Merge mozilla-beta to release. a=merge FIREFOX_52_0_BUILD2 FIREFOX_52_0_RELEASE
authorRyan VanderMeulen <ryanvm@gmail.com>
Thu, 02 Mar 2017 15:07:02 -0500
changeset 369566 44d6a57ab554308585a67a13035d31b264be781e
parent 369560 d21569fad687d88464d60dba771660a9e51a6b07 (current diff)
parent 369565 25ee9d2ee428d3cc16ba425ad2dd74496cf1d7a6 (diff)
child 369567 aab6e1c401fc76de5273524fd741fe8c41cd8195
child 369569 5b1e2bff2ca380b7d52ca3db00f59aff5ff972c7
push id1380
push userryanvm@gmail.com
push dateThu, 02 Mar 2017 20:07:08 +0000
treeherdermozilla-release@44d6a57ab554 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmerge
milestone52.0
Merge mozilla-beta to release. a=merge
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@@ -1034,38 +1034,36 @@ static void
 AllocateObjectBufferWithInit(JSContext* cx, TypedArrayObject* obj, int32_t count)
 {
     JS::AutoCheckCannotGC nogc(cx);
 
     obj->initPrivate(nullptr);
 
     // Negative numbers or zero will bail out to the slow path, which in turn will raise
     // an invalid argument exception or create a correct object with zero elements.
-    if (count <= 0) {
+    if (count <= 0 || uint32_t(count) >= INT32_MAX / obj->bytesPerElement()) {
         obj->setFixedSlot(TypedArrayObject::LENGTH_SLOT, Int32Value(0));
         return;
     }
 
     obj->setFixedSlot(TypedArrayObject::LENGTH_SLOT, Int32Value(count));
     size_t nbytes;
 
     switch (obj->type()) {
 #define CREATE_TYPED_ARRAY(T, N) \
       case Scalar::N: \
-        if (!js::CalculateAllocSize<T>(count, &nbytes)) \
-            return; \
+        MOZ_ALWAYS_TRUE(js::CalculateAllocSize<T>(count, &nbytes)); \
         break;
 JS_FOR_EACH_TYPED_ARRAY(CREATE_TYPED_ARRAY)
 #undef CREATE_TYPED_ARRAY
       default:
         MOZ_CRASH("Unsupported TypedArray type");
     }
 
-    if (!(CheckedUint32(nbytes) + sizeof(Value)).isValid())
-        return;
+    MOZ_ASSERT((CheckedUint32(nbytes) + sizeof(Value)).isValid());
 
     nbytes = JS_ROUNDUP(nbytes, sizeof(Value));
     Nursery& nursery = cx->runtime()->gc.nursery;
     void* buf = nursery.allocateBuffer(obj, nbytes);
     if (buf) {
         obj->initPrivate(buf);
         memset(buf, 0, nbytes);
     }
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -665,22 +665,24 @@ class TypedArrayObjectTemplate : public 
             tarray->initPrivate(data);
             memset(data, 0, nbytes);
         }
     }
 
     static TypedArrayObject*
     makeTypedArrayWithTemplate(JSContext* cx, TypedArrayObject* templateObj, int32_t len)
     {
-        size_t nbytes;
-        if (len < 0 || !js::CalculateAllocSize<NativeType>(len, &nbytes)) {
+        if (len < 0 || uint32_t(len) >= INT32_MAX / sizeof(NativeType)) {
             JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_TYPED_ARRAY_BAD_ARGS);
             return nullptr;
         }
 
+        size_t nbytes;
+        MOZ_ALWAYS_TRUE(js::CalculateAllocSize<NativeType>(len, &nbytes));
+
         bool fitsInline = nbytes <= INLINE_BUFFER_LIMIT;
 
         AutoSetNewObjectMetadata metadata(cx);
 
         const Class* clasp = templateObj->group()->clasp();
         gc::AllocKind allocKind = !fitsInline
                                   ? GetGCObjectKind(clasp)
                                   : AllocKindForLazyBuffer(nbytes);
new file mode 100644
--- /dev/null
+++ b/layout/base/crashtests/1343606.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<style>
+body {
+  columns: 5;
+  column-fill: auto;
+  height: 100px;
+}
+div {
+  display: grid;
+  grid-template-columns: 30px 30px 30px;
+  grid-auto-rows: 30px;
+  border:5px solid;
+}
+span {
+  border:1px solid black;
+}
+</style>
+<script>
+setTimeout(function(){ window.close(); },1000);
+window.onload = function(){
+  let a = document.getElementsByTagName("x")[0],
+      b = document.createTextNode("カ쾊紋鴺");
+  a.appendChild(b);
+  setTimeout(function(){
+    b.remove();
+  }, 0);
+};
+</script>
+</head>
+<body>
+<div>
+<span><x>某שּׁ큤</x></span>
+The quick brown fox jumps over the lazy dog.
+</div>
+</body>
+</html>
--- a/layout/base/crashtests/crashtests.list
+++ b/layout/base/crashtests/crashtests.list
@@ -477,8 +477,9 @@ load 1270797-1.html
 load 1278455-1.html
 load 1286889.html
 load 1297835.html
 load 1288608.html
 load 1299736-1.html
 load 1308793.svg
 load 1308848-1.html
 load 1308848-2.html
+asserts(0-1) load 1343606.html # bug 1343948
--- a/layout/base/nsBidiPresUtils.cpp
+++ b/layout/base/nsBidiPresUtils.cpp
@@ -706,17 +706,18 @@ nsBidiPresUtils::Resolve(nsBlockFrame* a
 #endif
     block->RemoveStateBits(NS_BLOCK_NEEDS_BIDI_RESOLUTION);
     nsBlockInFlowLineIterator it(block, block->LinesBegin());
     bpd.mPrevFrame = nullptr;
     TraverseFrames(&it, block->PrincipalChildList().FirstChild(), &bpd);
     nsBlockFrame::FrameLines* overflowLines = block->GetOverflowLines();
     if (overflowLines) {
       nsBlockInFlowLineIterator it(block, overflowLines->mLines.begin(), true);
-      TraverseFrames(&it, block->PrincipalChildList().FirstChild(), &bpd);
+      bpd.mPrevFrame = nullptr;
+      TraverseFrames(&it, overflowLines->mFrames.FirstChild(), &bpd);
     }
   }
 
   if (ch != 0) {
     bpd.PopBidiControl(ch);
   }
 
   return ResolveParagraph(&bpd);
--- a/toolkit/components/remotebrowserutils/tests/browser/browser_RemoteWebNavigation.js
+++ b/toolkit/components/remotebrowserutils/tests/browser/browser_RemoteWebNavigation.js
@@ -1,29 +1,19 @@
-var { interfaces: Ci, classes: Cc, utils: Cu, results: Cr } = Components;
+/* eslint-env mozilla/frame-script */
 
 const DUMMY1 = "http://example.com/browser/toolkit/modules/tests/browser/dummy_page.html";
 const DUMMY2 = "http://example.org/browser/toolkit/modules/tests/browser/dummy_page.html"
 
 function waitForLoad(browser = gBrowser.selectedBrowser) {
-  return new Promise(resolve => {
-    browser.addEventListener("load", function listener() {
-      browser.removeEventListener("load", listener, true);
-      resolve();
-    }, true);
-  });
+  return BrowserTestUtils.browserLoaded(browser);
 }
 
 function waitForPageShow(browser = gBrowser.selectedBrowser) {
-  return new Promise(resolve => {
-    browser.addEventListener("pageshow", function listener() {
-      browser.removeEventListener("pageshow", listener, true);
-      resolve();
-    }, true);
-  });
+  return BrowserTestUtils.waitForContentEvent(browser, "pageshow", true);
 }
 
 function makeURI(url) {
   return Cc["@mozilla.org/network/io-service;1"].
          getService(Ci.nsIIOService).
          newURI(url, null, null);
 }
 
@@ -32,93 +22,109 @@ add_task(function* test_referrer() {
   gBrowser.selectedTab = gBrowser.addTab();
   let browser = gBrowser.selectedBrowser;
 
   browser.webNavigation.loadURI(DUMMY1,
                                 Ci.nsIWebNavigation.LOAD_FLAGS_NONE,
                                 makeURI(DUMMY2),
                                 null, null);
   yield waitForLoad();
-  is(browser.contentWindow.location, DUMMY1, "Should have loaded the right URL");
-  is(browser.contentDocument.referrer, DUMMY2, "Should have the right referrer");
+
+  yield ContentTask.spawn(browser, [ DUMMY1, DUMMY2 ], function([dummy1, dummy2]) {
+    is(content.location, dummy1, "Should have loaded the right URL");
+    is(content.document.referrer, dummy2, "Should have the right referrer");
+  });
 
   gBrowser.removeCurrentTab();
 });
 
 // Tests that remote access to webnavigation.sessionHistory works.
 add_task(function* test_history() {
+  function checkHistoryIndex(browser, n) {
+    return ContentTask.spawn(browser, n, function(n) {
+      let history = docShell.QueryInterface(Ci.nsIInterfaceRequestor)
+                            .getInterface(Ci.nsISHistory);
+      is(history.index, n, "Should be at the right place in history");
+    });
+  }
   gBrowser.selectedTab = gBrowser.addTab();
   let browser = gBrowser.selectedBrowser;
 
   browser.webNavigation.loadURI(DUMMY1,
                                 Ci.nsIWebNavigation.LOAD_FLAGS_NONE,
                                 null, null, null);
   yield waitForLoad();
 
   browser.webNavigation.loadURI(DUMMY2,
                                 Ci.nsIWebNavigation.LOAD_FLAGS_NONE,
                                 null, null, null);
   yield waitForLoad();
 
-  let history = browser.webNavigation.sessionHistory;
-  is(history.count, 2, "Should be two history items");
-  is(history.index, 1, "Should be at the right place in history");
-  let entry = history.getEntryAtIndex(0, false);
-  is(entry.URI.spec, DUMMY1, "Should have the right history entry");
-  entry = history.getEntryAtIndex(1, false);
-  is(entry.URI.spec, DUMMY2, "Should have the right history entry");
+  yield ContentTask.spawn(browser, [DUMMY1, DUMMY2], function([dummy1, dummy2]) {
+    let history = docShell.QueryInterface(Ci.nsIInterfaceRequestor)
+                          .getInterface(Ci.nsISHistory);
+    is(history.count, 2, "Should be two history items");
+    is(history.index, 1, "Should be at the right place in history");
+    let entry = history.getEntryAtIndex(0, false);
+    is(entry.URI.spec, dummy1, "Should have the right history entry");
+    entry = history.getEntryAtIndex(1, false);
+    is(entry.URI.spec, dummy2, "Should have the right history entry");
+  });
 
   let promise = waitForPageShow();
   browser.webNavigation.goBack();
   yield promise;
-  is(history.index, 0, "Should be at the right place in history");
+  yield checkHistoryIndex(browser, 0);
 
   promise = waitForPageShow();
   browser.webNavigation.goForward();
   yield promise;
-  is(history.index, 1, "Should be at the right place in history");
+  yield checkHistoryIndex(browser, 1);
 
   promise = waitForPageShow();
   browser.webNavigation.gotoIndex(0);
   yield promise;
-  is(history.index, 0, "Should be at the right place in history");
+  yield checkHistoryIndex(browser, 0);
 
   gBrowser.removeCurrentTab();
 });
 
 // Tests that load flags are passed through to the content process.
 add_task(function* test_flags() {
+  function checkHistory(browser, { count, index }) {
+    return ContentTask.spawn(browser, [ DUMMY2, count, index ],
+      function([ dummy2, count, index ]) {
+        let history = docShell.QueryInterface(Ci.nsIInterfaceRequestor)
+                              .getInterface(Ci.nsISHistory);
+        is(history.count, count, "Should be one history item");
+        is(history.index, index, "Should be at the right place in history");
+        let entry = history.getEntryAtIndex(index, false);
+        is(entry.URI.spec, dummy2, "Should have the right history entry");
+      });
+  }
+
   gBrowser.selectedTab = gBrowser.addTab();
   let browser = gBrowser.selectedBrowser;
 
   browser.webNavigation.loadURI(DUMMY1,
                                 Ci.nsIWebNavigation.LOAD_FLAGS_NONE,
                                 null, null, null);
   yield waitForLoad();
 
   browser.webNavigation.loadURI(DUMMY2,
                                 Ci.nsIWebNavigation.LOAD_FLAGS_REPLACE_HISTORY,
                                 null, null, null);
   yield waitForLoad();
-
-  let history = browser.webNavigation.sessionHistory;
-  is(history.count, 1, "Should be one history item");
-  is(history.index, 0, "Should be at the right place in history");
-  let entry = history.getEntryAtIndex(0, false);
-  is(entry.URI.spec, DUMMY2, "Should have the right history entry");
+  yield checkHistory(browser, { count: 1, index: 0 });
 
   browser.webNavigation.loadURI(DUMMY1,
                                 Ci.nsIWebNavigation.LOAD_FLAGS_BYPASS_HISTORY,
                                 null, null, null);
   yield waitForLoad();
-
-  is(history.count, 1, "Should still be one history item");
-  is(history.index, 0, "Should be at the right place in history");
-  entry = history.getEntryAtIndex(0, false);
-  is(entry.URI.spec, DUMMY2, "Should have the right history entry");
+  yield checkHistory(browser, { count: 1, index: 0 });
 
   gBrowser.removeCurrentTab();
 });
 
 // Tests that attempts to use unsupported arguments throw an exception.
 add_task(function* test_badarguments() {
   if (!gMultiProcessBrowser)
     return;