diff --git a/accessible/aom/AccessibleNode.cpp b/accessible/aom/AccessibleNode.cpp
index 2fb7583c8925..90d8b69341c0 100644
--- a/accessible/aom/AccessibleNode.cpp
+++ b/accessible/aom/AccessibleNode.cpp
@@ -30,8 +30,12 @@ NS_IMPL_CYCLE_COLLECTING_RELEASE(AccessibleNode)
 
 AccessibleNode::AccessibleNode(nsINode* aNode) : mDOMNode(aNode)
 {
-  DocAccessible* doc =
-    GetOrCreateAccService()->GetDocAccessible(mDOMNode->OwnerDoc());
+  nsAccessibilityService* accService = GetOrCreateAccService();
+  if (!accService) {
+    return;
+  }
+
+  DocAccessible* doc = accService->GetDocAccessible(mDOMNode->OwnerDoc());
   if (doc) {
     mIntl = doc->GetAccessible(mDOMNode);
   }
@@ -57,8 +61,11 @@ void
 AccessibleNode::GetRole(nsAString& aRole)
 {
   if (mIntl) {
-    GetOrCreateAccService()->GetStringRole(mIntl->Role(), aRole);
-    return;
+    nsAccessibilityService* accService = GetOrCreateAccService();
+    if (accService) {
+      accService->GetStringRole(mIntl->Role(), aRole);
+      return;
+    }
   }
 
   aRole.AssignLiteral("unknown");
@@ -67,15 +74,19 @@ AccessibleNode::GetRole(nsAString& aRole)
 void
 AccessibleNode::GetStates(nsTArray<nsString>& aStates)
 {
-  if (mIntl) {
-    if (!mStates) {
-      mStates = GetOrCreateAccService()->GetStringStates(mIntl->State());
-    }
+  nsAccessibilityService* accService = GetOrCreateAccService();
+  if (!mIntl || !accService) {
+    aStates.AppendElement(NS_LITERAL_STRING("defunct"));
+    return;
+  }
+
+  if (mStates) {
     aStates = mStates->StringArray();
     return;
   }
 
-  aStates.AppendElement(NS_LITERAL_STRING("defunct"));
+  mStates = accService->GetStringStates(mIntl->State());
+  aStates = mStates->StringArray();
 }
 
 void
@@ -106,7 +117,8 @@ AccessibleNode::GetAttributes(nsTArray<nsString>& aAttributes)
 bool
 AccessibleNode::Is(const Sequence<nsString>& aFlavors)
 {
-  if (!mIntl) {
+  nsAccessibilityService* accService = GetOrCreateAccService();
+  if (!mIntl || !accService) {
     for (const auto& flavor : aFlavors) {
       if (!flavor.EqualsLiteral("unknown") && !flavor.EqualsLiteral("defunct")) {
         return false;
@@ -116,10 +128,10 @@ AccessibleNode::Is(const Sequence<nsString>& aFlavors)
   }
 
   nsAutoString role;
-  GetOrCreateAccService()->GetStringRole(mIntl->Role(), role);
+  accService->GetStringRole(mIntl->Role(), role);
 
   if (!mStates) {
-    mStates = GetOrCreateAccService()->GetStringStates(mIntl->State());
+    mStates = accService->GetStringStates(mIntl->State());
   }
 
   for (const auto& flavor : aFlavors) {
diff --git a/accessible/base/nsAccessibilityService.cpp b/accessible/base/nsAccessibilityService.cpp
index 1cf33f196744..97dc6e7fa341 100644
--- a/accessible/base/nsAccessibilityService.cpp
+++ b/accessible/base/nsAccessibilityService.cpp
@@ -1904,6 +1904,11 @@ nsAccessibilityService::NotifyOfConsumersChange()
 nsAccessibilityService*
 GetOrCreateAccService(uint32_t aNewConsumer)
 {
+  // Do not initialize accessibility if it is force disabled.
+  if (PlatformDisabledState() == ePlatformIsDisabled) {
+    return nullptr;
+  }
+
   if (!nsAccessibilityService::gAccessibilityService) {
     RefPtr<nsAccessibilityService> service = new nsAccessibilityService();
     if (!service->Init()) {
diff --git a/accessible/xpcom/xpcAccessibilityService.cpp b/accessible/xpcom/xpcAccessibilityService.cpp
index 2606d4b366cb..35fee520c685 100644
--- a/accessible/xpcom/xpcAccessibilityService.cpp
+++ b/accessible/xpcom/xpcAccessibilityService.cpp
@@ -46,7 +46,7 @@ xpcAccessibilityService::AddRef(void)
 
   // We want refcount to be > 1 because one reference is added in the XPCOM
   // accessibility service getter.
-  if (mRefCnt > 1 && PlatformDisabledState() != ePlatformIsDisabled) {
+  if (mRefCnt > 1) {
     GetOrCreateAccService(nsAccessibilityService::eXPCOM);
   }
 
@@ -280,13 +280,10 @@ NS_GetAccessibilityService(nsIAccessibilityService** aResult)
   NS_ENSURE_TRUE(aResult, NS_ERROR_NULL_POINTER);
   *aResult = nullptr;
 
-  // Do not initialize accessibility if it is force disabled.
-  if (PlatformDisabledState() == ePlatformIsDisabled) {
+  if (!GetOrCreateAccService(nsAccessibilityService::eXPCOM)) {
     return NS_ERROR_SERVICE_NOT_AVAILABLE;
   }
 
-  GetOrCreateAccService(nsAccessibilityService::eXPCOM);
-
   xpcAccessibilityService* service = new xpcAccessibilityService();
   NS_ENSURE_TRUE(service, NS_ERROR_OUT_OF_MEMORY);
   xpcAccessibilityService::gXPCAccessibilityService = service;
diff --git a/browser/components/preferences/in-content/tests/browser_subdialogs.js b/browser/components/preferences/in-content/tests/browser_subdialogs.js
index a5994fa3d175..5aa0d2ba400a 100644
--- a/browser/components/preferences/in-content/tests/browser_subdialogs.js
+++ b/browser/components/preferences/in-content/tests/browser_subdialogs.js
@@ -297,7 +297,9 @@ add_task(async function wrapped_text_in_dialog_should_have_expected_scrollHeight
     Assert.ok(docEl.scrollHeight > contentOldHeight,
       "Content height increased (from " + contentOldHeight + " to " + docEl.scrollHeight + ").");
     Assert.equal(frame.style.height, docEl.scrollHeight + "px",
-      "Height on the frame should be higher now");
+      "Height on the frame should be higher now. " +
+      "This test may fail on certain screen resoluition. " +
+      "See bug 1420576 and bug 1205717.");
   });
 
   await close_subdialog_and_test_generic_end_state(tab.linkedBrowser,
diff --git a/browser/modules/test/browser/browser_urlBar_zoom.js b/browser/modules/test/browser/browser_urlBar_zoom.js
index e9118e24fa30..050ab5f7d8e1 100644
--- a/browser/modules/test/browser/browser_urlBar_zoom.js
+++ b/browser/modules/test/browser/browser_urlBar_zoom.js
@@ -8,6 +8,8 @@ var initialPageZoom = ZoomManager.zoom;
 const kTimeoutInMS = 20000;
 
 async function testZoomButtonAppearsAndDisappearsBasedOnZoomChanges(zoomEventType) {
+  let tab = await BrowserTestUtils.openNewForegroundTab({ gBrowser, waitForStateStop: true });
+
   info("Running this test with " + zoomEventType.substring(0, 9));
   info("Confirm whether the browser zoom is set to the default level");
   is(initialPageZoom, 1, "Page zoom is set to default (100%)");
@@ -32,6 +34,8 @@ async function testZoomButtonAppearsAndDisappearsBasedOnZoomChanges(zoomEventTyp
   expectedZoomLevel = 100;
   is(pageZoomLevel, expectedZoomLevel, "Clicking zoom button successfully resets browser zoom to 100%");
   is(zoomResetButton.hidden, true, "Zoom reset button returns to being hidden");
+
+  await BrowserTestUtils.removeTab(tab);
 }
 
 add_task(async function() {
diff --git a/devtools/client/debugger/test/mochitest/browser_dbg_parser-03.js b/devtools/client/debugger/test/mochitest/browser_dbg_parser-03.js
index 439df705b4eb..76c3bfc9ebc2 100644
--- a/devtools/client/debugger/test/mochitest/browser_dbg_parser-03.js
+++ b/devtools/client/debugger/test/mochitest/browser_dbg_parser-03.js
@@ -19,7 +19,7 @@ function test() {
     "<script type='text/javascript'>",
     "let b = 42;",
     "</script>",
-    "<script type='text/javascript;version=1.8'>",
+    "<script type='text/javascript'>",
     "let c = 42;",
     "</script>",
     "</head>"
@@ -44,14 +44,14 @@ function test() {
     "The first script was located correctly.");
   is(parsed.getScriptInfo(source.indexOf("let b")).toSource(), "({start:85, length:13, index:1})",
     "The second script was located correctly.");
-  is(parsed.getScriptInfo(source.indexOf("let c")).toSource(), "({start:151, length:13, index:2})",
+  is(parsed.getScriptInfo(source.indexOf("let c")).toSource(), "({start:139, length:13, index:2})",
     "The third script was located correctly.");
 
   is(parsed.getScriptInfo(source.indexOf("let a") - 1).toSource(), "({start:31, length:13, index:0})",
     "The left edge of the first script was interpreted correctly.");
   is(parsed.getScriptInfo(source.indexOf("let b") - 1).toSource(), "({start:85, length:13, index:1})",
     "The left edge of the second script was interpreted correctly.");
-  is(parsed.getScriptInfo(source.indexOf("let c") - 1).toSource(), "({start:151, length:13, index:2})",
+  is(parsed.getScriptInfo(source.indexOf("let c") - 1).toSource(), "({start:139, length:13, index:2})",
     "The left edge of the third script was interpreted correctly.");
 
   is(parsed.getScriptInfo(source.indexOf("let a") - 2).toSource(), "({start:-1, length:-1, index:-1})",
@@ -65,7 +65,7 @@ function test() {
     "The right edge of the first script was interpreted correctly.");
   is(parsed.getScriptInfo(source.indexOf("let b") + 12).toSource(), "({start:85, length:13, index:1})",
     "The right edge of the second script was interpreted correctly.");
-  is(parsed.getScriptInfo(source.indexOf("let c") + 12).toSource(), "({start:151, length:13, index:2})",
+  is(parsed.getScriptInfo(source.indexOf("let c") + 12).toSource(), "({start:139, length:13, index:2})",
     "The right edge of the third script was interpreted correctly.");
 
   is(parsed.getScriptInfo(source.indexOf("let a") + 13).toSource(), "({start:-1, length:-1, index:-1})",
diff --git a/devtools/client/debugger/test/mochitest/browser_dbg_parser-05.js b/devtools/client/debugger/test/mochitest/browser_dbg_parser-05.js
index b34d3952a0de..e8937450beff 100644
--- a/devtools/client/debugger/test/mochitest/browser_dbg_parser-05.js
+++ b/devtools/client/debugger/test/mochitest/browser_dbg_parser-05.js
@@ -19,7 +19,7 @@ function test() {
     "a.push('<script type=\"text/javascript\">');",
     "a.push('var b = 42;');",
     "a.push('</script>');",
-    "a.push('<script type=\"text/javascript;version=1.8\">');",
+    "a.push('<script type=\"text/javascript\">');",
     "a.push('var c = 42;');",
     "a.push('</script>');"
   ].join("\n");
@@ -34,11 +34,11 @@ function test() {
   is(parsed.scriptCount, 1,
     "There should be 1 script parsed in the parent source.");
 
-  is(parsed.getScriptInfo(source.indexOf("let a")).toSource(), "({start:0, length:261, index:0})",
+  is(parsed.getScriptInfo(source.indexOf("let a")).toSource(), "({start:0, length:249, index:0})",
     "The script location is correct (1).");
-  is(parsed.getScriptInfo(source.indexOf("<script>")).toSource(), "({start:0, length:261, index:0})",
+  is(parsed.getScriptInfo(source.indexOf("<script>")).toSource(), "({start:0, length:249, index:0})",
     "The script location is correct (2).");
-  is(parsed.getScriptInfo(source.indexOf("</script>")).toSource(), "({start:0, length:261, index:0})",
+  is(parsed.getScriptInfo(source.indexOf("</script>")).toSource(), "({start:0, length:249, index:0})",
     "The script location is correct (3).");
 
   finish();
diff --git a/devtools/client/debugger/test/mochitest/browser_dbg_parser-11.js b/devtools/client/debugger/test/mochitest/browser_dbg_parser-11.js
index ee2b4c89d32c..660f93700ebf 100644
--- a/devtools/client/debugger/test/mochitest/browser_dbg_parser-11.js
+++ b/devtools/client/debugger/test/mochitest/browser_dbg_parser-11.js
@@ -12,7 +12,7 @@ function test() {
 
   let source = [
     '<script type="text/javascript" src="chrome://foo.js"/>',
-    '<script type="application/javascript;version=1.8" src="chrome://baz.js"/>',
+    '<script type="application/javascript" src="chrome://baz.js"/>',
     '<script async defer src="chrome://foobar.js"/>',
     '<script type="application/javascript"/>"hello third"',
     '<script type="application/javascript">"hello fourth"</script>',
@@ -34,7 +34,7 @@ function test() {
 
   is(parsed.getScriptInfo(source.indexOf("hello third!")).toSource(), "({start:-1, length:-1, index:-1})",
     "Inline script on self-closing tag not considered a script");
-  is(parsed.getScriptInfo(source.indexOf("hello fourth")).toSource(), "({start:267, length:14, index:4})",
+  is(parsed.getScriptInfo(source.indexOf("hello fourth")).toSource(), "({start:255, length:14, index:4})",
     "The fourth script was located correctly.");
 
   finish();
diff --git a/devtools/client/webconsole/new-console-output/test/mochitest/test-bug-632347-iterators-generators.html b/devtools/client/webconsole/new-console-output/test/mochitest/test-bug-632347-iterators-generators.html
index 2209e519dffe..b9c4a54c2531 100644
--- a/devtools/client/webconsole/new-console-output/test/mochitest/test-bug-632347-iterators-generators.html
+++ b/devtools/client/webconsole/new-console-output/test/mochitest/test-bug-632347-iterators-generators.html
@@ -5,7 +5,7 @@
     <title>Web Console test for bug 632347 - generators</title>
     <!-- Any copyright is dedicated to the Public Domain.
          http://creativecommons.org/publicdomain/zero/1.0/ -->
-<script type="application/javascript;version=1.8">
+<script type="application/javascript">
 (function(){
 function genFunc() {
   var a = 5;
diff --git a/devtools/client/webconsole/test/test-bug-632347-iterators-generators.html b/devtools/client/webconsole/test/test-bug-632347-iterators-generators.html
index 4e3ede12f843..ee5996517457 100644
--- a/devtools/client/webconsole/test/test-bug-632347-iterators-generators.html
+++ b/devtools/client/webconsole/test/test-bug-632347-iterators-generators.html
@@ -5,7 +5,7 @@
     <title>Web Console test for bug 632347 - generators</title>
     <!-- Any copyright is dedicated to the Public Domain.
          http://creativecommons.org/publicdomain/zero/1.0/ -->
-<script type="application/javascript;version=1.8">
+<script type="application/javascript">
 (function(){
 function* genFunc() {
   var a = 5;
diff --git a/dom/file/nsHostObjectProtocolHandler.cpp b/dom/file/nsHostObjectProtocolHandler.cpp
index 1e892dfdb540..f281a9a12fb3 100644
--- a/dom/file/nsHostObjectProtocolHandler.cpp
+++ b/dom/file/nsHostObjectProtocolHandler.cpp
@@ -28,7 +28,7 @@
 #include "nsIUUIDGenerator.h"
 #include "nsNetUtil.h"
 
-#define RELEASING_TIMER 1000
+#define RELEASING_TIMER 5000
 
 using namespace mozilla;
 using namespace mozilla::dom;
@@ -48,18 +48,21 @@ struct DataInfo
     : mObjectType(eBlobImpl)
     , mBlobImpl(aBlobImpl)
     , mPrincipal(aPrincipal)
+    , mRevoked(false)
   {}
 
   DataInfo(DOMMediaStream* aMediaStream, nsIPrincipal* aPrincipal)
     : mObjectType(eMediaStream)
     , mMediaStream(aMediaStream)
     , mPrincipal(aPrincipal)
+    , mRevoked(false)
   {}
 
   DataInfo(MediaSource* aMediaSource, nsIPrincipal* aPrincipal)
     : mObjectType(eMediaSource)
     , mMediaSource(aMediaSource)
     , mPrincipal(aPrincipal)
+    , mRevoked(false)
   {}
 
   ObjectType mObjectType;
@@ -73,12 +76,17 @@ struct DataInfo
 
   // WeakReferences of nsHostObjectURI objects.
   nsTArray<nsWeakPtr> mURIs;
+
+  // When a blobURL is revoked, we keep it alive for RELEASING_TIMER
+  // milliseconds in order to support pending operations such as navigation,
+  // download and so on.
+  bool mRevoked;
 };
 
 static nsClassHashtable<nsCStringHashKey, DataInfo>* gDataTable;
 
 static DataInfo*
-GetDataInfo(const nsACString& aUri)
+GetDataInfo(const nsACString& aUri, bool aAlsoIfRevoked = false)
 {
   if (!gDataTable) {
     return nullptr;
@@ -105,6 +113,10 @@ GetDataInfo(const nsACString& aUri)
     gDataTable->Get(StringHead(aUri, pos), &res);
   }
 
+  if (!aAlsoIfRevoked && res && res->mRevoked) {
+    return nullptr;
+  }
+
   return res;
 }
 
@@ -154,9 +166,8 @@ BroadcastBlobURLRegistration(const nsACString& aURI,
 }
 
 void
-BroadcastBlobURLUnregistration(const nsACString& aURI, DataInfo* aInfo)
+BroadcastBlobURLUnregistration(const nsCString& aURI)
 {
-  MOZ_ASSERT(aInfo);
   MOZ_ASSERT(NS_IsMainThread());
 
   if (XRE_IsParentProcess()) {
@@ -165,8 +176,7 @@ BroadcastBlobURLUnregistration(const nsACString& aURI, DataInfo* aInfo)
   }
 
   dom::ContentChild* cc = dom::ContentChild::GetSingleton();
-  Unused << NS_WARN_IF(!cc->SendUnstoreAndBroadcastBlobURLUnregistration(
-    nsCString(aURI)));
+  Unused << NS_WARN_IF(!cc->SendUnstoreAndBroadcastBlobURLUnregistration(aURI));
 }
 
 class HostObjectURLsReporter final : public nsIMemoryReporter
@@ -432,9 +442,10 @@ public:
   NS_DECL_ISUPPORTS
 
   static void
-  Create(nsTArray<nsWeakPtr>&& aArray)
+  Create(const nsACString& aURI, bool aBroadcastToOtherProcesses)
   {
-    RefPtr<ReleasingTimerHolder> holder = new ReleasingTimerHolder(Move(aArray));
+    RefPtr<ReleasingTimerHolder> holder =
+      new ReleasingTimerHolder(aURI, aBroadcastToOtherProcesses);
     nsresult rv = NS_NewTimerWithCallback(getter_AddRefs(holder->mTimer),
                                           holder, RELEASING_TIMER,
                                           nsITimer::TYPE_ONE_SHOT,
@@ -445,13 +456,32 @@ public:
   NS_IMETHOD
   Notify(nsITimer* aTimer) override
   {
-    for (uint32_t i = 0; i < mURIs.Length(); ++i) {
-      nsCOMPtr<nsIURI> uri = do_QueryReferent(mURIs[i]);
+    // If we have to broadcast the unregistration, let's do it now.
+    if (mBroadcastToOtherProcesses) {
+      BroadcastBlobURLUnregistration(mURI);
+    }
+
+    DataInfo* info = GetDataInfo(mURI, true /* We care about revoked dataInfo */);
+    if (!info) {
+      // Already gone!
+      return NS_OK;
+    }
+
+    MOZ_ASSERT(info->mRevoked);
+
+    for (uint32_t i = 0; i < info->mURIs.Length(); ++i) {
+      nsCOMPtr<nsIURI> uri = do_QueryReferent(info->mURIs[i]);
       if (uri) {
         static_cast<nsHostObjectURI*>(uri.get())->ForgetBlobImpl();
       }
     }
 
+    gDataTable->Remove(mURI);
+    if (gDataTable->Count() == 0) {
+      delete gDataTable;
+      gDataTable = nullptr;
+    }
+
     return NS_OK;
   }
 
@@ -463,14 +493,17 @@ public:
   }
 
 private:
-  explicit ReleasingTimerHolder(nsTArray<nsWeakPtr>&& aArray)
-    : mURIs(aArray)
+  ReleasingTimerHolder(const nsACString& aURI, bool aBroadcastToOtherProcesses)
+    : mURI(aURI)
+    , mBroadcastToOtherProcesses(aBroadcastToOtherProcesses)
   {}
 
   ~ReleasingTimerHolder()
   {}
 
-  nsTArray<nsWeakPtr> mURIs;
+  nsCString mURI;
+  bool mBroadcastToOtherProcesses;
+
   nsCOMPtr<nsITimer> mTimer;
 };
 
@@ -596,7 +629,8 @@ nsHostObjectProtocolHandler::GetAllBlobURLEntries(
     }
 
     aRegistrations.AppendElement(BlobURLRegistrationData(
-      nsCString(iter.Key()), ipcBlob, IPC::Principal(info->mPrincipal)));
+      nsCString(iter.Key()), ipcBlob, IPC::Principal(info->mPrincipal),
+                info->mRevoked));
   }
 
   return true;
@@ -615,26 +649,19 @@ nsHostObjectProtocolHandler::RemoveDataEntry(const nsACString& aUri,
     return;
   }
 
-  if (aBroadcastToOtherProcesses && info->mObjectType == DataInfo::eBlobImpl) {
-    BroadcastBlobURLUnregistration(aUri, info);
-  }
+  info->mRevoked = true;
 
-  if (!info->mURIs.IsEmpty()) {
-    ReleasingTimerHolder::Create(Move(info->mURIs));
-  }
-
-  gDataTable->Remove(aUri);
-  if (gDataTable->Count() == 0) {
-    delete gDataTable;
-    gDataTable = nullptr;
-  }
+  // The timer will take care of removing the entry for real after
+  // RELEASING_TIMER milliseconds. In the meantime, the DataInfo, marked as
+  // revoked, will not be exposed.
+  ReleasingTimerHolder::Create(aUri,
+                               aBroadcastToOtherProcesses &&
+                                 info->mObjectType == DataInfo::eBlobImpl);
 }
 
 /* static */ void
 nsHostObjectProtocolHandler::RemoveDataEntries()
 {
-  MOZ_ASSERT(XRE_IsContentProcess());
-
   if (!gDataTable) {
     return;
   }
diff --git a/dom/file/nsHostObjectProtocolHandler.h b/dom/file/nsHostObjectProtocolHandler.h
index 4b40bc3ec352..999fa5453657 100644
--- a/dom/file/nsHostObjectProtocolHandler.h
+++ b/dom/file/nsHostObjectProtocolHandler.h
@@ -77,7 +77,6 @@ public:
   static void RemoveDataEntry(const nsACString& aUri,
                               bool aBroadcastToOTherProcesses = true);
 
-  // This is for IPC only.
   static void RemoveDataEntries();
 
   static bool HasDataEntry(const nsACString& aUri);
diff --git a/dom/ipc/ContentChild.cpp b/dom/ipc/ContentChild.cpp
index 3f424ba314f2..464c7d9a49a5 100644
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@@ -2704,6 +2704,13 @@ ContentChild::RecvInitBlobURLs(nsTArray<BlobURLRegistrationData>&& aRegistration
     nsHostObjectProtocolHandler::AddDataEntry(registration.url(),
                                               registration.principal(),
                                               blobImpl);
+    // If we have received an already-revoked blobURL, we have to keep it alive
+    // for a while (see nsHostObjectProtocolHandler) in order to support pending
+    // operations such as navigation, download and so on.
+    if (registration.revoked()) {
+      nsHostObjectProtocolHandler::RemoveDataEntry(registration.url(),
+                                                   false);
+    }
   }
 
   return IPC_OK();
diff --git a/dom/ipc/ContentParent.cpp b/dom/ipc/ContentParent.cpp
index 4c346836810f..11e8bcd000b1 100644
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@@ -2796,7 +2796,7 @@ ContentParent::Observe(nsISupports* aSubject,
     // We know prefs are ASCII here.
     NS_LossyConvertUTF16toASCII strData(aData);
 
-    Pref pref(strData, null_t(), null_t());
+    Pref pref(strData, /* isLocked */ false, null_t(), null_t());
     Preferences::GetPreference(&pref);
     if (!SendPreferenceUpdate(pref)) {
       return NS_ERROR_NOT_AVAILABLE;
diff --git a/dom/ipc/ContentProcess.cpp b/dom/ipc/ContentProcess.cpp
index bff1dfebabbd..347325d794af 100644
--- a/dom/ipc/ContentProcess.cpp
+++ b/dom/ipc/ContentProcess.cpp
@@ -156,7 +156,11 @@ ContentProcess::Init(int aArgc, char* aArgv[])
         MaybePrefValue value(PrefValue(static_cast<int32_t>(strtol(str, &str, 10))));
         MOZ_ASSERT(str[0] == '|');
         str++;
-        Pref pref(nsCString(ContentPrefs::GetContentPref(index)), value, MaybePrefValue());
+        // XXX: we assume these values as default values, which may not be
+        // true. We also assume they are unlocked. Fortunately, these prefs
+        // get reset properly by the first IPC message.
+        Pref pref(nsCString(ContentPrefs::GetContentPref(index)),
+                  /* isLocked */ false, value, MaybePrefValue());
         prefsArray.AppendElement(pref);
       }
       SET_PREF_PHASE(END_INIT_PREFS);
@@ -171,7 +175,8 @@ ContentProcess::Init(int aArgc, char* aArgv[])
         MaybePrefValue value(PrefValue(!!strtol(str, &str, 10)));
         MOZ_ASSERT(str[0] == '|');
         str++;
-        Pref pref(nsCString(ContentPrefs::GetContentPref(index)), value, MaybePrefValue());
+        Pref pref(nsCString(ContentPrefs::GetContentPref(index)),
+                  /* isLocked */ false, value, MaybePrefValue());
         prefsArray.AppendElement(pref);
       }
       SET_PREF_PHASE(END_INIT_PREFS);
@@ -187,7 +192,8 @@ ContentProcess::Init(int aArgc, char* aArgv[])
         MOZ_ASSERT(str[0] == ';');
         str++;
         MaybePrefValue value(PrefValue(nsCString(str, length)));
-        Pref pref(nsCString(ContentPrefs::GetContentPref(index)), value, MaybePrefValue());
+        Pref pref(nsCString(ContentPrefs::GetContentPref(index)),
+                  /* isLocked */ false, value, MaybePrefValue());
         prefsArray.AppendElement(pref);
         str += length + 1;
         MOZ_ASSERT(*(str - 1) == '|');
diff --git a/dom/ipc/PContent.ipdl b/dom/ipc/PContent.ipdl
index 01dfec55fe5e..8d8900a80e8d 100644
--- a/dom/ipc/PContent.ipdl
+++ b/dom/ipc/PContent.ipdl
@@ -156,6 +156,7 @@ union MaybePrefValue {
 
 struct Pref {
   nsCString name;
+  bool isLocked;
   MaybePrefValue defaultValue;
   MaybePrefValue userValue;
 };
@@ -234,9 +235,10 @@ union FileCreationResult
 
 struct BlobURLRegistrationData
 {
-    nsCString url;
-    IPCBlob blob;
-    Principal principal;
+  nsCString url;
+  IPCBlob blob;
+  Principal principal;
+  bool revoked;
 };
 
 struct GMPAPITags
diff --git a/dom/script/ScriptLoader.cpp b/dom/script/ScriptLoader.cpp
index 32ea73c80222..79a7c6ed7e5b 100644
--- a/dom/script/ScriptLoader.cpp
+++ b/dom/script/ScriptLoader.cpp
@@ -1207,12 +1207,22 @@ ParseTypeAttribute(const nsAString& aType, ValidJSVersion* aVersion)
   nsAutoString versionName;
   rv = parser.GetParameter("version", versionName);
 
-  if (NS_SUCCEEDED(rv)) {
-    *aVersion = ParseJavascriptVersion(versionName);
-  } else if (rv != NS_ERROR_INVALID_ARG) {
+  if (rv == NS_ERROR_INVALID_ARG) {
+    Telemetry::Accumulate(Telemetry::SCRIPT_LOADED_WITH_VERSION, false);
+    // Argument not set.
+    return true;
+  }
+
+  if (NS_FAILED(rv)) {
     return false;
   }
 
+  *aVersion = ParseJavascriptVersion(versionName);
+  if (*aVersion == ValidJSVersion::Valid) {
+    Telemetry::Accumulate(Telemetry::SCRIPT_LOADED_WITH_VERSION, true);
+    return true;
+  }
+
   return true;
 }
 
diff --git a/dom/u2f/U2F.cpp b/dom/u2f/U2F.cpp
index b17198b4494c..249a440f6033 100644
--- a/dom/u2f/U2F.cpp
+++ b/dom/u2f/U2F.cpp
@@ -419,11 +419,17 @@ U2F::Register(const nsAString& aAppId,
   // Always blank for U2F
   nsTArray<WebAuthnExtension> extensions;
 
-  WebAuthnTransactionInfo info(rpIdHash,
-                               clientDataHash,
-                               adjustedTimeoutMillis,
-                               excludeList,
-                               extensions);
+  // Default values for U2F.
+  WebAuthnAuthenticatorSelection authSelection(false /* requireResidentKey */,
+                                               false /* requireUserVerification */,
+                                               false /* requirePlatformAttachment */);
+
+  WebAuthnMakeCredentialInfo info(rpIdHash,
+                                  clientDataHash,
+                                  adjustedTimeoutMillis,
+                                  excludeList,
+                                  extensions,
+                                  authSelection);
 
   MOZ_ASSERT(mTransaction.isNothing());
   mTransaction = Some(U2FTransaction(clientData));
@@ -548,11 +554,11 @@ U2F::Sign(const nsAString& aAppId,
   // Always blank for U2F
   nsTArray<WebAuthnExtension> extensions;
 
-  WebAuthnTransactionInfo info(rpIdHash,
-                               clientDataHash,
-                               adjustedTimeoutMillis,
-                               permittedList,
-                               extensions);
+  WebAuthnGetAssertionInfo info(rpIdHash,
+                                clientDataHash,
+                                adjustedTimeoutMillis,
+                                permittedList,
+                                extensions);
 
   MOZ_ASSERT(mTransaction.isNothing());
   mTransaction = Some(U2FTransaction(clientData));
diff --git a/dom/u2f/U2FTransactionParent.cpp b/dom/u2f/U2FTransactionParent.cpp
index 5ad428dc4e11..d3992ad7cb1d 100644
--- a/dom/u2f/U2FTransactionParent.cpp
+++ b/dom/u2f/U2FTransactionParent.cpp
@@ -13,7 +13,7 @@ namespace dom {
 
 mozilla::ipc::IPCResult
 U2FTransactionParent::RecvRequestRegister(const uint64_t& aTransactionId,
-                                          const WebAuthnTransactionInfo& aTransactionInfo)
+                                          const WebAuthnMakeCredentialInfo& aTransactionInfo)
 {
   AssertIsOnBackgroundThread();
   U2FTokenManager* mgr = U2FTokenManager::Get();
@@ -23,7 +23,7 @@ U2FTransactionParent::RecvRequestRegister(const uint64_t& aTransactionId,
 
 mozilla::ipc::IPCResult
 U2FTransactionParent::RecvRequestSign(const uint64_t& aTransactionId,
-                                      const WebAuthnTransactionInfo& aTransactionInfo)
+                                      const WebAuthnGetAssertionInfo& aTransactionInfo)
 {
   AssertIsOnBackgroundThread();
   U2FTokenManager* mgr = U2FTokenManager::Get();
diff --git a/dom/u2f/U2FTransactionParent.h b/dom/u2f/U2FTransactionParent.h
index 2b94588f7339..84a9910ab8b1 100644
--- a/dom/u2f/U2FTransactionParent.h
+++ b/dom/u2f/U2FTransactionParent.h
@@ -26,11 +26,11 @@ public:
 
   virtual mozilla::ipc::IPCResult
   RecvRequestRegister(const uint64_t& aTransactionId,
-                      const WebAuthnTransactionInfo& aTransactionInfo) override;
+                      const WebAuthnMakeCredentialInfo& aTransactionInfo) override;
 
   virtual mozilla::ipc::IPCResult
   RecvRequestSign(const uint64_t& aTransactionId,
-                  const WebAuthnTransactionInfo& aTransactionInfo) override;
+                  const WebAuthnGetAssertionInfo& aTransactionInfo) override;
 
   virtual mozilla::ipc::IPCResult
   RecvRequestCancel(const uint64_t& aTransactionId) override;
diff --git a/dom/webauthn/PWebAuthnTransaction.ipdl b/dom/webauthn/PWebAuthnTransaction.ipdl
index a8e529f483d8..96b65fdcdc64 100644
--- a/dom/webauthn/PWebAuthnTransaction.ipdl
+++ b/dom/webauthn/PWebAuthnTransaction.ipdl
@@ -19,6 +19,12 @@ include protocol PBackground;
 namespace mozilla {
 namespace dom {
 
+struct WebAuthnAuthenticatorSelection {
+    bool requireResidentKey;
+    bool requireUserVerification;
+    bool requirePlatformAttachment;
+};
+
 struct WebAuthnScopedCredentialDescriptor {
   uint8_t[] id;
 };
@@ -27,11 +33,20 @@ struct WebAuthnExtension {
   /* TODO Fill in with predefined extensions */
 };
 
-struct WebAuthnTransactionInfo {
+struct WebAuthnMakeCredentialInfo {
   uint8_t[] RpIdHash;
   uint8_t[] ClientDataHash;
   uint32_t TimeoutMS;
-  WebAuthnScopedCredentialDescriptor[] Descriptors;
+  WebAuthnScopedCredentialDescriptor[] ExcludeList;
+  WebAuthnExtension[] Extensions;
+  WebAuthnAuthenticatorSelection AuthenticatorSelection;
+};
+
+struct WebAuthnGetAssertionInfo {
+  uint8_t[] RpIdHash;
+  uint8_t[] ClientDataHash;
+  uint32_t TimeoutMS;
+  WebAuthnScopedCredentialDescriptor[] AllowList;
   WebAuthnExtension[] Extensions;
 };
 
@@ -39,8 +54,8 @@ async protocol PWebAuthnTransaction {
   manager PBackground;
   parent:
     async __delete__();
-    async RequestRegister(uint64_t aTransactionId, WebAuthnTransactionInfo aTransactionInfo);
-    async RequestSign(uint64_t aTransactionId, WebAuthnTransactionInfo aTransactionInfo);
+    async RequestRegister(uint64_t aTransactionId, WebAuthnMakeCredentialInfo aTransactionInfo);
+    async RequestSign(uint64_t aTransactionId, WebAuthnGetAssertionInfo aTransactionInfo);
     async RequestCancel(uint64_t aTransactionId);
   child:
     async ConfirmRegister(uint64_t aTransactionId, uint8_t[] RegBuffer);
diff --git a/dom/webauthn/U2FHIDTokenManager.cpp b/dom/webauthn/U2FHIDTokenManager.cpp
index e2687b166114..368d642d470c 100644
--- a/dom/webauthn/U2FHIDTokenManager.cpp
+++ b/dom/webauthn/U2FHIDTokenManager.cpp
@@ -101,14 +101,29 @@ U2FHIDTokenManager::~U2FHIDTokenManager()
 //
 RefPtr<U2FRegisterPromise>
 U2FHIDTokenManager::Register(const nsTArray<WebAuthnScopedCredentialDescriptor>& aDescriptors,
+                             const WebAuthnAuthenticatorSelection &aAuthenticatorSelection,
                              const nsTArray<uint8_t>& aApplication,
                              const nsTArray<uint8_t>& aChallenge,
                              uint32_t aTimeoutMS)
 {
   MOZ_ASSERT(NS_GetCurrentThread() == gPBackgroundThread);
 
+  uint64_t registerFlags = 0;
+
+  // Set flags for credential creation.
+  if (aAuthenticatorSelection.requireResidentKey()) {
+    registerFlags |= U2F_FLAG_REQUIRE_RESIDENT_KEY;
+  }
+  if (aAuthenticatorSelection.requireUserVerification()) {
+    registerFlags |= U2F_FLAG_REQUIRE_USER_VERIFICATION;
+  }
+  if (aAuthenticatorSelection.requirePlatformAttachment()) {
+    registerFlags |= U2F_FLAG_REQUIRE_PLATFORM_ATTACHMENT;
+  }
+
   ClearPromises();
   mTransactionId = rust_u2f_mgr_register(mU2FManager,
+                                         registerFlags,
                                          (uint64_t)aTimeoutMS,
                                          u2f_register_callback,
                                          aChallenge.Elements(),
diff --git a/dom/webauthn/U2FHIDTokenManager.h b/dom/webauthn/U2FHIDTokenManager.h
index d9d3adbc9fec..8b024386d588 100644
--- a/dom/webauthn/U2FHIDTokenManager.h
+++ b/dom/webauthn/U2FHIDTokenManager.h
@@ -92,6 +92,7 @@ public:
 
   virtual RefPtr<U2FRegisterPromise>
   Register(const nsTArray<WebAuthnScopedCredentialDescriptor>& aDescriptors,
+           const WebAuthnAuthenticatorSelection &aAuthenticatorSelection,
            const nsTArray<uint8_t>& aApplication,
            const nsTArray<uint8_t>& aChallenge,
            uint32_t aTimeoutMS) override;
diff --git a/dom/webauthn/U2FSoftTokenManager.cpp b/dom/webauthn/U2FSoftTokenManager.cpp
index 609eb54fd3a7..e804a869d676 100644
--- a/dom/webauthn/U2FSoftTokenManager.cpp
+++ b/dom/webauthn/U2FSoftTokenManager.cpp
@@ -626,6 +626,7 @@ U2FSoftTokenManager::IsRegistered(const nsTArray<uint8_t>& aKeyHandle,
 //
 RefPtr<U2FRegisterPromise>
 U2FSoftTokenManager::Register(const nsTArray<WebAuthnScopedCredentialDescriptor>& aDescriptors,
+                              const WebAuthnAuthenticatorSelection &aAuthenticatorSelection,
                               const nsTArray<uint8_t>& aApplication,
                               const nsTArray<uint8_t>& aChallenge,
                               uint32_t aTimeoutMS)
@@ -642,6 +643,14 @@ U2FSoftTokenManager::Register(const nsTArray<WebAuthnScopedCredentialDescriptor>
     }
   }
 
+  // The U2F softtoken neither supports resident keys or
+  // user verification, nor is it a platform authenticator.
+  if (aAuthenticatorSelection.requireResidentKey() ||
+      aAuthenticatorSelection.requireUserVerification() ||
+      aAuthenticatorSelection.requirePlatformAttachment()) {
+    return U2FRegisterPromise::CreateAndReject(NS_ERROR_DOM_NOT_ALLOWED_ERR, __func__);
+  }
+
   // Optional exclusion list.
   for (auto desc: aDescriptors) {
     bool isRegistered = false;
diff --git a/dom/webauthn/U2FSoftTokenManager.h b/dom/webauthn/U2FSoftTokenManager.h
index 509cba29e5c5..44ff340eaae8 100644
--- a/dom/webauthn/U2FSoftTokenManager.h
+++ b/dom/webauthn/U2FSoftTokenManager.h
@@ -27,6 +27,7 @@ public:
 
   virtual RefPtr<U2FRegisterPromise>
   Register(const nsTArray<WebAuthnScopedCredentialDescriptor>& aDescriptors,
+           const WebAuthnAuthenticatorSelection &aAuthenticatorSelection,
            const nsTArray<uint8_t>& aApplication,
            const nsTArray<uint8_t>& aChallenge,
            uint32_t aTimeoutMS) override;
diff --git a/dom/webauthn/U2FTokenManager.cpp b/dom/webauthn/U2FTokenManager.cpp
index 68d938c2b577..7f145947dc55 100644
--- a/dom/webauthn/U2FTokenManager.cpp
+++ b/dom/webauthn/U2FTokenManager.cpp
@@ -220,7 +220,7 @@ U2FTokenManager::GetTokenManagerImpl()
 void
 U2FTokenManager::Register(PWebAuthnTransactionParent* aTransactionParent,
                           const uint64_t& aTransactionId,
-                          const WebAuthnTransactionInfo& aTransactionInfo)
+                          const WebAuthnMakeCredentialInfo& aTransactionInfo)
 {
   MOZ_LOG(gU2FTokenManagerLog, LogLevel::Debug, ("U2FAuthRegister"));
 
@@ -245,7 +245,8 @@ U2FTokenManager::Register(PWebAuthnTransactionParent* aTransactionParent,
 
   uint64_t tid = mLastTransactionId = aTransactionId;
   mozilla::TimeStamp startTime = mozilla::TimeStamp::Now();
-  mTokenManagerImpl->Register(aTransactionInfo.Descriptors(),
+  mTokenManagerImpl->Register(aTransactionInfo.ExcludeList(),
+                              aTransactionInfo.AuthenticatorSelection(),
                               aTransactionInfo.RpIdHash(),
                               aTransactionInfo.ClientDataHash(),
                               aTransactionInfo.TimeoutMS())
@@ -297,7 +298,7 @@ U2FTokenManager::MaybeAbortRegister(const uint64_t& aTransactionId,
 void
 U2FTokenManager::Sign(PWebAuthnTransactionParent* aTransactionParent,
                       const uint64_t& aTransactionId,
-                      const WebAuthnTransactionInfo& aTransactionInfo)
+                      const WebAuthnGetAssertionInfo& aTransactionInfo)
 {
   MOZ_LOG(gU2FTokenManagerLog, LogLevel::Debug, ("U2FAuthSign"));
 
@@ -318,7 +319,7 @@ U2FTokenManager::Sign(PWebAuthnTransactionParent* aTransactionParent,
 
   uint64_t tid = mLastTransactionId = aTransactionId;
   mozilla::TimeStamp startTime = mozilla::TimeStamp::Now();
-  mTokenManagerImpl->Sign(aTransactionInfo.Descriptors(),
+  mTokenManagerImpl->Sign(aTransactionInfo.AllowList(),
                           aTransactionInfo.RpIdHash(),
                           aTransactionInfo.ClientDataHash(),
                           aTransactionInfo.TimeoutMS())
diff --git a/dom/webauthn/U2FTokenManager.h b/dom/webauthn/U2FTokenManager.h
index 164fd5a945f3..715041b78382 100644
--- a/dom/webauthn/U2FTokenManager.h
+++ b/dom/webauthn/U2FTokenManager.h
@@ -32,10 +32,10 @@ public:
   static U2FTokenManager* Get();
   void Register(PWebAuthnTransactionParent* aTransactionParent,
                 const uint64_t& aTransactionId,
-                const WebAuthnTransactionInfo& aTransactionInfo);
+                const WebAuthnMakeCredentialInfo& aTransactionInfo);
   void Sign(PWebAuthnTransactionParent* aTransactionParent,
             const uint64_t& aTransactionId,
-            const WebAuthnTransactionInfo& aTransactionInfo);
+            const WebAuthnGetAssertionInfo& aTransactionInfo);
   void Cancel(PWebAuthnTransactionParent* aTransactionParent,
               const uint64_t& aTransactionId);
   void MaybeClearTransaction(PWebAuthnTransactionParent* aParent);
diff --git a/dom/webauthn/U2FTokenTransport.h b/dom/webauthn/U2FTokenTransport.h
index 6fdae2716813..1d31d69e5cfc 100644
--- a/dom/webauthn/U2FTokenTransport.h
+++ b/dom/webauthn/U2FTokenTransport.h
@@ -64,6 +64,7 @@ public:
 
   virtual RefPtr<U2FRegisterPromise>
   Register(const nsTArray<WebAuthnScopedCredentialDescriptor>& aDescriptors,
+           const WebAuthnAuthenticatorSelection &aAuthenticatorSelection,
            const nsTArray<uint8_t>& aApplication,
            const nsTArray<uint8_t>& aChallenge,
            uint32_t aTimeoutMS) = 0;
diff --git a/dom/webauthn/WebAuthnManager.cpp b/dom/webauthn/WebAuthnManager.cpp
index 0708f064bf27..defa3f75c959 100644
--- a/dom/webauthn/WebAuthnManager.cpp
+++ b/dom/webauthn/WebAuthnManager.cpp
@@ -475,11 +475,28 @@ WebAuthnManager::MakeCredential(nsPIDOMWindowInner* aParent,
   // TODO: Add extension list building
   nsTArray<WebAuthnExtension> extensions;
 
-  WebAuthnTransactionInfo info(rpIdHash,
-                               clientDataHash,
-                               adjustedTimeout,
-                               excludeList,
-                               extensions);
+  const auto& selection = aOptions.mAuthenticatorSelection;
+  const auto& attachment = selection.mAuthenticatorAttachment;
+
+  // Does the RP require attachment == "platform"?
+  bool requirePlatformAttachment =
+    attachment.WasPassed() && attachment.Value() == AuthenticatorAttachment::Platform;
+
+  // Does the RP require user verification?
+  bool requireUserVerification =
+    selection.mUserVerification == UserVerificationRequirement::Required;
+
+  // Create and forward authenticator selection criteria.
+  WebAuthnAuthenticatorSelection authSelection(selection.mRequireResidentKey,
+                                               requireUserVerification,
+                                               requirePlatformAttachment);
+
+  WebAuthnMakeCredentialInfo info(rpIdHash,
+                                  clientDataHash,
+                                  adjustedTimeout,
+                                  excludeList,
+                                  extensions,
+                                  authSelection);
 
   ListenForVisibilityEvents(aParent, this);
 
@@ -492,11 +509,11 @@ WebAuthnManager::MakeCredential(nsPIDOMWindowInner* aParent,
   MOZ_ASSERT(mTransaction.isNothing());
   mTransaction = Some(WebAuthnTransaction(aParent,
                                           promise,
-                                          Move(info),
-                                          Move(clientDataJSON),
+                                          rpIdHash,
+                                          clientDataJSON,
                                           signal));
 
-  mChild->SendRequestRegister(mTransaction.ref().mId, mTransaction.ref().mInfo);
+  mChild->SendRequestRegister(mTransaction.ref().mId, info);
   return promise.forget();
 }
 
@@ -638,11 +655,11 @@ WebAuthnManager::GetAssertion(nsPIDOMWindowInner* aParent,
   // result of this processing clientExtensions.
   nsTArray<WebAuthnExtension> extensions;
 
-  WebAuthnTransactionInfo info(rpIdHash,
-                               clientDataHash,
-                               adjustedTimeout,
-                               allowList,
-                               extensions);
+  WebAuthnGetAssertionInfo info(rpIdHash,
+                                clientDataHash,
+                                adjustedTimeout,
+                                allowList,
+                                extensions);
 
   ListenForVisibilityEvents(aParent, this);
 
@@ -655,11 +672,11 @@ WebAuthnManager::GetAssertion(nsPIDOMWindowInner* aParent,
   MOZ_ASSERT(mTransaction.isNothing());
   mTransaction = Some(WebAuthnTransaction(aParent,
                                           promise,
-                                          Move(info),
-                                          Move(clientDataJSON),
+                                          rpIdHash,
+                                          clientDataJSON,
                                           signal));
 
-  mChild->SendRequestSign(mTransaction.ref().mId, mTransaction.ref().mInfo);
+  mChild->SendRequestSign(mTransaction.ref().mId, info);
   return promise.forget();
 }
 
@@ -743,7 +760,7 @@ WebAuthnManager::FinishMakeCredential(const uint64_t& aTransactionId,
   }
 
   CryptoBuffer rpIdHashBuf;
-  if (!rpIdHashBuf.Assign(mTransaction.ref().mInfo.RpIdHash())) {
+  if (!rpIdHashBuf.Assign(mTransaction.ref().mRpIdHash)) {
     RejectTransaction(NS_ERROR_OUT_OF_MEMORY);
     return;
   }
@@ -840,7 +857,7 @@ WebAuthnManager::FinishGetAssertion(const uint64_t& aTransactionId,
   }
 
   CryptoBuffer rpIdHashBuf;
-  if (!rpIdHashBuf.Assign(mTransaction.ref().mInfo.RpIdHash())) {
+  if (!rpIdHashBuf.Assign(mTransaction.ref().mRpIdHash)) {
     RejectTransaction(NS_ERROR_OUT_OF_MEMORY);
     return;
   }
diff --git a/dom/webauthn/WebAuthnManager.h b/dom/webauthn/WebAuthnManager.h
index 84e2666967ca..49545aa9b636 100644
--- a/dom/webauthn/WebAuthnManager.h
+++ b/dom/webauthn/WebAuthnManager.h
@@ -65,12 +65,12 @@ class WebAuthnTransaction
 public:
   WebAuthnTransaction(nsPIDOMWindowInner* aParent,
                       const RefPtr<Promise>& aPromise,
-                      const WebAuthnTransactionInfo&& aInfo,
-                      const nsAutoCString&& aClientData,
+                      const nsTArray<uint8_t>& aRpIdHash,
+                      const nsCString& aClientData,
                       AbortSignal* aSignal)
     : mParent(aParent)
     , mPromise(aPromise)
-    , mInfo(aInfo)
+    , mRpIdHash(aRpIdHash)
     , mClientData(aClientData)
     , mSignal(aSignal)
     , mId(NextId())
@@ -84,9 +84,8 @@ public:
   // JS Promise representing the transaction status.
   RefPtr<Promise> mPromise;
 
-  // Holds the parameters of the current transaction, as we need them both
-  // before the transaction request is sent, and on successful return.
-  WebAuthnTransactionInfo mInfo;
+  // The RP ID hash.
+  nsTArray<uint8_t> mRpIdHash;
 
   // Client data used to assemble reply objects.
   nsCString mClientData;
diff --git a/dom/webauthn/WebAuthnTransactionParent.cpp b/dom/webauthn/WebAuthnTransactionParent.cpp
index bc11963b4636..691a51f958d9 100644
--- a/dom/webauthn/WebAuthnTransactionParent.cpp
+++ b/dom/webauthn/WebAuthnTransactionParent.cpp
@@ -13,7 +13,7 @@ namespace dom {
 
 mozilla::ipc::IPCResult
 WebAuthnTransactionParent::RecvRequestRegister(const uint64_t& aTransactionId,
-                                               const WebAuthnTransactionInfo& aTransactionInfo)
+                                               const WebAuthnMakeCredentialInfo& aTransactionInfo)
 {
   AssertIsOnBackgroundThread();
   U2FTokenManager* mgr = U2FTokenManager::Get();
@@ -23,7 +23,7 @@ WebAuthnTransactionParent::RecvRequestRegister(const uint64_t& aTransactionId,
 
 mozilla::ipc::IPCResult
 WebAuthnTransactionParent::RecvRequestSign(const uint64_t& aTransactionId,
-                                           const WebAuthnTransactionInfo& aTransactionInfo)
+                                           const WebAuthnGetAssertionInfo& aTransactionInfo)
 {
   AssertIsOnBackgroundThread();
   U2FTokenManager* mgr = U2FTokenManager::Get();
diff --git a/dom/webauthn/WebAuthnTransactionParent.h b/dom/webauthn/WebAuthnTransactionParent.h
index bd07cc01ea34..27ea2d5e992b 100644
--- a/dom/webauthn/WebAuthnTransactionParent.h
+++ b/dom/webauthn/WebAuthnTransactionParent.h
@@ -26,11 +26,11 @@ public:
 
   virtual mozilla::ipc::IPCResult
   RecvRequestRegister(const uint64_t& aTransactionId,
-                      const WebAuthnTransactionInfo& aTransactionInfo) override;
+                      const WebAuthnMakeCredentialInfo& aTransactionInfo) override;
 
   virtual mozilla::ipc::IPCResult
   RecvRequestSign(const uint64_t& aTransactionId,
-                  const WebAuthnTransactionInfo& aTransactionInfo) override;
+                  const WebAuthnGetAssertionInfo& aTransactionInfo) override;
 
   virtual mozilla::ipc::IPCResult
   RecvRequestCancel(const uint64_t& aTransactionId) override;
diff --git a/dom/webauthn/tests/mochitest.ini b/dom/webauthn/tests/mochitest.ini
index f66cc88d84b3..291f694b5e93 100644
--- a/dom/webauthn/tests/mochitest.ini
+++ b/dom/webauthn/tests/mochitest.ini
@@ -7,6 +7,7 @@ skip-if = !e10s
 scheme = https
 
 [test_webauthn_abort_signal.html]
+[test_webauthn_authenticator_selection.html]
 [test_webauthn_loopback.html]
 [test_webauthn_no_token.html]
 [test_webauthn_make_credential.html]
diff --git a/dom/webauthn/tests/test_webauthn_authenticator_selection.html b/dom/webauthn/tests/test_webauthn_authenticator_selection.html
new file mode 100644
index 000000000000..16e7a6d92d1e
--- /dev/null
+++ b/dom/webauthn/tests/test_webauthn_authenticator_selection.html
@@ -0,0 +1,101 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<head>
+  <title>W3C Web Authentication - Authenticator Selection Criteria</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SpawnTask.js"></script>
+  <script type="text/javascript" src="u2futil.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+  <h1>W3C Web Authentication - Authenticator Selection Criteria</h1>
+  <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1406462">Mozilla Bug 1406462</a>
+
+  <script class="testbody" type="text/javascript">
+    "use strict";
+
+    function arrivingHereIsGood(aResult) {
+      ok(true, "Good result! Received a: " + aResult);
+    }
+
+    function arrivingHereIsBad(aResult) {
+      ok(false, "Bad result! Received a: " + aResult);
+    }
+
+    function expectNotAllowedError(aResult) {
+      ok(aResult.toString().startsWith("NotAllowedError"), "Expecting a NotAllowedError, got " + aResult);
+    }
+
+    add_task(() => {
+      // Enable the softtoken.
+      return SpecialPowers.pushPrefEnv({"set": [
+        ["security.webauth.webauthn", true],
+        ["security.webauth.webauthn_enable_softtoken", true],
+        ["security.webauth.webauthn_enable_usbtoken", false],
+      ]});
+    });
+
+    // Start a new MakeCredential() request.
+    function requestMakeCredential(authenticatorSelection) {
+      let publicKey = {
+        rp: {id: document.domain, name: "none", icon: "none"},
+        user: {id: new Uint8Array(), name: "none", icon: "none", displayName: "none"},
+        challenge: crypto.getRandomValues(new Uint8Array(16)),
+        timeout: 5000, // the minimum timeout is actually 15 seconds
+        pubKeyCredParams: [{type: "public-key", alg: cose_alg_ECDSA_w_SHA256}],
+        authenticatorSelection,
+      };
+
+      return navigator.credentials.create({publicKey});
+    }
+
+    // Test success cases.
+    add_task(async () => {
+      // No selection criteria.
+      await requestMakeCredential({})
+        .then(arrivingHereIsGood)
+        .catch(arrivingHereIsBad);
+
+      // Request a cross-platform authenticator.
+      await requestMakeCredential({authenticatorAttachment: "cross-platform"})
+        .then(arrivingHereIsGood)
+        .catch(arrivingHereIsBad);
+
+      // Don't require a resident key.
+      await requestMakeCredential({requireResidentKey: false})
+        .then(arrivingHereIsGood)
+        .catch(arrivingHereIsBad);
+
+      // Prefer user verification.
+      await requestMakeCredential({userVerification: "preferred"})
+        .then(arrivingHereIsGood)
+        .catch(arrivingHereIsBad);
+
+      // Discourage user verification.
+      await requestMakeCredential({userVerification: "discouraged"})
+        .then(arrivingHereIsGood)
+        .catch(arrivingHereIsBad);
+    });
+
+    // Test the failure cases.
+    add_task(async () => {
+      // Request a platform authenticator.
+      await requestMakeCredential({authenticatorAttachment: "platform"})
+        .then(arrivingHereIsBad)
+        .catch(expectNotAllowedError);
+
+      // Require a resident key.
+      await requestMakeCredential({requireResidentKey: true})
+        .then(arrivingHereIsBad)
+        .catch(expectNotAllowedError);
+
+      // Require user verification.
+      await requestMakeCredential({userVerification: "required"})
+        .then(arrivingHereIsBad)
+        .catch(expectNotAllowedError);
+    });
+  </script>
+
+</body>
+</html>
diff --git a/dom/webauthn/u2f-hid-rs/Cargo.toml b/dom/webauthn/u2f-hid-rs/Cargo.toml
index 5d52318e7a2b..6f05213d7dfb 100644
--- a/dom/webauthn/u2f-hid-rs/Cargo.toml
+++ b/dom/webauthn/u2f-hid-rs/Cargo.toml
@@ -19,6 +19,7 @@ env_logger = "0.4.1"
 libc = "^0.2"
 boxfnonce = "0.0.3"
 runloop = "0.1.0"
+bitflags = "1.0"
 
 [dev-dependencies]
 rust-crypto = "^0.2"
diff --git a/dom/webauthn/u2f-hid-rs/examples/main.rs b/dom/webauthn/u2f-hid-rs/examples/main.rs
index c6ab61bb68f5..2210d04ad95e 100644
--- a/dom/webauthn/u2f-hid-rs/examples/main.rs
+++ b/dom/webauthn/u2f-hid-rs/examples/main.rs
@@ -9,7 +9,7 @@ use crypto::digest::Digest;
 use crypto::sha2::Sha256;
 use std::io;
 use std::sync::mpsc::channel;
-use u2fhid::U2FManager;
+use u2fhid::{RegisterFlags, U2FManager};
 
 extern crate log;
 extern crate env_logger;
@@ -49,10 +49,12 @@ fn main() {
     application.result(&mut app_bytes);
 
     let manager = U2FManager::new().unwrap();
+    let flags = RegisterFlags::empty();
 
     let (tx, rx) = channel();
     manager
         .register(
+            flags,
             15_000,
             chall_bytes.clone(),
             app_bytes.clone(),
diff --git a/dom/webauthn/u2f-hid-rs/src/capi.rs b/dom/webauthn/u2f-hid-rs/src/capi.rs
index 2e5a72df2873..69b0c2d9c349 100644
--- a/dom/webauthn/u2f-hid-rs/src/capi.rs
+++ b/dom/webauthn/u2f-hid-rs/src/capi.rs
@@ -109,6 +109,7 @@ pub unsafe extern "C" fn rust_u2f_res_free(res: *mut U2FResult) {
 #[no_mangle]
 pub unsafe extern "C" fn rust_u2f_mgr_register(
     mgr: *mut U2FManager,
+    flags: u64,
     timeout: u64,
     callback: U2FCallback,
     challenge_ptr: *const u8,
@@ -126,20 +127,28 @@ pub unsafe extern "C" fn rust_u2f_mgr_register(
         return 0;
     }
 
+    let flags = ::RegisterFlags::from_bits_truncate(flags);
     let challenge = from_raw(challenge_ptr, challenge_len);
     let application = from_raw(application_ptr, application_len);
     let key_handles = (*khs).clone();
 
     let tid = new_tid();
-    let res = (*mgr).register(timeout, challenge, application, key_handles, move |rv| {
-        if let Ok(registration) = rv {
-            let mut result = U2FResult::new();
-            result.insert(RESBUF_ID_REGISTRATION, registration);
-            callback(tid, Box::into_raw(Box::new(result)));
-        } else {
-            callback(tid, ptr::null_mut());
-        };
-    });
+    let res = (*mgr).register(
+        flags,
+        timeout,
+        challenge,
+        application,
+        key_handles,
+        move |rv| {
+            if let Ok(registration) = rv {
+                let mut result = U2FResult::new();
+                result.insert(RESBUF_ID_REGISTRATION, registration);
+                callback(tid, Box::into_raw(Box::new(result)));
+            } else {
+                callback(tid, ptr::null_mut());
+            };
+        },
+    );
 
     if res.is_ok() { tid } else { 0 }
 }
diff --git a/dom/webauthn/u2f-hid-rs/src/lib.rs b/dom/webauthn/u2f-hid-rs/src/lib.rs
index 4b607bde2125..db3234fcd304 100644
--- a/dom/webauthn/u2f-hid-rs/src/lib.rs
+++ b/dom/webauthn/u2f-hid-rs/src/lib.rs
@@ -34,6 +34,9 @@ extern crate libc;
 extern crate boxfnonce;
 extern crate runloop;
 
+#[macro_use]
+extern crate bitflags;
+
 mod consts;
 mod statemachine;
 mod u2ftypes;
@@ -45,6 +48,15 @@ pub use manager::U2FManager;
 mod capi;
 pub use capi::*;
 
+// Keep this in sync with the constants in u2fhid-capi.h.
+bitflags! {
+    pub struct RegisterFlags: u64 {
+        const REQUIRE_RESIDENT_KEY        = 1;
+        const REQUIRE_USER_VERIFICATION   = 2;
+        const REQUIRE_PLATFORM_ATTACHMENT = 4;
+    }
+}
+
 #[cfg(fuzzing)]
 pub use u2fprotocol::*;
 #[cfg(fuzzing)]
diff --git a/dom/webauthn/u2f-hid-rs/src/manager.rs b/dom/webauthn/u2f-hid-rs/src/manager.rs
index b0cc27e3802f..502364fd8439 100644
--- a/dom/webauthn/u2f-hid-rs/src/manager.rs
+++ b/dom/webauthn/u2f-hid-rs/src/manager.rs
@@ -11,8 +11,9 @@ use statemachine::StateMachine;
 use runloop::RunLoop;
 use util::{to_io_err, OnceCallback};
 
-pub enum QueueAction {
+enum QueueAction {
     Register {
+        flags: ::RegisterFlags,
         timeout: u64,
         challenge: Vec<u8>,
         application: Vec<u8>,
@@ -45,6 +46,7 @@ impl U2FManager {
             while alive() {
                 match rx.recv_timeout(Duration::from_millis(50)) {
                     Ok(QueueAction::Register {
+                           flags,
                            timeout,
                            challenge,
                            application,
@@ -52,7 +54,14 @@ impl U2FManager {
                            callback,
                        }) => {
                         // This must not block, otherwise we can't cancel.
-                        sm.register(timeout, challenge, application, key_handles, callback);
+                        sm.register(
+                            flags,
+                            timeout,
+                            challenge,
+                            application,
+                            key_handles,
+                            callback,
+                        );
                     }
                     Ok(QueueAction::Sign {
                            timeout,
@@ -88,6 +97,7 @@ impl U2FManager {
 
     pub fn register<F>(
         &self,
+        flags: ::RegisterFlags,
         timeout: u64,
         challenge: Vec<u8>,
         application: Vec<u8>,
@@ -116,6 +126,7 @@ impl U2FManager {
 
         let callback = OnceCallback::new(callback);
         let action = QueueAction::Register {
+            flags,
             timeout,
             challenge,
             application,
diff --git a/dom/webauthn/u2f-hid-rs/src/statemachine.rs b/dom/webauthn/u2f-hid-rs/src/statemachine.rs
index 008e4be07e92..5e1b7be27d04 100644
--- a/dom/webauthn/u2f-hid-rs/src/statemachine.rs
+++ b/dom/webauthn/u2f-hid-rs/src/statemachine.rs
@@ -22,6 +22,7 @@ impl StateMachine {
 
     pub fn register(
         &mut self,
+        flags: ::RegisterFlags,
         timeout: u64,
         challenge: Vec<u8>,
         application: Vec<u8>,
@@ -45,6 +46,17 @@ impl StateMachine {
                 return;
             }
 
+            // We currently support none of the authenticator selection
+            // criteria because we can't ask tokens whether they do support
+            // those features. If flags are set, ignore all tokens for now.
+            //
+            // Technically, this is a ConstraintError because we shouldn't talk
+            // to this authenticator in the first place. But the result is the
+            // same anyway.
+            if !flags.is_empty() {
+                return;
+            }
+
             // Iterate the exclude list and see if there are any matches.
             // Abort the state machine if we found a valid key handle.
             if key_handles.iter().any(|key_handle| {
diff --git a/dom/webauthn/u2f-hid-rs/src/u2fhid-capi.h b/dom/webauthn/u2f-hid-rs/src/u2fhid-capi.h
index 2277135c6314..a27f7fc1b5be 100644
--- a/dom/webauthn/u2f-hid-rs/src/u2fhid-capi.h
+++ b/dom/webauthn/u2f-hid-rs/src/u2fhid-capi.h
@@ -15,6 +15,10 @@ const uint8_t U2F_RESBUF_ID_REGISTRATION = 0;
 const uint8_t U2F_RESBUF_ID_KEYHANDLE = 1;
 const uint8_t U2F_RESBUF_ID_SIGNATURE = 2;
 
+const uint64_t U2F_FLAG_REQUIRE_RESIDENT_KEY = 1;
+const uint64_t U2F_FLAG_REQUIRE_USER_VERIFICATION = 2;
+const uint64_t U2F_FLAG_REQUIRE_PLATFORM_ATTACHMENT = 4;
+
 // NOTE: Preconditions
 // * All rust_u2f_mgr* pointers must refer to pointers which are returned
 //   by rust_u2f_mgr_new, and must be freed with rust_u2f_mgr_free.
@@ -42,6 +46,7 @@ rust_u2f_manager* rust_u2f_mgr_new();
 /* unsafe */ void rust_u2f_mgr_free(rust_u2f_manager* mgr);
 
 uint64_t rust_u2f_mgr_register(rust_u2f_manager* mgr,
+                               uint64_t flags,
                                uint64_t timeout,
                                rust_u2f_callback,
                                const uint8_t* challenge_ptr,
diff --git a/dom/webidl/WebAuthentication.webidl b/dom/webidl/WebAuthentication.webidl
index 267b1c997a4b..0f6f6c9b4319 100644
--- a/dom/webidl/WebAuthentication.webidl
+++ b/dom/webidl/WebAuthentication.webidl
@@ -75,7 +75,7 @@ dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity {
 dictionary AuthenticatorSelectionCriteria {
     AuthenticatorAttachment      authenticatorAttachment;
     boolean                      requireResidentKey = false;
-    boolean                      requireUserVerification = false;
+    UserVerificationRequirement  userVerification = "preferred";
 };
 
 enum AuthenticatorAttachment {
@@ -83,6 +83,12 @@ enum AuthenticatorAttachment {
     "cross-platform"  // Cross-platform attachment
 };
 
+enum UserVerificationRequirement {
+    "required",
+    "preferred",
+    "discouraged"
+};
+
 dictionary PublicKeyCredentialRequestOptions {
     required BufferSource                challenge;
     unsigned long                        timeout;
diff --git a/dom/websocket/tests/iframe_webSocket_sandbox.html b/dom/websocket/tests/iframe_webSocket_sandbox.html
index f0004d85c17e..0e6d1d97bfa7 100644
--- a/dom/websocket/tests/iframe_webSocket_sandbox.html
+++ b/dom/websocket/tests/iframe_webSocket_sandbox.html
@@ -1,6 +1,6 @@
 <html><body>
 <iframe id="frame" sandbox="allow-scripts allow-popups"></iframe>
-<script type="application/javascript;version=1.8">
+<script type="application/javascript">
 onmessage = function(e) {
   parent.postMessage(e.data, '*');
 }
diff --git a/dom/websocket/tests/test_webSocket_sandbox.html b/dom/websocket/tests/test_webSocket_sandbox.html
index 95a244fe49fe..9f2f85cd98ae 100644
--- a/dom/websocket/tests/test_webSocket_sandbox.html
+++ b/dom/websocket/tests/test_webSocket_sandbox.html
@@ -8,7 +8,7 @@
 <body>
 <div id="container"></div>
 <iframe id="frame"></iframe>
-<script type="application/javascript;version=1.8">
+<script type="application/javascript">
 var urls = [ "https://example.com/tests/dom/websocket/tests/iframe_webSocket_sandbox.html",
              "https://example.com/tests/dom/websocket/tests/iframe_webSocket_sandbox.html?nested",
              "https://example.com/tests/dom/websocket/tests/iframe_webSocket_sandbox.html?popup" ];
diff --git a/gfx/2d/ConvolutionFilter.cpp b/gfx/2d/ConvolutionFilter.cpp
index 274fd1cb1c5d..7f0e830d0348 100644
--- a/gfx/2d/ConvolutionFilter.cpp
+++ b/gfx/2d/ConvolutionFilter.cpp
@@ -113,15 +113,16 @@ ConvolutionFilter::ComputeResizeFilter(ResizeMethod aResizeMethod, int32_t aSrcS
   // filter values for each one. Those values will tell us how to blend the
   // source pixels to compute the destination pixel.
 
-  // This is the pixel in the source directly under the pixel in the dest.
-  // Note that we base computations on the "center" of the pixels. To see
-  // why, observe that the destination pixel at coordinates (0, 0) in a 5.0x
-  // downscale should "cover" the pixels around the pixel with *its center*
-  // at coordinates (2.5, 2.5) in the source, not those around (0, 0).
-  // Hence we need to scale coordinates (0.5, 0.5), not (0, 0).
-  float srcPixel = 0.5f * invScale;
   mFilter->reserveAdditional(aDstSize, int32_t(ceil(aDstSize * srcSupport * 2)));
   for (int32_t destI = 0; destI < aDstSize; destI++) {
+    // This is the pixel in the source directly under the pixel in the dest.
+    // Note that we base computations on the "center" of the pixels. To see
+    // why, observe that the destination pixel at coordinates (0, 0) in a 5.0x
+    // downscale should "cover" the pixels around the pixel with *its center*
+    // at coordinates (2.5, 2.5) in the source, not those around (0, 0).
+    // Hence we need to scale coordinates (0.5, 0.5), not (0, 0).
+    float srcPixel = (static_cast<float>(destI) + 0.5f) * invScale;
+
     // Compute the (inclusive) range of source pixels the filter covers.
     float srcBegin = std::max(0.0f, floorf(srcPixel - srcSupport));
     float srcEnd = std::min(aSrcSize - 1.0f, ceilf(srcPixel + srcSupport));
@@ -165,8 +166,6 @@ ConvolutionFilter::ComputeResizeFilter(ResizeMethod aResizeMethod, int32_t aSrcS
     fixedFilterValues[filterCount / 2] += leftovers;
 
     mFilter->AddFilter(int32_t(srcBegin), fixedFilterValues.begin(), filterCount);
-
-    srcPixel += invScale;
   }
 
   return mFilter->maxFilter() > 0 && mFilter->numValues() == aDstSize;
diff --git a/gfx/layers/ipc/PWebRenderBridge.ipdl b/gfx/layers/ipc/PWebRenderBridge.ipdl
index 1e15e7390286..3e1b8eb17775 100644
--- a/gfx/layers/ipc/PWebRenderBridge.ipdl
+++ b/gfx/layers/ipc/PWebRenderBridge.ipdl
@@ -50,7 +50,7 @@ parent:
   sync Create(IntSize aSize);
   async DeleteCompositorAnimations(uint64_t[] aIds);
   async SetDisplayList(IntSize aSize, WebRenderParentCommand[] commands, OpDestroy[] toDestroy, uint64_t fwdTransactionId, uint64_t transactionId,
-                       LayoutSize aContentSize, ByteBuffer aDL, BuiltDisplayListDescriptor aDLDesc,
+                       LayoutSize aContentSize, ByteBuf aDL, BuiltDisplayListDescriptor aDLDesc,
                        WebRenderScrollData aScrollData,
                        OpUpdateResource[] aResourceUpdates, Shmem[] aSmallShmems, Shmem[] aLargeShmems,
                        IdNamespace aIdNamespace, TimeStamp txnStartTime, TimeStamp fwdTime);
diff --git a/gfx/layers/wr/WebRenderBridgeChild.cpp b/gfx/layers/wr/WebRenderBridgeChild.cpp
index 358a858aebca..06fb195b7520 100644
--- a/gfx/layers/wr/WebRenderBridgeChild.cpp
+++ b/gfx/layers/wr/WebRenderBridgeChild.cpp
@@ -144,7 +144,9 @@ WebRenderBridgeChild::EndTransaction(const wr::LayoutSize& aContentSize,
   MOZ_ASSERT(!mDestroyed);
   MOZ_ASSERT(mIsInTransaction);
 
-  ByteBuffer dlData(Move(aDL.dl));
+  ByteBuf dlData(aDL.dl.inner.data, aDL.dl.inner.length, aDL.dl.inner.capacity);
+  aDL.dl.inner.capacity = 0;
+  aDL.dl.inner.data = nullptr;
 
   TimeStamp fwdTime;
 #if defined(ENABLE_FRAME_LATENCY_LOG)
diff --git a/gfx/layers/wr/WebRenderBridgeParent.cpp b/gfx/layers/wr/WebRenderBridgeParent.cpp
index 1686d45267d0..0766a8c71e97 100644
--- a/gfx/layers/wr/WebRenderBridgeParent.cpp
+++ b/gfx/layers/wr/WebRenderBridgeParent.cpp
@@ -561,7 +561,7 @@ WebRenderBridgeParent::RecvSetDisplayList(const gfx::IntSize& aSize,
                                           const uint64_t& aFwdTransactionId,
                                           const uint64_t& aTransactionId,
                                           const wr::LayoutSize& aContentSize,
-                                          const wr::ByteBuffer& dl,
+                                          ipc::ByteBuf&& dl,
                                           const wr::BuiltDisplayListDescriptor& dlDesc,
                                           const WebRenderScrollData& aScrollData,
                                           nsTArray<OpUpdateResource>&& aResourceUpdates,
@@ -609,7 +609,7 @@ WebRenderBridgeParent::RecvSetDisplayList(const gfx::IntSize& aSize,
     gfx::Color clearColor(0.f, 0.f, 0.f, 0.f);
     mApi->SetDisplayList(clearColor, wr::NewEpoch(wrEpoch), LayerSize(aSize.width, aSize.height),
                         mPipelineId, aContentSize,
-                        dlDesc, dl.mData, dl.mLength,
+                        dlDesc, dl.mData, dl.mLen,
                         resources);
 
     ScheduleComposition();
diff --git a/gfx/layers/wr/WebRenderBridgeParent.h b/gfx/layers/wr/WebRenderBridgeParent.h
index d500b7ba71f1..94339b6ab954 100644
--- a/gfx/layers/wr/WebRenderBridgeParent.h
+++ b/gfx/layers/wr/WebRenderBridgeParent.h
@@ -82,7 +82,7 @@ public:
                                              const uint64_t& aFwdTransactionId,
                                              const uint64_t& aTransactionId,
                                              const wr::LayoutSize& aContentSize,
-                                             const wr::ByteBuffer& dl,
+                                             ipc::ByteBuf&& dl,
                                              const wr::BuiltDisplayListDescriptor& dlDesc,
                                              const WebRenderScrollData& aScrollData,
                                              nsTArray<OpUpdateResource>&& aResourceUpdates,
diff --git a/gfx/tests/gtest/TestJobScheduler.cpp b/gfx/tests/gtest/TestJobScheduler.cpp
index 5ebbdef94369..972d8fda0a73 100644
--- a/gfx/tests/gtest/TestJobScheduler.cpp
+++ b/gfx/tests/gtest/TestJobScheduler.cpp
@@ -209,6 +209,7 @@ void TestSchedulerChain(uint32_t aNumThreads, uint32_t aNumCmdBuffers)
 
 } // namespace test_scheduler
 
+#if !defined(MOZ_CODE_COVERAGE) || !defined(XP_WIN)
 TEST(Moz2D, JobScheduler_Shutdown) {
   srand(time(nullptr));
   for (uint32_t threads = 1; threads < 16; ++threads) {
@@ -218,6 +219,7 @@ TEST(Moz2D, JobScheduler_Shutdown) {
     }
   }
 }
+#endif
 
 TEST(Moz2D, JobScheduler_Join) {
   srand(time(nullptr));
diff --git a/image/test/reftest/downscaling/1421191-1.html b/image/test/reftest/downscaling/1421191-1.html
new file mode 100644
index 000000000000..b8146a2371b7
--- /dev/null
+++ b/image/test/reftest/downscaling/1421191-1.html
@@ -0,0 +1,20 @@
+<html reftest-zoom="1.6">
+<head>
+<style>
+#xx {
+background-image: url("1421191-1.png");
+background-position: -61px -797px;
+background-position-x: -61px;
+background-position-y: -797px;
+background-repeat: no-repeat;
+background-size: 82px auto;
+display: block;
+height: 24px;
+width: 22px;
+}
+</style>
+</head>
+<body>
+<span id="xx"></span>
+</body>
+</html>
diff --git a/image/test/reftest/downscaling/1421191-1.png b/image/test/reftest/downscaling/1421191-1.png
new file mode 100644
index 000000000000..e9b756a79ee0
Binary files /dev/null and b/image/test/reftest/downscaling/1421191-1.png differ
diff --git a/image/test/reftest/downscaling/reftest.list b/image/test/reftest/downscaling/reftest.list
index 267229930043..7b7c0cc345cd 100644
--- a/image/test/reftest/downscaling/reftest.list
+++ b/image/test/reftest/downscaling/reftest.list
@@ -205,3 +205,6 @@ fuzzy(18,128) == downscale-32px.html?-png-in.ico downscale-32px-ref.html
 == huge-1.html?100x32768.jpg,100,32768 huge-1.html?100x100.jpg,100,32768
 == huge-1.html?32768x100.jpg,100,100 huge-1.html?100x100.jpg,100,100
 == huge-1.html?32768x100.jpg,32768,100 huge-1.html?100x100.jpg,32768,100
+
+# Only need to run this with downscaling on
+!= 1421191-1.html about:blank
diff --git a/ipc/chromium/src/base/pickle.cc b/ipc/chromium/src/base/pickle.cc
index c06a5ecc21ee..429efd274034 100644
--- a/ipc/chromium/src/base/pickle.cc
+++ b/ipc/chromium/src/base/pickle.cc
@@ -627,6 +627,16 @@ bool Pickle::WriteUnsignedChar(unsigned char value) {
   return WriteBytes(&value, sizeof(value));
 }
 
+bool Pickle::WriteBytesZeroCopy(void* data, uint32_t data_len, uint32_t capacity) {
+
+  BeginWrite(data_len, sizeof(memberAlignmentType));
+
+  buffers_.WriteBytesZeroCopy(reinterpret_cast<char*>(data), data_len, capacity);
+
+  EndWrite(data_len);
+  return true;
+}
+
 bool Pickle::WriteBytes(const void* data, uint32_t data_len, uint32_t alignment) {
   DCHECK(alignment == 4 || alignment == 8);
   DCHECK(intptr_t(header_) % alignment == 0);
diff --git a/ipc/chromium/src/base/pickle.h b/ipc/chromium/src/base/pickle.h
index f9784e10e1b2..fe685280e2d8 100644
--- a/ipc/chromium/src/base/pickle.h
+++ b/ipc/chromium/src/base/pickle.h
@@ -162,6 +162,8 @@ class Pickle {
   bool WriteData(const char* data, uint32_t length);
   bool WriteBytes(const void* data, uint32_t data_len,
                   uint32_t alignment = sizeof(memberAlignmentType));
+  // Takes ownership of data
+  bool WriteBytesZeroCopy(void* data, uint32_t data_len, uint32_t capacity);
 
   bool WriteSentinel(uint32_t sentinel)
 #ifdef MOZ_PICKLE_SENTINEL_CHECKING
diff --git a/ipc/chromium/src/chrome/common/ipc_message_utils.h b/ipc/chromium/src/chrome/common/ipc_message_utils.h
index e8ea9ad3aa0c..5542f7f7a2d9 100644
--- a/ipc/chromium/src/chrome/common/ipc_message_utils.h
+++ b/ipc/chromium/src/chrome/common/ipc_message_utils.h
@@ -111,6 +111,11 @@ static inline void WriteParam(Message* m, const P& p) {
   ParamTraits<P>::Write(m, p);
 }
 
+template <class P>
+static inline void WriteParam(Message* m, P& p) {
+  ParamTraits<P>::Write(m, p);
+}
+
 template <class P>
 static inline bool WARN_UNUSED_RESULT ReadParam(const Message* m, PickleIterator* iter,
                                                 P* p) {
diff --git a/ipc/glue/ByteBuf.h b/ipc/glue/ByteBuf.h
new file mode 100644
index 000000000000..ae02418f15ab
--- /dev/null
+++ b/ipc/glue/ByteBuf.h
@@ -0,0 +1,116 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* A type that can be sent without needing to make a copy during
+ * serialization. In addition the receiver can take ownership of the
+ * data to avoid having to make an additional copy. */
+
+#ifndef mozilla_ipc_ByteBuf_h
+#define mozilla_ipc_ByteBuf_h
+
+#include "ipc/IPCMessageUtils.h"
+
+namespace mozilla {
+
+namespace ipc {
+
+class ByteBuf final
+{
+  friend struct IPC::ParamTraits<mozilla::ipc::ByteBuf>;
+public:
+  bool
+  Allocate(size_t aLength)
+  {
+    MOZ_ASSERT(mData == nullptr);
+    mData = (uint8_t*)malloc(aLength);
+    if (!mData) {
+      return false;
+    }
+    mLen = aLength;
+    mCapacity = aLength;
+    return true;
+  }
+
+  ByteBuf()
+    : mData(nullptr)
+    , mLen(0)
+    , mCapacity(0)
+  {}
+
+  ByteBuf(uint8_t *aData, size_t aLen, size_t aCapacity)
+    : mData(aData)
+    , mLen(aLen)
+    , mCapacity(aCapacity)
+  {}
+
+  ByteBuf(const ByteBuf& aFrom) = delete;
+
+  ByteBuf(ByteBuf&& aFrom)
+    : mData(aFrom.mData)
+    , mLen(aFrom.mLen)
+    , mCapacity(aFrom.mCapacity)
+  {
+    aFrom.mData = nullptr;
+    aFrom.mLen = 0;
+    aFrom.mCapacity = 0;
+  }
+
+  ~ByteBuf()
+  {
+    free(mData);
+  }
+
+  uint8_t* mData;
+  size_t mLen;
+  size_t mCapacity;
+};
+
+
+} // namespace ipc
+} // namespace mozilla
+
+
+namespace IPC {
+
+template<>
+struct ParamTraits<mozilla::ipc::ByteBuf>
+{
+  typedef mozilla::ipc::ByteBuf paramType;
+
+  // this is where we transfer the memory from the ByteBuf to IPDL, avoiding a copy
+  static void Write(Message* aMsg, paramType& aParam)
+  {
+    WriteParam(aMsg, aParam.mLen);
+    // hand over ownership of the buffer to the Message
+    aMsg->WriteBytesZeroCopy(aParam.mData, aParam.mLen, aParam.mCapacity);
+    aParam.mData = nullptr;
+    aParam.mCapacity = 0;
+    aParam.mLen = 0;
+  }
+
+  static bool Read(const Message* aMsg, PickleIterator* aIter, paramType* aResult)
+  {
+    // We make a copy from the BufferList so that we get a contigous result.
+    // For users the can handle a non-contiguous result using ExtractBuffers
+    // is an option, alternatively if the users don't need to take ownership of
+    // the data they can use the removed FlattenBytes (bug 1297981)
+    size_t length;
+    return ReadParam(aMsg, aIter, &length)
+      && aResult->Allocate(length)
+      && aMsg->ReadBytesInto(aIter, aResult->mData, length);
+  }
+
+  static void Log(const paramType& aParam, std::wstring* aLog)
+  {
+    aLog->append(L"(byte buf)");
+  }
+};
+
+
+} // namespace IPC
+
+
+#endif // ifndef mozilla_ipc_Shmem_h
diff --git a/ipc/glue/ProtocolUtils.h b/ipc/glue/ProtocolUtils.h
index c9fa9767be52..21934df93f79 100644
--- a/ipc/glue/ProtocolUtils.h
+++ b/ipc/glue/ProtocolUtils.h
@@ -18,6 +18,7 @@
 #include "IPCMessageStart.h"
 #include "mozilla/AlreadyAddRefed.h"
 #include "mozilla/Attributes.h"
+#include "mozilla/ipc/ByteBuf.h"
 #include "mozilla/ipc/FileDescriptor.h"
 #include "mozilla/ipc/Shmem.h"
 #include "mozilla/ipc/Transport.h"
diff --git a/ipc/glue/moz.build b/ipc/glue/moz.build
index ac0d4205480f..d256293aa150 100644
--- a/ipc/glue/moz.build
+++ b/ipc/glue/moz.build
@@ -15,6 +15,7 @@ EXPORTS.mozilla.ipc += [
     'BackgroundParent.h',
     'BackgroundUtils.h',
     'BrowserProcessSubThread.h',
+    'ByteBuf.h',
     'CrashReporterClient.h',
     'CrashReporterHost.h',
     'CrashReporterMetadataShmem.h',
diff --git a/ipc/ipdl/ipdl/builtin.py b/ipc/ipdl/ipdl/builtin.py
index 3c332cf83895..0f45c0d7f846 100644
--- a/ipc/ipdl/ipdl/builtin.py
+++ b/ipc/ipdl/ipdl/builtin.py
@@ -39,6 +39,7 @@ Types = (
     'nsDependentSubstring',
     'nsDependentCSubstring',
     'mozilla::ipc::Shmem',
+    'mozilla::ipc::ByteBuf',
     'mozilla::ipc::FileDescriptor'
 )
 
diff --git a/ipc/ipdl/ipdl/lower.py b/ipc/ipdl/ipdl/lower.py
index ec3df4c33670..69061d204e19 100644
--- a/ipc/ipdl/ipdl/lower.py
+++ b/ipc/ipdl/ipdl/lower.py
@@ -560,6 +560,9 @@ class _ConvertToCxxType(TypeVisitor):
     def visitShmemType(self, s):
         return Type(self.typename(s))
 
+    def visitByteBufType(self, s):
+        return Type(self.typename(s))
+
     def visitFDType(self, s):
         return Type(self.typename(s))
 
@@ -586,6 +589,9 @@ def _cxxConstRefType(ipdltype, side):
     if ipdltype.isIPDL() and ipdltype.isShmem():
         t.ref = 1
         return t
+    if ipdltype.isIPDL() and ipdltype.isByteBuf():
+        t.ref = 1
+        return t
     t.const = 1
     t.ref = 1
     return t
@@ -593,6 +599,7 @@ def _cxxConstRefType(ipdltype, side):
 def _cxxTypeNeedsMove(ipdltype):
     return ipdltype.isIPDL() and (ipdltype.isArray() or
                                   ipdltype.isShmem() or
+                                  ipdltype.isByteBuf() or
                                   ipdltype.isEndpoint())
 
 def _cxxMoveRefType(ipdltype, side):
@@ -768,6 +775,8 @@ class _StructField(_CompoundTypeComponent):
         refexpr = self.refExpr(thisexpr)
         if 'Shmem' == self.ipdltype.name():
             refexpr = ExprCast(refexpr, Type('Shmem', ref=1), const=1)
+        if 'ByteBuf' == self.ipdltype.name():
+            refexpr = ExprCast(refexpr, Type('ByteBuf', ref=1), const=1)
         if 'FileDescriptor' == self.ipdltype.name():
             refexpr = ExprCast(refexpr, Type('FileDescriptor', ref=1), const=1)
         return refexpr
@@ -931,6 +940,8 @@ IPDL union type."""
     def getConstValue(self):
         v = ExprDeref(self.callGetConstPtr())
         # sigh
+        if 'ByteBuf' == self.ipdltype.name():
+            v = ExprCast(v, Type('ByteBuf', ref=1), const=1)
         if 'Shmem' == self.ipdltype.name():
             v = ExprCast(v, Type('Shmem', ref=1), const=1)
         if 'FileDescriptor' == self.ipdltype.name():
@@ -1870,6 +1881,11 @@ stmt.  Some types generate both kinds.'''
         self.visited.add(s)
         self.maybeTypedef('mozilla::ipc::Shmem', 'Shmem')
 
+    def visitByteBufType(self, s):
+        if s in self.visited: return
+        self.visited.add(s)
+        self.maybeTypedef('mozilla::ipc::ByteBuf', 'ByteBuf')
+
     def visitFDType(self, s):
         if s in self.visited: return
         self.visited.add(s)
@@ -3384,6 +3400,7 @@ class _GenerateProtocolActorCode(ipdl.ast.Visitor):
         class findSpecialTypes(TypeVisitor):
             def visitActorType(self, a): specialtypes.add(a)
             def visitShmemType(self, s): specialtypes.add(s)
+            def visitByteBufType(self, s): specialtypes.add(s)
             def visitFDType(self, s): specialtypes.add(s)
             def visitStructType(self, s):
                 specialtypes.add(s)
@@ -3408,12 +3425,13 @@ class _GenerateProtocolActorCode(ipdl.ast.Visitor):
                 ret.ipdltype.accept(findSpecialTypes())
 
         for t in specialtypes:
-            if t.isActor():    self.implementActorPickling(t)
-            elif t.isArray():  self.implementSpecialArrayPickling(t)
-            elif t.isShmem():  self.implementShmemPickling(t)
-            elif t.isFD():     self.implementFDPickling(t)
-            elif t.isStruct(): self.implementStructPickling(t)
-            elif t.isUnion():  self.implementUnionPickling(t)
+            if t.isActor():     self.implementActorPickling(t)
+            elif t.isArray():   self.implementSpecialArrayPickling(t)
+            elif t.isShmem():   self.implementShmemPickling(t)
+            elif t.isByteBuf(): self.implementByteBufPickling(t)
+            elif t.isFD():      self.implementFDPickling(t)
+            elif t.isStruct():  self.implementStructPickling(t)
+            elif t.isUnion():   self.implementUnionPickling(t)
             else:
                 assert 0 and 'unknown special type'
 
@@ -3434,6 +3452,19 @@ class _GenerateProtocolActorCode(ipdl.ast.Visitor):
 
         self.cls.addstmts([ write, Whitespace.NL, read, Whitespace.NL ])
 
+    def implementByteBufPickling(self, bytebuftype):
+        var = self.var
+        msgvar = self.msgvar
+        itervar = self.itervar
+        intype = _cxxRefType(bytebuftype, self.side)
+
+        write = MethodDefn(self.writeMethodDecl(intype, var))
+        write.addstmt(StmtExpr(ExprCall(ExprVar('IPC::WriteParam'),
+                                        args=[ msgvar, var ])))
+
+        self.cls.addstmts([ write, Whitespace.NL ])
+        # the rest of generic pickling will work fine for us
+
     def implementActorPickling(self, actortype):
         # Note that we pickle based on *protocol* type and *not* actor
         # type.  The actor type includes a |nullable| qualifier, but
diff --git a/ipc/ipdl/ipdl/type.py b/ipc/ipdl/ipdl/type.py
index 9796a6b9b288..7e47b384d850 100644
--- a/ipc/ipdl/ipdl/type.py
+++ b/ipc/ipdl/ipdl/type.py
@@ -67,6 +67,9 @@ class TypeVisitor:
     def visitShmemType(self, s, *args):
         pass
 
+    def visitByteBufType(self, s, *args):
+        pass
+
     def visitShmemChmodType(self, c, *args):
         c.shmem.accept(self)
 
@@ -147,6 +150,7 @@ class IPDLType(Type):
     def isAtom(self):  return True
     def isCompound(self): return False
     def isShmem(self): return False
+    def isByteBuf(self): return False
     def isFD(self): return False
     def isEndpoint(self): return False
 
@@ -368,6 +372,16 @@ class ShmemType(IPDLType):
     def fullname(self):
         return str(self.qname)
 
+class ByteBufType(IPDLType):
+    def __init__(self, qname):
+        self.qname = qname
+    def isByteBuf(self): return True
+
+    def name(self):
+        return self.qname.baseid
+    def fullname(self):
+        return str(self.qname)
+
 class FDType(IPDLType):
     def __init__(self, qname):
         self.qname = qname
@@ -725,6 +739,8 @@ class GatherDecls(TcheckVisitor):
             fullname = None
         if fullname == 'mozilla::ipc::Shmem':
             ipdltype = ShmemType(using.type.spec)
+        elif fullname == 'mozilla::ipc::ByteBuf':
+            ipdltype = ByteBufType(using.type.spec)
         elif fullname == 'mozilla::ipc::FileDescriptor':
             ipdltype = FDType(using.type.spec)
         else:
diff --git a/js/src/frontend/BytecodeEmitter.cpp b/js/src/frontend/BytecodeEmitter.cpp
index 9b6507a6e94b..9222f5ce9e23 100644
--- a/js/src/frontend/BytecodeEmitter.cpp
+++ b/js/src/frontend/BytecodeEmitter.cpp
@@ -7434,11 +7434,9 @@ BytecodeEmitter::emitForIn(ParseNode* forInLoop, EmitterScope* headLexicalEmitte
     if (!emitTreeInBranch(expr))                          // EXPR
         return false;
 
-    // Convert the value to the appropriate sort of iterator object for the
-    // loop variant (for-in, for-each-in, or destructuring for-in).
-    unsigned iflags = forInLoop->pn_iflags;
-    MOZ_ASSERT(0 == (iflags & ~JSITER_ENUMERATE));
-    if (!emit2(JSOP_ITER, AssertedCast<uint8_t>(iflags))) // ITER
+    MOZ_ASSERT(forInLoop->pn_iflags == 0);
+
+    if (!emit1(JSOP_ITER))                                // ITER
         return false;
 
     // For-in loops have both the iterator and the value on the stack. Push
@@ -7491,10 +7489,8 @@ BytecodeEmitter::emitForIn(ParseNode* forInLoop, EmitterScope* headLexicalEmitte
 #endif
         MOZ_ASSERT(loopDepth >= 2);
 
-        if (iflags == JSITER_ENUMERATE) {
-            if (!emit1(JSOP_ITERNEXT))                    // ITER ITERVAL
-                return false;
-        }
+        if (!emit1(JSOP_ITERNEXT))                        // ITER ITERVAL
+            return false;
 
         if (!emitInitializeForInOrOfTarget(forInHead))    // ITER ITERVAL
             return false;
diff --git a/js/src/frontend/Parser.cpp b/js/src/frontend/Parser.cpp
index c2bd73b8e06a..ac5997f3f187 100644
--- a/js/src/frontend/Parser.cpp
+++ b/js/src/frontend/Parser.cpp
@@ -6306,12 +6306,10 @@ Parser<ParseHandler, CharT>::forStatement(YieldHandling yieldHandling)
         Node target = startNode;
 
         // Parse the rest of the for-in/of head.
-        if (headKind == PNK_FORIN) {
+        if (headKind == PNK_FORIN)
             stmt.refineForKind(StatementKind::ForInLoop);
-            iflags |= JSITER_ENUMERATE;
-        } else {
+        else
             stmt.refineForKind(StatementKind::ForOfLoop);
-        }
 
         // Parser::declaration consumed everything up to the closing ')'.  That
         // token follows an {Assignment,}Expression and so must be interpreted
diff --git a/js/src/gc/AtomMarking.cpp b/js/src/gc/AtomMarking.cpp
index 64348293f0ea..5bd1f34ef7e9 100644
--- a/js/src/gc/AtomMarking.cpp
+++ b/js/src/gc/AtomMarking.cpp
@@ -237,15 +237,14 @@ AtomMarkingRuntime::atomIsMarked(Zone* zone, TenuredCell* thing)
     if (!thing)
         return true;
 
-    JS::TraceKind kind = thing->getTraceKind();
-    if (kind == JS::TraceKind::String) {
-        JSString* str = static_cast<JSString*>(thing);
-        if (str->isAtom())
-            return atomIsMarked(zone, &str->asAtom());
-        return true;
+    if (thing->is<JSString>()) {
+        JSString* str = thing->as<JSString>();
+        return str->isAtom() ? atomIsMarked(zone, &str->asAtom()) : true;
     }
-    if (kind == JS::TraceKind::Symbol)
-        return atomIsMarked(zone, static_cast<JS::Symbol*>(thing));
+
+    if (thing->is<JS::Symbol>())
+        return atomIsMarked(zone, thing->as<JS::Symbol>());
+
     return true;
 }
 
diff --git a/js/src/gc/Cell.h b/js/src/gc/Cell.h
index 65784d51c754..36c6cbfc0063 100644
--- a/js/src/gc/Cell.h
+++ b/js/src/gc/Cell.h
@@ -138,6 +138,23 @@ class TenuredCell : public Cell
         return JS::shadow::Zone::asShadowZone(zoneFromAnyThread());
     }
 
+    template <class T>
+    inline bool is() const {
+        return getTraceKind() == JS::MapTypeToTraceKind<T>::kind;
+    }
+
+    template<class T>
+    inline T* as() {
+        MOZ_ASSERT(is<T>());
+        return static_cast<T*>(this);
+    }
+
+    template <class T>
+    inline const T* as() const {
+        MOZ_ASSERT(is<T>());
+        return static_cast<const T*>(this);
+    }
+
     static MOZ_ALWAYS_INLINE void readBarrier(TenuredCell* thing);
     static MOZ_ALWAYS_INLINE void writeBarrierPre(TenuredCell* thing);
 
diff --git a/js/src/gc/DeletePolicy.h b/js/src/gc/DeletePolicy.h
new file mode 100644
index 000000000000..bfa21158dbba
--- /dev/null
+++ b/js/src/gc/DeletePolicy.h
@@ -0,0 +1,79 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ * vim: set ts=8 sts=4 et sw=4 tw=99:
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef gc_DeletePolicy_h
+#define gc_DeletePolicy_h
+
+#include "js/TracingAPI.h"
+
+namespace js {
+namespace gc {
+
+struct ClearEdgesTracer : public JS::CallbackTracer
+{
+    ClearEdgesTracer();
+
+#ifdef DEBUG
+    TracerKind getTracerKind() const override { return TracerKind::ClearEdges; }
+#endif
+
+    template <typename T>
+    inline void clearEdge(T** thingp);
+
+    void onObjectEdge(JSObject** objp) override;
+    void onStringEdge(JSString** strp) override;
+    void onSymbolEdge(JS::Symbol** symp) override;
+    void onScriptEdge(JSScript** scriptp) override;
+    void onShapeEdge(js::Shape** shapep) override;
+    void onObjectGroupEdge(js::ObjectGroup** groupp) override;
+    void onBaseShapeEdge(js::BaseShape** basep) override;
+    void onJitCodeEdge(js::jit::JitCode** codep) override;
+    void onLazyScriptEdge(js::LazyScript** lazyp) override;
+    void onScopeEdge(js::Scope** scopep) override;
+    void onRegExpSharedEdge(js::RegExpShared** sharedp) override;
+    void onChild(const JS::GCCellPtr& thing) override;
+};
+
+#ifdef DEBUG
+inline bool
+IsClearEdgesTracer(JSTracer *trc)
+{
+    return trc->isCallbackTracer() &&
+           trc->asCallbackTracer()->getTracerKind() == JS::CallbackTracer::TracerKind::ClearEdges;
+}
+#endif
+
+} // namespace gc
+
+/*
+ * Provides a delete policy that can be used for objects which have their
+ * lifetime managed by the GC so they can be safely destroyed outside of GC.
+ *
+ * This is necessary for example when initializing such an object may fail after
+ * the initial allocation. The partially-initialized object must be destroyed,
+ * but it may not be safe to do so at the current time as the store buffer may
+ * contain pointers into it.
+ *
+ * This policy traces GC pointers in the object and clears them, making sure to
+ * trigger barriers while doing so. This will remove any store buffer pointers
+ * into the object and make it safe to delete.
+ */
+template <typename T>
+struct GCManagedDeletePolicy
+{
+    void operator()(const T* constPtr) {
+        if (constPtr) {
+            auto ptr = const_cast<T*>(constPtr);
+            gc::ClearEdgesTracer trc;
+            ptr->trace(&trc);
+            js_delete(ptr);
+        }
+    }
+};
+
+} // namespace js
+
+#endif // gc_DeletePolicy_h
diff --git a/js/src/gc/Marking.cpp b/js/src/gc/Marking.cpp
index af9b58c3925a..7f75423599f8 100644
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@@ -2016,7 +2016,8 @@ inline T*
 MarkStack::TaggedPtr::as() const
 {
     MOZ_ASSERT(tag() == MapTypeToMarkStackTag<T*>::value);
-    MOZ_ASSERT(ptr()->asTenured().getTraceKind() == MapTypeToTraceKind<T>::kind);
+    MOZ_ASSERT(ptr()->isTenured());
+    MOZ_ASSERT(ptr()->is<T>());
     return static_cast<T*>(ptr());
 }
 
@@ -2024,7 +2025,8 @@ inline JSObject*
 MarkStack::TaggedPtr::asValueArrayObject() const
 {
     MOZ_ASSERT(tag() == ValueArrayTag);
-    MOZ_ASSERT(ptr()->asTenured().getTraceKind() == JS::TraceKind::Object);
+    MOZ_ASSERT(ptr()->isTenured());
+    MOZ_ASSERT(ptr()->is<JSObject>());
     return static_cast<JSObject*>(ptr());
 }
 
@@ -2032,7 +2034,8 @@ inline JSObject*
 MarkStack::TaggedPtr::asSavedValueArrayObject() const
 {
     MOZ_ASSERT(tag() == SavedValueArrayTag);
-    MOZ_ASSERT(ptr()->asTenured().getTraceKind() == JS::TraceKind::Object);
+    MOZ_ASSERT(ptr()->isTenured());
+    MOZ_ASSERT(ptr()->is<JSObject>());
     return static_cast<JSObject*>(ptr());
 }
 
@@ -2040,7 +2043,8 @@ inline JSRope*
 MarkStack::TaggedPtr::asTempRope() const
 {
     MOZ_ASSERT(tag() == TempRopeTag);
-    MOZ_ASSERT(ptr()->asTenured().getTraceKind() == JS::TraceKind::String);
+    MOZ_ASSERT(ptr()->isTenured());
+    MOZ_ASSERT(ptr()->is<JSString>());
     return static_cast<JSRope*>(ptr());
 }
 
diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
index 920fe69c9d93..5f86c4493522 100644
--- a/js/src/gc/Zone.h
+++ b/js/src/gc/Zone.h
@@ -9,21 +9,20 @@
 
 #include "mozilla/Atomics.h"
 #include "mozilla/HashFunctions.h"
-#include "mozilla/MemoryReporting.h"
 
-#include "jscntxt.h"
-
-#include "ds/SplayTree.h"
 #include "gc/FindSCCs.h"
 #include "gc/GCRuntime.h"
 #include "js/GCHashTable.h"
-#include "js/TracingAPI.h"
 #include "vm/MallocProvider.h"
 #include "vm/RegExpShared.h"
-#include "vm/TypeInference.h"
+#include "vm/Runtime.h"
+
+struct JSContext;
 
 namespace js {
 
+class Debugger;
+
 namespace jit {
 class JitZone;
 } // namespace jit
@@ -987,92 +986,6 @@ ZoneAllocPolicy::pod_realloc(T* p, size_t oldSize, size_t newSize)
     return zone->pod_realloc<T>(p, oldSize, newSize);
 }
 
-/*
- * Provides a delete policy that can be used for objects which have their
- * lifetime managed by the GC so they can be safely destroyed outside of GC.
- *
- * This is necessary for example when initializing such an object may fail after
- * the initial allocation. The partially-initialized object must be destroyed,
- * but it may not be safe to do so at the current time as the store buffer may
- * contain pointers into it.
- *
- * This policy traces GC pointers in the object and clears them, making sure to
- * trigger barriers while doing so. This will remove any store buffer pointers
- * into the object and make it safe to delete.
- */
-template <typename T>
-struct GCManagedDeletePolicy
-{
-    struct ClearEdgesTracer : public JS::CallbackTracer
-    {
-        explicit ClearEdgesTracer(JSContext* cx) : CallbackTracer(cx, TraceWeakMapKeysValues) {}
-#ifdef DEBUG
-        TracerKind getTracerKind() const override { return TracerKind::ClearEdges; }
-#endif
-
-        template <typename S>
-        void clearEdge(S** thingp) {
-            InternalBarrierMethods<S*>::preBarrier(*thingp);
-            InternalBarrierMethods<S*>::postBarrier(thingp, *thingp, nullptr);
-            *thingp = nullptr;
-        }
-
-        void onObjectEdge(JSObject** objp) override { clearEdge(objp); }
-        void onStringEdge(JSString** strp) override { clearEdge(strp); }
-        void onSymbolEdge(JS::Symbol** symp) override { clearEdge(symp); }
-        void onScriptEdge(JSScript** scriptp) override { clearEdge(scriptp); }
-        void onShapeEdge(js::Shape** shapep) override { clearEdge(shapep); }
-        void onObjectGroupEdge(js::ObjectGroup** groupp) override { clearEdge(groupp); }
-        void onBaseShapeEdge(js::BaseShape** basep) override { clearEdge(basep); }
-        void onJitCodeEdge(js::jit::JitCode** codep) override { clearEdge(codep); }
-        void onLazyScriptEdge(js::LazyScript** lazyp) override { clearEdge(lazyp); }
-        void onScopeEdge(js::Scope** scopep) override { clearEdge(scopep); }
-        void onRegExpSharedEdge(js::RegExpShared** sharedp) override { clearEdge(sharedp); }
-        void onChild(const JS::GCCellPtr& thing) override { MOZ_CRASH(); }
-    };
-
-    void operator()(const T* constPtr) {
-        if (constPtr) {
-            auto ptr = const_cast<T*>(constPtr);
-            ClearEdgesTracer trc(TlsContext.get());
-            ptr->trace(&trc);
-            js_delete(ptr);
-        }
-    }
-};
-
-#ifdef DEBUG
-inline bool
-IsClearEdgesTracer(JSTracer *trc)
-{
-    return trc->isCallbackTracer() &&
-           trc->asCallbackTracer()->getTracerKind() == JS::CallbackTracer::TracerKind::ClearEdges;
-}
-#endif
-
 } // namespace js
 
-namespace JS {
-
-// Scope data that contain GCPtrs must use the correct DeletePolicy.
-//
-// This is defined here because vm/Scope.h cannot #include "vm/Runtime.h"
-
-template <>
-struct DeletePolicy<js::FunctionScope::Data>
-  : public js::GCManagedDeletePolicy<js::FunctionScope::Data>
-{ };
-
-template <>
-struct DeletePolicy<js::ModuleScope::Data>
-  : public js::GCManagedDeletePolicy<js::ModuleScope::Data>
-{ };
-
-template <>
-struct DeletePolicy<js::WasmInstanceScope::Data>
-  : public js::GCManagedDeletePolicy<js::WasmInstanceScope::Data>
-{ };
-
-} // namespace JS
-
 #endif // gc_Zone_h
diff --git a/js/src/jit-test/tests/basic/bug1420961.js b/js/src/jit-test/tests/basic/bug1420961.js
new file mode 100644
index 000000000000..24b2c355e5ba
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1420961.js
@@ -0,0 +1,5 @@
+var g = newGlobal();
+g.eval("azx918 = 1");
+for (var x in g) {
+    assertEq(x, x);
+}
diff --git a/js/src/jit-test/tests/cacheir/bug1414849.js b/js/src/jit-test/tests/cacheir/bug1414849.js
new file mode 100644
index 000000000000..1ebe86a82a99
--- /dev/null
+++ b/js/src/jit-test/tests/cacheir/bug1414849.js
@@ -0,0 +1,12 @@
+function g(s) {
+    for (var i = s; ; i--) {
+        if (s[i] !== ' ')
+            return;
+    }
+}
+function f() {
+    var s = "foo".match(/(.*)$/)[0];
+    return g(s);
+}
+for (var i = 0; i < 10; i++)
+    f();
diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
index 22091c180980..317491842e7c 100644
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@@ -4087,7 +4087,6 @@ static bool
 DoGetIteratorFallback(JSContext* cx, BaselineFrame* frame, ICGetIterator_Fallback* stub,
                       HandleValue value, MutableHandleValue res)
 {
-    jsbytecode* pc = stub->icEntry()->pc(frame->script());
     FallbackICSpew(cx, stub, "GetIterator");
 
     if (stub->state().maybeTransition())
@@ -4111,8 +4110,7 @@ DoGetIteratorFallback(JSContext* cx, BaselineFrame* frame, ICGetIterator_Fallbac
             stub->state().trackNotAttached();
     }
 
-    uint8_t flags = GET_UINT8(pc);
-    JSObject* iterobj = ValueToIterator(cx, flags, value);
+    JSObject* iterobj = ValueToIterator(cx, value);
     if (!iterobj)
         return false;
 
diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
index 2b1418d4a8c0..9f8f1eb4d541 100644
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -4009,9 +4009,6 @@ GetIteratorIRGenerator::tryAttachNativeIterator(ObjOperandId objId, HandleObject
 {
     MOZ_ASSERT(JSOp(*pc_) == JSOP_ITER);
 
-    if (GET_UINT8(pc_) != JSITER_ENUMERATE)
-        return false;
-
     PropertyIteratorObject* iterobj = LookupInIteratorCache(cx_, obj);
     if (!iterobj)
         return false;
diff --git a/js/src/jit/CacheIRCompiler.cpp b/js/src/jit/CacheIRCompiler.cpp
index 339da055aec2..b4812323fe85 100644
--- a/js/src/jit/CacheIRCompiler.cpp
+++ b/js/src/jit/CacheIRCompiler.cpp
@@ -470,8 +470,6 @@ CacheRegisterAllocator::fixupAliasedInputs(MacroAssembler& masm)
             // PayloadReg: spilling the ValueReg instead would leave its type
             // register unallocated on 32-bit platforms.
             if (loc1.kind() == OperandLocation::ValueReg) {
-                MOZ_ASSERT_IF(loc2.kind() == OperandLocation::ValueReg,
-                              loc1 == loc2);
                 spillOperandToStack(masm, &loc2);
             } else {
                 MOZ_ASSERT(loc1.kind() == OperandLocation::PayloadReg);
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
index 3c8a1f0484d3..543ccb9fee6f 100644
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -9291,9 +9291,6 @@ CodeGenerator::visitIteratorEnd(LIteratorEnd* lir)
 
     LoadNativeIterator(masm, obj, temp1, ool->entry());
 
-    masm.branchTest32(Assembler::Zero, Address(temp1, offsetof(NativeIterator, flags)),
-                      Imm32(JSITER_ENUMERATE), ool->entry());
-
     // Clear active bit.
     masm.and32(Imm32(~JSITER_ACTIVE), Address(temp1, offsetof(NativeIterator, flags)));
 
diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index ccf406588b53..017740417b2e 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -2305,7 +2305,7 @@ IonBuilder::inspectOpcode(JSOp op)
         return jsop_copylexicalenv(false);
 
       case JSOP_ITER:
-        return jsop_iter(GET_INT8(pc));
+        return jsop_iter();
 
       case JSOP_MOREITER:
         return jsop_itermore();
@@ -12577,7 +12577,7 @@ IonBuilder::jsop_toid()
 }
 
 AbortReasonOr<Ok>
-IonBuilder::jsop_iter(uint8_t flags)
+IonBuilder::jsop_iter()
 {
     MDefinition* obj = current->pop();
     MInstruction* ins = MGetIteratorCache::New(alloc(), obj);
diff --git a/js/src/jit/IonBuilder.h b/js/src/jit/IonBuilder.h
index 85ec031603e5..9f252bf0ef22 100644
--- a/js/src/jit/IonBuilder.h
+++ b/js/src/jit/IonBuilder.h
@@ -578,7 +578,7 @@ class IonBuilder
     AbortReasonOr<Ok> jsop_toasyncgen();
     AbortReasonOr<Ok> jsop_toasynciter();
     AbortReasonOr<Ok> jsop_toid();
-    AbortReasonOr<Ok> jsop_iter(uint8_t flags);
+    AbortReasonOr<Ok> jsop_iter();
     AbortReasonOr<Ok> jsop_itermore();
     AbortReasonOr<Ok> jsop_isnoiter();
     AbortReasonOr<Ok> jsop_iterend();
diff --git a/js/src/jit/IonIC.cpp b/js/src/jit/IonIC.cpp
index 24dae2910fb4..3e76fb43a253 100644
--- a/js/src/jit/IonIC.cpp
+++ b/js/src/jit/IonIC.cpp
@@ -402,7 +402,6 @@ IonGetIteratorIC::update(JSContext* cx, HandleScript outerScript, IonGetIterator
                          HandleValue value)
 {
     IonScript* ionScript = outerScript->ionScript();
-    jsbytecode* pc = ic->pc();
 
     if (ic->state().maybeTransition())
         ic->discardStubs(cx->zone());
@@ -410,7 +409,7 @@ IonGetIteratorIC::update(JSContext* cx, HandleScript outerScript, IonGetIterator
     if (ic->state().canAttachStub()) {
         bool attached = false;
         RootedScript script(cx, ic->script());
-        GetIteratorIRGenerator gen(cx, script, pc, ic->state().mode(), value);
+        GetIteratorIRGenerator gen(cx, script, ic->pc(), ic->state().mode(), value);
         if (gen.tryAttachStub())
             ic->attachCacheIRStub(cx, gen.writerRef(), gen.cacheKind(), ionScript, &attached);
 
@@ -418,8 +417,7 @@ IonGetIteratorIC::update(JSContext* cx, HandleScript outerScript, IonGetIterator
             ic->state().trackNotAttached();
     }
 
-    uint8_t flags = GET_UINT8(pc);
-    return ValueToIterator(cx, flags, value);
+    return ValueToIterator(cx, value);
 }
 
 /* static */ bool
diff --git a/js/src/jscntxt.h b/js/src/jscntxt.h
index baa81591f3c3..e04e8c65a4ea 100644
--- a/js/src/jscntxt.h
+++ b/js/src/jscntxt.h
@@ -18,6 +18,7 @@
 #include "js/Vector.h"
 #include "threading/ProtectedData.h"
 #include "vm/ErrorReporting.h"
+#include "vm/MallocProvider.h"
 #include "vm/Runtime.h"
 
 #ifdef _MSC_VER
diff --git a/js/src/jsfriendapi.h b/js/src/jsfriendapi.h
index 3c17f2deed0e..a77e2f281456 100644
--- a/js/src/jsfriendapi.h
+++ b/js/src/jsfriendapi.h
@@ -1000,9 +1000,8 @@ IsObjectInContextCompartment(JSObject* obj, const JSContext* cx);
 
 /*
  * NB: keep these in sync with the copy in builtin/SelfHostingDefines.h.
- * The first two are omitted because they shouldn't be used in new code.
  */
-#define JSITER_ENUMERATE  0x1   /* for-in compatible hidden default iterator */
+/* 0x1 is no longer used */
 /* 0x2 is no longer used */
 /* 0x4 is no longer used */
 #define JSITER_OWNONLY    0x8   /* iterate over obj's own properties only */
diff --git a/js/src/jsgc.cpp b/js/src/jsgc.cpp
index 02dd5271b75e..54efd37bc983 100644
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -9047,3 +9047,29 @@ js::gc::detail::CellIsNotGray(const Cell* cell)
     return false;
 }
 #endif
+
+js::gc::ClearEdgesTracer::ClearEdgesTracer()
+  : CallbackTracer(TlsContext.get(), TraceWeakMapKeysValues)
+{}
+
+template <typename S>
+inline void
+js::gc::ClearEdgesTracer::clearEdge(S** thingp)
+{
+    InternalBarrierMethods<S*>::preBarrier(*thingp);
+    InternalBarrierMethods<S*>::postBarrier(thingp, *thingp, nullptr);
+    *thingp = nullptr;
+}
+
+void js::gc::ClearEdgesTracer::onObjectEdge(JSObject** objp) { clearEdge(objp); }
+void js::gc::ClearEdgesTracer::onStringEdge(JSString** strp) { clearEdge(strp); }
+void js::gc::ClearEdgesTracer::onSymbolEdge(JS::Symbol** symp) { clearEdge(symp); }
+void js::gc::ClearEdgesTracer::onScriptEdge(JSScript** scriptp) { clearEdge(scriptp); }
+void js::gc::ClearEdgesTracer::onShapeEdge(js::Shape** shapep) { clearEdge(shapep); }
+void js::gc::ClearEdgesTracer::onObjectGroupEdge(js::ObjectGroup** groupp) { clearEdge(groupp); }
+void js::gc::ClearEdgesTracer::onBaseShapeEdge(js::BaseShape** basep) { clearEdge(basep); }
+void js::gc::ClearEdgesTracer::onJitCodeEdge(js::jit::JitCode** codep) { clearEdge(codep); }
+void js::gc::ClearEdgesTracer::onLazyScriptEdge(js::LazyScript** lazyp) { clearEdge(lazyp); }
+void js::gc::ClearEdgesTracer::onScopeEdge(js::Scope** scopep) { clearEdge(scopep); }
+void js::gc::ClearEdgesTracer::onRegExpSharedEdge(js::RegExpShared** sharedp) { clearEdge(sharedp); }
+void js::gc::ClearEdgesTracer::onChild(const JS::GCCellPtr& thing) { MOZ_CRASH(); }
diff --git a/js/src/jsiter.cpp b/js/src/jsiter.cpp
index f3e9c32d5f1f..0b2026f45fd4 100644
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@@ -537,36 +537,32 @@ js::GetPropertyKeys(JSContext* cx, HandleObject obj, unsigned flags, AutoIdVecto
 }
 
 static inline PropertyIteratorObject*
-NewPropertyIteratorObject(JSContext* cx, unsigned flags)
+NewPropertyIteratorObject(JSContext* cx)
 {
-    if (flags & JSITER_ENUMERATE) {
-        RootedObjectGroup group(cx, ObjectGroup::defaultNewGroup(cx, &PropertyIteratorObject::class_,
-                                                                 TaggedProto(nullptr)));
-        if (!group)
-            return nullptr;
+    RootedObjectGroup group(cx, ObjectGroup::defaultNewGroup(cx, &PropertyIteratorObject::class_,
+                                                             TaggedProto(nullptr)));
+    if (!group)
+        return nullptr;
 
-        const Class* clasp = &PropertyIteratorObject::class_;
-        RootedShape shape(cx, EmptyShape::getInitialShape(cx, clasp, TaggedProto(nullptr),
-                                                          ITERATOR_FINALIZE_KIND));
-        if (!shape)
-            return nullptr;
+    const Class* clasp = &PropertyIteratorObject::class_;
+    RootedShape shape(cx, EmptyShape::getInitialShape(cx, clasp, TaggedProto(nullptr),
+                                                      ITERATOR_FINALIZE_KIND));
+    if (!shape)
+        return nullptr;
 
-        JSObject* obj;
-        JS_TRY_VAR_OR_RETURN_NULL(cx, obj, NativeObject::create(cx, ITERATOR_FINALIZE_KIND,
-                                                                GetInitialHeap(GenericObject, clasp),
-                                                                shape, group));
+    JSObject* obj;
+    JS_TRY_VAR_OR_RETURN_NULL(cx, obj, NativeObject::create(cx, ITERATOR_FINALIZE_KIND,
+                                                            GetInitialHeap(GenericObject, clasp),
+                                                            shape, group));
 
-        PropertyIteratorObject* res = &obj->as<PropertyIteratorObject>();
+    PropertyIteratorObject* res = &obj->as<PropertyIteratorObject>();
 
-        // CodeGenerator::visitIteratorStartO assumes the iterator object is not
-        // inside the nursery when deciding whether a barrier is necessary.
-        MOZ_ASSERT(!js::gc::IsInsideNursery(res));
+    // CodeGenerator::visitIteratorStartO assumes the iterator object is not
+    // inside the nursery when deciding whether a barrier is necessary.
+    MOZ_ASSERT(!js::gc::IsInsideNursery(res));
 
-        MOZ_ASSERT(res->numFixedSlots() == JSObject::ITER_CLASS_NFIXED_SLOTS);
-        return res;
-    }
-
-    return NewBuiltinClassInstance<PropertyIteratorObject>(cx);
+    MOZ_ASSERT(res->numFixedSlots() == JSObject::ITER_CLASS_NFIXED_SLOTS);
+    return res;
 }
 
 NativeIterator*
@@ -607,11 +603,11 @@ NativeIterator::allocateSentinel(JSContext* maybecx)
 }
 
 inline void
-NativeIterator::init(JSObject* obj, JSObject* iterObj, unsigned flags, uint32_t numGuards, uint32_t key)
+NativeIterator::init(JSObject* obj, JSObject* iterObj, uint32_t numGuards, uint32_t key)
 {
     this->obj.init(obj);
     this->iterObj_ = iterObj;
-    this->flags = flags;
+    this->flags = 0;
     this->guard_array = (HeapReceiverGuard*) this->props_end;
     this->guard_length = numGuards;
     this->guard_key = key;
@@ -642,23 +638,20 @@ static inline void
 RegisterEnumerator(JSContext* cx, PropertyIteratorObject* iterobj, NativeIterator* ni)
 {
     /* Register non-escaping native enumerators (for-in) with the current context. */
-    if (ni->flags & JSITER_ENUMERATE) {
-        ni->link(cx->compartment()->enumerators);
+    ni->link(cx->compartment()->enumerators);
 
-        MOZ_ASSERT(!(ni->flags & JSITER_ACTIVE));
-        ni->flags |= JSITER_ACTIVE;
-    }
+    MOZ_ASSERT(!(ni->flags & JSITER_ACTIVE));
+    ni->flags |= JSITER_ACTIVE;
 }
 
 static inline PropertyIteratorObject*
-VectorToKeyIterator(JSContext* cx, HandleObject obj, unsigned flags, AutoIdVector& keys,
-                    uint32_t numGuards)
+VectorToKeyIterator(JSContext* cx, HandleObject obj, AutoIdVector& keys, uint32_t numGuards)
 {
     if (obj->isSingleton() && !JSObject::setIteratedSingleton(cx, obj))
         return nullptr;
     MarkObjectGroupFlags(cx, obj, OBJECT_FLAG_ITERATED);
 
-    Rooted<PropertyIteratorObject*> iterobj(cx, NewPropertyIteratorObject(cx, flags));
+    Rooted<PropertyIteratorObject*> iterobj(cx, NewPropertyIteratorObject(cx));
     if (!iterobj)
         return nullptr;
 
@@ -667,7 +660,7 @@ VectorToKeyIterator(JSContext* cx, HandleObject obj, unsigned flags, AutoIdVecto
         return nullptr;
 
     iterobj->setNativeIterator(ni);
-    ni->init(obj, iterobj, flags, numGuards, 0);
+    ni->init(obj, iterobj, numGuards, 0);
     if (!ni->initProperties(cx, iterobj, keys))
         return nullptr;
 
@@ -699,17 +692,16 @@ VectorToKeyIterator(JSContext* cx, HandleObject obj, unsigned flags, AutoIdVecto
 
 
 JSObject*
-js::EnumeratedIdVectorToIterator(JSContext* cx, HandleObject obj, unsigned flags,
-                                 AutoIdVector& props)
+js::EnumeratedIdVectorToIterator(JSContext* cx, HandleObject obj, AutoIdVector& props)
 {
-    return VectorToKeyIterator(cx, obj, flags, props, 0);
+    return VectorToKeyIterator(cx, obj, props, 0);
 }
 
 // Mainly used for .. in over null/undefined
 JSObject*
-js::NewEmptyPropertyIterator(JSContext* cx, unsigned flags)
+js::NewEmptyPropertyIterator(JSContext* cx)
 {
-    Rooted<PropertyIteratorObject*> iterobj(cx, NewPropertyIteratorObject(cx, flags));
+    Rooted<PropertyIteratorObject*> iterobj(cx, NewPropertyIteratorObject(cx));
     if (!iterobj)
         return nullptr;
 
@@ -719,7 +711,7 @@ js::NewEmptyPropertyIterator(JSContext* cx, unsigned flags)
         return nullptr;
 
     iterobj->setNativeIterator(ni);
-    ni->init(nullptr, iterobj, flags, 0, 0);
+    ni->init(nullptr, iterobj, 0, 0);
     if (!ni->initProperties(cx, iterobj, keys))
         return nullptr;
 
@@ -766,10 +758,6 @@ LookupInIteratorCache(JSContext* cx, JSObject* obj, uint32_t* numGuards)
 {
     MOZ_ASSERT(*numGuards == 0);
 
-    // The iterator object for JSITER_ENUMERATE never escapes, so we don't
-    // care that the "proper" prototype is set.  This also lets us reuse an
-    // old, inactive iterator object.
-
     ReceiverGuardVector guards(cx);
     uint32_t key = 0;
     JSObject* pobj = obj;
@@ -861,39 +849,29 @@ StoreInIteratorCache(JSContext* cx, JSObject* obj, PropertyIteratorObject* itero
 }
 
 JSObject*
-js::GetIterator(JSContext* cx, HandleObject obj, unsigned flags)
+js::GetIterator(JSContext* cx, HandleObject obj)
 {
     uint32_t numGuards = 0;
-    if (flags == JSITER_ENUMERATE) {
-        if (PropertyIteratorObject* iterobj = LookupInIteratorCache(cx, obj, &numGuards)) {
-            NativeIterator* ni = iterobj->getNativeIterator();
-            UpdateNativeIterator(ni, obj);
-            RegisterEnumerator(cx, iterobj, ni);
-            return iterobj;
-        }
-
-        if (numGuards > 0 && !CanStoreInIteratorCache(cx, obj))
-            numGuards = 0;
+    if (PropertyIteratorObject* iterobj = LookupInIteratorCache(cx, obj, &numGuards)) {
+        NativeIterator* ni = iterobj->getNativeIterator();
+        UpdateNativeIterator(ni, obj);
+        RegisterEnumerator(cx, iterobj, ni);
+        return iterobj;
     }
 
-    if (MOZ_UNLIKELY(obj->is<PropertyIteratorObject>()))
-        return obj;
+    if (numGuards > 0 && !CanStoreInIteratorCache(cx, obj))
+        numGuards = 0;
 
-    // We should only call the enumerate trap for "for-in".
-    // Or when we call GetIterator from the Proxy [[Enumerate]] hook.
-    // JSITER_ENUMERATE is just an optimization and the same
-    // as flags == 0 otherwise.
-    if (flags == 0 || flags == JSITER_ENUMERATE) {
-        if (MOZ_UNLIKELY(obj->is<ProxyObject>()))
-            return Proxy::enumerate(cx, obj);
-    }
+    MOZ_ASSERT(!obj->is<PropertyIteratorObject>());
 
+    if (MOZ_UNLIKELY(obj->is<ProxyObject>()))
+        return Proxy::enumerate(cx, obj);
 
     AutoIdVector keys(cx);
-    if (!Snapshot(cx, obj, flags, &keys))
+    if (!Snapshot(cx, obj, 0, &keys))
         return nullptr;
 
-    JSObject* res = VectorToKeyIterator(cx, obj, flags, keys, numGuards);
+    JSObject* res = VectorToKeyIterator(cx, obj, keys, numGuards);
     if (!res)
         return nullptr;
 
@@ -997,17 +975,15 @@ JSCompartment::getOrCreateIterResultTemplateObject(JSContext* cx)
 
 /*** Iterator objects ****************************************************************************/
 
-MOZ_ALWAYS_INLINE bool
-NativeIteratorNext(JSContext* cx, NativeIterator* ni, MutableHandleValue rval)
+MOZ_ALWAYS_INLINE void
+NativeIteratorNext(NativeIterator* ni, MutableHandleValue rval)
 {
     if (ni->props_cursor >= ni->props_end) {
         rval.setMagic(JS_NO_ITER_VALUE);
-        return true;
+    } else {
+        rval.setString(*ni->current());
+        ni->incCursor();
     }
-
-    rval.setString(*ni->current());
-    ni->incCursor();
-    return true;
 }
 
 bool
@@ -1122,26 +1098,26 @@ js::NewStringIteratorObject(JSContext* cx, NewObjectKind newKind)
 }
 
 JSObject*
-js::ValueToIterator(JSContext* cx, unsigned flags, HandleValue vp)
+js::ValueToIterator(JSContext* cx, HandleValue vp)
 {
     RootedObject obj(cx);
     if (vp.isObject()) {
         /* Common case. */
         obj = &vp.toObject();
-    } else if ((flags & JSITER_ENUMERATE) && vp.isNullOrUndefined()) {
+    } else if (vp.isNullOrUndefined()) {
         /*
          * Enumerating over null and undefined gives an empty enumerator, so
          * that |for (var p in <null or undefined>) <loop>;| never executes
          * <loop>, per ES5 12.6.4.
          */
-        return NewEmptyPropertyIterator(cx, flags);
+        return NewEmptyPropertyIterator(cx);
     } else {
         obj = ToObject(cx, vp);
         if (!obj)
             return nullptr;
     }
 
-    return GetIterator(cx, obj, flags);
+    return GetIterator(cx, obj);
 }
 
 void
@@ -1151,18 +1127,16 @@ js::CloseIterator(JSObject* obj)
         /* Remove enumerators from the active list, which is a stack. */
         NativeIterator* ni = obj->as<PropertyIteratorObject>().getNativeIterator();
 
-        if (ni->flags & JSITER_ENUMERATE) {
-            ni->unlink();
+        ni->unlink();
 
-            MOZ_ASSERT(ni->flags & JSITER_ACTIVE);
-            ni->flags &= ~JSITER_ACTIVE;
+        MOZ_ASSERT(ni->flags & JSITER_ACTIVE);
+        ni->flags &= ~JSITER_ACTIVE;
 
-            /*
-             * Reset the enumerator; it may still be in the cached iterators
-             * for this thread, and can be reused.
-             */
-            ni->props_cursor = ni->props_array;
-        }
+        /*
+         * Reset the enumerator; it may still be in the cached iterators
+         * for this thread, and can be reused.
+         */
+        ni->props_cursor = ni->props_array;
     }
 }
 
@@ -1221,8 +1195,7 @@ js::UnwindIteratorForUncatchableException(JSContext* cx, JSObject* obj)
 {
     if (obj->is<PropertyIteratorObject>()) {
         NativeIterator* ni = obj->as<PropertyIteratorObject>().getNativeIterator();
-        if (ni->flags & JSITER_ENUMERATE)
-            ni->unlink();
+        ni->unlink();
     }
 }
 
@@ -1371,7 +1344,8 @@ js::IteratorMore(JSContext* cx, HandleObject iterobj, MutableHandleValue rval)
     // Fast path for native iterators.
     if (MOZ_LIKELY(iterobj->is<PropertyIteratorObject>())) {
         NativeIterator* ni = iterobj->as<PropertyIteratorObject>().getNativeIterator();
-        return NativeIteratorNext(cx, ni, rval);
+        NativeIteratorNext(ni, rval);
+        return true;
     }
 
     if (JS_IsDeadWrapper(iterobj)) {
@@ -1389,8 +1363,7 @@ js::IteratorMore(JSContext* cx, HandleObject iterobj, MutableHandleValue rval)
     {
         AutoCompartment ac(cx, obj);
         NativeIterator* ni = obj->as<PropertyIteratorObject>().getNativeIterator();
-        if (!NativeIteratorNext(cx, ni, rval))
-            return false;
+        NativeIteratorNext(ni, rval);
     }
     return cx->compartment()->wrap(cx, rval);
 }
diff --git a/js/src/jsiter.h b/js/src/jsiter.h
index 2f5a93e57765..48f338d3b915 100644
--- a/js/src/jsiter.h
+++ b/js/src/jsiter.h
@@ -85,7 +85,6 @@ struct NativeIterator
     void link(NativeIterator* other) {
         /* A NativeIterator cannot appear in the enumerator list twice. */
         MOZ_ASSERT(!next_ && !prev_);
-        MOZ_ASSERT(flags & JSITER_ENUMERATE);
 
         this->next_ = other;
         this->prev_ = other->prev_;
@@ -93,8 +92,6 @@ struct NativeIterator
         other->prev_ = this;
     }
     void unlink() {
-        MOZ_ASSERT(flags & JSITER_ENUMERATE);
-
         next_->prev_ = prev_;
         prev_->next_ = next_;
         next_ = nullptr;
@@ -103,7 +100,7 @@ struct NativeIterator
 
     static NativeIterator* allocateSentinel(JSContext* maybecx);
     static NativeIterator* allocateIterator(JSContext* cx, uint32_t slength, uint32_t plength);
-    void init(JSObject* obj, JSObject* iterObj, unsigned flags, uint32_t slength, uint32_t key);
+    void init(JSObject* obj, JSObject* iterObj, uint32_t slength, uint32_t key);
     bool initProperties(JSContext* cx, Handle<PropertyIteratorObject*> obj,
                         const js::AutoIdVector& props);
 
@@ -154,29 +151,19 @@ StringIteratorObject*
 NewStringIteratorObject(JSContext* cx, NewObjectKind newKind = GenericObject);
 
 JSObject*
-GetIterator(JSContext* cx, HandleObject obj, unsigned flags);
+GetIterator(JSContext* cx, HandleObject obj);
 
 PropertyIteratorObject*
 LookupInIteratorCache(JSContext* cx, HandleObject obj);
 
-/*
- * Creates either a key or value iterator, depending on flags. For a value
- * iterator, performs value-lookup to convert the given list of jsids.
- */
 JSObject*
-EnumeratedIdVectorToIterator(JSContext* cx, HandleObject obj, unsigned flags, AutoIdVector& props);
+EnumeratedIdVectorToIterator(JSContext* cx, HandleObject obj, AutoIdVector& props);
 
 JSObject*
-NewEmptyPropertyIterator(JSContext* cx, unsigned flags);
+NewEmptyPropertyIterator(JSContext* cx);
 
-/*
- * Convert the value stored in *vp to its iteration object. The flags should
- * contain JSITER_ENUMERATE if js::ValueToIterator is called when enumerating
- * for-in semantics are required, and when the caller can guarantee that the
- * iterator will never be exposed to scripts.
- */
 JSObject*
-ValueToIterator(JSContext* cx, unsigned flags, HandleValue vp);
+ValueToIterator(JSContext* cx, HandleValue vp);
 
 void
 CloseIterator(JSObject* obj);
diff --git a/js/src/jsweakmap.h b/js/src/jsweakmap.h
index c220af104bcd..8856c5f28044 100644
--- a/js/src/jsweakmap.h
+++ b/js/src/jsweakmap.h
@@ -14,6 +14,7 @@
 #include "jsfriendapi.h"
 #include "jsobj.h"
 
+#include "gc/DeletePolicy.h"
 #include "gc/StoreBuffer.h"
 #include "js/HashTable.h"
 
diff --git a/js/src/proxy/BaseProxyHandler.cpp b/js/src/proxy/BaseProxyHandler.cpp
index ca3c0ef6da27..665d73f91415 100644
--- a/js/src/proxy/BaseProxyHandler.cpp
+++ b/js/src/proxy/BaseProxyHandler.cpp
@@ -284,7 +284,7 @@ BaseProxyHandler::enumerate(JSContext* cx, HandleObject proxy) const
     if (!GetPropertyKeys(cx, proxy, 0, &props))
         return nullptr;
 
-    return EnumeratedIdVectorToIterator(cx, proxy, 0, props);
+    return EnumeratedIdVectorToIterator(cx, proxy, props);
 }
 
 bool
diff --git a/js/src/proxy/CrossCompartmentWrapper.cpp b/js/src/proxy/CrossCompartmentWrapper.cpp
index c8aaee6bfa08..48574a66a372 100644
--- a/js/src/proxy/CrossCompartmentWrapper.cpp
+++ b/js/src/proxy/CrossCompartmentWrapper.cpp
@@ -260,8 +260,7 @@ CrossCompartmentWrapper::getOwnEnumerablePropertyKeys(JSContext* cx, HandleObjec
 static bool
 CanReify(HandleObject obj)
 {
-    return obj->is<PropertyIteratorObject>() &&
-           (obj->as<PropertyIteratorObject>().getNativeIterator()->flags & JSITER_ENUMERATE);
+    return obj->is<PropertyIteratorObject>();
 }
 
 struct AutoCloseIterator
@@ -303,11 +302,13 @@ Reify(JSContext* cx, JSCompartment* origin, HandleObject objp)
         if (length > 0) {
             if (!keys.reserve(length))
                 return nullptr;
+            RootedId id(cx);
+            RootedValue v(cx);
             for (size_t i = 0; i < length; ++i) {
-                RootedId id(cx);
-                RootedValue v(cx, StringValue(ni->begin()[i]));
+                v.setString(ni->begin()[i]);
                 if (!ValueToId<CanGC>(cx, v, &id))
                     return nullptr;
+                cx->markId(id);
                 keys.infallibleAppend(id);
             }
         }
@@ -315,7 +316,7 @@ Reify(JSContext* cx, JSCompartment* origin, HandleObject objp)
         close.clear();
         CloseIterator(iterObj);
 
-        obj = EnumeratedIdVectorToIterator(cx, obj, ni->flags, keys);
+        obj = EnumeratedIdVectorToIterator(cx, obj, keys);
     }
     return obj;
 }
diff --git a/js/src/proxy/Proxy.cpp b/js/src/proxy/Proxy.cpp
index b7a7b1c145f9..63c980ae4815 100644
--- a/js/src/proxy/Proxy.cpp
+++ b/js/src/proxy/Proxy.cpp
@@ -467,7 +467,7 @@ Proxy::enumerate(JSContext* cx, HandleObject proxy)
         if (!GetPrototype(cx, proxy, &proto))
             return nullptr;
         if (!proto)
-            return EnumeratedIdVectorToIterator(cx, proxy, 0, props);
+            return EnumeratedIdVectorToIterator(cx, proxy, props);
         assertSameCompartment(cx, proxy, proto);
 
         AutoIdVector protoProps(cx);
@@ -475,7 +475,7 @@ Proxy::enumerate(JSContext* cx, HandleObject proxy)
             return nullptr;
         if (!AppendUnique(cx, props, protoProps))
             return nullptr;
-        return EnumeratedIdVectorToIterator(cx, proxy, 0, props);
+        return EnumeratedIdVectorToIterator(cx, proxy, props);
     }
 
     AutoEnterPolicy policy(cx, handler, proxy, JSID_VOIDHANDLE,
@@ -486,7 +486,7 @@ Proxy::enumerate(JSContext* cx, HandleObject proxy)
     if (!policy.allowed()) {
         if (!policy.returnValue())
             return nullptr;
-        return NewEmptyPropertyIterator(cx, 0);
+        return NewEmptyPropertyIterator(cx);
     }
     return handler->enumerate(cx, proxy);
 }
diff --git a/js/src/proxy/Wrapper.cpp b/js/src/proxy/Wrapper.cpp
index b380e3ff7141..9b6e58a4db12 100644
--- a/js/src/proxy/Wrapper.cpp
+++ b/js/src/proxy/Wrapper.cpp
@@ -86,7 +86,7 @@ ForwardingProxyHandler::enumerate(JSContext* cx, HandleObject proxy) const
     assertEnteredPolicy(cx, proxy, JSID_VOID, ENUMERATE);
     MOZ_ASSERT(!hasPrototype()); // Should never be called if there's a prototype.
     RootedObject target(cx, proxy->as<ProxyObject>().target());
-    return GetIterator(cx, target, 0);
+    return GetIterator(cx, target);
 }
 
 bool
diff --git a/js/src/vm/Interpreter.cpp b/js/src/vm/Interpreter.cpp
index d7d88531cede..48f11e9f0b8d 100644
--- a/js/src/vm/Interpreter.cpp
+++ b/js/src/vm/Interpreter.cpp
@@ -2276,10 +2276,8 @@ END_CASE(JSOP_HASOWN)
 CASE(JSOP_ITER)
 {
     MOZ_ASSERT(REGS.stackDepth() >= 1);
-    uint8_t flags = GET_UINT8(REGS.pc);
     HandleValue val = REGS.stackHandleAt(-1);
-    ReservedRooted<JSObject*> iter(&rootObject0);
-    iter.set(ValueToIterator(cx, flags, val));
+    JSObject* iter = ValueToIterator(cx, val);
     if (!iter)
         goto error;
     REGS.sp[-1].setObject(*iter);
diff --git a/js/src/vm/List-inl.h b/js/src/vm/List-inl.h
index 10f4672237cd..8860c080b3b5 100644
--- a/js/src/vm/List-inl.h
+++ b/js/src/vm/List-inl.h
@@ -56,11 +56,11 @@ ShiftFromList(JSContext* cx, HandleNativeObject list)
     Rooted<T*> entry(cx, &list->getDenseElement(0).toObject().as<T>());
     if (!list->tryShiftDenseElements(1)) {
         list->moveDenseElements(0, 1, length - 1);
+        list->setDenseInitializedLength(length - 1);
         list->shrinkElements(cx, length - 1);
     }
 
-    list->setDenseInitializedLength(length - 1);
-
+    MOZ_ASSERT(list->getDenseInitializedLength() == length - 1);
     return entry;
 }
 
diff --git a/js/src/vm/NativeObject.cpp b/js/src/vm/NativeObject.cpp
index 61c973a718d7..4baf1afbb91c 100644
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -997,6 +997,8 @@ void
 NativeObject::shrinkElements(JSContext* cx, uint32_t reqCapacity)
 {
     MOZ_ASSERT(canHaveNonEmptyElements());
+    MOZ_ASSERT(reqCapacity >= getDenseInitializedLength());
+
     if (denseElementsAreCopyOnWrite())
         MOZ_CRASH();
 
diff --git a/js/src/vm/Opcodes.h b/js/src/vm/Opcodes.h
index 9bd60695d86b..09d1537c395a 100644
--- a/js/src/vm/Opcodes.h
+++ b/js/src/vm/Opcodes.h
@@ -698,15 +698,14 @@
     macro(JSOP_THROWMSG,   74, "throwmsg",    NULL,         3,  0,  0, JOF_UINT16) \
     \
     /*
-     * Sets up a for-in or for-each-in loop using the JSITER_* flag bits in
-     * this op's uint8_t immediate operand. It pops the top of stack value as
-     * 'val' and pushes 'iter' which is an iterator for 'val'.
+     * Sets up a for-in loop. It pops the top of stack value as 'val' and pushes
+     * 'iter' which is an iterator for 'val'.
      *   Category: Statements
      *   Type: For-In Statement
-     *   Operands: uint8_t flags
+     *   Operands:
      *   Stack: val => iter
      */ \
-    macro(JSOP_ITER,      75, "iter",       NULL,         2,  1,  1,  JOF_UINT8) \
+    macro(JSOP_ITER,      75, "iter",       NULL,         1,  1,  1,  JOF_BYTE) \
     /*
      * Pushes the next iterated value onto the stack. If no value is available,
      * MagicValue(JS_NO_ITER_VALUE) is pushed.
diff --git a/js/src/vm/Scope.h b/js/src/vm/Scope.h
index 0876da443f62..473f89aef587 100644
--- a/js/src/vm/Scope.h
+++ b/js/src/vm/Scope.h
@@ -13,6 +13,7 @@
 #include "jsobj.h"
 #include "jsopcode.h"
 
+#include "gc/DeletePolicy.h"
 #include "gc/Heap.h"
 #include "gc/Policy.h"
 #include "js/UbiNode.h"
@@ -1538,6 +1539,23 @@ DEFINE_SCOPE_DATA_GCPOLICY(js::WasmFunctionScope::Data);
 
 #undef DEFINE_SCOPE_DATA_GCPOLICY
 
+// Scope data that contain GCPtrs must use the correct DeletePolicy.
+
+template <>
+struct DeletePolicy<js::FunctionScope::Data>
+  : public js::GCManagedDeletePolicy<js::FunctionScope::Data>
+{};
+
+template <>
+struct DeletePolicy<js::ModuleScope::Data>
+  : public js::GCManagedDeletePolicy<js::ModuleScope::Data>
+{};
+
+template <>
+struct DeletePolicy<js::WasmInstanceScope::Data>
+  : public js::GCManagedDeletePolicy<js::WasmInstanceScope::Data>
+{ };
+
 namespace ubi {
 
 template <>
diff --git a/js/src/vm/UnboxedObject.h b/js/src/vm/UnboxedObject.h
index 75224f813682..175c744d1de1 100644
--- a/js/src/vm/UnboxedObject.h
+++ b/js/src/vm/UnboxedObject.h
@@ -9,6 +9,7 @@
 
 #include "jsobj.h"
 
+#include "gc/DeletePolicy.h"
 #include "gc/Zone.h"
 #include "vm/Runtime.h"
 #include "vm/TypeInference.h"
diff --git a/js/src/wasm/WasmJS.cpp b/js/src/wasm/WasmJS.cpp
index a557319f5dc1..6955c7904d11 100644
--- a/js/src/wasm/WasmJS.cpp
+++ b/js/src/wasm/WasmJS.cpp
@@ -1729,6 +1729,20 @@ const JSPropertySpec WasmTableObject::properties[] =
     JS_PS_END
 };
 
+static bool
+ToTableIndex(JSContext* cx, HandleValue v, const Table& table, const char* noun, uint32_t* index)
+{
+    if (!EnforceRangeU32(cx, v, UINT32_MAX, "Table", noun, index))
+        return false;
+
+    if (*index >= table.length()) {
+        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_WASM_BAD_UINT32, "Table", noun);
+        return false;
+    }
+
+    return true;
+}
+
 /* static */ bool
 WasmTableObject::getImpl(JSContext* cx, const CallArgs& args)
 {
@@ -1736,7 +1750,7 @@ WasmTableObject::getImpl(JSContext* cx, const CallArgs& args)
     const Table& table = tableObj->table();
 
     uint32_t index;
-    if (!EnforceRangeU32(cx, args.get(0), table.length() - 1, "Table", "get index", &index))
+    if (!ToTableIndex(cx, args.get(0), table, "get index", &index))
         return false;
 
     ExternalTableElem& elem = table.externalArray()[index];
@@ -1775,7 +1789,7 @@ WasmTableObject::setImpl(JSContext* cx, const CallArgs& args)
         return false;
 
     uint32_t index;
-    if (!EnforceRangeU32(cx, args.get(0), table.length() - 1, "Table", "set index", &index))
+    if (!ToTableIndex(cx, args.get(0), table, "set index", &index))
         return false;
 
     RootedFunction value(cx);
diff --git a/layout/build/nsLayoutStatics.cpp b/layout/build/nsLayoutStatics.cpp
index 97bb2e24fc01..7e606514ee41 100644
--- a/layout/build/nsLayoutStatics.cpp
+++ b/layout/build/nsLayoutStatics.cpp
@@ -125,6 +125,7 @@
 #include "mozilla/dom/ipc/IPCBlobInputStreamStorage.h"
 #include "mozilla/dom/U2FTokenManager.h"
 #include "mozilla/dom/PointerEventHandler.h"
+#include "nsHostObjectProtocolHandler.h"
 
 using namespace mozilla;
 using namespace mozilla::net;
@@ -433,4 +434,6 @@ nsLayoutStatics::Shutdown()
   CacheObserver::Shutdown();
 
   PromiseDebugging::Shutdown();
+
+  nsHostObjectProtocolHandler::RemoveDataEntries();
 }
diff --git a/layout/generic/nsGridContainerFrame.cpp b/layout/generic/nsGridContainerFrame.cpp
index 83acb77929c7..6720b96cb68d 100644
--- a/layout/generic/nsGridContainerFrame.cpp
+++ b/layout/generic/nsGridContainerFrame.cpp
@@ -477,9 +477,6 @@ struct nsGridContainerFrame::LineRange
                  mEnd > mStart, "invalid line range");
       mEnd -= aNumRemovedTracks[mEnd];
     }
-    if (mStart == mEnd) {
-      mEnd = nsGridContainerFrame::kAutoLine;
-    }
   }
   /**
    * Return the contribution of this line range for step 2 in
@@ -4839,10 +4836,15 @@ nsGridContainerFrame::LineRange::ToPositionAndLengthForAbsPos(
                             : GridLineSide::eBeforeGridGap;
       nscoord endPos = aTracks.GridLineEdge(mEnd, side);
       *aLength = std::max(aGridOrigin + endPos, 0);
-    } else {
+    } else if (MOZ_LIKELY(mStart != mEnd)) {
       nscoord pos;
       ToPositionAndLength(aTracks.mSizes, &pos, aLength);
       *aPos = aGridOrigin + pos;
+    } else {
+      // The grid area only covers removed 'auto-fit' tracks.
+      nscoord pos = aTracks.GridLineEdge(mStart, GridLineSide::eBeforeGridGap);
+      *aPos = aGridOrigin + pos;
+      *aLength = nscoord(0);
     }
   }
 }
diff --git a/layout/generic/nsIPageSequenceFrame.h b/layout/generic/nsIPageSequenceFrame.h
index cf346593627b..692b2e4e54e8 100644
--- a/layout/generic/nsIPageSequenceFrame.h
+++ b/layout/generic/nsIPageSequenceFrame.h
@@ -50,9 +50,6 @@ public:
   NS_IMETHOD GetPrintRange(int32_t* aFromPage, int32_t* aToPage) = 0;
 
   NS_IMETHOD DoPageEnd() = 0;
-  NS_IMETHOD SetSelectionHeight(nscoord aYOffset, nscoord aHeight) = 0;
-
-  NS_IMETHOD SetTotalNumPages(int32_t aTotal) = 0;
 
   // For Shrink To Fit
   NS_IMETHOD GetSTFPercent(float& aSTFPercent) = 0;
diff --git a/layout/generic/nsSimplePageSequenceFrame.cpp b/layout/generic/nsSimplePageSequenceFrame.cpp
index b719d6ec2eda..9ac8966ce456 100644
--- a/layout/generic/nsSimplePageSequenceFrame.cpp
+++ b/layout/generic/nsSimplePageSequenceFrame.cpp
@@ -47,8 +47,6 @@ NS_IMPL_FRAMEARENA_HELPERS(nsSimplePageSequenceFrame)
 nsSimplePageSequenceFrame::nsSimplePageSequenceFrame(nsStyleContext* aContext)
   : nsContainerFrame(aContext, kClassID)
   , mTotalPages(-1)
-  , mSelectionHeight(-1)
-  , mYSelOffset(0)
   , mCalledBeginPage(false)
   , mCurrentCanvasListSetup(false)
 {
@@ -226,12 +224,6 @@ nsSimplePageSequenceFrame::Reflow(nsPresContext*     aPresContext,
   nsSize pageSize = aPresContext->GetPageSize();
 
   mPageData->mReflowSize = pageSize;
-  // If we're printing a selection, we need to reflow with
-  // unconstrained height, to make sure we'll get to the selection
-  // even if it's beyond the first page of content.
-  if (nsIPrintSettings::kRangeSelection == mPrintRangeType) {
-    mPageData->mReflowSize.height = NS_UNCONSTRAINEDSIZE;
-  }
   mPageData->mReflowMargin = mMargin;
 
   // We use the CSS "margin" property on the -moz-page pseudoelement
@@ -428,15 +420,14 @@ nsSimplePageSequenceFrame::StartPrint(nsPresContext*    aPresContext,
   aPrintSettings->GetEndPageRange(&mToPageNum);
   aPrintSettings->GetPageRanges(mPageRanges);
 
-  mDoingPageRange = nsIPrintSettings::kRangeSpecifiedPageRange == mPrintRangeType ||
-                    nsIPrintSettings::kRangeSelection == mPrintRangeType;
+  mDoingPageRange = nsIPrintSettings::kRangeSpecifiedPageRange == mPrintRangeType;
 
   // If printing a range of pages make sure at least the starting page
   // number is valid
-  int32_t totalPages = mFrames.GetLength();
+  mTotalPages = mFrames.GetLength();
 
   if (mDoingPageRange) {
-    if (mFromPageNum > totalPages) {
+    if (mFromPageNum > mTotalPages) {
       return NS_ERROR_INVALID_ARG;
     }
   }
@@ -444,42 +435,8 @@ nsSimplePageSequenceFrame::StartPrint(nsPresContext*    aPresContext,
   // Begin printing of the document
   nsresult rv = NS_OK;
 
-  // Determine if we are rendering only the selection
-  aPresContext->SetIsRenderingOnlySelection(nsIPrintSettings::kRangeSelection == mPrintRangeType);
-
-
-  if (mDoingPageRange) {
-    // XXX because of the hack for making the selection all print on one page
-    // we must make sure that the page is sized correctly before printing.
-    nscoord height = aPresContext->GetPageSize().height;
-
-    int32_t pageNum = 1;
-    nscoord y = 0;//mMargin.top;
-
-    for (nsFrameList::Enumerator e(mFrames); !e.AtEnd(); e.Next()) {
-      nsIFrame* page = e.get();
-      if (pageNum >= mFromPageNum && pageNum <= mToPageNum) {
-        nsRect rect = page->GetRect();
-        rect.y = y;
-        rect.height = height;
-        page->SetRect(rect);
-        y += rect.height + mMargin.top + mMargin.bottom;
-      }
-      pageNum++;
-    }
-
-    // adjust total number of pages
-    if (nsIPrintSettings::kRangeSelection != mPrintRangeType) {
-      totalPages = pageNum - 1;
-    }
-  }
-
   mPageNum = 1;
 
-  if (mTotalPages == -1) {
-    mTotalPages = totalPages;
-  }
-
   return rv;
 }
 
@@ -571,10 +528,6 @@ nsSimplePageSequenceFrame::DetermineWhetherToPrintPage()
       mPrintThisPage = false;  // don't print even numbered page
     }
   }
-
-  if (nsIPrintSettings::kRangeSelection == mPrintRangeType) {
-    mPrintThisPage = true;
-  }
 }
 
 nsIFrame*
@@ -690,17 +643,6 @@ nsSimplePageSequenceFrame::ResetPrintCanvasList()
 NS_IMETHODIMP
 nsSimplePageSequenceFrame::PrintNextPage()
 {
-  // This method would be very straightforward except that the
-  // "Print Selection Only" functionality (which is a broken mess) is
-  // integrated here.  The thing to understand is that if we're printing a
-  // selection (which may contain multiple ranges) then we only enter this
-  // function once since the content to print is laid out as one arbitrarily
-  // long nsPageFrame instead of multiple nsPageFrames that are sized to fit
-  // the printer paper size(!).  Each of the "pages" between the start and end
-  // of the selection are printed by offsetting the nsPageContentFrame by the
-  // index of the page being printed and then drawing the nsPageContentFrame.
-  // This does not work for IFrames.
-  //
   // Note: When print al the pages or a page range the printed page shows the
   // actual page number, when printing selection it prints the page number starting
   // with the first page of the selection. For example if the user has a
@@ -720,82 +662,30 @@ nsSimplePageSequenceFrame::PrintNextPage()
   if (mPrintThisPage) {
     nsDeviceContext* dc = PresContext()->DeviceContext();
 
-    nsPageFrame * pf = static_cast<nsPageFrame*>(currentPageFrame);
-    pf->SetPageNumInfo(mPageNum, mTotalPages);
-    pf->SetSharedPageData(mPageData);
-
-    // Only used if we're printing a selection:
-    nsIFrame* selectionContentFrame = nullptr;
-    nscoord pageContentHeight =
-      PresContext()->GetPageSize().height - (mMargin.top + mMargin.bottom);
-    nscoord selectionY = pageContentHeight;
-    int32_t selectionCurrentPageNum = 1;
-    bool haveUnfinishedSelectionToPrint = false;
-
-    if (mSelectionHeight >= 0) {
-      selectionContentFrame = currentPageFrame->PrincipalChildList().FirstChild();
-      MOZ_ASSERT(selectionContentFrame->IsPageContentFrame() &&
-                 !selectionContentFrame->GetNextSibling(),
-                 "Unexpected frame tree");
-      // To print a selection we reposition the page content frame for each
-      // page.  We can do this (and not have to bother resetting the position
-      // after we're done) because we are printing from a static clone document
-      // that is thrown away after we finish printing.
-      selectionContentFrame->SetPosition(selectionContentFrame->GetPosition() +
-                                         nsPoint(0, -mYSelOffset));
-      nsContainerFrame::PositionChildViews(selectionContentFrame);
+    if (PresContext()->IsRootPaginatedDocument()) {
+      if (!mCalledBeginPage) {
+        // We must make sure BeginPage() has been called since some printing
+        // backends can't give us a valid rendering context for a [physical]
+        // page otherwise.
+        PR_PL(("\n"));
+        PR_PL(("***************** BeginPage *****************\n"));
+        rv = dc->BeginPage();
+        NS_ENSURE_SUCCESS(rv, rv);
+      }
     }
 
-    do {
-      if (PresContext()->IsRootPaginatedDocument()) {
-        if (!mCalledBeginPage) {
-          // We must make sure BeginPage() has been called since some printing
-          // backends can't give us a valid rendering context for a [physical]
-          // page otherwise.
-          PR_PL(("\n"));
-          PR_PL(("***************** BeginPage *****************\n"));
-          rv = dc->BeginPage();
-          NS_ENSURE_SUCCESS(rv, rv);
-        }
+    PR_PL(("SeqFr::PrintNextPage -> %p PageNo: %d", currentPageFrame, mPageNum));
 
-        // Reset this flag. We reset it early here because if we loop around to
-        // print another page's worth of selection we need to call BeginPage
-        // again:
-        mCalledBeginPage = false;
-      }
+    // CreateRenderingContext can fail
+    RefPtr<gfxContext> gCtx = dc->CreateRenderingContext();
+    NS_ENSURE_TRUE(gCtx, NS_ERROR_OUT_OF_MEMORY);
 
-      PR_PL(("SeqFr::PrintNextPage -> %p PageNo: %d", pf, mPageNum));
-
-      // CreateRenderingContext can fail
-      RefPtr<gfxContext> gCtx = dc->CreateRenderingContext();
-      NS_ENSURE_TRUE(gCtx, NS_ERROR_OUT_OF_MEMORY);
-
-      nsRect drawingRect(nsPoint(0, 0), currentPageFrame->GetSize());
-      nsRegion drawingRegion(drawingRect);
-      nsLayoutUtils::PaintFrame(gCtx, currentPageFrame,
-                                drawingRegion, NS_RGBA(0,0,0,0),
-                                nsDisplayListBuilderMode::PAINTING,
-                                nsLayoutUtils::PaintFrameFlags::PAINT_SYNC_DECODE_IMAGES);
-
-      if (mSelectionHeight >= 0) {
-        haveUnfinishedSelectionToPrint = (selectionY < mSelectionHeight);
-        if (haveUnfinishedSelectionToPrint) {
-          selectionY += pageContentHeight;
-          selectionCurrentPageNum++;
-          pf->SetPageNumInfo(selectionCurrentPageNum, mTotalPages);
-          selectionContentFrame->SetPosition(selectionContentFrame->GetPosition() +
-                                             nsPoint(0, -pageContentHeight));
-          nsContainerFrame::PositionChildViews(selectionContentFrame);
-
-          // We're going to loop and call BeginPage to print another page's worth
-          // of selection so we need to call EndPage first.  (Otherwise, EndPage
-          // is called in DoEndPage.)
-          PR_PL(("***************** End Page (PrintNextPage) *****************\n"));
-          rv = dc->EndPage();
-          NS_ENSURE_SUCCESS(rv, rv);
-        }
-      }
-    } while (haveUnfinishedSelectionToPrint);
+    nsRect drawingRect(nsPoint(0, 0), currentPageFrame->GetSize());
+    nsRegion drawingRegion(drawingRect);
+    nsLayoutUtils::PaintFrame(gCtx, currentPageFrame,
+                              drawingRegion, NS_RGBA(0,0,0,0),
+                              nsDisplayListBuilderMode::PAINTING,
+                              nsLayoutUtils::PaintFrameFlags::PAINT_SYNC_DECODE_IMAGES);
   }
   return rv;
 }
@@ -811,6 +701,7 @@ nsSimplePageSequenceFrame::DoPageEnd()
   }
 
   ResetPrintCanvasList();
+  mCalledBeginPage = false;
 
   mPageNum++;
 
diff --git a/layout/generic/nsSimplePageSequenceFrame.h b/layout/generic/nsSimplePageSequenceFrame.h
index d5fbe6bb6acd..0ae3621731ec 100644
--- a/layout/generic/nsSimplePageSequenceFrame.h
+++ b/layout/generic/nsSimplePageSequenceFrame.h
@@ -72,11 +72,6 @@ public:
   void BuildDisplayList(nsDisplayListBuilder*   aBuilder,
                         const nsDisplayListSet& aLists) override;
 
-  // nsIPageSequenceFrame
-  NS_IMETHOD SetPageNo(int32_t aPageNo) { return NS_OK;}
-  NS_IMETHOD SetSelectionHeight(nscoord aYOffset, nscoord aHeight) override { mYSelOffset = aYOffset; mSelectionHeight = aHeight; return NS_OK; }
-  NS_IMETHOD SetTotalNumPages(int32_t aTotal) override { mTotalPages = aTotal; return NS_OK; }
-
   // For Shrink To Fit
   NS_IMETHOD GetSTFPercent(float& aSTFPercent) override;
 
@@ -149,16 +144,10 @@ protected:
   nsTArray<int32_t> mPageRanges;
   nsTArray<RefPtr<mozilla::dom::HTMLCanvasElement> > mCurrentCanvasList;
 
-  // Selection Printing Info
-  nscoord      mSelectionHeight;
-  nscoord      mYSelOffset;
-
   // Asynch Printing
   bool mPrintThisPage;
   bool mDoingPageRange;
 
-  bool mIsPrintingSelection;
-
   bool mCalledBeginPage;
 
   bool mCurrentCanvasListSetup;
diff --git a/layout/printing/nsPrintEngine.cpp b/layout/printing/nsPrintEngine.cpp
index f8d8f1077ba5..64068f43fd38 100644
--- a/layout/printing/nsPrintEngine.cpp
+++ b/layout/printing/nsPrintEngine.cpp
@@ -64,6 +64,7 @@ static const char kPrintingPromptService[] = "@mozilla.org/embedcomp/printingpro
 
 // FrameSet
 #include "nsIDocument.h"
+#include "nsIDocumentInlines.h"
 
 // Focus
 #include "nsISelectionController.h"
@@ -84,6 +85,7 @@ static const char kPrintingPromptService[] = "@mozilla.org/embedcomp/printingpro
 #include "nsIPresShell.h"
 #include "nsLayoutUtils.h"
 #include "mozilla/Preferences.h"
+#include "Text.h"
 
 #include "nsWidgetsCID.h"
 #include "nsIDeviceContextSpec.h"
@@ -151,6 +153,11 @@ static const char * gPrintFrameTypeStr[]   = {"kNoFrames", "kFramesAsIs", "kSele
 static const char * gFrameHowToEnableStr[] = {"kFrameEnableNone", "kFrameEnableAll", "kFrameEnableAsIsAndEach"};
 static const char * gPrintRangeStr[]       = {"kRangeAllPages", "kRangeSpecifiedPageRange", "kRangeSelection", "kRangeFocusFrame"};
 
+// This processes the selection on aOrigDoc and creates an inverted selection on
+// aDoc, which it then deletes. If the start or end of the inverted selection
+// ranges occur in text nodes then an ellipsis is added.
+static nsresult DeleteUnselectedNodes(nsIDocument* aOrigDoc, nsIDocument* aDoc);
+
 #ifdef EXTENDED_DEBUG_PRINTING
 // Forward Declarations
 static void DumpPrintObjectsListStart(const char * aStr, nsTArray<nsPrintObject*> * aDocList);
@@ -2274,6 +2281,14 @@ nsPrintEngine::ReflowPrintObject(const UniquePtr<nsPrintObject>& aPO)
     return NS_ERROR_FAILURE;
   }
 
+  // If we're printing selection then remove the unselected nodes from our
+  // cloned document.
+  int16_t printRangeType = nsIPrintSettings::kRangeAllPages;
+  printData->mPrintSettings->GetPrintRange(&printRangeType);
+  if (printRangeType == nsIPrintSettings::kRangeSelection) {
+    DeleteUnselectedNodes(aPO->mDocument->GetOriginalDocument(), aPO->mDocument);
+  }
+
   styleSet->EndUpdate();
 
   // The pres shell now owns the style set object.
@@ -2425,78 +2440,40 @@ nsPrintEngine::PrintDocContent(const UniquePtr<nsPrintObject>& aPO,
   return false;
 }
 
-static already_AddRefed<nsIDOMNode>
-GetEqualNodeInCloneTree(nsIDOMNode* aNode, nsIDocument* aDoc)
+static nsINode*
+GetCorrespondingNodeInDocument(const nsINode* aNode, nsIDocument* aDoc)
 {
-  nsCOMPtr<nsIContent> content = do_QueryInterface(aNode);
+  MOZ_ASSERT(aNode);
+  MOZ_ASSERT(aDoc);
+
   // Selections in anonymous subtrees aren't supported.
-  if (content && content->IsInAnonymousSubtree()) {
+  if (aNode->IsInAnonymousSubtree()) {
     return nullptr;
   }
 
-  nsCOMPtr<nsINode> node = do_QueryInterface(aNode);
-  NS_ENSURE_TRUE(node, nullptr);
-
   nsTArray<int32_t> indexArray;
-  nsINode* current = node;
-  NS_ENSURE_TRUE(current, nullptr);
-  while (current) {
-    nsINode* parent = current->GetParentNode();
-    if (!parent) {
-     break;
-    }
-    int32_t index = parent->IndexOf(current);
-    NS_ENSURE_TRUE(index >= 0, nullptr);
+  const nsINode* child = aNode;
+  while (const nsINode* parent = child->GetParentNode()) {
+    int32_t index = parent->IndexOf(child);
+    MOZ_ASSERT(index >= 0);
     indexArray.AppendElement(index);
-    current = parent;
+    child = parent;
   }
-  NS_ENSURE_TRUE(current->IsNodeOfType(nsINode::eDOCUMENT), nullptr);
+  MOZ_ASSERT(child->IsNodeOfType(nsINode::eDOCUMENT));
 
-  current = aDoc;
+  nsINode* correspondingNode = aDoc;
   for (int32_t i = indexArray.Length() - 1; i >= 0; --i) {
-    current = current->GetChildAt(indexArray[i]);
-    NS_ENSURE_TRUE(current, nullptr);
+    correspondingNode = correspondingNode->GetChildAt(indexArray[i]);
+    NS_ENSURE_TRUE(correspondingNode, nullptr);
   }
-  nsCOMPtr<nsIDOMNode> result = do_QueryInterface(current);
-  return result.forget();
+
+  return correspondingNode;
 }
 
-static void
-CloneRangeToSelection(nsRange* aRange, nsIDocument* aDoc,
-                      Selection* aSelection)
-{
-  if (aRange->Collapsed()) {
-    return;
-  }
+static NS_NAMED_LITERAL_STRING(kEllipsis, u"\x2026");
 
-  nsCOMPtr<nsIDOMNode> startContainer, endContainer;
-  aRange->GetStartContainer(getter_AddRefs(startContainer));
-  int32_t startOffset = aRange->StartOffset();
-  aRange->GetEndContainer(getter_AddRefs(endContainer));
-  int32_t endOffset = aRange->EndOffset();
-  NS_ENSURE_TRUE_VOID(startContainer && endContainer);
-
-  nsCOMPtr<nsIDOMNode> newStart = GetEqualNodeInCloneTree(startContainer, aDoc);
-  nsCOMPtr<nsIDOMNode> newEnd = GetEqualNodeInCloneTree(endContainer, aDoc);
-  NS_ENSURE_TRUE_VOID(newStart && newEnd);
-
-  nsCOMPtr<nsINode> newStartNode = do_QueryInterface(newStart);
-  nsCOMPtr<nsINode> newEndNode = do_QueryInterface(newEnd);
-  if (NS_WARN_IF(!newStartNode) || NS_WARN_IF(!newEndNode)) {
-    return;
-  }
-
-  RefPtr<nsRange> range = new nsRange(newStartNode);
-  nsresult rv =
-    range->SetStartAndEnd(newStartNode, startOffset, newEndNode, endOffset);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return;
-  }
-
-  aSelection->AddRange(range);
-}
-
-static nsresult CloneSelection(nsIDocument* aOrigDoc, nsIDocument* aDoc)
+static nsresult
+DeleteUnselectedNodes(nsIDocument* aOrigDoc, nsIDocument* aDoc)
 {
   nsIPresShell* origShell = aOrigDoc->GetShell();
   nsIPresShell* shell = aDoc->GetShell();
@@ -2508,10 +2485,72 @@ static nsresult CloneSelection(nsIDocument* aOrigDoc, nsIDocument* aDoc)
     shell->GetCurrentSelection(SelectionType::eNormal);
   NS_ENSURE_STATE(origSelection && selection);
 
+  nsINode* bodyNode = aDoc->GetBodyElement();
+  nsINode* startNode = bodyNode;
+  uint32_t startOffset = 0;
+  uint32_t ellipsisOffset = 0;
+
   int32_t rangeCount = origSelection->RangeCount();
   for (int32_t i = 0; i < rangeCount; ++i) {
-      CloneRangeToSelection(origSelection->GetRangeAt(i), aDoc, selection);
+    nsRange* origRange = origSelection->GetRangeAt(i);
+
+    // New end is start of original range.
+    nsINode* endNode =
+      GetCorrespondingNodeInDocument(origRange->GetStartContainer(), aDoc);
+
+    // If we're no longer in the same text node reset the ellipsis offset.
+    if (endNode != startNode) {
+      ellipsisOffset = 0;
+    }
+    uint32_t endOffset = origRange->StartOffset() + ellipsisOffset;
+
+    // Create the range that we want to remove. Note that if startNode or
+    // endNode are null CreateRange will fail and we won't remove that section.
+    RefPtr<nsRange> range;
+    nsresult rv = nsRange::CreateRange(startNode, startOffset, endNode,
+                                       endOffset, getter_AddRefs(range));
+
+    if (NS_SUCCEEDED(rv) && !range->Collapsed()) {
+      selection->AddRange(range);
+
+      // Unless we've already added an ellipsis at the start, if we ended mid
+      // text node then add ellipsis.
+      Text* text = endNode->GetAsText();
+      if (!ellipsisOffset && text && endOffset && endOffset < text->Length()) {
+        text->InsertData(endOffset, kEllipsis);
+        ellipsisOffset += kEllipsis.Length();
+      }
+    }
+
+    // Next new start is end of original range.
+    startNode =
+      GetCorrespondingNodeInDocument(origRange->GetEndContainer(), aDoc);
+
+    // If we're no longer in the same text node reset the ellipsis offset.
+    if (startNode != endNode) {
+      ellipsisOffset = 0;
+    }
+    startOffset = origRange->EndOffset() + ellipsisOffset;
+
+    // If the next node will start mid text node then add ellipsis.
+    Text* text = startNode ? startNode->GetAsText() : nullptr;
+    if (text && startOffset && startOffset < text->Length()) {
+      text->InsertData(startOffset, kEllipsis);
+      startOffset += kEllipsis.Length();
+      ellipsisOffset += kEllipsis.Length();
+    }
   }
+
+  // Add in the last range to the end of the body.
+  RefPtr<nsRange> lastRange;
+  nsresult rv = nsRange::CreateRange(startNode, startOffset, bodyNode,
+                                     bodyNode->GetChildCount(),
+                                     getter_AddRefs(lastRange));
+  if (NS_SUCCEEDED(rv) && !lastRange->Collapsed()) {
+    selection->AddRange(lastRange);
+  }
+
+  selection->DeleteFromDocument();
   return NS_OK;
 }
 
@@ -2540,12 +2579,6 @@ nsPrintEngine::DoPrint(const UniquePtr<nsPrintObject>& aPO)
   }
 
   {
-    int16_t printRangeType = nsIPrintSettings::kRangeAllPages;
-    nsresult rv;
-    if (printData->mPrintSettings) {
-      printData->mPrintSettings->GetPrintRange(&printRangeType);
-    }
-
     // Ask the page sequence frame to print all the pages
     nsIPageSequenceFrame* pageSequence = poPresShell->GetPageSequenceFrame();
     NS_ASSERTION(nullptr != pageSequence, "no page sequence frame");
@@ -2574,77 +2607,6 @@ nsPrintEngine::DoPrint(const UniquePtr<nsPrintObject>& aPO)
     nsAutoString docURLStr;
     GetDisplayTitleAndURL(aPO, docTitleStr, docURLStr, eDocTitleDefBlank);
 
-    if (nsIPrintSettings::kRangeSelection == printRangeType) {
-      CloneSelection(aPO->mDocument->GetOriginalDocument(), aPO->mDocument);
-
-      poPresContext->SetIsRenderingOnlySelection(true);
-      // temporarily creating rendering context
-      // which is needed to find the selection frames
-      // mPrintDC must have positive width and height for this call
-
-      // find the starting and ending page numbers
-      // via the selection
-      nsIFrame* startFrame;
-      nsIFrame* endFrame;
-      int32_t   startPageNum;
-      int32_t   endPageNum;
-      nsRect    startRect;
-      nsRect    endRect;
-
-      rv = GetPageRangeForSelection(pageSequence,
-                                    &startFrame, startPageNum, startRect,
-                                    &endFrame, endPageNum, endRect);
-      if (NS_SUCCEEDED(rv)) {
-        printData->mPrintSettings->SetStartPageRange(startPageNum);
-        printData->mPrintSettings->SetEndPageRange(endPageNum);
-        nsIntMargin marginTwips(0,0,0,0);
-        nsIntMargin unwrtMarginTwips(0,0,0,0);
-        printData->mPrintSettings->GetMarginInTwips(marginTwips);
-        printData->mPrintSettings->GetUnwriteableMarginInTwips(
-                                     unwrtMarginTwips);
-        nsMargin totalMargin = poPresContext->CSSTwipsToAppUnits(marginTwips +
-                                                                 unwrtMarginTwips);
-        if (startPageNum == endPageNum) {
-          startRect.y -= totalMargin.top;
-          endRect.y   -= totalMargin.top;
-
-          // Clip out selection regions above the top of the first page
-          if (startRect.y < 0) {
-            // Reduce height to be the height of the positive-territory
-            // region of original rect
-            startRect.height = std::max(0, startRect.YMost());
-            startRect.y = 0;
-          }
-          if (endRect.y < 0) {
-            // Reduce height to be the height of the positive-territory
-            // region of original rect
-            endRect.height = std::max(0, endRect.YMost());
-            endRect.y = 0;
-          }
-          NS_ASSERTION(endRect.y >= startRect.y,
-                       "Selection end point should be after start point");
-          NS_ASSERTION(startRect.height >= 0,
-                       "rect should have non-negative height.");
-          NS_ASSERTION(endRect.height >= 0,
-                       "rect should have non-negative height.");
-
-          nscoord selectionHgt = endRect.y + endRect.height - startRect.y;
-          // XXX This is temporary fix for printing more than one page of a selection
-          pageSequence->SetSelectionHeight(startRect.y * aPO->mZoomRatio,
-                                           selectionHgt * aPO->mZoomRatio);
-
-          // calc total pages by getting calculating the selection's height
-          // and then dividing it by how page content frames will fit.
-          nscoord pageWidth, pageHeight;
-          printData->mPrintDC->GetDeviceSurfaceDimensions(pageWidth,
-                                                          pageHeight);
-          pageHeight -= totalMargin.top + totalMargin.bottom;
-          int32_t totalPages = NSToIntCeil(float(selectionHgt) * aPO->mZoomRatio / float(pageHeight));
-          pageSequence->SetTotalNumPages(totalPages);
-        }
-      }
-    }
-
     nsIFrame * seqFrame = do_QueryFrame(pageSequence);
     if (!seqFrame) {
       SetIsPrinting(false);
@@ -2898,171 +2860,6 @@ nsPrintEngine::PrintPage(nsPrintObject*    aPO,
   return donePrinting;
 }
 
-/** ---------------------------------------------------
- *  Find by checking frames type
- */
-nsresult
-nsPrintEngine::FindSelectionBoundsWithList(nsFrameList::Enumerator& aChildFrames,
-                                           nsIFrame *      aParentFrame,
-                                           nsRect&         aRect,
-                                           nsIFrame *&     aStartFrame,
-                                           nsRect&         aStartRect,
-                                           nsIFrame *&     aEndFrame,
-                                           nsRect&         aEndRect)
-{
-  NS_ASSERTION(aParentFrame, "Pointer is null!");
-
-  aRect += aParentFrame->GetPosition();
-  for (; !aChildFrames.AtEnd(); aChildFrames.Next()) {
-    nsIFrame* child = aChildFrames.get();
-    if (child->IsSelected() && child->IsVisibleForPainting()) {
-      nsRect r = child->GetRect();
-      if (aStartFrame == nullptr) {
-        aStartFrame = child;
-        aStartRect.SetRect(aRect.x + r.x, aRect.y + r.y, r.width, r.height);
-      } else {
-        aEndFrame = child;
-        aEndRect.SetRect(aRect.x + r.x, aRect.y + r.y, r.width, r.height);
-      }
-    }
-    FindSelectionBounds(child, aRect, aStartFrame, aStartRect, aEndFrame, aEndRect);
-    child = child->GetNextSibling();
-  }
-  aRect -= aParentFrame->GetPosition();
-  return NS_OK;
-}
-
-//-------------------------------------------------------
-// Find the Frame that is XMost
-nsresult
-nsPrintEngine::FindSelectionBounds(nsIFrame *      aParentFrame,
-                                   nsRect&         aRect,
-                                   nsIFrame *&     aStartFrame,
-                                   nsRect&         aStartRect,
-                                   nsIFrame *&     aEndFrame,
-                                   nsRect&         aEndRect)
-{
-  NS_ASSERTION(aParentFrame, "Pointer is null!");
-
-  // loop through named child lists
-  nsIFrame::ChildListIterator lists(aParentFrame);
-  for (; !lists.IsDone(); lists.Next()) {
-    nsFrameList::Enumerator childFrames(lists.CurrentList());
-    nsresult rv = FindSelectionBoundsWithList(childFrames, aParentFrame, aRect,
-      aStartFrame, aStartRect, aEndFrame, aEndRect);
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
-  return NS_OK;
-}
-
-/** ---------------------------------------------------
- *  This method finds the starting and ending page numbers
- *  of the selection and also returns rect for each where
- *  the x,y of the rect is relative to the very top of the
- *  frame tree (absolutely positioned)
- */
-nsresult
-nsPrintEngine::GetPageRangeForSelection(nsIPageSequenceFrame* aPageSeqFrame,
-                                        nsIFrame**            aStartFrame,
-                                        int32_t&              aStartPageNum,
-                                        nsRect&               aStartRect,
-                                        nsIFrame**            aEndFrame,
-                                        int32_t&              aEndPageNum,
-                                        nsRect&               aEndRect)
-{
-  NS_ASSERTION(aPageSeqFrame, "Pointer is null!");
-  NS_ASSERTION(aStartFrame, "Pointer is null!");
-  NS_ASSERTION(aEndFrame, "Pointer is null!");
-
-  nsIFrame * seqFrame = do_QueryFrame(aPageSeqFrame);
-  if (!seqFrame) {
-    return NS_ERROR_FAILURE;
-  }
-
-  nsIFrame * startFrame = nullptr;
-  nsIFrame * endFrame   = nullptr;
-
-  // start out with the sequence frame and search the entire frame tree
-  // capturing the starting and ending child frames of the selection
-  // and their rects
-  nsRect r = seqFrame->GetRect();
-  FindSelectionBounds(seqFrame, r, startFrame, aStartRect, endFrame, aEndRect);
-
-#ifdef DEBUG_rodsX
-  printf("Start Frame: %p\n", startFrame);
-  printf("End Frame:   %p\n", endFrame);
-#endif
-
-  // initial the page numbers here
-  // in case we don't find and frames
-  aStartPageNum = -1;
-  aEndPageNum   = -1;
-
-  nsIFrame * startPageFrame;
-  nsIFrame * endPageFrame;
-
-  // check to make sure we found a starting frame
-  if (startFrame != nullptr) {
-    // Now search up the tree to find what page the
-    // start/ending selections frames are on
-    //
-    // Check to see if start should be same as end if
-    // the end frame comes back null
-    if (endFrame == nullptr) {
-      // XXX the "GetPageFrame" step could be integrated into
-      // the FindSelectionBounds step, but walking up to find
-      // the parent of a child frame isn't expensive and it makes
-      // FindSelectionBounds a little easier to understand
-      startPageFrame = nsLayoutUtils::GetPageFrame(startFrame);
-      endPageFrame   = startPageFrame;
-      aEndRect       = aStartRect;
-    } else {
-      startPageFrame = nsLayoutUtils::GetPageFrame(startFrame);
-      endPageFrame   = nsLayoutUtils::GetPageFrame(endFrame);
-    }
-  } else {
-    return NS_ERROR_FAILURE;
-  }
-
-#ifdef DEBUG_rodsX
-  printf("Start Page: %p\n", startPageFrame);
-  printf("End Page:   %p\n", endPageFrame);
-
-  // dump all the pages and their pointers
-  {
-  int32_t pageNum = 1;
-  nsIFrame* child = seqFrame->PrincipalChildList().FirstChild();
-  while (child != nullptr) {
-    printf("Page: %d - %p\n", pageNum, child);
-    pageNum++;
-    child = child->GetNextSibling();
-  }
-  }
-#endif
-
-  // Now that we have the page frames
-  // find out what the page numbers are for each frame
-  int32_t pageNum = 1;
-  for (nsIFrame* page : seqFrame->PrincipalChildList()) {
-    if (page == startPageFrame) {
-      aStartPageNum = pageNum;
-    }
-    if (page == endPageFrame) {
-      aEndPageNum = pageNum;
-    }
-    pageNum++;
-  }
-
-#ifdef DEBUG_rodsX
-  printf("Start Page No: %d\n", aStartPageNum);
-  printf("End Page No:   %d\n", aEndPageNum);
-#endif
-
-  *aStartFrame = startPageFrame;
-  *aEndFrame   = endPageFrame;
-
-  return NS_OK;
-}
 
 //-----------------------------------------------------------------
 //-- Done: Printing Methods
diff --git a/layout/printing/nsPrintEngine.h b/layout/printing/nsPrintEngine.h
index 94836a06c47a..528a419e5345 100644
--- a/layout/printing/nsPrintEngine.h
+++ b/layout/printing/nsPrintEngine.h
@@ -222,29 +222,6 @@ protected:
                                                    nsIFrame*&      aSeqFrame,
                                                    int32_t&        aCount);
 
-  static nsresult FindSelectionBoundsWithList(nsFrameList::Enumerator& aChildFrames,
-                                              nsIFrame *      aParentFrame,
-                                              nsRect&         aRect,
-                                              nsIFrame *&     aStartFrame,
-                                              nsRect&         aStartRect,
-                                              nsIFrame *&     aEndFrame,
-                                              nsRect&         aEndRect);
-
-  static nsresult FindSelectionBounds(nsIFrame *      aParentFrame,
-                                      nsRect&         aRect,
-                                      nsIFrame *&     aStartFrame,
-                                      nsRect&         aStartRect,
-                                      nsIFrame *&     aEndFrame,
-                                      nsRect&         aEndRect);
-
-  static nsresult GetPageRangeForSelection(nsIPageSequenceFrame* aPageSeqFrame,
-                                           nsIFrame**            aStartFrame,
-                                           int32_t&              aStartPageNum,
-                                           nsRect&               aStartRect,
-                                           nsIFrame**            aEndFrame,
-                                           int32_t&              aEndPageNum,
-                                           nsRect&               aEndRect);
-
   static void MapContentForPO(const mozilla::UniquePtr<nsPrintObject>& aPO,
                               nsIContent* aContent);
 
diff --git a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-006-ref.html b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-006-ref.html
index 79ac94548e6f..ab07edd5f45f 100644
--- a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-006-ref.html
+++ b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-006-ref.html
@@ -129,55 +129,55 @@ float { float:left; margin-right:20px; }
 <body>
 
 <float>
-<div class="grid c1 t1 x5"><x></x><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t1 x5"><x></x><x></x><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
 <div class="grid c2 t1 x5"><x></x><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c3 t1 x5"><x></x><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 
-<div class="grid c1 t2 x5"><x></x><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t2 x5"><x></x><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t2 x5"><x></x><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 x5"><x></x><x></x><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c2 t2 x5"><x></x><x></x><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c3 t2 x5"><x></x><x></x><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
 
-<div class="grid c1 t1 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t1 x4"><x></x><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
 <div class="grid c2 t1 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c3 t1 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 
-<div class="grid c1 t2 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t2 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t2 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 x4"><x></x><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c2 t2 x4"><x></x><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c3 t2 x4"><x></x><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
 
-<div class="grid c1 t1 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t1 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t1 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t1 x3"><x></x><x></x><a></a><b></b><f></f><x></x></div>
+<div class="grid c2 t1 x3"><x></x><x></x><a></a><b></b><c></c><e></e><f></f><x></x></div>
+<div class="grid c3 t1 x3"><x></x><x></x><a></a><b></b><c></c><e></e><f></f><x></x></div>
 
-<div class="grid c1 t2 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t2 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t2 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 x3"><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c2 t2 x3"><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c3 t2 x3"><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
 </float>
 
 <float>
-<div class="grid c1 t1 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t1 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t1 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t1 x2"><x></x><a></a><b></b><f></f><x></x></div>
+<div class="grid c2 t1 x2"><x></x><a></a><b></b><c></c><e></e><f></f><x></x></div>
+<div class="grid c3 t1 x2"><x></x><a></a><b></b><c></c><e></e><f></f><x></x></div>
 
-<div class="grid c1 t2 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t2 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t2 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 x2"><x></x><a></a><b></b><f></f><x></x></div>
+<div class="grid c2 t2 x2"><x></x><a></a><b></b><f></f><x></x></div>
+<div class="grid c3 t2 x2"><x></x><a></a><b></b><f></f><x></x></div>
 
-<div class="grid c1 t1 x1"><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t1 x1"><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t1 x1"><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t1 x1"><a></a><b></b><f></f><x></x></div>
+<div class="grid c2 t1 x1"><a></a><b></b><c></c><e></e><f></f><x></x></div>
+<div class="grid c3 t1 x1"><a></a><b></b><c></c><e></e><f></f><x></x></div>
 
-<div class="grid c1 t2 x1"><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t2 x1"><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t2 x1"><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 x1"><a></a><b></b><f></f><x></x></div>
+<div class="grid c2 t2 x1"><a></a><b></b><f></f><x></x></div>
+<div class="grid c3 t2 x1"><a></a><b></b><f></f><x></x></div>
 
-<div class="grid c1 t1 x1 p1"><a></a><b></b><c></c><d></d><e></e><f></f></div>
-<div class="grid c2 t1 x1 p1"><a></a><b></b><c></c><d></d><e></e><f></f></div>
-<div class="grid c3 t1 x1 p1"><a></a><b></b><c></c><d></d><e></e><f></f></div>
+<div class="grid c1 t1 x1 p1"><a></a><b></b><f></f></div>
+<div class="grid c2 t1 x1 p1"><a></a><b></b><c></c><e></e><f></f></div>
+<div class="grid c3 t1 x1 p1"><a></a><b></b><c></c><e></e><f></f></div>
 
-<div class="grid c1 t2 x0 p1"><a></a><b></b><c></c><d></d><e></e><f></f></div>
-<div class="grid c2 t2 x0 p1"><a></a><b></b><c></c><d></d><e></e><f></f></div>
-<div class="grid c3 t2 x0 p1"><a></a><b></b><c></c><d></d><e></e><f></f></div>
+<div class="grid c1 t2 x0 p1"><a></a><b></b><f></f></div>
+<div class="grid c2 t2 x0 p1"><a></a><b></b><f></f></div>
+<div class="grid c3 t2 x0 p1"><a></a><b></b><f></f></div>
 </float>
 
 </body>
diff --git a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-007-ref.html b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-007-ref.html
index 5f3cebf6a738..fd073a072fdd 100644
--- a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-007-ref.html
+++ b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-007-ref.html
@@ -146,7 +146,7 @@ float { float:left; margin-right:20px; }
 <div class="grid c2 t2 x5"><x></x><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c3 t2 x5"><x></x><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 
-<div class="grid c1 t1 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t1 x4"><x></x><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
 <div class="grid c2 t1 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c3 t1 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 
@@ -154,23 +154,23 @@ float { float:left; margin-right:20px; }
 <div class="grid c2 t2 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c3 t2 x4"><x></x><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 
-<div class="grid c1 t1 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t1 x3"><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
 <div class="grid c2 t1 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c3 t1 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 
-<div class="grid c1 t2 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t2 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t2 x3"><x></x><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 x3"><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c2 t2 x3"><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c3 t2 x3"><x></x><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
 </float>
 
 <float>
-<div class="grid c1 t1 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t1 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t1 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t1 x2"><x></x><a></a><b></b><f></f><x></x></div>
+<div class="grid c2 t1 x2"><x></x><a></a><b></b><c></c><e></e><f></f><x></x></div>
+<div class="grid c3 t1 x2"><x></x><a></a><b></b><c></c><e></e><f></f><x></x></div>
 
-<div class="grid c1 t2 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t2 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t2 x2"><x></x><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 x2"><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c2 t2 x2"><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c3 t2 x2"><x></x><a></a><b></b><d></d><e></e><f></f><x></x></div>
 </float>
 
 </body>
diff --git a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-008-ref.html b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-008-ref.html
index 96f606682a72..d8e0adca7374 100644
--- a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-008-ref.html
+++ b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-008-ref.html
@@ -139,8 +139,7 @@ float { float:left; margin-right:20px; }
 
 .x2 e { left:23px; width:20px; right:auto; }
 .c2.x2 e { left:20px;  }
-.t1.c3.x2 e { width:40px; }
-.t1.c3.x2 b { width:63px; }
+.t1.c3.x2 e { width:20px; }
 .t1.c3.x2 c { width:20px; right:auto;}
 
 .t2.x5 e { left:23px; width:60px; }
@@ -159,35 +158,37 @@ float { float:left; margin-right:20px; }
 <div class="grid c2 t1 n x5"><x></x><x></x><x></x><x></x><y></y><a style="width:55px"></a><b></b><c></c><d></d><e class="s2a e6a"></e><f class="e5a"></f><x></x></div>
 <div class="grid c3 t1 n x5"><x></x><x></x><x></x><x></x><y></y><y></y><a style="width:47px"></a><b></b><c></c><d></d><e class="s2 e6b"></e><f class="e5b"></f><x></x></div>
 
-<div class="grid c1 t2 m x5"><x></x><x></x><x></x><x></x><y></y><a style="width:82px"></a><b></b><c></c><d></d><e class="s2"></e><f class="e5"></f><x></x></div>
-<div class="grid c2 t2 m x5"><x></x><x></x><x></x><x></x><y></y><a style="width:75px"></a><b></b><c></c><d></d><e class="s2e"></e><f class="e5"></f><x></x></div>
-<div class="grid c3 t2 m x5"><x></x><x></x><x></x><x></x><y></y><y></y><a style="width:67px"></a><b></b><c></c><d></d><e></e><f class="e5"></f><x></x></div>
+<div class="grid c1 t2 m x5"><x></x><x></x><x></x><x></x><y></y><a style="width:82px"></a><b></b><d></d><e class="s2"></e><f class="e5"></f><x></x></div>
+<div class="grid c2 t2 m x5"><x></x><x></x><x></x><x></x><y></y><a style="width:75px"></a><b></b><d></d><e class="s2e"></e><f class="e5"></f><x></x></div>
+<div class="grid c3 t2 m x5"><x></x><x></x><x></x><x></x><y></y><y></y><a style="width:67px"></a><b></b><d></d><e></e><f class="e5"></f><x></x></div>
 
 <div class="grid c1 t1 o x4"><x></x><x></x><x></x><y></y><a style="width:62px"></a><b></b><c></c><d></d><e></e><f class="e5"></f><x></x></div>
 <div class="grid c2 t1 o x4"><x></x><x></x><x></x><y></y><a style="width:55px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c3 t1 o x4"><x></x><x></x><x></x><y></y><y></y><a style="width:47px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 
-<div class="grid c1 t2 o x4"><x></x><x></x><x></x><y></y><a style="width:102px"></a><b></b><c></c><d></d><e></e><f class="e5"></f><x></x></div>
-<div class="grid c2 t2 o x4"><x></x><x></x><x></x><y></y><a style="width:95px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t2 o x4"><x></x><x></x><x></x><y></y><y></y><a style="width:87px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 o x4"><x></x><x></x><x></x><y></y><a style="width:102px"></a><b></b><d></d><e></e><f class="e5"></f><x></x></div>
+<div class="grid c2 t2 o x4"><x></x><x></x><x></x><y></y><a style="width:95px"></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c3 t2 o x4"><x></x><x></x><x></x><y></y><y></y><a style="width:87px"></a><b></b><d></d><e></e><f></f><x></x></div>
 
 <div class="grid c1 t1 n x3"><x></x><x></x><y></y><a style="width:62px"></a><b></b><c></c><d></d><e></e><f class="e5"></f><x></x></div>
 <div class="grid c2 t1 n x3"><x></x><x></x><y></y><a style="width:55px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c3 t1 n x3"><x></x><x></x><y></y><y></y><a style="width:47px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 
-<div class="grid c1 t2 n x3"><x></x><x></x><y></y><a style="width:102px"></a><b></b><c></c><d></d><e></e><f class="e5"></f><x></x></div>
-<div class="grid c2 t2 n x3"><x></x><x></x><y></y><a style="width:95px"></a><b></b><c></c><d></d><e></e><f class="e5"></f><x></x></div>
-<div class="grid c3 t2 n x3"><x></x><x></x><y></y><y></y><a style="width:87px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 n x3"><x></x><x></x><y></y><a style="width:102px"></a><b></b><d></d><e></e><f class="e5"></f><x></x></div>
+<div class="grid c2 t2 n x3"><x></x><x></x><y></y><a style="width:95px"></a><b></b><d></d><e></e><f class="e5"></f><x></x></div>
+<div class="grid c3 t2 n x3"><x></x><x></x><y></y><y></y><a style="width:87px"></a><b></b><d></d><e></e><f></f><x></x></div>
 </float>
 
 <float>
-<div class="grid c1 t1 n x2"><x></x><y></y><a style="width:122px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t1 n x2"><x></x><y></y><a style="width:115px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t1 n x2"><x></x><y></y><y></y><a style="width:87px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t1 n x2"><x></x><y></y><a style="width:122px"></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c2 t1 n x2"><x></x><y></y><a style="width:115px"></a><b></b><d></d><e></e><f></f><x></x></div>
+<!-- bug 1416350
+<div class="grid c3 t1 n x2"><x></x><y></y><y></y><a style="width:107px"></a><b></b><d></d><e></e><f></f><x></x></div>
+-->
 
-<div class="grid c1 t2 n x2"><x></x><y></y><a style="width:122px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c2 t2 n x2"><x></x><y></y><a style="width:115px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
-<div class="grid c3 t2 n x2"><x></x><y></y><y></y><a style="width:107px"></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<div class="grid c1 t2 n x2"><x></x><y></y><a style="width:122px"></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c2 t2 n x2"><x></x><y></y><a style="width:115px"></a><b></b><d></d><e></e><f></f><x></x></div>
+<div class="grid c3 t2 n x2"><x></x><y></y><y></y><a style="width:107px"></a><b></b><d></d><e></e><f></f><x></x></div>
 </float>
 
 </body>
diff --git a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-008.html b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-008.html
index c9eb2718ebaa..5ed4b67b5a28 100644
--- a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-008.html
+++ b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-008.html
@@ -138,7 +138,9 @@ float { float:left; margin-right:20px; }
 <float>
 <div class="grid c1 t1 n"><x></x><y></y><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c2 t1 n"><x></x><y></y><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+<!-- bug 1416350
 <div class="grid c3 t1 n"><x></x><y></y><y></y><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
+-->
 
 <div class="grid c1 t2 n"><x></x><y></y><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
 <div class="grid c2 t2 n"><x></x><y></y><a></a><b></b><c></c><d></d><e></e><f></f><x></x></div>
@@ -167,7 +169,7 @@ var a1 = [
 "3px [a b] 20px [c b] 0px [c b] 20px [c b] 20px [c b] 20px [c b] 20px [c d] 20px 3px",
 "3px [a b] 20px [c b] 0px [c b] 20px [c b] 0px [c b] 20px [c b] 0px [c b] 0px [c d] 20px",
 "[a b] 0px [c b] 20px [c b] 0px [c b] 20px [c b] 0px [c b] 0px [c d] 20px 3px",
-"3px [a b] 20px [c b] 0px [c b] 20px [c b] 0px [c b] 20px [c b] 0px [c d] 20px 3px"
+// bug 1416350 "3px [a b] 20px [c b] 0px [c b] 20px [c b] 0px [c b] 20px [c b] 0px [c d] 20px 3px"
 ];
 var a2 = [
 "3px [a b] 20px [c b] 0px [c b] 20px [c b] 20px [c b] 20px [c b] 20px [c b] 0px [c b] 0px [c d]",
diff --git a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-012-ref.html b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-012-ref.html
new file mode 100644
index 000000000000..04963b45fb35
--- /dev/null
+++ b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-012-ref.html
@@ -0,0 +1,144 @@
+<!DOCTYPE HTML>
+<!--
+     Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<html><head>
+  <meta charset="utf-8">
+  <title>Reference: repeat(auto-fit) with removed tracks</title>
+  <link rel="author" title="Mats Palmgren" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1417711">
+  <style type="text/css">
+html,body {
+  color:black; background-color:white; font:16px/1 monospace; padding:0px; margin:0;
+}
+
+.container {
+  width: 200px;
+}
+
+.grid {
+  position: relative;
+  display: grid;
+  grid: 10px / repeat(5, 30px);
+  grid-auto-columns: 2px;
+  background: lightgrey;
+  margin-bottom: 4px;
+  grid-gap: 5px;
+}
+.distribute {
+  grid-gap: 0;
+  align-content: space-around;
+}
+
+span {
+  background: blue;
+  height: 10px;
+}
+
+.abs {
+  position: absolute;
+  top:0; right:0; bottom:0; left:0;
+  grid-column-end: span 1;
+  background: pink;
+}
+
+  </style>
+</head>
+<body>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 1"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 1"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 1 / 2" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 1 / 2" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 1 / 3" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 1 / 2" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 1 / auto" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 1"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 1"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 1 / 2" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 1 / 2" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 1 / 3" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 1 / 2" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 1 / auto" class="abs"></span>
+</div>
+</div>
+
+</body>
+</html>
diff --git a/layout/reftests/css-grid/grid-repeat-auto-fill-fit-012.html b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-012.html
new file mode 100644
index 000000000000..7ed0843af2d6
--- /dev/null
+++ b/layout/reftests/css-grid/grid-repeat-auto-fill-fit-012.html
@@ -0,0 +1,160 @@
+<!DOCTYPE HTML>
+<!--
+     Any copyright is dedicated to the Public Domain.
+     http://creativecommons.org/publicdomain/zero/1.0/
+-->
+<html><head>
+  <meta charset="utf-8">
+  <title>CSS Grid Test: repeat(auto-fit) with removed tracks</title>
+  <link rel="author" title="Mats Palmgren" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1417711">
+  <link rel="help" href="https://drafts.csswg.org/css-grid/#valdef-repeat-auto-fill">
+  <link rel="match" href="grid-repeat-auto-fill-fit-012-ref.html">
+  <style type="text/css">
+html,body {
+  color:black; background-color:white; font:16px/1 monospace; padding:0px; margin:0;
+}
+
+.container {
+  width: 200px;
+}
+
+.grid {
+  position: relative;
+  display: grid;
+  grid: 10px / repeat(auto-fit, 30px);
+  grid-auto-columns: 2px;
+  background: lightgrey;
+  margin-bottom: 4px;
+  grid-gap: 5px;
+}
+.distribute {
+  grid-gap: 0;
+  align-content: space-around;
+}
+
+span {
+  background: blue;
+  height: 10px;
+}
+
+.abs {
+  position: absolute;
+  top:0; right:0; bottom:0; left:0;
+  grid-column-end: span 1;
+  background: pink;
+}
+
+  </style>
+</head>
+<body>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 4 / 5" class="abs"></span>
+<span style="grid-column: 3"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 4 / 5" class="abs"></span>
+<span style="grid-column: 1"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 1 / 5" class="abs"></span>
+<span style="grid-column: 1"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 2 / 5" class="abs"></span>
+<span style="grid-column: 2"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 2 / 5" class="abs"></span>
+<span style="grid-column: 2 / 4"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 2 / 5" class="abs"></span>
+<span style="grid-column: 4 / 5"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 2 / 5" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid">
+<span style="grid-column: 2 / 10" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 4 / 5" class="abs"></span>
+<span style="grid-column: 3"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 4 / 5" class="abs"></span>
+<span style="grid-column: 1"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 1 / 5" class="abs"></span>
+<span style="grid-column: 1"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 2 / 5" class="abs"></span>
+<span style="grid-column: 2"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 2 / 5" class="abs"></span>
+<span style="grid-column: 2 / 4"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 2 / 5" class="abs"></span>
+<span style="grid-column: 4 / 5"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 2 / 5" class="abs"></span>
+</div>
+</div>
+
+<div class="container">
+<div class="grid distribute">
+<span style="grid-column: 2 / 10" class="abs"></span>
+</div>
+</div>
+
+</body>
+</html>
diff --git a/layout/reftests/css-grid/reftest.list b/layout/reftests/css-grid/reftest.list
index 29b9b8649eca..6500ceb63cac 100644
--- a/layout/reftests/css-grid/reftest.list
+++ b/layout/reftests/css-grid/reftest.list
@@ -185,6 +185,7 @@ skip-if(Android&&isDebugBuild) == grid-row-gap-004.html grid-row-gap-004-ref.htm
 == grid-repeat-auto-fill-fit-009.html grid-repeat-auto-fill-fit-009-ref.html
 == grid-repeat-auto-fill-fit-010.html grid-repeat-auto-fill-fit-010-ref.html
 == grid-repeat-auto-fill-fit-011.html grid-repeat-auto-fill-fit-010-ref.html
+== grid-repeat-auto-fill-fit-012.html grid-repeat-auto-fill-fit-012-ref.html
 == grid-item-blockifying-001.html grid-item-blockifying-001-ref.html
 == grid-fragmentation-001.html grid-fragmentation-001-ref.html
 == grid-fragmentation-002.html grid-fragmentation-002-ref.html
diff --git a/mfbt/BufferList.h b/mfbt/BufferList.h
index c7a2f17f0998..5c01c7f4d4a9 100644
--- a/mfbt/BufferList.h
+++ b/mfbt/BufferList.h
@@ -342,6 +342,21 @@ class BufferList : private AllocPolicy
     return start.BytesUntil(*this, end);
   }
 
+  // This takes ownership of the data
+  void* WriteBytesZeroCopy(char *aData, size_t aSize, size_t aCapacity)
+  {
+    MOZ_ASSERT(aCapacity != 0);
+    MOZ_ASSERT(aSize <= aCapacity);
+    MOZ_ASSERT(mOwning);
+
+    if (!mSegments.append(Segment(aData, aSize, aCapacity))) {
+      this->free_(aData);
+      return nullptr;
+    }
+    mSize += aSize;
+    return aData;
+  }
+
 private:
   explicit BufferList(AllocPolicy aAP)
    : AllocPolicy(aAP),
diff --git a/mobile/android/chrome/content/browser.js b/mobile/android/chrome/content/browser.js
index d535eb9a88dc..3ea937791267 100644
--- a/mobile/android/chrome/content/browser.js
+++ b/mobile/android/chrome/content/browser.js
@@ -4477,14 +4477,20 @@ Tab.prototype = {
       let originHost = "";
       try {
         originHost = Services.io.newURI(appOrigin).host;
-      } catch (e if (e.result == Cr.NS_ERROR_FAILURE)) {
+      } catch (e) {
+        if (e.result != Cr.NS_ERROR_FAILURE) {
+          throw e;
+        }
         // NS_ERROR_FAILURE can be thrown by nsIURI.host if the URI scheme does not possess a host -
         // in this case we just act as if we have an empty host.
       }
       let locationHost = "";
       try {
         locationHost = aLocationURI.host;
-      } catch (e if (e.result == Cr.NS_ERROR_FAILURE)) {
+      } catch (e) {
+        if (e.result != Cr.NS_ERROR_FAILURE) {
+          throw e;
+        }
         // Ditto.
       }
       if (originHost != locationHost || originHost == "") {
diff --git a/mobile/android/components/Snippets.js b/mobile/android/components/Snippets.js
index fbbe78f46e54..fead6897fcc1 100644
--- a/mobile/android/components/Snippets.js
+++ b/mobile/android/components/Snippets.js
@@ -265,7 +265,10 @@ function writeStat(snippetId, timestamp) {
       } finally {
         yield file.close();
       }
-    } catch (ex if ex instanceof OS.File.Error && ex.becauseNoSuchFile) {
+    } catch (ex) {
+      if (!(ex instanceof OS.File.Error && ex.becauseNoSuchFile)) {
+        throw ex;
+      }
       // If the file doesn't exist yet, create it.
       yield OS.File.writeAtomic(gStatsPath, data, { tmpPath: gStatsPath + ".tmp" });
     }
diff --git a/modules/libpref/Preferences.cpp b/modules/libpref/Preferences.cpp
index 802691c36ee0..417312e59583 100644
--- a/modules/libpref/Preferences.cpp
+++ b/modules/libpref/Preferences.cpp
@@ -200,6 +200,26 @@ union PrefValue {
         MOZ_CRASH();
     }
   }
+
+  PrefType FromDomPrefValue(const dom::PrefValue& aDomValue)
+  {
+    switch (aDomValue.type()) {
+      case dom::PrefValue::TnsCString:
+        mStringVal = aDomValue.get_nsCString().get();
+        return PrefType::String;
+
+      case dom::PrefValue::Tint32_t:
+        mIntVal = aDomValue.get_int32_t();
+        return PrefType::Int;
+
+      case dom::PrefValue::Tbool:
+        mBoolVal = aDomValue.get_bool();
+        return PrefType::Bool;
+
+      default:
+        MOZ_CRASH();
+    }
+  }
 };
 
 #ifdef DEBUG
@@ -404,6 +424,8 @@ public:
   {
     aDomPref->name() = mName;
 
+    aDomPref->isLocked() = mIsLocked;
+
     if (mHasDefaultValue) {
       aDomPref->defaultValue() = dom::PrefValue();
       mDefaultValue.ToDomPrefValue(Type(),
@@ -426,6 +448,49 @@ public:
                 aDomPref->userValue().get_PrefValue().type()));
   }
 
+  void FromDomPref(const dom::Pref& aDomPref, bool* aValueChanged)
+  {
+    MOZ_ASSERT(strcmp(mName, aDomPref.name().get()) == 0);
+
+    mIsLocked = aDomPref.isLocked();
+
+    const dom::MaybePrefValue& defaultValue = aDomPref.defaultValue();
+    bool defaultValueChanged = false;
+    if (defaultValue.type() == dom::MaybePrefValue::TPrefValue) {
+      PrefValue value;
+      PrefType type = value.FromDomPrefValue(defaultValue.get_PrefValue());
+      if (!ValueMatches(PrefValueKind::Default, type, value)) {
+        // Type() is PrefType::None if it's a newly added pref. This is ok.
+        mDefaultValue.Replace(Type(), type, value);
+        SetType(type);
+        mHasDefaultValue = true;
+        defaultValueChanged = true;
+      }
+    }
+    // Note: we never clear a default value.
+
+    const dom::MaybePrefValue& userValue = aDomPref.userValue();
+    bool userValueChanged = false;
+    if (userValue.type() == dom::MaybePrefValue::TPrefValue) {
+      PrefValue value;
+      PrefType type = value.FromDomPrefValue(userValue.get_PrefValue());
+      if (!ValueMatches(PrefValueKind::User, type, value)) {
+        // Type() is PrefType::None if it's a newly added pref. This is ok.
+        mUserValue.Replace(Type(), type, value);
+        SetType(type);
+        mHasUserValue = true;
+        userValueChanged = true;
+      }
+    } else if (mHasUserValue) {
+      ClearUserValue();
+      userValueChanged = true;
+    }
+
+    if (userValueChanged || (defaultValueChanged && !mHasUserValue)) {
+      *aValueChanged = true;
+    }
+  }
+
   bool HasAdvisablySizedValues()
   {
     if (!IsTypeString()) {
@@ -764,7 +829,7 @@ pref_SetPref(const char* aPrefName,
   }
 
   if (!pref->Name()) {
-    // New (zeroed) entry. Initialize it.
+    // New (zeroed) entry. Partially initialize it.
     new (pref) Pref(aPrefName);
     pref->SetType(aType);
   }
@@ -3574,55 +3639,50 @@ Preferences::SavePrefFile(nsIFile* aFile)
   return SavePrefFileInternal(aFile, SaveMethod::Asynchronous);
 }
 
-/* static */ nsresult
-Preferences::SetValueFromDom(const char* aPrefName,
-                             const dom::PrefValue& aValue,
-                             PrefValueKind aKind)
-{
-  switch (aValue.type()) {
-    case dom::PrefValue::TnsCString:
-      return Preferences::SetCStringInAnyProcess(
-        aPrefName, aValue.get_nsCString(), aKind);
-
-    case dom::PrefValue::Tint32_t:
-      return Preferences::SetIntInAnyProcess(
-        aPrefName, aValue.get_int32_t(), aKind);
-
-    case dom::PrefValue::Tbool:
-      return Preferences::SetBoolInAnyProcess(
-        aPrefName, aValue.get_bool(), aKind);
-
-    default:
-      MOZ_CRASH();
-  }
-}
-
-void
+/* static */ void
 Preferences::SetPreference(const dom::Pref& aDomPref)
 {
+  MOZ_ASSERT(!XRE_IsParentProcess());
+  NS_ENSURE_TRUE(InitStaticMembers(), (void)0);
+
   const char* prefName = aDomPref.name().get();
-  const dom::MaybePrefValue& defaultValue = aDomPref.defaultValue();
-  const dom::MaybePrefValue& userValue = aDomPref.userValue();
 
-  if (defaultValue.type() == dom::MaybePrefValue::TPrefValue) {
-    nsresult rv = SetValueFromDom(
-      prefName, defaultValue.get_PrefValue(), PrefValueKind::Default);
-    if (NS_FAILED(rv)) {
-      return;
-    }
+  auto pref = static_cast<Pref*>(gHashTable->Add(prefName, fallible));
+  if (!pref) {
+    return;
   }
 
-  if (userValue.type() == dom::MaybePrefValue::TPrefValue) {
-    SetValueFromDom(prefName, userValue.get_PrefValue(), PrefValueKind::User);
-  } else {
-    Preferences::ClearUserInAnyProcess(prefName);
+  if (!pref->Name()) {
+    // New (zeroed) entry. Partially initialize it.
+    new (pref) Pref(prefName);
   }
 
-  // NB: we should never try to clear a default value, that doesn't
-  // make sense
+  bool valueChanged = false;
+  pref->FromDomPref(aDomPref, &valueChanged);
+
+  // When the parent process clears a pref's user value we get a DomPref here
+  // with no default value and no user value. There are two possibilities.
+  //
+  // - There was an existing pref with only a user value. FromDomPref() will
+  //   have just cleared that user value, so the pref can be removed.
+  //
+  // - There was no existing pref. FromDomPref() will have done nothing, and
+  //   `pref` will be valueless. We will end up adding and removing the value
+  //   needlessly, but that's ok because this case is rare.
+  //
+  if (!pref->HasDefaultValue() && !pref->HasUserValue()) {
+    gHashTable->RemoveEntry(pref);
+  }
+
+  // Note: we don't have to worry about HandleDirty() because we are setting
+  // prefs in the content process that have come from the parent process.
+
+  if (valueChanged) {
+    NotifyCallbacks(prefName);
+  }
 }
 
-void
+/* static */ void
 Preferences::GetPreference(dom::Pref* aDomPref)
 {
   Pref* pref = pref_HashTableLookup(aDomPref->name().get());
diff --git a/modules/libpref/Preferences.h b/modules/libpref/Preferences.h
index bb77836f110e..41648026d447 100644
--- a/modules/libpref/Preferences.h
+++ b/modules/libpref/Preferences.h
@@ -406,10 +406,6 @@ public:
 private:
   static mozilla::Result<mozilla::Ok, const char*> InitInitialObjects();
 
-  static nsresult SetValueFromDom(const char* aPrefName,
-                                  const dom::PrefValue& aValue,
-                                  PrefValueKind aKind);
-
   // Functions above that modify prefs will fail if they are not run in the
   // parent process. The "InAnyProcess" functions below will succeed outside
   // the content process, and are used when passing pref values from the parent
diff --git a/modules/libpref/test/unit_ipc/test_initial_prefs.js b/modules/libpref/test/unit_ipc/test_initial_prefs.js
index 62b36c694b20..6380891bbd0a 100644
--- a/modules/libpref/test/unit_ipc/test_initial_prefs.js
+++ b/modules/libpref/test/unit_ipc/test_initial_prefs.js
@@ -13,6 +13,6 @@ function run_test() {
       pb.setIntPref("Test.IPC.int", 23);
       pb.setCharPref("Test.IPC.char", "hey");
 
-      run_test_in_child("test_existing_prefs.JS");
+      run_test_in_child("test_existing_prefs.js");
   }
-}
\ No newline at end of file
+}
diff --git a/modules/libpref/test/unit_ipc/test_locked_prefs.js b/modules/libpref/test/unit_ipc/test_locked_prefs.js
new file mode 100644
index 000000000000..883b29046f99
--- /dev/null
+++ b/modules/libpref/test/unit_ipc/test_locked_prefs.js
@@ -0,0 +1,40 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// Locked status should be communicated to children.
+
+var Ci = Components.interfaces;
+var Cc = Components.classes;
+
+function isParentProcess() {
+    let appInfo = Cc["@mozilla.org/xre/app-info;1"];
+    return (!appInfo || appInfo.getService(Ci.nsIXULRuntime).processType == Ci.nsIXULRuntime.PROCESS_TYPE_DEFAULT);
+}
+
+function run_test() {
+  let pb = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
+
+  let bprefname = "Test.IPC.locked.bool";
+  let iprefname = "Test.IPC.locked.int";
+  let sprefname = "Test.IPC.locked.string";
+
+  let isParent = isParentProcess();
+  if (isParent) {
+    pb.setBoolPref(bprefname, true);
+    pb.lockPref(bprefname);
+
+    pb.setIntPref(iprefname, true);
+    pb.lockPref(iprefname);
+
+    pb.setStringPref(sprefname, true);
+    pb.lockPref(sprefname);
+    pb.unlockPref(sprefname);
+
+    run_test_in_child("test_locked_prefs.js");
+  }
+
+  ok(pb.prefIsLocked(bprefname), bprefname + " should be locked in the child");
+  ok(pb.prefIsLocked(iprefname), iprefname + " should be locked in the child");
+  ok(!pb.prefIsLocked(sprefname), sprefname + " should be unlocked in the child");
+}
diff --git a/modules/libpref/test/unit_ipc/test_observed_prefs.js b/modules/libpref/test/unit_ipc/test_observed_prefs.js
index c18f7f0fe07a..41c1209796b0 100644
--- a/modules/libpref/test/unit_ipc/test_observed_prefs.js
+++ b/modules/libpref/test/unit_ipc/test_observed_prefs.js
@@ -13,4 +13,4 @@ function run_test() {
       do_check_eq(pb.getIntPref("Test.IPC.int.new"), 23);
       do_check_eq(pb.getCharPref("Test.IPC.char.new"), "hey");
   }
-}
\ No newline at end of file
+}
diff --git a/modules/libpref/test/unit_ipc/test_update_prefs.js b/modules/libpref/test/unit_ipc/test_update_prefs.js
index 7e1b0dcd7918..24832ac50efa 100644
--- a/modules/libpref/test/unit_ipc/test_update_prefs.js
+++ b/modules/libpref/test/unit_ipc/test_update_prefs.js
@@ -35,4 +35,4 @@ function testPrefClear() {
 function checkWasCleared(existsStr) {
     do_check_eq(existsStr, "false");
     do_test_finished();
-}
\ No newline at end of file
+}
diff --git a/modules/libpref/test/unit_ipc/xpcshell.ini b/modules/libpref/test/unit_ipc/xpcshell.ini
index 5a7943c526c1..f498a7377dcc 100644
--- a/modules/libpref/test/unit_ipc/xpcshell.ini
+++ b/modules/libpref/test/unit_ipc/xpcshell.ini
@@ -5,6 +5,7 @@ skip-if = toolkit == 'android'
 [test_existing_prefs.js]
 [test_initial_prefs.js]
 [test_large_pref.js]
+[test_locked_prefs.js]
 [test_observed_prefs.js]
 [test_update_prefs.js]
 [test_user_default_prefs.js]
diff --git a/nsprpub/TAG-INFO b/nsprpub/TAG-INFO
index b30aac8d1a81..c58b41a0753b 100644
--- a/nsprpub/TAG-INFO
+++ b/nsprpub/TAG-INFO
@@ -1 +1 @@
-NSPR_4_17_RTM
+NSPR_4_18_BETA2
diff --git a/nsprpub/config/prdepend.h b/nsprpub/config/prdepend.h
index e49e92677e3e..6c66b37ca0fc 100644
--- a/nsprpub/config/prdepend.h
+++ b/nsprpub/config/prdepend.h
@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+
diff --git a/nsprpub/configure b/nsprpub/configure
index deccb5f9f68d..fed917774494 100755
--- a/nsprpub/configure
+++ b/nsprpub/configure
@@ -2488,7 +2488,7 @@ test -n "$target_alias" &&
   program_prefix=${target_alias}-
 
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=17
+MOD_MINOR_VERSION=18
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
diff --git a/nsprpub/configure.in b/nsprpub/configure.in
index 1b9604d38105..3941cb7daa14 100644
--- a/nsprpub/configure.in
+++ b/nsprpub/configure.in
@@ -15,7 +15,7 @@ dnl ========================================================
 dnl = Defaults
 dnl ========================================================
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=17
+MOD_MINOR_VERSION=18
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
diff --git a/nsprpub/patches/README.TXT b/nsprpub/patches/README.TXT
deleted file mode 100644
index 38fecbaba0e6..000000000000
--- a/nsprpub/patches/README.TXT
+++ /dev/null
@@ -1,9 +0,0 @@
-bug1399100-temporary.patch :
-  This is a temporary patch as described in
-    https://bugzilla.mozilla.org/show_bug.cgi?id=1399100
-  It is temporarily necessary because of the changes in
-    https://bugzilla.mozilla.org/show_bug.cgi?id=1384633
-  The patch should be re-applied during the Firefox 57 release cycle,
-  if other changes to NSPR are necessary during the lifetime of Firefox 57.
-  The temporary API will be removed for Firefox 58, as agreed in
-    https://bugzilla.mozilla.org/show_bug.cgi?id=1394808
diff --git a/nsprpub/patches/bug1399100-temporary.patch b/nsprpub/patches/bug1399100-temporary.patch
deleted file mode 100644
index 744d747cb0cd..000000000000
--- a/nsprpub/patches/bug1399100-temporary.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/nsprpub/pr/src/nspr.def b/nsprpub/pr/src/nspr.def
---- a/nsprpub/pr/src/nspr.def
-+++ b/nsprpub/pr/src/nspr.def
-@@ -457,8 +457,12 @@ EXPORTS ;-
- ;+} NSPR_4.9.2;
- ;+# Function PR_DuplicateEnvironment had been added in NSPR 4.10.9,
- ;+# but we neglected to add it to nspr.def until NSPR 4.12
- ;+NSPR_4.12 {
- ;+      global:
- 		PR_DuplicateEnvironment;
- 		PR_GetEnvSecure;
- ;+} NSPR_4.10.3;
-+;+NSPR_4.17_fork {
-+;+      global:
-+		PR_EXPERIMENTAL_ONLY_IN_4_17_GetOverlappedIOHandle;
-+;+} NSPR_4.16;
diff --git a/nsprpub/pr/include/prinit.h b/nsprpub/pr/include/prinit.h
index 3a83a229dff2..d91aac047f54 100644
--- a/nsprpub/pr/include/prinit.h
+++ b/nsprpub/pr/include/prinit.h
@@ -31,11 +31,11 @@ PR_BEGIN_EXTERN_C
 ** The format of the version string is
 **     "<major version>.<minor version>[.<patch level>] [<Beta>]"
 */
-#define PR_VERSION  "4.17"
+#define PR_VERSION  "4.18 Beta"
 #define PR_VMAJOR   4
-#define PR_VMINOR   17
+#define PR_VMINOR   18
 #define PR_VPATCH   0
-#define PR_BETA     PR_FALSE
+#define PR_BETA     PR_TRUE
 
 /*
 ** PRVersionCheck
diff --git a/nsprpub/pr/include/private/pprio.h b/nsprpub/pr/include/private/pprio.h
index 83d3715b1b69..26bcd0d0121f 100644
--- a/nsprpub/pr/include/private/pprio.h
+++ b/nsprpub/pr/include/private/pprio.h
@@ -237,20 +237,6 @@ NSPR_API(PRStatus) PR_NT_CancelIo(PRFileDesc *fd);
 
 #endif /* WIN32 */
 
-/* FUNCTION: PR_EXPERIMENTAL_ONLY_IN_4_17_GetOverlappedIOHandle
-** DESCRIPTION:
-** This function will be available only in nspr version 4.17
-** This functionality is only available on windows. Some windows operation use
-** asynchronous (call overlapped) io. One of them is ConnectEx. NSPR uses
-** ConnectEx for enabling TCP Fast Open.
-** This function returns an OVERLAPPED structure associated with ConnectEx call.
-** If ConnectEx has not been called or the io has already finished, the
-** function will return PR_INVALID_ARGUMENT_ERROR.
-** PRFileDesc continues to be owner of the structure and the structure must not
-** be destroyed.
-*/
-NSPR_API(PRStatus) PR_EXPERIMENTAL_ONLY_IN_4_17_GetOverlappedIOHandle(PRFileDesc *fd, void **ol);
-
 PR_END_EXTERN_C
 
 #endif /* pprio_h___ */
diff --git a/nsprpub/pr/include/private/primpl.h b/nsprpub/pr/include/private/primpl.h
index dc24a2572752..e43416c539f5 100644
--- a/nsprpub/pr/include/private/primpl.h
+++ b/nsprpub/pr/include/private/primpl.h
@@ -2165,6 +2165,18 @@ extern PRUint32 connectCount;
 
 #endif /* XP_BEOS */
 
+#if defined(_WIN64) && defined(WIN95)
+typedef struct _PRFileDescList {
+  PRFileDesc *fd;
+  struct _PRFileDescList *next;
+} PRFileDescList;
+
+extern PRLock *_fd_waiting_for_overlapped_done_lock;
+extern PRFileDescList *_fd_waiting_for_overlapped_done;
+extern void CheckOverlappedPendingSocketsAreDone();
+#endif
+
+
 PR_END_EXTERN_C
 
 #endif /* primpl_h___ */
diff --git a/nsprpub/pr/src/io/prio.c b/nsprpub/pr/src/io/prio.c
index bf9763a2cd23..10ae5e098c77 100644
--- a/nsprpub/pr/src/io/prio.c
+++ b/nsprpub/pr/src/io/prio.c
@@ -137,11 +137,82 @@ PR_IMPLEMENT(void) PR_FreeFileDesc(PRFileDesc *fd)
     _PR_Putfd(fd);
 }
 
+#if defined(_WIN64) && defined(WIN95)
+
+PRFileDescList *_fd_waiting_for_overlapped_done = NULL;
+PRLock *_fd_waiting_for_overlapped_done_lock = NULL;
+
+void CheckOverlappedPendingSocketsAreDone()
+{
+  if (!_fd_waiting_for_overlapped_done_lock ||
+      !_fd_waiting_for_overlapped_done) {
+    return;
+  }
+
+  PR_Lock(_fd_waiting_for_overlapped_done_lock);
+
+  PRFileDescList *cur = _fd_waiting_for_overlapped_done;
+  PRFileDescList *previous = NULL;
+  while (cur) {
+    PR_ASSERT(cur->fd->secret->overlappedActive);
+    PRFileDesc *fd = cur->fd;
+    DWORD rvSent;
+    if (GetOverlappedResult((HANDLE)fd->secret->md.osfd, &fd->secret->ol, &rvSent, FALSE) == TRUE) {
+      fd->secret->overlappedActive = PR_FALSE;
+      PR_LOG(_pr_io_lm, PR_LOG_MIN,
+             ("CheckOverlappedPendingSocketsAreDone GetOverlappedResult succeeded\n"));
+    } else {
+      DWORD err = WSAGetLastError();
+      PR_LOG(_pr_io_lm, PR_LOG_MIN,
+             ("CheckOverlappedPendingSocketsAreDone GetOverlappedResult failed %d\n", err));
+      if (err != ERROR_IO_INCOMPLETE) {
+        fd->secret->overlappedActive = PR_FALSE;
+      }
+    }
+
+    if (!fd->secret->overlappedActive) {
+
+      _PR_MD_CLOSE_SOCKET(fd->secret->md.osfd);
+      fd->secret->state = _PR_FILEDESC_CLOSED;
+#ifdef _PR_HAVE_PEEK_BUFFER
+      if (fd->secret->peekBuffer) {
+        PR_ASSERT(fd->secret->peekBufSize > 0);
+        PR_DELETE(fd->secret->peekBuffer);
+        fd->secret->peekBufSize = 0;
+        fd->secret->peekBytes = 0;
+      }
+#endif
+
+      PR_FreeFileDesc(fd);
+
+      if (previous) {
+        previous->next = cur->next;
+      } else {
+        _fd_waiting_for_overlapped_done = cur->next;
+      }
+      PRFileDescList *del = cur;
+      cur = cur->next;
+      PR_Free(del);
+    } else {
+      previous = cur;
+      cur = cur->next;
+    }
+  }
+
+  PR_Unlock(_fd_waiting_for_overlapped_done_lock);
+}
+#endif
+
 /*
 ** Wait for some i/o to finish on one or more more poll descriptors.
 */
 PR_IMPLEMENT(PRInt32) PR_Poll(PRPollDesc *pds, PRIntn npds, PRIntervalTime timeout)
 {
+#if defined(_WIN64) && defined(WIN95)
+  // For each iteration check if TFO overlapped IOs are down.
+  CheckOverlappedPendingSocketsAreDone();
+#endif
+
 	return(_PR_MD_PR_POLL(pds, npds, timeout));
 }
 
diff --git a/nsprpub/pr/src/io/prsocket.c b/nsprpub/pr/src/io/prsocket.c
index b42f05683e39..26f7a245d2dc 100644
--- a/nsprpub/pr/src/io/prsocket.c
+++ b/nsprpub/pr/src/io/prsocket.c
@@ -737,6 +737,56 @@ static PRStatus PR_CALLBACK SocketClose(PRFileDesc *fd)
 	}
 
 	if (fd->secret->state == _PR_FILEDESC_OPEN) {
+#if defined(_WIN64) && defined(WIN95)
+    /* TCP Fast Open on Windows must use ConnectEx, which uses overlapped
+     * input/output. Before closing such a socket we must cancelIO.
+     */
+    if (fd->secret->overlappedActive) {
+      PR_ASSERT(fd->secret->nonblocking);
+      if (CancelIo((HANDLE) fd->secret->md.osfd) == TRUE) {
+        PR_LOG(_pr_io_lm, PR_LOG_MIN,
+               ("SocketClose - CancelIo succeeded\n"));
+      } else {
+        DWORD err = WSAGetLastError();
+        PR_LOG(_pr_io_lm, PR_LOG_MIN,
+               ("SocketClose - CancelIo failed err=%x\n", err));
+      }
+
+      DWORD rvSent;
+      if (GetOverlappedResult((HANDLE)fd->secret->md.osfd, &fd->secret->ol, &rvSent, FALSE) == TRUE) {
+        fd->secret->overlappedActive = PR_FALSE;
+        PR_LOG(_pr_io_lm, PR_LOG_MIN,
+               ("SocketClose GetOverlappedResult succeeded\n"));
+      } else {
+        DWORD err = WSAGetLastError();
+        PR_LOG(_pr_io_lm, PR_LOG_MIN,
+               ("SocketClose GetOverlappedResult failed %d\n", err));
+        if (err != ERROR_IO_INCOMPLETE) {
+          _PR_MD_MAP_CONNECT_ERROR(err);
+          fd->secret->overlappedActive = PR_FALSE;
+        }
+      }
+    }
+
+    if (fd->secret->overlappedActive &&
+        _fd_waiting_for_overlapped_done_lock) {
+      // Put osfd into the list to be checked later.
+      PRFileDescList *forWaiting = PR_NEW(PRFileDescList);
+      if (!forWaiting) {
+        PR_SetError(PR_OUT_OF_MEMORY_ERROR, 0);
+        return PR_FAILURE;
+      }
+      forWaiting->fd = fd;
+
+      PR_Lock(_fd_waiting_for_overlapped_done_lock);
+      forWaiting->next = _fd_waiting_for_overlapped_done;
+      _fd_waiting_for_overlapped_done = forWaiting;
+      PR_Unlock(_fd_waiting_for_overlapped_done_lock);
+
+      return PR_SUCCESS;
+    }
+#endif
+
 		if (_PR_MD_CLOSE_SOCKET(fd->secret->md.osfd) < 0) {
 			return PR_FAILURE;
 		}
@@ -1684,33 +1734,6 @@ PR_ChangeFileDescNativeHandle(PRFileDesc *fd, PROsfd handle)
 		fd->secret->md.osfd = handle;
 }
 
-/* Expose OVERLAPPED if present. OVERLAPPED is implemented only on WIN95. */
-PR_IMPLEMENT(PRStatus)
-PR_EXPERIMENTAL_ONLY_IN_4_17_GetOverlappedIOHandle(PRFileDesc *fd, void **ol)
-{
-#if defined(_WIN64) && defined(WIN95)
-    *ol = NULL;
-    if (fd) {
-        fd = PR_GetIdentitiesLayer(fd, PR_NSPR_IO_LAYER);
-    }
-    if (!fd) {
-        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
-        return PR_FAILURE;
-    }
-
-    if (!fd->secret->overlappedActive) {
-        PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
-        return PR_FAILURE;
-    }
-
-    *ol = &fd->secret->ol;
-    return PR_SUCCESS;
-#else
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return PR_FAILURE;
-#endif
-}
-
 /*
 ** Select compatibility
 **
diff --git a/nsprpub/pr/src/md/windows/w95sock.c b/nsprpub/pr/src/md/windows/w95sock.c
index 0429c655aa85..c6a3ec111fb9 100644
--- a/nsprpub/pr/src/md/windows/w95sock.c
+++ b/nsprpub/pr/src/md/windows/w95sock.c
@@ -382,6 +382,11 @@ PRInt32
 _PR_MD_TCPSENDTO(PRFileDesc *fd, const void *buf, PRInt32 amount, PRIntn flags,
                  const PRNetAddr *addr, PRUint32 addrlen, PRIntervalTime timeout)
 {
+    if (!_fd_waiting_for_overlapped_done_lock) {
+        PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
+        return PR_FAILURE;
+    }
+
     if (PR_CallOnce(&_pr_has_connectex_once, _pr_set_connectex) != PR_SUCCESS) {
         PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
         return PR_FAILURE;
diff --git a/nsprpub/pr/src/md/windows/w95thred.c b/nsprpub/pr/src/md/windows/w95thred.c
index c27d982a7480..06d015122616 100644
--- a/nsprpub/pr/src/md/windows/w95thred.c
+++ b/nsprpub/pr/src/md/windows/w95thred.c
@@ -35,6 +35,10 @@ _PR_MD_EARLY_INIT()
     _pr_lastThreadIndex = TlsAlloc();
     _pr_currentCPUIndex = TlsAlloc();
 #endif
+
+#if defined(_WIN64) && defined(WIN95)
+    _fd_waiting_for_overlapped_done_lock = PR_NewLock();
+#endif
 }
 
 void _PR_MD_CLEANUP_BEFORE_EXIT(void)
@@ -50,6 +54,29 @@ void _PR_MD_CLEANUP_BEFORE_EXIT(void)
     TlsFree(_pr_lastThreadIndex);
     TlsFree(_pr_currentCPUIndex);
 #endif
+
+#if defined(_WIN64) && defined(WIN95)
+    // For each iteration check if TFO overlapped IOs are down.
+    if (_fd_waiting_for_overlapped_done_lock) {
+        PRIntervalTime delay = PR_MillisecondsToInterval(1000);
+        PRFileDescList *cur;
+        do {
+            CheckOverlappedPendingSocketsAreDone();
+
+            PR_Lock(_fd_waiting_for_overlapped_done_lock);
+            cur = _fd_waiting_for_overlapped_done;
+            PR_Unlock(_fd_waiting_for_overlapped_done_lock);
+#if defined(DO_NOT_WAIT_FOR_CONNECT_OVERLAPPED_OPERATIONS)
+            cur = NULL;
+#endif
+            if (cur) {
+                PR_Sleep(delay); // wait another 1s.
+            }
+        } while (cur);
+
+        PR_DestroyLock(_fd_waiting_for_overlapped_done_lock);
+    }
+#endif
 }
 
 PRStatus
diff --git a/nsprpub/pr/src/nspr.def b/nsprpub/pr/src/nspr.def
index 16e526f57377..726979ba9dee 100644
--- a/nsprpub/pr/src/nspr.def
+++ b/nsprpub/pr/src/nspr.def
@@ -462,7 +462,3 @@ EXPORTS ;-
 		PR_DuplicateEnvironment;
 		PR_GetEnvSecure;
 ;+} NSPR_4.10.3;
-;+NSPR_4.17_fork {
-;+      global:
-		PR_EXPERIMENTAL_ONLY_IN_4_17_GetOverlappedIOHandle;
-;+} NSPR_4.16;
diff --git a/nsprpub/pr/src/pthreads/ptio.c b/nsprpub/pr/src/pthreads/ptio.c
index ebe6d8d88ace..9dde0319127e 100644
--- a/nsprpub/pr/src/pthreads/ptio.c
+++ b/nsprpub/pr/src/pthreads/ptio.c
@@ -4744,14 +4744,6 @@ PR_IMPLEMENT(PRInt32) PR_FileDesc2NativeHandle(PRFileDesc *bottom)
     return osfd;
 }  /* PR_FileDesc2NativeHandle */
 
-/* Expose OVERLAPPED if present. OVERLAPPED is implemented only on WIN95. */
-PR_IMPLEMENT(PRStatus)
-PR_EXPERIMENTAL_ONLY_IN_4_17_GetOverlappedIOHandle(PRFileDesc *fd, void **ol)
-{
-    PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
-    return PR_FAILURE;
-}
-
 PR_IMPLEMENT(void) PR_ChangeFileDescNativeHandle(PRFileDesc *fd,
     PRInt32 handle)
 {
diff --git a/nsprpub/pr/src/pthreads/ptthread.c b/nsprpub/pr/src/pthreads/ptthread.c
index 9e12606ea3f4..e57abd61e9c0 100644
--- a/nsprpub/pr/src/pthreads/ptthread.c
+++ b/nsprpub/pr/src/pthreads/ptthread.c
@@ -1064,6 +1064,11 @@ void PR_HPUX10xInit(shl_t handle, int loading)
 
 void _PR_Fini(void)
 {
+    /* We disable the cleanup code on Mac OSX, see bug 1399746.
+     * The .dylib containing NSPR can get unloaded, and _PR_Fini called,
+     * and other code calling NSPR functions can get executed afterwards.
+    */
+#ifndef DARWIN
     void *thred;
     int rv;
 
@@ -1095,6 +1100,7 @@ void _PR_Fini(void)
     pt_book.keyCreated = PR_FALSE;
     /* TODO: free other resources used by NSPR */
     /* _pr_initialized = PR_FALSE; */
+#endif
 }  /* _PR_Fini */
 
 PR_IMPLEMENT(PRStatus) PR_Cleanup(void)
diff --git a/nsprpub/pr/tests/vercheck.c b/nsprpub/pr/tests/vercheck.c
index 7a13363dbec2..da2f7b1de6d4 100644
--- a/nsprpub/pr/tests/vercheck.c
+++ b/nsprpub/pr/tests/vercheck.c
@@ -40,7 +40,7 @@ static char *compatible_version[] = {
     "4.10", "4.10.1", "4.10.2", "4.10.3", "4.10.4",
     "4.10.5", "4.10.6", "4.10.7", "4.10.8", "4.10.9",
     "4.10.10", "4.11", "4.12", "4.13", "4.14", "4.15",
-    "4.16",
+    "4.16", "4.17",
     PR_VERSION
 };
 
@@ -56,8 +56,8 @@ static char *incompatible_version[] = {
     "3.0", "3.0.1",
     "3.1", "3.1.1", "3.1.2", "3.1.3",
     "3.5", "3.5.1",
-    "4.17.1",
-    "4.18", "4.18.1",
+    "4.18.1",
+    "4.19", "4.19.1",
     "10.0", "11.1", "12.14.20"
 };
 
diff --git a/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/imports.html.ini b/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/imports.html.ini
deleted file mode 100644
index d2d90393a1d1..000000000000
--- a/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/imports.html.ini
+++ /dev/null
@@ -1,8 +0,0 @@
-[imports.html]
-  type: testharness
-  [Import a module that tries to import itself]
-    expected: FAIL
-
-  [Import a module with a cyclical module dependency]
-    expected: FAIL
-
diff --git a/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/slow-cycle.html.ini b/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/slow-cycle.html.ini
deleted file mode 100644
index 936f45f8dae0..000000000000
--- a/testing/web-platform/meta/html/semantics/scripting-1/the-script-element/module/slow-cycle.html.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-[slow-cycle.html]
-  type: testharness
-  [Cyclic graph with slow imports]
-    expected: FAIL
-
diff --git a/toolkit/components/contextualidentity/ContextualIdentityService.jsm b/toolkit/components/contextualidentity/ContextualIdentityService.jsm
index c6243cb59eea..dcfcd86735cf 100644
--- a/toolkit/components/contextualidentity/ContextualIdentityService.jsm
+++ b/toolkit/components/contextualidentity/ContextualIdentityService.jsm
@@ -35,6 +35,8 @@ XPCOMUtils.defineLazyModuleGetter(this, "FileUtils",
                                   "resource://gre/modules/FileUtils.jsm");
 XPCOMUtils.defineLazyModuleGetter(this, "NetUtil",
                                   "resource://gre/modules/NetUtil.jsm");
+XPCOMUtils.defineLazyModuleGetter(this, "AppConstants",
+                                  "resource://gre/modules/AppConstants.jsm");
 
 function _TabRemovalObserver(resolver, tabParentIds) {
   this._resolver = resolver;
@@ -160,6 +162,10 @@ _ContextualIdentityService.prototype = {
 
     this._dataReady = true;
 
+    // Let's delete all the data of any userContextId. 1 is the first valid
+    // userContextId value.
+    this.deleteContainerData();
+
     this.saveSoon();
   },
 
@@ -201,7 +207,7 @@ _ContextualIdentityService.prototype = {
     this._saverCallback = null;
 
     let object = {
-      version: 2,
+      version: 3,
       lastUserContextId: this._lastUserContextId,
       identities: this._identities
     };
@@ -285,8 +291,17 @@ _ContextualIdentityService.prototype = {
     let data = JSON.parse(gTextDecoder.decode(bytes));
     if (data.version == 1) {
       this.resetDefault();
+      return;
     }
-    if (data.version != 2) {
+
+    let saveNeeded = false;
+
+    if (data.version == 2) {
+      data = this.migrate2to3(data);
+      saveNeeded = true;
+    }
+
+    if (data.version != 3) {
       dump("ERROR - ContextualIdentityService - Unknown version found in " + this._path + "\n");
       this.loadError(null);
       return;
@@ -295,6 +310,11 @@ _ContextualIdentityService.prototype = {
     this._identities = data.identities;
     this._lastUserContextId = data.lastUserContextId;
 
+    // If we had a migration, let's force the saving of the file.
+    if (saveNeeded) {
+      this.saveSoon();
+    }
+
     this._dataReady = true;
   },
 
@@ -443,6 +463,35 @@ _ContextualIdentityService.prototype = {
   createNewInstanceForTesting(path) {
     return new _ContextualIdentityService(path);
   },
+
+  deleteContainerData() {
+    let minUserContextId = 1;
+    let maxUserContextId = minUserContextId;
+    const enumerator = Services.cookies.enumerator;
+    while (enumerator.hasMoreElements()) {
+      const cookie = enumerator.getNext().QueryInterface(Ci.nsICookie);
+      if (cookie.originAttributes.userContextId > maxUserContextId) {
+        maxUserContextId = cookie.originAttributes.userContextId;
+      }
+    }
+
+    for (let i = minUserContextId; i <= maxUserContextId; ++i) {
+      Services.obs.notifyObservers(null, "clear-origin-attributes-data",
+                                   JSON.stringify({ userContextId: i }));
+    }
+  },
+
+  migrate2to3(data) {
+    // migrating from 2 to 3 is basically just increasing the version id.
+    data.version = 3;
+
+    // *Only in nightly* we delete data of the all non-default containers.
+    if (AppConstants.NIGHTLY_BUILD) {
+      this.deleteContainerData();
+    }
+
+    return data;
+  },
 };
 
 let path = OS.Path.join(OS.Constants.Path.profileDir, "containers.json");
diff --git a/toolkit/components/contextualidentity/tests/unit/test_corruptedFile.js b/toolkit/components/contextualidentity/tests/unit/test_corruptedFile.js
new file mode 100644
index 000000000000..479f0499b4e8
--- /dev/null
+++ b/toolkit/components/contextualidentity/tests/unit/test_corruptedFile.js
@@ -0,0 +1,68 @@
+"use strict";
+
+const profileDir = do_get_profile();
+
+const {classes: Cc, interfaces: Ci, utils: Cu, results: Cr} = Components;
+
+Cu.import("resource://gre/modules/ContextualIdentityService.jsm");
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/osfile.jsm");
+
+const TEST_STORE_FILE_PATH = OS.Path.join(profileDir.path, "test-containers.json");
+
+const BASE_URL = "http://example.org/";
+
+const COOKIE = {
+  host: BASE_URL,
+  path: "/",
+  name: "test",
+  value: "yes",
+  isSecure: false,
+  isHttpOnly: false,
+  isSession: true,
+  expiry: 2145934800,
+  originAttributes: { userContextId: 1 },
+};
+
+function createCookie() {
+  Services.cookies.add(COOKIE.host,
+                       COOKIE.path,
+                       COOKIE.name,
+                       COOKIE.value,
+                       COOKIE.isSecure,
+                       COOKIE.isHttpOnly,
+                       COOKIE.isSession,
+                       COOKIE.expiry,
+                       COOKIE.originAttributes);
+}
+
+function hasCookie() {
+  let found = false;
+  let enumerator = Services.cookies.getCookiesFromHost(BASE_URL, COOKIE.originAttributes);
+  while (enumerator.hasMoreElements()) {
+    let cookie = enumerator.getNext().QueryInterface(Ci.nsICookie);
+    if (cookie.originAttributes.userContextId == COOKIE.originAttributes.userContextId) {
+      found = true;
+      break;
+    }
+  }
+  return found;
+}
+
+// Correpted file should delete all.
+add_task(async function corruptedFile() {
+  createCookie();
+  ok(hasCookie(), "We have the new cookie!");
+
+  // Let's create a corrupted file.
+  await OS.File.writeAtomic(TEST_STORE_FILE_PATH, "{ vers",
+                            { tmpPath: TEST_STORE_FILE_PATH + ".tmp" });
+
+  let cis = ContextualIdentityService.createNewInstanceForTesting(TEST_STORE_FILE_PATH);
+  ok(!!cis, "We have our instance of ContextualIdentityService");
+
+  equal(cis.getPublicIdentities().length, 4, "We should have the default identities");
+
+  // Cookie is gone!
+  ok(!hasCookie(), "We should not have the new cookie!");
+});
diff --git a/toolkit/components/contextualidentity/tests/unit/test_migration2to3.js b/toolkit/components/contextualidentity/tests/unit/test_migration2to3.js
new file mode 100644
index 000000000000..e0417ee1a20f
--- /dev/null
+++ b/toolkit/components/contextualidentity/tests/unit/test_migration2to3.js
@@ -0,0 +1,119 @@
+"use strict";
+
+const profileDir = do_get_profile();
+
+const {classes: Cc, interfaces: Ci, utils: Cu, results: Cr} = Components;
+
+Cu.import("resource://gre/modules/ContextualIdentityService.jsm");
+Cu.import("resource://gre/modules/Services.jsm");
+Cu.import("resource://gre/modules/osfile.jsm");
+
+const TEST_STORE_FILE_PATH = OS.Path.join(profileDir.path, "test-containers.json");
+
+const BASE_URL = "http://example.org/";
+
+const COOKIE = {
+  host: BASE_URL,
+  path: "/",
+  name: "test",
+  value: "yes",
+  isSecure: false,
+  isHttpOnly: false,
+  isSession: true,
+  expiry: 2145934800,
+  originAttributes: { userContextId: 1 },
+};
+
+function writeFile(data) {
+  let bytes = (new TextEncoder()).encode(JSON.stringify(data));
+  return OS.File.writeAtomic(TEST_STORE_FILE_PATH, bytes,
+                             { tmpPath: TEST_STORE_FILE_PATH + ".tmp" });
+}
+
+function readFile() {
+  return OS.File.read(TEST_STORE_FILE_PATH).then(bytes => {
+    return JSON.parse((new TextDecoder()).decode(bytes));
+  });
+}
+
+function createCookie() {
+  Services.cookies.add(COOKIE.host,
+                       COOKIE.path,
+                       COOKIE.name,
+                       COOKIE.value,
+                       COOKIE.isSecure,
+                       COOKIE.isHttpOnly,
+                       COOKIE.isSession,
+                       COOKIE.expiry,
+                       COOKIE.originAttributes);
+}
+
+function hasCookie() {
+  let found = false;
+  let enumerator = Services.cookies.getCookiesFromHost(BASE_URL, COOKIE.originAttributes);
+  while (enumerator.hasMoreElements()) {
+    let cookie = enumerator.getNext().QueryInterface(Ci.nsICookie);
+    if (cookie.originAttributes.userContextId == COOKIE.originAttributes.userContextId) {
+      found = true;
+      break;
+    }
+  }
+  return found;
+}
+
+// From version 2 to version 3.
+add_task(async function simpleMigration() {
+  // Let's create a version 2.
+  await writeFile({ version: 2, lastUserContextId: 100,
+                    identities: [{ userContextId: 1, public: true,
+                                  icon: "fingerprint", color: "orange",
+                                  name: "TEST" }]});
+
+  let cis = ContextualIdentityService.createNewInstanceForTesting(TEST_STORE_FILE_PATH);
+  ok(!!cis, "We have our instance of ContextualIdentityService");
+
+  equal(cis.getPublicIdentities().length, 1, "The test file containes 1 identity");
+  ok(!!cis.getPublicIdentityFromId(1), "Identity 1 exists");
+
+  // Let's force the saving.
+  await cis.save();
+
+  // Let's check the current version
+  let data = await readFile();
+  equal(data.version, 3, "We want to be in version 3.");
+});
+
+// Here we test that, migrating from 2 to 3, cookies are deleted.
+add_task(async function cookieDeleted() {
+  createCookie();
+  ok(hasCookie(), "We have the new cookie!");
+
+  // Let's create a version 2.
+  await writeFile({ version: 2, lastUserContextId: 100,
+                    identities: [{ userContextId: 1, public: true,
+                                  icon: "fingerprint", color: "orange",
+                                  name: "TEST" }]});
+
+  let cis = ContextualIdentityService.createNewInstanceForTesting(TEST_STORE_FILE_PATH);
+  ok(!!cis, "We have our instance of ContextualIdentityService");
+
+  equal(cis.getPublicIdentities().length, 1, "The test file containes 1 identity");
+  ok(!!cis.getPublicIdentityFromId(1), "Identity 1 exists");
+
+  // Cookie is gone!
+  ok(!hasCookie(), "We should not have the new cookie!");
+
+  // Let's force the saving.
+  await cis.save();
+
+  // Let's be sure that the cookie is not deleted again.
+  createCookie();
+  ok(hasCookie(), "We have the new cookie!");
+
+  cis = ContextualIdentityService.createNewInstanceForTesting(TEST_STORE_FILE_PATH);
+  ok(!!cis, "We have our instance of ContextualIdentityService");
+
+  equal(cis.getPublicIdentities().length, 1, "The test file containes 1 identity");
+
+  ok(hasCookie(), "Cookie is not deleted when the file is reopened");
+});
diff --git a/toolkit/components/contextualidentity/tests/unit/xpcshell.ini b/toolkit/components/contextualidentity/tests/unit/xpcshell.ini
index 1b0fa73ce2eb..1f436573c4ba 100644
--- a/toolkit/components/contextualidentity/tests/unit/xpcshell.ini
+++ b/toolkit/components/contextualidentity/tests/unit/xpcshell.ini
@@ -3,3 +3,7 @@ firefox-appdir = browser
 
 [test_basic.js]
 skip-if = appname == "thunderbird"
+[test_migration2to3.js]
+skip-if = appname == "thunderbird"
+[test_corruptedFile.js]
+skip-if = appname == "thunderbird"
diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json
index 1a1bf1a9fc99..6ef1b82fb0f9 100644
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -13867,5 +13867,13 @@
     "n_buckets": 50,
     "description": "Amount of time in milliseconds the main thread spends waiting for the paint thread to complete, if the time was greater than 200us.",
     "bug_numbers": [1386968]
+  },
+  "SCRIPT_LOADED_WITH_VERSION": {
+    "record_in_processes": ["main", "content"],
+    "alert_emails": ["amarchesini@mozilla.com"],
+    "bug_numbers": [1418860],
+    "expires_in_version": "60",
+    "kind": "boolean",
+    "description": "Tracking how often scripts are loaded with a 'valid' version parameter. This telemetry ID helps us to decide if and when remove the support of script versioning."
   }
 }
diff --git a/toolkit/content/tests/chrome/test_bug437844.xul b/toolkit/content/tests/chrome/test_bug437844.xul
index fd6eaaea43c6..db422c3181df 100644
--- a/toolkit/content/tests/chrome/test_bug437844.xul
+++ b/toolkit/content/tests/chrome/test_bug437844.xul
@@ -37,7 +37,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=348233
   <script class="testbody" type="application/javascript">
     <![CDATA[
 
-      SimpleTest.expectAssertions(17, 36);
+      SimpleTest.expectAssertions(17, 38);
 
       /** Test for Bug 437844 and Bug 348233 **/
       SimpleTest.waitForExplicitFinish();
diff --git a/toolkit/library/gtest/rust/Cargo.lock b/toolkit/library/gtest/rust/Cargo.lock
index 68f7ee00028c..16e79f6382da 100644
--- a/toolkit/library/gtest/rust/Cargo.lock
+++ b/toolkit/library/gtest/rust/Cargo.lock
@@ -1402,6 +1402,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 name = "u2fhid"
 version = "0.1.0"
 dependencies = [
+ "bitflags 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "boxfnonce 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
  "core-foundation-sys 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "env_logger 0.4.3 (registry+https://github.com/rust-lang/crates.io-index)",
diff --git a/toolkit/library/rust/Cargo.lock b/toolkit/library/rust/Cargo.lock
index 0fe61f1bf48b..8b2a3aae3218 100644
--- a/toolkit/library/rust/Cargo.lock
+++ b/toolkit/library/rust/Cargo.lock
@@ -1414,6 +1414,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 name = "u2fhid"
 version = "0.1.0"
 dependencies = [
+ "bitflags 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "boxfnonce 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)",
  "core-foundation-sys 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "env_logger 0.4.3 (registry+https://github.com/rust-lang/crates.io-index)",