From 5015907e62ca5cfb713f79781215e1d5d3ccc825 Mon Sep 17 00:00:00 2001
From: Roy Tam <roytam@gmail.com>
Date: Sun, 22 Jul 2018 23:06:10 +0800
Subject: [PATCH] cherry-picked upstream changes: bug841547, bug884920,
 bug881102, bug864099, bug872331, bug885800, bug884053, bug885959, bug885169,
 bug883570, bug875912, bug885176, bug857076, bug759257

---
 content/html/document/src/ImageDocument.cpp   |  4 +-
 content/svg/content/src/SVGAnimatedLength.cpp |  1 -
 content/svg/content/src/SVGAnimatedLength.h   |  9 +---
 .../svg/content/src/SVGTextContentElement.cpp |  1 -
 content/svg/content/src/nsSVGLength2.cpp      |  8 ---
 content/svg/content/src/nsSVGLength2.h        |  4 --
 dom/interfaces/svg/moz.build                  |  1 -
 .../svg/nsIDOMSVGAnimatedLength.idl           | 16 ------
 image/src/SVGDocumentWrapper.cpp              |  7 +--
 js/src/builtin/TestingFunctions.cpp           | 15 +++---
 js/src/frontend/Parser.cpp                    | 23 ++++-----
 js/src/frontend/SharedContext.h               |  2 +-
 js/src/frontend/TokenStream.cpp               | 14 +-----
 js/src/frontend/TokenStream.h                 |  2 -
 js/src/jit-test/tests/basic/bug864099.js      | 13 +++++
 js/src/jit-test/tests/basic/bug884920.js      |  7 +++
 js/src/jit-test/tests/ion/bug872331.js        | 10 ++++
 js/src/jit/IonAnalysis.cpp                    |  6 ++-
 js/src/jit/IonFrames.cpp                      |  4 +-
 js/src/jit/IonMacroAssembler.cpp              | 17 ++++---
 js/src/jit/MIR.cpp                            | 19 +++++--
 js/src/jit/MIR.h                              |  4 ++
 js/src/jit/MIRGraph.cpp                       | 25 ++++++++++
 js/src/jit/MIRGraph.h                         |  4 ++
 js/src/jit/RegisterSets.h                     | 49 ++++++++++++++++++-
 js/src/jit/Safepoints.cpp                     |  2 +-
 js/src/jit/TypePolicy.cpp                     |  5 +-
 js/src/jit/ValueNumbering.cpp                 |  3 +-
 js/src/jit/arm/MacroAssembler-arm.h           |  2 +-
 js/src/jsarray.cpp                            | 12 ++++-
 js/src/jsfriendapi.h                          |  4 +-
 js/src/jsiter.cpp                             |  6 ++-
 js/src/jsobj.cpp                              | 10 +++-
 js/src/jsobjinlines.h                         |  9 ++--
 js/src/vm/ArgumentsObject.cpp                 |  6 ++-
 js/xpconnect/src/XPCComponents.cpp            |  5 +-
 js/xpconnect/tests/unit/test_bug885800.js     | 13 +++++
 js/xpconnect/tests/unit/xpcshell.ini          |  1 +
 netwerk/protocol/http/PHttpChannelParams.h    |  7 ---
 netwerk/protocol/http/nsHttpChannel.cpp       |  4 +-
 netwerk/protocol/http/nsHttpHeaderArray.h     | 32 +-----------
 netwerk/protocol/http/nsHttpRequestHead.h     |  2 +-
 netwerk/protocol/http/nsHttpResponseHead.h    |  6 +--
 .../manager/ssl/src/PSMContentListener.cpp    |  3 +-
 .../ssl/src/SSLServerCertVerification.cpp     |  3 +-
 security/manager/ssl/src/nsCMS.cpp            |  1 +
 security/manager/ssl/src/nsKeygenThread.cpp   |  3 +-
 security/manager/ssl/src/nsNSSIOLayer.cpp     |  4 +-
 security/manager/ssl/src/nsPKCS12Blob.cpp     |  2 +-
 .../manager/ssl/src/nsProtectedAuthThread.cpp |  3 +-
 50 files changed, 248 insertions(+), 165 deletions(-)
 delete mode 100644 dom/interfaces/svg/nsIDOMSVGAnimatedLength.idl
 create mode 100644 js/src/jit-test/tests/basic/bug864099.js
 create mode 100644 js/src/jit-test/tests/basic/bug884920.js
 create mode 100644 js/src/jit-test/tests/ion/bug872331.js
 create mode 100644 js/xpconnect/tests/unit/test_bug885800.js

diff --git a/content/html/document/src/ImageDocument.cpp b/content/html/document/src/ImageDocument.cpp
index b22b61c4e..6fac4d2d0 100644
--- a/content/html/document/src/ImageDocument.cpp
+++ b/content/html/document/src/ImageDocument.cpp
@@ -455,7 +455,7 @@ ImageDocument::Notify(imgIRequest* aRequest, int32_t aType, const nsIntRect* aDa
   nsDOMTokenList* classList = mImageContent->AsElement()->GetClassList();
   mozilla::ErrorResult rv;
   if (aType == imgINotificationObserver::DECODE_COMPLETE) {
-    if (mImageContent) {
+    if (mImageContent && !nsContentUtils::IsChildOfSameType(this)) {
       // Update the background-color of the image only after the
       // image has been decoded to prevent flashes of just the
       // background-color.
@@ -466,7 +466,7 @@ ImageDocument::Notify(imgIRequest* aRequest, int32_t aType, const nsIntRect* aDa
 
   if (aType == imgINotificationObserver::DISCARD) {
     // mImageContent can be null if the document is already destroyed
-    if (mImageContent) {
+    if (mImageContent && !nsContentUtils::IsChildOfSameType(this)) {
       // Remove any decoded-related styling when the image is unloaded.
       classList->Remove(NS_LITERAL_STRING("decoded"), rv);
       NS_ENSURE_SUCCESS(rv.ErrorCode(), rv.ErrorCode());
diff --git a/content/svg/content/src/SVGAnimatedLength.cpp b/content/svg/content/src/SVGAnimatedLength.cpp
index f1036007b..255786d9e 100644
--- a/content/svg/content/src/SVGAnimatedLength.cpp
+++ b/content/svg/content/src/SVGAnimatedLength.cpp
@@ -18,7 +18,6 @@ NS_IMPL_CYCLE_COLLECTING_RELEASE(SVGAnimatedLength)
 
 NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(SVGAnimatedLength)
   NS_WRAPPERCACHE_INTERFACE_MAP_ENTRY
-  NS_INTERFACE_MAP_ENTRY(nsIDOMSVGAnimatedLength)
   NS_INTERFACE_MAP_ENTRY(nsISupports)
 NS_INTERFACE_MAP_END
 
diff --git a/content/svg/content/src/SVGAnimatedLength.h b/content/svg/content/src/SVGAnimatedLength.h
index 54a92f6e5..b38ff7e4f 100644
--- a/content/svg/content/src/SVGAnimatedLength.h
+++ b/content/svg/content/src/SVGAnimatedLength.h
@@ -8,7 +8,6 @@
 
 #include "mozilla/Attributes.h"
 #include "nsSVGElement.h"
-#include "nsIDOMSVGAnimatedLength.h"
 
 class nsSVGLength2;
 class nsIDOMSVGLength;
@@ -16,7 +15,7 @@ class nsIDOMSVGLength;
 namespace mozilla {
 namespace dom {
 
-class SVGAnimatedLength MOZ_FINAL : public nsIDOMSVGAnimatedLength,
+class SVGAnimatedLength MOZ_FINAL : public nsISupports,
                                     public nsWrapperCache
 {
 public:
@@ -29,12 +28,6 @@ public:
 
   ~SVGAnimatedLength();
 
-  NS_IMETHOD GetBaseVal(nsIDOMSVGLength **aBaseVal) MOZ_OVERRIDE
-    { *aBaseVal = BaseVal().get(); return NS_OK; }
-
-  NS_IMETHOD GetAnimVal(nsIDOMSVGLength **aAnimVal) MOZ_OVERRIDE
-    { *aAnimVal = AnimVal().get(); return NS_OK; }
-
   // WebIDL
   nsSVGElement* GetParentObject() { return mSVGElement; }
   virtual JSObject* WrapObject(JSContext* aCx,
diff --git a/content/svg/content/src/SVGTextContentElement.cpp b/content/svg/content/src/SVGTextContentElement.cpp
index a0a5de1c6..cabedb152 100644
--- a/content/svg/content/src/SVGTextContentElement.cpp
+++ b/content/svg/content/src/SVGTextContentElement.cpp
@@ -7,7 +7,6 @@
 #include "nsISVGPoint.h"
 #include "nsSVGTextContainerFrame.h"
 #include "nsSVGTextFrame2.h"
-#include "nsIDOMSVGAnimatedLength.h"
 #include "mozilla/dom/SVGIRect.h"
 #include "nsIDOMSVGAnimatedEnum.h"
 
diff --git a/content/svg/content/src/nsSVGLength2.cpp b/content/svg/content/src/nsSVGLength2.cpp
index 6e5b3322e..72ae4b49d 100644
--- a/content/svg/content/src/nsSVGLength2.cpp
+++ b/content/svg/content/src/nsSVGLength2.cpp
@@ -471,14 +471,6 @@ nsSVGLength2::SetAnimValue(float aValue, nsSVGElement *aSVGElement)
                                aSVGElement);
 }
 
-nsresult
-nsSVGLength2::ToDOMAnimatedLength(nsIDOMSVGAnimatedLength **aResult,
-                                  nsSVGElement *aSVGElement)
-{
-  *aResult = ToDOMAnimatedLength(aSVGElement).get();
-  return NS_OK;
-}
-
 already_AddRefed<SVGAnimatedLength>
 nsSVGLength2::ToDOMAnimatedLength(nsSVGElement* aSVGElement)
 {
diff --git a/content/svg/content/src/nsSVGLength2.h b/content/svg/content/src/nsSVGLength2.h
index 5c9f182da..4e5ca0103 100644
--- a/content/svg/content/src/nsSVGLength2.h
+++ b/content/svg/content/src/nsSVGLength2.h
@@ -11,7 +11,6 @@
 #include "nsCoord.h"
 #include "nsCycleCollectionParticipant.h"
 #include "nsError.h"
-#include "nsIDOMSVGAnimatedLength.h"
 #include "nsIDOMSVGLength.h"
 #include "nsISMILAttr.h"
 #include "nsMathUtils.h"
@@ -89,9 +88,6 @@ public:
   // useable, and represents the default base value of the attribute.
   bool IsExplicitlySet() const
     { return mIsAnimated || mIsBaseSet; }
-  
-  nsresult ToDOMAnimatedLength(nsIDOMSVGAnimatedLength **aResult,
-                               nsSVGElement* aSVGElement);
 
   already_AddRefed<mozilla::dom::SVGAnimatedLength>
   ToDOMAnimatedLength(nsSVGElement* aSVGElement);
diff --git a/dom/interfaces/svg/moz.build b/dom/interfaces/svg/moz.build
index b3808823e..b41c9da28 100644
--- a/dom/interfaces/svg/moz.build
+++ b/dom/interfaces/svg/moz.build
@@ -7,7 +7,6 @@
 XPIDL_SOURCES += [
     'nsIDOMSVGAnimatedEnum.idl',
     'nsIDOMSVGAnimatedInteger.idl',
-    'nsIDOMSVGAnimatedLength.idl',
     'nsIDOMSVGAnimatedNumber.idl',
     'nsIDOMSVGElement.idl',
     'nsIDOMSVGLength.idl',
diff --git a/dom/interfaces/svg/nsIDOMSVGAnimatedLength.idl b/dom/interfaces/svg/nsIDOMSVGAnimatedLength.idl
deleted file mode 100644
index feddde808..000000000
--- a/dom/interfaces/svg/nsIDOMSVGAnimatedLength.idl
+++ /dev/null
@@ -1,16 +0,0 @@
-/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "domstubs.idl"
-
-interface nsIDOMSVGLength;
-
-[scriptable, uuid(a52f0322-7f4d-418d-af6d-a7b14abd5cdf)]
-interface nsIDOMSVGAnimatedLength : nsISupports
-{
-  readonly attribute nsIDOMSVGLength baseVal;
-  readonly attribute nsIDOMSVGLength animVal;
-};
-
diff --git a/image/src/SVGDocumentWrapper.cpp b/image/src/SVGDocumentWrapper.cpp
index e68b968ee..399ef093f 100644
--- a/image/src/SVGDocumentWrapper.cpp
+++ b/image/src/SVGDocumentWrapper.cpp
@@ -12,7 +12,6 @@
 #include "nsIContentViewer.h"
 #include "nsIDocument.h"
 #include "nsIDocumentLoaderFactory.h"
-#include "nsIDOMSVGAnimatedLength.h"
 #include "nsIDOMSVGLength.h"
 #include "nsIHttpChannel.h"
 #include "nsIObserverService.h"
@@ -86,14 +85,12 @@ SVGDocumentWrapper::GetWidthOrHeight(Dimension aDimension,
   NS_ENSURE_TRUE(domAnimLength, false);
 
   // Get the animated value from the object
-  nsRefPtr<nsIDOMSVGLength> domLength;
-  nsresult rv = domAnimLength->GetAnimVal(getter_AddRefs(domLength));
-  NS_ENSURE_SUCCESS(rv, false);
+  nsRefPtr<nsIDOMSVGLength> domLength = domAnimLength->AnimVal();
   NS_ENSURE_TRUE(domLength, false);
 
   // Check if it's a percent value (and fail if so)
   uint16_t unitType;
-  rv = domLength->GetUnitType(&unitType);
+  nsresult rv = domLength->GetUnitType(&unitType);
   NS_ENSURE_SUCCESS(rv, false);
   if (unitType == nsIDOMSVGLength::SVG_LENGTHTYPE_PERCENTAGE) {
     return false;
diff --git a/js/src/builtin/TestingFunctions.cpp b/js/src/builtin/TestingFunctions.cpp
index ce6d633ec..0a784cae9 100644
--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -907,18 +907,19 @@ js::testingFunc_inParallelSection(JSContext *cx, unsigned argc, jsval *vp)
 
 static JSObject *objectMetadataFunction = NULL;
 
-static JSObject *
-ShellObjectMetadataCallback(JSContext *cx)
+static bool
+ShellObjectMetadataCallback(JSContext *cx, JSObject **pmetadata)
 {
     Value thisv = UndefinedValue();
 
     RootedValue rval(cx);
-    if (!Invoke(cx, thisv, ObjectValue(*objectMetadataFunction), 0, NULL, rval.address())) {
-        cx->clearPendingException();
-        return NULL;
-    }
+    if (!Invoke(cx, thisv, ObjectValue(*objectMetadataFunction), 0, NULL, rval.address()))
+        return false;
 
-    return rval.isObject() ? &rval.toObject() : NULL;
+    if (rval.isObject())
+        *pmetadata = &rval.toObject();
+
+    return true;
 }
 
 static JSBool
diff --git a/js/src/frontend/Parser.cpp b/js/src/frontend/Parser.cpp
index 0d180b70c..bec96b70e 100644
--- a/js/src/frontend/Parser.cpp
+++ b/js/src/frontend/Parser.cpp
@@ -2328,6 +2328,10 @@ typename ParseHandler::Node
 Parser<ParseHandler>::functionStmt()
 {
     JS_ASSERT(tokenStream.currentToken().type == TOK_FUNCTION);
+
+    TokenStream::Position start(keepAtoms);
+    tokenStream.tell(&start);
+
     RootedPropertyName name(context);
     if (tokenStream.getToken(TSF_KEYWORD_IS_NAME) == TOK_NAME) {
         name = tokenStream.currentToken().name();
@@ -2337,9 +2341,6 @@ Parser<ParseHandler>::functionStmt()
         return null();
     }
 
-    TokenStream::Position start(keepAtoms);
-    tokenStream.positionAfterLastFunctionKeyword(start);
-
     /* We forbid function statements in strict mode code. */
     if (!pc->atBodyLevel() && pc->sc->needStrictChecks() &&
         !report(ParseStrictError, pc->sc->strict, null(), JSMSG_STRICT_FUNCTION_STATEMENT))
@@ -2355,7 +2356,7 @@ Parser<ParseHandler>::functionExpr()
     RootedPropertyName name(context);
     JS_ASSERT(tokenStream.currentToken().type == TOK_FUNCTION);
     TokenStream::Position start(keepAtoms);
-    tokenStream.positionAfterLastFunctionKeyword(start);
+    tokenStream.tell(&start);
     if (tokenStream.getToken(TSF_KEYWORD_IS_NAME) == TOK_NAME)
         name = tokenStream.currentToken().name();
     else
@@ -2762,16 +2763,12 @@ Parser<ParseHandler>::bindVarOrConst(JSContext *cx, BindData<ParseHandler> *data
             /*
              * This definition isn't being added to the parse context's
              * declarations, so make sure to indicate the need to deoptimize
-             * the script's arguments object.
+             * the script's arguments object. Mark the function as if it
+             * contained a debugger statement, which will deoptimize arguments
+             * as much as possible.
              */
-            HandlePropertyName arguments = cx->names().arguments;
-            if (name == arguments) {
-                Node pn = parser->newName(arguments);
-                if (!pc->define(parser->context, arguments, pn, Definition::VAR))
-                    return false;
-                funbox->setArgumentsHasLocalBinding();
-                funbox->setDefinitelyNeedsArgsObj();
-            }
+            if (name == cx->names().arguments)
+                funbox->setHasDebuggerStatement();
         }
         return true;
     }
diff --git a/js/src/frontend/SharedContext.h b/js/src/frontend/SharedContext.h
index 61f339989..01ef28ff8 100644
--- a/js/src/frontend/SharedContext.h
+++ b/js/src/frontend/SharedContext.h
@@ -38,7 +38,7 @@ class AnyContextFlags
     //  - direct eval
     //  - function::
     //  - with
-    // since both effectively allow any name to be accessed. Non-exmaples are:
+    // since both effectively allow any name to be accessed. Non-examples are:
     //  - upvars of nested functions
     //  - function statement
     // since the set of assigned name is known dynamically. 'with' could be in
diff --git a/js/src/frontend/TokenStream.cpp b/js/src/frontend/TokenStream.cpp
index 76e50d3c0..833ed9fda 100644
--- a/js/src/frontend/TokenStream.cpp
+++ b/js/src/frontend/TokenStream.cpp
@@ -287,7 +287,6 @@ TokenStream::TokenStream(JSContext *cx, const CompileOptions &options,
     originPrincipals(JSScript::normalizeOriginPrincipals(options.principals,
                                                          options.originPrincipals)),
     strictModeGetter(smg),
-    lastFunctionKeyword(keepAtoms),
     tokenSkip(cx, &tokens),
     linebaseSkip(cx, &linebase),
     prevLinebaseSkip(cx, &prevLinebase)
@@ -578,18 +577,10 @@ TokenStream::seek(const Position &pos, const TokenStream &other)
 {
     if (!srcCoords.fill(other.srcCoords))
         return false;
-    lastFunctionKeyword = other.lastFunctionKeyword;
     seek(pos);
     return true;
 }
 
-void
-TokenStream::positionAfterLastFunctionKeyword(Position &pos)
-{
-    JS_ASSERT(lastFunctionKeyword.buf > userbuf.base());
-    PodAssign(&pos, &lastFunctionKeyword);
-}
-
 bool
 TokenStream::reportStrictModeErrorNumberVA(uint32_t offset, bool strictMode, unsigned errorNumber,
                                            va_list args)
@@ -1177,11 +1168,8 @@ TokenStream::getTokenInternal()
             tt = TOK_NAME;
             if (!checkForKeyword(chars, length, &tt, &tp->t_op))
                 goto error;
-            if (tt != TOK_NAME) {
-                if (tt == TOK_FUNCTION)
-                    tell(&lastFunctionKeyword);
+            if (tt != TOK_NAME)
                 goto out;
-            }
         }
 
         /*
diff --git a/js/src/frontend/TokenStream.h b/js/src/frontend/TokenStream.h
index 57ac1596a..61101db38 100644
--- a/js/src/frontend/TokenStream.h
+++ b/js/src/frontend/TokenStream.h
@@ -660,7 +660,6 @@ class MOZ_STACK_CLASS TokenStream
     void tell(Position *);
     void seek(const Position &pos);
     bool seek(const Position &pos, const TokenStream &other);
-    void positionAfterLastFunctionKeyword(Position &pos);
 
     size_t positionToOffset(const Position &pos) const {
         return pos.buf - userbuf.base();
@@ -920,7 +919,6 @@ class MOZ_STACK_CLASS TokenStream
     JSContext           *const cx;
     JSPrincipals        *const originPrincipals;
     StrictModeGetter    *strictModeGetter; /* used to test for strict mode */
-    Position            lastFunctionKeyword; /* used as a starting point for reparsing strict functions */
 
     /*
      * The tokens array stores pointers to JSAtoms. These are rooted by the
diff --git a/js/src/jit-test/tests/basic/bug864099.js b/js/src/jit-test/tests/basic/bug864099.js
new file mode 100644
index 000000000..b60eacc1e
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug864099.js
@@ -0,0 +1,13 @@
+
+a = (function() {
+    with({}) var x, arguments, arguments
+})()
+
+b = (function() {
+    with({}) {
+        var x = Math, arguments
+        ({
+            get: (1 for (x in [])),
+        })
+    }
+})()
diff --git a/js/src/jit-test/tests/basic/bug884920.js b/js/src/jit-test/tests/basic/bug884920.js
new file mode 100644
index 000000000..7f5737d30
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug884920.js
@@ -0,0 +1,7 @@
+// |jit-test| error:SyntaxError
+
+function testcase({}, a = b, ... x)  {
+  "use strict";
+  function f() { };
+  with ( f(3) );
+}
diff --git a/js/src/jit-test/tests/ion/bug872331.js b/js/src/jit-test/tests/ion/bug872331.js
new file mode 100644
index 000000000..fe32ea222
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug872331.js
@@ -0,0 +1,10 @@
+
+function d(t) {
+  if (t >= undefined) {}
+}
+function s() {
+  d(null);
+}
+d(3);
+s();
+s();
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
index d68a863e4..431ca347e 100644
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -787,8 +787,9 @@ jit::BuildDominatorTree(MIRGraph &graph)
         block->setDomIndex(index);
 
         if (!worklist.append(block->immediatelyDominatedBlocksBegin(),
-                             block->immediatelyDominatedBlocksEnd()))
+                             block->immediatelyDominatedBlocksEnd())) {
             return false;
+        }
         index++;
     }
 
@@ -1358,8 +1359,9 @@ jit::EliminateRedundantChecks(MIRGraph &graph)
 
         // Add all immediate dominators to the front of the worklist.
         if (!worklist.append(block->immediatelyDominatedBlocksBegin(),
-                             block->immediatelyDominatedBlocksEnd()))
+                             block->immediatelyDominatedBlocksEnd())) {
             return false;
+        }
 
         for (MDefinitionIterator iter(block); iter; ) {
             bool eliminated = false;
diff --git a/js/src/jit/IonFrames.cpp b/js/src/jit/IonFrames.cpp
index 6cdd7861a..f3b41cca9 100644
--- a/js/src/jit/IonFrames.cpp
+++ b/js/src/jit/IonFrames.cpp
@@ -296,7 +296,7 @@ IonFrameIterator::machineState() const
     // are unable to restore any FPUs registers from an OOL VM call.  This can
     // cause some trouble for f.arguments.
     MachineState machine;
-    for (GeneralRegisterIterator iter(reader.allSpills()); iter.more(); iter++)
+    for (GeneralRegisterBackwardIterator iter(reader.allSpills()); iter.more(); iter++)
         machine.setRegisterLocation(*iter, --spill);
 
     return machine;
@@ -726,7 +726,7 @@ MarkIonJSFrame(JSTracer *trc, const IonFrameIterator &frame)
     uintptr_t *spill = frame.spillBase();
     GeneralRegisterSet gcRegs = safepoint.gcSpills();
     GeneralRegisterSet valueRegs = safepoint.valueSpills();
-    for (GeneralRegisterIterator iter(safepoint.allSpills()); iter.more(); iter++) {
+    for (GeneralRegisterBackwardIterator iter(safepoint.allSpills()); iter.more(); iter++) {
         --spill;
         if (gcRegs.has(*iter))
             gc::MarkGCThingRoot(trc, reinterpret_cast<void **>(spill), "ion-gc-spill");
diff --git a/js/src/jit/IonMacroAssembler.cpp b/js/src/jit/IonMacroAssembler.cpp
index fe4bd23e1..5517f3b96 100644
--- a/js/src/jit/IonMacroAssembler.cpp
+++ b/js/src/jit/IonMacroAssembler.cpp
@@ -144,7 +144,7 @@ MacroAssembler::PushRegsInMask(RegisterSet set)
     if (set.gprs().size() > 1) {
         adjustFrame(diffG);
         startDataTransferM(IsStore, StackPointer, DB, WriteBack);
-        for (GeneralRegisterIterator iter(set.gprs()); iter.more(); iter++) {
+        for (GeneralRegisterBackwardIterator iter(set.gprs()); iter.more(); iter++) {
             diffG -= STACK_SLOT_SIZE;
             transferReg(*iter);
         }
@@ -153,7 +153,7 @@ MacroAssembler::PushRegsInMask(RegisterSet set)
 #endif
     {
         reserveStack(diffG);
-        for (GeneralRegisterIterator iter(set.gprs()); iter.more(); iter++) {
+        for (GeneralRegisterBackwardIterator iter(set.gprs()); iter.more(); iter++) {
             diffG -= STACK_SLOT_SIZE;
             storePtr(*iter, Address(StackPointer, diffG));
         }
@@ -165,7 +165,7 @@ MacroAssembler::PushRegsInMask(RegisterSet set)
     diffF += transferMultipleByRuns(set.fpus(), IsStore, StackPointer, DB);
 #else
     reserveStack(diffF);
-    for (FloatRegisterIterator iter(set.fpus()); iter.more(); iter++) {
+    for (FloatRegisterBackwardIterator iter(set.fpus()); iter.more(); iter++) {
         diffF -= sizeof(double);
         storeDouble(*iter, Address(StackPointer, diffF));
     }
@@ -190,7 +190,7 @@ MacroAssembler::PopRegsInMaskIgnore(RegisterSet set, RegisterSet ignore)
     } else
 #endif
     {
-        for (FloatRegisterIterator iter(set.fpus()); iter.more(); iter++) {
+        for (FloatRegisterBackwardIterator iter(set.fpus()); iter.more(); iter++) {
             diffF -= sizeof(double);
             if (!ignore.has(*iter))
                 loadDouble(Address(StackPointer, diffF), *iter);
@@ -202,7 +202,7 @@ MacroAssembler::PopRegsInMaskIgnore(RegisterSet set, RegisterSet ignore)
 #ifdef JS_CPU_ARM
     if (set.gprs().size() > 1 && ignore.empty(false)) {
         startDataTransferM(IsLoad, StackPointer, IA, WriteBack);
-        for (GeneralRegisterIterator iter(set.gprs()); iter.more(); iter++) {
+        for (GeneralRegisterBackwardIterator iter(set.gprs()); iter.more(); iter++) {
             diffG -= STACK_SLOT_SIZE;
             transferReg(*iter);
         }
@@ -211,7 +211,7 @@ MacroAssembler::PopRegsInMaskIgnore(RegisterSet set, RegisterSet ignore)
     } else
 #endif
     {
-        for (GeneralRegisterIterator iter(set.gprs()); iter.more(); iter++) {
+        for (GeneralRegisterBackwardIterator iter(set.gprs()); iter.more(); iter++) {
             diffG -= STACK_SLOT_SIZE;
             if (!ignore.has(*iter))
                 loadPtr(Address(StackPointer, diffG), *iter);
@@ -717,7 +717,10 @@ MacroAssembler::performOsr()
     bind(&isFunction);
     {
         // Function - create the callee token, then get the script.
-        orPtr(Imm32(CalleeToken_Function), calleeToken);
+
+        // Skip the or-ing of CalleeToken_Function into calleeToken since it is zero.
+        JS_ASSERT(CalleeToken_Function == 0);
+
         loadPtr(Address(script, JSFunction::offsetOfNativeOrScript()), script);
     }
 
diff --git a/js/src/jit/MIR.cpp b/js/src/jit/MIR.cpp
index d9c5234d4..8da348276 100644
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@@ -242,11 +242,9 @@ void
 MDefinition::printOpcode(FILE *fp)
 {
     PrintOpcodeName(fp, op());
-    fprintf(fp, " ");
     for (size_t j = 0; j < numOperands(); j++) {
+        fprintf(fp, " ");
         getOperand(j)->printName(fp);
-        if (j != numOperands() - 1)
-            fprintf(fp, " ");
     }
 }
 
@@ -457,6 +455,21 @@ MConstant::printOpcode(FILE *fp)
     }
 }
 
+void
+MControlInstruction::printOpcode(FILE *fp)
+{
+    MDefinition::printOpcode(fp);
+    for (size_t j = 0; j < numSuccessors(); j++)
+        fprintf(fp, " block%d", getSuccessor(j)->id());
+}
+
+void
+MCompare::printOpcode(FILE *fp)
+{
+    MDefinition::printOpcode(fp);
+    fprintf(fp, " %s", js_CodeName[jsop()]);
+}
+
 void
 MConstantElements::printOpcode(FILE *fp)
 {
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index 7e673fc79..9043077a6 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -814,6 +814,8 @@ class MControlInstruction : public MInstruction
     bool isControlInstruction() const {
         return true;
     }
+
+    void printOpcode(FILE *fp);
 };
 
 class MTableSwitch
@@ -1907,6 +1909,8 @@ class MCompare
         return AliasSet::None();
     }
 
+    void printOpcode(FILE *fp);
+
   protected:
     bool congruentTo(MDefinition *const &ins) const {
         if (!MBinaryInstruction::congruentTo(ins))
diff --git a/js/src/jit/MIRGraph.cpp b/js/src/jit/MIRGraph.cpp
index 1430906d2..9d50a31dd 100644
--- a/js/src/jit/MIRGraph.cpp
+++ b/js/src/jit/MIRGraph.cpp
@@ -1063,3 +1063,28 @@ MBasicBlock::immediateDominatorBranch(BranchDirection *pdirection)
 
     return NULL;
 }
+
+void
+MIRGraph::dump(FILE *fp)
+{
+#ifdef DEBUG
+    for (MBasicBlockIterator iter(begin()); iter != end(); iter++) {
+        iter->dump(fp);
+    }
+#endif
+}
+
+void
+MBasicBlock::dump(FILE *fp)
+{
+#ifdef DEBUG
+    for (MPhiIterator iter(phisBegin()); iter != phisEnd(); iter++) {
+        iter->printOpcode(fp);
+        fprintf(fp, "\n");
+    }
+    for (MInstructionIterator iter(begin()); iter != end(); iter++) {
+        iter->printOpcode(fp);
+        fprintf(fp, "\n");
+    }
+#endif
+}
diff --git a/js/src/jit/MIRGraph.h b/js/src/jit/MIRGraph.h
index 60c2ef4c7..f696d2823 100644
--- a/js/src/jit/MIRGraph.h
+++ b/js/src/jit/MIRGraph.h
@@ -468,6 +468,8 @@ class MBasicBlock : public TempObject, public InlineListNode<MBasicBlock>
 
     void dumpStack(FILE *fp);
 
+    void dump(FILE *fp);
+
     // Track bailouts by storing the current pc in MIR instruction added at this
     // cycle. This is also used for tracking calls when profiling.
     void updateTrackedPc(jsbytecode *pc) {
@@ -661,6 +663,8 @@ class MIRGraph
     // lazilly insert an MParSlice instruction in the entry block and
     // return the definition.
     MDefinition *parSlice();
+
+    void dump(FILE *fp);
 };
 
 class MDefinitionIterator
diff --git a/js/src/jit/RegisterSets.h b/js/src/jit/RegisterSets.h
index a181b6176..3a88a2dfc 100644
--- a/js/src/jit/RegisterSets.h
+++ b/js/src/jit/RegisterSets.h
@@ -406,6 +406,11 @@ class TypedRegisterSet
         int ireg = js_bitscan_ctz32(bits_);
         return T::FromCode(ireg);
     }
+    T getLast() const {
+        JS_ASSERT(!empty());
+        int ireg = 31 - js_bitscan_clz32(bits_);
+        return T::FromCode(ireg);
+    }
     T takeAny() {
         JS_ASSERT(!empty());
         T reg = getAny();
@@ -439,6 +444,12 @@ class TypedRegisterSet
         take(reg);
         return reg;
     }
+    T takeLast() {
+        JS_ASSERT(!empty());
+        T reg = getLast();
+        take(reg);
+        return reg;
+    }
     void clear() {
         bits_ = 0;
     }
@@ -622,7 +633,9 @@ class RegisterSet {
     }
 };
 
-// iterates backwards, that is, rn to r0
+// iterates in whatever order happens to be convenient.
+// Use TypedRegisterBackwardIterator or TypedRegisterForwardIterator if a
+// specific order is required.
 template <typename T>
 class TypedRegisterIterator
 {
@@ -651,6 +664,36 @@ class TypedRegisterIterator
     }
 };
 
+// iterates backwards, that is, rn to r0
+template <typename T>
+class TypedRegisterBackwardIterator
+{
+    TypedRegisterSet<T> regset_;
+
+  public:
+    TypedRegisterBackwardIterator(TypedRegisterSet<T> regset) : regset_(regset)
+    { }
+    TypedRegisterBackwardIterator(const TypedRegisterBackwardIterator &other)
+      : regset_(other.regset_)
+    { }
+
+    bool more() const {
+        return !regset_.empty();
+    }
+    TypedRegisterBackwardIterator<T> operator ++(int) {
+        TypedRegisterBackwardIterator<T> old(*this);
+        regset_.takeLast();
+        return old;
+    }
+    TypedRegisterBackwardIterator<T>& operator ++() {
+        regset_.getLast();
+        return *this;
+    }
+    T operator *() const {
+        return regset_.getLast();
+    }
+};
+
 // iterates forwards, that is r0 to rn
 template <typename T>
 class TypedRegisterForwardIterator
@@ -667,7 +710,7 @@ class TypedRegisterForwardIterator
         return !regset_.empty();
     }
     TypedRegisterForwardIterator<T> operator ++(int) {
-        TypedRegisterIterator<T> old(*this);
+        TypedRegisterForwardIterator<T> old(*this);
         regset_.takeFirst();
         return old;
     }
@@ -682,6 +725,8 @@ class TypedRegisterForwardIterator
 
 typedef TypedRegisterIterator<Register> GeneralRegisterIterator;
 typedef TypedRegisterIterator<FloatRegister> FloatRegisterIterator;
+typedef TypedRegisterBackwardIterator<Register> GeneralRegisterBackwardIterator;
+typedef TypedRegisterBackwardIterator<FloatRegister> FloatRegisterBackwardIterator;
 typedef TypedRegisterForwardIterator<Register> GeneralRegisterForwardIterator;
 typedef TypedRegisterForwardIterator<FloatRegister> FloatRegisterForwardIterator;
 
diff --git a/js/src/jit/Safepoints.cpp b/js/src/jit/Safepoints.cpp
index f3241e02b..69f805ccb 100644
--- a/js/src/jit/Safepoints.cpp
+++ b/js/src/jit/Safepoints.cpp
@@ -66,7 +66,7 @@ SafepointWriter::writeGcRegs(LSafepoint *safepoint)
 
 #ifdef DEBUG
     if (IonSpewEnabled(IonSpew_Safepoints)) {
-        for (GeneralRegisterIterator iter(spilled); iter.more(); iter++) {
+        for (GeneralRegisterForwardIterator iter(spilled); iter.more(); iter++) {
             const char *type = gc.has(*iter)
                                ? "gc"
                                : valueRegs.has(*iter)
diff --git a/js/src/jit/TypePolicy.cpp b/js/src/jit/TypePolicy.cpp
index eeca71d11..2cc4e3b3a 100644
--- a/js/src/jit/TypePolicy.cpp
+++ b/js/src/jit/TypePolicy.cpp
@@ -191,8 +191,11 @@ ComparePolicy::adjustInputs(MInstruction *def)
                 convert = MToDouble::NonNullNonStringPrimitives;
             else if (compare->compareType() == MCompare::Compare_DoubleMaybeCoerceRHS && i == 1)
                 convert = MToDouble::NonNullNonStringPrimitives;
-            if (convert == MToDouble::NumbersOnly && in->type() == MIRType_Boolean)
+            if (in->type() == MIRType_Null ||
+                (in->type() == MIRType_Boolean && convert == MToDouble::NumbersOnly))
+            {
                 in = boxAt(def, in);
+            }
             replace = MToDouble::New(in, convert);
             break;
           }
diff --git a/js/src/jit/ValueNumbering.cpp b/js/src/jit/ValueNumbering.cpp
index f005ee2bb..44831ffc4 100644
--- a/js/src/jit/ValueNumbering.cpp
+++ b/js/src/jit/ValueNumbering.cpp
@@ -366,8 +366,9 @@ ValueNumberer::eliminateRedundancies()
 
         // Add all immediate dominators to the front of the worklist.
         if (!worklist.append(block->immediatelyDominatedBlocksBegin(),
-                             block->immediatelyDominatedBlocksEnd()))
+                             block->immediatelyDominatedBlocksEnd())) {
             return false;
+        }
 
         // For each instruction, attempt to look up a dominating definition.
         for (MDefinitionIterator iter(block); iter; ) {
diff --git a/js/src/jit/arm/MacroAssembler-arm.h b/js/src/jit/arm/MacroAssembler-arm.h
index 7bc0da0af..0df43646d 100644
--- a/js/src/jit/arm/MacroAssembler-arm.h
+++ b/js/src/jit/arm/MacroAssembler-arm.h
@@ -357,7 +357,7 @@ class MacroAssemblerARM : public Assembler
         }
         if (mode == DB) {
             return transferMultipleByRunsImpl
-                <FloatRegisterIterator>(set, ls, rm, mode, -1);
+                <FloatRegisterBackwardIterator>(set, ls, rm, mode, -1);
         }
         JS_NOT_REACHED("Invalid data transfer addressing mode");
     }
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index 48cddecab..43634fef5 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2941,8 +2941,12 @@ js_InitArrayClass(JSContext *cx, HandleObject obj)
     if (!type)
         return NULL;
 
+    JSObject *metadata = NULL;
+    if (!NewObjectMetadata(cx, &metadata))
+        return NULL;
+
     RootedShape shape(cx, EmptyShape::getInitialShape(cx, &ArrayClass, TaggedProto(proto),
-                                                      proto->getParent(), NewObjectMetadata(cx),
+                                                      proto->getParent(), metadata,
                                                       gc::FINALIZE_OBJECT0));
 
     RootedObject arrayProto(cx, JSObject::createArray(cx, gc::FINALIZE_OBJECT4, gc::TenuredHeap, shape, type, 0));
@@ -3036,12 +3040,16 @@ NewArray(JSContext *cx, uint32_t length, JSObject *protoArg, NewObjectKind newKi
     if (!type)
         return NULL;
 
+    JSObject *metadata = NULL;
+    if (!NewObjectMetadata(cx, &metadata))
+        return NULL;
+
     /*
      * Get a shape with zero fixed slots, regardless of the size class.
      * See JSObject::createArray.
      */
     RootedShape shape(cx, EmptyShape::getInitialShape(cx, &ArrayClass, TaggedProto(proto),
-                                                      cx->global(), NewObjectMetadata(cx), gc::FINALIZE_OBJECT0));
+                                                      cx->global(), metadata, gc::FINALIZE_OBJECT0));
     if (!shape)
         return NULL;
 
diff --git a/js/src/jsfriendapi.h b/js/src/jsfriendapi.h
index 0ec8f0917..b7aab86d7 100644
--- a/js/src/jsfriendapi.h
+++ b/js/src/jsfriendapi.h
@@ -1865,8 +1865,8 @@ assertEnteredPolicy(JSContext *cx, JSObject *obj, jsid id);
 inline void assertEnteredPolicy(JSContext *cx, JSObject *obj, jsid id) {};
 #endif
 
-typedef JSObject *
-(* ObjectMetadataCallback)(JSContext *cx);
+typedef bool
+(* ObjectMetadataCallback)(JSContext *cx, JSObject **pmetadata);
 
 /*
  * Specify a callback to invoke when creating each JS object in the current
diff --git a/js/src/jsiter.cpp b/js/src/jsiter.cpp
index 40fdf60c6..73945d6f0 100644
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@@ -378,8 +378,12 @@ NewPropertyIteratorObject(JSContext *cx, unsigned flags)
         if (!type)
             return NULL;
 
+        JSObject *metadata = NULL;
+        if (!NewObjectMetadata(cx, &metadata))
+            return NULL;
+
         Class *clasp = &PropertyIteratorObject::class_;
-        RootedShape shape(cx, EmptyShape::getInitialShape(cx, clasp, NULL, NULL, NewObjectMetadata(cx),
+        RootedShape shape(cx, EmptyShape::getInitialShape(cx, clasp, NULL, NULL, metadata,
                                                           ITERATOR_FINALIZE_KIND));
         if (!shape)
             return NULL;
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index 349dbb3b0..e59893f91 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -1308,8 +1308,12 @@ NewObject(JSContext *cx, Class *clasp, types::TypeObject *type_, JSObject *paren
 
     RootedTypeObject type(cx, type_);
 
+    JSObject *metadata = NULL;
+    if (!NewObjectMetadata(cx, &metadata))
+        return NULL;
+
     RootedShape shape(cx, EmptyShape::getInitialShape(cx, clasp, TaggedProto(type->proto),
-                                                      parent, NewObjectMetadata(cx), kind));
+                                                      parent, metadata, kind));
     if (!shape)
         return NULL;
 
@@ -1606,7 +1610,9 @@ js::CreateThisForFunctionWithProto(JSContext *cx, HandleObject callee, JSObject
     }
 
     if (res && cx->typeInferenceEnabled()) {
-        JSScript *script = callee->as<JSFunction>().nonLazyScript();
+        JSScript *script = callee->as<JSFunction>().getOrCreateScript(cx);
+        if (!script)
+            return NULL;
         TypeScript::SetThis(cx, script, types::Type::ObjectType(res));
     }
 
diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
index 9391fb13c..86c4f1430 100644
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -1667,18 +1667,19 @@ DefineConstructorAndPrototype(JSContext *cx, HandleObject obj, JSProtoKey key, H
                               JSObject **ctorp = NULL,
                               gc::AllocKind ctorKind = JSFunction::FinalizeKind);
 
-static JS_ALWAYS_INLINE JSObject *
-NewObjectMetadata(JSContext *cx)
+static JS_ALWAYS_INLINE bool
+NewObjectMetadata(JSContext *cx, JSObject **pmetadata)
 {
     // The metadata callback is invoked before each created object, except when
     // analysis is active as the callback may reenter JS.
+    JS_ASSERT(!*pmetadata);
     if (JS_UNLIKELY((size_t)cx->compartment()->objectMetadataCallback) &&
         !cx->compartment()->activeAnalysis)
     {
         gc::AutoSuppressGC suppress(cx);
-        return cx->compartment()->objectMetadataCallback(cx);
+        return cx->compartment()->objectMetadataCallback(cx, pmetadata);
     }
-    return NULL;
+    return true;
 }
 
 } /* namespace js */
diff --git a/js/src/vm/ArgumentsObject.cpp b/js/src/vm/ArgumentsObject.cpp
index 230cb80ad..b2b6bae94 100644
--- a/js/src/vm/ArgumentsObject.cpp
+++ b/js/src/vm/ArgumentsObject.cpp
@@ -184,8 +184,12 @@ ArgumentsObject::create(JSContext *cx, HandleScript script, HandleFunction calle
     if (!type)
         return NULL;
 
+    JSObject *metadata = NULL;
+    if (!NewObjectMetadata(cx, &metadata))
+        return NULL;
+
     RootedShape shape(cx, EmptyShape::getInitialShape(cx, clasp, TaggedProto(proto),
-                                                      proto->getParent(), NewObjectMetadata(cx), FINALIZE_KIND,
+                                                      proto->getParent(), metadata, FINALIZE_KIND,
                                                       BaseShape::INDEXED));
     if (!shape)
         return NULL;
diff --git a/js/xpconnect/src/XPCComponents.cpp b/js/xpconnect/src/XPCComponents.cpp
index 24d3fd0e5..a71913fc0 100644
--- a/js/xpconnect/src/XPCComponents.cpp
+++ b/js/xpconnect/src/XPCComponents.cpp
@@ -4471,7 +4471,10 @@ nsXPCComponents_Utils::IsDeadWrapper(const jsval &obj, bool *out)
     if (JSVAL_IS_PRIMITIVE(obj))
         return NS_ERROR_INVALID_ARG;
 
-    *out = JS_IsDeadWrapper(JSVAL_TO_OBJECT(obj));
+    // Make sure to unwrap first. Once a proxy is nuked, it ceases to be a
+    // wrapper, meaning that, if passed to another compartment, we'll generate
+    // a CCW for it. Make sure that IsDeadWrapper sees through the confusion.
+    *out = JS_IsDeadWrapper(js::CheckedUnwrap(JSVAL_TO_OBJECT(obj)));
     return NS_OK;
 }
 
diff --git a/js/xpconnect/tests/unit/test_bug885800.js b/js/xpconnect/tests/unit/test_bug885800.js
new file mode 100644
index 000000000..bb859141d
--- /dev/null
+++ b/js/xpconnect/tests/unit/test_bug885800.js
@@ -0,0 +1,13 @@
+const Cu = Components.utils;
+
+function run_test() {
+  var sb = new Cu.Sandbox('http://www.example.com');
+  var obj = Cu.evalInSandbox('this.obj = {foo: 2}; obj', sb);
+  var chromeSb = new Cu.Sandbox(this);
+  chromeSb.objRef = obj;
+  do_check_eq(Cu.evalInSandbox('objRef.foo', chromeSb), 2);
+  Cu.nukeSandbox(sb);
+  do_check_true(Cu.isDeadWrapper(obj));
+  // CCWs to nuked wrappers should be considered dead.
+  do_check_true(Cu.isDeadWrapper(chromeSb.objRef));
+}
diff --git a/js/xpconnect/tests/unit/xpcshell.ini b/js/xpconnect/tests/unit/xpcshell.ini
index d952b5aa7..65dd5e192 100644
--- a/js/xpconnect/tests/unit/xpcshell.ini
+++ b/js/xpconnect/tests/unit/xpcshell.ini
@@ -22,6 +22,7 @@ tail =
 [test_bug854558.js]
 [test_bug868675.js]
 [test_bug872772.js]
+[test_bug885800.js]
 [test_bug_442086.js]
 [test_file.js]
 [test_blob.js]
diff --git a/netwerk/protocol/http/PHttpChannelParams.h b/netwerk/protocol/http/PHttpChannelParams.h
index 365f338bd..e3673933a 100644
--- a/netwerk/protocol/http/PHttpChannelParams.h
+++ b/netwerk/protocol/http/PHttpChannelParams.h
@@ -110,13 +110,6 @@ struct ParamTraits<nsHttpHeaderArray::nsEntry>
 };
 
 
-template<>
-struct ParamTraits<mozilla::net::InfallableCopyCString>
-  : public ParamTraits<nsCString>
-{
-};
-
-
 template<>
 struct ParamTraits<nsHttpHeaderArray>
 {
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index d2ec489e7..d5fd73780 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -228,10 +228,10 @@ private:
     const uint32_t mLoadFlags;
     const bool mCacheForOfflineUse;
     const bool mFallbackChannel;
-    const InfallableCopyCString mClientID;
+    const nsCString mClientID;
     const nsCacheStoragePolicy mStoragePolicy;
     const bool mUsingPrivateBrowsing;
-    const InfallableCopyCString mCacheKey;
+    const nsCString mCacheKey;
     const nsCacheAccessMode mAccessToRequest;
     const bool mNoWait;
     const bool mUsingSSL;
diff --git a/netwerk/protocol/http/nsHttpHeaderArray.h b/netwerk/protocol/http/nsHttpHeaderArray.h
index 94b5e94ae..6a5881c9d 100644
--- a/netwerk/protocol/http/nsHttpHeaderArray.h
+++ b/netwerk/protocol/http/nsHttpHeaderArray.h
@@ -14,36 +14,6 @@
 #include "nsCOMPtr.h"
 #include "nsString.h"
 
-namespace mozilla { namespace net {
-
-// A nsCString that aborts if it fails to successfully copy its input during
-// copy construction and/or assignment. This is useful for building classes
-// that are safely copy-constructable and safely assignable using the compiler-
-// generated copy constructor and assignment operator.
-class InfallableCopyCString : public nsCString
-{
-public:
-    InfallableCopyCString() { }
-    InfallableCopyCString(const nsACString & other)
-        : nsCString(other)
-    {
-        if (Length() != other.Length())
-            NS_RUNTIMEABORT("malloc");
-    }
-
-    InfallableCopyCString & operator=(const nsACString & other)
-    {
-        nsCString::operator=(other);
-
-        if (Length() != other.Length())
-            NS_RUNTIMEABORT("malloc");
-
-        return *this;
-    }
-};
-
-} } // namespace mozilla::net
-
 class nsHttpHeaderArray
 {
 public:
@@ -93,7 +63,7 @@ public:
     struct nsEntry
     {
         nsHttpAtom header;
-        mozilla::net::InfallableCopyCString value;
+        nsCString value;
 
         struct MatchHeader {
           bool Equals(const nsEntry &entry, const nsHttpAtom &header) const {
diff --git a/netwerk/protocol/http/nsHttpRequestHead.h b/netwerk/protocol/http/nsHttpRequestHead.h
index 30b4ffea4..f6adbc19c 100644
--- a/netwerk/protocol/http/nsHttpRequestHead.h
+++ b/netwerk/protocol/http/nsHttpRequestHead.h
@@ -67,7 +67,7 @@ private:
     nsHttpHeaderArray mHeaders;
     nsHttpAtom        mMethod;
     nsHttpVersion     mVersion;
-    mozilla::net::InfallableCopyCString mRequestURI;
+    nsCString         mRequestURI;
 };
 
 #endif // nsHttpRequestHead_h__
diff --git a/netwerk/protocol/http/nsHttpResponseHead.h b/netwerk/protocol/http/nsHttpResponseHead.h
index fabb2ac1a..1ba4379f2 100644
--- a/netwerk/protocol/http/nsHttpResponseHead.h
+++ b/netwerk/protocol/http/nsHttpResponseHead.h
@@ -121,10 +121,10 @@ private:
     nsHttpHeaderArray mHeaders;
     nsHttpVersion     mVersion;
     uint16_t          mStatus;
-    mozilla::net::InfallableCopyCString mStatusText;
+    nsCString         mStatusText;
     int64_t           mContentLength;
-    mozilla::net::InfallableCopyCString mContentType;
-    mozilla::net::InfallableCopyCString mContentCharset;
+    nsCString         mContentType;
+    nsCString         mContentCharset;
     bool              mCacheControlNoStore;
     bool              mCacheControlNoCache;
     bool              mPragmaNoCache;
diff --git a/security/manager/ssl/src/PSMContentListener.cpp b/security/manager/ssl/src/PSMContentListener.cpp
index 5b902424d..dcb754fa8 100644
--- a/security/manager/ssl/src/PSMContentListener.cpp
+++ b/security/manager/ssl/src/PSMContentListener.cpp
@@ -13,6 +13,7 @@
 #include "nsIStreamListener.h"
 #include "nsIX509CertDB.h"
 
+#include "mozilla/Casting.h"
 #include "mozilla/Services.h"
 
 #include "nsCRT.h"
@@ -92,7 +93,7 @@ PSMContentDownloader::OnStartRequest(nsIRequest* request, nsISupports* context)
   
   mBufferOffset = 0;
   mBufferSize = 0;
-  mByteData = (char*) nsMemory::Alloc(contentLength);
+  mByteData = (char*) nsMemory::Alloc(SafeCast<size_t>(contentLength));
   if (!mByteData)
     return NS_ERROR_OUT_OF_MEMORY;
   
diff --git a/security/manager/ssl/src/SSLServerCertVerification.cpp b/security/manager/ssl/src/SSLServerCertVerification.cpp
index a858c7d75..71201239d 100644
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -806,10 +806,11 @@ BlockServerCertChangeForSpdy(nsNSSSocketInfo *infoObject,
     return SECSuccess;
 
   // If GetNegotiatedNPN() failed we will assume spdy for safety's safe
-  if (NS_FAILED(rv))
+  if (NS_FAILED(rv)) {
     PR_LOG(gPIPNSSLog, PR_LOG_DEBUG,
            ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call."
             " Assuming spdy.\n"));
+  }
 
   // Check to see if the cert has actually changed
   ScopedCERTCertificate c(cert2->GetCert());
diff --git a/security/manager/ssl/src/nsCMS.cpp b/security/manager/ssl/src/nsCMS.cpp
index 72479f56b..8443a433b 100644
--- a/security/manager/ssl/src/nsCMS.cpp
+++ b/security/manager/ssl/src/nsCMS.cpp
@@ -259,6 +259,7 @@ nsresult nsCMSMessage::CommonVerifySignature(unsigned char* aDigestData, uint32_
 
   nsigners = NSS_CMSSignedData_SignerInfoCount(sigd);
   PR_ASSERT(nsigners > 0);
+  NS_ENSURE_TRUE(nsigners > 0, NS_ERROR_UNEXPECTED);
   si = NSS_CMSSignedData_GetSignerInfo(sigd, 0);
 
   // See bug 324474. We want to make sure the signing cert is 
diff --git a/security/manager/ssl/src/nsKeygenThread.cpp b/security/manager/ssl/src/nsKeygenThread.cpp
index 8bd247578..9c60fa7a9 100644
--- a/security/manager/ssl/src/nsKeygenThread.cpp
+++ b/security/manager/ssl/src/nsKeygenThread.cpp
@@ -11,6 +11,7 @@
 #include "nsIObserver.h"
 #include "nsNSSShutDown.h"
 #include "PSMRunnable.h"
+#include "mozilla/DebugOnly.h"
 
 using namespace mozilla;
 using namespace mozilla::psm;
@@ -235,7 +236,7 @@ void nsKeygenThread::Run(void)
   }
 
   if (notifyObserver) {
-    nsresult rv = NS_DispatchToMainThread(notifyObserver);
+    DebugOnly<nsresult> rv = NS_DispatchToMainThread(notifyObserver);
     NS_ASSERTION(NS_SUCCEEDED(rv),
 		 "failed to dispatch keygen thread observer to main thread");
   }
diff --git a/security/manager/ssl/src/nsNSSIOLayer.cpp b/security/manager/ssl/src/nsNSSIOLayer.cpp
index acfa83768..5cd64655e 100644
--- a/security/manager/ssl/src/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/src/nsNSSIOLayer.cpp
@@ -7,6 +7,8 @@
 #include "nsNSSComponent.h"
 #include "nsNSSIOLayer.h"
 
+#include "mozilla/DebugOnly.h"
+
 #include "prlog.h"
 #include "prnetdb.h"
 #include "nsIPrefService.h"
@@ -414,7 +416,7 @@ void nsNSSSocketInfo::GetPreviousCert(nsIX509Cert** _result)
 
 #ifndef NSS_NO_LIBPKIX
   RefPtr<PreviousCertRunnable> runnable(new PreviousCertRunnable(mCallbacks));
-  nsresult rv = runnable->DispatchToMainThreadAndWait();
+  DebugOnly<nsresult> rv = runnable->DispatchToMainThreadAndWait();
   NS_ASSERTION(NS_SUCCEEDED(rv), "runnable->DispatchToMainThreadAndWait() failed");
   runnable->mPreviousCert.forget(_result);
 #endif
diff --git a/security/manager/ssl/src/nsPKCS12Blob.cpp b/security/manager/ssl/src/nsPKCS12Blob.cpp
index 818af0e21..2e3afac54 100644
--- a/security/manager/ssl/src/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/src/nsPKCS12Blob.cpp
@@ -138,7 +138,7 @@ nsPKCS12Blob::ImportFromFileHelper(nsIFile *file,
                                    nsPKCS12Blob::RetryReason &aWantRetry)
 {
   nsNSSShutDownPreventionLock locker;
-  nsresult rv;
+  nsresult rv = NS_OK;
   SECStatus srv = SECSuccess;
   SEC_PKCS12DecoderContext *dcx = nullptr;
   SECItem unicodePw;
diff --git a/security/manager/ssl/src/nsProtectedAuthThread.cpp b/security/manager/ssl/src/nsProtectedAuthThread.cpp
index 3564989e9..b5f4c4579 100644
--- a/security/manager/ssl/src/nsProtectedAuthThread.cpp
+++ b/security/manager/ssl/src/nsProtectedAuthThread.cpp
@@ -3,6 +3,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "pk11func.h"
+#include "mozilla/DebugOnly.h"
 #include "mozilla/RefPtr.h"
 #include "nsCOMPtr.h"
 #include "PSMRunnable.h"
@@ -129,7 +130,7 @@ void nsProtectedAuthThread::Run(void)
     }
     
     if (notifyObserver) {
-        nsresult rv = NS_DispatchToMainThread(notifyObserver);
+        DebugOnly<nsresult> rv = NS_DispatchToMainThread(notifyObserver);
 	NS_ASSERTION(NS_SUCCEEDED(rv),
 		     "failed to dispatch protected auth observer to main thread");
     }