author | jbeich <jbeich@FreeBSD.org> | 2017-11-12 04:42:33 +0800 |
---|---|---|
committer | jbeich <jbeich@FreeBSD.org> | 2017-11-12 04:42:33 +0800 |
commit | dc8f685535680c7bd5aa81b34f7d52a1ec562b50 (patch) | |
tree | 298b83b065bd47d0b06b9882d29d18bdeacb3f7d /www/firefox | |
parent | 416a6c6ea84974a9541fff7baee70672b86bed10 (diff) | |
www/firefox: backport some FF57+ fixes
PR: 222859
Security: f78eac48-c3d1-4666-8de5-63ceea25a578
MFH: 2017Q4
Diffstat (limited to 'www/firefox')
28 files changed, 2031 insertions, 1 deletions
diff --git a/www/firefox/Makefile b/www/firefox/Makefile
index d1136fd17020..66818c9d6adf 100644
--- a/www/firefox/Makefile
+++ b/www/firefox/Makefile
@@ -4,7 +4,7 @@
 PORTNAME= firefox
 DISTVERSION= 56.0.2
 DISTVERSIONSUFFIX=.source
-PORTREVISION= 8
+PORTREVISION= 9
 PORTEPOCH= 1
 CATEGORIES= www ipv6
 MASTER_SITES= MOZILLA/${PORTNAME}/releases/${DISTVERSION}/source \
diff --git a/www/firefox/files/patch-bug1261175 b/www/firefox/files/patch-bug1261175
new file mode 100644
index 000000000000..527f41b4a0b3
--- /dev/null
+++ b/www/firefox/files/patch-bug1261175
@@ -0,0 +1,25 @@
+commit deccfad4c8ba
+Author: Matt Woodrow <mwoodrow@mozilla.com>
+Date: Thu Oct 12 13:10:27 2017 +1300
+
+ Bug 1261175. r=tnikkel, a=ritu
+
+ --HG--
+ extra : source : 8281ed36bd4946af69af747b199814cc1a51fb52
+---
+ view/nsViewManager.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git view/nsViewManager.cpp view/nsViewManager.cpp
+index f3540f3478da..230512c0dcc0 100644
+--- view/nsViewManager.cpp
++++ view/nsViewManager.cpp
+@@ -100,7 +100,7 @@ nsViewManager::~nsViewManager()
+ gViewManagers = nullptr;
+ }
+
+- mPresShell = nullptr;
++ MOZ_RELEASE_ASSERT(!mPresShell, "Releasing nsViewManager without having called Destroy on the PresShell!");
+ }
+
+ // We don't hold a reference to the presentation context because it
diff --git a/www/firefox/files/patch-bug1343147 b/www/firefox/files/patch-bug1343147
new file mode 100644
index 000000000000..a548c655e4dc
--- /dev/null
+++ b/www/firefox/files/patch-bug1343147
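Review bot: The new `MOZ_RELEASE_ASSERT(!mPresShell, ...)` in `nsViewManager::~nsViewManager()` (patch-bug1261175) has no comment explaining why a release-build crash replaces the old `mPresShell = nullptr;`, and the upstream message is only the bug number. A line above it such as `// Crash deliberately: a PresShell that was never Destroy()ed may still point at this view manager.` would keep a later cleanup from downgrading it to a debug-only assert. That wording is my reading of the assert text and should be confirmed against the bug. The destructor starts outside the hunk.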
@@ -0,0 +1,117 @@
+commit e215b167b9b9
+Author: cku <cku@mozilla.com>
+Date: Tue Oct 3 11:29:19 2017 +0800
+
+ Bug 1343147 - Do not double applying transform vector of the root frame in a glyph mask into the target context. r=mstange, a=ritu
+
+ When we generate the glyph mask for a transformed frame in
+ GenerateAndPushTextMask, the transform vector had been applied into aContext[1],
+ so we should find a way to prevent applying the vector again when painting the
+ glyph mask.
+
+ In bug 1299715, I tried to prevent double apply at [2], it caused two problems:
+ 1. We only skip generating nsDisplayTransform, but we may still create a
+ nsDisplayPerspactive bellow. Since the parent of a nsDisplayPerspective must be
+ a nsDisplayTransform, which have been ignored, so we hit this assertion.
+ 2. We skip all transform for all frames while painting the glyph mask, which is
+ not correct. We should only skip double applying transform vector of the root
+ frame.
+
+ This patch fixes both of these issues:
+ a. We will still create a nsDisplayTransform for the root frame if need. But
+ the transform matrix we apply into the target context will be an identity
+ matrix, so we fix #1 above.
+ b. In #a, we change the transform matrix to an identity matrix only for the root
+ frame of the glyph mask, so we fix #2.
+
+ [1]
+ https://hg.mozilla.org/mozilla-central/file/59e5ec5729db/layout/painting/nsDisplayList.cpp#l752
+ [2]
+ https://hg.mozilla.org/mozilla-central/file/ce2c129f0a87/layout/generic/nsFrame.cpp#l2806
+
+ MozReview-Commit-ID: 973lkQQxLB6
+
+ --HG--
+ extra : source : 84451d723686bc47b81c44ed2ddf6c61f3e35915
+---
+ layout/generic/nsFrame.cpp | 13 +++++--------
+ layout/painting/nsDisplayList.cpp | 9 ++++++++-
+ 2 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git layout/generic/nsFrame.cpp layout/generic/nsFrame.cpp
+index 37f2e2801220..dbfd61b7e142 100644
+--- layout/generic/nsFrame.cpp
++++ layout/generic/nsFrame.cpp
+@@ -2803,14 +2803,11 @@ nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder* aBuilder,
+ buildingDisplayList.SetReferenceFrameAndCurrentOffset(outerReferenceFrame,
+ GetOffsetToCrossDoc(outerReferenceFrame));
+
+- if (!aBuilder->IsForGenerateGlyphMask() &&
+- !aBuilder->IsForPaintingSelectionBG()) {
+- nsDisplayTransform *transformItem =
+- new (aBuilder) nsDisplayTransform(aBuilder, this,
+- &resultList, dirtyRect, 0,
+- allowAsyncAnimation);
+- resultList.AppendNewToTop(transformItem);
+- }
++ nsDisplayTransform *transformItem =
++ new (aBuilder) nsDisplayTransform(aBuilder, this,
++ &resultList, dirtyRect, 0,
++ allowAsyncAnimation);
++ resultList.AppendNewToTop(transformItem);
+
+ if (hasPerspective) {
+ if (clipCapturedBy == ContainerItemType::ePerspective) {
+diff --git layout/painting/nsDisplayList.cpp layout/painting/nsDisplayList.cpp
+index 801e1ea2fb4d..6477bda52f01 100644
+--- layout/painting/nsDisplayList.cpp
++++ layout/painting/nsDisplayList.cpp
+@@ -7976,11 +7976,18 @@ already_AddRefed<Layer> nsDisplayTransform::BuildLayer(nsDisplayListBuilder *aBu
+ LayerManager *aManager,
+ const ContainerLayerParameters& aContainerParameters)
+ {
++ // While generating a glyph mask, the transform vector of the root frame had
++ // been applied into the target context, so stop applying it again here.
++ const bool shouldSkipTransform =
++ (aBuilder->RootReferenceFrame() == mFrame) &&
++ (aBuilder->IsForGenerateGlyphMask() || aBuilder->IsForPaintingSelectionBG());
++
+ /* For frames without transform, it would not be removed for
+ * backface hidden here. But, it would be removed by the init
+ * function of nsDisplayTransform.
+ */
+- const Matrix4x4& newTransformMatrix = GetTransformForRendering();
++ const Matrix4x4 newTransformMatrix =
++ shouldSkipTransform ? Matrix4x4(): GetTransformForRendering();
+
+ uint32_t flags = FrameLayerBuilder::CONTAINER_ALLOW_PULL_BACKGROUND_COLOR;
+ RefPtr<ContainerLayer> container = aManager->GetLayerBuilder()->
+diff --git dom/svg/crashtests/1343147.svg dom/svg/crashtests/1343147.svg
+new file mode 100644
+index 000000000000..d9c2611ca822
+--- /dev/null
++++ dom/svg/crashtests/1343147.svg
+@@ -0,0 +1,13 @@
++<svg xmlns="http://www.w3.org/2000/svg">
++<style>
++<![CDATA[
++ svg {
++ background-image: linear-gradient(lime, lime);
++ background-clip: text;
++ }
++ text { transform: skewy(30grad); }
++ g { perspective: 0; }
++]]>
++</style>
++ <g><text>hello</text></g>
++</svg>
+diff --git dom/svg/crashtests/crashtests.list dom/svg/crashtests/crashtests.list
+index 1727a206ec4f..57ab320161e2 100644
+--- dom/svg/crashtests/crashtests.list
++++ dom/svg/crashtests/crashtests.list
+@@ -90,4 +90,5 @@ load 1329849-5.svg
+ load 1329849-6.svg
+ load 1329093-1.html
+ load 1329093-2.html
++load 1343147.svg
+ load 1402798.html
diff --git a/www/firefox/files/patch-bug1355576 b/www/firefox/files/patch-bug1355576
new file mode 100644
index 000000000000..cc9c8236a2b4
--- /dev/null
+++ b/www/firefox/files/patch-bug1355576
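Review bot: In `nsDisplayTransform::BuildLayer` (patch-bug1343147) the skip path depends on a default-constructed `Matrix4x4()` being the identity, which the hunk does not show; only the commit message says "identity matrix". Saying so at the use site, e.g. a trailing `// Matrix4x4() is the identity` on the `shouldSkipTransform ? Matrix4x4(): GetTransformForRendering();` line, keeps the intent readable without the bug report. The declaration also changed from `const Matrix4x4&` to a by-value `const Matrix4x4`, which the temporary requires but which presumably now copies the matrix on the common path as well. The function body continues outside the hunk.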
@@ -0,0 +1,262 @@ +commit e530ba4d4394 +Author: Thomas Wisniewski <wisniewskit@gmail.com> +Date: Tue Jul 4 20:59:26 2017 -0400 + + Bug 1355576 - Add ability to clear all localStorage with the browsingData API; r=bsilverberg,janv + + MozReview-Commit-ID: 4UUqg62yIo9 + + --HG-- + extra : rebase_source : 9c6154bbe878fc3921d22027fdc90dbdaed05be9 +--- + browser/components/extensions/ext-browsingData.js | 10 +++ + .../extensions/schemas/browsing_data.json | 1 - + .../extensions/test/browser/browser-common.ini | 1 + + .../browser_ext_browsingData_localStorage.js | 93 ++++++++++++++++++++++ + .../test/xpcshell/test_ext_browsingData.js | 4 +- + dom/storage/LocalStorageManager.cpp | 3 +- + dom/storage/StorageObserver.cpp | 12 +++ + .../extensions/schemas/browsing_data.json | 1 - + 8 files changed, 120 insertions(+), 5 deletions(-) + +diff --git browser/components/extensions/ext-browsingData.js browser/components/extensions/ext-browsingData.js +index fd59141dd15d..109ec9601487 100644 +--- browser/components/extensions/ext-browsingData.js ++++ browser/components/extensions/ext-browsingData.js +@@ -83,6 +83,10 @@ const clearHistory = options => { + return sanitizer.items.history.clear(makeRange(options)); + }; + ++const clearLocalStorage = async function(options) { ++ Services.obs.notifyObservers(null, "extension:purge-localStorage"); ++}; ++ + const clearPasswords = async function(options) { + let loginManager = Services.logins; + let yieldCounter = 0; +@@ -152,6 +156,9 @@ const doRemoval = (options, dataToRemove, extension) => { + case "history": + removalPromises.push(clearHistory(options)); + break; ++ case "localStorage": ++ removalPromises.push(clearLocalStorage(options)); ++ break; + case "passwords": + removalPromises.push(clearPasswords(options)); + break; +@@ -225,6 +232,9 @@ this.browsingData = class extends ExtensionAPI { + removeHistory(options) { + return doRemoval(options, {history: true}); + }, ++ removeLocalStorage(options) { ++ return doRemoval(options, 
{localStorage: true}); ++ }, + removePasswords(options) { + return doRemoval(options, {passwords: true}); + }, +diff --git browser/components/extensions/schemas/browsing_data.json browser/components/extensions/schemas/browsing_data.json +index a780f5640c8f..7755714eb898 100644 +--- browser/components/extensions/schemas/browsing_data.json ++++ browser/components/extensions/schemas/browsing_data.json +@@ -341,7 +341,6 @@ + "description": "Clears websites' local storage data.", + "type": "function", + "async": "callback", +- "unsupported": true, + "parameters": [ + { + "$ref": "RemovalOptions", +diff --git browser/components/extensions/test/browser/browser-common.ini browser/components/extensions/test/browser/browser-common.ini +index 464b8ba18f37..e3f7700f3939 100644 +--- browser/components/extensions/test/browser/browser-common.ini ++++ browser/components/extensions/test/browser/browser-common.ini +@@ -46,6 +46,7 @@ skip-if = (os == 'win' && !debug) # bug 1352668 + [browser_ext_browserAction_theme_icons.js] + [browser_ext_browsingData_formData.js] + [browser_ext_browsingData_history.js] ++[browser_ext_browsingData_localStorage.js] + [browser_ext_browsingData_pluginData.js] + [browser_ext_browsingData_serviceWorkers.js] + [browser_ext_commands_execute_browser_action.js] +diff --git browser/components/extensions/test/browser/browser_ext_browsingData_localStorage.js browser/components/extensions/test/browser/browser_ext_browsingData_localStorage.js +new file mode 100644 +index 000000000000..215f26d1fcb6 +--- /dev/null ++++ browser/components/extensions/test/browser/browser_ext_browsingData_localStorage.js +@@ -0,0 +1,93 @@ ++/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */ ++/* vim: set sts=2 sw=2 et tw=80: */ ++"use strict"; ++ ++add_task(async function testLocalStorage() { ++ async function background() { ++ function openTabs() { ++ let promise = new Promise(resolve => { ++ let tabURLs = [ ++ "http://example.com/", ++ "http://example.net/", ++ ]; ++ ++ 
let tabs; ++ let waitingCount = tabURLs.length; ++ ++ let listener = async msg => { ++ if (msg !== "content-script-ready" || --waitingCount) { ++ return; ++ } ++ browser.runtime.onMessage.removeListener(listener); ++ resolve(Promise.all(tabs)); ++ }; ++ ++ browser.runtime.onMessage.addListener(listener); ++ ++ tabs = tabURLs.map(url => { ++ return browser.tabs.create({url: url}); ++ }); ++ }); ++ ++ return promise; ++ } ++ ++ function sendMessageToTabs(tabs, message) { ++ return Promise.all( ++ tabs.map(tab => { return browser.tabs.sendMessage(tab.id, message); })); ++ } ++ ++ let tabs = await openTabs(); ++ ++ await sendMessageToTabs(tabs, "resetLocalStorage"); ++ await sendMessageToTabs(tabs, "checkLocalStorageSet"); ++ await browser.browsingData.removeLocalStorage({}); ++ await sendMessageToTabs(tabs, "checkLocalStorageCleared"); ++ ++ await sendMessageToTabs(tabs, "resetLocalStorage"); ++ await sendMessageToTabs(tabs, "checkLocalStorageSet"); ++ await browser.browsingData.remove({}, {localStorage: true}); ++ await sendMessageToTabs(tabs, "checkLocalStorageCleared"); ++ ++ browser.tabs.remove(tabs.map(tab => tab.id)); ++ ++ browser.test.notifyPass("done"); ++ } ++ ++ function contentScript() { ++ browser.runtime.onMessage.addListener(msg => { ++ if (msg === "resetLocalStorage") { ++ localStorage.clear(); ++ localStorage.setItem("test", "test"); ++ } else if (msg === "checkLocalStorageSet") { ++ browser.test.assertEq("test", localStorage.getItem("test")); ++ } else if (msg === "checkLocalStorageCleared") { ++ browser.test.assertEq(null, localStorage.getItem("test")); ++ } ++ }); ++ browser.runtime.sendMessage("content-script-ready"); ++ } ++ ++ let extension = ExtensionTestUtils.loadExtension({ ++ background, ++ manifest: { ++ "permissions": ["browsingData"], ++ "content_scripts": [{ ++ "matches": [ ++ "http://example.com/", ++ "http://example.net/", ++ ], ++ "js": ["content-script.js"], ++ "run_at": "document_start", ++ }], ++ }, ++ files: { ++ 
"content-script.js": contentScript, ++ }, ++ }); ++ ++ await extension.startup(); ++ await extension.awaitFinish("done"); ++ await extension.unload(); ++}); ++ +diff --git browser/components/extensions/test/xpcshell/test_ext_browsingData.js browser/components/extensions/test/xpcshell/test_ext_browsingData.js +index 0c1c4874ca44..0b8972058e64 100644 +--- browser/components/extensions/test/xpcshell/test_ext_browsingData.js ++++ browser/components/extensions/test/xpcshell/test_ext_browsingData.js +@@ -44,7 +44,7 @@ add_task(async function testInvalidArguments() { + + add_task(async function testUnimplementedDataType() { + function background() { +- browser.browsingData.remove({}, {localStorage: true}); ++ browser.browsingData.remove({}, {indexedDB: true}); + browser.test.sendMessage("finished"); + } + +@@ -61,6 +61,6 @@ add_task(async function testUnimplementedDataType() { + await extension.unload(); + }); + +- let warningObserved = messages.find(line => /Firefox does not support dataTypes: localStorage/.test(line)); ++ let warningObserved = messages.find(line => /Firefox does not support dataTypes: indexedDB/.test(line)); + ok(warningObserved, "Warning issued when calling remove with an unimplemented dataType."); + }); +diff --git dom/storage/LocalStorageManager.cpp dom/storage/LocalStorageManager.cpp +index a161de2bc596..f366e7874a90 100644 +--- dom/storage/LocalStorageManager.cpp ++++ dom/storage/LocalStorageManager.cpp +@@ -386,7 +386,8 @@ LocalStorageManager::Observe(const char* aTopic, + } + + // Clear everything, caches + database +- if (!strcmp(aTopic, "cookie-cleared")) { ++ if (!strcmp(aTopic, "cookie-cleared") || ++ !strcmp(aTopic, "extension:purge-localStorage-caches")) { + ClearCaches(LocalStorageCache::kUnloadComplete, pattern, EmptyCString()); + return NS_OK; + } +diff --git dom/storage/StorageObserver.cpp dom/storage/StorageObserver.cpp +index e5b010f88c7b..48d484748209 100644 +--- dom/storage/StorageObserver.cpp ++++ dom/storage/StorageObserver.cpp 
+@@ -66,6 +66,7 @@ StorageObserver::Init() + obs->AddObserver(sSelf, "browser:purge-domain-data", true); + obs->AddObserver(sSelf, "last-pb-context-exited", true); + obs->AddObserver(sSelf, "clear-origin-attributes-data", true); ++ obs->AddObserver(sSelf, "extension:purge-localStorage", true); + + // Shutdown + obs->AddObserver(sSelf, "profile-after-change", true); +@@ -270,6 +271,23 @@ StorageObserver::Observe(nsISupports* aSubject, + + Notify("session-only-cleared", NS_ConvertUTF8toUTF16(originSuffix), + originScope); ++ ++ return NS_OK; ++ } ++ ++ if (!strcmp(aTopic, "extension:purge-localStorage")) { ++ StorageDBChild* storageChild = StorageDBChild::GetOrCreate(); ++ if (NS_WARN_IF(!storageChild)) { ++ return NS_ERROR_FAILURE; ++ } ++ ++ storageChild->AsyncClearAll(); ++ ++ if (XRE_IsParentProcess()) { ++ storageChild->SendClearAll(); ++ } ++ ++ Notify("extension:purge-localStorage-caches"); + + return NS_OK; + } +diff --git mobile/android/components/extensions/schemas/browsing_data.json mobile/android/components/extensions/schemas/browsing_data.json +index 483a462d422c..1019c1a23953 100644 +--- mobile/android/components/extensions/schemas/browsing_data.json ++++ mobile/android/components/extensions/schemas/browsing_data.json +@@ -345,7 +345,6 @@ + "description": "Clears websites' local storage data.", + "type": "function", + "async": "callback", +- "unsupported": true, + "parameters": [ + { + "$ref": "RemovalOptions", diff --git a/www/firefox/files/patch-bug1369561 b/www/firefox/files/patch-bug1369561 new file mode 100644 index 000000000000..d3de0988830a --- /dev/null +++ b/www/firefox/files/patch-bug1369561 
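Review bot: `clearLocalStorage(options)` in ext-browsingData.js (patch-bug1355576) never reads `options`, so a caller that passes a `since` time still has all localStorage purged, because the `extension:purge-localStorage` branch added to `StorageObserver::Observe` calls `AsyncClearAll()` unconditionally. An extension that asks to clear only recent data therefore destroys more than it requested, and nothing warns about it. Until a ranged clear exists, that case should be rejected up front, for example `if (options.since) { return Promise.reject({message: "Clearing localStorage with 'since' is not supported"}); }` (the message text is a placeholder). The new browser test only calls the API with `{}`, so this path is not exercised.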
@@ -0,0 +1,66 @@
+commit 4a1737e0c456
+Author: David Keeler <dkeeler@mozilla.com>
+Date: Fri Sep 15 14:47:54 2017 -0700
+
+ Bug 1369561 - Address misc. SnprintfLiteral correctness nits. r=jld, r=froydnj, a=ritu
+
+ --HG--
+ extra : source : f5533b6cd09c35eef381e311940b5bd5231d3553
+---
+ security/sandbox/linux/SandboxUtil.cpp | 17 ++++++++++-------
+ xpcom/base/nsSystemInfo.cpp | 2 +-
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git security/sandbox/linux/SandboxUtil.cpp security/sandbox/linux/SandboxUtil.cpp
+index ad6003ecaad5..999329882364 100644
+--- security/sandbox/linux/SandboxUtil.cpp
++++ security/sandbox/linux/SandboxUtil.cpp
+@@ -62,7 +62,6 @@ UnshareUserNamespace()
+ uid_t uid = getuid();
+ gid_t gid = getgid();
+ char buf[80];
+- size_t len;
+
+ if (syscall(__NR_unshare, CLONE_NEWUSER) != 0) {
+ return false;
+@@ -84,17 +83,21 @@ UnshareUserNamespace()
+ // current thread. However, CLONE_NEWUSER can be unshared only in a
+ // single-threaded process, so those are equivalent if we reach this
+ // point.
+- len = size_t(SprintfLiteral(buf, "%u %u 1\n", uid, uid));
+- MOZ_ASSERT(len < sizeof(buf));
+- if (!WriteStringToFile("/proc/self/uid_map", buf, len)) {
++ int len = SprintfLiteral(buf, "%u %u 1\n", uid, uid);
++ if (len >= int(sizeof(buf)) || len < 0) {
++ return false;
++ }
++ if (!WriteStringToFile("/proc/self/uid_map", buf, size_t(len))) {
+ MOZ_CRASH("Failed to write /proc/self/uid_map");
+ }
+
+ Unused << WriteStringToFile("/proc/self/setgroups", "deny", 4);
+
+- len = size_t(SprintfLiteral(buf, "%u %u 1\n", gid, gid));
+- MOZ_ASSERT(len < sizeof(buf));
+- if (!WriteStringToFile("/proc/self/gid_map", buf, len)) {
++ len = SprintfLiteral(buf, "%u %u 1\n", gid, gid);
++ if (len >= int(sizeof(buf)) || len < 0) {
++ return false;
++ }
++ if (!WriteStringToFile("/proc/self/gid_map", buf, size_t(len))) {
+ MOZ_CRASH("Failed to write /proc/self/gid_map");
+ }
+ return true;
+diff --git xpcom/base/nsSystemInfo.cpp xpcom/base/nsSystemInfo.cpp
+index e5a7fe97be03..782dc9abf37d 100644
+--- xpcom/base/nsSystemInfo.cpp
++++ xpcom/base/nsSystemInfo.cpp
+@@ -706,7 +706,7 @@ nsSystemInfo::Init()
+ }
+
+ nsAutoCString secondaryLibrary;
+- if (gtkver_len > 0) {
++ if (gtkver_len > 0 && gtkver_len < int(sizeof(gtkver))) {
+ secondaryLibrary.Append(nsDependentCSubstring(gtkver, gtkver_len));
+ }
+
diff --git a/www/firefox/files/patch-bug1375146 b/www/firefox/files/patch-bug1375146
new file mode 100644
index 000000000000..aa742fd01adb
--- /dev/null
+++ b/www/firefox/files/patch-bug1375146
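Review bot: In `UnshareUserNamespace()` (patch-bug1369561) the new `return false;` after a bad `SprintfLiteral` length runs after `unshare(CLONE_NEWUSER)` has already succeeded, so the caller is told the call failed while the process is in fact inside a new user namespace with no uid/gid mapping written. The neighbouring `WriteStringToFile` failures use `MOZ_CRASH` for this kind of half-configured state, and the second length check additionally returns after `uid_map` and `setgroups` have been written. Treating the two length checks the same way, e.g. `MOZ_CRASH("uid_map string did not fit in buf");`, would avoid leaving the sandbox setup ambiguous. How callers react to `false` is outside the hunk, so confirm that before changing it; the function also starts outside the visible hunks.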
@@ -0,0 +1,37 @@
+commit b481800095d4
+Author: Stone Shih <sshih@mozilla.com>
+Date: Tue Sep 19 15:41:52 2017 +0800
+
+ Bug 1375146 - Revise sending drag event. r=smaug, a=ritu
+
+ --HG--
+ extra : source : d4496b8befbf0ef5ae124a9fbda37ad5b885f9e1
+---
+ dom/events/EventStateManager.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git dom/events/EventStateManager.cpp dom/events/EventStateManager.cpp
+index b94dc0c88e01..1f48884058de 100644
+--- dom/events/EventStateManager.cpp
++++ dom/events/EventStateManager.cpp
+@@ -1292,8 +1292,9 @@ EventStateManager::DispatchCrossProcessEvent(WidgetEvent* aEvent,
+ return;
+ }
+ case eDragEventClass: {
+- if (remote->Manager()->IsContentParent()) {
+- remote->Manager()->AsContentParent()->MaybeInvokeDragSession(remote);
++ RefPtr<TabParent> tabParent = remote;
++ if (tabParent->Manager()->IsContentParent()) {
++ tabParent->Manager()->AsContentParent()->MaybeInvokeDragSession(tabParent);
+ }
+
+ nsCOMPtr<nsIDragSession> dragSession = nsContentUtils::GetDragSession();
+@@ -1309,7 +1310,7 @@ EventStateManager::DispatchCrossProcessEvent(WidgetEvent* aEvent,
+ }
+ }
+
+- remote->SendRealDragEvent(*aEvent->AsDragEvent(), action, dropEffect);
++ tabParent->SendRealDragEvent(*aEvent->AsDragEvent(), action, dropEffect);
+ return;
+ }
+ case ePluginEventClass: {
diff --git a/www/firefox/files/patch-bug1387799 b/www/firefox/files/patch-bug1387799
new file mode 100644
index 000000000000..e79b52603427
--- /dev/null
+++ b/www/firefox/files/patch-bug1387799
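Review bot: The strong reference `RefPtr<TabParent> tabParent = remote;` in the `eDragEventClass` case (patch-bug1375146) has no comment saying why it is needed, and the commit message ("Revise sending drag event") does not say either. Presumably `MaybeInvokeDragSession` or the code between it and `SendRealDragEvent` can drop the last reference to `remote`. A one-line comment such as `// Keep the TabParent alive: starting the drag session may release it.` would record that and keep a later refactor from going back to the raw pointer. Other cases of `DispatchCrossProcessEvent` that use `remote` lie outside the hunk and may deserve the same look.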
@@ -0,0 +1,49 @@
+commit e1c252eab1f4
+Author: Milan Sreckovic <milan@mozilla.com>
+Date: Mon Oct 23 16:22:47 2017 -0400
+
+ Bug 1387799 - Keep an extra reference. r=jrmuizel, a=ritu
+
+ --HG--
+ extra : source : 8199078921c6b4c0ee4c984100d33750dfe8e144
+---
+ gfx/layers/ipc/CompositorBridgeChild.cpp | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git gfx/layers/ipc/CompositorBridgeChild.cpp gfx/layers/ipc/CompositorBridgeChild.cpp
+index 9419f4b2da36..55fd9c10871b 100644
+--- gfx/layers/ipc/CompositorBridgeChild.cpp
++++ gfx/layers/ipc/CompositorBridgeChild.cpp
+@@ -523,10 +523,14 @@ CompositorBridgeChild::RecvHideAllPlugins(const uintptr_t& aParentWidget)
+ }
+
+ mozilla::ipc::IPCResult
+-CompositorBridgeChild::RecvDidComposite(const uint64_t& aId, const uint64_t& aTransactionId,
++CompositorBridgeChild::RecvDidComposite(const uint64_t& aId,
++ const uint64_t& aTransactionId,
+ const TimeStamp& aCompositeStart,
+ const TimeStamp& aCompositeEnd)
+ {
++ // Hold a reference to keep texture pools alive. See bug 1387799
++ AutoTArray<RefPtr<TextureClientPool>,2> texturePools = mTexturePools;
++
+ if (mLayerManager) {
+ MOZ_ASSERT(aId == 0);
+ MOZ_ASSERT(mLayerManager->GetBackendType() == LayersBackend::LAYERS_CLIENT ||
+@@ -541,13 +545,14 @@ CompositorBridgeChild::RecvDidComposite(const uint64_t& aId, const uint64_t& aTr
+ }
+ }
+
+- for (size_t i = 0; i < mTexturePools.Length(); i++) {
+- mTexturePools[i]->ReturnDeferredClients();
++ for (size_t i = 0; i < texturePools.Length(); i++) {
++ texturePools[i]->ReturnDeferredClients();
+ }
+
+ return IPC_OK();
+ }
+
++
+ void
+ CompositorBridgeChild::ActorDestroy(ActorDestroyReason aWhy)
+ {
diff --git a/www/firefox/files/patch-bug1394265 b/www/firefox/files/patch-bug1394265
new file mode 100644
index 000000000000..15d00bc63722
--- /dev/null
+++ b/www/firefox/files/patch-bug1394265
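Review bot: The comment added in `RecvDidComposite` (patch-bug1387799), `// Hold a reference to keep texture pools alive. See bug 1387799`, points at a bug report that may not be publicly readable and does not say what can release the pools. Naming the mechanism in the comment (presumably the composite notification or `ReturnDeferredClients()` can cause `mTexturePools` to be modified while it is being iterated) would make the snapshot self-explanatory. The second hunk also adds a stray extra blank line before `CompositorBridgeChild::ActorDestroy`, which is unrelated whitespace churn.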
@@ -0,0 +1,24 @@
+commit a51675964a63
+Author: Jeff Gilbert <jgilbert@mozilla.com>
+Date: Tue Oct 17 17:14:29 2017 -0700
+
+ Bug 1394265 - Set MAX_COMBINED_TEXTURE_IMAGE_UNITS to 0 if GetIntegeriv fails. - r=daoshengmu a=ritu
+
+ MozReview-Commit-ID: 5h6UPXczKhb
+---
+ dom/canvas/WebGLContextValidate.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git dom/canvas/WebGLContextValidate.cpp dom/canvas/WebGLContextValidate.cpp
+index a8334e546414..ebf0aa8c2d78 100644
+--- dom/canvas/WebGLContextValidate.cpp
++++ dom/canvas/WebGLContextValidate.cpp
+@@ -554,7 +554,7 @@ WebGLContext::InitAndValidateGL(FailureReason* const out_failReason)
+ if (MinCapabilityMode())
+ mGLMaxTextureUnits = MINVALUE_GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS;
+ else
+- gl->fGetIntegerv(LOCAL_GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS, &mGLMaxTextureUnits);
++ mGLMaxTextureUnits = gl->GetIntAs<GLint>(LOCAL_GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS);
+
+ if (mGLMaxTextureUnits < 8) {
+ const nsPrintfCString reason("GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS: %d is < 8!",
diff --git a/www/firefox/files/patch-bug1394530 b/www/firefox/files/patch-bug1394530
new file mode 100644
index 000000000000..92b6e587ce1d
--- /dev/null
+++ b/www/firefox/files/patch-bug1394530
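Review bot: The switch to `gl->GetIntAs<GLint>(LOCAL_GL_MAX_COMBINED_TEXTURE_IMAGE_UNITS)` in `InitAndValidateGL` (patch-bug1394265) covers only this one query; any other `fGetIntegerv` call in the function that writes straight into a member would keep whatever the member already held if the driver call fails. Those calls are outside the hunk, so this is a prompt to check them rather than a confirmed defect. A short comment here, along the lines of `// A failed query yields 0, which the < 8 check below rejects.`, would also record why the helper is used instead of the raw call.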
@@ -0,0 +1,60 @@
+commit a2b75aa9409c
+Author: Tooru Fujisawa <arai_a@mac.com>
+Date: Sun Sep 17 19:52:04 2017 +0900
+
+ Bug 1394530 - Stop using optimized path for non PromiseObject. r=till, a=sledru
+
+ --HG--
+ extra : source : 079ff8998fd50540948d3262a3a8b1f4d61b43e9
+---
+ js/src/builtin/Promise.cpp | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git js/src/builtin/Promise.cpp js/src/builtin/Promise.cpp
+index 1cb1cff0682e..e316f090504d 100644
+--- js/src/builtin/Promise.cpp
++++ js/src/builtin/Promise.cpp
+@@ -2365,6 +2365,15 @@ NewReactionRecord(JSContext* cx, HandleObject resultPromise, HandleValue onFulfi
+ HandleValue onRejected, HandleObject resolve, HandleObject reject,
+ HandleObject incumbentGlobalObject)
+ {
++ // Either of the following conditions must be met:
++ // * resultPromise is a PromiseObject
++ // * resolve and reject are callable
++ // except for Async Generator, there resultPromise can be nullptr.
++ MOZ_ASSERT_IF(resultPromise && !resultPromise->is<PromiseObject>(), resolve);
++ MOZ_ASSERT_IF(resultPromise && !resultPromise->is<PromiseObject>(), IsCallable(resolve));
++ MOZ_ASSERT_IF(resultPromise && !resultPromise->is<PromiseObject>(), reject);
++ MOZ_ASSERT_IF(resultPromise && !resultPromise->is<PromiseObject>(), IsCallable(reject));
++
+ Rooted<PromiseReactionRecord*> reaction(cx, NewObjectWithClassProto<PromiseReactionRecord>(cx));
+ if (!reaction)
+ return nullptr;
+@@ -3072,7 +3081,7 @@ BlockOnPromise(JSContext* cx, HandleValue promiseVal, HandleObject blockedPromis
+ // rejected promises list.
+ bool addToDependent = true;
+
+- if (C == PromiseCtor) {
++ if (C == PromiseCtor && resultPromise->is<PromiseObject>()) {
+ addToDependent = false;
+ } else {
+ // 25.4.5.3., step 4.
+@@ -3131,12 +3140,14 @@ BlockOnPromise(JSContext* cx, HandleValue promiseVal, HandleObject blockedPromis
+ return false;
+ }
+
+- // If the object to depend on isn't a, maybe-wrapped, Promise instance,
+- // we ignore it. All this does is lose some small amount of debug
+- // information in scenarios that are highly unlikely to occur in useful
+- // code.
++ // If either the object to depend on or the object that gets blocked isn't
++ // a, maybe-wrapped, Promise instance, we ignore it. All this does is lose
++ // some small amount of debug information in scenarios that are highly
++ // unlikely to occur in useful code.
+ if (!unwrappedPromiseObj->is<PromiseObject>())
+ return true;
++ if (!blockedPromise_->is<PromiseObject>())
++ return true;
+
+ Rooted<PromiseObject*> promise(cx, &unwrappedPromiseObj->as<PromiseObject>());
+ return AddPromiseReaction(cx, promise, UndefinedHandleValue, UndefinedHandleValue,
diff --git a/www/firefox/files/patch-bug1395138 b/www/firefox/files/patch-bug1395138
new file mode 100644
index 000000000000..5422a708ab5c
--- /dev/null
+++ b/www/firefox/files/patch-bug1395138
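Review bot: The four `MOZ_ASSERT_IF(...)` lines added to `NewReactionRecord` (patch-bug1394530) are debug-only, so in release builds the invariant they describe is enforced only by the new `resultPromise->is<PromiseObject>()` test at the one call site visible in `BlockOnPromise`. If any other caller can pass a non-PromiseObject `resultPromise` without callable `resolve`/`reject`, the mix-up this patch guards against would still be reachable there; those callers are outside the hunks, so this needs checking rather than assuming. The new `blockedPromise_->is<PromiseObject>()` test also does not unwrap, while the comment above it speaks of a "maybe-wrapped" instance; whether `blockedPromise_` can be a wrapper at that point is not visible here and is worth a clarifying comment.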
@@ -0,0 +1,49 @@
+commit 8ab8a207d511
+Author: Jamie Nicol <jnicol@mozilla.com>
+Date: Mon Oct 9 17:48:59 2017 +0100
+
+ Bug 1395138 - Hold reference to layers in ContainerLayerComposite::mPrepared. r=mattwoodrow, a=sledru
+
+ MozReview-Commit-ID: 6qUDRnRcFAw
+---
+ gfx/layers/composite/ContainerLayerComposite.cpp | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git gfx/layers/composite/ContainerLayerComposite.cpp gfx/layers/composite/ContainerLayerComposite.cpp
+index aad2993629fc..28d9e79925a0 100755
+--- gfx/layers/composite/ContainerLayerComposite.cpp
++++ gfx/layers/composite/ContainerLayerComposite.cpp
+@@ -161,12 +161,12 @@ static gfx::IntRect ContainerVisibleRect(ContainerT* aContainer)
+ /* all of the per-layer prepared data we need to maintain */
+ struct PreparedLayer
+ {
+- PreparedLayer(LayerComposite *aLayer,
++ PreparedLayer(Layer *aLayer,
+ RenderTargetIntRect aClipRect,
+ Maybe<gfx::Polygon>&& aGeometry)
+ : mLayer(aLayer), mClipRect(aClipRect), mGeometry(Move(aGeometry)) {}
+
+- LayerComposite* mLayer;
++ RefPtr<Layer> mLayer;
+ RenderTargetIntRect mClipRect;
+ Maybe<Polygon> mGeometry;
+ };
+@@ -230,7 +230,8 @@ ContainerPrepare(ContainerT* aContainer,
+ CULLING_LOG("Preparing sublayer %p\n", layerToRender->GetLayer());
+
+ layerToRender->Prepare(clipRect);
+- aContainer->mPrepared->mLayers.AppendElement(PreparedLayer(layerToRender, clipRect,
++ aContainer->mPrepared->mLayers.AppendElement(PreparedLayer(layerToRender->GetLayer(),
++ clipRect,
+ Move(layer.geometry)));
+ }
+
+@@ -408,7 +409,7 @@ RenderLayers(ContainerT* aContainer, LayerManagerComposite* aManager,
+ PreparedLayer& preparedData = aContainer->mPrepared->mLayers[i];
+
+ const gfx::IntRect clipRect = preparedData.mClipRect.ToUnknownRect();
+- LayerComposite* layerToRender = preparedData.mLayer;
++ LayerComposite* layerToRender = static_cast<LayerComposite*>(preparedData.mLayer->ImplData());
+ const Maybe<gfx::Polygon>& childGeometry = preparedData.mGeometry;
+
+ Layer* layer = layerToRender->GetLayer();
diff --git a/www/firefox/files/patch-bug1397811 b/www/firefox/files/patch-bug1397811
new file mode 100644
index 000000000000..4df98338ece5
--- /dev/null
+++ b/www/firefox/files/patch-bug1397811
@@ -0,0 +1,48 @@
+commit 2bffd0136caf
+Author: Olli Pettay <Olli.Pettay@helsinki.fi>
+Date: Fri Oct 20 11:02:29 2017 +0100
+
+ Bug 1397811 - In order to not leak properties, ensure all the properties of adopted nodes are removed in case the adopt call fails. r=bz, a=lizzard
+
+ --HG--
+ extra : source : b609906f34b50f8e4236d0fee8d01338181dd906
+---
+ dom/base/nsNodeUtils.cpp | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git dom/base/nsNodeUtils.cpp dom/base/nsNodeUtils.cpp
+index dd958aa443ce..20e714d54065 100644
+--- dom/base/nsNodeUtils.cpp
++++ dom/base/nsNodeUtils.cpp
+@@ -605,6 +605,15 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, bool aClone, bool aDeep,
+ }
+ }
+
++ if (aNodesWithProperties && aNode->HasProperties()) {
++ bool ok = aNodesWithProperties->AppendObject(aNode);
++ MOZ_RELEASE_ASSERT(ok, "Out of memory");
++ if (aClone) {
++ ok = aNodesWithProperties->AppendObject(clone);
++ MOZ_RELEASE_ASSERT(ok, "Out of memory");
++ }
++ }
++
+ if (aDeep && (!aClone || !aNode->IsNodeOfType(nsINode::eATTRIBUTE))) {
+ // aNode's children.
+ for (nsIContent* cloneChild = aNode->GetFirstChild();
+@@ -664,15 +673,6 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, bool aClone, bool aDeep,
+ }
+ #endif
+
+- if (aNodesWithProperties && aNode->HasProperties()) {
+- bool ok = aNodesWithProperties->AppendObject(aNode);
+- if (aClone) {
+- ok = ok && aNodesWithProperties->AppendObject(clone);
+- }
+-
+- NS_ENSURE_TRUE(ok, NS_ERROR_OUT_OF_MEMORY);
+- }
+-
+ clone.forget(aResult);
+
+ return NS_OK;
diff --git a/www/firefox/files/patch-bug1400003 b/www/firefox/files/patch-bug1400003
new file mode 100644
index 000000000000..5039150992e6
--- /dev/null
+++ b/www/firefox/files/patch-bug1400003
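Review bot: In `RenderLayers` (patch-bug1395138) the new `static_cast<LayerComposite*>(preparedData.mLayer->ImplData())` is an unchecked downcast of whatever `ImplData()` returns, and nothing in the hunk states why every entry in `mPrepared->mLayers` is guaranteed to be backed by a `LayerComposite`. A comment naming that invariant, for instance `// mLayers is only filled by ContainerPrepare from layerToRender->GetLayer(), so ImplData() is a LayerComposite.`, would make the cast reviewable. The context line that follows, `Layer* layer = layerToRender->GetLayer();`, now round-trips to the pointer already held in `preparedData.mLayer`. `RenderLayers` continues outside the hunk.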
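Review bot: The block moved up in `nsNodeUtils::CloneAndAdopt` (patch-bug1397811) now registers `aNode` and `clone` in `aNodesWithProperties` before the children are processed, but nothing at the new location says that the position matters. Going by the commit message, a later failure must still find these nodes in the list so their properties can be removed; a comment such as `// Must run before any early return below so a failed adopt can still clean up properties.` would keep the block from drifting back down. The switch from `NS_ENSURE_TRUE(ok, NS_ERROR_OUT_OF_MEMORY)` to `MOZ_RELEASE_ASSERT(ok, "Out of memory")` also turns an allocation failure into a crash, which looks intentional but deserves a word in the same comment.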
@@ -0,0 +1,120 @@ +commit 677c707a4f11 +Author: Jon Coppeard <jcoppeard@mozilla.com> +Date: Mon Oct 9 10:03:20 2017 +0100 + + Bug 1400003 - Mark Heap<T> and barrier classes as MOZ_NON_MEMMOVABLE. r=sfink, r=froydnj, a=lizzard + + --HG-- + extra : source : 6ad5b916c9659aeb4b901d8f9ec7f121dc2c4418 +--- + js/public/RootingAPI.h | 10 +++++++++- + js/src/gc/Barrier.h | 5 ++++- + xpcom/ds/nsTArray.h | 27 +++++++++++++-------------- + 3 files changed, 26 insertions(+), 16 deletions(-) + +diff --git js/public/RootingAPI.h js/public/RootingAPI.h +index 74a61af93703..f8ec7c5a1f5b 100644 +--- js/public/RootingAPI.h ++++ js/public/RootingAPI.h +@@ -231,7 +231,7 @@ AssertGCThingIsNotAnObjectSubclass(js::gc::Cell* cell) {} + * Type T must be a public GC pointer type. + */ + template <typename T> +-class Heap : public js::HeapBase<T, Heap<T>> ++class MOZ_NON_MEMMOVABLE Heap : public js::HeapBase<T, Heap<T>> + { + // Please note: this can actually also be used by nsXBLMaybeCompiled<T>, for legacy reasons. + static_assert(js::IsHeapConstructibleType<T>::value, +@@ -1246,6 +1246,14 @@ class JS_PUBLIC_API(ObjectPtr) + + explicit ObjectPtr(JSObject* obj) : value(obj) {} + ++ ObjectPtr(const ObjectPtr& other) : value(other.value) {} ++ ++ ObjectPtr(ObjectPtr&& other) ++ : value(other.value) ++ { ++ other.value = nullptr; ++ } ++ + /* Always call finalize before the destructor. */ + ~ObjectPtr() { MOZ_ASSERT(!value); } + +diff --git js/src/gc/Barrier.h js/src/gc/Barrier.h +index 9c4f53975752..1740315c14e9 100644 +--- js/src/gc/Barrier.h ++++ js/src/gc/Barrier.h +@@ -318,8 +318,11 @@ struct InternalBarrierMethods<jsid> + }; + + // Base class of all barrier types. ++// ++// This is marked non-memmovable since post barriers added by derived classes ++// can add pointers to class instances to the store buffer. + template <typename T> +-class BarrieredBase ++class MOZ_NON_MEMMOVABLE BarrieredBase + { + protected: + // BarrieredBase is not directly instantiable. 
+diff --git xpcom/ds/nsTArray.h xpcom/ds/nsTArray.h +index 424a50ba421e..4e9b57126bfb 100644 +--- xpcom/ds/nsTArray.h ++++ xpcom/ds/nsTArray.h +@@ -37,6 +37,7 @@ + namespace JS { + template<class T> + class Heap; ++class ObjectPtr; + } /* namespace JS */ + + class nsRegion; +@@ -708,7 +709,7 @@ struct nsTArray_CopyWithConstructors + template<class E> + struct MOZ_NEEDS_MEMMOVABLE_TYPE nsTArray_CopyChooser + { +- typedef nsTArray_CopyWithMemutils Type; ++ using Type = nsTArray_CopyWithMemutils; + }; + + // +@@ -719,14 +720,18 @@ struct MOZ_NEEDS_MEMMOVABLE_TYPE nsTArray_CopyChooser + template<> \ + struct nsTArray_CopyChooser<T> \ + { \ +- typedef nsTArray_CopyWithConstructors<T> Type; \ ++ using Type = nsTArray_CopyWithConstructors<T>; \ + }; + +-template<class E> +-struct nsTArray_CopyChooser<JS::Heap<E>> +-{ +- typedef nsTArray_CopyWithConstructors<JS::Heap<E>> Type; +-}; ++#define DECLARE_USE_COPY_CONSTRUCTORS_FOR_TEMPLATE(T) \ ++ template<typename S> \ ++ struct nsTArray_CopyChooser<T<S>> \ ++ { \ ++ using Type = nsTArray_CopyWithConstructors<T<S>>; \ ++ }; ++ ++DECLARE_USE_COPY_CONSTRUCTORS_FOR_TEMPLATE(JS::Heap) ++DECLARE_USE_COPY_CONSTRUCTORS_FOR_TEMPLATE(std::function) + + DECLARE_USE_COPY_CONSTRUCTORS(nsRegion) + DECLARE_USE_COPY_CONSTRUCTORS(nsIntRegion) +@@ -740,13 +745,7 @@ DECLARE_USE_COPY_CONSTRUCTORS(mozilla::dom::indexedDB::SerializedStructuredClone + DECLARE_USE_COPY_CONSTRUCTORS(JSStructuredCloneData) + DECLARE_USE_COPY_CONSTRUCTORS(mozilla::dom::MessagePortMessage) + DECLARE_USE_COPY_CONSTRUCTORS(mozilla::SourceBufferTask) +- +-template<typename T> +-struct nsTArray_CopyChooser<std::function<T>> +-{ +- typedef nsTArray_CopyWithConstructors<std::function<T>> Type; +-}; +- ++DECLARE_USE_COPY_CONSTRUCTORS(JS::ObjectPtr) + + // + // Base class for nsTArray_Impl that is templated on element type and derived diff --git a/www/firefox/files/patch-bug1400554 b/www/firefox/files/patch-bug1400554 new file mode 100644 index 000000000000..b8ed7dec089a 
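Review bot: The new copy constructor `ObjectPtr(const ObjectPtr& other) : value(other.value) {}` leaves two ObjectPtr instances holding the same object, while the destructor still asserts `MOZ_ASSERT(!value)` and the existing comment requires finalize to be called first. The move constructor clears its source and so keeps that invariant, but the copy does not, and `DECLARE_USE_COPY_CONSTRUCTORS(JS::ObjectPtr)` presumably makes nsTArray call these constructors when it relocates elements. Please document the contract on the copy constructor, e.g. `// Both copies must be finalized before destruction; needed so nsTArray can relocate elements without memmove.` It would also help to declare the assignment operators explicitly (defaulted or deleted) so the intended set of special members is visible; none appears in the hunk.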
--- /dev/null
+++ b/www/firefox/files/patch-bug1400554
@@ -0,0 +1,27 @@
+commit 62b41b600acc
+Author: Dragana Damjanovic <dd.mozilla@gmail.com>
+Date: Mon Oct 9 14:59:32 2017 -0400
+
+ Bug 1400554 - Cancel a time in TLSFilterTransaction if transaction is canceled. r=mcmanus, a=ritu
+
+ --HG--
+ extra : source : 67315954145e9cae0efe8c5323452a70a13c5484
+---
+ netwerk/protocol/http/TunnelUtils.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git netwerk/protocol/http/TunnelUtils.cpp netwerk/protocol/http/TunnelUtils.cpp
+index d0f6ef0b1873..0cf3ea4f3008 100644
+--- netwerk/protocol/http/TunnelUtils.cpp
++++ netwerk/protocol/http/TunnelUtils.cpp
+@@ -126,6 +126,10 @@ TLSFilterTransaction::Close(nsresult aReason)
+ return;
+ }
+
++ if (mTimer) {
++ mTimer->Cancel();
++ mTimer = nullptr;
++ }
+ mTransaction->Close(aReason);
+ mTransaction = nullptr;
+ }
diff --git a/www/firefox/files/patch-bug1401804 b/www/firefox/files/patch-bug1401804
new file mode 100644
index 000000000000..c3b4688dc744
--- /dev/null
+++ b/www/firefox/files/patch-bug1401804
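Review bot: The timer is cancelled only on the path that falls past the early `return;` at the top of the visible part of `TLSFilterTransaction::Close`, so if that return can be taken while `mTimer` is still armed, the timer stays live after the caller considers the transaction closed. The guard's condition is above the hunk, so I cannot tell whether that case is reachable; if it is, the `if (mTimer) { ... }` block belongs ahead of the guard. A short comment such as `// Stop the pending timer so its callback cannot run against a closed transaction.` would also record why the cancel has to come before `mTransaction->Close(aReason)`.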
@@ -0,0 +1,31 @@ +commit 38e6bb85066b +Author: Jon Coppeard <jcoppeard@mozilla.com> +Date: Fri Sep 22 13:09:44 2017 +0100 + + Bug 1401804 - Fix IsMarkedBlack check used in gray marking asserts r=sfink a=sylvestre +--- + js/src/gc/Barrier.cpp | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git js/src/gc/Barrier.cpp js/src/gc/Barrier.cpp +index 5a5dfbe9bed0..0c42d16e7117 100644 +--- js/src/gc/Barrier.cpp ++++ js/src/gc/Barrier.cpp +@@ -33,15 +33,8 @@ RuntimeFromActiveCooperatingThreadIsHeapMajorCollecting(JS::shadow::Zone* shadow + bool + IsMarkedBlack(JSObject* obj) + { +- // Note: we assume conservatively that Nursery things will be live. +- if (!obj->isTenured()) +- return true; +- +- gc::TenuredCell& tenured = obj->asTenured(); +- if (tenured.isMarkedAny() || tenured.arena()->allocatedDuringIncremental) +- return true; +- +- return false; ++ return obj->isMarkedBlack() || ++ (obj->isTenured() && obj->asTenured().arena()->allocatedDuringIncremental); + } + + bool diff --git a/www/firefox/files/patch-bug1402442 b/www/firefox/files/patch-bug1402442 new file mode 100644 index 000000000000..18bf1c88ca47 --- /dev/null +++ b/www/firefox/files/patch-bug1402442 @@ -0,0 +1,181 @@ +commit 44b4458e2d21 +Author: Emilio Cobos Álvarez <emilio@crisal.io> +Date: Mon Sep 25 18:25:29 2017 +0200 + + Bug 1402442 - Properly remove display: contents pseudo-frames. r=mats, a=ritu + + MozReview-Commit-ID: 4pjVLQfv3YR + 
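Review bot: The rewrite of `IsMarkedBlack` drops the comment `// Note: we assume conservatively that Nursery things will be live.` together with the explicit `!obj->isTenured()` early return, so how nursery objects are treated now depends entirely on what `obj->isMarkedBlack()` returns for them. That helper is not shown here; if it does not report nursery cells as black, this function now returns false for them, which changes what the gray-marking asserts accept. Please state the new behaviour above the return, e.g. `// Nursery objects are covered by isMarkedBlack(); tenured ones also count when their arena was allocated during incremental GC.`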
Signed-off-by: Emilio Cobos Álvarez <emilio@crisal.io> + + --HG-- + extra : source : faa69ac1c14b79838cc0aac842b470a110542ebd + extra : amend_source : 3a76e0123bf3f7d10295000cc44fd8bdddf700df +--- + layout/base/nsCSSFrameConstructor.cpp | 26 +++++++++++++++------- + testing/web-platform/meta/MANIFEST.json | 25 +++++++++++++++++++++ + ...dynamic-generated-content-fieldset-001.html.ini | 4 ++++ + ...dynamic-generated-content-fieldset-001-ref.html | 16 +++++++++++++ + ...nts-dynamic-generated-content-fieldset-001.html | 26 ++++++++++++++++++++++ + 5 files changed, 89 insertions(+), 8 deletions(-) + +diff --git layout/base/nsCSSFrameConstructor.cpp layout/base/nsCSSFrameConstructor.cpp +index 99b1211b399b..4fce3fb381a7 100644 +--- layout/base/nsCSSFrameConstructor.cpp ++++ layout/base/nsCSSFrameConstructor.cpp +@@ -1698,6 +1698,17 @@ nsCSSFrameConstructor::NotifyDestroyingFrame(nsIFrame* aFrame) + nsFrameManager::NotifyDestroyingFrame(aFrame); + } + ++static bool ++HasGeneratedContent(const nsIContent* aChild) ++{ ++ if (!aChild->MayHaveAnonymousChildren()) { ++ return false; ++ } ++ ++ return nsLayoutUtils::GetBeforeFrame(aChild) || ++ nsLayoutUtils::GetAfterFrame(aChild); ++} ++ + struct nsGenConInitializer { + nsAutoPtr<nsGenConNode> mNode; + nsGenConList* mList; +@@ -8642,16 +8653,15 @@ nsCSSFrameConstructor::ContentRemoved(nsIContent* aCo + MOZ_ASSERT(!childFrame || !GetDisplayContentsStyleFor(aChild), + "display:contents nodes shouldn't have a frame"); + if (!childFrame && GetDisplayContentsStyleFor(aChild)) { +- nsIContent* ancestor = aContainer; +- MOZ_ASSERT(ancestor, "display: contents on the root?"); +- while (!ancestor->GetPrimaryFrame()) { +- // FIXME(emilio): Should this use the flattened tree parent instead? 
+- ancestor = ancestor->GetParent(); +- MOZ_ASSERT(ancestor, "we can't have a display: contents subtree root!"); +- } ++ if (HasGeneratedContent(aChild)) { ++ nsIContent* ancestor = aContainer; ++ MOZ_ASSERT(ancestor, "display: contents on the root?"); ++ while (!ancestor->GetPrimaryFrame()) { ++ // FIXME(emilio): Should this use the flattened tree parent instead? ++ ancestor = ancestor->GetParent(); ++ MOZ_ASSERT(ancestor, "we can't have a display: contents subtree root!"); ++ } + +- nsIFrame* ancestorFrame = ancestor->GetPrimaryFrame(); +- if (ancestorFrame->GetProperty(nsIFrame::GenConProperty())) { + *aDidReconstruct = true; + LAYOUT_PHASE_TEMP_EXIT(); + +diff --git testing/web-platform/meta/MANIFEST.json testing/web-platform/meta/MANIFEST.json +index 5f05321c5a70..8aed4a4b5078 100644 +--- testing/web-platform/meta/MANIFEST.json ++++ testing/web-platform/meta/MANIFEST.json +@@ -102975,6 +102975,18 @@ + {} + ] + ], ++ "css/css-display-3/display-contents-dynamic-generated-content-fieldset-001.html": [ ++ [ ++ "/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001.html", ++ [ ++ [ ++ "/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001-ref.html", ++ "==" ++ ] ++ ], ++ {} ++ ] ++ ], + "css/css-display-3/display-contents-dynamic-inline-flex-001-inline.html": [ + [ + "/css/css-display-3/display-contents-dynamic-inline-flex-001-inline.html", +@@ -227658,6 +227670,11 @@ + {} + ] + ], ++ "css/css-display-3/display-contents-dynamic-generated-content-fieldset-001-ref.html": [ ++ [ ++ {} ++ ] ++ ], + "css/css-display-3/display-contents-flex-001-ref.html": [ + [ + {} +@@ -502880,6 +502897,14 @@ + "a2d7c9368ed8c01ca06c36646666270e85aee070", + "reftest" + ], ++ "css/css-display-3/display-contents-dynamic-generated-content-fieldset-001-ref.html": [ ++ "30ec5c8ddacfbfef8434c37ca7a0a766f2bbc89a", ++ "support" ++ ], ++ "css/css-display-3/display-contents-dynamic-generated-content-fieldset-001.html": [ ++ 
"984bebb3c3b8661aedef4a229848dfa818bb1f4a", ++ "reftest" ++ ], + "css/css-display-3/display-contents-dynamic-inline-flex-001-inline.html": [ + "40fb07e8ada1530e6835ff2d4e49c5571ffb0baa", + "reftest" +diff --git testing/web-platform/meta/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001.html.ini testing/web-platform/meta/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001.html.ini +new file mode 100644 +index 000000000000..63c7442a2362 +--- /dev/null ++++ testing/web-platform/meta/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001.html.ini +@@ -0,0 +1,4 @@ ++[display-contents-dynamic-generated-content-fieldset-001.html] ++ type: reftest ++ expected: ++ if not stylo: FAIL +diff --git testing/web-platform/tests/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001-ref.html testing/web-platform/tests/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001-ref.html +new file mode 100644 +index 000000000000..651bc19b83e9 +--- /dev/null ++++ testing/web-platform/tests/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001-ref.html +@@ -0,0 +1,16 @@ ++<!doctype html> ++<meta charset="utf-8"> ++<title>CSS Reftest Reference</title> ++<link rel="author" title="Emilio Cobos Álvarez" href="mailto:emilio@crisal.io"> ++<style> ++div { ++ display: contents; ++ border: 10px solid red; ++} ++</style> ++<p> ++ Test passes if there is no red text and no red border. 
++</p> ++<fieldset> ++ <div></div> ++</fieldset> +diff --git testing/web-platform/tests/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001.html testing/web-platform/tests/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001.html +new file mode 100644 +index 000000000000..8f8a0ba47971 +--- /dev/null ++++ testing/web-platform/tests/css/css-display-3/display-contents-dynamic-generated-content-fieldset-001.html +@@ -0,0 +1,26 @@ ++<!doctype html> ++<meta charset="utf-8"> ++<title>CSS Test: Dynamic changes to display: contents generated content in fieldsets.</title> ++<link rel="author" title="Emilio Cobos Álvarez" href="mailto:emilio@crisal.io"> ++<link rel="help" href="https://drafts.csswg.org/css-display-3/#valdef-display-contents"> ++<link rel="match" href="display-contents-dynamic-generated-content-fieldset-001-ref.html"> ++<style> ++.after::after { ++ content: "FAIL"; ++ color: red; ++} ++div { ++ display: contents; ++ border: 10px solid red; ++} ++</style> ++<p> ++ Test passes if there is no red text and no red border. ++</p> ++<fieldset> ++ <div class="after"></div> ++</fieldset> ++<script> ++document.body.offsetHeight; ++document.querySelector("div").classList.remove("after"); ++</script> diff --git a/www/firefox/files/patch-bug1404324 b/www/firefox/files/patch-bug1404324 new file mode 100644 index 000000000000..afcbc3efb2ec --- /dev/null +++ b/www/firefox/files/patch-bug1404324 
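Review bot: The new static helper `HasGeneratedContent` has no comment, and the condition in ContentRemoved silently changes from "the ancestor frame has `GenConProperty`" to "the removed child currently has a ::before or ::after frame". Since it answers via `nsLayoutUtils::GetBeforeFrame`/`GetAfterFrame`, it presumably has to be called while those frames still exist, which is worth stating: `// True if aChild still has a ::before/::after frame; call before the frames are torn down.` Inside the new branch the ancestor walk is still guarded only by `MOZ_ASSERT(ancestor, ...)`, which is compiled out of release builds, and the FIXME about the flattened tree parent is carried over unchanged. ContentRemoved continues outside the hunk.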
@@ -0,0 +1,299 @@ +commit 5647dde295f4 +Author: Emilio Cobos Álvarez <emilio@crisal.io> +Date: Wed Oct 4 11:36:20 2017 +0200 + + Bug 1404324 - Use the placeholder state to remove out-of-flows that aren't real descendants of the destruction root. r=bz, a=ritu + + Using the style of the frame can mess things up when we reparent them due to + ::first-line before removing them. + + MozReview-Commit-ID: 3Dt0wF2XRAH + + --HG-- + extra : source : 5a034cdb513208dd19adf0babf30ee734968a78f + extra : histedit_source : 4cd958939c5a76e013695e931d721454268a0dc7%2C96bdeda302c567493c7db5105f306595d25332e1 +--- + layout/base/nsCSSFrameConstructor.cpp | 8 +++--- + layout/base/nsLayoutUtils.cpp | 46 +++------------------------------ + layout/generic/nsPlaceholderFrame.cpp | 27 ++++++++++++++++--- + layout/generic/nsPlaceholderFrame.h | 21 ++++++++------- + layout/style/crashtests/1404324-1.html | 12 +++++++++ + layout/style/crashtests/1404324-2.html | 10 +++++++ + layout/style/crashtests/1404324-3.html | 14 ++++++++++ + layout/style/crashtests/crashtests.list | 3 +++ + 8 files changed, 83 insertions(+), 58 deletions(-) + +diff --git layout/base/nsCSSFrameConstructor.cpp layout/base/nsCSSFrameConstructor.cpp +index c840416fd6a7..99b1211b399b 100644 +--- layout/base/nsCSSFrameConstructor.cpp ++++ layout/base/nsCSSFrameConstructor.cpp +@@ -1260,8 +1260,10 @@ nsFrameConstructorState::GetOutOfFlowFrameItems(nsIFrame* aNewFrame, + if (disp->mTopLayer != NS_STYLE_TOP_LAYER_NONE) { + *aPlaceholderType = PLACEHOLDER_FOR_TOPLAYER; + if (disp->mPosition == NS_STYLE_POSITION_FIXED) { ++ *aPlaceholderType |= PLACEHOLDER_FOR_FIXEDPOS; + return &mTopLayerFixedItems; + } ++ *aPlaceholderType |= PLACEHOLDER_FOR_ABSPOS; + return &mTopLayerAbsoluteItems; + } + if (disp->mPosition == NS_STYLE_POSITION_ABSOLUTE) { +@@ -1303,11 +1305,11 @@ nsFrameConstructorState::ConstructBackdropFrameFor(nsIContent* aContent, + nsAbsoluteItems* frameItems = GetOutOfFlowFrameItems(backdropFrame, + true, true, false, + 
&placeholderType); +- MOZ_ASSERT(placeholderType == PLACEHOLDER_FOR_TOPLAYER); ++ MOZ_ASSERT(placeholderType & PLACEHOLDER_FOR_TOPLAYER); + + nsIFrame* placeholder = nsCSSFrameConstructor:: + CreatePlaceholderFrameFor(mPresShell, aContent, backdropFrame, +- frame, nullptr, PLACEHOLDER_FOR_TOPLAYER); ++ frame, nullptr, placeholderType); + nsFrameList temp(placeholder, placeholder); + frame->SetInitialChildList(nsIFrame::kBackdropList, temp); + +@@ -1361,7 +1363,7 @@ nsFrameConstructorState::AddChild(nsIFrame* aNewFrame, + // Add the placeholder frame to the flow + aFrameItems.AddChild(placeholderFrame); + +- if (placeholderType == PLACEHOLDER_FOR_TOPLAYER) { ++ if (placeholderType & PLACEHOLDER_FOR_TOPLAYER) { + ConstructBackdropFrameFor(aContent, aNewFrame); + } + } +diff --git layout/base/nsLayoutUtils.cpp layout/base/nsLayoutUtils.cpp +index cb010c0a1a80..94ead9830c25 100644 +--- layout/base/nsLayoutUtils.cpp ++++ layout/base/nsLayoutUtils.cpp +@@ -1525,6 +1525,8 @@ nsLayoutUtils::GetChildListNameFor(nsIFrame* aChildFrame) + { + nsIFrame::ChildListID id = nsIFrame::kPrincipalList; + ++ MOZ_DIAGNOSTIC_ASSERT(!(aChildFrame->GetStateBits() & NS_FRAME_OUT_OF_FLOW)); ++ + if (aChildFrame->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER) { + nsIFrame* pif = aChildFrame->GetPrevInFlow(); + if (pif->GetParent() == aChildFrame->GetParent()) { +@@ -1533,35 +1535,6 @@ nsLayoutUtils::GetChildListNameFor(nsIFrame* aChildFrame) + else { + id = nsIFrame::kOverflowContainersList; + } +- } +- // See if the frame is moved out of the flow +- else if (aChildFrame->GetStateBits() & NS_FRAME_OUT_OF_FLOW) { +- // Look at the style information to tell +- const nsStyleDisplay* disp = aChildFrame->StyleDisplay(); +- +- if (NS_STYLE_POSITION_ABSOLUTE == disp->mPosition) { +- id = nsIFrame::kAbsoluteList; +- } else if (NS_STYLE_POSITION_FIXED == disp->mPosition) { +- if (nsLayoutUtils::IsReallyFixedPos(aChildFrame)) { +- id = nsIFrame::kFixedList; +- } else { +- id = 
nsIFrame::kAbsoluteList; +- } +-#ifdef MOZ_XUL +- } else if (StyleDisplay::MozPopup == disp->mDisplay) { +- // Out-of-flows that are DISPLAY_POPUP must be kids of the root popup set +-#ifdef DEBUG +- nsIFrame* parent = aChildFrame->GetParent(); +- NS_ASSERTION(parent && parent->IsPopupSetFrame(), "Unexpected parent"); +-#endif // DEBUG +- +- id = nsIFrame::kPopupList; +-#endif // MOZ_XUL +- } else { +- NS_ASSERTION(aChildFrame->IsFloating(), "not a floated frame"); +- id = nsIFrame::kFloatList; +- } +- + } else { + LayoutFrameType childType = aChildFrame->Type(); + if (LayoutFrameType::MenuPopup == childType) { +@@ -1596,19 +1569,8 @@ nsLayoutUtils::GetChildListNameFor(nsIFrame* aChildFrame) + nsContainerFrame* parent = aChildFrame->GetParent(); + bool found = parent->GetChildList(id).ContainsFrame(aChildFrame); + if (!found) { +- if (!(aChildFrame->GetStateBits() & NS_FRAME_OUT_OF_FLOW)) { +- found = parent->GetChildList(nsIFrame::kOverflowList) +- .ContainsFrame(aChildFrame); +- } +- else if (aChildFrame->IsFloating()) { +- found = parent->GetChildList(nsIFrame::kOverflowOutOfFlowList) +- .ContainsFrame(aChildFrame); +- if (!found) { +- found = parent->GetChildList(nsIFrame::kPushedFloatsList) +- .ContainsFrame(aChildFrame); +- } +- } +- // else it's positioned and should have been on the 'id' child list. 
++ found = parent->GetChildList(nsIFrame::kOverflowList) ++ .ContainsFrame(aChildFrame); + NS_POSTCONDITION(found, "not in child list"); + } + #endif +diff --git layout/generic/nsPlaceholderFrame.cpp layout/generic/nsPlaceholderFrame.cpp +index 7da2582ae526..4b2e1bf84b36 100644 +--- layout/generic/nsPlaceholderFrame.cpp ++++ layout/generic/nsPlaceholderFrame.cpp +@@ -25,9 +25,9 @@ using namespace mozilla::gfx; + + nsIFrame* + NS_NewPlaceholderFrame(nsIPresShell* aPresShell, nsStyleContext* aContext, +- nsFrameState aTypeBit) ++ nsFrameState aTypeBits) + { +- return new (aPresShell) nsPlaceholderFrame(aContext, aTypeBit); ++ return new (aPresShell) nsPlaceholderFrame(aContext, aTypeBits); + } + + NS_IMPL_FRAMEARENA_HELPERS(nsPlaceholderFrame) +@@ -155,6 +155,26 @@ nsPlaceholderFrame::Reflow(nsPresContext* aPresContext, + NS_FRAME_SET_TRUNCATION(aStatus, aReflowInput, aDesiredSize); + } + ++static nsIFrame::ChildListID ++ChildListIDForOutOfFlow(nsFrameState aPlaceholderState, nsIFrame* aChild) ++{ ++ if (aPlaceholderState & PLACEHOLDER_FOR_FLOAT) { ++ return nsIFrame::kFloatList; ++ } ++ if (aPlaceholderState & PLACEHOLDER_FOR_POPUP) { ++ return nsIFrame::kPopupList; ++ } ++ if (aPlaceholderState & PLACEHOLDER_FOR_FIXEDPOS) { ++ return nsLayoutUtils::IsReallyFixedPos(aChild) ++ ? nsIFrame::kFixedList : nsIFrame::kAbsoluteList; ++ } ++ if (aPlaceholderState & PLACEHOLDER_FOR_ABSPOS) { ++ return nsIFrame::kAbsoluteList; ++ } ++ MOZ_DIAGNOSTIC_ASSERT(false, "unknown list"); ++ return nsIFrame::kFloatList; ++} ++ + void + nsPlaceholderFrame::DestroyFrom(nsIFrame* aDestructRoot) + { +@@ -162,12 +182,13 @@ nsPlaceholderFrame::DestroyFrom(nsIFrame* aDestructRoot) + if (oof) { + mOutOfFlowFrame = nullptr; + oof->DeleteProperty(nsIFrame::PlaceholderFrameProperty()); ++ + // If aDestructRoot is not an ancestor of the out-of-flow frame, + // then call RemoveFrame on it here. + // Also destroy it here if it's a popup frame. 
(Bug 96291) + if ((GetStateBits() & PLACEHOLDER_FOR_POPUP) || + !nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, oof)) { +- ChildListID listId = nsLayoutUtils::GetChildListNameFor(oof); ++ ChildListID listId = ChildListIDForOutOfFlow(GetStateBits(), oof); + nsFrameManager* fm = PresContext()->GetPresShell()->FrameManager(); + fm->RemoveFrame(listId, oof); + } +diff --git layout/generic/nsPlaceholderFrame.h layout/generic/nsPlaceholderFrame.h +index e270c76cdd31..2af9b4ccbc93 100644 +--- layout/generic/nsPlaceholderFrame.h ++++ layout/generic/nsPlaceholderFrame.h +@@ -40,7 +40,7 @@ + + nsIFrame* NS_NewPlaceholderFrame(nsIPresShell* aPresShell, + nsStyleContext* aContext, +- nsFrameState aTypeBit); ++ nsFrameState aTypeBits); + + #define PLACEHOLDER_TYPE_MASK (PLACEHOLDER_FOR_FLOAT | \ + PLACEHOLDER_FOR_ABSPOS | \ +@@ -65,18 +65,19 @@ public: + */ + friend nsIFrame* NS_NewPlaceholderFrame(nsIPresShell* aPresShell, + nsStyleContext* aContext, +- nsFrameState aTypeBit); +- nsPlaceholderFrame(nsStyleContext* aContext, nsFrameState aTypeBit) ++ nsFrameState aTypeBits); ++ nsPlaceholderFrame(nsStyleContext* aContext, nsFrameState aTypeBits) + : nsFrame(aContext, kClassID) + , mOutOfFlowFrame(nullptr) + { +- NS_PRECONDITION(aTypeBit == PLACEHOLDER_FOR_FLOAT || +- aTypeBit == PLACEHOLDER_FOR_ABSPOS || +- aTypeBit == PLACEHOLDER_FOR_FIXEDPOS || +- aTypeBit == PLACEHOLDER_FOR_POPUP || +- aTypeBit == PLACEHOLDER_FOR_TOPLAYER, +- "Unexpected type bit"); +- AddStateBits(aTypeBit); ++ MOZ_ASSERT(aTypeBits == PLACEHOLDER_FOR_FLOAT || ++ aTypeBits == PLACEHOLDER_FOR_ABSPOS || ++ aTypeBits == PLACEHOLDER_FOR_FIXEDPOS || ++ aTypeBits == PLACEHOLDER_FOR_POPUP || ++ aTypeBits == (PLACEHOLDER_FOR_TOPLAYER | PLACEHOLDER_FOR_ABSPOS) || ++ aTypeBits == (PLACEHOLDER_FOR_TOPLAYER | PLACEHOLDER_FOR_FIXEDPOS), ++ "Unexpected type bit"); ++ AddStateBits(aTypeBits); + } + + // Get/Set the associated out of flow frame +diff --git layout/style/crashtests/1404324-1.html 
layout/style/crashtests/1404324-1.html +new file mode 100644 +index 000000000000..574a5437cb1b +--- /dev/null ++++ layout/style/crashtests/1404324-1.html +@@ -0,0 +1,12 @@ ++<style></style> ++<script> ++document.documentElement.className = 'c1' ++o1 = document.createElement('form') ++o2 = document.createElement('e') ++o1.className = 'c2' ++document.documentElement.appendChild(o1) ++document.documentElement.appendChild(o2) ++document.styleSheets[0].insertRule('.c1:first-line, .c2 { position:fixed', 0); ++document.documentElement.getBoundingClientRect() ++document.styleSheets[0].cssRules[0].style.position = 'relative' ++</script> +diff --git layout/style/crashtests/1404324-2.html layout/style/crashtests/1404324-2.html +new file mode 100644 +index 000000000000..797347d5c058 +--- /dev/null ++++ layout/style/crashtests/1404324-2.html +@@ -0,0 +1,10 @@ ++<style> ++ del, *::first-line { ++ position: absolute; ++ } ++</style> ++<del></del> ++<script> ++ document.documentElement.offsetTop; ++ document.styleSheets[0].cssRules[0].style.position = 'sticky' ++</script> +diff --git layout/style/crashtests/1404324-3.html layout/style/crashtests/1404324-3.html +new file mode 100644 +index 000000000000..3b06f12a2bf6 +--- /dev/null ++++ layout/style/crashtests/1404324-3.html +@@ -0,0 +1,14 @@ ++<style> ++del { ++ position: absolute; ++} ++ ++body::first-line { ++ color: red; ++} ++</style> ++<del></del> ++<script> ++ document.documentElement.offsetTop; ++ document.styleSheets[0].cssRules[0].style.position = 'sticky' ++</script> +diff --git layout/style/crashtests/crashtests.list layout/style/crashtests/crashtests.list +index be9a46c52bfa..5eaba6935ee2 100644 +--- layout/style/crashtests/crashtests.list ++++ layout/style/crashtests/crashtests.list +@@ -238,3 +238,6 @@ load 1403615.html + load 1387481-1.html + load 1387499.html + load 1391577.html ++asserts-if(stylo,1) load 1404324-1.html # bug 1405605 ++load 1404324-2.html ++load 1404324-3.html 
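Review bot: `ChildListIDForOutOfFlow` falls back to `return nsIFrame::kFloatList;` after `MOZ_DIAGNOSTIC_ASSERT(false, "unknown list")`, so in builds where diagnostic asserts are compiled out, a placeholder carrying none of the four tested bits would have its out-of-flow removed from the float list regardless of where it actually lives. The constructor's `MOZ_ASSERT` restricts `aTypeBits` to the six accepted values, but that check is debug-only as well. Either make the fallthrough fatal or add a comment explaining why kFloatList is a safe default. The helper should also say that it deliberately trusts the placeholder state bits rather than the frame's style, which is what the commit message gives as the reason for the fix. The assertion text `"Unexpected type bit"` could become plural now that combinations with PLACEHOLDER_FOR_TOPLAYER are accepted.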
diff --git a/www/firefox/files/patch-bug1404636 b/www/firefox/files/patch-bug1404636
new file mode 100644
index 000000000000..0fcf35bcb131
--- /dev/null
+++ b/www/firefox/files/patch-bug1404636
@@ -0,0 +1,111 @@ +commit 3eff0850dd67 +Author: Jan de Mooij <jdemooij@mozilla.com> +Date: Thu Oct 26 16:15:35 2017 +0200 + + Bug 1404636 - Special-case typed arrays in PropertyReadNeedsTypeBarrier. r=bhackett, a=lizzard + + --HG-- + extra : source : 74d76655c9192b20dc69ddfa40c38e65fa9a47e3 +--- + js/src/jit/IonBuilder.cpp | 26 -------------------------- + js/src/jit/MIR.cpp | 8 ++++++++ + js/src/jit/MIR.h | 23 +++++++++++++++++++++++ + 3 files changed, 31 insertions(+), 26 deletions(-) + +diff --git js/src/jit/IonBuilder.cpp js/src/jit/IonBuilder.cpp +index 0f78e9d5d3b7..f0ef380da2bc 100644 +--- js/src/jit/IonBuilder.cpp ++++ js/src/jit/IonBuilder.cpp +@@ -7825,9 +7825,6 @@ IonBuilder::getElemTryTypedObject(bool* emitted, MDefinition* obj, MDefinition* + MOZ_CRASH("Bad kind"); + } + +-static MIRType +-MIRTypeForTypedArrayRead(Scalar::Type arrayType, bool observedDouble); +- + bool + IonBuilder::checkTypedObjectIndexInBounds(uint32_t elemSize, + MDefinition* obj, +@@ -8793,29 +8790,6 @@ IonBuilder::convertShiftToMaskForStaticTypedArray(MDefinition* id, + return ptr; + } + +-static MIRType +-MIRTypeForTypedArrayRead(Scalar::Type arrayType, bool observedDouble) +-{ +- switch (arrayType) { +- case Scalar::Int8: +- case Scalar::Uint8: +- case Scalar::Uint8Clamped: +- case Scalar::Int16: +- case Scalar::Uint16: +- case Scalar::Int32: +- return MIRType::Int32; +- case Scalar::Uint32: +- return observedDouble ? 
MIRType::Double : MIRType::Int32; +- case Scalar::Float32: +- return MIRType::Float32; +- case Scalar::Float64: +- return MIRType::Double; +- default: +- break; +- } +- MOZ_CRASH("Unknown typed array type"); +-} +- + AbortReasonOr<Ok> + IonBuilder::jsop_getelem_typed(MDefinition* obj, MDefinition* index, + Scalar::Type arrayType) +diff --git js/src/jit/MIR.cpp js/src/jit/MIR.cpp +index bac5948bfc21..ef286b7d546c 100644 +--- js/src/jit/MIR.cpp ++++ js/src/jit/MIR.cpp +@@ -6235,6 +6235,14 @@ PropertyReadNeedsTypeBarrier(CompilerConstraintList* constraints, + return BarrierKind::TypeSet; + } + ++ if (!name && IsTypedArrayClass(key->clasp())) { ++ Scalar::Type arrayType = Scalar::Type(key->clasp() - &TypedArrayObject::classes[0]); ++ MIRType type = MIRTypeForTypedArrayRead(arrayType, true); ++ if (observed->mightBeMIRType(type)) ++ return BarrierKind::NoBarrier; ++ return BarrierKind::TypeSet; ++ } ++ + jsid id = name ? NameToId(name) : JSID_VOID; + HeapTypeSetKey property = key->property(id); + if (property.maybeTypes()) { +diff --git js/src/jit/MIR.h js/src/jit/MIR.h +index d6d895b2caf2..16824b3f67ad 100644 +--- js/src/jit/MIR.h ++++ js/src/jit/MIR.h +@@ -15107,6 +15107,29 @@ ArrayPrototypeHasIndexedProperty(IonBuilder* builder, JSScript* script); + AbortReasonOr<bool> + TypeCanHaveExtraIndexedProperties(IonBuilder* builder, TemporaryTypeSet* types); + ++inline MIRType ++MIRTypeForTypedArrayRead(Scalar::Type arrayType, bool observedDouble) ++{ ++ switch (arrayType) { ++ case Scalar::Int8: ++ case Scalar::Uint8: ++ case Scalar::Uint8Clamped: ++ case Scalar::Int16: ++ case Scalar::Uint16: ++ case Scalar::Int32: ++ return MIRType::Int32; ++ case Scalar::Uint32: ++ return observedDouble ? MIRType::Double : MIRType::Int32; ++ case Scalar::Float32: ++ return MIRType::Float32; ++ case Scalar::Float64: ++ return MIRType::Double; ++ default: ++ break; ++ } ++ MOZ_CRASH("Unknown typed array type"); ++} ++ + } // namespace jit + } // namespace js + 
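Review bot: In the new typed-array branch of `PropertyReadNeedsTypeBarrier` the element type is recovered by pointer subtraction, `Scalar::Type(key->clasp() - &TypedArrayObject::classes[0])`, and the second argument to `MIRTypeForTypedArrayRead` is a bare `true`. The subtraction is only meaningful while `IsTypedArrayClass` guarantees that the class pointer lies inside `TypedArrayObject::classes` and that the array is ordered like `Scalar::Type`; neither is visible in the hunk, so the assumption should be written down in a comment next to the cast. I would spell the call as `MIRTypeForTypedArrayRead(arrayType, /* observedDouble = */ true)` and note that Uint32 reads are therefore always treated as Double on this path. PropertyReadNeedsTypeBarrier continues outside the hunk.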
diff --git a/www/firefox/files/patch-bug1404910 b/www/firefox/files/patch-bug1404910
new file mode 100644
index 000000000000..1157ce538381
--- /dev/null
+++ b/www/firefox/files/patch-bug1404910
@@ -0,0 +1,170 @@ +commit 2c8bf0ecbc5d +Author: Andrea Marchesini <amarchesini@mozilla.com> +Date: Wed Oct 4 14:18:19 2017 +0200 + + Bug 1404910 - WebSocket should consider the corrent top-level window principal. r=smaug, a=ritu + + --HG-- + extra : source : c543c0a50db700883b57c052710c97b5ef731e1f +--- + dom/base/WebSocket.cpp | 15 ++++--- + dom/base/test/iframe_webSocket_sandbox.html | 65 +++++++++++++++++++++++++++++ + dom/base/test/mochitest.ini | 3 ++ + dom/base/test/test_webSocket_sandbox.html | 34 +++++++++++++++ + 4 files changed, 109 insertions(+), 8 deletions(-) + +diff --git dom/base/WebSocket.cpp dom/base/WebSocket.cpp +index dc2c1c70107b..982c67cd2abd 100644 +--- dom/base/WebSocket.cpp ++++ dom/base/WebSocket.cpp +@@ -1666,18 +1666,17 @@ WebSocketImpl::Init(JSContext* aCx, + nsCOMPtr<nsPIDOMWindowInner> innerWindow; + + while (true) { +- if (principal) { +- bool isNullPrincipal = true; +- isNullPrincipal = principal->GetIsNullPrincipal(); +- if (isNullPrincipal || nsContentUtils::IsSystemPrincipal(principal)) { +- break; +- } ++ if (principal && !principal->GetIsNullPrincipal()) { ++ break; + } + + if (!innerWindow) { + innerWindow = do_QueryInterface(globalObject); +- if (NS_WARN_IF(!innerWindow)) { +- return NS_ERROR_DOM_SECURITY_ERR; ++ if (!innerWindow) { ++ // If we are in a XPConnect sandbox or in a JS component, ++ // innerWindow will be null. There is nothing on top of this to be ++ // considered. 
++ break; + } + } + +diff --git dom/base/test/iframe_webSocket_sandbox.html dom/base/test/iframe_webSocket_sandbox.html +new file mode 100644 +index 000000000000..d889a79b05da +--- /dev/null ++++ dom/base/test/iframe_webSocket_sandbox.html +@@ -0,0 +1,65 @@ ++<html><body> ++<iframe id="frame" sandbox="allow-scripts allow-popups"></iframe> ++<script type="application/javascript;version=1.8"> ++onmessage = function(e) { ++ parent.postMessage(e.data, '*'); ++} ++ ++var ifr = document.getElementById('frame'); ++ ++if (location.search == '?nested') { ++ var url = new URL(location); ++ url.search = ""; ++ ifr.src = url.href; ++} else if (location.search == '?popup') { ++ var url = new URL(location); ++ url.search = "?opener"; ++ ++ ifr.srcdoc = "<html><script>" + ++ "window.open('" + url.href + "', 'foobar');" + ++ "onmessage = function(e) { " + ++ " parent.postMessage(e.data, '*'); " + ++ "}" + ++ "</scr" + "ipt></html>"; ++} else if (location.search == '?opener') { ++ try{ ++ var socket = new WebSocket('ws://mochi.test:8888/tests/dom/base/test/file_websocket_basic'); ++ socket.onerror = function(e) { ++ opener.postMessage('WS onerror', '*'); ++ close(); ++ }; ++ socket.onopen = function(event) { ++ opener.postMessage('WS onopen', '*'); ++ close(); ++ }; ++ } catch(e) { ++ if (e.name == 'SecurityError') { ++ opener.postMessage('WS Throws!', '*'); ++ } else { ++ opener.postMessage('WS Throws something else!', '*'); ++ } ++ close(); ++ } ++} else { ++ ifr.srcdoc = ` ++ <html><script> ++ try{ ++ var socket = new WebSocket('ws://mochi.test:8888/tests/dom/base/test/file_websocket_basic'); ++ socket.onerror = function(e) { ++ parent.postMessage('WS onerror', '*'); ++ }; ++ socket.onopen = function(event) { ++ parent.postMessage('WS onopen', '*'); ++ }; ++ } catch(e) { ++ if (e.name == 'SecurityError') { ++ parent.postMessage('WS Throws!', '*'); ++ } else { ++ parent.postMessage('WS Throws something else!', '*'); ++ } ++ } ++ </scr`+`ipt> ++ </html>`; ++} ++</script> 
++</body></html> +diff --git dom/base/test/mochitest.ini dom/base/test/mochitest.ini +index 670dd5ae0a06..5d59fe1ea7b8 100644 +--- dom/base/test/mochitest.ini ++++ dom/base/test/mochitest.ini +@@ -804,6 +804,9 @@ skip-if = toolkit == 'android' + skip-if = toolkit == 'android' + [test_websocket_permessage_deflate.html] + skip-if = toolkit == 'android' ++[test_webSocket_sandbox.html] ++skip-if = toolkit == 'android' ++support-files = iframe_webSocket_sandbox.html + [test_websocket1.html] + skip-if = toolkit == 'android' + [test_websocket2.html] +diff --git dom/base/test/test_webSocket_sandbox.html dom/base/test/test_webSocket_sandbox.html +new file mode 100644 +index 000000000000..b343fa784f39 +--- /dev/null ++++ dom/base/test/test_webSocket_sandbox.html +@@ -0,0 +1,34 @@ ++<!DOCTYPE HTML> ++<html> ++<head> ++ <title>Bug 1252751</title> ++ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> ++ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> ++</head> ++<body> ++<div id="container"></div> ++<iframe id="frame"></iframe> ++<script type="application/javascript;version=1.8"> ++var urls = [ "https://example.com/tests/dom/base/test/iframe_webSocket_sandbox.html", ++ "https://example.com/tests/dom/base/test/iframe_webSocket_sandbox.html?nested", ++ "https://example.com/tests/dom/base/test/iframe_webSocket_sandbox.html?popup" ]; ++ ++onmessage = function(e) { ++ is(e.data, "WS Throws!", "ws://URI cannot be used by a https iframe"); ++ runTest(); ++} ++ ++function runTest() { ++ if (!urls.length) { ++ SimpleTest.finish(); ++ return; ++ } ++ ++ document.getElementById("frame").src = urls.shift(); ++} ++ ++SimpleTest.waitForExplicitFinish(); ++runTest(); ++</script> ++</body> ++</html> diff --git a/www/firefox/files/patch-bug1406398 b/www/firefox/files/patch-bug1406398 new file mode 100644 index 000000000000..356c2bde3746 --- /dev/null +++ b/www/firefox/files/patch-bug1406398 
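Review bot: In `WebSocketImpl::Init` the branch that used to fail closed with `return NS_ERROR_DOM_SECURITY_ERR;` when no inner window can be obtained from `globalObject` now only `break`s out of the loop, so whatever check follows runs with the principal as it stood at that point. The added comment explains the XPConnect sandbox and JS component case, but the code after the loop is outside the hunk, so it is not visible how a null or null-principal value is handled there. Please extend the comment to say which principal the subsequent check sees in that case and why that is acceptable. The new mochitest only drives https pages (plain, nested, popup) and does not exercise the path this relaxes. Separately, test_webSocket_sandbox.html is titled `Bug 1252751`, while the commit is for bug 1404910.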
@@ -0,0 +1,36 @@
+commit c79dd79bdb5c
+Author: André Bargull <andre.bargull@gmail.com>
+Date: Thu Oct 12 09:20:07 2017 -0700
+
+ Bug 1406398 - Avoid rooting the object twice in EnumerableOwnProperties. r=jandem, a=lizzard
+
+ --HG--
+ extra : source : c2cecb6d6f9bb85f258a66cf8e94c1860adde7e5
+---
+ js/src/builtin/Object.cpp | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git js/src/builtin/Object.cpp js/src/builtin/Object.cpp
+index dff377a1cd97..ff4dd029cb52 100644
+--- js/src/builtin/Object.cpp
++++ js/src/builtin/Object.cpp
+@@ -1246,9 +1246,6 @@ EnumerableOwnProperties(JSContext* cx, const JS::CallArgs& args, EnumerableOwnPr
+ RootedId id(cx);
+ RootedValue key(cx);
+ RootedValue value(cx);
+- RootedNativeObject nobj(cx);
+- if (obj->is<NativeObject>())
+- nobj = &obj->as<NativeObject>();
+ RootedShape shape(cx);
+ Rooted<PropertyDescriptor> desc(cx);
+ // Step 4.
+@@ -1265,7 +1262,8 @@ EnumerableOwnProperties(JSContext* cx, const JS::CallArgs& args, EnumerableOwnPr
+ }
+
+ // Step 4.a.i.
+- if (nobj) {
++ if (obj->is<NativeObject>()) {
++ HandleNativeObject nobj = obj.as<NativeObject>();
+ if (JSID_IS_INT(id) && nobj->containsDenseElement(JSID_TO_INT(id))) {
+ value = nobj->getDenseOrTypedArrayElement(JSID_TO_INT(id));
+ } else {
diff --git a/www/firefox/files/patch-bug1406750 b/www/firefox/files/patch-bug1406750
new file mode 100644
index 000000000000..0235d6d7c907
--- /dev/null
+++ b/www/firefox/files/patch-bug1406750
@@ -0,0 +1,47 @@
+commit f2e38d27a7e3
+Author: Emilio Cobos Álvarez <emilio@crisal.io>
+Date: Tue Oct 24 17:44:12 2017 -0400
+
+ Bug 1406750 - Use GetStyleContextNoFlush in UpdateCurrentStyleSources, and avoid flushing mPresShell twice. r=bz, a=abillings
+
+ MozReview-Commit-ID: Nfu9FZcIzQ
+
+ --HG--
+ extra : source : c73db1c3b6e78a5fad216ca7cc7e4ce312c30a98
+ extra : amend_source : 9b31fa281368a9dc39a4a949cb85ae2f354a4308
+---
+ layout/style/nsComputedDOMStyle.cpp | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git layout/style/nsComputedDOMStyle.cpp layout/style/nsComputedDOMStyle.cpp
+index 062e00ffebc5..1aa07e691d4a 100644
+--- layout/style/nsComputedDOMStyle.cpp
++++ layout/style/nsComputedDOMStyle.cpp
+@@ -832,6 +832,11 @@ nsComputedDOMStyle::UpdateCurrentStyleSources(bool aNeedsLayoutFlush)
+ return;
+ }
+
++ nsCOMPtr<nsIPresShell> presShellForContent = GetPresShellForContent(mContent);
++ if (presShellForContent && presShellForContent != mPresShell) {
++ presShellForContent->FlushPendingNotifications(FlushType::Style);
++ }
++
+ // We need to use GetUndisplayedRestyleGeneration instead of
+ // GetRestyleGeneration, because the caching of mStyleContext is an
+ // optimization that is useful only for displayed elements.
+@@ -922,10 +927,11 @@ nsComputedDOMStyle::UpdateCurrentStyleSources(bool aNeedsLayoutFlush)
+ #endif
+ // Need to resolve a style context
+ RefPtr<nsStyleContext> resolvedStyleContext =
+- nsComputedDOMStyle::GetStyleContext(mContent->AsElement(),
+- mPseudo,
+- mPresShell,
+- mStyleType);
++ nsComputedDOMStyle::GetStyleContextNoFlush(
++ mContent->AsElement(),
++ mPseudo,
++ presShellForContent ? presShellForContent.get() : mPresShell,
++ mStyleType);
+ if (!resolvedStyleContext) {
+ ClearStyleContext();
+ return;
diff --git a/www/firefox/files/patch-bug1407375 b/www/firefox/files/patch-bug1407375
new file mode 100644
index 000000000000..6768dc9bc072
--- /dev/null
+++ b/www/firefox/files/patch-bug1407375
@@ -0,0 +1,28 @@
+commit b2d46387afc9
+Author: Boris Zbarsky <bzbarsky@mit.edu>
+Date: Wed Oct 11 22:19:06 2017 -0400
+
+ Bug 1407375 - Make sure to call NodeInfoChanged whenever we change the nodeinfo on a node. r=peterv, a=ritu
+
+ MozReview-Commit-ID: 71k1jv8thFA
+
+ --HG--
+ extra : source : 51ff2d13e50c1e8f7731e4c7243064bb96d2e4d0
+---
+ dom/base/nsNodeUtils.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git dom/base/nsNodeUtils.cpp dom/base/nsNodeUtils.cpp
+index 64ab9e852966..dd958aa443ce 100644
+--- dom/base/nsNodeUtils.cpp
++++ dom/base/nsNodeUtils.cpp
+@@ -593,6 +593,9 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, bool aClone, bool aDeep,
+ aNode->OwnerDoc()->UnregisterActivityObserver(aNode->AsElement());
+ }
+ aNode->mNodeInfo.swap(newNodeInfo);
++ if (elem) {
++ elem->NodeInfoChanged(newDoc);
++ }
+ if (wasRegistered) {
+ aNode->OwnerDoc()->RegisterActivityObserver(aNode->AsElement());
+ }
diff --git a/www/firefox/files/patch-bug1407740 b/www/firefox/files/patch-bug1407740
new file mode 100644
index 000000000000..11f575fa40e2
--- /dev/null
+++ b/www/firefox/files/patch-bug1407740
@@ -0,0 +1,26 @@
+commit a8fee72c6fc1
+Author: Andrew McCreight <continuation@gmail.com>
+Date: Fri Oct 20 16:11:26 2017 -0400
+
+ Bug 1407740 - Fix a crash by setting a flag to true. r=bz, a=lizzard
+
+ --HG--
+ extra : source : 23d3b458f69c56b0f3b2b8faa1453f79e32ce70c
+---
+ docshell/base/nsDocShell.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git docshell/base/nsDocShell.cpp docshell/base/nsDocShell.cpp
+index 6748a2722e5a..f7dc1508a74d 100644
+--- docshell/base/nsDocShell.cpp
++++ docshell/base/nsDocShell.cpp
+@@ -881,6 +881,9 @@ nsDocShell::~nsDocShell()
+ {
+ MOZ_ASSERT(!mObserved);
+
++ // Avoid notifying observers while we're in the dtor.
++ mIsBeingDestroyed = true;
++
+ Destroy();
+
+ nsCOMPtr<nsISHistoryInternal> shPrivate(do_QueryInterface(mSessionHistory));
diff --git a/www/firefox/files/patch-bug1407751 b/www/firefox/files/patch-bug1407751
new file mode 100644
index 000000000000..c2137f510e1d
--- /dev/null
+++ b/www/firefox/files/patch-bug1407751
@@ -0,0 +1,35 @@
+commit 390b56f13f00
+Author: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Fri Oct 13 07:11:40 2017 +0200
+
+ Bug 1407751 - DefineOSFileConstants should return false if OSFileConstants service is not initialized. r=froydnj, a=ritu
+
+ --HG--
+ extra : source : 2f76e40db328035331dd6aa79d0e5fbf04db7c96
+---
+ dom/system/OSFileConstants.cpp | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git dom/system/OSFileConstants.cpp dom/system/OSFileConstants.cpp
+index edafe9f1c560..3cd77f6c3c12 100644
+--- dom/system/OSFileConstants.cpp
++++ dom/system/OSFileConstants.cpp
+@@ -346,6 +346,7 @@ void CleanupOSFileConstants()
+
+ gInitialized = false;
+ delete gPaths;
++ gPaths = nullptr;
+ }
+
+
+@@ -874,9 +875,7 @@ bool SetStringProperty(JSContext *cx, JS::Handle<JSObject*> aObject, const char
+ */
+ bool DefineOSFileConstants(JSContext *cx, JS::Handle<JSObject*> global)
+ {
+- MOZ_ASSERT(gInitialized);
+-
+- if (gPaths == nullptr) {
++ if (!gInitialized || gPaths == nullptr) {
+ // If an initialization error was ignored, we may end up with
+ // |gInitialized == true| but |gPaths == nullptr|. We cannot
+ // |MOZ_ASSERT| this, as this would kill precompile_cache.js,
diff --git a/www/firefox/files/patch-bug1408005 b/www/firefox/files/patch-bug1408005
new file mode 100644
index 000000000000..fafa9861305d
--- /dev/null
+++ b/www/firefox/files/patch-bug1408005
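Review bot: In patch-bug1407751, the comment kept under the new `if (!gInitialized || gPaths == nullptr)` in DefineOSFileConstants still explains only the case of `gInitialized == true` with `gPaths == nullptr`, so the newly added `!gInitialized` branch is undocumented. I would extend it with a line such as `// Also bail out if the service was never initialized or has already been cleaned up.`, which matches what CleanupOSFileConstants now leaves behind (`gInitialized = false` and `gPaths = nullptr`). The function body continues outside the hunk, so the value returned on this path is known only from the commit title.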
@@ -0,0 +1,25 @@
+commit 988e61cc6282
+Author: Andrew McCreight <continuation@gmail.com>
+Date: Mon Oct 23 10:18:42 2017 -0400
+
+ Bug 1408005 - Clear gApplicationReputationService in the dtor. r=francois, a=abillings
+
+ --HG--
+ extra : source : 1613834d8d1145200886a039f733b1e066c63cbd
+---
+ toolkit/components/downloads/ApplicationReputation.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git toolkit/components/downloads/ApplicationReputation.cpp toolkit/components/downloads/ApplicationReputation.cpp
+index b19841d8235d..18bc3b71728d 100644
+--- toolkit/components/downloads/ApplicationReputation.cpp
++++ toolkit/components/downloads/ApplicationReputation.cpp
+@@ -1576,6 +1576,8 @@ ApplicationReputationService::ApplicationReputationService()
+
+ ApplicationReputationService::~ApplicationReputationService() {
+ LOG(("Application reputation service shutting down"));
++ MOZ_ASSERT(gApplicationReputationService == this);
++ gApplicationReputationService = nullptr;
+ }
+
+ NS_IMETHODIMP
diff --git a/www/firefox/files/patch-bug1408412 b/www/firefox/files/patch-bug1408412
new file mode 100644
index 000000000000..52ced3d9ec0d
--- /dev/null
+++ b/www/firefox/files/patch-bug1408412
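Review bot: In patch-bug1408005, the added `MOZ_ASSERT(gApplicationReputationService == this);` is presumably compiled out of release builds, so the destructor there resets the global unconditionally, even if it ever points at a different instance. Making the reset conditional, `if (gApplicationReputationService == this) { gApplicationReputationService = nullptr; }`, keeps the assertion for debug builds and leaves another live instance's pointer alone otherwise. Whether two instances can coexist is not visible from this hunk, so this is a robustness suggestion rather than a confirmed defect.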
@@ -0,0 +1,37 @@
+commit 81f184512a09
+Author: Jan de Mooij <jdemooij@mozilla.com>
+Date: Wed Oct 25 11:30:17 2017 +0200
+
+ Bug 1408412 - Use ARGS_LENGTH_MAX as upper bound in MArgumentsLength::computeRange. r=nbp, a=lizzard
+
+ --HG--
+ extra : source : aaf54dce048a85806833529a5d53ecc46156ef47
+---
+ js/src/jit/RangeAnalysis.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git js/src/jit/RangeAnalysis.cpp js/src/jit/RangeAnalysis.cpp
+index a3daefa848a7..19715ccc250a 100644
+--- js/src/jit/RangeAnalysis.cpp
++++ js/src/jit/RangeAnalysis.cpp
+@@ -15,6 +15,7 @@
+ #include "jit/MIRGenerator.h"
+ #include "jit/MIRGraph.h"
+ #include "js/Conversions.h"
++#include "vm/ArgumentsObject.h"
+ #include "vm/TypedArrayObject.h"
+
+ #include "jsopcodeinlines.h"
+@@ -1845,9 +1846,9 @@ MArgumentsLength::computeRange(TempAllocator& alloc)
+ {
+ // This is is a conservative upper bound on what |TooManyActualArguments|
+ // checks. If exceeded, Ion will not be entered in the first place.
+- MOZ_ASSERT(JitOptions.maxStackArgs <= UINT32_MAX,
+- "NewUInt32Range requires a uint32 value");
+- setRange(Range::NewUInt32Range(alloc, 0, JitOptions.maxStackArgs));
++ static_assert(ARGS_LENGTH_MAX <= UINT32_MAX,
++ "NewUInt32Range requires a uint32 value");
++ setRange(Range::NewUInt32Range(alloc, 0, ARGS_LENGTH_MAX));
+ }
+
+ void
diff --git a/www/firefox/files/patch-bug1408990 b/www/firefox/files/patch-bug1408990
new file mode 100644
index 000000000000..9c089b728499
--- /dev/null
+++ b/www/firefox/files/patch-bug1408990
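Review bot: In patch-bug1408412, the context comment above the new `static_assert` in MArgumentsLength::computeRange still explains the bound only through |TooManyActualArguments| and entry into Ion, wording that was written for `JitOptions.maxStackArgs` and never mentions `ARGS_LENGTH_MAX`. A range that is too narrow would presumably let later passes rely on a bound that does not hold, so the comment should say why the compile-time constant is the safe limit, for example `// ARGS_LENGTH_MAX bounds arguments.length regardless of JIT options.` (to be confirmed against vm/ArgumentsObject.h). The doubled word in "This is is" can be fixed in the same edit.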
@@ -0,0 +1,34 @@
+commit 53a3958e0a76
+Author: Valentin Gosu <valentin.gosu@gmail.com>
+Date: Sat Oct 28 00:15:01 2017 +0200
+
+ Bug 1408990 - Only add the entry to the performance object if the loading document's principal is the same as the triggering principal. r=bz, r=dragana, a=lizzard
+
+ MozReview-Commit-ID: 7o8XKHioP1p
+
+ --HG--
+ extra : rebase_source : 33d4044b4901cee460cc69a0bae1fe0e84dab2aa
+ extra : source : ff9e841ff8544053f184d2e425500d5dd13ee14d
+---
+ netwerk/protocol/http/HttpBaseChannel.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git netwerk/protocol/http/HttpBaseChannel.cpp netwerk/protocol/http/HttpBaseChannel.cpp
+index 8a5c4d8d9f45..16e59241e2fc 100644
+--- netwerk/protocol/http/HttpBaseChannel.cpp
++++ netwerk/protocol/http/HttpBaseChannel.cpp
+@@ -4088,6 +4088,14 @@ HttpBaseChannel::GetPerformance()
+ return nullptr;
+ }
+
++ // We only add to the document's performance object if it has the same
++ // principal as the one triggering the load. This is to prevent navigations
++ // triggered _by_ the iframe from showing up in the parent document's
++ // performance entries if they have different origins.
++ if (!mLoadInfo->TriggeringPrincipal()->Equals(loadingDocument->NodePrincipal())) {
++ return nullptr;
++ }
++
+ nsCOMPtr<nsPIDOMWindowInner> innerWindow = loadingDocument->GetInnerWindow();
+ if (!innerWindow) {
+ return nullptr;
diff --git a/www/firefox/files/patch-bug1411458 b/www/firefox/files/patch-bug1411458
new file mode 100644
index 000000000000..8caf1f602279
--- /dev/null
+++ b/www/firefox/files/patch-bug1411458
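Review bot: In patch-bug1408990, the added condition in HttpBaseChannel::GetPerformance dereferences both `mLoadInfo` and the result of `TriggeringPrincipal()` with no null check visible in the hunk. If the part of the function above the hunk does not already guarantee both, the guard should fail closed: `nsIPrincipal* triggering = mLoadInfo ? mLoadInfo->TriggeringPrincipal() : nullptr;` followed by `if (!triggering || !triggering->Equals(loadingDocument->NodePrincipal())) { return nullptr; }`. Returning nullptr when a principal is missing keeps the entry out of the parent document's performance timeline, which is the isolation the new comment describes.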
@@ -0,0 +1,44 @@
+commit da2637dd8a23
+Author: David Keeler <dkeeler@mozilla.com>
+Date: Wed Oct 25 09:54:13 2017 -0700
+
+ Bug 1411458 - Confirm we actually have a PKCS#7 signedData content info. r=jcj, a=ritu
+
+ MozReview-Commit-ID: GKfL1C0EPWt
+
+ --HG--
+ extra : source : 22a772cfa62ae6908751b1cdd98a9234f2ea6105
+---
+ security/manager/ssl/nsDataSignatureVerifier.cpp | 6 ++++++
+ security/nss.symbols | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git security/manager/ssl/nsDataSignatureVerifier.cpp security/manager/ssl/nsDataSignatureVerifier.cpp
+index f78740365e1a..2527431dd9ae 100644
+--- security/manager/ssl/nsDataSignatureVerifier.cpp
++++ security/manager/ssl/nsDataSignatureVerifier.cpp
+@@ -170,6 +170,12 @@ VerifyCMSDetachedSignatureIncludingCertificate(
+ return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
+ }
+
++ // We're expecting this to be a PKCS#7 signedData content info.
++ if (NSS_CMSContentInfo_GetContentTypeTag(cinfo)
++ != SEC_OID_PKCS7_SIGNED_DATA) {
++ return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
++ }
++
+ // signedData is non-owning
+ NSSCMSSignedData* signedData =
+ static_cast<NSSCMSSignedData*>(NSS_CMSContentInfo_GetContent(cinfo));
+diff --git security/nss.symbols security/nss.symbols
+index 626fc64d96f9..517a577a8de4 100644
+--- security/nss.symbols
++++ security/nss.symbols
+@@ -181,6 +181,7 @@ HASH_ResultLenByOidTag
+ HASH_Update
+ NSSBase64_EncodeItem_Util
+ NSS_CMSContentInfo_GetContent
++NSS_CMSContentInfo_GetContentTypeTag
+ NSS_CMSContentInfo_SetContent_Data
+ NSS_CMSContentInfo_SetContent_EnvelopedData
+ NSS_CMSContentInfo_SetContent_SignedData
diff --git a/www/firefox/files/patch-bug1412252 b/www/firefox/files/patch-bug1412252
new file mode 100644
index 000000000000..9e89513a47cc
--- /dev/null
+++ b/www/firefox/files/patch-bug1412252
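Review bot: In patch-bug1411458, the new comment in VerifyCMSDetachedSignatureIncludingCertificate says what is expected but not why it matters: three lines further down, the result of `NSS_CMSContentInfo_GetContent(cinfo)` is `static_cast` to `NSSCMSSignedData*`, which is only valid when the content type tag is signedData. I would word the comment as `// GetContent() returns an untyped pointer; only treat it as NSSCMSSignedData when the type tag says signedData.` so the link between the check and the cast survives later refactoring. The check also reuses `NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO`, so a message of the wrong content type is indistinguishable from a missing content info for callers and logs; a distinct error code, if one is available, would help triage.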
@@ -0,0 +1,42 @@
+commit 4bb201af8ede
+Author: Emilio Cobos Álvarez <emilio@crisal.io>
+Date: Sun Oct 29 17:39:20 2017 -0400
+
+ Bug 1412252 - Only fetch mPresShell after flushing the relevant content pres shell. r=bz, a=ritu
+
+ MozReview-Commit-ID: BkcYtu2MsNs
+
+ --HG--
+ extra : rebase_source : aaf4e69af1cfb4e6becd491f3f4a6e4924cb307a
+ extra : source : 044406030675adf7dfdb0317fca3852fa1ea3ff7
+---
+ layout/style/nsComputedDOMStyle.cpp | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git layout/style/nsComputedDOMStyle.cpp layout/style/nsComputedDOMStyle.cpp
+index 1aa07e691d4a..1eb9fbebdc8d 100644
+--- layout/style/nsComputedDOMStyle.cpp
++++ layout/style/nsComputedDOMStyle.cpp
+@@ -826,17 +826,17 @@ nsComputedDOMStyle::UpdateCurrentStyleSources(bool aNeedsLayoutFlush)
+ mFlushedPendingReflows = aNeedsLayoutFlush;
+ #endif
+
++ nsCOMPtr<nsIPresShell> presShellForContent = GetPresShellForContent(mContent);
++ if (presShellForContent && presShellForContent != document->GetShell()) {
++ presShellForContent->FlushPendingNotifications(FlushType::Style);
++ }
++
+ mPresShell = document->GetShell();
+ if (!mPresShell || !mPresShell->GetPresContext()) {
+ ClearStyleContext();
+ return;
+ }
+
+- nsCOMPtr<nsIPresShell> presShellForContent = GetPresShellForContent(mContent);
+- if (presShellForContent && presShellForContent != mPresShell) {
+- presShellForContent->FlushPendingNotifications(FlushType::Style);
+- }
+-
+ // We need to use GetUndisplayedRestyleGeneration instead of
+ // GetRestyleGeneration, because the caching of mStyleContext is an
+ // optimization that is useful only for displayed elements. |