Merge inbound to mozilla-central. a=merge
authorNoemi Erli <nerli@mozilla.com>
Tue, 16 Oct 2018 07:27:42 +0300
changeset 499868 3c8790a73b7f31b253704a07e1bf7d0a65696b04
parent 499824 8ceb713af9c7f2b453f42c46bd9ffd8ae1aece44 (current diff)
parent 499867 5b5648ea1b5b33d8406a0a78661dd7c86f4cd7b0 (diff)
child 499869 b6f7a0b4345849cc9cf9a40abe1ff16cf1a6d905
child 499880 b9fec5dd4ff5ed4a098f5254c701d8c47d3100c5
push id1864
push userffxbld-merge
push dateMon, 03 Dec 2018 15:51:40 +0000
treeherdermozilla-release@f040763d99ad [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmerge
milestone64.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Merge inbound to mozilla-central. a=merge
security/sandbox/chromium-shim/patches/with_update/mingw_msvc_requirement_error.patch
--- a/devtools/shared/client/thread-client.js
+++ b/devtools/shared/client/thread-client.js
@@ -694,16 +694,40 @@ ThreadClient.prototype = {
     this.client._eventsEnabled && this.emit(packet.type, packet);
   },
 
   getLastPausePacket: function() {
     return this._lastPausePacket;
   },
 
   /**
+   * Requests to set XHR breakpoint
+   * @param string path
+   *        pause when url contains `path`
+   * @param string method
+   *        pause when method of request is `method`
+   */
+  setXHRBreakpoint: DebuggerClient.requester({
+    type: "setXHRBreakpoint",
+    path: arg(0),
+    method: arg(1)
+  }),
+
+  /**
+   * Request to remove XHR breakpoint
+   * @param string path
+   * @param string method
+   */
+  removeXHRBreakpoint: DebuggerClient.requester({
+    type: "removeXHRBreakpoint",
+    path: arg(0),
+    method: arg(1)
+  }),
+
+  /**
    * Return an EnvironmentClient instance for the given environment actor form.
    */
   environment: function(form) {
     return new EnvironmentClient(this.client, form);
   },
 
   /**
    * Return an instance of SourceClient for the given source actor form.
--- a/dom/bindings/BindingUtils.cpp
+++ b/dom/bindings/BindingUtils.cpp
@@ -4211,19 +4211,35 @@ GetPerInterfaceObjectHandle(JSContext* a
    * it's not possible for the object to be gray here.
    */
 
   const JS::Heap<JSObject*>& entrySlot =
     protoAndIfaceCache.EntrySlotMustExist(aSlotId);
   MOZ_ASSERT(JS::ObjectIsNotGray(entrySlot));
 
   if (!entrySlot) {
-    if (aSlotId == prototypes::id::HTMLDocument ||
-        aSlotId == prototypes::id::Document) {
-      MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create the per-interface object");
+    switch (aSlotId) {
+      case prototypes::id::HTMLDocument: {
+         MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create HTMLDocument.prototype");
+         break;
+      }
+      case prototypes::id::Document: {
+        MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create Document.prototype");
+        break;
+      }
+      case prototypes::id::Node: {
+        MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create Node.prototype");
+        break;
+      }
+      case prototypes::id::EventTarget: {
+        MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create EventTarget.prototype");
+        break;
+      }
+      default:
+      break;
     }
   }
 
   return JS::Handle<JSObject*>::fromMarkedLocation(entrySlot.address());
 }
 
 namespace binding_detail {
 bool
--- a/js/src/frontend/BinSource-auto.cpp
+++ b/js/src/frontend/BinSource-auto.cpp
@@ -3127,17 +3127,22 @@ BinASTParser<Tok>::parseInterfaceDataPro
     BINJS_MOZ_TRY_DECL(name, parsePropertyName());
 
     BINJS_MOZ_TRY_DECL(expression, parseExpression());
 
     if (!factory_.isUsableAsObjectPropertyName(name)) {
         return raiseError("DataProperty key kind");
     }
 
-    BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(name, expression, AccessorType::None));
+    ParseNode* result;
+    if (name->template is<NameNode>() && name->template as<NameNode>().atom() == cx_->names().proto) {
+        BINJS_TRY_VAR(result, factory_.newUnary(ParseNodeKind::MutateProto, start, expression));
+    } else {
+        BINJS_TRY_VAR(result, factory_.newObjectMethodOrPropertyDefinition(name, expression, AccessorType::None));
+    }
     return result;
 }
 
 template<typename Tok> JS::Result<ParseNode*>
 BinASTParser<Tok>::parseInterfaceDebuggerStatement(const size_t start, const BinKind kind, const BinFields& fields)
 {
     return raiseError("FIXME: Not implemented yet in this preview release (DebuggerStatement)");
 }
@@ -4446,17 +4451,17 @@ BinASTParser<Tok>::parseInterfaceScript(
 #if defined(DEBUG)
     const BinField expected_fields[3] = { BinField::Scope, BinField::Directives, BinField::Statements };
     MOZ_TRY(tokenizer_->checkFields(kind, fields, expected_fields));
 #endif // defined(DEBUG)
 
     MOZ_TRY(parseAssertedScriptGlobalScope());
 
     BINJS_MOZ_TRY_DECL(directives, parseListOfDirective());
-
+    forceStrictIfNecessary(parseContext_->sc(), directives);
     BINJS_MOZ_TRY_DECL(statements, parseListOfStatement());
 
     MOZ_TRY(checkClosedVars(parseContext_->varScope())); BINJS_MOZ_TRY_DECL(result, appendDirectivesToBody(/* body = */ statements, /* directives = */ directives));
     return result;
 }
 
 
 /*
@@ -4533,21 +4538,22 @@ BinASTParser<Tok>::parseInterfaceShortha
 
 #if defined(DEBUG)
     const BinField expected_fields[1] = { BinField::Name };
     MOZ_TRY(tokenizer_->checkFields(kind, fields, expected_fields));
 #endif // defined(DEBUG)
 
     BINJS_MOZ_TRY_DECL(name, parseIdentifierExpression());
 
-    if (!factory_.isUsableAsObjectPropertyName(name)) {
-        BINJS_TRY_VAR(name, factory_.newObjectLiteralPropertyName(name->name(), tokenizer_->pos(start)));
-    }
-
-    BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(name, name, AccessorType::None));
+    MOZ_ASSERT(name->isKind(ParseNodeKind::Name));
+    MOZ_ASSERT(!factory_.isUsableAsObjectPropertyName(name));
+    BINJS_TRY_DECL(propName, factory_.newObjectLiteralPropertyName(name->name(), tokenizer_->pos(start)));
+
+    BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(propName, name, AccessorType::None));
+    result->setKind(ParseNodeKind::Shorthand);
     return result;
 }
 
 template<typename Tok> JS::Result<ParseNode*>
 BinASTParser<Tok>::parseInterfaceSpreadElement(const size_t start, const BinKind kind, const BinFields& fields)
 {
     return raiseError("FIXME: Not implemented yet in this preview release (SpreadElement)");
 }
@@ -5079,18 +5085,20 @@ BinASTParser<Tok>::parseInterfaceWithSta
 
 #if defined(DEBUG)
     const BinField expected_fields[2] = { BinField::Object, BinField::Body };
     MOZ_TRY(tokenizer_->checkFields(kind, fields, expected_fields));
 #endif // defined(DEBUG)
 
     BINJS_MOZ_TRY_DECL(object, parseExpression());
 
+    ParseContext::Statement stmt(parseContext_, StatementKind::With);
     BINJS_MOZ_TRY_DECL(body, parseStatement());
 
+    parseContext_->sc()->setBindingsAccessedDynamically();
     BINJS_TRY_DECL(result, factory_.newWithStatement(start, object, body));
     return result;
 }
 
 template<typename Tok> JS::Result<ParseNode*>
 BinASTParser<Tok>::parseInterfaceYieldExpression(const size_t start, const BinKind kind, const BinFields& fields)
 {
     return raiseError("FIXME: Not implemented yet in this preview release (YieldExpression)");
--- a/js/src/frontend/BinSource.cpp
+++ b/js/src/frontend/BinSource.cpp
@@ -209,39 +209,41 @@ BinASTParser<Tok>::parseLazyFunction(Scr
     BINJS_TRY_DECL(lexicalScopeData, NewLexicalScopeData(cx_, lexicalScope, alloc_, parseContext_));
     BINJS_TRY_DECL(body, factory_.newLexicalScope(*lexicalScopeData, tmpBody));
 
     auto binKind = isExpr ? BinKind::LazyFunctionExpression : BinKind::LazyFunctionDeclaration;
     return buildFunction(firstOffset, binKind, nullptr, params, body, funbox);
 }
 
 template<typename Tok> void
-BinASTParser<Tok>::forceStrictIfNecessary(FunctionBox* funbox, ListNode* directives)
+BinASTParser<Tok>::forceStrictIfNecessary(SharedContext* sc, ListNode* directives)
 {
     JSAtom* useStrict = cx_->names().useStrict;
 
     for (const ParseNode* directive : directives->contents()) {
         if (directive->as<NameNode>().atom() == useStrict) {
-            funbox->strictScript = true;
+            sc->strictScript = true;
             break;
         }
     }
 }
 
 template<typename Tok> JS::Result<FunctionBox*>
 BinASTParser<Tok>::buildFunctionBox(GeneratorKind generatorKind,
     FunctionAsyncKind functionAsyncKind,
     FunctionSyntaxKind syntax,
     ParseNode* name)
 {
     MOZ_ASSERT_IF(!parseContext_, lazyScript_);
 
     RootedAtom atom(cx_);
-    if (name) {
-        atom = name->name();
+
+    // Name might be any of {Identifier,ComputedPropertyName,LiteralPropertyName}
+    if (name && name->is<NameNode>()) {
+        atom = name->as<NameNode>().atom();
     }
 
     if (parseContext_ && syntax == FunctionSyntaxKind::Statement) {
         auto ptr = parseContext_->varScope().lookupDeclaredName(atom);
         if (!ptr) {
             return raiseError("FunctionDeclaration without corresponding AssertedDeclaredName.");
         }
 
@@ -333,30 +335,59 @@ BinASTParser<Tok>::buildFunction(const s
 
         // TODO (efaust): This capture will have to come from encoder side for arrow functions.
     }
 
     // This models PerHandlerParser::declaeFunctionArgumentsObject, with some subtleties removed,
     // as they don't yet apply to us.
     HandlePropertyName arguments = cx_->names().arguments;
     if (hasUsedName(arguments) || parseContext_->functionBox()->bindingsAccessedDynamically()) {
+        funbox->usesArguments = true;
+
         ParseContext::Scope& funScope = parseContext_->functionScope();
         ParseContext::Scope::AddDeclaredNamePtr p = funScope.lookupDeclaredNameForAdd(arguments);
         if (!p) {
             BINJS_TRY(funScope.addDeclaredName(parseContext_, p, arguments, DeclarationKind::Var,
                                                DeclaredNameInfo::npos));
             funbox->declaredArguments = true;
-            funbox->usesArguments = true;
+        } else if (p->value()->kind() != DeclarationKind::Var) {
+            // Lexicals, formal parameters, and body level functions shadow.
+            funbox->usesArguments = false;
+        }
 
+        if (funbox->usesArguments) {
             funbox->setArgumentsHasLocalBinding();
-            funbox->setDefinitelyNeedsArgsObj();
+
+            if (parseContext_->sc()->bindingsAccessedDynamically() ||
+                parseContext_->sc()->hasDebuggerStatement())
+            {
+                funbox->setDefinitelyNeedsArgsObj();
+            }
         }
     }
 
-    // Check all our bindings after maybe adding function This.
+    if (funbox->needsDotGeneratorName()) {
+        ParseContext::Scope& funScope = parseContext_->functionScope();
+        HandlePropertyName dotGenerator = cx_->names().dotGenerator;
+        ParseContext::Scope::AddDeclaredNamePtr p = funScope.lookupDeclaredNameForAdd(dotGenerator);
+        if (!p) {
+            BINJS_TRY(funScope.addDeclaredName(parseContext_, p, dotGenerator, DeclarationKind::Var,
+                                               DeclaredNameInfo::npos));
+        }
+
+        BINJS_TRY(usedNames_.noteUse(cx_, dotGenerator, parseContext_->scriptId(),
+                                     parseContext_->innermostScope()->id()));
+
+        BINJS_TRY_DECL(dotGen, factory_.newName(dotGenerator,
+                                                tokenizer_->pos(tokenizer_->offset()), cx_));
+
+        BINJS_TRY(factory_.prependInitialYield(&body->as<ListNode>(), dotGen));
+    }
+
+    // Check all our bindings after maybe adding function metavars.
     MOZ_TRY(checkFunctionClosedVars());
 
     BINJS_TRY_DECL(bindings,
              NewFunctionScopeData(cx_, parseContext_->functionScope(),
                                   /* hasParameterExprs = */ false, alloc_, parseContext_));
 
     funbox->functionScopeBindings().set(*bindings);
 
--- a/js/src/frontend/BinSource.h
+++ b/js/src/frontend/BinSource.h
@@ -224,17 +224,17 @@ class BinASTParser : public BinASTParser
 
     // --- Utilities.
 
     MOZ_MUST_USE JS::Result<ParseNode*> appendDirectivesToBody(ListNode* body,
         ListNode* directives);
 
     // Optionally force a strict context without restarting the parse when we see a strict
     // directive.
-    void forceStrictIfNecessary(FunctionBox* funbox, ListNode* directives);
+    void forceStrictIfNecessary(SharedContext* sc, ListNode* directives);
 
   private: // Implement ErrorReporter
     const JS::ReadOnlyCompileOptions& options_;
 
     const JS::ReadOnlyCompileOptions& options() const override {
         return this->options_;
     }
 
--- a/js/src/frontend/BinSource.yaml
+++ b/js/src/frontend/BinSource.yaml
@@ -617,17 +617,22 @@ ContinueStatement:
         BINJS_TRY_DECL(result, factory_.newContinueStatement(label ? label->asPropertyName() : nullptr, tokenizer_->pos(start)));
 
 DataProperty:
     build: |
         if (!factory_.isUsableAsObjectPropertyName(name)) {
             return raiseError("DataProperty key kind");
         }
 
-        BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(name, expression, AccessorType::None));
+        ParseNode* result;
+        if (name->template is<NameNode>() && name->template as<NameNode>().atom() == cx_->names().proto) {
+            BINJS_TRY_VAR(result, factory_.newUnary(ParseNodeKind::MutateProto, start, expression));
+        } else {
+            BINJS_TRY_VAR(result, factory_.newObjectMethodOrPropertyDefinition(name, expression, AccessorType::None));
+        }
 
 Directive:
     build: |
         TokenPos pos = tokenizer_->pos(start);
         BINJS_TRY_DECL(result, factory_.newStringLiteral(rawValue, pos));
 
 DoWhileStatement:
     init:
@@ -1091,27 +1096,32 @@ ReturnStatement:
             return raiseInvalidKind("Toplevel Statement", kind);
         }
 
         parseContext_->functionBox()->usesReturn = true;
     build:
         BINJS_TRY_DECL(result, factory_.newReturnStatement(expression, tokenizer_->pos(start)));
 
 Script:
+    fields:
+        directives:
+            after: |
+                forceStrictIfNecessary(parseContext_->sc(), directives);
     build:
         MOZ_TRY(checkClosedVars(parseContext_->varScope()));
         BINJS_MOZ_TRY_DECL(result, appendDirectivesToBody(/* body = */ statements, /* directives = */ directives));
 
 ShorthandProperty:
     build: |
-        if (!factory_.isUsableAsObjectPropertyName(name)) {
-            BINJS_TRY_VAR(name, factory_.newObjectLiteralPropertyName(name->name(), tokenizer_->pos(start)));
-        }
+        MOZ_ASSERT(name->isKind(ParseNodeKind::Name));
+        MOZ_ASSERT(!factory_.isUsableAsObjectPropertyName(name));
+        BINJS_TRY_DECL(propName, factory_.newObjectLiteralPropertyName(name->name(), tokenizer_->pos(start)));
 
-        BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(name, name, AccessorType::None));
+        BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(propName, name, AccessorType::None));
+        result->setKind(ParseNodeKind::Shorthand);
 
 SwitchCase:
     type-ok:
         CaseClause*
     build: |
         BINJS_TRY_DECL(result, factory_.newCaseOrDefault(start, test, consequent));
 
 SwitchDefault:
@@ -1332,10 +1342,15 @@ VariableDeclarator:
 
 WhileStatement:
     init:
         ParseContext::Statement stmt(parseContext_, StatementKind::WhileLoop);
     build:
         BINJS_TRY_DECL(result, factory_.newWhileStatement(start, test, body));
 
 WithStatement:
-    build:
+    fields:
+        body:
+            before: |
+                ParseContext::Statement stmt(parseContext_, StatementKind::With);
+    build: |
+        parseContext_->sc()->setBindingsAccessedDynamically();
         BINJS_TRY_DECL(result, factory_.newWithStatement(start, object, body));
--- a/js/src/gc/GC.cpp
+++ b/js/src/gc/GC.cpp
@@ -2088,18 +2088,18 @@ ZoneHeapThreshold::computeZoneHeapGrowth
     // the heap grow to 150%. For high frequency GCs we let the heap grow
     // depending on the heap size:
     //   lastBytes < highFrequencyLowLimit: 300%
     //   lastBytes > highFrequencyHighLimit: 150%
     //   otherwise: linear interpolation between 300% and 150% based on lastBytes
 
     float minRatio = tunables.highFrequencyHeapGrowthMin();
     float maxRatio = tunables.highFrequencyHeapGrowthMax();
-    float lowLimit = tunables.highFrequencyLowLimitBytes();
-    float highLimit = tunables.highFrequencyHighLimitBytes();
+    size_t lowLimit = tunables.highFrequencyLowLimitBytes();
+    size_t highLimit = tunables.highFrequencyHighLimitBytes();
 
     MOZ_ASSERT(minRatio <= maxRatio);
     MOZ_ASSERT(lowLimit < highLimit);
 
     if (lastBytes <= lowLimit) {
         return maxRatio;
     }
 
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -69,45 +69,47 @@ struct js::Nursery::Canary
 };
 #endif
 
 namespace js {
 struct NurseryChunk {
     char data[Nursery::NurseryChunkUsableSize];
     gc::ChunkTrailer trailer;
     static NurseryChunk* fromChunk(gc::Chunk* chunk);
-    void poisonAndInit(JSRuntime* rt);
-    void poisonAfterSweep();
+    void poisonAndInit(JSRuntime* rt, size_t extent = ChunkSize);
+    void poisonAfterSweep(size_t extent = ChunkSize);
     uintptr_t start() const { return uintptr_t(&data); }
     uintptr_t end() const { return uintptr_t(&trailer); }
     gc::Chunk* toChunk(JSRuntime* rt);
 };
 static_assert(sizeof(js::NurseryChunk) == gc::ChunkSize,
               "Nursery chunk size must match gc::Chunk size.");
 
 } /* namespace js */
 
 inline void
-js::NurseryChunk::poisonAndInit(JSRuntime* rt)
+js::NurseryChunk::poisonAndInit(JSRuntime* rt, size_t extent)
 {
-    MOZ_MAKE_MEM_UNDEFINED(this, ChunkSize);
+    MOZ_ASSERT(extent <= ChunkSize);
+    MOZ_MAKE_MEM_UNDEFINED(this, extent);
 
-    JS_POISON(this, JS_FRESH_NURSERY_PATTERN, ChunkSize, MemCheckKind::MakeUndefined);
+    JS_POISON(this, JS_FRESH_NURSERY_PATTERN, extent, MemCheckKind::MakeUndefined);
 
     new (&trailer) gc::ChunkTrailer(rt, &rt->gc.storeBuffer());
 }
 
 inline void
-js::NurseryChunk::poisonAfterSweep()
+js::NurseryChunk::poisonAfterSweep(size_t extent)
 {
+    MOZ_ASSERT(extent <= ChunkSize);
     // We can poison the same chunk more than once, so first make sure memory
     // sanitizers will let us poison it.
-    MOZ_MAKE_MEM_UNDEFINED(this, ChunkSize);
+    MOZ_MAKE_MEM_UNDEFINED(this, extent);
 
-    JS_POISON(this, JS_SWEPT_NURSERY_PATTERN, ChunkSize, MemCheckKind::MakeNoAccess);
+    JS_POISON(this, JS_SWEPT_NURSERY_PATTERN, extent, MemCheckKind::MakeNoAccess);
 }
 
 /* static */ inline js::NurseryChunk*
 js::NurseryChunk::fromChunk(Chunk* chunk)
 {
     return reinterpret_cast<NurseryChunk*>(chunk);
 }
 
@@ -170,17 +172,17 @@ js::Nursery::init(uint32_t maxNurseryByt
 
     maxChunkCount_ = 1;
     if (!allocateNextChunk(0, lock)) {
         maxChunkCount_ = 0;
         return false;
     }
     /* After this point the Nursery has been enabled */
 
-    setCurrentChunk(0);
+    setCurrentChunk(0, true);
     setStartPosition();
 
     char* env = getenv("JS_GC_PROFILE_NURSERY");
     if (env) {
         if (0 == strcmp(env, "help")) {
             fprintf(stderr, "JS_GC_PROFILE_NURSERY=N\n"
                     "\tReport minor GC's taking at least N microseconds.\n");
             exit(0);
@@ -226,17 +228,17 @@ js::Nursery::enable()
         AutoLockGCBgAlloc lock(runtime());
         maxChunkCount_ = 1;
         if (!allocateNextChunk(0, lock)) {
             maxChunkCount_ = 0;
             return;
         }
     }
 
-    setCurrentChunk(0);
+    setCurrentChunk(0, true);
     setStartPosition();
 #ifdef JS_GC_ZEAL
     if (runtime()->hasZealMode(ZealMode::GenerationalGC)) {
         enterZealMode();
     }
 #endif
 
     MOZ_ALWAYS_TRUE(runtime()->gc.storeBuffer().enable());
@@ -297,17 +299,17 @@ js::Nursery::enterZealMode() {
         maxChunkCount_ = chunkCountLimit();
     }
 }
 
 void
 js::Nursery::leaveZealMode() {
     if (isEnabled()) {
         MOZ_ASSERT(isEmpty());
-        setCurrentChunk(0);
+        setCurrentChunk(0, true);
         setStartPosition();
     }
 }
 #endif // JS_GC_ZEAL
 
 JSObject*
 js::Nursery::allocateObject(JSContext* cx, size_t size, size_t nDynamicSlots, const js::Class* clasp)
 {
@@ -1100,25 +1102,27 @@ js::Nursery::sweep(JSTracer* trc)
     sweepMapAndSetObjects();
 }
 
 void
 js::Nursery::clear()
 {
 #if defined(JS_GC_ZEAL) || defined(JS_CRASH_DIAGNOSTICS)
     /* Poison the nursery contents so touching a freed object will crash. */
-    for (unsigned i = currentStartChunk_; i < allocatedChunkCount(); ++i) {
+    for (unsigned i = currentStartChunk_; i < currentChunk_; ++i) {
         chunk(i).poisonAfterSweep();
     }
+    MOZ_ASSERT(maxChunkCount() > 0);
+    chunk(currentChunk_).poisonAfterSweep(position() - chunk(currentChunk_).start());
 #endif
 
     if (runtime()->hasZealMode(ZealMode::GenerationalGC)) {
         /* Only reset the alloc point when we are close to the end. */
         if (currentChunk_ + 1 == maxChunkCount()) {
-            setCurrentChunk(0);
+            setCurrentChunk(0, true);
         } else {
             // poisonAfterSweep poisons the chunk trailer. Ensure it's
             // initialized.
             chunk(currentChunk_).poisonAndInit(runtime());
         }
     } else {
         setCurrentChunk(0);
     }
@@ -1139,27 +1143,44 @@ js::Nursery::spaceToEnd(unsigned chunkCo
                    ((lastChunk - currentStartChunk_) * NurseryChunkUsableSize);
 
     MOZ_ASSERT(bytes <= maxChunkCount() * NurseryChunkUsableSize);
 
     return bytes;
 }
 
 MOZ_ALWAYS_INLINE void
-js::Nursery::setCurrentChunk(unsigned chunkno)
+js::Nursery::setCurrentChunk(unsigned chunkno, bool fullPoison)
 {
     MOZ_ASSERT(chunkno < chunkCountLimit());
     MOZ_ASSERT(chunkno < allocatedChunkCount());
+
+    if (!fullPoison &&
+        chunkno == currentChunk_ &&
+        position_ < chunk(chunkno).end() &&
+        position_ >= chunk(chunkno).start())
+    {
+        // When we setup a new chunk the whole chunk must be poisoned with the
+        // correct value (JS_FRESH_NURSERY_PATTERN).
+        //  1. The first time it was used it was fully poisoned with the
+        //     correct value.
+        //  2. When it is swept, only the used part is poisoned with the sept
+        //     value.
+        //  3. We repoison the swept part here, with the correct value.
+        chunk(chunkno).poisonAndInit(runtime(), position_ - chunk(chunkno).start());
+    } else {
+        chunk(chunkno).poisonAndInit(runtime());
+    }
+
     currentChunk_ = chunkno;
     position_ = chunk(chunkno).start();
     currentEnd_ = chunk(chunkno).end();
     if (canAllocateStrings_) {
         currentStringEnd_ = currentEnd_;
     }
-    chunk(chunkno).poisonAndInit(runtime());
 }
 
 bool
 js::Nursery::allocateNextChunk(const unsigned chunkno,
     AutoLockGCBgAlloc& lock)
 {
     const unsigned priorCount = allocatedChunkCount();
     const unsigned newCount = priorCount + 1;
--- a/js/src/gc/Nursery.h
+++ b/js/src/gc/Nursery.h
@@ -504,17 +504,24 @@ class Nursery
     struct Canary;
     Canary* lastCanary_;
 #endif
 
     NurseryChunk& chunk(unsigned index) const {
         return *chunks_[index];
     }
 
-    void setCurrentChunk(unsigned chunkno);
+    /*
+     * Set the current chunk. This updates the currentChunk_, position_
+     * currentEnd_ and currentStringEnd_ values as approprite. It'll also
+     * poison the chunk, either a portion of the chunk if it is already the
+     * current chunk, or the whole chunk if fullPoison is true or it is not
+     * the current chunk.
+     */
+    void setCurrentChunk(unsigned chunkno, bool fullPoison = false);
     void setStartPosition();
 
     /*
      * Allocate the next chunk, or the first chunk for initialization.
      * Callers will probably want to call setCurrentChunk(0) next.
      */
     MOZ_MUST_USE bool allocateNextChunk(unsigned chunkno,
         AutoLockGCBgAlloc& lock);
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..88139f6dfe48a27b3ebfce1f9c56d70128f0b9dd
GIT binary patch
literal 388
zc${5OO-sW-5M7oKiWDg#QpAIlB0YEzuU<?wgouffEnb3$Niy1%&4-gwnqThKG)1;J
zbD1|Y@6E?Dj31OtgT#v>FL~7kR;;<Z`H`oKZ~$)_$=@`DZL8~Q;k7LiV{wnU0m34N
z5@$<Y6}o!2gsVr*NMPcx5=rNlfAIpOAv3t+1NXW4|6EPie`8cmy5Ydo85ot<4W8YB
zF?)J8R1Az|zrp!a_JKLu%6O+TQ|p>|4OQ_>y%KSEx#j3Q!ZO=GGF7W2j00ugF(1j!
y{RWbo2@IS0pXn;`ecQpuV@EntY+VR<B;|o4Trt@6c7V>2JP~4YC|qYM_KLqJ4t{<B
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/binast/shorthand.js
@@ -0,0 +1,3 @@
+var y = 6;
+var x = { y };
+assertEq(x.y, 6);
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1498177.js
@@ -0,0 +1,17 @@
+
+let a, b;
+for (i=0; i < 300000; i++) {
+    let c = { a: a, b: b };
+    a = b;
+    b = c;
+}
+
+gc();
+
+// GCRuntime::setHighFrequencyHighLimit will change the low value to be one
+// byte lower than the high value (if necessary).  But this blew up later
+// when the values were mistakingly cast to float then compared, rather than
+// kept as size_t.
+gcparam('highFrequencyHighLimit', 99);
+
+
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/typedarray/oom-allocating-arraybuffer-contents.js
@@ -0,0 +1,15 @@
+// |jit-test| skip-if: !('oomTest' in this)
+
+// Resolve ArrayBuffer before OOM-testing, so OOM-testing runs less code and is
+// less fragile.
+var AB = ArrayBuffer;
+
+function f()
+{
+  return new AB(256);
+}
+
+// Create |f|'s script before OOM-testing for the same reason.
+f();
+
+oomTest(f);
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -458,18 +458,17 @@ ArrayBufferObject::class_constructor(JSC
     }
     args.rval().setObject(*bufobj);
     return true;
 }
 
 static ArrayBufferObject::BufferContents
 AllocateArrayBufferContents(JSContext* cx, uint32_t nbytes)
 {
-    uint8_t* p = cx->pod_callocCanGC<uint8_t>(nbytes,
-                                                      js::ArrayBufferContentsArena);
+    uint8_t* p = cx->pod_callocCanGC<uint8_t>(nbytes, js::ArrayBufferContentsArena);
     return ArrayBufferObject::BufferContents::create<ArrayBufferObject::PLAIN>(p);
 }
 
 static void
 NoteViewBufferWasDetached(ArrayBufferViewObject* view,
                           ArrayBufferObject::BufferContents newContents,
                           JSContext* cx)
 {
@@ -1246,16 +1245,17 @@ ArrayBufferObject::create(JSContext* cx,
         if (nbytes <= usableSlots * sizeof(Value)) {
             int newSlots = JS_HOWMANY(nbytes, sizeof(Value));
             MOZ_ASSERT(int(nbytes) <= newSlots * int(sizeof(Value)));
             nslots = reservedSlots + newSlots;
             contents = BufferContents::createPlain(nullptr);
         } else {
             contents = AllocateArrayBufferContents(cx, nbytes);
             if (!contents) {
+                ReportOutOfMemory(cx);
                 return nullptr;
             }
             allocated = true;
         }
     }
 
     MOZ_ASSERT(!(class_.flags & JSCLASS_HAS_PRIVATE));
     gc::AllocKind allocKind = gc::GetGCObjectKind(nslots);
--- a/mobile/android/app/mobile.js
+++ b/mobile/android/app/mobile.js
@@ -835,17 +835,16 @@ pref("consoleservice.logcat", true);
 #ifndef RELEASE_OR_BETA
 // Enable VR on mobile, making it enable by default.
 pref("dom.vr.enabled", true);
 #endif
 
 pref("browser.tabs.showAudioPlayingIcon", true);
 
 pref("dom.serviceWorkers.enabled", true);
-pref("dom.serviceWorkers.interception.enabled", true);
 
 // Allow service workers to open windows for a longer period after a notification
 // click on mobile.  This is to account for some devices being quite slow.
 pref("dom.serviceWorkers.disable_open_click_delay", 5000);
 
 pref("dom.push.debug", false);
 // The upstream autopush endpoint must have the Google API key corresponding to
 // the App's sender ID; we bake this assumption directly into the URL.
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -3703,21 +3703,17 @@ pref("font.name-list.cursive.x-western",
 pref("font.name-list.serif.zh-CN", "SimSun, MS Song, SimSun-ExtB");
 pref("font.name-list.sans-serif.zh-CN", "Microsoft YaHei, SimHei");
 pref("font.name-list.monospace.zh-CN", "SimSun, MS Song, SimSun-ExtB");
 pref("font.name-list.cursive.zh-CN", "KaiTi, KaiTi_GB2312");
 
 // Per Taiwanese users' demand. They don't want to use TC fonts for
 // rendering Latin letters. (bug 88579)
 pref("font.name-list.serif.zh-TW", "Times New Roman, PMingLiu, MingLiU, MingLiU-ExtB");
-#ifdef EARLY_BETA_OR_EARLIER
 pref("font.name-list.sans-serif.zh-TW", "Arial, Microsoft JhengHei, PMingLiU, MingLiU, MingLiU-ExtB");
-#else
-pref("font.name-list.sans-serif.zh-TW", "Arial, PMingLiU, MingLiU, MingLiU-ExtB");
-#endif
 pref("font.name-list.monospace.zh-TW", "MingLiU, MingLiU-ExtB");
 pref("font.name-list.cursive.zh-TW", "DFKai-SB");
 
 // hkscsm3u.ttf (HKSCS-2001) :  http://www.microsoft.com/hk/hkscs
 // Hong Kong users have the same demand about glyphs for Latin letters (bug 88579)
 pref("font.name-list.serif.zh-HK", "Times New Roman, MingLiu_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB");
 pref("font.name-list.sans-serif.zh-HK", "Arial, MingLiU_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB");
 pref("font.name-list.monospace.zh-HK", "MingLiU_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB");
deleted file mode 100644
--- a/security/sandbox/chromium-shim/patches/with_update/mingw_msvc_requirement_error.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-# HG changeset patch
-# User Tom Ritter <tom@mozilla.com>
-# Date 1504104514 18000
-#      Wed Aug 30 09:48:34 2017 -0500
-# Node ID bfcfd788617b9cff6d08a5783a0ece0681fbf523
-# Parent  926edfc5eb283736573cc1cc16ef82646ad8b330
-Bug 1431807 Allow MinGW and silence warning about Windows SDK version r?bobowen
-
-MozReview-Commit-ID: 3aVeqSzRGXB
-
-diff --git a/security/sandbox/chromium/base/win/windows_version.cc b/security/sandbox/chromium/base/win/windows_version.cc
---- a/security/sandbox/chromium/base/win/windows_version.cc
-+++ b/security/sandbox/chromium/base/win/windows_version.cc
-@@ -9,17 +9,17 @@
- #include <memory>
- 
- #include "base/file_version_info_win.h"
- #include "base/files/file_path.h"
- #include "base/logging.h"
- #include "base/strings/utf_string_conversions.h"
- #include "base/win/registry.h"
- 
--#if !defined(__clang__) && _MSC_FULL_VER < 190024213
-+#if !defined(__MINGW32__) && !defined(__clang__) && _MSC_FULL_VER < 190024213
- #error VS 2015 Update 3 with Cumulative Servicing Release or higher is required
- #endif
- 
- namespace {
- typedef BOOL (WINAPI *GetProductInfoPtr)(DWORD, DWORD, DWORD, DWORD, PDWORD);
- }  // namespace
- 
- namespace base {
--- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
+++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
@@ -8,15 +8,14 @@ add_option_to_not_use_restricting_sids.p
 ifdef_out_SequenceChecker_code.patch
 revert_c++14_typename_alias_usage.patch
 revert_c++14_index_sequence_usage.patch
 fix_Wcomma_warning_in_time_cc.patch
 allow_read_only_all_paths_rule.patch
 revert_TargetNtSetInformationThread_change.patch
 mingw_base_win_get_caller.patch
 mingw_duplicate_instatinations.patch
-mingw_msvc_requirement_error.patch
 mingw_copy_s.patch
 mingw_operator_new.patch
 mingw_cast_getprocaddress.patch
 mingw_capitalization.patch
 mingw_noexports_casts.patch
 mingw_offsetof.patch
--- a/security/sandbox/chromium/base/win/windows_version.cc
+++ b/security/sandbox/chromium/base/win/windows_version.cc
@@ -9,17 +9,17 @@
 #include <memory>
 
 #include "base/file_version_info_win.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/win/registry.h"
 
-#if !defined(__MINGW32__) && !defined(__clang__) && _MSC_FULL_VER < 190024213
+#if !defined(__clang__) && _MSC_FULL_VER < 190024213
 #error VS 2015 Update 3 with Cumulative Servicing Release or higher is required
 #endif
 
 namespace {
 typedef BOOL (WINAPI *GetProductInfoPtr)(DWORD, DWORD, DWORD, DWORD, PDWORD);
 }  // namespace
 
 namespace base {