Merge m-c to fx-team. a=merge
authorRyan VanderMeulen <ryanvm@gmail.com>
Mon, 17 Nov 2014 16:30:19 -0500
changeset 240422 cc48ff0ed5092319d1953dc15fc595c7ea0cbbbf
parent 240421 1cdf743b10cb2ca5438acbb04e5667a8555a8ca3 (current diff)
parent 240383 2d0a51ef828dc93013ae7a70bd8af8d9c2518f57 (diff)
child 240423 872f2f8a6c0d9517fab6cfd3dae2f44a49cfea4e
push id4311
push userraliiev@mozilla.com
push dateMon, 12 Jan 2015 19:37:41 +0000
treeherdermozilla-beta@150c9fed433b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmerge
milestone36.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Merge m-c to fx-team. a=merge
gfx/ots/ots-brotli-path.patch
--- a/b2g/config/dolphin/sources.xml
+++ b/b2g/config/dolphin/sources.xml
@@ -10,17 +10,17 @@
   <!--original fetch url was git://codeaurora.org/-->
   <remote fetch="https://git.mozilla.org/external/caf" name="caf"/>
   <!--original fetch url was https://git.mozilla.org/releases-->
   <remote fetch="https://git.mozilla.org/releases" name="mozillaorg"/>
   <!-- B2G specific things. -->
   <project name="platform_build" path="build" remote="b2g" revision="3ab0d9c70f0b2e1ededc679112c392303f037361">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
-  <project name="gaia" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="fake-libdvm" path="dalvik" remote="b2g" revision="d50ae982b19f42f0b66d08b9eb306be81687869f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="891e5069c0ad330d8191bf8c7b879c814258c89f"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="valgrind" path="external/valgrind" remote="b2g" revision="daa61633c32b9606f58799a3186395fd2bbb8d8c"/>
   <project name="vex" path="external/VEX" remote="b2g" revision="47f031c320888fe9f3e656602588565b52d43010"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
--- a/b2g/config/emulator-ics/sources.xml
+++ b/b2g/config/emulator-ics/sources.xml
@@ -14,17 +14,17 @@
   <!--original fetch url was git://github.com/apitrace/-->
   <remote fetch="https://git.mozilla.org/external/apitrace" name="apitrace"/>
   <default remote="caf" revision="refs/tags/android-4.0.4_r2.1" sync-j="4"/>
   <!-- Gonk specific things and forks -->
   <project name="platform_build" path="build" remote="b2g" revision="df362ace56338da8173d30d3e09e08c42c1accfa">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="platform_hardware_ril" path="hardware/ril" remote="b2g" revision="cd88d860656c31c7da7bb310d6a160d0011b0961"/>
   <project name="platform_external_qemu" path="external/qemu" remote="b2g" revision="67f2907bc340bad250b4ea6ce2902b52896c9ef0"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
   <!-- Stock Android things -->
   <project name="platform/abi/cpp" path="abi/cpp" revision="dd924f92906085b831bf1cbbc7484d3c043d613c"/>
--- a/b2g/config/emulator-jb/sources.xml
+++ b/b2g/config/emulator-jb/sources.xml
@@ -12,17 +12,17 @@
   <!--original fetch url was https://git.mozilla.org/releases-->
   <remote fetch="https://git.mozilla.org/releases" name="mozillaorg"/>
   <!-- B2G specific things. -->
   <project name="platform_build" path="build" remote="b2g" revision="0e94c080bee081a50aa2097527b0b40852f9143f">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="fake-libdvm" path="dalvik" remote="b2g" revision="d50ae982b19f42f0b66d08b9eb306be81687869f"/>
-  <project name="gaia" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
   <project name="valgrind" path="external/valgrind" remote="b2g" revision="daa61633c32b9606f58799a3186395fd2bbb8d8c"/>
   <project name="vex" path="external/VEX" remote="b2g" revision="47f031c320888fe9f3e656602588565b52d43010"/>
   <!-- Stock Android things -->
   <project groups="linux" name="platform/prebuilts/clang/linux-x86/3.1" path="prebuilts/clang/linux-x86/3.1" revision="5c45f43419d5582949284eee9cef0c43d866e03b"/>
   <project groups="linux" name="platform/prebuilts/clang/linux-x86/3.2" path="prebuilts/clang/linux-x86/3.2" revision="3748b4168e7bd8d46457d4b6786003bc6a5223ce"/>
--- a/b2g/config/emulator-kk/sources.xml
+++ b/b2g/config/emulator-kk/sources.xml
@@ -10,17 +10,17 @@
   <!--original fetch url was git://codeaurora.org/-->
   <remote fetch="https://git.mozilla.org/external/caf" name="caf"/>
   <!--original fetch url was https://git.mozilla.org/releases-->
   <remote fetch="https://git.mozilla.org/releases" name="mozillaorg"/>
   <!-- B2G specific things. -->
   <project name="platform_build" path="build" remote="b2g" revision="3ab0d9c70f0b2e1ededc679112c392303f037361">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
-  <project name="gaia" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="fake-libdvm" path="dalvik" remote="b2g" revision="d50ae982b19f42f0b66d08b9eb306be81687869f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="891e5069c0ad330d8191bf8c7b879c814258c89f"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="valgrind" path="external/valgrind" remote="b2g" revision="daa61633c32b9606f58799a3186395fd2bbb8d8c"/>
   <project name="vex" path="external/VEX" remote="b2g" revision="47f031c320888fe9f3e656602588565b52d43010"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
--- a/b2g/config/emulator/sources.xml
+++ b/b2g/config/emulator/sources.xml
@@ -14,17 +14,17 @@
   <!--original fetch url was git://github.com/apitrace/-->
   <remote fetch="https://git.mozilla.org/external/apitrace" name="apitrace"/>
   <default remote="caf" revision="refs/tags/android-4.0.4_r2.1" sync-j="4"/>
   <!-- Gonk specific things and forks -->
   <project name="platform_build" path="build" remote="b2g" revision="df362ace56338da8173d30d3e09e08c42c1accfa">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="platform_hardware_ril" path="hardware/ril" remote="b2g" revision="cd88d860656c31c7da7bb310d6a160d0011b0961"/>
   <project name="platform_external_qemu" path="external/qemu" remote="b2g" revision="67f2907bc340bad250b4ea6ce2902b52896c9ef0"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
   <!-- Stock Android things -->
   <project name="platform/abi/cpp" path="abi/cpp" revision="dd924f92906085b831bf1cbbc7484d3c043d613c"/>
--- a/b2g/config/flame-kk/sources.xml
+++ b/b2g/config/flame-kk/sources.xml
@@ -10,17 +10,17 @@
   <!--original fetch url was git://codeaurora.org/-->
   <remote fetch="https://git.mozilla.org/external/caf" name="caf"/>
   <!--original fetch url was https://git.mozilla.org/releases-->
   <remote fetch="https://git.mozilla.org/releases" name="mozillaorg"/>
   <!-- B2G specific things. -->
   <project name="platform_build" path="build" remote="b2g" revision="3ab0d9c70f0b2e1ededc679112c392303f037361">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
-  <project name="gaia" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="fake-libdvm" path="dalvik" remote="b2g" revision="d50ae982b19f42f0b66d08b9eb306be81687869f"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="891e5069c0ad330d8191bf8c7b879c814258c89f"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="valgrind" path="external/valgrind" remote="b2g" revision="daa61633c32b9606f58799a3186395fd2bbb8d8c"/>
   <project name="vex" path="external/VEX" remote="b2g" revision="47f031c320888fe9f3e656602588565b52d43010"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
--- a/b2g/config/flame/sources.xml
+++ b/b2g/config/flame/sources.xml
@@ -12,17 +12,17 @@
   <!--original fetch url was https://git.mozilla.org/releases-->
   <remote fetch="https://git.mozilla.org/releases" name="mozillaorg"/>
   <!-- B2G specific things. -->
   <project name="platform_build" path="build" remote="b2g" revision="0e94c080bee081a50aa2097527b0b40852f9143f">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="librecovery" path="librecovery" remote="b2g" revision="891e5069c0ad330d8191bf8c7b879c814258c89f"/>
   <project name="fake-libdvm" path="dalvik" remote="b2g" revision="d50ae982b19f42f0b66d08b9eb306be81687869f"/>
-  <project name="gaia" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
   <project name="valgrind" path="external/valgrind" remote="b2g" revision="daa61633c32b9606f58799a3186395fd2bbb8d8c"/>
   <project name="vex" path="external/VEX" remote="b2g" revision="47f031c320888fe9f3e656602588565b52d43010"/>
   <!-- Stock Android things -->
   <project groups="linux" name="platform/prebuilts/clang/linux-x86/3.1" path="prebuilts/clang/linux-x86/3.1" revision="e95b4ce22c825da44d14299e1190ea39a5260bde"/>
   <project groups="linux" name="platform/prebuilts/clang/linux-x86/3.2" path="prebuilts/clang/linux-x86/3.2" revision="471afab478649078ad7c75ec6b252481a59e19b8"/>
--- a/b2g/config/gaia.json
+++ b/b2g/config/gaia.json
@@ -1,9 +1,9 @@
 {
     "git": {
         "git_revision": "", 
         "remote": "", 
         "branch": ""
     }, 
-    "revision": "8c025d0c8038d8e0c90e294d0501f6c5fb252d59", 
+    "revision": "587d98bf26625137015c17d5b937bf06bd055dd0", 
     "repo_path": "integration/gaia-central"
 }
--- a/b2g/config/hamachi/sources.xml
+++ b/b2g/config/hamachi/sources.xml
@@ -12,17 +12,17 @@
   <!--original fetch url was git://github.com/apitrace/-->
   <remote fetch="https://git.mozilla.org/external/apitrace" name="apitrace"/>
   <default remote="caf" revision="b2g/ics_strawberry" sync-j="4"/>
   <!-- Gonk specific things and forks -->
   <project name="platform_build" path="build" remote="b2g" revision="df362ace56338da8173d30d3e09e08c42c1accfa">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="891e5069c0ad330d8191bf8c7b879c814258c89f"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
   <!-- Stock Android things -->
   <project name="platform/abi/cpp" path="abi/cpp" revision="6426040f1be4a844082c9769171ce7f5341a5528"/>
   <project name="platform/bionic" path="bionic" revision="d2eb6c7b6e1bc7643c17df2d9d9bcb1704d0b9ab"/>
   <project name="platform/bootable/recovery" path="bootable/recovery" revision="746bc48f34f5060f90801925dcdd964030c1ab6d"/>
--- a/b2g/config/helix/sources.xml
+++ b/b2g/config/helix/sources.xml
@@ -10,17 +10,17 @@
   <!--original fetch url was https://git.mozilla.org/releases-->
   <remote fetch="https://git.mozilla.org/releases" name="mozillaorg"/>
   <default remote="caf" revision="b2g/ics_strawberry" sync-j="4"/>
   <!-- Gonk specific things and forks -->
   <project name="platform_build" path="build" remote="b2g" revision="df362ace56338da8173d30d3e09e08c42c1accfa">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="891e5069c0ad330d8191bf8c7b879c814258c89f"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="gonk-patches" path="patches" remote="b2g" revision="223a2421006e8f5da33f516f6891c87cae86b0f6"/>
   <!-- Stock Android things -->
   <project name="platform/abi/cpp" path="abi/cpp" revision="6426040f1be4a844082c9769171ce7f5341a5528"/>
   <project name="platform/bionic" path="bionic" revision="d2eb6c7b6e1bc7643c17df2d9d9bcb1704d0b9ab"/>
--- a/b2g/config/nexus-4/sources.xml
+++ b/b2g/config/nexus-4/sources.xml
@@ -12,17 +12,17 @@
   <!--original fetch url was https://git.mozilla.org/releases-->
   <remote fetch="https://git.mozilla.org/releases" name="mozillaorg"/>
   <!-- B2G specific things. -->
   <project name="platform_build" path="build" remote="b2g" revision="0e94c080bee081a50aa2097527b0b40852f9143f">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="fake-libdvm" path="dalvik" remote="b2g" revision="d50ae982b19f42f0b66d08b9eb306be81687869f"/>
-  <project name="gaia" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
   <project name="valgrind" path="external/valgrind" remote="b2g" revision="daa61633c32b9606f58799a3186395fd2bbb8d8c"/>
   <project name="vex" path="external/VEX" remote="b2g" revision="47f031c320888fe9f3e656602588565b52d43010"/>
   <!-- Stock Android things -->
   <project groups="linux" name="platform/prebuilts/clang/linux-x86/3.1" path="prebuilts/clang/linux-x86/3.1" revision="5c45f43419d5582949284eee9cef0c43d866e03b"/>
   <project groups="linux" name="platform/prebuilts/clang/linux-x86/3.2" path="prebuilts/clang/linux-x86/3.2" revision="3748b4168e7bd8d46457d4b6786003bc6a5223ce"/>
--- a/b2g/config/wasabi/sources.xml
+++ b/b2g/config/wasabi/sources.xml
@@ -12,17 +12,17 @@
   <!--original fetch url was git://github.com/apitrace/-->
   <remote fetch="https://git.mozilla.org/external/apitrace" name="apitrace"/>
   <default remote="caf" revision="ics_chocolate_rb4.2" sync-j="4"/>
   <!-- Gonk specific things and forks -->
   <project name="platform_build" path="build" remote="b2g" revision="df362ace56338da8173d30d3e09e08c42c1accfa">
     <copyfile dest="Makefile" src="core/root.mk"/>
   </project>
   <project name="fake-dalvik" path="dalvik" remote="b2g" revision="ca1f327d5acc198bb4be62fa51db2c039032c9ce"/>
-  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ddf5b92f43ec27c93ad4fea4fd1207da8936b8e7"/>
+  <project name="gaia.git" path="gaia" remote="mozillaorg" revision="ae3a84acaab80a5b35d5542d63e68462273c8a1b"/>
   <project name="gonk-misc" path="gonk-misc" remote="b2g" revision="45c54a55e31758f7e54e5eafe0d01d387f35897a"/>
   <project name="rilproxy" path="rilproxy" remote="b2g" revision="827214fcf38d6569aeb5c6d6f31cb296d1f09272"/>
   <project name="librecovery" path="librecovery" remote="b2g" revision="891e5069c0ad330d8191bf8c7b879c814258c89f"/>
   <project name="moztt" path="external/moztt" remote="b2g" revision="fe893bb760a3bb64375f62fdf4762a58c59df9ef"/>
   <project name="apitrace" path="external/apitrace" remote="apitrace" revision="11ad0ea69796915552c9bae148d81fddf9856ddb"/>
   <project name="gonk-patches" path="patches" remote="b2g" revision="223a2421006e8f5da33f516f6891c87cae86b0f6"/>
   <!-- Stock Android things -->
   <project name="platform/abi/cpp" path="abi/cpp" revision="6426040f1be4a844082c9769171ce7f5341a5528"/>
--- a/configure.in
+++ b/configure.in
@@ -7300,17 +7300,17 @@ export MOZ_CRT
 AC_SUBST(MOZ_GLUE_IN_PROGRAM)
 AC_SUBST_LIST(WIN32_CRT_LIBS)
 
 dnl We need to wrap dlopen and related functions on Android because we use
 dnl our own linker.
 if test "$OS_TARGET" = Android; then
     MOZ_GLUE_WRAP_LDFLAGS="${MOZ_GLUE_WRAP_LDFLAGS} -Wl,--wrap=PR_GetEnv,--wrap=PR_SetEnv"
     if test "$MOZ_WIDGET_TOOLKIT" = gonk -a -n "$MOZ_NUWA_PROCESS"; then
-        MOZ_GLUE_WRAP_LDFLAGS="${MOZ_GLUE_WRAP_LDFLAGS} -Wl,--wrap=pthread_create,--wrap=epoll_wait,--wrap=poll,--wrap=pthread_cond_timedwait,--wrap=__pthread_cond_timedwait,--wrap=pthread_cond_wait,--wrap=epoll_create,--wrap=epoll_ctl,--wrap=close,--wrap=pthread_key_create,--wrap=pthread_key_delete,--wrap=socketpair,--wrap=pthread_self,--wrap=pthread_mutex_lock,--wrap=pthread_join,--wrap=pipe,--wrap=pipe2,--wrap=tgkill"
+        MOZ_GLUE_WRAP_LDFLAGS="${MOZ_GLUE_WRAP_LDFLAGS} -Wl,--wrap=pthread_create,--wrap=epoll_wait,--wrap=poll,--wrap=pthread_cond_timedwait,--wrap=__pthread_cond_timedwait,--wrap=pthread_cond_wait,--wrap=epoll_create,--wrap=epoll_ctl,--wrap=close,--wrap=pthread_key_create,--wrap=pthread_key_delete,--wrap=socketpair,--wrap=pthread_self,--wrap=pthread_mutex_lock,--wrap=pthread_join,--wrap=pipe,--wrap=pipe2"
     fi
 fi
 
 AC_SUBST_LIST(MOZ_GLUE_WRAP_LDFLAGS)
 export MOZ_GLUE_WRAP_LDFLAGS
 
 dnl ========================================================
 dnl = Use JS Call tracing
--- a/dom/base/nsDocument.cpp
+++ b/dom/base/nsDocument.cpp
@@ -6007,137 +6007,157 @@ nsDocument::RegisterElement(JSContext* a
     return;
   }
 
   nsIGlobalObject* sgo = GetScopeObject();
   if (!sgo) {
     rv.Throw(NS_ERROR_UNEXPECTED);
     return;
   }
+
   JS::Rooted<JSObject*> global(aCx, sgo->GetGlobalJSObject());
-
-  JSAutoCompartment ac(aCx, global);
-
-  JS::Handle<JSObject*> htmlProto(
-    HTMLElementBinding::GetProtoObjectHandle(aCx, global));
-  if (!htmlProto) {
-    rv.Throw(NS_ERROR_OUT_OF_MEMORY);
-    return;
-  }
-
+  nsCOMPtr<nsIAtom> nameAtom;;
   int32_t namespaceID = kNameSpaceID_XHTML;
   JS::Rooted<JSObject*> protoObject(aCx);
-  if (!aOptions.mPrototype) {
-    protoObject = JS_NewObject(aCx, nullptr, htmlProto, JS::NullPtr());
-    if (!protoObject) {
-      rv.Throw(NS_ERROR_UNEXPECTED);
-      return;
-    }
-  } else {
-    // If a prototype is provided, we must check to ensure that it is from the
-    // same browsing context as us.
-    protoObject = aOptions.mPrototype;
-    if (JS_GetGlobalForObject(aCx, protoObject) != global) {
-      rv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
-      return;
-    }
-
-    // If PROTOTYPE is already an interface prototype object for any interface
-    // object or PROTOTYPE has a non-configurable property named constructor,
-    // throw a NotSupportedError and stop.
-    const js::Class* clasp = js::GetObjectClass(protoObject);
-    if (IsDOMIfaceAndProtoClass(clasp)) {
-      rv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
-      return;
-    }
-
-    JS::Rooted<JSPropertyDescriptor> descRoot(aCx);
-    JS::MutableHandle<JSPropertyDescriptor> desc(&descRoot);
-    if (!JS_GetPropertyDescriptor(aCx, protoObject, "constructor", desc)) {
-      rv.Throw(NS_ERROR_UNEXPECTED);
-      return;
-    }
-
-    // Check if non-configurable
-    if (desc.isPermanent()) {
-      rv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
-      return;
-    }
-
-    JS::Handle<JSObject*> svgProto(
-      SVGElementBinding::GetProtoObjectHandle(aCx, global));
-    if (!svgProto) {
+  {
+    JSAutoCompartment ac(aCx, global);
+
+    JS::Handle<JSObject*> htmlProto(
+      HTMLElementBinding::GetProtoObjectHandle(aCx, global));
+    if (!htmlProto) {
       rv.Throw(NS_ERROR_OUT_OF_MEMORY);
       return;
     }
 
-    JS::Rooted<JSObject*> protoProto(aCx, protoObject);
-
-    // If PROTOTYPE's interface inherits from SVGElement, set NAMESPACE to SVG
-    // Namespace.
-    while (protoProto) {
-      if (protoProto == htmlProto) {
-        break;
-      }
-
-      if (protoProto == svgProto) {
-        namespaceID = kNameSpaceID_SVG;
-        break;
-      }
-
-      if (!JS_GetPrototype(aCx, protoProto, &protoProto)) {
+    if (!aOptions.mPrototype) {
+      protoObject = JS_NewObject(aCx, nullptr, htmlProto, JS::NullPtr());
+      if (!protoObject) {
         rv.Throw(NS_ERROR_UNEXPECTED);
         return;
       }
-    }
-  }
-
-  // If name was provided and not null...
-  nsCOMPtr<nsIAtom> nameAtom;
-  if (!lcName.IsEmpty()) {
-    // Let BASE be the element interface for NAME and NAMESPACE.
-    bool known = false;
-    nameAtom = do_GetAtom(lcName);
-    if (namespaceID == kNameSpaceID_XHTML) {
-      nsIParserService* ps = nsContentUtils::GetParserService();
-      if (!ps) {
+    } else {
+      protoObject = aOptions.mPrototype;
+
+      // We are already operating on the document's (/global's) compartment. Let's
+      // get a view of the passed in proto from this compartment.
+      if (!JS_WrapObject(aCx, &protoObject)) {
+        rv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+        return;
+      }
+
+      // We also need an unwrapped version of it for various checks.
+      JS::Rooted<JSObject*> protoObjectUnwrapped(aCx,
+        js::CheckedUnwrap(protoObject));
+      if (!protoObjectUnwrapped) {
+        // If the documents compartment does not have same origin access
+        // to the compartment of the proto we should just throw.
+        rv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+        return;
+      }
+
+      // If PROTOTYPE is already an interface prototype object for any interface
+      // object or PROTOTYPE has a non-configurable property named constructor,
+      // throw a NotSupportedError and stop.
+      const js::Class* clasp = js::GetObjectClass(protoObjectUnwrapped);
+      if (IsDOMIfaceAndProtoClass(clasp)) {
+        rv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+        return;
+      }
+
+      JS::Rooted<JSPropertyDescriptor> descRoot(aCx);
+      JS::MutableHandle<JSPropertyDescriptor> desc(&descRoot);
+      // This check will go through a wrapper, but as we checked above
+      // it should be transparent or an xray. This should be fine for now,
+      // until the spec is sorted out.
+      if (!JS_GetPropertyDescriptor(aCx, protoObject, "constructor", desc)) {
         rv.Throw(NS_ERROR_UNEXPECTED);
         return;
       }
 
-      known =
-        ps->HTMLCaseSensitiveAtomTagToId(nameAtom) != eHTMLTag_userdefined;
+      // Check if non-configurable
+      if (desc.isPermanent()) {
+        rv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+        return;
+      }
+
+      JS::Handle<JSObject*> svgProto(
+        SVGElementBinding::GetProtoObjectHandle(aCx, global));
+      if (!svgProto) {
+        rv.Throw(NS_ERROR_OUT_OF_MEMORY);
+        return;
+      }
+
+      JS::Rooted<JSObject*> protoProto(aCx, protoObject);
+
+      // If PROTOTYPE's interface inherits from SVGElement, set NAMESPACE to SVG
+      // Namespace.
+      while (protoProto) {
+        if (protoProto == htmlProto) {
+          break;
+        }
+
+        if (protoProto == svgProto) {
+          namespaceID = kNameSpaceID_SVG;
+          break;
+        }
+
+        if (!JS_GetPrototype(aCx, protoProto, &protoProto)) {
+          rv.Throw(NS_ERROR_UNEXPECTED);
+          return;
+        }
+      }
+    }
+
+    // If name was provided and not null...
+    if (!lcName.IsEmpty()) {
+      // Let BASE be the element interface for NAME and NAMESPACE.
+      bool known = false;
+      nameAtom = do_GetAtom(lcName);
+      if (namespaceID == kNameSpaceID_XHTML) {
+        nsIParserService* ps = nsContentUtils::GetParserService();
+        if (!ps) {
+          rv.Throw(NS_ERROR_UNEXPECTED);
+          return;
+        }
+
+        known =
+          ps->HTMLCaseSensitiveAtomTagToId(nameAtom) != eHTMLTag_userdefined;
+      } else {
+        known = SVGElementFactory::Exists(nameAtom);
+      }
+
+      // If BASE does not exist or is an interface for a custom element, set ERROR
+      // to InvalidName and stop.
+      // If BASE exists, then it cannot be an interface for a custom element.
+      if (!known) {
+        rv.Throw(NS_ERROR_DOM_SYNTAX_ERR);
+        return;
+      }
     } else {
-      known = SVGElementFactory::Exists(nameAtom);
-    }
-
-    // If BASE does not exist or is an interface for a custom element, set ERROR
-    // to InvalidName and stop.
-    // If BASE exists, then it cannot be an interface for a custom element.
-    if (!known) {
-      rv.Throw(NS_ERROR_DOM_SYNTAX_ERR);
-      return;
-    }
-  } else {
-    // If NAMESPACE is SVG Namespace, set ERROR to InvalidName and stop.
-    if (namespaceID == kNameSpaceID_SVG) {
-      rv.Throw(NS_ERROR_UNEXPECTED);
-      return;
-    }
-
-    nameAtom = typeAtom;
-  }
-
+      // If NAMESPACE is SVG Namespace, set ERROR to InvalidName and stop.
+      if (namespaceID == kNameSpaceID_SVG) {
+        rv.Throw(NS_ERROR_UNEXPECTED);
+        return;
+      }
+
+      nameAtom = typeAtom;
+    }
+  } // Leaving the document's compartment for the LifecycleCallbacks init
+
+  // Note: We call the init from the caller compartment here
   nsAutoPtr<LifecycleCallbacks> callbacksHolder(new LifecycleCallbacks());
   JS::RootedValue rootedv(aCx, JS::ObjectValue(*protoObject));
-  if (!callbacksHolder->Init(aCx, rootedv)) {
+  if (!JS_WrapValue(aCx, &rootedv) || !callbacksHolder->Init(aCx, rootedv)) {
     rv.Throw(NS_ERROR_FAILURE);
     return;
   }
 
+  // Entering the global's compartment again
+  JSAutoCompartment ac(aCx, global);
+
   // Associate the definition with the custom element.
   CustomElementHashKey key(namespaceID, typeAtom);
   LifecycleCallbacks* callbacks = callbacksHolder.forget();
   CustomElementDefinition* definition =
     new CustomElementDefinition(protoObject,
                                 typeAtom,
                                 nameAtom,
                                 callbacks,
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@@ -1464,16 +1464,35 @@ CanvasRenderingContext2D::ClearTarget()
   mDSPathBuilder = nullptr;
 
   ContextState *state = mStyleStack.AppendElement();
   state->globalAlpha = 1.0;
 
   state->colorStyles[Style::FILL] = NS_RGB(0,0,0);
   state->colorStyles[Style::STROKE] = NS_RGB(0,0,0);
   state->shadowColor = NS_RGBA(0,0,0,0);
+
+  // For vertical writing-mode, unless text-orientation is sideways,
+  // we'll modify the initial value of textBaseline to 'middle'.
+  nsRefPtr<nsStyleContext> canvasStyle;
+  if (mCanvasElement && mCanvasElement->IsInDoc()) {
+    nsCOMPtr<nsIPresShell> presShell = GetPresShell();
+    if (presShell) {
+      canvasStyle =
+        nsComputedDOMStyle::GetStyleContextForElement(mCanvasElement,
+                                                      nullptr,
+                                                      presShell);
+      if (canvasStyle) {
+        WritingMode wm(canvasStyle);
+        if (wm.IsVertical() && !wm.IsSideways()) {
+          state->textBaseline = TextBaseline::MIDDLE;
+        }
+      }
+    }
+  }
 }
 
 NS_IMETHODIMP
 CanvasRenderingContext2D::InitializeWithSurface(nsIDocShell *shell,
                                                 gfxASurface *surface,
                                                 int32_t width,
                                                 int32_t height)
 {
@@ -3260,16 +3279,17 @@ struct MOZ_STACK_CLASS CanvasBidiProcess
     return NSToCoordRound(textRunMetrics.mAdvanceWidth);
   }
 
   virtual void DrawText(nscoord xOffset, nscoord width)
   {
     gfxPoint point = mPt;
     bool rtl = mTextRun->IsRightToLeft();
     bool verticalRun = mTextRun->IsVertical();
+    bool centerBaseline = mTextRun->UseCenterBaseline();
 
     gfxFloat& inlineCoord = verticalRun ? point.y : point.x;
     inlineCoord += xOffset;
 
     // offset is given in terms of left side of string
     if (rtl) {
       // Bug 581092 - don't use rounded pixel width to advance to
       // right-hand end of run, because this will cause different
@@ -3328,30 +3348,37 @@ struct MOZ_STACK_CLASS CanvasBidiProcess
         // This can occur when something switched DirectWrite off.
         return;
       }
 
       AutoRestoreTransform sidewaysRestore;
       if (runs[c].mOrientation ==
           gfxTextRunFactory::TEXT_ORIENT_VERTICAL_SIDEWAYS_RIGHT) {
         sidewaysRestore.Init(mCtx->mTarget);
-        // TODO: The baseline adjustment here is kinda ad-hoc; eventually
-        // perhaps we should check for horizontal and vertical baseline data
-        // in the font, and adjust accordingly.
-        // (The same will be true for HTML text layout.)
         const gfxFont::Metrics& metrics = mTextRun->GetFontGroup()->
           GetFirstValidFont()->GetMetrics(gfxFont::eHorizontal);
-        mCtx->mTarget->SetTransform(mCtx->mTarget->GetTransform().Copy().
+
+        gfx::Matrix mat = mCtx->mTarget->GetTransform().Copy().
           PreTranslate(baselineOrigin).      // translate origin for rotation
           PreRotate(gfx::Float(M_PI / 2.0)). // turn 90deg clockwise
-          PreTranslate(-baselineOrigin).     // undo the translation
-          PreTranslate(Point(0, (metrics.emAscent - metrics.emDescent) / 2)));
-                              // and offset the (alphabetic) baseline of the
+          PreTranslate(-baselineOrigin);     // undo the translation
+
+        if (centerBaseline) {
+          // TODO: The baseline adjustment here is kinda ad hoc; eventually
+          // perhaps we should check for horizontal and vertical baseline data
+          // in the font, and adjust accordingly.
+          // (The same will be true for HTML text layout.)
+          float offset = (metrics.emAscent - metrics.emDescent) / 2;
+          mat = mat.PreTranslate(Point(0, offset));
+                              // offset the (alphabetic) baseline of the
                               // horizontally-shaped text from the (centered)
                               // default baseline used for vertical
+        }
+
+        mCtx->mTarget->SetTransform(mat);
       }
 
       RefPtr<GlyphRenderingOptions> renderingOptions = font->GetGlyphRenderingOptions();
 
       GlyphBuffer buffer;
 
       std::vector<Glyph> glyphBuf;
 
@@ -3633,49 +3660,60 @@ CanvasRenderingContext2D::DrawOrMeasureT
             (isRTL && state.textAlign == TextAlign::END)) {
     anchorX = 0;
   } else {
     anchorX = 1;
   }
 
   processor.mPt.x -= anchorX * totalWidth;
 
-  // offset pt.y based on text baseline
+  // offset pt.y (or pt.x, for vertical text) based on text baseline
   processor.mFontgrp->UpdateUserFonts(); // ensure user font generation is current
   const gfxFont::Metrics& fontMetrics =
-    processor.mFontgrp->GetFirstValidFont()->GetMetrics(
-      ((processor.mTextRunFlags & gfxTextRunFactory::TEXT_ORIENT_MASK) ==
-        gfxTextRunFactory::TEXT_ORIENT_HORIZONTAL)
-      ? gfxFont::eHorizontal : gfxFont::eVertical);
-
-  gfxFloat anchorY;
+    processor.mFontgrp->GetFirstValidFont()->GetMetrics(gfxFont::eHorizontal);
+
+  gfxFloat baselineAnchor;
 
   switch (state.textBaseline)
   {
   case TextBaseline::HANGING:
       // fall through; best we can do with the information available
   case TextBaseline::TOP:
-    anchorY = fontMetrics.emAscent;
+    baselineAnchor = fontMetrics.emAscent;
     break;
   case TextBaseline::MIDDLE:
-    anchorY = (fontMetrics.emAscent - fontMetrics.emDescent) * .5f;
+    baselineAnchor = (fontMetrics.emAscent - fontMetrics.emDescent) * .5f;
     break;
   case TextBaseline::IDEOGRAPHIC:
     // fall through; best we can do with the information available
   case TextBaseline::ALPHABETIC:
-    anchorY = 0;
+    baselineAnchor = 0;
     break;
   case TextBaseline::BOTTOM:
-    anchorY = -fontMetrics.emDescent;
+    baselineAnchor = -fontMetrics.emDescent;
     break;
   default:
     MOZ_CRASH("unexpected TextBaseline");
   }
 
-  processor.mPt.y += anchorY;
+  // We can't query the textRun directly, as it may not have been created yet;
+  // so instead we check the flags that will be used to initialize it.
+  uint16_t runOrientation =
+    (processor.mTextRunFlags & gfxTextRunFactory::TEXT_ORIENT_MASK);
+  if (runOrientation != gfxTextRunFactory::TEXT_ORIENT_HORIZONTAL) {
+    if (runOrientation == gfxTextRunFactory::TEXT_ORIENT_VERTICAL_MIXED ||
+        runOrientation == gfxTextRunFactory::TEXT_ORIENT_VERTICAL_UPRIGHT) {
+      // Adjust to account for mTextRun being shaped using center baseline
+      // rather than alphabetic.
+      baselineAnchor -= (fontMetrics.emAscent - fontMetrics.emDescent) * .5f;
+    }
+    processor.mPt.x -= baselineAnchor;
+  } else {
+    processor.mPt.y += baselineAnchor;
+  }
 
   // correct bounding box to get it to be the correct size/position
   processor.mBoundingBox.width = totalWidth;
   processor.mBoundingBox.MoveBy(processor.mPt);
 
   processor.mPt.x *= processor.mAppUnitsPerDevPixel;
   processor.mPt.y *= processor.mAppUnitsPerDevPixel;
 
--- a/dom/canvas/WebGLContextValidate.cpp
+++ b/dom/canvas/WebGLContextValidate.cpp
@@ -1524,17 +1524,17 @@ WebGLContext::InitAndValidateGL()
     GLenum error = gl->fGetError();
     if (error != LOCAL_GL_NO_ERROR) {
         GenerateWarning("GL error 0x%x occurred during OpenGL context initialization, before WebGL initialization!", error);
         return false;
     }
 
     mMinCapability = Preferences::GetBool("webgl.min_capability_mode", false);
     mDisableExtensions = Preferences::GetBool("webgl.disable-extensions", false);
-    mLoseContextOnMemoryPressure = Preferences::GetBool("webgl.lose-context-on-memory-preasure", false);
+    mLoseContextOnMemoryPressure = Preferences::GetBool("webgl.lose-context-on-memory-pressure", false);
     mCanLoseContextInForeground = Preferences::GetBool("webgl.can-lose-context-in-foreground", true);
     mRestoreWhenVisible = Preferences::GetBool("webgl.restore-context-when-visible", true);
 
     if (MinCapabilityMode()) {
       mDisableFragHighP = true;
     }
 
     // These are the default values, see 6.2 State tables in the
--- a/dom/fmradio/FMRadioService.cpp
+++ b/dom/fmradio/FMRadioService.cpp
@@ -5,25 +5,28 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "FMRadioService.h"
 #include "mozilla/Hal.h"
 #include "mozilla/ClearOnShutdown.h"
 #include "nsIAudioManager.h"
 #include "AudioManager.h"
 #include "nsDOMClassInfo.h"
+#include "mozilla/LazyIdleThread.h"
 #include "mozilla/Preferences.h"
 #include "mozilla/dom/FMRadioChild.h"
 #include "mozilla/dom/ScriptSettings.h"
 #include "nsIObserverService.h"
 #include "nsISettingsService.h"
 #include "nsJSUtils.h"
 #include "mozilla/dom/BindingUtils.h"
 #include "mozilla/dom/SettingChangeNotificationBinding.h"
 
+#define TUNE_THREAD_TIMEOUT_MS  5000
+
 #define BAND_87500_108000_kHz 1
 #define BAND_76000_108000_kHz 2
 #define BAND_76000_90000_kHz  3
 
 #define MOZSETTINGS_CHANGED_ID "mozsettings-changed"
 #define SETTING_KEY_AIRPLANEMODE_ENABLED "airplaneMode.enabled"
 
 #define DOM_PARSED_RDS_GROUPS ((0x2 << 30) | (0x3 << 4) | (0x3 << 0))
@@ -156,19 +159,20 @@ public:
     info.lowerLimit() = mLowerLimit;
     info.spaceType() = mSpaceType;
     info.preEmphasis() = mPreemphasis;
 
     EnableFMRadio(info);
 
     FMRadioService* fmRadioService = FMRadioService::Singleton();
     if (!fmRadioService->mTuneThread) {
-      // SeekRunnable and SetFrequencyRunnable run on this thread.
-      // These call ioctls that can stall the main thread, so we run them here.
-      NS_NewNamedThread("FM Tuning", getter_AddRefs(fmRadioService->mTuneThread));
+      // SeekRunnable and SetFrequencyRunnable run on this thread. These
+      // call ioctls that can stall the main thread, so we run them here.
+      fmRadioService->mTuneThread = new LazyIdleThread(
+        TUNE_THREAD_TIMEOUT_MS, NS_LITERAL_CSTRING("FM Tuning"));
     }
 
     return NS_OK;
   }
 
 private:
   uint32_t mUpperLimit;
   uint32_t mLowerLimit;
--- a/dom/plugins/base/nsJSNPRuntime.cpp
+++ b/dom/plugins/base/nsJSNPRuntime.cpp
@@ -1269,18 +1269,17 @@ NPObjWrapper_DelProperty(JSContext *cx, 
       return false;
 
     if (!hasProperty) {
       *succeeded = true;
       return true;
     }
   }
 
-  if (!npobj->_class->removeProperty(npobj, identifier))
-    *succeeded = false;
+  *succeeded = npobj->_class->removeProperty(npobj, identifier);
 
   return ReportExceptionIfPending(cx);
 }
 
 static bool
 NPObjWrapper_SetProperty(JSContext *cx, JS::Handle<JSObject*> obj, JS::Handle<jsid> id, bool strict,
                          JS::MutableHandle<JS::Value> vp)
 {
--- a/dom/system/gonk/ril_worker.js
+++ b/dom/system/gonk/ril_worker.js
@@ -3930,18 +3930,35 @@ RilObject.prototype = {
     }
 
     return [CALL_STATE_UNKNOWN, new Set()];
   },
 
   /**
    * Helpers for processing call state changes.
    */
-  _processClassifiedCalls: function(removedCalls, remainedCalls, addedCalls,
-                                    failCause) {
+  _processCalls: function(newCalls, failCause) {
+    // Let's get the failCause first if there are removed calls. Otherwise, we
+    // need to trigger another async request when removing call and it cause
+    // the order of callDisconnected and conferenceCallStateChanged
+    // unpredictable.
+    if (failCause === undefined) {
+      for each (let currentCall in this.currentCalls) {
+        if (!newCalls[currentCall.callIndex] && !currentCall.hangUpLocal) {
+          this.getFailCauseCode((function(newCalls, failCause) {
+            this._processCalls(newCalls, failCause);
+          }).bind(this, newCalls));
+          return;
+        }
+      }
+    }
+
+    let [removedCalls, remainedCalls, addedCalls] =
+      this._classifyCalls(newCalls);
+
     // Handle removed calls.
     // Only remove it from the map here. Notify callDisconnected later.
     for (let call of removedCalls) {
       delete this.currentCalls[call.callIndex];
       call.failCause = call.hangUpLocal ? GECKO_CALL_ERROR_NORMAL_CALL_CLEARING
                                         : failCause;
     }
 
@@ -4014,32 +4031,16 @@ RilObject.prototype = {
     if (this.currentConferenceState != newConferenceState) {
       this.currentConferenceState = newConferenceState;
       let message = {rilMessageType: "conferenceCallStateChanged",
                      state: newConferenceState};
       this.sendChromeMessage(message);
     }
   },
 
-  _processCalls: function(newCalls) {
-    let [removed, remained, added] = this._classifyCalls(newCalls);
-
-    // Let's get the failCause first if there are removed calls. Otherwise, we
-    // need to trigger another async request when removing call and it cause
-    // the order of callDisconnected and conferenceCallStateChanged
-    // unpredictable.
-    if (removed.length) {
-      this.getFailCauseCode((function(removed, remained, added, failCause) {
-        this._processClassifiedCalls(removed, remained, added, failCause);
-      }).bind(this, removed, remained, added));
-    } else {
-      this._processClassifiedCalls(removed, remained, added);
-    }
-  },
-
   _detectAudioState: function() {
     let callNum = Object.keys(this.currentCalls).length;
     if (!callNum) {
       return AUDIO_STATE_NO_CALL;
     }
 
     let firstIndex = Object.keys(this.currentCalls)[0];
     if (callNum == 1 &&
@@ -5384,20 +5385,16 @@ RilObject.prototype[REQUEST_GET_CURRENT_
 
   let Buf = this.context.Buf;
   let calls_length = 0;
   // The RIL won't even send us the length integer if there are no active calls.
   // So only read this integer if the parcel actually has it.
   if (length) {
     calls_length = Buf.readInt32();
   }
-  if (!calls_length) {
-    this._processCalls(null);
-    return;
-  }
 
   let calls = {};
   for (let i = 0; i < calls_length; i++) {
     let call = {};
 
     // Extra uint32 field to get correct callIndex and rest of call data for
     // call waiting feature.
     if (RILQUIRKS_EXTRA_UINT32_2ND_CALL && i > 0) {
@@ -5461,33 +5458,24 @@ RilObject.prototype[REQUEST_GET_IMSI] = 
   options.rilMessageType = "iccimsi";
   options.imsi = this.iccInfoPrivate.imsi;
   this.sendChromeMessage(options);
 };
 RilObject.prototype[REQUEST_HANGUP] = function REQUEST_HANGUP(length, options) {
   options.success = options.rilRequestError === 0;
   options.errorMsg = RIL_ERROR_TO_GECKO_ERROR[options.rilRequestError];
   this.sendChromeMessage(options);
-
-  if (options.success) {
-    this.getCurrentCalls();
-  }
 };
 RilObject.prototype[REQUEST_HANGUP_WAITING_OR_BACKGROUND] = function REQUEST_HANGUP_WAITING_OR_BACKGROUND(length, options) {
   RilObject.prototype[REQUEST_HANGUP].call(this, length, options);
 };
 RilObject.prototype[REQUEST_HANGUP_FOREGROUND_RESUME_BACKGROUND] = function REQUEST_HANGUP_FOREGROUND_RESUME_BACKGROUND(length, options) {
   RilObject.prototype[REQUEST_HANGUP].call(this, length, options);
 };
 RilObject.prototype[REQUEST_SWITCH_WAITING_OR_HOLDING_AND_ACTIVE] = function REQUEST_SWITCH_WAITING_OR_HOLDING_AND_ACTIVE(length, options) {
-  if (options.rilRequestError) {
-    return;
-  }
-
-  this.getCurrentCalls();
 };
 RilObject.prototype[REQUEST_CONFERENCE] = function REQUEST_CONFERENCE(length, options) {
   options.success = (options.rilRequestError === 0);
   if (!options.success) {
     options.errorName = "addError";
     options.errorMsg = RIL_ERROR_TO_GECKO_ERROR[options.rilRequestError];
     this.sendChromeMessage(options);
     return;
--- a/dom/system/gonk/tests/test_ril_worker_ssn.js
+++ b/dom/system/gonk/tests/test_ril_worker_ssn.js
@@ -67,17 +67,17 @@ add_test(function test_notification() {
     context.RIL._processSuppSvcNotification(notificationInfo);
 
     let postedMessage = workerHelper.postedMessage;
     do_check_eq(postedMessage.rilMessageType, 'suppSvcNotification');
     do_check_eq(postedMessage.notification, resultNotification);
     do_check_eq(postedMessage.callIndex, resultCallIndex);
 
     // Clear all existed calls.
-    context.RIL._processCalls(null);
+    context.RIL._processCalls({});
   }
 
   testNotification(oneCall, SUPP_SVC_NOTIFICATION_CODE2_PUT_ON_HOLD, null,
                    GECKO_SUPP_SVC_NOTIFICATION_REMOTE_HELD, 0);
 
   testNotification(oneCall, SUPP_SVC_NOTIFICATION_CODE2_RETRIEVED, null,
                    GECKO_SUPP_SVC_NOTIFICATION_REMOTE_RESUMED, 0);
 
--- a/gfx/layers/composite/ContentHost.cpp
+++ b/gfx/layers/composite/ContentHost.cpp
@@ -210,38 +210,29 @@ ContentHostTexture::Composite(EffectChai
   }
   GetCompositor()->DrawDiagnostics(diagnostics, nsIntRegion(mBufferRect), aClipRect,
                                    aTransform, mFlashCounter);
 }
 
 void
 ContentHostTexture::UseTextureHost(TextureHost* aTexture)
 {
-  if (mTextureHost && mTextureHost != aTexture) {
-    mTextureHost->UnbindTextureSource();
-  }
   ContentHostBase::UseTextureHost(aTexture);
   mTextureHost = aTexture;
   mTextureHostOnWhite = nullptr;
   mTextureSourceOnWhite = nullptr;
   if (mTextureHost) {
     mTextureHost->PrepareTextureSource(mTextureSource);
   }
 }
 
 void
 ContentHostTexture::UseComponentAlphaTextures(TextureHost* aTextureOnBlack,
                                               TextureHost* aTextureOnWhite)
 {
-  if (mTextureHost && mTextureHost != aTextureOnBlack) {
-    mTextureHost->UnbindTextureSource();
-  }
-  if (mTextureHostOnWhite && mTextureHostOnWhite != aTextureOnWhite) {
-    mTextureHostOnWhite->UnbindTextureSource();
-  }
   ContentHostBase::UseComponentAlphaTextures(aTextureOnBlack, aTextureOnWhite);
   mTextureHost = aTextureOnBlack;
   mTextureHostOnWhite = aTextureOnWhite;
   if (mTextureHost) {
     mTextureHost->PrepareTextureSource(mTextureSource);
   }
   if (mTextureHostOnWhite) {
     mTextureHostOnWhite->PrepareTextureSource(mTextureSourceOnWhite);
--- a/gfx/layers/composite/ContentHost.h
+++ b/gfx/layers/composite/ContentHost.h
@@ -168,18 +168,18 @@ public:
     mLocked = false;
   }
 
   LayerRenderState GetRenderState();
 
   virtual TemporaryRef<TexturedEffect> GenEffect(const gfx::Filter& aFilter) MOZ_OVERRIDE;
 
 protected:
-  RefPtr<TextureHost> mTextureHost;
-  RefPtr<TextureHost> mTextureHostOnWhite;
+  CompositableTextureHostRef mTextureHost;
+  CompositableTextureHostRef mTextureHostOnWhite;
   CompositableTextureSourceRef mTextureSource;
   CompositableTextureSourceRef mTextureSourceOnWhite;
   bool mLocked;
 };
 
 /**
  * Double buffering is implemented by swapping the front and back TextureHosts.
  * We assume that whenever we use double buffering, then we have
--- a/gfx/layers/composite/ImageHost.cpp
+++ b/gfx/layers/composite/ImageHost.cpp
@@ -24,34 +24,27 @@ class Matrix4x4;
 using namespace gfx;
 
 namespace layers {
 
 class ISurfaceAllocator;
 
 ImageHost::ImageHost(const TextureInfo& aTextureInfo)
   : CompositableHost(aTextureInfo)
-  , mFrontBuffer(nullptr)
   , mHasPictureRect(false)
   , mLocked(false)
 {}
 
 ImageHost::~ImageHost()
 {
-  if (mFrontBuffer) {
-    mFrontBuffer->UnbindTextureSource();
-  }
 }
 
 void
 ImageHost::UseTextureHost(TextureHost* aTexture)
 {
-  if (mFrontBuffer && mFrontBuffer != aTexture) {
-    mFrontBuffer->UnbindTextureSource();
-  }
   CompositableHost::UseTextureHost(aTexture);
   mFrontBuffer = aTexture;
   if (mFrontBuffer) {
     mFrontBuffer->PrepareTextureSource(mTextureSource);
   }
 }
 
 void
--- a/gfx/layers/composite/ImageHost.h
+++ b/gfx/layers/composite/ImageHost.h
@@ -83,17 +83,17 @@ public:
   virtual bool Lock() MOZ_OVERRIDE;
 
   virtual void Unlock() MOZ_OVERRIDE;
 
   virtual TemporaryRef<TexturedEffect> GenEffect(const gfx::Filter& aFilter) MOZ_OVERRIDE;
 
 protected:
 
-  RefPtr<TextureHost> mFrontBuffer;
+  CompositableTextureHostRef mFrontBuffer;
   CompositableTextureSourceRef mTextureSource;
   nsIntRect mPictureRect;
   bool mHasPictureRect;
   bool mLocked;
 };
 
 #ifdef MOZ_WIDGET_GONK
 
--- a/gfx/layers/composite/TextureHost.cpp
+++ b/gfx/layers/composite/TextureHost.cpp
@@ -284,16 +284,17 @@ TextureHost::CompositorRecycle()
     return;
   }
   static_cast<TextureParent*>(mActor)->CompositorRecycle();
 }
 
 TextureHost::TextureHost(TextureFlags aFlags)
     : mActor(nullptr)
     , mFlags(aFlags)
+    , mCompositableCount(0)
 {}
 
 TextureHost::~TextureHost()
 {
 }
 
 void TextureHost::Finalize()
 {
--- a/gfx/layers/composite/TextureHost.h
+++ b/gfx/layers/composite/TextureHost.h
@@ -164,61 +164,65 @@ protected:
   RefPtr<TextureSource> mNextSibling;
   int mCompositableCount;
 };
 
 /**
  * equivalent of a RefPtr<TextureSource>, that calls AddCompositableRef and
  * ReleaseCompositableRef in addition to the usual AddRef and Release.
  */
-class CompositableTextureSourceRef {
+template<typename T>
+class CompositableTextureRef {
 public:
-  CompositableTextureSourceRef() {}
+  CompositableTextureRef() {}
 
-  ~CompositableTextureSourceRef()
+  ~CompositableTextureRef()
   {
     if (mRef) {
       mRef->ReleaseCompositableRef();
     }
   }
 
-  CompositableTextureSourceRef& operator=(const TemporaryRef<TextureSource>& aOther)
+  CompositableTextureRef& operator=(const TemporaryRef<T>& aOther)
   {
-    RefPtr<TextureSource> temp = aOther;
+    RefPtr<T> temp = aOther;
     if (temp) {
       temp->AddCompositableRef();
     }
     if (mRef) {
       mRef->ReleaseCompositableRef();
     }
     mRef = temp;
     return *this;
   }
 
-  CompositableTextureSourceRef& operator=(TextureSource* aOther)
+  CompositableTextureRef& operator=(T* aOther)
   {
     if (aOther) {
       aOther->AddCompositableRef();
     }
     if (mRef) {
       mRef->ReleaseCompositableRef();
     }
     mRef = aOther;
     return *this;
   }
 
-  TextureSource* get() const { return mRef; }
-  operator TextureSource*() const { return mRef; }
-  TextureSource* operator->() const { return mRef; }
-  TextureSource& operator*() const { return *mRef; }
+  T* get() const { return mRef; }
+  operator T*() const { return mRef; }
+  T* operator->() const { return mRef; }
+  T& operator*() const { return *mRef; }
 
 private:
-  RefPtr<TextureSource> mRef;
+  RefPtr<T> mRef;
 };
 
+typedef CompositableTextureRef<TextureSource> CompositableTextureSourceRef;
+typedef CompositableTextureRef<TextureHost> CompositableTextureHostRef;
+
 /**
  * Interface for TextureSources that can be updated from a DataSourceSurface.
  *
  * All backend should implement at least one DataTextureSource.
  */
 class DataTextureSource : public TextureSource
 {
 public:
@@ -500,21 +504,35 @@ public:
    */
   virtual bool HasInternalBuffer() const { return false; }
 
   /**
    * Cast to a TextureHost for each backend.
    */
   virtual TextureHostOGL* AsHostOGL() { return nullptr; }
 
+  void AddCompositableRef() { ++mCompositableCount; }
+
+  void ReleaseCompositableRef()
+  {
+    --mCompositableCount;
+    MOZ_ASSERT(mCompositableCount >= 0);
+    if (mCompositableCount == 0) {
+      UnbindTextureSource();
+    }
+  }
+
+  int NumCompositableRefs() const { return mCompositableCount; }
+
 protected:
   void RecycleTexture(TextureFlags aFlags);
 
   PTextureParent* mActor;
   TextureFlags mFlags;
+  int mCompositableCount;
 
   friend class TextureParent;
 };
 
 /**
  * TextureHost that wraps a random access buffer such as a Shmem or some raw
  * memory.
  *
--- a/gfx/ots/README.mozilla
+++ b/gfx/ots/README.mozilla
@@ -1,12 +1,12 @@
 This is the Sanitiser for OpenType project, from http://code.google.com/p/ots/.
 
 Our reference repository is https://github.com/khaledhosny/ots/.
 
-Current revision: c24a839b1c66c4de09e58fabaacb82bf3bd692a4
+Current revision: 7091a232a10a741591ff25158c98ca3f0c319cf9
 
 Upstream files included: LICENSE, src/, include/
 
 Additional files: README.mozilla, src/moz.build
 
 Additional patch: ots-visibility.patch (bug 711079).
 Additional patch: ots-brotli-path.patch (bug 1064737).
--- a/gfx/ots/include/opentype-sanitiser.h
+++ b/gfx/ots/include/opentype-sanitiser.h
@@ -210,17 +210,17 @@ enum TableAction {
   TABLE_ACTION_SANITIZE, // Sanitize the table, potentially droping it
   TABLE_ACTION_PASSTHRU, // Serialize the table unchanged
   TABLE_ACTION_DROP      // Drop the table
 };
 
 class OTS_API OTSContext {
   public:
     OTSContext() {}
-    ~OTSContext() {}
+    virtual ~OTSContext() {}
 
     // Process a given OpenType file and write out a sanitised version
     //   output: a pointer to an object implementing the OTSStream interface. The
     //     sanitisied output will be written to this. In the even of a failure,
     //     partial output may have been written.
     //   input: the OpenType file
     //   length: the size, in bytes, of |input|
     //   context: optional context that holds various OTS settings like user callbacks
deleted file mode 100644
--- a/gfx/ots/ots-brotli-path.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/gfx/ots/src/woff2.cc b/gfx/ots/src/woff2.cc
---- a/gfx/ots/src/woff2.cc
-+++ b/gfx/ots/src/woff2.cc
-@@ -6,17 +6,17 @@
- // Condensed file format.
- 
- #include <cassert>
- #include <cstdlib>
- #include <vector>
- 
- #include <zlib.h>
- 
--#include "third_party/brotli/src/brotli/dec/decode.h"
-+#include "decode.h"
- 
- #include "opentype-sanitiser.h"
- #include "ots-memory-stream.h"
- #include "ots.h"
- #include "woff2.h"
- 
- namespace {
- 
--- a/gfx/ots/ots-visibility.patch
+++ b/gfx/ots/ots-visibility.patch
@@ -45,17 +45,17 @@ diff --git a/gfx/ots/include/opentype-sa
    TABLE_ACTION_PASSTHRU, // Serialize the table unchanged
    TABLE_ACTION_DROP      // Drop the table
  };
  
 -class OTSContext {
 +class OTS_API OTSContext {
    public:
      OTSContext() {}
-     ~OTSContext() {}
+     virtual ~OTSContext() {}
  
      // Process a given OpenType file and write out a sanitised version
      //   output: a pointer to an object implementing the OTSStream interface. The
      //     sanitisied output will be written to this. In the even of a failure,
      //     partial output may have been written.
 @@ -222,13 +242,13 @@ class OTSContext {
  // For backward compatibility - remove once Chrome switches over to the new API.
  bool Process(OTSStream *output, const uint8_t *input, size_t length);
--- a/gfx/ots/src/gasp.cc
+++ b/gfx/ots/src/gasp.cc
@@ -6,20 +6,20 @@
 
 // gasp - Grid-fitting And Scan-conversion Procedure
 // http://www.microsoft.com/typography/otspec/gasp.htm
 
 #define TABLE_NAME "gasp"
 
 #define DROP_THIS_TABLE(...) \
   do { \
+    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
+    OTS_FAILURE_MSG("Table discarded"); \
     delete file->gasp; \
     file->gasp = 0; \
-    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
-    OTS_FAILURE_MSG("Table discarded"); \
   } while (0)
 
 namespace ots {
 
 bool ots_gasp_parse(OpenTypeFile *file, const uint8_t *data, size_t length) {
   Buffer table(data, length);
 
   OpenTypeGASP *gasp = new OpenTypeGASP;
--- a/gfx/ots/src/gdef.cc
+++ b/gfx/ots/src/gdef.cc
@@ -226,19 +226,19 @@ bool ParseMarkGlyphSetsDefTable(ots::Ope
   file->gdef->num_mark_glyph_sets = mark_set_count;
   return true;
 }
 
 }  // namespace
 
 #define DROP_THIS_TABLE(msg_) \
   do { \
+    OTS_FAILURE_MSG(msg_ ", table discarded"); \
     file->gdef->data = 0; \
     file->gdef->length = 0; \
-    OTS_FAILURE_MSG(msg_ ", table discarded"); \
   } while (0)
 
 namespace ots {
 
 bool ots_gdef_parse(OpenTypeFile *file, const uint8_t *data, size_t length) {
   // Grab the number of glyphs in the file from the maxp table to check
   // GlyphIDs in GDEF table.
   if (!file->maxp) {
--- a/gfx/ots/src/gpos.cc
+++ b/gfx/ots/src/gpos.cc
@@ -672,19 +672,19 @@ bool ParseExtensionPositioning(const ots
   return ots::ParseExtensionSubtable(file, data, length,
                                      &kGposLookupSubtableParser);
 }
 
 }  // namespace
 
 #define DROP_THIS_TABLE(msg_) \
   do { \
+    OTS_FAILURE_MSG(msg_ ", table discarded"); \
     file->gpos->data = 0; \
     file->gpos->length = 0; \
-    OTS_FAILURE_MSG(msg_ ", table discarded"); \
   } while (0)
 
 namespace ots {
 
 // As far as I checked, following fonts contain invalid GPOS table and
 // OTS will drop their GPOS table.
 //
 // # invalid delta format in device table
--- a/gfx/ots/src/gsub.cc
+++ b/gfx/ots/src/gsub.cc
@@ -525,19 +525,19 @@ bool ParseReverseChainingContextSingleSu
 
   return true;
 }
 
 }  // namespace
 
 #define DROP_THIS_TABLE(msg_) \
   do { \
+    OTS_FAILURE_MSG(msg_ ", table discarded"); \
     file->gsub->data = 0; \
     file->gsub->length = 0; \
-    OTS_FAILURE_MSG(msg_ ", table discarded"); \
   } while (0)
 
 namespace ots {
 
 // As far as I checked, following fonts contain invalid values in GSUB table.
 // OTS will drop their GSUB table.
 //
 // # too large substitute (value is 0xFFFF)
--- a/gfx/ots/src/hdmx.cc
+++ b/gfx/ots/src/hdmx.cc
@@ -8,20 +8,20 @@
 
 // hdmx - Horizontal Device Metrics
 // http://www.microsoft.com/typography/otspec/hdmx.htm
 
 #define TABLE_NAME "hdmx"
 
 #define DROP_THIS_TABLE(...) \
   do { \
+    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
+    OTS_FAILURE_MSG("Table discarded"); \
     delete file->hdmx; \
     file->hdmx = 0; \
-    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
-    OTS_FAILURE_MSG("Table discarded"); \
   } while (0)
 
 namespace ots {
 
 bool ots_hdmx_parse(OpenTypeFile *file, const uint8_t *data, size_t length) {
   Buffer table(data, length);
   file->hdmx = new OpenTypeHDMX;
   OpenTypeHDMX * const hdmx = file->hdmx;
--- a/gfx/ots/src/kern.cc
+++ b/gfx/ots/src/kern.cc
@@ -6,19 +6,19 @@
 
 // kern - Kerning
 // http://www.microsoft.com/typography/otspec/kern.htm
 
 #define TABLE_NAME "kern"
 
 #define DROP_THIS_TABLE(msg_) \
   do { \
+    OTS_FAILURE_MSG(msg_ ", table discarded"); \
     delete file->kern; \
     file->kern = 0; \
-    OTS_FAILURE_MSG(msg_ ", table discarded"); \
   } while (0)
 
 namespace ots {
 
 bool ots_kern_parse(OpenTypeFile *file, const uint8_t *data, size_t length) {
   Buffer table(data, length);
 
   OpenTypeKERN *kern = new OpenTypeKERN;
--- a/gfx/ots/src/ltsh.cc
+++ b/gfx/ots/src/ltsh.cc
@@ -8,20 +8,20 @@
 
 // LTSH - Linear Threshold
 // http://www.microsoft.com/typography/otspec/ltsh.htm
 
 #define TABLE_NAME "LTSH"
 
 #define DROP_THIS_TABLE(...) \
   do { \
+    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
+    OTS_FAILURE_MSG("Table discarded"); \
     delete file->ltsh; \
     file->ltsh = 0; \
-    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
-    OTS_FAILURE_MSG("Table discarded"); \
   } while (0)
 
 namespace ots {
 
 bool ots_ltsh_parse(OpenTypeFile *file, const uint8_t *data, size_t length) {
   Buffer table(data, length);
 
   if (!file->maxp) {
--- a/gfx/ots/src/math.cc
+++ b/gfx/ots/src/math.cc
@@ -513,19 +513,19 @@ bool ParseMathVariantsTable(const ots::O
 
   return true;
 }
 
 }  // namespace
 
 #define DROP_THIS_TABLE(msg_) \
   do { \
+    OTS_FAILURE_MSG(msg_ ", table discarded"); \
     file->math->data = 0; \
     file->math->length = 0; \
-    OTS_FAILURE_MSG(msg_ ", table discarded"); \
   } while (0)
 
 namespace ots {
 
 bool ots_math_parse(OpenTypeFile *file, const uint8_t *data, size_t length) {
   // Grab the number of glyphs in the file from the maxp table to check
   // GlyphIDs in MATH table.
   if (!file->maxp) {
--- a/gfx/ots/src/ots.cc
+++ b/gfx/ots/src/ots.cc
@@ -404,17 +404,17 @@ bool ProcessWOFF2(ots::OpenTypeFile *hea
     return OTS_FAILURE();
   }
   // decompressed font must be <= 30MB
   if (decompressed_size > 30 * 1024 * 1024) {
     return OTS_FAILURE();
   }
 
   std::vector<uint8_t> decompressed_buffer(decompressed_size);
-  if (!ots::ConvertWOFF2ToTTF(&decompressed_buffer[0], decompressed_size,
+  if (!ots::ConvertWOFF2ToTTF(header, &decompressed_buffer[0], decompressed_size,
                               data, length)) {
     return OTS_FAILURE();
   }
   return ProcessTTF(header, output, &decompressed_buffer[0], decompressed_size);
 }
 #endif
 
 ots::TableAction GetTableAction(ots::OpenTypeFile *header, uint32_t tag) {
--- a/gfx/ots/src/vdmx.cc
+++ b/gfx/ots/src/vdmx.cc
@@ -6,20 +6,20 @@
 
 // VDMX - Vertical Device Metrics
 // http://www.microsoft.com/typography/otspec/vdmx.htm
 
 #define TABLE_NAME "VDMX"
 
 #define DROP_THIS_TABLE(...) \
   do { \
+    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
+    OTS_FAILURE_MSG("Table discarded"); \
     delete file->vdmx; \
     file->vdmx = 0; \
-    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
-    OTS_FAILURE_MSG("Table discarded"); \
   } while (0)
 
 namespace ots {
 
 bool ots_vdmx_parse(OpenTypeFile *file, const uint8_t *data, size_t length) {
   Buffer table(data, length);
   file->vdmx = new OpenTypeVDMX;
   OpenTypeVDMX * const vdmx = file->vdmx;
--- a/gfx/ots/src/vorg.cc
+++ b/gfx/ots/src/vorg.cc
@@ -8,20 +8,20 @@
 
 // VORG - Vertical Origin Table
 // http://www.microsoft.com/typography/otspec/vorg.htm
 
 #define TABLE_NAME "VORG"
 
 #define DROP_THIS_TABLE(...) \
   do { \
+    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
+    OTS_FAILURE_MSG("Table discarded"); \
     delete file->vorg; \
     file->vorg = 0; \
-    OTS_FAILURE_MSG_(file, TABLE_NAME ": " __VA_ARGS__); \
-    OTS_FAILURE_MSG("Table discarded"); \
   } while (0)
 
 namespace ots {
 
 bool ots_vorg_parse(OpenTypeFile *file, const uint8_t *data, size_t length) {
   Buffer table(data, length);
   file->vorg = new OpenTypeVORG;
   OpenTypeVORG * const vorg = file->vorg;
--- a/gfx/ots/src/woff2.cc
+++ b/gfx/ots/src/woff2.cc
@@ -4,25 +4,25 @@
 
 // This is the implementation of decompression of the proposed WOFF Ultra
 // Condensed file format.
 
 #include <cassert>
 #include <cstdlib>
 #include <vector>
 
-#include <zlib.h>
-
 #include "decode.h"
 
 #include "opentype-sanitiser.h"
 #include "ots-memory-stream.h"
 #include "ots.h"
 #include "woff2.h"
 
+#define TABLE_NAME "WOFF2"
+
 namespace {
 
 // simple glyph flags
 const uint8_t kGlyfOnCurve = 1 << 0;
 const uint8_t kGlyfXShort = 1 << 1;
 const uint8_t kGlyfYShort = 1 << 2;
 const uint8_t kGlyfRepeat = 1 << 3;
 const uint8_t kGlyfThisXIsSame = 1 << 4;
@@ -41,25 +41,18 @@ const size_t kSfntEntrySize = 16;
 const size_t kCheckSumAdjustmentOffset = 8;
 
 const size_t kEndPtsOfContoursOffset = 10;
 const size_t kCompositeGlyphBegin = 10;
 
 // Note that the byte order is big-endian, not the same as ots.cc
 #define TAG(a, b, c, d) ((a << 24) | (b << 16) | (c << 8) | d)
 
-const unsigned int kWoff2FlagsContinueStream = 1 << 4;
 const unsigned int kWoff2FlagsTransform = 1 << 5;
 
-// Compression type values common to both short and long formats
-const uint32_t kCompressionTypeMask = 0xf;
-const uint32_t kCompressionTypeNone = 0;
-const uint32_t kCompressionTypeGzip = 1;
-const uint32_t kCompressionTypeBrotli = 2;
-
 const uint32_t kKnownTags[] = {
   TAG('c', 'm', 'a', 'p'),  // 0
   TAG('h', 'e', 'a', 'd'),  // 1
   TAG('h', 'h', 'e', 'a'),  // 2
   TAG('h', 'm', 't', 'x'),  // 3
   TAG('m', 'a', 'x', 'p'),  // 4
   TAG('n', 'a', 'm', 'e'),  // 5
   TAG('O', 'S', '/', '2'),  // 6
@@ -125,29 +118,25 @@ struct Point {
   int16_t x;
   int16_t y;
   bool on_curve;
 };
 
 struct Table {
   uint32_t tag;
   uint32_t flags;
-  uint32_t src_offset;
-  uint32_t src_length;
 
   uint32_t transform_length;
 
   uint32_t dst_offset;
   uint32_t dst_length;
 
   Table()
       : tag(0),
         flags(0),
-        src_offset(0),
-        src_length(0),
         transform_length(0),
         dst_offset(0),
         dst_length(0) {}
 };
 
 // Based on section 6.1.1 of MicroType Express draft spec
 bool Read255UShort(ots::Buffer* buf, uint16_t* value) {
   static const uint8_t kWordCode = 253;
@@ -770,81 +759,67 @@ bool FixChecksums(const std::vector<Tabl
   file_checksum += ComputeChecksum(dst,
       kSfntHeaderSize + kSfntEntrySize * n_tables);
   uint32_t checksum_adjustment = 0xb1b0afba - file_checksum;
   StoreU32(dst, adjustment_offset, checksum_adjustment);
   return true;
 }
 
 bool Woff2Uncompress(uint8_t* dst_buf, size_t dst_size,
-    const uint8_t* src_buf, size_t src_size, uint32_t compression_type) {
-  if (compression_type == kCompressionTypeGzip) {
-    uLongf uncompressed_length = dst_size;
-    int r = uncompress(reinterpret_cast<Bytef *>(dst_buf), &uncompressed_length,
-        src_buf, src_size);
-    if (r != Z_OK || uncompressed_length != dst_size) {
-      return OTS_FAILURE();
-    }
-    return true;
-  } else if (compression_type == kCompressionTypeBrotli) {
-    size_t uncompressed_size = dst_size;
-    int ok = BrotliDecompressBuffer(src_size, src_buf,
-                                    &uncompressed_size, dst_buf);
-    if (!ok || uncompressed_size != dst_size) {
-      return OTS_FAILURE();
-    }
-    return true;
+    const uint8_t* src_buf, size_t src_size) {
+  size_t uncompressed_size = dst_size;
+  int ok = BrotliDecompressBuffer(src_size, src_buf,
+                                  &uncompressed_size, dst_buf);
+  if (!ok || uncompressed_size != dst_size) {
+    return OTS_FAILURE();
   }
-  // Unknown compression type
-  return OTS_FAILURE();
+  return true;
 }
 
-bool ReadShortDirectory(ots::Buffer* file, std::vector<Table>* tables,
+bool ReadShortDirectory(ots::OpenTypeFile* file,
+    ots::Buffer* buffer, std::vector<Table>* tables,
     size_t num_tables) {
   for (size_t i = 0; i < num_tables; ++i) {
     Table* table = &tables->at(i);
     uint8_t flag_byte;
-    if (!file->ReadU8(&flag_byte)) {
-      return OTS_FAILURE();
+    if (!buffer->ReadU8(&flag_byte)) {
+      return OTS_FAILURE_MSG("Failed to read the flags of table directory entry %d", i);
     }
     uint32_t tag;
     if ((flag_byte & 0x3f) == 0x3f) {
-      if (!file->ReadU32(&tag)) {
-        return OTS_FAILURE();
+      if (!buffer->ReadU32(&tag)) {
+        return OTS_FAILURE_MSG("Failed to read the tag of table directory entry %d", i);
       }
     } else {
       tag = kKnownTags[flag_byte & 0x3f];
     }
     // Bits 6 and 7 are reserved and must be 0.
     if ((flag_byte & 0xc0) != 0) {
-      return OTS_FAILURE();
+      return OTS_FAILURE_MSG("Bits 6 and 7 are not 0 for table directory entry %d", i);
     }
-    uint32_t flags = kCompressionTypeBrotli;
-    if (i > 0) {
-      flags |= kWoff2FlagsContinueStream;
-    }
+    uint32_t flags = 0;
     // Always transform the glyf and loca tables
     if (tag == TAG('g', 'l', 'y', 'f') ||
         tag == TAG('l', 'o', 'c', 'a')) {
       flags |= kWoff2FlagsTransform;
     }
     uint32_t dst_length;
-    if (!ReadBase128(file, &dst_length)) {
-      return OTS_FAILURE();
+    if (!ReadBase128(buffer, &dst_length)) {
+      return OTS_FAILURE_MSG("Failed to read \"origLength\" for table %4.4s", (char*)&tag);
     }
     uint32_t transform_length = dst_length;
     if ((flags & kWoff2FlagsTransform) != 0) {
-      if (!ReadBase128(file, &transform_length)) {
-        return OTS_FAILURE();
+      if (!ReadBase128(buffer, &transform_length)) {
+        return OTS_FAILURE_MSG("Failed to read \"transformLength\" for table %4.4s", (char*)&tag);
       }
     }
     // Disallow huge numbers (> 1GB) for sanity.
     if (transform_length > 1024 * 1024 * 1024 ||
         dst_length > 1024 * 1024 * 1024) {
-      return OTS_FAILURE();
+      return OTS_FAILURE_MSG("\"origLength\" or \"transformLength\" > 1GB");
     }
     table->tag = tag;
     table->flags = flags;
     table->transform_length = transform_length;
     table->dst_length = dst_length;
   }
   return true;
 }
@@ -859,92 +834,82 @@ size_t ComputeWOFF2FinalSize(const uint8
 
   if (!file.Skip(16) ||
       !file.ReadU32(&total_length)) {
     return 0;
   }
   return total_length;
 }
 
-bool ConvertWOFF2ToTTF(uint8_t* result, size_t result_length,
+bool ConvertWOFF2ToTTF(ots::OpenTypeFile* file,
+                       uint8_t* result, size_t result_length,
                        const uint8_t* data, size_t length) {
   static const uint32_t kWoff2Signature = 0x774f4632;  // "wOF2"
-  ots::Buffer file(data, length);
+  ots::Buffer buffer(data, length);
 
   uint32_t signature;
   uint32_t flavor = 0;
-  if (!file.ReadU32(&signature) || signature != kWoff2Signature ||
-      !file.ReadU32(&flavor)) {
-    return OTS_FAILURE();
+  if (!buffer.ReadU32(&signature) || signature != kWoff2Signature ||
+      !buffer.ReadU32(&flavor)) {
+    return OTS_FAILURE_MSG("Failed to read \"signature\" or \"flavor\", or not WOFF2 signature");
   }
 
   if (!IsValidVersionTag(ntohl(flavor))) {
-    return OTS_FAILURE();
+    return OTS_FAILURE_MSG("Invalid \"flavor\"");
   }
 
   uint32_t reported_length;
-  if (!file.ReadU32(&reported_length) || length != reported_length) {
-    return OTS_FAILURE();
+  if (!buffer.ReadU32(&reported_length) || length != reported_length) {
+    return OTS_FAILURE_MSG("Failed to read \"length\" or it does not match the actual file size");
   }
   uint16_t num_tables;
-  if (!file.ReadU16(&num_tables) || !num_tables) {
-    return OTS_FAILURE();
+  if (!buffer.ReadU16(&num_tables) || !num_tables) {
+    return OTS_FAILURE_MSG("Failed to read \"numTables\"");
   }
   // We don't care about these fields of the header:
   //   uint16_t reserved
   //   uint32_t total_sfnt_size
-  if (!file.Skip(6)) {
-    return OTS_FAILURE();
+  if (!buffer.Skip(6)) {
+    return OTS_FAILURE_MSG("Failed to read \"reserve\" or \"totalSfntSize\"");
   }
   uint32_t compressed_length;
-  if (!file.ReadU32(&compressed_length)) {
+  if (!buffer.ReadU32(&compressed_length)) {
+    return OTS_FAILURE_MSG("Failed to read \"totalCompressedSize\"");
+  }
+  if (compressed_length > std::numeric_limits<uint32_t>::max()) {
     return OTS_FAILURE();
   }
+
   // We don't care about these fields of the header:
   //   uint16_t major_version, minor_version
   //   uint32_t meta_offset, meta_length, meta_orig_length
   //   uint32_t priv_offset, priv_length
-  if (!file.Skip(24)) {
+  if (!buffer.Skip(24)) {
     return OTS_FAILURE();
   }
   std::vector<Table> tables(num_tables);
-  if (!ReadShortDirectory(&file, &tables, num_tables)) {
+  if (!ReadShortDirectory(file, &buffer, &tables, num_tables)) {
+    return OTS_FAILURE_MSG("Failed to read table directory");
+  }
+  uint64_t compressed_offset = buffer.offset();
+  if (compressed_offset > std::numeric_limits<uint32_t>::max()) {
     return OTS_FAILURE();
   }
-  uint64_t src_offset = file.offset();
   uint64_t dst_offset = kSfntHeaderSize +
       kSfntEntrySize * static_cast<uint64_t>(num_tables);
-  uint64_t uncompressed_sum = 0;
   for (uint16_t i = 0; i < num_tables; ++i) {
     Table* table = &tables.at(i);
-    table->src_offset = static_cast<uint32_t>(src_offset);
-    table->src_length = (i == 0 ? compressed_length : 0);
-    src_offset += table->src_length;
-    if (src_offset > std::numeric_limits<uint32_t>::max()) {
-      return OTS_FAILURE();
-    }
-    src_offset = ots::Round4(src_offset);
     table->dst_offset = static_cast<uint32_t>(dst_offset);
     dst_offset += table->dst_length;
     if (dst_offset > std::numeric_limits<uint32_t>::max()) {
       return OTS_FAILURE();
     }
     dst_offset = ots::Round4(dst_offset);
-    if ((table->flags & kCompressionTypeMask) != kCompressionTypeNone) {
-      uncompressed_sum += table->src_length;
-      if (uncompressed_sum > std::numeric_limits<uint32_t>::max()) {
-        return OTS_FAILURE();
-      }
-    }
   }
-  // Enforce same 30M limit on uncompressed tables as OTS
-  if (uncompressed_sum > 30 * 1024 * 1024) {
-    return OTS_FAILURE();
-  }
-  if (src_offset > length || dst_offset > result_length) {
+  if (ots::Round4(compressed_offset + compressed_length) > length || dst_offset > result_length) {
     return OTS_FAILURE();
   }
 
   const uint32_t sfnt_header_and_table_directory_size = 12 + 16 * num_tables;
   if (sfnt_header_and_table_directory_size > result_length) {
     return OTS_FAILURE();
   }
 
@@ -963,60 +928,42 @@ bool ConvertWOFF2ToTTF(uint8_t* result, 
   for (uint16_t i = 0; i < num_tables; ++i) {
     const Table* table = &tables.at(i);
     offset = StoreU32(result, offset, table->tag);
     offset = StoreU32(result, offset, 0);  // checksum, to fill in later
     offset = StoreU32(result, offset, table->dst_offset);
     offset = StoreU32(result, offset, table->dst_length);
   }
   std::vector<uint8_t> uncompressed_buf;
-  bool continue_valid = false;
   const uint8_t* transform_buf = NULL;
+  uint64_t total_size = 0;
+
+  for (uint16_t i = 0; i < num_tables; ++i) {
+    total_size += tables.at(i).transform_length;
+    if (total_size > std::numeric_limits<uint32_t>::max()) {
+      return OTS_FAILURE();
+    }
+  }
+  // Enforce same 30M limit on uncompressed tables as OTS
+  if (total_size > 30 * 1024 * 1024) {
+    return OTS_FAILURE();
+  }
+  const size_t total_size_size_t = static_cast<size_t>(total_size);
+  uncompressed_buf.resize(total_size_size_t);
+  const uint8_t* src_buf = data + compressed_offset;
+  if (!Woff2Uncompress(&uncompressed_buf[0], total_size_size_t,
+      src_buf, compressed_length)) {
+    return OTS_FAILURE();
+  }
+  transform_buf = &uncompressed_buf[0];
+
   for (uint16_t i = 0; i < num_tables; ++i) {
     const Table* table = &tables.at(i);
     uint32_t flags = table->flags;
-    const uint8_t* src_buf = data + table->src_offset;
-    uint32_t compression_type = flags & kCompressionTypeMask;
     size_t transform_length = table->transform_length;
-    if ((flags & kWoff2FlagsContinueStream) != 0) {
-      if (!continue_valid) {
-        return OTS_FAILURE();
-      }
-    } else if (compression_type == kCompressionTypeNone) {
-      if (transform_length != table->src_length) {
-        return OTS_FAILURE();
-      }
-      transform_buf = src_buf;
-      continue_valid = false;
-    } else if ((flags & kWoff2FlagsContinueStream) == 0) {
-      uint64_t total_size = transform_length;
-      for (uint16_t j = i + 1; j < num_tables; ++j) {
-        if ((tables.at(j).flags & kWoff2FlagsContinueStream) == 0) {
-          break;
-        }
-        total_size += tables.at(j).transform_length;
-        if (total_size > std::numeric_limits<uint32_t>::max()) {
-          return OTS_FAILURE();
-        }
-      }
-      // Enforce same 30M limit on uncompressed tables as OTS
-      if (total_size > 30 * 1024 * 1024) {
-        return OTS_FAILURE();
-      }
-      const size_t total_size_size_t = static_cast<size_t>(total_size);
-      uncompressed_buf.resize(total_size_size_t);
-      if (!Woff2Uncompress(&uncompressed_buf[0], total_size_size_t,
-          src_buf, compressed_length, compression_type)) {
-        return OTS_FAILURE();
-      }
-      transform_buf = &uncompressed_buf[0];
-      continue_valid = true;
-    } else {
-      return OTS_FAILURE();
-    }
 
     if ((flags & kWoff2FlagsTransform) == 0) {
       if (transform_length != table->dst_length) {
         return OTS_FAILURE();
       }
       if (static_cast<uint64_t>(table->dst_offset) + transform_length >
           result_length) {
         return OTS_FAILURE();
@@ -1024,20 +971,21 @@ bool ConvertWOFF2ToTTF(uint8_t* result, 
       std::memcpy(result + table->dst_offset, transform_buf,
           transform_length);
     } else {
       if (!ReconstructTransformed(tables, table->tag,
             transform_buf, transform_length, result, result_length)) {
         return OTS_FAILURE();
       }
     }
-    if (continue_valid) {
-      transform_buf += transform_length;
-      if (transform_buf > &uncompressed_buf[0] + uncompressed_buf.size()) {
-        return OTS_FAILURE();
-      }
+
+    transform_buf += transform_length;
+    if (transform_buf > &uncompressed_buf[0] + uncompressed_buf.size()) {
+      return OTS_FAILURE();
     }
   }
 
   return FixChecksums(tables, result);
 }
 
 }  // namespace ots
+
+#undef TABLE_NAME
--- a/gfx/ots/src/woff2.h
+++ b/gfx/ots/src/woff2.h
@@ -8,13 +8,13 @@
 namespace ots {
 
 // Compute the size of the final uncompressed font, or 0 on error.
 size_t ComputeWOFF2FinalSize(const uint8_t *data, size_t length);
 
 // Decompresses the font into the target buffer. The result_length should
 // be the same as determined by ComputeFinalSize(). Returns true on successful
 // decompression.
-bool ConvertWOFF2ToTTF(uint8_t *result, size_t result_length,
+bool ConvertWOFF2ToTTF(OpenTypeFile *file, uint8_t *result, size_t result_length,
                        const uint8_t *data, size_t length);
 }
 
 #endif  // OTS_WOFF2_H_
--- a/gfx/ots/sync.sh
+++ b/gfx/ots/sync.sh
@@ -21,11 +21,8 @@ rm -rf include/
 cp -r $1/include .
 
 echo "Updating README.mozilla..."
 REVISION=`cd $1; git log | head -1 | sed "s/commit //"`
 sed -e "s/\(Current revision: \).*/\1$REVISION/" -i "" README.mozilla
 
 echo "Applying ots-visibility.patch..."
 patch -p3 < ots-visibility.patch
-
-echo "Applying ots-brotli-path.patch..."
-patch -p3 < ots-brotli-path.patch
--- a/gfx/thebes/gfxDWriteFonts.cpp
+++ b/gfx/thebes/gfxDWriteFonts.cpp
@@ -464,17 +464,17 @@ gfxDWriteFont::SetupCairoFont(gfxContext
         // the cairo_t, precluding any further drawing.
         return false;
     }
     cairo_set_scaled_font(aContext->GetCairo(), scaledFont);
     return true;
 }
 
 bool
-gfxDWriteFont::IsValid()
+gfxDWriteFont::IsValid() const
 {
     return mFontFace != nullptr;
 }
 
 IDWriteFontFace*
 gfxDWriteFont::GetFontFace()
 {
     return  mFontFace.get();
--- a/gfx/thebes/gfxDWriteFonts.h
+++ b/gfx/thebes/gfxDWriteFonts.h
@@ -23,60 +23,64 @@ class gfxDWriteFont : public gfxFont
 {
 public:
     gfxDWriteFont(gfxFontEntry *aFontEntry,
                   const gfxFontStyle *aFontStyle,
                   bool aNeedsBold = false,
                   AntialiasOption = kAntialiasDefault);
     ~gfxDWriteFont();
 
-    virtual gfxFont* CopyWithAntialiasOption(AntialiasOption anAAOption);
+    virtual gfxFont*
+    CopyWithAntialiasOption(AntialiasOption anAAOption) MOZ_OVERRIDE;
 
-    virtual uint32_t GetSpaceGlyph();
+    virtual uint32_t GetSpaceGlyph() MOZ_OVERRIDE;
 
-    virtual bool SetupCairoFont(gfxContext *aContext);
+    virtual bool SetupCairoFont(gfxContext *aContext) MOZ_OVERRIDE;
 
-    virtual bool AllowSubpixelAA() { return mAllowManualShowGlyphs; }
+    virtual bool AllowSubpixelAA() MOZ_OVERRIDE
+    { return mAllowManualShowGlyphs; }
 
-    virtual bool IsValid();
+    bool IsValid() const;
 
-    gfxFloat GetAdjustedSize() {
+    virtual gfxFloat GetAdjustedSize() const MOZ_OVERRIDE {
         return mAdjustedSize;
     }
 
     IDWriteFontFace *GetFontFace();
 
     /* override Measure to add padding for antialiasing */
     virtual RunMetrics Measure(gfxTextRun *aTextRun,
                                uint32_t aStart, uint32_t aEnd,
                                BoundingBoxType aBoundingBoxType,
                                gfxContext *aContextForTightBoundingBox,
                                Spacing *aSpacing,
-                               uint16_t aOrientation);
+                               uint16_t aOrientation) MOZ_OVERRIDE;
 
-    virtual bool ProvidesGlyphWidths() const;
+    virtual bool ProvidesGlyphWidths() const MOZ_OVERRIDE;
 
-    virtual int32_t GetGlyphWidth(DrawTarget& aDrawTarget, uint16_t aGID);
+    virtual int32_t GetGlyphWidth(DrawTarget& aDrawTarget,
+                                  uint16_t aGID) MOZ_OVERRIDE;
 
     virtual mozilla::TemporaryRef<mozilla::gfx::GlyphRenderingOptions>
-        GetGlyphRenderingOptions(const TextRunDrawParams* aRunParams = nullptr) MOZ_OVERRIDE;
+    GetGlyphRenderingOptions(const TextRunDrawParams* aRunParams = nullptr) MOZ_OVERRIDE;
 
     virtual void AddSizeOfExcludingThis(mozilla::MallocSizeOf aMallocSizeOf,
                                         FontCacheSizes* aSizes) const;
     virtual void AddSizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf,
                                         FontCacheSizes* aSizes) const;
 
     virtual FontType GetType() const { return FONT_TYPE_DWRITE; }
 
-    virtual mozilla::TemporaryRef<mozilla::gfx::ScaledFont> GetScaledFont(mozilla::gfx::DrawTarget *aTarget);
+    virtual mozilla::TemporaryRef<mozilla::gfx::ScaledFont>
+    GetScaledFont(mozilla::gfx::DrawTarget *aTarget) MOZ_OVERRIDE;
 
-    virtual cairo_scaled_font_t *GetCairoScaledFont();
+    virtual cairo_scaled_font_t *GetCairoScaledFont() MOZ_OVERRIDE;
 
 protected:
-    virtual const Metrics& GetHorizontalMetrics();
+    virtual const Metrics& GetHorizontalMetrics() MOZ_OVERRIDE;
 
     bool GetFakeMetricsForArialBlack(DWRITE_FONT_METRICS *aFontMetrics);
 
     void ComputeMetrics(AntialiasOption anAAOption);
 
     bool HasBitmapStrikeForSize(uint32_t aSize);
 
     cairo_font_face_t *CairoFontFace();
--- a/gfx/thebes/gfxFT2FontBase.h
+++ b/gfx/thebes/gfxFT2FontBase.h
@@ -16,31 +16,33 @@ public:
     gfxFT2FontBase(cairo_scaled_font_t *aScaledFont,
                    gfxFontEntry *aFontEntry,
                    const gfxFontStyle *aFontStyle);
     virtual ~gfxFT2FontBase();
 
     uint32_t GetGlyph(uint32_t aCharCode);
     void GetGlyphExtents(uint32_t aGlyph,
                          cairo_text_extents_t* aExtents);
-    virtual uint32_t GetSpaceGlyph();
-    virtual bool ProvidesGetGlyph() const { return true; }
-    virtual uint32_t GetGlyph(uint32_t unicode, uint32_t variation_selector);
-    virtual bool ProvidesGlyphWidths() const { return true; }
-    virtual int32_t GetGlyphWidth(DrawTarget& aDrawTarget, uint16_t aGID);
+    virtual uint32_t GetSpaceGlyph() MOZ_OVERRIDE;
+    virtual bool ProvidesGetGlyph() const MOZ_OVERRIDE { return true; }
+    virtual uint32_t GetGlyph(uint32_t unicode,
+                              uint32_t variation_selector) MOZ_OVERRIDE;
+    virtual bool ProvidesGlyphWidths() const MOZ_OVERRIDE { return true; }
+    virtual int32_t GetGlyphWidth(DrawTarget& aDrawTarget,
+                                  uint16_t aGID) MOZ_OVERRIDE;
 
     cairo_scaled_font_t *CairoScaledFont() { return mScaledFont; };
-    virtual bool SetupCairoFont(gfxContext *aContext);
+    virtual bool SetupCairoFont(gfxContext *aContext) MOZ_OVERRIDE;
 
-    virtual FontType GetType() const { return FONT_TYPE_FT2; }
+    virtual FontType GetType() const MOZ_OVERRIDE { return FONT_TYPE_FT2; }
 
     mozilla::gfx::FontOptions* GetFontOptions() { return &mFontOptions; }
 
 protected:
-    virtual const Metrics& GetHorizontalMetrics();
+    virtual const Metrics& GetHorizontalMetrics() MOZ_OVERRIDE;
 
     uint32_t mSpaceGlyph;
     bool mHasMetrics;
     Metrics mMetrics;
 
     // Azure font description
     mozilla::gfx::FontOptions  mFontOptions;
     void ConstructFontOptions();
--- a/gfx/thebes/gfxGDIFont.h
+++ b/gfx/thebes/gfxGDIFont.h
@@ -23,68 +23,77 @@ public:
                const gfxFontStyle *aFontStyle,
                bool aNeedsBold,
                AntialiasOption anAAOption = kAntialiasDefault);
 
     virtual ~gfxGDIFont();
 
     HFONT GetHFONT() { if (!mMetrics) Initialize(); return mFont; }
 
-    gfxFloat GetAdjustedSize() { if (!mMetrics) Initialize(); return mAdjustedSize; }
+    virtual gfxFloat GetAdjustedSize()
+    {
+        if (!mMetrics) {
+            Initialize();
+        }
+        return mAdjustedSize;
+    }
 
     cairo_font_face_t   *CairoFontFace() { return mFontFace; }
     cairo_scaled_font_t *CairoScaledFont() { return mScaledFont; }
 
     /* overrides for the pure virtual methods in gfxFont */
-    virtual uint32_t GetSpaceGlyph();
+    virtual uint32_t GetSpaceGlyph() MOZ_OVERRIDE;
 
-    virtual bool SetupCairoFont(gfxContext *aContext);
+    virtual bool SetupCairoFont(gfxContext *aContext) MOZ_OVERRIDE;
 
     /* override Measure to add padding for antialiasing */
     virtual RunMetrics Measure(gfxTextRun *aTextRun,
                                uint32_t aStart, uint32_t aEnd,
                                BoundingBoxType aBoundingBoxType,
                                gfxContext *aContextForTightBoundingBox,
                                Spacing *aSpacing,
-                               uint16_t aOrientation);
+                               uint16_t aOrientation) MOZ_OVERRIDE;
 
     /* required for MathML to suppress effects of ClearType "padding" */
-    virtual gfxFont* CopyWithAntialiasOption(AntialiasOption anAAOption);
+    virtual gfxFont*
+    CopyWithAntialiasOption(AntialiasOption anAAOption) MOZ_OVERRIDE;
 
     // If the font has a cmap table, we handle it purely with harfbuzz;
     // but if not (e.g. .fon fonts), we'll use a GDI callback to get glyphs.
-    virtual bool ProvidesGetGlyph() const {
+    virtual bool ProvidesGetGlyph() const MOZ_OVERRIDE {
         return !mFontEntry->HasCmapTable();
     }
 
-    virtual uint32_t GetGlyph(uint32_t aUnicode, uint32_t aVarSelector);
+    virtual uint32_t GetGlyph(uint32_t aUnicode,
+                              uint32_t aVarSelector) MOZ_OVERRIDE;
 
-    virtual bool ProvidesGlyphWidths() const { return true; }
+    virtual bool ProvidesGlyphWidths() const MOZ_OVERRIDE { return true; }
 
     // get hinted glyph width in pixels as 16.16 fixed-point value
-    virtual int32_t GetGlyphWidth(DrawTarget& aDrawTarget, uint16_t aGID);
+    virtual int32_t GetGlyphWidth(DrawTarget& aDrawTarget,
+                                  uint16_t aGID) MOZ_OVERRIDE;
 
     virtual void AddSizeOfExcludingThis(mozilla::MallocSizeOf aMallocSizeOf,
                                         FontCacheSizes* aSizes) const;
     virtual void AddSizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf,
                                         FontCacheSizes* aSizes) const;
 
-    virtual FontType GetType() const { return FONT_TYPE_GDI; }
+    virtual FontType GetType() const MOZ_OVERRIDE { return FONT_TYPE_GDI; }
 
 protected:
-    virtual const Metrics& GetHorizontalMetrics();
+    virtual const Metrics& GetHorizontalMetrics() MOZ_OVERRIDE;
 
     /* override to ensure the cairo font is set up properly */
     virtual bool ShapeText(gfxContext     *aContext,
                            const char16_t *aText,
                            uint32_t        aOffset,
                            uint32_t        aLength,
                            int32_t         aScript,
                            bool            aVertical,
-                           gfxShapedText  *aShapedText);
+                           gfxShapedText  *aShapedText) MOZ_OVERRIDE;
 
     void Initialize(); // creates metrics and Cairo fonts
 
     // Fill the given LOGFONT record according to our style, but don't adjust
     // the lfItalic field if we're going to use a cairo transform for fake
     // italics.
     void FillLogFont(LOGFONTW& aLogFont, gfxFloat aSize, bool aUseGDIFakeItalic);
 
--- a/gfx/thebes/gfxMacFont.cpp
+++ b/gfx/thebes/gfxMacFont.cpp
@@ -20,16 +20,17 @@
 
 using namespace mozilla;
 using namespace mozilla::gfx;
 
 gfxMacFont::gfxMacFont(MacOSFontEntry *aFontEntry, const gfxFontStyle *aFontStyle,
                        bool aNeedsBold)
     : gfxFont(aFontEntry, aFontStyle),
       mCGFont(nullptr),
+      mCTFont(nullptr),
       mFontFace(nullptr)
 {
     mApplySyntheticBold = aNeedsBold;
 
     mCGFont = aFontEntry->GetFontRef();
     if (!mCGFont) {
         mIsValid = false;
         return;
@@ -105,16 +106,19 @@ gfxMacFont::gfxMacFont(MacOSFontEntry *a
                 NS_ConvertUTF16toUTF8(GetName()).get(), cairoerr);
         NS_WARNING(warnBuf);
 #endif
     }
 }
 
 gfxMacFont::~gfxMacFont()
 {
+    if (mCTFont) {
+        ::CFRelease(mCTFont);
+    }
     if (mScaledFont) {
         cairo_scaled_font_destroy(mScaledFont);
     }
     if (mFontFace) {
         cairo_font_face_destroy(mFontFace);
     }
 }
 
@@ -357,16 +361,34 @@ gfxMacFont::GetCharWidth(CFDataRef aCmap
         if (::CGFontGetGlyphAdvances(mCGFont, &glyph, 1, &advance)) {
             return advance * aConvFactor;
         }
     }
 
     return 0;
 }
 
+int32_t
+gfxMacFont::GetGlyphWidth(DrawTarget& aDrawTarget, uint16_t aGID)
+{
+    if (!mCTFont) {
+        mCTFont = ::CTFontCreateWithGraphicsFont(mCGFont, mAdjustedSize,
+                                                 nullptr, nullptr);
+        if (!mCTFont) { // shouldn't happen, but let's be safe
+            NS_WARNING("failed to create CTFontRef to measure glyph width");
+            return 0;
+        }
+    }
+
+    CGSize advance;
+    ::CTFontGetAdvancesForGlyphs(mCTFont, kCTFontDefaultOrientation, &aGID,
+                                 &advance, 1);
+    return advance.width * 0x10000;
+}
+
 // Try to initialize font metrics via platform APIs (CG/CT),
 // and set mIsValid = TRUE on success.
 // We ONLY call this for local (platform) fonts that are not sfnt format;
 // for sfnts, including ALL downloadable fonts, we prefer to use
 // InitMetricsFromSfntTables and avoid platform APIs.
 void
 gfxMacFont::InitMetricsFromPlatform()
 {
--- a/gfx/thebes/gfxMacFont.h
+++ b/gfx/thebes/gfxMacFont.h
@@ -19,67 +19,83 @@ public:
     gfxMacFont(MacOSFontEntry *aFontEntry, const gfxFontStyle *aFontStyle,
                bool aNeedsBold);
 
     virtual ~gfxMacFont();
 
     CGFontRef GetCGFontRef() const { return mCGFont; }
 
     /* overrides for the pure virtual methods in gfxFont */
-    virtual uint32_t GetSpaceGlyph() {
+    virtual uint32_t GetSpaceGlyph() MOZ_OVERRIDE {
         return mSpaceGlyph;
     }
 
-    virtual bool SetupCairoFont(gfxContext *aContext);
+    virtual bool SetupCairoFont(gfxContext *aContext) MOZ_OVERRIDE;
 
     /* override Measure to add padding for antialiasing */
     virtual RunMetrics Measure(gfxTextRun *aTextRun,
                                uint32_t aStart, uint32_t aEnd,
                                BoundingBoxType aBoundingBoxType,
                                gfxContext *aContextForTightBoundingBox,
-                               Spacing *aSpacing, uint16_t aOrientation);
+                               Spacing *aSpacing,
+                               uint16_t aOrientation) MOZ_OVERRIDE;
 
-    virtual mozilla::TemporaryRef<mozilla::gfx::ScaledFont> GetScaledFont(mozilla::gfx::DrawTarget *aTarget);
+    // We need to provide hinted (non-linear) glyph widths if using a font
+    // with embedded color bitmaps (Apple Color Emoji), as Core Text renders
+    // the glyphs with non-linear scaling at small pixel sizes.
+    virtual bool ProvidesGlyphWidths() const MOZ_OVERRIDE {
+        return mFontEntry->HasFontTable(TRUETYPE_TAG('s','b','i','x'));
+    }
+
+    virtual int32_t GetGlyphWidth(DrawTarget& aDrawTarget,
+                                  uint16_t aGID) MOZ_OVERRIDE;
+
+    virtual mozilla::TemporaryRef<mozilla::gfx::ScaledFont>
+    GetScaledFont(mozilla::gfx::DrawTarget *aTarget) MOZ_OVERRIDE;
 
     virtual mozilla::TemporaryRef<mozilla::gfx::GlyphRenderingOptions>
       GetGlyphRenderingOptions(const TextRunDrawParams* aRunParams = nullptr) MOZ_OVERRIDE;
 
     virtual void AddSizeOfExcludingThis(mozilla::MallocSizeOf aMallocSizeOf,
                                         FontCacheSizes* aSizes) const;
     virtual void AddSizeOfIncludingThis(mozilla::MallocSizeOf aMallocSizeOf,
                                         FontCacheSizes* aSizes) const;
 
-    virtual FontType GetType() const { return FONT_TYPE_MAC; }
+    virtual FontType GetType() const MOZ_OVERRIDE { return FONT_TYPE_MAC; }
 
 protected:
-    virtual const Metrics& GetHorizontalMetrics() {
+    virtual const Metrics& GetHorizontalMetrics() MOZ_OVERRIDE {
         return mMetrics;
     }
 
     // override to prefer CoreText shaping with fonts that depend on AAT
     virtual bool ShapeText(gfxContext     *aContext,
                            const char16_t *aText,
                            uint32_t        aOffset,
                            uint32_t        aLength,
                            int32_t         aScript,
                            bool            aVertical,
-                           gfxShapedText  *aShapedText);
+                           gfxShapedText  *aShapedText) MOZ_OVERRIDE;
 
     void InitMetrics();
     void InitMetricsFromPlatform();
 
     // Get width and glyph ID for a character; uses aConvFactor
     // to convert font units as returned by CG to actual dimensions
     gfxFloat GetCharWidth(CFDataRef aCmap, char16_t aUniChar,
                           uint32_t *aGlyphID, gfxFloat aConvFactor);
 
     // a weak reference to the CoreGraphics font: this is owned by the
     // MacOSFontEntry, it is not retained or released by gfxMacFont
     CGFontRef             mCGFont;
 
+    // a Core Text font reference, created only if we're using CT to measure
+    // glyph widths; otherwise null.
+    CTFontRef             mCTFont;
+
     cairo_font_face_t    *mFontFace;
 
     nsAutoPtr<gfxFontShaper> mCoreTextShaper;
 
     Metrics               mMetrics;
     uint32_t              mSpaceGlyph;
 };
 
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -2124,17 +2124,17 @@ size_t ArenaList::countUsedCells()
 {
     size_t count = 0;
     for (ArenaHeader *arena = head_; arena; arena = arena->next)
         count += arena->countUsedCells();
     return count;
 }
 
 ArenaHeader *
-ArenaList::removeRemainingArenas(ArenaHeader **arenap)
+ArenaList::removeRemainingArenas(ArenaHeader **arenap, const AutoLockGC &lock)
 {
     // This is only ever called to remove arenas that are after the cursor, so
     // we don't need to update it.
 #ifdef DEBUG
     for (ArenaHeader *arena = *arenap; arena; arena = arena->next)
         MOZ_ASSERT(cursorp_ != &arena->next);
 #endif
     ArenaHeader *remainingArenas = *arenap;
@@ -2143,26 +2143,28 @@ ArenaList::removeRemainingArenas(ArenaHe
     return remainingArenas;
 }
 
 /*
  * Choose which arenas to relocate all cells out of and remove them from the
  * arena list. Return the head of a list of arenas to relocate.
  */
 ArenaHeader *
-ArenaList::pickArenasToRelocate()
-{
+ArenaList::pickArenasToRelocate(JSRuntime *runtime)
+{
+    AutoLockGC lock(runtime);
+
     check();
     if (isEmpty())
         return nullptr;
 
     // In zeal mode and in debug builds on 64 bit architectures, we relocate all
     // arenas. The purpose of this is to balance test coverage of object moving
     // with test coverage of the arena selection routine below.
-    bool relocateAll = head()->zone->runtimeFromMainThread()->gc.zeal() == ZealCompactValue;
+    bool relocateAll = runtime->gc.zeal() == ZealCompactValue;
 #if defined(DEBUG) && defined(JS_PUNBOX64)
     relocateAll = true;
 #endif
     if (relocateAll) {
         ArenaHeader *allArenas = head();
         clear();
         return allArenas;
     }
@@ -2185,17 +2187,17 @@ ArenaList::pickArenasToRelocate()
     size_t previousFreeCells = 0;                  // Count of free cells before
     size_t followingUsedCells = countUsedCells();  // Count of used cells after
     mozilla::DebugOnly<size_t> lastFreeCells(0);
     size_t cellsPerArena = Arena::thingsPerArena((*arenap)->getThingSize());
 
     while (*arenap) {
         ArenaHeader *arena = *arenap;
         if (followingUsedCells <= previousFreeCells)
-            return removeRemainingArenas(arenap);
+            return removeRemainingArenas(arenap, lock);
         size_t freeCells = arena->countFreeCells();
         size_t usedCells = cellsPerArena - freeCells;
         followingUsedCells -= usedCells;
 #ifdef DEBUG
         MOZ_ASSERT(freeCells >= lastFreeCells);
         lastFreeCells = freeCells;
 #endif
         previousFreeCells += freeCells;
@@ -2306,17 +2308,17 @@ ArenaLists::relocateArenas(ArenaHeader *
 {
     // Flush all the freeLists back into the arena headers
     purge();
     checkEmptyFreeLists();
 
     for (size_t i = 0; i < FINALIZE_LIMIT; i++) {
         if (CanRelocateAllocKind(AllocKind(i))) {
             ArenaList &al = arenaLists[i];
-            ArenaHeader *toRelocate = al.pickArenasToRelocate();
+            ArenaHeader *toRelocate = al.pickArenasToRelocate(runtime_);
             if (toRelocate)
                 relocatedList = al.relocateArenas(toRelocate, relocatedList);
         }
     }
 
     /*
      * When we allocate new locations for cells, we use
      * allocateFromFreeList(). Reset the free list again so that
--- a/js/src/jsgc.h
+++ b/js/src/jsgc.h
@@ -495,18 +495,18 @@ class ArenaList {
         *cursorp_ = other.head_;
         cursorp_ = other.cursorp_;
         check();
         return *this;
     }
 
 #ifdef JSGC_COMPACTING
     size_t countUsedCells();
-    ArenaHeader *removeRemainingArenas(ArenaHeader **arenap);
-    ArenaHeader *pickArenasToRelocate();
+    ArenaHeader *removeRemainingArenas(ArenaHeader **arenap, const AutoLockGC &lock);
+    ArenaHeader *pickArenasToRelocate(JSRuntime *runtime);
     ArenaHeader *relocateArenas(ArenaHeader *toRelocate, ArenaHeader *relocated);
 #endif
 };
 
 /*
  * A class that holds arenas in sorted order by appending arenas to specific
  * segments. Each segment has a head and a tail, which can be linked up to
  * other segments to create a contiguous ArenaList.
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -2306,17 +2306,17 @@ baseops::DeleteGeneric(JSContext *cx, Ha
         if (IsAnyTypedArray(obj)) {
             // Don't delete elements from typed arrays.
             *succeeded = false;
             return true;
         }
 
         if (!CallJSDeletePropertyOp(cx, obj->getClass()->delProperty, obj, id, succeeded))
             return false;
-        if (!succeeded)
+        if (!*succeeded)
             return true;
 
         NativeObject *nobj = &obj->as<NativeObject>();
         if (!nobj->maybeCopyElementsForWrite(cx))
             return false;
 
         nobj->setDenseElementHole(cx, JSID_TO_INT(id));
         return SuppressDeletedProperty(cx, obj, id);
@@ -2325,13 +2325,13 @@ baseops::DeleteGeneric(JSContext *cx, Ha
     if (!shape->configurable()) {
         *succeeded = false;
         return true;
     }
 
     RootedId propid(cx, shape->propid());
     if (!CallJSDeletePropertyOp(cx, obj->getClass()->delProperty, obj, propid, succeeded))
         return false;
-    if (!succeeded)
+    if (!*succeeded)
         return true;
 
     return obj->removeProperty(cx, id) && SuppressDeletedProperty(cx, obj, id);
 }
--- a/js/xpconnect/tests/mochitest/mochitest.ini
+++ b/js/xpconnect/tests/mochitest/mochitest.ini
@@ -90,16 +90,17 @@ skip-if= buildapp == 'mulet'
 [test_bug92773.html]
 [test_bug940783.html]
 [test_bug965082.html]
 [test_bug960820.html]
 [test_bug986542.html]
 [test_bug993423.html]
 [test_bug1005806.html]
 [test_bug1021258.html]
+[test_bug1094930.html]
 [test_crossOriginObjects.html]
 [test_crosscompartment_weakmap.html]
 [test_frameWrapping.html]
 # The JS test component we use below is only available in debug builds.
 [test_getWebIDLCaller.html]
 skip-if = (debug == false || os == "android")
 [test_nac.xhtml]
 [test_sameOriginPolicy.html]
new file mode 100644
--- /dev/null
+++ b/js/xpconnect/tests/mochitest/test_bug1094930.html
@@ -0,0 +1,29 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=1094930
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 1094930</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <iframe id="ifr"></iframe>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1094930">Mozilla Bug 1094930</a>
+<p id="display"></p>
+<script type="application/javascript">
+  SimpleTest.waitForExplicitFinish();
+  var proto = { 
+    createdCallback: function() {
+      ok(true, "createdCallback was called");
+      SimpleTest.finish()
+    }
+  };
+
+  var f = document.registerElement.call(frames[0].document, "x-foo", { prototype: proto });
+  var inst = new f();
+</script>
+</body>
+</html>
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -2643,17 +2643,18 @@ pref("ui.mouse.radius.visitedWeight", 12
 
 // When true, the ui.mouse.radius.* prefs will only affect simulated mouse events generated by touch input.
 // When false, the prefs will be used for all mouse events.
 pref("ui.mouse.radius.inputSource.touchOnly", true);
 
 #ifdef XP_WIN
 
 pref("font.name.serif.ar", "Times New Roman");
-pref("font.name.sans-serif.ar", "Arial");
+pref("font.name.sans-serif.ar", "Segoe UI");
+pref("font.name-list.sans-serif.ar", "Segoe UI, Tahoma, Arial");
 pref("font.name.monospace.ar", "Courier New");
 pref("font.name.cursive.ar", "Comic Sans MS");
 
 pref("font.name.serif.el", "Times New Roman");
 pref("font.name.sans-serif.el", "Arial");
 pref("font.name.monospace.el", "Courier New");
 pref("font.name.cursive.el", "Comic Sans MS");
 
@@ -3829,17 +3830,17 @@ pref("webgl.disabled", false);
 pref("webgl.shader_validator", true);
 pref("webgl.disable-angle", false);
 pref("webgl.min_capability_mode", false);
 pref("webgl.disable-extensions", false);
 pref("webgl.msaa-force", false);
 pref("webgl.prefer-16bpp", false);
 pref("webgl.default-no-alpha", false);
 pref("webgl.force-layers-readback", false);
-pref("webgl.lose-context-on-memory-preasure", false);
+pref("webgl.lose-context-on-memory-pressure", false);
 pref("webgl.can-lose-context-in-foreground", true);
 pref("webgl.restore-context-when-visible", true);
 pref("webgl.max-warnings-per-context", 32);
 pref("webgl.enable-draft-extensions", false);
 pref("webgl.enable-privileged-extensions", false);
 #ifdef XP_WIN
 pref("webgl.angle.try-d3d11", false);
 pref("webgl.angle.force-d3d11", false);
--- a/mozglue/build/Nuwa.cpp
+++ b/mozglue/build/Nuwa.cpp
@@ -24,20 +24,16 @@
 #include <vector>
 
 #include "mozilla/LinkedList.h"
 #include "mozilla/TaggedAnonymousMemory.h"
 #include "Nuwa.h"
 
 using namespace mozilla;
 
-extern "C" MFBT_API int tgkill(pid_t tgid, pid_t tid, int signalno) {
-  return syscall(__NR_tgkill, tgid, tid, signalno);
-}
-
 /**
  * Provides the wrappers to a selected set of pthread and system-level functions
  * as the basis for implementing Zygote-like preforking mechanism.
  */
 
 /**
  * Real functions for the wrappers.
  */
@@ -116,32 +112,55 @@ static size_t getPageSize(void) {
  * methods or do large allocations on the stack to avoid stack overflow.
  */
 #ifndef NUWA_STACK_SIZE
 #define NUWA_STACK_SIZE (1024 * 128)
 #endif
 
 #define NATIVE_THREAD_NAME_LENGTH 16
 
+typedef struct nuwa_construct {
+  typedef void(*construct_t)(void*);
+
+  construct_t construct;
+  void *arg;
+
+  nuwa_construct(construct_t aConstruct, void *aArg)
+    : construct(aConstruct)
+    , arg(aArg)
+  { }
+
+  nuwa_construct(const nuwa_construct&) = default;
+  nuwa_construct& operator=(const nuwa_construct&) = default;
+
+} nuwa_construct_t;
+
 struct thread_info : public mozilla::LinkedListElement<thread_info> {
   pthread_t origThreadID;
   pthread_t recreatedThreadID;
   pthread_attr_t threadAttr;
   jmp_buf jmpEnv;
   jmp_buf retEnv;
 
   int flags;
 
   void *(*startupFunc)(void *arg);
   void *startupArg;
 
   // The thread specific function to recreate the new thread. It's executed
   // after the thread is recreated.
-  void (*recrFunc)(void *arg);
-  void *recrArg;
+
+  std::vector<nuwa_construct_t> *recrFunctions;
+  void addThreadConstructor(const nuwa_construct_t *construct) {
+    if (!recrFunctions) {
+      recrFunctions = new std::vector<nuwa_construct_t>();
+    }
+
+    recrFunctions->push_back(*construct);
+  }
 
   TLSInfoList tlsInfo;
 
   /**
    * We must ensure that the recreated thread has entered pthread_cond_wait() or
    * similar functions before proceeding to recreate the next one. Otherwise, if
    * the next thread depends on the same mutex, it may be used in an incorrect
    * state.  To do this, the main thread must unconditionally acquire the mutex.
@@ -168,18 +187,22 @@ static thread_info_t *sCurrentRecreating
 
 /**
  * This function runs the custom recreation function registered when calling
  * NuwaMarkCurrentThread() after thread stack is restored.
  */
 static void
 RunCustomRecreation() {
   thread_info_t *tinfo = sCurrentRecreatingThread;
-  if (tinfo->recrFunc != nullptr) {
-    tinfo->recrFunc(tinfo->recrArg);
+  if (tinfo->recrFunctions) {
+    for (auto iter = tinfo->recrFunctions->begin();
+         iter != tinfo->recrFunctions->end();
+         iter++) {
+      iter->construct(iter->arg);
+    }
   }
 }
 
 /**
  * Every thread should be marked as either TINFO_FLAG_NUWA_SUPPORT or
  * TINFO_FLAG_NUWA_SKIP, or it means a potential error.  We force
  * Gecko code to mark every single thread to make sure there are no accidents
  * when recreating threads with Nuwa.
@@ -188,21 +211,16 @@ RunCustomRecreation() {
  * calling NuwaCheckpointCurrentThread(), or implicitly when they call into wrapped
  * functions like pthread_mutex_lock(), epoll_wait(), etc.
  * TINFO_FLAG_NUWA_EXPLICIT_CHECKPOINT denotes the explicitly checkpointed thread.
  */
 #define TINFO_FLAG_NUWA_SUPPORT 0x1
 #define TINFO_FLAG_NUWA_SKIP 0x2
 #define TINFO_FLAG_NUWA_EXPLICIT_CHECKPOINT 0x4
 
-typedef struct nuwa_construct {
-  void (*construct)(void *);
-  void *arg;
-} nuwa_construct_t;
-
 static std::vector<nuwa_construct_t> sConstructors;
 static std::vector<nuwa_construct_t> sFinalConstructors;
 
 typedef std::map<pthread_key_t, void (*)(void *)> TLSKeySet;
 static TLSKeySet sTLSKeys;
 
 /**
  * This mutex is used to block the running threads and freeze their contexts.
@@ -506,18 +524,17 @@ private:
 
 EpollManager* EpollManager::sInstance;
 
 static thread_info_t *
 thread_info_new(void) {
   /* link tinfo to sAllThreads */
   thread_info_t *tinfo = new thread_info_t();
   tinfo->flags = 0;
-  tinfo->recrFunc = nullptr;
-  tinfo->recrArg = nullptr;
+  tinfo->recrFunctions = nullptr;
   tinfo->recreatedThreadID = 0;
   tinfo->recreatedNativeThreadID = 0;
   tinfo->condMutex = nullptr;
   tinfo->condMutexNeedsBalancing = false;
   tinfo->stk = MozTaggedAnonymousMmap(nullptr,
                                       NUWA_STACK_SIZE + getPageSize(),
                                       PROT_READ | PROT_WRITE,
                                       MAP_PRIVATE | MAP_ANONYMOUS,
@@ -555,16 +572,20 @@ thread_info_cleanup(void *arg) {
 
   munmap(tinfo->stk, NUWA_STACK_SIZE + getPageSize());
 
   REAL(pthread_mutex_lock)(&sThreadCountLock);
   /* unlink tinfo from sAllThreads */
   tinfo->remove();
   pthread_mutex_unlock(&sThreadCountLock);
 
+  if (tinfo->recrFunctions) {
+    delete tinfo->recrFunctions;
+  }
+
   // while sThreadCountLock is held, since delete calls wrapped functions
   // which try to lock sThreadCountLock. This results in deadlock. And we
   // need to delete |tinfo| before decreasing sThreadCount, so Nuwa won't
   // get ready before tinfo is cleaned.
   delete tinfo;
 
   REAL(pthread_mutex_lock)(&sThreadCountLock);
   sThreadCount--;
@@ -1345,37 +1366,16 @@ extern "C" MFBT_API int
     EpollManager::Singleton()->FindEpollInfo(aFd);
   if (info) {
     EpollManager::Singleton()->RemoveEpollInfo(aFd);
   }
 
   return rv;
 }
 
-extern "C" MFBT_API int
-__wrap_tgkill(pid_t tgid, pid_t tid, int signalno)
-{
-  if (sIsNuwaProcess) {
-    return tgkill(tgid, tid, signalno);
-  }
-
-  if (tid == sMainThread.origNativeThreadID) {
-    return tgkill(tgid, sMainThread.recreatedNativeThreadID, signalno);
-  }
-
-  thread_info_t *tinfo = (tid == sMainThread.origNativeThreadID ?
-      &sMainThread :
-      GetThreadInfo(tid));
-  if (!tinfo) {
-    return tgkill(tgid, tid, signalno);
-  }
-
-  return tgkill(tgid, tinfo->recreatedNativeThreadID, signalno);
-}
-
 static void *
 thread_recreate_startup(void *arg) {
   /*
    * Dark Art!! Never do the same unless you are ABSOLUTELY sure what you are
    * doing!
    *
    * The stack space collapsed by this frame had been reserved by
    * thread_create_startup().  And thread_create_startup() will
@@ -1785,18 +1785,20 @@ NuwaMarkCurrentThread(void (*recreate)(v
   }
 
   thread_info_t *tinfo = CUR_THREAD_INFO;
   if (tinfo == nullptr) {
     abort();
   }
 
   tinfo->flags |= TINFO_FLAG_NUWA_SUPPORT;
-  tinfo->recrFunc = recreate;
-  tinfo->recrArg = arg;
+  if (recreate) {
+    nuwa_construct_t construct(recreate, arg);
+    tinfo->addThreadConstructor(&construct);
+  }
 
   // XXX Thread name might be set later than this call. If this is the case, we
   // might need to delay getting the thread name.
   prctl(PR_GET_NAME, (unsigned long)&tinfo->nativeThreadName, 0, 0, 0);
 }
 
 /**
  * Mark the current thread as not supporting Nuwa. Don't recreate this thread in
@@ -1893,34 +1895,41 @@ NuwaCheckpointCurrentThread2(int setjmpC
 }
 
 /**
  * Register methods to be invoked before recreating threads in the spawned
  * process.
  */
 MFBT_API void
 NuwaAddConstructor(void (*construct)(void *), void *arg) {
-  nuwa_construct_t ctr;
-  ctr.construct = construct;
-  ctr.arg = arg;
+  nuwa_construct_t ctr(construct, arg);
   sConstructors.push_back(ctr);
 }
 
 /**
  * Register methods to be invoked after recreating threads in the spawned
  * process.
  */
 MFBT_API void
 NuwaAddFinalConstructor(void (*construct)(void *), void *arg) {
-  nuwa_construct_t ctr;
-  ctr.construct = construct;
-  ctr.arg = arg;
+  nuwa_construct_t ctr(construct, arg);
   sFinalConstructors.push_back(ctr);
 }
 
+MFBT_API void
+NuwaAddThreadConstructor(void (*aConstruct)(void *), void *aArg) {
+  thread_info *tinfo = CUR_THREAD_INFO;
+  if (!tinfo || !aConstruct) {
+    return;
+  }
+
+  nuwa_construct_t construct(aConstruct, aArg);
+  tinfo->addThreadConstructor(&construct);
+}
+
 /**
  * @return if the current process is the nuwa process.
  */
 MFBT_API bool
 IsNuwaProcess() {
   return sIsNuwaProcess;
 }
 
--- a/mozglue/build/Nuwa.h
+++ b/mozglue/build/Nuwa.h
@@ -83,16 +83,20 @@ MFBT_API pid_t NuwaSpawn();
 
 /**
  * Mark the current thread as supporting Nuwa. The thread will implicitly freeze
  * by calling a blocking method such as pthread_mutex_lock() or epoll_wait().
  *
  * @param recreate The custom function that will be called in the spawned
  *                 process, after the thread is recreated. Can be nullptr if no
  *                 custom function to be called after the thread is recreated.
+ *                 Note that this function is called duing thread recreation
+ *                 while other threads are frozen. It must not perform any
+ *                 action (e.g. acquiring a mutex) that might depend on another
+ *                 thread that is still blocked.
  * @param arg The argument passed to the custom function. Can be nullptr.
  */
 MFBT_API void NuwaMarkCurrentThread(void (*recreate)(void *), void *arg);
 
 /**
  * Mark the current thread as not supporting Nuwa. The calling thread will not
  * be automatically cloned from the Nuwa process to spawned process. If this
  * thread needs to be created in the spawned process, use NuwaAddConstructor()
@@ -132,32 +136,48 @@ MFBT_API void PrepareNuwaProcess();
 
 /**
  * Make the current process a Nuwa process. Start to freeze the threads.
  */
 MFBT_API void MakeNuwaProcess();
 
 /**
  * Register a method to be invoked after a new process is spawned. The method
- * will be invoked on the main thread.
+ * will be invoked on the main thread *before* recreating the other threads.
+ * The registered method must not perform any action (e.g. acquiring a mutex)
+ * that might depend on another thread that has not yet been recreated.
  *
  * @param construct The method to be invoked.
  * @param arg The argument passed to the method.
  */
 MFBT_API void NuwaAddConstructor(void (*construct)(void *), void *arg);
 
+
 /**
  * Register a method to be invoked after a new process is spawned and threads
- * are recreated. The method will be invoked on the main thread.
+ * are recreated. The method will be invoked on the main thread *after*
+ * the other threads are recreated and fully functional.
  *
  * @param construct The method to be invoked.
  * @param arg The argument passed to the method.
  */
 MFBT_API void NuwaAddFinalConstructor(void (*construct)(void *), void *arg);
 
+
+/**
+ * Register a method to be invoked after the current thread is recreated in the
+ * spawned process. Note that this function is called while other threads are
+ * frozen. It must not perform any action (e.g. acquiring a mutex) that might
+ * depend on another thread that is still blocked.
+ *
+ * @param construct The method to be invoked.
+ * @param arg The argument passed to the method.
+ */
+MFBT_API void NuwaAddThreadConstructor(void (*construct)(void *), void *arg);
+
 /**
  * The methods to query the Nuwa-related states.
  */
 
 /**
  * @return If the current process is the Nuwa process.
  */
 MFBT_API bool IsNuwaProcess();
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_18_BETA1
+NSS_3_18_BETA2
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/lib/ckfw/builtins/bfind.c
+++ b/security/nss/lib/ckfw/builtins/bfind.c
@@ -178,17 +178,26 @@ nss_builtins_FindObjectsInit
   CK_ULONG ulAttributeCount,
   CK_RV *pError
 )
 {
   /* This could be made more efficient.  I'm rather rushed. */
   NSSArena *arena;
   NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
   struct builtinsFOStr *fo = (struct builtinsFOStr *)NULL;
-  builtinsInternalObject **temp = (builtinsInternalObject **)NULL;
+
+  /*
+   * 99% of the time we get 0 or 1 matches. So we start with a small
+   * stack-allocated array to hold the matches and switch to a heap-allocated
+   * array later if the number of matches exceeds STACK_BUF_LENGTH.
+   */
+  #define STACK_BUF_LENGTH 1
+  builtinsInternalObject *stackTemp[STACK_BUF_LENGTH];
+  builtinsInternalObject **temp = stackTemp;
+  PRBool tempIsHeapAllocated = PR_FALSE;
   PRUint32 i;
 
   arena = NSSArena_Create();
   if( (NSSArena *)NULL == arena ) {
     goto loser;
   }
 
   rv = nss_ZNEW(arena, NSSCKMDFindObjects);
@@ -206,46 +215,57 @@ nss_builtins_FindObjectsInit
   fo->arena = arena;
   /* fo->n and fo->i are already zero */
 
   rv->etc = (void *)fo;
   rv->Final = builtins_mdFindObjects_Final;
   rv->Next = builtins_mdFindObjects_Next;
   rv->null = (void *)NULL;
 
-  temp = nss_ZNEWARRAY((NSSArena *)NULL, builtinsInternalObject *, 
-                       nss_builtins_nObjects);
-  if( (builtinsInternalObject **)NULL == temp ) {
-    *pError = CKR_HOST_MEMORY;
-    goto loser;
-  }
-
   for( i = 0; i < nss_builtins_nObjects; i++ ) {
     builtinsInternalObject *o = (builtinsInternalObject *)&nss_builtins_data[i];
 
     if( CK_TRUE == builtins_match(pTemplate, ulAttributeCount, o) ) {
+      if( fo->n == STACK_BUF_LENGTH ) {
+        /* Switch from the small stack array to a heap-allocated array large
+         * enough to handle matches in all remaining cases. */
+        temp = nss_ZNEWARRAY((NSSArena *)NULL, builtinsInternalObject *,
+                             fo->n + nss_builtins_nObjects - i);
+        if( (builtinsInternalObject **)NULL == temp ) {
+          *pError = CKR_HOST_MEMORY;
+          goto loser;
+        }
+        tempIsHeapAllocated = PR_TRUE;
+        (void)nsslibc_memcpy(temp, stackTemp,
+                             sizeof(builtinsInternalObject *) * fo->n);
+      }
+
       temp[ fo->n ] = o;
       fo->n++;
     }
   }
 
   fo->objs = nss_ZNEWARRAY(arena, builtinsInternalObject *, fo->n);
   if( (builtinsInternalObject **)NULL == fo->objs ) {
     *pError = CKR_HOST_MEMORY;
     goto loser;
   }
 
   (void)nsslibc_memcpy(fo->objs, temp, sizeof(builtinsInternalObject *) * fo->n);
-  nss_ZFreeIf(temp);
-  temp = (builtinsInternalObject **)NULL;
+  if (tempIsHeapAllocated) {
+    nss_ZFreeIf(temp);
+    temp = (builtinsInternalObject **)NULL;
+  }
 
   return rv;
 
  loser:
-  nss_ZFreeIf(temp);
+  if (tempIsHeapAllocated) {
+    nss_ZFreeIf(temp);
+  }
   nss_ZFreeIf(fo);
   nss_ZFreeIf(rv);
   if ((NSSArena *)NULL != arena) {
      NSSArena_Destroy(arena);
   }
   return (NSSCKMDFindObjects *)NULL;
 }
 
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -65,431 +65,16 @@
 BEGINDATA
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_BUILTIN_ROOT_LIST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
 CKA_LABEL UTF8 "Mozilla Builtin Roots"
 
 #
-# Certificate "GTE CyberTrust Global Root"
-#
-# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Serial Number: 421 (0x1a5)
-# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Not Valid Before: Thu Aug 13 00:29:00 1998
-# Not Valid After : Mon Aug 13 23:59:00 2018
-# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
-# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\132\060\202\001\303\002\002\001\245\060\015\006\011
-\052\206\110\206\367\015\001\001\004\005\000\060\165\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\030\060\026\006\003
-\125\004\012\023\017\107\124\105\040\103\157\162\160\157\162\141
-\164\151\157\156\061\047\060\045\006\003\125\004\013\023\036\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\123\157
-\154\165\164\151\157\156\163\054\040\111\156\143\056\061\043\060
-\041\006\003\125\004\003\023\032\107\124\105\040\103\171\142\145
-\162\124\162\165\163\164\040\107\154\157\142\141\154\040\122\157
-\157\164\060\036\027\015\071\070\060\070\061\063\060\060\062\071
-\060\060\132\027\015\061\070\060\070\061\063\062\063\065\071\060
-\060\132\060\165\061\013\060\011\006\003\125\004\006\023\002\125
-\123\061\030\060\026\006\003\125\004\012\023\017\107\124\105\040
-\103\157\162\160\157\162\141\164\151\157\156\061\047\060\045\006
-\003\125\004\013\023\036\107\124\105\040\103\171\142\145\162\124
-\162\165\163\164\040\123\157\154\165\164\151\157\156\163\054\040
-\111\156\143\056\061\043\060\041\006\003\125\004\003\023\032\107
-\124\105\040\103\171\142\145\162\124\162\165\163\164\040\107\154
-\157\142\141\154\040\122\157\157\164\060\201\237\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\201\215\000\060
-\201\211\002\201\201\000\225\017\240\266\360\120\234\350\172\307
-\210\315\335\027\016\056\260\224\320\033\075\016\366\224\300\212
-\224\307\006\310\220\227\310\270\144\032\172\176\154\074\123\341
-\067\050\163\140\177\262\227\123\007\237\123\371\155\130\224\322
-\257\215\155\210\147\200\346\355\262\225\317\162\061\312\245\034
-\162\272\134\002\347\144\102\347\371\251\054\326\072\015\254\215
-\102\252\044\001\071\346\234\077\001\205\127\015\130\207\105\370
-\323\205\252\223\151\046\205\160\110\200\077\022\025\307\171\264
-\037\005\057\073\142\231\002\003\001\000\001\060\015\006\011\052
-\206\110\206\367\015\001\001\004\005\000\003\201\201\000\155\353
-\033\011\351\136\331\121\333\147\042\141\244\052\074\110\167\343
-\240\174\246\336\163\242\024\003\205\075\373\253\016\060\305\203
-\026\063\201\023\010\236\173\064\116\337\100\310\164\327\271\175
-\334\364\166\125\175\233\143\124\030\351\360\352\363\134\261\331
-\213\102\036\271\300\225\116\272\372\325\342\174\365\150\141\277
-\216\354\005\227\137\133\260\327\243\205\064\304\044\247\015\017
-\225\223\357\313\224\330\236\037\235\134\205\155\307\252\256\117
-\037\042\265\315\225\255\272\247\314\371\253\013\172\177
-END
-
-# Trust for Certificate "GTE CyberTrust Global Root"
-# Issuer: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Serial Number: 421 (0x1a5)
-# Subject: CN=GTE CyberTrust Global Root,OU="GTE CyberTrust Solutions, Inc.",O=GTE Corporation,C=US
-# Not Valid Before: Thu Aug 13 00:29:00 1998
-# Not Valid After : Mon Aug 13 23:59:00 2018
-# Fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
-# Fingerprint (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GTE CyberTrust Global Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\227\201\171\120\330\034\226\160\314\064\330\011\317\171\104\061
-\066\176\364\164
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\312\075\323\150\361\003\134\320\062\372\270\053\131\350\132\333
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\165\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\030\060\026\006\003\125\004\012\023\017\107\124\105\040\103\157
-\162\160\157\162\141\164\151\157\156\061\047\060\045\006\003\125
-\004\013\023\036\107\124\105\040\103\171\142\145\162\124\162\165
-\163\164\040\123\157\154\165\164\151\157\156\163\054\040\111\156
-\143\056\061\043\060\041\006\003\125\004\003\023\032\107\124\105
-\040\103\171\142\145\162\124\162\165\163\164\040\107\154\157\142
-\141\154\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\001\245
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Thawte Server CA"
-#
-# Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Serial Number: 1 (0x1)
-# Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Not Valid Before: Thu Aug 01 00:00:00 1996
-# Not Valid After : Thu Dec 31 23:59:59 2020
-# Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
-# Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
-\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
-\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
-\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
-\167\164\145\056\143\157\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
-\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
-\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
-\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
-\167\164\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\023\060\202\002\174\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
-\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003
-\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163
-\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125
-\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163
-\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124\150
-\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061\046
-\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027\163
-\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141\167
-\164\145\056\143\157\155\060\036\027\015\071\066\060\070\060\061
-\060\060\060\060\060\060\132\027\015\062\060\061\062\063\061\062
-\063\065\071\065\071\132\060\201\304\061\013\060\011\006\003\125
-\004\006\023\002\132\101\061\025\060\023\006\003\125\004\010\023
-\014\127\145\163\164\145\162\156\040\103\141\160\145\061\022\060
-\020\006\003\125\004\007\023\011\103\141\160\145\040\124\157\167
-\156\061\035\060\033\006\003\125\004\012\023\024\124\150\141\167
-\164\145\040\103\157\156\163\165\154\164\151\156\147\040\143\143
-\061\050\060\046\006\003\125\004\013\023\037\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\123\145\162\166\151\143\145
-\163\040\104\151\166\151\163\151\157\156\061\031\060\027\006\003
-\125\004\003\023\020\124\150\141\167\164\145\040\123\145\162\166
-\145\162\040\103\101\061\046\060\044\006\011\052\206\110\206\367
-\015\001\011\001\026\027\163\145\162\166\145\162\055\143\145\162
-\164\163\100\164\150\141\167\164\145\056\143\157\155\060\201\237
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\201\215\000\060\201\211\002\201\201\000\323\244\120\156\310\377
-\126\153\346\317\135\266\352\014\150\165\107\242\252\302\332\204
-\045\374\250\364\107\121\332\205\265\040\164\224\206\036\017\165
-\311\351\010\141\365\006\155\060\156\025\031\002\351\122\300\142
-\333\115\231\236\342\152\014\104\070\315\376\276\343\144\011\160
-\305\376\261\153\051\266\057\111\310\073\324\047\004\045\020\227
-\057\347\220\155\300\050\102\231\327\114\103\336\303\365\041\155
-\124\237\135\303\130\341\300\344\331\133\260\270\334\264\173\337
-\066\072\302\265\146\042\022\326\207\015\002\003\001\000\001\243
-\023\060\021\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\015\006\011\052\206\110\206\367\015\001\001
-\004\005\000\003\201\201\000\007\372\114\151\134\373\225\314\106
-\356\205\203\115\041\060\216\312\331\250\157\111\032\346\332\121
-\343\140\160\154\204\141\021\241\032\310\110\076\131\103\175\117
-\225\075\241\213\267\013\142\230\172\165\212\335\210\116\116\236
-\100\333\250\314\062\164\271\157\015\306\343\263\104\013\331\212
-\157\232\051\233\231\030\050\073\321\343\100\050\232\132\074\325
-\265\347\040\033\213\312\244\253\215\351\121\331\342\114\054\131
-\251\332\271\262\165\033\366\102\362\357\307\362\030\371\211\274
-\243\377\212\043\056\160\107
-END
-
-# Trust for Certificate "Thawte Server CA"
-# Issuer: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Serial Number: 1 (0x1)
-# Subject: E=server-certs@thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Not Valid Before: Thu Aug 01 00:00:00 1996
-# Not Valid After : Thu Dec 31 23:59:59 2020
-# Fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
-# Fingerprint (SHA1): 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\043\345\224\224\121\225\362\101\110\003\264\325\144\322\243\243
-\365\330\213\214
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\305\160\304\242\355\123\170\014\310\020\123\201\144\313\320\035
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\304\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\031\060\027\006\003\125\004\003\023\020\124
-\150\141\167\164\145\040\123\145\162\166\145\162\040\103\101\061
-\046\060\044\006\011\052\206\110\206\367\015\001\011\001\026\027
-\163\145\162\166\145\162\055\143\145\162\164\163\100\164\150\141
-\167\164\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Thawte Premium Server CA"
-#
-# Issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Serial Number: 1 (0x1)
-# Subject: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Not Valid Before: Thu Aug 01 00:00:00 1996
-# Not Valid After : Thu Dec 31 23:59:59 2020
-# Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
-# Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Premium Server CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\047\060\202\002\220\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\004\005\000\060
-\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101\061
-\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145\162
-\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007\023
-\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006\003
-\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156\163
-\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003\125
-\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151\157
-\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151\163
-\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124\150
-\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145\162
-\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110\206
-\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055\163
-\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157\155
-\060\036\027\015\071\066\060\070\060\061\060\060\060\060\060\060
-\132\027\015\062\060\061\062\063\061\062\063\065\071\065\071\132
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155\060\201\237\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\201\215\000\060\201\211\002\201\201\000\322\066
-\066\152\213\327\302\133\236\332\201\101\142\217\070\356\111\004
-\125\326\320\357\034\033\225\026\107\357\030\110\065\072\122\364
-\053\152\006\217\073\057\352\126\343\257\206\215\236\027\367\236
-\264\145\165\002\115\357\313\011\242\041\121\330\233\320\147\320
-\272\015\222\006\024\163\324\223\313\227\052\000\234\134\116\014
-\274\372\025\122\374\362\104\156\332\021\112\156\010\237\057\055
-\343\371\252\072\206\163\266\106\123\130\310\211\005\275\203\021
-\270\163\077\252\007\215\364\102\115\347\100\235\034\067\002\003
-\001\000\001\243\023\060\021\060\017\006\003\125\035\023\001\001
-\377\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206
-\367\015\001\001\004\005\000\003\201\201\000\046\110\054\026\302
-\130\372\350\026\164\014\252\252\137\124\077\362\327\311\170\140
-\136\136\156\067\143\042\167\066\176\262\027\304\064\271\365\010
-\205\374\311\001\070\377\115\276\362\026\102\103\347\273\132\106
-\373\301\306\021\037\361\112\260\050\106\311\303\304\102\175\274
-\372\253\131\156\325\267\121\210\021\343\244\205\031\153\202\114
-\244\014\022\255\351\244\256\077\361\303\111\145\232\214\305\310
-\076\045\267\224\231\273\222\062\161\007\360\206\136\355\120\047
-\246\015\246\043\371\273\313\246\007\024\102
-END
-
-# Trust for Certificate "Thawte Premium Server CA"
-# Issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Serial Number: 1 (0x1)
-# Subject: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
-# Not Valid Before: Thu Aug 01 00:00:00 1996
-# Not Valid After : Thu Dec 31 23:59:59 2020
-# Fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
-# Fingerprint (SHA1): 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Thawte Premium Server CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\142\177\215\170\047\145\143\231\322\175\177\220\104\311\376\263
-\363\076\372\232
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\006\237\151\171\026\146\220\002\033\214\214\242\303\007\157\072
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\316\061\013\060\011\006\003\125\004\006\023\002\132\101
-\061\025\060\023\006\003\125\004\010\023\014\127\145\163\164\145
-\162\156\040\103\141\160\145\061\022\060\020\006\003\125\004\007
-\023\011\103\141\160\145\040\124\157\167\156\061\035\060\033\006
-\003\125\004\012\023\024\124\150\141\167\164\145\040\103\157\156
-\163\165\154\164\151\156\147\040\143\143\061\050\060\046\006\003
-\125\004\013\023\037\103\145\162\164\151\146\151\143\141\164\151
-\157\156\040\123\145\162\166\151\143\145\163\040\104\151\166\151
-\163\151\157\156\061\041\060\037\006\003\125\004\003\023\030\124
-\150\141\167\164\145\040\120\162\145\155\151\165\155\040\123\145
-\162\166\145\162\040\103\101\061\050\060\046\006\011\052\206\110
-\206\367\015\001\011\001\026\031\160\162\145\155\151\165\155\055
-\163\145\162\166\145\162\100\164\150\141\167\164\145\056\143\157
-\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Equifax Secure CA"
 #
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
@@ -1428,19 +1013,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
 \162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
 \167\157\162\153
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\175\331\376\007\317\250\036\267\020\171\147\373\247\211
 \064\306
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign Root CA"
 #
 # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
 # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
 # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
@@ -2983,19 +2568,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \170\040\123\145\143\165\162\145\040\111\156\143\056\061\046\060
 \044\006\003\125\004\003\023\035\105\161\165\151\146\141\170\040
 \123\145\143\165\162\145\040\145\102\165\163\151\156\145\163\163
 \040\103\101\055\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\004
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "AddTrust Low-Value Services Root"
 #
 # Issuer: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
 # Serial Number: 1 (0x1)
 # Subject: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
@@ -4598,322 +4183,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \063\167
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "America Online Root Certification Authority 1"
-#
-# Issuer: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
-# Not Valid Before: Tue May 28 06:00:00 2002
-# Not Valid After : Thu Nov 19 20:43:00 2037
-# Fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
-# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\244\060\202\002\214\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143\141
-\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060\064
-\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040\117
-\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\061\060\036\027\015\060\062\060\065\062\070\060\066
-\060\060\060\060\132\027\015\063\067\061\061\061\071\062\060\064
-\063\060\060\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\034\060\032\006\003\125\004\012\023\023\101\155
-\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156\143
-\056\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
-\151\143\141\040\117\156\154\151\156\145\040\122\157\157\164\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\040\061\060\202\001\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017
-\000\060\202\001\012\002\202\001\001\000\250\057\350\244\151\006
-\003\107\303\351\052\230\377\031\242\160\232\306\120\262\176\245
-\337\150\115\033\174\017\266\227\150\175\055\246\213\227\351\144
-\206\311\243\357\240\206\277\140\145\234\113\124\210\302\110\305
-\112\071\277\024\343\131\125\345\031\264\164\310\264\005\071\134
-\026\245\342\225\005\340\022\256\131\213\242\063\150\130\034\246
-\324\025\267\330\237\327\334\161\253\176\232\277\233\216\063\017
-\042\375\037\056\347\007\066\357\142\071\305\335\313\272\045\024
-\043\336\014\306\075\074\316\202\010\346\146\076\332\121\073\026
-\072\243\005\177\240\334\207\325\234\374\162\251\240\175\170\344
-\267\061\125\036\145\273\324\141\260\041\140\355\020\062\162\305
-\222\045\036\370\220\112\030\170\107\337\176\060\067\076\120\033
-\333\034\323\153\232\206\123\007\260\357\254\006\170\370\204\231
-\376\041\215\114\200\266\014\202\366\146\160\171\032\323\117\243
-\317\361\317\106\260\113\017\076\335\210\142\270\214\251\011\050
-\073\172\307\227\341\036\345\364\237\300\300\256\044\240\310\241
-\331\017\326\173\046\202\151\062\075\247\002\003\001\000\001\243
-\143\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\000
-\255\331\243\366\171\366\156\164\251\177\063\075\201\027\327\114
-\317\063\336\060\037\006\003\125\035\043\004\030\060\026\200\024
-\000\255\331\243\366\171\366\156\164\251\177\063\075\201\027\327
-\114\317\063\336\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\001\001\000\174\212\321\037\030\067\202\340
-\270\260\243\355\126\225\310\142\141\234\005\242\315\302\142\046
-\141\315\020\026\327\314\264\145\064\320\021\212\255\250\251\005
-\146\357\164\363\155\137\235\231\257\366\213\373\353\122\262\005
-\230\242\157\052\305\124\275\045\275\137\256\310\206\352\106\054
-\301\263\275\301\351\111\160\030\026\227\010\023\214\040\340\033
-\056\072\107\313\036\344\000\060\225\133\364\105\243\300\032\260
-\001\116\253\275\300\043\156\143\077\200\112\305\007\355\334\342
-\157\307\301\142\361\343\162\326\004\310\164\147\013\372\210\253
-\241\001\310\157\360\024\257\322\231\315\121\223\176\355\056\070
-\307\275\316\106\120\075\162\343\171\045\235\233\210\053\020\040
-\335\245\270\062\237\215\340\051\337\041\164\206\202\333\057\202
-\060\306\307\065\206\263\371\226\137\106\333\014\105\375\363\120
-\303\157\306\303\110\255\106\246\341\047\107\012\035\016\233\266
-\302\167\177\143\362\340\175\032\276\374\340\337\327\307\247\154
-\260\371\256\272\074\375\164\264\021\350\130\015\200\274\323\250
-\200\072\231\355\165\314\106\173
-END
-
-# Trust for Certificate "America Online Root Certification Authority 1"
-# Issuer: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=America Online Root Certification Authority 1,O=America Online Inc.,C=US
-# Not Valid Before: Tue May 28 06:00:00 2002
-# Not Valid After : Thu Nov 19 20:43:00 2037
-# Fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
-# Fingerprint (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\071\041\301\025\301\135\016\312\134\313\133\304\360\175\041\330
-\005\013\126\152
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\024\361\010\255\235\372\144\342\211\347\034\317\250\255\175\136
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "America Online Root Certification Authority 2"
-#
-# Issuer: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
-# Not Valid Before: Tue May 28 06:00:00 2002
-# Not Valid After : Tue Sep 29 14:08:00 2037
-# Fingerprint (MD5): D6:ED:3C:CA:E2:66:0F:AF:10:43:0D:77:9B:04:09:BF
-# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\244\060\202\003\214\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061\034
-\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143\141
-\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060\064
-\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040\117
-\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164\151
-\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
-\164\171\040\062\060\036\027\015\060\062\060\065\062\070\060\066
-\060\060\060\060\132\027\015\063\067\060\071\062\071\061\064\060
-\070\060\060\132\060\143\061\013\060\011\006\003\125\004\006\023
-\002\125\123\061\034\060\032\006\003\125\004\012\023\023\101\155
-\145\162\151\143\141\040\117\156\154\151\156\145\040\111\156\143
-\056\061\066\060\064\006\003\125\004\003\023\055\101\155\145\162
-\151\143\141\040\117\156\154\151\156\145\040\122\157\157\164\040
-\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165
-\164\150\157\162\151\164\171\040\062\060\202\002\042\060\015\006
-\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017
-\000\060\202\002\012\002\202\002\001\000\314\101\105\035\351\075
-\115\020\366\214\261\101\311\340\136\313\015\267\277\107\163\323
-\360\125\115\335\306\014\372\261\146\005\152\315\170\264\334\002
-\333\116\201\363\327\247\174\161\274\165\143\240\135\343\007\014
-\110\354\045\304\003\040\364\377\016\073\022\377\233\215\341\306
-\325\033\264\155\042\343\261\333\177\041\144\257\206\274\127\042
-\052\326\107\201\127\104\202\126\123\275\206\024\001\013\374\177
-\164\244\132\256\361\272\021\265\233\130\132\200\264\067\170\011
-\063\174\062\107\003\134\304\245\203\110\364\127\126\156\201\066
-\047\030\117\354\233\050\302\324\264\327\174\014\076\014\053\337
-\312\004\327\306\216\352\130\116\250\244\245\030\034\154\105\230
-\243\101\321\055\322\307\155\215\031\361\255\171\267\201\077\275
-\006\202\047\055\020\130\005\265\170\005\271\057\333\014\153\220
-\220\176\024\131\070\273\224\044\023\345\321\235\024\337\323\202
-\115\106\360\200\071\122\062\017\343\204\262\172\103\362\136\336
-\137\077\035\335\343\262\033\240\241\052\043\003\156\056\001\025
-\207\134\246\165\165\307\227\141\276\336\206\334\324\110\333\275
-\052\277\112\125\332\350\175\120\373\264\200\027\270\224\277\001
-\075\352\332\272\174\340\130\147\027\271\130\340\210\206\106\147
-\154\235\020\107\130\062\320\065\174\171\052\220\242\132\020\021
-\043\065\255\057\314\344\112\133\247\310\047\362\203\336\136\273
-\136\167\347\350\245\156\143\302\015\135\141\320\214\322\154\132
-\041\016\312\050\243\316\052\351\225\307\110\317\226\157\035\222
-\045\310\306\306\301\301\014\005\254\046\304\322\165\322\341\052
-\147\300\075\133\245\232\353\317\173\032\250\235\024\105\345\017
-\240\232\145\336\057\050\275\316\157\224\146\203\110\051\330\352
-\145\214\257\223\331\144\237\125\127\046\277\157\313\067\061\231
-\243\140\273\034\255\211\064\062\142\270\103\041\006\162\014\241
-\134\155\106\305\372\051\317\060\336\211\334\161\133\335\266\067
-\076\337\120\365\270\007\045\046\345\274\265\376\074\002\263\267
-\370\276\103\301\207\021\224\236\043\154\027\212\270\212\047\014
-\124\107\360\251\263\300\200\214\240\047\353\035\031\343\007\216
-\167\160\312\053\364\175\166\340\170\147\002\003\001\000\001\243
-\143\060\141\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024\115
-\105\301\150\070\273\163\251\151\241\040\347\355\365\042\241\043
-\024\327\236\060\037\006\003\125\035\043\004\030\060\026\200\024
-\115\105\301\150\070\273\163\251\151\241\040\347\355\365\042\241
-\043\024\327\236\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\206\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\002\001\000\147\153\006\271\137\105\073\052
-\113\063\263\346\033\153\131\116\042\314\271\267\244\045\311\247
-\304\360\124\226\013\144\363\261\130\117\136\121\374\262\227\173
-\047\145\302\345\312\347\015\014\045\173\142\343\372\237\264\207
-\267\105\106\257\203\245\227\110\214\245\275\361\026\053\233\166
-\054\172\065\140\154\021\200\227\314\251\222\122\346\053\346\151
-\355\251\370\066\055\054\167\277\141\110\321\143\013\271\133\122
-\355\030\260\103\102\042\246\261\167\256\336\151\305\315\307\034
-\241\261\245\034\020\373\030\276\032\160\335\301\222\113\276\051
-\132\235\077\065\276\345\175\121\370\125\340\045\165\043\207\036
-\134\334\272\235\260\254\263\151\333\027\203\311\367\336\014\274
-\010\334\221\236\250\320\327\025\067\163\245\065\270\374\176\305
-\104\100\006\303\353\370\042\200\134\107\316\002\343\021\237\104
-\377\375\232\062\314\175\144\121\016\353\127\046\166\072\343\036
-\042\074\302\246\066\335\031\357\247\374\022\363\046\300\131\061
-\205\114\234\330\317\337\244\314\314\051\223\377\224\155\166\134
-\023\010\227\362\355\245\013\115\335\350\311\150\016\146\323\000
-\016\063\022\133\274\225\345\062\220\250\263\306\154\203\255\167
-\356\213\176\176\261\251\253\323\341\361\266\300\261\352\210\300
-\347\323\220\351\050\222\224\173\150\173\227\052\012\147\055\205
-\002\070\020\344\003\141\324\332\045\066\307\010\130\055\241\247
-\121\257\060\012\111\365\246\151\207\007\055\104\106\166\216\052
-\345\232\073\327\030\242\374\234\070\020\314\306\073\322\265\027
-\072\157\375\256\045\275\365\162\131\144\261\164\052\070\137\030
-\114\337\317\161\004\132\066\324\277\057\231\234\350\331\272\261
-\225\346\002\113\041\241\133\325\301\117\217\256\151\155\123\333
-\001\223\265\134\036\030\335\144\132\312\030\050\076\143\004\021
-\375\034\215\000\017\270\067\337\147\212\235\146\251\002\152\221
-\377\023\312\057\135\203\274\207\223\154\334\044\121\026\004\045
-\146\372\263\331\302\272\051\276\232\110\070\202\231\364\277\073
-\112\061\031\371\277\216\041\063\024\312\117\124\137\373\316\373
-\217\161\177\375\136\031\240\017\113\221\270\304\124\274\006\260
-\105\217\046\221\242\216\376\251
-END
-
-# Trust for Certificate "America Online Root Certification Authority 2"
-# Issuer: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US
-# Not Valid Before: Tue May 28 06:00:00 2002
-# Not Valid After : Tue Sep 29 14:08:00 2037
-# Fingerprint (MD5): D6:ED:3C:CA:E2:66:0F:AF:10:43:0D:77:9B:04:09:BF
-# Fingerprint (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "America Online Root Certification Authority 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\205\265\377\147\233\014\171\226\037\310\156\104\042\000\106\023
-\333\027\222\204
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\326\355\074\312\342\146\017\257\020\103\015\167\233\004\011\277
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\143\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\034\060\032\006\003\125\004\012\023\023\101\155\145\162\151\143
-\141\040\117\156\154\151\156\145\040\111\156\143\056\061\066\060
-\064\006\003\125\004\003\023\055\101\155\145\162\151\143\141\040
-\117\156\154\151\156\145\040\122\157\157\164\040\103\145\162\164
-\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162
-\151\164\171\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Visa eCommerce Root"
 #
 # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
 # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Not Valid Before: Wed Jun 26 02:18:36 2002
 # Not Valid After : Fri Jun 24 00:16:12 2022
 # Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
@@ -29990,16 +29269,725 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \110\215
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
+# Certificate "COMODO RSA Certification Authority"
+#
+# Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
+# Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Tue Jan 19 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
+# Fingerprint (SHA1): AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "COMODO RSA Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\122\123\101
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\122\123\101
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\114\252\371\312\333\143\157\340\037\367\116\330\133\003
+\206\235
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\330\060\202\003\300\240\003\002\001\002\002\020\114
+\252\371\312\333\143\157\340\037\367\116\330\133\003\206\235\060
+\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\201
+\205\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
+\060\031\006\003\125\004\010\023\022\107\162\145\141\164\145\162
+\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
+\003\125\004\007\023\007\123\141\154\146\157\162\144\061\032\060
+\030\006\003\125\004\012\023\021\103\117\115\117\104\117\040\103
+\101\040\114\151\155\151\164\145\144\061\053\060\051\006\003\125
+\004\003\023\042\103\117\115\117\104\117\040\122\123\101\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171\060\036\027\015\061\060\060\061\061\071
+\060\060\060\060\060\060\132\027\015\063\070\060\061\061\070\062
+\063\065\071\065\071\132\060\201\205\061\013\060\011\006\003\125
+\004\006\023\002\107\102\061\033\060\031\006\003\125\004\010\023
+\022\107\162\145\141\164\145\162\040\115\141\156\143\150\145\163
+\164\145\162\061\020\060\016\006\003\125\004\007\023\007\123\141
+\154\146\157\162\144\061\032\060\030\006\003\125\004\012\023\021
+\103\117\115\117\104\117\040\103\101\040\114\151\155\151\164\145
+\144\061\053\060\051\006\003\125\004\003\023\042\103\117\115\117
+\104\117\040\122\123\101\040\103\145\162\164\151\146\151\143\141
+\164\151\157\156\040\101\165\164\150\157\162\151\164\171\060\202
+\002\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
+\000\003\202\002\017\000\060\202\002\012\002\202\002\001\000\221
+\350\124\222\322\012\126\261\254\015\044\335\305\317\104\147\164
+\231\053\067\243\175\043\160\000\161\274\123\337\304\372\052\022
+\217\113\177\020\126\275\237\160\162\267\141\177\311\113\017\027
+\247\075\343\260\004\141\356\377\021\227\307\364\206\076\012\372
+\076\134\371\223\346\064\172\331\024\153\347\234\263\205\240\202
+\172\166\257\161\220\327\354\375\015\372\234\154\372\337\260\202
+\364\024\176\371\276\304\246\057\117\177\231\177\265\374\147\103
+\162\275\014\000\326\211\353\153\054\323\355\217\230\034\024\253
+\176\345\343\156\374\330\250\344\222\044\332\103\153\142\270\125
+\375\352\301\274\154\266\213\363\016\215\232\344\233\154\151\231
+\370\170\110\060\105\325\255\341\015\074\105\140\374\062\226\121
+\047\274\147\303\312\056\266\153\352\106\307\307\040\240\261\037
+\145\336\110\010\272\244\116\251\362\203\106\067\204\353\350\314
+\201\110\103\147\116\162\052\233\134\275\114\033\050\212\134\042
+\173\264\253\230\331\356\340\121\203\303\011\106\116\155\076\231
+\372\225\027\332\174\063\127\101\074\215\121\355\013\266\134\257
+\054\143\032\337\127\310\077\274\351\135\304\233\257\105\231\342
+\243\132\044\264\272\251\126\075\317\157\252\377\111\130\276\360
+\250\377\364\270\255\351\067\373\272\270\364\013\072\371\350\103
+\102\036\211\330\204\313\023\361\331\273\341\211\140\270\214\050
+\126\254\024\035\234\012\347\161\353\317\016\335\075\251\226\241
+\110\275\074\367\257\265\015\042\114\300\021\201\354\126\073\366
+\323\242\342\133\267\262\004\042\122\225\200\223\151\350\216\114
+\145\361\221\003\055\160\164\002\352\213\147\025\051\151\122\002
+\273\327\337\120\152\125\106\277\240\243\050\141\177\160\320\303
+\242\252\054\041\252\107\316\050\234\006\105\166\277\202\030\047
+\264\325\256\264\313\120\346\153\364\114\206\161\060\351\246\337
+\026\206\340\330\377\100\335\373\320\102\210\177\243\063\072\056
+\134\036\101\021\201\143\316\030\161\153\053\354\246\212\267\061
+\134\072\152\107\340\303\171\131\326\040\032\257\362\152\230\252
+\162\274\127\112\322\113\235\273\020\374\260\114\101\345\355\035
+\075\136\050\235\234\314\277\263\121\332\247\107\345\204\123\002
+\003\001\000\001\243\102\060\100\060\035\006\003\125\035\016\004
+\026\004\024\273\257\176\002\075\372\246\361\074\204\216\255\356
+\070\230\354\331\062\062\324\060\016\006\003\125\035\017\001\001
+\377\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001
+\377\004\005\060\003\001\001\377\060\015\006\011\052\206\110\206
+\367\015\001\001\014\005\000\003\202\002\001\000\012\361\325\106
+\204\267\256\121\273\154\262\115\101\024\000\223\114\234\313\345
+\300\124\317\240\045\216\002\371\375\260\242\015\365\040\230\074
+\023\055\254\126\242\260\326\176\021\222\351\056\272\236\056\232
+\162\261\275\031\104\154\141\065\242\232\264\026\022\151\132\214
+\341\327\076\244\032\350\057\003\364\256\141\035\020\033\052\244
+\213\172\305\376\005\246\341\300\326\310\376\236\256\217\053\272
+\075\231\370\330\163\011\130\106\156\246\234\364\327\047\323\225
+\332\067\203\162\034\323\163\340\242\107\231\003\070\135\325\111
+\171\000\051\034\307\354\233\040\034\007\044\151\127\170\262\071
+\374\072\204\240\265\234\174\215\277\056\223\142\047\267\071\332
+\027\030\256\275\074\011\150\377\204\233\074\325\326\013\003\343
+\127\236\024\367\321\353\117\310\275\207\043\267\266\111\103\171
+\205\134\272\353\222\013\241\306\350\150\250\114\026\261\032\231
+\012\350\123\054\222\273\241\011\030\165\014\145\250\173\313\043
+\267\032\302\050\205\303\033\377\320\053\142\357\244\173\011\221
+\230\147\214\024\001\315\150\006\152\143\041\165\003\200\210\212
+\156\201\306\205\362\251\244\055\347\364\245\044\020\107\203\312
+\315\364\215\171\130\261\006\233\347\032\052\331\235\001\327\224
+\175\355\003\112\312\360\333\350\251\001\076\365\126\231\311\036
+\216\111\075\273\345\011\271\340\117\111\222\075\026\202\100\314
+\314\131\306\346\072\355\022\056\151\074\154\225\261\375\252\035
+\173\177\206\276\036\016\062\106\373\373\023\217\165\177\114\213
+\113\106\143\376\000\064\100\160\301\303\271\241\335\246\160\342
+\004\263\101\274\351\200\221\352\144\234\172\341\042\003\251\234
+\156\157\016\145\117\154\207\207\136\363\156\240\371\165\245\233
+\100\350\123\262\047\235\112\271\300\167\041\215\377\207\362\336
+\274\214\357\027\337\267\111\013\321\362\156\060\013\032\016\116
+\166\355\021\374\365\351\126\262\175\277\307\155\012\223\214\245
+\320\300\266\035\276\072\116\224\242\327\156\154\013\302\212\174
+\372\040\363\304\344\345\315\015\250\313\221\222\261\174\205\354
+\265\024\151\146\016\202\347\315\316\310\055\246\121\177\041\301
+\065\123\205\006\112\135\237\255\273\033\137\164
+END
+
+# Trust for "COMODO RSA Certification Authority"
+# Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
+# Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+# Not Valid Before: Tue Jan 19 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): 52:F0:E1:C4:E5:8E:C6:29:29:1B:60:31:7F:07:46:71:B8:5D:7E:A8:0D:5B:07:27:34:63:53:4B:32:B4:02:34
+# Fingerprint (SHA1): AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "COMODO RSA Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\257\345\322\104\250\321\031\102\060\377\107\237\342\370\227\273
+\315\172\214\264
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\033\061\260\161\100\066\314\024\066\221\255\304\076\375\354\030
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\205\061\013\060\011\006\003\125\004\006\023\002\107\102
+\061\033\060\031\006\003\125\004\010\023\022\107\162\145\141\164
+\145\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060
+\016\006\003\125\004\007\023\007\123\141\154\146\157\162\144\061
+\032\060\030\006\003\125\004\012\023\021\103\117\115\117\104\117
+\040\103\101\040\114\151\155\151\164\145\144\061\053\060\051\006
+\003\125\004\003\023\042\103\117\115\117\104\117\040\122\123\101
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\114\252\371\312\333\143\157\340\037\367\116\330\133\003
+\206\235
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "USERTrust RSA Certification Authority"
+#
+# Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
+# Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Not Valid Before: Mon Feb 01 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
+# Fingerprint (SHA1): 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust RSA Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\122\123\101\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\122\123\101\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\001\375\155\060\374\243\312\121\250\033\274\144\016\065
+\003\055
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\336\060\202\003\306\240\003\002\001\002\002\020\001
+\375\155\060\374\243\312\121\250\033\274\144\016\065\003\055\060
+\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\201
+\210\061\013\060\011\006\003\125\004\006\023\002\125\123\061\023
+\060\021\006\003\125\004\010\023\012\116\145\167\040\112\145\162
+\163\145\171\061\024\060\022\006\003\125\004\007\023\013\112\145
+\162\163\145\171\040\103\151\164\171\061\036\060\034\006\003\125
+\004\012\023\025\124\150\145\040\125\123\105\122\124\122\125\123
+\124\040\116\145\164\167\157\162\153\061\056\060\054\006\003\125
+\004\003\023\045\125\123\105\122\124\162\165\163\164\040\122\123
+\101\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040
+\101\165\164\150\157\162\151\164\171\060\036\027\015\061\060\060
+\062\060\061\060\060\060\060\060\060\132\027\015\063\070\060\061
+\061\070\062\063\065\071\065\071\132\060\201\210\061\013\060\011
+\006\003\125\004\006\023\002\125\123\061\023\060\021\006\003\125
+\004\010\023\012\116\145\167\040\112\145\162\163\145\171\061\024
+\060\022\006\003\125\004\007\023\013\112\145\162\163\145\171\040
+\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
+\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
+\167\157\162\153\061\056\060\054\006\003\125\004\003\023\045\125
+\123\105\122\124\162\165\163\164\040\122\123\101\040\103\145\162
+\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150\157
+\162\151\164\171\060\202\002\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
+\002\202\002\001\000\200\022\145\027\066\016\303\333\010\263\320
+\254\127\015\166\355\315\047\323\114\255\120\203\141\342\252\040
+\115\011\055\144\011\334\316\211\237\314\075\251\354\366\317\301
+\334\361\323\261\326\173\067\050\021\053\107\332\071\306\274\072
+\031\264\137\246\275\175\235\243\143\102\266\166\362\251\073\053
+\221\370\342\157\320\354\026\040\220\011\076\342\350\164\311\030
+\264\221\324\142\144\333\177\243\006\361\210\030\152\220\042\074
+\274\376\023\360\207\024\173\366\344\037\216\324\344\121\306\021
+\147\106\010\121\313\206\024\124\077\274\063\376\176\154\234\377
+\026\235\030\275\121\216\065\246\247\146\310\162\147\333\041\146
+\261\324\233\170\003\300\120\072\350\314\360\334\274\236\114\376
+\257\005\226\065\037\127\132\267\377\316\371\075\267\054\266\366
+\124\335\310\347\022\072\115\256\114\212\267\134\232\264\267\040
+\075\312\177\042\064\256\176\073\150\146\001\104\347\001\116\106
+\123\233\063\140\367\224\276\123\067\220\163\103\363\062\303\123
+\357\333\252\376\164\116\151\307\153\214\140\223\336\304\307\014
+\337\341\062\256\314\223\073\121\170\225\147\213\356\075\126\376
+\014\320\151\017\033\017\363\045\046\153\063\155\367\156\107\372
+\163\103\345\176\016\245\146\261\051\174\062\204\143\125\211\304
+\015\301\223\124\060\031\023\254\323\175\067\247\353\135\072\154
+\065\134\333\101\327\022\332\251\111\013\337\330\200\212\011\223
+\142\216\265\146\317\045\210\315\204\270\261\077\244\071\017\331
+\002\236\353\022\114\225\174\363\153\005\251\136\026\203\314\270
+\147\342\350\023\235\314\133\202\323\114\263\355\133\377\336\345
+\163\254\043\073\055\000\277\065\125\164\011\111\330\111\130\032
+\177\222\066\346\121\222\016\363\046\175\034\115\027\274\311\354
+\103\046\320\277\101\137\100\251\104\104\364\231\347\127\207\236
+\120\037\127\124\250\076\375\164\143\057\261\120\145\011\346\130
+\102\056\103\032\114\264\360\045\107\131\372\004\036\223\324\046
+\106\112\120\201\262\336\276\170\267\374\147\025\341\311\127\204
+\036\017\143\326\351\142\272\326\137\125\056\352\134\306\050\010
+\004\045\071\270\016\053\251\362\114\227\034\007\077\015\122\365
+\355\357\057\202\017\002\003\001\000\001\243\102\060\100\060\035
+\006\003\125\035\016\004\026\004\024\123\171\277\132\252\053\112
+\317\124\200\341\330\233\300\235\362\262\003\146\313\060\016\006
+\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006
+\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015
+\006\011\052\206\110\206\367\015\001\001\014\005\000\003\202\002
+\001\000\134\324\174\015\317\367\001\175\101\231\145\014\163\305
+\122\237\313\370\317\231\006\177\033\332\103\025\237\236\002\125
+\127\226\024\361\122\074\047\207\224\050\355\037\072\001\067\242
+\166\374\123\120\300\204\233\306\153\116\272\214\041\117\242\216
+\125\142\221\363\151\025\330\274\210\343\304\252\013\375\357\250
+\351\113\125\052\006\040\155\125\170\051\031\356\137\060\134\113
+\044\021\125\377\044\232\156\136\052\053\356\013\115\237\177\367
+\001\070\224\024\225\103\007\011\373\140\251\356\034\253\022\214
+\240\232\136\247\230\152\131\155\213\077\010\373\310\321\105\257
+\030\025\144\220\022\017\163\050\056\305\342\044\116\374\130\354
+\360\364\105\376\042\263\353\057\216\322\331\105\141\005\301\227
+\157\250\166\162\217\213\214\066\257\277\015\005\316\161\215\346
+\246\157\037\154\246\161\142\305\330\320\203\162\014\361\147\021
+\211\014\234\023\114\162\064\337\274\325\161\337\252\161\335\341
+\271\154\214\074\022\135\145\332\275\127\022\266\103\153\377\345
+\336\115\146\021\121\317\231\256\354\027\266\350\161\221\214\336
+\111\376\335\065\161\242\025\047\224\034\317\141\343\046\273\157
+\243\147\045\041\135\346\335\035\013\056\150\033\073\202\257\354
+\203\147\205\324\230\121\164\261\271\231\200\211\377\177\170\031
+\134\171\112\140\056\222\100\256\114\067\052\054\311\307\142\310
+\016\135\367\066\133\312\340\045\045\001\264\335\032\007\234\167
+\000\077\320\334\325\354\075\324\372\273\077\314\205\326\157\177
+\251\055\337\271\002\367\365\227\232\265\065\332\303\147\260\207
+\112\251\050\236\043\216\377\134\047\153\341\260\117\363\007\356
+\000\056\324\131\207\313\122\101\225\352\364\107\327\356\144\101
+\125\174\215\131\002\225\335\142\235\302\271\356\132\050\164\204
+\245\233\267\220\307\014\007\337\365\211\066\164\062\326\050\301
+\260\260\013\340\234\114\303\034\326\374\343\151\265\107\106\201
+\057\242\202\253\323\143\104\160\304\215\377\055\063\272\255\217
+\173\265\160\210\256\076\031\317\100\050\330\374\310\220\273\135
+\231\042\365\122\346\130\305\037\210\061\103\356\210\035\327\306
+\216\074\103\152\035\247\030\336\175\075\026\361\142\371\312\220
+\250\375
+END
+
+# Trust for "USERTrust RSA Certification Authority"
+# Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
+# Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Not Valid Before: Mon Feb 01 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): E7:93:C9:B0:2F:D8:AA:13:E2:1C:31:22:8A:CC:B0:81:19:64:3B:74:9C:89:89:64:B1:74:6D:46:C3:D4:CB:D2
+# Fingerprint (SHA1): 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust RSA Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\053\217\033\127\063\015\273\242\320\172\154\121\367\016\351\015
+\332\271\255\216
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\033\376\151\321\221\267\031\063\243\162\250\017\341\125\345\265
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\122\123\101\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\001\375\155\060\374\243\312\121\250\033\274\144\016\065
+\003\055
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "USERTrust ECC Certification Authority"
+#
+# Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
+# Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Not Valid Before: Mon Feb 01 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A
+# Fingerprint (SHA1): D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust ECC Certification Authority"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\134\213\231\305\132\224\305\322\161\126\336\315\211\200
+\314\046
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\217\060\202\002\025\240\003\002\001\002\002\020\134
+\213\231\305\132\224\305\322\161\126\336\315\211\200\314\046\060
+\012\006\010\052\206\110\316\075\004\003\003\060\201\210\061\013
+\060\011\006\003\125\004\006\023\002\125\123\061\023\060\021\006
+\003\125\004\010\023\012\116\145\167\040\112\145\162\163\145\171
+\061\024\060\022\006\003\125\004\007\023\013\112\145\162\163\145
+\171\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
+\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
+\145\164\167\157\162\153\061\056\060\054\006\003\125\004\003\023
+\045\125\123\105\122\124\162\165\163\164\040\105\103\103\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171\060\036\027\015\061\060\060\062\060\061
+\060\060\060\060\060\060\132\027\015\063\070\060\061\061\070\062
+\063\065\071\065\071\132\060\201\210\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\023\060\021\006\003\125\004\010\023
+\012\116\145\167\040\112\145\162\163\145\171\061\024\060\022\006
+\003\125\004\007\023\013\112\145\162\163\145\171\040\103\151\164
+\171\061\036\060\034\006\003\125\004\012\023\025\124\150\145\040
+\125\123\105\122\124\122\125\123\124\040\116\145\164\167\157\162
+\153\061\056\060\054\006\003\125\004\003\023\045\125\123\105\122
+\124\162\165\163\164\040\105\103\103\040\103\145\162\164\151\146
+\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
+\171\060\166\060\020\006\007\052\206\110\316\075\002\001\006\005
+\053\201\004\000\042\003\142\000\004\032\254\124\132\251\371\150
+\043\347\172\325\044\157\123\306\132\330\113\253\306\325\266\321
+\346\163\161\256\335\234\326\014\141\375\333\240\211\003\270\005
+\024\354\127\316\356\135\077\342\041\263\316\367\324\212\171\340
+\243\203\176\055\227\320\141\304\361\231\334\045\221\143\253\177
+\060\243\264\160\342\307\241\063\234\363\277\056\134\123\261\137
+\263\175\062\177\212\064\343\171\171\243\102\060\100\060\035\006
+\003\125\035\016\004\026\004\024\072\341\011\206\324\317\031\302
+\226\166\164\111\166\334\340\065\306\143\143\232\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
+\125\035\023\001\001\377\004\005\060\003\001\001\377\060\012\006
+\010\052\206\110\316\075\004\003\003\003\150\000\060\145\002\060
+\066\147\241\026\010\334\344\227\000\101\035\116\276\341\143\001
+\317\073\252\102\021\144\240\235\224\071\002\021\171\134\173\035
+\372\144\271\356\026\102\263\277\212\302\011\304\354\344\261\115
+\002\061\000\351\052\141\107\214\122\112\113\116\030\160\366\326
+\104\326\156\365\203\272\155\130\275\044\331\126\110\352\357\304
+\242\106\201\210\152\072\106\321\251\233\115\311\141\332\321\135
+\127\152\030
+END
+
+# Trust for "USERTrust ECC Certification Authority"
+# Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
+# Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
+# Not Valid Before: Mon Feb 01 00:00:00 2010
+# Not Valid After : Mon Jan 18 23:59:59 2038
+# Fingerprint (SHA-256): 4F:F4:60:D5:4B:9C:86:DA:BF:BC:FC:57:12:E0:40:0D:2B:ED:3F:BC:4D:4F:BD:AA:86:E0:6A:DC:D2:A9:AD:7A
+# Fingerprint (SHA1): D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "USERTrust ECC Certification Authority"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\321\313\312\135\262\325\052\177\151\073\147\115\345\360\132\035
+\014\225\175\360
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\372\150\274\331\265\177\255\375\311\035\006\203\050\314\044\301
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\210\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\023\060\021\006\003\125\004\010\023\012\116\145\167\040\112
+\145\162\163\145\171\061\024\060\022\006\003\125\004\007\023\013
+\112\145\162\163\145\171\040\103\151\164\171\061\036\060\034\006
+\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124\122
+\125\123\124\040\116\145\164\167\157\162\153\061\056\060\054\006
+\003\125\004\003\023\045\125\123\105\122\124\162\165\163\164\040
+\105\103\103\040\103\145\162\164\151\146\151\143\141\164\151\157
+\156\040\101\165\164\150\157\162\151\164\171
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\134\213\231\305\132\224\305\322\161\126\336\315\211\200
+\314\046
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GlobalSign ECC Root CA - R4"
+#
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+# Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+# Not Valid Before: Tue Nov 13 00:00:00 2012
+# Not Valid After : Tue Jan 19 03:14:07 2038
+# Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
+# Fingerprint (SHA1): 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign ECC Root CA - R4"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\052\070\244\034\226\012\004\336\102\262\050\245\013\350
+\064\230\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\001\341\060\202\001\207\240\003\002\001\002\002\021\052
+\070\244\034\226\012\004\336\102\262\050\245\013\350\064\230\002
+\060\012\006\010\052\206\110\316\075\004\003\002\060\120\061\044
+\060\042\006\003\125\004\013\023\033\107\154\157\142\141\154\123
+\151\147\156\040\105\103\103\040\122\157\157\164\040\103\101\040
+\055\040\122\064\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156\060\036
+\027\015\061\062\061\061\061\063\060\060\060\060\060\060\132\027
+\015\063\070\060\061\061\071\060\063\061\064\060\067\132\060\120
+\061\044\060\042\006\003\125\004\013\023\033\107\154\157\142\141
+\154\123\151\147\156\040\105\103\103\040\122\157\157\164\040\103
+\101\040\055\040\122\064\061\023\060\021\006\003\125\004\012\023
+\012\107\154\157\142\141\154\123\151\147\156\061\023\060\021\006
+\003\125\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+\060\131\060\023\006\007\052\206\110\316\075\002\001\006\010\052
+\206\110\316\075\003\001\007\003\102\000\004\270\306\171\323\217
+\154\045\016\237\056\071\031\034\003\244\256\232\345\071\007\011
+\026\312\143\261\271\206\370\212\127\301\127\316\102\372\163\241
+\367\145\102\377\036\301\000\262\156\163\016\377\307\041\345\030
+\244\252\331\161\077\250\324\271\316\214\035\243\102\060\100\060
+\016\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060
+\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377
+\060\035\006\003\125\035\016\004\026\004\024\124\260\173\255\105
+\270\342\100\177\373\012\156\373\276\063\311\074\243\204\325\060
+\012\006\010\052\206\110\316\075\004\003\002\003\110\000\060\105
+\002\041\000\334\222\241\240\023\246\317\003\260\346\304\041\227
+\220\372\024\127\055\003\354\356\074\323\156\312\250\154\166\274
+\242\336\273\002\040\047\250\205\047\065\233\126\306\243\362\107
+\322\267\156\033\002\000\027\252\147\246\025\221\336\372\224\354
+\173\013\370\237\204
+END
+
+# Trust for "GlobalSign ECC Root CA - R4"
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+# Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
+# Not Valid Before: Tue Nov 13 00:00:00 2012
+# Not Valid After : Tue Jan 19 03:14:07 2038
+# Fingerprint (SHA-256): BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C
+# Fingerprint (SHA1): 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign ECC Root CA - R4"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\151\151\126\056\100\200\364\044\241\347\031\237\024\272\363\356
+\130\253\152\273
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\040\360\047\150\321\176\240\235\016\346\052\312\337\134\211\216
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\064\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\052\070\244\034\226\012\004\336\102\262\050\245\013\350
+\064\230\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GlobalSign ECC Root CA - R5"
+#
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+# Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+# Not Valid Before: Tue Nov 13 00:00:00 2012
+# Not Valid After : Tue Jan 19 03:14:07 2038
+# Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
+# Fingerprint (SHA1): 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign ECC Root CA - R5"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\065\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\065\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\140\131\111\340\046\056\273\125\371\012\167\212\161\371
+\112\330\154
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\036\060\202\001\244\240\003\002\001\002\002\021\140
+\131\111\340\046\056\273\125\371\012\167\212\161\371\112\330\154
+\060\012\006\010\052\206\110\316\075\004\003\003\060\120\061\044
+\060\042\006\003\125\004\013\023\033\107\154\157\142\141\154\123
+\151\147\156\040\105\103\103\040\122\157\157\164\040\103\101\040
+\055\040\122\065\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156\060\036
+\027\015\061\062\061\061\061\063\060\060\060\060\060\060\132\027
+\015\063\070\060\061\061\071\060\063\061\064\060\067\132\060\120
+\061\044\060\042\006\003\125\004\013\023\033\107\154\157\142\141
+\154\123\151\147\156\040\105\103\103\040\122\157\157\164\040\103
+\101\040\055\040\122\065\061\023\060\021\006\003\125\004\012\023
+\012\107\154\157\142\141\154\123\151\147\156\061\023\060\021\006
+\003\125\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+\060\166\060\020\006\007\052\206\110\316\075\002\001\006\005\053
+\201\004\000\042\003\142\000\004\107\105\016\226\373\175\135\277
+\351\071\321\041\370\237\013\266\325\173\036\222\072\110\131\034
+\360\142\061\055\300\172\050\376\032\247\134\263\266\314\227\347
+\105\324\130\372\321\167\155\103\242\300\207\145\064\012\037\172
+\335\353\074\063\241\305\235\115\244\157\101\225\070\177\311\036
+\204\353\321\236\111\222\207\224\207\014\072\205\112\146\237\235
+\131\223\115\227\141\006\206\112\243\102\060\100\060\016\006\003
+\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
+\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006
+\003\125\035\016\004\026\004\024\075\346\051\110\233\352\007\312
+\041\104\112\046\336\156\336\322\203\320\237\131\060\012\006\010
+\052\206\110\316\075\004\003\003\003\150\000\060\145\002\061\000
+\345\151\022\311\156\333\306\061\272\011\101\341\227\370\373\375
+\232\342\175\022\311\355\174\144\323\313\005\045\213\126\331\240
+\347\136\135\116\013\203\234\133\166\051\240\011\046\041\152\142
+\002\060\161\322\265\217\134\352\073\341\170\011\205\250\165\222
+\073\310\134\375\110\357\015\164\042\250\010\342\156\305\111\316
+\307\014\274\247\141\151\361\367\073\341\052\313\371\053\363\146
+\220\067
+END
+
+# Trust for "GlobalSign ECC Root CA - R5"
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+# Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
+# Not Valid Before: Tue Nov 13 00:00:00 2012
+# Not Valid After : Tue Jan 19 03:14:07 2038
+# Fingerprint (SHA-256): 17:9F:BC:14:8A:3D:D0:0F:D2:4E:A1:34:58:CC:43:BF:A7:F5:9C:81:82:D7:83:A5:13:F6:EB:EC:10:0C:89:24
+# Fingerprint (SHA1): 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign ECC Root CA - R5"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\037\044\306\060\315\244\030\357\040\151\377\255\117\335\137\106
+\072\033\151\252
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\237\255\073\034\002\036\212\272\027\164\070\201\014\242\274\010
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\120\061\044\060\042\006\003\125\004\013\023\033\107\154\157
+\142\141\154\123\151\147\156\040\105\103\103\040\122\157\157\164
+\040\103\101\040\055\040\122\065\061\023\060\021\006\003\125\004
+\012\023\012\107\154\157\142\141\154\123\151\147\156\061\023\060
+\021\006\003\125\004\003\023\012\107\154\157\142\141\154\123\151
+\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\140\131\111\340\046\056\273\125\371\012\167\212\161\371
+\112\330\154
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
 # Certificate "USERTrust-temporary-intermediate-after-1024bit-removal"
 #
 # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
 # Serial Number:5d:20:61:8e:8c:0e:b9:34:40:93:b9:b1:d8:63:95:b6
 # Subject: CN=USERTrust Legacy Secure Server CA,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Not Valid Before: Tue Aug 05 00:00:00 2014
 # Not Valid After : Sun Nov 01 23:59:59 2015
 # Fingerprint (SHA-256): 92:96:6E:83:44:D2:FB:3A:28:0E:B8:60:4D:81:40:77:4C:E1:A0:57:C5:82:BE:BC:83:4D:03:02:E8:59:BC:43
@@ -30146,8 +30134,189 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\135\040\141\216\214\016\271\064\100\223\271\261\330\143
 \225\266
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
+#
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
+# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Thu Mar 26 00:00:00 2009
+# Not Valid After : Sun Mar 24 23:59:59 2019
+# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
+# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\201\265\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\073\060\071\006\003
+\125\004\013\023\062\124\145\162\155\163\040\157\146\040\165\163
+\145\040\141\164\040\150\164\164\160\163\072\057\057\167\167\167
+\056\166\145\162\151\163\151\147\156\056\143\157\155\057\162\160
+\141\040\050\143\051\060\071\061\057\060\055\006\003\125\004\003
+\023\046\126\145\162\151\123\151\147\156\040\103\154\141\163\163
+\040\063\040\123\145\143\165\162\145\040\123\145\162\166\145\162
+\040\103\101\040\055\040\107\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
+\005\256
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\071\060\202\004\041\240\003\002\001\002\002\020\057
+\000\156\315\027\160\146\347\137\243\202\012\171\037\005\256\060
+\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
+\312\061\013\060\011\006\003\125\004\006\023\002\125\123\061\027
+\060\025\006\003\125\004\012\023\016\126\145\162\151\123\151\147
+\156\054\040\111\156\143\056\061\037\060\035\006\003\125\004\013
+\023\026\126\145\162\151\123\151\147\156\040\124\162\165\163\164
+\040\116\145\164\167\157\162\153\061\072\060\070\006\003\125\004
+\013\023\061\050\143\051\040\062\060\060\066\040\126\145\162\151
+\123\151\147\156\054\040\111\156\143\056\040\055\040\106\157\162
+\040\141\165\164\150\157\162\151\172\145\144\040\165\163\145\040
+\157\156\154\171\061\105\060\103\006\003\125\004\003\023\074\126
+\145\162\151\123\151\147\156\040\103\154\141\163\163\040\063\040
+\120\165\142\154\151\143\040\120\162\151\155\141\162\171\040\103
+\145\162\164\151\146\151\143\141\164\151\157\156\040\101\165\164
+\150\157\162\151\164\171\040\055\040\107\065\060\036\027\015\060
+\071\060\063\062\066\060\060\060\060\060\060\132\027\015\061\071
+\060\063\062\064\062\063\065\071\065\071\132\060\201\265\061\013
+\060\011\006\003\125\004\006\023\002\125\123\061\027\060\025\006
+\003\125\004\012\023\016\126\145\162\151\123\151\147\156\054\040
+\111\156\143\056\061\037\060\035\006\003\125\004\013\023\026\126
+\145\162\151\123\151\147\156\040\124\162\165\163\164\040\116\145
+\164\167\157\162\153\061\073\060\071\006\003\125\004\013\023\062
+\124\145\162\155\163\040\157\146\040\165\163\145\040\141\164\040
+\150\164\164\160\163\072\057\057\167\167\167\056\166\145\162\151
+\163\151\147\156\056\143\157\155\057\162\160\141\040\050\143\051
+\060\071\061\057\060\055\006\003\125\004\003\023\046\126\145\162
+\151\123\151\147\156\040\103\154\141\163\163\040\063\040\123\145
+\143\165\162\145\040\123\145\162\166\145\162\040\103\101\040\055
+\040\107\062\060\202\001\042\060\015\006\011\052\206\110\206\367
+\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
+\202\001\001\000\324\126\217\127\073\067\050\246\100\143\322\225
+\325\005\164\332\265\031\152\226\326\161\127\057\342\300\064\214
+\240\225\263\214\341\067\044\363\056\355\103\105\005\216\211\327
+\372\332\112\265\370\076\215\116\307\371\111\120\105\067\100\237
+\164\252\240\121\125\141\361\140\204\211\245\236\200\215\057\260
+\041\252\105\202\304\317\264\024\177\107\025\040\050\202\260\150
+\022\300\256\134\007\327\366\131\314\313\142\126\134\115\111\377
+\046\210\253\124\121\072\057\112\332\016\230\342\211\162\271\374
+\367\150\074\304\037\071\172\313\027\201\363\014\255\017\334\141
+\142\033\020\013\004\036\051\030\161\136\142\313\103\336\276\061
+\272\161\002\031\116\046\251\121\332\214\144\151\003\336\234\375
+\175\375\173\141\274\374\204\174\210\134\264\303\173\355\137\053
+\106\022\361\375\000\001\232\213\133\351\243\005\056\217\056\133
+\336\363\033\170\370\146\221\010\300\136\316\325\260\066\312\324
+\250\173\240\175\371\060\172\277\370\335\031\121\053\040\272\376
+\247\317\241\116\260\147\365\200\252\053\203\056\322\216\124\211
+\216\036\051\013\002\003\001\000\001\243\202\001\054\060\202\001
+\050\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
+\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
+\004\003\002\001\006\060\051\006\003\125\035\021\004\042\060\040
+\244\036\060\034\061\032\060\030\006\003\125\004\003\023\021\103
+\154\141\163\163\063\103\101\062\060\064\070\055\061\055\065\062
+\060\035\006\003\125\035\016\004\026\004\024\245\357\013\021\316
+\300\101\003\243\112\145\220\110\262\034\340\127\055\175\107\060
+\146\006\003\125\035\040\004\137\060\135\060\133\006\013\140\206
+\110\001\206\370\105\001\007\027\003\060\114\060\043\006\010\053
+\006\001\005\005\007\002\001\026\027\150\164\164\160\163\072\057
+\057\144\056\163\171\155\143\142\056\143\157\155\057\143\160\163
+\060\045\006\010\053\006\001\005\005\007\002\002\060\031\032\027
+\150\164\164\160\163\072\057\057\144\056\163\171\155\143\142\056
+\143\157\155\057\162\160\141\060\057\006\003\125\035\037\004\050
+\060\046\060\044\240\042\240\040\206\036\150\164\164\160\072\057
+\057\163\056\163\171\155\143\142\056\143\157\155\057\160\143\141
+\063\055\147\065\056\143\162\154\060\037\006\003\125\035\043\004
+\030\060\026\200\024\177\323\145\247\302\335\354\273\360\060\011
+\363\103\071\372\002\257\063\061\063\060\015\006\011\052\206\110
+\206\367\015\001\001\005\005\000\003\202\001\001\000\053\216\024
+\314\354\206\010\140\067\213\154\145\211\045\041\336\057\122\242
+\007\236\130\323\263\026\170\001\231\121\225\264\023\167\314\167
+\335\013\134\201\067\326\276\366\142\326\004\067\013\030\163\232
+\323\366\301\242\036\155\234\273\214\021\346\076\022\136\007\137
+\013\203\134\164\002\340\120\364\261\046\033\155\306\350\351\277
+\115\271\001\025\031\354\120\232\371\021\360\201\130\103\054\115
+\021\100\263\132\106\010\246\136\163\241\210\022\065\214\377\003
+\072\275\326\235\372\347\334\226\271\032\144\076\304\375\331\012
+\266\145\236\272\245\250\130\374\073\042\360\242\127\356\212\127
+\107\234\167\307\045\341\254\064\005\115\363\202\176\101\043\272
+\264\127\363\347\306\001\145\327\115\211\231\034\151\115\136\170
+\366\353\162\161\075\262\304\225\001\237\135\014\267\057\045\246
+\134\171\101\357\236\304\147\074\241\235\177\161\072\320\225\227
+\354\170\102\164\230\156\276\076\150\114\127\074\250\223\101\207
+\013\344\271\257\221\373\120\114\014\272\300\044\047\321\025\333
+\145\110\041\012\057\327\334\176\240\314\145\176\171
+END
+
+# Trust for "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
+# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
+# Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+# Not Valid Before: Thu Mar 26 00:00:00 2009
+# Not Valid After : Sun Mar 24 23:59:59 2019
+# Fingerprint (SHA-256): 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
+# Fingerprint (SHA1): 76:44:59:78:1B:AC:B0:47:63:A5:D0:A1:58:91:65:26:1F:29:8E:3B
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\166\104\131\170\033\254\260\107\143\245\320\241\130\221\145\046
+\037\051\216\073
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\277\022\155\372\174\325\133\046\171\072\215\252\021\357\057\134
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
+\151\147\156\054\040\111\156\143\056\061\037\060\035\006\003\125
+\004\013\023\026\126\145\162\151\123\151\147\156\040\124\162\165
+\163\164\040\116\145\164\167\157\162\153\061\072\060\070\006\003
+\125\004\013\023\061\050\143\051\040\062\060\060\066\040\126\145
+\162\151\123\151\147\156\054\040\111\156\143\056\040\055\040\106
+\157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
+\145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
+\074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
+\063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+\040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+\165\164\150\157\162\151\164\171\040\055\040\107\065
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\057\000\156\315\027\160\146\347\137\243\202\012\171\037
+\005\256
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -40,18 +40,18 @@
  *     ...
  *   - NSS 3.29 branch: 250-255
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION "2.1"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 2
+#define NSS_BUILTINS_LIBRARY_VERSION "2.2"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself 
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/util/quickder.c
+++ b/security/nss/lib/util/quickder.c
@@ -11,65 +11,120 @@
 #include "secasn1.h" /* for SEC_ASN1GetSubtemplate */
 #include "secitem.h"
 
 /*
  * simple definite-length ASN.1 decoder
  */
 
 static unsigned char* definite_length_decoder(const unsigned char *buf,
-                                              const unsigned int length,
-                                              unsigned int *data_length,
+                                              const unsigned int buf_length,
+                                              unsigned int *out_data_length,
                                               PRBool includeTag)
 {
     unsigned char tag;
-    unsigned int used_length= 0;
-    unsigned int data_len;
+    unsigned int used_length = 0;
+    unsigned int data_length = 0;
+    unsigned char length_field_len = 0;
+    unsigned char byte;
+    unsigned int i;
 
-    if (used_length >= length)
+    if (used_length >= buf_length)
     {
+        /* Tag field was not found! */
         return NULL;
     }
     tag = buf[used_length++];
 
-    /* blow out when we come to the end */
     if (tag == 0)
     {
+        /* End-of-contents octects should not be present in DER because
+           DER doesn't use the indefinite length form. */
+        return NULL;
+    }
+
+    if ((tag & 0x1F) == 0x1F)
+    {
+        /* High tag number (a tag number > 30) is not supported */
         return NULL;
     }
 
-    if (used_length >= length)
+    if (used_length >= buf_length)
     {
+        /* Length field was not found! */
         return NULL;
     }
-    data_len = buf[used_length++];
+    byte = buf[used_length++];
 
-    if (data_len&0x80)
+    if (!(byte & 0x80))
+    {
+        /* Short form: The high bit is not set. */
+        data_length = byte; /* clarity; we're returning a 32-bit int. */
+    }
+    else
     {
-        int  len_count = data_len & 0x7f;
+        /* Long form. Extract the field length */
+        length_field_len = byte & 0x7F;
+        if (length_field_len == 0)
+        {
+            /* DER doesn't use the indefinite length form. */
+            return NULL;
+        }
 
-        data_len = 0;
+        if (length_field_len > sizeof(data_length))
+        {
+            /* We don't support an extended length field  longer than
+               4 bytes (2^32) */
+            return NULL;
+        }
 
-        while (len_count-- > 0)
+        if (length_field_len > (buf_length - used_length))
         {
-            if (used_length >= length)
+            /* Extended length field was not found */
+            return NULL;
+        }
+
+        /* Iterate across the extended length field */
+        for (i = 0; i < length_field_len; i++)
+        {
+            byte = buf[used_length++];
+            data_length = (data_length << 8) | byte;
+
+            if (i == 0)
             {
-                return NULL;
+                PRBool too_long = PR_FALSE;
+                if (length_field_len == 1)
+                {
+                    too_long = ((byte & 0x80) == 0); /* Short form suffices */
+                }
+                else
+                {
+                    too_long = (byte == 0); /* This zero byte can be omitted */
+                }
+                if (too_long)
+                {
+                    /* The length is longer than needed. */
+                    return NULL;
+                }
             }
-            data_len = (data_len << 8) | buf[used_length++];
         }
     }
 
-    if (data_len > (length-used_length) )
+    if (data_length > (buf_length - used_length))
     {
+        /* The decoded length exceeds the available buffer */
         return NULL;
     }
-    if (includeTag) data_len += used_length;
 
-    *data_length = data_len;
+    if (includeTag)
+    {
+        data_length += used_length;
+    }
+
+    *out_data_length = data_length;
     return ((unsigned char*)buf + (includeTag ? 0 : used_length));
 }
 
 static SECStatus GetItem(SECItem* src, SECItem* dest, PRBool includeTag)
 {
     if ( (!src) || (!dest) || (!src->data && src->len) )
     {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
--- a/tools/profiler/platform-linux.cc
+++ b/tools/profiler/platform-linux.cc
@@ -247,25 +247,19 @@ static void ProfilerSignalThread(ThreadP
     profile->mRssMemory = nsMemoryReporterManager::ResidentFast();
     profile->mUssMemory = nsMemoryReporterManager::ResidentUnique();
   } else {
     profile->mRssMemory = 0;
     profile->mUssMemory = 0;
   }
 }
 
-// If the Nuwa process is enabled, we need to use the wrapper of tgkill() to
-// perform the mapping of thread ID.
-#ifdef MOZ_NUWA_PROCESS
-extern "C" MFBT_API int tgkill(pid_t tgid, pid_t tid, int signalno);
-#else
 int tgkill(pid_t tgid, pid_t tid, int signalno) {
   return syscall(SYS_tgkill, tgid, tid, signalno);
 }
-#endif
 
 class PlatformData : public Malloced {
  public:
   PlatformData()
   {}
 };
 
 /* static */ PlatformData*
@@ -442,16 +436,28 @@ void Sampler::Stop() {
   // Restore old signal handler
   if (signal_handler_installed_) {
     sigaction(SIGNAL_SAVE_PROFILE, &old_sigsave_signal_handler_, 0);
     sigaction(SIGPROF, &old_sigprof_signal_handler_, 0);
     signal_handler_installed_ = false;
   }
 }
 
+#ifdef MOZ_NUWA_PROCESS
+static void
+UpdateThreadId(void* aThreadInfo) {
+  ThreadInfo* info = static_cast<ThreadInfo*>(aThreadInfo);
+  // Note that this function is called during thread recreation. Only the thread
+  // calling this method is running. We can't try to acquire
+  // Sampler::sRegisteredThreadsMutex because it could be held by another
+  // thread.
+  info->SetThreadId(gettid());
+}
+#endif
+
 bool Sampler::RegisterCurrentThread(const char* aName,
                                     PseudoStack* aPseudoStack,
                                     bool aIsMainThread, void* stackTop)
 {
   if (!Sampler::sRegisteredThreadsMutex)
     return false;
 
   mozilla::MutexAutoLock lock(*Sampler::sRegisteredThreadsMutex);
@@ -473,16 +479,30 @@ bool Sampler::RegisterCurrentThread(cons
     aIsMainThread, aPseudoStack, stackTop);
 
   if (sActiveSampler) {
     sActiveSampler->RegisterThread(info);
   }
 
   sRegisteredThreads->push_back(info);
 
+#ifdef MOZ_NUWA_PROCESS
+  if (IsNuwaProcess()) {
+    if (info->IsMainThread()) {
+      // Main thread isn't a marked thread. Register UpdateThreadId() to
+      // NuwaAddConstructor(), which runs before all other threads are
+      // recreated.
+      NuwaAddConstructor(UpdateThreadId, info);
+    } else {
+      // Register UpdateThreadInfo() to be run when the thread is recreated.
+      NuwaAddThreadConstructor(UpdateThreadId, info);
+    }
+  }
+#endif
+
   uwt__register_thread_for_profiling(stackTop);
   return true;
 }
 
 void Sampler::UnregisterCurrentThread()
 {
   if (!Sampler::sRegisteredThreadsMutex)
     return;
--- a/tools/profiler/platform.h
+++ b/tools/profiler/platform.h
@@ -415,16 +415,19 @@ class ThreadInfo {
   ThreadProfile* Profile() const { return mProfile; }
 
   PlatformData* GetPlatformData() const { return mPlatformData; }
   void* StackTop() const { return mStackTop; }
 
   void SetPendingDelete();
   bool IsPendingDelete() const { return mPendingDelete; }
 
+#ifdef MOZ_NUWA_PROCESS
+  void SetThreadId(int aThreadId) { mThreadId = aThreadId; }
+#endif
 
   /**
    * May be null for the main thread if the profiler was started during startup
    */
   nsIThread* GetThread() const { return mThread.get(); }
  private:
   char* mName;
   int mThreadId;