasecmp(env, "yes") != 0))){
+           accessOps = sdb_measureAccess(directory);
+        }
+    }
 
     /*
      * open the cert data base

security/nss/lib/softoken/softkver.h

@@ -25,10 +25,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.15.5" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION  "3.16" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR   3
-#define SOFTOKEN_VMINOR   15
-#define SOFTOKEN_VPATCH   5
+#define SOFTOKEN_VMINOR   16
+#define SOFTOKEN_VPATCH   0
 #define SOFTOKEN_VBUILD   0
 #define SOFTOKEN_BETA     PR_TRUE
 

security/nss/lib/ssl/sslsock.c

@@ -1348,10 +1348,13 @@ ssl_ImportFD(PRFileDesc *model, PRFileDesc *fd, SSLProtocolVariant variant)
 	SET_ERROR_CODE
 	return NULL;
     }
-    ns = ssl_FindSocket(fd);
-    PORT_Assert(ns);
-    if (ns)
-	ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
+#if defined(DEBUG) || defined(FORCE_PR_ASSERT)
+    {
+	sslSocket * ss = ssl_FindSocket(fd);
+	PORT_Assert(ss == ns);
+    }
+#endif
+    ns->TCPconnected = (PR_SUCCESS == ssl_DefGetpeername(ns, &addr));
     return fd;
 }
 

security/nss/lib/util/nssutil.h

@@ -19,10 +19,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.15.5 Beta"
+#define NSSUTIL_VERSION  "3.16 Beta"
 #define NSSUTIL_VMAJOR   3
-#define NSSUTIL_VMINOR   15
-#define NSSUTIL_VPATCH   5
+#define NSSUTIL_VMINOR   16
+#define NSSUTIL_VPATCH   0
 #define NSSUTIL_VBUILD   0
 #define NSSUTIL_BETA     PR_TRUE
 

security/nss/tests/chains/scenarios/nameconstraints.cfg

@@ -7,16 +7,147 @@ scenario TrustAnchors
 db trustanchors
 
 import NameConstraints.ca:x:CT,C,C
+import NameConstraints.ncca:x:CT,C,C
+# Name Constrained CA:  Name constrained to permited DNSName ".example"
 
+# Intermediate 1: Name constrained to permited DNSName ".example"
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
 verify NameConstraints.server1:x
   cert NameConstraints.intermediate:x
   result fail
 
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+#   Fail: CN not in name constraints
 verify NameConstraints.server2:x
   cert NameConstraints.intermediate:x
   result fail
 
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
 verify NameConstraints.server3:x
   cert NameConstraints.intermediate:x
   result pass
 
+# Intermediate 2: No name constraints, signed by Intermediate 1 (inherits name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.invalid"
+# altDNS: test.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server4:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test.invalid", no SAN
+#   Fail: CN not in name constraints
+verify NameConstraints.server5:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test.example"
+# altDNS: test.example
+verify NameConstraints.server6:x
+  cert NameConstraints.intermediate2:x
+  cert NameConstraints.intermediate:x
+  result pass
+
+# Intermediate 3: Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=NSS Intermediate CA3"
+#                 Name constrained to a permitted DirectoryName of "C=US, ST=CA, O=Foo"
+#                 and a permitted DNSName of "foo.example"
+
+# Intermediate 4: Subject: "C=US, ST=CA, O=Foo, CN=NSS Intermediate CA 2"
+#                 No name constraints present
+#                 Signed by Intermediate 3 (inherits name constraints)
+
+# Subject: "C=US, ST=CA, O=Foo, OU=bar, CN=bat.foo.example", no SAN
+verify NameConstraints.server7:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bat.foo.example", no SAN
+verify NameConstraints.server8:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, O=Foo, CN=bat.foo.example", no SAN
+#  Fail: ST is missing in the DirectoryName, thus not matching name constraints
+verify NameConstraints.server9:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=bar.example"
+#  Fail: CN not in name constraints
+verify NameConstraints.server10:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=site.example"
+# altDNS:foo.example
+#   Pass: Ignores CN constraint name violation because SAN is present
+verify NameConstraints.server11:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result pass
+
+# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed"
+#   Fail: CN does not match DNS name constraints - even though is not 'DNS shaped'
+verify NameConstraints.server12:x
+  cert NameConstraints.intermediate4:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Intermediate 5: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA 2"
+#                 No name constraints present
+#                 Signed by Intermediate 3.
+#                 Intermediate 5's subject is not in Intermediate 3's permitted
+#                 names, so all certs issued by it are invalid.
+
+# Subject: "C=US, ST=CA, O=OtherOrg, CN=bat.foo.example"
+#   Fail: Org matches Intermediate 5's name constraints, but does not match
+#         Intermediate 3' name constraints
+verify NameConstraints.server13:x
+  cert NameConstraints.intermediate5:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Subject: "C=US, ST=CA, O=Foo, CN=another.foo.example"
+#  Fail: Matches Intermediate 5's name constraints, but fails because
+#        Intermediate 5 does not match Intermediate 3's name constraints
+verify NameConstraints.server14:x
+  cert NameConstraints.intermediate5:x
+  cert NameConstraints.intermediate3:x
+  result fail
+
+# Intermediate 6: Subject: "C=US, ST=CA, O=OtherOrg, CN=NSS Intermediate CA6"
+#                 No name constraints present
+#                 Signed by Named Constrained CA (inherits root name constraints)
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=testfoo.invalid"
+# altDNS: testfoo.invalid
+#   Fail: CN not in name constraints, altDNS not in name constraints
+verify NameConstraints.server15:x
+  cert NameConstraints.intermediate6:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=another_test3.invalid", no SAN
+#   Fail: CN not in name constraints
+verify NameConstraints.server16:x
+  cert NameConstraints.intermediate6:x
+  result fail
+
+# Subject: "C=US, ST=California, L=Mountain View, O=BOGUS NSS, CN=test4.example"
+# altDNS: test4.example
+verify NameConstraints.server17:x
+  cert NameConstraints.intermediate6:x
+  result pass
+
+
+