Merge mozilla-central to autoland. a=merge CLOSED TREE
authorNoemi Erli <nerli@mozilla.com>
Tue, 16 Oct 2018 07:29:17 +0300
changeset 489751 b6f7a0b4345849cc9cf9a40abe1ff16cf1a6d905
parent 489750 2e7851b166cebcab9f5df591f33bc8d234f1ff7c (current diff)
parent 489711 3c8790a73b7f31b253704a07e1bf7d0a65696b04 (diff)
child 489752 583d689d630e68cb1f2ae5ae1e7f27f2ca28f359
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewersmerge
milestone64.0a1
Merge mozilla-central to autoland. a=merge CLOSED TREE
security/sandbox/chromium-shim/patches/with_update/mingw_msvc_requirement_error.patch
--- a/devtools/shared/client/thread-client.js
+++ b/devtools/shared/client/thread-client.js
@@ -694,16 +694,40 @@ ThreadClient.prototype = {
     this.client._eventsEnabled && this.emit(packet.type, packet);
   },
 
   getLastPausePacket: function() {
     return this._lastPausePacket;
   },
 
   /**
+   * Requests to set XHR breakpoint
+   * @param string path
+   *        pause when url contains `path`
+   * @param string method
+   *        pause when method of request is `method`
+   */
+  setXHRBreakpoint: DebuggerClient.requester({
+    type: "setXHRBreakpoint",
+    path: arg(0),
+    method: arg(1)
+  }),
+
+  /**
+   * Request to remove XHR breakpoint
+   * @param string path
+   * @param string method
+   */
+  removeXHRBreakpoint: DebuggerClient.requester({
+    type: "removeXHRBreakpoint",
+    path: arg(0),
+    method: arg(1)
+  }),
+
+  /**
    * Return an EnvironmentClient instance for the given environment actor form.
    */
   environment: function(form) {
     return new EnvironmentClient(this.client, form);
   },
 
   /**
    * Return an instance of SourceClient for the given source actor form.
--- a/dom/bindings/BindingUtils.cpp
+++ b/dom/bindings/BindingUtils.cpp
@@ -4211,19 +4211,35 @@ GetPerInterfaceObjectHandle(JSContext* a
    * it's not possible for the object to be gray here.
    */
 
   const JS::Heap<JSObject*>& entrySlot =
     protoAndIfaceCache.EntrySlotMustExist(aSlotId);
   MOZ_ASSERT(JS::ObjectIsNotGray(entrySlot));
 
   if (!entrySlot) {
-    if (aSlotId == prototypes::id::HTMLDocument ||
-        aSlotId == prototypes::id::Document) {
-      MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create the per-interface object");
+    switch (aSlotId) {
+      case prototypes::id::HTMLDocument: {
+         MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create HTMLDocument.prototype");
+         break;
+      }
+      case prototypes::id::Document: {
+        MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create Document.prototype");
+        break;
+      }
+      case prototypes::id::Node: {
+        MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create Node.prototype");
+        break;
+      }
+      case prototypes::id::EventTarget: {
+        MOZ_CRASH("Looks like bug 1488480/1405521, with aCreator failing to create EventTarget.prototype");
+        break;
+      }
+      default:
+      break;
     }
   }
 
   return JS::Handle<JSObject*>::fromMarkedLocation(entrySlot.address());
 }
 
 namespace binding_detail {
 bool
--- a/js/src/frontend/BinSource-auto.cpp
+++ b/js/src/frontend/BinSource-auto.cpp
@@ -3127,17 +3127,22 @@ BinASTParser<Tok>::parseInterfaceDataPro
     BINJS_MOZ_TRY_DECL(name, parsePropertyName());
 
     BINJS_MOZ_TRY_DECL(expression, parseExpression());
 
     if (!factory_.isUsableAsObjectPropertyName(name)) {
         return raiseError("DataProperty key kind");
     }
 
-    BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(name, expression, AccessorType::None));
+    ParseNode* result;
+    if (name->template is<NameNode>() && name->template as<NameNode>().atom() == cx_->names().proto) {
+        BINJS_TRY_VAR(result, factory_.newUnary(ParseNodeKind::MutateProto, start, expression));
+    } else {
+        BINJS_TRY_VAR(result, factory_.newObjectMethodOrPropertyDefinition(name, expression, AccessorType::None));
+    }
     return result;
 }
 
 template<typename Tok> JS::Result<ParseNode*>
 BinASTParser<Tok>::parseInterfaceDebuggerStatement(const size_t start, const BinKind kind, const BinFields& fields)
 {
     return raiseError("FIXME: Not implemented yet in this preview release (DebuggerStatement)");
 }
@@ -4446,17 +4451,17 @@ BinASTParser<Tok>::parseInterfaceScript(
 #if defined(DEBUG)
     const BinField expected_fields[3] = { BinField::Scope, BinField::Directives, BinField::Statements };
     MOZ_TRY(tokenizer_->checkFields(kind, fields, expected_fields));
 #endif // defined(DEBUG)
 
     MOZ_TRY(parseAssertedScriptGlobalScope());
 
     BINJS_MOZ_TRY_DECL(directives, parseListOfDirective());
-
+    forceStrictIfNecessary(parseContext_->sc(), directives);
     BINJS_MOZ_TRY_DECL(statements, parseListOfStatement());
 
     MOZ_TRY(checkClosedVars(parseContext_->varScope())); BINJS_MOZ_TRY_DECL(result, appendDirectivesToBody(/* body = */ statements, /* directives = */ directives));
     return result;
 }
 
 
 /*
@@ -4533,21 +4538,22 @@ BinASTParser<Tok>::parseInterfaceShortha
 
 #if defined(DEBUG)
     const BinField expected_fields[1] = { BinField::Name };
     MOZ_TRY(tokenizer_->checkFields(kind, fields, expected_fields));
 #endif // defined(DEBUG)
 
     BINJS_MOZ_TRY_DECL(name, parseIdentifierExpression());
 
-    if (!factory_.isUsableAsObjectPropertyName(name)) {
-        BINJS_TRY_VAR(name, factory_.newObjectLiteralPropertyName(name->name(), tokenizer_->pos(start)));
-    }
-
-    BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(name, name, AccessorType::None));
+    MOZ_ASSERT(name->isKind(ParseNodeKind::Name));
+    MOZ_ASSERT(!factory_.isUsableAsObjectPropertyName(name));
+    BINJS_TRY_DECL(propName, factory_.newObjectLiteralPropertyName(name->name(), tokenizer_->pos(start)));
+
+    BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(propName, name, AccessorType::None));
+    result->setKind(ParseNodeKind::Shorthand);
     return result;
 }
 
 template<typename Tok> JS::Result<ParseNode*>
 BinASTParser<Tok>::parseInterfaceSpreadElement(const size_t start, const BinKind kind, const BinFields& fields)
 {
     return raiseError("FIXME: Not implemented yet in this preview release (SpreadElement)");
 }
@@ -5079,18 +5085,20 @@ BinASTParser<Tok>::parseInterfaceWithSta
 
 #if defined(DEBUG)
     const BinField expected_fields[2] = { BinField::Object, BinField::Body };
     MOZ_TRY(tokenizer_->checkFields(kind, fields, expected_fields));
 #endif // defined(DEBUG)
 
     BINJS_MOZ_TRY_DECL(object, parseExpression());
 
+    ParseContext::Statement stmt(parseContext_, StatementKind::With);
     BINJS_MOZ_TRY_DECL(body, parseStatement());
 
+    parseContext_->sc()->setBindingsAccessedDynamically();
     BINJS_TRY_DECL(result, factory_.newWithStatement(start, object, body));
     return result;
 }
 
 template<typename Tok> JS::Result<ParseNode*>
 BinASTParser<Tok>::parseInterfaceYieldExpression(const size_t start, const BinKind kind, const BinFields& fields)
 {
     return raiseError("FIXME: Not implemented yet in this preview release (YieldExpression)");
--- a/js/src/frontend/BinSource.cpp
+++ b/js/src/frontend/BinSource.cpp
@@ -209,39 +209,41 @@ BinASTParser<Tok>::parseLazyFunction(Scr
     BINJS_TRY_DECL(lexicalScopeData, NewLexicalScopeData(cx_, lexicalScope, alloc_, parseContext_));
     BINJS_TRY_DECL(body, factory_.newLexicalScope(*lexicalScopeData, tmpBody));
 
     auto binKind = isExpr ? BinKind::LazyFunctionExpression : BinKind::LazyFunctionDeclaration;
     return buildFunction(firstOffset, binKind, nullptr, params, body, funbox);
 }
 
 template<typename Tok> void
-BinASTParser<Tok>::forceStrictIfNecessary(FunctionBox* funbox, ListNode* directives)
+BinASTParser<Tok>::forceStrictIfNecessary(SharedContext* sc, ListNode* directives)
 {
     JSAtom* useStrict = cx_->names().useStrict;
 
     for (const ParseNode* directive : directives->contents()) {
         if (directive->as<NameNode>().atom() == useStrict) {
-            funbox->strictScript = true;
+            sc->strictScript = true;
             break;
         }
     }
 }
 
 template<typename Tok> JS::Result<FunctionBox*>
 BinASTParser<Tok>::buildFunctionBox(GeneratorKind generatorKind,
     FunctionAsyncKind functionAsyncKind,
     FunctionSyntaxKind syntax,
     ParseNode* name)
 {
     MOZ_ASSERT_IF(!parseContext_, lazyScript_);
 
     RootedAtom atom(cx_);
-    if (name) {
-        atom = name->name();
+
+    // Name might be any of {Identifier,ComputedPropertyName,LiteralPropertyName}
+    if (name && name->is<NameNode>()) {
+        atom = name->as<NameNode>().atom();
     }
 
     if (parseContext_ && syntax == FunctionSyntaxKind::Statement) {
         auto ptr = parseContext_->varScope().lookupDeclaredName(atom);
         if (!ptr) {
             return raiseError("FunctionDeclaration without corresponding AssertedDeclaredName.");
         }
 
@@ -333,30 +335,59 @@ BinASTParser<Tok>::buildFunction(const s
 
         // TODO (efaust): This capture will have to come from encoder side for arrow functions.
     }
 
     // This models PerHandlerParser::declaeFunctionArgumentsObject, with some subtleties removed,
     // as they don't yet apply to us.
     HandlePropertyName arguments = cx_->names().arguments;
     if (hasUsedName(arguments) || parseContext_->functionBox()->bindingsAccessedDynamically()) {
+        funbox->usesArguments = true;
+
         ParseContext::Scope& funScope = parseContext_->functionScope();
         ParseContext::Scope::AddDeclaredNamePtr p = funScope.lookupDeclaredNameForAdd(arguments);
         if (!p) {
             BINJS_TRY(funScope.addDeclaredName(parseContext_, p, arguments, DeclarationKind::Var,
                                                DeclaredNameInfo::npos));
             funbox->declaredArguments = true;
-            funbox->usesArguments = true;
+        } else if (p->value()->kind() != DeclarationKind::Var) {
+            // Lexicals, formal parameters, and body level functions shadow.
+            funbox->usesArguments = false;
+        }
 
+        if (funbox->usesArguments) {
             funbox->setArgumentsHasLocalBinding();
-            funbox->setDefinitelyNeedsArgsObj();
+
+            if (parseContext_->sc()->bindingsAccessedDynamically() ||
+                parseContext_->sc()->hasDebuggerStatement())
+            {
+                funbox->setDefinitelyNeedsArgsObj();
+            }
         }
     }
 
-    // Check all our bindings after maybe adding function This.
+    if (funbox->needsDotGeneratorName()) {
+        ParseContext::Scope& funScope = parseContext_->functionScope();
+        HandlePropertyName dotGenerator = cx_->names().dotGenerator;
+        ParseContext::Scope::AddDeclaredNamePtr p = funScope.lookupDeclaredNameForAdd(dotGenerator);
+        if (!p) {
+            BINJS_TRY(funScope.addDeclaredName(parseContext_, p, dotGenerator, DeclarationKind::Var,
+                                               DeclaredNameInfo::npos));
+        }
+
+        BINJS_TRY(usedNames_.noteUse(cx_, dotGenerator, parseContext_->scriptId(),
+                                     parseContext_->innermostScope()->id()));
+
+        BINJS_TRY_DECL(dotGen, factory_.newName(dotGenerator,
+                                                tokenizer_->pos(tokenizer_->offset()), cx_));
+
+        BINJS_TRY(factory_.prependInitialYield(&body->as<ListNode>(), dotGen));
+    }
+
+    // Check all our bindings after maybe adding function metavars.
     MOZ_TRY(checkFunctionClosedVars());
 
     BINJS_TRY_DECL(bindings,
              NewFunctionScopeData(cx_, parseContext_->functionScope(),
                                   /* hasParameterExprs = */ false, alloc_, parseContext_));
 
     funbox->functionScopeBindings().set(*bindings);
 
--- a/js/src/frontend/BinSource.h
+++ b/js/src/frontend/BinSource.h
@@ -224,17 +224,17 @@ class BinASTParser : public BinASTParser
 
     // --- Utilities.
 
     MOZ_MUST_USE JS::Result<ParseNode*> appendDirectivesToBody(ListNode* body,
         ListNode* directives);
 
     // Optionally force a strict context without restarting the parse when we see a strict
     // directive.
-    void forceStrictIfNecessary(FunctionBox* funbox, ListNode* directives);
+    void forceStrictIfNecessary(SharedContext* sc, ListNode* directives);
 
   private: // Implement ErrorReporter
     const JS::ReadOnlyCompileOptions& options_;
 
     const JS::ReadOnlyCompileOptions& options() const override {
         return this->options_;
     }
 
--- a/js/src/frontend/BinSource.yaml
+++ b/js/src/frontend/BinSource.yaml
@@ -617,17 +617,22 @@ ContinueStatement:
         BINJS_TRY_DECL(result, factory_.newContinueStatement(label ? label->asPropertyName() : nullptr, tokenizer_->pos(start)));
 
 DataProperty:
     build: |
         if (!factory_.isUsableAsObjectPropertyName(name)) {
             return raiseError("DataProperty key kind");
         }
 
-        BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(name, expression, AccessorType::None));
+        ParseNode* result;
+        if (name->template is<NameNode>() && name->template as<NameNode>().atom() == cx_->names().proto) {
+            BINJS_TRY_VAR(result, factory_.newUnary(ParseNodeKind::MutateProto, start, expression));
+        } else {
+            BINJS_TRY_VAR(result, factory_.newObjectMethodOrPropertyDefinition(name, expression, AccessorType::None));
+        }
 
 Directive:
     build: |
         TokenPos pos = tokenizer_->pos(start);
         BINJS_TRY_DECL(result, factory_.newStringLiteral(rawValue, pos));
 
 DoWhileStatement:
     init:
@@ -1091,27 +1096,32 @@ ReturnStatement:
             return raiseInvalidKind("Toplevel Statement", kind);
         }
 
         parseContext_->functionBox()->usesReturn = true;
     build:
         BINJS_TRY_DECL(result, factory_.newReturnStatement(expression, tokenizer_->pos(start)));
 
 Script:
+    fields:
+        directives:
+            after: |
+                forceStrictIfNecessary(parseContext_->sc(), directives);
     build:
         MOZ_TRY(checkClosedVars(parseContext_->varScope()));
         BINJS_MOZ_TRY_DECL(result, appendDirectivesToBody(/* body = */ statements, /* directives = */ directives));
 
 ShorthandProperty:
     build: |
-        if (!factory_.isUsableAsObjectPropertyName(name)) {
-            BINJS_TRY_VAR(name, factory_.newObjectLiteralPropertyName(name->name(), tokenizer_->pos(start)));
-        }
+        MOZ_ASSERT(name->isKind(ParseNodeKind::Name));
+        MOZ_ASSERT(!factory_.isUsableAsObjectPropertyName(name));
+        BINJS_TRY_DECL(propName, factory_.newObjectLiteralPropertyName(name->name(), tokenizer_->pos(start)));
 
-        BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(name, name, AccessorType::None));
+        BINJS_TRY_DECL(result, factory_.newObjectMethodOrPropertyDefinition(propName, name, AccessorType::None));
+        result->setKind(ParseNodeKind::Shorthand);
 
 SwitchCase:
     type-ok:
         CaseClause*
     build: |
         BINJS_TRY_DECL(result, factory_.newCaseOrDefault(start, test, consequent));
 
 SwitchDefault:
@@ -1332,10 +1342,15 @@ VariableDeclarator:
 
 WhileStatement:
     init:
         ParseContext::Statement stmt(parseContext_, StatementKind::WhileLoop);
     build:
         BINJS_TRY_DECL(result, factory_.newWhileStatement(start, test, body));
 
 WithStatement:
-    build:
+    fields:
+        body:
+            before: |
+                ParseContext::Statement stmt(parseContext_, StatementKind::With);
+    build: |
+        parseContext_->sc()->setBindingsAccessedDynamically();
         BINJS_TRY_DECL(result, factory_.newWithStatement(start, object, body));
--- a/js/src/gc/GC.cpp
+++ b/js/src/gc/GC.cpp
@@ -2088,18 +2088,18 @@ ZoneHeapThreshold::computeZoneHeapGrowth
     // the heap grow to 150%. For high frequency GCs we let the heap grow
     // depending on the heap size:
     //   lastBytes < highFrequencyLowLimit: 300%
     //   lastBytes > highFrequencyHighLimit: 150%
     //   otherwise: linear interpolation between 300% and 150% based on lastBytes
 
     float minRatio = tunables.highFrequencyHeapGrowthMin();
     float maxRatio = tunables.highFrequencyHeapGrowthMax();
-    float lowLimit = tunables.highFrequencyLowLimitBytes();
-    float highLimit = tunables.highFrequencyHighLimitBytes();
+    size_t lowLimit = tunables.highFrequencyLowLimitBytes();
+    size_t highLimit = tunables.highFrequencyHighLimitBytes();
 
     MOZ_ASSERT(minRatio <= maxRatio);
     MOZ_ASSERT(lowLimit < highLimit);
 
     if (lastBytes <= lowLimit) {
         return maxRatio;
     }
 
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -69,45 +69,47 @@ struct js::Nursery::Canary
 };
 #endif
 
 namespace js {
 struct NurseryChunk {
     char data[Nursery::NurseryChunkUsableSize];
     gc::ChunkTrailer trailer;
     static NurseryChunk* fromChunk(gc::Chunk* chunk);
-    void poisonAndInit(JSRuntime* rt);
-    void poisonAfterSweep();
+    void poisonAndInit(JSRuntime* rt, size_t extent = ChunkSize);
+    void poisonAfterSweep(size_t extent = ChunkSize);
     uintptr_t start() const { return uintptr_t(&data); }
     uintptr_t end() const { return uintptr_t(&trailer); }
     gc::Chunk* toChunk(JSRuntime* rt);
 };
 static_assert(sizeof(js::NurseryChunk) == gc::ChunkSize,
               "Nursery chunk size must match gc::Chunk size.");
 
 } /* namespace js */
 
 inline void
-js::NurseryChunk::poisonAndInit(JSRuntime* rt)
+js::NurseryChunk::poisonAndInit(JSRuntime* rt, size_t extent)
 {
-    MOZ_MAKE_MEM_UNDEFINED(this, ChunkSize);
+    MOZ_ASSERT(extent <= ChunkSize);
+    MOZ_MAKE_MEM_UNDEFINED(this, extent);
 
-    JS_POISON(this, JS_FRESH_NURSERY_PATTERN, ChunkSize, MemCheckKind::MakeUndefined);
+    JS_POISON(this, JS_FRESH_NURSERY_PATTERN, extent, MemCheckKind::MakeUndefined);
 
     new (&trailer) gc::ChunkTrailer(rt, &rt->gc.storeBuffer());
 }
 
 inline void
-js::NurseryChunk::poisonAfterSweep()
+js::NurseryChunk::poisonAfterSweep(size_t extent)
 {
+    MOZ_ASSERT(extent <= ChunkSize);
     // We can poison the same chunk more than once, so first make sure memory
     // sanitizers will let us poison it.
-    MOZ_MAKE_MEM_UNDEFINED(this, ChunkSize);
+    MOZ_MAKE_MEM_UNDEFINED(this, extent);
 
-    JS_POISON(this, JS_SWEPT_NURSERY_PATTERN, ChunkSize, MemCheckKind::MakeNoAccess);
+    JS_POISON(this, JS_SWEPT_NURSERY_PATTERN, extent, MemCheckKind::MakeNoAccess);
 }
 
 /* static */ inline js::NurseryChunk*
 js::NurseryChunk::fromChunk(Chunk* chunk)
 {
     return reinterpret_cast<NurseryChunk*>(chunk);
 }
 
@@ -170,17 +172,17 @@ js::Nursery::init(uint32_t maxNurseryByt
 
     maxChunkCount_ = 1;
     if (!allocateNextChunk(0, lock)) {
         maxChunkCount_ = 0;
         return false;
     }
     /* After this point the Nursery has been enabled */
 
-    setCurrentChunk(0);
+    setCurrentChunk(0, true);
     setStartPosition();
 
     char* env = getenv("JS_GC_PROFILE_NURSERY");
     if (env) {
         if (0 == strcmp(env, "help")) {
             fprintf(stderr, "JS_GC_PROFILE_NURSERY=N\n"
                     "\tReport minor GC's taking at least N microseconds.\n");
             exit(0);
@@ -226,17 +228,17 @@ js::Nursery::enable()
         AutoLockGCBgAlloc lock(runtime());
         maxChunkCount_ = 1;
         if (!allocateNextChunk(0, lock)) {
             maxChunkCount_ = 0;
             return;
         }
     }
 
-    setCurrentChunk(0);
+    setCurrentChunk(0, true);
     setStartPosition();
 #ifdef JS_GC_ZEAL
     if (runtime()->hasZealMode(ZealMode::GenerationalGC)) {
         enterZealMode();
     }
 #endif
 
     MOZ_ALWAYS_TRUE(runtime()->gc.storeBuffer().enable());
@@ -297,17 +299,17 @@ js::Nursery::enterZealMode() {
         maxChunkCount_ = chunkCountLimit();
     }
 }
 
 void
 js::Nursery::leaveZealMode() {
     if (isEnabled()) {
         MOZ_ASSERT(isEmpty());
-        setCurrentChunk(0);
+        setCurrentChunk(0, true);
         setStartPosition();
     }
 }
 #endif // JS_GC_ZEAL
 
 JSObject*
 js::Nursery::allocateObject(JSContext* cx, size_t size, size_t nDynamicSlots, const js::Class* clasp)
 {
@@ -1100,25 +1102,27 @@ js::Nursery::sweep(JSTracer* trc)
     sweepMapAndSetObjects();
 }
 
 void
 js::Nursery::clear()
 {
 #if defined(JS_GC_ZEAL) || defined(JS_CRASH_DIAGNOSTICS)
     /* Poison the nursery contents so touching a freed object will crash. */
-    for (unsigned i = currentStartChunk_; i < allocatedChunkCount(); ++i) {
+    for (unsigned i = currentStartChunk_; i < currentChunk_; ++i) {
         chunk(i).poisonAfterSweep();
     }
+    MOZ_ASSERT(maxChunkCount() > 0);
+    chunk(currentChunk_).poisonAfterSweep(position() - chunk(currentChunk_).start());
 #endif
 
     if (runtime()->hasZealMode(ZealMode::GenerationalGC)) {
         /* Only reset the alloc point when we are close to the end. */
         if (currentChunk_ + 1 == maxChunkCount()) {
-            setCurrentChunk(0);
+            setCurrentChunk(0, true);
         } else {
             // poisonAfterSweep poisons the chunk trailer. Ensure it's
             // initialized.
             chunk(currentChunk_).poisonAndInit(runtime());
         }
     } else {
         setCurrentChunk(0);
     }
@@ -1139,27 +1143,44 @@ js::Nursery::spaceToEnd(unsigned chunkCo
                    ((lastChunk - currentStartChunk_) * NurseryChunkUsableSize);
 
     MOZ_ASSERT(bytes <= maxChunkCount() * NurseryChunkUsableSize);
 
     return bytes;
 }
 
 MOZ_ALWAYS_INLINE void
-js::Nursery::setCurrentChunk(unsigned chunkno)
+js::Nursery::setCurrentChunk(unsigned chunkno, bool fullPoison)
 {
     MOZ_ASSERT(chunkno < chunkCountLimit());
     MOZ_ASSERT(chunkno < allocatedChunkCount());
+
+    if (!fullPoison &&
+        chunkno == currentChunk_ &&
+        position_ < chunk(chunkno).end() &&
+        position_ >= chunk(chunkno).start())
+    {
+        // When we setup a new chunk the whole chunk must be poisoned with the
+        // correct value (JS_FRESH_NURSERY_PATTERN).
+        //  1. The first time it was used it was fully poisoned with the
+        //     correct value.
+        //  2. When it is swept, only the used part is poisoned with the sept
+        //     value.
+        //  3. We repoison the swept part here, with the correct value.
+        chunk(chunkno).poisonAndInit(runtime(), position_ - chunk(chunkno).start());
+    } else {
+        chunk(chunkno).poisonAndInit(runtime());
+    }
+
     currentChunk_ = chunkno;
     position_ = chunk(chunkno).start();
     currentEnd_ = chunk(chunkno).end();
     if (canAllocateStrings_) {
         currentStringEnd_ = currentEnd_;
     }
-    chunk(chunkno).poisonAndInit(runtime());
 }
 
 bool
 js::Nursery::allocateNextChunk(const unsigned chunkno,
     AutoLockGCBgAlloc& lock)
 {
     const unsigned priorCount = allocatedChunkCount();
     const unsigned newCount = priorCount + 1;
--- a/js/src/gc/Nursery.h
+++ b/js/src/gc/Nursery.h
@@ -504,17 +504,24 @@ class Nursery
     struct Canary;
     Canary* lastCanary_;
 #endif
 
     NurseryChunk& chunk(unsigned index) const {
         return *chunks_[index];
     }
 
-    void setCurrentChunk(unsigned chunkno);
+    /*
+     * Set the current chunk. This updates the currentChunk_, position_
+     * currentEnd_ and currentStringEnd_ values as approprite. It'll also
+     * poison the chunk, either a portion of the chunk if it is already the
+     * current chunk, or the whole chunk if fullPoison is true or it is not
+     * the current chunk.
+     */
+    void setCurrentChunk(unsigned chunkno, bool fullPoison = false);
     void setStartPosition();
 
     /*
      * Allocate the next chunk, or the first chunk for initialization.
      * Callers will probably want to call setCurrentChunk(0) next.
      */
     MOZ_MUST_USE bool allocateNextChunk(unsigned chunkno,
         AutoLockGCBgAlloc& lock);
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..88139f6dfe48a27b3ebfce1f9c56d70128f0b9dd
GIT binary patch
literal 388
zc${5OO-sW-5M7oKiWDg#QpAIlB0YEzuU<?wgouffEnb3$Niy1%&4-gwnqThKG)1;J
zbD1|Y@6E?Dj31OtgT#v>FL~7kR;;<Z`H`oKZ~$)_$=@`DZL8~Q;k7LiV{wnU0m34N
z5@$<Y6}o!2gsVr*NMPcx5=rNlfAIpOAv3t+1NXW4|6EPie`8cmy5Ydo85ot<4W8YB
zF?)J8R1Az|zrp!a_JKLu%6O+TQ|p>|4OQ_>y%KSEx#j3Q!ZO=GGF7W2j00ugF(1j!
y{RWbo2@IS0pXn;`ecQpuV@EntY+VR<B;|o4Trt@6c7V>2JP~4YC|qYM_KLqJ4t{<B
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/binast/shorthand.js
@@ -0,0 +1,3 @@
+var y = 6;
+var x = { y };
+assertEq(x.y, 6);
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1498177.js
@@ -0,0 +1,17 @@
+
+let a, b;
+for (i=0; i < 300000; i++) {
+    let c = { a: a, b: b };
+    a = b;
+    b = c;
+}
+
+gc();
+
+// GCRuntime::setHighFrequencyHighLimit will change the low value to be one
+// byte lower than the high value (if necessary).  But this blew up later
+// when the values were mistakingly cast to float then compared, rather than
+// kept as size_t.
+gcparam('highFrequencyHighLimit', 99);
+
+
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/typedarray/oom-allocating-arraybuffer-contents.js
@@ -0,0 +1,15 @@
+// |jit-test| skip-if: !('oomTest' in this)
+
+// Resolve ArrayBuffer before OOM-testing, so OOM-testing runs less code and is
+// less fragile.
+var AB = ArrayBuffer;
+
+function f()
+{
+  return new AB(256);
+}
+
+// Create |f|'s script before OOM-testing for the same reason.
+f();
+
+oomTest(f);
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -458,18 +458,17 @@ ArrayBufferObject::class_constructor(JSC
     }
     args.rval().setObject(*bufobj);
     return true;
 }
 
 static ArrayBufferObject::BufferContents
 AllocateArrayBufferContents(JSContext* cx, uint32_t nbytes)
 {
-    uint8_t* p = cx->pod_callocCanGC<uint8_t>(nbytes,
-                                                      js::ArrayBufferContentsArena);
+    uint8_t* p = cx->pod_callocCanGC<uint8_t>(nbytes, js::ArrayBufferContentsArena);
     return ArrayBufferObject::BufferContents::create<ArrayBufferObject::PLAIN>(p);
 }
 
 static void
 NoteViewBufferWasDetached(ArrayBufferViewObject* view,
                           ArrayBufferObject::BufferContents newContents,
                           JSContext* cx)
 {
@@ -1246,16 +1245,17 @@ ArrayBufferObject::create(JSContext* cx,
         if (nbytes <= usableSlots * sizeof(Value)) {
             int newSlots = JS_HOWMANY(nbytes, sizeof(Value));
             MOZ_ASSERT(int(nbytes) <= newSlots * int(sizeof(Value)));
             nslots = reservedSlots + newSlots;
             contents = BufferContents::createPlain(nullptr);
         } else {
             contents = AllocateArrayBufferContents(cx, nbytes);
             if (!contents) {
+                ReportOutOfMemory(cx);
                 return nullptr;
             }
             allocated = true;
         }
     }
 
     MOZ_ASSERT(!(class_.flags & JSCLASS_HAS_PRIVATE));
     gc::AllocKind allocKind = gc::GetGCObjectKind(nslots);
--- a/mobile/android/app/mobile.js
+++ b/mobile/android/app/mobile.js
@@ -835,17 +835,16 @@ pref("consoleservice.logcat", true);
 #ifndef RELEASE_OR_BETA
 // Enable VR on mobile, making it enable by default.
 pref("dom.vr.enabled", true);
 #endif
 
 pref("browser.tabs.showAudioPlayingIcon", true);
 
 pref("dom.serviceWorkers.enabled", true);
-pref("dom.serviceWorkers.interception.enabled", true);
 
 // Allow service workers to open windows for a longer period after a notification
 // click on mobile.  This is to account for some devices being quite slow.
 pref("dom.serviceWorkers.disable_open_click_delay", 5000);
 
 pref("dom.push.debug", false);
 // The upstream autopush endpoint must have the Google API key corresponding to
 // the App's sender ID; we bake this assumption directly into the URL.
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -3703,21 +3703,17 @@ pref("font.name-list.cursive.x-western",
 pref("font.name-list.serif.zh-CN", "SimSun, MS Song, SimSun-ExtB");
 pref("font.name-list.sans-serif.zh-CN", "Microsoft YaHei, SimHei");
 pref("font.name-list.monospace.zh-CN", "SimSun, MS Song, SimSun-ExtB");
 pref("font.name-list.cursive.zh-CN", "KaiTi, KaiTi_GB2312");
 
 // Per Taiwanese users' demand. They don't want to use TC fonts for
 // rendering Latin letters. (bug 88579)
 pref("font.name-list.serif.zh-TW", "Times New Roman, PMingLiu, MingLiU, MingLiU-ExtB");
-#ifdef EARLY_BETA_OR_EARLIER
 pref("font.name-list.sans-serif.zh-TW", "Arial, Microsoft JhengHei, PMingLiU, MingLiU, MingLiU-ExtB");
-#else
-pref("font.name-list.sans-serif.zh-TW", "Arial, PMingLiU, MingLiU, MingLiU-ExtB");
-#endif
 pref("font.name-list.monospace.zh-TW", "MingLiU, MingLiU-ExtB");
 pref("font.name-list.cursive.zh-TW", "DFKai-SB");
 
 // hkscsm3u.ttf (HKSCS-2001) :  http://www.microsoft.com/hk/hkscs
 // Hong Kong users have the same demand about glyphs for Latin letters (bug 88579)
 pref("font.name-list.serif.zh-HK", "Times New Roman, MingLiu_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB");
 pref("font.name-list.sans-serif.zh-HK", "Arial, MingLiU_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB");
 pref("font.name-list.monospace.zh-HK", "MingLiU_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB");
deleted file mode 100644
--- a/security/sandbox/chromium-shim/patches/with_update/mingw_msvc_requirement_error.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-# HG changeset patch
-# User Tom Ritter <tom@mozilla.com>
-# Date 1504104514 18000
-#      Wed Aug 30 09:48:34 2017 -0500
-# Node ID bfcfd788617b9cff6d08a5783a0ece0681fbf523
-# Parent  926edfc5eb283736573cc1cc16ef82646ad8b330
-Bug 1431807 Allow MinGW and silence warning about Windows SDK version r?bobowen
-
-MozReview-Commit-ID: 3aVeqSzRGXB
-
-diff --git a/security/sandbox/chromium/base/win/windows_version.cc b/security/sandbox/chromium/base/win/windows_version.cc
---- a/security/sandbox/chromium/base/win/windows_version.cc
-+++ b/security/sandbox/chromium/base/win/windows_version.cc
-@@ -9,17 +9,17 @@
- #include <memory>
- 
- #include "base/file_version_info_win.h"
- #include "base/files/file_path.h"
- #include "base/logging.h"
- #include "base/strings/utf_string_conversions.h"
- #include "base/win/registry.h"
- 
--#if !defined(__clang__) && _MSC_FULL_VER < 190024213
-+#if !defined(__MINGW32__) && !defined(__clang__) && _MSC_FULL_VER < 190024213
- #error VS 2015 Update 3 with Cumulative Servicing Release or higher is required
- #endif
- 
- namespace {
- typedef BOOL (WINAPI *GetProductInfoPtr)(DWORD, DWORD, DWORD, DWORD, PDWORD);
- }  // namespace
- 
- namespace base {
--- a/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
+++ b/security/sandbox/chromium-shim/patches/with_update/patch_order.txt
@@ -8,15 +8,14 @@ add_option_to_not_use_restricting_sids.p
 ifdef_out_SequenceChecker_code.patch
 revert_c++14_typename_alias_usage.patch
 revert_c++14_index_sequence_usage.patch
 fix_Wcomma_warning_in_time_cc.patch
 allow_read_only_all_paths_rule.patch
 revert_TargetNtSetInformationThread_change.patch
 mingw_base_win_get_caller.patch
 mingw_duplicate_instatinations.patch
-mingw_msvc_requirement_error.patch
 mingw_copy_s.patch
 mingw_operator_new.patch
 mingw_cast_getprocaddress.patch
 mingw_capitalization.patch
 mingw_noexports_casts.patch
 mingw_offsetof.patch
--- a/security/sandbox/chromium/base/win/windows_version.cc
+++ b/security/sandbox/chromium/base/win/windows_version.cc
@@ -9,17 +9,17 @@
 #include <memory>
 
 #include "base/file_version_info_win.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/win/registry.h"
 
-#if !defined(__MINGW32__) && !defined(__clang__) && _MSC_FULL_VER < 190024213
+#if !defined(__clang__) && _MSC_FULL_VER < 190024213
 #error VS 2015 Update 3 with Cumulative Servicing Release or higher is required
 #endif
 
 namespace {
 typedef BOOL (WINAPI *GetProductInfoPtr)(DWORD, DWORD, DWORD, DWORD, PDWORD);
 }  // namespace
 
 namespace base {