Merge m-c to autoland, a=merge

MozReview-Commit-ID: 8QMHmu81oVt

browser/app/profile/firefox.js

@@ -63,9 +63,6 @@ pref("extensions.hotfix.certs.2.sha1Fingerprint", "39:E7:2B:7A:5B:CF:37:78:F9:5D
 // Check AUS for system add-on updates.
 pref("extensions.systemAddon.update.url", "https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml");
 
-// Disable screenshots for now, Shield will enable this.
-pref("extensions.screenshots.system-disabled", true);
-
 // Disable add-ons that are not installed by the user in all scopes by default.
 // See the SCOPE constants in AddonManager.jsm for values to use here.
 pref("extensions.autoDisableScopes", 15);
@@ -870,6 +867,8 @@ pref("browser.sessionstore.debug", false);
 pref("browser.sessionstore.debug.no_auto_updates", false);
 // Forget closed windows/tabs after two weeks
 pref("browser.sessionstore.cleanup.forget_closed_after", 1209600000);
+// Maximum number of bytes of DOMSessionStorage data we collect per origin.
+pref("browser.sessionstore.dom_storage_limit", 2048);
 
 // allow META refresh by default
 pref("accessibility.blockautorefresh", false);

browser/components/sessionstore/SessionStorage.jsm

@@ -15,6 +15,9 @@ Cu.import("resource://gre/modules/XPCOMUtils.jsm");
 XPCOMUtils.defineLazyModuleGetter(this, "console",
   "resource://gre/modules/Console.jsm");
 
+// A bound to the size of data to store for DOM Storage.
+const DOM_STORAGE_LIMIT_PREF = "browser.sessionstore.dom_storage_limit";
+
 // Returns the principal for a given |frame| contained in a given |docShell|.
 function getPrincipalForFrame(docShell, frame) {
   let ssm = Services.scriptSecurityManager;
@@ -179,14 +182,25 @@ var SessionStorageInternal = {
       storage = null;
     }
 
-    if (storage && storage.length) {
-       for (let i = 0; i < storage.length; i++) {
-        try {
-          let key = storage.key(i);
-          hostData[key] = storage.getItem(key);
-        } catch (e) {
-          // This currently throws for secured items (cf. bug 442048).
-        }
+    if (!storage || !storage.length) {
+      return hostData;
+    }
+
+    // If the DOMSessionStorage contains too much data, ignore it.
+    let usage = window.QueryInterface(Ci.nsIInterfaceRequestor)
+                      .getInterface(Ci.nsIDOMWindowUtils)
+                      .getStorageUsage(storage);
+    Services.telemetry.getHistogramById("FX_SESSION_RESTORE_DOM_STORAGE_SIZE_ESTIMATE_CHARS").add(usage);
+    if (usage > Services.prefs.getIntPref(DOM_STORAGE_LIMIT_PREF)) {
+      return hostData;
+    }
+
+    for (let i = 0; i < storage.length; i++) {
+      try {
+        let key = storage.key(i);
+        hostData[key] = storage.getItem(key);
+      } catch (e) {
+        // This currently throws for secured items (cf. bug 442048).
       }
     }
 

browser/components/sessionstore/content/content-sessionStore.js

@@ -49,7 +49,7 @@ XPCOMUtils.defineLazyGetter(this, "gContentRestore",
 var gCurrentEpoch = 0;
 
 // A bound to the size of data to store for DOM Storage.
-const DOM_STORAGE_MAX_CHARS = 10000000; // 10M characters
+const DOM_STORAGE_LIMIT_PREF = "browser.sessionstore.dom_storage_limit";
 
 // This pref controls whether or not we send updates to the parent on a timeout
 // or not, and should only be used for tests or debugging.
@@ -580,37 +580,6 @@ var SessionStorageListener = {
     setTimeout(() => this.collect(), 0);
   },
 
-  // Before DOM Storage can be written to disk, it needs to be serialized
-  // for sending across frames/processes, then again to be sent across
-  // threads, then again to be put in a buffer for the disk. Each of these
-  // serializations is an opportunity to OOM and (depending on the site of
-  // the OOM), either crash, lose all data for the frame or lose all data
-  // for the application.
-  //
-  // In order to avoid this, compute an estimate of the size of the
-  // object, and block SessionStorage items that are too large. As
-  // we also don't want to cause an OOM here, we use a quick and memory-
-  // efficient approximation: we compute the total sum of string lengths
-  // involved in this object.
-  estimateStorageSize(collected) {
-    if (!collected) {
-      return 0;
-    }
-
-    let size = 0;
-    for (let host of Object.keys(collected)) {
-      size += host.length;
-      let perHost = collected[host];
-      for (let key of Object.keys(perHost)) {
-        size += key.length;
-        let perKey = perHost[key];
-        size += perKey.length;
-      }
-    }
-
-    return size;
-  },
-
   // We don't want to send all the session storage data for all the frames
   // for every change. So if only a few value changed we send them over as
   // a "storagechange" event. If however for some reason before we send these
@@ -623,55 +592,56 @@ var SessionStorageListener = {
   },
 
   collectFromEvent(event) {
-    // TODO: we should take browser.sessionstore.dom_storage_limit into an account here.
-    if (docShell) {
-      let {url, key, newValue} = event;
-      let uri = Services.io.newURI(url);
-      let domain = uri.prePath;
-      if (!this._changes) {
-        this._changes = {};
-      }
-      if (!this._changes[domain]) {
-        this._changes[domain] = {};
-      }
-      this._changes[domain][key] = newValue;
-
-      MessageQueue.push("storagechange", () => {
-        let tmp = this._changes;
-        // If there were multiple changes we send them merged.
-        // First one will collect all the changes the rest of
-        // these messages will be ignored.
-        this.resetChanges();
-        return tmp;
-      });
+    if (!docShell) {
+      return;
     }
+
+    // How much data does DOMSessionStorage contain?
+    let usage = content.QueryInterface(Ci.nsIInterfaceRequestor)
+                       .getInterface(Ci.nsIDOMWindowUtils)
+                       .getStorageUsage(event.storageArea);
+    Services.telemetry.getHistogramById("FX_SESSION_RESTORE_DOM_STORAGE_SIZE_ESTIMATE_CHARS").add(usage);
+
+    // Don't store any data if we exceed the limit. Wipe any data we previously
+    // collected so that we don't confuse websites with partial state.
+    if (usage > Preferences.get(DOM_STORAGE_LIMIT_PREF)) {
+      MessageQueue.push("storage", () => null);
+      return;
+    }
+
+    let {url, key, newValue} = event;
+    let uri = Services.io.newURI(url);
+    let domain = uri.prePath;
+    if (!this._changes) {
+      this._changes = {};
+    }
+    if (!this._changes[domain]) {
+      this._changes[domain] = {};
+    }
+    this._changes[domain][key] = newValue;
+
+    MessageQueue.push("storagechange", () => {
+      let tmp = this._changes;
+      // If there were multiple changes we send them merged.
+      // First one will collect all the changes the rest of
+      // these messages will be ignored.
+      this.resetChanges();
+      return tmp;
+    });
   },
 
   collect() {
-    if (docShell) {
-      // We need the entire session storage, let's reset the pending individual change
-      // messages.
-      this.resetChanges();
-      MessageQueue.push("storage", () => {
-        let collected = SessionStorage.collect(docShell, gFrameTree);
-
-        if (collected == null) {
-          return collected;
-        }
-
-        let size = this.estimateStorageSize(collected);
-        Services.telemetry.getHistogramById("FX_SESSION_RESTORE_DOM_STORAGE_SIZE_ESTIMATE_CHARS").add(size);
-
-        if (size > Preferences.get("browser.sessionstore.dom_storage_limit", DOM_STORAGE_MAX_CHARS)) {
-          // Rather than keeping the old storage, which wouldn't match the rest
-          // of the state of the page, empty the storage. DOM storage will be
-          // recollected the next time and stored if it is now small enough.
-          return {};
-        }
-
-        return collected;
-      });
+    if (!docShell) {
+      return;
     }
+
+    // We need the entire session storage, let's reset the pending individual change
+    // messages.
+    this.resetChanges();
+
+    MessageQueue.push("storage", () => {
+      return SessionStorage.collect(docShell, gFrameTree);
+    });
   },
 
   onFrameTreeCollected() {

browser/components/sessionstore/test/browser_sessionStorage_size.js

@@ -27,7 +27,7 @@ add_task(function* test_telemetry() {
   // There is no good way to make sure that the parent received the histogram entries from the child processes.
   // Let's stick to the ugly, spinning the event loop until we have a good approach (Bug 1357509).
   yield BrowserTestUtils.waitForCondition(() => {
-    return histogram.snapshot().counts[5] > snap1.counts[5];
+    return histogram.snapshot().counts[4] > snap1.counts[4];
   });
 
   Assert.ok(true);

dom/animation/test/chrome/test_animation_observers_sync.html

@@ -817,6 +817,32 @@ function createPseudo(test, element, type) {
       [], "no records after applying the same order");
   }, "animtion_order_change");
 
+  test(t => {
+    var div = addDiv(t);
+    var observer =
+      setupSynchronousObserver(t,
+                               aOptions.subtree ? div.parentNode : div,
+                               aOptions.subtree);
+
+    var anim = div.animate({ opacity: [ 0, 1 ] },
+                           { duration: 100 * MS_PER_SEC,
+                             iterationComposite: 'replace' });
+
+    assert_equals_records(observer.takeRecords(),
+      [{ added: [anim], changed: [], removed: [] }],
+      "records after animation is added");
+
+    anim.effect.iterationComposite = 'accumulate';
+    assert_equals_records(observer.takeRecords(),
+      [{ added: [], changed: [anim], removed: [] }],
+      "records after iterationComposite is changed");
+
+    anim.effect.iterationComposite = 'accumulate';
+    assert_equals_records(observer.takeRecords(),
+      [], "no record after setting the same iterationComposite");
+
+  }, "set_iterationComposite");
+
 });
 
 test(t => {

dom/file/ipc/IPCBlobInputStreamChild.cpp

@@ -167,7 +167,6 @@ IPCBlobInputStreamChild::StreamNeeded(IPCBlobInputStream* aStream,
 mozilla::ipc::IPCResult
 IPCBlobInputStreamChild::RecvStreamReady(const OptionalIPCStream& aStream)
 {
-  MutexAutoLock lock(mMutex);
   MOZ_ASSERT(!mPendingOperations.IsEmpty());
 
   nsCOMPtr<nsIInputStream> stream = DeserializeIPCStream(aStream);

dom/html/test/test_bug394700.html

@@ -19,7 +19,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=394700
 
 /** Test for Bug 394700 **/
 
-function remove(q1) { q1.parentNode.removeChild(q1); }
+function remove(q1) { q1.remove(); }
 
 function testSelectedIndex()
 {
@@ -33,8 +33,8 @@ function testSelectedIndex()
     remove(document.getElementById("A"));
   }
   var selectElement = document.getElementsByTagName("select")[0];
-  ok(selectElement.selectedIndex == -1, "Wrong selected index!");
-  ok(selectElement.length == 0, "Select shouldn't have any options!")
+  is(selectElement.selectedIndex, -1, "Wrong selected index!");
+  is(selectElement.length, 0, "Select shouldn't have any options!");
 }
 
 SimpleTest.waitForExplicitFinish();

gfx/ipc/GPUParent.cpp

@@ -208,10 +208,6 @@ GPUParent::RecvInit(nsTArray<GfxPrefSetting>&& prefs,
   RecvGetDeviceStatus(&data);
   Unused << SendInitComplete(data);
 
-#ifdef XP_WIN
-  DeviceManagerDx::PreloadAttachmentsOnCompositorThread();
-#endif
-
   Telemetry::AccumulateTimeDelta(Telemetry::GPU_PROCESS_INITIALIZATION_TIME_MS, mLaunchTime);
   return IPC_OK();
 }

gfx/layers/client/ClientLayerManager.cpp

@@ -647,7 +647,11 @@ ClientLayerManager::FlushRendering()
 {
   if (mWidget) {
     if (CompositorBridgeChild* remoteRenderer = mWidget->GetRemoteRenderer()) {
-      remoteRenderer->SendFlushRendering();
+      if (mWidget->SynchronouslyRepaintOnResize() || gfxPrefs::LayersForceSynchronousResize()) {
+        remoteRenderer->SendFlushRendering();
+      } else {
+        remoteRenderer->SendFlushRenderingAsync();
+      }
     }
   }
 }

gfx/layers/ipc/CompositorBridgeParent.cpp

@@ -549,6 +549,12 @@ CompositorBridgeParent::RecvFlushRendering()
   return IPC_OK();
 }
 
+mozilla::ipc::IPCResult
+CompositorBridgeParent::RecvFlushRenderingAsync()
+{
+  return RecvFlushRendering();
+}
+
 mozilla::ipc::IPCResult
 CompositorBridgeParent::RecvForcePresent()
 {

gfx/layers/ipc/CompositorBridgeParent.h

@@ -202,6 +202,7 @@ public:
   virtual mozilla::ipc::IPCResult RecvMakeSnapshot(const SurfaceDescriptor& aInSnapshot,
                                 const gfx::IntRect& aRect) override;
   virtual mozilla::ipc::IPCResult RecvFlushRendering() override;
+  virtual mozilla::ipc::IPCResult RecvFlushRenderingAsync() override;
   virtual mozilla::ipc::IPCResult RecvForcePresent() override;
 
   virtual mozilla::ipc::IPCResult RecvAcknowledgeCompositorUpdate(const uint64_t&, const uint64_t&) override {

gfx/layers/ipc/CrossProcessCompositorBridgeParent.h

@@ -63,6 +63,7 @@ public:
                                 const gfx::IntRect& aRect) override
   { return IPC_OK(); }
   virtual mozilla::ipc::IPCResult RecvFlushRendering() override { return IPC_OK(); }
+  virtual mozilla::ipc::IPCResult RecvFlushRenderingAsync() override { return IPC_OK(); }
   virtual mozilla::ipc::IPCResult RecvForcePresent() override { return IPC_OK(); }
   virtual mozilla::ipc::IPCResult RecvNotifyRegionInvalidated(const nsIntRegion& aRegion) override { return IPC_OK(); }
   virtual mozilla::ipc::IPCResult RecvStartFrameTimeRecording(const int32_t& aBufferSize, uint32_t* aOutStartIndex) override { return IPC_OK(); }

gfx/layers/ipc/PCompositorBridge.ipdl

@@ -205,6 +205,10 @@ parent:
   // block until they are completed.
   sync FlushRendering();
 
+  // Same as FlushRendering, but asynchronous, since not all platforms require
+  // synchronous repaints on resize.
+  async FlushRenderingAsync();
+
   // Force an additional frame presentation to be executed. This is used to
   // work around a windows presentation bug (See Bug 1232042)
   async ForcePresent();

gfx/thebes/DeviceManagerDx.cpp

@@ -136,7 +136,12 @@ DeviceManagerDx::CreateCompositorDevices()
   mD3D11Module.disown();
 
   MOZ_ASSERT(mCompositorDevice);
-  return d3d11.IsEnabled();
+  if (!d3d11.IsEnabled()) {
+    return false;
+  }
+
+  PreloadAttachmentsOnCompositorThread();
+  return true;
 }
 
 void

gfx/thebes/DeviceManagerDx.h

@@ -103,11 +103,11 @@ public:
   void ForceDeviceReset(ForcedDeviceResetReason aReason);
   void NotifyD3D9DeviceReset();
 
+private:
   // Pre-load any compositor resources that are expensive, and are needed when we
   // attempt to create a compositor.
   static void PreloadAttachmentsOnCompositorThread();
 
-private:
   IDXGIAdapter1 *GetDXGIAdapter();
 
   void DisableD3D11AfterCrash();

gfx/thebes/gfxPlatform.cpp

@@ -965,9 +965,6 @@ gfxPlatform::InitLayersIPC()
             wr::RenderThread::Start();
         }
         layers::CompositorThreadHolder::Start();
-#ifdef XP_WIN
-        gfx::DeviceManagerDx::PreloadAttachmentsOnCompositorThread();
-#endif
     }
 }
 

gfx/thebes/gfxPrefs.h

@@ -563,6 +563,7 @@ private:
   DECL_GFX_PREF(Live, "layers.shared-buffer-provider.enabled", PersistentBufferProviderSharedEnabled, bool, false);
   DECL_GFX_PREF(Live, "layers.single-tile.enabled",            LayersSingleTileEnabled, bool, true);
   DECL_GFX_PREF(Once, "layers.stereo-video.enabled",           StereoVideoEnabled, bool, false);
+  DECL_GFX_PREF(Live, "layers.force-synchronous-resize",       LayersForceSynchronousResize, bool, false);
 
   // We allow for configurable and rectangular tile size to avoid wasting memory on devices whose
   // screen size does not align nicely to the default tile size. Although layers can be any size,

js/src/vm/Runtime.h

@@ -1060,6 +1060,23 @@ struct JSRuntime : public js::MallocProvider<JSRuntime>
     js::ActiveThreadData<js::RuntimeCaches> caches_;
   public:
     js::RuntimeCaches& caches() { return caches_.ref(); }
+
+  private:
+    // When wasm is interrupted, the pc at which we should return if the
+    // interrupt hasn't stopped execution of the current running code. Since
+    // this is used only by the interrupt handler and the latter is not
+    // reentrant, this value can't be clobbered so there is at most one
+    // resume PC at a time.
+    js::ActiveThreadData<void*> wasmResumePC_;
+
+  public:
+    void* wasmResumePC() const {
+        return wasmResumePC_;
+    }
+    void setWasmResumePC(void* resumePC) {
+        MOZ_ASSERT(!!resumePC == !wasmResumePC_);
+        wasmResumePC_ = resumePC;
+    }
 };
 
 namespace js {

js/src/vm/Stack.cpp

@@ -1645,7 +1645,6 @@ jit::JitActivation::traceIonRecovery(JSTracer* trc)
 WasmActivation::WasmActivation(JSContext* cx)
   : Activation(cx, Wasm),
     entrySP_(nullptr),
-    resumePC_(nullptr),
     exitFP_(nullptr),
     exitReason_(wasm::ExitReason::Fixed::None)
 {
@@ -1691,7 +1690,7 @@ WasmActivation::startInterrupt(void* pc, uint8_t* fp)
     MOZ_ASSERT(!interrupted());
     MOZ_ASSERT(compartment()->wasm.lookupCode(pc)->lookupRange(pc)->isFunction());
 
-    resumePC_ = pc;
+    cx_->runtime()->setWasmResumePC(pc);
     exitFP_ = fp;
 
     MOZ_ASSERT(interrupted());
@@ -1703,10 +1702,23 @@ WasmActivation::finishInterrupt()
     MOZ_ASSERT(interrupted());
     MOZ_ASSERT(exitFP_);
 
-    resumePC_ = nullptr;
+    cx_->runtime()->setWasmResumePC(nullptr);
     exitFP_ = nullptr;
 }
 
+bool
+WasmActivation::interrupted() const
+{
+    return !!cx_->runtime()->wasmResumePC();
+}
+
+void*
+WasmActivation::resumePC() const
+{
+    MOZ_ASSERT(interrupted());
+    return cx_->runtime()->wasmResumePC();
+}
+
 InterpreterFrameIterator&
 InterpreterFrameIterator::operator++()
 {

js/src/vm/Stack.h

@@ -1734,7 +1734,6 @@ class WasmActivation : public Activation
 {
     WasmActivation* prevWasm_;
     void* entrySP_;
-    void* resumePC_;
     uint8_t* exitFP_;
     wasm::ExitReason exitReason_;
 
@@ -1765,8 +1764,8 @@ class WasmActivation : public Activation
     // when the interrupt is handled.
     void startInterrupt(void* pc, uint8_t* fp);
     void finishInterrupt();
-    bool interrupted() const { return !!resumePC_; }
-    void* resumePC() const { MOZ_ASSERT(interrupted()); return resumePC_; }
+    bool interrupted() const;
+    void* resumePC() const;
 
     // Used by wasm::FrameIterator during stack unwinding.
     void unwindExitFP(uint8_t* exitFP);

js/src/wasm/WasmSignalHandlers.cpp

@@ -1027,7 +1027,12 @@ HandleMachException(JSContext* cx, const ExceptionRequest& request)
     if (!IsHeapAccessAddress(*instance, faultingAddress))
         return false;
 
-    HandleMemoryAccess(&context, pc, faultingAddress, *instance, activation, ppc);
+    {
+        // HandleMemoryAccess may call startInterrupt, which sets the wasm
+        // resume PC in the runtime.
+        AutoNoteSingleThreadedRegion anstr;
+        HandleMemoryAccess(&context, pc, faultingAddress, *instance, activation, ppc);
+    }
 
     // Update the thread state with the new pc and register values.
     kret = thread_set_state(cxThread, float_state, (thread_state_t)&context.float_, float_state_count);

layout/generic/nsFrame.cpp

@@ -976,7 +976,8 @@ nsFrame::DidSetStyleContext(nsStyleContext* aOldStyleContext)
     PresContext()->SetBidiEnabled();
   }
 
-  RemoveStateBits(NS_FRAME_SIMPLE_EVENT_REGIONS);
+  RemoveStateBits(NS_FRAME_SIMPLE_EVENT_REGIONS |
+                  NS_FRAME_SIMPLE_DISPLAYLIST);
 }
 
 void
@@ -2155,8 +2156,10 @@ nsIFrame::GetClipPropClipRect(const nsStyleDisplay* aDisp,
  * handled by constructing a dedicated nsHTML/XULScrollFrame, set up clipping
  * for that overflow in aBuilder->ClipState() to clip all containing-block
  * descendants.
+ *
+ * Return true if clipping was applied.
  */
-static void
+static bool
 ApplyOverflowClipping(nsDisplayListBuilder* aBuilder,
                       const nsIFrame* aFrame,
                       const nsStyleDisplay* aDisp,
@@ -2168,7 +2171,7 @@ ApplyOverflowClipping(nsDisplayListBuilder* aBuilder,
   // is required by comboboxes which make their display text (an inline frame)
   // have clipping.
   if (!nsFrame::ShouldApplyOverflowClipping(aFrame, aDisp)) {
-    return;
+    return false;
   }
   nsRect clipRect;
   bool haveRadii = false;
@@ -2184,6 +2187,7 @@ ApplyOverflowClipping(nsDisplayListBuilder* aBuilder,
     // XXX border-radius
   }
   aClipState.ClipContainingBlockDescendantsExtra(clipRect, haveRadii ? radii : nullptr);
+  return true;
 }
 
 #ifdef DEBUG
@@ -2863,6 +2867,45 @@ WrapInWrapList(nsDisplayListBuilder* aBuilder,
   return item;
 }
 
+/**
+ * Check if a frame should be visited for building display list.
+ */
+static bool
+DescendIntoChild(nsDisplayListBuilder* aBuilder, nsIFrame *aChild,
+                 const nsRect& aDirty)
+{
+  nsIFrame* child = aChild;
+  const nsRect& dirty = aDirty;
+
+  if (!(child->GetStateBits() & NS_FRAME_FORCE_DISPLAY_LIST_DESCEND_INTO)) {
+    // No need to descend into child to catch placeholders for visible
+    // positioned stuff. So see if we can short-circuit frame traversal here.
+
+    // We can stop if child's frame subtree's intersection with the
+    // dirty area is empty.
+    // If the child is a scrollframe that we want to ignore, then we need
+    // to descend into it because its scrolled child may intersect the dirty
+    // area even if the scrollframe itself doesn't.
+    // There are cases where the "ignore scroll frame" on the builder is not set
+    // correctly, and so we additionally want to catch cases where the child is
+    // a root scrollframe and we are ignoring scrolling on the viewport.
+    nsIPresShell* shell = child->PresContext()->PresShell();
+    bool keepDescending = child == aBuilder->GetIgnoreScrollFrame() ||
+      (shell->IgnoringViewportScrolling() && child == shell->GetRootScrollFrame());
+    if (!keepDescending) {
+      nsRect childDirty;
+      if (!childDirty.IntersectRect(dirty, child->GetVisualOverflowRect()))
+        return false;
+      // Usually we could set dirty to childDirty now but there's no
+      // benefit, and it can be confusing. It can especially confuse
+      // situations where we're going to ignore a scrollframe's clipping;
+      // we wouldn't want to clip the dirty area to the scrollframe's
+      // bounds in that case.
+    }
+  }
+  return true;
+}
+
 void
 nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
                                    nsIFrame*               aChild,
@@ -2885,11 +2928,59 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
   if (child->GetStateBits() & NS_FRAME_TOO_DEEP_IN_FRAME_TREE)
     return;
 
+  const bool doingShortcut =
+    (child->GetStateBits() & NS_FRAME_SIMPLE_DISPLAYLIST) &&
+    aBuilder->IsPaintingToWindow() &&
+    // This would be changed by the change of preference.
+    aBuilder->IsBuildingLayerEventRegions() &&
+    // Animations may change the value of |HasOpacity()|.
+    !(child->GetContent() &&
+      child->GetContent()->MayHaveAnimations());
+  if (doingShortcut) {
+    // This is the shortcut for frames been handled along the common
+    // path, the most common one of THE COMMON CASE mentioned later.
+    MOZ_ASSERT(child->Type() != LayoutFrameType::Placeholder);
+    MOZ_ASSERT(!aBuilder->GetSelectedFramesOnly() &&
+               !aBuilder->GetIncludeAllOutOfFlows(),
+               "It should be held for painting to window");
+
+    // dirty rect in child-relative coordinates
+    nsRect dirty = aDirtyRect - child->GetOffsetTo(this);
+    if (!DescendIntoChild(aBuilder, child, dirty)) {
+      return;
+    }
+
+    nsDisplayListBuilder::AutoBuildingDisplayList
+      buildingForChild(aBuilder, child, dirty, false);
+
+    CheckForApzAwareEventHandlers(aBuilder, child);
+
+    nsDisplayLayerEventRegions* eventRegions = aBuilder->GetLayerEventRegions();
+    if (eventRegions) {
+      eventRegions->AddFrame(aBuilder, child);
+    }
+
+    child->MarkAbsoluteFramesForDisplayList(aBuilder, dirty);
+    aBuilder->AdjustWindowDraggingRegion(child);
+    child->BuildDisplayList(aBuilder, dirty, aLists);
+    aBuilder->DisplayCaret(child, dirty, aLists.Content());
+#ifdef DEBUG
+    DisplayDebugBorders(aBuilder, child, aLists);
+#endif
+    return;
+  }
+
   bool isSVG = (child->GetStateBits() & NS_FRAME_SVG_LAYOUT);
 
+  // It is raised if the control flow strays off the common path.
+  // The common path is the most common one of THE COMMON CASE
+  // mentioned later.
+  bool awayFromCommonPath = false;
+
   // true if this is a real or pseudo stacking context
   bool pseudoStackingContext =
     (aFlags & DISPLAY_CHILD_FORCE_PSEUDO_STACKING_CONTEXT) != 0;
+  awayFromCommonPath |= pseudoStackingContext;
   if (!isSVG &&
       (aFlags & DISPLAY_CHILD_INLINE) &&
       !child->IsFrameOfType(eLineParticipant)) {
@@ -2897,6 +2988,7 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
     // it acts like inline-block or inline-table. Therefore it is a
     // pseudo-stacking-context.
     pseudoStackingContext = true;
+    awayFromCommonPath = true;
   }
 
   // dirty rect in child-relative coordinates
@@ -2937,6 +3029,7 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
       dirty.SetEmpty();
     }
     pseudoStackingContext = true;
+    awayFromCommonPath = true;
   }
 
   NS_ASSERTION(!child->IsPlaceholderFrame(),
@@ -2950,31 +3043,9 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
   if (aBuilder->GetIncludeAllOutOfFlows() &&
       (child->GetStateBits() & NS_FRAME_OUT_OF_FLOW)) {
     dirty = child->GetVisualOverflowRect();
-  } else if (!(child->GetStateBits() & NS_FRAME_FORCE_DISPLAY_LIST_DESCEND_INTO)) {
-    // No need to descend into child to catch placeholders for visible
-    // positioned stuff. So see if we can short-circuit frame traversal here.
-
-    // We can stop if child's frame subtree's intersection with the
-    // dirty area is empty.
-    // If the child is a scrollframe that we want to ignore, then we need
-    // to descend into it because its scrolled child may intersect the dirty
-    // area even if the scrollframe itself doesn't.
-    // There are cases where the "ignore scroll frame" on the builder is not set
-    // correctly, and so we additionally want to catch cases where the child is
-    // a root scrollframe and we are ignoring scrolling on the viewport.
-    nsIPresShell* shell = PresContext()->PresShell();
-    bool keepDescending = child == aBuilder->GetIgnoreScrollFrame() ||
-        (shell->IgnoringViewportScrolling() && child == shell->GetRootScrollFrame());
-    if (!keepDescending) {
-      nsRect childDirty;
-      if (!childDirty.IntersectRect(dirty, child->GetVisualOverflowRect()))
-        return;
-      // Usually we could set dirty to childDirty now but there's no
-      // benefit, and it can be confusing. It can especially confuse
-      // situations where we're going to ignore a scrollframe's clipping;
-      // we wouldn't want to clip the dirty area to the scrollframe's
-      // bounds in that case.
-    }
+    awayFromCommonPath = true;
+  } else if (!DescendIntoChild(aBuilder, child, dirty)) {
+    return;
   }
 
   // XXX need to have inline-block and inline-table set pseudoStackingContext
@@ -2991,6 +3062,7 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
   // within the displayport.
   if (aBuilder->IsPaintingToWindow() && child->TrackingVisibility()) {
     child->PresContext()->PresShell()->EnsureFrameInApproximatelyVisibleList(child);
+    awayFromCommonPath = true;
   }
 
   // Child is composited if it's transformed, partially transparent, or has
@@ -3022,6 +3094,7 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
       (aFlags & DISPLAY_CHILD_FORCE_STACKING_CONTEXT)) {
     // If you change this, also change IsPseudoStackingContextFromStyle()
     pseudoStackingContext = true;
+    awayFromCommonPath = true;
   }
   NS_ASSERTION(!isStackingContext || pseudoStackingContext,
                "Stacking contexts must also be pseudo-stacking-contexts");
@@ -3039,6 +3112,7 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
       savedOutOfFlowData->mContainingBlockClipChain);
     asrSetter.SetCurrentActiveScrolledRoot(
       savedOutOfFlowData->mContainingBlockActiveScrolledRoot);
+    MOZ_ASSERT(awayFromCommonPath, "It is impossible when savedOutOfFlowData is true");
   } else if (GetStateBits() & NS_FRAME_FORCE_DISPLAY_LIST_DESCEND_INTO &&
              isPlaceholder) {
     NS_ASSERTION(dirty.IsEmpty(), "should have empty dirty rect");
@@ -3052,6 +3126,7 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
     // instead since we know we won't render anything, and the inner out-of-flow
     // frame will setup the correct clip for itself.
     clipState.SetClipChainForContainingBlockDescendants(nullptr);
+    awayFromCommonPath = true;
   }
 
   // Setup clipping for the parent's overflow:-moz-hidden-unscrollable,
@@ -3065,7 +3140,9 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
   nsIFrame* parent = child->GetParent();
   const nsStyleDisplay* parentDisp =
     parent == this ? ourDisp : parent->StyleDisplay();
-  ApplyOverflowClipping(aBuilder, parent, parentDisp, clipState);
+  if (ApplyOverflowClipping(aBuilder, parent, parentDisp, clipState)) {
+    awayFromCommonPath = true;
+  }
 
   nsDisplayList list;
   nsDisplayList extraPositionedDescendants;
@@ -3088,6 +3165,7 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
       dirty.IntersectRect(dirty, *clipPropClip);
       clipState.ClipContentDescendants(
         *clipPropClip + aBuilder->ToReferenceFrame(child));
+      awayFromCommonPath = true;
     }
 
     child->MarkAbsoluteFramesForDisplayList(aBuilder, dirty);
@@ -3113,6 +3191,12 @@ nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*   aBuilder,
         if (eventRegions) {
           eventRegions->AddFrame(aBuilder, child);
         }
+        if (!awayFromCommonPath &&
+            aBuilder->IsPaintingToWindow() &&
+            !buildingForChild.MaybeAnimatedGeometryRoot()) {
+          // The shortcut is available for the child for next time.
+          child->AddStateBits(NS_FRAME_SIMPLE_DISPLAYLIST);
+        }
       }
     }
 

layout/generic/nsFrameStateBits.h

@@ -273,6 +273,10 @@ FRAME_STATE_BIT(Generic, 55, NS_FRAME_OWNS_ANON_BOXES)
 // Frame has properties in the nsIFrame::Properties() hash.
 FRAME_STATE_BIT(Generic, 56, NS_FRAME_HAS_PROPERTIES)
 
+// The display list of the frame can be handled by the shortcut for
+// COMMON CASE.
+FRAME_STATE_BIT(Generic, 57, NS_FRAME_SIMPLE_DISPLAYLIST)
+
 // Set for all descendants of MathML sub/supscript elements (other than the
 // base frame) to indicate that the SSTY font feature should be used.
 FRAME_STATE_BIT(Generic, 58, NS_FRAME_MATHML_SCRIPT_DESCENDANT)

layout/painting/nsDisplayList.cpp

@@ -973,7 +973,7 @@ AnimatedGeometryRoot*
 nsDisplayListBuilder::WrapAGRForFrame(nsIFrame* aAnimatedGeometryRoot,
                                       AnimatedGeometryRoot* aParent /* = nullptr */)
 {
-  MOZ_ASSERT(IsAnimatedGeometryRoot(aAnimatedGeometryRoot));
+  MOZ_ASSERT(IsAnimatedGeometryRoot(aAnimatedGeometryRoot) == AGR_YES);
 
   AnimatedGeometryRoot* result = nullptr;
   if (!mFrameToAnimatedGeometryRootMap.Get(aAnimatedGeometryRoot, &result)) {
@@ -1477,72 +1477,94 @@ IsStickyFrameActive(nsDisplayListBuilder* aBuilder, nsIFrame* aFrame, nsIFrame*
   return sf->IsScrollingActive(aBuilder) && sf->GetScrolledFrame() == cursor;
 }
 
-bool
-nsDisplayListBuilder::IsAnimatedGeometryRoot(nsIFrame* aFrame, nsIFrame** aParent)
+nsDisplayListBuilder::AGRState
+nsDisplayListBuilder::IsAnimatedGeometryRoot(nsIFrame* aFrame,
+                                             nsIFrame** aParent)
 {
   if (aFrame == mReferenceFrame) {
-    return true;
+    return AGR_YES;
   }
   if (!IsPaintingToWindow()) {
     if (aParent) {
       *aParent = nsLayoutUtils::GetCrossDocParentFrame(aFrame);
     }
-    return false;
+    return AGR_NO;
   }
 
   if (nsLayoutUtils::IsPopup(aFrame))
-    return true;
+    return AGR_YES;
   if (ActiveLayerTracker::IsOffsetOrMarginStyleAnimated(aFrame)) {
     const bool inBudget = AddToAGRBudget(aFrame);
     if (inBudget) {
-      return true;
+      return AGR_YES;
     }
   }
   if (!aFrame->GetParent() &&
       nsLayoutUtils::ViewportHasDisplayPort(aFrame->PresContext())) {
     // Viewport frames in a display port need to be animated geometry roots
     // for background-attachment:fixed elements.
-    return true;
+    return AGR_YES;
   }
   if (aFrame->IsTransformed()) {
-    return true;
+    return AGR_YES;
   }
 
   nsIFrame* parent = nsLayoutUtils::GetCrossDocParentFrame(aFrame);
   if (!parent)
-    return true;
+    return AGR_YES;
+
+  bool maybe = false; // Possible to transition from not being an AGR
+                      // to being an AGR without a style change.
 
   LayoutFrameType parentType = parent->Type();
   // Treat the slider thumb as being as an active scrolled root when it wants
   // its own layer so that it can move without repainting.
-  if (parentType == LayoutFrameType::Slider &&
-      nsLayoutUtils::IsScrollbarThumbLayerized(aFrame)) {
-    return true;
+  if (parentType == LayoutFrameType::Slider) {
+    if (nsLayoutUtils::IsScrollbarThumbLayerized(aFrame)) {
+      return AGR_YES;
+    }
+    maybe = true;
   }
 
-  if (aFrame->StyleDisplay()->mPosition == NS_STYLE_POSITION_STICKY &&
-      IsStickyFrameActive(this, aFrame, parent))
-  {
-    return true;
+  if (aFrame->StyleDisplay()->mPosition == NS_STYLE_POSITION_STICKY) {
+    if (IsStickyFrameActive(this, aFrame, parent)) {
+      return AGR_YES;
+    }
+    maybe = true;
   }
 
   if (parentType == LayoutFrameType::Scroll ||
       parentType == LayoutFrameType::ListControl) {
     nsIScrollableFrame* sf = do_QueryFrame(parent);
-    if (sf->IsScrollingActive(this) && sf->GetScrolledFrame() == aFrame) {
-      return true;
+    if (sf->GetScrolledFrame() == aFrame) {
+      if (sf->IsScrollingActive(this)) {
+        return AGR_YES;
+      }
+      maybe = true;
     }
   }
 
   // Fixed-pos frames are parented by the viewport frame, which has no parent.
   if (nsLayoutUtils::IsFixedPosFrameInDisplayPort(aFrame)) {
-    return true;
+    return AGR_YES;
+  }
+
+  if ((aFrame->GetStateBits() & NS_FRAME_MAY_BE_TRANSFORMED) &&
+      aFrame->IsFrameOfType(nsIFrame::eSVG)) {
+    // For SVG containers, they always have
+    // NS_FRAME_MAY_BE_TRANSFORMED bit.  However, they would be
+    // affected by the fragement identifiers in the svgView form at
+    // runtime without a new style context.
+    // For example, layout/reftests/svg/fragmentIdentifier-01.xhtml
+    //
+    // see https://www.w3.org/TR/SVG/linking.html#SVGFragmentIdentifiers
+    maybe = true;
   }
 
   if (aParent) {
     *aParent = parent;
   }
-  return false;
+  return !maybe ? AGR_NO : AGR_MAYBE;
 }
 
 nsIFrame*
@@ -1552,7 +1574,7 @@ nsDisplayListBuilder::FindAnimatedGeometryRootFrameFor(nsIFrame* aFrame)
   nsIFrame* cursor = aFrame;
   while (cursor != RootReferenceFrame()) {
     nsIFrame* next;
-    if (IsAnimatedGeometryRoot(cursor, &next))
+    if (IsAnimatedGeometryRoot(cursor, &next) == AGR_YES)
       return cursor;
     cursor = next;
   }
@@ -1563,7 +1585,7 @@ void
 nsDisplayListBuilder::RecomputeCurrentAnimatedGeometryRoot()
 {
   if (*mCurrentAGR != mCurrentFrame &&
-      IsAnimatedGeometryRoot(const_cast<nsIFrame*>(mCurrentFrame))) {
+      IsAnimatedGeometryRoot(const_cast<nsIFrame*>(mCurrentFrame)) == AGR_YES) {
     AnimatedGeometryRoot* oldAGR = mCurrentAGR;
     mCurrentAGR = WrapAGRForFrame(const_cast<nsIFrame*>(mCurrentFrame), mCurrentAGR);
 

layout/painting/nsDisplayList.h

@@ -283,6 +283,15 @@ class nsDisplayListBuilder {
     nsRect mDirtyRect;
   };
 
+  /**
+   * A frame can be in one of three states of AGR.
+   * AGR_NO     means the frame is not an AGR for now.
+   * AGR_YES    means the frame is an AGR for now.
+   * AGR_MAYBE  means the frame is not an AGR for now, but a transition
+   *            to AGR_YES without restyling is possible.
+   */
+  enum AGRState { AGR_NO, AGR_YES, AGR_MAYBE };
+
 public:
   typedef mozilla::FrameLayerBuilder FrameLayerBuilder;
   typedef mozilla::DisplayItemClip DisplayItemClip;
@@ -818,8 +827,9 @@ public:
           aBuilder->FindReferenceFrameFor(aForChild,
               &aBuilder->mCurrentOffsetToReferenceFrame);
       }
+      mCurrentAGRState = aBuilder->IsAnimatedGeometryRoot(aForChild);
       if (aBuilder->mCurrentFrame == aForChild->GetParent()) {
-        if (aBuilder->IsAnimatedGeometryRoot(aForChild)) {
+        if (mCurrentAGRState == AGR_YES) {
           aBuilder->mCurrentAGR = aBuilder->WrapAGRForFrame(aForChild, aBuilder->mCurrentAGR);
         }
       } else if (aForChild != aBuilder->mCurrentFrame) {
@@ -843,8 +853,10 @@ public:
       return mPrevAnimatedGeometryRoot;
     }
     bool IsAnimatedGeometryRoot() const {
-      return *mBuilder->mCurrentAGR == mBuilder->mCurrentFrame;
-
+      return mCurrentAGRState == AGR_YES;
+    }
+    bool MaybeAnimatedGeometryRoot() const {
+      return mCurrentAGRState == AGR_MAYBE;
     }
     void RestoreBuildingInvisibleItemsValue() {
       mBuilder->mBuildingInvisibleItems = mPrevBuildingInvisibleItems;
@@ -862,6 +874,7 @@ public:
     }
   private:
     nsDisplayListBuilder* mBuilder;
+    AGRState              mCurrentAGRState;
     const nsIFrame*       mPrevFrame;
     const nsIFrame*       mPrevReferenceFrame;
     nsIFrame*             mPrevAnimatedGeometryRoot;
@@ -1398,7 +1411,8 @@ private:
    * Returns whether a frame acts as an animated geometry root, optionally
    * returning the next ancestor to check.
    */
-  bool IsAnimatedGeometryRoot(nsIFrame* aFrame, nsIFrame** aParent = nullptr);
+  AGRState IsAnimatedGeometryRoot(nsIFrame* aFrame,
+                                  nsIFrame** aParent = nullptr);
 
   /**
    * Returns the nearest ancestor frame to aFrame that is considered to have

layout/xul/nsMenuPopupFrame.cpp

@@ -2510,11 +2510,13 @@ nsMenuPopupFrame::ShouldFollowAnchor(nsRect& aRect)
   }
 
   nsIFrame* anchorFrame = mAnchorContent->GetPrimaryFrame();
-  if (anchorFrame) {
-    nsPresContext* rootPresContext = PresContext()->GetRootPresContext();
-    if (rootPresContext) {
-      aRect = ComputeAnchorRect(rootPresContext, anchorFrame);
-    }
+  if (!anchorFrame) {
+    return false;
+  }
+
+  nsPresContext* rootPresContext = PresContext()->GetRootPresContext();
+  if (rootPresContext) {
+    aRect = ComputeAnchorRect(rootPresContext, anchorFrame);
   }
 
   return true;

security/manager/ssl/StaticHPKPins.h

@@ -1160,4 +1160,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1502377322721000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1502463680810000);

security/manager/ssl/nsSTSPreloadList.errors

@@ -1,6 +1,7 @@
 007sascha.de: did not receive HSTS header
 00f.net: did not receive HSTS header
 020wifi.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 118"  data: no]
+0513c.com: could not connect to host
 0g.org.uk: could not connect to host
 0o0.ooo: could not connect to host
 0p.no: did not receive HSTS header
@@ -102,7 +103,6 @@ aaron-gustafson.com: did not receive HSTS header
 aati.info: did not receive HSTS header
 abearofsoap.com: could not connect to host
 abecodes.net: did not receive HSTS header
-abeontech.com: could not connect to host
 abilitylist.org: did not receive HSTS header
 abioniere.de: could not connect to host
 ablogagency.net: could not connect to host
@@ -134,10 +134,9 @@ actu-medias.com: did not receive HSTS header
 acuve.jp: could not connect to host
 ada.is: max-age too low: 2592000
 adajwells.me: could not connect to host
-adamgold.net: could not connect to host
 adams.net: max-age too low: 0
 adamwk.com: did not receive HSTS header
-adboos.com: could not connect to host
+adboos.com: did not receive HSTS header
 addaxpetroleum.com: could not connect to host
 addvocate.com: could not connect to host
 adelevie.com: could not connect to host
@@ -156,8 +155,6 @@ adquisitio.es: could not connect to host
 adquisitio.fr: could not connect to host
 adquisitio.it: could not connect to host
 adrianseo.ro: did not receive HSTS header
-adrienkohlbecker.com: could not connect to host
-adrinet.tk: could not connect to host
 adrl.ca: could not connect to host
 adsfund.org: could not connect to host
 aduedu.de: did not receive HSTS header
@@ -232,7 +229,7 @@ alloinformatique.net: could not connect to host
 allstarswithus.com: could not connect to host
 alpha.irccloud.com: could not connect to host
 alphabit-secure.com: could not connect to host
-alphabuild.io: did not receive HSTS header
+alphabuild.io: could not connect to host
 alphalabs.xyz: could not connect to host
 alt33c3.org: could not connect to host
 altfire.ca: could not connect to host
@@ -344,6 +341,7 @@ appsdash.io: could not connect to host
 appseccalifornia.org: did not receive HSTS header
 aptive.co.uk: did not receive HSTS header
 aqilacademy.com.au: could not connect to host
+aqualogy.de: could not connect to host
 aquilalab.com: could not connect to host
 arabdigitalexpression.org: did not receive HSTS header
 aradulconteaza.ro: could not connect to host
@@ -398,7 +396,7 @@ asuhe.cc: did not receive HSTS header
 asuhe.win: could not connect to host
 atavio.at: could not connect to host
 atavio.ch: could not connect to host
-atavio.de: did not receive HSTS header
+atavio.de: could not connect to host
 atbeckett.com: did not receive HSTS header
 athenelive.com: could not connect to host
 athul.xyz: did not receive HSTS header
@@ -493,7 +491,6 @@ bashcode.ninja: could not connect to host
 basicsolutionsus.com: did not receive HSTS header
 basilisk.io: could not connect to host
 bassh.net: could not connect to host
-batonger.com: did not receive HSTS header
 baud.ninja: could not connect to host
 baum.ga: did not receive HSTS header
 baumstark.ca: could not connect to host
@@ -548,6 +545,7 @@ besixdouze.world: could not connect to host
 besola.de: did not receive HSTS header
 bestbeards.ca: could not connect to host
 bestcellular.com: did not receive HSTS header
+bestgifts4you.com: could not connect to host
 besthost.cz: did not receive HSTS header
 betcafearena.ro: did not receive HSTS header
 bethditto.com: could not connect to host
@@ -583,7 +581,6 @@ billin.net: did not receive HSTS header
 billkiss.com: could not connect to host
 billninja.com: did not receive HSTS header
 billrusling.com: could not connect to host
-biltullen.com: did not receive HSTS header
 binderapp.net: could not connect to host
 bingcheung.com: did not receive HSTS header
 biofam.ru: did not receive HSTS header
@@ -643,7 +640,7 @@ blupig.net: did not receive HSTS header
 bluserv.net: did not receive HSTS header
 bm-trading.nl: did not receive HSTS header
 bnhlibrary.com: did not receive HSTS header
-bobiji.com: did not receive HSTS header
+bobiji.com: could not connect to host
 bodo-wolff.de: could not connect to host
 bodyblog.nl: did not receive HSTS header
 bodybuilding-legends.com: could not connect to host
@@ -697,7 +694,6 @@ britzer-toner.de: did not receive HSTS header
 brks.xyz: could not connect to host
 broken-oak.com: could not connect to host
 brokenhands.io: could not connect to host
-bronevichok.ru: could not connect to host
 brookechase.com: did not receive HSTS header
 browserid.org: could not connect to host
 brunix.net: did not receive HSTS header
@@ -828,6 +824,7 @@ catinmay.com: did not receive HSTS header
 catnapstudios.com: could not connect to host
 caveclan.org: did not receive HSTS header
 cavedroid.xyz: could not connect to host
+cbdev.de: could not connect to host
 cbhq.net: could not connect to host
 cbtistexcalac.mx: max-age too low: 0
 ccblog.de: did not receive HSTS header
@@ -910,6 +907,7 @@ chrisopperwall.com: did not receive HSTS header
 christiaandruif.nl: could not connect to host
 christianbargon.de: did not receive HSTS header
 christianbro.gq: could not connect to host
+christiangaetano.com: could not connect to host
 christophercolumbusfoundation.gov: did not receive HSTS header
 christophheich.me: could not connect to host
 chrisu3050.at: could not connect to host
@@ -935,7 +933,7 @@ ciuciucadou.ro: could not connect to host
 cium.ru: could not connect to host
 cjcaron.org: could not connect to host
 claimconnect.us: could not connect to host
-clanrose.org.uk: max-age too low: 0
+clanrose.org.uk: max-age too low: 10
 clara-baumert.de: could not connect to host
 claralabs.com: did not receive HSTS header
 classicsandexotics.com: did not receive HSTS header
@@ -1009,7 +1007,6 @@ codelayer.ca: could not connect to host
 codelitmus.com: did not receive HSTS header
 codemonkeyrawks.net: did not receive HSTS header
 codepoet.de: could not connect to host
-codepult.com: could not connect to host
 codepx.com: did not receive HSTS header
 codiva.io: max-age too low: 2592000
 coffeeetc.co.uk: did not receive HSTS header
@@ -1026,6 +1023,7 @@ colo-tech.com: could not connect to host
 colognegaming.net: could not connect to host
 coloradocomputernetworking.net: could not connect to host
 colorlib.com: did not receive HSTS header
+combron.nl: did not receive HSTS header
 comfortdom.ua: did not receive HSTS header
 comfortticket.de: did not receive HSTS header
 comicspines.com: could not connect to host
@@ -1063,6 +1061,7 @@ coole-meister.de: could not connect to host
 cooxa.com: did not receive HSTS header
 cor-ser.es: could not connect to host
 coralproject.net: did not receive HSTS header
+corbax.com: did not receive HSTS header
 corderoscleaning.com: did not receive HSTS header
 cordial-restaurant.com: did not receive HSTS header
 core.mx: could not connect to host
@@ -1108,7 +1107,7 @@ crockett.io: did not receive HSTS header
 croome.no-ip.org: could not connect to host
 crosscom.ch: could not connect to host
 crosssec.com: did not receive HSTS header
-crowd.supply: could not connect to host
+crowd.supply: did not receive HSTS header
 crowdcurity.com: did not receive HSTS header
 crowdjuris.com: could not connect to host
 crtvmgmt.com: could not connect to host
@@ -1192,6 +1191,7 @@ danieliancu.com: could not connect to host
 danielworthy.com: did not receive HSTS header
 danijobs.com: could not connect to host
 danishenanigans.com: could not connect to host
+danjesensky.com: could not connect to host
 danrl.de: could not connect to host
 daolerp.xyz: could not connect to host
 dargasia.is: could not connect to host
@@ -1223,6 +1223,7 @@ davidglidden.eu: could not connect to host
 davidhunter.scot: did not receive HSTS header
 davidnoren.com: did not receive HSTS header
 davidreinhardt.de: could not connect to host
+dawson-floridavilla.co.uk: max-age too low: 10
 daylightcompany.com: did not receive HSTS header
 daytonaseaside.com: did not receive HSTS header
 db.gy: could not connect to host
@@ -1312,8 +1313,7 @@ digitalriver.tk: could not connect to host
 digitalskillswap.com: could not connect to host
 dim.lighting: could not connect to host
 dinamoelektrik.com: could not connect to host
-dingcc.com: did not receive HSTS header
-dingcc.me: did not receive HSTS header
+dingcc.me: could not connect to host
 dinkum.online: could not connect to host
 directhskincream.com: could not connect to host
 directorinegocis.cat: could not connect to host
@@ -1366,6 +1366,7 @@ dollarstore24.com: could not connect to host
 dollywiki.co.uk: could not connect to host
 dolphin-cloud.com: could not connect to host
 dolphincorp.co.uk: could not connect to host
+domadillo.com: could not connect to host
 domaris.de: did not receive HSTS header
 dominicpratt.de: did not receive HSTS header
 dominioanimal.com: could not connect to host
@@ -1401,6 +1402,7 @@ drdevil.ru: could not connect to host
 dreadbyte.com: could not connect to host
 dreamcatcherblog.de: could not connect to host
 dreamlighteyeserum.com: could not connect to host
+dreamsforabetterworld.com.au: did not receive HSTS header
 dredgepress.com: could not connect to host
 dreid.org: did not receive HSTS header
 drewgle.net: could not connect to host
@@ -1420,6 +1422,7 @@ dubrovskiy.pro: could not connect to host
 duesee.org: could not connect to host
 dullsir.com: did not receive HSTS header
 dungi.org: could not connect to host
+dutchessuganda.com: did not receive HSTS header
 dutchrank.com: did not receive HSTS header
 dworzak.ch: could not connect to host
 dycontrol.de: could not connect to host
@@ -1427,7 +1430,6 @@ dyktig.as: did not receive HSTS header
 dylanscott.com.au: did not receive HSTS header
 dymersion.com: did not receive HSTS header
 dynamic-innovations.net: could not connect to host
-dyrkar.com: did not receive HSTS header
 dzimejl.sk: did not receive HSTS header
 dzlibs.io: could not connect to host
 dzndk.com: could not connect to host
@@ -1541,6 +1543,7 @@ endlessdiy.ca: could not connect to host
 endlesshorizon.net: could not connect to host
 endlesstone.com: did not receive HSTS header
 enefan.jp: could not connect to host
+engelwerbung.com: did not receive HSTS header
 enginsight.com: did not receive HSTS header
 englishyamal.ru: did not receive HSTS header
 enigmacpt.com: did not receive HSTS header
@@ -1563,11 +1566,14 @@ envygeeks.io: did not receive HSTS header
 eol34.com: did not receive HSTS header
 epanurse.com: could not connect to host
 ephry.com: could not connect to host
+epicpages.com: could not connect to host
 epoxate.com: could not connect to host
+epublibre.org: could not connect to host
 eq8.net.au: could not connect to host
 equate.net.au: could not connect to host
 equatetechnologies.com.au: could not connect to host
 equilibre-yoga-jennifer-will.com: could not connect to host
+equitee.co: could not connect to host
 erawanarifnugroho.com: did not receive HSTS header
 eressea.xyz: could not connect to host
 ericbond.net: could not connect to host
@@ -1623,6 +1629,7 @@ euren.se: could not connect to host
 eurocamping.se: could not connect to host
 euroshop24.net: could not connect to host
 evafojtova.cz: did not receive HSTS header
+evangelosm.com: could not connect to host
 evdenevenakliyatankara.pw: did not receive HSTS header
 everybooks.com: max-age too low: 60
 everylab.org: could not connect to host
@@ -1713,6 +1720,7 @@ festrip.com: could not connect to host
 fexmen.com: could not connect to host
 ffmradio.de: did not receive HSTS header
 fics-twosigma.com: could not connect to host
+fid.to: could not connect to host
 fiftyshadesofluca.ml: could not connect to host
 fig.co: did not receive HSTS header
 fightr.co: could not connect to host
@@ -1813,6 +1821,7 @@ frankwei.xyz: did not receive HSTS header
 franta.biz: did not receive HSTS header
 franta.email: did not receive HSTS header
 franzt.de: could not connect to host
+franzt.ovh: could not connect to host
 frasys.io: could not connect to host
 frasys.net: could not connect to host
 fredvoyage.fr: did not receive HSTS header
@@ -1953,7 +1962,6 @@ getwashdaddy.com: could not connect to host
 gfm.tech: could not connect to host
 gfwsb.ml: could not connect to host
 ggss.ml: could not connect to host
-gha.st: did not receive HSTS header
 gheorghesarcov.ga: could not connect to host
 gheorghesarcov.tk: could not connect to host
 gietvloergarant.nl: did not receive HSTS header
@@ -1974,6 +1982,7 @@ gizzo.sk: could not connect to host
 gl.search.yahoo.com: did not receive HSTS header
 glass.google.com: did not receive HSTS header (error ignored - included regardless)
 glentakahashi.com: max-age too low: 0
+glitchsys.com: could not connect to host
 glitzmirror.com: could not connect to host
 global-adult-webcams.com: did not receive HSTS header
 globalado.com: could not connect to host
@@ -1986,7 +1995,6 @@ gm.search.yahoo.com: did not receive HSTS header
 gmail.com: did not receive HSTS header (error ignored - included regardless)
 gmantra.org: could not connect to host
 gmoes.at: max-age too low: 600000
-gnylf.com: did not receive HSTS header
 go.ax: did not receive HSTS header
 go2sh.de: did not receive HSTS header
 goabonga.com: could not connect to host
@@ -2023,7 +2031,6 @@ gorilla-gym.site: could not connect to host
 gothamlimo.com: could not connect to host
 goto.google.com: did not receive HSTS header (error ignored - included regardless)
 gotocloud.ru: could not connect to host
-gotowned.org: did not receive HSTS header
 gotspot.com: could not connect to host
 gottcode.org: did not receive HSTS header
 gov.ax: could not connect to host
@@ -2185,13 +2192,11 @@ hdrboundless.com: could not connect to host
 hdsmigrationtool.com: could not connect to host
 hduin.xyz: could not connect to host
 hdwallpapers.net: did not receive HSTS header
-healthiercompany.com: did not receive HSTS header
 healtious.com: did not receive HSTS header
 heart.ge: did not receive HSTS header
 heartlandrentals.com: did not receive HSTS header
 heathmanners.com: could not connect to host
 hebaus.com: could not connect to host
-hectorj.net: could not connect to host
 heidilein.info: did not receive HSTS header
 heijblok.com: could not connect to host
 heimnetze.org: could not connect to host
@@ -2206,7 +2211,6 @@ henriknoerr.com: could not connect to host
 herrenfahrt.com: did not receive HSTS header
 herzbotschaft.de: did not receive HSTS header
 heutger.net: did not receive HSTS header
-hex2013.com: did not receive HSTS header
 heycms.com: could not connect to host
 heywoodtown.co.uk: could not connect to host
 hfi.me: could not connect to host
@@ -2245,8 +2249,6 @@ homeclouding.de: could not connect to host
 homedna.com: did not receive HSTS header
 hometownmall.com: did not receive HSTS header
 homeyantra.com: max-age too low: 86400
-hompus.nl: could not connect to host
-honeybeard.co.uk: could not connect to host
 hongzhaxiaofendui.com: could not connect to host
 honoo.com: could not connect to host
 hookandloom.com: did not receive HSTS header
@@ -2329,7 +2331,6 @@ id-co.in: could not connect to host
 id-conf.com: did not receive HSTS header
 idacmedia.com: max-age too low: 5184000
 ideal-envelopes.co.uk: did not receive HSTS header
-ideaman924.com: could not connect to host
 ideasmeetingpoint.com: could not connect to host
 ideation-inc.co.jp: could not connect to host
 idecode.net: could not connect to host
@@ -2428,7 +2429,6 @@ intel.li: did not receive HSTS header
 interference.io: could not connect to host
 interhosts.co.za: could not connect to host
 interlun.com: could not connect to host
-internect.co.za: did not receive HSTS header
 internetcasinos.de: could not connect to host
 internetcensus.org: could not connect to host
 interserved.com: did not receive HSTS header
@@ -2447,7 +2447,6 @@ iosmods.com: did not receive HSTS header
 iostips.ru: could not connect to host
 iotsms.io: could not connect to host
 ip6.im: did not receive HSTS header
-iphoneunlock.nu: did not receive HSTS header
 ipmimagazine.com: did not receive HSTS header
 iprice.co.id: did not receive HSTS header
 iprice.hk: did not receive HSTS header
@@ -2477,6 +2476,7 @@ iseek.biz: max-age too low: 0
 ishillaryclintoninprisonyet.com: could not connect to host
 isitamor.pm: could not connect to host
 iskaz.rs: did not receive HSTS header
+isntall.us: could not connect to host
 isogen5.com: could not connect to host
 isogram.nl: could not connect to host
 israkurort.com: did not receive HSTS header
@@ -2593,9 +2593,11 @@ jingyuesi.com: could not connect to host
 jirav.io: could not connect to host
 jkb.pics: could not connect to host
 jkbuster.com: could not connect to host
+jm-bea.net: did not receive HSTS header
 joakimalgroy.com: could not connect to host
 jobmedic.com: did not receive HSTS header
 jobss.co.uk: did not receive HSTS header
+joduska.me: could not connect to host
 joedavison.me: could not connect to host
 johannes-sprink.de: could not connect to host
 johnbrownphotography.ch: did not receive HSTS header
@@ -2630,6 +2632,7 @@ jslay.net: could not connect to host
 jualautoclave.com: did not receive HSTS header
 jualssh.com: could not connect to host
 julian-kipka.de: could not connect to host
+julibear.com: could not connect to host
 julido.de: did not receive HSTS header
 jumbox.xyz: could not connect to host
 junaos.xyz: did not receive HSTS header
@@ -2663,7 +2666,6 @@ kamikano.com: could not connect to host
 kamitech.ch: could not connect to host
 kanar.nl: could not connect to host
 kaneo-gmbh.de: did not receive HSTS header
-kangooroule.fr: could not connect to host
 kaplatz.is: could not connect to host
 kapucini.si: max-age too low: 0
 karaoketonight.com: could not connect to host
@@ -2691,7 +2693,7 @@ keeley.ml: could not connect to host
 keeleysam.me: could not connect to host
 keepassa.co: could not connect to host
 keepclean.me: could not connect to host
-kellyandantony.com: could not connect to host
+kellyandantony.com: did not receive HSTS header
 kerangalam.com: could not connect to host
 kerksanders.nl: did not receive HSTS header
 kermadec.net: could not connect to host
@@ -2716,6 +2718,7 @@ kingmanhall.org: could not connect to host
 kinkdr.com: could not connect to host
 kinnon.enterprises: could not connect to host
 kionetworks.com: did not receive HSTS header
+kirbear.com: could not connect to host
 kirkforcongress.com: could not connect to host
 kirkforsenate.com: could not connect to host
 kirkpatrickdavis.com: could not connect to host
@@ -2780,6 +2783,7 @@ kreb.io: could not connect to host
 kredite.sale: could not connect to host
 krestanskydarek.cz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 118"  data: no]
 kriegt.es: did not receive HSTS header
+kristikala.nl: could not connect to host
 krizevci.info: did not receive HSTS header
 kroetenfuchs.de: could not connect to host
 kroodle.nl: did not receive HSTS header
@@ -2792,13 +2796,13 @@ kstan.me: could not connect to host
 kswriter.com: could not connect to host
 kucom.it: did not receive HSTS header
 kueulangtahunanak.net: could not connect to host
-kultmobil.se: did not receive HSTS header
 kummerlaender.eu: did not receive HSTS header
 kupelne-ptacek.sk: did not receive HSTS header
 kuppingercole.com: did not receive HSTS header
 kura.io: could not connect to host
 kurehun.org: could not connect to host
 kurtmclester.com: did not receive HSTS header
+kurz.pw: could not connect to host
 kusaka-abacus.jp: max-age too low: 0
 kweddingplanning.com: did not receive HSTS header
 kwok.tv: could not connect to host
@@ -2855,6 +2859,7 @@ lawformt.com: could not connect to host
 lawly.org: could not connect to host
 laxatus.com: could not connect to host
 laxiongames.es: could not connect to host
+lazerus.net: did not receive HSTS header
 lbrt.xyz: could not connect to host
 ldarby.me.uk: could not connect to host
 leadership9.com: could not connect to host
@@ -2912,6 +2917,7 @@ liaoshuma.com: could not connect to host
 libanco.com: could not connect to host
 libertyrp.org: could not connect to host
 library.linode.com: did not receive HSTS header
+libraryfreedomproject.org: could not connect to host
 libreboot.org: did not receive HSTS header
 librechan.net: could not connect to host
 libreduca.com: could not connect to host
@@ -2926,8 +2932,8 @@ lifestylehunter.co.uk: did not receive HSTS header
 lifetimemoneymachine.com: did not receive HSTS header
 lightarmory.com: could not connect to host
 lightpaste.com: could not connect to host
-lighttp.com: did not receive HSTS header
 lightworx.io: did not receive HSTS header
+lijero.co: could not connect to host
 lila.pink: did not receive HSTS header
 lillpopp.eu: max-age too low: 10
 lilpwny.com: could not connect to host
@@ -2954,6 +2960,7 @@ linuxforyou.com: could not connect to host
 linuxgeek.ro: could not connect to host
 linuxmint.cz: max-age too low: 0
 linuxmonitoring.net: could not connect to host
+linuxwebservertips.in: could not connect to host
 liquorsanthe.in: could not connect to host
 lisaco.de: could not connect to host
 listafirmelor.com: could not connect to host
@@ -2971,23 +2978,23 @@ loafbox.com: could not connect to host
 loansonline.today: could not connect to host
 localdrive.me: did not receive HSTS header
 localhorst.xyz: could not connect to host
-lockpicks.se: did not receive HSTS header
 locktheirphone.com: could not connect to host
 locomotive.ca: did not receive HSTS header
 loftboard.eu: could not connect to host
 logario.com.br: could not connect to host
+logcat.info: could not connect to host
 logicaladvertising.com: could not connect to host
 login.corp.google.com: max-age too low: 7776000 (error ignored - included regardless)
 loginseite.com: could not connect to host
 lognot.net: could not connect to host
 lolidunno.com: could not connect to host
+lolmegafroi.de: could not connect to host
 londonlanguageexchange.com: could not connect to host
 lonerwolf.com: did not receive HSTS header
 look-at-my.site: could not connect to host
 lookasik.eu: did not receive HSTS header
 lookout.com: did not receive HSTS header
 lookzook.com: did not receive HSTS header
-loongsg.xyz: could not connect to host
 lostg.com: could not connect to host
 lostinsecurity.com: could not connect to host
 lostinweb.eu: could not connect to host
@@ -3017,6 +3024,8 @@ ludwiggrill.de: did not receive HSTS header
 lufthansaexperts.com: max-age too low: 2592000
 luine.xyz: max-age too low: 0
 luis-checa.com: could not connect to host
+lukas-schauer.de: could not connect to host
+lukas2511.de: could not connect to host
 lukonet.com: did not receive HSTS header
 luludapomerania.com: could not connect to host
 lumd.me: could not connect to host
@@ -3024,7 +3033,6 @@ lumi.do: did not receive HSTS header
 lunarift.com: could not connect to host
 lunarrift.net: could not connect to host
 luneta.nearbuysystems.com: could not connect to host
-lunix.io: did not receive HSTS header
 luno.io: could not connect to host
 luody.info: could not connect to host
 luoe.ml: could not connect to host
@@ -3058,7 +3066,6 @@ madars.org: did not receive HSTS header
 maddin.ga: could not connect to host
 madebymagnitude.com: did not receive HSTS header
 maderwin.com: did not receive HSTS header
-madreacqua.org: could not connect to host
 mae-berlinistanbul.com: could not connect to host
 mafamane.com: could not connect to host
 mafiareturns.com: max-age too low: 2592000
@@ -3106,6 +3113,7 @@ marie-elisabeth.dk: did not receive HSTS header
 marie-en-provence.com: did not receive HSTS header
 markaconnor.com: could not connect to host
 markayapilandirma.com: could not connect to host
+markcp.me: did not receive HSTS header
 market.android.com: did not receive HSTS header (error ignored - included regardless)
 markrego.com: could not connect to host
 marksill.com: could not connect to host
@@ -3114,6 +3122,7 @@ markus-dev.com: did not receive HSTS header
 markusweimar.de: did not receive HSTS header
 marleyresort.com: did not receive HSTS header
 marshut.net: could not connect to host
+martialc.be: could not connect to host
 martiert.com: could not connect to host
 martijnvhoof.nl: could not connect to host
 martinec.co.uk: could not connect to host
@@ -3200,7 +3209,6 @@ meritz.rocks: could not connect to host
 merson.me: could not connect to host
 meshok.ru: did not receive HSTS header
 mesmoque.com: did not receive HSTS header
-metachris.com: could not connect to host
 metagrader.com: could not connect to host
 metebalci.com: did not receive HSTS header
 meteosky.net: could not connect to host
@@ -3347,6 +3355,7 @@ motocyklovedily.cz: did not receive HSTS header
 motoryz.com: max-age too low: 300
 mottvd.com: could not connect to host
 moula.com.au: did not receive HSTS header
+mountainactivitysection.org.uk: max-age too low: 10
 mountainmusicpromotions.com: did not receive HSTS header
 moviesabout.net: could not connect to host
 moy-gorod.od.ua: did not receive HSTS header
@@ -3354,7 +3363,6 @@ moy.cat: did not receive HSTS header
 mp3juices.is: could not connect to host
 mpintaamalabanna.it: could not connect to host
 mqas.net: could not connect to host
-mrawe.com: could not connect to host
 mrdani.net: could not connect to host
 mrettich.org: did not receive HSTS header
 mrning.com: did not receive HSTS header
@@ -3406,6 +3414,7 @@ myepass.de: could not connect to host
 mygate.at: could not connect to host
 mygdut.com: did not receive HSTS header
 mygov.scot: did not receive HSTS header
+myimmitracker.com: did not receive HSTS header
 myiocc.org: could not connect to host
 mykolab.com: did not receive HSTS header
 mykreuzfahrt.de: could not connect to host
@@ -3418,7 +3427,6 @@ myphonebox.de: could not connect to host
 mysecretrewards.com: did not receive HSTS header
 mystery-science-theater-3000.de: did not receive HSTS header
 mythlogic.com: did not receive HSTS header
-mythslegendscollection.com: did not receive HSTS header
 myweb360.de: did not receive HSTS header
 myzone.com: did not receive HSTS header
 n-rickroll-e.pw: could not connect to host
@@ -3486,6 +3494,7 @@ nephos.xyz: did not receive HSTS header
 nepustil.net: did not receive HSTS header
 neris.io: could not connect to host
 nestedquotes.ca: could not connect to host
+neswec.org.uk: max-age too low: 10
 netba.net: could not connect to host
 netbox.cc: could not connect to host
 netherwind.eu: did not receive HSTS header
@@ -3633,7 +3642,7 @@ nystart.no: did not receive HSTS header
 nz.search.yahoo.com: max-age too low: 172800
 nzb.cat: did not receive HSTS header
 nzbs.io: could not connect to host
-nzquakes.maori.nz: could not connect to host
+nzquakes.maori.nz: did not receive HSTS header
 o-rickroll-y.pw: could not connect to host
 o0o.one: could not connect to host
 oasis.mobi: did not receive HSTS header
@@ -3663,6 +3672,7 @@ oldchaphome.nl: did not receive HSTS header
 oldoakflorist.com: could not connect to host
 oliverdunk.com: did not receive HSTS header
 ollehbizev.co.kr: could not connect to host
+olygazoo.com: could not connect to host
 omacostudio.com: could not connect to host
 omgaanmetidealen.com: could not connect to host
 ominto.com: max-age too low: 0
@@ -3777,7 +3787,7 @@ oxynux.fr: could not connect to host
 oyste.in: could not connect to host
 p-rickroll-o.pw: could not connect to host
 p.linode.com: could not connect to host
-p3in.com: did not receive HSTS header
+p3in.com: could not connect to host
 p8r.de: could not connect to host
 pa.search.yahoo.com: did not receive HSTS header
 pablocamino.tk: could not connect to host
@@ -3814,7 +3824,6 @@ parentmail.co.uk: did not receive HSTS header
 parithy.net: could not connect to host
 parkingplus.co.il: could not connect to host
 parkrocker.com: did not receive HSTS header
-parodybit.net: could not connect to host
 parpaing-paillette.net: could not connect to host
 particonpsplus.it: did not receive HSTS header
 partijtjevoordevrijheid.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /builds/slave/m-cen-l64-periodicupdate-00000/getHSTSPreloadList.js :: processStsHeader :: line 118"  data: no]
@@ -3844,6 +3853,7 @@ paul-kerebel.pro: could not connect to host
 pauladamsmith.com: could not connect to host
 paulchen.at: could not connect to host
 paulewen.ca: could not connect to host
+paulproell.at: could not connect to host
 paulyang.cn: did not receive HSTS header
 pavelfojt.cz: did not receive HSTS header
 paxwinkel.nl: did not receive HSTS header
@@ -3951,6 +3961,7 @@ playflick.com: did not receive HSTS header
 playmaker.io: could not connect to host
 playmyplay.com: did not receive HSTS header
 playnation.io: could not connect to host
+playsharp.com: could not connect to host
 please-deny.me: did not receive HSTS header
 pleasure.forsale: could not connect to host
 pleier-it.de: did not receive HSTS header
@@ -4002,6 +4013,7 @@ potsky.com: did not receive HSTS header
 poussinooz.fr: could not connect to host
 povitria.net: could not connect to host
 power99press.com: did not receive HSTS header
+poweroff.win: could not connect to host
 powerplannerapp.com: did not receive HSTS header
 powershift.ne.jp: did not receive HSTS header
 powerxequality.com: could not connect to host
@@ -4041,6 +4053,7 @@ progblog.net: could not connect to host
 progg.no: could not connect to host
 progress-technologies.com: could not connect to host
 prohostonline.fi: could not connect to host
+proitconsulting.com.au: could not connect to host
 project-sparks.eu: did not receive HSTS header
 projectmercury.space: could not connect to host
 promecon-gmbh.de: did not receive HSTS header
@@ -4049,7 +4062,6 @@ prontolight.com: did not receive HSTS header
 prontomovers.co.uk: could not connect to host
 propactrading.com: could not connect to host
 property-catalogue.eu: did not receive HSTS header
-proposalonline.com: did not receive HSTS header
 prosocialmachines.com: could not connect to host
 prosoft.sk: did not receive HSTS header
 prosperident.com: did not receive HSTS header
@@ -4096,6 +4108,7 @@ qccqld.org.au: could not connect to host
 qingpat.com: could not connect to host
 qingxuan.info: max-age too low: 864000
 qinxi1992.com: could not connect to host
+qirinus.com: could not connect to host
 qldconservation.org: could not connect to host
 qonqa.de: did not receive HSTS header
 qop.io: could not connect to host
@@ -4112,7 +4125,7 @@ quantenteranik.eu: could not connect to host
 quantum-cloud.xyz: could not connect to host
 quantumcourse.org: did not receive HSTS header
 quebecmailbox.com: could not connect to host
-queercoders.com: could not connect to host
+queercoders.com: did not receive HSTS header
 queryplayground.com: could not connect to host
 questsandrewards.com: could not connect to host
 quizmemes.org: could not connect to host
@@ -4129,6 +4142,7 @@ r3bl.me: did not receive HSTS header
 ra-schaal.de: could not connect to host
 raajheshkannaa.com: could not connect to host
 radicaleducation.net: could not connect to host
+radtke.bayern: could not connect to host
 rafaelcz.de: could not connect to host
 railjob.cn: could not connect to host
 rainbowbarracuda.com: could not connect to host
@@ -4198,6 +4212,7 @@ regenbogenwald.de: did not receive HSTS header
 regenerescence.com: did not receive HSTS header
 reggae-cdmx.com: did not receive HSTS header
 reic.me: could not connect to host
+reichl-online.net: could not connect to host
 reinaldudras.ee: did not receive HSTS header
 reisyukaku.org: did not receive HSTS header
 rejo.in: could not connect to host
@@ -4269,8 +4284,10 @@ rme.li: did not receive HSTS header
 rngmeme.com: could not connect to host
 roadfeast.com: could not connect to host
 roan24.pl: did not receive HSTS header
+robandjanine.com: could not connect to host
 robertglastra.com: could not connect to host
 robigalia.org: did not receive HSTS header
+robspc.repair: could not connect to host
 robteix.com: did not receive HSTS header
 robtex.net: did not receive HSTS header
 robtex.org: did not receive HSTS header
@@ -4296,6 +4313,7 @@ rootforum.org: did not receive HSTS header
 rootservice.org: did not receive HSTS header
 rootwpn.com: could not connect to host
 rop.io: could not connect to host
+roseitsolutions.co.uk: max-age too low: 10
 rossen.be: did not receive HSTS header
 rosslug.org.uk: could not connect to host
 rough.nu: could not connect to host
@@ -4337,6 +4355,7 @@ rx-contact.com: did not receive HSTS header
 rxprep.com: did not receive HSTS header
 rxv.cc: could not connect to host
 ryanteck.uk: did not receive HSTS header
+rylin.net: did not receive HSTS header
 s-rickroll-p.pw: could not connect to host
 s.how: did not receive HSTS header
 safelist.eu: did not receive HSTS header
@@ -4393,6 +4412,7 @@ sby.de: did not receive HSTS header
 sc4le.com: could not connect to host
 scannabi.com: could not connect to host
 schadegarant.net: could not connect to host
+schauer.so: could not connect to host
 schnapke.name: could not connect to host
 schnell-gold.com: could not connect to host
 schooltrends.co.uk: did not receive HSTS header
@@ -4428,6 +4448,7 @@ scrion.com: could not connect to host
 script.google.com: did not receive HSTS header (error ignored - included regardless)
 scriptenforcer.net: could not connect to host
 scriptict.nl: could not connect to host
+sculpture.support: did not receive HSTS header
 sdmoscow.ru: could not connect to host
 sdrobs.com: did not receive HSTS header
 sdsl-speedtest.de: could not connect to host
@@ -4465,6 +4486,7 @@ sehenderson.com: did not receive HSTS header
 seiko-dojo.com: could not connect to host
 selecadm.name: could not connect to host
 selectruckscalltrackingreports.com: could not connect to host
+self-evident.org: could not connect to host
 selfcarecentral.com: did not receive HSTS header
 selfie-france.fr: could not connect to host
 selldorado.com: could not connect to host
@@ -4544,6 +4566,7 @@ siddhant.me: did not receive HSTS header
 siebens.net: could not connect to host
 sifls.com: could not connect to host
 sig6.org: could not connect to host
+sijimi.cn: could not connect to host
 sijmenschoon.nl: did not receive HSTS header
 silaslova-ekb.ru: could not connect to host
 silentcircle.com: did not receive HSTS header
@@ -4569,7 +4592,6 @@ simply-premium.com: did not receive HSTS header
 sin30.net: could not connect to host
 sincron.org: could not connect to host
 sinful.pw: could not connect to host
-sinfulforums.net: could not connect to host
 singul4rity.com: could not connect to host
 sinosky.org: did not receive HSTS header
 siriad.com: could not connect to host
@@ -4580,7 +4602,6 @@ siterip.org: could not connect to host
 sites.google.com: did not receive HSTS header (error ignored - included regardless)
 sitesten.com: did not receive HSTS header
 sixtwentyten.com: did not receive HSTS header
-skalender.ch: could not connect to host
 skhosting.eu: max-age too low: 0
 ski-insurance.com.au: did not receive HSTS header
 skidstresser.com: did not receive HSTS header
@@ -4588,10 +4609,10 @@ skile.ru: could not connect to host
 skk.io: could not connect to host
 skoda-clever-lead.de: could not connect to host
 skolem.de: could not connect to host
+skotty.io: did not receive HSTS header
 skullhouse.nyc: did not receive HSTS header
 skyflix.me: could not connect to host
 skyoy.com: did not receive HSTS header
-slangbellor.com: did not receive HSTS header
 slash-dev.de: did not receive HSTS header
 slashand.co: did not receive HSTS header
 slashem.me: did not receive HSTS header
@@ -4657,8 +4678,7 @@ solsystems.ru: could not connect to host
 someshit.xyz: could not connect to host
 somethingnew.xyz: could not connect to host
 sonic.network: did not receive HSTS header
-sonicrainboom.rocks: did not receive HSTS header
-sonyunlock.nu: did not receive HSTS header
+sonicrainboom.rocks: could not connect to host
 soobi.org: did not receive HSTS header
 soondy.com: did not receive HSTS header
 sosaka.ml: could not connect to host
@@ -4699,11 +4719,11 @@ spiet.nl: could not connect to host
 spikeykc.me: did not receive HSTS header
 spillmaker.no: did not receive HSTS header
 spilsbury.io: could not connect to host
-spitefultowel.com: could not connect to host
 spititout.it: could not connect to host
 spittersberger.recipes: did not receive HSTS header
 sponsortobias.com: did not receive HSTS header
 sportchirp-internal.azurewebsites.net: did not receive HSTS header
+sporthit.ru: could not connect to host
 sportwette.eu: did not receive HSTS header
 spot-events.com: could not connect to host
 spotifyripper.tk: could not connect to host
@@ -4771,7 +4791,6 @@ stewartremodelingadvantage.com: did not receive HSTS header
 stig.io: did not receive HSTS header
 stigroom.com: could not connect to host
 stillblackhat.id: could not connect to host
-stilmobil.se: did not receive HSTS header
 stinkytrashhound.com: could not connect to host
 stirlingpoon.com: did not receive HSTS header
 stirlingpoon.net: did not receive HSTS header
@@ -4793,6 +4812,7 @@ stqry.com: did not receive HSTS header
 str0.at: did not receive HSTS header
 strasweb.fr: did not receive HSTS header
 strbt.de: could not connect to host
+stream.pub: did not receive HSTS header
 streamingeverywhere.com: did not receive HSTS header
 streamingmagazin.de: could not connect to host
 streampanel.net: did not receive HSTS header
@@ -4829,6 +4849,7 @@ suksit.com: could not connect to host
 sumoatm.com: did not receive HSTS header
 sumoscout.de: did not receive HSTS header
 suncountrymarine.com: did not receive HSTS header
+sunflyer.cn: did not receive HSTS header
 sunnyfruit.ru: did not receive HSTS header
 sunshinepress.org: could not connect to host
 sunyanzi.tk: could not connect to host
@@ -4883,6 +4904,7 @@ syriatalk.biz: could not connect to host
 syriatalk.org: could not connect to host
 syrocon.ch: could not connect to host
 sys.tf: could not connect to host
+sysmike.de: could not connect to host
 syso.name: could not connect to host
 systemd.me: could not connect to host
 szaszm.tk: could not connect to host
@@ -4898,7 +4920,7 @@ tafoma.com: did not receive HSTS header
 tageau.com: could not connect to host
 taglondon.org: did not receive HSTS header
 tailify.com: did not receive HSTS header
-tails.com.ar: did not receive HSTS header
+tails.com.ar: could not connect to host
 tales-of-interia.de: did not receive HSTS header
 talk.google.com: did not receive HSTS header (error ignored - included regardless)
 talktwincities.com: could not connect to host
@@ -4941,6 +4963,7 @@ tcp.expert: did not receive HSTS header
 tcptun.com: could not connect to host
 teachforcanada.ca: did not receive HSTS header
 team-teasers.com: could not connect to host
+teambeoplay.co.uk: did not receive HSTS header
 teamblueridge.org: could not connect to host
 teamsocial.co: did not receive HSTS header
 teamzeus.cz: could not connect to host
@@ -4980,6 +5003,7 @@ terrax.berlin: could not connect to host
 terrax.info: could not connect to host
 testandroid.xyz: could not connect to host
 testnode.xyz: could not connect to host
+testosterone-complex.com: did not receive HSTS header
 teulon.eu: could not connect to host
 texte-zur-taufe.de: did not receive HSTS header
 texter-linz.at: did not receive HSTS header
@@ -5012,7 +5036,6 @@ thecrochetcottage.net: could not connect to host
 thediaryofadam.com: did not receive HSTS header
 theendofzion.com: did not receive HSTS header
 theescapistswiki.com: could not connect to host
-theeyeopener.com: did not receive HSTS header
 thefarbeyond.com: could not connect to host
 theflowerbasketonline.com: could not connect to host
 thefootballanalyst.com: did not receive HSTS header
@@ -5029,7 +5052,6 @@ thehonorguard.org: did not receive HSTS header
 thehoopsarchive.com: could not connect to host
 theinvisibletrailer.com: could not connect to host
 thejserver.de: could not connect to host
-thelinuxspace.com: could not connect to host
 themarble.co: could not connect to host
 themicrocapital.com: could not connect to host
 themoderate.xyz: could not connect to host
@@ -5037,6 +5059,7 @@ thenextstep.events: could not connect to host
 theodorejones.info: could not connect to host
 theojones.name: could not connect to host
 thepartywarehouse.co.uk: did not receive HSTS header
+thepaymentscompany.com: could not connect to host
 thepcweb.tk: could not connect to host
 thepiratebay.al: could not connect to host
 thepiratebay.poker: could not connect to host
@@ -5046,7 +5069,6 @@ therewill.be: could not connect to host
 theseed.io: could not connect to host
 thestack.xyz: could not connect to host
 thestagchorleywood.co.uk: did not receive HSTS header
-thestory.ie: could not connect to host
 theurbanyoga.com: did not receive HSTS header
 thevintagenews.com: max-age too low: 0
 thewebfellas.com: did not receive HSTS header
@@ -5062,6 +5084,7 @@ thirty5.net: did not receive HSTS header
 thisisacompletetest.ga: could not connect to host
 thisisforager.com: could not connect to host
 thiswebhost.com: did not receive HSTS header
+thomascloud.ddns.net: could not connect to host
 thomaskliszowski.fr: did not receive HSTS header
 thomasschweizer.net: could not connect to host
 thorncreek.net: did not receive HSTS header
@@ -5191,7 +5214,7 @@ true.ink: did not receive HSTS header
 truebred-labradors.com: could not connect to host
 trunkjunk.co: did not receive HSTS header
 trusitio.com: did not receive HSTS header
-trusteecar.com: could not connect to host
+trusteecar.com: did not receive HSTS header
 trustmeimfancy.com: could not connect to host
 trybind.com: could not connect to host
 tryoneday.co: did not receive HSTS header
@@ -5246,7 +5269,6 @@ tzappa.net: could not connect to host
 u-blox.com: max-age too low: 0
 ua.search.yahoo.com: did not receive HSTS header
 uadp.pw: could not connect to host
-uangteman.com: did not receive HSTS header
 uber.com.au: did not receive HSTS header
 uberfunction.com: did not receive HSTS header
 ubicloud.de: could not connect to host
@@ -5261,7 +5283,6 @@ ui8.net: max-age too low: 86400
 ukas.com: did not receive HSTS header
 ukdropshipment.co.uk: did not receive HSTS header
 ukdropshipment.com: did not receive HSTS header
-ukhas.net: could not connect to host
 ukk.dk: max-age too low: 0
 ukrgadget.com: could not connect to host
 ulabox.cat: did not receive HSTS header
@@ -5337,7 +5358,6 @@ ustr.gov: max-age too low: 86400
 utilitarianism.net: did not receive HSTS header
 utleieplassen.no: could not connect to host
 utopiagalaxy.space: could not connect to host
-utopianconcept.com: did not receive HSTS header
 utopianhomespa.com: did not receive HSTS header
 utumno.ch: could not connect to host
 utvbloggen.se: max-age too low: 604800
@@ -5440,11 +5460,12 @@ voicesuk.co.uk: did not receive HSTS header
 voidpay.com: could not connect to host
 voidpay.net: could not connect to host
 voidpay.org: could not connect to host
-volcrado.com: did not receive HSTS header
+voidptr.eu: could not connect to host
+volcrado.com: could not connect to host
 voliere-info.nl: did not receive HSTS header
 volkden.com: could not connect to host
 vortexhobbies.com: did not receive HSTS header
-vosjesweb.nl: did not receive HSTS header
+vosjesweb.nl: could not connect to host
 vox.vg: did not receive HSTS header
 vpl.me: did not receive HSTS header
 vpn-byen.dk: did not receive HSTS header
@@ -5574,7 +5595,6 @@ willosagiede.com: did not receive HSTS header
 winaes.com: did not receive HSTS header
 winclient.cn: could not connect to host
 windowsphoneblog.it: could not connect to host
-winebid.com: could not connect to host
 winecodeavocado.com: could not connect to host
 winged.io: could not connect to host
 wingumd.net: could not connect to host
@@ -5587,7 +5607,7 @@ wirc.gr: could not connect to host
 wireshark.org: did not receive HSTS header
 wiseloan.com: did not receive HSTS header
 wishcert.com: could not connect to host
-witae.com: could not connect to host
+witae.com: did not receive HSTS header
 withgoogle.com: did not receive HSTS header (error ignored - included regardless)
 withmy.beer: could not connect to host
 withustrading.com: could not connect to host
@@ -5631,7 +5651,6 @@ writeapp.me: did not receive HSTS header
 wrldevelopment.com: did not receive HSTS header
 wsscompany.com.ve: could not connect to host
 wufu.org: did not receive HSTS header
-wuhengmin.com: did not receive HSTS header
 wukongmusic.us: did not receive HSTS header
 wurzelzwerg.net: could not connect to host
 wusx.club: could not connect to host
@@ -5674,7 +5693,7 @@ xcoop.me: could not connect to host
 xehoivn.vn: did not receive HSTS header
 xellos.ga: could not connect to host
 xellos.ml: could not connect to host
-xendo.net: did not receive HSTS header
+xendo.net: could not connect to host
 xenesisziarovky.sk: could not connect to host
 xett.com: could not connect to host
 xf-liam.com: did not receive HSTS header
@@ -5685,6 +5704,7 @@ xiaolvmu.me: could not connect to host
 xiaoxiao.im: could not connect to host
 xichuangke.com: could not connect to host
 ximens.me: did not receive HSTS header
+xinbiji.cn: did not receive HSTS header
 xisa.it: could not connect to host
 xiyu.moe: could not connect to host
 xmonk.org: could not connect to host
@@ -5708,6 +5728,7 @@ xn--lgb3a8bcpn.ga: could not connect to host
 xn--lgb3a8bcpn.gq: could not connect to host
 xn--lgb3a8bcpn.ml: could not connect to host
 xn--ls8hi7a.tk: could not connect to host
+xn--lsaupp-iua.se: did not receive HSTS header
 xn--mgbbh2a9fub.xn--ngbc5azd: could not connect to host
 xn--neb-tma3u8u.xyz: could not connect to host
 xn--seelenwchter-mcb.eu: could not connect to host
@@ -5778,7 +5799,7 @@ ypiresia.fr: could not connect to host
 ytcuber.xyz: could not connect to host
 yu.gg: did not receive HSTS header
 yu7.jp: did not receive HSTS header
-yuan.ga: did not receive HSTS header
+yuan.ga: could not connect to host
 yuhen.ru: did not receive HSTS header
 yuko.moe: could not connect to host
 yunzhu.li: did not receive HSTS header
@@ -5786,6 +5807,7 @@ yunzhu.org: could not connect to host
 yutabon.com: could not connect to host
 yuushou.com: max-age too low: 0
 yux.io: did not receive HSTS header
+yvesx.com: could not connect to host
 ywei.org: could not connect to host
 yzal.io: did not receive HSTS header
 z33.ch: did not receive HSTS header
@@ -5853,6 +5875,7 @@ zqhong.com: could not connect to host
 ztan.tk: could not connect to host
 ztcaoll222.cn: did not receive HSTS header
 zubel.it: could not connect to host
+zulu7.com: could not connect to host
 zvncloud.com: did not receive HSTS header
 zwollemagazine.nl: did not receive HSTS header
 zyf.pw: could not connect to host

security/nss/TAG-INFO

@@ -1 +1 @@
-fa15eb3ce158
+236a06d9c3c4

security/nss/automation/taskcluster/docker-aarch64/setup.sh

@@ -26,6 +26,7 @@ apt_packages+=('zlib1g-dev')
 apt_packages+=('ninja-build')
 apt_packages+=('gyp')
 apt_packages+=('mercurial')
+apt_packages+=('locales')
 
 # Install packages.
 apt-get install -y --no-install-recommends ${apt_packages[@]}

security/nss/automation/taskcluster/docker-arm/setup.sh

@@ -12,6 +12,7 @@ apt_packages=()
 apt_packages+=('build-essential')
 apt_packages+=('ca-certificates')
 apt_packages+=('curl')
+apt_packages+=('locales')
 apt_packages+=('python-dev')
 apt_packages+=('python-pip')
 apt_packages+=('python-setuptools')

security/nss/automation/taskcluster/docker-clang-3.9/setup.sh

@@ -12,6 +12,7 @@ apt-get install -y --no-install-recommends apt-utils
 apt_packages=()
 apt_packages+=('ca-certificates')
 apt_packages+=('curl')
+apt_packages+=('locales')
 apt_packages+=('xz-utils')
 
 # Latest Mercurial.

security/nss/automation/taskcluster/docker-decision/setup.sh

@@ -7,7 +7,7 @@ export DEBIAN_FRONTEND=noninteractive
 apt-get -y update && apt-get -y upgrade
 
 # Need those to install newer packages below.
-apt-get install -y --no-install-recommends apt-utils curl ca-certificates
+apt-get install -y --no-install-recommends apt-utils curl ca-certificates locales
 
 # Latest Mercurial.
 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE

security/nss/automation/taskcluster/docker-fuzz/setup.sh

@@ -17,6 +17,7 @@ apt_packages+=('git')
 apt_packages+=('gyp')
 apt_packages+=('libssl-dev')
 apt_packages+=('libxml2-utils')
+apt_packages+=('locales')
 apt_packages+=('ninja-build')
 apt_packages+=('pkg-config')
 apt_packages+=('zlib1g-dev')
@@ -37,7 +38,6 @@ git -C clang-tmp/clang checkout HEAD scripts/update.py
 clang-tmp/clang/scripts/update.py
 rm -fr clang-tmp
 
-# Generate locales.
 locale-gen en_US.UTF-8
 dpkg-reconfigure locales
 

security/nss/automation/taskcluster/docker/setup.sh

@@ -17,6 +17,7 @@ apt_packages+=('npm')
 apt_packages+=('git')
 apt_packages+=('golang-1.6')
 apt_packages+=('libxml2-utils')
+apt_packages+=('locales')
 apt_packages+=('ninja-build')
 apt_packages+=('pkg-config')
 apt_packages+=('zlib1g-dev')

security/nss/automation/taskcluster/graph/src/extend.js

@@ -34,14 +34,8 @@ queue.filter(task => {
       return false;
     }
 
-    // Remove extra builds w/o libpkix for non-linux64-debug.
-    if (task.symbol == "noLibpkix" &&
-        (task.platform != "linux64" || task.collection != "debug")) {
-      return false;
-    }
-
-    // Make modular builds only on Linux x64.
-    if (task.symbol == "modular" && task.platform != "linux64") {
+    // Make modular builds only on Linux make.
+    if (task.symbol == "modular" && task.collection != "make") {
       return false;
     }
   }
@@ -58,9 +52,29 @@ queue.filter(task => {
     }
   }
 
-  // GYP builds with -Ddisable_libpkix=1 by default.
-  if ((task.collection == "gyp" || task.collection == "asan"
-       || task.platform == "aarch64") && task.tests == "chains") {
+  // Only old make builds have -Ddisable_libpkix=0 and can run chain tests.
+  if (task.tests == "chains" && task.collection != "make" &&
+      task.platform != "windows2012-64") {
+    return false;
+  }
+
+  if (task.group == "Test") {
+    // Don't run test builds on old make platforms
+    if (task.collection == "make") {
+      return false;
+    }
+
+    // Disable mpi tests for now on 32-bit builds (bug 1362392)
+    if (task.platform == "linux32") {
+      return false;
+    }
+  }
+
+
+  // Don't run additional hardware tests on ARM (we don't have anything there).
+  if (task.group == "Cipher" && task.platform == "aarch64" && task.env &&
+      (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_HW_AES == "1"
+       || task.env.NSS_DISABLE_AVX == "1")) {
     return false;
   }
 
@@ -87,47 +101,51 @@ queue.map(task => {
 
 export default async function main() {
   await scheduleLinux("Linux 32 (opt)", {
-    env: {BUILD_OPT: "1"},
     platform: "linux32",
     image: LINUX_IMAGE
-  });
+  }, "-m32 --opt");
 
   await scheduleLinux("Linux 32 (debug)", {
     platform: "linux32",
     collection: "debug",
     image: LINUX_IMAGE
-  });
+  }, "-m32");
 
   await scheduleLinux("Linux 64 (opt)", {
-    env: {USE_64: "1", BUILD_OPT: "1"},
     platform: "linux64",
     image: LINUX_IMAGE
-  });
+  }, "--opt");
 
   await scheduleLinux("Linux 64 (debug)", {
-    env: {USE_64: "1"},
     platform: "linux64",
     collection: "debug",
     image: LINUX_IMAGE
   });
 
-  await scheduleLinux("Linux 64 (debug, gyp)", {
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh"
-    ],
+  await scheduleLinux("Linux 64 (debug, make)", {
+    env: {USE_64: "1"},
     platform: "linux64",
-    collection: "gyp",
-    image: LINUX_IMAGE
+    image: LINUX_IMAGE,
+    collection: "make",
+    command: [
+       "/bin/bash",
+       "-c",
+       "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
+    ],
   });
 
-  await scheduleLinux("Linux 64 (GYP, ASan, debug)", {
+  await scheduleLinux("Linux 32 (debug, make)", {
+    platform: "linux32",
+    image: LINUX_IMAGE,
+    collection: "make",
     command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh -g -v --ubsan --asan"
+       "/bin/bash",
+       "-c",
+       "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
     ],
+  });
+
+  await scheduleLinux("Linux 64 (ASan, debug)", {
     env: {
       UBSAN_OPTIONS: "print_stacktrace=1",
       NSS_DISABLE_ARENA_FREE_LIST: "1",
@@ -139,7 +157,7 @@ export default async function main() {
     collection: "asan",
     image: LINUX_IMAGE,
     features: ["allowPtrace"],
-  });
+  }, "--ubsan --asan");
 
   await scheduleWindows("Windows 2012 64 (opt)", {
     env: {BUILD_OPT: "1"}
@@ -151,8 +169,6 @@ export default async function main() {
 
   await scheduleFuzzing();
 
-  await scheduleTestBuilds();
-
   await scheduleTools();
 
   let aarch64_base = {
@@ -188,13 +204,13 @@ export default async function main() {
 
 /*****************************************************************************/
 
-async function scheduleLinux(name, base) {
+async function scheduleLinux(name, base, args = "") {
   // Build base definition.
   let build_base = merge({
     command: [
       "/bin/bash",
       "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
+      "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh " + args
     ],
     artifacts: {
       public: {
@@ -260,18 +276,19 @@ async function scheduleLinux(name, base) {
     symbol: "gcc-6.1"
   }));
 
-  queue.scheduleTask(merge(extra_base, {
-    name: `${name} w/ NSS_DISABLE_LIBPKIX=1`,
-    env: {NSS_DISABLE_LIBPKIX: "1"},
-    symbol: "noLibpkix"
-  }));
-
   queue.scheduleTask(merge(extra_base, {
     name: `${name} w/ modular builds`,
     env: {NSS_BUILD_MODULAR: "1"},
+    command: [
+      "/bin/bash",
+      "-c",
+      "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh",
+    ],
     symbol: "modular"
   }));
 
+  await scheduleTestBuilds(merge(base, {group: "Test"}), args);
+
   return queue.submit();
 }
 
@@ -400,21 +417,14 @@ async function scheduleFuzzing() {
 
 /*****************************************************************************/
 
-async function scheduleTestBuilds() {
-  let base = {
-    platform: "linux64",
-    collection: "gyp",
-    group: "Test",
-    image: LINUX_IMAGE
-  };
-
+async function scheduleTestBuilds(base, args = "") {
   // Build base definition.
   let build = merge({
     command: [
       "/bin/bash",
       "-c",
       "bin/checkout.sh && " +
-      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --test --ct-verif"
+      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --test --ct-verif " + args
     ],
     artifacts: {
       public: {
@@ -425,7 +435,7 @@ async function scheduleTestBuilds() {
     },
     kind: "build",
     symbol: "B",
-    name: "Linux 64 (debug, gyp, test)"
+    name: "Linux 64 (debug, test)"
   }, base);
 
   // The task that builds NSPR+NSS.
@@ -529,7 +539,19 @@ function scheduleTests(task_build, task_cert, test_base) {
     name: "Chains tests", symbol: "Chains", tests: "chains"
   }));
   queue.scheduleTask(merge(no_cert_base, {
-    name: "Cipher tests", symbol: "Cipher", tests: "cipher"
+    name: "Cipher tests", symbol: "Default", tests: "cipher", group: "Cipher"
+  }));
+  queue.scheduleTask(merge(no_cert_base, {
+    name: "Cipher tests", symbol: "NoAESNI", tests: "cipher",
+    env: {NSS_DISABLE_HW_AES: "1"}, group: "Cipher"
+  }));
+  queue.scheduleTask(merge(no_cert_base, {
+    name: "Cipher tests", symbol: "NoPCLMUL", tests: "cipher",
+    env: {NSS_DISABLE_PCLMUL: "1"}, group: "Cipher"
+  }));
+  queue.scheduleTask(merge(no_cert_base, {
+    name: "Cipher tests", symbol: "NoAVX", tests: "cipher",
+    env: {NSS_DISABLE_AVX: "1"}, group: "Cipher"
   }));
   queue.scheduleTask(merge(no_cert_base, {
     name: "EC tests", symbol: "EC", tests: "ec"

security/nss/automation/taskcluster/graph/src/try_syntax.js

@@ -23,7 +23,7 @@ function parseOptions(opts) {
 
   // Parse platforms.
   let allPlatforms = ["linux", "linux64", "linux64-asan", "win64",
-                      "linux64-gyp", "linux64-fuzz", "aarch64"];
+                      "linux64-make", "linux-make", "linux64-fuzz", "aarch64"];
   let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
 
   // If the given value is nonsense or "none" default to all platforms.
@@ -82,11 +82,10 @@ function filter(opts) {
     // Filter unit tests.
     if (task.tests) {
       let found = opts.unittests.some(test => {
-        // TODO: think of something more intelligent here.
-        if (task.symbol.toLowerCase().startsWith("mpi") && test == "mpi") {
+        if (task.group && task.group.toLowerCase() == "ssl" && test == "ssl") {
           return true;
         }
-        return (task.group || task.symbol).toLowerCase().startsWith(test);
+        return task.symbol.toLowerCase().startsWith(test);
       });
 
       if (!found) {
@@ -107,7 +106,8 @@ function filter(opts) {
         "linux": "linux32",
         "linux64-asan": "linux64",
         "linux64-fuzz": "linux64",
-        "linux64-gyp": "linux64",
+        "linux64-make": "linux64",
+        "linux-make": "linux32",
         "win64": "windows2012-64"
       };
 
@@ -117,8 +117,8 @@ function filter(opts) {
       // Additional checks.
       if (platform == "linux64-asan") {
         keep &= coll("asan");
-      } else if (platform == "linux64-gyp") {
-        keep &= coll("gyp");
+      } else if (platform == "linux64-make" || platform == "linux-make") {
+        keep &= coll("make");
       } else if (platform == "linux64-fuzz") {
         keep &= coll("fuzz");
       } else {
@@ -133,7 +133,7 @@ function filter(opts) {
     }
 
     // Finally, filter by build type.
-    let isDebug = coll("debug") || coll("asan") || coll("gyp") ||
+    let isDebug = coll("debug") || coll("asan") || coll("make") ||
                   coll("fuzz");
     return (isDebug && opts.builds.includes("d")) ||
            (!isDebug && opts.builds.includes("o"));

security/nss/build.sh

@@ -49,6 +49,7 @@ fuzz=0
 fuzz_tls=0
 fuzz_oss=0
 no_local_nspr=0
+armhf=0
 
 gyp_params=(--depth="$cwd" --generator-output=".")
 nspr_params=()
@@ -58,6 +59,8 @@ ninja_params=()
 arch=$(python "$cwd"/coreconf/detect_host_arch.py)
 if [ "$arch" = "x64" -o "$arch" = "aarch64" ]; then
     build_64=1
+elif [ "$arch" = "arm" ]; then
+    armhf=1
 fi
 
 # parse command line arguments
@@ -101,7 +104,7 @@ else
 fi
 if [ "$build_64" = 1 ]; then
     nspr_params+=(--enable-64bit)
-else
+elif [ ! "$armhf" = 1 ]; then
     gyp_params+=(-Dtarget_arch=ia32)
 fi
 if [ "$fuzz" = 1 ]; then

security/nss/coreconf/Linux.mk

@@ -148,7 +148,7 @@ DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,--gc-sections
 # against the libsanitizer runtime built into the main executable.
 ZDEFS_FLAG		= -Wl,-z,defs
 DSO_LDOPTS		+= $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
-LDFLAGS			+= $(ARCHFLAG)
+LDFLAGS			+= $(ARCHFLAG) -z noexecstack
 
 # On Maemo, we need to use the -rpath-link flag for even the standard system
 # library directories.

security/nss/coreconf/config.gypi

@@ -141,6 +141,52 @@
           'debug_optimization_level%': '1',
         },
       }],
+      [ 'target_arch=="ia32" or target_arch=="x64"', {
+        'defines': [
+          'NSS_X86_OR_X64',
+        ],
+        # For Windows.
+        'msvs_settings': {
+          'VCCLCompilerTool': {
+            'PreprocessorDefinitions': [
+              'NSS_X86_OR_X64',
+            ],
+          },
+        },
+      }],
+      [ 'target_arch=="ia32"', {
+        'defines': [
+          'NSS_X86',
+        ],
+        # For Windows.
+        'msvs_settings': {
+          'VCCLCompilerTool': {
+            'PreprocessorDefinitions': [
+              'NSS_X86',
+            ],
+          },
+        },
+      }],
+      [ 'target_arch=="arm64" or target_arch=="aarch64"', {
+        'defines': [
+          'NSS_USE_64',
+        ],
+      }],
+      [ 'target_arch=="x64"', {
+        'defines': [
+          'NSS_X64',
+          'NSS_USE_64',
+        ],
+        # For Windows.
+        'msvs_settings': {
+          'VCCLCompilerTool': {
+            'PreprocessorDefinitions': [
+              'NSS_X64',
+              'NSS_USE_64',
+            ],
+          },
+        },
+      }],
     ],
     'target_conditions': [
       # If we want to properly export a static library, and copy it to lib,
@@ -315,6 +361,9 @@
             'cflags_cc': [
               '-std=c++0x',
             ],
+            'ldflags': [
+              '-z', 'noexecstack',
+            ],
             'conditions': [
               [ 'target_arch=="ia32"', {
                 'cflags': ['-m32'],

security/nss/coreconf/coreconf.dep

@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-

security/nss/cpputil/databuffer.h

@@ -46,7 +46,7 @@ class DataBuffer {
     len_ = len;
   }
 
-  void Truncate(size_t len) { len_ = std::min(len_, len); }
+  void Truncate(size_t len) { len_ = (std::min)(len_, len); }
 
   void Assign(const DataBuffer& other) { Assign(other.data(), other.len()); }
 
@@ -126,14 +126,14 @@ class DataBuffer {
     size_t old_len = len_;
 
     // The amount of stuff remaining from the tail of the old.
-    size_t tail_len = old_len - std::min(old_len, index + remove);
+    size_t tail_len = old_len - (std::min)(old_len, index + remove);
     // The new length: the head of the old, the new, and the tail of the old.
     len_ = index + ins_len + tail_len;
     data_ = new uint8_t[len_ ? len_ : 1];
 
     // The head of the old.
     if (old_value) {
-      Write(0, old_value, std::min(old_len, index));
+      Write(0, old_value, (std::min)(old_len, index));
     }
     // Maybe a gap.
     if (old_value && index > old_len) {

security/nss/cpputil/tls_parser.h

@@ -17,6 +17,8 @@
 #endif
 #include "databuffer.h"
 
+#include "sslt.h"
+
 namespace nss_test {
 
 const uint8_t kTlsChangeCipherSpecType = 20;
@@ -133,6 +135,10 @@ class TlsParser {
   size_t offset_;
 };
 
+inline std::ostream& operator<<(std::ostream& os, SSLProtocolVariant v) {
+  return os << ((v == ssl_variant_stream) ? "TLS" : "DTLS");
+}
+
 }  // namespace nss_test
 
 #endif

security/nss/fuzz/config/clone_libfuzzer.sh

@@ -1,46 +1,6 @@
 #!/bin/sh
 
+LIBFUZZER_REVISION=8837e6cbbc842ab7524b06a2f7360c36add316b3
+
 d=$(dirname $0)
-$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer b96a41ac6bbc3824fc7c7977662bebacac8f0983 $d/../libFuzzer
-
-# [https://llvm.org/bugs/show_bug.cgi?id=31318]
-# This prevents a known buffer overrun that won't be fixed as the affected code
-# will go away in the near future. Until that is we have to patch it as we seem
-# to constantly run into it.
-cat <<EOF | patch -p0 -d $d/..
-diff --git libFuzzer/FuzzerLoop.cpp libFuzzer/FuzzerLoop.cpp
---- libFuzzer/FuzzerLoop.cpp
-+++ libFuzzer/FuzzerLoop.cpp
-@@ -476,6 +476,9 @@
-   uint8_t dummy;
-   ExecuteCallback(&dummy, 0);
-
-+  // Number of counters might have changed.
-+  PrepareCounters(&MaxCoverage);
-+
-   for (const auto &U : *InitialCorpus) {
-     if (size_t NumFeatures = RunOne(U)) {
-       CheckExitOnSrcPosOrItem();
-EOF
-
-# Latest Libfuzzer uses __sanitizer_dump_coverage(), a symbol to be introduced
-# with LLVM 4.0. To keep our code working with LLVM 3.x to simplify development
-# of fuzzers we'll just provide it ourselves.
-cat <<EOF | patch -p0 -d $d/..
-diff --git libFuzzer/FuzzerTracePC.cpp libFuzzer/FuzzerTracePC.cpp
---- libFuzzer/FuzzerTracePC.cpp
-+++ libFuzzer/FuzzerTracePC.cpp
-@@ -33,6 +33,12 @@
- ATTRIBUTE_INTERFACE
- uintptr_t __sancov_trace_pc_pcs[fuzzer::TracePC::kNumPCs];
-
-+#if defined(__clang_major__) && (__clang_major__ == 3)
-+void __sanitizer_dump_coverage(const uintptr_t *pcs, uintptr_t len) {
-+  // SanCov in LLVM 4.x will provide this symbol. Make 3.x work.
-+}
-+#endif
-+
- namespace fuzzer {
-
- TracePC TPC;
-EOF
+$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer $LIBFUZZER_REVISION $d/../libFuzzer

security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc

@@ -265,6 +265,12 @@ class TestAgent {
     rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
     if (rv != SECSuccess) return false;
 
+    SSLVersionRange verify_vrange;
+    rv = SSL_VersionRangeGet(ssl_fd_, &verify_vrange);
+    if (rv != SECSuccess) return false;
+    if (vrange.min != verify_vrange.min || vrange.max != verify_vrange.max)
+      return false;
+
     rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE, false);
     if (rv != SECSuccess) return false;
 

security/nss/gtests/ssl_gtest/manifest.mn

@@ -39,6 +39,7 @@ CPPSRCS = \
       ssl_staticrsa_unittest.cc \
       ssl_v2_client_hello_unittest.cc \
       ssl_version_unittest.cc \
+      ssl_versionpolicy_unittest.cc \
       test_io.cc \
       tls_agent.cc \
       tls_connect.cc \

security/nss/gtests/ssl_gtest/ssl_damage_unittest.cc

@@ -70,11 +70,7 @@ TEST_P(TlsConnectGenericPre13, DamageServerSignature) {
   server_->SetTlsRecordFilter(filter);
   ExpectAlert(client_, kTlsAlertDecryptError);
   ConnectExpectFail();
-  // TODO(ttaubert@mozilla.com): This is the wrong error code in
-  // 1.1 and below. Bug 1354488.
-  client_->CheckErrorCode(version_ >= SSL_LIBRARY_VERSION_TLS_1_2
-                              ? SEC_ERROR_BAD_SIGNATURE
-                              : SEC_ERROR_PKCS11_DEVICE_ERROR);
+  client_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
   server_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
 }
 
@@ -117,11 +113,7 @@ TEST_P(TlsConnectGeneric, DamageClientSignature) {
                 ? TlsAgent::STATE_CONNECTED
                 : TlsAgent::STATE_CONNECTING,
             client_->state());
-  // TODO(ttaubert@mozilla.com): This is the wrong error code in
-  // 1.1 and below. Bug 1354488.
-  server_->CheckErrorCode(version_ >= SSL_LIBRARY_VERSION_TLS_1_2
-                              ? SEC_ERROR_BAD_SIGNATURE
-                              : SEC_ERROR_PKCS11_DEVICE_ERROR);
+  server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
 }
 
 }  // namespace nspr_test

security/nss/gtests/ssl_gtest/ssl_gtest.gyp

@@ -36,6 +36,7 @@
         'ssl_staticrsa_unittest.cc',
         'ssl_v2_client_hello_unittest.cc',
         'ssl_version_unittest.cc',
+        'ssl_versionpolicy_unittest.cc',
         'test_io.cc',
         'tls_agent.cc',
         'tls_connect.cc',

security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc

@@ -0,0 +1,404 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nss.h"
+#include "secerr.h"
+#include "ssl.h"
+#include "ssl3prot.h"
+#include "sslerr.h"
+#include "sslproto.h"
+
+#include "gtest_utils.h"
+#include "scoped_ptrs.h"
+#include "tls_connect.h"
+#include "tls_filter.h"
+#include "tls_parser.h"
+
+#include <iostream>
+
+namespace nss_test {
+
+std::string GetSSLVersionString(uint16_t v) {
+  switch (v) {
+    case SSL_LIBRARY_VERSION_3_0:
+      return "ssl3";
+    case SSL_LIBRARY_VERSION_TLS_1_0:
+      return "tls1.0";
+    case SSL_LIBRARY_VERSION_TLS_1_1:
+      return "tls1.1";
+    case SSL_LIBRARY_VERSION_TLS_1_2:
+      return "tls1.2";
+    case SSL_LIBRARY_VERSION_TLS_1_3:
+      return "tls1.3";
+    case SSL_LIBRARY_VERSION_NONE:
+      return "NONE";
+  }
+  if (v < SSL_LIBRARY_VERSION_3_0) {
+    return "undefined-too-low";
+  }
+  return "undefined-too-high";
+}
+
+inline std::ostream& operator<<(std::ostream& stream,
+                                const SSLVersionRange& vr) {
+  return stream << GetSSLVersionString(vr.min) << ","
+                << GetSSLVersionString(vr.max);
+}
+
+class VersionRangeWithLabel {
+ public:
+  VersionRangeWithLabel(const std::string& label, const SSLVersionRange& vr)
+      : label_(label), vr_(vr) {}
+  VersionRangeWithLabel(const std::string& label, uint16_t min, uint16_t max)
+      : label_(label) {
+    vr_.min = min;
+    vr_.max = max;
+  }
+  VersionRangeWithLabel(const std::string& label) : label_(label) {
+    vr_.min = vr_.max = SSL_LIBRARY_VERSION_NONE;
+  }
+
+  void WriteStream(std::ostream& stream) const {
+    stream << " " << label_ << ": " << vr_;
+  }
+
+  uint16_t min() const { return vr_.min; }
+  uint16_t max() const { return vr_.max; }
+  SSLVersionRange range() const { return vr_; }
+
+ private:
+  std::string label_;
+  SSLVersionRange vr_;
+};
+
+inline std::ostream& operator<<(std::ostream& stream,
+                                const VersionRangeWithLabel& vrwl) {
+  vrwl.WriteStream(stream);
+  return stream;
+}
+
+typedef std::tuple<SSLProtocolVariant,  // variant
+                   uint16_t,            // policy min
+                   uint16_t,            // policy max
+                   uint16_t,            // input min
+                   uint16_t>            // input max
+    PolicyVersionRangeInput;
+
+class TestPolicyVersionRange
+    : public TlsConnectTestBase,
+      public ::testing::WithParamInterface<PolicyVersionRangeInput> {
+ public:
+  TestPolicyVersionRange()
+      : TlsConnectTestBase(((static_cast<SSLProtocolVariant>(
+                                 std::get<0>(GetParam())) == ssl_variant_stream)
+                                ? STREAM
+                                : DGRAM),
+                           0),
+        variant_(static_cast<SSLProtocolVariant>(std::get<0>(GetParam()))),
+        policy_("policy", std::get<1>(GetParam()), std::get<2>(GetParam())),
+        input_("input", std::get<3>(GetParam()), std::get<4>(GetParam())),
+        library_("supported-by-library",
+                 ((variant_ == ssl_variant_stream)
+                      ? SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM
+                      : SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM),
+                 SSL_LIBRARY_VERSION_MAX_SUPPORTED) {
+    TlsConnectTestBase::SkipVersionChecks();
+  }
+
+  void SetPolicy(const SSLVersionRange& policy) {
+    NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
+
+    SECStatus rv;
+    rv = NSS_OptionSet(NSS_TLS_VERSION_MIN_POLICY, policy.min);
+    ASSERT_EQ(SECSuccess, rv);
+    rv = NSS_OptionSet(NSS_TLS_VERSION_MAX_POLICY, policy.max);
+    ASSERT_EQ(SECSuccess, rv);
+    rv = NSS_OptionSet(NSS_DTLS_VERSION_MIN_POLICY, policy.min);
+    ASSERT_EQ(SECSuccess, rv);
+    rv = NSS_OptionSet(NSS_DTLS_VERSION_MAX_POLICY, policy.max);
+    ASSERT_EQ(SECSuccess, rv);
+  }
+
+  void CreateDummySocket(std::shared_ptr<DummyPrSocket>* dummy_socket,
+                         ScopedPRFileDesc* ssl_fd) {
+    (*dummy_socket)
+        .reset(new DummyPrSocket(
+            "dummy", (variant_ == ssl_variant_stream) ? STREAM : DGRAM));
+    *ssl_fd = (*dummy_socket)->CreateFD();
+    if (variant_ == ssl_variant_stream) {
+      SSL_ImportFD(nullptr, ssl_fd->get());
+    } else {
+      DTLS_ImportFD(nullptr, ssl_fd->get());
+    }
+  }
+
+  bool GetOverlap(const SSLVersionRange& r1, const SSLVersionRange& r2,
+                  SSLVersionRange* overlap) {
+    if (r1.min == SSL_LIBRARY_VERSION_NONE ||
+        r1.max == SSL_LIBRARY_VERSION_NONE ||
+        r2.min == SSL_LIBRARY_VERSION_NONE ||
+        r2.max == SSL_LIBRARY_VERSION_NONE) {
+      return false;
+    }
+
+    SSLVersionRange temp;
+    temp.min = PR_MAX(r1.min, r2.min);
+    temp.max = PR_MIN(r1.max, r2.max);
+
+    if (temp.min > temp.max) {
+      return false;
+    }
+
+    *overlap = temp;
+    return true;
+  }
+
+  bool IsValidInputForVersionRangeSet(SSLVersionRange* expectedEffectiveRange) {
+    if (input_.min() <= SSL_LIBRARY_VERSION_3_0 &&
+        input_.max() >= SSL_LIBRARY_VERSION_TLS_1_3) {
+      // This is always invalid input, independent of policy
+      return false;
+    }
+
+    if (input_.min() < library_.min() || input_.max() > library_.max() ||
+        input_.min() > input_.max()) {
+      // Asking for unsupported ranges is invalid input for VersionRangeSet
+      // APIs, regardless of overlap.
+      return false;
+    }
+
+    SSLVersionRange overlap_with_library;
+    if (!GetOverlap(input_.range(), library_.range(), &overlap_with_library)) {
+      return false;
+    }
+
+    SSLVersionRange overlap_with_library_and_policy;
+    if (!GetOverlap(overlap_with_library, policy_.range(),
+                    &overlap_with_library_and_policy)) {
+      return false;
+    }
+
+    RemoveConflictingVersions(variant_, &overlap_with_library_and_policy);
+    *expectedEffectiveRange = overlap_with_library_and_policy;
+    return true;
+  }
+
+  void RemoveConflictingVersions(SSLProtocolVariant variant,
+                                 SSLVersionRange* r) {
+    ASSERT_TRUE(r != nullptr);
+    if (r->max >= SSL_LIBRARY_VERSION_TLS_1_3 &&
+        r->min < SSL_LIBRARY_VERSION_TLS_1_0) {
+      r->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    }
+  }
+
+  void SetUp() {
+    SetPolicy(policy_.range());
+    TlsConnectTestBase::SetUp();
+  }
+
+  void TearDown() {
+    TlsConnectTestBase::TearDown();
+    saved_version_policy_.RestoreOriginalPolicy();
+  }
+
+ protected:
+  class VersionPolicy {
+   public:
+    VersionPolicy() { SaveOriginalPolicy(); }
+
+    void RestoreOriginalPolicy() {
+      SECStatus rv;
+      rv = NSS_OptionSet(NSS_TLS_VERSION_MIN_POLICY, saved_min_tls_);
+      ASSERT_EQ(SECSuccess, rv);
+      rv = NSS_OptionSet(NSS_TLS_VERSION_MAX_POLICY, saved_max_tls_);
+      ASSERT_EQ(SECSuccess, rv);
+      rv = NSS_OptionSet(NSS_DTLS_VERSION_MIN_POLICY, saved_min_dtls_);
+      ASSERT_EQ(SECSuccess, rv);
+      rv = NSS_OptionSet(NSS_DTLS_VERSION_MAX_POLICY, saved_max_dtls_);
+      ASSERT_EQ(SECSuccess, rv);
+      // If it wasn't set initially, clear the bit that we set.
+      if (!(saved_algorithm_policy_ & NSS_USE_POLICY_IN_SSL)) {
+        rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, 0,
+                                    NSS_USE_POLICY_IN_SSL);
+        ASSERT_EQ(SECSuccess, rv);
+      }
+    }
+
+   private:
+    void SaveOriginalPolicy() {
+      SECStatus rv;
+      rv = NSS_OptionGet(NSS_TLS_VERSION_MIN_POLICY, &saved_min_tls_);
+      ASSERT_EQ(SECSuccess, rv);
+      rv = NSS_OptionGet(NSS_TLS_VERSION_MAX_POLICY, &saved_max_tls_);
+      ASSERT_EQ(SECSuccess, rv);
+      rv = NSS_OptionGet(NSS_DTLS_VERSION_MIN_POLICY, &saved_min_dtls_);
+      ASSERT_EQ(SECSuccess, rv);
+      rv = NSS_OptionGet(NSS_DTLS_VERSION_MAX_POLICY, &saved_max_dtls_);
+      ASSERT_EQ(SECSuccess, rv);
+      rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY,
+                                  &saved_algorithm_policy_);
+      ASSERT_EQ(SECSuccess, rv);
+    }
+
+    int32_t saved_min_tls_;
+    int32_t saved_max_tls_;
+    int32_t saved_min_dtls_;
+    int32_t saved_max_dtls_;
+    uint32_t saved_algorithm_policy_;
+  };
+
+  VersionPolicy saved_version_policy_;
+
+  SSLProtocolVariant variant_;
+  const VersionRangeWithLabel policy_;
+  const VersionRangeWithLabel input_;
+  const VersionRangeWithLabel library_;
+};
+
+static const uint16_t kExpandedVersionsArr[] = {
+    /* clang-format off */
+    SSL_LIBRARY_VERSION_3_0 - 1,
+    SSL_LIBRARY_VERSION_3_0,
+    SSL_LIBRARY_VERSION_TLS_1_0,
+    SSL_LIBRARY_VERSION_TLS_1_1,
+    SSL_LIBRARY_VERSION_TLS_1_2,
+#ifndef NSS_DISABLE_TLS_1_3
+    SSL_LIBRARY_VERSION_TLS_1_3,
+#endif
+    SSL_LIBRARY_VERSION_MAX_SUPPORTED + 1
+    /* clang-format on */
+};
+static ::testing::internal::ParamGenerator<uint16_t> kExpandedVersions =
+    ::testing::ValuesIn(kExpandedVersionsArr);
+
+static const SSLProtocolVariant kVariantsArr[] = {ssl_variant_stream,
+                                                  ssl_variant_datagram};
+static ::testing::internal::ParamGenerator<SSLProtocolVariant> kVariants =
+    ::testing::ValuesIn(kVariantsArr);
+
+TEST_P(TestPolicyVersionRange, TestAllTLSVersionsAndPolicyCombinations) {
+  ASSERT_TRUE(variant_ == ssl_variant_stream ||
+              variant_ == ssl_variant_datagram)
+      << "testing unsupported ssl variant";
+
+  std::cerr << "testing: " << variant_ << policy_ << input_ << library_
+            << std::endl;
+
+  SSLVersionRange supported_range;
+  SECStatus rv = SSL_VersionRangeGetSupported(variant_, &supported_range);
+  VersionRangeWithLabel supported("SSL_VersionRangeGetSupported",
+                                  supported_range);
+
+  std::cerr << supported << std::endl;
+
+  std::shared_ptr<DummyPrSocket> dummy_socket;
+  ScopedPRFileDesc ssl_fd;
+  CreateDummySocket(&dummy_socket, &ssl_fd);
+
+  SECStatus rv_socket;
+  SSLVersionRange overlap_policy_and_lib;
+  if (!GetOverlap(policy_.range(), library_.range(), &overlap_policy_and_lib)) {
+    EXPECT_EQ(SECFailure, rv)
+        << "expected SSL_VersionRangeGetSupported to fail with invalid policy";
+
+    SSLVersionRange enabled_range;
+    rv = SSL_VersionRangeGetDefault(variant_, &enabled_range);
+    EXPECT_EQ(SECFailure, rv)
+        << "expected SSL_VersionRangeGetDefault to fail with invalid policy";
+
+    SSLVersionRange enabled_range_on_socket;
+    rv_socket = SSL_VersionRangeGet(ssl_fd.get(), &enabled_range_on_socket);
+    EXPECT_EQ(SECFailure, rv_socket)
+        << "expected SSL_VersionRangeGet to fail with invalid policy";
+
+    ConnectExpectFail();
+    return;
+  }
+
+  EXPECT_EQ(SECSuccess, rv)
+      << "expected SSL_VersionRangeGetSupported to succeed with valid policy";
+
+  EXPECT_TRUE(supported_range.min != SSL_LIBRARY_VERSION_NONE &&
+              supported_range.max != SSL_LIBRARY_VERSION_NONE)
+      << "expected SSL_VersionRangeGetSupported to return real values with "
+         "valid policy";
+
+  RemoveConflictingVersions(variant_, &overlap_policy_and_lib);
+  VersionRangeWithLabel overlap_info("overlap", overlap_policy_and_lib);
+
+  EXPECT_TRUE(supported_range == overlap_policy_and_lib)
+      << "expected range from GetSupported to be identical with calculated "
+         "overlap "
+      << overlap_info;
+
+  // We don't know which versions are "enabled by default" by the library,
+  // therefore we don't know if there's overlap between the default
+  // and the policy, and therefore, we don't if TLS connections should
+  // be successful or fail in this combination.
+  // Therefore we don't test if we can connect, without having configured a
+  // version range explicitly.
+
+  // Now start testing with supplied input.
+
+  SSLVersionRange expected_effective_range;
+  bool is_valid_input =
+      IsValidInputForVersionRangeSet(&expected_effective_range);
+
+  SSLVersionRange temp_input = input_.range();
+  rv = SSL_VersionRangeSetDefault(variant_, &temp_input);
+  rv_socket = SSL_VersionRangeSet(ssl_fd.get(), &temp_input);
+
+  if (!is_valid_input) {
+    EXPECT_EQ(SECFailure, rv)
+        << "expected failure return from SSL_VersionRangeSetDefault";
+
+    EXPECT_EQ(SECFailure, rv_socket)
+        << "expected failure return from SSL_VersionRangeSet";
+    return;
+  }
+
+  EXPECT_EQ(SECSuccess, rv)
+      << "expected successful return from SSL_VersionRangeSetDefault";
+
+  EXPECT_EQ(SECSuccess, rv_socket)
+      << "expected successful return from SSL_VersionRangeSet";
+
+  SSLVersionRange effective;
+  SSLVersionRange effective_socket;
+
+  rv = SSL_VersionRangeGetDefault(variant_, &effective);
+  EXPECT_EQ(SECSuccess, rv)
+      << "expected successful return from SSL_VersionRangeGetDefault";
+
+  rv_socket = SSL_VersionRangeGet(ssl_fd.get(), &effective_socket);
+  EXPECT_EQ(SECSuccess, rv_socket)
+      << "expected successful return from SSL_VersionRangeGet";
+
+  VersionRangeWithLabel expected_info("expectation", expected_effective_range);
+  VersionRangeWithLabel effective_info("effectively-enabled", effective);
+
+  EXPECT_TRUE(expected_effective_range == effective)
+      << "range returned by SSL_VersionRangeGetDefault doesn't match "
+         "expectation: "
+      << expected_info << effective_info;
+
+  EXPECT_TRUE(expected_effective_range == effective_socket)
+      << "range returned by SSL_VersionRangeGet doesn't match "
+         "expectation: "
+      << expected_info << effective_info;
+
+  // Because we found overlap between policy and supported versions,
+  // and because we have used SetDefault to enable at least one version,
+  // it should be possible to execute an SSL/TLS connection.
+  Connect();
+}
+
+INSTANTIATE_TEST_CASE_P(TLSVersionRanges, TestPolicyVersionRange,
+                        ::testing::Combine(kVariants, kExpandedVersions,
+                                           kExpandedVersions, kExpandedVersions,
+                                           kExpandedVersions));
+}  // namespace nss_test

security/nss/gtests/ssl_gtest/tls_agent.cc

@@ -72,7 +72,8 @@ TlsAgent::TlsAgent(const std::string& name, Role role, Mode mode)
       handshake_callback_(),
       auth_certificate_callback_(),
       sni_callback_(),
-      expect_short_headers_(false) {
+      expect_short_headers_(false),
+      skip_version_checks_(false) {
   memset(&info_, 0, sizeof(info_));
   memset(&csinfo_, 0, sizeof(csinfo_));
   SECStatus rv = SSL_VersionRangeGetDefault(
@@ -165,9 +166,12 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) {
   }
   dummy_fd.release();  // Now subsumed by ssl_fd_.
 
-  SECStatus rv = SSL_VersionRangeSet(ssl_fd(), &vrange_);
-  EXPECT_EQ(SECSuccess, rv);
-  if (rv != SECSuccess) return false;
+  SECStatus rv;
+  if (!skip_version_checks_) {
+    rv = SSL_VersionRangeSet(ssl_fd(), &vrange_);
+    EXPECT_EQ(SECSuccess, rv);
+    if (rv != SECSuccess) return false;
+  }
 
   if (role_ == SERVER) {
     EXPECT_TRUE(ConfigServerCert(name_, true));
@@ -435,6 +439,8 @@ void TlsAgent::ExpectReadWriteError() { expect_readwrite_error_ = true; }
 
 void TlsAgent::ExpectShortHeaders() { expect_short_headers_ = true; }
 
+void TlsAgent::SkipVersionChecks() { skip_version_checks_ = true; }
+
 void TlsAgent::SetSignatureSchemes(const SSLSignatureScheme* schemes,
                                    size_t count) {
   EXPECT_TRUE(EnsureTlsSetup());

security/nss/gtests/ssl_gtest/tls_agent.h

@@ -137,6 +137,7 @@ class TlsAgent : public PollTarget {
   void EnableFalseStart();
   void ExpectResumption();
   void ExpectShortHeaders();
+  void SkipVersionChecks();
   void SetSignatureSchemes(const SSLSignatureScheme* schemes, size_t count);
   void EnableAlpn(const uint8_t* val, size_t len);
   void CheckAlpn(SSLNextProtoState expected_state,
@@ -388,6 +389,7 @@ class TlsAgent : public PollTarget {
   AuthCertificateCallbackFunction auth_certificate_callback_;
   SniCallbackFunction sni_callback_;
   bool expect_short_headers_;
+  bool skip_version_checks_;
 };
 
 inline std::ostream& operator<<(std::ostream& stream,
@@ -485,6 +487,10 @@ class TlsAgentDgramTestClient : public TlsAgentTestBase {
   TlsAgentDgramTestClient() : TlsAgentTestBase(TlsAgent::CLIENT, DGRAM) {}
 };
 
+inline bool operator==(const SSLVersionRange& vr1, const SSLVersionRange& vr2) {
+  return vr1.min == vr2.min && vr1.max == vr2.max;
+}
+
 }  // namespace nss_test
 
 #endif

security/nss/gtests/ssl_gtest/tls_connect.cc

@@ -110,7 +110,8 @@ TlsConnectTestBase::TlsConnectTestBase(Mode mode, uint16_t version)
       expected_resumption_mode_(RESUME_NONE),
       session_ids_(),
       expect_extended_master_secret_(false),
-      expect_early_data_accepted_(false) {
+      expect_early_data_accepted_(false),
+      skip_version_checks_(false) {
   std::string v;
   if (mode_ == DGRAM && version_ == SSL_LIBRARY_VERSION_TLS_1_1) {
     v = "1.0";
@@ -209,6 +210,10 @@ void TlsConnectTestBase::Reset(const std::string& server_name,
                                const std::string& client_name) {
   client_.reset(new TlsAgent(client_name, TlsAgent::CLIENT, mode_));
   server_.reset(new TlsAgent(server_name, TlsAgent::SERVER, mode_));
+  if (skip_version_checks_) {
+    client_->SkipVersionChecks();
+    server_->SkipVersionChecks();
+  }
 
   Init();
 }
@@ -268,10 +273,12 @@ void TlsConnectTestBase::ConnectWithCipherSuite(uint16_t cipher_suite) {
 }
 
 void TlsConnectTestBase::CheckConnected() {
-  // Check the version is as expected
   EXPECT_EQ(client_->version(), server_->version());
-  EXPECT_EQ(std::min(client_->max_version(), server_->max_version()),
-            client_->version());
+  if (!skip_version_checks_) {
+    // Check the version is as expected
+    EXPECT_EQ(std::min(client_->max_version(), server_->max_version()),
+              client_->version());
+  }
 
   EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());
   EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
@@ -510,6 +517,10 @@ void TlsConnectTestBase::EnsureModelSockets() {
         new TlsAgent(TlsAgent::kClient, TlsAgent::CLIENT, mode_));
     server_model_.reset(
         new TlsAgent(TlsAgent::kServerRsa, TlsAgent::SERVER, mode_));
+    if (skip_version_checks_) {
+      client_model_->SkipVersionChecks();
+      server_model_->SkipVersionChecks();
+    }
   }
 }
 
@@ -635,6 +646,12 @@ void TlsConnectTestBase::DisableECDHEServerKeyReuse() {
   server_->DisableECDHEServerKeyReuse();
 }
 
+void TlsConnectTestBase::SkipVersionChecks() {
+  skip_version_checks_ = true;
+  client_->SkipVersionChecks();
+  server_->SkipVersionChecks();
+}
+
 TlsConnectGeneric::TlsConnectGeneric()
     : TlsConnectTestBase(std::get<0>(GetParam()), std::get<1>(GetParam())) {}
 

security/nss/gtests/ssl_gtest/tls_connect.h

@@ -111,6 +111,7 @@ class TlsConnectTestBase : public ::testing::Test {
   void ExpectExtendedMasterSecret(bool expected);
   void ExpectEarlyDataAccepted(bool expected);
   void DisableECDHEServerKeyReuse();
+  void SkipVersionChecks();
 
  protected:
   Mode mode_;
@@ -139,6 +140,7 @@ class TlsConnectTestBase : public ::testing::Test {
 
   bool expect_extended_master_secret_;
   bool expect_early_data_accepted_;
+  bool skip_version_checks_;
 
   // Track groups and make sure that there are no duplicates.
   class DuplicateGroupChecker {

security/nss/gtests/util_gtest/util_b64_unittest.cc

@@ -68,11 +68,13 @@ TEST_F(B64EncodeDecodeTest, FakeEncDecTest) {
 }
 
 // These takes a while ...
-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) {
+TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) {
   EXPECT_TRUE(TestFakeDecode(0x66666666));
 }
-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3fffffff); }
-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) {
+TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) {
+  TestFakeEncode(0x3fffffff);
+}
+TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) {
   EXPECT_FALSE(TestFakeEncode(0x40000000));
 }
 

security/nss/lib/freebl/blapii.h

@@ -58,4 +58,11 @@ SEC_END_PROTOS
 
 #undef HAVE_NO_SANITIZE_ATTR
 
+SECStatus RSA_Init();
+
+/* Freebl state. */
+PRBool aesni_support();
+PRBool clmul_support();
+PRBool avx_support();
+
 #endif /* _BLAPII_H_ */

security/nss/lib/freebl/blinit.c

@@ -0,0 +1,119 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifdef FREEBL_NO_DEPEND
+#include "stubs.h"
+#endif
+
+#include "blapii.h"
+#include "mpi.h"
+#include "secerr.h"
+#include "prtypes.h"
+#include "prinit.h"
+#include "prenv.h"
+
+#if defined(_MSC_VER) && !defined(_M_IX86)
+#include <intrin.h> /* for _xgetbv() */
+#endif
+
+static PRCallOnceType coFreeblInit;
+
+/* State variables. */
+static PRBool aesni_support_ = PR_FALSE;
+static PRBool clmul_support_ = PR_FALSE;
+static PRBool avx_support_ = PR_FALSE;
+
+#ifdef NSS_X86_OR_X64
+/*
+ * Adapted from the example code in "How to detect New Instruction support in
+ * the 4th generation Intel Core processor family" by Max Locktyukhin.
+ *
+ * XGETBV:
+ *   Reads an extended control register (XCR) specified by ECX into EDX:EAX.
+ */
+static PRBool
+check_xcr0_ymm()
+{
+    PRUint32 xcr0;
+#if defined(_MSC_VER)
+#if defined(_M_IX86)
+    __asm {
+        mov ecx, 0
+        xgetbv
+        mov xcr0, eax
+    }
+#else
+    xcr0 = (PRUint32)_xgetbv(0); /* Requires VS2010 SP1 or later. */
+#endif /* _M_IX86 */
+#else  /* _MSC_VER */
+    /* Old OSX compilers don't support xgetbv. Use byte form. */
+    __asm__(".byte 0x0F, 0x01, 0xd0"
+            : "=a"(xcr0)
+            : "c"(0)
+            : "%edx");
+#endif /* _MSC_VER */
+    /* Check if xmm and ymm state are enabled in XCR0. */
+    return (xcr0 & 6) == 6;
+}
+
+#define ECX_AESNI (1 << 25)
+#define ECX_CLMUL (1 << 1)
+#define ECX_XSAVE (1 << 26)
+#define ECX_OSXSAVE (1 << 27)
+#define ECX_AVX (1 << 28)
+#define AVX_BITS (ECX_XSAVE | ECX_OSXSAVE | ECX_AVX)
+
+void
+CheckX86CPUSupport()
+{
+    unsigned long eax, ebx, ecx, edx;
+    char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
+    char *disable_pclmul = PR_GetEnvSecure("NSS_DISABLE_PCLMUL");
+    char *disable_avx = PR_GetEnvSecure("NSS_DISABLE_AVX");
+    freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
+    aesni_support_ = (PRBool)((ecx & ECX_AESNI) != 0 && disable_hw_aes == NULL);
+    clmul_support_ = (PRBool)((ecx & ECX_CLMUL) != 0 && disable_pclmul == NULL);
+    /* For AVX we check AVX, OSXSAVE, and XSAVE
+     * as well as XMM and YMM state. */
+    avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() &&
+                   disable_avx == NULL;
+}
+#endif /* NSS_X86_OR_X64 */
+
+PRBool
+aesni_support()
+{
+    return aesni_support_;
+}
+PRBool
+clmul_support()
+{
+    return clmul_support_;
+}
+PRBool
+avx_support()
+{
+    return avx_support_;
+}
+
+static PRStatus
+FreeblInit(void)
+{
+#ifdef NSS_X86_OR_X64
+    CheckX86CPUSupport();
+#endif
+    return PR_SUCCESS;
+}
+
+SECStatus
+BL_Init()
+{
+    if (PR_CallOnce(&coFreeblInit, FreeblInit) != PR_SUCCESS) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    RSA_Init();
+
+    return SECSuccess;
+}

security/nss/lib/freebl/freebl.gyp

@@ -158,8 +158,6 @@
           'VCCLCompilerTool': {
             #TODO: -Ox optimize flags
             'PreprocessorDefinitions': [
-              'NSS_X86_OR_X64',
-              'NSS_X86',
               'MP_ASSEMBLY_MULTIPLY',
               'MP_ASSEMBLY_SQUARE',
               'MP_ASSEMBLY_DIV_2DX1D',
@@ -176,9 +174,6 @@
           'VCCLCompilerTool': {
             #TODO: -Ox optimize flags
             'PreprocessorDefinitions': [
-              'NSS_USE_64',
-              'NSS_X86_OR_X64',
-              'NSS_X64',
               'MP_IS_LITTLE_ENDIAN',
               'NSS_BEVAND_ARCFOUR',
               'MPI_AMD64',
@@ -192,11 +187,8 @@
       }],
       [ 'OS!="win"', {
         'conditions': [
-          [ 'target_arch=="x64"', {
+          [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
             'defines': [
-              'NSS_USE_64',
-              'NSS_X86_OR_X64',
-              'NSS_X64',
               # The Makefile does version-tests on GCC, but we're not doing that here.
               'HAVE_INT128_SUPPORT',
             ],
@@ -205,12 +197,6 @@
               'ecl/uint128.c',
             ],
           }],
-          [ 'target_arch=="ia32"', {
-            'defines': [
-              'NSS_X86_OR_X64',
-              'NSS_X86',
-            ],
-          }],
         ],
       }],
       [ 'OS=="linux"', {
@@ -251,11 +237,7 @@
               'MP_ASSEMBLY_SQUARE',
               'MP_USE_UINT_DIGIT',
               'SHA_NO_LONG_LONG',
-            ],
-          }],
-          [ 'target_arch=="arm64" or target_arch=="aarch64"', {
-            'defines': [
-              'NSS_USE_64',
+              'ARMHF',
             ],
           }],
         ],

security/nss/lib/freebl/freebl_base.gypi

@@ -33,6 +33,7 @@
     'ecl/ecp_jm.c',
     'ecl/ecp_mont.c',
     'fipsfreebl.c',
+    'blinit.c',
     'freeblver.c',
     'gcm.c',
     'hmacct.c',

security/nss/lib/freebl/manifest.mn

@@ -132,6 +132,7 @@ CSRCS = \
 	chacha20poly1305.c \
 	cts.c \
 	ctr.c \
+	blinit.c \
 	fipsfreebl.c \
 	gcm.c \
 	hmacct.c \

security/nss/lib/freebl/rijndael.c

@@ -26,17 +26,11 @@
 #include "mpi.h"
 
 #ifdef USE_HW_AES
-static int has_intel_aes = 0;
 static PRBool use_hw_aes = PR_FALSE;
 
 #ifdef INTEL_GCM
 #include "intel-gcm.h"
-static int has_intel_avx = 0;
-static int has_intel_clmul = 0;
 static PRBool use_hw_gcm = PR_FALSE;
-#if defined(_MSC_VER) && !defined(_M_IX86)
-#include <intrin.h> /* for _xgetbv() */
-#endif
 #endif
 #endif /* USE_HW_AES */
 
@@ -999,39 +993,6 @@ AES_AllocateContext(void)
     return PORT_ZNew(AESContext);
 }
 
-#ifdef INTEL_GCM
-/*
- * Adapted from the example code in "How to detect New Instruction support in
- * the 4th generation Intel Core processor family" by Max Locktyukhin.
- *
- * XGETBV:
- *   Reads an extended control register (XCR) specified by ECX into EDX:EAX.
- */
-static PRBool
-check_xcr0_ymm()
-{
-    PRUint32 xcr0;
-#if defined(_MSC_VER)
-#if defined(_M_IX86)
-    __asm {
-        mov ecx, 0
-        xgetbv
-        mov xcr0, eax
-    }
-#else
-    xcr0 = (PRUint32)_xgetbv(0); /* Requires VS2010 SP1 or later. */
-#endif
-#else
-    __asm__("xgetbv"
-            : "=a"(xcr0)
-            : "c"(0)
-            : "%edx");
-#endif
-    /* Check if xmm and ymm state are enabled in XCR0. */
-    return (xcr0 & 6) == 6;
-}
-#endif
-
 /*
 ** Initialize a new AES context suitable for AES encryption/decryption in
 ** the ECB or CBC mode.
@@ -1070,33 +1031,9 @@ aes_InitContext(AESContext *cx, const unsigned char *key, unsigned int keysize,
         return SECFailure;
     }
 #ifdef USE_HW_AES
-    if (has_intel_aes == 0) {
-        unsigned long eax, ebx, ecx, edx;
-        char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
-
-        if (disable_hw_aes == NULL) {
-            freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
-            has_intel_aes = (ecx & (1 << 25)) != 0 ? 1 : -1;
+    use_hw_aes = aesni_support() && (keysize % 8) == 0 && blocksize == 16;
 #ifdef INTEL_GCM
-            has_intel_clmul = (ecx & (1 << 1)) != 0 ? 1 : -1;
-            if ((ecx & (1 << 27)) != 0 && (ecx & (1 << 28)) != 0 &&
-                check_xcr0_ymm()) {
-                has_intel_avx = 1;
-            } else {
-                has_intel_avx = -1;
-            }
-#endif
-        } else {
-            has_intel_aes = -1;
-#ifdef INTEL_GCM
-            has_intel_avx = -1;
-            has_intel_clmul = -1;
-#endif
-        }
-    }
-    use_hw_aes = (PRBool)(has_intel_aes > 0 && (keysize % 8) == 0 && blocksize == 16);
-#ifdef INTEL_GCM
-    use_hw_gcm = (PRBool)(use_hw_aes && has_intel_avx > 0 && has_intel_clmul > 0);
+    use_hw_gcm = use_hw_aes && avx_support() && clmul_support();
 #endif
 #endif /* USE_HW_AES */
     /* Nb = (block size in bits) / 32 */

security/nss/lib/freebl/rsa.c

@@ -1551,7 +1551,7 @@ cleanup:
     return rv;
 }
 
-static SECStatus
+SECStatus
 RSA_Init(void)
 {
     if (PR_CallOnce(&coBPInit, init_blinding_params_list) != PR_SUCCESS) {
@@ -1561,12 +1561,6 @@ RSA_Init(void)
     return SECSuccess;
 }
 
-SECStatus
-BL_Init(void)
-{
-    return RSA_Init();
-}
-
 /* cleanup at shutdown */
 void
 RSA_Cleanup(void)

security/nss/lib/freebl/rsapkcs.c

@@ -1211,6 +1211,7 @@ RSA_SignPSS(RSAPrivateKey *key,
     if (rv != SECSuccess)
         goto done;
 
+    // This sets error codes upon failure.
     rv = RSA_PrivateKeyOpDoubleChecked(key, output, pssEncoded);
     *outputLen = modulusLen;
 
@@ -1270,7 +1271,6 @@ RSA_CheckSignPSS(RSAPublicKey *key,
     return rv;
 }
 
-/* XXX Doesn't set error code */
 SECStatus
 RSA_Sign(RSAPrivateKey *key,
          unsigned char *output,
@@ -1279,34 +1279,34 @@ RSA_Sign(RSAPrivateKey *key,
          const unsigned char *input,
          unsigned int inputLen)
 {
-    SECStatus rv = SECSuccess;
+    SECStatus rv = SECFailure;
     unsigned int modulusLen = rsa_modulusLen(&key->modulus);
-    SECItem formatted;
-    SECItem unformatted;
+    SECItem formatted = { siBuffer, NULL, 0 };
+    SECItem unformatted = { siBuffer, (unsigned char *)input, inputLen };
 
-    if (maxOutputLen < modulusLen)
-        return SECFailure;
+    if (maxOutputLen < modulusLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        goto done;
+    }
 
-    unformatted.len = inputLen;
-    unformatted.data = (unsigned char *)input;
-    formatted.data = NULL;
     rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPrivate,
                          &unformatted);
-    if (rv != SECSuccess)
+    if (rv != SECSuccess) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         goto done;
+    }
 
+    // This sets error codes upon failure.
     rv = RSA_PrivateKeyOpDoubleChecked(key, output, formatted.data);
     *outputLen = modulusLen;
 
-    goto done;
-
 done:
-    if (formatted.data != NULL)
+    if (formatted.data != NULL) {
         PORT_ZFree(formatted.data, modulusLen);
+    }
     return rv;
 }
 
-/* XXX Doesn't set error code */
 SECStatus
 RSA_CheckSign(RSAPublicKey *key,
               const unsigned char *sig,
@@ -1314,60 +1314,71 @@ RSA_CheckSign(RSAPublicKey *key,
               const unsigned char *data,
               unsigned int dataLen)
 {
-    SECStatus rv;
+    SECStatus rv = SECFailure;
     unsigned int modulusLen = rsa_modulusLen(&key->modulus);
     unsigned int i;
-    unsigned char *buffer;
+    unsigned char *buffer = NULL;
+
+    if (sigLen != modulusLen) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        goto done;
+    }
 
-    if (sigLen != modulusLen)
-        goto failure;
     /*
      * 0x00 || BT || Pad || 0x00 || ActualData
      *
      * The "3" below is the first octet + the second octet + the 0x00
      * octet that always comes just before the ActualData.
      */
-    if (dataLen > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))
-        goto failure;
+    if (dataLen > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)) {
+        PORT_SetError(SEC_ERROR_BAD_DATA);
+        goto done;
+    }
 
     buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
-    if (!buffer)
-        goto failure;
+    if (!buffer) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto done;
+    }
 
-    rv = RSA_PublicKeyOp(key, buffer, sig);
-    if (rv != SECSuccess)
-        goto loser;
+    if (RSA_PublicKeyOp(key, buffer, sig) != SECSuccess) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        goto done;
+    }
 
     /*
      * check the padding that was used
      */
     if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
         buffer[1] != (unsigned char)RSA_BlockPrivate) {
-        goto loser;
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        goto done;
     }
     for (i = 2; i < modulusLen - dataLen - 1; i++) {
-        if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
-            goto loser;
+        if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET) {
+            PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+            goto done;
+        }
+    }
+    if (buffer[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        goto done;
     }
-    if (buffer[i] != RSA_BLOCK_AFTER_PAD_OCTET)
-        goto loser;
 
     /*
      * make sure we get the same results
      */
-    if (PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen) != 0)
-        goto loser;
+    if (PORT_Memcmp(buffer + modulusLen - dataLen, data, dataLen) == 0) {
+        rv = SECSuccess;
+    }
 
-    PORT_Free(buffer);
-    return SECSuccess;
-
-loser:
-    PORT_Free(buffer);
-failure:
-    return SECFailure;
+done:
+    if (buffer) {
+        PORT_Free(buffer);
+    }
+    return rv;
 }
 
-/* XXX Doesn't set error code */
 SECStatus
 RSA_CheckSignRecover(RSAPublicKey *key,
                      unsigned char *output,
@@ -1376,21 +1387,27 @@ RSA_CheckSignRecover(RSAPublicKey *key,
                      const unsigned char *sig,
                      unsigned int sigLen)
 {
-    SECStatus rv;
+    SECStatus rv = SECFailure;
     unsigned int modulusLen = rsa_modulusLen(&key->modulus);
     unsigned int i;
-    unsigned char *buffer;
+    unsigned char *buffer = NULL;
 
-    if (sigLen != modulusLen)
-        goto failure;
+    if (sigLen != modulusLen) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        goto done;
+    }
 
     buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
-    if (!buffer)
-        goto failure;
+    if (!buffer) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        goto done;
+    }
+
+    if (RSA_PublicKeyOp(key, buffer, sig) != SECSuccess) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        goto done;
+    }
 
-    rv = RSA_PublicKeyOp(key, buffer, sig);
-    if (rv != SECSuccess)
-        goto loser;
     *outputLen = 0;
 
     /*
@@ -1398,28 +1415,34 @@ RSA_CheckSignRecover(RSAPublicKey *key,
      */
     if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
         buffer[1] != (unsigned char)RSA_BlockPrivate) {
-        goto loser;
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        goto done;
     }
     for (i = 2; i < modulusLen; i++) {
         if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
             *outputLen = modulusLen - i - 1;
             break;
         }
-        if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET)
-            goto loser;
+        if (buffer[i] != RSA_BLOCK_PRIVATE_PAD_OCTET) {
+            PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+            goto done;
+        }
+    }
+    if (*outputLen == 0) {
+        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+        goto done;
+    }
+    if (*outputLen > maxOutputLen) {
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        goto done;
     }
-    if (*outputLen == 0)
-        goto loser;
-    if (*outputLen > maxOutputLen)
-        goto loser;
 
     PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
+    rv = SECSuccess;
 
-    PORT_Free(buffer);
-    return SECSuccess;
-
-loser:
-    PORT_Free(buffer);
-failure:
-    return SECFailure;
+done:
+    if (buffer) {
+        PORT_Free(buffer);
+    }
+    return rv;
 }

security/nss/lib/jar/jar.gyp

@@ -26,49 +26,6 @@
     'defines': [
       'MOZILLA_CLIENT=1',
     ],
-    'conditions': [
-      [ 'OS=="win"', {
-        'configurations': {
-          'x86_Base': {
-            'msvs_settings': {
-              'VCCLCompilerTool': {
-                'PreprocessorDefinitions': [
-                  'NSS_X86_OR_X64',
-                  'NSS_X86',
-                ],
-              },
-            },
-          },
-          'x64_Base': {
-            'msvs_settings': {
-              'VCCLCompilerTool': {
-                'PreprocessorDefinitions': [
-                  'NSS_USE_64',
-                  'NSS_X86_OR_X64',
-                  'NSS_X64',
-                ],
-              },
-            },
-          },
-        },
-      }, {
-        'conditions': [
-          [ 'target_arch=="x64"', {
-            'defines': [
-              'NSS_USE_64',
-              'NSS_X86_OR_X64',
-              'NSS_X64',
-            ],
-          }],
-          [ 'target_arch=="ia32"', {
-            'defines': [
-              'NSS_X86_OR_X64',
-              'NSS_X86',
-            ],
-          }],
-        ],
-      }],
-    ],
   },
   'variables': {
     'module': 'nss'

security/nss/lib/ssl/sslimpl.h

@@ -1496,6 +1496,14 @@ extern PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec,
  */
 #define SSL_LIBRARY_VERSION_NONE 0
 
+/* SSL_LIBRARY_VERSION_MIN_SUPPORTED is the minimum version that this version
+ * of libssl supports. Applications should use SSL_VersionRangeGetSupported at
+ * runtime to determine which versions are supported by the version of libssl
+ * in use.
+ */
+#define SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM SSL_LIBRARY_VERSION_TLS_1_1
+#define SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM SSL_LIBRARY_VERSION_3_0
+
 /* SSL_LIBRARY_VERSION_MAX_SUPPORTED is the maximum version that this version
  * of libssl supports. Applications should use SSL_VersionRangeGetSupported at
  * runtime to determine which versions are supported by the version of libssl

security/nss/lib/ssl/sslsock.c

@@ -2152,11 +2152,11 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
         ss->sniSocketConfig = sm->sniSocketConfig;
     if (sm->sniSocketConfigArg)
         ss->sniSocketConfigArg = sm->sniSocketConfigArg;
-    if (ss->alertReceivedCallback) {
+    if (sm->alertReceivedCallback) {
         ss->alertReceivedCallback = sm->alertReceivedCallback;
         ss->alertReceivedCallbackArg = sm->alertReceivedCallbackArg;
     }
-    if (ss->alertSentCallback) {
+    if (sm->alertSentCallback) {
         ss->alertSentCallback = sm->alertSentCallback;
         ss->alertSentCallbackArg = sm->alertSentCallbackArg;
     }
@@ -2173,61 +2173,82 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
     return fd;
 }
 
-/*
- * Get the user supplied range
- */
-static SECStatus
-ssl3_GetRangePolicy(SSLProtocolVariant protocolVariant, SSLVersionRange *prange)
+SECStatus
+ssl3_GetEffectiveVersionPolicy(SSLProtocolVariant variant,
+                               SSLVersionRange *effectivePolicy)
 {
     SECStatus rv;
-    PRUint32 policy;
-    PRInt32 option;
+    PRUint32 policyFlag;
+    PRInt32 minPolicy, maxPolicy;
 
-    /* only use policy constraints if we've set the apply ssl policy bit */
-    rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy);
-    if ((rv != SECSuccess) || !(policy & NSS_USE_POLICY_IN_SSL)) {
+    if (variant == ssl_variant_stream) {
+        effectivePolicy->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM;
+        effectivePolicy->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
+    } else {
+        effectivePolicy->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM;
+        effectivePolicy->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
+    }
+
+    rv = NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policyFlag);
+    if ((rv != SECSuccess) || !(policyFlag & NSS_USE_POLICY_IN_SSL)) {
+        /* Policy is not active, report library extents. */
+        return SECSuccess;
+    }
+
+    rv = NSS_OptionGet(VERSIONS_POLICY_MIN(variant), &minPolicy);
+    if (rv != SECSuccess) {
         return SECFailure;
     }
-    rv = NSS_OptionGet(VERSIONS_POLICY_MIN(protocolVariant), &option);
+    rv = NSS_OptionGet(VERSIONS_POLICY_MAX(variant), &maxPolicy);
     if (rv != SECSuccess) {
-        return rv;
+        return SECFailure;
     }
-    prange->min = (PRUint16)option;
-    rv = NSS_OptionGet(VERSIONS_POLICY_MAX(protocolVariant), &option);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-    prange->max = (PRUint16)option;
-    if (prange->max < prange->min) {
-        return SECFailure; /* don't accept an invalid policy */
+
+    if (minPolicy > effectivePolicy->max ||
+        maxPolicy < effectivePolicy->min ||
+        minPolicy > maxPolicy) {
+        return SECFailure;
     }
+    effectivePolicy->min = PR_MAX(effectivePolicy->min, minPolicy);
+    effectivePolicy->max = PR_MIN(effectivePolicy->max, maxPolicy);
     return SECSuccess;
 }
 
-/*
- * Constrain a single protocol variant's range based on the user policy
+/* 
+ * Assumes that rangeParam values are within the supported boundaries,
+ * but should contain all potentially allowed versions, even if they contain
+ * conflicting versions.
+ * Will return the overlap, or a NONE range if system policy is invalid.
  */
 static SECStatus
-ssl3_ConstrainVariantRangeByPolicy(SSLProtocolVariant protocolVariant)
+ssl3_CreateOverlapWithPolicy(SSLProtocolVariant protocolVariant,
+                             SSLVersionRange *input,
+                             SSLVersionRange *overlap)
 {
-    SSLVersionRange vrange;
-    SSLVersionRange pvrange;
     SECStatus rv;
+    SSLVersionRange effectivePolicyBoundary;
+    SSLVersionRange vrange;
 
-    vrange = *VERSIONS_DEFAULTS(protocolVariant);
-    rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
-    if (rv != SECSuccess) {
-        return SECSuccess; /* we don't have any policy */
+    PORT_Assert(input != NULL);
+
+    rv = ssl3_GetEffectiveVersionPolicy(protocolVariant,
+                                        &effectivePolicyBoundary);
+    if (rv == SECFailure) {
+        /* SECFailure means internal failure or invalid configuration. */
+        overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
+        return SECFailure;
     }
-    vrange.min = PR_MAX(vrange.min, pvrange.min);
-    vrange.max = PR_MIN(vrange.max, pvrange.max);
-    if (vrange.max >= vrange.min) {
-        *VERSIONS_DEFAULTS(protocolVariant) = vrange;
-    } else {
+
+    vrange.min = PR_MAX(input->min, effectivePolicyBoundary.min);
+    vrange.max = PR_MIN(input->max, effectivePolicyBoundary.max);
+
+    if (vrange.max < vrange.min) {
         /* there was no overlap, turn off range altogether */
-        pvrange.min = pvrange.max = SSL_LIBRARY_VERSION_NONE;
-        *VERSIONS_DEFAULTS(protocolVariant) = pvrange;
+        overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
+        return SECFailure;
     }
+
+    *overlap = vrange;
     return SECSuccess;
 }
 
@@ -2235,16 +2256,17 @@ static PRBool
 ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant,
                                SSL3ProtocolVersion version)
 {
-    SSLVersionRange pvrange;
     SECStatus rv;
+    SSLVersionRange effectivePolicyBoundary;
 
-    rv = ssl3_GetRangePolicy(protocolVariant, &pvrange);
-    if (rv == SECSuccess) {
-        if ((version > pvrange.max) || (version < pvrange.min)) {
-            return PR_FALSE; /* disallowed by policy */
-        }
+    rv = ssl3_GetEffectiveVersionPolicy(protocolVariant,
+                                        &effectivePolicyBoundary);
+    if (rv == SECFailure) {
+        /* SECFailure means internal failure or invalid configuration. */
+        return PR_FALSE;
     }
-    return PR_TRUE;
+    return version >= effectivePolicyBoundary.min &&
+           version <= effectivePolicyBoundary.max;
 }
 
 /*
@@ -2254,18 +2276,36 @@ ssl_VersionIsSupportedByPolicy(SSLProtocolVariant protocolVariant,
 SECStatus
 ssl3_ConstrainRangeByPolicy(void)
 {
-    SECStatus rv;
-    rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_stream);
-    if (rv != SECSuccess) {
-        return rv;
-    }
-    rv = ssl3_ConstrainVariantRangeByPolicy(ssl_variant_datagram);
-    if (rv != SECSuccess) {
-        return rv;
-    }
+    /* We ignore failures in ssl3_CreateOverlapWithPolicy. Although an empty
+     * overlap disables all connectivity, it's an allowed state.
+     */
+    ssl3_CreateOverlapWithPolicy(ssl_variant_stream,
+                                 VERSIONS_DEFAULTS(ssl_variant_stream),
+                                 VERSIONS_DEFAULTS(ssl_variant_stream));
+    ssl3_CreateOverlapWithPolicy(ssl_variant_datagram,
+                                 VERSIONS_DEFAULTS(ssl_variant_datagram),
+                                 VERSIONS_DEFAULTS(ssl_variant_datagram));
     return SECSuccess;
 }
 
+PRBool
+ssl3_VersionIsSupportedByCode(SSLProtocolVariant protocolVariant,
+                              SSL3ProtocolVersion version)
+{
+    switch (protocolVariant) {
+        case ssl_variant_stream:
+            return (version >= SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM &&
+                    version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
+        case ssl_variant_datagram:
+            return (version >= SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM &&
+                    version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
+    }
+
+    /* Can't get here */
+    PORT_Assert(PR_FALSE);
+    return PR_FALSE;
+}
+
 PRBool
 ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
                         SSL3ProtocolVersion version)
@@ -2273,33 +2313,7 @@ ssl3_VersionIsSupported(SSLProtocolVariant protocolVariant,
     if (!ssl_VersionIsSupportedByPolicy(protocolVariant, version)) {
         return PR_FALSE;
     }
-    switch (protocolVariant) {
-        case ssl_variant_stream:
-            return (version >= SSL_LIBRARY_VERSION_3_0 &&
-                    version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
-        case ssl_variant_datagram:
-            return (version >= SSL_LIBRARY_VERSION_TLS_1_1 &&
-                    version <= SSL_LIBRARY_VERSION_MAX_SUPPORTED);
-        default:
-            /* Can't get here */
-            PORT_Assert(PR_FALSE);
-            return PR_FALSE;
-    }
-}
-
-/* Returns PR_TRUE if the given version range is valid and
-** fully supported; otherwise, returns PR_FALSE.
-*/
-static PRBool
-ssl3_VersionRangeIsValid(SSLProtocolVariant protocolVariant,
-                         const SSLVersionRange *vrange)
-{
-    return vrange &&
-           vrange->min <= vrange->max &&
-           ssl3_VersionIsSupported(protocolVariant, vrange->min) &&
-           ssl3_VersionIsSupported(protocolVariant, vrange->max) &&
-           (vrange->min > SSL_LIBRARY_VERSION_3_0 ||
-            vrange->max < SSL_LIBRARY_VERSION_TLS_1_3);
+    return ssl3_VersionIsSupportedByCode(protocolVariant, version);
 }
 
 const SECItem *
@@ -2325,6 +2339,8 @@ SECStatus
 SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
                              SSLVersionRange *vrange)
 {
+    SECStatus rv;
+
     if (!vrange) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
@@ -2332,15 +2348,15 @@ SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
 
     switch (protocolVariant) {
         case ssl_variant_stream:
-            vrange->min = SSL_LIBRARY_VERSION_3_0;
+            vrange->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_STREAM;
             vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
-            // We don't allow SSLv3 and TLSv1.3 together.
-            if (vrange->max == SSL_LIBRARY_VERSION_TLS_1_3) {
-                vrange->min = SSL_LIBRARY_VERSION_TLS_1_0;
-            }
+            /* We don't allow SSLv3 and TLSv1.3 together.
+             * However, don't check yet, apply the policy first.
+             * Because if the effective supported range doesn't use TLS 1.3,
+             * then we don't need to increase the minimum. */
             break;
         case ssl_variant_datagram:
-            vrange->min = SSL_LIBRARY_VERSION_TLS_1_1;
+            vrange->min = SSL_LIBRARY_VERSION_MIN_SUPPORTED_DATAGRAM;
             vrange->max = SSL_LIBRARY_VERSION_MAX_SUPPORTED;
             break;
         default:
@@ -2348,6 +2364,17 @@ SSL_VersionRangeGetSupported(SSLProtocolVariant protocolVariant,
             return SECFailure;
     }
 
+    rv = ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange);
+    if (rv != SECSuccess) {
+        /* Library default and policy don't overlap. */
+        return rv;
+    }
+
+    /* We don't allow SSLv3 and TLSv1.3 together */
+    if (vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3) {
+        vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
+    }
+
     return SECSuccess;
 }
 
@@ -2363,6 +2390,43 @@ SSL_VersionRangeGetDefault(SSLProtocolVariant protocolVariant,
     }
 
     *vrange = *VERSIONS_DEFAULTS(protocolVariant);
+    return ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange);
+}
+
+static PRBool
+ssl3_HasConflictingSSLVersions(const SSLVersionRange *vrange)
+{
+    return (vrange->min <= SSL_LIBRARY_VERSION_3_0 &&
+            vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3);
+}
+
+static SECStatus
+ssl3_CheckRangeValidAndConstrainByPolicy(SSLProtocolVariant protocolVariant,
+                                         SSLVersionRange *vrange)
+{
+    SECStatus rv;
+
+    if (vrange->min > vrange->max ||
+        !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->min) ||
+        !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max) ||
+        ssl3_HasConflictingSSLVersions(vrange)) {
+        PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
+        return SECFailure;
+    }
+
+    /* Try to adjust the received range using our policy.
+     * If there's overlap, we'll use the (possibly reduced) range.
+     * If there isn't overlap, it's failure. */
+
+    rv = ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+
+    /* We don't allow SSLv3 and TLSv1.3 together */
+    if (vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3) {
+        vrange->min = PR_MAX(vrange->min, SSL_LIBRARY_VERSION_TLS_1_0);
+    }
 
     return SECSuccess;
 }
@@ -2371,13 +2435,21 @@ SECStatus
 SSL_VersionRangeSetDefault(SSLProtocolVariant protocolVariant,
                            const SSLVersionRange *vrange)
 {
-    if (!ssl3_VersionRangeIsValid(protocolVariant, vrange)) {
-        PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
+    SSLVersionRange constrainedRange;
+    SECStatus rv;
+
+    if (!vrange) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
-    *VERSIONS_DEFAULTS(protocolVariant) = *vrange;
+    constrainedRange = *vrange;
+    rv = ssl3_CheckRangeValidAndConstrainByPolicy(protocolVariant,
+                                                  &constrainedRange);
+    if (rv != SECSuccess)
+        return rv;
 
+    *VERSIONS_DEFAULTS(protocolVariant) = constrainedRange;
     return SECSuccess;
 }
 
@@ -2405,24 +2477,33 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
 
-    return SECSuccess;
+    return ssl3_CreateOverlapWithPolicy(ss->protocolVariant, vrange, vrange);
 }
 
 SECStatus
 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
 {
-    sslSocket *ss = ssl_FindSocket(fd);
+    SSLVersionRange constrainedRange;
+    sslSocket *ss;
+    SECStatus rv;
 
+    if (!vrange) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    ss = ssl_FindSocket(fd);
     if (!ss) {
         SSL_DBG(("%d: SSL[%d]: bad socket in SSL_VersionRangeSet",
                  SSL_GETPID(), fd));
         return SECFailure;
     }
 
-    if (!ssl3_VersionRangeIsValid(ss->protocolVariant, vrange)) {
-        PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
-        return SECFailure;
-    }
+    constrainedRange = *vrange;
+    rv = ssl3_CheckRangeValidAndConstrainByPolicy(ss->protocolVariant,
+                                                  &constrainedRange);
+    if (rv != SECSuccess)
+        return rv;
 
     ssl_Get1stHandshakeLock(ss);
     ssl_GetSSL3HandshakeLock(ss);
@@ -2435,7 +2516,7 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
         return SECFailure;
     }
 
-    ss->vrange = *vrange;
+    ss->vrange = constrainedRange;
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
@@ -3684,7 +3765,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
     ss->opt.noLocks = !makeLocks;
     ss->vrange = *VERSIONS_DEFAULTS(protocolVariant);
     ss->protocolVariant = protocolVariant;
-
+    /* Ignore overlap failures, because returning NULL would trigger assertion
+     * failures elsewhere. We don't want this scenario to be fatal, it's just
+     * a state where no SSL connectivity is possible. */
+    ssl3_CreateOverlapWithPolicy(ss->protocolVariant, &ss->vrange, &ss->vrange);
     ss->peerID = NULL;
     ss->rTimeout = PR_INTERVAL_NO_TIMEOUT;
     ss->wTimeout = PR_INTERVAL_NO_TIMEOUT;

security/nss/nss-tool/enc/enctool.cc

@@ -231,20 +231,20 @@ bool EncTool::DoCipher(std::string file_name, std::string out_file,
                        bool encrypt, key_func_t get_params) {
   SECStatus rv;
   unsigned int outLen = 0, chunkSize = 1024;
-  char buffer[chunkSize + 16];
+  char buffer[1040];
   const unsigned char* bufferStart =
       reinterpret_cast<const unsigned char*>(buffer);
 
   ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
   if (!slot) {
     PrintError("Unable to find security device", PR_GetError(), __LINE__);
-    return SECFailure;
+    return false;
   }
 
   ScopedSECItem key, params;
   if (!(this->*get_params)(std::vector<uint8_t>(), key, params)) {
     PrintError("Geting keys and params failed.", __LINE__);
-    return SECFailure;
+    return false;
   }
 
   ScopedPK11SymKey symKey(
@@ -252,7 +252,7 @@ bool EncTool::DoCipher(std::string file_name, std::string out_file,
                         CKA_DECRYPT | CKA_ENCRYPT, key.get(), nullptr));
   if (!symKey) {
     PrintError("Failure to import key into NSS", PR_GetError(), __LINE__);
-    return SECFailure;
+    return false;
   }
 
   std::streambuf* buf;
@@ -270,21 +270,21 @@ bool EncTool::DoCipher(std::string file_name, std::string out_file,
   // Read from stdin.
   if (file_name.empty()) {
     std::vector<uint8_t> data = ReadInputData("");
-    uint8_t out[data.size() + 16];
+    std::vector<uint8_t> out(data.size() + 16);
     SECStatus rv;
     if (encrypt) {
-      rv = PK11_Encrypt(symKey.get(), cipher_mech_, params.get(), out, &outLen,
-                        data.size() + 16, data.data(), data.size());
+      rv = PK11_Encrypt(symKey.get(), cipher_mech_, params.get(), out.data(),
+                        &outLen, data.size() + 16, data.data(), data.size());
     } else {
-      rv = PK11_Decrypt(symKey.get(), cipher_mech_, params.get(), out, &outLen,
-                        data.size() + 16, data.data(), data.size());
+      rv = PK11_Decrypt(symKey.get(), cipher_mech_, params.get(), out.data(),
+                        &outLen, data.size() + 16, data.data(), data.size());
     }
     if (rv != SECSuccess) {
       PrintError(encrypt ? "Error encrypting" : "Error decrypting",
                  PR_GetError(), __LINE__);
       return false;
     };
-    output.write(reinterpret_cast<char*>(out), outLen);
+    output.write(reinterpret_cast<char*>(out.data()), outLen);
     output.flush();
     if (output_file.good()) {
       output_file.close();
@@ -302,7 +302,7 @@ bool EncTool::DoCipher(std::string file_name, std::string out_file,
   if (!input.good()) {
     return false;
   }
-  uint8_t out[chunkSize + 16];
+  uint8_t out[1040];
   while (input) {
     if (encrypt) {
       input.read(buffer, chunkSize);

security/nss/tests/common/cleanup.sh

@@ -27,6 +27,9 @@ if [ -z "${CLEANUP}" -o "${CLEANUP}" = "${SCRIPTNAME}" ]; then
     echo "NSS_AIA_OCSP=${NSS_AIA_OCSP}"
     echo "IOPR_HOSTADDR_LIST=${IOPR_HOSTADDR_LIST}"
     echo "PKITS_DATA=${PKITS_DATA}"
+    echo "NSS_DISABLE_HW_AES=${NSS_DISABLE_HW_AES}"
+    echo "NSS_DISABLE_PCLMUL=${NSS_DISABLE_PCLMUL}"
+    echo "NSS_DISABLE_AVX=${NSS_DISABLE_AVX}"
     echo
     echo "Tests summary:"
     echo "--------------"

toolkit/content/tests/chrome/window_panel_anchoradjust.xul

@@ -32,6 +32,9 @@
   <menuitem label="Three"/>
 </menupopup>
 
+<button id="anchorhidden" label="HiddenAnchor" hidden="true"/>
+<button id="anchorextra" label="ExtraAnchor"/>
+
 <script type="application/javascript"><![CDATA[
 
 Components.utils.import("resource://gre/modules/Task.jsm");
@@ -140,6 +143,27 @@ function runTests() {
     yield popuphidden;
     yield menupopuphidden;
 
+    // A popup with a hidden anchor should not update
+    let anchorhidden = document.getElementById("anchorhidden");
+    popupshown = waitForPanel(panel, "popupshown");
+    panel.openPopup(anchorhidden, "after_start");
+    yield popupshown;
+
+    let oldtop = panel.getBoundingClientRect().top;
+
+    // Show and adjust anchors. The panel should not update or hide due to this.
+    anchorhidden.hidden = false;
+    document.getElementById("anchorextra").hidden = true;
+    yield new Promise(r => { SimpleTest.executeSoon(r); });
+
+    let newtop = panel.getBoundingClientRect().top;
+    is(panel.state, "open", "panel is still open after showing anchor");
+    is(oldtop, newtop, "panel top did not change after showing anchor");
+
+    popuphidden = waitForPanel(panel, "popuphidden");
+    panel.hidePopup();
+    yield popuphidden;
+
     // The panel should no longer follow anchors.
     panel.setAttribute("followanchor", "false");
 

widget/nsIWidget.h

@@ -1950,6 +1950,13 @@ public:
     virtual CompositorBridgeChild* GetRemoteRenderer()
     { return nullptr; }
 
+    /**
+     * Returns true if the widget requires synchronous repaints on resize,
+     * false otherwise.
+     */
+    virtual bool SynchronouslyRepaintOnResize()
+    { return true; }
+
     /**
      * Some platforms (only cocoa right now) round widget coordinates to the
      * nearest even pixels (see bug 892994), this function allows us to

widget/windows/nsWindow.h

@@ -316,6 +316,9 @@ public:
 
   void GetCompositorWidgetInitData(mozilla::widget::CompositorWidgetInitData* aInitData) override;
   bool IsTouchWindow() const { return mTouchWindow; }
+  bool SynchronouslyRepaintOnResize() override {
+    return false;
+  }
 
 protected:
   virtual ~nsWindow();

xpcom/io/Base64.cpp

@@ -6,6 +6,7 @@
 
 #include "Base64.h"
 
+#include "mozilla/ScopeExit.h"
 #include "mozilla/UniquePtrExtensions.h"
 #include "nsIInputStream.h"
 #include "nsString.h"
@@ -356,16 +357,27 @@ Base64Encode(const nsACString& aBinary, nsACString& aBase64)
 nsresult
 Base64Encode(const nsAString& aBinary, nsAString& aBase64)
 {
-  NS_LossyConvertUTF16toASCII binary(aBinary);
+  auto truncater = mozilla::MakeScopeExit([&]() { aBase64.Truncate(); });
+
+  // XXX We should really consider decoding directly from the string, rather
+  // than making a separate copy here.
+  nsAutoCString binary;
+  if (!binary.SetCapacity(aBinary.Length(), mozilla::fallible)) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+  LossyCopyUTF16toASCII(aBinary, binary);
+
   nsAutoCString base64;
 
   nsresult rv = Base64Encode(binary, base64);
-  if (NS_SUCCEEDED(rv)) {
-    CopyASCIItoUTF16(base64, aBase64);
-  } else {
-    aBase64.Truncate();
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  if (!CopyASCIItoUTF16(base64, aBase64, mozilla::fallible)) {
+    return NS_ERROR_OUT_OF_MEMORY;
   }
 
+  truncater.release();
+
   return rv;
 }
 
@@ -464,16 +476,27 @@ Base64Decode(const nsACString& aBase64, nsACString& aBinary)
 nsresult
 Base64Decode(const nsAString& aBase64, nsAString& aBinary)
 {
-  NS_LossyConvertUTF16toASCII base64(aBase64);
+  auto truncater = mozilla::MakeScopeExit([&]() { aBinary.Truncate(); });
+
+  // XXX We should really consider decoding directly from the string, rather
+  // than making a separate copy here.
+  nsAutoCString base64;
+  if (!base64.SetCapacity(aBase64.Length(), mozilla::fallible)) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+  LossyCopyUTF16toASCII(aBase64, base64);
+
   nsAutoCString binary;
 
   nsresult rv = Base64Decode(base64, binary);
-  if (NS_SUCCEEDED(rv)) {
-    CopyASCIItoUTF16(binary, aBinary);
-  } else {
-    aBinary.Truncate();
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  if (!CopyASCIItoUTF16(binary, aBinary, mozilla::fallible)) {
+    return NS_ERROR_OUT_OF_MEMORY;
   }
 
+  truncater.release();
+
   return rv;
 }
 

xpcom/io/SlicedInputStream.cpp

@@ -38,8 +38,6 @@ SlicedInputStream::SlicedInputStream(nsIInputStream* aInputStream,
   , mLength(aLength)
   , mCurPos(0)
   , mClosed(false)
-  , mAsyncWaitFlags(0)
-  , mAsyncWaitRequestedCount(0)
 {
   MOZ_ASSERT(aInputStream);
   SetSourceStream(aInputStream);
@@ -54,8 +52,6 @@ SlicedInputStream::SlicedInputStream()
   , mLength(0)
   , mCurPos(0)
   , mClosed(false)
-  , mAsyncWaitFlags(0)
-  , mAsyncWaitRequestedCount(0)
 {}
 
 SlicedInputStream::~SlicedInputStream()

xpcom/string/nsReadableUtils.cpp

@@ -87,9 +87,20 @@ LossyCopyUTF16toASCII(const nsAString& aSource, nsACString& aDest)
 
 void
 CopyASCIItoUTF16(const nsACString& aSource, nsAString& aDest)
+{
+  if (!CopyASCIItoUTF16(aSource, aDest, mozilla::fallible)) {
+    // Note that this may wildly underestimate the allocation that failed, as
+    // we report the length of aSource as UTF-16 instead of UTF-8.
+    aDest.AllocFailed(aDest.Length() + aSource.Length());
+  }
+}
+
+bool
+CopyASCIItoUTF16(const nsACString& aSource, nsAString& aDest,
+                 const mozilla::fallible_t& aFallible)
 {
   aDest.Truncate();
-  AppendASCIItoUTF16(aSource, aDest);
+  return AppendASCIItoUTF16(aSource, aDest, aFallible);
 }
 
 void

xpcom/string/nsReadableUtils.h

@@ -35,6 +35,8 @@ Distance(const nsReadingIterator<char>& aStart,
 
 void LossyCopyUTF16toASCII(const nsAString& aSource, nsACString& aDest);
 void CopyASCIItoUTF16(const nsACString& aSource, nsAString& aDest);
+MOZ_MUST_USE bool CopyASCIItoUTF16(const nsACString& aSource, nsAString& aDest,
+                                   const mozilla::fallible_t&);
 
 void LossyCopyUTF16toASCII(const char16ptr_t aSource, nsACString& aDest);
 void CopyASCIItoUTF16(const char* aSource, nsAString& aDest);